IT

Communications of the ACM Asks: Is It Ethical To Work For Big Tech? (acm.org) 136

Long-time Slashdot reader theodp writes: Back in January, Rice University professor and former CACM Editor-in-Chief Moshe Y. Vardi wrote of the unintended consequences of social media and mobile computing in "Computing, You Have Blood on Your Hands!" To close out the year, Vardi addresses the role tech workers play in enabling dubious Big Tech business models — including now-powered-by-AI Big Tech Surveillance Capitalism — in an opinion piece titled "I Was Wrong about the Ethics Crisis."

Vardi writes: "The belief in the magical power of the free market always to serve the public good has no theoretical basis. In fact, our current climate crisis is a demonstrated market failure. To take an extreme example, Big Tobacco surely does not support the public good, and most of us would agree that it is unethical to work for Big Tobacco. The question, thus, is whether Big Tech is supporting the public good, and if not, what should Big Tech workers do about it. Of course, there is no simple answer to such a question, and the only reasonable answer to the question of whether it is ethical to work for Big Tech is, 'It depends.' [...] It is difficult to get a man to understand something, when his salary depends on his not understanding it, said the writer and political activist Upton Sinclair. By and large, Big Tech workers do not seem to be asking themselves hard questions, I believe, hence my conclusion that we do indeed suffer from an ethics crisis."

Privacy

Massive VW Data Leak Exposed 800,000 EV Owners' Movements (carscoops.com) 69

A new report reveals that the VW Group left sensitive data for 800,000 electric vehicles from Audi, VW, Seat, and Skoda poorly secured on an Amazon cloud, exposing precise GPS locations, battery statuses, and user habits for months. Carscoops reports: It gets worse. A more tech-savvy user could reportedly connect vehicles to their owners' personal credentials, thanks to additional data accessible through VW Group's online services. Crucially, in 466,000 of the 800,000 cases, the location data was so precise that anyone with access could create a detailed profile of each owner's daily habits. As reported by Spiegel, the massive list of affected owners isn't just a who's-who of regular folks. It includes German politicians, entrepreneurs, Hamburg police officers (the entire EV fleet, no less), and even suspected intelligence service employees. Yes, even spies may have been caught up in this digital debacle.

This glaring error originated from Cariad, a VW Group company that focuses on software, due to an error that occurred in the summer of 2024. An anonymous whistleblower used freely accessible software to dig up the sensitive information and promptly alerted Chaos Computer Club (CCC), Europe's largest hacker association. CCC wasted no time contacting Lower Saxony's State Data Protection Officer, the Federal Ministry of the Interior, and other security bodies. They also gave VW Group and Cariad 30 days to address the issue before going public. According to CCC, Cariad's technical team "responded quickly, thoroughly and responsibly," blocking unauthorized access to its customers' data.

Security

Hackers Hijack a Wide Range of Companies' Chrome Extensions (reuters.com) 10

Hackers have compromised several different companies' Chrome browser extensions in a series of intrusions dating back to mid-December, according to one of the victims and experts who have examined the campaign. From a report: Among the victims was the California-based Cyberhaven, a data protection company that confirmed the breach in a statement to Reuters on Friday. "Cyberhaven can confirm that a malicious cyberattack occurred on Christmas Eve, affecting our Chrome extension," the statement said.

It cited public comments from cybersecurity experts. These comments, said Cyberhaven, suggested that the attack was "part of a wider campaign to target Chrome extension developers across a wide range of companies." Cyberhaven added: "We are actively cooperating with federal law enforcement." The geographical extent of the hacks was not immediately clear.

China

Chinese Hackers Breach Ninth US Telecoms Group in Espionage Campaign (apnews.com) 41

A ninth U.S. telecommunications company has been compromised in a Chinese espionage campaign that targeted private communications, particularly around Washington D.C., White House Deputy National Security Adviser Anne Neuberger said Friday.

The intrusion, part of the "Salt Typhoon" operation that previously hit eight telecom firms, allowed hackers to access customer call records and private messages. While the total number of affected Americans remains unclear, many targets were government officials and political figures in the Washington-Virginia area.

Crime

A Fake Nintendo Lawyer is Scaring YouTubers (theverge.com) 32

A wave of fraudulent copyright takedowns on YouTube has exposed vulnerabilities in the platform's content moderation system, enabling anonymous users to threaten creators' channels through false legal claims, The Verge is reporting. Several gaming content creators, including a channel with 1.5 million subscribers, received takedown notices from someone impersonating Nintendo's legal team. Though YouTube acknowledged the false claims, the company declined to explain how it verifies takedown requests or detail measures to prevent abuse of its copyright system.

