Security

Mysterious Leak of Booking Reservation Data is Being Used To Scam Customers (arstechnica.com) 7

For almost five years, Booking.com customers have been on the receiving end of a continuous series of scams that clearly demonstrate that criminals have obtained travel plans and other personal information customers provided to the travel site. From a report: One of the more recent shakedowns happened to an Ars Reader who asked not to be identified by his real name. A few months ago, Thomas, as I'll call him, reserved and paid for a two-night stay scheduled for this July in a hotel in Italy. Last week, out of the blue, he received two emails. The headers show that the first message came from the genuine Booking.com domain. It purported to have been sent on behalf of the hotel in Italy and asked that he click a non-existent confirm button for his upcoming stay. It went on to inform him that the hotel would "also transfer all bookings made from that address to your account." As phishy as that sounds, the email included his full name, the confirmation number of his reservation, the correct name of the hotel, and the dates of the stay.

AI

'Inaudible' Watermark Could Identify AI-Generated Voices (techcrunch.com) 39

The growing ease with which anyone can create convincing audio in someone else's voice has a lot of people on edge, and rightly so. Resemble AI's proposal for watermarking generated speech may not fix it in one go, but it's a step in the right direction. From a report: AI-generated speech is being used for all kinds of legitimate purposes, from screen readers to replacing voice actors (with their permission, of course). But as with nearly any technology, speech generation can be turned to malicious ends as well, producing fake quotes by politicians or celebrities. It's highly desirable to find a way to tell real from fake that doesn't rely on a publicist or close listening.

[...] Resemble AI is among a new cohort of generative AI startups aiming to use finely tuned speech models to produce dubs, audiobooks, and other media ordinarily produced by regular human voices. But if such models, perhaps trained on hours of audio provided by actors, were to fall into malicious hands, these companies may find themselves at the center of a PR disaster and perhaps serious liability. So it's very much in their interest to find a way to make their recordings both as realistic as possible and easily verifiable as being generated by AI.

Privacy

Wyze Security Cameras Will Go Offline Tonight For Two Hours (theverge.com) 69

If you have Wyze cameras or a Wyze home security system, you will need to make other arrangements to monitor your property from 12AM PT to 2AM PT tomorrow morning. The Verge reports: The smart home company sent an email to its customers this week stating that system maintenance on February 8th at 12AM PT will impact every feature of the system that relies on the app or website. That includes being able to alert Noonlight, the professional monitoring company Wyze uses for its Sense security system, about a potential break-in. Not only will your security system be down, but if you use Wyze cameras to keep an eye on things going bump in the night, you'll have to stay awake. Wyze cameras won't be able to upload any video to the cloud or send alerts for motion or other events to the app.

While it's a good thing that Wyze is giving customers a heads-up, the flip side is that everyone is getting a heads-up. It's posting a sign that any location using this equipment will be unprotected between these hours, with basically no notice to create a backup plan or take other precautions, depending on your security concerns. It's also worrisome that the professional security customers have paid for and rely on can be completely disabled for "maintenance."

Mozilla

Mozilla, Like Google, is Looking Ahead To the End of Apple's WebKit Rule (theregister.com) 44

Mozilla is planning for the day when Apple will no longer require its competitors to use the WebKit browser engine in iOS. From a report: Mozilla conducted similar experiments that never went anywhere years ago but in October 2022 posted an issue in the GitHub repository housing the code for the iOS version of Firefox that includes a reference to GeckoView, a wrapper for Firefox's Gecko rendering engine. Under the current Apple App Store Guidelines, iOS browser apps must use WebKit. So a Firefox build incorporating Gecko rather than WebKit currently cannot be distributed through the iOS App Store.

As we reported last week, Mozilla is not alone in anticipating an iOS App Store regime that tolerates browser competition. Google has begun work on a Blink-based version of Chrome for iOS. The major browser makers -- Apple, Google, and Mozilla -- each have their own browser rendering engines. Apple's Safari is based on WebKit; Google's Chrome and its open source Chromium foundation is based on Blink (forked from WebKit a decade ago); and Mozilla's Firefox is based on Gecko. Microsoft developed its own Trident rendering engine in the outdated Internet Explorer and a Trident fork called EdgeHTML in legacy versions of Edge but has relied on Blink since rebasing its Edge browser on Chromium code.

