×
Crime

San Francisco Police Make Arrest In Waymo Chinatown Arson Case (sfstandard.com) 8

According to the San Francisco police department, police have made the first arrest in relation to several recent vehicle arsons, including the crowd attack of a Waymo robotaxi last month in Chinatown. The San Francisco Standard reports: Police say officers arrested a man meeting the description of a person suspected of lighting several vehicles on fire. That man was arrested on Feb. 27 near Union Square. The department did not share the suspect's name because it said the case is open and remains under investigation. Nor did the department comment on which other vehicle fires the suspect may have been suspected of starting. Several Teslas were set alight in the weeks after the Waymo arson. The suspect was also found to have had methamphetamine on them.
The Courts

Discord Leaker Jack Teixeira Pleads Guilty, Seeks Light 11-Year Sentence (arstechnica.com) 50

An anonymous reader quotes a report from Ars Technica: Jack Teixeira, the National Guard airman who leaked confidential military documents on Discord, agreed Monday to plead guilty, promising to cooperate with officials attempting to trace the full extent of government secrets leaked. Under the plea deal, Teixeira will serve a much-reduced sentence, The Boston Globe reported, recommended between 11 years and 16 years and eight months. Previously, Teixeira had pleaded not guilty to six counts of "willful retention and transmission of national defense information," potentially facing up to 10 years per count. During a pretrial hearing, prosecutors suggested he could face up to 25 years, The Globe reported.

By taking the deal, Teixeira will also avoid being charged with violations of the Espionage Act, The New York Times reported, including allegations of unlawful gathering and unauthorized removal of top-secret military documents. According to prosecutors, it was clear that Teixeira, 22, was leaking sensitive documents -- including national security secrets tied to US foreign adversaries and allies, including Russia, China, Ukraine, and South Korea -- just to impress his friends on Discord -- some of them teenage boys. Investigators found no evidence of espionage. US District Judge Indira Talwani will decide whether or not to sign off on the deal at a hearing scheduled for September 27.

Television

Roku Disables Devices Until Users Agree To New Arbitration Rules 147

ZipK writes: Cord Cutters New reports that Roku has rolled out new terms of service that require users to accept individual arbitration. To gain acceptance, Roku devices pop up a dialog box that can only be dismissed if you accept the new terms or turn off your Roku and stop using it. As expected, much discussion has ensued in the Roku community.

Per the Roku Dispute Resolution Terms, users can opt out within 30 days of being subject to the new terms by sending a surface mail request to General Counsel, Roku Inc., 1701 Junction Court, Suite 100, San Jose, CA 95112. One poster in the community forum noted that the effective date of the change was Feb 20th, which may shorten the 30 day period for opting out.
Longtime Slashdot reader blastard also shared the news.
Emulation (Games)

Nintendo Switch Emulator Yuzu To Shut Down, Pay $2.4 Million To Settle Lawsuit (liliputing.com) 62

An anonymous reader quotes a report from Liliputing: Yuzu is a free and open source emulator that makes it possible to run Nintendo Switch games on Windows, Linux, and Android devices. First released in 2018, the software has been under constant development since then (the Android port was released less than a year ago). But last week Nintendo sued the developers, claiming that the primary purpose of the software is to circumvent Nintendo Switch encryption and allow users to play pirated games. Rather than fight the case in court, Tropic Haze (the developers behind Yuzu) have agreed to a settlement which involves paying $2.4 million in damages to Nintendo and basically shutting down Yuzu.

As part of a permanent injunction, Tropic Haze has agreed to stop distributing, advertising, or promoting Yuzu or any of its source code or features or any other "software or devices that circumvent Nintendo's technical protection measures." The court is also ordering the developers to turn over the yuzu-emu.org website to Nintendo and bars them "from supporting or facilitating access" to any other related websites, social media, chatrooms, or apps. In one of the more bizarre parts of the court order, the Yuzu team is told to delete all "circumvention devices," which includes any tools used for development of Yuzu and "all copies of Yuzu."

Crime

Decades-Old Missing Person Mystery Solved After Relative Uploads DNA To GEDMatch (npr.org) 30

In 1970 an Oregon man discovered a body with "clear signs of foul play".

NPR reports that "The identity of the young woman remained a mystery — until Thursday." State authorities identified the woman as Sandra Young, a teenager from Portland who went missing between 1968 and 1969. Her identity was discovered through advanced DNA technology, which has helped solve stubborn cold cases in recent years. The case's breakthrough came last year in January, when a person uploaded their DNA to the genealogy database GEDMatch and the tool immediately determined that the DNA donor was a distant family member of Young....

