LinkedIn has been hit by a rise in sophisticated recruitment scams, as fraudsters seek to take advantage of the trend towards remote working and widespread lay-offs across the tech sector. From a report: Jobseekers on the world's largest professional network are being defrauded out of money after taking part in fake recruitment processes set up by scammers who pose as employers, before obtaining personal and financial information. "There's certainly an increase in the sophistication of the attacks and the cleverness," Oscar Rodriguez, vice-president of product management at LinkedIn told the Financial Times "We see websites being set up, we see phone numbers with a seemingly professional operator picking up the phone and answering on the company's behalf. We see a move to more sophisticated deception," he added.

The warning comes as the Microsoft-owned social media company said it has sought to block tens of millions of fake accounts in recent months, while US regulators warn of an increase in jobs-related cons. Last month, cyber security company Zscaler revealed a scam that targeted jobseekers and a dozen US companies, where fraudsters approached people through LinkedIn's direct messaging feature InMail. Scammers identified businesses that were already hiring, including enterprise software company Zuora, software developer Intellectsoft and Zscaler itself. They then created "lookalike" websites with similar job ads and, via LinkedIn's InMail feature, invited jobseekers to enter personal information into the websites, before conducting remote interviews via Skype.

Google Chrome's giving its page zoom feature a boost, which should make it more helpful for people who have difficulty reading the smaller screen on a phone. From a report: With the improved feature, you can increase the size of text, images, videos, and interactive controls on mobile web pages by up to 300 percent while preserving their original formatting. While the feature hasn't yet become available for all Chrome users, you can access it now if you download the Chrome beta on your phone or tablet. To enable the feature, tap the three dots icon in the top right corner of the browser, hit Settings > Accessibility, and then adjust the zoom level to your liking. Google will save this preference for all the sites you browse so you won't have to keep tweaking it, and will even bypass the ones that try to block zoom features. Previously, Google only allowed users to adjust text scaling options up to 200 percent.

Since the earliest versions of the iPhone, "The ability to dynamically execute code was nearly completely removed," write security researchers at Trellix, "creating a powerful barrier for exploits which would need to find a way around these mitigations to run a malicious program. As macOS has continually adopted more features of iOS it has also come to enforce code signing more strictly.

"The Trellix Advanced Research Center vulnerability team has discovered a large new class of bugs that allow bypassing code signing to execute arbitrary code in the context of several platform applications, leading to escalation of privileges and sandbox escape on both macOS and iOS.... The vulnerabilities range from medium to high severity with CVSS scores between 5.1 and 7.1. These issues could be used by malicious applications and exploits to gain access to sensitive information such as a user's messages, location data, call history, and photos."

Computer Weekly explains that the vulnerability bypasses strengthened code-signing mitigations put in place by Apple on its developer tool NSPredicate after the infamous ForcedEntry exploit used by Israeli spyware manufacturer NSO Group: So far, the team has found multiple vulnerabilities within the new class of bugs, the first and most significant of which exists in a process designed to catalogue data about behaviour on Apple devices. If an attacker has achieved code execution capability in a process with the right entitlements, they could then use NSPredicate to execute code with the process's full privilege, gaining access to the victim's data.

Emmitt and his team also found other issues that could enable attackers with appropriate privileges to install arbitrary applications on a victim's device, access and read sensitive information, and even wipe a victim's device. Ultimately, all of the new bugs carry a similar level of impact to ForcedEntry.

Senior vulnerability researcher Austin Emmitt said the vulnerabilities constituted a "significant breach" of the macOS and iOS security models, which rely on individual applications having fine-grain access to the subset of resources needed, and querying services with more privileges to get anything else.
"The key thing here is the vulnerabilities break Apple's security model at a fundamental level," Trellix's director of vulnerability research told Wired — though there's some additional context: Apple has fixed the bugs the company found, and there is no evidence they were exploited.... Crucially, any attacker trying to exploit these bugs would require an initial foothold into someone's device. They would need to have found a way in before being able to abuse the NSPredicate system. (The existence of a vulnerability doesn't mean that it has been exploited.)

