An anonymous reader shares a report: ChromeOS Flex extends the lifespan of older hardware and contributes to reducing e-waste, making it an environmentally conscious choice. Unfortunately, recent developments hint at a potential end for ChromeOS Flex. As detailed in a June 12 blog post by Prajakta Gudadhe, senior director of engineering for ChromeOS, and Alexander Kuscher, senior director of product management for ChromeOS, Google's announcement about integrating ChromeOS with Android to enhance AI capabilities suggests that Flex might not be part of this future.

Google's plan, as detailed, suggests that ChromeOS Flex could be phased out, leaving its current users in a difficult position. The ChromiumOS community around ChromeOS Flex may attempt to adjust to these changes if Google open sources ChromeOS Flex, but this is not a guarantee. In the meantime, users may want to consider alternatives, such as various Linux distributions, to keep their older hardware functional.

Design startup Figma is temporarily disabling its "Make Design" AI feature that was said to be ripping off the designs of Apple's own Weather app. TechCrunch: The problem was first spotted by Andy Allen, the founder of NotBoring Software, which makes a suite of apps that includes a popular, skinnable Weather app and other utilities. He found by testing Figma's tool that it would repeatedly reproduce Apple's Weather app when used as a design aid. John Gruber, writing at DaringFireball: This is even more disgraceful than a human rip-off. Figma knows what they trained this thing on, and they know what it outputs. In the case of this utter, shameless, abject rip-off of Apple Weather, they're even copying Weather's semi-inscrutable (semi-scrutable?) daily temperature range bars.

"AI" didn't do this. Figma did this. And they're handing this feature to designers who trust Figma and are the ones who are going to be on the hook when they present a design that, unbeknownst to them, is a blatant rip-off of some existing app.

storagedude shares a report from the Cyber Express: Some of the most widely used web and social media applications could be vulnerable to three newly discovered CocoaPods vulnerabilities -- including potentially millions of Apple devices, according to a report by The Cyber Express, the news service of threat intelligence vendor Cyble Inc. E.V.A Information Security researchers reported three vulnerabilities in the open source CocoaPods dependency manager that could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and MacOS applications, potentially affecting "almost every Apple device." The researchers found vulnerable code in applications provided by Meta (Facebook, Whatsapp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more.

The vulnerabilities have been patched, yet the researchers still found 685 Pods "that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases." The newly discovered vulnerabilities -- one of which (CVE-2024-38366) received a 10 out of 10 criticality score -- actually date from a May 2014 CocoaPods migration to a new 'Trunk' server, which left 1,866 orphaned pods that owners never reclaimed. While the vulnerabilities have been patched, the work for developers and DevOps teams that used CocoaPods before October 2023 is just getting started. "Developers and DevOps teams that have used CocoaPods in recent years should verify the integrity of open source dependencies used in their application code," the E.V.A researchers said. "The vulnerabilities we discovered could be used to control the dependency manager itself, and any published package." [...] "Dependency managers are an often-overlooked aspect of software supply chain security," the researchers wrote. "Security leaders should explore ways to increase governance and oversight over the use these tools." "While there is no direct evidence of any of these vulnerabilities being exploited in the wild, evidence of absence is not absence of evidence." the EVA researchers wrote. "Potential code changes could affect millions of Apple devices around the world across iPhone, Mac, AppleTV, and AppleWatch devices."

While no action is required by app developers or users, the EVA researchers recommend several ways to protect against these vulnerabilities. To ensure secure and consistent use of CocoaPods, synchronize the podfile.lock file with all developers, perform CRC validation for internally developed Pods, and conduct thorough security reviews of third-party code and dependencies. Furthermore, regularly review and verify the maintenance status and ownership of CocoaPods dependencies, perform periodic security scans, and be cautious of widely used dependencies as potential attack targets.

