Open Source

Bose Open-Sources Its SoundTouch Home Theater Smart Speakers Ahead of End-of-Life (arstechnica.com) 22

Bose is end-of-lifing its SoundTouch smart speakers but softened the blow by open-sourcing the SoundTouch API and preserving limited local features, AirPlay, and Spotify Connect. Ars Technica reports: In October, Bose announced that its SoundTouch Wi-Fi speakers and soundbars would become dumb speakers on February 18. At the time, Bose said that the speakers would only work if a device was connected via AUX, HDMI, or Bluetooth (which has higher latency than Wi-Fi). After that date, the speakers would stop receiving security and software updates and lose cloud connectivity and their companion app, the Framingham, Massachusetts-based company said. Without the app, users would no longer be able to integrate the device with music services, such as Spotify, have multiple SoundTouch devices play the same audio simultaneously, or use or edit saved presets.

The announcement frustrated some of Bose's long-time customers, some of whom own multiple SoundTouch devices that still function properly. Many questioned companies' increasingly common practice of bricking expensive products to focus on new devices or to minimize costs, or because they've gone through acquisitions or bankruptcy. SoundTouch speakers released in 2013 and 2015 with prices ranging from $399 to $1,500.

Today, Bose had better news. In an email to customers, Bose announced that AirPlay and Spotify Connect will still work with SoundTouch speakers after EoL, expanding the wireless capabilities that people will still be able to access. Additionally, SoundTouch devices that support AirPlay 2 can play the same audio simultaneously. The SoundTouch app will also live on, albeit stripped of some functionality. "On May 6, 2026, the app will update to a version that supports the functions that can operate locally without the cloud. No action will be required on your part. Opening the app will apply the update automatically," Bose said. Bose also provided instructions (PDF) for a workaround for saving presets that uses the favorites options in music service apps.

AI

Slashdot Reader Mocks Databricks 'Context-Aware AI Assistant' for Odd Bar Chart 17

Long-time Slashdot reader theodp took a good look at the images on a promotional web page for Databricks' "context-aware AI assistant": If there was an AI Demo Hall of Shame, the first inductee would have to be Amazon. Their demo tried to support its CEO's claims that Amazon Q Code Transformation AI saved it 4,500 developer-years and an additional $260 million in "annualized efficiency gains" by automatically and accurately upgrading code to a more current version of Java. But it showcased a program that didn't even spell "Java" correctly. (It was instead called 'Jave')...

Today's nominee for the AI Demo Hall of Shame inductee is analytics platform Databricks for the NYC Taxi Trips Analysis it's been showcasing on its Data Science page since last November. Not only for its choice of a completely trivial case study that requires no 'Data Science' skills — find and display the ten most expensive and longest taxi rides — but also for the horrible AI-generated bar chart used to present the results of the simple ranking that deserves its own spot in the Graph Hall of Shame. In response to a prompt of "Now create a new bar chart with matplotlib for the most expensive trips," the Databricks AI Assistant dutifully complies with the ill-advised request, spewing out Python code to display the ten rides on a nonsensical bar chart whose continuous x-axis hides points sharing the same distance. (One might also question why no annotation is provided to call out or explain the 3 trips with a distance of 0 miles that are among the ten most expensive rides, with fares of $260, $188, and $105).

Looked at with a critical eye, these examples used to sell data scientists, educators, management, investors, and Wall Street on AI would likely raise eyebrows rather than impress their intended audiences.

Social Networks

Reddit Mod Warns 'Do Not Trust' AI-Powered 'Reddit Answers' After It Posts Dangerous Health Advice 70

In Reddit's "Family Medicine" subreddit, a moderator noticed earlier this week that the AI-powered "Reddit Answers" was automatically responding to posters, typically with "something related to what was posted." Unfortunately, that moderator says, Reddit Answers "has been spreading grossly dangerous misinformation." And yet Reddit's moderators "cannot disable this feature."