Apple patched the NSPredicate vulnerabilities Trellix found in its macOS 13.2 and iOS 16.3 software updates, which were released in January. Apple has also issued CVEs for the vulnerabilities that were discovered: CVE-2023-23530 and CVE-2023-23531. Since Apple addressed these vulnerabilities, it has also released newer versions of macOS and iOS. These included security fixes for a bug that was being exploited on people's devices.
TechCrunch explores its severity: While Trellix has seen no evidence to suggest that these vulnerabilities have been actively exploited, the cybersecurity company tells TechCrunch that its research shows that iOS and macOS are "not inherently more secure" than other operating systems....

Will Strafach, a security researcher and founder of the Guardian firewall app, described the vulnerabilities as "pretty clever," but warned that there is little the average user can do about these threats, "besides staying vigilant about installing security updates." And iOS and macOS security researcher Wojciech ReguÅa told TechCrunch that while the vulnerabilities could be significant, in the absence of exploits, more details are needed to determine how big this attack surface is.

Jamf's Michael Covington said that Apple's code-signing measures were "never intended to be a silver bullet or a lone solution" for protecting device data. "The vulnerabilities, though noteworthy, show how layered defenses are so critical to maintaining good security posture," Covington said.

An anonymous reader quotes an article from Fortune: Earlier this month, job advice platform Resumebuilder.com surveyed 1,000 business leaders who either use or plan to use ChatGPT. It found that nearly half of their companies have implemented the chatbot. And roughly half of this cohort say ChatGPT has already replaced workers at their companies....

Business leaders already using ChatGPT told ResumeBuilders.com their companies already use ChatGPT for a variety of reasons, including 66% for writing code, 58% for copywriting and content creation, 57% for customer support, and 52% for meeting summaries and other documents. In the hiring process, 77% of companies using ChatGPT say they use it to help write job descriptions, 66% to draft interview requisitions, and 65% to respond to applications.

Overall, most business leaders are impressed by ChatGPT's work," ResumeBuilder.com wrote in a news release. "Fifty-five percent say the quality of work produced by ChatGPT is 'excellent,' while 34% say it's 'very good....'" Nearly all of the companies using ChatGPT said they've saved money using the tool, with 48% saying they've saved more than $50,000 and 11% saying they've saved more than $100,000....

Of the companies ResumeBuilder.com identified as businesses using the chatbot, 93% say they plan to expand their use of ChatGPT, and 90% of executives say ChatGPT experience is beneficial for job seekers — if it hasn't already replaced their jobs.

Long-time Slashdot reader destinyland writes: They say "always be learning" — but do podcasts actually help? I've been trying to find podcasts that discuss programming, and I've enjoyed Lex Fridman's interviews with language creators like Guido van Rossum, Chris Lattner, and Brendan Eich (plus his long interviews with Donald Knuth). Then I discovered that GitHub, Red Hat, Stack Overflow, and the Linux Foundation all have their own podcast.

There's a developer podcast called "Corecursive" that I like with the tagline "the stories behind the code," plus a whole slew of (sometimes language-specific) podcasts at Changelog (including an interview with Brian Kernighan). And it seems like there's an entirely different universe of content on YouTube — like the retired Microsoft engineer doing "Dave's Garage," Software Engineering Daily, and the various documentaries by Honeypot.io. Computerphile has also scored various interviews with Brian Kernighan, and if you search YouTube enough you'll find stray interviews with Steve Wozniak.

But I wanted to ask Slashdot's readers: Do you listen to podcasts about computer science? And if so, which ones? (Because I'm always stumbling across new programming podcasts, which makes me worry about what else I've been missing out on.) Maybe I should also ask if you ever watch coding livestreams on Twitch — although that gets into the more general question of just how much content we consume that's related to our profession.
Fascinating discussions, or continuing work-related education? (And do podcasts really help keep your skills fresh? Are coding livestreams on Twitch just a waste of time?) Most importantly, does anyone have a favorite geek podcast that they're listening to? Share your own experience and opinions in the comments...

What's the best podcast about computer science?

