×
The Courts

AI-powered 'Undressing' Websites Are Getting Sued (theverge.com) 107

The San Francisco City Attorney's office is suing 16 of the most frequently visited AI-powered "undressing" websites, often used to create nude deepfakes of women and girls without their consent. From a report: The landmark lawsuit, announced at a press conference by City Attorney David Chiu, says that the targeted websites were collectively visited over 200 million times in the first six months of 2024 alone.

The offending websites allow users to upload images of real, fully clothed people, which are then digitally "undressed" with AI tools that simulate nudity. One of these websites, which wasn't identified within the complaint, reportedly advertises: "Imagine wasting time taking her out on dates, when you can just use [the redacted website] to get her nudes."

Crime

Florida Man Arrested For Causing $700,000 In Damage At Solar Power Facility (gizmodo.com) 146

A 43-year-old Jordanian national, Hashem Younis Hashem Hnaihen, was arrested in Orlando, Florida, and charged with threatening to use explosives and destroying a solar power facility. According to the U.S. Department of Justice, the charges could result in up to 60 years in prison. Gizmodo reports: Hashem Younis Hashem Hnaihen allegedly smashed windows at local businesses in Florida, leaving behind threatening letters about their perceived support of Israel, and broke into a solar power generation facility in Wedgefield, Florida back in June. Hnaihen allegedly spent hours smashing solar panels, cutting various wires, and destroying critical electronic equipment, according to a press release from the DOJ issued Thursday.

Hnaihen was wearing a mask when he allegedly smashed the glass front doors of businesses that he thought supported Israel in June, the DOJ says, leaving behind "warning letters" that included lines like a desire to, "destroy or explode everything here in whole America. Especially the companies and factories that support the racist state of Israel." [...] Hnaihen was arrested on July 11, though news of his arrest was only made public today. Hnaihen entered a plea of not guilty and faces a maximum of 10 years in prison for each threat made against the Florida businesses and a maximum of 20 years for the destruction of an energy facility, according to the DOJ.

China

China-Linked Hackers Could Be Behind Cyberattacks On Russian State Agencies, Researchers Say (therecord.media) 46

According to Kaspersky, hackers linked to Chinese threat actors have targeted Russian state agencies and tech companies in a campaign named EastWind. The Record reports: [T]he attackers used the GrewApacha remote access trojan (RAT), an unknown PlugY backdoor and an updated version of CloudSorcerer malware, which was previously used to spy on Russian organizations. The GrewApacha RAT has been used by the Beijing-linked hacking group APT31 since at least 2021, the researchers said, while PlugY shares many similarities with tools used by the suspected Chinese threat actor known as APT27.

According to Kaspersky, the hackers sent phishing emails containing malicious archives. In the first stage of the attack, they exploited a dynamic link library (DLL), commonly found in Windows computers, to collect information about the infected devices and load the additional malicious tools. While Kaspersky didn't explicitly attribute the recent attacks to APT31 or APT27, they highlighted links between the tools that were used. Although PlugY malware is still being analyzed, it is highly likely that it was developed using the DRBControl backdoor code, the researchers said. This backdoor was previously linked to APT27 and bears similarities to PlugX malware, another tool typically used by hackers based in China.

Android

Google Sold Android Phones With Hidden Insecure Feature, Companies Find (washingtonpost.com) 30

Google's master software for some Android phones includes a hidden feature that is insecure and could be activated to allow remote control or spying on users, according to a security company that found it inside phones at a U.S. intelligence contractor. From a report: The feature appears intended to give employees at stores selling Pixel phones and other models deep access to the devices so they can demonstrate how they work, according to researchers at iVerify who shared their findings with The Washington Post. The discovery and Google's lack of explanation alarmed the intelligence contractor, data analysis platform vendor Palantir Technologies, to the extent that it has stopped issuing Android phones to employees, Palantir told The Post.

"Mobile security is a very real concern for us, given where we're operating and who we're serving," Palantir Chief Information Security Officer Dane Stuckey said. "This was very deleterious of trust, to have third-party, unvetted insecure software on it. We have no idea how it got there, so we made the decision to effectively ban Androids internally." The security company said it contacted Google about its findings more than 90 days ago and that the tech giant has not indicated whether it would remove or fix the application. On Wednesday night, Google told The Post that it would issue an update to remove the application. "Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update," said company spokesperson Ed Fernandez. He said distributors of other Android phones would also be notified.

