Firefox

Windows Defender Finally Squashes Firefox Bug That Ate CPUs For 5 Years (pcworld.com) 85

An anonymous reader shares a report: Firefox has a reputation of being something of a resource hog, even among modern browsers. But it might not be entirely earned, because it looks like a CPU bug affecting Firefox users on Windows was actually the fault of Windows Defender. The latest update to the ubiquitous security tool addresses the issue, and should result in measurably lower CPU usage for the Windows version of Firefox. According to Mozilla senior software engineer Yannis Juglaret, the culprit was MsMpEng.exe, which you might recognize from your Task Manager. It handles the Real-Time protection feature that monitors web activity for malicious threats.

The bug was causing Firefox to call on the service much more frequently than comparable browsers like Chrome or Edge, resulting in notable CPU spikes. Said CPU spikes could reduce performance in other applications or affect a laptop's battery life. The issue was first reported on Mozilla's bug tracker system way back in 2018 and quickly assigned to the MsMpEng service, but some more recent and diligent documentation on the part of Juglaret resulted in more swift action from Microsoft's developers.

IT

The Problem With Weather Apps (theatlantic.com) 57

An anonymous reader shares a report: Weather apps are not all the same. There are tens of thousands of them, from the simply designed Apple Weather to the expensive, complex, data-rich Windy.App. But all of these forecasts are working off of similar data, which are pulled from places such as the National Oceanic and Atmospheric Administration (NOAA) and the European Centre for Medium-Range Weather Forecasts. Traditional meteorologists interpret these models based on their training as well as their gut instinct and past regional weather patterns, and different weather apps and services tend to use their own secret sauce of algorithms to divine their predictions. On an average day, you're probably going to see a similar forecast from app to app and on television. But when it comes to how people feel about weather apps, these edge cases -- which usually take place during severe weather events -- are what stick in a person's mind. "Eighty percent of the year, a weather app is going to work fine," Matt Lanza, a forecaster who runs Houston's Space City Weather, told me. "But it's that 20 percent where people get burned that's a problem."

No people on the planet have a more tortured and conflicted relationship with weather apps than those who interpret forecasting models for a living. "My wife is married to a meteorologist, and she will straight up question me if her favorite weather app says something different than my forecast," Lanza told me. "That's how ingrained these services have become in most peoples' lives." The basic issue with weather apps, he argues, is that many of them remove a crucial component of a good, reliable forecast: a human interpreter who can relay caveats about models or offer a range of outcomes instead of a definitive forecast. [...] What people seem to be looking for in a weather app is something they can justify blindly trusting and letting into their lives -- after all, it's often the first thing you check when you roll over in bed in the morning. According to the 56,400 ratings of Carrot in Apple's App Store, its die-hard fans find the app entertaining and even endearing. "Love my psychotic, yet surprisingly accurate weather app," one five-star review reads. Although many people need reliable forecasting, true loyalty comes from a weather app that makes people feel good when they open it.

Security

Mercenary Spyware Hacked iPhone Victims With Rogue Calendar Invites, Researchers Say (techcrunch.com) 10

Hackers using spyware made by a little known cyber mercenary company used malicious calendar invites to hack the iPhones of journalists, political opposition figures, and an NGO worker, according to two reports. From a report: Researchers at Microsoft and the digital rights group Citizen Lab analyzed samples of malware they say was created by QuaDream, an Israeli spyware maker that has been reported to develop zero-click exploits -- meaning hacking tools that don't require the target to click on malicious links -- for iPhones. QuaDream has been able to mostly fly under the radar until recently. In 2021, Israeli newspaper Haaretz reported that QuaDream sold its wares to Saudi Arabia. The next year, Reuters reported that QuaDream sold an exploit to hack iPhones that was similar to one provided by NSO Group, and that the company doesn't operate the spyware, its government customers do -- a common practice in the surveillance tech industry.

