Apple promised faster turnaround times for security patches with iOS 16 and macOS Ventura, and it's now delivering on that claim. From a report: The company has released its first Rapid Security Response updates for devices running iOS 16.4.1, iPadOS 16.4.1 and macOS 13.3.1. They're available through Software Update as usual, but are small downloads that don't require much time to install. MacRumors says the fix is deploying over the course of 48 hours, so don't be surprised if you have to wait a short while.

The Washington Post's "Tech Friend" newsletter suggests some "tech fears you can stop worrying about." And it starts by reasuring readers, "You're fine using the WiFi in a coffee shop, hotel or airport. "Yes, it is safe," said Chester Wisniewski, a digital security specialist with the firm Sophos. Five or 10 years ago, it wasn't secure to use the shared WiFi in a coffee shop or another place outside your home. But now, most websites and apps scramble whatever you do online. That makes it tough for crooks to snoop on you when you're connected to public WiFi. It's not impossible, but criminals have easier targets.

Even Wisniewski, whose job involves sensitive information, said he connected to the WiFi at the airport and hotel on a recent business trip. He plans to use the WiFi at a conference in Las Vegas attended by the world's best computer hackers. Wisniewski generally does not use an extra layer of security called a VPN, although your company might require it. He avoids using WiFi in China.

You should be wary of public WiFi if you know you're a target of government surveillance or other snooping. But you are probably not Edward Snowden or Brad Pitt... For nearly all of us and nearly all of the time, you can use public WiFi without stress.
The newsletter also suggests we stop worrying about public phone chargers. ("Security experts told me that 'juice jacking' is extremely unlikely... Don't worry about the phone chargers unless you know you're being targeted by criminals or spies.")

Beyond that, "Focus your energy on digital security measures that really matter" — things like using strong and unique passwords for online accounts. ("This is a pain. Do it anyway.") And it calls two-factor authentication possibly the single best thing you can do to protect yourself online.

Phoronix reports: With the financial backing of Amazon Web Services, sudo and su are being rewritten in the Rust programming language in order to increase the memory safety for the widely relied upon software... to further enhance Linux/open-source security.
"[B]ecause it's written in C, sudo has experienced many vulnerabilities related to memory safety issues," according to a blog post announcing the project: It's important that we secure our most critical software, particularly from memory safety vulnerabilities. It's hard to imagine software that's much more critical than sudo and su.

This work is being done by a joint team from Ferrous Systems and Tweede Golf with generous support from Amazon Web Services. The work plan is viewable here. The GitHub repository is here.

CNBC reports that 84 Amazon delivery drivers at a California facility "joined the International Brotherhood of Teamsters, the union said Monday, in a win for labor organizers that have long sought to gain a foothold at the e-retailer."

An anonymous reader shared this follow-up report from Vox: [T]hey unanimously ratified the contract, which will bring their wages from around $20 currently to $30 by September and would allow them to refuse to do deliveries they consider unsafe. But that victory is a bit complicated... They wear Amazon vests and drive Amazon-branded vehicles, have schedules dictated by Amazon, and can even be fired by Amazon. But they're technically employed by Battle Tested Strategies (BTS), one of approximately 3,000 delivery contract companies that make up Amazon's extensive delivery network. BTS voluntarily recognized the union after a majority of workers signed union authorization cards and negotiated the union contract.

Amazon has told Vox that its contract with BTS, which exclusively delivers for Amazon, was terminated "well before" workers notified the tech giant Monday, but that the contract hasn't expired yet. The union said that the delivery people are still working for Amazon and that the contract goes through October, when it typically would auto-renew. What happens next depends on Amazon, the workers, and the interpretation of outdated US labor law... At the crux of the delivery driver issue is whether Amazon controls enough of what the workers do to be considered a joint employer. "If Amazon is able to get away with ignoring the workers' decision and hiding behind the subcontractor relationships, then I'm afraid we'll have yet another story of the failure of American labor law," said Benjamin Sachs, a labor professor at Harvard Law School. "If this leads to a recognition that these drivers are Amazon employees, joint employees, then this could be massively important."

