An anonymous reader quotes a report from Reuters: Britain said on Monday it had issued U.S. internet forum site 4chan with a $26,644 fine for failing to provide information about the risk of illegal content on its service, marking the first penalty under the new online safety regime. Media regulator Ofcom said 4chan had not responded to its request for a copy of its illegal harms risk assessment nor a second request relating to its qualifying worldwide. Ofcom said it would take action against any service which "flagrantly fails to engage with Ofcom and their duties under the Online Safety Act" and they should expect to face penalties.

The act, which is designed to protect children and vulnerable users from illegal content online, has caused tension between U.S. tech companies and Britain. Critics of the law have said it threatens free speech and targets U.S. companies. Technology minister Liz Kendall said the government "fully backed" Ofcom in taking action. "This fine is a clear warning to those who fail to remove illegal content or protect children from harmful material," she said. 4chan and Kiwi Farms filed a lawsuit in the United States against Ofcom in August, arguing that the threats and fines issued by the regulator "constitute foreign judgements that would restrict speech under U.S. law." The lawsuit claims that both entities are entirely based in the U.S., have no operations in the U.K., and therefore are not subject to its local laws.

"Dutch authorities have temporarily nationalized Nexperia, owned by Chinese company Wingtech, over fears of critical product unavailability," writes longtime Slashdot reader evil_aaronm. Reuters reports: The Hague invoked never-before-used powers under a Dutch law known as the "Availability of Goods Act." The decision led to a 10% fall in Wingtech's shares in Shanghai on Monday. The Dutch government will not take ownership of Nexperia, but it will now have the power to reverse or block management decisions it considers harmful. The company's regular production is continuing. [...] Wingtech called the Dutch government's intervention in Nexperia, once part of Dutch electronics group Philips, "excessive interference driven by geopolitical bias." Wingtech also alleged that non-Chinese Nexperia executives had tried to forcibly alter the company's equity structure through legal proceedings in a "cloaked power grab" on the company.

A copy of an Amsterdam commercial court ruling dated October 7 and seen by Reuters showed that the court decided on October 1 to suspend Wingtech CEO Zhang Xuezheng from his position as executive director at Nexperia after finding "well founded reasons to doubt" the company was pursuing correct management policy or actions under Dutch civil law. It appointed Dutch businessman Guido Dierick to take Zhang's position with a "deciding vote", and transferred control of almost all of Nexperia's shares to a Dutch lawyer for management. The Dutch state and the company's labour council had supported the moves, the document showed. [...]

In its statement, the Dutch government said that administrative problems at Nexperia posed a threat to the company's "crucial technological knowledge" without elaborating. "The loss of these capabilities could pose a risk to Dutch and European economic security," it said. Nexperia is one of the world's largest makers of simple computer chips such as diodes and transistors, though it also develops more advanced technologies such as "wide gap" semiconductors used in electrical settings and useful for electric cars, chargers and AI data centres. Wingtech said in a filing to the Shanghai stock exchange on Monday that its control over Nexperia would be temporarily restricted due to the Dutch order and court rulings, affecting decision making and operational efficiency.

California's Privacy Protection Agency "issued a record fine earlier this month to Tractor Supply," according to an EFF Deeplinks blog post — for "apparently ducking its responsibilities under the California Consumer Privacy Act." Under that law, companies are required to respect California customers' and job applicants' rights to know, delete, and correct information that businesses collect about them, and to opt-out of some types of sharing and use. The law also requires companies to give notice of these rights, along with other information, to customers, job applicants, and others. The CPPA said that Tractor Supply failed several of these requirements. This is the first time the agency has enforced this data privacy law to protect job applicants...

Tractor Supply, which has 2,500 stores in 49 states, will pay for their actions to the tune of $1,350,000 — the largest fine the agency has issued to date. Specifically, the agency said, Tractor Supply violated the law by:

- Failing to maintain a privacy policy that notified consumers of their rights;

- Failing to notify California job applicants of their privacy rights and how to exercise them;

- Failing to provide consumers with an effective mechanism to opt-out of the selling and sharing of their personal information, including through opt-out preference signals such as Global Privacy Control; and

- Disclosing personal information to other companies without entering into contracts that contain privacy protections.


