Crime

Windows 11 Identifier Code Used to Arrest 19-Year-Old Over Alleged Ransomware Spree (tomshardware.com) 35

America's Justice Department and FBI joined Finland's National Bureau of Investigation to arrest a teenager they say is part of one of the world's biggest cybercrime syndicates, reports Tom's Hardware. The "Scattered Spider" syndicate has extorted over $100 million in ransom payments, according to Department of Justice figures: 19-year-old Peter Stokes is a dual U.S.-Estonian citizen who was trying to board a flight to Japan from Helsinki, when law enforcement caught up with him. [T]he main criminal complaint against Stokes stems from a May 2025 attack on a luxury jewelry dealer based in the United States. The attackers apparently called the company's IT helpdesk using Google Voice, posing as employees. They were able to convince the help desk into resetting their credentials, which allowed them to infiltrate three accounts, two of which had admin privileges. From there, the group, allegedly including Stokes, stole important data and held the jeweler at ransom, demanding an $8 million payment in crypto. The company ultimately regained access to their infrastructure and avoided paying the ransom, but the operational disruption still caused a purported $2 million in losses. This served as the spark that led to Stokes' eventual arrest in Helsinki, as the prosecutors slowly followed the paper and digital trail laid by the attackers.

Microsoft played a key role in the process by providing GDID [Global Device Identifier] data to the FBI to help them apprehend the alleged criminal... [I]t's a unique identifier assigned to every Windows install that tracks device-specific telemetry. It's the reason why sometimes changing a major component in your PC can revoke your Windows license... [T]he court documents from the case reveal that Stokes used Windows, from which investigators were able to link his physical hardware to specific internet activity and locations... Stokes' web activity, videogame history, IP addresses, tool usage (including Ngrok), Azure status, and more were logged with timestamps, and were provided to the investigators by Microsoft...

Stokes was carrying two hard drives full of incriminating evidence with him when boarding his flight to Japan... His real identity has actually been known since 2024, but since he was a minor living across Estonia and the UAE at the time, he could only be monitored until the time was right.

The official criminal complaint even includes a selfie photo that Stokes posted on Snapchat (hiding his face behind dozens of hundred dollar bills). It then notes that behind Stokes the wallpaper, carpet, and furniture match New York's Empire Hotel — and that Stokes had visited the hotel's web site in Germany before then flying to New York...

"Following the arrest, Stokes was extradited to the U.S., where he appeared in front of a federal court in Chicago for the first time on June 30, 2026, and he remains in custody," adds Tom's Hardware.

"The accused is now awaiting trial, having been charged with conspiracy, cyber intrusion, and fraud..."
The Internet

GoDaddy Warns India's Crackdown on Fake Site Registrars Could Upend Internet Privacy Everywhere (reuters.com) 18

"The internet is filled with fakes," writes Gizmodo. "A court in India is setting out to address the problem by requiring more transparency from domain registrars to make it easier to crack down on fraud. And while the intentions might be good, Reuters is reporting that major American domain registrar GoDaddy is sounding the warning bells that the court's decision could fundamentally reshape the internet well beyond India's borders."

GoDaddy argues the move would even make the internet less safe, reports Reuters: [Online fraud] is a key challenge for Prime Minister Narendra Modi's government, which last year received 2.4 million complaints of alleged cyber fraud amounting to $2.4 billion. Starting in 2019, lawsuits were brought by dozens of Indian and global firms — Amazon against fake shopping sites trading on its name and McDonald's complaining against bogus sites offering franchises. [More than 20 companies filed a complaint, the article notes, including Microsoft.] In December, an Indian court blocked more than 1,100 such websites. The New Delhi judge however went further, ordering sweeping new measures that tech experts say have rewritten rules of internet governance: Domain sellers should not offer buyers free privacy protection by default, the buyer's details should be released to anyone with a "legitimate interest" within 72 hours, and website addresses that are variations of protected brand names must be prohibited.

