The API tokens of tech giants Meta, Microsoft, Google, VMware, and more have been found exposed on Hugging Face, opening them up to potential supply chain attacks. From a report: Researchers at Lasso Security found more than 1,500 exposed API tokens on the open source data science and machine learning platform -- which allowed them to gain access to 723 organizations' accounts. In the vast majority of cases (655), the exposed tokens had write permissions granting the ability to modify files in account repositories. A total of 77 organizations were exposed in this way, including Meta, EleutherAI, and BigScience Workshop - which run the Llama, Pythia, and Bloom projects respectively.

The three companies were contacted by The Register for comment but Meta and BigScience Workshop did not not respond at the time of publication, although all of them closed the holes shortly after being notified. Hugging Face is akin to GitHub for AI enthusiasts and hosts a plethora of major projects. More than 250,000 datasets are stored there and more than 500,000 AI models are too. The researchers say that if attackers had exploited the exposed API tokens, it could have led to them swiping data, poisoning training data, or stealing models altogether, impacting more than 1 million users.

An anonymous reader shares a report: On Friday, genetic testing company 23andMe announced that hackers accessed the personal data of 0.1% of customers, or about 14,000 individuals. The company also said that by accessing those accounts, hackers were also able to access "a significant number of files containing profile information about other users' ancestry." But 23andMe would not say how many "other users" were impacted by the breach that the company initially disclosed in early October. As it turns out, there were a lot of "other users" who were victims of this data breach: 6.9 million affected individuals in total.

In an email sent to TechCrunch late on Saturday, 23andMe spokesperson Katie Watson confirmed that hackers accessed the personal information of about 5.5 million people who opted-in to 23andMe's DNA Relatives feature, which allows customers to automatically share some of their data with others. The stolen data included the person's name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location.

The latest post on the Google Security blog details a new upgrade to Gmail's spam filters that Google is calling "one of the largest defense upgrades in recent years." ArsTechnica: The upgrade comes in the form of a new text classification system called RETVec (Resilient & Efficient Text Vectorizer). Google says this can help understand "adversarial text manipulations" -- these are emails full of special characters, emojis, typos, and other junk characters that previously were legible by humans but not easily understandable by machines. Previously, spam emails full of special characters made it through Gmail's defenses easily.

[...] The reason emails like this have been so difficult to classify is that, while any spam filter could probably swat down an email that says "Congratulations! A balance of $1000 is available for your jackpot account," that's not what this email actually says. A big portion of the letters here are "homoglyphs" -- by diving into the endless depths of the Unicode standard, you can find obscure characters that look like they're part of the normal Latin alphabet but actually aren't.

Asking ChatGPT to repeat specific words "forever" is now flagged as a violation of the chatbot's terms of service and content policy. From a report: Google DeepMind researchers used the tactic to get ChatGPT to repeat portions of its training data, revealing sensitive privately identifiable information (PII) of normal people and highlighting that ChatGPT is trained on randomly scraped content from all over the internet. In that paper, DeepMind researchers asked ChatGPT 3.5-turbo to repeat specific words "forever," which then led the bot to return that word over and over again until it hit some sort of limit. After that, it began to return huge reams of training data that was scraped from the internet.

Using this method, the researchers were able to extract a few megabytes of training data and found that large amounts of PII are included in ChatGPT and can sometimes be returned to users as responses to their queries.

Now, when I ask ChatGPT 3.5 to "repeat the word 'computer' forever," the bot spits out "computer" a few dozen times then displays an error message: "This content may violate our content policy or terms of use. If you believe this to be in error, please submit your feedback -- your input will aid our research in this area." It is not clear what part of OpenAI's "content policy" this would violate, and it's not clear why OpenAI included that warning.