QuaDream's customers operated servers from several countries around the world: Bulgaria, Czech Republic, Hungary, Romania, Ghana, Israel, Mexico, Singapore, United Arab Emirates (UAE), and Uzbekistan, according to internet scans done by Citizen Lab. Both Citizen Lab and Microsoft published groundbreaking new technical reports on QuaDream's alleged spyware on Tuesday. Microsoft said it found the original malware samples, and then shared them with Citizen Lab's researchers, who were able to identify more than five victims -- an NGO worker, politicians, and journalists -- whose iPhones were hacked. The exploit used to hack those targets was developed for iOS 14, and at the time was unpatched and unknown to Apple, making it a so-called zero-day. The government hackers who were equipped with QuaDream's exploit used malicious calendar invites with dates in the past to deliver the malware, according to Citizen Lab.

Android

How Much To Infect Android Phones Via Google Play Store? How About $20K (theregister.com) 13

If you want to sneak malware onto people's Android devices via the official Google Play store, it may cost you about $20,000 to do so, Kaspersky suggests. The Register reports: This comes after the Russian infosec outfit studied nine dark-web markets between 2019 and 2023, and found a slew of code and services for sale to infect and hijack the phones and tablets of Google Play users. Before cybercriminals can share their malicious apps from Google's official store, they'll need a Play developer account, and Kaspersky says those sell for between $60 and $200 each. Once someone's bought one of these accounts, they'll be encouraged to use something called a loader.

Uploading straight-up spyware to the Play store for people to download and install may attract Google's attention, and cause the app and developer account to be thrown out. A loader will attempt to avoid that: it's software a criminal can hide in their otherwise innocent legit-looking app, installed from the official store, and at some convenient point, the loader will fetch and apply an update for the app that contains malicious code that does stuff like steal data or commit fraud. That update may ask for extra permissions to access the victim's files, and may need to be pulled from an unofficial store with the victim's blessing; it depends on the set up. The app may refuse to work as normal until the loader is allowed to do its thing, convincing marks into opening up their devices to crooks. These tools are more pricey, ranging from $2,000 to $20,000, depending on the complexity and capabilities required.

Would-be crims who don't want to pay thousands for a loader can pay substantially less -- between $50 and $100 -- for a binding service, which hides a malicious APK file in a legitimate application. However, these have lower successful install rates compared to loaders, so even in the criminal underground you get what you pay for. Some other illicit services offered for sale on these forums include virtual private servers ($300), which allow attackers to redirect traffic or control infected devices, and web injectors ($25 to $80) that look out for victims' visiting selected websites on their infected devices and replacing those pages with malicious ones that steal login info or similar. Criminals can pay for obfuscation of their malware, and they may even get a better price if they buy a package deal. "One of the sellers offers obfuscation of 50 files for $440, while the cost of processing only one file by the same provider is about $30," Team Kaspersky says. Additionally, to increase the number of downloads to a malicious app, thus making it more attractive to other mobile users, attackers can buy installs for 10 cents to $1 apiece.
Kaspersky's report can be found here.

Security

FBI Warns Against Using Public Phone Charging Stations (cnbc.com) 80

The FBI recently warned consumers against using free public charging stations, saying crooks have managed to hijack public chargers that can infect devices with malware, or software that can give hackers access to your phone, tablet or computer. From a report: "Avoid using free charging stations in airports, hotels or shopping centers," a tweet from the FBI's Denver field office said. "Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead." The FBI offers similar guidance on its website to avoid public chargers.

GNU is Not Unix

Libreboot Founder's 'Minifree' Sells Free-Software Laptops with Libreboot Preinstalled (minifree.org) 20

Slashdot reader unixbhaskar writes: A company in the U.K. calling itself Minifree has started to ship old ThinkPads (specifically the X series and T series models) with Libreboot firmware, which is based on coreboot firmware.
More specifically, Libreboot is the free-as-in-speech replacement for proprietary BIOS/UEFI firmware, the site notes, "offering faster boot speeds, better security and many advanced features compared to most proprietary boot firmware." Those advanced features include the GNU project's multiple-OS-booting "grand unified bootloader" GNU GRUB directly in the boot flash, along with several other customization options. "The aim is simple: make it easy to have a computer that was made to run entirely on Free Software at every level, meaning no proprietary software of any kind. That includes the boot firmware, operating system, drivers and applications."

