Security

Lenovo Patches UEFI Code Execution Vulnerability Affecting More Than 70 Laptop Models (securityweek.com) 20

Lenovo has released a security advisory to inform customers that more than 70 of its laptops are affected by a UEFI/BIOS vulnerability that can lead to arbitrary code execution. SecurityWeek reports: Researchers at cybersecurity firm ESET discovered a total of three buffer overflow vulnerabilities that can allow an attacker with local privileges on affected Lenovo devices to execute arbitrary code. However, Lenovo says only one of the vulnerabilities (CVE-2022-1892) impacts all devices, while the other two impact only a handful of laptops. "The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features," ESET explained. "These vulnerabilities were caused by insufficient validation of the DataSize parameter passed to the UEFI Runtime Services function GetVariable. An attacker could create a specially crafted NVRAM variable, causing buffer overflow of the Data buffer in the second GetVariable call," it added.
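The two-call GetVariable pattern ESET describes is easier to see in a small model than in firmware. The following is an added example, written for this page and not ESET's, Lenovo's or SecurityWeek's code: a Python stand-in for the UEFI GetVariable() service, a caller that forwards the size learned from the first call straight into the second call (the missing DataSize check), and a hardened caller that binds DataSize to its real buffer. The NVRAM contents, variable names, buffer sizes and the `Overflow` exception standing in for memory corruption are all constructed for the example; the real service is C and the real consequence is a write past the buffer, not an exception.

```python
# Added illustration (not ESET's, Lenovo's or SecurityWeek's code): a Python model of the
# UEFI GetVariable() calling convention, the two-call pattern the advisory describes, and
# the DataSize check that keeps it from overflowing a fixed buffer. NVRAM contents,
# variable names, buffer sizes and the Overflow model are constructed for this example.

EFI_SUCCESS = 0
EFI_BUFFER_TOO_SMALL = 5   # genuine UEFI status value for EFI_BUFFER_TOO_SMALL
EFI_NOT_FOUND = 14         # genuine UEFI status value for EFI_NOT_FOUND


class Overflow(Exception):
    """Stands in for memory corruption: the service wrote past the caller's real buffer."""


class FixedBuffer:
    """The caller's stack or heap buffer, with the capacity it really has."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.data = bytearray(capacity)

    def write(self, value: bytes) -> None:
        if len(value) > self.capacity:
            raise Overflow(f"{len(value)} bytes into a {self.capacity}-byte buffer")
        self.data[:len(value)] = value


# Constructed NVRAM: one well-formed variable and one that a local attacker with NVRAM
# write access has enlarged beyond what the firmware code expects.
NVRAM = {
    "BootConfig": bytes(range(16)),
    "BootConfigOversized": b"A" * 200,
}


def get_variable(name: str, data_size: int, buf):
    """Model of EFI_GET_VARIABLE. data_size is the size the caller CLAIMS buf can hold.
    Returns (status, data_size), as the real service does via its DataSize out-parameter."""
    if name not in NVRAM:
        return EFI_NOT_FOUND, data_size
    value = NVRAM[name]
    if buf is None or data_size < len(value):
        return EFI_BUFFER_TOO_SMALL, len(value)   # reports the size actually required
    buf.write(value)                                # writes len(value) bytes, trusting data_size
    return EFI_SUCCESS, len(value)


def vulnerable_read(name: str, buf: FixedBuffer):
    """Two-call pattern with the missing check: the size reported by the first call is
    passed to the second call even when it exceeds the fixed buffer's real capacity."""
    _, needed = get_variable(name, 0, None)
    status, size = get_variable(name, needed, buf)   # overflows when needed > buf.capacity
    return status, bytes(buf.data[:size])


def safe_read(name: str, buf: FixedBuffer):
    """Hardened version: DataSize is the real buffer size, and EFI_BUFFER_TOO_SMALL is
    treated as a rejection rather than as a hint to retry with a larger DataSize."""
    status, size = get_variable(name, buf.capacity, buf)
    if status != EFI_SUCCESS:
        return status, None
    return status, bytes(buf.data[:size])


if __name__ == "__main__":
    print(safe_read("BootConfig", FixedBuffer(32)))            # (0, b'\x00\x01...')
    print(safe_read("BootConfigOversized", FixedBuffer(32)))   # (5, None): rejected
    try:
        vulnerable_read("BootConfigOversized", FixedBuffer(32))
    except Overflow as exc:
        print("vulnerable pattern:", exc)
```

The defensive point is the one the advisory makes: a DataSize that comes back from the service describes the variable, not the caller's buffer, so firmware that reads into a fixed-size buffer must pass that buffer's own size and treat EFI_BUFFER_TOO_SMALL as an error for attacker-writable variables.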

Lenovo has also informed customers about Retbleed, a new speculative execution attack impacting devices with Intel and AMD processors. The company has also issued an advisory for a couple of vulnerabilities affecting many products that use the XClarity Controller server management engine. These flaws can allow authenticated users to cause a DoS condition or make unauthorized connections to internal services.

Security

Elden Ring Gaming Giant Bandai Namco Says Hackers May Have Stolen Customer Data (techcrunch.com) 7

Bandai Namco, the Japanese video game publisher behind titles including Pac-Man, Tekken and Elden Ring, has admitted that hackers accessed its systems and potentially made off with customer data. TechCrunch reports: In a statement shared with TechCrunch, Bandai Namco said it detected "unauthorized access" to its systems by a third party on July 3, adding that it has since taken measures, such as blocking access to the affected servers, to "prevent the damage from spreading." The confirmation comes days after the Alphv ransomware gang, also known as BlackCat, added the Japanese company to its dark web leak site. Bandai Namco declined to elaborate on the nature of the cyberattack or how hackers were able to access its systems, but warned customer data may have been stolen, all but confirming that it was hit by ransomware.

"There is a possibility that customer information related to the Toys and Hobby Business in Asian regions (excluding Japan) was included in the servers and PCs, and we are currently identifying the status about existence of leakage [sic], scope of the damage and investigating the cause," Bandai Namco said. The Alphv ransomware group -- believed to be the latest incarnation of the DarkSide ransomware gang responsible for the Colonial Pipeline attack -- has threatened that the stolen data will be released "soon," but no exact deadline has been given. Bandai Namco declined to say whether it had been given a ransom demand.
"We will continue to investigate the cause of this incident and will disclose the investigation results as appropriate," Bandai Namco added. "We will also work with external organizations to strengthen security throughout the Group and take measures to prevent recurrence. We offer our sincerest apologies to everyone involved for any complications or concerns caused by this incident."
Spam

Gmail Users 'Hard Pass' On Plan To Let Political Emails Bypass Spam Filters (arstechnica.com) 62

An anonymous reader quotes a report from Ars Technica: Earlier this month, Google sent a request (PDF) to the Federal Election Commission seeking an advisory opinion on the potential launch of a pilot program that would allow political committees to bypass spam filters and instead deliver political emails to the primary inboxes of Gmail users. During a public commenting period that's still ongoing, most people commenting have expressed staunch opposition for various reasons that they're hoping the FEC will consider. "Hard pass," wrote a commenter called Katie H. "Please do not allow Google to open up Pandora's Box on the people by allowing campaign/political emails to bypass spam filters."

Out of 48 comments submitted (PDF) as of July 11, only two commenters voiced support for Google's pilot program, which seeks to deliver more unsolicited political emails to Gmail users instead of marking them as spam. The rest of the commenters opposed the program, raising a range of concerns, including the potential for the policy to degrade user experience, introduce security risks, and even possibly unfairly influence future elections. Business Insider reported that the period for public commenting ends on Saturday, July 16, which is longer than what was shared in conflicting reports that said the initial deadline to comment was July 11. That means there's still time for more Gmail users and interested parties to chime in.
"For some opposing commenters, it's about rejecting unnecessary strains on the Gmail user experience," adds Ars. "In short: People don't want emails coming to their inbox that they did not sign up for."

"Other commenters were more concerned over a perceived government overreach." There were also commenters that said the move could introduce security risks, influence elections, and make Gmail more vulnerable to "emotionally charged" messaging that they never signed up for.
IT

System76's Launch Lite Keyboard Ditches the USB Hub In Favor of a Smaller Form Factor (betanews.com) 27

An anonymous reader shares a report: System76's "Launch" keyboard has been wildly popular with the Linux community thanks to its open source firmware, ability to be customized, and excellent build quality (it's made in the USA). The Launch keyboard uses a USB-C connector to interface with the host computer, but you can utilize either a USB-C to USB-C or USB-C to USB-A cable to connect it -- depending on what ports you have available. Launch even serves double-duty as a USB hub, allowing you to plug USB devices directly into it. System76's Launch keyboard is already tenkeyless and rather small, but apparently, there has been a desire for an even smaller offering. And so, tomorrow, the company will begin selling exactly that. Called "Launch Lite," the $199 variant is a very similar keyboard to the regular Launch, but in a smaller form factor and with fewer keys. System76 is also launching silent brown and silent pink switch options. Unfortunately, the reduced footprint means the USB hub feature found on the standard Launch is not included on the Lite.
Security

Almost Everyone Faced an Industrial Attack in the Last Year (csoonline.com) 9

A report commissioned by cloud security company Barracuda found that 94% of respondents have experienced some form of attack on their industrial IoT (IIoT) or operational technology (OT) systems during the last 12 months. From a report: The State of Industrial Security in 2022 report surveyed 800 senior IT and security officers responsible for these industrial systems. "In the current threat landscape, critical infrastructure is an attractive target for cybercriminals, but unfortunately IIoT/OT security projects often take a backseat to other security initiatives or fail due to cost or complexity, leaving organizations at risk," said Tim Jefferson, senior vice president for data protection, network, and application security at Barracuda, in a statement accompanying the report.

Recent attacks, such as those carried out through the SolarWinds compromise and the Russian DDoS attack on Lithuania last month, have raised concerns over nation state-backed attacks on industrial systems. As a result, the survey found that 89% of the respondents are very or fairly concerned about the current geopolitical situation. Constellation Research analyst Liz Miller acknowledged that "the Russian invasion of Ukraine set the world on high alert as it anticipated vulnerabilities in IIoT devices becoming prime targets should the battle enter the cyberspace."

AMD

New Working Speculative Execution Attack Sends Intel and AMD Scrambling (arstechnica.com) 66

Some microprocessors from Intel and AMD are vulnerable to a newly discovered speculative execution attack that can covertly leak password data and other sensitive material, sending both chipmakers scrambling once again to contain what is proving to be a stubbornly persistent vulnerability. Ars Technica reports: Researchers from ETH Zurich have named their attack Retbleed because it exploits a software defense known as retpoline, which was introduced in 2018 to mitigate the harmful effects of speculative execution attacks. Speculative execution attacks, also known as Spectre, exploit the fact that when modern CPUs encounter a direct or indirect instruction branch, they predict the address for the next instruction they're about to receive and automatically execute it before the prediction is confirmed. Spectre works by tricking the CPU into executing an instruction that accesses sensitive data in memory that would normally be off-limits to a low-privileged application. Retbleed then extracts the data after the operation is canceled. [...] The ETH Zurich researchers have conclusively shown that retpoline is insufficient for preventing speculative execution attacks. Their Retbleed proof-of-concept works against Intel CPUs with the Kaby Lake and Coffee Lake microarchitectures and AMD Zen 1, Zen 1+, and Zen 2 microarchitectures.

In response to the research, both Intel and AMD advised customers to adopt new mitigations that the researchers said will add as much as 28 percent more overhead to operations. [...] Both Intel and AMD have responded with advisories. Intel has confirmed that the vulnerability exists on Skylake-generation processors that don't have a protection known as enhanced Indirect Branch Restricted Speculation (eIBRS) in place. "Intel has worked with the Linux community and VMM vendors to provide customers with software mitigation guidance which should be available on or around today's public disclosure date," Intel wrote in a blog post. "Note that Windows systems are not affected given that these systems use Indirect Branch Restricted Speculation (IBRS) by default which is also the mitigation being made available to Linux users. Intel is not aware of this issue being exploited outside of a controlled lab environment." AMD, meanwhile, has also published guidance. "As part of its ongoing work to identify and respond to new potential security vulnerabilities, AMD is recommending software suppliers consider taking additional steps to help guard against Spectre-like attacks," a spokesman wrote in an email. The company has also published a whitepaper.

[Researcher Kaveh Razavi added:] "Retbleed is more than just a retpoline bypass on Intel, especially on AMD machines. AMD is in fact going to release a white paper introducing Branch Type Confusion based on Retbleed. Essentially, Retbleed is making AMD CPUs confuse return instructions with indirect branches. This makes exploitation of returns very trivial on AMD CPUs." The mitigations will come at a cost that the researchers measured to be between 12 percent and 28 percent more computational overhead. Organizations that rely on affected CPUs should carefully read the publications from the researchers, Intel, and AMD and be sure to follow the mitigation guidance.

Security

X.Org Server Hit By New Local Privilege Escalation, Remote Code Execution Vulnerabilities (phoronix.com) 24

Getting things started for this "Patch Tuesday" is the disclosure of two new X.Org Server vulnerabilities. Phoronix reports: These issues, involving out-of-bounds accesses in the X.Org Server, can lead to local privilege elevation on systems where the X.Org Server runs privileged, and to remote code execution for SSH X forwarding sessions.

CVE-2022-2319 and CVE-2022-2320 were made public this morning, and both deal with the X.Org Server's XKB keyboard extension not properly validating input, which can lead to out-of-bounds memory writes. Fixes for these XKB vulnerabilities have landed in X.Org Server Git, and the xorg-server 21.1.4 point release containing them is expected soon. Both vulnerabilities were discovered by Trend Micro's Zero Day Initiative.

Security

PyPI Is Rolling Out 2FA For Critical Projects, Giving Away 4,000 Security Keys (zdnet.com) 19

PyPI or the Python Package Index is giving away 4,000 Google Titan security keys as part of its move to mandatory two-factor authentication (2FA) for critical projects built in the Python programming language. ZDNet reports: PyPI, which is managed by the Python Software Foundation, is the main repository where Python developers can get third-party developed open-source packages for their projects. [...] One way developers can protect themselves from stolen credentials is by using two-factor authentication and the PSF is now making it mandatory for developers behind "critical projects" to use 2FA in coming months. PyPI hasn't declared a specific date for the requirement. "We've begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them," the PSF said on its PyPI Twitter account.

As part of the security drive, it is giving away 4,000 Google Titan hardware security keys to project maintainers, gifted by Google's open source security team. "In order to improve the general security of the Python ecosystem, PyPI has begun implementing a two-factor authentication (2FA) requirement for critical projects. This requirement will go into effect in the coming months," PSF said in a statement. "To ensure that maintainers of critical projects have the ability to implement strong 2FA with security keys, the Google Open Source Security Team, a sponsor of the Python Software Foundation, has provided a limited number of security keys to distribute to critical project maintainers."

PSF says it deems any project in the top 1% of downloads over the prior six months as critical. Presently, there are more than 350,000 projects on PyPI, meaning that more than 3,500 projects are rated as critical. PyPI calculates this on a daily basis so the Titan giveaway should go a long way to cover a chunk of key maintainers but not all of them. In the name of transparency, PyPI is also publishing 2FA account metrics here. There are currently 28,336 users with 2FA enabled, with nearly 27,000 of them using a 2FA app like Microsoft Authenticator. There are over 3,800 projects rated as "critical" and 8,241 PyPI users in this group. The critical group is also likely to grow since projects that have been designated as critical remain so indefinitely while new projects are added to mandatory 2FA over time. The 2FA rule applies to both project maintainers and owners.

Transportation

Hackers Uncover Ways To Unlock and Start Nearly All Modern Honda-Branded Vehicles (thedrive.com) 40

An anonymous reader quotes a report from The Drive: Hackers have uncovered ways to unlock and start nearly all modern Honda-branded vehicles by wirelessly stealing codes from an owner's key fob. Dubbed "Rolling Pwn," the attack allows any individual to "eavesdrop" on a remote key fob from nearly 100 feet away and reuse the captured codes later to unlock or start the vehicle without the owner's knowledge. Despite Honda's dispute that the technology in its key fobs "would not allow the vulnerability," The Drive has independently confirmed the validity of the attack with its own demonstration.

Older vehicles used static codes for keyless entry. These static codes are inherently vulnerable, as any individual can capture and replay them at will to lock and unlock a vehicle. Manufacturers later introduced rolling codes to improve vehicle security. Rolling codes work by using a Pseudorandom Number Generator (PRNG). When a lock or unlock button is pressed on a paired key fob, the fob sends a unique code wirelessly to the vehicle, encapsulated within the message. The vehicle then checks the code sent to it against its internal database of valid PRNG-generated codes, and if the code is valid, the car grants the request to lock, unlock, or start the vehicle. The database contains several allowed codes, as a key fob may not be in range of a vehicle when a button is pressed and may therefore transmit a different code than the one the vehicle expects next chronologically. This series of codes is also known as a "window." When a vehicle receives a newer code, it typically invalidates all previous codes to protect against replay attacks. This attack works by eavesdropping on a paired key fob and capturing several codes sent by the fob. The attacker can later replay a sequence of valid codes and re-sync the PRNG. This allows the attacker to re-use older codes that would normally be invalid, even months after the codes have been captured.
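The window and invalidation behaviour described above is the whole defence against simple replay, so it is worth seeing it operate. The following is an added example, not Honda's or The Drive's code: a minimal counter-based rolling-code receiver in Python. A keyed hash over a press counter stands in for the proprietary PRNG, and the shared key, window size and press sequence are constructed for the example. It shows the receiver accepting a code several presses ahead (the fob was out of range), then rejecting a captured earlier code and a repeat of an accepted one, and finally rejecting a code that has drifted past the window.

```python
# Added illustration, not Honda's or The Drive's code: a counter-based rolling-code
# receiver with a forward-looking "window". HMAC-SHA256 over the press counter stands
# in for the fob's PRNG; KEY, WINDOW and the press sequence are constructed.
import hashlib
import hmac

KEY = b"constructed-demo-pairing-key"   # secret shared between fob and vehicle at pairing
WINDOW = 16                              # how many unheard presses the vehicle tolerates


def code_for(counter: int) -> bytes:
    """Code transmitted for a given press counter (the PRNG output in the article)."""
    return hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self):
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1            # every press advances, heard by the car or not
        return code_for(self.counter)


class Vehicle:
    def __init__(self):
        self.last_accepted = 0       # highest counter accepted so far

    def receive(self, code: bytes) -> bool:
        """Accept only a code whose counter is newer than the last accepted one and
        within WINDOW of it; acceptance invalidates every earlier counter."""
        for candidate in range(self.last_accepted + 1, self.last_accepted + WINDOW + 1):
            if hmac.compare_digest(code, code_for(candidate)):
                self.last_accepted = candidate
                return True
        return False


def demo():
    """Walk through the scenarios in the article; returns four booleans."""
    fob, car = Fob(), Vehicle()
    missed = [fob.press() for _ in range(3)]     # pressed out of range: car never hears them
    heard = fob.press()                          # counter 4, still inside the window
    accepted_ahead = car.receive(heard)          # True: window absorbs the skipped presses
    replay_old = car.receive(missed[0])          # False: counter 1 is behind last_accepted
    replay_same = car.receive(heard)             # False: an accepted code is single-use
    for _ in range(WINDOW + 1):                  # fob drifts beyond the window
        fob.press()
    too_far = car.receive(fob.press())           # False: outside the window entirely
    return accepted_ahead, replay_old, replay_same, too_far


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

This model has no resynchronisation path at all, which is why the captured codes stay invalid; the article's point is that the real receiver does accept a replayed sequence as a resync, so any such path has to refuse counters at or below the last accepted one.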

[...] Contrary to Honda's claim, I independently confirmed the vulnerability by capturing and replaying a sequence of lock and unlock requests with my 2021 Honda Accord and a Software-Defined Radio. Despite being able to start and unlock the car, the vulnerability doesn't allow the attacker to actually drive off with the vehicle due to the proximity functionality of the key fob. However, the fact that a bad actor can get this far is already a bad sign. At this time, the following vehicles may be affected by the vulnerability: 2012 Honda Civic, 2018 Honda X-RV, 2020 Honda C-RV, 2020 Honda Accord, 2021 Honda Accord, 2020 Honda Odyssey, 2021 Honda Inspire, 2022 Honda Fit, 2022 Honda Civic, 2022 Honda VE-1, and 2022 Honda Breeze. It's not yet clear if this affects any Acura-branded vehicles.
"[W]e've looked into past similar allegations and found them to lack substance," said a Honda spokesperson in a statement to The Drive. "While we don't yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report. In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims."
Microsoft

Microsoft Still Plans To Block Office Macros By Default After Temporary Rollback (theverge.com) 25

Microsoft is still planning to block Visual Basic for Applications (VBA) macros by default in Office apps. From a report: The software giant rolled back planned changes last week, surprising IT admins who had been preparing for Microsoft to prevent Office users from easily enabling macros in Office files downloaded from the internet. The change, designed to improve security in Office, was supposed to go live in June before Microsoft suddenly reverted the block on June 30th. "Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability," explains Kellie Eickmeyer, principal product manager at Microsoft, in a blog post update. "This is a temporary change, and we are fully committed to making the default change for all users."
Security

Experian, You Have Some Explaining To Do (krebsonsecurity.com) 60

Security reporter Brian Krebs: Twice in the past month KrebsOnSecurity has heard from readers who had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn't theirs. In both cases the readers used password managers to select strong, unique passwords for their Experian accounts. Research suggests identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victim's personal information and a different email address.

John Turner is a software engineer based in Salt Lake City. Turner said he created the account at Experian in 2020 to place a security freeze on his credit file, and that he used a password manager to select and store a strong, unique password for his Experian account. Turner said that in early June 2022 he received an email from Experian saying the email address on his account had been changed. Experian's password reset process was useless at that point because any password reset links would be sent to the new (impostor's) email address. An Experian support person Turner reached via phone after a lengthy hold time asked for his Social Security Number (SSN) and date of birth, as well as his account PIN and answers to his secret questions. But the PIN and secret questions had already been changed by whoever re-signed up as him at Experian.

Microsoft

What Makes Workers 'Thrive'? Microsoft Study Suggests Shorter Workweeks and Less Collaboration (zdnet.com) 125

Microsoft describes "thriving" at work as being "energized and empowered to do meaningful work."

So Microsoft's "people analytics" chief and its "culture measurements" director teamed up for a report in Harvard Business Review exploring "as we enter the hybrid work era... how thriving can be unlocked across different work locations, professions, and ways of working."

ZDNet columnist Chris Matyszczyk took special note of the researchers' observation that "Employees who weren't thriving talked about experiencing siloes, bureaucracy, and a lack of collaboration," asking playfully, "Does that sound like Microsoft to you?" Klinghoffer and McCune were undeterred in their search for the secret of happiness. They examined those who spoke most positively about thriving at work and work-life balance. They reached a startling picture of a happy Microsoft employee. They said: "By combining sentiment data with de-identified calendar and email metadata, we found that those with the best of both worlds had five fewer hours in their workweek span, five fewer collaboration hours, three more focus hours, and 17 fewer employees in their internal network size."

Five fewer collaboration hours? 17 fewer employees in their internal network? Does this suggest that the teamwork mantra isn't working so well? Does it, in fact, intimate that collaboration may have become a buzzword for a collective that is more a bureaucracy than a truly productive organism?

Klinghoffer and McCune say collaboration isn't bad in itself. However, they say: "It is important to be mindful of how intense collaboration can impact work-life balance, and leaders and employees alike should guard against that intensity becoming 24/7."

If you're a leader, you have a way to stop it. If you're an employee, not so much.

The Microsoft researchers' conclusion? "Thriving takes a village" (highlighting the importance of managers), and that "the most common thread among those who were not thriving was a feeling of exclusion — from a lack of collaboration to feeling left out of decisions to struggling with politics and bureaucracy."

Matyszczyk's conclusion? "It's heartening to learn, though, that perhaps the most important element to making an employee happy at work is giving them time to, well, actually work."
Spam

FCC Cracks Down On Spam 'Auto Warranty' Robocalls (axios.com) 111

An anonymous reader quotes a report from Axios: The Federal Communications Commission on Thursday told carriers to stop delivering those annoying auto warranty robocalls and said it has launched a formal investigation. The scam has resulted in more than 8 billion unwanted and possibly illegal phone calls. It has been the top consumer robocall complaint for the past two years.

The FCC said it is working with a number of other agencies, including the Ohio attorney general, which is suing Roy Cox, Jr., Aaron Michael Jones, their Sumco Panama companies and other international associates said to be a part of the scam. The agency's enforcement bureau said it sent cease-and-desist letters to Call Pipe, Fugle Telecom, Geist Telecom, Global Lynks, Mobi Telecom, South Dakota Telecom, SipKonnect and Virtual Telecom to warn them to stop carrying this suspicious robocall traffic within 48 hours. The FCC said that its inquiry shows that the operation is still generating millions of apparently unlawful calls to consumers on a daily basis.

Security

Most Government Websites Serve Tracking Cookies Without Consent, Report Finds (hothardware.com) 27

A new study published by the IMDEA Networks Institute shows just how common it is for government websites to install third-party cookies in visitors' web browsers. HotHardware reports: The study makes a distinction between third-party (TP) cookies and third-party tracking (TPT) cookies, because not all third-party cookies are "set by domains that are known to be tracking users for data collection purposes." The chart [here] shows the percentage of government websites for each country that install at least one third-party cookie, as well as the percentage of said cookies that are associated with domains that are known to be tracking users. Russia tops out the list with over 90% of its government websites installing third-party cookies in visitors' web browsers. Meanwhile, nearly 60% of US government websites install at least one third-party cookie. Germany sits at the bottom of the list with a little under 30% of government websites serving up third-party cookies.

Most of the third-party cookies installed by government websites are known tracking cookies, except in the case of Germany, where under 10% of third-party cookies are associated with domains that are known to track users. The researchers also found that, depending on the country, 20% to 60% of the third party cookies installed by government websites remain in visitors' browsers without expiring for a year or more. That's a long time for a tracker installed without your knowledge or consent to remain active. Beyond specifically tracking cookies, the researchers measured the number of trackers of any kind present on government websites. The Russian gov.ru has the most trackers out of any government website analyzed by the researchers, numbering 31 trackers in total. However, Brazil and Canada aren't far behind, with 25 trackers present on both investexportbrasil.gov.br and nac-cna.ca. The US government website with the most trackers is hhs.gov, which has 13.

The researchers point out that third-party tracking cookies are installed in visitors' web browsers automatically, without their consent. However, the researchers suspect that web developers and administrators likely include third-party content without intending to add trackers to their websites. A great many websites now rely on third-party resources and include social content that comes with trackers built in.
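The distinctions the study draws (third-party versus first-party, known tracker or not, and cookies that outlive a year) can be checked on a single site visit from the Set-Cookie headers alone. The following is an added example, not the IMDEA researchers' tooling: a Python classifier that applies those three tests to a constructed set of observations. The site name, the headers, the tracker-domain list and the reference time are all constructed; a real audit would use a public suffix list and a maintained tracker list rather than the two-label shortcut and two-entry set used here.

```python
# Added illustration, not the IMDEA study's own tooling: classify cookies observed on a
# site visit the way the article describes (third-party vs first-party, known tracker or
# not, and whether the cookie outlives a year). Site names, headers, the tracker list
# and the reference time are all constructed for this example.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

NOW = datetime(2022, 7, 13, tzinfo=timezone.utc)   # constructed "time of visit"
ONE_YEAR = 365 * 24 * 3600

# Constructed stand-in for the tracker-domain lists used to tell TP from TPT cookies.
KNOWN_TRACKERS = {"tracker.example", "analytics.example"}


def registrable(host: str) -> str:
    """Crude eTLD+1: the last two labels. A real audit would consult the public suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name/value plus lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        cookie[key.strip().lower()] = val.strip() or True   # flag attributes carry no value
    return cookie


def lifetime_seconds(cookie: dict) -> int:
    """Remaining lifetime at NOW; 0 for a session cookie. Max-Age wins over Expires (RFC 6265)."""
    if isinstance(cookie.get("max-age"), str):
        return max(0, int(cookie["max-age"]))
    if isinstance(cookie.get("expires"), str):
        expires = parsedate_to_datetime(cookie["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return max(0, int((expires - NOW).total_seconds()))
    return 0


def classify(site_host: str, setter_host: str, header: str) -> dict:
    """setter_host is the host whose response carried this Set-Cookie header."""
    cookie = parse_set_cookie(header)
    domain = cookie["domain"] if isinstance(cookie.get("domain"), str) else setter_host
    owner = registrable(domain)
    third_party = owner != registrable(site_host)
    life = lifetime_seconds(cookie)
    return {
        "name": cookie["name"],
        "owner": owner,
        "third_party": third_party,
        "tracking": third_party and owner in KNOWN_TRACKERS,
        "long_lived": life >= ONE_YEAR,
        "lifetime_days": life // 86400,
    }


# Constructed observations from one visit to www.example.gov: (host that set it, header).
OBSERVED = [
    ("www.example.gov", "session=abc123; Path=/; HttpOnly; Secure"),
    ("cdn.tracker.example", "_tid=9f3a; Domain=.tracker.example; Max-Age=63072000; Secure"),
    ("widgets.social.example", "pref=1; Path=/; Expires=Wed, 13 Jul 2022 12:00:00 GMT"),
    ("analytics.example", "uid=7c1e; Path=/; Expires=Sat, 13 Jul 2024 00:00:00 GMT"),
]


def audit(site_host: str, observed=OBSERVED) -> dict:
    """Per-cookie classification plus the headline counts the study reports."""
    rows = [classify(site_host, host, header) for host, header in observed]
    third = [r for r in rows if r["third_party"]]
    return {
        "cookies": rows,
        "third_party": len(third),
        "tracking": sum(r["tracking"] for r in third),
        "third_party_over_a_year": sum(r["long_lived"] for r in third),
    }


if __name__ == "__main__":
    result = audit("www.example.gov")
    for row in result["cookies"]:
        print(row)
    print({k: v for k, v in result.items() if k != "cookies"})
```

The same classification applied across a crawl of each country's government sites is what produces the per-country percentages in the article; the per-cookie rows are also what an administrator would want when deciding which embedded third-party resource brought the tracker in.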

Bitcoin

Web3 Projects Have Lost More Than $2 Billion To Hacks This Year (theverge.com) 19

In the first six months of 2022, Web3 projects have lost more than $2 billion to hacks and exploits -- more than all of 2021 combined. The Verge reports: That's according to research from blockchain auditing and security company CertiK, which on Thursday released its quarterly Web3 security report covering Q2 of this year. The report paints a sobering picture of a cryptocurrency space still plagued by hacks, scams, and phishing schemes while also facing relatively new threats like flash loan attacks. CertiK puts particular focus on this last category of threat, which has been created by the invention of flash loans: a decentralized finance mechanism that lets borrowers access extremely large amounts of cryptocurrency for very short periods of time. If used maliciously, flash loans can be used to manipulate the value of a certain token on exchanges or buy up all of the governance tokens in a project and vote to withdraw all of the funds, as happened to Beanstalk in April.

In total, CertiK's report claims that a total of $308 million was lost across 27 flash loan attacks in Q2 2022 -- an enormous increase compared to just $14 million lost to flash loans in Q1. Phishing attacks also increased in frequency between Q1 and Q2 of this year, with CertiK recording 290 in the most recent quarter compared with 106 in the first three months of the year. Discord was the vector for the vast majority of phishing attempts, a signal of its continuing popularity as the social network of choice for the cryptocurrency and NFT scene, despite ongoing security concerns.
CertiK also found that so-called "rug pulls" -- where the founders of a project halt development and abscond with the funds -- were down 16.5 percent from the previous quarter.
Google

Google Tests Battery-Conserving Feature Perfect for Hoarding Tabs (arstechnica.com) 20

Google is testing a method to boost the battery life of Chromebooks by changing how they work with the Chrome web browser. It's shaping up to be a potentially attractive update for users who leave a lot of tabs open on their Chromebooks. From a report: Google Chrome currently cuts the CPU time and throttles the CPU load for any tab you haven't touched or looked at for five minutes. Google calls this "intensive throttling of JavaScript timer wake up," and it's supposed to help conserve system battery life. The feature also makes the page wake up once every 60 seconds to check if you're actively using the tab again. It seems Google is interested in pushing the idea even further, at least for Chromebook users. About Chromebooks this week spotted a new flag in Chrome OS 105, currently being tested in the dev channel, that changes this five-minute period to 10 seconds.
Microsoft

Microsoft Rolls Back Blocking Office VBA Macros By Default (theverge.com) 33

Microsoft is rolling back a planned change to block Visual Basic for Applications (VBA) macros by default in a variety of Office apps. From a report: Announced earlier this year, Microsoft had been planning to prevent Office users from easily enabling certain content in files downloaded from the internet that include macros, in a move to improve security against malicious files. Microsoft had been testing this change ahead of a planned rollout to all Microsoft 365 users in June, but suddenly reverted the block on June 30th. BleepingComputer reports that Microsoft notified IT admins last week that it was rolling back the VBA macro block based on feedback from Office users testing the changes. "We appreciate the feedback we've received so far, and we're working to make improvements in this experience," reads a Microsoft 365 message. The unusual rollback has surprised some Microsoft 365 users, as many had been waiting years for Microsoft to be more aggressive about blocking macros from Office files. Hackers have been regularly targeting Office documents with malicious macros, and Office has typically prompted users to click to enable macros running with a simple button. Microsoft's planned changes meant Office users would only be able to enable the macros by specifically ticking an unblock option on the properties of a file.
Spam

Twitter Says It Removes Over 1 Million Spam Accounts Each Day (reuters.com) 35

Twitter removes more than 1 million spam accounts each day, executives told reporters in a briefing on Thursday, providing new insight into efforts to reduce harmful automated bots as billionaire Elon Musk has demanded more details from the social media company. Reuters reports: The briefing comes after Musk threatened to halt a $44 billion deal to purchase Twitter unless the company showed proof that spam and bot accounts were fewer than 5% of users who see advertising on the social media service. Musk previously tweeted that one of his biggest priorities after acquiring Twitter is to "defeat the spam bots or die trying."

On a conference call, the company reiterated that spam accounts were well under 5% of users who are served advertising, a figure that has been unchanged in its public filings since 2013. Human reviewers manually examine thousands of Twitter accounts at random and use a combination of public and private data in order to calculate and report to shareholders the proportion of spam and bot accounts on the service, Twitter said. The company said it does not believe a calculation of such accounts could be performed externally because it would require private information, but declined to comment on the type of data it would provide to Musk.

Facebook

Meta is Dumping Facebook Logins as Its Metaverse ID System (techcrunch.com) 36

An anonymous reader shares a report: Despite the name change and metaverse hyperbole, Facebook has always been at the center of the Meta suite of software for users engaging with its wider ecosystem. While that may continue to be the case indefinitely, it's clear the company is taking steps to ensure that its next swath of users aren't tied to a network that may still pay the bills but isn't where the company sees its reinvention. Next month, the company will be introducing a new type of login called a Meta account that will allow users to engage with products that previously might have required a Facebook account to use.

At launch, users will be able to use their Meta account to sign up for and log in to the company's Quest hardware, functionality that will come to other Meta devices in the future, the company says. Users can choose to link their Meta account to their Facebook and Instagram accounts as well, or not. Unlike Facebook accounts, users are free to have multiple Meta accounts, the company says. This change addresses the concerns of some VR users who complained about various quirks of relying on a private social media profile login to play video games. While plenty of users were concerned by privacy implications, others were frustrated by more organizational issues related to combining the two accounts with separate friends lists, settings and rules. By the beginning of next year, Meta accounts will be the standard login for VR users.

Encryption

UK Could Force E2E Encrypted Platforms To Do CSAM-Scanning (techcrunch.com) 106

The U.K. government has tabled an amendment (PDF) to the Online Safety Bill that could put it on a collision course with end-to-end encryption. TechCrunch reports: It's proposing to give the incoming internet regulator, Ofcom, new powers to force messaging platforms and other types of online services to implement content-scanning technologies, even if their platform is strongly encrypted -- meaning the service/company itself does not hold keys to decrypt and access user-generated content in the clear. The home secretary, Priti Patel, said today that the government wants the bill to have greater powers to tackle child sexual abuse.

"Child sexual abuse is a sickening crime. We must all work to ensure criminals are not allowed to run rampant online and technology companies must play their part and take responsibility for keeping our children safe," she said in a statement -- which also offers the (unsubstantiated) claim that: "Privacy and security are not mutually exclusive -- we need both, and we can have both and that is what this amendment delivers." The proposed amendment is also being targeted at terrorism content -- with the tabled clause referring to: "Notices to deal with terrorism content or CSEA [child sexual exploitation & abuse] content (or both)."

These notices would allow Ofcom to order a regulated service to use "accredited" technology to identify CSEA or terrorism content which is being publicly shared on their platform and "swiftly" remove it. But the proposed amendment goes further -- also allowing Ofcom to mandate that regulated services use accredited technical means to prevent users from encountering these types of (illegal) content -- whether it's being shared publicly or privately via the service, raising questions over what the power might mean for E2E encryption.