From there, a genetic genealogist working with local law enforcement helped track down other possible relatives and encouraged them to provide their DNA. That work eventually led to Young's sister and other family members, who confirmed that Young went missing around the same time.

Thanks to Slashdot reader Tony Isaac for sharing the news.
Open Source

French Court Issues Damages Award For Violation of GPL (heathermeeker.com) 52

Some news from "Copyleft Currents", the blog of open-source/IP lawyer Heather Meeker: On February 14, 2024, the Court of Appeal of Paris issued an order stating that Orange, a major French telecom provider, had infringed the copyight of Entr'Ouvert's Lasso software and violated the GPL.

They ordered Orange to pay €500,000 in compensatory damages and €150,000 for moral damages.

This case has been ongoing for many years. Entr'ouvert is the publisher of Lasso, a reference library for the Security Assertion Markup Language (SAML) protocol, an open standard for identity providers to authenticate users and pass authentication tokens to online services. This is the open protocol that enables single sign-on (SSO). The Lasso product is dual licensed by Entr'Ouvert under GPL or commercial licenses.

In 2005, Orange won a contract with the French Agency for the Development of Electronic Administration to develop parts of the service-public.fr portal, which allows users to interact online with the government for administrative procedures. Orange used the Lasso software in the solution, but did not pass on the rights to its modifications free of charge under GPL, or make the source code to its modifications available. Entr'Ouvert sued Orange in 2010, and the case wended its way through the courts, turning on, among other things, issues of proof of Entr'Ouvert 's copyright interest in the software, and whether the case properly sounded in breach of contract or copyright infringement...

The compensatory damages were based on both lost profits of the plaintiff and disgorgement of profits of Orange. Moral damages compensate the plaintiff for harm to reputation or other non-monetary injury.

Thanks to long-time Slashdot reader AmiMoJo for sharing the article.
Transportation

Boeing Now Also Ordered to Fix Anti-Ice System on 737 Max, 787 Jets (seattletimes.com) 47

America's Federal Aviation administration "will require a fix for a new 737 MAX design problem discovered by Boeing that, although it's a remote possibility, could theoretically disable the jet's engine anti-ice system," reports the Seattle Times: A different flaw in the MAX's engine anti-ice system design drew scrutiny in January and forced the company to drop a request for an exemption from key safety regulations. And now, it's not just the MAX with an engine anti-ice system problem. Airlines have reported a separate issue with a similar system on Boeing's 787 Dreamliner that has caused what the FAA calls "relatively minor" damage to the engine inlets on some two dozen of these widebody jets in service.

Though the FAA considers neither problem to be an immediate risk to flight safety, in February it issued separate notices of two proposed airworthiness directives to require the fix for the engine anti-ice system on the MAX and to lay out inspection and repair procedures for that system on the 787, pending a redesign that provides a permanent fix... When there is an immediate safety risk, the FAA issues a more urgent emergency directive that must be acted upon before further flight. Jets are grounded until it's dealt with. That's not the case with these two proposed airworthiness directives. Indicating that the risk is considered slight, both of the proposed directives will be open for public comments until April. Only after that will action be mandated...

On the MAX, the proposed FAA directive states that Boeing identified a potential single point of failure when it reviewed the internal design of the unit that provides a backup power supply to aircraft systems if the primary electrical system fails. Such a failure could potentially result in the loss of the anti-ice systems on both engines, with no indication or warning that would alert the pilots, the FAA directive states... In November 2022, Boeing sent a service bulletin alerting airlines and describing the required fix, which the FAA will now mandate...

Unlike this MAX issue, the fault discovered on the 787 Dreamliner has resulted in actual damage to engines on passenger aircraft. The FAA airworthiness directive on the 787 states that "damage was found during overhaul on multiple inlets around the Engine Anti-Ice duct within the inlet aft compartment." Rather than a production issue, it was a matter of the seals being insufficiently durable. Even when the plane was flying in dry air and the anti-ice system was not switched on, the seal degradation led to hot air leaking into the inlet compartment, "exposing inlet components to high temperatures," the FAA states. Boeing said this resulted in "thermal damage and discoloration to a limited area of the surrounding composite and metallic structure inside the inlet...." The FAA's proposed airworthiness directive warns that heat damage to the inlet structure could lead to "reduced structural strength and departure of the inlet from the airplane."

