Verizon Is Weighing a Sale of Yahoo, AOL

Author: BeauHD
April 30, 2021 10:25
According to Bloomberg, Verizon is considering selling AOL and Yahoo -- two once high-flying dot-com brands it purchased in 2015 and 2017, respectively. Bloomberg reports: Verizon Media could fetch as much as $5 billion [...]. The company is talking to Apollo Global Management about a deal, they said. It couldn't immediately be learned how a deal would be structured or if other suitors may emerge. No final decision has been made and Verizon could opt to keep the unit. The move comes as Verizon divests tertiary media assets while ramping up its focus on its wireless business and the rollout of its 5G service. Last year, it agreed to sell the HuffPost online news service to BuzzFeed Inc. and it unloaded the blogging platform Tumblr in 2019. This divestiture would mark Verizon's final retreat from an expensive foray into online advertising, a strategy that never really took off.

Read more of this story at Slashdot.

Anti-Vaxxer Hijacks QR Codes At COVID-19 Check-In Sites

Author: BeauHD
April 30, 2021 09:45
schwit1 shares a report from Threatpost: Quick-response (QR) codes used by a COVID-19 contact-tracing program were hijacked by a man who simply slapped up scam QR codes on top to redirect users to an anti-vaccination website, according to local police. He now faces two counts of "obstructing operations carried out relative to COVID-19 under the Emergency Management Act," the South Australia Police said in a statement announcing the arrest. His arrest may just be a drop in the bucket: Reports of other anti-vax campaigners doing the same thing abound. Law enforcement added an additional warning to would-be QR code scammers: "Any person found to be tampering or obstructing with business QR codes will likely face arrest and court penalty of up to $10,000." The police said no personal data was breached, but the incident highlights that truly all an attacker needs is a printer and a pack of Avery labels to do real damage. In this case, the QR codes were being used by the South Australian government's official CovidSafe app to access a device's camera, scan the code and collect real-time location data to be used for contact tracing in case of a COVID-19 outbreak, ABC News Australia reported. That's a lot of personal data linked to a single QR code just waiting to be stolen. "In this instance, people who scanned the illegitimate QR code were redirected to a website distributing misinformation from the anti-vaxxer community," Bill Harrod, vice president of public sector at Ivanti, told Threatpost. "While this is concerning, the outcome could have been far more perilous."

New Malware Found Lurking In 64-Bit Linux Installs

Author: BeauHD
April 30, 2021 09:02
syn3rg shares a report from ZDNet: A Linux backdoor recently discovered by researchers has avoided VirusTotal detection since 2018. Dubbed RotaJakiro, the Linux malware has been described by the Qihoo 360 Netlab team as a backdoor targeting Linux 64-bit systems. RotaJakiro was first detected on March 25 when a Netlab distributed denial-of-service (DDoS) botnet C2 command tracking system, BotMon, flagged a suspicious file. At the time of discovery, there were no malware detections on VirusTotal for the file, despite four samples having been uploaded -- two in 2018, one in 2020, and another in 2021. Netlab researchers say the Linux malware changes its use of encryption to fly under the radar, including ZLIB compression and combinations of AES, XOR, and key rotation during its activities, such as the obfuscation of command-and-control (C2) server communication. At present, the team says that they do not know the malware's "true purpose" beyond a focus on compromising Linux systems. There are 12 functions in total including exfiltrating and stealing data, file and plugin management -- including query/download/delete -- and reporting device information. However, the team cites a "lack of visibility" into the plugins that is preventing a more thorough examination of the malware's overall capabilities. In addition, RotaJakiro will treat root and non-root users on compromised systems differently and will change its persistence methods depending on which accounts exist.

Oculus Will Sell You a Quest 2 Headset That Doesn't Need Facebook For An Extra $500

