Software quality issues may have cost the U.S. economy $2.41 trillion in 2022. From a report: This statistic is unearthed in Synopsys's 'The Cost of Poor Software Quality in the US: A 2022 Report.' The report's findings reflect that as of 2022, the cost of poor software quality in the U.S. -- which includes cyberattacks due to existing vulnerabilities, complex issues involving the software supply chain, and the growing impact of rapidly accumulating technical debt -- have led to a build-up of historic software deficiencies. Co-sponsored by Synopsys, the report was produced by the Consortium for Information & Software Quality (CISQ), an organization developing international standards to automate software quality measurement and promoting the development and maintenance of secure, reliable, and trustworthy software.

The report highlights several key areas of CPSQ growth, including:
Cybercrime losses due to a rising number of software vulnerabilities. Losses rose 64% from 2020 to 2021 and are on track for a further 42% increase from 2021 to 2022. The quantity and cost of cybercrime incidents have been on the rise for over a decade, and now account for a sum equivalent to the world's third-largest economy after the U.S. and China.
Software supply chain problems with underlying third-party components are up significantly. This year's report shows that the number of failures due to weaknesses in open-source software components accelerated by an alarming 650% from 2020 to 2021.
Technical debt has become the largest obstacle to making changes in existing code bases. Technical debt refers to software development rework costs from the accumulation of deficiencies leaving data and systems potentially vulnerable. This year's report illustrates that deficiencies aren't being resolved, leading technical debt to increase to approximately $1.52 trillion.

An anonymous reader shares a report: According to a recent IDC forecast, the PC and tablet markets are expected to shrink. Shipments for tablets and PCs will decline almost 12% in 2022, the research firm reported, and are expected to decline further in 2023. But excess inventory is already forcing suppliers to heavily discount products and shift from the premium segment to more mid-range products, the analysts said. On the other hand, the report states that tablet and PC shipments will continue to remain above pre-pandemic levels. But uncertain economic conditions will threaten inventory and increase market saturation next year.

"The reality is that both PC and tablet makers will struggle in the coming months as not only are volumes expected to decline, but so will average selling prices," Jitesh Ubrani, IDC's research manager for mobility and consumer device trackers, said in a release. In October of this year, IDC reported that tablet shipments were down 8.8%, signaling the fifth straight quarter of the tablet market's decline. This market contraction followed two years of massive growth, which can be mostly attributed to economic factors.

A little-known phone monitoring app called Xnspy has stolen data from tens of thousands of iPhones and Android devices, the majority whose owners are unaware that their data has been compromised. From a report: Xnspy is one of many so-called stalkerware apps sold under the guise of allowing a parent to monitor their child's activities, but are explicitly marketed for spying on a spouse or domestic partner's devices without their permission. Its website boasts, "to catch a cheating spouse, you need Xnspy on your side," and, "Xnspy makes reporting and data extraction simple for you."

Stalkerware apps, also known as spouseware, are surreptitiously planted by someone with physical access to a person's phone, bypassing the on-device security protections, and are designed to stay hidden from home screens, which makes them difficult to detect. Once installed, these apps will silently and continually upload the contents of a person's phone, including their call records, text messages, photos, browsing history and precise location data, allowing the person who planted the app near-complete access to their victim's data. But new findings show many stalkerware apps are riddled with security flaws and are exposing the data stolen from victims' phones. Xnspy is no different.

Microsoft's Chromium-based Edge browser was an improvement over the initial version of Edge in many ways, including its support for Windows 7 and Windows 8. But the end of the road is coming: Microsoft has announced that Edge will end support for Windows 7 and Windows 8 in mid-January of 2023, shortly after those operating systems stop getting regular security updates. From a report: Support will also end for Microsoft Edge Webview2, which can use Edge's rendering engine to embed webpages in non-Edge apps. The end-of-support date for Edge coincides with the end of security update support for both Windows 7 and Windows 8 on January 10, and the end of Google Chrome support for Windows 7 and 8 in version 110. Because the underlying Chromium engine in both Chrome and Edge is open source, Microsoft could continue supporting Edge in older Windows versions if it wanted, but the company is using both end-of-support dates to justify a clean break for Edge.

