Microsoft

Microsoft Disputes Severity of Four Zero-Day Vulnerabilities Found in Exchange by Trend Micro (bleepingcomputer.com) 26

"Microsoft Exchange is impacted by four zero-day vulnerabilities that attackers can exploit remotely to execute arbitrary code or disclose sensitive information on affected installations," reports Bleeping Computer, citing disclosures Thursday from Trend Micro's Zero Day Initiative, who reported them to Microsoft on September 7th and 8th, 2023.

In an email to the site, a Microsoft spokesperson said customers who applied the August Security Updates are already protected from the first vulnerability, while the other three require attackers to have prior access to email credentials. (And for two of them no evidence was presented that it can be leveraged to gain elevation of privilege.)

"We've reviewed these reports and have found that they have either already been addressed, or do not meet the bar for immediate servicing under our severity classification guidelines and we will evaluate addressing them in future product versions and updates as appropriate."

From Bleeping Computer's report: ZDI disagreed with this response and decided to publish the flaws under its own tracking IDs to warn Exchange admins about the security risks... All these vulnerabilities require authentication for exploitation, which reduces their severity CVSS rating to between 7.1 and 7.5... It should be noted, though, that cybercriminals have many ways to obtain Exchange credentials, including brute-forcing weak passwords, performing phishing attacks, purchasing them, or acquiring them from info-stealer logs...

ZDI suggests that the only salient mitigation strategy is to restrict interaction with Exchange apps. However, this can be unacceptably disruptive for many businesses and organizations using the product. We also suggest implementing multi-factor authentication to prevent cybercriminals from accessing Exchange instances even when account credentials have been compromised.

Security

Okta Breach: 134 Customers Exposed in October Support System Hack 13

Okta says attackers who breached its customer support system last month gained access to files belonging to 134 customers, five of them later being targeted in session hijacking attacks with the help of stolen session tokens. From a report: "From September 28, 2023 to October 17, 2023, a threat actor gained unauthorized access to files inside Okta's customer support system associated with 134 Okta customers, or less than 1% of Okta customers," Okta revealed. "Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks. The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers, 3 of whom have shared their own response to this event." The three Okta customers that already disclosed they were targeted due to the company's October security breach are 1Password, BeyondTrust, and Cloudflare. They all notified Okta of suspicious activity after detecting unauthorized attempts to log into in-house Okta administrator accounts.
Security

Fusus' AI-Powered Cameras Are Spreading Across the United States 33

An anonymous reader quotes a report from 404 Media: Spread across four computer monitors arranged in a grid, a blue and green interface shows the location of more than 50 different surveillance cameras. Ordinarily, these cameras and others like them might be disparate, their feeds only available to their respective owners: a business, a government building, a resident and their doorbell camera. But the screens, overlooking a pair of long conference tables, bring them all together at once, allowing law enforcement to tap into cameras owned by different entities around the entire town all at once. This is a demonstration of Fusus, an AI-powered system that is rapidly springing up across small town America and major cities alike. Fusus' product not only funnels live feeds from usually siloed cameras into one central location, but also adds the ability to scan for people wearing certain clothes, carrying a particular bag, or look for a certain vehicle.

404 Media has obtained a cache of internal emails, presentations, memos, photos, and more which provide insight into how Fusus teams up with police departments to sell its surveillance technology. All around the country, city councils are debating whether they want to have a system that qualitatively changes what surveillance cameras mean for a town's residents and public agencies. While many have adopted Fusus, others have pushed back, and refused to have the hardware and software installed in their neighborhoods. In some ways, Fusus is deploying smart camera technology that historically has been used in places like South Africa, where experts warned about it creating an ever present blanket of surveillance. Now, tech with some of the same capabilities is being used across small town America.

Rather than selling cameras themselves, Fusus' hardware and software latches onto existing installations, which can include government-owned surveillance cameras as well as privately owned cameras at businesses and homes. It turns dumb cameras into smart ones. "In essence, the Fusus solution puts a brain into every camera connected with the system," one memorandum obtained by 404 Media reads.
In addition to integrating with existing surveillance installations, Fusus' hardware, called SmartCORE, can turn cameras into automatic license plate readers (ALPRs). It can reportedly offer facial recognition features, too, although Fusus hasn't provided clear clarification on this matter.