Bug

Windows 11 Installation Media Bug Causes Security Update Failures (bleepingcomputer.com) 68

Microsoft is warning that Windows 11 installations using USB or CD media created with October or November 2024 security updates may be unable to receive future security patches.

The bug affects version 24H2 installations made between October 8 and November 12, but does not impact systems updated through Windows Update or the Microsoft Update Catalog. Microsoft advised users to rebuild installation media using December 2024 patches while it works on a permanent fix for the issue, which primarily affects business and education environments.

Japan

Japan Airlines Hit By Cyberattack, Delaying Flights During Year-End Holiday Season (apnews.com) 3

Japan Airlines said it was hit by a cyberattack Thursday, causing delays to more than 20 domestic flights but the carrier said there was no impact on flight safety. From a report: JAL said the problem started Thursday morning when the company's network connecting internal and external systems began malfunctioning. The airline said the cyberattack had delayed 24 domestic flights for more than 30 minutes, and the impact could expand later in the day.

Microsoft

Microsoft Edge Takes a Victory Lap With Some High-Looking Usage Stats For 2024 (theregister.com) 22

An anonymous reader shares a report: Microsoft has published a year in review for its Edge browser and talked up AI-powered chats while lightly skipping over the software's stagnating market share. The company had some big numbers to share. There had been over 10 billion AI-powered chats with Copilot from inside the Edge browser window (although it did not disclose how many chats were customers asking how to install Chrome). Some 38 trillion characters had been auto-translated. Seven trillion megabytes of PC memory had been saved through the use of sleeping tabs.

However, are those numbers actually as big as they seem? What Microsoft did not say is how little Edge has moved the needle on market share in 2024. Strangely, the company did not share raw usage information. Yet, a look at Statcounter's figures for browser desktop market share showed Edge with 11.9 percent of the market in December 2023 and reaching 12.87 percent by November 2024 -- an increase of less than 1 percent. The market leader, Google's Chrome browser, went from 65.23 percent to 66.33 percent in the same period. That's only slightly more than 1 percent, but it still maintains its dominance.

Crime

In Maine, Remote Work Gives Prisoners a Lifeline (bostonglobe.com) 54

An anonymous reader quotes a report from the Boston Globe: Every weekday morning at 8:30, Preston Thorpe makes himself a cup of instant coffee and opens his laptop to find the coding tasks awaiting his seven-person team at Unlocked Labs. Like many remote workers, Thorpe, the nonprofit's principal engineer, works out in the middle of the day and often stays at his computer late into the night. But outside Thorpe's window, there's a soaring chain-link fence topped with coiled barbed wire. And at noon and 4 p.m. every day, a prison guard peers into his room to make sure he's where he's supposed to be at the Mountain View Correctional Facility in Charleston, Maine, where he's serving his 12th year for two drug-related convictions in New Hampshire, including intent to distribute synthetic opioids.

Remote work has spread far and wide since the pandemic spurred a work-from-home revolution of sorts, but perhaps no place more unexpectedly than behind prison walls. Thorpe is one of more than 40 people incarcerated in Maine's state prison system who have landed internships and jobs with outside companies over the past two years -- some of whom work full time from their cells and earn more than the correctional officers who guard them. A handful of other states have also started allowing remote work in recent years, but none have gone as far as Maine, according to the Alliance for Higher Education in Prison, the nonprofit leading the effort.

Unlike incarcerated residents with jobs in the kitchen or woodshop who earn just a few hundred dollars a month, remote workers make fair-market wages, allowing them to pay victim restitution fees and legal costs, provide child support, and contribute to Social Security and other retirement funds. Like inmates in work-release programs who have jobs out in the community, 10 percent of remote workers' wages go to the state to offset the cost of room and board. All Maine DOC residents get re-entry support for housing and job searches before they're released, and remote workers leave with even more: up-to-date resumes, a nest egg -- and the hope that they're less likely to need food or housing assistance, or resort to crime to get by.

Bitcoin

North Korean Hackers Stole $1.3 Billion Worth of Crypto This Year 22

In 2024, North Korean state-sponsored hackers stole $1.34 billion in cryptocurrency across 47 attacks, marking a 102.88% increase from 2023 and accounting for 61% of global crypto theft. BleepingComputer reports: Although the total number of incidents in 2024 reached a record-breaking 303, the total losses figure isn't unprecedented, as 2022 remains the most damaging year with $3.7 billion. Chainalysis says most of the incidents this year occurred between January and July, during which 72% of the total amount for 2024 was stolen. The report highlights the DMM Bitcoin hack from May, where over $305 million was lost, and the WazirX cyberheist from July, which resulted in the loss of $235 million.

