Following the launch of Apple's new 13-inch MacBook Pro with the M2 chip, it has been discovered that the $1,299 base model with 256GB of storage has significantly slower SSD read/write speeds compared to the equivalent previous-generation model. From a report: YouTube channels such as Max Tech and Created Tech tested the 256GB model with Blackmagic's Disk Speed Test app and found that the SSD's read and write speeds are both around 1,450 MB/s, which is around 50% slower reading and around 30% slower writing compared to the 13-inch MacBook Pro with the M1 chip and 256GB of storage.

Disk Speed Test app numbers shared by Vadim Yuryev of Max Tech:
13-inch MacBook Pro (M1/256GB) Read Speed: 2,900
13-inch MacBook Pro (M2/256GB) Read Speed: 1,446
13-inch MacBook Pro (M1/256GB) Write Speed: 2,215
13-inch MacBook Pro (M2/256GB) Write Speed: 1,463

Yuryev disassembled the new 13-inch MacBook Pro and discovered that the 256GB model is equipped with only a single NAND flash storage chip, whereas the previous model has two NAND chips that are likely 128GB each. This difference likely explains why the new model has a slower SSD, as multiple NAND chips allows for faster speeds in parallel.

Today I learned Turkey's Scientific and Technological Research Council has a subsidiary developing a GNU/Linux distro called Pardus, "redesigned to be used in accordance with the practices and habits of users in Turkey."

And this week the Free Software Foundation published a post from the proud project leader of Pardus, explaining exactly why open source was chosen in the district of Eyüpsultan (on the European side of Istanbul) and how they got it implemented: After the municipal elections held in 2014, the new administration realized (through internal financial analysis reports) that a large amount of money was being spent on licensing proprietary software. Looking to cut costs, management asked for a study to be carried out for solutions. As the Eyüpsultan municipality's IT department, we recommended to replace Microsoft Windows with Pardus GNU/Linux instead. We described our preference to transition to free software as "the desire to be independent from a company as well as the savings to be gained from cutting hefty license fees."

Additionally, we spoke about how the four freedoms would improve things outside of the budget. For example, we told the administration that users, when using free software, can fully benefit from the rights they have over the programs running on their computers. We also informed everyone that, when the software they run is proprietary, it means that a company claims rights over the user, and that such a claim of ownership can place restrictions on users in how they may or may not use the software. We told them that this is unacceptable. Arguments such as these were among the deciding factors that influenced our transition to free software.

The plan was presented to the municipal administration and widely accepted.

The municipal administration approved the project, and in January, 2015, the Eyüpsultan municipality started using free software applications such as LibreOffice (e.g. Writer, Calc, Impress, etc.). Prior to the implementations, basic user training on LibreOffice software was provided to the personnel of the institution. Over time, users were gradually and steadily directed to free systems, and, notably, without receiving backlash from users.... Training was an important item in the transition to Pardus GNU/Linux.
Besides an online support forum, they've also set up a live call center to answer questions. "I think we may be the only distribution that helps with issues via a call center."

So how do they feel now about that transition, eight years later? Free software has many advantages, including flexibility, high performance, major cost savings from licensing fees, independence from any particular company, and compliance with interoperability standards. Therefore, the transition of Eyüpsultan municipality to free software has resulted in benefits that were both strategic and practical. We believe, in the near future, more organizations will need to understand the philosophy of free software and the opportunities that free software provides.

The municipal budget has freed up money as a result of the moving from proprietary software to free software. The savings from the "proprietary software licenses" line of the budget was applied to the district in the form of new projects. The money goes now to, among other things, increasing the number of new parks and gardens, bicycle paths, and security cameras in the parks. Additionally, by increasing the number of classes we provide technical training, we started to provide classes in robotics and computation to young people. The Eyüpsultan municipality is now increasing the opportunities for students to further develop their personalities, abilities, goals, and self-discovery. It introduces young people to technology and encourages them to produce new technologies.
One final effect of using free software? It encourages others to do the same: As a result of this brave decision, many of the Istanbul district municipalities have started working to switch or have already made the switch to the Pardus GNU/Linux operating system. Institutions in other cities of the country have also expressed growing interest by asking questions about the Pardus operating system and free software.

