United States

California's Population Declined in Pandemic's Second Year (apnews.com)

America's most populous state is shrinking — at least a little. The Associated Press reports: With an estimated 39,185,605 residents, California is still the U.S.'s most populous state, putting it far ahead of second-place Texas and its 29.5 million residents. But after years of strong growth brought California tantalizingly close to the 40 million milestone, the state's population is now roughly back to where it was in 2016 after declining by 117,552 people this year.
That's a drop of 0.29% — at least some of which seems attributable to the pandemic. California's population growth had been slowing even before the pandemic as baby boomers aged, younger generations were having fewer children and more people were moving to other states. But the state's natural growth — more births than deaths — and its robust international immigration had been more than enough to offset those losses. That changed in 2020, when the pandemic killed tens of thousands of people above what would be expected from natural causes, a category demographers refer to as "excess deaths." And it prompted a sharp decline in international immigration because of travel restrictions and limited visas from the federal government.

California's population fell for the first time that year. At the time, state officials thought it was an outlier, the result of a pandemic that turned the world upside down. But the new estimate released Monday by the California Department of Finance showed the trend continued in 2021, although the decline was less than it had been in 2020. State officials pointed specifically to losses in international immigration. California gained 43,300 residents from other countries in 2021. But that was well below the annual average of 140,000 that was common before the pandemic.

The state's official demographer predicts California's population will go back to increasing in 2022.

And even with the decline, the article points out that California "had a record budget surplus last year, and is in line for an even larger one this year of as much as $68 billion — mostly the result of a progressive tax structure and a disproportionate population of billionaires."
IT

Did the Pandemic Normalize Employee-Monitoring Software? (abc.net.au)

"Employee monitoring software became the new normal during COVID-19..." writes Australia's public broadcaster ABC, "logging keystrokes and mouse movement, capturing screenshots, tracking location, and even activating webcams and microphones."

And now "It seems workers are stuck with it.... Surveys of employers in white-collar industries show that even returned office workers will be subject to these new tools. What was introduced in the crisis of the pandemic, as a short-term remedy for lockdowns and working from home has quietly become the 'new normal' for many Australian workplaces." (Thousands of employees have apparently even purchased mouse-jiggling software just to fool the surveillance software.)

But is there a larger issue? "The vast majority of people are not paid enough for the productivity that is demanded of them," argues Anne Helen Petersen, BuzzFeed's former senior culture writer (now publishing a newsletter called "Culture Study"). After looking at technology's escalating demands, Petersen warns that the real problem is that human productivity ultimately has a ceiling.

"We have to collectively reject the engine of endless growth, and the aspiration for infinite productivity, before it breaks us all."

Thanks to long-time Slashdot reader theodp for sharing the stories!
Cloud

Heroku Admits That Customer Credentials Were Stolen In Cyberattack (bleepingcomputer.com)

Heroku has now revealed that the stolen GitHub integration OAuth tokens from last month further led to the compromise of an internal customer database. BleepingComputer reports: The Salesforce-owned cloud platform acknowledged the same compromised token was used by attackers to exfiltrate customers' hashed and salted passwords from "a database." Like many users, we unexpectedly received a password reset email from Heroku, even though BleepingComputer does not have any OAuth integrations that use Heroku apps or GitHub. This indicated that these password resets were related to another matter. [...]

In its quest to be more transparent with the community, Heroku has shed some light on the incident, starting a few hours ago. "We value transparency and understand our customers are seeking a deeper understanding of the impact of this incident and our response to date," says Heroku. The cloud platform further stated that after working with GitHub, threat intel vendors, industry partners and law enforcement during the investigation it had reached a point where more information could be shared without compromising the ongoing investigation:

"On April 7, 2022, a threat actor obtained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens. Access to the environment was gained by leveraging a compromised token for a Heroku machine account. According to GitHub, the threat actor began enumerating metadata about customer repositories with the downloaded OAuth tokens on April 8, 2022. On April 9, 2022, the attacker downloaded a subset of the Heroku private GitHub repositories from GitHub, containing some Heroku source code. GitHub identified the activity on April 12, 2022, and notified Salesforce on April 13, 2022, at which time we began our investigation. As a result, on April 16, 2022, we revoked all GitHub integration OAuth tokens, preventing customers from deploying apps from GitHub through the Heroku Dashboard or via automation. We remain committed to ensuring the integration is secure before we re-enable this functionality." Heroku users are advised to continue monitoring the security notification page for updates related to the incident.

