An anonymous reader shares a report: September has been a big month for desktop hypervisors, with the field's big players all delivering significant updates. Oracle delivered VirtualBox version 7.1, billed as a major upgrade thanks to its implementation of a UI with a "modernized look and feel, offering a selection between Basic and Experienced user level with reduced or full UI functionality."

[...] Parallels also released a desktop hypervisor update last week. Version 20 of the eponymous tool now offers a VM that's packed with tools developers may find handy as they work on generative AI applications. Among those tools are the Docker community edition, lmutils, the OpenCV computer vision library, and the Ollama chatbot interface for AI models. [...] The other big player in desktop hypervisors is VMware, with its Fusion and Workstation products for macOS and Windows respectively. Both were recently updated.

Luxury camera maker Leica Camera reported record sales in 2023, defying the global decline in digital camera demand. The German company's Q3 model, priced at $6,000, saw six-month waiting lists upon release last year. Industry data shows premium camera sales are surging as smartphone photography dominates the consumer market, Economist writes.

The Camera and Imaging Products Association reports the average camera price has tripled in six years as manufacturers shift focus to high-end models. Fujifilm's X100 series, launched in February at $1,600, is sold out and commanding higher prices on secondary markets. Nikon and other brands are following suit, prioritizing premium offerings. From a report: In a Japanese interview with Yomiuri, Nikon's president, Muneaki Tokunari, acknowledged that while smartphones harmed overall sales of digital interchangeable lens cameras, they may contribute to the demand for high-end cameras. Not many years removed from dire straits, Tokunari also outlined Nikon's ambitious expansion plans, including its recent acquisition of RED Digital Cinema.

Tokunari says that many camera businesses were recently operating at a loss and that some competitors excited the photo business altogether. This was, unsurprisingly, driven in large part by the massive growth of the smartphone market and the improving quality of smartphone cameras, which reached the "good enough" stage the late Steve Jobs predicted years before the camera industry felt the sting of smartphones.

However, "We are now in an age where smartphones and digital cameras can coexist," Tokunari explains in the machine-translated Yomiuri interview, initially spotted by Digicame-Info. "Global sales of digital cameras have fallen to one-twentieth of their peak. However, domestic companies are doing well. The top five companies hold most of the world's market share. This is a rare example in Japanese industry."

Google is updating the post-quantum cryptography in Chrome, replacing the experimental Kyber with the fully standardized Module Lattice Key Encapsulation Mechanism (ML-KEM) to enhance protection against quantum computing attacks. BleepingComputer reports: This change comes roughly five months after Google rolled out the post-quantum secure TLS key encapsulation system on Chrome stable for all users, which also caused some problems with TLS exchanges. The move from Kyber to ML-KEM though is not related to those early problems, that got resolved soon after manifesting. Rather, its a strategic choice to abandon an experimental system for a NIST-approved and fully standardized mechanism.

ML-KEM was fully endorsed by the U.S. National Institute of Standards and Technology (NIST) in mid-August, with the agency publishing the complete technical specifications of the final version at the time. Google explains that despite the technical changes from Kyber to ML-KEM being minor, the two are essentially incompatible, so a switch had to be made. "The changes to the final version of ML-KEM make it incompatible with the previously deployed version of Kyber," explains Google. "As a result, the codepoint in TLS for hybrid post-quantum key exchange is changing from 0x6399 for Kyber768+X25519, to 0x11EC for ML-KEM768+X25519."

Apple has increased its out-of-warranty battery replacement fee for iPhone 16 Pro models. From a report: Apple Stores can replace the battery inside an iPhone 16 Pro or iPhone 16 Pro Max for $119 in the U.S., which is up from $99 for the iPhone 15 Pro and iPhone 15 Pro Max. This is a 20% increase to the fee, which includes the cost of a new battery and service by an Apple Store. The fee may vary at third-party Apple Authorized Service Providers. The fee remains $99 for the standard iPhone 16 and iPhone 16 Plus. Customers with AppleCare+ can still get an iPhone 16 Pro battery replaced for free, but only if the battery retains less than 80% of its original capacity.

Apple says all four iPhone 16 models are equipped with larger batteries, and all of the devices received an internal redesign for improved heat dissipation, according to the company. A metal enclosure was rumored for at least some iPhone 16 batteries, but we are still waiting for teardowns to get a proper look inside of the devices.

