wiredmikey shares a report from SecurityWeek: Microsoft on Tuesday raised an alarm for in-the-wild exploitation of a critical flaw in Windows Update, warning that attackers are rolling back security fixes on certain versions of its flagship operating system. The Windows flaw, tagged as CVE-2024-43491 and marked as actively exploited, is rated critical and carries a CVSS severity score of 9.8/10. Redmond's documentation of the bug suggests a downgrade-type attack similar to the 'Windows Downdate' issue discussed at this year's Black Hat conference. Microsoft's bulletin reads: "Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024 -- KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability."

To protect against this exploit, Microsoft says Windows users should install this month's Servicing stack update (SSU KB5043936) and the September 2024 Windows security update (KB5043083), in that order.

An anonymous reader quotes a report from Reuters: The U.S. Commerce Department said Monday it is proposing to require detailed reporting requirements for advanced artificial intelligence developers and cloud computing providers to ensure the technologies are safe and can withstand cyberattacks. The proposal from the department's Bureau of Industry and Security would set mandatory reporting to the federal government about development activities of "frontier" AI models and computing clusters. It would also require reporting on cybersecurity measures as well as outcomes from so-called red-teaming efforts like testing for dangerous capabilities including the ability to assist in cyberattacks or lowering barriers to entry for non-experts to develop chemical, biological, radiological, or nuclear weapons. External red-teaming has been used for years in cybersecurity to identify new risks, with the term referring to U.S. Cold War simulations where the enemy was termed the "red team." [...] Commerce said the information collected under the proposal "will be vital for ensuring these technologies meet stringent standards for safety and reliability, can withstand cyberattacks, and have limited risk of misuse by foreign adversaries or non-state actors." Further reading: Biden Signs Executive Order To Oversee and Invest in AI

CrowdStrike CFO Burt Podbere says the cybersecurity firm has not faced lawsuits over July's global IT outage. Speaking at a conference, Podbere emphasized efforts to shift customer focus from legal threats to business discussions. The Register: There were dark rumblings from Delta Air Lines last month, for example, threatening litigation over alleged gross negligence. At the time, CrowdStrike reiterated its apologies, saying: "Public posturing about potentially bringing a meritless lawsuit against CrowdStrike as a long-time partner is not constructive to any party." During his time at the Citi conference, Podbere admitted: "We don't know how it's all going to shake out.

"Everything we're doing and trying to do is take the legal discussion away from our interaction with customers and move it to the business discussion. "And as time goes on, that does get easier because we're moving further away from the Sun, right? And that's how we think about it."

Steven Levy, writing for Wired: My first story for WIRED -- yep, 31 years ago -- looked at a group of "crypto rebels" who were trying to pry strong encryption technology from the government-classified world and send it into the mainstream. Naturally I attempted to speak to someone at the National Security Agency for comment and ideally get a window into its thinking. Unsurprisingly, that was a no-go, because the NSA was famous for its reticence. Eventually we agreed that I could fax (!) a list of questions. In return I got an unsigned response in unhelpful bureaucratese that didn't address my queries. Even that represented a loosening of what once was total blackout on anything having to do with this ultra-secretive intelligence agency. For decades after its post-World War II founding, the government revealed nothing, not even the name, of this agency and its activities. Those in the know referred to it as "No Such Agency."

In recent years, the widespread adoption of encryption technology and the vital need for cybersecurity has led to more openness. Its directors began to speak in public; in 2012, NSA director Keith Alexander actually keynoted Defcon. I'd spent the entire 1990s lobbying to visit the agency for my book Crypto; in 2013, I finally crossed the threshold of its iconic Fort Meade Headquarters for an on-the-record conversation with officials, including Alexander. NSA now has social media accounts on Twitter, Instagram, Facebook. And there is a form on the agency website for podcasters to request guest appearances by an actual NSA-ite.