"Departure of the inlet" is a bland way of describing the front of the pod around the engine fan detaching, potentially striking the jet's wing, tail or fuselage. Such disintegration could result in "subsequent loss of continued safe flight and landing or injury to occupants," the airworthiness directive states...

"A separate question is how this flaw with the 787 anti-ice duct seals and the single point of failure in the backup power supply on the MAX slipped through the FAA's original certification of these aircraft."

Business Insider also reports that Boeing "is holding off on a planned expansion of production for its 737 Max planes after an Alaska Airlines flight lost a chunk of the plane while airborne in January."
United States

TurboTax and H&R Block Want 'Permission to Blab Your Money Secrets' (yahoo.com) 29

Americans filing their taxes could face privacy threats, reports the Washington Post: "We just need your OK on a couple of things," TurboTax says as you prepare your tax return.

Alarm bells should be ringing in your head at the innocuous tone.

This is where America's most popular tax-prep website asks you to sign away the ironclad privacy protections of your tax return, including the details of your income, home mortgage and student loan payments. With your permission to blab your money secrets, the company earns extra income from showing you advertisements for the next three years for things like credit cards and mortgage offers targeted to your financial situation.

You have the legal right to say no when TurboTax asks for your permission to "share your data" or use your tax information to "improve your experience...."

The article complains that granting permission allows TurboTax to share details with "sibling" companies "such as your salary, the amount of your tax refund, whether you received a tax break for student loans and the day you printed your tax return..."

"You'll see that permission request once near the beginning of the tax prep process. If you skip it then, you'll see the same screen again near the end. You'll have to say yes or no..." This is part of the corporate arms race for your personal data. Everyone including the grocery store, your apps and the manufacturer of your car are gobbling information to profit from details of your life. With TurboTax, though, you have the power to refuse to participate...

TurboTax and the online tax prep service from H&R Block have been asking every year to blab your tax return. We've cautioned you about it for each of the past two tax filing seasons. (I focused only on TurboTax this year.)

Crime

Ransomware Attack Hampers Prescription Drug Sales at 90% of US Pharmacies (msn.com) 81

"A ransomware gang once thought to have been crippled by law enforcement has snarled prescription processing for millions of Americans over the past week..." reports the Washington Post.

"The hackers stole data about patients, encrypted company files and demanded money to unlock them, prompting the company to shut down most of its network as it worked to recover." Insurance giant UnitedHealthcare Group said the hackers struck its Change Health business unit, which routes prescription claims from pharmacies to companies that determine whether patients are covered by insurance and what they should pay... Change Health and a rival, CoverMyMeds, are the two biggest players in the so-called switch business, charging pharmacies a small fee for funneling claims to insurers. "When one of them goes down, obviously it's a major problem," said Patrick Berryman, a senior vice president at the National Community Pharmacists Association...

UnitedHealth estimated that more than 90 percent of the nation's 70,000-plus pharmacies have had to alter how they process electronic claims as a result of the Change Health outage. But it said only a small number of patients have been unable to get their prescriptions at some price. At CVS, which operates one of the largest pharmacy networks in the nation, a spokesperson said there are "a small number of cases in which our pharmacies are not able to process insurance claims" as a result of the outage. It said workarounds were allowing it to fill prescriptions, however...

For pharmacies that were not able to quickly route claims to a different company, the Change Health outage left pharmacists to try to manually calculate a patient's co-pay or offer them the cash price. Compounding the impact, thousands of organizations cut off Change Health from their systems to ensure the hackers did not infect their networks as well... The attack on Change Health has left many pharmacies in a cash-flow bind, as they face bills from the companies that deliver the medication without knowing when they will be reimbursed by insurers. Some pharmacies are requiring customers to pay full price for their prescriptions when they cannot tell if they are covered by insurance. In some cases, that means people are paying more than $1,000 out of pocket, according to social media posts.

The situation has been "extremely disruptive," said Erin Fox, associate chief pharmacy officer at University of Utah Health. "At our system, our retail pharmacies were providing three-day gratis emergency supplies for patients who could not afford to pay the cash price," Fox said by email. "In some cases, like for inhalers, we had to send product out at risk, not knowing if we will ever get paid, but we need to take care of the patients." Axis Pharmacy Northwest near Seattle is "going out on a limb and dispensing product with absolutely no inkling if we'll get paid or not," said Richard Molitor, the pharmacist in charge.
UPDATE: CNN reports Change Healthcare has now announced "plans for a temporary loan program to get money flowing to health care providers affected by the outage." It's a stop-gap measure meant to give some financial relief to health care providers, which analysts say are losing millions of dollars per day because of the outage. Some US officials and health care executives told CNN it may be weeks before Change Healthcare returns to normal operations.
"Once standard payment operations resume, the funds will simply need to be repaid," the company said in a statement. Change Healthcare has been under pressure from senior US officials to get their systems back online. Officials from the White House and multiple federal agencies, including the department of Health and Human Services, have been concerned by the broad financial and health impact of the hack and have been pressing for ways to get Change Healthcare back online, sources told CNN...

