Long-time Slashdot reader sandbagger writes: Have you ever wondered if it's true you can instantly get malware? In this video, a person connects an XP instance directly to the internet with no firewall to see just how fast it gets compromised by malware, rootkits, malicious services and new user accounts. The answer — fast!
Malwarebytes eventually finds eight different viruses/Trojan horses -- and a DNS changer. (One IP address leads back to the Russian federation.) Itâ(TM)s fun to watch -- within just a few hours a new Windows user has even added themself. And for good measure, he also opens up Internet Explorer...

âoeWindows XP -- very insecure,â they conclude at the end of the video. âoeVery easy for random software from the internet to get more privileges than you, and it is very hard to solve that.

âoeAlso, just out of curiosity I tried this on Windows 7. And even with all of the same settings, nothing happened. I let it run for 10 hours. So it seems like this may be a problem in historical Windows.â

Investigative journalist and cybersecurity expert Brian Krebs writes: The Chinese company in charge of handing out domain names ending in ".top" has been given until mid-August 2024 to show that it has put in place systems for managing phishing reports and suspending abusive domains, or else forfeit its license to sell domains. The warning comes amid the release of new findings that .top was the most common suffix in phishing websites over the past year, second only to domains ending in ".com." On July 16, the Internet Corporation for Assigned Names and Numbers (ICANN) sent a letter to the owners of the .top domain registry. ICANN has filed hundreds of enforcement actions against domain registrars over the years, but in this case ICANN singled out a domain registry responsible for maintaining an entire top-level domain (TLD). Among other reasons, the missive chided the registry for failing to respond to reports about phishing attacks involving .top domains.

"Based on the information and records gathered through several weeks, it was determined that .TOP Registry does not have a process in place to promptly, comprehensively, and reasonably investigate and act on reports of DNS Abuse," the ICANN letter reads (PDF). ICANN's warning redacted the name of the recipient, but records show the .top registry is operated by a Chinese entity called Jiangsu Bangning Science & Technology Co. Ltd. Representatives for the company have not responded to requests for comment.

Domains ending in .top were represented prominently in a new phishing report released today by the Interisle Consulting Group, which sources phishing data from several places, including the Anti-Phishing Working Group (APWG), OpenPhish, PhishTank, and Spamhaus. Interisle's newest study examined nearly two million phishing attacks in the last year, and found that phishing sites accounted for more than four percent of all new .top domains between May 2023 and April 2024. Interisle said .top has roughly 2.76 million domains in its stable, and that more than 117,000 of those were phishing sites in the past year.

An anonymous reader quotes a report from TorrentFreak: A French court has ordered Google, Cloudflare, and Cisco to poison their DNS resolvers to prevent circumvention of blocking measures, targeting around 117 pirate sports streaming domains. The move is another anti-piracy escalation for broadcaster Canal+, which also has permission to completely deindex the sites from search engine results. [...] Two decisions were handed down by the Paris judicial court last month; one concerning Premier League matches and the other the Champions League. The orders instruct Google, Cloudflare, and Cisco to implement measures similar to those in place at local ISPs. To protect the rights of Canal+, the companies must prevent French internet users from using their services to access around 117 pirate domains.

According to French publication l'Informe, which broke the news, Google attorney Sebastien Proust crunched figures published by government anti-piracy agency Arcom and concluded that the effect on piracy rates, if any, is likely to be minimal. Starting with a pool of all users who use alternative DNS for any reason, users of pirate sites -- especially sites broadcasting the matches in question -- were isolated from the rest. Users of both VPNs and third-party DNS were further excluded from the group since DNS blocking is ineffective against VPNs. Proust found that the number of users likely to be affected by DNS blocking at Google, Cloudflare, and Cisco, amounts to 0.084% of the total population of French Internet users. Citing a recent survey, which found that only 2% of those who face blocks simply give up and don't find other means of circumvention, he reached an interesting conclusion. "2% of 0.084% is 0.00168% of Internet users! In absolute terms, that would represent a small group of around 800 people across France!"

