Portables (Apple)

Perfectly Good MacBooks From 2020 Are Being Sold For Scrap Because of Activation Lock (vice.com) 222

2-year-old MacBooks with Apple's T2 security chip are being turned into parts because recyclers have no way to log in and factory reset the machines, reports Motherboard. "It's a boon for security and privacy and a plague on the secondhand market." From the report: "How many of you out there would like a 2-year-old M1 MacBook? Well, too bad, because your local recycler just took out all the Activation Locked logic boards and ground them into carcinogenic dust," John Bumstead, a MacBook refurbisher and owner of the RDKL INC repair store, said in a recent tweet. First introduced in 2018, the laptop makes it impossible for anyone who isn't the original owner to log into the machine. "Like it has been for years with recyclers and millions of iPhones and iPads, it's pretty much game over with MacBooks now -- there's just nothing to do about it if a device is locked," Bumstead told Motherboard. "Even the jailbreakers/bypassers don't have a solution, and they probably won't because Apple proprietary chips are so relatively formidable." When Apple released its own silicon with the M1, it integrated the features of the T2 into those computers.

"The functionality of T2 is built into Apple silicon, so it's the same situation. But whereas T2 with activation lock is basically impossible to overcome, bypass developers are finding the m1/m2 chips with activation lock even more difficult," Bumstead said. "Many bypassers have claimed solutions to T2 macs (I have not tried or confirmed they work... I am skeptical) but they admit they have had no success with M1. Regardless, a bypassed Mac is a hacked machine, which reverts to the lock if wiped and reset, so it is not ethical to sell bypassed macs in the retail environment."

Responsible recyclers and refurbishers wipe the data from used devices before selling them on. In these cases, the data is wiped, but cannot be assigned to a new user, making them effectively worthless. Instead of finding these machines a second home, Bumstead and others are dismantling them and selling the parts. These computers often end up at recycling centers after corporations go out of business or buy all new machines. [...] Motherboard first reported on this problem in 2020, but Bumstead said it's gotten worse recently. "Now we're seeing quantity come through because companies with internal 3-year product cycles are starting to dump their 2018/2019s, and inevitably a lot of those are locked," he said.

"When we come upon a locked machine that was legally acquired, we should be able to log into our Apple account, enter the serial and any given information, then click a button and submit the machine to Apple for unlocking," Bumstead said. "Then Apple could explore its records, query the original owner if it wants, but then at the end of the day if there are no red flags and the original owner does not protest within 30 days, the device should be auto-unlocked."

The Military

Playing Military Sim War Thunder May Get You Classed As a National Security Risk (pcmag.com) 27

Playing the military simulation War Thunder is now reportedly considered an official risk on background checks. PCMag reports: As GamesRadar reports, a user going by the name Add Fiat 6616 Pls posted on the War Thunder subreddit earlier this week explaining how a friend of his had applied for a job at aerospace and defense conglomerate Raytheon Technologies. As part of the security clearance process, a private investigator is used to contact the candidate's "witnesses," which is shorthand for their friends. Add Fiat 6616 Pls was one of those friends and therefore received a call to answer a range of questions in an attempt to discover if the candidate's lifestyle raised any red flags. One of those questions was: "Does he play War Thunder?"

The question makes sense as part of a security check and national security assessment after you realize how much classified information has leaked via the game over the past few years. War Thunder is a free-to-play vehicular combat online multiplayer game developed by Russian game developer Gaijin Entertainment (which relocated to Budapest in 2015). Since 2021, there have been six incidents of restricted or classified documents being leaked during discussions about the accuracy of the vehicles used in the game.

iPhone

Apple Gives Some Older iPhones OS Updates, Going Back To iPhone 5S (appleinsider.com) 45

Apple has provided iOS 12.5.7, macOS 11.7.3, and other updates for older devices that can't be updated to the latest releases. AppleInsider reports: The new updates are for users still using older devices and operating systems and address similar bugs and security patches available in the recent iOS 16.3 and macOS Ventura releases. The security patch notes list at least 14 different systems affected by security issues that have been patched. The new update versions are: iOS 12.5.7, iOS 15.7.3, iPadOS 15.7.3, macOS Big Sur 11.7.3, and macOS Monterey 12.6.3.

