AI

Europe Proposes Strict Rules For Artificial Intelligence (nytimes.com) 27

An anonymous reader quotes a report from The New York Times: The European Union unveiled strict regulations on Wednesday to govern the use of artificial intelligence, a first-of-its-kind policy that outlines how companies and governments can use a technology seen as one of the most significant, but ethically fraught, scientific breakthroughs in recent memory. The draft rules would set limits around the use of artificial intelligence in a range of activities, from self-driving cars to hiring decisions, bank lending, school enrollment selections and the scoring of exams. It would also cover the use of artificial intelligence by law enforcement and court systems -- areas considered "high risk" because they could threaten people's safety or fundamental rights.

Some uses would be banned altogether, including live facial recognition in public spaces, though there would be several exemptions for national security and other purposes. The 108-page policy is an attempt to regulate an emerging technology before it becomes mainstream. The rules have far-reaching implications for major technology companies that have poured resources into developing artificial intelligence, including Amazon, Google, Facebook and Microsoft, but also scores of other companies that use the software to develop medicine, underwrite insurance policies and judge credit worthiness. Governments have used versions of the technology in criminal justice and the allocation of public services like income support. Companies that violate the new regulations, which could take several years to move through the European Union policymaking process, could face fines of up to 6 percent of global sales.

The European Union regulations would require companies providing artificial intelligence in high-risk areas to provide regulators with proof of its safety, including risk assessments and documentation explaining how the technology is making decisions. The companies must also guarantee human oversight in how the systems are created and used. Some applications, like chatbots that provide humanlike conversation in customer service situations, and software that creates hard-to-detect manipulated images like "deepfakes," would have to make clear to users that what they were seeing was computer generated. [...] Release of the draft law by the European Commission, the bloc's executive body, drew a mixed reaction. Many industry groups expressed relief that the regulations were not more stringent, while civil society groups said they should have gone further.

Security

Signal CEO Hacks Cellebrite iPhone Hacking Device Used By Cops (vice.com) 69

FlatEric521 shares a report: Moxie Marlinspike, the founder of the popular encrypted chat app Signal, claims to have hacked devices made by the infamous phone unlocking company Cellebrite, which has famously worked with cops to circumvent encryption such as Signal's. In a blog post Wednesday, Marlinspike not only published details about the new exploits for Cellebrite devices but seemed to suggest that Signal's code could be theoretically altered to hack Cellebrite devices en masse. "We were surprised to find that very little care seems to have been given to Cellebrite's own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present," Marlinspike wrote in the post. "Any app could contain such a file, and until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices."

Marlinspike claims (whether you believe this portion of the post or not is up to you) that while he was on a walk he happened to find a Cellebrite phone unlocking device: "By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters." Along with his colleagues, Marlinspike analyzed the device and found that it included several vulnerabilities that could allow an attacker to include an "otherwise innocuous file in an app" that when it gets scanned by a Cellebrite device exploits it and tampers with the device and the data it can access.

Security

Hackers Target Iconic Japan's Toshiba Rival Hoya With Ransomware (bloomberg.com) 17

A group of hackers executed a ransomware attack on Hoya, marking the second successful attack suffered by the Japanese firm in two years. From a report: "We can confirm that Hoya Vision Care US has experienced a cyberattack. Based on our initial forensics, the disruption appears to have been limited to our United States systems," a Hoya spokesperson said. "After identifying the threat, we quickly took action to contain it and contacted law enforcement. The company has engaged external experts to determine the nature and scope of this event. We will provide updates as more information becomes available." Hoya, named after the West Tokyo neighborhood where it was founded in 1941, is a glassmaker with about 37,000 employees worldwide and about $5 billion in annual revenue. Last year the company got 65% of its sales from contact lenses and glasses, while the rest came from information technology devices and services such as the glass substrate used in the manufacturing of semiconductors and hard disk drives, according to the company's 2020 report. The hacker group called Astro Team said on its blog last week that it targeted Hoya servers and stole about 300 gigabytes of confidential corporate data including finance, production, email messages, passwords and safety reports. In 2019, Hoya suffered a major cyberattack, infecting over 100 computers and forcing the company to shut down its factories for three days.

