Google is reintroducing "digital fingerprinting" in five weeks, reports Mashable, describing it as "a data collection process that ingests all of your online signals (from IP address to complex browser information) and pinpoints unique users or devices." Or, to put it another way, Google "is tracking your online behavior in the name of advertising."

The UK's Information Commissioner's Office called Google's decision "irresponsible": it is likely to reduce people's choice and control over how their information is collected. The change to Google's policy means that fingerprinting could now replace the functions of third-party cookies... Google itself has previously said that fingerprinting does not meet users' expectations for privacy, as users cannot easily consent to it as they would cookies. This in turn means they cannot control how their information is collected. To quote Google's own position on fingerprinting from 2019: "We think this subverts user choice and is wrong...." When the new policy comes into force on 16 February 2025, organisations using Google's advertising technology will be able to deploy fingerprinting without being in breach of Google's own policies. Given Google's position and scale in the online advertising ecosystem, this is significant.
Their post ends with a warning that those hoping to use fingerprinting for advertising "will need to demonstrate how they are complying with the requirements of data protection law. These include providing users with transparency, securing freely-given consent, ensuring fair processing and upholding information rights such as the right to erasure."

But security and privacy researcher Lukasz Olejnik asks if Google's move is the biggest privacy erosion in 10 years.... Could this mark the end of nearly a decade of progress in internet and web privacy? It would be unfortunate if the newly developing AI economy started from a decrease of privacy and data protection standards. Some analysts or observers might then be inclined to wonder whether this approach to privacy online might signal similar attitudes in other future Google products, like AI... The shift is rather drastic. Where clear restrictions once existed, the new policy removes the prohibition (so allows such uses) and now only requires disclosure... [I]f the ICO's claims about Google sharing IP addresses within the adtech ecosystem are accurate, this represents a significant policy shift with critical implications for privacy, trust, and the integrity of previously proposed Privacy Sandbox initiatives.
Their post includes a disturbing thought. "Reversing the stance on fingerprinting could open the door to further data collection, including to crafting dynamic, generative AI-powered ads tailored with huge precision. Indeed, such applications would require new data..."

Thanks to long-time Slashdot reader sinij for sharing the news.

As the ecological disaster continues, CNN reports the Palisades Fire near Malibu, California has burned at least 22,660 acres, left 100,000 peope under evacuation orders, left at least 11 people dead and "destroyed thousands of homes and other structures." From the last reports it was only 11% contained, and "flames are now spreading east in the Mandeville Canyon area, approaching Interstate 405, one of LA's busiest freeways."

But the Atlantic's assistant editor wrote Friday that "I have received 11 alerts. As far as I can tell, they were all sent in error." My home is not in a mandatory evacuation zone or even a warning zone. It is, or is supposed to be, safe. Yet my family's phones keep blaring with evacuation notices, as they move in and out of service....

Earlier today, Kevin McGowan, the director of Los Angeles County's emergency-management office, acknowledged at a press conference that officials knew alerts like these had gone out, acknowledged some of them were wrong, and still had no idea why, or how to keep it from happening again. The office did not immediately respond to a request for comment, but shortly after this article was published, the office released a statement offering a preliminary assessment that the false alerts were sent "due to issues with telecommunications systems, likely due to the fires' impacts on cellular towers" and announcing that the county's emergency notifications would switch to being managed through California's state alert system...

The fifth, sixth, and seventh evacuation warnings came through at around 6 a.m. — on my phone.
At the same time a Los Angeles-area couple "spent two hours watching a live stream of flames closing in on their home," reports the Washington Post, and at one point "saw firefighters come through the house and extinguish flames in the backyard." At around 4:30 p.m. Eastern time on Tuesday, the camera feeds gave out and the updates from their security system stopped. About four hours later, [Zibby] Owens's husband got an alert on his cellphone that the indoor sprinkler system had gone off and the fire alarm had been activated. They do not know the current status of their home, Owens said on Tuesday.

