Patents

Cloudflare Defeats Patent Troll (cloudflare.com) 63

Cloudflare has emerged victorious in a patent infringement lawsuit against Sable Networks, securing a $225,000 settlement and forcing the patent holder to dedicate its entire portfolio to the public domain. The case, which began in March 2021 with Sable asserting nearly 100 claims across four patents, concluded after a Texas jury found Cloudflare not guilty of infringement in February 2024.

Sable, described by Cloudflare as a "patent troll," had previously sued several tech companies, including Cisco and Juniper Networks, who settled out of court. Cloudflare's aggressive defense strategy included launching Project Jengo, a crowd-sourced initiative to invalidate Sable's patents. The settlement prevents Sable from asserting these patents against any other company in the future, marking a significant blow to patent trolling practices in the tech industry. In a blog post, Cloudflare adds: While this $225,000 can't fully compensate us for the time, energy and frustration of having to deal with this litigation for nearly three years, it does help to even the score a bit. And we hope that it sends an important message to patent trolls everywhere to beware before taking on Cloudflare.
AI

A Single Cloud Compromise Can Feed an Army of AI Sex Bots (krebsonsecurity.com) 28

An anonymous reader quotes a report from KrebsOnSecurity: Organizations that get relieved of credentials to their cloud environments can quickly find themselves part of a disturbing new trend: Cybercriminals using stolen cloud credentials to operate and resell sexualized AI-powered chat services. Researchers say these illicit chat bots, which use custom jailbreaks to bypass content filtering, often veer into darker role-playing scenarios, including child sexual exploitation and rape. Researchers at security firm Permiso Security say attacks against generative artificial intelligence (AI) infrastructure like Bedrock from Amazon Web Services (AWS) have increased markedly over the last six months, particularly when someone in the organization accidentally exposes their cloud credentials or key online, such as in a code repository like GitHub.

Investigating the abuse of AWS accounts for several organizations, Permiso found attackers had seized on stolen AWS credentials to interact with the large language models (LLMs) available on Bedrock. But they also soon discovered none of these AWS users had enabled logging (it is off by default), and thus they lacked any visibility into what attackers were doing with that access. So Permiso researchers decided to leak their own test AWS key on GitHub, while turning on logging so that they could see exactly what an attacker might ask for, and what the responses might be. Within minutes, their bait key was scooped up and used in a service that offers AI-powered sex chats online.

"After reviewing the prompts and responses it became clear that the attacker was hosting an AI roleplaying service that leverages common jailbreak techniques to get the models to accept and respond with content that would normally be blocked," Permiso researchers wrote in a report released today. "Almost all of the roleplaying was of a sexual nature, with some of the content straying into darker topics such as child sexual abuse," they continued. "Over the course of two days we saw over 75,000 successful model invocations, almost all of a sexual nature."

Security

Even Password Manager Subscribers Reuse Passwords, Study Finds (pcmag.com) 61

An anonymous reader shares a report: It's not exactly breaking news that people reuse passwords, but you might expect password manager subscribers to avoid the practice. You'd be wrong, according to a new study. Dashlane's downer of a report draws on saved logins analyzed on-device by Dashlane's software across "millions" of individual and business accounts. It finds dismally high percentages of password reuse worldwide. The US and Canada rank the worst of every region Dashlane tracked, with 48% of passwords in individual password vaults being reused. Another 15% rate as compromised, meaning those passwords have shown up in data breaches.

Combined with other security data points, the US and Canada land at a security score of 72.6 out of 100 in Dashlane's report, the lowest of all 14 regions covered in the study. The report, along with the Password Health score that Dashlane's software computes for individual users, emphasizes the longstanding problem of password reuse because that practice leaves its practitioners so vulnerable to getting hacked.

Security

Attackers Exploit Critical Zimbra Vulnerability Using CC'd Email Addresses (arstechnica.com) 6

An anonymous reader quotes a report from Ars Technica: Attackers are actively exploiting a critical vulnerability in mail servers sold by Zimbra in an attempt to remotely execute malicious commands that install a backdoor, researchers warn. The vulnerability, tracked as CVE-2024-45519, resides in the Zimbra email and collaboration server used by medium and large organizations. When an admin manually changes default settings to enable the postjournal service, attackers can execute commands by sending maliciously formed emails to an address hosted on the server. Zimbra recently patched the vulnerability. All Zimbra users should install it or, at a minimum, ensure that postjournal is disabled.

