United Kingdom

Tech Groups Fear New Powers Will Allow UK To Block Encryption (ft.com) 40

Tech groups have called on ministers to clarify the extent of proposed powers that they fear would allow the UK government to intervene and block the rollout of new privacy features for messaging apps. FT: The Investigatory Powers Amendment Bill, which was set out in the King's Speech on Tuesday, would oblige companies to inform the Home Office in advance about any security or privacy features they want to add to their platforms, including encryption. At present, the government has the power to force telecoms companies and messaging platforms to supply data on national security grounds and to help with criminal investigations.

The new legislation was designed to "recalibrate" those powers to respond to risks posed to public safety by multinational tech companies rolling out new services that "preclude lawful access to data," the government said. But Meredith Whittaker, president of private messaging group Signal, urged ministers to provide more clarity on what she described as a "bellicose" proposal amid fears that, if enacted, the new legislation would allow ministers and officials to veto the introduction of new safety features. "We will need to see the details, but what is being described suggests an astonishing level of technically confused government over-reach that will make it nearly impossible for any service, homegrown or foreign, to operate with integrity in the UK," she told the Financial Times.

Bug

Apple Delays Work on Next Year's iPhone, Mac Software To Fix Bugs (bloomberg.com) 74

In a rare move, Apple hit pause on development of next year's software updates for the iPhone, iPad, Mac and other devices so that it could root out glitches in the code. From a report: The delay, announced internally to employees last week, was meant to help maintain quality control after a proliferation of bugs in early versions, according to people with knowledge of the decision. Rather than adding new features, company engineers were tasked with fixing the flaws and improving the performance of the software, said the people, who asked not to be identified because the matter is private.

Apple's software -- famous for its clean interfaces, easy-to-use controls and focus on privacy -- is one of its biggest selling points. That makes quality control imperative. But the company has to balance a desire to add new features with making sure its operating systems run as smoothly as possible. [...] When looking at new operating systems due for release next year, the software engineering management team found too many "escapes" -- an industry term for bugs missed during internal testing. So the division took the unusual step of halting all new feature development for one week to work on fixing the bugs. With thousands of different Apple employees working on a range of operating systems and devices -- that need to work together seamlessly -- it's easy for glitches to crop up.

Crime

'Encryption King' Arrested In Turkey (404media.co) 31

An anonymous reader quotes a report from 404 Media: Hakan Ayik, an infamous drug trafficker who also popularized the use of certain brands of encrypted phones around the world, was arrested during a series of dramatic raids in Turkey last week. At one point a group of heavily armed Turkish tactical officers in brown and gray camouflage piled outside an apartment and banged on the door repeatedly. They then smashed the door down and moved inside with a riot shield, according to a video tweeted by Turkey's Minister of the Interior. The video then showed a photograph of Ayik, shirtless and on his knees while staring straight ahead, surrounded by multiple officers.

It was a moment that capped off the arrest of Australia's most wanted man, and a sign that Turkey is no longer a safe haven to organized criminals. But it was also something of a closing act on Anom, a brand of encrypted phone that the FBI secretly took over and managed for years after inserting a backdoor into the product, allowing agents to read tens of millions of messages sent across it. Ayik unknowingly helped the FBI gain that piercing insight into organized crime by selling the devices to other criminal associates. Given Ayik's position as a trusted authority on what communications tools drug traffickers should use, one associate even referred to him as the 'encryption king' in an Anom message I've seen.
According to the Sydney Morning Herald, Ayik will not be extradited to Australia. Instead, Australian police are encouraging Turkish authorities to investigate and prosecute him as a Turkish citizen.

Encryption

Scientist Claims Quantum RSA-2048 Encryption Cracking Breakthrough (tomshardware.com) 129

Mark Tyson reports via Tom's Hardware: A commercial smartphone or Linux computer can be used to crack RSA-2048 encryption, according to a prominent research scientist. Dr Ed Gerck is preparing a research paper with the details but couldn't hold off from bragging about his incredible quantum computing achievement (if true) on his LinkedIn profile. Let us be clear: the claims seem spurious, but it should be recognized that the world isn't ready for an off-the-shelf system that can crack RSA-2048, as major firms, organizations, and governments haven't yet transitioned to encryption tech that is secured for the post-quantum era.

