Major U.S. companies are tightening eligibility requirements for student discounts, cracking down on graduates who continue to claim benefits years after leaving school. Amazon, Spotify, and other firms are partnering with verification services like SheerID to validate student status, ending an era of lax enforcement that allowed many to exploit discounts long after graduation.

While companies aim to build brand loyalty among young consumers, they're also guarding against fraud. SheerID claims it helped clients avoid $2 billion in fraudulent discounts last year. Most streaming services retain over 90% of student customers after graduation, according to SheerID CEO Stephanie Copeland Weber. "They're building trust and loyalty with those consumers," she told WSJ.

Bruce66423 writes: Sellafield [U.K.'s largest nuclear site] has apologised after pleading guilty to criminal charges relating to a string of cybersecurity failings at Britain's most hazardous nuclear site, which it admitted could have threatened national security.

Among the failings at the vast nuclear waste dump in Cumbria was the discovery that 75% of its computer servers were vulnerable to cyber-attacks, Westminster magistrates court in London heard. Information that could threaten national security was left exposed for four years, the nuclear watchdog revealed, and Sellafield said it had been performing critical IT health checks that were not, in fact, being carried out.

The Guardian's investigation also revealed concerns about external contractors being able to plug memory sticks into Sellafield's system while unsupervised and that its computer servers were deemed so insecure that the problem was nicknamed Voldemort after the Harry Potter villain because it was so sensitive and dangerous.

The good news is that the problem has been spotted. The bad news is that there can be no meaningful punishment for a government owned company. One can only hope that they will do better in the future.

Microsoft researchers said on Friday that Iran government-tied hackers tried breaking into the account of a "high ranking official" on the U.S. presidential campaign in June, weeks after breaching the account of a county-level U.S. official. From a report: The breaches were part of Iranian groups' increasing attempts to influence the U.S. presidential election in November, the researchers said in a report that did not provide any further detail on the "official" in question.

The report follows recent statements by senior U.S. Intelligence officials that they'd seen Iran ramp up use of clandestine social media accounts with the aim to use them to try to sow political discord in the United States. Iran's mission to the United Nations in New York told Reuters in a statement that its cyber capabilities were "defensive and proportionate to the threats it faces" and that it had no plans to launch cyber attacks.

Signal developer Moxie Marlinspike criticized early encryption software's user-unfriendly design at Black Hat 2024, admitting he and others initially failed to consider non-technical users' needs. Speaking with Black Hat founder Jeff Moss, Marlinspike said developers of tools like Pretty Good Privacy (PGP) wrongly assumed users would adopt complex practices like running keyservers and signing keys over dinner. "We were just wrong," Marlinspike said, describing this as "software snobbery" that undermined wider adoption. "You take on the complexity instead of making the user deal with it," Marlinspike contrasted PGP's arcane interface with Signal's more accessible design.

Security researcher Grant Smith uncovered a large-scale smishing scam where scammers posing as the USPS tricked victims into providing their credit card details through fake websites. Smith hacked into the scammers' systems, gathered evidence, and collaborated with the USPS and a US bank to protect over 438,000 unique credit cards from fraudulent activity. Wired reports: The flood of text messages started arriving early this year. They carried a similar thrust: The United States Postal Service is trying to deliver a parcel but needs more details, including your credit card number. All the messages pointed to websites where the information could be entered. Like thousands of others, security researcher Grant Smith got a USPS package message. Many of his friends had received similar texts. A couple of days earlier, he says, his wife called him and said she'd inadvertently entered her credit card details. With little going on after the holidays, Smith began a mission: Hunt down the scammers. Over the course of a few weeks, Smith tracked down the Chinese-language group behind the mass-smishing campaign, hacked into their systems, collected evidence of their activities, and started a months-long process of gathering victim data and handing it to USPS investigators and a US bank, allowing people's cards to be protected from fraudulent activity.

