An anonymous reader shared this report from Insider: The recent tsunami of tech layoffs could leave a wave of union organizing in its wake. That's according to Skylar Hinnant, a senior QA tester at Microsoft's ZeniMax, who supported a successful union campaign at the gaming unit of the software giant... Within tech companies, roles such as quality assurance testers and contractors are less revered, so those workers are more likely to unionize, Hinnant explained. "In these roles, people will be treated differently, it's sort of derogatory," he added.

Layoffs, cuts in perks, and other benefits, and a slowing of pay increases have marred the tech industry's reputation as a great place to work. That has kicked off a power struggle between employees and management. "When an employer lays off 16,000 employees in a day, that's a power play making employees realize how powerless they are," Rahul Dhaundiyal, a director of engineering at Indeed, told Insider... Dhaundiyal agreed with Hinnant that for lower-level tech workers the call to unionize rings louder. "In certain lower paid jobs where decision-making is top-down, where you are seen as a resource and not a human being to invest in, those kinds of roles end up maximizing disbalance and would unionize first," Dhaundiyal said.

CNN explores tech-company efforts to curtail remote working. "Salesforce is trying to lure staff into offices by offering to donate $10 to a local charity for each day an employee comes in from June 12 to June 23, according to an internal Slack message reported on by Fortune."

CNN notes a recent walk-out at Amazon protesting (in part) new return-to-office policies, as well as Meta's upcoming three-days-a-week in-office mandate. But CNN adds that it's Google that "has long been a bellwether for workplace policies in the tech industry and beyond" — and that recently Google announced plans to factor in-person attendance into its performance reviews. "Overnight, workers' professionalism has been disregarded in favor of ambiguous attendance tracking practices tied to our performance evaluations," Chris Schmidt, a software engineer at Google and member of the grassroots Alphabet Workers Union, told CNN in a statement. "The practical application of this new policy will be needless confusion amongst workers and a disregard for our various life circumstances... "

Schmidt said that even if you go into the office, there's no guarantee you'll have people on your team to work with or even a desk to sit at. "Many teams are distributed, and for some of us there may not be anyone to collaborate with in our physical office locations," Schmidt said. "Currently, New York City workers do not even have enough desks and conference rooms for workers to use comfortably."
A Google spokesperson countered that its policy of working in the office three days a week is "going well, and we want to see Googlers connecting and collaborating in-person, so we're limiting remote work to exception only...."

An anonymous reader quotes a report from KrebsOnSecurity: It's not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware -- as opposed to just applying software updates. But experts say that is exactly what transpired this week with Barracuda Networks, as the company struggled to combat a sprawling malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes.

Campbell, Calif. based Barracuda said it hired incident response firm Mandiant on May 18 after receiving reports about unusual traffic originating from its Email Security Gateway (ESG) devices, which are designed to sit at the edge of an organization's network and scan all incoming and outgoing email for malware. On May 19, Barracuda identified that the malicious traffic was taking advantage of a previously unknown vulnerability in its ESG appliances, and on May 20 the company pushed a patch for the flaw to all affected appliances (CVE-2023-2868).

In its security advisory, Barracuda said the vulnerability existed in the Barracuda software component responsible for screening attachments for malware. More alarmingly, the company said it appears attackers first started exploiting the flaw in October 2022. But on June 6, Barracuda suddenly began urging its ESG customers to wholesale rip out and replace -- not patch -- affected appliances. "Impacted ESG appliances must be immediately replaced regardless of patch version level," the company's advisory warned. "Barracuda's recommendation at this time is full replacement of the impacted ESG." [...] In addition to replacing devices, Barracuda says ESG customers should also rotate any credentials connected to the appliance(s), and check for signs of compromise dating back to at least October 2022 using the network and endpoint indicators the company has released publicly.