In his social media post, Gerck states that a humble device like a smartphone can crack the strongest RSA encryption keys in use today due to a mathematical technique that "has been hidden for about 2,500 years -- since Pythagoras." He went on to make clear that no cryogenics or special materials were used in the RSA-2048 key-cracking feat. BankInfoSecurity reached out to Gerck in search of some more detailed information about his claimed RSA-2048 breakthrough and in the hope of some evidence that what is claimed is possible and practical. Gerck shared an abstract of his upcoming paper. This appears to show that instead of using Shor's algorithm to crack the keys, a system based on quantum mechanics was used, and it can run on a smartphone or PC.

In some ways, it is good that the claimed breakthrough doesn't claim to use Shor's algorithm. Alan Woodward, a professor of computer science at the University of Surrey, told BankInfoSecurity that no quantum computer in existence has enough gates to implement Shor's algorithm and break RSA-2048. So at least this part of Gerck's explanation checks out. However, the abstract of Gerck's paper looks like it is "all theory proving various conjectures - and those proofs are definitely in question," according to Woodward. The BankInfoSecurity report on Gerck's "QC Algorithms: Faster Calculation of Prime Numbers" paper quotes other skeptics, most of whom are waiting for more information and proofs before they organize a standing ovation for Gerck.

The Military

US Military Members' Personal Data Being Sold By Online Brokers, Report Finds 32

Jacob Knutson reports via Axios: Sensitive, highly detailed personal data for thousands of active-duty and veteran U.S. military members can be purchased for as little as one cent per name through data broker websites, according to a new study (PDF) published on Monday by Duke University researchers. [...] The data about military personnel purchased as part of the study included full names, physical and email addresses, health and financial information and details about their ethnicity, religious practices and political affiliation. In some cases, the information also included whether the person owned or rented a home, was married or had children. The children's ages and sexes were accessible, too.

The researchers bought data on up to around 45,000 military personnel for between $0.12 and $0.32 per record. They also bought data belonging to 5,000 friends and family members of military personnel. Larger data purchases of over 1.5 million service members were available for as little as $0.01 per record from at least one broker the researchers contacted. The researchers called on Congress to pass a comprehensive privacy law and for regulatory agencies like the Federal Trade Commission to develop rules to govern military personnel data purchases.

China

Huawei and Tencent Spearhead China's Hold on Cybersecurity Patents (nikkei.com) 28

China's presence is growing in cybersecurity technology, with companies such as Huawei and Tencent accounting for six of the top 10 global patent holdings in the sector as of August. From a report: Chinese companies have made headway in technological fields that affect economic security, according to industry insiders, as they focus on fostering their own tech amid the growing standoff between the U.S. and China. The rankings, compiled by Nikkei in cooperation with U.S. information services provider LexisNexis, are based on patents registered in 95 countries and regions, including Japan, the U.S., China and the European Union. Patent registrations were screened for the cybersecurity field using such factors as the international patent classification, with filings of the same patent in multiple countries counted as a single patent.

As of August, IBM led the rankings with 6,363 patents. Huawei Technologies came in second with 5,735 patents and Tencent Holdings placed third with 4,803. Other Chinese companies in the top 10 included financial services provider Ant Group in sixth with 3,922 patents, followed by power transmission company State Grid Corp. of China with 3,696, Alibaba Group Holding with 3,122 and sovereign wealth fund China Investment with 3,042. Patent applications filed by Chinese companies have increased since around 2018, when the U.S. began to impose full-scale export controls on Chinese high-tech companies. Compared with 10 years ago, IBM's patent holdings increased by a factor of 1.5. In contrast, holdings for Huawei and Tencent were 2.3 times and 13 times higher, respectively.

