A U.S. government auction site was breached by an Oklahoma man, reports NBC News. So when it came time to pay up on his winning bids, he "falsified the true auction price to $1," according to the U.S. attorney's office.

He defrauded the government out of more than $150,000 between Jan. 31 and March 21, 2019, the indictment alleges. Included in the $1-buys were a 2010 Ford Escape Hybrid, for which Coker submitted a bid of $8,327; a Ford F550 pickup, with a bid of $9,000; and a Chevrolet C4500 box truck, bid $22,700; the U.S. attorney's office said...

Nineteen items in all were bought through the auctions, according to prosecutors. Coker used eight accounts and pre-paid debit cards with very little balances to make the purchases, the indictment says.
"Coker was indicted on three counts of wire fraud in March 2023 and pleaded guilty to one count Wednesday, according to court records."

Thanks to Slashdot reader Thelasko for sharing the news.

"If you drive a car in California, you may be in for a payday thanks to a lawsuit alleging privacy violations by a Texas company," report SFGate: The 2021 lawsuit, given class-action status in September, alleges that Digital Recognition Network is breaking a California law meant to regulate the use of automatic license plate readers. DRN, a Fort Worth-based company, uses plate-scanning cameras to create location data for people's vehicles, then sells that data to marketers, car repossessors and insurers.

What's particularly notable about the case is the size of the class. The court has established that if you're a California resident whose license plate data was collected by DRN at least 15 times since June 2017, you're a class member. The plaintiff's legal team estimates that the tally includes about 23 million people, alleging that DRN cameras were mounted to cars on public roads. The case website lets Californians check whether their plates were scanned.

Barring a settlement or delay, the trial to decide whether DRN must pay a penalty to those class members will begin on May 17 in San Diego County Superior Court... The company's cameras scan 220 million plates a month, its website says, and customers can use plate data to "create comprehensive vehicle stories."
A lawyer for the firm representing class members told SFGATE Friday that his team will try to show DRN's business is a "mass surveillance program."

"Crypto mines will have to start reporting their energy use in the U.S.," wrote the Verge in January, saying America's Energy department would "begin collecting data on crypto mines' electricity use, following criticism from environmental advocates over how energy-hungry those operations are."

But then "constitutional freedoms" group New Civil Liberties Alliance (founded with seed money from the Charles Koch Foundation) objected. And "on behalf of its clients" — the Texas Blockchain Council and Colorado bitcoin mining company Riot Platforms — the group said it "looks forward to derailing the Department of Energy's unlawful data collection effort once and for all."

While America's Energy department said the survey would take 30 minutes to complete, the complaint argued it would take 40 hours. According to the judge, the complaint "alleged three main sources of irreparable injury..."

- Nonrecoverable costs of compliance with the Survey
- A credible threat of prosecution if they do not comply with the Survey
- The disclosure of proprietary information requested by the Survey, thus risking disclosure of sensitive business strategy

But more importantly, the survey was implemented under "emergency" provisions, which the judge said is only appropriate when "public harm is reasonably likely to result if normal clearance procedures are followed."

Or, as Semafor.com puts it, the complaint was "seeking to push off the reporting deadline, on the grounds that the survey was rushed through...without a public comment period." The judge, Alan Albright, granted the request late Friday night, blocking the [Department of Energy's Information Administration] from collecting survey data or requiring bitcoin companies to respond to it, at least until a more comprehensive injunction hearing scheduled for Feb. 28. The ruling also concludes that the plaintiffs are "likely to succeed in showing that the facts alleged by the U.S. Energy Information Administration to support an emergency request fall far short of justifying such an action."
The U.S. Department of Energy is now...

• Restrained from requiring Plaintiffs or their members to respond to the Survey
• Restrained from collecting data required by the Survey
• "...and shall sequester and not share any such data that Defendants have already received from Survey respondents."

Thanks to long-time Slashdot reader schwit1 for sharing the news.

