Donald and Melania Trump have launched a pair of meme coins just before President Trump was sworn into office. The coins are already worth billions of dollars, raising "serious ethical questions and conflicts of interest," said Richard Painter, a law professor at the University of Minnesota. CNN reports: Melania Trump launched her cryptocurrency $MELANIA in a social media post Sunday, sending her husband's cryptocurrency $TRUMP, announced two days earlier, plummeting. "The Official Melania Meme is live! You can buy $MELANIA now. https://melaniameme.com," the future first lady wrote on X Sunday. Meme coins are a type of highly volatile cryptocurrency inspired by popular internet or cultural trends. They carry no intrinsic value but can soar, or plummet, in price. "My NEW Official Trump Meme is HERE!" Trump wrote on X Friday. "It's time to celebrate everything we stand for: WINNING! Join my very special Trump Community. GET YOUR $TRUMP NOW. Go to http://gettrumpmemes.com -- Have Fun!" Both coins are trading on the Solana blockchain. [...]

$TRUMP is the first cryptocurrency endorsed by the incoming president, who once trashed bitcoin as "based on thin air." [...] While executive branch employees must follow conflict of interest criminal statutes that prevent them from participating in matters that impact their own financial interests, the law does not apply to the president or the vice president. [...] The Trump coin's market capitalization, which is based on the 200 million coins circulating, is capped at $13 billion, according to CoinMarketCap. The meme coin's website said there will be 1 billion Trump coins over the next three years. Both $MELANIA and $TRUMP's websites contain disclaimers saying the coins are "intended to function as a support for, and engagement with" the values of their respective brands and "are not intended to be, or to be the subject of, an investment opportunity, investment contract, or security of any type."

The website says the meme coin is not politically affiliated. But 80% of the coin's supply is held by Trump Organization-affiliate CIC Digital and Fight Fight Fight LLC, which are both subject to a three-year unlocking schedule -- so they cannot sell all of their holdings at once. Trump coin's fully diluted value (which reflects the eventual total supply of Trump coins) stood at around $54 billion as of Monday morning, according to CoinMarketCap. At that value, the 80% linked to Trump is worth a staggering $43 billion, at least on paper. The $TRUMP coin's website says it is "the only official Trump meme. Now, you can get your piece of history. This Trump Meme celebrates a leader who doesn't back down, no matter the odds," the website reads. "Trump owning 80% and timing launch hours before inauguration is predatory and many will likely get hurt by it," Nick Tomaino, a former Coinbase executive, said in a post on X. "Trump should be airdropping to the people rather than enriching himself or his team on this."

Hackers could steal sensitive personal data from former startup employees by exploiting abandoned company domains and Google login systems, security researcher Dylan Ayrey revealed at ShmooCon conference. The vulnerability particularly affects startups that relied on "Sign in with Google" features for their business software.

Ayrey, CEO of Truffle Security, demonstrated the flaw by purchasing one failed startup's domain and accessing ChatGPT, Slack, Notion, Zoom and an HR system containing Social Security numbers. His research found 116,000 website domains from failed tech startups currently available for sale. While Google offers preventive measures through its OAuth "sub-identifier" system, some providers avoid it due to reliability concerns - which Google disputes. The company initially dismissed Ayrey's finding as a fraud issue before reversing course and awarding him a $1,337 bounty. Google has since updated its documentation but hasn't implemented a technical fix, TechCrunch reports.

Amazon has angered its workers again "after forcing them to return to the office five days a week," reports the New York Post. The problem? "Not enough desks for everyone." (As well as "packed parking lots" that are turning some workers away.)

The Post cites interviews conducted with seven Amazon employees by Business Insider (which notes that in mid-December Amazon had already delayed full return-to-office at dozens of locations, sometimes until as late as May, because of office-capacity issues).

Here in mid-January, the Post writes, many returning-to-office workers still aren't happy: Some meeting rooms have not had enough chairs — and there also have not been enough meeting rooms for everyone, one worker told the publication... [S]imply reaching the office is a challenge in itself, according to the report. Some complained they were turned away from company parking lots that were full, while others griped about having to join meetings from the road due to excess traffic on their way to the office, according to the Slack messages. Once staffers conquer the challenges of reaching the office and finding a desk, some lamented the lack of in-person discussions since many of the meetings remain virtual, according to BI.
Amazon acknowledged they had offices that were "not quite ready" to "welcome everyone back a full five days a week," according to Post, though Amazon believed the number of not-quite-ready offices were "relatively small".

