Google

Google 'Talk To a Live Rep' Brings Pixel's Hold for Me To All Search Users (9to5google.com) 14

Google Search Labs is testing a "Talk to a Live Representative" feature where it will "help you place the call, wait on hold, and then give you a call once a live representative is available." From a report: When you search for customer service numbers, which Google recently started surfacing for Knowledge Panels, you might see a prominent "Talk to a live representative" prompt. Very simply, Google will call the support line "for you and wait on hold until a customer service representative picks up." At that time, Google will call you so you can get on with your business.

To "Request a call," you first specify a reason for why you're calling. In the case of airlines, it's: Update existing booking, Luggage issue, Canceled flight, Other issue, Flight check-in, Missed my flight, and Delayed flight. You then provide your phone number, with Google sending SMS updates. The Request page will note the estimated wait time. After submitting, you can cancel the request at any time.

Encryption

Indian Government Moves To Ban ProtonMail After Bomb Threat 25

Following a hoax bomb threat sent via ProtonMail to schools in Chennai, India, police in the state of Tamil Nadu put in a request to block the encrypted email service in the region since they have been unable to identify the sender. According to Hindustan Times, that request was granted today. From the report: The decision to block Proton Mail was taken at a meeting of the 69A blocking committee on Wednesday afternoon. Under Section 69A of the IT Act, the designated officer, on approval by the IT Secretary and at the recommendation of the 69A blocking committee, can issue orders to any intermediary or a government agency to block any content for national security, public order and allied reasons. HT could not ascertain if a blocking order will be issued to Apple and Google to block the Proton Mail app. The final order to block the website has not yet been sent to the Department of Telecommunications but the MeitY has flagged the issue with the DoT.

During the meeting, the nodal officer representing the Tamil Nadu government submitted that a bomb threat was sent to multiple schools using ProtonMail, HT has learnt. The police attempted to trace the IP address of the sender but to no avail. They also tried to seek help from the Interpol but that did not materialise either, the nodal officer said. During the meeting, HT has learnt, MeitY representatives noted that getting information from Proton Mail, on other criminal matters, not necessarily linked to Section 69A related issues, is a recurrent problem.

Although Proton Mail is end-to-end encrypted, which means the content of the emails cannot be intercepted and can only be seen by the sender and recipient if both are using Proton Mail, its privacy policy states that due to the nature of the SMTP protocol, certain email metadata -- including sender and recipient email addresses, the IP address incoming messages originated from, attachment name, message subject, and message sent and received times -- is available with the company.

"We condemn a potential block as a misguided measure that only serves to harm ordinary people. Blocking access to Proton is an ineffective and inappropriate response to the reported threats. It will not prevent cybercriminals from sending threats with another email service and will not be effective if the perpetrators are located outside of India," said ProtonMail in a statement.

"We are currently working to resolve this situation and are investigating how we can best work together with the Indian authorities to do so. We understand the urgency of the situation and are completely clear that our services are not to be used for illegal purposes. We routinely remove users who are found to be doing so and are willing to cooperate wherever possible within international cooperation agreements."

Privacy

US Military Notifies 20,000 of Data Breach After Cloud Email Leak (techcrunch.com) 11

An anonymous reader quotes a report from TechCrunch: The U.S. Department of Defense is notifying tens of thousands of individuals that their personal information was exposed in an email data spill last year. According to the breach notification letter sent out to affected individuals on February 1, the Defense Intelligence Agency -- the DOD's military intelligence agency -- said, "numerous email messages were inadvertently exposed to the Internet by a service provider," between February 3 and February 20, 2023. TechCrunch has learned that the breach disclosure letters relate to an unsecured U.S. government cloud email server that was spilling sensitive emails to the open internet. The cloud email server, hosted on Microsoft's cloud for government customers, was accessible from the internet without a password, likely due to a misconfiguration.

The DOD is sending breach notification letters to around 20,600 individuals whose information was affected. "As a matter of practice and operations security, we do not comment on the status of our networks and systems. The affected server was identified and removed from public access on February 20, 2023, and the vendor has resolved the issues that resulted in the exposure. DOD continues to engage with the service provider on improving cyber event prevention and detection. Notification to affected individuals is ongoing," said DOD spokesperson Cdr. Tim Gorman in an email to TechCrunch.

