An anonymous reader quotes a report from TechCrunch: A U.S. online gift card store has secured an online storage server that was publicly exposing hundreds of thousands of customer government-issued identity documents to the internet. A security researcher, who goes by the online handle JayeLTee, found the publicly exposed storage server late last year containing driving licenses, passports, and other identity documents belonging to MyGiftCardSupply, a company that sells digital gift cards for customers to redeem at popular brands and online services.

MyGiftCardSupply's website says it requires customers to upload a copy of their identity documents as part of its compliance efforts with U.S. anti-money laundering rules, often known as "know your customer" checks, or KYC. But the storage server containing the files had no password, allowing anyone on the internet to access the data stored inside. JayeLTee alerted TechCrunch to the exposure last week after MyGiftCardSupply did not respond to the researcher's email about the exposed data. [...]

According to JayeLTee, the exposed data -- hosted on Microsoft's Azure cloud -- contained over 600,000 front and back images of identity documents and selfie photos of around 200,000 customers. It's not uncommon for companies subject to KYC checks to ask their customers to take a selfie while holding a copy of their identity documents to verify that the customer is who they say they are, and to weed out forgeries. MyGiftCardSupply founder Sam Gastro told TechCrunch: "The files are now secure, and we are doing a full audit of the KYC verification procedure. Going forward, we are going to delete the files promptly after doing the identity verification." It's not known how long the data was exposed or if the company would commit to notifying affected individuals.

A federal judge in Connecticut refused to dismiss a long-running lawsuit accusing the former Nestle Waters North America of defrauding consumers by labeling its Poland Spring bottled water as "spring water." From a report: While rejecting some claims in the proposed class action, U.S. District Judge Jeffrey Alker Meyer in New Haven called it an open question whether Poland Spring qualified as spring water under the laws of Connecticut, Maine, Massachusetts, New Hampshire, New Jersey, New York, Pennsylvania and Rhode Island. Poland Spring is now owned by Tampa, Florida-based Primo Brands, following multiple corporate transactions. Consumers sued Nestle Waters, then owned by Nestle, in 2017, saying it deceived them into overpaying for Poland Spring with labels declaring it to be "Natural Spring Water" or "100% Natural Spring Water."

The plaintiffs said "not one drop" of the 1 billion gallons sold annually in the United States came from a natural spring, and that the actual Poland Spring in Maine "ran dry" two decades before Nestle bought the brand in 1992. In seeking a dismissal, Nestle Waters said geologists and officials in the eight states agreed that Poland Spring complied with a U.S. Food and Drug Administration rule defining spring water, and each state authorized its sale as "spring water."

More than half-a-dozen VPN apps, including Cloudflare's widely-used 1.1.1.1, have been pulled from India's Apple App Store and Google Play Store following intervention from government authorities, TechCrunch reported Friday. From the report: The Indian Ministry of Home Affairs issued removal orders for the apps, according to a document reviewed by TechCrunch and a disclosure made by Google to Lumen, Harvard University's database that tracks government takedown requests globally.

An anonymous reader quotes a report from Reuters: Constellation Energy has been awarded a record $1 billion in contracts to supply nuclear power to the U.S. government over the next decade, the company said on Thursday. Constellation, the country's largest operator of nuclear power plants, will deliver electricity to more than 13 federal agencies as part of the agreements with the U.S. General Services Administration. The deal is the biggest energy purchase in the history of the GSA, which constructs and manages federal buildings, and is among the first major climate-focused energy agreement by the U.S. government to include electricity generated from existing nuclear reactors.

The GSA estimated that the contracts, set to begin on April 25, will comprise over 10 million megawatt-hours over 10 years and provide electricity equivalent to powering more than 1 million homes annually. The procurement will deliver electricity to 80 federal facilities located throughout the PJM Interconnection, a regional transmission operator with service covering more than 65 million people. The U.S. Department of Transportation, the Federal Reserve Board of Governors and the Army Corps of Engineers are some of the facilities that will receive the power. [...] Constellation said the deal will enable it to extend the licenses of existing nuclear plants and invest in new equipment and technology that will increase output by about 135 megawatts. "The investments we make as a result of this contract will keep these plants operating reliably for decades to come and put new, clean nuclear energy on the grid while making the best use of taxpayer dollars," Constellation CEO Joe Dominguez said in a release.