In total, people entered 438,669 unique credit cards into 1,133 domains used by the scammers, says Smith, a red team engineer and the founder of offensive cybersecurity firm Phantom Security. Many people entered multiple cards each, he says. More than 50,000 email addresses were logged, including hundreds of university email addresses and 20 military or government email domains. The victims were spread across the United States -- California, the state with the most, had 141,000 entries -- with more than 1.2 million pieces of information being entered in total. "This shows the mass scale of the problem," says Smith, who is presenting his findings at the Defcon security conference this weekend and previously published some details of the work. But the scale of the scamming is likely to be much larger, Smith says, as he didn't manage to track down all of the fraudulent USPS websites, and the group behind the efforts have been linked to similar scams in at least half a dozen other countries.

"Sonos is delaying two hardware releases originally planned for later this year as it deploys an all-hands-on-deck approach to fixing the app," writes The Verge's Chris Welch. The company released a redesigned mobile app on May 7th that has been riddled with flaws and missing features. Sonos also entered the crowded headphone market in May with the launch of its Ace headphones, but it was immediately "overshadowed" by problems with the new Sonos app, according to Sonos CEO Patrick Spence. The Verge reports: "I will not rest until we're in a position where we've addressed the issues and have customers raving about Sonos again," Spence said during the afternoon earnings call. "We believe our focus needs to be addressing the app ahead of everything else," he continued."This means delaying the two major new product releases we had planned for Q4 until our app experience meets the level of quality that we, our customers, and our partners expect from Sonos." One of those two products is almost certainly Sonos' next flagship soundbar, codenamed Lasso, which I revealed last month. "These products were ready to ship in Q4," Spence said in response to a question on the call.

He also went in-depth on the app issues and how Sonos plans to fix them. Spence remains adamant that overhauling the app and its underlying infrastructure "was the right thing to do" for the company's future; the new app "has a modular developer platform based on modern programming languages that will allow us to drive more innovation faster," he said. But Spence also now acknowledges that the project was rushed. "With the app, my push for speed backfired," he said. "As we rolled out the new software to more and more users, it became evident that there were stubborn bugs we had not discovered in our testing. As a result, far too many of our customers are having an experience that is worse than what they previously had." [...]

For now, Sonos is turning to some longtime experts for help. "I've asked Nick Millington, the original software architect of the Sonos experience, to do whatever it takes to address the issues with our new app," Spence said. Sonos board member Tom Conrad is helping to oversee the app improvement effort and "ensure" things stay on the right track.

ADT confirmed this week that it was recently hacked, compromising some customer data. From a report: The home security company did not say when the cyberattack and data breach occurred, but disclosed that the attackers accessed the company's databases containing customer home addresses, email addresses, and phone numbers.

In a brief regulatory filing published late Wednesday, ADT said it has "no reason to believe" that customer home security systems were compromised during the incident, but ADT did not say how it reached that conclusion. The statement said a "small percentage" of customers are affected, but did not provide a more specific number. As of June 2024, ADT said it had six million customers.

The Internet Corporation for Assigned Names and Numbers (ICANN) has agreed to reserve the .internal top-level domain so it can become the equivalent to using the 10.0.0.0, 172.16.0.0 and 192.168.0.0 IPv4 address blocks for internal networks. From a report: Those blocks are reserved for private use by the Internet Assigned Numbers Authority, which requires they never appear on the public internet. As The Register reported when we spotted the proposal last January, ICANN wanted something similar but for DNS, by defining a top-level domain that would never be delegated in the global domain name system (DNS) root.

Doing so would mean the TLD could never be accessed on the open internet -- achieving the org's goal of delivering a domain that could be used for internal networks without fear of conflict or confusion. ICANN suggested such a domain could be useful, because some orgs had already started making up and using their own domain names for private internal use only. Networking equipment vendor D-Link, for example, made the web interface for its products available on internal networks at .dlink. ICANN didn't like that because the org thought ad hoc TLD creation could see netizens assume the TLDs had wider use -- creating traffic that busy DNS servers would have to handle. Picking a string dedicated to internal networks was the alternative. After years of consultation about whether it was a good idea -- and which string should be selected -- ICANN last week decided on .internal. Any future applications to register it as a global TLD won't be allowed.

