In the heart of Silicon Valley, the city of Mountain View, California "just approved its biggest development ever," reports SFGate, "and it's for exactly the company you'd expect." Google got the go-ahead to build a 153-acre mixed-use neighborhood just south of its headquarters in north Mountain View on June 13, with unanimous city council approval.

Plans for the 30-year project, which will supplant the Google offices and parking lots currently in the area, include over 3 million square feet of office space and 7,000 residential units... Originally, the developers planned to dedicate 20% of the new housing to affordable units, but the approved plan sets aside only 15% for lower- and middle-income housing. Google lowered the target to make the project viable in an uncertain economic climate, a spokesperson told SFGATE. This past January, the firm laid off 12,000 workers.

The new development sounds an awful lot like the "company towns" of 1900-era American settlement — firms ran all the stores and housing for their workers — but a Google spokesperson said the new project's restaurants, housing and services would serve the broader Mountain View community. Along with the housing and Google office space, the plans include 26 acres of public parks and open space, up to 288,990 square feet of ground-floor commercial space, land for a school, new streets and a private utility system. The developers have 30 years to complete the project, as long as Google and Lendlease hit permit benchmarks and complete other terms within the first 15.

An anonymous reader shared this report from the nonprofit journalism site, the San Francisco Standard: The San Francisco Board of Supervisors on Tuesday approved legislation that aims to shore up the city's beleaguered Downtown by filling empty storefronts and expediting the conversion of underused office buildings into housing. The bill is a major component of Mayor London Breed's recovery agenda. Co-sponsored by Board President Aaron Peskin, it amends the city's planning code to expand residential uses and Downtown office conversions. It also streamlines the review of certain projects, among other changes...

Even with speedier project approvals, converting San Francisco office buildings to housing remains a costly endeavor; few developers have explored the option to date. At an April 3 hearing of the board's Land Use Committee, lawmakers outlined the need for multiple reforms to make conversions economically feasible; Supervisor Dean Preston voiced concerns that even those reforms would not accommodate low-income housing. Many say San Francisco's Downtown is currently caught in a "doom loop" driven by economic knock-on effects of the pandemic, including an office vacancy rate approaching 30% and trophy office towers changing hands at deep discounts...

The bill passed Tuesday is one of several legislative efforts to aid Downtown and the city's overall economy. Initiatives have included legislation to delay tax increases for retail, food service and other businesses hit hard by the pandemic, an "Office Attraction Tax Credit" for new companies opening in the city and a program called "Vacant to Vibrant," which provides grants to businesses which open "pop-up" shops and art spaces in Downtown's empty storefronts.

The Washington Post reports that "Since the pandemic, employers — particularly in major cities — have been struggling to get their workers to return to the office, while others have given up and allowed workers to go fully remote.

"That trend is finally starting to catch up with the owners of office buildings in the form of rising vacancy rates and declining property values." Earlier this month, real estate data provider Trepp reported that an estimated $270 billion in commercial bank loans are coming due in 2023 — and warned of the potential for defaults. Office delinquencies spiked in May, signaling a "tipping point," according to Manus Clancy, senior managing director at Trepp. Asked about commercial real estate concerns in a television appearance on Wednesday, [U.S.] Treasury Secretary Janet L. Yellen said she thinks banks are "broadly preparing for some restructuring and difficulties going ahead...."

"If office and retail owners are having trouble generating rental income because people just aren't going into the office and shopping, then it increases the odds that they aren't going to be able to pay back those loans in timely way," said Mark Zandi, chief economist for Moody's Analytics. "That means losses will start to mount on those loans. And because the banking and financial system more broadly is already struggling with lots of other problems ... there's going to be more banking failures." Despite the public debate over return-to-office mandates at major companies, experts say office occupancy will never return to the levels experienced before 2020. In February, workplace data company Kastle Systems estimated that half of workers in the United States had returned, but that figure has stagnated since...

Still, many experts say the worst can still be avoided. The issues have been known for a while, giving lenders plenty of time to consider what to do. Banks can always renegotiate the terms of their loans to landlords... Although cities themselves could be in trouble because of property taxes and budget shortfalls, the financial system as a whole is more protected, said Brookings Institution fellow Tracy Hadden Loh, who researches real estate and cities. "It's in no one's interest to have them all fall into foreclosure at once, because that could destabilize the banking system," she said. "So banks will take what they can get in terms of payment and work through this."

