Social Networks

TikTok Denies Reports That It's Been Hacked (theverge.com) 26

TikTok is denying reports that it was breached after a hacking group posted images of what they claim is a TikTok database that contains the platform's source code and user information. In response to these allegations, TikTok said its team "found no evidence of a security breach." From a report: According to Bleeping Computer, hackers shared the images of the alleged database to a hacking forum, saying they obtained the data on a server used by TikTok. It claims the server stores over 2 billion records and 790GB worth of user data, platform statistics, code, and more. "We have confirmed that the data samples in question are all publicly accessible and are not due to any compromise of TikTok systems, networks, or databases," TikTok spokesperson Maureen Shanahan said in a statement to The Verge. "We do not believe users need to take any proactive actions, and we remain committed to the safety and security of our global community."
IT

After 'Quiet Quitting', Here Comes 'Quiet Firing' (msn.com) 231

"Quiet quitting" as a catchphrase "took off on TikTok among millennials and Gen Zers," according to Business Insider. They describe it as "employees doing what their job expects of them, and not offering to do more than what they get paid to do."

The Washington Post digs deeper: Quiet quitting looks to many like a reasonable retreat from the round-the-clock hustle culture. But to others, quiet quitting represents disengaged employees sandbagging and shirking all but the minimum effort, not expecting — or not caring — that their employers might fire them for it.

But if we're going to accuse workers of quiet quitting, we should also acknowledge the phenomenon of "quiet firing," in which employers avoid providing all but the bare legal minimum, possibly with the aim of getting unwanted employees to quit. They may deny raises for years, fail to supply resources while piling on demands, give feedback designed to frustrate and confuse, or grant privileges to select workers based on vague, inconsistent performance standards. Those who don't like it are welcome to leave.

Their article even provides an example. One reader (near retirement age) says their employer required them to return to the office for at least three days a week — "but those who left the area are allowed to continue to work fully remotely."
Electronic Frontier Foundation

Peter Eckersley, Co-Creator of Let's Encrypt, Dies at 43 (sophos.com) 35

Seven years ago, Slashdot reader #66,542 announced "Panopticlick 2.0," a site showing how your web browser handles trackers.

But it was just one of the many privacy-protecting projects Peter Eckersley worked on, as a staff technologist at the EFF for more than a decade. Eckersley also co-created Let's Encrypt, which today is used by hundreds of millions of people.

Friday the EFF's director of cybersecurity announced the sudden death of Eckersley at age 43. "If you have ever used Let's Encrypt or Certbot or you enjoy the fact that transport layer encryption on the web is so ubiquitous it's nearly invisible, you have him to thank for it," the announcement says. "Raise a glass."

Peter Eckersley's web site is still online, touting "impactful privacy and cybersecurity projects" that he co-created, including not just Let's Encrypt, Certbot, and Panopticlick, but also Privacy Badger and HTTPS Everywhere. And in addition, "During the COVID-19 pandemic he convened the stop-covid.tech group, advising many groups working on privacy-preserving digital contact tracing and exposure notification, assisting with several strategy plans for COVID mitigation." You can also still find Peter Eckersley's GitHub repositories online.

But Peter "had apparently revealed recently that he had been diagnosed with cancer," according to a tribute posted online by security company Sophos, noting his impact is all around us: If you click on the padlock in your browser, you'll see that this site, like our sister blog site Sophos News, uses a web certificate that's vouched for by Let's Encrypt, now a well-established Certificate Authority (CA). Let's Encrypt, as a CA, signs TLS cryptographic certificates for free on behalf of bloggers, website owners, mail providers, cloud servers, messaging services...anyone, in fact, who needs or wants a vouched-for encryption certificate, subject to some easy-to-follow terms and conditions....

Let's Encrypt wasn't the first effort to try to build a free-as-in-freedom and free-as-in-beer infrastructure for online encryption certificates, but the Let's Encrypt team was the first to build a free certificate signing system that was simple, scalable and solid. As a result, the Let's Encrypt project was soon able to gain the trust of the browser making community, to the point of quickly getting accepted as an approved certificate signer (a trusted-by-default root CA, in the jargon) by most mainstream browsers....

