Crooks Bypassed Google's Email Verification To Create Workspace Accounts, Access 3rd-Party Services
Brian Krebs writes via KrebsOnSecurity: Google says it recently fixed an authentication weakness that allowed crooks to circumvent the email verification required to create a Google Workspace account, and leverage that to impersonate a domain holder at third-party services that allow logins through Google's "Sign in with Google" feature. [...] Google Workspace offers a free trial that people can use to access services like Google Docs, but other services such as Gmail are only available to Workspace users who can validate control over the domain name associated with their email address. The weakness Google fixed allowed attackers to bypass this validation process. Google emphasized that none of the affected domains had previously been associated with Workspace accounts or services. "The tactic here was to create a specifically-constructed request by a bad actor to circumvent email verification during the signup process," [said Anu Yamunan, director of abuse and safety protections at Google Workspace]. "The vector here is they would use one email address to try to sign in, and a completely different email address to verify a token. Once they were email verified, in some cases we have seen them access third party services using Google single sign-on." Yamunan said none of the potentially malicious workspace accounts were used to abuse Google services, but rather the attackers sought to impersonate the domain holder to other services online.

Read more of this story at Slashdot.

(Comment on this)

Courts Close the Loophole Letting the Feds Search Your Phone At the Border
On Wednesday, Judge Nina Morrison ruled that cellphone searches at the border are "nonroutine" and require probable cause and a warrant, likening them to more invasive searches due to their heavy privacy impact. As reported by Reason, this decision closes the loophole in the Fourth Amendment's protection against unreasonable searches and seizures, which Customs and Border Protection (CBP) agents have exploited. Courts have previously ruled that the government has the right to conduct routine warrantless searches for contraband at the border. From the report: Although the interests of stopping contraband are "undoubtedly served when the government searches the luggage or pockets of a person crossing the border carrying objects that can only be introduced to this country by being physically moved across its borders, the extent to which those interests are served when the government searches data stored on a person's cell phone is far less clear," the judge declared. Morrison noted that "reviewing the information in a person's cell phone is the best approximation government officials have for mindreading," so searching through cellphone data has an even heavier privacy impact than rummaging through physical possessions. Therefore, the court ruled, a cellphone search at the border requires both probable cause and a warrant. Morrison did not distinguish between scanning a phone's contents with special software and manually flipping through it. And in a victory for journalists, the judge specifically acknowledged the First Amendment implications of cellphone searches too. She cited reporting by The Intercept and VICE about CPB searching journalists' cellphones "based on these journalists' ongoing coverage of politically sensitive issues" and warned that those phone searches could put confidential sources at risk. Wednesday's ruling adds to a stream of cases restricting the feds' ability to search travelers' electronics. The 4th and 9th Circuits, which cover the mid-Atlantic and Western states, have ruled that border police need at least "reasonable suspicion" of a crime to search cellphones. Last year, a judge in the Southern District of New York also ruled (PDF) that the government "may not copy and search an American citizen's cell phone at the border without a warrant absent exigent circumstances."

Read more of this story at Slashdot.

(Comment on this)

Nvidia's Open-Source Linux Kernel Driver Performing At Parity To Proprietary Driver
Nvidia's new R555 Linux driver series has significantly improved their open-source GPU kernel driver modules, achieving near parity with their proprietary drivers. Phoronix's Michael Larabel reports: The NVIDIA open-source kernel driver modules shipped by their driver installer and also available via their GitHub repository are in great shape. With the R555 series the support and performance is basically at parity of their open-source kernel modules compared to their proprietary kernel drivers. [...] Across a range of different GPU-accelerated creator workloads, the performance of the open-source NVIDIA kernel modules matched that of the proprietary driver. No loss in performance going the open-source kernel driver route. Across various professional graphics workloads, both the NVIDIA RTX A2000 and A4000 graphics cards were also achieving the same performance whether on the open-source MIT/GPLv2 driver or using NVIDIA's classic proprietary driver. Across all of the tests I carried out using the NVIDIA 555 stable series Linux driver, the open-source NVIDIA kernel modules were able to achieve the same performance as the classic proprietary driver. Also important is that there was no increased power use or other difference in power management when switching over to the open-source NVIDIA kernel modules. It's great seeing how far the NVIDIA open-source kernel modules have evolved and that with the upcoming NVIDIA 560 Linux driver series they will be defaulting to them on supported GPUs. And moving forward with Blackwell and beyond, NVIDIA is just enabling the GPU support along their open-source kernel drivers with leaving the proprietary kernel drivers to older hardware. Tests I have done using NVIDIA GeForce RTX 40 graphics cards with Linux gaming workloads between the MIT/GPL and proprietary kernel drivers have yielded similar (boring but good) results: the same performance being achieved with no loss going the open-source route. You can view Phoronix's performance results in charts here, here, and here.