Wednesday BleepingComputer reported: Malwarebytes confirmed today that the Windows 11 22H2 KB5027231 cumulative update released this Patch Tuesday breaks Google Chrome on its customers' systems... While uninstalling the KB5027231 update fixes the issue, admins report that it's not possible to do so via Windows Server Update Services because of a "catastrophic error..." The Google Chrome process is actually running but is prevented from fully launching the application and loading the user interface due to the conflict.
Then Friday BleepingComputer reported that the same update "also breaks Google Chrome on systems protected by Cisco and WatchGuard EDR and antivirus solutions." "We deploy Secure Endpoint 8.1.7 to our few thousand devices, and we started getting a mountain of reports this morning that Google Chrome would not appear on the screen after attempting to open it," one admin said. "With a little trial & error, I found that killing the Secure Endpoint service or uninstalling Secure Endpoint will allow Chrome to open again..."

WatchGuard staff also confirmed on Friday that Google Chrome wouldn't open on Windows 11 after installing KB5027231 if anti-exploit protection is enabled in the company's Endpoint Security software.
Thanks to Slashdot reader boley1 for sharing the news.

Long-time Slashdot reader waspleg shared this story from Hot Hardware: Red Hat Linux developer Richard WM Jones has shared an eyebrow raising tale of Linux bug hunting. Jones noticed that Linux 6.4 has a bug which means it will hang on boot about 1 in 1,000 times. Jones set out to pinpoint the bug, and prove he had caught it red handed. However, his headlining travail, involving booting Linux 292,612 times (and another 1,000 times to confirm the bug) apparently "only took 21 hours." It also seems that the bug is less common with Intel hardware than AMD based machines.

New submitter ole_timer shares a report from Wired: TikTok to Huawei routers to DJI drones, rising tensions between China and the US have made Americans -- and the US government -- increasingly wary of Chinese-owned technologies. But thanks to the complexity of the hardware supply chain, encryption chips sold by the subsidiary of a company specifically flagged in warnings from the US Department of Commerce for its ties to the Chinese military have found their way into the storage hardware of military and intelligence networks across the West. In July of 2021, the Commerce Department's Bureau of Industry and Security added the Hangzhou, China-based encryption chip manufacturer Hualan Microelectronics, also known as Sage Microelectronics, to its so-called "Entity List," a vaguely named trade restrictions list that highlights companies "acting contrary to the foreign policy interests of the United States." Specifically, the bureau noted that Hualan had been added to the list for "acquiring and ... attempting to acquire US-origin items in support of military modernization for [China's] People's Liberation Army."

Yet nearly two years later, Hualan -- and in particular its subsidiary known as Initio, a company originally headquartered in Taiwan that it acquired in 2016 -- still supplies encryption microcontroller chips to Western manufacturers of encrypted hard drives, including several that list as customers on their websites Western governments' aerospace, military, and intelligence agencies: NASA, NATO, and the US and UK militaries. Federal procurement records show that US government agencies from the Federal Aviation Administration to the Drug Enforcement Administration to the US Navy have bought encrypted hard drives that use the chips, too. The disconnect between the Commerce Department's warnings and Western government customers means that chips sold by Hualan's subsidiary have ended up deep inside sensitive Western information networks, perhaps due to the ambiguity of their Initio branding and its Taiwanese origin prior to 2016. The chip vendor's Chinese ownership has raised fears among security researchers and China-focused national security analysts that they could have a hidden backdoor that would allow China's government to stealthily decrypt Western agencies' secrets. And while no such backdoor has been found, security researchers warn that if one did exist, it would be virtually impossible to detect it.

