Gmail's end-to-end encryption is now available on all Android and iOS devices, letting enterprise users send and read encrypted emails directly in the app without any extra tools. "This launch combines the highest level of privacy and data encryption with a user-friendly experience for all users, enabling simple encrypted email for all customers from small businesses to enterprises and public sector," Google announced in a blog post. BleepingComputer reports: Starting this week, encrypted messages will be delivered as regular emails to Gmail recipients' inboxes if they use the Gmail app. Recipients who don't have the Gmail mobile app and use other email services can read them in a web browser, regardless of the device and service they're using.

[...] This feature is now available for all client-side encryption (CSE) users with Enterprise Plus licenses and the Assured Controls or Assured Controls Plus add-on after admins enable the Android and iOS clients in the CSE admin interface via the Admin Console. Gmail's end-to-end encryption (E2EE) feature is powered by the client-side encryption (CSE) technical control, which allows Google Workspace organizations to use encryption keys they control and are stored outside Google's servers to protect sensitive documents and emails.

Berkeley, California is "the latest city to try to block landlords from using algorithms when deciding rents," reports the Associated Press (noting that officials in many cities claim the practice is driving up the price of housing).

But then real estate software company RealPage filed a federal lawsuit against Berkeley on Wednesday: Texas-based RealPage said Berkeley's ordinance, which goes into effect this month, violates the company's free speech rights and is the result of an "intentional campaign of misinformation and often-repeated false claims" about its products.

The U.S. Department of Justice sued Realpage in August under former President Joe Biden, saying its algorithm combines confidential information from each real estate management company in ways that enable landlords to align prices and avoid competition that would otherwise push down rents. That amounts to cartel-like illegal price collusion, prosecutors said. RealPage's clients include huge landlords who collectively oversee millions of units across the U.S. In the lawsuit, the Department of Justice pointed to RealPage executives' own words about how their product maximizes prices for landlords. One executive said, "There is greater good in everybody succeeding versus essentially trying to compete against one another in a way that actually keeps the entire industry down."

San Francisco, Philadelphia and Minneapolis have since passed ordinances restricting landlords from using rental algorithms. The Department of Justice case remains ongoing, as do lawsuits against RealPage brought by tenants and the attorneys general of Arizona and Washington, D.C...

[On a conference call, RealPage attorney Stephen Weissman told reporters] RealPage officials were never given an opportunity to present their arguments to the Berkeley City Council before the ordinance was passed and said the company is considering legal action against other cities that have passed similar policies, including San Francisco.
RealPage blames high rents not on the software they make, but on a lack of housing supply...

AI startups are poised to disrupt the $300 billion business process outsourcing (BPO) industry, as advances in language models and voice technology enable automation of tasks traditionally handled by human workers.

The BPO market, which reached $300 billion in 2024 and is projected to hit $525 billion by 2030, faces mounting pressure from AI companies offering faster, more scalable alternatives to manual processing of customer support, IT services and financial claims, venture capital firm a16z wrote in a thesis post. Early AI implementations have shown promising results, with customer service startup Decagon reporting 80% resolution rates and improved satisfaction scores. In healthcare, AI company Juniper said its clients saw 80% fewer insurance claim denials and 50% faster processing times.

Major BPO providers are responding to the threat, with Wipro reporting a 140% increase in AI adoption across projects and Infosys deploying over 100 AI agents. However, industry analysts say BPOs face structural challenges in transitioning from their labor-based business model to AI-first operations. The shift threatens traditional BPO companies like Cognizant, Infosys and Wipro, which reported revenues between $10-20 billion in their latest fiscal years.

CSO Online reports that North Korea "is actively infiltrating Western companies using skilled IT workers who use fake identities to pose as remote workers with foreign companies, typically but not exclusively in the U.S."

Slashdot reader snydeq shares their report, which urges information security officers "to carry out tighter vetting of new hires to ward off potential 'moles' — who are increasingly finding their way onto company payrolls and into their IT systems." The schemes are part of illicit revenue generation efforts by the North Korean regime, which faces financial sanctions over its nuclear weapons program, as well as a component of the country's cyberespionage activities.

