From the Washington Post: The U.S. government said Thursday that Russian government hackers who recently stole Microsoft corporate emails had obtained passwords and other secret material that might allow them to breach multiple U.S. agencies.

The Cybersecurity and Infrastructure Security Agency, an arm of the Department of Homeland Security, on Tuesday issued a rare binding directive to an undisclosed number of agencies requiring them to change any log-ins that were taken and investigate what else might be at risk. The directive was made public Thursday, after recipients had begun shoring up their defenses. The "successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies," CISA wrote. "This Emergency Directive requires agencies to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure."
"CISA officials told reporters it is so far unclear whether the hackers, associated with Russian military intelligence agency SVR, had obtained anything from the exposed agencies," according to the article. And the article adds that CISA "did not spell out the extent of any risks to national interests."

But the agency's executive assistant director for cybersecurity did tell the newspaper that "the potential for exposure of federal authentication credentials...does pose an exigent risk to the federal enterprise, hence the need for this directive and the actions therein." Microsoft's Windows operating system, Outlook email and other software are used throughout the U.S. government, giving the Redmond, Washington-based company enormous responsibility for the cybersecurity of federal employees and their work. But the longtime relationship is showing increasing signs of strain.... [T]he breach is one of a few severe intrusions at the company that have exposed many others elsewhere to potential hacking. Another of those incidents — in which Chinese government hackers cracked security in Microsoft's cloud software offerings to steal email from State Department and Commerce Department officials — triggered a major federal review that last week called on the company to overhaul its culture, which the Cyber Safety Review Board cited as allowing a "cascade of avoidable errors."

An anonymous reader quotes a report from Ars Technica: Influential US Senator Sherrod Brown (D-Ohio) has called on U.S. President Joe Biden to ban electric vehicles from Chinese brands. Brown calls Chinese EVs "an existential threat" to the U.S. automotive industry and says that allowing imports of cheap EVs from Chinese brands "is inconsistent with a pro-worker industrial policy." Brown's letter to the president (PDF) is the most recent to sound alarms about the threat of heavily subsidized Chinese EVs moving into established markets. Brands like BYD and MG have been on sale in the European Union for some years now, and last October, the EU launched an anti-subsidy investigation into whether the Chinese government is giving Chinese brands an unfair advantage.

The EU probe won't wrap until November, but another report published this week found that government subsidies for green technology companies are prevalent in China. BYD, which now sells more EVs than Tesla, has benefited from almost $4 billion (3.7 billion euro) in direct help from the Chinese government in 2022, according to a study by the Kiel Institute. Last month, the EU even started paying extra attention to imports of Chinese EVs, issuing a threat of retroactive tariffs that could start being imposed this summer. Chinese EV imports to the EU have increased by 14 percent since the start of its investigation, but they have yet to really begin in the U.S., where there are a few barriers in their way. Chinese batteries make an EV ineligible for the IRS's clean vehicle tax credit, for one thing. And Chinese-made vehicles (like the Lincoln Nautilus, Buick Envision, and Polestar 2) are already subject to a 27.5 percent import tax.

But Chinese EVs are on sale in Mexico already, and that has American automakers worried. Last year, Ford CEO Jim Farley said he saw Chinese automakers "as the main competitors, not GM or Toyota." And in January, Tesla CEO Elon Musk said he believed that "if there are no trade barriers established, they will pretty much demolish most other car companies in the world." [...] It's not just the potential damage to the U.S. auto industry that has prompted this letter. Brown wrote that he is concerned about the risk of China having access to data collected by connected cars, "whether it be information about traffic patterns, critical infrastructure, or the lives of Americans," pointing out that "China does not allow American-made electric vehicles near their official buildings." At the end of February, the Commerce Department also warned of the security risk from Chinese-connected cars and revealed it has launched an investigation into the matter. "When the goal is to dominate a sector, tariffs are insufficient to stop their attack on American manufacturing," Brown wrote. "Instead, the Administration should act now to ban Chinese EVs before they destroy the potential for the U.S. EV market. For this reason, no solution should be left off the table, including the use of Section 421 (China Safeguard) of the Trade Act of 1974, or some other authority."