One element of note: These workers organized in California, which has a lower bar for who is considered an employee, and by extension, who enjoys union protections... Another element that the National Labor Relations Board will likely have to decide is whether Amazon terminated the contract with BTS in order to avoid working with a union, something that would be illegal if they were considered employees.
The article also notes that elsewhere, 50 YouTube contractors also voted to unionize this week.

"Since the pandemic began, Lyft employees have been able to work remotely," notes the New York Times, "logging into videoconferences from their homes and dispersing across the country like many other tech workers. Last year, the company made that policy official, telling staff that work would be 'fully flexible' and subleasing floors of its offices in San Francisco and elsewhere." No longer. On Friday, David Risher, the company's new chief executive, told employees in an all-hands meeting that they would be required to come back into the office at least three days a week, starting this fall. [Although the Times adds later that "People will be allowed to work remotely for one month each year, and those living far from offices would not be required to come in."]

It was one of the first major changes he has made at the struggling ride-hailing company since starting this month, and it came just a day after he laid off 26 percent of Lyft's work force. "Things just move faster when you're face to face," Mr. Risher said in an interview. Remote work in the tech industry, he said, had come at a cost, leading to isolation and eroding culture. "There's a real feeling of satisfaction that comes from working together at a whiteboard on a problem."

The decision, combined with the layoffs and other changes, signals the beginning of a new chapter at Lyft. It could also be an indication that some tech companies — particularly firms that are struggling — may be changing their minds on flexibility about where employees work. Nudges toward working in the office could soon turn into demands, as they have at companies like Disney and Apple...

Lyft also planned to tell employees that it would reduce their stock grants this year, according to a person familiar with the decision.
Risher "said the cost savings from the layoffs would go toward lower prices for riders and higher earnings for drivers," the Times adds, noting that last month Lyft's two founders said they'd step down after disappointing financial results. (Lyft's stock price closed Friday at $10.25 — down from a peak of $78.)

Bob Sutton, a Stanford professor and organizational psychologist, suggests another possible motivation to the Times: executives worried about financial stress "feel compelled to increase their own illusion of control."

An anonymous reader quotes a report from Wired: The U.S. Department of Justice, Mandiant, and Microsoft stumbled upon the SolarWinds breach six months earlier than previously reported, WIRED has learned, but were unaware of the significance of what they had found. The breach, publicly announced in December 2020, involved Russian hackers compromising the software maker SolarWinds and inserting a backdoor into software served to about 18,000 of its customers. That tainted software went on to infect at least nine US federal agencies, among them the Department of Justice (DOJ), the Department of Defense, Department of Homeland Security, and the Treasury Department, as well as top tech and security firms including Microsoft, Mandiant, Intel, Cisco, and Palo Alto Networks. The hackers had been in these various networks for between four and nine months before the campaign was exposed by Mandiant.

WIRED can now confirm that the operation was actually discovered by the DOJ six months earlier, in late May 2020 -- but the scale and significance of the breach wasn't immediately apparent. Suspicions were triggered when the department detected unusual traffic emanating from one of its servers that was running a trial version of the Orion software suite made by SolarWinds, according to sources familiar with the incident. The software, used by system administrators to manage and configure networks, was communicating externally with an unfamiliar system on the internet. The DOJ asked the security firm Mandiant to help determine whether the server had been hacked. It also engaged Microsoft, though it's not clear why the software maker was also brought onto the investigation.

