Robert Grupe's AppSecNewsBits 2025-02-08

This week's Lame List: More secrets in code, Supply Chain attacks from not using SCA scanning, SSDF/SSDLC fails, etc.

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response

GrubHub data breach impacts customers, drivers, and merchants
"Our investigation found that the intrusion originated with an account belonging to a third-party service provider that provided support services to Grubhub." The attackers gained access to names, email addresses, and phone numbers, as well as partial payment card information (including card type and last four digits of the card number).
The unauthorized party also accessed hashed passwords for certain legacy systems.

 

Microsoft Identifies 3,000 Leaked ASP[.]NET Keys Enabling Code Injection Attacks
In December 2024 an unknown threat actor used a publicly available, static ASP[.]NET machine key to inject malicious code and deliver the Godzilla post-exploitation framework. Microsoft has since identified over 3,000 publicly disclosed keys that could be used for these types of attacks, which it calls ViewState code injection attacks.
Whereas many previously known ViewState code injection attacks used compromised or stolen keys that are often sold on dark web forums, these publicly disclosed keys could pose a higher risk because they are available in multiple code repositories and could have been pushed into development code without modification.
ViewState is a method used in the ASP[.]NET framework to preserve page and control values between postbacks. If these keys are stolen or made accessible to unauthorized third-parties, it opens the door to a scenario where the threat actor can leverage the keys to send a malicious ViewState request and execute arbitrary code.
To mitigate the risk posed by such attacks, it's advised to not copy keys from publicly available sources and to regularly rotate keys.
[rG SSDLC: Also ensure continuous (daily or on commit/merge events) scanning of code repositories to detect credential secrets in code, along with high-priority remediation of found issues.]
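As an added illustration of the repository scanning rG recommends (example code written for this digest, not Microsoft's tooling or anything from the original article): a small secret-scanner pass over web.config files that flags literal `validationKey`/`decryptionKey` values in a `<machineKey>` element, skips `AutoGenerate` settings, and records only a fingerprint of each key so findings can be de-duplicated and compared against an organisation's own list of known-exposed fingerprints. The file paths and hex values in the sample are constructed.

```python
import hashlib
import re
from typing import Dict, List

# Matches an explicit <machineKey .../> element in web.config or machine.config.
MACHINEKEY_RE = re.compile(r"<machineKey\b([^>]*)>", re.IGNORECASE)
# Pulls the validationKey / decryptionKey attribute values out of that element.
KEY_ATTR_RE = re.compile(r'(validationKey|decryptionKey)\s*=\s*"([^"]*)"', re.IGNORECASE)
# A literal key is a long hex string; "AutoGenerate[,IsolateApps]" is not a stored secret.
HEX_KEY_RE = re.compile(r"^[0-9A-Fa-f]{40,}$")


def scan_config(text: str, path: str = "<inline>") -> List[Dict[str, str]]:
    """Return one finding per hard-coded validationKey/decryptionKey in a config file.

    The key itself is never copied into the report: only a truncated SHA-256
    fingerprint is kept, which is enough to de-duplicate findings across
    repositories and to match against a list of fingerprints of known-public keys.
    """
    findings: List[Dict[str, str]] = []
    for element in MACHINEKEY_RE.finditer(text):
        for attr, value in KEY_ATTR_RE.findall(element.group(1)):
            value = value.strip()
            if value.lower().startswith("autogenerate"):
                continue  # framework generates the key per app/machine: nothing to leak
            if HEX_KEY_RE.match(value):
                findings.append({
                    "path": path,
                    "attribute": attr,
                    "fingerprint": hashlib.sha256(value.upper().encode()).hexdigest()[:16],
                })
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict[str, str]]:
    """Scan a {path: contents} mapping, e.g. the files touched by one commit."""
    out: List[Dict[str, str]] = []
    for path, contents in files.items():
        if path.lower().endswith((".config", ".xml")):
            out.extend(scan_config(contents, path))
    return out


# Constructed sample files: the hex values below are made up for this example.
SAMPLE_HARDCODED = """<configuration>
  <system.web>
    <machineKey validationKey="{v}"
                decryptionKey="{d}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>""".format(v="0123456789ABCDEF" * 8, d="FEDCBA9876543210" * 3)

SAMPLE_AUTOGEN = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""

if __name__ == "__main__":
    commit = {"src/App/web.config": SAMPLE_HARDCODED, "src/Other/web.config": SAMPLE_AUTOGEN}
    for f in scan_files(commit):
        print(f"{f['path']}: hard-coded {f['attribute']} (fingerprint {f['fingerprint']})")
```

Run on every commit or merge, a finding here should block the merge and trigger rotation of the affected key; a key that was ever pushed to a shared repository should be treated as public even after the commit is rewritten.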

 

7-Zip 0-day was exploited in Russia’s ongoing invasion of Ukraine
The vulnerability allowed a Russian cybercrime group to override a Windows protection designed to limit the execution of files downloaded from the Internet. The defense is commonly known as MotW, short for Mark of the Web. It works by placing a “Zone.Identifier” tag on all files downloaded from the Internet or from a networked share. This tag, a type of NTFS Alternate Data Stream and in the form of a ZoneID=3, subjects the file to additional scrutiny from Windows Defender SmartScreen and restrictions on how or when it can be executed.
Exploits worked by embedding an executable file within an archive and then embedding the archive into another archive. While the outer archive carried the MotW tag, the inner one did not.
To better disguise the attacks, the extension of the executable files was rendered with what are known as homoglyphs. These are characters that aren’t part of the ASCII standard, even though they appear to be identical or similar to certain ASCII characters.
The vulnerability, tracked as CVE-2025-0411, was fixed with the release of version 24.09 in late November. Anyone using 7-Zip, particularly on Windows, should ensure they’re using the latest version, which at the moment is 24.09.
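An added example of the kind of check a mail gateway or download scanner can apply to cover the two tricks described above (nested archives and homoglyph extensions); this is illustration code written for this digest, not 7-Zip's fix or anything from the original article. It walks ZIP-in-ZIP nesting with the standard library only (the article's inner archives were 7-Zip archives, which need a third-party library to open, so those are reported but not walked), reports any non-ASCII character in a file extension by its Unicode name, and includes a Windows-only helper that reads the Zone.Identifier stream. The sample archives are constructed in code.

```python
import io
import os
import unicodedata
import zipfile
from typing import List

ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar", ".iso", ".tar", ".gz", ".tgz")
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".msi", ".js", ".vbs",
                       ".bat", ".cmd", ".ps1", ".lnk", ".hta")


def has_mark_of_the_web(path: str) -> bool:
    """Windows only: True if the file carries a Zone.Identifier alternate data stream
    with ZoneId=3 (Internet zone). Always False on other platforms."""
    if os.name != "nt":
        return False
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as ads:
            return "ZoneId=3" in ads.read().replace(" ", "")
    except OSError:
        return False


def non_ascii_in_extension(name: str) -> List[str]:
    """Unicode names of non-ASCII characters in the final extension, e.g. a Cyrillic
    letter standing in for 'e' so that '.exe' is missed by an ASCII-only check."""
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    return [unicodedata.name(ch, "UNKNOWN") for ch in ext if ord(ch) > 127]


def scan_zip(data: bytes, depth: int = 0, max_depth: int = 3) -> List[str]:
    """Walk a ZIP and any ZIPs nested inside it, reporting what an archive-level
    Mark-of-the-Web check does not see: executables, homoglyph extensions and
    nested archives. Non-ZIP archive formats are reported but not opened."""
    findings: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"depth {depth}: not a valid ZIP"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            odd = non_ascii_in_extension(name)
            if odd:
                findings.append(f"depth {depth}: non-ASCII extension in {name!r}: {', '.join(odd)}")
            if lower.endswith(EXECUTABLE_SUFFIXES):
                findings.append(f"depth {depth}: executable {name!r}")
            if lower.endswith(ARCHIVE_SUFFIXES):
                findings.append(f"depth {depth}: nested archive {name!r}")
                if lower.endswith(".zip") and depth < max_depth:
                    findings.extend(scan_zip(zf.read(name), depth + 1, max_depth))
    return findings


def build_nested_sample() -> bytes:
    """Constructed input: outer.zip -> inner.zip -> 'report.exe' spelled with Cyrillic 'e'."""
    homoglyph_name = "report." + "\u0435x\u0435"   # renders like report.exe, bytes differ
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(homoglyph_name, b"constructed placeholder bytes, not an executable")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_sample() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("readme.txt", b"nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_zip(build_nested_sample()):
        print(line)
```

Note that the homoglyph file is not caught by the `.exe` suffix test at all; it is only the non-ASCII check that surfaces it, which is exactly why an extension allow-list on its own is not enough.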

 

Go Module Mirror served backdoor to devs for 3+ years
A mirror proxy Google runs on behalf of developers of the Go programming language pushed a backdoored package for more than three years until Monday, after researchers who spotted the malicious code petitioned for it to be taken down twice. The Go Module Mirror caches open source packages available on GitHub and elsewhere so that downloads are faster and to ensure they are compatible with the rest of the Go ecosystem. By default, when someone uses command-line tools built into Go to download or install packages, requests are routed through the service. A description on the site says the proxy is provided by the Go team and “run by Google.”
The malicious module was named boltdb-go/bolt, a variation of widely adopted boltdb/bolt, which 8,367 other packages depend on to run.
[rG DevSecOps: Illustrating the need to continuously use SCA scanners on all application coding projects to ensure notification of known vulnerable components.]

 

Experts Flag Security, Privacy Risks in DeepSeek AI App
Many of DeepSeek’s design choices — such as using hard-coded encryption keys, and sending unencrypted user and device data to Chinese companies — introduce a number of glaring security and privacy risks. The device information shared, combined with the user’s Internet address and data gathered from mobile advertising companies, could be used to deanonymize users. The iOS app transmits device information “in the clear,” without any encryption to encapsulate the data. This means the data being handled by the app could be intercepted, read, and even modified by anyone who has access to any of the networks that carry the app’s traffic. The app selectively encrypts portions of the responses coming from DeepSeek servers. But they also found it uses an insecure and now deprecated encryption algorithm called 3DES (aka Triple DES), and that the developers had hard-coded the encryption key. That means the cryptographic key needed to decipher those data fields can be extracted from the app itself.
Researchers link DeepSeek’s blockbuster chatbot to Chinese telecom banned from doing business in US
The web login page of DeepSeek’s chatbot contains heavily obfuscated computer script that when deciphered shows connections to computer infrastructure owned by China Mobile. The U.S. Federal Communications Commission unanimously denied China Mobile authority to operate in the United States in 2019, citing “substantial” national security concerns about links between the company and the Chinese state. In 2021, the Biden administration also issued sanctions limiting the ability of Americans to invest in China Mobile after the Pentagon linked it to the Chinese military.

 

Abandoned AWS S3 buckets can be reused in supply-chain attacks that would make SolarWinds look 'insignificant'
Researchers say they identified about 150 Amazon-hosted cloud storage buckets that were long gone yet applications and websites were still trying to pull software updates and other code from them. If someone were to take over those buckets, they could use them to feed malicious software into people's devices.
The S3 buckets received more than eight million requests for resources including Windows, Linux, and macOS executables; virtual machine images; JavaScript files; CloudFormation templates; and SSL VPN server configurations. These incoming requests came from NASA and other US government networks, along with government orgs in the UK and other countries, judging from domain records.
Military networks, plus those belonging to Fortune 500 and Fortune 100 companies, a "major payment card network," and a "major industrial product company," also pinged the S3 buckets.
In one example from the research: The team spotted a CISA industrial control system security advisory from 2012 that directed users to a patch accessed via an S3 bucket. The bucket has since been abandoned, but was still referenced on the CISA webpage.
[rG: Orgs need to regularly verify that all data stores are still in active, valid use, and to decommission and delete those that aren't.]

 

Cloudflare outage caused by botched blocking of phishing URL
An attempt to block a phishing URL in Cloudflare's R2 object storage platform backfired, triggering a widespread outage that brought down multiple services for nearly an hour.
An employee responded to an abuse report about a phishing URL in Cloudflare's R2 platform. However, instead of blocking the specific endpoint, the employee mistakenly turned off the entire R2 Gateway service.
"This was a failure of multiple system level controls (first and foremost) and operator training." Cloudflare has now implemented immediate fixes like removing the ability to turn off systems in the abuse review interface and restrictions in the Admin API to prevent service disablement in internal accounts. Additional measures to be implemented in the future include improved account provisioning, stricter access control, and a two-party approval process for high-risk actions.
In November 2024, Cloudflare experienced another notable outage for 3.5 hours, resulting in the irreversible loss of 55% of all logs in the service. That incident was caused by cascading failures in Cloudflare's automatic mitigation systems triggered by pushing a wrong configuration to a key component in the company's logging pipeline.
[rG SSDLC Roulette: The consequences of inadequate system design security reviews and implementation controls prior to production operations; resulting in reputation damage and increased remediation costs.]

 

HPE notifies employees of data breach after Russian Office 365 hack from 2023
Hewlett Packard Enterprise (HPE) is notifying employees whose data was stolen from the company's Office 365 email environment by Russian state-sponsored hackers in a May 2023 cyberattack. HPE started sending the breach notification letters last month to at least 16 people who had their driver's licenses, credit card numbers, and Social Security numbers stolen.
"We determined that this nation-state actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions. We believe the nation-state actor is Midnight Blizzard, also known as Cozy Bear."
In the SEC filing, HPE added that the Office 365 incident was likely related to another May 2023 breach, when threat actors accessed the company's SharePoint server and stole files.
[rG: With Single-Sign-Ons, I suspect the intrusion with persistence is probably much deeper than this.]

 

What's Weak This Week 
[Vendors who could have avoided public shaming with secure software development and testing practices.] 

  • CVE-2024-21413 Microsoft Outlook Improper Input Validation Vulnerability: Microsoft Outlook contains an improper input validation vulnerability that allows for remote code execution. Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode.

  • CVE-2025-0411 7-Zip Mark of the Web Bypass Vulnerability: 7-Zip contains a protection mechanism failure vulnerability that allows remote attackers to bypass the Mark-of-the-Web security feature to execute arbitrary code in the context of the current user.

  • CVE-2025-0994 Trimble Cityworks Deserialization Vulnerability: Trimble Cityworks contains a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server.

  • CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability: CyberoamOS (CROS) contains a SQL injection vulnerability in the WebAdmin that allows an unauthenticated attacker to execute arbitrary SQL statements remotely.

  • CVE-2018-9276 Paessler PRTG Network Monitor OS Command Injection Vulnerability: Paessler PRTG Network Monitor contains an OS command injection vulnerability that allows an attacker with administrative privileges to execute commands via the PRTG System Administrator web console.

  • CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability: Paessler PRTG Network Monitor contains a local file inclusion vulnerability that allows a remote, unauthenticated attacker to create users with read-write privileges (including administrator).

  • CVE-2022-23748 Dante Discovery Process Control Vulnerability: Dante Discovery contains a process control vulnerability in mDNSResponder.exe that allows for a DLL sideloading attack. A local attacker can leverage this vulnerability in the Dante Application Library to execute arbitrary code.

  • CVE-2020-15069 Sophos XG Firewall Buffer Overflow Vulnerability: Sophos XG Firewall contains a buffer overflow vulnerability that allows for remote code execution via the "HTTP/S bookmark" feature.

  • CVE-2024-53104 Linux Kernel Out-of-Bounds Write Vulnerability: Linux kernel contains an out-of-bounds write vulnerability in the uvc_parse_streaming component of the USB Video Class (UVC) driver that could allow for physical escalation of privilege.

  • CVE-2024-45195 Apache OFBiz Forced Browsing Vulnerability: Apache OFBiz contains a forced browsing vulnerability that allows a remote attacker to obtain unauthorized access.

  • CVE-2024-29059 Microsoft .NET Framework Information Disclosure Vulnerability: Microsoft .NET Framework contains an information disclosure vulnerability that exposes the ObjRef URI to an attacker, ultimately enabling remote code execution.

 

HACKING

22-year-old math wiz indicted for alleged DeFi hack that stole $65M
Andean Medjedovic, now 22 years old, exploited vulnerabilities in the KyberSwap and Indexed Finance smart contracts by using “manipulative trading practices.”
A Canadian national who holds a master’s degree in mathematics from the University of Waterloo, Medjedovic has been at large since 2021, when officials in Ontario charged him with pulling off the heist against Indexed Finance to steal $16.5 million in cryptocurrency.
In November 2023, he allegedly used hundreds of millions of dollars in borrowed cryptocurrency to cause artificial prices in the KyberSwap liquidity pools. He then calculated precise combinations of trades that would induce the KyberSwap smart contract system—known as the AMM, or automated market makers—to “glitch.” The scheme allegedly allowed Medjedovic to steal roughly $48.8 million from 77 KyberSwap liquidity pools on six public blockchains. He allegedly also tried to extort developers of the KyberSwap protocol, investors, and members of the decentralized autonomous organization (DAO), and offered to return 50 percent of the stolen cryptocurrency in return for him receiving control of the KyberSwap protocol.
The alleged hack is only the latest to target smart contracts [aka blockchain], which in theory are enforced by code that can't be interfered with by humans once executed.

 

Ransomware payments declined in 2024 despite massive, well-known hacks
The numbers tell a surprising story: Ransomware payments actually fell overall in 2024—and in the second half of the year dropped more precipitously than in any six-month period on record. Researchers theorized that the dropoff is likely due to law enforcement takedowns and disruptions, some of which had delayed effects that weren't immediately apparent in the first half of the year as ransomware victims and the cybersecurity industry grappled with catastrophic attacks. US and UK law enforcement scored two significant disruptions of major ransomware groups around the beginning of 2024.
Initially, however, both groups seemed to bounce back from those busts. AlphV in February announced that it had hacked Change Healthcare, disabling payments at hundreds of US clinics and pharmacies and extracting $22 million from the United Healthcare–owned company in one of the worst health-care-related ransomware incidents in history. Lockbit, too, seemed to shake off the NCA’s blows, immediately launching a new dark-web site where it continued to extort victims old and new.
If the baddies had a couple of brilliant quarters, a dip will follow, same as if the goodies had some good quarters. That's why we really need to analyze trends over a longer period, because increases and decreases over shorter periods don't really tell us much.

 

Research Reveals Data Breaches On The Rise at UK Law Firms
The number of data breaches in the UK's legal sector had grown by 39% between Q3 2023 and Q2 2024 to 2,284 cases, compared to 1,633 the same period 12 months earlier.
Furthermore, data related to 7.9 million people had been compromised, a figure which amounts to one in every eight members of the British population. External breaches jumped from 40% of all incidents in the past 12 months to 50%, with phishing attacks being the most common threat encountered by legal firms (56% of all external attacks.)
Of course, that still means insider breaches account for half of all reported data breach incidents, with over a third (39%) of those blamed on human error.

 

Malicious AI Models on Hugging Face Exploit Novel Attack Technique
While these models contain malicious code, they were not flagged as “unsafe” by Hugging Face’s security scanning mechanisms. Researchers saw that these malicious models exploit a novel malware distribution technique by abusing Pickle file serialization.
The two malicious models the researchers detected are stored in PyTorch format, a compressed Pickle file. However, they are compressed using the 7z format instead of the ZIP format PyTorch traditionally uses. This means they cannot be loaded using PyTorch’s default function, torch.load(). This trick is likely the reason why Picklescan did not flag these models as unsafe.
However, the two malicious models used broken Pickle files, suggesting they were proof-of-concept models for testing a novel attack method rather than actual malicious ones.
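An added example of how a model file can be checked for the behaviour described above without ever unpickling it (example code written for this digest, not Hugging Face's Picklescan or the researchers' tooling): it reads the container magic bytes to tell a ZIP checkpoint from a 7z-wrapped one, disassembles each pickle member with `pickletools.genops`, lists the names it would import and the code-executing opcodes it carries, and treats a stream that breaks before `STOP` (the "broken pickle" case) as a finding rather than as safe. The checkpoint layout, the 7z header and the pickles are constructed in the code; the "suspicious" pickle merely references `json.dumps` by name, which is enough to show the `GLOBAL`/`STACK_GLOBAL` opcodes a scanner has to catch.

```python
import io
import json
import pickle
import pickletools
import zipfile
from typing import Dict, List

ZIP_MAGIC = b"PK\x03\x04"
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
# Opcodes that resolve an importable name or call something while loading.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}
STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
                  "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def container_format(data: bytes) -> str:
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(SEVENZIP_MAGIC):
        return "7z"
    return "raw"


def scan_pickle_bytes(data: bytes) -> Dict[str, object]:
    """Disassemble a pickle with pickletools.genops (never pickle.loads) and collect
    the names it would import plus the code-executing opcodes it contains."""
    imports: List[str] = []
    ops: List[str] = []
    recent_strings: List[str] = []   # STACK_GLOBAL takes module and name from the stack
    truncated = False
    try:
        for op, arg, _pos in pickletools.genops(data):
            if op.name in STRING_OPCODES:
                recent_strings = (recent_strings + [str(arg)])[-2:]
            if op.name in CODE_OPCODES:
                ops.append(op.name)
            if op.name == "GLOBAL":
                imports.append(str(arg).replace(" ", "."))
            elif op.name == "STACK_GLOBAL" and len(recent_strings) == 2:
                imports.append(".".join(recent_strings))   # memo-referenced names are not resolved here
    except (ValueError, EOFError, pickle.UnpicklingError):
        truncated = True   # stream ended or broke before STOP: the "broken pickle" case
    return {"imports": imports, "code_opcodes": ops, "truncated": truncated}


def scan_model(data: bytes) -> Dict[str, object]:
    """Inspect a checkpoint blob. PyTorch's ZIP layout is walked for .pkl members; a
    7z container cannot be opened by torch.load or by the stdlib, so it is reported
    as an unsupported container instead of being silently passed as clean."""
    fmt = container_format(data)
    members: Dict[str, Dict[str, object]] = {}
    if fmt == "7z":
        return {"format": fmt, "verdict": "unsupported-container", "members": members}
    if fmt == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.endswith(".pkl"):
                    members[name] = scan_pickle_bytes(zf.read(name))
    else:
        members["<raw>"] = scan_pickle_bytes(data)
    flagged = any(m["code_opcodes"] or m["truncated"] for m in members.values())
    return {"format": fmt, "verdict": "unsafe" if flagged else "clean", "members": members}


# Constructed inputs for the example.
BENIGN = pickle.dumps({"layer1.weight": [0.1, 0.2, 0.3]}, protocol=4)
SUSPICIOUS_P2 = pickle.dumps(json.dumps, protocol=2)   # emits GLOBAL "json dumps"
SUSPICIOUS_P4 = pickle.dumps(json.dumps, protocol=4)   # emits STACK_GLOBAL
FAKE_7Z = SEVENZIP_MAGIC + b"\x00" * 16                 # header bytes only, not a real archive


def build_checkpoint_zip(pkl: bytes) -> bytes:
    """Mimic the torch.save ZIP layout: archive/data.pkl plus a tensor data member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pkl)
        zf.writestr("archive/data/0", b"\x00" * 12)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("benign", build_checkpoint_zip(BENIGN)),
                        ("suspicious", build_checkpoint_zip(SUSPICIOUS_P4)),
                        ("7z-wrapped", FAKE_7Z)]:
        print(label, scan_model(blob)["verdict"])
```

The design point is that "could not parse" and "unsupported container" are both verdicts that block the file: a scanner that only reports what it could fully load is exactly what an unusual container format or a deliberately broken stream walks past.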

 

DeepSeek AI tools impersonated by infostealer malware on PyPI
The packages were named "deepseeek" and "deepseekai" after the Chinese artificial intelligence startup, developer of the R1 large-language model that recently saw a meteoric surge in popularity. Interestingly, the packages were uploaded by an "aged" account created in June 2023 with no prior activity.
Once executed on the developer's machine, the malicious payload stole user and system data as well as environment variables such as API keys, database credentials, and infrastructure access tokens.
Next, the stolen information was exfiltrated to a command and control (C2) server at eoyyiyqubj7mquj.m.pipedream[.]net using Pipedream, a legitimate automation platform. [rG DevSecOps: Always use 3rd party components that are stored in an enterprise binary repository that has continuous SCA scanning to provide early warning of malicious or vulnerable libraries.]
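As an added example of one check an enterprise binary repository or CI gate can run before a dependency is pulled (illustration code written for this digest, not the researchers' tooling or PyPI's own): it normalises requested package names per PEP 503, compares each name that is not on an approved list against that list by edit distance, and reports near-misses such as a name one letter away from a real package. The requirements file and approved list are constructed for the example.

```python
import re
from typing import Dict, List, Tuple


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'Deep_Seek' and 'deep-seek' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirements(text: str) -> List[str]:
    """Package names from a requirements.txt, ignoring comments, blanks and options."""
    names: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def find_lookalikes(requirements: str, approved: List[str],
                    max_distance: int = 2) -> Dict[str, List[Tuple[str, int]]]:
    """Every requested package that is not on the approved list, mapped to the approved
    names within max_distance edits of it (sorted closest first). A non-empty list is a
    probable typosquat; an empty list is simply an unapproved package."""
    approved_norm = sorted({normalize(a) for a in approved})
    report: Dict[str, List[Tuple[str, int]]] = {}
    for raw in parse_requirements(requirements):
        name = normalize(raw)
        if name in approved_norm:
            continue
        scored = [(a, edit_distance(name, a)) for a in approved_norm]
        report[raw] = sorted([s for s in scored if s[1] <= max_distance], key=lambda s: (s[1], s[0]))
    return report


# Constructed inputs: the approved list stands in for what the enterprise mirror serves.
SAMPLE_REQUIREMENTS = """\
# constructed requirements file for this example
requests==2.32.0
deepseeek==0.1.0
deepseekai
reqeusts
numpy>=1.26
"""
APPROVED = ["deepseek", "requests", "numpy", "pandas"]

if __name__ == "__main__":
    for pkg, near in find_lookalikes(SAMPLE_REQUIREMENTS, APPROVED).items():
        print(f"{pkg}: not approved; looks like {near or 'nothing on the list'}")
```

The distance threshold is deliberately small: at 2 edits the check catches doubled letters, dropped letters and transpositions, which is where most lookalike names live, without flooding the report with unrelated packages.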

 

Cybercriminals Weaponize SVG Graphics Files in Phishing Attacks
The use of graphics files to steal credentials and deliver malware highlights the novel phishing tactics being employed to bypass defenses. This includes the types of malicious links and files used, such as QR codes, which are designed to evade optical character recognition (OCR)-based defenses.
Researchers first observed the spread of malicious SVG file attachments in late 2024 and this approach has accelerated since mid-January 2025.
Sophos said it has observed attackers use multiple subject lines and lures to entice targets to click on malicious SVG images. These lures included new voicemails, contracts, payment confirmation and health and benefits enrollment. The attacks also impersonate a number of well-known brands and services, including DocuSign, Microsoft SharePoint, Dropbox and Google Voice. Additionally, versions were discovered that targeted different languages, based on the top-level domain of the recipient.
[rG: I'm not sure why the article calls this "novel" and Sophos now claims "first observed", because we have seen SVG attachments used as attack vectors in various campaigns for many years. But attack trends come and go, so this serves as a reminder not to neglect protections from past exploits.]
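As an added example of the "protection from past exploits" rG refers to (illustration code written for this digest, not Sophos's detection logic): an attachment filter that parses an SVG with the standard library and flags what makes it an active document rather than a picture, namely scripting elements, `on*` event handlers, `javascript:`/`data:` URIs and outbound links. The lure SVG is constructed and uses placeholder addresses.

```python
import xml.etree.ElementTree as ET
from typing import List

DANGEROUS_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}


def _local(qname: str) -> str:
    return qname.split("}", 1)[-1]   # strip the {namespace} prefix ElementTree adds


def scan_svg(svg_text: str) -> List[str]:
    """Return one finding per active-content feature; an empty list means the file
    is static drawing only. A file that does not parse is reported, not passed."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as err:
        return [f"unparseable SVG ({err}); treat as suspicious"]
    findings: List[str] = []
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else "?"
        if tag in DANGEROUS_ELEMENTS:
            findings.append(f"<{tag}> element")
        for qname, value in el.attrib.items():
            name = _local(qname)          # handles both href and xlink:href
            lowered = value.strip().lower()
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href":
                if lowered.startswith(("javascript:", "data:")):
                    findings.append(f"{lowered.split(':', 1)[0]}: URI in href on <{tag}>")
                elif lowered.startswith(("http://", "https://")):
                    findings.append(f"external link {value.strip()} on <{tag}>")
    return findings


# Constructed lure in the style described above; addresses are placeholders.
PHISHING_STYLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="200">
  <text x="20" y="40">You have 1 new voicemail</text>
  <a xlink:href="https://login.example.invalid/verify">
    <rect x="20" y="60" width="120" height="40" onclick="void(0)"/>
  </a>
  <script><![CDATA[ /* constructed placeholder; a real lure would redirect here */ ]]></script>
</svg>"""

PLAIN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>"""

if __name__ == "__main__":
    for name, svg in [("lure", PHISHING_STYLE_SVG), ("plain", PLAIN_SVG)]:
        print(name, scan_svg(svg) or "clean")
```

A gateway that only inspects file extensions and MIME types passes both samples as `image/svg+xml`; the element-level check is what separates them, and it is cheap enough to run on every attachment.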

 

North Korean hackers impersonated recruiters to steal credentials from over 1,500 developer systems
Attackers copied legitimate applications used in cryptocurrency and authentication systems and set up rogue GitLab repositories for them with backdoored versions of those packages. The developer would be tricked into executing the repo thinking they had a legitimate interaction with a recruiter or other technical expert. Once the backdoor was executed it collected data from the system and sent additional payloads to find developers' secrets.
In November, attackers targeted 181 developers, primarily from European technology sectors. In December, the campaign expanded globally targeting hundreds of developers, with certain hotspots like India (284 victims). In January, a new wave added 233 more victims, including 110 systems in India’s technology sector alone.

 

Apple missed screenshot-snooping malware in code that made it into the App Store
Researchers found the malware in an iOS app called ComeCome, which is also available from Google’s Play store, and claims to offer food delivery services. It is “embedded with a malicious SDK/framework” that at an unspecified moment decrypts an optical character recognition (OCR) plugin.
Once that OCR code is running, the app hunts for screenshots on mobile devices in the hope that some include cryptocurrency wallet recovery phrases, aka seed phrases, that the OCR will extract and the spyware will exfiltrate. With those stolen seed phrases in hand, the app's masterminds can take control of victims' wallets, and transfer funds out of them.
That's why your seed phrase needs to be kept a secret, offline and not as an image on your phone. 

 

APPSEC, DEVSECOPS, DEV

BSP considers removing OTPs to shift to more secure methods
The Bangko Sentral ng Pilipinas is considering removing one-time passwords (OTP) for digital bank transactions as this security method is becoming "obsolete."
OTPs are widely adopted by financial institutions as a security measure for online transactions. These are unique, temporary codes sent to a user's phone or email to verify their identity.
However, these OTPs are sought after by scammers, who trick individuals into sharing the password to gain access to their accounts. OTPs are becoming obsolete. The Monetary Authority of Singapore and the Bank of International Settlements have discouraged relying on OTP. A transition period would be needed before shifting to other measures. The central bank is looking at other security methods that banks can adopt like biometric authentication.
To protect yourself from OTP scams, you should never share your OTP. Several banks remind users that they will never ask for your personal or bank details, especially OTPs. If you receive a request for your OTP, contact the official website or company using trusted details like their official phone numbers, emails, or social media pages. It's best to report to your bank immediately if you get an OTP request for an unfamiliar transaction. Additionally, you should make sure you're on a secure network when making online banking transactions.

 

How attackers abuse S3 Bucket Namesquatting — And How to Stop Them
To prevent S3 bucket namesquatting, make sure that your S3 buckets are locked down. It’s important to understand that the naming conventions can be predicted and to ensure that your S3 buckets are not public. Unlike the other bootstrap resources, Amazon S3 bucket names are global. This means that each bucket name must be unique across all AWS accounts in all AWS Regions within a partition.
Beyond that, it’s important to identify issues, such as when default bucket names have not been changed on a large scale. AWS allows users to make configurations, and simple misconfigurations or incorrect policies can negatively impact your customers. If namesquatting is detected, here are some practical steps to take:

  • Decommission the domain to prevent further exposure

  • Request and confirm that AWS takes down the bucket

  • Point DNS records at non-S3 resources until fraudulent DNS records are purged
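Both the abandoned-bucket research earlier in this issue and the namesquatting advice above come down to the same inventory question: which bucket names does our code, our HTML and our documentation still point at, and does anyone still own them? The following is an added example (written for this digest, not code from either article or from AWS) that pulls bucket names out of text in the three common reference forms and probes each name's existence in the global namespace with a single HEAD request, where a 404 means the name is unclaimed. The referenced text and bucket names are constructed; the live probe is pluggable so the audit can be run offline.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Set

# Bucket names in virtual-hosted, path-style and s3:// references.
S3_REF_RE = re.compile(
    r"https?://(?P<vh>[a-z0-9.-]{3,63})\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\b"
    r"|https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/(?P<ps>[a-z0-9.-]{3,63})"
    r"|s3://(?P<uri>[a-z0-9.-]{3,63})",
    re.IGNORECASE,
)


def extract_buckets(text: str) -> Set[str]:
    """Every bucket name referenced in text (config, HTML, CloudFormation, docs)."""
    names: Set[str] = set()
    for m in S3_REF_RE.finditer(text):
        names.add((m.group("vh") or m.group("ps") or m.group("uri")).lower())
    return names


def probe_bucket(bucket: str, timeout: float = 5.0) -> str:
    """Live (network) check of the global bucket namespace. A 404 means nobody owns
    the name any more, so anyone could create it and serve whatever your references
    fetch; 403 or 301 means it exists (private, or in another region)."""
    req = urllib.request.Request(f"https://{bucket}.s3.amazonaws.com/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "exists-public" if resp.status == 200 else "exists"
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return "unclaimed"
        if err.code in (301, 403):
            return "exists"
        return f"unknown:{err.code}"
    except urllib.error.URLError:
        return "unreachable"


def audit_references(text: str, probe: Callable[[str], str] = probe_bucket) -> Dict[str, str]:
    """Map every referenced bucket to its probe status."""
    return {b: probe(b) for b in sorted(extract_buckets(text))}


def unclaimed_buckets(report: Dict[str, str]) -> List[str]:
    """The names that need action: either re-register them yourself or remove the reference."""
    return [b for b, status in report.items() if status == "unclaimed"]


# Constructed fragments of the kind an asset-inventory job would pull from a code base.
SAMPLE_REFERENCES = """\
UpdateUrl: https://example-updates-bucket.s3.us-east-1.amazonaws.com/agent/latest.msi
<script src="https://s3.amazonaws.com/legacy-patch-archive/js/loader.js"></script>
TemplateURL: s3://ics-advisory-files/templates/stack.yaml
mirror: https://Example-Updates-Bucket.s3.amazonaws.com/agent/latest.msi
"""

if __name__ == "__main__":
    print("referenced:", sorted(extract_buckets(SAMPLE_REFERENCES)))
    print("unclaimed:", unclaimed_buckets(audit_references(SAMPLE_REFERENCES)))
```

Run this against the repositories, published web pages and advisories an organisation still serves, not just live infrastructure, since the references that outlive the bucket are precisely the ones in old documents. Any name that comes back unclaimed should be re-created under your own account (the name is global, so it can be held at negligible cost) until every reference to it has been removed.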

 

Phishing Tests, the Bane of Work Life, Are Getting Meaner
IT departments are crafting increasingly sensational ruses in what they say is a necessary response to increasingly sophisticated scams. Employees say they sow chaos, confusion and shame. Safety is one thing. Tricking a worker into thinking there’s a lost puppy in the parking lot is just cruel.
Matt Linton once made a NASA staffer cry with a phishing test that promised employees a chance to win a trip to Kennedy Space Center to view the final launch of the Space Shuttle. “Now everyone hates me,” Linton thought after the test. “Phishing education is good,” said Linton. “Tricking people to falling for a phish so you can lecture them that they failed, that’s the part that is terrible.”
But a growing body of academic research, based on randomized controlled trials, suggests the tests don’t work. A 2021 study of 14,000 corporate workers by researchers at ETH Zurich university found that phishing tests, combined with voluntary training, made employees more susceptible to phishing, possibly by giving trainees a false sense of security. Last year, a follow-up study by researchers at the University of California, San Diego, which looked at a wider range of training programs, found the tests led to a measly 2% reduction in phishing success rates. “These are just an ineffective and inefficient way to educate users.”
For Luis Taveras, chief information officer with Lehigh Valley Health Network, the tests don’t work unless there are real-life consequences. The first time employees at the healthcare organization fail a phishing test, they lose external email access for three months. The second time, it gets cut for a year. The third, they’re fired. His most-successful phishing test: a fake email offering free Philadelphia Eagles tickets. That got a 4% click-through rate.
[rG: The lesson being taught here? Don’t trust internal communication emails with links: sent to distribution lists or from departmental email addresses. Also bin any emails tagged by the gateway as “external”, even though your organization uses partner SaaS solutions. :-)
Better would be to put email and browsers in sandboxes (like security researchers do) with AI monitors to provide automated analysis and suspicion warnings.]

 

Mainframe: Securing terminal emulation and green screen access from evolving threats
Terminal emulation is critical for organizations to enable their employees to access host systems through a terminal-like interface. And with green screen capabilities, organizations can maintain access to mainframe systems through a desktop interface. Regulators have long taken steps to protect sensitive information and guide businesses on what protections and policies they must have in place—this includes policies like GDPR or the Digital Operational Resilience Act (DORA).
And now, with the rise in compromised credentials, many of these regulations are evolving to go deeper into identity and access management (IAM), with tools like encryption or multi-factor authentication for remote access. For instance, recent changes in New York State’s 23 NYCRR 500 policy tackle challenges with remote access around governance, encryption, and incident response.
Particularly, these policies require multi-factor authentication (MFA) for remote access to information systems, third-party applications where nonpublic information (NPI) is accessible, as well as privileged accounts. Vendor products can provide IAM solutions to users accessing host applications with MFA, securing the terminal emulation authentication process, and offer centrally managed, high-availability host application access that is deployable across infrastructures.

 

Why rebooting your phone daily is your best defense against zero-click hackers
People should treat their phone like a computer. This means that, just as one would apply the body of best practices that exists to protect traditional endpoints like laptops from exploitation and compromise, those same standards and practices should be applied to phones.
This includes rebooting your phone daily because a lot of these exploits exist in memory only. They're not files, and if you reboot your phone, in theory, you should be able to wipe the malware as well.

 

UK industry leaders unleash hurricane-grade scale for cyberattacks
The Cyber Monitoring Centre (CMC) is the brainchild of cyber insurance industry figures and a handful of the UK's foremost cybersecurity thought leaders. It brings a severity classification system for the most severe computer assaults similar to the Saffir-Simpson Scale, which differentiates hurricanes based on the damage they cause to affected regions.
Public communications about the CMC began in January 2024, at which point the literature suggested it was a system that would be used to help cyber insurance companies, and their reinsurers, independently define what constituted a systemic event.
The system categorizes cyber events on a 1-5 scale, with five being the most severe. The severity score will be determined by examining the financial impact of the event and the number of organizations affected. The finances factored into the decision include, but are not limited to, incident response costs, notification costs, ransom payments, data restoration costs, and business interruption costs. It won't consider liability payments or fines issued after the fact. 

 

VENDORS & PLATFORMS

reCAPTCHA: 819 million hours of wasted human time and billions of dollars in Google profits
When you log into your bank's website, you might be presented with an image showing distorted numbers and letters and asked to enter them into a field to prove you're human. These tests, called CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart), are commonly used on websites to prevent bot attacks and spam. Google acquired reCAPTCHA in 2009 and used it to digitize Google Books and improve Google Street View by processing photos of street signs and house numbers.
By 2025, reCAPTCHA is easily defeated by bots. Yet Google continues to offer it because reCAPTCHA has evolved into a tracking tool that collects user data and generates billions in revenue for Google.
reCAPTCHA takes a pixel-by-pixel fingerprint of your browser, a real-time map of everything you do on the internet. They essentially get access to any user interaction on that web page. reCAPTCHA has cost society an estimated 819 million hours of human time valued at $6.1 billion in wages while generating massive profits for Google through its tracking capabilities and data collection, with the value of tracking cookies alone estimated at $888 billion.

 

  1. Restrict public access for new clusters by default, confining them within the user's Virtual Private Cloud (VPC) and preventing direct external access. Public access must be explicitly enabled if needed, with security groups and network access control lists (ACLs) recommended to users for restricted access.

  2. Enable encryption by default for all clusters to guarantee that even unauthorized access will not result in data exposure. Users will now have to specify an encryption key, or the clusters will be encrypted using an AWS-owned Key Management Service (KMS) key.

  3. Enforce secure SSL (TLS) connections by default for all new and restored clusters, preventing data interception and "man-in-the-middle" attacks. Users with custom parameter groups are encouraged to manually enable SSL for enhanced security. It is important to note that these changes will impact newly created provisioned clusters, serverless workgroups, and restored clusters, so existing setups will not be immediately affected.

[rG: Yay, data stores and transit encryption by default!!!]

 

 

LEGAL & REGULATORY

The British government’s undisclosed order, issued last month, requires blanket capability to view fully encrypted material, not merely assistance in cracking a specific account, and has no known precedent in major democracies. Rather than break the security promises it made to its users everywhere, Apple is likely to stop offering encrypted storage in the US, the people said. Yet that concession would not fulfill the UK demand for backdoor access to the service in other countries, including the United States.
The office of the Home Secretary has served Apple with a document called a technical capability notice, ordering it to provide access under the sweeping U.K. Investigatory Powers Act of 2016, which authorizes law enforcement to compel assistance from companies when needed to collect evidence. The law, known by critics as the Snoopers’ Charter, makes it a criminal offense to reveal that the government has even made such a demand.

 

US cranks up espionage charges against ex-Googler accused of trade secrets heist
Linwei Ding, 38, known to colleagues as Leon Ding, is accused of stealing and transmitting back to Chinese companies more than a thousand files related to Google's proprietary AI work between 2022 and 2023.
Despite Google deploying data loss prevention mechanisms designed to detect any suspicious movement of files, confidential or otherwise, across its network, it wasn't until December 2023 that the company became aware of Ding's alleged activity.
However there may be an interesting way of circumventing those data loss mechanisms. The indictment alleges that Ding copied the content from Google source files directly into an Apple Notes document on his company-issued MacBook, saved the document as a PDF, and transferred that PDF to his personal account.
Google examined surveillance footage and claims it showed a different employee (who wasn't Ding) badged in at the Google office to make it seem like Ding was working from Google HQ while he was actually in China. That employee claimed that Ding asked them to badge in for him while he was away.
If found guilty, Ding faces a maximum ten-year prison stint and a $250,000 fine for each of the trade secret counts, and 15 years in prison and a $5 million fine for each of the seven economic espionage counts.
[rG: Why wasn’t he caught earlier given PDFs should have easily set off DLP alarms, and what happened to his coffee badging accomplice?]

 

And Now For Something Completely Different …

WikiTok
Users can vertically swipe through an endless stream of Wikipedia article stubs in a manner similar to the interface for video-sharing app TikTok. It's a neat way to stumble upon interesting information randomly, learn new things, and spend spare moments of boredom without reaching for an algorithmically addictive social media app.