×
Open Source

OIN Expands Linux Patent Protection Yet Again (But Not To AI) (zdnet.com) 7

Steven Vaughan-Nichols reports via ZDNet: While Linux and open-source software (OSS) are no longer constantly under intellectual property (IP) attacks, the Open Invention Network (OIN) patent consortium still stands guard over its patents. Now, OIN, the largest patent non-aggression community, has expanded its protection once again by updating its Linux System definition. Covering more than just Linux, the Linux System definition also protects adjacent open-source technologies. In the past, protection was expanded to Android, Kubernetes, and OpenStack. The OIN accomplishes this by providing a shared defensive patent pool of over 3 million patents from over 3,900 community members. OIN members include Amazon, Google, Microsoft, and essentially all Linux-based companies.

This latest update extends OIN's existing patent risk mitigation efforts to cloud-native computing and enterprise software. In the cloud computing realm, OIN has added patent coverage for projects such as Istio, Falco, Argo, Grafana, and Spire. For enterprise computing, packages such as Apache Atlas and Apache Solr -- used for data management and search at scale, respectively -- are now protected. The update also enhances patent protection for the Internet of Things (IoT), networking, and automotive technologies. OpenThread and packages such as agl-compositor and kukusa.val have been added to the Linux System definition. In the embedded systems space, OIN has supplemented its coverage of technologies like OpenEmbedded by adding the OpenAMP and Matter, the home IoT standard. OIN has included open hardware development tools such as Edalize, cocotb, Amaranth, and Migen, building upon its existing coverage of hardware design tools like Verilator and FuseSoc.

Keith Bergelt, OIN's CEO, emphasized the importance of this update, stating, "Linux and other open-source software projects continue to accelerate the pace of innovation across a growing number of industries. By design, periodic expansion of OIN's Linux System definition enables OIN to keep pace with OSS's growth." [...] Looking ahead, Bergelt said, "We made this conscious decision not to include AI. It's so dynamic. We wait until we see what AI programs have significant usage and adoption levels." This is how the OIN has always worked. The consortium takes its time to ensure it extends its protection to projects that will be around for the long haul. The OIN practices patent non-aggression in core Linux and adjacent open-source technologies by cross-licensing their Linux System patents to one another on a royalty-free basis. When OIN signees are attacked because of their patents, the OIN can spring into action.

Google

Google's Privacy Sandbox Accused of Misleading Chrome Browser Users (theregister.com) 41

Richard Speed reports via The Register: Privacy campaigner noyb has filed a GDPR complaint regarding Google's Privacy Sandbox, alleging that turning on a "Privacy Feature" in the Chrome browser resulted in unwanted tracking by the US megacorp. The Privacy Sandbox API was introduced in 2023 as part of Google's grand plan to eliminate third-party tracking cookies. Rather than relying on those cookies, website developers can call the API to display ads matched to a user's interests. In the announcement, Google's VP of the Privacy Sandbox initiative called it "a significant step on the path towards a fundamentally more private web."

However, according to noyb, the problem is that although Privacy Sandbox is advertised as an improvement over third-party tracking, that tracking doesn't go away. Instead, it is done within the browser by Google itself. To comply with the rules, Google needs informed consent from users, which is where issues start. Noyb wrote today: "Google's internal browser tracking was introduced to users via a pop-up that said 'turn on ad privacy feature' after opening the Chrome browser. In the European Union, users are given the choice to either 'Turn it on' or to say 'No thanks,' so to refuse consent." Users would be forgiven for thinking that 'turn on ad privacy feature' would protect them from tracking. However, what it actually does is turn on first-party tracking.

Max Schrems, honorary chairman of noyb, claimed: "Google has simply lied to its users. People thought they were agreeing to a privacy feature, but were tricked into accepting Google's first-party ad tracking. "Consent has to be informed, transparent, and fair to be legal. Google has done the exact opposite." Noyb noted that Google had argued "choosing to click on 'Turn it on' would indeed be considered consent to tracking under Article 6(1)(a) of the GDPR."