In common with other courts presented with the same arguments, the Paris court said the number of people using alternative DNS to access the sites, and the simplicity of switching DNS, are irrelevant. Canal+ owns the rights to the broadcasts and if it wishes to request a blocking injunction, it has the legal right to do so. The DNS providers' assertion that their services are not covered by the legislation was also waved aside by the court. Google says it intends to comply with the order. As part of the original matter in 2023, it was already required to deindex the domains from search results under the same law. At least in theory, this means that those who circumvented the original blocks using these alternative DNS services, will be back to square one and confronted by blocks all over again. Given that circumventing this set of blocks will be as straightforward as circumventing the originals, that raises the question of what measures Canal+ will demand next, and from whom.

A server maintained by Cogent Communications, one of the 13 root servers crucial to the Internet's domain name system, fell out of sync with its peers for over four days due to an unexplained glitch. This issue, which could have caused worldwide stability and security problems, was resolved on Wednesday.

The root servers store cryptographic keys necessary for authenticating intermediate servers under the DNSSEC mechanism. Inconsistencies in these keys across the 13 servers could lead to an increased risk of attacks such as DNS cache poisoning. Engineers postponed planned updates to the .gov and .int domain name servers' DNSSEC to use ECDSA cryptographic keys until the situation stabilized. Cogent stated that it became aware of the issue on Tuesday and resolved it within 25 hours. ArsTechnica, which has a great writeup about the incident, adds: Initially, some people speculated that the depeering of Tata Communications, the c-root site outage, and the update errors to the c-root itself were all connected somehow. Given the vagueness of the statement, the relation of those events still isn't entirely clear.

"We're migrating domains in batches..." announced web-hosting company Squarespace earlier this month.

"Squarespace has entered into an agreement to become the new home for Google Domains customers. When your domain transitions from Google to Squarespace, you'll become a Squarespace customer and manage your domain through an account with us."

Slashdot reader shortyadamk shares an email sent today to a Google Domains customer: "Today your domain, xyz.com, migrated from Google Domains to Squarespace Domains.

"Your WHOIS contact details and billing information (if applicable) were migrated to Squarespace. Your DNS configuration remains unchanged.

"Your migrated domain will continue to work with Google Services such as Google Search Console. To support this, your account now has a domain verification record — one corresponding to each Google account that currently has access to the domain."

Cloudflare, in a blog post: Key insights from the first quarter of 2024 include:
1. 2024 started with a bang. Cloudflare's defense systems automatically mitigated 4.5 million DDoS attacks during the first quarter -- representing a 50% year-over-year (YoY) increase.
2. DNS-based DDoS attacks increased by 80% YoY and remain the most prominent attack vector.
3. DDoS attacks on Sweden surged by 466% after its acceptance to the NATO alliance, mirroring the pattern observed during Finland's NATO accession in 2023.

We've just wrapped up the first quarter of 2024, and, already, our automated defenses have mitigated 4.5 million DDoS attacks -- an amount equivalent to 32% of all the DDoS attacks we mitigated in 2023. Breaking it down to attack types, HTTP DDoS attacks increased by 93% YoY and 51% quarter-over-quarter (QoQ). Network-layer DDoS attacks, also known as L3/4 DDoS attacks, increased by 28% YoY and 5% QoQ. When comparing the combined number of HTTP DDoS attacks and L3/4 DDoS attacks, we can see that, overall, in the first quarter of 2024, the count increased by 50% YoY and 18% QoQ. In total, our systems mitigated 10.5 trillion HTTP DDoS attack requests in Q1. Our systems also mitigated over 59 petabytes of DDoS attack traffic -- just on the network-layer.

An anonymous reader shares a report: Google offers a VPN via its "Google One" monthly subscription plan, and while it debuted on phones, a desktop app has been available for Windows and Mac OS for over a year now. Since a lot of people pay for Google One for the cloud storage increase for their Google accounts, you might be tempted to try the VPN on a desktop, but Windows users testing out the app haven't seemed too happy lately. An open bug report on Google's GitHub for the project says the Windows app "breaks" the Windows DNS, and this has been ongoing since at least November.