An anonymous reader quotes a report from the Associated Press: The government of Australia's most populous state ordered all public employees to work from their offices by default beginning Tuesday and urged stricter limits on remote work, after news outlets provoked a fraught debate about work-from-home habits established during the pandemic. Chris Minns, the New South Wales premier, said in a notice to agencies Monday that jobs could be made flexible by means other than remote working, such as part-time positions and role sharing, and that "building and replenishing public institutions" required "being physically present." His remarks were welcomed by business and real estate groups in the state's largest city, Sydney, who have decried falling office occupancy rates since 2020, but denounced by unions, who pledged to challenge the initiative if it was invoked unnecessarily.

The instruction made the state's government, Australia's largest employer with more than 400,000 staff, the latest among a growing number of firms and institutions worldwide to attempt a reversal of remote working arrangements introduced as the coronavirus spread. But it defied an embrace of remote work by the governments of some other Australian states, said some analysts, who suggested lobbying by a major newspaper prompted the change. "It seems that the Rupert Murdoch-owned Daily Telegraph in Sydney has been trying to get the New South Wales government to mandate essentially that workers go back to the office," said Chris F. Wright, an associate professor in the discipline of work at the University of Sydney. The newspaper cited prospective economic boons for struggling businesses.

The newspaper wrote Tuesday that the premier's decision "ending the work from home era" followed its urging, although Minns did not name it as a factor. But the union representing public servants said there was scant evidence for the change and warned the state government could struggle to fill positions. "Throughout the New South Wales public sector, they're trying to retain people," said Stewart Little, the General Secretary of the Public Service Association. "In some critical agencies like child protection we're looking at 20% vacancy rates, you're talking about hundreds of jobs." Little added that government offices have shrunk since 2020 and agencies would be unable to physically accommodate every employee on site. Minns said the state would lease more space, according to the Daily Telegraph. Further reading: Ordered Back To the Office, Top Tech Talent Left Instead, Study Finds

Ryan Christoffel writes via 9to5Mac: Since the Mac doesn't have the same locked-down app distribution system of iOS and iPadOS, Apple has created other tools meant to protect users. Some of those tools include app signing and notarization. Essentially, these provide a way for Apple to perform a level of vetting for macOS apps, even ones that don't hit the Mac App Store. The intent is to ultimately prevent harmful software from being inadvertently opened by Mac users. Trying to open an app that isn't correctly signed or notarized results in some scary warnings. But until now, power users could bypass those warnings -- and Apple's overall security process -- using a Control-click shortcut. But that shortcut is going away in macOS Sequoia.

According to a new post on the Apple Developer site: "In macOS Sequoia, users will no longer be able to Control-click to override Gatekeeper when opening software that isn't signed correctly or notarized. They'll need to visit System Settings > Privacy & Security to review security information for software before allowing it to run." The post then urges developers to make sure their software is properly signed so users won't need to jump through these hoops.

Lenovo's widely used ThinkPad laptop hasn't changed much over the years. Corporate technology leaders say that's why they love it. From a report: "There's a lot to be said for familiarity and that consistent experience," said Ace Hardware Chief Information Officer Rick Williams, whose company uses about 4,000 ThinkPads. The ThinkPad brand of personal computers, originally created by International Business Machines, hit the market in 1992 before Lenovo acquired it, along with IBM's PC division, in 2005. Since then, the boxy design -- originally inspired by the Japanese bento box -- has gotten thinner and lighter, but not much else has changed from a design perspective, Lenovo said.

The logo is the same, although in 2005 Lenovo did add the red dot over the "i" in "Think" that remains today. That logo has remained angled at 37 degrees on the device. And on the keyboard the small, red, old-timey trackpoint remains nestled between the "B," "G" and "H" keys (which Lenovo says some users swear by and some CIOs say they never use). Ports and camera placement have also been relatively consistent. And despite some experimentation with colors, the laptop itself primarily remains its original black. "You're going to recognize the iconic ThinkPad," said Tom Butler, executive director for worldwide commercial portfolio and product management at Hong Kong-based Lenovo.

Its strategy might seem counterintuitive in an industry where winners and losers are often determined based on their pace of innovation, and where to stay the same often means to become obsolete. Big consumer tech companies that dominated the early 2000s, like BlackBerry, Nokia and Motorola, ultimately couldn't keep pace with competitors and struggled. But for Lenovo, which plays in the enterprise space, it's paying off. Lenovo has been leading in market share in the worldwide personal computer vendor market, based on unit shipments, on and off for more than 10 years, according to research firm Gartner.