So it shouldn't be a total shock that NSA is now doing its own podcast. You don't need to be an intelligence agency to know that pods are a unique way to tell stories and hold people's attention. The first two episodes of the seven-part season dropped this week. It's called No Such Podcast, earning some self-irony points from the get-go. In keeping with the openness vibe, the NSA granted me an interview with an official in charge of the project -- one of the de facto podcast producers, a title that apparently is still not an official NSA job posting. Since NSA still gotta NSA, I can't use this person's name. But my source did point out that in the podcast itself, both the hosts and the guests -- who are past and present agency officials -- speak under their actual identities.

Security engineer Bryan Hance co-founded the nonprofit Bike Index, back in 2013, reports the Los Angeles Times, "where cyclists can register their bikes and contact information, making it easier to reunite lost or stolen bikes with their owners." It now holds descriptions and serial numbers of about 1.3 million bikes worldwide.

"But in spring 2020, Hance was tipped to something new: Scores of high-end bikes that matched the descriptions of bikes reported stolen from locations across the Bay Area were turning up for sale on Facebook Marketplace and Instagram pages attached to someone in Mexico, thousands of miles away..." The Facebook page he first spotted disappeared, replaced by pages that were blocked to U.S. computers; Hance managed to get in anyway, thanks to creative use of a VPN. He started reaching out to the owners whose stolen bikes he suspected he was seeing for sale. "Can you tell me a little bit about how your bike was stolen," he would ask. Often, the methods were sophisticated and selective. Thieves would break into a bicycle room at an apartment complex with a specialized saw and leave minutes later with only the fanciest mountain bikes...

Over time, he spoke to more than a dozen [police] officers in jurisdictions across the Bay Area, including Alameda, Santa Clara, Santa Cruz, Marin, Napa and Sonoma counties... [H]ere was Hance, telling officers that he believed he had located a stolen bike, in Mexico. "That's gone," the officer would inform him. Or, one time, according to Hance: "We're not Interpol." Hance also tried to get Meta to do something. After all, he had identified what could be hundreds of stolen bikes being sold on its platforms, valued, he estimated, at well over $2 million. He said he got nowhere...

[Hance] believed he'd figured out the identity of the seller in Jalisco, and was monitoring that person's personal social media accounts. In early 2021, he had spotted something that might break open the case: the name of a person who was sending the Jalisco seller photos of bikes that matched descriptions of those reported stolen by Bay Area cyclists. Hance theorized that person could be a fence who was collecting stolen bikes on this side of the border and sending photos to Jalisco so they could be posted for sale. Hance hunted through the Jalisco seller's Facebook friends until he found the name there: Victor Romero, of San Jose. More sleuthing revealed that a man by the name of Victor Romero ran an auto shop in San Jose, and, judging by his own Facebook photos, was an avid mountain biker. There was something else: Romero's auto shop in San Jose had distinctive orange shelves. One photo of a bike listed for sale on the Jalisco seller's site had similar orange shelves in the backdrop.

Hance contacted a San Francisco police detective who had seemed interested in what he was doing. Check out this guy's auto shop, he advised. San Francisco police raided Romero in the spring of 2021. They found more than $200,000 in cash, according to a federal indictment, along with screenshots from his phone they said showed Romero's proceeds from trafficking in stolen bikes. They also found a Kona Process 153 mountain bike valued at about $4,700 that had been reported stolen from an apartment garage in San Francisco, according to the indictment. It had been disassembled and packaged for shipment to Jalisco.

In January, a federal grand jury indicted Victoriano Romero on felony conspiracy charges for his alleged role in a scheme to purchase high-end stolen bicycles from thieves across the Bay Area and transport them to Mexico for resale.
But bikes continue to be stolen, and "The guy is still operating," Hance told the Los Angeles Times.

"We could do the whole thing again."

The Register reports that Google "recently rewrote the firmware for protected virtual machines in its Android Virtualization Framework using the Rust programming language." And they add that Google "wants you to do the same, assuming you deal with firmware."

A post on Google's security blog by Android engineers Ivan Lozano and Dominik Maier promises to show "how to gradually introduce Rust into your existing firmware," adding "You'll see how easy it is to boost security with drop-in Rust replacements, and we'll even demonstrate how the Rust toolchain can handle specialized bare-metal targets."

