Hmmmmmm shares a report from The Guardian: The French government is planning to harden counter-terrorism laws, permitting the use of algorithms to detect online extremist activity, amid a growing political row over security in the run up to next year's presidential race. The interior minister, Gerald Darmanin, said attackers were now "isolated individuals, increasingly younger, unknown to intelligence services, and often without any links to established Islamist groups." This was a growing problem for France because they self-radicalized very quickly, within days or weeks. These attackers no longer used text messages or mobile phones to communicate but instead went online or used social media direct messaging, he said. Darmanin said algorithms would allow the state to potentially pick up if a person was repeatedly searching online for a topic such as beheadings. He argued that Google and other online commercial sites already used algorithms and the state should be able to as well, with independent oversight -- despite concern from some rights lawyers that there would not be enough transparency.

"The last nine attacks on French soil were committed by individuals who were unknown to the security services, who were not on a watchlist and were not suspected of being radicalised," Darmanin told France Inter radio. This meant new methods were needed, he said, adding that of 35 attacks prevented by the state since 2017, two were stopped by intelligence work online. Since 2017, French security agencies have been able to use algorithms to monitor messaging apps. The new bill would make that experimental use permanent and extend the use of algorithms to websites and web searches. The legislation makes permanent several temporary measures in use since France's state of emergency after the Islamist terrorist attacks in 2015. It would give security agencies more power to watch over and limit the movements of high-risk individuals after release from jail, for two years rather than one.

Artem S. Tashkinov shares a report from Ars Technica: Health regulators in Brazil say that doses of Russia's Sputnik V COVID-19 vaccine contain a cold-causing virus capable of replicating in human cells. The unintended presence of the virus in the vaccine can "lead to infections in humans and can cause damage and death, especially in people with low immunity and respiratory problems, among other health problems," Brazil's Health Regulatory Agency, Anvisa, said Wednesday in a translated statement. Russia has unequivocally denied the claim, lobbed legal threats at Anvisa, and accused the respected regulators of being politically motivated to reject the vaccine. Still, Brazil's findings raise serious questions about the quality and safety of the vaccine, which is now being used in many countries. The findings also support concerns of Slovak regulators, who said earlier this month that batches of Sputnik V they received did not "have the same characteristics and properties" as the Sputnik V vaccine that was described in a peer-reviewed publication and found to be 91.6 percent effective.

Moreover, quality-control issues weren't the end of Anvisa's concerns. In an overall evaluation of the Russian vaccine, Brazil's regulators found its safety and efficacy were based on insufficient, limited, and sometimes faulty data and analyses. "Flaws... were identified in all stages of clinical studies," Anvisa said. The agency also reported that its inspectors who traveled to Russia to assess the vaccine's production were barred from vaccine facilities at Gamaleya Institute, which developed Sputnik V. Russia touts that "the safety and efficacy of Sputnik V has been confirmed by 61 regulators in countries where the vaccine has been authorized." However, Brazil's regulators said that of the 51 countries it contacted, only 14 were using the vaccine, and most of those countries did not have a tradition of vigilant drug-safety monitoring.

An anonymous reader quotes a report from Scientific American: Since the novel coronavirus began its global spread, influenza cases reported to the World Health Organization have dropped to minuscule levels. The reason, epidemiologists think, is that the public health measures taken to keep the coronavirus from spreading also stop the flu. Influenza viruses are transmitted in much the same way as SARS-CoV-2, but they are less effective at jumping from host to host. As Scientific American reported last fall, the drop-off in flu numbers was both swift and universal. Since then, cases have stayed remarkably low. "There's just no flu circulating," says Greg Poland, who has studied the disease at the Mayo Clinic for decades. The U.S. saw about 600 deaths from influenza during the 2020-2021 flu season. In comparison, the Centers for Disease Control and Prevention estimated there were roughly 22,000 deaths in the prior season and 34,000 two seasons ago.

Because each year's flu vaccine is based on strains that have been circulating during the past year, it is unclear how next year's vaccine will fare, should the typical patterns of the disease return. [...] Public health experts are grateful for the reprieve. Some are also worried about a lost immune response, however. If influenza subsides for several years, today's toddlers could miss a chance to have an early-age response imprinted on their immune system. That could be good or bad, depending on what strains circulate during the rest of their life. For now, future flu transmission remains a roll of the dice.