Author: BeauHD
April 30, 2021 08:20
An anonymous reader quotes a report from PC Gamer: The Oculus Quest 2 is a hell of a lot of hardware for $299. In fact, we're convinced that Facebook is making a loss on each unit sold. Even so, that pricing is one of the main reasons it's the most popular headset on Steam and our pick as the best VR headset. Well, that and the ease of use. [...] The thing is, that price seems too good to be true, with no other manufacturer's VR headset close to the specs list of the Quest 2 -- in either tethered or standalone form -- hitting the same low, low price. That money gets you a robust virtual reality headset with 6GB of RAM, a Qualcomm Snapdragon XR2 CPU, 64GB of storage, 1832x1920 per eye display and a pair of controllers. [...] But there's one factor that could potentially offset that price -- Facebook has access to a whole lot of your data. This is something the Oculus Quest 2 is upfront about: You absolutely need a Facebook account in order to use the device and it does have its data collection policies in black and white. Although what isn't quite so obvious is how much your data is worth to Facebook. At least it isn't without a tiny bit of digging. There is another version of the Quest 2 that isn't as discounted as the consumer version, and that's the one aimed at businesses. The actual hardware is identical, but the difference is you don't need to log in with a Facebook account in order to use it. The price for this model? $799. There's also an annual fee of $180 that kicks in a year after purchase, which covers Oculus' business services and support, but that just muddies the waters a little. The point being, the Quest 2 for business, the headset from which Facebook can't access your data directly, costs $500 more. So that's looking essentially like the value the social media giant attributes to your data, which either seems like a lot or barely anything at all, depending on your stance.
The Supplemental Oculus Data Policy outlines what sort of data is actually being collected when you use the Quest 2. Such things as your physical dimension, including your hand size, how big your play area is using the Oculus Guardian system, data on any content you create using the Quest 2, as well as more obvious stuff like your device ID and IP address.

US Government Probes VPN Hack Within Federal Agencies, Races To Find Clues

Author: BeauHD
April 30, 2021 07:43
For at least the third time since the beginning of this year, the U.S. government is investigating a hack against federal agencies that began during the Trump administration but was only recently discovered, according to senior U.S. officials and private sector cyber defenders. Reuters reports: The new government breaches involve a popular virtual private network (VPN) known as Pulse Connect Secure, which hackers were able to break into as customers used it. More than a dozen federal agencies run Pulse Secure on their networks, according to public contract records. An emergency cybersecurity directive last week demanded that agencies scan their systems for related compromises and report back. The results, collected on Friday and analyzed this week, show evidence of potential breaches in at least five federal civilian agencies, said Matt Hartman, a senior official with the U.S. Cybersecurity Infrastructure Security Agency. "This is a combination of traditional espionage with some element of economic theft," said one cybersecurity consultant familiar with the matter. "We've already confirmed data exfiltration across numerous environments." The maker of Pulse Secure, Utah-based software company Ivanti, said it expected to provide a patch to fix the problem by this Monday, two weeks after it was first publicized. Only a "very limited number of customer systems" had been penetrated, it added. Over the last two months, CISA and the FBI have been working with Pulse Secure and victims of the hack to kick out the intruders and uncover other evidence, said another senior U.S. official who declined to be named but is responding to the hacks. The FBI, Justice Department and National Security Agency declined to comment. The U.S. government's investigation into the Pulse Secure activity is still in its early stages, said the senior U.S. official, who added the scope, impact and attribution remain unclear. Security researchers at U.S. cybersecurity firm FireEye and another firm, which declined to be named, say they've watched multiple hacking groups, including an elite team they associate with China, exploiting the new flaw and several others like it since 2019.

'Disaster Girl' Makes $500,000 in NFT Sale of Her Viral Meme

Author: msmash
April 30, 2021 07:05
Zoe Roth, the centerpiece of the "Disaster Girl" meme, has made nearly half a million dollars after selling the original copy as a non-fungible token (NFT), the New York Times reports. From a report: The market for ownership rights to digital art and media as NFTs has recently soared in popularity. Roth's photo was taken in 2005 when she was 4 years old. Her family went to go see a controlled fire in their Mebane, North Carolina, neighborhood. Her father entered the picture in a photo contest in 2007 and won, and for the past decade the "image [has been] endlessly repurposed as a vital part of meme canon," the Times writes. Most Americans are not at all familiar with NFTs, though they have become major buzzwords among asset managers and market participants. All NFTs contain a unique segment of digital code as an identifier of authenticity and are stored on the blockchain, a public digital ledger.