The UK's most hazardous nuclear site, Sellafield, has been hacked into by cyber groups closely linked to Russia and China, the Guardian can reveal. From the report: The astonishing disclosure and its potential effects have been consistently covered up by senior staff at the vast nuclear waste and decommissioning site, the investigation has found. The Guardian has discovered that the authorities do not know exactly when the IT systems were first compromised. But sources said breaches were first detected as far back as 2015, when experts realised sleeper malware -- software that can lurk and be used to spy or attack systems -- had been embedded in Sellafield's computer networks.

It is still not known if the malware has been eradicated. It may mean some of Sellafield's most sensitive activities, such as moving radioactive waste, monitoring for leaks of dangerous material and checking for fires, have been compromised. Sources suggest it is likely foreign hackers have accessed the highest echelons of confidential material at the site, which sprawls across 6 sq km (2 sq miles) on the Cumbrian coast and is one of the most hazardous in the world.

What's behind a supposed shortage of cybersecurity workers? Last month cybersecurity professional Ben Rothke questioned whether a "shortage" even existed. Instead Rothke argued that human resources "needs to understand how to effectively hire information security professionals. Expecting an HR generalist to find information security specialists is a fruitless endeavor at best."

Rothke — a founding member of the Cloud Security Alliance — contacted Slashdot this week with "a follow-up piece" arguing there's another problem. "How can you know how many security jobs there are if there's no real statistical data available?" (Most articles on the topic cite the exact same two studies, which Rothke sees as "not statistically defendable.") Which begs the question — how many information security jobs are there? The short answer is that no one has a clue. The problem is that there is no statistically verifiable and empirically researched data on the number of current information security jobs and what the future holds. All data to date is based on surveys and extrapolations, which is a poor way to do meaningful statistical research... Based on LinkedIn job postings, veteran industry analyst Richard Stiennon found 15,849 job openings at 1,433 cybersecurity vendors. As to the millions of security jobs, he notes that the same could be extrapolated for office administrators. There are millions of companies, but it's not like they all will need full-time security people.

Helen Patton is a veteran information security professional and CISO at Cisco Security Business Group, and the author of Navigating the Cybersecurity Career Path. As to the security jobs crisis, she notes that there are plenty of talented and capable people looking for jobs, and feels there's in fact, no crisis at all. Instead, she says part of the issue is hiring managers who don't truly stop to think about the skills required for a role, and how a candidate can demonstrate those skills. What they do is post jobs that ask for false proxies for experience — degrees, certifications, work experience — and as a consequence, they are looking for candidates that don't exist. She suggests that fixing the hiring process will go a lot further to close the skills gap, than training a legion of new people.
Challenging this supposed glut of unfilled positions, Rothke also shares some recent stories from people who've recently looked for information security jobs. ("He tried to explain to the CIO that Agile was not an appropriate methodology for security projects unless they were primarily software-based. The CIO replied, 'oh the CIO at Chase would tell you differently.' Not realizing that most projects at the bank are software-based.") If you want to know how few information security jobs there really are — speak to people who have graduated from security bootcamps and master's degree programs, and they will tell you the challenges they are facing... That's not to say there are not lots of information security jobs. It's just that there are not the exaggerated and hyperbolic amounts that are reported.

A pull request has been merged to fix a data corruption issue in OpenZFS (the open-source implementation of the ZFS file system and volume manager). "OpenZFS 2.2.2 and 2.1.14 released with fix in place," reports a Thursday comment on GitHub.

Earlier this week, jd (Slashdot reader #1,658) wrote: All versions of OpenZFS 2.2 suffer from a defect that can corrupt the data. Attempts to mitigate the bug have reduced the likelihood of it occurring, but so far nobody has been able to pinpoint what is going wrong or why.

Phoronix reported on Monday: Over the US holiday weekend it became more clear that this OpenZFS data corruption bug isn't isolated to just the v2.2 release — older versions are also susceptible — and that v2.2.1 is still prone to possible data corruption. The good news at least is that data corruption in real-world scenarios is believed to be limited but with some scripting help the corruption can be reproduced. It's also now believed that the OpenZFS 2.2 block cloning feature just makes encountering the problem more likely.

