An anonymous reader quotes a report from Ars Technica: After 20 years, it's now possible for solo players to finish storylines in the massively multiplayer online role-playing game World of Warcraft that previously required a group to do an intensive raid. That's thanks to "Story Mode," a new raid difficulty that was added for the final wing of the first raid of the recently released The War Within expansion. Over the years, developer Blizzard has expanded the difficulty options for raids to meet various players and communities where they are in terms of play styles. The top difficulty is Mythic, where the semi-pro hardcore guilds compete. Below that is Heroic, where serious, capital-G gamers coordinate with friends in weekly raid schedules to progress. Then there's Normal, which still requires some coordination but isn't nearly as challenging and can typically be completed within a few tries by a pick-up group. The most accessible difficulty is Raid Finder, where you're matched with random players automatically to complete a vastly easier version of a raid. Now Story Mode has been added to the mix, and it's even easier than Raid Finder. In Story Mode, you fight only the raid's final boss, which has been scaled back in stats and complexity so that it's beatable for a single player or a very small group of friends. Challenging encounter mechanics have been removed, and the whole fight has been retooled to focus exclusively on the narrative aspects. There are some rewards, but they're not the same as those on more difficult raids; the goal was to avoid cheapening the experience for those who do want to go all the way. So far, Story Mode is available exclusively for the newest raid, which is called Nerub-ar Palace. It hasn't been made available for other encounters yet, but Blizzard has hinted that this could be the long-term goal.

Read more of this story at Slashdot.

Amazon is joining the Motion Picture Association as its seventh member, alongside Paramount Pictures, Sony Pictures, Universal Studios, The Walt Disney Studios, Warner Bros. Discovery and Netflix. Engadget reports: Amazon was already involved with the MPA, having worked with its Alliance for Creativity and Entertainment, an anti-piracy coalition, as a governing board member since 2017. MGM (which Amazon bought in 2022) was previously an MPA member from 1928 until 2005. Amazon's involvement with the MPA speaks to the foothold that the company has in entertainment. The fact that Amazon and Netflix are both members also highlights the major influence of streaming over the industry at large. "The MPA is the global voice for a growing and evolving industry, and welcoming Prime Video & Amazon MGM Studios to our ranks will broaden our collective policymaking and content protection efforts on behalf of our most innovative and creative companies," Charles Rivkin, MPA chairman and CEO, said in a statement. "MPA studios fuel local economies, drive job creation, enrich cultures and bolster communities everywhere they work. With Prime Video & Amazon MGM Studios among our roster of extraordinary members, the MPA will have an even larger voice for the world's greatest storytellers."

Read more of this story at Slashdot.