Microsoft has abandoned plans to overhaul its Edge browser interface, scrapping the design choice unveiled in February 2023. The redesign -- featuring a sleeker look with rounded tab buttons and increased blur effects -- aimed to give Edge a distinct identity as the company pushed into AI services. The new design never officially launched and the company has no intention to launch it later, according to Microsoft-focused news outlet Windows Central.

A Microsoft spokesperson confirmed to Windows Central that the company is moving away from the rounded tabs concept. Some elements of the redesign will remain, including webpage borders and a repositioned user button, but the majority of the proposed changes have been shelved. The decision marks a retreat from Microsoft's efforts to visually differentiate Edge from Google Chrome and align it with Windows 11's design language.

On Tuesday Ivanti issued a "high severity vulnerability" announcement for version 4.6 of its Cloud Service Appliance (or CSA). "Successful exploitation could lead to unauthorized access to the device running the CSA." And Friday that announcement got an update: Ivanti "has confirmed exploitation of this vulnerability in the wild."

While Ivanti released a security update, they warned that "with the end-of-life status this is the last fix that Ivanti will backport for this version. Customers must upgrade to Ivanti CSA 5.0 for continued support."

This prompted a response from CISA (the Cybersecurity and Infrastructure Security Agency, part of the U.S. Department of Homeland Security). The noted that Ivanti is urging customers to upgrade to version 5.0, as "Ivanti no longer supports CSA 4.6 (end-of-life)." But in addition, CISA "ordered all federal civilian agencies to remove CSA 4.6. from service or upgrade to the 5.0. by October 4," reports the Record: Ivanti said users will know they are impacted by exploitation of the bug by looking to see if there are modified or newly added administrative users. They also urged customers to check security alerts if they have certain security tools involved.

The issue arose one day after another Ivanti bug caused alarm among defenders. The company pledged a security overhaul in April after a cascade of headline-grabbing nation-state attacks broke through the systems of government agencies in the U.S. and Europe using vulnerabilities in Ivanti products.

For 30 days, 17,000 AT&T workers in nine different states from the CWA union went on strike. As it began one North Carolina newspaper noted some AT&T customers "report prolonged internet outages." Last week an Emory University economist told NPR that "If it wasn't disruptive or it didn't have any kind of negative element towards customers, then AT&T, I suspect, wouldn't feel any kind of pressure to negotiate."

The 30-day strike was "the longest telecommunications strike in the region's history," according to the union — announcing today that they'd now negotiated "strong tentative contract agreements" and that workers would report to work for their scheduled shifts tomorrow. The new contract in the Southeast covers 17,000 workers technicians, customer service representatives and others who install, maintain and support AT&T's residential and business wireline telecommunications network in Alabama, Florida, Georgia, Kentucky, Louisiana, Mississippi, North Carolina, South Carolina and Tennessee.

Wages and health care costs were key issues at the bargaining table, and the five-year agreement includes across the board wage increases of 19.33%, with additional 3% increases for Wire Technicians and Utility Operations. The health care agreement holds health care premiums steady in the first year and lowers them in the second and third years, with modest monthly increases in the final two years.
The statement adds that "CWA members and retirees from every region and sector of our union mobilized in support of our bargaining teams, including by distributing flyers with information about the strike at AT&T Wireless stores." CWA District 3 Vice President Richard Honeycutt added "We know that our customers have faced hardship during the strike as well. We are happy to be getting back to work keeping our communities safe and connected."

There's also a separate four-year agreement covering 8,500 AT&T West workers in California and Nevada. "Union members will meet to review the tentative agreements, before holding ratification votes in each region."

AT&T's chief operating officer said the Southeast agreement will "support our competitive position in the broadband industry where we can grow and win against our mostly non-union competitors."

The Rust foundation is making "considerable progress" on a complete security audit of the Rust ecosystem, according to the coding news site I Programmer, citing a newly-released report from the nonprofit Rust foundation: The foundation is investigating the development of a Public Key Infrastructure (PKI) model for the Rust language, including the design and implementation for a PKI CA and a resilient Quorum model for the project to implement, and the report says that language updates suggested by members of the Project were nearly ready for implementation.

Following the XZ backdoor vulnerability, the Security Initiative has focused on supply chain security, including work on provenance-tracking, verifying that a given crate is actually associated with the repository it claims to be. The top 5,000 crates by download count have been checked and verified.

Threat modeling has now been completed on the Crates ecosystem. Rust Infrastructure, crates.io and the Rust Project.

