Windows

Windows 11 Slapping a Watermark on 'Unsupported' PCs (gizmodo.com) 184

An anonymous reader shares a report: Did you force your PC to install Windows 11 despite it not meeting the official requirements? Microsoft might start nagging you for doing that -- or at least reminding you that what you've done is against the intended use of its operating system. The January 2023 Windows 11 update is pestering folks who forced the update on their PCs with a persistent watermark on the desktop warning that system requirements haven't been met. The story is circulating among Windows blogs, though I found a couple of instances of folks complaining about the watermark on the official Microsoft support forums.

The watermark says "system requirements not met" and is emblazoned on the desktop's lower right hand corner if the operating system notices that it's running on hardware that doesn't meet the minimum requirements. It's possible the culprit is the dedicated security processor, or TPM 2.0 (Trusted Platform Module) chip, used by services like BitLocker and Windows Hello. Microsoft requires this module before upgrading. It's why many PCs were rendered un-upgradeable when Windows 11 was announced. Most new CPUs and motherboards have capability for it built into them, but the feature wasn't a guaranteed inclusion prior to the Windows 11 launch.

Windows

Ask Slashdot: Should Production Networks Avoid Windows 11? 192

Slashdot reader John Smith 2294 is an IT consultant and system administrator "who started in the days of DEC VAX/VMS," now maintaining networks for small to medium businesses and non-profits. And they're sharing a concern with Slashdot.

"I object to Windows 11 insisting on an outlook.com / Microsoft Account OS login." Sure there are workarounds, but user action or updates can undo them. So I will not be using Windows 11 for science or business any more.... I will be using Win10 refurbs for as long as they are available, and then Mac Mini refurbs and Linux. My first Linux Mint user has been working happily for two months now and I have not heard a word from them.

So, as an IT Admin responsible for business or education networks of 20 users or more, will you be using Windows 11 on your networks or, like me, is this the end of the road for Windows for you too?

I'd thought their concern would be about Windows sending user data to third parties. But are these really big enough reasons for system administrators to be avoiding Windows 11 altogether?

Share your thoughts and experiences in the comments. Should production networks avoid Windows 11?
AI

CBS Explores Whether AI Will Eliminate Jobs -- Especially For Coders (cbsnews.com) 159

"All right, we're going to begin this hour with a question on many people's minds these days, amid all these major developments in the field of artificial intelligence. And that question is this: How long until the machines replace us, take our jobs?"

That's the beginning of a segment broadcast on CBS's morning-television news show (with the headline, "Will artificial intelligence erase jobs?"). Some excerpts:


"As artificial intelligence gets better.... job security is only supposed to get worse. And in reports like this one, of the top jobs our AI overlords plan to kill, coding or computing programming is often on the list. So with the indulgence of Sam Zonka, a coder and instructor at the General Assembly coding school in New York, I decided to test the idea of an imminent AI takeover -- by seeing if the software could code for someone who knows as little about computers as me -- eliminating the need to hire someone like him."

Gayle King: "So all this gobbledy-gook on the screen. That's what people who sit in these classrooms learn?"

"And I for one was prepared to be amazed. But take a look at the results. About as basic as a basic web site can be."

King: What do you think? You're the professional.
Zonka: Ehh.

[Microsoft CEO Satya Nadella also spoke to CBS right before the launch of its OpenAI-powered Bing search engine, arguing that AI will create more satisfaction in current jobs as well as more net new jobs -- and even helping the economy across the board. "My biggest worry," Nadella says, "is we need some new technology that starts driving real productivity. It's time for some real innovation."]

King: Do you think it'll drive up wages?
Nadella: I do believe it will drive up wages, because productivity and wages are related.


At the end of the report, King tells his co-anchors "In the long term, the research suggests Nadella is correct. In the long term, more jobs, more money. It's in the short-term that all the pain happens."

The report also features an interview with MIT economist David Autor, saying he believes the rise of AI "does indeed mean millions of jobs are going to change in our lifetime. And what's scary is we're just not sure how.... He points out, for example, that more than 60% of the types of jobs people are doing today didn't even exist in the 1940s -- while many of the jobs that did exist have been replaced."