The Courts

Artists Claim 'Big' Win In Copyright Suit Fighting AI Image Generators (arstechnica.com) 53

Ars Technica's Ashley Belanger reports: Artists defending a class-action lawsuit are claiming a major win this week in their fight to stop the most sophisticated AI image generators from copying billions of artworks to train AI models and replicate their styles without compensating artists. In an order on Monday, US district judge William Orrick denied key parts of motions to dismiss from Stability AI, Midjourney, Runway AI, and DeviantArt. The court will now allow artists to proceed with discovery on claims that AI image generators relying on Stable Diffusion violate both the Copyright Act and the Lanham Act, which protects artists from commercial misuse of their names and unique styles.

"We won BIG," an artist plaintiff, Karla Ortiz, wrote on X (formerly Twitter), celebrating the order. "Not only do we proceed on our copyright claims," but "this order also means companies who utilize" Stable Diffusion models and LAION-like datasets that scrape artists' works for AI training without permission "could now be liable for copyright infringement violations, amongst other violations." Lawyers for the artists, Joseph Saveri and Matthew Butterick, told Ars that artists suing "consider the Court's order a significant step forward for the case," as "the Court allowed Plaintiffs' core copyright-infringement claims against all four defendants to proceed."

Government

FTC Finalizes Rule Banning Fake Reviews, Including Those Made With AI (techcrunch.com) 35

TechCrunch's Lauren Forristal reports: The U.S. Federal Trade Commission (FTC) announced on Wednesday a final rule that will tackle several types of fake reviews and prohibit marketers from using deceptive practices, such as AI-generated reviews, censoring honest negative reviews and compensating third parties for positive reviews. The decision was the result of a 5-to-0 vote. The new rule will start being enforced 60 days after it's published in the official government publication called Federal Register. [...]

According to the final rule, the maximum civil penalty for fake reviews is $51,744 per violation. However, the courts could impose lower penalties depending on the specific case. "Ultimately, courts will also decide how to calculate the number of violations in a given case," the Commission wrote. [...] The FTC initially proposed the rule on June 30, 2023, following an advanced notice of proposed rulemaking issued in November 2022. You can read the finalized rule here (PDF), but we also included a summary of it below:

- No fake or disingenuous reviews. This includes AI-generated reviews and reviews from anyone who doesn't have experience with the actual product.
- Businesses can't sell or buy reviews, whether negative or positive.
- Company insiders writing reviews need to clearly disclose their connection to the business. Officers or managers are prohibited from giving testimonials and can't ask employees to solicit reviews from relatives.
- Company-controlled review websites that claim to be independent aren't allowed.
- No using legal threats, physical threats or intimidation to forcefully delete or prevent negative reviews. Businesses also can't misrepresent that the review portion of their website comprises all or most of the reviews when it's suppressing the negative ones.
- No selling or buying fake engagement like social media followers, likes or views obtained through bots or hacked accounts.

Businesses

Disney Says Disney+ TOS Means Man Can't Sue For Wife's Fatal Allergic Reaction 205

New submitter beamdriver writes: As is being reported in Newsday, Disney has asked a Florida court to dismiss a wrongful-death lawsuit filed by the husband of a Carle Place physician who suffered a fatal allergic reaction after eating at a Disney Springs restaurant.

The company cited legal language agreed to years earlier when Jeffrey Piccolo, widower of Kanokporn Tangsuan, 42, of Plainview, signed up for a one-month trial of the Disney+ streaming service that requires users to arbitrate all disputes with the company, records show.

Kanokporn Tangsuan, died in October after dining with her husband, Jeffrey Piccolo, at a restaurant in a section of the Walt Disney World Resort. Despite informing the waitstaff several times of her severe peanut and dairy allergies and receiving assurances that her meal would be allergen-free, she began having severe difficulty breathing shortly after dinner. She self-administered an epi-pen and was transported to a hospital, where she later died.

