Security

Over 45,000 VMware ESXi Servers Just Reached End-of-Life (bleepingcomputer.com) 57

An anonymous reader quotes a report from BleepingComputer: Over 45,000 VMware ESXi servers inventoried by Lansweeper just reached end-of-life (EOL), with VMware no longer providing software and security updates unless companies purchase an extended support contract. Lansweeper develops asset management and discovery software that allows customers to track what hardware and software they are running on their network. As of October 15, 2022, VMware ESXi 6.5 and VMware ESXi 6.7 reached end-of-life and will only receive technical support but no security updates, putting the software at risk of vulnerabilities.

The company analyzed data from 6,000 customers and found 79,000 installed VMware ESXi servers. Of those servers, 36.5% (28,835) run version 6.7.0, released in April 2018, and 21.3% (16,830) are on version 6.5.0, released in November 2016. In total, there are 45,654 VMware ESXi servers reaching End of Life as of today. The findings of Lansweeper are alarming because apart from the 57% that enter a period of elevated risk, there are also another 15.8% installations that run even older versions, ranging from 3.5.0 to 5.5.0, which reached EOL quite some time ago.

In summary, right now, only about one out of four ESXi servers (26.4%) inventoried by Lansweeper are still supported and will continue to receive regular security updates until April 02, 2025. However, in reality, the number of VMware servers reaching EOL today, is likely far greater, as this report is based only on Lansweeper's customers. The technical guidance for ESXi 6.5 and 6.7 will carry on until November 15, 2023, but this concerns implementation issues, not including security risk mitigation. The only way to ensure you can continue to use older versions securely is to apply for the two-year extended support, which needs to be purchased separately. However, this does not include updates for third-party software packages. For more details about EOL dates on all VMware software products, check out this webpage.

Security

Former WSJ Reporter Says Law Firm Used Indian Hackers To Sabotage His Career (reuters.com) 25

An anonymous reader quotes a report from Reuters: A former Wall Street Journal reporter is accusing a major U.S. law firm of having used mercenary hackers to oust him from his job and ruin his reputation. In a lawsuit filed late Friday, Jay Solomon, the Journal's former chief foreign correspondent, said Philadelphia-based Dechert LLP worked with hackers from India to steal emails between him and one of his key sources, Iranian American aviation executive Farhad Azima. Solomon said the messages, which showed Azima floating the idea of the two of them going into business together, were put into a dossier and circulated in a successful effort to get him fired.

The lawsuit, filed in federal court in Washington, said Dechert "wrongfully disclosed this dossier first to Mr. Solomon's employer, the Wall Street Journal, at its Washington DC bureau, and then to other media outlets in an attempt to malign and discredit him." It said the campaign "effectively caused Mr. Solomon to be blackballed by the journalistic and publishing community." Dechert said in an email that it disputed the claim and would fight it in court.

The lawsuit is the latest in a series of legal actions related to hired hackers operating out of India, notes Reuters. "In June, Reuters reported on the activities of several hack-for-hire shops, including Delhi-area companies BellTroX and CyberRoot, that were involved in a decade-long series of espionage campaigns targeting thousands of people, including more than 1,000 lawyers at 108 different law firms."

Solomon said in a statement Saturday that the hack-and-leak he suffered was an example of "a trend that's becoming a great threat to journalism and media, as digital surveillance and hacking technologies become more sophisticated and pervasive. This is a major threat to the freedom of the press."

Technology

In Praise of FFmpeg (drewdevault.com) 81

Drew DeVault, prolific FOSS blogger and hacker behind SourceHut, Sway, wlroots, and many other projects, writes in a blog post: I have relied on ffmpeg for many tasks and for many years. It has always been there to handle any little multimedia-related task I might put it to for personal use -- re-encoding audio files so they fit on my phone, taking clips from videos to share, muxing fonts into mkv files, capturing video from my webcam, live streaming hacking sessions on my own platform, or anything else I can imagine. It formed the foundation of MediaCrush back in the day, where we used it to optimize multimedia files for efficient viewing on the web, back when that was more difficult than "just transcode it to a webm."

ffmpeg is notable for being one of the first large-scale FOSS projects to completely eradicate proprietary software in its niche. Virtually all multimedia-related companies rely on ffmpeg to do their heavy lifting. It took a complex problem and solved it, with free software. The book is now closed on multimedia: ffmpeg is the solution to almost all of your problems. And if it's not, you're more likely to patch ffmpeg than to develop something new. The code is accessible and the community are experts in your problem domain.

ffmpeg is one of the foremost pillars of achievement in free software. It has touched the lives of every reader, whether they know it or not. If you've ever watched TV, or gone to a movie, or watched videos online, or listened to a podcast, odds are that ffmpeg was involved in making it possible. It is one of the most well-executed and important software projects of all time.

Security

Visa, Mastercard Draw New Government Scrutiny Over Debit-Card Routing (wsj.com) 7

The Federal Trade Commission is investigating whether Visa and Mastercard's security tokens restrict debit-card routing competition on online payments, WSJ reported Monday, citing people familiar with the matter. From the report: The FTC for the past few years has already been probing whether Visa and Mastercard block merchants from routing payments over other debit-card networks. The networks acknowledged an FTC probe in regulatory filings in recent years. In recent months, the FTC expanded its focus to routing challenges that stem from the networks' security tokens, the people familiar with the matter said. It isn't clear if the investigation is a new probe or part of the previous one.

Visa and Mastercard are by far the two biggest card networks in the U.S., building and maintaining the plumbing that allows Americans to use credit and debit cards at stores and online. Their lion's share of that market has drawn increasing scrutiny from regulators and fueled tension with merchants, which pay fees set by the networks when a customer pays via card. A Justice Department investigation on whether Visa has unlawfully maintained a dominant market share in debit cards is ongoing, according to people familiar with the matter. Federal law requires that merchants have the ability to choose from at least two unaffiliated debit-card networks to route transactions. That is supposed to give merchants the option to send debit-card payments over the network that sets lower fees. In most cases, when a person stores a card in a digital wallet such as Apple Pay, the 16-digit card number gets replaced by a "security token" -- essentially a line of random numbers. The token is typically provided by the network listed on the card -- often Visa or Mastercard.

Encryption

Mark Zuckerberg Says WhatsApp 'Far More Private and Secure' than iMessage (facebook.com) 92

Mark Zuckerberg, writing in a Facebook post: WhatsApp is far more private and secure than iMessage, with end-to-end encryption that works across both iPhones and Android, including group chats. With WhatsApp you can also set all new chats to disappear with the tap of a button. And last year we introduced end-to-end encrypted backups too. All of which iMessage still doesn't have.

EU

Europe Plans to Launch a Quantum Encryption Satellite for Ultrasecure Communications in 2024 (space.com) 32

"Europe is aiming to launch a technology demonstration satellite for secure, quantum-encrypted communications in 2024," reports Space.com, "with a view to developing a larger constellation." The satellite, Eagle-1, will be the first space-based quantum key distribution (QKD) system for the European Union and could lead to an ultrasecure communications network for Europe, according to a statement from the European Space Agency (ESA).

Eagle-1 will spend three years in orbit testing the technologies needed for a new generation of secure communications. The satellite will demonstrate the "feasibility of quantum key distribution technology — which uses the principles of quantum mechanics to distribute encryption keys in such a way that any attempt to eavesdrop is immediately detected — within the EU using a satellite-based system," according to ESA...

"European security and sovereignty in a future world of quantum computing is critical to the success of Europe and its Member States," Steve Collar, CEO of SES, said in the statement. He added that the goal is "to advance quantum communications and develop the Eagle-1 system to support secure and sovereign European networks of the future."

SES will be leading a consortium of more than 20 European countries, according to the ESA's statement: Eagle-1 will demonstrate the feasibility of quantum key distribution technology — which uses the principles of quantum mechanics to distribute encryption keys in such a way that any attempt to eavesdrop is immediately detected — within the EU using a satellite-based system. To do so, the system will build on key technologies developed under ESA's Scylight programme, with the aim of validating vital components supplied within the EU....

It will allow the EU to prepare for a sovereign, autonomous cross-border quantum secure communications network.

The system will initially use an upgraded optical ground terminal from the German Aerospace Centre (DLR) alongside a new optical ground terminal to be developed by a team from the Netherlands. The Eagle-1 platform satellite from Italian company Sitael will carry a quantum-key payload built by Tesat Spacecom of Germany and will be operated by Luxembourg-headquartered SES.

Encryption

Microsoft Office 365 Vulnerability Could Allow Sidestepping of Email Encryption (venturebeat.com) 21

"A researcher from cloud and endpoint protection provider WithSecure has discovered an unpatchable flaw in Microsoft Office 365 Message Encryption," reports VentureBeat. "The flaw enables a hacker to infer the contents of encrypted messages." OME uses the electronic codebook (ECB) block cipher, which leaks structural information about the message. This means if an attacker obtains many emails they can infer the contents of the messages by analyzing the location and frequency of patterns in the messages and matching these to other emails. For enterprises, this highlights that just because your emails are encrypted, doesn't mean they're safe from threat actors. If someone steals your email archives or backups, and accesses your email server, they can use this technique to sidestep the encryption.

The discovery comes shortly after researchers discovered hackers were chaining two new zero-day Exchange exploits to target Microsoft Exchange servers.

WithSecure originally shared its discovery of the Office 365 vulnerability with Microsoft in January 2022. Microsoft acknowledged it and paid the researcher through its vulnerability reward program, but hasn't issued a fix.
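
Why ECB leaks structure, shown as an added example (not code from the report or from WithSecure): under one key, equal plaintext blocks always produce equal ciphertext blocks, inside a message and across messages, while a mode with a random IV hides this. The 4-round Feistel function is a toy stand-in for AES so the block runs on the standard library alone; the key and both messages are constructed.

```python
import hashlib
import os

BLOCK = 16  # bytes, the same block size as AES

# Constructed demo key and messages (assumptions for this example).
KEY = hashlib.sha256(b"constructed demo key").digest()
HEADER = b"CONFIDENTIAL".ljust(BLOCK, b"-")      # exactly one block
MSG_A = HEADER * 3 + b"wire 40000 to acct 7781"
MSG_B = HEADER * 3 + b"lunch moved to noon"


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: keyed SHA-256 truncated to half a block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy keyed permutation on one 16-byte block. Stand-in for AES, not for real use."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        mixed = bytes(a ^ b for a, b in zip(left, _round(key, rnd, right)))
        left, right = right, mixed
    return left + right


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding up to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently, so the output is deterministic."""
    return b"".join(encrypt_block(key, b) for b in blocks(pad(plaintext)))


def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """CBC with a fresh random IV: each block is chained to the previous ciphertext."""
    prev = os.urandom(BLOCK)
    out = [prev]
    for b in blocks(pad(plaintext)):
        prev = encrypt_block(key, bytes(x ^ y for x, y in zip(b, prev)))
        out.append(prev)
    return b"".join(out)


def duplicate_blocks(ciphertext: bytes) -> int:
    """Number of blocks that repeat an earlier block in the same ciphertext."""
    bl = blocks(ciphertext)
    return len(bl) - len(set(bl))


def common_blocks(ct_a: bytes, ct_b: bytes) -> set:
    """Distinct ciphertext blocks that two messages have in common."""
    return set(blocks(ct_a)) & set(blocks(ct_b))


def audit() -> dict:
    """Compare what each mode reveals about the two constructed messages."""
    ecb_a, ecb_b = ecb_encrypt(KEY, MSG_A), ecb_encrypt(KEY, MSG_B)
    cbc_a, cbc_b = cbc_encrypt(KEY, MSG_A), cbc_encrypt(KEY, MSG_B)
    return {
        "ecb_repeats_in_a": duplicate_blocks(ecb_a),
        "ecb_shared_a_b": len(common_blocks(ecb_a, ecb_b)),
        "cbc_repeats_in_a": duplicate_blocks(cbc_a),
        "cbc_shared_a_b": len(common_blocks(cbc_a, cbc_b)),
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {value}")
```

The same `duplicate_blocks` count works as a quick audit of stored ciphertext: any non-zero result on data that is supposed to be encrypted with a randomized mode is worth investigating.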

Apple

Workers at a Second Apple Store Just Voted to Unionize (cnn.com) 51

"Apple workers in Oklahoma City have voted to form the second-ever labor union at one of the company's US stores," reports CNN, "in the latest sign that organizing efforts are gaining traction inside and outside the tech and retail industries." In a preliminary tally by the National Labor Relations Board on Friday evening, 56 workers, or 64% of those casting ballots at the Penn Square Mall Apple store, voted to be represented by the Communication Workers of America, and 32 voted against it. Turnout was strong, with 88 of a potential 95 workers participating in the vote.

The union victory comes four months after Apple store workers in Towson, Maryland, made history by voting to form Apple's first US unionized location.... Workers at both locations have said they're looking to unionize in an effort to have more of a say in how their stores are run. Some also said they were inspired by union pushes this year at Amazon and Starbucks.

Apple did not immediately respond to a request for comment after the late night vote count Friday....

Between January and July of this year there were 826 union elections, up 45% from the number held in the same period of 2021, according to a CNN analysis of data from the NLRB. And the 70% success rate by unions in those votes is far better than the 42% success rate in the first seven months of 2021.

IOS

iOS 16 VPN Tunnels Leak Data, Even When Lockdown Mode Is Enabled (macrumors.com) 35

AmiMoJo shares a report from MacRumors: iOS 16 continues to leak data outside an active VPN tunnel, even when Lockdown mode is enabled, security researchers have discovered. Speaking to MacRumors, security researchers Tommy Mysk and Talal Haj Bakry explained that iOS 16's approach to VPN traffic is the same whether Lockdown mode is enabled or not. The news is significant since iOS has a persistent, unresolved issue with leaking data outside an active VPN tunnel.

According to a report from privacy company Proton, an iOS VPN bypass vulnerability had been identified in iOS 13.3.1, which persisted through three subsequent updates. Apple indicated it would add Kill Switch functionality in a future software update that would allow developers to block all existing connections if a VPN tunnel is lost, but this functionality does not appear to prevent data leaks as of iOS 15 and iOS 16. Mysk and Bakry have now discovered that iOS 16 communicates with select Apple services outside an active VPN tunnel and leaks DNS requests without the user's knowledge.

Mysk and Bakry also investigated whether iOS 16's Lockdown mode takes the necessary steps to fix this issue and funnel all traffic through a VPN when one is enabled, and it appears that the exact same issue persists whether Lockdown mode is enabled or not, particularly with push notifications. This means that the minority of users who are vulnerable to a cyberattack and need to enable Lockdown mode are equally at risk of data leaks outside their active VPN tunnel. [...] Due to the fact that iOS 16 leaks data outside the VPN tunnel even where Lockdown mode is enabled, internet service providers, governments, and other organizations may be able to identify users who have a large amount of traffic, potentially highlighting influential individuals. It is possible that Apple does not want a potentially malicious VPN app to collect some kinds of traffic, but seeing as ISPs and governments are then able to do this, even if that is what the user is specifically trying to avoid, it seems likely that this is part of the same VPN problem that affects iOS 16 as a whole.

Security

Shein Owner Fined $1.9 Million For Failing To Notify 39 Million Users of Data Breach (techcrunch.com) 5

Zoetop, the firm that owns Shein and its sister brand Romwe, has been fined (PDF) $1.9 million by New York for failing to properly disclose a data breach from 2018. TechCrunch reports: A cybersecurity attack that originated in 2018 resulted in the theft of 39 million Shein account credentials, including those of more than 375,000 New York residents, according to the AG's announcement. An investigation by the AG's office found that Zoetop only contacted "a fraction" of the 39 million compromised accounts, and for the vast majority of the users impacted, the firm failed to even alert them that their login credentials had been stolen. The AG's office also concluded that Zoetop's public statements about the data breach were misleading. In one instance, the firm falsely stated that only 6.42 million consumers had been impacted and that it was in the process of informing all the impacted users.

Security

SIM Card Swindler 'Baby Al Capone' Agrees To Pay Back $22 Million To Hacked Crypto Investor (gizmodo.com) 5

A young man who was not even old enough to drive back in 2018 managed to yoink nearly $24 million from a major crypto investor's account. Now, over four years later and thousands likely invested in both an investigation and lawyers' fees, Michael Terpin can now claim he has reclaimed $22 million from the original hack, according to a recently filed agreement. From a report: The original complaint filed in New York Southern District Court back in 2020 named the then-18-year-old Ellis Pinsky of leading a 20-person group that met on the OGUsers' forum that attacked people's crypto wallets using stolen SIM card data. Pinsky allegedly performed this hack when he was only 15 years old while living with his mother in upstate New York. The only other hacker named in the original complaint was 20-year-old Nick Truglia, who had been previously jailed on federal charges for a separate crypto theft. Terpin was a major name in the tech and crypto world, especially back in the late 20-teens as the co-founder of crypto investment firm BitAngels along with early work launching Motley Fool and Match.com. At the time, Terpin's phone hack was one of the largest crypto hacks of its kind. Nowadays, however, $24 million would be chump change to some of the funds modern crypto hackers seem to be rolling in by attacking crypto exchanges, protocols, and cross-chain bridges.

Security

Signal To Phase Out SMS Support From the Android App 54

schwit1 shares a blog post from Signal, the popular instant messaging app: In the interest of privacy, security, and clarity we're beginning to phase out SMS support from the Android app. You'll have several months to export your messages and either find a new app for SMS or tell your friends to download Signal.

[...] To give some context, when we started supporting SMS, Signal didn't exist yet. Our Android app was called TextSecure and the Signal encryption protocol was called Axolotl. Almost a decade has passed since then, and a lot has changed. In this time we changed our name, built iOS and desktop apps, and grew from a small project to the most widely used private messaging service on the planet. And we continued supporting the sending and receiving of plaintext SMS messages via the Signal interface on Android. We did this because we knew that Signal would be easier for people to use if it could serve as a homebase for most of the messages they were sending or receiving, without having to convince the people they wanted to talk to to switch to Signal first. But this came with a tradeoff: it meant that some messages sent and received via the Signal interface on Android were not protected by Signal's strong privacy guarantees.

We have now reached the point where SMS support no longer makes sense. For those of you interested, we walk through our reasoning in more detail below. In order to enable a more streamlined Signal experience, we are starting to phase out SMS support from the Android app. You will have several months to transition away from SMS in Signal, to export your SMS messages to another app, and to let the people you talk to know that they might want to switch to Signal, or find another channel if not.

Security

How Wi-Fi Spy Drones Snooped On Financial Firm (theregister.com) 52

An anonymous reader quotes a report from The Register: Modified off-the-shelf drones have been found carrying wireless network-intrusion kit in a very unlikely place. Greg Linares, a security researcher, recently recounted an incident that he said occurred over the summer at a US East Coast financial firm focused on private investment. He told The Register that he was not involved directly with the investigation but interacted with those involved as part of his work in the finance sector. In a Twitter thread, Linares said the hacking incident was discovered when the financial firm spotted unusual activity on its internal Atlassian Confluence page that originated from within the company's network.

The company's security team responded and found that the user whose MAC address was used to gain partial access to the company Wi-Fi network was also logged in at home several miles away. That is to say, the user was active off-site but someone within Wi-Fi range of the building was trying to wirelessly use that user's MAC address, which is a red flag. The team then took steps to trace the Wi-Fi signal and used a Fluke system to identify the Wi-Fi device. "This led the team to the roof, where a 'modified DJI Matrice 600' and a 'modified DJI Phantom' series were discovered," Linares explained. The Phantom drone was in fine condition and had a modified Wi-Fi Pineapple device, used for network penetration testing, according to Linares. The Matrice drone was carrying a case that contained a Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem, and another Wi-Fi device. It had landed near the building's heating and ventilation system and appeared to be damaged but still operable. "During their investigation, they determined that the DJI Phantom drone had originally been used a few days prior to intercept a worker's credentials and Wi-Fi," Linares said. "This data was later hard coded into the tools that were deployed with the Matrice."

According to Linares, the tools on the drones were used to target the company's internal Confluence page in order to reach other internal devices using the credentials stored there. The attack, he said, had limited success and is the third cyberattack involving a drone he's seen over the past two years. "The attackers specifically targeted a limited access network, used by both a third-party and internally, that was not secure due to recent changes at the company (e.g. restructuring/rebranding, new building, new building lease, new network setup or a combination of any of these scenarios)," Linares told The Register. "This is the reason why this temporary network unfortunately had limited access in order to login (credentials + MAC security). The attackers were using the attack in order to access an internal IT confluence server that contained other credentials for accessing other resources and storing IT procedures." [...] While the identity of the attacker has not been disclosed, Linares believes those responsible did their homework. "This was definitely a threat actor who likely did internal reconnaissance for several weeks, had physical proximity to the target environment, had a proper budget and knew their physical security limitations," he said.
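
The red flag described above, a user associated to office Wi-Fi while the same account is active from off-site, can be checked by correlating two log sources. This is an added example, not tooling from the report or the firm: both log formats, the user names, access point names, addresses, dates and the office egress range are constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Assumed public NAT range of the office; VPN logins from it are on-site users.
OFFICE_EGRESS = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample logs (hypothetical formats: timestamp, event, key=value pairs).
WIFI_LOG = """\
2022-08-03T09:02:11 assoc ap=roof-ap-3 mac=aa:bb:cc:00:11:22 user=jdoe
2022-08-03T09:05:40 assoc ap=lobby-ap-1 mac=aa:bb:cc:33:44:55 user=asmith
2022-08-03T13:15:02 assoc ap=floor2-ap-4 mac=aa:bb:cc:66:77:88 user=mlee
2022-08-03T14:20:00 assoc ap=roof-ap-3 mac=aa:bb:cc:99:aa:bb user=rkhan
"""

VPN_LOG = """\
2022-08-03T08:45:00 login user=jdoe src=203.0.113.24
2022-08-03T09:00:00 login user=asmith src=192.0.2.10
2022-08-03T11:30:00 logout user=jdoe src=203.0.113.24
2022-08-03T12:00:00 login user=mlee src=198.51.100.7
2022-08-03T12:50:00 logout user=mlee src=198.51.100.7
2022-08-03T14:00:00 login user=rkhan src=203.0.113.80
"""


def parse(line: str) -> dict:
    """Split one log line into a dict with a parsed timestamp."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["event"] = event
    return fields


def remote_sessions(vpn_log: str) -> dict:
    """Return {user: [(start, end_or_None, src)]} for sessions from outside the office."""
    sessions, still_open = {}, {}
    for rec in map(parse, vpn_log.strip().splitlines()):
        if ipaddress.ip_address(rec["src"]) in OFFICE_EGRESS:
            continue  # VPN used from inside the building: no location conflict
        key = (rec["user"], rec["src"])
        if rec["event"] == "login":
            still_open[key] = rec["ts"]
        elif rec["event"] == "logout" and key in still_open:
            start = still_open.pop(key)
            sessions.setdefault(rec["user"], []).append((start, rec["ts"], rec["src"]))
    # A login with no logout yet is treated as still active.
    for (user, src), start in still_open.items():
        sessions.setdefault(user, []).append((start, None, src))
    return sessions


def find_conflicts(wifi_log: str, vpn_log: str) -> list:
    """Flag Wi-Fi associations made while the same user has an off-site session."""
    sessions = remote_sessions(vpn_log)
    hits = []
    for rec in map(parse, wifi_log.strip().splitlines()):
        if rec["event"] != "assoc":
            continue
        for start, end, src in sessions.get(rec["user"], []):
            if start <= rec["ts"] and (end is None or rec["ts"] <= end):
                hits.append({
                    "user": rec["user"],
                    "mac": rec["mac"],
                    "ap": rec["ap"],
                    "seen_onsite": rec["ts"].isoformat(),
                    "remote_src": src,
                })
    return hits


if __name__ == "__main__":
    for hit in find_conflicts(WIFI_LOG, VPN_LOG):
        print(hit)
```

In the sample data, `asmith` is not flagged because the VPN login comes from the office range, and `mlee` is not flagged because the remote session ended before the on-site association.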

Encryption

Android Leaks Some Traffic Even When 'Always-On VPN' Is Enabled (bleepingcomputer.com) 30

Mullvad VPN has discovered that Android leaks traffic every time the device connects to a WiFi network, even if the "Block connections without VPN," or "Always-on VPN," feature is enabled. BleepingComputer reports: The data being leaked outside VPN tunnels includes source IP addresses, DNS lookups, HTTPS traffic, and likely also NTP traffic. This behavior is built into the Android operating system and is a design choice. However, Android users likely didn't know this until now due to the inaccurate description of the "VPN Lockdown" features in Android's documentation. Mullvad discovered the issue during a security audit that hasn't been published yet, issuing a warning yesterday to raise awareness on the matter and apply additional pressure on Google.

Android offers a setting under "Network & Internet" to block network connections unless you're using a VPN. This feature is designed to prevent accidental leaks of the user's actual IP address if the VPN connection is interrupted or drops suddenly. Unfortunately, this feature is undercut by the need to accommodate special cases like identifying captive portals (like hotel WiFi) that must be checked before the user can log in or when using split-tunnel features. This is why Android is configured to leak some data upon connecting to a new WiFi network, regardless of whether you enabled the "Block connections without VPN" setting.

Mullvad reported the issue to Google, requesting the addition of an option to disable connectivity checks. "This is a feature request for adding the option to disable connectivity checks while "Block connections without VPN" (from now on lockdown) is enabled for a VPN app," explains Mullvad in a feature request on Google's Issue Tracker. "This option should be added as the current VPN lockdown behavior is to leak connectivity check traffic (see this issue for incorrect documentation) which is not expected and might impact user privacy."

In response to Mullvad's request, a Google engineer said this is the intended functionality and that it would not be fixed for the following reasons:

- Many VPNs actually rely on the results of these connectivity checks to function,
- The checks are neither the only nor the riskiest exemptions from VPN connections,
- The privacy impact is minimal, if not insignificant, because the leaked information is already available from the L2 connection.

Mullvad countered these points and the case remains open.

IT

Microsoft's Edge Browser Gets Shared Workspaces, New Security Features (techcrunch.com) 14

Microsoft today announced a few user-facing updates to its Edge browser. The most important of these is likely Edge Workspaces, a new feature (currently in preview) that will allow teams to share browser tabs. From a report: Microsoft argues that this feature can be useful when bringing on new team members to an existing project. Instead of sharing lots of links and files, the team can simply share a single link to an Edge Workspace (which will then likely consist of lots of links and files, but hey, at least it's just one link to share). As the project evolves, the tabs are updated in real time. I guess that's a use case. We've seen our share of extensions that do similar things, none of which ever get very popular. Meanwhile, teams share these links and files in other ways (think Confluent, etc.). On the security front, Microsoft is bringing typo protection for website URLs to the browser, promising to protect "users from accidentally navigating to online fraud sites after misspelling the website address by suggesting the website that the user intended." Nothing too complicated here, and a useful feature for sure.

Google

Google is Bringing Passkey Support To Android and Chrome (googleblog.com) 63

Android Developers Blog: Passkeys are a significantly safer replacement for passwords and other phishable authentication factors. They cannot be reused, don't leak in server breaches, and protect users from phishing attacks. Passkeys are built on industry standards and work across different operating systems and browser ecosystems, and can be used for both websites and apps. Passkeys follow already familiar UX patterns, and build on the existing experience of password autofill. For end-users, using one is similar to using a saved password today, where they simply confirm with their existing device screen lock such as their fingerprint. Passkeys on users' phones and computers are backed up and synced through the cloud to prevent lockouts in the case of device loss. Additionally, users can use passkeys stored on their phone to sign in to apps and websites on other nearby devices.

Today's announcement is a major milestone in our work with passkeys, and enables two key capabilities: Users can create and use passkeys on Android devices, which are securely synced through the Google Password Manager. Developers can build passkey support on their sites for end-users using Chrome via the WebAuthn API, on Android and other supported platforms. To try this today, developers can enroll in the Google Play Services beta and use Chrome Canary. Both features will be generally available on stable channels later this year. Our next milestone in 2022 will be an API for native Android apps. Passkeys created through the web API will work seamlessly with apps affiliated with the same domain, and vice versa. The native API will give apps a unified way to let the user pick either a passkey or a saved password. Seamless, familiar UX for both passwords and passkeys helps users and developers gradually transition to passkeys.

For the end-user, creating a passkey requires just two steps: (1) confirm the passkey account information, and (2) present their fingerprint, face, or screen lock when prompted. Signing in is just as simple: (1) The user selects the account they want to sign in to, and (2) presents their fingerprint, face, or screen lock when prompted. A passkey on a phone can also be used to sign in on a nearby device. For example, an Android user can now sign in to a passkey-enabled website using Safari on a Mac. Similarly, passkey support in Chrome means that a Chrome user, for example on Windows, can do the same using a passkey stored on their iOS device. Since passkeys are built on industry standards, this works across different platforms and browsers - including Windows, macOS and iOS, and ChromeOS, with a uniform user experience.

Privacy

Toyota Discloses Data Leak After Access Key Exposed On GitHub (bleepingcomputer.com) 9

An anonymous reader quotes a report from BleepingComputer: Toyota Motor Corporation is warning that customers' personal information may have been exposed after an access key was publicly available on GitHub for almost five years. Toyota T-Connect is the automaker's official connectivity app that allows owners of Toyota cars to link their smartphone with the vehicle's infotainment system for phone calls, music, navigation, notifications integration, driving data, engine status, fuel consumption, and more. Toyota discovered recently that a portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers. This made it possible for an unauthorized third party to access the details of 296,019 customers between December 2017 and September 15, 2022, when access to the GitHub repository was restricted.

On September 17, 2022, the database's keys were changed, purging all potential access from unauthorized third parties. The announcement explains that customer names, credit card data, and phone numbers have not been compromised as they weren't stored in the exposed database. Toyota blamed a development subcontractor for the error but recognized its responsibility for the mishandling of customer data and apologized for any inconvenience caused. The Japanese automaker concludes that while there are no signs of data misappropriation, it cannot rule out the possibility of someone having accessed and stolen the data. For this reason, all users of T-Connect who registered between July 2017 and September 2022 are advised to be vigilant against phishing scams and avoid opening email attachments from unknown senders claiming to be from Toyota.

Security

Germany's Cybersecurity Chief Faces Dismissal, Reports Say (reuters.com) 33

German Interior Minister Nancy Faeser wants to dismiss the country's cybersecurity chief due to possible contacts with people involved with Russian security services, German media reported late on Sunday, citing government sources. Reuters reports: Arne Schoenbohm, president of the BSI federal information security agency, could have had such contacts through the Cyber Security Council of Germany, various outlets reported. Schoenbohm was a founder of the association, which counts as a member a German company that is a subsidiary of a Russian cybersecurity firm founded by a former KGB employee, they wrote. "These accusations must be decisively investigated," said Konstantin von Notz, the head of the parliamentary oversight committee for Germany's intelligence agencies.

Security

Russian-Speaking Hackers Knock Multiple US Airport Websites Offline (cnn.com) 41

More than a dozen public-facing airport websites, including those for some of the nation's largest airports, appeared inaccessible Monday morning, and Russian-speaking hackers claimed responsibility. From a report: No immediate signs of impact to actual air travel were reported, suggesting the issue may be an inconvenience for people seeking travel information. "Obviously, we're tracking that, and there's no concern about operations being disrupted," Kiersten Todt, Chief of Staff of the US Cybersecurity and Infrastructure Security Agency (CISA), said Monday at a security conference in Sea Island, Georgia. The 14 websites include the one for Atlanta's Hartsfield-Jackson International Airport. An employee there told CNN there were no operational impacts. The Los Angeles International Airport website was offline earlier but appeared to be restored shortly before 9 a.m. Eastern.

Social Networks

Your Boss Can Monitor Your Activities Without Special Software (seattletimes.com) 54

"Your boss probably has enough data about your digital activities to get a snapshot of your workday — without using any special monitoring software...." reports the Washington Post.

"Workers should be aware that many online work apps offer data about their daily activities...." Commonly used network-connected apps such as Zoom, Slack and Microsoft Office give managers the ability to find everything from the number of video meetings in which you've actively participated, to how much you chatted online with co-workers and the number of documents you saved to the cloud....

At the beginning of 2022, global demand for employee monitoring software increased 65 percent from 2019, according to internet security and digital rights firm Top10VPN. But popular work apps also offer data. On Microsoft 365, an account administrator can pull data — though it may not be easy and would be tracked in compliance logs — on how many emails workers sent, how many files they saved on a shared drive and how many messages they sent as well as video meetings they participated in on the messaging and video tool Microsoft Teams. Google Workspace, Google's suite of work tools, allows administrators, for security and audit purposes, to see how many emails a user sent and received, how many files they saved and accessed on Google Drive, and when a user started a video meeting, from where they joined meetings, and who was in a meeting. Select administrators on both services can also access the content of emails and calendar items.

On paid Slack accounts, managers can see how many days users have been active and how many messages they've sent over a set period of time. Zoom allows account administrators to see how many meetings users participated in, the length of the meetings, and whether users enabled their camera and microphone during them. And if employees have company-issued phones or use office badges or tech that requires them to sign in at the office, managers can track phone usage and office attendance.

To be sure, several software companies say their reports are not for employee evaluation and surveillance. Microsoft has stated that using technology to monitor employees is counterproductive and suggested that some managers may have "productivity paranoia." In the help section of its website, Slack states that the analytics data it offers should be "used for understanding your whole team's use of Slack, not evaluating an individual's performance."

"Several workplace experts agree on one thing: The data doesn't properly represent a worker's productivity," the article concludes.

"Activities such as in-person mentoring, taking time to brainstorm, sketching out a plan or using offline software won't appear in the data. And measuring quantity might discount the quality of one's work or interactions."
