IT

Panasonic Sells Off Its VR Subsidiary (roadtovr.com) 19

Shiftall, the Japan-based VR hardware creator, is no longer owned by Panasonic, as the company has been effectively sold off to the Tokyo-based company CREEK & RIVER. From a report: As first noted by tech analyst and YouTuber Brad Lynch, Panasonic today announced it has transferred all shares of Shiftall to the Tokyo-based company CREEK & RIVER Co., Ltd., which specializes in outsourcing, consulting, content management and distribution services. Acquired by Panasonic in 2018, Shiftall primarily focused on niche consumer devices, but shifted over the years to focusing on VR hardware, such as its MeganeX PC VR headset, HaritoraX wireless body trackers, FlipVR motion controllers, and mutalk soundproof microphones.
Security

Pig-Butchering Scam Kits Are for Sale in Underground Markets (bloomberg.com) 27

Cybercriminals are selling ready-made "pig-butchering" scam kits on the dark web to conduct "DeFi savings" cryptocurrency fraud, according to Sophos. The kits expedite scamming worldwide. In these scams, criminals build online relationships then persuade victims to invest in fake crypto schemes, manipulating them to drain digital wallets. The bundled kits contain websites enabling wallet access via Ethereum blockchain plus chat support posing as technical staff. Victims open legitimate crypto apps but enter malicious sites letting criminals steal funds. The report details the mass distribution of these DIY crypto fraud kits.
Security

Cloudflare Hacked By Suspected State-Sponsored Threat Actor (securityweek.com) 19

wiredmikey writes: Web security and CDN giant Cloudflare said it was hacked by a threat actor using stolen credentials to access internal systems, code repositories, along with an AWS environment, as well as Atlassian Jira and Confluence. The goal of the attack, Cloudflare says, was to obtain information on the company's infrastructure, likely to gain a deeper foothold.

According to Cloudflare, more than 5,000 individual production credentials were rotated following the incident, close to 5,000 systems were triaged, test and staging systems were physically segmented, and every machine within the Cloudflare global network was reimaged and rebooted.

Businesses

Okta To Lay Off 7% of Staff Because 'Reality is That Costs Are Still Too High' (cnbc.com) 35

Identity management company Okta said on Thursday in a message to employees that it would lay off 400 employees, about 7% of the company's headcount. From a report: CEO Todd McKinnon said in his message that the "reality is that costs are still too high." Okta is only the latest tech company to trim headcount in the opening weeks of 2024. Nearly 24,000 tech workers lost their jobs in January alone, even as many tech companies saw their stock prices continue to grow.
Portables (Apple)

Apple Declares Last MacBook Pro With an Optical Drive Obsolete (arstechnica.com) 69

Apple has discontinued support for the mid-2012 13-inch MacBook Pro, the last model to include an optical drive. Products are considered obsolete when Apple ceased distribution over 7 years ago, making service and parts unavailable. The laptop was removed from Apple's lineup in 2016 but remained compatible with macOS until Big Sur in 2020. While optical drives had already fallen out of favor, the phase out marks the end of an era for pro users requiring discs for media production.
China

FBI Director Warns Chinese Hackers Aim To 'Wreak Havoc' On US Critical Infrastructure (nbcnews.com) 98

"China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike," said FBI Director Christopher Wray in a prepared testimony before the House Select Committee on the Chinese Communist Party. NBC News reports: Wray also argued that "there has been far too little public focus" that Chinese hackers are targeting critical infrastructure in the U.S. such as water treatment plants, electrical grids, oil and natural gas pipelines, and transportation systems, according to the prepared remarks. "And the risk that poses to every American requires our attention -- now," his prepared testimony said.

As Wray testified, the Justice Department and FBI announced they had disabled a Chinese hacking operation that had infected hundreds of small office and home routers with botnet malware that targeted critical infrastructure. The DOJ said the hackers, known to the private sector as "Volt Typhoon," used privately owned small routers that were infected with "KV botnet" malware to conceal further Chinese hacking activities against U.S. and foreign victims. Wray addressed the malware in his testimony, emphasizing that it targets critical infrastructure in the U.S. [...]