The report says the system has been adopted by numerous police departments across the United States, with approximately 150 jurisdictions using Fusus. Orland Park police have called it a "game-changer." It's also being used internationally, launching in the United Kingdom.

Here's what Beryl Lipton, investigative researcher at the Electronic Frontier Foundation (EFF), had to say about it: "The lack of transparency and community conversation around Fusus exacerbates concerns around police access of the system, AI analysis of video, and analytics involving surveillance and crime data, which can influence officer patrols and priorities. In the absence of clear policies, auditable access logs, and community transparency about the capabilities and costs of Fusus, any community in which this technology is adopted should be concerned about its use and abuse."
China

US House Panel Seeks Ban On Federal Purchases of China Drones (reuters.com) 33

David Shepardson reports via Reuters: The top members of a U.S. House committee on China are introducing a bill that seeks to ban the U.S. government from buying Chinese drones. Mike Gallagher, the Republican chair of the committee, and Raja Krishnamoorthi, the ranking Democrat, are introducing the "American Security Drone Act" on Wednesday, the lawmakers said in a statement to Reuters. "This bill would prohibit the federal government from using American taxpayer dollars to purchase this equipment from countries like China," Gallagher said. "It is imperative that Congress pass this bipartisan bill to protect U.S. interests and our national security supply chain."

The bill would also bar local and state governments from purchasing Chinese drones using federal grants and require a federal report detailing the amount of foreign commercial off-the-shelf drones and covered unmanned aircraft systems procured by federal departments and agencies from China. Krishnamoorthi said the bill "helps protect against any vulnerabilities posed by our government agencies' reliance on foreign-manufactured drone technology and will encourage growth in the U.S. drone industry."

Separately, the U.S. Senate on Tuesday unanimously approved an amendment proposed by Republican Senator Marsha Blackburn and Democrat Mark Warner that would prohibit the Federal Aviation Administration (FAA) from operating or providing federal funds for drones produced in China, Russia, Iran, North Korea, Venezuela or Cuba. "Taxpayer dollars should never fund drones manufactured in regions that are hostile toward our nation," Blackburn said. China recently announced export controls on some drones and drone-related equipment, saying it wanted to safeguard "national security and interests."
The U.S. Commerce Department in 2020 added dozens of Chinese companies to a trade blacklist, including the country's top chipmaker SMIC and Chinese drone giant DJI.
Microsoft

Microsoft Warns It May 'Throttle' Its Generative AI Services for 'Excessive' Users (theregister.com) 15

Microsoft has changed the terms and conditions for its online services to include a warning that "excessive" users of its generative AI services will have their access restricted. From a report: The new language appeared in a November 1 update to Microsoft's legalese spotted by licensing-watchers Cloudy With A Chance Of Licensing. The restrictions are described in a new clause of the document titled "Capacity Limitations," is: "Excessive use of a Microsoft Generative AI Service may result in temporary throttling of Customer's access to the Microsoft Generative AI Service." The document does not, however, define "excessive use", how long a "temporary" restriction might last, or exactly what happens during "throttling."
Chrome

Chrome Not Proceeding With Web Integrity API Deemed By Many To Be DRM (9to5google.com) 24

An anonymous reader shares a report: Back in July, Google's work on a Web Integrity API emerged and many equated it to DRM. While prototyped, it was only at the proposal stage and the company announced today it's not going ahead with it. With this proposal, Google wanted to give websites a way to confirm the authenticity of the user and their device/browser.

The Web Integrity API would let websites "request a token that attests key facts about the environment their client code is running in." It's not all too different from the Play Integrity API (SafetyNet) on Android that Google Wallet and other banking apps use to make sure a device hasn't been tampered with (rooted).