U.S.-based GoDaddy has challenged the directives before a larger bench of judges at the Delhi High Court, according to a Reuters review of non-public filings. It says the ruling will affect legitimate businesses that have names similar to big brands. Stopping privacy-by-default features, GoDaddy said, will result in public disclosure of name, address, telephone and email of legitimate website owners, exposing them to "foreseeable privacy and security risks" such as stalking and harassment.

As domain names operate globally, not locally, the order could force GoDaddy to regulate website addresses across the world, it said. On the court's order imposing a 72-hour deadline on companies to provide registration details to anyone with "legitimate interest", GoDaddy argues it has no wherewithal to assess who has legitimate interest or not. The "commercially destabilising" directives may force domain name companies to "exit India", said one of GoDaddy's appeal documents that ran into 5,121 pages... GoDaddy rivals, Arizona-based Namecheap and Netherlands-based Hosting Concepts, have also challenged the New Delhi ruling, court records show, although Reuters could not ascertain details of their appeals...

GoDaddy argues that diluting the privacy feature will run contrary to India's data protection law and the European Union GDPR law which mandates a "privacy by default" approach. Farzaneh Badii, a New York-based researcher on internet governance, criticised the New Delhi ruling, noting that Europe redacted such details because publishing them had been abused by harassment and targeted phishing. "The people exposed will be journalists, activists, small business owners, and private individuals. The brand impersonators will not," she said...

While the sweeping December directives were issued by a court, they followed government's submissions, documents showed... The judges will hear the appeals on July 16.

GoDaddy manages 80 million domains and serves over 20 million users, the article points out, with annual revenue over $5 billion.
Government

Are Wars Blurring Lines Between Corporate and National Security? (msn.com) 37

Subsea cables. Ukrainian power stations. Russian oil refineries. Even airports, water-desalination plants and Amazon data centers.

They've all become targets in wartime, notes the Wall Street Journal, and around the world now arguments "are already brewing between companies and governments over new regulations and potential costs." In Germany, powerful associations representing private companies and municipal utilities have pushed back against new standards for physical protection, warning they could spell financial ruin. New Zealand's government has faced resistance from industry groups over a proposal to fine critical-infrastructure companies and their directors for cybersecurity breaches... A sign of how lines are blurring: The North Atlantic Treaty Organization's 32 countries last year agreed that as part of a pact to spend 5% of economic output on defense and security, 1.5% would go to military-adjacent needs including protecting critical infrastructure and networks. Spending targets range from cybersecurity and industrial capacity to railroads, bridges and ports needed for military logistics... "We need a wide concept of defense — defense is no longer just military," said Italian Adm. Giuseppe Cavo Dragone, NATO's top military adviser.

Adding to the complexity, companies now need to protect the data networks that serve as gateways to critical infrastructure. Hackers increasingly target not just computer files to steal information but also systems managing vital functions like building access and factory control, remotely causing physical damage or enabling espionage. U.S. authorities in April warned that Iranian hackers were trying to disrupt American drinking-water systems by targeting computer equipment that connects hardware with software. A year earlier, suspected Russian hackers remotely manipulated valves on a Norwegian hydroelectric dam...

Another challenge will be parsing jurisdictions and liability for assets that cross international waters or are damaged in combat — such as subsea data cables or energy pipelines. Turf battles between law enforcement and militaries are already complicating efforts... "The private owner can invest in redundancy, monitoring, and repair capacity, but only governments and militaries can really deter, patrol, attribute, or respond to hostile state activity," said Marc Glasser, who worked on cybersecurity and infrastructure security for three decades at the U.S. Department of Transportation and the Department of Homeland Security.... Companies say they need greater clarity from governments on what protections they will provide and subsidies to help them defend privately owned assets that provide a public good. Most governments don't provide incentives for companies to invest more than the minimum legal resilience requirements.

The article notes that in May the chief executive of California's Port of Long Beach "launched a cyber-defense operations center to thwart tens of thousands of cyberattacks daily, which jeopardize computer systems and all equipment connected to them."