Users may note the skipped iOS versions between iOS 12 and iOS 15. Those are due to where devices were cut off from updating. Every device that could run iOS 13 could run iOS 15, so Apple doesn't update every version. The oldest device supported by iOS 12.5.7, for example, is the iPhone 5s, which was released in September 2013. The oldest Macs supported by macOS Big Sur are the 2013 MacBook Air, Mac Pro, and MacBook Pro. Anyone capable of updating these new updates to the older operating systems should do so as soon as possible. The update addresses known security issues that could put the user at risk.

IT

GPU Cooler Tested With Ketchup, Potatoes, and Cheese as Thermal Paste 35

Tom's Hardware: Finding the best TIM can be a tricky endeavor, but some people are more adventurous than others. Case in point: An enthusiast recently broadened his GPU thermal paste search to include several interesting substances ranging from regular thermal paste to thermal pads, cheese, ketchup, toothpaste, diaper rash ointment, and even potatoes. The user originally set out to test different types of thermal pads but decided to expand into other substances, making for an interesting and entertaining study in GPU cooling with some substances that are definitely not safe for long-term use. The test system used a Radeon R7 240 with a 30W TDP, with temperature readings from a five-minute run of Furmark. As such, these tests aren't a great indicator of the long-term feasibility of using a potato to cool your chip, so here's a statement of the obvious: Don't try this at home. The user shared a spreadsheet showing the findings, including 22 different tested thermal "paste" materials. The list includes several standard thermal pads of different sizes, including Arctic TP2 0.5mm, 1mm, 1.5mm, Arctic TP3 1mm, 1.5mm, EC360 Blue 0.5mm, EC360 Gold 1mm, 0.5mm EKWB, and Thermal Grizzly Minus 8 thermal pads.

Several items caused the GPU to engage its thermal throttling mechanism due to overheating as the GPU hit its maximum temperature of 105C, including the sliced cheese and potato slices. Some thermal pads also didn't fare well, with throttling occurring with the EC360 Blue 0.5mm thermal pad, 0.5mm EKWB pad, Arctic TP2 1mm pad, Arctic TP2 1.5mm pad, Thermal Grizzly Minus 8 1.5mm pad copper tape. The double-sided aluminum adhesive pad was the worst offender of them all -- it caused the system to shut down. The Pentaten Creme (for diaper rashes) and copper paste were also problematic. However, the rest of the thermal applications were functional and did not cause the GPU to thermal throttle. This includes the 0.5mm Arctic TP2 thermal pad, 1mm Alphacool Apex thermal pad, Arctic TP3 1mm thermal pad, 1mm EC360 Gold thermal pad, and 1.5mm Arctic TP3 thermal pad. All of these thermal pads kept the GPU anywhere between 61C and 79C. The various different kinds of toothpaste did decently well, too, with the Amasan T12 coming out on top at 63C, Silber Wl.paste at 65C, and the plain no-named toothpaste being the worst, hitting 90C. Surprisingly, the Ketchup did exceptionally well, keeping the GPU at 71C.

Security

GoTo Says Hackers Stole Customers' Backups and Encryption Key (bleepingcomputer.com) 27

GoTo (formerly LogMeIn) is warning customers that threat actors who breached its development environment in November 2022 stole encrypted backups containing customer information and an encryption key for a portion of that data. From a report: GoTo provides a platform for cloud-based remote working, collaboration, and communication, as well as remote IT management and technical support solutions. In November 2022, the company disclosed a security breach on its development environment and a cloud storage service used by both them and its affiliate, LastPass. At the time, the impact on the client data had yet to become known as the company's investigation into the incident with the help of cybersecurity firm Mandiant had just begun.

The internal investigation so far has revealed that the incident had a significant impact on GoTo's customers. According to a GoTo security incident notification a reader shared with BleepingComputer, the attack affected backups relating to the Central and Pro product tiers stored in a third-party cloud storage facility. "Our investigation to date has determined that a threat actor exfiltrated encrypted backups related to Central and Pro from a third-party cloud storage facility," reads the notice to customers.