A VPN would naturally route all your traffic through a secure tunnel, but you've still got to do DNS lookups somewhere. A lot of VPN services also come with a DNS service, and Google is no different. The problem is that Google's VPN app changes the Windows DNS settings of all network adapters to always use Google's DNS, whether the VPN is on or off. Even if you change them, Google's program will change them back. Most VPN apps don't work this way, and even Google's Mac VPN program doesn't work this way. The users in the thread (and the ones emailing us) expect the app, at minimum, to use the original Windows settings when the VPN is off. Since running a VPN is often about privacy and security, users want to be able to change the DNS away from Google even when the VPN is running.

BleepingComputer reports on "a new denial-of-service attack dubbed 'Loop DoS' targeting application layer protocols."

According to their article, the attack "can pair network services into an indefinite communication loop that creates large volumes of traffic." Devised by researchers at the CISPA Helmholtz-Center for Information Security, the attack uses the User Datagram Protocol (UDP) and impacts an estimated 300,000 host and their networks. The attack is possible due to a vulnerability, currently tracked as CVE-2024-2169, in the implementation of the UDP protocol, which is susceptible to IP spoofing and does not provide sufficient packet verification. An attacker exploiting the vulnerability creates a self-perpetuating mechanism that generates excessive traffic without limits and without a way to stop it, leading to a denial-of-service (DoS) condition on the target system or even an entire network. Loop DoS relies on IP spoofing and can be triggered from a single host that sends one message to start the communication.

According to the Carnegie Mellon CERT Coordination Center (CERT/CC) there are three potential outcomes when an attacker leverages the vulnerability:

— Overloading of a vulnerable service and causing it to become unstable or unusable.
— DoS attack on the network backbone, causing network outages to other services.
— Amplification attacks that involve network loops causing amplified DOS or DDOS attacks.

CISPA researchers Yepeng Pan and Professor Dr. Christian Rossow say the potential impact is notable, spanning both outdated (QOTD, Chargen, Echo) and modern protocols (DNS, NTP, TFTP) that are crucial for basic internet-based functions like time synchronization, domain name resolution, and file transfer without authentication... The researchers warned that the attack is easy to exploit, noting that there is no evidence indicating active exploitation at this time. Rossow and Pan shared their findings with affected vendors and notified CERT/CC for coordinated disclosure. So far, vendors who confirmed their implementations are affected by CVE-2024-2169 are Broadcom, Cisco, Honeywell, Microsoft, and MikroTik.

To avoid the risk of denial of service via Loop DoS, CERT/CC recommends installing the latest patches from vendors that address the vulnerability and replace products that no longer receive security updates. Using firewall rules and access-control lists for UDP applications, turning off unnecessary UDP services, and implementing TCP or request validation are also measures that can mitigate the risk of an attack. Furthermore, the organization recommends deploying anti-spoofing solutions like BCP38 and Unicast Reverse Path Forwarding (uRPF), and using Quality-of-Service (QoS) measures to limit network traffic and protect against abuse from network loops and DoS amplifications.

Slashdot reader Unpopular Opinions requests suggestions from the Slashdot community: Lately a boom of companies decided to play their "nice guy" card, providing us with a trove of information about our own sites, DNS servers, email servers, pretty much anything about any online service you host.

Which is not anything new... Companies have been doing this for decades, except as paid services you requested. Now the trend is basically anyone can do it over my systems, and they are always more than happy to sell anyone, me included, my data they collected without authorization or consent. It's data they never had the rights to collect and/or compile to begin with, including data collected thru access attempts via known default accounts (Administrator, root, admin, guest) and/or leaked credentials provided by hacked databases when a few elements seemingly match...

