Security

Hackers Are Actively Exploiting BIG-IP Vulnerability With a 9.8 Severity Rating (arstechnica.com) 36

An anonymous reader quotes a report from Ars Technica: Researchers are marveling at the scope and magnitude of a vulnerability that hackers are actively exploiting to take full control of network devices that run on some of the world's biggest and most sensitive networks. The vulnerability, which carries a 9.8 severity rating out of a possible 10, affects F5's BIG-IP, a line of appliances that organizations use as load balancers, firewalls, and for inspection and encryption of data passing into and out of networks. There are more than 16,000 instances of the gear discoverable online, and F5 says it's used by 48 of the Fortune 50. Given BIG-IP's proximity to network edges and their functions as devices that manage traffic for web servers, they often are in a position to see decrypted contents of HTTPS-protected traffic.

Last week, F5 disclosed and patched a BIG-IP vulnerability that hackers can exploit to execute commands that run with root system privileges. The threat stems from a faulty authentication implementation of the iControl REST, a set of web-based programming interfaces for configuring and managing BIG-IP devices. "This issue allows attackers with access to the management interface to basically pretend to be an administrator due to a flaw in how the authentication is implemented," Aaron Portnoy, the director of research and development at security firm Randori, said in a direct message. "Once you are an admin, you can interact with all the endpoints the application provides, including execute code."

Images floating around Twitter in the past 24 hours show how hackers can use the exploit to access an F5 application endpoint named bash. Its function is to provide an interface for running user-supplied input as a bash command with root privileges. While many images show exploit code supplying a password to make commands run, exploits also work when no password is supplied. [...] Elsewhere on Twitter, researchers shared exploit code and reported seeing in-the-wild exploits that dropped backdoor webshells that threat actors could use to maintain control over hacked BIG-IP devices even after they're patched.
BIG-IP users can check exploitability via a one-line bash script that can be found here.
Security

Hackers Are Now Hiding Malware In Windows Event Logs (bleepingcomputer.com) 49

Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild. BleepingComputer reports: The method enabled the threat actor behind the attack to plant fileless malware in the file system in an attack filled with techniques and modules designed to keep the activity as stealthy as possible. [...] The dropper copies the legitimate OS error handling file [...] and then drops an encrypted binary resource to the 'wer.dll' (Windows Error Reporting) in the same location, for DLL search order hijacking to load malicious code. DLL hijacking is a hacking technique that exploits legitimate programs with insufficient checks to load into memory a malicious Dynamic Link Library (DLL) from an arbitrary path.

[Denis Legezo, lead security researcher at Kaspersky] says that the dropper's purpose is to place the loader on the disk for the side-loading process and to look for particular records in the event logs (category 0x4142 - 'AB' in ASCII). If no such record is found, it writes 8KB chunks of encrypted shellcode, which are later combined to form the code for the next stager. "The dropped wer.dll is a loader and wouldn't do any harm without the shellcode hidden in Windows event logs," says Legezo. The new technique analyzed by Kaspersky is likely on its way to becoming more popular as Soumyadeep Basu, currently an intern for Mandiant's red team, has created and published on GitHub source code for injecting payloads into Windows event logs.
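As an added defensive illustration (this is not code from Kaspersky, BleepingComputer or the researchers named above), the two concrete indicators quoted here, a record category of 0x4142 and 8KB chunks of encrypted (that is, high-entropy) binary data, are enough to write a simple triage heuristic over exported event records. The record layout, field names and sample records below are constructed assumptions; on a real host you would populate them from an export (for example `wevtutil` or `Get-WinEvent`) rather than from the inline list.

```python
import hashlib
import math

# Indicators taken from the Kaspersky write-up quoted above: the loader looks for
# event records with category 0x4142 ('AB') and stores shellcode in 8KB chunks.
SUSPECT_CATEGORY = 0x4142
CHUNK_SIZE = 8 * 1024
ENTROPY_THRESHOLD = 7.2  # assumption: bits per byte; encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum, reached by uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_suspicious(record: dict) -> list:
    """Return the list of reasons a single exported record looks like a payload carrier."""
    reasons = []
    payload = record.get("binary_data", b"")
    if record.get("category") == SUSPECT_CATEGORY:
        reasons.append("category 0x4142")
    if len(payload) >= CHUNK_SIZE and shannon_entropy(payload) >= ENTROPY_THRESHOLD:
        reasons.append("large high-entropy binary payload")
    return reasons


def scan_records(records: list) -> dict:
    """Map record_id -> reasons for every record that trips at least one heuristic."""
    hits = {}
    for record in records:
        reasons = is_suspicious(record)
        if reasons:
            hits[record["record_id"]] = reasons
    return hits


def _fake_encrypted_blob(size: int) -> bytes:
    # Deterministic stand-in for an encrypted chunk: chained SHA-256 digests
    # (constructed test data, not a real payload).
    out = bytearray()
    i = 0
    while len(out) < size:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:size])


# Constructed sample export, not real telemetry. Field names are assumptions.
SAMPLE_RECORDS = [
    {"record_id": 1001, "source": "constructed-service", "category": 0,
     "binary_data": b""},
    {"record_id": 1002, "source": "constructed-service", "category": SUSPECT_CATEGORY,
     "binary_data": _fake_encrypted_blob(CHUNK_SIZE)},
    {"record_id": 1003, "source": "constructed-service", "category": 1,
     "binary_data": _fake_encrypted_blob(CHUNK_SIZE)},
    # Large but low-entropy data (e.g. a padded text dump) should not be flagged.
    {"record_id": 1004, "source": "constructed-app", "category": 0,
     "binary_data": b"A" * CHUNK_SIZE},
]

if __name__ == "__main__":
    for rid, why in scan_records(SAMPLE_RECORDS).items():
        print(f"record {rid}: {', '.join(why)}")
```

The category match is the cheap, precise check; the entropy check catches a variant that changes the category but keeps the chunking, at the cost of some false positives on legitimately compressed or encrypted event data, so treat its hits as leads to inspect rather than verdicts.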

Education

Illinois College, Hit By Ransomware Attack, To Shut Down (nbcnews.com) 58

Lincoln College is scheduled to close its doors Friday, becoming the first U.S. institution of higher learning to shut down in part due to a ransomware attack. From a report: A goodbye note posted to the school's website said that it survived both World Wars, the Spanish flu and the Great Depression, but was unable to handle the combination of the Covid pandemic and a severe ransomware attack in December that took months to remedy. "Lincoln College was a victim of a cyberattack in December 2021 that thwarted admissions activities and hindered access to all institutional data, creating an unclear picture of Fall 2022 enrollment projections," the school wrote in its announcement. "All systems required for recruitment, retention, and fundraising efforts were inoperable. Fortunately, no personal identifying information was exposed. Once fully restored in March 2022, the projections displayed significant enrollment shortfalls, requiring a transformational donation or partnership to sustain Lincoln College beyond the current semester." The Illinois school, which is named after President Abraham Lincoln and broke ground on his birthday in 1865, is one of only a handful of rural American colleges that qualify as predominantly Black institutions by the Department of Education.
Apple

Apple's Return-to-Office Policy Leaves Many Workers Unhappy, AI Expert Quits (9to5mac.com) 230

Apple's director of machine learning, Ian Goodfellow, "is leaving the company due to its return to work policy," reports a tech reporter for the Verge. "In a note to staff, he said 'I believe strongly that more flexibility would have been the best policy for my team.'"

9to5Mac notes that Apple "poached Goodfellow from Google back in 2019 to join its 'Special Projects Group' as the director of machine learning." Apple employees started returning to in-person work on April 11 following a two-year stint of remote work brought on by the COVID-19 pandemic... At first, the company required employees to work in person at least one day per week. On May 4, the company ramped that up to two days per week in the office.

Starting on May 23, employees will need to be in the office three days per week. This is the start of Apple's so-called "hybrid" work plan, which will require employees to work from the office on Monday, Tuesday, and Thursday every week....

Goodfellow's former employer Google mandated that some teams return to in-person work starting last month, but many employees are able to permanently work from home.

Discontent with that policy is widespread, reports Fortune: Seventy-six percent of Apple workers surveyed said they were dissatisfied with Apple's return-to-office policy that was implemented after the COVID pandemic started waning. The survey, conducted by anonymous social network Blind, collected answers from 652 Apple employees from April 13 to April 19....

Accustomed to no commute, they're now balking at having to return to the office and say they will seek jobs at other tech companies that offer more flexible work arrangements. A sizable number of workers — 56% — claimed they are looking to leave Apple expressly because of its office requirement. It's unclear how many actually will carry through.... Blind's users are "overwhelmingly corporate workers in engineering or product roles," according to Rick Chen, director of public relations at Blind.

More action might be expected after May 23 when the pilot plan for hybrid work comes into full effect. Another worker stated: "Apple is going to see attrition like no other come June. 60% of my team doesn't even live near the office. They are not returning. "

Security

Russia Hit With 'Unprecedented' Breaches By Pro-Ukrainian Cyberattackers (stripes.com) 40

This week the Washington Post described Russia as "struggling under an unprecedented hacking wave" — with one survey finding Russia is now the world's leader for leaked sensitive data (such as passwords and email addresses). "Federation government: your lack of honor and blatant war crimes have earned you a special prize..." read a message left behind on one of the breached networks...

Documents were stolen from Russia's media regulator and 20 years of email from one of Russia's government-owned TV/radio broadcasting companies. Ukraine's government is even suggesting targets through its "IT Army" channel on telegram, and has apparently distributed the names of hundreds of Russia's own FSB security agents. And meanwhile, the Post adds, "Ordinary criminals with no ideological stake in the conflict have also gotten in on the act, taking advantage of preoccupied security teams to grab money as the aura of invincibility falls, researchers said." Soon after the invasion, one of the most ferocious ransomware gangs, Conti, declared that it would rally to protect Russian interests in cyberspace. The pledge backfired in a spectacular fashion, since like many Russian-speaking crime groups it had affiliates in Ukraine. One of them then posted more than 100,000 internal gang chats, and later the source code for its core program, making it easier for security software to detect and block attacks.

Network Battalion 65 [a small hacktivist group formed as the war began looking inevitable] went further. It modified the leaked version of the Conti code to evade the new detections, improved the encryption and then used it to lock up files inside government-connected Russian companies. "We decided it would be best to give Russia a taste of its own medicine. Conti caused (and still causes) a lot of heartache and pain for companies all around the world," the group said. "As soon as Russia ends this stupidity in Ukraine, we will stop our attacks completely."

In the meantime, Network Battalion 65 has asked for ransomware payments even as it has shamed victims on Twitter for having poor security. The group said it hasn't gotten any money yet but would donate anything it collects to Ukraine.

Ars Technica quotes a cybersecurity researcher who now says "there are tens of terabytes of data that's just falling out of the sky."

Thanks to long-time Slashdot reader SpzToid for sharing the article!
Programming

Programmers, Managers, Agile, and Failures: Software's Long Crisis (logicmag.io) 152

A UCLA assistant professor of Information Studies just published a short history of software engineering in Logic magazine — titled "Agile and the Long Crisis of Software."

It begins by describing Agile's history as "a long-running wrestling match between what managers want software development to be and what it really is, as practiced by the workers who write the code." When software engineering failed to discipline the unwieldiness of development, businesses turned to Agile, which married the autonomy that developers demanded with a single-minded focus on an organization's goals. That autonomy is limited, however, as developers are increasingly pointing out. When applied in a corporate context, the methods and values that Agile esteems are invariably oriented to the imperatives of the corporation. No matter how flexible the workplace or how casual the meetings, the bottom line has to be the organization's profits.
But this has major implications, the essay's conclusion argues: Could Agile even have played a role in some of the more infamous failures of the tech industry...? If a company sets a goal of boosting user engagement, Agile is designed to get developers working single-mindedly toward that goal — not arguing with managers about whether, for example, it's a good idea to show people content that inflames their prejudices. Such ethical arguments are incompatible with Agile's avowed dedication to keeping developers working feverishly on the project, whatever it might be.

This issue becomes especially pressing when one considers that contemporary software is likely to involve things like machine learning, large datasets, or artificial intelligence — technologies that have shown themselves to be potentially destructive, particularly for minoritized people. The digital theorist Ian Bogost argues that this move-fast-and-break-things approach is precisely why software developers should stop calling themselves "engineers": engineering, he points out, is a set of disciplines with codes of ethics and recognized commitments to civil society. Agile promises no such loyalty, except to the product under construction.

Agile is good at compartmentalizing features, neatly packaging them into sprints and deliverables. Really, that's a tendency of software engineering at large — modularity, or "information hiding," is a critical way for humans to manage systems that are too complex for any one person to grasp. But by turning features into "user stories" on a whiteboard, Agile has the potential to create what [software engineer] Yvonne Lam calls a "chain of deniability": an assembly line in which no one, at any point, takes full responsibility for what the team has created.

Other observations from the article:
  • "Daily standups, billed as lightweight, low key check-ins, have become, for some workers, exercises in surveillance. "
  • "The warts-and-all breakdown of Agile 'retrospectives' seems healthy, but I've watched them descend into a structureless series of accusations; everything depends on who's leading the team."
  • One freelance developer in the article even argues that "As developers, IT professionals, we like to think of ourselves as knowledge workers, whose work can't be rationalized or commodified. But I think Agile tries to accomplish the exact opposite approach."
  • "Some people I talked to pointed out that Agile has the potential to foster solidarity among workers. If teams truly self-organize, share concerns, and speak openly, perhaps Agile could actually lend itself to worker organization.

    "Maybe management, through Agile, is producing its own gravediggers. Maybe the next crisis of software development will come from the workers themselves."

United States

California's Population Declined in Pandemic's Second Year (apnews.com) 109

America's most populous state is shrinking — at least a little. The Associated Press reports: With an estimated 39,185,605 residents, California is still the U.S.'s most populous state, putting it far ahead of second-place Texas and its 29.5 million residents. But after years of strong growth brought California tantalizingly close to the 40 million milestone, the state's population is now roughly back to where it was in 2016 after declining by 117,552 people this year.
That's a drop of 0.29% — at least some of which seems attributable to the pandemic. California's population growth had been slowing even before the pandemic as baby boomers aged, younger generations were having fewer children and more people were moving to other states. But the state's natural growth — more births than deaths — and its robust international immigration had been more than enough to offset those losses. That changed in 2020, when the pandemic killed tens of thousands of people above what would be expected from natural causes, a category demographers refer to as "excess deaths." And it prompted a sharp decline in international immigration because of travel restrictions and limited visas from the federal government.

California's population fell for the first time that year. At the time, state officials thought it was an outlier, the result of a pandemic that turned the world upside down. But the new estimate released Monday by the California Department of Finance showed the trend continued in 2021, although the decline was less than it had been in 2020. State officials pointed specifically to losses in international immigration. California gained 43,300 residents from other countries in 2021. But that was well below the annual average of 140,000 that was common before the pandemic.

The state's official demographer predicts California's population will go back to increasing in 2022.

And even with the decline, the article points out that California "had a record budget surplus last year, and is in line for an even larger one this year of as much as $68 billion — mostly the result of a progressive tax structure and a disproportionate population of billionaires."
IT

Did the Pandemic Normalize Employee-Monitoring Software? (abc.net.au) 92

"Employee monitoring software became the new normal during COVID-19..." writes Australia's public broadcaster ABC, "logging keystrokes and mouse movement, capturing screenshots, tracking location, and even activating webcams and microphones."

And now "It seems workers are stuck with it.... Surveys of employers in white-collar industries show that even returned office workers will be subject to these new tools. What was introduced in the crisis of the pandemic, as a short-term remedy for lockdowns and working from home has quietly become the 'new normal' for many Australian workplaces." (Thousands of employees have apparently even purchased mouse-jiggling software just to fool the surveillance software.)

But is there a larger issue? "The vast majority of people are not paid enough for the productivity that is demanded of them," argues BuzzFeed's former senior culture writer (now publishing a newsletter called "Culture Study.") After looking at technology's escalating demands, Petersen warns that the real problem is that human productivity ultimately has a ceiling.

"We have to collectively reject the engine of endless growth, and the aspiration for infinite productivity, before it breaks us all."

Thanks to long-time Slashdot reader theodp for sharing the stories!
Cloud

Heroku Admits That Customer Credentials Were Stolen In Cyberattack (bleepingcomputer.com) 4

Heroku has now revealed that the stolen GitHub integration OAuth tokens from last month further led to the compromise of an internal customer database. BleepingComputer reports: The Salesforce-owned cloud platform acknowledged the same compromised token was used by attackers to exfiltrate customers' hashed and salted passwords from "a database." Like many users, we unexpectedly received a password reset email from Heroku, even though BleepingComputer does not have any OAuth integrations that use Heroku apps or GitHub. This indicated that these password resets were related to another matter. [...]

In its quest to be more transparent with the community, Heroku has shed some light on the incident, starting a few hours ago. "We value transparency and understand our customers are seeking a deeper understanding of the impact of this incident and our response to date," says Heroku. The cloud platform further stated that after working with GitHub, threat intel vendors, industry partners and law enforcement during the investigation it had reached a point where more information could be shared without compromising the ongoing investigation:

"On April 7, 2022, a threat actor obtained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens. Access to the environment was gained by leveraging a compromised token for a Heroku machine account. According to GitHub, the threat actor began enumerating metadata about customer repositories with the downloaded OAuth tokens on April 8, 2022. On April 9, 2022, the attacker downloaded a subset of the Heroku private GitHub repositories from GitHub, containing some Heroku source code. GitHub identified the activity on April 12, 2022, and notified Salesforce on April 13, 2022, at which time we began our investigation. As a result, on April 16, 2022, we revoked all GitHub integration OAuth tokens, preventing customers from deploying apps from GitHub through the Heroku Dashboard or via automation. We remain committed to ensuring the integration is secure before we re-enable this functionality." Heroku users are advised to continue monitoring the security notification page for updates related to the incident.

Bug

Google Docs Crashes On Seeing 'And. And. And. And. And.' (bleepingcomputer.com) 63

A bug in Google Docs is causing it to crash when a series of words are typed into a document opened with the online word processor. BleepingComputer reports: It's official -- Google Docs crashes at the sight of "And. And. And. And. And." when the "Show grammar suggestion" is turned on. A Google Docs user, Pat Needham brought up the issue on Google Docs Editors Help forum. [...] Another user, Sergii Dymchenko, said strings like "But. But. But. But. But." triggered the same response. Some also noticed putting any of the terms like "Also, Therefore, And, Anyway, But, Who, Why, Besides, However," in the same format achieved the outcome.

Once crashed, you may not be able to easily re-access the document as doing so would trigger the crash again. BleepingComputer was able to reproduce the issue last night and reached out to Google. Google told us it is aware of the bug and working on a fix. [...] Until Google has an answer as to what causes this problem, it might be wise to turn off grammar suggestions by navigating to Tools, Spelling and grammar and unticking 'Show grammar suggestions.' If the bug has already been triggered and you're locked out of the Google Doc in question, there might be a workaround. Use the Google Docs mobile app to access the document, remove the offending words and the file should now open up gracefully on your Google Docs web version too.

Security

Ukrainians DDoS Russian Vodka Supply Chains (infosecurity-magazine.com) 60

Ukrainian hacktivists reportedly disrupted alcohol shipments in Russia after committing distributed denial of service (DDoS) attacks against a critical online portal, according to local reports. From a report: Alcohol producers and distributors are required by law to register their shipments with the EGAIS portal, loosely translated as the "Unified State Automated Alcohol Accounting Information System." However, several entities in the sector told local news site Vedomosti this week that DDoS attacks by Ukrainian hacktivists downed the site on May 2 and 3.

The outage impacted not only vodka distribution but also wine companies and purveyors of other types of alcohol. Government sources quoted in the report claim that the site is running normally and any excessive waiting times are merely due to heavy demand. However, one company, Fort, had failed to upload about 70% of invoices to EGAIS due to the outage, according to the report. Its supplies of wine to retail chains and restaurants were apparently disrupted on May 4 due to the incident.

IT

A Typo Sent $36 Million of Crypto Into the Ether (cnet.com) 141

An anonymous reader shares a report: One of the key selling points of the blockchain is that it's immutable: Once data is processed, once a transaction occurs, it can't be undone. One of the most painful downsides to the blockchain? It's immutable. If human error causes something to be sold for the wrong price or money to be sent to the wrong place, reversing it can be difficult or even impossible. That is the unfortunate place developers of the Juno cryptocurrency find themselves. A community vote had decreed that around 3 million Juno tokens, worth around $36 million, be seized from an investor deemed to have acquired the tokens via malicious means. (This in itself was a big crypto news story.) The funds were to be sent to a wallet controlled by Juno token holders, who could vote on how it would be spent.

But a developer inadvertently copy and pasted the wrong wallet address, as reported by CoinDesk, leading to $36 million in crypto being sent to an inaccessible address. Andrea Di Michele, one of Juno's founding developers, explained to the publication that he sent the correct wallet address to the developer responsible for the transfer, as well as a hash number. Hashes connect blocks to one another in the blockchain, and at a glance hash numbers can look very similar to wallet addresses. The programmer in charge for the transfer accidentally copied and pasted the hash number, rather than the wallet address.
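The failure described here, a transaction hash pasted where a wallet address belonged, is exactly the kind of mistake an input check catches before anything is signed. The following Python is an added example, not code from Juno, CoinDesk or the developers quoted above. It assumes (as for other Cosmos SDK chains, but not stated on this page) that Juno account addresses are bech32 strings with the human-readable prefix `juno`, while transaction hashes are 64 hexadecimal characters; the bech32 routines follow the BIP 173 reference algorithm, and the sample address and hash are constructed.

```python
import re

# Assumption: the chain's account addresses are bech32 with prefix "juno";
# transaction hashes are 64 hex characters. Both look like opaque blobs by eye.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
EXPECTED_HRP = "juno"
HEX_HASH_RE = re.compile(r"^[0-9A-Fa-f]{64}$")


def bech32_polymod(values):
    """BIP 173 checksum polynomial over a list of 5-bit values."""
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def bech32_create_checksum(hrp, data):
    polymod = bech32_polymod(bech32_hrp_expand(hrp) + data + [0] * 6) ^ 1
    return [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]


def convertbits(data, frombits, tobits, pad=True):
    """Regroup bits (8<->5); returns None when strict conversion finds bad padding."""
    acc, bits, out = 0, 0, []
    maxv = (1 << tobits) - 1
    max_acc = (1 << (frombits + tobits - 1)) - 1
    for value in data:
        acc = ((acc << frombits) | value) & max_acc
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None
    return out


def bech32_encode(hrp, payload: bytes) -> str:
    data = convertbits(payload, 8, 5)
    return hrp + "1" + "".join(CHARSET[d] for d in data + bech32_create_checksum(hrp, data))


def bech32_decode(addr: str):
    """Return (hrp, 5-bit data without checksum) or None if addr is not valid bech32."""
    if addr != addr.lower() and addr != addr.upper():
        return None  # mixed case is forbidden by the spec
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return None
    hrp, rest = addr[:pos], addr[pos + 1:]
    if any(c not in CHARSET for c in rest):
        return None
    data = [CHARSET.index(c) for c in rest]
    if bech32_polymod(bech32_hrp_expand(hrp) + data) != 1:
        return None  # checksum mismatch: a typo or a corrupted paste
    return hrp, data[:-6]


def classify_recipient(s: str, expected_hrp: str = EXPECTED_HRP) -> str:
    """'address' for a checksummed address on this chain, 'hash' for a tx hash, else 'invalid'."""
    if HEX_HASH_RE.match(s):
        return "hash"
    decoded = bech32_decode(s)
    if decoded is None or decoded[0] != expected_hrp:
        return "invalid"
    return "address" if convertbits(decoded[1], 5, 8, pad=False) is not None else "invalid"


def guarded_transfer(recipient: str, amount: int) -> str:
    """Refuse to build a transfer unless the recipient is an address for the expected chain."""
    kind = classify_recipient(recipient)
    if kind != "address":
        raise ValueError(f"refusing to send {amount} to {recipient!r}: looks like a {kind}, not an address")
    return f"transfer {amount} -> {recipient}"


# Constructed inputs: a fake 20-byte account id encoded as a juno address, and a fake tx hash.
SAMPLE_ADDRESS = bech32_encode(EXPECTED_HRP, bytes(range(1, 21)))
SAMPLE_TX_HASH = "AB" * 32

if __name__ == "__main__":
    print(guarded_transfer(SAMPLE_ADDRESS, 3_000_000))
    for bad in (SAMPLE_TX_HASH, SAMPLE_ADDRESS[:-1] + ("q" if SAMPLE_ADDRESS[-1] != "q" else "p")):
        try:
            guarded_transfer(bad, 3_000_000)
        except ValueError as exc:
            print(exc)
```

The check is cheap because the address format already carries a checksum and a chain prefix: a pasted hash fails the hex test outright, a pasted address from another chain fails the prefix comparison, and a single mistyped character fails the checksum. For an irreversible transfer of this size, a second, independent confirmation of the destination (for example, a test transfer of a trivial amount) is the natural complement.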

Communications

VPN Providers Threaten To Quit India Over New Data Law (wired.com) 26

VPN companies are squaring up for a fight with the Indian government over new rules designed to change how they operate in the country. Wired: On April 28, officials announced that virtual private network companies will be required to collect swathes of customer data -- and maintain it for five years or more -- under a new national directive. VPN providers have two months to accede to the rules and start collecting data. The justification from the country's Computer Emergency Response Team (CERT-In) is that it needs to be able to investigate potential cybercrime. But that doesn't wash with VPN providers, some of whom have said they may ignore the demands.

"This latest move by the Indian government to require VPN companies to hand over user personal data represents a worrying attempt to infringe on the digital rights of its citizens," says Harold Li, vice president of ExpressVPN. He adds that the company would never log user information or activity and that it will adjust its "operations and infrastructure to preserve this principle if and when necessary." Other VPN providers are also considering their options. Gytis Malinauskas, head of Surfshark's legal department, says the VPN provider couldn't currently comply with India's logging requirements because it uses RAM-only servers, which automatically overwrite user-related data. [...] ProtonVPN is similarly concerned, calling the move an erosion of civil liberties.

Google

Apple, Google, and Microsoft Want To Kill the Password With 'Passkey' Standard (arstechnica.com) 195

Apple, Google, and Microsoft are launching a "joint effort" to kill the password. The major OS vendors want to "expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium." From a report: The standard is being called either a "multi-device FIDO credential" or just a "passkey." Instead of a long string of characters, this new scheme would have the app or website you're logging in to push a request to your phone for authentication. From there, you'd need to unlock the phone, authenticate with some kind of pin or biometric, and then you're on your way. This sounds like a familiar system for anyone with phone-based two-factor authentication set up, but this is a replacement for the password rather than an additional factor.

Some push 2FA systems work over the Internet, but this new FIDO scheme works over Bluetooth. As the whitepaper explains, "Bluetooth requires physical proximity, which means that we now have a phishing-resistant way to leverage the user's phone during authentication." Bluetooth has a terrible reputation for compatibility, and I'm not sure "security" has ever been a real concern, but the FIDO alliance notes that Bluetooth is just "to verify physical proximity" and that the actual sign-in process "does not depend on Bluetooth security properties." Of course, that means both devices will need Bluetooth on board, which is a given for most smartphones and laptops but could be a tough ask for older desktop PCs.

Programming

GitHub Will Require All Code Contributors To Use 2FA (theverge.com) 100

GitHub, the code hosting platform used by tens of millions of software developers around the world, announced today that all users who upload code to the site will need to enable one or more forms of two-factor authentication (2FA) by the end of 2023 in order to continue using the platform. The Verge reports: The new policy was announced Wednesday in a blog post by GitHub's chief security officer (CSO) Mike Hanley, which highlighted the Microsoft-owned platform's role in protecting the integrity of the software development process in the face of threats created by bad actors taking over developers' accounts. "The software supply chain starts with the developer," Hanley wrote. "Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain."

Even though multi-factor authentication provides significant additional protection to online accounts, GitHub's internal research shows that only around 16.5 percent of active users (roughly one in six) currently enable the enhanced security measures on their accounts -- a surprisingly low figure given that the platform's user base should be aware of the risks of password-only protection. By steering these users towards a higher minimum standard of account protection, GitHub hopes to boost the overall security of the software development community as a whole, Hanley told The Verge.
"GitHub is in a unique position here, just by virtue of the vast majority of open source and creator communities living on GitHub.com, that we can have a significant positive impact on the security of the overall ecosystem by raising the bar from a security hygiene perspective," Hanley said. "We feel like it's really one of the best ecosystem-wide benefits that we can provide, and we're committed to making sure that we work through any of the challenges or obstacles to making sure that there's successful adoption."
IT

'Tired' Carl Sagan Fan Sells Wormhole.com To Crypto Giant Jump for $50K After Lawsuit (decrypt.co) 120

An anonymous reader shares a report: The realm of physics offers the exciting possibility of "wormholes" that could let us collapse space and time. But here on Earth, most of us are subject to more mundane realities -- including that the rich and powerful usually get what they want. Dick Merryman, a 79-year-old computer engineer, got a reminder of that last month when Jump Operations -- the holding company for crypto giant Jump Trading -- put the legal screws to him to obtain wormhole.com, a domain he has owned for years and that corresponds to an email he created for him and his wife. For Merryman, the domain reflects his fondness for astrophysicist Carl Sagan, whose 1985 novel "Contact" deployed a "wormhole" to let characters skip across light years. Merryman purchased the wormhole.com domain in 1994, creating a simple placeholder website that displays a cosmic picture.

For Jump, however, "wormhole" has a very different significance. It is the name of a crypto platform that creates "bridges" between popular blockchains such as Solana and Ethereum, and in which Jump has a very significant investment. While Jump is currently using wormholenetwork.com to host Wormhole-related content, it has coveted the shorter name owned by Merryman, and began trying to acquire it last year. In June of 2021, someone at Jump used a third-party domain broker to approach Merryman and offer $2,500 for the name. The latter rebuffed the request, saying -- perhaps in jest -- that the price was a "firm US$50000." To Merryman's surprise, Jump promptly accepted the offer -- an acceptance that Merryman proceeded to ignore. After being badgered by the broker, he made his feelings clear a few weeks later. Jump then pulled out the big guns. The company's lawyers warned Merryman he was in breach of contract and that he had to honor the message saying he would sell for $50,000.

Crime

Russia May Force Tech-Savvy Prisoners To Perform Low-Cost IT Work For Companies, Report Says (krebsonsecurity.com) 78

tsu doh nimh shares a report from Krebs on Security: Faced with a brain drain of smart people fleeing the country following its invasion of Ukraine, the Russian Federation is floating a new strategy to address a worsening shortage of qualified information technology experts: Forcing tech-savvy people within the nation's prison population to perform low-cost IT work for domestic companies. Multiple Russian news outlets published stories on April 27 saying the Russian Federal Penitentiary Service had announced a plan to recruit IT specialists from Russian prisons to work remotely for domestic commercial companies.

Russians sentenced to forced labor will serve out their time at one of many correctional centers across dozens of Russian regions, usually at the center that is closest to their hometown. Alexander Khabarov, deputy head of Russia's penitentiary service, said his agency had received proposals from businessmen in different regions to involve IT specialists serving sentences in correctional centers to work remotely for commercial companies. Khabarov told Russian media outlets that under the proposal people with IT skills at these facilities would labor only in IT-related roles, but would not be limited to working with companies in their own region.

"We are approached with this initiative in a number of territories, in a number of subjects by entrepreneurs who work in this area," Khabarov told Russian state media organization TASS. "We are only at the initial stage. If this is in demand, and this is most likely in demand, we think that we will not force specialists in this field to work in some other industries."

Botnet

Botnet That Hid For 18 Months (arstechnica.com) 12

An anonymous reader quotes a report from Ars Technica: It's not the kind of security discovery that happens often. A previously unknown hacker group used a novel backdoor, top-notch tradecraft, and software engineering to create an espionage botnet that was largely invisible in many victim networks. The group, which security firm Mandiant is calling UNC3524, has spent the past 18 months burrowing into victims' networks with unusual stealth. In cases where the group is ejected, it wastes no time reinfecting the victim environment and picking up where things left off. There are many keys to its stealth, including:

- The use of a unique backdoor Mandiant calls Quietexit, which runs on load balancers, wireless access point controllers, and other types of IoT devices that don't support antivirus or endpoint detection. This makes detection through traditional means difficult.
- Customized versions of the backdoor that use file names and creation dates that are similar to legitimate files used on a specific infected device.
- A live-off-the-land approach that favors common Windows programming interfaces and tools over custom code with the goal of leaving as light a footprint as possible.
- An unusual way a second-stage backdoor connects to attacker-controlled infrastructure by, in essence, acting as a TLS-encrypted server that proxies data through the SOCKS protocol.

The SOCKS tunnel allowed the hackers to effectively connect their control servers to a victim's network where they could then execute tools without leaving traces on any of the victims' computers. A secondary backdoor provided an alternate means of access to infected networks. It was based on a version of the legitimate reGeorg webshell that had been heavily obfuscated to make detection harder. The threat actor used it in the event the primary backdoor stopped working. [...] One of the ways the hackers maintain a low profile is by favoring standard Windows protocols over malware to move laterally. To move to systems of interest, UNC3524 used a customized version of WMIEXEC, a tool that uses Windows Management Instrumentation to establish a shell on the remote system. Eventually, Quietexit executes its final objective: accessing email accounts of executives and IT personnel in hopes of obtaining documents related to things like corporate development, mergers and acquisitions, and large financial transactions.

"Unpacking this threat group is difficult," says Ars' Dan Goodin. "From outward appearances, their focus on corporate transactions suggests a financial interest. But UNC3524's high-caliber tradecraft, proficiency with sophisticated IoT botnets, and ability to remain undetected for so long suggests something more."
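
The report notes that UNC3524 moved laterally with a customized WMIEXEC, which uses Windows Management Instrumentation to open a shell on the remote host. One defender-side consequence is worth spelling out: a process created remotely through WMI's Win32_Process.Create runs as a child of the WMI provider host, WmiPrvSE.exe, so a cmd.exe or powershell.exe with that parent stands out in process-creation telemetry. The following is an added example, not code from the Ars article or from Mandiant; it assumes Sysmon-style process-creation fields (image, parent image, command line, user) and runs over a handful of constructed sample events, scoring each WMI-spawned shell by how many WMIEXEC-style traits it carries (output redirected into an ADMIN$ share, a quiet one-shot `/Q /c` invocation, an encoded PowerShell payload).

```python
# Added example (not from the article or from Mandiant): triage of WMI-launched
# shells, the lateral-movement pattern that WMIEXEC-style tools rely on.
# Assumes Sysmon Event ID 1 (process creation) style records; the sample events
# below are constructed, not real telemetry.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcessEvent:
    """Minimal subset of a process-creation record."""
    host: str
    image: str
    parent_image: str
    command_line: str
    user: str


# Interactive shells that WMIEXEC-style tools typically launch on the target.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_wmi_spawned_shell(ev: ProcessEvent) -> bool:
    """True when a shell was started by the WMI provider host (Win32_Process.Create)."""
    return basename(ev.parent_image) == "wmiprvse.exe" and basename(ev.image) in SHELLS


def score_event(ev: ProcessEvent) -> Dict[str, object]:
    """Score a WMI-spawned shell: one point per indicator that stacks up."""
    reasons = ["shell launched by WmiPrvSE.exe"]
    cl = ev.command_line.lower()
    # WMIEXEC-style tools collect command output by redirecting it into an admin share.
    if "admin$" in cl and ">" in cl:
        reasons.append("output redirected to an ADMIN$ share")
    # /Q /c is the quiet, run-one-command form such tools favour over an interactive shell.
    if "/q" in cl and "/c" in cl:
        reasons.append("quiet one-shot cmd.exe invocation (/Q /c)")
    if "-enc" in cl or "-encodedcommand" in cl:
        reasons.append("encoded PowerShell payload")
    return {
        "host": ev.host,
        "user": ev.user,
        "score": len(reasons),
        "reasons": reasons,
        "command_line": ev.command_line,
    }


def triage(events: List[ProcessEvent]) -> List[Dict[str, object]]:
    """Return findings for WMI-spawned shells, highest score first (stable for ties)."""
    hits = [score_event(ev) for ev in events if is_wmi_spawned_shell(ev)]
    return sorted(hits, key=lambda f: -f["score"])


# Constructed sample telemetry (hostnames, users and timestamps are made up).
SAMPLE_EVENTS = [
    ProcessEvent("FS01", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1651234567.89 2>&1",
                 r"CORP\svc_backup"),
    ProcessEvent("WS07", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\explorer.exe", "cmd.exe", r"CORP\alice"),
    ProcessEvent("FS01", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\svchost.exe",
                 "WmiPrvSE.exe -secured -Embedding", r"NT AUTHORITY\NETWORK SERVICE"),
    ProcessEvent("DC01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 "powershell -nop -w hidden -enc SQBFAFgA", r"CORP\svc_backup"),
    # Benign-looking WMI-launched job: flagged, but only on the parent alone.
    ProcessEvent("MON02", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r'cmd.exe /c "C:\Program Files\Monitoring\collect.bat"', r"CORP\svc_monitor"),
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']} score={f['score']}: {'; '.join(f['reasons'])}")
```

The parent-process check alone is noisy on estates where management agents legitimately run jobs through WMI, which is why the scoring layers the ADMIN$ redirect and `/Q /c` traits on top; in practice the score would be joined with the user account and source of the WMI call, since the same service account appearing on several hosts is the stronger signal of lateral movement.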

Privacy

CDC Tracked Millions of Phones To See If Americans Followed COVID Lockdown Orders (vice.com) 65

The Centers for Disease Control and Prevention (CDC) bought access to location data harvested from tens of millions of phones in the United States to perform analysis of compliance with curfews, track patterns of people visiting K-12 schools, and specifically monitor the effectiveness of policy in the Navajo Nation, according to CDC documents obtained by Motherboard. From a report: The documents also show that although the CDC used COVID-19 as a reason to buy access to the data more quickly, it intended to use it for more general CDC purposes. Location data is information on a device's location sourced from the phone, which can then show where a person lives, works, and where they went.

The sort of data the CDC bought was aggregated -- meaning it was designed to follow trends that emerge from the movements of groups of people -- but researchers have repeatedly raised concerns with how location data can be deanonymized and used to track specific people. The documents reveal the expansive plan the CDC had last year to use location data from a highly controversial data broker. SafeGraph, the company the CDC paid $420,000 to for access to one year of data, includes Peter Thiel and the former head of Saudi intelligence among its investors. Google banned the company from the Play Store in June.

Windows

PCWorld: Six Months Since Release, Windows 11 Still 'Unnecessary' (youtube.com) 138

UnknowingFool writes: In October 2021, PC World reviewed Windows 11 and labeled it as an "unnecessary replacement" to Windows 10 and did not recommend it for Windows 10 users. PC World noted that it was a "mixed bag of improved features and unnecessary changes." Six months later they reviewed it again. While MS has made improvements, PC World does not feel the improvements warrant a recommendation for Windows 10 users to upgrade.
