Researchers have discovered a new attack that can force VPN applications to route traffic outside the encrypted tunnel, thereby exposing the user's traffic to potential snooping or manipulation. This vulnerability, named TunnelVision, is found in almost all VPNs on non-Linux and non-Android systems. It's believe that the vulnerability "may have been possible since 2002 and may already have been discovered and used in the wild since then," reports Ars Technica. From the report: The effect of TunnelVision is "the victim's traffic is now decloaked and being routed through the attacker directly," a video demonstration explained. "The attacker can read, drop or modify the leaked traffic and the victim maintains their connection to both the VPN and the Internet." The attack works by manipulating the DHCP server that allocates IP addresses to devices trying to connect to the local network. A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel. By using option 121 to route VPN traffic through the DHCP server, the attack diverts the data to the DHCP server itself. [...]

The attack can most effectively be carried out by a person who has administrative control over the network the target is connecting to. In that scenario, the attacker configures the DHCP server to use option 121. It's also possible for people who can connect to the network as an unprivileged user to perform the attack by setting up their own rogue DHCP server. The attack allows some or all traffic to be routed through the unencrypted tunnel. In either case, the VPN application will report that all data is being sent through the protected connection. Any traffic that's diverted away from this tunnel will not be encrypted by the VPN and the Internet IP address viewable by the remote user will belong to the network the VPN user is connected to, rather than one designated by the VPN app.

Interestingly, Android is the only operating system that fully immunizes VPN apps from the attack because it doesn't implement option 121. For all other OSes, there are no complete fixes. When apps run on Linux there's a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks. Network firewalls can also be configured to deny inbound and outbound traffic to and from the physical interface. This remedy is problematic for two reasons: (1) a VPN user connecting to an untrusted network has no ability to control the firewall and (2) it opens the same side channel present with the Linux mitigation. The most effective fixes are to run the VPN inside of a virtual machine whose network adapter isn't in bridged mode or to connect the VPN to the Internet through the Wi-Fi network of a cellular device. You can learn more about the research here.

Jack Dorsey is no longer on the board of Bluesky, the Twitter alternative he helped start. The announcement comes shortly after Dorsey unfollowed all but three accounts on X and referred to Elon Musk's platform as "freedom technology." The Verge reports: In two posts today, Bluesky thanked Dorsey while confirming his departure and adding that it's searching for a new board member "who shares our commitment to building a social network that puts people in control of their experience." [...] Neither Bluesky nor Dorsey himself seem to have said how or why he left the board. For now, two board members remain: CEO, Jay Graeber, and Jabber / XMPP inventor Jeremie Miller. Dorsey originally backed Bluesky in 2019 as a project to develop an open-source social media standard that he wanted Twitter to move to. He later joined its board of directors when it split from Twitter in 2022.

The Rabbit R1 is one of the first standalone AI companion devices to hit the market, offering the ability to translate languages, identify objects in your environment, and order DoorDash, among other things. It's been in the news last week for its all around poor reviews that cite poor battery life, painfully slow responses, and missing features (sound familiar?). Now, it's been confirmed that the Rabbit R1 is powered by an Android app that can run on existing Android phones. Android Authority reports: What ended up souring a lot of people's opinions on the product was the revelation -- in an Android Authority original report -- that the R1 is basically an Android app in a box. Many consumers who believed that the product would be better suited as a mobile app felt validated after our report, but there was one stickler in it that we needed to address: how we got the R1 launcher up and running on an Android phone. See, in our preliminary report, we mentioned that the Rabbit R1's launcher app is intended to be preinstalled in the firmware and be granted several privileged, system-level permissions. While that statement is still true, we should've clarified that the R1 launcher doesn't actually need those permissions. In fact, none of the system-level permissions that the R1 launcher requests are at all necessary for the app to perform its core functionality.