Jeff Bezos' Blue Origin Will Soon Begin Selling Tickets For Rides On Its Space Tourism Rocket

Author: BeauHD
April 30, 2021 06:25
Today, Blue Origin revealed that it will be selling the first tickets for rides on its space tourism rocket called New Shepard. According to CNBC, the first ticket (or tickets?) will go on sale starting next week, on Wednesday, May 5. From the report: Blue Origin did not reveal how much tickets will cost, only saying that more details will come on May 5 to those who submit their name and email on a form on the company's website. "Sign up to learn how you can buy the very first seat on New Shepard," according to the company's website. The announcement's video features Bezos going out to the capsule of New Shepard after the company's test flight earlier this month. It shows him driving across the Texas desert, the remote location of the New Shepard launch facility -- notably at the wheel of a Rivian R1T electric truck, which is emblazoned with Blue Origin's signature feather. New Shepard is designed to carry as many as six people at a time on a ride past the edge of space, with the capsules on previous test flights reaching an altitude of more than 340,000 feet (or more than 100 km). The capsule, which has massive windows to give passengers a view, spends as much as 10 minutes in zero gravity before returning to Earth. The rocket launches vertically, with the booster detaching and returning to land at a concrete pad nearby. The capsule's return is slowed down by a set of parachutes, before softly landing in the desert.

The IRS Wants Help Hacking Cryptocurrency Hardware Wallets

Author: BeauHD
April 30, 2021 05:45
An anonymous reader quotes a report from Motherboard: The IRS is looking for help to break into cryptocurrency hardware wallets, according to a document posted on the agency website in March of this year. Many cryptocurrency investors store their cryptographic keys, which confer ownership of their funds, with the exchange they use to transact or on a personal device. Some folks, however, want a little more security and use hardware wallets -- small physical drives which store a user's keys securely, unconnected to the internet. The law enforcement arm of the tax agency, IRS Criminal Investigation, and more specifically its Digital Forensic Unit, is now asking contractors to come up with solutions to hack into cryptowallets that could be of interest in investigations, the document states. "The decentralization and anonymity provided by cryptocurrencies has fostered an environment for the storage and exchange of something of value, outside of the traditional purview of law enforcement and regulatory organizations," the document reads. "There is a portion of this cryptographic puzzle that continues to elude organizations -- millions, perhaps even billions of dollars, exist within cryptowallets." The security of hardware wallets presents a problem for investigators. The document states that agencies may be in possession of a hardware wallet as part of a case, but may not be able to access it if the suspect does not comply. This means that authorities cannot effectively "investigate the movement of currencies" and it may "prevent the forfeiture and recovery" of the funds. "The explicit outcome of this contract is to tame the cybersecurity research into measured, repeatable, consistent digital forensics processes that can be trained and followed in a digital forensics' laboratory," the document says.

Rust Programming Language: We Want To Take It Into the Mainstream, Says Facebook

Author: msmash
April 30, 2021 05:05
Facebook has joined the Rust Foundation, the organization driving the Rust programming language, alongside Amazon Web Services, Google, Huawei, Microsoft, and Mozilla. From a report: Facebook is the latest tech giant to ramp up its adoption of Rust, a language initially developed by Mozilla that's become popular for systems programming because of its memory safety guarantees compared to fast languages C and C++. Rust is appealing for writing components like drivers and compilers. The Rust Foundation was established in February with initial backing from Amazon Web Services, Google, Huawei, Microsoft, and Mozilla. Microsoft is exploring Rust for some components of Windows and Azure while Google is using Rust to build new parts of the Android operating system and supporting an effort to bring Rust to the Linux kernel. Facebook's engineering team has now detailed its use of Rust beginning in 2016, a year after Rust reached its 1.0 milestone. "For developers, Rust offers the performance of older languages like C++ with a heavier focus on code safety. Today, there are hundreds of developers at Facebook writing millions of lines of Rust code," Facebook's software engineering team said.

EU Adopts Rules on One-Hour Takedowns for Terrorist Content

Author: msmash
April 30, 2021 04:25
The European Parliament approved a new law on terrorist content takedowns yesterday, paving the way for one-hour removals to become the legal standard across the EU. From a report: The regulation "addressing the dissemination of terrorist content online" will come into force shortly after publication in the EU's Official Journal -- and start applying 12 months after that. The incoming regime means providers serving users in the region must act on terrorist content removal notices from Member State authorities within one hour of receipt, or else provide an explanation why they have been unable to do so. There are exceptions for educational, research, artistic and journalistic work -- with lawmakers aiming to target terrorism propaganda being spread on online platforms like social media sites. The types of content they want speedily removed under this regime includes material that incites, solicits or contributes to terrorist offences; provides instructions for such offences; or solicits people to participate in a terrorist group. Material posted online that provides guidance on how to make and use explosives, firearms or other weapons for terrorist purposes is also in scope. However concerns have been raised over the impact on online freedom of expression -- including if platforms use content filters to shrink their risk, given the tight turnaround times required for removals.