IOS

iOS 16.3 and macOS Ventura 13.2 Add Hardware Security Key Support 17

Apple released iOS and iPadOS 16.3, macOS Ventura 13.2, and watchOS 9.3 today. The updates focus primarily on bug fixes and under-the-hood improvements, but there is one notable addition: Apple ID got support for hardware security keys. From a report: Once they've updated to the new software, a user can opt to make a device like a YubiKey a required part of the two-factor authentication process for their account. It's unlikely most users will take advantage of this, of course, but for a select few, the extra security is welcome. Other additions in iOS 16.3 include support for the upcoming new HomePod model, a tweak to how Emergency SOS calls are made, and a new Black History Month wallpaper. On the Mac side, hardware security key support is joined by the rollout of Rapid Security Response, a means for urgent security updates to be delivered to Macs without issuing a major software update. The watchOS update is oriented around bug fixes.

Security

925,000 Norton LifeLock Accounts Targeted by Credential-Stuffing Attack (cnet.com) 44

"Thousands of people who use Norton password manager began receiving emailed notices this month alerting them that an unauthorized party may have gained access to their personal information," reports CNET, "along with the passwords they have stored in their vaults.

"Gen Digital, Norton's parent company, said the security incident was the result of a credential-stuffing attack rather than an actual breach of the company's internal systems." Gen's portfolio of cybersecurity services has a combined user base of 500 million users — of which about 925,000 active and inactive users, including approximately 8,000 password manager users, may have been targeted in the attack, a Gen spokesperson told CNET via email....

Norton's intrusion detection systems detected an unusual number of failed login attempts on Dec. 12, the company said in its notice. On further investigation, around Dec. 22, Norton was able to determine that the attack began around Dec. 1. "Norton promptly notified both regulators and customers as soon as the team was able to confirm that data was accessed in the attack," Gen's spokesperson said.

Personal data that may have been compromised includes Norton users' full names, phone numbers and mailing addresses. Norton also said it "cannot rule out" that password manager vault data including users' usernames and passwords were compromised in the attack....

Norton is also offering access to credit monitoring services for affected users, according to its letter to customers.

Government

Can Cities Transform 'Dead Downtowns' by Converting Offices Into Apartments? (washingtonpost.com) 220

The Washington Post's editorial board recently commented on the problem of America's "dead downtowns. Tourists are back, but office workers are still missing in action.... [R]estaurants, coffee hangouts, stores and transit systems cannot sustain themselves without more people in center cities...."

The problem? America "is in the midst of one of the biggest workforce shifts in generations: Many now have experienced what it is like to work from home and have discovered they prefer it."

Their proposed solution? The Post's editorial board is urging cities to adapt to the new reality of workers wanting to work two or three days remotely in part by converting commercial offices to apartments and entertainment venues. The goal is a "24/7" downtown with ample work spaces, apartments, parks and entertainment venues that draw people in during the day and have a core of residents who keep the area vibrant after commuters go home.... Office use isn't going back to pre-pandemic levels. Even Texas cities that did not shut down during the worst of the pandemic are 20 to 30 percent below 2019 office occupancy. New York, Los Angeles and D.C. are still down more than 40 percent. This is a classic oversupply problem. Cities have too much office space, especially in the older buildings that companies are fleeing as they seek out new construction with more light and flexible space.

Mayors and city lawmakers have reason to be bold in seizing this opportunity. There's growing interest among developers and investors who want to be a part of the office-to-apartment revolution. They are already eyeing the easiest buildings to convert: The ones with elevators in the middle, windows and light on all sides, and the right length and width. The challenge for city leaders is to generate interest in the buildings that are "maybe" candidates for conversion.

The Post's suggestions include announcing targets for new residents living downtown, and speeding up city approvals like permitting and rezoning. "America's cities are ripe for new skylines and fresh streetscapes. The best leaders will get going soon."

Apple

Apple Agrees to Audit of Its Labor Practices After Pressure from Investors (nytimes.com) 22

The New York Times reports: Apple will conduct an assessment of its U.S. labor practices under an agreement with a coalition of investors that includes five New York City pension funds. The assessment will focus on whether Apple is complying with its official human rights policy as it relates to "workers' freedom of association and collective bargaining rights in the United States," the company said in a filing last week with the Securities and Exchange Commission.