An anonymous reader quotes a report from The Record: Cybersecurity researchers have uncovered dozens of attacks that involve malicious updates for Chrome browser extensions, one week after a security firm was compromised in a similar incident. As of Wednesday, a total of 36 Chrome extensions injected with data-stealing code have been detected, mostly related to artificial intelligence (AI) tools and virtual private networks (VPNs), according to a report by ExtensionTotal, a platform that analyzes extensions listed on various marketplaces and public registries. These extensions, collectively used by roughly 2.6 million people, include third-party tools such as ChatGPT for Google Meet, Bard AI Chat, YesCaptcha Assistant, VPNCity and Internxt VPN. Some of the affected companies have already addressed the issue by removing the compromised extensions from the store or updating them, according to ExtensionTotal's analysis. [...]

It remains unclear whether all the compromised extensions are linked to the same threat actor. Security researchers warn that browser extensions "shouldn't be treated lightly," as they have deep access to browser data, including authenticated sessions and sensitive information. Extensions are also easy to update and often not subjected to the same scrutiny as traditional software. ExtensionTotal recommends that organizations use only pre-approved versions of extensions and ensure they remain unchanged and protected from malicious automatic updates. "Even when we trust the developer of an extension, it's crucial to remember that every version could be entirely different from the previous one," researchers said. "If the extension developer is compromised, the users are effectively compromised as well -- almost instantly."

An anonymous reader quotes a report from Ars Technica: Apple has agreed (PDF) to pay $95 million to settle a lawsuit alleging that its voice assistant Siri routinely recorded private conversations that were then sold to third parties for targeted ads. In the proposed class-action settlement (PDF) -- which comes after five years of litigation -- Apple admitted to no wrongdoing. Instead, the settlement refers to "unintentional" Siri activations that occurred after the "Hey, Siri" feature was introduced in 2014, where recordings were apparently prompted without users ever saying the trigger words, "Hey, Siri." Sometimes Siri would be inadvertently activated, a whistleblower told The Guardian, when an Apple Watch was raised and speech was detected. The only clue that users seemingly had of Siri's alleged spying was eerily accurate targeted ads that appeared after they had just been talking about specific items like Air Jordans or brands like Olive Garden, Reuters noted. It's currently unknown how many customers were affected, but if the settlement is approved, the tech giant has offered up to $20 per Siri-enabled device for any customers who made purchases between September 17, 2014, and December 31, 2024. That includes iPhones, iPads, Apple Watches, MacBooks, HomePods, iPod touches, and Apple TVs, the settlement agreement noted. Each customer can submit claims for up to five devices.

A hearing when the settlement could be approved is currently scheduled for February 14. If the settlement is certified, Apple will send notices to all affected customers. Through the settlement, customers can not only get monetary relief but also ensure that their private phone calls are permanently deleted. While the settlement appears to be a victory for Apple users after months of mediation, it potentially lets Apple off the hook pretty cheaply. If the court had certified the class action and Apple users had won, Apple could've been fined more than $1.5 billion under the Wiretap Act alone, court filings showed. But lawyers representing Apple users decided to settle, partly because data privacy law is still a "developing area of law imposing inherent risks that a new decision could shift the legal landscape as to the certifiability of a class, liability, and damages," the motion to approve the settlement agreement said. It was also possible that the class size could be significantly narrowed through ongoing litigation, if the court determined that Apple users had to prove their calls had been recorded through an incidental Siri activation -- potentially reducing recoverable damages for everyone.

A U.S. appeals court ruled on Thursday the Federal Communications Commission did not have legal authority to reinstate landmark net neutrality rules. From a report: The decision is a blow to the outgoing Biden administration that had made restoring the open internet rules a priority. President Joe Biden signed a 2021 executive order encouraging the FCC to reinstate the rules.