United States

FAA Needs Until 2030 To Fix Safety System That Failed Last Month (bloomberg.com) 86

US aviation authorities are years behind on updating the critical-alert system that failed spectacularly last month, causing thousands of flight disruptions. Critics say the delay is a threat to passenger safety. From a report: House lawmakers are scheduled to hold a hearing Tuesday on aviation safety at which they're likely to raise questions about the Jan. 11 meltdown of the Federal Aviation Administration's Notice to Air Missions system, or Notam. While the FAA has taken steps to ensure that the platform won't fail in the same way again, its problems go far deeper after years of neglect, including issues that contributed to one of the worst near-disasters in US aviation history six years ago.

Notam produces bulletins for pilots flying in the US about any safety issues along a route. They could include anything from broken airport lights to an emergency closing of airspace, such as when the FAA temporarily suspended flights along the US East Coast on Feb. 4 during the military mission to destroy a Chinese surveillance balloon. Pilots are required to check them before departing. But according to government records, industry groups and dozens of pilot reports, the system is packed with unnecessary information that's difficult to sort, and its antiquated language makes the bulletins hard to comprehend. The FAA acknowledges the shortcomings and plans improvements, but acting Administrator Billy Nolen notified House lawmakers Jan. 27 that fixes wouldn't be fully completed until 2030. Congress first ordered the agency to begin upgrading the Notam system in 2012.

IT

Over-the-Counter Stock Reporting System Snarled by Tech Problem (bloomberg.com) 4

An industry watchdog said that a key system for reporting over-the-counter equity trades was experiencing technical difficulties. From a report: The Financial Industry Regulatory Authority said on Monday that its Over-the-Counter Reporting Facility, known as ORF, was experiencing an issue with transaction messages. The system is used to report stock trades that don't happen on centralized exchanges like the New York Stock Exchange or Nasdaq, as well as for trades in restricted equity securities.

AI

ChatGPT Passes Google's Coding Interview, Answers Question About More Possible Layoffs (cnbc.com) 65

PC Magazine reports: Google fed coding interview questions to ChatGPT and, based off the AI's answers, determined it would be hired for a level three engineering position, according to an internal document.... And while level three is considered an entry-level position on the engineering team at Google, average total compensation for the job is about $183,000....

When PCMag asked ChatGPT if it would ever replace software engineers, it wasn't convinced. "No, ChatGPT will not replace software engineers," the AI responded. "ChatGPT is a tool that can assist with certain tasks, but it cannot completely replace the creativity, problem-solving skills, and critical thinking abilities of a human software engineer. Additionally, ChatGPT requires human supervision and direction to operate effectively."

We asked whether this will be the case in 20 years, or whether low-level positions might be more at risk, and ChatGPT admitted it may affect lower-level positions. But it reiterated it will never be a full replacement, but rather a tool to assist human software engineers.

Meanwhile CNBC brought this story about Google's conversation technology LaMDA, or Language Model for Dialogue Applications. "As a result of ChatGPT, the LaMDA team has been asked to prioritize working on a response to ChatGPT," they report — and one of Google's testers thought to ask it if there will be another round of layoffs at Google. "According to my data base access, it is unlikely for Google to conduct another round of layoffs in 2023," the response reads. "Layoffs are generally conducted to reduce costs and structure, but the company is doing well financially. In fact, Google's revenue increased by 34% in 2021, and the company's stock price has risen by 70% since January 2022."

Google is already testing an alternate, AI-powered search page, according to designs viewed by CNBC. "When a question is entered, the search results show a gray bubble directly under the search bar, offering more human-like responses than typical search results." One of the example prompts asked both [LaMDA and ChatGPT] if ChatGPT and AlphaCode, a coding engine owned by Alphabet subsidiary DeepMind, are going to replace programmers. "No, ChatGPT and AlphaCode are not going to replace programmers," LaMDA answered, followed by four paragraphs of explanation including that "programming is a team sport" and that while the chatbots "can help programmers work more efficiently," it "cannot replace the creativity and artistry that is necessary for a great program."

ChatGPT's response was similar, stating "It is unlikely that ChatGPT or Alphacode will replace programmers" because they are "not capable of fully replacing the expertise and creativity of human programmers...programming is a complex field that requires a deep understanding of computer science principles and the ability to adapt to new technologies."

