Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.

Categories

Hackers Targeting Human Rights Activists in Morocco and Western Sahara

The Hacker News - 9 April 2024 - 15:45
Human rights activists in Morocco and the Western Sahara region are the targets of a new threat actor that leverages phishing attacks to trick victims into installing bogus Android apps and serve credential harvesting pages for Windows users. Cisco Talos is tracking the activity cluster under the name Starry Addax, describing it as primarily singling out activists associated with
Category: Hacking & Security

Researchers Discover LG Smart TV Vulnerabilities Allowing Root Access

The Hacker News - 9 April 2024 - 15:05
Multiple security vulnerabilities have been disclosed in LG webOS running on its smart televisions that could be exploited to bypass authorization and gain root access on the devices. The findings come from Romanian cybersecurity firm Bitdefender, which discovered and reported the flaws in November 2023. The issues were fixed by LG as part of updates released on March 22, 2024. The
Category: Hacking & Security

Canonical Makes Network Management Simpler and More Secure with Netplan 1.0

LinuxSecurity.com - 9 April 2024 - 14:29
Canonical, the company behind Ubuntu, has introduced Netplan 1.0, a network configuration tool that simplifies networking configuration on Linux systems. Netplan acts as a control layer above network stacks like systemd-networkd and NetworkManager, allowing administrators to manage and configure them easily.
Category: Hacking & Security

CL0P's Ransomware Rampage - Security Measures for 2024

The Hacker News - 9 April 2024 - 13:24
2023 CL0P Growth: Emerging in early 2019, CL0P was first introduced as a more advanced version of its predecessor the ‘CryptoMix’ ransomware, brought about by its owner CL0P ransomware, a cybercrime organisation. Over the years the group remained active with significant campaigns throughout 2020 to 2022. But in 2023 the CL0P ransomware gang took itself to new heights and became one of the
Category: Hacking & Security

Yes, Apple’s Vision Pro is an enterprise product

Computerworld.com [Hacking News] - 9 April 2024 - 12:01

Business users are picking up on Apple’s visionOS, exploring a range of mission-focused applications and prompting one leading SAP executive to call the tech, “a force multiplier for enterprises”. 

Apple improves its visionOS offer for the enterprise

Apple is aware of this and today Apple announced a new developer support module called the Enterprise Spatial Design Lab. These sessions will be available later this summer and are designed to provide enterprises with support to bring apps from concept to reality.

And in a second move, Deloitte announced today it is expanding its Apple practice to include a new Academy for Apple Vision Pro. With trained experts, the Academy aims to provide a series of one-week, instructor-led courses to help business users come to grips with the potential of visionOS.

Why is business interested?

So, why are business tech leaders so excited? In the simplest terms, they see opportunities for new wearable computing interfaces using artificial intelligence (AI) to unlock productivity. Morgan Stanley analyst Eric Woodring got it right when he said in February, “The Vision Pro seems ripe for Enterprise adoption.”

Spatial computing isn’t just some kind of posh entertainment system (though it is also that); it’s an immersive augmentation environment in which computation becomes highly contextual. It also makes extensive use of AI and the on-chip Neural engine to handle tasks such as hand tracking, room mapping, and more. 

The hint that Apple expected leading edge users to work with the device first was — and still is, quite obviously — in the name (as well as the MDM support). Box CEO Aaron Levy is typical in sharing high expectations, telling me recently, “I think we’re going to look back on this period as probably the most transformative technology we’ve ever seen.”

What SAP says

SAP introduced a visionOS version of SAP Analytics Cloud on the day Apple shipped the product. It’s a tool that helps surface data-driven insights to improve business decisions. The app gives Vision Pro users a wide field of view, along with the capacity to drill deep down in data. This is not the only SAP application to make it to Apple’s new device – SAP Mobile Start is also available.

Philipp Herzig, chief AI officer for SAP SE, explained: “Going forward, we see the power of visionOS combined with generative AI being a force multiplier for enterprises.”

What Microsoft thinks

Apple and Microsoft worked together to ensure Microsoft 365 productivity apps were available with the introduction of Vision Pro. That also includes support for Microsoft’s own generative AI (genAI) companion, Copilot. “Spatial computing has enabled us to rethink how professionals can be productive and work intelligently with the power of AI,” said Nicole Herskowitz, vice president for Microsoft 365 and Teams. “With Microsoft 365 and Teams on Apple Vision Pro, your office moves with you, allowing users to view apps side by side on an infinite canvas with spatial computing for incredible multitasking and collaboration.”

Porsche races into spatial

The Porsche Race Engineer app is a unique deployment that combines data in interesting ways for use in real life situations on the racetrack. What the app does is combine critical car data, such as speed and braking performance, and puts this beside track conditions, car positioning, and live video from the car’s dashboard.

The idea is that the engineering teams have more insight into vehicle performance than ever before. Armed with the app, Porsche broke the US record for electric vehicles with the new Porsche Taycan Turbo GT earlier this year. This data may also be a glimmer of a future for car racing fans. “At Porsche, we’ve always been driven by dreams, and Apple Vision Pro has enabled us to reimagine track experiences,” said Oliver Blume, Porsche’s CEO.

Take to the skies

KLM Royal Dutch Airlines is building an app it calls The Engine Shop. This is designed to teach aircraft maintenance to engineering technicians using real-life “digital twins” of the aircraft concerned. The idea is that technicians can learn about these machines without the cost of taking the plane offline for the hundreds of hours such training requires. 

“We see Apple Vision Pro as a tremendous value-add that will improve our fleet availability and operations,” said Bob Tulleken, KLM’s vice president of Operations Decision Support. “Training our employees with spatial computing will lead to fewer costly errors, because the most current information they need to do their job is there in front of them as they perform the task. This means we not only get vastly more efficient in our work, but also provide a better work environment for our employees to succeed.”  

NVIDIA gets spatial design

Every professional is aware that developing design and manufacturing processes is complex and requires large amounts of data from various sources. This has led many to ponder the use of digital twins. This is realized in Vision Pro, with NVIDIA Omniverse Cloud APIs enabling developers to stream massive 3D engineering and simulation data sets from the cloud to the device, which can then run highly detailed visuals and renderings that can also be manipulated in real time. This really matters to many industries and could help them optimize product and process design.

“The world’s industries are racing to build digital twins of products, facilities, and processes to better test and optimize designs well before constructing them in the physical world,” said Rev Lebaredian, NVIDIA’s vice president of Omniverse and Simulation Technology. “Enterprises can now combine the power and capabilities of Apple Vision Pro and the physically accurate renderings of OpenUSD content with NVIDIA accelerated computing to power the next generation of immersive digital experiences.”

What Apple said

“There’s tremendous opportunity for businesses to reimagine what’s possible using Apple Vision Pro at work,” said Susan Prescott, Apple’s vice president of Worldwide Developer Relations and Enterprise Marketing. “Combined with enterprise-grade capabilities like mobile device management built into visionOS, we believe spatial computing has the potential to revolutionize industries around the world.”

While there’s evidently some build-up of hype, the proof of any dessert is in its eating, and Apple today published first-hand insights from an array of business users already exploring the potential of visionOS in scenarios as diverse as business management, training, engineering and beyond.

So, what else are enterprises devising?

Apple has published an extensive list that pretty much proves the claim that many enterprises are exploring use of Vision Pro to get things done. The activity is similar in the healthcare industry, which seems to be rapidly embracing Apple’s product for use during surgery — including use in a shoulder operation.

Webex by Cisco, Zoom, and Box are all visionOS savvy. Video conferencing gains support for Personas and Spatial Audio, while Box makes it easy for users to collaborate and securely manage files and content, including 3D objects, allowing them to intuitively bring this content into the world around them.

There’s also a new and extensive family of emergency response apps for the device. These combine real time with historical and location data to help improve incident management. For example, the FireOps app, developed by About Objects and DigitalCM, provides a unified operational view of Incident Action Plans (IAPs) to improve decisions made in life or death situations.

The list of apps is growing

Additional enterprise-focused apps that show what’s available include:

  • Lowe’s Style Studio, which lets customers visualize and design kitchens using Vision Pro.
  • JigSpace, which brings intuitive, hands-on inspection and effortless collaboration to help users communicate complex ideas, products, and processes with spatial context.
  • EnBW Energie, which enables visualization of renewable energy infrastructure projects.
  • Taqtile Manifest, which makes digital work instructions actionable with gesture or glance.
  • TeamViewer Spatial Support, which enables remote experts and service technicians to troubleshoot repair and maintenance processes.
  • BILT, which provides 3D interactive instructions with voice, text, and animated guidance for training and more.
  • Guided Work, a tool for architects, builders, and maintenance workers that provides contextual location based information, such as building schematics, work orders, and the position (if known) of plumbing, wiring and more.

Let me know as new solutions appear; I’m watching this space with interest.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

Apple, Artificial Intelligence, Augmented Reality, Vendors and Providers
Category: Hacking & Security

Feds say Microsoft security ‘requires an overhaul’ — but will it listen?

Computerworld.com [Hacking News] - 9 April 2024 - 12:00

In early April, the US Department of Homeland Security (DHS) delivered a blistering report excoriating Microsoft’s lax security practices, which allowed Chinese spies to hack into the accounts of high-level government officials, including Commerce Secretary Gina Raimondo, Ambassador to China Nicholas Burns, and Rep. Don Bacon (R-NE). (All are in charge of the country’s relationship with China.)

Typically, government investigations like this are staid affairs, ending in pallid reports offering wishy-washy critiques and even weaker recommendations. But this 29-page DHS report pulled no punches. It laced into Microsoft, calling out its security failures and pointing to “the cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed.” Microsoft’s security infrastructure is so weak, the DHS said, that the company failed “to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed.”

It added that Microsoft had purposely issued misleading statements about the attack, with the company claiming last fall it had found the root cause of the intrusion, when even today it still doesn’t know how it happened.

The report concluded the company’s security is “inadequate and requires an overhaul.”

There’s a long history of foreign governments targeting Microsoft security holes to hack top government officials and private companies. (In January, for example, I wrote about a breach in which Russians hacked into the corporate accounts of Microsoft’s top executive team and staff and stole email and documents.)

Nothing seems to have changed since then, and it’s not clear whether the company’s security practices will change. To get a better sense of what the company might (or might not) do, let’s look at the Chinese hack.

What Microsoft did wrong

The DHS Cyber Safety Review Board’s report lays out the Chinese hack and Microsoft’s response in exquisite detail, revealing what the Washington Post calls Microsoft’s “shoddy cybersecurity practices, lax corporate culture and a deliberate lack of transparency.”

The attack was engineered by the Storm-0558 hacking group — doing the bidding of China’s most powerful spy service, the Ministry of State Security. Storm-0558 has a history of carrying out espionage-related hacks of government agencies and private companies dating back to 2000. Until now, the best-known one was Operation Aurora, brought to light by Google in 2010. The Council on Foreign Relations called that attack “a milestone in the recent history of cyber operations because it raised the profile of cyber operations as a tool for industrial espionage.”

According to the DHS report, the most recent hack took place after Storm-0558 got its hands on a “Microsoft Services Account (MSA) cryptographic key that Microsoft had issued in 2016.” Using the key, Storm-0558 forged user credentials and used them to log into government accounts and steal emails of Raimondo, Burns, Bacon, and others.

There are other unsolved mysteries. The key should only have been able to create credentials for the consumer version of Outlook Web Access (OWA), yet Storm-0558 used it to create credentials for Enterprise Exchange Online, which the government uses. Microsoft can’t explain how that can be done.

There’s worse. That 2016 key should have been retired in 2021, but Microsoft never did so because the company had problems with making its consumer keys more secure. So the key, and presumably many others like it, remained as powerful as ever. And Storm-0558 did its dirty work with it.

This series of events — a key that should have been retired was allowed to stay active, the theft of that key by Storm-0558, and then Storm-0558’s ability to use it to forge credentials and gain access to enterprise email accounts used by top government officials, even though the key shouldn’t have allowed them to do so — represents the “cascade of errors” the DHS said Microsoft committed.

Making it all worse was the claim by Microsoft that it knew how the hack had been done, which was untrue. 
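The cascade the column describes, as an added illustration that is not part of the column and not Microsoft's code: a constructed token verifier that applies two of the controls whose absence the report faults, a hard stop on any key past its retirement date and a check that the signing key is scoped to the service being accessed (so a consumer-only key cannot validate an enterprise mail credential). Key ids, secrets, audiences and dates are all constructed.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SigningKey:
    kid: str                      # key id carried in the token header
    secret: bytes                 # HMAC secret (constructed, not a real key)
    allowed_audiences: frozenset  # services this key may mint credentials for
    retire_after: date            # last day on which the key may validate anything


class TokenRejected(Exception):
    def __init__(self, reason: str):
        super().__init__(reason)
        self.reason = reason


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(key: SigningKey, claims: dict) -> str:
    """Mint a compact header.payload.signature token (JWT-like, HMAC-SHA256)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": key.kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(key.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_token(token: str, keyring: dict, expected_audience: str, today: date) -> dict:
    """Return the claims when every check passes; raise TokenRejected otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
    except (ValueError, json.JSONDecodeError):
        raise TokenRejected("malformed")
    key = keyring.get(header.get("kid"))
    if key is None:
        raise TokenRejected("unknown-kid")
    # Control 1: a key past its retirement date validates nothing, whatever it signed.
    if today > key.retire_after:
        raise TokenRejected("key-retired")
    expected = hmac.new(key.secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise TokenRejected("bad-signature")
    claims = json.loads(_unb64(payload_b64))
    # Control 2: the key must be scoped to the service being accessed, and the
    # token's audience claim must name that same service.
    if expected_audience not in key.allowed_audiences:
        raise TokenRejected("key-out-of-scope")
    if claims.get("aud") != expected_audience:
        raise TokenRejected("audience-mismatch")
    return claims


def rejection_reason(token: str, keyring: dict, expected_audience: str, today_iso: str):
    """Convenience wrapper: None when the token is accepted, else the rejection reason."""
    try:
        verify_token(token, keyring, expected_audience, date.fromisoformat(today_iso))
        return None
    except TokenRejected as exc:
        return exc.reason


# Constructed keyring: a 2016 consumer-only key that should have been retired in 2021,
# and a current key scoped only to enterprise mail. Names and dates are illustrative.
CONSUMER_KEY_2016 = SigningKey("msa-2016", b"constructed-secret-2016",
                               frozenset({"consumer-owa"}), date(2021, 1, 1))
ENTERPRISE_KEY_2024 = SigningKey("ent-2024", b"constructed-secret-2024",
                                 frozenset({"enterprise-exchange"}), date(2025, 12, 31))
KEYRING = {k.kid: k for k in (CONSUMER_KEY_2016, ENTERPRISE_KEY_2024)}

# A credential for enterprise mail minted with the stale consumer key, a legitimate one
# minted with the enterprise key, and the legitimate one with its claims altered after signing.
STALE_KEY_TOKEN = sign_token(CONSUMER_KEY_2016, {"sub": "official@example.gov", "aud": "enterprise-exchange"})
LEGIT_TOKEN = sign_token(ENTERPRISE_KEY_2024, {"sub": "official@example.gov", "aud": "enterprise-exchange"})
_h, _p, _s = LEGIT_TOKEN.split(".")
ALTERED_TOKEN = f"{_h}.{_b64(json.dumps({'sub': 'someone-else', 'aud': 'enterprise-exchange'}).encode())}.{_s}"

if __name__ == "__main__":
    # The retirement check fires first on the stale key...
    print(rejection_reason(STALE_KEY_TOKEN, KEYRING, "enterprise-exchange", "2023-06-01"))  # key-retired
    # ...and even before its retirement date, scope enforcement would have stopped it.
    print(rejection_reason(STALE_KEY_TOKEN, KEYRING, "enterprise-exchange", "2020-06-01"))  # key-out-of-scope
    print(rejection_reason(ALTERED_TOKEN, KEYRING, "enterprise-exchange", "2023-06-01"))    # bad-signature
    print(rejection_reason(LEGIT_TOKEN, KEYRING, "enterprise-exchange", "2023-06-01"))      # None
```

Either control alone blocks the credential the column describes; a verifier that enforces only signature validity accepts it.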

Will Microsoft really change its security culture?

Microsoft has been criticized for years for these kinds of attacks, and yet they continue. Will this time around be different?

Microsoft’s public response sounds as if it’s going to be business as usual. The company didn’t even take direct responsibility for the hacks. It told the Washington Post, “recent events have demonstrated a need to adopt a new culture of engineering security in our own networks. While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks.”

That’s about as mealy-mouthed a statement as you can make. And it’s especially mealy-mouthed because this hack required no feats of legendary hacking — just the use of an old encryption key that should have been deleted years ago. If Microsoft had followed basic security practices and taken that one simple step, none of this would have happened.

More disturbing is that the Russian hack of Microsoft officials in January was caused by a similar oversight: Microsoft forgot to delete an old test account, and hackers used basic techniques to break into it. Once they did that, they used the account’s permissions to steal emails and documents from Microsoft’s senior management and people who worked on its cybersecurity and legal teams, among other functions.

The Biden administration released a new National Cybersecurity Strategy more than a year ago. A fact sheet that went along with it warns, “Poor software security greatly increases systemic risk across the digital ecosystem and leave American citizens bearing the ultimate cost. We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software.” 

In the Russian and Chinese hacks, by no stretch of the imagination can you say Microsoft has taken “reasonable precautions” when it comes to cybersecurity — very much the opposite. But Congress has yet to take action against the company, for example, by taking away some of the many billions of dollars a year the government pays the company for software, the cloud, and other services.

There’s no way to know whether this time Microsoft will clean up its cybersecurity oversight. But if it doesn’t, the company isn’t the only one to blame. The federal government will share the fault as well, because so far it hasn’t even bothered to slap the company on the wrist.

Email Security, Government IT, Industry, Microsoft, Security
Category: Hacking & Security

Attackers Using Obfuscation Tools to Deliver Multi-Stage Malware via Invoice Phishing

The Hacker News - 9 April 2024 - 09:24
Cybersecurity researchers have discovered an intricate multi-stage attack that leverages invoice-themed phishing decoys to deliver a wide range of malware such as Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a stealer that targets crypto wallets. The email messages come with Scalable Vector Graphics (SVG) file attachments that, when clicked, activate the infection sequence, Fortinet
Category: Hacking & Security

Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks

The Hacker News - 9 April 2024 - 07:46
Threat actors are actively scanning and exploiting a pair of security flaws that are said to affect as many as 92,000 internet-exposed D-Link network-attached storage (NAS) devices. Tracked as CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3), the vulnerabilities impact legacy D-Link products that have reached end-of-life (EoL) status. D-Link, in
Category: Hacking & Security

Embracing the Cloud: Revolutionizing Privileged Access Management with One Identity Cloud PAM Essentials

The Hacker News - 9 April 2024 - 07:30
As cyber threats loom around every corner and privileged accounts become prime targets, the significance of implementing a robust Privileged Access Management (PAM) solution can't be overstated. With organizations increasingly migrating to cloud environments, the PAM Solution Market is experiencing a transformative shift toward cloud-based offerings. One Identity PAM Essentials stands
Category: Hacking & Security

About the Best Places to Work in IT

Computerworld.com [Hacking News] - 8 April 2024 - 23:26

Great news: Nominations are now open for Computerworld’s 2025 Best Places to Work in IT list. Nominate your organization today!

About the Best Places to Work in IT program

Computerworld conducts an annual survey to identify the best places to work for IT professionals. We invite readers, PR professionals and other interested parties to nominate companies they consider great employers for IT workers. You may nominate your own company. We then ask those nominated companies that meet our basic criteria to participate in our survey.

Once again, we are excited to extend this program, which has a 31-year history in the United States, to companies worldwide.

The employers in the Best Places list are evaluated by company size: Large companies have 5,000 or more employees; midsize have between 1,001 and 4,999 employees; and small companies employ from 100 to 1,000.

For a list of the 2024 honorees and more, please see our Best Places to Work in IT 2024 special report.

To be eligible, companies must have a minimum of 5 IT employees and a minimum of 100 total employees. We consider IT employees to be those IT workers who provide technology support and services to their own company — or to multiple companies through their work at an IT service provider. Workers who would *not* be included are administrative support staff for the IT department, staff who work in communications or PR for the technology department, IT contractors, or those staff whose primary role is in product development for outside sales.

Best Places to Work in IT is a global program. We ask that companies submit no more than one survey within any one country. If your company operates in multiple countries and you would like to submit a survey for your location only, please note this in the company name field (e.g., “Foundry North America” or “Foundry Germany”). If no location is specified in the company name, we will assume that the entry represents all locations worldwide.

In most cases, we prefer to have the parent company, rather than subsidiaries or affiliates, apply for the Best Places to Work in IT list. However, a subsidiary or affiliate may be eligible, providing that it stands out as a separate entity from the parent company, with separate business functions, IT leadership and so on. A subsidiary may also be eligible to apply separately if its parent company is a holding company. In those cases, the parent company and subsidiary may be able to apply separately. We encourage companies to complete the nomination form or contact us at [email protected], and our Best Places research team will evaluate the submissions on a case-by-case basis.

Questions about the Best Places to Work in IT program can be emailed to [email protected].

Frequently asked questions

Survey requirements and eligibility

Does my company have to be nominated to complete the survey?

No. Companies may participate even if they were not nominated. In lieu of a nomination, please send an email to [email protected] with the name and contact information (including email address) of the individual who should receive the company survey and other information; we’ll take care of the rest.

Does the Best Places to Work in IT list include public companies only?

No. The survey includes private as well as public companies.

What criteria must my company meet to participate?

To be considered for our Best Places to Work in IT list:

  • Companies must have a minimum of 5 IT employees.
  • Companies must have a minimum of 100 total employees worldwide.
  • In most cases, we prefer to have the parent company, rather than subsidiaries or affiliates, apply for the Best Places to Work in IT list. However, a subsidiary or affiliate may be eligible, providing that it stands out as a separate entity from the parent company, with separate business functions, IT leadership and so on. A subsidiary may also be eligible to apply separately if its parent company is a holding company. In those cases, the parent company and subsidiary may be able to apply separately. We encourage companies to complete the nomination form or contact us at [email protected], and our Best Places research team will evaluate the submissions on a case-by-case basis.

Who should complete the survey?

An individual familiar with employment statistics, benefits, policies and programs of your IT department and your company should complete the survey. This could be a human resources representative, a CIO or corporate PR representative — or a team of all the above.

Survey contents and procedures

What does the company survey ask?

Our online survey includes questions about companies’ benefits, training and development, IT salary changes, percent of IT employees promoted, IT turnover rates, and the percentage of women employees in management in IT departments. In addition, we will collect information about diversity, equity and inclusion (DEI) programs, remote/hybrid working, and company growth.

Which employees are considered “IT workers” in this survey?

Answers to the survey should be based on those IT workers who provide technology support and services to their own company — or to multiple companies through their work at an IT service provider. Workers who wouldn’t be included are administrative support staff for the IT department, staff who work in communications or PR for the technology department, IT contractors, or those staff whose primary role is in product development for outside sales.

What happens if I leave a question blank on the survey?

You can’t leave a question blank if it is required. Many of the questions on the survey are required; the survey can’t be processed if they aren’t answered. Please answer to the best of your ability for questions with lists or options included. If any open-ended/text based questions aren’t applicable to your company, please indicate “NA” for “not applicable.” If there is a question you can’t answer fully given the format of the survey, you may briefly explain your answers in an addendum field that follows each survey section.

Companies that withhold information used to rank the finalists will have points deducted from their ranking. Answers that are left blank or have unexplained N/As will be assumed to be 0 (zero).

Companies must provide answers to questions related to data we run in our feature story and graphics in order to be considered. Please see below for the types of required information that are typically shared publicly.

Can I save my survey and come back to it at a later date?

Yes. You will be able to save your partially completed survey and can save a partially completed survey as many times as necessary. Please save your unique URL to re-enter the survey. When you return to the survey, you will be able to review/modify questions that you have already answered. However, we will continue to provide a printer-friendly version of the survey, and we recommend that you complete this survey, then enter your answers online.

How should I send my company’s information to Computerworld?

We accept company information from the online survey only. Please enter all data as accurately as possible. Provide company name, location, web address and other information, as you would like it to appear in print.

Can I get a copy of the survey to review before I go to the online survey and submit my company’s information?

Yes. A printer-friendly version of the 2025 Best Places company survey can be downloaded for reference. We encourage participants to complete the printer-friendly version offline before filling out the online survey.

Download: 2025 Best Places to Work in IT Company Survey
Printer-friendly copy of the 2025 Best Places to Work in IT company survey.

Will Computerworld provide us with a copy of our submitted survey?

Upon request, Computerworld will email you a PDF of your company’s survey responses.

Is there an employee portion to the survey?

There is no longer an employee survey portion to the survey. Computerworld decided to make this change in the 2023 program to streamline the process for global participation and to enable companies with smaller IT departments to participate. In lieu of the employee survey portion of the program, Computerworld will be inviting a panel of judges consisting of industry experts to evaluate entries and confirm this year’s honorees.

List publication and notification

When will the list of honorees be published?

The Best Places to Work in IT honorees will be announced in December 2024 on Computerworld.com.

When can I find out if my company is on the list?

Computerworld will notify companies that will be honored as a 2025 Best Place to Work in IT several weeks in advance of publication. Computerworld’s marketing group contacts honorees to offer assistance with press releases.

Is there a timeline to which I can refer for survey action items?

Below is the 2025 Best Places to Work in IT timeline.

Week of April 8, 2024

Nominations open for the 2025 Best Places to Work in IT. Nominated companies receive an email with a unique link to the Best Places company survey from Computerworld by the second week of April. Thereafter, company surveys will be sent on a rolling basis.

Monday, July 1, 2024

DEADLINE: Completed Best Places company survey is due to Computerworld.

November 2024

Best Places to Work in IT honorees are notified of their status.

December 2024

List of Best Places to Work in IT honorees is available online.

What information will be shared publicly?

Computerworld tries to avoid printing information that a company may consider competitive. The following information may appear publicly:

  • Company name
  • Location
  • Industry
  • Website
  • Total number of employees
  • Total number of IT employees
  • Percentage of IT employee turnover
  • Percentage of IT employee promotions
  • Number of training days offered per IT employee
  • Information from a 300-word essay outlining what’s special about your company and IT department

Please note that revenue, overall IT budget and other sensitive information will not be reported. Such information will be used only in aggregate format or for ranking purposes.

What if I have a question that was not answered in this FAQ?

Please email your questions to the following address: [email protected].

In the subject line, please include your company name and describe the nature of your inquiry as specifically as possible.

Careers, IT Leadership
Category: Hacking & Security

How we built the new Find My Device network with user security and privacy in mind

Google Security Blog - 8 April, 2024 - 18:00
Posted by Dave Kleidermacher, VP Engineering, Android Security and Privacy

Keeping people safe and their data secure and private is a top priority for Android. That is why we took our time when designing the new Find My Device, which uses a crowdsourced device-locating network to help you find your lost or misplaced devices and belongings quickly – even when they’re offline. We gave careful consideration to the potential user security and privacy challenges that come with device finding services.

During development, it was important for us to ensure the new Find My Device was secure by default and private by design. To build a private, crowdsourced device-locating network, we first conducted user research and gathered feedback from privacy and advocacy groups. Next, we developed multi-layered protections across three main areas: data safeguards, safety-first protections, and user controls. This approach provides defense-in-depth for Find My Device users.

How location crowdsourcing works on the Find My Device network

The Find My Device network locates devices by harnessing the Bluetooth proximity of surrounding Android devices. Imagine you drop your keys at a cafe. The keys themselves have no location capabilities, but they may have a Bluetooth tag attached. Nearby Android devices participating in the Find My Device network report the location of the Bluetooth tag. When the owner realizes they have lost their keys and logs into the Find My Device mobile app, they will be able to see the aggregated location contributed by nearby Android devices and locate their keys.

Find My Device network protections


Let’s dive into key details of the multi-layered protections for the Find My Device network:

  • Data Safeguards: We’ve implemented protections that help ensure the privacy of everyone participating in the network and the crowdsourced location data that powers it.
    • Location data is end-to-end encrypted. When Android devices participating in the network report the location of a Bluetooth tag, the location is end-to-end encrypted using a key that is only accessible to the Bluetooth tag owner and anyone the owner has shared the tag with in the Find My Device app. Only the Bluetooth tag owner (and those they’ve chosen to share access with) can decrypt and view the tag’s location. With end-to-end encrypted location data, Google cannot decrypt, see, or otherwise use the location data.
    • Private, crowdsourced location reports. These end-to-end encrypted locations are contributed to the Find My Device network in a manner that does not allow Google to identify the owners of the nearby Android devices that provided the location data. And when the Find My Device network shows the location and timestamp to the Bluetooth tag’s owner to help them find their belongings, no other information about the nearby Android devices that contributed the data is included.
    • Minimizing network data. End-to-end encrypted location data is minimally buffered and frequently overwritten. In addition, if the network can help find a Bluetooth tag using the owner’s nearby devices (e.g., if their own phone detects the tag), the network will discard crowdsourced reports for the tag.
  • Safety-first Protections: The Find My Device network protects against risks such as use of an unknown Bluetooth tag to stalk or identify another user, including:
    • Aggregation by default. This is a first-of-its-kind safety protection that makes unwanted tracking to a private location, like your home, more difficult. By default, the Find My Device network requires multiple nearby Android devices to detect a tag before reporting its location to the tag's owner. Our research found that the Find My Device network is most valuable in public settings like cafes and airports, where there are likely many devices nearby. By implementing aggregation before showing a tag’s location to its owner, the network can take advantage of its biggest strength – over a billion Android devices that can participate. This helps tag owners find their lost devices in these busier locations while prioritizing safety from unwanted tracking near private locations. In less busy areas, last known location and Nest finding are reliable ways to locate items.
    • At home protection. If a user has chosen to save their home address in their Google Account, their Android device will also ensure that it does not contribute crowdsourced location reports to the Find My Device network when it is near the user’s home. This provides additional protection on top of aggregation by default against unwanted tracking near private locations.
    • Rate limiting and throttling. The Find My Device network limits the number of times that a nearby Android device can contribute a location report for a particular Bluetooth tag. The network also throttles how frequently the owner of a Bluetooth tag can request an updated location for the tag. We've found that lost items are typically left behind in stationary spots. For example, you lose your keys at the cafe, and they stay at the table where you had your morning coffee. Meanwhile, a malicious user is often trying to engage in real-time tracking of a person. By applying rate limiting and throttling to reduce how often the location of a device is updated, the network continues to be helpful for finding items, like your lost checked baggage on a trip, while helping mitigate the risk of real-time tracking.
    • Unknown tracker alerts. The Find My Device network is also compliant with the integration version of the joint industry standard for unwanted tracking. Being compliant with the integration version of the standard means that both Android and iOS users will receive unknown tracker alerts if the on-device algorithm detects that someone may be using a Find My Device network-compatible tag to track them without their knowledge, proactively alerting the user through a notification on their phone.
  • User Controls: Android users always have full control over which of their devices participate in the Find My Device network and how those devices participate. Users can either stick with the default and contribute to aggregated location reporting, opt into contributing non-aggregated locations, or turn the network off altogether. Find My Device also provides the ability to secure or erase data from a lost device.
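To make the interplay of aggregation by default, at-home protection, rate limiting and data minimization concrete, here is an added toy simulation of the reporting policy (not Google's code; the three-device threshold, the 500 m home radius and the one-report-per-device cap are assumptions, since the post gives no numbers):

```python
"""Toy model of the Find My Device network report policy described above.
All thresholds and identifiers are assumptions for illustration only."""
from collections import defaultdict
from dataclasses import dataclass

AGGREGATION_MIN = 3          # assumed: the post says "multiple" devices, not a number
HOME_RADIUS_KM = 0.5         # assumed radius for the at-home suppression
MAX_REPORTS_PER_DEVICE = 1   # assumed per-tag cap used for rate limiting
KM_PER_DEGREE = 111.0        # rough flat-earth conversion, adequate for a toy

@dataclass(frozen=True)
class Report:
    tag_id: str
    reporter_id: str   # used only for rate limiting; never shown to the tag owner
    lat: float
    lon: float

def distance_km(lat1, lon1, lat2, lon2):
    return (((lat1 - lat2) ** 2 + (lon1 - lon2) ** 2) ** 0.5) * KM_PER_DEGREE

class FindMyDeviceNetwork:
    def __init__(self, homes):
        self.homes = homes                  # reporter_id -> (lat, lon), opt-in only
        self.buffer = defaultdict(list)     # tag_id -> pending crowdsourced reports
        self.sent = defaultdict(int)        # (tag_id, reporter_id) -> reports sent

    def contribute(self, r: Report) -> bool:
        """Reporter-side policy: drop sightings near the reporter's own home and
        enforce the per-device, per-tag rate limit. Returns True if accepted."""
        home = self.homes.get(r.reporter_id)
        if home and distance_km(r.lat, r.lon, *home) < HOME_RADIUS_KM:
            return False
        key = (r.tag_id, r.reporter_id)
        if self.sent[key] >= MAX_REPORTS_PER_DEVICE:
            return False
        self.sent[key] += 1
        self.buffer[r.tag_id].append(r)
        return True

    def locate(self, tag_id, owner_sighting=None):
        """Owner-side view: an owner's own sighting discards the crowdsourced
        buffer; otherwise a location is released only once enough distinct
        devices reported the tag, and only the aggregate position is returned."""
        if owner_sighting is not None:
            self.buffer.pop(tag_id, None)
            return {"lat": owner_sighting[0], "lon": owner_sighting[1]}
        reports = self.buffer.get(tag_id, [])
        if len({r.reporter_id for r in reports}) < AGGREGATION_MIN:
            return None
        n = len(reports)
        return {"lat": sum(r.lat for r in reports) / n,
                "lon": sum(r.lon for r in reports) / n}
```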

In addition to careful security architectural design, the new Find My Device network has undergone internal Android red team testing. The Find My Device network has also been added to the Android security vulnerability rewards program to take advantage of Android’s global ecosystem of security researchers. We’re also engaging with select researchers through our private grant program to encourage more targeted research.

Prioritizing user safety on Find My Device

Together, these multi-layered user protections help mitigate potential risks to user privacy and safety while allowing users to effectively locate and recover lost devices.

As bad actors continue to look for new ways to exploit users, our work to help keep users safe on Android is never over. We have an unwavering commitment to continue to improve user protections on Find My Device and prioritize user safety.


For more information about Find My Device on Android, please visit our help center. You can read the Find My Device Network Accessory specification here.

Category: Hacking & Security

Google Chrome Adds V8 Sandbox - A New Defense Against Browser Attacks

The Hacker News - 8 April, 2024 - 15:51
Google has announced support for what's called a V8 Sandbox in the Chrome web browser in an effort to address memory corruption issues. The sandbox, according to V8 security technical lead Samuel Groß, aims to prevent "memory corruption in V8 from spreading within the host process." The search behemoth has described V8 Sandbox as a lightweight, in-process sandbox
Category: Hacking & Security

CoCo VMs Will Now Panic If RdRand Is Broken in Linux 6.9

LinuxSecurity.com - 8 April, 2024 - 14:33
A significant change has been merged into the x86 fixes for Linux 6.9, requiring the seeding of the RNG (random number generator) with RdRand for CoCo (Confidential Computing) environments. The change focuses on CoCo virtual machines, which are designed to be as isolated as possible and assume the VM host is untrusted. RdRand, a hardware random number generator instruction, is critical for supplying entropy to guest VMs. Security expert and WireGuard developer Jason Donenfeld authored this change.
Category: Hacking & Security