Tech companies should move ahead with controversial technology that scans for child abuse imagery on users' phones, the technical heads of GCHQ and the UK's National Cybersecurity Centre have said. From a report: So-called "client-side scanning" would involve service providers such as Facebook or Apple building software that monitors communications for suspicious activity without needing to share the contents of messages with a centralised server. Ian Levy, the NCSC's technical director, and Crispin Robinson, the technical director of cryptanalysis -- codebreaking -- at GCHQ, said the technology could protect children and privacy at the same time.

"We've found no reason why client-side scanning techniques cannot be implemented safely in many of the situations one will encounter," they wrote in a discussion paper published on Thursday, which the pair said was "not government policy." They argued that opposition to proposals for client-side scanning -- most famously a plan from Apple, now paused indefinitely, to scan photos before they are uploaded to the company's image-sharing service -- rested on specific flaws, which were fixable in practice. They suggested, for instance, requiring the involvement of multiple child protection NGOs, to guard against any individual government using the scanning apparatus to spy on civilians; and using encryption to ensure that the platform never sees any images that are passed to humans for moderation, instead involving only those same NGOs.

We appear to be entering a period of Windows' development where we can expect new features and tweaks to come to the operating system several times a year. To that end, Microsoft continues to add, remove, and generally experiment with Windows 11's features and user interface via its Insider Preview channels. From a report: The most interesting addition we've seen in a while is rolling out to users on the experimental Dev Channel now: a modified version of the taskbar with much-improved handling of app icon overflow when users have too many apps open at once. Click an ellipsis button on your taskbar, and a new icon overflow menu opens up, allowing you to interact with any of those extra icons the same way you would if they were sitting on the taskbar. This would be a big improvement over the current overflow behavior, which devotes one icon's worth of space to show the icon for the app you last interacted with, leaving the rest inaccessible. That icon will continue to appear on the taskbar alongside the new ellipsis icon. Microsoft says that app icons in the overflow area will be able to show jump lists and other customizable shortcuts the same as any other app icon in the taskbar.

An anonymous reader quotes a report from TechCrunch: The Russia-linked hacking group behind the infamous SolarWinds espionage campaign is now using Google Drive to stealthily deliver malware to its latest victims. That's according to researchers at Palo Alto Networks' Unit 42 threat intelligence team, who said on Tuesday that the Russian Foreign Intelligence Service (SVR) hacking unit -- tracked as "Cloaked Ursa" by Unit 42 but more commonly known as APT29 or Cozy Bear -- has incorporated Google's cloud storage service into its hacking campaigns to hide their malware and their activities.

APT29 has used this new tactic in recent campaigns targeting diplomatic missions and foreign embassies in Portugal and Brazil between early May and June 2022, according to Unit 42. "This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide," the researchers said. "When the use of trusted services is combined with encryption, as we see here, it becomes extremely difficult for organizations to detect malicious activity in connection with the campaign." Unit 42 disclosed the activity to both Dropbox and Google, which took action. In May, the group was found to be using Dropbox in a campaign targeting diplomats and various government agencies. A Dropbox spokesperson told TechCrunch it disabled the accounts immediately.

Mojang has drawn a line in the sand against NFTs in Minecraft, saying in an update posted today that NFT integration with the game is "generally not something we will support or allow." From a report: The update begins with a quick rundown of what NFTs are, including a note about their extreme volatility, before laying out the current policies on Minecraft servers. The overall goal of those policies, Mojang said, is "to ensure that Minecraft remains a community where everyone has access to the same content." NFTs, on the other hand, are specifically designed to "create models of scarcity and exclusion," which obviously conflicts with that principle. And so, they're out.

"To ensure that Minecraft players have a safe and inclusive experience, blockchain technologies are not permitted to be integrated inside our client and server applications, nor may Minecraft in-game content such as worlds, skins, persona items, or other mods, be utilized by blockchain technology to create a scarce digital asset," Mojang wrote. The update was apparently prompted by the fact that numerous Minecraft-associated NFTs and play-to-earn servers are already available, taking advantage of the gap in official policy and dividing the community into "the haves and the have-nots," Mojang said.

