Google

French Court Orders Google, Cloudflare, Cisco To Poison DNS To Stop Piracy (torrentfreak.com) 74

An anonymous reader quotes a report from TorrentFreak: A French court has ordered Google, Cloudflare, and Cisco to poison their DNS resolvers to prevent circumvention of blocking measures, targeting around 117 pirate sports streaming domains. The move is another anti-piracy escalation for broadcaster Canal+, which also has permission to completely deindex the sites from search engine results. [...] Two decisions were handed down by the Paris judicial court last month; one concerning Premier League matches and the other the Champions League. The orders instruct Google, Cloudflare, and Cisco to implement measures similar to those in place at local ISPs. To protect the rights of Canal+, the companies must prevent French internet users from using their services to access around 117 pirate domains.

According to French publication l'Informe, which broke the news, Google attorney Sebastien Proust crunched figures published by government anti-piracy agency Arcom and concluded that the effect on piracy rates, if any, is likely to be minimal. Starting with a pool of all users who use alternative DNS for any reason, users of pirate sites -- especially sites broadcasting the matches in question -- were isolated from the rest. Users of both VPNs and third-party DNS were further excluded from the group since DNS blocking is ineffective against VPNs. Proust found that the number of users likely to be affected by DNS blocking at Google, Cloudflare, and Cisco, amounts to 0.084% of the total population of French Internet users. Citing a recent survey, which found that only 2% of those who face blocks simply give up and don't find other means of circumvention, he reached an interesting conclusion. "2% of 0.084% is 0.00168% of Internet users! In absolute terms, that would represent a small group of around 800 people across France!"

In common with other courts presented with the same arguments, the Paris court said the number of people using alternative DNS to access the sites, and the simplicity of switching DNS, are irrelevant. Canal+ owns the rights to the broadcasts and if it wishes to request a blocking injunction, it has the legal right to do so. The DNS providers' assertion that their services are not covered by the legislation was also waved aside by the court. Google says it intends to comply with the order. As part of the original matter in 2023, it was already required to deindex the domains from search results under the same law. At least in theory, this means that those who circumvented the original blocks using these alternative DNS services, will be back to square one and confronted by blocks all over again. Given that circumventing this set of blocks will be as straightforward as circumventing the originals, that raises the question of what measures Canal+ will demand next, and from whom.

Privacy

Proton Seeks To Secure Its Privacy-Focused Future With a Nonprofit Model (arstechnica.com) 19

Proton, the secure-minded email and productivity suite, is becoming a nonprofit foundation, but it doesn't want you to think about it in the way you think about other notable privacy and web foundations. From a report: "We believe that if we want to bring about large-scale change, Proton can't be billionaire-subsidized (like Signal), Google-subsidized (like Mozilla), government-subsidized (like Tor), donation-subsidized (like Wikipedia), or even speculation-subsidized (like the plethora of crypto "foundations")," Proton CEO Andy Yen wrote in a blog post announcing the transition. "Instead, Proton must have a profitable and healthy business at its core."

The announcement comes exactly 10 years to the day after a crowdfunding campaign saw 10,000 people give more than $500,000 to launch Proton Mail. To make it happen, Yen, along with co-founder Jason Stockman and first employee Dingchao Lu, endowed the Proton Foundation with some of their shares. The Proton Foundation is now the primary shareholder of the business Proton, which Yen states will "make irrevocable our wish that Proton remains in perpetuity an organization that places people ahead of profits." Among other members of the Foundation's board is Sir Tim Berners-Lee, inventor of HTML, HTTP, and almost everything else about the web.

Of particular importance is where Proton and the Proton Foundation are located: Switzerland. As Yen noted, Swiss foundations do not have shareholders and are instead obligated to act "in accordance with the purpose for which they were established." While the for-profit entity Proton AG can still do things like offer stock options to recruits and even raise its own capital on private markets, the Foundation serves as a backstop against moving too far from Proton's founding mission, Yen wrote.

