IT

Will Remote Working Lead Millennials to Buy Homes in Affordable Remote Suburbs? (yahoo.com) 111

An anonymous reader shared this report from Fortune: For eight years now, as millennials have entered their thirties and forties, also known as "homebuying age," Bank of America has surveyed over 1,000 members of the generation once a year for its Home Work series. And for 2023's edition... older millennials (age 31-41) are almost three times as likely to move into a house than an apartment, the survey found...

Migration patterns during the pandemic have clearly established that most homebuyers have wanted to flee big cities, with some "zoomtowns" such as Boise benefiting in particular. But the survey reveals something even more drastic. In a section called "suburban nation," BofA reveals that 43% to 45% of millennials — of every age — expect to buy a house in the suburbs. "We expect the ability to work from home to remain an incentive for young families to seek out more remote suburban and rural markets where housing may be more affordable," wrote the BofA team led by research analyst Elizabeth Suzuki. And remote work is still robust, they added.

Millennials are also looking toward the suburbs for wealth-building. A majority (two-thirds) of them believe that they'll buy a home in the next two years, citing a return on investment as the number one reason for purchasing. The interest is pervasive across the generation, and maybe means that the suburb is in for a new and better revival. And a 2021 study from Pew Research Center found that one in five adults preferred city life, compared to one quarter of adults in 2018...

Millennials reported to BoA that the pandemic increased their likelihood of buying a home...

Piracy

US Seizes Z-Library Login Domain, But Secret URLs for Each User Remain Active (arstechnica.com) 13

US authorities have seized another major Z-Library domain but still haven't been able to wipe the pirate book site off the Internet. From a report: Z-Library claims to offer over 13 million books, up from 11 million since US authorities launched their first major operation against Z-Library late last year. "Unfortunately, one of our primary login domains was seized today," Z-Library wrote in a Wednesday message on its Telegram account. "Therefore, we recommend using the domain singlelogin[dot]re to log in to your account, as well as to register. Please share this domain with others." In November, US authorities charged Russian nationals Anton Napolsky and Valeriia Ermakova with criminal copyright infringement, wire fraud, and money laundering for allegedly operating Z-Library. The US said at the time that it seized 250 "interrelated web domains" run by Z-Library and that Napolsky and Ermakova were arrested in Argentina at the request of the US government. Other people continue to operate Z-Library, which remained available on the Tor network and returned to the clearnet in February with a new strategy of assigning personal, secret URLs to each user. Z-Library directed users to singlelogin[dot]me, where they could sign in with their login credentials and receive a unique URL to access the entire pirate library.

Security

Ex-Uber Security Chief Gets Probation for Concealing 2016 Data Breach (axios.com) 8

A judge sentenced Joe Sullivan, the former chief security officer at Uber, to three years' probation and 200 hours of community service on Thursday for covering up a 2016 cyberattack from authorities and obstructing a federal investigation. From a report: Sullivan's case is likely the first time a security executive has faced criminal charges for mishandling a data breach, and the response to Sullivan's case has split the cybersecurity community. In October, a jury found Sullivan guilty of obstructing an active FTC investigation into Uber's security practices and concealing a 2016 data breach that affected 50 million riders and drivers. Uber paid the hackers $100,000 to not release any stolen data and keep the attack quiet. Sullivan and his team routed the payment through the company's bug bounty program, which good-faith security researchers usually use to report flaws. The hack wasn't publicly disclosed until 2017, shortly after Dara Khosrowshahi stepped into the CEO role.

Khosrowshahi fired Sullivan in 2017, telling the jury last fall that he thought the decision to conceal the breach was "the wrong decision." Sullivan then joined Cloudflare as its chief security officer in 2018, and he stayed there until July 2022 when he stepped down to prepare for his trial. "If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison," Judge William Orrick said during the sentencing on Thursday. "When you go out and talk to your friends, to your CISOs, you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off," Orrick added.

