Robotics

Do Self-Service Kiosks Actually Increase Employment at Fast-Food Restaurants? (cnn.com) 78

Instead of eliminating jobs, self-service kiosks at McDonald's and other fast-food chains "have added extra work for kitchen staff," reports CNN — and as a bonus, "pushed customers to order more food than they do at the cash register..." Kiosks "guarantee that the upsell opportunities" like a milkshake or fries are suggested to customers when they order, Shake Shack CEO Robert Lynch said on an earnings call last month. "Sometimes that is not always a priority for employees when you've got 40 people in line. You're trying to get through it as quick as possible." Kiosks also shift employees from behind the cash register to maintaining the dining area, delivering food to customers or working in the kitchen, he said. [Although a study from Temple University researchers found long lines at a kiosk stress customers — making them order less.]

Some McDonald's franchisees — which own and operate 95% of McDonald's in the United States — are now rolling out kiosks that can take cash and accept change. But even in these locations, McDonald's is reassigning cashiers to other roles, including new "guest experience lead" jobs that help customers use the kiosks and assist with any issues. "In theory, kiosks should help save on labor, but in reality, restaurants have added complexity due to mobile ordering and delivery, and the labor saved from kiosks is often reallocated for these efforts," said RJ Hottovy, an analyst who covers the restaurant and retail industries at data analytics firm Placer.ai....

Christopher Andrews, a sociologist at Drew University who studies the effects of technology on work, said the impacts of kiosks were similar to other self-service technology such as ATMs and self-checkout machines in supermarkets. Both technologies were predicted to cause job losses. "The introduction of ATMs did not result in massive technological unemployment for bank tellers," he said. "Instead, it freed them up from low-value tasks such as depositing and cashing checks to perform other tasks that created value." Self-checkout also has not caused retail job losses. In some cases, self-checkout backfired for chains because self-checkout leads to higher merchandise losses from customer errors and more intentional shoplifting than when human cashiers are ringing up customers.

Fast-food chains and retailers need to do a better job communicating what the potential benefits of kiosks and self-checkout are to consumers and employees, Andrews said. "What I think will be central for customers is that they see how this technology is providing them with more or better service rather than more unpaid busywork," he said. "Otherwise, the public is just likely to view it as yet another attempt to reduce labor costs via automation and self-service."

This article ends up taking both sides of the issue. For example, some befuddled kiosk users can take longer to order, the article points out — and of course, kiosks can also break down.

Restaurant analyst Hottovy told CNN "If kiosks really improved speed of service, order accuracy, and upsell, they'd be rolled out more extensively across the industry than they are today."
AI

Project Analyzing Human Language Usage Shuts Down Because 'Generative AI Has Polluted the Data' (404media.co) 93

The creator of an open source project that scraped the internet to determine the ever-changing popularity of different words in human language usage says that they are sunsetting the project because generative AI spam has poisoned the internet to a level where the project no longer has any utility. 404 Media: Wordfreq is a program that tracked the ever-changing ways people used more than 40 different languages by analyzing millions of sources across Wikipedia, movie and TV subtitles, news articles, books, websites, Twitter, and Reddit. The system could be used to analyze changing language habits as slang and popular culture changed and language evolved, and was a resource for academics who study such things. In a note on the project's GitHub, creator Robyn Speer wrote that the project "will not be updated anymore."

"Generative AI has polluted the data," she wrote. "I don't think anyone has reliable information about post-2021 language usage by humans." She said that open web scraping was an important part of the project's data sources and "now the web at large is full of slop generated by large language models, written by no one to communicate nothing. Including this slop in the data skews the word frequencies." While there has always been spam on the internet and in the datasets that Wordfreq used, "it was manageable and often identifiable. Large language models generate text that masquerades as real language with intention behind it, even though there is none, and their output crops up everywhere," she wrote.

Security

CISA Boss: Makers of Insecure Software Are the Real Cyber Villains (theregister.com) 120

Software developers who ship buggy, insecure code are the true baddies in the cyber crime story, Jen Easterly, boss of the US government's Cybersecurity and Infrastructure Security Agency, has argued. From a report: "The truth is: Technology vendors are the characters who are building problems" into their products, which then "open the doors for villains to attack their victims," declared Easterly during a Wednesday keynote address at Mandiant's mWise conference. Easterly also implored the audience to stop "glamorizing" crime gangs with fancy poetic names. How about "Scrawny Nuisance" or "Evil Ferret," Easterly suggested.

Even calling security holes "software vulnerabilities" is too lenient, she added. This phrase "really diffuses responsibility. We should call them 'product defects,'" Easterly said. And instead of automatically blaming victims for failing to patch their products quickly enough, "why don't we ask: Why does software require so many urgent patches? The truth is: We need to demand more of technology vendors."

Security

Hack of Hezbollah Devices Exposes Dark Corners of Asia Supply Chains (msn.com) 187

Deadly attacks using booby-trapped pagers and walkie-talkies in Lebanon have revealed significant vulnerabilities in the supply chains for older electronic devices. The incident, which killed 37 people and injured about 3,000, has sparked investigations across Europe into the origins of the weaponized gadgets.

Taiwan-based Gold Apollo blamed a European licensee for the compromised pagers, while Japan's Icom could not verify the authenticity of the walkie-talkies bearing its name. Both companies denied manufacturing the deadly components in their home countries. Industry executives say older electronics from Asia often lack the tight supply chain controls of newer products, making it difficult to trace their origins. Counterfeiting, surplus inventories, and complex manufacturing deals further complicate the issue.
Security

Disney To Stop Using Salesforce-Owned Slack After Hack Exposed Company Data (reuters.com) 25

Disney plans to transition away from using Slack as its companywide collaboration tool after a hacking group leaked over a terabyte of data from the platform. Many teams at Disney have already begun moving to other enterprise-wide tools, with the full transition expected later this year. Reuters reports: Hacking group NullBulge had published data from thousands of Slack channels at the entertainment giant, including computer code and details about unreleased projects, the Journal reported in July. The data spans more than 44 million messages from Disney's Slack workplace communications tool, WSJ reported earlier this month. The company had said in August it was investigating an unauthorized release of over a terabyte of data from one of its communication systems.
Security

1 In 10 Orgs Dumping Their Security Vendors After CrowdStrike Outage (theregister.com) 30

An anonymous reader quotes a report from The Register: Germany's Federal Office for Information Security (BSI) says one in ten organizations in the country affected by CrowdStrike's outage in July are dropping their current vendor's products. Four percent of organizations have already abandoned their existing solutions, while a further 6 percent plan to do so in the near future. It wasn't explicitly said whether this referred to CrowdStrike's Falcon product specifically or was a knee-jerk reaction to security vendors generally. One in five will also change the selection criteria when it comes to reviewing which security vendor gets their business. The whole fiasco doesn't seem to have hurt the company much though, at least not yet.

The findings come from a report examining the experiences of 311 affected organizations in Germany, published today. Of those affected in one way or another, most said they first heard about the issues from social media (23 percent) rather than CrowdStrike itself (22 percent). The report also revealed that half of the 311 surveyed orgs had to halt operations -- 48 percent experienced temporary downtime. Ten hours, on average. Aside from the obvious business continuity impacts, this led to various issues with customers too. Forty percent said their collaboration with customers was damaged because they couldn't provide their usual services, while more than one in ten organizations didn't even want to address the topic. The majority of respondents (66 percent) said they will improve their incident response plans in light of what happened, or have done so already, despite largely considering events like these as unavoidable.
The report highlights a curious finding that over half of CrowdStrike customers wanted to install updates more regularly, even though that would have been worse for an organization.

"Regardless, with the number of urgent patch warnings we and the infosec community dish out every week, it's probably a net positive, even if it's slightly misguided," concludes The Register.
Security

Google Passkeys Can Now Sync Across Devices On Multiple Platforms (engadget.com) 32

Google is updating its Password Manager to allow users to sync passkeys across multiple devices, including Windows, macOS, Linux, and Android, with iOS and ChromeOS support coming soon. Engadget reports: Once saved, the passkey automatically syncs across other devices using Google Password Manager. The company says this data is end-to-end encrypted, so it'll be pretty tough for someone to go in and steal credentials. [...] Today's update also brings another layer of security to passkeys on Google Password Manager. The company has introduced a six-digit PIN that will be required when using passkeys on a new device. This would likely stop nefarious actors from logging into an account even if they've somehow gotten ahold of the digital credentials. Just don't leave the PIN number laying on a sheet of paper directly next to the computer.
Privacy

Chinese Spies Spent Months Inside Aerospace Engineering Firm's Network Via Legacy IT (theregister.com) 16

The Register's Jessica Lyons reports: Chinese state-sponsored spies have been spotted inside a global engineering firm's network, having gained initial entry using an admin portal's default credentials on an IBM AIX server. In an exclusive interview with The Register, Binary Defense's Director of Security Research John Dwyer said the cyber snoops first compromised one of the victim's three unmanaged AIX servers in March, and remained inside the US-headquartered manufacturer's IT environment for four months while poking around for more boxes to commandeer. It's a tale that should be a warning to those with long- or almost-forgotten machines connected to their networks; those with shadow IT deployments; and those with unmanaged equipment. While the rest of your environment is protected by whatever threat detection you have in place, these legacy services are perfect starting points for miscreants.

This particular company, which Dwyer declined to name, makes components for public and private aerospace organizations and other critical sectors, including oil and gas. The intrusion has been attributed to an unnamed People's Republic of China team, whose motivation appears to be espionage and blueprint theft. It's worth noting the Feds have issued multiple security alerts this year about Beijing's spy crews including APT40 and Volt Typhoon, which has been accused of burrowing into American networks in preparation for destructive cyberattacks.

After discovering China's agents within its network in August, the manufacturer alerted local and federal law enforcement agencies and worked with government cybersecurity officials on attribution and mitigation, we're told. Binary Defense was also called in to investigate. Before being caught and subsequently booted off the network, the Chinese intruders uploaded a web shell and established persistent access, thus giving them full, remote access to the IT network -- putting the spies in a prime position for potential intellectual property theft and supply-chain manipulation. If a compromised component makes it out of the supply chain and into machinery in production, whoever is using that equipment or vehicle will end up feeling the brunt when that component fails, goes rogue, or goes awry.

"The scary side of it is: With our supply chain, we have an assumed risk chain, where whoever is consuming the final product -- whether it is the government, the US Department of the Defense, school systems — assumes all of the risks of all the interconnected pieces of the supply chain," Dwyer told The Register. Plus, he added, adversarial nations are well aware of this, "and the attacks continually seem to be shifting left." That is to say, attempts to meddle with products are happening earlier and earlier in the supply-chain pipeline, thus affecting more and more victims and being more deep-rooted in systems. Breaking into a classified network to steal designs or cause trouble is not super easy. "But can I get into a piece of the supply chain at a manufacturing center that isn't beholden to the same standards and accomplish my goals and objectives?" Dwyer asked. The answer, of course, is yes. [...]

Encryption

Global Police Dismantle Encrypted Messaging App Used By Criminals (ft.com) 36

International police forces have taken down an encrypted communication platform and arrested 51 people, marking a success for co-ordinated efforts to crack down on anonymous messaging services used by criminal groups. FT: Europol and law enforcement agencies from nine countries dismantled Ghost [non-paywalled source], an online platform which used three different encryption standards and allowed users to destroy all messages by sending a specific code, Europol announced on Wednesday. The crackdown is the latest operation by international agencies to decode encrypted messaging services used by criminals to manage their international operations, following the takedown of platforms such as EncroChat and Sky ECC in recent years.

[...] McLean said Ghost was administered by a 32-year-old man from Australia, one of the operation's principal targets. As a result of the decryption operation, where officers broke the app's code so they could read users' messages, the death or injury of as many as 50 people could have been prevented, McLean said.

United States

US Government 'Took Control' of a Botnet Run by Chinese Government Hackers, Says FBI Director (techcrunch.com) 13

An anonymous reader shares a report: Last week, the FBI took control of a botnet made up of hundreds of thousands of internet-connected devices, such as cameras, video recorders, storage devices, and routers, which was run by a Chinese government hacking group, FBI director Christopher Wray and U.S. government agencies revealed Wednesday. The hacking group, dubbed Flax Typhoon, was "targeting critical infrastructure across the U.S. and overseas, everyone from corporations and media organizations to universities and government agencies," Wray said at the Aspen Cyber Summit cybersecurity conference on Wednesday.

"But working in collaboration with our partners, we executed court-authorized operations to take control of the botnet's infrastructure," Wray said, explaining that once the authorities did that, the FBI also removed the malware from the compromised devices. "Now, when the bad guys realized what was happening, they tried to migrate their bots to new servers and even conducted a [Distributed Denial of Service] attack against us."

IT

Desktop Hypervisors Are Like Buses: None for Ages, Then Four at Once (theregister.com) 34

An anonymous reader shares a report: September has been a big month for desktop hypervisors, with the field's big players all delivering significant updates. Oracle delivered VirtualBox version 7.1, billed as a major upgrade thanks to its implementation of a UI with a "modernized look and feel, offering a selection between Basic and Experienced user level with reduced or full UI functionality."

[...] Parallels also released a desktop hypervisor update last week. Version 20 of the eponymous tool now offers a VM that's packed with tools developers may find handy as they work on generative AI applications. Among those tools are the Docker community edition, lmutils, the OpenCV computer vision library, and the Ollama chatbot interface for AI models. [...] The other big player in desktop hypervisors is VMware, with its Fusion and Workstation products for macOS and Windows respectively. Both were recently updated.

IT

Demand For High-End Cameras is Soaring (economist.com) 142

Luxury camera maker Leica Camera reported record sales in 2023, defying the global decline in digital camera demand. The German company's Q3 model, priced at $6,000, saw six-month waiting lists upon release last year. Industry data shows premium camera sales are surging as smartphone photography dominates the consumer market, Economist writes.

The Camera and Imaging Products Association reports the average camera price has tripled in six years as manufacturers shift focus to high-end models. Fujifilm's X100 series, launched in February at $1,600, is sold out and commanding higher prices on secondary markets. Nikon and other brands are following suit, prioritizing premium offerings. From a report: In a Japanese interview with Yomiuri, Nikon's president, Muneaki Tokunari, acknowledged that while smartphones harmed overall sales of digital interchangeable lens cameras, they may contribute to the demand for high-end cameras. Not many years removed from dire straits, Tokunari also outlined Nikon's ambitious expansion plans, including its recent acquisition of RED Digital Cinema.

Tokunari says that many camera businesses were recently operating at a loss and that some competitors exited the photo business altogether. This was, unsurprisingly, driven in large part by the massive growth of the smartphone market and the improving quality of smartphone cameras, which reached the "good enough" stage the late Steve Jobs predicted years before the camera industry felt the sting of smartphones.

However, "We are now in an age where smartphones and digital cameras can coexist," Tokunari explains in the machine-translated Yomiuri interview, initially spotted by Digicame-Info. "Global sales of digital cameras have fallen to one-twentieth of their peak. However, domestic companies are doing well. The top five companies hold most of the world's market share. This is a rare example in Japanese industry."

Encryption

Chrome Switching To NIST-Approved ML-KEM Quantum Encryption (bleepingcomputer.com) 52

Google is updating the post-quantum cryptography in Chrome, replacing the experimental Kyber with the fully standardized Module Lattice Key Encapsulation Mechanism (ML-KEM) to enhance protection against quantum computing attacks. BleepingComputer reports: This change comes roughly five months after Google rolled out the post-quantum secure TLS key encapsulation system on Chrome stable for all users, which also caused some problems with TLS exchanges. The move from Kyber to ML-KEM, though, is not related to those early problems, which were resolved soon after they appeared. Rather, it's a strategic choice to abandon an experimental system for a NIST-approved and fully standardized mechanism.

ML-KEM was fully endorsed by the U.S. National Institute of Standards and Technology (NIST) in mid-August, with the agency publishing the complete technical specifications of the final version at the time. Google explains that despite the technical changes from Kyber to ML-KEM being minor, the two are essentially incompatible, so a switch had to be made. "The changes to the final version of ML-KEM make it incompatible with the previously deployed version of Kyber," explains Google. "As a result, the codepoint in TLS for hybrid post-quantum key exchange is changing from 0x6399 for Kyber768+X25519, to 0x11EC for ML-KEM768+X25519."
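As an added example (not from the article, Google, or Chromium's code), the following parser walks a TLS 1.3 ClientHello extensions block and reports whether a client offers the retired Kyber768+X25519 codepoint (0x6399) or the standardized ML-KEM768+X25519 codepoint (0x11EC), which is how a defender could tell from a packet capture which clients still need the migration. The extension layout follows RFC 8446; the sample ClientHello bytes are constructed, and their key-share payloads are placeholder lengths rather than real 1216-byte hybrid shares.

```python
"""Classify the post-quantum hybrid groups offered in a TLS 1.3 ClientHello."""
import struct

# Named-group codepoints. The two hybrid values are the ones quoted in the
# article; X25519 (0x001d) is the classical group each hybrid is paired with.
GROUP_NAMES = {
    0x001D: "x25519",
    0x6399: "Kyber768+X25519 (experimental draft, retired by Chrome)",
    0x11EC: "ML-KEM768+X25519 (NIST-standardized hybrid)",
}
EXT_SUPPORTED_GROUPS = 0x000A   # RFC 8446 extension type for supported_groups
EXT_KEY_SHARE = 0x0033          # RFC 8446 extension type for key_share


def parse_extensions(buf):
    """Return [(ext_type, ext_data)] from an extensions block.
    `buf` starts with the 2-byte total length, as in a ClientHello."""
    if len(buf) < 2:
        raise ValueError("no extensions length")
    (total,) = struct.unpack(">H", buf[:2])
    if total != len(buf) - 2:
        raise ValueError("extensions length mismatch")
    pos, out = 2, []
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack(">HH", buf[pos:pos + 4])
        pos += 4
        if pos + elen > len(buf):
            raise ValueError("truncated extension body")
        out.append((etype, buf[pos:pos + elen]))
        pos += elen
    return out


def parse_supported_groups(data):
    """supported_groups body: 2-byte list length, then 2-byte group ids."""
    (ln,) = struct.unpack(">H", data[:2])
    if ln != len(data) - 2 or ln % 2:
        raise ValueError("bad supported_groups length")
    return [struct.unpack(">H", data[i:i + 2])[0] for i in range(2, 2 + ln, 2)]


def parse_key_share(data):
    """ClientHello key_share body: 2-byte length, then (group, len, share)*."""
    (ln,) = struct.unpack(">H", data[:2])
    if ln != len(data) - 2:
        raise ValueError("bad key_share length")
    pos, out = 2, []
    while pos < len(data):
        group, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        if pos + klen > len(data):
            raise ValueError("truncated key share")
        out.append((group, klen))
        pos += klen
    return out


def classify_pq(extensions):
    """Summarize which hybrid post-quantum group(s) the client offers."""
    groups, shares = [], []
    for etype, edata in extensions:
        if etype == EXT_SUPPORTED_GROUPS:
            groups = parse_supported_groups(edata)
        elif etype == EXT_KEY_SHARE:
            shares = parse_key_share(edata)
    offers_kyber = 0x6399 in groups
    offers_mlkem = 0x11EC in groups
    return {
        "supported_groups": [GROUP_NAMES.get(g, f"0x{g:04x}") for g in groups],
        "key_share_groups": [GROUP_NAMES.get(g, f"0x{g:04x}") for g, _ in shares],
        "offers_kyber_draft": offers_kyber,
        "offers_mlkem": offers_mlkem,
        # A client on the old codepoint alone will fall back to classical-only
        # key exchange against a server that has moved to ML-KEM.
        "needs_migration": offers_kyber and not offers_mlkem,
    }


def build_extensions(groups, shares):
    """Encode constructed supported_groups + key_share extensions (test data)."""
    sg = b"".join(struct.pack(">H", g) for g in groups)
    sg = struct.pack(">H", len(sg)) + sg
    ks = b"".join(struct.pack(">HH", g, len(k)) + k for g, k in shares)
    ks = struct.pack(">H", len(ks)) + ks
    body = (struct.pack(">HH", EXT_SUPPORTED_GROUPS, len(sg)) + sg
            + struct.pack(">HH", EXT_KEY_SHARE, len(ks)) + ks)
    return struct.pack(">H", len(body)) + body


# Constructed samples: placeholder share sizes, not real hybrid public keys.
OLD_CLIENT = build_extensions([0x6399, 0x001D],
                              [(0x6399, b"\x00" * 40), (0x001D, b"\x11" * 32)])
NEW_CLIENT = build_extensions([0x11EC, 0x001D],
                              [(0x11EC, b"\x00" * 40), (0x001D, b"\x11" * 32)])

if __name__ == "__main__":
    for name, raw in (("old client", OLD_CLIENT), ("new client", NEW_CLIENT)):
        print(name, classify_pq(parse_extensions(raw)))
```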

Apple

Apple Charging 20% More To Replace Batteries in iPhone 16 Pro Models (macrumors.com) 39

Apple has increased its out-of-warranty battery replacement fee for iPhone 16 Pro models. From a report: Apple Stores can replace the battery inside an iPhone 16 Pro or iPhone 16 Pro Max for $119 in the U.S., which is up from $99 for the iPhone 15 Pro and iPhone 15 Pro Max. This is a 20% increase to the fee, which includes the cost of a new battery and service by an Apple Store. The fee may vary at third-party Apple Authorized Service Providers. The fee remains $99 for the standard iPhone 16 and iPhone 16 Plus. Customers with AppleCare+ can still get an iPhone 16 Pro battery replaced for free, but only if the battery retains less than 80% of its original capacity.

Apple says all four iPhone 16 models are equipped with larger batteries, and all of the devices received an internal redesign for improved heat dissipation, according to the company. A metal enclosure was rumored for at least some iPhone 16 batteries, but we are still waiting for teardowns to get a proper look inside of the devices.

Microsoft

Microsoft Has Scrapped Edge's Big UI Refresh With Rounded Tabs (windowscentral.com) 53

Microsoft has abandoned plans to overhaul its Edge browser interface, scrapping the design choice unveiled in February 2023. The redesign -- featuring a sleeker look with rounded tab buttons and increased blur effects -- aimed to give Edge a distinct identity as the company pushed into AI services. The new design never officially launched and the company has no intention to launch it later, according to Microsoft-focused news outlet Windows Central.

A Microsoft spokesperson confirmed to Windows Central that the company is moving away from the rounded tabs concept. Some elements of the redesign will remain, including webpage borders and a repositioned user button, but the majority of the proposed changes have been shelved. The decision marks a retreat from Microsoft's efforts to visually differentiate Edge from Google Chrome and align it with Windows 11's design language.
Cloud

Multiple Attacks Force CISA to Order US Agencies to Upgrade or Remove End-of-Life Ivanti Appliance (therecord.media) 20

On Tuesday Ivanti issued a "high severity vulnerability" announcement for version 4.6 of its Cloud Service Appliance (or CSA). "Successful exploitation could lead to unauthorized access to the device running the CSA." And Friday that announcement got an update: Ivanti "has confirmed exploitation of this vulnerability in the wild."

While Ivanti released a security update, they warned that "with the end-of-life status this is the last fix that Ivanti will backport for this version. Customers must upgrade to Ivanti CSA 5.0 for continued support."

This prompted a response from CISA (the Cybersecurity and Infrastructure Security Agency, part of the U.S. Department of Homeland Security). The agency noted that Ivanti is urging customers to upgrade to version 5.0, as "Ivanti no longer supports CSA 4.6 (end-of-life)." But in addition, CISA "ordered all federal civilian agencies to remove CSA 4.6. from service or upgrade to the 5.0. by October 4," reports the Record: Ivanti said users will know they are impacted by exploitation of the bug by looking to see if there are modified or newly added administrative users. They also urged customers to check security alerts if they have certain security tools involved.

The issue arose one day after another Ivanti bug caused alarm among defenders. The company pledged a security overhaul in April after a cascade of headline-grabbing nation-state attacks broke through the systems of government agencies in the U.S. and Europe using vulnerabilities in Ivanti products.

AT&T

17,000 AT&T Workers End the Southeast's Longest Telecommunications Strike After 30 Days (cwa-union.org) 36

For 30 days, 17,000 AT&T workers in nine different states from the CWA union went on strike. As it began one North Carolina newspaper noted some AT&T customers "report prolonged internet outages." Last week an Emory University economist told NPR that "If it wasn't disruptive or it didn't have any kind of negative element towards customers, then AT&T, I suspect, wouldn't feel any kind of pressure to negotiate."

The 30-day strike was "the longest telecommunications strike in the region's history," according to the union — announcing today that they'd now negotiated "strong tentative contract agreements" and that workers would report to work for their scheduled shifts tomorrow. The new contract in the Southeast covers 17,000 workers, including technicians, customer service representatives and others who install, maintain and support AT&T's residential and business wireline telecommunications network in Alabama, Florida, Georgia, Kentucky, Louisiana, Mississippi, North Carolina, South Carolina and Tennessee.

Wages and health care costs were key issues at the bargaining table, and the five-year agreement includes across the board wage increases of 19.33%, with additional 3% increases for Wire Technicians and Utility Operations. The health care agreement holds health care premiums steady in the first year and lowers them in the second and third years, with modest monthly increases in the final two years.

The statement adds that "CWA members and retirees from every region and sector of our union mobilized in support of our bargaining teams, including by distributing flyers with information about the strike at AT&T Wireless stores." CWA District 3 Vice President Richard Honeycutt added "We know that our customers have faced hardship during the strike as well. We are happy to be getting back to work keeping our communities safe and connected."

There's also a separate four-year agreement covering 8,500 AT&T West workers in California and Nevada. "Union members will meet to review the tentative agreements, before holding ratification votes in each region."

AT&T's chief operating officer said the Southeast agreement will "support our competitive position in the broadband industry where we can grow and win against our mostly non-union competitors."
Programming

The Rust Foundation is Reviewing and Improving Rust's Security (i-programmer.info) 22

The Rust foundation is making "considerable progress" on a complete security audit of the Rust ecosystem, according to the coding news site I Programmer, citing a newly-released report from the nonprofit Rust foundation: The foundation is investigating the development of a Public Key Infrastructure (PKI) model for the Rust language, including the design and implementation for a PKI CA and a resilient Quorum model for the project to implement, and the report says that language updates suggested by members of the Project were nearly ready for implementation.

Following the XZ backdoor vulnerability, the Security Initiative has focused on supply chain security, including work on provenance-tracking, verifying that a given crate is actually associated with the repository it claims to be. The top 5,000 crates by download count have been checked and verified.

Threat modeling has now been completed on the crates ecosystem, Rust infrastructure, crates.io and the Rust Project.

Two open source security tools, Painter and Typomania, have been developed and released. Painter can be used to build a graph database of dependencies and invocations between all crates within the crates.io ecosystem, including the ability to obtain 'unsafe' statistics, better call graph pruning, and FFI boundary mapping. Typomania ports typogard to Rust, and can be used to detect potential typosquatting as a reusable library that can be adapted to any registry.

They've also tightened admin privileges for Rust's package registry, according to the article. And "In addition to the work on the Security Initiative, the Foundation has also been working on improving interoperability between Rust and C++, supported by a $1 million contribution from Google."

According to the Rust foundation's technology director, they've made "impressive technical strides and developed new strategies to reinforce the safety, security, and longevity of the Rust programming language." And the director says the new report "paints a clear picture of the impact of our technical projects like the Security Initiative, Safety-Critical Rust Consortium, infrastructure and crates.io support, Interop Initiative, and much more."
Microsoft

Microsoft Axed 650 Gaming Employees Two Days After Hosting 'AI Labor Summit' (geekwire.com) 46

"A two-day AI Labor Summit between AFL-CIO leaders and Microsoft executives this week reflects the tech giant's revamped approach to unions," writes GeekWire, "which includes a pledge by the company to incorporate feedback from labor unions and their members into the development of artificial intelligence."

But just two days later, "Microsoft Gaming CEO Phil Spencer announced it was game over for the jobs of another 650 Microsoft staffers (on top of an earlier 1,900 employee staff reduction)," writes long-time Slashdot reader theodp, "cuts that Spencer made clear were related to Microsoft's $69B acquisition of Activision Blizzard in 2023." Interestingly, Microsoft's Smith in October 2023 affirmed a "groundbreaking neutrality agreement" with the Communications Workers of America union (CWA) — designed to go into effect if Microsoft was successful in its acquisition of Activision Blizzard — in which Microsoft acknowledged the rights of its employees to unionize and pledged to work constructively with any who did. At the same time, Microsoft made it clear that it hoped its employees wouldn't feel the need to form or join unions, saying they would "never need to organize to have a dialogue with Microsoft's leaders."

In July 2023, the AFL-CIO applauded Microsoft's Activision Blizzard acquisition and the Microsoft-CWA agreement, which AFL-CIO union federation president Liz Shuler said "sets a new standard for respecting workers' rights in the video game industry and the larger technology sector." And in December 2023, Shuler thanked Smith for Microsoft's "absolutely historic partnership" on AI and the Future of the Workforce, which Shuler suggested "can be mutually beneficial for workers, for businesses, and for our country as a whole."

Thursday the CWA union issued critical remarks about the layoffs at Microsoft Gaming (which were later retweeted by the @AFLCIO Twitter account).

"While we would hope that a company like Microsoft with $88 billion in profits last year could achieve 'long-term success' without destroying the livelihoods of 650 of our colleagues, heartless layoffs like these have become all too common."