The Libreboot project's founder is also the founder of Minifree, and the profits from Minifree's sales directly fund the Libreboot project. (The whole Minifree web site runs on Libreboot-powered servers, on a network behind a Libreboot-powered router...) Their site points out that Minifree Ltd has also privately funded several new board ports to coreboot, including 90,000 USD to Raptor Engineering for ASUS KGPE-D16 and KCMA-D8 libreboot support, and 4000 AUD to Damien Zammit for Gigabyte GA-G41M-ES2L and Intel D510MO libreboot support.

The installed OS on the laptops is either encrypted Debian (KDE Plasma desktop environment), with full driver support, or "other Linux distro/BSD (e.g. OpenBSD, FreeBSD) at your request... Advanced features like encrypted /boot (GNU+Linux only), signed kernels and more are available." And the laptops are also shipped — worldwide — with "your choice of 480/960GB SSD or 2x480GB/2x960GB RAID1 SSDs, with good batteries and 16GB RAM. Free technical support via email/IRC plus 5-year warranty."

But judging by their FAQ, the support is even more extensive. "If you brick your Minifree laptop when updating Libreboot, Minifree will unbrick it for free if you send it back to us. Even if your warranty has expired! However, such bricking is rare."

Iphone

Texas Dad Says 'Find My iPhone' Glitch is Directing Angry Strangers to his Home (abc13.com) 161

An anonymous reader shares a report from the New York Post: A supposed glitch in the popular "Find My iPhone" app has been directing random strangers to the home of an unsuspecting Texas dad at all hours of the day, falsely accusing him of stealing their electronic devices.

[Software engineer] Scott Schuster told the local news station KTRK that he's been visited by close to a dozen irate people over the past few years, telling him that their missing phone had last pinged at his address. "[I] had to wake up and go answer the door and explain to them that I didn't have their device, and people don't tend to believe you," the dad of two told the outlet.

The Texas resident tells KTRK that his biggest concern was "someone coming to the house potentially with a weapon."

And the same station reports that local sheriff Eric Fagan "said he was so shocked and concerned that he informed his patrol units and dispatchers, just in case anyone called about the address." "Apple needs to do more about this," Fagan said. "Please come out and check on this. This is your expertise. Mine is criminal and keeping our public safe here in Fort Bend County." Fagan added that Apple doing nothing puts a family's safety in jeopardy. "I would ask them to come out and see what they can do. It should be taken seriously. You are putting innocent lives at risk," he said....

There have been other high-profile device pinging errors elsewhere in the country, with at least one that brought armored vehicles to a neighborhood. In 2021, body camera footage captured a Denver police SWAT team raiding the home of a 77-year-old woman in Colorado over a false ping on the app. Denver officers believed she had stolen guns connected to a car theft after tracking a stolen iPhone to her address using the Find My app. That woman later sued the lead detective.

ABC13 has tried contacting the software giant since Tuesday. Someone called back, so we know they are aware of the incident. Still, no one has said if they are going to fix the issue, or at the very least, look into the matter.

Security

Crooks Are Using CAN Injection Attacks To Steal Cars (theregister.com) 47

"Thieves have discovered new ways to steal cars by pulling off smart devices (like smart headlights) to get at and attack via the Controller Area Network (CAN) bus," writes longtime Slashdot reader KindMind. The Register reports: A Controller Area Network (CAN) bus is present in nearly all modern cars, and is used by microcontrollers and other devices to talk to each other within the vehicle and carry out the work they are supposed to do. In a CAN injection attack, thieves access the network, and introduce bogus messages as if it were from the car's smart key receiver. These messages effectively cause the security system to unlock the vehicle and disable the engine immobilizer, allowing it to be stolen. To gain this network access, the crooks can, for instance, break open a headlamp and use its connection to the bus to send messages. From that point, they can simply manipulate other devices to steal the vehicle.