Read more of this story at Slashdot.

(Comment on this)

How a Cheap Barcode Scanner Helped Fix CrowdStrike'd Windows PCs In a Flash
An anonymous reader quotes a report from The Register: Not long after Windows PCs and servers at the Australian limb of audit and tax advisory Grant Thornton started BSODing last Friday, senior systems engineer Rob Woltz remembered a small but important fact: When PCs boot, they consider barcode scanners no differently to keyboards. That knowledge nugget became important as the firm tried to figure out how to respond to the mess CrowdStrike created, which at Grant Thornton Australia threw hundreds of PCs and no fewer than 100 servers into the doomloop that CrowdStrike's shoddy testing software made possible. [...] The firm had the BitLocker keys for all its PCs, so Woltz and colleagues wrote a script that turned them into barcodes that were displayed on a locked-down management server's desktop. The script would be given a hostname and generate the necessary barcode and LAPS password to restore the machine. Woltz went to an office supplies store and acquired an off-the-shelf barcode scanner for AU$55 ($36). At the point when rebooting PCs asked for a BitLocker key, pointing the scanner at the barcode on the server's screen made the machines treat the input exactly as if the key was being typed. That's a lot easier than typing it out every time, and the server's desktop could be accessed via a laptop for convenience. Woltz, Watson, and the team scaled the solution -- which meant buying more scanners at more office supplies stores around Australia. On Monday, remote staff were told to come to the office with their PCs and visit IT to connect to a barcode scanner. All PCs in the firm's Australian fleet were fixed by lunchtime -- taking only three to five minutes for each machine. Watson told us manually fixing servers needed about 20 minutes per machine.

Read more of this story at Slashdot.

(Comment on this)

White House Announces New AI Actions As Apple Signs On To Voluntary Commitments
The White House announced that Apple has "signed onto the voluntary commitments" in line with the administration's previous AI executive order. "In addition, federal agencies reported that they completed all of the 270-day actions in the Executive Order on schedule, following their on-time completion of every other task required to date." From a report: The executive order "built on voluntary commitments" was supported by 15 leading AI companies last year. The White House said the agencies have taken steps "to mitigate AI's safety and security risks, protect Americans' privacy, advance equity and civil rights, stand up for consumers and workers, promote innovation and competition, advance American leadership around the world, and more." It's a White House effort to mobilize government "to ensure that America leads the way in seizing the promise and managing the risks of artificial intelligence," according to the White House.

Read more of this story at Slashdot.

(Comment on this)

RFK Jr. Says He'd Direct the Government to Buy $615 Billion in Bitcoin or 4 Million Bitcoins
US presidential candidate, Robert F. Kennedy Jr., announced during his keynote Friday at the Bitcoin Conference that he would direct the US government to buy Bitcoin until the size of its Bitcoin reserves matched its gold reserves. At current prices, that equates to $615 billion worth of gold. RFK Jr. said: "I will sign an executive order directing the US Treasury to purchase 550 Bitcoin daily until the US has built a reserve of at least 4,000,000 Bitcoins and a position of dominance that no other country will be able to usurp." 4 million Bitcoin is 19% of all Bitcoin that will ever exist.

Read more of this story at Slashdot.

(Comment on this)

Data From Deleted GitHub Repos May Not Actually Be Deleted, Researchers Claim
Thomas Claburn reports via The Register: Researchers at Truffle Security have found, or arguably rediscovered, that data from deleted GitHub repositories (public or private) and from deleted copies (forks) of repositories isn't necessarily deleted. Joe Leon, a security researcher with the outfit, said in an advisory on Wednesday that being able to access deleted repo data -- such as APIs keys -- represents a security risk. And he proposed a new term to describe the alleged vulnerability: Cross Fork Object Reference (CFOR). "A CFOR vulnerability occurs when one repository fork can access sensitive data from another fork (including data from private and deleted forks)," Leon explained. For example, the firm showed how one can fork a repository, commit data to it, delete the fork, and then access the supposedly deleted commit data via the original repository. The researchers also created a repo, forked it, and showed how data not synced with the fork continues to be accessible through the fork after the original repo is deleted. You can watch that particular demo [here]. According to Leon, this scenario came up last week with the submission of a critical vulnerability report to a major technology company involving a private key for an employee GitHub account that had broad access across the organization. The key had been publicly committed to a GitHub repository. Upon learning of the blunder, the tech biz nuked the repo thinking that would take care of the leak. "They immediately deleted the repository, but since it had been forked, I could still access the commit containing the sensitive data via a fork, despite the fork never syncing with the original 'upstream' repository," Leon explained. Leon added that after reviewing three widely forked public repos from large AI companies, Truffle Security researchers found 40 valid API keys from deleted forks. GitHub said it considers this situation a feature, not a bug: "GitHub is committed to investigating reported security issues. We are aware of this report and have validated that this is expected and documented behavior inherent to how fork networks work. You can read more about how deleting or changing visibility affects repository forks in our [documentation]." Truffle Security argues that they should reconsider their position "because the average user expects there to be a distinction between public and private repos in terms of data security, which isn't always true," reports The Register. "And there's also the expectation that the act of deletion should remove commit data, which again has been shown to not always be the case."