On Tuesday, security researcher Ivan Kwiatkowski first reported the in-the-wild attacks, which he described as "mass exploitation." He said the malicious emails were sent by the IP address 79.124.49[.]86 and, when successful, attempted to run a file hosted there using the tool known as curl. Researchers from security firm Proofpoint took to social media later that day to confirm the report. On Wednesday, security researchers provided additional details that suggested the damage from ongoing exploitation was likely to be contained. As already noted, they said, a default setting must be changed, likely lowering the number of servers that are vulnerable. [...]

Proofpoint has explained that some of the malicious emails used multiple email addresses that, when pasted into the CC field, attempted to install a webshell-based backdoor on vulnerable Zimbra servers. The full cc list was wrapped as a single string and encoded using the base64 algorithm. When combined and converted back into plaintext, they created a webshell at the path: /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp. Proofpoint went on to say: "Once installed, the webshell listens for inbound connection with a pre-determined JSESSIONID Cookie field; if present, the webshell will then parse the JACTION cookie for base64 commands. The webshell has support for command execution via exec or download and execute a file over a socket connection."

Iphone

The Feds Still Can't Get Into Eric Adams' Phone (theverge.com) 112

The Verge's Gaby Del Valle reports: New York City Mayor Eric Adams, who was indicted last week on charges including fraud, bribery, and soliciting donations from foreign nationals, told federal investigators he forgot his phone password before handing it over, according to charging documents. That was almost a year ago, and investigators still can't get into the phone, prosecutors said Wednesday.

During a federal court hearing, prosecutor Hagan Scotten said the FBI's inability to get into Adams' phone is a "significant wild card," according to a report from the New York Post. The FBI issued a search warrant for Adams' devices in November 2023. Adams initially handed over two phones but didn't have his personal device on him. The indictment does not mention what type of device Adams uses. When Adams turned in his personal cellphone the following day, charging documents say, he said he had changed the password a day prior -- after learning about the investigation -- and couldn't remember it. Adams told investigators he changed the password "to prevent members of his staff from inadvertently or intentionally deleting the contents of his phone," the indictment alleges.
The FBI just needs the right tools. When investigators failed to break into the Trump rally shooter's phone in July, they sent the device to the FBI lab in Quantico, Virginia, where agents used an unreleased tool from the Israeli company Cellebrite to crack it in less than an hour.
Windows

Microsoft Paint is Getting Photoshop-like Generative AI Fill and Erase Features (theverge.com) 26

Microsoft is bringing some new AI-powered Paint and Photos features to Copilot Plus PCs that could make creatives less reliant on more powerful image editing software. From a report: Generative Fill and Generative Erase -- which appear to be heavily inspired by similar AI tools in Adobe Photoshop -- are being introduced to Paint, allowing users to precisely add or remove objects in their images.

Both tools utilize a size-adjustable brush to "paint" over specific areas of an image to edit. Generative Erase will remove unwanted figures, objects like background clutter, and other distractions, similar to the Magic Eraser feature on Google's Pixel phones. Generative Fill allows Paint users to add new AI-generated assets to an image using a text description and select precisely where they should be placed -- much like the Photoshop tool that shares the same name. These build on the Cocreator tool for Paint announced for Copilot Plus PCs earlier this year that can generate images using a combination of text prompts and reference sketches. The company says the diffusion-based model powering these features has been updated to improve output quality and speed and now includes "built-in moderation" to help prevent it from being abused.

Microsoft

Microsoft Copilot Can Now Read Your Screen, Think Deeply, and Speak Aloud To You (techcrunch.com) 99

Microsoft has unveiled new features for its Copilot AI assistant, including screen analysis and voice interaction capabilities. Copilot Vision, available to Copilot Pro subscribers, can analyze web content in Microsoft Edge and answer queries about on-screen information. The company said processed data is immediately deleted and not used for model training.