Long-time Slashdot reader theodp writes: In what might be mistaken for an early April Fools' joke, one month after Amazon confirmed it would layoff 18,000+ employees, Amazon News last week put out a whimsical story about 10,000+ of its employees' dogs who are registered to "work" at corporate offices as part of Amazon's Dogs at Work program. "This unique program," Amazon explains," pulls out all the stops to make sure dogs have everything they need for a successful work day, including decked out dog parks, unlimited treats from the reception desk, and regular events where dogs and their owners can get to know their colleagues."

Amazon employees also received a back-to-the office edict last week from CEO Andy Jassy, who cited the need for "serendipitous interactions" between team members, which Amazon has at times suggested would be facilitated if its employees' dogs return to the workplace, too. "The dog-friendly policy also contributes to the company's culture of collaboration," Amazon reported last year. "Dogs in the workplace are an unexpected mechanism for connection, an Amazon manager added. "I see employees meeting each other in our lobbies or elevators every day because of their dogs."

Amazon News offers profiles of "11 Amazing Pups" who didn't need obedience school to be convinced to return to the office, including Murray and Ripley. "Working from home certainly has its perks," Amazon reports, "but Murray LOVES coming into the office. He gets to see his favorite colleagues-both human and canine-and brighten everyone's day." And "Ripley starts each workday with a greeting from her best friend Lisa at the Culver Studios gate. From there, she promptly reports for duty, doling out kisses to anyone who needs a little pick-me-up."

After an iPhone was stolen, $10,000 vanished from the owner's bank account — and they were locked out of their Apple account's photos, contacts and notes. The thieves "stole thousands of dollars through Apple Pay" and "opened an Apple Card to make fraudulent charges," writes 9 to 5 Mac, citing a report from the Wall Street Journal. These thieves often work in groups with one distracting a victim while another records over a shoulder as they enter their passcode. Others have been known to even befriend victims, asking them to open social media or other apps on their iPhones so they can watch and memorize the passcode before stealing it. A 12-person crime ring in Minnesota was recently taken down after targeting iPhones like this in bars. Almost $300,000 was stolen from 40 victims by this group before they were caught.
The Journal adds that "similar stories are piling up in police stations around the country," while one of their article's authors has tweeted Apple's official response. "We sympathize with users who have had this experience and we take all attacks on our users very seriously, no matter how rare.... We will continue to advance the protections to help keep user accounts secure."

The reporter suggests alphanumeric passwords are harder to steal, while MacRumors offers some other simple fixes. "Use Face ID or Touch ID as much as possible when in public to prevent thieves from spying... In situations where entering the passcode is necessary, users can hold their hands over their screen to hide passcode entry."

More than a quarter of Google's full-time workforce is in its cloud unit, reports CNBC. And now Google is asking cloud employees and partners "to share their desks and alternate days with their desk mates starting next quarter, citing 'real estate efficiency.'" The new desk-sharing model will apply to Google Cloud's five largest U.S. locations — Kirkland, Washington; New York City; San Francisco; Seattle; and Sunnyvale, California — and is happening so the company "can continue to invest in Cloud's growth," according to an internal FAQ recently shared with cloud employees and viewed by CNBC. Some buildings will be vacated as a result, the document noted.

"Most Googlers will now share a desk with one other Googler," the internal document stated, noting they expect employees to come in on alternate days so they're not at the same desk on the same day. "Through the matching process, they will agree on a basic desk setup and establish norms with their desk partner and teams to ensure a positive experience in the new shared environment." The FAQ says employees may come in on other days, but if they're in on an unassigned day, they will use "overflow drop-in space."

Internally, leadership has given the new seating arrangement a title: "Cloud Office Evolution" or "CLOE," which it describes as "combining the best of pre-pandemic collaboration with the flexibility" of hybrid work. The new workspace plan is not a temporary pilot, the document noted. "This will ultimately lead to more efficient use of our space," it said.
A Google spokesperson said they'd conducted pilot programs and surveys "to explore different hybrid work models," CNBC reports, with the results showing employees "value guaranteed in-person collaboration when they are in the office, as well as the option to work from home a few days each week." So they've devised their new system to combine "the best of pre-pandemic collaboration with the flexibility and focus we've all come to appreciate from remote work, while also allowing us to use our spaces more efficiently."