Real estate agent Shana Tavangarian Soboroff said in a phone interview Thursday that one set of clients had followed their Pacific Palisades home's ordeal this week in a foreboding play-by-play of text alerts from an ADT security system. The system first detected smoke, then motion, next that doors had been opened, and finally fire alerts before the system lost communication. Their home's destruction was later confirmed when someone returned to the neighborhood and recorded video, Tavangarian Soboroff said.
Soboroff also lost her home in the fire, the article adds. Burned to the ground are "the places where people raised their kids," Zibby Owens wrote in this update posted Friday. But "even if my one home, or 'structure' as newscasters call it, happens to be mostly OK, I've still lost something I loved more than anything. We've all lost it... [M]y heart and soul are aching across the country as I sit alone in my office and try to make sense of the devastation." [I]t isn't about our house.

It's about our life.

Our feelings. Our community. Our memories. Our beloved stores, restaurants, streets, sidewalks, neighbors. It's about the homes where we sat at friends' kitchen tables and played Uno, celebrated their birthdays, and truly connected.

It's all gone... [E]very single person I know and so many I don't who live in the Palisades have lost everything. Not just one or two friends. Everyone.

And then I saw video footage of our beloved village. The yogurt shop and Beach Street? Gone. Paliskates, our kids' favorite store? Gone. Burned to the ground.

Gelson's grocery store, where we just recently picked up the New York Post and groceries for the break? Gone...

The. Whole. Town.

How? How is it possible?

How could everyone have lost everything? Schools, homes, power, cell service, cars, everything. All their belongings...

All the schools, gone. It's unthinkable....

I've worked in the local library and watched the July 4 parade from streets that are now smoldering embers...

It is an unspeakable loss.
"Everyone I know in the Palisades has lost all of their possessions," the author writes, publishing what appear to be text messages from friends.

"It's gone."
"We lost everything."
"Nothing left."
"We lost it."

While CES wraps up this week, "Not all innovation is good innovation," warns Elizabeth Chamberlain, iFixit's Director of Sustainability (heading their Right to Repair advocacy team). So this year the group held its fourth annual "anti-awards ceremony" to call out CES's "least repairable, least private, and least sustainable products..." (iFixit co-founder Kyle Wiens mocked a $2,200 "smart ring" with a battery that only lasts for 500 charges. "Wanna open it up and change the battery? Well you can't! Trying to open it will completely destroy this device...") There's also a category for the worst in security — plus a special award titled "Who asked for this?" — and then a final inglorious prize declaring "the Overall Worst in Show..."

Thursday their "panel of dystopia experts" livestreamed to iFixit's feed of over 1 million subscribers on YouTube, with the video's description warning about manufacturers "hoping to convince us that they have invented the future. But will their vision make our lives better, or lead humanity down a dark and twisted path?" The video "is a fun and rollicking romp that tries to forestall a future clogged with power-hungry AI and data-collecting sensors," writes The New Stack — though noting one final irony.

"While the ceremony criticized these products, YouTube was displaying ads for them..."

UPDATE: Slashdot reached out to iFixit co-founder Kyle Wiens, who says this teaches us all a lesson. "The gadget industry is insidious and has their tentacles everywhere."

"Of course they injected ads into our video. The beast can't stop feeding, and will keep growing until we knife it in the heart."

Long-time Slashdot reader destinyland summarizes the article: "We're seeing more and more of these things that have basically surveillance technology built into them," iFixit's Chamberlain told The Associated Press... Proving this point was EFF executive director Cindy Cohn, who gave a truly impassioned takedown for "smart" infant products that "end up traumatizing new parents with false reports that their baby has stopped breathing." But worst for privacy was the $1,200 "Revol" baby bassinet — equipped with a camera, a microphone, and a radar sensor. The video also mocks Samsung's "AI Home" initiative which let you answer phone calls with your washing machine, oven, or refrigerator. (And LG's overpowered "smart" refrigerator won the "Overall Worst in Show" award.)