There was also a quote from Meredith Whittaker (co-founder of the AI Now Institute and former FTC advisor), who notes that AI systems "don't replace human labor. They just require different forms of labor to sort of babysit them to train them, to make sure they're working well. Whose work will be degraded and whose house in the Hamptons will get another wing? I think that's the fundamental question when we look at these technologies and ask questions about work."

Later King tells his co-anchors that Whittaker's suggestion was for workers to organize to try to shape how AI systems are implemented in their workplace.

But at an open house for the General Assembly code camp, coder Zonka says on a scale of 1 to 10, his worry about AI was only a 2. "The problem is that I'm not entirely sure if the AI that would replace me is 10 years from now, 20 years from now, or 5 years from now."

So after speaking to all the experts, King synthesized what he'd learned. "Don't necessarily panic. You see these lists of all the jobs that are going to be eliminated. We're not very good at making those predictions. Things happen in different ways than we expect. And you could actually find an opportunity to make more money, if you figure out how you can complement the machine as opposed to getting replaced by the machine."
Businesses

Amazon Defends Decision to Require Employees in the Office 3 Days a Week (geekwire.com) 173

The Washington Post reports that Amazon has over 1 million workers worldwide — and they want most of them to be back in the office at least three days a week: In a note to employees, chief executive Andy Jassy said that the length of the pandemic had given senior managers time to observe what workplace models work best. They concluded that being in person most of the time had distinct benefits, allowing employees to more easily share ideas, collaborate, train new hires and connect. "Invention is often sloppy. It wanders and meanders and marinates," Jassy wrote. "Serendipitous interactions help it, and there are more of those in-person than virtually."

Amazon is just the latest major company to adopt some version of a return-to-work policy that requires workers to show up at the office for a certain number of days. Walt Disney Co. recently told its staffers to appear in the office four days a week. The Washington Post requires workers based in D.C. to report to headquarters three days a week....

Earlier this month, data tracked by Kastle Systems said 50 percent of workers were now back at their desks — and some experts think that's as high as it will go.

GeekWire notes that Apple has already asked employees to come in three days a week, something Google also expects from most of its staff. GeekWire's article adds that local business organizations applauded Amazon's move, with the Bellevue Chamber calling it "extraordinary news for the health and vitality in downtown." And the site also reports the various reasons Amazon's senior executives gave for favoring employees-in-the-office at least three days a week: "It's easier to learn, model, practice, and strengthen our culture when we're in the office together most of the time and surrounded by our colleagues."

"Collaborating and inventing is easier and more effective when we're in person. The energy and riffing on one another's ideas happen more freely."

"Learning from one another is easier in-person. Being able to walk a few feet to somebody's space and ask them how to do something or how they've handled a particular situation is much easier than Chiming or Slacking them."

"Teams tend to be better connected to one another when they see each other in person more frequently."

That thinking doubles down on a mindset that Jassy expressed before he took over as CEO in 2021 from Amazon founder Jeff Bezos. Jassy said in March 2021 that "invention" is hard to do virtually compared to people brainstorming together in person. "You just don't riff the same way," he said at the time, "so it's really changed the way that we've had to think about how we drive innovation, and how we solicit information from our builders and the types of meetings that we run."

Jassy said there will be a small minority of exceptions to the new return-to-office requirement and that Amazon plans to implement the change effective May 1.

The move takes effect May 1st.
Security

Atlassian and Envoy Briefly Blame Each Other For Data Breach (techcrunch.com) 6

An anonymous reader quotes a report from TechCrunch: Australian software giant Atlassian and Envoy, a startup that provides workplace management services, were at loggerheads on Thursday over a data breach that exposed the data of thousands of Atlassian employees. As first reported by Cyberscoop, a hacking group known as SiegedSec leaked data on Telegram this week that it claimed to have stolen from Atlassian. This data includes the names, email addresses, work departments and phone numbers of approximately 13,200 Atlassian employees, along with floor plans of Atlassian offices located in San Francisco and Sydney, Australia.

Atlassian was quick to point the finger of blame for the breach at Envoy, which the Sydney-headquartered company uses to organize its office spaces. "On February 15, 2023, we learned that data from Envoy, a third-party app that Atlassian uses to coordinate in-office resources, was compromised and published," Atlassian spokesperson Megan Sutton said in a statement shared with TechCrunch. "Atlassian product and customer data is not accessible via the Envoy app and therefore not at risk." Envoy, however, was just as quick to rebuff Atlassian's claims. Envoy spokesperson April Marks told TechCrunch that the startup is "not aware of any compromise to our systems," adding that initial research had shown that "a hacker gained access to an Atlassian employee's valid credentials to pivot and access the Atlassian employee directory and office floor plans held within Envoy's app."