For Stack Overflow's annual survey, "Over 73,000 developers from 180 countries each spent roughly 15 minutes answering our questions," a blog post announces: The top five languages for professional developers haven't changed: JavaScript is still the most used, and Rust is the most loved for a seventh year. The big surprise came in the most loved web framework category. Showing how fast web technologies change, newcomer Phoenix took the most loved spot from Svelte, itself a new entry last year.... Check out the full results from this year's Developer Survey here.
In fact, 87% of Rust developers said that they want to continue using Rust, notes SD Times' summary of the results: Rust also tied with Python as the most wanted technology in this year's report, with TypeScript and Go following closely behind. The distinction between most loved and most wanted is that most wanted includes only developers who are not currently developing with the language, but have an interest in developing with it.
Slashdot reader logankilpatrick writes, "It should come as no surprise to those following the growth and expansion of the Julia Programming Language ecosystem that in this year's Stack Overflow developer survey, Julia ranked in the top 5 for the most loved languages (above Python — 6th, MatLab — Last, and R — 33rd)."

And the Register shares more highlights: Also notable in the 71,547 responses regarding programming languages was a switch again between Python and SQL. In 2021, Python pushed out SQL to be the third most commonly used language. This year SQL regained third place, just behind second placed HTML /CSS.

And the most hated...

Unsurprisingly, developers still dread that tap on the shoulder from the finance department for a tweak to that bit of code upon which the entire company depends. Visual Basic for Applications and COBOL still lurk within the top three most dreaded technologies.

The operating system rankings were little changed: Windows won out for personal and professional use, although for professional use Linux passed macOS to take second place with 40 percent of responses compared to Apple's 33 percent. Most notable was the growth of Windows Subsystem for Linux, which now accounts for 14 percent of personal use compared with a barely registering 3 percent in 2021.
But SD Times noted what may be the most interesting statistic: Only 15% of developers work on-site full time. Forty-three percent are fully remote and 42% are hybrid. Smaller organizations with 2-19 employees are more likely to be in-person, while large organizations with over 10k employees are more likely to be hybrid, according to the survey.
InfoWorld delves into what this means: "The world has made the decision to go hybrid and remote, I have a lot of confidence given the data I have seen that that is a one-way train that has left the station," Prashanth Chandrasekar, CEO of Stack Overflow told InfoWorld.

Chandrasekar says that flexibility and the tech stack developers get to work with are the most important contributors to overall happiness at work. "Many developers drop out of the hiring process because of the tech stack they will be working with," he said... Organizational culture is also shifting, and cloud-native techniques have taken hold among Stack Overflow survey respondents. Most professional developers (70%) now use some form of CI/CD and 60% have a dedicated devops function....

Lastly, Web3 still has software developers torn, with 32% of respondents favorable, 31% unfavorable, and 26% indifferent. Web3 refers to the emerging idea of a decentralized web where data and content are registered on blockchains, tokenized, or managed and accessed on peer-to-peer distributed networks.

Russia's invasion of Ukraine is "the first full-scale battle in which traditional and cyberweapons have been used side by side," reports the New York Times. But the biggest surprise is that "many of the attacks were thwarted, or there was enough redundancy built into the Ukrainian networks that the efforts did little damage... more than two-thirds of them failed, echoing its poor performance on the physical battlefield."

Microsoft president Brad Smith says the ultimate result is Russia's attempted cyberatacks get underreported, according to the Times: [A study published by Microsoft Wednesday] indicated that Ukraine was well prepared to fend off cyberattacks, after having endured them for many years. That was at least in part because of a well-established system of warnings from private-sector companies, including Microsoft and Google, and preparations that included moving much of Ukraine's most important systems to the cloud, onto servers outside Ukraine....

