Security

SIM Card Swindler 'Baby Al Capone' Agrees To Pay Back $22 Million To Hacked Crypto Investor (gizmodo.com) 5

A young man who was not even old enough to drive back in 2018 managed to yoink nearly $24 million from a major crypto investor's account. Now, over four years later and thousands likely invested in both an investigation and lawyers fees, Michael Terpin can now claim he has reclaimed $22 million from the the original hack, according to a recently filed agreement. From a report: The original complaint filed in New York Southern District Court back in 2020 named the then-18-year-old Ellis Pinsky of leading a 20-person group that met on the OGUsers' forum that attacked people's crypto wallets using stolen SIM card data. Pinsky allegedly performed this hack when he was only 15 years old while living with his mother in upstate New York. The only other hacker named in the original complaint was 20-year-old Nick Truglia, who had been previously jailed on federal charges for a separate crypto theft. Terpin was a major name in the tech and crypto world, especially back in the late 20-teens as the co-founder of crypto investment firm BitAngels along with early work launching Motley Fool and Match.com. At the time, Terpin's phone hack was one of the largest crypto hacks of its kind. Nowadays, however, $24 million would be chump change to some of the funds modern crypto hackers seem to be rolling in by attacking crypto exchanges, protocols, and cross-chain bridges.
Security

Signal To Phase Out SMS Support From the Android App 54

schwit1 shares a blog post from Signal, the popular instant messaging app: In the interest of privacy, security, and clarity we're beginning to phase out SMS support from the Android app. You'll have several months to export your messages and either find a new app for SMS or tell your friends to download Signal.

[...] To give some context, when we started supporting SMS, Signal didn't exist yet. Our Android app was called TextSecure and the Signal encryption protocol was called Axolotl. Almost a decade has passed since then, and a lot has changed. In this time we changed our name, built iOS and desktop apps, and grew from a small project to the most widely used private messaging service on the planet. And we continued supporting the sending and receiving of plaintext SMS messages via the Signal interface on Android. We did this because we knew that Signal would be easier for people to use if it could serve as a homebase for most of the messages they were sending or receiving, without having to convince the people they wanted to talk to to switch to Signal first. But this came with a tradeoff: it meant that some messages sent and received via the Signal interface on Android were not protected by Signal's strong privacy guarantees.

We have now reached the point where SMS support no longer makes sense. For those of you interested, we walk through our reasoning in more detail below. In order to enable a more streamlined Signal experience, we are starting to phase out SMS support from the Android app. You will have several months to transition away from SMS in Signal, to export your SMS messages to another app, and to let the people you talk to know that they might want to switch to Signal, or find another channel if not.
Security

How Wi-Fi Spy Drones Snooped On Financial Firm (theregister.com) 52

An anonymous reader quotes a report from The Register: Modified off-the-shelf drones have been found carrying wireless network-intrusion kit in a very unlikely place. Greg Linares, a security researcher, recently recounted an incident that he said occurred over the summer at a US East Coast financial firm focused on private investment. He told The Register that he was not involved directly with the investigation but interacted with those involved as part of his work in the finance sector. In a Twitter thread, Linares said the hacking incident was discovered when the financial firm spotted unusual activity on its internal Atlassian Confluence page that originated from within the company's network.

The company's security team responded and found that the user whose MAC address was used to gain partial access to the company Wi-Fi network was also logged in at home several miles away. That is to say, the user was active off-site but someone within Wi-Fi range of the building was trying to wirelessly use that user's MAC address, which is a red flag. The team then took steps to trace the Wi-Fi signal and used a Fluke system to identify the Wi-Fi device. "This led the team to the roof, where a 'modified DJI Matrice 600' and a 'modified DJI Phantom' series were discovered," Linares explained. The Phantom drone was in fine condition and had a modified Wi-Fi Pineapple device, used for network penetration testing, according to Linares. The Matrice drone was carrying a case that contained a Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem, and another Wi-Fi device. It had landed near the building's heating and ventilation system and appeared to be damaged but still operable. "During their investigation, they determined that the DJI Phantom drone had originally been used a few days prior to intercept a worker's credentials and Wi-Fi," Linares said. "This data was later hard coded into the tools that were deployed with the Matrice."