In recent years, Peter founded the AI Objectives Institute, with the aim of ensuring that we pick the right social and economic problems to solve with AI:

"We often pay more attention to how those goals are to be achieved than to what those goals should be in the first place. At the AI Objectives Institute, our goal is better goals."

Windows

Microsoft Investigates Bug That Mistakenly Flags Chromium-Based Apps as Malware (windowscentral.com) 44

Windows' "Defender" software is supposed to detect malware. But its Microsoft team is now investigating reports that it's mistakenly flagging Electron-based or Chromium-based applications — as malware.

"It's a false positive, and your computer is OK," writes the blog Windows Central: This morning, many people worldwide experienced Microsoft Defender warning them of a recurring virus threat.... People on Reddit are "freaking out" over not just a reported threat from Microsoft Defender but one that keeps popping up and recurring despite the alleged threat being blocked.

The threat is revealed in a pop-up message noting that "Behavior:Win32/Hive.ZY" has been detected and is listed as "severe." However, after taking action to rectify the issue, it does not go away, and the user will keep receiving the same prompt. The reminder may return after 20 seconds, with the cycle repeating endlessly.

This detection appears to be a false positive, according to a Microsoft Support forum... From DaveM121, an Independent Advisor: [I]t is a bug currently being reported by hundreds of people at the moment, it seems to be related to all Chromium based web browsers and Electron based apps like Whatsapp, Discord, Spotify, etc....

Also affected are Google Chrome and even Microsoft Edge, as well as "anything that runs Visual Studio Code," according to the article.

"The problem seems to originate from Defender's Definition/Update Version 1.373.1508.0, meaning Microsoft needs to update that file, and the issue should be resolved."
Australia

14-Year-Old Cracks Australian Coin's Code - in One Hour (abc.net.au) 58

So Australia's foreign intelligence cybersecurity agency marked its 75th anniversary by collaborating with the Australian mint to release a special commemorative coin with a four-layer secret code. The agency's director even said that if someone cracked all four layers of the code, "maybe they'll apply for a job."

A 14-year-old boy cracked their code "in just over an hour." Australia's national broadcaster reports: The ASD said the coin's four different layers of encryption were each progressively harder to solve, and clues could be found on both sides — but ASD director-general Rachel Noble said in a speech at the Lowy Institute on Friday that the 14-year-old managed it in just over an hour.... "Just unbelievable. Can you imagine being his mum?

"So we're hoping to meet him soon ... to recruit him...."

She also revealed on Friday that there was a fifth level of encryption on the coin which no one had broken yet.

Security

How 1-Time Passcodes Became a Corporate Liability (krebsonsecurity.com) 53

Brian Krebs, reporting at Krebs on Security: In mid-June 2022, a flood of SMS phishing messages began targeting employees at commercial staffing firms that provide customer support and outsourcing to thousands of companies. The missives asked users to click a link and log in at a phishing page that mimicked their employer's Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication. The phishers behind this scheme used newly-registered domains that often included the name of the target company, and sent text messages urging employees to click on links to these domains to view information about a pending change in their work schedule.

The phishing sites leveraged a Telegram instant message bot to forward any submitted credentials in real-time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website. But because of the way the bot was configured, it was possible for security researchers to capture the information being sent by victims to the public Telegram server. This data trove was first reported by security researchers at Singapore-based Group-IB, which dubbed the campaign "0ktapus" for the attackers targeting organizations using identity management tools from Okta.com. "This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations," Group-IB wrote. "Furthermore, once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance." It's not clear how many of these phishing text messages were sent out, but the Telegram bot data reviewed by KrebsOnSecurity shows they generated nearly 10,000 replies over approximately two months of sporadic SMS phishing attacks targeting more than a hundred companies.

