US chipmaker AMD advised customers last week to disable a new performance feature if they plan to use CPUs for sensitive operations, as this feature is vulnerable to Spectre-like side-channel attacks. From a report: Called Predictive Store Forwarding (PSF), this feature was added to AMD CPUs part of the company's Zen 3 core architecture, a processor series dedicated to gaming and high-performance computing, which launched in November 2020. The feature implements a technique called speculative execution, which works by running multiple alternative CPU operations in advance to make results available faster, and then discarding "predicted" data once deemed unneeded.

Long-time Slashdot reader theshowmecanuck writes: A grandmother let her 13 year old grandson use her credit card to buy added content for one of his games for which she thought would be a $15 charge. After the account opened up because of the credit card on it, he started downloading other things not realizing they were adding substantial charges to her credit card. She asked Sony to refund the charges, it's not like they can't disable the added content if they wanted, but they told her basically too bad so sad.
From the article: When CTV News Toronto reached on to PlayStation on Liscoumb's behalf a spokesperson said "We reviewed this case at your request and determined that it did not qualify for a refund as outlined in our terms of service and user agreement."

"I'm just heartbroken and Visa said they can't do anything, because I'm the one that put the credit card into the system," [the grandmother, Diana] Liscoumb said... Liscoumb said it will be difficult to pay back the $1,400 in charges and says her grandson is upset too. "He even offered to get a job when he turns 14 to help pay for it."
This story drew a range of reactions from Slashdot readers:

• "This was a $1400 lesson that hopefully they both learned. Never trust a corporation to do the right thing."

• "This is not on the vendor it is on the grandson, his parents and his grandmother... This should not be a news story at all. This should be a private learning lesson for the child, and his guardians."

• "The real problem is still that companies are putting addictive gambling mechanics into games."

• "Someone at Sony should fix the problem."

An anonymous reader quotes a report from Ars Technica: Google is officially bringing its "Live Caption" technology to any website with the new version of Chrome. The feature, which debuted on Pixel phones and should be available on most Android 10+ devices, lets you easily apply Google's speech-to-text technology to any audio source, making it simple to get closed-captioning on audio that's lacking in the accessibility department. Starting today, Google is beginning to roll out the feature to Chrome 89 and up on desktop PCs.

You can enable the feature from the Chrome settings by going to "Advanced" and "Accessibility" and then turning on "Live Caption." Live captions appear on webpages as a gray box that fills with text as the video or audio plays. You can drag the box around so it never gets in the way, and you can even pick between two sizes. Live Caption will attempt to work with every audio source on the web; you can temporarily close the box each time you load a page, but there's no way to enable it on some websites and disable it on others. Google says all the processing happens locally on your device and won't end up on the Internet. For now, Google says Live Caption "currently supports English and is available globally on the latest release of Chrome on Windows, Mac and Linux devices and will be coming soon to ChromeOS."

Dustin Curtis, writing on his blog: About ten days ago, when I went to update a few apps in the App Store on my Mac, I was met with a curious error: "Your account has been disabled in the App Store and iTunes." The internet is filled with stories from people whose Google accounts were locked for unexplained reasons, causing them to lose all of their data, including years of email, so I was somewhat concerned. But I'd never heard of similar cases involving Apple's services, and I wouldn't expect such behavior from a customer-focused company like Apple, so I figured it was a glitch and made a mental note to try again later. The next day, Music.app stopped working: "You cannot login because your account has been locked."

Now I was genuinely worried. I checked my phone and neither the App Store nor Apple Music would work there, either. A few minutes later, Calendar popped up an error â" it had stopped syncing. I immediately tried to call Apple Support from my Mac, but Apple's Handoff feature had been disabled as well. The first person I spoke to at Apple spent a while researching the issue and then told me there was nothing she could do but escalate the issue, and that I should expect a call "hopefully" within the next day. I asked what the problem might be, and she seemed as confused as I was. Although some Apple services were still working, like iMessage (thank God) and Photos, I was terrified that more services would suddenly become inaccessible or that I would lose the considerable amount of data I have stored in iCloud.