A medical examiner attributed her death to anaphylaxis due to elevated levels of dairy and nuts in her system, according to the suit.
The Courts

Lawsuit Attacks Florida's Lab-Grown Meat Ban As Unconstitutional (wired.com) 183

An anonymous reader quotes a report from Wired: Florida's ban on cultivated meat is being challenged in federal court in a lawsuit that was filed yesterday. The case is being brought by the cultivated meat firm Upside Foods and the Institute of Justice (IJ), a nonprofit public interest law firm. Florida governor Ron DeSantis signed the legislation making the sale of cultivated meat illegal in Florida on May 1, and the bill came into effect on July 1. Alabama passed a similar bill banning cultivated meat that will come into effect from October 1. The case brought by Upside Foods and the IJ argues that Florida's ban is unconstitutional in three different ways. First, they argue, the ban violates theSupremacy Clause that gives federal law priority over state law in certain instances. The court case argues that the Florida ban violates two different provisions in the Federal Meat Inspection Act and Poultry Products Inspection Act.

The legal complaint (PDF) also alleges that the ban violates theCommerce Clause, which gives the US Congress exclusive power to regulate interstate commerce. The IJ argues that the Commerce Clause restricts states from enacting laws that unduly restrict interstate commerce, and that Florida's ban in its current form has the effect of discriminating against it. "Florida's law has nothing to do with protecting health and safety," said IJ senior attorney Paul Sherman in a press conference today. "It is a transparent example of economic protectionism." Sherman said that Upside Foods and the IJ would also apply for a preliminary injunction that would allow the company to sell cultivated meat in Florida while the legal challenge is still ongoing. The complaint says that Upside had planned to distribute its cultivated chicken at Art Basel in Miami in early December 2024. The company protested the Florida ban by holding a tasting of its chicken on June 27 in Miami, shortly before the ban came into effect. Sherman said that the Alabama ban was also "in our sights" but that the IJ had targeted the Florida law as it came into effect before the Alabama ban. "We're hoping we'll be able to get a quick ruling [in Florida] on a preliminary injunction there," and use that as a precedent to challenge the Alabama ban, he said.
"Consumers should decide what kind of meat they want to buy and feed their families -- not politicians," said the Good Food Institute (GFI), a nonprofit focused on advancing alternative proteins and which is serving as a consulting consul in this case. "This lawsuit seeks to protect these consumer rights, along with the rights of companies to compete in a fair and open marketplace."
Transportation

Texas Sues General Motors, Alleging Illegal Selling of Driver Data (cnn.com) 25

In a press release today, Texas Attorney General Ken Paxton said he has filed a lawsuit against General Motors, alleging the carmaker illegally collected and sold drivers' data to insurance companies without their consent or knowledge. CNN reports: In car models from 2015 and later, the Detroit-based car manufacturer allegedly used technology to "collect, record, analyze, and transmit highly detailed driving data about each time a driver used their vehicle," according to the AG's statement. General Motors sold this information to several other companies, including to at least two companies for the purpose of generating "Driving Scores" about GM's customers, the AG alleged. The suit said those two companies then sold these scores to insurance companies.

Insurance companies can use data to see how many times people exceeded a speed limit or obeyed other traffic laws. Some insurance firms ask customers if they want to voluntarily opt-in to such programs, promising lower rates for safer drivers. But the attorney general's office claimed GM "deceived" its Texan customers by encouraging them to enroll in programs such as OnStar Smart Driver. But by agreeing to join these programs, customers also unknowingly agreed to the collection and sale of their data, the attorney general's office said. "Despite lengthy and convoluted disclosures, General Motors never informed its customers of its actual conduct -- the systematic collection and sale of their highly detailed driving data," the AG's office said in a statement.
The filing can be read here (PDF).
The Courts

OceanGate Submersible Victim's Family Sues For $50 Million, Partly Blames $30 Logitech Controller (extremetech.com) 92

An anonymous reader quotes a report from ExtremeTech: The family of a French mariner who died on the imploded Titan submersible last year has sued Titan's maker, OceanGate Expeditions, for more than $50 million. The lawsuit claims OceanGate is responsible for explorers' suffering immediately preceding their deaths, as well as for failing to disclose the extent of the submersible's risks. Among those risks are Titan's cheap materials, including the $30 Logitech gaming controller used aboard the vehicle. [...]

