TikTok’s Head of Cybersecurity Is Stepping Down Amid Rising Privacy Concerns

TikTok’s chief security officer is leaving the role in September amid renewed calls from members of the government to look into the social media app’s ties to China. Insider reports: A TikTok spokesperson told the Wall Street Journal that the decision to replace Roland Cloutier as Chief Security Officer is unrelated to any data-privacy concerns. TikTok, which is currently the fastest growing social media company, has often faced scrutiny for being owned by the Chinese company ByteDance. Last month, Buzzfeed News reported that US user data had been repeatedly accessed by TikTok employees in China based on leaked audio from internal company meetings. […]

CEO Shou Zi Chew sent a note to TikTok employees about Cloutier’s exit as chief security officer, writing that “part of our evolving approach has been to minimize concerns about the security of user data in the U.S., including the creation of a new department to manage U.S. user data for TikTok. This is an important investment in our data protection practices, and it also changes the scope of the Global CSO role.” Cloutier will officially step down from his role as Chief Security Officer in September and transition to an advisory role at TikTok.

Read more of this story at Slashdot.

Some Beijing Travelers Asked To Wear COVID Monitoring Bracelets

Some Beijing residents returning from domestic travel were asked by local authorities to wear COVID-19 monitoring bracelets, prompting widespread criticism on Chinese social media by users concerned about excessive government surveillance. Reuters reports: According to posts published on Wednesday evening and Thursday morning on microblogging platform Weibo, some Beijing residents returning to the capital were asked by their neighborhood committees to wear an electronic bracelet throughout the mandatory home quarantine period. Chinese cities require those arriving from parts of China where COVID cases were found to quarantine. Authorities fit doors with movement sensors to monitor their movements but until now have not widely discussed the use of electronic bracelets.

The bracelets monitor users’ temperature and upload the data onto a phone app they had to download, the posts said. “This bracelet can connect to the Internet, it can definitely record my whereabouts, it is basically the same as electronic fetters and handcuffs, I won’t wear this,” Weibo user Dahongmao wrote on Wednesday evening, declining to comment further when contacted by Reuters. This post and others that shared pictures of the bracelets were removed by Thursday afternoon, as well as a related hashtag that had garnered over 30 million views, generating an animated discussion on the platform.

A community worker at Tiantongyuan, Beijing’s northern suburb, confirmed to state-backed news outlet Eastday that the measure was in effect in the neighbourhood, though she called the practice “excessive.” A Weibo post and a video published on the official account of Eastday.com was removed by Thursday afternoon. Weibo user Dahongmao wrote on Thursday afternoon his neighbourhood committee had already collected the bracelets, telling him that “there were too many complaints.”

Read more of this story at Slashdot.

Microsoft Moves To New Windows Development Cycle

Microsoft is shifting to a new engineering schedule for Windows which will see the company return to a more traditional three-year release cycle for major versions of the Windows client, while simultaneously increasing the output of new features shipping to the current version of Windows on the market. Zac Bowden writes via Windows Central: The news comes just a year after the company announced it was moving to a yearly release cadence for new versions of Windows. According to my sources, Microsoft now intends to ship “major” versions of the Windows client every three years, with the next release currently scheduled for 2024, three years after Windows 11 shipped in 2021. This means that the originally planned 2023 client release of Windows (codenamed Sun Valley 3) has been scrapped, but that’s not the end of the story. I’m told that with the move to this new development schedule, Microsoft is also planning to increase the output of new features rolling out to users on the latest version of Windows.

Starting with Windows 11 version 22H2 (Sun Valley 2), Microsoft is kicking off a new “Moments” engineering effort which is designed to allow the company to rollout new features and experiences at key points throughout the year, outside of major OS releases. I hear the company intends to ship new features to the in-market version of Windows every few months, up to four times a year, starting in 2023. Microsoft has already tested this system with the rollout of the Taskbar weather button on Windows 11 earlier this year. That same approach will be used for these Moments, where the company will group together a handful of new features that have been in testing with Insiders and roll them out to everyone on top the latest shipping release of Windows. Many of the features that were planned for the now-scrapped Sun Valley 3 client release will ship as part of one of these Moments on top of Sun Valley 2, instead of in a dedicated new release of the Windows client in the fall of 2023.

