IT

Confronting an Ancient Indian Hierarchy, Apple and IBM Ban Discrimination By Caste (reuters.com) 181

"Apple, the world's biggest listed company, updated its general employee conduct policy about two years ago to explicitly prohibit discrimination on the basis of caste," reports Reuters, "which it added alongside existing categories such as race, religion, gender, age and ancestry."

Apple has more than 165,000 full-time employees, the article points out, and "The inclusion of the new category, which hasn't been previously reported, goes beyond U.S. discrimination laws, which do not explicitly ban casteism." The update came after the tech sector — which counts India as its top source of skilled foreign workers — received a wake-up call in June 2020 when California's employment regulator sued Cisco Systems on behalf of a low-caste engineer who accused two higher-caste bosses of blocking his career.... Since the suit was filed, several activist and employee groups have begun seeking updated U.S. discrimination legislation — and have also called on tech companies to change their own policies to help fill the void and deter casteism....

Elsewhere in tech, IBM told Reuters that it added caste, which was already in India-specific policies, to its global discrimination rules after the Cisco lawsuit was filed, though it declined to give a specific date or a rationale.

Meta, Amazon, and Google do not mention caste in internal policies, the article points out — but they all told Reuters it's already prohibited by their current policies against discrimination.

And yet, "Over 1,600 Google workers demanded the addition of caste to the main workplace code of conduct worldwide in a petition, seen by Reuters, which they emailed to CEO Sundar Pichai last month and re-sent last week after no response."
Businesses

The Organized Labor Movement Has a New Ally: Venture Capitalists (yahoo.com) 52

Union-organizing startup "Unit of Work" received a $1.4-million pre-seed investment led by the venture capital arm of billionaire Mike Bloomberg, reports the Los Angeles Times.

The startup's outside investors "have made fortunes backing technologies such as artificial intelligence, cryptocurrencies and video games. One is among California's foremost critics of public-sector labor unions." But the head of the startup's lead investment firm says that "whenever a community has a want that's going unfilled, there's an opportunity for companies." [T]hese people used to multibillion-dollar sales and IPOs see a big opportunity in the atomized, restive condition of America's workforce and the possibility of transforming it through a new era of unionization. "We only invest in areas where we think we can get a return," said Roy Bahat, head of Bloomberg Beta, the venture arm of billionaire Mike Bloomberg's media empire.

Unit's business model works like this: The startup's organizers provide free consulting to groups of workers organizing unions within their own workplaces — helping them build support to win elections, advising them on strategy in contract-bargaining sessions, guiding them through paperwork filings and around legal obstacles. Once a contract is in place, members of the new union can decide to pay Unit a monthly fee — similar to traditional union dues — to keep providing support.... Once the company starts earning income, it plans to buy out its investors and give their equity to the unions it helped organize, effectively transitioning corporate control to the customer base.

The approach has attracted some strange bedfellows. The second investment firm in the round, Draper Associates, is led by Tim Draper, a third-generation venture capitalist, bitcoin evangelist and outspoken critic of organized labor... [H]e launched a ballot initiative to ban public-sector unions in California.... "Unit of Work is making unions decentralized," Draper wrote in an email explaining his investment. "That will be awesome. Centralized unions tend to restrain trade, and government unions create bloated bureaucracy and poor government service on the whole.... "

Despite Draper's enthusiasm for independent unions, as opposed to nationally affiliated labor organizations, Unit's leaders and its website make clear that they support their clients if they decide to affiliate with a larger union.

Government

Ransomware Causes 'Major', Long-Lasting Outage for UK Health Service's Patient Notes (independent.co.uk) 26

The Independent reports that the UK's National Health System is experiencing a major outage "expected to last for more than three weeks" after a third-party supplying the NHS's "CareNotes" software was hit by ransomware.

