×
Privacy

Data Breach Exposes Millions of mSpy Spyware Customers (techcrunch.com) 5

An anonymous reader quotes a report from TechCrunch: A data breach at the phone surveillance operation mSpy has exposed millions of its customers who bought access to the phone spyware app over the past decade, as well as the Ukrainian company behind it. Unknown attackers stole millions of customer support tickets, including personal information, emails to support, and attachments, including personal documents, from mSpy in May 2024. While hacks of spyware purveyors are becoming increasingly common, they remain notable because of the highly sensitive personal information often included in the data, in this case about the customers who use the service. The hack encompassed customer service records dating back to 2014, which were stolen from the spyware maker's Zendesk-powered customer support system.

mSpy is a phone surveillance app that promotes itself as a way to track children or monitor employees. Like most spyware, it is also widely used to monitor people without their consent. These kinds of apps are also known as "stalkerware" because people in romantic relationships often use them to surveil their partner without consent or permission. The mSpy app allows whoever planted the spyware, typically someone who previously had physical access to a victim's phone, to remotely view the phone's contents in real-time. As is common with phone spyware, mSpy's customer records include emails from people seeking help to surreptitiously track the phones of their partners, relatives, or children, according to TechCrunch's review of the data, which we independently obtained. Some of those emails and messages include requests for customer support from several senior-ranking U.S. military personnel, a serving U.S. federal appeals court judge, a U.S. government department's watchdog, and an Arkansas county sheriff's office seeking a free license to trial the app. Even after amassing several million customer service tickets, the leaked Zendesk data is thought to represent only the portion of mSpy's overall customer base who reached out for customer support. The number of mSpy customers is likely to be far higher.
mSpy's owners, a Ukraine-based company called Brainstack, have yet to publicly disclose the breach. You can visit Have I Been Pwned to see if your email address was involved in a breach.
Python

Python GitHub Token Leak Shows Binary Files Can Burn Developers Too (csoonline.com) 20

snydeq shares a report from CSO Online, written by Lucian Constantin: A personal GitHub access token with administrative privileges to the official repositories for the Python programming language and the Python Package Index (PyPI) was exposed for over a year. The access token belonged to the Python Software Foundation's director of infrastructure and was accidentally included in a compiled binary file that was published as part of a container image on Docker Hub. [...] The incident shows that scrubbing access tokens from source code only, which some development tools do automatically, is not enough to prevent potential security breaches. Sensitive credentials can also be included in environment variables, configuration files and even binary artifacts as a result of automated build processes and developer mistakes. "Although we encounter many secrets that are leaked in the same manner, this case was exceptional because it is difficult to overestimate the potential consequences if it had fallen into the wrong hands -- one could supposedly inject malicious code into PyPI packages (imagine replacing all Python packages with malicious ones), and even to the Python language itself," researchers from security firm JFrog, who found and reported the token, wrote in a report.
Government

Senators Strike Bipartisan Deal For a Ban On Stock Trading By Members of Congress (cnbc.com) 127

A bipartisan group of senators reached a new agreement on legislation that would ban members of Congress, their spouses and dependent children, as well as the president and vice president, from purchasing and selling stocks while in office. According to CNBC, it would also give lawmakers 90 days to sell their stocks. From the report: The proposal is the latest chapter in a yearslong saga in Congress to pass regulations that limit lawmakers' ability to buy and sell stocks, and the first one to get formal consideration by a Senate committee -- in this case the Homeland Security & Governmental Affairs Committee on July 24. Ethics experts say that legislators' access to the kind of information they receive gives them the potential of having an unfair advantage to the investing public.

Sens. Hawley, Jon Ossoff, D-Ga., Jeff Merkley, D-Ore., and Gary Peters, D-Mich., negotiated and announced the new details. If passed, the bill would also prohibit lawmakers' spouses and dependent children from trading stocks, beginning March 2027. Also starting that year, the U.S. president, vice president and all members of Congress would have to divest from any covered investments. The penalty for violating the divestment mandate, as proposed by the senators, would cost a lawmaker the greater amount of either their monthly salary, or 10% of the value of each covered asset in violation.

