In a first-of-its-kind prosecution, a California man was arrested and charged Monday with allegedly smuggling potent, greenhouse gases from Mexico. From a report: Michael Hart, a 58-year-old man from San Diego, pleaded not guilty to smuggling hydrofluorocarbons, or HFCs -- commonly used in air conditioning and refrigeration -- and selling them for profit, in a federal court hearing Monday. According to the indictment, Hart allegedly purchased the HFCs in Mexico and smuggled them into the US in the back of his truck, concealed under a tarp and tools. He is then alleged to have sold them for a profit on sites including Facebook Marketplace and OfferUp. [...] Hart has pleaded not guilty to 13 charges including conspiracy, importation contrary to law and sale of merchandise imported contrary to law. The charges carry potential prison sentences ranging from five to 20 years.

HFCs, which are also used in building insulation, fire extinguishing systems and aerosols, are banned from import into the US without permission from the Environmental Protection Agency. These greenhouse gases are short-lived in the atmosphere," but powerful -- some are thousands of times more potent than carbon dioxide in the near-term. "The illegal smuggling of hydrofluorocarbons, a highly potent greenhouse gas, undermines international efforts to combat climate change," said David M. Uhlmann, the assistant administrator for the EPA's Office of Enforcement and Compliance Assurance. "Anyone who seeks to profit from illegal actions that worsen climate change must be held accountable," he added. "Today is a significant milestone for our country," said US Attorney Tara McGrath in a statement. "This is the first time the Department of Justice is prosecuting someone for illegally importing greenhouse gases, and it will not be the last."

Longtime Slashdot reader SonicSpike shares a report from The Intercept: With the new version of Signal, you will no longer broadcast your phone number to everyone you send messages to by default, though you can choose to if you want. Your phone number will still be displayed to contacts who already have it stored in their phones. Going forward, however, when you start a new conversation on Signal, your number won't be shared at all: Contacts will just see the name you use when you set up your Signal profile. So even if your contact is using a custom Signal client, for example, they still won't be able to discover your phone number since the service will never tell it to them.

You also now have the option to set a username, which Signal lets you change whenever you want and delete when you don't want it anymore. Rather than directly storing your username as part of your account details, Signal stores a cryptographic hash of your username instead; Signal uses the Ristretto 25519 hashing algorithm, essentially storing a random block of data instead of usernames themselves. This is like how online services can confirm a user's password is valid without storing a copy of the actual password itself. "As far as we're aware, we're the only messaging platform that now has support for usernames that doesn't know everyone's usernames by default," said Josh Lund, a senior technologist at Signal. The move is yet another piece of the Signal ethos to keep as little data on hand as it can, lest the authorities try to intrude on the company. Whittaker explained, "We don't want to be forced to enumerate a directory of usernames." [...]

If Signal receives a subpoena demanding that they hand over all account data related to a user with a specific username that is currently active at the time that Signal looks it up, they would be able to link it to an account. That means Signal would turn over that user's phone number, along with the account creation date and the last connection date. Whittaker stressed that this is "a pretty narrow pipeline that is guarded viciously by ACLU lawyers," just to obtain a phone number based on a username. Signal, though, can't confirm how long a given username has been in use, how many other accounts have used it in the past, or anything else about it. If the Signal user briefly used a username and then deleted it, Signal wouldn't even be able to confirm that it was ever in use to begin with, much less which accounts had used it before.

In short, if you're worried about Signal handing over your phone number to law enforcement based on your username, you should only set a username when you want someone to contact you, and then delete it afterward. And each time, always set a different username. Likewise, if you want someone to contact you securely, you can send them your Signal link, and, as soon as they make contact, you can reset the link. If Signal receives a subpoena based on a link that was already reset, it will be impossible for them to look up which account it was associated with. If the subpoena demands that Signal turn over account information based on a phone number, rather than a username, Signal could be forced to hand over the cryptographic hash of the account's username, if a username is set. It would be difficult, however, for law enforcement to learn the actual username itself based on its hash. If they already suspect a username, they could use the hash to confirm that it's real. Otherwise, they would have to guess the username using password cracking techniques like dictionary attacks or rainbow tables.