Security researchers from SafeBreach have found what they say is a Windows downgrade attack that's invisible, persistent, irreversible and maybe even more dangerous than last year's BlackLotus UEFI bootkit. From a report: After seeing the damage that UEFI bootkit could do by bypassing secure boot processes in Windows, SafeBreach's Alon Leviev became curious whether there were any other fundamental Windows components that could be abused in a similar manner. He hit the jackpot in one of the most unlikely places: The Windows update process.

"I found a way to take over Windows updates to update the system, but with control over all of the actual update contents," Leviev told us in an interview ahead of his Black Hat USA conference presentation today detailing his findings. Using his technique, having compromised a machine so that he could get in as a normal user, Leviev was able to control which files get updated, which registry keys are changed, which installers get used, and the like. And he was able to do all of it while side-stepping every single integrity verification implemented in the Windows update process. After that, "I was able to downgrade the OS kernel, DLLs, drivers ... basically everything that I wanted." To make matters worse, Leviev said that poking and prodding around the vulnerabilities he found enabled him to attack the entire Windows virtualization stack, including virtualization-based security (VBS) features that are supposed to isolate the kernel and make attacker access less valuable.

Things aren't working out well for Humane, a heavily-funded startup that launched an eponymous AI device earlier this year. Despite significant funding from prominent Silicon Valley figures, the product has been grappling with negative reviews -- and now more pressing issues are emerging. An anonymous reader shares a report: Shortly after Humane released its $699 AI Pin in April, the returns started flowing in. Between May and August, more AI Pins were returned than purchased, according to internal sales data obtained by The Verge. By June, only around 8,000 units hadn't been returned, a source with direct knowledge of sales and return data told me. As of today, the number of units still in customer hands had fallen closer to 7,000, a source with direct knowledge said.

At launch, the AI Pin was met with overwhelmingly negative reviews. Our own David Pierce said it "just doesn't work," and Marques Brownlee called it "the worst product" he's ever reviewed. Now, Humane is attempting to stabilize its operations and maintain confidence among staff and potential acquirers. The New York Times reported in June that HP is considering purchasing the company, and The Information reported last week that Humane is negotiating with its current investors to raise debt, which could later be converted into equity.

Parody site creator David Senk has rebuffed CrowdStrike's attempt to shut down his "ClownStrike" website, which lampoons the cybersecurity firm's role in a recent global IT outage. Senk swiftly contested the Digital Millennium Copyright Act takedown notice, asserting fair use for parody. When hosting provider Cloudflare failed to acknowledge his counter-notice, Senk defiantly relocated the site to a Finnish server beyond U.S. jurisdiction. The IT consultant decried the takedown as "corporate cyberbullying," accusing CrowdStrike of exploiting copyright law to silence criticism. Despite CrowdStrike's subsequent admission that parody sites were not intended targets, Senk is remaining resolute, demanding a public apology and refusing to return to Cloudflare's services.

Logitech has quashed its earlier remarks about building a subscription-based mouse, following widespread backlash to comments made by CEO Hanneke Faber. The Swiss-American computer peripherals maker clarified that the "forever mouse" concept, mentioned by Faber in a recent podcast interview, was merely speculative internal discussion and not a planned product.

Disney Plus will soon no longer let you share your password with people outside your household. From a report: During an earnings call on Wednesday, Disney CEO Bob Iger said the crackdown will kick off "in earnest" this September. The timeline for Disney's password-sharing crackdown has been a bit confusing so far. In February, Disney announced plans to roll out paid sharing and also began notifying users about the change. It then launched paid sharing in a "few countries" in June but provided no information on when it would reach the US.

Zack Whittaker reports via TechCrunch: A cyberattack on Mobile Guardian, a U.K.-based provider of educational device management software, has sparked outages at schools across the world and has left thousands of students unable to access their files. Mobile Guardian acknowledged the cyberattack in a statement on its website, saying it identified "unauthorized access to the iOS and ChromeOS devices enrolled to the Mobile Guardian platform." The company said the cyberattack "affected users globally," including in North America, Europe and Singapore, and that the incident resulted in an unspecified portion of its userbase having their devices unenrolled from the platform and "wiped remotely." "Users are not currently able to log in to the Mobile Guardian Platform and students will experience restricted access on their devices," the company said.

