"Sometimes, government makes a bad bet..." writes the Los Angeles Times. Opening in 2014, the Ivanpah concentrated solar plant "quickly became known as an expensive, bird-killing eyesore." Assuming that state officials sign off — which they most likely will, because the deal will lead to lower bills for PG&E customers — two of the three towers will shut down come 2026. Ivanpah's owners haven't paid off the project's $1.6-billion federal loan, and it's unclear whether they'll be able to do so. Houston-based NRG Energy, which operates Ivanpah and is a co-owner with Kelvin Energy and Google, said that federal officials took part in the negotiations to close PG&E's towers and that the closure agreement will allow the federal government "to maximize the recovery of its loans." It's possible Ivanpah's third and final tower will close, too. An Edison spokesperson told me the utility is in "ongoing discussions" with the project's owners and the federal government over ending the utility's contract.

It might be tempting to conclude government should stop placing bets and just let the market decide. But if it weren't for taxpayers dollars, large-scale solar farms, which in 2023 produced 17% of California's power, might never have matured into low-cost, reliable electricity sources capable of displacing planet-warming fossil fuels. More than a decade ago, federal loans helped finance some of the nation's first big solar-panel farms.

Not every government investment will be a winner. Renewable energy critics still raise the specter of Solyndra, a solar panel manufacturer that filed for bankruptcy in 2011 after receiving a $535-million federal loan. But on the whole, clean power investments have worked out. The U.S. Department of Energy reported that as of Dec. 31, it had disbursed $40.5 billion in loans. Of that amount, $15.2 billion had already been repaid. The federal government was on the hook for $1.03 billion in estimated losses but had reaped $5.6 billion in interest.
The article notes recent U.S. energy-related loans to a lithium mine in Nevada (close to $1 billion) and $15 billion to expand hydropower, upgrade power lines, and add batteries. Some of the loans won't get paid back "If federal officials are doing their jobs well," the article adds. "That's the risk inherent to betting on early-stage technologies." About the Ivanpah solar towers, they write "Maybe they never should have been built. They're too expensive, they don't work right, they kill too many birds... It's good that their time is coming to an end. But we should take inspiration from them, too: Don't get complacent. Keep trying new things."

PG&E says their objective at the time was partly to "support new technologies," with one senior director of commercial procurement noting "It's not clear in the early stages what technologies will work best and be most affordable for customers. Solar photovoltaic panels and battery energy storage were once unaffordable at large scale." But today they've calculated that ending their power agreements with Ivanpah would cost customers "substantially less." And once deactivated, Ivanpah's units "will be decommissioned, providing an opportunity for the site to potentially be repurposed for renewable PV energy production," NRG said in a statement.

The Las Vegas Review-Journal notes that instead the 3,500-acre, 386-megawatt concentrated thermal power plant used a much older technology, "a system of mirrors to reflect sunlight and generate thermal energy, which is then concentrated to power a steam engine." Throughout the day, 350,000 computer-controlled mirrors track the sunlight and reflect it onto boilers atop 459-foot towers to generate AC. Nowadays, photovoltaic solar has surpassed concentrated solar power and become the dominant choice for renewable, clean energy, being more cost effective and flexible... So many birds have been victims of the plant's concentrated sun rays that workers referred to them as "streamers," for the smoke plume that comes from birds that ignite in midair. When federal wildlife investigators visited the plant around 10 years ago, they reported an average of one "streamer" every two minutes.
"Meanwhile, environmentalists continue to blame the Mojave Desert plant for killing thousands of birds and tortoises," reports the Associated Press. And a Sierra Club campaign organizer also says several rare plant species were destroyed during the plant's construction. "While the Sierra Club strongly supports innovative clean energy solutions and recognizes the urgent need to transition away from fossil fuels, Ivanpah demonstrated that not all renewable technologies are created equal."

"A jury may never see the gun that authorities say was used to kill Blake Story last year," reports Cleveland.com.

"That's because Cleveland police used a facial recognition program — one that explicitly says its results are not admissible in court — to obtain a search warrant, according to court documents." The search turned up what police say is the murder weapon in the suspect's home. But a Cuyahoga County judge tossed that evidence after siding with defense attorneys who argued that the search warrant affidavit was misleading and relied on inadmissible evidence. If an appeals court upholds the judge's ruling to suppress the evidence, prosecutors acknowledge their case is likely lost...