According to Linares, the tools on the drones were used to target the company's internal Confluence page in order to reach other internal devices using the credentials stored there. The attack, he said, had limited success and is the third cyberattack involving a drone he's seen over the past two years. "The attackers specifically targeted a limited access network, used by both a third-party and internally, that was not secure due to recent changes at the company (e.g. restructuring/rebranding, new building, new building lease, new network setup or a combination of any of these scenarios)," Linares told The Register. "This is the reason why this temporary network unfortunately had limited access in order to login (credentials + MAC security). The attackers were using the attack in order to access an internal IT confluence server that contained other credentials for accessing other resources and storing IT procedures." [...] While the identity of the attacker has not been disclosed, Linares believes those responsible did their homework. "This was definitely a threat actor who likely did internal reconnaissance for several weeks, had physical proximity to the target environment, had a proper budget and knew their physical security limitations," he said.

Encryption

Android Leaks Some Traffic Even When 'Always-On VPN' Is Enabled (bleepingcomputer.com) 30

Mullvad VPN has discovered that Android leaks traffic every time the device connects to a WiFi network, even if the "Block connections without VPN," or "Always-on VPN," features is enabled. BleepingComputer reports: The data being leaked outside VPN tunnels includes source IP addresses, DNS lookups, HTTPS traffic, and likely also NTP traffic. This behavior is built into the Android operating system and is a design choice. However, Android users likely didn't know this until now due to the inaccurate description of the "VPN Lockdown" features in Android's documentation. Mullvad discovered the issue during a security audit that hasn't been published yet, issuing a warning yesterday to raise awareness on the matter and apply additional pressure on Google.

Android offers a setting under "Network & Internet" to block network connections unless you're using a VPN. This feature is designed to prevent accidental leaks of the user's actual IP address if the VPN connection is interrupted or drops suddenly. Unfortunately, this feature is undercut by the need to accommodate special cases like identifying captive portals (like hotel WiFi) that must be checked before the user can log in or when using split-tunnel features. This is why Android is configured to leak some data upon connecting to a new WiFi network, regardless of whether you enabled the "Block connections without VPN" setting.

Mullvad reported the issue to Google, requesting the addition of an option to disable connectivity checks. "This is a feature request for adding the option to disable connectivity checks while "Block connections without VPN" (from now on lockdown) is enabled for a VPN app," explains Mullvad in a feature request on Google's Issue Tracker. "This option should be added as the current VPN lockdown behavior is to leaks connectivity check traffic (see this issue for incorrect documentation) which is not expected and might impact user privacy."
In response to Mullvad's request, a Google engineer said this is the intended functionality and that it would not be fixed for the following reasons:

- Many VPNs actually rely on the results of these connectivity checks to function,
- The checks are neither the only nor the riskiest exemptions from VPN connections,
- The privacy impact is minimal, if not insignificant, because the leaked information is already available from the L2 connection.

Mullvad countered these points and the case remains open.
IT

Microsoft's Edge Browser Gets Shared Workspaces, New Security Features (techcrunch.com) 14

Microsoft today announced a few user-facing updates to its Edge browser. The most important of these is likely Edge Workspaces, a new feature (currently in preview) that will allow teams to share browser tabs. From a report: Microsoft argues that this feature can be useful when bringing on new team members to an existing project. Instead of sharing lots of links and files, the team can simply share a single like to an Edge Workspace (which will then likely consist of lots of links and files, but hey, at least it's just one link to share). As the project evolves, the tabs are updated in real time. I guess that's a use case. We've seen our share of extensions that do similar things, none of which ever get very popular. Meanwhile, teams share these links and files in other ways (think Confluent, etc.). On the security front, Microsoft is bringing typo protection for website URLs to the browser, promising to protect "users from accidentally navigating to online fraud sites after misspelling the website address by suggesting the website that the user intended." Nothing too complicated here, and a useful feature for sure.
Google

Google is Bringing Passkey Support To Android and Chrome (googleblog.com) 63

Android Developers Blog: Passkeys are a significantly safer replacement for passwords and other phishable authentication factors. They cannot be reused, don't leak in server breaches, and protect users from phishing attacks. Passkeys are built on industry standards and work across different operating systems and browser ecosystems, and can be used for both websites and apps. Passkeys follow already familiar UX patterns, and build on the existing experience of password autofill. For end-users, using one is similar to using a saved password today, where they simply confirm with their existing device screen lock such as their fingerprint. Passkeys on users' phones and computers are backed up and synced through the cloud to prevent lockouts in the case of device loss. Additionally, users can use passkeys stored on their phone to sign in to apps and websites on other nearby devices.