Google is implementing stricter measures to enforce office attendance, including tracking badge data, confronting employees who don't come in as required, and factoring attendance into performance reviews. CNBC reports: Google's chief people officer, Fiona Cicconi, wrote an email to employees at the end of the day on Wednesday, which included doubling down on office attendance, reasoning that "there's just no substitute for coming together in person." "Of course, not everyone believes in 'magical hallway conversations,' but there's no question that working together in the same room makes a positive difference," Cicconi's email read. "Many of the products we unveiled at I/O and Google Marketing Live last month were conceived, developed and built by teams working side by side."

Her note said the company will start including their three days per week as a part of their performance reviews and teams will start sending reminders to workers "who are consistently absent from the office." Cicconi even asked already-approved remote workers to reconsider. "For those who are remote and who live near a Google office, we hope you'll consider switching to a hybrid work schedule. Our offices are where you'll be most connected to Google's community." A separate internal document showed that already-approved remote workers may be subject to reevaluation if the company determines "material changes in business need, role, team, structure or location."

In the U.S., the company will periodically track whether employees are adhering to the office attendance policy using badge data, and executives are currently reviewing local requirements to implement in other countries, one of the documents states. If workers don't follow the policy after an extended period of time, human resources will reach out about "next steps." Going forward, Cicconi said, new fully remote work will only be granted "by exception only." In a statement to CNBC, Google spokesperson Ryan Lamont said, "our hybrid approach is designed to incorporate the best of being together in person with the benefits of working from home for part of the week. Now that we're more than a year into this way of working, we're formally integrating this approach into all of our workplace policies."

Lamont added that the badge data viewed by company leaders is aggregate data and not individualized.

Google has reversed the suspension of an Android TV app that was hit with a copyright complaint simply because it is able to load a pirate website that can also be loaded in any standard web browser. From a report: The Downloader app, which combines a web browser with a file manager, is back in the Google Play Store after an absence of nearly three weeks. As we previously reported, Google suspended the app based on a Digital Millennium Copyright Act (DMCA) complaint from several Israeli TV companies that said the app "allows users to view the infamous copyright infringing website known as SDAROT." But that same website could be viewed on any standard browser, including Google's own Chrome app.

"The app was removed on May 19th due to the DMCA takedown request," developer Elias Saba wrote in a blog post today. "Instead of recognizing the absurdity of the claim that a web browser is somehow liable for all the unauthorized use of copyrighted content on the Internet, Google took a backseat and denied my appeal to have the app reinstated." The free app has been downloaded over 5 million times on Google Play and is available on the Amazon app store for devices such as Fire TVs. In addition to the rejected appeal, Saba filed a DMCA counter notification with Google. That "started a 10-business-day countdown for the [TV companies'] law firm to file legal actions against me," Saba wrote today. "Due to the app being removed on a Friday and the Memorial Day holiday, 10 business days had elapsed with no word from the law firm on June 6th and I contacted Google to have the app reinstated."

Google's aiming to make it easier to use and secure passwords -- at least, for users of the Password Manager tool built into its Chrome browser. From a report: Today, the tech giant announced that Password Manager, which generates unique passwords and autofills them across platforms, will soon gain biometric authentication on PC. (Android and iOS have had biometric authentication for some time.) When enabled, it'll require an additional layer of security, like fingerprint recognition or facial recognition, before Chrome autofills passwords.

Exactly which types of biometrics are available in Password Manager on desktop will depend on the hardware attached to the PC, of course (e.g. a fingerprint reader), as well as whether the PC's operating system supports it. Beyond "soon," Google didn't say when to expect the feature to arrive.

iOS 17 and macOS Sonoma include even more privacy-preserving features while browsing the web. From a report: Link Tracking Protection is a new feature automatically activated in Mail, Messages, and Safari in Private Browsing mode. It detects user-identifiable tracking parameters in link URLs, and automatically removes them.

Adding tracking parameters to links is one way advertisers and analytics firms try to track user activity across websites. Rather than storing third-party cookies, a tracking identifier is simply added to the end of the page URL. This would circumvent Safari's standard intelligent tracking prevention features that block cross-site cookies and other methods of session storage. Navigating to that URL allows an analytics or advertising service at the destination to read the URL, extract those same unique parameters, and associate it with their backend user profile to serve personalized ads.