The audit comes amid complaints by federal regulators and employees that the company has repeatedly violated workers' labor rights as they have sought to unionize over the past year. Apple has denied the accusations. "There's a big apparent gap between Apple's stated human rights policies regarding worker organizing, and its practices," said Brad Lander, the New York City comptroller, who helped initiate the discussion with Apple on behalf of the city's public worker pension funds....

The investor coalition that pushed for the labor assessment argues that Apple's response to the union campaigns is at odds with its human rights policy because that policy commits it to respect the International Labor Organization's Declaration on Fundamental Principles and Rights at Work, which includes "freedom of association and the effective recognition of the right to collective bargaining."

"Apple offered few details, saying that it would conduct the assessment by the end of the year and that it would publish a report related to the assessment."

Security

PayPal Accounts Breached in Large-Scale Credential Stuffing Attack (bleepingcomputer.com) 34

PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data. From a report: Credential stuffing is an attack where hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites. This type of attack relies on an automated approach with bots running lists of credentials to "stuff" into login portals for various services. Credential stuffing targets users that employ the same password for multiple online accounts, which is known as "password recycling."

PayPal explains that the credential stuffing attack occurred between December 6 and December 8, 2022. The company detected and mitigated it at the time but also started an internal investigation to find out how the hackers obtained access to the accounts. By December 20, 2022, PayPal concluded its investigation, confirming that unauthorized third parties logged into the accounts with valid credentials. The electronic payments platform claims that this was not due to a breach on its systems and has no evidence that the user credentials were obtained directly from them. According to the data breach reporting from PayPal, 34,942 of its users have been impacted by the incident. During the two days, hackers had access to account holders' full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers.

Security

T-Mobile Suffers Another Data Breach, Affecting 37 Million Accounts (cnet.com) 30

The nation's second-largest wireless carrier on Thursday disclosed that a "bad actor" took advantage of one of its application programming interfaces to gain data on "approximately 37 million current postpaid and prepaid customer accounts." CNET reports: In an 8K filing with the US Securities and Exchange Commission, the carrier says that it was able to trace and stop the "malicious activity" within a day of learning about it. T-Mobile also says that the API that was used does not allow for access to "any customer payment card information, Social Security numbers/tax IDs, driver's license or other government ID numbers, passwords/PINs or other financial account information." According to the filing, the carrier believes that the breach first occurred "on or around" Nov. 25, 2022. The carrier didn't learn that a "bad actor" was getting data from its systems until Jan. 5.

The company's API, however, did reveal other user information, including names, billing addresses, email addresses, phone numbers and birth dates of its customers, their T-Mobile account numbers, and information on which plan features they have with the carrier and the number of lines on their accounts. The company said in the SEC filing that it has "begun notifying customers whose information may have been obtained by the bad actor in accordance with applicable state and federal requirements."

In 2021, T-Mobile suffered a data breach that exposed data of roughly 76.6 million people. "T-Mobile agreed to a $500 million settlement in the case in July, with $350 million going to settle customer claims from a class action lawsuit and $150 million going to upgrade its data protection system," adds CNET.

Security

Fewer Companies Are Paying Ransoms To Hackers, Researchers Say (bloomberg.com) 23

Fewer companies that are infected with ransomware are coughing up extortion payments demanded by hackers, according to new research from Chainalysis. From a report: In findings published on Thursday, the blockchain forensics firm estimated that ransom payments -- which are almost always paid in cryptocurrency -- fell to $456.8 million in 2022 from $765.6 million in 2021, a 40% drop. "That doesn't mean attacks are down, or at least not as much as the drastic dropoff in payments would suggest," according to the report. "Instead, we believe that much of the decline is due to victim organizations increasingly refusing to pay ransomware attackers." Chainalysis also said the actual totals could be much higher, as there are cryptocurrency addresses controlled by ransomware attackers that its researchers haven't yet identified.

Encryption

iOS 16.3 Expands Advanced Data Protection Option For iCloud Encryption Globally (macrumors.com) 17

Apple today announced that Advanced Data Protection is expanding beyond the United States. MacRumors reports: Starting with iOS 16.3, the security feature will be available globally, giving users the option to enable end-to-end encryption for many additional iCloud data categories, including Photos, Notes, Voice Memos, Messages backups, device backups, and more. iOS 16.3 is currently in beta and expected to be released to the public next week.

