News

A sophisticated extortion campaign has targeted 110,000 domains by exploiting misconfigured AWS environment files, security firm Cyble reports. The attackers scanned for exposed .env files containing cloud access keys and other sensitive data. Organizations that failed to secure their AWS environments found their S3-stored data replaced with ransom notes. The attackers used a series of API calls to verify data, enumerate IAM users, and locate S3 buckets. Though initial access lacked admin privileges, they created new IAM roles to escalate permissions. Cyble researchers noted the attackers' use of AWS Lambda functions for automated scanning operations.

Read more of this story at Slashdot.

The old Sonos app won't be making a return to replace the buggy new version. According to Sonos CEO Patrick Spence, rereleasing the old app would make things worse now that updated software has already been sent out to the company's speakers and cloud infrastructure. The Verge reports: In a Reddit AMA response posted Tuesday, Sonos CEO Spence says that he was hopeful "until very recently" that the company could rerelease the app, confirming a report from The Verge that the company was considering doing so. [...] Since the new app was released on May 7th, Spence has issued a formal apology and announced in August that the company would be delaying the launch of two products "until our app experience meets the level of quality that we, our customers, and our partners expect from Sonos." "The trick of course is that Sonos is not just the mobile app, but software that runs on your speakers and in the cloud too," writes Spence in the Reddit AMA. "In the months since the new mobile app launched we've been updating the software that runs on our speakers and in the cloud to the point where today S2 is less reliable & less stable then what you remember. After doing extensive testing we've reluctantly concluded that re-releasing S2 would make the problems worse, not better. I'm sure this is disappointing. It was disappointing to me."

Read more of this story at Slashdot.

According to Bloomberg's Mark Gurman (paywalled), App Store vice president Matt Fischer is departing the company in October as Apple prepares for organizational changes in response to regulatory pressure. MacRumors reports: Apple plans to split its App Store group into two teams, one that handles the App Store and a second team that oversees alternative app distribution. As of earlier this year, Apple has supported iOS app downloads from alternative app stores and from websites in the European Union, a change that the company had to make to comply with the Digital Markets Act. To handle ongoing compliance with EU regulations for app distribution and alternative payment methods, App Store chief Phil Schiller is changing the App Store's hierarchy. Fischer joined Apple in 2003 to oversee iTunes marketing, but he has served as the vice president of the App Store since 2010. In an email to Apple employees today, Fischer said that he had been thinking about leaving Apple for some time, and the reorganization provided the right opportunity. With Fischer leaving, App Store senior director Carson Oliver will oversee the App Store, and Ann Thai, a director who oversees App Store features, will head up the team that handles alternative app distribution.

Read more of this story at Slashdot.

Google has reached a groundbreaking deal with California lawmakers to contribute millions to local newsrooms, aiming to support journalism amid its decline as readers migrate online and advertising dollars evaporate. The agreement also includes a controversial provision for artificial intelligence funding. Politico reports: California emulated a strategy that other countries like Canada have used to try and reverse the journalism industry's decline as readership migrated online and advertising dollars evaporated. [...] Under the deal, the details of which were first reported by POLITICO on Monday, Google and the state of California would jointly contribute a minimum of $125 million over five years to support local newsrooms through a nonprofit public charity housed at UC Berkeley's journalism school. Google would contribute at least $55 million, and state officials would kick in at least $70 million. The search giant would also commit $50 million over five years to unspecified "existing journalism programs." The deal would also steer millions in tax-exempt private dollars toward an artificial intelligence initiative that people familiar with the negotiations described as an effort to cultivate tech industry buy-in. Funding for artificial intelligence was not included in the bill at the core of negotiations, authored by Assemblymember Buffy Wicks. The agreement has drawn criticism from a journalists' union that had so far championed Wicks' effort. Media Guild of the West President Matt Pearce in an email to union members Sunday evening said such a deal would entrench "Google's monopoly power over our newsrooms." "This public-private partnership builds on our long history of working with journalism and the local news ecosystem in our home state, while developing a national center of excellence on AI policy," said Kent Walker, chief legal officer for Alphabet, the parent company of Google. Media Guild of the West President Matt Pearce wasn't so chipper. He criticized the plan in emails with union members, calling it a "total rout of the state's attempts to check Google's stranglehold over our newsrooms."

Read more of this story at Slashdot.