In addition to the fine, the company also must take an inventory of its digital properties and tracking technologies and will have to certify its compliance with the California privacy law for the next four years.
The agency's web site says it "continues to actively enforce California's cutting-edge privacy laws." It's recently issued decisions (and fines) against American Honda Motor Company and clothing retailer Todd Snyder. Other recent actions include:

• Securing a settlement agreement requiring data broker Background Alert — which promoted its ability to dig up "scary" amounts of information about people — to shut down or pay a steep fine.

• Launching the bipartisan Consortium of Privacy Regulators to collaborate with states across the country to implement and enforce privacy laws nationwide.

• Partnering with the data protection authorities in Korea, France, and the United Kingdom to share information and advance privacy protections for Californians.

• The agency has secured more than half a dozen successful enforcement actions against unregistered data brokers following an investigative sweep launched late last year to assess compliance with the Delete Act.

Cryptologist/CS professor Daniel J. Bernstein is alleging that America's National Security Agency is attempting to influence NIST post-quantum cryptography standards.

Bernstein first emphasizes that it's normal for post-quantum cryptography (or "PQ") to be part of "hybrid" security that also includes traditional pre-quantum cryptography. (Bernstein says this is important because since 2016, "We've seen many breaks of post-quantum proposals...")

"The problem in a nutshell. Surveillance agency NSA and its [UK counterpart] GCHQ are trying to have standards-development organizations endorse weakening [pre-quantum] ECC+PQ down to just PQ." Part of this is that NSA and GCHQ have been endlessly repeating arguments that this weakening is a good thing... I'm instead looking at how easy it is for NSA to simply spend money to corrupt the standardization process.... The massive U.S. military budget now publicly requires cryptographic "components" to have NSA approval... In June 2024, NSA's William Layton wrote that "we do not anticipate supporting hybrid in national security systems"...

[Later a Cisco employee wrote of selling non-hybrid cryptography to a significant customer, "that's what they're willing to buy. Hence, Cisco will implement it".]

What do you do with your control over the U.S. military budget? That's another opportunity to "shape the worldwide commercial cryptography marketplace". You can tell people that you won't authorize purchasing double encryption. You can even follow through on having the military publicly purchase single encryption. Meanwhile you quietly spend a negligible amount of money on an independent encryption layer to protect the data that you care about, so you're actually using double encryption.
This seems to be a speculative scenario. But Bernstein is also concerned about how the Internet Engineering Task Force handled two drafts specifying post-quantum encryption mechanisms for TLS ("the security layer inside HTTPS and inside various other protocols"). For a draft suggesting "non-hybrid" encryption, there were 20 statements of support (plus 2 more only conditionally supporting it), but 7 more statements unequivocally opposing adoption, including one from Bernstein. The IETF has at times said they aim for "rough consensus" — or for "broad consensus" — but Bernstein insists 7 opposers in a field of 29 (24.13%) can't be said to match the legal definition of consensus (which is "general agreement"). "I've filed a formal complaint regarding the claim of consensus to adopt."

He's also written a second blog post analyzing the IETF's decision-making process in detail. "It's already bad that the IETF TLS working group adopted non-hybrid post-quantum encryption without official answers to the objections that were raised. It's much worse if the objections can't be raised in the first place."

Thanks to alanw (Slashdot reader #1,822) for spotting the blog posts.

"California Governor Gavin Newsom signed the 'California Opt Me Out Act', which will require web browsers to include an easy, universal way for users to opt out of data collection and sales," reports the blog 9to5Mac: [The law] requires browsers to provide a clear, one-click mechanism for Californians to opt out of data sharing across websites. The bill reads: "A business shall not develop or maintain a browser that does not include functionality configurable by a consumer that enables the browser to send an opt-out preference signal to businesses with which the consumer interacts through the browser...." Californians will need patience, though, as the law doesn't take effect until January 1, 2027.
Americans in some states — including California, Texas, Colorado, New Jersey and Maryland — "have the option to make those opt-out demands automatic whenever they surf the web," reports the Washington Post. "But they can only do so if they use small browsers that voluntarily offer that option, such as DuckDuckGo, Firefox and Brave. What's new in California's law is that all browsers must give people the same option." That means soon in California, just using Google's Chrome, Apple's Safari and Microsoft's Edge can command companies not to sell your data or pass it along for ad targeting... It's an imperfect but potent and simple way to flex privacy rights — and becomes even more powerful with another simple privacy measure in California. Starting on January 1, California residents can fill out an online form once to completely and repeatedly wipe their data from hundreds of data brokers that package your personal information for sale.
But their article also suggests other ways readers can "try a one-click privacy option now."