The company that produced the facial recognition report, Clearview AI, has been used in hundreds of law enforcement investigations throughout Ohio and has faced lawsuits over privacy violations.

Not only does Cleveland lack a policy governing the use of artificial intelligence, Ohio lawmakers also have failed to set standards for how police use the tool to investigate crimes. "It's the wild, wild west in Ohio," said Gary Daniels, a lobbyist for the American Civil Liberties Union. The lack of state regulation of how law enforcement uses advanced technologies — no laws similarly govern the use of drones or license plate readers — means it is essentially up to agencies how they use the tools.
The affidavit for the search warrant was signed by a 28-year police force veteran, according to the article — but it didn't disclose the use of Clearview's technology.

Clearview's report acknowledged their results were not admissible in court — but then provided the suspect's name, arrest record, Social Security number, according to the article, and "noted he was the most likely match for the person in the convenience store."

Thanks to tlhIngan (Slashdot reader #30,335) for sharing the news.

Earlier this month, a civilian drone collided with a Canadian CL-415 firefighting plane combating the Palisades Fire, causing damage that grounded the aircraft and temporarily halted all aerial firefighting operations. Federal and state officials have since identified the operator of that drone as Peter Tripp Akemann of Culver City, who has agreed to plead guilty to a misdemeanor, pay a fine and complete community service. Prosecutors said he could still face up to a year in federal prison. The Los Angeles Times reports: The drone, which authorities say was flying in restricted airspace on Jan. 9, put a fist-sized hole in the left wing of a Super Scooper -- a massive fixed-wing plane that can drop large amounts of water onto a fire. The collision knocked the plane out of commission for about five days and destroyed the drone.

"Like a lot of individuals, he was curious about what was happening in that area," acting U.S. Atty. Joseph T. McNally said on Friday. "The problem with that... is with the amount of firefighting planes you have in that area dropping so they can get water in the Pacific Ocean it interferes with those operations. It's not the time to fly drones anytime that we have these emergencies in Southern California."

As part of the plea agreement, Akemann agreed to pay full restitution to the government of Quebec, Canada, which supplied the plane, and the company that repaired the plane. It cost at least $65,169 to fix the aircraft, prosecutors said. Akemann also agreed to complete 150 hours of community service in support of wildfire relief efforts.

Nearly 100 journalists and other members of civil society using WhatsApp, the popular messaging app owned by Meta, were targeted by spyware owned by Paragon, an Israeli maker of hacking software, the company alleged today. From a report: The journalists and other civil society members were being alerted of a possible breach of their devices, with WhatsApp telling the Guardian it had "high confidence" that the users in question had been targeted and "possibly compromised."

The company declined to disclose where the journalists and members of civil society were based, including whether they were based in the US. The company said it had sent Paragon a "cease and desist" letter and that it was exploring its legal options. WhatsApp said the alleged attacks had been disrupted in December and that it was not clear how long the targets may have been under threat.

Italy's data protection agency has blocked the Chinese AI chatbot DeekSeek after its developers failed to disclose how it collects user data or whether it is stored on Chinese servers. Reuters reports: DeepSeek could not be accessed on Wednesday in Apple or Google app stores in Italy, the day after the authority, known also as the Garante, requested information on its use of personal data. In particular, it wanted to know what personal data is collected, from which sources, for what purposes, on what legal basis and whether it is stored in China. The authority's decision -- aimed at protecting Italian users' data -- came after the Chinese companies that supply chatbot service to DeepSeek provided information that "was considered to totally insufficient," the authority said in a note on its website. The Garante added that the decision had "immediate effect" and that it had also opened an investigation. Thanks to new submitter axettone for sharing the news.

An anonymous reader quotes a report from 404 Media: Datasets aggregated on data.gov, the largest repository of U.S. government open data on the internet, are being deleted, according to the website's own information. Since Donald Trump was inaugurated as president, more than 2,000 datasets have disappeared from the database. As people in the Data Hoarding and archiving communities have pointed out, on January 21, there were 307,854 datasets on data.gov. As of Thursday, there are 305,564 datasets. Many of the deletions happened immediately after Trump was inaugurated, according to snapshots of the website saved on the Internet Archive's Wayback Machine. Harvard University researcher Jack Cushman has been taking snapshots of Data.gov's datasets both before and after the inauguration, and has worked to create a full archive of the data.