Today's announcement is a major milestone in our work with passkeys, and enables two key capabilities: Users can create and use passkeys on Android devices, which are securely synced through the Google Password Manager. Developers can build passkey support on their sites for end-users using Chrome via the WebAuthn API, on Android and other supported platforms. To try this today, developers can enroll in the Google Play Services beta and use Chrome Canary. Both features will be generally available on stable channels later this year. Our next milestone in 2022 will be an API for native Android apps. Passkeys created through the web API will work seamlessly with apps affiliated with the same domain, and vice versa. The native API will give apps a unified way to let the user pick either a passkey or a saved password. Seamless, familiar UX for both passwords and passkeys helps users and developers gradually transition to passkeys.

For the end-user, creating a passkey requires just two steps: (1) confirm the passkey account information, and (2) present their fingerprint, face, or screen lock when prompted. Signing in is just as simple: (1) The user selects the account they want to sign in to, and (2) presents their fingerprint, face, or screen lock when prompted. A passkey on a phone can also be used to sign in on a nearby device. For example, an Android user can now sign in to a passkey-enabled website using Safari on a Mac. Similarly, passkey support in Chrome means that a Chrome user, for example on Windows, can do the same using a passkey stored on their iOS device. Since passkeys are built on industry standards, this works across different platforms and browsers - including Windows, macOS and iOS, and ChromeOS, with a uniform user experience.

Privacy

Toyota Discloses Data Leak After Access Key Exposed On GitHub (bleepingcomputer.com) 9

An anonymous reader quotes a report from BleepingComputer: Toyota Motor Corporation is warning that customers' personal information may have been exposed after an access key was publicly available on GitHub for almost five years. Toyota T-Connect is the automaker's official connectivity app that allows owners of Toyota cars to link their smartphone with the vehicle's infotainment system for phone calls, music, navigation, notifications integration, driving data, engine status, fuel consumption, and more. Toyota discovered recently that a portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers. This made it possible for an unauthorized third party to access the details of 296,019 customers between December 2017 and September 15, 2022, when access to the GitHub repository was restricted.

On September 17, 2022, the database's keys were changed, purging all potential access from unauthorized third parties. The announcement explains that customer names, credit card data, and phone numbers have not been compromised as they weren't stored in the exposed database. Toyota blamed a development subcontractor for the error but recognized its responsibility for the mishandling of customer data and apologized for any inconvenience caused. The Japanese automaker concludes that while there are no signs of data misappropriation, it cannot rule out the possibility of someone having accessed and stolen the data. For this reason, all users of T-Connect who registered between July 2017 and September 2022 are advised to be vigilant against phishing scams and avoid opening email attachments from unknown senders claiming to be from Toyota.

Security

Germany's Cybersecurity Chief Faces Dismissal, Reports Say (reuters.com) 33

German Interior Minister Nancy Faeser wants to dismiss the country's cybersecurity chief due to possible contacts with people involved with Russian security services, German media reported late on Sunday, citing government sources. Reuters reports: Arne Schoenbohm, president of the BSI federal information security agency, could have had such contacts through the Cyber Security Council of Germany, various outlets reported. Schoenbohm was a founder of the association, which counts as a member a German company that is a subsidiary of a Russian cybersecurity firm founded by a former KGB employee, they wrote. "These accusations must be decisively investigated," said Konstantin von Notz, the head of the parliamentary oversight committee for Germany's intelligence agencies.
Security