But the parking lot situation may continue. Business Insider says one employee from Amazon's Nashville office "said the wait time for a company parking pass was backed up for months." (Although another Nashville staffer said Amazon was handing out passes for them to take mass-transit for free, which they'd described as "incredibly generous.")

There's also Amazon shuttle busses, according to the article. Although other staffers "said they were denied a spot on Amazon shuttle buses because the vehicles were full..." Others said they just drove back home, while some staffers found street parking nearby, according to multiple Slack messages seen by Business Insider...

This month, some employees were still questioning the logic behind the policy. They said being in the office has had little effect on their work routine and has not generated much of a productivity gain. A considerable portion of their in-office work is still being done through video calls with customers who are elsewhere, these employees told BI. Many Amazon colleagues are at other office locations, so face-to-face meetings still don't happen very often, they added.
The Post adds another drawback of returning to the office. "Employees at Amazon's Toronto office said their personal belongings have repeatedly been stolen from their desks."

America's outgoing national security adviser has "wide access to the world's secrets," writes Axios, adding that the security adviser delivered a "chilling" warning that "The next few years will determine whether AI leads to catastrophe — and whether China or America prevails in the AI arms race."

But in addition, Sullivan "said in our phone interview that unlike previous dramatic technology advancements (atomic weapons, space, the internet), AI development sits outside of government and security clearances, and in the hands of private companies with the power of nation-states... 'There's going to have to be a new model of relationship because of just the sheer capability in the hands of a private actor,' Sullivan says..." Somehow, government will have to join forces with these companies to nurture and protect America's early AI edge, and shape the global rules for using potentially God-like powers, he says. U.S. failure to get this right, Sullivan warns, could be "dramatic, and dramatically negative — to include the democratization of extremely powerful and lethal weapons; massive disruption and dislocation of jobs; an avalanche of misinformation..."

To distill Sullivan: America must quickly perfect a technology that many believe will be smarter and more capable than humans. We need to do this without decimating U.S. jobs, and inadvertently unleashing something with capabilities we didn't anticipate or prepare for. We need to both beat China on the technology and in shaping and setting global usage and monitoring of it, so bad actors don't use it catastrophically. Oh, and it can only be done with unprecedented government-private sector collaboration — and probably difficult, but vital, cooperation with China...

There's no person we know in a position of power in AI or governance who doesn't share Sullivan's broad belief in the stakes ahead...

That said, AI is like the climate: America could do everything right — but if China refuses to do the same, the problem persists and metastasizes fast. Sullivan said Trump, like Biden, should try to work with Chinese leader Xi Jinping on a global AI framework, much like the world did with nuclear weapons.
"I personally am not an AI doomer," Sullivan says in the interview. "I am a person who believes that we can seize the opportunities of AI. But to do so, we've got to manage the downside risks, and we have to be clear-eyed and real about those risks."

Thanks to long-time Slashdot reader Mr_Blank for sharing the article.

The Washington Post reports: Ruptures of undersea cables that have rattled European security officials in recent months were likely the result of maritime accidents rather than Russian sabotage, according to several U.S. and European intelligence officials.

The determination reflects an emerging consensus among U.S. and European security services, according to senior officials from three countries involved in ongoing investigations of a string of incidents in which critical seabed energy and communications lines have been severed... [S]o far, officials said, investigations involving the United States and a half-dozen European security services have turned up no indication that commercial ships suspected of dragging anchors across seabed systems did so intentionally or at the direction of Moscow. Instead, U.S. and European officials said that the evidence gathered to date — including intercepted communications and other classified intelligence — points to accidents caused by inexperienced crews serving aboard poorly maintained vessels.

U.S. officials cited "clear explanations" that have come to light in each case indicating a likelihood that the damage was accidental, and a lack of evidence suggesting Russian culpability. Officials with two European intelligence services said that they concurred with U.S. assessments. Despite initial suspicions that Russia was involved, one European official said there is "counter evidence" suggesting otherwise. The U.S. and European officials declined to elaborate and spoke on the condition of anonymity, citing the sensitivity of ongoing investigations...