To prove this, we got the Rabbit R1 launcher up and running again on a stock, unrooted Android device (a Xiaomi 13T Pro), thanks to help from a team of reverse engineers including ChromMob, EmilyLShepherd, marceld505, thel3l, and uwukko. We were able to go through the entire setup process as if our device was an actual Rabbit R1. Afterwards, we were able to talk to ChatGPT, use the Vision function to identify objects, play music from Spotify, and even record voice notes. As demonstrated in our hands-on video at the top of this article, all of the existing core functionality that the Rabbit R1 offers would work as an Android or even iOS app. The only functions that wouldn't work are unrelated to the product's core functionality and are things your phone can already do, such as powering off or rebooting the device, toggling Bluetooth, connecting to a cellular or Wi-Fi network, or setting a screen lock.

During our research, Android Authority was also able to obtain a copy of the Rabbit R1's firmware. Our analysis reveals that Rabbit did not make significant modifications to the BSP (Board Support Package) provided by MediaTek. The R1, in fact, still ships with all the standard apps included in AOSP, as well as the many apps provided by MediaTek. This is despite the fact that none of these apps are needed nor ever shown to the user, obviously. Rabbit only made a few changes to the AOSP build that MediaTek provided them, such as adding the aforementioned R1 launcher app, adding a fork of the open-source "AnySoftKeyboard" app with a custom theme, adding an OTA updater app, and adding a custom boot animation. [...] Yes, it's true that all the R1 launcher does is act as a local client to the cloud services offered by Rabbit, which is what truly handles the core functionality. It's also true that there's nothing wrong or unusual with companies using AOSP for their own hardware. But the fact of the matter is that Rabbit does little to justify its use of custom hardware except by making the R1 have an eye-catching design.

PlayStation has reversed course on the Helldivers 2 PSN account requirement, walking back the unpopular policy after a weekend long backlash that included tens of thousands of negative reviews, some of which spread to Sony's other Steam games. From a report: "Helldivers fans -- we've heard your feedback on the Helldivers 2 account linking update. The May 6 update, which would have required Steam and PlayStation Network account linking for new players and for current players beginning May 30, will not be moving forward," PlayStation wrote on its official account.

"We're still learning what is best for PC players and your feedback has been invaluable. Thanks again for your continued support of Helldivers 2 and we'll keep you updated on future plans." PlayStation's decision means that Helldivers 2 players on Steam won't have to link a PSN account in order to play. The unpopular policy, which would have seen new players confronted with a mandatory login beginning this week, resulted in Helldivers 2 being delisted in around 177 countries.

Wednesday Rest of World noticed an overlooked tech story in Argentina: Olga de León looked confused as she walked out of a nightclub on the edge of Buenos Aires on a recent Tuesday afternoon. She had just had her iris scanned. "No one told me what they'll do with my eye," de León, 57, told Rest of World. "But I did this out of need." De León, who lives off the $95 pension she receives from the state, had been desperate for money. Persuaded by her nephew, she agreed to have one of her irises scanned by Worldcoin, Sam Altman's blockchain project. In exchange, she received nearly $50 worth of WLD, the company's cryptocurrency.

De León is one of about half a million Argentines who have handed their biometric data over to Worldcoin. Beaten down by the country's 288% inflation rate and growing unemployment, they have flocked to Worldcoin Orb verification hubs, eager to get the sign-up crypto bonus offered by the company. A network of intermediaries — who earn a commission from every iris scan — has lured many into signing up for the practice in Argentina, where data privacy laws remain weak. But as the popularity of Worldcoin skyrockets in the country, experts have sounded the alarm about the dangers of giving away biometric data. Two provinces are now pushing for legal investigations. "Seeing that [iris scans have] been banned in European countries, shouldn't we be trying to stop it, too?" Javier Smaldone, a software consultant and digital security expert, told Rest of World.
Last month Worldcoin's web site announced that more than 10 million people in 160 countries had created a World ID and compatible wallet (performing 75 million transactions) — and that 5,195,475 people had also verified their World ID using Worldcoin's iris-scanning Orb.