A three-judge panel of the Cincinnati-based 6th U.S. Circuit Court of Appeals said the FCC lacked authority to reinstate the rules initially implemented in 2015 by the agency under Democratic former President Barack Obama, but then repealed by the commission in 2017 under Republican former President Donald Trump.

The rules also forbid special arrangements in which ISPs give improved network speeds or access to favored users. The court cited the Supreme Court's June decision in a case known as Loper Bright to overturn a 1984 precedent that had given deference to government agencies in interpreting laws they administer, in the latest decision to curb the authority of federal agencies. "Applying Loper Bright means we can end the FCC's vacillations," the court ruled.

Earlier this year, Russia President Vladimir Putin called on the government to develop its own domestically produced gaming consoles with proprietary operating systems and cloud-based platforms. "With Russia heavily sanctioned and looking to promote its own products, one of its in-development consoles is powered by the Elbrus processor," notes TechSpot. However, the processor is "designed primarily for domestic applications in critical infrastructure, defense, and other sensitive areas" and "can't match high-end CPUs from Intel, AMD, and Arm." From the report: The Russian government admits that this device isn't going to be on the same level as current-gen machines. "I hope my colleagues will approach this task with full responsibility and come up with something truly groundbreaking," said Anton Gorelkin, Deputy Chairman of the State Duma Committee on Information Policy. "It is obvious to everyone: Elbrus processors are not yet at the level required to compete equally with the PS5 and Xbox, which means the solution must be unconventional." Gorelkin said that Russian consoles aren't being designed only to play ports of hundreds of old, less-demanding games. He added that they should primarily serve the purpose of promoting and popularizing domestic video game products.

Another organization following Putin's instructions is Russian telecommunications firm MTS. Its console (above) will use the company's cloud-based gaming platform, called Fog Play. It allows owners of high-end PCs to rent out their computing power to those with less-powerful equipment, charging an hourly price. Those with more powerful PCs can access games on the service and use their own hardware to play them. MTS' device is expected to cost no more than $45 and come with an Xbox-like controller, suggesting it's unlikely to appeal to those who enjoy current-gen console games.

An anonymous reader quotes a report from KrebsOnSecurity: Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon. As first reported by KrebsOnSecurity last month, the accused is a communications specialist who was recently stationed in South Korea. Cameron John Wagenius was arrested near the Army base in Fort Hood, Texas on Dec. 20, after being indicted on two criminal counts of unlawful transfer of confidential phone records. The sparse, two-page indictment (PDF) doesn't reference specific victims or hacking activity, nor does it include any personal details about the accused. But a conversation with Wagenius' mother -- Minnesota native Alicia Roen -- filled in the gaps.

Roen said that prior to her son's arrest he'd acknowledged being associated with Connor Riley Moucka, a.k.a. "Judische," a prolific cybercriminal from Canada who was arrested in late October for stealing data from and extorting dozens of companies that stored data at the cloud service Snowflake. In an interview with KrebsOnSecurity, Judische said he had no interest in selling the data he'd stolen from Snowflake customers and telecom providers, and that he preferred to outsource that to Kiberphant0m and others. Meanwhile, Kiberphant0m claimed in posts on Telegram that he was responsible for hacking into at least 15 telecommunications firms, including AT&T and Verizon. On November 26, KrebsOnSecurity published a story that followed a trail of clues left behind by Kiberphantom indicating he was a U.S. Army soldier stationed in South Korea.

[...] Immediately after news broke of Moucka's arrest, Kiberphant0m posted on the hacker community BreachForums what they claimed were the AT&T call logs for President-elect Donald J. Trump and for Vice President Kamala Harris. [...] On that same day, Kiberphant0m posted what they claimed was the "data schema" from the U.S. National Security Agency. On Nov. 5, Kiberphant0m offered call logs stolen from Verizon's push-to-talk (PTT) customers -- mainly U.S. government agencies and emergency first responders. On Nov. 9, Kiberphant0m posted a sales thread on BreachForums offering a "SIM-swapping" service targeting Verizon PTT customers. In a SIM-swap, fraudsters use credentials that are phished or stolen from mobile phone company employees to divert a target's phone calls and text messages to a device they control.