Privacy

Hidden Camera Concerns Plague Short-Term Rental Industry (cnn.com) 86

An anonymous reader shares a report: A CNN investigation found the use of hidden cameras is a persistent problem in the industry. Regulations are sparse, and the punishments for those that commit these crimes are lenient -- video voyeurism is typically charged as a misdemeanor. Meanwhile, the people who are recorded -- often naked or engaging in sexual activities -- say they suffer from long-term trauma and the fear that their images could, at any moment, be disseminated on the internet. An Airbnb spokesperson told CNN that hidden camera complaints are rare, but when they do occur, "we take appropriate, swift action, which can include removing hosts and listings that violate the policy."

At a court-ordered deposition last year, an Airbnb representative was supposed to answer a key question from the attorney suing the company: How many complaints or reports had been made to Airbnb since December 1, 2013, of people who had been recorded by surveillance devices? The Airbnb representative testified that the company generated 35,000 customer support tickets about surveillance devices in the preceding decade. An Airbnb spokesperson told CNN that a single report could create multiple tickets. The company declined to specify how many unique complaints there have been. In the deposition, which has not been previously reported, the company representative sought to downplay the significance of the number of tickets, testifying they could reflect instances such as a malfunctioning doorbell camera or a tablet with recording capabilities left out on a coffee table. The representative did not provide any statistics detailing the number of claims she suggested were innocuous among the 35,000 tickets.

The Courts

Judge Dismisses Lawsuit Over GitHub Copilot AI Coding Assistant (infoworld.com) 83

A US District Court judge in San Francisco has largely dismissed a class-action lawsuit against GitHub, Microsoft, and OpenAI, which challenged the legality of using code samples to train GitHub Copilot. The judge ruled that the plaintiffs failed to establish a claim for restitution or unjust enrichment but allowed the claim for breach of open-source license violations to proceed. InfoWorld reports: The lawsuit, first filed in Nov. 2022, claimed that GitHub's training of the Copilot AI on public GitHub code repositories violated the rights of the "vast number of creators" who posted code under open-source licenses on GitHub. The complaint (PDF) alleged that "Copilot ignores, violates, and removes the Licenses offered by thousands -- possibly millions -- of software developers, thereby accomplishing software piracy on an unprecedented scale." [...]

In a decision first announced on June 24, but only unsealed and made public on July 5, California Northern District judge Jon S. Tigar wrote that "In sum, plaintiff's claims do not support the remedy they seek. Plaintiffs have failed to establish, as a matter of law, that restitution for any unjust enrichment is available as a measure of plaintiffs' damages for their breach of contract claims." Judge Tigar went on to state that "court dismisses plaintiffs' section 1202(b) claim, this time with prejudice. The Court declines to dismiss plaintiffs' claim for breach of contract of open-source license violations against all defendants. Finally, the court dismisses plaintiffs' request for monetary relief in the form of unjust enrichment, as well as plaintiffs' request for punitive damages."

The Courts

Oregon County Seeks To Hold Fossil Fuel Companies Accountable For Extreme Heat 220

An anonymous reader quotes a report from Ars Technica: Northwest Oregon had never seen anything like it. Over the course of three days in June 2021, Multnomah County -- the state's most populous county, which rests in the swayback along Oregon's northern border -- recorded highs of 108, 112, and 116 degrees Fahrenheit. Temperatures were so hot that the metal on cable cars melted and the asphalt on roadways buckled. Nearly half the homes in the county lacked cooling systems because of Oregon's typically gentle summers, where average highs top out at 81 degrees. Sixty-nine people perished from heat stroke, most of them in their homes. When scientific studies showed that the extreme temperatures were caused by heat domes, which experts say are influenced by climate change, county officials didn't just chalk it up to a random weather occurrence. They started researching the large fossil fuel companies whose emissions are driving the climate crisis -- including ExxonMobil, Shell, and Chevron -- and sued them (PDF).