A Nordic official briefed on the investigation said conditions on the tanker were abysmal. "We've always gone out with the assumption that shadow fleet vessels are in bad shape," the official said. "But this was even worse than we thought...." European security officials said that Finland's main intelligence service is in agreement with Western counterparts that the Dec. 25 incident appears to have been an accident, though they cautioned that it may be impossible to rule out a Russian role.
The article points out another reason Russia might not want to draw attention to the waterways around NATO countries. Doing so "could endanger oil smuggling operations Russia has relied on to finance the war in Ukraine, and possibly provoke more aggressive efforts by Western governments to choke off Russia's route to the North Atlantic."

ABC News reported that the official newspaper of China's communist party is claiming TikTok refugees on RedNote found a "new home," and "openness, communication, and mutual learning are... the heartfelt desires of people from all countries."

But in fact, Wired reports, "China's Cyberspace Administration, the country's top internet watchdog, has reportedly already grown concerned about content being shared by foreigners on Xiaohongshu," and "warned the platform earlier this week to 'ensure China-based users can't see posts from U.S. users,' according to The Information."

And that's just the beginning. Wired reports that RedNote is now also "scrambling to hire English-speaking moderators." Social media platforms in China are legally required to remove a wide range of content, including nudity and graphic violence, but especially information that the government deems politically sensitive... "RedNote — like all platforms owned by Chinese companies — is subject to the Chinese Communist Party's repressive laws," wrote Allie Funk, research director for technology and democracy at the nonprofit human rights organization Freedom House, in an email to WIRED. "Independent researchers have documented how keywords deemed sensitive to those in power, such as discussion of labor strikes or criticism of Xi Jinping, can be scrubbed from the platform."

But the influx of American TikTok users — as many as 700,000 in merely two days, according to Reuters — could be stretching Xiaohongshu's content moderation abilities thin, says Eric Liu, an editor at China Digital Times, a California-based publication documenting censorship in China, who also used to work as a content moderator himself for the Chinese social media platform Weibo... Liu reposted a screenshot on Bluesky showing that some people who recently joined Xiaohongshu have received notifications that their posts can only be shown to other users after 48 hours, seemingly giving the company time to determine whether they may be violating any of the platform's rules. This is a sign that Xiaohongshu's moderation teams are unable to react swiftly, Liu says...

While the majority of the new TikTok refugees still appear to be enjoying their time on Xiaohongshu, some have already had their posts censored. Christine Lu, a Taiwanese-American tech entrepreneur who created a Xiaohongshu account on Wednesday, says she was suspended after uploading three provocative posts about Tiananmen, Tibet, and Taiwan. "I support more [Chinese and American] people engaging directly. But also, knowing China, I knew it wouldn't last for long," Lu tells WIRED.
Despite the 700,000 signups in two days, "It's also worth nothing that the migration to RedNote is still very small, and only a fraction of the 170 million people in the US who use TikTok," notes The Conversation. (And they add that "The US government also has the authority to pressure Apple to remove RedNote from the US App Store if it thinks the migration poses a national security threat.")

One nurse told the Los Angeles Times Americans signed up for the app because they "just don't want to give in" to "bullying" by the U.S. government. (The Times notes she later recorded a video acknowledging that on the Chinese-language app, "I don't know what I'm doing, I don't know what I'm reading, I'm just pressing buttons.") On Tuesday, the Wall Street Journal reported that Chinese officials had discussed the possibility of selling TikTok to a trusted non-Chinese party such as Elon Musk, who already owns social media platform X. However, analysts said that Bytedance is unlikely to agree to a sale of the underlying algorithm that powers the app, meaning the platform under a new owner could still look drastically different.

CNN reports: TikTok appears to be coming back online just hours after President-elect Donald Trump pledged Sunday that he would sign an executive order Monday that aims to restore the banned app. Around 12 hours after first shutting itself down, U.S. users began to have access to TikTok on a web browser and in the app, although the page still showed a warning about the shutdown.
The brief outage was "the first time in history the U.S. government has outlawed a widely popular social media network," reports NPR. Apple and Google removed TikTok from their app stores. (And Apple also removed Lemon8).

The incoming president announced his pending executive order "in a post on his Truth Social account," reports the Associated Press, "as millions of TikTok users in the U.S. awoke to discover they could no longer access the TikTok app or platform."

But two Republican Senators said Sunday that the incoming president doesn't have the power to pause the TikTok ban. Tom Cotton of Arkansas and Peter Ricketts of Nebraska posted on X.com that "Now that the law has taken effect, there's no legal basis for any kind of 'extension' of its effective date. For TikTok to come back online in the future, ByteDance must agree to a sale... severing all ties between TikTok and Communist China. Only then will Americans be protected from the grave threat posted to their privacy and security by a communist-controlled TikTok."