An anonymous reader shares a report: The money transfer and fintech company Wise says some of its customers' personal data may have been stolen in the recent data breach at Evolve Bank and Trust. The news highlights that the fallout from the Evolve data breach on third-party companies -- and their customers and users -- is still unclear, and it's likely that it includes companies and startups that are yet unknown.

In a statement published on its official website, Wise wrote that the company worked with Evolve from 2020 until 2023 "to provide USD account details." And given that Evolve was breached recently, "some Wise customers' personal information may have been involved." [...] So far, Affirm, EarnIn, Marqeta, Melio and Mercury -- all Evolve partners -- have acknowledged that they are investigating how the Evolve breach impacted their customers.

Microsoft revealed that the Russian hackers who breached its systems earlier this year stole more emails than initially reported. "We are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor, and we are providing the customers the email correspondence that was accessed by this actor," a Microsoft spokesperson told Bloomberg (paywalled). "This is increased detail for customers who have already been notified and also includes new notifications." The Register reports: We've been aware for some time that the digital Russian break-in at the Windows maker saw Kremlin spies make off with source code, executive emails, and sensitive U.S. government data. Reports last week revealed that the issue was even larger than initially believed and additional customers' data has been stolen. Along with Russia, Microsoft was also compromised by state actors from China not long ago, and that issue similarly led to the theft of emails and other data belonging to senior U.S. government officials.

Both incidents have led experts to call Microsoft a threat to U.S. national security, and president Brad Smith to issue a less-than-reassuring mea culpa to Congress. All the while, the U.S. government has actually invested more in its Microsoft kit. Bloomberg reported that emails being sent to affected Microsoft customers include a link to a secure environment where customers can visit a site to review messages Microsoft identified as having been compromised. But even that might not have been the most security-conscious way to notify folks: Several thought they were being phished.

"The outdoor-apparel brand Patagonia has given 90 U.S. employees a choice," reports Business Insider: "tell the company by Friday that you're willing to relocate or leave your job." [Alternate URL here.] The employees all work in customer services, known at Patagonia as the customer-experience, or CX, team, and have been allowed to work remotely to field calls and inquiries. These workers received a text and email Tuesday morning about an "important" meeting... Two company executives, Amy Velligan and Bruce Old, told staff in a 15-minute video meeting that the team would be moving to a new "hub" model. CX employees are now expected to live within 60 miles of one of seven "hubs" — Atlanta; Salt Lake City; Reno, Nevada; Dallas; Austin; Chicago; or Pittsburgh. Workers were offered $4,000 toward relocation costs and extra paid time off. Those willing to relocate were told to do so by September 30.

If CX staff are not willing to live near a hub city, they must leave the company. They were given 72 hours, until Friday, to confirm their decision... Access to company laptops and phones was shut off later that day until employees either agreed to relocate or said they wanted the severance, one affected CX worker said...

Both employees who spoke to Business Insider believed this was because Patagonia didn't want to handle the increased demands of employees in states with higher costs of living. "We've been asking for raises for a long time, and they keep telling us that your wage is based on a Reno cost of living and where you choose to live is on you."
According to the article, "The company hopes to bring staff together at the hubs at least once every six weeks for in-person training, company gatherings, or 'Activism Hours'." A company spokesperson described the changes as "crucial for us to build a vibrant team culture," and said there were workers who had been complaining about feeling disconnected. Though there may be another motive: "The reality is that our CX team has been running at 200% to 300% overstaffed for much of this year," she added. "While we hoped to reach the needed staffing levels through attrition, those numbers were very low, and retention remained high."
One affected worker told Business Insider that the company's proposal "was very factual. If you don't live in these seven metro areas, you either need to move there or give us your stuff and hit the brick. If we don't respond by Friday, they will assume that we have chosen the severance package and we'll start that process."

One worker added that the severance package they received was generous...

Thanks to Slashdot reader NoWayNoShapeNoForm for sharing the article.