"This catastrophe was not caused by an act of God," said Jeffrey B. Simon, a lawyer for the county, "but rather by several of the world's largest energy companies playing God with the lives of innocent and vulnerable people by selling as much oil and gas as they could." Now, 11 months after the suit was filed, Multnomah County is preparing to move forward with the case in Oregon state court after a federal judge in June settled (PDF) a monthslong debate over where the suit should be heard. About three dozen lawsuits have been filed by states, counties, and cities seeking damages from oil and gas companies for harms caused by climate change. Legal experts said the Oregon case is one of the first focused on public health costs related to high temperatures during a specific occurrence of the "heat dome effect." Most of the other lawsuits seek damages more generally from such ongoing climate-related impacts as sea level rise, increased precipitation, intensifying extreme weather events, and flooding. [...]

The Multnomah County lawsuit says that Exxon, Shell, Chevron, and others engaged in a range of improper practices, including negligence, creating a public nuisance, fraud, and deceit. The suit alleges that the companies were aware of the harms of fossil fuels and engaged in a "scheme to rapaciously sell fossil fuel products and deceptively promote them as harmless to the environment, while they knew that carbon pollution emitted by their products into the atmosphere would likely cause deadly extreme heat events like that which devastated Multnomah County." "We know that climate-induced weather events like the 2021 Heat Dome harm the residents of Multnomah County and cause real financial costs to our local government," Multnomah County Chair Jessica Vega Pederson said in a statement. "The Court's decision to hear this lawsuit in State Court validates our assertion that the case should be resolved here -- it's an important win for this community."
In the suit, officials in Portland's Multnomah County said that they will ultimately incur costs in excess of $1.5 billion to deal with the effects of the 2021 heat dome.

"We allege that this is just like any other kind of public health crisis and mass destruction of property that is caused by corporate wrongdoing," said Simon, partner in the law firm of Simon Greenstone Panatier. "We contend that these companies polluted the atmosphere with carbon from the burning of fossil fuels; that they foresaw that extreme environmental harm would be caused by it; that some of them, we contend, deliberately misled the public about that."
Education

British Boarding School Bans Smartphones, Hands Out Nokia Phones Instead (engadget.com) 66

Eton College, Britain's elite boarding school with alumni that includes Princes William and Harry, as well as George Orwell and a long list of others, is banning incoming students from having smartphones. Instead, the school will provide students with a Nokia "brick" phone, which will only be capable of making calls and sending text messages. CBS News reports: Parents of first-year students at Eton -- where tuition exceeds $60,000 per year -- were informed of the changes in a letter, which said that incoming 13-year-old boarders should have their smart devices taken home after their SIM cards are transferred to offline Nokia phones provided by the school, which can only make calls and send simple text messages. Eton's previous rules on smartphones required first-year students to hand over their devices overnight.

"Eton routinely reviews our mobile phone and devices policy to balance the benefits and challenges that technology brings to schools," a spokesperson for the school told CBS News on Tuesday, adding that those joining in Year 9, essentially the equivalent of freshman year in high school for American students, "will receive a 'brick' phone for use outside the school day, as well as a school-issued iPad to support academic study." The spokesperson added that "age-appropriate controls remain in place for other year groups."
The ban follows a recent guidance issued by the UK government backing school principals who decide to ban smartphones during the school day. The goal is to help minimize disruption and improve classroom behavior.
AI

Spain Sentences 15 Schoolchildren Over AI-Generated Naked Images (theguardian.com) 119

An anonymous reader quotes a report from The Guardian: A court in south-west Spain has sentenced 15 schoolchildren to a year's probation for creating and spreading AI-generated images of their female peers in a case that prompted a debate on the harmful and abusive uses of deepfake technology. Police began investigating the matter last year after parents in the Extremaduran town of Almendralejo reported that faked naked pictures of their daughters were being circulated on WhatsApp groups. The mother of one of the victims said the dissemination of the pictures on WhatsApp had been going on since July.