At Wednesday's hearing, the director of the federal Cybersecurity and Infrastructure Security Agency, Jen Easterly, testified that Americans should expect efforts by China to wage influence campaigns online relating to the 2024 election. However, Easterly added that she was confident that voting systems and other election infrastructure are well-defended. "To be very clear, Americans should have confidence in the integrity of our election infrastructure because of the enormous amount of work that's been done by state and local election officials, by the federal government, by vendors, by the private sector since 2016," Easterly said in her testimony.

Wray emphasized in the remarks that the "cyber onslaught" of Chinese hackers "goes way beyond prepositioning for future conflict," saying in the prepared remarks that every day the hackers are "actively attacking" U.S. economic security, engaging in "wholesale theft of our innovation, and our personal and corporate data." "And they don't just hit our security and economy. They target our freedoms, reaching inside our borders, across America, to silence, coerce, and threaten our citizens and residents," the excerpts said.

Security

Ivanti Patches Two Zero-Days Under Attack, But Finds Another (techcrunch.com) 1

Ivanti warned on Wednesday that hackers are exploiting another previously undisclosed zero-day vulnerability affecting its widely used corporate VPN appliance. From a report: Since early December, Chinese state-backed hackers have been exploiting Ivanti Connect Secure's flaws -- tracked as CVE-2023-46805 and CVE-2024-21887 -- to break into customer networks and steal information. Ivanti is now warning that it has discovered two additional flaws -- tracked as CVE-2024-21888 and CVE-2024-21893 -- affecting its Connect Secure VPN product. The former is described as a privilege escalation vulnerability, while the latter -- known as a zero-day because Ivanti had no time to fix the bug before hackers began exploiting it -- is a server-side bug that allows an attacker access to certain restricted resources without authentication. In its updated disclosure, Ivanti said it has observed "targeted" exploitation of the server-side bug. Germany's Federal Office for Information Security, known as the BSI, said in a translated advisory on Wednesday that it has knowledge of "multiple compromised systems."
IT

Binance Code and Internal Passwords Exposed on GitHub for Months (404media.co) 12

A highly sensitive cache of code, infrastructure diagrams, internal passwords, and other technical information belonging to cryptocurrency giant Binance has been sitting on a publicly accessible GitHub repository for months, 404 Media has learned. From a report: Binance only managed to have GitHub remove the data under a copyright takedown request last week, but not before 404 Media and other people managed to view it. Although there is no public evidence this data was accessed or used by malicious parties, the cache contained a wealth of information that could be useful to hackers looking to compromise Binance's systems.

"This account is using our client's internal code which poses significant risk to Binancec. and causes severe financial harm to Binance and user's confusion/harm," a section of the takedown request, available on GitHub, reads. Another section says the GitHub repository is "hosting and distributing leaks of internal code which poses significant risk to BINANCE." For example, one diagram included in a folder called "binance-infra-2.0" shows the interlocking between different parts of Binance's various dependencies. The cache also contains a wealth of scripts and code. Some of that code appears to relate to how Binance implements passwords and multi-factor authentication. The code includes comments in both English and Chinese.

Science

Add Bacteria To the List of Things That Can Run Doom (theregister.com) 41

An anonymous reader shares a report: In a somewhat groundbreaking yet bizarre scientific feat, MIT biotechnology PhD student researcher Lauren "Ren" Ramlan has coaxed a simulation of the humble E. coli bacteria into a rudimentary screen capable of displaying the iconic video game. However, before you get too excited about playing games in a petri dish, there's a catch. According to Ramlan's simulation, displaying a single frame of Doom on these bioluminescent bacteria -- should anyone attempt to do this with the real thing -- would take roughly 70 minutes, with a full reset to the bacteria's original state taking a whopping eight hours and 20 minutes.

Dubbed a step into the world of biological screens, Ramlan engineered a system where the bacteria would function as 1-bit pixels, toggling between light and dark states. This bio-display utilizes a well plate in a 32x48 array, each containing genetically modified E. coli that can be induced to fluoresce, creating a grid of pixel-like structures.

