Government

US Sanctions Chinese Firm Linked to Seized Botnet (msn.com)

Remember that massive botnet run by Chinese government hackers? Flax Typhoon "compromised computer networks in North America, Europe, Africa, and across Asia, with a particular focus on Taiwan," according to the U.S. Treasury Department. (The group's botnet, seized this autumn, affected "at least 260,000 internet-connected devices," reports the Washington Post, "roughly half of which were located in the United States.")

On Friday, America's Treasury Department sanctioned "a Beijing-based cybersecurity company for its role in multiple computer intrusion incidents against U.S. victims..." according to an announcement from the department's Office of Foreign Assets Control. "Between summer 2022 and fall 2023, Flax Typhoon actors used infrastructure tied to Integrity Tech during their computer network exploitation activities against multiple victims. During that time, Flax Typhoon routinely sent and received information from Integrity Tech infrastructure."

From the Washington Post: The group behind the attacks was active since at least 2021, but U.S. authorities only managed to wrest control of the devices from the hackers in September, after the FBI won a court order that allowed the agency to send commands to the infected devices...

Treasury's designation follows sanctions announced last month on Sichuan Silence Information Technology Company, in which U.S. officials accused the company of exploiting technology flaws to install malware in more than 80,000 firewalls, including those protecting U.S. critical infrastructure. The new sanctions on Beijing Integrity Technology are notable due to the company's public profile and outsize role in servicing China's police and intelligence services via state-run hacking competitions. The company, which is listed in Shanghai and has a market capitalization of more than $327 million, plays a central role in providing state agencies "cyber ranges" — technology that allows them to simulate cyberattacks and defenses...

In September, FBI Director Christopher A. Wray said the Flax Typhoon attack successfully infiltrated universities, media organizations, corporations and government agencies, and in some cases caused significant financial losses as groups raced to replace the infected hardware. He said at the time that the operation to shut down the network was "one round in a much longer fight...." A 2024 assessment by the Office of the Director of National Intelligence said China is the most "active and persistent" cyberthreat and that actors under Beijing's direction have made efforts to breach U.S. critical infrastructure with the intention of lying in wait to be able to launch attacks in the event of major conflict.

"The Treasury sanctions bar Beijing Integrity Technology from access to U.S. financial systems and freeze any assets the company might hold in the United States," according to the article, "but the moves are unlikely to have a significant effect on the company," according to Dakota Cary, a fellow at the Atlantic Council who has studied the company's role in state-sponsored hacking.

IBM

IBM and GlobalFoundries Settle Multibillion-Dollar Trade Secret and Contract Lawsuits (theregister.com)

The Register's Jude Karabus reports: IBM and semiconductor maker GlobalFoundries have settled all of their litigation against each other, including breach of contract, patent, and trade secret suits, the pair say. The details of the settlement are confidential. All that both companies were prepared to say in yesterday's statements was that the deal they'd agreed would resolve "all litigation matters, inclusive of breach of contract, trade secrets, and intellectual property claims between the two companies." They added that the settlement would allow the companies to "explore new opportunities for collaboration in areas of mutual interest." In 2021, IBM sued GlobalFoundries for $2.5 billion, accusing it of failing to deliver on 10nm and 7nm chip production commitments, which disrupted IBM's hardware roadmap. GlobalFoundries countersued in 2023, alleging IBM misused trade secrets and poached engineers to support partnerships with Intel and Rapidus, potentially compromising proprietary technologies.

Privacy

Online Gift Card Store Exposed Hundreds of Thousands of People's Identity Documents (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: A U.S. online gift card store has secured an online storage server that was publicly exposing hundreds of thousands of customer government-issued identity documents to the internet. A security researcher, who goes by the online handle JayeLTee, found the publicly exposed storage server late last year containing driving licenses, passports, and other identity documents belonging to MyGiftCardSupply, a company that sells digital gift cards for customers to redeem at popular brands and online services.

MyGiftCardSupply's website says it requires customers to upload a copy of their identity documents as part of its compliance efforts with U.S. anti-money laundering rules, often known as "know your customer" checks, or KYC. But the storage server containing the files had no password, allowing anyone on the internet to access the data stored inside. JayeLTee alerted TechCrunch to the exposure last week after MyGiftCardSupply did not respond to the researcher's email about the exposed data. [...]