Elsewhere a healthcare worker described what happened when they tested Reddit Answers: I made a post in r/familymedicine and a link appeared below it with information on treating chronic pain. The first post it cited urged people to stop their prescribed medications and take high-dose kratom which is an illegal (in some states) and unregulated substance. I absolutely do not endorse this...

I also asked about the medical indications for heroin. One answer warned about addiction and linked to crisis and recovery resources. The other connects to a post where someone claims heroin saved their life and controls their chronic pain. The post was encouraging people to stop prescribed medications and use heroin instead. Heroin is a schedule I drug in the US which means there are no acceptable uses. It's incredibly addictive and dangerous. It is responsible for the loss of so many lives...

The AI-generated answers could easily be mistaken as information endorsed by the sub it appears in. r/familymedicine absolutely does not endorse using heroin to treat chronic pain. This feature needs to be disabled in medical and mental health subs, or allow moderators of these subreddits to opt out. Better filters are also needed when users ask Reddit Answers health related questions. If this continues there will be adverse outcomes. People will be harmed. This needs to change.

Two days ago an official Reddit "Admin" posted that "We've made some changes to where Answers appears based on this feedback," adding that beyond that Reddit "will continue to tweak based on what we're seeing and hearing." But the "Family Medicine" subreddit still has a top-of-page announcement warning every user there...

"We do NOT and CANNOT endorse Reddit Answers at this time and urge every user of this sub to disregard anything it says."

Cloud

Word Documents Will Now Be Saved To the Cloud Automatically On Windows (ghacks.net) 132

Starting with Word for Windows version 2509, Microsoft is making cloud saving the default behavior. New documents will automatically save to OneDrive (or another cloud destination), with dated filenames, unless users manually revert to local saving in the settings. From the report: "Anything new you create will be saved automatically to OneDrive or your preferred cloud destination", writes Raul Munoz, product manager at Microsoft on the Office Shared Services and Experiences team. Munoz backs up the decision with half a dozen advantages for saving documents to the cloud. From never losing progress and access anywhere to easy collaboration and increased security and compliance. While cloud saving is without doubt beneficial in some cases, Munoz fails to address the elephant in the room. Some users may not want that their documents are stored in the cloud. There are good reasons for that, including privacy.

Summed up:
- If you do not mind that Word documents are stored in the cloud, you do not need to become active.
- If you mind that Word documents are stored in the cloud by default, you need to modify the default setting.

Python

New Code.org Curriculum Aims To Make Schoolkids Python-Literate and AI-Ready 50

Longtime Slashdot reader theodp writes: The old Code.org curriculum page for middle and high school students has been changed to include a new Python Lab in the tech-backed nonprofit's K-12 offerings. Elsewhere on the site, a Computer Science and AI Foundations curriculum is described that includes units on 'Foundations of AI Programming [in Python]' and 'Insights from Data and AI [aka Data Science].' A more-detailed AI Foundations Syllabus 25-26 document promises a second semester of material is coming soon: "This semester offers an innovative approach to teaching programming by integrating learning with and about artificial intelligence (AI). Using Python as the primary language, students build foundational programming skills while leveraging AI tools to enhance computational thinking and problem-solving. The curriculum also introduces students to the basics of creating AI-powered programs, exploring machine learning, and applying data science principles."

Newly-posted videos on Code.org's YouTube channel appear to be intended to support the new Python-based CS & AI course. "Python is extremely versatile," explains a Walmart data scientist to open the video for Data Science: Using Python. "So, first of all, Python is one of the very few languages that can handle numbers very, very well." A researcher at the Univ. of Washington's Institute for Health Metrics and Evaluation (IHME) adds, "Python is the gold standard and what people expect data scientists to know [...] Key to us being able to handle really big data sets is our use of Python and cluster computing." Adding to the Python love, an IHME data analyst explains, "Python is a great choice for large databases because there's a lot of support for Python libraries."

