Encryption

Major VPN Services Shut Down In India Over Anti-Privacy Law (9to5mac.com)

"Major VPN services have shut down service in India, as there is no way to comply with a new law without breaching their own privacy protection standards," reports 9to5Mac. "The law also applies to iCloud Private Relay, but Apple has not yet commented on its own plans." The Wall Street Journal reports: Major global providers of virtual private networks, which let internet users shield their identities online, are shutting down their servers in India to protest new government rules they say threaten their customers' privacy [...] Such rules are "typically introduced by authoritarian governments in order to gain more control over their citizens," said a spokeswoman for Nord Security, provider of NordVPN, which has stopped operating its servers in India. "If democracies follow the same path, it has the potential to affect people's privacy as well as their freedom of speech," she said [...]

Other VPN services that have stopped operating servers in India in recent months are some of the world's best known. They include U.S.-based Private Internet Access and IPVanish, Canada-based TunnelBear, British Virgin Islands-based ExpressVPN, and Lithuania-based Surfshark. ExpressVPN said it "refuses to participate in the Indian government's attempts to limit internet freedom." The government's move "severely undermines the online privacy of Indian residents," Private Internet Access said.

"Customers in India will be able to connect to VPN servers in other countries," adds 9to5Mac. "This is the same approach taken in Russia and China, where operating servers within those countries would require VPN companies to comply with similar legislation."

"Cloud storage services are also subjected to the new rules, though there would be little practical impact on Apple here. iCloud does not use end-to-end encryption, meaning that Apple holds a copy of your decryption key, and can therefore already comply with government demands for information."

Businesses

Shopify Warns Merchants Against Using Amazon's 'Buy With Prime' Service (cnbc.com)

Shopify is pushing back on Amazon's one-click checkout service. The e-commerce platform is warning merchants who try to install Amazon's "Buy With Prime" button on their storefront that it violates Shopify's terms of service, and is also raising the specter of security risks, according to research firm Marketplace Pulse. CNBC: Amazon introduced Buy With Prime in April, pitching it as a way for merchants to grow traffic on their own websites. The service lets merchants add the Prime logo and offer Amazon's speedy delivery options on their sites. Members of the retail giant's Prime loyalty club can check out using their Amazon account. Shopify will not protect merchants who try to use Buy With Prime against fraudulent orders, according to a screenshot of a notice Shopify sent to merchants. The notice also warns that Amazon's service could steal customer data, and charge customers incorrectly. Shopify's terms of service require merchants to use Shopify Checkout "for any sales associated with your online store," seemingly prohibiting them from offering alternative checkout options.

Transportation

Someone Hacked Largest Taxi Service In Russia, Ordered All Available Taxis To the Same Location

According to Twitter user @runews, someone hacked the largest taxi service in Russia, Yandex Taxi, and ordered all the available taxis to an address on Kutuzovsky Prospekt. The tweet includes a video showing the traffic jam that this caused in the middle of Moscow. It's not known who was behind the attack.

In a statement to SouthFront, the company said: "The security service promptly stopped attempts to artificially accumulate cars. Drivers spent about 40 minutes in traffic due to fake orders. The issue of compensation will be resolved in the very near future." The company stressed that in order to exclude such incidents in the future, "the algorithm for detecting and preventing such attacks has already been improved."

IT

USB4 v2 Will Support Speeds Up To 80 Gbps (liliputing.com)

The next generation of USB devices might support data transfer speeds as high as 80 Gbps, which would be twice as fast as current-gen Thunderbolt 4 products. From a report: The USB Promoter Group says it plans to publish the new USB4 version 2.0 specification ahead of this year's USB Developer Days events scheduled for November, but it could take a few years before new cables, hubs, PCs, and mobile devices featuring the new technology are available for purchase. According to the group, the new protocol will make use of the same USB Type-C cables and connectors as USB4 version 1.0. In fact, if you've already got a USB Type-C passive cable that's capable of 40 Gbps speeds, you should be able to use that same cable with next-gen hardware to achieve speeds up to 80 Gbps. But the new standard will also introduce a new USB Type-C active cable designed specifically for speeds up to 80 Gbps. The new standard is also backward compatible, which means that if you buy a new device with USB4 v2 support, it will still work with older hardware featuring USB 2.0, 3.2, or Thunderbolt 3 connectivity. You just won't be able to take advantage of the full speeds.
IOS