Two open source security tools, Painter and Typomania, have been developed and released. Painter can be used to build a graph database of dependencies and invocations between all crates within the crates.io ecosystem, including the ability to obtain 'unsafe' statistics, better call graph pruning, and FFI boundary mapping. Typomania ports typogard to Rust, and can be used to detect potential typosquatting as a reusable library that can be adapted to any registry.
They've also tightened admin privileges for Rust's package registry, according to the article. And "In addition to the work on the Security Initiative, the Foundation has also been working on improving interoperability between Rust and C++, supported by a $1 million contribution from Google."

According to the Rust foundation's technology director, they've made "impressive technical strides and developed new strategies to reinforce the safety, security, and longevity of the Rust programming language." And the director says the new report "paints a clear picture of the impact of our technical projects like the Security Initiative, Safety-Critical Rust Consortium, infrastructure and crates.io support, Interop Initiative, and much more."

"A two-day AI Labor Summit between AFL-CIO leaders and Microsoft executives this week reflects the tech giant's revamped approach to unions," writes GeekWire, "which includes a pledge by the company to incorporate feedback from labor unions and their members into the development of artificial intelligence."

But just two days later, "Microsoft Gaming CEO Phil Spencer announced it was game over for the jobs of another 650 Microsoft staffers (on top of an earlier 1,900 employee staff reduction)," writes long-time Slashdot reader theodp, "cuts that Spencer made clear were related to Microsoft's $69B acquisition of Activision Blizzard in 2023." Interestingly, Microsoft's Smith in October 2023 affirmed a "groundbreaking neutrality agreement" with the Communications Workers of America union (CWA) — designed to go into effect if Microsoft was successful in its acquisition of Activision Blizzard — in which Microsoft acknowledged the rights of its employees to unionize and pledged to work constructively with any who did. At the same time, Microsoft made it clear that it hoped its employees wouldn't feel the need to form or join unions, saying they would "never need to organize to have a dialogue with Microsoft's leaders."

In July 2023, the AFL-CIO applauded Microsoft's Activision Blizzard acquisition and the Microsoft-CWA agreement, which AFL-CIO union federation president Liz Shuler said "sets a new standard for respecting workers' rights in the video game industry and the larger technology sector." And in December 2023, Shuler thanked Smith for Microsoft's "absolutely historic partnership" on AI and the Future of the Workforce, which Shuler suggested "can be mutually beneficial for workers, for businesses, and for our country as a whole."
Thursday the CWA union issued critical remarks about the layoffs at Microsoft Gaming (which were later retweeted by the @AFLCIO Twitter account).

"While we would hope that a company like Microsoft with $88 billion in profits last year could achieve 'long-term success' without destroying the livelihoods of 650 of our colleagues, heartless layoffs like these have become all too common."

23andMe has agreed to pay $30 million to settle a lawsuit over a data breach that exposed the personal information of 6.4 million customers in 2023. BleepingComputer reports: The proposed class action settlement (PDF), filed Thursday in a San Francisco federal court and awaiting judicial approval, includes cash payments for affected customers, which will be distributed within ten days of final approval. "23andMe believes the settlement is fair, adequate, and reasonable," the company said in a memorandum filed (PDF) Friday.

23andMe has also agreed to strengthen its security protocols, including protections against credential-stuffing attacks, mandatory two-factor authentication for all users, and annual cybersecurity audits. The company must also create and maintain a data breach incident response plan and stop retaining personal data for inactive or deactivated accounts. An updated Information Security Program will also be provided to all employees during annual training sessions. "23andMe denies the claims and allegations set forth in the Complaint, denies that it failed to properly protect the Personal Information of its consumers and users, and further denies the viability of Settlement Class Representatives' claims for statutory damages," the company said in the filed preliminary settlement.

"23andMe denies any wrongdoing whatsoever, and this Agreement shall in no event be construed or deemed to be evidence of or an admission or concession on the part of 23andMe with respect to any claim of any fault or liability or wrongdoing or damage whatsoever."

An anonymous reader quotes a report from Ars Technica: Researchers still don't know the cause of a recently discovered malware infection affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries. Security firm Doctor Web reported Thursday that malware named Android.Vo1d has backdoored the Android-based boxes by putting malicious components in their system storage area, where they can be updated with additional malware at any time by command-and-control servers. Google representatives said the infected devices are running operating systems based on the Android Open Source Project, a version overseen by Google but distinct from Android TV, a proprietary version restricted to licensed device makers.