According to JayeLTee, the exposed data -- hosted on Microsoft's Azure cloud -- contained over 600,000 front and back images of identity documents and selfie photos of around 200,000 customers. It's not uncommon for companies subject to KYC checks to ask their customers to take a selfie while holding a copy of their identity documents to verify that the customer is who they say they are, and to weed out forgeries.

MyGiftCardSupply founder Sam Gastro told TechCrunch: "The files are now secure, and we are doing a full audit of the KYC verification procedure. Going forward, we are going to delete the files promptly after doing the identity verification." It's not known how long the data was exposed or if the company would commit to notifying affected individuals.

The Courts

Judge Will Not Dismiss Lawsuit Claiming Poland Spring Water is Not From a Spring (msn.com)

A federal judge in Connecticut refused to dismiss a long-running lawsuit accusing the former Nestle Waters North America of defrauding consumers by labeling its Poland Spring bottled water as "spring water." From a report: While rejecting some claims in the proposed class action, U.S. District Judge Jeffrey Alker Meyer in New Haven called it an open question whether Poland Spring qualified as spring water under the laws of Connecticut, Maine, Massachusetts, New Hampshire, New Jersey, New York, Pennsylvania and Rhode Island. Poland Spring is now owned by Tampa, Florida-based Primo Brands, following multiple corporate transactions. Consumers sued Nestle Waters, then owned by Nestle, in 2017, saying it deceived them into overpaying for Poland Spring with labels declaring it to be "Natural Spring Water" or "100% Natural Spring Water."

The plaintiffs said "not one drop" of the 1 billion gallons sold annually in the United States came from a natural spring, and that the actual Poland Spring in Maine "ran dry" two decades before Nestle bought the brand in 1992. In seeking a dismissal, Nestle Waters said geologists and officials in the eight states agreed that Poland Spring complied with a U.S. Food and Drug Administration rule defining spring water, and each state authorized its sale as "spring water."

Privacy

Cloudflare's VPN App Among Half-Dozen Pulled From Indian App Stores (techcrunch.com)

More than half-a-dozen VPN apps, including Cloudflare's widely-used 1.1.1.1, have been pulled from India's Apple App Store and Google Play Store following intervention from government authorities, TechCrunch reported Friday. From the report: The Indian Ministry of Home Affairs issued removal orders for the apps, according to a document reviewed by TechCrunch and a disclosure made by Google to Lumen, Harvard University's database that tracks government takedown requests globally.

United States

Constellation Inks $1 Billion Deal To Supply US Government With Nuclear Power (reuters.com)

An anonymous reader quotes a report from Reuters: Constellation Energy has been awarded a record $1 billion in contracts to supply nuclear power to the U.S. government over the next decade, the company said on Thursday. Constellation, the country's largest operator of nuclear power plants, will deliver electricity to more than 13 federal agencies as part of the agreements with the U.S. General Services Administration. The deal is the biggest energy purchase in the history of the GSA, which constructs and manages federal buildings, and is among the first major climate-focused energy agreements by the U.S. government to include electricity generated from existing nuclear reactors.

The GSA estimated that the contracts, set to begin on April 25, will comprise over 10 million megawatt-hours over 10 years and provide electricity equivalent to powering more than 1 million homes annually. The procurement will deliver electricity to 80 federal facilities located throughout the PJM Interconnection, a regional transmission operator with service covering more than 65 million people. The U.S. Department of Transportation, the Federal Reserve Board of Governors and the Army Corps of Engineers are some of the facilities that will receive the power. [...] Constellation said the deal will enable it to extend the licenses of existing nuclear plants and invest in new equipment and technology that will increase output by about 135 megawatts.

"The investments we make as a result of this contract will keep these plants operating reliably for decades to come and put new, clean nuclear energy on the grid while making the best use of taxpayer dollars," Constellation CEO Joe Dominguez said in a release.