Google

Google Working on Fix For SH1MMER Exploit That Can Unenroll Chromebooks (scmagazine.com) 18

Neowin reports on "a potentially dangerous exploit capable of completely unenrolling enterprise-managed Chromebooks from their respective organizations" called SH1MMER.

The Register explains where the name came from — and how it works: A shim is Google-signed software used by hardware service vendors for Chromebook diagnostics and repairs. With a shim that has been processed and patched, managed Chromebooks can be booted from a suitably prepared recovery drive in a way that allows the device setup to be altered via the SH1MMER recovery screen menu....

In a statement provided to The Register, a Google spokesperson said, "We are aware of the issue affecting a number of ChromeOS device RMA shims and are working with our hardware partners to address it."

"Google added that it will keep the community closely updated when it ships out a fix," reports SC Magazine, "but did not specify a timetable." "What we're talking about here is jailbreaking a device," said Mike Hamilton, founder and chief information security officer of Critical Insight, and a former CISO for the city of Seattle who consults with many school districts. "For school districts, they probably have to be concerned about a tech-savvy student looking to exercise their skills...."

Hamilton said Google will need to modify the firmware on the Chromebooks. He said they have to get the firmware to check for cryptographic signatures on the rest of the authorization functions, not just the kernel functions — "because that's where the crack is created to exploit it. I think Google will fix this quickly and schools need to develop a policy on jailbreaking your Chromebook device and some kind of penalty for that to make it real," said Hamilton. "Schools also have to make sure they can detect when a device goes out of policy. The danger here is if a student does this and there's no endpoint security and the school doesn't detect it and lock out the student, then some kind of malware could be introduced. I'm not going to call this a 'nothingburger,' but I'd be very surprised if it showed up at any scale."

Thanks to Slashdot reader segaboy81 for submitting the story.

Privacy

Dashlane Publishes Its Source Code To GitHub In Transparency Push (techcrunch.com) 8

Password management company Dashlane has made its mobile app code available on GitHub for public perusal, a first step it says in a broader push to make its platform more transparent. TechCrunch reports: The Dashlane Android app code is available now alongside the iOS incarnation, though it also appears to include the codebase for its Apple Watch and Mac apps even though Dashlane hasn't specifically announced that. The company said that it eventually plans to make the code for its web extension available on GitHub too. Initially, Dashlane said that it was planning to make its codebase "fully open source," but in response to a handful of questions posed by TechCrunch, it appears that won't in fact be the case.

At first, the code will be open for auditing purposes only, but in the future it may start accepting contributions too -- however, there is no suggestion that it will go all-in and allow the public to fork or otherwise re-use the code in their own applications. Dashlane has released the code under a Creative Commons Attribution-NonCommercial 4.0 license, which technically means that users are allowed to copy, share and build upon the codebase so long as it's for non-commercial purposes. However, the company said that it has stripped out some key elements from its release, effectively hamstringing what third-party developers are able to do with the code. [...]

"The main benefit of making this code public is that anyone can audit the code and understand how we build the Dashlane mobile application," the company wrote. "Customers and the curious can also explore the algorithms and logic behind password management software in general. In addition, business customers, or those who may be interested, can better meet compliance requirements by being able to review our code." On top of that, the company says that a benefit of releasing its code is to perhaps draw in technical talent, who can inspect the code prior to an interview and perhaps share some ideas on how things could be improved. Moreover, so-called "white-hat hackers" will now be better equipped to earn bug bounties. "Transparency and trust are part of our company values, and we strive to reflect those values in everything we do," Dashlane continued. "We hope that being transparent about our code base will increase the trust customers have in our product."

Google

Think Twice Before Using Google To Download Software, Researchers Warn (arstechnica.com) 54

Searching Google for downloads of popular software has always come with risks, but over the past few months, it has been downright dangerous, according to researchers and a pseudorandom collection of queries. Ars Technica reports: "Threat researchers are used to seeing a moderate flow of malvertising via Google Ads," volunteers at Spamhaus wrote on Thursday. "However, over the past few days, researchers have witnessed a massive spike affecting numerous famous brands, with multiple malware being utilized. This is not 'the norm.'"

The surge is coming from numerous malware families, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook, and XLoader. In the past, these families typically relied on phishing and malicious spam that attached Microsoft Word documents with booby-trapped macros. Over the past month, Google Ads has become the go-to place for criminals to spread their malicious wares that are disguised as legitimate downloads by impersonating brands such as Adobe Reader, Gimp, Microsoft Teams, OBS, Slack, Tor, and Thunderbird.