Code.org is currently recruiting teachers to attend its CS and AI Foundations Professional Learning program this summer, which is being taught by Code.org's national network of university and nonprofit regional partners (teachers who sign up have a chance to win $250 in DonorsChoose credits for their classrooms). A flyer for a five-day Michigan Professional Development program to prepare teachers for a pilot of the Code.org CS & A course touts the new curriculum as "an alternative to the AP [Computer Science] pathway" (teachers are offered scholarships covering registration, lodging, meals, and workshop materials).

Interestingly, Code.org's embrace of Python and Data Science comes as the nonprofit changes its mission to 'make CS and AI a core part of K-12 education' and launches a new national campaign with tech leaders to make CS and AI a graduation requirement. Prior to AI changing the education conversation, Code.org in 2021 boasted that it had lined up a consortium of tech giants, politicians, and educators to push its new $15 million Amazon-bankrolled Java AP CS A curriculum into K-12 classrooms. Just three years later, however, Amazon CEO Andy Jassy was boasting to investors that Amazon had turned to AI to automatically do Java coding that he claimed would have otherwise taken human coders 4,500 developer-years to complete.

AI

OpenAI Expands ChatGPT Memory To Draw on Full Conversation History (x.com) 72

OpenAI has expanded ChatGPT's memory functionality to include references from all past conversations. The system now builds upon existing saved memories by automatically incorporating previous interactions to deliver more contextually relevant responses for writing, learning, and advisory tasks, the startup said Thursday.

Subscribers can disable the feature through settings or request memory modifications directly in chat. Those already opted out of memory features won't have past-chat references enabled by default. Temporary chats remain available for interactions that users prefer to keep isolated from memory systems. The update is rolling out immediately to Plus and Pro subscribers, excluding users in the EEA, UK, Switzerland, and other European markets.

Chrome

Google Chrome May Soon Use 'AI' To Replace Compromised Passwords (arstechnica.com) 46

Google's Chrome browser might soon get a useful security upgrade: detecting passwords used in data breaches and then generating and storing a better replacement. From a report: Google's preliminary copy suggests it's an "AI innovation," though exactly how is unclear.

Noted software digger Leopeva64 on X found a new offering in the AI settings of a very early build of Chrome. The option, "Automated password Change" (so, early stages -- as to not yet get a copyedit), is described as, "When Chrome finds one of your passwords in a data breach, it can offer to change your password for you when you sign in."

Chrome already has a feature that warns users if the passwords they enter have been identified in a breach and will prompt them to change it. As noted by Windows Report, the change is that now Google will offer to change it for you on the spot rather than simply prompting you to handle that elsewhere. The password is automatically saved in Google's Password Manager and "is encrypted and never seen by anyone," the settings page claims.

Games

EA's Origin App For PC Gaming Will Shut Down In April 17

EA's Origin PC client will be shut down on April 17, 2025, as Microsoft ends support for 32-bit software. "Anyone still using Origin will need to swap over to the EA app before that date," adds Engadget. From the report: For those PC players who have not migrated over to the EA app, the company has an FAQ explaining the latest system requirements. The EA app runs on 64-bit architecture, and requires a machine using Windows 10 or Windows 11. [...] If you're simply downloading the EA app on a current machine, players won't need to re-download their games. And if you have cloud saves enabled, all of your data should transfer without any additional steps.

However, it's always a good idea to have physical backups with this type of transition, especially since not all games support cloud saves, and those titles will need to have saved game data manually transferred. Mods also may not automatically make the switch, and EA recommends players check with mod creators about transferring to the EA app.

AI

Perplexity's AI Search Engine Can Now Buy Products For You 30

An anonymous reader quotes a report from The Verge: Perplexity is rolling out a new feature that will let Pro subscribers purchase a product without leaving its AI search engine. When searching for a product using Perplexity, Pro members based in the US can now choose a "Buy with Pro" button that will automatically order the product using saved shipping and billing information. Perplexity says all products purchased through Buy with Pro come with free shipping. For products that don't support Buy with Pro, Perplexity will redirect users to the merchant's website to complete their purchase. [...]