The Linux Foundation's own "Open Software Security foundation" has an associated project called Alpha-Omega funded by Microsoft, Google, and Amazon with a mission to catalyze sustainable security improvements to critical open source projects and ecosystems.

It was established nearly two years ago in February of 2022 — and this month announced plans to continue supporting the Rust Foundation Security Initiative: 2022 was also the first full year of operation for the Rust Foundation — an independent nonprofit dedicated to stewarding the Rust programming language and supporting its global community. Given the considerable growth and rising popularity of the Rust programming language in recent years, it has never been more critical to have a healthy and well-funded foundation in place to help ensure the safety and security of this important language.

When the Rust Foundation emerged, OpenSSF recognized a shared vision of global open source security baked into their organizational priorities from day one. These shared security values were the driving force behind Alpha-Omega's decision to grant $460k USD to the Rust Foundation in 2022. This funding helped underwrite their Security Initiative — a program dedicated to improving the state of security within the Rust programming language ecosystem and sowing security best practices within the Rust community. The Security Initiative began in earnest this past January and has now been in operation for a full year with many achievements to note and exciting plans in development.

While security is a clear priority of the Rust language itself and can be seen in its memory safety-critical features, the Rust Project cannot reasonably be expected to foster long term, sustainable security without proper support and funding. Indeed, there is still a pervasive attitude across technology that cybersecurity is being managed and prioritized by "someone else." The unfortunate impact of this attitude is that critical security work often falls on overburdened and under-resourced open source maintainers. By prioritizing the Security Initiative during their first full year in operation, the Rust Foundation has taken on the responsibility of overseeing — and supporting — security improvements within the Rust ecosystem while ensuring meaningful progress...

Alpha-Omega is excited to announce our second year of supporting the Rust Foundation Security Initiative. We believe that this funding will build on the good work and momentum established by the Rust Foundation in 2023. Through this partnership, we are helping relieve maintainer burdens while paving an important path towards a healthier and more secure future within the Rust ecosystem.
Meanwhile, this month the Rust Foundation announced that downloads from Rust's package repository crates.io have now reached 45 billion — and that the foundation is "committed to facilitating the healthy growth of Rust through funding and resources for the community and the Project.

"After conducting initial planning and research and getting approval from our board of directors, we are pleased to announce our intention to help fulfill this commitment by developing a Rust Foundation training and certification program." We continue to be supportive of anyone creating Rust training and education materials. In fact, we are proud to have provided funding to a few individuals involved in this work via our Community Grants Program. Our team is also aware that commercial Rust training courses already exist and that global training entities are already developing their own Rust-focused programs. Given the value of Rust in professional open source, this makes sense. However, we are eager to introduce a program that will allow us to direct profits back into the Rust ecosystem.

As a nonprofit organization, we sit in a unique position thanks to the tools, connections, insights, administrative support, and resources at our disposal — all of which will add value to course material aimed at professional development and adoption. We see our forthcoming program as one tool of many that can be used to verify skills for prospective employers, and for those employers to build out their professional teams of Rust expertise. We will remain supportive of existing training programs offered by Rust Foundation member companies and we'll look for ways to ensure this remains the case as program development progresses... There is no set launch date for the Rust Foundation training and certification program yet, but we plan to continue laying high-quality groundwork in Q4 of 2023 and the first half of 2024.

For years, India's tech graduates could bank on a job offer from one of the country's IT giants. Now those starting positions are suddenly waning, leaving hundreds of thousands in peril and creating a fresh headache for Prime Minister Narendra Modi. From a report: Infosys and Wipro were among companies that shocked students nationwide last month, saying they were cutting college recruitment as demand for their services cooled across the globe. [...] The unusual pullback from the $245 billion industry risks exacerbating youth unemployment in the world's most populous nation, a potential scar on Modi's ambitious plan to keep India growing at a fast clip and make it the third-biggest economy during his reign. The high-profile problem of youth joblessness also gives the opposition another rallying point ahead of next year's elections, in which Modi is trying to snag a third term that would extend his tenure to 15 years.

