Data Storage

Huge Capacity HDDs Shine In Latest Storage Reliability Report But There's A Caveat (hothardware.com) 39

Hot Hardware reports: When it comes to mechanical hard disk drives (HDDs), you'd be very hard pressed to find any data on failure rates reported by any of the major players, such as Western Digital, Seagate, and the rest. Fortunately for us stat nerds and anyone else who is curious, the folks at cloud backup firm Backblaze frequently issue reliability reports that give insight into how often various models and capacities give up the ghost. At a glance, Backblaze's latest report highlights that bigger capacity drives -- 12TB, 14TB, and 16TB -- fail less often than smaller capacity models. A closer examination, however, reveals that it's not so cut and dry.

[...] In a nutshell, Backblaze noted an overall rise in the annual failure rates (AFRs) for 2022. The cumulative AFR of all drives deployed rose to 1.37 percent, up from 1.01 percent in 2021. By the end of 2022, Backblaze had 236,608 HDDs in service, including 231,309 data drives and 4,299 boot drives. Its latest report focuses on the data drives. [...] Bigger drives are more reliable than smaller drives, case closed, right? Not so fast. There's an important caveat to this data -- while the smaller drives failed more often last year, they are also older, as can be seen in the graph above. "The aging of our fleet of hard drives does appear to be the most logical reason for the increased AFR in 2022. We could dig in further, but that is probably moot at this point. You see, we spent 2022 building out our presence in two new data centers, the Nautilus facility in Stockton, California and the CoreSite facility in Reston, Virginia. In 2023, our focus is expected to be on replacing our older drives with 16TB and larger hard drives," Backblaze says.

Security

GitHub Says Hackers Cloned Code-Signing Certificates in Breached Repository (arstechnica.com) 19

GitHub said unknown intruders gained unauthorized access to some of its code repositories and stole code-signing certificates for two of its desktop applications: Desktop and Atom. From a report: Code-signing certificates place a cryptographic stamp on code to verify it was developed by the listed organization, which in this case is GitHub. If decrypted, the certificates could allow an attacker to sign unofficial versions of the apps that had been maliciously tampered with and pass them off as legitimate updates from GitHub. Current versions of Desktop and Atom are unaffected by the credential theft.

"A set of encrypted code signing certificates were exfiltrated; however, the certificates were password-protected and we have no evidence of malicious use," the company wrote in an advisory. "As a preventative measure, we will revoke the exposed certificates used for the GitHub Desktop and Atom applications." The revocations, which will be effective on Thursday, will cause certain versions of the apps to stop working.

Facebook

Hacker Finds Bug That Allowed Anyone To Bypass Facebook 2FA (techcrunch.com) 13

An anonymous reader quotes a report from TechCrunch: A bug in a new centralized system that Meta created for users to manage their logins for Facebook and Instagram could have allowed malicious hackers to switch off an account's two-factor protections just by knowing their phone number. Gtm Manoz, a security researcher from Nepal, realized that Meta did not set up a limit of attempts when a user entered the two-factor code used to log into their accounts on the new Meta Accounts Center, which helps users link all their Meta accounts, such as Facebook and Instagram.

With a victim's phone number, an attacker would go to the centralized accounts center, enter the phone number of the victim, link that number to their own Facebook account, and then brute force the two-factor SMS code. This was the key step, because there was no upper limit to the amount of attempts someone could make. Once the attacker got the code right, the victim's phone number became linked to the attacker's Facebook account. A successful attack would still result in Meta sending a message to the victim, saying their two-factor was disabled as their phone number got linked to someone else's account.

Manoz found the bug in the Meta Accounts Center last year, and reported it to the company in mid-September. Meta fixed the bug a few days later, and paid Manoz $27,200 for reporting the bug. Meta spokesperson Gabby Curtis told TechCrunch that at the time of the bug the login system was still at the stage of a small public test. Curtis also said that Meta's investigation after the bug was reported found that there was no evidence of exploitation in the wild, and that Meta saw no spike in usage of that particular feature, which would signal the fact that no one was abusing it.
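
As an added illustration of the control the report says was missing (example code, not Meta's), the verification routine below counts failed guesses per phone number and locks the number after a handful of them, so a six-digit SMS code cannot simply be guessed until it matches; the class, function and threshold names are assumptions.

```python
"""Attempt-limited verification of an SMS two-factor code.

Added example (not Meta's code): a per-phone-number failure counter that
invalidates the code and locks the number after a few wrong guesses.
Class, function and threshold names are assumptions for this demo.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5            # wrong guesses tolerated per issued code
LOCKOUT_SECONDS = 15 * 60   # how long the number is locked afterwards
CODE_TTL_SECONDS = 10 * 60  # an unused code expires after this long


@dataclass
class PendingCode:
    code: str
    issued_at: float
    failures: int = 0


class PhoneLinkVerifier:
    """Verifies the code sent when a phone number is linked to an account."""

    def __init__(self, clock=time.time):
        self._clock = clock                        # injectable for testing
        self._pending: dict[str, PendingCode] = {}
        self._locked_until: dict[str, float] = {}

    def issue_code(self, phone: str) -> str:
        # A fresh random 6-digit code; a real service would SMS it, not return it.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[phone] = PendingCode(code, self._clock())
        return code

    def verify(self, phone: str, guess: str) -> str:
        """Return 'ok', 'wrong', 'locked' or 'expired' for one attempt."""
        now = self._clock()
        if self._locked_until.get(phone, 0.0) > now:
            return "locked"
        pending = self._pending.get(phone)
        if pending is None or now - pending.issued_at > CODE_TTL_SECONDS:
            self._pending.pop(phone, None)
            return "expired"
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        if hmac.compare_digest(pending.code.encode(), guess.strip().encode()):
            del self._pending[phone]
            return "ok"
        pending.failures += 1
        if pending.failures >= MAX_ATTEMPTS:
            # Burn the code and lock the number: every further batch of
            # guesses needs a freshly issued code and a full lockout wait.
            del self._pending[phone]
            self._locked_until[phone] = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"
```
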

Security

KeePass Disputes Vulnerability Allowing Stealthy Password Theft (bleepingcomputer.com) 66

The development team behind the open-source password management software KeePass is disputing what is described as a newly found vulnerability that allows attackers to stealthily export the entire database in plain text. BleepingComputer reports: KeePass is a very popular open-source password manager that allows you to manage your passwords using a locally stored database, rather than a cloud-hosted one, such as LastPass or Bitwarden. To secure these local databases, users can encrypt them using a master password so that malware or a threat actor can't just steal the database and automatically gain access to the passwords stored within it. The new vulnerability is now tracked as CVE-2023-24055, and it enables threat actors with write access to a target's system to alter the KeePass XML configuration file and inject a malicious trigger that would export the database, including all usernames and passwords in cleartext. The next time the target launches KeePass and enters the master password to open and decrypt the database, the export rule will be triggered, and the contents of the database will be saved to a file the attackers can later exfiltrate to a system under their control. However, this export process launches in the background without the user being notified or KeePass requesting the master password to be entered as confirmation before exporting, allowing the threat actor to quietly gain access to all of the stored passwords. [...]

While the CERT teams of Netherlands and Belgium have also issued security advisories regarding CVE-2023-24055, the KeePass development team is arguing that this shouldn't be classified as a vulnerability given that attackers with write access to a target's device can also obtain the information contained within the KeePass database through other means. In fact, a "Security Issues" page on the KeePass Help Center has been describing the "Write Access to Configuration File" issue since at least April 2019 as "not really a security vulnerability of KeePass." If the user has installed KeePass as a regular program and the attackers have write access, they can also "perform various kinds of attacks." Threat actors can also replace the KeePass executable with malware if the user runs the portable version.

"In both cases, having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection)," the KeePass developers explain. "These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment."

If the KeePass devs don't release a version of the app that addresses this issue, BleepingComputer notes "you could still secure your database by logging in as a system admin and creating an enforced configuration file."

"This type of config file takes precedence over settings described in global and local configuration files, including new triggers added by malicious actors, thus mitigating the CVE-2023-24055 issue."
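
An added example, not KeePass project code, of what a defender can do alongside the enforced configuration: scan the XML configuration and report every trigger whose action parameters point at a plaintext format or file, which is how an injected export trigger like the one described above would show up in a review. The element names and the sample configuration are assumptions based on KeePass's trigger XML layout, and the GUIDs are placeholders.

```python
"""Audit a KeePass XML configuration for triggers that could export the database.

Added example, not KeePass project code.  The element names (Trigger, Name,
Enabled, Parameter) follow KeePass's trigger XML layout as understood here,
the sample configuration is constructed for the demo, and GUIDs are placeholders.
"""
import xml.etree.ElementTree as ET

# Strings in an action parameter that point at a plaintext export: a format
# name such as "KeePass XML (2.x)" or a destination file extension.
PLAINTEXT_HINTS = ("xml", "csv", "html", ".txt")

SAMPLE_CONFIG = r"""<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>PLACEHOLDER-GUID-1</Guid>
          <Name>Sync after save</Name>
          <Enabled>true</Enabled>
          <Actions>
            <Action>
              <TypeGuid>PLACEHOLDER-ACTION-GUID</TypeGuid>
              <Parameters>
                <Parameter>\\fileserver\vault\team.kdbx</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
        <Trigger>
          <Guid>PLACEHOLDER-GUID-2</Guid>
          <Name>Backup</Name>
          <Enabled>true</Enabled>
          <Actions>
            <Action>
              <TypeGuid>PLACEHOLDER-ACTION-GUID</TypeGuid>
              <Parameters>
                <Parameter>C:\Users\Public\Libraries\export.xml</Parameter>
                <Parameter>KeePass XML (2.x)</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""


def audit_triggers(config_xml: str) -> list[dict]:
    """Return one finding per trigger whose action parameters name a plaintext
    format or file; an empty list means nothing export-like was found."""
    root = ET.fromstring(config_xml)
    findings = []
    for trigger in root.iter("Trigger"):
        name = (trigger.findtext("Name") or "").strip()
        enabled = (trigger.findtext("Enabled") or "true").strip().lower() != "false"
        params = [p.text.strip() for p in trigger.iter("Parameter")
                  if p.text and p.text.strip()]
        hits = [p for p in params if any(h in p.lower() for h in PLAINTEXT_HINTS)]
        if hits:
            findings.append({"name": name, "enabled": enabled, "parameters": hits})
    return findings


if __name__ == "__main__":
    for f in audit_triggers(SAMPLE_CONFIG):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"[{state}] trigger {f['name']!r} writes plaintext: {f['parameters']}")
```

The benign sync trigger, whose only parameter is a .kdbx path, is not reported; the export trigger is.
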

The Internet

Massive Yandex Code Leak Reveals Russian Search Engine's Ranking Factors (arstechnica.com) 24

An anonymous reader quotes a report from Ars Technica: Nearly 45GB of source code files, allegedly stolen by a former employee, have revealed the underpinnings of Russian tech giant Yandex's many apps and services. It also revealed key ranking factors for Yandex's search engine, the kind almost never revealed in public. [...] While it's not clear whether there are security or structural implications of Yandex's source code revelation, the leak of 1,922 ranking factors in Yandex's search algorithm is certainly making waves. SEO consultant Martin MacDonald described the hack on Twitter as "probably the most interesting thing to have happened in SEO in years" (as noted by Search Engine Land). In a thread detailing some of the more notable factors, researcher Alex Buraks suggests that "there is a lot of useful information for Google SEO as well."

Yandex, the fourth-ranked search engine by volume, purportedly employs several ex-Google employees. Yandex tracks many of Google's ranking factors, identifiable in its code, and competes heavily with Google. Google's Russian division recently filed for bankruptcy after losing its bank accounts and payment services. Buraks notes that the first factor in Yandex's list of ranking factors is "PAGE_RANK," which is seemingly tied to the foundational algorithm created by Google's co-founders.

As detailed by Buraks (in two threads), Yandex's engine favors pages that:
- Aren't too old
- Have a lot of organic traffic (unique visitors) and less search-driven traffic
- Have fewer numbers and slashes in their URL
- Have optimized code rather than "hard pessimization," with a "PR=0"
- Are hosted on reliable servers
- Happen to be Wikipedia pages or are linked from Wikipedia
- Are hosted or linked from higher-level pages on a domain
- Have keywords in their URL (up to three)

Security

JD Sports Admits Intruder Accessed 10 Million Customers' Data (theregister.com) 6

Sports fashion retailer JD Sports has confirmed miscreants broke into a system that contained data on a whopping 10 million customers, but no payment information was among the mix. The Register reports: In a post to investors this morning, the London Stock Exchange-listed business said the intrusion related to infrastructure that housed data for online orders from sub-brands including JD, Size?, Millets, Blacks, Scotts and MilletSport between November 2018 and October 2020. The data accessed consisted of customer name, billing address, delivery address, phone number, order details and the final four digits of payment cards "of approximately 10 million unique customers." The company does "not hold full payment card details" and said that it has "no reason to believe that account passwords were accessed."

As is customary in such incidents, JD Sports has contacted the relevant authorities such as the Information Commissioner's Office and says it has enlisted the help of "leading cyber security experts." The chain has stores across Europe, with some operating in North America and Canada. It also operates some footwear brands including Go Outdoors and Shoe Palace.

"We want to apologize to those customers who may have been affected by this incident," said Neil Greenhalgh, chief financial officer at JD Sports. "We are advising them to be vigilant about potential scam emails, calls and texts and providing details on how to report these."

He added: "We are continuing with a full review of our cyber security in partnership with external specialists following this incident. Protecting the data of our customers is an absolute priority for JD."

Businesses

Amazon is Selling Its 29-Acre Bay Area Property as Return to Office Stalls (msn.com) 69

Amazon is "selling a vacant Bay Area office complex purchased about 16 months ago," reports Bloomberg, "the company's latest effort to unwind a pandemic-era expansion that left it with a surfeit of warehouses and employees." Amazon in October 2021 paid $123 million for the 29-acre property in Milpitas, California, part of a strategy to lock up real estate near big cities that could be used for new warehouses and facilitate future growth.... Amazon is expected to take a loss on the sale of the Metro Corporate Center, according to one person familiar with the terms of the deal, who spoke on condition of anonymity....

Amazon last year began its biggest-ever round of job cuts that will ultimately affect 18,000 workers around the globe. The world's largest e-commerce company, which is scheduled to report earnings on Feb. 2, warned investors that fourth-quarter sales growth would be the slowest in its history.

SFGate writes that the possible sale "is indicative of broader trends in Bay Area corporate real estate, which has struggled with remote work, tech layoffs and broader economic shifts."

"According to a report by commercial real estate firm Kidder Mathews, direct office vacancies in San Francisco rose to more than 18.4% in the fourth quarter of 2022, while a Kastle Systems report found that office occupancy rates rose to 41.8%, just 1% higher than the rates in September 2022."

Google

Do 'Layoffs By Email' Show What Employers Really Think of Their Workers? (nytimes.com) 208

When Google laid off 6% of its workforce — some of whom had worked for the company for decades — employees "got the news in their inbox," writes Gawker's founding editor in a scathing opinion piece in the New York Times: That sting is becoming an all-too-common sensation. In the last few years, tens of thousands of people have been laid off by email at tech and digital media companies including Twitter, Amazon, Meta and Vox. The backlash from affected employees has been swift.... It's not just tech and media. Companies in a range of industries claim this is the only efficient way to do a lot of layoffs. Informing workers personally is too complicated, they say — and too risky, as people might use their access to internal systems to perform acts of sabotage. (These layoff emails are often sent to employees' personal email; by the time they check it, they've been locked out of all their employer's own platforms.)

As someone who's managed people in newsrooms and digital start-ups and has hired and fired people in various capacities for the last 21 years, I think this approach is not just cruel but unnecessary. It's reasonable to terminate access to company systems, but delivering the news with no personal human contact serves only one purpose: letting managers off the hook. It ensures they will not have to face the shock and devastation that people feel when they lose their livelihoods. It also ensures the managers won't have to weather any direct criticism about the poor leadership that brought everyone to that point.... Future hiring prospects will be reading all about it on Twitter or Glassdoor. In a tight labor market, a company's cruelty can leave a lasting stain on its reputation....

The expectation that an employee give at least two weeks notice and help with transition is rooted in a sense that workers owe their employers something more than just their labor: stability, continuity, maybe even gratitude for the compensation they've earned. But when it's the company that chooses to end the relationship, there is often no such requirement. The same people whose labor helped build the company get suddenly recoded as potential criminals who might steal anything that's not nailed down....

Approval of unions is already at 71 percent. Dehumanizing workers like this is accelerating the trend. Once unthinkable, unionization at large tech companies now seems all but inevitable. Treating employees as if they're disposable units who can simply be unsubscribed to ultimately endangers a company's own interests. It seems mistreated workers know their value, even if employers — as they are increasingly prone to demonstrate — do not.

Google

After Layoffs: Executive Pay Cuts at Google - and How Apple Steered Clear (forbes.com) 36

Fortune reports on what happened next: As questions piled up over the weekend, Google CEO Sundar Pichai addressed the entire company in a meeting on Monday to answer questions, and announced then that top executives would take a pay cut this year as part of the company's cost reduction measures, Business Insider reported. Pichai said that all roles above the senior vice president level will witness "very significant reduction in their annual bonus," adding that for senior roles the compensation was linked to company performance. It was not immediately clear how big Pichai's own pay cut would be.

Reuters also points out that Pichai "received a massive hike in salary a few weeks before Google announced layoffs." But Fortune makes an interesting comparison: Pichai's move to cut the pay for senior executives comes only weeks after Apple's Tim Cook announced his compensation would be 40% lower amid shareholder pressure. The iPhone maker had a strong 2022 and remains one of the few tech behemoths that hasn't announced layoffs yet.

Last year Apple's share price still dropped 27%, reports Forbes, and "According to the Wall Street Journal, Apple is expected next month to report its first quarterly sales decline in over three years."

Yet Apple seems to have avoided layoffs — which Forbes argues is because Apple didn't hire aggressively during the pandemic. Compared to the other Big Tech companies, Apple scaled its workforce at a relatively slow pace and has generally followed the same hiring rate since 2016. While there was a hiring surge in Silicon Valley during the pandemic, Apple added fewer than 7,000 jobs in 2020....

The tech companies undergoing layoffs right now hired fervently during the pandemic — and even before. Alphabet has consecutively expanded its workforce at least 10% annually since 2013, according to CNBC....

Since 2012, Meta has expanded its workforce by thousands each year. In 2020, Zuckerberg increased headcount by 30% — 13,000 workers. The following year, the social media platform added another 13,000 employees to its payroll. Those two years marked the biggest growth in the company's history.

Amazon has initiated its plan to separate more than 18,000 white-collar professionals from its payroll. In 2021, the online retailer hired an estimated 500,000 employees, according to GeekWire, becoming the second-largest employer in the United States after Walmart. A year later, the company expanded its workforce by 310,000.

Entrepreneur supplies some context about those layoffs at Google: Reports indicate qualifying staff who were let go will receive their full notification period salary plus a severance package beginning at 16 weeks' pay and two additional weeks for every year of employment. Also part of the package: bonuses, vacation time, and health care coverage for up to six months will be paid for, along with job placement and immigration support.

Entrepreneur also notes reports that Google's latest round of layoffs "affected 27 massage therapists across Los Angeles and Irvine."

Security

Security Researchers Breached Server of Russia's 'Black Basta' Ransomware Gang (quadrantsec.com) 9

Long-time Slashdot reader Beave writes: Security researchers and practitioners at Quadrant Information Security recently found themselves in a battle with the Russian ransomware gang known as "Black Basta"... Quadrant discovered the Russian gang attempting to exfiltrate data from a network. Once a victim's data is fully exfiltrated the gang then encrypts workstations and servers, and demands ransom payments from the victim in order to decrypt their data and to prevent Black Basta from releasing exfiltrated data to the public.

Fortunately, in this case, Black Basta didn't make it that far. Instead, the security researchers used the opportunity to better understand Black Basta's "backend servers", tools, and methods. Black Basta will sometimes use a victim's network to log into their own servers, which leads to interesting opportunities to observe the gang's operations...

The first write-up goes into technical details about the malware and tactics Black Basta used. The second write-up focuses on Black Basta's "backend" servers and how they manage them.

TLDR? You can also listen to two of the security researchers discuss their findings on the latest episode of the "Breaking Badness" podcast.

The articles go into great detail - even asking whether deleting their own exfiltrated data from the gang's server "would technically constitute a federal offense per the 'The Computer Fraud and Abuse Act' of 1986."

Security

US Says It 'Hacked the Hackers' To Bring Down Hive Ransomware Gang (reuters.com) 34

The FBI revealed today that it had shut down the prolific ransomware gang called Hive, "a maneuver that allowed the bureau to thwart the group from collecting more than $130 million in ransomware demands from more than 300 victims," reports Reuters. Slashdot readers wiredmikey and unimind shared the news. From the report: At a news conference, U.S. Attorney General Merrick Garland, FBI Director Christopher Wray, and Deputy U.S. Attorney General Lisa Monaco said government hackers broke into Hive's network and put the gang under surveillance, surreptitiously stealing the digital keys the group used to unlock victim organizations' data. They were then able to alert victims in advance so they could take steps to protect their systems before Hive demanded the payments. "Using lawful means, we hacked the hackers," Monaco told reporters. "We turned the tables on Hive."

News of the takedown first leaked on Thursday morning when Hive's website was replaced with a flashing message that said: "The Federal Bureau of Investigation seized this site as part of coordinated law enforcement action taken against Hive Ransomware." Hive's servers were also seized by the German Federal Criminal Police and the Dutch National High Tech Crime Unit. The undercover infiltration, which started in July 2022, went undetected by the gang until now.

The Justice Department said that over the years, Hive has targeted more than 1,500 victims in 80 different countries, and has collected more than $100 million in ransomware payments. Although there were no arrests announced on Wednesday, Garland said the investigation was ongoing and one department official told reporters to "stay tuned."

Security

Dutch Hacker Obtained Virtually All Austrians' Personal Data, Police Say (reuters.com) 22

A Dutch hacker arrested in November obtained and offered for sale the full name, address and date of birth of virtually everyone in Austria, the Alpine nation's police said on Wednesday. From a report: A user believed to be the hacker offered the data for sale in an online forum in May 2020, presenting it as "the full name, gender, complete address and date of birth of presumably every citizen" in Austria, police said in a statement, adding that investigators had confirmed its authenticity.

The trove comprised close to nine million sets of data, police said. Austria's population is roughly 9.1 million. The hacker had also put "similar data sets" from Italy, the Netherlands and Colombia up for sale, Austrian police said, adding that they did not have further details.

Security

US Federal Agencies Hacked Using Legitimate Remote Desktop Tools (techcrunch.com) 19

The U.S. government's cybersecurity agency has warned that criminal financially motivated hackers compromised federal agencies using legitimate remote desktop software. From a report: CISA said in a joint advisory with the National Security Agency on Wednesday that it had identified a "widespread cyber campaign involving the malicious use of legitimate remote monitoring and management (RMM) software" that had targeted multiple federal civilian executive branch agencies -- known as FCEBs -- a list that includes Homeland Security, the Treasury, and the Justice Department.

CISA said it first identified suspected malicious activity on two FCEB systems in October while conducting a retrospective analysis using Einstein, a government-operated intrusion detection system used for protecting federal civilian agency networks. Further analysis led to the conclusion that many other government networks were also affected.

Security

Yandex Denies Hack, Blames Source Code Leak on Former Employee (bleepingcomputer.com) 11

A Yandex source code repository allegedly stolen by a former employee of the Russian technology company has been leaked as a Torrent on a popular hacking forum. From a report: Yesterday, the leaker posted a magnet link that they claim is 'Yandex git sources' consisting of 44.7 GB of files stolen from the company in July 2022. These code repositories allegedly contain all of the company's source code besides anti-spam rules.

IT

NYSE Mayhem Traced To a Staffer Who Left a Backup System Running (bloomberg.com) 82

An anonymous reader shares a report: More than 700 miles from Wall Street, the New York Stock Exchange's backup data center on Cermak Road in Chicago is supposed to safeguard US markets, standing by at all hours in case disaster ever strikes the world's largest venue for trading shares. When markets are closed, it participates in a well-worn routine, with NYSE staffers turning on and off systems to ensure everything works. But heading into Tuesday, an NYSE employee failed to properly shut down Cermak's disaster-recovery system -- leading to a disaster.

That human error, described by people with direct knowledge of NYSE's internal operations, is what triggered wild market swings when trading opened Tuesday morning in Manhattan. The chaos affected more than 250 companies including Wells Fargo, McDonald's, Walmart and Morgan Stanley, in some cases sending stock prices swinging by 25 percentage points in a matter of minutes. The episode has prompted the exchange to cancel thousands of trades at a cost that's still being determined. Meanwhile, market professionals and day traders are rattled and waiting for the exchange to elaborate on what it publicly called a "manual error" involving its "disaster recovery configuration."

The Internet

Russian, Iranian Hackers Pose as Journalists in Emails, UK Says (bloomberg.com) 15

British cybersecurity officials are warning that hacking groups linked to Russia and Iran are duping people into clicking malicious links by impersonating journalists and experts. From a report: The hackers, who have similar goals but are said to be working separately, have sought to steal emails from people working in academia, defense, the media and government, as well as from activists and non-governmental organizations, according to an advisory released on Thursday by the UK's National Cyber Security Centre. "These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems," said Paul Chichester, the center's director of operations. "We strongly encourage organizations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online."

Privacy

A Network of Knockoff Apparel Stores Exposed 330,000 Customer Credit Cards (techcrunch.com) 22

An anonymous reader quotes a report from TechCrunch: If you recently made a purchase from an overseas online store selling knockoff clothes and goods, there's a chance your credit card number and personal information were exposed. Since January 6, a database containing hundreds of thousands of unencrypted credit card numbers and corresponding cardholders' information was spilling onto the open web. At the time it was pulled offline on Tuesday, the database had about 330,000 credit card numbers, cardholder names, and full billing addresses -- and rising in real-time as customers placed new orders. The data contained all the information that a criminal would need to make fraudulent transactions and purchases using a cardholder's information.

The credit card numbers belong to customers who made purchases through a network of near-identical online stores claiming to sell designer goods and apparel. But the stores had the same security problem in common: Any time a customer made a purchase, their credit card data and billing information was saved in a database, which was left exposed to the internet without a password. Anyone who knew the IP address of the database could access reams of unencrypted financial data. Anurag Sen, a good-faith security researcher, found the exposed credit card records and asked TechCrunch for help in reporting it to its owner. Sen has a respectable track record of scanning the internet looking for exposed servers and inadvertently published data, and reporting it to companies to get their systems secured.

But in this case, Sen wasn't the first person to discover the spilling data. According to a ransom note left behind on the exposed database, someone else had found the spilling data and, instead of trying to identify the owner and responsibly reporting the spill, the unnamed person instead claimed to have taken a copy of the entire database's contents of credit card data and would return it in exchange for a small sum of cryptocurrency. A review of the data by TechCrunch shows most of the credit card numbers are owned by cardholders in the United States. [...] Internet records showed that the database was operated by a customer of Tencent, whose cloud services were used to host the database. TechCrunch contacted Tencent about its customer's database leaking credit card information, and the company responded quickly. The customer's database went offline a short time later.

Many of the stores leaking customers' information claim to operate out of Hong Kong and were set up in the past few weeks. Some of the websites include: spraygroundusa.com, ihuahebuy.com, igoodlinks.com, ibuysbuy.com, lichengshop.com, hzoushop.com, goldlyshop.com, haohangshop.com, twinklebubble.store, and spendidbuy.com.

Spam

Google To Stop Exempting Campaign Email From Automated Spam Detection (washingtonpost.com) 94

Google plans to discontinue a pilot program that allows political campaigns to evade its email spam filters, the latest round in the technology giant's tussle with the GOP over online fundraising. The Washington Post reports: The company will let the program sunset at the end of January instead of prolonging it, Google's lawyers said in a filing on Monday. The filing, in U.S. District Court for the Eastern District of California, asked the court to dismiss a complaint lodged by the Republican National Committee accusing Google of "throttling its email messages because of the RNC's political affiliation and views." "The RNC is wrong," Google argued in its motion. "Gmail's spam filtering policies apply equally to emails from all senders, whether they are politically affiliated or not." [...]

While rejecting the GOP's attacks, Google nonetheless bowed to them. The company asked the Federal Election Commission to greenlight the pilot program, available to all campaigns and political committees registered with the federal regulator. The company anticipated at the time that a trial run would last through January 2023. Thousands of public comments implored the FEC to advise against the program, which consumer advocates and other individuals said would overwhelm Gmail users with spam. Anne P. Mitchell, a lawyer and founder of an email certification service called Get to the Inbox, wrote that Google was "opening up the floodgates to their users' inboxes ... to assuage partisan disgruntlement."

The FEC gave its approval in August, with one Democrat joining the commission's three Republicans to clear the way for the initiative. Ultimately, more than 100 committees of both parties signed up for the program, said Google spokesman Jose Castaneda. The RNC was not one of them, as Google emphasized in its motion to dismiss in the federal case in California. "Ironically, the RNC could have participated in a pilot program leading up to the 2022 midterm elections that would have allowed its emails to avoid otherwise-applicable forms of spam detection," the filing stated. "Many other politically-affiliated entities chose to participate in that program, which was approved by the FEC. The RNC chose not to do so. Instead, it now seeks to blame Google based on a theory of political bias that is both illogical and contrary to the facts alleged in its own Complaint." [...] "Indeed, effective spam filtering is a key feature of Gmail, and one of the main reasons why Gmail is so popular," the filing stated.

Android

Android 14 Set To Block Certain Outdated Apps From Being Installed (9to5google.com) 35

To help reduce the potential for malware, Android 14 will begin fully blocking the installation of apps that target outdated versions of Android. 9to5Google reports: For years now, the guidelines for the Google Play Store have ensured that Android developers keep their apps updated to use the latest features and safety measures of the Android platform. Just this month, the guidelines were updated, requiring newly listed Play Store apps to target Android 12 at a minimum. Up to this point, these minimum API level requirements have only applied to apps that are intended for the Google Play Store. Should a developer wish to create an app for an older version, they can do so and simply ask their users to sideload the APK file manually. Similarly, if an Android app hasn't been updated since the guidelines changed, the Play Store will continue serving the app to those who have installed it once before.

According to a newly posted code change, Android 14 is set to make API requirements stricter, entirely blocking the installation of outdated apps. This change would block users from sideloading specific APK files and also block app stores from installing those same apps. Initially, Android 14 devices will only block apps that target especially old Android versions. Over time though, the plan is to increase the threshold to Android 6.0 (Marshmallow), with Google having a mechanism to "progressively ramp [it] up." That said, it will likely still be up to each device maker to decide the threshold for outdated apps or whether to enable it at all.
The report notes that it'll still be possible to install an outdated version of an app "through a command shell, by using a new flag."

Portables (Apple)

Perfectly Good MacBooks From 2020 Are Being Sold For Scrap Because of Activation Lock (vice.com) 222

2-year-old MacBooks with Apple's T2 security chip are being turned into parts because recyclers have no way to log in and factory reset the machines, reports Motherboard. "It's a boon for security and privacy and a plague on the second-hand market." From the report: "How many of you out there would like a 2-year-old M1 MacBook? Well, too bad, because your local recycler just took out all the Activation Locked logic boards and ground them into carcinogenic dust," John Bumstead, a MacBook refurbisher and owner of the RDKL INC repair store, said in a recent tweet. First introduced in 2018, the chip makes it impossible for anyone who isn't the original owner to log into the machine. "Like it has been for years with recyclers and millions of iPhones and iPads, it's pretty much game over with MacBooks now -- there's just nothing to do about it if a device is locked," Bumstead told Motherboard. "Even the jailbreakers/bypassers don't have a solution, and they probably won't because Apple proprietary chips are so relatively formidable." When Apple released its own silicon with the M1, it integrated the features of the T2 into those computers.

"The functionality of T2 is built into Apple silicon, so it's the same situation. But whereas T2 with activation lock is basically impossible to overcome, bypass developers are finding the m1/m2 chips with activation lock even more difficult," Bumstead said. "Many bypassers have claimed solutions to T2 macs (I have not tried or confirmed they work... I am skeptical) but they admit they have had no success with M1. Regardless, a bypassed Mac is a hacked machine, which reverts to the lock if wiped and reset, so it is not ethical to sell bypassed macs in the retail environment."

Responsible recyclers and refurbishers wipe the data from used devices before selling them on. In these cases, the data is wiped, but the machines cannot be assigned to a new user, making them effectively worthless. Instead of finding these machines a second home, Bumstead and others are dismantling them and selling the parts. These computers often end up at recycling centers after corporations go out of business or buy all new machines. [...] Motherboard first reported on this problem in 2020, but Bumstead said it's gotten worse recently. "Now we're seeing quantity come through because companies with internal 3-year product cycles are starting to dump their 2018/2019s, and inevitably a lot of those are locked," he said.

"When we come upon a locked machine that was legally acquired, we should be able to log into our Apple account, enter the serial and any given information, then click a button and submit the machine to Apple for unlocking," Bumstead said. "Then Apple could explore its records, query the original owner if it wants, but then at the end of the day if there are no red flags and the original owner does not protest within 30 days, the device should be auto-unlocked."