Security

Academic Journal Claims It Fingerprints PDFs For 'Ransomware,' Not Surveillance (vice.com) 70

An anonymous reader quotes a report from Motherboard: One of the world's largest publishers of academic papers said it adds a unique fingerprint to every PDF users download in an attempt to prevent ransomware, not to prevent piracy. Elsevier defended the practice after an independent researcher discovered the existence of the unique fingerprints and shared their findings on Twitter last week. "The identifier in the PDF helps to prevent cybersecurity risks to our systems and to those of our customers -- there is no metadata, PII [Personal Identifying Information] or personal data captured by these," an Elsevier spokesperson said in an email to Motherboard. "Fingerprinting in PDFs allows us to identify potential sources of threats so we can inform our customers for them to act upon. This approach is commonly used across the academic publishing industry."

When asked what risks he was referring to, the spokesperson sent a list of links to news articles about ransomware. However, Elsevier has a long history of pursuing people who pirate or share its paywalled academic articles. [...] It's unclear exactly how fingerprinting every PDF downloaded could actually prevent ransomware. Jonny Saunders, a neuroscience PhD candidate at University of Oregon, who discovered the practice, said he believes Elsevier is trying to surveil its users and prevent people from sharing research without paying the company.
"The subtext there is pretty loud to me," Saunders told Motherboard in an online chat. "Those breaches/ransoms are really a pretext for saying 'universities need to lock down accounts so people can't skim PDFs. When you have stuff that you don't want other people to give away for free, you want some way of finding out who is giving it away, right?"

"Saying that the unique identifiers *themselves* don't contain PII is a semantic dodge: the way identifiers like these work is to be able to match them later with other identifying information stored at the time of download like browser fingerprint, institutional credentials, etc," Saunders added. "Justifying them as a tool to protect against ransomware is a straightforward admission that these codes are intended to identify the downloader: how would they help if not by identifying the compromised account or system?"
Intel

Intel Fails To Get Spectre, Meltdown Chip Flaw Class-action Suit Tossed Out (theregister.com) 32

"Intel will have to defend itself against claims that the semiconductor goliath knew its microprocessors were defective and failed to tell customers," reports the Register: On Wednesday, Judge Michael Simon, of the US District Court of Oregon, partially denied the tech giant's motion to dismiss a class-action lawsuit arising from the 2018 public disclosure of Meltdown and Spectre, the family of data-leaking chip microarchitecture design blunders....

To defend against Meltdown and Spectre, Intel and other affected vendors have had to add software and hardware mitigations that for some workloads make patched processors mildly to significantly slower. The disclosure of related flaws has continued since that time, as researchers develop variations on the initial attacks and find other parts of chips that similarly expose privileged data. It is a problem that still is not entirely solved...

[L]awsuits have been consolidated into a multi-district proceeding known as "Intel Corp. CPU Marketing, Sales Practices and Products Liability Litigation" (3:18-md-02828-SI). And since 2018, Intel has been trying to get them to go away. Twice before the judge had dismissed the plaintiffs' complaint while allowing the plaintiffs to amend and refile their allegations. This third time, the judge only partially granted Intel's motion to toss the case. Judge Simon dismissed claims based on purchases up through August 2017 because Intel was unaware of the microarchitecture vulnerabilities up to that point. But he allowed seven claims, from September 2017 onward, to proceed, finding the plaintiffs' contention that Intel delayed disclosure of the flaws to maximize holiday season sales plausible enough to allow the case to move forward.

"Based on plaintiffs' allegations, it is not clear that Intel had a countervailing business interest other than profit for delaying disclosure for as long as it did (through the holiday season), for downplaying the negative effects of the mitigation, for suppressing the effects of the mitigation, and for continuing to embargo further security exploits that affect only Intel processors," the judge wrote in his order. [PDF]

AI

O'Reilly Reports Increasing Interest in Cybersecurity, AI, Go, Rust, and C++ (oreilly.com) 33

"Focus on the horse race and the flashy news and you'll miss the real stories," argues Mike Loukides, the content strategy VP at O'Reilly Media. So instead he shares trends observed on O'Reilly's learning platform in the first nine months of 2021: While new technologies may appear on the scene suddenly, the long, slow process of making things that work rarely attracts as much attention. We start with an explosion of fantastic achievements that seem like science fiction — imagine, GPT-3 can write stories! — but that burst of activity is followed by the process of putting that science fiction into production, of turning it into real products that work reliably, consistently, and fairly. AI is making that transition now; we can see it in our data. But what other transitions are in progress...?

Important signals often appear in technologies that have been fairly stable. For example, interest in security, after being steady for a few years, has suddenly jumped up, partly due to some spectacular ransomware attacks. What's important for us isn't the newsworthy attacks but the concomitant surge of interest in security practices — in protecting personal and corporate assets against criminal attackers. That surge is belated but healthy.... Usage of content about ransomware has almost tripled (270% increase). Content about privacy is up 90%; threat modeling is up 58%; identity is up 50%; application security is up 45%; malware is up 34%; and zero trust is up 23%. Safety of the supply chain isn't yet appearing as a security topic, but usage of content about supply chain management has seen a healthy 30% increase....

Another important sign is that usage of content about compliance and governance was significantly up (30% and 35%, respectively). This kind of content is frequently a hard sell to a technical audience, but that may be changing.... This increase points to a growing sense that the technology industry has gotten a regulatory free ride and that free ride is coming to an end. Whether it's stockholders, users, or government agencies who demand accountability, enterprises will be held accountable. Our data shows that they're getting the message.

According to a study by UC Berkeley's School of Information, cybersecurity salaries have crept slightly ahead of programmer salaries in most states, suggesting increased demand for security professionals. And an increase in demand suggests the need for training materials to prepare people to supply that demand. We saw that play out on our platform....

C++ has grown significantly (13%) in the past year, with usage that is roughly twice C's. (Usage of content about C is essentially flat, down 3%.) We know that C++ dominates game programming, but we suspect that it's also coming to dominate embedded systems, which is really just a more formal way to say "internet of things." We also suspect (but don't know) that C++ is becoming more widely used to develop microservices. On the other hand, while C has traditionally been the language of tool developers (all of the Unix and Linux utilities are written in C), that role may have moved on to newer languages like Go and Rust. Go and Rust continue to grow. Usage of content about Go is up 23% since last year, and Rust is up 31%. This growth continues a trend that we noticed last year, when Go was up 16% and Rust was up 94%....

Both Rust and Go are here to stay. Rust reflects significantly new ways of thinking about memory management and concurrency. And in addition to providing a clean and relatively simple model for concurrency, Go represents a turn from languages that have become increasingly complex with every new release.

Other highlights from their report:
  • "Quantum computing remains a topic of interest. Units viewed is still small, but year-over-year growth is 39%. That's not bad for a technology that, honestly, hasn't been invented yet...."
  • "Whether it's the future of finance or history's biggest Ponzi scheme, use of content about cryptocurrency is up 271%, with content about the cryptocurrencies Bitcoin and Ethereum (ether) up 166% and 185% respectively...."
  • "Use of JavaScript content on our platform is surprisingly low — though use of content on TypeScript (a version of JavaScript with optional static typing) is up.... Even with 19% growth, TypeScript has a ways to go before it catches up; TypeScript content usage is roughly a quarter of JavaScript's..."
  • "Python, Java, and JavaScript are still the leaders, with Java up 4%, Python down 6%, and JavaScript down 3%...."
  • "Finally, look at the units viewed for Linux: it's second only to Kubernetes. While down very slightly in 2021, we don't believe that's significant. Linux has long been the most widely used server operating system, and it's not ceding that top spot soon."

Bitcoin

More Than 80% of NFTs Created For Free On OpenSea Are Fraud Or Spam, Company Says (vice.com) 38

An anonymous reader quotes a report from Motherboard: OpenSea has revealed just how much of the NFT activity on its platform is defined by fakery and theft, and it's a lot. In fact, according to the company, nearly all of the NFTs created for free on its platform are either spam or plagiarized. The revelation began with some drama. On Thursday, popular NFT marketplace OpenSea announced that it would limit how many times a user could create (or "mint") an NFT for free on the platform using its tools to 50. So-called "lazy minting" on the site lets users skip paying a blockchain gas fee when they create an NFT on OpenSea (with the buyer eventually paying the fee at the time of sale), so it's a popular option especially for people who don't have deep pockets to jumpstart their digital art empire.

This decision set off a firestorm, with some projects complaining that this was an out-of-the-blue roadblock for them as they still needed to mint NFTs but suddenly couldn't. Shortly after, OpenSea reversed course and announced that it would remove the limit, and provided some reasoning for the limit in the first place: The free minting tool is being used almost exclusively for the purposes of fraud or spam. "Every decision we make, we make with our creators in mind. We originally built our shared storefront contract to make it easy for creators to onboard into the space," OpenSea said in a tweet thread. "However, we've recently seen misuse of this feature increase exponentially. Over 80% of the items created with this tool were plagiarized works, fake collections, and spam."

Android

Android Malware BRATA Wipes Your Device After Stealing Data (bleepingcomputer.com) 32

The Android malware known as BRATA has added new and dangerous features to its latest version, including GPS tracking, the capacity to use multiple communication channels, and a function that performs a factory reset on the device to wipe all traces of malicious activity. BleepingComputer reports: BRATA was first spotted by Kaspersky back in 2019 as an Android RAT (remote access tool) that mainly targeted Brazilian users. In December 2021, a report by Cleafy underscored the emergence of the malware in Europe, where it was seen targeting e-banking users and stealing their credentials with the involvement of fraudsters posing as bank customer support agents. Analysts at Cleafy continued to monitor BRATA for new features, and in a new report published today, illustrate how the malware continues to evolve.

The latest versions of the BRATA malware now target e-banking users in the UK, Poland, Italy, Spain, China, and Latin America. Each variant focuses on different banks with dedicated overlay sets, languages, and even different apps to target specific audiences. The authors use similar obfuscation techniques in all versions, such as wrapping the APK file into an encrypted JAR or DEX package. This obfuscation successfully bypasses antivirus detections [...]. On that front, BRATA now actively seeks signs of AV presence on the device and attempts to delete the detected security tools before proceeding to the data exfiltration step.

The best way to avoid being infected by Android malware is to install apps from the Google Play Store, avoid APKs from shady websites, and always scan them with an AV tool before opening. During installation, pay close attention to the requested permissions and avoid granting any that appear unnecessary for the app's core functionality. Finally, monitor battery consumption and network traffic volumes to identify any inexplicable spikes that may be attributed to malicious processes running in the background.

Encryption

Messenger's End-To-End Encrypted Chats and Calls Are Available To Everyone (theverge.com) 41

Messenger has fully rolled out end-to-end encryption (E2EE) to everyone, with toggles to encrypt text messages as well as group chats and calls. As The Verge notes, Messenger first added E2EE in 2016 back when it was still called Facebook Messenger and Meta was still Facebook. "Meta has discussed switching to E2EE as a default, but that may not happen until next year at the earliest, as some regulators claim this would harm public safety," adds The Verge. From the report: There are two ways Messenger users can opt in to the secure chats: either via vanish mode, by swiping up on an existing chat to enter one where messages automatically disappear when the window is closed, or via the original version that was introduced in 2016 as Secret Conversations. You can turn that on by toggling the lock icon when you start a new chat.

In addition to a full rollout of the feature, Messenger has some new features to enable as well. Now, in end-to-end encrypted chats, you can use GIFs, stickers, reactions, and long-press to reply or forward messages. The encrypted chats also now support verified badges so that people can identify authentic accounts. You can also save media exchanged in the chats, and there's a Snapchat-style screenshot notification that will be rolling out over the next few weeks.

Iphone

Apple Might Let You Use Face ID With a Mask in the Next iOS Update (theverge.com) 50

Apple appears to be testing a feature that will let you use Face ID to unlock the phone even when wearing a mask. From a report: The first developer beta for iOS 15.4 has a screen that asks if you want to be able to use Face ID while wearing a mask, at the cost of reduced security, according to photos from Brandon Butch on Twitter and MacRumors. According to pictures of the screen, Apple says that "iPhone can recognize the unique features around the eye area to authenticate" but warns that Face ID is going to be more accurate if you have it set to not work with a mask.
Security

Booby-trapped Sites Delivered Potent New Backdoor Trojan To macOS Users (arstechnica.com) 34

Researchers have uncovered advanced, never-before-seen macOS malware that was installed using exploits that were almost impossible for most users to detect or stop once the users landed on a malicious website. From a report: The malware was a full-featured backdoor that was written from scratch, an indication that the developers behind it have significant resources and expertise. DazzleSpy, as researchers from security firm Eset have named it, provides an array of advanced capabilities that give the attackers the ability to fully monitor and control infected Macs. Features include: victim device fingerprinting, screen capture, file download/upload, terminal command execution, audio recording, and keylogging. Mac malware has become more common over the years, but the universe of advanced macOS backdoors remains considerably smaller than that of advanced backdoors for Windows. The sophistication of DazzleSpy -- as well as the exploit chain used to install it -- is impressive. It also doesn't appear to have any corresponding counterpart for Windows. This has led Eset to say that the people who developed DazzleSpy are unusual. "First, they seem to be targeting Macs only," Eset researcher Marc-Etienne M.Leveille wrote in an email. "We haven't seen payloads for Windows nor clues that it would exist. Secondly, they have the resources to develop complex exploits and their own spying malware, which is quite significant."
Verizon

Verizon's TracFone Customers Complain of Attackers Stealing Their Phone Numbers (wsj.com) 6

Attackers have commandeered thousands of TracFone customers' phone numbers in recent weeks, forcing new owner Verizon Communications to improve safeguards less than two months after it took over the prepaid wireless provider. From a report: TracFone offers prepaid wireless service under several brands, including Straight Talk, Total Wireless and its namesake brand. Some customers of Straight Talk said they found their phone lines suddenly disconnected around the December holidays. "We were recently made aware of bad actors gaining access to a limited number of customer accounts and, in some cases, fraudulently transferring, or porting out, mobile telephone numbers to other carriers," TracFone said in a notice posted on its website this month. In some cases, customers said they discovered their lines had been moved without their permission to Metro, a unit of T-Mobile US. A T-Mobile spokeswoman said the company investigated and found "no fraud or data breach of any sort" on its side. The company added that such unauthorized transfers "are unfortunately an industrywide issue."

Verizon, which acquired TracFone in late November in a $6.25 billion deal, said it had added security protections to the recently acquired services to prevent such fraudulent transfers. For instance, the prepaid operators will now send customers a text message notification when a transfer request is made. A Verizon spokeswoman said the attack appeared to affect about 6,000 TracFone customers, a fraction of Verizon's roughly 24 million prepaid lines. "We have no reason to think that this was caused by anybody on the inside," the spokeswoman said. "You've got the bad actors out there constantly trying to find points of weakness," Matt Ellis, Verizon's finance chief, said Tuesday in an interview. "We've addressed that weakness."

Security

New DeadBolt Ransomware Targets QNAP Devices, Asks 50 BTC For Master Key (bleepingcomputer.com) 68

ryanw shares a report from BleepingComputer: A new DeadBolt ransomware group is encrypting QNAP NAS devices worldwide using what they claim is a zero-day vulnerability in the device's software. The attacks started today, January 25th, with QNAP devices suddenly finding their files encrypted and file names appended with a .deadbolt file extension. Instead of creating ransom notes in each folder on the device, the QNAP device's login page is hijacked to display a screen stating, "WARNING: Your files have been locked by DeadBolt." This screen informs the victim that they should pay 0.03 bitcoins (approximately $1,100) to an enclosed Bitcoin address unique to each victim.

After payment is made, the threat actors claim they will make a follow-up transaction to the same address that includes the decryption key. This decryption key can then be entered into the screen to decrypt the device's files. At this time, there is no confirmation that paying a ransom will result in receiving a decryption key or that users will be able to decrypt files. The DeadBolt ransomware gang is offering the full details of the alleged zero-day vulnerability if QNAP pays them 5 Bitcoins worth $184,000. They are also willing to sell QNAP the master decryption key that can decrypt the files for all affected victims and the zero-day info for 50 bitcoins, or approximately $1.85 million.

Security

Major Linux PolicyKit Security Vulnerability Uncovered: Pwnkit (zdnet.com) 179

An anonymous reader quotes a report from ZDNet: [S]ecurity company Qualys has uncovered a truly dangerous memory corruption vulnerability in polkit's pkexec, CVE-2021-4034. Polkit, formerly known as PolicyKit, is a systemd SUID-root program. It's installed by default in every major Linux distribution. This vulnerability is easy to exploit. And, with it, any ordinary user can gain full root privileges on a vulnerable computer by exploiting this vulnerability in its default configuration. As Qualys wrote in its brief description of the problem: "This vulnerability is an attacker's dream come true." Why is it so bad? Let us count the ways:

- Pkexec is installed by default on all major Linux distributions.
- Qualys has exploited Ubuntu, Debian, Fedora, and CentOS in their tests, and they're sure other distributions are also exploitable.
- Pkexec has been vulnerable since its creation in May 2009 (commit c8c3d83, "Add a pkexec(1) command").
- An unprivileged local user can exploit this vulnerability to get full root privileges.
- Although this vulnerability is technically a memory corruption, it is exploitable instantly and reliably in an architecture-independent way.
- And, last but not least, it's exploitable even if the polkit daemon itself is not running.

Red Hat rates PwnKit as having a Common Vulnerability Scoring System (CVSS) score of 7.8. This is high. [...] This vulnerability, which has been hiding in plain sight for 12+ years, is a problem with how pkexec reads environment variables. The short version, according to Qualys, is: "If our PATH is "PATH=name=.", and if the directory "name=." exists and contains an executable file named "value", then a pointer to the string "name=./value" is written out-of-bounds to envp[0]." While Qualys won't be releasing a demonstration exploit, the company is sure it won't take long for exploits to be available. Frankly, it's not that hard to create a PwnKit attack.
It's recommended that you obtain and apply a patch ASAP to protect yourself from this vulnerability.

"If no patches are available for your operating system, you can remove the SUID-bit from pkexec as a temporary mitigation," adds ZDNet. "For example, this root-powered shell command will stop attacks: # chmod 0755 /usr/bin/pkexec."
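To make the Qualys sentence concrete, here is an added example that is not ZDNet's, Qualys's or the polkit project's code. It models pkexec's argument loop on a process vector laid out the way execve() lays it out when argv is empty, with and without the argc guard the upstream fix added, and it includes the set-user-ID check one would run on /usr/bin/pkexec after the chmod mitigation. The names pkexec_like, resolve_in_path, simulate_argc0, has_suid_bit and suid_check_selftest are this example's own; resolve_in_path is a simplified stand-in for g_find_program_in_path that skips the executability check, and the directory "name=." exists only as a constructed string, not on disk.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Stand-in for g_find_program_in_path(): joins the first PATH directory with
 * the program name. The real function walks every PATH entry and checks that
 * the file exists and is executable; that is left out because the point here
 * is where the resulting pointer gets written, not the lookup. */
static char *resolve_in_path(const char *prog, char **envp)
{
    const char *dir = NULL;
    for (int i = 0; envp[i] != NULL && dir == NULL; i++)
        if (strncmp(envp[i], "PATH=", 5) == 0)
            dir = envp[i] + 5;
    if (dir == NULL)
        return NULL;
    size_t len = strlen(dir) + 1 + strlen(prog) + 1;
    char *out = malloc(len);
    if (out != NULL)
        snprintf(out, len, "%s/%s", dir, prog);
    return out;
}

/* Minimal model of pkexec's argument handling: the option loop starts at n = 1
 * and never runs when argc is 0, so n stays 1 and argv[1] is read and later
 * overwritten. The kernel places envp right after argv's terminating NULL, so
 * with argc == 0 that slot is envp[0]. */
static void pkexec_like(int argc, char **argv, char **envp, int guard_argc)
{
    if (guard_argc && argc < 1)     /* the upstream fix: refuse an empty argv */
        return;
    int n;
    for (n = 1; n < argc; n++) {
        /* option parsing would go here */
    }
    char *path = strdup(argv[n]);   /* out-of-bounds read when argc == 0 */
    if (path != NULL && path[0] != '/') {
        char *s = resolve_in_path(path, envp);
        if (s != NULL)
            argv[n] = s;            /* out-of-bounds write: this slot is envp[0] */
    }
    free(path);
}

/* Lays out the vector exactly as execve(prog, {NULL}, envp) would (argv[0] is
 * NULL, envp follows), runs the model and copies the final envp[0] into out.
 * Returns 1 if envp[0] was overwritten, 0 if it was left alone. */
int simulate_argc0(int guard_argc, char *out, size_t outlen)
{
    /* Constructed input: envp[0] has no '=' and PATH names a directory literally
     * called "name=.", the layout described in the Qualys write-up. */
    char *vec[] = { NULL, "value", "PATH=name=.", NULL };
    int argc = 0;
    char **argv = vec;               /* argv[0] == NULL */
    char **envp = vec + argc + 1;    /* envp[0] == "value" */
    char *before = envp[0];

    pkexec_like(argc, argv, envp, guard_argc);

    snprintf(out, outlen, "%s", envp[0]);
    if (envp[0] == before)
        return 0;
    free(envp[0]);                   /* the pointer written OOB came from malloc */
    return 1;
}

/* Mitigation check: 1 if path carries the set-user-ID bit, 0 if not, -1 if it
 * cannot be stat()ed. After "chmod 0755 /usr/bin/pkexec" this must return 0. */
int has_suid_bit(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Exercises has_suid_bit() on a scratch file with the bit set, then cleared.
 * Returns 1 if both observations are correct, 0 otherwise. */
int suid_check_selftest(void)
{
    char tmpl[] = "/tmp/suidcheckXXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return 0;
    int ok = fchmod(fd, 04755) == 0 && has_suid_bit(tmpl) == 1
          && fchmod(fd, 0755) == 0 && has_suid_bit(tmpl) == 0;
    close(fd);
    unlink(tmpl);
    return ok;
}

int main(void)
{
    char out[64];
    printf("vulnerable model: envp[0] overwritten=%d, now \"%s\"\n",
           simulate_argc0(0, out, sizeof out), out);
    printf("guarded model:    envp[0] overwritten=%d, now \"%s\"\n",
           simulate_argc0(1, out, sizeof out), out);
    printf("/usr/bin/pkexec setuid: %d (selftest %d)\n",
           has_suid_bit("/usr/bin/pkexec"), suid_check_selftest());
    return 0;
}
```

Built with `cc -std=c99 -Wall`, the vulnerable model reports envp[0] rewritten from "value" to "name=./value", a string the environment now parses as a variable called `name`, which is how the out-of-bounds write smuggles an attacker-chosen variable back into a SUID process; the guarded model leaves envp[0] untouched. On a patched or mitigated host has_suid_bit("/usr/bin/pkexec") should return 0 after the chmod, and a non-zero result after patching means the package update did not land.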
United Kingdom

UK Government Plans To Release Nmap Scripts for Finding Vulnerabilities (therecord.media) 18

The UK government's cyber-security agency plans to release Nmap scripts in order to help system administrators in scanning their networks for unpatched or vulnerable devices. From a report: The new project, titled Scanning Made Easy (SME), will be managed by the UK National Cyber Security Centre (NCSC) and is a joint effort with Industry 100 (i100), a collaboration between the NCSC and the UK private sector. "When a software vulnerability is disclosed, it is often easier to find proof-of-concept code to exploit it, than it is to find tools that will help defend your network," the NCSC said yesterday. "To make matters worse, even when there is a scanning script available, it can be difficult to know if it is safe to run, let alone whether it returns valid scan results."

The NCSC said that the SME project was created to solve this problem by having some of the UK's leading security experts, from both the government and public sector, either create or review scripts that can be used to scan internal networks. Approved scripts will be made available via the NCSC's SME GitHub project page, and the agency said it's also taking submissions from the security community as well. Only scripts for the Nmap network scanning app will be made available through this project, the NCSC said on Monday.

IT

New Logitech Mechanical Keyboards are Conservative in Looks and Price (arstechnica.com) 60

Logitech has introduced two mechanical keyboards to its lineup. Shipping in February, the boards are part of the company's PC gaming brand, but with their $70 starting price and classic, toned-down look, they're also interesting candidates for someone seeking a productivity keyboard with mechanical switches. From a report: The Logitech G G413 SE and G413 TKL SE are $80 and $70, respectively, offering a reasonable entry point for people who might think mechanical keyboards are too expensive. Logitech, specifically its G gaming brand, isn't afraid to overload its keyboards with RGB lighting, but the backlight on these boards comes in white only. The standard G413 is available with an all-white or all-red backlight. A subdued appearance continues with a top case made of aluminum-magnesium alloy with a brushed black finish that matches the black PBT keycaps. The plastic should be an upgrade from the non-SE G413's ABS plastic keyboards, as PBT is generally more resistant to degradation over time. Underneath those keycaps are what Logitech calls "tactile mechanical switches." That phrase suggests something like Cherry MX Browns, but Logitech didn't specify the exact switch used. According to the full-size SE keyboard's product page, the switches actuate at 1.9 mm with 50 g of force and bottom out at 4 mm.
Security

Cracking a $2 Million Crypto Wallet (theverge.com) 66

First, he forgot his PIN -- then he started looking for hackers. From a report: In early 2018, Dan Reich and a friend decided to spend $50,000 in Bitcoin on a batch of Theta tokens, a new cryptocurrency then worth just 21 cents apiece. At first, they held the tokens with an exchange based in China, but within weeks, a broad crackdown on cryptocurrency by the Chinese government meant they would soon lose access to the exchange, so they had to transfer everything to a hardware wallet. Reich and his friend chose a Trezor One hardware wallet, set up a PIN, and then got busy with life and forgot about it. By the end of that year, the token had sunk to less than a quarter of its value, come back up, and then crashed again. Reich decided he wanted to cash out, but his friend had lost the paper where he'd written the PIN and couldn't remember the digits. They tried guessing what they thought was a four-digit PIN (it was actually five), but after each failed attempt, the wallet doubled the wait time before they could guess again. After 16 guesses, the data on the wallet would automatically erase. When they reached a dozen tries, they stopped, afraid to go further. Reich gave up and wrote off the money in his mind. He was willing to take the loss -- until the price started to rise again. From a low of around $12,000, the value of their tokens started to skyrocket. By the end of 2020, it would be worth more than $400,000, rising briefly to over $3 million. It would be hard to get into the wallet without the PIN -- but it wasn't impossible.

And with potentially millions on the line, Reich and his friend vowed to find a way inside. The only way to own cryptocurrency on the blockchain is to have sole possession of a private key associated with a block of currency -- but managing those keys has been a sometimes high-stakes challenge from the beginning. [...] The cryptocurrency data firm Chainalysis estimates that more than 3.7 million Bitcoins worth $66.5 billion are likely lost to owners. Currency can be lost for many reasons: the computer or phone storing a software wallet is stolen or crashes and the wallet is unrecoverable; the owner inadvertently throws their hardware wallet away; or the owner forgets their PIN or dies without passing it to family members. As the value of their inaccessible tokens rapidly rose in 2020, Reich and his friend were desperate to crack their wallet. They searched online until they found a 2018 conference talk from three hardware experts who discovered a way to access the key in a Trezor wallet without knowing the PIN. The engineers declined to help them, but it gave Reich hope. "We at least knew that it was possible and had some directional idea of how it could be done," Reich says. Then they found a financier in Switzerland who claimed he had associates in France who could crack the wallet in a lab. But there was a catch: Reich couldn't know their names or go to the lab. He'd have to hand off his wallet to the financier in Switzerland, who would take it to his French associates. It was a crazy idea with a lot of risks, but Reich and his friend were desperate.
Gripping story.
Businesses

eBay Will Now Authenticate Trading Cards Worth $750 or More (techcrunch.com) 16

Online marketplace eBay is once again expanding its authentication service, this time to include support for authenticating valuable trading cards. From a report: The service will now be able to authenticate cards worth at least $750 from collectible card games, as well as sports and other non-sports cards, the company said. By the middle of this year, this service will grow to include graded, autograph and patch cards sold for $250 and higher, as well. These additions broaden eBay's ability to assure its customers of the authenticity of high-value items, including the sneakers, watches and handbags the company is already able to authenticate. Like other verticals where authentication is available, eBay saw the value in adding support for trading cards due to the volume of activity in the category on its site. The company said the trading cards category is growing "significantly faster" than its total marketplace, and the category saw $2 billion in transactions in the first half of 2021. That's equal to all of the trading card transactions that took place in 2020, for comparison.
Security

DHS Warns of Russian Cyberattack On US If It Responds To Ukraine Invasion (go.com) 129

As tensions rise in the standoff over Ukraine, the Department of Homeland Security has warned that the U.S. response to a possible Russian invasion could result in a cyberattack launched against the U.S. by the Russian government or its proxies. ABC News reports: "We assess that Russia would consider initiating a cyber attack against the Homeland if it perceived a US or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security," a DHS Intelligence and Analysis bulletin sent to law enforcement agencies around the country and obtained by ABC News said. The bulletin was dated Jan. 23, 2022.

Russia, DHS said, has a "range of offensive cyber tools that it could employ against US networks," and the attacks could range from a low level denial of service attack, to "destructive" attacks targeting critical infrastructure. "We assess that Russia's threshold for conducting disruptive or destructive cyber attacks in the Homeland probably remains very high and we have not observed Moscow directly employ these types of cyber attacks against US critical infrastructure -- notwithstanding cyber espionage and potential prepositioning operations in the past," the bulletin said.
Last year, Russian cybercriminals launched a ransomware attack on Colonial Pipeline, shutting down operations and causing widespread outages across the country. Meat supplier JBS also had its operations shut down by Russia-based hackers.
Security

Hacktivists Say They Hacked Belarus Rail System To Stop Russian Military Buildup (arstechnica.com) 71

Hacktivists in Belarus said on Monday they had infected the network of the country's state-run railroad system with ransomware and would provide the decryption key only if Belarus President Alexander Lukashenko stopped aiding Russian troops ahead of a possible invasion of Ukraine. Ars Technica reports: Referring to the Belarus Railway, a group calling itself Cyber Partisans wrote on Telegram: "BelZhD, at the command of the terrorist Lukashenko, these days allows the occupying troops to enter our land. As part of the 'Peklo' cyber campaign, we encrypted the bulk of the servers, databases and workstations of the BelZhD in order to slow down and disrupt the operation of the road. The backups have been destroyed [...]." The group also announced the attack on Twitter.

A representative from the group said in a direct message that the Peklo cyber campaign targets specific entities and government-run companies with the goal of pressuring the Belarus government to release political prisoners and stop Russian troops from entering Belarus to use its ground for the attacks on Ukraine. "The government continues to suppress the free will of Belarusians, imprison innocent people, they continue to unlawfully keep... thousands of political prisoners," the representative wrote. "The major goal is to overthrow Lukashenko's regime, keep the sovereignty and build a democratic state with the rule of law, independent institutions and protection of human rights."

At the time this post went live, several services on the railway's website were unavailable. Online ticket purchases, for instance, weren't working [...]. The representative said that besides ticketing and scheduling being disrupted, the cyberattack also affected freight trains. According to reports, Russia has been sending military equipment and personnel by rail into Belarus, which shares a border with Ukraine. @belzhd_live, a group of Belarus Railway workers that tracks activity on the 5,512-km railway, said on Friday that in a week's time, more than 33 Russian military trains loaded with equipment and troops had arrived in Belarus for joint strategic exercises there. The worker group said at the time that it expected a total of 200 so-called echelons to arrive in the coming days.

Security

New MoonBounce UEFI Bootkit Can't Be Removed by Replacing the Hard Drive (therecord.media) 105

Security researchers from Kaspersky said they have discovered a novel bootkit that can infect a computer's UEFI firmware. From a report: What makes MoonBounce -- the name they gave the bootkit -- special is the fact that the malware doesn't burrow and hide inside a section of the hard drive named ESP (EFI System Partition), where some UEFI code typically resides, but instead infects the SPI flash memory found on the motherboard. This means that, unlike similar bootkits, reinstalling the operating system or replacing the hard drive does not remove it: the bootkit remains on the infected device until the SPI flash is re-flashed (a very complex process) or the motherboard is replaced. According to Kaspersky, MoonBounce marks the third UEFI bootkit they have seen so far that can infect and live inside the SPI memory, following previous cases such as LoJax and MosaicRegressor. Furthermore, MoonBounce's discovery comes after researchers found additional UEFI bootkits in recent months, such as ESPecter, FinSpy's UEFI bootkit, and others, which has led the Kaspersky team to conclude that what was once considered unachievable following the rollout of the UEFI standard has gradually become the norm.
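Because an SPI-resident implant survives disk replacement, the only way to rule one out is to dump the flash itself and compare it with a known-good image. The script below is an added illustration, not code from Kaspersky, The Record or any of the bootkits named above: it walks a firmware dump, locates UEFI firmware volumes by their "_FVH" signature, verifies each volume's header checksum as the PI specification defines it, and reports volumes whose contents differ from a golden image. The two images it works on are constructed in the script (a few bytes of placeholder text wrapped in well-formed volume headers), not real firmware; on real hardware the suspect image would come from a hardware programmer or a tool such as chipsec, and the golden image from the vendor's update package.

```python
import hashlib
import struct
import uuid

# EFI_FIRMWARE_VOLUME_HEADER from the PI spec, up to and including the first
# block-map entry. Offsets: ZeroVector[16] @0, FileSystemGuid @16, FvLength @32,
# Signature "_FVH" @40, Attributes @44, HeaderLength @48, Checksum @50,
# ExtHeaderOffset @52, Reserved @54, Revision @55, BlockMap[0] @56.
FV_HEADER_FMT = "<16s16sQ4sIHHHBBII"
FV_HEADER_SIZE = struct.calcsize(FV_HEADER_FMT)   # 64 bytes
FV_SIGNATURE = b"_FVH"
SIGNATURE_OFFSET = 40
EFI_FIRMWARE_FILE_SYSTEM2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3").bytes_le


def header_checksum_ok(header: bytes) -> bool:
    """PI spec rule: the 16-bit word sum over HeaderLength bytes must be zero."""
    if len(header) % 2:
        return False
    return sum(struct.unpack("<%dH" % (len(header) // 2), header)) & 0xFFFF == 0


def find_volumes(image: bytes) -> list:
    """Locate firmware volumes by signature and sanity-check each header."""
    volumes = []
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - SIGNATURE_OFFSET
        accepted = False
        if start >= 0 and start + FV_HEADER_SIZE <= len(image):
            fields = struct.unpack_from(FV_HEADER_FMT, image, start)
            fv_len, header_len = fields[2], fields[5]
            # Reject stray "_FVH" strings whose surrounding fields make no sense.
            if FV_HEADER_SIZE <= header_len <= fv_len and start + fv_len <= len(image):
                header = image[start:start + header_len]
                volumes.append({
                    "offset": start,
                    "length": fv_len,
                    "checksum_ok": header_checksum_ok(header),
                    "sha256": hashlib.sha256(image[start:start + fv_len]).hexdigest(),
                })
                pos = image.find(FV_SIGNATURE, start + fv_len)
                accepted = True
        if not accepted:
            pos = image.find(FV_SIGNATURE, pos + 1)
    return volumes


def diff_volumes(golden: bytes, suspect: bytes) -> list:
    """Report volumes whose header or contents differ between two SPI dumps."""
    g = {v["offset"]: v for v in find_volumes(golden)}
    s = {v["offset"]: v for v in find_volumes(suspect)}
    findings = []
    for offset, gv in sorted(g.items()):
        sv = s.get(offset)
        if sv is None:
            findings.append((offset, "volume missing from suspect image"))
        elif not sv["checksum_ok"]:
            findings.append((offset, "header checksum invalid"))
        elif sv["sha256"] != gv["sha256"]:
            findings.append((offset, "volume contents differ from golden image"))
    for offset in sorted(s.keys() - g.keys()):
        findings.append((offset, "volume not present in golden image"))
    return findings


def build_volume(body: bytes, block_size: int = 0x1000) -> bytes:
    """Constructed fixture: a minimal, well-formed FFSv2 volume wrapped around `body`."""
    header_len = FV_HEADER_SIZE + 8            # one block-map entry plus zero terminator
    num_blocks = -(-(header_len + len(body)) // block_size)
    fv_len = num_blocks * block_size

    def pack(checksum: int) -> bytes:
        return struct.pack(FV_HEADER_FMT, b"\0" * 16, EFI_FIRMWARE_FILE_SYSTEM2_GUID,
                           fv_len, FV_SIGNATURE, 0x0004FEFF, header_len, checksum,
                           0, 0, 2, num_blocks, block_size) + struct.pack("<II", 0, 0)

    words = struct.unpack("<%dH" % (header_len // 2), pack(0))
    header = pack((-sum(words)) & 0xFFFF)      # make the word sum come out to zero
    return header + body + b"\xff" * (fv_len - header_len - len(body))


# Constructed sample dumps (not real firmware): 256 bytes of erased flash, then two
# volumes standing in for a PEI volume and a DXE volume. SUSPECT_IMAGE has a single
# byte patched inside the second volume, the way an implant that swaps out a DXE
# driver changes the volume body while leaving its header checksum intact.
GOLDEN_IMAGE = (b"\xff" * 0x100
                + build_volume(b"PEI core and drivers (constructed placeholder)")
                + build_volume(b"DXE core and drivers (constructed placeholder)"))
DXE_VOLUME_OFFSET = 0x100 + 0x1000
_patch_at = DXE_VOLUME_OFFSET + FV_HEADER_SIZE + 8 + 4
SUSPECT_IMAGE = GOLDEN_IMAGE[:_patch_at] + b"X" + GOLDEN_IMAGE[_patch_at + 1:]

if __name__ == "__main__":
    for v in find_volumes(GOLDEN_IMAGE):
        print("FV @0x%06x len=0x%x checksum_ok=%s" % (v["offset"], v["length"], v["checksum_ok"]))
    for offset, what in diff_volumes(GOLDEN_IMAGE, SUSPECT_IMAGE):
        print("0x%06x: %s" % (offset, what))
```

Two caveats when running this against a real dump. The volume holding the NVRAM variable store changes legitimately on every boot, so its hash will always differ and has to be excluded or inspected separately; and a dump taken by software on a machine that is already compromised is only as trustworthy as the platform producing it, so the reference dump for an incident should come from a hardware programmer clipped to the flash chip.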
Security

An OpenSea Bug Let Attackers Snatch NFTs from Owners at Six-figure Discounts (theverge.com) 54

A bug in OpenSea, the popular NFT marketplace, has let hackers buy rare NFTs for well below market value, in some cases leading to hundreds of thousands of dollars in losses for the original owners -- and hundreds of thousands of dollars in profits for the apparent thieves. From a report: The bug appears to have been present for weeks and seems to be referenced in at least one tweet from January 1st, 2022. But exploitation of the bug has picked up significantly in the past day: blockchain analytics company Elliptic reported that in a 12-hour stretch before the morning of January 24th, it was exploited at least eight times to "steal" NFTs with a market value of over $1 million. One of the NFTs, Bored Ape Yacht Club #9991, was purchased using the exploit technique for 0.77 ETH ($1,760) and quickly resold for 84.2 ETH ($192,400), netting the attacker a profit of more than $190,000. An Ethereum address linked to the reseller had received more than 400 ETH ($904,000) in payouts from OpenSea in the same 12-hour period.

"It's a subjective thing whether you consider this to be a loophole or a bug, but the fact is that people are being forced into sales at a price they wouldn't otherwise have accepted right now," said Tom Robinson, chief scientist and co-founder of Elliptic. According to a Twitter thread by software developer Rotem Yakir, the bug is caused by a mismatch between the information available in NFT smart contracts and the information presented by OpenSea's user interface. Essentially, the attackers are taking advantage of old contracts that persist on the blockchain but are no longer present in the view provided by the OpenSea application.

IT

Is the Five-Day Work Week Dying? (msn.com) 137

"The traditional idea of going to the office five days a week or working 9 to 5 may be dying," reports the Washington Post: Zoom, which many workplaces and workers relied on during the pandemic, is starting to allow its more than 6,000 workers to choose whether to work in the office, work remotely, or go hybrid, as in working remotely a certain number of days per week or month at their choosing. Bolt, a San Francisco-based e-commerce start-up, boldly introduced a permanent four-day workweek for its nearly 600 employees. Workplace communications platform Slack is reimagining its office primarily as a gathering place for meetings and projects. And tech giants Amazon and Salesforce are allowing their employees to decide as a team when and where they should work, based on the projects at hand.

These approaches come as companies rethink workplace policies amid the fast spread of the omicron variant and the "Great Resignation," during which employers are finding it more difficult to retain talent. U.S. office occupancy dipped to about 28 percent during the third week of January, compared to 40 percent in November before the massive spread of the omicron variant, according to building security company Kastle Systems. Still, some employers see this as an opportunity to rethink the way employees have traditionally worked, opting for even more flexible and creative arrangements that are more likely to lure and retain workers....

Jennifer Christie [Bolt's chief people officer] said after piloting the policy last year, 91 percent of managers and 94 percent of employees wanted to continue. They also reported increased productivity and better work-life balance. Meanwhile, the start-up has been inundated with resumes and emails from people interested in working for the company, Christie said. "People want to be empowered and have autonomy to do work in a way that fits them," Christie said. "That's going to be where talent is attracted...."

The one thing the Kickstarter union workers agree on is the desire for the four-day workweek. "I'd be lying if I said I hadn't listened to some recruiters from places that already implemented a four-day workweek," said Dannel Jurado [a member of Kickstarter United, which is part of the Office and Professional Employees International Union].