An anonymous reader quotes a report from Wired: A controversial US wiretap program days from expiration cleared a major hurdle on its way to being reauthorized. After months of delays, false starts, and interventions by lawmakers working to preserve and expand the US intelligence community's spy powers, the House of Representatives voted on Friday to extend Section 702 (PDF) of the Foreign Intelligence Surveillance Act (FISA) for two years. Legislation extending the program -- controversial for being abused by the government -- passed in the House in a 273-147 vote. The Senate has yet to pass its own bill.

Section 702 permits the US government to wiretap communications between Americans and foreigners overseas. Hundreds of millions of calls, texts, and emails are intercepted by government spies each with the "compelled assistance" of US communications providers. The government may strictly target foreigners believed to possess "foreign intelligence information," but it also eavesdrops on the conversations of an untold number of Americans each year. (The government claims it is impossible to determine how many Americans get swept up by the program.) The government argues that Americans are not themselves being targeted and thus the wiretaps are legal. Nevertheless, their calls, texts, and emails may be stored by the government for years, and can later be accessed by law enforcement without a judge's permission. The House bill also dramatically expands the statutory definition for communication service providers, something FISA experts, including Marc Zwillinger -- one of the few people to advise the Foreign Intelligence Surveillance Court (FISC) -- have publicly warned against.

The FBI's track record of abusing the program kicked off a rare detente last fall between progressive Democrats and pro-Trump Republicans -- both bothered equally by the FBI's targeting of activists, journalists, anda sitting member of Congress. But in a major victory for the Biden administration, House members voted down an amendment earlier in the day that would've imposed new warrant requirements on federal agencies accessing Americans' 702 data. The warrant amendment was passed earlier this year by the House Judiciary Committee, whose long-held jurisdiction over FISA has been challenged by friends of the intelligence community. Analysis by the Brennan Center this week found that 80 percent of the base text of the FISA reauthorization bill had been authored by intelligence committee members.

Scientists from Oxford University Physics have developed a breakthrough in cloud-based quantum computing that could allow it to be harnessed by millions of individuals and companies. The findings have been published in the journal Physical Review Letters. Phys.Org reports: In the new study, the researchers use an approach dubbed "blind quantum computing," which connects two totally separate quantum computing entities -- potentially an individual at home or in an office accessing a cloud server -- in a completely secure way. Importantly, their new methods could be scaled up to large quantum computations. "Using blind quantum computing, clients can access remote quantum computers to process confidential data with secret algorithms and even verify the results are correct, without revealing any useful information. Realizing this concept is a big step forward in both quantum computing and keeping our information safe online," said study lead Dr. Peter Drmota, of Oxford University Physics.

The researchers created a system comprising a fiber network link between a quantum computing server and a simple device detecting photons, or particles of light, at an independent computer remotely accessing its cloud services. This allows so-called blind quantum computing over a network. Every computation incurs a correction that must be applied to all that follow and needs real-time information to comply with the algorithm. The researchers used a unique combination of quantum memory and photons to achieve this. The results could ultimately lead to commercial development of devices to plug into laptops, to safeguard data when people are using quantum cloud computing services. "We have shown for the first time that quantum computing in the cloud can be accessed in a scalable, practical way which will also give people complete security and privacy of data, plus the ability to verify its authenticity," said Professor David Lucas, who co-heads the Oxford University Physics research team and is lead scientist at the UK Quantum Computing and Simulation Hub, led from Oxford University Physics.

An anonymous reader quotes a report from KrebsOnSecurity: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening. New York City based Sisense has more than 1,000 customers across a range of industry verticals, including financial services, telecommunications, healthcare and higher education. On April 10, Sisense Chief Information Security Officer Sangram Dash told customers the company had been made aware of reports that "certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet.)" In its alert, CISA said it was working with private industry partners to respond to a recent compromise discovered by independent security researchers involving Sisense.