"If a company is on the Entity List with a specific warning like this one, it's because the US government says this company is actively supporting another country's military development," says Dakota Cary, a China-focused research fellow at the Atlantic Council, a Washington, DC-based think tank. "It's saying you should not be purchasing from them, not just because the money you're spending is going to a company that will use those proceeds in the furtherance of another country's military objectives, but because you can't trust the product." [...] The mere fact that so many Western government agencies are buying products that include chips sold by the subsidiary of a company on the Commerce Department's trade restrictions list points to the complexities of navigating the computing hardware supply chain, says the Atlantic Council's Cary. "At minimum, it's a real oversight. Organizations that should be prioritizing this level of security are apparently not able to do so, or are making mistakes that have allowed for these products to get into their environments," he says. "It seems very significant. And it's probably not a one-off mistake."

Cybersecurity experts at CyberCX have demonstrated a simple method for consistently accessing older BIOS-locked laptops by shorting pins on the EEPROM chip with a screwdriver, enabling full access to the BIOS settings and bypassing the password. Tom's Hardware reports: Before we go further, it is worth pointing out that CyberCX's BIOS password bypass demonstration was done on several Lenovo laptops that it had retired from service. The blog shows that the easily reproducible bypass is viable on the Lenovo ThinkPad L440 (launched Q4 2013) and the Lenovo ThinkPad X230 (launched Q3 2012). Other laptop and desktop models and brands that have a separate EEPROM chip where passwords are stored may be similarly vulnerable. [...] From reading various documentation and research articles, CyberCX knew that it needed to follow the following process on its BIOS-locked Lenovo laptops: Locate the correct EEPROM chip; Locate the SCL and SDA pins; and Short the SCL and SDA pins at the right time.

Checking likely looking chips on the mainboard and looking up series numbers eventually lead to being able to target the correct EEPROM. In the case of the ThinkPad L440, the chip is marked L08-1 X (this may not always be the case). An embedded video in the CyberCX blog post shows just how easy this 'hack' is to do. Shorting the L08-1 X chip pins requires something as simple as a screwdriver tip being held between two of the chip legs. Then, once you enter the BIOS, you should find that all configuration options are open to be changed. There is said to be some timing needed, but the timing isn't so tight, so there is some latitude. You can watch the video for a bit of 'technique.'

CyberCX includes some quite in-depth analysis of how its BIOS hack works and explains that you can't just short the EEPROM chips straight away as you turn the machine on (hence the need for timing). Some readers may be wondering about their own laptops or BIOS-locked machines they have seen on eBay and so on. CyberCX says that some modern machines with the BIOS and EEPROM packages in one Surface Mount Device (SMD) would be more difficult to hack in this way, requiring an "off-chip attack." The cyber security firm also says that some motherboard and system makers do indeed already use an integrated SMD. Those particularly worried about their data, rather than their system, should implement "full disk encryption [to] prevent an attacker from obtaining data from the laptop's drive," says the security outfit.

Millions of people in Louisiana and Oregon have had their data compromised in the sprawling cyberattack that has also hit the US federal government, state agencies said late Thursday. From a report: The breach has affected 3.5 million Oregonians with driver's licenses or state ID cards, and anyone with that documentation in Louisiana, authorities said. The Louisiana governor's office did not put a number on the number of victims but over 3 million Louisianians hold driver's licenses, according to public data. The states did not blame anyone in particular for the hack, but federal officials have attributed a broader hacking campaign using the same software vulnerability to a Russian ransomware gang. The sweeping hack has likely exposed data at hundreds of organizations across the globe and also compromised multiple US federal agencies, including the Department of Energy, as well as data from major corporations in Britain like the BBC and British Airways. The Russian-speaking hackers that claimed credit are known to demand multimillion-dollar ransoms, though US and state governments say they have not received any demands.

What's old is new again, at least in the European Union. The European Parliament recently voted in favor of new legislation that would overhaul the entire battery life cycle, from design to end-of-life, which includes important caveats for smartphone users. From a report: Among the many changes, the new rules would require batteries in consumer devices like smartphones to be easily removable and replaceable. That's far from the case today with most phones, but that wasn't always the case.

Alphabet is winding down its Google Domains business and selling its assets to Squarespace, according to a statement Thursday. From a report: Squarespace is acquiring the assets associated with the business for about $180 million, according to a person familiar with the matter, who asked to not be identified because the financial details of the transaction aren't public. The assets include "10 million domains hosted on Google Domains spread across millions of customers," according to the statement, confirming a Bloomberg News report. "We are exceptionally proud to be chosen to serve the customers of the Google Domains business," Anthony Casalena, founder and chief executive officer of Squarespace, said in the statement. "Domains are a critical part of web infrastructure and an essential piece of every business's online presence."