"Employees have gotten more — not less — engaged over the past three years since remote work became the norm for many knowledge workers," argues an assistant professor of management from the business school at the University of Texas at Austin. He'd teamed up with a software company providing analytics to large corporations to measure the number of spontaneously-happening individual remote meetings: Given the anecdotal evidence of workers recently disengaging or quiet quitting, we had originally predicted that one of the easiest ways to observe this effect would be a continual decrease in the number of times remote or hybrid coworkers were engaging — or meeting — with each other. However, we found quite the opposite.

To more deeply explore the nature of how remote collaboration is changing over time, we gathered metadata from all Zoom, Microsoft Teams, and Webex meetings (involving webcams on and/or off) from 10 large global organizations (seven of which are Fortune 500 firms) spanning a variety of fields, including technology, health care, energy, and financial services. Specifically, we compared six-week snapshots of raw meeting counts from April through mid-May in 2020 following the Covid-19 lockdowns, and the same set of six weeks in 2021 and 2022.... This dataset resulted in a total of more than 48 million meetings for more than half a million employees....

In 2020, 17% of meetings were one-on-one, but in 2022, 42% of meetings were one-on-one... In 2020, only 17% of one-on-one meetings were unscheduled, but in 2022, 66% of one-on-one meetings were unscheduled. Furthermore, the growth in one-on-one meetings between 2020 and 2022 was almost solely due to the increase in unscheduled meetings (whereas scheduled meetings remained relatively constant)... The combination of these findings presents an interesting picture: not that remote workers seem to be becoming less engaged, but rather — at least with respect to meetings — they are becoming more engaged with their colleagues.

This data also suggests that remote interactions are shifting to more closely mirror in-person interactions. Whereas there have been substantial concerns that employees are missing out on the casual and spontaneous rich interactions that happen in-person, these findings indicate that remote employees may be beginning to compensate for the loss of those interactions by increasingly having impromptu meetings remotely.

An anonymous reader quotes a report from Ars Technica: Following Google's beta rollout of the feature in October, passkeys are now hitting Chrome stable M108. "Passkey" is built on industry standards and backed by all the big platform vendors -- Google, Apple, Microsoft -- along with the FIDO Alliance. Google's latest blog says: "With the latest version of Chrome, we're enabling passkeys on Windows 11, macOS, and Android." The Google Password Manager on Android is ready to sync all your passkeys to the cloud, and if you can meet all the hardware requirements and find a supporting service, you can now sign-in to something with a passkey. [...]

Now that this is actually up and running on Chrome 108 and a supported OS, you should be able to see the passkey screen under the "autofill" section of the Chrome settings (or try pasting chrome://settings/passkeys into the address bar). Next up we'll need more websites and services to actually support using a passkey instead of a password to sign in. Google Account support would be a good first step -- right now you can use a passkey for two-factor authentication with Google, but you can't replace your password yet. Everyone's go-to example of passkeys is the passkeys.io demo site, which we have a walkthrough of here.

Robots may be the future, but robotic arms are apparently no good at using an old and steadfast form of technology: the barcode. Barcodes can be hard to find and might be affixed to oddly shaped products, Amazon said in a press release Friday, something robots can't troubleshoot very well. As a result, the company says it has a plan to kill the barcode. From a report: Using pictures of items in Amazon warehouses and training a computer model, the e-commerce giant has developed a camera system that can monitor items flowing one-by-one down conveyor belts to make sure they match their images. Eventually, Amazon's AI experts and roboticists want to combine the technology with robots that identify items while picking them up and turning them around.

