Encryption

Ask Slashdot: What's the Best (Encrypted) Password Manager? 154

For storing passwords, Slashdot reader eggegick has a simple, easy solution: "I use Vim to keep my passwords in an encrypted file."

But what's the easiest solution for people who don't use Vim? My wife is not a Linux geek like I am, so she's using [free and open-source] KeePass. It's relatively simple to install and use, but I seem to recall it used to be even much simpler... Does anybody know of a really simple password manager or encrypting notepad?

I've looked at a number of them, and they use Java or Javascript, or they involve an external web site, or they have way too many features, or they use an installation program. Or Windows Defender objects to them.

Share your own suggestions and thoughts in the comments.

What's the best (encrypted) password manager?
IT

A Ponzi Scheme Targets Desperate Workers Amid Zimbabwe's Employment Crisis (restofworld.org) 20

Dumi, a Zimbabwean, fell for E-Creator's review-writing job, investing $112. When the company's director disappeared with $1M, his account was frozen, leaving him scammed. Rest of World reports: Thousands of Zimbabweans have been lured into a scam in hopes of making a quick buck, at a time when unemployment in the country is high: Estimates vary from 7.9% to 20%, or even 90%, according to the Zimbabwe Congress of Trade Unions. Alongside the job crisis, the country has been reeling under an inflation of more than 100%, with many struggling to make ends meet. Dumi, who previously worked as a clerk, told Rest of World he found it hard to get another job due to scarce opportunities. He said he joined the E-Creator scheme hoping he'd earn an income while waiting to find the job of his dreams. "Some of us living in marginalized townships such as Mbare, with no decent employment, jumped at an opportunity, which seemed to be so technologically significant and rewarding. Losing money in the process was unexpected," Dumi said, adding that he would not have joined the scheme if he had a job of his choice.

E-Creator agents told Rest of World they had taken up the role because they were unemployed or couldn't find enough work. They said they were lured by the promise of earning 10% returns for posting 10 fake reviews if they invested between $15 and $100. There were higher rewards promised for bigger investments: Depositing $100-$500 and recruiting five agents meant an additional 4.5% return; depositing $500-$2,000 and recruiting over 50 others would take earnings to the highest level of a 5% commission and a 10% base payout. While they could withdraw money from their E-Creator wallets, the lure of getting higher returns stopped them from doing so. Watson Manjobo, a former manager and affiliate marketer for E-Creator, told Rest of World the company owed him his salary for June. His job was to recruit more users and help people reset their account passwords. When news of Jiaotong's escape went viral, users flooded his phone with messages demanding answers, he said, adding that his direct superiors have since been unreachable.

Security

A Cyberattack Has Disrupted Hospitals and Health Care in Several States (apnews.com) 20

A cyberattack has disrupted hospital computer systems in several states, forcing some emergency rooms to close and ambulances to be diverted, and many primary care services remained closed on Friday as security experts worked to determine the extent of the problem and resolve it. From a report: The "data security incident" began Thursday at facilities operated by Prospect Medical Holdings, which is based in California and has hospitals and clinics there and in Texas, Connecticut, Rhode Island and Pennsylvania. "Upon learning of this, we took our systems offline to protect them and launched an investigation with the help of third-party cybersecurity specialists," the company said in a statement Friday. "While our investigation continues, we are focused on addressing the pressing needs of our patients as we work diligently to return to normal operations as quickly as possible." In Connecticut, the emergency departments at Manchester Memorial and Rockville General hospital were closed for much of Thursday and patients were diverted to other nearby medical centers.

[...] The FBI in Connecticut issued a statement saying it is working with "law enforcement partners and the victim entities" but could not comment further on an ongoing investigation. Elective surgeries, outpatient appointments, blood drives and other services were suspended, and while the emergency departments reopened late Thursday, many primary care services were closed on Friday, according to the Eastern Connecticut Health Network, which runs the facilities. Patients were being contacted individually, according to the network's website. Similar disruptions also were reported at other facilities system-wide.

Security

Hackers Could Have Scored Unlimited Airline Miles By Targeting One Platform (wired.com) 5

An anonymous reader quotes a report from Wired: Travel rewards programs like those offered by airlines and hotels tout the specific perks of joining their club over others. Under the hood, though, the digital infrastructure for many of these programs -- including Delta SkyMiles, United MileagePlus, Hilton Honors, and Marriott Bonvoy -- is built on the same platform. The backend comes from the loyalty commerce company Points and its suite of services, including an expansive application programming interface (API). But new findings, published today by a group of security researchers, show that vulnerabilities in the Points.com API could have been exploited to expose customer data, steal customers' "loyalty currency" (like miles), or even compromise Points global administration accounts to gain control of entire loyalty programs. The researchers -- Ian Carroll, Shubham Shah, and Sam Curry -- reported a series of vulnerabilities to Points between March and May, and all the bugs have since been fixed.