In many instances, Russia coordinated its use of cyberweapons with conventional attacks, including taking down the computer network of a nuclear power plant before moving in its troops to take it over, Mr. Smith said. Microsoft officials declined to identify which plant Mr. Smith was referring to. While much of Russia's cyberactivity has focused on Ukraine, Microsoft has detected 128 network intrusions in 42 countries. Of the 29 percent of Russian attacks that have successfully penetrated a network, Microsoft concluded, only a quarter of those resulted in data being stolen. Outside Ukraine, Russia has concentrated its attacks on the United States, Poland and two aspiring members of NATO, Sweden and Finland...

But Microsoft, other technology companies and government officials have said that Russia has paired those infiltration attempts with a broad effort to deliver propaganda around the world. Microsoft tracked the growth in consumption of Russian propaganda in the United States in the first weeks of the year. It peaked at 82 percent right before the Feb. 24 invasion of Ukraine, with 60 million to 80 million monthly page views. That figure, Microsoft said, rivaled page views on the biggest traditional media sites in the United States. One example Mr. Smith cited was that of Russian propaganda inside Russia pushing its citizens to get vaccinated, while its English-language messaging spread anti-vaccine content. Microsoft also tracked the rise in Russian propaganda in Canada in the weeks before a trucker convoy protesting vaccine mandates tried to shut down Ottawa, and that in New Zealand before protests there against public health measures meant to fight the pandemic.
Russians successfully "sabotaged a satellite communications network called Viasat in the opening days of the war," notes the Washington Post, "with the damage spilling over into other European countries. But Ukraine, working with private tech companies, Western intelligence and its own expert software engineers, has quickly fixed most of the damage..."

"The close partnerships that have emerged between U.S. technology companies and Western cybersecurity agencies is one of the unheralded stories of the war...." "Cyber responses must rely on greater public and private collaboration," argues Brad Smith, Microsoft's president, in a new study... published Wednesday on Microsoft's "lessons learned" from cyber conflict in Ukraine. A White House cyber official explains the new cooperative approach this way: "Where companies see destructive attacks, that has driven partnerships with the intelligence community and other government agencies to see how best we can share information to protect infrastructure around the world." The tech world's sympathies lie with the underdog, Ukraine. That applies to giant firms such as Microsoft and Google....

Ukraine's cybersecurity defense benefited from an early start. U.S. Cyber Command experts went to Ukraine months before the war started, according to its commander, Gen. Paul Nakasone. Microsoft and Google became involved even earlier. Microsoft began monitoring Russian phishing attacks against Ukrainian military networks in early 2021, and through the rest of last year observed increasingly aggressive hacks by six different attackers linked to Russia's three intelligence services, the GRU, SVR and FSB, according to a Microsoft report released in April. Microsoft has spent a total of $239 million on financial and technical assistance to Ukraine, a company official said....

Google, a part of Alphabet, has also helped Ukraine fend off threats. Back in 2014, prompted by Russia's use of DDOS ("distributed denial-of-service") malware in its seizure of Crimea and eastern Ukraine, Google began what it called "Project Shield." Software protected news sites, human rights groups and election sites against crippling DDOS floods of junk internet messages. Today, Project Shield is used by 200 sites in Ukraine and 2,300 others in 140 countries around the world, according to Jared Cohen, the chief executive of Google's Jigsaw unit.

Long-time Slashdot reader theodp writes: Back in 1998, Ellen Ullman wrote in Salon about The dumbing-down of programming: "My programming tools were full of wizards. Little dialog boxes waiting for me to click "Next" and "Next" and "Finish." Click and drag and shazzam! — thousands of lines of working code. No need to get into the "hassle" of remembering the language. No need to even learn it. It is a powerful siren-song lure: You can make your program do all these wonderful and complicated things, and you don't really need to understand."

