WordPress co-founder Matt Mullenweg has asserted his personal ownership of WordPress.org in a new interview, offering new insight into his clash with hosting provider WP Engine. "WordPress.org just belongs to me personally," Mullenweg told The Verge, justifying his decision to cut WP Engine's access to WordPress.org servers. He cited trademark concerns and insufficient ecosystem contributions as key reasons for the action.

Mullenweg said he altered WordPress Foundation's trademark policies to specifically target WP Engine, adding language about their lack of donations. He likened his approach to getting "Al Capone for taxes," using trademark leverage to pressure the company into greater contributions.

A sophisticated malware strain has infected thousands of Linux systems since 2021, exploiting over 20,000 common misconfigurations and a critical Apache RocketMQ vulnerability, researchers at Aqua Security reported. Dubbed Perfctl, the malware employs advanced stealth techniques, including rootkit installation and process name mimicry, to evade detection. It persists through system reboots by modifying login scripts and copying itself to multiple disk locations. Perfctl hijacks systems for cryptocurrency mining and proxy services, while also serving as a backdoor for additional malware. Despite some antivirus detection, the malware's ability to restart after removal has frustrated system administrators.

Cybersecurity firm IronNet, founded by former NSA director Keith Alexander, has collapsed after failing to deliver on its promise to revolutionize cyber defense. The company, which went public in 2021 with a $3 billion valuation, shut down in September 2023 after running out of money.

IronNet's downfall has left investors and former employees bitter, with some accusing the company of misleading them about its financial health. "I'm honestly ashamed that I was ever an executive at that company," said Mark Berly, a former IronNet vice president. He said the company's top leaders cultivated a culture of deceit "just like Theranos." Critics point to questionable business practices, subpar products, and associations that potentially exposed the firm to Russian influence. The company's board included high-profile national security figures, which helped attract investments and contracts. However, IronNet struggled to secure major deals and meet revenue projections.

Apple just fixed a duo of security bugs in iOS 18.0.1 and iPadOS 18.0.1, one of which might cause users' saved passwords to be read aloud. It's hardly an ideal situation for the visually impaired. From a report: For those who rely on the accessibility features baked into their iGadgets, namely Apple's VoiceOver screen reader, now is a good time to apply the latest update. In typical Apple fashion, the company hasn't released much in the way of details about the first security issue, tracked as CVE-2024-44204, which makes it tougher to understand the conditions under which this vulnerability could be triggered, or how to avoid it until the update is applied. What we do know is that it was characterized as a logic issue, which Apple rectified by improving validation. The disclosure of the bug comes less than a month after iOS 18 and iPadOS 18 debuted. Ironically, this release included Apple's first native password manager, the Passwords app.

Cloudflare has emerged victorious in a patent infringement lawsuit against Sable Networks, securing a $225,000 settlement and forcing the patent holder to dedicate its entire portfolio to the public domain. The case, which began in March 2021 with Sable asserting nearly 100 claims across four patents, concluded after a Texas jury found Cloudflare not guilty of infringement in February 2024.

Sable, described by Cloudflare as a "patent troll," had previously sued several tech companies, including Cisco and Juniper Networks, who settled out of court. Cloudflare's aggressive defense strategy included launching Project Jengo, a crowd-sourced initiative to invalidate Sable's patents. The settlement prevents Sable from asserting these patents against any other company in the future, marking a significant blow to patent trolling practices in the tech industry. In a blog post, Cloudflare adds: While this $225,000 can't fully compensate us for the time, energy and frustration of having to deal with this litigation for nearly three years, it does help to even the score a bit. And we hope that it sends an important message to patent trolls everywhere to beware before taking on Cloudflare.

An anonymous reader quotes a report from KrebsOnSecurity: Organizations that get relieved of credentials to their cloud environments can quickly find themselves part of a disturbing new trend: Cybercriminals using stolen cloud credentials to operate and resell sexualized AI-powered chat services. Researchers say these illicit chat bots, which use custom jailbreaks to bypass content filtering, often veer into darker role-playing scenarios, including child sexual exploitation and rape. Researchers at security firm Permiso Security say attacks against generative artificial intelligence (AI) infrastructure like Bedrock from Amazon Web Services (AWS) have increased markedly over the last six months, particularly when someone in the organization accidentally exposes their cloud credentials or key online, such as in a code repository like GitHub.