Privacy

Ransomware Attack Forces Dallas To Shut Down Courts, Disrupts Some 911 Services (techcrunch.com) 20

An anonymous reader quotes a report from TechCrunch: The City of Dallas in Texas has confirmed a ransomware attack has downed key services, including 911 dispatch systems. City officials confirmed on Wednesday that a number of the city's servers had "been compromised with ransomware," causing widespread service outages. The Dallas Police Department (DPD) website is currently offline. The City of Dallas website displays a message stating that "the City is experiencing a service outage and is working to restore services," and the city wrote on a page that contains updates about the incident that all courts were closed on Wednesday and would be closed again on Thursday.

DPD spokesperson Melinda Gutierrez confirmed to TechCrunch that the outage has also impacted Computer Aided Dispatch, or "CAD" systems, which are used by dispatchers and 911 operators to prioritize and record incident calls. Local media reported that this has forced 911 call takers to manually write down instructions for responding officers. "There is no effect to 911 calls at this time, and they continue to be dispatched for service," Gutierrez added. "The outage is not affecting police response."

Printers on the City of Dallas network reportedly began printing out ransom notes on Wednesday morning. As per a copy of the note, the Royal ransomware gang has claimed responsibility for the attack, and a URL included on the note directed to a contact form on Royal's dark web victims site. The note said critical data was encrypted, and threatened to publish it online if a ransom demand is not met. The City of Dallas has not yet been listed on Royal's dark web leak site and it's not yet known what types of data have been stolen. City officials have not responded to TechCrunch's questions.

The full impact of the ransomware attack remains unknown. In a statement, the city said it was "actively working to isolate the ransomware to prevent its spread, to remove the ransomware from infected servers, and to restore any services currently impacted. The City is currently working to assess the complete impact, but at this time, the impact on the delivery of City services to its residents is limited."

Data Storage

HDDs Typically Failed in Under 3 Years in Backblaze Study of 17,155 Failed Drives (arstechnica.com) 102

An anonymous reader shares a report: We recently covered a study by Secure Data Recovery, an HDD, SSD, and RAID data recovery company, of 2,007 defective hard disk drives it received. It found the average time before failure among those drives to be 2 years and 10 months. That seemed like a short life span, but considering the limited sample size and analysis in Secure Data Recovery's report, there was room for skepticism. Today, Backblaze, a backup and cloud storage company with a reputation for detailed HDD and SSD failure analysis, followed up Secure Data Recovery's report with its own research using a much larger data set. Among the 17,155 failed HDDs Backblaze examined, the average age at which the drives failed was 2 years and 6 months.

Backblaze arrived at this age by examining all of its failed drives and their respective power-on hours. The company recorded each drive's failure date, model, serial number, capacity, failure, and SMART raw value. The 17,155 drives examined include 72 different models and do not include failed boot drives, drives that had no SMART raw attribute data, or drives with out-of-bounds data. If Backblaze only looked at drives that it didn't use in its data centers anymore, there would be 3,379 drives across 35 models, and the average age of failure would be a bit longer at 2 years and 7 months. Backblaze said its results thus far "are consistent" with Secure Data Recovery's March findings. This is despite Backblaze currently using HDDs that are older than 2 years and 7 months.

Security

Hackers Hit Dallas City Servers, Limiting Some Police and IT Systems (bloomberg.com) 17

Dallas is experiencing IT and police communication outages following a ransomware attack on municipal systems. From a report: City officials said in a statement Wednesday that hackers had compromised "a number of servers" and that they were working with vendors to try to control the spread of malware. With a ransomware attack, hackers lock up victims' data or knock services offline, then demand an extortion payment. "We have been having a system shutdown for the past two days now," a Dallas 311 operator told Bloomberg News. "We are very limited in what we are able to access internally right now."

The Dallas police department's website was inaccessible when Bloomberg News tried to visit the page Thursday. The hack also affected the police dispatch system and resulted in the closure of local courts on Wednesday, TechCrunch reported. "We appreciate your patience during this time," the city website stated. The "Royal" ransomware gang claimed responsibility for the attack. The group sent city officials a note that included a link to communicate with the hackers and discuss a payment, however the size of the ransom demand was not immediately clear.