Privacy

Samsung Says Customer Data Stolen in July Data Breach (techcrunch.com) 7

U.S. electronics giant Samsung has confirmed a data breach affecting customers' personal information. From a report: In a brief notice, Samsung said it discovered the security incident in late-July and that an "unauthorized third party acquired information from some of Samsung's U.S. systems." The company said it determined customer data was compromised on August 4. Samsung said Social Security numbers and credit card numbers were not affected, but some customer information -- name, contact and demographic information, date of birth, and product registration information -- was taken.
Australia

Royal Australian Mint Releases Coin With Code-Breaking Challenge In the Design (abc.net.au) 41

New submitter IsThisNickNameUsed writes: The Australian Mint has released a coin in partnership with the Australian Signals Directorate (ASD) that has incorporated a code-breaking challenge in the design. The coin is to mark the 75th anniversary of the spy agency and incorporates a code with four layers of encryption -- each layer progressively harder to solve. "We thought this was a really fun way to engage people in code-breaking with the hope that, if they make it through all four levels of coding on the coin, maybe they'll apply for a job at the Australian Signals Directorate," said ASD director-general Rachel Noble.

Fitting the codes on the faces of the coin was a complex process, she said. "Ensuring people could see the code to decrypt it was one of the challenges our people were able to solve with ASD, to create a unique and special product."

Ms Noble said that while there were no classified messages on the coin, those who crack the codes could discover "some wonderful, uplifting messages." "Like the early code breakers in ASD, you can get through some of the layers with but a pencil and paper but, right towards the end, you may need a computer to solve the last level," she said.

UPDATE: A 14-year-old boy cracked the code "in just over an hour."
Encryption

Major VPN Services Shut Down In India Over Anti-Privacy Law (9to5mac.com) 9

"Major VPN services have shut down service in India, as there is no way to comply with a new law without breaching their own privacy protection standards," reports 9to5Mac. "The law also applies to iCloud Private Relay, but Apple has not yet commented on its own plans." The Wall Street Journal reports: Major global providers of virtual private networks, which let internet users shield their identities online, are shutting down their servers in India to protest new government rules they say threaten their customers' privacy [...] Such rules are "typically introduced by authoritarian governments in order to gain more control over their citizens," said a spokeswoman for Nord Security, provider of NordVPN, which has stopped operating its servers in India. "If democracies follow the same path, it has the potential to affect people's privacy as well as their freedom of speech," she said [...]

Other VPN services that have stopped operating servers in India in recent months are some of the world's best known. They include U.S.-based Private Internet Access and IPVanish, Canada-based TunnelBear, British Virgin Islands-based ExpressVPN, and Lithuania-based Surfshark. ExpressVPN said it "refuses to participate in the Indian government's attempts to limit internet freedom." The government's move "severely undermines the online privacy of Indian residents," Private Internet Access said.

"Customers in India will be able to connect to VPN servers in other countries," adds 9to5Mac. "This is the same approach taken in Russia and China, where operating servers within those countries would require VPN companies to comply with similar legislation."

"Cloud storage services are also subjected to the new rules, though there would be little practical impact on Apple here. iCloud does not use end-to-end encryption, meaning that Apple holds a copy of your decryption key, and can therefore already comply with government demands for information."
Businesses

Shopify Warns Merchants Against Using Amazon's 'Buy With Prime' Service (cnbc.com) 17

Shopify is pushing back on Amazon's one-click checkout service. The e-commerce platform is warning merchants who try to install Amazon's "Buy With Prime" button on their storefront that it violates Shopify's terms of service, and is also raising the specter of security risks, according to research firm Marketplace Pulse. CNBC: Amazon introduced Buy With Prime in April, pitching it as a way for merchants to grow traffic on their own websites. The service lets merchants add the Prime logo and offer Amazon's speedy delivery options on their sites. Members of the retail giant's Prime loyalty club can check out using their Amazon account. Shopify will not protect merchants who try to use Buy With Prime against fraudulent orders, according to a screenshot of a notice Shopify sent to merchants. The notice also warns that Amazon's service could steal customer data, and charge customers incorrectly. Shopify's terms of service require merchants to use Shopify Checkout "for any sales associated with your online store," seemingly prohibiting them from offering alternative checkout options.
Transportation

Someone Hacked Largest Taxi Service In Russia, Ordered All Available Taxis To the Same Location 64

According to Twitter user @runews, someone hacked the largest taxi service in Russia, Yandex Taxi, and ordered all the available taxis to an address on Kutuzovsky Prospekt. The tweet includes a video showing the traffic jam that this caused in the middle of Moscow. It's not known who was behind the attack.