This prompts the Register to quip that easy "is not a term commonly heard with regard to a programming language known for its steep learning curve." Citing the lack of high-level security mechanisms in firmware, which is often written in memory-unsafe languages such as C or C++, Lozano and Maier argue that Rust provides a way to avoid the memory safety bugs like buffer overflows and use-after-free that account for the majority of significant vulnerabilities in large codebases. "Rust provides a memory-safe alternative to C and C++ with comparable performance and code size," they note. "Additionally it supports interoperability with C with no overhead."
At one point the blog post explains that "You can replace existing C functionality by writing a thin Rust shim that translates between an existing Rust API and the C API the codebase expects." But their ultimate motivation is greater security. "Android's use of safe-by-design principles drives our adoption of memory-safe languages like Rust, making exploitation of the OS increasingly difficult with every release."

And the Register also got this quote from Lars Bergstrom, Google's director of engineering for Android Programming Languages (and chair of the Rust Foundation's board of directors). "At Google, we're increasing Rust's use across Android, Chromium, and more to reduce memory safety vulnerabilities. We're dedicated to collaborating with the Rust ecosystem to drive its adoption and provide developers with the resources and training they need to succeed.

"This work on bringing Rust to embedded and firmware addresses another critical part of the stack."

GitHub Actions let developers "automate software builds and tests," writes CSO Online, "by setting up workflows that trigger when specific events are detected, such as when new code is committed to the repository."

They also "can be reused and shared with others on the GitHub Marketplace, which currently lists thousands of public Actions that developers can use instead of coding their own. Actions can also be included as dependencies inside other Actions, creating an ecosystem similar to other open-source component registries." Researchers from Orca Security recently investigated the impact typosquatting can have in the GitHub Actions ecosystem by registering 14 GitHub organizations with names that are misspellings of popular Actions owners — for example, circelci instead of circleci, actons instead of actions, google-github-actons instead of google-github-actions... One might think that developers making typos is not very common, but given the scale of GitHub — over 100 million developers with over 420 million repositories — even a statistically rare occurrence can mean thousands of potential victims. For example, the researchers found 194 workflow files calling the "action" organization instead of "actions"; moreover, 12 public repositories started referencing the researchers' fake "actons" organization within two months of setting it up.

"Although the number may not seem that high, these are only the public repositories we can search for and there could be multiple more private ones, with numbers increasing over time," the researchers wrote... Ultimately this is a low-cost high-impact attack. Having the ability to execute malicious actions against someone else's code is very powerful and can result in software supply chain attacks, with organizations and users that then consume the backdoored code being impacted as well...

Out of the 14 typosquatted organizations that Orca set up for their proof-of-concept, GitHub only suspended one over a three-month period — circelci — and that's likely because someone reported it. CircleCI is one of the most popular CI/CD platforms.
Thanks to Slashdot reader snydeq for sharing the article.

SpyAgent is a new Android malware that uses optical character recognition (OCR) to steal cryptocurrency wallet recovery phrases from screenshots stored on mobile devices, allowing attackers to hijack wallets and steal funds. The malware primarily targets South Korea but poses a growing threat as it expands to other regions and possibly iOS. BleepingComputer reports: A malware operation discovered by McAfee was traced back to at least 280 APKs distributed outside of Google Play using SMS or malicious social media posts. This malware can use OCR to recover cryptocurrency recovery phrases from images stored on an Android device, making it a significant threat. [...] Once it infects a new device, SpyAgent begins sending the following sensitive information to its command and control (C2) server:

- Victim's contact list, likely for distributing the malware via SMS originating from trusted contacts.
- Incoming SMS messages, including those containing one-time passwords (OTPs).
- Images stored on the device to use for OCR scanning.
- Generic device information, likely for optimizing the attacks.

SpyAgent can also receive commands from the C2 to change the sound settings or send SMS messages, likely used to send phishing texts to distribute the malware. McAfee found that the operators of the SpyAgent campaign did not follow proper security practices in configuring their servers, allowing the researchers to gain access to them. Admin panel pages, as well as files and data stolen from victims, were easily accessible, allowing McAfee to confirm that the malware had claimed multiple victims. The stolen images are processed and OCR-scanned on the server side and then organized on the admin panel accordingly to allow easy management and immediate utilization in wallet hijack attacks.

