Security

Bluesky Has an Extortion Problem (tedium.co) 36

A cybersquatting scheme targeting prominent writers and entrepreneurs has exposed flaws in Bluesky's domain-based verification system, newsletter Tedium reports, citing users.

Bloomberg columnist Conor Sen reported receiving an extortion attempt this week when an anonymous user who had purchased his namesake domain demanded payment to transfer ownership. The episode has unraveled wider revelations of similar attacks targeting at least five other well-known users, including political blogger Matt Yglesias and The Hustle founder Sam Parr.

The platform's moderation team initially banned Parr's legitimate account while leaving the impersonator active, Sen told Tedium. The fake account was only removed after users escalated the issue to senior Bluesky staff.

AI

Microsoft Acquires Twice as Many Nvidia AI Chips as Tech Rivals (ft.com) 12

Microsoft bought twice as many of Nvidia's flagship chips as any of its largest rivals in the US and China this year, as OpenAI's biggest investor accelerated its investment in artificial intelligence infrastructure. From a report: Analysts at Omdia, a technology consultancy, estimate that Microsoft bought 485,000 of Nvidia's "Hopper" chips this year. That put Microsoft far ahead of Nvidia's next biggest US customer Meta, which bought 224,000 Hopper chips, as well as its cloud computing rivals Amazon and Google.

With demand outstripping supply of Nvidia's most advanced graphics processing units for much of the past two years, Microsoft's chip hoard has given it an edge in the race to build the next generation of AI systems. This year, Big Tech companies have spent tens of billions of dollars on data centres running Nvidia's latest chips, which have become the hottest commodity in Silicon Valley since the debut of ChatGPT two years ago kick-started an unprecedented surge of investment in AI.

China

Chinese Hacker Singlehandedly Responsible For Exploiting 81,000 Sophos Firewalls, DOJ Says (cybernews.com) 16

An anonymous reader shares a report: A Chinese hacker indicted earlier this month and the PRC-based cybersecurity company he worked for are both sanctioned by the US government for compromising "tens of thousands of firewalls" -- some protecting US critical infrastructure, putting human lives at risk.

In a series of coordinated actions, the US Treasury Department's Office of Foreign Assets Control (OFAC), the Department of Justice (DoJ), and the FBI said the massive cyber espionage campaign, which compromised at least 36 firewalls protecting US critical infrastructure, posed significant risks to national security.

A federal court in Indiana earlier this month unsealed an indictment charging 30-year-old Guan Tianfeng (Guan) with conspiracy to commit computer and wire fraud by hacking into firewall devices worldwide, including one "used by an agency of the United States." Guan, employed by the Chinese cybersecurity firm Sichuan Silence -- a known contractor for Beijing intelligence -- was alleged to have discovered a zero-day vulnerability in firewall products manufactured by UK cybersecurity firm Sophos.

Data Storage

Seagate's Breakthrough 32TB HAMR Hard Drives Are Finally Here (tomshardware.com) 79

Seagate has launched its first mass-produced hard drives using heat-assisted magnetic recording (HAMR) technology, introducing 32TB and 30TB models under the Exos M brand. The drives, based on Seagate's Mozaic 3+ platform, mark the company's commercial breakthrough in HAMR technology after 16 years of development. Compatible with existing systems, the 32TB model uses shingled magnetic recording, while the 30TB version employs conventional magnetic recording.

IT

Framework Unveils $39 Storage Expansion Module (theverge.com) 6

Framework has announced a $39 Dual M.2 Adapter for its Laptop 16, enabling users to add two additional M.2 slots to the laptop's expansion bay. The new component allows for up to 26TB of total storage when combined with the laptop's existing SSD slots, supporting various M.2 form factors with PCIe 4.0 connectivity.

The company also replaced the Laptop 16's liquid metal cooling system with Honeywell PTM7958 thermal paste to address performance concerns. Framework will provide the new thermal solution to existing customers upon request. The adapter marks Framework's first modular expansion component for the Laptop 16 since its launch, complementing the optional Radeon RX 7700S graphics card offering.

Privacy

Hackers Hit Rhode Island Benefits System In Major Cyberattack (apnews.com) 29

A cyberattack on Rhode Island's RIBridges system has exposed personal data of individuals involved in programs like Medicaid, SNAP, and others, with hackers demanding a ransom. The breach may include sensitive details like Social Security numbers and banking information. The Associated Press reports: Anyone who has been involved in Medicaid, the Supplemental Nutrition Assistance Program known as SNAP, Temporary Assistance for Needy Families, Childcare Assistance Program, Rhode Island Works, Long-term Services and Supports, the At HOME Cost Share Program and health insurance purchased through HealthSource RI may be impacted, McKee said Saturday.