Although Doctor Web has a thorough understanding of Vo1d and the exceptional reach it has achieved, company researchers say they have yet to determine the attack vector that has led to the infections. "At the moment, the source of the TV boxes' backdoor infection remains unknown," Thursday's post stated. "One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access." The following device models infected by Vo1d are: [R4, TV BOX, KJ-SMART4KVIP].

One possible cause of the infections is that the devices are running outdated versions that are vulnerable to exploits that remotely execute malicious code on them. Versions 7.1, 10.1, and 12.1, for example, were released in 2016, 2019, and 2022, respectively. What's more, Doctor Web said it's not unusual for budget device manufacturers to install older OS versions in streaming boxes and make them appear more attractive by passing them off as more up-to-date models. Further, while only licensed device makers are permitted to modify Google's AndroidTV, any device maker is free to make changes to open source versions. That leaves open the possibility that the devices were infected in the supply chain and were already compromised by the time they were purchased by the end user. "These off-brand devices discovered to be infected were not Play Protect certified Android devices," Google said in a statement. "If a device isn't Play Protect certified, Google doesn't have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety."

Users can confirm if their device runs Android TV OS via this link and following the steps here.

An anonymous reader quotes a report from Wired: You can tell a lot about someone from their eyes. They can indicate how tired you are, the type of mood you're in, and potentially provide clues about health problems. But your eyes could also leak more secretive information: your passwords, PINs, and messages you type. Today, a group of six computer scientists are revealing a new attack against Apple's Vision Pro mixed reality headset where exposed eye-tracking data allowed them to decipher what people entered on the device's virtual keyboard. The attack, dubbed GAZEploit and shared exclusively with WIRED, allowed the researchers to successfully reconstruct passwords, PINs, and messages people typed with their eyes. "Based on the direction of the eye movement, the hacker can determine which key the victim is now typing," says Hanqiu Wang, one of the leading researchers involved in the work. They identified the correct letters people typed in passwords 77 percent of the time within five guesses and 92 percent of the time in messages.

To be clear, the researchers did not gain access to Apple's headset to see what they were viewing. Instead, they worked out what people were typing by remotely analyzing the eye movements of a virtual avatar created by the Vision Pro. This avatar can be used in Zoom calls, Teams, Slack, Reddit, Tinder, Twitter, Skype, and FaceTime. The researchers alerted Apple to the vulnerability in April, and the company issued a patch to stop the potential for data to leak at the end of July. It is the first attack to exploit people's "gaze" data in this way, the researchers say. The findings underline how people's biometric data -- information and measurements about your body -- can expose sensitive information and beused as part of the burgeoning surveillance industry.

The GAZEploit attack consists of two parts, says Zhan, one of the lead researchers. First, the researchers created a way to identify when someone wearing the Vision Pro is typing by analyzing the 3D avatar they are sharing. For this, they trained a recurrent neural network, a type of deep learning model, with recordings of 30 people's avatars while they completed a variety of typing tasks. When someone is typing using the Vision Pro, their gaze fixates on the key they are likely to press, the researchers say, before quickly moving to the next key. "When we are typing our gaze will show some regular patterns," Zhan says. Wang says these patterns are more common during typing than if someone is browsing a website or watching a video while wearing the headset. "During tasks like gaze typing, the frequency of your eye blinking decreases because you are more focused," Wang says. In short: Looking at a QWERTY keyboard and moving between the letters is a pretty distinct behavior.

The second part of the research, Zhan explains, uses geometric calculations to work out where someone has positioned the keyboard and the size they've made it. "The only requirement is that as long as we get enough gaze information that can accurately recover the keyboard, then all following keystrokes can be detected." Combining these two elements, they were able to predict the keys someone was likely to be typing. In a series of lab tests, they didn't have any knowledge of the victim's typing habits, speed, or know where the keyboard was placed. However, the researchers could predict the correct letters typed, in a maximum of five guesses, with 92.1 percent accuracy in messages, 77 percent of the time for passwords, 73 percent of the time for PINs, and 86.1 percent of occasions for emails, URLs, and webpages. (On the first guess, the letters would be right between 35 and 59 percent of the time, depending on what kind of information they were trying to work out.) Duplicate letters and typos add extra challenges.