It's not known what division of the DOJ experienced the breach, but representatives from the Justice Management Division and the US Trustee Program participated in discussions about the incident. The Trustee Program oversees the administration of bankruptcy cases and private trustees. The Management Division advises DOJ managers on budget and personnel management, ethics, procurement, and security. Investigators suspected the hackers had breached the DOJ server directly, possibly by exploiting a vulnerability in the Orion software. They reached out to SolarWinds to assist with the inquiry, but the company's engineers were unable to find a vulnerability in their code. In July 2020, with the mystery still unresolved, communication between investigators and SolarWinds stopped. A month later, the DOJ purchased the Orion system, suggesting that the department was satisfied that there was no further threat posed by the Orion suite, the sources say. According to WIRED, the DOJ said it "notified the US Cybersecurity and Infrastructure Agency (CISA) about the breach at the time it occurred -- though a US National Security Agency spokesperson expressed frustration that the agency was not also notified."

"But in December 2020, when the public learned that a number of federal agencies were compromised in the SolarWinds campaign -- the DOJ among them -- neither the DOJ nor CISA revealed to the public that the operation had unknowingly been found months earlier. The DOJ initially said its chief information officer had discovered the breach on December 24."

According to FBI Director Christopher Wray, Chinese hackers vastly outnumber U.S. cyber intelligence staff "by at least 50 to 1." CNBC reports: "To give you a sense of what we're up against, if each one of the FBI's cyber agents and intel analysts focused exclusively on the China threat, Chinese hackers would still outnumber FBI Cyber personnel by at least 50 to 1," Wray said in prepared remarks for a budget hearing before a House Appropriations subcommittee on Thursday. The disclosure highlights the massive scale of cyber threats the U.S. is facing, particularly from China. Wray said the country has "a bigger hacking program than every other major nation combined and have stolen more of our personal and corporate data than all other nations -- big or small -- combined."

The agency is requesting about $63 million to help it beef up its cyber staff with 192 new positions. Wray said this would also help the FBI put more cyber staff in field offices to be closer to where victims of cyber crimes actually are.

Windows 10 22H2 will be the final version of the operating system, Microsoft said in a blog post on Thursday. From a report: Moving forward, all editions of Windows 10 will be supported with monthly security updates until October 14th, 2025, when Microsoft will end support. (Some releases on the Long-Term Servicing Channel, or LTSC, will get updates past that end of support date.) Microsoft is encouraging users to now transition to Windows 11 because Windows 10 won't be getting any new features.

An anonymous reader quotes a report from The Hacker News: Google on Wednesday said it obtained a temporary court order in the U.S. to disrupt the distribution of a Windows-based information-stealing malware called CryptBot and "decelerate" its growth. The tech giant's Mike Trinh and Pierre-Marc Bureau said the efforts are part of steps it takes to "not only hold criminal operators of malware accountable, but also those who profit from its distribution." CryptBot is estimated to have infected over 670,000 computers in 2022 with the goal of stealing sensitive data such as authentication credentials, social media account logins, and cryptocurrency wallets from users of Google Chrome. The harvested data is then exfiltrated to the threat actors, who then sell the data to other attackers for use in data breach campaigns. CryptBot was first discovered in the wild in December 2019.

The malware has been traditionally delivered via maliciously modified versions of legitimate and popular software packages such as Google Earth Pro and Google Chrome that are hosted on fake websites. [...] The major distributors of CryptBot, per Google, are suspected to be operating a "worldwide criminal enterprise" based out of Pakistan. Google said it intends to use the court order, granted by a federal judge in the Southern District of New York, to "take down current and future domains that are tied to the distribution of CryptBot," thereby kneecapping the spread of new infections.

After security researchers criticized Google for not including end-to-end encryption with Authenticator's account-syncing update, the company announced "plans to offer E2EE" in the future. "Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use," writes Google product manager Christiaan Brand on Twitter. "However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves." The Verge reports: Earlier this week, Google Authenticator finally started giving users the option to sync two-factor authentication codes with their Google accounts, making it much easier to sign into accounts on new devices. While this is a welcome change, it also poses some security concerns, as hackers who break into someone's Google account could potentially gain access to a trove of other accounts as a result. If the feature supported E2EE, hackers and other third parties, including Google, wouldn't be able to see this information.