Twenty-four years later, PVS-Studio has published a translation of Ivan Belokamentsev's cautionary tale of how modernizing his interviewing process from coding on paper to a computer led him to inadvertently hire 'Google Programmers', who dazzled him in interviews and initially on the job, but soon reached a plateau in productivity that puzzled him until he had a gobsmacking realization.
From their article: It was like somebody hit me on the head with a sack of flour. It took me about two days to process it. How is it really possible? The beautiful, well-optimized code they showed me at the first interview was from the Internet. The explosive growth of productivity in the first months was due to the solutions that they found on the Internet. Those answers to user questions after the magic "We'll call you back" from these guys — were found on the Internet. They were coding without understanding the basic constructs. No, they didn't write code — they downloaded it. No, that's not it, either. To download the code is like running "npm i", it's ok. They copy-pasted the code. Without knowing how to write it.

That's what angered me — what the...? Well, I understand when you surf the net to figure out how a new technology works. Or when you need to use some exotic feature and not to bloat your head with unnecessary information. But basic things! How can you copy-paste basic things from the Internet?!
The article meditates on the mindset of "Google" programmers. Rather than learning about basic objects, types, and the constructs of a programming language, "Any information is available to them, always and everywhere. They've learned how to find this information quickly — whether it's the address of a store with cookies, pants on sale or generating a query."

But long-time Slashdot reader AmiMoJo now pushes back: This is dumb. Not everyone has a great memory, and these days there are so many different tools and frameworks that nobody can remember them all anyway. Back in the day when it was all C, you could reasonably write useful code on paper. These days most of that code will probably be interacting with libraries that you have not committed to memory.

If your developers are not progressing, help them. Give them training or mentoring. Challenge them.
And there's also this advice from Slashdot reader Iamthecheese: "Stop selecting for low ethics in your hiring process." There is a stupid, stupid idea out there among the pointy hair types that it's possible to hire top tier candidates for peanuts. This idea has been put into their heads by massively over-promising companies selling HR solutions of all shapes... They're actively selecting people with just enough ability to pass these specific tests and who are unwilling to show their true levels of ability by hashing it out on their own. So you have these untrained people who look for easy ways past problems, but you were expecting "rock stars".
Their suggested solution? "Stop looking for easy, cheap, already trained people and start looking for trainable, people." And then, "show them a little loyalty. That way you'll have people to train new hires, who also know what they're doing on the job."

Phoronix reports a new change was merged into the soon-to-be-released Linux 5.19 on Tuesday, making the kernel's signature verification code compliant with the Federal Information Processing Standards known as FIPS: FIPS are public standards via the National Institute of Standards and Technology used by U.S. government agencies and contractors in the areas of computer security and interoperability... Known-answer self-tests are required for FIPS compliance at startup/reboot, but the Linux kernel's signature verification code has been lacking such tests.

The signature checking code is used for module signing, Kexec, and other functionality. With Linux 5.19 there will now be some basic self-tests at start.
The tests will make their debut in Linux 5.19-rc4.

Thanks to long-time Slashdot reader UnknowingFool for sharing the news!

Since its initial release over a decade ago (and even following Microsoft's 2014 acquisition of developer Mojang), Minecraft has let players create private servers where they're in full control of what behaviors (and players) are allowed. Next week, though, Microsoft is set to roll out a new update that lets it ban a Minecraft player from all online play, including private servers and those hosted on Microsoft's subscription-based Realms plan. From a report: Earlier this week, Microsoft launched a pre-release version of Update 1.19.1 for the Java Edition of Minecraft, which will go live for everyone on Tuesday, June 28. That update will add the ability to report users who abuse the game's chat system and allow for "reported players [to be] be banned from online play and Realms after moderator review." On a recently updated "Why Have I been Banned from Minecraft?" help page, Microsoft notes that banned players will also get a message when they "sign into Minecraft on any platform (non-Java Edition) [aka "Bedrock"]." That message will clarify that "banned players are not allowed to play on servers, join Realms, host or join multiplayer games, or use the marketplace. They are also not allowed to access Minecraft Earth. Xbox players will no longer have access to their worlds [emphasis added]."