One of the scariest presentations came from Paul Roberts, founder of SecuRepairs, a group advocating both cybersecurity and the right to repair. Roberts notes that about 65% of the routers sold in the U.S. are from a Chinese company named TP-Link — both wifi routers and the wifi/ethernet routers sold for homes and small offices.Roberts reminded viewers that in October, Microsoft reported "thousands" of compromised routers — most of them manufactured by TP-Link — were found working together in a malicious network trying to crack passwords and penetrate "think tanks, government organizations, non-governmental organizations, law firms, defense industrial base, and others" in North America and in Europe. The U.S. Justice Department soon launched an investigation (as did the U.S. Commerce Department) into TP-Link's ties to China's government and military, according to a SecuRepairs blog post.

The reason? "As a China-based company, TP-Link is required by law to disclose flaws it discovers in its software to China's Ministry of Industry and Information Technology before making them public." Inevitably, this creates a window "to exploit the publicly undisclosed flaw... That fact, and the coincidence of TP-Link devices playing a role in state-sponsored hacking campaigns, raises the prospects of the U.S. government declaring a ban on the sale of TP-Link technology at some point in the next year."

TP-Link won the award for the worst in security.

"Microsoft's Digital Crimes Unit is taking legal action to ensure the safety and integrity of our AI services," according to a Friday blog post by the unit's assistant general counsel. Microsoft blames "a foreign-based threat-actor group" for "tools specifically designed to bypass the safety guardrails of generative AI services, including Microsoft's, to create offensive and harmful content.

Microsoft "is accusing three individuals of running a 'hacking-as-a-service' scheme," reports Ars Technica, "that was designed to allow the creation of harmful and illicit content using the company's platform for AI-generated content" after bypassing Microsoft's AI guardrails: They then compromised the legitimate accounts of paying customers. They combined those two things to create a fee-based platform people could use. Microsoft is also suing seven individuals it says were customers of the service. All 10 defendants were named John Doe because Microsoft doesn't know their identity.... The three people who ran the service allegedly compromised the accounts of legitimate Microsoft customers and sold access to the accounts through a now-shuttered site... The service, which ran from last July to September when Microsoft took action to shut it down, included "detailed instructions on how to use these custom tools to generate harmful and illicit content."

The service contained a proxy server that relayed traffic between its customers and the servers providing Microsoft's AI services, the suit alleged. Among other things, the proxy service used undocumented Microsoft network application programming interfaces (APIs) to communicate with the company's Azure computers. The resulting requests were designed to mimic legitimate Azure OpenAPI Service API requests and used compromised API keys to authenticate them. Microsoft didn't say how the legitimate customer accounts were compromised but said hackers have been known to create tools to search code repositories for API keys developers inadvertently included in the apps they create. Microsoft and others have long counseled developers to remove credentials and other sensitive data from code they publish, but the practice is regularly ignored. The company also raised the possibility that the credentials were stolen by people who gained unauthorized access to the networks where they were stored...

The lawsuit alleges the defendants' service violated the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, the Lanham Act, and the Racketeer Influenced and Corrupt Organizations Act and constitutes wire fraud, access device fraud, common law trespass, and tortious interference.

"What if they ban TikTok and people keep using it anyway?" asks the New York Times, saying a pending ban in America "is vague on how it would be enforced" Some experts say that even if TikTok is actually banned this month or soon, there may be so many legal and technical loopholes that millions of Americans could find ways to keep TikTok'ing. The law is "Swiss cheese with lots of holes in it," said Glenn Gerstell, a former top lawyer at the National Security Agency and a senior adviser at the Center for Strategic and International Studies, a policy research organization. "There are obviously ways around it...." When other countries ban apps, the government typically orders internet providers and mobile carriers to block web traffic to and from the blocked website or app. That's probably not how a ban on TikTok in the United States would work. Two lawyers who reviewed the law said the text as written doesn't appear to order internet and mobile carriers to stop people from using TikTok.

