Technology

Java Development Kit (JDK) 21, due in September as the next long-term support release of Oracle’s standard Java implementation, now has 16 features officially proposed for it, with three more features added in recent days.

The latest proposals include previews of structured concurrency and scoped values and preparations to disallow the dynamic loading of agents. Other recently added features include a key encapsulation mechanism (KEM) API and deprecation of the 32-bit x86 Windows port. Three other features—a generational Shenandoah garbage collector, unnamed classes and instance main methods, and unnamed patterns and variables—also were added last month.

To read this article in full, please click here

Even though many IT budgets are down, and belt tightening seems to be the clear trend, next year many enterprises are preparing for a rush to generative AI that they are not ready to pay for. It’s time to start thinking about how we’re going to make this work, and how cloud computing can be of assistance.

AI-driven supply chains, AI-driven manufacturing, AI-driven healthcare are all business cases that are on the table. Industries are clamoring for them and for good reason. The value that generative AI can bring (or at least what’s been bantered about) is unheard of compared to any technology trend I’ve seen in my long career. I understand why those predictions are being made.

To read this article in full, please click here

GitHub Actions is a platform built into GitHub that automates software building, testing, and deployment. GitHub, owned by Microsoft, is a hosting service for software development using Git, an open source version control and collaboration program developed by Linus Torvalds. Git and GitHub are already used by many programmers and software shops as the basis for their development practices, including the automated continuous integration and continuous delivery pipelines that carry projects through the build, test, and deploy cycle. GitHub Actions provides GitHub users with what GitHub calls an "API for cause and effect." You can use the platform to automate all sorts of behaviors based on various triggers.

To read this article in full, please click here

Bootstrap 5.3.0, the latest version of the CSS, JavaScript, and HTML web framework, has arrived with an emphasis on dark mode and custom color modes.

The final stable release of this update to the mobile-first application framework was announced May 30 and can be accessed from GetBootstrap.com. In this version, Bootstrap’s core was rewritten to offer “first class” support for dark mode, which is opt-in by default. Bootstrap also now supports any number of color modes for building custom themes or more-nuanced color modes. Dark mode styles are generated via a new color-mode() Sass mixin, allowing developers to write styles specific to a particular color mode. A new _variables-dark.scss stylesheet, meanwhile, houses dark-mode-specific Sass variables. Also in Bootstrap 5.3.0:

To read this article in full, please click here

Microsoft has come out with a new integration that will allow Snowflake and AWS S3 users to bring their data to its Azure Machine Learning (ML) service for AI model training and development.

The integration is being done via a new data import command line interface (CLI) and software development kit (SDK) that allows data to be brought in from data repositories outside the platform, Amar Badal, senior manager for Azure Machine Learning, wrote in a blog post.

To read this article in full, please click here

Code-signing certificates are supposed to help authenticate the identity of software publishers, and provide cryptographic assurance that a signed piece of software has not been altered or tampered with. Both of these qualities make stolen or ill-gotten code-signing certificates attractive to cybercriminal groups, who prize their ability to add stealth and longevity to malicious software. This post is a deep dive on “Megatraffer,” a veteran Russian hacker who has practically cornered the underground market for malware focused code-signing certificates since 2015.

One of Megatraffer’s ads on an English-language cybercrime forum.

A review of Megatraffer’s posts on Russian crime forums shows this user began peddling individual stolen code-signing certs in 2015 on the Russian-language forum Exploit, and soon expanded to selling certificates for cryptographically signing applications and files designed to run in Microsoft Windows, Java, Adobe AIR, Mac and Microsoft Office.

Megatraffer explained that malware purveyors need a certificate because many antivirus products will be far more interested in unsigned software, and because signed files downloaded from the Internet don’t tend to get blocked by security features built into modern web browsers. Additionally, newer versions of Microsoft Windows will complain with a bright yellow or red alert message if users try to install a program that is not signed.

“Why do I need a certificate?” Megatraffer asked rhetorically in their Jan. 2016 sales thread on Exploit. “Antivirus software trusts signed programs more. For some types of software, a digital signature is mandatory.”

At the time, Megatraffer was selling unique code-signing certificates for $700 apiece, and charging more than twice that amount ($1,900) for an “extended validation” or EV code-signing cert, which is supposed to only come with additional identity vetting of the certificate holder. According to Megatraffer, EV certificates were a “must-have” if you wanted to sign malicious software or hardware drivers that would reliably work in newer Windows operating systems.