Microsoft is preparing to send reminders to Windows 8.1 users that support will end on January 10th 2023. The software giant will start sending notifications to existing Windows 8.1 devices next month, as a first reminder leading up to the January 2023 support cutoff. From a report: The notifications will be similar to ones Microsoft has used in the past to remind Windows 7 users about end of support dates. Microsoft originally sunset Windows 8 support in 2016, but the Windows 8.1 update will cease support fully in January 2023. Microsoft will not be offering an Extended Security Update (ESU) program for Windows 8.1, so businesses won't be able to pay for additional security patches and will have to upgrade or accept the risk of running software without security updates.

An anonymous reader quotes a report from BleepingComputer: The National Security Agency (NSA) and cybersecurity partner agencies issued an advisory today recommending system administrators to use PowerShell to prevent and detect malicious activity on Windows machines. PowerShell is frequently used in cyberattacks, leveraged mostly in the post-exploitation stage, but the security capabilities embedded in Microsoft's automation and configuration tool can also benefit defenders in their forensics efforts, improve incident response, and to automate repetitive tasks. The NSA and cyber security centers in the U.S. (CISA), New Zealand (NZ NCSC), and the U.K. (NCSC-UK) have created a set of recommendations for using PowerShell to mitigate cyber threats instead of removing or disabling it, which would lower defensive capabilities.

Reducing the risk of threat actors abusing PowerShell requires leveraging capabilities in the framework such as PowerShell remoting, which does not expose plain-text credentials when executing commands remotely on Windows hosts. Administrators should be aware that enabling this feature on private networks automatically adds a new rule in Windows Firewall that permits all connections. Customizing Windows Firewall to allow connections only from trusted endpoints and networks helps reduce an attacker's chance for successful lateral movement. For remote connections, the agencies advise using the Secure Shell protocol (SSH), supported in PowerShell 7, to add the convenience and security of public-key authentication:

- remote connections don't need HTTPS with SSL certificates
- no need for Trusted Hosts, as required when remoting over WinRM outside a domain
- secure remote management over SSH without a password for all commands and connections
- PowerShell remoting between Windows and Linux hosts

Another recommendation is to reduce PowerShell operations with the help of AppLocker or Windows Defender Application Control (WDAC) to set the tool to function in Constrained Language Mode (CLM), thus denying operations outside the policies defined by the administrator. Recording PowerShell activity and monitoring the logs are two recommendations that could help administrators find signs of potential abuse. The NSA and its partners propose turning on features like Deep Script Block Logging (DSBL), Module Logging, and Over-the-Shoulder transcription (OTS). The first two enable building a comprehensive database of logs that can be used to look for suspicious or malicious PowerShell activity, including hidden action and the commands and scripts used in the process. With OTS, administrators get records of every PowerShell input or output, which could help determine an attacker's intentions in the environment. The full document, titled "Keeping PowerShell: Security Measures to Use and Embrace" is available here (PDF).

The group responsible for developing and updating the PCI Express standard, the PCI-SIG, aims to update that standard roughly every three years. From a report: Version 6.0 was released earlier this year, and the group has announced that PCIe version 7.0 is currently on track to be finalized sometime in 2025. Like all new PCI Express versions, its goal is to double the available bandwidth of its predecessor, which in PCIe 7.0's case means that a single PCIe 7.0 lane will be able to transmit at speeds of up to 32GB per second. That's a doubling of the 16GB per second promised by PCIe 6.0, but it's even more striking when compared to PCIe 4.0, the version of the standard used in high-end GPUs and SSDs today. A single PCIe 4.0 lane provides bandwidth of about 4GB per second, and you need eight of those lanes to offer the same speeds as a single PCIe 7.0 lane.