"The surprise for me was related to the fact that there is a central entity for loyalty and points systems, which almost every big brand in the world uses," Shah says. "From this point, it was clear to me that finding flaws in this system would have a cascading effect to every company utilizing their loyalty backend. I believe that once other hackers realized that targeting Points meant that they could potentially have unlimited points on loyalty systems, they would have also been successful in targeting Points.com eventually." One bug involved a manipulation that allowed the researchers to traverse from one part of the Points API infrastructure to another internal portion and then query it for reward program customer orders. The system included 22 million order records, which contain data like customer rewards account numbers, addresses, phone numbers, email addresses, and partial credit card numbers. Points.com had limits in place on how many responses the system could return at a time, meaning an attacker couldn't simply dump the whole data trove at once. But the researchers note that it would have been possible to look up specific individuals of interest or slowly siphon data from the system over time.

Another bug the researchers found was an API configuration issue that could have allowed an attacker to generate an account authorization token for any user with just their last name and rewards number. These two pieces of data could potentially be found through past breaches or could be taken by exploiting the first vulnerability. With this token, attackers could take over customer accounts and transfer miles or other rewards points to themselves, draining the victim's accounts. The researchers found two vulnerabilities similar to the other pair of bugs, one of which only impacted Virgin Red while the other affected just United MileagePlus. Points.com fixed both of these vulnerabilities as well. Most significantly, the researchers found a vulnerability in the Points.com global administration website in which an encrypted cookie assigned to each user had been encrypted with an easily guessable secret -- the word "secret" itself. By guessing this, the researchers could decrypt their cookie, reassign themselves global administrator privileges for the site, reencrypt the cookie, and essentially assume god-mode-like capabilities to access any Points reward system and even grant accounts unlimited miles or other benefits.

Security

Microsoft Comes Under Blistering Criticism For 'Grossly Irresponsible' Security (arstechnica.com) 55

An anonymous reader quotes a report from Ars Technica: Microsoft has once again come under blistering criticism for the security practices of Azure and its other cloud offerings, with the CEO of security firm Tenable saying Microsoft is "grossly irresponsible" and mired in a "culture of toxic obfuscation." The comments from Amit Yoran, chairman and CEO of Tenable, come six days after Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were "negligent cybersecurity practices" that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce. Microsoft has yet to provide key details about the mysterious breach, which involved the hackers obtaining an extraordinarily powerful encryption key granting access to a variety of its other cloud services. The company has taken pains ever since to obscure its infrastructure's role in the mass breach.

On Wednesday, Yoran took to LinkedIn to castigate Microsoft for failing to fix what the company said on Monday was a "critical" issue that gives hackers unauthorized access to data and apps managed by Azure AD, a Microsoft cloud offering for managing user authentication inside large organizations. Monday's disclosure said that the firm notified Microsoft of the problem in March and that Microsoft reported 16 weeks later that it had been fixed. Tenable researchers told Microsoft that the fix was incomplete. Microsoft set the date for providing a complete fix to September 28.

"To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank," Yoran wrote. "They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft." He continued: "Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers' networks and services? Of course not. They took more than 90 days to implement a partial fix -- and only for new applications loaded in the service."
In response, Microsoft officials wrote: "We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption." Microsoft went on to say that the initial fix in June "mitigated the issue for the majority of customers" and "no customer action is required."