Kaspersky has reached an agreement to transfer its U.S. customers to UltraAV, a Boston-based antivirus provider. The move comes in the wake of a White House ban on Kaspersky products. Under the deal, U.S. users will maintain their existing subscriptions and receive "reliable anti-virus protection" through UltraAV, which will offer additional features such as VPN and identity theft protection. Kaspersky will contact customers in the coming days with instructions for activating their new accounts.

An anonymous reader shares a report: It's been a rough week for OSOM Products. The company has been embroiled in legal controversy stemming from a lawsuit filed by a former executive. Now, Android Authority has learned that the company is effectively shutting down later this week. OSOM Products was formed in 2020 following the disbanding of Essential, a smartphone startup led by Andy Rubin, the founder of Android.

Essential collapsed following the poor sales of its first smartphone, the Essential Phone, as well as a loss of confidence in Rubin due to allegations of sexual misconduct at his previous stint at Google. Although Essential as a company was on its way out after Rubin's departure, many of its most talented hardware designers and software engineers remained at the company, looking for another opportunity to build something new. In 2020, the former head of R&D at Essential, Jason Keats, along with several other former executives and employees came together to form OSOM, which stands for "Out of Sight, Out of Mind." The name reflected their desire to create privacy-focused products such as the OSOM Privacy Cable, a USB-C cable with a switch to disable data signaling, and the OSOM OV1, an Android smartphone with lots of privacy and security-focused features.

The United States, United Kingdom and European Union have signed the first "legally binding" international AI treaty on Thursday, the Council of Europe human rights organization said. Called the AI Convention, the treaty promotes responsible innovation and addresses the risks AI may pose. Reuters reports: The AI Convention mainly focuses on the protection of human rights of people affected by AI systems and is separate from the EU AI Act, which entered into force last month. The EU's AI Act entails comprehensive regulations on the development, deployment, and use of AI systems within the EU internal market. The Council of Europe, founded in 1949, is an international organization distinct from the EU with a mandate to safeguard human rights; 46 countries are members, including all the 27 EU member states. An ad hoc committee in 2019 started examining the feasibility of an AI framework convention and a Committee on Artificial Intelligence was formed in 2022 which drafted and negotiated the text. The signatories can choose to adopt or maintain legislative, administrative or other measures to give effect to the provisions.

Francesca Fanucci, a legal expert at ECNL (European Center for Not-for-Profit Law Stichting) who contributed to the treaty's drafting process alongside other civil society groups, told Reuters the agreement had been "watered down" into a broad set of principles. "The formulation of principles and obligations in this convention is so overbroad and fraught with caveats that it raises serious questions about their legal certainty and effective enforceability," she said. Fanucci highlighted exemptions on AI systems used for national security purposes, and limited scrutiny of private companies versus the public sector, as flaws. "This double standard is disappointing," she added.

AT&T has filed a lawsuit against Broadcom, alleging that Broadcom is refusing to honor an extended support agreement for VMware software unless AT&T purchases additional subscriptions it doesn't need. The company warns the consequences could risk massive outages for AT&T's customer support operations and critical federal services, including the U.S. President's office. The Register reports: A complaint [PDF] filed last week in the Supreme Court of New York State explains that AT&T holds perpetual licenses for VMware software and paid for support services under a contract that ends on September 8. The complaint also alleges that AT&T has an option to extend that support deal for two years -- provided it activates the option before the end of the current deal. AT&T's filing claims it exercised that option, but that Broadcom "is refusing to honor" the contract. Broadcom has apparently told AT&T it will continue to provide support if the comms giant "agrees to purchase scores of subscription services and software." AT&T counters that it "does not want or need" those subscriptions, because they:

- Would impose significant additional contractual and technological obligations on AT
- Would require AT&T to invest potentially millions to develop its network to accommodate the new software;
- May violate certain rights of first refusal that AT&T has granted to third parties;
- Would cost AT&T tens of millions more than the price of the support services alone.