Soon after the startup's denial, Atlassian changed its stance to align more closely with Envoy. Atlassian's Sutton told TechCrunch that the company's internal investigation since revealed that attackers had actually compromised Atlassian data from the Envoy app "using an Atlassian employee's credentials that had been mistakenly posted in a public repository by the employee." "As such, the hacking group had access to data visible via the employee account which included the published office floor plans and public Envoy profiles of other Atlassian employees and contractors," Sutton added. "The compromised employee's account was promptly disabled eliminating any further threat to Atlassian's Envoy data. Atlassian product and customer data is not accessible via the Envoy app and therefore not at risk."
In a statement to TechCrunch, Envoy's Marks ruled out a breach on its end: "We found evidence in the logs of requests that confirms the hackers obtained valid user credentials from an Atlassian employee account and used that access to download the affected data from Envoy's app."
Security

GoDaddy Says Hackers Stole Source Code, Installed Malware in Multi-Year Breach (bleepingcomputer.com) 23

Web hosting giant GoDaddy says it suffered a breach where unknown attackers have stolen source code and installed malware on its servers after breaching its cPanel shared hosting environment in a multi-year attack. From a report: While GoDaddy discovered the security breach in early December 2022 following customer reports that their sites were being used to redirect to random domains, the attackers had access to the company's network for multiple years. "Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy," the hosting firm said in an SEC filing. The company says that previous breaches disclosed in November 2021 and March 2020 are also linked to this multi-year campaign. The November 2021 incident led to a data breach affecting 1.2 million Managed WordPress customers after attackers breached GoDaddy's WordPress hosting environment using a compromised password. They gained access to the email addresses of all impacted customers, their WordPress Admin passwords, sFTP and database credentials, and SSL private keys of a subset of active clients.
IT

Disney's Top Asian Video Streaming Service Suffered Outage Due To Apparent Domain Renewal Miss (techcrunch.com) 10

Disney+ Hotstar suffered an outage for some users in India in the middle of a popular cricket match on Friday, drawing flak from customers at a time when the Disney crown jewel is already facing several setbacks in the South Asian market. From a report: It's unclear what prompted the glitch, which Hotstar acknowledged as "unforeseen technical issues" across its apps and web. Domain registrar records show that Hotstar renewed the domain name, Hotstar.com, on February 17. If Disney had briefly lost the ownership of the domain, it would take some time for the new change to reflect to all users.
Security

Researchers Unearth Windows Backdoor That's Unusually Stealthy (arstechnica.com) 33

Researchers have discovered a clever piece of malware that stealthily exfiltrates data and executes malicious code from Windows systems by abusing a feature in Microsoft Internet Information Services (IIS). From a report: IIS is a general-purpose web server that runs on Windows devices. As a web server, it accepts requests from remote clients and returns the appropriate response. In July 2021, network intelligence company Netcraft said there were 51.6 million instances of IIS spread across 13.5 million unique domains. IIS offers a feature called Failed Request Event Buffering that collects metrics and other data about web requests received from remote clients. Client IP addresses and port and HTTP headers with cookies are two examples of the data that can be collected. FREB helps administrators troubleshoot failed web requests by retrieving ones meeting certain criteria from a buffer and writing them to disk. The mechanism can help determine the cause of 401 or 404 errors or isolate the cause of stalled or aborted requests.

Criminal hackers have figured out how to abuse this FREB feature to smuggle and execute malicious code into protected regions of an already compromised network. The hackers can also use FREB to exfiltrate data from the same protected regions. Because the technique blends in with legitimate web requests, it provides a stealthy way to further burrow into the compromised network. The post-exploit malware that makes this possible has been dubbed Frebniis by researchers from Symantec, who reported on its use on Thursday. Frebniis first ensures FREB is enabled and then hijacks its execution by injecting malicious code into the IIS process memory and causing it to run. Once the code is in place, Frebniis can inspect all HTTP requests received by the IIS server.