Apple Releases Rare iOS 12 Update To Address Security Flaw On Older iPhones, iPads (engadget.com)

Apple has released an iOS 12 update users of older iPhone and iPad devices should download as soon as possible. Engadget reports: The new version of the company's 2018 operating system addresses a major vulnerability that Apple recently patched within iOS 15. According to a support document, the WebKit flaw could have allowed a website to run malicious code on your device. In its usual terse manner, Apple notes it is "aware of a report that this issue may have been actively exploited."

For that reason, you should download the update as soon as possible if you're still using an iOS 12 device. That's a list that includes the iPhone 5s, iPhone 6, as well as iPad Air, iPad mini 2 and iPad mini 3. You can download iOS 12.5.6 by opening the Settings app, tapping on "General" and then selecting "Software Update."

Privacy

Dashlane Is Ready To Replace All Your Passwords With Passkeys (theverge.com)

Dashlane announced today that it's integrating passkeys into its cross-platform password manager. "We said, you know what, our job is to make security simple for users," says Dashlane CEO JD Sherman, "and this is a great tool to do that. So we should actually be thinking about ushering in this passwordless era." The Verge reports: Passwords are dying, long live passkeys. Practically the entire tech industry seems to agree that hexadecimal passwords need to die, and that the best way to replace them is with the cryptographic keys that have come to be known as passkeys. Basically, rather than having you type a phrase to prove you're you, websites and apps use a standard called WebAuthn to connect directly to a token you have saved -- on your device, in your password manager, ultimately just about anywhere -- and authenticate you automatically. It's more secure, it's more user-friendly, it's just better. The transition is going to take a while, though, and even when you can use passkeys, it'll be a while before all your apps and websites let you do so.

Going forward, Dashlane users can start to set up passkeys to log into sites and apps where they previously would have created passwords. And whereas systems like Apple's upcoming implementation in iOS 16 will often involve taking a picture of a QR code to log in, Dashlane says it can make the process even simpler because it has apps for most platforms and an extension for most browsers.

Businesses

Who Pays for an Act of Cyberwar? (wired.com)

Cyberinsurance doesn't cover acts of war. But even as cyberattacks mount, the definition of "warlike" actions remains blurry. From a report: This summer marks the fifth anniversary of the most expensive cyberattack ever: the NotPetya malware, released by Russia in June 2017, that shut down computer systems at companies and government agencies around the world, causing upward of $10 billion in damage due to lost business, repairs, and other operational disruptions. Half a decade later, the businesses affected by NotPetya are still sorting out who will pay those considerable costs in a series of legal disputes that will have serious ramifications for the rapidly growing cyberinsurance industry, as well as for the even more rapidly growing number of state-sponsored cyberattacks that blur the line between cyberwar and standard-issue government cyberactivity.

Whether or not insurers cover the costs of a cyberattack can depend, in part, on being able to make clear-cut distinctions in this blurry space: When Russian government hackers targeted Ukraine's electric grid earlier this year, was that an act of war because the two countries were already at war? What about when Russia hacked Ukraine's electric grid in 2015, or when pro-Russian hackers targeted servers in countries like the United States, Germany, Lithuania, and Norway because of their support for Ukraine? Figuring out which of these types of intrusions are "warlike" is not an academic matter for victims and their insurers -- it is sometimes at the heart of who ends up paying for them. And the more that countries like Russia exercise their offensive cyber capabilities, the harder and more critical it becomes to make those distinctions and sort out who is on the line to cover the costs.