The article points out that Google Cloud is currently not profitable, and "is still losing hundreds of millions of dollars every quarter — $480 million in the fourth quarter, although that was nearly half of the loss a year prior."

An internal FAQ warns that affected employees are now expected to have "conversations about how they will or will not decorate the space, store personal items, and tidiness expectations."

Thanks to Slashdot reader RUs1729 for sharing the story.

L.Kynes shares a report from CSO Online: At a time when almost all software contains open source code, at least one known open source vulnerability was detected in 84% of all commercial and proprietary code bases examined by researchers at application security company Synopsys. In addition, 48% of all code bases analyzed by Synopsys researchers contained high-risk vulnerabilities, which are those that have been actively exploited, already have documented proof-of-concept exploits, or are classified as remote code execution vulnerabilities. The vulnerability data -- along with information on open source license compliance -- was included in Synopsys' 2023 Open Source Security and Risk Analysis (OSSRA) report (PDF), put together by the company's Cybersecurity Research Center (CyRC). "Of the 1,703 codebases that Synopsys audited in 2022, 96% of them contained open source," adds L.Kynes, citing the report. "Aerospace, aviation, automotive, transportation, logistics; EdTech; and Internet of Things are three of the 17 industry sectors included in the report that had open source in 100% of their audited codebases. In the remaining verticals, over 92% of the codebases contained open source."

Canada's second-largest telecom, TELUS is investigating a potential data breach after a threat actor shared samples online of what appears to be employee data. BleepingComputer reports: The threat actor subsequently posted screenshots that apparently show private source code repositories and payroll records held by the company. TELUS has so far not found evidence of corporate or retail customer data being stolen and continues to monitor the potential incident. On February 17, a threat actor put up what they claim to be TELUS' employee list (comprising names and email addresses) for sale on a data breach forum. "TELUS employes [sic] from a very recent breach. We have over 76K unique emails and on top of this, we have internal information associated with each employee scraped from Telus' API," states the forum post.

While BleepingComputer has been unable to confirm the veracity of threat actor's claims just yet, the small sample set posted by the seller does have valid names and email addresses corresponding to present-day TELUS employees, particularly software developers and technical staff. By Tuesday, February 21, the same threat actor had created another forum post -- this time offering to sell TELUS' private GitHub repositories, source code, as well as the company's payroll records. The seller further boasts that the stolen source code contains the company's "sim-swap-api" that will purportedly enable adversaries to carry out SIM swap attacks.

An anonymous reader quotes a report from Motherboard, written by Joseph Cox: On Wednesday, I phoned my bank's automated service line. To start, the bank asked me to say in my own words why I was calling. Rather than speak out loud, I clicked a file on my nearby laptop to play a sound clip: "check my balance," my voice said. But this wasn't actually my voice. It was a synthetic clone I had made using readily available artificial intelligence technology. "Okay," the bank replied. It then asked me to enter or say my date of birth as the first piece of authentication. After typing that in, the bank said "please say, 'my voice is my password.'" Again, I played a sound file from my computer. "My voice is my password," the voice said. The bank's security system spent a few seconds authenticating the voice. "Thank you," the bank said. I was in.

I couldn't believe it -- it had worked. I had used an AI-powered replica of a voice to break into a bank account. After that, I had access to the account information, including balances and a list of recent transactions and transfers. Banks across the U.S. and Europe use this sort of voice verification to let customers log into their account over the phone. Some banks tout voice identification as equivalent to a fingerprint, a secure and convenient way for users to interact with their bank. But this experiment shatters the idea that voice-based biometric security provides foolproof protection in a world where anyone can now generate synthetic voices for cheap or sometimes at no cost. I used a free voice creation service from ElevenLabs, an AI-voice company. Now, abuse of AI-voices can extend to fraud and hacking. Some experts I spoke to after doing this experiment are now calling for banks to ditch voice authentication altogether, although real-world abuse at this time could be rare. A Lloyds Bank spokesperson said in a statement that "Voice ID is an optional security measure, however we are confident that it provides higher levels of security than traditional knowledge-based authentication methods, and that our layered approach to security and fraud prevention continues to provide the right level of protection for customers' accounts, while still making them easy to access when needed."