Sisense declined to comment when asked about the veracity of information shared by two trusted sources with close knowledge of the breach investigation. Those sources said the breach appears to have started when the attackers somehow gained access to the company's code repository at Gitlab, and that in that repository was a token or credential that gave the bad guys access to Sisense's Amazon S3 buckets in the cloud. Both sources said the attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.

The incident raises questions about whether Sisense was doing enough to protect sensitive data entrusted to it by customers, such as whether the massive volume of stolen customer data was ever encrypted while at rest in these Amazon cloud servers. It is clear, however, that unknown attackers now have all of the credentials that Sisense customers used in their dashboards. The breach also makes clear that Sisense is somewhat limited in the clean-up actions that it can take on behalf of customers, because access tokens are essentially text files on your computer that allow you to stay logged in for extended periods of time -- sometimes indefinitely. And depending on which service we're talking about, it may be possible for attackers to re-use those access tokens to authenticate as the victim without ever having to present valid credentials. Beyond that, it is largely up to Sisense customers to decide if and when they change passwords to the various third-party services that they've previously entrusted to Sisense. "If they are hosting customer data on a third-party system like Amazon, it better damn well be encrypted," said Nicholas Weaver, a researcher at University of California, Berkeley's International Computer Science Institute (ICSI) and lecturer at UC Davis. "If they are telling people to rest credentials, that means it was not encrypted. So mistake number one is leaving Amazon credentials in your Git archive. Mistake number two is using S3 without using encryption on top of it. The former is bad but forgivable, but the latter given their business is unforgivable."

An anonymous reader quotes a report from Ars Technica: Hardware sold for years by the likes of Intel and Lenovo contains a remotely exploitable vulnerability that will never be fixed. The cause: a supply chain snafu involving an open source software package and hardware from multiple manufacturers that directly or indirectly incorporated it into their products. Researchers from security firm Binarly have confirmed that the lapse has resulted in Intel, Lenovo, and Supermicro shipping server hardware that contains a vulnerability that can be exploited to reveal security-critical information. The researchers, however, went on to warn that any hardware that incorporates certain generations of baseboard management controllers made by Duluth, Georgia-based AMI or Taiwan-based AETN are also affected.

BMCs are tiny computers soldered into the motherboard of servers that allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of servers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system -- even when it's turned off. BMCs provide what's known in the industry as "lights-out" system management. AMI and AETN are two of several makers of BMCs. For years, BMCs from multiple manufacturers have incorporated vulnerable versions of open source software known as lighttpd. Lighttpd is a fast, lightweight web server that's compatible with various hardware and software platforms. It's used in all kinds of wares, including in embedded devices like BMCs, to allow remote administrators to control servers remotely with HTTP requests. [...] "All these years, [the lighttpd vulnerability] was present inside the firmware and nobody cared to update one of the third-party components used to build this firmware image," Binarly researchers wrote Thursday. "This is another perfect example of inconsistencies in the firmware supply chain. A very outdated third-party component present in the latest version of firmware, creating additional risk for end users. Are there more systems that use the vulnerable version of lighttpd across the industry?"

The vulnerability makes it possible for hackers to identify memory addresses responsible for handling key functions. Operating systems take pains to randomize and conceal these locations so they can't be used in software exploits. By chaining an exploit for the lighttpd vulnerability with a separate vulnerability, hackers could defeat this standard protection, which is known as address space layout randomization. The chaining of two or more exploits has become a common feature of hacking attacks these days as software makers continue to add anti-exploitation protections to their code. Tracking the supply chain for multiple BMCs used in multiple server hardware is difficult. So far, Binarly has identified AMI's MegaRAC BMC as one of the vulnerable BMCs. The security firm has confirmed that the AMI BMC is contained in the Intel Server System M70KLP hardware. Information about BMCs from ATEN or hardware from Lenovo and Supermicro aren't available at the moment. The vulnerability is present in any hardware that uses lighttpd versions 1.4.35, 1.4.45, and 1.4.51. "A potential attacker can exploit this vulnerability in order to read memory of Lighttpd Web Server process," Binarly researchers wrote in an advisory. "This may lead to sensitive data exfiltration, such as memory addresses, which can be used to bypass security mechanisms such as ASLR." Advisories are available here, here, and here.