An anonymous reader quotes a report from Ars Technica: Oregon has joined the small but growing list of states that have passed right-to-repair legislation. Oregon's bill stands out for a provision that would prevent companies from requiring that official parts be unlocked with encrypted software checks before they will fully function. Bill SB 1596 passed Oregon's House by a 42 to 13 margin. Gov. Tina Kotek has five days to sign the bill into law. Consumer groups and right-to-repair advocates praised the bill as "the best bill yet," while the bill's chief sponsor, state Sen. Janeen Sollman (D), pointed to potential waste reductions and an improved second-hand market for closing a digital divide.

"Oregon improves on Right to Repair laws in California, Minnesota and New York by making sure that consumers have the choice of buying new parts, used parts, or third-party parts for the gadgets and gizmos," said Gay Gordon-Byrne, executive director of Repair.org, in a statement. Like bills passed in New York, California, and Minnesota, Oregon's bill requires companies to offer the same parts, tools, and documentation to individual and independent repair shops that are already offered to authorized repair technicians. Unlike other states' bills, however, Oregon's bill doesn't demand a set number of years after device manufacture for such repair implements to be produced. That suggests companies could effectively close their repair channels entirely rather than comply with the new requirements. California's bill mandated seven years of availability.

If signed, the law's requirements for parts, tools, and documentation would apply to devices sold after 2015, except for phones, which are covered after July 2021. The prohibition against parts pairing only covers devices sold in 2025 and later. Like other repair bills, a number of device categories are exempted, including video game consoles, HVAC and medical gear, solar systems, vehicles, and, very specifically, "Electric toothbrushes."

Microsoft has filed a motion seeking to dismiss key parts of a lawsuit The New York Times filed against the company and Open AI, accusing them of copyright infringement. From a report: If you'll recall, The Times sued both companies for using its published articles to train their GPT large language models (LLMs) without permission and compensation. In its filing, the company has accused The Times of pushing "doomsday futurology" by claiming that AI technologies pose a threat to independent journalism. It follows OpenAI's court filing from late February that's also seeking to dismiss some important elements on the case.

Like OpenAI before it, Microsoft accused The Times of crafting "unrealistic prompts" in an effort to "coax the GPT-based tools" to spit out responses matching its content. It also compared the media organization's lawsuit to Hollywood studios' efforts to " stop a groundbreaking new technology:" The VCR. Instead of destroying Hollywood, Microsoft explained, the VCR helped the entertainment industry flourish by opening up revenue streams. LLMs are a breakthrough in artificial intelligence, it continued, and Microsoft collaborated with OpenAI to "help bring their extraordinary power to the public" because it "firmly believes in LLMs' capacity to improve the way people live and work."

Piracy was traditionally seen as something that predominantly young males were interested in. This is a largely outdated representation of reality, as girls and women began to catch up a long time ago. In some countries, including Indonesia, more women pirate music, movies, and TV-shows than their male counterparts. TorrentFreak reports: [N]ew findings published by researchers from Northumbria University Newcastle, which include gender, are worth highlighting. The survey data, looking at piracy trends in Thailand and Indonesia, was released by Marketing professor Dr. Xuemei Bian and Ms. Humaira Farid. The results were presented to WIPO's Advisory Committee on Enforcement recently and the associated presentation (PDF) was published online. Through an online survey and in-person interviews, the research aims to map consumer attitudes and behaviors in Indonesia and Thailand, particularly in connection with online copyright infringement.

One of the overall conclusions is that piracy remains a common activity in both Asian countries. Pirates are present in all age groups but and music, movies en TV-shows tend to be in highest demand and younger people. Those under 40, are more likely to pirate than their older counterparts. These findings are not out of the ordinary and the same trends are visible in other countries too. Interestingly, however, some notable differences between the two countries appear when gender is added to the mix. The tables below show that women are more likely to pirate than men in Indonesia. This is true for all content categories, except for software, where men are slightly in the lead. In Thailand, however, men are more likely to pirate across all categories. The researchers do not attempt to explain these differences. However, they show once again that 'dated' gender stereotypes don't always match with reality. And when they have little explanatory value, one can question whether gender is even relevant in a piracy context.

Looking at other differences between Thai and Indonesian consumers there are some other notable findings. For example, in Indonesia, 64% of the respondents say they're aware of the availability of pirated movies and TV-shows on YouTube, compared to 'just' 32% in Thailand. Indonesian consumers are also more familiar with music piracy sites and pirate much more frequently than Thai consumers, as the table below shows. Finally, the researchers also looked at various attitudes toward piracy. This shows that Thai pirates would be most likely to stop if legal services were more convenient, while Indonesian pirates see cheaper legal services as the largest discouraging factor.