Unfortunately, this leaves doctors unable to see their notes on patients, and the mental health trusts that provide care "across the country will be left unable to access patient notes for weeks, and possibly months." Oxford Health NHS Foundation Trust has declared a critical incident over the outage, which is believed to affect dozens of trusts, and has told staff it is putting emergency plans in place. One NHS trust chief said the situation could possibly last for "months" with several mental health trusts, and there was concern among leaders that the problem is not being prioritised.

In an email to staff, Oxford Health NHS Foundation Trust chief executive Nick Broughton said: "The cyberattack targeted systems used to refer patients for care, including ambulances being dispatched, out of hours appointment bookings, triage, out of hours care, emergency prescriptions and safety alerts. It also targeted the finance system used by the trust...." An NHS director said: "The whole thing is down. It's really alarming...we're carrying a lot of risk as a result of it because you can't get records and details of assessments, prescribing, key observations, medical mental health act observations. You can't see any of it...Staff are going to have to write everything down and input it later."

They added: "There is increased risk to patients. We're finding it hard to discharge people, for example to housing providers, because we can't access records."

"'Weeks' is an unreasonable period," argues Slashdot reader Bruce66423, wondering why it couldn't be resolved with a seemingly simple restore from backups?

And Alan Woodward, a professor of cybersecurity at Surrey University, warns the Guardian that "Even if it was ransomware ... that doesn't mean data was not stolen."
Bug

Google's New Bug Bounties Include Their Custom Linux Kernel's Experimental Security Mitigations (theregister.com) 5

Google uses Linux "in almost everything," according to the leader of Google's "product security response" team — including Chromebooks, Android smartphones, and even Google Cloud.

"Because of this, we have heavily invested in Linux's security — and today, we're announcing how we're building on those investments and increasing our rewards." In 2020, we launched an open-source Kubernetes-based Capture-the-Flag (CTF) project called kCTF. The kCTF Vulnerability Rewards Program lets researchers connect to our Google Kubernetes Engine (GKE) instances, and if they can hack it, they get a flag, and are potentially rewarded.

All of GKE and its dependencies are in scope, but every flag caught so far has been a container breakout through a Linux kernel vulnerability.

We've learned that finding and exploiting heap memory corruption vulnerabilities in the Linux kernel could be made a lot harder. Unfortunately, security mitigations are often hard to quantify, however, we think we've found a way to do so concretely going forward....

First, we are indefinitely extending the increased reward amounts we announced earlier this year, meaning we'll continue to pay $20,000 — $91,337 USD for vulnerabilities on our lab kCTF deployment to reward the important work being done to understand and improve kernel security. This is in addition to our existing patch rewards for proactive security improvements.

Second, we're launching new instances with additional rewards to evaluate the latest Linux kernel stable image as well as new experimental mitigations in a custom kernel we've built. Rather than simply learning about the current state of the stable kernels, the new instances will be used to ask the community to help us evaluate the value of both our latest and more experimental security mitigations. Today, we are starting with a set of mitigations we believe will make most of the vulnerabilities (9/10 vulns and 10/13 exploits) we received this past year more difficult to exploit. For new exploits of vulnerabilities submitted which also compromise the latest Linux kernel, we will pay an additional $21,000 USD. For those which compromise our custom Linux kernel with our experimental mitigations, the reward will be another $21,000 USD (if they are clearly bypassing the mitigations we are testing). This brings the total rewards up to a maximum of $133,337 USD.

We hope this will allow us to learn more about how hard (or easy) it is to bypass our experimental mitigations.....

With the kCTF VRP program, we are building a pipeline to analyze, experiment, measure and build security mitigations to make the Linux kernel as safe as we can with the help of the security community. We hope that, over time, we will be able to make security mitigations that make exploitation of Linux kernel vulnerabilities as hard as possible.

