Crime

Wi-Fi Jamming To Knock Out Cameras Suspected In Nine Minnesota Burglaries (tomshardware.com) 174

Mark Tyson reports via Tom's Hardware: A serial burglar in Edina, Minnesota is suspected of using a Wi-Fi jammer to knock out connected security cameras before stealing and making off with the victim's prized possessions. [...] Edina police suspect that nine burglaries in the last six months have been undertaken with Wi-Fi jammer(s) deployed to ensure incriminating video evidence wasn't available to investigators. The modus operandi of the thief or thieves is thought to be something like this:

- Homes in affluent areas are found
- Burglars carefully watch the homes
- The burglars avoid confrontation, so appear to wait until homes are empty
- Seizing the opportunity of an empty home, the burglars will deploy Wi-Fi jammer(s)
- "Safes, jewelry, and other high-end designer items," are usually taken

A security expert interviewed by the source publication, KARE11, explained that the jammers simply confused wireless devices rather than blocking signals. They usually work by overloading wireless traffic "so that real traffic cannot get through," the news site was told. [...] Worryingly, Wi-Fi jamming is almost a trivial activity for potential thieves in 2024. KARE11 notes that it could buy jammers online very easily and cheaply, with prices ranging from $40 to $1,000. Jammers are not legal to use in the U.S. but they are very easy to buy online.

Data Storage

Backblaze's Geriatric Hard Drives Kicked the Bucket More in 2023 (theregister.com) 51

Backblaze has published a report on hard drive failures for 2023, finding that rates increased during the year due to aging drives that it plans to upgrade. From a report: Backblaze, which focuses on cloud-based storage services, claims to have more than three exabytes of data storage under its management. As of the end of last year, the company monitored 270,222 hard drives used for data storage, some of which are excluded from the statistics because they are still being evaluated. That still left a collection of 269,756 hard drives comprised of 35 drive models. Statistics on SSDs used as boot drives are reported separately.

Backblaze found one drive model exhibited zero failures for all of 2023, the Seagate 8 TB ST8000NM000A. However, this came with the caveat that there are only 204 examples in service, and these were deployed only since Q3 2022, so have accumulated a limited number of drive days (total time operational). Nevertheless, as Backblaze's principal cloud storage evangelist Andy Klein pointed out: "Zero failures over 18 months is a nice start."

Security

Infosys Subsidiary Named as Source of Bank of America Data Leak (theregister.com) 21

Indian tech services giant Infosys has been named as the source of a data leak suffered by the Bank of America. From a report: Infosys disclosed the breach in a November 3, 2023, filing that revealed its US subsidiary Infosys McCamish Systems LLC (IMS) "has become aware of a cyber security incident resulting in non-availability of certain applications and systems in IMS." A data breach notification filed in the US state of Maine this week describes the incident as "External system breach (hacking)" and reveals the improperly accessed data includes "Name or other personal identifier in combination with: Social Security Number."

The notification was submitted by an outside attorney working on behalf of the Bank of America, names IMS as the source, and revealed that information on 57,028 people was leaked. A sample of the letter sent to those impacted by the incident reveals that on November 24, "IMS told Bank of America that data concerning deferred compensation plans serviced by Bank of America may have been compromised. Bank of America's systems were not compromised." Things then get a bit scary: "It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident at IMS. According to our records, deferred compensation plan information may have included your first and last name, address, business email address, date of birth, Social Security number, and other account information."

Security

FCC Requires Telcos To Disclose When Your Personal Info Is Stolen 13

Starting today, telcos in America will need to disclose system break-ins within seven days. "[T]he same deadline now exists to report any data leaks to the FBI and US Secret Service as well," adds The Register. From the report: After releasing a proposed rule in early January and giving the industry 30 days to respond, the FCC's final rule was published today. It solidifies what the agency proposed a little more than a month ago, and what was teased in early 2022 when FCC chairwoman Jessica Rosenworcel drafted initial changes to the commission's 16-year-old security "breach" reporting duties.

Along with requiring that attacks are reported to the FCC within seven days of a telco discovering them, the same deadline now exists to report any data leaks to the FBI and US Secret Service as well. As the FCC planned, the new rule also eliminates the mandatory seven-day waiting period for reporting break-ins to consumers. The FCC now "requires carriers to notify customers of breaches of covered data without unreasonable delay ... and in no case more than 30 days following reasonable determination of a breach."

"Reasonable determination" of a data blurt is further defined as "when the carrier has information indicating that it is more likely than not that there was a breach" and "does not mean reaching a conclusion regarding every fact surrounding a data security incident that may constitute a breach." In other words, if customers are affected then they had better be notified post-haste. The FCC has additionally extended the scope of data exposure types that telecom customers must be notified of. Prior to the passage of the new rule customers only had to be told if Customer proprietary network information (CPNI) was exposed to the world.

IT

The Norwegian Sovereign Wealth Fund's $92 Million Excel Error 49

FT Alphaville: Last year, Norway's $1.5tn sovereign wealth fund revealed that it had lost NKr980mn, roughly $92mn, on an error relating to how it calculated its mandated benchmark. Here's what Norges Bank Investment Management said at the time: "In February this year, a calculation error was discovered in the composition of the index we're measured against. This error led to a marginal overweight in US fixed income relative to global fixed income. When this was discovered, we immediately set about correcting it, but because the fund is so large, the return was 0.7 basis points. Due to this our previously reported positive relative return of NOK 118 billion was adjusted down to NOK 117 billion."

It is a good example of how even tiny operational mistakes can have mammoth-sized consequences in nominal terms when you manage one of the world's biggest pools of capital. Sometimes a mistake can even lead to a windfall -- such as in 2021, when NBIM apparently made NKr582mn by accidentally accumulating an outsized position in a rising stock. But the 2023 index snafu is by far the biggest the fund has registered, almost twice as large as the cumulative operational-accidental losses it suffered from 2010-20. Alphaville was intrigued. What exactly went wrong? Well, in a recently-released anthropological report commissioned to investigate its own culture, NBIM seems to have inadvertently revealed just how minuscule the mistake was.

Here's an NBIM employee called "Simon" recounting the debacle to the report's author, Tone Danielsen. Alphaville's emphasis below: "Last year (spring 2022) we had an off-site. One of our workshops was on 'Mistakes and how to deal with them.' We wrote post-it notes, classifying them into different categories from harmless to no-goes. One of my post-it notes, I remember it vividly, read: Miscalculation of the Ministry of Finance benchmark. I placed it in the category unforgivable.

When I wrote that note, I honestly couldn't even dare to think about the consequences. And less than a year later, I did exactly that. My worst nightmare. It was a manual mistake. My mistake. I used the wrong date, December 1st instead of November 1st which is clearly stated in our mandate. The mistake was not revealed until months later, by the Ministry of Finance. They reported back that the numbers did not add up. I did all the numbers once more, and the cause of the mistake was identified. I immediately reported to Patrick [Global Head] and Dag [Chief]. I openly express that this was my mistake, and mine alone. I felt miserable and was ready to take the consequences -- whatever they might be."

Education

Google Scholar is Manipulatable (arxiv.org) 16

Abstract of a paper [PDF] on the pre-print server Arxiv: Citations are widely considered in scientists' evaluation. As such, scientists may be incentivized to inflate their citation counts. While previous literature has examined self-citations and citation cartels, it remains unclear whether scientists can purchase citations. Here, we compile a dataset of about 1.6 million profiles on Google Scholar to examine instances of citation fraud on the platform. We survey faculty at highly-ranked universities, and confirm that Google Scholar is widely used when evaluating scientists. Intrigued by a citation-boosting service that we unravelled during our investigation, we contacted the service while undercover as a fictional author, and managed to purchase 50 citations. These findings provide conclusive evidence that citations can be bought in bulk, and highlight the need to look beyond citation counts.

Microsoft

Microsoft Working On Its Own DLSS-like Upscaler for Windows 11 (theverge.com) 42

Microsoft appears to be readying its own DLSS-like AI upscaling feature for PC games. From a report: X user PhantomOcean3 discovered the feature inside the latest test versions of Windows 11 over the weekend, with Microsoft describing its automatic super resolution as a way to "use AI to make supported games play more smoothly with enhanced details." That sounds a lot like Nvidia's Deep Learning Super Sampling (DLSS) technology, which uses AI to upscale games and improve frame rates and image quality. AMD and Intel also offer their own variants, with FSR and XeSS both growing in popularity in recent PC game releases.

Privacy

'World's Biggest Casino' App Exposed Customers' Personal Data (techcrunch.com) 10

An anonymous reader shares a report: The startup that develops the phone app for casino resort giant WinStar has secured an exposed database that was spilling customers' private information to the open web. Oklahoma-based WinStar bills itself as the "world's biggest casino" by square footage. The casino and hotel resort also offers an app, My WinStar, in which guests can access self-service options during their hotel stay, their rewards points and loyalty benefits, and casino winnings.

The app is developed by a Nevada software startup called Dexiga. The startup left one of its logging databases on the internet without a password, allowing anyone with knowledge of its public IP address to access the WinStar customer data stored within using only their web browser. Dexiga took the database offline after TechCrunch alerted the company to the security lapse. Anurag Sen, a good-faith security researcher who has a knack for discovering inadvertently exposed sensitive data on the internet, found the database containing personal information, but it was initially unclear who the database belonged to. Sen said the personal data included full names, phone numbers, email addresses and home addresses. Sen shared details of the exposed database with TechCrunch to help identify its owner and disclose the security lapse.

Spam

The Unsettling Scourge of Obituary Spam (theverge.com) 39

Many websites are using AI tools to generate fake obituaries about average people for profit. These articles lack substantiating details but are optimized for SEO, frequently outranking legitimate obituaries, The Verge reports. The fake obituaries, as one can imagine, are causing distress for grieving families and friends. In response, Google told The Verge that it aims to surface high-quality information but struggles with "data voids." The company terminated some YouTube channels sharing fake notices but declined to say if the flagged websites violate policies.

Encryption

Cryptography Guru Martin Hellman Urges International Cooperation on AI, Security (infoworld.com) 18

Martin Hellman "achieved legendary status as co-inventor of the Diffie-Hellman public key exchange algorithm, a breakthrough in software and computer cryptography," notes a new interview in InfoWorld.

Nine years after winning the Turing award, the 78-year-old cryptologist shared his perspective on some other issues:

What do you think about the state of digital spying today?

Hellman: There's a need for greater international cooperation. How can we have true cyber security when nations are planning — and implementing — cyber attacks on one another? How can we ensure that AI is used only for good when nations are building it into their weapons systems? Then, there's the grandaddy of all technological threats, nuclear weapons. If we keep fighting wars, it's only a matter of time before one blows up.

The highly unacceptable level of nuclear risk highlights the need to look at the choices we make around critical decisions, including cyber security. We have to take into consideration all participants' needs for our strategies to be effective....

Your battle with the government to make private communication available to the general public in the digital age has the status of folklore. But, in your recent book (co-authored with your wife Dorothie [and freely available as a PDF]), you describe a meeting of minds with Admiral Bobby Ray Inman, former head of the NSA. Until I read your book, I saw the National Security Agency as bad and Diffie-Hellman as good, plain and simple. You describe how you came to see the NSA and its people as sincere actors rather than as a cynical cabal bent on repression. What changed your perspective?

Hellman: This is a great, real-life example of how taking a holistic view in a conflict, instead of just a one-sided one, resolved an apparently intractable impasse. Those insights were part of a major change in my approach to life. As we say in our book, "Get curious, not furious." These ideas are effective not just in highly visible conflicts like ours with the NSA, but in every aspect of life.

Hellman also had an interesting answer when asked if math, game theory, and software development teach any lessons applicable to issues like nuclear non-proliferation or national defense.

"The main thing to learn is that the narrative we (and other nations) tell ourselves is overly simplified and tends to make us look good and our adversaries bad."

Australia

New Australian Law Will Give Workers 'Right to Disconnect' (seattletimes.com) 97

An anonymous reader shared this report from the New York Times: When it's after hours, and the boss is on the line, Australian workers — already among the world's best-rested and most personally fulfilled employees — can soon press "decline" in favor of the seductive call of the beach. In yet another buttress against the scourge of overwork, Australia's Senate on Thursday passed a bill giving workers the right to ignore calls and messages outside of working hours without fear of repercussion. It will now return to the House of Representatives for final approval.

The bill, expected to pass in the House with ease, will let Australian workers refuse "unreasonable" professional communication outside of the workday. Workplaces that punish employees for not responding to such demands could be fined. "Someone who is not being paid 24 hours a day shouldn't be penalized if they're not online and available 24 hours a day," Prime Minister Anthony Albanese said at a news conference Wednesday...

Australia follows in the footsteps of European nations such as France, which in 2017 introduced the right of workers to disconnect from employers while off duty, a move later emulated by Germany, Italy and Belgium. The European Parliament has also called for a law across the European Union that would alleviate the pressure on workers to answer communications off the clock...

Australians already enjoy a host of standardized benefits, including 20 days of paid annual leave, mandatory paid sick leave, "long service" leave of six weeks for those who have remained at an employer for at least seven years, 18 weeks of paid maternity leave and a nationwide minimum wage of about $15 an hour.

Cloud

Why Companies Are Leaving the Cloud (infoworld.com) 176

InfoWorld reports: Don't look now, but 25% of organizations surveyed in the United Kingdom have already moved half or more of their cloud-based workloads back to on-premises infrastructures. This is according to a recent study by Citrix, a Cloud Software Group business unit. The survey questioned 350 IT leaders on their current approaches to cloud computing. The survey also showed that 93% of respondents had been involved with a cloud repatriation project in the past three years. That is a lot of repatriation. Why?

Security issues and high project expectations were reported as the top motivators (33%) for relocating some cloud-based workloads back to on-premises infrastructures such as enterprise data centers, colocation providers, and managed service providers (MSPs). Another significant driver was the failure to meet internal expectations, at 24%... Those surveyed also cited unexpected costs, performance issues, compatibility problems, and service downtime. The most common motivator for repatriation I've been seeing is cost. In the survey, more than 43% of IT leaders found that moving applications and data from on-premises to the cloud was more expensive than expected.

Although not a part of the survey, the cost of operating applications and storing data on the cloud has also been significantly more expensive than most enterprises expected. The cost-benefit analysis of cloud versus on-premises infrastructure varies greatly depending on the organization... The cloud is a good fit for modern applications that leverage a group of services, such as serverless, containers, or clustering. However, that doesn't describe most enterprise applications.

The article cautions, "Don't feel sorry for the public cloud providers."

"Any losses from repatriation will be quickly replaced by the vast amounts of infrastructure needed to build and run AI-based systems... As I've said a few times here, cloud conferences have become genAI conferences, which will continue for several years."

Encryption

David Kahn, Leading Historian of Code and Code Breaking, Dies At 93 (nytimes.com) 5

Clay Risen reports via the New York Times: David Kahn, whose 1967 book, "The Codebreakers," established him as the world's pre-eminent authority on cryptology -- the science of making and breaking secret codes -- died on Jan. 24 in the Bronx. He was 93. His son Michael said the death, at a senior-living facility, was from the long-term effects of a stroke in 2015.

Before Mr. Kahn's book, cryptology itself was something of a secret. Despite an explosion in cryptological technology and techniques during the 20th century and the central role they played during World War II, the subject was typically overlooked by historians, if only because their possible sources were still highly classified. "Codebreaking is the most important form of secret intelligence in the world today," Mr. Kahn wrote in his book's preface. "Yet it has never had a chronicler."

Over the course of more than 1,000 pages, along with some 150 pages of notes, Mr. Kahn laid out cryptology's long history, starting with ancient Egypt 4,000 years ago and proceeding through the French and American revolutions, the innovations wrought by the advent of the telegraph and telephone to the mid-20th century and the dawn of computer-assisted code breaking.

Privacy

Security Flaw In a Popular Smart Helmet Allowed Silent Location Tracking (techcrunch.com) 3

An anonymous reader quotes a report from TechCrunch: The maker of a popular smart ski and bike helmet has fixed a security flaw that allowed the easy real-time location tracking of anyone wearing its helmets. Livall makes internet-connected helmets that allow groups of skiers or bike riders to talk with each other using the helmet's in-built speaker and microphone, and share their real-time location in a friend's group using Livall's smartphone apps. Ken Munro, founder of U.K. cybersecurity testing firm Pen Test Partners, said Livall's smartphone apps had a simple flaw allowing easy access to any group's audio chats and location data. Munro says the two apps, one for skiers and one for bike riders, collectively have about a million users.

At the heart of the bug, Munro found that anyone using Livall's apps for group audio chat and sharing their location must be part of the same friends group, which could be accessed using only that group's six-digit numeric code. "That 6-digit group code simply isn't random enough," Munro said in a blog post describing the flaw. "We could brute force all group IDs in a matter of minutes." In doing so, anyone could access any of the 1 million possible permutations of group chat codes.

"As soon as one entered a valid group code, one joined the group automatically," said Munro, adding that this happened without alerting other group members. "It was therefore trivial to silently join any group, giving us access to any users' location and the ability to listen in to any group audio communications," said Munro. "The only way a rogue group user could be detected was if the legitimate user went to check on the members of that group." [...] In an email, Livall's R&D director Richard Yi explained that the company improved the randomness of group codes by also adding letters, and including alerts for new members joining groups. Yi also said the app now allows the shared location to be turned off at the user level.
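To put numbers on the flaw Munro describes and on the three fixes Livall said it made (letters added to the code alphabet, alerts on new members, per-user location opt-out), here is an added illustration in Python. It is not Livall's code or Pen Test Partners' tooling; the class and method names (GroupDirectory, join, visible_locations) and the 8-character code length and 5-attempt lockout are assumptions chosen for the example.

```python
"""Group-code keyspace and a hardened join flow (added example, not Livall's code).

Models the article's bug: a 6-digit numeric group code (10**6 possibilities)
that any client could submit, with no alert to existing members. Then shows a
server-side directory that applies the mitigations the article attributes to
Livall plus per-client throttling. All names and parameters here are invented.
"""
import math
import secrets
import string
from collections import defaultdict

DIGITS = string.digits                          # the original 6-digit numeric alphabet
ALNUM = string.ascii_uppercase + string.digits  # "improved the randomness ... by also adding letters"


def keyspace(alphabet: str, length: int) -> int:
    """Number of distinct codes of `length` drawn from `alphabet`."""
    return len(alphabet) ** length


def entropy_bits(alphabet: str, length: int) -> float:
    """Bits of entropy in a uniformly random code; 6 digits is just under 20 bits."""
    return length * math.log2(len(alphabet))


def generate_code(alphabet: str, length: int) -> str:
    """CSPRNG-backed code; random.choice is not suitable for a secret like this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


class GroupDirectory:
    """Hypothetical server-side group store with the mitigations applied."""

    MAX_FAILED_JOINS = 5  # assumed throttle; lock a client after this many bad codes

    def __init__(self, alphabet: str = ALNUM, length: int = 8):
        self.alphabet, self.length = alphabet, length
        self.groups = {}                  # code -> set of member ids
        self.failed = defaultdict(int)    # client id -> consecutive failed joins
        self.alerts = defaultdict(list)   # member id -> notifications delivered
        self.share_location = {}          # member id -> bool (per-user opt-out)

    def create_group(self, owner: str) -> str:
        code = generate_code(self.alphabet, self.length)
        self.groups[code] = {owner}
        self.share_location.setdefault(owner, True)
        return code

    def join(self, client: str, code: str) -> str:
        # Mitigation 1 (assumed, not from the article): throttle guessing per client.
        if self.failed[client] >= self.MAX_FAILED_JOINS:
            return "locked"
        members = self.groups.get(code)
        if members is None:
            self.failed[client] += 1
            return "invalid"
        self.failed[client] = 0
        # Mitigation 2: alert existing members; the original flaw was a silent join.
        for member in members:
            self.alerts[member].append(f"{client} joined group {code}")
        members.add(client)
        self.share_location.setdefault(client, True)
        return "joined"

    def set_location_sharing(self, member: str, enabled: bool) -> None:
        # Mitigation 3: location sharing can be turned off at the user level.
        self.share_location[member] = enabled

    def visible_locations(self, code: str) -> list:
        """Members whose location the group is allowed to see."""
        return sorted(m for m in self.groups[code] if self.share_location.get(m))


if __name__ == "__main__":
    print("6 digits:", keyspace(DIGITS, 6), "codes,", round(entropy_bits(DIGITS, 6), 1), "bits")
    print("8 alnum: ", keyspace(ALNUM, 8), "codes,", round(entropy_bits(ALNUM, 8), 1), "bits")
```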

The Almighty Buck

Ring Video Doorbell Customers Angry At 43% Price Hike (bbc.co.uk) 42

Longtime Slashdot reader Alain Williams shares a report from the BBC: Users of Ring video doorbells have reacted angrily to a huge price hike being introduced in March. After buying the devices, customers can pay a subscription to store footage on the cloud, download clips and get discounted products. That subscription is going up 43%, from $44 to $63 per device, per year, for basic plan customers. The firm, which is owned by Amazon, insisted it still provided "some of the best value in the industry." Its customers appear not to agree.

Communications

Canada Moves To Ban the Flipper Zero Over Car Hacking Fears 63

It appears that the government of Canada is going to ban the Flipper Zero, the tiny, modular hacking device that's become popular with techies for its deviant digital powers. From a report: On Thursday, following a summit that focused on "the growing challenge of auto theft in Canada," the country's Minister of Innovation, Science and Industry posted a statement on X, saying "Criminals have been using sophisticated tools to steal cars...Today, I announced we are banning the importation, sale and use of consumer hacking devices, like flippers, used to commit these crimes."

In a press release issued on Thursday, the Canadian government confirmed that it will be pursuing "all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero." The Flipper, which is technically a penetration testing device, has been controversial due to its ability to hack droves of smart products. Alex Kulagin, the COO of Flipper Devices, said in a statement shared with Gizmodo that the device couldn't be used to "hijack any car" and that certain circumstances would have to be met for it to happen:

Apple

Apple Is Lobbying Against Right To Repair Six Months After Supporting Right To Repair (404media.co) 27

An Apple executive lobbied against a strong right-to-repair bill in Oregon Thursday, which is the first time the company has had an employee actively outline its stance on right to repair at an open hearing. 404 Media: Apple's position in Oregon shows that despite supporting a weaker right to repair law in California, it still intends to control its own repair ecosystem. It also sets up a highly interesting fight in the state because Google has come out in favor of the same legislation Apple is opposing. "It is our belief that the bill's current language around parts pairing will undermine the security, safety, and privacy of Oregonians by forcing device manufacturers to allow the use of parts of unknown origin in consumer devices," John Perry, Apple's principal secure repair architect, told the legislature. This is a quick about-face for the company, which after years of lobbying against right to repair, began to lobby for it in California last fall. The difference now is that Oregon's bill includes a critical provision that Google says it can easily comply with but that is core for Apple to maintain its dominance over the repair market.

Security

The Viral Smart Toothbrush Botnet Story Is Not Real (404media.co) 52

On Tuesday, The Independent, Tom's Hardware, and many other tech outlets reported on a story about how three million smart toothbrushes were used in a DDoS attack. The only problem? It "didn't actually happen," writes Jason Koebler via 404 Media. "There are no additional details about this apparent attack, and most of the article cites general research by a publicly traded cybersecurity company called Fortinet which has detected malicious, hijacked internet of things devices over the years. A search on Fortinet's website shows no recent published research about hacked smart toothbrushes." From the report: The original article, called "The toothbrushes are attacking," starts with the following passage: "She's at home in the bathroom, but she's part of a large-scale cyber attack. The electric toothbrush is programmed with Java, and criminals have unnoticed installed malware on it - like on 3 million other toothbrushes. One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused. This example, which seems like a Hollywood scenario, actually happened. It shows how versatile digital attacks have become." [...]

The "3 million hacked smart toothbrushes" story has now been viral for more than 24 hours and literally no new information about it has emerged despite widespread skepticism from people in the security industry and its virality. The two Fortinet executives cited in the original report did not respond to an email and LinkedIn message seeking clarification, and neither did Fortinet's PR team. The author of the Aargauer Zeitung story also did not respond to a request for more information. I called Fortinet's headquarters, asked to speak to the PR contact listed on the press release about its earnings, which was published after the toothbrush news began to go viral, and was promptly disconnected. The company has continued to tweet about other, unrelated things. They have not responded to BleepingComputer either, nor the many security researchers who are asking for further proof that this actually happened. While we don't know how this happened, Fortinet has been talking specifically about the dangers of internet-connected toothbrushes for years, and has been using it as an example in researcher talks.
In a statement to 404 Media, Fortinet said "To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred."

IT

Fake LastPass Password Manager Spotted on Apple's App Store (bleepingcomputer.com) 42

LastPass is warning that a fake copy of its app is being distributed on the Apple App Store, likely used as a phishing app to steal users' credentials. From a report: The fake app uses a similar name to the genuine app, a similar icon, and a red-themed interface made to appear close to the brand's authentic design. However, the fake app's name is 'LassPass,' instead of 'LastPass,' and it has a publisher of 'Parvati Patel.' In addition, there's only a single rating (the real app has over 52 thousand), with only four reviews that warn about it being fake.

Apple

In Its Tantrum With Europe, Apple Broke Web Apps in iOS 17 Beta (theregister.com) 66

An anonymous reader shares a report: Apple has argued for years that developers who don't want to abide by its rules for native iOS apps can always write web apps. It has done so in its platform guidelines, in congressional testimony, and in court. Web developers, for their part, maintain that Safari and its underlying WebKit engine still lack the technical capabilities to allow web apps to compete with native apps on iOS hardware. To this day, it's argued, the fruit cart's laggardly implementation of Push Notifications remains subpar.

The enforcement of Europe's Digital Markets Act was expected to change that -- to promote competition held back by gatekeepers. But Apple, in a policy change critics have called "malicious compliance," appears to be putting web apps at an even greater disadvantage under the guise of compliance with European law. In the second beta release of iOS 17.4, which incorporates code to accommodate Europe's Digital Markets Act, Progressive Web Apps (PWAs) have been demoted from standalone apps that use the whole screen to shortcuts that open within the default browser. This appears to solely affect users in the European Union, though your mileage may vary. Concerns about this demotion of PWAs surfaced earlier this month, with the release of the initial iOS 17.4 beta. As noted by Open Web Advocacy -- a group that has lobbied to make the web platform more capable -- "sites installed to the home screen failed to launch in their own top-level activities, opening in Safari instead."