In a message on its website Friday afternoon, Change Healthcare also said that it was launching a new version of its online prescribing service following the cyberattack.

Thanks to Slashdot reader CaptainDork for sharing the news.
Canada

Police Now Need Warrant For IP Addresses, Canada's Top Court Rules (www.cbc.ca) 36

The Supreme Court of Canada ruled today that police must now have a warrant or court order to obtain a person or organization's IP address. CBC News reports: The top court was asked to consider whether an IP address alone, without any of the personal information attached to it, was protected by an expectation of privacy under the Charter. In a five-four split decision, the court said a reasonable expectation of privacy is attached to the numbers making up a person's IP address, and just getting those numbers alone constitutes a search. Writing for the majority, Justice Andromache Karakatsanis wrote that an IP address is "the crucial link between an internet user and their online activity." "Thus, the subject matter of this search was the information these IP addresses could reveal about specific internet users including, ultimately, their identity." Writing for the four dissenting judges, Justice Suzanne Cote disagreed with that central point, saying there should be no expectation of privacy around an IP address alone. [...]

In the Supreme Court majority decision, Karakatsanis said that only considering the information associated with an IP address to be protected by the Charter and not the IP address itself "reflects piecemeal reasoning" that ignores the broad purpose of the Charter. The ruling said the privacy interests cannot be limited to what the IP address can reveal on its own "without consideration of what it can reveal in combination with other available information, particularly from third-party websites." It went on to say that because an IP address unlocks a user's identity, it comes with a reasonable expectation of privacy and is therefore protected by the Charter. "If [the Charter] is to meaningfully protect the online privacy of Canadians in today's overwhelmingly digital world, it must protect their IP addresses," the ruling said.

Justice Cote, writing on behalf of justices Richard Wagner, Malcolm Rowe and Michelle O'Bonsawin, acknowledged that IP addresses "are not sought for their own sake" but are "sought for the information they reveal." "However, the evidentiary record in this case establishes that an IP address, on its own, reveals only limited information," she wrote. Cote said the biographical personal information the law was designed to protect are not revealed through having access to an IP address. Police must use that IP address to access personal information that is held by an ISP or a website that tracks customers' IP addresses to determine their habits. "On its own, an IP address does not even reveal browsing habits," Cote wrote. "What it reveals is a user's ISP -- hardly a more private piece of information than electricity usage or heat emissions." Cote said placing a reasonable expectation of privacy on an IP address alone upsets the careful balance the Supreme Court has struck between Canadians' privacy interests and the needs of law enforcement. "It would be inconsistent with a functional approach to defining the subject matter of the search to effectively hold that any step taken in an investigation engages a reasonable expectation of privacy," the dissenting opinion said.

Databases

A Leaky Database Spilled 2FA Codes For the World's Tech Giants (techcrunch.com) 11

An anonymous reader quotes a report from TechCrunch: A technology company that routes millions of SMS text messages across the world has secured an exposed database that was spilling one-time security codes that may have granted users' access to their Facebook, Google and TikTok accounts. The Asian technology and internet company YX International manufactures cellular networking equipment and provides SMS text message routing services. SMS routing helps to get time-critical text messages to their proper destination across various regional cell networks and providers, such as a user receiving an SMS security code or link for logging in to online services. YX International claims to send 5 million SMS text messages daily. But the technology company left one of its internal databases exposed to the internet without a password, allowing anyone to access the sensitive data inside using only a web browser, just with knowledge of the database's public IP address.

Anurag Sen, a good-faith security researcher and expert in discovering sensitive but inadvertently exposed datasets leaking to the internet, found the database. Sen said it was not apparent who the database belonged to, nor who to report the leak to, so Sen shared details of the exposed database with TechCrunch to help identify its owner and report the security lapse. Sen told TechCrunch that the exposed database included the contents of text messages sent to users, including one-time passcodes and password reset links for some of the world's largest tech and online companies, including Facebook and WhatsApp, Google, TikTok, and others. The database had monthly logs dating back to July 2023 and was growing in size by the minute. In the exposed database, TechCrunch found sets of internal email addresses and corresponding passwords associated with YX International, and alerted the company to the spilling database. The database went offline a short time later.