Part of Megatraffer’s ad. Image: Ke-la.com.

Megatraffer has continued to offer their code-signing services across more than a half-dozen other Russian-language cybercrime forums, mostly in the form of sporadically available EV and non-EV code-signing certificates from major vendors like Thawte and Comodo.

More recently, it appears Megatraffer has been working with ransomware groups to help improve the stealth of their malware. Shortly after Russia invaded Ukraine in February 2022, someone leaked several years of internal chat logs from the Conti ransomware gang, and those logs show Megatraffer was working with the group to help code-sign their malware between July and October 2020.

WHO IS MEGATRAFFER?

According to cyber intelligence firm Intel 471, Megatraffer has been active on more than a half-dozen crime forums from September 2009 to the present day. And on most of these identities, Megatraffer has used the email address 774748@gmail.com. That same email address also is tied to two forum accounts for a user with the handle “O.R.Z.”

Constella Intelligence, a company that tracks exposed databases, finds that 774748@gmail.com was used in connection with just a handful of passwords, but most frequently the password “featar24“. Pivoting off of that password reveals a handful of email addresses, including akafitis@gmail.com.

Intel 471 shows akafitis@gmail.com was used to register another O.R.Z. user account — this one on Verified[.]ru in 2008. Prior to that, akafitis@gmail.com was used as the email address for the account “Fitis,” which was active on Exploit between September 2006 and May 2007. Constella found the password “featar24” also was used in conjunction with the email address spampage@yandex.ru, which is tied to yet another O.R.Z. account on Carder[.]su from 2008.

The email address akafitis@gmail.com was used to create a Livejournal blog profile named Fitis that has a large bear as its avatar. In November 2009, Fitis wrote, “I am the perfect criminal. My fingerprints change beyond recognition every few days. At least my laptop is sure of it.”

Fitis’s Livejournal account. Image: Archive.org.

Fitis’s real-life identity was exposed in 2010 after two of the biggest sponsors of pharmaceutical spam went to war with each other, and large volumes of internal documents, emails and chat records seized from both spam empires were leaked to this author. That protracted and public conflict formed the backdrop of my 2014 book — “Spam Nation: The Inside Story of Organized Cybercrime, from Global Epidemic to Your Front Door.”

One of the leaked documents included a Microsoft Excel spreadsheet containing the real names, addresses, phone numbers, emails, street addresses and WebMoney addresses for dozens of top earners in Spamit — at the time the most successful pharmaceutical spam affiliate program in the Russian hacking scene and one that employed most of the top Russian botmasters.

That document shows Fitis was one of Spamit’s most prolific recruiters, bringing more than 75 affiliates to the Spamit program over several years prior to its implosion in 2010 (and earning commissions on any future sales from all 75 affiliates).

The document also says Fitis got paid using a WebMoney account that was created when its owner presented a valid Russian passport for a Konstantin Evgenievich Fetisov, born Nov. 16, 1982 and residing in Moscow. Russian motor vehicle records show two different vehicles are registered to this person at the same Moscow address.

The most interesting domain name registered to the email address spampage@yahoo.com, fittingly enough, is fitis[.]ru, which DomainTools.com says was registered in 2005 to a Konstantin E. Fetisov from Moscow.

The Wayback Machine at archive.org has a handful of mostly blank pages indexed for fitis[.]ru in its early years, but for a brief period in 2007 it appears this website was inadvertently exposing all of its file directories to the Internet.

One of the exposed files — Glavmed.html — is a general invitation to the infamous Glavmed pharmacy affiliate program, a now-defunct scheme that paid tens of millions of dollars to affiliates who advertised online pill shops mainly by hacking websites and manipulating search engine results. Glavmed was operated by the same Russian cybercriminals who ran the Spamit program.

A Google translated ad circa 2007 recruiting for the pharmacy affiliate program Glavmed, which told interested applicants to contact the ICQ number used by Fitis, a.k.a. MegaTraffer. Image: Archive.org.

Archive.org shows the fitis[.]ru webpage with the Glavmed invitation was continuously updated with new invite codes. In their message to would-be Glavmed affiliates, the program administrator asked applicants to contact them at the ICQ number 165540027, which Intel 471 found was an instant messenger address previously used by Fitis on Exploit.