An anonymous reader shares a report: Starting with those builds, Windows 11 will show a Game Pass recommendation / ad within the Settings app. The advertisement will appear on both Windows 11 Home and Windows 11 Pro if you actively play games on your PC. Microsoft lists this feature first under the "Highlights" section of its blog post about the update. Some users aren't pleased. "Microsoft has gone too far," news blog TechRadar wrote.

Indonesian President Joko Widodo ordered on Friday an audit of government data centres after officials said the bulk of data affected by a recent ransomware cyberattack was not backed up, exposing the country's vulnerability to such attacks. From a report: Last week's cyberattack, the worst in Indonesia in recent years, has disrupted multiple government services including immigration and operations at major airports. The government has said more than 230 public agencies, including ministries, had been affected, but has refused to pay an $8 million ransom demanded to retrieve the encrypted data.

Responding to the cyberattack, Indonesia's state auditor said the president instructed it to examine the country's data centres. The audit would cover "governance and the financial aspect", said Muhammad Yusuf Ateh, who heads Indonesia's Development and Finance Controller, after attending a cabinet meeting led by Widodo on Friday. Hinsa Siburian, an official who chairs Indonesia's cyber security agency known by its acronym BSSN, has said 98% of the government data stored in one of the two compromised data centres had not been backed up.

TeamViewer, the company that makes widely used remote access tools for companies, has confirmed an ongoing cyberattack on its corporate network. TechCrunch: In a statement Friday, the company attributed the compromise to government-backed hackers working for Russian intelligence, known as APT29 (and Midnight Blizzard). The Germany-based company said its investigation so far points to an initial intrusion on June 26 "tied to credentials of a standard employee account within our corporate IT environment."

TeamViewer said that the cyberattack "was contained" to its corporate network and that the company keeps its internal network and customer systems separate. The company added that it has "no evidence that the threat actor gained access to our product environment or customer data." Martina Dier, a spokesperson for TeamViewer, declined to answer a series of questions from TechCrunch, including whether the company has the technical ability, such as logs, to determine what, if any, data was accessed or exfiltrated from its network.

An anonymous reader quotes a report from Ars Technica: Temu -- the Chinese shopping app that has rapidly grown so popular in the US that even Amazon is reportedly trying to copy it -- is "dangerous malware" that's secretly monetizing a broad swath of unauthorized user data, Arkansas Attorney General Tim Griffin alleged in a lawsuit (PDF) filed Tuesday. Griffin cited research and media reports exposing Temu's allegedly nefarious design, which "purposely" allows Temu to "gain unrestricted access to a user's phone operating system, including, but not limited to, a user's camera, specific location, contacts, text messages, documents, and other applications."

"Temu is designed to make this expansive access undetected, even by sophisticated users," Griffin's complaint said. "Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place." Griffin fears that Temu is capable of accessing virtually all data on a person's phone, exposing both users and non-users to extreme privacy and security risks. It appears that anyone texting or emailing someone with the shopping app installed risks Temu accessing private data, Griffin's suit claimed, which Temu then allegedly monetizes by selling it to third parties, "profiting at the direct expense" of users' privacy rights. "Compounding" risks is the possibility that Temu's Chinese owners, PDD Holdings, are legally obligated to share data with the Chinese government, the lawsuit said, due to Chinese "laws that mandate secret cooperation with China's intelligence apparatus regardless of any data protection guarantees existing in the United States."

