Businesses

Bosses Don't Follow Their Own Advice In Returning To the Office (bloomberg.com) 97

Bosses are hellbent on getting their staff back into the office. It's just that the rules don't necessarily apply to them. Bloomberg reports: While 35% of non-executive employees are in the office five days a week, only 19% of executives can say the same thing, according to a survey conducted by Future Forum, a research consortium supported by the Slack messaging channel. Of the percentage of employees who move to work, more than half say they would like to have at least some flexibility, and non-executive workers generally say that work-life balance is much worse than that of their bosses. Moreover, the disparity is increasing. In the fourth quarter of 2021, non-executive employees were approximately 1.3 times more likely than their bosses to be completely in the office. Now, the probability is almost twice as high, and the proportion of non-executives working from the office five days a week is the highest since the survey began in June 2020, according to the more than 10,000 administrative workers surveyed in the United States, Australia, France, Germany, Japan and the United Kingdom.

The gap points to a double standard in back-to-office messaging: executives, from Bank of America Corp. to Alphabet Inc.'s Google, urge their workers to return in part to increase face-to-face collaboration, but the bosses themselves are somewhat exempt. Companies are also trying to justify long-term office leases or state-of-the-art locations like Apple Park in Cupertino, California. [...] As the back-to-office policy debate evolves, Future Forum recommends flexible schedules and location to retain top talent, even if it means breaking cultural traditions and developing new workflows. "People being in the office gives the illusion of control, but it's just an illusion," [Brian Elliott, executive director of Future Forum] said. "It doesn't mean they're being productive."

Businesses

Former EBay Security Director To Plead Guilty To Cyberstalking (bloomberg.com) 16

Former eBay security director Jim Baugh will plead guilty to running a bizarre 2019 cyberstalking campaign against a couple who ran a website critical of the company, Bloomberg reported Tuesday, citing a person familiar with the matter. From a report: Baugh had been scheduled to face trial in late May. In a court filing on Tuesday, his defense attorney, William Fick, asked a federal judge in Boston to allow Baugh to change his plea via videoconference. Five other former eBay employees have already admitted to roles in a cross-country campaign designed to intimidate Ina and David Steiner of Natick, Mass. Several were expected to testify against Baugh. Another eBay employee, former global resiliency director David Harville, is scheduled to face trial in May. Ina Steiner's reporting about eBay on the couple's site eCommerce Bytes upset the company's then-Chief Executive Officer Devin Wenig, whose compensation package she revealed. "Take her down," Wenig texted his then-communications chief Steve Wymer, according to prosecutors.

Piracy

DuckDuckGo Insists It Didn't 'Purge' Piracy Sites From Search Results (theverge.com) 33

An anonymous reader shares a report: Users of privacy-focused search engine DuckDuckGo have been unable to site search the domains of some well-known pirated media sites recently, as reported by TorrentFreak on Friday. This follows a News Punch article last month calling out DuckDuckGo for "purging" independent media sources from search results, and naming them "Google Lite." DuckDuckGo's CEO Gabriel Weinberg called the News Punch piece "completely made up" in a Twitter thread over the weekend to respond to the public and address both issues.

To observers, it seemed as if DuckDuckGo had de-indexed searches for copyright-flouting media download sites like The Pirate Bay and Fmovies, and even a site search for the open-source tool youtube-dl came up empty. TorrentFreak later updated its report citing a company spokesperson blaming the issue on Bing search data, which DuckDuckGo relies upon. Weinberg insisted the company is not purging any results and said that site search results are not appearing due to the site operator error. "Anyone can verify this by searching for an outlet and see it come up in results," Weinberg tweeted.

Google

Google Docs Starts Nudging Some Users To Write Less Dumbly 72

Many users have started to report that they are seeing suggestions -- such as grammar and spelling fixes -- to improve their writing when using Google Docs. The company made the announcement about this earlier this month. From a report: A purple squiggly line will appear under suggestions to help make your writing more concise, inclusive, active, or to warn you away from inappropriate words. These new Google suggestions have long been available via third-party services like Grammarly, which is able to integrate with Google Docs and aims to help improve the quality of your writing. Depending on the quality of Google's native suggestions, it could vastly reduce the need for these third-party services. Does it count as "sherlocking" when someone other than Apple does it? The catch is that Google isn't rolling out these assistive writing features to all of its Workspace plans. It says the "Tone and Style" suggestions will be available for "Business Standard, Business Plus, Enterprise Standard, Enterprise Plus, [and] Education Plus" subscribers.