The article also points out that the EU adopted new regulations requiring countries to reduce vulnerabilities, and new laws proposed in the U.K. now "seek to increase penalties for subsea sabotage, updating codes that date to when telegraph cables were first laid in the 19th century."
Microsoft

Did Microsoft Shift Its Profits to Low-Tax Countries? (nytimes.com) 64

Microsoft is apparently shifting its profits to countries with low taxes — and out of countries where they have many more employees and significant sales. Back in 2005 former Microsoft CEO Steve Ballmer even said that a low corporate tax rate "is part of the overall advantage of doing business in Ireland," remembers long-time Slashdot reader theodp. (Ballmer added "It would be disingenuous to say otherwise.")

But in 2026 the EU now requires a country-by-country compliance report, and the New York Times notes that Microsoft "was most likely the first major U.S. technology company to make a so-called country by country report of its finances to comply..." Like other big companies, Microsoft uses transactions between subsidiaries to shift profits around to reduce its tax bill. The report revealed a consistent pattern: high returns in low-tax jurisdictions and slim margins in higher-tax ones. The report showed the sometimes absurd results. Microsoft said it had generated almost 40 percent of its pretax income in tax-friendly Ireland, where it employed about 3 percent of its global work force. In higher-tax Germany, the largest economy in Europe, Microsoft earned barely half of 1 percent of its global profits, it said.

Excluding Ireland, the company said, it generated less than 2 percent of its worldwide pretax earnings in Europe... [In Luxembourg Microsoft said it had $283 million in pretax income with only 34 employees.]

[America's] Internal Revenue Service is challenging profit-shifting transactions used by Microsoft, and is seeking back taxes of nearly $29 billion. The company has said it disagrees with the I.R.S. and said in a securities filing that it "will vigorously contest" the proposed tax bills.

This week a Microsoft blog post offered their own "context," arguing that tax is "one important measure of contribution, but it is not the only one.

"Our investments, partnerships, infrastructure, and long-term presence in countries around the world also reflect a commitment to helping strengthen the economies and communities where we operate, today and for the future."
Piracy

Video Game History Foundation Says Piracy Remains the Only Viable Preservation Method (techspot.com) 86

An anonymous reader quotes a report from TechSpot: Video Game History Foundation founder Frank Cifaldi recently supported claims that piracy is the only effective way to preserve video games. The comments lay the blame squarely on game companies' refusal to keep legacy content available or allow archivists to build legal repositories. Sony's announcement that all PlayStation games will be digital-only from 2028 onward has sparked concern that titles will become harder to preserve and more easily vanish, since the company's servers will become the sole point of distribution. In an official statement, Cifaldi noted that the end of physical PlayStation games has surprisingly little impact on the Foundation's efforts because the majority of games from the last two decades are already digital-only.

According to the Foundation, most games nowadays are not released for consoles, let alone on physical discs. Furthermore, many discs for major titles require downloading updates before they are playable, although the DoesItPlay database reveals that, even today, most are playable offline out of the box. Cifaldi claimed that the true reason piracy remains the best option for preservation is that the Entertainment Software Association, which lobbies for game publishers, has closed off other routes. For example, in 2018, the Association opposed efforts to grant copyright exemptions for museums, libraries, and archives to retain copies of abandoned online games for research.

This is the same organization that recently helped defeat a proposed California bill to preserve premium-priced online-only games by falsely claiming that community servers are illegal. The Foundation accused the ESA of repeatedly blocking attempts by cultural heritage institutions to reform DRM legislation. Cifaldi also described the Library of Congress' outdated software preservation process, which currently only requires tiny snippets of source code. For example, Capcom once asked the Foundation to provide the LoC with "the first and last ten pages of code" for a Mega Man game. Unable to discern where digital records began and ended, the group simply chose random segments. Platform holders' habit of closing online storefronts and removing media from users' accounts is also unhelpful.
"What continues to baffle us is what the industry expects institutions like ours to do about it," the Video Game History Foundation said. "If platform owners are deciding to eliminate physical media and older digital storefronts, then we'd also like to see trade groups like the Entertainment Software Association offer meaningful solutions for archives and museums to legally preserve digital-only content and make it accessible for research."
Security