The Associated Press reports that the incoming president offered this rationale for the reprieve in his Truth Social post. "Americans deserve to see our exciting Inauguration on Monday, as well as other events and conversations." The law gives the sitting president authority to grant a 90-day extension if a viable sale is underway. Although investors made a few offers, ByteDance previously said it would not sell. In his post on Sunday, Trump said he "would like the United States to have a 50% ownership position in a joint venture," but it was not immediately clear if he was referring to the government or an American company...

"A law banning TikTok has been enacted in the U.S.," a pop-up message informed users who opened the TikTok app and tried to scroll through videos on Saturday night. "Unfortunately that means you can't use TikTok for now." The service interruption TikTok instituted hours earlier caught most users by surprise. Experts had said the law as written did not require TikTok to take down its platform, only for app stores to remove it. Current users had been expected to continue to have access to videos until the app stopped working due to a lack of updates... "We are fortunate that President Trump has indicated that he will work with us on a solution to reinstate TikTok once he takes office. Please stay tuned," read the pop-up message...

Apple said the apps would remain on the devices of people who already had them installed, but in-app purchases and new subscriptions no longer were possible and that operating updates to iPhones and iPads might affect the apps' performance.

In the nine months since Congress passed the sale-or-ban law, no clear buyers emerged, and ByteDance publicly insisted it would not sell TikTok. But Trump said he hoped his administration could facilitate a deal to "save" the app. TikTok CEO Shou Chew is expected to attend Trump's inauguration with a prime seating location. Chew posted a video late Saturday thanking Trump for his commitment to work with the company to keep the app available in the U.S. and taking a "strong stand for the First Amendment and against arbitrary censorship...."

On Saturday, artificial intelligence startup Perplexity AI submitted a proposal to ByteDance to create a new entity that merges Perplexity with TikTok's U.S. business, according to a person familiar with the matter...
The article adds that TikTok "does not operate in China, where ByteDance instead offers Douyin, the Chinese sibling of TikTok that follows Beijing's strict censorship rules."

Sunday morning Republican House speaker Mike Johnson offered his understanding of Trump's planned executive order, according to Politico. Speaking on Meet the Press, Johnson said "the way we read that is that he's going to try to force along a true divestiture, changing of hands, the ownership.

"It's not the platform that members of Congress are concerned about. It's the Chinese Communist Party and their manipulation of the algorithms."

Thanks to long-time Slashdot reader ArchieBunker for sharing the news.

In 2022 Google released a tool to easily scan for vulnerabilities in dependencies named OSV-Scanner. "Together with the open source community, we've continued to build this tool, adding remediation features," according to Google's security blog, "as well as expanding ecosystem support to 11 programming languages and 20 package manager formats... Users looking for an out-of-the-box vulnerability scanning CLI tool should check out OSV-Scanner, which already provides comprehensive language package scanning capabilities..."

Thursday they also announced an extensible library for "software composition analysis" scanning (as well as file-system scanning) named OSV-SCALIBR (Open Source Vulnerability — Software Composition Analysis LIBRary). The new library "combines Google's internal vulnerability management expertise into one scanning library with significant new capabilities such as:

• Software composition analysis for installed packages, standalone binaries, as well as source code

• OSes package scanning on Linux (COS, Debian, Ubuntu, RHEL, and much more), Windows, and Mac

• Artifact and lockfile scanning in major language ecosystems (Go, Java, Javascript, Python, Ruby, and much more)

• Vulnerability scanning tools such as weak credential detectors for Linux, Windows, and Mac

• Software Bill of Materials (SBOM) generation in SPDX and CycloneDX, the two most popular document formats

• Optimization for on-host scanning of resource constrained environments where performance and low resource consumption is critical

"OSV-SCALIBR is now the primary software composition analysis engine used within Google for live hosts, code repos, and containers. It's been used and tested extensively across many different products and internal tools to help generate SBOMs, find vulnerabilities, and help protect our users' data at Google scale. We offer OSV-SCALIBR primarily as an open source Go library today, and we're working on adding its new capabilities into OSV-Scanner as the primary CLI interface."