Bug

Google Docs Crashes On Seeing 'And. And. And. And. And.' (bleepingcomputer.com)

A bug in Google Docs is causing it to crash when a series of words are typed into a document opened with the online word processor. BleepingComputer reports: It's official -- Google Docs crashes at the sight of "And. And. And. And. And." when "Show grammar suggestions" is turned on. A Google Docs user, Pat Needham, brought up the issue on the Google Docs Editors Help forum. [...] Another user, Sergii Dymchenko, said strings like "But. But. But. But. But." triggered the same response. Some also noticed that putting any of the terms "Also, Therefore, And, Anyway, But, Who, Why, Besides, However" in the same format achieved the same outcome.

Once crashed, you may not be able to easily re-access the document as doing so would trigger the crash again. BleepingComputer was able to reproduce the issue last night and reached out to Google. Google told us it is aware of the bug and working on a fix. [...] Until Google has an answer as to what causes this problem, it might be wise to turn off grammar suggestions by navigating to Tools, Spelling and grammar and unticking 'Show grammar suggestions.' If the bug has already been triggered and you're locked out of the Google Doc in question, there might be a workaround. Use the Google Docs mobile app to access the document, remove the offending words and the file should now open up gracefully on your Google Docs web version too.

Security

Ukrainians DDoS Russian Vodka Supply Chains (infosecurity-magazine.com)

Ukrainian hacktivists reportedly disrupted alcohol shipments in Russia after committing distributed denial of service (DDoS) attacks against a critical online portal, according to local reports. From a report: Alcohol producers and distributors are required by law to register their shipments with the EGAIS portal, loosely translated as the "Unified State Automated Alcohol Accounting Information System." However, several entities in the sector told local news site Vedomosti this week that DDoS attacks by Ukrainian hacktivists downed the site on May 2 and 3.

The outage impacted not only vodka distribution but also wine companies and purveyors of other types of alcohol. Government sources quoted in the report claim that the site is running normally and any excessive waiting times are merely due to heavy demand. However, one company, Fort, had failed to upload about 70% of invoices to EGAIS due to the outage, according to the report. Its supplies of wine to retail chains and restaurants were apparently disrupted on May 4 due to the incident.

IT

A Typo Sent $36 Million of Crypto Into the Ether (cnet.com)

An anonymous reader shares a report: One of the key selling points of the blockchain is that it's immutable: Once data is processed, once a transaction occurs, it can't be undone. One of the most painful downsides to the blockchain? It's immutable. If human error causes something to be sold for the wrong price or money to be sent to the wrong place, reversing it can be difficult or even impossible. That is the unfortunate place developers of the Juno cryptocurrency find themselves. A community vote had decreed that around 3 million Juno tokens, worth around $36 million, be seized from an investor deemed to have acquired the tokens via malicious means. (This in itself was a big crypto news story.) The funds were to be sent to a wallet controlled by Juno token holders, who could vote on how it would be spent.

But a developer inadvertently copied and pasted the wrong wallet address, as reported by CoinDesk, leading to $36 million in crypto being sent to an inaccessible address. Andrea Di Michele, one of Juno's founding developers, explained to the publication that he sent the correct wallet address to the developer responsible for the transfer, as well as a hash number. Hashes connect blocks to one another in the blockchain, and at a glance hash numbers can look very similar to wallet addresses. The programmer in charge of the transfer accidentally copied and pasted the hash number rather than the wallet address.

Communications

VPN Providers Threaten To Quit India Over New Data Law (wired.com)

VPN companies are squaring up for a fight with the Indian government over new rules designed to change how they operate in the country. Wired: On April 28, officials announced that virtual private network companies will be required to collect swathes of customer data -- and maintain it for five years or more -- under a new national directive. VPN providers have two months to accede to the rules and start collecting data. The justification from the country's Computer Emergency Response Team (CERT-In) is that it needs to be able to investigate potential cybercrime. But that doesn't wash with VPN providers, some of whom have said they may ignore the demands.