AI Agent Executes 'First' End-To-End Ransomware Attack 30

Sysdig says it has documented the first ransomware attack carried out end to end by an AI agent, which autonomously exploited exposed systems, stole credentials, established persistence, compromised a production database, and destroyed data. The research team named the attacker "JadePuffer" and said it gained initial access to an internet-facing Langflow instance by exploiting CVE-2025-3248. "The most striking characteristic, however, was the LLM's behavior," Sysdig director of threat research Michael Clark said in a blog post. An anonymous reader quotes an excerpt from The Register: JadePuffer's "self-narrating" payloads "contained natural language reasoning, target prioritization, and the kind of detailed annotations that human operators don't often write but LLM-generated code produces reflexively," Clark added. "The operation also adapted in real time, retrying failed steps within refined parameters. In one sequence, it went from a failed login to a working fix in 31 seconds." After exploiting CVE-2025-3248, a missing authentication vulnerability in Langflow that allows remote, unauthenticated attackers to execute arbitrary Python on the host, the AI agent began scanning for and collecting secrets, including LLM provider API keys, cloud credentials "with explicit coverage of Chinese providers" including Alibaba, Aliyun, Tencent, and Huawei, while also scanning for AWS, Azure and Google Cloud Platform, cryptocurrency wallets, and database credentials.

The AI also installed a crontab entry on the Langflow server to maintain persistence and call back to the attacker's infrastructure every 30 minutes. JadePuffer's intended target was a separate internet-exposed production server running a MySQL database and an Alibaba Nacos configuration service, we're told. Nacos is an open-source service-discovery and dynamic configuration platform developed by Alibaba and used in the cloud provider's microservices applications. The agent connected to the server's exposed MySQL port using root credentials, although Sysdig doesn't know how the attacker obtained them. These credentials weren't stolen from the victim's environment.

JadePuffer then attacked Nacos via multiple vectors including an authorization bypass flaw (CVE-2021-29441) and forging a valid JSON web token (JWT) using Nacos's default signing key. Additionally, using its root database access, the LLM injected a backdoor administrator into the Nacos backing database. It ultimately encrypted all 1,342 Nacos service configuration items using MySQL's built-in AES encryption function, and created an extortion demand, ransom note, Bitcoin payment address, and a Proton Mail contact [...]. However, according to the threat hunters, the victim can't recover the encrypted data, even if they paid the ransom demand, because the agent escalated "from row-level deletion to dropping entire database schemas, narrating its own targeting rationale," without backing up any of the encrypted data.
AI

OpenAI 'In Early Talks To Give 5% Stake To US Government' 113

OpenAI is reportedly in early talks to give the U.S. government a 5% stake, potentially alongside similar contributions from other major AI companies. "Such a deal would help improve the industry's relations with the Trump administration and could help garner political support by sharing wealth generated by the AI boom with the public," reports The Guardian. From the report: [OpenAI CEO Sam Altman] and other OpenAI bosses have suggested that each of the biggest AI developers in the US should give 5% of their equity to an investment vehicle such as the Alaska Permanent Fund, a sovereign fund that invests US oil wealth into stocks and pays dividends to the state, the FT reported.

The talks are "conceptual" and in early stages, it said, and any deal could require an act of Congress to implement. Both OpenAI and Anthropic have previously suggested in policy papers that a public or sovereign wealth fund may be required in the future to distribute shares to the public. In April, OpenAI said that a "public wealth fund" could provide "every citizen -- including those not invested in financial markets -- with a stake in AI-driven economic growth."
Further reading: Bernie Sanders Unveils $7 Trillion Plan To Give Americans Control of AI Industry
Privacy

WhatsApp Usernames Are Already Raising Impersonation Red Flags (techcrunch.com) 30

An anonymous reader quotes a report from TechCrunch: WhatsApp this week started rolling out username reservations ahead of the broader launch planned later this year. The feature -- which lets people find and message each other by handle instead of phone number -- is already raising impersonation concerns, drawing scrutiny from security experts and regulators in India, the app's largest market, with more than 500 million users. The rollout marks a shift in how people identify one another on WhatsApp. Instead of relying on phone numbers as the primary identifier, users will increasingly interact through platform-managed usernames, a change that Meta says improves privacy but that critics argue could create new opportunities for impersonation.

