The Seattle Times reports: After losing their jobs at one of Seattle's biggest tech companies, some workers find themselves facing an unexpected question: Do you want to return to the company that just let you go?

There's a catch. Those offers, from third-party recruiters eager to place workers at the companies they just left, are for contract positions rather than staff positions. They would come with an end date, a lower salary, no benefits and no stock options.

For workers the messages range from insensitive to insulting. "We all just got the shock of our life, the last thing I need is for you to continue to ask me to go to a company that just let me go," said one former Microsoft worker who was laid off in March and asked to remain anonymous during the job hunt. Another worker who was laid off from Amazon in January and also asked to remain anonymous out of concern for future job prospects said they've heard from several recruiters looking specifically for people with Amazon experience. In one response, the former Amazonian passed this message to the recruiter: "Tell Amazon if they want an engineer, they can just not fire me later this month...."

Because companies and recruiters cast such a wide net, workers who were recently cut are still getting caught in the pool of potential candidates — whether they want to be or not... [T]ech companies often ask recruiters to find workers who have already worked at their company, particularly when hiring for a contract position that would require a worker to get up to speed quickly, said Nabeel Chowdhury, senior vice president at recruiting firm 24 Seven Talent. That's what happened with the former Amazon worker. One recruiter sent a message that began "Reaching out to see if you might be open to returning to Amazon on a contract position?"
One former Microsoft worker told the Seattle Times "I do have a sense of pride. There's no way I want to go back ... making half the amount."

Bleeping Computer warned this week about compromised web sites "that display fake Google Chrome automatic update errors that distribute malware to unaware visitors." The campaign has been underway since November 2022, and according to NTT's security analyst Rintaro Koike, it shifted up a gear after February 2023, expanding its targeting scope to cover users who speak Japanese, Korean, and Spanish. BleepingComputer has found numerous sites hacked in this malware distribution campaign, including adult sites, blogs, news sites, and online stores...

If a targeted visitor browses the site, the scripts will display a fake Google Chrome error screen stating that an automatic update that is required to continue browsing the site failed to install. "An error occurred in Chrome automatic update. Please install the update package manually later, or wait for the next automatic update," reads the fake Chrome error message. The scripts will then automatically download a ZIP file called 'release.zip' that is disguised as a Chrome update the user should install.

However, this ZIP file contains a Monero miner that will utilize the device's CPU resources to mine cryptocurrency for the threat actors. Upon launch, the malware copies itself to C:\Program Files\Google\Chrome as "updater.exe" and then launches a legitimate executable to perform process injection and run straight from memory. According to VirusTotal, the malware uses the "BYOVD" (bring your own vulnerable driver) technique to exploit a vulnerability in the legitimate WinRing0x64.sys to gain SYSTEM privileges on the device.

The miner persists by adding scheduled tasks and performing Registry modifications while excluding itself from Windows Defender. Additionally, it stops Windows Update and disrupts the communication of security products with their servers by modifying the IP addresses of the latter in the HOSTS file. This hinders updates and threat detection and may even disable an AV altogether.

"Earlier this week, Google released an emergency security update for the Chrome browser due to a vulnerability that is being actively exploited in the wild," reports Hot Hardware: On Friday, Google highlighted CVE-2023-2033, reported by Clément Lecigne of Google's own Threat Analysis Group (TAG). This vulnerability is a 'type confusion' bug in the JavaScript engine for Chromium browsers useing the V8 Javascript engine. In short, type confusion is a bug that allows memory to be accessed with the wrong type, allowing for the reading or writing of memory out of bounds. The CVE page says that an attacker could create an HTML page that allows the exploitation of heap corruption.

While there is no Common Vulnerability Scoring System (CVSS) score attached to the vulnerability yet, Google is tracking this as a "high" severity issue. This is likely due in part to the fact that "Google is aware that an exploit for CVE-2023-2033 exists in the wild."
The article notes that Chrome updates are generally done automatically, but you can also check for updates by clicking Chrome's three-dots menu in the top-right corner, then "Help" and "About Chrome."

"The Spectre vulnerability that has haunted hardware and software makers since 2018 continues to defy efforts to bury it," reports the Register: On Thursday, Eduardo (sirdarckcat) Vela Nava, from Google's product security response team, disclosed a Spectre-related flaw in version 6.2 of the Linux kernel. The bug, designated medium severity, was initially reported to cloud service providers — those most likely to be affected — on December 31, 2022, and was patched in Linux on February 27, 2023.

