The Courts

Supreme Court Allows Texas To Require Age Verification For Mobile Apps (cnn.com) 12

The Supreme Court allowed Texas to enforce a law requiring app stores to verify users' ages and obtain parental consent before minors can download apps. Tech industry groups argue the law broadly restricts young people's access to digital speech, but the court let a 5th Circuit order stand without explanation or noted dissents. CNN notes that the Supreme Court's decision "doesn't resolve the case but rather will allow Texas to enforce the law while the litigation continues to play out." From the report: "A minor child who downloads a software application from an app store agrees to contractual terms of service, including whether the child's location will be tracked, whether the child's privacy will be protected, whether information from the child's phone can be sold by the developer, and whether the child waives the right to sue," Texas told the Supreme Court in urging the court to allow its law to take effect.

But the Computer & Communications Industry Association, a trade group whose members include Apple and Google, said the law would effectively bar young people from accessing a wide range of content, "be it a book by Ernest Hemingway or J.K. Rowling, a Taylor Swift album, or a subscription to National Geographic." Allowing the law to take effect, the group said, would have "profound consequences for the protection of digital speech."

[...] In the new case, involving Texas' age verification for apps, a federal district court blocked the law's enforcement in December -- days before it was set to take effect. But a three-judge panel of the conservative 5th US Circuit Court of Appeals put that decision on hold in early June, allowing the state to enforce it. By declining to take up the emergency appeal from the computer and student groups, the Supreme Court has left the 5th Circuit's decision in place.

Unix

Zombie 'Who Owns Unix?' Lawsuit Comes Alive Again (theregister.com) 41

The long-running SCO/IBM Unix and Linux ownership dispute has resurfaced yet again, this time through SCO successor Xinuos, which is trying to pursue old license and copyright claims tied to Project Monterey. "The core issue seems to be whether Xinuos even has the right to litigate the matter, or if some ancient legalese in the original agreements means the window for legal argument has long since expired," reports The Register. From the report: [T]he roots of the case are the 1998 alliance between IBM and a company called the Santa Cruz Operation which sold a version of UNIX for x86 CPUs. Those two companies, plus Intel and Sequent, created "Project Monterey" -- an effort to create a unified version of UNIX that could run on multiple processors. By 2001, Project Monterey was close to delivering a unified UNIX, an achievement made possible by blending code from IBM and SCO.

By then, a little project called "Linux" already ran on multiple processors. Big Blue decided Linux was the future and bailed from Project Monterey -- then allegedly contributed some Monterey code to the open-source project and to its own AIX and Z operating systems. SCO felt it owned some of that code, so sued IBM.

SCO and its successors struggled to survive, but interested parties kept the lawsuit alive because the chance to emerge as owner of parts of the Linux codebase, and IBM's code, had the potential to turn into a colossal payday. The case and its successors ended in 2021, with a settlement that saw litigants agree to end the matter without IBM admitting fault. But by then, SCO had sold its software to a biz called Xinuos that decided to fight on.

The Xinuos case has burbled along quietly since, and on June 22nd reached the milestone of a hearing. The matter has become a little more modern, if only because this hearing was held online and the presiding judge appeared to unwittingly be on mute at one point. But the arguments otherwise seemed to revisit Project Monterey, debated the relevance of past litigation, contested who owned what, when they owned it, and how they could prove it. Xinuos argued IBM never had a license for SCO code. Big Blue argued that it did nothing wrong.

Privacy

Secret Claude Tracker Shocks Users After Anthropic's Anti-Surveillance Stance (arstechnica.com) 22

An anonymous reader quotes a report from Ars Technica: Anthropic quickly removed a tracker secretly monitoring Claude Code users in China after a security researcher exposed the hidden code and condemned the spyware-like tracking as a "serious breach of user trust." Last week, a web developer known as "Thereallo" was researching privacy issues in Claude Code and was shocked to find that the AI firm was using "prompt steganography" to hide code that tracks Chinese users "in plain sight." This code wasn't malicious, but it was sending information to Anthropic that most users wouldn't detect, relying on shorthand markers to quietly flag users' timezone, proxy, and potential connection to Chinese AI labs that Anthropic has accused of distillation attacks.