The lawsuit points at Titan's "hip, contemporary, wireless electronics system" and then alleges that none of the controllers or gauges inside Titan would operate without a constant source of power and a wireless signal. One of those controllers was a modified Logitech F710 Gamepad, a $30 to $40 device designed for, well, gaming. The gamepad quickly became the subject of internet mockery following the loss of Titan; some speculators said the submersible must have been doomed to fail if it used such cheap components. The lawsuit even claims the controller's Bluetooth (rather than wired) connectivity set it up for failure. Still, other speculators believe the controller wouldn't have had much impact on the submersible's operational durability. Instead, the issue would have been with the vehicle's carbon fiber pressure cylinder, which Rush allegedly bought off Boeing at a discount after the material passed its "airplane shelf life." Regardless of the exact material, it seems the consensus among members of the public is that for OceanGate, quality was an afterthought.

Crime

Locking Up Items To Deter Shoplifting Is Pushing Shoppers Online (axios.com) 276

Longtime Slashdot reader schwit1 shares a report from Axios: Locking up merchandise at drugstores and discount retailers hasn't curbed retail theft but is driving frustrated consumers to shop online more, retail experts tell Axios. Retail crime is eating into retailers' profits and high theft rates are also leading to a rise in store closures. Secured cases can cause sales to drop 15% to 25%, Joe Budano, CEO of anti-theft technology company Indyme, previously told Axios. Barricading everything from razors to laundry detergent has largely backfired and broken shopping in America, Bloomberg reports.

Aisles full of locked plexiglass cases are common at many CVS and Walgreens stores where consumers have to wait for an employee to unlock them. Target, Walmart, Dollar General and other retailers have also pulled back on self-checkout to deter shoplifting. "Locking up products worsens the shopping experience, and it makes things inconvenient and difficult," GlobalData retail analyst Neil Saunders said, adding it pushes shoppers to other retailers or to move purchases online.

Driving the news: Manmohan Mahajan, Walgreens global chief financial officer, said in a June earnings call that the retailer was experiencing "higher levels of shrink." Amazon CEO Andy Jassy spoke of the "speed and ease" of ordering online versus walking into pharmacies on a call with investors last week. "It's a pretty tough experience with how much is locked behind cabinets, where you have to press a button to get somebody to come out and open the cabinets for you," Jassy said.
schwit1 adds: "The American-style retail shopping experience was invented in a high-trust environment. As trust erodes, so does the experience."
Privacy

Federal Appeals Court Finds Geofence Warrants Are 'Categorically' Unconstitutional (eff.org) 41

An anonymous reader quotes a report from the Electronic Frontier Foundation (EFF): In a major decision on Friday, the federal Fifth Circuit Court of Appeals held (PDF) that geofence warrants are "categorically prohibited by the Fourth Amendment." Closely following arguments EFF has made in a number of cases, the court found that geofence warrants constitute the sort of "general, exploratory rummaging" that the drafters of the Fourth Amendment intended to outlaw. EFF applauds this decision because it is essential that every person feels like they can simply take their cell phone out into the world without the fear that they might end up a criminal suspect because their location data was swept up in open-ended digital dragnet. The new Fifth Circuit case, United States v. Smith, involved an armed robbery and assault of a US Postal Service worker at a post office in Mississippi in 2018. After several months of investigation, police had no identifiable suspects, so they obtained a geofence warrant covering a large geographic area around the post office for the hour surrounding the crime. Google responded to the warrant with information on several devices, ultimately leading police to the two defendants.

On appeal, the Fifth Circuit reached several important holdings. First, it determined that under the Supreme Court's landmark ruling in Carpenter v. United States, individuals have a reasonable expectation of privacy in the location data implicated by geofence warrants. As a result, the court broke from the Fourth Circuit's deeply flawed decision last month in United States v. Chatrie, noting that although geofence warrants can be more "limited temporally" than the data sought in Carpenter, geofence location data is still highly invasive because it can expose sensitive information about a person's associations and allow police to "follow" them into private spaces. Second, the court found that even though investigators seek warrants for geofence location data, these searches are inherently unconstitutional. As the court noted, geofence warrants require a provider, almost always Google, to search "the entirety" of its reserve of location data "while law enforcement officials have no idea who they are looking for, or whether the search will even turn up a result." Therefore, "the quintessential problem with these warrants is that they never include a specific user to be identified, only a temporal and geographic location where any given user may turn up post-search. That is constitutionally insufficient."