"We don't care about vulnerabilities; we care about exploits," Vela told the Register. "We expect the vulnerabilities are there, they will get patched, and that's nice and all. But the whole idea is what to do beyond just patching a couple of vulnerabilities." In total, Google paid out $8.7 million in rewards to almost 700 researchers across its various VRPs last year. "We are just one actor in the whole community that happens to have economic resources, financial resources, but we need the community to help us make the Kernel better," Vela said.

"If the community is engaged and helps us validate the mitigations that we have, then, we will continue growing on top of that. But the whole idea is that we need to see where the community wants us to go with this...."

[I]t's not always about the cash payout, according to Vela, and different bug hunters have different motivations. Some want money, some want fame and some just want to solve an interesting problem, Vela said. "We are trying to find the right combination to captivate people."

Communications

The Hacking of Starlink Terminals Has Begun (wired.com) 48

AmiMoJo shares a report from Wired: Since 2018, Elon Musk's Starlink has launched more than 3,000 small satellites into orbit. This satellite network beams internet connections to hard-to-reach locations on Earth and has been a vital source of connectivity during Russia's war in Ukraine. Thousands more satellites are planned for launch as the industry booms. Now, like any emerging technology, those satellite components are being hacked. Today, Lennert Wouters, a security researcher at the Belgian university KU Leuven, will reveal one of the first security breakdowns of Starlink's user terminals, the satellite dishes (dubbed Dishy McFlatface) that are positioned on people's homes and buildings. At the Black Hat security conference in Las Vegas, Wouters will detail how a series of hardware vulnerabilities allow attackers to access the Starlink system and run custom code on the devices.

To access the satellite dish's software, Wouters physically stripped down a dish he purchased and created a custom hacking tool that can be attached to the Starlink dish. The hacking tool, a custom circuit board known as a modchip, uses off-the-shelf parts that cost around $25. Once attached to the Starlink dish, the homemade printed circuit board (PCB) is able to launch a fault injection attack -- temporarily shorting the system -- to help bypass Starlink's security protections. This 'glitch' allows Wouters to get into previously locked parts of the Starlink system. The researcher notified Starlink of the flaws last year and the company paid Wouters through its bug bounty scheme for identifying the vulnerabilities. Wouters says that while SpaceX has issued an update to make the attack harder (he changed the modchip in response), the underlying issue can't be fixed unless the company creates a new version of the main chip. All existing user terminals are vulnerable, Wouters says.
Wouters is making his hacking tool open source on GitHub. Following his presentation, Starlink says it plans to release a "public update" to address the issue but additional details were not shared.
Windows

Microsoft Urges Windows Users To Run Patch For DogWalk Zero-Day Exploit (computerworld.com) 15

joshuark shares a report from Computerworld: Despite previously claiming the DogWalk vulnerability did not constitute a security issue, Microsoft has now released a patch to stop attackers from actively exploiting the vulnerability. [...] The vulnerability, known as CVE-2022-34713 or DogWalk, allows attackers to exploit a weakness in the Windows Microsoft Support Diagnostic Tool (MSDT). By using social engineering or phishing, attackers can trick users into visiting a fake website or opening a malicious document or file and ultimately gain remote code execution on compromised systems. DogWalk affects all Windows versions under support, including the latest client and server releases, Windows 11 and Windows Server 2022.

The vulnerability was first reported in January 2020 but at the time, Microsoft said it didn't consider the exploit to be a security issue. This is the second time in recent months that Microsoft has been forced to change its position on a known exploit, having initially rejected reports that another Windows MSDT zero-day, known as Follina, posed a security threat. A patch for that exploit was released in June's Patch Tuesday update.