Crime

Police Arrest Conti and LockBit Ransomware Crypter Specialist (bleepingcomputer.com) 25

The Ukraine cyber police, supported by information from the Dutch police, arrested a 28-year-old Russian man in Kyiv for aiding Conti and LockBit ransomware operations by making their malware undetectable and conducting at least one attack himself. He was arrested on April 18, 2024, as part of a global law enforcement operation known as "Operation Endgame," which took down various botnets and their main operators. "As the Conti ransomware group used some of those botnets for initial access on breached endpoints, evidence led investigators to the Russian hacker," reports BleepingComputer. From the report: The Ukrainian police reported that the arrested individual was a specialist in developing custom crypters for packing the ransomware payloads into what appeared as safe files, making them FUD (fully undetectable) to evade detection by the popular antivirus products. The police found that the man was selling his crypting services to both the Conti and LockBit cybercrime syndicates, helping them significantly increase their chances of success on breached networks. The Dutch police confirmed at least one case of the arrested individual orchestrating a ransomware attack in 2021, using a Conti payload, so he also operated as an affiliate for maximum profit.

"As part of the pre-trial investigation, police, together with patrol officers of the special unit "TacTeam" of the TOR DPP battalion, conducted a search in Kyiv," reads the Ukraine police announcement. "Additionally, at the international request of law enforcement agencies in the Netherlands, a search was conducted in the Kharkiv region." [...] The suspect has already been charged with Part 5 of Article 361 of the Criminal Code of Ukraine (Unauthorized interference in the work of information, electronic communication, information and communication systems, electronic communication networks) and faces up to 15 years imprisonment.

Censorship

Firefox Browser Blocks Anti-Censorship Add-Ons At Russia's Request (theintercept.com) 129

An anonymous reader quotes a report from The Intercept: The Mozilla Foundation,the entity behind the web browser Firefox, is blocking various censorship circumvention add-ons for its browser, including ones specifically to help those in Russia bypass state censorship. The add-ons were blocked at the request of Russia's federal censorship agency, Roskomnadzor -- the Federal Service for Supervision of Communications, Information Technology, and Mass Media -- according to a statement by Mozilla to The Intercept. "Following recent regulatory changes in Russia, we received persistent requests from Roskomnadzor demanding that five add-ons be removed from the Mozilla add-on store," a Mozilla spokesperson told The Intercept in response to a request for comment. "After careful consideration, we've temporarily restricted their availability within Russia. Recognizing the implications of these actions, we are closely evaluating our next steps while keeping in mind our local community."

Developers of digital tools designed to get around censorship began noticing recently that their Firefox add-ons were no longer available in Russia. On June 8, the developer of Censor Tracker, an add-on for bypassing internet censorship restrictions in Russia and other former Soviet countries, made a post on the Mozilla Foundation's discussion forums saying that their extension was unavailable to users in Russia. The developer of another add-on, Runet Censorship Bypass, which is specifically designed to bypass Roskomnadzor censorship, posted in the thread that their extension was also blocked. The developer said they did not receive any notification from Mozilla regarding the block. Two VPN add-ons, Planet VPN and FastProxy -- the latter explicitly designed for Russian users to bypass Russian censorship -- are also blocked. VPNs, or virtual private networks, are designed to obscure internet users' locations by routing users' traffic through servers in other countries.
"It's a kind of unpleasant surprise because we thought the values of this corporation were very clear in terms of access to information, and its policy was somewhat different," said Stanislav Shakirov, the chief technical officer of Roskomsvoboda, a Russian open internet group. "And due to these values, it should not be so simple to comply with state censors and fulfill the requirements of laws that have little to do with common sense."
The Courts

Chemical Makers Sue Over Rule To Rid Water of 'Forever Chemicals' (thehill.com) 101