Privacy

Brave Responds To Bing and ChatGPT With a New 'Anonymous and Secure' AI Chatbot (theverge.com) 11

The Brave browser is rolling out a privacy-focused AI assistant named Leo, which the company claims provides "unparalleled privacy" compared to AI chatbot services likes Bing Chat, ChatGPT, Google Bard and others. The Verge reports: Following several months of testing, Leo is now available to use for free by all Brave desktop users running version 1.60 of the web browser. Leo is rolling out "in phases over the next few days" and will be available on Android and iOS "in the coming months."

The core features of Leo aren't too dissimilar from other AI chatbots like Bing Chat and Google Bard: it can translate, answer questions, summarize webpages, and generate new content. Brave says the benefits of Leo over those offerings are that it aligns with the company's focus on privacy -- conversations with the chatbot are not recorded or used to train AI models, and no login information is required to use it. As with other AI chatbots, however, Brave claims Leo's outputs should be "treated with care for potential inaccuracies or errors."

The standard version of Leo utilizes Meta's Llama 2 large language model and is free to use by default. For users who prefer to access a different AI language model, Brave is also introducing Leo Premium, a $15 monthly subscription that features Anthropic's AI assistant, Claude Instant -- a faster and cheaper version of Anthropic's Claude 2 large language model. Brave says that additional models will be available to Leo Premium users alongside access to higher-quality conversations, priority queuing during peak usage, higher rate limits, and early access to new features.

IT

Cloudflare Dashboard and APIs Down After Data Center Power Outage (bleepingcomputer.com) 22

An ongoing Cloudflare outage has taken down many of its products, including the company's dashboard and related application programming interfaces (APIs) customers use to manage and read service configurations. From a report: The complete list of services whose functionality is wholly or partially impacted includes the Cloudflare dashboard, the Cloudflare API, Logpush, WARP / Zero Trust device posture, Stream API, Workers API, and the Alert Notification System. "This issue is impacting all services that rely on our API infrastructure including Alerts, Dashboard functionality, Zero Trust, WARP, Cloudflared, Waiting Room, Gateway, Stream, Magic WAN, API Shield, Pages, Workers," Cloudflare said. "Customers using the Dashboard / Cloudflare APIs are impacted as requests might fail and/or errors may be displayed."

Customers currently have issues when attempting to log into their accounts and are seeing 'Code: 10000' authentication errors and internal server errors when trying to access the Cloudflare dashboard. Cloudflare says the service issues don't affect the cached file delivery via the Cloudflare CDN or Cloudflare Edge security features.

Microsoft

Microsoft Overhauling Its Software Security After Major Azure Cloud Attacks (theverge.com) 40

An anonymous reader shares a report: Microsoft has had a rough few years of cybersecurity incidents. It found itself at the center of the SolarWinds attack nearly three years ago, one of the most sophisticated cybersecurity attacks we've ever seen. Then, 30,000 organizations' email servers were hacked in 2021 thanks to a Microsoft Exchange Server flaw. If that weren't enough already, Chinese hackers breached US government emails via a Microsoft cloud exploit earlier this year. Something had to give.

Microsoft is now announcing a huge cybersecurity effort, dubbed the Secure Future Initiative (SFI). This new approach is designed to change the way Microsoft designs, builds, tests, and operates its software and services today. It's the biggest change to security efforts inside Microsoft since the company announced its Security Development Lifecycle (SDL) in 2004 after Windows XP fell victim to a huge Blaster worm attack that knocked PCs offline in 2003. That push came just two years after co-founder Bill Gates had called on a trustworthy computing initiative in an internal memo.

Microsoft now plans to use automation and AI during software development to improve the security of its cloud services, cut the time it takes to fix cloud vulnerabilities, enable better security settings out of the box, and harden its infrastructure to protect against encryption keys falling into the wrong hands. In an internal memo to Microsoft's engineering teams today, the company's leadership has outlined its new cybersecurity approach. It comes just months after Microsoft was accused of "blatantly negligent" cybersecurity practices related to a major breach that targeted its Azure platform. Microsoft has faced mounting criticism of its handling of a variety of cybersecurity issues in recent years.