"This latest move by the Indian government to require VPN companies to hand over user personal data represents a worrying attempt to infringe on the digital rights of its citizens," says Harold Li, vice president of ExpressVPN. He adds that the company would never log user information or activity and that it will adjust its "operations and infrastructure to preserve this principle if and when necessary." Other VPN providers are also considering their options. Gytis Malinauskas, head of Surfshark's legal department, says the VPN provider couldn't currently comply with India's logging requirements because it uses RAM-only servers, which automatically overwrite user-related data. [...] ProtonVPN is similarly concerned, calling the move an erosion of civil liberties.

Google

Apple, Google, and Microsoft Want To Kill the Password With 'Passkey' Standard (arstechnica.com)

Apple, Google, and Microsoft are launching a "joint effort" to kill the password. The major OS vendors want to "expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium." From a report: The standard is being called either a "multi-device FIDO credential" or just a "passkey." Instead of a long string of characters, this new scheme would have the app or website you're logging in to push a request to your phone for authentication. From there, you'd need to unlock the phone, authenticate with some kind of PIN or biometric, and then you're on your way. This sounds like a familiar system for anyone with phone-based two-factor authentication set up, but this is a replacement for the password rather than an additional factor.

Some push 2FA systems work over the Internet, but this new FIDO scheme works over Bluetooth. As the whitepaper explains, "Bluetooth requires physical proximity, which means that we now have a phishing-resistant way to leverage the user's phone during authentication." Bluetooth has a terrible reputation for compatibility, and I'm not sure "security" has ever been a real concern, but the FIDO alliance notes that Bluetooth is just "to verify physical proximity" and that the actual sign-in process "does not depend on Bluetooth security properties." Of course, that means both devices will need Bluetooth on board, which is a given for most smartphones and laptops but could be a tough ask for older desktop PCs.

Programming

GitHub Will Require All Code Contributors To Use 2FA (theverge.com)

GitHub, the code hosting platform used by tens of millions of software developers around the world, announced today that all users who upload code to the site will need to enable one or more forms of two-factor authentication (2FA) by the end of 2023 in order to continue using the platform. The Verge reports: The new policy was announced Wednesday in a blog post by GitHub's chief security officer (CSO) Mike Hanley, which highlighted the Microsoft-owned platform's role in protecting the integrity of the software development process in the face of threats created by bad actors taking over developers' accounts. "The software supply chain starts with the developer," Hanley wrote. "Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain."

Even though multi-factor authentication provides significant additional protection to online accounts, GitHub's internal research shows that only around 16.5 percent of active users (roughly one in six) currently enable the enhanced security measures on their accounts -- a surprisingly low figure given that the platform's user base should be aware of the risks of password-only protection. By steering these users towards a higher minimum standard of account protection, GitHub hopes to boost the overall security of the software development community as a whole, Hanley told The Verge.
"GitHub is in a unique position here, just by virtue of the vast majority of open source and creator communities living on GitHub.com, that we can have a significant positive impact on the security of the overall ecosystem by raising the bar from a security hygiene perspective," Hanley said. "We feel like it's really one of the best ecosystem-wide benefits that we can provide, and we're committed to making sure that we work through any of the challenges or obstacles to making sure that there's successful adoption."
IT

'Tired' Carl Sagan Fan Sells Wormhole.com To Crypto Giant Jump for $50K After Lawsuit (decrypt.co)

An anonymous reader shares a report: The realm of physics offers the exciting possibility of "wormholes" that could let us collapse space and time. But here on Earth, most of us are subject to more mundane realities -- including that the rich and powerful usually get what they want. Dick Merryman, a 79-year-old computer engineer, got a reminder of that last month when Jump Operations -- the holding company for crypto giant Jump Trading -- put the legal screws to him to obtain wormhole.com, a domain he has owned for years and that corresponds to an email he created for him and his wife. For Merryman, the domain reflects his fondness for astrophysicist Carl Sagan, whose 1985 novel "Contact" deployed a "wormhole" to let characters skip across light years. Merryman purchased the wormhole.com domain in 1994, creating a simple placeholder website that displays a cosmic picture.