Investigating the abuse of AWS accounts for several organizations, Permiso found attackers had seized on stolen AWS credentials to interact with the large language models (LLMs) available on Bedrock. But they also soon discovered none of these AWS users had enabled logging (it is off by default), and thus they lacked any visibility into what attackers were doing with that access. So Permiso researchers decided to leak their own test AWS key on GitHub, while turning on logging so that they could see exactly what an attacker might ask for, and what the responses might be. Within minutes, their bait key was scooped up and used in a service that offers AI-powered sex chats online.

"After reviewing the prompts and responses it became clear that the attacker was hosting an AI roleplaying service that leverages common jailbreak techniques to get the models to accept and respond with content that would normally be blocked," Permiso researchers wrote in a report released today. "Almost all of the roleplaying was of a sexual nature, with some of the content straying into darker topics such as child sexual abuse," they continued. "Over the course of two days we saw over 75,000 successful model invocations, almost all of a sexual nature."

An anonymous reader shares a report: It's not exactly breaking news that people reuse passwords, but you might expect password manager subscribers to avoid the practice. You'd be wrong, according to a new study. Dashlane's downer of a report draws on saved logins analyzed on-device by Dashlane's software across "millions" of individual and business accounts. It finds dismally high percentages of password reuse worldwide. The US and Canada rank the worst of every region Dashlane tracked, with 48% of passwords in individual password vaults being reused. Another 15% rate as compromised, meaning those passwords have shown up in data breaches.

Combined with other security data points, the US and Canada land at a security score of 72.6 out of 100 in Dashlane's report, the lowest of all 14 regions covered in the study. The report, along with the Password Health score that Dashlane's software computes for individual users, emphasizes the longstanding problem of password reuse because that practice leaves its practitioners so vulnerable to getting hacked.Â

An anonymous reader quotes a report from Ars Technica: Attackers are actively exploiting a critical vulnerability in mail servers sold by Zimbra in an attempt to remotely execute malicious commands that install a backdoor, researchers warn. The vulnerability, tracked as CVE-2024-45519, resides in the Zimbra email and collaboration server used by medium and large organizations. When an admin manually changes default settings to enable the postjournal service, attackers can execute commands by sending maliciously formed emails to an address hosted on the server. Zimbra recently patched the vulnerability. All Zimbra users should install it or, at a minimum, ensure that postjournal is disabled.

On Tuesday, Security researcher Ivan Kwiatkowski first reported the in-the-wild attacks, which he described as "mass exploitation." He said the malicious emails were sent by the IP address 79.124.49[.]86 and, when successful, attempted to run a file hosted there using the tool known as curl. Researchers from security firm Proofpoint took to social media later that day to confirm the report. On Wednesday, security researchers provided additional details that suggested the damage from ongoing exploitation was likely to be contained. As already noted, they said, a default setting must be changed, likely lowering the number of servers that are vulnerable. [...]

Proofpoint has explained that some of the malicious emails used multiple email addresses that, when pasted into the CC field, attempted to install a webshell-based backdoor on vulnerable Zimbra servers. The full cc list was wrapped as a single string and encoded using the base64 algorithm. When combined and converted back into plaintext, they created a webshell at the path: /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp. Proofpoint went on to say: "Once installed, the webshell listens for inbound connection with a pre-determined JSESSIONID Cookie field; if present, the webshell will then parse the JACTION cookie for base64 commands. The webshell has support for command execution via exec or download and execute a file over a socket connection."

The Verge's Gaby Del Valle reports: New York City Mayor Eric Adams, who was indicted last week on charges including fraud, bribery, and soliciting donations from foreign nationals, told federal investigators he forgot his phone password before handing it over, according to charging documents. That was almost a year ago, and investigators still can't get into the phone, prosecutors said Wednesday.

During a federal court hearing, prosecutor Hagan Scotten said the FBI's inability to get into Adams' phone is a "significant wild card," according to a report from the New York Post. The FBI issued a search warrant for Adams' devices in November 2023. Adams initially handed over two phones but didn't have his personal device on him. The indictment does not mention what type of device Adams uses. When Adams turned in his personal cellphone the following day, charging documents say, he said he had changed the password a day prior -- after learning about the investigation -- and couldn't remember it. Adams told investigators he changed the password "to prevent members of his staff from inadvertently or intentionally deleting the contents of his phone," the indictment alleges. The FBI just needs the right tools. When investigators failed to break into the Trump rally shooter's phone in July, they sent the device to the FBI lab in Quantico, Virginia, where agents used an unreleased tool from the Israeli company Cellebrite to crack it in less than an hour.