Security researchers Mysk highlighted some of these risks in a post on Twitter, noting that "if there's ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised." They added that Google could potentially use the information linked to your accounts to serve personalized ads and also advised users not to use the syncing feature until it supports E2EE. Brand pushed back against the criticism, stating that while Google encrypts "data in transit, and at rest, across our products, including in Google Authenticator," applying E2EE comes at the "cost of enabling users to get locked out of their own data without recovery."

Microsoft will no longer manufacture mice, keyboards, and webcams that are Microsoft-branded. Instead, Microsoft is now focusing on its Surface-branded PC accessories, which include mice, keyboards, pens, and more. From a report: It brings an end to the legacy of Microsoft-branded PC hardware after the company first launched its first mouse in 1983 and bundled it with Microsoft Word and Notepad. "Going forward, we are focusing on our Windows PC accessories portfolio under the Surface brand," says Dan Laycock, senior communications manager at Microsoft, in a statement to The Verge. "We will continue to offer a range of Surface branded PC Accessories -- including mice, keyboards, pens, docks, adaptive accessories, and more. Existing Microsoft branded PC accessories like mice, keyboards, and webcams will continue to be sold in existing markets at existing sell-in prices while supplies last."

Brave browser: Every Web search result seen in Brave Search is now served by our own index. We've removed all search API calls to Bing, which previously represented about 7% of query results.

Google Authenticator just got an update that should make it more useful for people who frequently use the service to sign in to apps and websites. From a report: As of today, Google Authenticator will now sync any one-time two-factor authentication (2FA) codes that it generates to users' Google Accounts. Previously, one-time Authenticator codes were stored locally, on a single device, meaning losing that device often meant losing the ability to sign in to any service set up with Authenticator's 2FA. To take advantage of the new sync feature, simply update the Authenticator app. If you're signed in to a Google Account within Google Authenticator, your codes will automatically be backed up and restored on any new device you use. You can also manually transfer your codes to another device even if you're not signed in to a Google Account by following the steps on this support page.

Some users might be wary of syncing their sensitive codes with Google's cloud -- even if they did originate from a Google product. But Christiaan Brand, a group product manager at Google, asserts it's in the pursuit of convenience without sacrificing security. "We released Google Authenticator in 2010 as a free and easy way for sites to add 'something you have' 2FA that bolsters user security when signing in," Brand wrote in the blog post announcing today's change. "With this update we're rolling out a solution to this problem, making one time codes more durable by storing them safely in users' Google Account."

Microsoft will stop forcing customers of its popular Office software to also have its Teams video conferencing and messaging app automatically installed on their devices, in a move designed to prevent an official antitrust probe by EU regulators. From a report: The US tech giant has made the concession to avoid a formal investigation, said two people with direct knowledge of the decision, following a 2020 complaint by rival Slack which claimed Microsoft's practice of bundling the two services together was anti-competitive. These people said that, in future, when companies buy Office they can do it with or without Teams if they wished, but the mechanism on how to do this remains unclear. The people stressed talks are still ongoing and a deal is not certain. The move is part of an effort by Microsoft to try to avoid what would be its first antitrust probe in more than a decade, having sought to avoid legal battles with the European Commission that have proved bruising in the past.

An anonymous reader shares a report: Over the weekend, users on Reddit and YouTube began posting about problems with AMD's newest Ryzen 7000X3D processors. In some cases, the systems simply stopped booting. But in at least one instance, a Ryzen 7800X3D became physically deformed, bulging out underneath and bending the pins on the motherboard's processor socket. In a separate post, motherboard maker MSI indicated that the damage "may have been caused by abnormal voltage issues." Ryzen 7000X3D processors already impose limits on overclocking and power settings, but new BIOS updates from MSI specifically disallow any kind of "overvolting" features that could give the CPUs more power than they were built to handle.

