Apple has moved the power button on its new M4 Mac mini to an awkward spot underneath the device, requiring users to lift or tip the computer to turn it on. The button now sits near the left rear corner, raised slightly by cooling vents, instead of its previous accessible position on the back panel. The change, absent from Apple's marketing materials, complicates basic operations like power-cycling the machine - especially with cables attached.

Further reading: Apple's New Mouse Retains Flawed Charging Design.

French newspaper Le Monde found that the fitness app Strava can easily track confidential movements of foreign leaders, including U.S. President Joe Biden, and presidential rivals Donald Trump and Kamala Harris. The Independent reports: Le Monde found that some U.S. Secret Service agents use the Strava fitness app, including in recent weeks after two assassination attempts on Trump, in a video investigation released in French and in English. Strava is a fitness tracking app primarily used by runners and cyclists to record their activities and share their workouts with a community. Le Monde also found Strava users among the security staff for French President Emmanuel Macron and Russian President Vladimir Putin. In one example, Le Monde traced the Strava movements of Macron's bodyguards to determine that the French leader spent a weekend in the Normandy seaside resort of Honfleur in 2021. The trip was meant to be private and wasn't listed on the president's official agenda.

Le Monde said the whereabouts of Melania Trump and Jill Biden could also be pinpointed by tracking their bodyguards' Strava profiles. In a statement to Le Monde, the U.S. Secret Service said its staff aren't allowed to use personal electronic devices while on duty during protective assignments but "we do not prohibit an employee's personal use of social media off-duty." "Affected personnel has been notified," it said. "We will review this information to determine if any additional training or guidance is required." "We do not assess that there were any impacts to protective operations or threats to any protectees," it added. Locations "are regularly disclosed as part of public schedule releases."

In another example, Le Monde reported that a U.S. Secret Service agent's Strava profile revealed the location of a hotel where Biden subsequently stayed in San Francisco for high-stakes talks with Chinese President Xi Jinping in 2023. A few hours before Biden's arrival, the agent went jogging from the hotel, using Strava which traced his route, the newspaper found. The newspaper's journalists say they identified 26 U.S. agents, 12 members of the French GSPR, the Security Group of the Presidency of the Republic, and six members of the Russian FSO, or Federal Protection Service, all of them in charge of presidential security, who had public accounts on Strava and were therefore communicating their movements online, including during professional trips. Le Monde did not identify the bodyguards by name for security reasons.

Apple has maintained the controversial bottom-charging design in its new $79-$99 USB-C Magic Mouse, released alongside the new iMac Tuesday, despite years of customer criticism. The port location, unchanged since 2015, renders the mouse unusable while charging.

Banks and regulators are warning that QR code phishing scams -- also known as "quishing" -- are slipping through corporate cyber defences and increasingly tricking customers into giving up their financial details. From a report: Lenders including Santander, HSBC, and TSB have joined the UK National Cyber Security Centre and US Federal Trade Commission among others to raise concerns about a rise in fraudulent QR codes being deployed for sophisticated fraud campaigns.

The new type of email scam often involves criminals sending QR codes in attached PDFs. Experts said the strategy is effective because the messages frequently get through corporate cyber security filters -- software that typically flags malicious website links, but often does not scan images within attachments. "The appeal for criminals is that it's bypassing all of the [cyber security] training and it's also bypassing our products," said Chester Wisniewski, a senior adviser at security software company Sophos.

When it comes to introducing liability for software products, "the EU and U.S. are taking very different approaches," according to Lawfare's cybersecurity newsletter. "While the U.S. kicks the can down the road, the EU is rolling a hand grenade down it to see what happens." Under the status quo, the software industry is extensively protected from liability for defects or issues, and this results in systemic underinvestment in product security. Authorities believe that by making software companies liable for damages when they peddle crapware, those companies will be motivated to improve product security... [T]he EU has chosen to set very stringent standards for product liability, apply them to people rather than companies, and let lawyers sort it all out.

Earlier this month, the EU Council issued a directive updating the EU's product liability law to treat software in the same way as any other product. Under this law, consumers can claim compensation for damages caused by defective products without having to prove the vendor was negligent or irresponsible. In addition to personal injury or property damages, for software products, damages may be awarded for the loss or destruction of data. Rather than define a minimum software development standard, the directive sets what we regard as the highest possible bar. Software makers can avoid liability if they prove a defect was not discoverable given the "objective state of scientific and technical knowledge" at the time the product was put on the market.