The Consumer Financial Protection Bureau, one of the U.S. agencies that regulates the financial industry, said: "The CFPB is concerned with data security, and companies are on notice that they'll be held accountable for shoddy practices. We expect that any firm follow the law, regardless of technology used."

The cyber-insurance market, battered by a rash of pandemic-era ransomware attacks, is making a comeback. Price hikes are moderating, new carriers and fresh sources of capital are emerging, and companies can better afford coverage. From a report: Cyber-insurance pricing increased 10% from a year earlier in January, a fraction of the 110% annual increase reported in the first quarter of 2022, preliminary data from insurance broker Marsh McLennan show. If those trends continue, prices could be set to decline, said Tom Reagan, Marsh's cyber practice leader. The reversal would follow a wave of digital intrusions that dominated the work-from-home era and forced insurers to recalibrate both how they write policies and their risk appetites. Those attacks also pushed their clients to adopt stronger cybersecurity measures. The brutal conditions in the market have let up since then, with claim frequency declining in the fourth quarter of 2022 even as severity remained elevated, according to Marsh.

"What we're left with is a very, very, very different market than what we went into two or three years ago," said Paul Bantick, the global head of cyber risks at London-based insurer Beazley. "We have a mature market that has stood up against a huge test." The risks posed by cyber criminals are still enormous. Ransomware attacks against industrial organizations increased by 87% in 2022 from the year before, while the US Treasury Department said financial institutions flagged nearly $1.2 billion in likely ransomware-related payments in 2021. Recent high-profile breaches at financial services firm ION Trading UK and a major Asian data center emphasized the grim risk posed by hackers. Even so, the total amount extorted from ransomware victims in 2022 dropped to $456.8 million from $765.6 million the year before, according to data from Chainalysis.

Bruce66423 writes: The encrypted-messaging app Signal has said it would stop providing services in the UK if a new law undermined encryption. If forced to weaken the privacy of its messaging system under the Online Safety Bill, the organisation "would absolutely, 100% walk" Signal president Meredith Whittaker told the BBC. The government said its proposal was not "a ban on end-to-end encryption". The bill, introduced by Boris Johnson, is currently going through Parliament. Critics say companies could be required by Ofcom to scan messages on encrypted apps for child sexual abuse material or terrorism content under the new law. This has worried firms whose business is enabling private, secure communication.

Staff working at the European Commission have been ordered to remove the TikTok app from their phones and corporate devices. The BBC reports: The commission said it was implementing the measure to "protect data and increase cybersecurity." EU spokeswoman Sonya Gospodinova said the corporate management board of the European Commission, the EU's executive arm, had made the decision for security reasons. "The measure aims to protect the Commission against cybersecurity threats and actions which may be exploited for cyberattacks against the corporate environment of the commission," she said. The ban also means that European Commission staff cannot use TikTok on personal devices that have official apps installed.

The commission says it has around 32,000 permanent and contract employees. They must remove the app as soon as possible and no later than March 15. For those who do not comply by the set deadline, the corporate apps -- such as the commission email and Skype for Business -- will no longer be available. [...] TikTok, owned by Chinese company ByteDance, has faced allegations that it harvests users' data and hands it to the Chinese government.

In an episode that underscores the vulnerability of global computer networks, hackers got ahold of login credentials for data centers in Asia used by some of the world's biggest businesses, a potential bonanza for spying or sabotage, according to a cybersecurity research firm. From a report: The previously unreported data caches involve emails and passwords for customer-support websites for two of the largest data center operators in Asia: Shanghai-based GDS Holdings and Singapore-based ST Telemedia Global Data Centres, according to Resecurity, which provides cybersecurity services and investigates hackers. About 2,000 customers of GDS and STT GDC were affected. Hackers have logged into the accounts of at least five of them, including China's main foreign exchange and debt trading platform and four others from India, according to Resecurity, which said it infiltrated the hacking group. It's not clear what -- if anything -- the hackers did with the other logins. The information included credentials in varying numbers for some of the world's biggest companies, including Alibaba Group Holding, Amazon, Apple, BMW, Goldman Sachs, Huawei, Microsoft, and Walmart, according to the security firm and hundreds of pages of documents that Bloomberg reviewed.