"The kernel failed to protect applications that attempted to protect against Spectre v2, leaving them open to attack from other processes running on the same physical core in another hyperthread," the vulnerability disclosure explains. The consequence of that attack is potential information exposure (e.g., leaked private keys) through this pernicous problem....

Spectre v2 — the variant implicated in this particular vulnerability — relies on timing side-channels to measure the misprediction rates of indirect branch prediction in order to infer the contents of protected memory. That's far from optimal in a cloud environment with shared hardware... The bug hunters who identified the issue found that Linux userspace processes to defend against Spectre v2 didn't work on VMs of "at least one major cloud provider."

Silicon Valley had $74.9 billion in venture-capital investments just in 2022, reports the Washington Post (citing data from PitchBook). With 3,206 deals, "that's about $45.36 billion and 1,058 deals more than New York, the second highest region for VC fundraising." And in addition, the Silicon Valley region "was also the home of 86% of start-ups, up from 53% last year, funded by famed start-up accelerator Y Combinator."

And yet Silicon Valley's share of U.S. venture capital investments last year was its lowest since 2012, "as lenient remote work policies and a spate of layoffs have fueled the departures of workers and cleared the way for rising investment in other tech hubs across the United States, notably Austin and Miami.... [N]early 250,000 people left the Silicon Valley region during the pandemic, according to census data from April 1, 2020, to July 1, 2022." Funding for companies in Miami has nearly quadrupled in the past three years, totaling $5.39 billion in 2022, while deal volume jumped 81 percent. Austin venture capital investments rose 77 percent to $4.95 billion with the number of deals jumping 23 percent. New York, Seattle, Philadelphia, Chicago, Denver and Houston also saw relatively large increases in investment and deals, data shows....

"There's no doubt that [Silicon Valley's] sort of exemplary, center-of-the-universe status has really absorbed some blows," said Mark Muro, senior fellow at Brookings Institution. Miami and Austin both benefited from fewer restrictions during the coronavirus pandemic. Early on, cryptocurrency and Web3 — a broad term for the next generation of the internet that would give people more control and ownership — were major drivers of Miami's growth. Seattle benefited from having Amazon and Microsoft in its backyard, attracting more enterprise technology and also biotech, said Kyle Stanford, lead venture capital analyst at PitchBook. "A redistribution [of funding] has definitely started. The pandemic, the fleeing of start-ups and remote work helped catalyze growth in those smaller markets," he said.

Brianne Kimmel, founder of investment firm Worklife Ventures, has noticed a change in identity for the Silicon Valley region as many tech workers have moved out of San Francisco to other places like Austin or Seattle. "That's really created room for young, very technical, traditional hacker types to come to San Francisco," she said. "It's giving the city a personality it may have lost in years prior."
The Post got this assessment from a VC company partner focused on investing in AI and software infrastructure. "Five years ago, 90 percent of companies would've been founded in San Francisco. Now it might be more like 70 percent, with others starting in places like Seattle and New York."

CIO magazine reports on "a growing number of managers and executives dropping degree requirements from job descriptions." Figures from the 2022 study The Emerging Degree Reset from The Burning Glass Institute quantify the trend, reporting that 46% of middle-skill and 31% of high-skill occupations experienced material degree resets between 2017 and 2019. Moreover, researchers calculated that 63% of those changes appear to be "'structural resets' representing a measured and potentially permanent shift in hiring practices" that could make an additional 1.4 million jobs open to workers without college degrees over the next five years.

Despite such statistics and testimony from Taylor and other IT leaders, the debate around whether a college education is needed in IT isn't settled. Some say there's no need for degrees; others say degrees are still preferred or required.... IBM is among the companies whose leaders have moved away from degree requirements; Big Blue is also one of the earliest, largest, and most prominent proponents of the move, introducing the term "new collar jobs" for the growing number of positions that require specific skills but not a bachelor's degree....