On X, Anthropic engineer Thariq Shihipar confirmed that the tracker was added to Claude Code as an "experiment" in March. According to Shihipar, the code "was meant to prevent account abuse from unauthorized resellers and protect against distillation." Regarding the former, The Washington Post found unauthorized retailers have sold access to free models for $1 a month, and pro subscriptions that can cost $100 monthly sell for "as little as $12." Supposedly, Anthropic has "actually been meaning to take this down for a while," Shihipar said of the hidden code, because engineers have "landed stronger mitigations since then."

Privacy advocates were not happy with the explanation, though, warning that the code is evidence that Anthropic is willing to cross lines to surveil users. That's perhaps especially surprising, considering that Anthropic riled the Trump administration by refusing to allow the US government to use Claude to surveil US users. The AI firm has since sued the White House over the clash. The Post suggested that the tracker incident is a sign that US firms like Anthropic are taking "increasingly aggressive measures" to block Chinese AI firms from copying their models. A more defensive stance has apparently become critical. In the past year, Chinese firms have "consistently matched" US firms' model capabilities "within months," the Post reported. Most recently, "a new, free AI model from Chinese company Zhipu AI was better at finding computer vulnerabilities than Anthropic's Claude Opus 4.8 model, which was released in May," the Post reported.

Crime

How Tech Scammers Conned Four People Out of $673,000 in Three Days (peninsuladailynews.com) 48

USA Today reports on a Facebook post from a Washington state sheriff's office: Four residents of Clallam County, a coastal region west of Seattle along northern Washington's peninsula, lost more than $673,000 in just three days, according to the Clallam County Sheriff's Office... The smallest amount lost was $3,500, which someone purchased in Apple gift cards for a scammer posing as an employee with Microsoft technical support, the sheriff's office wrote. Another person lost $50,000 after they clicked on a malicious email and unwittingly granted the scammers access to their financial accounts.
The local Peninsula Daily News reports another scam involved a 64-year-old resident who attempted to contact Coinbase after seeing their account displayed shown as closed: "Believing they were speaking with a legitimate Coinbase representative, the victim was told there was fraudulent activity on the account and was instructed to download a 'rescue' application," the [sheriff's] release states. "The application allowed the scammer to remotely access the victim's phone." They then convinced the victim to transfer approximately $200,000 worth of cryptocurrency to what was described as a secure wallet. The funds were instead transferred to the scammer and could not be recovered...

In one scam, reported Monday, an 84-year-old Clallam County resident believed they had received an email from their daughter with a photo. After opening the email, a fake Microsoft security alert appeared on the computer directing the victim to call a support number, according to the release. "The victim was transferred to someone claiming to represent the Federal Trade Commission (FTC) and was falsely told they were under investigation in a child pornography and money laundering case," the release states. "The scammers instructed the victim not to contact local law enforcement and claimed local banks were also under investigation. The victim was told their bank accounts were in danger of being seized and was instructed to purchase gold to protect their assets." In three separate transactions, the victim purchased approximately $420,000 worth of gold and gave it to an unknown man waiting at the end of their driveway.

"Only after speaking with bank officials did the victim realize they had been defrauded," the release states.

USA Today offers this advice from the sheriff's press release. "These criminals are professional manipulators who prey on fear, trust and urgency. We encourage everyone to pause before sending money, purchasing gold or gift cards, or transferring cryptocurrency. A simple phone call to a trusted family member, your bank or local law enforcement can prevent a life-changing financial loss."
Crime

Hundreds Support Legal Defense for Engineer Charged with Destroying Flock Surveillance Cameras (futurism.com) 96

"Hundreds of freedom lovers are rallying behind a US Air Force engineer" who's been accused of damaging over a dozen AI-integrated surveillance cameras last year and even knocking down their poles. Long-time Slashdot reader schwit1 shares this article from Futurism: According to local channel WAVY, Virginia-based Air Force engineer and mechanic Jeffrey Sovern is facing 13 counts of destruction of property, as well as six counts of both petit larceny and possession of burglary tools related to the destruction of Flock license plate cameras... [Wavy reports the cameras were sometimes pointed in the wrong direction or thrown to the street.]