In a tragic update to Monday's story, authorities have recovered the bodies of former Autonomy CEO Mike Lynch and his teenage daughter Hannah. The Register reports: Italian divers are said to have found the billionaire father and his daughter, 18, inside one of the sunken vessel's cabins, according to The Telegraph. The capsized ship presently rests 49 meters below the surface, about half a mile from the coast. [...] Angela Bacares, Lynch's wife, was rescued at sea and is recovering. Canadian Broadcasting Company News has reported that the body of Recaldo Thomas, a Canadian-born man who resided in Antigua and served as the ship's cook, has been recovered. Other missing individuals have been identified by The Independent as: Christopher Morvillo, a lawyer who had represented Lynch and wife Neda Morvillo; Jonathan Bloomer, chairman of investment bank Morgan Stanley International and wife Judy Bloomer. The Register has published an obituary for Mike Lynch.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Dark Reading: Researchers have exploited a vulnerability in Microsoft's Copilot Studio tool allowing them to make external HTTP requests that can access sensitive information regarding internal services within a cloud environment -- with potential impact across multiple tenants. Tenable researchers discovered the server-side request forgery (SSRF) flaw in the chatbot creation tool, which they exploited to access Microsoft's internal infrastructure, including the Instance Metadata Service (IMDS) and internal Cosmos DB instances, they revealed in a blog post this week. Tracked by Microsoft as CVE-2024-38206, the flaw allows an authenticated attacker to bypass SSRF protection in Microsoft Copilot Studio to leak sensitive cloud-based information over a network, according to a security advisory associated with the vulnerability. The flaw exists when combining an HTTP request that can be created using the tool with an SSRF protection bypass, according to Tenable. "An SSRF vulnerability occurs when an attacker is able to influence the application into making server-side HTTP requests to unexpected targets or in an unexpected way," Tenable security researcher Evan Grant explained in the post. The researchers tested their exploit to create HTTP requests to access cloud data and services from multiple tenants. They discovered that "while no cross-tenant information appeared immediately accessible, the infrastructure used for this Copilot Studio service was shared among tenants," Grant wrote. Any impact on that infrastructure, then, could affect multiple customers, he explained. "While we don't know the extent of the impact that having read/write access to this infrastructure could have, it's clear that because it's shared among tenants, the risk is magnified," Grant wrote. The researchers also found that they could use their exploit to access other internal hosts unrestricted on the local subnet to which their instance belonged. Microsoft responded quickly to Tenable's notification of the flaw, and it has since been fully mitigated, with no action required on the part of Copilot Studio users, the company said in its security advisory. Further reading: Slack AI Can Be Tricked Into Leaking Data From Private Channels

Read more of this story at Slashdot.

Rotten Tomatoes and Fandango are rolling out a new "Verified Hot" rating for users who actually bought a ticket to the movie being reviewed. "The designation is only given to theatrical movies that have reached an audience score above 90 percent among user ratings," adds IndieWire. From the report: Movie ticketing app Fandango is the parent company to Rotten Tomatoes, so if you bought your ticket through Fandango and then rated a movie using that same user info on Rotten Tomatoes, RT is able to confirm you bought a ticket and can filter out anyone else who may just be rating things blindly. A rep for RT tells IndieWire the goal is to work with other partners so that other people who don't use Fandango can still be considered verified. Rotten Tomatoes also expanded its Popcornmeter designations. Anything with an audience score above 60 percent of people rating it as 3.5 stars or higher will be labeled "Hot," and movies below that 60 percent threshold are now "Stale." The "Certified Fresh" badge for movies that achieve a strong enough critics score has been around for a while, but in 2020 RT introduced a "Top Critics" feature such that you could filter out the dozens or hundreds of aggregated critics from unreliable sources who could be skewing a film's score. Anyone can vote or rate movies on Rotten Tomatoes if you're an audience member, but you can also filter out ratings from those not considered "verified." Rotten Tomatoes made some other tweaks too under the hood: Both the Popcornmeter and Tomatometer need to meet a new minimum number of reviews published for a score to appear. Not everything gets reviewed widely, so the threshold varies depending on a film's total projected domestic box office forecast. A full list of "Verified Hot" films can be found here.

Read more of this story at Slashdot.