Microsoft has started showing full screen warnings about the upcoming end of support date on Windows 10 PCs. From a report: Users on Reddit have reported seeing the prompt, which began appearing after this week's Patch Tuesday updates were installed, and encourages the user to learn more about how they can transition to Windows 11. Windows 10's end of support date is currently set for October 14, 2025. After that date, Windows 10 users will no longer receive critical security and bug fix updates, leaving any Windows 10 PC connected to the internet vulnerable to any newly discovered security exploits. The full screen prompt that is now appearing on some Windows 10 PCs thanks the user for their loyalty using Windows 10, and warns that this end of life (EOL) date is approaching. It also wastes no time advertising Windows 11, encouraging the user to learn more about how they can transition to a new Windows 11 PC. Notably, there's no button to tell the prompt to never show again.

Apple sent threat notifications to iPhone users in 92 countries on Wednesday, warning them that may have been targeted by mercenary spyware attacks. From a report: The company said it sent the alerts to individuals in 92 nations at 12pm Pacific Time Wednesday. The notification, which TechCrunch has seen, did not disclose the attackers' identities or the countries where users received notifications.

"Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID -xxx-," it wrote in the warning to affected customers. "This attack is likely targeting you specifically because of who you are or what you do. Although it's never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning -- please take it seriously," Apple added in the text.

Zack Whittaker and Carly Page report via TechCrunch: Microsoft has resolved a security lapse that exposed internal company files and credentials to the open internet. Security researchers Can Yoleri, Murat Ozfidan and Egemen Kochisarli with SOCRadar, a cybersecurity company that helps organizations find security weaknesses, discovered an open and public storage server hosted on Microsoft's Azure cloud service that was storing internal information relating to Microsoft's Bing search engine. The Azure storage server housed code, scripts and configuration files containing passwords, keys and credentials used by the Microsoft employees for accessing other internal databases and systems. But the storage server itself was not protected with a password and could be accessed by anyone on the internet.

Yoleri told TechCrunch that the exposed data could potentially help malicious actors identify or access other places where Microsoft stores its internal files. Identifying those storage locations "could result in more significant data leaks and possibly compromise the services in use," Yoleri said. The researchers notified Microsoft of the security lapse on February 6, and Microsoft secured the spilling files on March 5. It's not known for how long the cloud server was exposed to the internet, or if anyone other than SOCRadar discovered the exposed data inside.

Vinod Khosla, the founder of venture capital firm Khosla Ventures, opines on the bill that seeks to ban TikTok or force its parent firm to divest the U.S. business: Even if one could argue that this bill strikes at the First Amendment, there is legal precedent for doing so. In 1981, Haig vs Agee established that there are circumstances under which the government can lawfully impinge upon an individual's First Amendment rights if it is necessary to protect national security and prevent substantial harm. TikTok and the AI that can be channelled through it are national and homeland security issues that meet these standards.

Should this bill turn into law, the president would have the power to force any foreign-owned social media to be sold if US intelligence agencies deem them a national security threat. This broader scope should protect against challenges that this is a bill of attainder. Similar language helped protect effective bans on Huawei and Kaspersky Lab. As for TikTok's value as a boon to consumers and businesses, there are many companies that could quickly replace it. In 2020, after India banned TikTok amid geopolitical tensions between Beijing and New Delhi, services including Instagram Reels, YouTube Shorts, MX TakaTak, Chingari and others filled the void.Â

Few appreciate that TikTok is not available in China. Instead, Chinese consumers use Douyin, the sister app that features educational and patriotic videos, and is limited to 40 minutes per day of total usage. Spinach for Chinese kids, fentanyl -- another chief export of China's -- for ours. Worse still, TikTok is a programmable fentanyl whose effects are under the control of the CCP.