Encryption

Researchers Break World Record For Quantum-Encrypted Communications (engadget.com) 53

Researchers in Beijing have set a new quantum secure direct communication (QSDC) world record of 102.2 km (64 miles), smashing the previous mark of 18 km (11 miles), The Eurasian Times reported. Engadget reports: Transmission speeds were extremely slow at 0.54 bits per second, but still good enough for text message and phone call encryption over a distance of 30 km (19 miles), wrote research lead Long Guilu in Nature. The work could eventually lead to hack-proof communication, as any eavesdropping attempt on a quantum line can be instantly detected. QSDC uses the principle of entanglement to secure networks. Quantum physics dictates that entangled particles are linked, so that if you change the property of one by measuring it, the other will instantly change, too -- effectively making hacking impossible. In theory, the particles stay linked even if they're light-years apart, so such systems should work over great distances.

The same research team set the previous fiber record, and devised a "novel design of physical system with a new protocol" to achieve the longer distance. They simplified it by eliminating the "complicated active compensation subsystem" used in the previous model. "This enables an ultra-low quantum bit error rate (QBER) and the long-term stability against environmental noises." As a result, the system can withstand much more so-called channel loss that makes it impossible to decode encrypted messages. That in turn allowed them to extend the fiber from 28.3km to the record 102.2 km distance. "The experiment shows that intercity quantum secure direct communication through the fiber is feasible with present-day technology," the team wrote in Nature.

Spam

Americans Are Drowning In Spam (axios.com) 134

An anonymous reader quotes a report from Axios: The average American received roughly 42 spam texts just in the month of March, according to new data from RoboKiller, an app that blocks spam calls and texts. Spammers like using text messages because of their high open rates -- and are now even mimicking targets' own phone numbers to get them to click malicious links, the New York Times reported. "Just like with robocalls, it's extremely easy to deploy [spam texts] in enormous volume and hide your identity," Will Maxson, assistant director of the FTC's division of marketing practices, told Axios. "There's a large number of actors all over the world trying to squeeze spam into the network from almost an infinite number of entry points all the time."

It's not just texts. Every form of spam is on the rise. There were more spam calls last month than in any of the previous six months, per YouMail's Robocall Index. Spam emails rose by 30% from 2020 to 2021, according to a January report from the Washington Post. There was an unprecedented increase in social media scams last year, according to data from the Federal Trade Commission. Many scams were related to bogus cryptocurrency investments.

Experts attribute the sharp increase in spam to the pandemic. People's increased reliance on digital communications turned them into ready targets. The Federal Communications Commission saw a nearly 146% increase in the number of complaints about unwanted text messages in 2020. Americans reported losing $131 million to fraud schemes initiated by text in 2021, a jump over 50% from the year before, according to data from the FTC.

The Courts

Web Scraping is Legal, US Appeals Court Reaffirms (techcrunch.com) 78

Good news for archivists, academics, researchers and journalists: Scraping publicly accessible data is legal, according to a U.S. appeals court ruling. From a report: The landmark ruling by the U.S. Ninth Circuit of Appeals is the latest in a long-running legal battle brought by LinkedIn aimed at stopping a rival company from scraping personal information from users' public profiles. The case reached the U.S. Supreme Court last year but was sent back to the Ninth Circuit for the original appeals court to re-review the case. In its second ruling on Monday, the Ninth Circuit reaffirmed its original decision and found that scraping data that is publicly accessible on the internet is not a violation of the Computer Fraud and Abuse Act, or CFAA, which governs what constitutes computer hacking under U.S. law.

The Ninth Circuit's decision is a major win for archivists, academics, researchers and journalists who use tools to mass collect, or scrape, information that is publicly accessible on the internet. Without a ruling in place, long-running projects to archive websites no longer online and using publicly accessible data for academic and research studies have been left in legal limbo. But there have been egregious cases of scraping that have sparked privacy and security concerns. Facial recognition startup Clearview AI claims to have scraped billions of social media profile photos, prompting several tech giants to file lawsuits against the startup. Several companies, including Facebook, Instagram, Parler, Venmo and Clubhouse have all had users' data scraped over the years.