"Many girls were completely terrified and had tremendous anxiety attacks because they were suffering this in silence," she told Reuters at the time. "They felt bad and were afraid to tell and be blamed for it." On Tuesday, a youth court in the city of Badajoz said it had convicted the minors of 20 counts of creating child abuse images and 20 counts of offenses against their victims' moral integrity. Each of the defendants was handed a year's probation and ordered to attend classes on gender and equality awareness, and on the "responsible use of technology." [...] Police identified several teenagers aged between 13 and 15 as being responsible for generating and sharing the images. Under Spanish law minors under 14 cannot be charged but their cases are sent to child protection services, which can force them to take part in rehabilitation courses.
Further reading: First-Known TikTok Mob Attack Led By Middle Schoolers Tormenting Teachers
United States

US Nuke Agency Buys Internet Backbone Data (404media.co) 24

A U.S. government agency tasked with supporting the nation's nuclear deterrence capability has bought access to a data tool that claims to cover more than 90 percent of the world's internet traffic, and can in some cases let users trace activity through virtual private networks, according to documents obtained by 404 Media. From the report: The documents provide more insight into the use cases and customers of so-called netflow data, which can show which server communicated with another, information that is ordinarily only available to the server's owner, or the internet service provider (ISP) handling the traffic. Other agencies that have purchased the data include the U.S. Army, NCIS, FBI, IRS, with some government clients saying it would take too long to get data from the NSA, so they bought this tool instead. In this case, the Defense Threat Reduction Agency (DTRA) says it is using the data to perform vulnerability assessments of U.S. and allied systems.

A document written by the DTRA and obtained by 404 Media says the agency "has a requirement to support ongoing assessments of the vulnerability of critical U.S. and allied national/theater mission systems, networks, architectures, infrastructures, and assets." The tool "is capable of following communications between servers, even private servers," which allows the agency to identify infrastructure used by malicious actors, the document continues. That contract was for $490,000 in 2023, according to the document. 404 Media obtained the document and others under a Freedom of Information Act (FOIA) request.

Crime

What Happens If You Shoot Down a Delivery Drone? (techcrunch.com) 152

An anonymous reader quotes a report from TechCrunch: As deep-pocketed companies like Amazon, Google and Walmart invest in and experiment with drone delivery, a phenomenon reflective of this modern era has emerged. Drones, carrying snacks and other sundries, are being shot out of the sky. Incidents are still rare. However, a recent arrest in Florida, in which a man allegedly shot down a Walmart drone, raises questions of what the legal ramifications are and whether those consequences could escalate if these events become more common. [...] While consumer drones have been proliferating for well over a decade, the question of legal ramifications hasn't been wholly clear. The Federal Aviation Administration (FAA) gave us a partial answer following a 2016 drone shooting in Arkansas. At the time, the FAA pointed interested parties to 18 U.S.C. 32. The law, titled "Aircraft Sabotage," is focused on the wanton destruction of "any aircraft in the special aircraft jurisdiction of the United States or any civil aircraft used, operated or employed in interstate, overseas, or foreign air commerce."

At first glance, the law appears primarily focused on manned aircraft, including a provision that "makes it a Federal offense to commit an act of violence against any person on the aircraft, not simply crew members, if the act is likely to endanger the safety of the aircraft." In responding to the Arkansas drone shooting, however, the FAA asserts that such protections can be interpreted to also include UAVs (unmanned aerial vehicles). The language does, indeed, appear broad enough to cover drones. That means, in turn, that the penalties are potentially as stiff. The subject was revived after a 2020 incident in Minnesota. In that case, the suspect was hit with felony charges relating to criminal damage and discharging a weapon within city limits. Those would likely also be the charges in most scenarios involving property, rather than bodily damage, drone or not. Even with these examples, there is not a rigid rule that predicts if or when prosecutors might also introduce a federal charge like 18 U.S.C. 32.