Bug

Millions of Fruit Flies Will Be Dropped On Los Angeles (thehill.com) 84

"Earlier this month, the California Department of Food and Agriculture quarantined 69 square miles of metro L.A. after invasive and destructive Mediterranean fruit flies were found at a home in the Leimert Park neighborhood," notes The Hill. Officials are now planning to use small planes to drop millions of fruit flies over Los Angeles in an effort to eradicate an invasive and destructive species of the insects. From the report: Jay Van Rein, a spokesperson for the CDFA, told SFGATE that officials plan to drop approximately 250,000 sterile male fruit flies per square mile in the quarantine area every week for six months, or perhaps longer. The sterile males mate with the females, which fail to produce offspring, reducing the population over time. Van Rein says the Preventative Release Program (PRP), as it's called, has been used effectively to manage invasive species since 1996.

The quarantine radius includes parts of downtown and South L.A., Hyde Park, Baldwin Hills, Culver City, Inglewood, Pico-Robertson and Mid-Wilshire. Those who live within the zone are urged not to transport any fruits or vegetables from their property and to double-bag them in plastic before tossing them in the trash. The Mediterranean fruit fly is very tiny -- only about 1/4 inch in length -- but they can potentially cause hundreds of millions of dollars in damage to crops if left unchecked, officials said. When a female lays eggs in a fruit or vegetable, they hatch into maggots that tunnel through it and cause rot.

Bug

Asahi Linux Goes From Apple Silicon Port Project To macOS Bug Hunters (theregister.com) 33

Richard Speed reports via The Register: Asahi Linux, a project to port Linux to Apple Silicon Macs, has reported a combination of bugs in Apple's macOS that could leave users with hardware in a difficult-to-recover state. The issues revolve around how recent versions of macOS handle refresh rates, and MacBook Pro models with ProMotion displays (the 14 and 16-inch versions) are affected. According to the Asahi team, the bugs lurk in the upgrade and boot process and, when combined, can create a condition where a machine always boots to a black screen, and a Device Firmware Update (DFU) recovery is needed.

Asahi Linux's techies have looked into the issue, having first suspected it had something to do with either having an Asahi Linux installation on a Mac and then upgrading to macOS Sonoma or installing Asahi Linux after a Sonoma upgrade. However, the issue appears to be unconnected to the project. The team said: "As far as we can tell, ALL users who upgraded to Sonoma the normal way have an out-of-date or even broken System RecoveryOS, and in particular MacBook Pro 14" and 16" owners are vulnerable to ending up with a completely unbootable system." While this might sound alarming, the team was at pains to assure users that data was not at risk and only certain versions of macOS were affected -- Sonoma 14.0+ and Ventura 13.6+.

The first bug is related to macOS Sonoma using the previously installed version as System Recovery, which can cause problems when an older RecoveryOS runs into newer firmware. The second occurs if a display is configured to a refresh rate other than ProMotion. According to the Asahi Linux team, the system will no longer be able to boot into old macOS installs or Asahi Linux. "This includes recovery mode when those systems are set as the default boot OS, and also System Recovery at least until the next subsequent OS upgrade."
The team noted: "Even users with just 13.6 installed single-boot are affected by this issue (no Asahi Linux needed).

"We do not understand how Apple managed to release an OS update that, when upgraded to normally, leaves machines unbootable if their display refresh rate is not the default. This seems to have been a major QA oversight by Apple."
Iphone

Mass Lawsuit Against Apple Over iPhone Batteries Can Go Ahead, London Tribunal Rules (reuters.com) 20

Apple on Wednesday lost a bid to block a mass London lawsuit worth up to $2 billion which accuses the tech giant of hiding defective batteries in millions of iPhones. From a report: The lawsuit was brought by British consumer champion Justin Gutmann on behalf of around 24 million iPhone users in the United Kingdom. Gutmann is seeking damages from Apple on their behalf of up to 1.6 billion pounds ($1.9 billion) plus interest, with the claim's midpoint range being 853 million pounds. His lawyers argued Apple concealed issues with batteries in certain phone models by "throttling" them with software updates and installed a power management tool which limited performance.