A couple of days later, I became impatient and contacted Apple Support again. This time, the representative mumbled something about Apple Card before saying that he also had no power to help me. Apple ID was a different department, he said, and they could only be contacted by email. He emailed them. I continued to wait. The next time I tried to use my Apple Card, it was declined. Strange. I checked the Wallet app, and the balance was below the limit. I remembered the Apple support representative mumbling about Apple Card, so I did some digging through my email to see if I could find a connection. As it turns out, my bank account number changed in January, causing Apple Card autopay to fail. Then the Apple Store made a charge on the card. Less than fifteen days after that, my App Store, iCloud, Apple Music, and Apple ID accounts had all been disabled by Apple Card. Tim Sweeney, CEO of Epic Games, which is fighting a legal battle with Apple, offered some commentary on this: "It's terrifying how much leverage Apple has over consumers and developers by integrating everything, locking us all in, and exerting total control. Normal companies respect the natural boundaries that exist between platforms and services. Apple does not! For Apple, every choke point they create is both a profit center and a lever to exert control. After blocking Fortnite updates from over a billion iOS users, Apple threatened to block Sign in With Apple -- which they forced us to adopt -- affecting Fortnite players on 7 platforms."

An anonymous reader shares a report: If you go out and purchase a new TV today, it's going to have smart TV features allowing access to streaming services and the internet. However, if that new TV is running on the Google TV platform, it's possible to easily disable all the smart features during setup. The option to make your TV dumb was spotted by 9To5Google. During the setup of a TV running Google's smart TV platform, multiple features are offered including the ability to run apps, receive content recommendations, and enable Google Assistant. That's alongside the core options you'd expect from a TV: the ability to watch live broadcasts through an aerial and having access to attached devices via its HDMI ports. [...] However, Google decided to offer a more user-friendly way of doing this. As part of the setup process you can select "Set up basic TV." What this does is allow your TV to receive live broadcasts and access the HDMI ports, but nothing else. There's no apps, no Google Assistant, and no content recommendations. You also have the option to go back into the setup process and enable these smart features whenever you like.

Thanks to the hard work of the SwitchRoot team, it's now possible to enjoy an Android 10-based LineageOS 17.1 port on your Nintendo Switch console. XDA Developers reports: The Android 10 release is based on the LineageOS 17.1 build for the NVIDIA SHIELD TV and brings many improvements over the previous release, including a much-needed deep sleep mode so the OS doesn't murder your console's battery life. It's also generally faster and more responsive than the previous Android 8.1 Oreo version, according to the SwitchRoot team.

The ROM comes in two flavors: a Tablet build that offers a standard Android UI with support for all apps and an Android TV build that supports both docked and undocked use cases but has more limited app support. The former is recommended if you primarily use your Nintendo Switch while undocked, while the latter will offer a much-better docked experience. As for bugs and broken things, the developer says games built for the SHIELD (Half-Life 2, Tomb Raider, etc.) aren't supported, and you might notice some stuttering with Bluetooth audio. Some apps also may not support the Joy-Con D-Pad.

In order to install this build, you'll need an RCM-exploitable Nintendo Switch, a USB-C cable, a high-speed microSD card (formatted to FAT32), and a PC. If you already have the Android 8.1 Oreo build installed on your SD card, just make sure to back up your data before installing the Android 10 build, as flashing this new ROM will wipe all data. After installing the ROM itself, be sure to flash the Google Apps package, Alarm Disable ZIP, and Xbox Joycon Layout ZIP if you use an Xbox controller. You can download LineageOS 17.1 for Nintendo Switch here.

In 2019 two New York Times opinion writers obtained cellphone app data "containing the precise locations of more than 12 million individual smartphones for several months in 2016 and 2017." (It's data that they say is "supposed to be anonymous, but it isn't. We found celebrities, Pentagon officials and average Americans.")