Microsoft

Microsoft Outlines Official Support For Windows 11 on Mac with Apple Silicon (windowscentral.com) 53

Microsoft has outlined how users running Apple Silicon-based Macs can utilize Windows 11 in a new support document published today. The document explains how users running Mac devices with either M1 or M2 chips can use Windows 11, either via the cloud or using a local virtualization such as Parallels Desktop. From a report: Unfortunately, the document makes no mention of installing Windows 11 natively on Apple Silicon hardware. Apple's legacy Bootcamp application, which previously allowed Mac users to install Windows into its own bootable partition on a Mac, was removed when Apple transitioned to ARM processors. As of now, Microsoft points to Windows 365 as a potential solution for running Windows 11 on a Mac, using its enterprise service to stream a Windows 11 PC from the cloud. [...] For those users, Microsoft also mentions Parallels Desktop as a viable alternative. Version 18 of Parallels Desktop is now officially authorized to run Windows 11 on ARM on a Mac with M1 or M2 processors. This is the only way to officially run Windows 11 on ARM locally on a Mac with Apple Silicon.
Businesses

Inside Meta's Push To Solve the Noisy Office (wsj.com) 85

Coming to the campuses of Facebook parent Meta Platforms is a contraption that can block sound, shield workers from their peers and allow for heads-down, uninterrupted work. It's a cubicle. From a report: That is, a noise-canceling cubicle designed using some of the same principles found in soundproof, echo-free anechoic chambers. "The Cube," which the company is beginning to roll out to offices worldwide after months of development, absorbs sound from multiple directions, says John Tenanes, vice president of global real estate and facilities at Meta. "It's like a self-cocoon."

Meta's experiment comes as workplaces are in the midst of a shake-up. Like many other employers, Meta realized early in the pandemic that its open-plan arrangements would need to shift to accommodate a new hybrid era of work. In 2021, it asked 10 groups of architects, design firms and furniture manufacturers -- including MillerKnoll's Herman Miller, KI and others -- to build a new office set-up. They were given guiding principles to follow and eight weeks to do it. [...] The Cube began to take shape, in part, after one of Meta's furniture vendors brought in an early prototype of a movable screen. Engineers quickly gravitated to it, grabbing one or two at a time to essentially barricade themselves at their desks, Dr. Nagy says. Meta and its vendors refined the Cube, and its popularity became even more apparent during testing when workers began personalizing the spaces to effectively reserve them.

Security

Ransomware Gang Uses New Zero-Day To Steal Data On 1 Million Patients (techcrunch.com) 18

Community Health Systems (CHS), one of the largest healthcare providers in the United States with close to 80 hospitals in 16 states, confirmed this week that criminal hackers accessed the personal and protected health information of up to 1 million patients. TechCrunch reports: The Tennessee-based healthcare giant said in a filing with government regulators that the data breach stems from its use of a popular file-transfer software called GoAnywhere MFT, developed by Fortra (previously known as HelpSystems), which is deployed by large businesses to share and send large sets of data securely. Community Health Systems said that Fortra recently notified it of a security incident that resulted in the unauthorized disclosure of patient data. "As a result of the security breach experienced by Fortra, protected health information and personal information of certain patients of the company's affiliates were exposed by Fortra's attacker," according to the filing by Community Health Systems, which was first spotted by DataBreaches.net. The healthcare giant added that it would offer identity theft protection services and notify all affected individuals whose information was exposed, but said there had been no material interruption to its delivery of patient care.

CHS hasn't said what types of data were exposed and a spokesperson has not yet responded to TechCrunch's questions. This is CHS' second-known breach of patient data in recent years. The Russia-linked ransomware gang Clop has reportedly taken responsibility for exploiting the new zero-day in a new hacking campaign and claims to have already breached over a hundred organizations that use Fortra's file-transfer technology -- including CHS. While CHS has been quick to come forward as a victim, Clop's claim suggests there could be dozens more affected organizations out there -- and if you're one of the thousands of GoAnywhere users, your company could be among them. Thankfully, security experts have shared a bunch of information about the zero-day and what you can do to protect against it.
Security researcher Brian Krebs first flagged the zero-day vulnerability in Fortra's GoAnywhere software on February 2.