Encryption

British Encryption Startup Arqit Overstates Its Prospects, Former Staff and Others Say (wsj.com) 19

Arqit says its encryption system can't be broken by quantum computers, but former employees and people outside the company question the relevance of its technology. The Wall Street Journal: A U.K. cybersecurity startup rocketed to a multibillion-dollar valuation when it listed publicly last fall on the promise of making encryption technology that would protect the defense industry, corporations and consumers alike from the prying eyes of next-generation computer systems. Founder and Chief Executive David Williams told investors at the time that his company, Arqit Quantum had an "impressive backlog" of revenue and was ready "for hyperscale growth." But Arqit has given investors an overly optimistic view of its future revenue and the readiness and workability of its signature encryption system, according to former employees and other people familiar with the company, and documents viewed by The Wall Street Journal.

While the company says it has a solution to a quantum-computing security challenge that U.S. intelligence last year said "could be devastating to national security systems and the nation," government cybersecurity experts in the U.S. and the U.K. have cast doubt on the utility of Arqit's system. Arqit's stock price reached its highest level to date of $38.06 on Nov. 30 and has since fallen, to $15.06 on April 14, amid a broad pullback of young tech stocks. When the company secured its Nasdaq listing last autumn, its revenue consisted of a handful of government grants and small research contracts, and its signature product was an early-stage prototype unable to encrypt anything in practical use, according to the people. The encryption technology the company hinges on -- a system to protect against next-generation quantum computers -- might never apply beyond niche uses, numerous people inside and outside the company warned, unless there were a major overhaul of internet protocols. Arqit disputed that its encryption system was only a prototype at the company's market debut. "This was a live production software release and not a demonstration or trial," said a company representative. "It was being used by enterprise customers on that day and subsequently for testing and integration purposes, because they need to build Arqit's software into their products."

Security

Catalan Independence Leaders Targeted By Spyware, Rights Group Says (reuters.com) 30

Catalonia's regional leader accused the Spanish government on Monday of spying on its citizens after a rights group said his phone and dozens more belonging to Catalan pro-independence figures had been infected with spyware used by sovereign states. From a report: The Citizen Lab digital rights group found more than 60 people linked to the Catalan separatist movement, including several members of the European Parliament, other politicians, lawyers and activists, had been targeted with "Pegasus" spyware made by Israel's NSO Group after a failed independence bid. NSO, which markets the software as a law-enforcement tool, said Citizen Lab and Amnesty International, which was not involved in this investigation but has published previous studies about Pegasus, had produced inaccurate and unsubstantiated reports to target the company.

Security

DeFi Project Beanstalk Loses $182 Million in Flash Loan Attack (bloomberg.com) 67

Decentralized finance project Beanstalk Farms suffered one of the largest-ever flash-loan exploits on Sunday, sending its price tumbling. From a report: The credit-focused, Ethereum-based stablecoin protocol suffered a total loss of around $182 million and the attacker got away with around $80 million of crypto tokens, according to blockchain security firm PeckShield, which had flagged the incident on Twitter. The project's native token BEAN fell about 75% from its $1 peg against the dollar, pricing from CoinGecko showed. The protocol's creators disclosed their identities on Beanstalk's Discord server, and said that they were not involved in the attack. "We are not aware of the identity of the individuals who were involved. Like all other investors in Beanstalk, we lost all of our deposited assets in the Silo, which was substantial," the founders wrote. It isn't yet clear whether investors who lost funds will be reimbursed -- or if so, how and to what extent. Unlike traditional lending, which requires a loan to be secured with a collateral or credit checks, DeFi smart contracts allow users to borrow huge sums of stablecoins in what are known as flash loans, without any form of security. Flash loans, where the entire process of borrowing and returning the loan happens in a single transaction on the blockchain, are fairly popular among arbitrage traders.

Security

GitHub Issues Security Alert After Spotting Misuse of Tokens Stolen from OAuth Integrators (github.blog) 16

GitHub issued a security alert Friday.

GitHub's chief security officer wrote that on Tuesday, "GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm..."

We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats. Following immediate investigation, we disclosed our findings to Heroku and Travis-CI on April 13 and 14...

Looking across the entire GitHub platform, we have high confidence that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps. Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure.

We are sharing this today as we believe the attacks may be ongoing and action is required for customers to protect themselves.

The initial detection related to this campaign occurred on April 12 when GitHub Security identified unauthorized access to our npm production infrastructure using a compromised AWS API key. Based on subsequent analysis, we believe this API key was obtained by the attacker when they downloaded a set of private npm repositories using a stolen OAuth token from one of the two affected third-party OAuth applications described above. Upon discovering the broader theft of third-party OAuth tokens not stored by GitHub or npm on the evening of April 13, we immediately took action to protect GitHub and npm by revoking tokens associated with GitHub and npm's internal use of these compromised applications.