Not all are convinced that dropping degree requirements is the way to go, however. Jane Zhu, CIO and senior vice president at Veritas Technologies, says she sees value in degrees, value that isn't always replicated through other channels. "Though we don't necessarily require degrees for all IT roles here at Veritas, I believe that they do help candidates demonstrate a level of formal education and commitment to the field and provide a foundation in fundamental concepts and theories of IT-related fields that may not be easily gained through self-study or on-the-job training," she says. "Through college education, candidates have usually acquired basic technical knowledge, problem-solving skills, the ability to collaborate with others, and ownership and accountability. They also often gain an understanding of the business and social impacts of their actions."
The article notes an evolving trend of "more openness to skills-based hiring for many technical roles but a desire for a bachelor's degree for certain positions, including leadership." (Kelli Jordan, vice president of IBMer Growth and Development tells CIO that more than half of the job openings posted by IBM no longer require degrees.)

Thanks to Slashdot reader snydeq for sharing the article.

Several government cybersecurity agencies united to urge secure-by-design and secure-by-default software. Releasing "joint guidance" for software manufactuers were two U.S. security agencies — the FBI and the NSA — joined with the U.S. Cybersecurity and Infrastructure Security Agency and the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, Netherlands, and New Zealand. "To create a future where technology and associated products are safe for customers," they wrote in a joint statement, "the authoring agencies urge manufacturers to revamp their design and development programs to permit only secure-by-design and -default products to be shipped to customers."

The Washington Post reports: Software manufacturers should put an end to default passwords, write in safer programming languages and establish vulnerability disclosure programs for reporting flaws, a collection of U.S. and international government agencies said in new guidelines Thursday. [The guidelines also urge rigorous code reviews.]

The "principles and approaches" document, which isn't mandatory but lays out the agencies' views on securing software, is the first major step by the Biden administration as part of its push to make software products secure as part of the design process, and to make their default settings secure as well. It's part of a potentially contentious multiyear effort that aims to shift the way software makers secure their products. It was a key feature of the administration's national cybersecurity strategy, which was released last month and emphasized shifting the burden of security from consumers — who have to manage frequent software updates — to the companies that make often insecure products... The administration has also raised the prospect of legislation on secure-by-design and secure-by-default, but officials have said it could be years away....

The [international affairs think tank] Atlantic Council's Cyber Statecraft Initiative has praised the Biden administration's desire to address economic incentives for insecurity. Right now, the costs of cyberattacks fall on users more than they do tech providers, according to many policymakers. "They're on a righteous mission," Trey Herr, director of the Atlantic Council initiative, told me. If today's guidelines are the beginning of the discussion on secure-by-design and secure-by-default, Herr said, "this is a really strong start, and an important one."

"It really takes aim at security features as a profit center," which for some companies has led to a lot of financial growth, Herr said. "I do think that's going to rub people the wrong way and quick, but that's good. That's a good fight."
In the statement CISA's director says consumers also have a role to play in this transition. "As software now powers the critical systems and services we collectively rely upon every day, consumers must demand that manufacturers prioritize product safety above all else."

Among other things, the new guidelines say that manufacturers "are encouraged make hard tradeoffs and investments, including those that will be 'invisible' to the customers, such as migrating to programming languages that eliminate widespread vulnerabilities."

An anonymous reader shares a report from KrebsOnSecurity: KrebsOnSecurity received a nice bump in traffic this week thanks to tweets from the Federal Bureau of Investigation (FBI) and the Federal Communications Commission (FCC) about "juice jacking," a term first coined here in 2011 to describe a potential threat of data theft when one plugs their mobile device into a public charging kiosk. It remains unclear what may have prompted the alerts, but the good news is that there are some fairly basic things you can do to avoid having to worry about juice jacking.

The term juice jacking crept into the collective paranoia of gadget geeks in the summer of 2011, thanks to the headline for a story here about researchers at the DEFCON hacker convention in Vegas who'd set up a mobile charging station designed to educate the unwary to the reality that many mobile devices were set up to connect to a computer and immediately sync data by default. Since then, Apple, Google and other mobile device makers have changed the way their hardware and software works so that their devices no longer automatically sync data when one plugs them into a computer with a USB charging cable. Instead, users are presented with a prompt asking if they wish to trust a connected computer before any data transfer can take place. On the other hand, the technology needed to conduct a sneaky juice jacking attack has become far more miniaturized, accessible and cheap. And there are now several products anyone can buy that are custom-built to enable juice jacking attacks. [...]