An anonymous reader quotes a report from the New York Times: Chemical and manufacturing groups sued the federal government late Monday (Warning: source paywalled; alternative source) over a landmark drinking-water standard that would require cleanup of so-called forever chemicals linked to cancer and other health risks. The industry groups said that the government was exceeding its authority under the Safe Drinking Water Act by requiring that municipal water systems all but remove six synthetic chemicals, known by the acronym PFAS, that are present in the tap water of hundreds of millions of Americans. The Environmental Protection Agency has said that the new standard, put in place in April, will prevent thousands of deaths and reduce tens of thousands of serious illnesses. The E.P.A.'s cleanup standard was also expected to prompt a wave of litigation against chemical manufacturers by water utilities nationwide trying to recoup their cleanup costs. Utilities have also challenged the stringent new standard, questioning the underlying science and citing the cost of filtering the toxic chemicals out of drinking water.

In a joint filing late Monday, the American Chemistry Council and National Association of Manufacturers said the E.P.A. rule was "arbitrary, capricious and an abuse of discretion." The petition was filed in the Court of Appeals for the District of Columbia. In a separate petition, the American Water Works Association and the Association of Metropolitan Water Agencies said the E.P.A. had "significantly underestimated the costs" of the rule. Taxpayers could ultimately foot the bill in the form of increased water rates, they said. PFAS, a vast class of chemicals also called per- and polyfluoroalkyl substances, are widespread in the environment. They are commonly found in people's blood, and a 2023 government study of private wells and public water systems detected PFAS chemicals in nearly half the tap water in the country. Exposure to PFAS has been associated with developmental delays in children, decreased fertility in women and increased risk of some cancers, according to the E.P.A. [...] The E.P.A. estimates that it would cost water utilities about $1.5 billion annually to comply with the rule, though utilities have said the costs could be twice that amount.
Further reading: Lawyers To Plastic Makers: Prepare For 'Astronomical' PFAS Lawsuits
Japan

Japan Enacts Law Forcing Third-Party App Stores On Apple and Google (appleinsider.com) 97

Following in the European Union's footsteps, Japan's parliament has enacted a law on Wednesday that will prohibit big tech from blocking third-party app stores. AppleInsider reports: The intention of the bill is that it will facilitate competition and reduce app prices. Japan's government reportedly believes that Apple and Google are a duopoly, and that they charge developers high fees that are then passed on to users. Big tech companies with App Stores will also prohibit companies from prioritizing their own services. Google is likely to be hit hardest by this. Violators will initially be fined up to 20% of the domestic revenue of the specific service that broke the law. The fee can increase to 30%, if the behavior continues.

The Japanese government's Fair Trade Commission (FTC) will choose which firms to apply it to. Companies that will be regulated will be required to submit compliance reports annually. While it hasn't been explicitly said that Apple and Google must comply, It seems certain that the announcement that they'll be held to the provisions is imminent. The Japan FTC isn't expected to add any Japanese firms to the list. The law likely won't take effect until the end of 2025.

Transportation

One of Two Major Data Brokers Shuts Down Product Related To Driver Behavior Patterns (therecord.media) 35

An anonymous reader quotes a report from The Record: The revelation earlier this year that General Motors had been selling driver behavior patterns to data brokers -- who in turn packaged and resold it to insurers -- has led at least one of two major data brokers to shut down its related product. That data broker, Verisk, disclosed last month that it has stopped accepting data from car makers and no longer sells the information to insurers, according to the organization Privacy4Cars, which received the response after sending the data broker an inquiry.

"Verisk received driving data from vehicles manufactured by General Motors, Honda, and Hyundai and may have provided a Driving Behavior Data History Report ("Report") to insurers upon request, as a service provider to such insurers, that included certain data provided by these manufacturers," the Verisk response to Privacy4Cars said. "Please note that Verisk no longer receives this data from these automakers to generate Reports and also no longer provides Reports to insurers," the statement added.