The exposed files in the archived version of fitis[.]ru include source code for malicious software, lists of compromised websites used for pharmacy spam, and a handful of what are apparently personal files and photos. Among the photos is a 2007 image labeled merely “fitis.jpg,” which shows a bespectacled, bearded young man with a ponytail standing next to what appears to be a newly-married couple at a wedding ceremony.

Mr. Fetisov did not respond to requests for comment.

As a veteran organizer of affiliate programs, Fitis did not waste much time building a new moneymaking collective after Spamit closed up shop. New York City-based cyber intelligence firm Flashpoint found that Megatraffer’s ICQ was the contact number for Himba[.]ru, a cost-per-acquisition (CPA) program launched in 2012 that paid handsomely for completed application forms tied to a variety of financial instruments, including consumer credit cards, insurance policies, and loans.

“Megatraffer’s entrenched presence on cybercrime forums strongly suggests that malicious means are used to source at least a portion of traffic delivered to HIMBA’s advertisers,” Flashpoint observed in a threat report on the actor.

Intel 471 finds that Himba was an active affiliate program until around May 2019, when it stopping paying its associates.

Fitis’s Himba affiliate program, circa February 2014. Image: Archive.org.

Flashpoint notes that in September 2015, Megatraffer posted a job ad on Exploit seeking experienced coders to work on browser plugins, installers and “loaders” — basically remote access trojans (RATs) that establish communication between the attacker and a compromised system.

“The actor specified that he is looking for full-time, onsite help either in his Moscow or Kiev locations,” Flashpoint wrote.

The Dapper ORM (object-relational mapper) has gained widespread popularity for working with databases in .NET because of its high speed and simplicity. We learned the basics of working with Dapper in a previous article here. We also discussed working with the Dapper Extensions library in an earlier article. In this article, we’ll take a look at some advanced features of Dapper.

To use the code examples provided in this article, you should have Visual Studio 2022 installed in your system. If you don’t already have a copy, you can download Visual Studio 2022 here.

To read this article in full, please click here

You can’t manage what you can’t measure. Just as software engineers need a comprehensive picture of the performance of applications and infrastructure, data engineers need a comprehensive picture of the performance of data systems. In other words, data engineers need data observability.

Data observability can help data engineers and their organizations ensure the reliability of their data pipelines, gain visibility into their data stacks (including infrastructure, applications, and users), and identify, investigate, prevent, and remediate data issues. Data observability can help solve all kinds of common enterprise data issues.

[ The InfoWorld Technology of the Year Awards 2023 are open for nominations | Submission deadline: June 30, 2023 5:00PM ET ]

Data observability can help resolve data and analytics platform scaling, optimization, and performance issues, by identifying operational bottlenecks. Data observability can help avoid cost and resource overruns, by providing operational visibility, guardrails, and proactive alerts. And data observability can help prevent data quality and data outages, by monitoring data reliability across pipelines and frequent transformations.

To read this article in full, please click here

pat rocks out.

Wasmer, builder of technology leveraging the WebAssembly (Wasm) binary instruction format, is unveiling WASIX, a specification and toolchain extending WASI (WebAssembly System Interface) to build applications with full Posix (Portable Operating System Interface) compatibility. The intent is to streamline compilation to Wasm.

Announced May 30 as a superset of WASI, WASIX can be used for both building apps and completing runtimes, supporting threads, Berkeley sockets, forking, and other capabilities available for almost all of the life of Posix. In developing WASIX, the Wasmer team and community have worked to enhance the existing WASI ABI, stabilizing it and making it more compatible with Posix, Wasmer said. Proponents believe WASIX will make it easier to compile any apps to Wasm, which has been positioned to bring high performance to web applications and allow other languages besides JavaScript to be used in the browser. The WASIX specification can be found at wasix.org. Developers can try it out WASIX at wasmer.sh.

To read this article in full, please click here

The command-line interface (CLI) is the inner world of software development. From the shell, we have direct access to all the operating system's capabilities, and with that comes the power to compose and orchestrate all aspects of the software. Many tools and frameworks incorporate command lines. Not only that, but the command prompt is the root magic of working with software systems; it's the home of near unlimited possibilities. 