Nobel laureate Geoffrey Hinton has backed Elon Musk's legal challenge against OpenAI, criticizing the AI startup's shift from its nonprofit origins toward a for-profit model. "OpenAI was founded as an explicitly safety-focused non-profit and made various safety related promises in its charter," Hinton said in a statement through AI advocacy group Encode. "Allowing it to tear all of that up when it becomes inconvenient sends a very bad message to other actors in the ecosystem."

Musk, who co-founded OpenAI in 2015 but left in 2018, filed an injunction last month to block the company's transition to a for-profit entity. OpenAI dismissed the filing as "utterly without merit." Hinton, who won the 2024 Physics Nobel Prize for his pioneering work in neural networks, has previously criticized OpenAI CEO Sam Altman in October for prioritizing profits over safety concerns.

An anonymous reader quotes a report from Reuters: Chinese state-sponsored hackers broke into the U.S. Treasury Department earlier this month and stole documents from its workstations, according to a letter to lawmakers that was provided to Reuters on Monday. The hackers compromised a third-party cybersecurity service provider and were able to access unclassified documents, the letter said, calling it a "major incident."

According to the letter, hackers "gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able override the service's security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users." After being alerted by cybersecurity provider BeyondTrust, the Treasury Department said it was working with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to assess the hack's impact. Developing...

America's aerospace industry is overseen by the Federal Aviation Administration (or FAA) — which also handles safety warnings from the industry's whistleblowers. But the Seattle Times says an analysis of reports to Congress found "an overwhelmed system delivering underwhelming results for whistleblowers... More than 90% of safety complaints from 2020 through 2023 ended with no violation found by the FAA, while whistleblowers reported them at great personal and professional risk." Aside from the FAA's in-house program, employees of Boeing, Spirit and the FAA can report safety hazards to the Office of Special Counsel, which has no FAA ties, or through internal employer complaint programs, such as Boeing's Speak Up and Spirit's Quality 360, to trigger company reviews... In the aftermath of the door-plug blowout over Portland, Boeing specifically asked its employees to use the Speak Up program or the FAA's internal process to report any concerns, according to Boeing spokesperson Jessica Kowal. Both have done a poor job protecting whistleblowers from retaliation, according to a congressionally appointed expert panel... While both were designed to guard against retaliation, critics say they have instead become enablers of it...

A panel of aviation safety experts in February rebuked Boeing's Speak Up program in a report to Congress. Whistleblower advocates criticized Speak Up for commonly outing whistleblowers to the supervisors they're complaining about, exposing them to retaliation. Managers sometimes investigated complaints against themselves. Employees mistrusted the program's promise of anonymity. Collectively, the befuddling maze of whistleblower options sowed "confusion about reporting systems that may discourage employees from submitting safety concerns," according to the expert panel's report....

[Boeing quality inspector Sam Mohawk, who alleged the 737 MAX line in Renton was losing track of subpar aircraft parts], continues to pursue his FAA claim, originally submitted through Boeing's Speak Up program. Months passed before Boeing addressed Mohawk's complaint. When it did, Mohawk's report was passed to the managers he was complaining about, according to Brian Knowles, Mohawk's South Carolina-based lawyer. "If you do Speak Up, just know that your report is going to go straight to the guys you're accusing of wrongdoing. They aren't going to say, 'Thanks for speaking up against us,'" Knowles said.
The article includes this quote about the FAA's in-house whistleblower program from Tom Devine, a whistleblower attorney with nearly a half-century of experience across a spectrum of federal agencies, and legal director of the nonprofit Government Accountability Project, which helps whistleblowers navigate the federal system. "It's been a disaster from the beginning. We tell everyone to avoid it because it's a trap... We've warned whistleblowers not to entrust their rights there."

