Microsoft

Microsoft's Bing Chat AI is Now Open To Everyone, With Plug-ins Coming Soon (theverge.com)

Microsoft is making its Bing GPT-4 chatbot available to everyone today, no more waitlist necessary. From a report: All you need to do is sign in to the new Bing or Edge with your Microsoft account, and you'll now access the open preview version that's powered by GPT-4. Microsoft is also massively upgrading Bing Chat with lots of new features and even plug-in support. Microsoft is now adding more smart features to Bing Chat, including image and video results, a new Bing and Edge Actions feature, persistent chat and history, and plug-in support. The plug-in support will be the key addition for developers and for the future of Bing Chat.
Google

Passwordless Google Accounts Are Here - You Can Now Switch To Passkey-Only (arstechnica.com)

Google is taking a big step toward our supposedly passwordless future by enabling passkey-only Google accounts. From a report: In the blog post, titled "The beginning of the end of the password," Google says: "We've begun rolling out support for passkeys across Google Accounts on all major platforms. They'll be an additional option that people can use to sign in, alongside passwords, 2-Step Verification (2SV), etc." Previously, you've been able to use a passkey with a Google account as part of two-factor authentication, but that was always in addition to a password. Now it's possible to use a Google account with a passkey instead of a password.

A passkey, if you haven't heard of the new authentication method, is a new way to log in to apps and websites and may someday replace a password. Password entry began as a simple text box for humans, and those text boxes slowly had automation and complication bolted onto them as the desire for higher security arrived. While you used to type a remembered word into a password field, today, the right way to use a password is to have a password manager paste a random string of characters into the password box. Since few of us physically type in our passwords, passkeys remove the password box. Passkeys have your operating system perform a public-key challenge exchange -- the "WebAuthn" standard -- with a website, and that's how you get authenticated; the private key stays on your device. Google's demo of how this will work on a phone looks great -- the usual box asks for your Google username, then instead of a password, it asks for a fingerprint, which unlocks the passkey system, and you're logged in. Google's passwordless support is headed for consumer devices right now, while business Google Workspace accounts will "soon" have the option to enable passkeys for end users.

Microsoft

Microsoft is Forcing Outlook and Teams To Open Links in Edge, and IT Admins Are Angry (theverge.com)

An anonymous reader shares a report: Microsoft has now started notifying IT admins that it will force Outlook and Teams to ignore the default web browser on Windows and open links in Microsoft Edge instead. Reddit users have posted messages from the Microsoft 365 admin center that reveal how Microsoft is going to roll out this change. "Web links from Azure Active Directory (AAD) accounts and Microsoft (MSA) accounts in the Outlook for Windows app will open in Microsoft Edge in a single view showing the opened link side-by-side with the email it came from," reads a message to IT admins from Microsoft. While this won't affect the default browser setting in Windows, it's yet another part of Microsoft 365 and Windows that totally ignores your default browser choice for links. Microsoft already does this with the Widgets system in Windows 11 and even the search experience, where you'll be forced into Edge if you click a link even if you have another browser set as default. Further reading: Microsoft Broke a Chrome Feature To Promote Its Edge Browser.
Chrome

Chrome To Drop Lock Icon Showing HTTPS Status (itnews.com.au)

Google will remove the familiar lock icon that allows users to check a website's Transport Layer Security status for the connection, citing research that only a few users correctly understood its precise meaning. From a report: The lock icon has been displayed by web browsers since the 1990s, indicating that the connection to web sites is secured and authenticated with encryption. However, Google said its 2021 research showed that only 11 percent of participants in a study correctly understood the meaning of the lock icon. This, Google argued, is not harmless since most phishing sites also use Hypertext Transfer Protocol Secure (HTTPS) and also display the lock icon. Ergo, a lock icon is not in fact an indicator of a site's security. [...] Starting with Chrome version 117, Google will introduce a new "tune" icon, which does not imply a site is trustworthy, and is more obviously clickable. The "tune" icon is more commonly associated with settings and other controls, and Google said a more neutral indicator like that prevents the misunderstanding around site security that the lock icon is causing.
Security

ChatGPT-related Malware on the Rise, Meta Says (reuters.com)

Facebook owner Meta said on Wednesday it had uncovered malware purveyors leveraging public interest in ChatGPT to lure users into downloading malicious apps and browser extensions, likening the phenomenon to cryptocurrency scams. From a report: Since March, the social media giant has found around 10 malware families and more than 1,000 malicious links that were promoted as tools featuring the popular artificial intelligence-powered chatbot, it said in a report. In some cases, the malware delivered working ChatGPT functionality alongside abusive files, the company said. Speaking at a press briefing on the report, Meta Chief Information Security Officer Guy Rosen said that for bad actors, "ChatGPT is the new crypto."
Security