Ashley Belanger reports via Ars Technica: Canada-based University of Waterloo is racing to remove M&M-branded smart vending machines from campus after outraged students discovered the machines were covertly collecting facial-recognition data without their consent. The scandal started when a student using the alias SquidKid47 posted an image on Reddit showing a campus vending machine error message, "Invenda.Vending.FacialRecognitionApp.exe," displayed after the machine failed to launch a facial recognition application that nobody expected to be part of the process of using a vending machine. "Hey, so why do the stupid M&M machines have facial recognition?" SquidKid47 pondered. The Reddit post sparked an investigation from a fourth-year student named River Stanley, who was writing for a university publication called MathNEWS. [...]

MathNEWS' investigation tracked down responses from companies responsible for smart vending machines on the University of Waterloo's campus. Adaria Vending Services told MathNEWS that "what's most important to understand is that the machines do not take or store any photos or images, and an individual person cannot be identified using the technology in the machines. The technology acts as a motion sensor that detects faces, so the machine knows when to activate the purchasing interface -- never taking or storing images of customers." According to Adaria and Invenda, students shouldn't worry about data privacy because the vending machines are "fully compliant" with the world's toughest data privacy law, the European Union's General Data Protection Regulation (GDPR). "These machines are fully GDPR compliant and are in use in many facilities across North America," Adaria's statement said. "At the University of Waterloo, Adaria manages last mile fulfillment services -- we handle restocking and logistics for the snack vending machines. Adaria does not collect any data about its users and does not have any access to identify users of these M&M vending machines." [...]

But University of Waterloo students like Stanley now question Invenda's "commitment to transparency" in North American markets, especially since the company is seemingly openly violating Canadian privacy law, Stanley told CTV News. On Reddit, while some students joked that SquidKid47's face "crashed" the machine, others asked if "any pre-law students wanna start up a class-action lawsuit?" One commenter summed up students' frustration by typing in all caps, "I HATE THESE MACHINES! I HATE THESE MACHINES! I HATE THESE MACHINES!"

Florida lawmakers passed a bill on Thursday that forces social media companies to keep most minors off their platforms. The Hill reports: The legislation, which passed the state House Thursday after earlier being approved by the Senate, now heads to Gov. Ron DeSantis's (R) desk, though he says he's not quite ready to sign on. DeSantis told reporters Friday that he thinks there needs to be a "proper balance" between government regulations and parental input on the social media issue. "We'll be wrestling with that," he said. The governor said he'll be assessing the final version of the legislation likely through the weekend. "Federal law says 13 and under can't have social media accounts. That's not really enforced," he said.

The lawmakers who championed the proposed social media ban, which would require platforms check the ages of users through a third-party source, argue it will make the online landscape safer for youths. The legislation passed 108-7 in the state House and 23-14 in the Florida Senate within a matter of hours Thursday.

Kalyeena Makortoff reports via The Guardian: US regulators have accused a man of making $1.8 million by trading on confidential information he overheard while his wife was on a remote call, in a case that could fuel arguments against working from home. The Securities and Exchange Commission (SEC) said it charged Tyler Loudon with insider trading after he "took advantage of his remote working conditions" and profited from private information related to the oil firm BP's plans to buy an Ohio-based travel centre and truck-stop business last year.

The SEC claims that Loudon, who is based in Houston, Texas, listened in on several remote calls held by his wife, a BP merger and acquisitions manager who had been working on the planned deal in a home office 20ft (6 meters) away. The regulator said Loudon went on a buying spree, purchasing more than 46,000 shares in the takeover target, TravelCenters of America, without his wife's knowledge, weeks before the deal was announced on 16 February 2023. TravelCenters's stock soared by nearly 71% after the deal was announced. Loudon then sold off all of his shares, making a $1.8m profit.

Loudon eventually confessed to his wife, and claimed that he had bought the shares because he wanted to make enough money so that she did not have to work long hours anymore. She reported his dealings to her bosses at BP, which later fired her despite having no evidence that she knowingly leaked information to her husband. She eventually moved out of the couple's home and filed for divorce.

Bruce66423 writes: The data watchdog has ordered a leisure centre group to stop using facial recognition tech to monitor its staff. The Information Commissioner's Office (ICO) says Serco Leisure has been unlawfully processing the biometric data of more than 2,000 employees at 38 UK leisure facilities. It did so to check staff attendance - a practice the ICO said was "neither fair nor proportionate."