Enigma software group has won a crucial case in the U.S. Court of Appeals for the Ninth Circuit, allowing it to proceed with its lawsuit against Malwarebytes for flagging its anti-spyware software as a 'potentially unwanted program.' The lawsuit alleges that Malwarebytes has engaged in anti-competitive conduct under the Lanham Act and tortious interference with Enigma's business. TechSpot reports: The ruling has been lambasted by some legal experts, who believe it could hamper cybersecurity service providers from doing their job effectively. Talking to The Register, Eric Goldman, professor at Santa Clara University School of Law, claimed that the Ninth Circuit's decision was erroneous, as it failed to differentiate between facts and opinions properly. According to him, in deciding in favor of Enigma, the Ninth Circuit failed to comprehend how the cybersecurity industry operates, and how security companies use the terms 'malicious' and 'threat.' He also felt that thanks to the judgment, there will now be more disputes over such classifications in the future, making the job of cybersecurity companies tougher than ever before.

Goldman further argued that the Ninth Circuit's decision would mean anti-malware software vendors will now simply minimize their financial and legal risks by leaving out supposed anti-threat programs from their list of suspect apps even if they display dangerous behavior, which could pose a major threat to consumers. Some smaller players could also exit the industry altogether, which would further hurt consumers by reducing competition. Goldman was also critical of the Supreme Court for denying Malwarebytes' appeal, and called out Justice Clarence Thomas in particular for writing what he called a "gratuitous error-riddled statement about Section 230 that spurred many regulators to pursue their censorship agendas." Enigma said in a statement: "Malwarebytes (has) disparaged Enigma's products for commercial advantage by making misleading statements of fact. ... Trying to wrap them in a First Amendment flag does not make them any less offensive or any less actionable."

Eric Goldman, professor at Santa Clara University School of Law, told The Register in an email, "This case is like a wrecking ball for internet law." He added: "The Ninth Circuit already damaged Section 230 by creating an exception to its coverage (for 'anticompetitive animus') that no one understands and has not benefited anyone. Then, when the Supreme Court denied the appeal, Justice Thomas wrote a gratuitous error-riddled statement about Section 230 that spurred many regulators to pursue their censorship agendas. Now, the Ninth Circuit has redefined the standards for what constitutes a statement of 'fact' as opposed to an opinion in a way that hurts businesses in the anti-threat software space and well beyond."

"If each classification could similarly support weaponization in court by businesses unhappy with the classifications, then anti-threat software vendors will avoid the financial and legal risks by lowering their cybersecurity standards or exiting the industry," said Goldman. "That puts all of us at greater risk."

An anonymous reader quotes a report from TechCrunch: Security researchers have linked to the notorious Clop ransomware gang a new wave of mass-hacks targeting a popular file transfer tool, as the first victims of the attacks begin to come forward. It was revealed last week that hackers are exploiting a newly discovered vulnerability in MOVEit Transfer, a file-transfer tool widely used by enterprises to share large files over the internet. The vulnerability allows hackers to gain unauthorized access to an affected MOVEit server's database. Progress Software, which develops the MOVEit software, has already released some patches. Over the weekend, the first victims of the attacks began to come forward.

Zellis, a U.K.-based human resources software maker and payroll provider, confirmed in a statement that its MOVEit system was compromised, with the incident affecting a "small number" of its corporate customers. One of those customers is U.K. airline giant British Airways, which told TechCrunch that the breach included the payroll data of all of its U.K.-based employees. [...] The U.K.'s BBC also confirmed it was affected by the incident affecting Zellis. [...] The government of Nova Scotia, which uses MOVEit to share files across departments, said in a statement that some citizens' personal information may have been compromised. The Nova Scotia government said it took its affected system offline, and is working to determine "exactly what information was stolen, and how many people have been impacted."