Read more of this story at Slashdot.

(Comment on this)

Automakers Sold Driver Data For Pennies, Senators Say
An anonymous reader quotes a report from the New York Times: If you drive a car made by General Motors and it has an internet connection, your car's movements and exact location are being collected and shared anonymously with a data broker. This practice, disclosed in a letter (PDF) sent by Senators Ron Wyden of Oregon and Edward J. Markey of Massachusetts to the Federal Trade Commission on Friday, is yet another way in which automakers are tracking drivers (source may be paywalled; alternative source), often without their knowledge. Previous reporting in The New York Times which the letter cited, revealed how automakers including G.M., Honda and Hyundai collected information about drivers' behavior, such as how often they slammed on the brakes, accelerated rapidly and exceeded the speed limit. It was then sold to the insurance industry, which used it to help gauge individual drivers' riskiness. The two Democratic senators, both known for privacy advocacy, zeroed in on G.M., Honda and Hyundai because all three had made deals, The Times reported, with Verisk, an analytics company that sold the data to insurers. In the letter, the senators urged the F.T.C.'s chairwoman, Lina Khan, to investigate how the auto industry collects and shares customers' data. One of the surprising findings of an investigation by Mr. Wyden's office was just how little the automakers made from selling driving data. According to the letter, Verisk paid Honda $25,920 over four years for information about 97,000 cars, or 26 cents per car. Hyundai was paid just over $1 million, or 61 cents per car, over six years. G.M. would not reveal how much it had been paid, Mr. Wyden's office said. People familiar with G.M.'s program previously told The Times that driving behavior data had been shared from more than eight million cars, with the company making an amount in the low millions of dollars from the sale. G.M. also previously shared data with LexisNexis Risk Solutions. "Companies should not be selling Americans' data without their consent, period," the letter from Senators Wyden and Markey stated. "But it is particularly insulting for automakers that are selling cars for tens of thousands of dollars to then squeeze out a few additional pennies of profit with consumers' private data."

Read more of this story at Slashdot.

(Comment on this)

ISPs Seeking Government Handouts Try To Avoid Offering Low-Cost Broadband
Internet service providers are pushing back against the Biden administration's requirement for low-cost options even as they are attempting to secure funds from a $42.45 billion government broadband initiative. The Broadband Equity, Access, and Deployment program, established by law to expand internet access, mandates that recipients offer affordable plans to eligible low-income subscribers, a stipulation the providers argue infringes on legal prohibitions against rate regulation. ISPs claim that the proposed $30 monthly rate for low-cost plans is economically unfeasible, especially in hard-to-reach rural areas, potentially undermining the program's goals by discouraging provider participation.

Read more of this story at Slashdot.

(Comment on this)

2U, Once a Giant in Online Education, Files for Chapter 11 Bankruptcy
Online education company 2U filed for Chapter 11 bankruptcy protection and is being taken private in a deal that will wipe out more than half of its $945 million debt [non-paywalled link]. From a report: 2U was a pioneer in the online education space, joining with schools including the University of Southern California, Georgetown University and the University of North Carolina at Chapel Hill to design and operate online courses in fields including nursing and social work. But it struggled in recent years amid new competition and changing regulations. It also had a highly leveraged balance sheet with looming loan-repayment deadlines. 2U closed Wednesday with a market value of about $11.5 million, down from more than $5 billion in 2018. In 2021, 2U bought edX, an online platform for classes that was founded by Harvard University and the Massachusetts Institute of Technology. The debt from that $800 million deal for edX proved debilitating to 2U, WSJ reports.

Read more of this story at Slashdot.