Now they've obtained a remarkable new trove of data, "this time following the smartphones of thousands of Trump supporters, rioters and passers-by in Washington, D.C., on January 6, as Donald Trump's political rally turned into a violent insurrection."

And here the stakes for a privacy violation were even higher: [The data set] shows how Trump supporters traveled from South Carolina, Florida, Ohio and Kentucky to the nation's capital, with pings tracing neatly along major highways, in the days before the attack. Stops at gas stations, restaurants and motels dot the route like bread crumbs, each offering corroborating details. In many cases, these trails lead from the Capitol right back to their homes... Unlike the data we reviewed in 2019, this new data included a remarkable piece of information: a unique ID for each user that is tied to a smartphone. This made it even easier to find people, since the supposedly anonymous ID could be matched with other databases containing the same ID, allowing us to add real names, addresses, phone numbers, email addresses and other information about smartphone owners in seconds.

The IDs, called mobile advertising identifiers, allow companies to track people across the internet and on apps. They are supposed to be anonymous, and smartphone owners can reset them or disable them entirely. Our findings show the promise of anonymity is a farce. Several companies offer tools to allow anyone with data to match the IDs with other databases. We were quickly able to match more than 2,000 supposedly anonymous devices in the data set with email addresses, birthdays, ethnicities, ages and more...

Smartphone users will never know if they are included in the data or whether their precise movements were sold. There are no laws forcing companies to disclose what the data is used for or for how long. There are no legal requirements to ever delete the data. Even if anyone could figure out where records of their locations were sold, in most states, you can't request that the data be deleted. Their movements could be bought and sold to innumerable parties for years. And the threat that those movements could be tied back to their identity will never go away.

If the January 6 rioters didn't know before, they surely know now the cost of leaving a digital footprint...
The article argues that de-anonymizing the data "gets easier by the day," warning this latest data set demonstrates "the looming threat to our liberties posed by a surveillance economy that monetizes the movements of the righteous and the wicked alike."

But it also warns that "The location-tracking industry exists because those in power allow it to exist... The dark truth is that, despite genuine concern from those paying attention, there's little appetite to meaningfully dismantle this advertising infrastructure that undergirds unchecked corporate data collection.

"This collection will only grow more sophisticated."

The U.S. agency overseeing elections has "quietly weakened a key element of proposed security standards..." reports the Associated Press, "raising concern among voting-integrity experts that many such systems will remain vulnerable to hacking." The Election Assistance Commission (EAC) is poised to approve its first new security standards in 15 years after an arduous process involving multiple technical and elections community bodies and open hearings. But ahead of a scheduled February 10 ratification vote by commissioners, the EAC leadership tweaked the draft standards to remove language that stakeholders interpreted as banning wireless modems and chips from voting machines as a condition for federal certification. The mere presence of such wireless hardware poses unnecessary risks for tampering that could alter data or programs on election systems, say computer security specialists and activists, some of whom have long complained than the EAC bends too easily to industry pressure.

Agency leaders argue that overall, the revised guidelines represent a major security improvement. They stress that the rules require manufacturers to disable wireless functions present in any machines, although the wireless hardware can remain.

In a February 3 letter to the agency, computer scientists and voting integrity activists say the change "profoundly weakens voting system security and will introduce very real opportunities to remotely attack election systems." They demand the wireless hardware ban be restored...

The ban on wireless hardware in voting machines would force vendors who currently build systems with off-the-shelf components to rely on more expensive custom-built hardware, said EAC Chair Benjamin Hovland, which could hurt competition in an industry already dominated by a trio of companies. He also argued that the guidelines are voluntary, although many state laws are predicated on them... Hovland stressed that the amended guidelines say all wireless capability must be disabled in voting equipment. But computer experts say that if the hardware is present, the software that activates it can be introduced. And the threat is not just from malign actors but also from the vendors and their clients, who could enable the wireless capability for maintenance purposes then forget to turn it off, leaving machines vulnerable...