While Verisk has stopped selling car company-provided driver behavior patterns to insurers, LexisNexis Risk Solutions continues to prominently promote its driver behavior data product for insurers despite the mounting backlash from state governments, federal officials and consumer groups. LexisNexis Risk Solutions' Telematics OnDemand page remains online, boasting that it is "bringing automakers and insurance carriers together." "By partnering directly with automotive OEMs, LexisNexis is able to turn connected car data into tangible driving behavior insights that can be leveraged within insurance carriers' existing workflows," the page says. Much of LexisNexis Risk Solutions' work remains shrouded in secrecy.

The Courts

Brazil Hires OpenAI To Cut Costs of Court Battles 16

Brazil's government is partnering with OpenAI to use AI for expediting the screening and analysis of thousands of lawsuits to reduce costly court losses impacting the federal budget. Reuters reports: The AI service will flag to government the need to act on lawsuits before final decisions, mapping trends and potential action areas for the solicitor general's office (AGU). AGU told Reuters that Microsoft would provide the artificial intelligence services from ChatGPT creator OpenAI through its Azure cloud-computing platform. It did not say how much Brazil will pay for the services. AGU said the AI project would not replace the work of its members and employees. "It will help them gain efficiency and accuracy, with all activities fully supervised by humans," it said.

Court-ordered debt payments have consumed a growing share of Brazil's federal budget. The government estimated it would spend 70.7 billion reais ($13.2 billion) next year on judicial decisions where it can no longer appeal. The figure does not include small-value claims, which historically amount to around 30 billion reais annually. The combined amount of over 100 billion reais represents a sharp increase from 37.3 billion reais in 2015. It is equivalent to about 1% of gross domestic product, or 15% more than the government expects to spend on unemployment insurance and wage bonuses to low-income workers next year. AGU did not provide a reason for Brazil's rising court costs.
United States

New York Launches Mobile Driver's Licenses (theverge.com) 65

New York has launched its mobile ID program, "giving residents the option to digitize their driver's license or non-driver ID," reports The Verge. From the report: Beginning today, the New York Mobile ID app is available from Apple's App Store and Google Play. The app can be used for identity verification at airports. A physical license, permit, or non-driver ID is required to activate a mobile ID; you'll need to take a photo of the front and back with your phone during the enrollment process. The news was announced during a media briefing at LaGuardia Airport on Tuesday that included New York's and Transportation Security Administration federal security director Robert Duffy, among other speakers. Their pitch is that mobile IDs "will revolutionize the way New Yorkers protect their identities and will significantly enhance the way they get through security at airports across the nation." State officials are also emphasizing that it's a voluntary option meant for convenience.

"When you offer your mobile ID to TSA or anyone else who accepts it, you are in full control of sharing that information. They can only see the information they request to see," Schroeder said. "If you only need to prove your age, you can withhold other information that a verifier doesn't need to see." The app is designed so that your phone remains in your possession at all times -- you should never freely hand a device over to law enforcement -- and shows a QR code that can be scanned to verify your identity. Any changes to your license status such as renewals or suspensions are automatically pushed to the mobile version, and the digital ID also mirrors data like whether you're an organ donor.

For now, acceptance of mobile IDs by businesses (and the police) is completely voluntary -- and there's no deadline in place for compliance -- so it's definitely too soon to start leaving your physical one at home. But bars and other small businesses can start accepting them immediately if they install the state's verifier app. The New York Mobile ID app can be used "at nearly 30 participating airports across the country including all terminals at LaGuardia and John F. Kennedy airports," according to a press release from Governor Kathy Hochul.
New York joins a small list of states that have rolled out mobile driver's licenses, including Arizona, Colorado, Delaware, Georgia, Florida, Iowa, Louisiana, Maryland, Mississippi, Missouri, and Utah.
Crime

British Duo Arrested For SMS Phishing Via Homemade Cell Tower (theregister.com) 25