The U.S. Treasury department first warned about the tactic in 2022. Thosands of highly skilled IT workers are taking advantage of the demand for software developers to obtain freelance contracts from clients around the world, including in North America, Europe, and East Asia. "Although DPRK [North Korean] IT workers normally engage in IT work distinct from malicious cyber activity, they have used the privileged access gained as contractors to enable the DPRK's malicious cyber intrusions," the Treasury department warned... North Korean IT workers present themselves as South Korean, Chinese, Japanese, or Eastern European, and as U.S.-based teleworkers. In some cases, DPRK IT workers further obfuscate their identities by creating arrangements with third-party subcontractors.

Christina Chapman, a resident of Arizona, faces fraud charges over an elaborate scheme that allegedly allowed North Korean IT workers to pose as U.S. citizens and residents using stolen identities to obtain jobs at more than 300 U.S. companies. U.S. payment platforms and online job site accounts were abused to secure jobs at more than 300 companies, including a major TV network, a car manufacturer, a Silicon Valley technology firm, and an aerospace company... According to a U.S. Department of Justice indictment, unsealed in May 2024, Chapman ran a "laptop farm," hosting the overseas IT workers' computers inside her home so it appeared that the computers were located in the U.S. The 49-year-old received and forged payroll checks, and she laundered direct debit payments for salaries through bank accounts under her control. Many of the overseas workers in her cell were from North Korea, according to prosecutors. An estimated $6.8 million were paid for the work, much of which was falsely reported to tax authorities under the name of 60 real U.S. citizens whose identities were either stolen or borrowed...

Ukrainian national Oleksandr Didenko, 27, of Kyiv, was separately charged over a years-long scheme to create fake accounts at U.S. IT job search platforms and with U.S.-based money service transmitters. "Didenko sold the accounts to overseas IT workers, some of whom he believed were North Korean, and the overseas IT workers used the false identities to apply for jobs with unsuspecting companies," according to the U.S. Department of Justice. Didenko, who was arrested in Poland in May, faces U.S. extradition proceedings...

How this type of malfeasance plays out from the perspective of a targeted firm was revealed by security awareness vendor KnowBe4's candid admission in July that it unknowingly hired a North Korean IT spy... A growing and substantial body of evidence suggests KnowBe4 is but one of many organizations targeted by illicit North Korean IT workers. Last November security vendor Palo Alto reported that North Korean threat actors are actively seeking employment with organizations based in the U.S. and other parts of the world...

Mandiant, the Google-owned threat intel firm, reported last year that "thousands of highly skilled IT workers from North Korea" are hunting work. More recently, CrowdStrike reported that a North Korean group it dubbed "Famous Chollima" infiltrated more than 100 companies with imposter IT pros.
The article notes the infiltrators use chatbots to tailor the perfect resume "and further leverage AI-created deepfakes to pose as real people." And the article includes this quote from a former intelligence analyst for the U.S. Air Force turned cybersecurity strategist at Sysdig. "In some cases, they may try to get jobs at tech companies in order to steal their intellectual property before using it to create their own knock-off technologies."

The article closes with its suggested "countermeasures," including live video-chats with prospective remote-work applicants — and confirming an applicant's home address.

An anonymous reader quotes a report from KrebsOnSecurity: Countless smartphones seized in arrests and searches by police forces across the United States are being auctioned online without first having the data on them erased, a practice that can lead to crime victims being re-victimized, a new study found (PDF). In response, the largest online marketplace for items seized in U.S. law enforcement investigations says it now ensures that all phones sold through its platform will be data-wiped prior to auction.

Researchers at the University of Maryland last year purchased 228 smartphones sold "as-is" from PropertyRoom.com, which bills itself as the largest auction house for police departments in the United States. Of phones they won at auction (at an average of $18 per phone), the researchers found 49 had no PIN or passcode; they were able to guess an additional 11 of the PINs by using the top-40 most popular PIN or swipe patterns. Phones may end up in police custody for any number of reasons -- such as its owner was involved in identity theft -- and in these cases the phone itself was used as a tool to commit the crime. "We initially expected that police would never auction these phones, as they would enable the buyer to recommit the same crimes as the previous owner," the researchers explained in a paper released this month. "Unfortunately, that expectation has proven false in practice."