Encryption

Facebook Will Begin Testing End-To-End Encryption As Default On Messenger App (theguardian.com) 13

Facebook announced on Thursday it will begin testing end-to-end encryption as the default option for some users of its Messenger app on Android and iOS. The Guardian reports: Facebook Messenger users currently have to opt in to make their messages end-to-end encrypted (E2E), a mechanism that theoretically allows only the sender and recipient of a message to access its content. Facebook spokesperson Alex Dziedzan said on Thursday that E2E encryption is a complex feature to implement and that the test is limited to a couple of hundred users for now so that the company can ensure the system is working properly. Dziedzan also said the move was "not a response to any law enforcement requests." Meta, Facebook's parent company, said it had planned to roll out the test for months. The company had previously announced plans to make E2E encryption the default in 2022 but pushed the date back to 2023. "The only way for companies like Facebook to meaningfully protect people is for them to ensure that they do not have access to user data or communications when a law enforcement agency comes knocking," Evan Greer, the director of the digital rights group Fight for the Future, said. "Expanding end-to-end encryption by default is a part of that, but companies like Facebook also need to stop collecting and retaining so much intimate information about us in the first place."
Microsoft

Microsoft Sues Activation Key and Token Sellers For Enabling Customers' Piracy (torrentfreak.com) 41

Software sold by market leaders tends to be a primary purchase for regular consumers. Brand comfort is important but so too is affordability, especially when pirate copies are available for free. Some find a middle ground with purchases of discounted activation keys but, as a new Microsoft lawsuit shows, that can amount to copyright infringement for buyers and sellers alike. From a report: In a complaint filed at a Washington court this week, Microsoft targets Canadian company The Search People Enterprises Ltd (TSPE), assumed director Mehtabjit Singh, and 'John Doe' defendants 1-10. The defendants are described as prolific distributors of "black market access devices," aka activation keys and tokens for Microsoft software. Those who bought keys and tokens may have been under the impression that they were purchasing official software but as Microsoft explains, that is not only misleading but a mischaracterization of the things they were sold.

Products including Microsoft Office, Project, Visio, Windows 10, and Windows 11 are all subject to licensing terms that restrict how the products can be used. Microsoft can also provide a product activation key to be entered as part of the installation process, with data about the activation sent to the company's servers. Like software tokens, which enable downloads and automatic software activation, activation keys are anti-piracy tools, and exchanging money for them is not the same as buying a license. Indeed, Microsoft makes itself very clear -- the activation of a piece of software means nothing in the absence of a license. Microsoft's problem is that product activation keys can be 'decoupled' from the software they were meant to authorize and then reused to activate more copies of the software, in some cases more copies than the attached Microsoft license permits.

Privacy

Raspberry Pi-Powered Anti-Tracking Tool Checks If You're Being Followed (wired.com) 79

Matt Edmondson, a hacker and digital forensics expert, built a Raspberry Pi-powered anti-tracking tool that "scans for nearby devices and alerts you if the same phone is detected multiple times within the past 20 minutes," reports Wired. The device, which can be carried around or placed in a car, consists of parts that cost around $200 in total. From the report: The homemade system works by scanning for wireless devices around it and then checking its logs to see whether they also were present within the past 20 minutes. It was designed to be used while people are on the move rather than sitting in, say, a coffee shop, where it would pick up too many false readings. The anti-tracking tool, which can sit inside a shoebox-sized case, is made up of a few components. A Raspberry Pi 3 runs its software, a Wi-Fi card looks for nearby devices, a small waterproof case protects it, and a portable charger powers the system. A touchscreen shows the alerts the device produces. Each alert may be a sign that you are being tailed. The device runs Kismet, which is a wireless network detector, and is able to detect smartphones and tablets around it that are looking for Wi-Fi or Bluetooth connections. The phones we use are constantly looking for wireless networks around them, including networks they've connected to before as well as new networks.

Edmondson says Kismet makes a record of the first time it sees a device and then the most recent time it was detected. But to make the anti-tracking system work, he had to write code in Python to create lists of what Kismet detects over time. There are lists for devices spotted in the past five to 10 minutes, 10 to 15 minutes, and 15 to 20 minutes. If a device appears twice, an alert flashes up on the screen. The system can show a phone's MAC address, although this is not much use if it's been randomized. It can also record the names of Wi-Fi networks that devices around it are looking for -- a phone that's trying to connect to a Wi-Fi network called Langley may give some clues about its owner. "If you have a device on you, I should see it," he says. In an example, he showed WIRED that a device was looking for a network called SAMSUNGSMART.