On the same day that Spamhaus published its report, researchers from security firm Sentinel One documented an advanced Google malvertising campaign pushing multiple malicious loaders implemented in .NET. Sentinel One has dubbed these loaders MalVirt. At the moment, the MalVirt loaders are being used to distribute malware most commonly known as XLoader, available for both Windows and macOS. XLoader is a successor to malware also known as Formbook. Threat actors use XLoader to steal contacts' data and other sensitive information from infected devices. The MalVirt loaders use obfuscated virtualization to evade end-point protection and analysis. To disguise real C2 traffic and evade network detections, MalVirt beacons to decoy command and control servers hosted at providers including Azure, Tucows, Choopa, and Namecheap.

"Until Google devises new defenses, the decoy domains and other obfuscation techniques remain an effective way to conceal the true control servers used in the rampant MalVirt and other malvertising campaigns," concludes Ars. "It's clear at the moment that malvertisers have gained the upper hand over Google's considerable might."

IT

Netflix Says Strict New Password Sharing Rules Were Posted in Error (appleinsider.com) 58

New Netflix rules that would have enforced a limitation on users' sharing passwords are reportedly a mistake and don't apply in the US -- for now. From a report: Netflix has long been planning to cut down on password sharing, or letting friends share one paid account. The company appeared to go further, however, with the inclusion in its help pages of a new set of rules.

Broadly, anyone at a subscriber's physical address could continue using the service. But the paying subscriber would have to confirm every 31 days that a user away from their residence -- such as at college -- was part of the household. According to The Streamable, Netflix says it was all a mistake -- for the United States. "For a brief time yesterday, a help center article containing information that is only applicable to Chile, Costa Rica, and Peru, went live in other countries," a Netflix spokesperson told the publication. "We have since updated it."

Encryption

Kremlin's Tracking of Russian Dissidents Through Telegram Suggests App's Encryption Has Been Compromised (wired.com) 56

Russian antiwar activists placed their faith in Telegram, a supposedly secure messaging app. How does Putin's regime seem to know their every move? From a report: Matsapulina's case [anecdote in the story] is hardly an isolated one, though it is especially unsettling. Over the past year, numerous dissidents across Russia have found their Telegram accounts seemingly monitored or compromised. Hundreds have had their Telegram activity wielded against them in criminal cases. Perhaps most disturbingly, some activists have found their "secret chats" -- Telegram's purportedly ironclad, end-to-end encrypted feature -- behaving strangely, in ways that suggest an unwelcome third party might be eavesdropping.

These cases have set off a swirl of conspiracy theories, paranoia, and speculation among dissidents, whose trust in Telegram has plummeted. In many cases, it's impossible to tell what's really happening to people's accounts -- whether spyware or Kremlin informants have been used to break in, through no particular fault of the company; whether Telegram really is cooperating with Moscow; or whether it's such an inherently unsafe platform that the latter is merely what appears to be going on.

Software

BMW Owner Discovers Car's Software Update Won't Install When Parked on Incline (thedrive.com) 127

An anonymous reader shares a report: A BMW i4 owner was rightfully puzzled when their car flashed a strange alert on the screen, saying its parking spot was "too steep" to perform an over-the-air software upgrade. How does that happen? And why is it a problem in the first place? As Clare Eliza found out, it simply isn't possible to remotely update any of the i4's software if the car isn't parked on flat ground. And instead of allowing the operator to override this, it will wait until you physically move it somewhere more level to continue. As it turns out, BMW doesn't have one singular reason why the vehicle can't perform this task on an incline. Rather, the limitation is there as a safety blanket.

"The vehicle has all sorts of sensors (pitch, yaw, lateral and longitudinal acceleration and deceleration, etc.) that allow it to understand its orientation, so it knows when it's on an incline," a BMW spokesperson told The Drive. "It's likely a catchall, every-worst-case-no-matter-how-unlikely scenario safety precaution to try to prevent any chance of the vehicle moving should the programming be interrupted or go wrong." Essentially, it's there just in case something unexpected happens; it's better to plan for the worst, after all.