In a statement to SouthFront, the company said: "The security service promptly stopped attempts to artificially accumulate cars. Drivers spent about 40 minutes in traffic due to fake orders. The issue of compensation will be resolved in the very near future." The company stressed that in order to exclude such incidents in the future, "the algorithm for detecting and preventing such attacks has already been improved."
IT

USB4 v2 Will Support Speeds Up To 80 Gbps (liliputing.com) 117

The next generation of USB devices might support data transfer speeds as high as 80 Gbps, which would be twice as fast as current-gen Thunderbolt 4 products. From a report: The USB Promoter Group says it plans to publish the new USB4 version 2.0 specification ahead of this year's USB Developer Days events scheduled for November, but it could take a few years before new cables, hubs, PCs, and mobile devices featuring the new technology are available for purchase. According to the group, the new protocol will make use of the same USB Type-C cables and connectors as USB4 version 1.0. In fact, if you've already got a USB Type-C passive cable that's capable of 40 Gbps speeds, you should be able to use that same cable with next-gen hardware to achieve speeds up to 80 Gbps. But the new standard will also introduce a new USB Type-C active cable designed specifically for speeds up to 80 Gbps. The new standard is also backward compatible, which means that if you buy a new device with USB 4 v2 support, it will still work with older hardware featuring USB 2.0, 3.2, or Thunderbolt 3 connectivity. You just won't be able to take advantage of the full speeds.
IOS

Apple Releases Rare iOS 12 Update To Address Security Flaw On Older iPhones, iPads (engadget.com) 22

Apple has released an iOS 12 update users of older iPhone and iPad devices should download as soon as possible. Engadget reports: The new version of the company's 2018 operating system addresses a major vulnerability that Apple recently patched within iOS 15. According to a support document, the WebKit flaw could have allowed a website to run malicious code on your device. In its usual terse manner, Apple notes it is "aware of a report that this issue may have been actively exploited."

For that reason, you should download the update as soon as possible if you're still using an iOS 12 device. That's a list that includes the iPhone 5s, iPhone 6, as well as iPad Air, iPad mini 2 and iPad mini 3. You can download iOS 12.5.6 by opening the Settings app, tapping on "General" and then selecting "Software Update."

Privacy

Dashlane Is Ready To Replace All Your Passwords With Passkeys (theverge.com) 37

Dashlane announced today that it's integrating passkeys into its cross-platform password manager. "We said, you know what, our job is to make security simple for users," says Dashlane CEO JD Sherman, "and this is a great tool to do that. So we should actually be thinking about ushering in this passwordless era." The Verge reports: Passwords are dying, long live passkeys. Practically the entire tech industry seems to agree that hexadecimal passwords need to die, and that the best way to replace them is with the cryptographic keys that have come to be known as passkeys. Basically, rather than having you type a phrase to prove you're you, websites and apps use a standard called WebAuthn to connect directly to a token you have saved -- on your device, in your password manager, ultimately just about anywhere -- and authenticate you automatically. It's more secure, it's more user-friendly, it's just better. The transition is going to take a while, though, and even when you can use passkeys, it'll be a while before all your apps and websites let you do so.

Going forward, Dashlane users can start to set up passkeys to log into sites and apps where they previously would have created passwords. And whereas systems like Apple's upcoming implementation in iOS 16 will often involve taking a picture of a QR code to log in, Dashlane says it can make the process even simpler because it has apps for most platforms and an extension for most browsers.

Businesses

Who Pays for an Act of Cyberwar? (wired.com) 34

Cyberinsurance doesn't cover acts of war. But even as cyberattacks mount, the definition of "warlike" actions remains blurry. From a report: This summer marks the fifth anniversary of the most expensive cyberattack ever: the NotPetya malware, released by Russia in June 2017, that shut down computer systems at companies and government agencies around the world, causing upward of $10 billion in damage due to lost business, repairs, and other operational disruptions. Half a decade later, the businesses affected by NotPetya are still sorting out who will pay those considerable costs in a series of legal disputes that will have serious ramifications for the rapidly growing cyberinsurance industry, as well as for the even more rapidly growing number of state-sponsored cyberattacks that blur the line between cyberwar and standard-issue government cyberactivity.