When insurers first began offering policies that covered costs related to computer security breaches more than 20 years ago, the promise was that the industry would do for cybersecurity what it had done for other types of risks like car accidents, fires, or robbery. In other words, cyberinsurance was supposed to insulate policyholders from some of the most burdensome short-term costs associated with these events while simultaneously requiring those same policyholders to adopt best practices (seat belts, smoke detectors, security cameras) for reducing the likelihood of these risks in the first place. But the industry has fallen well short of that goal, in many cases failing both to help breached companies cover the costs of major cyberattacks like NotPetya, and to help companies reduce their exposure to cyber risk.

Google

Google's Open-Source Bug Bounty Aims To Clamp Down on Supply Chain Attacks (theverge.com)

Google has introduced a new vulnerability rewards program to pay researchers who find security flaws in its open-source software or in the building blocks that its software is built on. It'll pay anywhere from $101 to $31,337 for information about bugs in projects like Angular, GoLang, and Fuchsia or for vulnerabilities in the third-party dependencies that are included in those projects' codebases. From a report: While it's important for Google to fix bugs in its own projects (and in the software that it uses to keep track of changes to its code, which the program also covers), perhaps the most interesting part is the bit about third-party dependencies. Programmers often use code from open-source projects so they don't continuously have to reinvent the same wheel. But since developers often directly import that code, as well as any updates to it, that introduces the possibility of supply chain attacks. That's when hackers don't target the code directly controlled by Google itself but go after these third-party dependencies instead.

As SolarWinds showed, this type of attack isn't limited to open-source projects. But in the past few years, we've seen several stories where big companies have had their security put at risk thanks to dependencies. There are ways to mitigate this sort of attack vector -- Google itself has begun vetting and distributing a subset of popular open-source programs, but it's almost impossible to check over all the code a project uses. Incentivizing the community to check through dependencies and first-party code helps Google cast a wider net.

IT

Drop Launches the Sense75, Its First New In-House Keyboard Since 2020 (techcrunch.com)

An anonymous reader shares a report: As the mechanical keyboard hobby exploded during the early days of the pandemic, a lot of companies raced to launch new products. Drop, however, which maybe did more than anybody to popularize custom mechanical keyboards by making them and lots of accessories available to a larger audience, mostly added third-party keyboards to its lineup during this time. Now, however, it is launching the Sense75, its first brand-new in-house keyboard in two years.

As the name implies, this is a 75% keyboard, meaning you get the full set of function and arrow keys, as well as three buttons on the right side (by default, these are delete, page up and page down) and, as has become standard these days, a knob. There are RGB LEDs, of course, including underside diffusers that will create what Drop calls a "visually appealing halo" and, of course, hot-swap sockets so you can easily change out your switches. The keyboard will support customization through QMK and VIA to adapt it to your typing needs.

The pre-built version will set you back $349 for the black edition and $399 for the white one, while the barebones version will cost $249 in black and $299 in white.

Youtube

YouTube Now Controls Its Hardware Roadmap (techspot.com)

An anonymous reader shares a report: Partha Ranganathan came to realize about seven years ago that Moore's law was dead. No longer could the Google engineering VP expect chip performance to double roughly every 18 months without major cost increases, and that was a problem considering he helped Google construct its infrastructure spending budget each year. Faced with the prospect of getting a chip twice as fast every four years, Ranganathan knew they needed to mix things up. Ranganathan and other Google engineers looked at the overall picture and realized transcoding (for YouTube) was consuming a large fraction of compute cycles in its data centers. The off-the-shelf chips Google was using to run YouTube weren't all that good at specialized tasks like transcoding. YouTube's infrastructure uses transcoding to compress video down to the smallest possible size for your device, while presenting it at the best possible quality.