Russian-Speaking Hackers Knock Multiple US Airport Websites Offline (cnn.com) 41

More than a dozen public-facing airport websites, including those for some of the nation's largest airports, appeared inaccessible Monday morning, and Russian-speaking hackers claimed responsibility. From a report: No immediate signs of impact to actual air travel were reported, suggesting the issue may be an inconvenience for people seeking travel information. "Obviously, we're tracking that, and there's no concern about operations being disrupted," Kiersten Todt, Chief of Staff of the US Cybersecurity and Infrastructure Security Agency (CISA), said Monday at a security conference in Sea Island, Georgia. The 14 websites include the one for Atlanta's Hartsfield-Jackson International Airport. An employee there told CNN there were no operational impacts. The Los Angeles International Airport website was offline earlier but appeared to be restored shortly before 9 a.m. Eastern.
Social Networks

Your Boss Can Monitor Your Activities Without Special Software (seattletimes.com) 54

"Your boss probably has enough data about your digital activities to get a snapshot of your workday — without using any special monitoring software...." reports the Washington Post.

"Workers should be aware that many online work apps offer data about their daily activities...." Commonly used network-connected apps such as Zoom, Slack and Microsoft Office give managers the ability to find everything from the number of video meetings in which you've actively participated, to how much you chatted online with co-workers and the number of documents you saved to the cloud....

At the beginning of 2022, global demand for employee monitoring software increased 65 percent from 2019, according to internet security and digital rights firm Top10VPN. But popular work apps also offer data. On Microsoft 365, an account administrator can pull data — though it may not be easy and would be tracked in compliance logs — on how many emails workers sent, how many files they saved on a shared drive and how many messages they sent as well as video meetings they participated in on the messaging and video tool Microsoft Teams. Google Workspace, Google's suite of work tools, allows administrators, for security and audit purposes, to see how many emails a user sent and received, how many files they saved and accessed on Google Drive, and when a user started a video meeting, from where they joined meetings, and who was in a meeting. Select administrators on both services can also access the content of emails and calendar items.

On paid Slack accounts, managers can see how many days users have been active and how many messages they've sent over a set period of time. Zoom allows account administrators to see how many meetings users participated in, the length of the meetings, and whether users enabled their camera and microphone during them. And if employees have company-issued phones or use office badges or tech that requires them to sign in at the office, managers can track phone usage and office attendance.

To be sure, several software companies say their reports are not for employee evaluation and surveillance. Microsoft has stated that using technology to monitor employees is counterproductive and suggested that some managers may have "productivity paranoia." In the help section of its website, Slack states that the analytics data it offers should be "used for understanding your whole team's use of Slack, not evaluating an individual's performance."

"Several workplace experts agree on one thing: The data doesn't properly represent a worker's productivity," the article concludes.

"Activities such as in-person mentoring, taking time to brainstorm, sketching out a plan or using offline software won't appear in the data. And measuring quantity might discount the quality of one's work or interactions."
Security

Pro-Russian 'Hacktivists' Temporarily Disrupted Some US State Government Web Sites (cnn.com) 20

"Russian-speaking hackers on Wednesday claimed responsibility for knocking offline state government websites in Colorado, Kentucky and Mississippi, among other states," reports CNN, calling it "the latest example of apparent politically motivated hacking following Russia's invasion of Ukraine.... The websites in Colorado, Kentucky and Mississippi were sporadically available Wednesday morning and afternoon as administrators appeared to try to bring them online." The Kentucky Board of Elections' website, which posts information on how to register to vote, was also temporarily offline on Wednesday, but it was not immediately clear what caused that outage. The board of elections' website is also managed by the Kentucky government, though the hackers did not specifically list the board as a target.... Websites like that of the Kentucky Board of Elections are not directly involved in the casting or counting of votes, but they can provide useful information for voters....

The hacking group claiming responsibility for Wednesday's website outage is known as Killnet and stepped up their activity after Russia's February invasion of Ukraine to target organizations in NATO countries. They are a loose band of so-called "hacktivists" — politically motivated hackers who support the Kremlin but whose ties to that government are unknown. The group also claimed responsibility for briefly downing a US Congress website in July, and for cyberattacks on organizations in Lithuania after the Baltic country blocked the shipment of some goods to the Russian enclave of Kaliningrad in June....