Serco Leisure says it will comply with the enforcement notice. But it added it had taken legal advice prior to installing the cameras, and said staff had not complained about them during the five years they had been in place. The firm said it was to "make clocking-in and out easier and simpler" for workers. "We engaged with our team members in advance of its roll-out and its introduction was well-received by colleagues," the company said in a statement.

An anonymous reader quotes a report from Ars Technica: A judge has dismissed (PDF) a complaint from a parent and guardian of a girl, now 15, who was sexually assaulted when she was 12 years old after Snapchat recommended that she connect with convicted sex offenders. According to the court filing, the abuse that the girl, C.O., experienced on Snapchat happened soon after she signed up for the app in 2019. Through its "Quick Add" feature, Snapchat "directed her" to connect with "a registered sex offender using the profile name JASONMORGAN5660." After a little more than a week on the app, C.O. was bombarded with inappropriate images and subjected to sextortion and threats before the adult user pressured her to meet up, then raped her. Cops arrested the adult user the next day, resulting in his incarceration, but his Snapchat account remained active for three years despite reports of harassment, the complaint alleged.

Two years later, at 14, C.O. connected with another convicted sex offender on Snapchat, a former police officer who offered to give C.O. a ride to school and then sexually assaulted her. The second offender is also currently incarcerated, the judge's opinion noted. The lawsuit painted a picture of Snapchat's ongoing neglect of minors it knows are being targeted by sexual predators. Prior to C.O.'s attacks, both adult users sent and requested sexually explicit photos, seemingly without the app detecting any child sexual abuse materials exchanged on the platform. C.O. had previously reported other adult accounts sending her photos of male genitals, but Snapchat allegedly "did nothing to block these individuals from sending her inappropriate photographs."

Among other complaints, C.O.'s lawsuit alleged that Snapchat's algorithm for its "Quick Add" feature was the problem. It allegedly recklessly works to detect when adult accounts are seeking to connect with young girls and, by design, sends more young girls their way -- continually directing sexual predators toward vulnerable targets. Snapchat is allegedly aware of these abuses and, therefore, should be held liable for harm caused to C.O., the lawsuit argued. Although C.O.'s case raised difficult questions, Judge Barbara Bellis ultimately agreed with Snapchat that Section 230 of the Communications Decency Act barred all claims and shielded Snap because "the allegations of this case fall squarely within the ambit of the immunity afforded to" platforms publishing third-party content. According to Bellis, C.O.'s family had "clearly alleged" that Snap had failed to design its recommendations systems to block young girls from receiving messages from sexual predators. Specifically, Section 230 immunity shields Snap from liability in this case because Bellis considered the messages exchanged to be third-party content. Snapchat designing its recommendation systems to deliver content is a protected activity, Bellis ruled. Despite a seemingly conflicting ruling in Los Angeles that found that "Section 230 didn't protect Snapchat from liability for allegedly connecting teens with drug dealers," Bellis didn't appear to consider it persuasive. She did, however, critique Section 230's broad application, suggesting courts are limited without legislative changes, despite the morally challenging nature of some cases.

jbmartin6 shares a report from Phys.Org: Threatening messages aimed to prevent digital piracy have the opposite effect if you're a man, a new study from the University of Portsmouth has found. According to the research, women tend to respond positively to this kind of messaging, but men typically increase their piracy behaviors by 18%. [...] This paper studies how effective anti-piracy messages are as a deterrent, examining the change in TV and film piracy intentions among 962 adults compared with their past behavior. The three messages examined in the study were verbatim copies of three real-world anti-piracy campaigns. Two of the campaigns used threatening messages to try to combat piracy and the third was educational in tone.

One of the threatening messages was from crime reduction charity, Crimestoppers, which focused on the individual's risk of computer viruses, identity fraud, money and data theft and hacking. The other message was based on a campaign by the French government, which used a "three strike" process, whereby infringers were given two written warnings before their internet access was terminated. The educational message was taken from the campaign "Get It Right from a Genuine Site," which focuses on the cost to the economy and to the individual creative people, and signposts consumers away from piracy sites and towards legal platforms such as Spotify or Netflix.