The BBC brings news from the Baltic Sea. After critical undersea cables were damaged or severed last year, "NATO has launched a new mission to increase the surveillance of ships..." Undersea infrastructure is essential not only for electricity supply but also because more than 95% of internet traffic is secured via undersea cables, [said NATO head Mark Rutte], adding that "1.3 million kilometres (800,000 miles) of cables guarantee an estimated 10 trillion-dollar worth of financial transactions every day". In a post on X, he said Nato would do "what it takes to ensure the safety and security of our critical infrastructure and all that we hold dear".... Estonia's Foreign Minister Margus Tsahkna said in December that damage to submarine infrastructure had become "so frequent" that it cast doubt on the idea the damage could be considered "accidental" or "merely poor seamanship".
The article also has new details about a late-December cable-cutting by the Eagle S (which was then boarded by Finland's coast guard and steered into Finnish waters). "On Monday, Risto Lohi of Finland's National Bureau of Investigation told Reuters that the Eagle S was threatening to cut a second power cable and a gas pipe between Finland and Estonia at the time it was seized." And there's reports that the ship was loaded with spying equipment.

UPDATE (1/19/2024): The Washington Post reports that the undersea cable ruptures "were likely the result of maritime accidents rather than Russian sabotage, according to several U.S. and European intelligence officials."

But whatever they're watching for, NATO's new surveillance of the Baltic Sea will include "uncrewed surface vessels," according to defense-news web site TWZ.com: The uncrewed surface vessels [or USVs], also known as drone boats, will help establish an enhanced common operating picture to give participating nations a better sense of potential threats and speed up any response. It is the first time NATO will use USVs in this manner, said a top alliance commander... There will be at least 20 USVs assigned [a NATO spokesman told The War Zone Friday]... In the first phase of the experiment, the USVs will "have the capabilities under human control" while "later phases will include greater autonomy." The USVs will augment the dozen or so vessels as well as an unspecified number of crewed maritime patrol aircraft committed
One highly-placed NATO official tells the site that within weeks "we will begin to use these ships to give a persistent, 24-7 surveillance of critical areas."

Last week the U.K. government also announced "an advanced UK-led reaction system to track potential threats to undersea infrastructure and monitor the Russian shadow fleet."

The system "harnesses AI to assess data from a range of sources, including the Automatic Identification System (AIS) ships use to broadcast their position, to calculate the risk posed by each vessel entering areas of interest." Harnessing the power of AI, this UK-led system is a major innovation which allows us the unprecedented ability to monitor large areas of the sea with a comparatively small number of resources, helping us stay secure at home and strong abroad.

Smithsonian Magazine reports: A homeowner on Prince Edward Island in Canada has had a very unusual near-death experience: A meteorite landed exactly where he'd been standing roughly two minutes earlier. What's more, his home security camera caught the impact on video -- capturing a rare clip that might be the first known recording of both the visual and audio of a meteorite striking the planet. The shocking event took place in July 2024 and was announced in a statement by the University of Alberta on Monday.

"It sounded like a loud, crashing, gunshot bang," the homeowner, Joe Velaidum, tells the Canadian Press' Lyndsay Armstrong. Velaidum wasn't home to hear the sound in person, however. Last summer, he and his partner Laura Kelly noticed strange, star-shaped, grey debris in front of their house after returning from a walk with their dogs. They checked their security camera footage, and that's when they saw and heard it: a small rock plummeting through the sky and smashing into their walkway. It landed so quickly that the space rock itself is only visible in two of the video's frames.

The U.S. Department of the Treasury's OFAC has sanctioned Yin Kecheng and Sichuan Juxinhe Network Technology Co. for their roles in a recent Treasury breach and espionage operations targeting U.S. telecommunications. BleepingComputer reports: "Yin Kecheng has been a cyber actor for over a decade and is affiliated with the People's Republic of China Ministry of State Security (MSS)," reads the Treasury's announcement. "Yin Kecheng was associated with the recent compromise of the Department of the Treasury's Departmental Offices network," says the agency.

OFAC also announced sanctions against Sichuan Juxinhe Network Technology Co., a Chinese cybersecurity firm believed to be directly involved with the Salt Typhoon state hacker group. Salt Typhoon was recently linked to several breaches on major U.S. telecommunications and internet service providers to spy on confidential communications of high-profile targets. "Sichuan Juxinhe Network Technology Co., LTD. (Sichuan Juxinhe) had direct involvement in the exploitation of these U.S. telecommunication and internet service provider companies," the U.S. Treasury explains, adding that "the MSS has maintained strong ties with multiple computer network exploitation companies, including Sichuan Juxinhe." [...]