Experian API Exposed Credit Scores of Most Americans

Author: msmash
April 30, 2021 03:40
tsu doh nimh writes: Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau. Bill Demirkapi, an independent security researcher who's currently a sophomore at the Rochester Institute of Technology, said he discovered the data exposure while shopping around for student loan vendors online. Demirkapi encountered one lender's site that offered to check his loan eligibility by entering his name, address and date of birth. Peering at the code behind this lookup page, he was able to see it invoked an Experian Application Programming Interface or API -- a capability that allows lenders to automate queries for FICO credit scores from the credit bureau. "No one should be able to perform an Experian credit check with only publicly available information," Demirkapi said. "Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian's system." Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the "date of birth" field let him then pull a person's credit score. He even built a handy command-line tool to automate the lookups, which he dubbed "Bill's Cool Credit Score Lookup Utility."

US Labor Secretary Says Most Gig Workers Should Be Classified as Employees, Prompting Shares of Uber, Lyft, Doordash and Grubhub To Crash

Author: msmash
April 30, 2021 03:09
President Joe Biden's top labor official said Thursday that most gig workers in the United States should be classified as "employees" deserving of related benefits, in what could be a policy shift that is likely to raise costs for companies that depend on contractors such as Uber and Lyft and impact millions of workers. From a report: Shares of Uber fell as much as 8 percent while Lyft dived as much as 12 percent. Doordash fell nearly 9 percent and Grubhub was down 3.3 percent. Labor Secretary Marty Walsh, a son of Irish immigrants and a former union member, has been expected to boost President Biden's efforts to expand workers' protections and deliver a win for the country's organized labor movement. "We are looking at it but in a lot of cases gig workers should be classified as employees... in some cases they are treated respectfully and in some cases they are not and I think it has to be consistent across the board," Walsh told Reuters in an interview, expressing his view on the topic for the first time. "These companies are making profits and revenue and I'm not (going to) begrudge anyone for that because that's what we are about in America... but we also want to make sure that success trickles down to the worker," he said.

China To Report First Population Drop in Five Decades

Author: msmash
April 30, 2021 02:29
China is poised to report its first population decline in five decades following a once-in-a-decade census, the Financial Times newspaper said, citing sources familiar with the matter. Reuters: A population drop will add pressure on Beijing to roll out measures to encourage couples to have more children and avert an irreversible decline. The National Bureau of Statistics (NBS), which is due to release the results of the census conducted late last year in early April, did not immediately respond to a Reuters request for comment. The population figure is very sensitive and will not be published until government departments have a consensus on the data and its implications, the Financial Times added on Tuesday, citing its sources. "If China confirms such a decline, it would be a big deal," said Zhiwei Zhang, the Shenzhen-based chief economist at Pinpoint Asset Management. "The consensus expects China's population to peak at 2027, based on the projection made by the United Nations. This would be much earlier than the market and policy makers expected."