Social Networks

Discord Will Force You To Update Your Username (engadget.com) 76

Discord is making "big changes" to how identities work on the platform, a move that will force you to change your username. From a report: Up until now, the company has appended four-digit tags to identities as a way to distinguish people with the same username. However, the new system will give everyone a unique username, much like Twitter, Instagram and other services. "The whole point of these changes is that we want to make it a lot easier for you and all the new users coming to Discord to connect and hang out with friends," co-founder Stanislav Vishnevskiy wrote in a blog post. "We know that your username and identity are important, and we understand that some of you may not like this change and disagree with it." The original aim with the four-digit tags was to allow you to choose any username you wanted, but it has now become "technical debt," according to Discord. The company said that the usernames are "too complicated or obscure" for people to remember.

Microsoft

Microsoft's Bing Chat AI is Now Open To Everyone, With Plug-ins Coming Soon (theverge.com) 30

Microsoft is making its Bing GPT-4 chatbot available to everyone today, no more waitlist necessary. From a report: All you need to do is sign in to the new Bing or Edge with your Microsoft account, and you'll now access the open preview version that's powered by GPT-4. Microsoft is also massively upgrading Bing Chat with lots of new features and even plug-in support. Microsoft is now adding more smart features to Bing Chat, including image and video results, new Bing and Edge Actions feature, persistent chat and history, and plug-in support. The plug-in support will be the key addition for developers and for the future of Bing Chat.

Google

Passwordless Google Accounts Are Here - You Can Now Switch To Passkey-Only (arstechnica.com) 72

Google is taking a big step toward our supposedly passwordless future by enabling passkey-only Google accounts. From a report: In the blog post, titled "The beginning of the end of the password," Google says: "We've begun rolling out support for passkeys across Google Accounts on all major platforms. They'll be an additional option that people can use to sign in, alongside passwords, 2-Step Verification (2SV), etc." Previously, you've been able to use a passkey with a Google account as part of two-factor authentication, but that was always in addition to a password. Now it's possible to use a Google account with a passkey instead of a password.

A passkey, if you haven't heard of the new authentication method, is a new way to log in to apps and websites and may someday replace a password. Password entry began as a simple text box for humans, and those text boxes slowly had automation and complication bolted onto them as the desire for higher security arrived. While you used to type a remembered word into a password field, today, the right way to use a password is to have a password manager paste a random string of characters into the password box. Since few of us physically type in our passwords, passkeys remove the password box. Passkeys have your operating system directly swap public-private keypairs -- the "WebAuthn" standard -- with a website, and that's how you get authenticated. Google's demo of how this will work on a phone looks great -- the usual box asks for your Google username, then instead of a password, it asks for a fingerprint, which unlocks the passkey system, and you're logged in. Google's passwordless support is headed for consumer devices right now, while business Google Workspace accounts will "soon" have the option to enable passkeys for end users.

Microsoft

Microsoft is Forcing Outlook and Teams To Open Links in Edge, and IT Admins Are Angry (theverge.com) 139

An anonymous reader shares a report: Microsoft has now started notifying IT admins that it will force Outlook and Teams to ignore the default web browser on Windows and open links in Microsoft Edge instead. Reddit users have posted messages from the Microsoft 365 admin center that reveal how Microsoft is going to roll out this change. "Web links from Azure Active Directory (AAD) accounts and Microsoft (MSA) accounts in the Outlook for Windows app will open in Microsoft Edge in a single view showing the opened link side-by-side with the email it came from," reads a message to IT admins from Microsoft. While this won't affect the default browser setting in Windows, it's yet another part of Microsoft 365 and Windows that totally ignores your default browser choice for links. Microsoft already does this with the Widgets system in Windows 11 and even the search experience, where you'll be forced into Edge if you click a link even if you have another browser set as default. Further reading: Microsoft Broke a Chrome Feature To Promote Its Edge Browser.