[...] Asked about how it protects against impersonation, Meta told TechCrunch it reserves usernames for public figures, government entities, and "some variations" of those names so only the legitimate owner can claim them. The company did not explain, however, how it decides which lookalike usernames get proactively reserved and which don't. The concerns have already reached regulators in India, where cyber fraud schemes frequently exploit messaging platforms to impersonate police, banks, and government officials. [...] Rachel Tobac, chief executive of SocialProof Security, called usernames a net privacy gain because they reduce the need to share phone numbers, which can expose users to SIM-swap attacks, phishing, and account takeovers. Still, she said, lookalike usernames still create opportunities for impersonation. "Ultimately, usernames are a great idea to avoid leaking your phone number to folks you don't know, but it's important to verify identity with the username function too," Tobac told TechCrunch. Her advice for most users: Pick a username that isn't easily guessable, so it's harder for attackers to find you, message you cold, or harass and spam you.

[...] The Mozilla Foundation said the introduction of usernames is likely to bring new tradeoffs. "Increased scams and impersonation from fake handles are potentially a big one," it told TechCrunch. "Checking a phone number can be a useful verification tool, but these harms are also permitted by the platform's fundamental design choices." Mozilla also flagged a broader interoperability question -- one worth logging if you're building on top of, or competing with, Meta's ecosystem. While letting users claim their existing Facebook and Instagram usernames may cut down on impersonation, it also shows how easily Meta can stitch identity together across its own apps, even as users still can't take that identity, or their contacts, to a rival platform. For now, WhatsApp says it is taking a gradual approach to the rollout. "We're taking our time and listening to feedback so that when it rolls out later this year we get it right," the company said in its FAQ.

The Courts

T-Mobile Appears To Be Quitting VMware Amid Support Rights Lawsuit With Broadcom (theregister.com) 56

T-Mobile appears to be migrating its 303,000-core VMware environment to another platform while fighting Broadcom in court for the extended support it says its perpetual-license agreement guarantees. "The matter is somewhat urgent," The Register reports, because a court-ordered support arrangement expires August 3, "so T-Mobile may soon be unable to get support for its very substantial VMware estate." The Register reports: The dispute relates to a deal T-Mobile struck with VMware in August 2023, which saw the telco acquire perpetual licenses and two years of support for some software, plus the option for a further year of support. When Broadcom acquired VMware in 2023, it stopped selling perpetual licenses and standalone support deals for customers with those licenses. Broadcom also reduced the virtualization giant's product range from over 150 products to two subscription-only bundles. Broadcom now mostly sells its Cloud Foundation (VCF) private cloud suite. Customers including AT&T and Tesco tried to exercise their right to extended support, but Broadcom declined to do so. AT&T settled on confidential terms. Tesco is pursuing the matter in the courts.

When customers exercise their option for extended support, Broadcom argues it can't deliver because the products covered by the contract don't exist anymore, its contracts allow it to deny support for dead products, and subscriptions are now the industry standard. T-Mobile started using VMware's products in 2008. In one hearing, the carrier's counsel described T-Mobile's VMware implementation as "the base of the entire internal network" and "the place where 1,000 applications reside." Another filing, from Broadcom, says the telco runs VMware software on over 303,000 CPU cores.

Court documents allege that in 2024 Broadcom notified T-Mobile it would not renew support after the initial two-year deal expired in 2025. The two parties kept talking about possible new arrangements. T-Mobile also sought an injunction that would compel Broadcom to provide extended support. Broadcom opposed the injunction, arguing that T-Mobile deliberately waited too long to seek it. At one point T-Mobile suggested a $20 million deal for another two years of support. An affirmation filed last week by T-Mobile vice president of technology Kevin Luu says the carrier sought that arrangement "to be able to complete T-Mobile's transition away from VMware at a more deliberate pace."