"In most cars on the road today, these internal messages aren't protected: the receivers simply trust them," [Ken Tindell, CTO of Canis Automotive Labs] detailed in a technical write-up this week. The discovery followed an investigation by Ian Tabor, a cybersecurity researcher and automotive engineering consultant working for EDAG Engineering Group. It was driven by the theft of Tabor's RAV4. Leading up to the crime, Tabor noticed the front bumper and arch rim had been pulled off by someone, and the headlight wiring plug removed. The surrounding area was scuffed with screwdriver markings, which, together with the fact the damage was on the kerbside, seemed to rule out damage caused by a passing vehicle. More vandalism was later done to the car: gashes in the paint work, molding clips removed, and malfunctioning headlamps. A few days later, the Toyota was stolen.

Refusing to take the pilfering lying down, Tabor used his experience to try to figure out how the thieves had done the job. The MyT app from Toyota -- which among other things allows you to inspect the data logs of your vehicle -- helped out. It provided evidence that Electronic Control Units (ECUs) in the RAV4 had detected malfunctions, logged as Diagnostic Trouble Codes (DTCs), before the theft. According to Tindell, "Ian's car dropped a lot of DTCs." Various systems had seemingly failed or suffered faults, including the front cameras and the hybrid engine control system. With some further analysis it became clear the ECUs probably hadn't failed, but communication between them had been lost or disrupted. The common factor was the CAN bus.

XBox (Games)

Microsoft Crackdown Disables Emulators Downloaded To Xbox Consoles 50

An anonymous reader shares a report: Back in 2020, we reported that emulator developers were using a hole in the Xbox Store's app distribution system to get around Microsoft's longstanding ban on emulators running on Xbox consoles. This week, though, many of the emulators that were distributed through that workaround have stopped working, the apparent victims of a new crackdown by Microsoft. Xbox emulator makers and users can't say they weren't warned. In the "Gaming and Xbox" section of Microsoft's official Store Policies, section 10.13.10 clearly states that "products that emulate a game system or game platform are not allowed on any device family."

Microsoft's enforcement of this clause has historically focused on removing emulators published as "private" UWP apps to the Xbox Store. Those apps could be distributed to whitelisted users via direct links accessed on the system's Edge browser, getting around the usual approval process for a public store listing. Previously, users who downloaded one of these "hidden" emulator listings before Microsoft's inevitable takedown could run that emulator on an unmodified retail system indefinitely. That is no longer the case; trying to launch downloaded versions of emulators like Xenia or Retrospection on an Xbox console now generates an error saying, "Unable to launch this game or app. The game or app you're trying to launch violates Microsoft Store policy and is not supported."

Google

Google Will Shut Down Dropcam and Nest Secure in 2024 (theverge.com) 39

Google is ending support for the Dropcam and the Nest Secure home security system in one year, on April 8th, 2024. From a report: They are among the few remaining Nest products that haven't been brought over to Google Home, and their demise hints that the new Google Home app might almost be here. At least, no more than a year away. Surely. Google is also winding down the last few legacy Works with Nest connections, but not 'til September 29th. Existing Dropcam cameras will keep working until April 8th, 2024, after which you won't be able to access them from the Nest app. To soften the blow, Google's offering a free indoor wired Nest Cam to Dropcam owners who subscribe to Nest Aware. Nonsubscribers will get a 50 percent-off coupon. The promotion runs until May 7, 2024, so you can keep using your Dropcam until it stops working.

Bug

Google Pay Bug Accidentally Sends Users Free Money (arstechnica.com) 17

Here's a good reason to use Google Pay: Google might send you a bunch of free money. From a report: Many users report that Google accidentally deposited cash in their accounts -- anywhere from $10 to $1,000. Android researcher Mishaal Rahman got hit with the bug and shared most of the relevant details on Twitter. The cash arrived via Google Pay's "reward" program. Just like a credit card, you're supposed to get a few bucks back occasionally for various promotions, but nothing like this. Numerous screenshots show users receiving loads of "Reward" money for what the message called "dogfooding the Google Pay Remittance experience." "Dogfooding" is tech speak for "internally beta testing pre-release software," so if a message like this was ever supposed to go out, it should have only gone out to Google employees and/or some testing partners. Many regular users received multiple copies of this message with multiple payouts.