There may not be unanimity on this point. Some lawyers who spoke to Bloomberg News said internet providers would be in legal hot water if they let their customers continue to use a banned TikTok. Alan Rozenshtein, a University of Minnesota associate law professor, said he suspected internet providers aren't obligated to stop TikTok use "because Congress wanted to allow the most dedicated TikTok users to be able to access the app, so as to limit the First Amendment infringement." The law also doesn't order Americans to stop using TikTok if it's banned or to delete the app from our phones....

Odds are that if the Supreme Court declares the TikTok law constitutional and if a ban goes into effect, blacklisting the app from the Apple and Google app stores will be enough to stop most people from using TikTok... If a ban goes into effect and Apple and Google block TikTok from pushing updates to the app on your phone, it may become buggy or broken over time. But no one is quite sure how long it would take for the TikTok app to become unusable or compromised in this situation.
Users could just sideload the app after downloading it outside a phone's official app store, the article points out. (More than 10 million people sideloaded Fortnite within six weeks of its removal from Apple and Google's app stores.) And there's also the option of just using a VPN — or watching TikTok's web site.

(I've never understood why all apps haven't already been replaced with phone-optimized web sites...)

An anonymous reader quotes a report from TechCrunch: On Saturday, Triplegangers CEO Oleksandr Tomchuk was alerted that his company's e-commerce site was down. It looked to be some kind of distributed denial-of-service attack. He soon discovered the culprit was a bot from OpenAI that was relentlessly attempting to scrape his entire, enormous site. "We have over 65,000 products, each product has a page," Tomchuk told TechCrunch. "Each page has at least three photos." OpenAI was sending "tens of thousands" of server requests trying to download all of it, hundreds of thousands of photos, along with their detailed descriptions. "OpenAI used 600 IPs to scrape data, and we are still analyzing logs from last week, perhaps it's way more," he said of the IP addresses the bot used to attempt to consume his site. "Their crawlers were crushing our site," he said "It was basically a DDoS attack."

Triplegangers' website is its business. The seven-employee company has spent over a decade assembling what it calls the largest database of "human digital doubles" on the web, meaning 3D image files scanned from actual human models. It sells the 3D object files, as well as photos -- everything from hands to hair, skin, and full bodies -- to 3D artists, video game makers, anyone who needs to digitally recreate authentic human characteristics. [...] To add insult to injury, not only was Triplegangers knocked offline by OpenAI's bot during U.S. business hours, but Tomchuk expects a jacked-up AWS bill thanks to all of the CPU and downloading activity from the bot. Triplegangers initially lacked a properly configured robots.txt file, which allowed the bot to freely scrape its site since the system interprets the absence of such a file as permission. It's not an opt-in system.

Once the file was updated with specific tags to block OpenAI's bot, along with additional defenses like Cloudflare, the scraping stopped. However, robots.txt is not foolproof since compliance by AI companies is voluntary, leaving the burden on website owners to monitor and block unauthorized access proactively. "[Tomchuk] wants other small online business to know that the only way to discover if an AI bot is taking a website's copyrighted belongings is to actively look," reports TechCrunch.

An anonymous reader quotes a report from The Register: A leading education software maker has admitted its IT environment was compromised in a cyberattack, with students and teachers' personal data -- including some Social Security Numbers and medical info -- stolen. PowerSchool says its cloud-based student information system is used by 18,000 customers around the globe, including the US and Canada, to handle grading, attendance records, and personal information of more than 60 million K-12 students and teachers. On December 28 someone managed to get into its systems and access their contents "using a compromised credential," the California-based biz told its clients in an email seen by Register this week.