Beyond what you would expect from unwiped second hand phones -- every text message, picture, email, browser history, location history, etc. -- the 61 phones they were able to access also contained significant amounts of data pertaining to crime -- including victims' data -- the researchers found. [...] Also, the researchers found that many of the phones clearly had personal information on them regarding previous or intended targets of crime: A dozen of the phones had photographs of government-issued IDs. Three of those were on phones that apparently belonged to sex workers; their phones contained communications with clients. "We informed [PropertyRoom] of our research in October 2022, and they responded that they would review our findings internally," said Dave Levin, an assistant professor of computer science at University of Maryland. "They stopped selling them for a while, but then it slowly came back, and then we made sure we won every auction. And all of the ones we got from that were indeed wiped, except there were four devices that had external SD [storage] cards in them that weren't wiped."

Sam Bankman-Fried instructed his FTX cofounder Gary Wang to create a "secret" backdoor to enable his trading firm Alameda to borrow $65 billion of clients' money from the exchange without their permission, the Delaware bankruptcy court was told Wednesday. Insider reports: Wang was told to create a "backdoor, a secret way for Alameda to borrow from customers on the exchange without permission," said FTX lawyer Andrew Dietderich. "Mr. Wang created this back door by inserting a single number into millions of lines of code for the exchange, creating a line of credit from FTX to Alameda, to which customers did not consent," he added. "And we know the size of that line of credit. It was $65 billion."

The Commodity Futures Trading Commission (CFTC) made similar allegations when it brought charges against Wang in December. But the value of that line of credit hasn't been discussed before now. The CFTC then described it as "virtually unlimited." [...] Dietderich told the court that with the $65 billion back door, Alameda "bought planes, houses, threw parties, made political donations." Dietderich said the rest of the money went towards personal loans, sponsorships, and investments. "We know that all this has left a shortfall, in value to repay customers and creditors," he added. That amount "will depend on the size of the claims pool and our recovery efforts."

Intel has officially revealed its Intel On Demand program that will activate select accelerators and features of the company's upcoming Xeon Scalable Sapphire Rapids processor. The new pay-as-you-go program will allow Intel to reduce the number of SKUs it ships while still capitalizing on the technologies it has to offer. From a report: Furthermore, its clients will be able to upgrade their machines without replacing actual hardware or offering additional services to their clients. Intel's upcoming Intel's 4th Generation Xeon Scalable Sapphire Rapids processors are equipped with various special-purpose accelerators and security technologies that all customers do not need at all times. To offer such end-users additional flexibility regarding investments, Intel will deliver them to buy its CPUs with those capabilities disabled but turn them on if they are needed at some point. The Software Defined Silicon (SDSi) technology will also allow Intel to sell fewer CPU models and then enable its clients or partners to activate certain features if needed (to use them on-prem or offer them as a service). The list of technologies that Intel wants to make available on demand includes Software Guard Extensions, Dynamic Load Balancer (DLB), Intel Data Streaming Accelerator (DSA), Intel In-Memory Analytics Accelerator (IAA), Intel In-Memory Analytics Accelerator, and Intel QuickAssist Technology (QAT) to accelerate specific workloads.

Microsoft is enabling a Microsoft Defender 'Attack Surface Reduction' security rule by default to block hackers' attempts to steal Windows credentials from the LSASS process. BleepingComputer reports: When threat actors compromise a network, they attempt to spread laterally to other devices by stealing credentials or using exploits. One of the most common methods to steal Windows credentials is to gain admin privileges on a compromised device and then dump the memory of the Local Security Authority Server Service (LSASS) process running in Windows. This memory dump contains NTLM hashes of Windows credentials of users who had logged into the computer that can be brute-forced for clear-text passwords or used in Pass-the-Hash attacks to login into other devices. While Microsoft Defender block programs like Mimikatz, a LSASS memory dump can still be transferred to a remote computer to dump credentials without fear of being blocked.