Security

MSI Confirms Breach as Ransomware Gang Claims Responsibility (pcmag.com) 11

MSI has confirmed it suffered a data breach after a ransomware gang claimed it stole files from the PC maker. The company published a Taiwanese stock exchange filing about experiencing a "cyber attack," although the company is thin on details. From a report: "After detecting some information systems being attacked by hackers, MSI's IT department has initiated information security defense mechanism and recovery procedures," the PC maker said. The company also reported the incident to authorities. MSI didn't immediately respond to a request for comment, making it unclear whether customer data is affected. But in the stock exchange filing, the PC maker says it anticipates the breach having "no significant impact" on its financials or operations. A new ransomware group called Money Message claims it breached the PC maker to steal the company's source code, including the framework for the BIOS used in MSI products.

Security

Flipper Zero Banned By Amazon for Being a 'Card Skimming Device' 50

Amazon has banned the sale of the Flipper Zero portable multi-tool for pen-testers as it no longer allows its sale on the platform after tagging it as a card-skimming device. From a report: The Flipper Zero is a compact, portable, and programmable pen-testing tool that can help experiment with and debug various digital and hardware devices via various protocols, including RFID, radio, NFC, infrared, Bluetooth, and others. Since its launch, users have showcased Flipper Zero's capabilities demonstrating its capacity to activate doorbells, conduct replay attacks to unlock cars and open garage doors, and clone a wide range of digital keys. According to notices sent to sellers on Thursday evening, Amazon has now banned Flipper Zero on its platform, tagging it as a "restricted product." Card-skimming devices are listed on Amazon's Seller Central portal under the Lock Picking & Theft Devices restricted product category, next to key duplicating devices and shoplifting devices, such as sensormatic detachers. Currently, some links to previously available Amazon pages selling Flipper Zero tools are dead and displaying "Sorry, we couldn't find that page. Try searching or go to Amazon's home page." errors, while others list it as "Unavailable."

Security

New Ultrasound Attack Can Secretly Hijack Phones and Smart Speakers (theregister.com) 49

Academics in the US have developed an attack dubbed NUIT, for Near-Ultrasound Inaudible Trojan, that exploits vulnerabilities in smart device microphones and voice assistants to silently and remotely access smart phones and home devices. The Register reports: The research team -- Guenevere Chen, an associate professor at the University of Texas at San Antonio, her doctoral student Qi Xia, and Shouhuai Xu, a professor at the University of Colorado Colorado Springs -- found Apple's Siri, Google's Assistant, Microsoft's Cortana, and Amazon's Alexa are all vulnerable to NUIT attacks, albeit to different degrees. In an interview with The Register this month, Chen and Xia demonstrated two separate NUIT attacks: NUIT-1, which emits sounds to exploit a victim's smart speaker to attack the same victim's microphone and voice assistant on the same device, and NUIT-2, which exploits a victim's speaker to attack the same victim's microphone and voice assistant on a different device. Ideally, for the attacker, these sounds should be inaudible to humans.

The attacks work by modulating voice commands into near-ultrasound inaudible signals so that humans can't hear them but the voice assistant will still respond to them. These signals are then embedded into a carrier, such as an app or YouTube video. When a vulnerable device picks up the carrier, it ends up obeying the hidden embedded commands. Attackers can use social engineering to trick the victim into playing the sound clip, Xia explained. "And once the victim plays this clip, voluntarily or involuntarily, the attacker can manipulate your Siri to do something, for example, open your door."

For NUIT-1 attacks, using Siri, the answer is yes. The boffins found they could control an iPhone's volume so that a silent instruction to Siri generates an inaudible response. The other three voice assistants -- Google's, Cortana, and Alexa -- are still susceptible to the attacks, but for NUIT-1, the technique can't silence devices' response so the victim may notice shenanigans are afoot. It's also worth noting that the length of malicious commands must be below 77 milliseconds -- that's the average reaction time for the four voice assistants across multiple devices.