The Biden administration is pushing to fill hundreds of thousands of cybersecurity jobs in the United States as part of a bid to close a talent shortage US officials describe as both a national security challenge and an economic opportunity. From a report: On Tuesday, the administration announced a multi-agency plan to create hundreds of registered apprenticeship programs with the private sector to flesh out the nation's cybersecurity workforce -- and defend against a rising tide of data breaches, ransomware attacks and other hacking incidents. In a 120-day sprint, the US government will work with employers to establish apprenticeship programs in the cybersecurity industry, said Labor Secretary Marty Walsh, vowing to launch the joint program with the Department of Commerce "in as little as 48 hours."

The initiative draws funding from a wider $500 million Commerce Department program known as the Good Jobs Challenge, and will particularly focus on recruiting young people, women and minorities to train and work in the cybersecurity field, said Walsh and Commerce Secretary Gina Raimondo at a White House event on Tuesday focused on broader cyber workforce issues. The US government commitment highlights what officials describe as a critical lack of cybersecurity professionals in both government and the private sector who can help protect the nation from foreign adversaries and cybercriminals. Months ago, there were an estimated 500,000 unfilled cybersecurity positions in the United States, Raimondo said, but today that figure has exploded to more than 700,000, a 40% increase.

An anonymous reader quotes a report from Ars Technica: A security firm and the US government are advising the public to immediately stop using a popular GPS tracking device or to at least minimize exposure to it, citing a host of vulnerabilities that make it possible for hackers to remotely disable cars while they're moving, track location histories, disarm alarms, and cut off fuel. An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other Micodus tracker models. The China-based manufacturer says 1.5 million of its tracking devices are deployed across 420,000 customers. BitSight found the device in use in 169 countries, with customers including governments, militaries, law enforcement agencies, and aerospace, shipping, and manufacturing companies.

BitSight discovered (PDF) what it said were six "severe" vulnerabilities in the device that allow for a host of possible attacks. One flaw is the use of unencrypted HTTP communications that makes it possible for remote hackers to conduct adversary-in-the-middle attacks that intercept or change requests sent between the mobile application and supporting servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that can allow attackers to access the hardcoded key for locking down the trackers and the ability to use a custom IP address that makes it possible for hackers to monitor and control all communications to and from the device.

The vulnerabilities include one tracked as CVE-2022-2107, a hardcoded password that carries a severity rating of 9.8 out of a possible 10. Micodus trackers use it as a master password. Hackers who obtain this passcode can use it to log in to the web server, impersonate the legitimate user, and send commands to the tracker through SMS communications that appear to come from the GPS user's mobile number. With this control, hackers can: Gain complete control of any GPS tracker; Access location information, routes, geofences, and track locations in real time; Cut off fuel to vehicles; and Disarm alarms and other features. A separate vulnerability, CVE-2022-2141, leads to a broken authentication state in the protocol the Micodus server and the GPS tracker use to communicate. Other vulnerabilities include a hardcoded password used by the Micodus server, a reflected cross-site scripting error in the Web server, and an insecure direct object reference in the Web server. The other tracking designations include CVE-2022-2199, CVE-2022-34150, CVE-2022-33944. The U.S. Cybersecurity and Infrastructure Security Administration is also warning about the risks posed by the critical security bugs. "Successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands, and the disarming of various features (e.g., alarms)," agency officials wrote.

Russian government hackers tried to trick Ukrainian and international volunteers into using a malicious Android app disguised as an app to launch Distributed Denial of Service (DDoS) attacks against Russian sites, according to new research published by Google on Tuesday. Motherboard reports: Since the beginning of the Russian invasion, Ukraine has resisted not only on the ground, but also online. A loose collective of technologists and hackers has organized under an umbrella quasi-hacktivist organization called the IT Army, and they have launched constant and persistent cyberattacks against Russian websites. The Russian government tried to turn this volunteer effort around to unmask Ukrainian hackers, in a smart, but ultimately failed attempt.