Users who aren't subscribed to Perplexity's $20 / month Pro option will still see other updated AI shopping features, including new product cards that will appear for product-related searches. For users in the US, these cards show a product image and its price, along with AI-written summaries of key features and reviews. Perplexity is also launching a new AI-powered "Snap to Shop" search tool that will let all users take a picture of a product and ask questions about it, similar to Google Lens. This feature will only be available to Pro users at launch. Perplexity also already lets Pro users make visual searches unrelated to shopping.

Security

Google Passkeys Can Now Sync Across Devices On Multiple Platforms (engadget.com) 32

Google is updating its Password Manager to allow users to sync passkeys across multiple devices, including Windows, macOS, Linux, and Android, with iOS and ChromeOS support coming soon. Engadget reports: Once saved, the passkey automatically syncs across other devices using Google Password Manager. The company says this data is end-to-end encrypted, so it'll be pretty tough for someone to go in and steal credentials. [...] Today's update also brings another layer of security to passkeys on Google Password Manager. The company has introduced a six-digit PIN that will be required when using passkeys on a new device. This would likely stop nefarious actors from logging into an account even if they've somehow gotten ahold of the digital credentials. Just don't leave the PIN number laying on a sheet of paper directly next to the computer.

Bug

macOS Sonoma 14.4 Bug 'Destroys Saved Versions In iCloud Drive' (macrumors.com) 32

The macOS Sonoma 14.4 update introduces a bug affecting iCloud Drive's versioning system, where users with "Optimize Mac Storage" enabled can lose all previous versions of a file removed from local storage. MacRumors reports: Versions are normally created automatically when users save files using apps that work with the version system in macOS. According to The Eclectic Light Company's Howard Oakley, users running macOS 14.4 that have "Optimize Mac Storage" enabled should be aware that they are at risk of losing all previously saved versions of a file if they opt to remove it from iCloud Drive local storage: "In previous versions of macOS, when a file is evicted from local storage in iCloud Drive [using the Remove Download option in the right-click contextual menu], all its saved versions have been preserved. Download that file again from iCloud Drive, and versions saved on that Mac (but not other Macs or devices) have remained fully accessible. Do that in 14.4, and all previous versions are now removed, and lost forever."

Oakley said his own tests confirmed that this behavior does not happen in macOS Sonoma 14.3 or macOS Ventura, so it is exclusive to macOS 14.4. For users who have already updated, he suggests either not saving files to iCloud Drive at all, or turning off Optimize Mac Storage. To perform the latter in System Settings, click your Apple ID, select iCloud, and then toggle off the switch next to "Optimize Mac Storage." You may need to perform this action twice -- reports suggest it can turn back on by itself. For a more exhaustive account of the problem, see Oakley's subsequent post.

Chrome

Chrome's Password Safety Tool Will Now Automatically Run in the Background (theverge.com) 39

Google's Safety Check feature for Chrome, which, among other things, checks the internet to see if any of your saved passwords have been compromised, will now "run automatically in the background" on desktop, the company said in a blog post on Thursday. From a report: The constant checks could mean that you're alerted about a password that you should change sooner than you would have before. Safety Check also watches for bad extensions or site permissions you need to look at, and you can act on Safety Check alerts from Chrome's three-dot menu. In addition, Google says that Safety Check can revoke a site's permissions if you haven't visited it in a while. Google also announced an upcoming feature for Chrome's tab groups, also on desktop: Chrome will let you save tab groups so that you can use those groups across devices, which might be handy when moving between a PC at home and a laptop when traveling. Google says this feature will roll out "over the next few weeks."