What they needed was an application-specific integrated circuit, or ASIC -- a chip designed to do a very specific task as effectively and efficiently as possible. Bitcoin miners, for example, use ASIC hardware and are designed for that sole purpose. "The thing that we really want to be able to do is take all of the videos that get uploaded to YouTube and transcode them into every format possible and get the best possible experience," said Scott Silver, VP of engineering at YouTube. It didn't take long to sell upper management on the idea of ASICs. After a 10-minute meeting with YouTube chief Susan Wojcicki, the company's first video chip project was approved. Google started deploying its Argos Video Coding Units (VCUs) in 2018, but didn't publicly announce the project until 2021. At the time, Google said the Argos VCUs delivered a performance boost of anywhere between 20 to 33 times compared to traditional server hardware running well-tuned transcoding software. Google has since flipped the switch on thousands of second-gen Argos chips in servers around the world, and at least two follow-ups are already in the pipeline.

Microsoft

Microsoft Launches Arm-based Azure VMs Powered by Ampere Chips (techcrunch.com)

Following a preview in April, Microsoft this morning announced the general availability of virtual machines (VMs) on Azure featuring the Ampere Altra, a processor based on the Arm architecture. From a report: These are the first Azure VMs powered by Arm chips; Microsoft says they're accessible in 10 Azure regions today and can be included in Kubernetes clusters managed using Azure Kubernetes Service beginning on September 1.

The Azure Arm-based VMs have up to 64 virtual CPU cores, 8 GB of memory per core and 40 Gbps of networking bandwidth as well as SSD local and attachable storage. Microsoft describes them as "engineered to efficiently run scale-out, cloud-native workloads," including open source databases, Java and .NET applications and gaming, web, app and media servers. Preview releases of Windows 11 Pro and Enterprise and Linux OS distributions including Canonical Ubuntu, Red Hat Enterprise Linux, SUSE Enterprise Linux, CentOS and Debian are available on the VMs day one, with support for Alma Linux and Rocky Linux to arrive in the future. Microsoft notes that Java apps in particular can run with few additional code changes, thanks to the company's contributions to the OpenJDK project.

Google

Google Experiences Hundreds of Covid Cases After Return-to-Office Mandate (cnbc.com)

"Google employees are receiving regular notifications from management of Covid-19 infections," CNBC reported Friday, "causing some to question the company's return-to-office mandates." The employees, who spoke with CNBC on the condition of anonymity, said since they have been asked to return to offices, infection notifications pop up in their email inboxes regularly....

The company began requiring most employees to return to physical offices at least three days a week in April. Since then, staffers have pushed back on the mandate after they worked efficiently for so long at home while the company enjoyed some of its fastest revenue growth in 15 years. Google has offered full-time employees the option to request permanent remote work, but it's unclear how many workers have been approved.

Google's Covid-19 outbreak in Los Angeles is currently the largest of any employer in L.A., according to the city's public health dashboard. Deadline.com first reported that the tech giant's trendy Silicon Beach campus in Venice, Calif., recorded 145 infections while 135 cases were recorded at the company's large Playa Vista campus.

Staffers have been filling Memegen, an internal company image-sharing site, with memes about the increased number of exposure notifications they're receiving. One meme, which was upvoted 2,840 times, showed a photo of an inbox with the email subject from a San Francisco-based facilities manager stating "We're so excited to see you back in the office!" and a subsequent email subject line stating "Notification of Confirmed COVID-19 Case...."

Some employees said they received a spike in notifications from the Mountain View, Calif. headquarters and in San Francisco offices after the company held a return-to-office celebration, where Grammy award-winning artist Lizzo performed for thousands of employees at the Shoreline Amphitheater, near Google's main campus.

Defending the safety of working on-site, a Google spokesperson told CNBC they hadn't been experiencing a sudden recent spike in their Covid cases, arguing that instead the hundreds of Covid cases had been occurring over "the last few months."

Security

Eight-Year Study Finds 24,931 WordPress Sites Using Malicious Plugins (gatech.edu)

"Since 2012 researchers in the Georgia Tech Cyber Forensics Innovation Laboratory have uncovered 47,337 malicious plugins across 24,931 unique WordPress websites through a web development tool they named YODA," warns an announcement released Friday: According to a newly released paper about the eight-year study, the researchers found that every compromised website in their dataset had two or more infected plugins.