As the legal blog Above the Law notes, in most cases, the federal government has deferred to state law for enforcement. Meanwhile, in most cases where 18 U.S.C. 32 has been applied, if a human crew/passengers are involved, there could be other potential charges like murder. It certainly can be argued that shooting a large piece of hardware out of the sky in a heavily populated area invites its own potential for bodily harm, though it may not be prosecuted in the same manner. As drone delivery increases in the U.S., however, we may soon have an answer to the role federal legislation like 18 U.S.C. 32 will play in UAV shootings. Adding that into the picture brings penalties, including fines and up to 20 years in prison, potentially compounding those consequences. What is clear, though, is that the consequences can be severe, whether it is invoked.

The Courts

Anna's Archive Faces Millions In Damages, Permanent Injunction (torrentfreak.com) 28

Anna's Archive, a meta-search engine for pirated books and other sources, faces monetary damages and a permanent injunction at a U.S. court. According to TorrentFreak, the operators of the site "failed to respond to a lawsuit filed by [Online Computer Library Center (OCLC)], after its WorldCat database was scraped and published online." From the report: The site launched in the fall of 2022, just days after Z-Library was targeted in a U.S. criminal crackdown, to ensure continued availability of 'free' books and articles to the broader public. Late last year, Anna's Archive expanded its offering by making information from OCLC's proprietary WorldCat database available online. The site's operators took more than a year to scrape several terabytes of data and published roughly 700 million unique records online, for free.

This 'metadata' heist was a massive breakthrough in the site's quest to archive as much published content as possible. However, OCLC wasn't pleased and responded with a lawsuit (PDF) at an Ohio federal court, accusing the site and its operators of hacking and demanding damages. The non-profit says that it spent more than a million dollars responding to Anna's Archive's alleged hacking efforts. Even then, it couldn't prevent the data from being released through a torrent. "Defendants, through the Anna's Archive domains, have made, and continue to make, all 2.2 TB of WorldCat data available for public download through its torrents," OCLC wrote in the complaint it filed in an Ohio federal court.

In the months that passed since then, the operators of Anna's Archive didn't respond in court. The only named defendant flat-out denied all connections to the site, and OCLC didn't receive any response from any of the official Anna's Archive email addresses that were served. Meanwhile, the pirate library continues to offer the WorldCat data, which is a major problem for the organization. Without the prospect of a two-sided legal battle, OCLC has now moved for a default judgment. [...] In addition to monetary damages, the non-profit also seeks injunctive relief. The motion doesn't specify the requested measures, but the original complaint sought an order that prevents Anna's Archive from scraping WorldCat data going forward. In addition, all previously scraped data should no longer be distributed. Instead, it should be destroyed in full, including all the torrents that are currently being offered.

Piracy

Z-Library Admins 'Escape House Arrest' After Judge Approves US Extradition (torrentfreak.com) 28

Andy Maxwell reports via TorrentFreak: On November 4, 2022, the United States Department of Justice and the FBI began seizing Z-Library's domains as part of a major operation to shut down the infamous 'shadow library' platform. A criminal investigation had identified two Russian nationals, Anton Napolsky and Valeriia Ermakova, as the alleged operators of the site. On October 21, 2022, at the U.S. District Court for the Eastern District of New York, Judge Sanket J. Bulsara ordered their arrest. They were detained in Argentina on November 3, 2022. After arriving at the Ambrosio Taravella International Airport, the unsuspecting couple cleared customs and hired a car from a popular rental company. The United States Embassy informed local authorities that the pair were subject to an Interpol Red Notice.