"Just block those crawlers"? That's what some of those companies advise, but not only does the site operator have to automate it themself, not all companies offer lists of their source IP addresses or identify them. Some use multiple/different crawler domain names from their commercial product, or use cloud providers such as Google Cloud, AWS and Azure â" so one can't just block access to their company's networks without massive implications. They also change their own information with no warning, and many times, no updates to their own lists. Then, there is the indirect cost: computing cost, network cost, development cost, review cycle cost. It is a cat-and-mice game that has become very boring.

With the raise of concerns and ethical questions about AI harvesting and learning from copyrighted work, how are those security companies any different from AI, and how could one legally put a stop on this?
Block those crawlers? Change your Terms of Service? What's the best fix... Share your own thoughts and suggestions in the comments.

How can you stop security firms from harvesting your data?

The Internet Corporation for Assigned Names and Numbers (ICANN) has proposed creating a new top-level domain (TLD) and never allowing it to be delegated in the global domain name system (DNS) root. From a report: The proposed TLD is .INTERNAL and, as the name implies, it's intended for internal use only. The idea is that .INTERNAL could take on the same role as the 192.168.x.x IPv4 bloc -- available for internal use but never plumbed into DNS or other infrastructure that would enable it to be accessed from the open internet.

ICANN's Security and Stability Advisory Committee (SSAC) advised the development of such a TLD in 2020. It noted at the time that "many enterprises and device vendors make ad hoc use of TLDs that are not present in the root zone when they intend the name for private use only. This usage is uncoordinated and can cause harm to Internet users" -- in part by forcing DNS servers to handle, and reject, queries for domains only used internally. DNS, however, can't prevent internal use of ad hoc TLDs. So the SSAC recommended creation of a TLD that would be explicitly reserved for internal use.

An anonymous reader quotes a report from TorrentFreak: A document detailing technical requirements of Italy's Piracy Shield anti-piracy system confirms that ISPs are not alone in being required to block pirate IPTV services. All VPN and open DNS services must also comply with blocking orders, including through accreditation to the Piracy Shield platform. [...] Italy's Piracy Shield anti-piracy system reportedly launched last week, albeit in limited fashion. Whether the platform had any impact on pirate IPTV providers offering the big game last Friday is unclear but plans supporting a full-on assault are pressing ahead.

When lawmakers gave Italy's new blocking regime the green light during the summer, the text made it clear that blocking instructions would not be limited to regular ISPs. The document issued by AGCOM [...] specifically highlights that VPN and DNS providers are no exception. "[A]ll parties in any capacity involved in the accessibility of illegally disseminated content -- and therefore also, by way of example and not limitation -- VPN and open DNS service providers, will have to execute the blocks requested by the Authority [AGCOM] including through accreditation to the Piracy Shield platform or otherwise implementing measures that prevent the user from reaching that content," the notice reads. [...]

The relevant section of the new law is in some ways even more broad when it comes to search engines such as Google. Whether they are directly involved in accessibility or not, they're still required to take action. AGCOM suggests that Google understands its obligations and is also prepared to take things further. The company says it will deindex offending platforms from search and also remove their ability to advertise. "Since this is a dynamic blocking, the search engine therefore undertakes to perform de-indexing of all websites/telematic addresses that are the subject of subsequent reports that can also be communicated by rights holders accredited to the platform," AGCOM writes. "Google has shared a procedural mode for the communication of the blocking list, and the Company has also committed to the timely removal of all advertisements that do not comply with the company's policies, having particular regard to those that invest the promotion of pirate sites referring to protected sporting events."

Long-time Slashdot reader jd writes: The Register is reporting that Akamai security researchers have found a way to hack Active Directory and obtain the information stored within it. The researchers go on to say that Microsoft is NOT planning to fix the vulnerability.
From the article: While the current report doesn't provide technical details or proof-of-concept exploits, Akamai has promised, in the near future, to publish code that implements these attacks called DDSpoof — short for DHCP DNS Spoof.

'We will show how unauthenticated attackers can collect necessary data from DHCP servers, identify vulnerable DNS records, overwrite them, and use that ability to compromise AD domains,' Akamai security researcher Ori David said.