In a separate email, Yoran responded: "It now appears that it's either fixed, or we are blocked from testing. We don't know the fix, or mitigation, so hard to say if it's truly fixed, or Microsoft put a control in place like a firewall rule or ACL to block us. When we find vulns in other products, vendors usually inform us of the fix so we can validate it effectively. With Microsoft Azure that doesn't happen, so it's a black box, which is also part of the problem. The 'just trust us' lacks credibility when you have the current track record."
Google

Google Can Now Alert You When Your Private Contact Info Appears Online (theverge.com) 15

Google is making it a lot easier to find and remove your contact information from its search results. From a report: The company will now send out notifications when it finds your address, phone number, or email on the web, allowing you to review and request the removal of that information from Search. All this takes place from Google's "results about you" dashboard on mobile and web, which it first rolled out last September. With the update, you can find your information on Google without actually having to conduct the search yourself. Once you input your personal information, the dashboard will automatically pull up websites that contain any matches, letting you review each webpage it appears on and then submit a request to remove it.
Data Storage

Backblaze Probes Increased Annualized Failure Rate For Its 240,940 HDDs (arstechnica.com) 28

For over a decade, Backblaze's quarterly reports on the annualized failure rates (AFRs) of its substantial hard disk drives inventory have offered a peek into long-term storage utilization. The company, known for its backup and cloud storage services, has now disclosed data for the second quarter of 2023, revealing a fascinating rise in AFRs. ArsTechnica: Today's blog post details data for 240,940 HDDs that Backblaze uses for data storage around the world. There are 31 different models, and Backblaze's Andy Klein, who authored the blog, estimated in an email to Ars Technica that 15 percent of the HDDs in the dataset, including some of the 4, 6, and 8TB drives, are consumer-grade. The dataset doesn't include boot drives, drives in commission for testing purposes, or drive models for which Backblaze didn't have at least 60 units. One of the biggest revelations from examining the drives from April 1, 2023, through June 30, 2023, was an increase in AFR from Q1 2023 (1.54 percent) to Q2 2023 (2.28 percent). Backblaze's Q1 dataset examined 237,278 HDDs across 30 models. Of course, that AFR increase alone isn't enough to warrant any panic.

Since quarterly AFR numbers are "volatile," Klein told Ars Technica, Backblaze further evaluates both quarter-to-quarter and lifetime trends "to see if what happened was an anomaly or something more." So, Klein started digging further by grouping the drives by capacity. This is because, as Klein explained to Ars: "A Backblaze storage vault consists of 1,200 drives of the same size, with 60 drives in 20 storage servers. If we grouped the drives strictly by age and wanted to replace just the oldest drives in a given Backblaze vault, we would only replace those drives in the vault that met the old age criteria, not all the drives. Then, a year from now, we'd do it again, and the year after that, etc. By using the average age by drive size, we can, as appropriate, replace/upgrade all of the drives in a vault at once."

Microsoft

Microsoft Accidentally Leaks Internal Utility for Testing New Windows 11 Features (arstechnica.com) 40

An anonymous reader shares a report: When Microsoft releases new test builds of Windows, there are usually a handful of features that are announced but only actually enabled for a small subset of testers. Sometimes it's because the company is A/B testing a couple of different versions of the same thing or because Microsoft wants to roll out major changes to a few users before rolling them out to everyone. Users normally have little control over whether new features actually appear in their Windows beta installs, but Microsoft has internal software called StagingTool that its own developers can use to switch things on and off themselves.

And now StagingTool has leaked to the public, thanks to a "bug bash" the company is running this week to find and fix problems before the next big batch of new Windows features releases this fall. As reported by The Verge, some bug bash participants were sent on "quests" that explicitly mentioned using the StagingTool to turn on specific features. Those quests and the tool itself have since been removed from Microsoft's servers, but StagingTool is already being freely distributed among Windows enthusiasts who want more control over the features they see.

Printer

Canon Warns Printer Users To Manually Wipe Wi-Fi Settings Before Discarding 37

Printer manufacturer Canon is warning that sensitive Wi-Fi settings don't automatically get wiped during resets, so customers should manually delete them before selling, discarding, or getting them repaired to prevent the settings from falling into the wrong hands. From a report: "Sensitive information on the Wi-Fi connection settings stored in the memories of inkjet printers (home and office/large format) may not be deleted by the usual initialization process," company officials wrote in an advisory on Monday. They went on to say that manual wiping should occur "when your printer may be in the hand of any third party, such as when repairing, lending or disposing the printer."