Google researchers wrote in the report that the app was created by the hacking group known as Turla, which several cybersecurity companies believe works for the Kremlin. [Shane Huntley, the head of the Google research team Threat Analysis Group] said that they were able to attribute this operation to Turla because they have tracked the group for a long time and have good visibility into their infrastructure and link it to this app. The hackers pretended to be a "community of free people around the world who are fighting russia's aggression" -- much like the IT Army. But the app they developed was actually malware. The hackers called it CyberAzov, in reference to the Azov Regiment or Battalion, a far-right group that has become part of Ukraine's national guard. To add more credibility to the ruse they hosted the app on a domain "spoofing" the Azov Regiment: cyberazov[.]com.

The app actually didn't DDoS anything, but was designed to map out and figure out who would want to use such an app to attack Russian websites, according to Huntely. "Now that they have an app that they control, and they see where it came from, they can actually work out what the infrastructure looks like, and work out where the people that are potentially doing these sorts of attacks are," Huntley said. Google said the fake app wasn't hosted on the Play Store, and that the number of installs "was miniscule." Still, it was a smart attempt to trick unknowing Ukrainians or people interested in working with Ukrainians to fall into the trap.

With gas prices at record highs in the U.S. in recent months, some people have turned to hacking the pump. From a report: Since prices spiked in March, police have arrested at least 22 people across the country for either digitally manipulating computers that manage gas pumps or installing homemade devices to discount their fuel, according to an NBC News review of police and local news reports.

The most common tactics aren't technologically sophisticated. Gas hackers take advantage of the fact that gas pump equipment in the U.S. is heavily standardized and largely relies on a handful of manufacturers that often don't include strong security protections. And some of the hacking tools are easily available online for purchase. While there's no formal law enforcement metric to measure the trend, 1 in 4 convenience-store gas station owners say fuel thefts have been rising since March, said Jeff Lenard, a vice president of the National Association of Convenience Stores, an industry group.

Cloud services and servers hosted by Google and Oracle in the UK have dropped offline due to cooling issues as the nation experiences a record-breaking heatwave. From a report: When the mercury hit 40.3C (104.5F) in eastern England, the highest ever registered by a country not used to these conditions, datacenters couldn't take the heat. Selected machines were powered off to avoid long-term damage, causing some resources, services, and virtual machines to became unavailable, taking down unlucky websites and the like.

Multiple Oracle Cloud Infrastructure resources are offline, including networking, storage, and compute provided by its servers in the south of UK. Cooling systems were blamed, and techies switched off equipment in a bid to prevent hardware burning out, according to a status update from Team Oracle. "As a result of unseasonal temperatures in the region, a subset of cooling infrastructure within the UK South (London) Data Centre has experienced an issue," Oracle said on Tuesday at 1638 UTC. "As a result some customers may be unable to access or use Oracle Cloud Infrastructure resources hosted in the region.

Federal investigators "disrupted" a North Korean state-sponsored hacking group that targeted US medical facilities and other health organizations, a top Justice Department official said Tuesday. From a report: The attacks included the targeting of a medical center in Kansas last year, Deputy Attorney General Lisa Monaco said, disabling the hospital's systems that store important data and run key equipment. Monaco said the government's investigation led to a public warning, with the Department of Homeland Security, about "Maui" ransomware targeting the health sector.

"The hospital's leadership faced an impossible choice: Give in to the ransom demand, or cripple the ability of the doctors and nurses to provide critical care," Monaco said at the International Conference on Cyber Security at Fordham University in New York. The Biden administration has increasingly warned of cyber threats from countries, including Russia, and has urged the private sector to do more to harden its security. The Cybersecurity and Infrastructure Security Agency, for instance, has widely published tips it said could help deter and mitigate potentially disruptive attacks.

Apple agreed to pay $50 million to settle a class-action lawsuit by customers who claimed it knew and concealed that the "butterfly" keyboards on its MacBook laptop computers were prone to failure. From a report: The proposed preliminary settlement was filed late Monday night in the federal court in San Jose, California, and requires a judge's approval. Customers claimed that MacBook, MacBook Air and MacBook Pro keyboards suffered from sticky and unresponsive keys, and that tiny amounts of dust or debris could make it difficult to type.