To prevent threat actors from abusing LSASS memory dumps, Microsoft has introduced security features that prevent access to the LSASS process. One of these security features is Credential Guard, which isolates the LSASS process in a virtualized container that prevents other processes from accessing it. However, this feature can lead to conflicts with drivers or applications, causing some organizations not to enable it. As a way to mitigate Windows credential theft without causing the conflicts introduced by Credential Guard, Microsoft will soon be enabling a Microsoft Defender Attack Surface Reduction (ASR) rule by default. The rule, ' Block credential stealing from the Windows local security authority subsystem,' prevents processes from opening the LSASS process and dumping its memory, even if it has administrative privileges.

While enabling the ASR rule by default will significantly impact the stealing of Windows credentials, it is not a silver bullet by any means. This is because the full Attack Surface Reduction feature is only supported on Windows Enterprise licenses running Microsoft Defender as the primary antivirus. However, BleepingComputer's tests show that the LSASS ASR rule also works on Windows 10 and Windows 11 Pro clients. Unfortunately, once another antivirus solution is installed, ASR is immediately disabled on the device. Furthermore, security researchers have discovered built-in Microsoft Defender exclusion paths allowing threat actors to run their tools from those filenames/directories to bypass the ASR rules and continue to dump the LSASS process. Mimikatz developer Benjamin Delpy told BleepingComputer that Microsoft probably added these built-in exclusions for another rule, but as exclusions affect ALL rules, it bypasses the LSASS restriction.

According to CNBC, Morgan Stanley is the first big U.S. bank to offer its wealth management clients access to bitcoin funds. From the report: The investment bank, a giant in wealth management with $4 trillion in client assets, told its financial advisors Wednesday in an internal memo that it is launching access to three funds that enable ownership of bitcoin, according to people with direct knowledge of the matter. The move, a significant step for the acceptance of bitcoin as an asset class, was made by Morgan Stanley after clients demanded exposure to the cryptocurrency, said the people.

But, at least for now, the bank is only allowing its wealthier clients access to the volatile asset: The bank considers it suitable for people with "an aggressive risk tolerance" who have at least $2 million in assets held by the firm. Investment firms need at least $5 million at the bank to qualify for the new stakes. In either case, the accounts have to be at least 6 months old. And even for those accredited U.S. investors with brokerage accounts and enough assets to qualify, Morgan Stanley is limiting bitcoin investments to as much as 2.5% of their total net worth, said the people.

Two of the funds on offer are from Galaxy Digital, a crypto firm founded by Mike Novogratz, while the third is a joint effort from asset manager FS Investments and bitcoin company NYDIG. The Galaxy Bitcoin Fund LP and FS NYDIG Select Fund have minimum investments of $25,000, while the Galaxy Institutional Bitcoin Fund LP has a $5 million minimum. Clients can likely make investments as early as next month, after the bankâ(TM)s financial advisors complete training courses tied to the new offerings, said the people.

On Fortune's Leadership Next podcast yesterday, Visa CEO Alfred Kelly said that the payment processing behemoth is willing to facilitate not only bitcoin purchases, but also spending functionalities. "We're trying to do two things," said Kelly. "One is to enable the purchase of Bitcoin on Visa credentials. And secondly, working with Bitcoin wallets to allow the Bitcoin to be translated into a fiat currency and therefore immediately be able to be used at any of the 70 million places around the world where Visa is accepted." BTC Times reports: According to Kelly, Visa is working hard to earn its role as an intermediary in financial transactions even after Bitcoin sees mainstream adoption. Other than Bitcoin, the payment processor also plans to allow for the use of stablecoins. He admitted that the company recognizes "a strong potential for those to become a new payment vehicle." Kelly said Visa is collaborating with about 35 partners involved with stablecoins, explaining that "these are currencies that are fiat-backed, but we're allowing this translation, if you will, into a fiat currency and in a wallet where there's a Visa card and again that Visa card can be used with the translated digital currency over to the fiat currency to purchase at any one of our 70 million locations."