Government

How the Pentagon Learned To Use Targeted Ads To Find Its Targets (wired.com) 55

An anonymous reader quotes an excerpt from a Wired article: In 2019, a government contractor and technologist named Mike Yeagley began making the rounds in Washington, DC. He had a blunt warning for anyone in the country's national security establishment who would listen: The US government had a Grindr problem. A popular dating and hookup app, Grindr relied on the GPS capabilities of modern smartphones to connect potential partners in the same city, neighborhood, or even building. The app can show how far away a potential partner is in real time, down to the foot. But to Yeagley, Grindr was something else: one of the tens of thousands of carelessly designed mobile phone apps that leaked massive amounts of data into the opaque world of online advertisers. That data, Yeagley knew, was easily accessible by anyone with a little technical know-how. So Yeagley -- a technology consultant then in his late forties who had worked in and around government projects nearly his entire career -- made a PowerPoint presentation and went out to demonstrate precisely how that data was a serious national security risk.

As he would explain in a succession of bland government conference rooms, Yeagley was able to access the geolocation data on Grindr users through a hidden but ubiquitous entry point: the digital advertising exchanges that serve up the little digital banner ads along the top of Grindr and nearly every other ad-supported mobile app and website. This was possible because of the way online ad space is sold, through near-instantaneous auctions in a process called real-time bidding. Those auctions were rife with surveillance potential. You know that ad that seems to follow you around the internet? It's tracking you in more ways than one. In some cases, it's making your precise location available in near-real time to both advertisers and people like Mike Yeagley, who specialized in obtaining unique data sets for government agencies.

Working with Grindr data, Yeagley began drawing geofences -- creating virtual boundaries in geographical data sets -- around buildings belonging to government agencies that do national security work. That allowed Yeagley to see what phones were in certain buildings at certain times, and where they went afterwards. He was looking for phones belonging to Grindr users who spent their daytime hours at government office buildings. If the device spent most workdays at the Pentagon, the FBI headquarters, or the National Geospatial-Intelligence Agency building at Fort Belvoir, for example, there was a good chance its owner worked for one of those agencies. Then he started looking at the movement of those phones through the Grindr data. When they weren't at their offices, where did they go? A small number of them had lingered at highway rest stops in the DC area at the same time and in proximity to other Grindr users -- sometimes during the workday and sometimes while in transit between government facilities. For other Grindr users, he could infer where they lived, see where they traveled, even guess at whom they were dating.

Intelligence agencies have a long and unfortunate history of trying to root out LGBTQ Americans from their workforce, but this wasn't Yeagley's intent. He didn't want anyone to get in trouble. No disciplinary actions were taken against any employee of the federal government based on Yeagley's presentation. His aim was to show that buried in the seemingly innocuous technical data that comes off every cell phone in the world is a rich story -- one that people might prefer to keep quiet. Or at the very least, not broadcast to the whole world. And that each of these intelligence and national security agencies had employees who were recklessly, if obliviously, broadcasting intimate details of their lives to anyone who knew where to look. As Yeagley showed, all that information was available for sale, for cheap. And it wasn't just Grindr, but rather any app that had access to a user's precise location -- other dating apps, weather apps, games. Yeagley chose Grindr because it happened to generate a particularly rich set of data and its user base might be uniquely vulnerable.
The report goes into great detail about how intelligence and data analysis techniques, notably through a program called Locomotive developed by PlanetRisk, enabled the tracking of mobile devices associated with Russian President Vladimir Putin's entourage. By analyzing commercial adtech data, including precise geolocation information collected from mobile advertising bid requests, analysts were able to monitor the movements of phones that frequently accompanied Putin, indicating the locations and movements of his security personnel, aides, and support staff.

This capability underscored the surveillance potential of commercially available data, providing insights into the activities and security arrangements of high-profile individuals without directly compromising their personal devices.
Government

Government Watchdog Hacked US Federal Agency To Stress-Test Its Cloud Security (techcrunch.com) 21

In a series of tests using fake data, a U.S. government watchdog was able to steal more than 1GB of seemingly sensitive personal data from the cloud systems of the U.S. Department of the Interior. The experiment is detailed in a new report by the Department of the Interior's Office of the Inspector General (OIG), published last week. TechCrunch reports: The goal of the report was to test the security of the Department of the Interior's cloud infrastructure, as well as its "data loss prevention solution," software that is supposed to protect the department's most sensitive data from malicious hackers. The tests were conducted between March 2022 and June 2023, the OIG wrote in the report. The Department of the Interior manages the country's federal land, national parks and a budget of billions of dollars, and hosts a significant amount of data in the cloud. According to the report, in order to test whether the Department of the Interior's cloud infrastructure was secure, the OIG used an online tool called Mockaroo to create fake personal data that "would appear valid to the Department's security tools."