Although the directive is severe on software makers, its scope is narrow. It applies only to people (not companies), and damages for professional use are explicitly excluded. There is still scope for collective claims such as class actions, however. The directive isn't law itself but sets the legislative direction for EU member states, and they have two years to implement its provisions. The directive commits the European Commission to publicly collating court judgements based on the directive, so it will be easy to see how cases are proceeding.

Major software vendors used by the world's most important enterprises and governments are publishing comically vulnerable code without fear of any blowback whatsoever. So yes, the status quo needs change. Whether it needs a hand grenade lobbed at it is an open question. We'll have our answer soon.

"Friction between bosses and their employees over the terms of their return shows no signs of abating," reports the Los Angeles Times. But there's one big loophole... About 80% of organizations have put in place return-to-office policies, but in a sign that many managers are reluctant to clamp down on the flexibility employees have become accustomed to, only 17% of those organizations actively enforce their policies, according to recent research by real estate brokerage CBRE. "Some organizations out there have 'mandated' something, but if most of your organization is not following that mandate, then there is not too much you can do to enforce it," said Julie Whelan, head of research into workplace trends for CBRE...

The tension "is due to the fact that we have changed since we all went to our separate corners and then came back" from pandemic-imposed office exile, said Elizabeth Brink, a workplace expert at architecture firm Gensler. "It's fair to say that we have different needs now." A disconnect persists between employer expectations for office attendance and employee behavior, CBRE found. Sixty percent of leaders surveyed said they want their employees in the office three or more days a week, while only 51% reported that employees work in the office at that frequency. Conversely, 37% of employees show up one or two days a week, yet only 17% of employers are satisfied with that attendance.
In the article, one worker complains about their employer's two-days-a-week of mandated in-office time. "I feel like I'm back in grade school and being forced to sit down and do my homework."

The article also notes some employers are also considering changes in the other direction: "calculating whether to shed office space to cut down on rent, typically the largest cost of operating a business after payroll."

SC World reports: Several major end-to-end encrypted cloud storage services contain cryptographic flaws that could lead to loss of confidentiality, file tampering, file injection and more, researchers from ETH Zurich said in a paper published this month.

The five cloud services studied offer end-to-end encryption (E2EE), intended to ensure files can not be read or edited by anyone other than the uploader, meaning not even the cloud storage provider can access the files. However, ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong, who presented their findings at the ACM Conference on Computer and Communications Security (CCS) last week, found serious flaws in four out of the five services that could effectively bypass the security benefits provided by E2EE by enabling an attacker who managed to compromise a cloud server to access, tamper with or inject files.

The E2EE cloud storage services studied were Sync, pCloud, Seafile, Icedrive and Tresorit, which have a collective total of about 22 million users. Tresorit had the fewest vulnerabilities, which could enable some metadata tampering and use of non-authentic keys when sharing files. The other four services were found to have more severe flaws posing a greater risk to file confidentiality and integrity.
BleepingComputer reports that Sync is "fast-tracking fixes," while Seafile "promised to patch the protocol downgrade problem on a future upgrade." And SC World does note that all 10 of the tested exploits "would require the attacker to have already gained control of a server with the ability to read, modify and inject data.

"The authors wrote that they consider this to be a realistic threat model for E2EE services, as these services are meant to protect files even if such a compromise was to occur."

Thanks to Slashdot reader spatwei for sharing the article.

It was originally created back in 2005 by Sun Microsystems for its proprietary Solaris Unix systems, "for troubleshooting kernel and application problems on production systems in real time," explains Wikipedia. "DTrace can be used to get a global overview of a running system, such as the amount of memory, CPU time, filesystem and network resources used by the active processes," explains its Wikipedia entry.

But this week, Gentoo announced: The real, mythical DTrace comes to Gentoo! Need to dynamically trace your kernel or userspace programs, with rainbows, ponies, and unicorns — and all entirely safely and in production?! Gentoo is now ready for that!

Just emerge dev-debug/dtrace and you're all set. All required kernel options are already enabled in the newest stable Gentoo distribution kernel...