Privacy

The Postal Service is Running a 'Covert Operations Program' That Monitors Americans' Social Media Posts (yahoo.com) 91

The law enforcement arm of the U.S. Postal Service has been quietly running a program that tracks and collects Americans' social media posts, including those about planned protests, according to a document obtained by Yahoo News. From the report: The details of the surveillance effort, known as iCOP, or Internet Covert Operations Program, have not previously been made public. The work involves having analysts trawl through social media sites to look for what the document describes as "inflammatory" postings and then sharing that information across government agencies. "Analysts with the United States Postal Inspection Service (USPIS) Internet Covert Operations Program (iCOP) monitored significant activity regarding planned protests occurring internationally and domestically on March 20, 2021," says the March 16 government bulletin, marked as "law enforcement sensitive" and distributed through the Department of Homeland Security's fusion centers. "Locations and times have been identified for these protests, which are being distributed online across multiple social media platforms, to include right-wing leaning Parler and Telegram accounts."

Social Networks

Uber and Just Eat Takeaway CEOs Spar on Twitter as European Food Delivery Battle Heats Up (cnbc.com) 14

The CEOs of Uber and Just Eat Takeaway on Wednesday became engaged in a public spat after Uber announced it is planning to launch in Germany -- a market that is currently dominated by Just Eat Takeaway. From a report: Uber Eats will launch in Berlin in the next few weeks and potentially expand into other German cities in the coming months. The news was first reported by The Financial Times and confirmed to CNBC. Just Eat Takeaway CEO Jitse Groen accused Uber CEO Dara Khosrowshahi of trying to "depress" his firm's share price on Twitter on Wednesday. Shares of Just Eat Takeaway closed down almost 3%. Khosrowshahi responded: "Advice: pay a little less attention to your short term stock price and more attention to your Tech and Ops." Shortly thereafter, Groen replied: "If I may ... start paying taxes, minimum wage and social security premiums before giving a founder advice on how he should run his business."

Security

Google Chrome Hit In Another Mysterious Zero-Day Attack (securityweek.com) 56

wiredmikey shares a report from SecurityWeek: Google late Tuesday shipped another urgent security patch for its dominant Chrome browser and warned that attackers are exploiting one of the zero-days in active attacks. This is the fourth in-the-wild Chrome zero-day discovered so far in 2021, and the continued absence of IOC data or any meaningful information about the attacks continues to raise eyebrows among security experts.

The newest Chrome update -- 90.0.4430.85 -- is available for Windows, Mac and Linux users and is being rolled out via the browser's automatic update mechanism. The vulnerability being exploited is identified as CVE-2021-21224 and simply described as a "type confusion" in the V8 Chrome rendering engine. Google credited Jose Martinez (tr0y4) from VerSprite Inc. for reporting the vulnerability. "Google is aware of reports that exploits for CVE-2021-21224 exist in the wild," the company said, with no additional details.

Social Networks

MI5 Warns of Spies Using LinkedIn To Trick Staff Into Spilling Secrets (bbc.com) 34

According to the United Kingdom's Security Service, known as MI5, hostile states are creating fake LinkedIn profiles to trick users into spilling secrets. The BBC reports: At least 10,000 UK nationals have been approached by fake profiles linked to hostile states, on the professional social network LinkedIn, over the past five years, according to MI5. "Malicious profiles" are being used on "an industrial scale," the security agency's chief, Ken McCallum, said. A campaign has been launched to educate government workers about the threat. The effort -- Think Before You Link -- warns foreign spies are targeting those with access to sensitive information. One concern is the victims' colleagues, in turn, become more willing to accept follow-up requests - because it looks as if they share a mutual acquaintance.

MI5 did not specifically name LinkedIn but BBC News has learned the Microsoft-owned service is indeed the platform involved. The 10,000-plus figure includes staff in virtually every government department as well as key industries, who might be offered speaking or business and travel opportunities that could lead to attempts to recruit them to provide confidential information. And it is thought a large number of those approached engaged initially with the profiles that contacted them online.

Security

Hackers Are Exploiting a Pulse Secure 0-Day To Breach Orgs Around the World (arstechnica.com) 31

An anonymous reader quotes a report from Ars Technica: Hackers backed by nation-states are exploiting critical vulnerabilities in the Pulse Secure VPN to bypass two-factor authentication protections and gain stealthy access to networks belonging to a raft of organizations in the US Defense industry and elsewhere, researchers said. At least one of the security flaws is a zero-day, meaning it was unknown to Pulse Secure developers and most of the research world when hackers began actively exploiting it, security firm Mandiant said in a blog post published Tuesday. Besides CVE-2021-22893, as the zero-day is tracked, multiple hacking groups -- at least one of which likely works on behalf of the Chinese government -- are also exploiting several Pulse Secure vulnerabilities fixed in 2019 and 2020.