Armed with garbage bags, spray paint, and even chainsaws, a not insignificant number of privacy vigilantes have taken the fight to Flock, using any means to free their neighborhoods of the ominous surveillance poles. On a GoFundMe page to raise money for his legal defense, the 41-year-old Sovern explained that this kind of privacy-minded vandalism has far more support than would outwardly appear...

Sovern kicked off the campaign late in December of 2025, where he encouraged his supporters to "reach out to the local governments and demand that these systems are taken down." The Virginia resident initially set his funding goal to $8,500. As news of his case has spread across the web, the amount of support has far outpaced those already-hopeful aspirations. [Two hours ago the legal fund stood at $23,326 from over 680 donors].

Crime

Windows 11 Identifier Code Used to Arrest 19-Year-Old Over Alleged Ransomware Spree (tomshardware.com) 69

America's Justice Department and FBI teamed joined Finland's National Bureau of Investigation to arrest a teenager they say is part of one of the world's biggest cybercrime syndicates, reports Tom's Hardware. The "Scattered Spider" syndicate has extorted over $100 million in ransom payments, according to Department of Justice figures: 19-year-old Peter Stokes is a dual U.S.-Estonian citizen who was trying to board a flight to Japan from Helsinki, when law enforcement caught up with him. [T]he main criminal complaint against Stokes stems from a May 2025 attack on a luxury jewelry dealer based in the United States. The attackers apparently called the company's IT helpdesk using Google Voice, posing as employees. They were able to convince the help desk into resetting their credentials, which allowed them to infiltrate three accounts, two of which had admin privileges. From there, the group, allegedly including Stokes, stole important data and held the jeweler at ransom, demanding an $8 million payment in crypto. The company ultimately regained access to their infrastructure and avoided paying the ransom, but the operational disruption still caused a purported $2 million in losses. This served as the spark that led to Stokes' eventual arrest in Helsinki, as the prosecutors slowly followed the paper and digital trail laid by the attackers.

Microsoft played a key role in the process by providing GDID [Global Device Identifier] data to the FBI to help them apprehend the alleged criminal... [I]t's a unique identifier assigned to every Windows install that tracks device-specific telemetry. It's the reason why sometimes changing a major component in your PC can revoke your Windows license... [T]he court documents from the case reveal that Stokes used Windows, from which investigators were able to link his physical hardware to specific internet activity and locations... Stokes' web activity, videogame history, IP addresses, tool usage (including Ngrok), Azure status, and more were logged with timestamps, and were provided to the investigators by Microsoft...

Stokes was carrying two hard drives full of incriminating evidence with him when boarding his flight to Japan... His real identity has actually been known since 2024, but since he was a minor living across Estonia and the UAE at the time, he could only be monitored until the time was right.

The official criminal complaint even includes a selfie photo that Stokes posted on Snapchat (hiding his face behind dozens of hundred dollar bills). It then notes that behind Stokes the wallpaper, carpet, and furniture match New York's Empire Hotel — and that Stokes had visited the hotel's web site in Germany before then flying to New York...

"Following the arrest, Stokes was extradited to the U.S., where he appeared in front of a federal court in Chicago for the first time on June 30, 2026, and he remains in custody," adds Tom's Hardware.

"The accused is now awaiting trial, having been charged with conspiracy, cyber intrusion, and fraud..."
The Internet

GoDaddy Warns India's Crackdown on Fake Site Registrars Could Upend Internet Privacy Everywhere (reuters.com) 19

"The internet is filled with fakes," writes Gizmodo. "A court in India is setting out to address the problem by requiring more transparency from domain registrars to make it easier to crack down on fraud. And while the intentions might be good, Reuters is reporting that major American domain registrar GoDaddy is sounding the warning bells that the court's decision could fundamentally reshape the internet well beyond India's borders."