"A zero-day remote code injection exploit was identified in GoAnywhere MFT," Fortra said in its hidden advisory. "The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS)."
Security

City of Oakland Declares State of Emergency After Ransomware Attack (bleepingcomputer.com) 20

An anonymous reader quotes a report from BleepingComputer: Oakland has declared a local state of emergency because of the impact of a ransomware attack that forced the City to take all its IT systems offline on February 8th. Interim City Administrator G. Harold Duffey declared (PDF) a state of emergency to allow the City of Oakland to expedite orders, materials and equipment procurement, and activate emergency workers when needed. "Today, Interim City Administrator, G. Harold Duffey issued a local state of emergency due to the ongoing impacts of the network outages resulting from the ransomware attack that began on Wednesday, February 8," a statement issued today reads. The incident did not affect core services, with the 911 dispatch and fire and emergency resources all working as expected.

While last week's ransomware attack only impacted non-emergency services, many systems taken down immediately after the incident to contain the threat are still offline. The ransomware group behind the attack is currently unknown, and the City is yet to share any details regarding ransom demands or data theft from compromised systems. "The City's IT Department is working with a leading forensics firm to perform an extensive incident response and analysis, as well as with additional cybersecurity and technology firms on recovery and remediation efforts," the statement said. "This continues to be an ongoing investigation with multiple local, state, and federal agencies involved."

Security

Latest Attack on PyPI Users Shows Crooks Are Only Getting Better 21

More than 400 malicious packages were recently uploaded to PyPI (Python Package Index), the official code repository for the Python programming language, in the latest indication that the targeting of software developers using this form of attack isn't a passing fad. From a report: All 451 packages found recently by security firm Phylum contained almost identical malicious payloads and were uploaded in bursts that came in quick succession. Once installed, the packages create a malicious JavaScript extension that loads each time a browser is opened on the infected device, a trick that gives the malware persistence over reboots. The JavaScript monitors the infected developer's clipboard for any cryptocurrency addresses that may be copied to it. When an address is found, the malware replaces it with an address belonging to the attacker. The objective: intercept payments the developer intended to make to a different party.
IT

Lufthansa Says IT System Issues Are Grounding All Its Flights (bloomberg.com) 53

Deutsche Lufthansa has grounded all of its flights because of company computer issues. From a report: A Lufthansa spokesman said Wednesday the company is urgently investigating the matter. It wasn't immediately clear whether Lufthansa flights that were already airborne were instructed to land. Lufthansa's stable of airlines includes its namesake brand and the national flag-carriers Austrian Airlines, Brussels Airlines and Swiss. The company also operates low-cost carrier Eurowings as well as other smaller airlines. In total, the group operates around 700 aircraft, making it Europe's largest airline by fleet size.
Security

Viral TikTok Challenge Forces Hyundai and Kia To Update Software On Millions of Vehicles (theverge.com) 84

An anonymous reader quotes a report from The Verge: Hyundai and Kia are offering free software updates for millions of their cars in response to a rash of car thefts inspired by a viral social media challenge on TikTok. The so-called "Kia Challenge" on the social media platform has led to hundreds of car thefts nationwide, including at least 14 reported crashes and eight fatalities, according to the National Highway Traffic Safety Administration. Thieves known as "the Kia Boyz" would post instructional videos about how to bypass the vehicles' security system using tools as simple as a USB cable.

The thefts are reportedly easy to pull off because many 2015-2019 Hyundai and Kia vehicles lack electronic immobilizers that prevent thieves from simply breaking in and bypassing the ignition. The feature is standard equipment on nearly all vehicles from the same period made by other manufacturers. Hyundai and its subsidiary Kia are offering to update the "theft alarm software logic" to extend the length of the alarm sound from 30 seconds to one minute. The vehicles will also be updated to require a key in the ignition switch to turn the vehicle on. The software upgrade modifies certain vehicle control modules on Hyundai vehicles equipped with standard "turn-key-to-start" ignition systems. As a result, locking the doors with the key fob will set the factory alarm and activate an "ignition kill" feature so the vehicles cannot be started when subjected to the popularized theft mode. Customers must use the key fob to unlock their vehicles to deactivate the "ignition kill" feature.