A new Think Deeper function aims to tackle complex problems using advanced reasoning models. Copilot Voice introduces synthetic speech output and voice input in select English-speaking countries. Microsoft also announced personalization features, leveraging user history to tailor Copilot recommendations. This functionality will be limited initially, with the company evaluating options for European Economic Area users due to regulatory considerations.
Security

Russian Ransomware Hackers Worked With Kremlin Spies, UK Says (bloomberg.com) 63

A Russian criminal gang secretly conducted cyberattacks and espionage operations against NATO allies on the orders of the Kremlin's intelligence services, according to the UK's National Crime Agency. From a report: Evil Corp., which includes a man who gained notoriety for driving a Lamborghini luxury sports car, launched the hacks prior to 2019, the NCA said in a statement on Tuesday. The gang has been accused of using malicious software to extort millions of dollars from hundreds of banks and financial institutions in more than 40 countries. In December 2019, the US government sanctioned Evil Corp. and accused its alleged leader, Maksim Yakubets, of providing "direct assistance" to the Russian state, including by "acquiring confidential documents." The NCA's statement on Tuesday provides new detail on the work Yakubets and other members allegedly carried out to aid the Kremlin's geopolitical aims. The exact nature of the hacks against the North Atlantic Treaty Organization allies wasn't immediately clear.
IT

Sonos Unveils Overhaul Plan After App Debacle (theverge.com) 30

Sonos CEO Patrick Spence has unveiled a plan to address the fallout from the company's botched app release in May 2024. The audio equipment maker aims to overhaul its software development practices and rebuild customer trust after the controversial update sparked widespread criticism, The Verge reports.

The company will extend warranties by one year for select products and implement more rigorous testing processes, including an expanded beta program. Sonos has also pledged to introduce major app changes gradually and create an opt-in system for experimental features.

To improve internal accountability, Sonos will appoint a "quality ombudsperson" to escalate concerns and report to leadership. The firm also plans to establish a customer advisory board for pre-launch feedback. Executive bonuses will be tied to app quality improvements and regaining customer confidence.
Verizon

Verizon Cellphone Users Report Outages Across the US 60

Thousands of Verizon users across the United States reported having little or no cellphone service on Monday morning in major cities, including in Atlanta, Chicago, Denver, New York and Phoenix. From a report: According to the website Downdetector, which tracks user reports of internet disruptions, more than 104,000 cases of Verizon outages were reported across the country as of 11:20 a.m. Eastern, more than an hour after the first issues were reported.

A map posted on the site showed cities with the most reports. On the site, many users said their cellphones were intermittently displaying SOS mode and that they could not place calls or send or receive text messages. "We're aware of the issue affecting service for some customers," a spokesman for Verizon, Ilya Hemlin, said in a telephone interview at 11:30 a.m. "Our engineers are engaged and we are working quickly to solve the issue," he added.
AMD

AMD Improves Zen 5 CPU Latency and Performance With BIOS Updates 21

AMD has released BIOS updates to boost performance and reduce latency for its Ryzen 9600X and 9700X processors. The updates come a month after disappointing Zen 5 desktop CPU reviews and coincide with Windows 11 optimizations for AMD chips. The new AGESA PI 1.2.0.2 firmware addresses high core-to-core latency issues and introduces a 105-watt cTDP option, promising up to 10% performance gains for multithreaded workloads.
IT

67% of American Tech Workers Interested In Joining a Union (visualcapitalist.com) 218

Long-time Slashdot reader AsylumWraith writes: Visual Capitalist has posted an article and graph showing that, on average, 67% of US tech workers would be interested in joining a union.

The percentage is highest at companies like Intuit, with 94% of respondents indicating they'd be interested in joining a union. On the other end of the scale, fewer than half of the employees at Apple, Tesla, and Google who were surveyed were interested in such a move.

IT

Gen Z Grads Are Being Fired Months After Being Hired (fortune.com) 363

"After complaining that Gen Z grads are difficult to work with for the best part of two years, bosses are no longer all talk, no action — now they're rapidly firing young workers who aren't up to scratch just months after hiring them," writes Fortune.

"According to a new report, six in 10 employers say they have already sacked some of the Gen Z workers they hired fresh out of college earlier this year." Intelligent.com, a platform dedicated to helping young professionals navigate the future of work, surveyed nearly 1,000 U.S. leaders... After experiencing a raft of problems with young new hires, one in six bosses say they're hesitant to hire college grads again. Meanwhile, one in seven bosses have admitted that they may avoid hiring them altogether next year. Three-quarters of the companies surveyed said some or all of their recent graduate hires were unsatisfactory in some way...

Employers' gripe with young people today is their lack of motivation or initiative — 50% of the leaders surveyed cited that as the reason why things didn't work out with their new hire. Bosses also pointed to Gen Z being unprofessional, unorganized and having poor communication skills as their top reasons for having to sack grads. Leaders say they have struggled with the latest generation's tangible challenges, including being late to work and meetings often, not wearing office-appropriate clothing, and using language appropriate for the workspace.