You can still undervolt your CPU to attempt to reduce temperatures and energy usage by giving the CPU a bit less power than it was designed for. The Ryzen 7000X3D processors are set to a lower voltage than regular Ryzen 7000 CPUs by default because the extra L3 cache layered on top of the processor die can raise temperatures and make the CPU more difficult to cool. This has also made the chips much more power-efficient than the standard Ryzen chips, but that efficiency comes at the cost of overclocking settings and other features that some enthusiasts use to squeeze more performance out of their PCs.

Google is leaning into flexibility as part of a new strategy to stymie the impact of belt-tightening among cyber chiefs. From a report: Google Cloud and Mandiant, the threat intelligence unit it acquired last year, unveiled at the RSA Conference in San Francisco today that they're opening their security products to integrations from competitors, as well as offering new Google plug-ins for other vendors' tools. The news, which was shared first with Axios, means that Google customers will now have more options to embed Google's tools in partner companies' products, like CrowdStrike, Trellix and SentinelOne. Other companies, like Accenture and login management company Okta, will also be integrating their products into Google's as part of the plan. Chief information security officers are facing increasing board pressure during a wobbly economy to cut down the number of vendors they work with and simplify their security programs. As a result, vendors have started to intertwine their competitors' products into their own tools in recent years to reach more customers.

Hackers, particularly state-sponsored and organized cybercriminals, wreak havoc worldwide. However, their aliases, such as Fancy Bear and Refined Kitten, often undermine the seriousness of their actions, Wired argues. Microsoft's cybersecurity division recently revamped its naming taxonomy for the hundreds of hacker groups it tracks, adopting two-word names with a weather-based term to indicate the hackers' suspected country and affiliation.

For instance, the Iranian group Phosphorous is now dubbed Mint Sandstorm, while Russia's Iridium (Sandworm) goes by Seashell Blizzard. Critics, like Rob Lee, founder and CEO of cybersecurity firm Dragos, argue that the whimsical new names could hinder the perception of the profession and be counterproductive for cybersecurity analysis. Furthermore, the new naming scheme forces analysts and customers to revise their databases and products to align with Microsoft's terminology. The revised system also risks cementing educated guesses about hackers' national loyalties without clarity on the confidence of those assessments.

Long-time Slashdot reader theodp writes: According to Google Trends, peak "Lean to Code" occurred in early 2019 when laid-off Buzzfeed and Huffpost journalists were taunted with the phrase on Twitter... As Meta founder and CEO Mark Zuckerberg recently put it, "We're in a different world." Indeed. Encouraging kids to pursue CS careers in Code.org's viral 2013 launch video, Zuckerberg explained, "Our policy at Facebook is literally to hire as many talented engineers as we can find."

In Learning to Code Isn't Enough, a new MIT Technology Review article, Joy Lisi Rankin reports on the long history of learn-to-code efforts, which date back to the 1960s. "Then as now," Lisi Rankin writes, "just learning to code is neither a pathway to a stable financial future for people from economically precarious backgrounds nor a panacea for the inadequacies of the educational system."
But is that really true? Vox does note that the latest round of layoffs at Meta "is impacting workers in core technical roles like data scientists and software engineers — positions once thought to be beyond reproach." Yet while that's also true at other companies, those laid-off tech workers also seem to be finding similar positions by working in other industries: Software engineers were the most overrepresented position in layoffs in 2023, relative to their employment, according to data requested by Vox from workforce data company Revelio Labs. Last year, when major tech layoffs first began, recruiters and customer success specialists experienced the most outsize impact. So far this year, nearly 20 percent of the 170,000 tech company layoffs were software engineers, even though they made up roughly 14 percent of employees at these companies. "Early layoffs were dominated by recruiters, which is forgoing future hiring," Revelio senior economist Reyhan Ayas told Vox. "Whereas in 2023 we see a shift toward more core engineering and software engineering, which signals a change in focus of current business priorities."

In other words, tech companies aren't just trimming the fat by firing people who fill out their extensive ecosystem, which ranges from marketers to massage therapists. They're also, many for the first time, making cuts to the people who build the very products they're known for, and who enjoyed a sort of revered status since they, like the founders of the companies, were coders. Software engineers are still important, but they don't have the power they used to...