It was initially unclear who was behind this new wave of hacks, but Microsoft security researchers are attributing the cyberattacks to a group it tracks as "Lace Tempest." This gang is a known affiliate of the Russia-linked Clop ransomware group, which was previously linked to mass-attacks exploiting flaws in Fortra's GoAnywhere file transfer tool and Accellion's file transfer application. Microsoft researchers said that the exploitation of the MOVEit vulnerability is often followed by data exfiltration. Mandiant isn't yet making the same attribution as Microsoft, but noted in a blog post over the weekend that there are "notable" similarities between a newly created threat cluster it's calling UNC4857 that has as-of-yet "unknown motivations," and FIN11, a well-established ransomware group known to operate Clop ransomware. "Ongoing analysis of emerging activity may provide additional insights," Mandiant said. "It's likely many more victims of the MOVEit breach will come to light over the next few days," adds TechCrunch.

"Shodan, a search engine for publicly exposed devices and databases, showed that more than 2,500 MOVEit Transfer servers were discoverable on the internet."

Millions of storage devices are being shredded each year, even though they could be reused. "You don't need an engineering degree to understand that's a bad thing," says Jonmichael Hands. From a report: He is the secretary and treasurer of the Circular Drive Initiative (CDI), a partnership of technology companies promoting the secure reuse of storage hardware. He also works at Chia Network, which provides a blockchain technology. Chia Network could easily reuse storage devices that large data centres have decided they no longer need. In 2021, the company approached IT Asset Disposition (ITAD) firms, who dispose of old technology for businesses that no longer need it. The answer came back: "Sorry, we have to shred old drives."

"What do you mean, you destroy them?" says Mr Hands, relating the story. "Just erase the data, and then sell them! They said the customers wouldn't let them do that. One ITAD provider said they were shredding five million drives for a single customer." Storage devices are typically sold with a five-year warranty, and large data centres retire them when the warranty expires. Drives that store less sensitive data are spared, but the CDI estimates that 90% of hard drives are destroyed when they are removed. The reason? "The cloud service providers we spoke to said security, but what they actually meant was risk management," says Mr Hands. "They have a zero-risk policy. It can't be one in a million drives, one in 10 million drives, one in 100 million drives that leaks. It has to be zero."

Google has taken a significant step toward a passwordless future with the start of an open beta for passkeys on Workspace accounts. From a report: Starting today, June 5th, over 9 million organizations can allow their users to sign in to a Google Workspace or Google Cloud account using a passkey instead of their usual passwords.

Passkeys are a new form of passwordless sign-in tech developed by the FIDO Alliance, whose members include industry giants like Google, Apple, and Microsoft. Passkeys allow users to log in to websites and apps using their device's own authentication, such as a laptop with Windows Hello, an Android phone with a fingerprint sensor, or an iPhone with Face ID, instead of traditional passwords and other sign-in systems like 2FA or SMS verification. Because passkeys are based on public key cryptographic protocols, there's no fixed "sequence" that can be stolen or leaked in phishing attacks.

Reuters reports: Hackers have stolen data from the systems of a number of users of the popular file transfer tool MOVEit Transfer, U.S. security researchers said on Thursday, one day after the maker of the software disclosed that a security flaw had been discovered. Software maker Progress Software Corp, after disclosing the vulnerability on Wednesday, said it could lead to potential unauthorized access into users' systems.

The managed file transfer software made by the Burlington, Massachusetts-based company allows organizations to transfer files and data between business partners and customers. It was not immediately clear which or how many organizations use the software or were impacted by potential breaches. Chief Information Officer Ian Pitt declined to share those details, but said Progress Software had made fixes available since it discovered the vulnerability late on May 28...

Cybersecurity firm Rapid7 Inc and Mandiant Consulting — owned by Alphabet Inc's Google — said they had found a number of cases in which the flaw had been exploited to steal data. "Mass exploitation and broad data theft has occurred over the past few days," Charles Carmakal, chief technology officer of Mandiant Consulting, said in a statement... "Although Mandiant does not yet know the motivation of the threat actor, organizations should prepare for potential extortion and publication of the stolen data," Carmakal said.
Thanks to long-time Slashdot reader rexx mainframe for sharing the story.