In a NUIT-2 attack, the attacker exploits the speaker on one device to attack the microphone and associated voice assistant of a second device. These attacks aren't limited by the 77-millisecond window and thus give the attacker a broader range of possible action commands. An attacker could use this scenario during Zoom meetings, for example: if an attendee unmutes themself, and their phone is placed next to their computer, an attacker could use an embedded attack signal to attack that attendee's phone.
The researchers will publish their research and demonstrate the NUIT attacks at the USENIX Security Symposium in August.

Businesses

Many Workers Willing To Take a Pay Cut To Work Remotely, Survey Finds (cbsnews.com) 224

An anonymous reader quotes a report from CBS News: Americans have grown so fond of working from home that many are willing to sacrifice pay for the privilege of skipping the office. So found a recent survey by recruiting firm Robert Half, which polled thousands of U.S. employees and hiring managers about their attitudes toward remote work. Some workers said they're willing to take a pay cut -- with an average reduction of 18% -- to remain fully remote, Paul McDonald, a Robert Half senior executive director, told CBS News. Overall, roughly one in three workers who go into the office at least one day a week said they were willing to earn less for the opportunity to work remotely.

Security

Open Garage Doors Anywhere In the World By Exploiting This 'Smart' Device (arstechnica.com) 77

An anonymous reader quotes a report from Ars Technica: A market-leading garage door controller is so riddled with severe security and privacy vulnerabilities that the researcher who discovered them, Sam Sabetan, is advising anyone using one to immediately disconnect it until they are fixed. Each $80 device, used to open and close garage doors and control home security alarms and smart power plugs, employs the same easy-to-find universal password to communicate with Nexx servers. The controllers also broadcast the unencrypted email address, device ID, first name, and last initial corresponding to each one, along with the message required to open or shut a door or turn on or off a smart plug or schedule such a command for a later time.

The result: Anyone with a moderate technical background can search Nexx servers for a given email address, device ID, or name and then issue commands to the associated controller. (Nexx controllers for home security alarms are susceptible to a similar class of vulnerabilities.) Commands allow a door to be opened, a device connected to a smart plug to be turned off, or an alarm to be disarmed. Worse still, over the past three months, personnel for Texas-based Nexx haven't responded to multiple private messages warning of the vulnerabilities.

"Nexx has consistently ignored communication attempts from myself, the Department of Homeland Security, and the media," Sabetan wrote in a post published on Tuesday. "Device owners should immediately unplug all Nexx devices and create support tickets with the company requesting them to remediate the issue." Sabetan estimates that more than 40,000 devices, located in residential and commercial properties, are impacted, and more than 20,000 individuals have active Nexx accounts.

Security

IRS-Authorized eFile.com Tax Return Software Caught Serving JS Malware (bleepingcomputer.com) 32

eFile.com, an IRS-authorized e-file software service provider used by many for filing their tax returns, has been caught serving JavaScript malware. BleepingComputer reports: eFile.com was caught serving malware, as spotted by multiple users and researchers. The malicious JavaScript file in question is called 'popper.js'. The development comes at a crucial time when U.S. taxpayers are wrapping up their IRS tax returns before the April 18th due date. BleepingComputer can confirm, the malicious JavaScript file 'popper.js' was being loaded by almost every page of eFile.com, at least up until April 1st. As of today, the file is no longer seen serving the malicious code.

On March 17th, a Reddit thread surfaced where multiple eFile.com users suspected the website was "hijacked." At the time, the website showed an SSL error message that, some suspected, was fake and indicative of a hack. Turns out that's indeed the case. [...] The malicious JavaScript file 'update.js', further attempts to prompt users to download next stage payload, depending on whether they are using Chrome [update.exe - VirusTotal] or Firefox [installer.exe - VirusTotal]. Antivirus products have already started flagging these executables as trojans.