After 64 years of service, ULA on Tuesday launched its last-ever Delta rocket carrying a classified payload for the U.S. National Reconnaissance Office (NRO). "The powerful booster departed Space Launch Complex-37 (SLC-37) at Cape Canaveral Space Force Station in Florida at 12:53 p.m. EDT (1653 GMT), literally setting itself on fire for the 16th and final time," reports Space.com. From the report: That spectacle, which was unique to the Delta IV in its heaviest configuration, was the result of hydrogen building up in the flame trench and then rising up alongside the rocket after it was used to cool down the three RS-68A engines to cryogenic temperatures. When the engines fired, the hydrogen ignited and flames lapped at the orange insulation covering the core stage and its two side-mounted boosters. The two boosters were jettisoned about four minutes into the flight, followed by the core, or first stage, separating one minute and 45 seconds later. A single RL10C-2-1 engine on the Delta cryogenic second stage then took over, propelling the NROL-70 payload into space. Due to national security concerns, coverage of the launch ceased following fairing jettison at about 6 minutes and 40 seconds into the flight.

ULA is retiring the Delta IV, and eventually its other legacy rocket, the Atlas V, in favor of its newly introduced Vulcan, which flew a near-perfect first mission in January. The Vulcan was developed to replace both long-flying rockets in all of their configurations. "This is a great mission to think about that transition, because national security space missions is our core and the unique set of missions there require a high-energy launch vehicle. We designed Vulcan specifically for that," said [Tory Bruno, chief executive officer of United Launch Alliance]. In addition to being the 16th Delta IV Heavy, Tuesday's launch was also the 45th liftoff of a Delta IV, the 35th Delta IV to fly from Florida and the 389th Delta launch of any kind since 1960 (of which 294 were sent skyward from Cape Canaveral). Half of the Delta IV Heavy launches were devoted to sending NRO payloads into orbit. The rocket and its less powerful configurations were also used in support of NASA, NOAA (the U.S. National Oceanic and Atmospheric Administration), U.S. Air Force and commercial payloads.

Late last year the messaging app Beeper raised the ire of Apple when it found a way to recreate Apple's infamous "blue bubble" messaging on Android. Apple later hobbled Beeper, but it's not an entirely unhappy ending: The startup has been acquired in a deal valued at $125 million. From a report: Founded three years ago, Beeper is being snapped up by Automattic, the respected parent company of WordPress, the blogging and content management platform, as well as Tumblr, which it acquired in 2019. Beeper cofounder Eric Migicovsky said that the company will continue to exist as a stand-alone product within Automattic, and that all of Beeper's 27 employees -- who, like Automattic's employees, are entirely remote -- will be absorbed into the larger entity.

Exact financial terms of the acquisition weren't disclosed. According to Migicovsky, Beeper will be part of Automattic's broader strategy to offer more messaging features. Automattic first invested in Beeper in 2022, and late last year snatched up another messaging app, Texts, for $50 million. The acquisition comes on the heels of a highly publicized battle between Beeper and Apple, in which Beeper tried to bridge the gap between Android messaging and iMessage but was ultimately thwarted. It was unable to monetize its app and, with 30,000 users as of writing, hadn't reached critical mass.

Japan's largest telecommunications company and the country's biggest newspaper called for speedy legislation to restrain generative AI, saying democracy and social order could collapse if AI is left unchecked. From a report: Nippon Telegraph and Telephone, or NTT, and Yomiuri Shimbun Group Holdings made the proposal in an AI manifesto to be released Monday. Combined with a law passed in March by the European Parliament restricting some uses of AI, the manifesto points to rising concern among American allies about the AI programs U.S.-based companies have been at the forefront of developing.