[...] The complaint also suggests Broadcom's refusal to extend support creates enormous risk for US national security -- some of the ~8,600 servers that host AT&T's ~75,000 VMs "are dedicated to various national security and public safety agencies within the federal government as well as the Office of the President." Other VMs are relied upon by emergency responders, and still more "deliver services to millions of AT&T customers worldwide" according to the suit. Without support from Broadcom, AT&T claims it fears "widespread network outages that could cripple the operations of millions of AT&T customers worldwide" because it may not be able to fix VMware's software.

The Bluetooth Special Interest Group (SIG) has released version 6.0 of the Bluetooth Core Specification, introducing several new features and enhancements. The update includes Bluetooth Channel Sounding, which brings true distance awareness to devices, potentially improving "Find My" solutions and digital key security.

Other additions include decision-based advertising filtering to improve scanning efficiency, and a monitoring advertisers feature to inform devices when other Bluetooth units move in and out of range. The specification also enhances the Isochronous Adaptation Layer to reduce latency in certain use cases. Version 6.0 expands the Link Layer Extended Feature Set to support a larger number of features, reflecting Bluetooth LE's growing sophistication. Additionally, it introduces negotiable frame spacing in connections and connected isochronous streams, moving away from the fixed 150 us value in previous versions.

An anonymous reader shares a report: Passport numbers for a group of Disney cruise line workers. Disney+ streaming revenue. Sales of Genie+ theme park passes. The trove of data from Disney that was leaked online by hackers earlier this summer includes a range of financial and strategy information that sheds light on the entertainment giant's operations, according to files viewed by The Wall Street Journal. It also includes personally identifiable information of some staff and customers.

The leaked files include granular details about revenue generated by such products as Disney+ and ESPN+; park pricing offers the company has modeled; and what appear to be login credentials for some of Disney's cloud infrastructure. (The Journal didn't attempt to access any Disney systems.) "We decline to comment on unverified information The Wall Street Journal has purportedly obtained as a result of a bad actor's illegal activity," a Disney spokesman said. Disney told investors in an August regulatory filing that it is investigating the unauthorized release of "over a terabyte of data" from one of its communications systems. It said the incident hadn't had a material impact on its operations or financial performance and doesn't expect that it will.

Data that a hacking entity calling itself Nullbulge released online spans more than 44 million messages from Disney's Slack workplace communications tool, upward of 18,800 spreadsheets and at least 13,000 PDFs, the Journal found. The scope of the material taken appears to be limited to public and private channels within Disney's Slack that one employee had access to. No private messages between executives appear to be included. Slack is only one online forum in which Disney employees communicate at work.

During a 2023 deployment, senior enlisted leaders aboard the Navy ship USS Manchester secretly installed a Starlink Wi-Fi network, allowing them exclusive internet access in violation of Navy regulations. "Unauthorized Wi-Fi systems like the one [then-Command Senior Chief Grisel Marrero] set up are a massive no-no for a deployed Navy ship, and Marrero's crime occurred as the ship was deploying to the West Pacific, where such security concerns become even more paramount among heightened tensions with the Chinese," reports Navy Times. From the report: As the ship prepared for a West Pacific deployment in April 2023, the enlisted leader onboard conspired with the ship's chiefs to install the secret, unauthorized network aboard the ship, for use exclusively by them. So while rank-and-file sailors lived without the level of internet connectivity they enjoyed ashore, the chiefs installed a Starlink satellite internet dish on the top of the ship and used a Wi-Fi network they dubbed "STINKY" to check sports scores, text home and stream movies. The enjoyment of those wireless creature comforts by enlisted leaders aboard the ship carried serious repercussions for the security of the ship and its crew. "The danger such systems pose to the crew, the ship and the Navy cannot be understated," the investigation notes.