GoDaddy argues the move would even make the internet less safe, reports Reuters : [Online fraud] is a key challenge for Prime Minister Narendra Modi's government, which last year received 2.4 million complaints of alleged cyber fraud amounting to $2.4 billion. Starting in 2019, lawsuits were brought by dozens of Indian and global firms — Amazon against fake shopping sites trading on its name and McDonald's complaining against bogus sites offering franchises. [More than 20 companies filed a complaint, the article notes, including Microsoft.] In December, an Indian court blocked more than 1,100 such websites. The New Delhi judge however went further, ordering sweeping new measures that tech experts say have rewritten rules of internet governance: Domain sellers should not offer buyers free privacy protection by default, the buyer's details should be released to anyone with a "legitimate interest" within 72 hours, and website addresses that are variations of protected brand names must be prohibited.

U.S.-based GoDaddy has challenged the directives before a larger bench of judges at the Delhi High Court, according to a Reuters review of non-public filings. It says the ruling will affect legitimate businesses that have names similar to big brands. Stopping privacy-by-default features, GoDaddy said, will result in public disclosure of name, address, telephone and email of legitimate website owners, exposing them to "foreseeable privacy and security risks" such as stalking and harassment.

As domain names operate globally, not locally, the order could force GoDaddy to regulate website addresses across the world, it said. On the court's order imposing a 72-hour deadline on companies to provide registration details to anyone with "legitimate interest", GoDaddy argues it has no wherewithal to assess who has legitimate interest or not. The "commercially destabilising" directives may force domain name companies to "exit India", said one of GoDaddy's appeal documents that ran into 5,121 pages... GoDaddy rivals, Arizona-based Namecheap and Netherlands-based Hosting Concepts, have also challenged the New Delhi ruling, court records show, although Reuters could not ascertain details of their appeals...

GoDaddy argues that diluting the privacy feature will run contrary to India's data protection law and the European Union GDPR law which mandates a "privacy by default" approach. Farzaneh Badii, a New York-based researcher on internet governance, criticised the New Delhi ruling, noting that Europe redacted such details because publishing them had been abused by harassment and targeted phishing. "The people exposed will be journalists, activists, small business owners, and private individuals. The brand impersonators will not," she said...

While the sweeping December directives were issued by a court, they followed government's submissions, documents showed... The judges will hear the appeals on July 16.

GoDaddy manages 80 million domains and serves over 20 million users, the article points out, with annual revenue over $5 billion.
Government

Are Wars Blurring Lines Between Corporate and National Security? (msn.com) 44

Subsea cables. Ukrainian power stations. Russian oil refineries. Even airports, water-desalination plants and Amazon data centers.

They've all become targets in wartime, notes the Wall Street Journal, and around the world now arguments "are already brewing between companies and governments over new regulations and potential costs." In Germany, powerful associations representing private companies and municipal utilities have pushed back against new standards for physical protection, warning they could spell financial ruin. New Zealand's government has faced resistance from industry groups over a proposal to fine critical-infrastructure companies and their directors for cybersecurity breaches... A sign of how lines are blurring: The North Atlantic Treaty Organization's 32 countries last year agreed that as part of a pact to spend 5% of economic output on defense and security, 1.5% would go to military-adjacent needs including protecting critical infrastructure and networks. Spending targets range from cybersecurity and industrial capacity to railroads, bridges and ports needed for military logistics... "We need a wide concept of defense — defense is no longer just military," said Italian Adm. Giuseppe Cavo Dragone, NATO's top military adviser.

Adding to the complexity, companies now need to protect the data networks that serve as gateways to critical infrastructure. Hackers increasingly target not just computer files to steal information but also systems managing vital functions like building access and factory control, remotely causing physical damage or enabling espionage. U.S. authorities in April warned that Iranian hackers were trying to disrupt American drinking-water systems by targeting computer equipment that connects hardware with software. A year earlier, suspected Russian hackers remotely manipulated valves on a Norwegian hydroelectric dam...