In this article, we’ll take a tour of building sophisticated interactive command-line interface (CLI) applications and REPLs (read–eval–print loops, or interactive shells) in Java. We'll set up a basic demo application in Java and use the JLine and ConsoleUI libraries to add the features that we need.

To read this article in full, please click here

• Picture of the Week.
• HP = "Huge Pile"
• The ".ZIP" TLD — What could possibly go wrong?
• PyPI gets more serious about security AND privacy.
• "No logs saved anywhere"???
• Twitter in the EU?
• Bitwarden's support for Passkeys.
• A €1.2 billion fine will grab your attention.
• Editing WhatsApp messages.
• A new Google Bug Bounty.
• SpinRite.
• Brave's Brilliant Off the Record Request.

Show Notes: https://www.grc.com/sn/SN-925-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Sponsors:

• cs.co/twit
• drata.com/twit
• Melissa.com/twit

A number of Discord communities focused on cryptocurrency have been hacked this past month after their administrators were tricked into running malicious Javascript code disguised as a Web browser bookmark.

This attack involves malicious Javascript that is added to one’s browser by dragging a component from a web page to one’s browser bookmarks.

According to interviews with victims, several of the attacks began with an interview request from someone posing as a reporter for a crypto-focused news outlet online. Those who take the bait are sent a link to a Discord server that appears to be the official Discord of the crypto news site, where they are asked to complete a verification step to validate their identity.

As shown in this Youtube video, the verification process involves dragging a button from the phony crypto news Discord server to the bookmarks bar in one’s Web browser. From there, the visitor is instructed to go back to discord.com and then click the new bookmark to complete the verification process.

However, the bookmark is actually a clever snippet of Javascript that quietly grabs the user’s Discord token and sends it to the scammer’s website. The attacker then loads the stolen token into their own browser session and (usually late at night after the admins are asleep) posts an announcement in the targeted Discord about an exclusive “airdrop,” “NFT mint event” or some other potential money making opportunity for the Discord members.

The unsuspecting Discord members click the link provided by the compromised administrator account, and are asked to connect their crypto wallet to the scammer’s site, where it asks for unlimited spend approvals on their tokens, and subsequently drains the balance of any valuable accounts.

Meanwhile, anyone in the compromised Discord channel who notices the scam and replies is banned, and their messages are deleted by the compromised admin account.

Nicholas Scavuzzo is an associate at Ocean Protocol, which describes itself as an “open-source protocol that aims to allow businesses and individuals to exchange and monetize data and data-based services.” On May 22, an administrator for Ocean Protocol’s Discord server clicked a link in a direct message from a community member that prompted them to prove their identity by dragging a link to their bookmarks.

Scavuzzo, who is based in Maine, said the attackers waited until around midnight in his timezone time before using the administrator’s account to send out an unauthorized message about a new Ocean airdrop.

Scavuzzo said the administrator’s account was hijacked even though she had multi-factor authentication turned on.

“A CAPTCHA bot that allows Discord cookies to be accessed by the person hosting the CAPTCHA,” was how Scavuzzo described the attack. “I’ve seen all kinds of crypto scams, but I’ve never seen one like this.”

In this conversation, “Ana | Ocean” is a compromised Discord server administrator account promoting a phony airdrop.

Importantly, the stolen token only works for the attackers as long as its rightful owner doesn’t log out and back in, or else change their credentials.

Assuming the administrator can log in, that is. In Ocean’s case, one of the first things the intruders did once they swiped the administrator’s token was change the server’s access controls and remove all core Ocean team members from the server.

Fortunately for Ocean, Scavuzzo was able to reach the operator of the server that hosts the Discord channel, and have the channel’s settings reverted back to normal.

“Thankfully, we are a globally distributed team, so we have people awake at all hours,” Scavuzzo said, noting that Ocean is not aware of any Discord community members who fell for the phony airdrop offer, which was live for about 30 minutes. “This could have been a lot worse.”

On May 26, Aura Network reported on Twitter that its Discord server was compromised in a phishing attack that resulted in the deletion of Discord channels and the dissemination of fake Aura Network Airdrop Campaign links.

On May 27, Nahmii — a cryptocurrency technology based on the Ethereum blockchain — warned on Twitter that one of its community moderators on Discord was compromised and posting fake airdrop details.

On May 9, MetrixCoin reported that its Discord server was hacked, with fake airdrop details pushed to all users.