Like many printers these days, those from Canon connect to networks over Wi-Fi. To do this, users must provide the SSID name, the password preventing unauthorized access to the network, and in some cases, additional information such as Wi-Fi network type, the local network IP address, the MAC address, and network profile. It would be reasonable to assume that performing a simple factory reset that returns all settings to their defaults would be enough to remove these settings, but Monday's advisory indicated that isn't necessarily the case. In the event this information is exposed, malicious actors could use them to gain unauthorized access to a network hosting a Canon printer.
Encryption

Cult of Dead Cow Hacktivists Design Encryption System for Mobile Apps (washingtonpost.com) 22

Once known for distributing hacking tools and shaming software companies into improving their security, a famed group of technology activists is now working to develop a system that will allow the creation of messaging and social networking apps that won't keep hold of users' personal data. From a report: The group, Cult of the Dead Cow, has developed a coding framework that can be used by app developers who are willing to embrace strong encryption and forsake revenue from advertising that is targeted to individuals based on detailed profiles gleaned from the data most apps now routinely collect. The team is building on the work of such free products as Signal, which offers strong encryption for text messages and voice calls, and Tor, which offers anonymous web surfing by routing traffic through a series of servers to disguise the location of the person conducting the search.

The latest effort, to be detailed at the massive annual Def Con hacking conference in Las Vegas next week, seeks to provide a foundation for messaging, file sharing and even social networking apps without harvesting any data, all secured by the kind of end-to-end encryption that makes interception hard even for governments. Called Veilid, and pronounced vay-lid, the code can be used by developers to build applications for mobile devices or the web. Those apps will pass fully encrypted content to one another using the Veilid protocol, its developers say. As with the file-sharing software BitTorrent, which distributes different pieces of the same content simultaneously, the network will get faster as more devices join and share the load, the developers say. In such decentralized "peer-to-peer" networks, users download data from each other instead of from a central machine.

IT

Windows 11 Getting Multiple Monitor Refresh Rate Improvements (theverge.com) 39

Microsoft is making it a lot more convenient to use multiple high refresh rate monitors with Windows 11. From a report: The software giant has started testing a Windows 11 update that automatically adjusts refresh rates on multiple monitors depending on what content is being displayed, which should improve power usage and could even result in some GPUs spinning up their fans less often. "We have improved refresh rate logic to allow different refresh rates on different monitors, depending on the refresh rate for each monitor and content shown on the screen," explains Microsoft in a Windows Insider blog from last week. "This will help most with refresh rate-dependent multitasking, like playing a game and watching a video at the same time." If you have multiple monitors that support high refresh rates then running them at their full potential often increases the power draw of your GPU. Nvidia RTX 30- and 40-series Founders Edition cards also have a zero RPM mode, which will keep the fans at zero even when you're watching video content on a single monitor. If you add a second high refresh rate display, this often disables the zero RPM mode and means the GPU keeps its fans spinning if you have both monitors at high refresh rates.
IT

What Should Happen to Empty Downtown Office Spaces? (theguardian.com) 358

"A significant swath of our downtown office space is sitting empty," writes a columnist for the Guardian. "New York, Chicago, Atlanta, Los Angeles, Denver, Philadelphia, San Francisco, Houston, Dallas and other big cities are experiencing record-high office vacancies as workers keep working from home and companies keep letting them..." Some face-time is necessary but we're never going to go back to a 100% in-the-office policy, and companies that attempt this will lose talent to those that adapt to the shift. All this means that a substantial amount of square feet in all those tall office buildings in our major metropolitan areas are going to remain empty. The owners of these properties are already feeling the pressure of meeting higher debt maintenance with lower lease revenue, with many facing default. Countless small businesses in downtown areas facing significantly less traffic are closing their doors. And unless something is done, those empty buildings — after the banks have repossessed them from bankrupt borrowers — will become derelict, inviting even more crime and homelessness. It's already happening.

So what to do? The good news is that there are many opportunities for the entrepreneurial.

For example, existing office floors can be turned into less expensive single units for startups and incubators who want to boast a downtown address. Some buildings in cities with a vibrant and residential downtown — like Philadelphia — could be turned into residences. Others that are burdened with older, unsafe, non-air-conditioned school structures could convert this space into classrooms for students. Or perhaps all the homeless people sleeping on the streets outside of these empty structures could be given a warm place to stay with medical and counselling support?

With the continuing boom in e-commerce, warehouse space remains costly but could become more affordable — and logistically accessible — in a downtown structure. Manufacturing space could be more accommodating, with a better location making it easier to procure workers. Other alternatives for these buildings already being considered include vertical farming, storage facilities, gyms and movie sets. Or what about taking the red pill and merely knocking these buildings down and creating open spaces, parks, museums or structures that are more amenable to this new era of downtown life?

Security

Could NIST Delays Push Post-Quantum Security Products Into the Next Decade? (esecurityplanet.com) 45

Slashdot reader storagedude writes: A quantum computer capable of breaking public-key encryption is likely years away. Unfortunately, so are products that support post-quantum cryptography.