Used alone or in concert, the security flaws allow the hackers to bypass both single-factor and multifactor authentication protecting the VPN devices. From there, the hackers can install malware that persists across software upgrades and maintain access through webshells, which are browser-based interfaces that allow hackers to remotely control infected devices. Multiple intrusions over the past six months have hit defense, government, and financial organizations around the world, Tuesday's post reported. Separately, the US Cybersecurity and Infrastructure Security Agency said that targets also include US government agencies, critical infrastructure entities, and other private sector organizations. Mandiant said that it has uncovered "limited evidence" that tied one of the hacker groups to the Chinese government. Dubbed UNC2630, this previously unknown team is one of at least two hacking groups known to be actively exploiting the vulnerabilities. Tuesday's blog post also referred to another previously unseen group that Mandiant is calling UNC2717. In March, the group used malware Mandiant identifies as RADIALPULSE, PULSEJUMP, and HARDPULSE against Pulse Secure systems at a European organization.

Pulse Secure on Tuesday published an advisory instructing users how to mitigate the currently unpatched security bug.

Security

Ransomware Gang Tried To Extort Apple Hours Ahead of Tuesday Event (therecord.media) 18

An anonymous reader writes: The operators of the REvil ransomware are demanding that Apple pay a ransom demand to avoid having confidential information leaked on the dark web. The REvil crew claims it came into possession of Apple product data after breaching Quanta Computer, a Taiwanese company that is the biggest laptop manufacturer in the world and which is also one of the companies that assemble official Apple products based on pre-supplied product designs and schematics.

The REvil gang posted 21 screenshots depicting MacBook schematics and threatened to publish new data every day until May 1, or until Apple or Quanta pay the ransom demand. The extortion attempt was also perfectly timed for maximum visibility to coincide with the Spring Loaded event, where Apple announced new products and software updates.

Facebook

Would Be Cool if Everyone Normalized These Pesky Data Leaks, Says Data-Leaking Facebook in Leaked Memo (theregister.com) 32

Facebook wants you to believe that the scraping of 533 million people's personal data from its platform, and the dumping of that data online by nefarious people, is something to be "normalised." The Register: A blundering Facebook public relations operative managed to send a journalist a copy of an internal document detailing the social network's strategy for containing the leaking of 533 million accounts -- and what the memo contained was infuriating though unsurprising. Belgian tech journalist Pieterjan van Leemputten asked the Mark Zuckerberg-owned company some questions about the theft and dumping online of account data earlier this month.

Miscreants had helped themselves to 70GB of names, phone numbers, dates of birth, email addresses, and more from people's Facebook profiles, thanks to a security weakness in the platform. Having stolen the data in 2019, crims bought and sold it among themselves before one shared it via a Tor-hidden site in early April, inviting anyone to come and help themselves to it all. Yet when van Leemputten asked Facebook's mouthpieces to respond, what he got in return was quite unexpected. As he told The Register: "Facebook accidentally sent me an internal email where they literally state that they will frame the recent 533 million data leak as a 'broad industry issue' and that they want to normalize this." The memo added, "To do this, the team is proposing a follow-up post in the next several weeks that talks more broadly about our anti-scraping work and provides more transparency around the amount of work we're doing in this area."

Privacy

Geico Admits Fraudsters Stole Customers' Driver's License Numbers For Months (techcrunch.com) 20

Geico, the second-largest auto insurer in the U.S., has fixed a security bug that let fraudsters steal customers' driver's license numbers from its website. From a report: In a data breach notice filed with the California attorney general's office, Geico said information gathered from other sources was used to "obtain unauthorized access to your driver's license number through the online sales system on our website." The insurance giant did not say how many customers were affected by the breach but said the fraudsters accessed customer driver's license numbers between January 21 and March 1. Companies are required to alert the state's attorney general's office when more than 500 state residents are affected by a security incident. Geico said it had "reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name." Many financially driven criminals target government agencies using stolen identities or data. But many U.S. states require a government ID -- like a driver's license -- to file for unemployment benefits. To get a driver's license number, fraudsters take public or previously breached data and exploit weaknesses in auto insurance websites to obtain a customer's driver's license number. That allows the fraudsters to obtain unemployment benefits in another person's name.

Government

US Unveils Plan To Protect Power Grid From Foreign Hackers (bloomberg.com) 55

The White House unveiled on Tuesday a 100-day plan intended to protect the U.S. power grid from cyber-attacks, mainly by creating a stronger relationship between U.S. national security agencies and the mostly private utilities that run the electrical system. From a report: The plan is among the first big steps toward fulfilling the Biden administration's promise to urgently improve the country's cyber defenses. The nation's power system is both highly vulnerable to hacking and a target for nation-state adversaries looking to counter the U.S. advantage in conventional military and economic power. "The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses," Secretary of Energy Jennifer Granholm said. Although the plan is billed as a 100-day sprint -- which includes a series of consultations between utilities and the government -- it will likely take years to fully implement, experts say. It will ask utilities to pay for and install technology to better detect hacks of the specialized computers that run the country's power systems, known as industrial control systems. The Edison Electric Institute, the trade group that represents all U.S. investor-owned electric companies, praised the White House plan and the Biden administration's focus on cybersecurity. "Given the sophisticated and constantly changing threats posed by adversaries, America's electric companies remain focused on securing the industrial control systems that operate the North American energy grid," said EEI president Tom Kuhn.