Officials at the FBI and CISA reiterated this week that any efforts by hackers to breach election infrastructure are "unlikely to result in largescale disruptions or prevent voting."

Government Technology supplies some context: Amsterdam-based threat intelligence technology and services provider EclecticIQ's Threat Research team said in a blog post that Killnet appears to only have the capacity to launch DDoS attacks with short-term impact, and falls short of dealing lasting damage to victims' network infrastructure. "Analysts believe that Killnet supporters are novice users with zero or limited experience with DDoS attacks, based on an analysis of Telegram messaging data and open-source reporting," EclecticIQ wrote.
CNN described Killnet's typical attacks as "crude hacks that temporarily knock websites offline but don't do further damage to infrastructure.

"Killnet thrives off of public attention and bravado, and cybersecurity experts have to strike a balance between being mindful of Killnet's online antics and not hyping a low-level threat."
Medicine

Ransomware Attack Delays Patient Care at Several Hospitals Across the US (nbcnews.com) 30

"One of the largest hospital chains in the U.S. was hit with a suspected ransomware cyberattack this week," reports NBC News, "leading to delayed surgeries, hold ups in patient care and rescheduled doctor appointments across the country." CommonSpirit Health, ranked as the fourth-largest health system in the country by Becker's Hospital Review, said Tuesday that it had experienced "an IT security issue" that forced it to take certain systems offline. While CommonSpirit declined to share specifics, a person familiar with its remediation efforts confirmed to NBC News that it had sustained a ransomware attack.

CommonSpirit, which has more than 140 hospitals in the U.S., also declined to share information on how many of its facilities were experiencing delays. Multiple hospitals, however, including CHI Memorial Hospital in Tennessee, some St. Luke's hospitals in Texas, and Virginia Mason Franciscan Health in Seattle all have announced they were affected.

One Texas woman, who spoke to NBC News on the condition of anonymity to protect her family's medical privacy, said that she and her husband had arrived at a CommonSpirit-affiliated hospital on Wednesday for long-scheduled major surgery, only for his doctor to recommend delaying it until the hospital's technical issues were resolved.

The surgeon "told me it could potentially delay post-op care, and he didn't want to risk it," she said.

Wednesday the company confirmed that "We have taken certain systems offline."
Encryption

VPN, Tor Use Increases in Iran After Internet 'Curfews' (cnbc.com) 22

Iran's government is trying to limit internet access, reports CNBC — while Iranians are trying a variety of technologies to bypass the blocks: Outages first started hitting Iran's telecommunications networks on September 19, according to data from internet monitoring companies Cloudflare and NetBlocks, and have been ongoing for the last two and a half weeks. Internet monitoring groups and digital rights activists say they're seeing "curfew-style" network disruptions every day, with access being throttled from around 4 p.m. local time until well into the night. Tehran blocked access to WhatsApp and Instagram, two of the last remaining uncensored social media services in Iran. Twitter, Facebook, YouTube and several other platforms have been banned for years.

As a result, Iranians have flocked to VPNs, services that encrypt and reroute their traffic to a remote server elsewhere in the world to conceal their online activity. This has allowed them to restore connections to restricted websites and apps. On September 22, a day after WhatsApp and Instagram were banned, demand for VPN services skyrocketed 2,164% compared to the 28 days prior, according to figures from Top10VPN, a VPN reviews and research site. By September 26, demand peaked at 3,082% above average, and it has continued to remain high since, at 1,991% above normal levels, Top10VPN said....

Mahsa Alimardani, a researcher at free speech campaign group Article 19, said a contact she's been communicating with in Iran showed his network failing to connect to Google, despite having installed a VPN. "This is new refined deep packet inspection technology that they've developed to make the network extremely unreliable," she said. Such technology allows internet service providers and governments to monitor and block data on a network. Authorities are being much more aggressive in seeking to thwart new VPN connections, she added....

VPNs aren't the only techniques citizens can use to circumvent internet censorship. Volunteers are setting up so-called Snowflake proxy servers, or "proxies," on their browsers to allow Iranians access to Tor — software that routes traffic through a "relay" network around the world to obfuscate their activity.