A small asteroid, 2024 PT5, will temporarily become a mini-moon for Earth, orbiting in a horseshoe shape from September 29 to November 25, 2024. CBS News reports: Researchers at the Asteroid Terrestrial-impact Last Alert System, an asteroid monitoring system funded by NASA, spotted the asteroid using an instrument in Sutherland, South Africa and labeled it 2024 PT5. Scientists from the Universidad Complutense de Madrid have tracked the asteroid's orbit for 21 days and determined its future path. 2024 PT5 is from the Arjuna asteroid belt, which orbits the sun, according to their study published in Research Notes of the AAs. But Earth's gravitational pull will draw 2024 PT5 towards it and, much like our moon, it will orbit our planet -- but only for 56.6 days. 2024 PT5, which is larger than some of the other mini-moons, will also return to Earth's orbit -- in 2055. [...] The study's lead author Carlos de la Fuente Marcos told Space.com the mini-moon will be too small to see with amateur telescopes or binoculars but professional astronomers with stronger tools will be able to spot it.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Bloomberg: Walmart customers will soon have the option to pay directly from their bank accounts with instant transfers for online purchases. The enhanced feature is a flash point in the escalating tensions between merchants and the card networks setting the fees for payment processing. The world's largest retailer has offered pay-by-bank through Walmart Pay since earlier this year. Until now, the transactions were akin to digital checks and took roughly three days to finalize when being processed through The Automated Clearing House, the same network often used for bill payments or paycheck deposits. Soon, customers opting for pay-by-bank transactions will see the purchase reflected in their bank account balance instantly -- and Walmart will receive the funds immediately. [...] Walmart's upgraded pay-by-bank offering will be rolled out in 2025. The transactions will occur over bank technology provider Fiserv's NOW Network, which integrates with The Clearing House's Real Time Payments network and the Federal Reserve's FedNow. Until now, large retailers hesitated to launch real time payment options because many banks were not connected to an instant settlement system, meaning their customers would not be able to use the product. NOW Network aims to connect to as many banks as possible to reach 100% of deposit accounts by combining its own network with RTP and FedNow. The instant pay-by-bank product will be available for online checkout on Walmart.com. The Bentonville, Arkansas-based retailer already has customers set up a profile when they shop online. If they opt to add pay-by-bank as a payment option on their profile, they will enter their bank login credentials to connect their account. Fiserv's AllData platform connects with their bank clients and vendors including Plaid, MX, Akoya and Finicity to link and authenticate consumer accounts. With this instant pay-by-bank product, consumers will avoid stacked pending transactions, which can open them up to the risk of overdraft or non-sufficient fund fees from their bank. "When the transaction processes as a real time payment, customers get immediate access to see that payment come through, I see it hit my account and I can properly budget," said Jamie Henry, vice president of emerging payments at Walmart. "It's not as if I've got this phantom payment out there that's going to take place a couple days down the road."

Read more of this story at Slashdot.

Longtime Slashdot reader SonicSpike shares a report from Politico: The creator of a video that used artificial intelligence to imitate Kamala Harris is suing the state of California after Gov. Gavin Newsom signed laws restricting the use of digitally altered political "deepfakes," alleging First and 14th Amendment violations. Christopher Kohls, who goes by the name "Mr Reagan" on X, has been at the center of a debate over the use of AI-generated material in elections since he posted the video in July, calling it a parody of a Harris campaign ad. It features AI-generated clips mimicking Harris' voice and saying she's the "ultimate diversity hire." The video was shared by X owner Elon Musk without calling it parody and attracted the ire of Newsom, who vowed to ban such content. The suit (PDF), filed Tuesday in federal court, seeks permanent injunctions against the laws. One of the laws in question, the Defending Democracy from Deepfake Deception Act, specifies that it does not apply to satire or parody content. It requires large online platforms to remove or label deceptive, digitally altered media during certain periods before or after an election. Newsom spokesperson Izzy Gardon said in a statement that Kohls had already labeled the post as a parody on X. "Requiring them to use the word 'parody' on the actual video avoids further misleading the public as the video is shared across the platform," Gardon said. "It's unclear why this conservative activist is suing California. This new disclosure law for election misinformation isn't any more onerous than laws already passed in other states, including Alabama."

Read more of this story at Slashdot.

Disney plans to transition away from using Slack as its companywide collaboration tool after a hacking group leaked over a terabyte of data from the platform. Many teams at Disney have already begun moving to other enterprise-wide tools, with the full transition expected later this year. Reuters reports: Hacking group NullBulge had published data from thousands of Slack channels at the entertainment giant, including computer code and details about unreleased projects, the Journal reported in July. The data spans more than 44 million messages from Disney's Slack workplace communications tool, WSJ reported earlier this month. The company had said in August it was investigating an unauthorized release of over a terabyte of data from one of its communication systems.

Read more of this story at Slashdot.

Residents of California can now store their driver's license or state ID in Apple or Google Wallet, according to an announcement today. Apple also shared the news. TechCrunch reports: Californians with an ID in the Apple Wallet or Google Wallet app can use their mobile devices to present their ID in person at select TSA security checkpoints and businesses. They can also use the app to verify their age or identity in select apps. Other states that already support digital driver's licenses and state IDs include Arizona, Colorado, Georgia, Maryland, and Ohio.