That's the conclusion of an eSecurity Planet article by Henry Newman. With the second round of NIST's post-quantum algorithm evaluations — announced last week — expected to take "several years" and the FIPS product validation process backed up, Newman notes that it will be some time before products based on post-quantum standards become available.

"The delay in developing quantum-resistant algorithms is especially troubling given the time it will take to get those products to market," Newman writes. "It generally takes four to six years with a new standard for a vendor to develop an ASIC to implement the standard, and it then takes time for the vendor to get the product validated, which seems to be taking a troubling amount of time.

"I am not sure that NIST is up to the dual challenge of getting the algorithms out and products validated so that vendors can have products that are available before quantum computers can break current technology. There is a race between quantum technology and NIST vetting algorithms, and at the moment the outcome is looking worrisome."

And as encrypted data stolen now can be decrypted later, the potential for "harvest now, decrypt later" attacks "is a quantum computing security problem that's already here."

AMD

AMD 'Zenbleed' Bug Leaks Data From Zen 2 Ryzen, EPYC CPUs (tomshardware.com) 40

Monday a researcher with Google Information Security posted about a new vulnerability he independently found in AMD's Zen 2 processors. Tom's Hardware reports: The 'Zenbleed' vulnerability spans the entire Zen 2 product stack, including AMD's EPYC data center processors and the Ryzen 3000/4000/5000 CPUs, allowing the theft of protected information from the CPU, such as encryption keys and user logins. The attack does not require physical access to the computer or server and can even be executed via JavaScript on a webpage...

AMD added the AMD-SB-7008 Bulletin several hours later. AMD has patches ready for its EPYC 7002 'Rome' processors now, but it will not patch its consumer Zen 2 Ryzen 3000, 4000, and some 5000-series chips until November and December of this year... AMD hasn't given specific details of any performance impacts but did issue the following statement to Tom's Hardware: "Any performance impact will vary depending on workload and system configuration. AMD is not aware of any known exploit of the described vulnerability outside the research environment..."

AMD describes the exploit much more simply, saying, "Under specific microarchitectural circumstances, a register in "Zen 2" CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information."

The article includes a list of the impacted processors with a schedule for the release of the updated firmware to OEMs.

The Google Information Security researcher who discovered the bug is sharing research on different CPU behaviors, and says the bug can be patched through software on multiple operating systems (e.g., "you can set the chicken bit DE_CFG[9]") — but this might result in a performance penalty.

Thanks to long-time Slashdot reader waspleg for sharing the news.
Privacy

MOVEit Hackers Accessed Health Data of 'At Least' 8 Million Individuals (techcrunch.com) 12

An anonymous reader quotes a report from TechCrunch: U.S. government services contracting giant Maximus has confirmed that hackers exploiting a vulnerability in MOVEit Transfer accessed the protected health information of as many as 11 million individuals. Virginia-based Maximus contracts with federal, state and local governments to manage and administer government-sponsored programs, such as Medicaid, Medicare, healthcare reform and welfare-to-work. In an 8-K filing on Wednesday, Maximus confirmed that the personal information of a "significant number" of individuals was accessed by hackers exploiting a zero-day vulnerability in MOVEit Transfer, which the organization uses to "share data with government customers pertaining to individuals who participate in various government programs."

While Maximus hasn't yet been able to confirm the exact number of individuals impacted -- something the company expects to take "several more weeks" -- the organization said it believes hackers accessed the personal data, including Social Security numbers and protected health information, of "at least" 8 to 11 million individuals. If the latter, this would make the breach the largest breach of healthcare data this year -- and the most significant data breach reported as a result of the MOVEit mass-hacks. Maximus has not confirmed which specific types of health data were accessed and has not responded to TechCrunch's questions. In its 8-K filing, the company said it began notifying impacted customers and federal and state regulators, adding that it expects the security incident to cost approximately $15 million to investigate and remediate. Clop, the Russia-linked data extortion group responsible for the MOVEit mass-hacks, claims to have stolen 169 gigabytes of data from Maximus, which it has not yet published.
The report notes that "more than 500 organizations have so far been impacted by the MOVEit mass-hacks, exposing the personal information of more than 34.5 million people."
Apple

Apple Cracking Down on 'Fingerprinting' With New App Store API Rules (engadget.com) 36

Apple will soon start cracking down on apps that collect data on users' devices in order to track them (aka "fingerprinting"), according to an article on its developer site. Engadget writes: Starting with the release of iOS 17, tvOS 17, watchOS 10 and macOS Sonoma, developers will be required to explain why they're using so-called required reason APIs. Apps failing to provide a valid reason will be rejected starting in spring of 2024. "Some APIs... have the potential of being misused to access device signals to try to identify the device or user, also known as fingerprinting. Regardless of whether a user gives your app permission to track, fingerprinting is not allowed," Apple wrote.