The findings also indicated that 94% of those plugins are still actively infected.

"This is an under-explored space," said Ph.D. student Ranjita Pai Kasturi who was the lead researcher on the project. "Attackers do not try very hard to hide their tracks and often rightly assume that website owners will not find them."

YODA is not only able to detect active malware in plugins, but it can also trace the malicious software back to its source. This allowed the researchers to determine that these malicious plugins were either sold on the open market or distributed from pirating sites, injected into the website by exploiting a vulnerability, or in most cases, infected after the plugin was added to a website. According to the paper written by Kasturi and her colleagues, over 40,000 plugins in their dataset were shown to have been infected after they were deployed. The team found that the malware would attack other plugins on the site to spread the infection.

"These infections were a result of two scenarios. The first is cross-plugin infection, in which case a particular plugin developer cannot do much," said Kasturi. "Or it was infected by exploiting existing plugin vulnerabilities. To fix this, plugin developers can scan for vulnerabilities before releasing their plugins for public use."

Although these malicious plugins can be damaging, Kasturi adds that it's not too late to save a website that has a compromised plugin. Website owners can purge malicious plugins entirely from their websites and reinstall a malware free version that has been scanned for vulnerabilities. To give web developers an edge over this problem, the Cyber Forensics Innovation Laboratory has made the YODA code available to the public on GitHub.

Crime

Criminals Posting Counterfeit Microsoft Products To Get Access To Victims' Computers (sky.com)

Microsoft has confirmed to Sky News that criminals are posting counterfeit packages designed to appear like Office products in order to defraud people. From the report: One such package seen by Sky News is manufactured to a convincing standard and contains an engraved USB drive, alongside a product key. But the USB does not install Microsoft Office when plugged in to a computer. Instead, it contains malicious software which encourages the victim to call a fake support line and hand over access to their PC to a remote attacker.

Microsoft launched an internal investigation into the suspect package after being contacted by Sky News. The company spokesperson confirmed that the USB and the packaging were counterfeit and that they had seen a pattern of such products being used to scam victims before. They added that while Microsoft had seen this type of fraud, it is very infrequent. More often when fraudulent products are sold they tend to be product keys sent to customers via email, with a link to a site for downloading the malicious software.

Security

Twilio Hackers Breached Over 130 Organizations During Months-Long Hacking Spree (techcrunch.com)

The hackers that breached Twilio earlier this month also compromised more than 130 other organizations during their hacking spree that netted the credentials of close to 10,000 employees. TechCrunch: Twilio's recent network intrusion allowed the hackers to access the data of 125 Twilio customers and companies -- including end-to-end encrypted messaging app Signal -- after tricking employees into handing over their corporate login credentials and two-factor codes from SMS phishing messages that purported to come from Twilio's IT department. At the time, TechCrunch learned of phishing pages impersonating other companies, including a U.S. internet company, an IT outsourcing company and a customer service provider, but the scale of the campaign remained unclear.

Now, cybersecurity company Group-IB says the attack on Twilio was part of a wider campaign by the hacking group it's calling "0ktapus," a reference to how the hackers predominantly target organizations that use Okta as a single sign-on provider. Group-IB, which launched an investigation after one of its customers was targeted by a linked phishing attack, said in findings shared with TechCrunch that the vast majority of the targeted companies are headquartered in the U.S. or have U.S.-based staff. The attackers have stolen at least 9,931 user credentials since March, according to Group-IB's findings, with more than half containing captured multi-factor authentication codes used to access a company's network.

Security

LastPass Hackers Stole Source Code (infosecurity-magazine.com)

New submitter alfabravoteam writes: Password management company LastPass has published information about a security incident. "We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information," reads the official message published.

They also clarify that no user data was lost. "We never store or have knowledge of your Master Password," the firm said in an FAQ. "We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers' Master Password," they inform. Hence, no action is required of users.