"Some of [the entries link to] actual data," Cushman told 404 Media. "And some of them link to a landing page [where the data is hosted]. And the question is -- when things are disappearing, is it the data it points to that is gone? Or is it just the index to it that's gone?" For example, "National Coral Reef Monitoring Program: Water Temperature Data from Subsurface Temperature Recorders (STRs) deployed at coral reef sites in the Hawaiian Archipelago from 2005 to 2019," a NOAA dataset, can no longer be found on data.gov but can be found on one of NOAA's websites by Googling the title. "Stetson Flower Garden Banks Benthic_Covage Monitoring 1993-2018 -- OBIS Event," another NOAA dataset, can no longer be found on data.gov and also appears to have been deleted from the internet. "Three Dimensional Thermal Model of Newberry Volcano, Oregon," a Department of Energy resource, is no longer available via the Department of Energy but can be found backed up on third-party websites. [...]

Data.gov serves as an aggregator of datasets and research across the entire government, meaning it isn't a single database. This makes it slightly harder to archive than any individual database, according to Mark Phillips, a University of Northern Texas researcher who works on the End of Term Web Archive, a project that archives as much as possible from government websites before a new administration takes over. "Some of this falls into the 'We don't know what we don't know,'" Phillips told 404 Media. "It is very challenging to know exactly what, where, how often it changes, and what is new, gone, or going to move. Saving content from an aggregator like data.gov is a bit more challenging for the End of Term work because often the data is only identified and registered as a metadata record with data.gov but the actual data could live on another website, a state .gov, a university website, cloud provider like Amazon or Microsoft or any other location. This makes the crawling even more difficult."

Phillips said that, for this round of archiving (which the team does every administration change), the project has been crawling government websites since January 2024, and that they have been doing "large-scale crawls with help from our partners at the Internet Archive, Common Crawl, and the University of North Texas. We've worked to collect 100s of terabytes of web content, which includes datasets from domains like data.gov." [...] It is absolutely true that the Trump administration is deleting government data and research and is making it harder to access. But determining what is gone, where it went, whether it's been preserved somewhere, and why it was taken down is a process that is time intensive and going to take a while. "One thing that is clear to me about datasets coming down from data.gov is that when we rely on one place for collecting, hosting, and making available these datasets, we will always have an issue with data disappearing," Phillips said. "Historically the federal government would distribute information to libraries across the country to provide greater access and also a safeguard against loss. That isn't done in the same way for this government data."

A proposed class-action lawsuit accuses Amazon of secretly tracking consumers' movements through their cellphones via its Amazon Ads SDK embedded in third-party apps, allegedly collecting sensitive geolocation data without consent. The complaint, filed by a California resident in a San Francisco federal court, claims Amazon violated state laws on unauthorized computer access in the process. Reuters reports: This allegedly enabled Amazon to collect an enormous amount of timestamped geolocation data about where consumers live, work, shop and visit, revealing sensitive information such as religious affiliations, sexual orientations and health concerns. "Amazon has effectively fingerprinted consumers and has correlated a vast amount of personal information about them entirely without consumers' knowledge and consent," the complaint said.

The complaint was filed by Felix Kolotinsky of San Mateo, California, who said Amazon collected his personal information through the "Speedtest by Ookla" app on his phone. He said Amazon's conduct violated California's penal law and a state law against unauthorized computer access, and seeks unspecified damages for millions of Californians.

Longtime Slashdot reader nunya_bizns shares a report from Reuters: The U.S. Department of Justice has sued to block Hewlett Packard Enterprise's $14 billion deal to acquire networking gear maker Juniper Networks, arguing that it would stifle competition, according to a complaint filed on Thursday. The DOJ argued that the acquisition would eliminate competition and would lead to only two companies -- Cisco Systems and HPE -- controlling more than 70% of the U.S. market for networking equipment. More than a year ago, the server maker said that it would buy Juniper Networks for $14 billion in an all-cash deal, as it looks to spruce up its artificial intelligence offerings.