At what point the Russians' phones were tapped is unclear but, under the authority of a Federal Court arrest warrant, Argentinian law enforcement began tracking the couple's movements as they traveled south in their rented Toyota Corolla. [...] [F]ollowing a visit to El Calafate, the pair were arrested by airport security police as they arrived in Rio Gallegos, Santa Cruz. They were later transferred to Cordoba. In January 2023, Judge Miguel Hugo Vaca Narvaja authorized the Russians to be detained under house arrest. Approval from Cordoba prosecutor Maximiliano Hairabedian, who was responsible for the request to extradite Napolsky and Ermakova to the United States, was not obtained. With a federal indictment, alleging criminal copyright infringement, wire fraud, and money laundering offenses, waiting for them in the United States, the priority for Napolsky and Ermakova would soon be their fight against extradition. [...]

Patronato del Liberado (Patronage of the Liberated) is responsible for assisting people who have previously been detained by the authorities with family and social reintegration. It's also tasked with monitoring compliance of those on probation or subject to house arrest. According to unnamed 'judicial sources' cited by La Voz, which receives full credit for a remarkable scoop, when the group conducted a regular visit in May, to verify that Napolsky and Ermakova were in compliance with the rules set by the state, there was no trace of them. Patronato del Liberado raised the alarm and Judge Sanchez Freytes was immediately notified. Counsel for the defense during the extradition hearings said that he hadn't been able to contact the Russians either. The Judge ordered an international arrest warrant although there appeared to be at least some hope the pair hadn't left the country. However, that was many weeks ago and with no obvious news suggesting their recapture, the pair could be anywhere by now.

United States

Boeing Will Plead Guilty To Fraud Related To Fatal 737 Max Crashes (cnbc.com) 86

Boeing agreed on Sunday to plead guilty to conspiring to defraud the government in a case linked to crashes of its 737 Max jets in Indonesia and Ethiopia that killed 346 people -- a stunning turn for the aerospace giant after the Justice Department determined that Boeing failed to live up to terms of a 2021 deal to avoid prosecution. Washington Post adds: Prosecutors alleged that two Boeing pilots concealed key information from the Federal Aviation Administration about a new automated control system on the Max. The system was implicated in both crashes, causing uncontrollable dives. By agreeing to plead guilty to the single felony count just before a midnight deadline Sunday, the company will avoid going to trial in the high-profile case.

The Justice Department filed documents related to the deal in federal court in Texas late Sunday night, setting up a planned hearing where family members -- who have criticized the pending agreement -- will be permitted to speak out. The court subsequently must decide whether to accept the plea agreement. Boeing had already agreed to $2.5 billion in penalties and payouts in 2021. As part of the new deal, the company will pay an additional $487.2 million in penalties, agree to oversight by an independent monitor, spend at least $455 million to strengthen compliance and safety programs and be placed on supervised probation for roughly three years, according to a Justice Department official. The agreement also included one thing crash victims' families long sought: a meeting with Boeing's board of directors.

Government

Jeff Bezos's Move From WA To FL Has Saved Him Close To $1B in Taxes This Year (geekwire.com) 332

As Amazon's stock hits a record high (rising 32% just this year), long-time Slashdot reader theodp writes: GeekWire reports that Jeff Bezos keeps selling Amazon stock after announcing his move away from Washington state — and its 7% tax on capital gains of more than $262,000 from the sale of stocks and bonds — to Florida, which does not have a capital gains tax (like WA, FL also does not tax personal income).

Taylor Soper writes, "Bezos saved more than $600 million by moving to Miami and avoiding Washington's capital gains tax, CNBC reported in February, based on his sale of 50 million shares [$8.5 billion] earlier this year. With the sale of 25 million additional shares [$5 billion], revealed this week in a regulatory filing, Bezos will likely have saved close to $1 billion in total so far. It's a giant chunk of change that would have otherwise gone to the state of Washington."

Government

GM Will Pay $146M Penalty Because 5.9 Million Older Vehicles Emit Excess CO2 (apnews.com) 53

General Motors will pay nearly $146 million in penalties to the U.S. government, reports the Associated Press, "because 5.9 million of its older vehicles do not comply with emissions and fuel economy standards." The National Highway Traffic Safety Administration said in a statement Wednesday that certain GM vehicles from the 2012 through 2018 model years did not comply with federal fuel economy requirements. The penalty comes after the Environmental Protection Agency said its testing showed the GM pickup trucks and SUVs emit over 10% more carbon dioxide on average than GM's initial compliance testing claimed.