The OIG team then used a virtual machine inside the Department's cloud environment to imitate "a sophisticated threat actor" inside of its network, and subsequently used "well-known and widely documented techniques to exfiltrate data." "We used the virtual machine as-is and did not install any tools, software, or malware that would make it easier to exfiltrate data from the subject system," the report read. The OIG said it conducted more than 100 tests in a week, monitoring the government department's "computer logs and incident tracking systems in real time," and none of its tests were detected nor prevented by the department's cybersecurity defenses.

"Our tests succeeded because the Department failed to implement security measures capable of either preventing or detecting well-known and widely used techniques employed by malicious actors to steal sensitive data," said the OIG's report. "In the years that the system has been hosted in a cloud, the Department has never conducted regular required tests of the system's controls for protecting sensitive data from unauthorized access." That's the bad news: The weaknesses in the Department's systems and practices "put sensitive [personal information] for tens of thousands of Federal employees at risk of unauthorized access," read the report. The OIG also admitted that it may be impossible to stop "a well-resourced adversary" from breaking in, but with some improvements, it may be possible to stop that adversary from exfiltrating the sensitive data.

The Courts

ExxonMobil Is Suing Investors Who Want Faster Climate Action (npr.org) 110

An anonymous reader quotes a report from NPR: ExxonMobil faces dozens of lawsuits from states and localities alleging the company lied for decades about its role in climate change and the dangers of burning fossil fuels. But now, ExxonMobil is going on the offensive with a lawsuit targeting investors who want the company to slash pollution that's raising global temperatures. Investors in publicly-traded companies like ExxonMobil try to shape corporate policies by filing shareholder proposals that are voted on at annual meetings. ExxonMobil says it's fed up with a pair of investor groups that it claims are abusing the system by filing similar proposals year after year in an effort to micromanage its business.

ExxonMobil's lawsuit points to growing tensions between companies and activist investors calling for corporations to do more to shrink their climate impact and prepare for a hotter world. Interest groups on both sides of the case say it could unleash a wave of corporate litigation against climate activists. It is happening at a time when global temperatures continue to rise, and corporate analysts say most companies aren't on track to meet targets they set to reduce their heat-trapping emissions. "Exxon is really upping the ante here in a big way by bringing this case," says Josh Zinner, chief executive of an investor coalition called the Interfaith Center on Corporate Accountability, whose members include a defendant in the ExxonMobil case. "Other companies could use this tactic not just to block resolutions," Zinner says, "but to intimidate their shareholders from even bringing these [climate] issues to the table."

ExxonMobil said in an email that it is suing the investor groups Arjuna Capital and Follow This because the U.S. Securities and Exchange Commission (SEC) isn't enforcing rules governing when investors can resubmit shareholder proposals. A court is the "the right place to get clarity on SEC rules," ExxonMobil said, adding that the case "is not about climate change." Other corporations are watching ExxonMobil's case, says Charles Crain, a vice president at the National Association of Manufacturers, which represents ExxonMobil and other industrial companies. "If companies are decreasingly able to get the SEC to allow them to exclude proposals that are obviously politically motivated, then the next question is, well, can the courts succeed where the SEC has failed -- or, more accurately, not even tried?," Crain says.
"The shareholder proposal from Arjuna and Follow This called for ExxonMobil to cut emissions faster from its own operations and from its supply chain, including the pollution that's created when customers burn its oil and natural gas," notes NPR. "That indirect pollution, known as Scope 3 emissions, accounts for 90% of ExxonMobil's carbon footprint."

"ExxonMobil says it is committed to cutting emissions from its operations. But the idea that activist investors like Arjuna and Follow This can quickly push the company out of the oil and gas business with new climate policies is 'simplistic and against the interests of the vast majority of ExxonMobil shareholders,' the company said in a court filing in Texas." The company added that while shareholders are entitled to submit proposals, they don't have "an unlimited right to put forth any proposal to do anything."