"To prevent the misuse of certain APIs that can be used to collect data about users' devices through fingerprinting, you'll need to declare the reasons for using these APIs in your app's privacy manifest." The new rules could increase the rate of app rejections, some developers told 9to5Mac. For instance, an API called UserDefaults falls into the "required reason" category, but since it stores user preferences, it's used by a lot of apps.

Security

Kenya Reports Cyber Attacks Causing Government System Outages (semafor.com) 11

Cyber attackers targeted a digital platform used by Kenya's government to deliver services, the country's technology minister said, highlighting the vulnerabilities of the system. From a report: The attack on the e-Citizen platform in recent days caused system outages that left users unable to access a broad range of government services, ranging from passport applications to electricity payments. Some private companies were also affected.

It was "an unsuccessful attempt to overload the system through extraordinary requests, with the intention of clogging it," said Eliud Owalo, cabinet secretary for information technology, in a statement on Thursday. He said technical teams had blocked the source of the requests, adding that privacy and the security of data had not been compromised.

Businesses

SEC Now Requires Companies To Disclose Cyberattacks In 4 Days (bleepingcomputer.com) 17

The U.S. Securities and Exchange Commission (SEC) has implemented new rules requiring publicly traded companies to disclose any cyberattacks considered material incidents within four business days of discovery. BleepingComputer reports: According to the Wall Street watchdog, material incidents are those that a public company's shareholders would consider important "in making an investment decision." The SEC also adopted new regulations mandating foreign private issuers to provide equivalent disclosures following cybersecurity breaches. Listed companies must now include details about the cyberattack (including the incident's nature, scope, and timing) in periodic report filings, specifically on 8-K forms.

These new cybersecurity incident reporting rules are set to take effect in December or 30 days after being published in the Federal Register. However, smaller companies will be granted an additional 180 days before they are required to provide Form 8-K disclosures. In some instances, the disclosure timeline may also be postponed if the U.S. Attorney General determines that an immediate disclosure would pose a significant risk to national security or public safety.
"Whether a company loses a factory in a fire -- or millions of files in a cybersecurity incident -- it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors," said SEC Chair Gary Gensler today.

"I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them."
Security

Hackers Are Infecting Call of Duty Players With a Self-spreading Malware (techcrunch.com) 36

Hackers are infecting players of an old Call of Duty game with a worm that spreads automatically in online lobbies, according to two analyses of the malware. From a report: On June 26, a user on a Steam forum alerted other players of Call of Duty: Modern Warfare 2 that hackers "attack using hacked lobbies," and suggested running an antivirus. The malware mentioned in the thread appears to be on the malware online repository VirusTotal. Another player claimed to have analyzed the malware and wrote in the same forum thread that the malware appears to be a worm, based on a series of text strings inside the malware. A game industry insider, who asked to remain anonymous because they were not allowed to speak to the press, confirmed that the malware contains those strings, indicating a worm.
The Internet

The Arc Browser is Now Available for All iOS and Mac Users (theverge.com) 29

Following two years of testing, The Browser Company's Arc is graduating from its waitlist phase, launching its version 1.0. Arc, the Mac and iOS browser, aims to redefine online interaction by incorporating tools for note-taking, collaboration, webpage personalisation, among others. The Verge adds: We've covered Arc a lot in recent months, both because it's a good browser and because it's a big new idea about how you use the internet. The Browser Company's ultimate plan is to build "the operating system for the internet." Arc isn't just a place to see webpages; it has tools for taking notes, making visual and collaborative easels with others, redesigning webpages to your liking, and more. (Personally, I love Arc's picture-in-picture mode above everything else, especially now that it works with Google Meet calls.) Arc 1.0 doesn't seem to come with any splashy new features. Rather, The Browser Company seems to just feel like it's ready to launch more widely. Arc has been pretty stable for me in recent months, though it does run into some of the same performance issues you'll find with any browser based on the Chromium engine -- you can always open a couple dozen tabs and watch your computer grind to a halt.