Read more of this story at Slashdot.

Base Model MacBook Air With M2 Chip Has Slower SSD Speeds In Benchmarks

According to The Verge’s review of the new MacBook Air with the M2 chip, the $1,199 base model equipped with 256GB of storage has a single NAND chip, which will lead to slower SSD speeds in benchmark testing. MacRumors reports: The dilemma arises from the fact that Apple switched to using a single 256GB flash storage chip instead of two 128GB chips in the base models of the new MacBook Air and 13-inch MacBook Pro. Configurations equipped with 512GB of storage or more are equipped with multiple NAND chips, allowing for faster speeds in parallel. In a statement issued to The Verge, Apple said that while benchmarks of the new MacBook Air and 13-inch MacBook Pro with 256GB of storage “may show a difference” compared to previous-generation models, real-world performance is “even faster”:

“Thanks to the performance increases of M2, the new MacBook Air and the 13-inch MacBook Pro are incredibly fast, even compared to Mac laptops with the powerful M1 chip. These new systems use a new higher density NAND that delivers 256GB storage using a single chip. While benchmarks of the 256GB SSD may show a difference compared to the previous generation, the performance of these M2 based systems for real world activities are even faster.” It’s unclear if Apple’s statement refers explicitly to real-world SSD performance or overall system performance.

Read more of this story at Slashdot.

Weed Killer Glyphosate Found In Most Americans’ Urine

An anonymous reader quotes a report from U.S. News & World Report: More than 80% of Americans have a widely used herbicide lurking in their urine, a new government study suggests. The chemical, known as glyphosate, is “probably carcinogenic to humans,” the World Health Organization’s International Agency for Research on Cancer has said. Glyphosate is the active ingredient in Roundup, a well-known weed killer. The U.S. National Nutrition Examination Survey found the herbicide in 1,885 of 2,310 urine samples that were representative of the U.S. population. Nearly a third of the samples came from children ages 6 to 18.

Traces of the herbicide have previously been found in kids’ cereals, baby formula, organic beer and wine, hummus and chickpeas. In 2020, the EPA determined that the chemical was not a serious health risk and “not likely” to cause cancer in humans. However, a federal appeals court ordered the EPA to reexamine those findings last month, CBS News reported. In 2019, a second U.S. jury ruled Bayer’s Roundup weed killer was the cause of a man’s cancer. It was only the second of some 11,200 Roundup lawsuits to go to trial in the United States. Another California man was awarded $78 million (originally $289 million) in the first lawsuit alleging a glyphosate link to cancer.

A study published around the same time as those rulings found that glyphosate “destroys specialized gut bacteria in bees, leaving them more susceptible to infection and death from harmful bacteria.”

Further reading: ‘It’s a Non-Party Political Issue’: Banning the Weedkiller Glyphosate (The Guardian)

Read more of this story at Slashdot.

Lenovo Patches UEFI Code Execution Vulnerability Affecting More Than 70 Laptop Models

Lenovo has released a security advisory to inform customers that more than 70 of its laptops are affected by a UEFI/BIOS vulnerability that can lead to arbitrary code execution. SecurityWeek reports: Researchers at cybersecurity firm ESET discovered a total of three buffer overflow vulnerabilities that can allow an attacker with local privileges to affected Lenovo devices to execute arbitrary code. However, Lenovo says only one of the vulnerabilities (CVE-2022-1892) impacts all devices, while the other two impact only a handful of laptops. “The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features,” ESET explained. “These vulnerabilities were caused by insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable. An attacker could create a specially crafted NVRAM variable, causing buffer overflow of the Data buffer in the second GetVariable call,” it added.