The study found that one threatening message influences women to reduce their piracy intentions by over 50%, but men increase their piracy behaviors. The educational messages had no effect on either men or women. "The research shows that anti-piracy messages can inadvertently increase piracy, which is a phenomenon known as psychological reactance," explained [lead author, Kate Whitman, from the University of Portsmouth's Centre for Cybercrime and Economic Crime]. "From an evolutionary psychology point of view, men have a stronger reaction to their freedom being threatened and therefore they do the opposite." Moreover, the study found that participants with the most favorable attitudes towards piracy demonstrated the most polarized changes in piracy intentions -- the threatening messages increased their piracy even more. The study has been published in the Journal of Business Ethics.

"I'm not so sure about the author's attribution of this difference to evolutionary psychology, so looking forward to some educational comments on that," adds Slashdot reader jbmartin6.

An anonymous reader quotes a report from PBS: Chinese police are investigating an unauthorized and highly unusual online dump of documents from a private security contractor linked to the nation's top policing agency and other parts of its government -- a trove that catalogs apparent hacking activity and tools to spy on both Chinese and foreigners. Among the apparent targets of tools provided by the impacted company, I-Soon: ethnicities and dissidents in parts of China that have seen significant anti-government protests, such as Hong Kong or the heavily Muslim region of Xinjiang in China's far west. The dump of scores of documents late last week and subsequent investigation were confirmed by two employees of I-Soon, known as Anxun in Mandarin, which has ties to the powerful Ministry of Public Security. The dump, which analysts consider highly significant even if it does not reveal any especially novel or potent tools, includes hundreds of pages of contracts, marketing presentations, product manuals, and client and employee lists. They reveal, in detail, methods used by Chinese authorities used to surveil dissidents overseas, hack other nations and promote pro-Beijing narratives on social media.

The documents show apparent I-Soon hacking of networks across Central and Southeast Asia, as well as Hong Kong and the self-ruled island of Taiwan, which Beijing claims as its territory. The hacking tools are used by Chinese state agents to unmask users of social media platforms outside China such as X, formerly known as Twitter, break into email and hide the online activity of overseas agents. Also described are devices disguised as power strips and batteries that can be used to compromise Wi-Fi networks. I-Soon and Chinese police are investigating how the files were leaked, the two I-Soon employees told the AP. One of the employees said I-Soon held a meeting Wednesday about the leak and were told it wouldn't affect business too much and to "continue working as normal." The AP is not naming the employees -- who did provide their surnames, per common Chinese practice -- out of concern about possible retribution. The source of the leak is not known. Jon Condra, an analyst with Recorded Future, a cybersecurity company, called it the most significant leak ever linked to a company "suspected of providing cyber espionage and targeted intrusion services for the Chinese security services." According to Condra, citing the leaked material, I-Soon's targets include governments, telecommunications firms abroad and online gambling companies within China.

An anonymous reader quotes a report from Ars Technica: The Alabama Supreme Court on Friday ruled that frozen embryos are "children," entitled to full personhood rights, and anyone who destroys them could be liable in a wrongful death case. The first-of-its-kind ruling throws into question the future use of assisted reproductive technology (ART) involving in vitro fertilization for patients in Alabama -- and beyond. For this technology, people who want children but face challenges to conceiving can create embryos in clinical settings, which may or may not go on to be implanted in a uterus.

In the Alabama case, a hospital patient wandered through an unlocked door, removed frozen, preserved embryos from subzero storage and, suffering an ice burn, dropped the embryos, killing them. Affected IVF patients filed wrongful-death lawsuits against the IVF clinic under the state's Wrongful Death of a Minor Act. The case was initially dismissed in a lower court, which ruled the embryos did not meet the definition of a child. But the Alabama Supreme Court ruled that "it applies to all children, born and unborn, without limitation." In a concurring opinion, Chief Justice Tom Parker cited his religious beliefs and quoted the Bible to support the stance.

"Human life cannot be wrongfully destroyed without incurring the wrath of a holy God, who views the destruction of His image as an affront to Himself," Parker wrote. "Even before birth, all human beings bear the image of God, and their lives cannot be destroyed without effacing his glory." In 2020, the US Department of Health and Human Services estimated that there were over 600,000 embryos frozen in storage around the country, a significant percentage of which will likely never result in a live birth. The result of this ruling "could mean that any embryos that are destroyed or discarded in the process of IVF or afterward could be the subject of wrongful death lawsuits," notes Ars. [According to national ART data collected by the Centers for Disease Control and Prevention, the percentage of egg retrievals that fail to result in a live birth ranges from 46 percent to 91 percent, depending on the patient's age. Meanwhile, the percentage of fertilized egg or embryo transfers that fail to result in a live birth range from 51 percent to 76 percent, depending on age.]