Read more of this story at Slashdot.

Microsoft has launched a new Windows app that serves as a hub for streaming Windows environments from services like Windows 365 and Azure Virtual Desktop. However, it's limited to Microsoft work and school accounts with "no signs that Microsoft plans to support consumer accounts," notes The Verge's Tom Warren. From the report: This new unified app has been in testing for nearly a year, and includes a customizable home screen, multi-monitor support, and USB redirection so you can use local devices like webcams, storage devices, and printers as if they were plugged directly into a cloud PC. This Windows app is limited to Microsoft work and school accounts, as it's primarily designed for existing users of Remote Desktop clients for Windows and other operating systems to move to. Microsoft has had similar apps for connecting to PCs remotely in Windows for decades, including the Remote Desktop Connection app that still ships as part of Windows 11. These apps, including the new Windows one, are useful for connecting to work PCs from a personal laptop or PC. The Windows app is available from the Microsoft Store and Apple App Store. An Android version enters public preview mode today.

Read more of this story at Slashdot.

An anonymous reader quotes a report from The Register: Germany's Federal Office for Information Security (BSI) says one in ten organizations in the country affected by CrowdStrike's outage in July are dropping their current vendor's products. Four percent of organizations have already abandoned their existing solutions, while a further 6 percent plan to do so in the near future. It wasn't explicitly said whether this referred to CrowdStrike's Falcon product specifically or was a knee-jerk reaction to security vendors generally. One in five will also change the selection criteria when it comes to reviewing which security vendor gets their business. The whole fiasco doesn't seem to have hurt the company much though, at least not yet. The findings come from a report examining the experiences of 311 affected organizations in Germany, published today. Of those affected in one way or another, most said they first heard about the issues from social media (23 percent) rather than CrowdStrike itself (22 percent). The report also revealed that half of the 311 surveyed orgs had to halt operations -- 48 percent experienced temporary downtime. Ten hours, on average. Aside from the obvious business continuity impacts, this led to various issues with customers too. Forty percent said their collaboration with customers was damaged because they couldn't provide their usual services, while more than one in ten organizations didn't even want to address the topic. The majority of respondents (66 percent) said they will improve their incident response plans in light of what happened, or have done so already, despite largely considering events like these as unavoidable. The report highlights a curious finding that over half of CrowdStrike customers wanted to install updates more regularly, even though that would have been worse for an organization. "Regardless, with the number of urgent patch warnings we and the infosec community dish out every week, it's probably a net positive, even if it's slightly misguided," concludes The Register.

Read more of this story at Slashdot.

Google is updating its Password Manager to allow users to sync passkeys across multiple devices, including Windows, macOS, Linux, and Android, with iOS and ChromeOS support coming soon. Engadget reports: Once saved, the passkey automatically syncs across other devices using Google Password Manager. The company says this data is end-to-end encrypted, so it'll be pretty tough for someone to go in and steal credentials. [...] Today's update also brings another layer of security to passkeys on Google Password Manager. The company has introduced a six-digit PIN that will be required when using passkeys on a new device. This would likely stop nefarious actors from logging into an account even if they've somehow gotten ahold of the digital credentials. Just don't leave the PIN number laying on a sheet of paper directly next to the computer.

Read more of this story at Slashdot.

An anonymous reader quotes a report from NPR: The State Department announced Wednesday that its online renewal system is now fully operational, after testing in pilot programs, and available to adult passport holders whose passport has expired within the past five years or will expire in the coming year. It is not available for the renewal of children's passports, for first-time passport applicants for renewal applicants who live outside the United States or for expedited applications. "By offering this online alternative to the traditional paper application process, the Department is embracing digital transformation to offer the most efficient and convenient passport renewal experience possible," Secretary of State Antony Blinken said in a statement. The department said it estimated that about 5 million Americans would be able to use this service a year. In 2023, it processed 24 million passports, about 40% of which were renewals. Assistant Secretary of State for Consular Affairs Rena Bitter, whose bureau oversees passport processing said the department hoped to expand the program in the coming years to possibly include Americans living abroad, those seeking to renew a second passport and children's passports. "This is not going to be the last thing that we do," she told reporters. "We want to see how this goes and then we'll start looking at ways to continue to make this service available to more American citizens in the coming months and years." You can renew your passport at www.Travel.State.Gov/renewonline.