Increasing speeds opens the door to ever-faster GPUs and storage devices, but bandwidth gains this large would also make it possible to do the same amount of work with fewer PCIe lanes. Today's SSDs normally use four lanes of PCIe bandwidth, and GPUs normally use 16 lanes. You could use the same number of lanes to support more SSDs and GPUs while still providing big increases in bandwidth compared to today's accessories, something that could be especially useful in servers.

Security researchers at Lookout recently tied a previously unattributed Android mobile spyware, dubbed Hermit, to Italian software house RCS Lab. Now, Google threat researchers have confirmed much of Lookout's findings, and are notifying Android users whose devices were compromised by the spyware. From a report: Hermit is a commercial spyware known to be used by governments, with victims in Kazakhstan and Italy, according to Lookout and Google. Lookout says it's also seen the spyware deployed in northern Syria. The spyware uses various modules, which it downloads from its command and control servers as they are needed, to collect call logs, record ambient audio, redirect phone calls and collect photos, messages, emails, and the device's precise location from a victim's device. Lookout said in its analysis that Hermit, which works on all Android versions, also tries to root an infected Android device, granting the spyware even deeper access to the victim's data. Lookout said that targeted victims are sent a malicious link by text message and tricked into downloading and installing the malicious app -- which masquerades as a legitimate branded telco or messaging app -- from outside of the app store.

A security researcher found vulnerabilities in Jacuzzi's SmartTub interface that allowed access to the personal data of every hot tub owner. From a report: Jacuzzi's SmartTub feature, like most Internet of Things (IoT) systems, lets users connect to their hot tub remotely via a companion Android or iPhone app. Marketed as a "personal hot tub assistant," users can make use of the app to control water temperature, switch on and off jets, and change the lights. But as documented by hacker Eaton Zveare, this functionality could also be abused by threat actors to access the personal information of hot tub owners worldwide, including their names and email addresses. It's unclear how many users are potentially impacted, but the SmartTub app has been downloaded more than 10,000 times on Google Play.

"The main concern is their name and email being leaked," Zveare told TechCrunch, adding that attackers could also potentially heat up someone else's hot tub or change the filtration cycles. "That would make things unpleasant the next time the person checked their tub," he said. "But I don't think there is anything truly dangerous that could have been done -- you have to do all chemicals by hand." Eaton first noticed a problem when he tried to log in using the SmartTub web interface, which uses third-party identity provider Auth0, and found that the login page returned an "unauthorized" error. But for the briefest moment Zveare saw the full admin panel populated with user data flash on his screen.

Russia has levied dozens of cyber espionage campaigns in 42 countries since it invaded Ukraine in February, according to a new Microsoft report. From a report: The report says those efforts have targeted entities across six continents and primarily focused on NATO allies and groups supporting Ukraine. "The Russian invasion relies in part on a cyber strategy that includes at least three distinct and sometimes coordinated efforts -- destructive cyberattacks within Ukraine, network penetration and espionage outside Ukraine and cyber influence operations targeting people around the world," Microsoft President Brad Smith said in the report. The tech giant previously detailed Russian cyber operations against Ukraine itself during the invasion in April. Sixty-three percent of the observed Russian activity in the 42 countries beyond Ukraine targeted NATO members, according to the new report. The United States has been Russia's top target, but the company also noted a large amount of activity in Poland -- which borders Ukraine and has provided significant military and humanitarian assistance to the country -- as well as the Baltic states.

Brave blog: One year ago, we launched Brave Search to give everyone online a real choice over Big Tech: a privacy-protecting, unbiased alternative to Google and Bing, and a truly independent alternative to providers -- such as DuckDuckGo or Startpage -- that rely on Big Tech to run. Today, Brave Search is exiting its beta phase. [...] Brave Search has grown faster than any search provider since Bing. Some numbers: 2.5 billion queries in the past 365 days, a high of 14.1 million queries per day, 5 billion queries annualized (projection based on current monthly totals).