But the article notes a big drop in the number of countries even allowing Worldcoin's iris-scanning — from 25 to just eight. While in less than a year Worldcoin opened nearly 60 centers across Argentina...

The blog Its FOSS has 15,000 followers for its Mastodon account — which they think is causing problems: When you share a link on Mastodon, a link preview is generated for it, right? With Mastodon being a federated platform (a part of the Fediverse), the request to generate a link preview is not generated by just one Mastodon instance. There are many instances connected to it who also initiate requests for the content almost immediately. And, this "fediverse effect" increases the load on the website's server in a big way.

Sure, some websites may not get overwhelmed with the requests, but Mastodon does generate numerous hits, increasing the load on the server. Especially, if the link reaches a profile with more followers (and a broader network of instances)... We tried it on our Mastodon profile, and every time we shared a link, we were able to successfully make our website unresponsive or slow to load.
Slashdot reader nunojsilva is skeptical that "blurbs with a thumbnail and description" could create the issue (rather than, say, poorly-optimized web content). But the It's Foss blog says they found three GitHub issues about the same problem — one from 2017, and two more from 2023. And other blogs also reported the same issue over a year ago — including software developer Michael Nordmeyer and legendary Netscape programmer Jamie Zawinski.

And back in 2022, security engineer Chris Partridge wrote: [A] single roughly ~3KB POST to Mastodon caused servers to pull a bit of HTML and... an image. In total, 114.7 MB of data was requested from my site in just under five minutes — making for a traffic amplification of 36704:1. [Not counting the image.]
Its Foss reports Mastodon's official position that the issue has been "moved as a milestone for a future 4.4.0 release. As things stand now, the 4.4.0 release could take a year or more (who knows?)."

They also state their opinion that the issue "should have been prioritized for a faster fix... Don't you think as a community-powered, open-source project, it should be possible to attend to a long-standing bug, as serious as this one?"

Markos Moulitsas is the poll-watching founder of the political blog Daily Kos. Thursday he wrote that in 2021, future third-party presidential candidate RFK Jr. had sued their web site.

"Things are not going well for him." Back in 2021, Robert F. Kennedy Jr. sued Daily Kos to unmask the identity of a community member who posted a critical story about his dalliance with neo-Nazis at a Berlin rally. I updated the story here, here, here, here, and here.

To briefly summarize, Kennedy wanted us to doxx our community member, and we stridently refused.
The site and the politician then continued fighting for more than three years. "Daily Kos lost the first legal round in court," Moulitsas posted in 2021, "thanks to a judge who is apparently unconcerned with First Amendment ramifications given the chilling effect of her ruling."

But even then, Moulitsas was clear on his rights: Because of Section 230 of the Communications Decency Act, [Kennedy] cannot sue Daily Kos — the site itself — for defamation. We are protected by the so-called safe harbor. That's why he's demanding we reveal what we know about "DowneastDem" so they can sue her or him directly.
Moulitsas also stressed that his own 2021 blog post was "reiterating everything that community member wrote, and expanding on it. And so instead of going after a pseudonymous community writer/diarist on this site, maybe Kennedy will drop that pointless lawsuit and go after me... consider this an escalation." (Among other things, the post cited a German-language news account saying Kennedy "sounded the alarm concerning the 5G mobile network and Microsoft founder Bill Gates..." Moulitsas also noted an Irish Times article which confirmed that at the rally Kennedy spoke at, "Noticeable numbers of neo-Nazis, kitted out with historic Reich flags and other extremist accessories, mixed in with the crowd.")

So what happened? Moulitsas posted an update Thursday: Shockingly, Kennedy got a trial court judge in New York to agree with him, and a subpoena was issued to Daily Kos to turn over any information we might have on the account. However, we are based in California, not New York, so once I received the subpoena at home, we had a California court not just quash the subpoena, but essentially signal that if New York didn't do the right thing on appeal, California could very well take care of it.