According to the San Francisco police department, police have made the first arrest in relation to several recent vehicle arsons, including the crowd attack of a Waymo robotaxi last month in Chinatown. The San Francisco Standard reports: Police say officers arrested a man meeting the description of a person suspected of lighting several vehicles on fire. That man was arrested on Feb. 27 near Union Square. The department did not share the suspect's name because it said the case is open and remains under investigation. Nor did the department comment on which other vehicle fires the suspect may have been suspected of starting. Several Teslas were set alight in the weeks after the Waymo arson. The suspect was also found to have had methamphetamine on them.

An anonymous reader quotes a report from Ars Technica: Jack Teixeira, the National Guard airman who leaked confidential military documents on Discord, agreed Monday to plead guilty, promising to cooperate with officials attempting to trace the full extent of government secrets leaked. Under the plea deal, Teixeira will serve a much-reduced sentence, The Boston Globe reported, recommended between 11 years and 16 years and eight months. Previously, Teixeira had pleaded not guilty to six counts of "willful retention and transmission of national defense information," potentially facing up to 10 years per count. During a pretrial hearing, prosecutors suggested he could face up to 25 years, The Globe reported.

By taking the deal, Teixeira will also avoid being charged with violations of the Espionage Act, The New York Times reported, including allegations of unlawful gathering and unauthorized removal of top-secret military documents. According to prosecutors, it was clear that Teixeira, 22, was leaking sensitive documents -- including national security secrets tied to US foreign adversaries and allies, including Russia, China, Ukraine, and South Korea -- just to impress his friends on Discord -- some of them teenage boys. Investigators found no evidence of espionage. US District Judge Indira Talwani will decide whether or not to sign off on the deal at a hearing scheduled for September 27.

ZipK writes: Cord Cutters New reports that Roku has rolled out new terms of service that require users to accept individual arbitration. To gain acceptance, Roku devices pop up a dialog box that can only be dismissed if you accept the new terms or turn off your Roku and stop using it. As expected, much discussion has ensued in the Roku community.

Per the Roku Dispute Resolution Terms, users can opt out within 30 days of being subject to the new terms by sending a surface mail request to General Counsel, Roku Inc., 1701 Junction Court, Suite 100, San Jose, CA 95112. One poster in the community forum noted that the effective date of the change was Feb 20th, which may shorten the 30 day period for opting out. Longtime Slashdot reader blastard also shared the news.

An anonymous reader quotes a report from Liliputing: Yuzu is a free and open source emulator that makes it possible to run Nintendo Switch games on Windows, Linux, and Android devices. First released in 2018, the software has been under constant development since then (the Android port was released less than a year ago). But last week Nintendo sued the developers, claiming that the primary purpose of the software is to circumvent Nintendo Switch encryption and allow users to play pirated games. Rather than fight the case in court, Tropic Haze (the developers behind Yuzu) have agreed to a settlement which involves paying $2.4 million in damages to Nintendo and basically shutting down Yuzu.

As part of a permanent injunction, Tropic Haze has agreed to stop distributing, advertising, or promoting Yuzu or any of its source code or features or any other "software or devices that circumvent Nintendo's technical protection measures." The court is also ordering the developers to turn over the yuzu-emu.org website to Nintendo and bars them "from supporting or facilitating access" to any other related websites, social media, chatrooms, or apps. In one of the more bizarre parts of the court order, the Yuzu team is told to delete all "circumvention devices," which includes any tools used for development of Yuzu and "all copies of Yuzu."

In 1970 an Oregon man discovered a body with "clear signs of foul play".

NPR reports that "The identity of the young woman remained a mystery — until Thursday." State authorities identified the woman as Sandra Young, a teenager from Portland who went missing between 1968 and 1969. Her identity was discovered through advanced DNA technology, which has helped solve stubborn cold cases in recent years. The case's breakthrough came last year in January, when a person uploaded their DNA to the genealogy database GEDMatch and the tool immediately determined that the DNA donor was a distant family member of Young....

From there, a genetic genealogist working with local law enforcement helped track down other possible relatives and encouraged them to provide their DNA. That work eventually led to Young's sister and other family members, who confirmed that Young went missing around the same time.
Thanks to Slashdot reader Tony Isaac for sharing the news.

Some news from "Copyleft Currents", the blog of open-source/IP lawyer Heather Meeker: On February 14, 2024, the Court of Appeal of Paris issued an order stating that Orange, a major French telecom provider, had infringed the copyight of Entr'Ouvert's Lasso software and violated the GPL.