Chrome

Chrome To Drop Lock Icon Showing HTTPS Status (itnews.com.au) 88

Google will remove the familiar lock icon that allows users to check a website's Transport Layer Security status for the connection, citing research that only a few users correctly understood its precise meaning. From a report: The lock icon has been displayed by web browsers since the 1990s, indicating that the connection to web sites is secured and authenticated with encryption. However, Google said its 2021 research showed that only 11 percent of participants in a study correctly understood the meaning of the lock icon. This, Google argued, is not harmless since most phishing sites also use the hyper text transfer protocol secure extension (HTTPS) and also display the lock icon. Ergo, a lock icon is not in actual fact an indicator of a site's security. [...] Starting with Chrome version 117, Google will introduce a new "tune" icon, which does not imply a site is trustworthy, and is more obviously clickable. The "tune" icon is more commonly associated with settings and other control, and Google said a more neutral indicator like that prevents the misunderstanding around site security that the lock icon is causing.

Security

ChatGPT-related Malware on the Rise, Meta Says (reuters.com) 8

Facebook owner Meta said on Wednesday it had uncovered malware purveyors leveraging public interest in ChatGPT to lure users into downloading malicious apps and browser extensions, likening the phenomenon to cryptocurrency scams. From a report: Since March, the social media giant has found around 10 malware families and more than 1,000 malicious links that were promoted as tools featuring the popular artificial intelligence-powered chatbot, it said in a report. In some cases, the malware delivered working ChatGPT functionality alongside abusive files, the company said. Speaking at a press briefing on the report, Meta Chief Information Security Officer Guy Rosen said that for bad actors, "ChatGPT is the new crypto."

Security

Promising Jobs At the US Postal Service, 'US Job Services' Leaks Customer Data (krebsonsecurity.com) 12

An anonymous reader quotes a report from KrebsOnSecurity: A sprawling online company based in Georgia that has made tens of millions of dollars purporting to sell access to jobs at the United States Postal Service (USPS) has exposed its internal IT operations and database of nearly 900,000 customers. The leaked records indicate the network's chief technology officer in Pakistan has been hacked for the past year, and that the entire operation was created by the principals of a Tennessee-based telemarketing firm that has promoted USPS employment websites since 2016. KrebsOnSecurity was recently contacted by a security researcher who said he found a huge tranche of full credit card records exposed online, and that at first glance the domain names involved appeared to be affiliated with the USPS. Further investigation revealed a long-running international operation that has been emailing and text messaging people for years to sign up at a slew of websites that all promise they can help visitors secure employment at the USPS.

Sites like FederalJobsCenter[.]com also show up prominently in Google search results for USPS employment, and steer applicants toward making credit card "registration deposits" to ensure that one's application for employment is reviewed. These sites also sell training, supposedly to help ace an interview with USPS human resources. FederalJobsCenter's website is full of content that makes it appear the site is affiliated with the USPS, although its "terms and conditions" state that it is not. Rather, the terms state that FederalJobsCenter is affiliated with an entity called US Job Services, which says it is based in Lawrenceville, Ga. The site says applicants need to make a credit card deposit to register, and that this amount is refundable if the applicant is not offered a USPS job within 30 days after the interview process. But a review of the public feedback on US Job Services and dozens of similar names connected to this entity over the years shows a pattern of activity: Applicants pay between $39.99 and $100 for USPS job coaching services, and receive little if anything in return. Some reported being charged the same amount monthly.

Michael Martel, spokesperson for the United States Postal Inspection Service, said in a written statement that the USPS has no affiliation with the websites or companies named in this story.

"To learn more about employment with USPS, visit USPS.com/careers," Martel wrote. "If you are the victim of a crime online report it to the FBI's Internet Crime Complaint Center (IC3) at www.ic3.gov. To report fraud committed through or toward the USPS, its employees, or customers, report it to the United States Postal Inspection Service (USPIS) at www.uspis.gov/report."

A list of all the current sites selling this product can be found in Krebs' report.

Security

T-Mobile Discloses 2nd Data Breach of 2023, This One Leaking Account PINs and More (arstechnica.com) 17

T-Mobile on Monday said it experienced a hack that exposed account PINs and other customer data in the company's second network intrusion this year and the ninth since 2018. From a report: The intrusion, which started on February 24 and lasted until March 30, affected 836 customers, according to a notification on the website of Maine Attorney General Aaron Frey. "The information obtained for each customer varied but may have included full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts (for example, rate plan and feature codes), and the number of lines," the company wrote in a letter sent to affected customers. Account PINs, which customers use to swap out SIM cards and authorize other important changes to their accounts, were reset once T-Mobile discovered the breach on March 27.