Whether or not insurers cover the costs of a cyberattack can depend, in part, on being able to make clear-cut distinctions in this blurry space: When Russian government hackers targeted Ukraine's electric grid earlier this year, was that an act of war because the two countries were already at war? What about when Russia hacked Ukraine's electric grid in 2015, or when pro-Russian hackers targeted servers in countries like the United States, Germany, Lithuania, and Norway because of their support for Ukraine? Figuring out which of these types of intrusions are "warlike" is not an academic matter for victims and their insurers -- it is sometimes at the heart of who ends up paying for them. And the more that countries like Russia exercise their offensive cyber capabilities, the harder and more critical it becomes to make those distinctions and sort out who is on the line to cover the costs.

When insurers first began offering policies that covered costs related to computer security breaches more than 20 years ago, the promise was that the industry would do for cybersecurity what it had done for other types of risks like car accidents, fires, or robbery. In other words, cyberinsurance was supposed to insulate policyholders from some of the most burdensome short-term costs associated with these events while simultaneously requiring those same policyholders to adopt best practices (seat belts, smoke detectors, security cameras) for reducing the likelihood of these risks in the first place. But the industry has fallen well short of that goal, in many cases failing both to help breached companies cover the costs of major cyberattacks like NotPetya, and to help companies reduce their exposure to cyber risk.

Google

Google's Open-Source Bug Bounty Aims To Clamp Down on Supply Chain Attacks (theverge.com) 3

Google has introduced a new vulnerability rewards program to pay researchers who find security flaws in its open-source software or in the building blocks that its software is built on. It'll pay anywhere from $101 to $31,337 for information about bugs in projects like Angular, GoLang, and Fuchsia or for vulnerabilities in the third-party dependencies that are included in those projects' codebases. From a report: While it's important for Google to fix bugs in its own projects (and in the software that it uses to keep track of changes to its code, which the program also covers), perhaps the most interesting part is the bit about third-party dependencies. Programmers often use code from open-source projects so they don't continuously have to reinvent the same wheel. But since developers often directly import that code, as well as any updates to it, that introduces the possibility of supply chain attacks. That's when hackers don't target the code directly controlled by Google itself but go after these third-party dependencies instead.

As SolarWinds showed, this type of attack isn't limited to open-source projects. But in the past few years, we've seen several stories where big companies have had their security put at risk thanks to dependencies. There are ways to mitigate this sort of attack vector -- Google itself has begun vetting and distributing a subset of popular open-source programs, but it's almost impossible to check over all the code a project uses. Incentivizing the community to check through dependencies and first-party code helps Google cast a wider net.

IT

Drop Launches the Sense75, Its First New In-House Keyboard Since 2020 (techcrunch.com) 37

An anonymous reader shares a report: As the mechanical keyboard hobby exploded during the early days of the pandemic, a lot of companies raced to launch new products. Drop, however, which maybe did more than anybody to popularize custom mechanical keyboards by making them and lots of accessories available to a larger audience, mostly added third-party keyboards to its lineup during this time. Now, however, it is launching the Sense75, its first brand-new in-house keyboard in two years.

As the name implies, this is a 75% keyboard, meaning you get the full set of function and arrow keys, as well as three buttons on the right side (by default, these are delete, page up and page down) and, as has become standard these days, a knob. There are RGB LEDs, of course, including underside diffusers that will create what Drop calls a "visually appealing halo" and, of course, hot-swap sockets so you can easily change out your switches. The keyboard will support customization through QMK and VIA to adapt it to your typing needs.

The pre-built version will set you back $349 for the black edition and $399 for the white one, while the barebones version will cost $249 in black and $299 in white.
Youtube

YouTube Now Controls Its Hardware Roadmap (techspot.com) 29

An anonymous reader shares a report: Partha Ranganathan came to realize about seven years ago that Moore's law was dead. No longer could the Google engineering VP expect chip performance to double roughly every 18 months without major cost increases, and that was a problem considering he helped Google construct its infrastructure spending budget each year. Faced with the prospect of getting a chip twice as fast every four years, Ranganathan knew they needed to mix things up. Ranganathan and other Google engineers looked at the overall picture and realized transcoding (for YouTube) was consuming a large fraction of compute cycles in its data centers. The off-the-shelf chips Google was using to run YouTube weren't all that good at specialized tasks like transcoding. YouTube's infrastructure uses transcoding to compress video down to the smallest possible size for your device, while presenting it at the best possible quality.