The court eventually granted the injunction forcing Broadcom to offer support beyond August 2025, but required T-Mobile to pay $5.28 million and post a $500,000 undertaking. Broadcom continued to provide support but also sought damages on grounds that the injunction meant it missed out on a new deal with T-Mobile. The telco has rubbished that argument in part because the two parties were still talking about a new deal. Broadcom later proposed to charge $24 million for extended support covering six products, a sum it said would cover over 20 staff needed to support T-Mobile. The carrier fired back by pointing out that it has made just two support calls in 2026, which hardly justifies such a massive staff and expense.

The Courts

Meta Loses Bid To Dismiss US States' Claims That Facebook, Instagram Addict Children (reuters.com) 29

A federal judge rejected Meta's bid to dismiss claims from 29 state attorneys general alleging that Facebook and Instagram were designed to addict children while concealing the harms. The judge found significant factual disputes that must be decided at trial. They also ruled that Meta failed to comply with federal parental notice and consent requirements for children under 13, "and granted summary judgement to the states on that issue," reports Reuters. From the report: In a separate statement, California Attorney General Rob Bonta called the decision a "critical win" in holding Meta accountable for fueling a mental health crisis among American children. Gonzalez Rogers also oversees related multidistrict litigation by more than 2,600 individuals, school districts and local governments over whether social media platforms such as Facebook, Instagram, Google and YouTube, Snapchat and TikTok addict children.

The states said research has shown that children's use of Facebook and Instagram could lead to depression, anxiety, insomnia, interference with education and daily life, and self-harm including suicide. Meta countered that the attorneys general had no evidence it misled consumers about its platforms' alleged addictiveness, including in congressional testimony by Chief Executive Mark Zuckerberg. The Menlo Park, California-based company said this was because "social media addiction" is not an established psychiatric condition, and therefore statements that its platforms are not addictive could not be false. Meta also said it didn't violate the children's online privacy law because it directed Facebook and Instagram to a general audience, not just children under age 13.

In a 38-page decision, Gonzalez Rogers found material factual disputes over whether Meta's social media platforms are addictive, whether Meta falsely denied it designed them that way, and whether it "partially" directed the platforms at children. "The AGs present a reasonable interpretation of [Meta's] statements that Facebook and Instagram are not designed in ways that cause teens to compulsively use the platforms to their detriment," the judge wrote. "To the extent plaintiffs' evidence shows that the platforms are in fact designed to do just that, a jury could reasonably find the statements were untrue to a reasonable person," she added. A trial over California, Colorado, Kentucky and New Jersey's claims against Meta is scheduled for August 18, court records show.
Further reading: Will Social Media Change After YouTube and Meta's Court Defeat?
AI

Trump Drops Restrictions On Anthropic's Mythos and Fable Models 67

The Trump administration has lifted export restrictions that forced Anthropic to shut off public access to its Mythos and Fable models. After weeks of talks, Secretary of Commerce Howard Lutnick said Anthropic "has agreed to proactively detect and address security risks associated with the models; to work diligently with the U.S. government on protocols and standards and releases for Mythos, Fable and future models; and to inform the US government of any malicious activity." Access is set to begin returning July 1. TechCrunch reports: Anthropic had already publicly pledged to do much of this voluntarily, months before the export rule existed. That's part of why cybersecurity experts were skeptical of the restrictions in the first place. To them, the ban looked less like a security fix and more like leverage, a way for the Trump administration to punish Anthropic for its executives' public criticism of how the government, and the president's political opponents, might use the technology.

Mythos was originally made available to a select group of organizations beginning in April to allay concerns about its ability to identify and exploit vulnerabilities in software, while a version called Fable was released to the public in June with additional security guardrails. However, with Asian AI companies beginning to release their own AI models approaching Mythos-level capabilities -- among them Fugu and Tulonfeng -- the US government was under pressure to ease its restrictions on Anthropic to ensure that American AI could compete globally.