We believe that the two impacts to npm are unauthorized access to, and downloading of, the private repositories in the npm organization on GitHub.com and potential access to the npm packages as they exist in AWS S3 storage.

At this point, we assess that the attacker did not modify any packages or gain access to any user account data or credentials. We are still working to understand whether the attacker viewed or downloaded private packages.

npm uses completely separate infrastructure from GitHub.com; GitHub was not affected in this original attack. Though investigation continues, we have found no evidence that other GitHub-owned private repos were cloned by the attacker using stolen third-party OAuth tokens.

Once GitHub identified stolen third-party OAuth tokens affecting GitHub users, GitHub took immediate steps to respond and protect users. GitHub contacted Heroku and Travis-CI to request that they initiate their own security investigations, revoke all OAuth user tokens associated with the affected applications, and begin work to notify their own users.... GitHub is currently working to identify and notify all of the known-affected victim users and organizations that we discovered through our analysis across GitHub.com. These customers will receive a notification email from GitHub with additional details and next steps to assist in their own response within the next 72 hours. If you do not receive a notification, you and/or your organization have not been identified as affected.

You should, however, periodically review what OAuth applications you've authorized or are authorized to access your organization and prune anything that's no longer needed. You can also review your organization audit logs and user account security logs for unexpected or anomalous activity....

The security and trustworthiness of GitHub, npm, and the broader developer ecosystem is our highest priority. Our investigation is ongoing, and we will update this blog, and our communications with affected customers, as we learn more.

Crime

'How Cryptocurrency Gave Birth to the Ransomware Epidemic' (vice.com) 47

"Cryptocurrency has changed the game of cybercrime," argues Vice's Christian Devolu, in a new episode of their video series CRYPTOLAND. "Hackers and cybergangs have been locking down the data of large corporations, police departments, and even hospitals, and demanding ransom — and guess what they're asking for? Cryptocurrency!"

In short, argues an article accompanying the episode, cryptocurrency "gave birth to the ransomware epidemic."

Slashdot reader em1ly shares one highlight from the video: The team visits a school district in Missouri ["just one of around 1,000 U.S. schools hacked last year with ransomware"] that was the victim of a ransomware attack. ["Luckily, the school's backups were not impacted...."]
Another interesting observation from the article: When ransom payments do happen, companies like Chainalysis can track the Bitcoin through the blockchain, identifying the hackers' wallets and collaborating with law enforcement in an attempt to recover the funds or identify the hackers themselves.

Privacy

Cisco's Webex App Phoned Home Audio Telemetry Even When Muted (theregister.com) 23

Boffins at two US universities have found that muting popular native video-conferencing apps fails to disable device microphones -- and that these apps have the ability to access audio data when muted, or actually do so. The research is described in a paper titled, "Are You Really Muted?: A Privacy Analysis of Mute Buttons in Video Conferencing App." The Register reports: Among the apps studied -- Zoom (Enterprise), Slack, Microsoft Teams/Skype, Cisco Webex, Google Meet, BlueJeans, WhereBy, GoToMeeting, Jitsi Meet, and Discord -- most presented only limited or theoretical privacy concerns. The researchers found that all of these apps had the ability to capture audio when the mic is muted but most did not take advantage of this capability. One, however, was found to be taking measurements from audio signals even when the mic was supposedly off. "We discovered that all of the apps in our study could actively query (i.e., retrieve raw audio) the microphone when the user is muted," the paper says. "Interestingly, in both Windows and macOS, we found that Cisco Webex queries the microphone regardless of the status of the mute button." They found that Webex, every minute or so, sends network packets "containing audio-derived telemetry data to its servers, even when the microphone was muted."

This telemetry data is not recorded sound but an audio-derived value that corresponds with the volume level of background activities. Nonetheless, the data proved sufficient for the researchers to construct an 82 per cent accurate background activity classifier to analyze the transmission and infer the likely activity among six possibilities -- e.g. cooking, cleaning, typing, etc. -- in the room where the app is active. Worse still from a security standpoint, while other apps encrypted their outgoing data stream before sending it to the operating system's socket interface, Webex did not. "Only in Webex were we able to intercept plaintext immediately before it is passed to the Windows network socket API," the paper says, noting that the app's monitoring behavior is inconsistent with the Webex privacy policy. The app's privacy policy states Cisco Webex Meetings does not "monitor or interfere with you your [sic] meeting traffic or content."
After the researchers reached out about their findings, Cisco altered Webex so it no longer transmits microphone telemetry data. "Cisco is aware of this report, and thanks the researchers for notifying us about their research," said a Cisco spokesperson. "Webex uses microphone telemetry data to tell a user they are muted, referred to as the 'mute notification' feature. Cisco takes the security of its products very seriously, and this is not a vulnerability in Webex."