Experts are pushing for universal use of hand-marked paper ballots and better audits to bolster confidence in election results.

Google has threatened to disable its search engine in Australia if it's forced to pay local publishers for news, a dramatic escalation of a months-long standoff with the government. From a report: The proposed law, intended to compensate publishers for the value their stories generate for the company, is "unworkable," Mel Silva, managing director for Australia and New Zealand, told a parliamentary hearing Friday. She specifically opposed the requirement that Google pay media companies for displaying snippets of articles in search results.

The threat is Google's most potent yet as the digital giant tries to stem a flow of regulatory action worldwide. At least 94% of online searches in Australia go through the Alphabet unit, according to the local competition regulator. "We don't respond to threats," Australia Prime Minister Scott Morrison said Friday. "Australia makes our rules for things you can do in Australia. That's done in our parliament. It's done by our government. And that's how things work here in Australia."

Microsoft is making a big change to its Windows 10 taskbar soon, with the addition of a news and weather widget. The Verge reports: The new feature is available to testers today, and it will allow Windows 10 users to access a feed of news, stocks, and weather information straight from the taskbar. You'll be able to quickly glance at the weather without having to open the Start menu, install a third-party app, or check online. The taskbar feature will pop out into a mini feed of content that can be personalized with the latest sports news, headlines, and weather information. Microsoft is using its Microsoft News network to surface news and content from more than 4,500 sources. The company has been curating this through artificial intelligence in recent months, and this particular feature will also learn what news is relevant to you when you dismiss or like stories in the feed.

This new taskbar feature will also require Microsoft's Chromium-based Edge to be installed on a PC. That means any link you click within the feature will force you into Edge to read it, and Microsoft is presenting content in the reading view by default. You can of course disable this new taskbar feature, and Microsoft says it will be an ad-free experience.

An anonymous reader quotes a report from Ars Technica: After over a year of requests from fans and enthusiasts, and months of official teases, Microsoft Flight Simulator has a virtual reality mode. Whether you play the game via Steam or the Windows Store, you can now take advantage of "OpenXR" calls to seemingly any PC-VR system on the market, aided by an "enable/disable VR" keyboard shortcut at any time. This summer, ahead of the game's final-stretch beta test, the developers at Asobo Studio used a screen-share feature in a video call to tease the VR mode to us at Ars Technica. This is never an ideal way to show off VR, in part because the platform requires high refresh rates for comfortable play, which can't be smoothly sent in a pandemic-era video call. But even for a video call, it looked choppy. Asobo's team assured us that the incomplete VR mode was running well -- but of course, we're all on edge about game-preview assurances as of late. Now that users have been formally invited to slap Microsoft Flight Simulator onto their faces, I must strongly urge users not to do so -- or at least heavily temper their expectations. Honestly, Asobo Studio should've issued these warnings, not me, because this mode is nowhere near retail-ready.

Ultimately, trying to use the 2020 version of MSFS within its VR mode's "potato" settings is a stupid idea until some kinks get worked out. It's bad enough how many visual toggles must be dropped to PS2 levels to reach a comfortable 90 fps refresh; what's worse is that even in this low-fidelity baseline, you'll still face serious stomach-turning anguish in the form of constant frametime spikes. Turn the details up to a "medium" level in order to savor the incredible graphics engine Asobo built, of course, and you're closer to 45 fps. I didn't even bother finding an average performance for the settings at maximum. That test made me sick enough to delay this article by a few hours. [...] The thing is, my VR stomach can always survive the first few minutes of a bumpy refresh before I have to rip my headset off in anguish -- and this was long enough to see the absolute potential of MSFS as a must-play VR library addition. I don't have an ultrawide monitor, so testing MSFS has always been an exercise in wishing for a better field of view -- to replicate the glance-all-over behavior of actual flight. Getting a taste of that in my headset -- with accurate cockpit lighting, impressive volumetric clouds, and 3D modeling of my plane's various sounds -- made me want to sit for hours in this mode and get lost in compelling, realistic flight. But even the most iron stomachs can only take so much screen flicker within VR before churning, and that makes MSFS's demanding 3D engine a terrible fit for the dream of hours-long VR flight... at least, for the time being.