How seriously should we take the recent FBI warning? An investigation by the myth-busting site Snopes suggests the FBI tweet was just a public service announcement based on a dated advisory. Snopes reached out to both the FBI and the FCC to request data about how widespread the threat of juice jacking is in 2023. "The FBI replied that its tweet was a 'standard PSA-type post' that stemmed from the FCC warning," Snopes reported. "An FCC spokesperson told Snopes that the commission wanted to make sure that their advisory on "juice-jacking," first issued in 2019 and later updated in 2021, was up-to-date so as to ensure 'the consumers have the most up-to-date information.' The official, who requested anonymity, added that they had not seen any rise in instances of consumer complaints about juice-jacking." The best way to protect yourself from juice jacking is by using your own gear to charge and transfer data from your device(s) to another.

"Juice jacking isn't possible if a device is charged via a trusted AC adapter, battery backup device, or through a USB cable with only power wires and no data wires present," says security researcher Brian Krebs. "If you lack these things in a bind and still need to use a public charging kiosk or random computer, at least power your device off before plugging it in."

The "right to repair" movement has made considerable inroads over the past five years, partially due to support from the Biden FTC. State-level legislation aimed at dismantling repair monopolies has made progress, despite industry lobbying efforts to weaken the proposals (e.g., Kathy Hochul in New York State). Federal legislation, however, faces challenges in a troubled Congress. In response, a bipartisan group of 28 state attorneys general has penned a letter to key congressional committee leaders, urging them to advance stalled right to repair bills. From the letter: "The Right-to-Repair is a bipartisan issue that impacts every consumer, household, and farm in a time of increasing inflation. It is about ensuring that consumers have choices as to who, where, when and at what cost their vehicles can be repaired. It is about ensuring that farmers can repair their tractors for a reasonable price and quickly enough to harvest their crops."

The stock market, real estate and cryptocurrencies did poorly in 2022, but the global luxury goods market grew 20 percent. People may have had less, but they spent more on fine arts and collectibles that serve no function except to provide pleasure. From a report: The culture is bursting with new material -- every day, thousands of new books are published and 100,000 new songs are released on Spotify -- but the old stuff offers a sweeter emotional payoff for many. It could be tapes or posters or pictures or comics or coins or sports cards or memorabilia. It might be from their childhood or the childhood they never had, or it might merely express a longing to be anywhere but 2023. The common element is this: People like to own a thing from a thing they love. For Mr. Carlson and millions like him, the nostalgia factory is working overtime.

When Mr. Carlson first began to look for sealed VHS cassettes, they were considered so much plastic trash. "Back to the Future," "The Goonies," "Blade Runner," were about $20 each on eBay. He put them on a shelf, little windows into his past, and started an Instagram account called Rare and Sealed. Then tapes began to get scarcer and much more expensive. People trapped at home had lots of money to spend during the pandemic. But it was more than that. Objects with a bit of history have an obvious attraction in a high-tech world. The current cultural tumult, with its boom in fake images, endless arguments over everything and now the debut of imperious A.I. chatbots, increases the appeal of things that can't be plugged in. At the same time, advances in technology mean it is ever easier to buy expensive things online. Bids at auctions routinely reach tens, even hundreds, of thousands of dollars.

An anonymous reader quotes a report from TechCrunch: The hackers who breached data storage giant Western Digital claim to have stolen around 10 terabytes of data from the company, including reams of customer information. The extortionists are pushing the company to negotiate a ransom -- of "minimum 8 figures" -- in exchange for not publishing the stolen data. On April 3, Western Digital disclosed "a network security incident" saying hackers had exfiltrated data after hacking into "a number of the Company's systems." At the time, Western Digital provided few details about exactly what data the hackers stole, saying in a statement that the hackers "obtained certain data from its systems and [Western Digital] is working to understand the nature and scope of that data."

One of the hackers spoke with TechCrunch and provided more details, with the goal of verifying their claims. The hacker shared a file that was digitally signed with Western Digital's code-signing certificate, showing they could now digitally sign files to impersonate Western Digital. Two security researchers also looked at the file and agreed it is signed with the company's certificate. The hackers also shared phone numbers allegedly belonging to several company executives. TechCrunch called the numbers. Most of the calls rang but went to automated voicemail messages. Two of the phone numbers had voicemail greetings that mentioned the names of the executives that the hackers claimed were associated with the numbers. The two phone numbers are not public.