Unsurprisingly, however, the court found that in 2018, police could have relied on such a warrant in "good faith," because geofence technology was novel, and police reached out to other agencies with more experience for guidance. This means that the evidence they obtained will not be suppressed in this case.

Republicans

FBI Investigating After Trump Campaign Says It Was Hacked (thehill.com) 75

Over the weekend, former President Donald Trump's campaign said that it had been hacked, with internal documents reportedly obtained illegally by foreign sources to interfere with the 2024 election. While the Trump campaign claimed that Iran was responsible, it is unclear who exactly was behind the incident. The FBI said it was aware of the allegations and confirmed Monday that it is "investigating this matter." The Hill reports: U.S. agencies have thus far failed to comment on the claims that Iran was responsible for the hack, even as recent intelligence community reports have noted growing Iranian efforts to influence the U.S. election. "This is something we've raised for some time, raised concerns that Iranian cyber actors have been seeking to influence elections around the world including those happening in the United States," John Kirby, the White House's national security communications adviser, told reporters Monday. "These latest attempts to interfere in U.S. elections is nothing new for the Iranian regime, which from our vantage point has attempted to undermine democracies for many years now."

A report from the Office of the Director of National Intelligence released last month noted Iranian efforts designed to "fuel distrust in U.S. political institutions and increase social discord." "The IC has observed Tehran working to influence the presidential election, probably because Iranian leaders want to avoid an outcome they perceive would increase tensions with the United States. Tehran relies on vast webs of online personas and propaganda mills to spread disinformation," the report states, including being particularly active on exacerbating tensions over the Israel-Gaza conflict.

Printer

Stratasys Sues Bambu Lab Over Patents Used Widely By Consumer 3D Printers (arstechnica.com) 36

An anonymous reader quotes a report from Ars Technica: A patent lawsuit filed by one of 3D printing's most established firms against a consumer-focused upstart could have a big impact on the wider 3D-printing scene. In two complaints, (1, 2, PDF) filed in the Eastern District of Texas, Marshall Division, against six entities related to Bambu Lab, Stratasys alleges that Bambu Lab infringed upon 10 patents that it owns, some through subsidiaries like Makerbot (acquired in 2013). Among the patents cited are US9421713B2, "Additive manufacturing method for printing three-dimensional parts with purge towers," and US9592660B2, "Heated build platform and system for three-dimensional printing methods."

f There are not many, if any, 3D printers sold to consumers that do not have a heated bed, which prevents the first layers of a model from cooling during printing and potentially shrinking and warping the model. "Purge towers" (or "prime towers" in Bambu's parlance) allow for multicolor printing by providing a place for the filament remaining in a nozzle to be extracted and prevent bleed-over between colors. Stratasys' infringement claims also target some fundamental technologies around force detection and fused deposition modeling (FDM) that, like purge towers, are used by other 3D-printer makers that target entry-level and intermediate 3D-printing enthusiasts.

Crime

Are Banks Doing Enough to Protect Customers from Zelle Scams? US Launches Federal Probe (yahoo.com) 82

"Zelle payments can't be reversed once they're sent," notes the Los Angeles Times — which could be why they're popular with scammers. "You can't simply stop the payment (like a check) or dispute it (like a credit card). Now, the federal regulator overseeing financial products is probing whether banks that offer Zelle to their account holders are doing enough to protect them against scams. Two major banks — JPMorgan Chase and Wells Fargo — disclosed in their security filings in the last week that they'd been contacted by the Consumer Financial Protection Bureau. According to the Wall Street Journal, which reported the filings Wednesday, the CFPB is exploring whether banks are moving quickly enough to shut down scammers' accounts and whether they're doing enough to identify and prevent scammers from signing up for accounts in the first place...