Linux Stops Reverting Most University of Minnesota Patches, Admits Good Faith

Author: msmash
April 30, 2021 01:41
destinyland writes: LWN has a terrific update on what's happened since the discovery of University of Minnesota researchers intentionally submitting buggy code to the Linux kernel: The writing of a paper on this research [PDF] was not the immediate cause of the recent events; instead, it was the posting of a buggy patch originating from an experimental static-analysis tool run by another developer at UMN. That led developers in the kernel community to suspect that the effort to submit intentionally malicious patches was still ongoing. Since then, it has become apparent that this is not the case, but by the time the full story became clear, the discussion was already running at full speed. The old saying still holds true: one should not attribute to malice that which can be adequately explained by incompetence. On April 22, a brief statement was issued by the Linux Foundation technical advisory board (TAB) stating that, among other things, the recent patches appeared to have been submitted in good faith. Meanwhile, the Linux Foundation and the TAB sent a letter to the UMN researchers outlining how the situation should be addressed; that letter has not been publicly posted, but ZDNet apparently got a copy from somewhere. Among other things, the letter asked for a complete disclosure of the buggy patches sent as part of the UMN project and the withdrawal of the paper resulting from this work. In response, the UMN researchers posted an open letter apologizing to the community, followed a few days later by a summary of the work they did [PDF] as part of the "hypocrite commits" project. Five patches were submitted overall from two sock-puppet accounts, but one of those was an ordinary bug fix that was sent from the wrong account by mistake. Of the remaining four, one of them was an attempt to insert a bug that was, itself, buggy, so the patch was actually valid; the other three (1, 2, 3) contained real bugs.
None of those three were accepted by maintainers, though the reasons for rejection were not always the bugs in question. The paper itself has been withdrawn and will not be presented in May as was planned... One of the first things that happened when this whole affair exploded was the posting by Greg Kroah-Hartman of a 190-part patch series reverting as many patches from UMN as he could find... As it happens, these "easy reverts" also needed manual review; once the initial anger passed there was little desire to revert patches that were not actually buggy. That review process has been ongoing over the course of the last week and has involved the efforts of a number of developers. Most of the suspect patches have turned out to be acceptable, if not great, and have been removed from the revert list; if your editor's count is correct, 42 patches are still set to be pulled out of the kernel... A look at the full set of UMN patches reinforces some early impressions, though. First is that almost all of them do address some sort of real (if obscure and hard to hit) problem...

US Court Says 'Ghost Gun' Plans Can Be Posted Online

Author: msmash
April 30, 2021 01:07
Plans for 3D-printed, self-assembled "ghost guns" can be posted online without U.S. State Department approval, a federal appeals court ruled Tuesday. From a report: A divided panel of the 9th U.S. Circuit Court of Appeals in San Francisco reinstated a Trump administration order that permitted removal of the guns from the State Department's Munitions List. Listed weapons need State Department approval for export. In 2015, federal courts applied the requirement to weapons posted online and intended for production on 3D printers, the San Francisco Chronicle reported. However, three years later the State Department under then-President Donald Trump settled a lawsuit by a 3D gun company and ordered their removal. California, 21 other states and the District of Columbia sued and a federal judge in Seattle issued an injunction last year, saying that posting the designs without restrictions could put unregistered weapons into the hands of terrorists. In overturning the injunction, the appellate panel found 2-1 that a 1989 federal law prohibits courts from overruling the State Department's decision to add or remove a weapon from the Munitions List, the Chronicle reported.

Instacart Expands Online Food-Stamp Payments, Challenging Rivals

Author: msmash
April 30, 2021 00:31
Instacart is increasing the number of stores where it accepts online payments for Supplemental Nutrition Assistance Program participants, moving the online grocery delivery giant into competition with Amazon.com and Walmart for a growing pool of consumers using federal assistance to buy food online. From a report: The San Francisco-based startup is partnering with three retailers, Publix Super Markets, The Save Mart Companies and Golub's Price Chopper/Market 32, to allow Electronic Benefits Transfer (EBT) payments in more than 1,500 additional U.S. stores. The expansion is about a 60% increase in availability for SNAP online purchasing through Instacart, which began in October with a partnership with ALDI. Food-stamp recipients will be able to order same-day delivery or pickup through the Instacart website and mobile app in more than 4,000 stores across 38 states and Washington D.C.

Microsoft Shakes Up PC Gaming by Reducing Windows Store Cut To Just 12%

Author: msmash
April 29, 2021 23:49
Microsoft is shaking up the world of PC gaming today with a big cut to the amount of revenue it takes from games on Windows. From a report: The software giant is reducing its cut from 30 percent to just 12 percent from August 1st, in a clear bid to compete with Steam and entice developers and studios to bring more PC games to its Microsoft Store. "Game developers are at the heart of bringing great games to our players, and we want them to find success on our platforms," says Matt Booty, head of Xbox Game Studios at Microsoft. "A clear, no-strings-attached revenue share means developers can bring more games to more players and find greater commercial success from doing so." These changes will only affect PC games and not Xbox console games in Microsoft's store. While Microsoft hasn't explained why it's not reducing the 30 percent it takes on Xbox game sales, it's likely because the console business model is entirely different to PC. Microsoft, Sony, and Nintendo subsidize hardware to make consoles more affordable, and offer marketing deals in return for a 30 percent cut on software sales. Microsoft's new reduction on the PC side is significant, and it matches the same revenue split that Epic Games offers PC game developers while also putting more pressure on Valve to reduce its Steam store cut. Valve still takes a 30 percent cut on sales in its Steam store, which is reduced to 25 percent when sales hit $10 million, and then 20 percent for every sale after $50 million.