"Their intent is to advance their agenda rather than creating long-term value for shareholders," ExxonMobil said of Arjuna and Follow This.
Software

Court Orders Maker of Pegasus Spyware To Hand Over Code To WhatsApp (theguardian.com) 53

Stephanie Kirchgaessner reports via The Guardian: NSO Group, the maker of one the world's most sophisticated cyber weapons, has been ordered by a US court to hand its code for Pegasus and other spyware products to WhatsApp as part of the company's ongoing litigation. The decision by Judge Phyllis Hamilton is a major legal victory for WhatsApp, the Meta-owned communication app which has been embroiled in a lawsuit against NSO since 2019, when it alleged that the Israeli company's spyware had been used against 1,400 WhatsApp users over a two-week period.

NSO's Pegasus code, and code for other surveillance products it sells, is seen as a closely and highly sought state secret. NSO is closely regulated by the Israeli ministry of defense, which must review and approve the sale of all licences to foreign governments. In reaching her decision, Hamilton considered a plea by NSO to excuse it of all its discovery obligations in the case due to "various US and Israeli restrictions."

Ultimately, however, she sided with WhatsApp in ordering the company to produce"all relevant spyware" for a period of one year before and after the two weeks in which WhatsApp users were allegedly attacked: from 29 April 2018 to 10 May 2020. NSO must also give WhatsApp information "concerning the full functionality of the relevant spyware." Hamilton did, however, decide in NSO's favor on a different matter: the company will not be forced at this time to divulge the names of its clients or information regarding its server architecture.

Cellphones

The FBI Is Using Push Notifications To Catch Sexual Predators (gizmodo.com) 34

According to the Washington Post (paywalled), the FBI is using mobile push notification data to unmask people suspected of serious crimes, such as pedophilia, terrorism, and murder. Gizmodo reports: The Post did a little digging into court records and found evidence of at least 130 search warrants filed by the feds for push notification data in cases spanning 14 states. In those cases, FBI officials asked tech companies like Google, Apple, and Facebook to fork over data related to a suspect's mobile notifications, then used the data to implicate the suspect in criminal behavior linked to a particular app, even though many of those apps were supposedly anonymous communication platforms, like Wickr.

How exactly is this possible? Push notifications, which are provided by a mobile operating system provider, include embedded metadata that can be examined to understand the use of the mobile apps on a particular phone. Apps come laced with a quiet identifier, a "push token," which is stored on the corporate servers of a company like Apple or another phone manufacturer after a user signs up to use a particular app. Those tokens can later be used to identify the person using the app, based on the information associated with the device on which the app was downloaded. Even turning off push notifications on your device doesn't necessarily disable this feature, experts contend. [...]

If finding new ways to catch pedophiles and terrorists doesn't seem like the worst thing in the world, the Post article highlights the voices of critics who fear that this kind of mobile data could be used to track people who have not committed serious crimes -- like political activists or women seeking abortions in states where the procedure has been restricted.

AI

BC Lawyer Reprimanded For Citing Fake Cases Invented By ChatGPT 42

A B.C. lawyer has been ordered to pay costs for opposing counsel for the time they took to discover that two cases she cited as precedent were created by ChatGPT. CBC News reports: The cases would have provided compelling precedent for a divorced dad to take his children to China -- had they been real. But instead of savouring courtroom victory, the Vancouver lawyer for a millionaire embroiled in an acrimonious split has been told to personally compensate her client's ex-wife's lawyers for the time it took them to learn the cases she hoped to cite were conjured up by ChatGPT. In a decision released Monday, a B.C. Supreme Court judge reprimanded lawyer Chong Ke for including two AI "hallucinations" in an application filed last December. The cases never made it into Ke's arguments; they were withdrawn once she learned they were non-existent.

Justice David Masuhara said he didn't think the lawyer intended to deceive the court -- but he was troubled all the same. "As this case has unfortunately made clear, generative AI is still no substitute for the professional expertise that the justice system requires of lawyers," Masuhara wrote in a "final comment" appended to his ruling. "Competence in the selection and use of any technology tools, including those powered by AI, is critical."
Privacy

Cheap Doorbell Cameras Can Be Easily Hijacked, Says Consumer Reports (arstechnica.com) 23

An anonymous reader quotes a report from Ars Technica: Video doorbell cameras have been commoditized to the point where they're available for $30-$40 on marketplaces like Amazon, Walmart, Temu, and Shein. The true cost of owning one might be much greater, however. Consumer Reports (CR) has released the findings of a security investigation into two budget-minded doorbell brands, Eken and Tuck, which are largely the same hardware produced by the Eken Group in China, according to CR. The cameras are further resold under at least 10 more brands. The cameras are set up through a common mobile app, Aiwit. And the cameras share something else, CR claims: "troubling security vulnerabilities."