Security

Utility Security Is So Bad, US DoE Offers Rate Cuts To Improve It (theregister.com) 18

The US Department of Energy has proposed regulations to financially reward cybersecurity modernization at power plants by offering rate deals for everything from buying new hardware to paying for outside help. The Register reports: In a notice of proposed rulemaking published earlier this week (which nullified a similar 2021 plan), the DoE said the time was right "to establish rules for incentive-based rate treatments" for utilities making investments in cybersecurity technology. The DoE said these included products and services, and information like plans, policies, procedures and other info related to cybersecurity tech. [...] In addition to stimulating voluntary security improvements, the proposed policy also encourages utilities to join cyber threat information sharing programs, and mandates regular reports for the duration of incentives.

The DoE's proposal includes a long list of things it said would be eligible for incentive-based rate treatments. While it's too long to include here, the DoE's language about what it will allow means it could essentially include anything that could "materially improve cybersecurity," be that a product, service or info-sharing program. The DoE said that hardware incentives would have a five-year depreciation period, while activities would cease to be incentivized once they become mandatory. As for how the rewards would be applied, the proposal specifies two methods: A return on equity (RoE) of 200 base points (2 percent) that would be applied to transmission rates, and a cost-recovery deferral that would allow them to amortize equipment purchased and treated as a regulatory asset.

Facebook

Facebook Warns 1 Million Users Whose Logins Were Stolen By Scam Mobile Apps (theverge.com) 15

Meta is warning Facebook users about hundreds of apps on Apple and Google's app stores that were specifically designed to steal login credentials to the social network app. From a report: The company says it's identified over 400 malicious apps disguised as games, photo editors, and other utilities and that it's notifying users who "may have unknowingly self-compromised their accounts by downloading these apps and sharing their credentials." According to Bloomberg, a million users were potentially affected. In its post, Meta says that the apps tricked people into downloading them with fake reviews and promises of useful functionality (both common tactics for other scam apps that are trying to take your money rather than your login info). But upon opening some of the apps, users were prompted to log in with Facebook before they could actually do anything -- if they did, the developers were able to steal their credentials.
Security

Game Firm 2K Says Users Info Stolen (arstechnica.com) 2

Game company 2K has warned users to remain on the lookout for suspicious activity across their accounts following a breach last month that allowed a threat actor to obtain email addresses, names, and other sensitive information provided to 2K's support team. From a report: The breach occurred on September 19, when the threat actor illegally obtained system credentials belonging to a vendor 2K uses to run its help desk platform. 2K warned users a day later that the threat actor used unauthorized access to send some users emails that contained malicious links. The company warned users not to open any emails sent by its online support address or click on any links in them. If users already clicked on links, 2K urged them to change all passwords stored in their browsers. On Thursday, after an outside party completed a forensic investigation, 2K sent an unknown number of users an email warning them that the threat actor was able to obtain some of the personal information they supplied to help desk personnel.
Security

Binance-linked Blockchain Hit By $570 Million Crypto Hack, Binance Says (reuters.com) 34

A blockchain linked to Binance, the world's largest crypto exchange, has been hit by a $570 million hack, a Binance spokesperson said on Friday, the latest in a series of hacks to hit the crypto sector this year. From a report: Binance CEO Changpeng Zhao said in a tweet that tokens were stolen from a blockchain "bridge" used in the BNB Chain, which was known as Binance Smart Chain until February. Blockchain bridges are tools used to transfer cryptocurrencies between different applications. Zhao said the hackers stole around $100 million worth of crypto. BNB Chain later said in a blog post that a total of 2 million of the cryptocurrency BNB - worth around $570 million - was withdrawn by the hacker.
Data Storage

Big Tech, Banks, Government Departments Shred Millions of Storage Devices They Could Reuse (ft.com) 80

Companies such as Amazon and Microsoft, as well as banks, police services and government departments, shred millions of data-storing devices each year, the Financial Times has learnt through interviews with more than 30 people who work in and around the decommissioning industry and via dozens of freedom of information requests. From the report: This is despite a growing chorus of industry insiders who say there is another, better option to safely dispose of data: using computer software to securely wipe the devices before selling them on the secondary market. "From a data security perspective, you do not need to shred," says Felice Alfieri, a European Commission official who co-authored a report about how to make data centres more sustainable and is promoting "data deletion" over device destruction. Underpinning the reluctance to move away from shredding is the fear that data could leak, triggering fury from customers and huge fines from regulators.