They also said Apple's service program was inadequate because the Cupertino, California-based company often provided replacement keyboards with the same problems. The settlement covers customers who bought MacBook, MacBook Air and most MacBook Pro models between 2015 and 2019 in seven U.S. states: California, Florida, Illinois, Michigan, New Jersey, New York and Washington.

An anonymous reader quotes a report from Politico: The Trump administration's immigration enforcers used mobile location data to track people's movements on a larger scale than previously known, according to documents that raise new questions about federal agencies' efforts to get around restrictions on warrantless searches. The data, harvested from apps on hundreds of millions of phones, allowed the Department of Homeland Security to obtain data on more than 336,000 location data points across North America, the documents show. Those data points may reference only a small portion of the information that CBP has obtained.

These data points came from all over the continent, including in major cities like Los Angeles, New York, Chicago, Denver, Toronto and Mexico City. This location data use has continued into the Biden administration, as Customs and Border Protection renewed a contract for $20,000 into September 2021, and Immigration and Customs Enforcement signed another contract in November 2021 that lasts until June 2023. The American Civil Liberties Union obtained the records from DHS through a lawsuit it filed in 2020. It provided the documents to POLITICO and separately released them to the public on Monday.

The documents highlight conversations and contracts between federal agencies and the surveillance companies Babel Street and Venntel. Venntel alone boasts that its database includes location information from more than 250 million devices. The documents also show agency staff having internal conversations about privacy concerns on using phone location data. In just three days in 2018, the documents show that the CBP collected data from more than 113,000 locations from phones in the Southwestern United States -- equivalent to more than 26 data points per minute -- without obtaining a warrant. The documents highlight the massive scale of location data that government agencies including CBP and ICE received, and how the agencies sought to take advantage of the mobile advertising industry's treasure trove of data. "It was definitely a shocking amount," said Shreya Tewari, the Brennan fellow for the ACLU's Speech, Privacy and Technology Project. "It was a really detailed picture of how they can zero in on not only a specific geographic area, but also a time period, and how much they're collecting and how quickly."

Images of a canceled mid-range version of the Surface Duo have appeared online thanks to an archived eBay listing. Dubbed as a Surface Duo 2 "dev unit" on eBay.com, the listing (which has since been deleted) provides us with a first look at what appears to be a "lite" version of the Surface Duo 2. From a report: The images reveal the device to have a smaller camera bump, slightly more rounded external design with a matte finish, and flat displays similar to the Surface Duo 1. Unfortunately, the eBay listing provides no details other than images of the handset. I had come across the eBay listing last month but was unsure if it was legitimate. By the time I was able to verify, the device had been sold to an unknown buyer and the listing was removed. I've since been able to confirm that the listing and device were indeed real.

Reuters reports: Amazon.com Inc is pausing the construction of six new office buildings in Bellevue and Nashville to reevaluate the designs to suit hybrid work, the tech giant said on Friday... "The pandemic has significantly changed the way people work ... Our offices are long-term investments and we want to make sure that we design them in a way that meets our employees' needs in the future," said John Schoettler, vice president of Global Real Estate and Facilities at Amazon.

Separately, Bloomberg News reported on Friday that Facebook parent Meta Platforms and Amazon have pulled back on their office expansion plans in New York City.... "The past few years have brought new possibilities around the ways we connect and work," a Meta spokesperson told Reuters without confirming or denying the report.
Various news sites seems to have different pieces of the story. On Hawaii's most populous island Oahu, the office vacancy rate is now 14% — the highest level ever recorded.

And this week a tech founder admitted in Fast Company that after converting to a hybrid company, "we're just as productive as we were before the pandemic (if not more so). Our engineering team's engagement has remained strong, and we've actually seen a boost in retention since the transition to hybrid work....

"Our transition from in-person, to remote, and now to hybrid work has reinforced the value of staying open-minded to innovation not just in our products, but also in how we work."