[...] "We believe the unauthorized actor extracted two tables within the student information system database," a spokesperson told us. "These tables primarily include contact information with data elements such as name and address information for families and educators. "For a certain subset of the customers, these tables may also include Social Security Number, other personally identifiable information, and limited medical and grade information. "Not all PowerSchool student information system customers were impacted, and we anticipate that only a subset of impacted customers will have notification obligations." While the company has tightened security measures and offered identity protection services to affected individuals, cybersecurity firm Cyble suggests the intrusion "may have been more serious and gone on much longer than has been publicly acknowledged so far," reports The Register. The cybersecurity vendor says the intrusion could have occurred as far back as June 16, 2011, with it ending on January 2 of this year.

"Critical systems and applications such as Oracle Netsuite ERP, HR software UltiPro, Zoom, Slack, Jira, GitLab, and sensitive credentials for platforms like Microsoft login, LogMeIn, Windows AD Azure, and BeyondTrust" may have been compromised, too.

Automattic is cutting its weekly contributions to WordPress.org from 3,988 hours to 45 hours, escalating tensions with rival WP Engine amid their ongoing legal dispute. The dramatic reduction comes after a federal court granted WP Engine an injunction over Automattic's handling of a disputed plugin.

The company, which runs WordPress.com, blamed the cutback on legal costs from its battle with WP Engine, which CEO Matt Mullenweg previously called a "cancer" to the community. Automattic said remaining contributions will focus on "security and critical updates" through the Five for the Future program.

An anonymous reader quotes a report from 404 Media: Some of the world's most popular apps are likely being co-opted by rogue members of the advertising industry to harvest sensitive location data on a massive scale, with that data ending up with a location data company whose subsidiary has previously sold global location data to US law enforcement. The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games likeCandy Crushand dating apps like Tinder to pregnancy tracking and religious prayer apps across both Android and iOS. Because much of the collection is occurring through the advertising ecosystem -- not code developed by the app creators themselves -- this data collection is likely happening without users' or even app developers' knowledge.

"For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising 'bid stream,'" rather than code embedded into the apps themselves, Zach Edwards, senior threat analyst at cybersecurity firm Silent Push and who has followed the location data industry closely, tells 404 Media after reviewing some of the data. The data provides a rare glimpse inside the world of real-time bidding (RTB). Historically, location data firms paid app developers to include bundles of code that collected the location data of their users. Many companies have turned instead to sourcing location information through the advertising ecosystem, where companies bid to place ads inside apps. But a side effect is that data brokers can listen in on that process and harvest the location of peoples' mobile phones.

"This is a nightmare scenario for privacy, because not only does this data breach contain data scraped from the RTB systems, but there's some company out there acting like a global honey badger, doing whatever it pleases with every piece of data that comes its way," Edwards says. Included in the hacked Gravy data are tens of millions of mobile phone coordinates of devices inside the US, Russia, and Europe. Some of those files also reference an app next to each piece of location data. 404 Media extracted the app names and built a list of mentioned apps. The list includes dating sites Tinder and Grindr; massive games such asCandy Crush,Temple Run,Subway Surfers, andHarry Potter: Puzzles & Spells; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with more than 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo's email client; Microsoft's 365 office app; and flight tracker Flightradar24. The list also mentions multiple religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps, which some users may download, ironically, in an attempt to protect their privacy. 404 Media's full list of apps included in the data can be found here. There are also other lists available from other security researchers.

The Biden administration plans one additional round of restrictions on the export of AI chips before leaving office, "a final push in his effort to keep advanced technologies out of the hands of China and Russia," reports Bloomberg. From the report: The US wants to curb the sale of AI chips used in data centers on both a country and company basis, with the goal of concentrating AI development in friendly nations and getting businesses around the world to align with American standards, according to people familiar with the matter. The result would be an expansion of semiconductor caps to most of the world -- an attempt to control the spread of AI technology at a time of soaring demand. The regulations, which could be issued as soon as Friday, would create three tiers of chip trade restrictions, said the people, who asked not to be identified because the discussions are private.