Lenovo has also informed customers about Retbleed, a new speculative execution attack impacting devices with Intel and AMD processors. The company has also issued an advisory for a couple of vulnerabilities affecting many products that use the XClarity Controller server management engine. These flaws can allow authenticated users to cause a DoS condition or make unauthorized connections to internal services.

Read more of this story at Slashdot.

Google Files a Lawsuit That Could Kick Tinder Out of the Play Store

Google has counter-sued Match seeking monetary damages and a judgement that would let it kick Tinder and the group’s other dating apps out of the Play Store, Bloomberg has reported. Engadget reports: Earlier this year, Match sued Google alleging antitrust violations over a decision requiring all Android developers to process “digital goods and services” payments through the Play Store billing system. Following the initial lawsuit in May, Google and Match reached a temporary agreement allowing Match to remain on the Play Store and use its own payments system. Google also agreed to make a “good faith” effort to address Match’s billing concerns. Match, in turn, was to make an effort to offer Google’s billing system as an alternative.

However, Google parent Alphabet claims that Match Group now wants to avoid paying “nothing at all” to Google, including its 15 to 30 percent Play Store fees, according to a court filing. “Match Group never intended to comply with the contractual terms to which it agreed… it would also place Match Group in an advantaged position relative to other app developers,” the document states. Match group said that Google’s Play Store policies violate federal and state laws. “Google doesn’t want anyone else to sue them so their counterclaims are designed as a warning shot,” Match told Bloomberg in a statement. “We are confident that our suit, alongside other developers, the US Department of Justice and 37 state attorneys general making similar claims, will be resolved in our favor early next year.”

Read more of this story at Slashdot.

Edits To a Cholesterol Gene Could Stop the Biggest Killer On Earth

A volunteer in New Zealand has become the first person to undergo DNA editing in order to lower their blood cholesterol, a step that may foreshadow wide use of the technology to prevent heart attacks. MIT Technology Review reports: The experiment, part of a clinical trial by the US biotechnology company Verve Therapeutics, involved injecting a version of the gene-editing tool CRISPR in order to modify a single letter of DNA in the patient’s liver cells. According to the company, that tiny edit should be enough to permanently lower a person’s levels of “bad” LDL cholesterol, the fatty molecule that causes arteries to clog and harden with time. The patient in New Zealand had an inherited risk for extra-high cholesterol and was already suffering from heart disease. However, the company believes the same technique could eventually be used on millions of people in order to prevent cardiovascular disease.

In New Zealand, where Verve’s clinical trial is taking place, doctors will give the gene treatment to 40 people who have an inherited form of high cholesterol known as familial hypercholesterolemia, or FH. People with FH can have cholesterol readings twice the average, even as children. Many learn they have a problem only when they get hit with a heart attack, often at a young age. The study also marks an early use of base editing, a novel adaptation of CRISPR that was first developed in 2016. Unlike traditional CRISPR, which cuts a gene, base editing substitutes a single letter of DNA for another.

The gene Verve is editing is called PCSK9. It has a big role in maintaining LDL levels and the company says its treatment will turn the gene off by introducing a one-letter misspelling. […] One reason Verve’s base-editing technique is moving fast is that the technology is substantially similar to mRNA vaccines for covid-19. Just like the vaccines, the treatment consists of genetic instructions wrapped in a nanoparticle, which ferries everything into a cell. While the vaccine instructs cells to make a component of the SARS-CoV-2 virus, the particles in Verve’s treatment carry RNA directions for a cell to assemble and aim a base-editing protein, which then modifies that cell’s copy of PCSK9, introducing the tiny mistake. In experiments on monkeys, Verve found that the treatment lowered bad cholesterol by 60%. The effect has lasted more than a year in the animals and could well be permanent. The report notes that the human experiment does carry some risk. “Nanoparticles are somewhat toxic, and there have been reports of side effects, like muscle pain, in people taking other drugs to lower PCSK9,” reports MIT Technology Review. “And whereas treatment with ordinary drugs can be discontinued if problems come up, there’s as yet no plan to undo gene editing once it’s performed.”

Read more of this story at Slashdot.