"Amazon employees staged a walkout Wednesday," reports CNBC, "in protest of the company's recent return-to-office mandate, layoffs and its environmental record." Approximately 2,000 employees worldwide walked off the job shortly after 3 p.m. EST, with about 1,000 of those workers gathering outside the Spheres, the massive glass domes that anchor Amazon's Seattle headquarters, according to employee groups behind the effort. Amazon disputed the figure and said about 300 employees participated.

The walkout was organized in part by Amazon Employees for Climate Justice, an influential worker organization that has repeatedly pressed the e-retailer on its climate stance... One employee spoke about how remote work had allowed her to spend more time with her family, while coworkers told her it enabled them to care for newborn children and relatives with special needs. "Today looks like it might be the start of a new chapter in Amazon's history, when tech workers coming out of the pandemic stood up and said we still want a say in this company and the direction of this company," said Eliza Pan, a cofounder of AECJ and a former program manager at Amazon. "We still want a say in the important decisions that affect all of our lives, and tech workers are going to stand up for ourselves, for each other, for our families, the communities where Amazon operates and for life on planet Earth...."

Amazon spokesperson Brad Glasser said in a statement that the company has so far been pleased with the results of its return-to-office push. "There's more energy, collaboration, and connections happening, and we've heard this from lots of employees and the businesses that surround our offices," Glasser added. "

Shadow has decided to cut the price of its cloud storage service Shadow Drive. Users can now get 2TB of storage for $5.3 per month instead of $9.6 per month. From a report: As for the free tier, things aren't changing. Users who sign up get 20GB of online storage for free. Shadow is also the company behind Shadow PC, a cloud computing service that lets you rent a virtual instance of a Windows PC in a data center near you. It works particularly well to play demanding PC games on any device, such as a cheap laptop, a connected TV or a smartphone. Coming back to Shadow Drive, as the name suggests, Shadow Drive works a lot like Google Drive, OneDrive, iCloud Drive or Dropbox. Users can upload and download files from a web browser. They are stored in a data center based in France so that you can access them later.

Speaking of Brave, the browser-maker is introducing vertical tabs. From a blog post: With today's 1.52 desktop release, the vertical tabs setting is available to Brave users on Windows, macOS, and Linux. Enabling the vertical tabs setting relocates your open tabs from the top of your browser window (i.e. above the address bar) to the left side of the window, where they'll appear stacked vertically rather than horizontally. To do so, right-click an existing horizontal tab and select "use vertical tabs" from the menu. With open tabs arranged vertically, you'll be able to scroll through them as needed. To open a new tab, simply click the button to create a new tab at the bottom of the vertical tabs sidebar.

Russian cybersecurity firm Kaspersky says some iPhones on its network were hacked using an iOS vulnerability that installed malware via iMessage zero-click exploits. From a report: The delivery of the message exploits a vulnerability that leads to code execution without requiring any user interaction, leading to the download of additional malicious from the attackers' server. Subsequently, the message and attachment are wiped from the device. At the same time, the payload stays behind, running with root privileges to collect system and user information and execute commands sent by the attackers.

Kaspersky says the campaign started in 2019 and reports the attacks are still ongoing. The cybersecurity firm has named the campaign "Operation Triangulation" and is inviting anyone who knows more about it to share information. [...] In a statement coinciding with Kaspersky's report, Russia's FSB intelligence and security agency claims that Apple deliberately provided the NSA with a backdoor it can use to infect iPhones in the country with spyware. The FSB alleges that it has discovered malware infections on thousands of Apple iPhones belonging to officials within the Russian government and staff from the embassies of Israel, China, and several NATO member nations in Russia. Despite the seriousness of the allegations, the FSB has provided no proof of its claims.

The National Eating Disorder Association (Neda) has taken down an artificial intelligence chatbot, "Tessa," after reports that the chatbot was providing harmful advice. From a report: Neda has been under criticism over the last few months after it fired four employees in March who worked for its helpline and had formed a union. The helpline allowed people to call, text or message volunteers who offered support and resources to those concerned about an eating disorder. Members of the union, Helpline Associates United, say they were fired days after their union election was certified. The union has filed unfair labor practice charges with the National Labor Relations Board.