The system known as RIBridges was taken offline on Friday, after the state was informed by its vendor, Deloitte, that there was a major security threat to the system. The vendor confirmed that "there is a high probability that a cybercriminal has obtained files with personally identifiable information from RIBridges," the state said. The state has contracted with Experian to run a toll-free hotline for Rhode Islanders to call to get information about the breach and how they can protect their data.

IT

To Log Into WordPress, You Now Have To Agree Pineapple on Pizza Is Good (404media.co) 119

WordPress co-founder and CEO of Automattic Matt Mullenweg is trolling contributors and users of the WordPress open-source project by requiring them to check a box that says "Pineapple is delicious on pizza." From a report: The change was spotted by WordPress contributors late Sunday, and is still up as of Monday morning. Trying to log in or create a new account without checking the box returns a "please try again" error.

Last week, as part of the ongoing legal battle between WP Engine and Automattic, the company that owns WordPress.com, a judge ordered Mullenweg to remove a controversial login checkbox from WordPress.org that required users to pledge that they were not affiliated with WP Engine before logging in.

IT

Study Finds Most Fulfilling Jobs: Self-Employment, Government Work, Managing, and Social Service (seattletimes.com) 83

"Envy the lumberjacks, for they perform the happiest, most meaningful work on earth," the Washington Post wrote almost two years ago, after analyzing more than 13,000 journals from the U.S. Bureau of Labor Statistics' time-use survey. (For the first time the surveys asked how workers felt during the day.) And outdoor forestry jobs "look awesome by that metric, dangerous as they often are in the long run," the Post wrote in a recent follow-up.

But is that really the right metric? "Readers kept reminding us that there's more to a fulfilling job than how happy you are while doing it." What about those wanting jobs where they're meaningfully impacting the world? We didn't have a stellar way to measure other feelings about work, but we kept our eye on an often-overlooked federal data provider: AmeriCorps. The independent agency, which CEO Michael D. Smith described to us as "bite-sized" but "punching well above our weight," funds the Civic Engagement and Volunteering Supplement, part of the Census Bureau's Current Population Survey... In 2021 and again in 2023, the researchers behind the CEV asked if you agree or disagree with these four statements:

- I am proud to be working for my employer.
- My main satisfaction in life comes from work.
- My workplace contributes to the community.
- I contribute to the community through my work....
The workers most likely to say they're proud to be working for their employer and that they gain satisfaction from work are — surprise! — the self-employed. The self-employed who are incorporated — a group that often includes small-business owners — are almost twice as likely as private-sector, for-profit workers to strongly profess pride in their employer.

Government and nonprofit workers fall somewhere in the middle on those questions. But they rank at the very top on "My workplace contributes to the community" and "I contribute to the community through my work." Local government workers, who include teachers, take the top spot for strong agreement on both, followed by nonprofit workers. Private-sector, for-profit workers once again lag behind. The jobs that do worse on these measures tend to be in manufacturing or other blue-collar production and extraction jobs, or at the lower-paid end of the service sector. Folks in food services (e.g., bartenders and food prep), janitorial roles and landscaping, and personal services (e.g., barbershops, laundry and hotels) all struggle to find greater meaning in their work. Though some better-paid service jobs also struggle by some measures — think sales, engineering or software development.

On the questions regarding pride in your employer and life satisfaction, we see managers and our old friends in agriculture and forestry take the top spots. But right behind them — and actually in the lead in the other question — lurks the real standout, a set of jobs we'd classify as "care and social services." That includes, most notably, religious workers. Looking a bit deeper at about 100 occupations for which we have detailed data, we see clergy were most likely to strongly agree on every question.

Other observations from the article:
  • "As a rule, you feel better about your job as you get older. Presumably, it's some mix of people who love their work delaying retirement, people job-hopping until they find meaningful employment, and people learning to love whatever hand they've been dealt."
  • "Most measures of satisfaction also rise with education, often quite sharply. Someone with a graduate degree is twice as likely as a high school dropout to strongly agree their workplace contributes to the community."
  • But... "More-educated folks are actually a bit less likely to strongly agree that work is their main satisfaction in life."