KrebsOnSecurity recently heard from a trusted source in the cybersecurity industry who dealt firsthand with one of these attacks and asked to remain anonymous.

“I do pro bono Discord security work for a few Discords, and I was approached by one of these fake journalists,” the source said. “I played along and got the link to their Discord, where they were pretending to be journalists from the Cryptonews website using several accounts.”

The source took note of all the Discord IDs of the admins of the fake Cryptonews Discord, so that he could ensure they were blocked from the Discords he helps to secure.

“Since I’ve been doing this for a while now, I’ve built up a substantial database of Discord users and messages, so often I can see these scammers’ history on Discord,” the source said.

In this case, he noticed a user with the “CEO” role in the fake Cryptonews Discord had been seen previously under another username — “Levatax.” Searching on that Discord ID and username revealed a young Turkish coder named Berk Yilmaz whose Github page linked to the very same Discord ID as the scammer CEO.

Reached via instant message on Telegram, Levatax said he’s had no involvement in such schemes, and that he hasn’t been on Discord since his Microsoft Outlook account was hacked months ago.

“The interesting thing [is] that I didn’t use Discord since few months or even social media because of the political status of Turkey,” Levatax explained, referring to the recent election in his country. “The only thing I confirm is losing my Outlook account which connected to my Discord, and I’m already in touch with Microsoft to recover it.”

The verification method used in the above scam involves a type of bookmark called a “bookmarklet” that stores Javascript code as a clickable link in the bookmarks bar at the top of one’s browser.

While bookmarklets can be useful and harmless, malicious Javascript that is executed in the browser by the user is especially dangerous. So please avoid adding (or dragging) any bookmarks or bookmarklets to your browser unless it was your idea in the first place.

Frontegg’s new entitlement engine will be powered by context-aware logic controls (CALC) technology to effect context-based, fine-grained authorization controls.

Without fine-tuning or being trained on a specific topic, ChatGPT can answer questions about a wide range of technology subjects—including how to write R code. That means ChatGPT's power is available to any R programmer, even one who knows little about large language models. (A large language model, or LLM, is the technology underpinning AI chatbots like OpenAI's ChatGPT.)

An ecosystem is forming around ChatGPT and R, making it easy to incorporate the AI technology into your R language workflow. But before you begin using ChatGPT and tools associated with it for projects in R, there are a few important things to keep in mind:

1. Everything you ask with these tools gets sent to OpenAI's servers. Don't use ChatGPT tools to process sensitive information.
2. ChatGPT may confidently return answers that are wrong. Even incorrect responses can be a time-saving starting point, but don't assume the code will do exactly what you expect. Kyle Walker, an associate professor at Texas Christian University and author of the popular tidycensus R package, recently tweeted that ChatGPT can "supercharge your work if you understand a topic well," or it can leave you "exposed for not knowing what you are doing." The difference is in knowing when the AI output isn't right. Always check ChatGPT's responses.
3. ChatGPT can generate different responses to the same query—and some answers might be accurate while others aren't. For instance, when I asked multiple times for a ggplot2 bar chart with blue bars, the code generated a graph with blue bars sometimes but not others, even though I submitted the exact same request. This is obviously less than ideal if you need a reproducible workflow.
4. If there's been a recent update to a package you're using, ChatGPT won't know about it, since its training data ends in 2021.
5. Most of the resources in this article require you to have your own OpenAI API key, and the API isn't free to use. While pricing is low at the moment, there's no guarantee it will stay that way. Current pricing is 2 cents per 10,000 tokens for the ChatGPT 3.5 turbo model. What does a token get you? As one example, the request to create a scatter plot from a 234-row mpg data set cost 38 tokens, a fraction of a cent.
6. Asking ChatGPT for coding help is unlikely to ensnare you in the ethics of AI racial and gender bias. However, there are heated discussions about the wisdom of furnishing OpenAI with yet more data; the ethics of how the training data was scraped and repurposed; and if it's better to use open source large language models (such as H2O.ai's h2oGPT) rather than OpenAI's. Those dilemmas are for every individual and organization to parse for themselves. However, as of this writing, there simply aren't R-specific LLM tools that are comparable to those building up around ChatGPT. 

Now, let's look at some of the most notable R-focused ChatGPT resources currently available.

To read this article in full, please click here

It’s late on a Friday. You get a call from your CIO that data has been removed from XYZ public cloud server, and they need it back ASAP.