The DHCP attack research builds on earlier work by NETSPI's Kevin Roberton, who detailed ways to exploit flaws in DNS zones.

An anonymous reader quotes a report from Ars Technica: Russia's military intelligence unit has been targeting Ukrainian Android devices with "Infamous Chisel," the tracking name for new malware that's designed to backdoor devices and steal critical information, Western intelligence agencies said on Thursday. "Infamous Chisel is a collection of components which enable persistent access to an infected Android device over the Tor network, and which periodically collates and exfiltrates victim information from compromised devices," intelligence officials from the UK, US, Canada, Australia, and New Zealand wrote (PDF). "The information exfiltrated is a combination of system device information, commercial application information and applications specific to the Ukrainian military."

Infamous Chisel gains persistence by replacing the legitimate system component known as netd with a malicious version. Besides allowing Infamous Chisel to run each time a device is restarted, the malicious netd is also the main engine for the malware. It uses shell scripts and commands to collate and collect device information and also searches directories for files that have a predefined set of extensions. Depending on where on the infected device a collected file is located, netd sends it to Russian servers either immediately or once a day. When exfiltrating files of interest, Infamous Chisel uses the TLS protocol and a hard-coded IP and port. Use of the local IP address is likely a mechanism to relay the network traffic over a VPN or other secure channel configured on the infected device. This would allow the exfiltration traffic to blend in with expected encrypted network traffic. In the event a connection to the local IP and port fails, the malware falls back to a hard-coded domain that's resolved using a request to dns.google.

Infamous Chisel also installs a version of the Dropbear SSH client that can be used to remotely access a device. The version installed has authentication mechanisms that have been modified from the original version to change the way users log in to an SSH session. [...] The report didn't say how the malware gets installed. In the advisory Ukraine's security service issued earlier this month (PDF), officials said that Russian personnel had "captured Ukrainian tablets on the battlefield, pursuing the aim to spread malware and abuse available access to penetrate the system." It's unclear if this was the vector.

The United Nations' proposed Global Digital Compact will exclude technical experts as a distinct voice in internet governance, ignoring their enormous contributions to growing and sustaining the internet, according to ICANN and two of the world's regional internet registries. From a report: The Global Digital Compact is an effort to "outline shared principles for an open, free and secure digital future for all." The UN hopes the compact will address issues such as digital inclusion, internet fragmentation, giving individuals control over how their data is used, and making the internet trustworthy "by introducing accountability criteria for discrimination and misleading content." But ICANN, the Asia Pacific Network Information Centre (APNIC), and the American Registry for Internet Numbers (ARIN) worry that recent articulations of the Compact suggest it should use a tripartite model for digital cooperation with three stakeholder groups: the private sector, governments, and civil society. That's dangerous, ICANN and co argue, because technical stakeholders would lose their distinct voice.

They've therefore co-signed and published a document criticizing the Compact as it stands today. "The technical community is not part of civil society and it has never been," the document states, citing outcomes of the World Summit of the Information Society (WSIS) -- a UN event staged in 2003 and 2005 that defined a multi-stakeholder internet governance framework. 2015's WSIS+10 event affirmed that strategy. "This model excludes the technical community as a distinct component, and overlooks the unique and essential roles played by that community's members separately and collectively," DNS overlord ICANN and the registries added.

Friday Microsoft told Bleeping Computer "that they have fixed the issue and Hotmail should no longer fail SPF checks."

But earlier in the day the site reported that "Hotmail users worldwide have problems sending emails, with messages flagged as spam or not delivered after Microsoft misconfigured the domain's DNS SPF record." The email issues began late Thursday night, with users and admins reporting on Reddit, Twitter, and Microsoft forums that their Hotmail emails were failing due to SPF validation errors... The Sender Policy Framework (SPF) is an email security feature that reduces spam and prevents threat actors from spoofing domains in phishing attacks... When a mail server receives an email, it will verify that the hostname/IP address for the sending email servers is part of a domain's SPF record, and if it is, allows the email to be delivered as usual...