Griffin's suit cited an extensive forensic investigation into Temu by Grizzly Research -- which analyzes publicly traded companies to inform investors -- last September. In their report, Grizzly Research alleged that PDD Holdings is a "fraudulent company" and that "Temu is cleverly hidden spyware that poses an urgent security threat to United States national interests." As Griffin sees it, Temu baits users with misleading promises of discounted, quality goods, angling to get access to as much user data as possible by adding addictive features that keep users logged in, like spinning a wheel for deals. Meanwhile hundreds of complaints to the Better Business Bureau showed that Temu's goods are actually low-quality, Griffin alleged, apparently supporting his claim that Temu's end goal isn't to be the world's biggest shopping platform but to steal data. Investigators agreed, the lawsuit said, concluding "we strongly suspect that Temu is already, or intends to, illegally sell stolen data from Western country customers to sustain a business model that is otherwise doomed for failure." Seeking an injunction to stop Temu from allegedly spying on users, Griffin is hoping a jury will find that Temu's alleged practices violated the Arkansas Deceptive Trade Practices Act (ADTPA) and the Arkansas Personal Information Protection Act. If Temu loses, it could be on the hook for $10,000 per violation of the ADTPA and ordered to disgorge profits from data sales and deceptive sales on the app. In a statement to Ars, a Temu spokesperson discredited Grizzly Research's investigation and said that the company was "surprised and disappointed by the Arkansas Attorney General's Office for filing the lawsuit without any independent fact-finding."

"The allegations in the lawsuit are based on misinformation circulated online, primarily from a short-seller, and are totally unfounded," Temu's spokesperson said. "We categorically deny the allegations and will vigorously defend ourselves."

"We understand that as a new company with an innovative supply chain model, some may misunderstand us at first glance and not welcome us. We are committed to the long-term and believe that scrutiny will ultimately benefit our development. We are confident that our actions and contributions to the community will speak for themselves over time." Last year, Temu was the most downloaded app in the U.S. and has only become more popular as reports of security and privacy risks have come out.

Intel has introduced an advanced optical input/output chiplet, marking what it claims to be a significant leap in data center technology. The optical compute interconnect (OCI) chiplet, unveiled at the Optical Fiber Communication Conference 2024, is designed for integration with CPUs and GPUs and boasts 64 PCIe 5.0 channels transmitting 4 Tbps over 100 meters using fiber optics. Tom's Hardware adds: The chiplet uses dense wavelength division multiplexing (DWDM) wavelengths and consumes only five pico-Joules per bit, significantly more energy-efficient than pluggable optical transceiver modules, which consume about 15 pico-Joules per bit, according to Intel. This device is crucial for next-generation data centers and AI/HPC applications. It will enable high-performance connections for CPU and GPU clusters, coherent memory expansion, and resource disaggregation. These features will be handy for operating supercomputers for large-scale AI models and machine learning tasks that require tremendous data bandwidth.

Brandon Vigliarolo reports via The Register: American healthcare provider Geisinger fears highly personal data on more than a million of its patients has been stolen -- and claimed a former employee at a Microsoft subsidiary is the likely culprit. Geisinger on Monday announced the results of a probe into a November computer security breach, placing the blame on Microsoft-owned Nuance Communications for not cutting off one of its employees' access to corporate files after that person was fired. The Pennsylvania-based healthcare giant uses Nuance as an IT provider. We're told that after the Microsoft-owned entity terminated one of its workers, that staffer two days later may have accessed and taken copies of sensitive records on a huge number of Geisinger patients -- for reasons as yet unknown.

Geisinger -- which says it operates 13 hospitals and has more than 600,000 members -- said it discovered the improper access on November 29, informed Nuance, and the IT supplier immediately cut off the former employee from the healthcare group's data before involving police. "Because it could have impeded their investigation, law enforcement investigators asked Nuance to delay notifying patients of this incident until now," Geisinger claimed, explaining why only now this is coming to light. "The former Nuance employee has been arrested and is facing federal charges." It's not immediately clear if or what charges have been laid -- we've asked Geisinger for details.

Speech recognition firm Nuance performed its own probe, according to Geisinger, and determined that the former employee may have stolen information on a million-plus people. That info would include birth dates, addresses, hospital admission and discharge records, demographic information, and other medical data. The ex-employee didn't swipe insurance or other financial information, the multi-billion-dollar healthcare group stated. "We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges," Geisinger chief privacy officer Jonathan Friesen alleged, adding: "I am sorry that this happened."