Read more of this story at Slashdot.

Kenya signed a Memorandum of Understanding (MoU) with the U.S. on nuclear technology cooperation during the 2024 IAEA General Conference in Vienna, with the aim of safely integrating nuclear power into Kenya's energy mix by 2035. The agreement focuses on collaboration in nuclear safety, regulatory experience, and research. The Standard reports: The historic pact came a day after Prime Cabinet Secretary Musalia Mudavadi addressed the general session of the conference. Mudavadi had outlined Kenya's ambitious plans to integrate nuclear power into the country's energy mix by 2035, as part of a broader strategy to meet its growing energy demand. Kenya's current installed energy capacity, as of 2023, totals 3,321 MW, with significant contributions from geothermal (863 MW), hydroelectric power (838 MW), wind (436 MW), solar (173 MW), biomass (2 MW), and thermal energy (678 MW). However, despite these sources, the country still faces a shortfall in its energy supply. Experts say nuclear energy will be crucial in addressing this deficit and supporting Kenya's long-term industrialization goals. The MoU was signed by the Kenya Nuclear Regulatory Authority (KNRA) and the United States Nuclear Regulatory Commission (USNRC), with both parties expressing optimism about the future of nuclear cooperation between the two nations. [...] Areas of cooperation will include sharing of operating experience and regulatory experience, cooperation in joint programs of nuclear safety research and trainings. Kenya, along with several other developing nations, is exploring the potential use of nuclear energy beyond electricity generation, including its applications in health and agriculture. As the country moves forward with its nuclear aspirations, experts highlight the importance of robust regulatory frameworks and international cooperation to ensure the safe and effective deployment.

Read more of this story at Slashdot.

schwit1 shares a report from SpaceNews: The FAA announced Sept. 17 that it notified SpaceX of $633,009 in proposed fines for violating terms of its launch licenses during the June 2023 Falcon 9 launch of the Satria-1, or PSN Satria, broadband satellite and the July 2023 Falcon Heavy launch of Jupiter-3, or EchoStar-24, broadband satellite. Both launches were successful. For the Satria-1 launch, the FAA said in its enforcement notice (PDF) to the company that SpaceX had requested in May 2023 changes to its communications plan to allow the use of a new launch control center at the company's "Hangar X" facility at the Kennedy Space Center and to skip a poll of launch controllers at two hours before liftoff. The FAA notified SpaceX shortly before the scheduled launch that it would not be able to approve those changes and modify the license in time, although the enforcement notice did not state why. SpaceX went ahead and used the Hangar X control center and skipped the "T-2 hours" poll for the launch. The agency concluded that violated two conditions of its launch license, which allowed for civil penalties of up to $283,009 each. The FAA said it planned to fine SpaceX a combined $350,000 for that launch. A month later, SpaceX conducted the Falcon Heavy launch of Jupiter-3, but nine days before the launch the company requested a modification to its launch license to allow it to use a new tank farm for RP-1 fuel at KSC's Launch Complex 39A, according to a separate enforcement notice. The FAA notified SpaceX two days before the scheduled launch that the agency would not be able to modify the license in time, but SpaceX nonetheless used the new tank farm for the launch. The agency said it proposed to fine SpaceX the maximum $283,009 for that violation. Instead of participating in administrative procedures, SpaceX CEO Elon Musk said it would take the FAA to court. "SpaceX will be filing suit against the FAA for regulatory overreach," he posted on X.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: The Senate Judiciary Committee is scheduled to consider two bills Thursday that would effectively nullify the Supreme Court's rulings against patents on broad software processes and human genes. Open source and Internet freedom advocates are mobilizing and pushing back. The Patent Eligibility Restoration Act (or PERA, S. 2140), sponsored by Sens. Thom Tillis (R-NC) and Chris Coons (D-Del.), would amend US Code such that "all judicial exceptions to patent eligibility are eliminated." That would include the 2014 ruling in which the Supreme Court held, with Justice Clarence Thomas writing, that simply performing an existing process on a computer does not make it a new, patentable invention. "The relevant question is whether the claims here do more than simply instruct the practitioner to implement the abstract idea of intermediated settlement on a generic computer," Thomas wrote. "They do not." That case also drew on Bilski v. Kappos, a case in which a patent was proposed based solely on the concept of hedging against price fluctuations in commodity markets. [...] Another wrinkle in the PERA bill involves genetic patents. The Supreme Court ruled in June 2013 that pieces of DNA that occur naturally in the genomes of humans or other organisms cannot, themselves, be patented. Myriad Genetics had previously been granted patents on genes associated with breast and ovarian cancer, BRCA1 and BRCA2, which were targeted in a lawsuit led by the American Civil Liberties Union (ACLU). The resulting Supreme Court decision -- this one also written by Thomas -- found that information that naturally occurs in the human genome could not be the subject to a patent, even if the patent covered the process of isolating that information from the rest of the genome. As with broad software patents, PERA would seemingly allow for the patenting of isolated human genes and connections between those genes and diseases like cancer. [...] The Judiciary Committee is set to debate and potentially amend or rewrite PREVAIL and PERA (i.e. mark up) on Thursday.