Screenshots shared by the hacker show a folder from a Box account apparently belonging to Western Digital, an internal email, files stored in a PrivateArk instance (a cybersecurity product), and a screenshot of a group call where one of the participants is identified as Western Digital's chief information security officer. They also said they were able to steal data from the company's SAP Backoffice, a backend interface that helps companies manage e-commerce data. The hacker said that their goal when they hacked Western Digital was to make money, though they decided against using ransomware to encrypt the company's files. [...] If Western Digital doesn't get back to them, the hacker said, they are ready to start publishing the stolen data on the website of the ransomware gang Alphv. The hacker said they are not directly affiliated with Alphv but "I know them to be professional." Western Digital said they're declining to comment or answer questions about the hacker's claims.

Instant messaging platform Discord says it was cooperating with U.S. law enforcement's investigation into a leak of secret U.S. documents that has grabbed attention around the world. From a report: The statement comes as questions continue to swirl over who leaked the documents, whether they are genuine and whether the intelligence assessments in them are reliable. The documents, which carry markings suggesting that they are highly classified, have led to a string of stories about the war in Ukraine, protests in Israel and how the U.S. surveils friend and foe alike. The source of the documents is not publicly known, but reporting by the open-source investigative site Bellingcat has traced their earliest appearance to Discord, a communications platform popular with gamers. Discord's statement suggested it was already in touch with investigators. The White House also urged social media companies on Thursday to prevent the circulation of information that could hurt national security.

The Ethereum blockchain, the most important commercial highway in the digital-asset sector, successfully implemented a widely anticipated software upgrade. From a report: The so-called Shanghai update enables investors to queue up to withdraw Ether coins that they had pledged to help operate the network in return for rewards, a process called staking. Tim Beiko, who helps to co-ordinate the development of Ethereum, posted on Twitter on Wednesday that the upgrade is now "official." The network revamp -- also known as Shapella -- is designed to let people exit an Ether staking investment and has stirred debate on whether the appeal of the largest token after Bitcoin will increase over time.

"Ethereum is updating and navigating with great skill -- so far anyway -- and cementing its position as the No. 2 crypto," said Aaron Brown, a crypto investor who writes for Bloomberg Opinion. He added that the network is "moving to the future much faster than Bitcoin." About 1.2 million of Ether tokens -- worth approximately $2.3 billion at current prices -- are expected to be withdrawn over the next five days, according to researcher Coin Metrics. Some $36.7 billion of Ether is locked up for staking, data from Staking Rewards shows.

Hyper-volumetric DDoS (distributed denial of service) attacks in the first quarter of 2023 have shifted from relying on compromised IoT devices to leveraging breached Virtual Private Servers (VPS). BleepingComputer reports: According to internet security company Cloudflare, the newer generation of botnets gradually abandoned the tactic of building large swarms of individually weak IoT devices and are now shifting towards enslaving vulnerable and misconfigured VPS servers using leaked API credentials or known exploits. This approach helps the threat actors build high-performance botnets easier and often quicker, which can be up to 5,000 times stronger than IoT-based botnets.

"The new generation of botnets uses a fraction of the amount of devices, but each device is substantially stronger," explains Cloudflare in the report. "Cloud computing providers offer virtual private servers to allow start ups and businesses to create performant applications. The downside is that it also allows attackers to create high-performance botnets that can be as much as 5,000x stronger." Cloudflare has been working with key cloud computing providers and partners to crack down on these emerging VPS-based threats and says it has succeeded in taking down substantial portions of these novel botnets.

An anonymous reader shares a report: About a year ago, Google announced its Assured Open Source Software (Assured OSS) service, a service that helps developers defend against supply chain security attacks by regularly scanning and analyzing some of the world's most popular software libraries for vulnerabilities. Today, Google is launching Assured OSS into general availability with support for well over a thousand Java and Python packages -- and while Google didn't initially disclose pricing when it first announced the service, the company has now revealed that it will be available for free.

Software development has long depended on third-party libraries (which are often maintained by only a single developer), but it wasn't until the industry got hit with a number of high-profile exploits that everyone (including the White House) perked up and started taking software supply chain security seriously. Now, you can't attend an open source conference without hearing about Software Bills of Materials (SBOMs), artifact registries and similar topics. It's no surprise then that Google, which has long been at the forefront of releasing open-source products, launched a service like Assured OSS.