This is seemingly referring to Visa's partnership with Circle, the firm behind the USDC stablecoin. According to a report released by Forbes at the end of 2020, the payment processing giant partnered with Circle to integrate USDC into its infrastructure and allow credit card issuers to use USD Coin on their platforms and send and receive USDC payments. Visa's head of crypto Cuy Sheffield said at the time: "We continue to think of Visa as a network of networks. [...] Blockchain networks and stablecoins, like USDC, are just additional networks. So we think that there's a significant value that Visa can provide to our clients, enabling them to access them and enabling them to spend at our merchants."

John Gruber, writing at DaringFireball: In my piece yesterday about email tracking images ("spy pixels" or "spy trackers"), I complained about the fact that Apple -- a company that rightfully prides itself for its numerous features protecting user privacy -- offers no built-in defenses for email tracking. A slew of readers wrote to argue that Apple Mail does offer such a feature: the option not to load any remote resources at all. It's a setting for Mail on both Mac and iOS, and I know about it -- I've had it enabled for years. But this is a throwing-the-baby-out-with-bath-water approach. What Hey offers -- by default -- is the ability to load regular images automatically, so your messages look "right", but block all known images from tracking sources (which are generally 1 x 1 px invisible GIFs).

Typical users are never going to enable Mail's option not to load remote content. It renders nearly all marketing messages and newsletters as weird-looking at best, unreadable at worst. And when you get a message whose images you do want to see, when you tell Mail to load them, it loads all of them -- including trackers. Apple Mail has no knowledge of spy trackers at all, just an all-or-nothing ability to turn off all remote images and load them manually. Mail's "Load remote content in messages" option is a great solution to bandwidth problems -- remember to turn it on the next time you're using Wi-Fi on an airplane, for example. It's a terrible solution to tracking. No one would call it a good solution to tracking if Safari's only defense were an option not to load any images at all until you manually click a button in each tab to load them all. But that's exactly what Apple offers with Mail. "Don't get me started on how predictable this entire privacy disaster was, once we lost the war over whether email messages should be plain text only or could contain embedded HTML. Effectively all email clients are web browsers now, yet don't have any of the privacy protection features actual browsers do," he adds.

The U.S. agency overseeing elections has "quietly weakened a key element of proposed security standards..." reports the Associated Press, "raising concern among voting-integrity experts that many such systems will remain vulnerable to hacking." The Election Assistance Commission (EAC) is poised to approve its first new security standards in 15 years after an arduous process involving multiple technical and elections community bodies and open hearings. But ahead of a scheduled February 10 ratification vote by commissioners, the EAC leadership tweaked the draft standards to remove language that stakeholders interpreted as banning wireless modems and chips from voting machines as a condition for federal certification. The mere presence of such wireless hardware poses unnecessary risks for tampering that could alter data or programs on election systems, say computer security specialists and activists, some of whom have long complained than the EAC bends too easily to industry pressure.

Agency leaders argue that overall, the revised guidelines represent a major security improvement. They stress that the rules require manufacturers to disable wireless functions present in any machines, although the wireless hardware can remain.

In a February 3 letter to the agency, computer scientists and voting integrity activists say the change "profoundly weakens voting system security and will introduce very real opportunities to remotely attack election systems." They demand the wireless hardware ban be restored...

The ban on wireless hardware in voting machines would force vendors who currently build systems with off-the-shelf components to rely on more expensive custom-built hardware, said EAC Chair Benjamin Hovland, which could hurt competition in an industry already dominated by a trio of companies. He also argued that the guidelines are voluntary, although many state laws are predicated on them... Hovland stressed that the amended guidelines say all wireless capability must be disabled in voting equipment. But computer experts say that if the hardware is present, the software that activates it can be introduced. And the threat is not just from malign actors but also from the vendors and their clients, who could enable the wireless capability for maintenance purposes then forget to turn it off, leaving machines vulnerable...

Experts are pushing for universal use of hand-marked paper ballots and better audits to bolster confidence in election results.