White House Urged To Address Surge in Ransomware Attacks

Author: msmash
April 29, 2021 23:05
Cybersecurity experts, law enforcement agencies and governments urged the White House to root out safe havens for criminals engaging in ransomware and step up regulation of cryptocurrencies, the lifeblood of hackers, in the hopes of controlling a growing wave of attacks. From a report: These are two of 48 recommendations made by a task force in a report Thursday to the Biden administration aimed at fighting the continuing ransomware episodes that plague major corporations, local governments and health-care providers across the world. The task force, organized by the Institute for Security and Technology, said the cyber-attacks have become a $350 million criminal industry -- a four-fold increase from the previous year. Last week, the U.S. Justice Department created its own, independent ransomware task force, signaling growing awareness inside the U.S. government of the now decade-old threat. Ransomware is a type of malicious code that typically encrypts a victim's data or network of computers. The hackers then demand a ransom to decrypt the information. More recently, ransomware gangs have also stolen data and threatened to make it public unless the victim pays a fee.

Tesla Accused of Environmental Rule Violations In US and Germany

Author: BeauHD
April 29, 2021 22:00
Rei_is_a_dumbass shares a report from CNBC: Tesla is defending itself in the U.S. and Germany against allegations that it has violated environmental rules and regulations, according to a new financial filing. In the U.S., the Environmental Protection Agency accused Tesla last week of failing to prove it is in compliance with federal emissions standards for hazardous air pollutants. Specifically, the EPA is seeking details about how Tesla handles "surface coating" of its vehicles. As CNBC has previously reported, the "paint shop" at Tesla's main U.S. car plant in Fremont, California, has a history of problems, including fires, improper cleaning and maintenance. Some vehicle re-touching, to fix flaws in paint on the cars, has been done in a tented "paint hospital" at the Fremont factory, employees previously told CNBC. In 2020, Tesla embarked on massive improvements to its paint facilities, Fremont building permits revealed. Tesla said in the filing Wednesday that the company "has responded to all information requests from the EPA and refutes the allegations." The company does not expect any "material adverse impact" on its business from its dealings with the EPA in this matter. Tesla is also still tangling with local air quality authorities in California -- the Bay Area Air Quality Management District -- over previously disclosed "notices of violation," relating to "air permitting and related compliance for the Fremont Factory." In Germany, Wednesday's financial filing said, authorities have fined Tesla 12 million euros, or about $14.5 million, for allegedly failing to make public notifications and properly fulfill their obligations to take back old batteries from customers. German law requires automakers selling electric cars to take back batteries and dispose of them in an environmentally sustainable manner. Tesla wrote in the filing: "This is primarily relating to administrative requirements, but Tesla has continued to take back battery packs." 
Tesla filed an objection in Germany and said that the matter should not have a material impact on Tesla's business.

DigitalOcean Says Customer Billing Data Accessed In Data Breach

Author: BeauHD
April 29, 2021 19:00
DigitalOcean has emailed customers warning of a data breach involving customers' billing data, TechCrunch has learned. Zack Whittaker reports: The cloud infrastructure giant told customers in an email on Wednesday, obtained by TechCrunch, that it has "confirmed an unauthorized exposure of details associated with the billing profile on your DigitalOcean account." The company said the person "gained access to some of your billing account details through a flaw that has been fixed" over a two-week window between April 9 and April 22. The email said customer billing names and addresses were accessed, as well as the last four digits of the payment card, its expiry date and the name of the card-issuing bank. The company said that customers' DigitalOcean accounts were "not accessed," and passwords and account tokens were "not involved" in this breach. "To be extra careful, we have implemented additional security monitoring on your account. We are expanding our security measures to reduce the likelihood of this kind of flaw occuring [sic] in the future," the email said. DigitalOcean said it fixed the flaw and notified data protection authorities, but it's not clear what the apparent flaw was that put customer billing information at risk. In a statement, DigitalOcean's security chief Tyler Healy said 1% of billing profiles were affected by the breach, but declined to address our specific questions, including how the vulnerability was discovered and which authorities have been informed.