To stop the system from detecting your own phone or those of other people traveling with you, it has an "ignore" list. By tapping one of the device's onscreen buttons, it's possible to "ignore everything that it has already seen." Edmondson says that in the future, the device could be modified to send a text alert instead of showing them on the screen. He is also interested in adding the capability to detect tire-pressure monitoring systems that could show recurring nearby vehicles. A GPS unit could also be added so you can see where you were when you were being tracked, he says. [...] Edmondson has no plans to make the device into a commercial product, but he says the design could easily be copied and reused by anyone with some technical knowledge. Many of the parts involved are easy to obtain or may be lying around the homes of people in tech communities.
For those interested, Edmondson open-sourced its underlying code and plans to present the research project at the Black Hat security conference in Las Vegas this week.
Security

Researchers Find Vulnerability In Software Underlying Discord, Microsoft Teams, and Other Apps (vice.com) 23

An anonymous reader quotes a report from Motherboard: A group of security researchers found a series of vulnerabilities in the software underlying popular apps like Discord, Microsoft Teams, Spotify and many others, which are used by tens of millions of people all over the world. At the Black Hat cybersecurity conference in Las Vegas on Thursday, the researchers presented their findings, detailing how they could have hacked people who use Discord, Microsoft Teams, and the chat app Element by exploiting the software underlying all of them: Electron, which is a framework built on the open source Chromium and the cross-platform JavaScript environment Node.js. In all these cases, the researchers submitted vulnerabilities to Electron to get them fixed, which earned them more than $10,000 in rewards. The bugs were fixed before the researchers published their research.

Aaditya Purani, one of the researchers who found these vulnerabilities, said that "regular users should know that the Electron apps are not the same as their day-to-day browsers," meaning they are potentially more vulnerable. In the case of Discord, the bug Purani and his colleagues found only required them to send a malicious link to a video. With Microsoft Teams, the bug they found could be exploited by inviting a victim to a meeting. In both cases, if the targets clicked on these links, hackers would have been able to take control of their computers, Purani explained in the talk. For him, one of the main takeaways of their research is that Electron is risky precisely because users are very likely to click on links shared in Discord or Microsoft Teams.

IT

Email Marketing Firm Mailchimp Suspends Several Crypto-Related Accounts (coindesk.com) 29

Mailchimp appears to have suspended the accounts of several crypto-related firms, according to the affected outlets. Crypto firms on the chopping board include intelligence platform Messari. From a report: Founder Ryan Selkis posted on Twitter revealing the suspension and expressing his disappointment. Crypto wallet provider Edge, NFT artist Ocarina, and Jesse Friedland -- the founder of NFT collection Cryptoon Goonz -- are among prominent names that appear to have had their accounts suspended in the last several weeks, according to the Decrypt report.
Google

Google To Stop Giving Answers To Silly Questions (theguardian.com) 90

Google will stop giving snappy answers to stupid questions, the company has announced, as it seeks to improve its search engine's "featured snippets" service. From a report: That means users should see fewer answers to questions such as "When did Snoopy assassinate Abraham Lincoln?", to which the service would once merrily respond with "1865" -- the right date, but very much the wrong assassin. "This clearly isn't the most helpful way to display this result," said the company's head of search, Pandu Nayak, in a blogpost announcing the changes. "We've trained our systems to get better at detecting these sorts of false premises, which are not very common, but there are cases where it's not helpful to show a featured snippet. We've reduced the triggering of featured snippets in these cases by 40% with this update."