The latest monthly jobs report by tech industry association CompTIA found that even though employment at tech companies (which includes all roles at those companies) declined slightly in March, employment in technical occupations across industry sectors increased by nearly 200,000 positions. So even if tech companies are laying off tech workers, other industries are snatching them up. Unfortunately for software engineers and the like, that means they might also have to follow those industries' pay schemes. The average software engineer base pay in the US is $90,000, according to PayScale, but can be substantially higher at tech firms like Facebook, where such workers also get bonuses and stock options.

ChatGPT, OpenAI's large language model for chatbots, not only produces mostly insecure code but also fails to alert users to its inadequacies despite being capable of pointing out its shortcomings. The Register reports: Amid the frenzy of academic interest in the possibilities and limitations of large language models, four researchers affiliated with Universite du Quebec, in Canada, have delved into the security of code generated by ChatGPT, the non-intelligent, text-regurgitating bot from OpenAI. In a pre-press paper titled, "How Secure is Code Generated by ChatGPT?" computer scientists Raphael Khoury, Anderson Avila, Jacob Brunelle, and Baba Mamadou Camara answer the question with research that can be summarized as "not very."

"The results were worrisome," the authors state in their paper. "We found that, in several cases, the code generated by ChatGPT fell well below minimal security standards applicable in most contexts. In fact, when prodded to whether or not the produced code was secure, ChatGPT was able to recognize that it was not." [...] In all, ChatGPT managed to generate just five secure programs out of 21 on its first attempt. After further prompting to correct its missteps, the large language model managed to produce seven more secure apps -- though that's "secure" only as it pertains to the specific vulnerability being evaluated. It's not an assertion that the final code is free of any other exploitable condition. [...]

The academics observe in their paper that part of the problem appears to arise from ChatGPT not assuming an adversarial model of code execution. The model, they say, "repeatedly informed us that security problems can be circumvented simply by 'not feeding an invalid input' to the vulnerable program it has created." Yet, they say, "ChatGPT seems aware of -- and indeed readily admits -- the presence of critical vulnerabilities in the code it suggests." It just doesn't say anything unless asked to evaluate the security of its own code suggestions.

Initially, ChatGPT's response to security concerns was to recommend only using valid inputs -- something of a non-starter in the real world. It was only afterward, when prompted to remediate problems, that the AI model provided useful guidance. That's not ideal, the authors suggest, because knowing which questions to ask presupposes familiarity with specific vulnerabilities and coding techniques. The authors also point out that there's ethical inconsistency in the fact that ChatGPT will refuse to create attack code but will create vulnerable code.

An anonymous reader shares a report: You know that you're supposed to wipe your smartphone or laptop before you resell it or give it to your cousin. After all, there's a lot of valuable personal data on there that should stay in your control. Businesses and other institutions need to take the same approach, deleting their information from PCs, servers, and network equipment so it doesn't fall into the wrong hands. At the RSA security conference in San Francisco next week, though, researchers from the security firm ESET will present findings showing that more than half of secondhand enterprise routers they bought for testing had been left completely intact by their previous owners. And the devices were brimming with network information, credentials, and confidential data about the institutions they had belonged to. The researchers bought 18 used routers in different models made by three mainstream vendors: Cisco, Fortinet, and Juniper Networks. Of those, nine were just as their owners had left them and fully accessible, while only five had been properly wiped. Two were encrypted, one was dead, and one was a mirror copy of another device.

All nine of the unprotected devices contained credentials for the organization's VPN, credentials for another secure network communication service, or hashed root administrator passwords. And all of them included enough identifying data to determine who the previous owner or operator of the router had been. Eight of the nine unprotected devices included router-to-router authentication keys and information about how the router connected to specific applications used by the previous owner. Four devices exposed credentials for connecting to the networks of other organizations -- like trusted partners, collaborators, or other third parties. Three contained information about how an entity could connect as a third party to the previous owner's network. And two directly contained customer data.