Chrome

Hackers Target Dozens of VPN, AI Extensions For Google Chrome To Compromise Data

An anonymous reader quotes a report from The Record: Cybersecurity researchers have uncovered dozens of attacks that involve malicious updates for Chrome browser extensions, one week after a security firm was compromised in a similar incident. As of Wednesday, a total of 36 Chrome extensions injected with data-stealing code have been detected, mostly related to artificial intelligence (AI) tools and virtual private networks (VPNs), according to a report by ExtensionTotal, a platform that analyzes extensions listed on various marketplaces and public registries. These extensions, collectively used by roughly 2.6 million people, include third-party tools such as ChatGPT for Google Meet, Bard AI Chat, YesCaptcha Assistant, VPNCity and Internxt VPN. Some of the affected companies have already addressed the issue by removing the compromised extensions from the store or updating them, according to ExtensionTotal's analysis. [...]

It remains unclear whether all the compromised extensions are linked to the same threat actor. Security researchers warn that browser extensions "shouldn't be treated lightly," as they have deep access to browser data, including authenticated sessions and sensitive information. Extensions are also easy to update and often not subjected to the same scrutiny as traditional software. ExtensionTotal recommends that organizations use only pre-approved versions of extensions and ensure they remain unchanged and protected from malicious automatic updates. "Even when we trust the developer of an extension, it's crucial to remember that every version could be entirely different from the previous one," researchers said. "If the extension developer is compromised, the users are effectively compromised as well -- almost instantly."

Privacy

Siri 'Unintentionally' Recorded Private Convos; Apple Agrees To Pay $95 Million (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Apple has agreed (PDF) to pay $95 million to settle a lawsuit alleging that its voice assistant Siri routinely recorded private conversations that were then sold to third parties for targeted ads. In the proposed class-action settlement (PDF) -- which comes after five years of litigation -- Apple admitted to no wrongdoing. Instead, the settlement refers to "unintentional" Siri activations that occurred after the "Hey, Siri" feature was introduced in 2014, where recordings were apparently prompted without users ever saying the trigger words, "Hey, Siri." Sometimes Siri would be inadvertently activated, a whistleblower told The Guardian, when an Apple Watch was raised and speech was detected. The only clue that users seemingly had of Siri's alleged spying was eerily accurate targeted ads that appeared after they had just been talking about specific items like Air Jordans or brands like Olive Garden, Reuters noted. It's currently unknown how many customers were affected, but if the settlement is approved, the tech giant has offered up to $20 per Siri-enabled device for any customers who made purchases between September 17, 2014, and December 31, 2024. That includes iPhones, iPads, Apple Watches, MacBooks, HomePods, iPod touches, and Apple TVs, the settlement agreement noted. Each customer can submit claims for up to five devices.

A hearing at which the settlement could be approved is currently scheduled for February 14. If the settlement is certified, Apple will send notices to all affected customers. Through the settlement, customers can not only get monetary relief but also ensure that their private phone calls are permanently deleted. While the settlement appears to be a victory for Apple users after months of mediation, it potentially lets Apple off the hook pretty cheaply. If the court had certified the class action and Apple users had won, Apple could've been fined more than $1.5 billion under the Wiretap Act alone, court filings showed. But lawyers representing Apple users decided to settle, partly because data privacy law is still a "developing area of law imposing inherent risks that a new decision could shift the legal landscape as to the certifiability of a class, liability, and damages," the motion to approve the settlement agreement said. It was also possible that the class size could be significantly narrowed through ongoing litigation, if the court determined that Apple users had to prove their calls had been recorded through an incidental Siri activation -- potentially reducing recoverable damages for everyone.

United States

US Appeals Court Blocks Biden Administration Effort To Restore Net Neutrality Rules (reuters.com)

A U.S. appeals court ruled on Thursday the Federal Communications Commission did not have legal authority to reinstate landmark net neutrality rules. From a report: The decision is a blow to the outgoing Biden administration that had made restoring the open internet rules a priority. President Joe Biden signed a 2021 executive order encouraging the FCC to reinstate the rules.

A three-judge panel of the Cincinnati-based 6th U.S. Circuit Court of Appeals said the FCC lacked authority to reinstate the rules initially implemented in 2015 by the agency under Democratic former President Barack Obama, but then repealed by the commission in 2017 under Republican former President Donald Trump.

The rules also forbid special arrangements in which ISPs give improved network speeds or access to favored users. The court cited the Supreme Court's June decision in a case known as Loper Bright to overturn a 1984 precedent that had given deference to government agencies in interpreting laws they administer, in the latest decision to curb the authority of federal agencies. "Applying Loper Bright means we can end the FCC's vacillations," the court ruled.