Microsoft

'Microsoft Stole My Chrome Tabs, and It Wants Yours, Too' (theverge.com) 143

Tom Warren, writing for The Verge: Last week, I turned on my PC, installed a Windows update, and rebooted to find Microsoft Edge automatically open with the Chrome tabs I was working on before the update. I don't use Microsoft Edge regularly, and I have Google Chrome set as my default browser. Bleary-eyed at 9AM, it took me a moment to realize that Microsoft Edge had simply taken over where I'd left off in Chrome. I never imported my data into Microsoft Edge, nor did I confirm whether I wanted to import my tabs. But here was Edge automatically opening after a Windows update with all the Chrome tabs I'd been working on. I didn't even realize I was using Edge at first, and I was confused why all my tabs were suddenly logged out.

After the shock wore off, I looked to make sure I hadn't accidentally allowed this behavior. I found a setting in Microsoft Edge that imports data from Google Chrome on each launch. "Always have access to your recent browsing data each time you browse on Microsoft Edge," reads Microsoft's description of the feature in Edge. This setting was disabled, and I had never been asked to turn it on. So I went to install the same Windows update on a laptop, which actually resulted in it failing and my having to do a system restore. Once the system restore was complete, the same thing happened. Edge opened automatically with all of my Chrome tabs. I haven't been able to replicate the behavior on other PCs, but a number of X users replied to my post about this saying they have experienced the same thing in the past.

Security

ChatGPT is Leaking Passwords From Private Conversations of Its Users - Report (arstechnica.com) 62

Dan Goodin, reporting for ArsTechnica: ChatGPT is leaking private conversations that include login credentials and other personal details of unrelated users, screenshots submitted by an Ars reader on Monday indicated. Two of the seven screenshots the reader submitted stood out in particular. Both contained multiple pairs of usernames and passwords that appeared to be connected to a support system used by employees of a pharmacy prescription drug portal. An employee using the AI chatbot seemed to be troubleshooting problems they encountered while using the portal.

"THIS is so f-ing insane, horrible, horrible, horrible, i cannot believe how poorly this was built in the first place, and the obstruction that is being put in front of me that prevents it from getting better," the user wrote. "I would fire [redacted name of software] just for this absurdity if it was my choice. This is wrong." Besides the candid language and the credentials, the leaked conversation includes the name of the app the employee is troubleshooting and the store number where the problem occurred. The entire conversation goes well beyond what's shown in the redacted screenshot above. A link Ars reader Chase Whiteside included showed the chat conversation in its entirety. The URL disclosed additional credential pairs. The results appeared Monday morning shortly after reader Whiteside had used ChatGPT for an unrelated query.

United States

US Disabled Chinese Hacking Network Targeting Critical Infrastructure (reuters.com) 24

The U.S. government in recent months launched an operation to fight a pervasive Chinese hacking operation that successfully compromised thousands of internet-connected devices, Reuters reported Tuesday, citing two Western security officials and another person familiar with the matter. From the report: The Justice Department and Federal Bureau of Investigation sought and received legal authorization to remotely disable aspects of the Chinese hacking campaign, the sources told Reuters. The Biden administration has increasingly focused on hacking, not only for fear nation states may try to disrupt the U.S. election in November, but because ransomware wreaked havoc on Corporate America in 2023.

The hacking group at the center of recent activity, Volt Typhoon, has especially alarmed intelligence officials who say it is part of a larger effort to compromise Western critical infrastructure, including naval ports, internet service providers and utilities. While the Volt Typhoon campaign initially came to light in May 2023, the hackers expanded the scope of their operations late last year and changed some of their techniques, according to three people familiar with the matter. The widespread nature of the hacks led to a series of meetings between the White House and private technology industry, including several telecommunications and cloud computing companies, where the U.S. government asked for assistance in tracking the activity.

