IT

Salesforce Takes Crypto Plunge With New NFT Cloud (techcrunch.com) 33

An anonymous reader shares a report: Who knows whether it's FOMO or actual customer demand for such a thing, but Salesforce announced today that it's launching a pilot of NFT Cloud, a new platform for buying and selling these crypto assets. It's a turn to the future, according to the company, one it insists comes from customer curiosity. "Salesforce is seeing interest from CMOs and CDOs who are asking for help entering web3, and we are enthusiastic about bringing new innovations, products and offerings to our customers in a way that allows them to build and maintain meaningful relationships with their customers," Adam Caplan, SVP of Emerging Technology at Salesforce told TechCrunch.

The company's goal with this product is to make NFT selling more accessible. "NFT Cloud is all about helping our customers mint, manage and sell NFTs, and of course it's all no code. So it's super easy on our platform, abstracting all the complicated technology in this [new] web3 world," he said. He says he's seeing interest across a variety of verticals including retail, media, fashion and consumer goods, among others. "It's really about driving engagement and communities, and we're seeing super passionate communities in the NFT space..." Caplan explained. He sees it as a way to market to customers with something of potential value to them. "It's really about utility. And what we mean by utility is as an NFT holder, I receive certain benefits. It could be something in a digital world, or it could be something in the physical world," he said.

Security

MacOS Will Soon Block Unknown USB-C Accessories By Default (techcrunch.com) 175

An anonymous reader quotes a report from TechCrunch: A new security feature in Apple's upcoming macOS 13 Ventura will automatically block new USB-C devices from communicating with the operating system until the accessory can be approved by the user. Apple dropped details of the new security feature in its release notes; it appears to be aimed at protecting newer Apple laptops that run its bespoke M1 or M2 chips from potentially malicious accessories.

According to Apple's description, the feature will be enabled by default and will require the user to approve a USB-C accessory before it can talk to the operating system -- essentially an on-screen pop-up asking the user for permission. Apple says this doesn't apply to power adapters, standalone displays, and connections to an approved hub -- and devices can still charge even if you don't approve the accessory. Apple says that accessories that are already connected will automatically work when updating to the new macOS software.

IT

Who Needs Modern Emacs? (batsov.com) 135

Bozhidar Batsov writes: Every now and again I come across some discussion on making Emacs "modern". The argument always goes more or less like this - Emacs doesn't look and behave like and the world will end if we don't copy something "crucial" from it. [...] If you ask me -- there's pretty much nothing we can do that would suddenly make Emacs as popular as VS Code. But you know what -- that's perfectly fine. After all there are plenty of "modern" editors that are even less popular than Emacs, so clearly being "modern" doesn't make you popular. And there's also our "arch-nemesis" vim, that's supposedly as "dated" as Emacs, but is extremely popular.

Databases

MongoDB 6.0 Brings Encrypted Queries, Time-Series Data Collection (thenewstack.io) 53

The developers behind the open source MongoDB, and its commercial service counterpart MongoDB Atlas, have been busy making the document database easier to use for developers. From a report: Available in preview, Queryable Encryption provides the ability to query encrypted data, with the entire query transaction being encrypted -- an industry first according to MongoDB. This feature will be of interest to organizations with a lot of sensitive data, such as banks, health care institutions and the government. This eliminates the need for developers to be experts in encryption, Davidson said. This end-to-end client-side encryption uses novel encrypted index data structures; the data being searched remains encrypted at all times on the database server, including in memory and in the CPU. The keys never leave the application, and the company maintains that neither the query speed nor overall application performance is impacted by the new feature.

MongoDB is also now supporting time series data, which are important for monitoring physical systems, quick-moving financial data, or other temporally-oriented datasets. In MongoDB 6.0, time-series collections can have secondary indexes on measurements, and the database system has been optimized to sort time-based data more quickly. Although there are a number of databases specifically geared towards time-series data specifically, such as InfluxDB, many organizations may not want to stand-up an entire database system for this specific use, a separate system costing more in terms of support and expertise, Davidson argued. Another feature is Cluster-to-Cluster Synchronization, which provides the continuous data synchronization of MongoDB clusters across environments. It works with Atlas, in private cloud, on-premises, or on the edge. This sets the stage for using data in multiple places for testing, analytics, and backup.

Software

Apple is Finally Adding Some of Gmail's Best Features To Its Own Email Apps (theverge.com) 53

Apple announced some major new features for Mail that finally bring the email app closer to parity with Gmail and other popular email clients. From a report: Perhaps the most useful will be an undo send feature, which will let you call back an email within 10 seconds of hitting the send button. A "remind me" feature will let you set a time for an email to come back to the top of your inbox. A new scheduled send feature allows you to specify exactly when an email should go out. And Mail will even tell you when it thinks you've forgotten to include an attachment.

Security

LastPass No Longer Requires a Password To Access Your Vault (engadget.com) 29

LastPass says they're now the first password manager with a passwordless sign-in feature. Engadget reports: Grant permission through the LastPass Authenticator mobile app and you can update account info on the web without entering your master password. The approach relies on FIDO-compliant password-free technology. The feature is available to both personal and business users. LastPass is also promising options beyond the Authenticator app in the future, such as relying on biometric scans or hardware security keys.
Security

Italian City of Palermo Shuts Down All Systems To Fend Off Cyberattack (bleepingcomputer.com) 11

Palermo in Southern Italy, home to about 1.3 million people, has shut down all its services, public websites, and online portals following a cyberattack on Friday. BleepingComputer reports: It's impossible to communicate or request any service that relies on digital systems, and all citizens have to use obsolete fax machines to reach public offices. Moreover, tourists cannot access online bookings for tickets to museums and theaters (Massimo Theater) or even confirm their reservations on sports facilities. Finally, limited traffic zone cards are impossible to acquire, so no regulation occurs, and no fines are issued for relevant violations. Unfortunately, the historical city center requires these passes for entrance, so tourists and local residents are severely impacted.

Italy recently received threats from the Killnet group, a pro-Russian hacktivist group that attacks countries that support Ukraine with resource-depleting cyberattacks known as DDoS (distributed denial of service). While some were quick to point the finger at Killnet, the cyberattack on Palermo bears the signs of a ransomware attack rather than a DDoS. The councilor for innovation in the municipality of Palermo, Paolo Petralia Camassa, has stated that all systems were cautiously shut down and isolated from the network while he also warned that the outage might last for a while.

Security

Apple 'Passkeys' Could Finally Kill Off the Password For Good (techcrunch.com) 141

Apple demonstrated "passkeys" at WWDC 2022, a new biometric sign-in standard that could finally kill off the password for good. TechCrunch reports: Passkeys are based on the Web Authentication API (WebAuthn), a standard that uses public-key cryptography instead of passwords for authenticating users to websites and applications, and are stored on-device rather than on a web server. The digital password replacement uses Touch ID or Face ID for biometric verification, which means that rather than having to input a long string of characters, an app or website you're logging into will push a request to your phone for authentication.

During its WWDC demo of the password-free technology, Apple showed how passkeys are backed up within the iCloud Keychain and can be synced across Mac, iPhone, iPad and Apple TV with end-to-end encryption. Users will also be able to sign in to websites and apps on non-Apple devices using an iPhone or iPad to scan a QR code and Touch ID or Face ID to authenticate. "Because it's just a single tap to sign in, it's simultaneously easier, faster and more secure than almost all common forms of authentication today," said Garrett Davidson, an Apple engineer on the Authentication Experience team.

Security

Ukrainian Officials' Phones Targeted By Hackers (reuters.com) 34

The phones of Ukrainian officials have been targeted by hackers as Russia pursues its invasion of Ukraine, a senior cybersecurity official said Monday. Reuters: Victor Zhora, the deputy head of Ukraine's State Special Communications Service, said that phones being used by the country's public servants had come under sustained targeting. "We see a lot of attempts to hack Ukrainian officials' phones, mainly with the spreading of malware," Zhora told journalists at an online news conference meant to mark the 100 days since Russian forces poured across the border. Zhora said his service had, so far, not seen any evidence that Ukrainian devices had been compromised. The hacking of government leaders' devices crept up the international agenda following a cascade of revelations last year around how phones used by presidents, ministers, and other government officials had been targeted or compromised.

IT

Companies Are Having Trouble Enforcing Return-to-Office Policies (npr.org) 349

NPR reports: Just last month [Apple] decided to postpone its plan after more than 1,000 current and former employees signed an open letter calling the plan inefficient, inflexible and a waste of time. "Stop treating us like school kids who need to be told when to be where and what homework to do," they wrote. It was yet more evidence of the shift in the balance of power between management and rank and file, as demand for workers has hit record highs in the past year.

Companies are finding it hard to enforce unpopular policies and mandates when they fear their workers could just walk away.... Google maps workers, who are employed by the tech company Cognizant, also decided to fight back. They connected with the Alphabet Workers Union and signed a petition citing COVID fears, the costs of commuting amid $5 gas, and the increase in productivity and morale that employees have experienced while working from home.... "Our first day back to the Bothell office full-time will now be September 6," the company said in a statement released on Thursday.

Even as some companies seek to bring back some semblance of office life, others are asking: What is the office for anyway?

In an iconic moment, NPR's reporter also visited a management consulting firm, where their new human resources worker (who started in May) admits that "It's hard to even fathom going into the office 100%. I don't think I could do it ever again."

Saturday the New York Times also reported that some corporate leaders "might find themselves fighting a culture shift beyond their control.... [Non-paywalled version here]

"If the pandemic's two-plus years of remote work experimentation have taught us anything, it's that many people can be productive outside the office, and quite a few are happier doing so." Even as the pandemic has changed course, there are signs that the work-from-home trend is actually accelerating. One recent survey published in the National Bureau of Economic Research found that employers are now saying they will allow employees to work from home an average of 2.3 days per week, up from 1.5 days in the summer of 2020.

It's not just the office — it's also the commute. The Wall Street Journal reported this week that almost all of the major cities with the biggest drops in office occupancy during the pandemic had an average one-way commute of more than 30 minutes; and most cities with the smallest drops had shorter commutes.

Microsoft

Microsoft Tries Collaborating with Unions to Avoid 'Public Disputes' (msn.com) 40

"Microsoft on Thursday announced a new strategy for dealing with organized labor..." reports the Washington Post (in a story republished on MSN.com): In a blog post shared with The Washington Post, Microsoft President Brad Smith wrote that the company will respect workers' rights to unionize and plans to work collaboratively with organized labor organizations to "make it simpler rather than more difficult" for employees to unionize if they so choose.

Microsoft is in the process of completing a $69 billion acquisition of Activision, a video game company where employees of a small subsidiary voted to unionize in March. That union, the Game Workers Alliance, is a division of the Communications Workers of America (CWA), which in a statement called Microsoft's announcement "encouraging and unique among the major tech companies." CWA Secretary-Treasurer Sara Steffens added that "to truly give workers a legally protected voice in decisions that affect them and their families, these principles must be put into action and incorporated into Microsoft's day-to-day operations and its expectations for its contractors...."

Rebecca Givan, a Rutgers University professor of labor relations, said Microsoft's announcement could mean the company is trying to smooth things over with employees interested in unionizing. "There's a lot of actual organizing or talk or desire in the video game sector, and that's a piece of what Microsoft does. That might be what they're trying to get out in front of," Givan said.

The article argues that Microsoft is "attempting to set itself apart from other Big Tech firms like Google and Amazon that have clashed publicly with employees seeking union representation." And it provides specific examples where other big tech companies have "gotten into trouble" with America's National Labor Relations Board:
  • "The labor board has repeatedly found that Amazon wrongfully terminated or retaliated against workers who were involved with union organizing."
  • "Google, too, has had to settle charges with workers who said the company fired them in response to union organizing."
  • "Workers at Apple told The Post in April that they were targeted by management for supporting the union and threatened with the loss of certain benefits and opportunities for promotion."

The president of America's largest federation of unions, the AFL-CIO, tells the Post in a statement that "Microsoft's collaborative approach to working with its employees who seek to organize is a best practice that we look forward to seeing implemented at Microsoft and other companies."


Bug

An Actively Exploited Microsoft Zero-Day Flaw Still Has No Patch (wired.com) 38

"An actively exploited Microsoft zero-day flaw still has no patch," Wired wrote Friday (in an article they've designated as "free for a limited time only.")

Microsoft first received reports of the flaw on April 21st, the article points out, and researchers have now seen malicious Word documents exploiting Follina for targets in Russia, India, the Philippines, Belarus, and Nepal. Yet "The company continues to downplay the severity of the Follina vulnerability, which remains present in all supported versions of Windows." Researchers warned last weekend that a flaw in Microsoft's Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. Microsoft released guidance on Monday, including temporary defense measures. By Tuesday, the United States Cybersecurity and Infrastructure Security Agency had warned that "a remote, unauthenticated attacker could exploit this vulnerability," known as Follina, "to take control of an affected system." But Microsoft would not say when or whether a patch is coming for the vulnerability, even though the company acknowledged that the flaw was being actively exploited by attackers in the wild. And the company still had no comment about the possibility of a patch when asked by WIRED [Thursday].

The Follina vulnerability in a Windows support tool can be easily exploited by a specially crafted Word document. The lure is outfitted with a remote template that can retrieve a malicious HTML file and ultimately allow an attacker to execute PowerShell commands within Windows. Researchers note that they would describe the bug as a "zero-day," or previously unknown vulnerability, but Microsoft has not classified it as such. "After public knowledge of the exploit grew, we began seeing an immediate response from a variety of attackers beginning to use it," says Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that while attackers have primarily been observed exploiting the flaw through malicious documents thus far, researchers have discovered other methods as well, including the manipulation of HTML content in network traffic....

The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. Microsoft's main proposed mitigation involves disabling a specific protocol within Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor for and block exploitation.

But incident responders say that more action is needed, given how easy it is to exploit the vulnerability and how much malicious activity is being detected.
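The "specific protocol" in Microsoft's interim guidance is the ms-msdt: URL handler; the published workaround was to export and then delete the HKEY_CLASSES_ROOT\ms-msdt registry key, which stops Office from handing that scheme to the diagnostic tool. For responders who also want to find lures before they are opened, the chain described above leaves two artefacts worth scanning for: a .docx whose attached-template relationship points at a remote host (a remote template is unusual, a local Normal.dotm is not), and a fetched HTML page that invokes ms-msdt: with an IT_BrowseForFile parameter carrying the smuggled command. The scanner below is an added example, not code from Wired, Microsoft or the quoted researchers; the documents, the TEST-NET URL and the placeholder payload it checks are all constructed for the demonstration.

```python
"""Detection heuristics for the Follina delivery chain described above: a Word
document whose attached template is fetched from a remote host, followed by an
HTML page that invokes the MSDT URL-protocol handler (ms-msdt:). Added example;
not code from Wired, Microsoft or the quoted researchers. Every sample document
and page below is constructed for the demonstration."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# The scheme Microsoft's interim guidance disables by removing HKCR\ms-msdt.
MSDT_SCHEME_RE = re.compile(r"ms-msdt:", re.IGNORECASE)
# Parameter the public payloads used to smuggle a PowerShell expression into MSDT.
MSDT_PARAM_RE = re.compile(r"IT_BrowseForFile\s*=", re.IGNORECASE)


def is_remote_target(target: str) -> bool:
    """True when a relationship target is fetched over the network.

    Word legitimately records the local template as an External relationship
    (file:///C:/.../Normal.dotm), so TargetMode="External" alone is not a signal.
    """
    target = target.strip()
    if target.startswith("\\\\"):                     # bare UNC path
        return True
    parts = urlsplit(target)
    if parts.scheme.lower() in ("http", "https"):
        return True
    return parts.scheme.lower() == "file" and bool(parts.netloc)  # file://server/share


def inspect_docx(data: bytes) -> dict:
    """Scan every part of a .docx for the ms-msdt: scheme and every .rels part
    for remote attachedTemplate targets; return the findings plus a verdict."""
    findings = {"remote_templates": [], "msdt_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if MSDT_SCHEME_RE.search(blob.decode("utf-8", "ignore")):
                findings["msdt_parts"].append(name)
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(blob)
            except ET.ParseError:
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("Type") == ATTACHED_TEMPLATE and is_remote_target(target):
                    findings["remote_templates"].append(target)
    findings["suspicious"] = bool(findings["remote_templates"] or findings["msdt_parts"])
    return findings


def inspect_html(page: str) -> bool:
    """Second stage: a fetched template page that launches MSDT with a smuggled
    parameter. Works equally on HTML captured from a proxy."""
    return bool(MSDT_SCHEME_RE.search(page) and MSDT_PARAM_RE.search(page))


def build_docx(template_target: str) -> bytes:
    """Construct a minimal .docx-shaped zip whose settings part points at the
    given template (constructed test input, not a real Word document)."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{ATTACHED_TEMPLATE}" Target="{template_target}" '
            'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml",
                    '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>')
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed samples: an ordinary document, and a lure pulling its template from a
# TEST-NET address. The command inside $(...) in the page is inert placeholder text.
BENIGN_DOCX = build_docx(
    "file:///C:/Users/alice/AppData/Roaming/Microsoft/Templates/Normal.dotm")
LURE_DOCX = build_docx("http://203.0.113.10/template.html")
LURE_HTML = ('<script>window.location.href = "ms-msdt:/id PCWDiagnostic /skip force '
             '/param \\"IT_RebrowseForFile=? IT_BrowseForFile=$(PLACEHOLDER)\\"";</script>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOCX), ("lure", LURE_DOCX)):
        print(label, inspect_docx(doc))
    print("html", inspect_html(LURE_HTML))
```

Two caveats when running this over a mail gateway's attachments: remote templates are also used by some legitimate corporate template servers, so the remote-template hit is a triage signal rather than a verdict, and the document itself usually does not contain ms-msdt: at all (the scheme arrives in the fetched HTML), which is why the second check belongs on proxy traffic as well as on files.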

The Register adds that the flaw works in Microsoft Word even when macros are disabled. (Thanks to long-time Slashdot reader Z00L00K for sharing the story!)

Friday Microsoft went into the vulnerability's official CVE report and added this update.

"Microsoft is working on a resolution and will provide an update in an upcoming release."
EU

EU Deal on Single Mobile Charging Port Likely June 7 in Setback for Apple (reuters.com) 151

EU countries and EU lawmakers are set to agree on a common charging port for mobile phones, tablets and headphones on June 7 when they meet to discuss a proposal that has been fiercely criticised by Apple, Reuters reported Friday, citing people familiar with the matter. From the report: The proposal for a single mobile charging port was first broached by the European Commission more than a decade ago after iPhone and Android users complained about having to use different chargers for their phones. The former is charged from a Lightning cable while Android-based devices are powered using USB-C connectors. The trilogue next Tuesday will be the second and likely the final one between EU countries and EU lawmakers on the topic, an indication of a strong push to get a deal done, the people said.

Security

Russian Hacking Gang Evil Corp Shifts Its Extortion Strategy After Sanctions (bloomberg.com) 20

A notorious Russian cybercrime group has updated its attack methods in response to sanctions that prohibit US companies from paying it a ransom, according to cybersecurity researchers. From a report: The security firm Mandiant said Thursday it believes that the Evil Corp gang is now using a well-known ransomware tool named LockBit. Evil Corp has shifted to using LockBit, a form of ransomware used by numerous cybercrime groups, rather than its own brand of malicious software to hide evidence of the gang's involvement so that compromised organizations are more likely to pay an extortion fee, researchers said. The US Treasury Department in 2019 sanctioned the alleged leaders of the Evil Corp gang, creating legal liabilities for American companies that knowingly send ransom funds to the hackers. While cybersecurity firms have associated Evil Corp with two kinds of malware strains, known as Dridex and Hades, the group's use of LockBit could cause hacked organizations to believe that another hacking group, other than Evil Corp, was behind the breach. Evil Corp is believed to be behind some of the worst banking fraud and computer hacking schemes of the past decade, stealing more than $100 million from companies across 40 countries, according to the US government.

United States

Cyber Command Chief Confirms US Took Part in Offensive Cyber Operations (reuters.com) 69

U.S. Cyber Command Director Gen. Paul Nakasone confirmed for the first time that the U.S. had conducted offensive cyber operations in support of Ukraine. From a report: "We've conducted a series of operations across the full spectrum: offensive, defensive, [and] information operations," Nakasone said in an interview Wednesday with Sky News, a British television news channel. Although the general did not provide specifics, he said the operations were lawful and conducted with civilian oversight of the military. "My job is to provide a series of options to the secretary of Defense and the president, and so that's what I do," he told Sky News. Nakasone previously said his agency deployed a "hunt forward" team in December to help Ukraine shore up its cyber defenses and networks against active threats. But his latest remarks appear to be the first time that a U.S. official said publicly that the U.S. has been involved in offensive cyber operations in response to Russia's invasion of Ukraine.
The Internet

Connecticut Will Pay a Security Analyst 150K To Monitor Election Memes (popsci.com) 140

An anonymous reader quotes a report from Popular Science: Ahead of the upcoming midterm elections, Connecticut is hiring a "security analyst" tasked with monitoring and addressing online misinformation. The New York Times first reported this new position, saying the job description will include spending time on "fringe sites like 4chan, far-right social networks like Gettr and Rumble and mainstream social media sites." The goal is to identify election-related rumors and attempt to mitigate the damage they might cause by flagging them to platforms that have misinformation policies and promoting educational content that can counter those false narratives.

Connecticut Governor Ned Lamont's midterm budget (PDF), approved in early May, set aside more than $6 million to make improvements to the state's election system. That includes $4 million to upgrade the infrastructure used for voter registration and election management and $2 million for a "public information campaign" that will provide information on how to vote. The full-time security analyst role is recommended to receive $150,000. "Over the last few election cycles, malicious foreign actors have demonstrated the motivation and capability to significantly disrupt election activities, thus undermining public confidence in the fairness and accuracy of election results," the budget stated, as an explanation for the funding.

While the role is a first for Connecticut, the NYT noted that it's part of a growing nationwide trend. Colorado, for example, has a Rapid Response Election Security Cyber Unit tasked with monitoring online misinformation, as well as identifying "cyber-attacks, foreign interference, and disinformation campaigns." Originally created in anticipation of the 2020 presidential election, which proved to be fruitful ground for misinformation, the NYT says the unit is being "redeployed" this year. Other states, including Arizona, California, Idaho, and Oregon, are similarly funding election information initiatives in an attempt to counter misinformation, provide educational information, or do both.

Security

FBI Blocked Planned Cyberattack on Children's Hospital (apnews.com) 35

The FBI thwarted a planned cyberattack on a children's hospital in Boston that was to have been carried out by hackers sponsored by the Iranian government, FBI Director Christopher Wray said Wednesday. From a report: Wray told a Boston College cybersecurity conference that his agents learned of the planned digital attack from an unspecified intelligence partner and got Boston Children's Hospital the information it needed last summer to block what would have been "one of the most despicable cyberattacks I've seen."

"And quick actions by everyone involved, especially at the hospital, protected both the network and the sick kids who depended on it," Wray said. The FBI chief recounted that anecdote in a broader speech about ongoing cyber threats from Russia, China and Iran and the need for partnerships between the U.S. government and the private sector.

Programming

Should IT Professionals Be Liable for Ransomware Attacks? (acm.org) 250

Denmark-based Poul-Henning Kamp describes himself as the "author of a lot of FreeBSD, most of Varnish and tons of other Open Source Software." And he shares this message in June's Communications of the ACM.

"The software industry is still the problem." If any science fiction author, famous or obscure, had submitted a story where the plot was "modern IT is a bunch of crap that organized crime exploits for extortion," it would have gotten nowhere, because (A) that is just not credible, and (B) yawn!

And yet, here we are.... As I write this, 200-plus corporations, including many retail chains, have inoperative IT because extortionists found a hole in some niche, third-party software product most of us have never heard of.

But he's also proposing a solution. In Denmark, 129 jobs are regulated by law. There are good and obvious reasons why it is illegal for any random Ken, Brian, or Dennis to install toilets or natural-gas furnaces, perform brain surgery, or certify a building is strong enough to be left outside during winter. It may be less obvious why the state cares who runs pet shops, inseminates cattle, or performs zoological taxidermy, but if you read the applicable laws, you will learn that animal welfare and protection of endangered species have many and obscure corner cases.

Notably absent, as in totally absent, on that list are any and all jobs related to IT; IT architecture, computers, computer networks, computer security, or protection of privacy in computer systems. People who have been legally barred and delicensed from every other possible trade — be it for incompetence, fraud, or both — are entirely free to enter the IT profession and become responsible for the IT architecture or cybersecurity of the IT system that controls nearly half the hydrocarbons to the Eastern Seaboard of the U.S....

With respect to gas, water, electricity, sewers, or building stability, the regulations do not care if a company is hundreds of years old or just started this morning, the rules are always the same: Stuff should just work, and only people who are licensed — because they know how to — are allowed to make it work, and they can be sued if they fail to do so.

The time is way overdue for IT engineers to be subject to professional liability, like almost every other engineering profession. Before you tell me that is impossible, please study how the very same thing happened with electricity, planes, cranes, trains, ships, automobiles, lifts, food processing, buildings, and, for that matter, driving a car.

As with software product liability, the astute reader is apt to exclaim, "This will be the end of IT as we know it!" Again, my considered response is, "Yes, please, that is precisely my point!"

Crime

New Linux-Based Ransomware Targets VMware Servers (csoonline.com) 36

"Researchers at Trend Micro have discovered some new Linux-based ransomware that's being used to attack VMware ESXi servers," reports CSO Online. (They describe the ESXi servers as "a bare-metal hypervisor for creating and running several virtual machines that share the same hard drive storage.") Called Cheerscrypt, the bad app is following in the footsteps of other ransomware programs — such as LockBit, Hive and RansomEXX — that have found ESXi an efficient way to infect many computers at once with malicious payloads.

Roger Grimes, a defense evangelist with security awareness training provider KnowBe4, explains that most of the world's organizations operate using VMware virtual machines. "It makes the job of ransomware attackers far easier because they can encrypt one server — the VMware server — and then encrypt every guest VM it contains. One compromise and encryption command can easily encrypt dozens to hundreds of other virtually run computers all at once."

"Most VM shops use some sort of VM backup product to back up all guest servers, so finding and deleting or corrupting one backup repository kills the backup image for all the hosted guest servers all at once," Grimes adds....

The gang behind Cheerscrypt uses a "double extortion" technique to extract money from its targets, the researchers explain. "Security Alert!!!" the attackers' ransom message declares. "We hacked your company successfully. All files have been stolen and encrypted by us. If you want to restore your files or avoid file leaks, please contact us."

Chrome

Google is Rolling Out Chrome 102 with 32 Security Fixes, One Critical (zdnet.com) 10

This week Google began a rolling release for stable Chrome version 102 "with 32 security fixes for the browser on Windows, Mac and Linux," reports ZDNet: Chrome 102 for the desktop includes 32 security fixes reported to Google by external researchers. There's one critical flaw, while eight are high severity, nine are medium severity, and seven are low severity. Google also creates other fixes for issues found through internal testing...

The critical flaw, labelled as CVE-2022-1853, is a 'use after free in IndexedDB', an interface for applications to store data in a user's browser.... "My guess is that an attacker could construct a specially crafted website and take over the visitor's browser by manipulating the IndexedDB," says Pieter Arntz, a malware intelligence researcher at Malwarebytes. None of the flaws fixed in this Chrome 102 stable release were zero days, meaning flaws that were exploited before Google released a patch for it.

Google's Project Zero (GPZ) team last year counted 58 zero-day exploits for popular software in 2021. Twenty-five of these were in browsers, of which 14 affected Chrome. Google engineers argue zero-day counts are rising because vendors are improving detection, fixes and disclosure. However, GPZ researchers argue the industry as a whole is not making zero days hard enough for attackers, who often rely on tweaking existing flaws rather than being forced to conjure up entirely new exploitation methods.

Linux/Mac/Windows users of Chrome can check Help/About to see if the update has already rolled out to their system — or if they need to update manually.