Reuters reports: Finnish police said on Sunday they had found tracks that drag on for dozens of kilometres along the bottom of the Baltic Sea where a tanker carrying Russian oil is suspected of breaking a power line and four telecoms cables with its anchor... A break in the 658 megawatt (MW) Estlink 2 power cable between Finland and Estonia occurred at midday on Wednesday, leaving only the 358 MW Estlink 1 linking the two countries, grid operators said. They said Estlink 2 might not be back in service before August.
In an interesting twist, the New York Times reports that the ship "bears all the hallmarks of vessels belonging to Russia's shadow fleet, officials said, and had embarked from a Russian port shortly before the cables were cut." If confirmed, it would be the first known instance of a shadow fleet vessel being used to intentionally sabotage critical infrastructure in Europe — and, officials and experts said, a clear escalation by Russia in its conflict with the West... NATO's general secretary, Mark Rutte, responding to requests from the leaders of Finland and Estonia, both member nations, said the Atlantic alliance would "enhance" its military presence in the Baltic Sea...

Since Russia began assembling its fleet, the number of shadow vessels traversing the oceans has grown by hundreds and now makes up 17 percent of the total global oil tanker fleet... Nearly 70 percent of Russia's oil is being transported by shadow tankers, according to an analysis published in October by the Kyiv School of Economics Institute, a research organization based in Ukraine... The authorities in Finland are still investigating whether the "Eagle S" engaged in a criminal act. But the sheer size of the shadow fleet might have made using some of these vessels for sabotage irresistible to Russia, [said Elisabeth Braw, a senior fellow at the Atlantic Council who has researched and written about shadow fleets]...

While it's still not certain that this week's cable cutting was done intentionally, the Baltic Sea, for a number of reasons, is an ideal arena to carry out sabotage operations. It is relatively shallow and is crisscrossed with essential undersea cables and pipelines that provide energy, as well as internet and phone services, to a number of European countries that are NATO members. Russia has relatively unfettered access to the sea from several ports, and its commercial vessels, protected by international maritime law, can move around international waters largely unmolested... The suspicions that Russia was using shadow vessels for more than just escaping sanctions existed before this week's cable cutting. Last April, the head of Sweden's Navy told a local news outlet that there was evidence such ships were being used to conduct signals intelligence on behalf of Russia and that some fishing vessels had been spotted with antennas and masts not normally seen on commercial vessels. Since the war began, there has also been an uptick in suspicious episodes resulting in damage to critical undersea infrastructure...

Hours after Finland's energy grid operator alerted the police that an undersea power cable was damaged on Wednesday, Finnish officers descended by helicopter to the ship's deck and took over the bridge, preventing the vessel from sailing farther. By Friday, it remained at anchor in the Gulf of Finland, guarded by a Finnish Defense Forces missile boat and a Border Guard patrol vessel.
The cable incident happened just weeks after the EU issued new sanctions targetting Russia's shadow fleet, Euronews reports. "A handful of Chinese companies suspected of enabling Russia's production of drones are also blacklisted as part of the agreement, a diplomat told Euronews." The "shadow fleet" has been accused of deceptive practices, including transmitting falsified data and turning off their transporters to become invisible to satellite systems, and conducting multiple ship-to-ship transfers to conceal the origin of the oil barrels...

Business Insider reports: The lead researcher for Sam Altman's basic-income study says guaranteed no-strings payments are not a silver bullet for issues facing lower-income Americans. Elizabeth Rhodes, the research director for the Basic Income Project at Open Research, told Business Insider that while basic-income payments are "beneficial in many ways," the programs also have "clear limitations...."

Rhodes headed up one of the largest studies in the space, which focused specifically on those on low incomes rather than making universal payments to adults across all economic demographics. The three-year experiment, backed by OpenAI boss Altman, provided 1,000 low-income participants with $1,000 a month without any stipulations for how they could spend it.... The initial findings, released in July, found that recipients put the bulk of their extra spending toward basic needs such as rent, transportation, and food. They also worked less on average but remained engaged in the workforce and were more deliberate in their job searches compared with a control group. But Rhodes says the research reinforced how difficult it is to solve complex issues such as poverty or economic insecurity, and that there is "a lot more work to do."