According to Bloomberg, Verizon is considering selling AOL and Yahoo -- two once high-flying dot-com brands it purchased in 2015 and 2017, respectively. Bloomberg reports: Verizon Media could fetch as much as $5 billion [...]. The company is talking to Apollo Global Management about a deal, they said. It couldn't immediately be learned how a deal would be structured or if other suitors may emerge. No final decision has been made and Verizon could opt to keep the unit. The move comes as Verizon divests tertiary media assets while ramping up its focus on its wireless business and the the rollout of its 5G service. Last year, it agreed to sell the HuffPost online news service to BuzzFeed Inc. and it unloaded the blogging platform Tumblr in 2019. This divestiture would mark Verizon's final retreat from an expensive foray into online advertising, a strategy that never really took off.

schwit1 shares a report from Threatpost: Quick-response (QR) codes used by a COVID-19 contact-tracing program were hijacked by a man who simply slapped up scam QR codes on top to redirect users to an anti-vaccination website, according to local police. He now faces two counts of "obstructing operations carried out relative to COVID-19 under the Emergency Management Act," the South Australia Police said in a statement announcing the arrest. His arrest may just be a drop in the bucket: Reports of other anti-vax campaigners doing the same thing abound. Law enforcement added an additional warning to would-be QR code scammers: "Any person found to be tampering or obstructing with business QR codes will likely face arrest and court penalty of up to $10,000." The police said no personal data was breached, but the incident highlights that truly all an attacker needs is a printer and a pack of Avery labels to do real damage.

In this case, the QR codes were being used by the South Australian government's official CovidSafe app to access a device's camera, scan the code and collect real-time location data to be used for contact tracing in case of a COVID-19 outbreak, ABC News Australia reported. That's a lot of personal data linked to a single QR code just waiting to be stolen. "In this instance, people who scanned the illegitimate QR code were redirected to a website distributing misinformation from the anti-vaxxer community," Bill Harrod, vice president of public sector at Ivanti, told Threatpost. "While this is concerning, the outcome could have been far more perilous."

syn3rg shares a report from ZDNet: A Linux backdoor recently discovered by researchers has avoided VirusTotal detection since 2018. Dubbed RotaJakiro, the Linux malware has been described by the Qihoo 360 Netlab team as a backdoor targeting Linux 64-bit systems. RotaJakiro was first detected on March 25 when a Netlab distributed denial-of-service (DDoS) botnet C2 command tracking system, BotMon, flagged a suspicious file.

At the time of discovery, there were no malware detections on VirusTotal for the file, despite four samples having been uploaded -- two in 2018, one in 2020, and another in 2021. Netlab researchers say the Linux malware changes its use of encryption to fly under the radar, including ZLIB compression and combinations of AES, XOR, and key rotation during its activities, such as the obfuscation of command-and-control (C2) server communication. At present, the team says that they do not know the malware's "true purpose" beyond a focus on compromising Linux systems.

There are 12 functions in total including exfiltrating and stealing data, file and plugin management -- including query/download/delete -- and reporting device information. However, the team cites a "lack of visibility" into the plugins that is preventing a more thorough examination of the malware's overall capabilities. In addition, RotaJakiro will treat root and non-root users on compromised systems differently and will change its persistence methods depending on which accounts exist.

An anonymous reader quotes a report from PC Gamer: The Oculus Quest 2 is a hell of a lot of hardware for $299. In fact, we're convinced that Facebook is making a loss on each unit sold. Even so, that pricing is one of the main reasons it's the most popular headset on Steam and our pick as the best VR headset. Well, that and the ease of use. [...] The thing is, that price seems too good to be true, with no other manufacturer's VR headset close to the specs list of the Quest 2 -- in either tethered or standalone form -- hitting the same low, low price. That money gets you a robust virtual reality headset with 6GB of RAM, a Qualcomm Snapdragon XR2 CPU, 64GB of storage, 1832x1920 per eye display and a pair of controllers. [...]

But there's one factor that could potentially offset that price -- Facebook has access to a whole lot of your data. This is something the Oculus Quest 2 is upfront about: You absolutely need a Facebook account in order to use the device and it does have its data collection policies in black and white. Although what isn't quite so obvious is how much your data is worth to Facebook. At least it isn't without a tiny bit of digging.