Security

Cybercriminals Are Doing Their Homework in Latest Banking Scam (theregister.com) 29

A new social engineering scam is making the rounds, and this one is particularly insidious: It tricks users into sending money to what they think is their own account to reverse a fraudulent charge. From a report: The FBI's Internet Crime Complaint Center issued the warning, which it said involves cybercriminals who have definitely done their homework. "In addition to knowing the victim's financial institution, the actors often had further information such as the victim's past addresses, social security number, and the last four digits of their bank accounts," the IC3 said.

The con starts off as many that target individuals do nowadays: With a text message. In this case it's not a phishing attempt, it's an attempt to ascertain whether the person receiving the message is susceptible to further manipulation. Posing as the target's bank, the message asks whether a large charge ($5,000 in the example the FBI gives) was legitimate and asks for a reply of YES or NO. Replying no leads to a follow-up text: "Our fraud specialist will be contacting you shortly." This is where social engineering comes in, and the FBI is painting a picture of a sophisticated operation. The "fraud specialists" contacting users reportedly "speak English without a discernible accent," and once they establish credibility with the victim they move on to "helping" them "reverse" the fake transaction.

It gets even more insidious here: The charges that are being refuted aren't bank charges directly: they are payments being made through an instant payment app like Venmo or CashApp. The fraudster never asks for a password or any information that might clue someone in that they're being strung along. Instead, the caller asks the victim to use their bank website or app to remove their email address from the digital payment app (thereby unlinking the app and bank account), which the fraudster then asks for. Next, the victim is asked to send the same amount as the fake payment to themselves using their own email address, which has already been added to an account the criminal controls.

Chrome

Google Issues Third Emergency Fix for Chrome This Year (theregister.com) 24

Google is issuing fixes for two vulnerabilities in its Chrome web browser, including one flaw that is already being exploited in the wild. From a report: The emergency updates the company issued this week impact the almost 3 billion users of its Chrome browser as well as those using other Chromium-based browsers, such as Microsoft Edge, Brave and Vivaldi. It is the third such emergency update Google has had to issue for Chrome this year. One of the flaws is a type confusion vulnerability tracked as CVE-2022-1364, a high-severity, zero-day bug that is actively being used by attackers. With a type confusion flaw, a program will allocate a resource like a pointer or object using one type but later will access the resource using another, incompatible type. In some languages, like C and C++, the vulnerability can result in out-of-bounds memory access. This incompatibility can cause a browser to crash or trigger logical errors. However, if exploited, it could enable a hacker to execute arbitrary code.

Security

Git For Windows Issues Update To Fix Running-Someone-Else's-Code Vulnerability (theregister.com) 12

The Git team has issued an update to fix a bug in Git for Windows that "affects multi-user hardware where untrusted parties have write access to the same hard disk," reports The Register. Specifically, the update is concerned with CVE-2022-24765. From the report: Arguably, if an "untrusted party" has write access to a hard disk, then all bets are off when it comes to the nooks and crannies of a PC anyway. In this case, the miscreants would only need to create the folder c:\.git, "which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory," according to NIST. The result is that Git would use the config in the directory.

NIST went on to list potentially vulnerable products, which included Visual Studio. "Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash." The Git team was a little blunter about the vulnerability, and warned that "Merely having a Git-aware prompt that runs 'git status' (or 'git diff') and navigating to a directory which is supposedly not a Git worktree, or opening such a directory in an editor or IDE such as VS Code or Atom, will potentially run commands defined by that other user." [...] To deal with the issue, the Git team recommends an update. Alternatively, a user could create that .git folder themselves and remove read/write access as a workaround or "define or extend 'GIT_CEILING_DIRECTORIES' to cover the parent directory of the user profile," according to NIST.

United States

US Warns New Sophisticated Malware Can Target ICS/SCADA Devices (securityweek.com) 15

wiredmikey writes: The U.S. government is sounding a loud alarm after discovering new custom tools capable of full system compromise and disruption of ICS/SCADA devices and servers. A joint advisory from the Department of Energy, CISA, NSA and the FBI warned that unidentified APT actors have created specialized tools capable of causing major damage to PLCs from Schneider Electric and OMRON Corp. and servers from open-source OPC Foundation. Privately owned ICS security firm Dragos issued a separate notice documenting what is now the seventh known industrial control system (ICS)-specific malware. "[This] is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment," the company said.