"Juniper has also introduced innovative tools that have materially decreased the cost of operating a wireless network for many customers. This competitive pressure has forced HPE to discount its offerings and invest in its own innovation," the DOJ said in its complaint. Stiff competition from Juniper forced HPE to sell its products at a discount and spend to introduce new features under the "Beat Mist" campaign, named after the networking gear company's rival product, the DOJ wrote. "Having failed to beat Mist on the merits, HPE changed tactics and in January 2024 opted to try to buy Juniper instead," the agency added.

An anonymous reader quotes a report from Ars Technica: On Thursday, OpenAI announced that it is deepening its ties with the US government through a partnership with the National Laboratories and expects to use AI to "supercharge" research across a wide range of fields to better serve the public. "This is the beginning of a new era, where AI will advance science, strengthen national security, and support US government initiatives," OpenAI said. The deal ensures that "approximately 15,000 scientists working across a wide range of disciplines to advance our understanding of nature and the universe" will have access to OpenAI's latest reasoning models, the announcement said.

For researchers from Los Alamos, Lawrence Livermore, and Sandia National Labs, access to "o1 or another o-series model" will be available on Venado -- an Nvidia supercomputer at Los Alamos that will become a "shared resource." Microsoft will help deploy the model, OpenAI noted. OpenAI suggested this access could propel major "breakthroughs in materials science, renewable energy, astrophysics," and other areas that Venado was "specifically designed" to advance. Key areas of focus for Venado's deployment of OpenAI's model include accelerating US global tech leadership, finding ways to treat and prevent disease, strengthening cybersecurity, protecting the US power grid, detecting natural and man-made threats "before they emerge," and " deepening our understanding of the forces that govern the universe," OpenAI said.

Perhaps among OpenAI's flashiest promises for the partnership, though, is helping the US achieve a "a new era of US energy leadership by unlocking the full potential of natural resources and revolutionizing the nation's energy infrastructure." That is urgently needed, as officials have warned that America's aging energy infrastructure is becoming increasingly unstable, threatening the country's health and welfare, and without efforts to stabilize it, the US economy could tank. But possibly the most "highly consequential" government use case for OpenAI's models will be supercharging research safeguarding national security, OpenAI indicated. "The Labs also lead a comprehensive program in nuclear security, focused on reducing the risk of nuclear war and securing nuclear materials and weapons worldwide," OpenAI noted. "Our partnership will support this work, with careful and selective review of use cases and consultations on AI safety from OpenAI researchers with security clearances." The announcement follows the launch earlier this week of ChatGPT Gov, "a new tailored version of ChatGPT designed to provide US government agencies with an additional way to access OpenAI's frontier models." It also worked with the Biden administration to voluntarily commit to give officials early access to its latest models for safety inspections.

The company that Jeff Bezos founded has gone to court to keep the newspaper he owns from finding out too much about the inner workings of its business. From a report: Amazon is suing Washington state to limit the release of public records to The Washington Post from a series of state Department of Labor and Industries investigations of an Amazon Project Kuiper satellite facility in the Seattle area.

The lawsuit, filed this week in King County Superior Court in Seattle, says the newspaper on Nov. 26 requested "copies of inspection records, investigation notes, interview notes, complaints," and other documents related to four investigations at the Redmond, Wash., facility between August and October 2024. It's not an unusual move by the company, and in some ways it's a legal technicality.

Amazon says it's not seeking to block the records release entirely, but rather seeking to protect from public disclosure certain records that contain proprietary information and trade secrets about the company's satellite internet operations. The lawsuit cites a prior situation in which Amazon and the Department of Labor and Industries similarly worked through the court to respond to a Seattle Times public records request without disclosing proprietary information.

An anonymous reader quotes a report from Techdirt: While most of our conversations about Nintendo recently have focused on the somewhat bizarre patent lawsuit the company filed against Pocketpair over the hit game Palworld, traditionally our coverage of the company has focused more on the very wide net of IP bullying it engages in. This is a company absolutely notorious for behaving in as protectionist a fashion as possible with anything even remotely related to its IP. That reputation is so well known, in fact, that it serves the company's bullying purposes. When smaller entities get threat letters or oppositions to applied-for trademarks and the like, some simply back down without a fight.