Encryption

Backdoors That Let Cops Decrypt Messages Violate Human Rights, EU Court Says (arstechnica.com) 30

An anonymous reader quotes a report from Ars Technica: The European Court of Human Rights (ECHR) has ruled that weakening end-to-end encryption disproportionately risks undermining human rights. The international court's decision could potentially disrupt the European Commission's proposed plans to require email and messaging service providers to create backdoors that would allow law enforcement to easily decrypt users' messages. This ruling came after Russia's intelligence agency, the Federal Security Service (FSS), began requiring Telegram to share users' encrypted messages to deter "terrorism-related activities" in 2017, ECHR's ruling said. [...] In the end, the ECHR concluded that the Telegram user's rights had been violated, partly due to privacy advocates and international reports that corroborated Telegram's position that complying with the FSB's disclosure order would force changes impacting all its users.

The "confidentiality of communications is an essential element of the right to respect for private life and correspondence," the ECHR's ruling said. Thus, requiring messages to be decrypted by law enforcement "cannot be regarded as necessary in a democratic society." [...] "Weakening encryption by creating backdoors would apparently make it technically possible to perform routine, general, and indiscriminate surveillance of personal electronic communications," the ECHR's ruling said. "Backdoors may also be exploited by criminal networks and would seriously compromise the security of all users' electronic communications. The Court takes note of the dangers of restricting encryption described by many experts in the field."

Martin Husovec, a law professor who helped to draft EISI's testimony, told Ars that EISI is "obviously pleased that the Court has recognized the value of encryption and agreed with us that state-imposed weakening of encryption is a form of indiscriminate surveillance because it affects everyone's privacy." [...] EISI's Husovec told Ars that ECHR's ruling is "indeed very important," because "it clearly signals to the EU legislature that weakening encryption is a huge problem and that the states must explore alternatives." If the Court of Justice of the European Union endorses this ruling, which Husovec said is likely, the consequences for the EU's legislation proposing scanning messages to stop illegal content like CSAM from spreading "could be significant," Husovec told Ars. During negotiations this spring, lawmakers may have to make "major concessions" to ensure the proposed rule isn't invalidated in light of the ECHR ruling, Husovec told Ars.

Europol and the European Union Agency for Cybersecurity (ENISA) said in a statement: "Solutions that intentionally weaken technical protection mechanisms to support law enforcement will intrinsically weaken the protection against criminals as well, which makes an easy solution impossible."

The Internet

DuckDuckGo's Browser Adds Encrypted, Privacy-Minded Syncing and Backup (arstechnica.com) 12

DuckDuckGo keeps adding new features to its browser; and while these features are common in other browsers, DuckDuckGo is giving them a privacy-minded twist. The latest is a private, end-to-end encrypted syncing service. There's no account needed, no sign-in, and the company says it never sees what you're syncing. From a report: Using QR codes and shortcodes, and a lengthy backup code you store somewhere safe, DuckDuckGo's browser can keep your bookmarks, passwords, "favorites" (i.e., new tab page shortcuts), and settings for its email protection service synced between devices and browsers. DuckDuckGo points to Google's privacy policy for using its signed-in sync service on Chrome, which uses "aggregated and anonymized synchronized browsing data to improve other Google products and services." DuckDuckGo states that the encryption key for browser sync is stored only locally on your devices and that it lacks any access to your passwords or other data.

Microsoft

Microsoft and OpenAI Say US Rivals Are Beginning To Use Generative AI in Offensive Cyber Operations (apnews.com) 15

Microsoft said Wednesday it had detected and disrupted instances of U.S. adversaries -- chiefly Iran and North Korea and to a lesser extent Russia and China -- using or attempting to exploit generative AI developed by the company and its business partner to mount or research offensive cyber operations. From a report: The techniques Microsoft observed, in collaboration with its partner OpenAI, represent an emerging threat and were neither "particularly novel or unique," the Redmond, Washington, company said in a blog post. But the blog does offer insight into how U.S. geopolitical rivals have been using large-language models to expand their ability to more effectively breach networks and conduct influence operations.

Microsoft said the "attacks" detected all involved large-language models the partners own and said it was important to expose them publicly even if they were "early-stage, incremental moves." Cybersecurity firms have long used machine-learning on defense, principally to detect anomalous behavior in networks. But criminals and offensive hackers use it as well, and the introduction of large-language models led by OpenAI's ChatGPT upped that game of cat-and-mouse.