The sanctions imposed on Kecheng and the Chinese cybersecurity firm under Executive Order (E.O.) 13694 block all property and financial assets located in the United States or are in the possession of U.S. entities, including banks, businesses, and individuals. Additionally, U.S. entities are prohibited from conducting any transactions with the sanctioned entities without OFAC's explicit authorization. It's worth noting that these sanctions come after OFAC sanctioned Beijing-based cybersecurity company Integrity Tech for its involvement in cyberattacks attributed to the Chinese state-sponsored Flax Typhoon hacking group. U.S. Treasury's announcement reiterates that the U.S. Department of State offers, through its Rewards for Justice program, up to $10,000,000 for information leading to uncovering the identity of hackers who have targeted the U.S. government or critical infrastructure in the country.

An anonymous reader shares a report: FBI leaders have warned that they believe hackers who broke into AT&T's system last year stole months of their agents' call and text logs, setting off a race within the bureau to protect the identities of confidential informants, a document reviewed by Bloomberg News shows.

FBI officials told agents across the country that details about their use on the telecom carrier's network were believed to be among the billions of records stolen, according to the document and interviews with a current and a former law enforcement official. They asked not to be named to discuss sensitive information. Data from all FBI devices under the bureau's AT&T service for public safety agencies were presumed taken, the document shows.

The cache of hacked AT&T records didn't reveal the substance of communications but, according to the document, could link investigators to their secret sources. The data was believed to include agents' mobile phone numbers and the numbers with which they called and texted, the document shows. Records for calls and texts that weren't on the AT&T network, such as through encrypted messaging apps, weren't part of the stolen data.

Microsoft researchers who tested more than 100 of the company's AI products concluded that AI systems can never be made fully secure, according to a new pre-print paper. The 26-author study, which included Azure CTO Mark Russinovich, found that large language models amplify existing security risks and create new vulnerabilities. While defensive measures can increase the cost of attacks, the researchers warned that AI systems will remain vulnerable to threats ranging from gradient-based attacks to simpler techniques like interface manipulation for phishing.

An anonymous reader shares a report: The Supreme Court on Friday unanimously upheld the federal law banning TikTok beginning Sunday unless it's sold by its China-based parent company, holding that the risk to national security posed by its ties to China overcomes concerns about limiting speech by the app or its 170 million users in the United States.

A sale does not appear imminent and, although experts have said the app will not disappear from existing users' phones once the law takes effect on Jan. 19, new users won't be able to download it and updates won't be available. That will eventually render the app unworkable, the Justice Department has said in court filings.

Microsoft has patched a Windows vulnerability that allowed attackers to bypass Secure Boot, a critical defense against firmware infections, the company said. The flaw, tracked as CVE-2024-7344, affected Windows devices for at least seven months. Security researcher Martin Smolar discovered the vulnerability in a signed UEFI application within system recovery software from seven vendors, including Howyar.

The application, reloader.efi, circumvented standard security checks through a custom PE loader. Administrative attackers could exploit the vulnerability to install malicious firmware that persists even after disk reformatting. Microsoft revoked the application's digital signature, though the vulnerability's impact on Linux systems remains unclear.

U.S. President Joe Biden has issued a comprehensive cybersecurity executive order, four days before leaving office, mandating improvements to government network monitoring, software procurement, AI usage, and foreign hacker penalties.

The 40-page directive aims to leverage AI's security benefits, implement digital identities for citizens, and address vulnerabilities that have allowed Chinese and Russian intrusions into U.S. government systems. It requires software vendors to prove secure development practices and gives the Commerce Department eight months to establish mandatory cybersecurity standards for government contractors.

An anonymous reader quotes a report from TechCrunch: On Tuesday, the United Nations Security Council held a meeting to discuss the dangers of commercial spyware, which marks the first time this type of software -- also known as government or mercenary spyware -- has been discussed at the Security Council. The goal of the meeting, according to the U.S. Mission to the UN, was to "address the implications of the proliferation and misuse of commercial spyware for the maintenance of international peace and security." The United States and 15 other countries called for the meeting. While the meeting was mostly informal and didn't end with any concrete proposals, most of the countries involved, including France, South Korea, and the United Kingdom, agreed that governments should take action to control the proliferation and abuse of commercial spyware. Russia and China, on the other hand, dismissed the concerns.