At the top level, a small number of US allies would maintain essentially unmitigated access to American chips. A group of adversaries, meanwhile, would be effectively blocked from importing the semiconductors. And the vast majority of the world would face limits on the total computing power that can go to one country. Countries in the last group would be able to bypass their national limits -- and get their own, significantly higher caps -- by agreeing to a set of US government security requirements and human rights standards, one of the people said. That type of designation -- called a validated end user, or VEU -- aims to create a set of trusted entities that develop and deploy AI in secure environments around the world.

Microsoft kicks off the new year with more job cuts, as fewer than 1% of employees reportedly face the axe. From a report: As first reported by Business Insider, Microsoft is trimming its workforce again, including roles in its security division, with the cuts targeting underperforming employees. A Microsoft spokesperson confirmed the layoffs with BI but declined to specify how many staffers are affected, stating, "At Microsoft, we focus on high-performance talent."

"We are always working on helping people learn and grow. When people are not performing, we take the appropriate action," the spokesperson told The Register.

U.S. software giant Ivanti has warned that a zero-day vulnerability in its widely-used enterprise VPN appliance has been exploited to compromise the networks of its corporate customers. From a report: Ivanti said on Wednesday that the critical-rated vulnerability, tracked as CVE-2025-0282, can be exploited without any authentication to remotely plant malicious code on Ivanti's Connect Secure, Policy Secure, and ZTA Gateways products. Ivanti says its Connect Secure remote-access VPN solution is "the most widely adopted SSL VPN by organizations of every size, across every major industry."

This is the latest exploited security vulnerability to target Ivanti's products in recent years. Last year, the technology maker pledged to overhaul its security processes after hackers targeted vulnerabilities in several of its products to launch mass-hacks against its customers. The company said it became aware of the latest vulnerability after its Ivanti Integrity Checker Tool (ICT) flagged malicious activity on some customer appliances.

An anonymous reader quotes a report from Bloomberg: Italy is in advanced talks with Elon Musk's SpaceX for a deal to provide secure telecommunications for the nation's government -- the largest such project in Europe, people with knowledge of the matter said Sunday. Discussions are ongoing, and a final agreement on the five-year contract hasn't been reached, said the people, who asked not to be identified citing confidential discussions. The project has already been approved by Italy's Intelligence Services as well as Italy's Defense Ministry, they said. Italy on Monday confirmed discussions are ongoing, saying no deal had yet been reached. "The talks with SpaceX are part of normal government business," the government said.

The negotiations, which had stalled until recently, appeared to move forward after Italian Prime Minister Giorgia Meloni visited President-elect Donald Trump in Florida on Saturday. The Italian government said the two didn't discuss the issue during their meeting. Italian officials have been negotiating on a $1.6 billion deal aimed at supplying Italy with a full range of top-level encryption for telephone and Internet services used by the government, the people said. The plan also includes communications services for the Italian military in the Mediterranean area as well as the rollout of so-called direct-to-cell satellite services in Italy for use in emergencies like terror attacks or natural disasters, they said. The possible deal has been under review since mid-2023. It's been opposed by some Italian officials concerned about how the services may detract from local carriers.

BleepingComputer's Sergiu Gatlan reports: "Today, the White House announced the launch of the U.S. Cyber Trust Mark, a new cybersecurity safety label for internet-connected consumer devices. The Cyber Trust Mark label, which will appear on smart products sold in the United States later this year, will help American consumers determine whether the devices they want to buy are safe to install in their homes. It's designed for consumer smart devices, such as home security cameras, TVs, internet-connected appliances, fitness trackers, climate control systems, and baby monitors, and it signals that the internet-connected device comes with a set of security features approved by NIST.