AI

Amazon-Powered AI Cameras Used To Detect Emotions of Unwitting UK Train Passengers (wired.com) 28

Thousands of people catching trains in the United Kingdom likely had their faces scanned by Amazon software as part of widespread artificial intelligence trials, new documents reveal. Wired: The image recognition system was used to predict travelers' age, gender, and potential emotions -- with the suggestion that the data could be used in advertising systems in the future. During the past two years, eight train stations around the UK -- including large stations such as London's Euston and Waterloo, Manchester Piccadilly, and other smaller stations -- have tested AI surveillance technology with CCTV cameras with the aim of alerting staff to safety incidents and potentially reducing certain types of crime.

The extensive trials, overseen by rail infrastructure body Network Rail, have used object recognition -- a type of machine learning that can identify items in videofeeds -- to detect people trespassing on tracks, monitor and predict platform overcrowding, identify antisocial behavior ("running, shouting, skateboarding, smoking"), and spot potential bike thieves. Separate trials have used wireless sensors to detect slippery floors, full bins, and drains that may overflow. The scope of the AI trials, elements of which have previously been reported, was revealed in a cache of documents obtained in response to a freedom of information request by civil liberties group Big Brother Watch. "The rollout and normalization of AI surveillance in these public spaces, without much consultation and conversation, is quite a concerning step," says Jake Hurfurt, the head of research and investigations at the group.

Businesses

ASUS Promises Support Overhaul After YouTube Investigators Allege Dishonesty (gamersnexus.net) 60

ASUS has suddenly agreed "to overhaul its customer support and warranty systems," writes the hardware review site Gamers Nexus — after a three-video series on its YouTube channel documented bad and "potentially illegal" handling of customer warranties for the channel's 2.2 million viewers.

The Verge highlights ASUS's biggest change: If you've ever been denied a warranty repair or charged for a service that was unnecessary or should've been free, Asus wants to hear from you at a new email address. It claims those disputes will be processed by Asus' own staff rather than outsourced customer support agents.... The company is also apologizing today for previous experiences you might have had with repairs. "We're very sorry to anyone who has had a negative experience with our service team. We appreciate your feedback and giving us a chance to make amends."

It started five weeks ago when Gamers Nexus requested service for a joystick problem, according to a May 10 video. First they'd received a response wrongly telling them their damage was out of warranty — which also meant Asus could add a $20 shipping charge for the requested repair. "Somehow that turned into ASUS saying the LCD needs to be replaced, even though the joystick is covered under their repair policies," the investigators say in the video. [They also note this response didn't even address their original joystick problem — "only that thing that they had decided to find" — and that ASUS later made an out-of-the-blue reference to "liquid damage."] The repair would ultimately cost $191.47, with ASUS mentioning that otherwise "the unit will be sent back un-repaired and may be disassembled." ASUS gave them four days to respond, with some legalese adding that an out-of-warranty repair fee is non-refundable, yet still "does not guarantee that repairs can be made."

Even when ASUS later agreed to do a free "partial" repair (providing the requested in-warranty service), the video's investigators still received another email warning of "pending service cancellation" and return of the unit unless they spoke to "Invoice Quotation Support" immediately. The video-makers stood firm, and the in-warranty repair was later performed free — but they still concluded that "It felt like ASUS tried to scam us." ASUS's response was documented in a second video, with ASUS claiming it had merely been sending a list of "available" repairs (and promising that in the future ASUS would stop automatically including costs for the unrequested repair of "cosmetic imperfections" — and that they'd also change their automatic emails.)

Gamers Nexus eventually created a fourth, hour-long video confronting various company officials at Computex — which finally led to them publishing a list of ASUS's promised improvements on Friday. Some highlights:
  • ASUS promises it's "created a Task Force team to retroactively go back through a long history of customer surveys that were negative to try and fix the issues." (The third video from Gamers Nexus warned ASUS was already on the government's radar over its handling of warranty issues.)
  • ASUS also announced their repairs centers were no longer allowed to claim "customer-induced damage" (which Gamers Nexus believes "will remove some of the financial incentive to fail devices" to speed up workloads).
  • ASUS is creating a new U.S. support center allowing customers to choose either a refurbished board or a longer repair.