A J.D. Power survey this year found that 3% of the people who'd used Zelle said they had lost money to scammers, which was less than the average for peer-to-peer money transfer services such as Venmo, CashApp and PayPal. The chief executive of Early Warning Services, which runs Zelle, told a Senate subcommittee in July that only 0.1% of the transactions on Zelle involved a scam or fraud; in 2023, the company said, that percentage was 0.05%. But Zelle operates at such a large scale — 120 million users, 2.9 billion transactions and $806 billion transferred in 2023, according to Early Warning Services — that even a tiny percentage of scam and fraud problems translates into a large number of users and dollars... From 2022 to 2023, Zelle cut the rate of scams by nearly 50% even as the volume of transactions grew 28%, resulting in less money scammed in 2023 than in 2022, said Ben Chance, the chief fraud risk management officer for Zelle. The company didn't disclose the amounts involved, but if 0.05% of the $806 billion transferred in 2023 involved scam or fraud, that would translate to $403 million.

Do Zelle users get reimbursed for scams? Only in certain cases, and this is where the banks that offer Zelle have drawn the most heat. If you use Zelle to pay a scammer, banks say, that's a payment you authorized, so they're not obliged under law to refund your money... Some banks, such as Bank of America, say they will put a freeze on transfers by a suspected scammer as soon as a report comes in, then investigate and, if the report is substantiated, seize and return the money. But that works only if the scam is reported right away, before the scammer has the chance to withdraw the funds — which many will do immediately, said Iskander Sanchez-Rola, director of innovation at the cybersecurity company Gen.

Government

Can a Free Business Rent Program Revive San Francisco's Downtown? (yahoo.com) 95

The New York Times visits the downtown of one of America's biggest tech cities to explore San Francisco's "Vacant to Vibrant" initiative, where "city and business leaders provide free rent for up to six months" to "entrepreneurs who want to set up shop in empty spaces, many of which are on the ground floor of office buildings."

The program also offers funding for business expenses (plus technical and business permit assistance) — and it seems to be working. One cafe went on to sign a five-year lease for a space in the financial district's iconic One Embarcadero Center building — and the building's landlord says the program also resulted in another three long leases. Can the progress continue? The hope is that these pop-up operations will pay rent and sign longer leases after the free-rent period is over, and that their presence will regenerate foot traffic in the area. Some 850 entrepreneurs initially applied for a slot, and 17 businesses were chosen to occupy nine storefront spaces in the fall. Out of those businesses, seven extended their leases and now pay rent. Eleven businesses were selected in May for the program's second cohort, which started operating their storefronts this summer...

The city's office vacancy rate hit 33.7%, a record high, in the second quarter this year, according to JLL, a commercial real estate brokerage. That's one of the bleakest office markets in the nation, which has an average vacancy rate of about 22%. For the moment, however, San Francisco has a silver lining in Vacant to Vibrant. Rod Diehl, the BXP executive vice president who oversees its West Coast properties, said the pop-up strategy was good not just for local business owners to test their concepts and explore growth opportunities, but also for office leasing efforts... Beyond free rent, which is typically given for three months with a possibility for another three months, Vacant to Vibrant provides up to $12,000 to the businesses to help cover insurance and other expenses. The program also offers grants up to $5,000 for building owners to cover costs for tenant improvements in the spaces as well as for other expenses like utilities...

In addition to the Vacant to Vibrant program — which received $1 million from the city initially and is set to receive another $1 million for the current fiscal year, which began July 1 — the city is directing nearly $2 million toward a similar pop-up program. This new program would help businesses occupy larger empty spaces along Powell Street, as crime and other retail pressures have driven out several retailers, including Anthropologie, Banana Republic and Crate & Barrel, in the Union Square area.

One business owner who joined "Vacant to Vibrant" in May says they haven't decided yet whether to sign a lease. "It's not as crowded as before the pandemic." But according to the article, "she was hopeful that more businesses opening nearby would attract more people."