Promising Jobs At the US Postal Service, 'US Job Services' Leaks Customer Data (krebsonsecurity.com)

An anonymous reader quotes a report from KrebsOnSecurity: A sprawling online company based in Georgia that has made tens of millions of dollars purporting to sell access to jobs at the United States Postal Service (USPS) has exposed its internal IT operations and database of nearly 900,000 customers. The leaked records indicate the network's chief technology officer in Pakistan has been hacked for the past year, and that the entire operation was created by the principals of a Tennessee-based telemarketing firm that has promoted USPS employment websites since 2016. KrebsOnSecurity was recently contacted by a security researcher who said he found a huge tranche of full credit card records exposed online, and that at first glance the domain names involved appeared to be affiliated with the USPS. Further investigation revealed a long-running international operation that has been emailing and text messaging people for years to sign up at a slew of websites that all promise they can help visitors secure employment at the USPS.

Sites like FederalJobsCenter[.]com also show up prominently in Google search results for USPS employment, and steer applicants toward making credit card "registration deposits" to ensure that one's application for employment is reviewed. These sites also sell training, supposedly to help ace an interview with USPS human resources. FederalJobsCenter's website is full of content that makes it appear the site is affiliated with the USPS, although its "terms and conditions" state that it is not. Rather, the terms state that FederalJobsCenter is affiliated with an entity called US Job Services, which says it is based in Lawrenceville, Ga. The site says applicants need to make a credit card deposit to register, and that this amount is refundable if the applicant is not offered a USPS job within 30 days after the interview process. But a review of the public feedback on US Job Services and dozens of similar names connected to this entity over the years shows a pattern of activity: Applicants pay between $39.99 and $100 for USPS job coaching services, and receive little if anything in return. Some reported being charged the same amount monthly.

Michael Martel, spokesperson for the United States Postal Inspection Service, said in a written statement that the USPS has no affiliation with the websites or companies named in this story.

"To learn more about employment with USPS, visit USPS.com/careers," Martel wrote. "If you are the victim of a crime online report it to the FBI's Internet Crime Complaint Center (IC3) at www.ic3.gov. To report fraud committed through or toward the USPS, its employees, or customers, report it to the United States Postal Inspection Service (USPIS) at www.uspis.gov/report."

A list of all the current sites selling this product can be found in Krebs' report.
Security

T-Mobile Discloses 2nd Data Breach of 2023, This One Leaking Account PINs and More (arstechnica.com)

T-Mobile on Monday said it experienced a hack that exposed account PINs and other customer data in the company's second network intrusion this year and the ninth since 2018. From a report: The intrusion, which started on February 24 and lasted until March 30, affected 836 customers, according to a notification on the website of Maine Attorney General Aaron Frey. "The information obtained for each customer varied but may have included full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts (for example, rate plan and feature codes), and the number of lines," the company wrote in a letter sent to affected customers. Account PINs, which customers use to swap out SIM cards and authorize other important changes to their accounts, were reset once T-Mobile discovered the breach on March 27.

The incident is the second hack to hit T-Mobile this year. It's the ninth since 2018, based on reporting by TechCrunch. In January, T-Mobile said "bad actors" abused one of its application programming interfaces (APIs) in a way that allowed them to access the data of 37 million customers. The hack started on November 25, 2022, and wasn't discovered by T-Mobile until January 5, TechCrunch said. Data obtained in that incident included names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers, and information such as the number of lines on accounts and plan features.

Social Networks

Pornhub Blocks All of Utah From Its Site

In response to a new law that requires porn sites to verify users' ages, Pornhub has completely disabled its websites for people located in Utah. From a report: As of today, anyone accessing Pornhub from a Utah-based IP address doesn't see the Pornhub homepage, but instead is met with a video of Cherie DeVille, adult performer and member of the Adult Performer Advocacy Committee, explaining that they won't be able to visit the site. "As you may know, your elected officials in Utah are requiring us to verify your age before allowing you access to our website," DeVille says. "While safety and compliance are at the forefront of our mission, giving your ID card every time you want to visit an adult platform is not the most effective solution for protecting our users, and in fact, will put children and your privacy at risk."
Security

Apple Releases Its First Rapid-Fire Security Updates for iPhone, iPad and Mac (engadget.com)

