Security

OpenSSL 3 Patch, Once Heartbleed-level 'Critical,' Arrives as a Lesser 'High' (arstechnica.com)

An OpenSSL vulnerability once signaled as the first critical-level patch since the Internet-reshaping Heartbleed bug has just been patched. It ultimately arrived as a "high" security fix for a buffer overflow, one that affects all OpenSSL 3.x installations, but is unlikely to lead to remote code execution. From a report: OpenSSL version 3.0.7 was announced last week as a critical security fix release. The specific vulnerabilities (now CVE-2022-37786 and CVE-2022-3602) had been largely unknown until today, but analysts and businesses in the web security field hinted there could be notable problems and maintenance pain. Some Linux distributions, including Fedora, held up releases until the patch was available. Distribution giant Akamai noted before the patch that half of their monitored networks had at least one machine with a vulnerable OpenSSL 3.x instance, and among those networks, between 0.2 and 33 percent of machines were vulnerable. But the specific vulnerabilities -- limited-circumstance, client-side overflows that are mitigated by the stack layout on most modern platforms -- are now patched, and rated as "High." And with OpenSSL 1.1.1 still in its long-term support phase, OpenSSL 3.x is not nearly as widespread. Malware expert Marcus Hutchins points to an OpenSSL commit on GitHub that details the code issues: "fixed two buffer overflows in puny code decoding functions." A malicious email address, verified within an X.509 certificate, could overflow bytes on a stack, resulting in a crash or potentially remote code execution, depending on the platform and configuration.
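As an added example (not OpenSSL's code and not the fixed functions the commit describes), here is a bounded RFC 3492 punycode decoder in C: the capacity check before every insertion is the guard that stops a hostile label, such as one inside a certificate's email address, from writing past a fixed-size output buffer. The `idna_label_decode` wrapper and the `decode_len`/`decode_at` helpers are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 3492 parameters (these are the standard's values, not assumptions). */
#define PC_BASE 36
#define PC_TMIN 1
#define PC_TMAX 26
#define PC_SKEW 38
#define PC_DAMP 700
#define PC_INITIAL_BIAS 72
#define PC_INITIAL_N 128

/* Map one ASCII digit of the delta alphabet to 0..35, or -1 if invalid. */
static int pc_digit(int c)
{
    if (c >= '0' && c <= '9') return c - '0' + 26;
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a';
    return -1;
}

/* Bias adaptation exactly as specified in RFC 3492 section 6.1. */
static uint32_t pc_adapt(uint32_t delta, uint32_t numpoints, int firsttime)
{
    uint32_t k = 0;
    delta = firsttime ? delta / PC_DAMP : delta / 2;
    delta += delta / numpoints;
    while (delta > ((PC_BASE - PC_TMIN) * PC_TMAX) / 2) {
        delta /= PC_BASE - PC_TMIN;
        k += PC_BASE;
    }
    return k + (PC_BASE - PC_TMIN + 1) * delta / (delta + PC_SKEW);
}

/* Decode the text after "xn--" into code points in `out` (room for `cap`).
 * Returns the number of code points, or -1 on malformed input or when the
 * result would not fit.  Every non-basic character is *inserted* into the
 * middle of the output, so a fixed-size destination must be checked before
 * each write; omitting that check is how a decoder of this shape can be
 * driven past the end of a stack buffer by attacker-chosen input. */
int punycode_decode(const char *in, uint32_t *out, size_t cap)
{
    size_t len = strlen(in), b = 0, outlen = 0, j;
    uint32_t n = PC_INITIAL_N, bias = PC_INITIAL_BIAS, i = 0;

    for (j = 0; j < len; j++)               /* basic chars end at last '-' */
        if (in[j] == '-') b = j;
    for (j = 0; j < b; j++) {
        if ((unsigned char)in[j] >= 0x80) return -1;  /* must be ASCII */
        if (outlen >= cap) return -1;                 /* capacity guard */
        out[outlen++] = (unsigned char)in[j];
    }
    for (j = b > 0 ? b + 1 : 0; j < len; outlen++) {
        uint32_t oldi = i, w = 1, k, t, q;
        int digit;
        for (k = PC_BASE; ; k += PC_BASE) {
            if (j >= len) return -1;                  /* truncated delta */
            digit = pc_digit((unsigned char)in[j++]);
            if (digit < 0) return -1;
            if ((uint32_t)digit > (UINT32_MAX - i) / w) return -1;
            i += (uint32_t)digit * w;
            t = k <= bias ? PC_TMIN : (k >= bias + PC_TMAX ? PC_TMAX : k - bias);
            if ((uint32_t)digit < t) break;
            if (w > UINT32_MAX / (PC_BASE - t)) return -1;
            w *= PC_BASE - t;
        }
        bias = pc_adapt(i - oldi, (uint32_t)outlen + 1, oldi == 0);
        q = i / (uint32_t)(outlen + 1);
        if (q > UINT32_MAX - n) return -1;
        n += q;
        i %= (uint32_t)(outlen + 1);
        if (n > 0x10FFFF) return -1;                  /* not a code point */
        if (outlen >= cap) return -1;                 /* capacity guard */
        memmove(out + i + 1, out + i, (outlen - i) * sizeof(*out));
        out[i++] = n;
    }
    return (int)outlen;
}

/* Hypothetical wrapper: an IDNA label is punycode only when it starts
 * with "xn--"; plain ASCII labels are copied through with the same guard. */
int idna_label_decode(const char *label, uint32_t *out, size_t cap)
{
    size_t k, len = strlen(label);
    if (strncmp(label, "xn--", 4) == 0) return punycode_decode(label + 4, out, cap);
    if (len > cap) return -1;
    for (k = 0; k < len; k++) out[k] = (unsigned char)label[k];
    return (int)len;
}

/* Helpers for checks: decode into a 64-entry local buffer limited to `cap`. */
int decode_len(const char *in, size_t cap)
{
    uint32_t buf[64];
    return punycode_decode(in, buf, cap < 64 ? cap : 64);
}
uint32_t decode_at(const char *in, size_t idx)
{
    uint32_t buf[64];
    int n = punycode_decode(in, buf, 64);
    return (n > 0 && idx < (size_t)n) ? buf[idx] : 0;
}

int main(void)
{
    uint32_t cp[64];
    int n = idna_label_decode("xn--mnchen-3ya", cp, 64), k;  /* constructed label */
    if (n < 0) { puts("decode failed"); return 1; }
    for (k = 0; k < n; k++) printf("U+%04X ", cp[k]);
    putchar('\n');
    return 0;
}
```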
Security

US Banks Spent $1 Billion on Ransomware Payments in 2021, Treasury Says (bloomberg.com)

US financial institutions spent nearly $1.2 billion on likely ransomware-related payments last year, most commonly in response to breaches originating with Russian criminal groups, according to the Treasury Department. From a report: The payments more than doubled from 2020, underscoring the pernicious damage that ransomware continues to wreak on the private sector. The Financial Crimes Enforcement Network, or FinCEN, said its analysis "indicates that ransomware continues to pose a significant threat to U.S. critical infrastructure sectors, businesses and the public." Financial institutions filed 1,489 incidents related to ransomware in 2021, up from 487 the year before, according to data collected under the Bank Secrecy Act. FinCEN's analysis included extortion amounts, attempted transactions and payments that were unpaid. FinCEN said the top five highest-grossing ransomware variants from the second half of 2021 are connected to Russian cybercriminals. The damage from Russian-related ransomware during that period totaled more than $219 million, according to the data.
Government

White House Invites Dozens of Nations For Ransomware Summit (apnews.com)

An anonymous reader quotes a report from the Associated Press: The White House is bringing together three dozen nations, the European Union and a slew of private-sector companies for a two-day summit starting Monday that looks at how best to combat ransomware attacks. The second International Counter Ransomware Summit will focus on priorities such as ensuring systems are more resilient to better withstand attacks and disrupt bad actors planning such assaults. A senior Biden administration official cited recent attacks such as one that targeted the Los Angeles school district last month to underscore the urgency of the issue and the summit. The official previewed the event on the condition of anonymity.

Among the administration officials planning to participate in the event are FBI Director Christopher Wray, national security adviser Jake Sullivan, Deputy Treasury Secretary Wally Adeyemo and Deputy Secretary of State Wendy Sherman. President Joe Biden is not expected to attend. Participating countries are Australia, Austria, Belgium, Brazil, Bulgaria, Canada, Croatia, the Czech Republic, the Dominican Republic, Estonia, the European Commission, France, Germany, India, Ireland, Israel, Italy, Japan, Kenya, Lithuania, Mexico, the Netherlands, New Zealand, Nigeria, Norway, Poland, the Republic of Korea, Romania, Singapore, South Africa, Spain, Sweden, Switzerland, Ukraine, the United Arab Emirates, the United Kingdom and the United States.

Security

FTC Accuses Ed Tech Firm Chegg of 'Careless' Data Security (nytimes.com)

The Federal Trade Commission on Monday cracked down on Chegg, an education technology firm based in Santa Clara, Calif., saying the company's "careless" approach to cybersecurity had exposed the personal details of tens of millions of users. From a report: In a legal complaint, filed on Monday morning, regulators accused Chegg of numerous data security lapses dating to 2017. Among other problems, the agency said, Chegg had issued root login credentials, essentially an all-access pass to certain databases, to multiple employees and outside contractors. Those credentials enabled many people to look at user account data, which the company kept on Amazon Web Services' online storage system.

As a result, the agency said, a former Chegg contractor was able to use company-issued credentials to steal the names, email addresses and passwords of about 40 million users in 2018. In certain cases, sensitive details on students' religion, sexual orientation, disabilities and parents' income were also taken. Some of the data was later found for sale online. Chegg's popular homework help app is used regularly by millions of high school and college students. To settle the F.T.C.'s charges, the agency said Chegg had agreed to adopt a comprehensive data security program.

Encryption

How Privacy-Enhancing Technologies Are Fulfilling Cryptography's Potential (theguardian.com)

Here's the Guardian's report on new cryptographic techniques where "you can share data while keeping that data private" — known by the umbrella term "privacy-enhancing technologies" (or "Pets"). They offer opportunities for data holders to pool their data in new and useful ways. In the health sector, for example, strict rules prohibit hospitals from sharing patients' medical data. Yet if hospitals were able to combine their data into larger datasets, doctors would have more information, which would enable them to make better decisions on treatments. Indeed, a project in Switzerland using Pets has since June allowed medical researchers at four independent teaching hospitals to conduct analysis on their combined data of about 250,000 patients, with no loss of privacy between institutions. Juan Troncoso, co-founder and CEO of Tune Insight, which runs the project, says: "The dream of personalised medicine relies on larger and higher-quality datasets. Pets can make this dream come true while complying with regulations and protecting people's privacy rights. This technology will be transformative for precision medicine and beyond."

The past couple of years have seen the emergence of dozens of Pet startups in advertising, insurance, marketing, machine learning, cybersecurity, fintech and cryptocurrencies. According to research firm Everest Group, the market for Pets was $2bn last year and will grow to more than $50bn in 2026. Governments are also getting interested. Last year, the United Nations launched its "Pet Lab", which was nothing to do with the welfare of domestic animals, but instead a forum for national statistical offices to find ways to share their data across borders while protecting the privacy of their citizens.

Jack Fitzsimons, founder of the UN Pet Lab, says: "Pets are one of the most important technologies of our generation. They have fundamentally changed the game, because they offer the promise that private data is only used for its intended purposes...." The emergence of applications has driven the theory, which is now sufficiently well developed to be commercially viable. Microsoft, for example, uses fully homomorphic encryption when you register a new password: the password is encrypted and then sent to a server who checks whether or not that password is in a list of passwords that have been discovered in data breaches, without the server being able to identify your password. Meta, Google and Apple have also over the last year or so been introducing similar tools to some of their products.

The article offers quick explanations of zero-knowledge proofs, secure multiparty computation, and fully homomorphic encryption (which allows the performance of analytics on data by a second party who never reads the data or learns the result).

And "In addition to new cryptographic techniques, Pets also include advances in computational statistics such as 'differential privacy', an idea from 2006 in which noise is added to results in order to preserve the privacy of individuals."
Security

Security Certification Body (ISC)2 Defends Proposed Bylaw Changes (portswigger.net)

Security certification body (ISC)² — the International Information System Security Certification Consortium — "is a non-profit organization providing training and certification for cybersecurity professionals," writes PortSwigger's "Daily Swig" cybersecurity news blog. "Over the last two years, it has been carrying out a review of its practices around committees, nominations, and governance."

But some of the proposed bylaw amendments (announced earlier this month) drew criticism: According to Wim Remes, a former board member who spent three years as (ISC)² chair, the organization currently has a poor record on member engagement, with election turnout averaging only around 4%. As things stand, 500 endorsements are required for members to raise a petition. However, the new proposals would see this figure raised to 1% of the 170,000-odd members. "This effectively shuts down an important relief valve in corporate governance, in my opinion, and is not in the interest of the membership," Remes told The Daily Swig. "It's already impossible to get up to 500. It's unthinkable anybody would make it to 1,600, [or] to 2,000."

Also in the pipeline is a significant change to the process for electing the board of directors. If approved, this would remove the option for a write-in candidate and witness the board submitting a slate of qualified candidates to the membership that would be equal to the number of open seats. "Combined with making the petition process harder — if not impossible — this is as close to a coup by governance as one could get," Remes argued. "They still call it an election, but it is officially a coronation."

Meanwhile, the Ethics Committee is to be eliminated as a standing committee of the board.

Clar Rosso, CEO of (ISC)2, tells the site that the bylaw changes will be voted on by members, and will move the ethics process "from one that is majority board-run to a process that is adjudicated by a broader cross-section of members."

"Additionally, many of these bylaw changes are reflective of best practices of other similarly-sized associations, and some simply provide clarity and ensure legal compliance with applicable state and federal laws. The (ISC)² board of directors, comprised entirely of member volunteers, supports the proposed changes."

Long-time Slashdot reader mencik shares a page offering nine alternate proposals to increase transparency — along with a petition for including them on the agenda of the group's next annual meeting. (Reminder: only ISC2 members can vote.)
Crime

Could Data Destruction + Exfiltration Replace Ransomware? (esecurityplanet.com)

Slashdot reader storagedude writes: Ransomware groups have been busy improving their data exfiltration tools, and with good reason: As ransomware decryption fails to work most of the time, victims are more likely to pay a ransom to keep their stolen data from being publicly leaked.

But some security researchers think the trend suggests that ransomware groups may change their tactics entirely and abandon ransomware in favor of a combined approach of data destruction and exfiltration, stealing the data before destroying it and any backups, thus leaving the stolen copy of the data as the only hope for victims to recover their data. After all, if ransomware just destroys data anyway, why waste resources developing it?

"With data exfiltration now the norm among threat actors, developing stable, secure, and fast ransomware to encrypt files is a redundant and costly endeavor compared to corrupting files and using the exfiltrated copies as the means of data recovery," Cyderes researchers wrote after analyzing an attack last month.

"Eliminating the step of encrypting the data makes the process faster and eliminates the risk of not getting the full payout, or that the victim will find other ways to decrypt the data," they added. "Data destruction is rumored to be where ransomware is going to go, but we haven't actually seen it in the wild. During a recent incident response, however, Cyderes and Stairwell discovered signs that threat actors are actively in the process of staging and developing this capability."

That incident – involving BlackCat/ALPHV ransomware – turned up an exfiltration tool with hardcoded sftp credentials that was analyzed by Stairwell's Threat Research Team, which found partially-implemented data destruction functionality.

"The use of data destruction by affiliate-level actors in lieu of RaaS deployment would mark a large shift in the data extortion landscape and would signal the balkanization of financially-motivated intrusion actors currently working under the banners of RaaS affiliate programs," the Stairwell researchers wrote.

Bug

First-Ever Study Shows Bumble Bees 'Play' (phys.org)

An anonymous reader quotes a report from Phys.Org: Bumble bees play, according to new research led by Queen Mary University of London published in Animal Behavior. It is the first time that object play behavior has been shown in an insect, adding to mounting evidence that bees may experience positive "feelings." The team of researchers set up numerous experiments to test their hypothesis, which showed that bumble bees went out of their way to roll wooden balls repeatedly despite there being no apparent incentive for doing so. The study also found that younger bees rolled more balls than older bees, mirroring human behavior of young children and other juvenile mammals and birds being the most playful, and that male bees rolled them for longer than their female counterparts.

The study followed 45 bumble bees in an arena and gave them the options of walking through an unobstructed path to reach a feeding area or deviating from this path into the areas with wooden balls. Individual bees rolled balls between 1 and, impressively, 117 times over the experiment. The repeated behavior suggested that ball-rolling was rewarding. This was supported by a further experiment where another 42 bees were given access to two colored chambers, one always containing movable balls and one without any objects. When tested and given a choice between the two chambers, neither containing balls, bees showed a preference for the color of the chamber previously associated with the wooden balls. The set-up of the experiments removed any notion that the bees were moving the balls for any greater purpose other than play. Rolling balls did not contribute to survival strategies, such as gaining food, clearing clutter, or mating and was done under stress-free conditions. [...] The new research showed the bees rolling balls repeatedly without being trained and without receiving any food for doing so -- it was voluntary and spontaneous -- therefore akin to play behavior as seen in other animals.

Study first-author, Samadi Galpayage, Ph.D. student at Queen Mary University of London says that "it is certainly mind-blowing, at times amusing, to watch bumble bees show something like play. They approach and manipulate these 'toys' again and again. It goes to show, once more, that despite their little size and tiny brains, they are more than small robotic beings."

"They may actually experience some kind of positive emotional states, even if rudimentary, like other larger fluffy, or not so fluffy, animals do. This sort of finding has implications to our understanding of sentience and welfare of insects and will, hopefully, encourage us to respect and protect life on Earth ever more."
Data Storage

How a Redditor Ended Up With an Industrial-Grade Netflix Server (vice.com)

A Redditor says they've managed to get a hold of an old Netflix server for free, and has posted a detailed online look at the once mysterious hardware. The devices were part of Netflix's Open Connect Content Delivery Network (CDN), and can often be found embedded within major ISP networks to ensure your Netflix streams don't suck. From a report: Reddit user PoisonWaffle3 said the ISP he currently works for has been offloading old Netflix servers as they upgrade to more modern equipment. In a Reddit thread titled "So I got a Netflix cache server..." he posted a photo of the server, which is bright Netflix red, and explained how he was curious about what's inside the boxes given how little public information was available.

"All I could find online was overviews, installation/config guides for their proprietary software, etc.," he said. "No specs, no clue what was inside the red box." Dave Temkin, Netflix's former Vice President of Network Systems Infrastructure told Motherboard there's nothing too mysterious about what the servers can do, though they significantly help improve video streaming by shortening overall content transit time. "They're just an Intel FreeBSD box," he said. "We got Linux running on some of the generations of that box as well."

Netflix's Open Connect Content Delivery Network hardware caches popular Netflix content to reduce overall strain across broadband networks. Netflix lets major broadband ISPs embed a CDN server on the ISP network for free; the shorter transit time then helps improve video delivery, of benefit to broadband providers and Netflix alike. It took all of three screws for PoisonWaffle3 to get inside the mysterious red unit, at which point users discovered a "fairly standard" Supermicro board, a single Xeon E5 2650L v2 processor, 64GB of DDR3 memory, and a 10 gigabit ethernet card. They also found 36 7.2TB 7200RPM drives and six 500GB Micron solid state drives, for a grand total of 262 terabytes of storage.

Security

OpenSSL Warns of Critical Security Vulnerability With Upcoming Patch (zdnet.com)

An anonymous reader quotes a report from ZDNet: Everyone depends on OpenSSL. You may not know it, but OpenSSL is what makes it possible to use secure Transport Layer Security (TLS) on Linux, Unix, Windows, and many other operating systems. It's also what is used to lock down pretty much every secure communications and networking application and device out there. So we should all be concerned that Mark Cox, a Red Hat Distinguished Software Engineer and the Apache Software Foundation (ASF)'s VP of Security, this week tweeted, "OpenSSL 3.0.7 update to fix Critical CVE out next Tuesday 1300-1700UTC." How bad is "Critical"? According to OpenSSL, an issue of critical severity affects common configurations and is also likely exploitable. It's likely to be abused to disclose server memory contents, and potentially reveal user details, and could be easily exploited remotely to compromise server private keys or execute code remotely. In other words, pretty much everything you don't want happening on your production systems.

The last time OpenSSL had a kick in its security teeth like this one was in 2016. That vulnerability could be used to crash and take over systems. Even years after it arrived, security company Check Point estimated it affected over 42% of organizations. This one could be worse. We can only hope it's not as bad as that all-time champion of OpenSSL's security holes, 2014's HeartBleed. [...] There is another little silver lining in this dark cloud. This new hole only affects OpenSSL versions 3.0.0 through 3.0.6. So, older operating systems and devices are likely to avoid these problems. For example, Red Hat Enterprise Linux (RHEL) 8.x and earlier and Ubuntu 20.04 won't be smacked by it. RHEL 9.x and Ubuntu 22.04, however, are a different story. They do use OpenSSL 3.x. [...] But, if you're using anything with OpenSSL 3.x in -- anything -- get ready to patch on Tuesday. This is likely to be a bad security hole, and exploits will soon follow. You'll want to make your systems safe as soon as possible.

Data Storage

Smartphone Storage Space Is the New Turf War for Game Makers (bloomberg.com)

From Tokyo to San Francisco, mobile game studios have sparred for years to captivate a fickle audience, fostering an overlooked problem -- the average title has become so huge that players can no longer fit more than a few on their phones. From a report: Japanese games publisher Gree expects an impending reckoning over escalating costs and ballooning file sizes, as developers pack their games with increasingly intricate graphics, voice acting and larger storylines, all to get players spending. That's creating a winner-takes-all situation that could winnow out smaller studios in coming years, Gree Senior Vice President Yuta Maeda said in an interview. The situation will only get worse as console veteran Sony -- no stranger to space-hogging hits -- prepares to invade the mobile arena. "Production of mobile games can't avoid becoming more complex, time-consuming and larger-scale, which will inevitably result in bigger app sizes," Maeda said. "Companies that survive in the market will only be the ones that can keep up with that trend."

The spending poured into today's A-list mobile titles -- MiHoYo's Genshin Impact, for instance, started with a $100 million budget -- rivals Hollywood blockbusters and is yielding better production values than ever, but also an outsized footprint. That game can occupy upwards of 20 gigabytes of storage, which is a huge chunk of what most people have available on their phones. With memory upgrades not keeping pace, the result is fewer games can vie for attention. Sony, one of the giants of console gaming, has laid out plans to bring its high-profile PlayStation franchises to mobile platforms. Rival Microsoft is also building an Xbox mobile gaming store. All of that piles pressure on the entrenched free-to-play business model followed by Gree and others. These publishers rely on monetizing in-game items and upgrades, regularly adding more content players can buy and play with. The most common workaround from game studios is to put only a basic installer in app stores, which then downloads further game assets once the player starts. Gree uses it with Heaven Burns Red, which is an initial 1GB and grows beyond 10GB for players who want the full experience.

Linux

'Old/Weird Laptops' Sought To Help Test Linux Kernel Backlight Drivers (arstechnica.com)

Do you have a laptop that's either "pretty old" or "weird in some other way"? Did it ship without Windows from the factory, or did you flash its firmware with coreboot? You could help the Linux kernel move its backlight code forward without abandoning quirky gear like yours. ArsTechnica: Hans de Goede, a longtime Linux developer and principal engineer at Red Hat, writes on his Livejournal about the need to test "a special group of laptops" to prevent their backlight controls from disappearing in Linux kernel 6.1. Old laptop tests are needed because de Goede is initiating some major changes to user-space backlight controls, something he has been working on since 2014. As detailed at Linux blog Phoronix, there are multiple issues with how Linux tries to address the wide variety of backlight schemes in displays, which de Goede laid out at the recent Linux Plumbers Conference. There can be multiple backlight devices operating a single display, leaving high-level controls to "guess which one will work." Brightness control requires root permissions at the moment. And "0" passed along as a backlight value remains a conundrum, as the engineer pointed out in 2014: Is that entirely off, or as low as the display can be lit?
Security

Thomson Reuters Collected and Leaked at Least 3TB of Sensitive Data (cybernews.com)

Thomson Reuters, a multinational media conglomerate, left an open database with sensitive customer and corporate data, including third-party server passwords in plaintext format. Attackers could use the details for a supply-chain attack. Cybernews: The Cybernews research team found that Thomson Reuters left at least three of its databases accessible for anyone to look at. One of the open instances, the 3TB public-facing ElasticSearch database, contains a trove of sensitive, up-to-date information from across the company's platforms. The company recognized the issue and fixed it immediately. Thomson Reuters provides customers with products such as the business-to-business media tool Reuters Connect, legal research service and database Westlaw, the tax automation system ONESOURCE, online research suite of editorial and source materials Checkpoint, and other tools. The size of the open database the team discovered corresponds with the company using ElasticSearch, a data storage favored by enterprises dealing with extensive, constantly updated volumes of data.
Programming

Low-Code and No-Code Are Making Developers' Jobs Better

An anonymous reader quotes a report from ZDNet: Low-code and no-code development is often seen as the realm of citizen developers, but the segment of the enterprise where low-code and no-code has gained significant traction is among professional developers themselves. And, importantly, it's making their jobs better in two ways: providing tools for faster software development and deployment, as well as elevating their roles in enterprises to that of teachers and facilitators for potential citizen developers.

A recent survey of 860 developers by OutSystems finds a majority of low-code users -- most of whom also use traditional coding languages alongside low-code -- report that they are "very satisfied" with their team productivity (59%), compared to 41% of traditional developers. Most low-coders, 57%, are also very satisfied with the quality of tools at their disposal to complete their work, compared to 36% of their traditional coding counterparts. In addition, 71% of low-code users said they were able to stick to the typical 40-hour work week, compared to only 44% of traditional developers. Additionally, 63% of low-code developers indicate they are happy with their salary and benefits compared to 40% of traditional developers.

Not only is low-code and no-code making things easier, it is also elevating the roles of technology professionals within their enterprises, to facilitators, educators, and consultants. Industry observers agree. "The professional's role is now to customize and connect the low-code solution to the organization's resources," relates Moses Guttmann, CEO and co-founder of ClearML. Their roles "shift towards mainly automation and orchestration, taking a low-code process and helping the low-code infrastructure gain access to different resources within the organization. Think of it as abstracting the databases and providing access to the orchestration -- such as cloud infrastructure to execute the low-code application." This can only mean more Agile development for the next generation of applications, with business-savvy developers and tech-savvy business users working side by side. "Citizen developers are typically growth-minded, innovative problem solvers with an active understanding of the business' overarching goals," says Aaron White, CTO and co-founder of Vendr. "In tandem with overseeing the work completed in a low-code or no-code environment, professional developers -- especially those leading teams -- should strive to recognize these employees' talents, actively enabling them to contribute to the development process."

"It takes away a lot of the day-to-day implementation-related tasks and allows developers to focus on more architectural and strategic concerns," says Om Vyas, co-founder and chief product officer for oak9. "It puts them in a position to have a greater business impact. But also, with low-code and no-code approaches, when the one-size-fits-all pattern does not work for you, it will create work for these professionals to amend or customize to add their own implementations."

In many cases, "a low-code/no-code approach may operate as a complete solution. That said, IT and engineering may need to step in from time to time, to fine-tune the details," White adds.
Security

Systemd Supremo Proposes Tightening up Linux Boot Process (theregister.com)

Lennart Poettering's latest blog post proposes moving the Linux boot process into a "Brave New Trusted Boot World" of cryptographically signed Unified Kernel Images. From a report: Agent Poettering offers a mechanism for tightening up the security of the system startup process on Linux machines, using TPM 2.0 hardware. In brief, what he sees as the problem is that on hardware with Secure Boot enabled, while the boot process up to and including the kernel is signed, the next step, loading the initrd, is not. That's what he wants to fix.
Apple

Apple Confirms the iPhone is Getting USB-C, But Isn't Happy About the Reason Why (theverge.com)

Apple has given its most direct confirmation yet that a USB-C-equipped iPhone will happen, now that the European Union is mandating that all phones sold in its member countries use the connector if they have a physical charger. From a report: When asked by The Wall Street Journal if the company would replace Lightning, Apple's senior VP of worldwide marketing, Greg Joswiak, answered by saying: "Obviously, we'll have to comply; we have no choice."

WSJ brought the law up during a talk with Joswiak and software VP Craig Federighi at the WSJ's Tech Live conference and followed up by asking when we can expect to see USB-C on an iPhone. Joswiak replied, "the Europeans are the ones dictating timing for European customers." Currently, the law dictates that "all mobile phones and tablets" will have to use USB-C by "autumn 2024." Joswiak refused to answer whether the company would include the connector on phones sold outside the EU. But he made it abundantly clear that Apple isn't happy about being legally coerced into making the switch. Before acknowledging that the company must comply with the law, Joswiak went into a long explanation about how Apple has historically preferred to go its own way and trust its engineers rather than be forced into adopting hardware standards by lawmakers.

Security

Australia's Medibank Says Data of All 4 Million Customers Accessed By Hacker (reuters.com)

An anonymous reader quotes a report from Reuters: Australia's biggest health insurer, Medibank, said on Wednesday a cyber hack had compromised the data of all of its nearly 4 million customers, as it warned of a $16 million to $22.3 million hit to first-half earnings. It said that all personal data, and significant amounts of health claims data, of all its customers were compromised in the breach reported this month, a day after it warned the number of customers affected would grow.

Medibank, which covers one-sixth of Australians, said the estimated cost did not include further potential remediation or regulatory expenses. The company reiterated that its IT systems had not been encrypted by ransomware to date and that it would continue to monitor for any further suspicious activity. "Everywhere we have identified a breach, it is now closed," John Goodall, Medibank's top technology executive, told an analyst call on Wednesday.

"Our investigation has now established that this criminal has accessed all our private health insurance customers' personal data and significant amounts of their health claims data," chief executive David Koczkar said in a statement. "I apologize unreservedly to our customers. This is a terrible crime -- this is a crime designed to cause maximum harm to the most vulnerable members of our community."
IT

Nvidia RTX 4090's Power Draw May Be Too Much For Its Power Connector To Handle (arstechnica.com) 118

An anonymous reader shares a report: Nvidia's $1,599 GeForce RTX 4090 is an incredibly powerful graphics card, but its performance comes at the cost of high power draw. Like a few of the RTX 3000-series cards, Nvidia uses a new kind of 16-pin 12VHPWR power connector to supply all that power to the card -- you can plug up to four 8-pin GPU power cables into the 12VHPWR adapter, which then plugs into the connector on the GPU, saving some board space.

But at least two RTX 4090 users are now reporting that their 12VHPWR connectors have overheated and melted during use. These complaints are sourced from Reddit (via Tom's Hardware), so take them with a grain of salt -- we don't know the exact configuration of either user's PC setup. The specific model of graphics card (a Gigabyte RTX 4090 Gaming OC for one user, an Asus RTX 4090 TUF Gaming OC Edition for the other), the power supply, and any number of other factors could have contributed to the connectors overheating.

Privacy

Passkeys Are Finally Here (arstechnica.com) 96

An anonymous reader quotes a report from Ars Technica: Generically, passkeys refer to various schemes for storing authenticating information in hardware, a concept that has existed for more than a decade. What's different now is that Microsoft, Apple, Google, and a consortium of other companies have unified around a single passkey standard shepherded by the FIDO Alliance. Not only are passkeys easier for most people to use than passwords; they are also completely resistant to credential phishing, credential stuffing, and similar account takeover attacks.

On Monday, PayPal said US-based users would soon have the option of logging in using FIDO-based passkeys, joining Kayak, eBay, Best Buy, CardPointers, and WordPress as online services that will offer the password alternative. In recent months, Microsoft, Apple, and Google have all updated their operating systems and apps to enable passkeys. Passkey support is still spotty. Passkeys stored on iOS or macOS will work on Windows, for instance, but the reverse isn't yet available. In the coming months, all of that should be ironed out, though.

Passkeys work almost identically to the FIDO authenticators that allow us to use our phones, laptops, computers, and Yubico or Feitian security keys for multi-factor authentication. Just like the FIDO authenticators stored on these MFA devices, passkeys are invisible and integrate with Face ID, Windows Hello, or other biometric readers offered by device makers. There's no way to retrieve the cryptographic secrets stored in the authenticators short of physically dismantling the device or subjecting it to a jailbreak or rooting attack. Even if an adversary was able to extract the cryptographic secret, they still would have to supply the fingerprint, facial scan, or -- in the absence of biometric capabilities -- the PIN that's associated with the token. What's more, when a passkey held on a phone is used to sign in on another device, FIDO's cross-device authentication flow (the "hybrid" transport of CTAP, the Client to Authenticator Protocol) relies on Bluetooth Low Energy to verify that the authenticating device is in close physical proximity to the device trying to log in.

"Users no longer need to enroll each device for each service, which has long been the case for FIDO (and for any public key cryptography)," said Andrew Shikiar, FIDO's executive director and chief marketing officer. "By enabling the private key to be securely synced across an OS cloud, the user needs to only enroll once for a service, and then is essentially pre-enrolled for that service on all of their other devices. This brings better usability for the end-user and -- very significantly -- allows the service provider to start retiring passwords as a means of account recovery and re-enrollment."

In other words: "Passkeys just trade WebAuthn cryptographic keys with the website directly," says Ars Review Editor Ron Amadeo. "There's no need for a human to tell a password manager to generate, store, and recall a secret -- that will all happen automatically, with way better secrets than what the old text box supported, and with uniqueness enforced."

If you're eager to give passkeys a try, you can use a demo site created by security company Hanko.