Cybersecurity giant Fortinet has confirmed it suffered a data breach after a threat actor claimed to steal 440GB of files from the company's Microsoft Sharepoint server. From a report: Fortinet is one of the largest cybersecurity companies in the world, selling secure networking products like firewalls, routers, and VPN devices. The company also offers SIEM, network management, and EDR/XDR solutions, as well as consulting services.

Early this morning, a threat actor posted to a hacking forum that they had stolen 440GB of data from Fortinet's Azure Sharepoint instance. The threat actor then shared credentials to an alleged S3 bucket where the stolen data is stored for other threat actors to download. The threat actor, known as "Fortibitch," claims to have tried to extort Fortinet into paying a ransom, likely to prevent the publishing of data, but the company refused to pay. In response to our questions about incident, Fortinet confirmed that customer data was stolen from a "third-party cloud-based shared file drive."

Microsoft announced plans to modify Windows, enabling security vendors like CrowdStrike to operate outside the operating system's kernel. The move follows the July incident where a faulty CrowdStrike update caused widespread system failures. From a report: Microsoft says it has now "discussed the requirements and key challenges in creating a new platform which can meet the needs of security vendors" with partners like CrowdStrike, Broadcom, Sophos, and Trend Micro.

[...] While Microsoft isn't directly saying it's going to close off access to the Windows kernel, it's clearly at the early stages of designing a security platform that can eventually move CrowdStrike and others out of the kernel. Microsoft last tried to close off access to the Windows kernel in Windows Vista in 2006, but it was met with pushback from cybersecurity vendors and regulators.

An anonymous reader quotes a report from Ars Technica: Microsoft has updated a key cryptographic library with two new encryption algorithms designed to withstand attacks from quantum computers. The updates were made last week to SymCrypt, a core cryptographic code library for handing cryptographic functions in Windows and Linux. The library, started in 2006, provides operations and algorithms developers can use to safely implement secure encryption, decryption, signing, verification, hashing, and key exchange in the apps they create. The library supports federal certification requirements for cryptographic modules used in some governmental environments. Despite the name, SymCrypt supports both symmetric and asymmetric algorithms. It's the main cryptographic library Microsoft uses in products and services including Azure, Microsoft 365, all supported versions of Windows, Azure Stack HCI, and Azure Linux. The library provides cryptographic security used in email security, cloud storage, web browsing, remote access, and device management. Microsoft documented the update in a post on Monday. The updates are the first steps in implementing a massive overhaul of encryption protocols that incorporate a new set of algorithms that aren't vulnerable to attacks from quantum computers. [...]

The first new algorithm Microsoft added to SymCrypt is called ML-KEM. Previously known as CRYSTALS-Kyber, ML-KEM is one of three post-quantum standards formalized last month by the National Institute of Standards and Technology (NIST). The KEM in the new name is short for key encapsulation. KEMs can be used by two parties to negotiate a shared secret over a public channel. Shared secrets generated by a KEM can then be used with symmetric-key cryptographic operations, which aren't vulnerable to Shor's algorithm when the keys are of a sufficient size. [...] The other algorithm added to SymCrypt is the NIST-recommended XMSS. Short for eXtended Merkle Signature Scheme, it's based on "stateful hash-based signature schemes." These algorithms are useful in very specific contexts such as firmware signing, but are not suitable for more general uses. Monday's post said Microsoft will add additional post-quantum algorithms to SymCrypt in the coming months. They are ML-DSA, a lattice-based digital signature scheme, previously called Dilithium, and SLH-DSA, a stateless hash-based signature scheme previously called SPHINCS+. Both became NIST standards last month and are formally referred to as FIPS 204 and FIPS 205. In Monday's post, Microsoft Principal Product Manager Lead Aabha Thipsay wrote: "PQC algorithms offer a promising solution for the future of cryptography, but they also come with some trade-offs. For example, these typically require larger key sizes, longer computation times, and more bandwidth than classical algorithms. Therefore, implementing PQC in real-world applications requires careful optimization and integration with existing systems and standards."