After analyzing what was causing email delivery errors, admins noted that Microsoft removed the 'include:spf.protection.outlook.com' record from hotmail.com's SPF record.
Thanks to long-time Slashdot reader Archangel Michaelfor sharing the news.

An anonymous reader quotes a report from TorrentFreak: Italy's brand new anti-piracy law has just received full approval from telecoms regulator AGCOM. In a statement issued Thursday, AGCOM noted its position "at the forefront of the European scene in combating online piracy." The new law comes into force on August 8 and authorizes nationwide ISP blocking of live events and enables the state to issue fines of up to 5,000 euros to users of pirate streams .

In a statement published Thursday, AGCOM welcomed the amendments to Online Copyright Enforcement regulation 680/13/CONS, which concern measures to counter the illegal distribution of live sports streams, as laid out in Resolution 189/23/CONS. The new provisions grant AGCOM the power to issue "dynamic injunctions" against online service providers of all kinds, a privilege usually reserved for judges in Europe's highest courts. The aim is to streamline blocking measures against unlicensed IPTV services, with the goal of rendering them inaccessible across all of Italy.

"With such measures, it will be possible to disable access to pirated content in the first 30 minutes of the event broadcast by blocking DNS resolution of domain names and blocking the routing of network traffic to IP addresses uniquely intended for illicit activities," AGCOM says. "With this amendment, in perfect synchrony with the changes introduced by Parliament, AGCOM is once again at the forefront of the European scene in combating online piracy activity," says AGCOM Commissioner Massimiliano Capitanio.

A recent move by Google to populate the Internet with eight new top-level domains is prompting concerns that two of the additions could be a boon to online scammers who trick people into clicking on malicious links. From a report: Two weeks ago, Google added eight new TLDs to the Internet, bringing the total number of TLDs to 1,480, according to the Internet Assigned Numbers Authority, the governing body that oversees the DNS Root, IP addressing, and other Internet protocol resources. Two of Google's new TLDs -- .zip and .mov -- have sparked scorn in some security circles. While Google marketers say the aim is to designate "tying things together or moving really fast" and "moving pictures and whatever moves you," respectively, these suffixes are already widely used to designate something altogether different. Specifically, .zip is an extension used in archive files that use a compression format known as zip. The format .mov, meanwhile, appears at the end of video files, usually when they were created in Apple's QuickTime format. Many security practitioners are warning that these two TLDs will cause confusion when they're displayed in emails, on social media, and elsewhere. The reason is that many sites and software automatically convert strings like "arstechnica.com" or "mastodon.social" into a URL that, when clicked, leads a user to the corresponding domain. The worry is that emails and social media posts that refer to a file such as setup.zip or vacation.mov will automatically turn them into clickable links -- and that scammers will seize on the ambiguity.

An anonymous reader shares a report from Tom's Hardware: According to the PC Security Channel (via TechSpot), Microsoft's Windows 11 sends data not only to the Redmond, Washington-based software giant, but also to multiple third parties. To analyze DNS traffic generated by a freshly installed copy of Windows 11 on a brand-new notebook, the PC Security Channel used the Wireshark network protocol analyzer that reveals precisely what is happening on a network. The results were astounding enough for the YouTube channel to call Microsoft's Windows 11 "spyware."

As it turned out, an all-new Windows 11 PC that was never used to browse the Internet contacted not only Windows Update, MSN and Bing servers, but also Steam, McAfee, geo.prod.do, and Comscore ScorecardResearch.com. Apparently, the latest operating system from Microsoft collected and sent telemetry data to various market research companies, advertising services, and the like.
When Tom's Hardware contacted Microsoft, their spokesperson argued that flowing data is common in modern operating systems "to help them remain secure, up to date, and keep the system working as anticipated."

"We are committed to transparency and regularly publish information about the data we collect to empower customers to be more informed about their privacy."

Until 2020 Neustar was the domain name registry "for a number of top-level domains," according to its page on Wikipedia, "including .biz, .us (on behalf of United States Department of Commerce), .co, .nyc (on behalf of the city of New York), and .in.