"Solving this problem, so robots can pick up items and process them without needing to find and scan a barcode, is fundamental," said Nontas Antonakos, an applied science manager in Amazon's computer vision group in Berlin. "It will help us get packages to customers more quickly and accurately." The system, called multi-modal identification, isn't going to fully replace barcodes soon. It's currently in use in facilities in Barcelona, Spain, and Hamburg, Germany, according to Amazon. Still, the company says it's already speeding up the time it takes to process packages there. The technology will be shared across Amazon's businesses, so it's possible you could one day see a version of it at a Whole Foods or another Amazon-owned chain with in-person stores.

A US government probe into how many mobile phones belonging to diplomats and government workers have been infected with spyware could "easily run to the hundreds," according to a member of the House Intelligence Committee. From a report: Jim Himes, a Democrat representative from Connecticut, told Bloomberg News that the Biden administration is "just beginning to get an inkling of the magnitude of the problem." He predicted that the probe could find that spyware was used against "hundreds" of federal personnel in "multiple countries." Himes was a lead author of a September letter calling on the federal government to better protect US diplomats overseas from spyware and publicly detail instances of such abuse. He received a letter last month written jointly by the Departments of Commerce and State that confirmed commercial spyware has targeted US government personnel serving overseas.

"Spyware technology has sort of moved beyond our ability to ensure that the communications of our diplomats are protected, or even the locations and contacts and photographs of our diplomats are protected. And that's obviously a huge vulnerability," he said. The official confirmation follows a Reuters report from last year that the iPhones of at least nine State Department employees were hacked with spyware developed by Israel's NSO Group. The employees were either based in Uganda or focused on issues related to the country, according to the report.

An anonymous reader quotes a report from the Associated Press: The leading hospital in India's capital limped back to normalcy on Wednesday after a cyberattack crippled its operations for nearly two weeks. Online registration of patients resumed Tuesday after the hospital was able to access its server and recover lost data. The hospital worked with federal authorities to restore the system and strengthen its defenses. It's unclear who conducted the Nov. 23 attack on the All India Institute of Medical Sciences or where it originated.

The attack was followed by a series of failed attempts to hack India's top medical research organization, the Indian Council of Medical Research. This raised further concerns about the vulnerability of India's health system to attacks at a time when the government is pushing hospitals to digitize their records. More than 173,000 hospitals have registered with a federal program to digitize health records since its launch in September 2021. The program assigns patients numbers that are linked to medical information stored by hospitals on their own servers or in cloud-based storage. Experts fear that hospitals may not have the expertise to ensure digital security.

"Digitizing an entire health care system without really safeguarding it can pretty much kill an entire hospital. It suddenly stops functioning," said Srinivas Kodali, a researcher with the Free Software Movement of India. That is what happened to the hospital in New Delhi. Healthcare workers couldn't access patient reports because the servers that store laboratory data and patient records had been hacked and corrupted. The hospital normally treats thousands of people a day, many of whom travel from distant places to access affordable care. Always crowded, queues at the hospital grew even longer and more chaotic. Sandeep Kumar, who accompanied his ill father, said the digital attack meant that appointments couldn't be booked online, and that doctors could do little when they saw patients because they couldn't access their medical history.

Contestants hacked the Samsung Galaxy S22 again during the second day of the consumer-focused Pwn2Own 2022 competition in Toronto, Canada. They also demoed exploits targeting zero-day vulnerabilities in routers, printers, smart speakers, and Network Attached Storage (NAS) devices from HP, NETGEAR, Synology, Sonos, TP-Link, Canon, Lexmark, and Western Digital. BleepingComputer reports: Security researchers representing the vulnerability research company Interrupt Labs were the ones to demonstrate a successful exploit against Samsung's flagship device on Wednesday. They executed an improper input validation attack and earned $25,000, 50% of the total cash award, because this was the third time the Galaxy S22 was hacked during the competition.

On the first day of Pwn2Own Toronto, the STAR Labs team and a contestant known as Chim demoed two other zero-day exploits as part of successful improper input validation attacks against the Galaxy S22. In all three cases, according to the contest rules, the devices ran the latest version of the Android operating system with all available updates installed.