Mobile device management (MDM) software allows businesses and schools to remotely monitor and manage entire fleets of devices used by employees or students. Singapore's Ministry of Education, touted as a significant customer of Mobile Guardian on the company's website since 2020, said in a statement overnight that thousands of its students had devices remotely wiped during the cyberattack. "Based on preliminary checks, about 13,000 students in Singapore from 26 secondary schools had their devices wiped remotely by the perpetrator," the Singaporean education ministry said in a statement. The ministry said it was removing the Mobile Guardian software from its fleet of student devices, including affected iPads and Chromebooks.

Intel has announced significant progress on its 18A process technology, with lead products successfully powering on and booting operating systems. The company's Panther Lake client processor and Clearwater Forest server chip, both built on 18A, achieved these milestones less than two quarters after tape-out. The 18A node, featuring RibbonFET gate-all-around transistors and PowerVia backside power delivery, is on track for production in 2025.

Intel released the 18A Process Design Kit 1.0 in July, enabling foundry customers to leverage these advanced technologies in their designs. "Intel is out ahead of everyone else in the industry with these innovations," Kevin O'Buckley, Intel's new head of Foundry Services stated, highlighting the node's potential to drive next-generation AI solutions. Clearwater Forest will be the industry's first mass-produced, high-performance chip combining RibbonFET, PowerVia, and Foveros Direct 3D packaging technology. It also utilizes Intel's 3-T base-die technology, showcasing the company's systems foundry approach. Intel expects its first external customer to tape out on 18A in the first half of 2025. EDA and IP partners are updating their tools to support customer designs on the new node. The success of 18A is crucial for Intel's ambitions to regain process leadership and grow its foundry business.

An anonymous reader shares a report: Google has revealed technical details of its in-house data transfer tool, called Effingo, and bragged that it uses the project to move an average of 1.2 exabytes every day. As explained in a paper [PDF] and video to be presented on Thursday at the SIGCOMM 2024 conference in Sydney, bandwidth constraints and the stubbornly steady speed of light mean that not even Google is immune to the need to replicate data so it is located close to where it is processed or served.

Indeed, the paper describes managed data transfer as "an unsung hero of large-scale, globally-distributed systems" because it "reduces the network latency from across-globe hundreds to in-continent dozens of milliseconds." The paper also points out that data transfer tools are not hard to find, and asks why a management layer like Effingo is needed. The answer is that the tools Google could find either optimized for transfer time or handled point-to-point data streams -- and weren't up to the job of handling the 1.2 exabytes Effingo moves on an average day, at 14 terabytes per second. To shift all those bits, Effingo "balances infrastructure efficiency and users' needs" and recognizes that "some users and some transfers are more important than the others: eg, disaster recovery for a serving database, compared to migrating data from a cluster with maintenance scheduled a week from now."

Microsoft said Delta Air Lines turned down repeated offers for assistance following last month's catastrophic system outage, echoing claims by CrowdStrike in an increasingly contentious conflict between the carrier and its technology partners. From a report: Microsoft employees reached out to Delta to give technical support every day from July 19 through July 23, and "each time Delta turned down Microsoft's offers to help," according to a letter Tuesday from the technology giant's attorneys to Delta's representatives. Microsoft Chief Executive Officer Satya Nadella also personally emailed Delta CEO Ed Bastian and never heard back. "Even though Microsoft's software had not caused the CrowdStrike incident, Microsoft immediately jumped in and offered to assist Delta at no charge," according to the letter, which was signed by Mark Cheffo of Dechert LLP. The claims, in response to Delta's hiring of attorney David Boies, heighten the tension after Delta suggested it would try to seek compensation for a breakdown it expects to cost it $500 million this quarter. The airline was slower to recover than competitors after an errant software update from CrowdStrike affected Microsoft systems, creating a cascading effect that led Delta to cancel thousands of flights over several days.