As for what types of platforms suffered the most damage, DeFi platforms were followed by centralized services. Regarding the means, the analysts report that private key compromises accounted for 44% of the losses, while exploitation of security flaws corresponded to just 6.3% of stolen cryptocurrency. This is a sign that security audits have a significant effect on reducing exploitable flaws on the platforms. However, stricter security practices in the handling of private keys need to be implemented.

Windows

ASUS Christmas Campaign Sparks Malware Panic Among Windows Users 59

ASUS computer owners have been reporting widespread alarm after a Christmas-themed banner suddenly appeared on their Windows 11 screens, accompanied by a suspicious "Christmas.exe" process in Task Manager.

The promotional campaign, first reported by WindowsLatest, was delivered through ASUS' pre-installed Armoury Crate software. It displays a large wreath banner that covers one-third of users' screens. The unbranded holiday display, which can interrupt gaming sessions and occasionally crashes applications, has triggered security concerns among users who initially mistook it for malware.

Privacy

Health Care Giant Ascension Says 5.6 Million Patients Affected In Cyberattack (arstechnica.com) 5

An anonymous reader quotes a report from Ars Technica: Health care company Ascension lost sensitive data for nearly 5.6 million individuals in a cyberattack that was attributed to a notorious ransomware gang, according to documents filed with the attorney general of Maine. Ascension owns 140 hospitals and scores of assisted living facilities. In May, the organization was hit with an attack that caused mass disruptions as staff was forced to move to manual processes that caused errors, delayed or lost lab results, and diversions of ambulances to other hospitals. Ascension managed to restore most services by mid-June. At the time, the company said the attackers had stolen protected health information and personally identifiable information for an undisclosed number of people.

A filing Ascension made earlier in December revealed that nearly 5.6 million people were affected by the breach. Data stolen depended on the particular person but included individuals' names and medical information (e.g., medical record numbers, dates of service, types of lab tests, or procedure codes), payment information (e.g., credit card information or bank account numbers), insurance information (e.g., Medicaid/Medicare ID, policy number, or insurance claim), government identification (e.g., Social Security numbers, tax identification numbers, driver's license numbers, or passport numbers), and other personal information (such as date of birth or address). Ascension is now in the process of notifying affected individuals. The organization is also offering two years of credit and fraud monitoring, a $1 million insurance reimbursement policy, and managed ID theft recovery services. The services became effective last Thursday.
Further reading: Black Basta Ransomware Attack Brought Down Ascension IT Systems, Report Finds

Security

Apple Sends Spyware Victims To Nonprofit Security Lab 'Access Now' (techcrunch.com) 14

Since 2021, Apple has been sending threat notifications to certain users, informing them that they may have been individually targeted by mercenary spyware attacks. When victims of spyware reach out to Apple for help, TechCrunch reports, "Apple doesn't tell the targets to get in touch with its own security engineers." Instead, Apple directs them to the nonprofit security lab Access Now, "which runs a digital helpline for people in civil society who suspect they have been targets of government spyware."

While some view this as Apple sidestepping responsibility, cybersecurity experts agree that Apple's approach -- alerting victims, directing them to specialized support, and recommending tools like Lockdown Mode -- has been a game changer in combating mercenary spyware threats. From the report: For people who investigate spyware, Apple sharing spyware notifications with victims represented a turning point. Before the notifications, "We were just like in the dark, not knowing who to check," according to Access Now's legal counsel Natalia Krapiva. "I think it's one of the greatest things that's happened in the sphere of this kind of forensic investigations and hunting of sophisticated spyware," Krapiva told TechCrunch.

Now, when someone or a group of people get a notification from Apple, they are warned that something potentially anomalous is happening with their device, that someone is targeting them, and that they need to get help. And Apple tells them exactly where to get it, according to Scott-Railton, who said Access Now's helpline is the right place to go because "the helpline is able to do good, systematic triage work and support." Krapiva said that the helpline is staffed by more than 30 people, supported by others who work in other departments of the nonprofit. So far in 2024, Krapiva said Access Now received 4,337 tickets through the helpline.