Last week, Lutnick cleared Mythos to be released to select customers approved by the White House. OpenAI's latest models were also released to a group of organizations approved by the Trump team, instead of the public. The Trump administration's erratic approach to AI policymaking has left companies across the industry with little clarity about what will govern future model releases. An executive order issued in June that signaled a desire to review models ahead of release was criticized by influential analysts like Dean W. Ball, who recently started a policy position at OpenAI.
Government

New Florida Law Bans Local Net-Zero Emissions Policies 124

An anonymous reader quotes a report from Inside Climate News: A new state law limits Florida communities' aims to offset greenhouse gas emissions that are warming the global climate and intensifying disasters such as hurricanes. Specifically, HB 1217 prohibits local governments from pursuing net-zero emissions goals. At least 10 cities and counties have implemented such policies, including Fort Lauderdale, Miami, Orlando and Leon County, where Tallahassee, the state capital, is located. But the new law will not necessarily upend these policies, said Bradley Marshall, senior attorney at Earthjustice, an advocacy group. "It's certainly meant to scare municipalities and local governments from trying to do things to further net-zero policies," he said. "Now, its exact impact and what it exactly prohibits is probably up for some debate. Things that are adjacent to it -- emissions reductions and even climate change reduction policies -- on their face will not run afoul at all of a ban on adopting a net zero policy."

The measure requires local governments to submit an affidavit annually to the state Department of Revenue verifying compliance. Gov. Ron DeSantis, a Republican, signed the measure on April 22, Earth Day, and the law will take effect July 1. It states that "net zero policies, carbon taxes and assessments, and emission trading programs are detrimental to this state's energy security and economic interests and inconsistent with the energy policy and the environmental policy of this state." [...] HB 1217 also prevents local governments from purchasing items such as vehicles or appliances based on the fuels they use or production of the items. Local governments may not participate in carbon-trading programs or use public funds to support other organizations with net-zero policies. Cities and counties also may not charge a tax or fee tied with carbon emissions.

"This bill is definitely part of a larger coordinated push by the political enablers of the fossil fuel industry to obstruct any tools -- legal or legislative tools -- to hold the industry accountable for its contributions to climate change," said Laura Peterson, senior analyst at the Union for Concerned Scientists, an advocacy group. "Florida is really on the front lines. So I imagine the governor is taking this step because he sees what's coming down the pike. It's not getting better. So I can only assume that this is an effort to satisfy some of the pressures that he's getting from donors and from his party to protect the industry. And he's doing it at the expense of his constituents."
Piracy

Amazon Blames Piracy Apps With Malware For Killing New Fire Stick Sideloading (arstechnica.com) 32

Amazon says it is ending sideloading on new Fire Sticks because "apps that facilitate piracy, and other apps, can carry malware," adding that there is "a good amount of evidence" that sideloaded apps may contain unwanted code or behavior. However, the company did not provide specific examples of Fire Stick users being harmed. Ars Technica reports: Amazon has released two Fire Stick models that use its proprietary, Linux-based operating system, Vega OS. Previous Fire Sticks ran Fire OS, which is an Android fork based on the Android Open Source Project. One of the biggest differences between Vega OS and Fire OS is that the former doesn't support sideloading. [...] In a recent interview, Or Goren, editor-in-chief of Cord Busters, a UK-based streaming news outlet, noted the negative reaction to Vega being a closed OS. [Aidan Marcuss, VP of Fire TV, advertising, and Appstore] responded, per the publication, by saying that Vega OS was Amazon's opportunity to "innovate and deliver more capabilities, even on the least expensive devices."

He also said that making a platform around security and privacy was "sort of utmost in my mind." The statement is somewhat ironic, considering Vega OS blocks custom launchers and other third-party apps that helped users avoid Amazon tracking and ads. Goren asked whether Amazon had evidence that sideloaded devices caused users harm. "Apps that facilitate piracy, and other apps, can carry malware," Marcuss responded. Marcuss also said that there is "a good amount of evidence that apps can carry unwanted code and behavior on them when they're sideloaded."