Read more of this story at Slashdot.

Snapchat's terms of service for its "My Selfie" tool reserve the right to use users' AI-generated images in ads. While users can opt out by disabling the "See My Selfie in Ads" feature, it is enabled by default. 404 Media's Emanuel Maiberg reports: A support page on the Snapchat website titled "What is My Selfie?" explains further: "You'll take selfies with your Snap camera or select images from your camera roll. These images will be used to understand what you look like to enable you, Snap and your friends to generate novel images of you. If you're uploading images from the camera roll, only add images of yourself," Snapchat's site says. "After you've successfully onboarded, you may have access to some features powered by My Selfie, like Cameos stickers and AI Snaps. We are constantly adding features and functionality so stay tuned for more My Selfie features." After seeing the popup, I searched for instances of people getting ads featuring their own face on Snapchat, and found this thread on the r/Privacy Reddit community where a user claimed exactly this happened to them. In an email to 404 Media, Snapchat said that it couldn't confirm or deny whether this user was served an ad featuring their face, but if they did, the ad was not using My Selfie images. Snapchat also said that it investigated the claim in the Reddit thread and that the advertiser, yourdreamdegree.com, has a history of advertising on Snapchat and that Snapchat believes the ad in question does not violate any of its policies. "The photo that was used in the advertisement is clearly AI, however, it is very clearly me," the Reddit user said. "It has my face, my hair, the clothing I wear, and even has my lamp & part of a painting on my wall in the background. I have no idea how they got photos of me to be able to generate this ad." Snapchat confirmed the news but emphasized that advertisers do not have access to Snapchat users' generative AI data. "You are correct that our terms do reserve the right, in the future, to offer advertising based on My Selfies in which a Snapchatter can see themselves in a generated image delivered to them," a Snapchat spokesperson said. "As explained in the onboarding modal, Snapchatters have full control over this, and can turn this on and off in My Selfie Settings at any time."

Read more of this story at Slashdot.

"Apple has begun manufacturing its A16 SoC at the newly-opened TSCM Fab 21 in Arizona," writes Slashdot reader NoMoreACs. AppleInsider reports: According to sources of Tim Culpan, Phase 1 of TSMC's Fab 21 in Arizona is making the A16 SoC of the iPhone 14 Pro in "small, but significant, numbers. The production is largely a test for the facility at this stage, but more production is expected in the coming months. The volume will ramp up massively once the second stage of the Phase 1 fab actually concludes. If everything stays on schedule, the Arizona plant will hit a target for production sometime in the first half of 2025. Sources say TSMC is achieving yields that are marginally behind those of Taiwan-based factories. Yield parity is expected to happen within months. TSMC has also raised its investment and moved to build additional plants in Arizona, with three set to be constructed in total. The U.S. Commerce Department previously claimed this will create 6,000 direct manufacturing jobs, on top of an estimated 20,000 construction jobs.