Gamers Nexus says they already have devices at ASUS repair centers — under pseudonyms — and that they "plan to continue sampling them over the next 6-12 months so we can ensure these are permanent improvements." And there's one final improvement, according to Gamers Nexus. "After over a year of refusing to acknowledge the microSD card reader failures on the ROG Ally [handheld gaming console], ASUS will be posting a formal statement next week about the defect."


Government

53 LA County Public Health Workers Fall for Phishing Email. 200,000 People May Be Affected (yahoo.com) 37

The Los Angeles Times reports that "The personal information of more than 200,000 people in Los Angeles County was potentially exposed after a hacker used a phishing email to steal the login credentials of 53 public health employees, the county announced Friday." Details that were possibly accessed in the February data breach include the first and last names, dates of birth, diagnoses, prescription information, medical record numbers, health insurance information, Social Security numbers and other financial information of Department of Public Health clients, employees and other individuals. "Affected individuals may have been impacted differently and not all of the elements listed were present for each individual," the agency said in a news release...

The data breach happened between Feb. 19 and 20 when employees received a phishing email, which tries to trick recipients into providing important information such as passwords and login credentials. The employees clicked on a link in the body of the email, thinking they were accessing a legitimate message, according to the agency...

The county is offering free identity monitoring through Kroll, a financial and risk advisory firm, to those affected by the breach. Individuals whose medical records were potentially accessed by the hacker should review them with their doctor to ensure the content is accurate and hasn't been changed. Officials say people should also review the Explanation of Benefits statement they receive from their insurance company to make sure they recognize all the services that have been billed. Individuals can also request credit reports and review them for any inaccuracies.

From the official statement by the county's Public Health department: Upon discovery of the phishing attack, Public Health disabled the impacted e-mail accounts, reset and re-imaged the user's device(s), blocked websites that were identified as part of the phishing campaign and quarantined all suspicious incoming e-mails. Additionally, awareness notifications were distributed to all workforce members to remind them to be vigilant when reviewing e-mails, especially those including links or attachments. Law enforcement was notified upon discovery of the phishing attack, and they investigated the incident.

The Courts

Google Loses Bid To End US Antitrust Case Over Digital Advertising (reuters.com) 4

An anonymous reader quotes a report from Reuters: Alphabet's Google must face trial on U.S. antitrust enforcers' claim that the internet search juggernaut illegally dominates the online advertising technology market, a federal judge ruled on Friday. U.S. District Judge Leonie Brinkema in Alexandria, Virginia, denied Google's motion during a hearing, according to court records. Google had argued for a win without a trial, saying that antitrust laws do not block companies from refusing to deal with rivals and that regulators had not accurately defined the ad tech market. Court papers did not specify what reasons the judge provided at the hearing. Motions like the one Google filed are only granted where a judge determines there is no factual dispute to send to trial. Last year, the U.S. Justice department and eight states sued Google, calling for the break up of the search giant's ad-technology business over alleged illegal monopolization of the digital advertising market.

Privacy

Sonos Draws More Customer Anger - This Time For Its Privacy Policy (theverge.com) 15

An anonymous reader shares a report: It's been a rocky couple of months for Sonos -- so much so that CEO Patrick Spence now has a canned autoreply for customers emailing him to vent about the redesigned app. But as the company works to right the ship, restore trust, and get the new Sonos Ace headphones off to a strong start, it finds itself in the middle of yet another controversy.

As highlighted by repair technician and consumer privacy advocate Louis Rossmann, Sonos has made a significant change to its privacy policy, at least in the United States, with the removal of one key line. The updated policy no longer contains a sentence that previously said, "Sonos does not and will not sell personal information about our customers." That pledge is still present in other countries, but it's nowhere to be found in the updated US policy, which went into effect earlier this month.

AI

Clearview AI Used Your Face. Now You May Get a Stake in the Company. (nytimes.com) 40

A facial recognition start-up, accused of invasion of privacy in a class-action lawsuit, has agreed to a settlement, with a twist: Rather than cash payments, it would give a 23 percent stake in the company to Americans whose faces are in its database. From a report: Clearview AI, which is based in New York, scraped billions of photos from the web and social media sites like Facebook, LinkedIn and Instagram to build a facial recognition app used by thousands of police departments, the Department of Homeland Security and the F.B.I. After The New York Times revealed the company's existence in 2020, lawsuits were filed across the country. They were consolidated in federal court in Chicago as a class action.