The second day of Pwn2Own Toronto wrapped up with Trend Micro's Zero Day Initiative awarding $281,500 for 17 unique bugs across multiple categories. This brings the first two days of Pwn2Own total to $681,250 awarded for 46 unique zero-days, as ZDI's Head of Threat Awareness Dustin Childs revealed. The full schedule for Pwn2Own Toronto 2022's second day and the results for each challenge are available here. You can also find the complete schedule of the competition here.

An anonymous reader quotes a report from MacRumors: Apple yesterday announced that end-to-end encryption is coming to even more sensitive types of iCloud data, including device backups, messages, photos, and more, meeting the longstanding demand of both users and privacy groups who have rallied for the company to take the significant step forward in user privacy. iCloud end-to-end encryption, or what Apple calls "Advanced Data Protection," encrypts users' data stored in iCloud, meaning only a trusted device can decrypt and read the data. iCloud data in accounts with Advanced Data Protection can only be read by a trusted device, not Apple, law enforcement, or government entities.

While privacy groups and apps applaud Apple for the expansion of end-to-end encryption in iCloud, governments have reacted differently. In a statement to The Washington Post, the FBI, the largest intelligence agency in the world, said it's "deeply concerned with the threat end-to-end and user-only-access encryption pose." Speaking generally about end-to-end encryption like Apple's Advanced Data Protection feature, the bureau said that it makes it harder for the agency to do its work and that it requests "lawful access by design": "This hinders our ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organized crime, and terrorism," the bureau said in an emailed statement. "In this age of cybersecurity and demands for 'security by design,' the FBI and law enforcement partners need 'lawful access by design.'"

Former FBI official Sasha O'Connell also weighed in, telling The New York Times "it's great to see companies prioritizing security, but we have to keep in mind that there are trade-offs, and one that is often not considered is the impact it has on decreasing law enforcement access to digital evidence."

Lukasz Siewierski, a member of Google's Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. From a report: The post is just a list of the keys, but running each one through APKMirror or Google's VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets. [...] Esper Senior Technical Editor Mishaal Rahman, as always, has been posting great info about this on Twitter. As he explains, having an app grab the same UID as the Android system isn't quite root access, but it's close and allows an app to break out of whatever limited sandboxing exists for system apps. These apps can directly communicate with (or, in the case of malware, spy on) other apps across your phone. Imagine a more evil version of Google Play Services, and you get the idea.

Google today announced two new performance settings in its Chrome browser: Memory Saver and Energy Saver. From a report: The Memory Saver mode promises to reduce Chrome's memory usage by up to 30% by putting inactive tabs to sleep. The tabs will simply reload when you need them again. The Energy Saver mode, meanwhile, limits background activity and visual effects for sites with animations and videos when your laptop's battery level drops below 20%.

WankerWeasel writes: Apple today introduced three advanced security features focused on protecting against threats to user data in the cloud, representing the next step in its ongoing effort to provide users with even stronger ways to protect their data. With iMessage Contact Key Verification, users can verify they are communicating only with whom they intend. With Security Keys for Apple ID, users have the choice to require a physical security key to sign in to their Apple ID account. And with Advanced Data Protection for iCloud, which uses end-to-end encryption to provide Apple's highest level of cloud data security, users have the choice to further protect important iCloud data, including iCloud Backup, Photos, Notes, and more.

An anonymous reader quotes a report from Insider: Deserted downtowns have been haunting US cities since the beginning of the pandemic. Before the pandemic, 95% of offices were occupied. Today that number is closer to 47%. Employees' not returning to downtown offices has had a domino effect: Less foot traffic, less public-transit use, and more shuttered businesses have caused many downtowns to feel more like ghost towns. Even 2 1/2 years later, most city downtowns aren't back to where they were prepandemic. [...] The increased cancellations of office leases have cratered the office real-estate market. A study led by Arpit Gupta, a professor of finance at New York University's Stern School of Business, characterized the value wipeout as an "apocalypse." It estimated that $453 billion in real-estate value would be lost across US cities, with a 17-percentage-point decline in lease revenue from January 2020 to May 2022. The shock to real-estate valuations has been sharp: One building in San Francisco's Mission District that sold for $397 million in 2019 is on the market for about $155 million, a 60% decline.