An anonymous reader quotes a report from Ars Technica: In the decade since larger-than-life character Kim Dotcom founded Mega, the cloud storage service has amassed 250 million registered users and stores a whopping 120 billion files that take up more than 1,000 petabytes of storage. A key selling point that has helped fuel the growth is an extraordinary promise that no top-tier Mega competitors make: Not even Mega can decrypt the data it stores. On the company's homepage, for instance, Mega displays an image that compares its offerings to Dropbox and Google Drive. In addition to noting Mega's lower prices, the comparison emphasizes that Mega offers end-to-end encryption, whereas the other two do not. Over the years, the company has repeatedly reminded the world of this supposed distinction, which is perhaps best summarized in this blog post. In it, the company claims, "As long as you ensure that your password is sufficiently strong and unique, no one will ever be able to access your data on MEGA. Even in the exceptionally improbable event MEGA's entire infrastructure is seized!" (emphasis added). Third-party reviewers have been all too happy to agree and to cite the Mega claim when recommending the service.

Research published on Tuesday shows there's no truth to the claim that Mega, or an entity with control over Mega's infrastructure, is unable to access data stored on the service. The authors say that the architecture Mega uses to encrypt files is riddled with fundamental cryptography flaws that make it trivial for anyone with control of the platform to perform a full key recovery attack on users once they have logged in a sufficient number of times. With that, the malicious party can decipher stored files or even upload incriminating or otherwise malicious files to an account; these files look indistinguishable from genuinely uploaded data.

After receiving the researchers' report privately in March, Mega on Tuesday began rolling out an update that makes it harder to perform the attacks. But the researchers warn that the patch provides only an "ad hoc" means for thwarting their key-recovery attack and does not fix the key reuse issue, lack of integrity checks, and other systemic problems they identified. With the researchers' precise key-recovery attack no longer possible, the other exploits described in the research are no longer possible, either, but the lack of a comprehensive fix is a source of concern for them. "This means that if the preconditions for the other attacks are fulfilled in some different way, they can still be exploited," the researchers wrote in an email. "Hence we do not endorse this patch, but the system will no longer be vulnerable to the exact chain of attacks that we proposed." Mega has published an advisory here. However, the chairman of the service says that he has no plans to revise promises that the company cannot access customer data.

An anonymous reader quotes a report from BleepingComputer: Security researchers found that Adobe Acrobat is trying to block security software from having visibility into the PDF files it opens, creating a security risk for the users. Adobe's product is checking if components from 30 security products are loaded into its processes and likely blocks them, essentially denying them from monitoring for malicious activity. [...] In a post on Citrix forums on March 28, a user complaining about Sophos AV errors due to having an Adobe product installed said that the company "suggested to disable DLL-injection for Acrobat and Reader.

Replying to BleepingComputer, Adobe confirmed that users have reported experiencing issue due to DLL components from some security products being incompatible with Adobe Acrobat's usage of the CEF library: "We are aware of reports that some DLLs from security tools are incompatible with Adobe Acrobat's usage of CEF, a Chromium based engine with a restricted sandbox design, and may cause stability issues." The company added that it is currently working with these vendors to address the problem and "to ensure proper functionality with Acrobat's CEF sandbox design going forward." Minerva Labs researchers argue that Adobe chose a solution that solves compatibility problems but introduces a real attack risk by preventing security software from protecting the system.

An anonymous reader quotes a report from The Register: More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found. Data recorded from last year reflected a 64 percent increase over 2020's total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said. Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years. This represents a 34 percent increase from 2020.

With all those credentials available for sale online, account takeover attacks have proliferated as well, the report said. Seventy-five percent of the passwords for sale online were not unique, noted Digital Shadows, which said everyone needs to be wary. Proactive account protection, consistent application of good authentication habits, and awareness of one's organizational digital footprint are necessary to protect against account takeover attacks, the study found. Individuals, the report said, should "use multi-factor authentication, password managers, and complex, unique passwords."