XBox (Games)

Russia Admits Its Homegrown Consoles Can't Match the PS5 or Xbox Series (techspot.com)

Earlier this year, Russian President Vladimir Putin called on the government to develop its own domestically produced gaming consoles with proprietary operating systems and cloud-based platforms. "With Russia heavily sanctioned and looking to promote its own products, one of its in-development consoles is powered by the Elbrus processor," notes TechSpot. However, the processor is "designed primarily for domestic applications in critical infrastructure, defense, and other sensitive areas" and "can't match high-end CPUs from Intel, AMD, and Arm." From the report: The Russian government admits that this device isn't going to be on the same level as current-gen machines. "I hope my colleagues will approach this task with full responsibility and come up with something truly groundbreaking," said Anton Gorelkin, Deputy Chairman of the State Duma Committee on Information Policy. "It is obvious to everyone: Elbrus processors are not yet at the level required to compete equally with the PS5 and Xbox, which means the solution must be unconventional." Gorelkin said that Russian consoles aren't being designed only to play ports of hundreds of old, less-demanding games. He added that they should primarily serve the purpose of promoting and popularizing domestic video game products.

Another organization following Putin's instructions is Russian telecommunications firm MTS. Its console will use the company's cloud-based gaming platform, called Fog Play. It allows owners of high-end PCs to rent out their computing power to those with less-powerful equipment, charging an hourly price. Those with more powerful PCs can access games on the service and use their own hardware to play them. MTS' device is expected to cost no more than $45 and come with an Xbox-like controller, suggesting it's unlikely to appeal to those who enjoy current-gen console games.

Crime

US Army Soldier Arrested In AT&T, Verizon Extortions (krebsonsecurity.com)

An anonymous reader quotes a report from KrebsOnSecurity: Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon. As first reported by KrebsOnSecurity last month, the accused is a communications specialist who was recently stationed in South Korea. Cameron John Wagenius was arrested near the Army base in Fort Hood, Texas on Dec. 20, after being indicted on two criminal counts of unlawful transfer of confidential phone records. The sparse, two-page indictment (PDF) doesn't reference specific victims or hacking activity, nor does it include any personal details about the accused. But a conversation with Wagenius' mother -- Minnesota native Alicia Roen -- filled in the gaps.

Roen said that prior to her son's arrest he'd acknowledged being associated with Connor Riley Moucka, a.k.a. "Judische," a prolific cybercriminal from Canada who was arrested in late October for stealing data from and extorting dozens of companies that stored data at the cloud service Snowflake. In an interview with KrebsOnSecurity, Judische said he had no interest in selling the data he'd stolen from Snowflake customers and telecom providers, and that he preferred to outsource that to Kiberphant0m and others. Meanwhile, Kiberphant0m claimed in posts on Telegram that he was responsible for hacking into at least 15 telecommunications firms, including AT&T and Verizon. On November 26, KrebsOnSecurity published a story that followed a trail of clues left behind by Kiberphant0m indicating he was a U.S. Army soldier stationed in South Korea.

[...] Immediately after news broke of Moucka's arrest, Kiberphant0m posted on the hacker community BreachForums what they claimed were the AT&T call logs for President-elect Donald J. Trump and for Vice President Kamala Harris. [...] On that same day, Kiberphant0m posted what they claimed was the "data schema" from the U.S. National Security Agency. On Nov. 5, Kiberphant0m offered call logs stolen from Verizon's push-to-talk (PTT) customers -- mainly U.S. government agencies and emergency first responders. On Nov. 9, Kiberphant0m posted a sales thread on BreachForums offering a "SIM-swapping" service targeting Verizon PTT customers. In a SIM-swap, fraudsters use credentials that are phished or stolen from mobile phone company employees to divert a target's phone calls and text messages to a device they control.

The Courts

The 'Godfather' of AI is Backing Musk's Lawsuit Against OpenAI (msn.com)

Nobel laureate Geoffrey Hinton has backed Elon Musk's legal challenge against OpenAI, criticizing the AI startup's shift from its nonprofit origins toward a for-profit model. "OpenAI was founded as an explicitly safety-focused non-profit and made various safety related promises in its charter," Hinton said in a statement through AI advocacy group Encode. "Allowing it to tear all of that up when it becomes inconvenient sends a very bad message to other actors in the ecosystem."