By default, Apple stores encryption keys for some iCloud data types on its servers to ensure that users can recover their data if they lose access to their Apple ID account. If a user enables Advanced Data Protection, the encryption keys are deleted from Apple's servers and stored on a user's devices only, preventing Apple, law enforcement, or anyone else from accessing the data, even if iCloud servers were to be breached.

iCloud already provides end-to-end encryption for 14 data categories without Advanced Data Protection turned on, including Messages (excluding backups), passwords stored in iCloud Keychain, Health data, Apple Maps search history, Apple Card transactions, and more. Advanced Data Protection expands this protection to the vast majority of iCloud categories, with major exceptions including the Mail, Contacts, and Calendar apps.

For more information, you can read Apple's Advanced Data Protection support document.

Security

Mailchimp Says It Was Hacked - Again (techcrunch.com) 11

Email marketing and newsletter giant Mailchimp says it was hacked and that dozens of customers' data was exposed. From a report: It's the second time the company was hacked in the past six months. Worse, this breach appears to be almost identical to a previous incident. Mailchimp said in an unattributed blog post that its security team detected an intruder on January 11 accessing one of its internal tools used by Mailchimp customer support and account administration, though the company did not say for how long the intruder was in its systems, if known. Mailchimp said the hacker targeted its employees and contractors with a social engineering attack. The hacker then used those compromised employee passwords to gain access to data on 133 Mailchimp accounts, which the company notified of the intrusion. One of those targeted accounts belongs to e-commerce giant WooCommerce. In a note to customers, WooCommerce said it was notified by Mailchimp a day later that the breach may have exposed the names, store web addresses and email addresses of its customers, though it said no customer passwords or other sensitive data was taken.

Security

More Than 4,400 Sophos Firewall Servers Remain Vulnerable To Critical Exploits (arstechnica.com) 9

More than 4,400 Internet-exposed servers are running versions of the Sophos Firewall that are vulnerable to a critical exploit that allows hackers to execute malicious code, a researcher has warned. From a report: CVE-2022-3236 is a code-injection vulnerability allowing remote code execution in the User Portal and Webadmin of Sophos Firewalls. It carries a severity rating of 9.8 out of 10. When Sophos disclosed the vulnerability last September, the company warned it had been exploited in the wild as a zero-day. The security company urged customers to install a hotfix and, later on, a full-blown patch to prevent infection.

According to recently published research, more than 4,400 servers running the Sophos firewall remain vulnerable. That accounts for about 6 percent of all Sophos firewalls, security firm VulnCheck said, citing figures from a search on Shodan. "More than 99% of Internet-facing Sophos Firewalls haven't upgraded to versions containing the official fix for CVE-2022-3236," VulnCheck researcher Jacob Baines wrote. "But around 93% are running versions that are eligible for a hotfix, and the default behavior for the firewall is to automatically download and apply hotfixes (unless disabled by an administrator). It's likely that almost all servers eligible for a hotfix received one, although mistakes do happen. That still leaves more than 4,000 firewalls (or about 6% of Internet-facing Sophos Firewalls) running versions that didn't receive a hotfix and are therefore vulnerable."

Microsoft

Microsoft To Cut Thousands of Jobs Across Divisions (reuters.com) 31

Microsoft plans to cut thousands of jobs with some roles expected to be eliminated in human resources and engineering divisions, according to media reports on Tuesday. From a report: The expected layoffs would be the latest in the U.S. technology sector, where companies including Amazon.com and Meta have announced retrenchment exercises in response to slowing demand and a worsening global economic outlook. Microsoft's move could indicate that the tech sector may continue to shed jobs.

"From a big picture perspective, another pending round of layoffs at Microsoft suggests the environment is not improving, and likely continues to worsen," Morningstar analyst Dan Romanoff said. U.K. broadcaster Sky News reported, citing sources, that Microsoft plans to cut about 5% of its workforce, or about 11,000 roles.