For anyone alerted by a notification, Apple tells those targets and victims of spyware to update their iOS software and all their apps. Apple also suggests the user switches on Lockdown Mode, an opt-in iOS security feature that has stopped spyware attacks in the past by limiting device features that are often exploited to plant spyware. Apple said last year that it is not aware of any successful spyware infection against someone who used Lockdown Mode.

Crime

Justice Department Unveils Charges Against Alleged LockBit Developer 4

The U.S. Department of Justice has charged Russian-Israeli national, Rostislav Panev, for his alleged role as a developer in the LockBit ransomware group, accused of designing malware and maintaining infrastructure for attacks that extorted over $500 million and caused billions in global damages. CyberScoop reports: The arrest is part of a broader campaign by international law enforcement agencies to dismantle LockBit. In February, a coordinated operation led by the U.K.'s National Crime Agency in cooperation with the FBI and the U.S. Justice Department disrupted LockBit's infrastructure, seizing websites and servers critical to its operations. These efforts significantly curtailed the group's ability to launch further attacks and extort victims.

Panev is one of several individuals charged in connection with LockBit. Alongside him, other key figures have been indicted, including Dmitry Khoroshev, alleged to be "LockBitSupp," the group's primary creator and administrator. Khoroshev, still at large, is accused of developing the ransomware and coordinating attacks on an international scale. The State Department has offered a reward of up to $10 million for his capture.

Meanwhile, numerous members linked to LockBit remain fugitives, such as Russian nationals Artur Sungatov and Ivan Kondratyev, each facing charges for deploying ransomware against multiple industries globally. Mikhail Matveev, another alleged LockBit affiliate, is also at large, with a $10 million reward for his capture. Matveev was recently charged with computer crimes in Russia.
You can read the full criminal complaint against Panev here (PDF).

IT

Japanese Firm's USB-C Cable Rotates 360 Degrees (tomshardware.com) 28

Japanese electronics manufacturer Sanwa Supply has launched a rotating USB-C cable capable of 240W power delivery but sadly USB 2.0 transfer speeds, Tom'sHardware reports. The $16 cable features a 360-degree rotating connector and is available in 1-meter and 1.8-meter lengths, with both USB-C to USB-C and USB-A to USB-C options, the report adds.

Communications

Feds Warn SMS Authentication Is Unsafe (gizmodo.com) 88

An anonymous reader quotes a report from Gizmodo: Hackers aligned with the Chinese government have infiltrated U.S. telecommunications infrastructure so deeply that it allowed the interception of unencrypted communications on a number of people, according to reports that first emerged in October. The operation, dubbed Salt Typhoon, apparently allowed hackers to listen to phone calls and nab text messages, and the penetration has been so extensive they haven't even been booted from the telecom networks yet. The Cybersecurity and Infrastructure Security Agency (CISA) issued guidance this week on best practices for protecting "highly targeted individuals," which includes a new warning (PDF) about text messages.

"Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider's network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals," the guidance, which has been posted online, reads. Not every service even allows for multi-factor authentication and sometimes text messages are the only option. But when you have a choice, it's better to use phishing-resistant methods like passkeys or authenticator apps. CISA prefaces its guidance by insisting it's only really speaking about high-value targets.
Sen. Mark Warner (D-VA) has called the telecommunications hack mentioned above the "worst hack in our nation's history."

Microsoft

Microsoft Won't Let Customers Opt Out of Passkey Push (theregister.com) 203

Microsoft has lauded the success of its efforts to convince customers to use passkeys instead of passwords, without actually quantifying that success. From a report: The software megalith credits passkey adoption to its enrolment user experience, or UX, which owes its unspecified uptake to unavoidable passkey solicitations -- sometimes referred to as "nudges."

"We're implementing logic that determines how often to show a nudge so as not to overwhelm users, but we don't let them permanently opt out of passkey invitations," explained Sangeeta Ranjit, group product manager, and Scott Bingham, principal product manager, in a blog post. The corporation's onboarding strategy seems to suit its corporate address: One Microsoft Way.

Ranjit and Bingham describe that strategy in a post titled "Convincing a billion users to love passkeys: UX design insights from Microsoft to boost adoption and security." But they don't disclose how many customers love passkeys enough to actually use them.

Security

Hackers Can Jailbreak Digital License Plates To Make Others Pay Their Tolls, Tickets (wired.com) 72

Longtime Slashdot reader sinij shares a report from Wired with the caption: "This story will be an on-going payday for traffic ticket lawyers. I am ordering one now." From the report: Digital license plates, already legal to buy in a growing number of states and to drive with nationwide, offer a few perks over their sheet metal predecessors. You can change their display on the fly to frame your plate number with novelty messages, for instance, or to flag that your car has been stolen. Now one security researcher has shown how they can also be hacked to enable a less benign feature: changing a car's license plate number at will to avoid traffic tickets and tolls -- or even pin them on someone else.