They ordered Orange to pay €500,000 in compensatory damages and €150,000 for moral damages.

This case has been ongoing for many years. Entr'ouvert is the publisher of Lasso, a reference library for the Security Assertion Markup Language (SAML) protocol, an open standard for identity providers to authenticate users and pass authentication tokens to online services. This is the open protocol that enables single sign-on (SSO). The Lasso product is dual licensed by Entr'Ouvert under GPL or commercial licenses.

In 2005, Orange won a contract with the French Agency for the Development of Electronic Administration to develop parts of the service-public.fr portal, which allows users to interact online with the government for administrative procedures. Orange used the Lasso software in the solution, but did not pass on the rights to its modifications free of charge under GPL, or make the source code to its modifications available. Entr'Ouvert sued Orange in 2010, and the case wended its way through the courts, turning on, among other things, issues of proof of Entr'Ouvert 's copyright interest in the software, and whether the case properly sounded in breach of contract or copyright infringement...

The compensatory damages were based on both lost profits of the plaintiff and disgorgement of profits of Orange. Moral damages compensate the plaintiff for harm to reputation or other non-monetary injury.
Thanks to long-time Slashdot reader AmiMoJo for sharing the article.

America's Federal Aviation administration "will require a fix for a new 737 MAX design problem discovered by Boeing that, although it's a remote possibility, could theoretically disable the jet's engine anti-ice system," reports the Seattle Times: A different flaw in the MAX's engine anti-ice system design drew scrutiny in January and forced the company to drop a request for an exemption from key safety regulations. And now, it's not just the MAX with an engine anti-ice system problem. Airlines have reported a separate issue with a similar system on Boeing's 787 Dreamliner that has caused what the FAA calls "relatively minor" damage to the engine inlets on some two dozen of these widebody jets in service.

Though the FAA considers neither problem to be an immediate risk to flight safety, in February it issued separate notices of two proposed airworthiness directives to require the fix for the engine anti-ice system on the MAX and to lay out inspection and repair procedures for that system on the 787, pending a redesign that provides a permanent fix... When there is an immediate safety risk, the FAA issues a more urgent emergency directive that must be acted upon before further flight. Jets are grounded until it's dealt with. That's not the case with these two proposed airworthiness directives. Indicating that the risk is considered slight, both of the proposed directives will be open for public comments until April. Only after that will action be mandated...

On the MAX, the proposed FAA directive states that Boeing identified a potential single point of failure when it reviewed the internal design of the unit that provides a backup power supply to aircraft systems if the primary electrical system fails. Such a failure could potentially result in the loss of the anti-ice systems on both engines, with no indication or warning that would alert the pilots, the FAA directive states... In November 2022, Boeing sent a service bulletin alerting airlines and describing the required fix, which the FAA will now mandate...

Unlike this MAX issue, the fault discovered on the 787 Dreamliner has resulted in actual damage to engines on passenger aircraft. The FAA airworthiness directive on the 787 states that "damage was found during overhaul on multiple inlets around the Engine Anti-Ice duct within the inlet aft compartment." Rather than a production issue, it was a matter of the seals being insufficiently durable. Even when the plane was flying in dry air and the anti-ice system was not switched on, the seal degradation led to hot air leaking into the inlet compartment, "exposing inlet components to high temperatures," the FAA states. Boeing said this resulted in "thermal damage and discoloration to a limited area of the surrounding composite and metallic structure inside the inlet...." The FAA's proposed airworthiness directive warns that heat damage to the inlet structure could lead to "reduced structural strength and departure of the inlet from the airplane."

"Departure of the inlet" is a bland way of describing the front of the pod around the engine fan detaching, potentially striking the jet's wing, tail or fuselage. Such disintegration could result in "subsequent loss of continued safe flight and landing or injury to occupants," the airworthiness directive states...
"A separate question is how this flaw with the 787 anti-ice duct seals and the single point of failure in the backup power supply on the MAX slipped through the FAA's original certification of these aircraft."

Business Insider also reports that Boeing "is holding off on a planned expansion of production for its 737 Max planes after an Alaska Airlines flight lost a chunk of the plane while airborne in January."

Americans filing their taxes could face privacy threats, reports the Washington Post: "We just need your OK on a couple of things," TurboTax says as you prepare your tax return.

Alarm bells should be ringing in your head at the innocuous tone.

