Google Illegally Spied On Workers Before Firing Them, US Labor Board Alleges - Slashdot, by BeauHD on google at January 1, 1970, 1:00 am (cached at December 2, 2020, 11:55 pm)

An anonymous reader quotes a report from The Verge: Google violated US labor laws by spying on workers who were organizing employee protests, then firing two of them, according to a complaint to be filed by the National Labor Relations Board (NLRB) today. The complaint names two employees, Laurence Berland and Kathryn Spiers, both of whom were fired by the company in late 2019 in connection with employee activism. Berland was organizing against Google's decision to work with IRI Consultants, a firm widely known for its anti-union efforts, when he was let go for reviewing other employees' calendars. Now, the NLRB has found Google's policy against employees looking at certain coworkers' calendars is unlawful. "Google's hiring of IRI is an unambiguous declaration that management will no longer tolerate worker organizing," Berland said in a statement. "Management and their union busting cronies wanted to send that message, and the NLRB is now sending their own message: worker organizing is protected by law." Spiers was fired after she created a pop-up for Google employees visiting the IRI Consultants website. "Googlers have the right to participate in protected concerted activities," the notification read, according to The Guardian. The company said Spiers had violated security policies, a statement that hurt her reputation in the tech community. Now, the NLRB has found the firing was unlawful. "This week the NLRB issued a complaint on my behalf. They found that I was illegally terminated for trying to help my colleagues," Spiers said. "Colleagues and strangers believe I abused my role because of lies told by Google management while they were retaliating against me. The NLRB can order Google to reinstate me, but it cannot reverse the harm done to my credibility."

Read more of this story at Slashdot.

FBI Warns of Email Forwarding Rules Being Abused in Recent Hacks - Slashdot, by msmash on security at January 1, 1970, 1:00 am (cached at December 2, 2020, 11:38 pm)

The US Federal Bureau of Investigation says that cyber-criminals are increasingly relying on email forwarding rules in order to disguise their presence inside hacked email accounts. From a report: In a PIN (Private Industry Notification) alert sent last week and made public today, the FBI says the technique has been seen and abused in recent BEC (Business Email Compromise) attacks reported over the summer. The hackers' technique relies on a feature found in some email services called "auto-forwarding email rules." As its name implies, the feature allows the owner of an email address to set up "rules" that forward (redirect) an incoming email to another address if a certain criterion is met. Threat actors absolutely love email auto-forwarding rules as they allow them to receive copies of all incoming emails without having to log into an account each day -- and be at risk of triggering a security warning for a suspicious login.

HBO Max is a historic mess - Scripting News (cached at December 2, 2020, 11:25 pm)

I don't know what HBO Max is. I also don't know what HBO Go or HBO Now was. I do remember HBO. I started subscribing in the late 70s, when I was a grad student. It was a miracle. It means what its name said. Home Box Office. First-run movies just after they finished in theaters, no commercials. The really good stuff. Much later they started producing their own shows, but for many years it was just movies. And it was great. Before that TV was so awful, but we didn't know, until HBO showed us how it should really work.

Anyway, for a long time I got HBO with my cable subscription, until earlier this year I decided to cut the cord, and around the same time HBO cut the cord with Roku, the company that makes the operating system that my TV runs on.

So no more HBO for Davey. I missed it. I tried buying in as part of Hulu, but I didn't like that. HBO is its own thing, not something I want mixed in with all of Hulu's stuff. It would be like having to go through a minor cola brand to get a Coke. There's this institution called HBO. It's like the Statue of Liberty or the Eiffel Tower, it's grand and revered, it's not something to be folded in with Hulu, which is great too, but it's just nowhere near the stature of HBO.

Then I saw something somewhere that maybe HBO and Roku are sort of getting it together, and I checked and lo and behold I can subscribe to HBO using the same HBO app that I love, not Go, Now, Pro or Max, just HBO. Maybe they've come to their senses! Okay, no Max but who cares, I never understood what it was anyway (probably because I don't care). Only when I tried to use it on my iPad, it wouldn't accept my login. It said something incomprehensible. I'll let you see if you can decipher it.