(Comment on this)

Pixel 9 AI Will Add You To Group Photos Even When You're Not There
Google's upcoming Pixel 9 smartphones are set to introduce new AI-powered features, including "Add Me," a tool that will allow users to insert themselves into group photos after those pictures have been taken, according to leaked promotional video obtained by Android Headlines. This feature builds on the Pixel 8's "Best Take" function, which allowed face swapping in group shots.

Read more of this story at Slashdot.

(Comment on this)

FTC's Khan Backs Open AI Models in Bid to Avoid Monopolies
Open AI models that allow developers to customize them with few restrictions are more likely to promote competition, FTC Chair Lina Khan said, weighing in on a key debate within the industry. From a report: "There's tremendous potential for open-weight models to promote competition," Khan said Thursday in San Francisco at startup incubator Y Combinator. "Open-weight models can liberate startups from the arbitrary whims of closed developers and cloud gatekeepers." "Open-weight" models disclose what an AI model picked up and was tweaked on during its training process. That allows developers to better customize them and makes them more accessible to smaller companies and researchers. But critics have warned that open models carry an increased risk of abuse and could potentially allow companies from geopolitical rivals like China to piggyback off the technology. Khan's comments come as the Biden administration is considering guidance on the use and safety of open-weight models.

Read more of this story at Slashdot.

(Comment on this)

Russia To Slow YouTube Speeds
Russia admitted that it's deliberately slowing YouTube's loading speeds and said it plans to throttle the download speeds on the Google platform by up to 70% by the end of next week. Russia is taking this stand in response to Google's refusal to comply with the demands of the Russian authorities, local lawmaker Alexander Khinshtein said. From a report: Khinshtein, the head of the State Duma's Information Policy Committee, claimed that the move is "not aimed against Russian users, but against the administration of a foreign resource that still believes that it can violate and ignore our legislation with impunity."

Read more of this story at Slashdot.

(Comment on this)

No Fix For Intel's Crashing 13th and 14th Gen CPUs - Any Damage is Permanent
An anonymous reader shares a report: On Monday, it initially seemed like the beginning of the end for Intel's desktop CPU instability woes -- the company confirmed a patch is coming in mid-August that should address the "root cause" of exposure to elevated voltage. But if your 13th or 14th Gen Intel Core processor is already crashing, that patch apparently won't fix it. Citing unnamed sources, Tom's Hardware reports that any degradation of the processor is irreversible, and an Intel spokesperson did not deny that when we asked. Intel is "confident" the patch will keep it from happening in the first place. But if your defective CPU has been damaged, your best option is to replace it instead of tweaking BIOS settings to try and alleviate the problems. And, Intel confirms, too-high voltages aren't the only reason some of these chips are failing. Intel spokesperson Thomas Hannaford confirms it's a primary cause, but the company is still investigating. Intel community manager Lex Hoyos also revealed some instability reports can be traced back to an oxidization manufacturing issue that was fixed at an unspecified date last year.

Read more of this story at Slashdot.

(Comment on this)

Marvel's Kevin Feige Defends Sequels as an 'Absolute Pillar of the Industry'
Marvel Studios President Kevin Feige, who has overseen the Marvel Cinematic Universe's unprecedented success, has expressed his longstanding appreciation for sequels and world-building in cinema at a time when Disney's top executive has admitted that the company has diluted audience's attention by making too many TV shows and movies. "I was never cynical or rolling my eyes the way people still do today for some reason, even though there've been sequels since the '30s and they're an absolute pillar of the industry," Feige told Variety in an interview, highlighting his enthusiasm for returning to beloved characters and expanding on established narratives. The studio's ambitious expansion into streaming content for Disney+ has led to what Disney CEO Bob Iger described as "some disappointments" in theatrical releases. In July 2023, Iger cited the increased output for streaming as a factor that "diluted focus and attention" at Marvel. In response to these challenges, Disney announced a strategic shift in May, with plans to reduce Marvel's output to a maximum of three films and two TV series per year. This move aligns with Iger's commitment to prioritize quality over quantity, a strategy he believes is "particularly true with Marvel."

Read more of this story at Slashdot.