This is where America's most popular tax-prep website asks you to sign away the ironclad privacy protections of your tax return, including the details of your income, home mortgage and student loan payments. With your permission to blab your money secrets, the company earns extra income from showing you advertisements for the next three years for things like credit cards and mortgage offers targeted to your financial situation.

You have the legal right to say no when TurboTax asks for your permission to "share your data" or use your tax information to "improve your experience...."
The article complains that granting permission allows TurboTax to share details with "sibling" companies "such as your salary, the amount of your tax refund, whether you received a tax break for student loans and the day you printed your tax return..."

"You'll see that permission request once near the beginning of the tax prep process. If you skip it then, you'll see the same screen again near the end. You'll have to say yes or no..." This is part of the corporate arms race for your personal data. Everyone including the grocery store, your apps and the manufacturer of your car are gobbling information to profit from details of your life. With TurboTax, though, you have the power to refuse to participate...

TurboTax and the online tax prep service from H&R Block have been asking every year to blab your tax return. We've cautioned you about it for each of the past two tax filing seasons. (I focused only on TurboTax this year.)

"A ransomware gang once thought to have been crippled by law enforcement has snarled prescription processing for millions of Americans over the past week..." reports the Washington Post.

"The hackers stole data about patients, encrypted company files and demanded money to unlock them, prompting the company to shut down most of its network as it worked to recover." Insurance giant UnitedHealthcare Group said the hackers struck its Change Health business unit, which routes prescription claims from pharmacies to companies that determine whether patients are covered by insurance and what they should pay... Change Health and a rival, CoverMyMeds, are the two biggest players in the so-called switch business, charging pharmacies a small fee for funneling claims to insurers. "When one of them goes down, obviously it's a major problem," said Patrick Berryman, a senior vice president at the National Community Pharmacists Association...

UnitedHealth estimated that more than 90 percent of the nation's 70,000-plus pharmacies have had to alter how they process electronic claims as a result of the Change Health outage. But it said only a small number of patients have been unable to get their prescriptions at some price. At CVS, which operates one of the largest pharmacy networks in the nation, a spokesperson said there are "a small number of cases in which our pharmacies are not able to process insurance claims" as a result of the outage. It said workarounds were allowing it to fill prescriptions, however...

For pharmacies that were not able to quickly route claims to a different company, the Change Health outage left pharmacists to try to manually calculate a patient's co-pay or offer them the cash price. Compounding the impact, thousands of organizations cut off Change Health from their systems to ensure the hackers did not infect their networks as well... The attack on Change Health has left many pharmacies in a cash-flow bind, as they face bills from the companies that deliver the medication without knowing when they will be reimbursed by insurers. Some pharmacies are requiring customers to pay full price for their prescriptions when they cannot tell if they are covered by insurance. In some cases, that means people are paying more than $1,000 out of pocket, according to social media posts.

The situation has been "extremely disruptive," said Erin Fox, associate chief pharmacy officer at University of Utah Health. "At our system, our retail pharmacies were providing three-day gratis emergency supplies for patients who could not afford to pay the cash price," Fox said by email. "In some cases, like for inhalers, we had to send product out at risk, not knowing if we will ever get paid, but we need to take care of the patients." Axis Pharmacy Northwest near Seattle is "going out on a limb and dispensing product with absolutely no inkling if we'll get paid or not," said Richard Molitor, the pharmacist in charge. UPDATE: CNN reports Change Healthcare has now announced "plans for a temporary loan program to get money flowing to health care providers affected by the outage." It's a stop-gap measure meant to give some financial relief to health care providers, which analysts say are losing millions of dollars per day because of the outage. Some US officials and health care executives told CNN it may be weeks before Change Healthcare returns to normal operations.
"Once standard payment operations resume, the funds will simply need to be repaid," the company said in a statement. Change Healthcare has been under pressure from senior US officials to get their systems back online. Officials from the White House and multiple federal agencies, including the department of Health and Human Services, have been concerned by the broad financial and health impact of the hack and have been pressing for ways to get Change Healthcare back online, sources told CNN...

In a message on its website Friday afternoon, Change Healthcare also said that it was launching a new version of its online prescribing service following the cyberattack.
Thanks to Slashdot reader CaptainDork for sharing the news.