Security

Android Vulnerability Exposes Credentials From Mobile Password Managers (techcrunch.com) 22

An anonymous reader quotes a report from TechCrunch: A number of popular mobile password managers are inadvertently spilling user credentials due to a vulnerability in the autofill functionality of Android apps. The vulnerability, dubbed "AutoSpill," can expose users' saved credentials from mobile password managers by circumventing Android's secure autofill mechanism, according to university researchers at the IIIT Hyderabad, who discovered the vulnerability and presented their research at Black Hat Europe this week. The researchers, Ankit Gangwal, Shubham Singh and Abhijeet Srivastava, found that when an Android app loads a login page in WebView, password managers can get "disoriented" about where they should target the user's login information and instead expose their credentials to the underlying app's native fields, they said. This is because WebView, the preinstalled engine from Google, lets developers display web content in-app without launching a web browser, and an autofill request is generated.

"Let's say you are trying to log into your favorite music app on your mobile device, and you use the option of 'login via Google or Facebook.' The music app will open a Google or Facebook login page inside itself via the WebView," Gangwal explained to TechCrunch prior to their Black Hat presentation on Wednesday. "When the password manager is invoked to autofill the credentials, ideally, it should autofill only into the Google or Facebook page that has been loaded. But we found that the autofill operation could accidentally expose the credentials to the base app." Gangwal notes that the ramifications of this vulnerability, particularly in a scenario where the base app is malicious, are significant. He added: "Even without phishing, any malicious app that asks you to log in via another site, like Google or Facebook, can automatically access sensitive information."

The researchers tested the AutoSpill vulnerability using some of the most popular password managers, including 1Password, LastPass, Keeper and Enpass, on new and up-to-date Android devices. They found that most apps were vulnerable to credential leakage, even with JavaScript injection disabled. When JavaScript injection was enabled, all the password managers were susceptible to their AutoSpill vulnerability. Gangwal says he alerted Google and the affected password managers to the flaw. Gangwal tells TechCrunch that the researchers are now exploring the possibility of an attacker potentially extracting credentials from the app to WebView. The team is also investigating whether the vulnerability can be replicated on iOS.

AI

Fakespot Chat, Mozilla's First LLM, Lets Online Shoppers Research Products Via an AI Chatbot (techcrunch.com) 12

An anonymous reader quotes a report from TechCrunch: Earlier this year, Mozilla acquired Fakespot, a startup that leverages AI and machine learning to identify fake and deceptive product reviews. Now, Mozilla is launching its first LLM (large language model) with the arrival of Fakespot Chat, an AI agent that will help consumers as they shop online by answering questions about the product or even suggesting questions that could be useful in your product research. [...] Fakespot has been using AI, including generative AI technologies, to make the online shopping process more trustworthy, not less. For instance, it launched a generative AI feature called Pros and Cons last year, that could replace the need for reading reviews by writing up its own summaries of a product's positives and negatives. The feature was trained on billions of data points, with the model itself using five different models under its hood, the company said.

This week, Fakespot Chat launched into testing, allowing shoppers to ask an AI chatbot about a product they're considering, similar to how you could ask a salesperson for help if you were shopping in a physical store in the real world. The technology uses AI and machine learning to sort through the product reviews, sorting real from fake, to answer the user's questions. The information from your chat session is saved to improve the experience for others, Mozilla notes, but users don't have to create an account or divulge personal information for the experience to work. The feature is available via the Fakespot Analyzer or it can be used on an Amazon.com product from Fakespot's browser extension. For the former, you'd copy and paste the URL of the product into the analyzer to ask your questions, but if using the browser add-on, the analysis starts automatically. When the analysis is complete, Fakespot Chat appears on the right-hand side of the analysis page alongside other features, like Pros and Cons, as well as Fakespot's Review Grades and Highlights. You can then interrogate the AI agent about the product as you weigh your purchase decisions.

Open Source

If VanMoof eBikes Locks You Out of Your Own Bike, a Rival Company's App Could Help (9to5mac.com) 64

VanMoof ebikes is currently "exploring all possible routes out of its debt" after rumors of a pending bankruptcy. But the blog 9to5Mac highlights another concern.