Microsoft

Microsoft Disputes Severity of Four Zero-Day Vulnerabilities Found in Exchange by Trend Micro (bleepingcomputer.com) 26

"Microsoft Exchange is impacted by four zero-day vulnerabilities that attackers can exploit remotely to execute arbitrary code or disclose sensitive information on affected installations," reports Bleeping Computer, citing disclosures Thursday from Trend Micro's Zero Day Initiative, who reported them to Microsoft on September 7th and 8th, 2023.

In an email to the site, a Microsoft spokesperson said customers who applied the August Security Updates are already protected from the first vulnerability, while the other three require attackers to have prior access to email credentials. (And for two of them no evidence was presented that it can be leveraged to gain elevation of privilege.)

"We've reviewed these reports and have found that they have either already been addressed, or do not meet the bar for immediate servicing under our severity classification guidelines and we will evaluate addressing them in future product versions and updates as appropriate."

From Bleeping Computer's report: ZDI disagreed with this response and decided to publish the flaws under its own tracking IDs to warn Exchange admins about the security risks... All these vulnerabilities require authentication for exploitation, which reduces their severity CVSS rating to between 7.1 and 7.5... It should be noted, though, that cybercriminals have many ways to obtain Exchange credentials, including brute-forcing weak passwords, performing phishing attacks, purchasing them, or acquiring them from info-stealer logs...

ZDI suggests that the only salient mitigation strategy is to restrict interaction with Exchange apps. However, this can be unacceptably disruptive for many businesses and organizations using the product. We also suggest implementing multi-factor authentication to prevent cybercriminals from accessing Exchange instances even when account credentials have been compromised.

Security

Okta Breach: 134 Customers Exposed in October Support System Hack 13

Okta says attackers who breached its customer support system last month gained access to files belonging to 134 customers, five of them later being targeted in session hijacking attacks with the help of stolen session tokens. From a report: "From September 28, 2023 to October 17, 2023, a threat actor gained unauthorized access to files inside Okta's customer support system associated with 134 Okta customers, or less than 1% of Okta customers," Okta revealed. "Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks. The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers, 3 of whom have shared their own response to this event." The three Okta customers that already disclosed they were targeted due to the company's October security breach are 1Password, BeyondTrust, and Cloudflare. They all notified Okta of suspicious activity after detecting unauthorized attempts to log into in-house Okta administrator accounts.

Security

Fusus' AI-Powered Cameras Are Spreading Across the United States 33

An anonymous reader quotes a report from 404 Media: Spread across four computer monitors arranged in a grid, a blue and green interface shows the location of more than 50 different surveillance cameras. Ordinarily, these cameras and others like them might be disparate, their feeds only available to their respective owners: a business, a government building, a resident and their doorbell camera. But the screens, overlooking a pair of long conference tables, bring them all together at once, allowing law enforcement to tap into cameras owned by different entities around the entire town all at once. This is a demonstration of Fusus, an AI-powered system that is rapidly springing up across small town America and major cities alike. Fusus' product not only funnels live feeds from usually siloed cameras into one central location, but also adds the ability to scan for people wearing certain clothes, carrying a particular bag, or look for a certain vehicle.

404 Media has obtained a cache of internal emails, presentations, memos, photos, and more which provide insight into how Fusus teams up with police departments to sell its surveillance technology. All around the country, city councils are debating whether they want to have a system that qualitatively changes what surveillance cameras mean for a town's residents and public agencies. While many have adopted Fusus, others have pushed back, and refused to have the hardware and software installed in their neighborhoods. In some ways, Fusus is deploying smart camera technology that historically has been used in places like South Africa, where experts warned about it creating an ever present blanket of surveillance. Now, tech with some of the same capabilities is being used across small town America.