The Supreme Court of Canada ruled today that police must now have a warrant or court order to obtain a person or organization's IP address. CBC News reports: The top court was asked to consider whether an IP address alone, without any of the personal information attached to it, was protected by an expectation of privacy under the Charter. In a five-four split decision, the court said a reasonable expectation of privacy is attached to the numbers making up a person's IP address, and just getting those numbers alone constitutes a search. Writing for the majority, Justice Andromache Karakatsanis wrote that an IP address is "the crucial link between an internet user and their online activity." "Thus, the subject matter of this search was the information these IP addresses could reveal about specific internet users including, ultimately, their identity." Writing for the four dissenting judges, Justice Suzanne Cote disagreed with that central point, saying there should be no expectation of privacy around an IP address alone. [...]

In the Supreme Court majority decision, Karakatsanis said that only considering the information associated with an IP address to be protected by the Charter and not the IP address itself "reflects piecemeal reasoning" that ignores the broad purpose of the Charter. The ruling said the privacy interests cannot be limited to what the IP address can reveal on its own "without consideration of what it can reveal in combination with other available information, particularly from third-party websites." It went on to say that because an IP address unlocks a user's identity, it comes with a reasonable expectation of privacy and is therefore protected by the Charter. "If [the Charter] is to meaningfully protect the online privacy of Canadians in today's overwhelmingly digital world, it must protect their IP addresses," the ruling said.

Justice Cote, writing on behalf of justices Richard Wagner, Malcolm Rowe and Michelle O'Bonsawin, acknowledged that IP addresses "are not sought for their own sake" but are "sought for the information they reveal." "However, the evidentiary record in this case establishes that an IP address, on its own, reveals only limited information," she wrote. Cote said the biographical personal information the law was designed to protect are not revealed through having access to an IP address. Police must use that IP address to access personal information that is held by an ISP or a website that tracks customers' IP addresses to determine their habits. "On its own, an IP address does not even reveal browsing habits," Cote wrote. "What it reveals is a user's ISP -- hardly a more private piece of information than electricity usage or heat emissions." Cote said placing a reasonable expectation of privacy on an IP address alone upsets the careful balance the Supreme Court has struck between Canadians' privacy interests and the needs of law enforcement. "It would be inconsistent with a functional approach to defining the subject matter of the search to effectively hold that any step taken in an investigation engages a reasonable expectation of privacy," the dissenting opinion said.

An anonymous reader quotes a report from TechCrunch: A technology company that routes millions of SMS text messages across the world has secured an exposed database that was spilling one-time security codes that may have granted users' access to their Facebook, Google and TikTok accounts. The Asian technology and internet company YX International manufactures cellular networking equipment and provides SMS text message routing services. SMS routing helps to get time-critical text messages to their proper destination across various regional cell networks and providers, such as a user receiving an SMS security code or link for logging in to online services. YX International claims to send 5 million SMS text messages daily. But the technology company left one of its internal databases exposed to the internet without a password, allowing anyone to access the sensitive data inside using only a web browser, just with knowledge of the database's public IP address.

Anurag Sen, a good-faith security researcher and expert in discovering sensitive but inadvertently exposed datasets leaking to the internet, found the database. Sen said it was not apparent who the database belonged to, nor who to report the leak to, so Sen shared details of the exposed database with TechCrunch to help identify its owner and report the security lapse. Sen told TechCrunch that the exposed database included the contents of text messages sent to users, including one-time passcodes and password reset links for some of the world's largest tech and online companies, including Facebook and WhatsApp, Google, TikTok, and others. The database had monthly logs dating back to July 2023 and was growing in size by the minute. In the exposed database, TechCrunch found sets of internal email addresses and corresponding passwords associated with YX International, and alerted the company to the spilling database. The database went offline a short time later.

An anonymous reader quotes an excerpt from a Wired article: In 2019, a government contractor and technologist named Mike Yeagley began making the rounds in Washington, DC. He had a blunt warning for anyone in the country's national security establishment who would listen: The US government had a Grindr problem. A popular dating and hookup app, Grindr relied on the GPS capabilities of modern smartphones to connect potential partners in the same city, neighborhood, or even building. The app can show how far away a potential partner is in real time, down to the foot. But to Yeagley, Grindr was something else: one of the tens of thousands of carelessly designed mobile phone apps that leaked massive amounts of data into the opaque world of online advertisers. That data, Yeagley knew, was easily accessible by anyone with a little technical know-how. So Yeagley -- a technology consultant then in his late forties who had worked in and around government projects nearly his entire career -- made a PowerPoint presentation and went out to demonstrate precisely how that data was a serious national security risk.