Crime

Wi-Fi Jamming To Knock Out Cameras Suspected In Nine Minnesota Burglaries (tomshardware.com) 174

Mark Tyson reports via Tom's Hardware: A serial burglar in Edina, Minnesota is suspected of using a Wi-Fi jammer to knock out connected security cameras before stealing and making off with the victim's prized possessions. [...] Edina police suspect that nine burglaries in the last six months have been undertaken with Wi-Fi jammer(s) deployed to ensure incriminating video evidence wasn't available to investigators. The modus operandi of the thief or thieves is thought to be something like this:

- Homes in affluent areas are found
- Burglars carefully watch the homes
- The burglars avoid confrontation, so appear to wait until homes are empty
- Seizing the opportunity of an empty home, the burglars will deploy Wi-Fi jammer(s)
- "Safes, jewelry, and other high-end designer items," are usually taken

A security expert interviewed by the source publication, KARE11, explained that the jammers simply confused wireless devices rather than blocking signals. They usually work by overloading wireless traffic "so that real traffic cannot get through," the news site was told. [...] Worryingly, Wi-Fi jamming is almost a trivial activity for potential thieves in 2024. KARE11 notes that it could buy jammers online very easily and cheaply, with prices ranging from $40 to $1,000. Jammers are not legal to use in the U.S. but they are very easy to buy online.

Data Storage

Backblaze's Geriatric Hard Drives Kicked the Bucket More in 2023 (theregister.com) 51

Backblaze has published a report on hard drive failures for 2023, finding that rates increased during the year due to aging drives that it plans to upgrade. From a report: Backblaze, which focuses on cloud-based storage services, claims to have more than three exabytes of data storage under its management. As of the end of last year, the company monitored 270,222 hard drives used for data storage, some of which are excluded from the statistics because they are still being evaluated. That still left a collection of 269,756 hard drives comprised of 35 drive models. Statistics on SSDs used as boot drives are reported separately.

Backblaze found one drive model exhibited zero failures for all of 2023, the Seagate 8 TB ST8000NM000A. However, this came with the caveat that there are only 204 examples in service, and these were deployed only since Q3 2022, so have accumulated a limited number of drive days (total time operational). Nevertheless, as Backblaze's principal cloud storage evangelist Andy Klein pointed out: "Zero failures over 18 months is a nice start."

Security

Infosys Subsidiary Named as Source of Bank of America Data Leak (theregister.com) 21

Indian tech services giant Infosys has been named as the source of a data leak suffered by the Bank of America. From a report: Infosys disclosed the breach in a November 3, 2023, filing that revealed its US subsidiary Infosys McCamish Systems LLC (IMS) "has become aware of a cyber security incident resulting in non-availability of certain applications and systems in IMS." A data breach notification filed in the US state of Maine this week describes the incident as "External system breach (hacking)" and reveals the improperly accessed data includes "Name or other personal identifier in combination with: Social Security Number."

The notification was submitted by an outside attorney working on behalf of the Bank of America, names IMS as the source, and revealed that information on 57,028 people was leaked. A sample of the letter sent to those impacted by the incident reveals that on November 24, "IMS told Bank of America that data concerning deferred compensation plans serviced by Bank of America may have been compromised. Bank of America's systems were not compromised." Things then get a bit scary: "It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident at IMS. According to our records, deferred compensation plan information may have included your first and last name, address, business email address, date of birth, Social Security number, and other account information."

Security

FCC Requires Telcos To Disclose When Your Personal Info Is Stolen 13

Starting today, telcos in America will need to disclose system break-ins within seven days. "[T]he same deadline now exists to report any data leaks to the FBI and US Secret Service as well," adds The Register. From the report: After releasing a proposed rule in early January and giving the industry 30 days to respond, the FCC's final rule was published today. It solidifies what the agency proposed a little more than a month ago, and what was teased in early 2022 when FCC chairwoman Jessica Rosenworcel drafted initial changes to the commission's 16-year old security "breach" reporting duties.

Along with requiring that attacks are reported to the FCC within seven days of a telco discovering them, the same deadline now exists to report any data leaks to the FBI and US Secret Service as well. As the FCC planned, the new rule also eliminates the mandatory seven-day waiting period for reporting break-ins to consumers. The FCC now "requires carriers to notify customers of breaches of covered data without unreasonable delay ... and in no case more than 30 days following reasonable determination of a breach."