The litigation has proved costly for Clearview AI, which would most likely go bankrupt before the case made it to trial, according to court documents. The company and those who sued it were "trapped together on a sinking ship," lawyers for the plaintiffs wrote in a court filing proposing the settlement. "These realities led the sides to seek a creative solution by obtaining for the class a percentage of the value Clearview could achieve in the future," added the lawyers, from Loevy + Loevy in Chicago.

Anyone in the United States who has a photo of himself or herself posted publicly online -- so almost everybody -- could be considered a member of the class. The settlement would collectively give the members a 23 percent stake in Clearview AI, which is valued at $225 million, according to court filings. (Twenty-three percent of the company's current value would be about $52 million.) If the company goes public or is acquired, those who had submitted a claim form would get a cut of the proceeds. Alternatively, the class could sell its stake. Or the class could opt, after two years, to collect 17 percent of Clearview's revenue, which it would be required to set aside.

Open Source

OIN Expands Linux Patent Protection Yet Again (But Not To AI) (zdnet.com) 7

Steven Vaughan-Nichols reports via ZDNet: While Linux and open-source software (OSS) are no longer constantly under intellectual property (IP) attacks, the Open Invention Network (OIN) patent consortium still stands guard over its patents. Now, OIN, the largest patent non-aggression community, has expanded its protection once again by updating its Linux System definition. Covering more than just Linux, the Linux System definition also protects adjacent open-source technologies. In the past, protection was expanded to Android, Kubernetes, and OpenStack. The OIN accomplishes this by providing a shared defensive patent pool of over 3 million patents from over 3,900 community members. OIN members include Amazon, Google, Microsoft, and essentially all Linux-based companies.

This latest update extends OIN's existing patent risk mitigation efforts to cloud-native computing and enterprise software. In the cloud computing realm, OIN has added patent coverage for projects such as Istio, Falco, Argo, Grafana, and Spire. For enterprise computing, packages such as Apache Atlas and Apache Solr -- used for data management and search at scale, respectively -- are now protected. The update also enhances patent protection for the Internet of Things (IoT), networking, and automotive technologies. OpenThread and packages such as agl-compositor and kuksa.val have been added to the Linux System definition. In the embedded systems space, OIN has supplemented its coverage of technologies like OpenEmbedded by adding OpenAMP and Matter, the home IoT standard. OIN has included open hardware development tools such as Edalize, cocotb, Amaranth, and Migen, building upon its existing coverage of hardware design tools like Verilator and FuseSoC.

Keith Bergelt, OIN's CEO, emphasized the importance of this update, stating, "Linux and other open-source software projects continue to accelerate the pace of innovation across a growing number of industries. By design, periodic expansion of OIN's Linux System definition enables OIN to keep pace with OSS's growth." [...] Looking ahead, Bergelt said, "We made this conscious decision not to include AI. It's so dynamic. We wait until we see what AI programs have significant usage and adoption levels." This is how the OIN has always worked. The consortium takes its time to ensure it extends its protection to projects that will be around for the long haul. The OIN practices patent non-aggression in core Linux and adjacent open-source technologies by cross-licensing their Linux System patents to one another on a royalty-free basis. When OIN signees are attacked because of their patents, the OIN can spring into action.

Google

Google's Privacy Sandbox Accused of Misleading Chrome Browser Users (theregister.com) 41

Richard Speed reports via The Register: Privacy campaigner noyb has filed a GDPR complaint regarding Google's Privacy Sandbox, alleging that turning on a "Privacy Feature" in the Chrome browser resulted in unwanted tracking by the US megacorp. The Privacy Sandbox API was introduced in 2023 as part of Google's grand plan to eliminate third-party tracking cookies. Rather than relying on those cookies, website developers can call the API to display ads matched to a user's interests. In the announcement, Google's VP of the Privacy Sandbox initiative called it "a significant step on the path towards a fundamentally more private web."