Security

MSI Accidentally Breaks Secure Boot for Hundreds of Motherboards 59

Over 290 MSI motherboards are reportedly affected by an insecure default UEFI Secure Boot setting that allows any operating system image to run regardless of whether it has a wrong or missing signature. From a report: This discovery comes from a Polish security researcher named Dawid Potocki, who claims that he did not receive a response despite his efforts to contact MSI and inform them about the issue. The issue, according to Potocki, impacts many Intel and AMD-based MSI motherboards that use a recent firmware version, affecting even brand-new MSI motherboard models.

Encryption

CircleCI Says Hackers Stole Encryption Keys and Customers' Secrets (techcrunch.com) 23

Last month, CircleCI urged users to rotate their secrets following a breach of the company's systems. The company confirmed in a blog post on Friday that some customers' data was stolen in the breach. While the customer data was encrypted, cybercriminals obtained the encryption keys able to decrypt the data. TechCrunch reports: The company said in a detailed blog post on Friday that it identified the intruder's initial point of access as an employee's laptop that was compromised with malware, allowing the theft of session tokens used to keep the employee logged in to certain applications, even though their access was protected with two-factor authentication. The company took the blame for the compromise, calling it a "systems failure," adding that its antivirus software failed to detect the token-stealing malware on the employee's laptop. Session tokens allow a user to stay logged in without having to keep re-entering their password or re-authorizing using two-factor authentication each time. But a stolen session token allows an intruder to gain the same access as the account holder without needing their password or two-factor code. As such, it can be difficult to differentiate between a session token of the account owner, or a hacker who stole the token.

CircleCI said the theft of the session token allowed the cybercriminals to impersonate the employee and gain access to some of the company's production systems, which store customer data. "Because the targeted employee had privileges to generate production access tokens as part of the employee's regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys," said Rob Zuber, the company's chief technology officer. Zuber said the intruders had access from December 16 through January 4.

Zuber said that while customer data was encrypted, the cybercriminals also obtained the encryption keys able to decrypt customer data. "We encourage customers who have yet to take action to do so in order to prevent unauthorized access to third-party systems and stores," Zuber added. Several customers have already informed CircleCI of unauthorized access to their systems, Zuber said. Zuber said that CircleCI employees who retain access to production systems "have added additional step-up authentication steps and controls," which should prevent a repeat-incident, likely by way of using hardware security keys.

Communications

Russian Strikes Sap Ukraine Mobile Network of Vital Power (wsj.com) 139

Russia's attacks on Ukraine's electrical grid are straining the war-torn country's mobile-telephone network, leading to a global hunt for batteries and other equipment critical for keeping the communications system working. From a report: Ukraine's power outages aren't just putting out the lights. The electricity shortages also affect water supplies, heating systems, manufacturing and the cellular-telephone and internet network, a vital communications link in a nation where fixed-line telephones are uncommon. Consumers can charge their cellphones at cafes or gas stations with generators, but the phones have to communicate with base stations whose antennas and switching equipment need large amounts of power. With rolling blackouts now a regular feature of life in Ukraine, the internet providers are relying on batteries to keep the network going.

The stakes are high, since Ukrainian officials are using positive news of the war, speeches by President Volodymyr Zelensky and videos distributed by cellphone to maintain popular support for fighting Russia. First responders and evacuees rely on the mobile network, and a long-term loss of communications in major cities would compound the existing problems of electrical, heating and water outages, the companies say. Labor shortages have exacerbated the mobile-network issues as many Ukrainians have been displaced by the war or gone to the front to fight. In December, the chief executive of Ukraine's Lifecell mobile operator, Ismet Yazici, went into the field himself to wheel in a generator and restore backup power at a cell tower, according to the company. But the biggest problem is power equipment.

Games

Videogame Studio Called 'Proletariat' Declines to Recognize Union (msn.com) 59

An anonymous reader shares a report from the Washington Post: Staff at Activision Blizzard-owned video game studio Proletariat — whose name is a term for the working class — announced their intention to form a union in December of last year. "Well, what'd you expect?" the Proletariat Workers Alliance wrote on Twitter at the time. Earlier this week, however, Proletariat leadership shared an update: Instead of voluntarily recognizing the union, it will conduct an anonymous vote through the National Labor Relations Board.

Proletariat owner Activision Blizzard has been accused of employing union-busting tactics in its negotiations with two other subsidiaries that have voted to unionize, Raven Software and Blizzard Albany.