Windows

German Railway Company Is Looking For MS-DOS and Windows 3.11 Admin (tomshardware.com) 199

New submitter betso.net shares a report: A German railway firm posted a vacancy for a Windows 3.11 Administrator just before the weekend. In addition to skills in wrangling Windows for Workgroups on the 30-year-old operating system, the recruiter would look upon a candidate more fondly for possessing MS-DOS experience. The admin would purportedly oversee systems with 166MHz processors and a whopping 8MB of RAM. It might seem slightly worrying that modern railways are still running on such ancient systems, but mission-critical systems often adhere to the "if it ain't broke, don't fix it" philosophy.
Security

Mistakenly Published Password Exposes Mercedes-Benz Source Code (techcrunch.com) 29

An anonymous reader quotes a report from TechCrunch: Mercedes-Benz accidentally exposed a trove of internal data after leaving a private key online that gave "unrestricted access" to the company's source code, according to the security research firm that discovered it. Shubham Mittal, co-founder and chief technology officer of RedHunt Labs, alerted TechCrunch to the exposure and asked for help in disclosing to the car maker. The London-based cybersecurity company said it discovered a Mercedes employee's authentication token in a public GitHub repository during a routine internet scan in January. According to Mittal, this token -- an alternative to using a password for authenticating to GitHub -- could grant anyone full access to Mercedes's GitHub Enterprise Server, thus allowing the download of the company's private source code repositories.

"The GitHub token gave 'unrestricted' and 'unmonitored' access to the entire source code hosted at the internal GitHub Enterprise Server," Mittal explained in a report shared by TechCrunch. "The repositories include a large amount of intellectual property connection strings, cloud access keys, blueprints, design documents, [single sign-on] passwords, API Keys, and other critical internal information." Mittal provided TechCrunch with evidence that the exposed repositories contained Microsoft Azure and Amazon Web Services (AWS) keys, a Postgres database, and Mercedes source code. It's not known if any customer data was contained within the repositories. It's not known if anyone else besides Mittal discovered the exposed key, which was published in late-September 2023.
A Mercedes spokesperson confirmed that the company "revoked the respective API token and removed the public repository immediately."

"We can confirm that internal source code was published on a public GitHub repository by human error. The security of our organization, products, and services is one of our top priorities. We will continue to analyze this case according to our normal processes. Depending on this, we implement remedial measures."
IT

Office Mandates Don't Help Companies Make More Money, Study Finds (spokesman.com) 70

Remember that cheery corporate video Internet Brands tried announcing their new (non-negotiable) hybrid return-to-office policy (with the festive song "Iko Iko" playing in the background)? They've now pulled the video from Vimeo.

Could that signal a larger shift in attitudes about working from home? The Washington Post reports: Now, new research from the Katz Graduate School of Business at the University of Pittsburgh suggests that office mandates may not help companies' financial performances, but they can make workers less satisfied with their jobs and work-life balance... "We will not get back to the time when as many people will be happy working from the office the way they were before the pandemic," said Mark Ma, co-author of the study and associate professor at the Katz Graduate School of Business. Additionally, mandates make workers less happy, therefore less productive and more likely to look for a new job, he said.

The study analyzed a sample of Standard & Poor's 500 firms to explore the effects of office mandates, including average change in quarterly results and company stock price. Those results were compared with changes at companies without office mandates. The outcome showed the mandates made no difference. Firms with mandates did not experience financial boosts compared with those without. The sample covered 457 firms and 4,455 quarterly observations between June 2019 and January 2023...

"There are compliance issues universally," said Prithwiraj Choudhury, a Harvard Business School professor who studies remote work. "Some companies are issuing veiled threats about promotions and salary increases ... which is unfortunate because this is your talent pool, your most valuable resource...." Rather than grappling with mandates as a means of boosting productivity, companies should instead focus on structuring their policies on a team basis, said Choudhury of Harvard. That means not only understanding the frequency and venue in which teams would be most productive in-person, but also ensuring that in-person days are structured for more collaboration. Requiring employees to work in-office to boost productivity in general has yet to prove itself out, he added.

"Return-to-office is just a knee-jerk reaction trying to make the world go back to where it was instead of recognizing this as a point for fundamental transformation," he said. "I call them return-to-the-past mandates."