"If the company goes under, and the servers go offline, that could leave ebike owners unable to even unlock their bikes." While unlocking is activated by Bluetooth when your phone comes into range of the bike, it relies on a rolling key code — and that function in turn relies on access to a VanMoof server. If the company goes bust, then no server, no key code generation, no unlock.

A rival ebike company, Belgian company Cowboy, has stepped in to offer a solution. TNW reports that it has created an app which allows VanMoof owners to generate and save their own digital key, which can be used in place of one created by a VanMoof server. If you have a VanMoof bike, grab the app now, as it requires an initial connection to the VanMoof server to fetch your current keycode.

"We don't capture any data," explains the app's page in the Apple store. "Everything is saved securely on your phone so you can have a direct connexion to your bike if VanMoof services are down. Just generate your local key and enjoy peace of mind again." (They add that the app was developed during a one-day hackathon, "as we share the belief that every single bike deserves to be on the road.")

But 9to5Mac also suggests a longer-term solution. "Perhaps there should be a legal requirement for essential software to be automatically open-sourced in the event of bankruptcy, so that there would be the option of techier owners banding together to host and maintain the server-side code?"

Firefox

Firefox 115 Released (mozilla.org) 61

williamyf writes: Today, Mozilla released Firefox 115. Changes most visible to users include:

* Hardware video decoding is now enabled for Intel GPUs on Linux.

* Migrating from another browser? Now you can bring over payment methods you've saved in Chrome-based browsers to Firefox.

* The Tab Manager dropdown now features close buttons, so you can close tabs more quickly.

* The Firefox for Android address bar's new search button allows you to easily switch between search engines and search your bookmarks and browsing history.

* We've refreshed and streamlined the user interface for importing data in from other browsers.

* Users without platform support for H264 video decoding can now fallback to Cisco's OpenH264 plugin for playback.

But the most important feature is that this release is the new ESR. Why is this important? y'all ask. Well:

* Many a "downstream" project depends on Firefox ESR, for example the famous email client Thunderbird, or KaiOS (a mobile OS very popular in India, SE Asia, Africa and LatAm), so, for better or worse, whatever made it to (or is lacking from) this version of the browser, those projects have to use for the next year.

* Firefox ESR is the default browser of many distros, like Debian and Kali Linux, so, whatever made it to this version will be there for next year, ditto to whatever is lacking.

* If you are on old -- unsupported OSs, like Windows 7, 8-8.1 or MacOS 10.14 (Mojave, the last MacOS with support for 32 Bit Apps), 10.13 or 10.12 you will automatically be migrated to Firefox ESR, so this will be your browser until Sept. 2024.


Android

Google Will Soon Let Pixel Phones Double As Dashcams (9to5google.com) 35

Google mistakenly released a test version of its Personal Safety app that includes a new feature called "Dashcam" on select Android devices. As the name suggests, it allows users to record video and audio while driving in the event of an accident or unexpected situation, with automatic recording triggered when connecting to a specific Bluetooth device and videos automatically deleted after three days unless saved. 9to5Google reports: Once available, the feature can be launched through a new "Dashcam" shortcut in the "Be prepared" section of the home page. Here, you can begin recording manually or view your recent videos. While Dashcam is recording, your phone is still fully usable, including for navigating with Google Maps. Alternatively, you can save power by locking your screen, and the recording will continue. More importantly, Google has built this feature to work without you needing to think much about it. When setting up, you can choose to have recordings begin automatically when you connect to a particular Bluetooth device (e.g., your car stereo or infotainment system) and end when you disconnect.

To conserve storage space, your recordings are automatically deleted after three days unless you save them. Additionally, the app says that the videos themselves are compressed, averaging "30 MB per minute," with a maximum recording length of 24 hours. Overall, this feature seems to be impressively well thought out and looks essentially ready to launch. Using a smartphone as a dashcam also makes quite a bit of sense, as your phone probably has a better camera than some cheaper dashcams would offer.

It's unclear if this feature will be available on other phones with Google's Personal Safety or exclusive to Pixel phones.