Last Thursday, Israeli phone-hacking firm Cellebrite said in a blog post that it can now break into Signal, an encrypted app considered safe from external snooping. Haaretz reports: Cellebrite's flagship product is the UFED (Universal Forensic Extraction Device), a system that allows authorities to unlock and access the data of any phone in their possession. Another product it offers is the Physical Analyzer, which helps organize and process data lifted from the phone. Last Thursday, the company announced that the analyzer has now been updated with a new capability, developed by the firm, that allows clients to decode information and data from Signal. Signal, owned by the Signal Technology Foundation, uses a special open source encryption system called Signal Protocol, which was thought to make it nigh-on impossible for a third party to break into a conversation or access data being shared on the platform. It does so by employing what's called "end-to-end encryption."

According to Cellebrite's announcement last week, "Law enforcement agencies are seeing a rapid rise in the adoption of highly encrypted apps like Signal, which incorporate capabilities like image blurring to stop police from reviewing data. "Criminals are using this application to communicate, send attachments, and making [sic] illegal deals that they want to keep discrete [sic] and out of sight from law enforcement," the blog post added. Despite support for the app's encryption capabilities, Cellebrite noted that "Signal is an encrypted communication application designed to keep sent messages and attachments as safe as possible from 3rd-party programs.

"Cellebrite Physical Analyzer now allows lawful access to Signal app data. At Cellebrite, we work tirelessly to empower investigators in the public and private sector to find new ways to accelerate justice, protect communities, and save lives." In an earlier, now deleted, version of the blog post, the company went as far as to say: "Decrypting Signal messages and attachments was not an easy task. It required extensive research on many different fronts to create new capabilities from scratch. At Cellebrite, however, finding new ways to help those who make our world a safer place is what we're dedicated to doing every day." The initial post, which was stored on the Internet Archive, also included a detailed explanation of how Cellebrite "cracked the code" by reviewing Signal's own open source protocol and using it against it. The company noted in the deleted blog post that "because [Signal] encrypts virtually all its metadata to protect its users, efforts have been put forward by legal authorities to require developers of encrypted software to enable a 'backdoor' that makes it possible for them to access people's data. Until such agreements are reached, Cellebrite continues to work diligently with law enforcement to enable agencies to decrypt and decode data from the Signal app."

Video conferencing platform Zoom announced today plans to roll out end-to-end encryption (E2EE) capabilities starting next week. From a report: E2EE will allow Zoom users to generate individual encryption keys that will be used to encrypt voice or video calls between them and other conference participants. These keys will be stored locally and will not be shared with Zoom servers, meaning the software company won't be able to access or intercept any ongoing E2EE meetings. Support for E2EE calls will first be part of Zoom clients to be released next week. To use the new feature, users must update theri clients next week and enable support for E2EE calls at the account level. This green shield will contain a lock if E2EE is active. If the lock is absent, Zoom will use its default AES 256-bit GCM encryption scheme, which the company uses to secure current communications, but which the company can also intercept. Further reading: Zoom Adds Ability To Open Apps Like Dropbox And Slack, Event-Hosting Tools As Part Of Push Beyond Video Meetings.

YouTubers are using AI to bring history to life. But historians argue the process is nonsense. From a report: The first time you see Denis Shiryaev's videos, they feel pretty miraculous. You can walk through New York as it was in 1911, or ride on Wuppertal's flying train at the turn of the 20th century, or witness the birth of the moving image in a Leeds garden in 1888. Shiryaev's YouTube channel is a showcase for his company Neural Love, based in Gdansk, Poland, which uses a combination of neural networks and algorithms to overhaul historic images. Some of the very earliest surviving film has been cleaned, unscuffed, repaired, colourised, stabilised, corrected to 60 frames per second and upscaled to vivid 4K resolution. For viewers, it almost feels like time travel. "That is something that our clients and even the commenters on YouTube have pointed out consistently," says Elizabeth Peck, one of Shiryaev's colleagues at Neural Love. "It brings you more into that real-life feeling of, 'I'm here watching someone do this', whereas before you're looking more at something more artistic or cinematic."