Encryption

Let's Encrypt Announces New-Certificate-Every-6-Days Offering (letsencrypt.org) 60

The non-profit, free certificate authority Let's Encrypt shared some news from their executive director as they approach their 10th anniversary in 2025: Internally things have changed dramatically from what they looked like ten years ago, but outwardly our service hasn't changed much since launch. That's because the vision we had for how best to do our job remains as powerful today as it ever was: free 90-day TLS certificates via an automated API. Pretty much as many as you need. More than 500,000,000 websites benefit from this offering today, and the vast majority of the web is encrypted.

Our longstanding offering won't fundamentally change next year, but we are going to introduce a new offering that's a big shift from anything we've done before — short-lived certificates. Specifically, certificates with a lifetime of six days. This is a big upgrade for the security of the TLS ecosystem because it minimizes exposure time during a key compromise event.

Because we've done so much to encourage automation over the past decade, most of our subscribers aren't going to have to do much in order to switch to shorter lived certificates. We, on the other hand, are going to have to think about the possibility that we will need to issue 20x as many certificates as we do now. It's not inconceivable that at some point in our next decade we may need to be prepared to issue 100,000,000 certificates per day. That sounds sort of nuts to me today, but issuing 5,000,000 certificates per day would have sounded crazy to me ten years ago... It was hard to build Let's Encrypt. It was difficult to scale it to serve half a billion websites...

Charitable contributions from people like you and organizations around the world make this stuff possible. Since 2015, tens of thousands of people have donated. They've made a case for corporate sponsorship, given through their Donor-Advised Funds, or set up recurring donations, sometimes to give $3 a month. That's all added up to millions of dollars that we've used to change the Internet for nearly everyone using it.

Thanks to long-time Slashdot reader rastos1 for sharing the news.

Encryption

Was the US Telecom Breach Inevitable, Proving Backdoors Can't Be Secure? (theintercept.com) 76

America's 1994 "Communications Assistance for Law Enforcement Act" (or CALEA) created the security hole that helped enable a massive telecom breach. But now America's FBI "is falling back on the same warmed-over, bad advice about encryption that it has trotted out for years," argues the Intercept: In response to the Salt Typhoon hack, attributed to state-backed hackers from China, the bureau is touting the long-debunked idea that federal agents could access U.S. communications without opening the door to foreign hackers. Critics say the FBI's idea, which it calls "responsibly managed encryption," is nothing more than a rebranding of a government backdoor. "It's not this huge about-face by law enforcement," said Andrew Crocker, the surveillance litigation director at the Electronic Frontier Foundation. "It's just the same, illogical talking points they have had for 30+ years, where they say, 'Encryption is OK, but we need to be able to access communications.' That is a circle that cannot be squared...."

In a blog post last month, encryption expert Susan Landau said CALEA had long been a "national security disaster waiting to happen... If you build a system so that it is easy to break into, people will do so — both the good guys and the bad. That's the inevitable consequence of CALEA, one we warned would come to pass — and it did," she said...

Sean Vitka, the policy director at the progressive group Demand Progress, said the hack has once again provided damning evidence that government backdoors cannot be secured. "If the FBI cannot keep their wiretap system safe, they absolutely cannot keep the skeleton key to all Apple phones safe," Vitka said.

Thanks to Slashdot reader mspohr for sharing the article.

Security

Yearlong Supply-Chain Attack Targeting Security Pros Steals 390,000 Credentials (arstechnica.com) 8

An anonymous reader quotes a report from Ars Technica: A sophisticated and ongoing supply-chain attack operating for the past year has been stealing sensitive login credentials from both malicious and benevolent security personnel by infecting them with Trojanized versions of open source software from GitHub and NPM, researchers said. The campaign, first reported three weeks ago by security firm Checkmarx and again on Friday by Datadog Security Labs, uses multiple avenues to infect the devices of researchers in security and other technical fields. One is through packages that have been available on open source repositories for over a year. They install a professionally developed backdoor that takes pains to conceal its presence. The unknown threat actors behind the campaign have also employed spear phishing that targets thousands of researchers who publish papers on the arXiv platform.

The objectives of the threat actors are also multifaceted. One is the collection of SSH private keys, Amazon Web Services access keys, command histories, and other sensitive information from infected devices every 12 hours. When this post went live, dozens of machines remained infected, and an online account on Dropbox contained some 390,000 credentials for WordPress websites taken by the attackers, most likely by stealing them from fellow malicious threat actors. The malware used in the campaign also installs cryptomining software that was present on at least 68 machines as of last month. It's unclear who the threat actors are or what their motives may be. Datadog researchers have designated the group MUT-1244, with MUT short for "mysterious unattributed threat."