However, according to noyb, the problem is that although Privacy Sandbox is advertised as an improvement over third-party tracking, that tracking doesn't go away. Instead, it is done within the browser by Google itself. To comply with the rules, Google needs informed consent from users, which is where issues start. Noyb wrote today: "Google's internal browser tracking was introduced to users via a pop-up that said 'turn on ad privacy feature' after opening the Chrome browser. In the European Union, users are given the choice to either 'Turn it on' or to say 'No thanks,' so to refuse consent." Users would be forgiven for thinking that 'turn on ad privacy feature' would protect them from tracking. However, what it actually does is turn on first-party tracking.

Max Schrems, honorary chairman of noyb, claimed: "Google has simply lied to its users. People thought they were agreeing to a privacy feature, but were tricked into accepting Google's first-party ad tracking. "Consent has to be informed, transparent, and fair to be legal. Google has done the exact opposite." Noyb noted that Google had argued "choosing to click on 'Turn it on' would indeed be considered consent to tracking under Article 6(1)(a) of the GDPR."

Crime

Police Arrest Conti and LockBit Ransomware Crypter Specialist (bleepingcomputer.com) 25

The Ukraine cyber police, supported by information from the Dutch police, arrested a 28-year-old Russian man in Kyiv for aiding Conti and LockBit ransomware operations by making their malware undetectable and conducting at least one attack himself. He was arrested on April 18, 2024, as part of a global law enforcement operation known as "Operation Endgame," which took down various botnets and their main operators. "As the Conti ransomware group used some of those botnets for initial access on breached endpoints, evidence led investigators to the Russian hacker," reports BleepingComputer. From the report: The Ukrainian police reported that the arrested individual was a specialist in developing custom crypters for packing the ransomware payloads into what appeared as safe files, making them FUD (fully undetectable) to evade detection by the popular antivirus products. The police found that the man was selling his crypting services to both the Conti and LockBit cybercrime syndicates, helping them significantly increase their chances of success on breached networks. The Dutch police confirmed at least one case of the arrested individual orchestrating a ransomware attack in 2021, using a Conti payload, so he also operated as an affiliate for maximum profit.

"As part of the pre-trial investigation, police, together with patrol officers of the special unit "TacTeam" of the TOR DPP battalion, conducted a search in Kyiv," reads the Ukraine police announcement. "Additionally, at the international request of law enforcement agencies in the Netherlands, a search was conducted in the Kharkiv region." [...] The suspect has already been charged with Part 5 of Article 361 of the Criminal Code of Ukraine (Unauthorized interference in the work of information, electronic communication, information and communication systems, electronic communication networks) and faces up to 15 years imprisonment.

Censorship

Firefox Browser Blocks Anti-Censorship Add-Ons At Russia's Request (theintercept.com) 129

An anonymous reader quotes a report from The Intercept: The Mozilla Foundation, the entity behind the web browser Firefox, is blocking various censorship circumvention add-ons for its browser, including ones specifically to help those in Russia bypass state censorship. The add-ons were blocked at the request of Russia's federal censorship agency, Roskomnadzor -- the Federal Service for Supervision of Communications, Information Technology, and Mass Media -- according to a statement by Mozilla to The Intercept. "Following recent regulatory changes in Russia, we received persistent requests from Roskomnadzor demanding that five add-ons be removed from the Mozilla add-on store," a Mozilla spokesperson told The Intercept in response to a request for comment. "After careful consideration, we've temporarily restricted their availability within Russia. Recognizing the implications of these actions, we are closely evaluating our next steps while keeping in mind our local community."

Developers of digital tools designed to get around censorship began noticing recently that their Firefox add-ons were no longer available in Russia. On June 8, the developer of Censor Tracker, an add-on for bypassing internet censorship restrictions in Russia and other former Soviet countries, made a post on the Mozilla Foundation's discussion forums saying that their extension was unavailable to users in Russia. The developer of another add-on, Runet Censorship Bypass, which is specifically designed to bypass Roskomnadzor censorship, posted in the thread that their extension was also blocked. The developer said they did not receive any notification from Mozilla regarding the block. Two VPN add-ons, Planet VPN and FastProxy -- the latter explicitly designed for Russian users to bypass Russian censorship -- are also blocked. VPNs, or virtual private networks, are designed to obscure internet users' locations by routing users' traffic through servers in other countries.