There hasn't been a nationwide accounting of how many Hyundai and Kia vehicles have been stolen, but stats from individual cities provide some sense of how viral the trend has become. In Milwaukee, for example, police report that 469 Kias and 426 Hyundais were stolen in 2020. Those numbers spiked the following year to 3,557 Kias and 3,406 Hyundais, according to NPR. Approximately 3.8 million Hyundais and 4.5 million Kias are eligible for the software update free of charge, for a total of 8.3 million cars. Vehicle owners are instructed to take their cars to a local dealership, where technicians will install the upgrades in less than an hour. The upgraded vehicles will also get a window decal indicating they've been equipped with anti-theft technology.

IT

Arkansas Proposes Requiring ID To Watch Porn Online (vice.com) 210

A new bill advancing through the Arkansas legislature aims to make it harder for people to access porn sites. From a report: Senate Bill 66, the Protection of Minors from Distribution of Harmful Material Act, would require anyone in Arkansas to provide a "digitized identification card" before viewing a site that contains more than 33.33 percent of "harmful material." That arbitrarily-defined number, and the language of the bill itself, is a copycat of a recently-enacted law in Louisiana that blocks people from seeing porn if they don't hand over official identification. SB66 was filed in the Arkansas Senate in January, and passed to the House on February 1.
Businesses

Microsoft Ditches Yammer Brand and Goes All-in on Viva Engage (techcrunch.com) 28

Microsoft has confirmed that it's finally killing off Yammer, the enterprise social network it procured more than a decade ago for $1.2 billion. From a report: Yammer was initially created out of San Francisco back in 2008, with cofounder David Sacks formally launching the startup at a TechCrunch startup event. The company went on to raise north of $140 million in funding before Microsoft swooped in with its billion-dollar bid four years after its launch. In many ways, it's surprising that the Yammer brand has lasted this long.

Despite Microsoft's best efforts to bring Yammer to the masses by integrating it into its core Office suite of products, Microsoft has set about developing tangential communication tools such as Microsoft Teams, which the company integrated with Yammer in 2019. And then two years ago, Microsoft launched Viva, pitched as an "employee experience platform" that was something akin to the corporate intranet of yore. In the intervening months, Microsoft has been turbo-charging Viva, and last year it launched Viva Engage, which it said at the time was an "evolution of the Yammer Communities app."

Cloud

Arlo's Security Cameras Will Keep Free Cloud Storage For Existing Customers After All (theverge.com) 21

Security camera company Arlo is reversing course on its controversial decision to apply a retroactive end-of-life policy to many of its popular home security cameras. The Verge reports: On Friday, Arlo CEO Matthew McRae posted a thread on Twitter, announcing that the company will not remove free storage of videos for existing customers and that it is extending the EOL dates for older cameras a further year to 2025. He also committed to sending security updates to these cameras until 2026. The end-of-life policy was due to go into effect January 1st, 2023, and removed a big selling point -- seven-day free cloud storage -- for many Arlo cams. McRae now says all users with the seven-day storage service will "continue to receive that service uninterrupted." But he did note that "any future migrations will be handled in a seamless manner," indicating there are changes coming still.

The thread did not provide details on specific models other than using the Arlo Pro 2 as an example of a camera that will now EOL in 2025 instead of 2024, as previously announced, with security updates continuing until 2026. There was also no update on the plans to remove other features, such as email notifications and E911 emergency calling, or whether "legacy video storage" will remain. The EOL policy applied to the following devices: Arlo Gen 3, Arlo Pro, Arlo Baby, Arlo Pro 2, Arlo Q, Arlo Q Plus, Arlo Lights, and Arlo Audio Doorbell.

Security

NameCheap's Email Hacked To Send Metamask, DHL Phishing Emails (bleepingcomputer.com) 11

An anonymous reader quotes a report from BleepingComputer: Domain registrar Namecheap had their email account breached Sunday night, causing a flood of MetaMask and DHL phishing emails that attempted to steal recipients' personal information and cryptocurrency wallets. The phishing campaigns started around 4:30 PM ET and originated from SendGrid, an email platform used historically by Namecheap to send renewal notices and marketing emails. After recipients began complaining on Twitter, Namecheap CEO Richard Kirkendall confirmed that the account was compromised and that they disabled email through SendGrid while they investigated the issue.