An anonymous reader quotes a report from CNN: Several US federal government agencies have been hit in a global cyberattack that exploits a vulnerability in widely used software, according to a top US cybersecurity agency. The US Cybersecurity and Infrastructure Security Agency "is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications," Eric Goldstein, the agency's executive assistant director for cybersecurity, said in a statement on Thursday to CNN, referring to the software impacted. "We are working urgently to understand impacts and ensure timely remediation." It was not immediately clear if the hackers responsible for breaching the federal agencies were a Russian-speaking ransomware group that has claimed credit for numerous other victims in the hacking campaign.

Agencies were much quicker Thursday to deny they'd been affected by the hacking than to confirm they were. The Transportation Security Administration and the State Department said they were not victims of the hack. CISA Director Jen Easterly told MSNBC on Thursday that she was "confident" that there will not be "significant impacts" to federal agencies from the hacks because of the government's defensive improvements. But the news adds to a growing tally of victims of a sprawling hacking campaign that began two weeks ago and has hit major US universities and state governments. The hacking spree mounts pressure on federal officials who have pledged to put a dent in the scourge of ransomware attacks that have hobbled schools, hospitals and local governments across the US.

The new hacking campaign shows the widespread impact that a single software flaw can have if exploited by skilled criminals. The hackers -- a well-known group whose favored malware emerged in 2019 -- in late May began exploiting a new flaw in a widely used file-transfer software known as MOVEit, appearing to target as many exposed organizations as they could. The opportunistic nature of the hack left a broad swath of organizations vulnerable to extortion. Progress, the US firm that owns the MOVEit software, has also urged victims to update their software packages and has issued security advice.

Security researchers at Mandiant say China-backed hackers are likely behind the mass-exploitation of a recently discovered security flaw in Barracuda Networks' email security gear, which prompted a warning to customers to remove and replace affected devices. From a report: Mandiant, which was called in to run Barracuda's incident response, said the hackers exploited the flaw to compromise hundreds of organizations likely as part of an espionage campaign in support of the Chinese government. Almost a third of the targeted organizations are government agencies, Mandiant said in a report published Thursday.

Last month, Barracuda discovered the security flaw affecting its Email Security Gateway (ESG) appliances, which sit on a company's network and filter email traffic for malicious content. Barracuda issued patches and warned that hackers had been exploiting the flaw since October 2022. But the company later recommended customers remove and replace affected ESG appliances, regardless of patch level, suggesting the patches failed or were unable to block the hacker's access. In its latest guidance, Mandiant also warned customers to replace affected gear after finding evidence that the China-backed hackers gained deeper access to networks of affected organizations.

PDF Association, in a blog post: We live in a world where the only constant is accelerating change. The twists and turns in the technology landscape over the last 30 years have drained some of the hype from the early days of the consumer digital era. Today we are confronted with all-new, even more disruptive, possibilities. Along with the drama of the internet, the web, broadband, smart-phones, mobile broadband, social media, and AI, the last thirty years have revealed some persistent truths about how people use and think about information and communication. From the vantage-point of 2023 we are positioned to recognize 1993 as a year of two key developments; the first specification of HTML, the language of the web, and the first specification of PDF, the language of documents. Today, both technologies predominate in their respective use cases. They coexist because they meet deeply-related but distinct needs.

NASA's Jet Propulsion Laboratory (JPL) has created the largest open-source archive of PDFs as part of DARPA's Safe Documents program, with the aim of improving internet security. The corpus consists of approximately 8 million PDFs collected from the internet. From a press release: "PDFs are used everywhere and are important for contracts, legal documents, 3D engineering designs, and many other purposes. Unfortunately, they are complex and can be compromised to hide malicious code or render different information for different users in a malicious way," said Tim Allison, a data scientist at JPL in Southern California. "To confront these and other challenges from PDFs, a large sample of real-world PDFs needs to be collected from the internet to create a shared, freely available resource for software experts." Building the corpus was no easy task. As a starting point, Allison's team used Common Crawl, an open-source public repository of web-crawl data, to identify a wide variety of PDFs to be included in the corpus -- files that are publicly available and not behind firewalls or in private networks. Conducted between July and August 2021, the crawl identified roughly 8 million PDFs.