Rather than selling cameras themselves, Fusus' hardware and software latches onto existing installations, which can include government-owned surveillance cameras as well as privately owned cameras at businesses and homes. It turns dumb cameras into smart ones. "In essence, the Fusus solution puts a brain into every camera connected with the system," one memorandum obtained by 404 Media reads.
In addition to integrating with existing surveillance installations, Fusus' hardware, called SmartCORE, can turn cameras into automatic license plate readers (ALPRs). It can reportedly offer facial recognition features, too, although Fusus hasn't provided clarification on this matter.

The report says the system has been adopted by numerous police departments across the United States, with approximately 150 jurisdictions using Fusus. Orland Park police have called it a "game-changer." It's also being used internationally, launching in the United Kingdom.

Here's what Beryl Lipton, investigative researcher at the Electronic Frontier Foundation (EFF), had to say about it: "The lack of transparency and community conversation around Fusus exacerbates concerns around police access of the system, AI analysis of video, and analytics involving surveillance and crime data, which can influence officer patrols and priorities. In the absence of clear policies, auditable access logs, and community transparency about the capabilities and costs of Fusus, any community in which this technology is adopted should be concerned about its use and abuse."

China

US House Panel Seeks Ban On Federal Purchases of China Drones (reuters.com) 33

David Shepardson reports via Reuters: The top members of a U.S. House committee on China are introducing a bill that seeks to ban the U.S. government from buying Chinese drones. Mike Gallagher, the Republican chair of the committee, and Raja Krishnamoorthi, the ranking Democrat, are introducing the "American Security Drone Act" on Wednesday, the lawmakers said in a statement to Reuters. "This bill would prohibit the federal government from using American taxpayer dollars to purchase this equipment from countries like China," Gallagher said. "It is imperative that Congress pass this bipartisan bill to protect U.S. interests and our national security supply chain."

The bill would also bar local and state governments from purchasing Chinese drones using federal grants and require a federal report detailing the amount of foreign commercial off-the-shelf drones and covered unmanned aircraft systems procured by federal departments and agencies from China. Krishnamoorthi said the bill "helps protect against any vulnerabilities posed by our government agencies' reliance on foreign-manufactured drone technology and will encourage growth in the U.S. drone industry."

Separately, the U.S. Senate on Tuesday unanimously approved an amendment proposed by Republican Senator Marsha Blackburn and Democrat Mark Warner that would prohibit the Federal Aviation Administration (FAA) from operating or providing federal funds for drones produced in China, Russia, Iran, North Korea, Venezuela or Cuba. "Taxpayer dollars should never fund drones manufactured in regions that are hostile toward our nation," Blackburn said. China recently announced export controls on some drones and drone-related equipment, saying it wanted to safeguard "national security and interests."
The U.S. Commerce Department in 2020 added dozens of Chinese companies to a trade blacklist, including the country's top chipmaker SMIC and Chinese drone giant DJI.

Microsoft

Microsoft Warns It May 'Throttle' Its Generative AI Services for 'Excessive' Users (theregister.com) 15

Microsoft has changed the terms and conditions for its online services to include a warning that "excessive" users of its generative AI services will have their access restricted. From a report: The new language appeared in a November 1 update to Microsoft's legalese spotted by licensing-watchers Cloudy With A Chance Of Licensing. The restrictions are described in a new clause of the document titled "Capacity Limitations," which reads: "Excessive use of a Microsoft Generative AI Service may result in temporary throttling of Customer's access to the Microsoft Generative AI Service." The document does not, however, define "excessive use", how long a "temporary" restriction might last, or exactly what happens during "throttling."

Chrome

Chrome Not Proceeding With Web Integrity API Deemed By Many To Be DRM (9to5google.com) 24

An anonymous reader shares a report: Back in July, Google's work on a Web Integrity API emerged and many equated it to DRM. While prototyped, it was only at the proposal stage and the company announced today it's not going ahead with it. With this proposal, Google wanted to give websites a way to confirm the authenticity of the user and their device/browser.

The Web Integrity API would let websites "request a token that attests key facts about the environment their client code is running in." It's not all too different from the Play Integrity API (SafetyNet) on Android that Google Wallet and other banking apps use to make sure a device hasn't been tampered with (rooted).