• "[S]ome national companies respect one-click privacy opt-out requests from everyone... This happens automatically if you use DuckDuckGo and Brave. You need to change a setting with Firefox."

• "Download Privacy Badger: The software from the Electronic Frontier Foundation, a consumer privacy advocacy group, works in the background to order websites not to sell information they're collecting about you."

• "Use Permission Slip from Consumer Reports. Give the app basic information, and it will help you do much of the legwork to tell companies not to sell your information or to delete it, if you have the right to do so."

I uploaded a photo on my phone to Microsoft's "OneDrive" file-hosting app — and there was a surprise waiting under Privacy and Permissions. "OneDrive uses AI to recognize faces in your photos..."

And...

"You can only turn off this setting 3 times a year."



If I moved the slidebar for that setting to the left (for "No"), it moved back to the right, and said "Something went wrong while updating this setting." (Apparently it's not one of those three times of the year.)

The feature is already rolling out to a limited number of users in a preview, a Microsoft publicist confirmed to Slashdot. (For the record, I don't remember signing up for this face-recognizing "preview".) But there's a link at the bottom of the screen for a "Microsoft Privacy Statement" that leads to a Microsoft support page, which says instead that "This feature is coming soon and is yet to be released." And in the next sentence it's been saying "Stay tuned for more updates" for almost two years...

A Microsoft publicist agreed to answer Slashdot's questions...

"A 29-year-old man has been arrested on suspicion of starting the Pacific Palisades fire in Los Angeles that killed 12 people and destroyed more than 6,000 homes in January," reports the BBC.

"Evidence collected from Jonathan Rinderknecht's digital devices included an image he generated on ChatGPT depicting a burning city, justice department officials said." Mr Rinderknecht had been living and working in California, and moved to Florida shortly after the fire, according to authorities. The initial blaze Mr Rinderknecht allegedly started on New Year's Day was called the Lachman fire. Although it was quickly suppressed by firefighters, it continued to smoulder underground in the root structure of dense vegetation, according to investigators, before it flared up again above ground in a windstorm [nearly a week later]... He lit it with an open flame after he completed a ride as an Uber driver on New Year's Eve, according to the indictment.

Two passengers rode with Mr Rinderknecht earlier on New Year's Eve. One passenger told investigators he remembered the driver had appeared agitated and angry. Officials said they had used his phone data to pinpoint his location when the fire initially started on 1 January, but when they pressed him on details he allegedly lied to investigators, claiming he was near the bottom of the trail... The phone also showed that he repeatedly called 911 just after midnight on New Year's day, but could not get through because of patchy mobile reception on the trailhead. There was a screen recording of him trying to call emergency services and at one point being connected with a dispatcher. Mr Rinderknecht also asked ChatGPT: "Are you at fault if a fire is lift [sic] because of your cigarettes?"

Investigators said the suspect wanted to "preserve evidence of himself trying to assist in the suppression of the fire". "He wanted to create evidence regarding a more innocent explanation for the cause of the fire," the indictment said... In July 2024, five months before he allegedly set the fire, Mr Rinderknecht asked ChatGPT to create an image of a "dystopian painting" that included a burning forest and a crowd of people running away from a fire, according to investigators.
The announcement from officials suggests they retrieved data about Rinderknecht's iPhone. It says after walking up the trailer Rinderknecht "listened to a rap song — to which he had listened repeatedly in previous days — whose music video included things being lit on fire."

An anonymous reader quotes a report from CSO Online: On Sept. 17, security vendor SonicWall announced that cybercriminals had stolen backup files configured for cloud backup. At the time, the company claimed the incident was limited to "less than five percent" of its customers. Now, the firewall provider has admitted that "all customers" using the MySonicWall cloud backup feature were affected. According to the company, the stolen files contain encrypted credentials and configuration data. "[W]hile encryption remains in place, possession of these files could increase the risk of targeted attacks," SonicWall warns in its press release.