"The ruling creates potentially paralyzing liability for ART clinics and patients who use them. Doctors may choose to only attempt creating embryos one at a time to avoid liability attached to creating extras, or they may decline to provide IVF altogether to avoid liability when embryos do not survive the process. This could exacerbate the already financially draining and emotionally exhausting process of IVF, potentially putting it entirely out of reach for those who want to use the technology and putting clinics out of business."

Internet service provider Cox Communications has been cleared of a $1 billion jury verdict in favor of several major record labels that had accused it of failing to curb user piracy. "The 4th U.S. Circuit Court of Appeals in Richmond, Virginia, ruled on Tuesday that the amount of damages was not justified and that a federal district court should hold a new trial to determine the appropriate amount," reports Reuters. From the report: A Virginia jury in 2019 found Cox, the largest unit of privately-owned Cox Enterprises, liable for its customers' violations of over 10,000 copyrights belonging to labels including Sony Music Entertainment, Warner Music Group, and Universal Music Group. The labels' attorney Matt Oppenheim said that the appeals court "affirmed the jury's verdict that Cox is a willful infringer," and that "the evidence of Cox's complete disregard for copyright law and copyright owners has not changed." "A second jury will get to hear that same compelling evidence, and we fully expect it will render a significant verdict," Oppenheim said.

More than 50 labels teamed up to sue Cox in 2018, in what was seen as a test of the obligations of internet service providers (ISPs) to thwart piracy. The labels accused Cox of failing to address thousands of infringement notices, cut off access for repeat infringers, or take reasonable measures to deter pirates. Atlanta-based Cox had told the 4th Circuit that upholding the verdict would force ISPs to boot households or businesses based on "isolated and potentially inaccurate allegations," or require intrusive oversight of customers' internet usage. Other ISPs, including Charter Communications, Frontier Communications and Astound Broadband, formerly RCN, have also been sued by the record labels.

Starting in July, the Vietnamese government will begin collecting biometric information from its citizens when issuing new identification cards. The Register reports: Prime minister Pham Minh Chinh instructed the nation's Ministry of Public Security to collect the data in the form of iris scans, voice samples and actual DNA, in accordance with amendments to Vietnam's Law on Citizen Identification. The ID cards are issued to anyone over the age of 14 in Vietnam, and are optional for citizens between the ages of 6 and 14, according to a government news report. Amendments to the Law on Citizen Identification that allow collection of biometrics passed on November 27 of last year.

The law allows recording of blood type among the DNA-related information that will be contained in a national database to be shared across agencies "to perform their functions and tasks." The ministry will work with other parts of the government to integrate the identification system into the national database. [...] Vietnam's future identity cards will incorporate the functions of health insurance cards, social insurance books, driver's licenses, birth certificates, and marriage certificates, as defined by the amendment.

As for how the information will be collected, the amendments state: "Biometric information on DNA and voice is collected when voluntarily provided by the people or the agency conducting criminal proceedings or the agency managing the person to whom administrative measures are applied in the process of settling the case according to their functions and duties whether to solicit assessment or collect biometric information on DNA, people's voices are shared with identity management agencies for updating and adjusting to the identity database."

An anonymous reader shares a report: Wyze's problems with letting its security camera customers briefly see into other customer homes is a lot worse than we thought. Last week, co-founder David Crosby said that "so far" the company had identified 14 people who were able to briefly see into a stranger's property because they were shown an image from someone else's Wyze camera. Now we're being told that number of affected customers has ballooned to 13,000.

The revelation came from an email sent to customers entitled "An Important Security Message from Wyze," in which the company copped to the breach and apologized, while also attempting to lay some of the blame on its web hosting provider AWS. [...] The breach, however, occurred as Wyze was attempting to bring its cameras back online. Customers were reporting seeing mysterious images and video footage in their own Events tab. Wyze disabled access to the tab and launched its own investigation.