"It's a kind of unpleasant surprise because we thought the values of this corporation were very clear in terms of access to information, and its policy was somewhat different," said Stanislav Shakirov, the chief technical officer of Roskomsvoboda, a Russian open internet group. "And due to these values, it should not be so simple to comply with state censors and fulfill the requirements of laws that have little to do with common sense."

The Courts

Chemical Makers Sue Over Rule To Rid Water of 'Forever Chemicals' (thehill.com) 101

An anonymous reader quotes a report from the New York Times: Chemical and manufacturing groups sued the federal government late Monday (Warning: source paywalled; alternative source) over a landmark drinking-water standard that would require cleanup of so-called forever chemicals linked to cancer and other health risks. The industry groups said that the government was exceeding its authority under the Safe Drinking Water Act by requiring that municipal water systems all but remove six synthetic chemicals, known by the acronym PFAS, that are present in the tap water of hundreds of millions of Americans. The Environmental Protection Agency has said that the new standard, put in place in April, will prevent thousands of deaths and reduce tens of thousands of serious illnesses. The E.P.A.'s cleanup standard was also expected to prompt a wave of litigation against chemical manufacturers by water utilities nationwide trying to recoup their cleanup costs. Utilities have also challenged the stringent new standard, questioning the underlying science and citing the cost of filtering the toxic chemicals out of drinking water.

In a joint filing late Monday, the American Chemistry Council and National Association of Manufacturers said the E.P.A. rule was "arbitrary, capricious and an abuse of discretion." The petition was filed in the Court of Appeals for the District of Columbia. In a separate petition, the American Water Works Association and the Association of Metropolitan Water Agencies said the E.P.A. had "significantly underestimated the costs" of the rule. Taxpayers could ultimately foot the bill in the form of increased water rates, they said. PFAS, a vast class of chemicals also called per- and polyfluoroalkyl substances, are widespread in the environment. They are commonly found in people's blood, and a 2023 government study of private wells and public water systems detected PFAS chemicals in nearly half the tap water in the country. Exposure to PFAS has been associated with developmental delays in children, decreased fertility in women and increased risk of some cancers, according to the E.P.A. [...] The E.P.A. estimates that it would cost water utilities about $1.5 billion annually to comply with the rule, though utilities have said the costs could be twice that amount.

Further reading: Lawyers To Plastic Makers: Prepare For 'Astronomical' PFAS Lawsuits

Japan

Japan Enacts Law Forcing Third-Party App Stores On Apple and Google (appleinsider.com) 97

Following in the European Union's footsteps, Japan's parliament has enacted a law on Wednesday that will prohibit big tech from blocking third-party app stores. AppleInsider reports: The intention of the bill is that it will facilitate competition and reduce app prices. Japan's government reportedly believes that Apple and Google are a duopoly, and that they charge developers high fees that are then passed on to users. Big tech companies with App Stores will also prohibit companies from prioritizing their own services. Google is likely to be hit hardest by this. Violators will initially be fined up to 20% of the domestic revenue of the specific service that broke the law. The fee can increase to 30%, if the behavior continues.

The Japanese government's Fair Trade Commission (FTC) will choose which firms to apply it to. Companies that will be regulated will be required to submit compliance reports annually. While it hasn't been explicitly said that Apple and Google must comply, it seems certain that the announcement that they'll be held to the provisions is imminent. The Japan FTC isn't expected to add any Japanese firms to the list. The law likely won't take effect until the end of 2025.

Transportation

One of Two Major Data Brokers Shuts Down Product Related To Driver Behavior Patterns (therecord.media) 35

An anonymous reader quotes a report from The Record: The revelation earlier this year that General Motors had been selling driver behavior patterns to data brokers -- who in turn packaged and resold it to insurers -- has led at least one of two major data brokers to shut down its related product. That data broker, Verisk, disclosed last month that it has stopped accepting data from car makers and no longer sells the information to insurers, according to the organization Privacy4Cars, which received the response after sending the data broker an inquiry.