The Japanese companies' manifesto, while pointing to the potential benefits of generative AI in improving productivity, took a generally skeptical view of the technology. Without giving specifics, it said AI tools have already begun to damage human dignity because the tools are sometimes designed to seize users' attention without regard to morals or accuracy. Unless AI is restrained, "in the worst-case scenario, democracy and social order could collapse, resulting in wars," the manifesto said. It said Japan should take measures immediately in response, including laws to protect elections and national security from abuse of generative AI.

The U.S. Commerce Department said on Monday it would award Taiwan Semiconductor Manufacturing Co's unit a $6.6 billion subsidy for advanced semiconductor production in Phoenix, Arizona and up to $5 billion in low-cost government loans. From a report: TSMC agreed to expand its planned investment by $25 billion to $65 billion and to add a third Arizona fab by 2030, Commerce said in announcing the preliminary award. The Taiwanese company will produce the world's most advanced 2 nanometer technology at its second Arizona fab expected to begin production in 2028, the department said.

"These are the chips that underpin all artificial intelligence, and they are the chips that are necessary components for the technologies that we need to underpin our economy, but frankly, a 21st century military and national security apparatus," Commerce Secretary Gina Raimondo said in a statement. TSMC, the world's largest contract chipmaker and a major supplier to Apple and Nvidia had previously announced plans to invest $40 billion in Arizona. TSMC expects to begin high-volume production in its first U.S. fab there by the first half of 2025, Commerce said. The $65 billion-plus investment by TSMC is the largest foreign direct investment in a completely new project in U.S. history, the department said.

It's the world's most widely used vulnerability database, reports SC Magazine, offering standards-based data on CVSS severity scores, impacted software and platforms, contributing weaknesses, and links to patches and additional resources.

But "there is a growing backlog of vulnerabilities" submitted to America's National Vulnerability Database and "requiring analysis", according to a new announcement from the U.S. Commerce Department's National Institute of Standards. "This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support." From SC Magazine: According to NIST's website, the institute analyzed only 199 of 3370 CVEs it received last month. [And this month another 677 came in — of which 24 have been analyzed.]

Other than a short notice advising it was working to establish a new consortium to improve the NVD, NIST had not provided a public explanation for the problems prior to a statement published [April 2]... "Currently, we are prioritizing analysis of the most significant vulnerabilities. In addition, we are working with our agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well."

NIST, which had its budget cut by almost 12% this year by lawmakers, said it was committed to continuing to support and manage the NVD, which it described as "a key piece of the nation's cybersecurity infrastructure... We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government and other stakeholder organizations that can collaborate on research to improve the NVD," the statement said. "We will provide more information as these plans develop..."

A group of cybersecurity professionals have signed an open letter to Congress and Commerce Secretary Gina Raimondo in which they say the enrichment issue is the result of a recent 20% cut in NVD funding.
The article also cites remarks from NVD program manager Tanya Brewer (reported by Infosecurity Magazine) from last week's VulnCon conference on plans to establish a NVD consortium. "We're not going to shut down the NVD; we're in the process of fixing the current problem. And then, we're going to make the NVD robust again and we'll make it grow."

Thanks to Slashdot reader spatwei for sharing the article.

The foundations behind Rust, Python, Apache, Eclipse, PHP, OpenSSL, and Blender announced plans to create "common specifications for secure software development," based on "existing open source best practices."

From the Eclipse Foundation: This collaborative effort will be hosted at the Brussels-based Eclipse Foundation [an international non-profit association] under the auspices of the Eclipse Foundation Specification Process and a new working group... Other code-hosting open source foundations, SMEs, industry players, and researchers are invited to join in as well.

The starting point for this highly technical standardisation effort will be today's existing security policies and procedures of the respective open source foundations, and similar documents describing best practices.

The governance of the working group will follow the Eclipse Foundation's usual member-led model but will be augmented by explicit representation from the open source community to ensure diversity and balance in decision-making. The deliverables will consist of one or more process specifications made available under a liberal specification copyright licence and a royalty-free patent licence... While open source communities and foundations generally adhere to and have historically established industry best practices around security, their approaches often lack alignment and comprehensive documentation.