Namecheap published a statement Sunday night stating that their systems were not breached but rather it was an issue at an upstream system that they use for email. "We have evidence that the upstream system we use for sending emails (third-party) is involved in the mailing of unsolicited emails to our clients. As a result, some unauthorized emails might have been received by you," reads a statement issued by Namecheap. "We would like to assure you that Namecheap's own systems were not breached, and your products, accounts, and personal information remain secure." After the phishing incident, Namecheap says they stopped all emails, including two-factor authentication code delivery, trusted devices' verification, and password reset emails, and began investigating the attack with their upstream provider. Services were restored later that night at 7:08 PM EST.

While Namecheap did not state the name of this upstream system, the CEO of Namecheap previously tweeted that they were using SendGrid, which is also confirmed in the phishing emails' mail headers. However, Twilio SendGrid told BleepingComputer that Namecheap's incident was not the result of a hack or compromise of the email service provider's systems, adding more confusion as to what happened: "Twilio SendGrid takes fraud and abuse very seriously and invests heavily in technology and people focused on combating fraudulent and illegal communications. We are aware of the situation regarding the use of our platform to launch phishing email and our fraud, compliance and cyber security teams are engaged in the matter. This situation is not the result of a hack or compromise of Twilio's network. We encourage all end users and entities to take a multi-pronged approach to combat phishing attacks, deploying security precautions such as two factor authentication, IP access management, and using domain-based messaging. We are still investigating the situation and have no additional information to provide at this time."

Encryption

Will Quantum Computing Bring a Cryptopocalypse? (securityweek.com) 71

"The waiting time for general purpose quantum computers is getting shorter, but they are still probably decades away," notes Security Week.

But "The arrival of cryptanalytically-relevant quantum computers that will herald the cryptopocalypse will be much sooner — possibly less than a decade."

It is important to note that all PKI-encrypted data that has already been harvested by adversaries is already lost. We can do nothing about the past; we can only attempt to protect the future.... [T]his is not a threat for the future — the threat exists today. Adversaries are known to be stealing and storing encrypted data with the knowledge that within a few years they will be able to access the raw data. This is known as the 'harvest now, decrypt later' threat. Intellectual property and commercial plans — not to mention military secrets — will still be valuable to adversaries when the cryptopocalypse happens.

The one thing we can say with certainty is that it definitely won't happen in 2023 — probably. That probably comes from not knowing for certain what stage in the journey to quantum computing has been achieved by foreign nations or their intelligence agencies — and they're not likely to tell us. Nevertheless, it is assumed that nobody yet has a quantum computer powerful enough to run Shor's algorithm and crack PKI encryption in a meaningful timeframe. It is likely that such computers may become available as soon as three to five years. Most predictions suggest ten years.

Note that a specialized quantum computer designed specifically for Shor does not need to be as powerful as a general-purpose quantum computer — which is more likely to be 20 to 30 years away.... "Quantum computing is not, yet, to the point of rendering conventional encryption useless, at least that we know of, but it is heading that way," comments Mike Parkin, senior technical engineer at Vulcan Cyber. Skip Sanzeri, co-founder and COO at QuSecure, warns that the threat to current encryption is not limited to quantum decryption. "New approaches are being developed promising the same post-quantum cybersecurity threats as a cryptographically relevant quantum computer, only much sooner," he said. "It is also believed that quantum advancements don't have to directly decrypt today's encryption. If they weaken it by suggesting or probabilistically finding some better seeds for a classical algorithm (like the sieve) and make that more efficient, that can result in a successful attack. And it's no stretch to predict, speaking of predictions, that people are going to find ways to hack our encryption that we don't even know about yet."

Steve Weston, co-founder and CTO at Incrypteon, offers a possible illustration. "Where is the threat in 2023 and beyond?" he asks. "Is it the threat from quantum computers, or is the bigger threat from AI? An analysis of cryptanalysis and code breaking over the last 40 years shows how AI is used now, and will be more so in the future."

The article warns that "the coming cryptopocalypse requires organizations to transition from known quantum-vulnerable encryption (such as current PKI standards) to something that is at least quantum safe if not quantum secure." (The chief revenue officer at Quintessence Labs tells the site that symmetric encryption like AES-256 "is theorized to be quantum safe, but one can speculate that key sizes will soon double.")

"The only quantum secure cryptography known is the one-time pad."

Thanks to Slashdot reader wiredmikey for sharing the article.