British police have arrested two individuals involved in an SMS-based phishing campaign using a unique device police described as a "homemade mobile antenna," "an illegitimate telephone mast," and a "text message blaster." This first-of-its-kind device in the UK was designed to send fraudulent texts impersonating banks and other official organizations, "all while allegedly bypassing network operators' anti-SMS-based phishing, or smishing, defenses," reports The Register. From the report: Thousands of messages were sent using this setup, City of London Police claimed on Friday, with those suspected to be behind the operation misrepresenting themselves as banks "and other official organizations" in their texts. [...] Huayong Xu, 32, of Alton Road in Croydon, was arrested on May 23 and remains the only individual identified by police in this investigation at this stage. He has been charged with possession of articles for use in fraud and will appear at Inner London Crown Court on June 26. The other individual, who wasn't identified and did not have their charges disclosed by police, was arrested on May 9 in Manchester and was bailed. [...]

Without any additional information to go on, it's difficult to make any kind of assumption about what these "text message blaster" devices might be. However, one possibility, judging from the messaging from the police, is that the plod are referring to an IMSI catcher aka a Stingray, which acts as a cellphone tower to communicate with people's handhelds. But those are intended primarily for surveillance. What's more likely is that the suspected UK device is perhaps some kind of SIM bank or collection of phones programmed to spam out shedloads of SMSes at a time.

Security

The Mystery of an Alleged Data Broker's Data Breach (techcrunch.com) 4

An anonymous reader shares a report: Since April, a hacker with a history of selling stolen data has claimed a data breach of billions of records -- impacting at least 300 million people -- from a U.S. data broker, which would make it one of the largest alleged data breaches of the year. The data, seen by TechCrunch, on its own appears partly legitimate -- if imperfect.

The stolen data, which was advertised on a known cybercrime forum, allegedly dates back years and includes U.S. citizens' full names, their home address history and Social Security numbers -- data that is widely available for sale by data brokers. But confirming the source of the alleged data theft has proven inconclusive; such is the nature of the data broker industry, which gobbles up individuals' personal data from disparate sources with little to no quality control. The alleged data broker in question, according to the hacker, is National Public Data, which bills itself as "one of the biggest providers of public records on the Internet."

On its official website, National Public Data claimed to sell access to several databases: a "People Finder" one where customers can search by Social Security number, name and date of birth, address or telephone number; a database of U.S. consumer data "covering over 250 million individuals;" a database containing voter registration data that contains information on 100 million U.S. citizens; a criminal records one; and several more. Malware research group vx-underground said on X (formerly Twitter) that they reviewed the whole stolen database and could "confirm the data present in it is real and accurate."

Privacy

New York Times Source Code Stolen Using Exposed GitHub Token (bleepingcomputer.com) 52

The New York Times has confirmed that its internal source code was leaked on 4chan after being stolen from the company's GitHub repositories in January 2024. BleepingComputer reports: As first seen by VX-Underground, the internal data was leaked on Thursday by an anonymous user who posted a torrent to a 273GB archive containing the stolen data. "Basically all source code belonging to The New York Times Company, 270GB," reads the 4chan forum post. "There are around 5 thousand repos (out of them less than 30 are additionally encrypted I think), 3.6 million files total, uncompressed tar."

While BleepingComputer did not download the archive, the threat actor shared a text file containing a complete list of the 6,223 folders stolen from the company's GitHub repository. The folder names indicate that a wide variety of information was stolen, including IT documentation, infrastructure tools, and source code, allegedly including the viral Wordle game. A 'readme' file in the archive states that the threat actor used an exposed GitHub token to access the company's repositories and steal the data. The company said that the breach of its GitHub account did not affect its internal corporate systems and had no impact on its operations.
The Times said in a statement to BleepingComputer: "The underlying event related to yesterday's posting occurred in January 2024 when a credential to a cloud-based third-party code platform was inadvertently made available. The issue was quickly identified and we took appropriate measures in response at the time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity."
Encryption

Apple Introduces Standalone 'Passwords' App (macrumors.com) 39

An anonymous reader quotes a report from MacRumors: iOS 18, iPadOS 18, and macOS Sequoia feature a new, dedicated Passwords app for faster access to important credentials. The Passwords app replaces iCloud Keychain, which is currently only accessible via a menu in Settings. Now, passwords are available directly via a standalone app for markedly quicker access, bringing it more in line with rival services. The Passwords app consolidates various credentials, including passwords, passkeys, and Wi-Fi passwords, into a single, easily accessible location. Users can filter and sort their accounts based on various criteria, such as recently created accounts, credential type, or membership in shared groups.