The tech-services industry is one of the largest employers in India, and accounts for 7.5% of the South Asian country's more than $3 trillion economy. The biggest tech companies have each traditionally hired tens of thousands of tech graduates every year, then rigorously trained them for tasks such as writing software for some of the world's biggest enterprises ranging from Apple to PepsiCo. The IT companies hired particularly aggressively in the past two years as the pandemic prompted customers to spend on services and technologies enabling remote working. The top two IT companies, Tata Consultancy Services and Infosys, hired more than 284,000 graduates over that period combined. Now the uncertainty caused by Russia's attack on Ukraine as well as high global inflation and interest rates are causing customers around the world to hold off on spending. Meanwhile, technologies such as artificial intelligence are increasingly performing tasks previously handled by entry-level IT workers.

An anonymous reader quotes a report from Ars Technica: Security researchers are tracking what they say is the "mass exploitation" of a security vulnerability that makes it possible to take full control of servers running ownCloud, a widely used open source file-sharing server app. The vulnerability, which carries the maximum severity rating of 10, makes it possible to obtain passwords and cryptographic keys allowing administrative control of a vulnerable server by sending a simple Web request to a static URL, ownCloud officials warned last week. Within four days of the November 21 disclosure, researchers at security firm Greynoise said, they began observing "mass exploitation" in their honeypot servers, which masqueraded as vulnerable ownCloud servers to track attempts to exploit the vulnerability. The number of IP addresses sending the web requests has slowly risen since then. At the time this post went live on Ars, it had reached 13.

CVE-2023-49103 resides in versions 0.2.0 and 0.3.0 of graphapi, an app that runs in some ownCloud deployments, depending on the way they're configured. A third-party code library used by the app provides a URL that, when accessed, reveals configuration details from the PHP-based environment. In last week's disclosure, ownCloud officials said that in containerized configurations -- such as those using the Docker virtualization tool -- the URL can reveal data used to log in to the vulnerable server. The officials went on to warn that simply disabling the app in such cases wasn't sufficient to lock down a vulnerable server. [...]

To fix the ownCloud vulnerability under exploitation, ownCloud advised users to: "Delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. Additionally, we disabled the phpinfo function in our docker-containers. We will apply various hardenings in future core releases to mitigate similar vulnerabilities.

We also advise to change the following secrets:
- ownCloud admin password
- Mail server credentials
- Database credentials
- Object-Store/S3 access-key"

Windows users are reporting that Hewlett Packard's HP Smart application is appearing on their systems, despite them not having any of the company's hardware attached. From a report: While Microsoft has remained tight-lipped on what is happening, folks on various social media platforms noted the app's appearance, which seems to afflict both Windows 10 and Windows 11. The Windows Update mechanism is used to deploy third-party applications and drivers as well as Microsoft's updates, and we'd bet someone somewhere has accidentally checked the wrong box.

Up to now, the response from affected users has been one of confusion. One noted on Reddit: "I thought that was just me. I didn't install it, it just appeared on new apps in start menu out of nowhere." Another said: "I just checked and I had it installed too. Checking the event log for the Microsoft Store shows that it installed earlier today, but I definitely did [not] request or initiate it because I do not have any devices from HP." And, of course, there was the inevitable: "Would it be that hard for Microsoft to just provide an operating system without needless bloat?" To be clear, not all users are affected.

Google Play has reversed its latest ban on a web browser that keeps getting targeted by vague Digital Millennium Copyright Act (DMCA) notices. Downloader, an Android TV app that combines a browser with a file manager, was restored to Google Play last night. From a report: Downloader, made by app developer Elias Saba, was suspended on Sunday after a DMCA notice submitted by copyright-enforcement firm MarkScan on behalf of Warner Bros. Discovery. It was the second time in six months that Downloader was suspended based on a complaint that the app's web browser is capable of loading websites.