Slashdot reader storagedude writes: The first signs of the ransomware attack at data storage vendor Spectra Logic were reports from a number of IT staffers about little things going wrong at the beginning of the day. Matters steadily worsened within a very short time and signs of a breach became apparent. Screens then started to display a ransom demand, which said files had been encrypted by the NetWalker ransomware virus. The ransom demand was $3.6 million, to be paid in bitcoin within five days.

Tony Mendoza, Senior Director of Enterprise Business Solutions at Spectra Logic, laid out the details of the attack at the annual Fujifilm Recording Media USA Conference in San Diego late last month, as reported by eSecurity Planet.

"We unplugged systems, as the virus was spreading faster than we could investigate," Mendoza told conference attendees. "As we didn't have a comprehensive cybersecurity plan in place, the attack brought the entire business to its knees."

To make matters worse, the backup server had also been wiped out, but with the help of recovery specialist Ankura, uncorrupted snapshots and [offline] tape backups helped the company get back online in days, although full recovery took a month.

"We were able to restore everything and paid nothing," said Mendoza. "Other than a few files, all data was recovered."

The attack, which started from a successful phishing attempt, "took us almost a month to fully recover and get over the ransomware pain," said Mendoza.

"A growing number of cities and towns all over the U.S. are handing out cash grants and other perks aimed at drawing skilled employees of faraway companies to live there and work remotely," reports the Wall Street Journal: A handful of such programs have existed for years, but they have started gaining traction during the pandemic — and have really taken off in just the past year or so. Back in October there were at least 24 such programs in the U.S. Today there are 71, according to the Indianapolis-based company MakeMyMove, which is contracted by cities and towns to set up such programs.

Because these programs specifically target remote workers who have high wages, a disproportionate share of those who are taking advantage of them work in tech — and especially for big tech companies. Companies whose employees have participated in one remote worker incentive program in Tulsa, Oklahoma, include Adobe, Airbnb, Amazon, Apple, Dell, Facebook parent Meta Platforms, Google, IBM, Microsoft, Lyft, Netflix, Oracle and Siemens, according to a spokeswoman for the organization.

Local governments are offering people willing to move up to $12,000 in cash, along with subsidized gym memberships, free babysitting and office space....

A skeptic might ask why local economic development programs are spending funds to subsidize the lives of people who work for some of the most valuable companies in the world. On the other hand, because these remote workers aren't coming to town seeking local jobs, an argument can be made that they constitute a novel kind of stimulus program for parts of the country that have been left out of the tech boom — courtesy of big tech companies... Every remote worker these places successfully attract and retain is like gaining a fraction of a new factory or corporate office, with much less expenditure and risk, argues Mark Muro, who studies cities and labor at the Brookings Institution.
The reporter interviewed an Amazon engineer who moved to Greensburg, Indiana (population: 12,193), and Meta worker David Gora, who moved to Tulsa, Oklahoma and praises its relocation program's sense of mission, possibility, and community. "Even with the pay cuts that Meta has imposed on workers who relocate to areas with a lower cost of living, Mr. Gora is saving a lot more money and has a much higher quality of life than before, he adds."

Tulsa's program is unique in that it's funded by a philanthropic organization rather than a local economic-development budget, the article points out. But it adds that "a study conducted by the Economic Innovation Group and commissioned by Tulsa Remote concluded that for every two people the program brings to the city, one new job is created." By contrast, when an office moves to a town, every new high-wage tech job creates an estimated five more jobs in sectors including healthcare, education and service, according to research by economist Enrico Moretti. That's because those deals involve not only people but the money that goes into building and maintaining facilities, paying commercial property taxes and more.

Still, for towns that don't have the budget to attract a whole office or factory, the modest impact of bringing in a handful of remote tech workers can be balanced by the much smaller investment required to attract them.

The Washington Post reports on a "widely adopted, even codified" trend in recent months: people aren't coming in to their offices on Friday.