The open source community and the broader software industry now share a common challenge: legislation has introduced an urgent need for cybersecurity process standards.
The Apache Foundation notes the working group is forming partly "to demonstrate our commitment to cooperation with and implementation of" the EU's Cyber Resilience Act. But the Eclipse Foundation adds that even before it goes into effect in 2027, they're recognizing open source software's "increasingly vital role in modern society" and an increasing need for reliability, safety, and security, so new regulations like the CRA "underscore the urgency for secure by design and robust supply chain security standards."

Their announcement adds that "It is also important to note that it is similarly necessary that these standards be developed in a manner that also includes the requirements of proprietary software development, large enterprises, vertical industries, and small and medium enterprises." But at the same time, "Today's global software infrastructure is over 80% open source... [W]hen we discuss the 'software supply chain,' we are primarily, but not exclusively, referring to open source."

"We invite you to join our collaborative effort to create specifications for secure open source development," their announcement concludes," promising initiative updates on a new mailing list. "Contribute your ideas and participate in the magic that unfolds when open source foundations, SMEs, industry leaders, and researchers combine forces to tackle big challenges."

The Python Foundation's announcement calls it a "community-driven initiative" that will have "a lasting impact on the future of cybersecurity and our shared open source communities."

On Mozilla's blog, engineer Martin Thomson explores Google's "Privacy Sandbox" initiative (which proposes sharing a subset of private user information — but without third-party cookies).

The blog post concludes that Google's Protected Audience "protects advertisers (and Google) more than it protects you." But it's not all bad — in theory: The idea behind Protected Audience is that it creates something like an alternative information dimension inside of your (Chrome) browser... Any website can push information into that dimension. While we normally avoid mixing data from multiple sites, those rules are changed to allow that. Sites can then process that data in order to select advertisements. However, no one can see into this dimension, except you. Sites can only open a window for you to peek into that dimension, but only to see the ads they chose...

Protected Audience might be flawed, but it demonstrates real potential. If this is possible, that might give people more of a say in how their data is used. Rather than just have someone spy on your every action then use that information as they like, you might be able to specify what they can and cannot do. The technology could guarantee that your choice is respected. Maybe advertising is not the first thing you would do with this newfound power, but maybe if the advertising industry is willing to fund investments in new technology that others could eventually use, that could be a good thing.
But here's some of the blog post's key criticisms:

• "[E]ntities like Google who operate large sites, might rely less on information from other sites. Losing the information that comes from tracking people might affect them far less when they can use information they gather from their many services... [W]e have a company that dominates both the advertising and browser markets, proposing a change that comes with clear privacy benefits, but it will also further entrench its own dominance in the massively profitable online advertising market..."

• "[T]he proposal fails to meet its own privacy goals. The technical privacy measures in Protected Audience fail to prevent sites from abusing the API to learn about what you did on other sites.... Google loosened privacy protections in a number of places to make it easier to use. Of course, by weakening protections, the current proposal provides no privacy. In other words, to help make Protected Audience easier to use, they made the design even leakier..."

• "A lot of these leaks are temporary. Google has a plan and even a timeline for closing most of the holes that were added to make Protected Audience easier to use for advertisers. The problem is that there is no credible fix for some of the information leaks embedded in Protected Audience's architecture... In failing to achieve its own privacy goals, Protected Audience is not now — and maybe not ever — a good addition to the Web."

While the European Parliament passed a wide-ranging "AI Act" in March, "Leaders from Microsoft, Google, and OpenAI have all called for AI regulations in the U.S.," writes CIO magazine. Even the Chamber of Commerce, "often opposed to business regulation, has called on Congress to protect human rights and national security as AI use expands," according to the article, while the White House has released a blueprint for an AI bill of rights.