Tech workers are accused of driving up rents in America's major cities — but in fact, the problem may be everywhere. Half of America's renters "are paying more than a third of their salary in housing costs," reports NPR's Weekend Edition, "and for those looking to buy, scant few homes on the market are affordable for a typical household.

"To ramp up supply, cities are taking a fresh look at their zoning rules and the regulations that spell out what can be built where and what can't." And many are finding that their old rules are too rigid, making it too hard and too expensive to build many new homes. So these cities, as well as some states, are undertaking a process called zoning reform. They're crafting new rules that do things like allow multifamily homes in more neighborhoods, encourage more density near transit and streamline permitting processes for those trying to build... Minneapolis was ahead of the pack as it made a series of changes to its zoning rules in recent years: allowing more density downtown and along transit corridors, getting rid of parking requirements, permitting construction of accessory dwelling units, which are secondary dwellings on the same lot. And one change in particular made national news: The city ended single-family zoning, allowing two- and three-unit homes to be built in every neighborhood.

Researchers at The Pew Charitable Trusts examined the effects of the changes between 2017 and 2022, as many of the city's most significant zoning reforms came into effect. They found what they call a "blueprint for housing affordability." "We saw Minneapolis add 12% to its housing stock in just that five-year period, far more than other cities," Alex Horowitz, director of housing policy initiatives at Pew, told NPR... "The zoning reforms made apartments feasible. They made them less expensive to build. And they were saying yes when builders submitted applications to build apartment buildings. So they got a lot of new housing in a short period of time," says Horowitz. That supply increase appears to have helped keep rents down too. Rents in Minneapolis rose just 1% during this time, while they increased 14% in the rest of Minnesota.

Horowitz says cities such as Minneapolis, Houston and Tysons, Va., have built a lot of housing in the last few years and, accordingly, have seen rents stabilize while wages continue to rise, in contrast with much of the country... Now, these sorts of changes are happening in cities and towns around the country. Researchers at the University of California, Berkeley built a zoning reform tracker and identified zoning reform efforts in more than 100 municipal jurisdictions in the U.S. in recent years.
Other cities reforming their codes include Milwaukee, Columbus, New York City, Walla Walla, and South Bend, Indiana, according to the article — which also includes this quote from Nolan Gray, the urban planner who wrote the book Arbitrary Lines: How Zoning Broke the American City and How to Fix It.

"Most American cities and most American states have rules on the books that make it really, really hard to build more infill housing. So if you want a California-style housing crisis, don't do anything. But if you want to avoid the fate of states like California, learn some of the lessons of what we've been doing over the last few years and allow for more of that infill, mixed-income housing."

Although interestingly, the article points out that California in recent years has been pushing zoning reform at the state level, "passing lots of legislation to address the state's housing crisis, including a law that requires cities and counties to permit accessory dwelling units. Now, construction of ADUs is booming, with more than 28,000 of the units permitted in California in 2022."

Connor Jones reports via The Register: A Ukrainian cybercrime kingpin who ran some of the most pervasive malware operations faces 40 years in prison after spending nearly a decade on the FBI's Cyber Most Wanted List. Vyacheslav Igorevich Penchukov, 37, pleaded guilty this week in the US to two charges related to his leadership role in both the Zeus and IcedID malware operations that netted millions of dollars in the process. Penchukov's plea will be seen as the latest big win for US law enforcement in its continued fight against cybercrime and those that enable it. However, authorities took their time getting him in 'cuffs. [...]

"Malware like IcedID bleeds billions from the American economy and puts our critical infrastructure and national security at risk," said US attorney Michael Easley for the eastern district of North Carolina. "The Justice Department and FBI Cyber Squad won't stand by and watch it happen, and won't quit coming for the world's most wanted cybercriminals, no matter where they are in the world. This operation removed a key player from one of the world's most notorious cybercriminal rings. Extradition is real. Anyone who infects American computers had better be prepared to answer to an American judge."