As he would explain in a succession of bland government conference rooms, Yeagley was able to access the geolocation data on Grindr users through a hidden but ubiquitous entry point: the digital advertising exchanges that serve up the little digital banner ads along the top of Grindr and nearly every other ad-supported mobile app and website. This was possible because of the way online ad space is sold, through near-instantaneous auctions in a process called real-time bidding. Those auctions were rife with surveillance potential. You know that ad that seems to follow you around the internet? It's tracking you in more ways than one. In some cases, it's making your precise location available in near-real time to both advertisers and people like Mike Yeagley, who specialized in obtaining unique data sets for government agencies.

Working with Grindr data, Yeagley began drawing geofences -- creating virtual boundaries in geographical data sets -- around buildings belonging to government agencies that do national security work. That allowed Yeagley to see what phones were in certain buildings at certain times, and where they went afterwards. He was looking for phones belonging to Grindr users who spent their daytime hours at government office buildings. If the device spent most workdays at the Pentagon, the FBI headquarters, or the National Geospatial-Intelligence Agency building at Fort Belvoir, for example, there was a good chance its owner worked for one of those agencies. Then he started looking at the movement of those phones through the Grindr data. When they weren't at their offices, where did they go? A small number of them had lingered at highway rest stops in the DC area at the same time and in proximity to other Grindr users -- sometimes during the workday and sometimes while in transit between government facilities. For other Grindr users, he could infer where they lived, see where they traveled, even guess at whom they were dating.

Intelligence agencies have a long and unfortunate history of trying to root out LGBTQ Americans from their workforce, but this wasn't Yeagley's intent. He didn't want anyone to get in trouble. No disciplinary actions were taken against any employee of the federal government based on Yeagley's presentation. His aim was to show that buried in the seemingly innocuous technical data that comes off every cell phone in the world is a rich story -- one that people might prefer to keep quiet. Or at the very least, not broadcast to the whole world. And that each of these intelligence and national security agencies had employees who were recklessly, if obliviously, broadcasting intimate details of their lives to anyone who knew where to look. As Yeagley showed, all that information was available for sale, for cheap. And it wasn't just Grindr, but rather any app that had access to a user's precise location -- other dating apps, weather apps, games. Yeagley chose Grindr because it happened to generate a particularly rich set of data and its user base might be uniquely vulnerable. The report goes into great detail about how intelligence and data analysis techniques, notably through a program called Locomotive developed by PlanetRisk, enabled the tracking of mobile devices associated with Russian President Vladimir Putin's entourage. By analyzing commercial adtech data, including precise geolocation information collected from mobile advertising bid requests, analysts were able to monitor the movements of phones that frequently accompanied Putin, indicating the locations and movements of his security personnel, aides, and support staff.

This capability underscored the surveillance potential of commercially available data, providing insights into the activities and security arrangements of high-profile individuals without directly compromising their personal devices.

In a series of tests using fake data, a U.S. government watchdog was able to steal more than 1GB of seemingly sensitive personal data from the cloud systems of the U.S. Department of the Interior. The experiment is detailed in a new report by the Department of the Interior's Office of the Inspector General (OIG), published last week. TechCrunch reports: The goal of the report was to test the security of the Department of the Interior's cloud infrastructure, as well as its "data loss prevention solution," software that is supposed to protect the department's most sensitive data from malicious hackers. The tests were conducted between March 2022 and June 2023, the OIG wrote in the report. The Department of the Interior manages the country's federal land, national parks and a budget of billions of dollars, and hosts a significant amount of data in the cloud. According to the report, in order to test whether the Department of the Interior's cloud infrastructure was secure, the OIG used an online tool called Mockaroo to create fake personal data that "would appear valid to the Department's security tools."

The OIG team then used a virtual machine inside the Department's cloud environment to imitate "a sophisticated threat actor" inside of its network, and subsequently used "well-known and widely documented techniques to exfiltrate data." "We used the virtual machine as-is and did not install any tools, software, or malware that would make it easier to exfiltrate data from the subject system," the report read. The OIG said it conducted more than 100 tests in a week, monitoring the government department's "computer logs and incident tracking systems in real time," and none of its tests were detected nor prevented by the department's cybersecurity defenses.

