Businesses

AI Is Poisoning Reddit To Promote Products and Game Google With 'Parasite SEO' (404media.co)

An anonymous reader shares a report: For years, people who have found Google search frustrating have been adding "Reddit" to the end of their search queries. This practice is so common that Google even acknowledged the phenomenon in a post announcing that it will be scraping Reddit posts to train its AI. And so, naturally, there are now services that will poison Reddit threads with AI-generated posts designed to promote products.

A service called ReplyGuy advertises itself as "the AI that plugs your product on Reddit" and which automatically "mentions your product in conversations naturally." Examples on the site show two different Redditors being controlled by AI posting plugs for a text-to-voice product called "AnySpeech" and a bot writing a long comment about a debt consolidation program called Debt Freedom Now. A video demo shows a dashboard where a user adds the name of their company and URL they want to direct users to. It then auto-suggests keywords that "help the bot know what types of subreddits and tweets to look for and when to respond."

Moments later, the dashboard shows how ReplyGuy is "already in the responses" of the comments section of different Reddit posts. "Many of our responses will get lots of upvotes and will be well-liked." The creator of the company, Alexander Belogubov, has also posted screenshots of other bot-controlled accounts responding all over Reddit. Belogubov has another startup called "Stealth Marketing" that also seeks to manipulate the platform by promising to "turn Reddit into a steady stream of customers for your startup."

AI

US Lawmaker Proposes a Public Database of All AI Training Material

An anonymous reader quotes a report from Ars Technica: Amid a flurry of lawsuits over AI models' training data, US Representative Adam Schiff (D-Calif.) has introduced (PDF) a bill that would require AI companies to disclose exactly which copyrighted works are included in datasets training AI systems. The Generative AI Disclosure Act "would require a notice to be submitted to the Register of Copyrights prior to the release of a new generative AI system with regard to all copyrighted works used in building or altering the training dataset for that system," Schiff said in a press release.

The bill is retroactive and would apply to all AI systems available today, as well as to all AI systems to come. It would take effect 180 days after it's enacted, requiring anyone who creates or alters a training set not only to list works referenced by the dataset, but also to provide a URL to the dataset within 30 days before the AI system is released to the public. That URL would presumably give creators a way to double-check if their materials have been used and seek any credit or compensation available before the AI tools are in use. All notices would be kept in a publicly available online database.

Currently, creators who don't have access to training datasets rely on AI models' outputs to figure out if their copyrighted works may have been included in training various AI systems. The New York Times, for example, prompted ChatGPT to spit out excerpts of its articles, relying on a tactic to identify training data by asking ChatGPT to produce lines from specific articles, which OpenAI has curiously described as "hacking." Under Schiff's law, The New York Times would need to consult the database to ID all articles used to train ChatGPT or any other AI system. Any AI maker who violates the act would risk a "civil penalty in an amount not less than $5,000," the proposed bill said.
Schiff described the act as championing "innovation while safeguarding the rights and contributions of creators, ensuring they are aware when their work contributes to AI training datasets."

"This is about respecting creativity in the age of AI and marrying technological progress with fairness," Schiff said.

Intel

Intel Investigating Games Crashing On 13th and 14th Gen Core i9 Processors (theverge.com)

An anonymous reader quotes a report from Ars Technica: Owners of Intel's latest 13th and 14th Gen Core i9 desktop processors have been noticing an increase in game crashes in recent months. It's happening in games like The Finals, Fortnite, and Tekken 8, and has even led Epic Games to issue a support notice to encourage Intel Core i9 13900K and 14900K owners to adjust BIOS settings. Now, Intel says it's investigating the reports. "Intel is aware of problems that occur when executing certain tasks on 13th and 14th generation core processors for desktop PCs, and is analyzing them with major affiliates," says an Intel spokesperson in a statement to ZDNet Korea.

The crashes vary in severity depending on the game, with some titles producing an "out of memory" error, others simply exiting out to the desktop, and some locking up a machine entirely. Most of the games affected seem to be based on the Unreal Engine, which could point to a stability issue that Intel needs to address. The only workarounds that seem to improve stability involve manually downclocking or undervolting Intel's processors. Epic Games has suggested changing the SVID behavior to Intel Fail Safe in the BIOS settings of Asus, Gigabyte, or MSI motherboards. Custom PC builders Power GPU recommend reducing the performance core ratio limit, which seems to help with stability in certain games.

IT

The FTC is Trying To Help Victims of Impersonation Scams Get Their Money Back (theverge.com)

The Federal Trade Commission (FTC) has a new way to combat the impersonation scams that it says cost people $1.1 billion last year alone. Effective today, the agency's rule "prohibits the impersonation of government, businesses, and their officials or agents in interstate commerce." The rule also lets the FTC directly file federal court complaints to force scammers to return money stolen by business or government impersonation. From a report: Impersonation scams are wide-ranging -- creators are on the lookout for fake podcast invites that turn into letting scammers take over their Facebook pages via a hidden "datasets" URL, while Verge reporters have been impersonated by criminals trying to steal cryptocurrency via fake Calendly meeting links.

Linus Media Group was victimized by a thief who pretended to be a potential sponsor and managed to take over three of the company's YouTube channels. Some scams can also be very intricate, as in The Cut financial columnist Charlotte Cowles' story of how she lost a shoebox holding $50,000 to an elaborate scam involving a fake Amazon business account, the FTC, and the CIA. (See also: gift card scams.) The agency is also taking public comment until April 30th on changes to the rule that would allow it to also target impersonation of individuals, such as through the use of video deepfakes or AI voice cloning. That would let it take action against, say, scams involving impersonations of Elon Musk on X or celebrities in YouTube ads. Others have used AI for more sinister fraud, such as voice clones of loved ones claiming to be kidnapped.

Data Storage

Study Finds That We Could Lose Science If Publishers Go Bankrupt (arstechnica.com)

A recent survey found that academic organizations are failing to preserve digital material -- "including science paid for with taxpayer money," reports Ars Technica, highlighting the need for improved archiving standards and responsibilities in the digital age. From the report: The work was done by Martin Eve, a developer at Crossref. That's the organization that runs the DOI system, which provides a permanent pointer toward digital documents, including almost every scientific publication. If updates are done properly, a DOI will always resolve to a document, even if that document gets shifted to a new URL. But it also has a way of handling documents disappearing from their expected location, as might happen if a publisher went bankrupt. There is a set of what are called "dark archives" that the public doesn't have access to, but which should contain copies of anything that's had a DOI assigned. If anything goes wrong with a DOI, it should trigger the dark archives to open access, and the DOI should be updated to point to the copy in the dark archive. For that to work, however, copies of everything published have to be in the archives. So Eve decided to check whether that's the case.

Using the Crossref database, Eve got a list of over 7 million DOIs and then checked whether the documents could be found in archives. He included well-known ones, like the Internet Archive at archive.org, as well as some dedicated to academic works, like LOCKSS (Lots of Copies Keeps Stuff Safe) and CLOCKSS (Controlled Lots of Copies Keeps Stuff Safe). The results were... not great. When Eve broke down the results by publisher, less than 1 percent of the 204 publishers had put the majority of their content into multiple archives. (The cutoff was 75 percent of their content in three or more archives.) Fewer than 10 percent had put more than half their content in at least two archives. And a full third seemed to be doing no organized archiving at all. At the individual publication level, under 60 percent were present in at least one archive, and over a quarter didn't appear to be in any of the archives at all. (Another 14 percent were published too recently to have been archived or had incomplete records.)

The good news is that large academic publishers appear to be reasonably good about getting things into archives; most of the unarchived issues stem from smaller publishers. Eve acknowledges that the study has limits, primarily in that there may be additional archives he hasn't checked. There are some prominent dark archives that he didn't have access to, as well as things like Sci-hub, which violates copyright in order to make material from for-profit publishers available to the public. Finally, individual publishers may have their own archiving system in place that could keep publications from disappearing. The risk here is that, ultimately, we may lose access to some academic research.

Microsoft

Microsoft Sends OneDrive URL Upload Feature To the Cloud Graveyard (theregister.com)

Microsoft has abruptly pulled a feature from OneDrive that allows users to upload files to the cloud storage service directly from a URL. From a report: The feature turned up as a preview in 2021 and was intended for scenarios "where the file contents aren't available, or are expensive to transfer," according to Microsoft. It was particularly useful for mobile users, for whom uploading files directly through their apps could be costly. Much better to simply point OneDrive at a given URL and let it handle the upload itself.

However, the experimental feature never made it past the consumer version of OneDrive. It also didn't fit with Microsoft's "vision for OneDrive as a cloud storage service that syncs your files across devices." Indeed, the idea of hosing data into OneDrive from a remote source sits at odds with the file synchronization model being championed by Microsoft and conveniently available from macOS and Windows.

Power

Is America Running Out of Electrical Power? (theweek.com)

An anonymous reader quotes a report from The Week Magazine: The advancement of new technologies appears to have given rise to a new problem across the United States: a crippling power shortage on the horizon. The advent of these technologies, such as eco-friendly factories and data centers, has renewed concerns that America could run out of electrical power. These worries also come at a time when the United States' aging power grid is in desperate need of repair. Heavily publicized incidents such as the 2021 Texas power outage, which was partially blamed on crypto-farming, exposed how vulnerable the nation's power supply is, especially during emergencies. There have also been warnings from tech moguls such as Elon Musk, who has stated that the United States is primed to run out of electricity and transformers for artificial intelligence in 2025. But the push to extend the life of the nation's power grid, while also maintaining eco-friendly sustainability, begs the question: Is the United States really at risk of going dark?

The emergence of new technologies means demand is soaring for power across the country; in Georgia, "demand for industrial power is surging to record highs, with the projection of electricity use for the next decade now 17 times what it was only recently," Evan Halper said for The Washington Post. Northern Virginia "needs the equivalent of several large nuclear power plants to serve all [its] new data centers," Halper said, while Texas faces a similar problem. This demand is resulting in a "scramble to try to squeeze more juice out of an aging power grid." At the same time, companies are "pushing commercial customers to go to extraordinary lengths to lock down energy sources, such as building their own power plants," Halper said. Much of this relates to the "rapid innovation in artificial intelligence, which is driving the construction of large warehouses of computing infrastructure," Halper said. This infrastructure requires significantly more power than traditional data centers, with the aforementioned crypto farms also sucking up massive amounts of power.

Climate change is also hurting sustainability efforts. A recent report from the North American Electric Reliability Corporation estimated that more than 300 million people in the U.S. and Canada could face power shortages in 2024. It also found that electricity demand is rising faster now than at any time in the past five years. This is partially because the "push for the electrification of heating and transportation systems -- including electric cars -- is also creating new winter peaks in electricity demand," Jeremy Hsu said for New Scientist. One of the main issues with these sustainability efforts is the push to move away from fossil fuels toward renewable power. Natural gas is often seen as a bridge between fossils and renewables, but this has also had unintended consequences for the power grid. The system delivering natural gas "doesn't have to meet the same reliability standards as the electric grid, and in many cases, there's no real way to guarantee that fuel is available for the gas plants in the winter," Thomas Rutigliano of the Natural Resources Defense Council said to New Scientist. As a result, the "North American electricity supply has become practically inseparable from the natural gas supply chain," John Moura of the North American Electric Reliability Corporation said to New Scientist. As such, a "reliable electricity supply that lowers the risk of power outages depends on implementing reliability standards for the natural gas industry moving forward," but this may be easier said than done.

AT&T

AT&T Will Issue $5 Reimbursements For 12-Hour Outage (cnn.com)

CNN reports: AT&T is reimbursing customers for the nearly 12-hour network outage on Thursday, the company announced in a news release. The mobile network will issue a $5 credit to "potentially impacted" AT&T Wireless customers, which it says is the "average cost of a full day of service."
The credit will be applied automatically "within 2 bill cycles," according to an announcement at the URL att.com/makeitright. "We recognize the frustration this outage has caused and know we let many of our customers down."

In a much smaller font, they note that the credit "does not apply to AT&T Business, AT&T Prepaid or Cricket."

More from CNN: AT&T had encountered sporadic service interruptions in the days leading up to the outage, including a temporary 911 outage in some parts of the southeast. While regional disruptions to wireless service happen occasionally, prolonged nationwide outages are rare. The Federal Communications Commission confirmed Thursday it was investigating the incident...

Several hours after service was restored, AT&T released an update stating the outage seemed to be the result of an internal issue, not a cybersecurity threat. "Based on our initial review, we believe that today's outage was caused by the application and execution of an incorrect process used as we were expanding our network," the company said.

On Saturday, AT&T reiterated it was taking steps "to prevent this from happening again in the future," but did not elaborate.

Privacy

New 'Gold Pickaxe' Android, iOS Malware Steals Your Face For Fraud (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: A new iOS and Android trojan named 'GoldPickaxe' employs a social engineering scheme to trick victims into scanning their faces and ID documents, which are believed to be used to generate deepfakes for unauthorized banking access. The new malware, spotted by Group-IB, is part of a malware suite developed by the Chinese threat group known as 'GoldFactory,' which is responsible for other malware strains such as 'GoldDigger', 'GoldDiggerPlus,' and 'GoldKefu.' Group-IB says its analysts observed attacks primarily targeting the Asia-Pacific region, mainly Thailand and Vietnam. However, the techniques employed could be effective globally, and there's a danger of them getting adopted by other malware strains. [...]

For iOS (iPhone) users, the threat actors initially directed targets to a TestFlight URL to install the malicious app, allowing them to bypass the normal security review process. When Apple removed the TestFlight app, the attackers switched to luring targets into downloading a malicious Mobile Device Management (MDM) profile that allows the threat actors to take control over devices. Once the trojan has been installed onto a mobile device in the form of a fake government app, it operates semi-autonomously, manipulating functions in the background, capturing the victim's face, intercepting incoming SMS, requesting ID documents, and proxying network traffic through the infected device using 'MicroSocks.'

Group-IB says the Android version of the trojan performs more malicious activities than the iOS version due to Apple's higher security restrictions. Also, on Android, the trojan uses over 20 different bogus apps as cover. For example, GoldPickaxe can also run commands on Android to access SMS, navigate the filesystem, perform clicks on the screen, upload the 100 most recent photos from the victim's album, download and install additional packages, and serve fake notifications. The use of the victims' faces for bank fraud is an assumption by Group-IB, also corroborated by the Thai police, based on the fact that many financial institutions added biometric checks last year for transactions above a certain amount.

AI

Nvidia's Chat With RTX is an AI Chatbot That Runs Locally On Your PC (theverge.com)

Nvidia is releasing an early version of Chat with RTX today, a demo app that lets you run a personal AI chatbot on your PC. From a report: You can feed it YouTube videos and your own documents to create summaries and get relevant answers based on your own data. It all runs locally on a PC, and all you need is an RTX 30- or 40-series GPU with at least 8GB of VRAM. I've been briefly testing out Chat with RTX over the past day, and although the app is a little rough around the edges, I can already see this being a valuable part of data research for journalists or anyone who needs to analyze a collection of documents. Chat with RTX can handle YouTube videos, so you simply input a URL, and it lets you search transcripts for specific mentions or summarize an entire video.

Social Networks

Threads is Now 'Booming', With 130 Million Active Users (techcrunch.com)

The Verge reports that Threads is "booming," according to figures shared by Mark Zuckerberg on Meta's earnings call, with 130 million active users a month.

TechCrunch reports: Threads is continuing to grow, having tripled its downloads month-over-month in December, which gave it a place in the top 10 most downloaded apps for the month across both the App Store and Google Play...

Threads famously had a record-breaking launch, reaching 100 million registered users within its first five days. However, the app saw its daily downloads decline starting last September through the end of the year. But in December, Threads once again returned to growth, likely due to the push Meta had given the app by displaying promos on Facebook that featured Threads' viral posts. Today, there are an estimated 160 million Threads users, according to one tracker...

The app could also be benefiting from its move into the "fediverse" — the social network comprised of interconnected servers that communicate via the ActivityPub protocol, like Mastodon... In addition, Threads recently announced the launch of an endpoint, allowing developers of third-party apps and websites to use a dynamic URL to refill text into the Threads composer. For example, there's now a website where anyone can generate Threads share links and profile badges. Marketing tool provider Shareaholic also just launched Threads Share buttons for websites, including both desktop and mobile sites. This flurry of activity around Threads is helping to move the app up in the chart rankings, though some inorganic boosts from Meta itself are likely also responsible for the jump in downloads, given the size.

AI

Apple Says It'll Show Its GenAI Efforts 'Later This Year' (techcrunch.com)

Apple has tossed another crumb to investors wondering when the world will get to see some 'Made in Cupertino' GenAI: Expect Apple to reveal what it's been working on in this buzzy slice of AI "later this year," per CEO Tim Cook. TechCrunch: During an earnings call yesterday, Apple's chief exec emphasized its ongoing investment in AI, alongside other -- as he put it -- "groundbreaking innovation," such as the technologies which underpin Apple's Vision Pro VR/AR headset, saying: "We continue to spend a tremendous amount of time and effort and we're excited to share the details of our ongoing work in that space later this year." Very unusual for Apple to publicly admit anything in its future roadmap.

Security

ChatGPT is Leaking Passwords From Private Conversations of Its Users - Report (arstechnica.com)

Dan Goodin, reporting for ArsTechnica: ChatGPT is leaking private conversations that include login credentials and other personal details of unrelated users, screenshots submitted by an Ars reader on Monday indicated. Two of the seven screenshots the reader submitted stood out in particular. Both contained multiple pairs of usernames and passwords that appeared to be connected to a support system used by employees of a pharmacy prescription drug portal. An employee using the AI chatbot seemed to be troubleshooting problems they encountered while using the portal.

"THIS is so f-ing insane, horrible, horrible, horrible, i cannot believe how poorly this was built in the first place, and the obstruction that is being put in front of me that prevents it from getting better," the user wrote. "I would fire [redacted name of software] just for this absurdity if it was my choice. This is wrong." Besides the candid language and the credentials, the leaked conversation includes the name of the app the employee is troubleshooting and the store number where the problem occurred. The entire conversation goes well beyond what's shown in the redacted screenshot above. A link Ars reader Chase Whiteside included showed the chat conversation in its entirety. The URL disclosed additional credential pairs. The results appeared Monday morning shortly after reader Whiteside had used ChatGPT for an unrelated query.

Privacy

Have I Been Pwned Adds 71 Million Emails From Naz.API Stolen Account List (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: Have I Been Pwned has added almost 71 million email addresses associated with stolen accounts in the Naz.API dataset to its data breach notification service. The Naz.API dataset is a massive collection of 1 billion credentials compiled using credential stuffing lists and data stolen by information-stealing malware. Credential stuffing lists are collections of login name and password pairs stolen from previous data breaches that are used to breach accounts on other sites.

Information-stealing malware attempts to steal a wide variety of data from an infected computer, including credentials saved in browsers, VPN clients, and FTP clients. This type of malware also attempts to steal SSH keys, credit cards, cookies, browsing history, and cryptocurrency wallets. The stolen data is collected in text files and images, which are stored in archives called "logs." These logs are then uploaded to a remote server to be collected later by the attacker. Regardless of how the credentials are stolen, they are then used to breach accounts owned by the victim, sold to other threat actors on cybercrime marketplaces, or released for free on hacker forums to gain reputation amongst the hacking community.

The Naz.API is a dataset allegedly containing over 1 billion lines of stolen credentials compiled from credential stuffing lists and from information-stealing malware logs. It should be noted that while the Naz.API dataset name includes the word "Naz," it is not related to network attached storage (NAS) devices. This dataset has been floating around the data breach community for quite a while but rose to notoriety after it was used to fuel an open-source intelligence (OSINT) platform called illicit.services. This service allows visitors to search a database of stolen information, including names, phone numbers, email addresses, and other personal data. The service shut down in July 2023 out of concerns it was being used for doxxing and SIM-swapping attacks. However, the operator enabled the service again in September. Illicit.services uses data from various sources, but one of its largest sources of data came from the Naz.API dataset, which was shared privately among a small number of people. Each line in the Naz.API data consists of a login URL, its login name, and an associated password stolen from a person's device, as shown [here].

"Here's the back story: this week I was contacted by a well-known tech company that had received a bug bounty submission based on a credential stuffing list posted to a popular hacking forum," explained Troy Hunt, the creator of Have I Been Pwned, in a blog post. "Whilst this post dates back almost 4 months, it hadn't come across my radar until now and inevitably, also hadn't been sent to the aforementioned tech company."

"They took it seriously enough to take appropriate action against their (very sizeable) user base which gave me enough cause to investigate it further than your average cred stuffing list."

To check if your credentials are in the Naz.API dataset, you can visit Have I Been Pwned.

Wine

Wine 9.0 Released (9to5linux.com)

Version 9.0 of Wine, the free and open-source compatibility layer that lets you run Windows apps on Unix-like operating systems, has been released. "Highlights of Wine 9.0 include an experimental Wayland graphics driver with features like basic window management, support for multiple monitors, high-DPI scaling, relative motion events, as well as Vulkan support," reports 9to5Linux. From the report: The Vulkan driver has been updated to support Vulkan 1.3.272 and later, the PostScript driver has been reimplemented to work from Windows-format spool files and avoid any direct calls from the Unix side, and there's now a dark theme option on WinRT theming that can be enabled in WineCfg. Wine 9.0 also adds support for many more instructions to Direct3D 10 effects, implements the Windows Media Video (WMV) decoder DirectX Media Object (DMO), implements the DirectShow Audio Capture and DirectShow MPEG-1 Video Decoder filters, and adds support for video and system streams, as well as audio streams to the DirectShow MPEG-1 Stream Splitter filter.

Desktop integration has been improved in this release to allow users to close the desktop window in full-screen desktop mode by using the "Exit desktop" entry in the Start menu, as well as support for export URL/URI protocol associations as URL handlers to the Linux desktop. Audio support has been enhanced in Wine 9.0 with the implementation of several DirectMusic modules, DLS1 and DLS2 sound font loading, support for the SF2 format for compatibility with Linux standard MIDI sound fonts, Doppler shift support in DirectSound, Indeo IV50 Video for Windows decoder, and MIDI playback in dmsynth.

Among other noteworthy changes, Wine 9.0 brings loader support for ARM64X and ARM64EC modules, along with the ability to run existing Windows binaries on ARM64 systems and initial support for building Wine for the ARM64EC architecture. There's also a new 32-bit x86 emulation interface, a new WoW64 mode that supports running of 32-bit apps on recent macOS versions that don't support 32-bit Unix processes, support for DirectInput action maps to improve compatibility with many old video games that map controller inputs to in-game actions, as well as Windows 10 as the default Windows version for new prefixes. Last but not least, the kernel has been updated to support address space layout randomization (ASLR) for modern PE binaries, better memory allocation performance through the Low Fragmentation Heap (LFH) implementation, and support memory placeholders in the virtual memory allocator to allow apps to reserve virtual space. Wine 9.0 also adds support for smart cards, adds support for Diffie-Hellman keys in BCrypt, implements the Negotiate security package, adds support for network interface change notifications, and fixes many bugs.
For a full list of changes, check out the release notes. You can download Wine 9.0 from WineHQ.

Python

Three Packages Targeting Linux with Crypto Miners Found in Python's 'PyPi' Repository (thehackernews.com)

An anonymous reader shared this report from The Hacker News: Three new malicious packages have been discovered in the Python Package Index (PyPI) open-source repository with capabilities to deploy a cryptocurrency miner on affected Linux devices.

The three harmful packages, named modularseven, driftme, and catme, attracted a total of 431 downloads over the past month before they were taken down...

The malicious code resides in the __init__.py file, which decodes and retrieves the first stage from a remote server, a shell script ("unmi.sh") that fetches a configuration file for the mining activity as well as the CoinMiner file hosted on GitLab. The ELF binary file is then executed in the background using the nohup command, thus ensuring that the process continues to run even after exiting the session. "Echoing the approach of the earlier 'culturestreak' package, these packages conceal their payload, effectively reducing the detectability of their malicious code by hosting it on a remote URL," said Fortinet FortiGuard Labs researcher Gabby Xiong. "The payload is then incrementally released in various stages to execute its malicious activities."

Debian

Peppermint OS Builds Single-Site Browsers for Debian Systems (linux-magazine.com)

Site-Specific Browsers (SSBs) create a dedicated desktop icon for your favorite web-based application — a simplified browser that opens to that single URL. Yet while Linux usually offers the same functionality as other operating systems, "Peppermint OS's Ice and its successor Kumo are the only free software versions of Site-Specific Browsers available on Linux," according to Linux magazine.

"Fortunately for those who want this functionality, Peppermint OS is a Debian derivative, and both can be installed on Debian and most other derivatives." Since SSBs first appeared in 2005, they have been available on both Windows and macOS. On Linux, however, the availability has come and gone. On Linux, Firefox once had an SSB mode, but it was discontinued in 2020 on the grounds that it had multiple bugs that were time-consuming to fix and there was "little to no perceived user benefit to the feature." Similarly, Chromium once had a basic SSB menu item, Create Application Shortcut, which no longer appears in recent versions. As for GNOME Web's (Epiphany's) Install Site as Web Application, while it still appears in the menu, it is no longer functional. Today, Linux users who want to try SSBs have no choices except Ice or Kumo.

Neither Ice nor Kumo appears in any repository except Peppermint OS's. But because Peppermint OS installs packages from Debian 12 ("bookworm"), either can be installed to Debian or a derivative... To install successfully, at least one of Firefox, Chrome, Chromium, or Vivaldi also must be installed... Because both Ice and Kumo are written in Python, they can be run on any desktop.

The article concludes that Site-Specific Browsers might make more sense "on a network or in a business where their isolation provides another layer of security. Or perhaps the time for SSBs is past and there's a reason browsers have tried to implement them, and then discarded them."

Christmas Cheer

FSF Shares Holiday Fairy Tale Warning 'Don't Let Your Tools Control You' (fsf.org) 25

"Share this holiday fairy tale with your loved ones," urges the Free Software Foundation.

A company offers you a tool to make your life easier, but, when you use it, you find out that the tool forces you to use it only in the way the tool's manufacturer approves. Does this story ring a bell? It's what millions of software users worldwide experience again and again, day after day. It's also the story of Wendell the Elf and the ShoeTool.

They suggest enjoying the video "to remind yourself why you shouldn't let your tools tell you how to use them." First released in 2019, it's available on the free/open-source video site PeerTube, a decentralized (and ActivityPub-federated) platform powered by WebTorrent.

They've also created a shortened URL for sharing on social media (recommending the hashtag #shoetool). "And, of course, you can adapt the video to your liking after downloading the source files." Or, you can share the holiday fairy tale with your loved ones so that they can learn not to let their tools control them.

If we use free software, we don't need anyone's permission to, for example, modify our tools ourselves or install modifications shared by others. We don't need permission to ask someone else to tailor our tools to serve our wishes, exercise our creativity. The Free Software Foundation believes that everyone deserves full control over their computers and phones, and we hope this video helps you explain the importance of free software to your friends and family.

"Don't let your tools tell you how to use them," the video ends. "Join the Free Software Foundation!"

Security

ownCloud Vulnerability With Maximum 10 Severity Score Comes Under 'Mass' Exploitation (arstechnica.com) 20

An anonymous reader quotes a report from Ars Technica: Security researchers are tracking what they say is the "mass exploitation" of a security vulnerability that makes it possible to take full control of servers running ownCloud, a widely used open source file-sharing server app. The vulnerability, which carries the maximum severity rating of 10, makes it possible to obtain passwords and cryptographic keys allowing administrative control of a vulnerable server by sending a simple Web request to a static URL, ownCloud officials warned last week. Within four days of the November 21 disclosure, researchers at security firm Greynoise said, they began observing "mass exploitation" in their honeypot servers, which masqueraded as vulnerable ownCloud servers to track attempts to exploit the vulnerability. The number of IP addresses sending the web requests has slowly risen since then. At the time this post went live on Ars, it had reached 13.

CVE-2023-49103 resides in versions 0.2.0 and 0.3.0 of graphapi, an app that runs in some ownCloud deployments, depending on the way they're configured. A third-party code library used by the app provides a URL that, when accessed, reveals configuration details from the PHP-based environment. In last week's disclosure, ownCloud officials said that in containerized configurations -- such as those using the Docker virtualization tool -- the URL can reveal data used to log in to the vulnerable server. The officials went on to warn that simply disabling the app in such cases wasn't sufficient to lock down a vulnerable server. [...]

To fix the ownCloud vulnerability under exploitation, ownCloud advised users to: "Delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. Additionally, we disabled the phpinfo function in our docker-containers. We will apply various hardenings in future core releases to mitigate similar vulnerabilities.

We also advise to change the following secrets:
- ownCloud admin password
- Mail server credentials
- Database credentials
- Object-Store/S3 access-key"
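Two checks an ownCloud operator would want after reading the advisory above, written for this page as an added example (not ownCloud's or Greynoise's code): a pass over web-server access logs that reports which source IPs requested the GetPhpInfo.php endpoint and how many of those requests were actually served, and an audit of the two mitigations ownCloud lists, the test file being gone and phpinfo() being switched off. The log lines are constructed in the Apache/nginx combined format with documentation-range IPs; the php.ini check assumes phpinfo was disabled through PHP's standard disable_functions directive, since the advisory does not say how ownCloud did it in its containers. The secret rotation the advisory also calls for is not something a script can verify, so it is not covered here.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Tuple

# Path named in the ownCloud advisory, relative to the ownCloud web root.
GRAPHAPI_PHPINFO = "apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"
# Matched as a substring because the web root may be served under a prefix such as /owncloud/.
PROBE_MARKER = "/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# Apache/nginx "combined" access-log layout: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def probes_in_log(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Per source IP: how often the endpoint was requested and how often it was served (HTTP 200)."""
    hits: Dict[str, Dict[str, int]] = {}
    for line in lines:
        match = LOG_RE.match(line)
        if not match or PROBE_MARKER not in match["path"]:
            continue
        entry = hits.setdefault(match["ip"], {"requests": 0, "served": 0})
        entry["requests"] += 1
        if match["status"] == "200":
            entry["served"] += 1  # a 200 means the phpinfo output was handed out
    return hits


def phpinfo_disabled(php_ini: Path) -> bool:
    """True if php.ini lists phpinfo in disable_functions (assumed mechanism, see lead-in)."""
    if not php_ini.is_file():
        return False
    for raw in php_ini.read_text().splitlines():
        line = raw.split(";", 1)[0].strip()  # drop php.ini comments
        if line.startswith("disable_functions"):
            _, _, value = line.partition("=")
            return "phpinfo" in {name.strip() for name in value.split(",")}
    return False


def audit_install(webroot: Path, php_ini: Path) -> Dict[str, bool]:
    """Both advisory mitigations: the test file is gone and phpinfo() cannot run."""
    return {
        "phpinfo_file_removed": not (webroot / GRAPHAPI_PHPINFO).exists(),
        "phpinfo_disabled": phpinfo_disabled(php_ini),
    }


# Constructed log lines (documentation-range IPs); not from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2023:10:01:02 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 48213
198.51.100.4 - - [25/Nov/2023:10:01:09 +0000] "GET /owncloud/index.php/login HTTP/1.1" 200 1532
203.0.113.7 - - [25/Nov/2023:10:02:15 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 209
192.0.2.9 - - [25/Nov/2023:10:03:00 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 48213
"""


def demo_audit() -> Tuple[Dict[str, bool], Dict[str, bool]]:
    """Constructed install tree: audit the vulnerable layout, apply the advisory, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot, php_ini = Path(tmp) / "owncloud", Path(tmp) / "php.ini"
        target = webroot / GRAPHAPI_PHPINFO
        target.parent.mkdir(parents=True)
        target.write_text("<?php phpinfo();\n")  # stand-in for the vendored test file
        php_ini.write_text("memory_limit = 512M\n")
        before = audit_install(webroot, php_ini)
        target.unlink()  # advisory step 1: delete the file
        php_ini.write_text("memory_limit = 512M\ndisable_functions = phpinfo,passthru\n")  # step 2
        after = audit_install(webroot, php_ini)
    return before, after


if __name__ == "__main__":
    for ip, counts in probes_in_log(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {counts['requests']} probe(s), {counts['served']} served")
    print("before/after:", *demo_audit())
```

Any source with a non-zero "served" count saw the phpinfo output, which in a containerized deployment is exactly the case where the advisory says credentials were exposed, so those hosts are the ones for which the listed secrets must be treated as compromised rather than merely rotated as a precaution.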

Google

Web Browser Suspended Because It Can Browse the Web is Back on Google Play (arstechnica.com) 35

Google Play has reversed its latest ban on a web browser that keeps getting targeted by vague Digital Millennium Copyright Act (DMCA) notices. Downloader, an Android TV app that combines a browser with a file manager, was restored to Google Play last night. From a report: Downloader, made by app developer Elias Saba, was suspended on Sunday after a DMCA notice submitted by copyright-enforcement firm MarkScan on behalf of Warner Bros. Discovery. It was the second time in six months that Downloader was suspended based on a complaint that the app's web browser is capable of loading websites.

The first suspension in May lasted three weeks, but Google reversed the latest one much more quickly. As we wrote on Monday, the MarkScan DMCA notice didn't even list any copyrighted works that Downloader supposedly infringed upon. Instead of identifying specific copyrighted works, the MarkScan notice said only that Downloader infringed on "Properties of Warner Bros. Discovery Inc." In the field where a DMCA complainant is supposed to provide an example of where someone can view an authorized example of the work, MarkScan simply entered the main Warner Bros. URL: https://www.warnerbros.com/.