Other key indicators that economists use to measure the economic vitality of downtowns include office vacancy rates, public-transportation ridership, and local business spending. Across the country, public-transportation ridership remains stuck at about 70% of prepandemic levels. If only 56% of employees of financial firms in New York are in the office on a given day, the health of a city's urban core is negatively affected. The second-order effects of remote work and a real-estate apocalypse are still playing out, but it isn't looking good. Declines in real-estate valuations lead to lower property taxes, which affects the revenue collected to foot the bill of city budgets. Declines in foot traffic have deteriorated business corridors; a recent survey by the National League of Cities suggested cities expect at least a 2.5% decline in sales-tax receipts and a 4% decline in revenue for fiscal 2022. "The solution to the office-housing conundrum seems obvious: Turn commercial spaces like offices into housing. Empty offices can become apartments to ease housing pressure while also bringing more people back to downtown areas," reports Insider. "But after two years, few buildings have been converted." According to the report, it's being hampered by hard-to-justify construction costs and local housing rules.

"Overall, combating the death of downtowns requires a reworking of how we think about cities and the value they provide," the report says. "The urban author Jane Jacobs proclaimed in her famous 1958 article for Fortune magazine, 'Downtown Is for People,' that "'there is no logic that can be superimposed on the city; people make it, and it is to them, not buildings, that we must fit our plans.'"

"The economic health of cities is intrinsically linked to how space is used or unused, and right now downtowns are undergoing a massive shift. Despite the sluggish movement, it's in cities' best interest to figure out how to quickly convert office-centric downtowns into something more suitable for everyone."

Google's search results on desktop will load in a continuous scroll instead of dividing into pages, the company has announced. From a report: The move follows a similar change made on mobile in October last year, but isn't quite an "infinite" scroll. Instead, Google will load six pages of results into a single scroll before offering users a "See more" button to show more results. Google says the change is rolling out first for English searches in the US, but judging by the rollout of the feature on mobile it seems safe to expect to see additional markets and languages added over time.

Competitive Excel clearly is not the NFL, but it does have the beginnings of a fan base. From a report: This was just the second year of the World Championship, but it's already streaming on ESPN3. This year's edition has 30,000 views on YouTube. Supporters of Michael Jarman, the No. 3 seed in this year's competition, call themselves the "Jarmy Army." A few months ago, an all-star game of sorts aired on ESPN2, and this month, ESPNU will televise the collegiate championship. The tournament begins with a 128-player field and proceeds March Madness -- style, in one-on-one, single-elimination contests. The format lends itself to frequent upsets: This year, the No. 2 seed was eliminated in the third round. In each match, players work as fast as possible -- they're generally given about 30 minutes -- to answer a series of progressively more difficult questions testing both their puzzle-solving skills and their fluency with Excel.

The questions all revolve around the same scenario. In the quarterfinal, for example, the questions all had to do with a fictional country transitioning from dictatorship to democracy. The first and easiest question asked players to calculate how many votes were cast for the purple party. The championship case, which was far more difficult, centered on a 100x100 chessboard. This year's total prize money was $10,000. Naturally, a large proportion of Excel competitors work in Excel-heavy jobs; the field included plenty of finance bros, data analysts, mathematicians, actuaries, and engineers. All but one of the eight finalists had over the course of their lives spent thousands of hours working in Excel (the other is a Google Sheets guy), and half of them had spent more than 10,000. The tournament is not particularly diverse. Of the eight finalists, Deaton was the only woman. In the field of 128, she told me, she counted no more than a dozen, which didn't surprise her, given how heavily male the relevant occupations skew.