"Verisk received driving data from vehicles manufactured by General Motors, Honda, and Hyundai and may have provided a Driving Behavior Data History Report ("Report") to insurers upon request, as a service provider to such insurers, that included certain data provided by these manufacturers," the Verisk response to Privacy4Cars said. "Please note that Verisk no longer receives this data from these automakers to generate Reports and also no longer provides Reports to insurers," the statement added.

While Verisk has stopped selling car company-provided driver behavior patterns to insurers, LexisNexis Risk Solutions continues to prominently promote its driver behavior data product for insurers despite the mounting backlash from state governments, federal officials and consumer groups. LexisNexis Risk Solutions' Telematics OnDemand page remains online, boasting that it is "bringing automakers and insurance carriers together." "By partnering directly with automotive OEMs, LexisNexis is able to turn connected car data into tangible driving behavior insights that can be leveraged within insurance carriers' existing workflows," the page says. Much of LexisNexis Risk Solutions' work remains shrouded in secrecy.

The Courts

Brazil Hires OpenAI To Cut Costs of Court Battles 16

Brazil's government is partnering with OpenAI to use AI for expediting the screening and analysis of thousands of lawsuits to reduce costly court losses impacting the federal budget. Reuters reports: The AI service will flag to government the need to act on lawsuits before final decisions, mapping trends and potential action areas for the solicitor general's office (AGU). AGU told Reuters that Microsoft would provide the artificial intelligence services from ChatGPT creator OpenAI through its Azure cloud-computing platform. It did not say how much Brazil will pay for the services. AGU said the AI project would not replace the work of its members and employees. "It will help them gain efficiency and accuracy, with all activities fully supervised by humans," it said.

Court-ordered debt payments have consumed a growing share of Brazil's federal budget. The government estimated it would spend 70.7 billion reais ($13.2 billion) next year on judicial decisions where it can no longer appeal. The figure does not include small-value claims, which historically amount to around 30 billion reais annually. The combined amount of over 100 billion reais represents a sharp increase from 37.3 billion reais in 2015. It is equivalent to about 1% of gross domestic product, or 15% more than the government expects to spend on unemployment insurance and wage bonuses to low-income workers next year. AGU did not provide a reason for Brazil's rising court costs.

United States

New York Launches Mobile Driver's Licenses (theverge.com) 65

New York has launched its mobile ID program, "giving residents the option to digitize their driver's license or non-driver ID," reports The Verge. From the report: Beginning today, the New York Mobile ID app is available from Apple's App Store and Google Play. The app can be used for identity verification at airports. A physical license, permit, or non-driver ID is required to activate a mobile ID; you'll need to take a photo of the front and back with your phone during the enrollment process. The news was announced during a media briefing at LaGuardia Airport on Tuesday that included New York's and Transportation Security Administration federal security director Robert Duffy, among other speakers. Their pitch is that mobile IDs "will revolutionize the way New Yorkers protect their identities and will significantly enhance the way they get through security at airports across the nation." State officials are also emphasizing that it's a voluntary option meant for convenience.

"When you offer your mobile ID to TSA or anyone else who accepts it, you are in full control of sharing that information. They can only see the information they request to see," Schroeder said. "If you only need to prove your age, you can withhold other information that a verifier doesn't need to see." The app is designed so that your phone remains in your possession at all times -- you should never freely hand a device over to law enforcement -- and shows a QR code that can be scanned to verify your identity. Any changes to your license status such as renewals or suspensions are automatically pushed to the mobile version, and the digital ID also mirrors data like whether you're an organ donor.

For now, acceptance of mobile IDs by businesses (and the police) is completely voluntary -- and there's no deadline in place for compliance -- so it's definitely too soon to start leaving your physical one at home. But bars and other small businesses can start accepting them immediately if they install the state's verifier app. The New York Mobile ID app can be used "at nearly 30 participating airports across the country including all terminals at LaGuardia and John F. Kennedy airports," according to a press release from Governor Kathy Hochul.

New York joins a small list of states that have rolled out mobile driver's licenses, including Arizona, Colorado, Delaware, Georgia, Florida, Iowa, Louisiana, Maryland, Mississippi, Missouri, and Utah.