"Reasonable determination" of a data blurt is further defined as "when the carrier has information indicating that it is more likely than not that there was a breach" and "does not mean reaching a conclusion regarding every fact surrounding a data security incident that may constitute a breach." In other words, if customers are affected then they had better be notified post-haste. The FCC has additionally extended the scope of data exposure types that telecom customers must be notified of. Prior to the passage of the new rule customers only had to be told if Customer proprietary network information (CPNI) was exposed to the world.

IT

The Norwegian Sovereign Wealth Fund's $92 Million Excel Error 49

FT Alphaville: Last year, Norway's $1.5tn sovereign wealth fund revealed that it had lost NKr980mn, roughly $92mn, on an error relating to how it calculated its mandated benchmark. Here's what Norges Bank Investment Management said at the time: "In February this year, a calculation error was discovered in the composition of the index we're measured against. This error led to a marginal overweight in US fixed income relative to global fixed income. When this was discovered, we immediately set about correcting it, but because the fund is so large, the return was 0.7 basis points. Due to this our previously reported positive relative return of NOK 118 billion was adjusted down to NOK 117 billion."

It is a good example of how even tiny operational mistakes can have mammoth-sized consequences in nominal terms when you manage one of the world's biggest pools of capital. Sometimes a mistake can even lead to a windfall -- such as in 2021, when NBIM apparently made NKr582mn by accidentally accumulating an outsized position in a rising stock. But the 2023 index snafu is by far the biggest the fund has registered, almost twice as large as the cumulative operational-accidental losses it suffered from 2010-20. Alphaville was intrigued. What exactly went wrong? Well, in a recently-released anthropological report commissioned to investigate its own culture, NBIM seems to have inadvertently revealed just how minuscule the mistake was.

Here's an NBIM employee called "Simon" recounting the debacle to the report's author, Tone Danielsen. Alphaville's emphasis below: "Last year (spring 2022) we had an off-site. One of our workshops was on 'Mistakes and how to deal with them.' We wrote post-it notes, classifying them into different categories from harmless to no-goes. One of my post-it notes, I remember it vividly, read: Miscalculation of the Ministry of Finance benchmark. I placed it in the category unforgivable.

When I wrote that note, I honestly couldn't even dare to think about the consequences. And less than a year later, I did exactly that. My worst nightmare. It was a manual mistake. My mistake. I used the wrong date, December 1st instead of November 1st which is clearly stated in our mandate. The mistake was not revealed until months later, by the Ministry of Finance. They reported back that the numbers did not add up. I did all the numbers once more, and the cause of the mistake was identified. I immediately reported to Patrick [Global Head] and Dag [Chief]. I openly express that this was my mistake, and mine alone. I felt miserable and was ready to take the consequences -- whatever they might be."

Education

Google Scholar is Manipulatable (arxiv.org) 16

Abstract of a paper [PDF] on the pre-print server Arxiv: Citations are widely considered in scientists' evaluation. As such, scientists may be incentivized to inflate their citation counts. While previous literature has examined self-citations and citation cartels, it remains unclear whether scientists can purchase citations. Here, we compile a dataset of about 1.6 million profiles on Google Scholar to examine instances of citation fraud on the platform. We survey faculty at highly-ranked universities, and confirm that Google Scholar is widely used when evaluating scientists. Intrigued by a citation-boosting service that we unravelled during our investigation, we contacted the service while undercover as a fictional author, and managed to purchase 50 citations. These findings provide conclusive evidence that citations can be bought in bulk, and highlight the need to look beyond citation counts.

Microsoft

Microsoft Working On Its Own DLSS-like Upscaler for Windows 11 (theverge.com) 42

Microsoft appears to be readying its own DLSS-like AI upscaling feature for PC games. From a report: X user PhantomOcean3 discovered the feature inside the latest test versions of Windows 11 over the weekend, with Microsoft describing its automatic super resolution as a way to "use AI to make supported games play more smoothly with enhanced details." That sounds a lot like Nvidia's Deep Learning Super Sampling (DLSS) technology, which uses AI to upscale games and improve frame rates and image quality. AMD and Intel also offer their own variants, with FSR and XeSS both growing in popularity in recent PC game releases.

Privacy

'World's Biggest Casino' App Exposed Customers' Personal Data (techcrunch.com) 10

An anonymous reader shares a report: The startup that develops the phone app for casino resort giant WinStar has secured an exposed database that was spilling customers' private information to the open web. Oklahoma-based WinStar bills itself as the "world's biggest casino" by square footage. The casino and hotel resort also offers an app, My WinStar, in which guests can access self-service options during their hotel stay, their rewards points and loyalty benefits, and casino winnings.