So I posted something on Twitter, and they responded, I gave them the info and they did something no company should ever do, they told me to talk to Roku. I get it. A really shitty company bought HBO, and they're remarketing it, and in doing so, taking something that once was grand and superior, above the fray, beyond reproach, the gold standard of quality and turning it into schlock and schmutz. A schmatte. I'm watching slowly a great brand dismantling itself.

HBO can't help you watch HBO. See if Roku cares.

So here's the problem. I have paid them $14.99 for the first month of the subscription, assuming I would be able to watch it on my iPad. I can't. I've been an HBO subscriber for decades. They decided to cut off Roku, leaving users like me to figure it out on our own. And it turns out there is no way to get the experience we used to take for granted.

Great brands like HBO should be protected, cherished, coddled, honored, revered -- loved.

Anyway at least HBO should refund me the $14.99. Probably they should apologize, not just for wasting my time online, but for leaving us without a way to watch HBO the way we've become accustomed to. With interop between our devices.

And they should get rid of the Max stuff. I don't understand what's so max about it. Maybe it would be better to call it HBO Mess.

[no title] - Scripting News (cached at December 2, 2020, 10:49 pm)

If journalism is supposedly how we save democracy then I guess journalism isn't doing a great job. In other words, when you hear that hype, go through it. If I sold you a laundry detergent that gets out stains, you'd be right to ask if it actually gets out stains.

Discovery To Launch Streaming Service in January Starting at $4.99 Per Month - Slashdot, by msmash on media at January 1, 1970, 1:00 am (cached at December 2, 2020, 10:34 pm)

Discovery is the latest media company to jump into the ever more crowded streaming wars. It will launch its streaming service Discovery+ on Jan. 4, 2021. The service will include a $4.99 per month ad-supported tier and a $6.99 per month ad-free tier. From a report: The lower $4.99 tier costs the same as NBCUniversal-owned Peacock's premium tier with ads. The ad-free $6.99 tier is on par with what Disney+ costs. Both offerings are much less expensive than WarnerMedia's HBO Max, which costs $14.99 a month, and Netflix, which raised its standard plan to $13.99 a month in Oct. Discovery is also partnering with Verizon, which will give 55 million customers up to 12 months of the ad-free Discovery+ plan for free, depending on their wireless plan with the carrier.

iPhone Zero-Click Wi-Fi Exploit is One of the Most Breathtaking Hacks Ever - Slashdot, by msmash on security at January 1, 1970, 1:00 am (cached at December 2, 2020, 10:17 pm)

Dan Goodin, writing for ArsTechnica: Earlier this year, Apple patched one of the most breathtaking iPhone vulnerabilities ever: a memory corruption bug in the iOS kernel that gave attackers remote access to the entire device -- over Wi-Fi, with no user interaction required at all. Oh, and exploits were wormable -- meaning radio-proximity exploits could spread from one nearby device to another, once again, with no user interaction needed. This Wi-Fi packet of death exploit was devised by Ian Beer, a researcher at Project Zero, Google's vulnerability research arm. In a 30,000-word post published on Tuesday afternoon, Beer described the vulnerability and the proof-of-concept exploit he spent six months developing single-handedly. Almost immediately, fellow security researchers took notice. "This is a fantastic piece of work," Chris Evans, a semi-retired security researcher and executive and the founder of Project Zero, said in an interview. "It really is pretty serious. The fact you don't have to really interact with your phone for this to be set off on you is really quite scary. This attack is just you're walking along, the phone is in your pocket, and over Wi-Fi someone just worms in with some dodgy Wi-Fi packets." Beer's attack worked by exploiting a buffer overflow bug in a driver for AWDL, an Apple-proprietary mesh networking protocol that makes things like Airdrop work. Because drivers reside in the kernel -- one of the most privileged parts of any operating system -- the AWDL flaw had the potential for serious hacks. And because AWDL parses Wi-Fi packets, exploits can be transmitted over the air, with no indication that anything is amiss.