Apple promised faster turnaround times for security patches with iOS 16 and macOS Ventura, and it's now delivering on that claim. From a report: The company has released its first Rapid Security Response updates for devices running iOS 16.4.1, iPadOS 16.4.1 and macOS 13.3.1. They're available through Software Update as usual, but are small downloads that don't require much time to install. MacRumors says the fix is deploying over the course of 48 hours, so don't be surprised if you have to wait a short while.
Wireless Networking

Are Public Wifi and Phone Chargers Actually Safe? (msn.com)

The Washington Post's "Tech Friend" newsletter suggests some "tech fears you can stop worrying about." And it starts by reassuring readers, "You're fine using the WiFi in a coffee shop, hotel or airport." "Yes, it is safe," said Chester Wisniewski, a digital security specialist with the firm Sophos. Five or 10 years ago, it wasn't secure to use the shared WiFi in a coffee shop or another place outside your home. But now, most websites and apps scramble whatever you do online. That makes it tough for crooks to snoop on you when you're connected to public WiFi. It's not impossible, but criminals have easier targets.

Even Wisniewski, whose job involves sensitive information, said he connected to the WiFi at the airport and hotel on a recent business trip. He plans to use the WiFi at a conference in Las Vegas attended by the world's best computer hackers. Wisniewski generally does not use an extra layer of security called a VPN, although your company might require it. He avoids using WiFi in China.

You should be wary of public WiFi if you know you're a target of government surveillance or other snooping. But you are probably not Edward Snowden or Brad Pitt... For nearly all of us and nearly all of the time, you can use public WiFi without stress.

The newsletter also suggests we stop worrying about public phone chargers. ("Security experts told me that 'juice jacking' is extremely unlikely... Don't worry about the phone chargers unless you know you're being targeted by criminals or spies.")

Beyond that, "Focus your energy on digital security measures that really matter" — things like using strong and unique passwords for online accounts. ("This is a pain. Do it anyway.") And it calls two-factor authentication possibly the single best thing you can do to protect yourself online.
Programming

'sudo' and 'su' Are Being Rewritten In Rust For Memory Safety (phoronix.com)

Phoronix reports: With the financial backing of Amazon Web Services, sudo and su are being rewritten in the Rust programming language in order to increase the memory safety for the widely relied upon software... to further enhance Linux/open-source security.

"[B]ecause it's written in C, sudo has experienced many vulnerabilities related to memory safety issues," according to a blog post announcing the project: It's important that we secure our most critical software, particularly from memory safety vulnerabilities. It's hard to imagine software that's much more critical than sudo and su.

This work is being done by a joint team from Ferrous Systems and Tweede Golf with generous support from Amazon Web Services. The work plan is viewable here. The GitHub repository is here.

IT

84 Amazon Delivery Drivers Just Won a $30 an Hour Union Contract (vox.com)

CNBC reports that 84 Amazon delivery drivers at a California facility "joined the International Brotherhood of Teamsters, the union said Monday, in a win for labor organizers that have long sought to gain a foothold at the e-retailer."

An anonymous reader shared this follow-up report from Vox: [T]hey unanimously ratified the contract, which will bring their wages from around $20 currently to $30 by September and would allow them to refuse to do deliveries they consider unsafe. But that victory is a bit complicated... They wear Amazon vests and drive Amazon-branded vehicles, have schedules dictated by Amazon, and can even be fired by Amazon. But they're technically employed by Battle Tested Strategies (BTS), one of approximately 3,000 delivery contract companies that make up Amazon's extensive delivery network. BTS voluntarily recognized the union after a majority of workers signed union authorization cards and negotiated the union contract.

Amazon has told Vox that its contract with BTS, which exclusively delivers for Amazon, was terminated "well before" workers notified the tech giant Monday, but that the contract hasn't expired yet. The union said that the delivery people are still working for Amazon and that the contract goes through October, when it typically would auto-renew. What happens next depends on Amazon, the workers, and the interpretation of outdated US labor law... At the crux of the delivery driver issue is whether Amazon controls enough of what the workers do to be considered a joint employer. "If Amazon is able to get away with ignoring the workers' decision and hiding behind the subcontractor relationships, then I'm afraid we'll have yet another story of the failure of American labor law," said Benjamin Sachs, a labor professor at Harvard Law School. "If this leads to a recognition that these drivers are Amazon employees, joint employees, then this could be massively important."

One element of note: These workers organized in California, which has a lower bar for who is considered an employee, and by extension, who enjoys union protections... Another element that the National Labor Relations Board will likely have to decide is whether Amazon terminated the contract with BTS in order to avoid working with a union, something that would be illegal if they were considered employees.