The incident is the second hack to hit T-Mobile this year. It's the ninth since 2018, based on reporting by TechCrunch. In January, T-Mobile said "bad actors" abused its application programming in a way that allowed them to access the data of 37 million customers. The hack started on November 25, 2022, and wasn't discovered by T-Mobile until January 5, TechCrunch said. Data obtained in that incident included names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers, and information such as the number of lines on accounts and plan features.

Social Networks

Pornhub Blocks All of Utah From Its Site 219

In response to a new law that requires porn sites to verify users' ages, Pornhub has completely disabled its websites for people located in Utah. From a report: As of today, anyone accessing Pornhub from a Utah-based IP address doesn't see the Pornhub homepage, but instead is met with a video of Cherie DeVille, adult performer and member of the Adult Performer Advocacy Committee, explaining that they won't be able to visit the site. "As you may know, your elected officials in Utah are requiring us to verify your age before allowing you access to our website," DeVille says. "While safety and compliance are at the forefront of our mission, giving your ID card every time you want to visit an adult platform is not the most effective solution for protecting our users, and in fact, will put children and your privacy at risk."

Security

Apple Releases Its First Rapid-Fire Security Updates for iPhone, iPad and Mac (engadget.com) 26

Apple promised faster turnaround times for security patches with iOS 16 and macOS Ventura, and it's now delivering on that claim. From a report: The company has released its first Rapid Security Response updates for devices running iOS 16.4.1, iPadOS 16.4.1 and macOS 13.3.1. They're available through Software Update as usual, but are small downloads that don't require much time to install. MacRumors says the fix is deploying over the course of 48 hours, so don't be surprised if you have to wait a short while.

Wireless Networking

Are Public Wifi and Phone Chargers Actually Safe? (msn.com) 85

The Washington Post's "Tech Friend" newsletter suggests some "tech fears you can stop worrying about." And it starts by reassuring readers, "You're fine using the WiFi in a coffee shop, hotel or airport." "Yes, it is safe," said Chester Wisniewski, a digital security specialist with the firm Sophos. Five or 10 years ago, it wasn't secure to use the shared WiFi in a coffee shop or another place outside your home. But now, most websites and apps scramble whatever you do online. That makes it tough for crooks to snoop on you when you're connected to public WiFi. It's not impossible, but criminals have easier targets.

Even Wisniewski, whose job involves sensitive information, said he connected to the WiFi at the airport and hotel on a recent business trip. He plans to use the WiFi at a conference in Las Vegas attended by the world's best computer hackers. Wisniewski generally does not use an extra layer of security called a VPN, although your company might require it. He avoids using WiFi in China.

You should be wary of public WiFi if you know you're a target of government surveillance or other snooping. But you are probably not Edward Snowden or Brad Pitt... For nearly all of us and nearly all of the time, you can use public WiFi without stress.

The newsletter also suggests we stop worrying about public phone chargers. ("Security experts told me that 'juice jacking' is extremely unlikely... Don't worry about the phone chargers unless you know you're being targeted by criminals or spies.")

Beyond that, "Focus your energy on digital security measures that really matter" — things like using strong and unique passwords for online accounts. ("This is a pain. Do it anyway.") And it calls two-factor authentication possibly the single best thing you can do to protect yourself online.

Programming

'sudo' and 'su' Are Being Rewritten In Rust For Memory Safety (phoronix.com) 143

Phoronix reports: With the financial backing of Amazon Web Services, sudo and su are being rewritten in the Rust programming language in order to increase the memory safety for the widely relied upon software... to further enhance Linux/open-source security.

"[B]ecause it's written in C, sudo has experienced many vulnerabilities related to memory safety issues," according to a blog post announcing the project: It's important that we secure our most critical software, particularly from memory safety vulnerabilities. It's hard to imagine software that's much more critical than sudo and su.