Security specialist Arctic Wolf also warns of the consequences of the incident. "Firewall configuration files store sensitive information that can be leveraged by threat actors to exploit and gain access to an organization's network," explains Stefan Hostetler, threat intelligence researcher at Arctic Wolf. "These files can provide threat actors with critical information such as user, group, and domain settings, DNS and log settings, and certificates," he adds. Arctic Wolf has previously observed threat actors, including nation-state and ransomware groups, exfiltrating firewall configuration files to use for future attacks. SonicWall urges all customers and partners to regularly check their devices for updates. Admins can find additional information here.

An anonymous reader shares a report: Control of NSO Group is set to leave Israeli hands. A group of American investors led by Hollywood producer Robert Simonds has agreed to acquire the controversial spyware developer in a deal valued at several tens of millions of dollars. The transaction is expected to be signed in the coming days, though its completion will require approval from Israel's Defense Export Control Agency (DECA) at the Ministry of Defense.

Since March 2023, NSO's shares have been held by a Luxembourg-based holding company wholly owned by founder Omri Lavie. The company's lender syndicate, which had extended roughly $500 million in loans to finance a share buyback from the private equity fund Francisco Partners, transferred ownership to Lavie following the restructuring.

An anonymous reader quotes a report from Gizmodo: The City of New York is reaching across the country to sue tech giants headquartered in California over allegations that their platforms have created a youth mental health crisis. The city, along with its school districts and health department, alleges that "gross negligence" on the part of Meta, Alphabet, Snap, and ByteDance has gotten kids hooked on social media, which has created a "public nuisance" that is placing a strain on the city's resources.

In a 327-page complaint filed in the US District Court for the Southern District of New York, the city alleges that tech companies have designed their platforms in a way that seeks to "maximize the number of children" using them, and have built "algorithms that wield user data as a weapon against children and fuel the addiction machine." The city also alleges that these companies "know children and adolescents are in a developmental stage that leaves them particularly vulnerable to the addictive effects of these features," but "target them anyway, in pursuit of additional profit."

[...] It cites data from the New York City Police Department, for instance, that show at least 16 teens have died while "subway surfing" -- riding outside of a moving train -- a dangerous behavior which the lawsuit claims has been encouraged by social media trends. Two girls, ages 12 and 13, died earlier this month while subway surfing. It also cited survey data collected from New York high school students, which shows that 77.3% of the city's teens spend three or more hours per day on screens, which it claims has contributed to lost sleep and, in turn, absences from school -- corroborated by the city's school districts, which provided data to show that 36.2% of all public school students are considered chronically absent, missing at least 10% of the school year.

An anonymous reader quotes a report from Ars Technica: Apple yesterday announced a plan to comply with a Texas age verification law and warned that changes required by the law will reduce privacy for app users. "Beginning January 1, 2026, a new state law in Texas -- SB2420 -- introduces age assurance requirements for app marketplaces and developers," Apple said yesterday in a post for developers. "While we share the goal of strengthening kids' online safety, we are concerned that SB2420 impacts the privacy of users by requiring the collection of sensitive, personally identifiable information to download any app, even if a user simply wants to check the weather or sports scores."

The Texas App Store Accountability Act requires app stores to verify users' ages and imposes restrictions on those under 18. Apple said that developers will have "to adopt new capabilities and modify behavior within their apps to meet their obligations under the law." Apple's post noted that similar laws will take effect later in 2026 in Utah and Louisiana. Google also recently announced plans for complying with the three state laws and said the new requirements reduce user privacy. "While we have user privacy and trust concerns with these new verification laws, Google Play is designing APIs, systems, and tools to help you meet your obligations," Google told developers in an undated post.

The Utah law is scheduled to take effect May 7, 2026, while the Louisiana law will take effect July 1, 2026. The Texas, Utah, and Louisiana "laws impose significant new requirements on many apps that may need to provide age appropriate experiences to users in these states," Google said. "These requirements include ingesting users' age ranges and parental approval status for significant changes from app stores and notifying app stores of significant changes."

An anonymous reader shares a report: A website set up by an unknown Dane over the course of one weekend in August is giving a massive headache to those trying to pass a European bill aimed at stopping child sexual abuse material from spreading online.