The article also notes that elsewhere, 50 YouTube contractors also voted to unionize this week.
Businesses

Lyft Demands Employees Return to Office in September (spokesman.com)

"Since the pandemic began, Lyft employees have been able to work remotely," notes the New York Times, "logging into videoconferences from their homes and dispersing across the country like many other tech workers. Last year, the company made that policy official, telling staff that work would be 'fully flexible' and subleasing floors of its offices in San Francisco and elsewhere." No longer. On Friday, David Risher, the company's new chief executive, told employees in an all-hands meeting that they would be required to come back into the office at least three days a week, starting this fall. [Although the Times adds later that "People will be allowed to work remotely for one month each year, and those living far from offices would not be required to come in."]

It was one of the first major changes he has made at the struggling ride-hailing company since starting this month, and it came just a day after he laid off 26 percent of Lyft's work force. "Things just move faster when you're face to face," Mr. Risher said in an interview. Remote work in the tech industry, he said, had come at a cost, leading to isolation and eroding culture. "There's a real feeling of satisfaction that comes from working together at a whiteboard on a problem."

The decision, combined with the layoffs and other changes, signals the beginning of a new chapter at Lyft. It could also be an indication that some tech companies — particularly firms that are struggling — may be changing their minds on flexibility about where employees work. Nudges toward working in the office could soon turn into demands, as they have at companies like Disney and Apple...

Lyft also planned to tell employees that it would reduce their stock grants this year, according to a person familiar with the decision.

Risher "said the cost savings from the layoffs would go toward lower prices for riders and higher earnings for drivers," the Times adds, noting that last month Lyft's two founders said they'd step down after disappointing financial results. (Lyft's stock price closed Friday at $10.25 — down from a peak of $78.)

Bob Sutton, a Stanford professor and organizational psychologist, suggests another possible motivation to the Times: executives worried about financial stress "feel compelled to increase their own illusion of control."
Privacy

The DOJ Detected the SolarWinds Hack 6 Months Earlier Than First Disclosed (wired.com)

An anonymous reader quotes a report from Wired: The U.S. Department of Justice, Mandiant, and Microsoft stumbled upon the SolarWinds breach six months earlier than previously reported, WIRED has learned, but were unaware of the significance of what they had found. The breach, publicly announced in December 2020, involved Russian hackers compromising the software maker SolarWinds and inserting a backdoor into software served to about 18,000 of its customers. That tainted software went on to infect at least nine US federal agencies, among them the Department of Justice (DOJ), the Department of Defense, Department of Homeland Security, and the Treasury Department, as well as top tech and security firms including Microsoft, Mandiant, Intel, Cisco, and Palo Alto Networks. The hackers had been in these various networks for between four and nine months before the campaign was exposed by Mandiant.

WIRED can now confirm that the operation was actually discovered by the DOJ six months earlier, in late May 2020 -- but the scale and significance of the breach wasn't immediately apparent. Suspicions were triggered when the department detected unusual traffic emanating from one of its servers that was running a trial version of the Orion software suite made by SolarWinds, according to sources familiar with the incident. The software, used by system administrators to manage and configure networks, was communicating externally with an unfamiliar system on the internet. The DOJ asked the security firm Mandiant to help determine whether the server had been hacked. It also engaged Microsoft, though it's not clear why the software maker was also brought onto the investigation.

It's not known what division of the DOJ experienced the breach, but representatives from the Justice Management Division and the US Trustee Program participated in discussions about the incident. The Trustee Program oversees the administration of bankruptcy cases and private trustees. The Management Division advises DOJ managers on budget and personnel management, ethics, procurement, and security. Investigators suspected the hackers had breached the DOJ server directly, possibly by exploiting a vulnerability in the Orion software. They reached out to SolarWinds to assist with the inquiry, but the company's engineers were unable to find a vulnerability in their code. In July 2020, with the mystery still unresolved, communication between investigators and SolarWinds stopped. A month later, the DOJ purchased the Orion system, suggesting that the department was satisfied that there was no further threat posed by the Orion suite, the sources say.

According to WIRED, the DOJ said it "notified the US Cybersecurity and Infrastructure Agency (CISA) about the breach at the time it occurred -- though a US National Security Agency spokesperson expressed frustration that the agency was not also notified."