Another challenge will be parsing jurisdictions and liability for assets that cross international waters or are damaged in combat — such as subsea data cables or energy pipelines. Turf battles between law enforcement and militaries are already complicating efforts... "The private owner can invest in redundancy, monitoring, and repair capacity, but only governments and militaries can really deter, patrol, attribute, or respond to hostile state activity," said Marc Glasser, who worked on cybersecurity and infrastructure security for three decades at the U.S. Department of Transportation and the Department of Homeland Security.... Companies say they need greater clarity from governments on what protections they will provide and subsidies to help them defend privately owned assets that provide a public good. Most governments don't provide incentives for companies to invest more than the minimum legal resilience requirements.

The article notes that in May the chief executive of California's Port of Long Beach "launched a cyber-defense operations center to thwart tens of thousands of cyberattacks daily, which jeopardize computer systems and all equipment connected to them."

The article also points out that the EU adopted new regulations requiring countries to reduce vulnerabilities, and new laws proposed in the U.K. now "seek to increase penalties for subsea sabotage, updating codes that date to when telegraph cables were first laid in the 19th century."
Microsoft

Did Microsoft Shift Its Profits to Low-Tax Countries? (nytimes.com) 81

Microsoft is apparently shifting its profits to countries with low taxes — and out of countries where they have many more employees and significant sales. Back in 2005 Former Microsoft CEO Steve Ballmer even said that a low corporate tax rate "is part of the overall advantage of doing business in Ireland," remembers long-time Slashdot reader theodp. (Ballmer added "It would be disingenuous to say otherwise.")

But in 2026 the EU now requires a country-by-country compliance report, and the New York Times notes that Microsoft "was most likely the first major U.S. technology company to make a so-called country by country report of its finances to comply..." Like other big companies, Microsoft uses transactions between subsidiaries to shift profits around to reduce its tax bill. The report revealed a consistent pattern: high returns in low-tax jurisdictions and slim margins in higher-tax ones. The report showed the sometimes absurd results. Microsoft said it had generated almost 40 percent of its pretax income in tax-friendly Ireland, where it employed about 3 percent of its global work force. In higher-tax Germany, the largest economy in Europe, Microsoft earned barely half of 1 percent of its global profits, it said.

Excluding Ireland, the company said, it generated less than 2 percent of its worldwide pretax earnings in Europe... [In Luxembourg Microsoft said it had $283 million in pretax income with only 34 employees.]

[America's] Internal Revenue Service is challenging profit-shifting transactions used by Microsoft, and is seeking back taxes of nearly $29 billion4. The company has said it disagrees with the I.R.S. and said in a securities filing that it "will vigorously contest" the proposed tax bills.

This week a Microsoft blog post offered their own "context," arguing that tax is "one important measure of contribution, but it is not the only one.

"Our investments, partnerships, infrastructure, and long-term presence in countries around the world also reflect a commitment to helping strengthen the economies and communities where we operate, today and for the future."
Piracy

Video Game History Foundation Says Piracy Remains the Only Viable Preservation Method (techspot.com) 92

An anonymous reader quotes a report from TechSpot: Video Game History Foundation founder Frank Cifaldi recently supported claims that piracy is the only effective way to preserve video games. The comments lay the blame squarely on game companies' refusal to keep legacy content available or allow archivists to build legal repositories. Sony's announcement that all PlayStation games will be digital-only from 2028 onward has sparked concern that titles will become harder to preserve and more easily vanish, since the company's servers will become the sole point of distribution. In an official statement, Cifaldi noted that the end of physical PlayStation games has surprisingly little impact on the Foundation's efforts because the majority of games from the last two decades are already digital-only.