The website, called Fight Chat Control, was set up by Joachim, a 30-year-old software engineer living in Aalborg, Denmark. He made it after learning of a new attempt to approve a European Union proposal to fight child sexual abuse material (CSAM) -- a bill seen by privacy activists as breaking encryption and leading to mass surveillance.

The site lets visitors compile a mass email warning about the bill and send it to national government officials, members of the European Parliament and others with ease. Since launching, it has broken the inboxes of MEPs and caused a stir in Brussels' corridors of power. "We are getting hundreds per day about it," said Evin Incir, a Swedish Socialists and Democrats MEP, of the email deluge.

An anonymous reader quotes a report from The Verge: Discord has identified approximately 70,000 users that may have had their government ID photos exposed as part of a customer service data breach announced last week, spokesperson Nu Wexler tells The Verge. A tweet by vx-underground said that the company was being extorted over a breach of its Zendesk instance by a group claiming to have "1.5TB of age verification related photos. 2,185,151 photos." In its announcement last week, Discord said that information like names, usernames, emails, the last four digits of credit cards, and IP addresses also may have been impacted by the breach. "All affected users globally have been contacted and we continue to work closely with law enforcement, data protection authorities, and external security experts," said Wexler. "We've secured the affected systems and ended work with the compromised vendor. We take our responsibility to protect your personal data seriously and understand the concern this may cause."

An anonymous reader quotes a report from The Register: London cops on Tuesday arrested two teenagers on suspicion of computer misuse and blackmail following a ransomware attack on a chain of London preschools. London's Metropolitan Police said the two men, both aged 17, were taken into custody during an operation at residential properties in Bishop's Stortford, Hertfordshire. The arrests followed a September 25 referral from the UK's Action Fraud reporting center detailing a ransomware attack on the preschools. While the Met police didn't name the schools, the timing of the referral coincides with a digital break-in at Kido International, a preschool and daycare organization that operates in the UK, US, and India.

In a very aggressive -- and disgusting -- attempt to extort a ransom payment from Kido, the criminals published profiles of 10 children, including photos, names, and home addresses, along with their parents' contact details and in some cases places of work, threatening to expose more if the ransom demand wasn't met. A new crime crew calling itself the Radiant Group claimed responsibility for the attack, and posted the preschool's name, along with its pupils' profiles, as the first leak on its dark web site. The ransomware gang later deleted the kids' and parents' data, apparently under pressure from other criminals -- but not before some of the parents reported receiving threatening calls.

Salesforce says it's refusing to pay an extortion demand made by a crime syndicate that claims to have stolen roughly 1 billion records from dozens of Salesforce customers. From a report: The threat group making the demands began their campaign in May, when they made voice calls to organizations storing data on the Salesforce platform, Google-owned Mandiant said in June. The English-speaking callers would provide a pretense that necessitated the target connect an attacker-controlled app to their Salesforce portal. Amazingly -- but not surprisingly -- many of the people who received the calls complied.

[...] Earlier this month, the group created a website that named Toyota, FedEx, and 37 other Salesforce customers whose data was stolen in the campaign. In all, the number of records recovered, Scattered LAPSUS$ Hunters claimed, was "989.45m/~1B+." The site called on Salesforce to begin negotiations for a ransom amount "or all your customers [sic] data will be leaked." The site went on to say: "Nobody else will have to pay us, if you pay, Salesforce, Inc." The site said the deadline for payment was Friday.

An anonymous reader shares a report: Universities in the UK reassured arms companies they would monitor students' chat groups and social media accounts after firms raised concerns about campus protests, according to internal emails. One university said it would conduct "active monitoring of social media" for any evidence of plans to demonstrate against Rolls-Royce at a careers fair.

A second appeared to agree to a request from Raytheon UK, the British wing of a major US defence contractor, to "monitor university chat groups" before a campus visit. Another university responded to a defence company's "security questionnaire" seeking information about social media posts suggestive of imminent protests over the firm's alleged role in fuelling war, including in Gaza. The universities' apparent compliance with the sensitivities of arms companies before careers fairs has emerged in emails obtained by the Guardian and Liberty Investigates after freedom of information (FoI) requests.