Phoronix's Michael Larabel reports: As part of Intel's Scalable Video Technology (SVT) initiative they had been developing SVT-HEVC as a BSD-licensed high performance H.265/HEVC video encoder optimized for Xeon Scalable and Xeon D processors. But recently they've changed course and the project has been officially discontinued. [...] The SVT-AV1 project a while ago was already punted to the Alliance for Open Media (AOMedia) project and one of its lead maintainers having joined Meta from Intel two years ago. SVT-AV1 continues excelling great outside the borders of Intel but SVT-HEVC (and SVT-VP9) have remained Intel open-source projects but at least officially SVT-HEVC has ended. SVT-HEVC hadn't seen a new release since 2021 and there are already several great open-source H.265 encoders out there like x265 and Kvazaar. But as of a few weeks ago, SVT-HEVC upstream is now discontinued. The GitHub repository was put into a read-only state [with a discontinuation notice]. Meanwhile SVT-VP9 doesn't have any discontinuation notice at this time. The SVT-VP9 GitHub repository remains under Intel's Open Visual Cloud account although it hasn't seen any new commits in four months and the last tagged release was back in 2020.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: Chrome users who declined to sync their Google accounts with their browsing data secured a big privacy win this week after previously losing a proposed class action claiming that Google secretly collected personal data without consent from over 100 million Chrome users who opted out of syncing. On Tuesday, the 9th US Circuit Court of Appeals reversed (PDF) the prior court's finding that Google had properly gained consent for the contested data collection. The appeals court said that the US district court had erred in ruling that Google's general privacy policies secured consent for the data collection. The district court failed to consider conflicts with Google's Chrome Privacy Notice (CPN), which said that users' "choice not to sync Chrome with their Google accounts meant that certain personal information would not be collected and used by Google," the appeals court ruled. Rather than analyzing the CPN, it appears that the US district court completely bought into Google's argument that the CPN didn't apply because the data collection at issue was "browser agnostic" and occurred whether a user was browsing with Chrome or not. But the appeals court -- by a 3-0 vote -- did not. In his opinion, Circuit Judge Milan Smith wrote that the "district court should have reviewed the terms of Google's various disclosures and decided whether a reasonable user reading them would think that he or she was consenting to the data collection." "By focusing on 'browser agnosticism' instead of conducting the reasonable person inquiry, the district court failed to apply the correct standard," Smith wrote. "Viewed in the light most favorable to Plaintiffs, browser agnosticism is irrelevant because nothing in Google's disclosures is tied to what other browsers do." Smith seemed to suggest that the US district court wasted time holding a "7.5-hour evidentiary hearing which included expert testimony about 'whether the data collection at issue'" was "browser-agnostic." "Rather than trying to determine how a reasonable user would understand Google's various privacy policies," the district court improperly "made the case turn on a technical distinction unfamiliar to most 'reasonable'" users, Smith wrote. Now, the case has been remanded to the district court where Google will face a trial over the alleged failure to get consent for the data collection. If the class action is certified, Google risks owing currently unknown damages to any Chrome users who opted out of syncing between 2016 and 2024. According to Smith, the key focus of the trial will be weighing the CPN terms and determining "what a 'reasonable user' of a service would understand they were consenting to, not what a technical expert would."

Read more of this story at Slashdot.

A growing body of scientific evidence shows that microplastics are accumulating in critical human organs, including the brain, leading researchers to call for more urgent actions to rein in plastic pollution. From a report: Studies have detected tiny shards and specks of plastics in human lungs, placentas, reproductive organs, livers, kidneys, knee and elbow joints, blood vessels and bone marrow. Given the research findings, "it is now imperative to declare a global emergency" to deal with plastic pollution, said Sedat Gundogdu, who studies microplastics at Cukurova University in Turkey. Humans are exposed to microplastics -- defined as fragments smaller than 5mm in diameter -- and the chemicals used to make plastics from widespread plastic pollution in air, water and even food. The health hazards of microplastics within the human body are not yet well-known. Recent studies are just beginning to suggest they could increase the risk of various conditions such as oxidative stress, which can lead to cell damage and inflammation, as well as cardiovascular disease. Animal studies have also linked microplastics to fertility issues, various cancers, a disrupted endocrine and immune system, and impaired learning and memory.

Read more of this story at Slashdot.

bobdevine writes: The Linux operating system has reached a notable milestone in desktop market share, according to the latest data from StatCounter. As of July 2024, Linux has achieved a 4.45% market share for desktop operating systems worldwide. While this percentage might seem small to those unfamiliar with the operating system landscape, it represents a significant milestone for Linux and its dedicated community. What makes this achievement even more thrilling is the upward trajectory of Linux's adoption rate.

Read more of this story at Slashdot.