Privacy

UnitedHealthcare's Optum Left an AI Chatbot, Used By Employees To Ask Questions About Claims, Exposed To the Internet (techcrunch.com) 22

Healthcare giant Optum has restricted access to an internal AI chatbot used by employees after a security researcher found it was publicly accessible online, and anyone could access it using only a web browser. TechCrunch: The chatbot, which TechCrunch has seen, allowed employees to ask the company questions about how to handle patient health insurance claims and disputes for members in line with the company's standard operating procedures (SOPs).

While the chatbot did not appear to contain or produce sensitive personal or protected health information, its inadvertent exposure comes at a time when its parent company, health insurance conglomerate UnitedHealthcare, faces scrutiny for its use of artificial intelligence tools and algorithms to allegedly override doctors' medical decisions and deny patient claims.

Mossab Hussein, chief security officer and co-founder of cybersecurity firm spiderSilk, alerted TechCrunch to the publicly exposed internal Optum chatbot, dubbed "SOP Chatbot." Although the tool was hosted on an internal Optum domain and could not be accessed from its web address, its IP address was public and accessible from the internet and did not require users to enter a password.

Microsoft

HDMI 2.2 Specs With Increased Bandwidth To Be Announced at CES 2025 (videocardz.com) 42

HDMI Forum will announce new specifications with increased bandwidth capabilities at CES 2025, ahead of anticipated graphics card launches from AMD and NVIDIA. The announcement, scheduled for January 6, is expected to introduce HDMI 2.2 standard alongside a new cable supporting higher resolutions and refresh rates.

Current HDMI 2.1 specification maxes out at 48 Gbps bandwidth, allowing 10K resolution at 120 Hz with compression. The upgrade aims to compete with DisplayPort 2.1, which offers up to 80 Gbps bandwidth and is already supported by recent AMD and Intel GPUs.

Yahoo!

Yahoo Cybersecurity Team Sees Layoffs, Outsourcing of 'Red Team,' Under New CTO (techcrunch.com) 12

Yahoo laid off around 25% of its cybersecurity team -- known as The Paranoids -- over the last year, TechCrunch has learned. From the report: Overall, the company has laid off or lost through attrition 40 to 50 people from a total of 200 employees in the cybersecurity team since the start of 2024, according to multiple current and former Yahoo employees who spoke to TechCrunch on condition of anonymity. (Yahoo is TechCrunch's parent company.)

The Paranoids are not the only team affected by the layoffs. Valeri Liborski, who was appointed Yahoo's chief technology officer in September, sent an email this week to employees announcing changes across the broader technology unit, including enterprise productivity and core services. The email to staff, which was obtained by TechCrunch, said: "This was a very difficult decision and one I have not taken lightly."

The Paranoids' so-called red team, or offensive security team -- which conducts cyberattack simulations to identify weaknesses in the company's network before external hackers can -- was eliminated entirely this week, and there have been at least three rounds of layoffs impacting the cybersecurity team this year, according to the sources.

Microsoft

Microsoft Hijacks Keyboard Shortcut To Bring Copilot To Your Attention (theregister.com) 70

An anonymous reader shares a report: Copilot has gone native for Windows Insiders and commandeered a popular keyboard shortcut in the process. The move from a Progressive Web App (PWA) to a native binary -- although most of it appears to still be a website, just not running as a PWA -- will be welcomed. Microsoft noted that once the app update has been installed, Copilot will appear in the system tray.

However, the assistant's quick view feature has been given the Alt+Space keyboard shortcut. This is already used by many other applications, including Microsoft's own PowerToys. PowerToys Run, for example, uses Alt+Space to open a launcher into which users can type in the name of the service they are seeking. Alt+Space is also used to show the context menu of the active window. Therefore, Microsoft's decision to hand the shortcut over to Copilot is unlikely to please keyboard warriors who are used to their shortcuts working in a particular way.

The Windows vendor acknowledged that the shortcut was already in use by many apps, saying: "For any apps installed on your PC that might utilize this keyboard shortcut, Windows will register whichever app is launched first on your PC and running in the background as the app that is invoked when using Alt+Space."

Microsoft

Amazon Paused Rollout of Microsoft Office for a Year After Hacks (bloomberg.com) 13

Amazon has postponed implementing Microsoft's cloud-based Office suite for its workforce by one year, citing security concerns following a Russian cyber attack on Microsoft's systems. The delay affects a $1 billion, five-year contract signed last year to provide Microsoft 365 to Amazon's 1.5 million employees, making the e-commerce giant one of the largest customers of Microsoft's cloud productivity suite.