This week, he admitted one count of conspiracy to commit a racketeer influenced and corrupt organizations (RICO) act offense relating to Zeus, and one count of conspiracy to commit wire fraud in relation to IcedID. Each count carries a maximum sentence of 20 years. His sentencing date is set for May 9, 2024. Zeus malware, a banking trojan that formed a botnet for financial theft, caused over $100 million in losses before its 2014 dismantlement. Its successor, SpyEye, incorporated enhanced features for financial fraud. Despite the 2014 takedown of Zeus, Penchukov moved on to lead IcedID, a similar malware first found in 2017. IcedID evolved from banking fraud to ransomware, severely affecting the University of Vermont Medical Center in 2020 with over $30 million in damages.

An anonymous reader quotes a report from the San Francisco Chronicle: San Francisco's leaders have spent the past few years desperately trying to figure out how to deal with a glut of empty offices, shuttered retail and public safety concerns plaguing the city's once vibrant downtown. Now, a California lawmaker wants to try a sweeping plan to revive the city's core by exempting most new real estate projects from environmental review, potentially quickening development by months or even years. State Sen. Scott Wiener, D-San Francisco, introduced SB1227 on Friday as a proposal to exempt downtown projects from the California Environmental Quality Act, or CEQA, for a decade. The 1970 landmark law requires studies of a project's expected impact on air, water, noise and other areas, but Wiener said it has been abused to slow down or kill infill development near public transit.

"Downtown San Francisco matters to our city's future, and it's struggling -- to bring people back, we need to make big changes and have open minds," Wiener said in a statement. "That starts with remodeling, converting, or even replacing buildings that may have become outdated and that simply aren't going to succeed going forward." Eligible projects would include academic institutions, sports facilities, mixed-use projects including housing, biotech labs, offices, public works and even smaller changes such as modifying an existing building's exterior. The city's existing zoning and permit requirements would remain intact. "We're not taking away any local control," Wiener said in an interview with the Chronicle on Friday.

California Sen. Scott Wiener is proposing a bill that, he said, would make it easier for San Francisco's downtown area to recover from the pandemic. However, it's not clear how much of an impact the bill would have if it's eventually passed since other factors are at play. New construction has been nearly frozen in San Francisco since the pandemic, amid consistently high labor costs, elevated interest rates and weakening demand for both apartments and commercial space.Major developers have reiterated that they have no plans to start work on significant new projects any time soon. Last week, Kilroy Realty, which has approval for a massive 2.3 million-square-foot redevelopment ofSouth of Market's Flower Mart, said no groundbreakings are planned this year -- anywhere.

A paper (PDF) from researchers at the University of Cambridge, supported by voices from numerous academic institutions including OpenAI, proposes remote kill switches and lockouts as methods to mitigate risks associated with advanced AI technologies. It also recommends tracking AI chip sales globally. The Register reports: The paper highlights numerous ways policymakers might approach AI hardware regulation. Many of the suggestions -- including those designed to improve visibility and limit the sale of AI accelerators -- are already playing out at a national level. Last year US president Joe Biden put forward an executive order aimed at identifying companies developing large dual-use AI models as well as the infrastructure vendors capable of training them. If you're not familiar, "dual-use" refers to technologies that can serve double duty in civilian and military applications. More recently, the US Commerce Department proposed regulation that would require American cloud providers to implement more stringent "know-your-customer" policies to prevent persons or countries of concern from getting around export restrictions. This kind of visibility is valuable, researchers note, as it could help to avoid another arms race, like the one triggered by the missile gap controversy, where erroneous reports led to massive build up of ballistic missiles. While valuable, they warn that executing on these reporting requirements risks invading customer privacy and even lead to sensitive data being leaked.

Meanwhile, on the trade front, the Commerce Department has continued to step up restrictions, limiting the performance of accelerators sold to China. But, as we've previously reported, while these efforts have made it harder for countries like China to get their hands on American chips, they are far from perfect. To address these limitations, the researchers have proposed implementing a global registry for AI chip sales that would track them over the course of their lifecycle, even after they've left their country of origin. Such a registry, they suggest, could incorporate a unique identifier into each chip, which could help to combat smuggling of components.