According to the Foundation, most games nowadays are not released for consoles, let alone on physical discs. Furthermore, many discs for major titles require downloading updates before they are playable, although the DoesItPlay database reveals that, even today, most are playable offline out of the box. Cifaldi claimed that the true reason piracy remains the best option for preservation is that the Entertainment Software Association, which lobbies for game publishers, has closed off other routes. For example, in 2018, the Association opposed efforts to grant copyright exemptions for museums, libraries, and archives to retain copies of abandoned online games for research.

This is the same organization that recently helped defeat a proposed California bill to preserve premium-priced online-only games by falsely claiming that community servers are illegal. The Foundation accused the ESA of repeatedly blocking attempts by cultural heritage institutions to reform DRM legislation. Cifaldi also described the Library of Congress' outdated software preservation process, which currently only requires tiny snippets of source code. For example, Capcom once asked the Foundation to provide the LoC with "the first and last ten pages of code" for a Mega Man game. Unable to discern where digital records began and ended, the group simply chose random segments. Platform holders' habit of closing online storefronts and removing media from users' accounts is also unhelpful.
"What continues to baffle us is what the industry expects institutions like ours to do about it," the Video Game History Foundation said. "If platform owners are deciding to eliminate physical media and older digital storefronts, then we'd also like to see trade groups like the Entertainment Software Association offer meaningful solutions for archives and museums to legally preserve digital-only content and make it accessible for research.
Security

AI Agent Executes 'First' End-To-End Ransomware Attack 33

Sysdig says it has documented the first ransomware attack carried out end to end by an AI agent, which autonomously exploited exposed systems, stole credentials, established persistence, compromised a production database, and destroyed data. The research team named the attacker "JadePuffer" and said it gained initial access to an internet-facing Langflow instance by exploiting CVE-2025-3248. "The most striking characteristic, however, was the LLM's behavior," Sysdig director of threat research Michael Clark said in a blog post. An anonymous reader quotes an excerpt from The Register: JadePuffer's "self-narrating" payloads "contained natural language reasoning, target prioritization, and the kind of detailed annotations that human operators don't often write but LLM-generated code produces reflexively," Clark added. "The operation also adapted in real time, retrying failed steps within refined parameters. In one sequence, it went from a failed login to a working fix in 31 seconds." After exploiting CVE-2025-3248, a missing authentication vulnerability in Langflow that allows remote, unauthenticated attackers to execute arbitrary Python on the host, the AI agent began scanning for and collecting secrets, including LLM provider API keys, cloud credentials "with explicit coverage of Chinese providers" including Alibaba, Aliyun, Tencent, and Huawei, while also scanning for AWS, Azure and Google Cloud Platform, cryptocurrency wallets, and database credentials.

The AI also installed a crontab entry on the Langflow server to maintain persistence and call back to the attacker's infrastructure every 30 minutes. JadePuffer's intended target was a separate internet-exposed production server running a MySQL database and an Alibaba Nacos configuration service, we're told. Nacos is an open-source service-discovery and dynamic configuration platform developed by Alibaba and used in the cloud provider's microservices applications. The agent connected to the server's exposed MySQL port using root credentials, although Sysdig doesn't know how the attacker obtained them. These credentials weren't stolen from the victim's environment.

JadePuffer then attacked Nacos via multiple vectors including an authorization bypass flaw (CVE-2021-29441) and forging a valid JSON web token (JWT) using Nacos's default signing key. Additionally, using its root database access, the LLM injected a backdoor administrator into the Nacos backing database. It ultimately encrypted all 1,342 Nacos service configuration items using MySQL's built-in AES encryption function, and created an extortion demand, ransom note, Bitcoin payment address, and a Proton Mail contact [...]. However, according to the threat hunters, the victim can't recover the encrypted data, even if they paid the ransom demand, because the agent escalated "from row-level deletion to dropping entire database schemas, narrating its own targeting rationale," without backing up any of the encrypted data.
AI

OpenAI 'In Early Talks To Give 5% Stake To US Government' 113

OpenAI is reportedly in early talks to give the U.S. government a 5% stake, potentially alongside similar contributions from other major AI companies. "Such a deal would help improve the industry's relations with the Trump administration and could help garner political support by sharing wealth generated by the AI boom with the public," reports The Guardian. From the report: [OpenAI CEO Sam Altman] and other OpenAI bosses have suggested that each of the biggest AI developers in the US should give 5% to their equity to an investment vehicle such as the Alaska Permanent Fund, a sovereign fund that invests US oil wealth into stocks and pays dividends to the state, the FT reported.