The app is developed by a Nevada software startup called Dexiga. The startup left one of its logging databases on the internet without a password, allowing anyone with knowledge of its public IP address to access the WinStar customer data stored within using only their web browser. Dexiga took the database offline after TechCrunch alerted the company to the security lapse. Anurag Sen, a good-faith security researcher who has a knack for discovering inadvertently exposed sensitive data on the internet, found the database containing personal information, but it was initially unclear who the database belonged to. Sen said the personal data included full names, phone numbers, email addresses and home addresses. Sen shared details of the exposed database with TechCrunch to help identify its owner and disclose the security lapse.

Spam

The Unsettling Scourge of Obituary Spam (theverge.com) 39

Many websites are using AI tools to generate fake obituaries about average people for profit. These articles lack substantiating details but are optimized for SEO, frequently outranking legitimate obituaries, The Verge reports. The fake obituaries, as one can imagine, are causing distress for grieving families and friends. In response, Google told The Verge that it aims to surface high-quality information but struggles with "data voids." The company terminated some YouTube channels sharing fake notices but declined to say if the flagged websites violate policies.

Encryption

Cryptography Guru Martin Hellman Urges International Cooperation on AI, Security (infoworld.com) 18

Martin Hellman "achieved legendary status as co-inventor of the Diffie-Hellman public key exchange algorithm, a breakthrough in software and computer cryptography," notes a new interview in InfoWorld.

Nine years after winning the Turing award, the 78-year-old cryptologist shared his perspective on some other issues: What do you think about the state of digital spying today?

Hellman: There's a need for greater international cooperation. How can we have true cyber security when nations are planning — and implementing — cyber attacks on one another? How can we ensure that AI is used only for good when nations are building it into their weapons systems? Then, there's the grandaddy of all technological threats, nuclear weapons. If we keep fighting wars, it's only a matter of time before one blows up.

The highly unacceptable level of nuclear risk highlights the need to look at the choices we make around critical decisions, including cyber security. We have to take into consideration all participants' needs for our strategies to be effective....

Your battle with the government to make private communication available to the general public in the digital age has the status of folklore. But, in your recent book (co-authored with your wife Dorothie [and freely available as a PDF]), you describe a meeting of minds with Admiral Bobby Ray Inman, former head of the NSA. Until I read your book, I saw the National Security Agency as bad and Diffie-Hellman as good, plain and simple. You describe how you came to see the NSA and its people as sincere actors rather than as a cynical cabal bent on repression. What changed your perspective?

Hellman: This is a great, real-life example of how taking a holistic view in a conflict, instead of just a one-sided one, resolved an apparently intractable impasse. Those insights were part of a major change in my approach to life. As we say in our book, "Get curious, not furious." These ideas are effective not just in highly visible conflicts like ours with the NSA, but in every aspect of life.

Hellman also had an interesting answer when asked if math, game theory, and software development teach any lessons applicable to issues like nuclear non-proliferation or national defense.

"The main thing to learn is that the narrative we (and other nations) tell ourselves is overly simplified and tends to make us look good and our adversaries bad."

Australia

New Australian Law Will Give Workers 'Right to Disconnect' (seattletimes.com) 97

An anonymous reader shared this report from the New York Times: When it's after hours, and the boss is on the line, Australian workers — already among the world's best-rested and most personally fulfilled employees — can soon press "decline" in favor of the seductive call of the beach. In yet another buttress against the scourge of overwork, Australia's Senate on Thursday passed a bill giving workers the right to ignore calls and messages outside of working hours without fear of repercussion. It will now return to the House of Representatives for final approval.

The bill, expected to pass in the House with ease, will let Australian workers refuse "unreasonable" professional communication outside of the workday. Workplaces that punish employees for not responding to such demands could be fined. "Someone who is not being paid 24 hours a day shouldn't be penalized if they're not online and available 24 hours a day," Prime Minister Anthony Albanese said at a news conference Wednesday...

Australia follows in the footsteps of European nations such as France, which in 2017 introduced the right of workers to disconnect from employers while off duty, a move later emulated by Germany, Italy and Belgium. The European Parliament has also called for a law across the European Union that would alleviate the pressure on workers to answer communications off the clock...

Australians already enjoy a host of standardized benefits, including 20 days of paid annual leave, mandatory paid sick leave, "long service" leave of six weeks for those who have remained at an employer for at least seven years, 18 weeks of paid maternity leave and a nationwide minimum wage of about $15 an hour.