Apple, however, said the lawsuit was "baseless" and strongly denied batteries in iPhones were defective, apart from in a small number of iPhone 6s models for which it offered free battery replacements. The company sought to get the case thrown out of court, but the Competition Appeal Tribunal (CAT) said Gutmann's case can proceed in a written ruling on Wednesday.

Microsoft

Microsoft Calls Time on Windows Insider MVP Program (theregister.com) 12

Microsoft has decided to axe the Windows Insider MVP program, which is now scheduled to be discontinued at the end of the year. From a report: A Microsoft spokesperson told The Register: "In an effort to consolidate MVP-style programs across Microsoft, we have decided to retire the Windows Insider MVP Program effective December 31, 2023. All our existing Windows Insider MVPs will be nominated to participate in the Microsoft MVP Program which has similar benefits and opportunities to continue networking with us and interacting with many other Microsoft MVPs globally."

The Windows Insider MVPs are usually enthusiasts of Microsoft's wares who are rewarded for their loyalty with access to the engineering teams, complimentary subscriptions to products such as Visual Studio Enterprise and Office 365, as well as the odd paperweight or two. A nomination must come from another MVP or a Microsoft employee to achieve this coveted status. An application is then scrutinized, and if one has demonstrated sufficient passion for all things Microsoft, the nod is given. Microsoft has plenty of Insider programs where users can play with pre-release versions of the company's software.

Crime

Two Russian Nationals Charged For Hacking Taxi System At JFK Airport (theregister.com) 48

Thomas Claburn reports via The Register: For a period of two years between September 2019 and September 2021, two Americans and two Russians allegedly compromised the taxi dispatch system at John F. Kennedy International Airport in New York to sell cabbies a place at the front of the dispatch line. The two Russian nationals, Aleksandr Derebenetc and Kirill Shipulin, were indicted by a grand jury for conspiring to commit computer intrusions, the US Justice Department said on Tuesday. They remain at large. In early October, the two American nationals, Daniel Abayev and Peter Leyman, who were indicted last year, pleaded guilty, each to one count of conspiring to commit computer intrusions.

The scheme represented an attempt to monetize the demand among taxi drivers for lucrative airport fares -- the current flat rate for JFK to Manhattan is $70 plus additional charges. As described in the indictment (PDF), taxi drivers are required to wait in a holding lot at JFK, often for several hours, before being dispatched in the order of their arrival to airport terminals. And because time spent waiting in line is not paid, drivers have a financial incentive to avoid waiting in line. The conspirators allegedly developed a plan to hack the dispatch system around September 2019. The indictment describes several approaches that were tried, "including bribing someone to insert a flash drive containing malware into computers connected to the dispatch system, obtaining unauthorized access to the dispatch system via a Wi-Fi connect, and stealing computer tablets connected to the dispatch system."

The government's filing suggests that the group gained and lost access to the dispatch system several times. When they did have access, the alleged conspirators offered to move drivers to the front of the dispatch queue for a $10 fee, and waived the fee for those who found other drivers willing to pay to play. Many drivers took advantage of the service. According to the Justice Department, the group booked 2,463 queue cuts in a single week around December 2019. The scheme allegedly enabled as many as 1,000 trips per day that skipped the queue at JFK. The American conspirators are said to have collected the money from participating drivers and to have sent payments to the alleged Russian conspirators, describing the money transfers as "payment for software development" or "payment for services rendered." The indictment indicates that the Russians received more than $100,000 for their work. If apprehended -- which appears unlikely given current US relations with Russia -- the Russians face charges that carry a maximum sentence of ten years in prison. Abayev and Leyman each face up to five years in prison. They're scheduled to be sentenced early next year.