Marcuss didn't provide specific examples of Fire Stick users being hurt by sideloaded apps. There are some potential examples, though. In 2025, Amazon claimed to blacklist (which blocked the apps from being sideloaded to Fire Sticks) four video streaming apps for malicious behavior. At the time, AFTVnews reported that two of the apps served as residential proxy providers and were considered riskware, and that the other two had APK files that were flagged by virus-scanning tools. Safari and Chrome also flagged one of the apps' official websites, the publication reported. And in 2018, a botnet that infected Android devices with cryptocurrency-mining malware appeared on some Fire Sticks, per discussion on XDA Forums. That said, Amazon also has a history of disabling apps that let users circumnavigate its home screen that Fire devices, including Fire Sticks and Fire TVs, have increasingly used for ads.

Worth noting: developers can continue sideloading apps onto Vega OS devices if they register them with Amazon.
Government

California Bill To Preserve Online Games Fails Committee Vote (engadget.com) 19

California's Protect Our Games Act, which would require publishers to warn players before shutting down paid online games and offer refunds or continued access, failed to advance after a state Senate committee vote. Four state senators voted in favor, three voted against, and four abstained. Engadget reports: The committee unanimously voted in favor of granting the bill reconsideration, meaning it could come back before this group of state senators. Assemblymember Chris Ward introduced the bill in February and it passed the California State Assembly 43-16 in late May. That said, the abstentions prevented the bill's progression for now. "Not enough yeses means the bill stops here for this session," a volunteer with the Stop Killing Games campaign (which supported the bill) noted on Reddit. "That is the loss."

The volunteer also claimed this was the movement's first attempt to nudge such legislation through in the U.S., and that the bill got this far without paid staff or an in-person lobbying campaign. They said the Entertainment Software Association -- a trade organization of major game industry publishers -- brought in a lobbyist to halt the bill's progress (including by claiming private servers for the likes of Minecraft would be "illegal") and that Stop Killing Games would be more prepared to counter that in the future.

"Next session, we come back with an in-person lobbying presence, the funding to do this properly and a long list of organizations and developers signed on in support," the volunteer, u/Mr_Presidentle, wrote. "We are not limiting this to California. We intend to introduce versions of this in other state legislatures, and we are seriously looking at the federal level."

Security

Apple iPhone 18 Details Leaked In Tata Data Breach (yahoo.com) 13

"Another breach at Tata has leaked details about Apple's iPhone 18, along with documents belonging to several other Tata clients," writes longtime Slashdot reader Ritz_Just_Ritz. "It's becoming a recurring theme for the company." Reuters reports: Reuters has previously reported the Tata Electronics leak of more than 200,000 files on the dark web by World Leaks had files with purported component design papers of older iPhones and some parts of Tesla -- both Tata clients. They also included documents of Taiwan Semiconductor Manufacturing Co and Qualcomm, both of which make parts used in iPhones. New documents reviewed by Reuters show there are at least six files that map many components in the iPhone 18 Pro models to the specific company that supplies them. These include details of chips on its main circuit board and parts of the battery and cameras.

Apple considers this detail sensitive and is concerned about the documents being shared on the dark web as they relate to unreleased models, according to the person familiar with the matter. The data maps suppliers to iPhone parts, which Apple does not disclose in its public database of suppliers, the person added. In all, the documents detail hundreds of parts to be on the upcoming iPhone 18 Pro models. The records also show where Apple draws a part from several suppliers and where it relies on just a few, laying bare both its bargaining leverage and its vulnerabilities.

More broadly, the leak threatens Apple's trust in Tata just as Tata is becoming central to its effort to shift iPhone production away from China. With India expected to produce roughly a quarter of the world's iPhones in 2026, any deterioration in that relationship could complicate Apple's diversification strategy and force tighter security controls across its suppliers.