There is another version of the Quest 2 that isn't as discounted as the consumer version, and that's the one aimed at businesses. The actual hardware is identical, but the difference is you don't need to login in with a Facebook account in order to use it. The price for this model? $799. There's also an annual fee of $180 that kicks in a year after purchase, which covers Oculus' business services and support, but that just muddies the waters a little. The point being, the Quest 2 for business, the headset from which Facebook can't access your data directly, costs $500 more. So that's looking essentially like the value the social media giant attributes to your data, which either seems like a lot or barely anything at all, depending on your stance. The Supplemental Oculus Data Policy outlines what sort of data is actually being collected when you use the Quest 2. Such things as your physical dimension, including your hand size, how big your play area is using the Oculus Guardian system, data on any content you create using the Quest 2, as well as more obvious stuff like your device ID and IP address.

For at least the third time since the beginning of this year, the U.S. government is investigating a hack against federal agencies that began during the Trump administration but was only recently discovered, according to senior U.S. officials and private sector cyber defenders. Reuters reports: The new government breaches involve a popular virtual private network (VPN) known as Pulse Connect Secure, which hackers were able to break into as customers used it. More than a dozen federal agencies run Pulse Secure on their networks, according to public contract records. An emergency cybersecurity directive last week demanded that agencies scan their systems for related compromises and report back.

The results, collected on Friday and analyzed this week, show evidence of potential breaches in at least five federal civilian agencies, said Matt Hartman, a senior official with the U.S. Cybersecurity Infrastructure Security Agency. "This is a combination of traditional espionage with some element of economic theft," said one cybersecurity consultant familiar with the matter. "We've already confirmed data exfiltration across numerous environments." The maker of Pulse Secure, Utah-based software company Ivanti, said it expected to provide a patch to fix the problem by this Monday, two weeks after it was first publicized. Only a "very limited number of customer systems" had been penetrated, it added.

Over the last two months, CISA and the FBI have been working with Pulse Secure and victims of the hack to kick out the intruders and uncover other evidence, said another senior U.S. official who declined to be named but is responding to the hacks. The FBI, Justice Department and National Security Agency declined to comment. The U.S. government's investigation into the Pulse Secure activity is still in its early stages, said the senior U.S. official, who added the scope, impact and attribution remain unclear. Security researchers at U.S. cybersecurity firm FireEye and another firm, which declined to be named, say they've watched multiple hacking groups, including an elite team they associate with China, exploiting the new flaw and several others like it since 2019.

Zoe Roth, the centerpiece of the "Disaster Girl" meme, has made nearly half a million dollars after selling the original copy as a non-fungible token (NFT), the New York Times reports. From a report: The market for ownership rights to digital art and media as NFTs has recently soared in popularity. Roth's photo was taken in 2005 when she was 4 years old. Her family went to go see a controlled fire in their Mebane, North Carolina, neighborhood. Her father entered the picture in a photo contest in 2007 and won, and for the past decade the "image [has been] endlessly repurposed as a vital part of meme canon," the Times writes. Most Americans are not at all familiar with NFTs, though they have become major buzzwords among asset managers and market participants. All NFTs contain a unique segment of digital code as an identifier of authenticity and are stored on the blockchain, a public digital ledger.

Today, Blue Origin revealed that it will be selling the first tickets for rides on its space tourism rocket called New Shepard. According to CNBC, the first ticket (or tickets?) will go on sale starting next week, on Wednesday, May 5. From the report: Blue Origin did not reveal how much tickets will cost, only saying that more details will come on May 5 to those who submit their name and email on a form on the company's website. "Sign up to learn how you can buy the very first seat on New Shepard," according to the company's website. The announcement's video features Bezos going out to the capsule of New Shepard after the company's test flight earlier this month. It shows him driving across the Texas desert, the remote location of the New Shepard launch facility -- notably at the wheel of a Rivian R1T electric truck, which is emblazoned with Blue Origin's signature feather.

New Shepard is designed to carrying as many as six people at a time on a ride past the edge of space, with the capsules on previous test flights reaching an altitude of more than 340,000 feet (or more than 100 km). The capsule, which has massive windows to give passengers a view, spends as much as 10 minutes in zero gravity before returning to Earth. The rocket launches vertically, with the booster detaching and returning to land at a concrete pad nearby. The capsule's return is slowed down by a set of parachutes, before softly landing in the desert.

An anonymous reader quotes a report from Motherboard: The IRS is looking for help to break into cryptocurrency hardware wallets, according to a document posted on the agency website in March of this year. Many cryptocurrency investors store their cryptographic keys, which confer ownership of their funds, with the exchange they use to transact or on a personal device. Some folks, however, want a little more security and use hardware wallets -- small physical drives which store a user's keys securely, unconnected to the internet. The law enforcement arm of the tax agency, IRS Criminal Investigation, and more specifically its Digital Forensic Unit, is now asking contractors to come up with solutions to hack into cryptowallets that could be of interest in investigations, the document states.