Microsoft is bringing some new AI-powered Paint and Photos features to Copilot Plus PCs that could make creatives less reliant on more powerful image editing software. From a report: Generative Fill and Generative Erase -- which appear to be heavily inspired by similar AI tools in Adobe Photoshop -- are being introduced to Paint, allowing users to precisely add or remove objects in their images.

Both tools utilize a size-adjustable brush to "paint" over specific areas of an image to edit. Generative Erase will remove unwanted figures, objects like background clutter, and other distractions, similar to the Magic Eraser feature on Google's Pixel phones. Generative Fill allows Paint users to add new AI-generated assets to an image using a text description and select precisely where they should be placed -- much like the Photoshop tool that shares the same name. These build on the Cocreator tool for Paint announced for Copilot Plus PCs earlier this year that can generate images using a combination of text prompts and reference sketches. The company says the diffusion-based model powering these features has been updated to improve output quality and speed and now includes "built-in moderation" to help prevent it from being abused.

Microsoft has unveiled new features for its Copilot AI assistant, including screen analysis and voice interaction capabilities. Copilot Vision, available to Copilot Pro subscribers, can analyze web content in Microsoft Edge and answer queries about on-screen information. The company said processed data is immediately deleted and not used for model training.

A new Think Deeper function aims to tackle complex problems using advanced reasoning models. Copilot Voice introduces synthetic speech output and voice input in select English-speaking countries. Microsoft also announced personalization features, leveraging user history to tailor Copilot recommendations. This functionality will be limited initially, with the company evaluating options for European Economic Area users due to regulatory considerations.

A Russian criminal gang secretly conducted cyberattacks and espionage operations against NATO allies on the orders of the Kremlin's intelligence services, according to the UK's National Crime Agency. From a report: Evil Corp., which includes a man who gained notoriety for driving a Lamborghini luxury sports car, launched the hacks prior to 2019, the NCA said in statement on Tuesday. The gang has been accused of using malicious software to extort millions of dollars from hundreds of banks and financial institutions in more than 40 countries. In December 2019, the US government sanctioned Evil and accused its alleged leader, Maksim Yakubets, of providing "direct assistance" to the Russian state, including by "acquiring confidential documents." The NCA's statement on Tuesday provides new detail on the work Yakubets and other members allegedly carried out to aid the Kremlin's geopolitical aims. The exact nature of the hacks against the North Atlantic Treaty Organization allies wasn't immediately clear.

Sonos CEO Patrick Spence has unveiled a plan to address the fallout from the company's botched app release in May 2024. The audio equipment maker aims to overhaul its software development practices and rebuild customer trust after the controversial update sparked widespread criticism, The Verge reports.

The company will extend warranties by one year for select products and implement more rigorous testing processes, including an expanded beta program. Sonos has also pledged to introduce major app changes gradually and create an opt-in system for experimental features.

To improve internal accountability, Sonos will appoint a "quality ombudsperson" to escalate concerns and report to leadership. The firm also plans to establish a customer advisory board for pre-launch feedback. Executive bonuses will be tied to app quality improvements and regaining customer confidence.

Thousands of Verizon users across the United States reported having little or no cellphone service on Monday morning in major cities, including in Atlanta, Chicago, Denver, New York and Phoenix. From a report: According to the website Downdetector, which tracks user reports of internet disruptions, more than 104,000 cases of Verizon outages were reported across the country as of 11:20 a.m. Eastern, more than an hour after the first issues were reported.

A map posted on the site showed cities with the most reports. On the site, many users said their cellphones were intermittently displaying SOS mode and that they could not place calls or send or receive text messages. "We're aware of the issue affecting service for some customers," a spokesman for Verizon, Ilya Hemlin, said in a telephone interview at 11:30 a.m. "Our engineers are engaged and we are working quickly to solve the issue," he added.

AMD has released BIOS updates to boost performance and reduce latency for its Ryzen 9600X and 9700X processors. The updates come a month after disappointing Zen 5 desktop CPU reviews and coincide with Windows 11 optimizations for AMD chips. The new AGESA PI 1.2.0.2 firmware addresses high core-to-core latency issues and introduces a 105-watt cTDP option, promising up to 10% performance gains for multithreaded workloads.

Long-time Slashdot reader AsylumWraith writes: Visual Capitalist has posted an article and graph showing that, on average, 67% of US tech workers would be interested in joining a union.

The percentage is highest at companies like Intuit, with 94% or respondents indicating they'd be interested in joining a union. On the other end of the scale, fewer than half of the employees at Apple, Tesla, and Google, who were surveyed were interested in such a move.