Now, more than half of hiring managers have come to the conclusion that college grads are unprepared for the world of work. Meanwhile, over 20% say they can't handle the workload.

Thanks to long-time Slashdot reader smooth wombat for sharing the article.
Privacy

Meta Fined $102 Million For Storing 600 Million Passwords In Plain Text (appleinsider.com) 28

Meta has been fined $101.5 million by the Irish Data Protection Commission (DPC) for storing over half a billion user passwords in plain text for years, with some engineers having access to this data for over a decade. The issue, discovered in 2019, predominantly affected non-US users, especially those using Facebook Lite. AppleInsider reports: Meta Ireland was found guilty of infringing four parts of GDPR, including how it "failed to notify the DPC of a personal data breach concerning storage of user passwords in plain text." Meta Ireland did report the failure, but only some months after it was discovered. "It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," said Graham Doyle, Deputy Commissioner at the DPC, in a statement about the fine. "It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."

Other than the fine and an official reprimand, the full extent of the DPC's ruling is yet to be released publicly. The details published so far do not reveal whether the passwords included any of US users as well as ones in Ireland or across the rest of the European Union. It's most likely that the issue concerns only non-US users, however. That's because in 2019, Facebook told CNN that the majority of the plain text passwords were for a service called Facebook Lite, which it described as being a cut-down service for areas of the world with slower connectivity.

Security

Flaw In Kia's Web Portal Let Researchers Track, Hack Cars (arstechnica.com) 16

SpzToid shares a report: Today, a group of independent security researchers revealed that they'd found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the Internet-connected features of most modern Kia vehicles -- dozens of models representing millions of cars on the road -- from the smartphone of a car's owner to the hackers' own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any Internet-connected Kia vehicle's license plate and within seconds gain the ability to track that car's location, unlock the car, honk its horn, or start its ignition at will.

After the researchers alerted Kia to the problem in June, Kia appears to have fixed the vulnerability in its web portal, though it told WIRED at the time that it was still investigating the group's findings and hasn't responded to WIRED's emails since then. But Kia's patch is far from the end of the car industry's web-based security problems, the researchers say. The web bug they used to hack Kias is, in fact, the second of its kind that they've reported to the Hyundai-owned company; they found a similar technique for hijacking Kias' digital systems last year. And those bugs are just two among a slew of similar web-based vulnerabilities they've discovered within the last two years that have affected cars sold by Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and more.

Government

White House Agonizes Over UN Cybercrime Treaty (politico.com) 43

The United Nations is set to vote on a treaty later this year intended to create norms for fighting cybercrime -- and the Biden administration is fretting over whether to sign on. Politico: The uncertainty over the treaty stems from fears that countries including Russia, Iran and China could use the text as a guise for U.N. approval of their widespread surveillance measures and suppression of the digital rights of their citizens. If the United States chooses not to vote in favor of the treaty, it could become easier for these adversarial nations -- named by the Cybersecurity and Infrastructure Security Agency as the biggest state sponsors of cybercrime -- to take the lead on cyber issues in the future. And if the U.S. walks away from the negotiating table now, it could upset other nations that spent several years trying to nail down the global treaty with competing interests in mind.

While the treaty is not set for a vote during the U.N. General Assembly this week, it's a key topic of debate on the sidelines, following meetings in New York City last week, and committee meetings set for next month once the world's leaders depart. The treaty was troubled from its inception. A cybercrime convention was originally proposed by Russia, and the U.N. voted in late 2019 to start the process to draft it -- overruling objections by the U.S. and other Western nations. Those countries were worried Russia would use the agreement as an alternative to the Budapest Convention -- an existing accord on cybercrime administered by the Council of Europe, which Russia, China and Iran have not joined.

Microsoft

Controversial Windows Recall AI Search Tool Returns (securityweek.com) 68

wiredmikey writes: Three months after pulling previews of the controversial Windows Recall feature due to public backlash, Microsoft says it has completely overhauled the security architecture with proof-of-presence encryption, anti-tampering and DLP checks, and screenshot data managed in secure enclaves outside the main operating system.

In an interview with SecurityWeek, Microsoft vice president David Weston said the company's engineers rewrote the security model of Windows Recall to reduce attack surface on Copilot+ PCs and minimize the risk of malware attackers targeting the screenshot data store.