The U.S. Department of Defense secured an exposed server on Monday that was spilling internal U.S. military emails to the open internet for the past two weeks, TechCrunch reported Tuesday. From a report: The exposed server was hosted on Microsoft's Azure government cloud for Department of Defense customers, which uses servers that are physically separated from other commercial customers and as such can be used to share sensitive but unclassified government data. [...] But a misconfiguration left the server without a password, allowing anyone on the internet access to the sensitive mailbox data inside using only a web browser, just by knowing its IP address.

[...] The server was packed with internal military email messages, dating back years, some of which contained sensitive personnel information. One of the exposed files included a completed SF-86 questionnaire, which are filled out by federal employees seeking a security clearance and contain highly sensitive personal and health information for vetting individuals before they are cleared to handle classified information.

Crypto exchange Coinbase has confirmed that it was briefly compromised by the same attackers that targeted Twilio, Cloudflare, DoorDash, and more than a hundred other organizations last year. From a report: In a post-mortem of the incident published over the weekend, Coinbase said that the so-called '0ktapus' hackers stole the login credentials of one of its employees in an attempt to remotely gain access to the company's systems. 0ktapus is a hacking group that has targeted more than 130 organizations in 2022 as part of an ongoing effort to steal the credentials of thousands of employees, often by impersonating Okta log-in pages. That figure of 130 organizations is now likely much higher, as a leaked Crowdstrike report seen by TechCrunch claims that the gang is now targeting several tech and video game companies.

Google has released optimization features designed to improve battery life and memory usage on machines running the latest version of its Chrome desktop web browser. From a report: Chrome's new Energy Saver and Memory Saver modes were first announced in December last year alongside the release of Chrome 108, and now as noted by Android Police, the two optimization utilities are starting to roll out globally onto Chrome 110 desktops for Mac, Windows, and Chromebooks.

Memory Saver mode essentially snoozes Chrome tabs that aren't currently in use to free up RAM for more intensive tasks and create a smoother browsing experience. Don't worry if you're a tab hoarder though, as these inactive tabs are still visible and can be reloaded at any time to pick up where you left off. Your most used websites can also be marked as exempt from Memory Saver to ensure they're always running at the maximum possible performance.

New submitter calicuse writes: Microsoft's Outlook spam filters appear to be broken for many users today. I woke up to more than 20 junk messages in my Focused Inbox in Outlook this morning, and spam emails have kept breaking through on an hourly basis today. Many Outlook users in Europe have also spotted the same thing, with some heading to Twitter to complain about waking up to an inbox full of spam messages. Most of the messages that are making it into Outlook users' inboxes are very clearly spam. Today's issues are particularly bad, after weeks of the Outlook spam filter progressively deteriorating for me personally.

An anonymous reader shares a report: Did you force your PC to install Windows 11 despite it not meeting the official requirements? Microsoft might start nagging you for doing that -- or at least reminding you that what you've done is against the intended use of its operating system. The January 2023 Windows 11 update is pestering folks who forced the update on their PCs with a persistent watermark on the desktop warning that system requirements haven't been met. The story is circulating among Windows blogs, though I found a couple of instances of folks complaining about the watermark on the official Microsoft support forums.

The watermark says "system requirements not met" and is emblazoned on the desktop's lower right hand corner if the operating system notices that it's running on hardware that doesn't meet the minimum requirements. It's possible the culprit is the dedicated security processor, or TPM 2.0 (Trusted Platform Module) chip, used by services like BitLocker and Windows Hello. Microsoft requires this module before upgrading. It's why many PCs were rendered un-upgradeable when Windows 11 was announced. Most new CPUs and motherboards have capability for it built into them, but the feature wasn't a guaranteed inclusion prior to the Windows 11 launch.