"Our tests succeeded because the Department failed to implement security measures capable of either preventing or detecting well-known and widely used techniques employed by malicious actors to steal sensitive data," said the OIG's report. "In the years that the system has been hosted in a cloud, the Department has never conducted regular required tests of the system's controls for protecting sensitive data from unauthorized access." That's the bad news: The weaknesses in the Department's systems and practices "put sensitive [personal information] for tens of thousands of Federal employees at risk of unauthorized access," read the report. The OIG also admitted that it may be impossible to stop "a well-resourced adversary" from breaking in, but with some improvements, it may be possible to stop that adversary from exfiltrating the sensitive data.

An anonymous reader quotes a report from NPR: ExxonMobil faces dozens of lawsuits from states and localities alleging the company lied for decades about its role in climate change and the dangers of burning fossil fuels. But now, ExxonMobil is going on the offensive with a lawsuit targeting investors who want the company to slash pollution that's raising global temperatures. Investors in publicly-traded companies like ExxonMobil try to shape corporate policies by filing shareholder proposals that are voted on at annual meetings. ExxonMobil says it's fed up with a pair of investor groups that it claims are abusing the system by filing similar proposals year after year in an effort to micromanage its business.

ExxonMobil's lawsuit points to growing tensions between companies and activist investors calling for corporations to do more to shrink their climate impact and prepare for a hotter world. Interest groups on both sides of the case say it could unleash a wave of corporate litigation against climate activists. It is happening at a time when global temperatures continue to rise, and corporate analysts say most companies aren't on track to meet targets they set to reduce their heat-trapping emissions. "Exxon is really upping the ante here in a big way by bringing this case," says Josh Zinner, chief executive of an investor coalition called the Interfaith Center on Corporate Accountability, whose members include a defendant in the ExxonMobil case. "Other companies could use this tactic not just to block resolutions," Zinner says, "but to intimidate their shareholders from even bringing these [climate] issues to the table."

ExxonMobil said in an email that it is suing the investor groups Arjuna Capital and Follow This because the U.S. Securities and Exchange Commission (SEC) isn't enforcing rules governing when investors can resubmit shareholder proposals. A court is the "the right place to get clarity on SEC rules," ExxonMobil said, adding that the case "is not about climate change." Other corporations are watching ExxonMobil's case, says Charles Crain, a vice president at the National Association of Manufacturers, which represents ExxonMobil and other industrial companies. "If companies are decreasingly able to get the SEC to allow them to exclude proposals that are obviously politically motivated, then the next question is, well, can the courts succeed where the SEC has failed -- or, more accurately, not even tried?," Crain says. "The shareholder proposal from Arjuna and Follow This called for ExxonMobil to cut emissions faster from its own operations and from its supply chain, including the pollution that's created when customers burn its oil and natural gas," notes NPR. "That indirect pollution, known as Scope 3 emissions, accounts for 90% of ExxonMobil's carbon footprint."

"ExxonMobil says it is committed to cutting emissions from its operations. But the idea that activist investors like Arjuna and Follow This can quickly push the company out of the oil and gas business with new climate policies is 'simplistic and against the interests of the vast majority of ExxonMobil shareholders,' the company said in a court filing in Texas." The company added that while shareholders are entitled to submit proposals, they don't have "an unlimited right to put forth any proposal to do anything."

"Their intent is to advance their agenda rather than creating long-term value for shareholders," ExxonMobil said of Arjuna and Follow This.

Stephanie Kirchgaessner reports via The Guardian: NSO Group, the maker of one the world's most sophisticated cyber weapons, has been ordered by a US court to hand its code for Pegasus and other spyware products to WhatsApp as part of the company's ongoing litigation. The decision by Judge Phyllis Hamilton is a major legal victory for WhatsApp, the Meta-owned communication app which has been embroiled in a lawsuit against NSO since 2019, when it alleged that the Israeli company's spyware had been used against 1,400 WhatsApp users over a two-week period.

NSO's Pegasus code, and code for other surveillance products it sells, is seen as a closely and highly sought state secret. NSO is closely regulated by the Israeli ministry of defense, which must review and approve the sale of all licences to foreign governments. In reaching her decision, Hamilton considered a plea by NSO to excuse it of all its discovery obligations in the case due to "various US and Israeli restrictions."

Ultimately, however, she sided with WhatsApp in ordering the company to produce"all relevant spyware" for a period of one year before and after the two weeks in which WhatsApp users were allegedly attacked: from 29 April 2018 to 10 May 2020. NSO must also give WhatsApp information "concerning the full functionality of the relevant spyware." Hamilton did, however, decide in NSO's favor on a different matter: the company will not be forced at this time to divulge the names of its clients or information regarding its server architecture.