Former Ubiquiti Dev Charged For Trying To Extort His Employer

Long-time Slashdot reader tinskip shares a report from BleepingComputer: Nickolas Sharp, a former employee of networking device maker Ubiquiti, was arrested and charged today with data theft and attempting to extort his employer while posing as a whistleblower and an anonymous hacker. “As alleged, Nickolas Sharp exploited his access as a trusted insider to steal gigabytes of confidential data from his employer, then, posing as an anonymous hacker, sent the company a nearly $2 million ransom demand,” U.S. Attorney Damian Williams said today. “As further alleged, after the FBI searched his home in connection with the theft, Sharp, now posing as an anonymous company whistleblower, planted damaging news stories falsely claiming the theft had been by a hacker enabled by a vulnerability in the company’s computer systems.”

According to the indictment (PDF), Sharp stole gigabytes of confidential data from Ubiquiti’s AWS (on December 10, 2020) and GitHub (on December 21 and 22, 2020) infrastructure using his cloud administrator credentials, cloning hundreds of GitHub repositories over SSH. Throughout this process, the defendant tried hiding his home IP address using Surfshark’s VPN services. However, his actual location was exposed after a temporary Internet outage. To hide his malicious activity, Sharp also altered log retention policies and other files that would have exposed his identity during the subsequent incident investigation. “Among other things, SHARP applied one-day lifecycle retention policies to certain logs on AWS which would have the effect of deleting certain evidence of the intruder’s activity within one day,” the court documents read.

After Ubiquiti disclosed a security incident in January following Sharp’s data theft, while working to assess the scope and remediate the security breach effects he also tried extorting the company (posing as an anonymous hacker). His ransom note demanded almost $2 million in exchange for returning the stolen files and the identification of a remaining vulnerability. The company refused to pay the ransom and, instead, found and removed a second backdoor from its systems, changed all employee credentials, and issued the January 11 security breach notification. After his extortion attempts failed, Sharp shared information with the media while pretending to be a whistleblower and accusing the company of downplaying the incident. This caused Ubiquiti’s stock price to fall by roughly 20%, from $349 on March 30 to $290 on April 1, amounting to losses of over $4 billion in market capitalization.

Read more of this story at Slashdot.

Google Readies ‘Pixel Watch’ For 2022 Launch

According to Insider, Google is planning to launch its own in-house smartwatch in 2022. “Two employees said a spring launch was possible if the latest testing round is a success, however all sources stressed that details and timelines were subject to change depending on feedback from employees testing the device,” reports Insider. From the report: The device, which is internally codenamed “Rohan,” will showcase the latest version of Google’s smartwatch software to customers and partners […]. To date, Google has opted to create software for smartwatches built by partners such as Samsung, but has not made a device of its own. […] Unlike the Apple Watch, Google’s smartwatch is round and has no physical bezel, according to artistic renders viewed by Insider and employees who have seen it. Like Apple’s device, it will capture health and fitness metrics.

The watch has sometimes been referred to internally as the “Pixel watch” or “Android watch,” but executives have used a variety of names to refer to the project and it is unclear what branding Google will land on if and when it launches the device. […] The Rohan watch has a heart-rate monitor and offers basic health-tracking features such as step counting. In its current form the watch will require daily charging, according to a feedback document seen by Insider. One employee testing the watch lamented the charging was slow. Like the Apple Watch, Google’s wearable will also use proprietary watchbands. […]

Read more of this story at Slashdot.

Trump’s Social Media Site Quietly Admits It’s Based On Mastodon

mrflash818 shares a report from PCMag: To avoid a lawsuit, Donald Trump’s social media site is quietly acknowledging the computer code powering the platform comes from Mastodon. Trump’s “Truth Social” site now features a dedicated section labeled “open source,” which contains a Zip archive to Mastodon’s source code. “Our goal is to support the open source community no matter what your political beliefs are. That’s why the first place we go to find amazing software is the community and not ‘Big Tech,'” the site adds. Truth Social created the section on Nov. 12, two weeks after social networking provider Mastodon threatened to sue Trump’s platform for violating its open-source license.

Since Mastodon is an open-source software project, anyone can use it for free. But if you do, the software license demands the code and any ensuing modifications to your Mastodon-powered platform be made publicly available, allowing the entire Mastodon community to benefit. (This doesn’t include publishing any user data or disclosing admin access, though.) […] However, it appears the uploaded Zip archive is simply a barebones version of the existing Mastodon source code you can already find on GitHub. The archive itself is only a mere 30MB in size. Nevertheless, Rochko said the Zip archive might “become more interesting” once Truth Social finally launches.

