Encryption

Chinese Researchers Claim To Find Way To Break Encryption Using Quantum Computers (ft.com)

Computer security experts were struggling this week to assess a startling claim by Chinese researchers that they have found a way to break the most common form of online encryption [the link may be paywalled] using the current generation of quantum computers, years before the technology was expected to pose a threat. Financial Times: The method, outlined in a scientific paper [PDF] published in late December, could be used to break the RSA algorithm that underpins most online encryption using a quantum machine with only 372 qubits -- or quantum bits, a basic unit of quantum computing -- according to the claims from 24 researchers from a number of academic bodies and state laboratories. IBM has already said that its 433 qubit Osprey system, the most powerful quantum computer to have been publicly unveiled, will be made available to its customers early this year.

If correct, the research would mark a significant moment in the history of computer security, said Roger Grimes, a computer security expert and author. "It's a huge claim," he said. "It would mean that governments could crack other governments' secrets. If it's true -- a big if -- it would be a secret like out of the movies, and one of the biggest things ever in computer science." Other experts said that while the theory outlined in the research paper appeared sound, trying to apply it in practice could well be beyond the reach of today's quantum technology. "As far as I can tell, the paper isn't wrong," said Peter Shor, the Massachusetts Institute of Technology scientist whose 1994 algorithm proving that a quantum machine could defeat online encryption helped to trigger a research boom in quantum computing. Shor's method requires machines with many hundreds of thousands, or even millions, of qubits, something that many experts believe is a decade or more away.

Privacy

WhatsApp Launches Proxy Support To Help Users Circumvent Internet Blocks (techcrunch.com)

WhatsApp is launching proxy support for its users all over the world, the company announced on Thursday. The support will allow users to maintain access to WhatsApp if their connection is blocked or disrupted. From a report: Choosing a proxy enables users to connect to WhatsApp through servers set up by volunteers and organizations around the world dedicated to helping people communicate freely. WhatsApp says connecting via proxy maintains the same level of privacy and security the app provides, and that personal messages will still be protected by end-to-end encryption. The company says messages will not be visible to anyone in between, not the proxy servers, WhatsApp or Meta.

"Our wish for 2023 is that these internet shutdowns never occur," WhatsApp wrote in a blog post. "Disruptions like we've seen in Iran for months on end deny people's human rights and cut people off from receiving urgent help. Though in case these shutdowns continue, we hope this solution helps people wherever there is a need for secure and reliable communication."

Security

Hundreds of WordPress Sites Infected By Recently Discovered Backdoor (arstechnica.com)

Malware that exploits unpatched vulnerabilities in 30 different WordPress plugins has infected hundreds if not thousands of sites and may have been in active use for years, according to a writeup published last week. Ars Technica reports: The Linux-based malware installs a backdoor that causes infected sites to redirect visitors to malicious sites, researchers from security firm Dr.Web said. It's also able to disable event logging, go into standby mode, and shut itself down. It gets installed by exploiting already-patched vulnerabilities in plugins that website owners use to add functionality like live chat or metrics-reporting to the core WordPress content management system. "If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts," Dr.Web researchers wrote. "As a result, when users click on any area of an attacked page, they are redirected to other sites."

Searches such as this one indicate that more than 1,300 sites contain the JavaScript that powers the backdoor. It's possible that some of those sites have removed the malicious code since the last scan. Still, it provides an indication of the reach of the malware. "If one or more vulnerabilities are successfully exploited, the targeted page is injected with a malicious JavaScript that is downloaded from a remote server," the Dr.Web writeup explained. "With that, the injection is done in such a way that when the infected page is loaded, this JavaScript will be initiated first -- regardless of the original contents of the page. At this point, whenever users click anywhere on the infected page, they will be transferred to the website the attackers need users to go to." The researchers found two versions of the backdoor: Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2. They said the malware may have been in use for three years.

Portables (Apple)

MacBook Owners Have Two Months To Claim Up To $395 Over Butterfly Keyboard Woes

An anonymous reader shares a report: If you bought an Apple MacBook with an ill-fated butterfly keyboard and ended up having to replace either individual keycaps or the whole keyboard, you may be eligible to claim part of a $50 million settlement reached after a class-action lawsuit. The law firm handling the settlement has been emailing class members since mid-December but we wanted to highlight that the deadline for making a claim is fast approaching on March 6th, 2023. Claims can be submitted via the keyboardsettlement.com website, which says that the settlement class includes "all persons and entities in the United States" who purchased a butterfly-equipped MacBook, MacBook Air, or MacBook Pro between 2015 and 2019.

Chrome

Google Chrome Will End Support for Several Windows Versions in Days (mashable.com)

Computers running Windows 7 and Windows 8.1 will no longer receive new versions of Google Chrome, beginning with Chrome 110, which will be released on Feb. 7. From a report: The new version is designed to run on Windows 10 or later. Google support announced the move in October 2022. As with most programs whose updates won't work on older operating systems, you can keep using the older version of Chrome; you just won't get the newer features and fixes Google is working on.

Games

EA Says It Can't Recover 60% of Players' Corrupted Madden Franchise Save Files

An anonymous reader shares a report: EA says that a temporary "data storage issue" led to the corruption of many Madden NFL 23 players' Connected Franchise Mode (CFM) save files last week. What's worse, the company now estimates it can recover fewer than half of those corrupted files from a backup. The issue started last Monday, December 26, when EA tweeted that it was "aware of players experiencing connection issues when trying to connect to CFM." That problem lasted until Wednesday, December 28, when EA announced that subsequent server maintenance meant that "users should now be able to play CFM without issue."

But users who attempted to log in to play online franchise games during a 22-hour period ranging from Wednesday afternoon to Thursday morning saw their franchise save data corrupted by the aforementioned "data storage issue," as EA confirmed over the weekend. And while EA says some of those corrupted save files can be recovered from a backup, it adds that the development team is "currently projecting around 40% of leagues to be recovered." Players who didn't log in during the outage period last week should be unaffected, EA says, adding that CFM is now "up and running" and is "safe to log in and play." But the company offered a similar message on Wednesday afternoon, just before the period in which players who logged in lost their save files in the first place.

Piracy

Major Private Torrent Sites Have a Security Disaster to Fix Right Now

At least three major torrent sites are currently exposing intimate details of their operations to anyone with a web browser. TorrentFreak understands that the sites use a piece of software that grabs brand-new content from other sites before automatically uploading it to their own. A security researcher tried to raise the alarm but nobody will listen. From the report: To get their hands on the latest releases as quickly as possible, [private torrent sites, or private trackers as they're commonly known] often rely on outside sources that have access to so-called 0-Day content, i.e., content released today. The three affected sites seem to have little difficulty obtaining some of their content within minutes. At least in part, that's achieved via automation. When outside suppliers of content are other torrent sites, a piece of software called Torrent Auto Uploader steps in. It can automatically download torrents, descriptions, and associated NFO files from one site and upload them to another, complete with a new .torrent file containing the tracker's announce URL. The management page [here] has been heavily redacted because the content has the potential to identify at least one of the sites. It's a web interface, one that has no password protection and is readily accessible by anyone with a web browser. The same problem affects at least three different servers operated by the three sites in question.

Torrent Auto Uploader relies on torrent clients to transfer content. The three sites in question all use rTorrent clients with a ruTorrent Web UI. We know this because the researcher sent over a whole bunch of screenshots and supporting information which confirms access to the torrent clients as well as the Torrent Auto Uploader software. The image [here] shows redactions on the tracker tab for good reason. In a regular setup, torrent users can see the names of the trackers coordinating their downloads. This setup is no different except that these URLs reference three different trackers supplying the content to one of the three compromised sites.

Rather than publish a sequence of completely redacted screenshots, we'll try to explain what they contain. One begins with a GET request to another tracker, which responds with a torrent file. It's then uploaded to the requesting site, which updates its SQL database accordingly. From there the script starts checking for any new entries on a specific RSS feed which is hidden away on another site that has nothing to do with torrents. The feed is protected with a passkey, but that's only useful when nobody knows what it is. The same security hole also grants direct access to one of the sites' tracker 'bots' through the panel that controls it. Then there's access to 'Staff Tools' on the same page which connect to other pages allowing username changes, uploader application reviews, and a list of misbehaving users that need to be monitored. That's on top of user profiles, the number of torrents they have active, and everything else one could imagine. Another screenshot featuring a torrent related to a 2022 movie reveals the URL of yet another third-party supplier tracker. Some basic queries on that URL lead to even more torrent sites. And from there, more, and more, and more -- revealing torrent passkeys for every single one on the way.

Software

Southwest Meltdown Shows Airlines Need Tighter Software Integration (wsj.com)

The Southwest Airlines meltdown that stranded thousands of passengers during one of the busiest travel weeks of the year exposed a major industry shortcoming: crew-scheduling technology that was largely built for a bygone era and is due for a major overhaul. From a report: Southwest relies on crew-assignment software called SkySolver, an off-the-shelf application that it has customized and updated, but is nearing the end of its life, according to the airline. The program was developed decades ago and is now owned by General Electric. During the winter storm, amid a huge volume of changes to crew schedules to work through, SkySolver couldn't handle the task of matching crew members and which flights they should work, executives of the Dallas-based carrier said.

Southwest's software wasn't designed to solve problems of that scale, Chief Operating Officer Andrew Watterson said Thursday, forcing the airline to revert to manual scheduling. Unlike some large rivals with hub-and-spoke networks, Southwest planes hopscotch from city to city, which may have been another complicating factor. Many carriers still rely on homegrown solutions, which largely were built on legacy mainframe computers, analysts say. Analysts and industry insiders say the airline industry is overdue for a massive technology overhaul that would take advantage of highly scalable cloud technologies and fully connect disparate sources of real-time data to better coordinate crews with aircraft. The airline sector has been among the slowest to adopt cloud-based and analytics technologies that could help solve complicated transportation network problems, those analysts say.

Windows

'Debloating Windows 10 With One Command and No Scripts' (gabrielsieben.tech)

An anonymous reader writes: Recently, I had to set up a Windows 10 computer for one specific application in a semi-embedded use case. Anything else that Windows does or comes with is unnecessary for this. While there are plenty of internet scripts and apps for de-bloating Windows, I have found the easiest (and little-known) way to debloat Windows without running any internet scripts is as follows:

1. Open PowerShell.
2. Type Get-AppxPackage | Remove-AppxPackage.
3. Ignore any error messages about packages that can't be removed, it's fine.

Will this work for everyone? No, of course not, but it's a great one-line, easily memorable tool for cleaning up a PC quickly for an industrial use case without any security risks.
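A more controllable form of the same Get-AppxPackage | Remove-AppxPackage idea, added here as an example (it is not the reader's script): it keeps an allowlist of packages, supports a dry run, logs what was actually removed, and also removes the provisioned copies so the apps do not reappear for new user profiles. The allowlist entries and log path are assumptions to adjust for the machine.

```powershell
# Added example: allowlisted, logged variant of "Get-AppxPackage | Remove-AppxPackage".
# Run from an elevated PowerShell on the machine being prepared.
param(
    [switch]$DryRun,                                  # list what would go, remove nothing
    [string]$LogPath = "$env:TEMP\appx-debloat.log"   # assumed location for the removal log
)

# Packages to keep (assumed list; extend it with whatever the target application needs).
$Keep = @(
    'Microsoft.WindowsStore',   # lets any package left installed keep receiving updates
    'Microsoft.VCLibs.*',       # runtime dependency of many packages
    'Microsoft.NET.Native.*'
)

function Test-Keep([string]$Name) {
    foreach ($pattern in $Keep) {
        if ($Name -like $pattern) { return $true }
    }
    return $false
}

$removed = @()
foreach ($pkg in Get-AppxPackage -AllUsers) {
    # NonRemovable packages would only produce the errors the post says to ignore; skip them up front.
    if ($pkg.NonRemovable -or (Test-Keep $pkg.Name)) { continue }
    if ($DryRun) {
        Write-Host "Would remove $($pkg.PackageFullName)"
        continue
    }
    # Anything the OS still refuses to remove raises an error that is ignored, as in the post.
    Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers -ErrorAction SilentlyContinue
    if (-not (Get-AppxPackage -Name $pkg.Name -AllUsers)) { $removed += $pkg.Name }
}

# Provisioned packages are installed again for every new user profile unless removed as well.
foreach ($prov in Get-AppxProvisionedPackage -Online) {
    if (Test-Keep $prov.DisplayName) { continue }
    if ($DryRun) {
        Write-Host "Would deprovision $($prov.PackageName)"
        continue
    }
    Remove-AppxProvisionedPackage -Online -PackageName $prov.PackageName -ErrorAction SilentlyContinue | Out-Null
}

if (-not $DryRun) {
    # Keep a record of what left the machine so the change can be audited later.
    "$(Get-Date -Format o) removed: $($removed -join ', ')" | Out-File -FilePath $LogPath -Append
    Write-Host "Removed $($removed.Count) packages; log written to $LogPath"
}
```

Run it once with -DryRun to review the list before letting it remove anything.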

IT

Seeking Exotic Remote Work Locations? More Than 40 Places Now Offer 'Digital Nomad' Visas (theconversation.com)

"Imagine starting your work day with a fresh coconut juice perched by your laptop as you gaze over the ocean or a tropical rainforest...." writes the Conversation.

"More than 40 nations or territories now offer "digital nomad" visas to attract those able to be employed in one country while living, and spending their income, in another." Fancy the beach? A bunch of exotic islands are on the list. Prefer tropical forests? Try Brazil or Costa Rica. Looking for history? There's Spain or Greece. Love Wim Hof-style ice-bathing? Iceland beckons.

Think of a "digital nomad" visa as a cross between a tourist and temporary migrant visa — a working-on-holiday visa. Instead of the visa giving you the right to work in the country, it's allowing you to stay so long as you're gainfully employed and bringing money into the local economy. How long you can stay varies, from 90 days in Aruba in the Caribbean to up to two years in the Cayman Islands. Most are for 12 months, with an option to renew. Some places, such as Latvia, restrict visas to employers registered in an OECD country. But generally the key requirement is that you can show you have no need to find local work and can meet minimum income requirements.

Generally, the visa conditions simplify taxation issues: you continue to pay your income tax in the country of your employer. But this varies. For example, in Greece (which offers a two-year renewable visa) you are exempt from paying local income tax only for the first six months.

A key driver of the digital nomad trend is the ability to maintain a career while ticking off other personal goals, particularly travel and the ability to experience a different way of life. Moving somewhere with a cheaper cost of living could be another motivation.

The article warns that "Living a long way away from family and friends and support networks is likely to be more challenging, no matter how idyllic your location.

"If you like predictable structure and routine, the uncertainty and inevitable inconveniences that arise may mean it isn't for you."

Transportation

The Shameful Open Secret Behind Southwest's Failure? Software Shortcomings (nytimes.com)

Computer programmer Zeynep Tufekci now writes about the impact of technology on society. In an opinion piece for the New York Times, Tufekci writes on "the shameful open secret" that earlier this week led Southwest Airlines to suddenly cancel 5,400 flights in less than 48 hours. "The recent meltdown was avoidable, but it would have cost them."

Long-time Slashdot reader theodp writes that the piece "takes a crack at explaining 'technical debt' to the masses." Tufekci writes: Computers become increasingly capable and powerful by the year and new hardware is often the most visible cue for technological progress. However, even with the shiniest hardware, the software that plays a critical role inside many systems is too often antiquated, and in some cases decades old. This failing appears to be a key factor in why Southwest Airlines couldn't return to business as usual the way other airlines did after last week's major winter storm. More than 15,000 of its flights were canceled starting on Dec. 22, including more than 2,300 canceled this past Thursday — almost a week after the storm had passed.

It's been an open secret within Southwest for some time, and a shameful one, that the company desperately needed to modernize its scheduling systems. Software shortcomings had contributed to previous, smaller-scale meltdowns, and Southwest unions had repeatedly warned about it. Without more government regulation and oversight, and greater accountability, we may see more fiascos like this one, which most likely stranded hundreds of thousands of Southwest passengers — perhaps more than a million — over Christmas week.

And not just for a single company, as the problem is widespread across many industries.

"The reason we made it through Y2K intact is that we didn't ignore the problem," the piece argues. But in comparison, it points out, Southwest had already experienced another cancellation crisis in October of 2021 (while the president of the pilots' union "pointed out that the antiquated crew-scheduling technology was leading to cascading disruptions.") "In March, in its open letter to the company, the union even placed updating the creaking scheduling technology above its demands for increased pay."

Speaking about this week's outage, a Southwest spokesman concedes that "We had available crews and aircraft, but our technology struggled to align our resources due to the magnitude and scale of the disruptions."

But Tufekci concludes that "Ultimately, the problem is that we haven't built a regulatory environment where companies have incentives to address technical debt, rather than passing the burden on to customers, employees or the next management.... For airlines, it might mean holding them responsible for the problems their miserly approach causes to the flying public."

Microsoft

Microsoft's $200 Surface Earbuds Have Seemingly Been Abandoned (windowscentral.com)

Windows Central reports: The Surface Earbuds are a weird product in Microsoft's line of Surface devices. Now over two years old, and still available to buy at a close to launch price of $160, the Surface Earbuds might be the worst "Surface" branded device you can buy brand new right now. They launched at a time when the wireless earbuds space was heating up and offered less than the competition while charging more. Are they the best in audio quality? Definitely not. Are they the best designed? Most would argue that they aren't. Are they the most comfortable? That depends, but I know a lot of people claim they don't properly fit in their ears. Do they support wireless charging? Nope. Is the case premium? Mine scratches easily and the lid feels flimsy. Nothing about the product screams $160 premium earbuds.

[...] My sources have said that Microsoft was working on a successor to the Surface Earbuds, codenamed Ella, that was supposed to launch before the end of this year. We're now at the end of the year and that never happened. I hope they've simply been delayed and not canceled, though I wouldn't be surprised if they have. Microsoft's abandonment of the first Surface Earbuds should be a huge red flag for any potential buyers of a second-generation pair. Why should anyone buy them if Microsoft is going to abandon them the second they hit the market? This product segment is competitive, and there are many other brands that will commit to supporting their own wireless earbuds for longer.

Security

FBI Investigating 3Commas Data Breach (coindesk.com)

The FBI is investigating the 3Commas data breach, CoinDesk is reporting. From the report: The investigation comes after weeks of criticism from users of the Estonia-based crypto trading service, who say its CEO repeatedly brushed off warning signs that the platform had leaked user data. This week, 100,000 Binance and KuCoin API keys linked to 3Commas were leaked by an anonymous person. On Thursday, two 3Commas users told CoinDesk that they were contacted by agents from the FBI's Cincinnati Field Office in connection with the leak.

Over the last several months, dozens of 3Commas users found that the service had, without their consent, traded away funds on crypto exchanges they'd linked to it. Initially, 3Commas said that these users were most likely phished and insisted that the platform was safe. The API database leaker insinuated that the 3Commas keys had been sold by someone from within the company, but 3Commas CEO Yuriy Sorokin said in a statement on Thursday that "3Commas stresses that it has found no evidence during the internal investigation that any employee of 3Commas was somehow involved in attacks against the API data."

Spam

Google Voice Will Now Warn You About Potential Spam Calls (theverge.com)

Google has announced that it's adding a red "suspected spam caller" warning to Google Voice calls if it doesn't think they're legitimate. From a report: In a post on Thursday, the company says it's identifying spam "using the same advanced artificial intelligence" system as it does with its traditional phone app for Android. If the spam label appears, you'll also have the option of confirming that a call was spam -- in which case any future calls will be sent straight to your voicemail -- or clarifying that it wasn't, which will get rid of the label for future calls.

Google Voice has had the ability to automatically filter calls identified as spam to voicemail for years, and has also allowed you to screen calls before actually picking them up, but those options may not have been great if you're the type of person who gets a lot of important calls from unknown numbers. Google does say that you'll have to turn off the Filter Spam feature by going to Settings > Security > Filter spam if you want the automatic spam labeling.

The Courts

Insurance Policy Does Not Cover Ransomware Attack on Software, Ohio Supreme Court Says (jurist.org)

The Ohio Supreme Court has unanimously overruled a judgment of the Ohio Second District Court of Appeals and held that there must be "direct" physical loss or physical damage to the company's computer software for the insurance policy to provide coverage. From a report: In the three-year court proceedings between the greater Dayton medical billing software maker EMOI and its insurance service provider, Lansing, Michigan-based Owners Insurance Company, the latter asserted that the insurance contract unambiguously stated only "direct physical loss" or "direct physical damage" to media would be covered under the insurance policy.

The court in its final ruling gave the rationale that a computer might have physical electronic components that are "tangible" in nature but the information stored there has no "physical presence"; thus a ransomware attack on the company software has no coverage under the company's insurance policy. The judgment against EMOI concludes that a software developer can't use its property insurance to cover losses. A district judge had dismissed EMOI's case against Owners, which the developer brought forth just months after the attack. But the appellate court in November 2021 had ruled in favor of EMOI stating that the claimant could sue the insurance company for allegedly treating its claim in bad faith by failing to properly examine "the various types of damage that can occur to media such as software."

Security

Netgear Warns Users To Patch Recently Fixed Wi-Fi Router Bug (bleepingcomputer.com)

Netgear has fixed a high-severity vulnerability affecting multiple WiFi router models and advised customers to update their devices to the latest available firmware as soon as possible. BleepingComputer reports: The flaw impacts multiple Wireless AC Nighthawk, Wireless AX Nighthawk (WiFi 6), and Wireless AC router models. Although Netgear did not disclose any information about the component affected by this bug or its impact, it did say that it is a pre-authentication buffer overflow vulnerability. The impact of a successful buffer overflow exploitation can range from crashes (denial of service) to arbitrary code execution, if code execution is achieved during the attack. Attackers can exploit this flaw in low-complexity attacks without requiring permissions or user interaction. In a security advisory published on Wednesday, Netgear said it "strongly recommends that you download the latest firmware as soon as possible." A list of vulnerable routers and the patched firmware versions can be found here.

IT

HandBrake 1.6.0 Debuts AV1 Transcoding Support for the Masses (tomshardware.com)

HandBrake, the popular free and open source video transcoder, has been updated to version 1.6.0. This major point upgrade is notable for facilitating AV1 video encoding for the first time in a general release. Moreover, those with Intel Quick Sync Video (QSV) enabled processors, and those with Intel Arc GPUs, will be able to encode AV1 video with hardware acceleration. From a report: HandBrake 1.6.0 can encode AV1 videos on any of its supported systems. In the current release its SVT-AV1 encoder offers the widest support, encoding on your processor through software. However, those with Intel QSV supporting CPUs or discrete Arc graphics can use the QSV-AV1 encoder for hardware accelerated processing. QSV isn't supported if your CPU is an 'F' suffixed model (i.e., it doesn't have an iGPU), or it is older than the Skylake generation. If you are lucky enough to have multiple QSV accelerators in your system, support for Intel Deep Link Hyper Encode should accelerate processing further. While AMD and Nvidia have AV1 encoders available for their latest GPUs, they currently aren't integrated with HandBrake. AV1 video is set to become the dominant codec across app-based streaming services and the wider internet, offering attractions such as an open and royalty-free architecture, improved compression enabling efficient 8K video streaming, and support for the newest HDR standards.

United States

Department of Homeland Security Can't Even Secure Its Buildings Against People It Fired (theintercept.com)

For the fourth time since 2007, an internal audit shows the Department of Homeland Security isn't deactivating access cards in the hands of ex-employees, leaving its secure facilities vulnerable to intruders. From a report: A new report by Homeland Security's Office of Inspector General shows that the department is systemically failing to revoke tens of thousands of "personal identity verification" cards that allow staff to enter sensitive, secure facilities and access internal data networks, despite being warned about the problem for 15 years. The issue is made worse, the report continues, by the fact that Homeland Security's internal record-keeping is so shoddy that it was impossible to determine how many ex-staffers have working access cards they aren't supposed to have.

Like many modern employers, Homeland Security hands out office-unlocking keycards to its employees to make sure strangers can't wander in off the street. And, like most workplaces, the department is supposed to follow a standard policy: When an employee is no longer an employee, for whatever reason, their card is to be promptly deactivated. Unlike most employers, though, Homeland Security is a component of the U.S. Intelligence Community, meaning these credit card-sized badges have a "grave potential for misuse if lost, stolen, or compromised," according to the inspector general report. Unfortunately for the department -- and potentially the homeland -- the OIG's latest audit found that's exactly what's happening, and on a vast scale.

Security

EarSpy: Spying On Phone Calls Via Ear Speaker Vibrations Captured By Accelerometer (securityweek.com)

An anonymous reader quotes a report from SecurityWeek: As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for eavesdropping on a targeted user's conversations, according to a team of researchers from several universities in the United States. The attack method, named EarSpy, is described in a paper published just before Christmas by researchers from Texas A&M University, Temple University, New Jersey Institute of Technology, Rutgers University, and the University of Dayton. EarSpy relies on the phone's ear speaker -- the speaker at the top of the device that is used when the phone is held to the ear -- and the device's built-in accelerometer for capturing the tiny vibrations generated by the speaker.

The researchers discovered that attacks such as EarSpy are becoming increasingly feasible due to the improvements made by smartphone manufacturers to ear speakers. They conducted tests on the OnePlus 7T and the OnePlus 9 smartphones -- both running Android -- and found that significantly more data can be captured by the accelerometer from the ear speaker due to the stereo speakers present in these newer models compared to the older model OnePlus phones, which did not have stereo speakers. The experiments conducted by the academic researchers analyzed the reverberation effect of ear speakers on the accelerometer by extracting time-frequency domain features and spectrograms. The analysis focused on gender recognition, speaker recognition, and speech recognition.

In the gender recognition test, whose goal is to determine whether the target is male or female, the EarSpy attack had a 98% accuracy. The accuracy was nearly as high, at 92%, for detecting the speaker's identity. When it comes to actual speech, the accuracy was up to 56% for capturing digits spoken in a phone call. "[This] accuracy still exhibits five times greater accuracy than a random guess, which implies that vibration due to the ear speaker induced a reasonable amount of distinguishable impact on accelerometer data," the researchers said.

Security

The LastPass Disclosure of Leaked Password Vaults Is Being Torn Apart By Security Experts (theverge.com)

Last week, LastPass announced that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident. "While the company insists that your login information is still secure, some cybersecurity experts are heavily criticizing its post, saying that it could make people feel more secure than they actually are and pointing out that this is just the latest in a series of incidents that make it hard to trust the password manager," reports The Verge. Here's an excerpt from the report: LastPass' December 22nd statement was "full of omissions, half-truths and outright lies," reads a blog post from Wladimir Palant, a security researcher known for helping originally develop AdBlock Pro, among other things. Some of his criticisms deal with how the company has framed the incident and how transparent it's being; he accuses the company of trying to portray the August incident where LastPass says "some source code and technical information were stolen" as a separate breach when he says that in reality the company "failed to contain" the breach. He also highlights LastPass' admission that the leaked data included "the IP addresses from which customers were accessing the LastPass service," saying that could let the threat actor "create a complete movement profile" of customers if LastPass was logging every IP address you used with its service.

Another security researcher, Jeremi Gosney, wrote a long post on Mastodon explaining his recommendation to move to another password manager. "LastPass's claim of 'zero knowledge' is a bald-faced lie," he says, alleging that the company has "about as much knowledge as a password manager can possibly get away with." LastPass claims its "zero knowledge" architecture keeps users safe because the company never has access to your master password, which is the thing that hackers would need to unlock the stolen vaults. While Gosney doesn't dispute that particular point, he does say that the phrase is misleading. "I think most people envision their vault as a sort of encrypted database where the entire file is protected, but no -- with LastPass, your vault is a plaintext file and only a few select fields are encrypted."

Palant also notes that the encryption only does you any good if the hackers can't crack your master password, which is LastPass' main defense in its post: if you use its defaults for password length and strengthening and haven't reused it on another site, "it would take millions of years to guess your master password using generally-available password-cracking technology" wrote Karim Toubba, the company's CEO. "This prepares the ground for blaming the customers," writes Palant, saying that "LastPass should be aware that passwords will be decrypted for at least some of their customers. And they have a convenient explanation already: these customers clearly didn't follow their best practices." However, he also points out that LastPass hasn't necessarily enforced those standards. Despite the fact that it made 12-character passwords the default in 2018, Palant says, "I can log in with my eight-character password without any warnings or prompts to change it."