IT

Inside the Longest Atlassian Outage of All Time (pragmaticengineer.com) 94

Gergely Orosz: We are in the middle of the longest outage Atlassian has had. Close to 400 companies and anywhere from 50,000 to 400,000 users had no access to JIRA, Confluence, OpsGenie, JIRA Status page, and other Atlassian Cloud services. The outage is on its 9th day, having started on Monday, 4th of April. Atlassian estimates many impacted customers will be unable to access their services for another two weeks. At the time of writing, 45% of companies have seen their access restored. For most of this outage, Atlassian has gone silent in communications across their main channels such as Twitter or the community forums. It took until Day 9 for executives at the company to acknowledge the outage.

While the company stayed silent, outage news started trending in niche communities. In these forums, people tried to guess causes of the outage, wonder why there is full radio silence, and many took to mocking the company for how it is handling the situation. Atlassian did no better with communicating with customers during this time. Impacted companies received templated emails and no answers to their questions. After I tweeted about this outage, several Atlassian customers turned to me to vent about the situation, and hope I can offer more details. Customers claimed how the company's statements made it seem they received support, which they, in fact, did not. Several customers hoped I could help get the attention of the company which had not given them any details, beyond telling them to wait weeks until their data is restored.

Security

Russia's Sandworm Hackers Attempted a Third Blackout In Ukraine (wired.com) 40

An anonymous reader quotes a report from Wired: More than half a decade has passed since the notorious Russian hackers known as Sandworm targeted an electrical transmission station north of Kyiv a week before Christmas in 2016, using a unique, automated piece of code to interact directly with the station's circuit breakers and turn off the lights to a fraction of Ukraine's capital. That unprecedented specimen of industrial control system malware has never been seen again -- until now: In the midst of Russia's brutal invasion of Ukraine, Sandworm appears to be pulling out its old tricks.

On Tuesday, the Ukrainian Computer Emergency Response Team (CERT-UA) and the Slovakian cybersecurity firm ESET issued advisories that the Sandworm hacker group, confirmed to be Unit 74455 of Russia's GRU military intelligence agency, had targeted high-voltage electrical substations in Ukraine using a variation on a piece of malware known as Industroyer or Crash Override. The new malware, dubbed Industroyer2, can interact directly with equipment in electrical utilities to send commands to substation devices that control the flow of power, just like that earlier sample. It signals that Russia's most aggressive cyberattack team attempted a third blackout in Ukraine, years after its historic cyberattacks on the Ukrainian power grid in 2015 and 2016, still the only confirmed blackouts known to have been caused by hackers.

ESET and CERT-UA say the malware was planted on target systems within a regional Ukrainian energy firm on Friday. CERT-UA says that the attack was successfully detected in progress and stopped before any actual blackout could be triggered. But an earlier, private advisory from CERT-UA last week, first reported by MIT Technology Review today, stated that power had been temporarily switched off to nine electrical substations. Both CERT-UA and ESET declined to name the affected utility. But more than 2 million people live in the area it serves, according to Farid Safarov, Ukraine's deputy minister of energy. [...] The revelation of Sandworm's attempted blackout attack provides more evidence that Russia's invasion of Ukraine has been accompanied by a new wave of cyberattacks on the country's networks and critical infrastructure, though with only mixed success.

Businesses

Dell Trials 4-Day Workweek In Netherlands (theregister.com) 36

Dell employees in the Netherlands will be able to work four days a week from this month, a director of Dell Technologies Netherlands has confirmed to The Register. From the report: The news comes just weeks before what is touted to be the biggest ever 4-day working week trial begins in the UK. Isabel Moll, newly appointed vice president and general manager at Dell Netherlands, told us the part-time pilot has already been rolled out by the Dutch and Argentinian operations. "On April 1 we welcomed our first starter, and we're currently in the late phases of the interviewing process with [another]. We're hoping to welcome many other candidates in the near future, once the word spreads more and more." She noted that the scheme was also open to existing employees, with pay corresponding to hours worked.

Speaking to local financial news daily Financieele Dagblad, Dell GM Moll described the April Argentinian and Dutch pilot as addressing both the issues of scarcity in the labor market and a way to bring in a more diverse group, including women and younger people, who are no longer interested in working until "they drop" or have other obligations. She said such people often end up leaving the sector, to its detriment, or use their technical skills in other sectors which have less intensive hours, telling the paper: "Working harder won't pay off, because the pond is empty..."