Documentation? Sure, there's lots of it. You can start with our DTrace wiki page, the DTrace for Linux page on GitHub, or the original documentation for Illumos. Enjoy!
Thanks to Heraklit (Slashdot reader #29,346) for sharing the news.

An anonymous reader quotes a report from TechCrunch: Ahead of the debut of Apple's private AI cloud next week, dubbed Private Cloud Compute, the technology giant says it will pay security researchers up to $1 million to find vulnerabilities that can compromise the security of its private AI cloud. In a post on Apple's security blog, the company said it would pay up to the maximum $1 million bounty to anyone who reports exploits capable of remotely running malicious code on its Private Cloud Compute servers. Apple said it would also award researchers up to $250,000 for privately reporting exploits capable of extracting users' sensitive information or the prompts that customers submit to the company's private cloud.

Apple said it would "consider any security issue that has a significant impact" outside of a published category, including up to $150,000 for exploits capable of accessing sensitive user information from a privileged network position. "We award maximum amounts for vulnerabilities that compromise user data and inference request data outside the [private cloud compute] trust boundary," Apple said. You can learn more about Apple's Private Cloud Computer service in their blog post. Its source code and documentation is available here.

UnitedHealth Group said a ransomware attack in February resulted in more than 100 million individuals having their private health information stolen. The U.S. Department of Health and Human Services first reported the figure on Thursday. TechCrunch reports: The ransomware attack and data breach at Change Healthcare stands as the largest known digital theft of U.S. medical records, and one of the biggest data breaches in living history. The ramifications for the millions of Americans whose private medical information was irretrievably stolen are likely to be life lasting. UHG began notifying affected individuals in late July, which continued through October. The stolen data varies by individual, but Change previously confirmed that it includes personal information, such as names and addresses, dates of birth, phone numbers and email addresses, and government identity documents, including Social Security numbers, driver's license numbers, and passport numbers. The stolen health data includes diagnoses, medications, test results, imaging and care and treatment plans, and health insurance information -- as well as financial and banking information found in claims and payment data taken by the criminals.

The cyberattack became public on February 21 when Change Healthcare pulled much of its network offline to contain the intruders, causing immediate outages across the U.S. healthcare sector that relied on Change for handling patient insurance and billing. UHG attributed the cyberattack to ALPHV/BlackCat, a Russian-speaking ransomware and extortion gang, which later took credit for the cyberattack. The ransomware gang's leaders later vanished after absconding with a $22 million ransom paid by the health insurance giant, stiffing the group's contractors who carried out the hacking of Change Healthcare out of their new financial windfall. The contractors took the data they stole from Change Healthcare and formed a new group, which extorted a second ransom from UHG, while publishing a portion of the stolen files online in the process to prove their threat.

There is no evidence that the cybercriminals subsequently deleted the data. Other extortion gangs, including LockBit, have been shown to hoard stolen data, even after the victim pays and the criminals claim to have deleted the data. In paying the ransom, Change obtained a copy of the stolen dataset, allowing the company to identify and notify the affected individuals whose information was found in the data. Efforts by the U.S. government to catch the hackers behind ALPHV/BlackCat, one of the most prolific ransomware gangs today, have so far failed. The gang bounced back following a takedown operation in 2023 to seize the gang's dark web leak site. Months after the Change Healthcare breach, the U.S. State Department upped its reward for information on the whereabouts of the ALPHV/BlackCat cybercriminals to $10 million.

Google is introducing a dark mode to the web version of Google Calendar and rolling out a "refreshed user interface." From a report: The new UI will include buttons, dialog boxes, and sidebars that are "more modern and accessible" with improved typefaces. The update started rolling out this week and soon it will be available to everyone, whether they're using a personal Gmail login or any sort of paid Google Workspace account.

[...] Google says the updated calendar UI will also feature "iconography that is legible and crisp, with a fresh feel," using its "custom-designed and highly-legible typefaces" that bring it line with Google's Material Design 3 standards. The updates, including dark mode, will also apply to "the entire calendar web experience," including the task list view.

penciling_in writes: Pat Kane, Senior VP at Verisign, reports that on October 20th, ICANN and Verisign renewed the agreement under which Verisign will continue to act as Root Zone Maintainer for the Domain Name System (DNS) for another 8-year term. "The Root Zone sits atop the hierarchical architecture of the DNS and is essential to virtually all internet navigation, acting as the dynamic, cryptographically secure, global directory of all top-level domains that exist in the DNS. The Root Zone Maintainer is a unique role that ensures the cryptographic signing and publication of the Root Zone no less than once a day, without which, navigation on the internet would be impossible," the story adds.

