Earth

How We Got Addicted To Weather Apps (theguardian.com) 51

As unprecedented weather leads to increasing climate anxiety, there's a raft of different apps catering for every kind of forecast. From a report: Preoccupation with weather apps is commonplace in our current unsettled atmosphere. On social media there is almost as much chat about weather apps as there is about the weather: much of it is ire about inaccurate forecasts; some of it is from users who admit checking weather apps more than seems logical. There is still palpable grief, in the wake of the closure of the short-term weather prediction app Dark Sky, late last year, after its acquisition by Apple. In April, when Apple's weather app went down, there was such outrage that the temporary glitch became an international news story.

Fifty per cent of US smartphone users regularly use weather apps; according to Statista, weather apps will make approximately $1.5bn in revenue in 2023, a leap from $530m in 2017. Jeremiah Lasquety-Reyes, a senior analyst for Statista, says this new weather app ecosystem is only going to grow, owing to the climate crisis, as well as a general trend towards "digitizing one's life and schedule." There are certainly plenty out there, catering to a variety of needs: more than 10,000 apps have the word "weather" in the title in Android and iPhone app stores.

Programming

Wix's New Tool Can Create Entire Websites from Prompts (techcrunch.com) 35

Wix, a longtime fixture of the web building space, is betting that today's customers don't particularly care to spend time customizing every aspect of their site's appearance. TechCrunch: The company's new AI Site Generator tool, announced today, will let Wix users describe their intent and generate a website complete with a homepage, inner pages and text and images -- as well as business-specific sections for events, bookings and more. Avishai Abrahami, Wix's co-founder and CEO, says that the goal was to provide customers with "real value" as they build their sites and grow their businesses. [...] AI Site Generator takes several prompts -- any descriptions of sites -- and uses a combination of in-house and third-party AI systems to create the envisioned site. In a chatbot-like interface, the tool asks a series of questions about the nature of the site and business, attempting to translate this into a custom web template. ChatGPT generates the text for the website while Wix's AI creates the site design and images.
Encryption

Senate Bill Crafted With DEA Targets End-to-End Encryption, Requires Online Companies To Report Drug Activity (therecord.media) 144

A bill requiring social media companies, encrypted communications providers and other online services to report drug activity on their platforms to the U.S. Drug Enforcement Administration (DEA) advanced to the Senate floor Thursday, alarming privacy advocates who say the legislation turns the companies into de facto drug enforcement agents and exposes many of them to liability for providing end-to-end encryption. From a report: The bipartisan Cooper Davis Act -- named for a Kansas teenager who died after unknowingly taking a fentanyl-laced pill he bought on Snapchat -- requires social media companies and other web communication providers to give the DEA users' names and other information when the companies have "actual knowledge" that illicit drugs are being distributed on their platforms.

Many privacy advocates caution that, if passed in its current form, the bill could be a death blow to end-to-end encryption services because it includes particularly controversial language holding companies accountable for conduct they don't report if they "deliberately blind" themselves to the violations. Officials from the DEA have spent several months honing the bill with key senators, Judiciary Committee Chairman Dick Durbin (D-IL) said Thursday. Providers of encrypted services would face a difficult choice should the bill pass, said Greg Nojeim, Senior Counsel & Director of Security and Surveillance Project at the Center for Democracy and Technology. "They could maintain end-to-end encryption and risk liability that they had willfully blinded themselves to illegal content on their service and face the music later," Nojeim said. "Or they could opt to remove end-to-end encryption and subject all of their users who used to be protected by one of the best cybersecurity tools available to new threats and new privacy violations."

Businesses

Corsair is Buying Mechanical Keyboard Maker Drop (techcrunch.com) 17

Everyone seems to be buying a mechanical keyboard company these days. Corsair has one-upped them all by buying its own mechanical keyboard company. From a report: The Fremont, California-based peripheral maker today announced that it's acquiring "certain assets" from Drop for an undisclosed, all-cash deal. "Drop has been acquired by Corsair," Drop CEO Jef Holove wrote in a blog post confirming the news. "I am sure front-of-mind for you is what this will mean for Drop and our focus on our discerning, engaged enthusiast community -- especially at a time when we've been watching other players in the community struggle or outright fold. Obviously, we are convinced this move is good for us, for you and for the hobby, and I'll give you a sense of why here."

The executive called the Portland-based company "small but mighty," relative to a product portfolio that includes several keyboards, keycaps and audio accessories. Mechanical keyboards are the company's bread and butter, and it makes fine hardware. I've been using the Drop Shift keyboard now for several months. The firm is also notable for high-profile branding exercises that include keycaps featuring Lord of the Rings and Marvel IP.

Privacy

Typo Leaks Millions of US Military Emails To Mali Web Operator (ft.com) 52

Millions of US military emails have been misdirected to Mali through a "typo leak" that has exposed highly sensitive information, including diplomatic documents, tax returns, passwords and the travel details of top officers. Financial Times: Despite repeated warnings over a decade, a steady flow of email traffic continues to the .ML domain, the country identifier for Mali, as a result of people mistyping .MIL, the suffix to all US military email addresses. The problem was first identified almost a decade ago by Johannes Zuurbier, a Dutch internet entrepreneur who has a contract to manage Mali's country domain.

Zuurbier has been collecting misdirected emails since January in an effort to persuade the US to take the issue seriously. He holds close to 117,000 misdirected messages -- almost 1,000 arrived on Wednesday alone. In a letter he sent to the US in early July, Zuurbier wrote: "This risk is real and could be exploited by adversaries of the US."
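A gateway-side check for the mistyping described above, as an added example that is not part of the FT report or Zuurbier's work: it holds outbound mail whose recipient TLD is one edit away from a protected TLD (so `.ml` is caught when `.mil` is protected). The function names, `NearMiss` record and sample addresses are constructed for this example.

```python
"""Outbound-mail guard for TLD near-misses (added example; constructed helpers).

Flags recipient addresses whose top-level domain is a small edit away from a
protected TLD so a mail gateway can hold the message for review before it
leaves the organisation. Exact protected TLDs pass; everything else is ignored.
"""
from __future__ import annotations

from dataclasses import dataclass


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


@dataclass(frozen=True)
class NearMiss:
    address: str        # recipient as supplied
    tld: str            # TLD actually used (or the raw domain if malformed)
    protected_tld: str  # protected TLD it resembles ('' when malformed)
    distance: int       # edit distance, or -1 for a malformed address


def check_recipients(recipients, protected_tlds=("mil",), max_distance=1):
    """Return a NearMiss for each recipient whose TLD resembles a protected TLD.

    Malformed addresses (no '@', or no dot in the domain) are reported with
    distance -1 so the caller can decide whether to hold them as well.
    """
    hits = []
    for addr in recipients:
        _local, sep, domain = addr.rpartition("@")
        # Tolerate 'Name <user@host>' and a trailing root dot.
        domain = domain.strip(" >").lower().rstrip(".")
        if not sep or "." not in domain:
            hits.append(NearMiss(addr, domain, "", -1))
            continue
        tld = domain.rsplit(".", 1)[1]
        for prot in protected_tlds:
            if tld == prot:
                break  # exact protected TLD: legitimate destination
            d = edit_distance(tld, prot)
            if d <= max_distance:
                hits.append(NearMiss(addr, tld, prot, d))
                break
    return hits


if __name__ == "__main__":
    # Constructed sample: one mistyped recipient among legitimate ones.
    sample = ["officer@unit.mil", "officer@unit.ml", "vendor@example.com"]
    for hit in check_recipients(sample):
        print(f"HOLD {hit.address}: '.{hit.tld}' looks like '.{hit.protected_tld}'")
```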

Windows

Malicious Microsoft Drivers Could Number in the Thousands, Says Cisco Talos (esecurityplanet.com) 36

An anonymous reader shared Thursday's report from eSecurity Planet: After Microsoft warned earlier this week that some drivers certified by the Windows Hardware Developer Program (MWHDP) are being leveraged maliciously, a Cisco Talos security researcher said the number of malicious drivers could number in the thousands.

Talos researcher Chris Neal discussed how the security problem evolved in a blog post. "Starting in Windows Vista 64-bit, to combat the threat of malicious drivers, Microsoft began to require kernel-mode drivers to be digitally signed with a certificate from a verified certificate authority," Neal wrote. "Without signature enforcement, malicious drivers would be extremely difficult to defend against as they can easily evade anti-malware software and endpoint detection." Beginning with Windows 10 version 1607, Neal said, Microsoft has required kernel-mode drivers to be signed by its Developer Portal. "This process is intended to ensure that drivers meet Microsoft's requirements and security standards," he wrote.

Still, there are exceptions — most notably, one for drivers signed with certificates that expired or were issued prior to July 29, 2015. If a newly compiled driver is signed with non-revoked certificates that were issued before that date, it won't be blocked. "As a result, multiple open source tools have been developed to exploit this loophole," Neal wrote. And while Sophos reported that it had uncovered more than 100 malicious drivers, Neal said Cisco Talos "has observed multiple threat actors taking advantage of the aforementioned Windows policy loophole to deploy thousands of malicious, signed drivers without submitting them to Microsoft for verification...."

"Microsoft, in response to our notification, has blocked all certificates discussed in this blog post," he noted.
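A triage pass over a driver inventory that applies the loophole described above, as an added example that is not code from Cisco Talos or Microsoft: drivers not signed through the Developer Portal but signed with a certificate issued before July 29, 2015 are flagged when the binary's build date is well after the certificate's issuance. The `DriverRecord` fields, paths and thumbprints are constructed placeholders.

```python
"""Triage of kernel drivers against the pre-2015 signing exemption
(added example; record fields and thumbprints are constructed)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Cut-off cited in the Talos post: certificates that expired or were issued
# before this date are exempt from the Developer Portal signing requirement.
LEGACY_CUTOFF = date(2015, 7, 29)

# Placeholder thumbprints standing in for certificates Microsoft has blocked;
# populate from your own blocklist feed. Constructed values, not real ones.
BLOCKED_THUMBPRINTS = {"PLACEHOLDER-THUMBPRINT-0001"}


@dataclass(frozen=True)
class DriverRecord:
    path: str
    signer_thumbprint: str
    cert_not_before: date   # issuance date of the leaf signing certificate
    portal_signed: bool     # True when signed through Microsoft's Developer Portal
    pe_timestamp: date      # link timestamp from the PE header


def classify(rec: DriverRecord) -> str:
    """Return a verdict for one driver: BLOCK, REVIEW, LOW or OK."""
    if rec.signer_thumbprint in BLOCKED_THUMBPRINTS:
        return "BLOCK: signing certificate is on the blocklist"
    if rec.portal_signed:
        return "OK: Microsoft-attested signature"
    if rec.cert_not_before < LEGACY_CUTOFF:
        # Exempt under the legacy policy. A build date long after issuance is the
        # pattern Talos describes (freshly compiled drivers signed with old
        # certificates). PE timestamps can be forged, so this is a triage
        # signal, not proof.
        if rec.pe_timestamp >= LEGACY_CUTOFF:
            gap = (rec.pe_timestamp - rec.cert_not_before).days
            return f"REVIEW: pre-2015 certificate on a driver built {gap} days after issuance"
        return "LOW: legacy certificate on a legacy build"
    # Such a driver should not load on Windows 10 1607+; if it did, find out why.
    return "REVIEW: post-cutoff certificate without Developer Portal signature"


def triage(records: list[DriverRecord]) -> dict[str, str]:
    """Map each driver path to its verdict."""
    return {r.path: classify(r) for r in records}


def sample_inventory() -> list[DriverRecord]:
    """Constructed records resembling what an endpoint inventory script exports."""
    return [
        DriverRecord("drivers/vendor_whql.sys", "PLACEHOLDER-THUMBPRINT-0002",
                     date(2021, 3, 1), True, date(2023, 5, 1)),
        DriverRecord("drivers/oldcert_newbuild.sys", "PLACEHOLDER-THUMBPRINT-0003",
                     date(2014, 6, 1), False, date(2023, 6, 20)),
        DriverRecord("drivers/oldcert_oldbuild.sys", "PLACEHOLDER-THUMBPRINT-0004",
                     date(2014, 6, 1), False, date(2015, 1, 15)),
        DriverRecord("drivers/blocked.sys", "PLACEHOLDER-THUMBPRINT-0001",
                     date(2013, 9, 9), False, date(2023, 1, 1)),
    ]


if __name__ == "__main__":
    for path, verdict in triage(sample_inventory()).items():
        print(f"{path}: {verdict}")
```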

Privacy

SEO Expert Hired and Fired By Ashley Madison Turned on Company, Promising Revenge (krebsonsecurity.com) 28

In July 2015, the marital infidelity website AshleyMadison.com was hacked by a group called the Impact Team, threatening to release data on all 37 million users unless the site shut down. In an article published earlier today, security researcher Brian Krebs explores the possible involvement of a former employee and self-described expert in search engine optimization (SEO), William Brewster Harrison, who had a history of harassment towards then-CEO Noel Biderman and may have had the technical skills to carry out the hack. However, Harrison committed suicide in 2014, raising doubts about his role in the breach. Here's an excerpt from the report: [...] Does Harrison's untimely death rule him out as a suspect, as his stepmom suggested? This remains an open question. In a parting email to Biderman in late 2012, Harrison signed his real name and said he was leaving, but not going away. "So good luck, I'm sure we'll talk again soon, but for now, I've got better things in the oven," Harrison wrote. "Just remember I outsmarted you last time and I will outsmart you and out maneuver you this time too, by keeping myself far far away from the action and just enjoying the sideline view, cheering for the opposition." Nothing in the leaked Biderman emails suggests that Ashley Madison did much to revamp the security of its computer systems in the wake of Harrison's departure and subsequent campaign of harassment -- apart from removing an administrator account of his a year after he'd already left the company.

KrebsOnSecurity found nothing in Harrison's extensive domain history suggesting he had any real malicious hacking skills. But given the clientele that typically employed his skills -- the adult entertainment industry -- it seems likely Harrison was at least conversant in the dark arts of "Black SEO," which involves using underhanded or else downright illegal methods to game search engine results. Armed with such experience, it would not have been difficult for Harrison to have worked out a way to maintain access to working administrator accounts at Ashley Madison. If that in fact did happen, it would have been trivial for him to sell or give those credentials to someone else. Or to something else. Like Nazi groups. As KrebsOnSecurity reported last year, in the six months leading up to the July 2015 hack, Ashley Madison and Biderman became a frequent subject of derision across multiple neo-Nazi websites.

Some readers have suggested that the data leaked by the Impact Team could have originally been stolen by Harrison. But that timeline does not add up given what we know about the hack. For one thing, the financial transaction records leaked from Ashley Madison show charges up until mid-2015. Also, the final message in the archive of Biderman's stolen emails was dated July 7, 2015 -- almost two weeks before the Impact Team would announce their hack. Whoever hacked Ashley Madison clearly wanted to disrupt the company as a business, and disgrace its CEO as the endgame. The Impact Team's intrusion struck just as Ashley Madison's parent was preparing to go public with an initial public offering (IPO) for investors. Also, the hackers stated that while they stole all employee emails, they were only interested in leaking Biderman's. Also, the Impact Team had to know that ALM would never comply with their demands to dismantle Ashley Madison and Established Men. In 2014, ALM reported revenues of $115 million. There was little chance the company was going to shut down some of its biggest money machines. Hence, it appears the Impact Team's goal all along was to create prodigious amounts of drama and tension by announcing the hack of a major cheating website, and then let that drama play out over the next few months as millions of exposed Ashley Madison users freaked out and became the targets of extortion attacks and public shaming.

After the Impact Team released Biderman's email archives, several media outlets pounced on salacious exchanges in those messages as supposed proof he had carried on multiple affairs. Biderman resigned as CEO of Ashley Madison on Aug. 28, 2015. Complicating things further, it appears more than one malicious party may have gained access to Ashley Madison's network in 2015 or possibly earlier. Cyber intelligence firm Intel 471 recorded a series of posts by a user with the handle "Brutium" on the Russian-language cybercrime forum Antichat between 2014 and 2016. Brutium routinely advertised the sale of large, hacked databases, and on Jan. 24, 2015, this user posted a thread offering to sell data on 32 million Ashley Madison users. However, there is no indication whether anyone purchased the information. Brutium's profile has since been removed from the Antichat forum.

Note: This is Part II of a story published last week on reporting that went into a new Hulu documentary series on the 2015 Ashley Madison hack.

Encryption

macOS Sonoma Brings Apple Password Manager To Third-Party Browsers (macrumors.com) 19

An anonymous reader quotes a report from MacRumors: The macOS Sonoma update that is in testing allows Mac owners who opt to use Google Chrome, Microsoft Edge, or another browser to use Apple's Password Manager for filling passwords. Developers and public beta testers running macOS Sonoma can use their iCloud Keychain passwords with non-Safari browsers at this time, autofilling passwords and one-time codes. Third-party browsers can also save new passwords.

Apple has made an iCloud Passwords Chrome extension available for macOS Sonoma users, and it can be downloaded and installed to access Apple passwords on the Chrome browser or any Chromium-based browser. Apple plans to release a similar extension for the Microsoft Edge browser in the near future. Google and other browser developers are also working on implementing support for Passkeys, the password alternative that Apple introduced last year.

Security

Chinese Hackers Raided US Government Email Accounts By Exploiting Microsoft Cloud Bug (techcrunch.com) 27

Chinese hackers exploited a flaw in Microsoft's cloud email service to gain access to the email accounts of U.S. government employees, the technology giant has confirmed. From a report: The hacking group, tracked as Storm-0558, compromised approximately 25 email accounts, including government agencies, as well as related consumer accounts linked to individuals associated with these organizations, according to Microsoft. [...]

Microsoft's investigation determined that Storm-0558, a China-based hacking group that the firm describes as a "well-resourced" adversary, gained access to email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens to access user accounts.

Operating Systems

Torvalds Calls For Calm as Bcachefs Filesystem Doesn't Make Linux 6.5 79

Linus Torvalds has delivered the first release candidate for version 6.5 of the Linux kernel, but warned this release may not go entirely smoothly. From a report: Torvalds's headline assessment of rc1 is "none of it looks hugely unusual." "The biggest single mention probably goes to what wasn't merged, with the bcachefs pull request resulting in a long thread (we didn't hit a hundred emails yet, but it's not far away)." As The Register reported in 2022, bcachefs is a filesystem that's been in development for nigh on a decade without being added to the kernel.

Kernel-watching outlet Phoronix on Sunday wrote that the filesystem is in good shape but debate over "code changes needed to the kernel outside of the kernel module itself" has proved contentious. As a result, conversation on the Linux kernel mailing list is "often becoming heated" when the topic turns to bcachefs. In his announcement post for rc1, Torvalds wrote "Let's calm this party down."

IT

Windows 95, 98, and Other Decrepit Versions Can Grab Online Updates Again (arstechnica.com) 48

An anonymous reader shares a report: If you have any interest in retro-computing, you know it can be difficult to round up the last official bug fixes and updates available for early Internet-era versions of Windows like 95, 98, and NT 4.0. A new independent project called "Windows Update Restored" is aiming to fix that, hosting lightly modified versions of old Windows Update sites and the update files themselves so that fresh installs of these old operating systems can grab years' worth of fixes that aren't present on old install CDs and disks. These old versions of Windows relied primarily on a Windows Update web app to function rather than built-in updaters like the ones used in current Windows versions. Microsoft took down the version of the site that could scan and update Windows 95 and 98 sometime in mid-2011. The Windows Update Restored site is a lightly modified version of Microsoft's original code, and the site itself doesn't use any kind of SSL or TLS encryption, so ancient Internet Explorer versions can still access it without modification. You'll need at least Internet Explorer 5 to access the Windows Update Restored update sites; that browser is no longer available directly from Microsoft, but the Windows Update Restored site offers download links to IE5 and IE5.5 in all supported languages.
United Kingdom

UK Battles Hacking Wave as Ransomware Gang Claims 'Biggest Ever' NHS Breach (techcrunch.com) 26

The U.K.'s largest NHS trust has confirmed it's investigating a ransomware incident as the country's public sector continues to battle a rising wave of cyberattacks. From a report: Barts Health NHS Trust, which runs five London-based hospitals and serves more than 2.5 million patients, was recently added to the dark web leak site of the ALPHV ransomware gang. The gang, also known as BlackCat, says it has stolen 70 terabytes of sensitive data in what it claims is the biggest breach of healthcare data in the United Kingdom. Samples of the allegedly stolen data, seen by TechCrunch, include employee identification documents, including passports and driver licenses, and internal emails labeled "confidential."

When asked by TechCrunch, a Barts Health spokesperson did not dispute that it was affected by a security incident that involved the exfiltration of data, nor did they dispute the legitimacy of the stolen data samples shared by ALPHV. "We are aware of claims of a ransomware attack and are urgently investigating," the spokesperson, who did not provide their name, told TechCrunch.

IT

Big-Tech Cities Are Still 'Facing a Reckoning' from Remote Work (seattletimes.com) 170

"According to the federal Bureau of Labor Statistics, nearly 73% of businesses reported that their workers rarely or never engaged in remote work in 2022 — closing in on pre-pandemic levels," writes a Seattle Times business columnist. "But this minority of the civilian workforce working remotely casts a large shadow over our economy, especially central business districts."

The column's headline argues that Seattle "is still facing the reckoning from remote work" — which may also be true in other big tech cities. Kastle Systems, which tracks back-to-the-office moves, estimated 49.8% occupancy as of late June. Kastle uses a 10-city average ranging from New York to Los Angeles but doesn't include Seattle. In the latest report, Houston led at nearly 61% occupancy. San Jose, Calif., in the heart of Silicon Valley, where remote work flourishes, was the lowest at 38%. As of May, 48% of workers in Seattle's central core have returned to the office compared with 2019, according to the Downtown Seattle Association. The most significant boost has come from Amazon, which mandated employees must work in the office at least three days a week.

So, you can be an offices-half-full or an offices-half-empty kind of person.

Still, Capital Economics, an independent research firm, estimated this past month that remote work will shave 35% from the value of the U.S. office sector. In addition, it predicted many office buildings won't return to their previous peak values until 2040 or later... As loans come due for commercial real estate properties, many cities face a reckoning. Refinancing is difficult with high interest rates. In some cases, buildings are worth less than the land they occupy. Foreclosures and defaults are rising. This is already spilling over to hurt sectors that are dependent on offices, such as architects, cleaning services, construction and others. The Wall Street Journal estimates this accounts for a "multibillion-dollar ecosystem."

As a result, many American cities are struggling to convert office buildings unlikely to see workers again into other uses, especially apartments. Rigid zoning and building codes, the footprint of the structures, and resistance from nearby homeowners to increased density all make this difficult. Seattle is facing some of the same challenges. Mayor Bruce Harrell announced a "call for ideas" to alter some of the city's office space to residential or other uses...

Several trend lines are moving in the right direction — return of workers, number of residents, visitors and hotel occupancy are all going up, and crime is going down, with violent crime and property crime down the first five months of the year compared with 2022. Downtown has seen a 13.8% decrease in violent crime and a 35.1% drop in property crime over the same period... To be sure, we're in undiscovered territory. But giving up on downtown Seattle is not an option. It accounts for the majority of the city's business taxes and majority of its workers...

Whether remote or hybrid work remains for much of the local workforce or a gradual return to the office continues, the heart of the city must be healthy.

Social Networks

As BotDefense Leaves 'Antagonistic' Reddit, Mods Fear Spam Overload (arstechnica.com) 68

"The Reddit community is still reckoning with the consequences of the platform's API price hike..." reports Ars Technica.

"The latest group to announce its departure is BotDefense." BotDefense, which helps remove rogue submission and comment bots from Reddit and which is maintained by volunteer moderators, is said to help moderate 3,650 subreddits. BotDefense's creator told Ars Technica that the team is now quitting over Reddit's "antagonistic actions" toward moderators and developers, with concerning implications for spam moderation on some large subreddits like r/space.

BotDefense started in 2019 as a volunteer project and has been run by volunteer mods, known as "dequeued" and "abrownn" on Reddit. Since then, it claims to have populated its ban list with 144,926 accounts, and it helps moderate subreddits with huge followings, like r/gaming (37.4 million members), /r/aww (34.2 million), r/music (32.4 million), r/Jokes (26.2 million), r/space (23.5 million), and /r/LifeProTips (22.2 million). Dequeued told Ars that other large subreddits BotDefense helps moderate include /r/food, /r/EarthPorn, /r/DIY, and /r/mildlyinteresting. On Wednesday, dequeued announced that BotDefense is ceasing operations. BotDefense has already stopped accepting bot account submissions and will disable future action on bots. BotDefense "will continue to review appeals and process unbans for a minimum of 90 days or until Reddit breaks the code running BotDefense," the announcement said...

Dequeued, who said they've been moderating for nearly nine years, said Reddit's "antagonistic actions" toward devs and mods are the only reason BotDefense is closing. The moderator said there were plans for future tools, like a new machine learning system for detecting "many more" bots. Before the API battle turned ugly, dequeued had no plans to stop working on BotDefense...

[S]ubreddits that have relied on BotDefense are uncertain about managing their subreddits without the tool, and the tool's impending departure are new signs of a deteriorating Reddit community.

Ironically, Reddit's largest shareholder — Advance Publications — owns Ars Technica's parent company Condé Nast.

The article notes that Reddit "didn't respond to Ars' request for comment on BotDefense closing, how Reddit fights spam bots and karma farms, or about users quitting Reddit."

Bug

Researchers Discovered a New Linux Kernel 'StackRot' Privilege Escalation Vulnerability (thehackernews.com) 36

Wednesday Greg Kroah-Hartman announced the release of the 6.4.2 kernel. "All users of the 6.4 kernel series must upgrade."

The Hacker News reports: Details have emerged about a newly identified security flaw in the Linux kernel that could allow a user to gain elevated privileges on a target host. Dubbed StackRot (CVE-2023-3269, CVSS score: 7.8), the flaw impacts Linux versions 6.1 through 6.4. There is no evidence that the shortcoming has been exploited in the wild to date.

"As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger," Peking University security researcher Ruihan Li said. "However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. Consequently, exploiting this vulnerability is considered challenging."

Following responsible disclosure on June 15, 2023, it has been addressed in stable versions 6.1.37, 6.3.11, and 6.4.1 as of July 1, 2023, after a two-week effort led by Linus Torvalds. A proof-of-concept (PoC) exploit and additional technical specifics about the bug are expected to be made public by the end of the month.

ZDNet points out that Linux 6.4 "offers improved hardware enablement for ARM boards" and does a better job with the power demands of Steam Deck gaming devices. And "On the software side, the Linux 6.4 release includes more upstreamed Rust code. We're getting ever closer to full in-kernel Rust language support."

The Register also notes that Linux 6.4 includes "the beginnings of support for Apple's M2 processors," along with support for hibernation of RISC-V CPUs, "a likely presage to such silicon powering laptop computers."

China

China's Workers and the Curse of (Turning) 35 (osu.edu) 61

Long-time Slashdot reader 93 Escort Wagon writes: Age discrimination is something many tech workers think about — especially once they get into their 40s and 50s. But imagine what it would be like if you thought that every job in every field shunned you at an even earlier age. In China, you apparently don't have to imagine, the New York Times reports...

"When Sean Liang turned 30, he started thinking of the Curse of 35 — the widespread belief in China that white-collar workers like him confront unavoidable job insecurity after they hit that age. In the eyes of employers, the Curse goes, they're more expensive than new graduates and not as willing to work overtime.

Liang, now 38, is a technology support professional turned personal trainer. He has been unemployed for much of the past three years, partly because of the pandemic and China's sagging economy. But he believes the main reason is his age. He's too old for many employers, including the Chinese government, which caps the hiring age for most civil servant positions at 35. If the Curse of 35 is a legend, it's one supported by some facts."

"It's not clear how the phenomenon started, and it's hard to know how much truth there is to it," the article points out. But it also notes that age discrimination "is not against the law in China," which with a weak job market forms "a double whammy for workers in their mid-30s who are making big decisions about career, marriage and children...

"In 2022, the number of marriage registrations fell 10.5% from a year earlier, to the lowest number since China began disclosing the data in 1986. The country's birthrate fell to a low point last year, and its population shrank for the first time since 1961, the end of the Great Famine."

Social Networks

Cyberpunk 2077 Players Protest Reddit By Posting Nudes (kotaku.com) 52

Open-world sci-fi RPG Cyberpunk 2077's biggest subreddit recently switched to NSFW (not safe for work), with the explanation that the game it is focused on is a mature game filled with nudity and gore. However, Reddit allegedly demanded that mods of the subreddit quickly revert the change. From a report: The mods aren't complying and users are now posting nude images of in-game characters as part of a protest to show why the subreddit deserves to be NSFW. Since May, Reddit has been at war with its users and subreddits as the company clamps down on third-party apps and their ability to access the site's backend or API. It's not gone well for Reddit, leading to popular subreddits like r/bestof, r/sports, and r/music going dark. And as part of this ongoing backlash, some subreddits switched to NSFW. This designation is reserved mainly for porn-y subreddits and blocks ads from appearing, but also lets users freely post nudity and more adult content.

Some mods and subreddits have used this designation to punch back at Reddit and its despised CEO. Now the Cyberpunk 2077 subreddit has seemingly wandered into this mess. According to a post from July 5 by moderator Tabnam, the decision to make the Cyberpunk 2077 subreddit NSFW was made because the game is "an 18+ game" and happened now because the mods had "never thought to change it until recently." Tabnam added that this subreddit should have already been NSFW. This decision apparently didn't go over well with Reddit.

Cellphones

France Passes New Bill Allowing Police To Remotely Activate Cameras On Citizens' Phones (gizmodo.com) 132

An anonymous reader quotes a report from Gizmodo: Amidst ongoing protests in France, the country has just passed a new bill that will allow police to remotely access suspects' cameras, microphones, and GPS on cell phones and other devices. As reported by Le Monde, the bill has been criticized by the French people as a "snoopers" charter that allows police unfettered access to the location of its citizens. Moreover, police can activate cameras and microphones to take video and audio recordings of suspects. The bill will reportedly only apply to suspects in crimes that are punishable by a minimum of five years in jail and Justice Minister Eric Dupond-Moretti claimed that the new provision would only affect a few dozen cases per year. During a debate over the bill yesterday, French politicians added an amendment that orders judge approval for any surveillance conducted under the scope of the bill and limits the duration of surveillance to six months, according to Le Monde.

"For organized crime, the police can have access to the sound and image of a device. This concerns any connected device: telephone, speaker microphone, computer camera, computer system of a car... all without the knowledge of the persons concerned," French advocacy group La Quadrature du Net said in a statement on Twitter last month, machine translated by Gizmodo. "In view of the growing place of digital tools in our lives, accepting the very principle that they are transformed into police auxiliaries without our being aware of it poses a serious problem in our societies."
In 2021, France passed a bill that would expand the French police force's ability to monitor civilians using drones -- all in an effort to protect officers from increasingly violent protestors, according to French President Emmanuel Macron.

Security

Actively Exploited Vulnerability Threatens Hundreds of Solar Power Stations (arstechnica.com) 23

An anonymous reader quotes a report from Ars Technica: Hundreds of Internet-exposed devices inside solar farms remain unpatched against a critical and actively exploited vulnerability that makes it easy for remote attackers to disrupt operations or gain a foothold inside the facilities. The devices, sold by Osaka, Japan-based Contec under the brand name SolarView, help people inside solar facilities monitor the amount of power they generate, store, and distribute. Contec says that roughly 30,000 power stations have introduced the devices, which come in various packages based on the size of the operation and the type of equipment it uses.

Searches on Shodan indicate that more than 600 of them are reachable on the open Internet. As problematic as that configuration is, researchers from security firm VulnCheck said Wednesday, more than two-thirds of them have yet to install an update that patches CVE-2022-29303, the tracking designation for a vulnerability with a severity rating of 9.8 out of 10. The flaw stems from the failure to neutralize potentially malicious elements included in user-supplied input, leading to remote attacks that execute malicious commands. Security firm Palo Alto Networks said last month the flaw was under active exploit by an operator of Mirai, an open source botnet consisting of routers and other so-called Internet of Things devices. The compromise of these devices could cause facilities that use them to lose visibility into their operations, which could result in serious consequences depending on where the vulnerable devices are used.

"The fact that a number of these systems are Internet facing and that the public exploits have been available long enough to get rolled into a Mirai-variant is not a good situation," VulnCheck researcher Jacob Baines wrote. "As always, organizations should be mindful of which systems appear in their public IP space and track public exploits for systems that they rely on." Baines said that the same devices vulnerable to CVE-2022-29303 were also vulnerable to CVE-2023-23333, a newer command-injection vulnerability that also has a severity rating of 9.8. Although there are no known reports of it being actively exploited, exploit code has been publicly available since February. Incorrect descriptions for both vulnerabilities are one factor involved in the patch failures, Baines said. The descriptions for both vulnerabilities indicate that SolarView versions 8.00 and 8.10 are patched against CVE-2022-29303 and CVE-2023-23333. In fact, the researcher said, only 8.10 is patched against the threats.
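As an added illustration (not Contec's code and not from the Ars report), here is the "unneutralized user input reaches a shell" pattern described above beside a hardened handler, a check over access-log lines that flags the same pattern, and the 8.00-versus-8.10 patch distinction; the endpoint, parameter names and log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical monitoring endpoint that pings a user-supplied host, mirroring the
# pattern described for SolarView: input that is never neutralized reaches a shell.
# Nothing here is Contec code; the names, paths and log lines are constructed.

HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")
SHELL_META = re.compile(r"[;&|`$<>\n\\(){}]")

def build_vulnerable_command(host):
    # VULNERABLE: untrusted input is spliced into a shell string, so any shell
    # metacharacter in `host` changes what the shell executes.
    return f"ping -c 1 {host}"

def build_hardened_argv(host):
    # HARDENED: allow-list the value, reject option-like values, and return a
    # discrete argv for subprocess.run(argv, shell=False) so no shell parses it.
    if not HOSTNAME_RE.fullmatch(host) or host.startswith("-"):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]

# Constructed access-log lines in Common Log Format (not real device logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jul/2023:10:01:02 +0000] "GET /status.php?host=solar-gw.local HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Jul/2023:10:01:07 +0000] "GET /status.php?host=127.0.0.1%3Bid HTTP/1.1" 200 640',
    '10.0.0.9 - - [05/Jul/2023:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

def suspicious_requests(lines):
    # Detection: flag query parameters that, once URL-decoded, carry shell
    # metacharacters. Returns (parameter, decoded value) pairs.
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        for key, values in parse_qs(urlsplit(m.group(1)).query).items():
            hits.extend((key, v) for v in values if SHELL_META.search(v))
    return hits

def solarview_is_patched(version):
    # Per VulnCheck, only 8.10 carries the fix even though advisories also list 8.00.
    # Assumes the published "major.minor" string form (e.g. "8.00", "8.10").
    major, minor = (int(p) for p in version.split(".")[:2])
    return (major, minor) >= (8, 10)
```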

Encryption

Security Researchers Latest To Blast UK's Online Safety Bill As Encryption Risk (techcrunch.com) 5

An anonymous reader quotes a report from TechCrunch: Nearly 70 IT security and privacy academics have added to the clamor of alarm over the damage the U.K.'s Online Safety Bill could wreak to, er, online safety unless it's amended to ensure it does not undermine strong encryption. Writing in an open letter (PDF), 68 U.K.-affiliated security and privacy researchers have warned the draft legislation poses a stark risk to essential security technologies that are routinely used to keep digital communications safe.

"As independent information security and cryptography researchers, we build technologies that keep people safe online. It is in this capacity that we see the need to stress that the safety provided by these essential technologies is now under threat in the Online Safety Bill," the academics warn, echoing concerns already expressed by end-to-end encrypted comms services such as WhatsApp, Signal and Element -- which have said they would opt to withdraw services from the market or be blocked by U.K. authorities rather than compromise the level of security provided to their users. [...] "We understand that this is a critical time for the Online Safety Bill, as it is being discussed in the House of Lords before being returned to the Commons this summer," they write. "In brief, our concern is that surveillance technologies are deployed in the spirit of providing online safety. This act undermines privacy guarantees and, indeed, safety online."

The academics, who hold professorships and other positions at universities around the country -- including a number of Russell Group research-intensive institutions such as King's College and Imperial College in London, Oxford and Cambridge, Edinburgh, Sheffield and Manchester to name a few -- say their aim with the letter is to highlight "alarming misunderstandings and misconceptions around the Online Safety Bill and its interaction with the privacy and security technologies that our daily online interactions and communication rely on."

"There is no technological solution to the contradiction inherent in both keeping information confidential from third parties and sharing that same information with third parties," the experts warn, adding: "The history of 'no one but us' cryptographic backdoors is a history of failures, from the Clipper chip to DualEC. All technological solutions being put forward share that they give a third party access to private speech, messages and images under some criteria defined by that third party."

Last week, Apple publicly voiced its opposition to the bill. The company said in a statement: "End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists, and diplomats. It also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches. The Online Safety Bill poses a serious threat to this protection, and could put UK citizens at greater risk. Apple urges the government to amend the bill to protect strong end-to-end encryption for the benefit of all."