The Altman-backed study is still reporting results. New findings released in December showed recipients valued work more after receiving the recurring monthly payments — a result that may challenge one of the main arguments against basic income payments. Participants also reported significant reductions in stress, mental distress, and food insecurity during the first year, though those effects faded by the second and third years of the program. "Poverty and economic insecurity are incredibly difficult problems to solve," Rhodes said. "The findings that we've had thus far are quite nuanced."

She added: "There's not a clear through line in terms of, this helps everyone, or this does that. It reinforced to me the idea that these are really difficult problems that, maybe, there isn't a singular solution."
In an earlier article coauthor David Broockman told Business Insider that the study's results might offer insights into how future programs could be successful — but said that the study's results didn't necessarily confirm the fears or hopes expressed by skeptics or supporters of a basic income.

Thanks to Slashdot reader jjslash for sharing the news.

Thursday New York's governor signed new legislation "to hold polluters responsible for the damage done to our environment" by establishing a Climate Superfund that's paid for by big fossil-fuel companies.

The money will be used for "climate change adaptation," according to New York state senator Liz Krueger, who notes that the legislation follows "the polluter-pays model" used in America's already-existing federal and state superfund laws. Spread out over 25 years, the legislation collects an average of $3 billion each year — or $75 billion — "from the parties most responsible for causing the climate crisis — big oil and gas companies."

"The Climate Change Superfund Act is now law, and New York has fired a shot that will be heard round the world: the companies most responsible for the climate crisis will be held accountable," said Senator Krueger. "Too often over the last decade, courts have dismissed lawsuits against the oil and gas industry by saying that the issue of climate culpability should be decided by legislatures. Well, the Legislature of the State of New York — the 10th largest economy in the world — has accepted the invitation, and I hope we have made ourselves very clear: the planet's largest climate polluters bear a unique responsibility for creating the climate crisis, and they must pay their fair share to help regular New Yorkers deal with the consequences.

"And there's no question that those consequences are here, and they are serious," Krueger continued. "Repairing from and preparing for extreme weather caused by climate change will cost more than half a trillion dollars statewide by 2050. That's over $65,000 per household, and that's on top of the disruption, injury, and death that the climate crisis is causing in every corner of our state. The Climate Change Superfund Act is a critical piece of affordability legislation that will deliver billions of dollars every year to ease the burden on regular New Yorkers...."

Starting in the 1970s, scientists working for Exxon made "remarkably accurate projections of just how much burning fossil fuels would warm the planet." Yet for years, "the oil giant publicly cast doubt on climate science, and cautioned against any drastic move away from burning fossil fuels, the main driver of climate change."
"The oil giant Saudi Aramco of Saudi Arabia could be slapped with the largest annual assessment of any company — $640 million a year — for emitting 31,269 million tons of greenhouse gases from 2000 to 2020," notes the New York Post.

And "The law will also standardize the number of emissions tied to the fuel produced by companies," reports the Times Union newspaper. "[F]or every 1 million pounds of coal, for example, the program assigns over 942 metric tons of carbon dioxide. For every 1 million barrels of crude oil, an entity is considered to have produced 432,180 metric tons of carbon dioxide." Among the infrastructure programs the superfund program aims to pay for: coastal wetlands restoration, energy efficient cooling systems in buildings, including schools and new housing developments, and stormwater drainage upgrades.
New York is now the second U.S. state with a "climate Superfund" law, according to Bloomberg Law, with New York following the lead of Vermont. "Maryland, Massachusetts, and California are also considering climate Superfund laws to manage mounting infrastructure costs." The American Petroleum Institute, which represents about 600 members of the industry, condemned the law. "This type of legislation represents nothing more than a punitive new fee on American energy, and we are evaluating our options moving forward," an API spokesperson said in an emailed statement... The bills — modeled after the federal Comprehensive Environmental Response, Compensation, and Liability Act, known as Superfund — would almost certainly spur swift litigation from fossil fuel companies upon enactment, legal educators say.