This work is being done by a joint team from Ferrous Systems and Tweede Golf with generous support from Amazon Web Services. The work plan is viewable here. The GitHub repository is here.

IT

84 Amazon Delivery Drivers Just Won a $30 an Hour Union Contract (vox.com) 36

CNBC reports that 84 Amazon delivery drivers at a California facility "joined the International Brotherhood of Teamsters, the union said Monday, in a win for labor organizers that have long sought to gain a foothold at the e-retailer."

An anonymous reader shared this follow-up report from Vox: [T]hey unanimously ratified the contract, which will bring their wages from around $20 currently to $30 by September and would allow them to refuse to do deliveries they consider unsafe. But that victory is a bit complicated... They wear Amazon vests and drive Amazon-branded vehicles, have schedules dictated by Amazon, and can even be fired by Amazon. But they're technically employed by Battle Tested Strategies (BTS), one of approximately 3,000 delivery contract companies that make up Amazon's extensive delivery network. BTS voluntarily recognized the union after a majority of workers signed union authorization cards and negotiated the union contract.

Amazon has told Vox that its contract with BTS, which exclusively delivers for Amazon, was terminated "well before" workers notified the tech giant Monday, but that the contract hasn't expired yet. The union said that the delivery people are still working for Amazon and that the contract goes through October, when it typically would auto-renew. What happens next depends on Amazon, the workers, and the interpretation of outdated US labor law... At the crux of the delivery driver issue is whether Amazon controls enough of what the workers do to be considered a joint employer. "If Amazon is able to get away with ignoring the workers' decision and hiding behind the subcontractor relationships, then I'm afraid we'll have yet another story of the failure of American labor law," said Benjamin Sachs, a labor professor at Harvard Law School. "If this leads to a recognition that these drivers are Amazon employees, joint employees, then this could be massively important."

One element of note: These workers organized in California, which has a lower bar for who is considered an employee, and by extension, who enjoys union protections... Another element that the National Labor Relations Board will likely have to decide is whether Amazon terminated the contract with BTS in order to avoid working with a union, something that would be illegal if they were considered employees.

The article also notes that elsewhere, 50 YouTube contractors also voted to unionize this week.

Businesses

Lyft Demands Employees Return to Office in September (spokesman.com) 131

"Since the pandemic began, Lyft employees have been able to work remotely," notes the New York Times, "logging into videoconferences from their homes and dispersing across the country like many other tech workers. Last year, the company made that policy official, telling staff that work would be 'fully flexible' and subleasing floors of its offices in San Francisco and elsewhere." No longer. On Friday, David Risher, the company's new chief executive, told employees in an all-hands meeting that they would be required to come back into the office at least three days a week, starting this fall. [Although the Times adds later that "People will be allowed to work remotely for one month each year, and those living far from offices would not be required to come in."]

It was one of the first major changes he has made at the struggling ride-hailing company since starting this month, and it came just a day after he laid off 26 percent of Lyft's work force. "Things just move faster when you're face to face," Mr. Risher said in an interview. Remote work in the tech industry, he said, had come at a cost, leading to isolation and eroding culture. "There's a real feeling of satisfaction that comes from working together at a whiteboard on a problem."

The decision, combined with the layoffs and other changes, signals the beginning of a new chapter at Lyft. It could also be an indication that some tech companies — particularly firms that are struggling — may be changing their minds on flexibility about where employees work. Nudges toward working in the office could soon turn into demands, as they have at companies like Disney and Apple...

Lyft also planned to tell employees that it would reduce their stock grants this year, according to a person familiar with the decision.

Risher "said the cost savings from the layoffs would go toward lower prices for riders and higher earnings for drivers," the Times adds, noting that last month Lyft's two founders said they'd step down after disappointing financial results. (Lyft's stock price closed Friday at $10.25 — down from a peak of $78.)

Bob Sutton, a Stanford professor and organizational psychologist, suggests another possible motivation to the Times: executives worried about financial stress "feel compelled to increase their own illusion of control."