Passwords is also compatible with Windows via the iCloud for Windows app, extending its utility to users who operate across different platforms. The developer beta versions of iOS 18, iPadOS 18, and macOS Sequoia are available today with official release to the public scheduled for the fall, providing an early look at the Passwords app.

AI

Scammers' New Way of Targeting Small Businesses: Impersonating Them (wsj.com) 17

Copycats are stepping up their attacks on small businesses. Sellers of products including merino socks and hummingbird feeders say they have lost customers to online scammers who use the legitimate business owners' videos, logos and social-media posts to assume their identities and steer customers to cheap knockoffs or simply take their money. WSJ: "We used to think you'd be targeted because you have a brand everywhere," said Alastair Gray, director of anticounterfeiting for the International Trademark Association, a nonprofit that represents brand owners. "It now seems with the ease at which these criminals can replicate websites, they can cut and paste everything." Technology has expanded the reach of even the smallest businesses, making it easy to court customers across the globe. But evolving technology has also boosted opportunities for copycats; ChatGPT and other advances in artificial intelligence make it easier to avoid language or spelling errors, often a signal of fraud.

Imitators also have fine-tuned their tactics, including by outbidding legitimate brands for top position in search results. "These counterfeiters will market themselves just like brands market themselves," said Rachel Aronson, co-founder of CounterFind, a Dallas-based brand-protection company. Policing copycats is particularly challenging for small businesses with limited financial resources and not many employees. Online giants such as Amazon.com and Meta Platforms say they use technology to identify and remove misleading ads, fake accounts or counterfeit products.

EU

Birmingham's $125M 'Oracle Disaster' Blamed on Poor IT Project Management (computerweekly.com) 117

It was "a catastrophic IT failure," writes Computer Weekly. It was nearly two years ago that Birmingham City Council, the largest local authority in Europe, "declared itself in financial distress" — effectively declaring bankruptcy — after the costs on an Oracle project costs ballooned from $25 million to around $125.5 million.

But Computer Weekly's investigation finds signs that the program board and its manager wanted to go live in April of 2022 "regardless of the state of the build, the level of testing undertaken and challenges faced by those working on the programme." One manager's notes "reveal concerns that the program manager and steering committee could not be swayed, which meant the system went live despite having known flaws." Computer Weekly has seen notes from a manager at BCC highlighting a number of discrepancies in the Birmingham City Council report to cabinet published in June 2023, 14 months after the Oracle system went into production. The report stated that some critical elements of the Oracle system were not functioning adequately, impacting day-to-day operations. The manager's comments reveal that this flaw in the implementation of the Oracle software was known before the system went live in April 2022... An insider at Birmingham City Council who has been closely involved in the project told Computer Weekly it went live "despite all the warnings telling them it wouldn't work"....

Since going live, the Oracle system effectively scrambled financial data, which meant the council had no clear picture of its overall finances. The insider said that by January 2023, Birmingham City Council could not produce an accurate account of its spending and budget for the next financial year: "There's no way that we could do our year-end accounts because the system didn't work."

A June 2023 report to cabinet "stated that due to issues with the council's bank reconciliation system, a significant number of transactions had to be manually allocated to accounts rather than automatically via the Oracle system," according to the article. But Computer Weekly has seen a 2019 presentation slide deck showing the council was already aware that Oracle's out-of-the-box bank reconciliation system "did not handle mixed debtor/non-debtor bank files. The workaround suggested was either a lot of manual intervention or a platform as a service (PaaS) offering from Evosys, the Oracle implementation partner contracted by BCC to build the new IT system."