For Jump, however, "wormhole" has a very different significance. It is the name of a crypto platform that creates "bridges" between popular blockchains such as Solana and Ethereum, and in which Jump has a very significant investment. While Jump is currently using wormholenetwork.com to host Wormhole-related content, it has coveted the shorter name owned by Merryman, and began trying to acquire it last year. In June of 2021, someone at Jump used a third-party domain broker to approach Merryman and offer $2,500 for the name. Merryman rebuffed the request, saying -- perhaps in jest -- that the price was a "firm US$50000." To Merryman's surprise, Jump promptly accepted the offer -- an acceptance that Merryman proceeded to ignore. After being badgered by the broker, he made his feelings clear a few weeks later. Jump then pulled out the big guns. The company's lawyers warned Merryman he was in breach of contract and that he had to honor the message saying he would sell for $50,000.

Crime

Russia May Force Tech-Savvy Prisoners To Perform Low-Cost IT Work For Companies, Report Says (krebsonsecurity.com)

tsu doh nimh shares a report from Krebs on Security: Faced with a brain drain of smart people fleeing the country following its invasion of Ukraine, the Russian Federation is floating a new strategy to address a worsening shortage of qualified information technology experts: Forcing tech-savvy people within the nation's prison population to perform low-cost IT work for domestic companies. Multiple Russian news outlets published stories on April 27 saying the Russian Federal Penitentiary Service had announced a plan to recruit IT specialists from Russian prisons to work remotely for domestic commercial companies.

Russians sentenced to forced labor will serve out their time at one of many correctional centers across dozens of Russian regions, usually at the center that is closest to their hometown. Alexander Khabarov, deputy head of Russia's penitentiary service, said his agency had received proposals from businessmen in different regions to involve IT specialists serving sentences in correctional centers to work remotely for commercial companies. Khabarov told Russian media outlets that under the proposal people with IT skills at these facilities would labor only in IT-related roles, but would not be limited to working with companies in their own region.
"We are approached with this initiative in a number of territories, in a number of subjects by entrepreneurs who work in this area," Khabarov told Russian state media organization TASS. "We are only at the initial stage. If this is in demand, and this is most likely in demand, we think that we will not force specialists in this field to work in some other industries."
Botnet

Botnet That Hid For 18 Months (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: It's not the kind of security discovery that happens often. A previously unknown hacker group used a novel backdoor, top-notch tradecraft, and software engineering to create an espionage botnet that was largely invisible in many victim networks. The group, which security firm Mandiant is calling UNC3524, has spent the past 18 months burrowing into victims' networks with unusual stealth. In cases where the group is ejected, it wastes no time reinfecting the victim environment and picking up where things left off. There are many keys to its stealth, including:

- The use of a unique backdoor Mandiant calls Quietexit, which runs on load balancers, wireless access point controllers, and other types of IoT devices that don't support antivirus or endpoint detection. This makes detection through traditional means difficult.
- Customized versions of the backdoor that use file names and creation dates that are similar to legitimate files used on a specific infected device.
- A live-off-the-land approach that favors common Windows programming interfaces and tools over custom code with the goal of leaving as light a footprint as possible.
- An unusual way a second-stage backdoor connects to attacker-controlled infrastructure by, in essence, acting as a TLS-encrypted server that proxies data through the SOCKS protocol.