Common Crawl limits downloaded data to 1 megabyte per file, meaning larger files were incomplete. But researchers need the entire PDF, not a truncated version, in order to conduct meaningful research on them. The file-size limit reduced the number of complete, untruncated files extracted directly from Common Crawl to 6 million. To get the other 2 million PDFs and ensure the corpus was complete, the JPL team re-fetched the truncated files using specialized software that downloaded the whole files from the incomplete PDFs' web addresses. Various metadata, such as the software used to create each PDF, was extracted and is included with the corpus. The JPL team also relied on free, publicly available geolocation software to identify the server location of the source website for each PDF. The complete data set totals about 8 terabytes, making it the largest publicly available corpus of its kind.

The corpus will do more than help researchers identify threats. Privacy researchers, for example, could study these files to determine how file-creation and editing software can be improved to better protect personal information. Software developers could use the files to find bugs in their code and to check if old versions of software are still compatible with newer versions of PDFs. The Digital Corpora project hosts the huge data archive as part of Amazon Web Services' Open Data Sponsorship Program, and the files have been packaged in easily downloadable zip files.

An anonymous reader quotes a report from Ars Technica: Researchers have devised a novel attack that recovers the secret encryption keys stored in smart cards and smartphones by using cameras in iPhones or commercial surveillance systems to video record power LEDs that show when the card reader or smartphone is turned on. The attacks enable a new way to exploit two previously disclosed side channels, a class of attack that measures physical effects that leak from a device as it performs a cryptographic operation. By carefully monitoring characteristics such as power consumption, sound, electromagnetic emissions, or the amount of time it takes for an operation to occur, attackers can assemble enough information to recover secret keys that underpin the security and confidentiality of a cryptographic algorithm. [...]

On Tuesday, academic researchers unveiled new research demonstrating attacks that provide a novel way to exploit these types of side channels. The first attack uses an Internet-connected surveillance camera to take a high-speed video of the power LED on a smart card reader -- or of an attached peripheral device -- during cryptographic operations. This technique allowed the researchers to pull a 256-bit ECDSA key off the same government-approved smart card used in Minerva. The other allowed the researchers to recover the private SIKE key of a Samsung Galaxy S8 phone by training the camera of an iPhone 13 on the power LED of a USB speaker connected to the handset, in a similar way to how Hertzbleed pulled SIKE keys off Intel and AMD CPUs. Power LEDs are designed to indicate when a device is turned on. They typically cast a blue or violet light that varies in brightness and color depending on the power consumption of the device they are connected to.

There are limitations to both attacks that make them unfeasible in many (but not all) real-world scenarios (more on that later). Despite this, the published research is groundbreaking because it provides an entirely new way to facilitate side-channel attacks. Not only that, but the new method removes the biggest barrier holding back previously existing methods from exploiting side channels: the need to have instruments such as an oscilloscope, electric probes, or other objects touching or being in proximity to the device being attacked. In Minerva's case, the device hosting the smart card reader had to be compromised for researchers to collect precise-enough measurements. Hertzbleed, by contrast, didn't rely on a compromised device but instead took 18 days of constant interaction with the vulnerable device to recover the private SIKE key. To attack many other side channels, such as the one in the World War II encrypted teletype terminal, attackers must have specialized and often expensive instruments attached or near the targeted device. The video-based attacks presented on Tuesday reduce or completely eliminate such requirements. All that's required to steal the private key stored on the smart card is an Internet-connected surveillance camera that can be as far as 62 feet away from the targeted reader. The side-channel attack on the Samsung Galaxy handset can be performed by an iPhone 13 camera that's already present in the same room. Videos here and here show the video-capture process of a smart card reader and a Samsung Galaxy phone, respectively, as they perform cryptographic operations. "To the naked eye, the captured video looks unremarkable," adds Ars.

"But by analyzing the video frames for different RGB values in the green channel, an attacker can identify the start and finish of a cryptographic operation."