Vendors will label their products with the Cyber Trust Mark logo if they meet the National Institute of Standards and Technology (NIST) cybersecurity criteria. These criteria include using unique and strong default passwords, software updates, data protection, and incident detection capabilities. Consumers can scan the QR code included next to the Cyber Trust Mark labels for additional security information, such as instructions on changing the default password, steps for securely configuring the device, details on automatic updates (including how to access them if they are not automatic), the product's minimum support period, and a notification if the manufacturer does not offer updates for the device. "Americans are worried about the rise of criminals remotely hacking into home security systems to unlock doors, or malicious attackers tapping into insecure home cameras to illicitly record conversations," the Biden administration said on Tuesday.

"The White House launched this bipartisan effort to educate American consumers and give them an easy way to assess the cybersecurity of such products, as well as incentivize companies to produce more cybersecure devise [sic], much as EnergyStar labels did for energy efficiency.

The Register's Connor Jones reports: Marc Rogers, DEF CON's head of security, faces tens of thousands of dollars in medical bills following an accident that left him with a broken neck and temporary quadriplegia. The prominent industry figure, whose work has spanned roles at tech companies such as Vodafone and Okta, including ensuring the story lines on Mr Robot and The Real Hustle were factually sound, is recovering in hospital. [...] Rogers said it will be around four to six weeks before he returns to basic independence and is able to travel, but a full recovery will take up to six months. He begins a course of physical therapy today, but his insurance will only cover the first of three required weeks, prompting friends to set up a fundraiser to cover the difference.

Rogers has an impressive cyber CV. Beginning life in cybersecurity back in the '80s when he went by the handle Cjunky, he has gone on to assume various high profile roles in the industry. In addition to the decade leading Vodafone UK's cybersecurity and being the VP of cybersecurity strategy at Okta, as already mentioned, Rogers has also worked as head of security at Cloudflare and founded Vectra, among other experiences. Now he heads up security at DEF CON, is a member of the Ransomware Taskforce, and is the co-founder and CTO at AI observability startup nbhd.ai.

If you hadn't heard of him from any of these roles, or from his work in the entertainment biz, he's also known for his famous research into Apple's Touch ID sensor, which he was able to compromise on both the iPhone 5S and 6 during his time as principal researcher at Lookout. Other consumer-grade kit to get the Rogers treatment include the short-lived Google Glass devices, also while he was at Lookout, and the Tesla Model S back in 2015. "It's a sad fact that in the US GoFundMe has become the de facto standard for covering insurance shortfalls," Rogers said. "I will be forever grateful to my friends who stood it up for me and those who donated to it so that I can resume making bad guys cry as soon as feasibly possible."

The cybersecurity community has rallied together to support Rogers' fundraiser, which has accrued over $83,000 in donations. The goal is $100,000.

The Japanese government published an alert on Wednesday accusing a Chinese hacking group of targeting and breaching dozens of government organizations, companies, and individuals in the country since 2019. From a report: Japan's National Police Agency and the National Center of Incident Readiness and Strategy for Cybersecurity attributed the years-long hacking spree to a group called MirrorFace.

"The MirrorFace attack campaign is an organized cyber attack suspected to be linked to China, with the primary objective of stealing information related to Japan's national security and advanced technology," the authorities wrote in the alert, according to a machine translation. A longer version of the alert said the targets included Japan's Foreign and Defense ministries, the country's space agency, as well as politicians, journalists, private companies and tech think tanks, according to the Associated Press. In July 2024 Japan's Computer Emergency Response Team Coordination Center (JPCERT/CC) wrote in a blog post that MirrorFace's "targets were initially media, political organisations, think tanks and universities, but it has shifted to manufacturers and research institutions since 2023."

An anonymous reader shares a report: Akamai has decided to end its content delivery network services in China, but not because it's finding it hard to do business in the Middle Kingdom. News of Akamai's decision to end CDN services in China emerged in a letter it recently published and sent to customers and partners that opens by reminding them the company has a "commitment to providing world-class delivery and security solutions" -- and must therefore inform them that "Effective June 30, 2026, all China CDN services will reach their decommission date."