Crime

British Duo Arrested For SMS Phishing Via Homemade Cell Tower (theregister.com) 25

British police have arrested two individuals involved in an SMS-based phishing campaign using a unique device police described as a "homemade mobile antenna," "an illegitimate telephone mast," and a "text message blaster." This first-of-its-kind device in the UK was designed to send fraudulent texts impersonating banks and other official organizations, "all while allegedly bypassing network operators' anti-SMS-based phishing, or smishing, defenses," reports The Register. From the report: Thousands of messages were sent using this setup, City of London Police claimed on Friday, with those suspected to be behind the operation misrepresenting themselves as banks "and other official organizations" in their texts. [...] Huayong Xu, 32, of Alton Road in Croydon, was arrested on May 23 and remains the only individual identified by police in this investigation at this stage. He has been charged with possession of articles for use in fraud and will appear at Inner London Crown Court on June 26. The other individual, who wasn't identified and did not have their charges disclosed by police, was arrested on May 9 in Manchester and was bailed. [...]

Without any additional information to go on, it's difficult to make any kind of assumption about what these "text message blaster" devices might be. However, one possibility, judging from the messaging from the police, is that the plod are referring to an IMSI catcher aka a Stingray, which acts as a cellphone tower to communicate with people's handhelds. But those are intended primarily for surveillance. What's more likely is that the suspected UK device is perhaps some kind of SIM bank or collection of phones programmed to spam out shedloads of SMSes at a time.

Security

The Mystery of an Alleged Data Broker's Data Breach (techcrunch.com) 4

An anonymous reader shares a report: Since April, a hacker with a history of selling stolen data has claimed a data breach of billions of records -- impacting at least 300 million people -- from a U.S. data broker, which would make it one of the largest alleged data breaches of the year. The data, seen by TechCrunch, on its own appears partly legitimate -- if imperfect.

The stolen data, which was advertised on a known cybercrime forum, allegedly dates back years and includes U.S. citizens' full names, their home address history and Social Security numbers -- data that is widely available for sale by data brokers. But confirming the source of the alleged data theft has proven inconclusive; such is the nature of the data broker industry, which gobbles up individuals' personal data from disparate sources with little to no quality control. The alleged data broker in question, according to the hacker, is National Public Data, which bills itself as "one of the biggest providers of public records on the Internet."

On its official website, National Public Data claimed to sell access to several databases: a "People Finder" one where customers can search by Social Security number, name and date of birth, address or telephone number; a database of U.S. consumer data "covering over 250 million individuals;" a database containing voter registration data that contains information on 100 million U.S. citizens; a criminal records one; and several more. Malware research group vx-underground said on X (formerly Twitter) that they reviewed the whole stolen database and could "confirm the data present in it is real and accurate."

Privacy

New York Times Source Code Stolen Using Exposed GitHub Token (bleepingcomputer.com) 52

The New York Times has confirmed that its internal source code was leaked on 4chan after being stolen from the company's GitHub repositories in January 2024. BleepingComputer reports: As first seen by VX-Underground, the internal data was leaked on Thursday by an anonymous user who posted a torrent to a 273GB archive containing the stolen data. "Basically all source code belonging to The New York Times Company, 270GB," reads the 4chan forum post. "There are around 5 thousand repos (out of them less than 30 are additionally encrypted I think), 3.6 million files total, uncompressed tar."

While BleepingComputer did not download the archive, the threat actor shared a text file containing a complete list of the 6,223 folders stolen from the company's GitHub repository. The folder names indicate that a wide variety of information was stolen, including IT documentation, infrastructure tools, and source code, allegedly including the viral Wordle game. A 'readme' file in the archive states that the threat actor used an exposed GitHub token to access the company's repositories and steal the data. The company said that the breach of its GitHub account did not affect its internal corporate systems and had no impact on its operations.

The Times said in a statement to BleepingComputer: "The underlying event related to yesterday's posting occurred in January 2024 when a credential to a cloud-based third-party code platform was inadvertently made available. The issue was quickly identified and we took appropriate measures in response at the time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity."