But these vivid videos and images haven't wowed everyone. Digital upscalers and the millions who've watched their work on YouTube say they're making the past relatable for viewers in 2020, but for some historians of art and image-making, modernising century-old archives brings a host of problems. Even adding colour to black and white photographs is hotly contested. "The problem with colourisation is it leads people to just think about photographs as a kind of uncomplicated window onto the past, and that's not what photographs are," says Emily Mark-FitzGerald, Associate Professor at University College Dublin's School of Art History and Cultural Policy. Peck says Neural Love makes clear to clients the huge difference the company sees between "the restoration aspect and the enhancement aspect." They see the removal of scratches, noise, dust or other imperfections picked up during processing as a less ethically fraught process to upscaling and colourising. "You're really returning the film to its original state," she says. That's not a view many academics hold, however. Luke McKernan, lead curator of news and moving images at the British Library, was particularly scathing about Peter Jackson's 2018 World War One documentary They Shall Not Grow Old, which upscaled and colourised footage from the Western Front. Making the footage look more modern, he argued, undermined it. "It is a nonsense," he wrote. "Colourisation does not bring us closer to the past; it increases the gap between now and then. It does not enable immediacy; it creates difference."

SmartAboutThings tipped us off to an interesting bug reported by ZDNet Thursday: For the fourth time in three months, a Symantec security product is crashing user apps, and this time it's the latest Chrome release, v78, which rolled out earlier this week, on Tuesday, October 22. According to reports on Reddit [1, 2] the Google support forums [1, 2], and in comments on the official Google Chrome blog, Symantec Endpoint Protection 14 is crashing Chrome 78 instances with an "Aw, Snap! Something went wrong while displaying this webpage" error... The errors have been plaguing users for the past two days, with the vast majority of reports coming from enterprise environments, where SEP installs are more prevalent....

According to the antivirus maker, the issues are only affecting SEP 14 users on Windows 10 RS1, Windows Server 2012, and Windows Server 2016 operating systems. Symantec users on other OS versions can fix this by updating to the latest SEP 14.2 release. Users of Microsoft Edge Chromium are also impacted, but the Chromium-based Edge version has not been officially released; hence there are almost no users impacted by this issue in the real world...

Symantec blamed the issue on Microsoft's Code Integrity security feature, which Google uses to protect the Chrome browser process. As a temporary solution, Symantec recommends that users exclude Chrome from receiving protection from their antivirus product, or modify their Chrome clients, so the browser starts without Code Integrity protections. However, this opens the browser to various attacks and is not recommended as long as users can simply use another browser until this is fixed.
ZDNet adds that the issue "should have not surprised Symantec staff, who received early warnings about this more than three months ago, according to a bug report filed in early August while Chrome 78 was still in testing in the Canary channel."

International Business Machines (IBM) is acquiring software maker Red Hat in a deal valued at $34 billion, the companies said Sunday. From a report: The purchase, announced on Sunday afternoon, is the latest competitive step among large business software companies to gain an edge in the fast-growing market for Internet-style cloud computing. In June, Microsoft acquired GitHub, a major code-sharing platform for software developers, for $7.5 billion. IBM said its acquisition of Red Hat was a move to open up software development on computer clouds, in which software developers write applications that run on remote data centers. From a press release: This acquisition brings together the best-in-class hybrid cloud providers and will enable companies to securely move all business applications to the cloud. Companies today are already using multiple clouds. However, research shows that 80 percent of business workloads have yet to move to the cloud, held back by the proprietary nature of today's cloud market. This prevents portability of data and applications across multiple clouds, data security in a multi-cloud environment and consistent cloud management.

IBM and Red Hat will be strongly positioned to address this issue and accelerate hybrid multi-cloud adoption. Together, they will help clients create cloud-native business applications faster, drive greater portability and security of data and applications across multiple public and private clouds, all with consistent cloud management. In doing so, they will draw on their shared leadership in key technologies, such as Linux, containers, Kubernetes, multi-cloud management, and cloud management and automation. IBM's and Red Hat's partnership has spanned 20 years, with IBM serving as an early supporter of Linux, collaborating with Red Hat to help develop and grow enterprise-grade Linux and more recently to bring enterprise Kubernetes and hybrid cloud solutions to customers. These innovations have become core technologies within IBM's $19 billion hybrid cloud business. Between them, IBM and Red Hat have contributed more to the open source community than any other organization.