Among the camera's vulnerabilities cited by CR:
- Sending public IP addresses and Wi-Fi SSIDs (names) over the Internet without encryption
- Takeover of the cameras by putting them into pairing mode (which you can do from a front-facing button on some models) and connecting through the Aiwit app
- Access to still images from the video feed and other information by knowing the camera's serial number.

CR also noted that Eken cameras lacked an FCC registration code. More than 4,200 were sold in January 2024, according to CR, and often held an Amazon "Overall Pick" label (as one model did when an Ars writer looked on Wednesday). CR issued vulnerability disclosures to Eken and Tuck regarding its findings. The disclosures note the amount of data that is sent over the network without authentication, including JPEG files, the local SSID, and external IP address. It notes that after a malicious user has re-paired a doorbell with a QR code generated by the Aiwit app, they have complete control over the device until a user sees an email from Eken and reclaims the doorbell.
"These video doorbells from little known manufacturers have serious security and privacy vulnerabilities, and now they've found their way onto major digital marketplaces such as Amazon and Walmart," said Justin Brookman, director of tech policy at Consumer Reports, in a statement. "Both the manufacturers and platforms that sell the doorbells have a responsibility to ensure that these products are not putting consumers in harm's way."
AI

The Intercept, Raw Story, and AlterNet Sue OpenAI and Microsoft (theverge.com) 58

The Intercept, Raw Story, and AlterNet have filed separate lawsuits against OpenAI and Microsoft, alleging copyright infringement and the removal of copyright information while training AI models. The Verge reports: The publications said ChatGPT "at least some of the time" reproduces "verbatim or nearly verbatim copyright-protected works of journalism without providing author, title, copyright or terms of use information contained in those works." According to the plaintiffs, if ChatGPT trained on material that included copyright information, the chatbot "would have learned to communicate that information when providing responses."

Raw Story and AlterNet's lawsuit goes further (PDF), saying OpenAI and Microsoft "had reason to know that ChatGPT would be less popular and generate less revenue if users believed that ChatGPT responses violated third-party copyrights." Both Microsoft and OpenAI offer legal cover to paying customers in case they get sued for violating copyright for using Copilot or ChatGPT Enterprise. The lawsuits say that OpenAI and Microsoft are aware of potential copyright infringement. As evidence, the publications point to how OpenAI offers an opt-out system so website owners can block content from its web crawlers.
The New York Times also filed a lawsuit in December against OpenAI, claiming ChatGPT faithfully reproduces journalistic work. OpenAI claims the publication exploited a bug on the chatbot to regurgitate its articles.
Bitcoin

SBF Asks For 5-Year Prison Sentence, Calls 100-Year Recommendation 'Grotesque' (arstechnica.com) 189

An anonymous reader quotes a report from Ars Technica: Convicted FTX fraudster Sam Bankman-Fried pleaded for a lenient prison sentence in a court filing yesterday, saying that he isn't motivated by greed and "is already being punished." Bankman-Fried requested a sentence of 63 to 78 months, or 5.25 to 6.5 years. Because of "Sam's charitable works and demonstrated commitment to others, a sentence that returns Sam promptly to a productive role in society would be sufficient, but not greater than necessary, to comply with the purposes of sentencing," the court filing (PDF) said. Bankman-Fried's filing also said that he maintains his innocence and intends to appeal his convictions.

A presentence investigation report (PSR) prepared by a probation officer recommended that Bankman-Fried be sentenced to 100 years in prison, according to the filing. "That recommendation is grotesque," SBF's filing said, arguing that it is based on an erroneously calculated loss of $10 billion. The $10 billion loss asserted in the PSR is "illusory" because the "victims are poised to recover -- were always poised to recover -- a hundred cents on the dollar" in bankruptcy proceedings, SBF's filing said. The filing urged the court to "reject the PSR's barbaric proposal" of 100 years, saying that such sentences should only be for "heinous conduct" like terrorism and child sexual abuse.

The founder and ex-CEO of cryptocurrency exchange FTX, Bankman-Fried was convicted on seven charges with a combined maximum sentence of 110 years after a monthlong trial in US District Court for the Southern District of New York. The charges included wire fraud and conspiracy to commit wire fraud, securities fraud, commodities fraud, and money laundering. US government prosecutors are required to make a sentencing recommendation by March 15, and US District Judge Lewis Kaplan is scheduled to issue a sentence on March 28.

Slashdot Top Deals