Read more of this story at Slashdot.

Late last month, Brazilian Justice Alexandre de Moraes ordered X to suspend operations in Brazil after a months-long dispute with X owner Elon Musk. The conflict centered on Musk's refusal to appoint a legal representative in the country and his refusal to take down disinformation and far-right accounts. However, on Wednesday, X bypassed the court-ordered block by utilizing third-party cloud services, allowing many Brazilian users to access the platform without the need for a virtual private network (VPN). From a report: The number of Brazilians accessing X is unknown, according to [Abrint, the Brazilian Association of Internet and Telecommunications Providers]. "I believe the change was probably intentional. Why would X use a third-party service that ends up being slower than its own?" said Basilio Perez, a board member at Abrint. Any revised order from Brazil's national telecommunications agency Anatel, which is responsible for implementing the court ruling, will need to be more specific, because blocking cloud access is complex and may jeopardize government agencies and financial services providers, Perez said. Anatel has identified the problem and is working to first notify content delivery network providers, followed by telecom companies to block access again to X in Brazil, according to a person familiar with the situation. The same person said it is not clear how long it will take for the providers to comply with the order.

Read more of this story at Slashdot.

ZDNet's Steven Vaughan-Nichols reports: After 20 years, Real-Time Linux (PREEMPT_RT) is finally -- finally -- in the mainline kernel. Linus Torvalds blessed the code while he was at Open Source Summit Europe. [...] The real-time Linux code is now baked into all Linux distros as of the forthcoming Linux 6.12 kernel. This means Linux will soon start appearing in more mission-critical devices and industrial hardware. But it took its sweet time getting here. An RTOS is a specialized operating system designed to handle time-critical tasks with precision and reliability. Unlike general-purpose operating systems like Windows or macOS, an RTOS is built to respond to events and process data within strict time constraints, often measured in milliseconds or microseconds. As Steven Rostedt, a prominent real-time Linux developer and Google engineer, put it, "Real-time is the fastest worst-case scenario." He means that the essential characteristic of an RTOS is its deterministic behavior. An RTOS guarantees that critical tasks will be completed within specified deadlines. [...] So, why is Real-Time Linux only now completely blessed in the kernel? "We actually would not push something up unless we thought it was ready," Rostedt explained. "Almost everything was usually rewritten at least three times before it went into mainline because we had such a high bar for what would go in." In addition, the path to the mainline wasn't just about technical challenges. Politics and perception also played a role. "In the beginning, we couldn't even mention real-time," Rostedt recalled. "Everyone said, 'Oh, we don't care about real-time.'" Another problem was money. For many years funding for real-time Linux was erratic. In 2015, the Linux Foundation established the Real-Time Linux (RTL) collaborative project to coordinate efforts around mainlining PREEMPT_RT. The final hurdle for full integration was reworking the kernel's print_k function, a critical debugging tool dating back to 1991. Torvalds was particularly protective of print_k --He wrote the original code and still uses it for debugging. However, print_k also puts a hard delay in a Linux program whenever it's called. That kind of slowdown is unacceptable in real-time systems. Rostedt explained: "Print_k has a thousand hacks to handle a thousand different situations. Whenever we modified print_k to do something, it would break one of these cases. The thing about print_k that's great about debugging is you can know exactly where you were when a process crashed. When I would be hammering the system really, really hard, and the latency was mostly around maybe 30 microseconds, and then suddenly it would jump to five milliseconds." That delay was the print_k message. After much work, many heated discussions, and several rejected proposals, a compromise was reached earlier this year. Torvalds is happy, the real-time Linux developers are happy, print_K users are happy, and, at long last, real-time Linux is real.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Data Center Dynamics: BlackRock plans to launch a new $30 billion artificial intelligence (AI) investment fund focused on data centers and energy projects. Microsoft and Abu Dhabi-backed investment company MGX are general partners of the fund. GPU giant Nvidia will also advise. Run through BlackRock's Global Infrastructure Partners fund, which it acquired for $12.5 billion earlier this year, the 'Global AI Investment Partnership,' plans to raise up to $30 billion in equity investments. Another $70 billion could come via leveraged debt financing. "Mobilizing private capital to build AI infrastructure like data centers and power will unlock a multi-trillion-dollar long-term investment opportunity," said Larry Fink, chairman and CEO of BlackRock. "Data centers are the bedrock of the digital economy, and these investments will help power economic growth, create jobs, and drive AI technology innovation." Brad Smith, Microsoft's president, added: "The capital spending needed for AI infrastructure and the new energy to power it goes beyond what any single company or government can finance. This financial partnership will not only help advance technology, but enhance national competitiveness, security, and economic prosperity." Bayo Ogunlesi, CEO of Global Infrastructure Partners, said: "There is a clear need to mobilize significant amounts of private capital to fund investments in essential infrastructure. One manifestation of this is the capital required to support the development of AI. We are highly confident that the combined capabilities of our partnership will help accelerate the pace of investments in AI-related infrastructure."