One could argue that the web is already decentralized. But with major websites like Google and Facebook, it's increasingly harder to stay decentralized. Paul Ford writes: There's a good research report that was just published. It's called "Defending Internet Freedom through Decentralization: Back to the Future?" (That's a PDF so watch yourself.) What is decentralization? Take the web: Anyone can set up a web page and link to any other web page. That's decentralized. Anyone can make a search engine to find those web pages. That's centralized. The search engine can add blogging. That's Google + Blogger. Now it's both a publisher and a search engine. It has more power. Decentralized things are harder to manage and use. Centralized things end up easy to use and make money for relatively few people. The web is inherently decentralized, which has made it much easier for large companies to create large, centralized platforms. It's a paradox and very thorny. God bless the authors of this paper, they don't make you wade through. They pop up with recommendations by page 5: "We advise investors -- whether motivated by civic or fiscal concerns -- both to watch this space closely and to advocate for the pre-conditions that we believe will enable a healthier marketplace for online publishing. A precondition for the success of these distributed platforms is a shift towards user-controlled data, the ownership of a user's social graph and her intellectual property created online. It will be difficult for new platforms to develop without widespread support for efforts towards data portability and rights over data ownership. Data portability also enables new models for aggregation. Small, thoughtfully curated news sources will be made more powerful by having access to the user data currently locked inside mega-platforms, but right now, federated clients that interoperate between different platforms are borderline illegal -- fixing this may require adjusting overly broad regulations, like the Digital Millennium Copyright Act."

neutrino38 warns that iOS 10 includes a significant change "overlooked by the general public": It deprecates an API that is crucial for VoIP and other instant messaging applications that enable keeping one socket active despite the fact that the application would run in the background. As a replacement, developers need to use PushKit: when an incoming call is to be forwarded to an iOS VoIP client, the VoIP infrastructure needs to:

- withold the call
- contact Apple push infrastructure using a proprietary protocol to wake up the client app remotely
- wait for the application to reconnect to the infrastructure and release the call when it is ready

This "I know better than you" approach is meant to further optimize battery life on iOS devices by avoiding the use of resources by apps running in background. It has also the positive effect of forcing developers to switch to a push model and remove all periodic pollings that ultimately use mobile data and clog the Internet. However, the decision to use an Apple infrastructure has many consequences for VoIP providers:

- the reliability of serving incoming calls is directly bound to Apple service
- Apple may revoke the PushKit certificate. It thus has life and death decision power over third-party communication infrastructures
- organizations wanting to setup IPBX and use iOS client have no option but to open access for the push services of Apple in their firewall
- It is not possible to have iOS VoIP or communication clients in network disconnected from the Internet - Pure standard SIP clients are now broken on iOS
The original submission argues that Apple is creating "the perfect walled garden," adding that "Ironically, the only VoIP 'app' that is not affected is the (future?) VoLTE client that will be added to iOS one day."

An anonymous reader writes: Debian Linux "sid" is deprecating TLS 1.0 Encryption. A new version of OpenSSL has been uploaded to Debian Linux unstable. This version disables the TLS 1.0 and 1.1 protocol. This currently leaves TLS 1.2 as the only supported SSL/TLS protocol version. This will likely break certain things that for whatever reason still don't support TLS 1.2. I strongly suggest that if it's not supported that you add support for it, or get the other side to add support for it. OpenSSL made a release 5 years ago that supported TLS 1.2. The current support of the server side seems to be around 90%. I hope that by the time Buster releases the support for TLS 1.2 will be high enough that I don't need to enable them again. This move caused some concern among Debian users and sysadmins. If you are running Debian Unstable on server tons of stuff is going to broken cryptographically. Not to mention legacy hardware and firmware that still uses TLS 1.0. On the client side (i.e. your users), you need to use the latest version of a browser such as Chrome/Chromium and Firefox. The Older version of Android (e.g. Android v5.x and earlier) do not support TLS 1.2. You need to use minimum iOS 5 for TLS 1.2 support. Same goes with SMTP/mail servers, desktop email clients, FTP clients and more. All of them using old outdated crypto.

This move will also affect for Android 4.3 users or stock MS-Windows 7/IE users (which has TLS 1.2 switched off in Internet Options.) Not to mention all the mail servers out there running outdated crypto.