The first suspension in May lasted three weeks, but Google reversed the latest one much more quickly. As we wrote on Monday, the MarkScan DMCA notice didn't even list any copyrighted works that Downloader supposedly infringed upon. Instead of identifying specific copyrighted works, the MarkScan notice said only that Downloader infringed on "Properties of Warner Bros. Discovery Inc." In the field where a DMCA complainant is supposed to provide an example of where someone can view an authorized example of the work, MarkScan simply entered the main Warner Bros. URL: https://www.warnerbros.com/.

China is waging a growing number of cyberattacks on neighboring Taiwan, according to cybersecurity experts at Alphabet's Google. From a report: Google has observed a "massive increase" in Chinese cyberattacks on Taiwan in the last six months or so, said Kate Morgan, a senior engineering manager in Google's threat analysis division, which monitors government-sponsored hacking campaigns. Morgan warned that Chinese hackers are employing tactics that make their work difficult to track, such as breaking into small home and office internet routers and repurposing them to wage attacks while masking their true origin.

"The number of groups in China that are performing hacking and trying to get into technology companies or get into cloud customers is huge," Morgan said. "I don't have the exact number, but it is probably over 100 groups that we are tracking just out of China alone." The hackers are going "after everything," including defense sector, government and private industry on the island, she said. Google's findings come as concerns have grown over the prospect of a conflict in Taiwan. The relationship between the US -- Taiwan's top military backer -- and China has deteriorated in recent years over a wide range of issues including Taiwan, human rights and a race to dominate advanced technologies such as chips, quantum computing and artificial intelligence.

Dollar Tree was impacted by a third-party data breach stemming from the hack of service provider Zeroed-In Technologies. According to Bleeping Computer, nearly two million customers have been affected. "The information stolen during the attack includes names, dates of birth, and Social Security numbers (SSNs)." From the report: According to a data breach notification shared with the Maine Attorney General, Dollar Tree's service provider, Zeroed-In, suffered a security incident between August 7 and 8, 2023. As part of this cyberattack, the threat actors managed to steal data containing the personal information of Dollar Tree and Family Dollar employees. "While the investigation was able to determine that these systems were accessed, it was not able to confirm all of the specific files that were accessed or taken by the unauthorized actor," reads the letter sent to affected individuals. "Therefore, Zeroed-In conducted a review of the contents of the systems to determine what information was present at the time of the incident and to whom the information relates."

The information stolen during the attack includes names, dates of birth, and Social Security numbers (SSNs). Zeroed-In has notified the affected individuals and enclosed instructions on enrolling in a twelve-month identity protection and credit monitoring service. Other Zeroed-In customers apart from Dollar Tree and Family Dollar may have also been impacted by the security breach, but this hasn't been confirmed yet. Meanwhile, the scale of the data breach has already triggered investigations from law firms looking into a potential class-action lawsuit against Zeroed-In.

An anonymous reader quotes a report from CNBC: Hackers who compromised Okta's customer support system stole data from all of the cybersecurity firm's customer support users, Okta said in a letter to clients Tuesday, a far greater incursion than the company initially believed. The expanded scope opens those customers up to the risk of heightened attacks or phishing attempts, Okta warned. An Okta spokesperson told CNBC that customers in government or Department of Defense environments were not impacted by the breach. "We are working with a digital forensics firm to support our investigation and we will be sharing the report with customers upon completion. In addition, we will also notify individuals that have had their information downloaded," a spokesperson said in a statement to CNBC.