The EPA says the vehicles will remain on the road and cannot be repaired. The GM vehicles on average consume at least 10% more fuel than the window sticker numbers say, but the company won't be required to reduce the miles per gallon on the stickers, the EPA said... GM said in a statement that it complied with all regulations in pollution and mileage certification of its vehicles. The company said it is not admitting to any wrongdoing nor that it failed to comply with the Clean Air Act...

The enforcement action involves about 4.6 million full-size pickups and SUVs and about 1.3 million midsize SUVs, the EPA said. The affected models include the Chevy Tahoe, Cadillac Escalade and Chevy Silverado. About 40 variations of GM vehicles are covered. GM will be forced to give up credits used to ensure that manufacturers' greenhouse gas emissions are below the fleet standard for emissions that applies for that model year, the EPA said. In a quarterly filing with the Securities and Exchange Commission, GM said it expects the total cost to resolve the matter will be $490 million. Because GM agreed to address the excess emissions, EPA said it was not necessary to make a formal determination regarding the reasons for the excess pollution.

According to the article, David Cooke, senior vehicles analyst for the Union of Concerned Scientists, "said it's possible that GM owners could sue the company because they are getting lower gas mileage than advertised."

The article also notes that in 2014, Hyundai and Kia "entered into a settlement in which they had to pay a $100 million civil penalty to end a two year investigation into overstated gas mileage on window stickers of 1.2 million vehicles."
Crime

Stolen Campaign Lawn Signs Tracked with Hidden Apple AirTags (businessinsider.com) 79

An anonymous reader shared this report from Business Insider: It's a political tale as old as time: put up a campaign poster in your yard, and thieves come to snatch it. But according to The Wall Street Journal, those fed up with front lawn looting are embracing a modern solution. Apple's geo-tracking AirTag devices are helping owners find their signs — and sometimes, even the people who stole them.

The practice has already led to charges. In one example cited by the outlet, Florida politician John Dittmore decided to hide the coin-sized gadget on one of his posters after waking up to a number of thefts in May... [Two teenagers were charged with criminal mischief and the theft of nine signs.]

In other cited cases, stolen signs don't end up with teens, but in the homes of electoral opponents. After Chris Torre became the victim of poster snatching, AirTags led him to the residence of Renee Rountree, the Journal said. Both were running for a seat on the Isle of Wight County Board of Supervisors in Virginia. Her son-in-law was charged with a misdemeanor for stealing the property, while Rountree faced a misdemeanor for receiving stolen goods. In a December trial, she noted plans to return the signs. Rountree has since been ordered to 250 hours of community service.

"I would like to think that this will have a huge deterrent effect," the trial's judge said in the court's transcript, quoted by WSJ.

Privacy

New SnailLoad Attack Exploits Network Latency To Spy On Users' Web Activities (thehackernews.com) 13

Longtime Slashdot reader Artem S. Tashkinov shares a report from The Hacker News: A group of security researchers from the Graz University of Technology have demonstrated a new side-channel attack known as SnailLoad that could be used to remotely infer a user's web activity. "SnailLoad exploits a bottleneck present on all Internet connections," the researchers said in a study released this week. "This bottleneck influences the latency of network packets, allowing an attacker to infer the current network activity on someone else's Internet connection. An attacker can use this information to infer websites a user visits or videos a user watches." A defining characteristic of the approach is that it obviates the need for carrying out an adversary-in-the-middle (AitM) attack or being in physical proximity to the Wi-Fi connection to sniff network traffic. Specifically, it entails tricking a target into loading a harmless asset (e.g., a file, an image, or an ad) from a threat actor-controlled server, which then exploits the victim's network latency as a side channel to determine online activities on the victim system.