A security researcher has exposed a critical vulnerability in the WHOIS system. Benjamin Harris, CEO of watchTowr, gained unprecedented access by registering an expired domain once used for .mobi's authoritative WHOIS server. His rogue server received millions of queries from thousands of systems, including government agencies, certificate authorities, and major tech companies. ArsTechnica adds: The humor aside, the rogue WHOIS server gave him powers he never should have had. One of the greatest was the ability to dictate the email address certificate authority GlobalSign used to determine if a party applying for a TLS certificate was the rightful owner of the domain name the certificate would apply to. Like the vast majority of its competitors, GlobalSign uses an automated process. An application for example.com, for instance, will prompt the certificate authority to send an email to the administrative email address listed in the authoritative WHOIS for that domain. If the party on the other end clicks a link, the certificate is automatically approved. When Harris generated a certificate signing request for microsoft.mobi, he promptly received an email from GlobalSign. The email gave him the option of receiving a verification link at whois@watchtowr.com. For ethical reasons, he stopped the experiment at this point. The vulnerability stems from outdated WHOIS client configurations, which underscores systemic weaknesses in internet infrastructure management.

Google is adding some new features to Chrome that aim to help users organize and keep track of their browser tabs across both desktop and mobile devices. From a report: The search giant announced in a new blog post that tab groups -- which enable Android and desktop Chrome users to keep related pages together in custom-labeled groups -- will start rolling out to Chrome for iOS starting today. Once Chrome is updated, iPhone and iPad users can access the feature by opening the tab grid, long-pressing on a tab, and selecting "Add Tab to New Group." Custom names and colors can then be assigned to the created tab groups to help keep them organized and easily identifiable. Another feature that's rolling out across Android and desktop Chrome apps is the ability to sync those saved tab groups across multiple devices.

wiredmikey shares a report from SecurityWeek: Microsoft on Tuesday raised an alarm for in-the-wild exploitation of a critical flaw in Windows Update, warning that attackers are rolling back security fixes on certain versions of its flagship operating system. The Windows flaw, tagged as CVE-2024-43491 and marked as actively exploited, is rated critical and carries a CVSS severity score of 9.8/10. Redmond's documentation of the bug suggests a downgrade-type attack similar to the 'Windows Downdate' issue discussed at this year's Black Hat conference. Microsoft's bulletin reads: "Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024 -- KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability."

To protect against this exploit, Microsoft says Windows users should install this month's Servicing stack update (SSU KB5043936) and the September 2024 Windows security update (KB5043083), in that order.

CrowdStrike CFO Burt Podbere says the cybersecurity firm has not faced lawsuits over July's global IT outage. Speaking at a conference, Podbere emphasized efforts to shift customer focus from legal threats to business discussions. The Register: There were dark rumblings from Delta Air Lines last month, for example, threatening litigation over alleged gross negligence. At the time, CrowdStrike reiterated its apologies, saying: "Public posturing about potentially bringing a meritless lawsuit against CrowdStrike as a long-time partner is not constructive to any party." During his time at the Citi conference, Podbere admitted: "We don't know how it's all going to shake out.

"Everything we're doing and trying to do is take the legal discussion away from our interaction with customers and move it to the business discussion. "And as time goes on, that does get easier because we're moving further away from the Sun, right? And that's how we think about it."

Workers get the right to request a four-day workweek under a new proposal by the U.K. government. But a professor of economics at the University of Leeds argues "There remain problems, however" — starting with the fact that "under current laws, employers can still resist the requests of workers, if they want to." There is also the problem of unevenness in the effect of the law. While workers in well-paid jobs have bargaining leverage to assert their legal rights, others in lower-paid jobs face minimal protection and risk direct exploitation... [A]dvancing the case for a four-day working week is likely to be more difficult if it is seen as benefiting only one section of society (one that already enjoys strong rights and privileges)....

Another problem is the scope for compressed hours — working a five-day week of around 40 hours in four days. Under the new proposal, workers requesting and getting a four-day working week will still be required to put in the same hours. Longer work days may be welcomed by some — for example, they may cut down on childcare costs. But they risk undermining the benefits of a shorter working week. Indeed, they may threaten the health of workers by creating heavier work days which they need longer to recover from. At worst, a three-day weekend may be needed to recover from a four-day working week with longer days.
While a four-day work week could improve the quality of life and help address climate change, the analysis argues that the government's proposal ultimately raises issues about the "purpose and potential" of a four-day working week, possibly suggesting other policy changes that may also be needed. "It is important that low wages are addressed alongside work-time reduction."

• "If the government is serious about achieving a four-day working week to raise productivity and improve employee wellbeing, it needs to encourage trials in the public sector... "

• "The government also needs to target a future date, say 2040, for the realisation of a four-day working week. This could be facilitated by establishing a partnership of unions and employers to identify barriers to a four-day working week and ways to overcome them."