Programming

Heroku Announces Plans To Eliminate Free Plans, Blaming 'Fraud and Abuse' (techcrunch.com)

After offering them for over a decade, Heroku announced this week that it will eliminate all of its free services -- pushing users to paid plans. From a report: Starting November 28, the Salesforce-owned cloud platform as a service will stop providing free product plans and shut down free data services and soon (on October 26) will begin deleting inactive accounts and associated storage for accounts that have been inactive for over a year. In a blog post, Bob Wise, Heroku general manager and Salesforce EVP, blamed "abuse" for the demise of the free services, which span the free plans for Heroku Dynos and Heroku Postgres as well as the free plan for Heroku Data for Redis.

[...] Wise went on to note that Heroku will be announcing a student program at Salesforce's upcoming Dreamforce conference in September, but the details remain a mystery at this point. For the uninitiated, Heroku allows programmers to build, run and scale apps across programming languages including Java, PHP, Scala and Go. Salesforce acquired the company for $212 million in 2010 and subsequently introduced support for Node.js and Clojure and Heroku for Facebook, a package to simplify the process of deploying Facebook apps on Heroku infrastructure. Heroku claims on its website that it's been used to develop 13 million apps to date.

Privacy

DuckDuckGo Opens Up Its Free Email Privacy Service To Everyone (engadget.com)

Last year, DuckDuckGo announced a free service designed to fend off email trackers and help people protect their privacy. The Email Protection beta was initially available through a waitlist. Now it's in open beta, meaning everyone can try it without having to wait for access. From a report: Email Protection is a forwarding service that removes trackers from messages. DuckDuckGo will tell you which trackers it scrubs as well. During the waitlist beta, DuckDuckGo says it found trackers in 85 percent of testers' emails. Anyone can now sign up for an @duck.com email address, which will work across desktop, iOS and Android. DuckDuckGo says you can create unlimited private email addresses, including a throwaway one for every website, if you prefer. You can also deactivate an address at any time.

Operating Systems

Google's Fuchsia OS is Taking Over Smart Displays, Now on Its Second Device (arstechnica.com)

The kingdom of Google's third major operating system, Fuchsia, is growing a little wider today. ArsTechnica: 9to5Google reports Google completed the rollout of Fuchsia to the Google Nest Hub Max. Along with the original Nest Hub/Google Home Hub, that puts two of Google's three smart displays on the new OS, with the one holdout being the 2nd Gen Nest Hub. The Nest Hub Max is the first device running Fuchsia that Google is currently selling -- the Home Hub only got Fuchsia after it had been discontinued. The Google smart display user interface is written in Flutter, a Google programming language designed for portability, which runs on Android, iOS, Fuchsia, and the weird cast platform Nest Hubs typically use. So it's not right to describe the user interface as "similar" after the OS swap -- it's the exact same code because Flutter runs on nearly everything.

You are getting a slightly newer code version, though, and it comes with a Bluetooth menu. If you dive into the settings and hit "about device," you'll see a "Fuchsia Version" field that will say something like "6.20211109.1.3166243." It's a bit weird to do an entire OS switch to the futuristic, secretive Fuchsia project and then have basically nothing to show (or say) for it in terms of obvious improvements in performance or security. You can dive into the minutia of the Fuchsia source code, but it continues to be a mystery in terms of what practical benefits it offers consumers. Google never talks about Fuchsia, so not much is known about what, exactly, Google is accomplishing here.

Operating Systems

Linux 6.1 Will Make It A Bit Easier To Help Spot Faulty CPUs (phoronix.com)

An anonymous reader shares a report: While mostly of benefit to server administrators with large fleets of hardware, Linux 6.1 aims to make it easier to spot problematic CPUs/cores by reporting the likely socket and core when a segmentation fault occurs, which can help reveal a trend if the same CPU/core is routinely found to be causing problems. Queued up now in TIP's x86/cpu branch for the Linux 6.1 merge window in October is a patch to print the likely CPU at segmentation fault time. Printing the likely CPU core and socket when a seg fault occurs can be beneficial if seg faults are routinely found happening on the same CPU package or particular core.