Privacy

Brave Responds To Bing and ChatGPT With a New 'Anonymous and Secure' AI Chatbot (theverge.com) 11

The Brave browser is rolling out a privacy-focused AI assistant named Leo, which the company claims provides "unparalleled privacy" compared to AI chatbot services like Bing Chat, ChatGPT, Google Bard and others. The Verge reports: Following several months of testing, Leo is now available to use for free by all Brave desktop users running version 1.60 of the web browser. Leo is rolling out "in phases over the next few days" and will be available on Android and iOS "in the coming months."

The core features of Leo aren't too dissimilar from other AI chatbots like Bing Chat and Google Bard: it can translate, answer questions, summarize webpages, and generate new content. Brave says the benefits of Leo over those offerings are that it aligns with the company's focus on privacy -- conversations with the chatbot are not recorded or used to train AI models, and no login information is required to use it. As with other AI chatbots, however, Brave claims Leo's outputs should be "treated with care for potential inaccuracies or errors."

The standard version of Leo utilizes Meta's Llama 2 large language model and is free to use by default. For users who prefer to access a different AI language model, Brave is also introducing Leo Premium, a $15 monthly subscription that features Anthropic's AI assistant, Claude Instant -- a faster and cheaper version of Anthropic's Claude 2 large language model. Brave says that additional models will be available to Leo Premium users alongside access to higher-quality conversations, priority queuing during peak usage, higher rate limits, and early access to new features.

IT

Cloudflare Dashboard and APIs Down After Data Center Power Outage (bleepingcomputer.com) 22

An ongoing Cloudflare outage has taken down many of its products, including the company's dashboard and related application programming interfaces (APIs) customers use to manage and read service configurations. From a report: The complete list of services whose functionality is wholly or partially impacted includes the Cloudflare dashboard, the Cloudflare API, Logpush, WARP / Zero Trust device posture, Stream API, Workers API, and the Alert Notification System. "This issue is impacting all services that rely on our API infrastructure including Alerts, Dashboard functionality, Zero Trust, WARP, Cloudflared, Waiting Room, Gateway, Stream, Magic WAN, API Shield, Pages, Workers," Cloudflare said. "Customers using the Dashboard / Cloudflare APIs are impacted as requests might fail and/or errors may be displayed."

Customers currently have issues when attempting to log into their accounts and are seeing 'Code: 10000' authentication errors and internal server errors when trying to access the Cloudflare dashboard. Cloudflare says the service issues don't affect the cached file delivery via the Cloudflare CDN or Cloudflare Edge security features.

Microsoft

Microsoft Overhauling Its Software Security After Major Azure Cloud Attacks (theverge.com) 40

An anonymous reader shares a report: Microsoft has had a rough few years of cybersecurity incidents. It found itself at the center of the SolarWinds attack nearly three years ago, one of the most sophisticated cybersecurity attacks we've ever seen. Then, 30,000 organizations' email servers were hacked in 2021 thanks to a Microsoft Exchange Server flaw. If that weren't enough already, Chinese hackers breached US government emails via a Microsoft cloud exploit earlier this year. Something had to give.

Microsoft is now announcing a huge cybersecurity effort, dubbed the Secure Future Initiative (SFI). This new approach is designed to change the way Microsoft designs, builds, tests, and operates its software and services today. It's the biggest change to security efforts inside Microsoft since the company announced its Security Development Lifecycle (SDL) in 2004 after Windows XP fell victim to a huge Blaster worm attack that knocked PCs offline in 2003. That push came just two years after co-founder Bill Gates had called for a trustworthy computing initiative in an internal memo.

Microsoft now plans to use automation and AI during software development to improve the security of its cloud services, cut the time it takes to fix cloud vulnerabilities, enable better security settings out of the box, and harden its infrastructure to protect against encryption keys falling into the wrong hands. In an internal memo to Microsoft's engineering teams today, the company's leadership has outlined its new cybersecurity approach. It comes just months after Microsoft was accused of "blatantly negligent" cybersecurity practices related to a major breach that targeted its Azure platform. Microsoft has faced mounting criticism of its handling of a variety of cybersecurity issues in recent years.

