Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

If 23andMe Is Up for Sale, So Is All That DNA (msn.com)

(Saturday September 28, 2024 @11:34AM (msmash) from the PSA dept.)

23andMe is not doing well. Its stock is [1]on the verge of being delisted. It shut down its in-house drug-development unit last month, only the latest in several rounds of layoffs. Last week, the [2]entire board of directors quit, save for Anne Wojcicki, a co-founder and the company's CEO. Amid this downward spiral, Wojcicki has said she'll consider selling 23andMe -- which means [3]the DNA of 23andMe's 15 million customers would be up for sale, too. The Atlantic:

> 23andMe's trove of genetic data might be its most valuable asset. For about two decades now, since human-genome analysis became quick and common, the A's, C's, G's, and T's of DNA have allowed long-lost relatives to connect, revealed family secrets, and helped police catch serial killers. Some people's genomes contain clues to what's making them sick, or even, occasionally, how their disease should be treated. For most of us, though, consumer tests don't have much to offer beyond a snapshot of our ancestors' roots and confirmation of the traits we already know about. 23andMe is floundering in part because it hasn't managed to prove the value of collecting all that sensitive, personal information. And potential buyers may have very different ideas about how to use the company's DNA data to raise the company's bottom line. This should concern anyone who has used the service.



[1] https://slashdot.org/story/24/01/31/1532255/23andmes-fall-from-6-billion-to-nearly-0

[2] https://slashdot.org/story/24/09/18/1931220/23andme-board-resigns-in-new-blow-to-dna-testing-company

[3] https://www.msn.com/en-us/news/technology/if-23andme-is-up-for-sale-so-is-all-that-dna/ar-AA1rl1V1



Flaw In Kia's Web Portal Let Researchers Track, Hack Cars (arstechnica.com)

(Saturday September 28, 2024 @03:00AM (msmash) from the internet-of-useless-things dept.)

[1]SpzToid shares a report:

> Today, a group of independent security researchers revealed that they'd found a flaw in a web portal operated by the carmaker Kia that let the researchers [2]reassign control of the Internet-connected features of most modern Kia vehicles -- dozens of models representing millions of cars on the road -- from the smartphone of a car's owner to the hackers' own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any Internet-connected Kia vehicle's license plate and within seconds gain the ability to track that car's location, unlock the car, honk its horn, or start its ignition at will.

>

> After the researchers alerted Kia to the problem in June, Kia appears to have fixed the vulnerability in its web portal, though it told WIRED at the time that it was still investigating the group's findings and hasn't responded to WIRED's emails since then. But Kia's patch is far from the end of the car industry's web-based security problems, the researchers say. The web bug they used to hack Kias is, in fact, the second of its kind that they've reported to the Hyundai-owned company; they found a similar technique for hijacking Kias' digital systems last year. And those bugs are just two among a slew of similar web-based vulnerabilities they've discovered within the last two years that have affected cars sold by Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and more.



[1] https://slashdot.org/~SpzToid

[2] https://arstechnica.com/cars/2024/09/flaw-in-kia-web-portal-let-researchers-track-hack-cars/



Europe's Space Agency Will Destroy a Brand-New Satellite in 2027 Just To See What Happens (theverge.com)

(Saturday September 28, 2024 @03:00AM (msmash) from the for-science dept.)

The European Space Agency (ESA) plans to launch a satellite into Earth's orbit in 2027 to [1]watch it get wrecked as it reenters the atmosphere. From a report:

> The project is intended to help understand how exactly satellites break apart so that scientists can learn how to prevent the creation of more space debris. Space junk is becoming a bigger problem as we send more satellites into orbit, but there are efforts to try and address it. This mission is part of the ESA's Zero Debris Charter initiative to stop the creation of additional space debris by 2030. The mission is called the Destructive Reentry Assessment Container Object (DRACO), and the insides of the satellite will collect data as the craft gets destroyed during reentry into the atmosphere. It will also contain a 40-centimeter capsule designed to survive the destruction that will transmit the collected data as the capsule moves toward the ocean.



[1] https://www.theverge.com/2024/9/27/24255990/esa-draco-mission-satellite-space-junk-zero-debris



White House Agonizes Over UN Cybercrime Treaty (politico.com)

(Saturday September 28, 2024 @03:00AM (msmash) from the balancing-acts dept.)

The United Nations is set to vote on a treaty later this year intended to create norms for fighting cybercrime -- and the Biden administration is [1]fretting over whether to sign on. Politico:

> The uncertainty over the treaty stems from fears that countries including Russia, Iran and China could use the text as a guise for U.N. approval of their widespread surveillance measures and suppression of the digital rights of their citizens. If the United States chooses not to vote in favor of the treaty, it could become easier for these adversarial nations -- named by the Cybersecurity and Infrastructure Security Agency as the biggest state sponsors of cybercrime -- to take the lead on cyber issues in the future. And if the U.S. walks away from the negotiating table now, it could upset other nations that spent several years trying to nail down the global treaty with competing interests in mind.

>

> While the treaty is not set for a vote during the U.N. General Assembly this week, it's a key topic of debate on the sidelines, following meetings in New York City last week, and committee meetings set for next month once the world's leaders depart. The treaty was troubled from its inception. A cybercrime convention was originally proposed by Russia, and the U.N. voted in late 2019 to start the process to draft it -- overruling objections by the U.S. and other Western nations. Those countries were worried Russia would use the agreement as an alternative to the Budapest Convention -- an existing accord on cybercrime administered by the Council of Europe, which Russia, China and Iran have not joined.



[1] https://www.politico.com/news/2024/09/26/un-cybercrime-treaty-white-house-russia-00181271



Steam Will Let You Sue Valve Now (theverge.com)

(Saturday September 28, 2024 @03:00AM (msmash) from the moving-forward dept.)

Steam just removed its forced arbitration policy, opening the door for [1]lawsuits against its parent company, Valve. From a report:

> In an update on Thursday, Steam says its subscriber agreement "now provides that any disputes are to go forward in court instead of arbitration." Many companies include a forced arbitration clause in their user agreement, waiving a person's right to a trial in court. Arbitration involves settling a dispute outside a legal system before an impartial third party. This method is often faster but may not get the best results for consumers, as arbitrators don't need to consider the law when issuing a decision.



[1] https://www.theverge.com/2024/9/27/24255841/steam-forced-arbitration-policy-lawsuit



Controversial Windows Recall AI Search Tool Returns (securityweek.com)

(Friday September 27, 2024 @11:30PM (msmash) from the second-time's-the-charm dept.)

[1]wiredmikey writes:

> Three months after [2]pulling previews of the controversial Windows Recall feature due to public backlash, Microsoft says it has [3]completely overhauled the security architecture with proof-of-presence encryption, anti-tampering and DLP checks, and screenshot data managed in secure enclaves outside the main operating system.

>

> In an [4]interview with SecurityWeek, Microsoft vice president David Weston said the company's engineers rewrote the security model of Windows Recall to reduce attack surface on Copilot+ PCs and minimize the risk of malware attackers targeting the screenshot data store.



[1] https://slashdot.org/~wiredmikey

[2] https://it.slashdot.org/story/24/06/14/0318213/microsoft-postpones-windows-recall-after-major-backlash

[3] https://www.securityweek.com/microsofts-controversial-recall-returns-with-proof-of-presence-encryption-data-isolation-opt-in-model/

[4] https://www.securityweek.com/microsofts-controversial-recall-returns-with-proof-of-presence-encryption-data-isolation-opt-in-model/



Iranian Operatives Charged in the US With Hacking Donald Trump's Presidential Campaign (apnews.com)

(Friday September 27, 2024 @05:20PM (msmash) from the breaking-news dept.)

The Justice Department unsealed criminal charges Friday [1]against three Iranian operatives suspected of hacking Donald Trump's presidential campaign and disseminating stolen information to media organizations. From a report:

> The three accused hackers were employed by Iran's paramilitary Revolutionary Guard and their operation also targeted a broad swath of targets, including government officials, members of the media and non-governmental organizations, the Justice Department said.

>

> The Trump campaign disclosed on Aug. 10 that it had been hacked and said Iranian actors had stolen and distributed sensitive internal documents. Multiple major news organizations that said they were leaked confidential information from inside the Trump campaign, including Politico, The New York Times and The Washington Post, declined to publish it.



[1] https://apnews.com/article/trump-hacking-iran-justice-department-1d7d83ccdc6c879be2802142f1c47191



Apple Rolls Back Its Big Plans to Release Movies in Theaters (bloomberg.com)

(Friday September 27, 2024 @05:20PM (msmash) from the entertainment-play dept.)

An anonymous reader shares a report:

> Apple is [1]rethinking its movie strategy after the disappointing box office performance of several big-budget films, including Martin Scorsese's Killers of the Flower Moon, Napoleon, Argylle and Fly Me to the Moon. Apple canceled plans to release Wolfs -- an action comedy starring George Clooney and Brad Pitt -- in thousands of theaters globally. Instead, the picture made its debut in a limited number of venues before it became available on the Apple TV+ streaming service on Sept. 27. Apple plans to use a similar approach with the next few titles on its calendar, including the World War II drama Blitz. Apple, which previously had intended to spend about $1 billion annually on blockbusters for cinemas, won't return to the big screen with a wide, global theatrical release until June with F1 -- a film starring Pitt as a former Formula One driver who returns to racing to mentor a rising star.

>

> [...] Apple is pulling back from theaters at the same time Netflix Inc. and Amazon are reworking their movie strategies. Earlier this year, Netflix hired producer Dan Lin to oversee its film studio, which had spent billions of dollars a year to produce more films than any other company in Hollywood. Yet Netflix struggled to control the quality and cost of its slate, which in some years approached 50 movies. For every hit, such as Bird Box, there were several misses. Lin's predecessor Scott Stuber also clashed with management over its strategy for movie theaters. Stuber wanted to release movies such as Scorsese's The Irishman and the Knives Out sequel Glass Onion widely in cinemas, but he couldn't persuade Netflix co-Chief Executive Officer Ted Sarandos. Lin aims to make fewer movies and develop more projects in-house to keep costs down. He has considered scrapping several of the more expensive projects in development at Netflix.



[1] https://www.bloomberg.com/news/articles/2024-09-27/apple-movies-won-t-be-coming-to-theaters-anytime-soon



TSMC Execs Dismiss OpenAI Chief's $7 Trillion Chip Plan as 'Podcasting Bro' Vision (msn.com)

(Friday September 27, 2024 @05:20PM (msmash) from the not-mincing-words dept.)

Taiwan Semiconductor Manufacturing Co (TSMC) executives have dismissed OpenAI CEO Sam Altman's ambitious chip-making proposal as unrealistic, according to The New York Times. Altman, seeking to boost AI computing power, pitched a $7 trillion plan to build 36 semiconductor plants over several years during a visit to TSMC's Taiwan headquarters. TSMC leaders reportedly found Altman's proposal so far-fetched that they [1]privately referred to him as a "podcasting bro," reflecting skepticism about his grasp of the semiconductor industry's complexities. The world's largest contract chipmaker, already grappling with multi-billion dollar expansion projects, viewed Altman's scheme as overly risky given the massive capital requirements and market uncertainties.



[1] https://www.msn.com/en-in/money/news/behind-openais-audacious-plan-to-make-ai-flow-like-electricity/ar-AA1rjhlB



Dell Mandates Five-Day Office Presence For Global Sales Team

(Friday September 27, 2024 @05:20PM (msmash) from the party-time's-over dept.)

Dell is requiring global sales employees to [1]work from offices five days a week starting September 30, according to an internal memo. The move aims to foster collaboration and skill development. Field representatives must spend five days weekly with customers, partners, or in-office, up from the previous three-day requirement, Dell says in the memo, according to Reuters. Remote workers unable to access Dell offices will continue working from home.



[1] https://www.reuters.com/technology/dell-asks-global-sales-team-work-five-days-week-office-memo-says-2024-09-26/



Turning OpenAI Into a Real Business Is Tearing It Apart (msn.com)

(Friday September 27, 2024 @05:20PM (msmash) from the how-about-that dept.)

OpenAI, creator of ChatGPT, is [1]experiencing significant internal turmoil as a wave of high-profile departures, including [2]Chief Technology Officer Mira Murati, rocks the company. Over 20 researchers and executives have left this year, reflecting deepening tensions between the organization's original nonprofit mission and its new profit-driven focus, WSJ reported Friday.

Employees report rushed product launches and inadequate safety testing, raising concerns about OpenAI's technological edge. CEO Sam Altman's global promotional efforts have reportedly left him detached from daily operations. The shift towards a conventional business model, with new C-suite appointments and [3]a $6.5 billion funding drive, has alienated longtime staff who fear the company is abandoning its founding principles.



[1] https://www.msn.com/en-us/money/careersandeducation/turning-openai-into-a-real-business-is-tearing-it-apart/ar-AA1ririU

[2] https://slashdot.org/story/24/09/25/1959208/openai-cto-mira-murati-is-leaving-firm

[3] https://slashdot.org/story/24/09/12/0549238/openai-fundraising-set-to-vault-startups-valuation-to-150-billion



South Korea Criminalizes Watching Or Possessing Sexually Explicit Deepfakes (reuters.com)

(Friday September 27, 2024 @05:20PM (BeauHD) from the deepfake-crisis dept.)

An anonymous reader quotes a report from Reuters:

> South Korean lawmakers on Thursday passed a bill that [1]criminalizes possessing or watching sexually explicit deepfake images and videos, with penalties set to include prison terms and fines. There has been an outcry in South Korea over Telegram group chats where sexually explicit and illegal deepfakes were [2]created and widely shared, prompting calls for tougher punishment. Anyone purchasing, saving or watching such material could face up to three years in jail or be fined up to 30 million won ($22,600), according to the bill.

>

> Currently, making sexually explicit deepfakes with the intention of distributing them is punishable by five years in prison or a fine of 50 million won under the Sexual Violence Prevention and Victims Protection Act. When the new law takes effect, the maximum sentence for such crimes will also increase to seven years regardless of the intention. The bill will now need the approval of President Yoon Suk Yeol in order to be enacted. South Korean police have so far handled more than 800 deepfake sex crime cases this year, the Yonhap news agency reported on Thursday. That compares with 156 for all of 2021, when data was first collated. Most victims and perpetrators are teenagers, police say.



[1] https://www.reuters.com/world/asia-pacific/south-korea-criminalise-watching-or-possessing-sexually-explicit-deepfakes-2024-09-26/

[2] https://tech.slashdot.org/story/24/08/28/2112225/south-korea-faces-deepfake-porn-emergency



Promises of 'Passive Income' On Amazon Led To Death Threats For Negative Online Review, FTC Says (cnbc.com)

(Friday September 27, 2024 @05:20PM (BeauHD) from the money-making-schemes dept.)

"The Federal Trade Commission is [1]cracking down on 'automation' companies that launch and manage online businesses on behalf of customers in exchange for an upfront investment," reports CNBC's Annie Palmer. "The latest case targets Ascend Ecom, which ran an e-commerce money-making scheme, primarily on Amazon." The FTC accuses the e-commerce company of [2]defrauding consumers of at least $25 million through false claims, deceptive marketing practices, and attempts to suppress negative reviews. From the report:

> Jamaal Sanford received a disturbing email in May of last year. The message, whose sender claimed to be part of a "Russian shadow team," contained Sanford's home address, social security number and his daughter's college. It came with a very specific threat. The sender said Sanford, who lives in Springfield, Missouri, would only be safe if he removed a negative online review. "Do not play tough guy," the email said. "You have nothing to gain by keeping the reviews and EVERYTHING to lose by not cooperating."

>

> Months earlier, Sanford had left a scathing review for an e-commerce "automation" company called Ascend Ecom on the rating site Trustpilot. Ascend's purported business was the launching and managing of Amazon storefronts on behalf of clients, who would pay money for the service and the promise of earning thousands of dollars in "passive income." Sanford had invested $35,000 in such a scheme. He never recouped the money and is now in debt, according to a Federal Trade Commission lawsuit unsealed on Friday. His experience is a key piece of the FTC's suit, which accuses Ascend of breaking federal laws by making false claims related to earnings and business performance, and threatening or penalizing customers for posting honest reviews, among other violations. The FTC is seeking monetary relief for Ascend customers and to prevent Ascend from doing business permanently.



[1] https://www.ftc.gov/news-events/news/press-releases/2024/09/ftc-announces-crackdown-deceptive-ai-claims-schemes

[2] https://www.cnbc.com/2024/09/25/amazon-automation-scammers-sued-by-ftc-for-false-claims-death-threats.html



Starlink Is Now Available on All Hawaiian Airlines Airbus Flights (cnet.com)

(Friday September 27, 2024 @05:20PM (BeauHD) from the can-you-hear-me-now? dept.)

Hot on the heels of [1]United Airlines' Starlink announcement, Hawaiian Airlines [2]said it, too, is offering "fast and free Starlink Wi-Fi" [3]across its entire Airbus fleet. CNET reports:

> Hawaiian Airlines is now the first major carrier to use Elon Musk's satellite internet service, which taps more than 7,000 satellites in low earth orbit to deliver high-speed internet worldwide. "In Starlink's low earth orbit constellation of advanced satellites, the latest of which utilize a revolutionary laser mesh network, we found an ideal solution to ensure reliable, high-speed, low-latency Wi-Fi on transpacific flights," a Hawaiian Airlines representative told CNET. "Working with Starlink has allowed us to offer a fast and consistent in-flight connectivity experience that meets our high standard for guest service."

>

> The company first debuted Starlink on its planes in February on a flight from Honolulu to Long Beach, California. It first struck a deal with Starlink in 2022 and has now completed installation across its entire Airbus fleet, which includes 24 A330 planes and 18 A321neos. Hawaiian Airlines will also deploy the service on its two Boeing 787-9 planes, but not its Boeing 717 aircraft, which are used on shorter flights between the Hawaiian Islands.



[1] https://tech.slashdot.org/story/24/09/13/1520205/united-airlines-taps-starlink-for-free-in-flight-wi-fi

[2] https://newsroom.hawaiianairlines.com/releases/hawaiian-airlines-now-offering-fast-and-free-starlink-wi-fi-across-entire-airbus-fleet

[3] https://www.cnet.com/home/internet/starlink-is-now-available-on-all-hawaiian-airlines-airbus-flights/



HP Is Adding AI To Its Printers

(Friday September 27, 2024 @11:20AM (BeauHD) from the AI-all-the-things dept.)

An anonymous reader quotes a report from PCWorld, written by Michael Crider:

> The latest perpetrator of questionable AI branding? HP. The company is introducing "Print AI," what it calls the "industry's first intelligent print experience for home, office, and large format printing." What does that mean? It's essentially a new beta software driver package for some HP printers. According to the [1]press release, it can deliver "Perfect Output" -- capital P capital O -- a branded tool that [2]reformats the contents of a page in order to more ideally fit it onto physical paper.

>

> Despite my skeptical tone, this is actually a pretty cool idea. "Perfect Output can detect unwanted content like ads and web text, printing only the desired text and images, saving time, paper, and ink." That's neat! If the web page you're printing doesn't offer a built-in print format, the software will make one for you. It'll also serve to better organize printed spreadsheets and images, too. But I don't see anything in this software that's actually AI -- or even machine learning, for that matter. This is applying the same tech (functionally, if not necessarily the same code) as the "reader mode" formatting we've seen in browsers for about a decade now. Take the text and images of a page, strip out everything else that's unnecessary, and present it as efficiently as possible. [...]

>

> The press release does mention that support and formatting tasks can be accomplished with "simple conversational prompts," which at least might be leveraging some of the large language models that have become synonymous with AI as consumers understand it. But based on the description, it's more about selling you something than helping you. "Customers can choose to print or explore a curated list of partners that offer unique photo printing capabilities, gift certificates to be printed on the card, and so much more." Whoopee.



[1] https://www.hp.com/us-en/newsroom/press-releases/2024/hp-print-ai.html

[2] https://www.pcworld.com/article/2470105/hp-printers-have-ai-now-because-of-course-they-do.html



NIST Proposes Barring Some of the Most Nonsensical Password Rules (arstechnica.com)

(Friday September 27, 2024 @11:20AM (BeauHD) from the password-hygiene dept.)

Ars Technica's Dan Goodin reports:

> Last week, NIST released its second public draft of [1]SP 800-63-4, the latest version of its Digital Identity Guidelines. At roughly 35,000 words and filled with jargon and bureaucratic terms, the document is nearly impossible to read all the way through and just as hard to understand fully. It sets both the technical requirements and recommended best practices for determining the validity of methods used to authenticate digital identities online. Organizations that interact with the federal government online are required to be in compliance. A section devoted to passwords [2]injects a large helping of badly needed common sense practices that challenge common policies. An example: The new rules bar the requirement that end users periodically change their passwords. This requirement came into being decades ago when password security was poorly understood, and it was common for people to choose common names, dictionary words, and other secrets that were easily guessed.

>

> Since then, most services require the use of stronger passwords made up of randomly generated characters or phrases. When passwords are chosen properly, the requirement to periodically change them, typically every one to three months, can actually diminish security because the added burden incentivizes weaker passwords that are easier for people to set and remember. Another requirement that often does more harm than good is the required use of certain characters, such as at least one number, one special character, and one upper- and lowercase letter. When passwords are sufficiently long and random, there's no benefit from requiring or restricting the use of certain characters. And again, rules governing composition can actually lead to people choosing weaker passcodes.

>

> The latest NIST guidelines now state that:

> - Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords and

> - Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator. ("Verifiers" is bureaucrat speak for the entity that verifies an account holder's identity by corroborating the holder's authentication credentials. Short for credential service provider, "CSPs" are a trusted entity that assigns or registers authenticators to the account holder.) In previous versions of the guidelines, some of the rules used the words "should not," which means the practice is not recommended as a best practice. "Shall not," by contrast, means the practice must be barred for an organization to be in compliance.

Several other common sense practices mentioned in the document include:

> 1. Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.

> 2. Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.

> 3. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.

> 4. Verifiers and CSPs SHOULD accept Unicode [ISO/IEC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.

> 5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.

> 6. Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

> 7. Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.

> 8. Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., "What was the name of your first pet?") or security questions when choosing passwords.

> 9. Verifiers SHALL verify the entire submitted password (i.e., not truncate it).
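As an added example (not code from NIST or from Ars Technica), here is what the rules above look like when a verifier implements them: length counted in Unicode code points, printing ASCII plus the space character and other Unicode accepted, no composition rules, the whole password hashed rather than truncated, and a forced change only on evidence of compromise. The policy constants, the indicator names, the PBKDF2 work factor and the "legacy" checker shown for contrast are this example's own; rejecting control characters is an assumption, since the draft quoted above only says what must be accepted.

```python
"""Password policy and verification following the NIST SP 800-63B-4 draft rules
quoted above. Added illustration, not NIST's or Ars Technica's code."""
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH_SHALL = 8     # rule 1: SHALL require at least 8 characters
MIN_LENGTH_SHOULD = 15   # rule 1: SHOULD require at least 15; this example's default
MAX_LENGTH = 64          # rule 2: SHOULD permit at least 64; this example caps exactly there
PBKDF2_ITERATIONS = 600_000  # assumed work factor; the quoted draft text does not set one


def password_length(password: str) -> int:
    """Length in Unicode code points, as rule 4 requires.

    Python's len() on a str counts code points, so one emoji such as
    U+1F510 counts as a single character even though it is 4 bytes in UTF-8.
    """
    return len(password)


def check_password(password: str, min_length: int = MIN_LENGTH_SHOULD) -> list[str]:
    """Return the list of violated rules (empty means the password is acceptable).

    There is deliberately no composition check (rule 5): mixtures of
    character classes are neither required nor rewarded.
    """
    problems = []
    length = password_length(password)
    if length < min_length:
        problems.append("too_short")
    if length > MAX_LENGTH:
        problems.append("too_long")
    # Rules 3 and 4: accept all printing ASCII, the space character and other
    # Unicode. Rejecting control characters (Unicode category Cc, e.g. TAB or
    # NUL) is this example's own choice; the draft only says what to accept.
    if any(unicodedata.category(ch) == "Cc" for ch in password):
        problems.append("control_character")
    return problems


def legacy_composition_check(password: str) -> bool:
    """The kind of rule the draft now bars (rule 5). Shown for contrast only:
    it accepts 'Tr0ub4dor&3' and rejects a long lowercase passphrase."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 over the whole UTF-8 encoding of the password.

    Nothing is truncated (rule 9). Compare bcrypt, which silently uses only
    the first 72 bytes of its input, so a verifier built on it must guard the
    tail of long passwords itself.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(stored: tuple[bytes, bytes], candidate: str) -> bool:
    """Verify the entire submitted password against the stored salt and digest."""
    salt, digest = stored
    candidate_digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest, candidate_digest)


def change_required(compromised: bool, age_days: int) -> bool:
    """Rule 6: force a change only on evidence of compromise, never on age alone."""
    return compromised  # age_days is deliberately ignored; periodic rotation is barred


if __name__ == "__main__":
    for pw in ["correct horse battery staple", "Tr0ub4dor&3", "\U0001F510" * 15]:
        print(repr(pw), password_length(pw), check_password(pw), legacy_composition_check(pw))
    stored = hash_password("a" * 63 + "!")
    print(verify_password(stored, "a" * 63 + "!"), verify_password(stored, "a" * 63 + "?"))
```

The contrast between check_password and legacy_composition_check is the point of the passage: the 11-character "Tr0ub4dor&3" passes the legacy rule and fails the 15-character minimum, while a 28-character lowercase passphrase does the reverse. The 15-code-point string of emoji is 60 bytes in UTF-8 but still counts as exactly 15 characters.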



[1] https://pages.nist.gov/800-63-4/sp800-63b.html

[2] https://arstechnica.com/security/2024/09/nist-proposes-barring-some-of-the-most-nonsensical-password-rules/



Dozens of Fortune 100 Companies Have Unwittingly Hired North Korean IT Workers (therecord.media)

(Friday September 27, 2024 @11:20AM (BeauHD) from the hiring-blunders dept.)

"Dozens of Fortune 100 organizations" have [1]unknowingly hired North Korean IT workers using fake identities, generating revenue for the North Korean government while potentially compromising tech firms, according to Google's Mandiant unit. "In [2]a report published Monday [...], researchers describe a common scheme orchestrated by the group it tracks as UNC5267, which has been active since 2018," reports The Record. "In most cases, the IT workers 'consist of individuals sent by the North Korean government to live primarily in China and Russia, with smaller numbers in Africa and Southeast Asia.'" From the report:

> The remote workers "often gain elevated access to modify code and administer network systems," Mandiant found, warning of the downstream effects of allowing malicious actors into a company's inner sanctum. [...] Using stolen identities or fictitious ones, the actors are generally hired as remote contractors. Mandiant has seen the workers hired in a variety of complex roles across several sectors. Some workers are employed at multiple companies, bringing in several salaries each month. The tactic is facilitated by someone based in the U.S. who runs a laptop farm where workers' laptops are sent. Remote technology is installed on the laptops, allowing the North Koreans to log in and conduct their work from China or Russia.

>

> Workers typically asked for their work laptops to be sent to different addresses than those listed on their resumes, raising the suspicions of companies. Mandiant said it found evidence that the laptops at these farms are connected to a "keyboard video mouse" device or multiple remote management tools including LogMeIn, GoToMeeting, Chrome Remote Desktop, AnyDesk, TeamViewer and others. "Feedback from team members and managers who spoke with Mandiant during investigations consistently highlighted behavior patterns, such as reluctance to engage in video communication and below-average work quality exhibited by the DPRK IT worker remotely operating the laptops," Mandiant reported.

>

> In several incident response engagements, Mandiant found the workers used the same resumes that had links to fabricated software engineer profiles hosted on Netlify, a platform often used for quickly creating and deploying websites. Many of the resumes and profiles included poor English and other clues indicating the actor was not based in the U.S. One characteristic repeatedly seen was the use of U.S.-based addresses accompanied by education credentials from universities outside of North America, frequently in countries such as Singapore, Japan or Hong Kong. Companies, according to Mandiant, typically don't verify credentials from universities overseas.

Further reading: [3]How Not To Hire a North Korean IT Spy
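The indicators Mandiant describes above (a laptop shipped to an address that differs from the resume, several remote-access tools on the corporate laptop, resume links to profiles on Netlify, a U.S. address paired with degrees from outside North America, reluctance to join video calls) lend themselves to a simple triage score over onboarding and endpoint data. The following is an added example, not Mandiant's or The Record's code; the record fields, the weights, the review threshold and the two sample records are constructed for illustration, and a high score is a prompt for a human investigation, not a verdict.

```python
"""Triage of remote-contractor onboarding records against the DPRK IT worker
indicators described above. Added example; field names, weights and the
sample records are constructed for illustration, not taken from the report."""
from urllib.parse import urlparse

# Remote-management tools named in the Mandiant findings quoted above.
REMOTE_TOOLS = {"logmein", "gotomeeting", "chrome remote desktop", "anydesk", "teamviewer"}
NORTH_AMERICA = {"us", "canada", "mexico"}

# Weights and threshold are this example's own choice, not from the report.
WEIGHTS = {
    "shipping_address_mismatch": 3,
    "multiple_remote_tools": 3,
    "netlify_hosted_profile": 2,
    "overseas_degree_us_address": 1,
    "avoids_video": 1,
}
REVIEW_THRESHOLD = 4


def _norm(text: str) -> str:
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(text.lower().split())


def indicators(record: dict) -> list[str]:
    """Return the names of the indicators a single onboarding record triggers."""
    hits = []
    if _norm(record["laptop_shipping_address"]) != _norm(record["resume_address"]):
        hits.append("shipping_address_mismatch")
    tools = {_norm(t) for t in record.get("installed_tools", [])}
    if len(tools & REMOTE_TOOLS) >= 2:
        hits.append("multiple_remote_tools")
    for url in record.get("profile_urls", []):
        host = urlparse(url).hostname or ""
        if host == "netlify.app" or host.endswith(".netlify.app"):
            hits.append("netlify_hosted_profile")
            break
    if record.get("resume_country", "").lower() == "us" and any(
        c.lower() not in NORTH_AMERICA for c in record.get("education_countries", [])
    ):
        hits.append("overseas_degree_us_address")
    if record.get("declined_video_interviews", 0) >= 2:
        hits.append("avoids_video")
    return hits


def score(record: dict) -> int:
    return sum(WEIGHTS[h] for h in indicators(record))


def needs_review(record: dict) -> bool:
    return score(record) >= REVIEW_THRESHOLD


def triage(records: list[dict]) -> dict[str, list[str]]:
    """Map each candidate that crosses the threshold to the indicators that fired."""
    return {r["candidate"]: indicators(r) for r in records if needs_review(r)}


# Constructed sample records: fictional candidates and addresses.
SAMPLE_RECORDS = [
    {
        "candidate": "contractor-A",
        "resume_address": "412 Oak St, Austin, TX",
        "resume_country": "US",
        "laptop_shipping_address": "412 Oak St, Austin, TX",
        "education_countries": ["US"],
        "profile_urls": ["https://github.com/example-a"],
        "installed_tools": ["Slack", "Zoom"],
        "declined_video_interviews": 0,
    },
    {
        "candidate": "contractor-B",
        "resume_address": "88 Pine Ave, Denver, CO",
        "resume_country": "US",
        "laptop_shipping_address": "1500 Commerce Rd Unit 7, Nashville, TN",
        "education_countries": ["Singapore"],
        "profile_urls": ["https://jane-dev-portfolio.netlify.app/"],
        "installed_tools": ["AnyDesk", "TeamViewer", "Chrome Remote Desktop"],
        "declined_video_interviews": 3,
    },
]


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_RECORDS).items():
        print(name, score(next(r for r in SAMPLE_RECORDS if r["candidate"] == name)), hits)
```

The address mismatch and the remote-tool count carry the most weight because they are the two observations Mandiant ties directly to the laptop-farm mechanism; the rest are weaker signals that only matter in combination, which is why a single weak hit never reaches the threshold on its own.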



[1] https://therecord.media/major-us-companies-unwittingly-hire-north-korean-remote-it-workers

[2] https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat

[3] https://it.slashdot.org/story/24/08/31/052207/how-not-to-hire-a-north-korean-it-spy



Mozilla Hit With Privacy Complaint In EU Over Firefox Tracking Tech (techcrunch.com)

(Friday September 27, 2024 @11:20AM (BeauHD) from the unusual-complaints dept.)

Mozilla has been [1]hit with a complaint by EU privacy group noyb, accusing it of violating GDPR by tracking Firefox users by default without their consent. TechCrunch reports:

> Mozilla calls the feature at issue "Privacy Preserving Attribution" (PPA). But noyb argues this is misdirection. And if EU privacy regulators agree with the complaint the Firefox-maker could be slapped with orders to change tack -- or even face a penalty (the GDPR allows for fines of up to 4% of global revenue). "Contrary to its reassuring name, this technology allows Firefox to track user behaviour on websites," noyb wrote in a [2]press release. "In essence, the browser is now controlling the tracking, rather than individual websites. While this might be an improvement compared to even more invasive cookie tracking, the company never asked its users if they wanted to enable it. Instead, Mozilla decided to turn it on by default once people installed a recent software update. This is particularly worrying because Mozilla generally has a reputation for being a privacy-friendly alternative when most other browsers are based on Google's Chromium."

>

> Another component of noyb's objection is that Mozilla's move "doesn't replace cookies either" -- Firefox simply wouldn't have the market share and power to shift industry practices -- so all it's done is produce another additional way for websites to target ads. [...] The noyb-backed [3]complaint (PDF), which has been filed with the Austrian data protection authority, accuses Mozilla of failing to inform users about the processing of their personal data and of using an opt-out -- rather than an affirmative "opt-in" -- mechanism. The privacy rights group also wants the regulator to order the deletion of all data collected so far.

In a statement attributed to Christopher Hilton, its director of policy and corporate communications, Mozilla said that it has only conducted a "limited test" of a PPA prototype on its own websites. While acknowledging poor communication around the effort, the company emphasized that no user data has been collected or shared and expressed its commitment to engaging with stakeholders as it develops the technology further.



[1] https://techcrunch.com/2024/09/25/mozilla-hit-with-privacy-complaint-in-eu-over-firefox-tracking-tech/

[2] https://noyb.eu/en/firefox-tracks-you-privacy-preserving-feature

[3] https://noyb.eu/sites/default/files/2024-09/C089%20Firefox%20Beschwerde%20Redacted.pdf



Paralyzed Jockey Loses Ability To Walk After Manufacturer Refuses To Fix Battery For His $100,000 Exoskeleton

(Friday September 27, 2024 @11:20AM (BeauHD) from the dystopian-nightmares dept.)

An anonymous reader quotes a report from 404 Media:

> After a horseback riding accident left him paralyzed from the waist down in 2009, former jockey Michael Straight learned to walk again with the help of a $100,000 ReWalk Personal exoskeleton. Earlier this month, that exoskeleton broke because of a malfunctioning piece of wiring in an accompanying watch that makes the exoskeleton work. The manufacturer refused to fix it, saying the machine was now too old to be serviced, and Straight [1]once again couldn't walk anymore. "After 371,091 steps my exoskeleton is being retired after 10 years of unbelievable physical therapy," Straight [2]posted on Facebook on September 16. "The reasons [sic] why it has stopped is a pathetic excuse for a bad company to try and make more money. The reason it stopped is because of a battery in the watch I wear to operate the machine. I called thinking it was no big deal, yet I was told they stopped working on any machine that was 5 years or older. I find it very hard to believe after paying nearly $100,000 for the machine and training that a $20 battery for the watch is the reason I can't walk anymore?"

>

> Straight's experience is a nightmare scenario that highlights what happens when companies decide to stop supporting their products and do not actively support independent repair. It's also what happens without the protection of right to repair legislation that requires manufacturers to make repair parts, guides, and tools available to the general public. Specifically, a connection wire became desoldered from the battery in a watch that connects to the exoskeleton: "It's not the actual battery, but it's the little green connection piece we need to be the right fit and that's been our problem," Straight posted on Facebook. Straight's personal exoskeleton was broken for two months, he said in a video on Facebook. He was eventually able to get the device fixed after attention from an article in the Paulick Report, a website about the horse industry, and a spot on local TV. "It took me two months, and I got no results," he said in the video. With social media and news attention, "it only took you all four days, and look at the results," he said earlier this week while standing in the exoskeleton.

"This is the dystopian nightmare that we've kind of entered in, where the manufacturer perspective on products is that their responsibility completely ends when it hands it over to a customer. That's not good enough for a device like this, but it's also the same thing we see up and down with every single product," Nathan Proctor, head of citizen rights group US PIRG's right to repair project told 404 Media. "People need to be able to fix things, there needs to be a plan in place. A $100,000 product you can only use as long as the battery lasts, that's enraging. We should not have to tolerate a society where this happens."

"We have all this technology we release into the wild and it changes people's lives, but there's no long-term thinking. Manufacturers currently have no legal obligation to support the equipment indefinitely and there's no requirements that they publish sufficient documentation to allow others to do it," Proctor said. "We need to set minimum standards for documentation so that, even if a company goes bankrupt or falls off the face of the earth, a technician with sufficient knowledge can fix it."



[1] https://www.404media.co/paralyzed-jockey-loses-ability-to-walk-after-manufacturer-refuses-to-fix-battery-for-his-100-000-exoskeleton/

[2] https://www.facebook.com/mj.straight.9/posts/pfbid08WJkmwePBXPXrktEKT1PpbTutQkysBh8nRoAy6dC1SSZKAe5Ti9q4ETYg7fHC5hDl



Google's NotebookLM Can Help You Dive Deeper Into YouTube Videos

(Friday September 27, 2024 @11:20AM (BeauHD) from the new-and-improved dept.)

The Verge's Emma Roth reports:

> [1]NotebookLM, Google's AI note-taking app, can now summarize and [2]help you dig deeper into YouTube videos. The new capability works by analyzing the text in a YouTube video's transcript, including autogenerated ones. Once you add a YouTube link to NotebookLM, it will use AI to provide a brief summary of key topics discussed in the transcript. You can then click on these topics to get more detailed information as well as ask questions. (If you're struggling to come up with something to ask, NotebookLM will suggest some questions.)

>

> After clicking on some of the topics, I found that NotebookLM backs up the information provided in its chat window with a citation that links you directly to the point in the transcript where it's mentioned. You can also create an Audio Overview based on the content, which is a podcast-style discussion hosted by AI. I found that the feature worked on most of the videos I tried, except for ones published within the past two days or so. [...] In addition to adding support for YouTube videos, Google announced that NotebookLM now supports audio recordings as well, allowing you to search transcribed conversations for certain information and create study guides.



[1] https://notebooklm.google/

[2] https://www.theverge.com/2024/9/26/24255176/google-notebooklm-summarize-youtube-videos-ai



Pecor's Health-Food Principle:
Never eat rutabaga on any day of the week that has a "y" in it.