Josep Rodriguez, a researcher at security firm IOActive, has revealed a technique to "jailbreak" digital license plates sold by Reviver, the leading vendor of those plates in the US with 65,000 plates already sold. By removing a sticker on the back of the plate and attaching a cable to its internal connectors, he's able to rewrite a Reviver plate's firmware in a matter of minutes. Then, with that custom firmware installed, the jailbroken license plate can receive commands via Bluetooth from a smartphone app to instantly change its display to show any characters or image. That susceptibility to jailbreaking, Rodriguez points out, could let drivers with the license plates evade any system that depends on license plate numbers for enforcement or surveillance, from tolls to speeding and parking tickets to automatic license plate readers that police use to track criminal suspects. "You can put whatever you want on the screen, which users are not supposed to be able to do," says Rodriguez. "Imagine you are going through a speed camera or if you are a criminal and you don't want to get caught."

Worse still, Rodriguez points out that a jailbroken license plate can be changed not just to an arbitrary number but also to the number of another vehicle -- whose driver would then receive the malicious user's tickets and toll bills. "If you can change the license plate number whenever you want, you can cause some real problems," Rodriguez says. All traffic-related mischief aside, Rodriguez also notes that jailbreaking the plates could also allow drivers to use the plates' features without paying Reviver's $29.99 monthly subscription fee. Because the vulnerability that allowed him to rewrite the plates' firmware exists at the hardware level -- in Reviver's chips themselves -- Rodriguez says there's no way for Reviver to patch the issue with a mere software update. Instead, it would have to replace those chips in each display. That means the company's license plates are very likely to remain vulnerable despite Rodriguez's warning -- a fact, Rodriguez says, that transport policymakers and law enforcement should be aware of as digital license plates roll out across the country. "It's a big problem because now you have thousands of licensed plates with this issue, and you would need to change the hardware to fix it," he says.

Security

Tracker Firm Hapn Spilling Names of Thousands of GPS Tracking Customers (techcrunch.com) 14

An anonymous reader quotes a report from TechCrunch: GPS tracking firm Hapn is exposing the names of thousands of its customers due to a website bug, TechCrunch has learned. A security researcher alerted TechCrunch in late November to customer names and affiliations -- such as the name of their workplace -- spilling from one of Hapn's servers, which TechCrunch has seen.

Hapn, formerly known as Spytec, is a tracking company that allows users to remotely monitor the real-time location of internet-enabled tracking devices, which can be attached to vehicles or other equipment. The company also sells GPS trackers to consumers under its Spytec brand, which rely on the Hapn app for tracking. Spytec touts its GPS devices for tracking the locations of valuable possessions and "loved ones." According to its website, Hapn claims to track more than 460,000 devices and counts customers within the Fortune 500.

The bug allows anyone to log in with a Hapn account to view the exposed data using the developer tools in their web browser. The exposed data contains information on more than 8,600 GPS trackers, including the IMEI numbers for the SIM cards in each tracker, which uniquely identify each device. The exposed data does not include location data, but thousands of records contain the names and business affiliations of customers who own, or are tracked by, the GPS trackers.

Encryption

Australia Moves To Drop Some Cryptography By 2030 (theregister.com) 31

An anonymous reader shares a report: Australia's chief cyber security agency has decided local orgs should stop using the tech that forms the current cryptographic foundation of the internet by the year 2030 -- years before other nations plan to do so -- over fears that advances in quantum computing could render it insecure.

The Land Down Under's plans emerged last week when the Australian Signals Directorate (ASD) published guidance for High Assurance Cryptographic Equipment (HACE) -- devices that send and/or receive sensitive information -- that calls for disallowing the cryptographic algorithms SHA-256, RSA, ECDSA and ECDH, among others, by the end of this decade.

Bill Buchanan, professor in the School of Computing at Edinburgh Napier University, wrote a blog post in which he expressed shock that the ASD aims to move so quickly. "Basically, these four methods are used for virtually every web connection that we create, and where ECDH is used for the key exchange, ECDSA or RSA is used to authenticate the remote server, and SHA-256 is used for the integrity of the data sent," he wrote. "The removal of SHA-256 definitely goes against current recommendations."