But not the Super Mario shop in Costa Rica, it seems. The supermarket store owned by a man named Mario (hence the name), has had a trademark on its name since 2013. But when Mario's son, Charlito, went to renew the registration, Nintendo's lawyers suddenly came calling. Last year it was time to renew the registration, Charlito stated, which prompted Nintendo to get involved. While Nintendo has trademarked the use of Super Mario worldwide under numerous categories, including video games, clothing and toys, it appears the company did not specifically state anything about the names of supermarkets. This, Charlito says, was the key factor in the decision by Costa Rica's trademark authority, the National Register, to side with the supermarket. "As you will see from the picture [here], it is extremely clear, based on the rest of the store's signage and branding, that there is absolutely no attempt in any of this to draw any kind of association with Nintendo's iconic character," writes Techdirt's Timothy Geigner. "The shop already had the name for over a decade, and had a trademark on the name for over a decade, all apparently without any noticeable effect on Nintendo's enormous business. For a renewal of that mark to trigger this kind of conflict is absurd."

An anonymous reader quotes a report from Ars Technica: US Rep. Zoe Lofgren (D-Calif.) today proposed a law that would let copyright owners obtain court orders requiring Internet service providers to block access to foreign piracy websites. The bill would also force DNS providers to block sites. Lofgren said in a press release that she "work[ed] for over a year with the tech, film, and television industries" on "a proposal that has a remedy for copyright infringers located overseas that does not disrupt the free Internet except for the infringers." Lofgren said she plans to work with Republican leaders to enact the bill. [...]

Lofgren's bill (PDF) would impose site-blocking requirements on broadband providers with at least 100,000 subscribers and providers of public domain name resolution services with annual revenue of over $100 million. The bill has exemptions for VPN services and "similar services that encrypt and route user traffic through intermediary servers"; DNS providers that offer service "exclusively through encrypted DNS protocols"; and operators of premises that provide Internet access, like coffee shops, bookstores, airlines, and universities. Lofgren released a summary of the bill explaining how copyright owners can obtain blocking orders. "A copyright owner or exclusive licensee may file a petition in US District Court to obtain a preliminary order against a foreign website or online service engaging in copyright infringement," the summary said.

For non-live content, the petition must show that "transmission of a work through a foreign website likely infringes exclusive rights under Section 106 [of US law] and is causing irreparable harm." For live events, a petition must show that "an imminent or ongoing unauthorized transmission of a live event is likely to infringe, and will cause irreparable harm." The proposed law says that after a preliminary order is issued, copyright owners would be able to obtain orders directing service providers "to take reasonable and technically feasible measures to prevent users of the service provided by the service provider from accessing the foreign website or online service identified in the order." Judges would not be permitted to "prescribe any specific technical measures" for blocking and may not require any action that would prevent Internet users from using virtual private networks.Consumer advocacy group Public Knowledge described the bill as a "censorious site-blocking" measure "that turns broadband providers into copyright police at Americans' expense."

"Rather than attacking the problem at its source -- bringing the people running overseas piracy websites to court -- Congress and its allies in the entertainment industry has decided to build out a sweeping infrastructure for censorship," Public Knowledge Senior Policy Counsel Meredith Rose said. "Site-blocking orders force any service provider, from residential broadband providers to global DNS resolvers, to disrupt traffic from targeted websites accused of copyright infringement. More importantly, applying blocking orders to global DNS resolvers results in global blocks. This means that one court can cut off access to a website globally, based on one individual's filing and an expedited procedure. Blocking orders are incredibly powerful weapons, ripe for abuse, and we've seen the messy consequences of them being implemented in other countries."

The U.S. Copyright Office has ruled that AI-assisted works can receive copyright protection if they contain perceptible human creativity, such as creative modifications or arrangements. However, fully machine-generated content remains ineligible for copyright. The Associated Press reports: An AI-assisted work could be copyrightable if an artist's handiwork is perceptible. A human adapting an AI-generated output with "creative arrangements or modifications" could also make it fall under copyright protections. The report follows a review that began in 2023 and fielded opinions from thousands of people that ranged from AI developers, to actors and country singers.

It shows the copyright office will continue to reject copyright claims for fully machine-generated content. A person simply prompting a chatbot or AI image generator to produce a work doesn't give that person the ability to copyright that work, according to the report. "Extending protection to material whose expressive elements are determined by a machine ... would undermine rather than further the constitutional goals of copyright," [said Register of Copyrights Shira Perlmutter]. The copyright office says it's working on a separate report that "will turn to the training of AI models on copyrighted works, licensing considerations, and allocation of any liability."