Cloud

Why Companies Are Leaving the Cloud (infoworld.com) 176

InfoWorld reports: Don't look now, but 25% of organizations surveyed in the United Kingdom have already moved half or more of their cloud-based workloads back to on-premises infrastructures. This is according to a recent study by Citrix, a Cloud Software Group business unit. The survey questioned 350 IT leaders on their current approaches to cloud computing. The survey also showed that 93% of respondents had been involved with a cloud repatriation project in the past three years. That is a lot of repatriation. Why?

Security issues and high project expectations were reported as the top motivators (33%) for relocating some cloud-based workloads back to on-premises infrastructures such as enterprise data centers, colocation providers, and managed service providers (MSPs). Another significant driver was the failure to meet internal expectations, at 24%... Those surveyed also cited unexpected costs, performance issues, compatibility problems, and service downtime. The most common motivator for repatriation I've been seeing is cost. In the survey, more than 43% of IT leaders found that moving applications and data from on-premises to the cloud was more expensive than expected.

Although not a part of the survey, the cost of operating applications and storing data on the cloud has also been significantly more expensive than most enterprises expected. The cost-benefit analysis of cloud versus on-premises infrastructure varies greatly depending on the organization... The cloud is a good fit for modern applications that leverage a group of services, such as serverless, containers, or clustering. However, that doesn't describe most enterprise applications.

The article cautions, "Don't feel sorry for the public cloud providers."

"Any losses from repatriation will be quickly replaced by the vast amounts of infrastructure needed to build and run AI-based systems... As I've said a few times here, cloud conferences have become genAI conferences, which will continue for several years."

Encryption

David Kahn, Leading Historian of Code and Code Breaking, Dies At 93 (nytimes.com) 5

Clay Risen reports via the New York Times: David Kahn, whose 1967 book, "The Codebreakers," established him as the world's pre-eminent authority on cryptology -- the science of making and breaking secret codes -- died on Jan. 24 in the Bronx. He was 93. His son Michael said the death, at a senior-living facility, was from the long-term effects of a stroke in 2015.

Before Mr. Kahn's book, cryptology itself was something of a secret. Despite an explosion in cryptological technology and techniques during the 20th century and the central role they played during World War II, the subject was typically overlooked by historians, if only because their possible sources were still highly classified. "Codebreaking is the most important form of secret intelligence in the world today," Mr. Kahn wrote in his book's preface. "Yet it has never had a chronicler."

Over the course of more than 1,000 pages, along with some 150 pages of notes, Mr. Kahn laid out cryptology's long history, starting with ancient Egypt 4,000 years ago and proceeding through the French and American revolutions, the innovations wrought by the advent of the telegraph and telephone to the mid-20th century and the dawn of computer-assisted code breaking.

Privacy

Security Flaw In a Popular Smart Helmet Allowed Silent Location Tracking (techcrunch.com) 3

An anonymous reader quotes a report from TechCrunch: The maker of a popular smart ski and bike helmet has fixed a security flaw that allowed the easy real-time location tracking of anyone wearing its helmets. Livall makes internet-connected helmets that allow groups of skiers or bike riders to talk with each other using the helmet's in-built speaker and microphone, and share their real-time location in a friend's group using Livall's smartphone apps. Ken Munro, founder of U.K. cybersecurity testing firm Pen Test Partners, said Livall's smartphone apps had a simple flaw allowing easy access to any group's audio chats and location data. Munro says the two apps, one for skiers and one for bike riders, collectively have about a million users.

At the heart of the bug, Munro found that anyone using Livall's apps for group audio chat and sharing their location must be part of the same friends group, which could be accessed using only that group's six-digit numeric code. "That 6-digit group code simply isn't random enough," Munro said in a blog post describing the flaw. "We could brute force all group IDs in a matter of minutes." In doing so, anyone could access any of the 1 million possible permutations of group chat codes.

"As soon as one entered a valid group code, one joined the group automatically," said Munro, adding that this happened without alerting other group members. "It was therefore trivial to silently join any group, giving us access to any users' location and the ability to listen in to any group audio communications," said Munro. "The only way a rogue group user could be detected was if the legitimate user went to check on the members of that group." [...] In an email, Livall's R&D director Richard Yi explained that the company improved the randomness of group codes by also adding letters, and including alerts for new members joining groups. Yi also said the app now allows the shared location to be turned off at the user level.