It gets worse. First, there is no current backup copy of the data. The backups you expected your cloud provider to perform on your behalf only include the provider’s core system backups. That means it’s functionally unusable. Second, there is no business continuity/disaster recovery (BCDR) strategy, procedures, or playbook in place to deal with breaches or disasters. Everyone assumed the cloud was doing that automatically. That’s why we’re in the cloud, right?

These are common misconceptions. Equally common is the assumption that those charged with keeping cloud systems working and safe would have a handle on this problem by now. There are too many cases where that assumption is incorrect. In other words, you’re probably doing cloud BCDR wrong and need to do something about it.

To read this article in full, please click here

In tech we are all, ultimately, parasites. As Drupal creator Dries Buytaert’s said years ago, we are all more “taker” than “maker.” Buytaert was referring to common practice in open source communities: “Takers don’t contribute back meaningfully to the open source project that they take from,” hurting the projects upon which they depend. Even the most ardent open source contributor takes more than she contributes.

This same parasitic trend has played out for Google, Facebook, and Twitter—each dependent on others’ content—and is arguably much more true of generative AI (GenAI) today. Sourcegraph developer Steve Yegge dramatically declares, “LLMs aren’t just the biggest change since social, mobile, or cloud—they’re the biggest thing since the World Wide Web,” and he’s likely correct. But those large language models (LLMs) are essentially parasitic in nature: They depend on scraping others’ repositories of code (GitHub), technology answers (Stack Overflow), literature, and much more.

To read this article in full, please click here

I’d been needing to refactor the pagination logic in the Mastodon plugin for Steampipe. After a couple of abortive tries, I took another run at it this week with the help of the latest generation of LLM-powered coding assistants.

Here was the problem. The pre-release version of the plugin consolidated pagination for many tables in one place. That was a good thing, but the downside was that there was only one Steampipe table which represented what should have been many of them. So you could say select * from mastodon_timeline but then you had qualify with where timeline = 'home' or where timeline = 'local' and so on. For a user of the plugin this was awkward, you’d rather say select * from mastodon_timeline_home or select * from mastodon_timeline_local, and reserve the where clause for more specific purposes.

To read this article in full, please click here

“The most efficient and effective method of conveying information to and within a development team is face-to-face conversation.” —The Agile Manifesto

This principle was needed in 2001, when the Agile Manifesto was written, because most employees worked in cubicles, and many projects were managed as tasks and handoffs from one team to another. Waterfall-style project management methodologies had a high failure rate, which led a growing number of organizations to shift to scrum, Kanban, and other agile methodologies. 

[ Nominations are open for InfoWorld’s 2023 Technology of the Year Awards ]

Organizations that adopted agile development often chose to collocate their development teams. In some organizations, this move to collocation created a preference to staff agile development teams with full-time employees. Subsequently, there was backlash on distributing teams, using external service providers, and relying on freelancers. It was easy to blame outsourcing for poor project delivery or a marketing agency for developing unsupportable code.

To read this article in full, please click here

AI Spoof, Twitter and DeSantis

• Twitter Cut Key Software Before DeSantis Audio Glitch
• Elon Musk's Neuralink says has FDA approval for study of brain implants in humans
• Here's What Happens When Your Lawyer Uses ChatGPT
• Just Calm Down About GPT-4 Already
• The Seven Deadly Sins of AI Predictions
• 'Verified' Twitter accounts share fake image of 'explosion' near Pentagon, causing confusion
• An A.I.-Generated Spoof Rattles the Markets
• Politicians cheating (AI)
• Top 5 announcements from Microsoft Build 2023
• Google or Bing for Search Results
• Why Google Search Is Getting Bad According to Marissa Mayer
• Stop being ridiculous: Microsoft is NOT building its own processor for Surface
• This ridiculous shoe PC went from a 10-week mod project to a $6,000 custom Cooler Master gaming PC you can actually buy
• Social Media is a 'Profound Risk' to Youth, Surgeon General Warns
• The Pessimists Archive

Host: Leo Laporte

Guests: Owen Thomas, Daniel Rubino, and Glenn Fleishman

Download or subscribe to this show at https://twit.tv/shows/this-week-in-tech

Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

Sponsors:

• GO.ACILEARNING.COM/TWIT
• wwt.com/twit
• lookout.com