Notion, the maker of a popular eponymous note-taking app, appears to be getting ready to launch its own email product, called Notion Mail, TechCrunch reported Thursday, citing sources. From the report: Earlier this year, Notion acquired Skiff, a privacy-focused email service and app. At the time, Skiff said that it would provide a 12-month sunset window to users so that they have enough time to migrate to a different email service. For months, users on Reddit have shared hints of Notion working on its email product.

Some folks found the development environment URL, others reportedly found the login page to the email product. At the time of writing, when TechCrunch entered mail.notion.so in a web browser, "Notion Mail" appeared briefly as the page title with a mail logo... But we were then redirected to Notion's main login page.

An anonymous reader quotes a report from SecurityWeek.com: White hat hackers taking part in the Pwn2Own Ireland 2024 contest organized by Trend Micro's Zero Day Initiative (ZDI) have earned half a million dollars on the first day of the event, for exploits targeting NAS devices, cameras, printers and smart speakers. The highest single reward, $100,000, was earned by Sina Kheirkhah of Summoning Team, who chained a total of nine vulnerabilities for an attack that went from a QNAP QHora-322 router to a TrueNAS Mini X storage device. Another exploit chain involving the QNAP QHora-322 and TrueNAS Mini X products was demonstrated by Viettel Cyber Security, but this team earned only $50,000.

A significant reward was also earned by Jack Dates of RET2 Systems, who received $60,000 for hacking a Sonos Era 300 smart speaker. QNAP TS-464 and Synology DiskStation DS1823XS+ NAS device exploits earned $40,000 each for two different teams. Participants also successfully demonstrated exploits against the Lorex 2K WiFi, Ubiquity AI Bullet, and Synology TC500 cameras, and HP Color LaserJet Pro MFP 3301fdw and Canon imageCLASS MF656Cdw printers. These attempts earned the hackers between $11,000 and $30,000. According to ZDI, a total of $516,250 was paid out on the first day of Pwn2Own Ireland for over 50 unique vulnerabilities.

The Russian Foreign Ministry says it had been targeted by a large-scale distributed denial-of-service attack (DDoS). "A massive cyberattack from abroad began this morning on the infrastructure of the official website, the Russian Foreign Ministry's portal," said spokeswoman Maria Zakharova. She noted that the ministry regularly encounters similar attacks, but today's attack was "unprecedented in scale." Reuters notes that the attack coincided with the major BRICS summit taking place in the country.

Developing...

On July 4, 2012, CERN physicist Fabiola Gianotti announced a major quantum field theory discovery using a PowerPoint presentation in Comic Sans, sparking both mockery and debate. The font, created by Vincent Connare for Microsoft Bob in 1994, featured deliberately imperfect letters inspired by comic books. Comic Sans shipped with Windows 95 and exploded in popularity as personal computing democratized typography. A backlash emerged as the font appeared on everything from funeral notices to museum signs, culminating in Dave and Holly Combs's "Ban Comic Sans" campaign.

Session, a small but increasingly popular encrypted messaging app, is moving its operations outside of Australia after the country's federal law enforcement agency visited an employee's residence and asked them questions about the app and a particular user. 404 Media reports: Now Session will be maintained by an entity in Switzerland. The move signals the increasing pressure on maintainers of encrypted messaging apps, both when it comes to governments seeking more data on app users, as well as targeting messaging app companies themselves, like the arrest of Telegram's CEO in August. "Ultimately, we were given the choice between remaining in Australia or relocating to a more privacy-friendly jurisdiction, such as Switzerland. For the project to continue, it could not be centred in Australia," Alex Linton, president of the newly formed Session Technology Foundation (STF) which will publish the Session app, told 404 Media in a statement. The app will still function in Australia, Linton added. Linton said that last year the Australian Federal Police (AFP) visited a Session employee at their home in the country. "There was no warrant used or meeting organised, they just went into their apartment complex and knocked on their front door," Linton said.