"In addition to filling empty storefronts, the program has the opportunity to bring in a fresher and more localized downtown shopping vibe, said Laurel Arvanitidis, director for business development at San Francisco's Office of Economic and Workplace Development." Victor Gonzalez, an entrepreneur who founded GCS Agency to stage showings for artists, is embracing the opportunity to get a foothold downtown despite the city's challenges. When he opened a storefront as part of the first Vacant to Vibrant cohort in the Financial District last year, he immediately knew that he wanted to stay there as long as possible. He has since signed a three-year lease. "San Francisco is no stranger to big booms and busts," he said. "So if we're in the midst of a bust, what's next? It's a boom. And I want to be positioned to be part of it."
Transportation

Kia and Hyundai's New Anti-Theft Software is Lowering Car-Stealing Rates (cnn.com) 43

An anonymous reader shared this report from CNN: More than a year after Hyundai and Kia released new anti-theft software updates, thefts of vehicles with the new software are falling — even as thefts overall remain astoundingly high, according to a new analysis of insurance claim data. The automakers released the updates starting last February, after a tenfold increase in thefts of certain Hyundai and Kia models in just the past three years — sparked by a series of social media posts that showed people how to steal the vehicles. "Whole vehicle" theft claims — insurance claims for the loss of the entire vehicle — are 64% lower among the Hyundai and Kia cars that have had the software upgrade, compared to cars of the same make, model and year without the upgrade, according to the Highway Loss Data Institute. "The companies' solution is extremely effective," Matt Moore, senior vice president of HLDI, an industry group backed by auto insurers, said in a statement...

Between early 2020 and the first half of 2023, thefts of Hyundai and Kia models rose more than 1,000%.

The article points out that HDLI's analysis covered 2023, and "By the end of that year, only about 30% of vehicles eligible for the security software had it installed. By now, around 61% of eligible Hyundai vehicles have the software upgrade, a Hyundai spokesperson said."

The car companies told CNN that more than 2 million Hyundai and Kia vehicles have gotten the update (part of a $200 million class action settlement reached in May of 2023).
Crime

Cyber-Heist of 2.9 Billion Personal Records Leads to Class Action Lawsuit (theregister.com) 18

"A lawsuit has accused a Florida data broker of carelessly failing to secure billions of records of people's private information," reports the Register, "which was subsequently stolen from the biz and sold on an online criminal marketplace." California resident Christopher Hofmann filed the potential class-action complaint against Jerico Pictures, doing business as National Public Data, a Coral Springs-based firm that provides APIs so that companies can perform things like background checks on people and look up folks' criminal records. As such National Public Data holds a lot of highly personal information, which ended up being stolen in a cyberattack. According to the suit, filed in a southern Florida federal district court, Hofmann is one of the individuals whose sensitive information was pilfered by crooks and then put up for sale for $3.5 million on an underworld forum in April.

If the thieves are to be believed, the database included 2.9 billion records on all US, Canadian, and British citizens, and included their full names, addresses, and address history going back at least three decades, social security numbers, and the names of their parents, siblings, and relatives, some of whom have been dead for nearly 20 years.

Hofmann's lawsuit says he 'believes that his personally identifiable information was scraped from non-public sources," according to the article — which adds that Hofmann "claims he never provided this sensitive info to National Public Data...

"The Florida firm stands accused of negligently storing the database in a way that was accessible to the thieves, without encrypting its contents nor redacting any of the individuals' sensitive information." Hofmann, on behalf of potentially millions of other plaintiffs, has asked the court to require National Public Data to destroy all personal information belonging to the class-action members and use encryption, among other data protection methods in the future... Additionally, it seeks unspecified monetary relief for the data theft victims, including "actual, statutory, nominal, and consequential damages."
Government

How America's FBI Sabotaged Tech-Stealing Spies from the USSR (politico.com) 27

FBI agent Rick Smith remembered seeing that Austrian-born Silicon Valley entrepreneur one year earlier — walking into San Francisco's Soviet Consulate in the early 1980s. Their chance reunion at a bar "would sow the seeds for a major counterintelligence campaign," writes a national security journalist in Politico, describing the collaboration as "an FBI-led operation that sold the Soviet Bloc millions in secretly sabotaged U.S. hi-tech."