Businesses

Dozens of Fortune 100 Companies Have Unwittingly Hired North Korean IT Workers (therecord.media) 29

"Dozens of Fortune 100 organizations" have unknowingly hired North Korean IT workers using fake identities, generating revenue for the North Korean government while potentially compromising tech firms, according to Google's Mandiant unit. "In a report published Monday [...], researchers describe a common scheme orchestrated by the group it tracks as UNC5267, which has been active since 2018," reports The Record. "In most cases, the IT workers 'consist of individuals sent by the North Korean government to live primarily in China and Russia, with smaller numbers in Africa and Southeast Asia.'" From the report: The remote workers "often gain elevated access to modify code and administer network systems," Mandiant found, warning of the downstream effects of allowing malicious actors into a company's inner sanctum. [...] Using stolen identities or fictitious ones, the actors are generally hired as remote contractors. Mandiant has seen the workers hired in a variety of complex roles across several sectors. Some workers are employed at multiple companies, bringing in several salaries each month. The tactic is facilitated by someone based in the U.S. who runs a laptop farm where workers' laptops are sent. Remote technology is installed on the laptops, allowing the North Koreans to log in and conduct their work from China or Russia.

Workers typically asked for their work laptops to be sent to different addresses than those listed on their resumes, raising the suspicions of companies. Mandiant said it found evidence that the laptops at these farms are connected to a "keyboard video mouse" device or multiple remote management tools including LogMeIn, GoToMeeting, Chrome Remote Desktop, AnyDesk, TeamViewer and others. "Feedback from team members and managers who spoke with Mandiant during investigations consistently highlighted behavior patterns, such as reluctance to engage in video communication and below-average work quality exhibited by the DPRK IT worker remotely operating the laptops," Mandiant reported.

In several incident response engagements, Mandiant found the workers used the same resumes that had links to fabricated software engineer profiles hosted on Netlify, a platform often used for quickly creating and deploying websites. Many of the resumes and profiles included poor English and other clues indicating the actor was not based in the U.S. One characteristic repeatedly seen was the use of U.S.-based addresses accompanied by education credentials from universities outside of North America, frequently in countries such as Singapore, Japan or Hong Kong. Companies, according to Mandiant, typically don't verify credentials from universities overseas.
Further reading: How Not To Hire a North Korean IT Spy
Security

Kaspersky Defends Stealth Swap of Antivirus Software on US Computers (techcrunch.com) 29

Cybersecurity firm Kaspersky has defended its decision to automatically replace its antivirus software on U.S. customers' computers with UltraAV, a product from American company Pango, without explicit user consent. The forced switch, affecting nearly one million users, occurred as a result of a U.S. government ban on Kaspersky software.

Kaspersky spokesperson Francesco Tius told TechCrunch that the company informed eligible U.S. customers via email about the migration, which began in early September. Windows users experienced an automatic transition to ensure continuous protection, while Mac and mobile users were instructed to manually install UltraAV. Some customers expressed alarm at the unannounced software swap. Kaspersky blamed missed notifications on unregistered email addresses, directing users to in-app messages and an online FAQ. The abrupt change raises concerns about user autonomy and privacy in software updates, particularly as UltraAV lacks an established security track record.
Iphone

iPhone's 80% Charge Cap Barely Boosts Battery Life, Year-Long Test Reveals (macrumors.com) 79

A year-long test of Apple's 80% charge limit feature on the iPhone 15 Pro Max has revealed only marginal benefits to battery health. MacRumors editor Juli Clover reported her device maintained 94% battery capacity after 299 charge cycles, compared to 87-90% capacity for iPhones without the limit. The opt-in setting, introduced with iPhone 15 models, aims to extend battery longevity by restricting maximum charge.

Clover adhered strictly to the 80% limit for 12 months, noting occasional inconveniences like depleted batteries during long days. While the test showed slightly better battery health retention, Clover questioned whether the trade-off in daily usability was worthwhile. She adds: I don't have a lot of data points for comparison, but it does seem that limiting the charge to 80 percent kept my maximum battery capacity higher than what my co-workers are seeing, but there isn't a major difference. I have four percent more battery at 28 more cycles, and I'm not sure suffering through an 80 percent battery limit for 12 months was ultimately worth it. It's possible that the real gains from an 80 percent limit will come in two or three years rather than a single year, and I'll keep it limited to 80 percent to see the longer term impact.