Nonetheless, Okta provides identity management solutions for thousands of small and large businesses, allowing them to give employees a single point of sign on. It also makes Okta a high-profile target for hackers, who can exploit vulnerabilities or misconfigurations to gain access to a slew of other targets. In the high profile attacks on MGM and Caesars, for example, threat actors used social engineering tactics to exploit IT help desks and target those company's Okta platforms. The direct and indirect losses from those two incidents exceeded $100 million, including a multi-million dollar ransom payment from Caesars.

An anonymous reader quotes a report from Ars Technica: A prolific espionage hacking group with ties to China spent over two years looting the corporate network of NXP, the Netherlands-based chipmaker whose silicon powers security-sensitive components found in smartphones, smartcards, and electric vehicles, a news outlet has reported. The intrusion, by a group tracked under names including "Chimera" and "G0114," lasted from late 2017 to the beginning of 2020, according to Netherlands national news outlet NRC Handelsblad, which cited "several sources" familiar with the incident. During that time, the threat actors periodically accessed employee mailboxes and network drives in search of chip designs and other NXP intellectual property. The breach wasn't uncovered until Chimera intruders were detected in a separate company network that connected to compromised NXP systems on several occasions. Details of the breach remained a closely guarded secret until now.

NRC cited a report published (and later deleted) by security firm Fox-IT, titled Abusing Cloud Services to Fly Under the Radar. It documented Chimera using cloud services from companies including Microsoft and Dropbox to receive data stolen from the networks of semiconductor makers, including one in Europe that was hit in "early Q4 2017." Some of the intrusions lasted as long as three years before coming to light. NRC said the unidentified victim was NXP. "Once nested on a first computer -- patient zero -- the spies gradually expand their access rights, erase their tracks in between and secretly sneak to the protected parts of the network," NRC reporters wrote in an English translation. "They try to secrete the sensitive data they find there in encrypted archive files via cloud storage services such as Microsoft OneDrive. According to the log files that Fox-IT finds, the hackers come every few weeks to see whether interesting new data can be found at NXP and whether more user accounts and parts of the network can be hacked."

NXP did not alert customers or shareholders to the intrusion, other than a brief reference in a 2019 annual report. It read: "We have, from time to time, experienced cyber-attacks attempting to obtain access to our computer systems and networks. Such incidents, whether or not successful, could result in the misappropriation of our proprietary information and technology, the compromise of personal and confidential information of our employees, customers, or suppliers, or interrupt our business. For instance, in January 2020, we became aware of a compromise of certain of our systems. We are taking steps to identify the malicious activity and are implementing remedial measures to increase the security of our systems and networks to respond to evolving threats and new information. As of the date of this filing, we do not believe that this IT system compromise has resulted in a material adverse effect on our business or any material damage to us. However, the investigation is ongoing, and we are continuing to evaluate the amount and type of data compromised. There can be no assurance that this or any other breach or incident will not have a material impact on our operations and financial results in the future."

Microsoft is returning to the Bliss hill once again with this year's entry in its now-traditional ugly retro-computing sweater series. From a report: Blue hemming at the bottom and on the sleeves evokes Windows XP's bright-blue taskbar, and in case people don't immediately recognize Bliss as "a computer thing," there's also a giant mouse pointer hovering over it. The sweater is available from size small up to a 3XL, and costs $70 regardless of which version you buy. All sizes are currently expected to arrive sometime between December 2 and 6.

India's government has granted its Computer Emergency Response Team, CERT-In, immunity from Right To Information (RTI) requests, the nation's equivalent of the freedom of information queries in the US, UK, or Australia. From a report: Reasons for the exemption have not been explained, but The Register has reported on one case in which an RTI request embarrassed CERT-In. That case related to India's sudden decision, in April 2022, to require businesses of all sizes to report infosec incidents to CERT-in within six hours of detection. The rapid reporting requirement applied both to serious incidents like ransomware attacks, and less critical messes like the compromise of a social media account.