The SOCKS tunnel allowed the hackers to effectively connect their control servers to a victim's network where they could then execute tools without leaving traces on any of the victims' computers. A secondary backdoor provided an alternate means of access to infected networks. It was based on a version of the legitimate reGeorg webshell that had been heavily obfuscated to make detection harder. The threat actor used it in the event the primary backdoor stopped working. [...] One of the ways the hackers maintain a low profile is by favoring standard Windows protocols over malware to move laterally. To move to systems of interest, UNC3524 used a customized version of WMIEXEC, a tool that uses Windows Management Instrumentation to establish a shell on the remote system. Eventually, Quietexit executes its final objective: accessing email accounts of executives and IT personnel in hopes of obtaining documents related to things like corporate development, mergers and acquisitions, and large financial transactions.
"Unpacking this threat group is difficult," says Ars' Dan Goodin. "From outward appearances, their focus on corporate transactions suggests a financial interest. But UNC3524's high-caliber tradecraft, proficiency with sophisticated IoT botnets, and ability to remain undetected for so long suggests something more."
Privacy

CDC Tracked Millions of Phones To See If Americans Followed COVID Lockdown Orders (vice.com)

The Centers for Disease Control and Prevention (CDC) bought access to location data harvested from tens of millions of phones in the United States to perform analysis of compliance with curfews, track patterns of people visiting K-12 schools, and specifically monitor the effectiveness of policy in the Navajo Nation, according to CDC documents obtained by Motherboard. From a report: The documents also show that although the CDC used COVID-19 as a reason to buy access to the data more quickly, it intended to use it for more general CDC purposes. Location data is information on a device's location sourced from the phone, which can then show where a person lives, works, and where they went.

The sort of data the CDC bought was aggregated -- meaning it was designed to follow trends that emerge from the movements of groups of people -- but researchers have repeatedly raised concerns with how location data can be deanonymized and used to track specific people. The documents reveal the expansive plan the CDC had last year to use location data from a highly controversial data broker. SafeGraph, the company the CDC paid $420,000 for access to one year of data, counts Peter Thiel and the former head of Saudi intelligence among its investors. Google banned the company from the Play Store in June.

Windows

PCWorld: Six Months Since Release, Windows 11 Still 'Unnecessary' (youtube.com)

UnknowingFool writes: In October 2021, PC World reviewed Windows 11 and labeled it as an "unnecessary replacement" to Windows 10 and did not recommend it for Windows 10 users. PC World noted that it was a "mixed bag of improved features and unnecessary changes." Six months later they reviewed it again. While MS has made improvements, PC World does not feel the improvements warrant a recommendation for Windows 10 users to upgrade.
Security

A Stealthy New Espionage Group is Targeting Corporate Mergers and Acquisitions (techcrunch.com)

A new espionage actor is breaching corporate networks to steal emails from employees involved in big financial transactions like mergers and acquisitions. From a report: Mandiant researchers, who first discovered the advanced persistent threat (APT) group in December 2019 and now track it as "UNC3524," say that while the group's corporate targets hint at financial motivation, its longer-than-average dwell time in a victim's environment suggests an intelligence gathering mandate. In some cases, UNC3524 remained undetected in victims' environments for as long as 18 months, versus an average dwell time of 21 days in 2021.

Mandiant credits the group's success at achieving such a long dwell time to its use of a novel backdoor -- tracked as "QuietExit" -- on network appliances that do not support antivirus or endpoint detection, such as storage arrays, load balancers and wireless access point controllers. The QuietExit backdoor's command-and-control servers are part of a botnet built by compromising D-Link and LifeSize conference room camera systems, according to Mandiant, which said the compromised devices were likely breached through the use of default credentials rather than an exploit.

Businesses

Apple Lawsuit Says 'Stealth' Startup Poached Engineers To Steal Secrets (reuters.com)

Technology startup Rivos allegedly stole Apple's computer-chip trade secrets after poaching its engineers, Apple said in a lawsuit filed in California federal court. From a report: Apple's Friday lawsuit said Mountain View, California-based Rivos has hired over 40 of its former employees in the past year to work on competing "system-on-chip" (SoC) technology, and that at least two former Apple engineers took gigabytes of confidential information with them to Rivos. Rivos is a "stealth" startup that has largely avoided public attention since its founding last year.
Chrome

Chrome's Latest Update: 30 Security Fixes and Bug Details Kept 'Restricted' (hothardware.com)

Hot Hardware warns that on Tuesday, the Stable Channel for Chrome's desktop edition "had an update on April 26, 2022. That update includes 30 security fixes, some of them so bad that Google is urging all users to update immediately." The release notes for Google's Chrome v101.0.4951.41 for Windows, Mac, and Linux have a long list of bug fixes; you can view them here. However, there's also a key statement on that page.

"Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed...."

Effectively, the non-developer translation of the quote above is that something significant enough was found that the details are being kept hidden.

Google

Google Rewards Employees Returning to Office with Private Lizzo Concert (cnbc.com)

As an apparent reward for returning to the office, thousands of Google employees were treated to a private Lizzo concert at the Shoreline Amphitheatre near Google's headquarters, reports CNBC: Google implemented a return-to-office policy starting in early April, requiring employees to go to physical facilities at least three days a week. Staffers pushed back on the mandate and the prospect of navigating traffic jams, after they worked efficiently for so long at home while the company enjoyed some of its fastest revenue growth of the past 15 years....

Google had delayed its return plans on multiple occasions, due mostly to surges in Covid-19 case numbers. But this time, the company stuck to its reopening schedule. In the early days back, employees were greeted with marching bands on campus, as well as photo booths, celebratory food and visits from prominent politicians.

"Thank you for being back!" Lizzo said. "Thank you for surviving! Google, we back, bitch!!" [...] She inserted the company's name into her popular song "Boys," changing the lyrics from "I heard you a freak, too" to "I heard you a freak, Google!"

After two and a half years "of protecting others and ourselves but also being very disconnected," Lizzo told the crowd, "It's so incredible to see how connected we are right now!" CNBC reports.

Someone in the crowd shouted back, "Propaganda! Propaganda!"
IT

Are Workers Finally Returning to Offices in San Francisco? (sfchronicle.com)

The San Francisco Chronicle reports: San Francisco's office occupancy rate continued its spring recovery, rising above New York and San Jose last week, according to a review by a building security firm. After four months of increases, 33.4% of San Francisco workers were back at their desks last week, higher than New York's 32.9% and San Jose's 31%, but still behind seven major cities in security firm Kastle's Back to Work Barometer.... The city of Austin has consistently had the highest office occupancy tracked by Kastle and was at 58% last week, followed by fellow Texas cities Houston and Dallas. [And Los Angeles charts at around 40%]

Both San Francisco Mayor London Breed and New York Mayor Eric Adams have urged firms to bring back workers to the office to help revitalize urban streets and the broader economy. "You can't stay home in your pajamas all day," Adams said at an event in February. "That is not who we are as a city. You need to be out, cross-pollinating ideas, interacting with humans. It is crucial. We're social creatures, and we must socialize to get the energy that we need as a city...."

Around a fifth of San Francisco office space remains vacant and rents have been flat.

That's better than during the omicron surge, when occupancy in New York and San Francisco was around 10%. (According to the article, citing figures from Kastle.) But there are other metrics too.

The newspaper notes that the number of people exiting the stations of San Francisco's public rail system "were up in the first three months of the year but still only around a quarter of pre-pandemic levels."
Government

US Seeks to Steal Putin's Top Scientists by Loosening Their Visa Requirements (msn.com)

"The Biden administration has a plan to rob Vladimir Putin of some of his best innovators," reports Bloomberg, "by waiving some visa requirements for highly educated Russians who want to come to the U.S., according to people familiar with the strategy." One proposal, which the White House included in its latest supplemental request to Congress, is to drop the rule that Russian professionals applying for an employment-based visa must have a current employer. It would apply to Russian citizens who have earned master's or doctoral degrees in science, technology, engineering or mathematics in the U.S. or abroad, the proposal states.

A spokesman for the National Security Council confirmed that the effort is meant to weaken Putin's high-tech resources in the near term and undercut Russia's innovation base over the long run — as well as benefit the U.S. economy and national security. Specifically, the Biden administration wants to make it easier for top-tier Russians with experience with semiconductors, space technology, cybersecurity, advanced manufacturing, advanced computing, nuclear engineering, artificial intelligence, missile propulsion technologies and other specialized scientific areas to move to the U.S.

Biden administration officials have said they've seen significant numbers of high-skilled technology workers flee Russia because of limited financial opportunities from the sanctions the U.S. and allies have imposed after Putin's invasion of Ukraine.

The provision would expire in four years.