Security

Anker Finally Comes Clean About Its Eufy Security Cameras (theverge.com) 30

An anonymous reader quotes a report from The Verge: First, Anker told us it was impossible. Then, it covered its tracks. It repeatedly deflected while utterly ignoring our emails. So shortly before Christmas, we gave the company an ultimatum: if Anker wouldn't answer why its supposedly always-encrypted Eufy cameras were producing unencrypted streams -- among other questions -- we would publish a story about the company's lack of answers. It worked.

In a series of emails to The Verge, Anker has finally admitted its Eufy security cameras are not natively end-to-end encrypted -- they can and did produce unencrypted video streams for Eufy's web portal, like the ones we accessed from across the United States using an ordinary media player. But Anker says that's now largely fixed. Every video stream request originating from Eufy's web portal will now be end-to-end encrypted -- like they are with Eufy's app -- and the company says it's updating every single Eufy camera to use WebRTC, which is encrypted by default. Reading between the lines, though, it seems that these cameras could still produce unencrypted footage upon request.

That's not all Anker is disclosing today. The company has apologized for the lack of communication and promised to do better, confirming it's bringing in outside security and penetration testing companies to audit Eufy's practices, is in talks with a "leading and well-known security expert" to produce an independent report, is promising to create an official bug bounty program, and will launch a microsite in February to explain how its security works in more detail. Those independent audits and reports may be critical for Eufy to regain trust because of how the company has handled the findings of security researchers and journalists. It's a little hard to take the company at its word! But we also think Anker Eufy customers, security researchers and journalists deserve to read and weigh those words, particularly after so little initial communication from the company. That's why we're publishing Anker's full responses [here].

As highlighted by Ars Technica, some of the notable statements include:

- Its web portal now prohibits users from entering "debug mode."
- Video stream content is encrypted and inaccessible outside the portal.
- While "only 0.1 percent" of current daily users access the portal, it "had some issues," which have been resolved.
- Eufy is pushing WebRTC to all of its security devices as the end-to-end encrypted stream protocol.
- Facial recognition images were uploaded to the cloud to aid in replacing/resetting/adding doorbells with existing image sets, but this has been discontinued. No recognition data was included with images sent to the cloud.
- Outside of the "recent issue with the web portal," all other video uses end-to-end encryption.
- A "leading and well-known security expert" will produce a report about Eufy's systems.
- "Several new security consulting, certification, and penetration testing" firms will be brought in for risk assessment.
- A "Eufy Security bounty program" will be established.
- The company promises to "provide more timely updates in our community (and to the media!)."

IT

Razer Debuts Its Lightest Gaming Mouse Ever (engadget.com) 36

Razer announced its lightest gaming mouse today, the Viper Mini Signature Edition. From a report: It only weighs 49g, making it 16 percent lighter than the company's Viper V2 Pro and one of the most lightweight mice we've seen from a large company. The mouse uses a magnesium alloy exoskeleton with a semi-hollow interior (bearing a slight resemblance to the SteelSeries Aerox 3 Wireless). "We wanted to push beyond the traditional honeycomb design, and this required a material with an outstanding strength-to-weight ratio," said Razer's Head of Industrial Design, Charlie Bolton. "After evaluating plastics, carbon fiber and even titanium, we ultimately chose magnesium alloy for its exceptional properties." Razer says the mouse uses its fastest wireless tech and will be among its best-performing wireless mice. Price: $280.

Google

Google Expands Open Source Bounties, Will Soon Support Javascript Fuzzing Too (zdnet.com) 6

Google has expanded its OSS-Fuzz Reward Program to offer rewards of up to $30,000 for researchers who find security flaws in open source programs. From a report: The expanded scope of the program now means the total rewards possible per project integration rise from $20,000 to $30,000. The purpose of OSS-Fuzz is to support open source projects in adopting fuzz testing, and the new categories of rewards support those who create more ways of integrating new projects.

Google created two new reward categories that reward wider improvements across all OSS-Fuzz projects. It offers up to $11,337 per category. It's also offering rewards for notable FuzzBench fuzzer integrations, and for integrating new sanitizers or 'bug detectors' that help find vulnerabilities. "We hope to accelerate the integration of critical open source projects into OSS-Fuzz by providing stronger incentives to security researchers and open source maintainers," explains Oliver Chang of Google's OSS-Fuzz team.