The article ultimately concludes that "project management failures over a number of years contributed to the IT failure."
HP

Jury Finds Autonomy Founder Mike Lynch Not Guilty of Defrauding HP (bbc.co.uk) 28

The BBC reports that British tech tycoon Mike Lynch "has been cleared of fraud charges he faced in the U.S. over the $11bn (£8.6bn) sale of his software firm to Hewlett-Packard in 2011." A jury in San Francisco found him not guilty on all counts in a stunning victory for Mr Lynch, who had been accused of inflating the value of Autonomy, his company, ahead of its sale. Mr Lynch, who faced more than 20 years in prison if convicted, had denied the charges and took the stand to defend himself.

In his testimony, he maintained he had focused on technology not accounting, distancing himself from other executives, including the company's former chief financial officer who was already successfully prosecuted for fraud... Mr Lynch made £500m from the sale. Just a year later, HP wrote down the value of Autonomy by $8.8bn. Years of legal battles followed. The company's chief financial officer, Sushovan Hussain, was found guilty of fraud in 2018 and later sentenced to five years in prison...

Mr Lynch's team pushed the argument that HP had failed to properly vet the deal and mismanaged the takeover, while he testified he was uninvolved with the transactions being described.

Lynch's lawyers said the verdict "closes the book on a relentless 13-year effort to pin HP's well-documented ineptitude on Dr Lynch. Thankfully, the truth has finally prevailed."

Thanks to Slashdot reader Bruce66423 for sharing the news.
Crime

Should Police Departments Use Drones? (wired.com) 195

Wired visits Chula Vista, California (population: 275,487) — where since 2018 drones have been dispatched by police "teleoperators" monitoring 911 calls. ("Noise complaints, car accidents, overdoses, domestic disputes...") After nearly 20,000 drone flights, it's become the envy of other police departments, according to Wired's article, as other police departments "look to expand their use of unmanned aerial aircraft." The [Chula Vista] department says that its drones provide officers with critical intelligence about incidents they are responding to ahead of initiating in-person contact — which the CVPD says has reduced unnecessary police contacts, decreased response times, and saved lives. But a WIRED investigation paints a complicated picture of the trade-offs between public safety and privacy. In Chula Vista, drone flight paths trace a map of the city's inequality, with poorer residents experiencing far more exposure to the drones' cameras and rotors than their wealthier counterparts, a WIRED analysis of nearly 10,000 drone flight records from July 2021 to September 2023 found. The drones, often dispatched for serious incidents like reports of armed individuals, are also routinely deployed for minor issues such as shoplifting, vandalism, and loud music. [Drones are sent in response to about 1 in every 14 calls.] Early in the Covid-19 pandemic, the city even used drones to broadcast public service announcements to homeless encampments.

Despite the police promoting the benefits of the "Drone as First Responder" program, residents who encounter the technology day-to-day report feeling constantly watched. Some say they are afraid to spend time in their backyards; they fear that the machines are following them down the street, spying on them while they use the public pool or change their clothes. One resident says that he was so worried that the drones were harassing him that he went to the emergency room for severe depression and exhaustion. [A 60-year-old professor told Wired that the sound of drones kept them awake at night.]

The police drones, equipped with cameras and zoom lenses powerful enough to capture faces clearly and constantly recording while in flight, have amassed hundreds of hours of video footage of the city's residents. Their flight paths routinely take them over backyards and above public pools, high schools, hospitals, churches, mosques, immigration law firms, and even the city's Planned Parenthood facility. Privacy advocates argue that the extensive footage captured by the drones makes it difficult to distinguish between flights responding to specific incidents and mass surveillance from the sky. Department secrecy around the recordings remains the subject of ongoing litigation... At the time of our analysis, approximately one in 10 drone flights listed on the department's transparency portal lacked a stated purpose and could not be connected to any relevant 911 call.