National Australia Bank seems to think that monitoring the angle customers hold their phones will offer extra protection against scammers. "Speaking during the Australian Banking Association Conference in Melbourne Wednesday (June 26), CEO Andrew Irvine said the lender introduced more 'friction' to payments processes and new predictive protection tools to spot scammers," reports PYMNTS.com, citing a (paywalled) Bloomberg report. From the report: "We've added tooling that looks at biometrics and the way you actually interact with your devices and how you think about keystrokes," said Irvine, per the report. "If these things are different to how you've used your phone in the past, our intelligence will kick in." Irvine, who called fraudsters the "scourge of our times," also noted that Australia is one of the few countries where bank fraud has declined, the report said.

Still, he said that as scammers have embraced new technology like artificial intelligence, banks have had to shift from making payments fast and simple to adding more steps to protect against fraudulent transactions, per the report. "These threat actors go where the money is," Irvine said, according to the report. "You want to be the best alarm system in the street and right now Australia's leading the way."

Security researchers claim to have discovered exposed API keys in the code of Rabbit's R1 AI device, potentially allowing access to all user responses and company services. The group, known as Rabbitude, says they could send emails from internal Rabbit addresses to demonstrate the vulnerability. 404 Media adds: In a statement, Rabbit said, "Today we were made aware of an alleged data breach. Our security team immediately began investigating it. As of right now, we are not aware of any customer data being leaked or any compromise to our systems. If we learn of any other relevant information, we will provide an update once we have more details."

The U.S. government last week announced an unprecedented ban on selling Russian cybersecurity firm Kaspersky's software, citing national security concerns. The move, effective July 20, has left American resellers confused and worried about its impact. Kaspersky can provide updates to existing customers until September 29, after which the software's effectiveness will diminish. From a report: Avi Fleischer, the founder of Technical Difficulties, told TechCrunch that not only does he sell Kaspersky to his customers, he also uses its products on his phone and personal computer. He added that the ban is "annoying, to say the least," because he will now have to find another antivirus company and migrate all his customers to the new product, which will cost him time and money. "It's just a lot of time lost for nothing. And I don't see how I can even really charge end users for this," Fleischer said in a phone call. "It was my suggestion that they use Kaspersky and now Kaspersky is being banned by the United States government. What am I supposed to do?"

An anonymous reader quotes a report from TorrentFreak: Last week, an in-depth investigative report from JBTC revealed that Korean Internet provider KT, formerly known as Korea Telecom, distributed malware onto subscribers' computers to interfere with and block torrent traffic. File-sharing continues to be very popular in South Korea, but operates differently than in most other countries. "Webhard" services, short for Web Hard Drive, are particularly popular. These are paid BitTorrent-assisted services, which also offer dedicated web seeds, to ensure that files remain available.

Webhard services rely on the BitTorrent-enabled 'Grid System', which became so popular in Korea that ISPs started to notice it. Since these torrent transfers use a lot of bandwidth, which is very costly in the country, providers would rather not have this file-sharing activity on their networks. KT, one of South Korea's largest ISPs with over 16 million subscribers, was previously caught meddling with the Grid System. In 2020, their throttling activities resulted in a court case, where the ISP cited 'network management' costs as the prime reason to interfere. The Court eventually sided with KT, ending the case in its favor, but that wasn't the end of the matter. An investigation launched by the police at the time remains ongoing. New reports now show that the raid on KT's datacenter found that dozens of devices were used in the 'throttling process' and they were doing more than just limiting bandwidth.