Google has appealed a record $4.5 billion EU antitrust fine to the European Court of Justice, arguing that the European Commission's decision punished its innovation and imposed unfair penalties for agreements requiring pre-installation of its apps on Android devices. Reuters reports: Google's appeal to the Luxembourg-based Court of Justice of the European Union comes two years after a lower tribunal sided with the European Commission which said the company used its Android mobile operating system to quash rivals. The lower court trimmed the fine to 4.1 billion euros.

"Google does not contest or shy away from its responsibility under the law, but the Commission also has a responsibility when it runs investigations, when it seeks to reshape markets and second-guess pro-competitive business models, and when it imposes multi-billion-euro fines," Google lawyer Alfonso Lamadrid told the court. "In this case, the Commission failed to discharge its burden and its responsibility and, relying on multiple errors of law, punished Google for its superior merits, attractiveness and innovation," he said. The final ruling is expected in the coming months and cannot be appealed.

During the first press briefing of Donald Trump's second administration, White House press secretary, Karoline Leavitt, said that the National Security Council was "looking into" the potential security implications of China's DeepSeek AI startup. Axios reports: DeepSeek's low-cost but highly advanced models have shaken the consensus that the U.S. had a strong lead in the AI race with China. Responding to a question from Axios' Mike Allen, Leavitt said President Trump saw this as a "wake-up call" for the U.S. AI industry, but remained confident "we'll restore American dominance." Leavitt said she had personally discussed the matter with the NSC earlier on Tuesday.

In the combative tone that characterized much of her first briefing, Leavitt claimed the Biden administration "sat on its hands and allowed China to rapidly develop this AI program," while Trump had moved quickly to appoint an AI czar and loosen regulations on the AI industry. Leavitt also commented on the mysterious drones spotted flying around New Jersey at the end of last year, saying they were "authorized to be flown by the FAA."

An anonymous reader quotes a report from the Hill: Two federal employees are suing the Office of Personnel Management (OPM) to block the agency from creating a new email distribution system -- an action that comes as the information will reportedly be directed to a former staffer to Elon Musk now at the agency. The suit (PDF), launched by two anonymous federal employees, ties together two events that have alarmed members of the federal workforce and prompted privacy concerns. That includes an unusual email from OPM last Thursday reviewed by The Hill said the agency was testing "a new capability" to reach all federal employees -- a departure from staffers typically being contacted directly by their agency's human resources department.

Also cited in the suit is an anonymous Reddit post Monday from someone purporting to be an OPM employee, saying a new server was installed at their office after a career employee refused to set up a direct line of communication to all federal employees. According to the post, instructions have been given to share responses to the email to OPM chief of staff Amanda Scales, a former employee at Musk's AI company. Federal agencies have separately been directed to send Scales a list of all employees still on their one-year probationary status, and therefore easier to remove from government. The suit says the actions violate the E-Government Act of 2002, which requires a Privacy Impact Assessment before pushing ahead with creation of databases that store personally identifiable information.

Kel McClanahan, executive director of National Security Counselors, a non-profit law firm, noted that OPM has been hacked before and has a duty to protect employees' information. "Because they did that without any indications to the public of how this thing was being managed -- they can't do that for security reasons. They can't do that because they have not given anybody any reason to believe that this server is secure.that this server is storing this information in the proper format that would prevent it from being hacked," he said. McClanahan noted that the emails appear to be an effort to create a master list of federal government employees, as "System of Records Notices" are typically managed by each department. "I think part of the reason -- and this is just my own speculation -- that they're doing this is to try and create that database. And they're trying to sort of create it by smushing together all these other databases and telling everyone who receives the email to respond," he said.

During the first press briefing of Donald Trump's second administration, White House press secretary, Karoline Leavitt, said the mysterious drones spotted flying around New Jersey at the end of last year were "authorized to be flown by the FAA."

"After research and study, the drones that were flying over New Jersey in large numbers were authorized to be flown by the FAA for research and various other reasons," she said, adding that "many of these drones were also hobbyists, recreational and private individuals that enjoy flying drones." Leavitt added: "In time, it got worse due to curiosity. This was not the enemy."