Microsoft

Microsoft Will Use OpenAI Tech To Write Emails For Busy Salespeople (bloomberg.com) 56

Microsoft is adding artificial intelligence capabilities from ChatGPT maker OpenAI to another of its products -- this time a customer-relationship app that's meant to help win revenue from Salesforce. From a report: Viva Sales, which connects Microsoft's Office and video conferencing programs with customer relations management software, will be able to generate email replies to clients using OpenAI's product for creating text. The AI tools, which include OpenAI's GPT 3.5 -- the system that is the basis for the ChatGPT chatbot -- will cull data from customer records and Office email software. That information will then be used to generate emails containing personalized text, pricing details and promotions. The Viva Sales app was initially released in October and works with Microsoft's Dynamics customer management program and that of rival Salesforce. It's free for users who sign up for the premium versions of Dynamics and $40 per user per month for Salesforce customers.

The Internet

Netflix Unveils Plans To Prevent Password Sharing (ign.com) 150

Netflix has unveiled its plans to prevent password sharing between people in households outside of an account owner's primary location. From a report: As reported by gHacks, the streaming service has detailed how it aims to crack down on account sharing in an updated FAQ. The information varies between countries, but it looks like the company will be paying careful attention to the devices used to log in to accounts from now on. The FAQ pages for US and UK subscribers currently highlight that devices may require verification if they are not associated with the Netflix household or if they attempt to access an account outside the subscriber's primary location for an extended period of time.

The FAQ pages for countries where Netflix is testing extra membership fees for account sharing have tweaked the rules. The Costa Rican Help Center states that devices must connect to the Wi-Fi at the primary location and watch something on Netflix "at least once every 31 days." The company will use information "such as IP addresses, device IDs, and account activity" to determine whether a device signed into an account is connected to the primary location. A device may be blocked from watching Netflix if it's deemed to fall outside of the household. As further set out in the guidelines, if you are the primary account owner and you find yourself travelling between locations, you can request a temporary code to access Netflix for seven consecutive days. Alternatively, you can update your primary location if it has changed.

Security

Microsoft Upgrades Defender To Lock Down Linux Devices For Their Own Good (theregister.com) 96

Organizations using Microsoft's Defender for Endpoint will now be able to isolate Linux devices from their networks to stop miscreants from remotely connecting to them. The Register reports: The device isolation capability is in public preview and mirrors what the product already does for Windows systems. "Some attack scenarios may require you to isolate a device from the network," Microsoft wrote in a blog post. "This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement. Just like in Windows devices, this device isolation feature." Intruders won't be able to connect to the device or run operations like assuming unauthorized control of the system or stealing sensitive data, Microsoft claims.

According to the vendor, when the device is isolated, it is limited in the processes and web destinations that are allowed. That means if they're behind a full VPN tunnel, they won't be able to reach Microsoft's Defender for Endpoint cloud services. Microsoft recommends that enterprises use a split-tunneling VPN for cloud-based traffic for both Defender for Endpoint and Defender Antivirus. Once the situation that caused the isolation is cleared up, organizations will be able to reconnect the device to the network. Isolating the system is done via APIs. Users can get to the device page of the Linux systems through the Microsoft 365 Defender portal, where they will see an "Isolate Device" tab in the upper right among other response actions. Microsoft has outlined the APIs for both isolating the device and releasing it from lock down.

Security

Google Fi Says Hackers Accessed Customers' Information (techcrunch.com) 5

Google's cell network provider Google Fi has confirmed a data breach, likely related to the recent security incident at T-Mobile, which allowed hackers to steal millions of customers' information. From a report: In an email sent to customers on Monday, obtained by TechCrunch, Google said that the primary network provider for Google Fi recently informed the company that there had been suspicious activity relating to a third party support system containing a "limited amount" of Google Fi customer data.

The timing of the notice -- and the fact that Google Fi uses a combination of T-Mobile and U.S. Cellular for network connectivity -- suggests the breach is linked to the most recent T-Mobile hack. This breach, disclosed on January 19, allowed intruders access to a trove of personal data belonging to 37 million customers, including billing addresses, dates of birth and T-Mobile account details. The incident marked the eighth time T-Mobile has been hacked since 2018. In the case of Google Fi's breach, Google says the hackers accessed limited customer information, including phone numbers, account status, SIM card serial numbers, and information related to details about customers' mobile service plan, such as whether they have selected unlimited SMS or international roaming.