Bug

Millions of Fruit Flies Will Be Dropped On Los Angeles (thehill.com) 84

"Earlier this month, the California Department of Food and Agriculture quarantined 69 square miles of metro L.A. after invasive and destructive Mediterranean fruit flies were found at a home in the Leimert Park neighborhood," notes The Hill. Officials are now planning to use small planes to drop millions of fruit flies over Los Angeles in an effort to eradicate an invasive and destructive species of the insects. From the report: Jay Van Rein, a spokesperson for the CDFA, told SFGATE that officials plan to drop approximately 250,000 sterile male fruit flies per square mile in the quarantine area every week for six months, or perhaps longer. The sterile males mate with the females, which fail to produce offspring, reducing the population over time. Van Rein says the Preventative Release Program (PRP), as it's called, has been used effectively to manage invasive species since 1996.

The quarantine radius includes parts of downtown and South L.A., Hyde Park, Baldwin Hills, Culver City, Inglewood, Pico-Robertson and Mid-Wilshire. Those who live within the zone are urged not to transport any fruits or vegetables from their property and to double-bag them in plastic before tossing them in the trash. The Mediterranean fruit fly is very tiny -- only about 1/4 inch in length -- but they can potentially cause hundreds of millions of dollars in damage to crops if left unchecked, officials said. When a female lays eggs in a fruit or vegetable, they hatch into maggots that tunnel through it and cause rot.

Bug

Asahi Linux Goes From Apple Silicon Port Project To macOS Bug Hunters (theregister.com) 33

Richard Speed reports via The Register: Asahi Linux, a project to port Linux to Apple Silicon Macs, has reported a combination of bugs in Apple's macOS that could leave users with hardware in a difficult-to-recover state. The issues revolve around how recent versions of macOS handle refresh rates, and MacBook Pro models with ProMotion displays (the 14 and 16-inch versions) are affected. According to the Asahi team, the bugs lurk in the upgrade and boot process and, when combined, can create a condition where a machine always boots to a black screen, and a Device Firmware Update (DFU) recovery is needed.

Asahi Linux's techies have looked into the issue, having first suspected it had something to do with either having an Asahi Linux installation on a Mac and then upgrading to macOS Sonoma or installing Asahi Linux after a Sonoma upgrade. However, the issue appears to be unconnected to the project. The team said: "As far as we can tell, ALL users who upgraded to Sonoma the normal way have an out-of-date or even broken System RecoveryOS, and in particular MacBook Pro 14" and 16" owners are vulnerable to ending up with a completely unbootable system." While this might sound alarming, the team was at pains to assure users that data was not at risk and only certain versions of macOS were affected -- Sonoma 14.0+ and Ventura 13.6+.

The first bug is related to macOS Sonoma using the previously installed version as System Recovery, which can cause problems when an older RecoveryOS runs into newer firmware. The second occurs if a display is configured to a refresh rate other than ProMotion. According to the Asahi Linux team, the system will no longer be able to boot into old macOS installs or Asahi Linux. "This includes recovery mode when those systems are set as the default boot OS, and also System Recovery at least until the next subsequent OS upgrade."
The team noted: "Even users with just 13.6 installed single-boot are affected by this issue (no Asahi Linux needed).

"We do not understand how Apple managed to release an OS update that, when upgraded to normally, leaves machines unbootable if their display refresh rate is not the default. This seems to have been a major QA oversight by Apple."

iPhone

Mass Lawsuit Against Apple Over iPhone Batteries Can Go Ahead, London Tribunal Rules (reuters.com) 20

Apple on Wednesday lost a bid to block a mass London lawsuit worth up to $2 billion which accuses the tech giant of hiding defective batteries in millions of iPhones. From a report: The lawsuit was brought by British consumer champion Justin Gutmann on behalf of around 24 million iPhone users in the United Kingdom. Gutmann is seeking damages from Apple on their behalf of up to 1.6 billion pounds ($1.9 billion) plus interest, with the claim's midpoint range being 853 million pounds. His lawyers argued Apple concealed issues with batteries in certain phone models by "throttling" them with software updates and installed a power management tool which limited performance.