It's been a while since I updated, and given a favorable court ruling Thursday, it's way past time to catch everyone up.
New York is one of the U.S. states that doesn't have a strict "Dendrite standard" law protecting anonymous speech. But soon the blog founder discovered he had allies: The issues at hand are so important that The New York Times, the E.W.Scripps Company, the First Amendment Coalition, New York Public Radio, and seven other New York media companies joined the appeals effort with their own joint amicus brief. What started as a dispute over a Daily Kos diarist has become a meaningful First Amendment battle, with major repercussions given New York's role as a major news media and distribution center.

After reportedly spending over $1 million on legal fees, Kennedy somehow discovered the identity of our community member sometime last year and promptly filed a defamation suit in New Hampshire in what seemed a clumsy attempt at forum shopping, or the practice of choosing where to file suit based on the belief you'll be granted a favorable outcome. The community member lives in Maine, Kennedy lives in California, and Daily Kos doesn't publish specifically in New Hampshire. A perplexed court threw out the case this past February on those obvious jurisdictional grounds....

Then, last week, the judge threw out the appeal of that decision because Kennedy's lawyer didn't file in time — and blamed the delay on bad Wi-Fi...

Kennedy tried to dismiss the original case, the one awaiting an appellate decision in New York, claiming it was now moot. His legal team had sued to get the community member's identity, and now that they had it, they argued that there was no reason for the case to continue. We disagreed, arguing that there were important issues to resolve (i.e., Dendrite), and we also wanted lawyer fees for their unconstitutional assault on our First Amendment rights...

On Thursday, in a unanimous decision, a four-judge New York Supreme Court appellate panel ordered the case to continue, keeping the Dendrite issue alive and also allowing us to proceed in seeking damages based on New York's anti-SLAPP law, which prohibits "strategic lawsuits against public participation."
Thursday's blog post concludes with this summation. "Kennedy opened up a can of worms and has spent millions fighting this stupid battle. Despite his losses, we aren't letting him weasel out of this."

An anonymous reader quotes a report from Wired: Join your localMilitia or III% Patriot Group," a post urged the more than 650 members of a Facebook group called the Free American Army. Accompanied by the logo for the Three Percenters militia network and an image of a man in tactical gear holding a long rifle, the post continues: "Now more than ever. Support the American militia page." Other content and messaging in the group is similar. And despite the fact that Facebook bans paramilitary organizing and deemed the Three Percenters an "armed militia group" on its 2021 Dangerous Individuals and Organizations List, the post and group remained up until WIRED contacted Meta for comment about its existence.

Free American Army is just one of around 200 similar Facebook groups and profiles, most of which are still live, that anti-government and far-right extremists are using to coordinate local militia activity around the country. After lying low for several years in the aftermath of the US Capitol riot on January 6, militia extremists have been quietly reorganizing, ramping up recruitment and rhetoric on Facebook -- with apparently little concern that Meta will enforce its ban against them, according to new research by the Tech Transparency Project, shared exclusively with WIRED.

Individuals across the US with long-standing ties to militia groups are creating networks of Facebook pages, urging others to recruit "active patriots" and attend meetups, and openly associating themselves with known militia-related sub-ideologies like that of the anti-government Three Percenter movement. They're also advertising combat training and telling their followers to be "prepared" for whatever lies ahead. These groups are trying to facilitate local organizing, state by state and county by county. Their goals are vague, but many of their posts convey a general sense of urgency about the need to prepare for "war" or to "stand up" against many supposed enemies, including drag queens, immigrants, pro-Palestine college students, communists -- and the US government. These groups are also rebuilding at a moment when anti-government rhetoric has continued to surge in mainstream political discourse ahead of a contentious, high-stakes presidential election. And by doing all of this on Facebook, they're hoping to reach a broader pool of prospective recruits than they would on a comparatively fringe platform like Telegram. "Many of these groups are no longer fractured sets of localized militia but coalitions formed between multiple militia groups, many with Three Percenters at the helm," said Katie Paul, director of the Tech Transparency Project. "Facebook remains the largest gathering place for extremists and militia movements to cast a wide net and funnel users to more private chats, including on the platform, where they can plan and coordinate with impunity."