The talks are "conceptual" and in early stages, it said, and any deal could require an act of Congress to implement. Both OpenAI and Anthropic have previously suggested in policy papers that a public or sovereign wealth fund may be required in the future to distribute shares to the public. In April, OpenAI said that a "public wealth fund" could provide "every citizen -- including those not invested in financial markets -- with a stake in AI-driven economic growth."
Further reading: Bernie Sanders Unveils $7 Trillion Plan To Give Americans Control of AI Industry
Privacy

WhatsApp Usernames Are Already Raising Impersonation Red Flags (techcrunch.com) 30

An anonymous reader quotes a report from TechCrunch: WhatsApp this week started rolling out username reservations ahead of the broader launch planned later this year. The feature -- which lets people find and message each other by handle instead of phone number -- is already raising impersonation concerns, drawing scrutiny from security experts and regulators in India, the app's largest market, with more than 500 million users. The rollout marks a shift in how people identify one another on WhatsApp. Instead of relying on phone numbers as the primary identifier, users will increasingly interact through platform-managed usernames, a change that Meta says improves privacy but that critics argue could create new opportunities for impersonation.

[...] Asked about how it protects against impersonation, Meta told TechCrunch it reserves usernames for public figures, government entities, and "some variations" of those names so only the legitimate owner can claim them. The company did not explain, however, how it decides which lookalike usernames get proactively reserved and which don't. The concerns have already reached regulators in India, where cyber fraud schemes frequently exploit messaging platforms to impersonate police, banks, and government officials. [...] Rachel Tobac, chief executive of SocialProof Security, called usernames a net privacy gain because they reduce the need to share phone numbers, which can expose users to SIM-swap attacks, phishing, and account takeovers. Still, she said, lookalike usernames still create opportunities for impersonation. "Ultimately, usernames are a great idea to avoid leaking your phone number to folks you don't know, but it's important to verify identity with the username function too," Tobac told TechCrunch. Her advice for most users: Pick a username that isn't easily guessable, so it's harder for attackers to find you, message you cold, or harass and spam you.

[...] The Mozilla Foundation said the introduction of usernames is likely to bring new tradeoffs. "Increased scams and impersonation from fake handles are potentially a big one," it told TechCrunch. "Checking a phone number can be a useful verification tool, but these harms are also permitted by the platform's fundamental design choices." Mozilla also flagged a broader interoperability question -- one worth logging if you're building on top of, or competing with, Meta's ecosystem. While letting users claim their existing Facebook and Instagram usernames may cut down on impersonation, it also shows how easily Meta can stitch identity together across its own apps, even as users still can't take that identity, or their contacts, to a rival platform. For now, WhatsApp says it is taking a gradual approach to the rollout. "We're taking our time and listening to feedback so that when it rolls out later this year we get it right," the company said in its FAQ.

The Courts

T-Mobile Appears To Be Quitting VMware Amid Support Rights Lawsuit With Broadcom (theregister.com) 56

T-Mobile appears to be migrating its 303,000-core VMware environment to another platform while fighting Broadcom in court for the extended support it says its perpetual-license agreement guarantees. "The matter is somewhat urgent," The Register reports, because a court-ordered support arrangement expires August 3, "so T-Mobile may soon be unable to get support for its very substantial VMware estate." The Register reports: The dispute relates to a deal T-Mobile struck with VMware in August 2023, which saw the telco acquire perpetual licenses and two years of support for some software, plus the option for a further year of support. When Broadcom acquired VMware in 2023, it stopped selling perpetual licenses and standalone support deals for customers with those licenses. Broadcom also reduced the virtualization giant's product range from over 150 products to two subscription-only bundles. Broadcom now mostly sells its Cloud Foundation (VCF) private cloud suite. Customers including AT&T and Tesco tried to exercise their right to extended support, but Broadcom declined to do so. AT&T settled on confidential terms. Tesco is pursuing the matter in the courts.