Last month, the US Securities and Exchange Commission fined Morgan Stanley $35mn for an "astonishing" failure to protect customer data, after the bank's decommissioned servers and hard drives were sold on without being properly wiped by an inexperienced company it had contracted. This was on top of a $60mn fine in 2020 and a $60mn class action settlement reached earlier this year. Some of the hardware containing bank data ended up being auctioned online. While the incident stemmed from a failure to wipe the devices before selling them on, the bank now mandates that every one of its data-storing devices is destroyed -- the vast majority on site. This approach is widespread. One employee at Amazon Web Services, who spoke on condition of anonymity, explained that the company shreds every single data-storing device once it is deemed obsolete, usually after three to five years of use: "If we let one [piece of data] slip through, we lose the trust of our customers." A person with knowledge of Microsoft's data disposal operations says the company shreds everything at its 200-plus Azure data centres.

Software

The Thorny Problem of Keeping the Internet's Time (newyorker.com) 95

An obscure software system synchronizes the network's clocks. Who will keep it running? From a report: To solve the problem of time synchronization on the arpanet, computer scientist David Mills built what programmers call a protocol -- a collection of rules and procedures that creates a lingua franca for disparate devices. The arpanet was experimental and capricious: electronics failed regularly, and technological misbehavior was common. His protocol sought to detect and correct for those misdeeds, creating a consensus about the time through an ingenious system of suspicion. Mills prided himself on puckish nomenclature, and so his clock-synchronizing system distinguished reliable "truechimers" from misleading "falsetickers." An operating system named Fuzzball, which he designed, facilitated the early work. Mills called his creation the Network Time Protocol, and N.T.P. soon became a key component of the nascent Internet. Programmers followed its instructions when they wrote timekeeping code for their computers. By 1988, Mills had refined N.T.P. to the point where it could synchronize the clocks of connected computers that had been telling vastly differing times to within tens of milliseconds -- a fraction of a blink of an eye. "I always thought that was sort of black magic," Vint Cerf, a pioneer of Internet infrastructure, told me.

Today, we take global time synchronization for granted. It is critical to the Internet, and therefore to civilization. Vital systems -- power grids, financial markets, telecommunications networks -- rely on it to keep records and sort cause from effect. N.T.P. works in partnership with satellite systems, such as the Global Positioning System (G.P.S.), and other technologies to synchronize time on our many online devices. The time kept by precise and closely aligned atomic clocks, for instance, can be broadcast via G.P.S. to numerous receivers, including those in cell towers; those receivers can be attached to N.T.P. servers that then distribute the time across devices linked together by the Internet, almost all of which run N.T.P. (Atomic clocks can also directly feed the time to N.T.P. servers.) The protocol operates on billions of devices, coÃrdinating the time on every continent. Society has never been more synchronized.

Security

Former Amazon Worker Gets Probation For Massive Capital One Hack (apnews.com) 76

A former Seattle tech worker convicted of several charges related to a massive hack of Capital One bank and other companies in 2019 was sentenced Tuesday to time served and five years of probation. From a report: U.S. District Judge Robert S. Lasnik said sentencing former Amazon software engineer Paige Thompson to time in prison would have been particularly difficult on her "because of her mental health and transgender status," the Department of Justice said in a statement.

U.S. Attorney Nick Brown said his office was "very disappointed" with the sentencing decision, adding prosecutors had asked for Thompson to serve seven years in prison. "This is not what justice looks like," Brown said in the statement. In June, a Seattle jury found her guilty of wire fraud, unauthorized access to a protected computer and damaging a protected computer. The jury acquitted her of other charges, including access device fraud and aggravated identity theft.

Slashdot Top Deals