The article cites US Bureau of Labor Statistics figures showing movement in the other direction. Roughly 78% of workers ages 16 and older "worked entirely on-site in December 2023, down from 81% a year earlier" — and for tech workers only 34% worked entirely on-site last month compared with 38% last year.

"Still, some companies are going all in on mandates, reminding workers and sometimes threatening promotions and job security for noncompliance. Leaders are unlikely to backtrack on mandates once they have been implemented because that could be viewed as admitting they made a mistake, said Ma."
Transportation

18-Year-Old Cleared After Encrypted Snapchat Joke Led To F-18s and Arrest (bbc.co.uk) 133

Slashdot reader Bruce66423 shared this report from the BBC: A Spanish court has cleared a British man of public disorder, after he joked to friends about blowing up a flight from London Gatwick to Menorca.

Aditya Verma admitted he told friends in July 2022: "On my way to blow up the plane. I'm a member of the Taliban." But he said he had made the joke in a private Snapchat group and never intended to "cause public distress"... The message he sent to friends, before boarding the plane, went on to be picked up by UK security services. They then flagged it to Spanish authorities while the easyJet plane was still in the air.

Two Spanish F-18 fighter jets were sent to flank the aircraft. One followed the plane until it landed at Menorca, where the plane was searched. Mr Verma, who was 18 at the time, was arrested and held in a Spanish police cell for two days. He was later released on bail... If he had been found guilty, the university student faced a fine of up to €22,500 (£19,300 or $20,967) and a further €95,000 (£81,204 or $103,200) in expenses to cover the cost of the jets being scrambled.

But how did his message first get from the encrypted app to the UK security services? One theory, raised in the trial, was that it could have been intercepted via Gatwick's Wi-Fi network. But a spokesperson for the airport told BBC News that its network "does not have that capability"... A spokesperson for Snapchat said the social media platform would not "comment on what's happened in this individual case".
richi (Slashdot reader #74,551) thinks it's obvious what happened: SnapChat's own web site says they scan messages for threats and pass them on to the authorities. ("We also work to proactively escalate to law enforcement any content appearing to involve imminent threats to life, such as...bomb threats...."

"In the case of emergency disclosure requests from law enforcement, our 24/7 team usually responds within 30 minutes.")
Businesses

Tech Stocks Hit New Records as Tech Layoffs Rise Amid AI Hiring Sprees (cnbc.com) 61

An anonymous Slashdot reader shared this report from CNBC: The S&P 500 is trading at a record and the Nasdaq is at its highest in two years. Alphabet shares reached a new pinnacle on Thursday, as did Meta and Microsoft, which ran past $3 trillion in market cap.

Don't tell that to the bosses.

While Wall Street cheers on Silicon Valley, tech companies are downsizing at an accelerating clip. So far in January, some 23,670 workers have been laid off from 85 tech companies, according to the website Layoffs.fyi. That's the most since March, when almost 38,000 people in the industry were shown the exits. Activity picked up this week with SAP announcing job changes or layoffs for 8,000 employees and Microsoft cutting 1,900 positions in its gaming division. Additionally, high-valued fintech startup Brex laid off 20% of its staff and eBay slashed 1,000 jobs, or 9% of its full-time workforce... Earlier in the month, Google confirmed that it cut several hundred jobs across the company, and Amazon has eliminated hundreds of positions spanning its Prime Video, MGM Studios, Twitch and Audible divisions. Unity said it's cutting about 25% of its staff, and Discord, which offers a popular messaging service used by gamers, is shedding 17% of its workforce...

Investors lauded the cost-cutting measures that companies put in place last year in response to rising inflation, interest rates hikes, recession concerns and a brutal market downturn in 2022. Even with an improving economic outlook, the thriftiness continues. Layoffs peaked in January of last year, when 277 technology companies cut almost 90,000 jobs, as the tech industry was forced to reckon with the end of a more than decade-long bull market. Most of the rightsizing efforts took place in the first quarter of 2023, and the number of cuts proceeded to decline each month through September, before ticking up toward the end of the year.