The company that currently owns the Atari name and trademarks has decided to give owners of the old Atari Video Computer System (aka the Atari 2600) something new to do. From a report: Mr. Run and Jump is a new Atari-published platformer that is coming to vintage Atari consoles in cartridge form, complete with a box and instruction manual. Preorders for the cartridge begin on July 31 for $59.99. The version of Mr. Run and Jump coming to the 2600 is a primitive version of a much different-looking game with the same name that's coming to PCs and all major game consoles on July 25. We've got to hand it to Atari here -- as a PR gambit for a new game, porting a rough version of your game to a 46-year-old game console and then giving it a physical release complete with box and manual is pretty good.

Atari is billing this release as "the first 2600 cartridge launch for a new Atari title since 1990," though there have also been some limited-run cartridge releases for games like 2005's Yars' Return. There were also a few new 2600-inspired games and remakes, including Vctr Sctr, in Atari's 50th-anniversary collection, which also got a physical release on modern consoles. Although modern game development for the 2600, NES, Game Boy, and other retro consoles are mostly the provenance of homebrew developers working in emulators, physical cartridge releases aren't uncommon. Limited Run Games and other independent and crowdfunded outfits have released plenty of physical cartridges for old consoles, including a Smash Bros-style NES game that includes a Wi-Fi chip to support online play.

In an internal memo sent Monday afternoon to Reddit staff, CEO Steve Huffman addressed the recent blowback directed at the company, telling employees to block out the "noise" and that the ongoing blackout of thousands of subreddits will eventually pass. From a report: The memo, a copy of which was obtained by The Verge, is in response to popular subreddits going dark this week in protest of the company's increased API pricing for third-party apps. Some of the most popular Reddit clients say the bill for keeping their apps up and running could cost them millions of dollars a year. More than 8,000 Reddit communities have gone dark in protest, and while many plan to open up again on Wednesday, some have said they'll stay private indefinitely until Reddit makes changes.

Huffman says the blackout hasn't had "significant revenue impact" and that the company anticipates that many of the subreddits will come back online by Wednesday. "There's a lot of noise with this one. Among the noisiest we've seen. Please know that our teams are on it, and like all blowups on Reddit, this one will pass as well," the memo reads. "We absolutely must ship what we said we would. The only long term solution is improving our product, and in the short term we have a few upcoming critical mod tool launches we need to nail."

theodp writes: "My advice to all the young tech enthusiasts, future engineering managers, and CTOs is simple," writes Vadim Kravcenko in The Surprising Power of Documentation. "Cultivate a love for documentation. You may view it as a chore, an afterthought, or a nuisance. But trust me when I say this: Documentation isn't just a task on your to-do list; it's a pillar for success and a bridge that connects ideas, people, and vision. Treat it not as a burden but as an opportunity to learn, share, and create an impact."

So, what would Goldilocks make of your organization's documentation -- Too much? Too little? Just right? Got any recommended tools and management tips for creating useful and sustainable documentation?

The hackers responsible for the MOVEit cyberattack downloaded confidential information from UK communications regulator Ofcom about companies it regulates, as well as its own employees -- adding to a string of victims which includes IAG SA's British Airways and the British Broadcasting Corporation. From a report: "A limited amount of information about certain companies we regulate -- some of it confidential -- along with personal data of 412 Ofcom employees, was downloaded during the attack," an Ofcom spokesman said by email. "We took immediate action to prevent further use of the MOVEit service and to implement the recommended security measures. We also swiftly alerted all affected Ofcom-regulated companies, and we continue to offer support and assistance to our colleagues."

Reddit has been going through some issues for many on Monday, with the outage happening the same day as thousands of subreddits going dark to protest the site's new API pricing terms. From a report: According to Reddit, the blackout is responsible for the problems. "A significant number of subreddits shifting to private caused some expected stability issues, and we've been working on resolving the anticipated issue," spokesperson Tim Rathschmidt tells The Verge. Reddit's status page reported a "major outage" affecting Reddit's desktop and mobile sites and its native mobile apps. [...] More than 7,000 subreddits have gone private or read-only in response to the API pricing terms, which is forcing the developers of apps like Apollo for Reddit to shut down at the end of the month.