But even though the U.S. Congress hasn't passed AI legislation — 16 different U.S. states have, "and state legislatures have already introduced more than 400 AI bills across the U.S. this year, six times the number introduced in 2023." Many of the bills are targeted both at the developers of AI technologies and the organizations putting AI tools to use, says Goli Mahdavi, a lawyer with global law firm BCLP, which has established an AI working group. And with populous states such as California, New York, Texas, and Florida either passing or considering AI legislation, companies doing business across the US won't be able to avoid the regulations. Enterprises developing and using AI should be ready to answer questions about how their AI tools work, even when deploying automated tools as simple as spam filtering, Mahdavi says. "Those questions will come from consumers, and they will come from regulators," she adds. "There's obviously going to be heightened scrutiny here across the board."
There's sector-specific bills, and bills that demand transparency (of both development and output), according to the article. "The third category of AI bills covers broad AI bills, often focused on transparency, preventing bias, requiring impact assessment, providing for consumer opt-outs, and other issues."

One example the article notes is Senate Bill 1047, introduced in the California State Legislature in February, "would require safety testing of AI products before they're released, and would require AI developers to prevent others from creating derivative models of their products that are used to cause critical harms."

Adrienne Fischer, a lawyer with Basecamp Legal, a Denver law firm monitoring state AI bills, tells CIO that many of the bills promote best practices in privacy and data security, but said the fragmented regulatory environment "underscores the call for national standards or laws to provide a coherent framework for AI usage."

Thanks to Slashdot reader snydeq for sharing the article.

Slashdot reader Mononymous writes: The latest release of OpenBSD, the FOSS Unix-like operating system focused on correctness and security over features and performance, has been released. This version includes newer driver support, performance improvements, stability fixes, and lots of package updates. One highlight is a complete port of KDE Plasma 5.

You can view the announcement and get the bits at OpenBSD.org.
Phoronix reports that with OpenBSD 7.5 "there is a number of improvements for ARM (AArch64) hardware, never-ending kernel optimizations and other tuning work, countless package updates, and other adjustments to this popular BSD platform."

Matthew Connatser reports via The Register: A study has concluded that Apple's privacy practices aren't particularly effective, because default apps on the iPhone and Mac have limited privacy settings and confusing configuration options. The research was conducted by Amel Bourdoucen and Janne Lindqvist of Aalto University in Finland. The pair noted that while many studies had examined privacy issues with third-party apps for Apple devices, very little literature investigates the issue in first-party apps -- like Safari and Siri. The aims of the study [PDF] were to investigate how much data Apple's own apps collect and where it's sent, and to see if users could figure out how to navigate the landscape of Apple's privacy settings.

The lengths to which Apple goes to secure its ecosystem -- as described in its Platform Security Guide [PDF] -- has earned it kudos from the information security world. Cupertino uses its hard-earned reputation as a selling point and as a bludgeon against Google. Bourdoucen and Janne Lindqvist don't dispute Apple's technical prowess, but argue that it is undermined by confusing user interfaces. "Our work shows that users may disable default apps, only to discover later that the settings do not match their initial preference," the paper states. "Our results demonstrate users are not correctly able to configure the desired privacy settings of default apps. In addition, we discovered that some default app configurations can even reduce trust in family relationships."

The researchers criticize data collection by Apple apps like Safari and Siri, where that data is sent, how users can (and can't) disable that data tracking, and how Apple presents privacy options to users. The paper illustrates these issues in a discussion of Apple's Siri voice assistant. While users can ostensibly choose not to enable Siri in the initial setup on macOS-powered devices, it still collects data from other apps to provide suggestions. To fully disable Siri, Apple users must find privacy-related options across five different submenus in the Settings app. Apple's own documentation for how its privacy settings work isn't good either. It doesn't mention every privacy option, explain what is done with user data, or highlight whether settings are enabled or disabled. Also, it's written in legalese, which almost guarantees no normal user will ever read it. "We discovered that the features are not clearly documented," the paper concludes. "Specifically, we discovered that steps required to disable features of default apps are largely undocumented and the data handling practices are not completely disclosed."