New Working Speculative Execution Attack Sends Intel and AMD Scrambling

Some microprocessors from Intel and AMD are vulnerable to a newly discovered speculative execution attack that can covertly leak password data and other sensitive material, sending both chipmakers scrambling once again to contain what is proving to be a stubbornly persistent vulnerability. Ars Technica reports: Researchers from ETH Zurich have named their attack Retbleed because it exploits a software defense known as retpoline, which was introduced in 2018 to mitigate the harmful effects of speculative execution attacks. Speculative execution attacks, also known as Spectre, exploit the fact that when modern CPUs encounter a direct or indirect instruction branch, they predict the address for the next instruction they’re about to receive and automatically execute it before the prediction is confirmed. Spectre works by tricking the CPU into executing an instruction that accesses sensitive data in memory that would normally be off-limits to a low-privileged application. Retbleed then extracts the data after the operation is canceled. […] The ETH Zurich researchers have conclusively shown that retpoline is insufficient for preventing speculative execution attacks. Their Retbleed proof-of-concept works against Intel CPUs with the Kaby Lake and Coffee Lake microarchitectures and AMD Zen 1, Zen 1+, and Zen 2 microarchitectures.

In response to the research, both Intel and AMD advised customers to adopt new mitigations that the researchers said will add as much as 28 percent more overhead to operations. […] Both Intel and AMD have responded with advisories. Intel has confirmed that the vulnerability exists on Skylake-generation processors that don’t have a protection known as enhanced Indirect Branch Restricted Speculation (eIBRS) in place. “Intel has worked with the Linux community and VMM vendors to provide customers with software mitigation guidance which should be available on or around today’s public disclosure date,” Intel wrote in a blog post. “Note that Windows systems are not affected given that these systems use Indirect Branch Restricted Speculation (IBRS) by default which is also the mitigation being made available to Linux users. Intel is not aware of this issue being exploited outside of a controlled lab environment.” AMD, meanwhile, has also published guidance. “As part of its ongoing work to identify and respond to new potential security vulnerabilities, AMD is recommending software suppliers consider taking additional steps to help guard against Spectre-like attacks,” a spokesman wrote in an email. The company has also published a whitepaper.

[Research Kaveh Razavi added:] “Retbleed is more than just a retpoline bypass on Intel, specially on AMD machines. AMD is in fact going to release a white paper introducing Branch Type Confusion based on Retbleed. Essentially, Retbleed is making AMD CPUs confuse return instructions with indirect branches. This makes exploitation of returns very trivial on AMD CPUs.” The mitigations will come at a cost that the researchers measured to be between 12 percent and 28 percent more computational overhead. Organizations that rely on affected CPUs should carefully read the publications from the researchers, Intel, and AMD and be sure to follow the mitigation guidance.

Read more of this story at Slashdot.

TikTok Hits Pause On Its Most Controversial Privacy Update Yet

Early last month, TikTok users across Europe were told that, starting July 13th, the platform would begin using their on-app data to serve up targeted ads, even if those users didn’t consent to the practice. Now, less than a day before that change would have rolled out European Union-wide, it looks like the company’s reconsidering things a bit. Gizmodo reports: A company spokesperson told TechCrunch on Tuesday that TikTok is “pausing” the update while it “engage[s] on the questions from stakeholders,” about the way it handles personalized ads. And needless to say, there are quite a lot of questions about that right now — from data protection authorities in the EU, from lawmakers in the US, and from privacy experts pretty much everywhere.

For context: until this point, European users that opened the TikTok app needed to offer express consent to let the company use their data for targeted ads. This update planned to do away with the need for that pesky consent by on a legal basis known as “legitimate interest” to target those ads instead. In a nutshell, the “legitimate interest” clause would let TikTok process people’s data, consent-free, if it was for a purpose that TikTok deemed reasonable. This means the company could say, for example, that because targeted ads bring in more money than their un-targeted equivalent, it would be reasonable to serve all users — consenting or otherwise — targeted ads. Reasonable, right?

Read more of this story at Slashdot.