The Internet

WordPress To Automatically Disable Google FLoC On Websites (bleepingcomputer.com) 78

AmiMoJo writes: WordPress announced over the weekend that they plan on treating Google's new FLoC tracking technology as a security concern and hence block it by default on WordPress sites. For some time, browsers have begun to increasingly block third-party browser cookies used by advertisers for interest-based advertising. In response, Google introduced a new ad tracking technology called Federated Learning of Cohorts, or FLoC, that uses a web browser to anonymously place users into interest or behavioral buckets based on how they browse the web. After Google began testing FLoC this month in Google Chrome, there has been a consensus among privacy advocates that Google's FLoC implementation just replaces one privacy risk with another one.

"WordPress powers approximately 41% of the web -- and this community can help combat racism, sexism, anti-LGBTQ+ discrimination and discrimination against those with mental illness with four lines of code," says WordPress. WordPress states that this code is planned for WordPress 5.8, scheduled for release in July 2021. As FLoC is expected to roll out sooner, WordPress is considering back-porting this code to earlier versions to "amplify the impact" on current versions of the blogging platform.
Further reading: Nobody is Flying To Join Google's FLoC.

Businesses

Mastercard is Acquiring Identity Verification Company Ekata for $850M (techcrunch.com) 5

As online identity management grows in importance, Mastercard swooped in this morning and bought identity verification company Ekata for $850 million. From a report: Mastercard certainly sees the rapid digital transformation that is happening in online commerce, a move that was accelerated by COVID. It's a transformation that once started isn't likely to change back to the old ways of doing business, even when we get past the pandemic. With Ekata, the company gets a solution that can verify the online identity of a person making the transaction in real time using various signals that can indicate if this is fraudulent or true as they open an account or transact business. The company provides a score and other data that predicts the likelihood this person is who they say they are. It's not unlike a credit risk score, except for identity. That was one of the primary reasons Mastercard decided to acquire Ekata, according to Ajay Bhalla, president of cyber and intelligence solutions at the company. "With the addition of Ekata, we will advance our identity capabilities and create a safer, seamless way for consumers to prove who they say they are in the new digital economy," Bhalla said in a statement.

AI

US Banks Deploy AI To Monitor Customers, Workers Amid Tech Backlash (reuters.com) 35

Several U.S. banks have started deploying camera software that can analyze customer preferences, monitor workers and spot people sleeping near ATMs, even as they remain wary about possible backlash over increased surveillance, Reuters reported Monday, citing more than a dozen banking and technology sources. From the report: Previously unreported trials at City National Bank of Florida and JPMorgan Chase & Co as well as earlier rollouts at banks such as Wells Fargo & Co offer a rare view into the potential U.S. financial institutions see in facial recognition and related artificial intelligence systems. Widespread deployment of such visual AI tools in the heavily regulated banking sector would be a significant step toward their becoming mainstream in corporate America. Bobby Dominguez, chief information security officer at City National, said smartphones that unlock via a face scan have paved the way. "We're already leveraging facial recognition on mobile," he said. "Why not leverage it in the real world?"

City National will begin facial recognition trials early next year to identify customers at teller machines and employees at branches, aiming to replace clunky and less secure authentication measures at its 31 sites, Dominguez said. Eventually, the software could spot people on government watch lists, he said. JPMorgan said it is "conducting a small test of video analytic technology with a handful of branches in Ohio." Wells Fargo said it works to prevent fraud but declined to discuss how.

United Kingdom

UK Invokes National Security To Probe Nvidia's ARM Deal (reuters.com) 27

The UK government will look into the national security implications of U.S. group Nvidia's purchase of British chip designer ARM, it said on Monday, putting a question mark over the $40 billion deal. From a report: Digital minister Oliver Dowden said on Monday he had issued a so-called "intervention notice" over the sale of ARM by Japan's SoftBank to Nvidia. "As a next step and to help me gather the relevant information, the UK's independent competition authority will now prepare a report on the implications of the transaction, which will help inform any further decisions," he said. Nvidia said it did not believe the deal posed any material national security issues.