What they needed was an application-specific integrated circuit, or ASIC -- a chip designed to do a very specific task as effectively and efficiently as possible. Bitcoin miners, for example, use ASIC hardware and are designed for that sole purpose. "The thing that we really want to be able to do is take all of the videos that get uploaded to YouTube and transcode them into every format possible and get the best possible experience," said Scott Silver, VP of engineering at YouTube. It didn't take long to sell upper management on the idea of ASICs. After a 10-minute meeting with YouTube chief Susan Wojcicki, the company's first video chip project was approved. Google started deploying its Argos Video Coding Units (VCUs) in 2018, but didn't publicly announce the project until 2021. At the time, Google said the Argos VCUs delivered a performance boost of anywhere between 20 to 33 times compared to traditional server hardware running well-tuned transcoding software. Google has since flipped the switch on thousands of second-gen Argos chips in servers around the world, and at least two follow-ups are already in the pipeline.

Microsoft

Microsoft Launches Arm-based Azure VMs Powered by Ampere Chips (techcrunch.com) 13

Following a preview in April, Microsoft this morning announced the general availability of virtual machines (VMs) on Azure featuring the Ampere Altra, a processor based on the Arm architecture. From a report: The first Azure VMs powered by Arm chips are accessible in 10 Azure regions today, Microsoft says, and can be included in Kubernetes clusters managed using Azure Kubernetes Service beginning on September 1.

The Azure Arm-based VMs have up to 64 virtual CPU cores, 8 GB of memory per core and 40 Gbps of networking bandwidth as well as SSD local and attachable storage. Microsoft describes them as "engineered to efficiently run scale-out, cloud-native workloads," including open source databases, Java and .NET applications and gaming, web, app and media servers. Preview releases of Windows 11 Pro and Enterprise and Linux OS distributions including Canonical Ubuntu, Red Hat Enterprise Linux, SUSE Enterprise Linux, CentOS and Debian are available on the VMs day one, with support for Alma Linux and Rocky Linux to arrive in the future. Microsoft notes that Java apps in particular can run with few additional code changes, thanks to the company's contributions to the OpenJDK project.

Google

Google Experiences Hundreds of Covid Cases After Return-to-Office Mandate (cnbc.com) 227

"Google employees are receiving regular notifications from management of Covid-19 infections," CNBC reported Friday — "causing some to question the company's return-to-office mandates." The employees, who spoke with CNBC on the condition of anonymity, said since they have been asked to return to offices, infection notifications pop up in their email inboxes regularly....

The company began requiring most employees to return to physical offices at least three days a week in April. Since then, staffers have pushed back on the mandate after they worked efficiently for so long at home while the company enjoyed some of its fastest revenue growth in 15 years. Google has offered full-time employees the option to request permanent remote work, but it's unclear how many workers have been approved.

Google's Covid-19 outbreak in Los Angeles is currently the largest of any employer in L.A., according to the city's public health dashboard. Deadline.com first reported that the tech giant's trendy Silicon Beach campus in Venice, Calif., recorded 145 infections while 135 cases were recorded at the company's large Playa Vista campus.

Staffers have been filling Memegen, an internal company image-sharing site, with memes about the increased number of exposure notifications they're receiving. One meme, which was upvoted 2,840 times, showed a photo of an inbox with the email subject from a San Francisco-based facilities manager stating "We're so excited to see you back in the office!" and a subsequent email subject line stating "Notification of Confirmed COVID-19 Case...."

Some employees said they received a spike in notifications from the Mountain View, Calif. headquarters and in San Francisco offices after the company held a return-to-office celebration, where Grammy award-winning artist Lizzo performed for thousands of employees at the Shoreline Amphitheater, near Google's main campus.

Defending the safety of working on-site, a Google spokesperson told CNBC they hadn't been experiencing a sudden recent spike in their Covid cases, arguing that instead the hundreds of Covid cases had been occurring over "the last few months."