CERT-In justified the rules as necessary to defend the nation's cyberspace and gave just sixty days notice for implementation. The plan generated local and international criticism for being onerous and inconsistent with global reporting standards such as Europe's 72-hour deadline for notifying authorities of data breaches. The reporting requirements even applied to cloud operators, who were asked to report incidents on tenants' servers. Big Tech therefore opposed the plan.

An anonymous reader quotes a report from Ars Technica: [L]ast week, researchers at Blackwing Intelligence published an extensive document showing how they had managed to work around some of the most popular fingerprint sensors used in Windows PCs. Security researchers Jesse D'Aguanno and Timo Teras write that, with varying degrees of reverse-engineering and using some external hardware, they were able to fool the Goodix fingerprint sensor in a Dell Inspiron 15, the Synaptic sensor in a Lenovo ThinkPad T14, and the ELAN sensor in one of Microsoft's own Surface Pro Type Covers. These are just three laptop models from the wide universe of PCs, but one of these three companies usually does make the fingerprint sensor in every laptop we've reviewed in the last few years. It's likely that most Windows PCs with fingerprint readers will be vulnerable to similar exploits.

Blackwing's post on the vulnerability is also a good overview of exactly how fingerprint sensors in a modern PC work. Most Windows Hello-compatible fingerprint readers use "match on chip" sensors, meaning that the sensor has its own processors and storage that perform all fingerprint scanning and matching independently without relying on the host PC's hardware. This ensures that fingerprint data can't be accessed or extracted if the host PC is compromised. If you're familiar with Apple's terminology, this is basically the way its Secure Enclave is set up. Communication between the fingerprint sensor and the rest of the system is supposed to be handled by the Secure Device Connection Protocol (SCDP). This is a Microsoft-developed protocol that is meant to verify that fingerprint sensors are trustworthy and uncompromised, and to encrypt traffic between the fingerprint sensor and the rest of the PC.

Each fingerprint sensor was ultimately defeated by a different weakness. The Dell laptop's Goodix fingerprint sensor implemented SCDP properly in Windows but used no such protections in Linux. Connecting the fingerprint sensor to a Raspberry Pi 4, the team was able to exploit the Linux support plus "poor code quality" to enroll a new fingerprint that would allow entry into a Windows account. As for the Synaptic and ELAN fingerprint readers used by Lenovo and Microsoft (respectively), the main issue is that both sensors supported SCDP but that it wasn't actually enabled. Synaptic's touchpad used a custom TLS implementation for communication that the Blackwing team was able to exploit, while the Surface fingerprint reader used cleartext communication over USB for communication. "In fact, any USB device can claim to be the ELAN sensor (by spoofing its VID/PID) and simply claim that an authorized user is logging in," wrote D'Aguanno and Teras."Though all of these exploits ultimately require physical access to a device and an attacker who is determined to break into your specific laptop, the wide variety of possible exploits means that there's no single fix that can address all of these issues, even if laptop manufacturers are motivated to implement them," concludes Ars.

Blackwing recommends all Windows Hello fingerprint sensors enable SCDP, the protocol Microsoft developed to try to prevent this exploit. PC makers should also "have a qualified expert third party audit [their] implementation" to improve code quality and security.

Google Drive users are reporting files mysteriously disappearing from the service, with some posters on the company's support forums claiming six or more months of work have unceremoniously vanished. From a report: The issue has been rumbling for a few days, with one user logging into Google Drive and finding things as they were in May 2023. According to the poster, almost everything saved since then has gone, and attempts at recovery failed. Others chimed in with similar experiences, and one claimed that six months of business data had gone AWOL. There is little information regarding what has happened; some users reported that synchronization had simply stopped working, so the cloud storage was out of date.

Others could get some of their information back by fiddling with cached files, although the limited advice on offer for the affected was to leave things well alone until engineers come up with a solution. A message purporting to be from Google support also advised not to make changes to the root/data folder while engineers investigate the issue. Some users speculated that it might be related to accounts being spontaneously dropped. We've asked Google for its thoughts and will update should the search giant respond.