Windows

Windows Update Zero-Day Being Exploited To Undo Security Fixes (securityweek.com) 35

wiredmikey shares a report from SecurityWeek: Microsoft on Tuesday raised an alarm for in-the-wild exploitation of a critical flaw in Windows Update, warning that attackers are rolling back security fixes on certain versions of its flagship operating system. The Windows flaw, tagged as CVE-2024-43491 and marked as actively exploited, is rated critical and carries a CVSS severity score of 9.8/10. Redmond's documentation of the bug suggests a downgrade-type attack similar to the 'Windows Downdate' issue discussed at this year's Black Hat conference. Microsoft's bulletin reads: "Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024 -- KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability."

To protect against this exploit, Microsoft says Windows users should install this month's Servicing stack update (SSU KB5043936) and the September 2024 Windows security update (KB5043083), in that order.

Security

CrowdStrike Hopes Legal Threats Will Fade As Time Passes (theregister.com) 56

CrowdStrike CFO Burt Podbere says the cybersecurity firm has not faced lawsuits over July's global IT outage. Speaking at a conference, Podbere emphasized efforts to shift customer focus from legal threats to business discussions. The Register: There were dark rumblings from Delta Air Lines last month, for example, threatening litigation over alleged gross negligence. At the time, CrowdStrike reiterated its apologies, saying: "Public posturing about potentially bringing a meritless lawsuit against CrowdStrike as a long-time partner is not constructive to any party." During his time at the Citi conference, Podbere admitted: "We don't know how it's all going to shake out.

"Everything we're doing and trying to do is take the legal discussion away from our interaction with customers and move it to the business discussion. And as time goes on, that does get easier because we're moving further away from the Sun, right? And that's how we think about it."

United Kingdom

Four-Day Work Week Proposal by UK Government Raises Issues, Says Econ Professor (fastcompany.com) 84

Workers get the right to request a four-day workweek under a new proposal by the U.K. government. But a professor of economics at the University of Leeds argues "There remain problems, however" — starting with the fact that "under current laws, employers can still resist the requests of workers, if they want to." There is also the problem of unevenness in the effect of the law. While workers in well-paid jobs have bargaining leverage to assert their legal rights, others in lower-paid jobs face minimal protection and risk direct exploitation... [A]dvancing the case for a four-day working week is likely to be more difficult if it is seen as benefiting only one section of society (one that already enjoys strong rights and privileges)....

Another problem is the scope for compressed hours — working a five-day week of around 40 hours in four days. Under the new proposal, workers requesting and getting a four-day working week will still be required to put in the same hours. Longer work days may be welcomed by some — for example, they may cut down on childcare costs. But they risk undermining the benefits of a shorter working week. Indeed, they may threaten the health of workers by creating heavier work days which they need longer to recover from. At worst, a three-day weekend may be needed to recover from a four-day working week with longer days.

While a four-day work week could improve the quality of life and help address climate change, the analysis argues that the government's proposal ultimately raises issues about the "purpose and potential" of a four-day working week, possibly suggesting other policy changes that may also be needed. "It is important that low wages are addressed alongside work-time reduction."
  • "If the government is serious about achieving a four-day working week to raise productivity and improve employee wellbeing, it needs to encourage trials in the public sector..."
  • "The government also needs to target a future date, say 2040, for the realisation of a four-day working week. This could be facilitated by establishing a partnership of unions and employers to identify barriers to a four-day working week and ways to overcome them."

AI

'AI May Not Steal Many Jobs After All' (apnews.com) 62

Alorica — which runs customer-service centers around the world — has introduced an AI translation tool that lets its representatives talk with customers in 200 different languages. But according to the Associated Press, "Alorica isn't cutting jobs. It's still hiring aggressively." The experience at Alorica — and at other companies, including furniture retailer IKEA — suggests that AI may not prove to be the job killer that many people fear. Instead, the technology might turn out to be more like breakthroughs of the past — the steam engine, electricity, the internet: That is, eliminate some jobs while creating others. And probably making workers more productive in general, to the eventual benefit of themselves, their employers and the economy. Nick Bunker, an economist at the Indeed Hiring Lab, said he thinks AI "will affect many, many jobs — maybe every job indirectly to some extent. But I don't think it's going to lead to, say, mass unemployment...."

[T]he widespread assumption that AI chatbots will inevitably replace service workers, the way physical robots took many factory and warehouse jobs, isn't becoming reality in any widespread way — not yet, anyway. And maybe it never will. The White House Council of Economic Advisers said last month that it found "little evidence that AI will negatively impact overall employment." The advisers noted that history shows technology typically makes companies more productive, speeding economic growth and creating new types of jobs in unexpected ways... The outplacement firm Challenger, Gray & Christmas, which tracks job cuts, said it has yet to see much evidence of layoffs that can be attributed to labor-saving AI. "I don't think we've started seeing companies saying they've saved lots of money or cut jobs they no longer need because of this," said Andy Challenger, who leads the firm's sales team. "That may come in the future. But it hasn't played out yet."

At the same time, the fear that AI poses a serious threat to some categories of jobs isn't unfounded. Consider Suumit Shah, an Indian entrepreneur who caused an uproar last year by boasting that he had replaced 90% of his customer support staff with a chatbot named Lina. The move at Shah's company, Dukaan, which helps customers set up e-commerce sites, shrank the response time to an inquiry from 1 minute, 44 seconds to "instant." It also cut the typical time needed to resolve problems from more than two hours to just over three minutes. "It's all about AI's ability to handle complex queries with precision," Shah said by email. The cost of providing customer support, he said, fell by 85%....

Similarly, researchers at Harvard Business School, the German Institute for Economic Research and London's Imperial College Business School found in a study last year that job postings for writers, coders and artists tumbled within eight months of the arrival of ChatGPT.

On the other hand, after Ikea introduced a customer-service chatbot in 2021 to handle simple inquiries, it didn't result in massive layoffs, according to the article. Instead Ikea ended up retraining 8,500 customer-service workers to handle other tasks like advising customers on interior design and fielding complicated customer calls.

Programming

GitHub Actions Typosquatting: a High-Impact Supply Chain Attack-in-Waiting? (csoonline.com) 4

GitHub Actions let developers "automate software builds and tests," writes CSO Online, "by setting up workflows that trigger when specific events are detected, such as when new code is committed to the repository."

They also "can be reused and shared with others on the GitHub Marketplace, which currently lists thousands of public Actions that developers can use instead of coding their own. Actions can also be included as dependencies inside other Actions, creating an ecosystem similar to other open-source component registries." Researchers from Orca Security recently investigated the impact typosquatting can have in the GitHub Actions ecosystem by registering 14 GitHub organizations with names that are misspellings of popular Actions owners — for example, circelci instead of circleci, actons instead of actions, google-github-actons instead of google-github-actions... One might think that developers making typos is not very common, but given the scale of GitHub — over 100 million developers with over 420 million repositories — even a statistically rare occurrence can mean thousands of potential victims. For example, the researchers found 194 workflow files calling the "action" organization instead of "actions"; moreover, 12 public repositories started referencing the researchers' fake "actons" organization within two months of setting it up.

"Although the number may not seem that high, these are only the public repositories we can search for and there could be multiple more private ones, with numbers increasing over time," the researchers wrote... Ultimately this is a low-cost high-impact attack. Having the ability to execute malicious actions against someone else's code is very powerful and can result in software supply chain attacks, with organizations and users that then consume the backdoored code being impacted as well...

Out of the 14 typosquatted organizations that Orca set up for their proof-of-concept, GitHub only suspended one over a three-month period — circelci — and that's likely because someone reported it. CircleCI is one of the most popular CI/CD platforms.

Thanks to Slashdot reader snydeq for sharing the article.
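
A defensive check for the typosquatting pattern described above, as an added example that is not from the article or from Orca Security: it scans a workflow file's `uses:` references and flags owners that are one edit (including a swapped pair of letters) away from an owner you trust. The allowlist, the sample workflow and the distance threshold of 1 are assumptions made for illustration.

```python
import re

# Assumed allowlist: the action owners this organisation actually intends to use.
TRUSTED_OWNERS = {"actions", "circleci", "google-github-actions", "docker"}

# Matches "uses: owner/repo@ref" with or without a leading "- " and optional quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")

# Constructed sample workflow; repository names are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actons/setup-node@v4        # typo of "actions"
      - name: auth
        uses: google-github-actons/auth@v2
      - uses: ./.github/actions/local-lint
      - uses: circelci/some-action@v1
      - uses: docker://alpine:3.20
      - uses: some-vendor/tool@v3
"""


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "circelci" vs "circleci".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def action_owner(ref):
    """Owner of an 'owner/repo[/path]@ref' reference; None for local or docker refs."""
    if ref.startswith(("./", "../", "docker://")):
        return None
    owner, sep, _ = ref.partition("/")
    return owner.lower() if sep else None


def find_lookalike_owners(workflow_text, trusted=TRUSTED_OWNERS, max_distance=1):
    """Return (line number, owner used, trusted owner it resembles) for each near miss."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        owner = action_owner(match.group(1))
        if owner is None or owner in trusted:
            continue
        for good in sorted(trusted):
            if osa_distance(owner, good) <= max_distance:
                findings.append((lineno, owner, good))
                break
    return findings


if __name__ == "__main__":
    for lineno, owner, good in find_lookalike_owners(SAMPLE_WORKFLOW):
        print(f"line {lineno}: '{owner}' looks like trusted owner '{good}'")
```

Owners that are neither trusted nor near a trusted name (such as `some-vendor` in the sample) are not reported here; reviewing those is a separate allowlisting decision.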

Security

SpyAgent Android Malware Steals Your Crypto Recovery Phrases From Images 32

SpyAgent is a new Android malware that uses optical character recognition (OCR) to steal cryptocurrency wallet recovery phrases from screenshots stored on mobile devices, allowing attackers to hijack wallets and steal funds. The malware primarily targets South Korea but poses a growing threat as it expands to other regions and possibly iOS. BleepingComputer reports: A malware operation discovered by McAfee was traced back to at least 280 APKs distributed outside of Google Play using SMS or malicious social media posts. This malware can use OCR to recover cryptocurrency recovery phrases from images stored on an Android device, making it a significant threat. [...] Once it infects a new device, SpyAgent begins sending the following sensitive information to its command and control (C2) server:

- Victim's contact list, likely for distributing the malware via SMS originating from trusted contacts.
- Incoming SMS messages, including those containing one-time passwords (OTPs).
- Images stored on the device to use for OCR scanning.
- Generic device information, likely for optimizing the attacks.

SpyAgent can also receive commands from the C2 to change the sound settings or send SMS messages, likely used to send phishing texts to distribute the malware. McAfee found that the operators of the SpyAgent campaign did not follow proper security practices in configuring their servers, allowing the researchers to gain access to them. Admin panel pages, as well as files and data stolen from victims, were easily accessible, allowing McAfee to confirm that the malware had claimed multiple victims. The stolen images are processed and OCR-scanned on the server side and then organized on the admin panel accordingly to allow easy management and immediate utilization in wallet hijack attacks.

Security

Kaspersky To Transfer US Customers To UltraAV After Ban (pcmag.com) 16

Kaspersky has reached an agreement to transfer its U.S. customers to UltraAV, a Boston-based antivirus provider. The move comes in the wake of a White House ban on Kaspersky products. Under the deal, U.S. users will maintain their existing subscriptions and receive "reliable anti-virus protection" through UltraAV, which will offer additional features such as VPN and identity theft protection. Kaspersky will contact customers in the coming days with instructions for activating their new accounts.

IT

Gen Z-ers Are Computer Whizzes. Just Don't Ask Them to Type. (msn.com) 149

Typing skills among Generation Z have declined sharply, despite their digital nativity, according to recent data. The U.S. Department of Education reports that only 2.5% of high school graduates in 2019 took a keyboarding course, down from 44% in 2000.

Many educators assume Gen Z already possesses typing skills due to their familiarity with technology. However, access to devices doesn't automatically translate into proficiency, WSJ reports. Some schools are addressing this gap by introducing typing competitions and formal instruction when students receive Chromebooks.

The shift towards mobile devices is contributing to the decline in traditional typing skills. Canvas, an online learning platform, reports that 39% of student assignments between March and May were uploaded from mobile devices, contrasting sharply with teachers who completed over 90% of their work on computers.

Privacy

Leaked Disney Data Reveals Financial and Strategy Secrets (msn.com) 48

An anonymous reader shares a report: Passport numbers for a group of Disney cruise line workers. Disney+ streaming revenue. Sales of Genie+ theme park passes. The trove of data from Disney that was leaked online by hackers earlier this summer includes a range of financial and strategy information that sheds light on the entertainment giant's operations, according to files viewed by The Wall Street Journal. It also includes personally identifiable information of some staff and customers.

The leaked files include granular details about revenue generated by such products as Disney+ and ESPN+; park pricing offers the company has modeled; and what appear to be login credentials for some of Disney's cloud infrastructure. (The Journal didn't attempt to access any Disney systems.) "We decline to comment on unverified information The Wall Street Journal has purportedly obtained as a result of a bad actor's illegal activity," a Disney spokesman said. Disney told investors in an August regulatory filing that it is investigating the unauthorized release of "over a terabyte of data" from one of its communications systems. It said the incident hadn't had a material impact on its operations or financial performance and doesn't expect that it will.

Data that a hacking entity calling itself Nullbulge released online spans more than 44 million messages from Disney's Slack workplace communications tool, upward of 18,800 spreadsheets and at least 13,000 PDFs, the Journal found. The scope of the material taken appears to be limited to public and private channels within Disney's Slack that one employee had access to. No private messages between executives appear to be included. Slack is only one online forum in which Disney employees communicate at work.

Security

YubiKeys Are Vulnerable To Cloning Attacks Thanks To Newly Discovered Side Channel (arstechnica.com) 33

The YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-size device vulnerable to cloning when an attacker gains brief physical access to it, researchers said Tuesday. ArsTechnica: The cryptographic flaw, known as a side channel, resides in a small microcontroller that's used in a vast number of other authentication devices, including smartcards used in banking, electronic passports, and the accessing of secure areas. While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven't tested other devices using the microcontroller, which is SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability.

YubiKey-maker Yubico issued an advisory in coordination with a detailed disclosure report from NinjaLab, the security firm that reverse-engineered the YubiKey 5 series and devised the cloning attack. All YubiKeys running firmware prior to version 5.7 -- which was released in May and replaces the Infineon cryptolibrary with a custom one -- are vulnerable. Updating key firmware on the YubiKey isn't possible. That leaves all affected YubiKeys permanently vulnerable.

Security

Halliburton Says Hackers Removed Data in August Cyberattack (usnews.com) 17

U.S. oilfield services firm Halliburton said on Tuesday an unauthorized third party had accessed and removed data from its systems, providing details regarding the cyberattack in August. From a report: The company said it is evaluating the nature and scope of information that was removed, but added that the incident is not reasonably likely to have a material impact. Halliburton declined to comment in response to Reuters' requests for additional information on the nature of data removed and expenses incurred due to the cyber incident. It also did not immediately confirm whether it had been contacted by the hackers. U.S. energy firms have suffered multiple cyberattacks, including ransomware attacks, in recent years. In 2021, Colonial Pipeline was forced to pay $4.4 million in ransom as its executives were not sure about the severity of the breach.

Microsoft

Microsoft Says Its Recall Uninstall Option in Windows 11 is Just a Bug (theverge.com) 169

An anonymous reader shares a report: While the latest update to Windows 11 makes it look like the upcoming Recall feature can be easily removed by users, Microsoft tells us it's just a bug and a fix is coming. Deskmodder spotted the change last week in the latest 24H2 version of Windows 11, with KB5041865 seemingly delivering the ability to uninstall Recall from the Windows Features section. "We are aware of an issue where Recall is incorrectly listed as an option under the 'Turn Windows features on or off' dialog in Control Panel," says Windows senior product manager Brandon LeBlanc in a statement to The Verge. "This will be fixed in an upcoming update."

United States

Investigation Finds 'Little Oversight' Over Crucial Supply Chain for US Election Software (politico.com) 94

Politico reports U.S. states have no uniform way of policing the use of overseas subcontractors in election technology, "let alone to understand which individual software components make up a piece of code."

For example, to replace New Hampshire's old voter registration database, state election officials "turned to one of the best — and only — choices on the market," Politico: "a small, Connecticut-based IT firm that was just getting into election software." But last fall, as the new company, WSD Digital, raced to complete the project, New Hampshire officials made an unsettling discovery: The firm had offshored part of the work. That meant unknown coders outside the U.S. had access to the software that would determine which New Hampshirites would be welcome at the polls this November.

The revelation prompted the state to take a precaution that is rare among election officials: It hired a forensic firm to scour the technology for signs that hackers had hidden malware deep inside the coding supply chain. The probe unearthed some unwelcome surprises: software misconfigured to connect to servers in Russia ["probably by accident," they write later] and the use of open-source code — which is freely available online — overseen by a Russian computer engineer convicted of manslaughter, according to a person familiar with the examination and granted anonymity because they were not authorized to speak about it... New Hampshire officials say the scan revealed another issue: A programmer had hard-coded the Ukrainian national anthem into the database, in an apparent gesture of solidarity with Kyiv.

None of the findings amounted to evidence of wrongdoing, the officials said, and the company resolved the issues before the new database came into use ahead of the presidential vote this spring. This was "a disaster averted," said the person familiar with the probe, citing the risk that hackers could have exploited the first two issues to surreptitiously edit the state's voter rolls, or use them and the presence of the Ukrainian national anthem to stoke election conspiracies. [Though WSD only maintains one other state's voter registration database — Vermont] the supply-chain scare in New Hampshire — which has not been reported before — underscores a broader vulnerability in the U.S. election system, POLITICO found during a six-month-long investigation: There is little oversight of the supply chain that produces crucial election software, leaving financially strapped state and county offices to do the best they can with scant resources and expertise.

The technology vendors who build software used on Election Day face razor-thin profit margins in a market that is unforgiving commercially and toxic politically. That provides little room for needed investments in security, POLITICO found. It also leaves states with minimal leverage over underperforming vendors, who provide them with everything from software to check in Americans at their polling stations to voting machines and election night reporting systems. Many states lack a uniform or rigorous system to verify what goes into software used on Election Day and whether it is secure.

The article also points out that many state and federal election officials "insist there has been significant progress" since 2016, with more regular state-federal communication. "The Cybersecurity and Infrastructure Security Agency, now the lead federal agency on election security, didn't even exist back then.

"Perhaps most importantly, more than 95% of U.S. voters now vote by hand or on machines that leave some type of paper trail, which officials can audit after Election Day."

IT

'My Fake Job In Y2K Preparedness' (nplusonemag.com) 114

Long-time Slashdot reader theodp writes: The Contingency Contingent is Leigh Claire La Berge's amazing tale of what she calls her "fake job in Y2K preparedness." La Berge offers an insider's view of the madness that ensued when Y2K panic gave rise to seemingly-limitless spending at mega-corporations for massive enterprise-wide Y2K remediation projects led by management consulting firms that left clients with little to show for their money. (La Berge was an analyst for consulting firm Arthur Andersen, where "the Andersen position was that 'Y2K is a documentation problem, not a technology problem'.... At a certain point all that had happened yesterday was our documenting, so then we documented that. Then, exponentially, we had to document ourselves documenting our own documentation."). In what reads like the story treatment for an Office Space sequel, La Berge writes that it was a fake job "because Andersen was faking it."

From the article: The firm spent the late 1990s certifying fraudulent financial statements from Enron, the Texas-based energy company that made financial derivatives a household phrase, until that company went bankrupt in a cloud of scandal and suicide and Andersen was convicted of obstruction of justice, surrendered its accounting licenses, and shuttered. But that was later.

Finally, it was a fake job because the problem that the Conglomerate had hired Andersen to solve was not real, at least not in the sense that it needed to be solved or that Andersen could solve it. The problem was known variously as Y2K, or the Year 2000, or the Y2K Bug, and it prophesied that on January 1, 2000, computers the world over would be unable to process the thousandth-digit change from 19 to 20 as 1999 rolled into 2000 and would crash, taking with them whatever technology they were operating, from email to television to air-traffic control to, really, the entire technological infrastructure of global modernity. Hospitals might have emergency power generators to stave off the worst effects (unless the generators, too, succumbed to the Y2K Bug), but not advertising firms.

With a world-ending scenario on the horizon, employment standards were being relaxed. The end of the millennium had produced a tight labor market in knowledge workers, and new kinds of companies, called dot-coms, were angling to dominate the emergent world of e-commerce. Flush with cash, these companies were hoovering up any possessors of knowledge they could find. Friends from my gradeless college whose only experience in business had been parking-lot drug deals were talking stock options.

Looking back, the author remembers being "surprised by how quickly Y2K disappeared from office discourse as though censored..."

Their upcoming book is called Fake Work: How I Began to Suspect Capitalism is a Joke.

IT

How Not To Hire a North Korean IT Spy (csoonline.com) 17

CSO Online reports that North Korea "is actively infiltrating Western companies using skilled IT workers who use fake identities to pose as remote workers with foreign companies, typically but not exclusively in the U.S."

Slashdot reader snydeq shares their report, which urges information security officers "to carry out tighter vetting of new hires to ward off potential 'moles' — who are increasingly finding their way onto company payrolls and into their IT systems." The schemes are part of illicit revenue generation efforts by the North Korean regime, which faces financial sanctions over its nuclear weapons program, as well as a component of the country's cyberespionage activities.

The U.S. Treasury department first warned about the tactic in 2022. Thousands of highly skilled IT workers are taking advantage of the demand for software developers to obtain freelance contracts from clients around the world, including in North America, Europe, and East Asia. "Although DPRK [North Korean] IT workers normally engage in IT work distinct from malicious cyber activity, they have used the privileged access gained as contractors to enable the DPRK's malicious cyber intrusions," the Treasury department warned... North Korean IT workers present themselves as South Korean, Chinese, Japanese, or Eastern European, and as U.S.-based teleworkers. In some cases, DPRK IT workers further obfuscate their identities by creating arrangements with third-party subcontractors.

Christina Chapman, a resident of Arizona, faces fraud charges over an elaborate scheme that allegedly allowed North Korean IT workers to pose as U.S. citizens and residents using stolen identities to obtain jobs at more than 300 U.S. companies. U.S. payment platforms and online job site accounts were abused to secure jobs at more than 300 companies, including a major TV network, a car manufacturer, a Silicon Valley technology firm, and an aerospace company... According to a U.S. Department of Justice indictment, unsealed in May 2024, Chapman ran a "laptop farm," hosting the overseas IT workers' computers inside her home so it appeared that the computers were located in the U.S. The 49-year-old received and forged payroll checks, and she laundered direct debit payments for salaries through bank accounts under her control. Many of the overseas workers in her cell were from North Korea, according to prosecutors. An estimated $6.8 million were paid for the work, much of which was falsely reported to tax authorities under the name of 60 real U.S. citizens whose identities were either stolen or borrowed...

Ukrainian national Oleksandr Didenko, 27, of Kyiv, was separately charged over a years-long scheme to create fake accounts at U.S. IT job search platforms and with U.S.-based money service transmitters. "Didenko sold the accounts to overseas IT workers, some of whom he believed were North Korean, and the overseas IT workers used the false identities to apply for jobs with unsuspecting companies," according to the U.S. Department of Justice. Didenko, who was arrested in Poland in May, faces U.S. extradition proceedings...

How this type of malfeasance plays out from the perspective of a targeted firm was revealed by security awareness vendor KnowBe4's candid admission in July that it unknowingly hired a North Korean IT spy... A growing and substantial body of evidence suggests KnowBe4 is but one of many organizations targeted by illicit North Korean IT workers. Last November security vendor Palo Alto reported that North Korean threat actors are actively seeking employment with organizations based in the U.S. and other parts of the world...

Mandiant, the Google-owned threat intel firm, reported last year that "thousands of highly skilled IT workers from North Korea" are hunting work. More recently, CrowdStrike reported that a North Korean group it dubbed "Famous Chollima" infiltrated more than 100 companies with imposter IT pros.

The article notes the infiltrators use chatbots to tailor the perfect resume "and further leverage AI-created deepfakes to pose as real people." And the article includes this quote from a former intelligence analyst for the U.S. Air Force turned cybersecurity strategist at Sysdig. "In some cases, they may try to get jobs at tech companies in order to steal their intellectual property before using it to create their own knock-off technologies."

The article closes with its suggested "countermeasures," including live video-chats with prospective remote-work applicants — and confirming an applicant's home address.

Security

Malware Infiltrates Pidgin Messenger's Official Plugin Repository (bleepingcomputer.com) 10

The Pidgin messaging app removed the ScreenShareOTR plugin from its third-party plugin list after it was found to be used to install keyloggers, information stealers, and malware targeting corporate networks. BleepingComputer reports: The plugin was promoted as a screen-sharing tool for secure Off-The-Record (OTR) protocol and was available for both Windows and Linux versions of Pidgin. According to ESET, the malicious plugin was configured to infect unsuspecting users with DarkGate malware, a powerful malware threat actors use to breach networks since QBot's dismantling by the authorities. [...] Those who installed it are recommended to remove it immediately and perform a full system scan with an antivirus tool, as DarkGate may be lurking on their system.

After publishing our story, Pidgin's maintainer and lead developer, Gary Kramlich, notified us on Mastodon to say that they do not keep track of how many times a plugin is installed. To prevent similar incidents from happening in the future, Pidgin announced that, from now on, it will only accept third-party plugins that have an OSI Approved Open Source License, allowing scrutiny into their code and internal functionality.

Linux

Linux 6.12 To Optionally Display A QR Code During Kernel Panics (phoronix.com) 44

New submitter meisdug writes: A new feature has been submitted for inclusion in Linux 6.12, allowing the display of a QR code when a kernel panic occurs using the DRM Panic handler. This QR code can capture detailed error information that is often missed in traditional text-based panic messages, making it more user-friendly. The feature, written in Rust, is optional and can be enabled via a specific build switch. This implementation follows similar ideas from other operating systems and earlier discussions in the Linux community.

Encryption

Telegram Founder's Indictment Thrusts Encryption Into the Spotlight (nytimes.com) 124

An anonymous reader shares a report: When French prosecutors charged Pavel Durov, the chief executive of the messaging app Telegram, with a litany of criminal offenses on Wednesday, one accusation stood out to Silicon Valley companies. Telegram, French authorities said in a statement, had provided cryptology services aimed at ensuring confidentiality without a license. In other words, the topic of encryption was being thrust into the spotlight.

The cryptology charge raised eyebrows at U.S. tech companies including Signal, Apple and Meta's WhatsApp, according to three people with knowledge of the companies. These companies provide end-to-end encrypted messaging services and often stand together when governments challenge their use of the technology, which keeps online conversations between users private and secure from outsiders.

But while Telegram is also often described as an encrypted messaging app, it tackles encryption differently than WhatsApp, Signal and others. So if Mr. Durov's indictment turned Telegram into a public exemplar of the technology, some Silicon Valley companies believe that could damage the credibility of encrypted messaging apps writ large, according to the people, putting them in a tricky position of whether to rally around their rival.

Encryption has been a long-running point of friction between governments and tech companies around the world. For years, tech companies have argued that encrypted messaging is crucial to maintain people's digital privacy, while law enforcement and governments have said that the technology enables illicit behaviors by hiding illegal activity. The debate has grown more heated as encrypted messaging apps have become mainstream. Signal has grown by tens of millions of users since its founding in 2018. Apple's iMessage is installed on the hundreds of millions of iPhones that the company sells each year. WhatsApp is used by more than two billion people globally.

Encryption

Feds Bust Alaska Man With 10,000+ CSAM Images Despite His Many Encrypted Apps (arstechnica.com) 209

A recent indictment (PDF) of an Alaska man stands out due to the sophisticated use of multiple encrypted communication tools, privacy-focused apps, and dark web technology. "I've never seen anyone who, when arrested, had three Samsung Galaxy phones filled with 'tens of thousands of videos and images' depicting CSAM, all of it hidden behind a secrecy-focused, password-protected app called 'Calculator Photo Vault,'" writes Ars Technica's Nate Anderson. "Nor have I seen anyone arrested for CSAM having used all of the following: [Potato Chat, Enigma, nandbox, Telegram, TOR, Mega NZ, and web-based generative AI tools/chatbots]." An anonymous reader shares the report: According to the government, Seth Herrera not only used all of these tools to store and download CSAM, but he also created his own -- and in two disturbing varieties. First, he allegedly recorded nude minor children himself and later "zoomed in on and enhanced those images using AI-powered technology." Secondly, he took this imagery he had created and then "turned to AI chatbots to ensure these minor victims would be depicted as if they had engaged in the type of sexual contact he wanted to see." In other words, he created fake AI CSAM -- but using imagery of real kids.

The material was allegedly stored behind password protection on his phone(s) but also on Mega and on Telegram, where Herrera is said to have "created his own public Telegram group to store his CSAM." He also joined "multiple CSAM-related Enigma groups" and frequented dark websites with taglines like "The Only Child Porn Site you need!" Despite all the precautions, Herrera's home was searched and his phones were seized by Homeland Security Investigations; he was eventually arrested on August 23. In a court filing that day, a government attorney noted that Herrera "was arrested this morning with another smartphone -- the same make and model as one of his previously seized devices."

The government is cagey about how, exactly, this criminal activity was unearthed, noting only that Herrera "tried to access a link containing apparent CSAM." Presumably, this "apparent" CSAM was a government honeypot file or web-based redirect that logged the IP address and any other relevant information of anyone who clicked on it. In the end, given that fatal click, none of the "I'll hide it behind an encrypted app that looks like a calculator!" technical sophistication accomplished much. Forensic reviews of Herrera's three phones now form the primary basis for the charges against him, and Herrera himself allegedly "admitted to seeing CSAM online for the past year and a half" in an interview with the feds.

YouTube

Can a YouTube Video Really Fix Your Wet Phone? (theverge.com) 45

An anonymous reader shares a report: Every day for the last four years, dozens of people have shown up in the comments of one particular YouTube, declaring their love and appreciation for the content. The content: two minutes and six seconds of deep, low buzzing, the kind that makes your phone vibrate on the table, underscoring a vaguely trippy animation of swirled stained glass. It's not a good video. But it's not meant to be. The video is called "Sound To Remove Water From Phone Speaker ( GUARANTEED )." [...] If you believe the comments, about half the video's 45 million views come from people who bring their phone into the shower or bathtub and trust that they can play this video and everything will be fine.

The theory goes like this: all a speaker is really doing is pushing air around, and if you can get it to push enough air, with enough force, you might be able to push droplets of liquid out from where they came. "The lowest tone that that speaker can reproduce, at the loudest level that it can play," says Eric Freeman, a senior director of research at Bose. "That will create the most air motion, which will push on the water that's trapped inside the phone." Generally, the bigger the speaker, the louder and lower it can go. Phone speakers tend to be tiny. "So those YouTube videos," Freeman says, "it's not, like, really deep bass. But it's in the low range of where a phone is able to make sound."

The best real-world example of how this can work is probably the Apple Watch, which has a dedicated feature for ejecting water after you've gotten it wet. When I first reached out to iFixit to ask about my water-expulsion mystery, Carsten Frauenheim, a repairability engineer at the company, said the Watch works on the same theory as the videos. "It's just a specific oscillating tone that pushes the water out of the speaker grilles," he said. "Not sure how effective the third-party versions are for phones since they're probably not ideally tuned? We could test."