Read more of this story at Slashdot.

Apple Loses Key Autos Engineer To Electric Aviation Startup Archer

Michael Schwekutsch, a director of engineering in the Apple Special Projects Group that’s reportedly working on self-driving cars, has left to join electric air taxi start-up Archer as its senior VP of engineering. Schwekutsch noted the change on his LinkedIn page on Wednesday. CNBC reports: The move is the latest example of staff turnover in Apple’s secretive car project. Former VP of special projects Doug Field left in September to lead Ford’s emerging technology efforts, a priority for the legacy automaker under its new Ford+ turnaround plan. The move also indicates that tech start-ups attacking climate issues can attract the most qualified engineers. A former VP of engineering at Tesla, Schwekutsch holds more than 100 patents related to vehicle design, worked on prototypes for the Tesla Plaid systems, and led production of electric drive systems for several vehicle models from Tesla, Porsche, BMW and others, according to his online resume.

Archer is working on electric-powered air taxis that take off and land vertically. Like competitors Lilium and Joby Aviation, Archer aims to transport passengers on short trips, avoiding traffic on the ground and the noise and emissions generated by traditional fuel-burning aircraft and cars. It’s already developed a model known as the Maker that can carry one passenger and a pilot, and is working on a four-passenger model. The company aims to operate urban air mobility services starting in Los Angeles once its aircraft are cleared by the Federal Aviation Administration for commercial use. Founded in 2018 and based in Palo Alto, Calif., Archer went public in September after merging with a special purpose acquisition company (SPAC), Atlas Crest Investment Corp.

Read more of this story at Slashdot.

Apple’s AR Headset Coming Next Year With ‘Mac-level’ Power, Report Says

Apple’s first AR headset will be released in the fourth quarter of 2022, according to a research note from analyst Ming-chi Kuo. The Verge: Kuo predicted back in March that the headset would be released sometime next year, and is now also providing more technical information on the device. The headset will have two processors, according to Kuo, one with “the same level of computing power as M1” and one lower-end chip to handle input from the various sensors. For example, Kuo says that the headset has “at least 6-8 optical modules to simultaneously provide continuous video see-through AR services.” The headset is also said to have two 4K OLED microdisplays from Sony. Kuo cites the headset’s “Mac-level (PC-level) computing power,” its ability to be operated untethered, and its wide range of applications as factors that will differentiate it from competitors. Various reports on the device have disagreed as to whether it will be wholly independent or rely on an iPhone or a separate processor box to stream content.

Read more of this story at Slashdot.

Apple Renews Bid To Halt Court-Ordered App Store Change

Over 300,000 Android Users Have Downloaded These Banking Trojan Malware Apps, Say Security Researchers

Over 300,000 Android smartphone users have downloaded what turned out to be banking trojans after falling victim to malware that has bypassed detection by the Google Play app store. ZDNet reports: Detailed by cybersecurity researchers at ThreatFabric, the four different forms of malware are delivered to victims via malicious versions of commonly downloaded applications, including document scanners, QR code readers, fitness monitors and cryptocurrency apps. The apps often come with the functions that are advertised in order to avoid users getting suspicious. In each case, the malicious intent of the app is hidden and the process of delivering the malware only begins once the app has been installed, enabling them to bypass Play Store detections.

The most prolific of the four malware families is Anatsa, which has been installed by over 200,000 Android users — researchers describe it as an “advanced” banking trojan that can steal usernames and passwords, and uses accessibility logging to capture everything shown on the user’s screen, while a keylogger allows attackers to record all information entered into the phone. […] The second most prolific of the malware families detailed by researchers at ThreatFabric is Alien, an Android banking trojan that can also steal two-factor authentication capabilities and which has been active for over a year. The malware has received 95,000 installations via malicious apps in the Play Store. […] The other two forms of malware that have been dropped using similar methods in recent months are Hydra and Ermac, which have a combined total of at least 15,000 downloads. ThreatFabric has linked Hydra and Ermac to Brunhilda, a cyber-criminal group known to target Android devices with banking malware. Both Hydra and Ermac provide attackers with access to the device required to steal banking information. ThreatFabric has reported all of the malicious apps to Google and they’ve either already been removed or are under review.

Read more of this story at Slashdot.