"After complaining that Gen Z grads are difficult to work with for the best part of two years, bosses are no longer all talk, no action — now they're rapidly firing young workers who aren't up to scratch just months after hiring them," writes Fortune.

"According to a new report, six in 10 employers say they have already sacked some of the Gen Z workers they hired fresh out of college earlier this year." Intelligent.com, a platform dedicated to helping young professionals navigate the future of work, surveyed nearly 1,000 U.S. leaders... After experiencing a raft of problems with young new hires, one in six bosses say they're hesitant to hire college grads again. Meanwhile, one in seven bosses have admitted that they may avoid hiring them altogether next year. Three-quarters of the companies surveyed said some or all of their recent graduate hires were unsatisfactory in some way...

Employers' gripe with young people today is their lack of motivation or initiative — 50% of the leaders surveyed cited that as the reason why things didn't work out with their new hire. Bosses also pointed to Gen Z being unprofessional, unorganized and having poor communication skills as their top reasons for having to sack grads. Leaders say they have struggled with the latest generation's tangible challenges, including being late to work and meetings often, not wearing office-appropriate clothing, and using language appropriate for the workspace.

Now, more than half of hiring managers have come to the conclusion that college grads are unprepared for the world of work. Meanwhile, over 20% say they can't handle the workload.
Thanks to long-time Slashdot reader smooth wombat for sharing the article.

Meta has been fined $101.5 million by the Irish Data Protection Commission (DPC) for storing over half a billion user passwords in plain text for years, with some engineers having access to this data for over a decade. The issue, discovered in 2019, predominantly affected non-US users, especially those using Facebook Lite. AppleInsider reports: Meta Ireland was found guilty of infringing four parts of GDPR, including how it "failed to notify the DPC of a personal data breach concerning storage of user passwords in plain text." Meta Ireland did report the failure, but only some months after it was discovered. "It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," said Graham Doyle, Deputy Commissioner at the DPC, in a statement about the fine. "It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."

Other than the fine and an official reprimand, the full extent of the DPC's ruling is yet to be released publicly. The details published so far do not reveal whether the passwords included any of US users as well as ones in Ireland or across the rest of the European Union. It's most likely that the issue concerns only non-US users, however. That's because in 2019, Facebook told CNN that the majority of the plain text passwords were for a service called Facebook Lite, which it described as being a cut-down service for areas of the world with slower connectivity.

SpzToid shares a report: Today, a group of independent security researchers revealed that they'd found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the Internet-connected features of most modern Kia vehicles -- dozens of models representing millions of cars on the road -- from the smartphone of a car's owner to the hackers' own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any Internet-connected Kia vehicle's license plate and within seconds gain the ability to track that car's location, unlock the car, honk its horn, or start its ignition at will.

After the researchers alerted Kia to the problem in June, Kia appears to have fixed the vulnerability in its web portal, though it told WIRED at the time that it was still investigating the group's findings and hasn't responded to WIRED's emails since then. But Kia's patch is far from the end of the car industry's web-based security problems, the researchers say. The web bug they used to hack Kias is, in fact, the second of its kind that they've reported to the Hyundai-owned company; they found a similar technique for hijacking Kias' digital systems last year. And those bugs are just two among a slew of similar web-based vulnerabilities they've discovered within the last two years that have affected cars sold by Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and more.

The United Nations is set to vote on a treaty later this year intended to create norms for fighting cybercrime -- and the Biden administration is fretting over whether to sign on. Politico: The uncertainty over the treaty stems from fears that countries including Russia, Iran and China could use the text as a guise for U.N. approval of their widespread surveillance measures and suppression of the digital rights of their citizens. If the United States chooses not to vote in favor of the treaty, it could become easier for these adversarial nations -- named by the Cybersecurity and Infrastructure Security Agency as the biggest state sponsors of cybercrime -- to take the lead on cyber issues in the future. And if the U.S. walks away from the negotiating table now, it could upset other nations that spent several years trying to nail down the global treaty with competing interests in mind.

While the treaty is not set for a vote during the U.N. General Assembly this week, it's a key topic of debate on the sidelines, following meetings in New York City last week, and committee meetings set for next month once the world's leaders depart. The treaty was troubled from its inception. A cybercrime convention was originally proposed by Russia, and the U.N. voted in late 2019 to start the process to draft it -- overruling objections by the U.S. and other Western nations. Those countries were worried Russia would use the agreement as an alternative to the Budapest Convention -- an existing accord on cybercrime administered by the Council of Europe, which Russia, China and Iran have not joined.