The Austrian was already selling American tech goods to European countries, and "By the early 1980s, the FBI knew the Soviet Union was desperate for cutting-edge American technology, like the U.S.-produced microchips then revolutionizing a vast array of digital devices, including military systems..." Moscow's spies worked assiduously to steal such dual use tech or purchase it covertly. The Soviet Union's ballistic missile programs, air defense systems, electronic spying platforms, and even space shuttles, depended on it.... But such tech-focused sanctions-evasion schemes by America's foes offer opportunities for U.S. intelligence, too — including the opportunity to launch ultra-secret sabotage campaigns to alter sensitive technologies before they reach their final destination... Working under the FBI's direction, the Austrian agreed to pose as a crook, a man willing to sell prohibited technology to the communist Eastern Bloc... [T]he FBI and the Austrian would seed faulty tech to Moscow and its allies; drain the Soviet Bloc's coffers; expose its intelligence officers and secret American conspirators; and reveal to American counterspies exactly what tech the Soviets were after...

[T]he Soviet Bloc would unknowingly purchase millions of dollars' worth of sabotaged U.S. goods. Communist spies, ignorant that they were being played, would be feted with a literal parade in a Warsaw Pact capital for their success in purchasing this forbidden technology from the West... The Austrian's connections now presented a major opportunity. The Bulgarians, and their East German and Russia allies, were going to get that forbidden tech. But not before the FBI tampered with it first...

Some of the tech was subtly altered before the Bulgarians could get their hands on it. Some was rendered completely unusable. Some of it was shipped unadulterated to keep the operation humming — and allay any suspicions from the Eastern Bloc about what might be going on. And some of it never made its way to the Bulgarians at all. In one case, the bureau intercepted a $400,000 order of computer hardware from the San Jose-based firm Proquip and shipped out 6,000 pounds of sandbags instead.... Some suffered what appeared to be "accidental" wear-and-tear during the long journey to the Eastern Bloc, recalled Ed Appel [a former senior FBI official]. Other times, the FBI would tamper with the electronics so they would experience "chance" voltage overloads once Soviet Bloc operatives plugged them in. The sabotage could also be more subtle, designed to degrade machine parts or microchips over time, or to render hi-tech tools that required intense precision slightly, if imperceptibly, inaccurate.

The article concludes that "While the Soviet Union might have imploded over three decades ago... Russia's intelligence services are still scouring the globe for prohibited U.S. tech, particularly since Moscow's February 2022 invasion of Ukraine...

"Russia has reportedly even covertly imported household items like refrigerators and washing machines to rip out the microchips within them for use in military equipment."
Crime

North Korean Group Infiltrated 100-Plus Firms with Imposter IT Pros (csoonline.com) 16

"CrowdStrike has continued doing what gave it such an expansive footprint in the first place," writes CSO Online — "detecting cyber threats and protecting its clients from them."

They interviewed Adam Meyers, CrowdStrike's SVP of counter adversary operations, whose team produced their 2024 Threat Hunting Report (released this week at the Black Hat conference). Of seven case studies presented in the report, the most daring is that of a group CrowdStrike calls Famous Chollima, an alleged DPRK-nexus group. Starting with a single incident in April 2024, CrowdStrike discovered that a group of North Koreans, posing as American workers, had been hired for multiple remote IT worker jobs in early 2023 at more than thirty US-based companies, including aerospace, defense, retail, and technology organizations.

CrowdStrike's threat hunters discovered that after obtaining employee-level access to victim networks, the phony workers performed at minimal enough levels to keep their jobs while attempting to exfiltrate data using Git, SharePoint, and OneDrive and installing remote monitoring and management (RMM) tools RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop. The workers leveraged these RMM tools with company network credentials, enabling numerous IP addresses to connect to victims' systems.

CrowdStrike's OverWatch hunters, a team of experts conducting analysis, hunted for RMM tooling combined with suspicious connections surfaced by the company's Falcon Identity Protection module to find more personas and additional indicators of compromise. CrowdStrike ultimately found that over 100 companies, most US-based technology entities, had hired Famous Chollima workers. The OverWatch team contacted victimized companies to inform them about potential insider threats and quickly corroborated its findings.

Thanks to Slashdot reader snydeq for sharing the news.

Slashdot Top Deals