Musk, who co-founded OpenAI in 2015 but left in 2018, filed an injunction last month to block the company's transition to a for-profit entity. OpenAI dismissed the filing as "utterly without merit." Hinton, who won the 2024 Physics Nobel Prize for his pioneering work in neural networks, has previously criticized OpenAI CEO Sam Altman in October for prioritizing profits over safety concerns.

Government

US Treasury Says Chinese Hackers Stole Documents In 'Major Incident' (reuters.com)

An anonymous reader quotes a report from Reuters: Chinese state-sponsored hackers broke into the U.S. Treasury Department earlier this month and stole documents from its workstations, according to a letter to lawmakers that was provided to Reuters on Monday. The hackers compromised a third-party cybersecurity service provider and were able to access unclassified documents, the letter said, calling it a "major incident."

According to the letter, hackers "gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able to override the service's security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users." After being alerted by cybersecurity provider BeyondTrust, the Treasury Department said it was working with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to assess the hack's impact.

Developing...

Government

Most Safety Complaints From Plane-Industry Whistleblowers 'Go Nowhere', Risk Retaliation (seattletimes.com)

America's aerospace industry is overseen by the Federal Aviation Administration (or FAA) — which also handles safety warnings from the industry's whistleblowers. But the Seattle Times says an analysis of reports to Congress found "an overwhelmed system delivering underwhelming results for whistleblowers... More than 90% of safety complaints from 2020 through 2023 ended with no violation found by the FAA, while whistleblowers reported them at great personal and professional risk." Aside from the FAA's in-house program, employees of Boeing, Spirit and the FAA can report safety hazards to the Office of Special Counsel, which has no FAA ties, or through internal employer complaint programs, such as Boeing's Speak Up and Spirit's Quality 360, to trigger company reviews... In the aftermath of the door-plug blowout over Portland, Boeing specifically asked its employees to use the Speak Up program or the FAA's internal process to report any concerns, according to Boeing spokesperson Jessica Kowal. Both have done a poor job protecting whistleblowers from retaliation, according to a congressionally appointed expert panel... While both were designed to guard against retaliation, critics say they have instead become enablers of it...

A panel of aviation safety experts in February rebuked Boeing's Speak Up program in a report to Congress. Whistleblower advocates criticized Speak Up for commonly outing whistleblowers to the supervisors they're complaining about, exposing them to retaliation. Managers sometimes investigated complaints against themselves. Employees mistrusted the program's promise of anonymity. Collectively, the befuddling maze of whistleblower options sowed "confusion about reporting systems that may discourage employees from submitting safety concerns," according to the expert panel's report....

[Boeing quality inspector Sam Mohawk, who alleged the 737 MAX line in Renton was losing track of subpar aircraft parts], continues to pursue his FAA claim, originally submitted through Boeing's Speak Up program. Months passed before Boeing addressed Mohawk's complaint. When it did, Mohawk's report was passed to the managers he was complaining about, according to Brian Knowles, Mohawk's South Carolina-based lawyer. "If you do Speak Up, just know that your report is going to go straight to the guys you're accusing of wrongdoing. They aren't going to say, 'Thanks for speaking up against us,'" Knowles said.

The article includes this quote about the FAA's in-house whistleblower program from Tom Devine, a whistleblower attorney with nearly a half-century of experience across a spectrum of federal agencies, and legal director of the nonprofit Government Accountability Project, which helps whistleblowers navigate the federal system. "It's been a disaster from the beginning. We tell everyone to avoid it because it's a trap... We've warned whistleblowers not to entrust their rights there."

The Internet

Finland Finds Drag Marks Near Broken Undersea Cable. Russia's 'Shadow Fleet' Suspected (msn.com)

Reuters reports: Finnish police said on Sunday they had found tracks that drag on for dozens of kilometres along the bottom of the Baltic Sea where a tanker carrying Russian oil is suspected of breaking a power line and four telecoms cables with its anchor... A break in the 658 megawatt (MW) Estlink 2 power cable between Finland and Estonia occurred at midday on Wednesday, leaving only the 358 MW Estlink 1 linking the two countries, grid operators said. They said Estlink 2 might not be back in service before August.