Snippets, which sometimes show up as a featured response to direct questions asked of Google Search, have long been a cornerstone of the company's AI strategy. The same technology powers its smart speakers and voice assistants, and lets the search engine satisfy search queries without visitors clicking away to other websites. But the snippets, which are automatically generated from the contents of websites, have also been a thorn in Google's side for just as long. [...] In an effort to address the root cause of such mistakes, Google is also rolling out new warnings for times when a search term has hit a "data void" -- a question where a good answer might simply not exist.

Security

Cisco Hacked By Yanluowang Ransomware Gang, 2.8GB Allegedly Stolen (bleepingcomputer.com) 21

An anonymous reader quotes a report from BleepingComputer: Cisco confirmed today that the Yanluowang ransomware group breached its corporate network in late May and that the actor tried to extort them under the threat of leaking stolen files online. The company revealed that the attackers could only harvest and steal non-sensitive data from a Box folder linked to a compromised employee's account. "Cisco experienced a security incident on our corporate network in late May 2022, and we immediately took action to contain and eradicate the bad actors," a Cisco spokesperson told BleepingComputer. "Cisco did not identify any impact to our business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations. On August 10 the bad actors published a list of files from this security incident to the dark web. We have also implemented additional measures to safeguard our systems and are sharing technical details to help protect the wider security community."

The Yanluowang threat actors gained access to Cisco's network using an employee's stolen credentials after hijacking the employee's personal Google account containing credentials synced from their browser. The attacker convinced the Cisco employee to accept multi-factor authentication (MFA) push notifications through MFA fatigue and a series of sophisticated voice phishing attacks initiated by the Yanluowang gang that impersonated trusted support organizations. The threat actors finally tricked the victim into accepting one of the MFA notifications and gained access to the VPN in the context of the targeted user. Once they gained a foothold on the company's corporate network, Yanluowang operators spread laterally to Citrix servers and domain controllers.

"They moved into the Citrix environment, compromising a series of Citrix servers and eventually obtained privileged access to domain controllers," Cisco Talos said. After gaining domain admin, they used enumeration tools like ntdsutil, adfind, and secretsdump to collect more information and installed a series of payloads onto compromised systems, including a backdoor. Ultimately, Cisco detected and evicted them from its environment, but they continued trying to regain access over the following weeks. [...] Last week, the threat actor behind the Cisco hack emailed BleepingComputer a directory listing of files allegedly stolen during the attack. The threat actor claimed to have stolen 2.75GB of data, consisting of approximately 3,100 files. Many of these files are non-disclosure agreements, data dumps, and engineering drawings.

AMD

AMD Continues PC and Server Market Share Gains Amid Slumping Demand (tomshardware.com) 34

The preliminary Mercury Research CPU market share results are in for the second quarter of 2022, arriving during what is becoming a more dire situation for the PC market as sales cool after several years of stratospheric growth. From a report: According to the recent earnings reports from Intel, AMD, and Nvidia, the recovery will be a long one. Still, for now, AMD appears to be weathering the storm better than its opponents as it continued to steal market share from Intel in every segment of the CPU market. The desktop PC market is still on fire, but it isn't a good kind of fire. Intel issued a dire earnings report last week -- the company lost money for the first time in decades, partially driven by PC declines. Intel also announced it was delaying its critical Xeon Sapphire Rapids data center chips and killing off another failing business unit, Optane; the sixth unit retired since new CEO Pat Gelsinger took over.

In contrast, AMD's revenue was up 70% year-over-year as the company continued to improve its already-great profitability. AMD is firing on all cylinders and will launch its Ryzen 7000 CPUs, RDNA 3 GPUs, and EPYC Genoa data center processors on schedule. That consistent execution continues to pay off. AMD continued to take big strides in the mobile/laptop market, setting another record for unit share in that segment with 24.8%. AMD also gained in the server market for the 13th consecutive quarter, reaching 13.9% of the market. Notably, AMD's quarterly gain in servers is the highest we've seen with our historical data, which dates back to 2017.