Security

[Dot]US Harbors Prolific Malicious Link Shortening Service (krebsonsecurity.com) 17

Security reporter Brian Krebs: The top-level domain for the United States -- .US -- is home to thousands of newly-registered domains tied to a malicious link shortening service that facilitates malware and phishing scams, new research suggests. The findings come close on the heels of a report that identified .US domains as among the most prevalent in phishing attacks over the past year. Researchers at Infoblox say they've been tracking what appears to be a three-year-old link shortening service that is catering to phishers and malware purveyors. Infoblox found the domains involved are typically three to seven characters long, and hosted on bulletproof hosting providers that charge a premium to ignore any abuse or legal complaints. The short domains don't host any content themselves, but are used to obfuscate the real address of landing pages that try to phish users or install malware.

Infoblox says it's unclear how the phishing and malware landing pages tied to this service are being initially promoted, although they suspect it is mainly through scams targeting people on their phones via SMS. A new report says the company mapped the contours of this link shortening service thanks in part to pseudo-random patterns in the short domains, which all appear on the surface to be a meaningless jumble of letters and numbers. "This came to our attention because we have systems that detect registrations that use domain name generation algorithms," said Renee Burton, head of threat intelligence at Infoblox. "We have not found any legitimate content served through their shorteners."

Apple

Apple M3 Pro Chip Has 25% Less Memory Bandwidth Than M1/M2 Pro (macrumors.com) 78

Apple's latest M3 Pro chip in the new 14-inch and 16-inch MacBook Pro has 25% less memory bandwidth than the M1 Pro and M2 Pro chips used in equivalent models from the two previous generations. From a report: Based on the latest 3-nanometer technology and featuring all-new GPU architecture, the M3 series of chips is said to represent the fastest and most power-efficient evolution of Apple silicon thus far. For example, the 14-inch and 16-inch MacBook Pro with M3 Pro chip is up to 40% faster than the 16-inch model with M1 Pro, according to Apple.

However, looking at Apple's own hardware specifications, the M3 Pro system on a chip (SoC) features 150GB/s memory bandwidth, compared to 200GB/s on the earlier M1 Pro and M2 Pro. As for the M3 Max, Apple says it is capable of "up to 400GB/s." This wording is because the less pricey scaled-down M3 Max with 14-core CPU and 30-core GPU has only 300GB/s of memory bandwidth, whereas the equivalent scaled-down M2 Max with 12-core CPU and 30-core GPU featured 400GB/s bandwidth, just like its more powerful 12-core CPU, 38-core GPU version.

Notably, Apple has also changed the core ratios of the higher-tier M3 Pro chip compared to its direct predecessor. The M3 Pro with 12-core CPU has 6 performance cores (versus 8 performance cores on the 12-core M2 Pro) and 6 efficiency cores (versus 4 efficiency cores on the 12-core M2 Pro), while the GPU has 18 cores (versus 19 on the equivalent M2 Pro chip).

Security

Alliance of 40 Countries To Vow Not To Pay Ransom To Cybercriminals, US Says (reuters.com) 52

Forty countries in a U.S.-led alliance plan to sign a pledge never to pay ransom to cybercriminals and to work toward eliminating the hackers' funding mechanism, a senior White House official said on Tuesday. From a report: The International Counter Ransomware Initiative comes as the number of ransomware attacks grows worldwide. The United States is by far the worst hit, with 46% of such attacks, Anne Neuberger, U.S. deputy national security adviser in the Biden administration for cyber and emerging technologies, told reporters on a virtual briefing. "As long as there is money flowing to ransomware criminals, this is a problem that will continue to grow," she said.
Privacy

Apple Warns Indian Opposition Leaders of State-Sponsored iPhone Attacks (techcrunch.com) 29

