AI

AI-Assisted Bug Reports Are Seriously Annoying For Developers (theregister.com) 29

Generative AI models like Google Bard and GitHub Copilot are increasingly being used in various industries, but users often overlook their limitations, leading to serious errors and inefficiencies. Daniel Stenberg of curl and libcurl highlights a specific problem of AI-generated security reports: when reports are made to look better and to appear to have a point, it takes a longer time to research and eventually discard it. "Every security report has to have a human spend time to look at it and assess what it means," adds Stenberg. "The better the crap, the longer time and the more energy we have to spend on the report until we close it." The Register reports: The curl project offers a bug bounty to security researchers who find and report legitimate vulnerabilities. According to Stenberg, the program has paid out over $70,000 in rewards to date. Of 415 vulnerability reports received, 64 have been confirmed as security flaws and 77 have been deemed informative -- bugs without obvious security implications. So about 66 percent of the reports have been invalid. The issue for Stenberg is that these reports still need to be investigated and that takes developer time. And while those submitting bug reports have begun using AI tools to accelerate the process of finding supposed bugs and writing up reports, those reviewing bug reports still rely on human review. The result of this asymmetry is more plausible-sounding reports, because chatbot models can produce detailed, readable text without regard to accuracy.

As Stenberg puts it, AI produces better crap. "A crap report does not help the project at all. It instead takes away developer time and energy from something productive. Partly because security work is considered one of the most important areas so it tends to trump almost everything else." As examples, he cites two reports submitted to HackerOne, a vulnerability reporting community. One claimed to describe Curl CVE-2023-38545 prior to actual disclosure. But Stenberg had to post to the forum to make clear that the bug report was bogus. He said that the report, produced with the help of Google Bard, "reeks of typical AI style hallucinations: it mixes and matches facts and details from old security issues, creating and making up something new that has no connection with reality." [...]

Stenberg readily acknowledges that AI assistance can be genuinely helpful. But he argues that having a human in the loop makes the use and outcome of AI tools much better. Even so, he expects the ease and utility of these tools, coupled with the financial incentive of bug bounties, will lead to more shoddy LLM-generated security reports, to the detriment of those on the receiving end.

Security

Law Firm That Handles Data Breaches Was Hit By Data Breach (techcrunch.com) 26

An international law firm that works with companies affected by security incidents has experienced its own cyberattack that exposed the sensitive health information of hundreds of thousands of data breach victims. From a report: San Francisco-based Orrick, Herrington & Sutcliffe said last week that hackers stole the personal information and sensitive health data of more than 637,000 data breach victims from a file share on its network during an intrusion in March 2023. Orrick works with companies that are hit by security incidents, including data breaches, to handle regulatory requirements, such as obtaining victims' information in order to notify state authorities and the individuals affected. In a series of data breach notification letters sent to affected individuals, Orrick said the hackers stole reams of data from its systems that pertain to security incidents at other companies, during which Orrick served as legal counsel.
Businesses

Starbucks Accused of Rigging Payments in App For Nearly $900 Million Gain Over 5 Years by Consumer Watchdog Group (fortune.com) 73

A consumer action group is accusing Starbucks of exploiting customers via its gift card and app payments, forcing them to enter a spending cycle where they will never be able to fully spend the remaining balance of prepaid amounts. From a report: The Washington Consumer Protection Coalition, a self-described "movement of everyday consumers advocating for corporate accountability," is calling on the state attorney general to investigate whether the company's policies violate consumer protection laws.

"Starbucks rigs its payment platform so consumers are encouraged to leave unspent money on their cards and apps," said Chris Carter, campaign manager for the group, in a statement. "A few dollars here and there left on a payment platform may not sound like a lot but it adds up. Over the last five years Starbucks has claimed nearly $900 million in unspent gift card and app money as corporate revenue, boosting corporate profits and inflating executive bonuses."

[...] The group, in a 15-page complaint, alleges the platforms for Starbucks' mobile app and digital payment cards are akin to an "involuntary subscription." Customers can only reload money in $5 increments, with a $10 minimum purchase. That, the group says, prevents customers from ever reaching a zero balance, meaning Starbucks pockets more of the customer's money. The Coalition does concede that customers can reload their accounts in stores for a custom amount of $5 or more, making it easier to hit a zero balance.

IT

LG Develops OLED Monitor That Can Hit 480Hz Refresh Rate (pcmag.com) 95

LG says it developed a 27-inch OLED gaming monitor that can reach an incredibly high 480Hz refresh rate, promising to usher in an "era of OLEDs featuring ultra-high refresh rates." From a report: LG says it achieved the 480Hz rate on a QHD 2,560-by-1,440-resolution display. Other vendors, including Alienware and Asus, have also introduced PC monitors that can hit 500Hz. But they did so using IPS or TN panels at a lower 1920-by-1080 resolution. OLED panels, on the other hand, are known for offering stunning color contrasts, and true blacks, resulting in top-notch picture quality.

The 480Hz refresh rate will be overkill for the average gamer. But the ultra-high refresh rate could appeal to competitive players, where latency and smooth gameplay matters. LG adds that the 27-inch OLED monitor features a 0.03-millisecond response time. The OLED panel should also be easier on the eyes during long playthroughs. "The company's Gaming OLEDs emit the lowest level of blue light in the industry and approximately half the amount emitted by premium LCDs," LG says. "This reduction in blue light not only minimizes eye fatigue but also eliminates flickers, providing gamers with more comfortable and enjoyable gaming sessions."

Security

Museum World Hit by Cyberattack on Widely Used Software (nytimes.com) 7

Several prominent museums have been unable to display their collections online since a cyberattack hit a prominent technological service provider that helps hundreds of cultural organizations show their works digitally and manage internal documents. From a report: The Museum of Fine Arts Boston, the Rubin Museum of Art in New York and the Crystal Bridges Museum of American Art in Arkansas were among the institutions confirming that their systems have experienced outages in recent days. The service provider, Gallery Systems, said in a recent message to clients, which was obtained by The New York Times, that it had noticed a problem on Dec. 28, when computers running its software became encrypted and could no longer operate.

"We immediately took steps to isolate those systems and implemented measures to prevent additional systems from being affected, including taking systems offline as a precaution," the company said in the message. "We also launched an investigation and third-party cybersecurity experts were engaged to assist. In addition, we notified law enforcement." Signs of disruption were evident on several museum websites because eMuseum, a tool that usually lets visitors search online collections, was down. There was also disruption behind the scenes: Some curators said that they had returned from their winter vacations to find themselves unable to access sensitive information from another Gallery Systems program called TMS. That system can include the names of donors, loan agreements, provenance records, shipping information and storage locations of priceless artworks.

Microsoft

Microsoft Adding New Key To PC Keyboards For First Time Since 1994 (arstechnica.com) 130

Microsoft is adding a dedicated "Copilot" key to PC keyboards, adjusting the standard Windows layout for the first time since 1994. The key will open its AI assistant Copilot on Windows 10 and 11. On Copilot-enabled PCs, users can already invoke Copilot by pressing Windows+C. On other PCs, the key will open Search instead. ArsTechnica adds: A quick Microsoft demo video shows the Copilot key in between the cluster of arrow keys and the right Alt button, a place where many keyboards usually put a menu button, a right Ctrl key, another Windows key, or something similar. The exact positioning, and the key being replaced, may vary depending on the size and layout of the keyboard.

We asked Microsoft if a Copilot key would be required on OEM PCs going forward; the company told us that the key isn't mandatory now, but that it expects Copilot keys to be required on Windows 11 keyboards "over time." Microsoft often imposes some additional hardware requirements on major PC makers that sell Windows on their devices, beyond what is strictly necessary to run Windows itself.

Privacy

23andMe Tells Victims It's Their Fault Data Was Breached (techcrunch.com) 95

An anonymous reader quotes a report from TechCrunch: Facing more than 30 lawsuits from victims of its massive data breach, 23andMe is now deflecting the blame to the victims themselves in an attempt to absolve itself from any responsibility, according to a letter sent to a group of victims seen by TechCrunch. "Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events," Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told TechCrunch in an email.

In December, 23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users, nearly half of all its customers. The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers, a technique known as credential stuffing. From these 14,000 initial victims, however, the hackers were able to then access the personal data of the other 6.9 million victims because they had opted in to 23andMe's DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform. In other words, by hacking into only 14,000 customers' accounts, the hackers subsequently scraped personal data of another 6.9 million customers whose accounts were not directly hacked.

But in a letter sent to a group of hundreds of 23andMe users who are now suing the company, 23andMe said that "users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe." "Therefore, the incident was not a result of 23andMe's alleged failure to maintain reasonable security measures," the letter reads. [...] 23andMe's lawyers argued that the stolen data cannot be used to inflict monetary damage against the victims. "The information that was potentially accessed cannot be used for any harm. As explained in the October 6, 2023 blog post, the profile information that may have been accessed related to the DNA Relatives feature, which a customer creates and chooses to share with other users on 23andMe's platform. Such information would only be available if plaintiffs affirmatively elected to share this information with other users via the DNA Relatives feature. Additionally, the information that the unauthorized actor potentially obtained about plaintiffs could not have been used to cause pecuniary harm (it did not include their social security number, driver's license number, or any payment or financial information)," the letter read.
"This finger pointing is nonsensical," said Zavareei. "23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing -- especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform."

"The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe's platform, not because they used recycled passwords," added Zavareei. "Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe's attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever."
Security

LastPass Now Requires 12-Character Master Passwords (bleepingcomputer.com) 31

LastPass notified customers today that they are now required to use complex master passwords with a minimum of 12 characters to increase their accounts' security. From a report: Even though LastPass has repeatedly said that there is a 12-character master password requirement since 2018, users have had the ability to use a weaker one. "Historically, while a 12-character master password has been LastPass' default setting since 2018, customers still had the ability to forego the recommended default settings and choose to create a master password with fewer characters, if they wished to do so," LastPass said in a new announcement today.

LastPass has begun enforcing a 12-character master password requirement since April 2023 for new accounts or password resets, but older accounts could still use passwords with fewer than 12 characters. Starting this month, LastPass is now enforcing the 12-character master password requirement for all accounts. Furthermore, LastPass added that it will also start checking new or updated master passwords against a database of credentials previously leaked on the dark web to ensure that they don't match already compromised accounts.
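The two checks LastPass describes above, a minimum length and a lookup against a corpus of previously leaked credentials, are simple to express as a policy function. The example below is added for this summary and is not LastPass code; it assumes the leaked corpus is held as SHA-1 digests and queried by hash prefix (the k-anonymity style used by public breached-password services), and the three "breached" passwords in it are constructed samples, not a real leak.

```python
import hashlib
from dataclasses import dataclass, field

MIN_LENGTH = 12  # the minimum the article reports LastPass now enforces

# Constructed sample corpus (not a real leak), stored as upper-case SHA-1 hex digests
# so the policy checker never needs the plaintexts beside it.
_SAMPLE_BREACHED_PLAINTEXTS = ["password12345", "correcthorsebattery", "Summer2023!!!!"]
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _SAMPLE_BREACHED_PLAINTEXTS
}


def breached_range(prefix):
    """Return the digest suffixes in the corpus whose SHA-1 starts with the 5-char prefix.

    This mirrors a k-anonymity range query: the caller reveals only the prefix and
    compares the suffix locally, so the candidate password is never sent in full.
    """
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


@dataclass
class PolicyResult:
    ok: bool
    reasons: list = field(default_factory=list)


def check_master_password(candidate):
    """Apply the length rule and the breached-corpus rule; collect every failure reason."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    if suffix in breached_range(prefix):
        reasons.append("found in breached-credential corpus")

    return PolicyResult(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    for pw in ["short", "correcthorsebattery", "Tr0ub4dor&3-longer-phrase"]:
        print(pw, check_master_password(pw))
```

Note that a long password can still fail: `correcthorsebattery` clears the 12-character bar but is rejected because it sits in the corpus, which is exactly the case the second LastPass check is there to catch.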

Security

Google Password Resets Not Enough To Stop These Info-Stealing Malware Strains (theregister.com) 13

Security researchers say info-stealing malware can still access victims' compromised Google accounts even after passwords have been changed. From a report: A zero-day exploit of Google account security was first teased by a cybercriminal known as "PRISMA" in October 2023, boasting that the technique could be used to log back into a victim's account even after the password is changed. It can also be used to generate new session tokens to regain access to victims' emails, cloud storage, and more as necessary. Since then, developers of infostealer malware -- primarily targeting Windows, it seems -- have steadily implemented the exploit in their code. The total number of known malware families that abuse the vulnerability stands at six, including Lumma and Rhadamanthys, while Eternity Stealer is also working on an update to release in the near future.

Eggheads at CloudSEK say they found the root of the exploit to be in the undocumented Google OAuth endpoint "MultiLogin." The exploit revolves around stealing victims' session tokens. That is to say, malware first infects a person's PC -- typically via a malicious spam or a dodgy download, etc -- and then scours the machine for, among other things, web browser session cookies that can be used to log into accounts.

Games

Steam Has Stopped Supporting Windows 7, Windows 8, and Windows 8.1 (theverge.com) 169

Steam: As of January 1 2024, Steam has officially stopped supporting the Windows 7, Windows 8 and Windows 8.1 operating systems. After that date, existing Steam Client installations on these operating systems will no longer receive updates of any kind including security updates. Steam Support will be unable to offer users technical support for issues related to the old operating systems, and Steam will be unable to guarantee continued functionality of Steam on the unsupported operating system versions.

In order to ensure continued operation of Steam and any games or other products purchased through Steam, users should update to a more recent version of Windows. We expect the Steam client and games on these older operating systems to continue running for some time without updates after January 1st, 2024, but we are unable to guarantee continued functionality after that date.
The Verge adds: 95.57 percent of surveyed Steam users are already on Windows 10 and 11, with nearly 2 percent of the remainder on Linux and 1.5 percent on Mac -- so we may be talking about fewer than 1 percent of users on these older Windows builds. Older versions of MacOS will also lose support on February 15th, just a month and a half from now.
Stats

The Wealthiest Californians are Leaving the State, Hurting the Economy, Statistics Confirm 221

"For several years, thousands more high-earning, well-educated workers have left California than have moved in," reports the Los Angeles Times: Even though California has experienced lopsided out-migration for decades, the financial blow has been cushioned by the kinds of people moving into the state: The newcomers were generally better educated and earned more money than those who left. Not now: That long-standing trend has reversed...

The reversal, largely in response to the state's high taxes and soaring cost of living, has begun to damage California's overall economy. And, by cutting into tax revenues, has delivered punishing blows to state and local governments. State budget analysts recently projected a record $68 billion deficit in the next fiscal year because of a 25% drop in personal income tax collection in 2023. Some city, county and other local taxing authorities, particularly in the San Francisco Bay Area, have also recorded revenue declines. With investors and high-income taxpayers receiving substantial compensation in the form of stocks, last year's sluggish stock market accounted for a major share of the decline in state income tax revenues. So did layoffs and financial weakness in the tech sector. But rising unemployment in the state and the growing flight of professionals, business operators and others making good salaries were also notable contributors. And those factors will be harder to reverse, at least in the foreseeable future.

"There's a price to pay for the movement of middle- and upper-income people and corporations," said Joel Kotkin, a fellow at Chapman University who has researched the flight from California and the resulting threat to the state's fiscal outlook. "People who are leaving are taking their tax dollars with them."

The accelerating exodus from California in recent years, of both companies and people, has been well documented. The pandemic-induced rise in remote work, inflated housing prices and changing social conditions have spurred more Californians to pull up stakes... Moody's Analytics economist Mark Zandi analyzed moves in and out of California for The Times using Equifax credit data, to zero in on the age of the movers. He found that since the pandemic in early 2020, California has lost residents in every age group, but by a significant margin the biggest net out-migration came from those 35 to 44 years old. "This is probably motivated by the severe housing affordability crisis in California," Zandi said. "It's all but impossible for them to become homeowners in the state."

Eric McGhee, a senior fellow at the Public Policy Institute of California, who has written about demographic trends in migration, thinks the increased loss of higher-educated Californians to other states in recent years can be traced in significant part to the rise of remote work since the pandemic. As more employers call workers back to the office, and the share of fully remote work appears to have settled at around 10% of all employees, McGhee expects the net out-migration from California to slow...

Even if the outflow of residents reverts to pre-pandemic levels, the broader economic climate doesn't bode well for the state's budget and economic outlook, at least in the immediate future. The U.S. economy is slowing, and California's economy is decelerating faster than the nation's, with the state's unemployment rate, most recently at 4.8%, already a full point higher than nationwide.

The article clarifies that "it's not just the sheer numbers of people who have left. What's different is that in each of the prior two years, more than 250,000 Californians with at least a bachelor's degree moved out, while an average of 175,000 college graduates from other states settled in California, according to an analysis of census data by William Frey, a demographer at the Brookings Institution. In prior periods over the last two decades, that balance was about even or slightly in California's favor."

And besides billionaires, "There's been a broader exodus of ordinary Californians in the upper-income spectrum as well. In the tax filing years 2020 and 2021, the average gross income of taxpayers who had moved from California to another state was about $137,000. That was up from $75,000 in 2015 and 2016, according to migration and personal income data from the Internal Revenue Service."
Security

Amnesty International Confirms Apple's Warning to Journalists About Spyware-Infected iPhones (techcrunch.com) 75

TechCrunch reports: Apple's warnings in late October that Indian journalists and opposition figures may have been targeted by state-sponsored attacks prompted a forceful counterattack from Prime Minister Narendra Modi's government. Officials publicly doubted Apple's findings and announced a probe into device security.

India has never confirmed nor denied using the Pegasus tool, but nonprofit advocacy group Amnesty International reported Thursday that it found NSO Group's invasive spyware on the iPhones of prominent journalists in India, lending more credibility to Apple's early warnings. "Our latest findings show that increasingly, journalists in India face the threat of unlawful surveillance simply for doing their jobs, alongside other tools of repression including imprisonment under draconian laws, smear campaigns, harassment, and intimidation," said Donncha Ó Cearbhaill, head of Amnesty International's Security Lab, in the blog post.

Cloud security company Lookout has also published "an in-depth technical look" at Pegasus, calling its use "a targeted espionage attack being actively leveraged against an undetermined number of mobile users around the world." It uses sophisticated function hooking to subvert OS- and application-layer security in voice/audio calls and apps including Gmail, Facebook, WhatsApp, Facetime, Viber, WeChat, Telegram, Apple's built-in messaging and email apps, and others. It steals the victim's contact list and GPS location, as well as personal, Wi-Fi, and router passwords stored on the device...

According to news reports, NSO Group sells weaponized software that targets mobile phones to governments and has been operating since 2010, according to its LinkedIn page. The Pegasus spyware has existed for a significant amount of time, and is advertised and sold for use on high-value targets for multiple purposes, including high-level espionage on iOS, Android, and Blackberry.

Thanks to Slashdot reader Mirnotoriety for sharing the news.
IT

Is 'Work From Home' Here to Stay After 2023? (usatoday.com) 163

"Remote-work numbers have dwindled over the past few years as employers issue return-to-office mandates," reports USA Today. "But will that continue in 2024?" The numbers started to slide after spring 2020, when more than 60% of days were worked from home, according to data from WFH Research, a scholarly data collection project. By 2023, that number had dropped to about 25% -- much lower than its peak but still a fivefold increase from 5% in 2019. But work-from-home numbers have held steady throughout most of 2023. And according to remote-work experts, they're expected to rebound in the years to come as companies adjust to work-from-home trends. "Return-to-office died in '23," said Nick Bloom, an economics professor at Stanford University and work-from-home expert. "There's a tombstone with 'RTO' on it...."

Though a number of companies issued return-to-work mandates this year, most are allowing employees to work from home at least part of the week. That makes 2024 the year for employers to figure out the hybrid model. "We're never going to go back to a five-days-in-the-office policy," said Stephan Meier, professor of business at Columbia University. "Some employers are going to force people to come back, but I think over the next year, more and more firms will actually figure out how to manage hybrid well." Thirty-eight percent of companies require full-time in-office work, down from 39% one quarter ago and 49% at the start of the year, according to software firm Scoop Technologies...

[Stanford economics professor] Bloom called remote-work numbers in 2023 "pancake-flat." Yes, large companies like Meta and Zoom made headlines by ordering workers back to the office. But, Bloom said, just as many other companies were quietly reducing office attendance to cut costs.

Bloom thinks holograms and VR devices are possible within five years. "In the long run, the thing that really matters is technology."

One paper estimates that currently 37% of America's jobs can be done entirely at home, according to the article, and ZipRecruiter's chief economist seems to agree, predicting as much as 33% of America's work days will eventually be completed from home. "I think the numbers will gradually go up as this becomes more of an accepted norm as future generations grow up with it being so widely available, and as the technology for doing it gets better."

And the article notes that the ZipRecruiter economist sees another factor fueling the trend. "Reluctant leaders aging out of the workforce will help, too, she said."
Microsoft

Microsoft Disables MSIX Protocol Handler Abused in Malware Attacks (bleepingcomputer.com) 11

Microsoft has again disabled the MSIX ms-appinstaller protocol handler after multiple financially motivated threat groups abused it to infect Windows users with malware. From a report: The attackers exploited the CVE-2021-43890 Windows AppX Installer spoofing vulnerability to circumvent security measures that would otherwise protect Windows users from malware, such as the Defender SmartScreen anti-phishing and anti-malware component and built-in browser alerts cautioning users against executable file downloads.

Microsoft says the threat actors use both malicious advertisements for popular software and Microsoft Teams phishing messages to push signed malicious MSIX application packages. "Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme (App Installer) to distribute malware," the company said.

IT

LG is Bringing a 4K Projector With a Weird Handle To CES 2024 (yahoo.com) 55

LG just announced its latest 4K projector, the CineBeam Qube. It'll officially unveil the projector at CES 2024 in early January, but the company's giving curious consumers an early look. From a report: The CineBeam Qube has plenty of high-tech bells and whistles, but with a stylish design that LG calls "minimalist." There's also a handle that resembles a crank. Yeah this thing has an actual handle. The CineBeam Qube is built for portability. It's lightweight, at around three pounds, and the square form factor makes it easy to place just about anywhere. The 360-degree rotatable handle also helps with placement. LG's calling it "one of the smallest projectors available."

Of course, the most important part of any projector is, well, the projection. The Qube projects 4K UHD (3,840 x 2,160) resolution images that measure up to 120 inches. There's an RGB laser light source, a 450,000:1 contrast ratio and 154 percent coverage of the DCI-P3 color gamut. With these specs, that episode of Reacher will really pop. Speaking of streaming content, the projector runs on LG webOS 6.0 and offers access to all of the big streaming services, including Prime Video, Disney+, Netflix and YouTube.

United States

Boeing Urges Airlines To Inspect 787 Max Planes For Possible Loose Bolts (thehill.com) 38

Boeing instructed customer airlines to inspect their 787 Max jets for loose bolts, the Federal Aviation Administration (FAA) announced this week. From a report: The request comes after the manufacturer discovered two aircraft with missing bolts in the rudder control system, raising concerns about faults across all aircraft. "The issue identified on the particular airplane has been remedied," Boeing told CNN in a statement. "Out of an abundance of caution, we are recommending operators inspect their 737 Max airplanes and inform us of any findings." The inspection request entails a two-hour probe of the aircraft's safety-critical parts for each of the approximately 1,300 787 Max jets in service, the FAA said.
IT

Fake Plane Parts Scandal Shows Peril of Antiquated Paper System (bloomberg.com) 39

After falsified records for spare aircraft parts set off a frantic global search for suspect pieces, the aviation industry now faces another daunting task: adapting the archaic paperwork for 100 million components to the digital age. From a report: Since the middle of the year, maintenance shops and aerospace manufacturers have found thousands of engine parts with falsified records linked to a distributor called AOG Technics. Airlines from China to the US and Europe have had to pull planes from service and extract the dubious components, leaving jets grounded and racking up millions of dollars in costs.

The episode has prodded carriers and maintenance shops to bolster scrutiny of their vendors and the parts they receive. And it's given fresh weight to an ongoing push to digitize the paper-based records still prevalent in the industry to document the lifespan of every piece of an aircraft from the time that it's made to when it lands in a scrap heap. But any structural reforms to thwart would-be copycats of the scheme of which AOG is suspected are likely years away. The industry is accustomed to following standardized methods and only making fundamental changes after a detailed and often lengthy examination of potential safety risks -- and costs.

Security

Cyberattack Targets Albanian Parliament's Data System, Halting Its Work (securityweek.com) 2

An anonymous reader quotes a report from SecurityWeek: Albania's Parliament said on Tuesday that it had suffered a cyberattack with hackers trying to get into its data system, resulting in a temporary halt in its services. A statement said Monday's cyberattack had not "touched the data of the system," adding that experts were working to discover what consequences the attack could have. It said the system's services would resume at a later time. Local media reported that a cellphone provider and an air flight company were also targeted by Monday's cyberattacks, allegedly from Iranian-based hackers called Homeland Justice, which could not be verified independently.

Albania suffered a cyberattack in July 2022 that the government and multinational technology companies blamed on the Iranian Foreign Ministry. Believed to be in retaliation for Albania sheltering members of the Iranian opposition group Mujahedeen-e-Khalq, or MEK, the attack led the government to cut diplomatic relations with Iran two months later. The Iranian Foreign Ministry denied Tehran was behind an attack on Albanian government websites and noted that Iran has suffered cyberattacks from the MEK. In June, Albanian authorities raided a camp for exiled MEK members to seize computer devices allegedly linked to prohibited political activities. [...] In a statement sent later Tuesday to The Associated Press, MEK's media spokesperson Ali Safavi claimed the reported cyberattacks in Albania "are not related to the presence or activities" of MEK members in the country.

Google

Google Agrees To Settle Chrome Incognito Mode Class Action Lawsuit (arstechnica.com) 22

Google has indicated that it is ready to settle a class-action lawsuit filed in 2020 over its Chrome browser's Incognito mode. From a report: Arising in the Northern District of California, the lawsuit accused Google of continuing to "track, collect, and identify [users'] browsing data in real time" even when they had opened a new Incognito window. The lawsuit, filed by Florida resident William Byatt and California residents Chasom Brown and Maria Nguyen, accused Google of violating wiretap laws.

It also alleged that sites using Google Analytics or Ad Manager collected information from browsers in Incognito mode, including web page content, device data, and IP address. The plaintiffs also accused Google of taking Chrome users' private browsing activity and then associating it with their already-existing user profiles. Google initially attempted to have the lawsuit dismissed by pointing to the message displayed when users turned on Chrome's incognito mode. That warning tells users that their activity "might still be visible to websites you visit."

Iphone

4-Year Campaign Backdoored iPhones Using Possibly the Most Advanced Exploit Ever (arstechnica.com) 57

Researchers on Wednesday presented intriguing new findings surrounding an attack that over four years backdoored dozens if not thousands of iPhones, many of which belonged to employees of Moscow-based security firm Kaspersky. Chief among the discoveries: the unknown attackers were able to achieve an unprecedented level of access by exploiting a vulnerability in an undocumented hardware feature that few if any outside of Apple and chip suppliers such as ARM Holdings knew of. ArsTechnica: "The exploit's sophistication and the feature's obscurity suggest the attackers had advanced technical capabilities," Kaspersky researcher Boris Larin wrote in an email. "Our analysis hasn't revealed how they became aware of this feature, but we're exploring all possibilities, including accidental disclosure in past firmware or source code releases. They may also have stumbled upon it through hardware reverse engineering."

Other questions remain unanswered, wrote Larin, even after about 12 months of intensive investigation. Besides how the attackers learned of the hardware feature, the researchers still don't know what, precisely, its purpose is. Also unknown is if the feature is a native part of the iPhone or enabled by a third-party hardware component such as ARM's CoreSight. The mass backdooring campaign, which according to Russian government officials also infected the iPhones of thousands of people working inside diplomatic missions and embassies in Russia, came to light in June. Over a span of at least four years, Kaspersky said, the infections were delivered in iMessage texts that installed malware through a complex exploit chain without requiring the receiver to take any action. With that, the devices were infected with full-featured spyware that, among other things, transmitted microphone recordings, photos, geolocation, and other sensitive data to attacker-controlled servers. Although infections didn't survive a reboot, the unknown attackers kept their campaign alive simply by sending devices a new malicious iMessage text shortly after devices were restarted.