The iPhone's original -- and unofficial -- app store has sued Apple, accusing the company of having a monopoly on the distribution of apps. Cydia, an app store created and launched in 2007 by Jay "Saurik" Freeman, one of the original jailbreakers filed the lawsuit against Apple on Thursday. From a report: "Were it not for Apple's anti competitive acquisition and maintenance of an illegal monopoly over iOS app distribution, users today would actually be able to choose how and where to locate and obtain iOS apps, and developers would be able to use the iOS app distributor of their choice," the lawsuit reads. Before Apple created the App Store, Freeman and a group of iPhone hackers created an unofficial app store where users that were willing to jailbreak -- a technique to exploit one or more bug to disable the iPhone security mechanism called code-signing enforcement that allows for only Apple-approved code to run on the phone -- could download and install apps. In 2010, according to Freeman, Cydia had around 4.5 million users.

Mozilla today launched Firefox 83 for Windows, Mac, and Linux. An anonymous reader shares a report: Firefox 83's highlight feature is HTTPS-Only Mode, in which the browser attempts to establish fully secure connections to every website (just like the EFF's HTTPS Everywhere). If it can't, Firefox asks for your permission before connecting to a website that doesn't support secure connections. To enable HTTPS-Only Mode, click on Firefox's menu button, hit Preferences, then Privacy & Security, scroll down to HTTPS-Only Mode, and choose "Enable HTTPS-Only Mode in all windows." [...] Firefox 83 also brings performance improvements (improved page load performance by up to 15%, page responsiveness by up to 12%, and reduced memory usage by up to 8%). Firefox 83 is also the penultimate version of the web browser that will run Flash software; Firefox 85 will completely disable it when it arrives on Jan. 12, 2021.

According to Windows Latest, "Microsoft is A/B testing a new feature that is designed to nag users with fullscreen window-less Microsoft Edge recommendations in the OOBE screen." From the report: The nag will appear when users set up their PC, sign in to their system after applying updates, or when they click on a new ad banner within the Settings. [...] Microsoft is trying to convince users of rival browsers who are visiting Windows Settings of the benefits of trying the Chromium Edge. In the Settings app, there's a new banner that appears to be rolling out to non-Insiders. As you can see in the above screenshot, the advert appears across the top of the Settings app window, just above the settings options.

The banner states that you can "get even more out of Windows" and it surprisingly launches the OOBE (out of the box experience) screen. [...] This ad appeared only when our devices were set to use Google Chrome and Firefox as the default web browser. The user can easily close the advert by clicking the second option "Don't update your browser settings." If you try to skip the setup, the pop-up will appear again in future. Unfortunately, you cannot permanently disable these recommendations in Windows 10.

"[I]n the coming weeks," Google will show a new blanket setting to "turn off smart features" which will disable features like Smart Compose, Smart Reply, in apps like Gmail; the second half of the same prompt will disable whether additional Google products -- like Maps or Assistant, for example -- are allowed to be personalized based on data from Gmail, Meet, and Chat. Gizmodo reports: Google writes in its blog post about the new-ish settings that humans are not looking at your emails to enable smart features, and Google ads are "not based on your personal data in Gmail," something CEO Sundar Pichai has likewise said time and again. Google claims to have stopped that practice in 2017, although the following year the Wall Street Journal reported that third-party app developers had freely perused inboxes with little oversight. (When asked whether this is still a problem, the spokesperson pointed us to Google's 2018 effort to tighten security.)

A Google spokesperson emphasized that the company only uses email contents for security purposes like filtering spam and phishing attempts. These personalization changes aren't so much about tightening security as they are another informed consent defense which Google can use to repel the current regulatory siege being waged against it by lawmakers. [...] Inquiries in the U.S. and EU have found that Google's privacy settings have historically presented the appearance of privacy, rather than privacy itself. [...] So this is nice, and also Google's announcement reads as a letter to regulators. "This new setting is designed to reduce the work of understanding and managing [a choice over how data is processed], in view of what we've learned from user experience research and regulators' emphasis on comprehensible, actionable user choices over data."