South Africa's telecoms industry body is pushing for digital content and service providers to help pay for the roll out of network infrastructure because they generate a huge part of the internet traffic. From a report: The Association of Comms and Technology (ACT) CEO Nomvuyiso Batyi said that the revenues generated by over-the-top (OTT) platforms and the continued success of the OTT model was dependent on the availability of high-quality, reliable and efficient network infrastructure. So "what we're saying is that the OTTs should contribute towards the network upgrades, the network building," she added. OTT platforms or services deliver digital content such as video, audio and messaging directly to consumers over the internet. "Fair share" arrangements ensure that OTT providers contribute to the costs of building, maintaining, and upgrading the infrastructure that supports their business.

Read more of this story at Slashdot.

CrowdStrike's president hit out at "shady" efforts by its cyber security rivals to scare its customers and steal market share in the month since its botched software update sparked a global IT outage. From a report: Michael Sentonas told the Financial Times that attempts by competitors to use the July 19 disruption to promote their own products were "misguided." After criticism from rivals including SentinelOne and Trellix, the CrowdStrike executive said no vendor could "technically" guarantee that their own software would never cause a similar incident. "Our industry is built on trust," Sentonas said. For rivals to take advantage of the meltdown to push their own products "lets themselves down because, ultimately, people know really quickly fact from, possibly, some shady commentary." Texas-based CrowdStrike had a reputation as many major companies' first line of defense against cyber attacks, but the high-profile nature of its clients exacerbated the impact of July's global disruption that shut down 8.5 million Windows devices. Insurers have estimated that losses from the disruption, which grounded flights and shut down hospital systems, could run into billions of dollars. Delta Air Lines, which canceled more than 6,000 flights, has estimated that the outages will cost it $500 million and has threatened litigation.

Read more of this story at Slashdot.

An anonymous reader shares a report: U.S. agencies are increasingly accessing parts of a half-billion encrypted chat message haul that has rocked the global organized crime underground, using the chats as part of multiple drug trafficking prosecutions, according to a 404 Media review of U.S. court records. In particular, U.S. authorities are using the chat messages to prosecute alleged maritime drug smugglers who traffic cocaine using speedboats and commercial ships. The court records show the continued fallout of the massive hack of encrypted phone company Sky in 2021, in which European agencies obtained the intelligence goldmine of messages despite Sky being advertised as end-to-end encrypted. European authorities have used those messages as the basis for many prosecutions and drug seizures across the continent. Now, it's clear that the blast radius extends to the United States.

Read more of this story at Slashdot.

Slack AI, an add-on assistive service available to users of Salesforce's team messaging service, is vulnerable to prompt injection, according to security firm PromptArmor. From a report: The AI service provides generative tools within Slack for tasks like summarizing long conversations, finding answers to questions, and summarizing rarely visited channels. "Slack AI uses the conversation data already in Slack to create an intuitive and secure AI experience tailored to you and your organization," the messaging app provider explains in its documentation. Except it's not that secure, as PromptArmor tells it. A prompt injection vulnerability in Slack AI makes it possible to fetch data from private Slack channels.

Read more of this story at Slashdot.

Microsoft is launching three new Xbox Series S / X console options in October. From a report: There's the $449.99 white discless Xbox Series X, a 2TB "Galaxy Black" special-edition Xbox Series X priced at $599.99, and a $349.99 1TB Xbox Series S. All three models will be available in the US on October 15th, with other markets to follow on October 29th. The white coating on the exterior of this new discless Xbox Series X matches the "robot white" found on the Xbox Series S, Microsoft's smaller $299 console. While leaks of the white Xbox Series X hinted that Microsoft may upgrade the heatsink used to cool the console, the company hasn't detailed any hardware changes beyond the removal of the disc drive here.

Read more of this story at Slashdot.

An anonymous reader quotes a report from The Register: Thirty-six flights were cancelled at Japan's New Chitose airport on Saturday after a pair of scissors went missing. Japanese media report that retail outlets at the airport -- which serves the regional city of Chitose on Japan's northernmost island, Hokkaido -- are required to store scissors in a locker. When staff need to cut something, they withdraw the scissors and then replace them after they're done snipping. But last Saturday, an unnamed retailer at the airport was unable to find a pair of scissors. A lengthy search ensued, during which security checks for incoming passengers were paused for at least two hours. Chaos ensued as queues expanded, passengers were denied entry, and airport authorities scrambled to determine whether the scissors had been swiped by somebody with malicious intent. The incident saw over 200 flights delayed, and 36 cancelled altogether. The mess meant some artists didn't appear at a music festival. Happily, the scissors were eventually found -- in the very same shop from which they had gone missing, and not in the hands of someone nefarious. But it took time for authorities to verify the scissors were the missing cutters and not another misplaced pair.