Google promises that it will constantly keep these libraries up to date (without creating forks) and continuously scan for known vulnerabilities, do fuzz tests to discover new ones and then fix these issues and contribute these fixes back upstream. The company notes that when it first launched the service with around 250 Java libraries, it was responsible for discovering 48% of the new CVEs for these libraries and subsequently addressing them.

An anonymous reader quotes a report from Reuters: Ukrainian hackers claim to have broken into the emails of a senior Russian military spy wanted by the Federal Bureau of Investigation for hacking the Hillary Clinton campaign and other senior U.S. Democrats ahead of Donald Trump's election to the presidency in 2016. In a message posted to Telegram on Monday, a group calling itself Cyber Resistance said it had stolen correspondence from Lt. Col. Sergey Morgachev, who was charged in 2018 with helping organize the hack and leak of emails from the Democratic National Committee (DNC) and the Clinton campaign.

InformNapalm said in an article about the breach that it had confirmed Morgachev's identity by poring through personnel files and a curriculum vitae stolen by the hackers, including one document that identified him as a department head in Unit 26165 -- the same position which the FBI accused him of holding in 2018. [...] It wasn't immediately clear what information the hackers had managed to steal or how significant it was. Morgachev's inbox could potentially hold insight into Russia's hacking operations, including the operation against Clinton and the Democrats.

In its indictment, the FBI described him as an officer in the Russia's military spy agency, still known by its old acronym, GRU. It said his department was "dedicated to developing and managing malware," including the "X-Agent" spy software used to hack the DNC. In its message announcing the theft, the group said of Morgachev: "A very cool and clever hacker, but ... We hacked him."

An anonymous reader quotes a report from Motherboard: Over the past month, classified Pentagon documents have circulated on 4chan, Telegram, and various Discord servers. The documents contain daily intelligence briefings, sensitive information about Ukrainian military positions, and a handwritten character sheet for a table-top roleplaying game. No one knows who leaked the Pentagon documents or how. They appeared online as photographs of printed pages, implying someone printed them out and removed them from a secure location, similar to how NSA translator Reality Winner leaked documents. The earliest documents Motherboard has seen are dated February 23, though the New York Times and Bellingcat reported that some are dated as early as January. According to Bellingcat, the earliest known instances of the leaks appearing online can be traced back to a Discord server.

At some point, a Discord user uploaded a zip file of 32 images from the leak onto a Minecraft Discord server. Included in this pack alongside highly sensitive, Top Secret and other classified documents about the Pentagon's strategy and assessment of the war in Ukraine, was a handwritten piece of paper that appeared to be a character sheet for a roleplaying game. It's written on a standard piece of notebook paper, three holes punched out on the side, blue lines crisscrossing the page. The character's name is Doctor "Izmer Trotzky," his character class is "Professor Scientist." They've got a strength of 5, a charisma of 4, and 19 rubles to their name. Doctor Trotzky has 10 points in first aid and occult skills, and 24 in spot hidden. He's carrying a magnifying glass, a fountain pen, a sword cane, and a deringer. [...]

But what game is it from? Motherboard reached out to game designer Jacqueline Bryk to find out. Bryk is an award-winning designer of roleplaying games who has worked on Kult: Divinity Lost, Changeling: the Lost, Fading Suns: Pax Alexius, and Vampire: the Masquerade. "I strongly suspect this is Call Of Cthulhu," Bryk said when first looking at the sheet. Call of Cthulhu (COC) is an RPG based on the work of H.P. Lovecraft where players attempt to stave off madness while investigating eldritch horrors. "This is a pretty classic Professor build. The sword cane really clinches it for me. I notice he's currently carrying a derringer and a dagger but took no points in firearms or fighting. I'm not sure which edition this is but it seems like the most he could do with his weapons is throw them." "After some research, Bryk concluded that the game is a homebrewed combination of COC and the Fallout tabletop game based on the popular video game franchise," adds Motherboard. "My best guest here is Fallout: Cthulhu the Homebrew," Bryk said, giving the home designed game a name.