Crime

New Linux Version of Ransomware Targets VMware ESXi (bleepingcomputer.com) 23

"Researchers observed a new Linux variant of the TargetCompany ransomware family that targets VMware ESXi environments," reports BleepingComputer: In a report Wednesday, cybersecurity company Trend Micro says that the new Linux variant for TargetCompany ransomware makes sure that it has administrative privileges before continuing the malicious routine... Once on the target system, the payload checks if it runs in a VMware ESXi environment by executing the 'uname' command and looking for 'vmkernel.' Next, a "TargetInfo.txt" file is created and sent to the command and control (C2) server. It contains victim information such as hostname, IP address, OS details, logged-in users and privileges, unique identifiers, and details about the encrypted files and directories. The ransomware will encrypt files that have VM-related extensions (vmdk, vmem, vswp, vmx, vmsn, nvram), appending the ".locked" extension to the resulting files.

Finally, a ransom note named "HOW TO DECRYPT.txt" is dropped, containing instructions for the victim on how to pay the ransom and retrieve a valid decryption key.
"After all tasks have been completed, the shell script deletes the payload using the 'rm -f x' command so all traces that can be used in post-incident investigations are wiped from impacted machines."

Thanks to long-time Slashdot reader joshuark for sharing the article.
Crime

Apple Watch Leads to Luggage Stolen By an Airport Store Worker (cnn.com) 44

A worker at a retail store in an airport has been charged with stealing thousands of dollars in electronics and clothing, reports the Washington Post. But what's more interesting is what led to his arrest...

A woman showed up at his home looking for the missing luggage that she'd tracked with her Apple Watch. CNN reports: Paola Garcia told CNN affiliate WPLG in Miami that she usually takes her suitcase onboard, but this time, she was told she had to check it. Garcia waited at least two hours for her pink roller bag, which contained an Apple MacBook, Apple iPad, Apple Watch, jewelry, high-end woman's clothing and toiletries. It never came out on the luggage belt. In her WPLG interview, Garcia said that Spirit Airlines told her that her luggage had been sent to her house. The luggage never came.

But Garcia explored another avenue with her own electronic tracker. Garcia, not named in the affidavit, later pinged the electronic items inside the bag to try and locate them, and the ping showed them at an address in Fort Lauderdale, the affidavit said... While at the house, she took video and still pictures, where she saw "several pieces of luggage in the front of the home," none of which were her own, the affidavit said. Garcia told WPLG that she dialed 911. "The first thing I remember the police told me is: 'What are you doing here? This is so dangerous for you to be here.' "

When a detective with the Broward County Sheriff's Office searched the address within the airport's employee databases, he found that Bazile reportedly lived at the address. Bazile was listed as working at a Paradies Lagardère Travel Retail store at the airport and was working on the day of the theft, according to the affidavit.

So apparently when the airline said the luggage had been sent to her house — they were wrong. In fact when police contacted a store manager, "he provided the detective with internal CCTV footage from the day of the incident," CNN reports, "which allegedly showed Bazile entering the store's storage room with a pink shell roller bag, matching the description of the stolen bag, and rummaging through the luggage, the affidavit said.

"He then appeared to take the MacBook and other smaller items out of the luggage and put them in other bags."
The Courts

Yelp Can Sue Reputation Company For Promising To Suppress Bad Reviews (reuters.com) 8

Yelp can pursue a lawsuit accusing a reputation management company of fraudulently advertising its ability to remove "bad" reviews from the business review website. From a report: In a decision late Thursday night, U.S. District Judge William Alsup in San Francisco said Yelp can pursue trademark infringement and unfair competition claims against ReviewVio, which operates as Dandy. Yelp said ReviewVio's ads, which include the Yelp logo, harmed its reputation by suggesting that businesses could pay for artificially inflated star ratings.

This allegedly undercut honest businesses that will not pay to remove negative reviews, and undermined the usefulness of Yelp's website to consumers. Yelp also said it lost ad revenue from businesses that paid for "review gating," which the company prohibits, or incorrectly believed that Yelp endorsed the practice.

Slashdot Top Deals