Paul has been monitoring "hundreds" of these groups and profiles since 2021 and found that they have been growing "increasingly emboldened with more serious and coordinated organizing" in the past year.

"Players who made Steam purchases of Helldivers 2 are now, months after the fact, being told by Sony that their games will be useless unless linked to a PSN account," writes longtime Slashdot reader Baron_Yam. From a report: Publisher Sony Interactive Entertainment announced today that Helldivers 2 players on Steam will soon be required to link their in-game profiles to a PlayStation Network account -- a feature that was optional at launch due to "technical issues" -- or risk losing access to the game. SIE explained that account linking allows players to take advantage of "safety and security" provided by PlayStation, as it can more easily protect folks from "griefing and abuse by enabling the banning of players that engage in that type of behavior."

Many Steam players haven't responded well to the news. As of the time of writing, over 2,500 negative user reviews have been submitted to the game's storefront page today, blemishing an otherwise spotless "Very Positive" rating. Some reviews cite data harvesting and security concerns as potential worries. Others point to the fact that Sony waited months after launch to make account linking mandatory. How this affects players in regions that don't have access to the PlayStation Network is a bigger concern, though. In the Helldivers 2 Discord, community manager Thomas 'Twinbeard' Petersson said they aren't yet sure what these rule changes meant for players in areas without PSN access, which could be another factor contributing to the negative downturn.

Plumpaquatsch writes: Investigators teamed up with colleagues from the Balkans and Lebanon in raids set up by months of intense surveillance. Authorities say the operation thwarted over 10 million euro in damages and led to 21 arrests.

Dubbed 'Operation Pandora,' the sting began in Germany in December 2023, after a suspicious bank teller contacted police when a 76-year-old customer from Freiburg sought to hurriedly withdraw 120,000 euro ($128,232) from her savings account to hand over to a fake police officer. When real police investigators tracked the internet-based telephone number that had been used to lure the woman, they discovered a veritable goldmine.

Rather than shutting down the number, authorities instead went on the offensive, setting up their own call center in which hundreds of officers from Baden-Wurttemberg, Bavaria, Berlin and Saxony worked around the clock monitoring some 1.3 million calls in real time, as the number from the initial scam was tied to an entire network of fraud call centers. Police were able to trace and record data from the calls, as well as warn potential victims of what was in fact happening, in turn winning valuable time to put together the April 18 sting.

Police say their efforts allowed them to thwart some 10 million euro in damages in roughly 6,000 cases of attempted fraud.

Aria Alamalhodaei reports via TechCrunch: Hubble Network has become the first company in history to establish a Bluetooth connection directly to a satellite -- a critical technology validation for the company, potentially opening the door to connecting millions more devices anywhere in the world. The Seattle-based startup launched its first two satellites to orbit on SpaceX's Transporter-10 ride-share mission in March; since that time, the company confirmed that it has received signals from the onboard 3.5mm Bluetooth chips from over 600 kilometers away.

The sky is truly the limit for space-enabled Bluetooth devices: the startup says its technology can be used in markets including logistics, cattle tracking, smart collars for pets, GPS watches for kids, car inventory, construction sites, and soil temperature monitoring. Haro said the low-hanging fruit is those industries that are desperate for network coverage even once per day, like remote asset monitoring for the oil and gas industry. As the constellation scales, Hubble will turn its attention to sectors that may need more frequent updates, like soil monitoring, to continuous coverage use cases like fall monitoring for the elderly. Once its up and running, a customer would simply need to integrate their devices' chipsets with a piece of firmware to enable connection to Hubble's network.