To perform such a fingerprinting attack and glean what video or a website a user might be watching or visiting, the attacker conducts a series of latency measurements of the victim's network connection as the content is being downloaded from the server while they are browsing or viewing. It then involves a post-processing phase that employs a convolutional neural network (CNN) trained with traces from an identical network setup to make the inference with an accuracy of up to 98% for videos and 63% for websites. In other words, due to the network bottleneck on the victim's side, the adversary can deduce the transmitted amount of data by measuring the packet round trip time (RTT). The RTT traces are unique per video and can be used to classify the video watched by the victim. The attack is so named because the attacking server transmits the file at a snail's pace in order to monitor the connection latency over an extended period of time.

Anime

Popular Pirate Site Animeflix Shuts Down 'Voluntarily' (torrentfreak.com) 13

An anonymous reader quotes a report from TorrentFreak: With dozens of millions of monthly visits, Animeflix positioned itself as one of the most popular anime piracy portals. The site also has an active Discord community of around 35k members, who actively participate in discussions, art competitions, even a chess tournament. While rightsholders take no offense at these side-projects, the site's core business was streaming pirated videos. That hasn't gone unnoticed; last December Animeflix was listed as one of the shutdown targets of anti-piracy coalition ACE.

Whether these early enforcement efforts were responsible for the site's closure is unclear. In May, rightsholders increased the pressure through the High Court of India, obtaining a broad injunction that effectively suspended Animeflix's main domain name; Animeflix.live. This follow-up action didn't seem to hurt the site too much. It simply moved to new domains, Animeflix.gg and Animeflix.li, informing its users that the old domain name had become "unavailable." Yesterday, the site became unreachable again, initially returning a Cloudflare error message. This time, the domain wasn't the problem but, for reasons unknown, the team decided to shut down the site without prior notice.

"It is with a heavy heart that we announce the closure of Animeflix. After careful consideration, we have decided to shut down our service effective immediately. We deeply appreciate your support and enthusiasm over the years." "Thank you for being a part of our journey. We hope the joy and excitement of anime continue to brighten your days through other wonderful platforms," the Animeflix team adds. The Animeflix team doesn't provide any insight into its reasoning, but it's clear that keeping a site like that online isn't without challenges. And, when a pirate site shuts down, voluntarily or not, copyright issues typically play a role. It's clear that rightsholders were keeping an eye on the site, and were actively seeking out options to take it offline. That might have played a role in the shutdown decision but without more information from the team, we can only speculate.

AI

China Dominates Generative AI Patent Filings, UN Says (apnews.com) 12

China has requested significantly more generative AI patents than any other country, the U.N. intellectual property agency (the World Intellectual Property Organization) is reporting. According to WIPO's first-ever report on GenAI patents, China submitted over 38,200 inventions in the past decade, dwarfing the United States' 6,300 filings. South Korea, Japan, and India rounded out the top five. The study tracked approximately 54,000 GenAI-related patent applications from 2014 to 2023, with over a quarter emerging in the last year alone.
Privacy

Europol Says Mobile Roaming Tech Making Its Job Too Hard (theregister.com) 33

Top Eurocops are appealing for help from lawmakers to undermine a privacy-enhancing technology (PET) they say is hampering criminal investigations -- and it's not end-to-end encryption this time. Not exactly. From a report: Europol published a position paper today highlighting its concerns around SMS home routing -- the technology that allows telcos to continue offering their services when customers visit another country. Most modern mobile phone users are tied to a network with roaming arrangements in other countries. EE customers in the UK will connect to either Telefonica or Xfera when they land in Spain, or T-Mobile in Croatia, for example.

While this usually provides a fairly smooth service for most roamers, Europol is now saying something needs to be done about the PETs that are often enabled in these home routing setups. According to the cops, they pointed out that when roaming, a suspect in a criminal case who's using a SIM from another country will have all of their mobile communications processed through their home network. If a crime is committed by a Brit in Germany, for example, then German police couldn't issue a request for unencrypted data as they could with a domestic operator such as Deutsche Telekom.

Slashdot Top Deals