Security

Critical GitLab Vulnerability Lets Attackers Take Over Accounts (bleepingcomputer.com)

GitLab has addressed a critical severity vulnerability that could allow remote attackers to take over user accounts using hardcoded passwords. Bleeping Computer reports: The bug (discovered internally and tracked as CVE-2022-1162) affects both GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw results from static passwords accidentally set during OmniAuth-based registration in GitLab CE/EE. GitLab urged users to immediately upgrade all GitLab installations to the latest versions (14.9.2, 14.8.5, or 14.7.7) to block potential attacks. GitLab also added that it reset the passwords of a limited number of GitLab.com users as part of the CVE-2022-1162 mitigation effort. It also found no evidence that any accounts have been compromised by attackers using this hardcoded password security flaw.
Security

Wyze Cam Security Flaw Gave Hackers Access To Video; Went Unfixed For Almost Three Years (9to5mac.com)

An anonymous reader quotes a report from 9to5Mac: A major Wyze Cam security flaw easily allowed hackers to access stored video, and it went unfixed for almost three years after the company was alerted to it, says a new report today. Additionally, it appears that Wyze Cam v1 -- which went on sale back in 2017 -- will never be patched, so it will remain vulnerable for as long as it is used.

Bleeping Computer reports: "A Wyze Cam internet camera vulnerability allows unauthenticated, remote access to videos and images stored on local memory cards and has remained unfixed for almost three years. The bug, which has not been assigned a CVE ID, allowed remote users to access the contents of the SD card in the camera via a webserver listening on port 80 without requiring authentication. Upon inserting an SD card on the Wyze Cam IoT, a symlink to it is automatically created in the www directory, which is served by the webserver but without any access restrictions."

And as if that weren't bad enough, it gets worse. Many people re-use existing SD cards they have lying around, some of which still have private data on them, especially photos. The flaw gave access to all data on the card, not just files created by the camera. Finally, the AES encryption key is also stored on the card, potentially giving an attacker live access to the camera feed. Altogether, Bitdefender security researchers advised the company of three vulnerabilities. It took Wyze six months to fix one, 21 months to fix another, and just under two years to patch the SD card flaw. The v1 camera still hasn't been patched, and since the company announced last year that it has reached end-of-life status, it appears it never will.
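The check a firmware reviewer would want to automate for the Wyze-style bug above, as an added example (not code from Wyze or Bitdefender): it walks a web server document root and flags every symlink whose target resolves outside that root, which is exactly how the SD card ended up served on port 80. The sample `www` tree it builds, with an internal link and a link to a mounted card, is constructed for the demonstration.

```python
"""Audit a web document root for symlinks that escape it.

The report above describes a symlink to the SD card being created inside the
camera's www directory, so the web server exposed the whole card without any
authentication. Any symlink under a document root whose resolved target lies
outside that root deserves the same scrutiny; this script lists them.
"""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(webroot: str) -> list[tuple[str, str]]:
    """Return (link_path, resolved_target) for each symlink under webroot whose
    target resolves outside the real webroot directory. Dangling or looping
    links are reported with their raw link text, since they cannot be resolved."""
    root = Path(webroot).resolve()
    findings = []
    # followlinks=False: inspect links as entries rather than descending into them
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            try:
                target = p.resolve(strict=True)
            except (OSError, RuntimeError):
                findings.append((str(p), os.readlink(p)))
                continue
            # a target equal to the root or beneath it is fine; anything else escapes
            if target != root and root not in target.parents:
                findings.append((str(p), str(target)))
    return findings


def build_demo_tree(base: str) -> str:
    """Construct a sample layout mirroring the report: a 'www' root, a harmless
    link that stays inside it, and a link to an SD card mounted outside it."""
    www = Path(base) / "www"
    (www / "static").mkdir(parents=True)
    (www / "static" / "index.html").write_text("<html></html>")
    sdcard = Path(base) / "sdcard"
    sdcard.mkdir()
    (sdcard / "private_photo.jpg").write_bytes(b"\xff\xd8constructed")
    os.symlink(www / "static", www / "assets")  # inside the root: acceptable
    os.symlink(sdcard, www / "sdcard")          # escapes the root: the bug
    return str(www)


def run_demo() -> list[tuple[str, str]]:
    """Build the constructed tree in a temp dir and return findings with paths
    made relative to that dir, so the result is stable across machines."""
    with tempfile.TemporaryDirectory() as tmp:
        www = build_demo_tree(tmp)
        base = Path(tmp).resolve()
        return [
            (str(Path(link).relative_to(base)), str(Path(target).relative_to(base)))
            for link, target in find_escaping_symlinks(www)
        ]


if __name__ == "__main__":
    for link, target in run_demo():
        print(f"EXPOSED: {link} -> {target}")
```

Only the link to the card is reported; the internal `assets` link resolves beneath the root and is left alone.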

Privacy

Apple and Meta Gave User Data to Hackers Who Used Forged Legal Requests

According to Bloomberg, Apple and Meta "provided customer data to hackers who masqueraded as law enforcement officials." Bloomberg's William Turton reports: Apple and Meta provided basic subscriber details, such as a customer's address, phone number and IP address, in mid-2021 in response to the forged "emergency data requests." Normally, such requests are only provided with a search warrant or subpoena signed by a judge, according to the people. However, the emergency requests don't require a court order. Snap Inc. received a forged legal request from the same hackers, but it isn't known whether the company provided data in response. It's also not clear how many times the companies provided data prompted by forged legal requests.

Cybersecurity researchers suspect that some of the hackers sending the forged requests are minors located in the U.K. and the U.S. [...] The fraudulent legal requests are part of a months-long campaign that targeted many technology companies and began as early as January 2021. The forged legal requests are believed to be sent via hacked email domains belonging to law enforcement agencies in multiple countries. The forged requests were made to appear legitimate. In some instances, the documents included the forged signatures of real or fictional law enforcement officers. By compromising law enforcement email systems, the hackers may have found legitimate legal requests and used them as a template to create forgeries.
Further reading: Hackers Gaining Power of Subpoena Via Fake 'Emergency Data Requests'
Security

Lapsus$ Gang Claims New Hack With Data From Apple Health Partner (theverge.com)

After a short "vacation," the Lapsus$ hacking gang is back. In a post shared through the group's Telegram channel on Wednesday, Lapsus$ claimed to have stolen 70GB of data from Globant -- an international software development firm headquartered in Luxembourg, which boasts some of the world's largest companies as clients. From a report: Screenshots of the hacked data, originally posted by Lapsus$ and shared on Twitter by security researcher Dominic Alvieri, appeared to show folders bearing the names of a range of global businesses: among them were delivery and logistics company DHL, US cable network C-Span, and French bank BNP Paribas. Also in the list were tech giants Facebook and Apple, with the latter referred to in a folder titled "apple-health-app." The data appears to be development material for Globant's BeHealthy app, described in a prior press release as software developed in partnership with Apple to track employee health behaviors using features of the Apple Watch.
Crime

Former Yale Employee Admits She Stole $40 Million In Electronics From University (npr.org)

An anonymous reader quotes a report from NPR: A nearly decade-long scheme to steal millions of dollars of computers and iPads from Yale University's School of Medicine is officially over. Former Yale administrator Jamie Petrone, 42, pleaded guilty Monday in federal court in Hartford, Conn., to two counts of wire fraud and a tax offense for her role in the plot. Petrone's ploy started as far back as 2013 and continued well into 2021 while she worked at the university, according to the U.S. Attorney's Office for the District of Connecticut. Until recently, her role was the director of finance and administration for the Department of Emergency Medicine at Yale. As part of this job, Petrone had the authority to make and authorize certain purchases for the department -- as long as the amount was below $10,000.

Starting in 2013, Petrone would order, or have a member of her staff order, computers and other electronics, which totaled thousands of items over the years, from Yale vendors using the Yale School of Medicine's money. She would then arrange to ship the stolen hardware, whose costs amounted to millions of dollars, to a business in New York, in exchange for money once the electronics were resold. Investigators said Petrone would report on documents to the school that the equipment was for specific needs at the university, like medical studies that ultimately didn't exist. She would break up the fraudulent purchases into orders that were below $10,000 each so that she wouldn't need to get additional approval from school officials. Petrone would ship this equipment out herself to the third-party business that would resell the equipment. It would later pay Petrone by wiring funds into an account of Maziv Entertainment LLC, a company she created.

Petrone used the money to live the high life, buy real estate and travel, federal prosecutors say. She bought luxury cars as well. At the time of her guilty pleas, she was in possession of two Mercedes-Benz vehicles, two Cadillac Escalades, a Dodge Charger and a Range Rover. [...] At the time of her guilty plea, she agreed to forfeit the luxury vehicles as well as three homes in Connecticut. A property she owns in Georgia may also be seized. Petrone has also agreed to forfeit more than $560,000 that was seized from the Maziv Entertainment LLC bank account. Federal prosecutors say the loss to Yale totals approximately $40,504,200.

Security

Log4Shell Exploited To Infect VMware Horizon Servers With Backdoors, Crypto Miners (zdnet.com)

An anonymous reader quotes a report from ZDNet: The Log4Shell vulnerability is being actively exploited to deliver backdoors and cryptocurrency miners to vulnerable VMware Horizon servers. On Tuesday, Sophos cybersecurity researchers said the attacks were first detected in mid-January and are ongoing. Not only are backdoors and cryptocurrency miners being deployed, but in addition, scripts are used to gather and steal device information. Log4Shell is a critical vulnerability in the Apache Log4j Java logging library. The unauthenticated remote code execution (RCE) vulnerability was made public in December 2021 and is tracked as CVE-2021-44228 with a CVSS score of 10.0.

According to Sophos, the latest Log4Shell attacks target unpatched VMware Horizon servers with three different backdoors and four cryptocurrency miners. The attackers behind the campaign are leveraging the bug to obtain access to vulnerable servers. Once they have infiltrated the system, Atera agent or Splashtop Streamer, two legitimate remote monitoring software packages, may be installed, with their purpose twisted into becoming backdoor surveillance tools.

The other backdoor detected by Sophos is Sliver, an open source offensive security implant released for use by pen testers and red teams. Sophos says that four miners are linked to this wave of attacks: z0Miner, JavaX miner, Jin, and Mimu, which mine for Monero (XMR). Previously, Trend Micro found z0Miner operators were exploiting the Atlassian Confluence RCE (CVE-2021-26084) for cryptojacking attacks. A PowerShell URL connected to both campaigns suggests there may also be a link, although that is uncertain. [...] In addition, the researchers uncovered evidence of reverse shell deployment designed to collect device and backup information.

Security

Hackers Steal $600M From Play-to-Earn Game Axie Infinity's Ronin Network (vice.com)

A cryptocurrency affiliated with the popular free-to-play blockchain game Axie Infinity has been hacked in one of the largest crypto heists in history. From a report: The Ronin network is a blockchain launched in February 2021 to make interacting with the Ethereum-based Axie Infinity a little less costly. Whereas doing anything at all on Ethereum costs fees, Ronin allows 100 free transactions per day, per user. Axie Infinity is popular in the Philippines, for example, where users work playing the game in exchange for tokens, often on behalf of individuals or firms that may employ dozens or hundreds of so-called "scholars."

In a blog post published on Tuesday, Ronin revealed it had fallen victim to a security breach that has drained half a billion dollars in crypto. Hackers were able to exploit the Ronin bridge and make off with 173,600 ETH (worth about $591,242,019) and $25.5 million worth of the stablecoin USDC in two separate transactions by taking over the blockchain's validator nodes. Validator nodes verify and approve transactions in Ronin's Proof-of-Authority (PoA) model, which differs from the decentralized mining and approval process employed by Bitcoin. Ronin has nine validator nodes, five of which were needed to approve any particular deposit or withdrawal. According to the blog, the hackers "used hacked private keys in order to forge fake withdrawals." The attackers found a backdoor in the gas-free RPC node run by Sky Mavis -- the company that owns Axie Infinity -- allowing them to gain control over a validator node linked to the Axie DAO after it helped Sky Mavis distribute free transactions in November 2021 during an overload of users, according to the Ronin blog post. With Axie DAO's validator node and the four controlled by Sky Mavis, the attackers were able to approve the two transactions.
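The Ronin figures above (9 validators, 5 signatures required, 4 keys with Sky Mavis, and a fifth node reachable through Sky Mavis's RPC node) illustrate a general point about m-of-n signing: what matters is how many independent parties must be compromised, not how many keys. The model below, an added example rather than code from Ronin or Sky Mavis, computes that "effective operator threshold"; the validator-to-operator mapping and the names of the four operators the page does not identify are constructed, and the standing arrangement that let Sky Mavis drive the Axie DAO node is modelled as a delegation edge.

```python
"""Effective operator threshold of an m-of-n validator set.

A bridge that needs 5 of 9 validator signatures looks robust until you ask
who holds the keys. Here four of them sit with one operator, and a fifth
operator's node can be driven through that operator's infrastructure, so a
single compromise reaches the threshold. Revoking the delegation raises the
bar to two independent parties; one operator per node raises it to five.
"""

# Constructed validator -> operator mapping for the 9-node Ronin set. The page
# names only Sky Mavis (4 nodes) and Axie DAO (1); the rest are placeholders.
RONIN_VALIDATORS = {
    "v1": "Sky Mavis", "v2": "Sky Mavis", "v3": "Sky Mavis", "v4": "Sky Mavis",
    "v5": "Axie DAO",
    "v6": "operator-A", "v7": "operator-B", "v8": "operator-C", "v9": "operator-D",
}
RONIN_THRESHOLD = 5
# grantor -> grantee: the grantee can obtain signatures from the grantor's
# node. This models the November 2021 arrangement the report describes as a
# backdoor in the gas-free RPC node; revoking it empties this map.
STALE_DELEGATION = {"Axie DAO": "Sky Mavis"}


def reachable_validators(compromised, validators, delegations):
    """Validators whose signatures an attacker holding the given operators can
    produce: their own plus, transitively, those of any operator that has
    delegated signing authority to an operator already reached."""
    reach = set(compromised)
    changed = True
    while changed:
        changed = False
        for grantor, grantee in delegations.items():
            if grantee in reach and grantor not in reach:
                reach.add(grantor)
                changed = True
    return {v for v, op in validators.items() if op in reach}


def operators_needed(validators, threshold, delegations=None):
    """Smallest set of operators an attacker must compromise before threshold
    signatures can be forged. Greedy by marginal yield: exact for plain
    m-of-n, a sound approximation once delegations are involved. Ties are
    broken alphabetically so the result is deterministic."""
    delegations = delegations or {}
    if threshold > len(validators):
        raise ValueError("threshold exceeds validator count")
    chosen = set()
    candidates = sorted(set(validators.values()))
    while len(reachable_validators(chosen, validators, delegations)) < threshold:
        best = max(
            (op for op in candidates if op not in chosen),
            key=lambda op: len(reachable_validators(chosen | {op}, validators, delegations)),
        )
        chosen.add(best)
    return chosen


def can_forge(compromised, validators, threshold, delegations=None):
    """True if the compromised operators alone reach the signing threshold."""
    held = reachable_validators(compromised, validators, delegations or {})
    return len(held) >= threshold


if __name__ == "__main__":
    print("with stale delegation:", operators_needed(RONIN_VALIDATORS, RONIN_THRESHOLD, STALE_DELEGATION))
    print("delegation revoked:   ", operators_needed(RONIN_VALIDATORS, RONIN_THRESHOLD))
    diversified = {f"v{i}": f"operator-{i}" for i in range(1, 10)}
    print("one operator per node:", len(operators_needed(diversified, RONIN_THRESHOLD)))
```

Run against a real validator set, the number returned by `operators_needed` is the figure to compare with the nominal threshold; a large gap between the two is the design weakness the page describes.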

Microsoft

Microsoft is Finally Making it Easier To Switch Default Browsers in Windows 11 (theverge.com)

Microsoft is finally making it easier to change your default browser in Windows 11. A new update (KB5011563) has started rolling out this week that allows Windows 11 users to change the default browser with a single click. After testing the changes in December, this new one-click method is rolling out to all Windows 11 users. From a report: Originally, Windows 11 shipped without a simple button to switch default browsers that was always available in Windows 10. Instead, Microsoft forced Windows 11 users to change individual file extensions or protocol handlers for HTTP, HTTPS, .HTML, and .HTM, or you had to tick a checkbox that only appeared when you clicked a link from outside a browser. Microsoft defended its decision to make switching defaults harder, but rival browser makers like Mozilla, Brave, and even Google's head of Chrome criticized Microsoft's approach.
United States

Hackers Gaining Power of Subpoena Via Fake 'Emergency Data Requests' (krebsonsecurity.com)

Krebs on Security reports: In the United States, when federal, state or local law enforcement agencies wish to obtain information about who owns an account at a social media firm, or what Internet addresses a specific cell phone account has used in the past, they must submit an official court-ordered warrant or subpoena. Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name. But in certain circumstances -- such as a case involving imminent harm or death -- an investigating authority may make what's known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents.

It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately. In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR -- and potentially having someone's blood on their hands -- or possibly leaking a customer record to the wrong person. "We have a legal process to compel production of documents, and we have a streamlined legal process for police to get information from ISPs and other providers," said Mark Rasch, a former prosecutor with the U.S. Department of Justice. "And then we have this emergency process, almost like you see on [the television series] Law & Order, where they say they need certain information immediately," Rasch continued. "Providers have a streamlined process where they publish the fax or contact information for police to get emergency access to data. But there's no real mechanism defined by most Internet service providers or tech companies to test the validity of a search warrant or subpoena. And so as long as it looks right, they'll comply." To make matters more complicated, there are tens of thousands of police jurisdictions around the world -- including roughly 18,000 in the United States alone -- and all it takes for hackers to succeed is illicit access to a single police email account.

Australia

Australia Cyber Defence Bolstered by $10 Billion via Project REDSPICE (theage.com.au)

Almost $10 billion over the next decade will be pumped into helping Australia compete in cyber warfare with adversaries such as Russia and China in a major funding boost that will nearly double the size of the nation's leading cyber security agency. From a report: In its centrepiece defence budget announcement, the government will make the largest single investment in the 75-year history of the Australian Signals Directorate, the country's powerful and highly secretive electronic intelligence agency. The government said the funding increase -- dramatically named Project REDSPICE (Resilience, Effects, Defence, Space, Intelligence, Cyber, and Enablers) -- will significantly expand the ASD's offensive cyber capabilities, as well as the agency's ability to prevent hacking and other digital attacks.

The government intends to put national security at the centre of the upcoming election campaign, contrasting its latest announcements with reductions to defence spending during the Rudd-Gillard era. In his budget night speech Treasurer Josh Frydenberg described the $9.9 billion in spending over 10 years as the country's "biggest ever investment in Australia's cyber preparedness." It comes on top of the government's previously announced expansion in Australian Defence Force personnel and the purchase of new Chinook helicopters, Abrams tanks and combat engineering vehicles.

Encryption

Security Experts Say New EU Rules Will Damage WhatsApp Encryption (theverge.com)

Corin Faife writes via The Verge: On March 24th, EU governing bodies announced that they had reached a deal on the most sweeping legislation to target Big Tech in Europe, known as the Digital Markets Act (DMA). Seen as an ambitious law with far-reaching implications, the most eye-catching measure in the bill would require that every large tech company -- defined as having a market capitalization of more than 75 billion euros or a user base of more than 45 million people in the EU -- create products that are interoperable with smaller platforms. For messaging apps, that would mean letting end-to-end encrypted services like WhatsApp mingle with less secure protocols like SMS -- which security experts worry will undermine hard-won gains in the field of message encryption.

The main focus of the DMA is a class of large tech companies termed "gatekeepers," defined by the size of their audience or revenue and, by extension, the structural power they are able to wield against smaller competitors. Through the new regulations, the government is hoping to "break open" some of the services provided by such companies to allow smaller businesses to compete. That could mean letting users install third-party apps outside of the App Store, letting outside sellers rank higher in Amazon searches, or requiring messaging apps to send texts across multiple protocols. But this could pose a real problem for services promising end-to-end encryption: the consensus among cryptographers is that it will be difficult, if not impossible, to maintain encryption between apps, with potentially enormous implications for users.

Signal is small enough that it wouldn't be affected by the DMA provisions, but WhatsApp -- which uses the Signal protocol and is owned by Meta -- certainly would be. The result could be that some, if not all, of WhatsApp's end-to-end messaging encryption is weakened or removed, robbing a billion users of the protections of private messaging. Given the need for precise implementation of cryptographic standards, experts say that there's no simple fix that can reconcile security and interoperability for encrypted messaging services. Effectively, there would be no way to fuse together different forms of encryption across apps with different design features, said Steven Bellovin, an acclaimed internet security researcher and professor of computer science at Columbia University.

Privacy

Lapsus$ Found a Spreadsheet of Passwords as They Breached Okta, Documents Show (techcrunch.com)

The Lapsus$ hackers used compromised credentials to break into the network of customer service giant Sitel in January, days before subsequently accessing the internal systems of authentication giant Okta, according to documents seen by TechCrunch that provide new details of the cyber intrusion that have not yet been reported. The report adds: [...] The documents provide the most detailed account to date of the Sitel compromise, which allowed the hackers to later gain access to Okta's network. [...] The documents, obtained by independent security researcher Bill Demirkapi and shared with TechCrunch, include a Sitel customer communication sent on January 25 -- more than a week after hackers first compromised its network -- and a detailed timeline of the Sitel intrusion compiled by incident response firm Mandiant dated March 17 that was shared with Okta.

According to the documents, Sitel said it discovered the security incident in its VPN gateways on a legacy network belonging to Sykes, a customer service company working for Okta that Sitel acquired in 2021. The timeline details how the attackers used remote access services and publicly accessible hacking tools to compromise and navigate through Sitel's network, gaining deeper visibility into the network over the five days that Lapsus$ had access. Sitel said that its Azure cloud infrastructure was also compromised by hackers. According to the timeline, the hackers accessed a spreadsheet on Sitel's internal network early on January 21 called "DomAdmins-LastPass.xlsx." The filename suggests that the spreadsheet contained passwords for domain administrator accounts that were exported from a Sitel employee's LastPass password manager.

The Internet

Ukrainian Telecom Company's Internet Service Disrupted By 'Powerful' Cyberattack (reuters.com)

Ukraine's state-owned telecommunications company Ukrtelecom experienced a disruption in internet service on Monday after a "powerful" cyberattack, according to Ukrainian government officials and company representatives. Reuters reports: The incident is the latest hacking attack against Ukrainian internet services since Russian military forces invaded in late February. "Today, the enemy launched a powerful cyberattack against Ukrtelecom's IT-infrastructure," said Yurii Shchyhol, chairman of the State Service of Special Communication and Information Protection of Ukraine. "The attack was repelled. And now Ukrtelecom has an ability to begin restoring its services to the clients." "Currently, the attack is repulsed, the provision of services is gradually resumed," said Ukrtelecom spokesperson Mikhail Shuranov.

NetBlocks, which monitors internet service disruptions, posted on Twitter earlier on Monday that it saw "connectivity collapsing" with an "ongoing and intensifying nation-scale disruption." A similar incident took place earlier this month with Triolan, a smaller Ukrainian telecom company, Forbes previously reported. That company suffered a hack that reset some internal systems, resulting in some local subscribers losing access.

Communications

'Most Severe' Cyberattack Since Russian Invasion Crashes Ukraine Internet Provider (forbes.com)

A "powerful" cyberattack has hit Ukraine's biggest fixed line telecommunications company, Ukrtelecom. Described as the most severe cyberattack since the start of the Russian invasion in February, it has sent the company's services across the country down. From a report: Victor Zhora, deputy head of the State Service for Special Communications and Information Protection, confirmed to Forbes that the government was investigating the attack. He said it's not yet known whether Ukrtelecom -- a telephone, internet and mobile provider -- has been hit by a distributed denial of service (DDoS) attack or a deeper, more sophisticated intrusion. The attack has only been acknowledged by Ukrtelecom in responses to customer comments on Facebook. In one, it responded by saying that services were down as a result of a "powerful cyber attack of the enemy." When Forbes messaged Ukrtelecom over Facebook, an automated response was provided, reading, "Currently, there are difficulties in using the internet service from Ukrtelecom. Our specialists are doing everything possible to resolve this issue as soon as possible. Due to the abnormal load and problems with internal systems, the operators of the contact center and Facebook can not process customer requests." NetBlocks, which tracks internet downtimes across the world, found Ukrtelecom had been dealing with a disrupted service since this morning, "collapsing to 13% of pre-war levels."
Microsoft

Microsoft Security Chief Issues Call To Arms To Protect Metaverse (bloomberg.com)

Microsoft's new security chief Charlie Bell issued a call to arms to build protection from hackers and criminals in the emerging metaverse from the start of the new technology. From a report: "There's going to be a lot of innovation and there will be a lot of struggling to figure out what has to be done," Bell said in an interview. "But I think because of the speed, there will be fast innovation on the security side."

The metaverse -- a concept that promises to let users live, work and play within interconnected virtual worlds -- will present some unique and more serious security challenges for technology and cybersecurity companies. As an example, hackers may be able to make avatars that look like a user's trusted contacts, a twist on the traditional email phishing scheme that will be hard for users to resist, he said. The nature of the metaverse, which offers the possibility of less centralized control of content and users, also is a challenge for those trying to protect customers.

"Picture what phishing could look like in the metaverse -- it won't be a fake e-mail from your bank," wrote Bell, Microsoft's executive vice president, security, compliance, identity, and management, in a blog posted Monday on Microsoft's web site. "It could be an avatar of a teller in a virtual bank lobby asking for your information. It could be an impersonation of your CEO inviting you to a meeting in a malicious virtual conference room."

Books

Is Burnout Just a Sign of a Broken Labor System? (thebaffler.com)

A new essay from The Baffler suggests burnout is "a personal malady that indexes a broken labor system," rather than a trendy term that "resonates with affluent professionals who fetishize overwork."

And then the essay turns to Jonathan Malesic's new book The End of Burnout: He casts a critical eye on burnout discourse, in which the term is used loosely and self-flatteringly. Journalistic treatments of burnout — such as Anne Helen Petersen's widely read 2019 essay — tend to emphasize the heroic exertions of the burned-out worker, who presses on and gets her work done, no matter what. Such accounts have significantly raised burnout's prestige, Malesic argues, by aligning the disorder with "the American ideal of constant work." But they give, at best, a partial view of what burnout is. The psychologist Christina Maslach, a foundational figure in burnout research — the Maslach Burnout Inventory is the standard burnout assessment — sees burnout as having three components: exhaustion; cynicism or depersonalization (detectable in doctors, for example, who see their patients as "problems" to be solved, rather than people to be treated); and a sense of ineffectiveness or futility.... Accounts of the desperate worker as labor-hero ignore the important fact that burnout impairs your ability to do your job. A "precise diagnostic checklist" for burnout, Malesic writes, would curtail loose claims of fashionable exhaustion, while helping people who suffer from burnout seek medical treatment.

Malesic, however, is interested in more than tracing burnout's clinical history. A scholar of religion, he diagnoses burnout as an ailment of the soul. It arises, he contends, from a gap between our ideals about work and our reality of work. Americans have powerful fantasies about what work can provide: happiness, esteem, identity, community. The reality is much shoddier. Across many sectors of the economy, labor conditions have only worsened since the 1970s. As our economy grows steadily more unequal and unforgiving, many of us have doubled down on our fantasies, hoping that in ceaseless toil, we will find whatever it is we are looking for, become whoever we yearn to become. This, Malesic says, is a false promise.... [The book] is an attack on the cruel idea that work confers dignity and therefore that people who don't work — the old, the disabled — lack value. On the contrary, dignity is intrinsic to all human beings, and in designing a work regime rigged for the profit of the few and the exhaustion of the many, we have failed to honor one another's humanity.... William Morris, in his famous essay "Useful Work Versus Useless Toil," dreamed of a political transformation in which all work would be made pleasurable. Malesic thinks, instead, that work should not be the center of our lives at all....

Burnout is an indicator that something has gone wrong in the way we organize our work. But as a concept it remains lodged in an old paradigm — a work ethic that was already dubious in America's industrial period, and now, in a period of extreme inequality and increasing precarity across once-stable professions, is even harder to credit.... The top 1 percent of the income distribution is composed largely of executives, financiers, consultants, lawyers, and specialist doctors who report extremely long work hours, sometimes more than seventy a week....

But the strange work ethic the rich have devised seems highly relevant for our understanding of burnout as a cultural phenomenon, especially as it spreads beyond its traditional victims — doctors, nurses, teachers, social workers, anti-poverty lawyers — and courses through the ranks of knowledge workers more generally.

IT

That Big Tech Exodus Out of California? It Didn't Happen (msn.com)

"Wannabe innovation hubs from coast to coast have been slavering over the prospect that the work-from-home revolution triggered by the COVID pandemic would finally break the stranglehold that California and Silicon Valley have had on high-tech jobs," writes a business columnist for the Los Angeles Times.

"Here's the latest picture on this expectation: Not happening." That's the conclusion of some new studies, most recently by Mark Muro and Yang You of the Brookings Institution. They found that although the pandemic brought about some changes in the trend toward the concentration of tech jobs in a handful of metropolitan areas, the largest established hubs as a group "slightly increased their share" of national high-tech employment from 2019 through 2020. (Emphasis theirs....) "[T]he big tech superstar cities aren't going anywhere," Muro told me. "There's a suggestion that we're on the brink of an entirely different geography. I don't think recent history or the nature of the technologies point in that direction.... "

"The California metropolises really do retain their irreplaceable depth and strength," Muro says. "That's not to say there won't be some movement. Early in the period we saw some exiting, especially from the Bay Area, but it turned out that much of it was within California, rather than to Kansas." This shouldn't be too surprising. The value of concentrated ecosystems in nurturing innovation has been documented for decades....

The pandemic-driven shift to remote work does seem to have opened entrepreneurs' eyes at least to the potential for doing away with centralized workforces. In a recent survey of tech startup founders, the share of respondents saying they would prefer to start a firm with an entirely remote workforce from Day One rose to 42.1% in 2021 from only 6% in 2020. Among physical locations where the founders said they prefer to launch their businesses, however, San Francisco still dominated, at 28.4%, with New York a distant second....

Unlike service industries such as leisure and tourism, most tech industries experienced barely a hiccup in their long-term growth trends during the pandemic.

The column also questions when, "if ever," work-from-home jobs will become a significant share of the workforce. "Full-scale work-from-home only applies to about 6% of workers, UC Berkeley economist Enrico Moretti says. That's triple the 2% level of the pre-pandemic era, but still an exception to the rule."
Facebook

To Help Retain Engineers, Apple Gives $100K-$200K Bonuses (protocol.com) 29

Apple is paying six-figure "special retention grants" to a handful of hardware and software engineers. Protocol reports: The bonuses, anonymous sources told Bloomberg, are worth between $100,000 and more than $200,000 in restricted stock units that vest over several years, providing another incentive for engineers to stay at Apple... The bonuses show the level of insecurity that some of the top-paying companies in the industry feel in this tight market for tech talent. (Even Google employees are feeling unhappy with their compensation....) Apple and other tech giants are throwing more and more money at employees to retain them.

In the last few months, Alphabet has adopted a new cash bonus plan that allows employee bonuses "of nearly any size for nearly any reason," The Wall Street Journal reported last month, and Amazon has raised its cash-pay cap from $160,000 to $350,000, according to The New York Times.

Bloomberg points out Apple "has suffered some attrition in its chip design group," as Facebook's parent Meta Platforms "has stepped up recruiting of engineers — aiming to put them to work on the so-called metaverse," and the payouts also went to Apple employees working on virtual and augmented reality headsets. Inflation also has put pressure on employers to boost compensation. And Apple is preparing for a return to the office — a source of tension for some employees. By May, the company will require engineers and other corporate staff to work out of the office at least three days a week.

So the bonuses "are designed to keep the employees from leaving by vesting over several years," Bloomberg concludes, "and they could become more valuable over time if Apple's stock price continues to rise.

"The shares are up more than 40% over the past 12 months..."
Government

Kaspersky Named First Russian Company on Security Risk List (bloomberg.com) 62

The U.S. placed internet-security provider AO Kaspersky Lab on a list of companies deemed a threat to national security, for the first time adding a Russian entity to a list dominated by Chinese telecommunications firms. Bloomberg reports: The Federal Communications Commission on Friday also added China Telecom (Americas) Corp. and China Mobile International USA Inc. to the list. Once a company is on the list, federal subsidies can't be used to purchase its equipment or services. The action is part of the FCC's efforts to "strengthen America's communications networks against national security threats," Jessica Rosenworcel, the agency's chairwoman, said in a news release.

Kaspersky is a well-known provider of anti-virus software, and has conducted investigations into a range of nation-state hacking incidents. It calls itself the world's largest privately-owned cybersecurity company on its website. It says it protects over 400 million users and 240,000 companies. [...] For Friday's update of the list, the FCC said it relied on findings by the Department of Homeland Security and an executive branch interagency body called the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector.

Television

Netflix Could Reap $1.6 Billion Per Year By Charging Password-Sharing Users Extra Fees, Analysts Say (variety.com) 118

If Netflix follows through with its test to charge an additional fee to users sharing passwords, it could rake in $1.6 billion in global revenue annually, according to a new Wall Street analysis. Variety reports: Last week, Netflix said it was launching a test in three Latin American countries (Chile, Costa Rica and Peru) to address password sharing. Customers will be able to add up to two Extra Member accounts for about $2-$3/month each, on top of their regular monthly fee. According to estimates by Cowen & Co. analysts, if Netflix rolls the program out globally it could add an incremental $1.6 billion in global revenue annually, or about 4% upside to the firm's 2023 revenue projection of $38.8 billion. The firm's estimate assumes that about half of non-paying Netflix password-sharing households will become paying members; further, the model predicts that of those, about half will opt to sign up for their own separate paid account.