"The drop-off in office work, particularly on Fridays, has led coffee shops to reduce their hours, delis to rethink staffing and bars like Pat's Tap in Minneapolis to kick off happy hour earlier than ever — starting at 2 p.m." Just 30 percent of office workers swiped into work on Fridays in June, the least of any weekday, according to Kastle Systems, which provides building security services for 2,600 buildings nationwide. That's compared to 41 percent on Mondays, the day with the second-lowest turnout, and 50 percent on Tuesdays, when the biggest share of workers are in the office.

"It's becoming a bit of cultural norm: You know nobody else is going to the office on Friday, so maybe you'll work from home, too," said Peter Cappelli, director of the Center for Human Resources at the University of Pennsylvania's Wharton School. "Even before the pandemic, people thought of Friday as a kind of blowoff day. And now there's a growing expectation that you can work from home to jump-start your weekend...."

Some start-ups and tech firms have begun doing away with Fridays altogether. Crowdfunding platform Kickstarter and online consignment shop ThredUp are among a small but growing number of firms moving to a four-day workweek that runs from Monday to Thursday. Executives at Bolt, a checkout technology company in San Francisco, began experimenting with no-work Fridays last summer and quickly realized they'd hit a winning formula. Employees were more productive than before, and came back to work on Mondays with new enthusiasm. In January, it switched to a four-day workweek for good.
"Managers were onboard, people kept hitting their goals," Bolt's head of employee experience tells the Post. "And they come back on Mondays energized and more engaged."

An adviser at the Society of Human Resource Management tells the Post that employers are trying new inducements to get people to return to offices on Fridays. "If you feed them, they will come. Food trucks, special catered events, ice cream socials, that's what's popular right now." And the Post adds that other employers have also tried wine carts, costume contests and karaoke sing-offs — "all aimed at getting workers to give up their couches for cubicles."

An anonymous reader shares a report: Getting Doom to run on things that were never meant to run Doom is something of a cottage industry among a die-hard subset of PC hackers and coders. Your motherboard's BIOS, a bunch of old potatoes, a Lego brick, a home pregnancy test: The list goes on and on. But YouTuber and Doomworld community member kgsws has set a new standard for, well, something with this brilliant bit of techno-recursion: Doom running in Doom.

The full explanation for how it works gets technical but what it comes down to is an exploit that enables code execution within the game itself. That's why this bit of trickery only works with the original DOS-based Doom 2, and not any of the more modern ports like GZDoom, which lack the exploit. (That's not convenient for this project but it's a good thing overall, kgsws noted: "People would abuse it to spread malicious code.")

Google is releasing Chrome OS Flex today, a new version of Chrome OS that's designed for businesses and schools to install and run on old PCs and Macs. From a report: Google first started testing Chrome OS Flex earlier this year in an early access preview, and the company has now resolved 600 bugs to roll out Flex to businesses and schools today. Chrome OS Flex is designed primarily for businesses running old Windows PCs, as Google has been testing and verifying devices from Acer, Asus, Dell, HP, Lenovo, LG, Toshiba, and many more OEMs. Flex will even run on some old Macs, including some 10-year-old MacBooks. The support of old hardware is the big selling point of Chrome OS Flex, as businesses don't have to ditch existing hardware to get the latest modern operating system. More than 400 devices are certified to work, and installation is as easy as using a USB drive to install Chrome OS Flex.

Twitter faced a brief outage on Thursday, leaving thousands of users without service for about an hour. From a report: At the peak, at 8:20 a.m. in New York, 54,582 users reported problems on Downdetector.com, an outage tracking platform. Twitter's website displayed an error message and prompted users to reload the page. It wasn't immediately clear what caused the outage. A message on Twitter's support account posted at 9:10 a.m. said: "Some of you are having issues accessing Twitter and we're working to get it back up and running for everyone. Thanks for sticking with us." By 9:16 a.m., about 1,600 users reported they were still having trouble. The last time Twitter faced an outage was in February, when the site crashed due to a "technical bug" on the page. In its early days, Twitter was famous for crashing amid high traffic, leading to the iconic "fail whale" image that popped up when service was down.