Government

Government Cybersecurity Agencies Unite to Urge Secure Software Design Practices (cisa.gov) 38

Several government cybersecurity agencies united to urge secure-by-design and secure-by-default software. The "joint guidance" for software manufacturers was released by two U.S. security agencies — the FBI and the NSA — together with the U.S. Cybersecurity and Infrastructure Security Agency and the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand. "To create a future where technology and associated products are safe for customers," they wrote in a joint statement, "the authoring agencies urge manufacturers to revamp their design and development programs to permit only secure-by-design and -default products to be shipped to customers."

The Washington Post reports: Software manufacturers should put an end to default passwords, write in safer programming languages and establish vulnerability disclosure programs for reporting flaws, a collection of U.S. and international government agencies said in new guidelines Thursday. [The guidelines also urge rigorous code reviews.]

The "principles and approaches" document, which isn't mandatory but lays out the agencies' views on securing software, is the first major step by the Biden administration as part of its push to make software products secure as part of the design process, and to make their default settings secure as well. It's part of a potentially contentious multiyear effort that aims to shift the way software makers secure their products. It was a key feature of the administration's national cybersecurity strategy, which was released last month and emphasized shifting the burden of security from consumers — who have to manage frequent software updates — to the companies that make often insecure products... The administration has also raised the prospect of legislation on secure-by-design and secure-by-default, but officials have said it could be years away....

The [international affairs think tank] Atlantic Council's Cyber Statecraft Initiative has praised the Biden administration's desire to address economic incentives for insecurity. Right now, the costs of cyberattacks fall on users more than they do tech providers, according to many policymakers. "They're on a righteous mission," Trey Herr, director of the Atlantic Council initiative, told me. If today's guidelines are the beginning of the discussion on secure-by-design and secure-by-default, Herr said, "this is a really strong start, and an important one."

"It really takes aim at security features as a profit center," which for some companies has led to a lot of financial growth, Herr said. "I do think that's going to rub people the wrong way and quick, but that's good. That's a good fight."

In the statement CISA's director says consumers also have a role to play in this transition. "As software now powers the critical systems and services we collectively rely upon every day, consumers must demand that manufacturers prioritize product safety above all else."

Among other things, the new guidelines say that manufacturers "are encouraged to make hard tradeoffs and investments, including those that will be 'invisible' to the customers, such as migrating to programming languages that eliminate widespread vulnerabilities."
EU

Python Foundation Raises Concerns Over EU's Proposed Cybersecurity Rules (theregister.com) 40

The Python Software Foundation is "concerned that proposed EU cybersecurity laws will leave open source organizations and individuals unfairly liable for distributing incorrect code," according to the Register. The PSF reviewed the EU's proposed "Cyber Resilience Act" and "Product Liability Act" and reports "issues that put the mission of our organization and the health of the open-source software community at risk."

From the Register's report: "If the proposed law is enforced as currently written, the authors of open-source components might bear legal and financial responsibility for the way their components are applied in someone else's commercial product," the PSF said in a statement shared on Tuesday by executive director Deb Nicholson. "The existing language makes no differentiation between independent authors who have never been paid for the supply of software and corporate tech behemoths selling products in exchange for payments from end-users...."

The PSF argues the EU lawmakers should provide clear exemptions for public software repositories that serve the public good and for organizations and developers hosting packages on public repositories. "We need it to be crystal clear who is on the hook for both the assurances and the accountability that software consumers deserve," the PSF concludes. The PSF is asking anyone who shares its concerns to convey that sentiment to an appropriate EU Member of Parliament by April 26, while amendments focused on protecting open source software are being considered.

Bradley Kuhn, policy fellow at the Software Freedom Conservancy, told The Register that the free and open source (FOSS) community should think carefully about the scope of the exemptions being sought. "I'm worried that many in FOSS are falling into a trap that for-profit companies have been trying to lay for us on this issue," he said. "While it seems on the surface that a blanket exception for FOSS would be a good thing for FOSS, in fact, this is an attempt for companies to get the FOSS community to help them skirt their ordinary product liability. For-profit companies that deploy FOSS should have the same obligations for security and certainty for their users as proprietary software companies do."

The article points out that numerous tech organizations are urging clarifications in the proposed regulations, including NLnet Labs and the Eclipse Foundation.
Privacy

Hackers Claim Vast Access To Western Digital Systems (techcrunch.com) 29

An anonymous reader quotes a report from TechCrunch: The hackers who breached data storage giant Western Digital claim to have stolen around 10 terabytes of data from the company, including reams of customer information. The extortionists are pushing the company to negotiate a ransom -- of "minimum 8 figures" -- in exchange for not publishing the stolen data. On April 3, Western Digital disclosed "a network security incident" saying hackers had exfiltrated data after hacking into "a number of the Company's systems." At the time, Western Digital provided few details about exactly what data the hackers stole, saying in a statement that the hackers "obtained certain data from its systems and [Western Digital] is working to understand the nature and scope of that data."

One of the hackers spoke with TechCrunch and provided more details, with the goal of verifying their claims. The hacker shared a file that was digitally signed with Western Digital's code-signing certificate, showing they could now digitally sign files to impersonate Western Digital. Two security researchers also looked at the file and agreed it is signed with the company's certificate. The hackers also shared phone numbers allegedly belonging to several company executives. TechCrunch called the numbers. Most of the calls rang but went to automated voicemail messages. Two of the phone numbers had voicemail greetings that mentioned the names of the executives that the hackers claimed were associated with the numbers. The two phone numbers are not public.

Screenshots shared by the hacker show a folder from a Box account apparently belonging to Western Digital, an internal email, files stored in a PrivateArk instance (a cybersecurity product), and a screenshot of a group call where one of the participants is identified as Western Digital's chief information security officer. They also said they were able to steal data from the company's SAP Backoffice, a backend interface that helps companies manage e-commerce data. The hacker said that their goal when they hacked Western Digital was to make money, though they decided against using ransomware to encrypt the company's files. [...] If Western Digital doesn't get back to them, the hacker said, they are ready to start publishing the stolen data on the website of the ransomware gang Alphv. The hacker said they are not directly affiliated with Alphv but "I know them to be professional."
Western Digital said they're declining to comment or answer questions about the hacker's claims.
Businesses

Sam Bankman-Fried Declared Alameda 'Unauditable,' New Report Shows (theblock.co) 61

The new management of FTX, headed by CEO John Ray III, on Sunday released its first interim report on control failures at the collapsed crypto exchange. There is a lot to digest. The Block: The 45-page report -- published Sunday afternoon by FTX Trading Ltd and its affiliated debtors -- describes in painstaking detail FTX's slapdash record-keeping, near non-existent cybersecurity defenses and its sparse expertise in key areas like finance. One of the more eye-catching items concerned Alameda Research, the trading firm that allegedly had access to billions of dollars in customer funds stored with FTX. The report states that Alameda "often had difficulty understanding what its positions were, let alone hedging or accounting for them."

Former CEO Sam Bankman-Fried, now under house arrest and facing a litany of criminal charges, described Alameda in internal communications as "hilariously beyond any threshold of any auditor being able to even get partially through an audit," according to the report. He went on: "Alameda is unauditable. I don't mean this in the sense of 'a major accounting firm will have reservations about auditing it'; I mean this in the sense of 'we are only able to ballpark what its balances are, let alone something like a comprehensive transaction history.' We sometimes find $50m of assets lying around that we lost track of; such is life."

Security

Crooks Are Using CAN Injection Attacks To Steal Cars (theregister.com) 47

"Thieves have discovered new ways to steal cars by pulling off smart devices (like smart headlights) to get at and attack via the Controller Area Network (CAN) bus," writes longtime Slashdot reader KindMind. The Register reports: A Controller Area Network (CAN) bus is present in nearly all modern cars, and is used by microcontrollers and other devices to talk to each other within the vehicle and carry out the work they are supposed to do. In a CAN injection attack, thieves access the network, and introduce bogus messages as if they were from the car's smart key receiver. These messages effectively cause the security system to unlock the vehicle and disable the engine immobilizer, allowing it to be stolen. To gain this network access, the crooks can, for instance, break open a headlamp and use its connection to the bus to send messages. From that point, they can simply manipulate other devices to steal the vehicle.

"In most cars on the road today, these internal messages aren't protected: the receivers simply trust them," [Ken Tindell, CTO of Canis Automotive Labs] detailed in a technical write-up this week. The discovery followed an investigation by Ian Tabor, a cybersecurity researcher and automotive engineering consultant working for EDAG Engineering Group. It was driven by the theft of Tabor's RAV4. Leading up to the crime, Tabor noticed the front bumper and arch rim had been pulled off by someone, and the headlight wiring plug removed. The surrounding area was scuffed with screwdriver markings, which, together with the fact the damage was on the kerbside, seemed to rule out damage caused by a passing vehicle. More vandalism was later done to the car: gashes in the paint work, molding clips removed, and malfunctioning headlamps. A few days later, the Toyota was stolen.

Refusing to take the pilfering lying down, Tabor used his experience to try to figure out how the thieves had done the job. The MyT app from Toyota -- which among other things allows you to inspect the data logs of your vehicle -- helped out. It provided evidence that Electronic Control Units (ECUs) in the RAV4 had detected malfunctions, logged as Diagnostic Trouble Codes (DTCs), before the theft. According to Tindell, "Ian's car dropped a lot of DTCs." Various systems had seemingly failed or suffered faults, including the front cameras and the hybrid engine control system. With some further analysis it became clear the ECUs probably hadn't failed, but communication between them had been lost or disrupted. The common factor was the CAN bus.
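The core weakness Tindell describes is that "the receivers simply trust" whatever appears on the bus. The added example below (not code from Canis, Toyota, or The Register) contrasts a body controller that obeys any frame carrying the unlock ID with one that requires a truncated HMAC tag and a monotonically increasing freshness counter, which is the general shape of the scheme AUTOSAR SecOC standardizes. The arbitration ID, payload encoding, 8-byte frame layout and key are all constructed for this toy bus; real vehicles use manufacturer-specific IDs, per-vehicle keys and a fleet-wide key-distribution process that this example does not cover.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical arbitration ID for the "unlock doors" command on this toy bus.
# Real IDs are vehicle-specific and are not given in the article.
UNLOCK_ID = 0x2A5
UNLOCK_CMD = b"\x01\x00"   # constructed 2-byte payload meaning "unlock"
TAG_LEN = 4                # truncated MAC bytes that fit in a classic 8-byte frame


@dataclass
class Frame:
    can_id: int
    data: bytes            # 0-8 bytes on classic CAN


def make_tag(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    """HMAC-SHA256 over (ID, freshness counter, payload), truncated to TAG_LEN."""
    msg = can_id.to_bytes(2, "big") + counter.to_bytes(2, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_auth_frame(key: bytes, can_id: int, counter: int, payload: bytes) -> Frame:
    """Toy layout: 2-byte payload | 2-byte counter | 4-byte tag = 8 bytes."""
    if len(payload) != 2:
        raise ValueError("this toy layout carries exactly 2 payload bytes")
    tag = make_tag(key, can_id, counter, payload)
    return Frame(can_id, payload + counter.to_bytes(2, "big") + tag)


class NaiveBodyController:
    """Models the receivers the article describes: any frame with the right ID is obeyed."""

    def __init__(self) -> None:
        self.unlocked = False

    def on_frame(self, frame: Frame) -> None:
        if frame.can_id == UNLOCK_ID and frame.data[:2] == UNLOCK_CMD:
            self.unlocked = True


class AuthenticatedBodyController:
    """Accepts an unlock only if the frame carries a valid tag and a fresh counter."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = -1
        self.unlocked = False
        self.rejections: list[str] = []

    def on_frame(self, frame: Frame) -> None:
        if frame.can_id != UNLOCK_ID:
            return
        if len(frame.data) != 8:
            self.rejections.append("bad length")
            return
        payload = frame.data[:2]
        counter = int.from_bytes(frame.data[2:4], "big")
        tag = frame.data[4:8]
        expected = make_tag(self.key, frame.can_id, counter, payload)
        if not hmac.compare_digest(tag, expected):
            self.rejections.append("bad tag")      # forged or tampered frame
            return
        if counter <= self.last_counter:
            self.rejections.append("replay")       # captured genuine frame resent
            return
        self.last_counter = counter
        if payload == UNLOCK_CMD:
            self.unlocked = True


def run_scenarios() -> dict:
    key = b"constructed-demo-key-not-a-vehicle-key"   # constructed; per-vehicle in practice
    # A bogus unlock frame as it would appear on an unprotected bus: right ID, no valid tag.
    bogus = Frame(UNLOCK_ID, UNLOCK_CMD + bytes(6))

    naive = NaiveBodyController()
    naive.on_frame(bogus)

    auth = AuthenticatedBodyController(key)
    auth.on_frame(bogus)                                # rejected: bad tag
    unlocked_by_bogus = auth.unlocked
    genuine = build_auth_frame(key, UNLOCK_ID, 7, UNLOCK_CMD)
    auth.on_frame(genuine)                              # accepted: counter 7 > -1
    auth.on_frame(genuine)                              # rejected: replay of counter 7

    return {
        "naive_unlocked_by_bogus_frame": naive.unlocked,
        "auth_unlocked_by_bogus_frame": unlocked_by_bogus,
        "auth_unlocked_by_genuine_frame": auth.unlocked,
        "auth_rejections": auth.rejections,
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The counter is what stops a recorded genuine frame from being replayed later; the tag alone would not. A 4-byte truncated tag is a compromise forced by the 8-byte classic CAN payload, which is one reason such schemes are easier to deploy on CAN FD, and it only helps if every ECU that can act on the message verifies it, which is the retrofit problem the article's fleet of existing vehicles illustrates.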

Privacy

Inside the Bitter Campus Privacy Battle Over Smart Building Sensors (technologyreview.com) 50

An anonymous reader quotes a report from MIT Technology Review: When computer science students and faculty at Carnegie Mellon University's Institute for Software Research returned to campus in the summer of 2020, there was a lot to adjust to. Beyond the inevitable strangeness of being around colleagues again after months of social distancing, the department was also moving into a brand-new building: the 90,000-square-foot, state-of-the-art TCS Hall. The hall's futuristic features included carbon dioxide sensors that automatically pipe in fresh air, a rain garden, a yard for robots and drones, and experimental super-sensing devices called Mites. Mounted in more than 300 locations throughout the building, these light-switch-size devices can measure 12 types of data -- including motion and sound. Mites were embedded on the walls and ceilings of hallways, in conference rooms, and in private offices, all as part of a research project on smart buildings led by CMU professor Yuvraj Agarwal and PhD student Sudershan Boovaraghavan and including another professor, Chris Harrison. "The overall goal of this project," Agarwal explained at an April 2021 town hall meeting for students and faculty, is to "build a safe, secure, and easy-to-use IoT [Internet of Things] infrastructure," referring to a network of sensor-equipped physical objects like smart light bulbs, thermostats, and TVs that can connect to the internet and share information wirelessly.

Not everyone was pleased to find the building full of Mites. Some in the department felt that the project violated their privacy rather than protected it. In particular, students and faculty whose research focused more on the social impacts of technology felt that the device's microphone, infrared sensor, thermometer, and six other sensors, which together could at least sense when a space was occupied, would subject them to experimental surveillance without their consent. "It's not okay to install these by default," says David Widder, a final-year PhD candidate in software engineering, who became one of the department's most vocal voices against Mites. "I don't want to live in a world where one's employer installing networked sensors in your office without asking you first is a model for other organizations to follow." All technology users face similar questions about how and where to draw a personal line when it comes to privacy. But outside of our own homes (and sometimes within them), we increasingly lack autonomy over these decisions. Instead, our privacy is determined by the choices of the people around us. Walking into a friend's house, a retail store, or just down a public street leaves us open to many different types of surveillance over which we have little control. Against a backdrop of skyrocketing workplace surveillance, prolific data collection, increasing cybersecurity risks, rising concerns about privacy and smart technologies, and fraught power dynamics around free speech in academic institutions, Mites became a lightning rod within the Institute for Software Research.

Voices on both sides of the issue were aware that the Mites project could have an impact far beyond TCS Hall. After all, Carnegie Mellon is a top-tier research university in science, technology, and engineering, and how it handles this research may influence how sensors will be deployed elsewhere. "When we do something, companies [and] other universities listen," says Widder. Indeed, the Mites researchers hoped that the process they'd gone through "could actually be a blueprint for smaller universities" looking to do similar research, says Agarwal, an associate professor in computer science who has been developing and testing machine learning for IoT devices for a decade. But the crucial question is what happens if -- or when -- the super-sensors graduate from Carnegie Mellon, are commercialized, and make their way into smart buildings the world over. The conflict is, in essence, an attempt by one of the world's top computer science departments to litigate thorny questions around privacy, anonymity, and consent. But it has deteriorated from an academic discussion into a bitter dispute, complete with accusations of bullying, vandalism, misinformation, and workplace retaliation. As in so many conversations about privacy, the two sides have been talking past each other, with seemingly incompatible conceptions of what privacy means and when consent should be required. Ultimately, if the people whose research sets the agenda for technology choices are unable to come to a consensus on privacy, where does that leave the rest of us?

Crime

FBI Seizes Bot Shop 'Genesis Market' (krebsonsecurity.com) 8

Several domain names tied to Genesis Market, a bustling cybercrime store that sold access to passwords and other data stolen from millions of computers infected with malicious software, were seized by the Federal Bureau of Investigation (FBI) today. KrebsOnSecurity reports: Sources tell KrebsOnSecurity the domain seizures coincided with "dozens" of arrests in the United States and abroad targeting those who allegedly operated the service, as well as suppliers who continuously fed Genesis Market with freshly-stolen data. Active since 2018, Genesis Market's slogan has long been, "Our store sells bots with logs, cookies, and their real fingerprints." Customers could search for infected systems with a variety of options, including by Internet address or by specific domain names associated with stolen credentials.

But earlier today, multiple domains associated with Genesis had their homepages replaced with a seizure notice from the FBI, which said the domains were seized pursuant to a warrant issued by the U.S. District Court for the Eastern District of Wisconsin. But sources close to the investigation tell KrebsOnSecurity that law enforcement agencies in the United States, Canada and across Europe are currently serving arrest warrants on dozens of individuals thought to support Genesis, either by maintaining the site or selling the service bot logs from infected systems. The seizure notice includes the seals of law enforcement entities from several countries, including Australia, Canada, Denmark, Germany, the Netherlands, Spain, Sweden and the United Kingdom. [...]

One feature of Genesis that sets it apart from other bot shops is that customers can retain access to infected systems in real-time, so that if the rightful owner of an infected system creates a new account online, those new credentials will get stolen and displayed in the web-based panel of the Genesis customer who purchased that bot. "While some infostealers are designed to remove themselves after execution, others create persistent access," reads a March 2023 report from cybersecurity firm SpyCloud. "That means bad actors have access to the current data for as long as the device remains infected, even if the user changes passwords." SpyCloud says Genesis even advertises its commitment to keep the stolen data and the compromised systems' fingerprints up to date. "According to our research, Genesis Market had more than 430,000 stolen identities for sale as of early last year -- and there are many other marketplaces like this one," the SpyCloud report concludes.

China

China Hits Micron With Review of Chips, Citing Security Risks (bloomberg.com) 28

China has opened a cybersecurity review of imports from America's largest memory chipmaker, Micron Technology, opening a new front in the escalating battle between the two countries over dominance in the semiconductor market. From a report: The Chinese government is conducting the review to ensure the security of its information infrastructure supply chain, prevent network security risks and maintain national security, it said in a statement Friday. The move stands to further escalate trade tensions between the Biden administration and China. The US has already blacklisted Chinese tech firms, sought to cut off the flow of sophisticated processors and banned its citizens from providing certain help to the country's chip industry. It has called on other nations to join its efforts, and earlier on Friday, Japan said it will expand restrictions on exports of 23 types of leading-edge chipmaking technology.
Security

'Vulkan Files' Leak Reveals Putin's Global and Domestic Cyberwarfare Tactics (theguardian.com) 42

"The Guardian reports on a document leak from Russian cyber 'security' company Vulkan," writes Slashdot reader Falconhell. From the report: Inside the six-storey building, a new generation is helping Russian military operations. Its weapons are more advanced than those of Peter the Great's era: not pikes and halberds, but hacking and disinformation tools. The software engineers behind these systems are employees of NTC Vulkan. On the surface, it looks like a run-of-the-mill cybersecurity consultancy. However, a leak of secret files from the company has exposed its work bolstering Vladimir Putin's cyberwarfare capabilities.

Thousands of pages of secret documents reveal how Vulkan's engineers have worked for Russian military and intelligence agencies to support hacking operations, train operatives before attacks on national infrastructure, spread disinformation and control sections of the internet. The company's work is linked to the federal security service or FSB, the domestic spy agency; the operational and intelligence divisions of the armed forces, known as the GOU and GRU; and the SVR, Russia's foreign intelligence organization.

One document links a Vulkan cyber-attack tool with the notorious hacking group Sandworm, which the US government said twice caused blackouts in Ukraine, disrupted the Olympics in South Korea and launched NotPetya, the most economically destructive malware in history. Codenamed Scan-V, it scours the internet for vulnerabilities, which are then stored for use in future cyber-attacks. Another system, known as Amezit, amounts to a blueprint for surveilling and controlling the internet in regions under Russia's command, and also enables disinformation via fake social media profiles. A third Vulkan-built system -- Crystal-2V -- is a training program for cyber-operatives in the methods required to bring down rail, air and sea infrastructure. A file explaining the software states: "The level of secrecy of processed and stored information in the product is 'Top Secret'."

Microsoft

Microsoft Unveils OpenAI-Based Chat Tools for Fighting Cyberattacks (bloomberg.com) 14

Microsoft, extending a frenzy of artificial intelligence software releases, is introducing new chat tools that can help cybersecurity teams ward off hacks and clean up after an attack. From a report: The latest of Microsoft's AI assistant tools -- the software giant likes to call them Copilots -- uses OpenAI's new GPT-4 language system and data specific to the security field, the company said Tuesday. The idea is to help security workers more quickly see connections between various parts of a hack, such as a suspicious email, malicious software file or the parts of the system that were compromised. Microsoft and other security software companies have been using machine-learning techniques to root out suspicious behavior and spot vulnerabilities for several years. But the newest AI technologies allow for faster analysis and add the ability to use plain English questions, making it easier for employees who may not be experts in security or AI. That's important because there's a shortage of workers with these skills, said Vasu Jakkal, Microsoft's vice president for security, compliance, identity and privacy. Hackers, meanwhile, have only gotten faster.
The Military

US Military Needs 7th Branch Just For Cyber, Leaders Say (therecord.media) 120

An anonymous reader quotes a report from the Record: A national association of current and former military digital security leaders is calling on Congress to establish a separate cyber service, arguing that the lack of one creates an "unnecessary risk" to U.S. national security. In a March 26 memorandum, the Military Cyber Professional Association urged lawmakers to establish a U.S. Cyber Force in this year's annual defense policy bill.

"For over a decade, each service has taken their own approach to providing United States Cyber Command forces to employ and the predictable results remain inconsistent readiness and effectiveness," according to the group, which boasts around 3,700 members. "Only a service, with all its trappings, can provide the level of focus needed to achieve optimal results in their given domain," the memo states. "Cyberspace, being highly contested and increasingly so, is the only domain of conflict without an aligned service. How much longer will our citizenry endure this unnecessary risk?"

The creation of a Cyber Force would follow the arrival of the Space Force in 2019. It was the first new branch of the U.S. military in 72 years, bringing the total to six. The association's missive is likely to spark fresh debate on Capitol Hill, where an increasing number of policymakers see a cyber-specific military service as an inevitability. [...] In its memo, the association says that while "steps should be taken to establish such a service, with urgency, pursuing it in a hasty manner would likely prove to be a source of great disruption and risk to our own forces and operations." Therefore, any legislative approval of a Cyber Force should be accompanied by a "thorough study to determine what this military service should look like, how it be implemented, and the applicable timeline," according to the group.

Android

Pinduoduo App Malware Detailed By Cybersecurity Researchers (bloomberg.com) 4

Security researchers at Moscow-based Kaspersky Lab have identified and outlined potential malware in versions of PDD Holdings' Chinese shopping app Pinduoduo, days after Google suspended it from its Android app store. From a report: In one of the first public accountings of the malicious code, Kaspersky laid out how the app could elevate its own privileges to undermine user privacy and data security. It tested versions of the app distributed through a local app store in China, where Huawei Technologies, Tencent Holdings and Xiaomi run some of the biggest app markets. Kaspersky's findings, shared with Bloomberg News, were among the clearest explanations from an independent security team for what triggered Google's action and malware warning last week. The cybersecurity firm, which has played a role in uncovering some of the biggest cyberattacks in history, said it found evidence that earlier versions of Pinduoduo exploited system software vulnerabilities to install backdoors and gain unauthorized access to user data and notifications. Those conclusions agreed in large part with those of researchers that had posted their discoveries online in past weeks, though Bloomberg News hasn't verified the authenticity of the earlier reports.
Education

Should Schools Make CS/Cybersecurity a High School Graduation Requirement? 128

Long-time Slashdot reader theodp notes Microsoft's friendly relationship with North Dakota, pointing out that in 2017 Microsoft's president Brad Smith said the company would provide the state "cash grants, technology, curriculum and resources to nonprofits" and also "partner with schools to strengthen their ability to offer digital skills and computer science education to the youth they serve." "We just have such a good relationship with the community. We were also excited about Doug Burgum's election as governor. We had confidence that Doug, as governor, would bring a real focus on innovation that would focus on both changes in government and changes in technology." Before being elected Governor in 2016 (with the endorsement of Microsoft CEO Satya Nadella and financial backing from Bill Gates), former Microsoft exec Burgum sold his Fargo-based Great Plains Software business to Microsoft in 2002 for $1.1 billion and joined the software giant, where he reported directly to Steve Ballmer (a college friend) and managed Nadella (who became chief of Microsoft Business Solutions after Burgum's 2007 departure).

"We need a national movement for coding and computer science in our public schools [...] We need to influence, we need to support, we need to reform public policy as we're seeing here in North Dakota," Microsoft's Smith exhorted to TEDxFargo attendees in his return to North Dakota. "We need to make sure that computer science counts towards high school graduation." Mission accomplished. On Friday, North Dakota's governor Doug Burgum and School Superintendent Kirsten Baesler celebrated the governor's signing of HB1398, the Microsoft-supported bill which requires the teaching of computer science and cybersecurity and the integration of these content standards into school coursework from kindergarten through 12th grade. (Two of the ten members of North Dakota's K-12 CS and Cybersecurity Standards Review Committee were from Microsoft).

The superintendent said North Dakota is the first state in the nation to approve legislation requiring cybersecurity education. "Today is the culmination of years of work by stakeholders from all sectors to recognize and promote the importance of cybersecurity and computer science education in our elementary, middle and high schools," superintendent Baesler said at Friday's bill signing ceremony.

Baesler said EduTech, a division of bill supporter North Dakota Information Technology that provides IT support and professional development for K-12 educators, will be developing examples of cybersecurity and computer science education integration plans that may be used to assist local schools develop their own plans. EduTech is a Regional Partner of tech-backed nonprofit Code.org, which also voiced its support for HB1398. Code.org's Board of Directors include Microsoft President Brad Smith and CTO Kevin Scott.

Burgum, who joined Code.org's Governors Partnership for K-12 Computer Science in 2017, was also among 45 of the nation's State Governors who last July signed a Compact To Expand K-12 Computer Science Education in their states in response to a public letter from the CEOs for CS (including Microsoft's Nadella and Smith), part of a campaign organized by Code.org that called for state governments and education leaders to bring more CS to K-12 students to meet the future demands of the American workforce. Code.org has set a goal to make CS a high school graduation requirement for every student in all 50 states by the end of the decade.
AI

Panera Bread Begins Scanning Its Customers' Palms (cbsnews.com) 123

Slashdot reader quonset writes: In an effort to further personalize a customer's experience, the U.S. restaurant chain Panera Bread is rolling out palm-scanning technology which will link the palm print with the customer's loyalty program. According to Panera Bread CEO Niren Chaudhary, the move will allow a "frictionless, personalized, and convenient" evolution of Panera's loyalty program, which boasts 52 million members. The claim is this will allow the company to offer menu choices based on a customer's order history, allow staff to personally greet the customer, and offer further suggestions.

Privacy advocates are not so sure. From the story:

Panera says the technology will securely store its customers' biometric data. However, digital rights activists worry that information could be tapped by federal agencies or accessed by hackers.

"Federal agencies like Customs and Border Protection have experienced devastating hacks where large databases of biometric information have been stolen," Fight for the Future told CBS MoneyWatch in an email. "Do we really expect Amazon, or Panera, to have better cybersecurity practices?"

The scanners are already installed at locations in St. Louis, Panera announced Wednesday, and scanners will "expand to additional locations in the coming months." (Panera has 2,113 locations in 48 states.) "After a simple scan of the palm, Panera associates will be able to greet guests by name, communicate their available rewards, reorder their favorite menu items, or take another order of their choice," the announcement gushes, "extending the guest experience into a true and meaningful relationship.

"When they are done ordering, guests can simply scan their palm again to pay."
Social Networks

France Bans 'Recreational Apps' From Government Staff Phones (apnews.com) 42

France announced Friday it is banning the "recreational" use of TikTok, Twitter, Instagram and other apps on government employees' phones because of concern about insufficient data security measures. Reuters reports: The French Minister for Transformation and Public Administration, Stanislas Guerini, said in a statement that "recreational" apps aren't secure enough to be used in state administrative services and "could present a risk for the protection of data." The ban will be monitored by France's cybersecurity agency. The statement did not specify which apps are banned but noted that the decision came after other governments took measures targeting TikTok.

Guerini's office said in a message to The Associated Press that the ban also will include Twitter, Instagram, Netflix, gaming apps like Candy Crush and dating apps. Exceptions will be allowed. If an official wants to use a banned app for professional purposes, like public communication, they can request permission to do so. Case in point: Guerini posted the announcement of the ban on Twitter.

Software

VW Will Support Software Products For Up To 15 Years (arstechnica.com) 23

An anonymous reader quotes a report from Ars Technica, written by Jonathan M. Gitlin: A perennial question that has accompanied the spread of Android Automotive has been the question of support. A car has a much longer expected service life than a smartphone, especially an Android smartphone, and with infotainment systems so integral to a car's operations now, how long can we reasonably expect those infotainment systems to be supported? I got the chance to put this question to Dirk Hilgenberg, CEO of CARIAD, Volkswagen Group's software division: Given the much longer service life of a car compared to a smartphone, how does VW plan to keep those cars patched and safe 10 or 15 years from now?

"We actually have a contract with the brands, which took a while to negotiate, but lifetime support was utterly important," Hilgenberg told me. The follow-up was obvious: How long is "lifetime"? "Fifteen years after service, and an extra option for brands who would like to have it even longer; you know, we have to guarantee updatability on all legal aspects," he said. "So that's why we are, as you can imagine, very cautious with branches of releases because every branch we need to maintain over this long time. So when you have end of operation and EOP [end of production] and it's 15 years longer, we still have to maintain that; plus, some brands actually said 'because my vehicle is a unicorn, it's something that people want even more, they only occasionally drive it but they want to be safe,'" Hilgenberg told me.

(The unicorn reference should make sense in the context of VW Group owning Bugatti, Lamborghini, and Porsche, whose cars are often collected and can be on the road for many decades.) In those cases, CARIAD would provide continued support, Hilgenberg said. "Especially as cybersecurity, all the legal things are concerned, you see that already. Now we do upgrades and releases, whether it's in China, whether it's in the US, whether it's in Europe, we take very cautious steps. Security and safety has, in the Volkswagen group, you know, the utmost importance, and we see it actually as an opportunity to differentiate," he said.
In an update to the article, Ars said CARIAD got in touch with them to add some clarifications. "As part of its development services to Volkswagen's automotive brands, CARIAD provides operational services, updates, upgrades and new releases as well as bug fixes and patches relating to its hardware- and software-products. We usually support our hard- and software releases for extended periods of time. In some cases this can be up to 15 years after the end of production ('EOP') for hardware and 10 years after EOP for software releases. Moreover, there are legally mandatory periods we comply with, e.g. cybersecurity as well as safety updates and patches are provided for as long as a function is available. In addition, there may be individual agreements with brands for longer support periods to specifically satisfy their customers' needs," wrote a CARIAD spokesperson.

Ars notes: "there's no guarantee that OEMs can make the business model work for this long-term support."
Government

The Fed Had Already Spotted Big Problems at SVB Before Its Collapse (smh.com.au) 150

And starting in 2021 — long before the run on Silicon Valley Bank — the Federal Reserve had "repeatedly warned the bank that it had problems," reports the New York Times: In 2021, a Fed review of the growing bank found serious weaknesses in how it was handling key risks. Supervisors at the Federal Reserve Bank of San Francisco, which oversaw Silicon Valley Bank, issued six citations. Those warnings, known as "matters requiring attention" and "matters requiring immediate attention," flagged that the firm was doing a bad job of ensuring that it would have enough easy-to-tap cash on hand in the event of trouble.

But the bank did not fix its vulnerabilities. By July 2022, Silicon Valley Bank was in a full supervisory review — getting a more careful look — and was ultimately rated deficient for governance and controls. It was placed under a set of restrictions that prevented it from growing through acquisitions. Last autumn, staff members from the San Francisco Fed met with senior leaders at the firm to talk about their ability to gain access to enough cash in a crisis and possible exposure to losses as interest rates rose.

It became clear to the Fed that the firm was using bad models to determine how its business would fare as the central bank raised rates: Its leaders were assuming that higher interest revenue would substantially help their financial situation as rates went up, but that was out of step with reality. By early 2023, Silicon Valley Bank was in what the Fed calls a "horizontal review," an assessment meant to gauge the strength of risk management. That checkup identified additional deficiencies — but at that point, the bank's days were numbered. In early March, it faced a run and failed within a matter of days....

The picture that is emerging is one of a bank whose leaders failed to plan for a realistic future and neglected looming financial and operational problems, even as they were raised by Fed supervisors. For instance, according to a person familiar with the matter, executives at the firm were told of cybersecurity problems both by internal employees and by the Fed — but ignored the concerns.

The Federal Reserve Bank system has 12 districts, and the one overseeing California had a board of directors which included SVB's CEO Greg Becker, the article points out. "While board members do not play a role in bank supervision, the optics of the situation are bad."
Social Networks

New Zealand To Ban TikTok On Devices Linked To Parliament (cnbc.com) 14

New Zealand will ban TikTok on devices with access to the parliamentary network because of cybersecurity concerns, a government official said on Friday. CNBC reports: TikTok will be banned on all devices with access to New Zealand's parliamentary network by the end of March, said Parliamentary Service Chief Executive Rafael Gonzalez-Montero. Gonzalez-Montero, in an email to Reuters, said the decision was taken after advice from cybersecurity experts and discussions within government and with other countries.

"Based on this information the Service has determined that the risks are not acceptable in the current New Zealand Parliamentary environment," he said. Special arrangements can be made for those who require the app to do their jobs, he added.

Businesses

UK Bans TikTok from Government Mobile Phones (theguardian.com) 21

Britain is to ban the Chinese-owned video-sharing app TikTok from ministers' and civil servants' mobile phones, bringing the UK in line with the US and the European Commission and reflecting deteriorating relations with Beijing. From a report: The decision marks a sharp U-turn from the UK's previous position and came a few hours after TikTok said its owner, ByteDance, had been told by Washington to sell the app or face a possible ban in the country. The UK government's announcement was made on Thursday by Oliver Dowden, the Cabinet Office minister, in the Commons. He said the ban was taking place "with immediate effect."

The decision follows a review of TikTok by government cybersecurity experts at the National Cyber Security Centre, and will cover ministers' and civil servants' work phones, but not their personal phones. "This is a proportionate move based on a specific risk with government devices," Dowden added. At least two cabinet ministers use TikTok. Michelle Donelan, the science and technology secretary, and Grant Shapps, the energy security and net zero secretary, have accounts on the app, which is used by millions of young people and many celebrities and influencers.

The Almighty Buck

Head of America's SEC: Crypto Firms Should Comply With US Regulations (thehill.com) 47

"Crypto firms should do their work within the bounds of the law, or they shouldn't do it at all," says the head of America's Securities and Exchange Commission, which regulates U.S. investment markets.

In an editorial published in The Hill, SEC chair Gary Gensler warns that cryptocurrency instead relies on many "trusted" intermediaries that are in fact non-compliant with U.S. securities law: Today, crypto is dominated by a handful of trading, lending, staking, and other financial intermediaries. The investing public is trusting these entities to be responsible with investors' assets. According to some data, the three largest crypto trading platforms purportedly account for almost three quarters of all trading volume. Crypto entrepreneurs might claim, in their own marketing materials, that they're transparent and regulated. But make no mistake: Very few, if any, are actually registered with the SEC and fully compliant with the federal securities laws.

The lack of compliance puts investors' hard-earned assets at risk. Investors lack fundamental disclosures about the crypto assets themselves and the firms who execute their trades and custody their assets: What are firms doing with customer assets? How are they funding their promised returns? Are they putting their hands in investors' pockets? When you buy or sell a token, are you trading against the house? What are the rules to protect against manipulation and fraud? Without disclosure and other investor protections, we simply don't know.

In essence, these firms are saying, "trust us." What's more, when firms go bankrupt (as many have of late), they turn to bankruptcy courts to sort out their mess.

"[B]ased upon how crypto platforms generally operate, investment advisers cannot rely on them today as qualified custodians," the editorial concludes. Rather than comply with the relevant laws, "it has felt like some have sought a stamp of approval for noncompliant activity, rather than changing a fundamentally non-compliant business model rife with conflicts." Of course, another tool in our toolbox is rooting out noncompliance through investigations and enforcement actions. The SEC has successfully brought or settled more than 100 cases against crypto intermediaries and token issuers, including some who operated Ponzi or pyramid schemes, engaged in unlawful touting, or committed other forms of fraud....

Some have said that we should let the innovation flourish or risk it going overseas. But forsaking investor protection puts real people's life savings at risk.

"It's a basic bargain in finance: If you want to raise money from the public, disclose certain facts and figures," Gensler told Politico this week. Their article notes "crypto giants are threatening to move their businesses across the Atlantic" from America to Europe, but with Gensler responding "We lose more if investors get harmed here." Crypto lobbyists have framed Gensler's push to force their industry to comply with 90-year-old securities laws as a war against financial innovation. Whatever changes brought by crypto markets will pale compared to what could come as brokerages and financial data aggregators move to incorporate artificial intelligence into their offerings, Gensler said.

"The much more transformative technology right now of our times is predictive data analytics and everything underlying artificial intelligence," he said, adding that he looked forward to working with lawmakers on how those tools could be regulated.