Security

KeePass Disputes Vulnerability Allowing Stealthy Password Theft (bleepingcomputer.com) 66

The development team behind the open-source password management software KeePass is disputing what is described as a newly found vulnerability that allows attackers to stealthily export the entire database in plain text. BleepingComputer reports: KeePass is a very popular open-source password manager that allows you to manage your passwords using a locally stored database, rather than a cloud-hosted one, such as LastPass or Bitwarden. To secure these local databases, users can encrypt them using a master password so that malware or a threat actor can't just steal the database and automatically gain access to the passwords stored within it. The new vulnerability is now tracked as CVE-2023-24055, and it enables threat actors with write access to a target's system to alter the KeePass XML configuration file and inject a malicious trigger that would export the database, including all usernames and passwords in cleartext. The next time the target launches KeePass and enters the master password to open and decrypt the database, the export rule will be triggered, and the contents of the database will be saved to a file the attackers can later exfiltrate to a system under their control. However, this export process launches in the background without the user being notified or KeePass requesting the master password to be entered as confirmation before exporting, allowing the threat actor to quietly gain access to all of the stored passwords. [...]

While the CERT teams of Netherlands and Belgium have also issued security advisories regarding CVE-2023-24055, the KeePass development team is arguing that this shouldn't be classified as a vulnerability given that attackers with write access to a target's device can also obtain the information contained within the KeePass database through other means. In fact, a "Security Issues" page on the KeePass Help Center has been describing the "Write Access to Configuration File" issue since at least April 2019 as "not really a security vulnerability of KeePass." If the user has installed KeePass as a regular program and the attackers have write access, they can also "perform various kinds of attacks." Threat actors can also replace the KeePass executable with malware if the user runs the portable version.

"In both cases, having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection)," the KeePass developers explain. "These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment."

If the KeePass devs don't release a version of the app that addresses this issue, BleepingComputer notes "you could still secure your database by logging in as a system admin and creating an enforced configuration file."

"This type of config file takes precedence over settings described in global and local configuration files, including new triggers added by malicious actors, thus mitigating the CVE-2023-24055 issue."

Privacy

Dashlane Is Ready To Replace All Your Passwords With Passkeys (theverge.com) 37

Dashlane announced today that it's integrating passkeys into its cross-platform password manager. "We said, you know what, our job is to make security simple for users," says Dashlane CEO JD Sherman, "and this is a great tool to do that. So we should actually be thinking about ushering in this passwordless era." The Verge reports: Passwords are dying, long live passkeys. Practically the entire tech industry seems to agree that hexadecimal passwords need to die, and that the best way to replace them is with the cryptographic keys that have come to be known as passkeys. Basically, rather than having you type a phrase to prove you're you, websites and apps use a standard called WebAuthn to connect directly to a token you have saved -- on your device, in your password manager, ultimately just about anywhere -- and authenticate you automatically. It's more secure, it's more user-friendly, it's just better. The transition is going to take a while, though, and even when you can use passkeys, it'll be a while before all your apps and websites let you do so.

Going forward, Dashlane users can start to set up passkeys to log into sites and apps where they previously would have created passwords. And whereas systems like Apple's upcoming implementation in iOS 16 will often involve taking a picture of a QR code to log in, Dashlane says it can make the process even simpler because it has apps for most platforms and an extension for most browsers.

Cloud

Amazon is Shutting Down Its Cloud Storage Service Amazon Drive (geekwire.com) 29

Amazon sent emails out Friday morning to Amazon Drive users to notify them that the company is shutting down its cloud storage service on Dec. 31, 2023. From a report: "We are taking the opportunity to more fully focus our efforts on Amazon Photos to provide customers a dedicated solution for photos and video storage," Amazon says in an FAQ. Amazon says photos and videos in Amazon Drive accounts have been automatically saved to Amazon Photos. "If you rely on Amazon Drive for your file storage, you will need to go to the Amazon Drive website and download your files by December 31, 2023," Amazon noted.