When customers exercise their option for extended support, Broadcom argues it can't deliver because the products covered by the contract don't exist anymore, its contracts allow it to deny support for dead products, and subscriptions are now the industry standard. T-Mobile started using VMware's products in 2008. In one hearing, the carrier's counsel described T-Mobile's VMware implementation as "the base of the entire internal network" and "the place where 1,000 applications reside." Another filing, from Broadcom, says the telco runs VMware software on over 303,000 CPU cores.

Court documents allege that in 2024 Broadcom notified T-Mobile it would not renew support after the initial two-year deal expired in 2025. The two parties kept talking about possible new arrangements. T-Mobile also sought an injunction that would compel Broadcom to provide extended support. Broadcom opposed the injunction, arguing that T-Mobile deliberately waited too long to seek it. At one point T-Mobile suggested a $20 million deal for another two years of support. An affirmation filed last week by T-Mobile vice president of technology Kevin Luu says the carrier sought that arrangement "to be able to complete T-Mobile's transition away from VMware at a more deliberate pace."

The court eventually granted the injunction forcing Broadcom to offer support beyond August 2025, but required T-Mobile to pay $5.28 million and post a $500,000 undertaking. Broadcom continued to provide support but also sought damages on grounds that the injunction meant it missed out on a new deal with T-Mobile. The telco has rubbished that argument in part because the two parties were still talking about a new deal. Broadcom later proposed to charge $24 million for extended support covering six products, a sum it said would cover over 20 staff needed to support T-Mobile. The carrier fired back by pointing out that it has made just two support calls in 2026, which hardly justifies such a massive staff and expense.

The Courts

Meta Loses Bid To Dismiss US States' Claims That Facebook, Instagram Addict Children (reuters.com) 29

A federal judge rejected Meta's bid to dismiss claims from 29 state attorneys general alleging that Facebook and Instagram were designed to addict children while concealing the harms. The judge found significant factual disputes that must be decided at trial. They also ruled that Meta failed to comply with federal parental notice and consent requirements for children under 13, "and granted summary judgement to the states on that issue," reports Reuters. From the report: In a separate statement, California Attorney General Rob Bonta called the decision a "critical win" in holding Meta accountable for fueling a mental health crisis among American children. Gonzalez Rogers also oversees related multidistrict litigation by more than 2,600 individuals, school districts and local governments over whether social media platforms such as Facebook, Instagram, Google and YouTube, Snapchat and TikTok addict children.

The states said research has shown that children's use of Facebook and Instagram could lead to depression, anxiety, insomnia, interference with education and daily life, and self-harm including suicide. Meta countered that the attorneys general had no evidence it misled consumers about its platforms' alleged addictiveness, including in congressional testimony by Chief Executive Mark Zuckerberg. The Menlo Park, California-based company said this was because "social media addiction" is not an established psychiatric condition, and therefore statements that its platforms are not addictive could not be false. Meta also said it didn't violate the children's online privacy law because it directed Facebook and Instagram to a general audience, not just children under age 13.

In a 38-page decision, Gonzalez Rogers found material factual disputes over whether Meta's social media platforms are addictive, whether Meta falsely denied it designed them that way, and whether it "partially" directed the platforms at children. "The AGs present a reasonable interpretation of [Meta's] statements that Facebook and Instagram are not designed in ways that cause teens to compulsively use the platforms to their detriment," the judge wrote. "To the extent plaintiffs' evidence shows that the platforms are in fact designed to do just that, a jury could reasonably find the statements were untrue to a reasonable person," she added. A trial over California, Colorado, Kentucky and New Jersey's claims against Meta is scheduled for August 18, court records show.
Further reading: Will Social Media Change After YouTube and Meta's Court Defeat?

Slashdot Top Deals