"But in December 2020, when the public learned that a number of federal agencies were compromised in the SolarWinds campaign -- the DOJ among them -- neither the DOJ nor CISA revealed to the public that the operation had unknowingly been found months earlier. The DOJ initially said its chief information officer had discovered the breach on December 24."
China

Chinese Hackers Outnumber FBI Cyber Staff 50 To 1, Bureau Director Says (cnbc.com)

According to FBI Director Christopher Wray, Chinese hackers vastly outnumber U.S. cyber intelligence staff "by at least 50 to 1." CNBC reports: "To give you a sense of what we're up against, if each one of the FBI's cyber agents and intel analysts focused exclusively on the China threat, Chinese hackers would still outnumber FBI Cyber personnel by at least 50 to 1," Wray said in prepared remarks for a budget hearing before a House Appropriations subcommittee on Thursday. The disclosure highlights the massive scale of cyber threats the U.S. is facing, particularly from China. Wray said the country has "a bigger hacking program than every other major nation combined and have stolen more of our personal and corporate data than all other nations -- big or small -- combined."

The agency is requesting about $63 million to help it beef up its cyber staff with 192 new positions. Wray said this would also help the FBI put more cyber staff in field offices to be closer to where victims of cyber crimes actually are.

Microsoft

Microsoft is Done With Major Windows 10 Updates

Windows 10 22H2 will be the final version of the operating system, Microsoft said in a blog post on Thursday. From a report: Moving forward, all editions of Windows 10 will be supported with monthly security updates until October 14th, 2025, when Microsoft will end support. (Some releases on the Long-Term Servicing Channel, or LTSC, will get updates past that end of support date.) Microsoft is encouraging users to now transition to Windows 11 because Windows 10 won't be getting any new features.
The Courts

Google Gets Court Order To Take Down CryptBot That Infected Over 670,000 Computers (thehackernews.com)

An anonymous reader quotes a report from The Hacker News: Google on Wednesday said it obtained a temporary court order in the U.S. to disrupt the distribution of a Windows-based information-stealing malware called CryptBot and "decelerate" its growth. The tech giant's Mike Trinh and Pierre-Marc Bureau said the efforts are part of steps it takes to "not only hold criminal operators of malware accountable, but also those who profit from its distribution." CryptBot is estimated to have infected over 670,000 computers in 2022 with the goal of stealing sensitive data such as authentication credentials, social media account logins, and cryptocurrency wallets from users of Google Chrome. The harvested data is then exfiltrated to the threat actors, who then sell the data to other attackers for use in data breach campaigns. CryptBot was first discovered in the wild in December 2019.

The malware has been traditionally delivered via maliciously modified versions of legitimate and popular software packages such as Google Earth Pro and Google Chrome that are hosted on fake websites. [...] The major distributors of CryptBot, per Google, are suspected to be operating a "worldwide criminal enterprise" based out of Pakistan. Google said it intends to use the court order, granted by a federal judge in the Southern District of New York, to "take down current and future domains that are tied to the distribution of CryptBot," thereby kneecapping the spread of new infections.

Encryption

Google Plans To Add End-To-End Encryption To Authenticator (theverge.com)

After security researchers criticized Google for not including end-to-end encryption with Authenticator's account-syncing update, the company announced "plans to offer E2EE" in the future. "Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use," writes Google product manager Christiaan Brand on Twitter. "However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves." The Verge reports: Earlier this week, Google Authenticator finally started giving users the option to sync two-factor authentication codes with their Google accounts, making it much easier to sign into accounts on new devices. While this is a welcome change, it also poses some security concerns, as hackers who break into someone's Google account could potentially gain access to a trove of other accounts as a result. If the feature supported E2EE, hackers and other third parties, including Google, wouldn't be able to see this information.

Security researchers Mysk highlighted some of these risks in a post on Twitter, noting that "if there's ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised." They added that Google could potentially use the information linked to your accounts to serve personalized ads and also advised users not to use the syncing feature until it supports E2EE. Brand pushed back against the criticism, stating that while Google encrypts "data in transit, and at rest, across our products, including in Google Authenticator," applying E2EE comes at the "cost of enabling users to get locked out of their own data without recovery."

Microsoft

Microsoft's Mice, Keyboards, and Webcams Are Being Discontinued in Favor of Surface Accessories (theverge.com)

Microsoft will no longer manufacture mice, keyboards, and webcams that are Microsoft-branded. Instead, Microsoft is now focusing on its Surface-branded PC accessories, which include mice, keyboards, pens, and more. From a report: It brings an end to the legacy of Microsoft-branded PC hardware after the company first launched its first mouse in 1983 and bundled it with Microsoft Word and Notepad. "Going forward, we are focusing on our Windows PC accessories portfolio under the Surface brand," says Dan Laycock, senior communications manager at Microsoft, in a statement to The Verge. "We will continue to offer a range of Surface branded PC Accessories -- including mice, keyboards, pens, docks, adaptive accessories, and more. Existing Microsoft branded PC accessories like mice, keyboards, and webcams will continue to be sold in existing markets at existing sell-in prices while supplies last."