An anonymous reader shares a report: KmsdBot, a cryptomining botnet that could also be used for denial-of-service (DDOS) attacks, broke into systems through weak secure shell credentials. It could remotely control a system, it was hard to reverse-engineer, didn't stay persistent, and could target multiple architectures. KmsdBot was a complex malware with no easy fix. That was the case until researchers at Akamai Security Research witnessed a novel solution: forgetting to put a space between an IP address and a port in a command. And it came from whoever was controlling the botnet.

With no error-checking built in, sending KmsdBot a malformed command -- like its controllers did one day while Akamai was watching -- created a panic crash with an "index out of range" error. Because there's no persistence, the bot stays down, and malicious agents would need to reinfect a machine and rebuild the bot's functions. It is, as Akamai notes, "a nice story" and "a strong example of the fickle nature of technology." KmsdBot is an intriguing modern malware. It's written in Golang, partly because Golang is difficult to reverse-engineer. When Akamai's honeypot caught the malware, it defaulted to targeting a company that created private Grand Theft Auto Online servers. It has a cryptomining ability, though it was latent while the DDOS activity was running. At times, it wanted to attack other security companies or luxury car brands.

An anonymous reader quotes a report from KrebsOnSecurity: In December 2021, Google filed a civil lawsuit against two Russian men thought to be responsible for operating Glupteba, one of the Internet's largest and oldest botnets. The defendants, who initially pursued a strategy of counter suing Google for tortious interference in their sprawling cybercrime business, later brazenly offered to dismantle the botnet in exchange for payment from Google. The judge in the case was not amused, found for the plaintiff, and ordered the defendants and their U.S. attorney to pay Google's legal fees. The lawyer for the defendants, New York-based cybercrime defense attorney Igor Litvak, filed a motion to reconsider (PDF), asking the court to vacate the sanctions against him. He said his goal is to get the case back into court. "The judge was completely wrong to issue sanctions," Litvak told KrebsOnSecurity. "From the beginning of the case, she acted as if she needed to protect Google from something. If the court does not decide to vacate the sanctions, we will have to go to the Second Circuit (Court of Appeals) and get justice there."

Meanwhile, Google said the court's decision will have significant ramifications for online crime, adding that it's observed a 78 percent reduction in the number of hosts infected by Glupteba since its technical and legal attacks on the botnet last year.

"While Glupteba operators have resumed activity on some non-Google platforms and IoT devices, shining a legal spotlight on the group makes it less appealing for other criminal operations to work with them," reads a blog post from Google's General Counsel Halimah DeLaine Prado and vice president of engineering Royal Hansen. "And the steps [Google] took last year to disrupt their operations have already had significant impact."

Microsoft has released an out-of-band update to nudge laggards toward Windows 11 amid a migration pace that company executives would undoubtedly prefer is rather faster. From a report: The software giant is offering an option of upgrading to Windows 11 as an out of box experience to its Windows 10 22H2 installed base, the main aim being to smooth their path forward to the latest operating system. "On November 30, 2022, an out-of-band update was released to improve the Windows 10, version 2004, 20H2, 21H1, 21H2, and 22H2 out-of-box experience (OOBE). It provides eligible devices with the option to upgrade to Windows 11 as part of the OOBE process. This update will be available only when an OOBE update is installed."

The update, KB5020683, applies only to Windows 10 Home and Professional versions 2004, 20H2, 21H1, 22H2. There are some pre-requisites that Microsoft has listed here before users can make the move to Windows 11. The operating system was released on October 5 last year but shifting stubborn consumers onto this software has proved challenging for top brass at Microsoft HQ in Redmond. According to Statcounter, a web analytics service that has tracking code installed on 1.5 million websites and records a page view for each, some 16.12 percent of Windows users had installed Windows 11 in November, higher than the 15.44 percent in the prior month, but likely still not close to the figures that Microsoft was hoping for.