The decision came after Microsoft revealed that Midnight Blizzard, a Russia-linked hacking group, had breached several employee email accounts, including those of senior executives and cybersecurity staff. Amazon subsequently conducted its own security review and requested enhanced protection measures from Microsoft.

Businesses

Startup Will Brick $800 Emotional Support Robot For Kids Without Refunds (arstechnica.com) 144

Startup Embodied is closing down, and its product, an $800 robot for kids ages 5 to 10, will soon be bricked. From a report: Embodied blamed its closure on a failed "critical funding round." On its website, it explained: "We had secured a lead investor who was prepared to close the round. However, at the last minute, they withdrew, leaving us with no viable options to continue operations. Despite our best efforts to secure alternative funding, we were unable to find a replacement in time to sustain operations."

The company didn't provide further details about the pulled funding. Embodied's previous backers have included Intel Capital, Toyota AI Ventures, Amazon Alexa Fund, Sony Innovation Fund, and Vulcan Capital, but we don't know who the lead investor mentioned above is. When it first announced Moxie in April 2020, Embodied described the robot as a "safe and engaging animate companion for children designed to help promote social, emotional, and cognitive development."

The Internet

Russia Tests Cutting Off Access To Global Web, and VPNs Can't Get Around It (pcmag.com) 123

An anonymous reader shares a report: Russia has reportedly cut some regions of the country off from the rest of the world's internet for a day, effectively siloing them, according to reports from European and Russian news outlets reshared by the US nonprofit Institute for the Study of War (ISW) and Western news outlets.

Russia's communications authority, Roskomnadzor, blocked residents in Dagestan, Chechnya, and Ingushetia, which have majority-Muslim populations, ISW says. The three regions are in southwest Russia near its borders with Georgia and Azerbaijan. People in those areas couldn't access Google, YouTube, Telegram, WhatsApp, or other foreign websites or apps -- even if they used VPNs, according to a local Russian news site.

Russian digital rights NGO Roskomsvoboda told TechRadar that most VPNs didn't work during the shutdown, but some apparently did. It's unclear which ones or how many actually worked, though. Russia has been increasingly blocking VPNs more broadly, and Apple has helped the country's censorship efforts by taking down VPN apps on its Russian App Store. At least 197 VPNs are currently blocked in Russia, according to Russian news agency Interfax.

Security

Researchers Uncover Chinese Spyware Used To Target Android Devices (techcrunch.com) 34

Security researchers have uncovered a new surveillance tool that they say has been used by Chinese law enforcement to collect sensitive information from Android devices in China. From a report: The tool, named "EagleMsgSpy," was discovered by researchers at U.S. cybersecurity firm Lookout. The company said at the Black Hat Europe conference on Wednesday that it had acquired several variants of the spyware, which it says has been operational since "at least 2017."

Kristina Balaam, a senior intelligence researcher at Lookout, told TechCrunch the spyware has been used by "many" public security bureaus in mainland China to collect "extensive" information from mobile devices. This includes call logs, contacts, GPS coordinates, bookmarks, and messages from third-party apps including Telegram and WhatsApp. EagleMsgSpy is also capable of initiating screen recordings on smartphones, and can capture audio recordings of the device while in use, according to research Lookout shared with TechCrunch.

A manual obtained by Lookout describes the app as a "comprehensive mobile phone judicial monitoring product" that can obtain "real-time mobile phone information of suspects through network control without the suspect's knowledge, monitor all mobile phone activities of criminals and summarize them."

Programming

Open Source Maintainers Are Drowning in Junk Bug Reports Written By AI (theregister.com) 91

An anonymous reader shares a report: Software vulnerability submissions generated by AI models have ushered in a "new era of slop security reports for open source" -- and the devs maintaining these projects wish bug hunters would rely less on results produced by machine learning assistants. Seth Larson, security developer-in-residence at the Python Software Foundation, raised the issue in a blog post last week, urging those reporting bugs not to use AI systems for bug hunting.

"Recently I've noticed an uptick in extremely low-quality, spammy, and LLM-hallucinated security reports to open source projects," he wrote, pointing to similar findings from the Curl project in January. "These reports appear at first glance to be potentially legitimate and thus require time to refute." Larson argued that low-quality reports should be treated as if they're malicious.

As if to underscore the persistence of these concerns, a Curl project bug report posted on December 8 shows that nearly a year after maintainer Daniel Stenberg raised the issue, he's still confronted by "AI slop" -- and wasting his time arguing with a bug submitter who may be partially or entirely automated.