In an interesting twist, the New York Times reports that the ship "bears all the hallmarks of vessels belonging to Russia's shadow fleet, officials said, and had embarked from a Russian port shortly before the cables were cut." If confirmed, it would be the first known instance of a shadow fleet vessel being used to intentionally sabotage critical infrastructure in Europe — and, officials and experts said, a clear escalation by Russia in its conflict with the West... NATO's general secretary, Mark Rutte, responding to requests from the leaders of Finland and Estonia, both member nations, said the Atlantic alliance would "enhance" its military presence in the Baltic Sea...

Since Russia began assembling its fleet, the number of shadow vessels traversing the oceans has grown by hundreds and now makes up 17 percent of the total global oil tanker fleet... Nearly 70 percent of Russia's oil is being transported by shadow tankers, according to an analysis published in October by the Kyiv School of Economics Institute, a research organization based in Ukraine... The authorities in Finland are still investigating whether the "Eagle S" engaged in a criminal act. But the sheer size of the shadow fleet might have made using some of these vessels for sabotage irresistible to Russia, [said Elisabeth Braw, a senior fellow at the Atlantic Council who has researched and written about shadow fleets]...

While it's still not certain that this week's cable cutting was done intentionally, the Baltic Sea, for a number of reasons, is an ideal arena to carry out sabotage operations. It is relatively shallow and is crisscrossed with essential undersea cables and pipelines that provide energy, as well as internet and phone services, to a number of European countries that are NATO members. Russia has relatively unfettered access to the sea from several ports, and its commercial vessels, protected by international maritime law, can move around international waters largely unmolested... The suspicions that Russia was using shadow vessels for more than just escaping sanctions existed before this week's cable cutting. Last April, the head of Sweden's Navy told a local news outlet that there was evidence such ships were being used to conduct signals intelligence on behalf of Russia and that some fishing vessels had been spotted with antennas and masts not normally seen on commercial vessels. Since the war began, there has also been an uptick in suspicious episodes resulting in damage to critical undersea infrastructure...

Hours after Finland's energy grid operator alerted the police that an undersea power cable was damaged on Wednesday, Finnish officers descended by helicopter to the ship's deck and took over the bridge, preventing the vessel from sailing farther. By Friday, it remained at anchor in the Gulf of Finland, guarded by a Finnish Defense Forces missile boat and a Border Guard patrol vessel.

The cable incident happened just weeks after the EU issued new sanctions targeting Russia's shadow fleet, Euronews reports. "A handful of Chinese companies suspected of enabling Russia's production of drones are also blacklisted as part of the agreement, a diplomat told Euronews." The "shadow fleet" has been accused of deceptive practices, including transmitting falsified data and turning off their transponders to become invisible to satellite systems, and conducting multiple ship-to-ship transfers to conceal the origin of the oil barrels...

Government

'Universal Basic Income' Isn't a Silver Bullet, Says Lead Researcher on Sam Altman's Study (yahoo.com)

Business Insider reports: The lead researcher for Sam Altman's basic-income study says guaranteed no-strings payments are not a silver bullet for issues facing lower-income Americans. Elizabeth Rhodes, the research director for the Basic Income Project at Open Research, told Business Insider that while basic-income payments are "beneficial in many ways," the programs also have "clear limitations...."

Rhodes headed up one of the largest studies in the space, which focused specifically on those on low incomes rather than making universal payments to adults across all economic demographics. The three-year experiment, backed by OpenAI boss Altman, provided 1,000 low-income participants with $1,000 a month without any stipulations for how they could spend it.... The initial findings, released in July, found that recipients put the bulk of their extra spending toward basic needs such as rent, transportation, and food. They also worked less on average but remained engaged in the workforce and were more deliberate in their job searches compared with a control group. But Rhodes says the research reinforced how difficult it is to solve complex issues such as poverty or economic insecurity, and that there is "a lot more work to do."

The Altman-backed study is still reporting results. New findings released in December showed recipients valued work more after receiving the recurring monthly payments — a result that may challenge one of the main arguments against basic income payments. Participants also reported significant reductions in stress, mental distress, and food insecurity during the first year, though those effects faded by the second and third years of the program. "Poverty and economic insecurity are incredibly difficult problems to solve," Rhodes said. "The findings that we've had thus far are quite nuanced."