An anonymous reader shares a report: Firefox has a reputation of being something of a resource hog, even among modern browsers. But it might not be entirely earned, because it looks like a CPU bug affecting Firefox users on Windows was actually the fault of Windows Defender. The latest update to the ubiquitous security tool addresses the issue, and should result in measurably lower CPU usage for the Windows version of Firefox. According to Mozilla senior software engineer Yannis Juglaret, the culprit was MsMpEng.exe, which you might recognize from your Task Manager. It handles the Real-Time protection feature that monitors web activity for malicious threats.

The bug was causing Firefox to call on the service much more frequently than comparable browsers like Chrome or Edge, resulting in notable CPU spikes. Said CPU spikes could reduce performance in other applications or affect a laptop's battery life. The issue was first reported on Mozilla's bug tracker system way back in 2018 and quickly assigned to the MsMpEng service, but some more recent and diligent documentation on the part of Juglaret resulted in more swift action from Microsoft's developers.

An anonymous reader shares a report:Weather apps are not all the same. There are tens of thousands of them, from the simply designed Apple Weather to the expensive, complex, data-rich Windy.App. But all of these forecasts are working off of similar data, which are pulled from places such as the National Oceanic and Atmospheric Administration (NOAA) and the European Centre for Medium-Range Weather Forecasts. Traditional meteorologists interpret these models based on their training as well as their gut instinct and past regional weather patterns, and different weather apps and services tend to use their own secret sauce of algorithms to divine their predictions. On an average day, you're probably going to see a similar forecast from app to app and on television. But when it comes to how people feel about weather apps, these edge cases -- which usually take place during severe weather events -- are what stick in a person's mind. "Eighty percent of the year, a weather app is going to work fine," Matt Lanza, a forecaster who runs Houston's Space City Weather, told me. "But it's that 20 percent where people get burned that's a problem."

No people on the planet have a more tortured and conflicted relationship with weather apps than those who interpret forecasting models for a living. "My wife is married to a meteorologist, and she will straight up question me if her favorite weather app says something different than my forecast," Lanza told me. "That's how ingrained these services have become in most peoples' lives." The basic issue with weather apps, he argues, is that many of them remove a crucial component of a good, reliable forecast: a human interpreter who can relay caveats about models or offer a range of outcomes instead of a definitive forecast. [...] What people seem to be looking for in a weather app is something they can justify blindly trusting and letting into their lives -- after all, it's often the first thing you check when you roll over in bed in the morning. According to the 56,400 ratings of Carrot in Apple's App Store, its die-hard fans find the app entertaining and even endearing. "Love my psychotic, yet surprisingly accurate weather app," one five-star review reads. Although many people need reliable forecasting, true loyalty comes from a weather app that makes people feel good when they open it.

Hackers using spyware made by a little known cyber mercenary company used malicious calendar invites to hack the iPhones of journalists, political opposition figures, and an NGO worker, according to two reports. From a report: Researchers at Microsoft and the digital rights group Citizen Lab analyzed samples of malware they say was created by QuaDream, an Israeli spyware maker that has been reported to develop zero-click exploits -- meaning hacking tools that don't require the target to click on malicious links -- for iPhones. QuaDream has been able to mostly fly under the radar until recently. In 2021, Israeli newspaper Haaretz reported that QuaDream sold its wares to Saudi Arabia. The next year, Reuters reported that QuaDream sold an exploit to hack iPhones that was similar to one provided by NSO Group, and that the company doesn't operate the spyware, its government customers do -- a common practice in the surveillance tech industry.

QuaDream's customers operated servers from several countries around the world: Bulgaria, Czech Republic, Hungary, Romania, Ghana, Israel, Mexico, Singapore, United Arab Emirates (UAE), and Uzbekistan, according to internet scans done by Citizen Lab. Both Citizen Lab and Microsoft published groundbreaking new technical reports on QuaDream's alleged spyware on Tuesday. Microsoft said it found the original malware samples, and then shared them with Citizen Lab's researchers, who were able to identify more than five victims -- an NGO worker, politicians, and journalists -- whose iPhones were hacked. The exploit used to hack those targets was developed for iOS 14, and at the time was unpatched and unknown to Apple, making it a so-called zero-day. The government hackers who were equipped with QuaDream's exploit used malicious calendar invites with dates in the past to deliver the malware, according to Citizen Lab.