The National Archives and Records Administration (NARA) told employees Wednesday that it is blocking access to ChatGPT on agency-issued laptops to "protect our data from security threats associated with use of ChatGPT," 404 Media reported Wednesday. From the report: "NARA will block access to commercial ChatGPT on NARANet [an internal network] and on NARA issued laptops, tablets, desktop computers, and mobile phones beginning May 6, 2024," an email sent to all employees, and seen by 404 Media, reads. "NARA is taking this action to protect our data from security threats associated with use of ChatGPT."

The move is particularly notable considering that this directive is coming from, well, the National Archives, whose job is to keep an accurate historical record. The email explaining the ban says the agency is particularly concerned with internal government data being incorporated into ChatGPT and leaking through its services. "ChatGPT, in particular, actively incorporates information that is input by its users in other responses, with no limitations. Like other federal agencies, NARA has determined that ChatGPT's unrestricted approach to reusing input data poses an unacceptable risk to NARA data security," the email reads. The email goes on to explain that "If sensitive, non-public NARA data is entered into ChatGPT, our data will become part of the living data set without the ability to have it removed or purged."

LinkedIn, the professional network known for job listings and unsolicited career advice, is jumping into gaming. From a report: The platform is officially introducing a set of Wordle-style puzzle games, weeks after they were first spotted in the app. The company is starting with three games: Pinpoint, a word game where players must guess the theme that ties a series of words together; Queens, a puzzle game that's a bit like a cross between Sudoku and Minesweeper; and Crossclimb, a trivia game that involves guessing a series of four-letter words and placing them in the correct order.

LinkedIn describes them as "thinking-oriented games," though the format will likely look familiar to fans of The New York Times Games app. Each game can only be played once a day, and players can share their score with friends in cute emoji-filled messages reminiscent of the "Wordle grid." The service will also keep track of "streaks," to encourage players to come back every day. Given the similarities, it shouldn't be surprising that games were developed by LinkedIn's news team, which recently hired a dedicated games editor.

Satellite operator SES plans to buy fellow satellite operator Intelsat, in a $3.1 billion deal that's expected to close next year. According to Space Magazine, the combined company could help it "compete with SpaceX's huge Starlink broadband network." From the report: SES and Intelsat both operate communications satellites in geostationary orbit, which lies 22,236 miles (35,785 kilometers) above Earth. SES also runs a constellation called O3b in medium Earth orbit, at an altitude of about 5,000 miles (8,000 km). As [SES CEO Adel Al-Saleh] noted, there is increasingly fierce competition for the services provided by these satellites -- for example, from SpaceX's Starlink megaconstellation in low Earth orbit. And other LEO megaconstellations are in the works as well. For instance, Amazon launched the first two prototypes for its planned 3,200-satellite Project Kuiper network this past October.

"By combining our financial strength and world-class team with that of SES, we create a more competitive, growth-oriented solutions provider in an industry going through disruptive change," Intelsat CEO David Wajsgras said in the same statement. "The combined company will be positioned to meet customers' needs around the world and exceed their expectations," he added.

An anonymous reader quotes a report from Foss Outpost: Systemd lead developer Lennart Poettering has posted on Mastodon about their upcoming v256 release of Systemd, which is expected to include a sudo replacement called "run0". The developer talks about the weaknesses of sudo, and how it has a large possible attack surface. For example, sudo supports network access, LDAP configurations, other types of plugins, and much more. But most importantly, its SUID binary provides a large attack service according to Lennart: "I personally think that the biggest problem with sudo is the fact it's a SUID binary though -- the big attack surface, the plugins, network access and so on that come after it it just make the key problem worse, but are not in themselves the main issue with sudo. SUID processes are weird concepts: they are invoked by unprivileged code and inherit the execution context intended for and controlled by unprivileged code. By execution context I mean the myriad of properties that a process has on Linux these days, from environment variables, process scheduling properties, cgroup assignments, security contexts, file descriptors passed, and so on and so on."