Apple, however, said the lawsuit was "baseless" and strongly denied batteries in iPhones were defective, apart from in a small number of iPhone 6s models for which it offered free battery replacements. The company sought to get the case thrown out of court, but the Competition Appeal Tribunal (CAT) said Gutmann's case can proceed in a written ruling on Wednesday.

Microsoft

Microsoft Calls Time on Windows Insider MVP Program (theregister.com) 12

Microsoft has decided to axe the Windows Insider MVP program, which is now scheduled to be discontinued at the end of the year. From a report: A Microsoft spokesperson told The Register: "In an effort to consolidate MVP-style programs across Microsoft, we have decided to retire the Windows Insider MVP Program effective December 31, 2023. All our existing Windows Insider MVPs will be nominated to participate in the Microsoft MVP Program which has similar benefits and opportunities to continue networking with us and interacting with many other Microsoft MVPs globally."

The Windows Insider MVPs are usually enthusiasts of Microsoft's wares who are rewarded for their loyalty with access to the engineering teams, complimentary subscriptions to products such as Visual Studio Enterprise and Office 365, as well as the odd paperweight or two. A nomination must come from another MVP or a Microsoft employee to achieve this coveted status. An application is then scrutinized, and if one has demonstrated sufficient passion for all things Microsoft, the nod is given. Microsoft has plenty of Insider programs where users can play with pre-release versions of the company's software.

Crime

Two Russian Nationals Charged For Hacking Taxi System At JFK Airport (theregister.com) 48

Thomas Claburn reports via The Register: For a period of two years between September 2019 and September 2021, two Americans and two Russians allegedly compromised the taxi dispatch system at John F. Kennedy International Airport in New York to sell cabbies a place at the front of the dispatch line. The two Russian nationals, Aleksandr Derebenetc and Kirill Shipulin, were indicted by a grand jury for conspiring to commit computer intrusions, the US Justice Department said on Tuesday. They remain at large. In early October, the two American nationals, Daniel Abayev and Peter Leyman, who were indicted last year, pleaded guilty, each to one count of conspiring to commit computer intrusions.

The scheme represented an attempt to monetize the demand among taxi drivers for lucrative airport fares -- the current flat rate for JFK to Manhattan is $70 plus additional charges. As described in the indictment (PDF), taxi drivers are required to wait in a holding lot at JFK, often for several hours, before being dispatched in the order of their arrival to airport terminals. And because time spent waiting in line is not paid, drivers have a financial incentive to avoid waiting in line. The conspirators allegedly developed a plan to hack the dispatch system around September 2019. The indictment describes several approaches that were tried, "including bribing someone to insert a flash drive containing malware into computers connected to the dispatch system, obtaining unauthorized access to the dispatch system via a Wi-Fi connection, and stealing computer tablets connected to the dispatch system."

The government's filing suggests that the group gained and lost access to the dispatch system several times. When they did have access, the alleged conspirators offered to move drivers to the front of the dispatch queue for a $10 fee, and waived the fee for those who found other drivers willing to pay to play. Many drivers took advantage of the service. According to the Justice Department, the group booked 2,463 queue cuts in a single week around December 2019. The scheme allegedly enabled as many as 1,000 trips per day that skipped the queue at JFK. The American conspirators are said to have collected the money from participating drivers and to have sent payments to the alleged Russian conspirators, describing the money transfers as "payment for software development" or "payment for services rendered." The indictment indicates that the Russians received more than $100,000 for their work. If apprehended -- which appears unlikely given current US relations with Russia -- the Russians face charges that carry a maximum sentence of ten years in prison. Abayev and Leyman each face up to five years in prison. They're scheduled to be sentenced early next year.