Security researcher Jeffrey Paul, writes in a blog post: On modern versions of macOS, you simply can't power on your computer, launch a text editor or eBook reader, and write or read, without a log of your activity being transmitted and stored. It turns out that in the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it. Lots of people didn't realize this, because it's silent and invisible and it fails instantly and gracefully when you're offline, but today the server got really slow and it didn't hit the fail-fast code path, and everyone's apps failed to open if they were connected to the internet. Because it does this using the internet, the server sees your IP, of course, and knows what time the request came in. An IP address allows for coarse, city-level and ISP-level geolocation, and allows for a table that has the following headings: Date, Time, Computer, ISP, City, State, Application Hash; Apple (or anyone else) can, of course, calculate these hashes for common programs: everything in the App Store, the Creative Cloud, Tor Browser, cracking or reverse engineering tools, whatever.

This means that Apple knows when you're at home. When you're at work. What apps you open there, and how often. They know when you open Premiere over at a friend's house on their Wi-Fi, and they know when you open Tor Browser in a hotel on a trip to another city. "Who cares?" I hear you asking. Well, it's not just Apple. This information doesn't stay with them: These OCSP requests are transmitted unencrypted. Everyone who can see the network can see these, including your ISP and anyone who has tapped their cables. These requests go to a third-party CDN run by another company, Akamai. Since October of 2012, Apple is a partner in the US military intelligence community's PRISM spying program, which grants the US federal police and military unfettered access to this data without a warrant, any time they ask for it. In the first half of 2019 they did this over 18,000 times, and another 17,500+ times in the second half of 2019.

This data amounts to a tremendous trove of data about your life and habits, and allows someone possessing all of it to identify your movement and activity patterns. For some people, this can even pose a physical danger to them. Now, it's been possible up until today to block this sort of stuff on your Mac using a program called Little Snitch (really, the only thing keeping me using macOS at this point). In the default configuration, it blanket allows all of this computer-to-Apple communication, but you can disable those default rules and go on to approve or deny each of these connections, and your computer will continue to work fine without snitching on you to Apple. The version of macOS that was released today, 11.0, also known as Big Sur, has new APIs that prevent Little Snitch from working the same way. The new APIs don't permit Little Snitch to inspect or block any OS level processes. Additionally, the new rules in macOS 11 even hobble VPNs so that Apple apps will simply bypass them.

According to Phoronix, a Dell privacy driver is is being prepared for the Linux kernel. From the report: Beginning in Dell's 2021 laptop models they are providing hardware-based "privacy buttons" to disable microphone and camera support. These new Dell privacy buttons are basically hardware kill switches for the microphone and web camera video stream. The Dell privacy driver sent out on Tuesday for the Linux kernel is about manipulating the relevant LEDs and tracking the status of the hardware-based controls where as the actual toggling of the audio/video support is handled by the hardware.

The Dell privacy driver in its current form is talked about for the camera and microphone support but the patch does also note a "PRIVACY_SCREEN_STATUS" bit as well. Presumably they will be extending this privacy driver as well for privacy screen handling around reducing the horizontal/vertical viewing angles of the display. The dell-privacy Linux driver in its initial form can be found via the kernel mailing list. It's great seeing Dell working on this driver punctually for Linux ahead of their next-gen laptops.

As part of the October 2020 Patch Tuesday security updates, Microsoft has added a new option to Windows to let system administrators disable the JScript component inside Internet Explorer. ZDNet reports: The JScript scripting engine is an old component that was initially included with Internet Explorer 3.0 in 1996 and was Microsoft's own dialect of the ECMAScript standard (the JavaScript language). Development on the JScript engine ended, and the component was deprecated with the release of Internet Explorer 8.0 in 2009, but the engine remained in all Windows OS versions as a legacy component inside IE. Across the years, threat actors realized they could attack the JScript engine, as Microsoft wasn't actively developing it and only rarely shipped security updates, usually only when attacked by threat actors. [...]