(Comment on this)

Childhood Air Pollution Directly Linked To Adult Lung Health, Study Says
Air pollution breathed in during childhood is one of the factors in adult lung health, according to a new study. From a report: The origins of the study date back to 1992 when researchers began investigating the effects of air pollution on groups of children in California. Some of these children are now in their 40s. Dr Erika Garcia and colleagues from the University of Southern California decided to see how they were getting on. More than 1,300 people replied and filled in detailed questionnaires on their income, lifestyle (including smoking), homes and health. This was matched against their childhood health and the local air pollution when they were growing up. The first finding was that people with higher childhood exposures to particle pollution and nitrogen dioxide had a higher likelihood of bronchitic symptoms as an adult. This relationship was strongest for those who had developed asthma and lung problems as children, meaning these people had a vulnerability that continued into adulthood. The second finding was unexpected: a relationship existed between childhood air pollution and adult bronchitic symptoms for people who did not have lung problems as children. This suggests the damage from air pollution in childhood may only manifest in adult life. Garcia said: "This was surprising. We thought air pollutant effects on childhood asthma or bronchitic symptoms would be a major pathway by which childhood air pollution exposure affects adult respiratory health."

Read more of this story at Slashdot.

(Comment on this)

It Is Now Easier To Pass AP Tests
More students are getting high scores on Advanced Placement tests, long seen as a gateway to elite college admissions as well as a way to earn college credit during high school. From a report: Changes by the tests' maker in recent years have shifted scores upward. That has led to hundreds of thousands of additional students getting what's considered a passing score -- 3 or above on the 1-to-5 scale -- on exams in popular courses including AP U.S. History and AP U.S. Government. The nonprofit behind the tests, College Board, says it updated the scoring by replacing its panel of experts with a large-scale data analysis to better reflect the skills students learn in the courses. Some skeptical teachers, test-prep companies and college administrators see the recent changes as another form of grade inflation, and a way to boost the organization's business by making AP courses seem more attractive. "It is hard to argue with the premise of AP, that students who are talented and academically accomplished can get a head start on college," said Jon Boeckenstedt, the vice provost of enrollment at Oregon State University. "But I think it's a business move." The number of students cheering their higher AP scores could rise again next year. The College Board said it is still recalibrating several other subjects, including its most popular course, AP English Language, which attracts more than half a million test takers.

Read more of this story at Slashdot.

(Comment on this)

Windows 11 Will Soon Add Your Android Phone To File Explorer
Microsoft has started testing a new way to access your Android phone from directly within Windows 11's File Explorer. From a report: Windows Insiders are now able to test this new feature, which lets you wirelessly browse through folders and files on your Android phone. The integration in File Explorer means your Android device appears just like a regular USB device on the left-hand side, with the ability to copy or move files between a PC and Android phone, and rename or delete them. It's certainly a lot quicker than using the existing Phone Link app.

Read more of this story at Slashdot.

(Comment on this)

Microsoft Pushes for Windows Changes After CrowdStrike Incident
In the wake of a major incident that affected millions of Windows PCs, Microsoft is calling for significant changes to enhance the resilience of its operating system. John Cable, Microsoft's vice president of program management for Windows servicing and delivery, said there was a need for "end-to-end resilience" in a blog post, signaling a potential shift in Microsoft's approach to third-party access to the Windows kernel. While not explicitly detailing planned improvements, Cable pointed to recent innovations like VBS enclaves and the Azure Attestation service as examples of security measures that don't rely on kernel access. This move towards a "Zero Trust" approach could have far-reaching implications for the cybersecurity industry and Windows users worldwide, as Microsoft seeks to balance system security with the needs of its partners in the broader security community. The comment follows a Microsoft spokesman revealed last week that a 2009 European Commission agreement prevented the company from restricting third-party access to Windows' core functions.

Read more of this story at Slashdot.

(Comment on this)

New Chrome Feature Scans Password-Protected Files For Malicious Content
An anonymous reader quotes a report from The Hacker News: Google said it's adding new security warnings when downloading potentially suspicious and malicious files via its Chrome web browser. "We have replaced our previous warning messages with more detailed ones that convey more nuance about the nature of the danger and can help users make more informed decisions," Jasika Bawa, Lily Chen, and Daniel Rubery from the Chrome Security team said. To that end, the search giant is introducing a two-tier download warning taxonomy based on verdicts provided by Google Safe Browsing: Suspicious files and Dangerous files. Each category comes with its own iconography, color, and text to distinguish them from one another and help users make an informed choice. Google is also adding what's called automatic deep scans for users who have opted-in to the Enhanced Protection mode of Safe Browsing in Chrome so that they don't have to be prompted each time to send the files to Safe Browsing for deep scanning before opening them. In cases where such files are embedded within password-protected archives, users now have the option to "enter the file's password and send it along with the file to Safe Browsing so that the file can be opened and a deep scan may be performed." Google emphasized that the files and their associated passwords are deleted a short time after the scan and that the collected data is only used for improving download protections.

Read more of this story at Slashdot.

(Comment on this)