Malicious npm Packages Caught Installing Remote Access Trojans - Slashdot, by msmash on security at January 1, 1970, 1:00 am (cached at December 2, 2020, 10:16 pm)

The security team behind the "npm" repository for JavaScript libraries removed two npm packages this Monday for containing malicious code that installed a remote access trojan (RAT) on the computers of developers working on JavaScript projects. From a report: The names of the two packages were jdb.js and db-json.js, and both were created by the same author and described themselves as tools to help developers work with JSON files typically generated by database applications. Both packages were uploaded on the npm package registry last week and were downloaded more than 100 times before their malicious behavior was detected by Sonatype, a company that scans package repositories on a regular basis. According to Sonatype's Ax Sharma, the two packages contained a malicious script that executed after web developers imported and installed either of the two malicious libraries. The post-install script performed basic reconnaissance of the infected host and then attempted to download and run a file named patch.exe that later installed njRAT, also known as Bladabindi, a very popular remote access trojan that has been used in espionage and data theft operations since 2015.

Climate change: PM aims for world-leading UK emissions cuts - BBC News | Science/Nature | UK Edition (cached at December 2, 2020, 9:45 pm)

Boris Johnson is set to unveil plans for world-leading UK emissions cuts - but are they enough?

Uber in Talks To Sell Air Taxi Business To Joby - Slashdot, by msmash on transportation at January 1, 1970, 1:00 am (cached at December 2, 2020, 8:42 pm)

Uber is in advanced talks to sell its Uber Elevate unit to Joby Aviation, Axios reported Wednesday, citing multiple sources. A deal could be announced later this month. From the report: Uber Elevate was formed to develop a network of self-driving air taxis, but to date has been most notable for its annual conference devoted to the nascent industry. The sale comes as Uber CEO Dara Khosrowshahi works to attain profitability, and follows partial sales of Uber's money-losing freight and self-driving units. Axios had previously reported that Uber was seeking a buyer. Elevate had a helicopter service running in New York City, but suspended those operations during the pandemic. At last check, the unit had around 80 employees.

ACLU Sues DHS Over Purchase of Cellphone Location Data Used To Track Immigrants - Slashdot, by msmash on usa at January 1, 1970, 1:00 am (cached at December 2, 2020, 8:00 pm)

The American Civil Liberties Union is suing federal authorities over their alleged use of cellphone location data -- particularly in immigration enforcement. From a report: The nonprofit organization today filed a lawsuit against the Department of Homeland Security, U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement to force the agencies to release records about purchasing cellphone location data for immigration enforcement and other purposes. The lawsuit follows multiple news reports earlier this year about the Trump administration buying access to commercial databases that track cellphone locations and then using that data to detect people who might be entering the country illegally. "It's critical we uncover how federal agencies are accessing bulk databases of Americans' location data and why," Nathan Freed Wessler, senior staff attorney with the ACLU's Speech, Privacy, and Technology Project, said in a statement. "There can be no accountability without transparency." Senate Democrats, such as privacy advocate Sen. Ron Wyden (D-Ore.), had written a letter to DHS asking for more information on how such data was being used. On Wednesday morning, they disclosed that the department's inspector general would take up the matter.

Spotify Says It's Dominating the Podcasting Market Because of a Million-Plus Tiny Po - Slashdot, by msmash on music at January 1, 1970, 1:00 am (cached at December 2, 2020, 7:27 pm)

Spotify's $100 million-plus Anchor acquisition is seemingly paying off. From a report: In data released today as part of its annual Wrapped look-back on the year, the company says Anchor, which makes podcast creation software, powered 80 percent of new podcasts on Spotify this year, meaning the software contributed more than 1 million shows to Spotify's catalog in 2020 alone. Overall, Anchor powers 70 percent of Spotify's total podcast catalog, or around 1.3 million out of over 1.9 million shows. People also seem to be listening to that content. Spotify says Anchor shows account for more consumption, in terms of time spent listening, than any other third-party podcast hosting or distribution provider on its platform. (Not counting shows owned or operated by Spotify.) This sounds surprising, at least to me, especially given that big networks like NPR, The New York Times, and Wondery all put their shows on Spotify. But Mike Mignano, head of podcast mission at Spotify, says the data point speaks to the large global podcasting ecosystem that people might not know exists. With more than a million Anchor shows on the platform, listening time adds up fast, even if some shows only have a small group of dedicated fans.