An anonymous reader quotes a report from Krebs on Security: Check out this handmade sign posted to the front door of a shuttered Jimmy John's sandwich chain shop in Missouri last week. See if you can tell from the store owner's message what happened. If you guessed that someone in the Jimmy John's store might have fallen victim to a Business Email Compromise (BEC) or "CEO fraud" scheme -- wherein the scammers impersonate company executives to steal money -- you'd be in good company. In fact, that was my initial assumption when a reader in Missouri shared this photo after being turned away from his favorite local sub shop. But a conversation with the store's owner Steve Saladin brought home the truth that some of the best solutions to fighting fraud are even more low-tech than BEC scams.

Visit any random fast-casual dining establishment and there's a good chance you'll see a sign somewhere from the management telling customers their next meal is free if they don't receive a receipt with their food. While it may not be obvious, such policies are meant to deter employee theft. You can probably guess by now that this particular Jimmy John's franchise -- in Sunset Hills, Mo. -- was among those that chose not to incentivize its customers to insist upon receiving receipts. Thanks to that oversight, Saladin was forced to close the store last week and fire the husband-and-wife managers for allegedly embezzling nearly $100,000 in cash payments from customers. Saladin said he began to suspect something was amiss after he agreed to take over the Monday and Tuesday shifts for the couple so they could have two consecutive days off together. He said he noticed that cash receipts at the end of the nights on Mondays and Tuesdays were "substantially larger" than when he wasn't manning the till, and that this was consistent over several weeks. Then he had friends proceed through his restaurant's drive-thru, to see if they received receipts for cash payments.

"One of [the managers] would take an order at the drive-thru, and when they determined the customer was going to pay with cash the other would make the customer's change for it, but then delete the order before the system could complete it and print a receipt," Saladin said. Saladin said his attorneys and local law enforcement are now involved, and he estimates the former employees stole close to $100,000 in cash receipts. That was on top of the $115,000 in salaries he paid in total each year to both employees. Saladin also has to figure out a way to pay his franchisor a fee for each of the stolen transactions. Now Saladin sees the wisdom of adding the receipt sign, and says all of his stores will soon carry a sign offering $10 in cash to any customers who report not receiving a receipt with their food.

Tapping on images of traffic lights or deciphering squiggly text to prove you are human will soon be a much less common nuisance for iPhone users, as iOS 16 introduces support for bypassing CAPTCHAs in supported apps and websites. From a report: The handy new feature can be found in the Settings app under Apple ID > Password & Security > Automatic Verification. When enabled, Apple says iCloud will automatically and privately verify your device and Apple ID account in the background, eliminating the need for apps and websites to present you with a CAPTCHA verification prompt.

ZDNet is warning that Linux users need to watch out for "a new peer-to-peer (P2P) botnet that spreads between networks using stolen SSH keys and runs its crypto-mining malware in a device's memory." The Panchan P2P botnet was discovered by researchers at Akamai in March and the company is now warning it could be taking advantage of collaboration between academic institutions to spread by causing previously stolen SSH authentication keys to be shared across networks.

But rather than stealing intellectual property from these educational institutions, the Panchan botnet is using their Linux servers to mine cryptocurrency, according to Akamai... "Instead of just using brute force or dictionary attacks on randomized IP addresses like most botnets do, the malware also reads the id_rsa and known_hosts files to harvest existing credentials and use them to move laterally across the network...." Akamai found 209 peers, but only 40 of them are currently active and they were mostly located in Asia.

And why is the education sector more impacted by Panchan? Akamai guesses this could be because of poor password hygiene, or that the malware moves across the network with stolen SSH keys.
Akamai writes that the malware "catches Linux termination signals (specifically SIGTERM — 0xF and SIGINT — 0x2) that are sent to it, and ignores them.

"This makes it harder to terminate the malware, but not impossible, since SIGKILL isn't handled (because it isn't possible, according to the POSIX standard, page 313)."