But now U.S. Senator Ron Wyden has asked America's Federal Trade Commission to investigate whether Neustar violated the privacy rights of millions, reports the Washington Post, "when it sold records of where they went online to the federal government."

America's Department of Defense funded a research team at Georgia Tech who purchased Neustar's data starting in 2016, notes a letter from Senator Wyden. Wyden has obtained emails between those researchers and "both the FBI and the Department of Justice, indicating that government officials asked the researchers to run specific queries and that the researchers wrote affidavits and reports for the government describing their findings."

But in addition, Wyden now cites a Department of Justice statement (entered an unrelated court case) which he says makes a concerning assertion: that Neustar executive Rodney Joffe, "who led the company's efforts to sell data to Georgia Tech, was also involved in the sale of DNS data directly to the U.S. government. The court documents say: Rodney Joffe and certain companies with which he was affiliated, including officers and employees of those companies, have provided assistance to and received payment from multiple agencies of the United States government. This has included assistance to the United States intelligence community and law enforcement agencies on cyber security matters. Certain of those companies have maintained contracts with the United States government resulting in payment by the United States of tens of millions of dollars for the provision of, among other things, Domain Name System ('DNS') data. These contracts included classified contracts that required company personnel to maintain security clearances.
From The Washington Post: The stipulation naming entrepreneur Rodney Joffe was the clearest confirmation to date of web histories being sold directly to federal law enforcement and intelligence agencies, instead of through information brokers exempt from restrictions on what telephone companies and websites can share with the government.
Wyden adds: The data that Neustar sold to Georgia Tech may have also included data collected from consumers who were explicitly promised that their data would not be sold to third parties. Between 2018 and 2020, Neustar acquired a competing recursive DNS service, which had previously been operated by Verisign. That service had been advertised to the public by Verisign with unqualified promises that "your public DNS data will not be sold to third parties."

When the product changed hands, users of Verisign's service were seamlessly transitioned to DNS servers that Neustar controlled. This meant that Neustar now received information about the websites accessed by these former Verisign-users, even though neither Verisign nor Neustar provided those users with meaningful, effective notice that the change of ownership had taken place, or that Neustar did not intend to honor the privacy promises that Verisign had previously made to those users. It is unclear if the data Neustar sold to Georgia Tech included data from users who had been promised by Verisign that their data would not be sold.

This is because both Neustar and Verisign have refused to answer questions from my office necessary to determine this important detail.

Last year, Google announced Android Open Source Project (AOSP) support for Rust, and today the company provided an update, while highlighting the decline in memory safety vulnerabilities. 9to5Google reports: Google says the "number of memory safety vulnerabilities have dropped considerably over the past few years/releases."; Specifically, the number of annual memory safety vulnerabilities fell from 223 to 85 between 2019 and 2022. They are now 35% of Android's total vulnerabilities versus 76% four years ago. In fact, "2022 is the first year where memory safety vulnerabilities do not represent a majority of Android's vulnerabilities."

That count is for "vulnerabilities reported in the Android security bulletin, which includes critical/high severity vulnerabilities reported through our vulnerability rewards program (VRP) and vulnerabilities reported internally." During that period, the amount of new memory-unsafe code entering Android has decreased: "Android 13 is the first Android release where a majority of new code added to the release is in a memory safe language. "

Rust makes up 21% of all new native code in Android 13, including the Ultra-wideband (UWB) stack, DNS-over-HTTP3, Keystore2, Android's Virtualization framework (AVF), and "various other components and their open source dependencies." Google considers it significant that there have been "zero memory safety vulnerabilities discovered in Android's Rust code" so far across Android 12 and 13. Google's blog post today also talks about non-memory-safety vulnerabilities, and its future plans: "... We're implementing userspace HALs in Rust. We're adding support for Rust in Trusted Applications. We've migrated VM firmware in the Android Virtualization Framework to Rust. With support for Rust landing in Linux 6.1 we're excited to bring memory-safety to the kernel, starting with kernel drivers.