Communications

One of 5G's Biggest Features Is a Security Minefield (wired.com) 42

True 5G wireless data, with its ultrafast speeds and enhanced security protections, has been slow to roll out around the world. As the mobile technology proliferates -- combining expanded speed and bandwidth with low-latency connections -- one of its most touted features is starting to come into focus. But the upgrade comes with its own raft of potential security exposures. From a report: A massive new population of 5G-capable devices, from smart-city sensors to agriculture robots and beyond, are gaining the ability to connect to the internet in places where Wi-Fi isn't practical or available. Individuals may even elect to trade their fiber-optic internet connection for a home 5G receiver. But the interfaces that carriers have set up to manage internet-of-things data are riddled with security vulnerabilities, according to research that will be presented on Wednesday at the Black Hat security conference in Las Vegas. And those vulnerabilities could dog the industry long-term. After years of examining potential security and privacy issues in mobile-data radio frequency standards, Technical University of Berlin researcher Altaf Shaik says he was curious to investigate the application programming interfaces (APIs) that carriers are offering to make IoT data accessible to developers.

These are the conduits that applications can use to pull, say, real-time bus-tracking data or information about stock in a warehouse. Such APIs are ubiquitous in web services, but Shaik points out that they haven't been widely used in core telecommunications offerings. Looking at the 5G IoT APIs of 10 mobile carriers around the world, Shaik and his colleague Shinjo Park found common, but serious API vulnerabilities in all of them, and some could be exploited to gain authorized access to data or even direct access to IoT devices on the network. "There's a big knowledge gap. This is the beginning of a new type of attack in telecom," Shaik told WIRED ahead of his presentation. "There's a whole platform where you get access to the APIs, there's documentation, everything, and it's called something like 'IoT service platform.' Every operator in every country is going to be selling them if they're not already, and there are virtual operators and subcontracts, too, so there will be a ton of companies offering this kind of platform."

Security

DNSFilter Acquires iOS Firewall App Guardian (techcrunch.com) 1

DNSFilter, a Washington, D.C.-based provider of DNS-based web content filtering and threat protection, has announced it's acquiring Guardian, a privacy-protecting firewall for iOS. Financial terms of the deal were not disclosed. From a report: Guardian was founded in 2013 by Will Strafach, a security researcher and former iPhone jailbreaker who in 2017 discovered that AccuWeather was secretly sending precise location data to a third-party company without a user's permission. The company's "smart firewall" iPhone app blocks apps from sharing users' personal information with third parties, such as IP addresses and location data, by funneling data through an encrypted virtual private network (VPN). The startup, which claims to have so far blocked more than 5 billion data trackers and 1 billion location trackers, recently joined forces with Brave to integrate its firewall and VPN functionality into its eponymous non-tracking browser.

Bitcoin

Curve Finance Front End UI Compromised In DNS Hack (cointelegraph.com) 12

According to researcher samczsun at Paradigm, Curve Finance has had its front end compromised, with over $500K stolen within a matter of minutes. The automated market maker is warning users to exercise caution when interacting with the site. Binance CEO Changpeng Zhao also shared the news and is monitoring the situation. CoinTelegraph reports: Curve stated via Twitter that its exchange -- which is a separate product -- appeared to be unaffected by the attack, as it uses a different DNS provider. Twitter user LefterisJP speculated that the alleged attacker had likely utilized DNS spoofing to execute the exploit on the service: "It's DNS spoofing. Cloned the site, made the DNS point to their ip where the cloned site is deployed and added approval requests to a malicious contract."

Other participants in the DeFi space quickly took to Twitter to spread the warning to their own followers, with some noting that the alleged thief appears to have stolen more than $573K USD at time of publication: "Alert to all @CurveFinance users, their frontend has been compromised! Do not interact with it until further notice! It appears around $570k stolen so far."