The AFP asked about the Session app and company, and the employee's history on the project, Linton added. The officers also asked about an ongoing investigation related to a specific Session user, he added. Linton showed 404 Media an email sent by Session's legal representatives to the AFP which reflected that series of events. Part of Session's frustration around the incident came from the AFP deciding to "visit an employee at home rather than arranging a meeting through our proper (publicly available) channels," Linton said.

WordPress sites are being compromised through malicious plugins that display fake software updates and error messages, leading to the installation of information-stealing malware. BleepingComputer reports: Since 2023, a malicious campaign called ClearFake has been used to display fake web browser update banners on compromised websites that distribute information-stealing malware. In 2024, a new campaign called ClickFix was introduced that shares many similarities with ClearFake but instead pretends to be software error messages with included fixes. However, these "fixes" are PowerShell scripts that, when executed, will download and install information-stealing malware.

Last week, GoDaddy reported that the ClearFake/ClickFix threat actors have breached over 6,000 WordPress sites to install malicious plugins that display the fake alerts associated with these campaigns. "The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins," explains GoDaddy security researcher Denis Sinegubko. "These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users."

The malicious plugins utilize names similar to legitimate plugins, such as Wordfense Security and LiteSpeed Cache, while others use generic, made-up names. Website security firm Sucuri also noted that a fake plugin named "Universal Popup Plugin" is also part of this campaign. When installed, the malicious plugin will hook various WordPress actions depending on the variant to inject a malicious JavaScript script into the HTML of the site. When loaded, this script will attempt to load a further malicious JavaScript file stored in a Binance Smart Chain (BSC) smart contract, which then loads the ClearFake or ClickFix script to display the fake banners. From web server access logs analyzed by Sinegubko, the threat actors appear to be utilizing stolen admin credentials to log into the WordPress site and install the plugin in an automated manner.

jd writes: Linus Torvalds is not a happy camper and is condemning hardware vendors for poor security and the plethora of actual and theoretical attacks, especially as some of the new features being added impact the workarounds. These workarounds are now getting very expensive, CPU-wise.

TFA quotes Linus Torvalds:

"Honestly, I'm pretty damn fed up with buggy hardware and completely theoretical attacks that have never actually shown themselves to be used in practice.

"So I think this time we push back on the hardware people and tell them it's *THEIR* damn problem, and if they can't even be bothered to say yay-or-nay, we just sit tight.

Because dammit, let's put the onus on where the blame lies, and not just take any random shit from bad hardware and say 'oh, but it *might* be a problem.'"

A principal security software engineer at Microsoft described how they use their Azure cloud platform "to hunt phishers at scale," in a talk at the information security conference BSides Exeter.

Calling himself Microsoft's "Head of Deception." Ross Bevington described how they'd created a "hybrid high interaction honeypot" on the now retired code.microsoft.com "to collect threat intelligence on actors ranging from both less skilled cybercriminals to nation state groups targeting Microsoft infrastructure," according to a report by BleepingComputer: With the collected data, Microsoft can map malicious infrastructure, gain a deeper understanding of sophisticated phishing operations, disrupt campaigns at scale, identify cybercriminals, and significantly slow down their activity... Bevington and his team fight phishing by leveraging deception techniques using entire Microsoft tenant environments as honeypots with custom domain names, thousands of user accounts, and activity like internal communications and file-sharing...

In his BSides Exeter presentation, the researcher says that the active approach consists in visiting active phishing sites identified by Defender and typing in the credentials from the honeypot tenants. Since the credentials are not protected by two-factor authentication and the tenants are populated with realistic-looking information, attackers have an easy way in and start wasting time looking for signs of a trap. Microsoft says it monitors roughly 25,000 phishing sites every day, feeding about 20% of them with the honeypot credentials; the rest are blocked by CAPTCHA or other anti-bot mechanisms.

Once the attackers log into the fake tenants, which happens in 5% of the cases, it turns on detailed logging to track every action they take, thus learning the threat actors' tactics, techniques, and procedures. Intelligence collected includes IP addresses, browsers, location, behavioral patterns, whether they use VPNs or VPSs, and what phishing kits they rely on... The deception technology currently wastes an attacker 30 days before they realize they breached a fake environment. All along, Microsoft collects actionable data that can be used by other security teams to create more complex profiles and better defenses.