Led by the senior enlisted leader of the ship's gold crew, then-Command Senior Chief Grisel Marrero, the effort roped in the entire chiefs mess by the time it was uncovered a few months later. Marrero was relieved in late 2023 after repeatedly misleading and lying to her ship's command about the Wi-Fi network, and she was convicted at court-martial this spring in connection to the scheme. She was sentenced to a reduction in rank to E-7 after the trial and did not respond to requests for comment for this report. The Navy has yet to release the entirety of the Manchester investigation file to Navy Times, including supplemental enclosures. Such records generally include statements or interview transcripts with the accused.

But records released so far show the probe, which wrapped in November, found that the entire chiefs mess knew about the secret system, and those who didn't buy into it were nonetheless culpable for not reporting the misconduct. Those chiefs and senior chiefs who used, paid for, helped hide or knew about the system were given administrative nonjudicial punishment at commodore's mast, according to the investigation. All told, more than 15 Manchester chiefs were in cahoots with Marrero to purchase, install and use the Starlink system aboard the ship. "This agreement was a criminal conspiracy, supported by the overt act of bringing the purchased Starlink onboard USS MANCHESTER," the investigation said. "Any new member of the CPO Mess which then paid into the services joined that conspiracy following the system's operational status."

Records obtained by Navy Times via a Freedom of Information Act request reveal a months-long effort by Marrero to obtain, install and then conceal the chiefs Wi-Fi network from superiors, including the covert installation of a Starlink satellite dish on the outside of the Manchester. When superiors became suspicious about the existence of the network and confronted her about it, Marrero failed to come clean on multiple occasions and provided falsified documents to further mislead Manchester's commanding officer, the investigation states. "The installation and usage of Starlink, without the approval of higher headquarters, poses a serious risk to mission, operational security, and information security," the investigation states.

An anonymous reader quotes a Bloomberg article, written by Jason Leopold: The aurora borealis, or northern lights, is a colorful display in the night sky that comes from geomagnetic storms in space. When charged particles from the sun smash into the Earth's upper atmosphere, they create bright, kaleidoscopic ribbons of light, typically in polar regions. Really big solar action can interfere with GPS systems and power grids. That's exactly what happened on May 10, when there were three "coronal mass ejections" (my future metal band name) that produced one of the most powerful solar storms in 500 years, hence the dazzling, polychromatic sky visible even from South America. Turns out, the extreme space weather also disrupted life on Earth.

Six days after the northern lights, I filed a Freedom of Information Act request with NOAA. I was curious how the agency reacted to the atmospheric event and whether the public deserved to be concerned. I asked NOAA's Space Weather Prediction Center and National Weather Service for a wide range of records, including emails, photographs, satellite images and threat assessments. A couple of weeks ago, NOAA turned over some interesting documents. The short version is, while we marveled at the light show, scientists were concerned. According to one internal memo, the geomagnetic storm was an "extreme," rare event and if NOAA scientists hadn't been on their game it could have been catastrophic.

A May 14, three-page after action memo disseminated by Clinton Wallace, the director of the Space Weather Prediction Center, described the storm's impact and explained the celestial phenomenon. He said "Solar Cycle 25," a phase of solar sunspot activity that began in December 2019 and continues through 2030, "has been more active than anticipated, with an intense surge in solar activity marking the beginning of May." "A large group of unstable sunspots on the Sun's surface unleashed several powerful solar flares, immediately affecting the Earth's outer atmosphere and causing disruptions in high-frequency (HF) radio communications," he wrote. "This had significant implications for trans-oceanic aviation, which relies heavily on HF radio for communication over long distances."

On May 9, a day before the northern lights extravaganza, staff at the Space Weather Prediction Center "activated" the North American Electric Reliability Corp. hotline to make sure the regulator was prepared. Wallace's memo said NERC gave about 3,000 electric utility companies a six-hour head start to get ready. The space weather officials also advised the Federal Emergency Management Agency and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency on preparedness. Wallace wrote in his memo that the storm caused "significant disruptions across multiple sectors, including navigation, power grids, aviation, and satellite operations." He also noted that the severity of the geomagnetic storm "underscored the interconnectedness and vulnerability of modern infrastructure to space weather." Although Wallace said the space weather scientists took steps to mitigate any potential disaster, their work "highlighted areas for improvement in preparedness and response." He didn't elaborate.

The YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-size device vulnerable to cloning when an attacker gains brief physical access to it, researchers said Tuesday. ArsTechnica: The cryptographic flaw, known as a side channel, resides in a small microcontroller that's used in a vast number of other authentication devices, including smartcards used in banking, electronic passports, and the accessing of secure areas. While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven't tested other devices using the microcontroller, which is SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contain the same vulnerability.

YubiKey-maker Yubico issued an advisory in coordination with a detailed disclosure report from NinjaLab, the security firm that reverse-engineered the YubiKey 5 series and devised the cloning attack. All YubiKeys running firmware prior to version 5.7 -- which was released in May and replaces the Infineon cryptolibrary with a custom one -- are vulnerable. Updating key firmware on the YubiKey isn't possible. That leaves all affected YubiKeys permanently vulnerable.

U.S. oilfield services firm Halliburton said on Tuesday an unauthorized third party had accessed and removed data from its systems, providing details regarding the cyberattack in August. From a report: The company said it is evaluating the nature and scope of information that was removed, but added that the incident is not reasonably likely to have a material impact. Halliburton declined to comment in response to Reuters' requests for additional information on the nature of data removed and expenses incurred due to the cyber incident. It also did not immediately confirm whether it had been contacted by the hackers. U.S energy firms have suffered multiple cyberattacks, including ransomware attacks, in recent years. In 2021, Colonial Pipeline was forced to pay $4.4 million in ransom as its executives were not sure about the severity of the breach.

Efforts to add Rust code to the Linux kernel has suffered a setback as one of the maintainers of the Rust for Linux project has stepped down -- citing frustration with "nontechnical nonsense," according to The Register: Wedson Almeida Filho, a software engineer at Microsoft who has overseen the Rust for Linux project, announced his resignation in a message to the Linux kernel development mailing list. "I am retiring from the project," Filho declared. "After almost four years, I find myself lacking the energy and enthusiasm I once had to respond to some of the nontechnical nonsense, so it's best to leave it up to those who still have it in them."

[...] Memory safety bugs are regularly cited as the major source of serious software vulnerabilities by organizations overseeing large projects written in C and C++. So in recent years there's been a concerted push from large developers like Microsoft and Google, as well as from government entities like the US Cybersecurity and Infrastructure Security Agency, to use memory-safe programming languages -- among them Rust. Discussions about adding Rust to Linux date back to 2020 and were realized in late 2022 with the release of Linux 6.1. "I truly believe the future of kernels is with memory-safe languages," Filho's note continued. "I am no visionary but if Linux doesn't internalize this, I'm afraid some other kernel will do to it what it did to Unix."

Notorious for a hardworking culture, Japan launched an initiative to help people cut back. But three years into the effort, the country is having a hard time coaxing people to take a four-day workweek. From a report: Japanese lawmakers first proposed a shorter work week in 2021. The guidelines aimed to encourage staff retention and cut the number of workers falling ill or dying from overwork in an economy already suffering from a huge labor shortage. The guidelines also included overtime limits and paid annual leave. However, the initiative has had a slow start: According to the Ministry of Health, Labor, and Welfare, only about 8% of companies in Japan allow employees to take three or more days off a week.

It's not just companies -- employees are hesitant, too. Electronics manufacturer Panasonic, one of Japan's largest companies, opted into the effort in early 2022. Over two years in, only 150 of its 63,000 eligible employees have chosen to take up four-day schedules, a representative of the company told the Associated Press. Other major companies to introduce a four-day workweek include Uniqlo parent Fast Retailing, electronics giant Hitachi, and financial firm Mizuho. About 85% of employers report giving workers the usual two days off a week. Much of the reluctance to take an extra day off boils down to a culture of workers putting companies before themselves, including pressure to appear like team players and hard workers. This intense culture stems from Japan's postwar era, where, in an effort to boost the economy, then-Prime Minister Shigeru Yoshida enlisted major corporations to offer their employees lifelong job security, asking only that workers repay them with loyalty.