Now, 11 years after deprecating the component, Microsoft is finally giving system administrators a way to disable JScript execution by default. According to Microsoft, the October 2020 Patch Tuesday introduces new registry keys that system administrators can apply and block the jscript.dll file from executing code. Details on how this can be done are available below, as taken from Microsoft's documentation.

A recently released tool is letting anyone exploit an unusual Mac vulnerability to bypass Apple's trusted T2 security chip and gain deep system access. The flaw is one researchers have also been using for more than a year to jailbreak older models of iPhones. But the fact that the T2 chip is vulnerable in the same way creates a new host of potential threats. Worst of all, while Apple may be able to slow down potential hackers, the flaw is ultimately unfixable in every Mac that has a T2 inside. From a report: In general, the jailbreak community haven't paid as much attention to macOS and OS X as it has iOS, because they don't have the same restrictions and walled gardens that are built into Apple's mobile ecosystem. But the T2 chip, launched in 2017, created some limitations and mysteries. Apple added the chip as a trusted mechanism for securing high-value features like encrypted data storage, Touch ID, and Activation Lock, which works with Apple's "Find My" services. But the T2 also contains a vulnerability, known as Checkm8, that jailbreakers have already been exploiting in Apple's A5 through A11 (2011 to 2017) mobile chipsets. Now Checkra1n, the same group that developed the tool for iOS, has released support for T2 bypass.

On Macs, the jailbreak allows researchers to probe the T2 chip and explore its security features. It can even be used to run Linux on the T2 or play Doom on a MacBook Pro's Touch Bar. The jailbreak could also be weaponized by malicious hackers, though, to disable macOS security features like System Integrity Protection and Secure Boot and install malware. Combined with another T2 vulnerability that was publicly disclosed in July by the Chinese security research and jailbreaking group Pangu Team, the jailbreak could also potentially be used to obtain FileVault encryption keys and to decrypt user data. The vulnerability is unpatchable, because the flaw is in low-level, unchangeable code for hardware. "The T2 is meant to be this little secure black box in Macs -- a computer inside your computer, handling things like Lost Mode enforcement, integrity checking, and other privileged duties," says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. "So the significance is that this chip was supposed to be harder to compromise -- but now it's been done."

A coalition of technology companies used a federal court order unsealed Monday to begin dismantling one of the world's most dangerous botnets in an effort to preempt disruptive cyber-attacks before next month's U.S. presidential election. From a report: The takedown is a highly coordinated event, spearheaded by the software giant Microsoft and involving telecommunications providers in multiple countries. If the operation succeeds, it will disable a global network of infected computers created by a popular malicious software known as Trickbot. Beginning early Monday, Trickbot operators are expected to began losing communication with the millions of computers they had painstakingly infected over a period of months, even years. The loss of the botnet -- as a network of infected computers is known -- will make it more difficult for Russian-based cybercriminals and other digital marauders to do their work. It will likely take months or years for the criminals to recover, if at all.

By dramatically dismantling Trickbot's network, Microsoft and its partners believe they will likely head-off ransomware attacks that could compromise voting systems before the U.S. presidential election on Nov. 3, said Tom Burt, vice president of Microsoft's customer security and trust division. "They could tie-up voter registration roles, election night reporting results and generally be extremely disruptive," Burt said. "Taking out one of the most notorious malware groups, we hope, will reduce the risk of ransomware's impact on the election this year." Coordinated takedowns like the one Monday have become increasingly common in the last several years, although the legal and technical hurdles involved are substantial. In this case, Microsoft and its partners were able to obtain a federal court order founded on Trickbot's infringement of Microsoft's trademarks, but ultimately aimed at disconnecting communications channels the attackers use to control the malicious software.