When Webhard users started reporting problems four years ago, they didn't simply complain about slow downloads. In fact, the main concern was that several Grid-based Webhard services went offline or reported seemingly unexplainable errors. Since all complaining users were KT subscribers, fingers were pointed in that direction. According to an investigation by Korean news outlet JBTC, the Internet provider actively installed malware on computers of Webhard services. This activity was widespread and effected an estimated 600,000 KT subscribers. The Gyeonggi Southern Police Agency, which carried out the raid and investigation, believes this was an organized hacking attempt. A dedicated KT team allegedly planted malware to eavesdrop on subscribers and interfere with their private file transfers. [...] Why KT allegedly distributed the malware and what it precisely intended to do is unclear. The police believe there were internal KT discussions about network-related costs, suggesting that financial reasons played a role.

Google is switching back to pagination for its search results, abandoning the continuous scroll feature introduced in 2022 for desktop and 2021 for mobile. The change, effective immediately for desktop users, aims to improve search result loading speeds, Google said, adding that infinite scrolling did not significantly enhance user satisfaction. Mobile users will see the change in coming months.

An anonymous reader shares a report: Over the weekend, a clip from a recent interview with Telegram's founder Pavel Durov went semi-viral on X (previously Twitter). In the video, Durov tells right-wing personality Tucker Carlson that he is the only product manager at the company, and that he only employs "about 30 engineers." Security experts say that while Durov was bragging about his Dubai-based company being "super efficient," what he said was actually a red flag for users.

"Without end-to-end encryption, huge numbers of vulnerable targets, and servers located in the UAE? Seems like that would be a security nightmare," Matthew Green, a cryptography expert at Johns Hopkins University, told TechCrunch. (Telegram spokesperson Remi Vaughn disputed this, saying it has no data centers in the UAE.) Green was referring to the fact that -- by default -- chats on Telegram are not end-to-end encrypted like they are on Signal or WhatsApp. A Telegram user has to start a "Secret Chat" to switch on end-to-end encryption, making the messages unreadable to Telegram or anyone other than the intended recipient.

Also, over the years, many people have cast doubt over the quality of Telegram's encryption, given that the company uses its own proprietary encryption algorithm, created by Durov's brother, as he said in an extended version of the Carlson interview. Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation and a longtime expert in the security of at-risk users, said that it's important to remember that Telegram, unlike Signal, is a lot more than just a messaging app.

The Biden administration is investigating China Mobile, China Telecom and China Unicom over concerns the firms could exploit access to American data through their U.S. cloud and internet businesses by providing it to Beijing, Reuters reported Tuesday, citing sources familiar with the matter. From the report: The companies still have a small presence in the United States, for example, providing cloud services and routing wholesale U.S. internet traffic. That gives them access to Americans' data even after telecom regulators barred them from providing telephone and retail internet services in the United States.

Reuters found no evidence the companies intentionally provided sensitive U.S. data to the Chinese government or committed any other type of wrongdoing. The investigation is the latest effort by Washington to prevent Beijing from exploiting Chinese firms' access to U.S. data to harm companies, Americans or national security, as part of a deepening tech war between the geopolitical rivals. It shows the administration is trying to shut down all remaining avenues for Chinese companies already targeted by Washington to obtain U.S. data.

An anonymous reader shares a report: Microsoft has made OneDrive slightly more annoying for Windows 11 users. Quietly and without any announcement, the company changed Windows 11's initial setup so that it could turn on the automatic folder backup without asking for it. Now, those setting up a new Windows computer the way Microsoft wants them to (in other words, connected to the internet and signed into a Microsoft account) will get to their desktops with OneDrive already syncing stuff from folders like Desktop Pictures, Documents, Music, and Videos.

Depending on how much is stored there, you might end up with a desktop and other folders filled to the brim with shortcuts to various stuff right after finishing a clean Windows installation. Automatic folder backup in OneDrive is a very useful feature when used properly and when the user deliberately enables it. However, Microsoft decided that sending a few notification prompts to enable folder backup was not enough, so it just turned the feature on without asking anybody or even letting users know about it, resulting in a flood of Reddit posts about users complaining about what the hell are those green checkmarks next to files and shortcuts on their desktops.