Browser Extension Shows How Many Brands On Amazon Are Actually Just Amazon

A new browser extension promises to show you which products in your Amazon search results are sold by brands that are either owned by or are exclusive to Amazon, giving you a better idea of who’s selling what you’re buying. The Verge reports: It’s called Amazon Brand Detector, and it uses a list of Amazon brands created by The Markup, along with filters and other techniques (detailed here) to detect and highlight products that are a part of Amazon’s Our Brands program. The Markup created this extension after its investigation into how Amazon ranks its in-house brands in search results and says the tool (available for Chrome-like browsers and Firefox) is designed to make searches more transparent. When we tested it, it obviously highlighted Amazon Basics and Essentials products, but it also drew attention to results that were otherwise indistinguishable from ones not affiliated with Amazon: a dog leash labeled as being made by Panykoo, socks by Teebulen, a sweater by Ofeefan.

While Amazon marked some of those results as “featured from our brands,” that wasn’t the case for all of them. That advisory text is also small and grey, making it easy to miss if you’re casually browsing (especially since there may not be any notice of the affiliation on the actual product page), and it didn’t show up on every result the tool highlighted. Amazon isn’t necessarily shadowy about these brands: it has a page that lists its “private and select exclusive brands,” many of which have legit-sounding names: Happy Belly, Wag, Nature’s Wonder. Some are private labels owned by Amazon, where some are “curated selections” sold exclusively on Amazon but not necessarily operated by the company. According to The Markup, the extension “does not collect any data” and should be compatible with other extensions.

Read more of this story at Slashdot.

‘Massive’ Startup Wants To Rent Your Spare Compute Power To Pay For Apps

What if users could pay for apps or services not with money or attention, but with their spare compute power? A startup called “Massive” is working to take this concept “into the modern world as an alternative to charging users or pounding them with advertisements to generate revenue,” writes TechCrunch’s Alex Wilhelm. From the report: Massive announced an $11 million round this morning, led by Point72 Ventures with participation from crypto-themed entities, including CoinShares Ventures and Coinbase Ventures. Several angels also participated in the funding event. The model is interesting, and Massive’s funding round is an indication that it has found some market traction. So, we get the company on the horn to learn more.

Massive co-founder and CEO Jason Grad described the startup’s work as something akin to an Airbnb or Turo for users’ computers, comparing its service to some of the more popular consumer-sharing startups that folks already know. It’s a reasonable comparison. Some 50,000 desktop computer users — nodes, in the company’s parlance — have opted into its service. Which is white hat, it goes without saying. Given that Massive is asking for compute power, it will have constant work to do to ensure that it is a good steward of user trust and partner selection; no one wants their spare CPU cycles to go to something illegal. The company has a good early stance toward caring for its nascent compute exchange, with a hard requirement of getting users to opt into its service before joining.

To start, Massive is working with crypto-focused companies. They have an obvious need for compute power, and the work they execute — running blockchain calculations — is monetized through block rewards and other fees, making them easy choices for partnerships. You can now see why the company’s investor list includes a number of crypto-focused venture capital firms. The startup’s goal is broader, however. It wants to build a two-sided marketplace for compute power, Grad explained. That means lots more users offering up a slice of their computing power, future acceptance of mobile devices, and a broader partner list. Part of the company’s perspective is rooted in the belief that the dominant business models of the internet today are lacking. “Shit,” to quote Grad directly.

Read more of this story at Slashdot.

Microsoft Edge’s Latest Feature Called a ‘Shameless Cash Grab’ by Critics

Microsoft Edge recently gained a feature that allows people to pay for online purchases in installments. It’s known as buy now, pay later (BNPL), and it’s currently in testing on Microsoft Edge Dev and Canary. The option drew criticism from fans and users of the browser that expressed frustration in the comments section of the post announcing the feature. From a report: The center of most complaints is the belief that Microsoft Edge is becoming bloated with shopping features rather than delivering a pure browsing experience. BNPL is optional, but its detractors are against the concept of Edge having shopping features built in. “It’s impressive how quickly you can throw away years of hard work and good will with a ridiculous feature like this,” said vyrotek. “The Edge teams need to pause and think how they possibly thought this was a good idea. Even the Bing features are getting too aggressive.” Cameron_Bush states asks for Microsoft to reconsider the addition. “This sounds like an awful idea that will only be seen as a shameless cashgrab are/or bloat by media outlets. I beg you reconsider pushing this to live. The negative press this feature is going to receive isn’t worth it.”

Read more of this story at Slashdot.