Earth

Societal Cost of 'Forever Chemicals' About $17.5 Trillion Across Global Economy (theguardian.com)

An anonymous reader quotes a report from The Guardian: The societal cost of using toxic PFAS or "forever chemicals" across the global economy totals about $17.5 trillion annually, a new analysis of the use of the dangerous compounds has found. Meanwhile, the chemicals yield comparatively paltry profits for the world's largest PFAS manufacturers -- about $4 billion annually. The report, compiled by ChemSec, a Sweden-based NGO that works with industry and policymakers to limit the use of toxic chemicals, partially aims to highlight how the "astronomical" cost of using PFAS is shouldered by governments typically forced to fund the cleanup of pollution and individuals who suffer from health consequences. "If you compare the profits that they make and the cost to society -- it's ridiculous," said Peter Pierrou, ChemSec's communications director.

PFAS are a class of about 15,000 chemicals often used to make products resistant to water, stains and heat. The chemicals are ubiquitous, and linked at low levels of exposure to cancer, thyroid disease, kidney dysfunction, birth defects, autoimmune disease and other serious health problems. They are called "forever chemicals" because they do not naturally degrade. The chemicals are thought to be contaminating drinking water for at least 200 million Americans, while watchdogs have identified thousands of industrial polluters. Similar widespread contamination persists throughout Europe.

ChemSec found 12 companies account for most of the world's PFAS production and pollution. Among them are 3M, Chemours, Solvay, Daikin, Honeywell, BASF, Merck and Bayer, though 3M this year announced it would discontinue making PFAS in part because of regulatory pressure and litigation. [...] The analysis broke down societal costs into four categories. Soil and water remediation are the most expensive, followed by healthcare costs and bio-monitoring of PFAS pollution. While the average market price of PFAS is [about $20.75] for each kilogram, the price spikes to about [$20,456.78] for each kilogram when societal costs are factored in. Beyond profits and pollution, the analysis also provides a closer look at how the chemicals are used across the economy, and whether those uses are "essential" or "non-essential." Banning non-essential uses would probably spell the end of the chemicals in most consumer goods and cut deeply into the industry's profits.

Cellphones

Millions of Mobile Phones Come Pre-Infected With Malware, Say Researchers (theregister.com)

Trend Micro researchers at Black Hat Asia are warning that millions of Android devices worldwide come pre-infected with malicious firmware before the devices leave their factories. "This hardware is mainly cheapo Android mobile devices, though smartwatches, TVs, and other things are caught up in it," reports The Register. From the report: This insertion of malware began as the price of mobile phone firmware dropped, we're told. Competition between firmware distributors became so furious that eventually the providers could not charge money for their product. "But of course there's no free stuff," said [Trend Micro researcher Fyodor Yarochkin], who explained that, as a result of this cut-throat situation, firmware started to come with an undesirable feature -- silent plugins. The team analyzed dozens of firmware images looking for malicious software. They found over 80 different plugins, although many of those were not widely distributed. The plugins that were the most impactful were those that had a business model built around them, were sold on the underground, and marketed in the open on places like Facebook, blogs, and YouTube.

The objective of the malware is to steal info or make money from information collected or delivered. The malware turns the devices into proxies which are used to steal and sell SMS messages, take over social media and online messaging accounts, and are used for monetization via adverts and click fraud. One type of plugin, proxy plugins, allows criminals to rent out devices for up to around five minutes at a time. For example, those renting the control of the device could acquire data on keystrokes, geographical location, IP address and more. "The user of the proxy will be able to use someone else's phone for a period of 1200 seconds as an exit node," said Yarochkin. He also said the team found a Facebook cookie plugin that was used to harvest activity from the Facebook app.

Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, but are centralized in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million. As for where the threats are coming from, the duo wouldn't say specifically, although the word "China" showed up multiple times in the presentation, including in an origin story related to the development of the dodgy firmware. Yarochkin said the audience should consider where most of the world's OEMs are located and make their own deductions.

The team confirmed the malware was found in the phones of at least 10 vendors, but that possibly around 40 more were affected. Those seeking to avoid infected mobile phones can go some way toward protecting themselves by going high end. That is to say, you'll find this sort of bad firmware in the cheaper end of the Android ecosystem, and sticking to bigger brands is a good idea though not necessarily a guarantee of safety. "Big brands like Samsung, like Google took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market," said Yarochkin.

Security

Discord Discloses Data Breach After Support Agent Got Hacked (bleepingcomputer.com)

Discord has informed users of a data breach that occurred after a third-party support agent's account was compromised, exposing user email addresses, messages exchanged with Discord support, and any attachments sent as part of the tickets. Discord immediately disabled the account and worked with the customer service partner to prevent similar incidents in the future, but users are advised to stay vigilant for any suspicious activity. BleepingComputer reports: "Due to the nature of the incident, it is possible that your email address, the contents of customer service messages and any attachments sent between you and Discord may have been exposed to a third party," Discord said in letters sent to affected users. "As soon as Discord was made aware of the issue, we deactivated the compromised account and completed malware checks on the affected machine."

They also worked with the customer service partner to implement effective measures to prevent similar incidents in the future. "While we believe the risk is limited, it is recommended that you be vigilant for any suspicious messages or activity, such as fraud or phishing attempts," the company said.

Desktops (Apple)

Apple Silicon Macs Now Natively Support Unreal Engine 5 (engadget.com)

Epic Games has released a new update for Unreal Engine 5 that allows it to run natively on Apple Silicon. With the recent update, Mac users will no longer have to rely on Rosetta technology in order to run the software, resulting in a significant boost in performance on M1 and M2 Macs. Engadget reports: There's more news for Apple users as well. Epic unveiled a new iPad app for virtual productions that works with the Unreal Engine's ICVFX (In-Camera VFX) editor. It offers "an intuitive touch-based interface for stage operations such as color grading, light card placement, and nDisplay management tasks from anywhere within the LED volume," the company said. In other words, it lets DPs, VFX folks and others tweak lighting and more on virtual sets from a simple, portable interface.

Other new features introduced with the Unreal Engine 5.2 update include a "Procedural Content Generation framework" that lets you populate large scenes with the Unreal Engine assets of your choice, making it faster to build large worlds. And another feature called Substrate allows material creation with more control over the look and feel of objects used in real-time applications like games or for linear content creation. Epic demonstrated that using its previous Rivian demo, giving a metallic-looking paint job to the R1T electric pickup.

Android

Bluetooth Tags For Android's 3 Billion-Strong Tracking Network Are Here (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: After the release of Apple's AirTags, Google suddenly has interest in the Bluetooth tracker market. The company has already quietly rolled out what must be the world's largest Bluetooth tracking network via Android's 3 billion active devices, and now trackers are starting to plug in to that network. Google is taking the ecosystem approach and letting various companies plug in to the Android Bluetooth tracking network, which has the very derivative name of "Find My Device." While these Bluetooth trackers are great for finding your lost car keys on a messy desk, they can also work as worldwide GPS trackers and locate items much farther away, even though they don't have GPS. The IDs of Bluetooth devices are public, so Tile started this whole idea of crowdsourced Bluetooth tracker location, called the "Tile Network." Every phone with the Tile app installed scans Bluetooth devices in the background and, using the phone GPS, uploads their last seen location to the cloud. This location data is only available to the person who owns the Tile, but every Tile user works to scan the environment and upload any Tiles the app can see. [...]

Now, third-party Bluetooth trackers for Android's network are starting to arrive. The two companies that have announced products are Chipolo and Pebblebee, both of which seem to be cloning the Tile line of products. Both offer normal keychain tracker tags and slim credit card format trackers. The worst habits of Tile include making completely disposable products because the batteries can't be changed, but it looks like our clones have mostly avoided that. All of Pebblebee's Find My Device products are rechargeable, which is great, while the Chipolo keychain tracker has a replaceable CR2032 battery. Only the Chipolo wallet tracker is disposable (boo!). All these tags will show up in the Find My Device app, right alongside your Android phones, headphones, and whatever else you have that plugs in to the network. They also have a speaker, like normal, so you can make them ring when you're near them. Both sets of products are up for preorder now.
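The crowdsourced model described above, as an added example that is not code from Google, Tile, Chipolo or Pebblebee and does not reproduce any vendor's protocol: finder phones upload whatever ID a tag advertises together with their own GPS fix, and the owner reads those sightings back. Because the article notes that Bluetooth device IDs are public, the example also goes one step beyond the text and contrasts a tag that advertises a fixed ID, which anyone else scanning for it can follow from place to place, with a per-time-slot rotating ID derived by HMAC from a tag secret (the general mitigation modern trackers use), which only the secret holder can link back into a trail. All sightings, the secret and the network class are constructed for this example.

```python
"""Toy model of a crowdsourced Bluetooth-tracker network (static vs rotating IDs).

Added example; not vendor code. All data below is constructed.
"""
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Tuple

Sighting = Tuple[float, float, int]  # (lat, lon, epoch) as uploaded by a finder phone


def rotating_id(secret: bytes, epoch: int) -> str:
    """Advertised ID for one time slot: an HMAC of the tag secret over the slot number.
    Without the secret, IDs from different slots cannot be linked to each other."""
    return hmac.new(secret, epoch.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:16]


class CrowdNetwork:
    """The cloud side: advertised ID -> list of locations at which finder phones saw it."""

    def __init__(self) -> None:
        self._reports: Dict[str, List[Sighting]] = defaultdict(list)

    def upload(self, advertised_id: str, lat: float, lon: float, epoch: int) -> None:
        """Called by any finder phone that heard the tag; the finder knows nothing about the owner."""
        self._reports[advertised_id].append((lat, lon, epoch))

    def lookup(self, advertised_id: str) -> List[Sighting]:
        return list(self._reports.get(advertised_id, []))

    def owner_trail(self, secret: bytes, epochs: range) -> List[Sighting]:
        """Only the holder of the secret can regenerate each slot's ID and reassemble the trail."""
        trail: List[Sighting] = []
        for epoch in epochs:
            trail.extend(self.lookup(rotating_id(secret, epoch)))
        return sorted(trail, key=lambda s: s[2])


def observer_linkable_groups(overheard: List[Tuple[str, Sighting]]) -> List[int]:
    """What a third party who merely overhears advertisements can link: group the sightings
    by the ID they carried and return the group sizes. All ones means no cross-location tracking."""
    groups: Dict[str, int] = defaultdict(int)
    for advertised_id, _ in overheard:
        groups[advertised_id] += 1
    return sorted(groups.values(), reverse=True)


# Constructed sample: one tag carried through three places over three time slots.
TAG_SECRET = b"constructed-32-byte-tag-secret-!"
MOVEMENTS: List[Sighting] = [(59.33, 18.07, 1), (59.40, 17.95, 2), (59.61, 17.93, 3)]
STATIC_ID = "STATIC-TAG-ID"


def simulate(rotate: bool) -> Tuple[List[int], List[Sighting]]:
    """Run the network once with a static or a rotating advertised ID.
    Returns (group sizes an eavesdropper can link, the trail the owner recovers)."""
    net = CrowdNetwork()
    overheard: List[Tuple[str, Sighting]] = []
    for lat, lon, epoch in MOVEMENTS:
        adv = rotating_id(TAG_SECRET, epoch) if rotate else STATIC_ID
        net.upload(adv, lat, lon, epoch)            # finder phone reports the sighting
        overheard.append((adv, (lat, lon, epoch)))  # passive scanner logs the same advert
    owner_view = net.owner_trail(TAG_SECRET, range(1, 4)) if rotate else net.lookup(STATIC_ID)
    return observer_linkable_groups(overheard), owner_view


if __name__ == "__main__":
    for rotate in (False, True):
        linkable, trail = simulate(rotate)
        label = "rotating" if rotate else "static"
        print(f"{label:8} eavesdropper can link groups of {linkable}; owner recovers {len(trail)} sightings")
```

In both runs the owner recovers the full trail; the difference is that with a static ID the eavesdropper links all three sightings to one tag, while with rotating IDs each sighting stands alone.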

Firefox

Microsoft Wants Firefox To Make Bing Its Default Search Engine (androidpolice.com)

According to The Information, Microsoft wants to bid to make Bing Firefox's default search engine. Android Police reports: The browser's contract with Google is set to expire this year, at which point Mozilla could either renew it or switch to a different search engine. Microsoft would very much like to take Google's place in Firefox. It's not a guarantee that it will actually help boost Bing's usage -- after all, Firefox users who don't want to use Bing could just switch to a different search engine, as Yahoo found out a few years ago -- but Microsoft sees potential in such a deal.

The report also notes that there's also a potentially more juicy opportunity coming up for Microsoft if it really wants to get serious about pushing Bing. Apple's Safari browser, which is the main web browser on Apple devices, will have its Google contract expire next year. Despite throwing shade constantly, Google really benefits from the deal it currently has with Apple, and Microsoft could sweep in and try to get Bing to become the main browser on iPhones.

Social Networks

Reddit Will Allow Users To Upload NSFW Images From Desktop

Ahead of Imgur's ban of sexually explicit content, Reddit announced Thursday that it will allow users to upload NSFW images from desktops in adult subreddits. The feature was already available on the social network's mobile app. TechCrunch reports: "This now gives us feature parity with our mobile apps, which (as you know) already has this functionality. You must set your community to 18+ if your community's content will primarily be not safe for work (NSFW)," the company said.

Reddit's announcement comes days after Imgur said that the image hosting platform was banning explicit photos from May 15. At that time, the company said that explicit content formed a risk to Imgur's "community and its business." Banning this type of content would "protect the future of the Imgur community." Many of Reddit's communities rely on Imgur's hosting services. However, the social network allowing native NSFW uploads through desktop might be the most logical solution going forward.

Security

Microsoft Will Take Nearly a Year To Finish Patching New 0-Day Secure Boot Bug (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Earlier this week, Microsoft released a patch to fix a Secure Boot bypass bug used by the BlackLotus bootkit we reported on in March. The original vulnerability, CVE-2022-21894, was patched in January, but the new patch for CVE-2023-24932 addresses another actively exploited workaround for systems running Windows 10 and 11 and Windows Server versions going back to Windows Server 2008. The BlackLotus bootkit is the first-known real-world malware that can bypass Secure Boot protections, allowing for the execution of malicious code before your PC begins loading Windows and its many security protections. Secure Boot has been enabled by default for over a decade on most Windows PCs sold by companies like Dell, Lenovo, HP, Acer, and others. PCs running Windows 11 must have it enabled to meet the software's system requirements.

Microsoft says that the vulnerability can be exploited by an attacker with either physical access to a system or administrator rights on a system. It can affect physical PCs and virtual machines with Secure Boot enabled. We highlight the new fix partly because, unlike many high-priority Windows fixes, the update will be disabled by default for at least a few months after it's installed and partly because it will eventually render current Windows boot media unbootable. The fix requires changes to the Windows boot manager that can't be reversed once they've been enabled. Additionally, once the fixes have been enabled, your PC will no longer be able to boot from older bootable media that doesn't include the fixes. On the lengthy list of affected media: Windows install media like DVDs and USB drives created from Microsoft's ISO files; custom Windows install images maintained by IT departments; full system backups; network boot drives including those used by IT departments to troubleshoot machines and deploy new Windows images; stripped-down boot drives that use Windows PE; and the recovery media sold with OEM PCs.

Not wanting to suddenly render any users' systems unbootable, Microsoft will be rolling the update out in phases over the next few months. The initial version of the patch requires substantial user intervention to enable -- you first need to install May's security updates, then use a five-step process to manually apply and verify a pair of "revocation files" that update your system's hidden EFI boot partition and your registry. These will make it so that older, vulnerable versions of the bootloader will no longer be trusted by PCs. A second update will follow in July that won't enable the patch by default but will make it easier to enable. A third update in "first quarter 2024" will enable the fix by default and render older boot media unbootable on all patched Windows PCs. Microsoft says it is "looking for opportunities to accelerate this schedule," though it's unclear what that would entail.
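The "revocation files" described above work by adding the vulnerable boot managers to the firmware's forbidden-signature database (DBX), which is why the change cannot be undone and why older media stops booting. Before and after applying them, a practitioner will want to see what a machine's DBX actually contains. The following is an added example, not code from Ars Technica or Microsoft: a parser for the UEFI EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout that a db or dbx variable is stored in, run here over a constructed two-entry blob rather than a real DBX. The owner GUID and hashes in the sample are made up; the two signature-type GUIDs are the UEFI-defined constants.

```python
"""Parse a UEFI signature database (db/dbx) blob into its entries.

Added example for inspecting Secure Boot revocations; not Microsoft's or
Ars Technica's code. Layout per the UEFI specification:
  EFI_SIGNATURE_LIST  = SignatureType GUID(16) | SignatureListSize u32 |
                        SignatureHeaderSize u32 | SignatureSize u32 |
                        SignatureHeader[...] | EFI_SIGNATURE_DATA[...]
  EFI_SIGNATURE_DATA  = SignatureOwner GUID(16) | SignatureData[...]
The SAMPLE_DBX below is constructed for illustration, not a real DBX.
"""
import struct
import uuid
from dataclasses import dataclass
from typing import List, Set

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
_LIST_HEADER = struct.Struct("<16sIII")  # 28 bytes: type, list size, header size, sig size
_OWNER_LEN = 16


@dataclass(frozen=True)
class SigEntry:
    sig_type: uuid.UUID   # e.g. EFI_CERT_SHA256_GUID for a revoked binary's hash
    owner: uuid.UUID      # SignatureOwner, who added the entry
    data: bytes           # the hash or DER certificate itself


def parse_signature_lists(blob: bytes) -> List[SigEntry]:
    """Walk every EFI_SIGNATURE_LIST in `blob`; raise ValueError on a malformed or truncated list."""
    entries: List[SigEntry] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HEADER.size:
            raise ValueError(f"truncated list header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = _LIST_HEADER.unpack_from(blob, off)
        body_len = list_size - _LIST_HEADER.size - hdr_size
        if body_len <= 0 or sig_size <= _OWNER_LEN or body_len % sig_size:
            raise ValueError(f"malformed list at offset {off}")
        if off + list_size > len(blob):
            raise ValueError(f"list at offset {off} runs past end of blob")
        sig_type = uuid.UUID(bytes_le=raw_type)
        pos = off + _LIST_HEADER.size + hdr_size
        end = off + list_size
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + _OWNER_LEN])
            entries.append(SigEntry(sig_type, owner, bytes(blob[pos + _OWNER_LEN:pos + sig_size])))
            pos += sig_size
        off = end
    return entries


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_signature_lists(blob)
        return True
    except ValueError:
        return False


def strip_efivars_header(raw: bytes) -> bytes:
    """Linux exposes variables under /sys/firmware/efi/efivars with a 4-byte attribute prefix;
    drop it before parsing. (Assumption: the input was read from efivars, not from a raw dump.)"""
    return raw[4:]


def dbx_sha256_hashes(blob: bytes) -> Set[str]:
    """The revoked PE/Authenticode hashes: the part of a DBX that decides which boot managers fail."""
    return {e.data.hex() for e in parse_signature_lists(blob) if e.sig_type == EFI_CERT_SHA256_GUID}


def build_sha256_list(hashes: List[bytes], owner: uuid.UUID) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries; used only to construct sample input."""
    sig_size = _OWNER_LEN + 32
    body = b"".join(owner.bytes_le + h for h in hashes)
    return _LIST_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le, _LIST_HEADER.size + len(body), 0, sig_size) + body


# Constructed sample: two made-up bootloader hashes under a made-up owner GUID.
SAMPLE_OWNER = uuid.UUID("00000000-1111-2222-3333-444444444444")
SAMPLE_DBX = build_sha256_list([bytes([0xAA]) * 32, bytes([0xBB]) * 32], SAMPLE_OWNER)

if __name__ == "__main__":
    for e in parse_signature_lists(SAMPLE_DBX):
        print(e.sig_type, e.owner, e.data.hex())
```

To inspect a live machine, feed the parser the bytes from `(Get-SecureBootUEFI -Name dbx).Bytes` on Windows, or the efivars file for `dbx` on Linux after `strip_efivars_header`; diffing `dbx_sha256_hashes` before and after the revocation step shows exactly which boot manager hashes were added.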

AI

Anthropic's Claude AI Can Now Digest an Entire Book like The Great Gatsby in Seconds (arstechnica.com)

AI company Anthropic has announced it has given its ChatGPT-like Claude AI language model the ability to analyze an entire book's worth of material in under a minute. This new ability comes from expanding Claude's context window to 100,000 tokens, or about 75,000 words. From a report: Like OpenAI's GPT-4, Claude is a large language model (LLM) that works by predicting the next token in a sequence when given a certain input. Tokens are fragments of words used to simplify AI data processing, and a "context window" is similar to short-term memory -- how much human-provided input data an LLM can process at once. A larger context window means an LLM can consider larger works like books or participate in very long interactive conversations that span "hours or even days."

IT

Google Drive Gets a Desperately Needed 'Spam' Folder for Shared Files (arstechnica.com)

Fifteen years after launching Google Docs and Sheets with file sharing, Google is adding what sounds like adequate safety controls to the feature. From a report: Google Drive (the file repository interface that contains your Docs, Sheets, and Slides files) is finally getting a spam folder and algorithmic spam filters, just like Gmail has. It sounds like the update will provide a way to limit Drive's unbelievably insecure behavior of allowing random people to add files to your Drive account without your consent or control. Because Google essentially turned Drive file-sharing into email, Google Drive needs every spam control that Gmail has. Anyone with your email address can "share" a file with you, and a ton of spammers already have your email address. Previously, Drive assumed that all shared files were legitimate and wanted, with the only "control" being "security by obscurity" and hoping no one else knew your email address.

Drive shows any shared files in your shared documents folder, notifies you of the share on your phone, highlights the "new recent file" at the top of the Drive interface, lists the file in searches, and sends you an email about it, all without any indication that you know the file sharer at all. For years, some people in my life have been inundated with shared Google Drive files containing porn, ads, dating site scams, and malware. For a long time, there was nothing you could do to support affected users other than disabling Drive notifications, telling them to ignore the highlighted porn ads at the top of their Drive account, and warning them to never click on the "shared files" folder.

EU

EU Crypto Tax Plans Include NFTs, Foreign Companies, Draft Text Shows (coindesk.com)

The European Union plans to force crypto companies to give tax authorities details of their clients' holdings, according to a draft bill released to CoinDesk under freedom of information laws. From a report: The data-sharing law, based on a model from the Organization for Economic Cooperation and Development (OECD), is set to be agreed by finance ministers next week, and will allow tax authorities to share data within the 27-nation bloc. Commission officials have said the bill received unanimous acclaim at a meeting on Wednesday, though people familiar with the matter told CoinDesk that some finance ministers have not yet received formal approval from parliaments.

The bill, dated May 5, closely matches proposals made by the European Commission in December 2022, as part of a bid to stop EU residents stashing crypto abroad to hide it from the taxman. The commission would have to set up a register of crypto asset operators by December 2025, bringing forward a previous deadline by one year, and the rules will apply as of Jan. 1, 2026. Controversially, the law -- known as the eighth directive on administrative cooperation (DAC8) -- still includes platforms for trading non-fungible tokens that can be used for payment or investment, and providers from outside the bloc that have EU clients.

EU

EU Plans Black Sea Internet Cable To Reduce Reliance on Russia (ft.com)

The EU is planning an undersea internet cable to improve connectivity to Georgia and reduce dependence on lines running through Russia, amid growing concerns about vulnerabilities to infrastructure transmitting global data. From a report: The $49mn cable will link EU member states to the Caucasus via international waters in the Black Sea, stretching a span of 1,100km. The project aims to reduce the region's "dependency on terrestrial fibre-optic connectivity transiting via Russia," the European Commission said in a policy document. The EU and Georgia jointly identified the need for the Black Sea internet cable in 2021 to improve Georgia's digital connectivity. However, the war in Ukraine has added impetus to the project, given the need to avoid relying on "connections that are not secure or stable," said a person with knowledge of the proposal.

Internet cables have come under scrutiny because of global concerns around espionage, as land-based lines and the stations where submarine cables come ashore are seen as vulnerable to interception by governments, hackers and thieves. Concerns around intentional sabotage of undersea cables and other maritime infrastructure have also grown since multiple explosions on the Nord Stream gas pipelines last September, which media reports recently linked to Russian vessels. Two cables off the coast of Norway were cut in 2021 and 2022, sparking concerns about malicious attacks.

EU

Google Bard Isn't Available in Any European Union Countries and Canada (9to5google.com)

At I/O 2023 earlier this week, Google announced that it's expanding its AI chatbot Google Bard to 180 countries. However, what Google didn't mention is that Bard still isn't available in the European Union. From a report: On a support page, Google details the full list of 180 countries in which Bard is now available. This includes countries all over the globe, but very noticeably not any countries that are a part of the European Union. It's a big absence from what is otherwise a global expansion for Google's AI. The reason why isn't officially stated by Google, but it seems reasonable to believe that it's related to GDPR. Just last month, Italy briefly banned ChatGPT over similar concerns that the AI couldn't comply with the regulations. Google also slyly hints this might be the case saying that further Bard expansions will be made "consistent with local regulations."

News

UK Tech Entrepreneur Lynch Extradited To the US on Fraud Charges (reuters.com)

Mike Lynch, co-founder of UK software firm Autonomy, has been extradited to the United States to face criminal charges in a near decade-long legal battle and fall from grace for a man once hailed as Britain's answer to Bill Gates. From a report: Lynch faces 17 charges over Hewlett Packard's (HP) $11 billion acquisition of Autonomy, the company he grew into Britain's leading tech company, before it spectacularly unravelled after being bought by HP in 2011. Britain's interior ministry said on Friday that Lynch was extradited on May 11. He arrived in San Francisco on a commercial flight accompanied by U.S. Marshals, court documents show.

Appearing in court on Thursday, Lynch was ordered by a judge to pay a $100 million bond, hand over his passport and to be placed under 24 hour guard to secure his release. Lynch, 57, who has always denied any wrongdoing, could face 20 years in prison. Once lauded by academics, scientists and politicians for setting up a software giant from his ground-breaking research at Cambridge University, he has spent the last decade fighting lawsuits related to the HP takeover.

Science

Fake Scientific Papers Are Alarmingly Common

From a Science magazine report, shared by schwit1: When neuropsychologist Bernhard Sabel put his new fake-paper detector to work, he was "shocked" by what it found. After screening some 5000 papers, he estimates up to 34% of neuroscience papers published in 2020 were likely made up or plagiarized; in medicine, the figure was 24%. Both numbers, which he and colleagues report in a medRxiv preprint posted on 8 May, are well above levels they calculated for 2010 -- and far larger than the 2% baseline estimated in a 2022 publishers' group report. "It is just too hard to believe" at first, says Sabel of Otto von Guericke University Magdeburg and editor-in-chief of Restorative Neurology and Neuroscience. It's as if "somebody tells you 30% of what you eat is toxic." His findings underscore what was widely suspected: Journals are awash in a rising tide of scientific manuscripts from paper mills -- secretive businesses that allow researchers to pad their publication records by paying for fake papers or undeserved authorship.

"Paper mills have made a fortune by basically attacking a system that has had no idea how to cope with this stuff," says Dorothy Bishop, a University of Oxford psychologist who studies fraudulent publishing practices. A 2 May announcement from the publisher Hindawi underlined the threat: It shut down four of its journals it found were "heavily compromised" by articles from paper mills. Sabel's tool relies on just two indicators -- authors who use private, noninstitutional email addresses, and those who list an affiliation with a hospital. It isn't a perfect solution, because of a high false-positive rate. Other developers of fake-paper detectors, who often reveal little about how their tools work, contend with similar issues. Still, the detectors raise hopes for gaining the advantage over paper mills, which churn out bogus manuscripts containing text, data, and images partly or wholly plagiarized or fabricated, often massaged by ghost writers.

Some papers are endorsed by unrigorous reviewers solicited by the authors. Such manuscripts threaten to corrupt the scientific literature, misleading readers and potentially distorting systematic reviews. The recent advent of artificial intelligence tools such as ChatGPT has amplified the concern. To fight back, the International Association of Scientific, Technical, and Medical Publishers (STM), representing 120 publishers, is leading an effort called the Integrity Hub to develop new tools. STM is not revealing much about the detection methods, to avoid tipping off paper mills. "There is a bit of an arms race," says Joris van Rossum, the Integrity Hub's product director. He did say one reliable sign of a fake is referencing many retracted papers; another involves manuscripts and reviews emailed from internet addresses crafted to look like those of legitimate institutions. Twenty publishers -- including the largest, such as Elsevier, Springer Nature, and Wiley -- are helping develop the Integrity Hub tools, and 10 of the publishers are expected to use a paper mill detector the group unveiled in April.
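The indicators named in the two passages above (Sabel's private mailbox and hospital affiliation; van Rossum's references to retracted papers and mail from domains crafted to look like an institution's) lend themselves to a small triage rule. The following is an added example, not Sabel's detector or the STM Integrity Hub tool, whose internals the article says are not published. The institution and free-mail domain lists, the retraction list, the 20% retracted-reference ratio, the weights and the flag threshold are all assumptions chosen for illustration, and the manuscript records are constructed. The threshold of two indicators is there for the reason the article gives: hospital affiliation alone produces many false positives, so on its own it only raises the score, it does not flag.

```python
"""Paper-mill triage over constructed manuscript records.

Added example; not Sabel's tool or the STM Integrity Hub detector.
Reference lists, weights and threshold are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed reference data (not published calibration values).
KNOWN_INSTITUTION_DOMAINS = {"ox.ac.uk", "ovgu.de", "stanford.edu", "cam.ac.uk"}
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "163.com", "qq.com", "hotmail.com"}
RETRACTED_DOIS = {"10.1000/retracted.1", "10.1000/retracted.2", "10.1000/retracted.3"}
HOSPITAL_WORDS = re.compile(r"\b(hospital|clinic|medical cent(?:er|re))\b", re.I)
RETRACTED_RATIO = 0.2   # assumption: flag when 20%+ of references are retracted
FLAG_THRESHOLD = 2      # assumption: one weak indicator alone is not enough


@dataclass
class Manuscript:
    title: str
    corresponding_email: str
    affiliation: str
    references: List[str] = field(default_factory=list)  # DOIs


def email_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one-character typosquats of known institution domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the legitimate domain this one imitates, or None. Two patterns are checked:
    a one-character misspelling ('0x.ac.uk') and a legitimate domain reused as a label
    in front of some other registrable domain ('ox.ac.uk.example.com')."""
    if domain in KNOWN_INSTITUTION_DOMAINS:
        return None
    for legit in sorted(KNOWN_INSTITUTION_DOMAINS):
        if domain.startswith(legit + ".") or edit_distance(domain, legit) == 1:
            return legit
    return None


def score(ms: Manuscript) -> Tuple[int, List[str]]:
    """Return (score, reasons). Each indicator adds 1; a lookalike domain adds 2 (assumed weights)."""
    reasons: List[str] = []
    points = 0
    dom = email_domain(ms.corresponding_email)
    if dom in FREE_MAIL_DOMAINS:
        reasons.append(f"private mailbox ({dom})"); points += 1
    if HOSPITAL_WORDS.search(ms.affiliation):
        reasons.append("hospital affiliation"); points += 1
    imitated = lookalike_of(dom)
    if imitated:
        reasons.append(f"lookalike domain {dom} imitates {imitated}"); points += 2
    if ms.references:
        retracted = sum(1 for doi in ms.references if doi in RETRACTED_DOIS)
        if retracted / len(ms.references) >= RETRACTED_RATIO:
            reasons.append(f"{retracted}/{len(ms.references)} references retracted"); points += 1
    return points, reasons


def flagged(manuscripts: List[Manuscript], threshold: int = FLAG_THRESHOLD) -> List[Tuple[str, int, List[str]]]:
    """Manuscripts whose score reaches the threshold, for manual review (not automatic rejection)."""
    out = []
    for m in manuscripts:
        s, reasons = score(m)
        if s >= threshold:
            out.append((m.title, s, reasons))
    return out


# Constructed sample records.
SAMPLE = [
    Manuscript("Plain", "a.author@ovgu.de", "Otto von Guericke University Magdeburg",
               ["10.1000/fine.1", "10.1000/fine.2", "10.1000/fine.3"]),
    Manuscript("Hospital-only", "b.author@cam.ac.uk", "Addenbrooke's Hospital, Cambridge"),
    Manuscript("Mill-style", "c.author@qq.com", "People's Hospital of Somewhere",
               ["10.1000/retracted.1", "10.1000/retracted.2", "10.1000/fine.1", "10.1000/fine.2"]),
    Manuscript("Lookalike", "editor@ox.ac.uk.example.com", "University of Oxford"),
]

if __name__ == "__main__":
    for title, s, reasons in flagged(SAMPLE):
        print(f"{title}: score {s}: {'; '.join(reasons)}")
```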