California biotech entrepreneur and former magician Serhat Gumrukcu has been found guilty of orchestrating the 2018 murder of his business rival Gregory Davis, who had threatened to expose Gumrukcu's fraudulent dealings. He faces sentencing in November. SFGATE reports: Seven years ago, Turkish national Serhat Gumrukcu, 42, of Los Angeles, was negotiating a multimillion-dollar biotech merger built off his work on a supposed HIV cure. The deal was put in jeopardy by a former business partner named Gregory Davis, 49, who had threatened to bring legal action against Gumrukcu for fraudulent activities relating to a previous failed oil commodities deal, the U.S. Attorney's Office said in a news release last week. Gumrukcu, a magician-turned-scientist who admitted to buying his medical degree from a Russian university, lived in a Hollywood mansion and partied with Oscar winners and movie producers, according to VTDigger. He stood to make millions from the merger of his biotech company Enochian BioSciences. [...]

In 2017, upon learning that Davis, a father of six from Danville, Vermont, could potentially spoil his fortune-making deal, Gumrukcu set in motion a hit on the former business partner. The murder-for-hire plot involved four men in total, prosecutors said. Gumrukcu had a close friend from Las Vegas, Berk Eratay, approach a third man, Aron Ethridge to find a hit man to kill Davis. The shooter, 37-year-old Montana man Jerry Banks, arrived at Davis' home on Jan. 6, 2018, in a vehicle fitted with flashing red and blue lights and posed as a deputy U.S. marshal. After abducting Davis, Banks shot him dead in the vehicle and left the body partially buried in a snowbank nearby.

Investigators soon narrowed in on Gumrukcu after discovering emails between him and Davis revealing tensions over the failed oil deal. Gumrukcu was interviewed twice by the FBI and made false statements on both occasions, federal prosecutors said. Further inspection of cellphone data, bank information and messages identified the four men involved in the kidnapping and killing of Davis.

Police arrested 33-year-old Joseph Mayuyo after a series of online threats forced TikTok to evacuate its Culver City headquarters. TechCrunch reports: A press release from the Culver City Police Department says that TikTok employees reported receiving multiple threats, across various social media platforms, from 33-year-old Hawthorne resident Joseph Mayuyo. After an additional message threatened TikTok's Culver City headquarters, police say company security evacuated the office "out of an abundance of caution."

Police then investigated Mayuyo's home, according to the press release. During the investigation, he allegedly posted additional threatening statements, including one declaring that he would not be taken alive. Detectives obtained search and arrest warrants, and they negotiated with Mayuyo for 90 minutes before he voluntarily exited his home and was taken into custody, the police department says.

Business Insider reports that one TikTok employee described the threats as "really scary," while another was concerned that they seemed to specifically target the e-commerce department. Mayuyo's X account has reportedly been suspended for violating the platform's hateful content policy. A Medium account under his name published a post in July criticizing TikTokShop USA as a "scam."

"More than 800,000 drivers for ride-hailing companies in California will soon be able to join a union," reports the Associated Press, "and bargain collectively for better wages and benefits under a measure signed Friday by Gov. Gavin Newsom." Supporters said the new law will open a path for the largest expansion of private sector collective bargaining rights in the state's history. The legislation is a significant compromise in the yearslong battle between labor unions and tech companies.

California is the second state where Uber and Lyft drivers can unionize as independent contractors. Massachusetts voters passed a ballot referendum in November allowing unionization, while drivers in Illinois and Minnesota are pushing for similar rights...

The collective bargaining measure now allows rideshare workers in California to join a union while still being classified as independent contractors and requires gig companies to bargain in good faith.
"The new law doesn't apply to drivers for delivery apps like DoorDash."

Friday OpenAI CEO Sam Altman announced two changes coming "soon" to Sora: First, we will give rightsholders more granular control over generation of characters, similar to the opt-in model for likeness but with additional controls...

Second, we are going to have to somehow make money for video generation. People are generating much more than we expected per user, and a lot of videos are being generated for very small audiences. We are going to try sharing some of this revenue with rightsholders who want their characters generated by users. The exact model will take some trial and error to figure out, but we plan to start very soon. Our hope is that the new kind of engagement is even more valuable than the revenue share, but of course we we want both to be valuable.
"We are hearing from a lot of rightsholders who are very excited for this new kind of 'interactive fan fiction'," Altman wrote, "and think this new kind of engagement will accrue a lot of value to them, but want the ability to specify how their characters can be used (including not at all)."