Read more of this story at Slashdot.

The Register's Jessica Lyons reports: Chinese state-sponsored spies have been spotted inside a global engineering firm's network, having gained initial entry using an admin portal's default credentials on an IBM AIX server. In an exclusive interview with The Register, Binary Defense's Director of Security Research John Dwyer said the cyber snoops first compromised one of the victim's three unmanaged AIX servers in March, and remained inside the US-headquartered manufacturer's IT environment for four months while poking around for more boxes to commandeer. It's a tale that should be a warning to those with long- or almost-forgotten machines connected to their networks; those with shadow IT deployments; and those with unmanaged equipment. While the rest of your environment is protected by whatever threat detection you have in place, these legacy services are perfect starting points for miscreants. This particular company, which Dwyer declined to name, makes components for public and private aerospace organizations and other critical sectors, including oil and gas. The intrusion has been attributed to an unnamed People's Republic of China team, whose motivation appears to be espionage and blueprint theft. It's worth noting the Feds have issued multiple security alerts this year about Beijing's spy crews including APT40 and Volt Typhoon, which has been accused of burrowing into American networks in preparation for destructive cyberattacks. After discovering China's agents within its network in August, the manufacturer alerted local and federal law enforcement agencies and worked with government cybersecurity officials on attribution and mitigation, we're told. Binary Defense was also called in to investigate. Before being caught and subsequently booted off the network, the Chinese intruders uploaded a web shell and established persistent access, thus giving them full, remote access to the IT network -- putting the spies in a prime position for potential intellectual property theft and supply-chain manipulation. If a compromised component makes it out of the supply chain and into machinery in production, whoever is using that equipment or vehicle will end up feeling the brunt when that component fails, goes rogue, or goes awry. "The scary side of it is: With our supply chain, we have an assumed risk chain, where whoever is consuming the final product -- whether it is the government, the US Department of the Defense, school systems â" assumes all of the risks of all the interconnected pieces of the supply chain," Dwyer told The Register. Plus, he added, adversarial nations are well aware of this, "and the attacks continually seem to be shifting left." That is to say, attempts to meddle with products are happening earlier and earlier in the supply-chain pipeline, thus affecting more and more victims and being more deep-rooted in systems. Breaking into a classified network to steal designs or cause trouble is not super easy. "But can I get into a piece of the supply chain at a manufacturing center that isn't beholden to the same standards and accomplish my goals and objectives?" Dwyer asked. The answer, of course, is yes. [...]

Read more of this story at Slashdot.