She added: "There's not a clear through line in terms of, this helps everyone, or this does that. It reinforced to me the idea that these are really difficult problems that, maybe, there isn't a singular solution."

In an earlier article, coauthor David Broockman told Business Insider that the study's results might offer insights into how future programs could be successful — but said that the study's results didn't necessarily confirm the fears or hopes expressed by skeptics or supporters of a basic income.

Thanks to Slashdot reader jjslash for sharing the news.
United States

New York Passes Law Making Fossil Fuel Companies Pay $75 Billion for 'Climate Superfund' (nysenate.gov) 164

Thursday New York's governor signed new legislation "to hold polluters responsible for the damage done to our environment" by establishing a Climate Superfund that's paid for by big fossil-fuel companies.

The money will be used for "climate change adaptation," according to New York state senator Liz Krueger, who notes that the legislation follows "the polluter-pays model" used in America's already-existing federal and state superfund laws. Spread out over 25 years, the legislation collects an average of $3 billion each year — or $75 billion — "from the parties most responsible for causing the climate crisis — big oil and gas companies."

"The Climate Change Superfund Act is now law, and New York has fired a shot that will be heard round the world: the companies most responsible for the climate crisis will be held accountable," said Senator Krueger. "Too often over the last decade, courts have dismissed lawsuits against the oil and gas industry by saying that the issue of climate culpability should be decided by legislatures. Well, the Legislature of the State of New York — the 10th largest economy in the world — has accepted the invitation, and I hope we have made ourselves very clear: the planet's largest climate polluters bear a unique responsibility for creating the climate crisis, and they must pay their fair share to help regular New Yorkers deal with the consequences.

"And there's no question that those consequences are here, and they are serious," Krueger continued. "Repairing from and preparing for extreme weather caused by climate change will cost more than half a trillion dollars statewide by 2050. That's over $65,000 per household, and that's on top of the disruption, injury, and death that the climate crisis is causing in every corner of our state. The Climate Change Superfund Act is a critical piece of affordability legislation that will deliver billions of dollars every year to ease the burden on regular New Yorkers...."

Starting in the 1970s, scientists working for Exxon made "remarkably accurate projections of just how much burning fossil fuels would warm the planet." Yet for years, "the oil giant publicly cast doubt on climate science, and cautioned against any drastic move away from burning fossil fuels, the main driver of climate change."

"The oil giant Saudi Aramco of Saudi Arabia could be slapped with the largest annual assessment of any company — $640 million a year — for emitting 31,269 million tons of greenhouse gases from 2000 to 2020," notes the New York Post.

And "The law will also standardize the number of emissions tied to the fuel produced by companies," reports the Times Union newspaper. "[F]or every 1 million pounds of coal, for example, the program assigns over 942 metric tons of carbon dioxide. For every 1 million barrels of crude oil, an entity is considered to have produced 432,180 metric tons of carbon dioxide." Among the infrastructure programs the superfund program aims to pay for: coastal wetlands restoration, energy efficient cooling systems in buildings, including schools and new housing developments, and stormwater drainage upgrades.

New York is now the second U.S. state with a "climate Superfund" law, according to Bloomberg Law, with New York following the lead of Vermont. "Maryland, Massachusetts, and California are also considering climate Superfund laws to manage mounting infrastructure costs." The American Petroleum Institute, which represents about 600 members of the industry, condemned the law. "This type of legislation represents nothing more than a punitive new fee on American energy, and we are evaluating our options moving forward," an API spokesperson said in an emailed statement... The bills — modeled after the federal Comprehensive Environmental Response, Compensation, and Liability Act, known as Superfund — would almost certainly spur swift litigation from fossil fuel companies upon enactment, legal educators say.
Government

Millions of US Seniors Still Owe Student Loan Debt (msn.com) 177

Valerie Warner is 71 years old — and owes $268,000 in student loans.

Roughly 40 years ago she went to law school, but was only able to find work as a legal aide and later work in the public school system, which the Washington Post calls "a rewarding job but one that didn't pay enough to wipe out her loans." Later she earned a master's of education degree: All told, Warner borrowed a total of about $60,000 for her two advanced degrees. The amount seemed reasonable given the career trajectory that both credentials promised, but that path never materialized. Working a series of low-wage jobs, she went in and out of forbearance before ultimately defaulting. The balance ballooned to the current $268,000 total over the years due to collection fees and interest capitalization.