He's saying that sudo is a Unix concept from many decades ago, and a better privilege escalation system should be in place for 2024 security standards: "So, in my ideal world, we'd have an OS entirely without SUID. Let's throw out the concept of SUID on the dump of UNIX' bad ideas. An execution context for privileged code that is half under the control of unprivileged code and that needs careful manual clean-up is just not how security engineering should be done in 2024 anymore." [...]

He also mentioned that there will be more features in run0 that are not just related to the security backend such as: "The tool is also a lot more fun to use than sudo. For example, by default, it will tint your terminal background in a reddish tone while you are operating with elevated privileges. That is supposed to act as a friendly reminder that you haven't given up the privileges yet, and marks the output of all commands that ran with privileges appropriately. It also inserts a red dot (unicode ftw) in the window title while you operate with privileges, and drops it afterwards."

An anonymous reader quotes a report from TechCrunch: The ransomware gang that hacked into U.S. health tech giant Change Healthcare used a set of stolen credentials to remotely access the company's systems that weren't protected by multifactor authentication (MFA), according to the chief executive of its parent company, UnitedHealth Group (UHG). UnitedHealth CEO Andrew Witty provided the written testimony ahead of a House subcommittee hearing on Wednesday into the February ransomware attack that caused months of disruption across the U.S. healthcare system. This is the first time the health insurance giant has given an assessment of how hackers broke into Change Healthcare's systems, during which massive amounts of health data were exfiltrated from its systems. UnitedHealth said last week that the hackers stole health data on a "substantial proportion of people in America."

According to Witty's testimony, the criminal hackers "used compromised credentials to remotely access a Change Healthcare Citrix portal." Organizations like Change use Citrix software to let employees access their work computers remotely on their internal networks. Witty did not elaborate on how the credentials were stolen. However, Witty did say the portal "did not have multifactor authentication," which is a basic security feature that prevents the misuse of stolen passwords by requiring a second code sent to an employee's trusted device, such as their phone. It's not known why Change did not set up multifactor authentication on this system, but this will likely become a focus for investigators trying to understand potential deficiencies in the insurer's systems. "Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data," said Witty. Witty said the hackers deployed ransomware nine days later on February 21, prompting the health giant to shut down its network to contain the breach. Last week, the medical firm admitted that it paid the ransomware hackers roughly $22 million via bitcoin.

Meanwhile, UnitedHealth said the total costs associated with the ransomware attack amounted to $872 million. "The remediation efforts spent on the attack are ongoing, so the total costs related to business disruption and repairs are likely to exceed $1 billion over time, potentially including the reported $22 million payment made [to the hackers]," notes The Register.

Richard Speed reports via The Register: NASA's optical communications demonstration has hit 25 Mbps in a test transmitting engineering data back to Earth from 140 million miles (226 million kilometers) away. The payload is riding aboard the Psyche probe, which is headed for an asteroid of the same name. On December 11, when the spacecraft was 19 million miles (30 million kilometers) away, it reached 267 Mbps, which NASA described as "comparable to broadband internet download speeds."

However, as Psyche has continued on its trajectory, the distances have become greater, and the rate at which data can be transmitted and received has tumbled. At 140 million miles, the project's goal was to reach a lofty 1 Mbps. Instead, engineers managed to get 25 Mbps out of the demonstration. Earlier demonstrations tested the technology using preloaded data, such as a cat video. The latest experiment used a copy of engineering data also sent via Psyche's radio transmitter.