Bug

Windows 11 Encryption Bug Could Cause Data Loss, Temporary Slowdowns On Newer PCs (arstechnica.com) 28

An anonymous reader quotes a report from Ars Technica: Microsoft has published a knowledge base article acknowledging a problem with encryption acceleration in the newest versions of Windows that could result in data corruption. The company recommends installing the June 2022 security updates for Windows 11 and Windows Server 2022 "to prevent further damage," though there are no suggested solutions for anyone who has already lost data because of the bug.

The problems only affect relatively recent PCs and servers that support Vector Advanced Encryption Standard (VAES) instructions for accelerating cryptographic operations. Microsoft says affected systems use AES-XTS or AES-GCM instructions "on new hardware." Part of the AVX-512 instruction set, VAES instructions are supported by Intel's Ice Lake, Tiger Lake, Rocket Lake, and Alder Lake architectures -- these power some 10th-generation Core CPUs for laptops, as well as all 11th- and 12th-gen Core CPUs. AMD's upcoming Zen 4 architecture also supports VAES, though by the time these chips are released in the fall, the patches will have had plenty of time to proliferate. Microsoft says that the problem was caused when it added "new code paths" to support the updated encryption instructions in SymCrypt, Windows' cryptographic function library. These code paths were added in the initial release of Windows 11 and Windows Server 2022, so the problem shouldn't affect older versions like Windows 10 or Windows Server 2019.

The initial fix for the problem, provided in Windows' June 2022 security update package (Windows 11 build 22000.778), will prevent further damage at the cost of reduced performance, suggesting that the initial fix was to disable encryption acceleration on these processors entirely. Using BitLocker-encrypted disks or the Transport Layer Security (TLS) protocol or accessing encrypted storage on servers will all be slower with the first patch installed, though installing the July 2022 security updates (Windows 11 build 22000.795) should restore performance to its previous level.

Intel

SGX, Intel's Supposedly Impregnable Data Fortress, Has Been Breached Yet Again (arstechnica.com) 23

Intel's latest generation of CPUs contains a vulnerability that allows attackers to obtain encryption keys and other confidential information protected by the company's software guard extensions, the advanced feature that acts as a digital vault for security users' most sensitive secrets. From a report: Abbreviated as SGX, the protection is designed to provide a fortress of sorts for the safekeeping of encryption keys and other sensitive data, even when the operating system or a virtual machine running on top is maliciously compromised. SGX works by creating trusted execution environments that protect sensitive code and the data it works with from monitoring or tampering by anything else on the system.

SGX is a cornerstone of the security assurances many companies provide to users. Servers used to handle contact discovery for the Signal Messenger, for instance, rely on SGX to ensure the process is anonymous. Signal says running its advanced hashing scheme provides a "general recipe for doing private contact discovery in SGX without leaking any information to parties that have control over the machine, even if they were to attach physical hardware to the memory bus." The example is purely hypothetical. Signal spokesperson Jun Harada wrote in an email: "Intel alerted us to this paper... and we were able to verify that the CPUs that Signal uses are not impacted by the findings of this paper and therefore are not vulnerable to the stated attack." Key to the security and authenticity assurances of SGX is its creation of what are called "enclaves," or blocks of secure memory. Enclave contents are encrypted before they leave the processor and are written in RAM. They are decrypted only after they return. The job of SGX is to safeguard the enclave memory and block access to its contents by anything other than the trusted part of the CPU.

IT

Someone Is Trolling Celebs by Sending ETH From Tornado Cash (coindesk.com) 30

An anonymous user sent a slew of Tornado Cash transactions to high-profile Ethereum addresses on Tuesday in what appears to be a troll implicating them in a potential regulatory mess. From a report: Affected wallets include those controlled by Coinbase CEO Brian Armstrong, TV host Jimmy Fallon, clothing brand Puma and a wallet created for donations to Ukraine, according to Etherscan. Prominent crypto figures such as artist Beeple and more mainstream celebrities such as comedian Dave Chappelle received ether (ETH).