The Almighty Buck

Edward Snowden's NFT Self-Portrait Sells for $5.4 Million in Charity Auction (gizmodo.com) 28

Gizmodo reports: The latest big name to get in on the NFT craze is former intelligence contractor and whistleblower Edward Snowden, who on Friday auctioned off an original NFT art piece for roughly $5.4 million worth of the cryptocurrency Ether. Titled "Stay Free", it's a digital self-portrait made out of pages from a U.S. Court of Appeals decision that ruled the National Security Agency's widespread surveillance of phone records violated the law, a practice Snowden brought to light in 2013 by leaking classified NSA secrets to journalists...

The NFT sold for 2,224 Ether, worth just over $5.4 million at the time of publishing. All proceeds from this sale will go to the Freedom of the Press Foundation, a non-profit that develops open-source tools for whistleblowers and works to shield journalists from state-sponsored hackers and government surveillance. Snowden has led the organization as president since 2017.

Government

Proposing an Alternative To Renting or Owning a House: Publicly-Owned Housing (theatlantic.com) 310

"Renting is terrible. Owning is worse. A third option is necessary," argues a recent article in the Atlantic, "a way to rent without making someone else rich."

It's written by Shane Phillips, who's the Housing Initiative Project Manager at UCLA's Lewis Center for Regional Policy Studies: Largely as a consequence of housing prices, Generation X held less than half as much wealth in 2019 as Baby Boomers of the same age did two decades earlier, and Millennials are on course to hold even less. Something has gone catastrophically wrong, and the problem won't be solved by doubling down on homeownership; we've seen where that leads. But our current model of renting — a lifetime of uncertainty only to make someone else rich — won't do the job either. We need something new, an innovation on par with the government's development of 30-year mortgages nearly a century ago. We need a housing option that combines the accessibility, flexibility, and limited risk of renting with some of the stability and wealth-generating potential of homeownership.

His suggested solution? A public-ownership rental option: The foundation of the program would be quite simple: public ownership of housing, acquired or built with government loans — though run by local for-profit or nonprofit property managers — and rented at market prices. No saving for a down payment (or being given one by family) and no qualifying for a mortgage. The only requirements for participation in the public-ownership option would be (1) move in, and (2) pay rent.

As the loans were paid down, the equity would accrue to the tenants, minus the cost of operating and maintaining the building, administrative costs, and so on. Unlike rent-to-own programs, however, this option would never require that the tenant take out a mortgage. A renter would never truly "own" her unit. But she would claim a stake in the public portfolio of properties and be able to draw on that asset, perhaps in the form of monthly payments after a few years of renting, or larger dividends later in life, much like Social Security. The benefit could be transferred to any publicly owned apartment, allowing tenants to build wealth without being locked in place. After 35 or 40 years, a tenant might no longer owe any rent at all...

Renting in a public-ownership building would be an option for the large number of middle-income individuals who lack the resources or the immediate desire to become homeowners.

Open Source

Openwall Releases 'Linux Kernel Runtime Guard' 0.9.0 (linuxreviews.org) 7

Long-time Slashdot reader xiando shares news from LinuxReviews: Linux Kernel Runtime Guard (LKRG) is a security module for the Linux kernel developed by Openwall. The latest release adds compatibility with Linux kernels up to the soon-to-be-released 5.12, support for building LKRG into kernel images, support for old 32-bit x86 machines and more...

The Linux Kernel Runtime Guard is an out-of-tree kernel module you can install as a kernel module, or, with the 0.9.0 release, build into your Linux kernel. It does run-time integrity checks to detect security vulnerability exploits against the Linux kernel.

An Openwall developer also notes in the announcement that "During LKRG development and testing I've found 7 Linux kernel bugs, 4 of them have CVE numbers."

China

China and Huawei's Dystopian 'New IP' Plan for 6G (justsecurity.org) 239

Long-time Slashdot reader schwit1 shared this analysis from Just Security: Huawei's plans for 6G and beyond make U.S. concerns over 5G look paltry: Huawei is proposing a fundamental internet redesign, which it calls "New IP," designed to build "intrinsic security" into the web. Intrinsic security means that individuals must register to use the internet, and authorities can shut off an individual user's internet access at any time. In short, Huawei is looking to integrate China's "social credit," surveillance, and censorship regimes into the internet's architecture...

To avoid scrutiny of New IP's shortcomings, Huawei has circumvented international standards bodies where experts might challenge the technical shortcomings of the proposal. Instead, Huawei has worked through the United Nations' International Telecommunications Union (ITU), where Beijing holds more political sway...

Huawei dominance on New IP and 6G would not only create a less free, less interoperable internet, it would pave the way for authoritarian governments to gain expanded say over future changes to the internet for years to come.