One explanation for the January surge as companies budget for the year ahead: They've learned they can do more with less... Nigel Vaz, CEO of consulting firm Publicis Sapient, told CNBC that some companies are probably looking at the boon that Meta and Salesforce got after their hefty cost-cutting measures last year... At the large publicly traded companies, there's an "intense focus" on profitability, margins and cost cutting, said Tim Herbert, chief research officer at CompTIA, which tracks trends across the tech sector.

CNBC emphasizes that layoff numbers are much lower than last year, according to the CEO of the company that owns the tech-recruiting site Dice — and that the layoffs aren't limited to the tech industry. But the article also argues that "AI demand is so great that some tech companies are cutting headcount in parts of the business to invest more heavily in developing AI products." (SAP specifically said its restructuring aimed to boost "focus on key strategic growth areas, in particular Business AI.")

And elsewhere CNBC writes that "As tech firms prioritize investments into artificial intelligence and go on a hiring spree, other segments are likely to see layoffs continue into 2024, according to industry experts."
Microsoft

HP, Many More Companies May Have Been Breached By Russian Intelligence Group (msn.com) 27

"Security experts expect many more companies to disclose that they've been hacked by Russian intelligence agents who stole emails from executives," reports the Washington Post, "following disclosures by Microsoft and Hewlett-Packard Enterprise in the past week." Microsoft said late Thursday that it had found more victims and was in the process of notifying them. A spokesperson declined to say how many. But three experts in and out of government said that the attack was deeper and broader than the disclosures to date reveal. Two said that more than 10 companies, and perhaps far more, are expected to come forward...

The Securities and Exchange Commission last year strengthened the rules that require companies to notify their stockholders of computer intrusions that could have a material impact on company results. That helped spur the recent disclosures.

A spokesperson for America's Department of Homeland Security said "at this time we are not aware of impacts to Microsoft customer environments or products," according to the article. (Although the Washington Post adds that "The Microsoft and HPE breaches are especially concerning because so many other companies and agencies rely on them for cloud services, including email.")

The attackers were potentially spying on Microsoft's senior leadership team "for weeks or months," reports the Verge, citing a newly-published analysis by Microsoft: Crucially, the non-production test tenant account that was breached didn't have two-factor authentication enabled. [A cyber-breaching group named Nobelium from Russia's foreign intelligence service] "tailored their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection," says Microsoft. From this attack, the group "leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment...." This elevated access allowed the group to create more malicious OAuth applications and create accounts to access Microsoft's corporate environment and eventually its Office 365 Exchange Online service that provides access to email inboxes...

Hewlett Packard Enterprise (HPE) revealed earlier this week that the same group of hackers had previously gained access to its "cloud-based email environment." HPE didn't name the provider, but the company did reveal the incident was "likely related" to the "exfiltration of a limited number of [Microsoft] SharePoint files as early as May 2023."

Electronic Frontier Foundation

EFF Adds Street Surveillance Hub So Americans Can Check Who's Checking On Them (theregister.com) 56

An anonymous reader quotes a report from The Register: For a country that prides itself on being free, America does seem to have an awful lot of spying going on, as the new Street Surveillance Hub from the Electronic Frontier Foundation shows. The Hub contains detailed breakdowns of the type of surveillance systems used, from bodycams to biometrics, predictive policing software to gunshot detection microphones and drone-equipped law enforcement. It also has a full news feed so that concerned citizens can keep up with the latest US surveillance news; they can also contribute to the Atlas of Surveillance on the site.

The Atlas, started in 2019, allows anyone to check what law enforcement is being used in their local area -- be it license plate readers, drones, or gunshot detection microphones. It can also let you know if local law enforcement is collaborating with third parties like home security vendor Ring to get extra information. EFF policy analyst Matthew Guariglia told The Register that once people look into what's being deployed using their tax dollars, a lot of red flags are raised. Over the last few years America's thin blue line have not only been harvesting huge amounts of data themselves, but also buying it in from commercial operators. The result is a perfect storm on privacy -- with police, homeowners, and our personal technology proving to be a goldmine of intrusive information that's often misused.