"We downlinked about 10 minutes of duplicated spacecraft data during a pass on April 8," said Meera Srinivasan, the project's operations lead at NASA's Jet Propulsion Laboratory (JPL) in Southern California. "Until then, we'd been sending test and diagnostic data in our downlinks from Psyche. This represents a significant milestone for the project by showing how optical communications can interface with a spacecraft's radio frequency comms system." The demonstrator is only along for the ride -- Psyche uses conventional radio technology for its mission. However, the demonstration does point to the potential for higher-bandwidth communications in future projects.

Millions of Americans pay for Netflix, doling out anywhere from $6.99 to $22.99 a month. It's a common belief that you can get out of recurring charges like this by canceling your credit card. Netflix won't be able to find you, and your account will just go away, right? You wouldn't be crazy for believing it, but it's a myth that canceling a credit card will definitely stop your recurring charges. From a report: Nearly 46% of Americans opened a new credit card last year, according to Forbes, which means millions of Americans also canceled old ones. When you switch cards, Netflix doesn't just stop your service -- they just start charging your new card. Granted, it might be easier to just cancel your Netflix subscription directly. There's a largely hidden service that enables Netflix and most other subscription services to keep throwing charges at you indefinitely.

"Banks may automatically update credit or debit card numbers when a new card is issued. This update allows your card to continue to be charged, even if it's expired," Netflix says in its help center. Most major card providers offer a feature that enables this, including Visa. In 2003, Visa U.S.A. started offering a new software product to merchants called Visa Account Updater (VAU), according to a 2003 American Banker article. The service works with a network of banks to create a virtual tracking service of Americans' financial profiles. Whenever someone renews, or switches a credit card within their bank, the institution automatically update the VAU. This system lets Netflix and countless other corporations charge whatever card you have on file.

The United Kingdom has become the first country in the world to ban default guessable usernames and passwords from these IoT devices. Unique passwords installed by default are still permitted. From a report: The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) introduces new minimum-security standards for manufacturers, and demands that these companies are open with consumers about how long their products will receive security updates for.

Manufacturing and design practices mean many IoT products introduce additional risks to the home and business networks they're connected to. In one often-cited case described by cybersecurity company Darktrace, hackers were allegedly able to steal data from a casino's otherwise well-protected computer network after breaking in through an internet-connected temperature sensor in a fish tank. Under the PSTI, weak or easily guessable default passwords such as "admin" or "12345" are explicitly banned, and manufacturers are also required to publish contact details so users can report bugs.

Oakland, California is now home to "the first commercial hydrogen fuel station for big-rig trucks in the United States," according to the Los Angeles Times — serving 30 hydrogen fuel-cell trucks.

The newspaper says the facility "could mark the start of a nationwide network for fuel-cell truck refueling. It could also flop." Hydrogen fuel is expensive — as much as four times more expensive than gasoline or diesel fuel. The fuel cells, which drive electric motors to drive the truck, are enormously expensive as well.... The vehicles themselves are expensive too. Both battery electric and hydrogen fuel-cell trucks can cost three times as much or more than a $120,000 diesel truck. Those buying the trucks can qualify for state and federal subsidies to make up most of the upfront costs.
But government regulations may spark some demand: New diesel truck sales will be outlawed in California by 2036. Only zero-tailpipe-emission new trucks will be allowed. Already, zero-emission requirements are in place for trucks that enter ocean ports. And only two technologies are available to achieve that goal: battery electric trucks and hydrogen fuel-cell trucks. "We believe a good portion of those will be hydrogen vehicles," said Matt Miyasato, chief of public policy for hydrogen fuel distributor FirstElement Fuel. FirstElement, through its True Zero brand fueling stations, is the largest hydrogen vehicle fuel distributor in the U.S...

Battery electric is gaining a strong foothold in the medium-sized delivery truck market, but hydrogen could have a leg up for long-haul trucking. While a fuel cell is comparable in size to a diesel engine, a battery big enough for long-haul trucks adds weight and size and cuts down on the total freight load the truck can deliver. And while an electric truck battery can take hours to recharge, the refill time for hydrogen is more comparable to filling up with diesel fuel.