John Scott-Railton, a senior researcher at The Citizen Lab, a human rights organization that has investigated spyware abuses since 2012, gave testimony in which he sounded the alarm on the proliferation of spyware made by "a secretive global ecosystem of developers, brokers, middlemen, and boutique firms," which "is threatening international peace and security as well as human rights." Scott-Railton called Europe "an epicenter of spyware abuses" and a fertile ground for spyware companies, referencing a recent TechCrunch investigation that showed Barcelona has become a hub for spyware companies in the last few years.

Representatives of Poland and Greece, countries that had their own spyware scandals involving software made by NSO Group and Intellexa, respectively, also intervened. Poland's representative pointed at local legislative efforts to put "more control, including by the judiciary, on the relevant operational activities of the security and intelligence services," while also recognizing that spyware can be used in a legal way. "We are not saying that the use of spyware is never justified or even required," said Poland's representative. And the Greek representative pointed to the country's 2022 bill to ban the sale of spyware.

Roseltorg, Russia's main electronic trading platform for government and corporate procurement, confirmed it was targeted by a cyberattack claimed by the pro-Ukraine hacker group Yellow Drift. The group allegedly deleted 550 terabytes of data, causing significant operational delays and client concerns. The Record reports: The company initially confirmed last Thursday that its services had been temporarily suspended, without providing further details. In a recent Telegram statement, Roseltorg disclosed that it had been targeted by "an external attempt to destroy data and the entire infrastructure of electronic trading." Roseltorg stated that all data and infrastructure affected by the recent attack had been fully restored, and trading systems are expected to resume operations shortly. However, as of the time of writing, the company's website remains offline.

Last week, the previously unknown pro-Ukraine hacker group Yellow Drift claimed responsibility for the attack on Roseltorg, stating they had deleted 550 terabytes of data, including emails and backups. As proof, the hackers published screenshots from the platform's allegedly compromised infrastructure on their Telegram channel. "If you support tyranny and sponsor wars, be prepared to return to the Stone Age," the hackers said.

The cyberattack on Roseltorg is already impacting clients who rely on the platform's operations, including government agencies, state-owned companies and suppliers. Following the company's announcement, many clients expressed concerns in the comments section, complaining about potential financial losses and delays in the procurement process. Roseltorg said in a statement that once access to the trading systems is reinstated, all deadlines for procedures, including contract signings, will be automatically extended without requiring any requests from users.

An anonymous reader quotes a report from Ars Technica: Lots of startups use Google's productivity suite, known as Workspace, to handle email, documents, and other back-office matters. Relatedly, lots of business-minded webapps use Google's OAuth, i.e. "Sign in with Google." It's a low-friction feedback loop -- up until the startup fails, the domain goes up for sale, and somebody forgot to close down all the Google stuff. Dylan Ayrey, of Truffle Security Co., suggests in a report that this problem is more serious than anyone, especially Google, is acknowledging. Many startups make the critical mistake of not properly closing their accounts -- on both Google and other web-based apps -- before letting their domains expire.

Given the number of people working for tech startups (6 million), the failure rate of said startups (90 percent), their usage of Google Workspaces (50 percent, all by Ayrey's numbers), and the speed at which startups tend to fall apart, there are a lot of Google-auth-connected domains up for sale at any time. That would not be an inherent problem, except that, as Ayrey shows, buying a domain allows you to re-activate the Google accounts for former employees if the site's Google account still exists.

With admin access to those accounts, you can get into many of the services they used Google's OAuth to log into, like Slack, ChatGPT, Zoom, and HR systems. Ayrey writes that he bought a defunct startup domain and got access to each of those through Google account sign-ins. He ended up with tax documents, job interview details, and direct messages, among other sensitive materials. A Google spokesperson said in a statement: "We appreciate Dylan Ayrey's help identifying the risks stemming from customers forgetting to delete third-party SaaS services as part of turning down their operation. As a best practice, we recommend customers properly close out domains following these instructions to make this type of issue impossible. Additionally, we encourage third-party apps to follow best-practices by using the unique account identifiers (sub) to mitigate this risk."

Change Healthcare has hidden its data breach notification webpage from search engines using "noindex" code, TechCrunch found, making it difficult for affected individuals to find information about the massive healthcare data breach that compromised over 100 million people's medical records last year.

The UnitedHealth subsidiary said Tuesday it had "substantially" completed notifying victims of the February 2024 ransomware attack. The cyberattack caused months of healthcare disruptions and marked the largest known U.S. medical data theft.