"The decentralization and anonymity provided by cryptocurrencies has fostered an environment for the storage and exchange of something of value, outside of the traditional purview of law enforcement and regulatory organizations," the document reads. "There is a portion of this cryptographic puzzle that continues to elude organizations -- millions, perhaps even billions of dollars, exist within cryptowallets." The security of hardware wallets presents a problem for investigators. The document states that agencies may be in possession of a hardware wallet as part of a case, but may not be able to access it if the suspect does not comply. This means that authorities cannot effectively "investigate the movement of currencies" and it may "prevent the forfeiture and recovery" of the funds. "The explicit outcome of this contract is to tame the cybersecurity research into measured, repeatable, consistent digital forensics processes that can be trained and followed in a digital forensics' laboratory," the document says.

Facebook has joined the Rust Foundation, the organization driving the Rust programming language, alongside Amazon Web Services, Google, Huawei, Microsoft, and Mozilla. From a report: Facebook is the latest tech giant to ramp up its adoption of Rust, a language initially developed by Mozilla that's become popular for systems programming because of its memory safety guarantees compared to fast languages C and C++. Rust is appealing for writing components like drivers and compilers.

The Rust Foundation was established in February with initial backing from Amazon Web Services, Google, Huawei, Microsoft, and Mozilla. Microsoft is exploring Rust for some components of Windows and Azure while Google is using Rust to build new parts of the Android operating system and supporting an effort to bring Rust to the Linux kernel. Facebook's engineering team has now detailed its use of Rust beginning in 2016, a year after Rust reached its 1.0 milestone. "For developers, Rust offers the performance of older languages like C++ with a heavier focus on code safety. Today, there are hundreds of developers at Facebook writing millions of lines of Rust code," Facebook's software engineering team said.

The European Parliament approved a new law on terrorist content takedowns yesterday, paving the way for one-hour removals to become the legal standard across the EU. From a report: The regulation "addressing the dissemination of terrorist content online" will come into force shortly after publication in the EU's Official Journal -- and start applying 12 months after that. The incoming regime means providers serving users in the region must act on terrorist content removal notices from Member State authorities within one hour of receipt, or else provide an explanation why they have been unable to do so. There are exceptions for educational, research, artistic and journalistic work -- with lawmakers aiming to target terrorism propaganda being spread on online platforms like social media sites.

The types of content they want speedily removed under this regime includes material that incites, solicits or contributes to terrorist offences; provides instructions for such offences; or solicits people to participate in a terrorist group. Material posted online that provides guidance on how to make and use explosives, firearms or other weapons for terrorist purposes is also in scope. However concerns have been raised over the impact on online freedom of expression -- including if platforms use content filters to shrink their risk, given the tight turnaround times required for removals.

tsu doh nimh writes: Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau. Bill Demirkapi, an independent security researcher who's currently a sophomore at the Rochester Institute of Technology, said he discovered the data exposure while shopping around for student loan vendors online.

Demirkapi encountered one lender's site that offered to check his loan eligibility by entering his name, address and date of birth. Peering at the code behind this lookup page, he was able to see it invoked an Experian Application Programming Interface or API -- a capability that allows lenders to automate queries for FICO credit scores from the credit bureau. "No one should be able to perform an Experian credit check with only publicly available information," Demirkapi said. "Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian's system." Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the "date of birth" field let him then pull a person's credit score. He even built a handy command-line tool to automate the lookups, which he dubbed "Bill's Cool Credit Score Lookup Utility."

President Joe Biden's top labor official said Thursday that most gig workers in the United States should be classified as "employees" deserving of related benefits, in what could be a policy shift that is likely to raise costs for companies that depend on contractors such as Uber and Lyft and impact millions of workers. From a report: Shares of Uber fell as much as 8 percent while Lyft dived as much as 12 percent. Doordash fell nearly 9 percent and Grubhub was down 3.3 percent. Labor Secretary Marty Walsh, a son of Irish immigrants and a former union member, has been expected to boost President Biden's efforts to expand workers' protections and deliver a win for the country's organized labor movement.

"We are looking at it but in a lot of cases gig workers should be classified as employees... in some cases they are treated respectfully and in some cases they are not and I think it has to be consistent across the board," Walsh told Reuters in an interview, expressing his view on the topic for the first time. "These companies are making profits and revenue and I'm not (going to) begrudge anyone for that because that's what we are about in America... but we also want to make sure that success trickles down to the worker," he said.