Customers are offered a choice: do nothing and then be moved to an Akamai CDN located outside China, or use similar services from Chinese companies Tencent Cloud and Wangsu Science & Technology.

Hackers claim to have compromised Gravy Analytics, the parent company of Venntel which has sold masses of smartphone location data to the U.S. government. 404 Media: The hackers said they have stolen a massive amount of data, including customer lists, information on the broader industry, and even location data harvested from smartphones which show peoples' precise movements, and they are threatening to publish the data publicly.

The news is a crystalizing moment for the location data industry. For years, companies have harvested location information from smartphones, either through ordinary apps or the advertising ecosystem, and then built products based on that data or sold it to others. In many cases, those customers include the U.S. government, with arms of the military, DHS, the IRS, and FBI using it for various purposes. But collecting that data presents an attractive target to hackers.

A widely used DNA sequencer lacks crucial firmware security protections, potentially exposing genetic research facilities to cyberattacks, security researchers said on Tuesday. The Illumina iSeq 100, deployed at 23andMe and thousands of laboratories worldwide, runs on outdated BIOS firmware from 2018 that doesn't enforce Secure Boot protection against malware infections, ArsTechnica reported today, citing researchers from Eclypsium.

The device's manufacturer, IEI Integration Corp, supplies motherboards to numerous medical equipment makers, suggesting similar vulnerabilities could affect other devices, Eclypsium said. Illumina said the issues were "not high-risk" and would notify customers if mitigations were needed.

Toyota's Woven City, a $10 billion "living laboratory" on the site of a former car factory, is set to welcome its first 100 residents in fall 2025. The first residents will be Toyota employees and affiliates, but the city aims to expand to include "external inventors and their families." The Verge reports: Toyota said it completed "phase 1" of the construction, with the official launch planned for 2025. "Woven City is more than just a place to live, work, and play," Toyota Chairman Akio Toyoda said during today's press conference at CES. "Woven City is a place where people can invent and develop all kinds of new products and ideas. It's a living laboratory where the residents are willing participants, giving inventors the opportunity to freely test their ideas in a secure, real-life setting." [...] In fall 2025, Toyota said it will welcome the first 100 residents to Woven City, all of whom will be employees of Toyota or its subsidiary, Woven by Toyota. The community will gradually expand to include "external inventors and their families" who will be invited to relocate to the new city. In total, the first phase of the city will eventually house 360 residents, Toyota says.

Toyota dubs these first residents "Weavers," adding that they are people who "share a passion for the 'expansion of mobility' and a commitment to building a more flourishing society. Through their participation in co-creation activities, Weavers will contribute to realizing the full potential of Woven City." That said, the first "inventors" confirmed for Woven City are mostly in the food services business, including a vending machine company and a startup that wants to explore "the potential value of coffee through futuristic cafe experiences." Toyoda mentioned several other ideas during his press conference, including high-powered motorized wheelchairs for people with disabilities who want to experience the thrill of racing. He also pitched the idea of a personal drone that follows joggers for added security, and "pet robots" for elderly people.

The Woven City site, which is located at the base of Mount Fuji, includes buildings that are designed by famed Danish architect Bjarke Ingels. The goal, through phase 2 and subsequent phases, is to build enough housing and facilities for up to 2,000 people to live year-around, with utilities powered by the company's hydrogen fuel cell technology. The site is private for now, though Toyota says it plans on inviting the general public to see it in 2026. The name "Woven City" is a reference to weaving together three different types of streets or pathways, each for a specific type of user. One street would be for faster vehicles only. The second would be a mix of lower-speed personal mobility vehicles, like bikes and scooters, as well as pedestrians. And the third would be a park-like promenade for pedestrians only. Japan first announced the "prototype city of the future" at CES 2020.