At the more extreme end of the spectrum, researchers have suggested that kill switches could be baked into the silicon to prevent their use in malicious applications. [...] The academics are clearer elsewhere in their study, proposing that processor functionality could be switched off or dialed down by regulators remotely using digital licensing: "Specialized co-processors that sit on the chip could hold a cryptographically signed digital "certificate," and updates to the use-case policy could be delivered remotely via firmware updates. The authorization for the on-chip license could be periodically renewed by the regulator, while the chip producer could administer it. An expired or illegitimate license would cause the chip to not work, or reduce its performance." In theory, this could allow watchdogs to respond faster to abuses of sensitive technologies by cutting off access to chips remotely, but the authors warn that doing so isn't without risk. The implication being, if implemented incorrectly, that such a kill switch could become a target for cybercriminals to exploit.

Another proposal would require multiple parties to sign off on potentially risky AI training tasks before they can be deployed at scale. "Nuclear weapons use similar mechanisms called permissive action links," they wrote. For nuclear weapons, these security locks are designed to prevent one person from going rogue and launching a first strike. For AI however, the idea is that if an individual or company wanted to train a model over a certain threshold in the cloud, they'd first need to get authorization to do so. Though a potent tool, the researchers observe that this could backfire by preventing the development of desirable AI. The argument seems to be that while the use of nuclear weapons has a pretty clear-cut outcome, AI isn't always so black and white. But if this feels a little too dystopian for your tastes, the paper dedicates an entire section to reallocating AI resources for the betterment of society as a whole. The idea being that policymakers could come together to make AI compute more accessible to groups unlikely to use it for evil, a concept described as "allocation."

Lauren Feiner reports via The Verge: Reps. Mark Takano (D-CA) and Dwight Evans (D-PA) reintroduced the Justice in Forensic Algorithms Act on Thursday, which would allow defendants to access the source code of software used to analyze evidence in their criminal proceedings. It would also require the National Institute of Standards and Technology (NIST) to create testing standards for forensic algorithms, which software used by federal enforcers would need to meet.

The bill would act as a check on unintended outcomes that could be created by using technology to help solve crimes. Academic research has highlighted the ways human bias can be built into software and how facial recognition systems often struggle to differentiate Black faces, in particular. The use of algorithms to make consequential decisions in many different sectors, including both crime-solving and health care, has raised alarms for consumers and advocates as a result of such research.

Takano acknowledged that gaining or hiring the deep expertise needed to analyze the source code might not be possible for every defendant. But requiring NIST to create standards for the tools could at least give them a starting point for understanding whether a program matches the basic standards. Takano introduced previous iterations of the bill in 2019 and 2021, but they were not taken up by a committee.

An anonymous reader quotes a report from BleepingComputer: A new iOS and Android trojan named 'GoldPickaxe' employs a social engineering scheme to trick victims into scanning their faces and ID documents, which are believed to be used to generate deepfakes for unauthorized banking access. The new malware, spotted by Group-IB, is part of a malware suite developed by the Chinese threat group known as 'GoldFactory,' which is responsible for other malware strains such as 'GoldDigger', 'GoldDiggerPlus,' and 'GoldKefu.' Group-IB says its analysts observed attacks primarily targeting the Asia-Pacific region, mainly Thailand and Vietnam. However, the techniques employed could be effective globally, and there's a danger of them getting adopted by other malware strains. [...]

For iOS (iPhone) users, the threat actors initially directed targets to a TestFlight URL to install the malicious app, allowing them to bypass the normal security review process. When Apple remove the TestFlight app, the attackers switched to luring targets into downloading a malicious Mobile Device Management (MDM) profile that allows the threat actors to take control over devices. Once the trojan has been installed onto a mobile device in the form of a fake government app, it operates semi-autonomously, manipulating functions in the background, capturing the victim's face, intercepting incoming SMS, requesting ID documents, and proxying network traffic through the infected device using 'MicroSocks.'

Group-IB says the Android version of the trojan performs more malicious activities than in iOS due to Apple's higher security restrictions. Also, on Android, the trojan uses over 20 different bogus apps as cover. For example, GoldPickaxe can also run commands on Android to access SMS, navigate the filesystem, perform clicks on the screen, upload the 100 most recent photos from the victim's album, download and install additional packages, and serve fake notifications. The use of the victims' faces for bank fraud is an assumption by Group-IB, also corroborated by the Thai police, based on the fact that many financial institutes added biometric checks last year for transactions above a certain amount.