Apple has warned over a half dozen Indian lawmakers from Prime Minister Narendra Modi's main opposition of their iPhones being targets of state-sponsored attacks, these people said Tuesday, in a remarkable turn of events just months before the general elections in the South Asian nation. From a report: Rahul Gandhi, Indian opposition leader, said in a media briefing Tuesday that his team had received the said alert from Apple. Shashi Tharoor, a key figure from the Congress party; Akhilesh Yadav, the head of the Samajwadi Party; Mahua Moitra, a national representative from the All India Trinamool Congress; Priyanka Chaturvedi of Shiv Sena, a party with notable influence in Maharashtra reported that they too had been notified by Apple regarding a potential security attack on their iPhones. Asaduddin Owaisi, the leader of the All-India Majlis-e-Ittehadul Muslimeen (AIMIM); Raghav Chadha from AAP, originating from an anti-corruption crusade a decade prior and later securing a political foothold in the national capital region; Sitaram Yechury, the General Secretary of the Communist Party of India; alongside Congress spokesperson Pawan Khera were also impacted, they said. Journalists Siddharth Varadarajan and Sriram Karri, along with Observer Research Foundation (ORF) India President Samir Saran shared that they had been served with identical warnings from Apple.
Android

Google Promises a Rescue Patch For Android 14's 'Ransomware' Bug (arstechnica.com) 33

Google says it'll issue a system update to fix a major storage bug in Android 14 that has caused some users to be locked out of their devices. Ars Technica reports: Apparently one more round of news reports was enough to get the gears moving at Google. Over the weekend the Issue tracker bug has been kicked up from a mid-level "P2" priority to "P0," the highest priority on the issue tracker. The bug has been assigned to someone now, and Googlers have jumped into the thread to make official statements that Google is looking into the matter. Here's the big post from Google on the bug tracker [...]. The highlights here are that Google says the bug affects devices with multiple Android users, not multiple Google accounts or (something we thought originally) users with work profiles. Setting up multiple users means going to the system settings, then "Multiple users," then "Allow multiple users," and you can add a user other than the default one. If you do this, you'll have a user switcher at the bottom of the quick settings. Multiple users all have separate data, separate apps, and separate Google accounts. Child users are probably the most popular reason to use this feature since you can lock kids out of things, like purchasing apps.

Shipping a Google Play system update as a quick Band-Aid is an interesting solution, but as Google's post suggests, this doesn't mean the problem is fixed. Play system updates (these are alternatively called Project Mainline or APEX modules) allow Google to update core system components via the Play Store, but they are really not meant for critical fixes. The big problem is that the Play system updates don't aggressively apply themselves or even let you know they have been downloaded. They just passively, silently wait for a reboot to happen so they can apply. For Pixel users, it feels like the horse has already left the barn anyway -- like most Pixel phones have automatically applied the nearly 13-day-old update by now. Users can force Play system updates to happen themselves by going to the system settings, then "Security & Privacy," then "System & updates," then "Google Play system update." If you have an update, you'll be prompted to reboot the phone. Also note that this differs from the usual OS update checker location, which is in system settings, then "System," then "System update." The system update screen will happily tell you "Your system is up to date" even if you have a pending Google Play system update. It would be great to have a single location for OS updates, Google Play System/Mainline updates, and app updates, but they are scattered everywhere and give conflicting "up to date" messages.

Security

Hackers Accessed 632,000 Email Addresses at US Justice, Defense Departments (bloomberg.com) 9

A Russian-speaking hacking group obtained access to the email addresses of about 632,000 US federal employees at the departments of Defense and Justice as part of the sprawling MOVEit hack last summer, according to a report on the wide-ranging attack obtained through a Freedom of Information Act request. From a report: The report, by the US Office of Personnel Management, provides new details about a cyberattack in which hackers exploited flaws in MOVEit, a popular file-transfer tool. Federal cybersecurity officers previously confirmed that government agencies were compromised by the attack but have provided little information on the scope of the attack, nor did they name the agencies affected.

The Office of Personnel Management, in a July report on the incident submitted to a congressional committee, said an unauthorized actor obtained access to government email addresses, links to government employee surveys administered by OPM and internal OPM tracking codes. The impacted employees were at the Department of Justice and various parts of the Defense Department: the Air Force, Army, US Army Corps of Engineers, the Office of the Secretary of Defense, the Joint Staff and Defense Agencies and Field Activities.

Slashdot Top Deals