IRS Has Loads of Legacy IT, Still Has No Firm Plans To Replace It
The closure of the retirement office, in the eyes of the TIGTA, is part of the IRS’s failure to properly identify and plan for shutting down legacy systems and possibly replacing them with something modern. According to the audit report, the IRS identified 107 of its 334 legacy systems as up for retirement, yet only two of those 107 have specific decommissioning plans. The TIGTA would like to see clear plans for all of those identified systems, and had hoped the retirement office (or similar) would provide them. Then there’s the second incomplete recommendation, which the IG said is the IRS’s failure to properly apply its own definition of a legacy system to all of its tech. […] In its response to the IG report, the IRS said it had largely addressed the two incomplete recommendations, though not entirely as the Inspector General might want.
Read more of this story at Slashdot.
China-Linked Hackers Could Be Behind Cyberattacks On Russian State Agencies, Researchers Say
According to Kaspersky, the hackers sent phishing emails containing malicious archives. In the first stage of the attack, they exploited a dynamic-link library (DLL), commonly found on Windows computers, to collect information about the infected devices and load the additional malicious tools. While Kaspersky didn’t explicitly attribute the recent attacks to APT31 or APT27, it highlighted links between the tools that were used. Although the PlugY malware is still being analyzed, it is highly likely that it was developed using the DRBControl backdoor code, the researchers said. This backdoor was previously linked to APT27 and bears similarities to the PlugX malware, another tool typically used by hackers based in China.
A Species of Lungfish Claims Title of World’s Largest Animal Genome
FTC Finalizes Rule Banning Fake Reviews, Including Those Made With AI
According to the final rule, the maximum civil penalty for fake reviews is $51,744 per violation. However, the courts could impose lower penalties depending on the specific case. “Ultimately, courts will also decide how to calculate the number of violations in a given case,” the Commission wrote. […] The FTC initially proposed the rule on June 30, 2023, following an advance notice of proposed rulemaking issued in November 2022. You can read the finalized rule here (PDF), but we also included a summary of it below:
– No fake or disingenuous reviews. This includes AI-generated reviews and reviews from anyone who doesn’t have experience with the actual product.
– Businesses can’t sell or buy reviews, whether negative or positive.
– Company insiders writing reviews need to clearly disclose their connection to the business. Officers or managers are prohibited from giving testimonials and can’t ask employees to solicit reviews from relatives.
– Company-controlled review websites that claim to be independent aren’t allowed.
– No using legal threats, physical threats or intimidation to forcefully delete or prevent negative reviews. Businesses also can’t misrepresent that the review portion of their website comprises all or most of the reviews when it’s suppressing the negative ones.
– No selling or buying fake engagement like social media followers, likes or views obtained through bots or hacked accounts.
Artists Claim ‘Big’ Win In Copyright Suit Fighting AI Image Generators
“We won BIG,” an artist plaintiff, Karla Ortiz, wrote on X (formerly Twitter), celebrating the order. “Not only do we proceed on our copyright claims,” but “this order also means companies who utilize” Stable Diffusion models and LAION-like datasets that scrape artists’ works for AI training without permission “could now be liable for copyright infringement violations, amongst other violations.” Lawyers for the artists, Joseph Saveri and Matthew Butterick, told Ars that artists suing “consider the Court’s order a significant step forward for the case,” as “the Court allowed Plaintiffs’ core copyright-infringement claims against all four defendants to proceed.”
NIST Finalizes Trio of Post-Quantum Encryption Standards
NIST continued to evaluate two other sets of algorithms that could potentially serve as backup standards in the future. One of the sets includes three algorithms designed for general encryption — but the technology is based on a different type of math problem than the ML-KEM general-purpose algorithm in today’s finalized standards. NIST plans to select one or two of these algorithms by the end of 2024. Despite the new ones on the horizon, NIST mathematician Dustin Moody encouraged system administrators to start transitioning to the new standards ASAP, because full integration takes some time. “There is no need to wait for future standards,” Moody advised in a statement. “Go ahead and start using these three. We need to be prepared in case of an attack that defeats the algorithms in these three standards, and we will continue working on backup plans to keep our data safe. But for most applications, these new standards are the main event.”
From NIST: This notice announces the Secretary of Commerce’s approval of three Federal Information Processing Standards (FIPS):
– FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard
– FIPS 204, Module-Lattice-Based Digital Signature Standard
– FIPS 205, Stateless Hash-Based Digital Signature Standard
These standards specify key establishment and digital signature schemes that are designed to resist future attacks by quantum computers, which threaten the security of current standards. The three algorithms specified in these standards are each derived from different submissions in the NIST Post-Quantum Cryptography Standardization Project.