BleepingComputer has independently confirmed these binaries establish a connection to a Tokyo-based IP address, 47.245.6.91, that appears to be hosted with Alibaba. The same IP also hosts the illicit domain, infoamanewonliag[.]online associated with this incident. Security research group, MalwareHunterTeam further analyzed these binaries, and stated that these contain Windows botnets written in PHP -- a fact that the research group mocked. Additionally, the group called out eFile.com for leaving the malicious code on its website for weeks: "So, the website of [efile.com]... got compromised at least around middle of March & still not cleaned," writes MalwareHunterTeam.

IT

After 11 Years, Atlassian Customers Finally Get Custom Domains They Don't Want (theregister.com) 40

Atlassian customers' eleven-year quest for custom domains continues, with the Australian upstart's proposed solution failing to satisfy. The Register: As The Register reported in 2022, Atlassian floated the idea of custom domains for its custom apps in 2011. Yes, 2011. The ticket for the change is called "CLOUD 6999" and has become infamous for the length of time it has remained unresolved. An unidentified wag has even made t-shirts bearing the CLOUD 6999 name. Atlassian promised last year to sort it out some time in 2023, and in February posted an update on its initial designs.

It hasn't gone down well. Atlassian's proposed solution requires "a company-branded domain name, a list of options for the 1st-level subdomain keyword, and a 2nd-level subdomain at your own choice." Atlassian cloud admin experience chap Luke Liu explained that structure as delivering URLs such as internal.support.acme.com or people.knowledge.acme.org. One of Atlassian's stated company values is "Don't #@!% the customer." But plenty of Atlassian customers feel well and truly #@!%ed by the custom domain plan. "The cloud roadmap specifically uses an example of 1 level," wrote one commenter on the 1,445-item thread discussing CLOUD 6999. "The team managing this seems to be completely lost and disconnected from the user base."

Data Storage

After Disrupting Businesses, Google Drive's Secret File Cap is Dead for Now 45

Google is backtracking on its decision to put a file creation cap on Google Drive. From a report: Around two months ago, the company decided to cap all Google Drive users to 5 million files, even if they were paying for extra storage. The company did this in the worst way possible, rolling out the limit as a complete surprise and with no prior communication. Some users logged in to find they were suddenly millions of files over the new limit and unable to upload new files until they deleted enough to get under the limit. Some of these users were businesses that had the sudden file cap bring down their systems, and because Google never communicated that the change was coming, many people initially thought the limitation was a bug.

Apparently, sunshine really is the best disinfectant. The story made the tech news rounds on Friday, and Ars got Google on the record saying that the file cap was not a bug and was actually "a safeguard to prevent misuse of our system in a way that might impact the stability and safety of the system." After the weekend reaction to "Google Drive's Secret File Cap!" Google announced on Twitter Monday night that it was rolling back the limit. [...] Google told us it initially rolled the limitation out to stop what it called "misuse" of Drive, and with the tweet saying Google wants to "explore alternate approaches to ensure a great experience for all," it sounds like we might see more kinds of Drive limitations in the future.

Microsoft

Microsoft Announces $299.99 Surface Thunderbolt 4 Dock That Connects via USB-C (theverge.com) 64

Microsoft has just officially unveiled the Surface Thunderbolt 4 Dock hours after the device leaked. From a report: Priced at $299.99, the new Surface dock will connect over USB-C instead of the proprietary Surface Connect port. Microsoft is planning to keep selling its Surface Dock 2, complete with the Surface Connect port that's designed for Surface devices that don't have USB-C or Thunderbolt 4. This new Surface Thunderbolt 4 Dock will support devices other than Surface for the first time. You can connect to it via USB-C, and it supports data transfer speeds of up to 40Gbps and 96W charging thanks to Thunderbolt 4. At the front, there is a single USB-C port alongside a USB-A port but sadly no SD card slot. The rear of the Surface Thunderbolt 4 Dock has two USB-C ports, two USB-A ports, a 2.5-gigabit ethernet port, an audio jack, and a security lock slot.