Tessa, which Neda claims was never meant to replace the helpline workers, almost immediately ran into problems. On Monday, activist Sharon Maxwell posted on Instagram that Tessa offered her "healthy eating tips" and advice on how to lose weight. The chatbot recommended a calorie deficit of 500 to 1,000 calories a day and weekly weighing and measuring to keep track of weight. "If I had accessed this chatbot when I was in the throes of my eating disorder, I would NOT have gotten help for my ED. If I had not gotten help, I would not still be alive today," Maxwell wrote. "It is beyond time for Neda to step aside."

An anonymous reader quotes a report from TechCrunch: An apparent ransomware attack on one of America's largest dental health insurers has compromised the personal information of almost nine million individuals in the United States. The Atlanta-based Managed Care of North America (MCNA) Dental claims to be the largest dental insurer in the nation for government-sponsored plans covering children and seniors. In a notice posted on Friday, the company said it became aware of "certain activity in our computer system that happened without our permission" on March 6 and later learned that a hacker "was able to see and take copies of some information in our computer system" between February 26 and March 7, 2023.

The information stolen includes a trove of patients' personal data, including names, addresses, dates of birth, phone numbers, email addresses, Social Security numbers, and driver's licenses or other government-issued ID numbers. Hackers also accessed patients' health insurance data, including plan information and Medicaid ID numbers, along with bill and insurance claim information. In some cases, some of this data pertained to a patient's "parent, guardian, or guarantor," according to MCNA Dental, suggesting that children's personal data was accessed during the breach. According to a data breach notification filed with Maine's attorney general, the hack affected more than 8.9 million clients of MCNA Dental. That makes this incident the largest breach of health information of 2023 so far, after the PharMerica breach that saw hackers access the personal data of almost 6 million patients. The LockBit ransomware group took responsibility for the cyberattack and published 700GB of files after the company refused to pay a $10 million ransom demand.

Hidden code in hundreds of models of Gigabyte motherboards invisibly and insecurely downloads programs -- a feature ripe for abuse, researchers say. From a report: Hiding malicious programs in a computer's UEFI firmware, the deep-seated code that tells a PC how to load its operating system, has become an insidious trick in the toolkit of stealthy hackers. But when a motherboard manufacturer installs its own hidden backdoor in the firmware of millions of computers -- and doesn't even put a proper lock on that hidden back entrance -- they're practically doing hackers' work for them. Researchers at firmware-focused cybersecurity company Eclypsium revealed today that they've discovered a hidden mechanism in the firmware of motherboards sold by the Taiwanese manufacturer Gigabyte, whose components are commonly used in gaming PCs and other high-performance computers. Whenever a computer with the affected Gigabyte motherboard restarts, Eclypsium found, code within the motherboard's firmware invisibly initiates an updater program that runs on the computer and in turn downloads and executes another piece of software.

While Eclypsium says the hidden code is meant to be an innocuous tool to keep the motherboard's firmware updated, researchers found that it's implemented insecurely, potentially allowing the mechanism to be hijacked and used to install malware instead of Gigabyte's intended program. And because the updater program is triggered from the computer's firmware, outside its operating system, it's tough for users to remove or even discover. "If you have one of these machines, you have to worry about the fact that it's basically grabbing something from the internet and running it without you being involved, and hasn't done any of this securely," says John Loucaides, who leads strategy and research at Eclypsium. "The concept of going underneath the end user and taking over their machine doesn't sit well with most people."

Rest now, little Chromecast. Google has announced the decade-old Chromecast 1 is finally hitting end of life. From a report: A message on Google's Chromecast firmware support page announced the wind-down of support, saying, "Support for Chromecast (1st gen) has ended, which means these devices no longer receive software or security updates, and Google does not provide technical support for them. Users may notice a degradation in performance." The 1st-gen Chromecast launched in 2013 for $35.

The original Chromecast was wildly successful and sold 10 million units in 2014 alone. For years, the device was mentioned in Google earnings calls as the highlight of the company's hardware efforts, and it was essentially the company's first successful piece of hardware. The Chromecast made it easy to beam Internet videos to your TV at a time when that was otherwise pretty complicated.