And she's not the only one in debt. "On a dreary December afternoon, a group of senior citizens stood in the rain outside the Education Department pleading for relief from a debt that many fear will burden them for the rest of their lives..." Some sat in rocking chairs, cross-stitching their debt number in a pattern. Others held signs that read, "Time is running out, sunset our debt." Or wore T-shirts saying, "Debt relief before we die...."

[A]ctivists are urging the U.S. Education Department to discharge the student debt of older borrowers who they say are in no position to repay. They say the department could use a little-known federal statute that considers a person's ability to pay within a reasonable time and the inability of the government to collect the debt in full. There are 2.8 million federal student loan borrowers aged 62 and older with a total of $121.5 billion in debt, more than 726,300 of them over the age of 71, according to the Education Department. Older borrowers are one of the fastest-growing segments of the government's student loan portfolio, and their Social Security benefits are subject to garnishment...

The Education Department would only acknowledge receiving a memo from the Debt Collective, the group organizing the campaign, outlining the agency's authority to cancel the debt of older borrowers. The activist organization said it has been meeting with members of Congress, White House committees and Education Department officials about the matter since September. "Many of these folks have been borrowers for 20 or 30 years, with punishingly high interest rates. Their balances and the way they have dragged on for decades is just an indictment of the broken system and the failure of past relief efforts," said Eleni Schirmer, an organizer with the Debt Collective... According to the think tank New America, the number of Americans approaching retirement age with student loan debt has skyrocketed over 500 percent in the last two decades. Some have loans they took out to finance their college educations, while others took out federal Parent Plus loans or co-signed private loans for their children.

The article points out that the U.S. government will garnish up to 15 percent of the Social Security income to recoup student loan debt, even if it means leaving recipients below the poverty line.

But it also includes this quote from Adam Minsky, an attorney who specializes in student debt, about the prospects for federal action that survives challenges in the U.S. court system. "[A]s a practical matter, I don't think that judges and courts that have been hostile to mass debt relief would treat this differently from other programs that have been blocked or struck down."
Businesses

Lyft Says San Francisco Overcharged It $100 Million In Taxes (techcrunch.com) 37

An anonymous reader quotes a report from TechCrunch: Lyft is suing the city of San Francisco, claiming the city unfairly charged the ride-hailing company over $100 million in taxes, Bloomberg reports. The lawsuit alleges that, over the course of five years, San Francisco unfairly labeled money earned by Lyft drivers as company revenue. In the complaint, Lyft maintains that its drivers are its customers, not employees. "Accordingly, Lyft recognizes revenue from rideshare as being comprised of fees paid to Lyft by drivers, not charges paid by riders to drivers," the complaint reads.
Privacy

Massive VW Data Leak Exposed 800,000 EV Owners' Movements (carscoops.com) 69

A new report reveals that the VW Group left sensitive data for 800,000 electric vehicles from Audi, VW, Seat, and Skoda poorly secured on an Amazon cloud, exposing precise GPS locations, battery statuses, and user habits for months. Carscoops reports: It gets worse. A more tech-savvy user could reportedly connect vehicles to their owners' personal credentials, thanks to additional data accessible through VW Group's online services. Crucially, in 466,000 of the 800,000 cases, the location data was so precise that anyone with access could create a detailed profile of each owner's daily habits. As reported by Spiegel, the massive list of affected owners isn't just a who's-who of regular folks. It includes German politicians, entrepreneurs, Hamburg police officers (the entire EV fleet, no less), and even suspected intelligence service employees. Yes, even spies may have been caught up in this digital debacle.

This glaring error originated from Cariad, a VW Group company that focuses on software, due to an error that occurred in the summer of 2024. An anonymous whistleblower used freely accessible software to dig up the sensitive information and promptly alerted Chaos Computer Club (CCC), Europe's largest hacker association. CCC wasted no time contacting Lower Saxony's State Data Protection Officer, the Federal Ministry of the Interior, and other security bodies. They also gave VW Group and Cariad 30 days to address the issue before going public. According to CCC, Cariad's technical team "responded quickly, thoroughly and responsibly," blocking unauthorized access to its customers' data.