Read more of this story at Slashdot.

The Verge's Tom Warren reports: Valve is banning Counter-Strike 2 players from using keyboard features to automate perfect counter-strafes. Razer was the first keyboard maker to add a Simultaneous Opposing Cardinal Directions (SOCD) feature to its range of Huntsman V3 Pro keyboards last month, followed shortly by Wooting. Using Snap Tap as Razer calls it or Wooting's Snappy Tappy will now get you kicked from Counter-Strike 2 games. "Recently, some hardware features have blurred the line between manual input and automation, so we've decided to draw a clear line on what is or isn't acceptable in Counter-Strike," says Valve. "We are no longer going to allow automation (via scripting or hardware) that circumvent these core skills and, moving forward, (and initially -- exclusively on Valve Official Servers) players suspected of automating multiple player actions from a single game input may be kicked from their match." [...] Razer and Wooting's SOCD features both let players automate switching strafe directions without having to learn the skill. Normally, to switch strafe directions in a first-person shooter, you have to fully release one key before pressing the other. If both are pressed, they cancel each other, and you stand there for a moment until you release one of the keys. SOCD means you don't need to release a key and you can rapidly tap the A or D key to counter-strafe with little to no effort.

Read more of this story at Slashdot.

Approvals for new coal-fired power plants in China dropped by 80% in the first half of this year compared to last, according to an analysis from Greenpeace and the Shanghai Institutes for International Studies. The Associated Press reports: A review of project documents by Greenpeace East Asia found that 14 new coal plants were approved from January to June with a total capacity of 10.3 gigawatts, down 80% from 50.4 gigawatts in the first half of last year. Authorities approved 90.7 gigawatts in 2022 and 106.4 gigawatts in 2023, a surge that raised alarm among climate experts. China leads the world in solar and wind power installations but the government has said that coal plants are still needed for periods of peak demand because wind and solar power are less reliable. While China's grid gives priority to greener sources of energy, experts worry that it won't be easy for China to wean itself off coal once the new capacity is built. "We may now be seeing a turning point," Gao Yuhe, the project lead for Greenpeace East Asia, said in a statement. "One question remains here. Are Chinese provinces slowing down coal approvals because they've already approved so many coal projects ...? Or are these the last gasps of coal power in an energy transition that has seen coal become increasingly impractical? Only time can tell." [...] Gao said that China should focus its resources on better connecting wind and solar power to the grid rather than building more coal power plants. Coal provides more than 60% of the country's electricity. "Coal plays a foundation role in China's energy security," Li Fulong, an official of National Energy Administration, said at a news conference in June. The report notes that China is also looking to nuclear power to help reach its carbon reduction targets. The country approved five nuclear power projects on Monday with 11 units and a total cost of $28 billion.

Read more of this story at Slashdot.

An anonymous reader quotes a report from The Hill: Births in the United States dropped again between 2022 and 2023, according to new data from the Centers for Disease Control and Prevention (CDC). The national birth rate has been steadily declining for the last 17 years, with a particularly steep drop in births between 2007 and 2009 during the Great Recession. Between 2007 and 2022, the U.S. birth rate fell by nearly 23 percent, according to CDC data. There were 3,596,017 registered births in 2023, about 2 percent fewer than in 2022, when there were 3,667,758 registered births, according to CDC data. The general fertility rate fell by nearly 3 percent last year to 54.5 births per 1,000 women between the ages of 15 and 44. That's down from the 2022 rate of 56 births per 1,000 women, CDC data shows. Teen births have declined almost every year since the 1990s and are continuing to fall. The teenage birth rate dropped by 4 percent between 2022 and 2023, from 13.6 to 13.1 births per 1,000 girls aged 15 to 19, according to the CDC. And the birth rate for teens between the ages of 15 and 17, specifically, declined by 2 percent from 5.6 to 5.5 births per 1,000 girls. In 2007, the general fertility rate reached a height not seen since the 1990s at 69.5 births per 1,000 women between the ages of 15 and 44, 1 percentage point higher than the year before, according to CDC data.

Read more of this story at Slashdot.