The drone sightings prompted local and federal officials to urge Congress to pass drone-defense legislation. The FAA issued a monthslong ban on drone flights over a large swatch of New Jersey while authorities invested the sightings. The Biden administration insisted that the drones were "nothing nefarious" and that there was "no sense of danger."

An anonymous reader quotes a report from Ars Technica: Apple-designed chips powering Macs, iPhones, and iPads contain two newly discovered vulnerabilities that leak credit card information, locations, and other sensitive data from the Chrome and Safari browsers as they visit sites such as iCloud Calendar, Google Maps, and Proton Mail. The vulnerabilities, affecting the CPUs in later generations of Apple A- and M-series chip sets, open them to side channel attacks, a class of exploit that infers secrets by measuring manifestations such as timing, sound, and power consumption. Both side channels are the result of the chips' use of speculative execution, a performance optimization that improves speed by predicting the control flow the CPUs should take and following that path, rather than the instruction order in the program. [...]

The researchers published a list of mitigations they believe will address the vulnerabilities allowing both the FLOP and SLAP attacks. They said that Apple officials have indicated privately to them that they plan to release patches. In an email, an Apple representative declined to say if any such plans exist. "We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these types of threats," the spokesperson wrote. "Based on our analysis, we do not believe this issue poses an immediate risk to our users." FLOP, short for Faulty Load Operation Predictor, exploits a vulnerability in the Load Value Predictor (LVP) found in Apple's A- and M-series chipsets. By inducing the LVP to predict incorrect memory values during speculative execution, attackers can access sensitive information such as location history, email content, calendar events, and credit card details. This attack works on both Safari and Chrome browsers and affects devices including Macs (2022 onward), iPads, and iPhones (September 2021 onward). FLOP requires the victim to interact with an attacker's page while logged into sensitive websites, making it highly dangerous due to its broad data access capabilities.

SLAP, on the other hand, stands for Speculative Load Address Predictor and targets the Load Address Predictor (LAP) in Apple silicon, exploiting its ability to predict memory locations. By forcing LAP to mispredict, attackers can access sensitive data from other browser tabs, such as Gmail content, Amazon purchase details, and Reddit comments. Unlike FLOP, SLAP is limited to Safari and can only read memory strings adjacent to the attacker's own data. It affects the same range of devices as FLOP but is less severe due to its narrower scope and browser-specific nature. SLAP demonstrates how speculative execution can compromise browser process isolation.

chicksdaddy share a report from the Security Ledger: Vulnerabilities in Subaru's STARLINK telematics software enabled two, independent security researchers to gain unrestricted access to millions of Subaru vehicles deployed in the U.S., Canada and Japan. In a report published Thursday researchers Sam Curry and Shubham Shah revealed a now-patched flaw in Subaru's STARLINK connected vehicle service that allowed them to remotely control Subarus and access vehicle location information and driver data with nothing more than the vehicle's license plate number, or easily accessible information like the vehicle owner's email address, zip code and phone number. (Note: Subaru STARLINK is not to be confused with the Starlink satellite-based high speed Internet service.)

[Curry and Shah downloaded a year's worth of vehicle location data for Curry's mother's 2023 Impreza (Curry bought her the car with the understanding that she'd let him hack it.) The two researchers also added themselves to a friend's STARLINK account without any notification to the owner and used that access to remotely lock and unlock the friend's Subaru.] The details of Curry and Shah's hack of the STARLINK telematics system bears a strong resemblance to hacks documented in his 2023 report Web Hackers versus the Auto Industry as well as a September, 2024 discovery of a remote access flaw in web-based applications used by KIA automotive dealers that also gave remote attackers the ability to steal owners' personal information and take control of their KIA vehicle. In each case, Curry and his fellow researchers uncovered publicly accessible connected vehicle infrastructure intended for use by [employees and dealers was found to be trivially vulnerable to compromise and lack even basic protections around account creation and authentication].

Meta's AI chatbot will now use personal data from users' Facebook and Instagram accounts for personalized responses in the United States and Canada, the company said in a blog post. The upgraded Meta AI can remember user preferences from previous conversations across Facebook, Messenger, and WhatsApp, such as dietary choices and interests. CEO Mark Zuckerberg said the feature helps create personalized content like bedtime stories based on his children's interests. Users cannot opt out of the data-sharing feature, a Meta spokesperson told TechCrunch.