Privacy

US Military Notifies 20,000 of Data Breach After Cloud Email Leak (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: The U.S. Department of Defense is notifying tens of thousands of individuals that their personal information was exposed in an email data spill last year. According to the breach notification letter sent out to affected individuals on February 1, the Defense Intelligence Agency -- the DOD's military intelligence agency -- said, "numerous email messages were inadvertently exposed to the Internet by a service provider," between February 3 and February 20, 2023. TechCrunch has learned that the breach disclosure letters relate to an unsecured U.S. government cloud email server that was spilling sensitive emails to the open internet. The cloud email server, hosted on Microsoft's cloud for government customers, was accessible from the internet without a password, likely due to a misconfiguration.

The DOD is sending breach notification letters to around 20,600 individuals whose information was affected. "As a matter of practice and operations security, we do not comment on the status of our networks and systems. The affected server was identified and removed from public access on February 20, 2023, and the vendor has resolved the issues that resulted in the exposure. DOD continues to engage with the service provider on improving cyber event prevention and detection. Notification to affected individuals is ongoing," said DOD spokesperson Cdr. Tim Gorman in an email to TechCrunch.

The Courts

Amazon Sued Over Prime Video Ads (variety.com)

Amazon faces a class-action lawsuit accusing the company of false advertising and deceptive practices because Prime Video now serves commercials by default. Variety reports: "For years, people purchased and renewed their Amazon Prime subscriptions believing that they would include ad-free streaming," the lawsuit says. "But last month, Amazon changed the deal. To stream movies and TV shows without ads, Amazon customers must now pay an additional $2.99 per month ... This is not fair, because these subscribers already paid for the ad-free version; these subscribers should not have to pay an additional $2.99/month for something that they already paid for."

The case was filed on behalf of Wilbert Napoleon, a resident of Eastvale, Calif., who says he's a Prime member. "Plaintiff brings this case for himself and for other Amazon Prime customers," the suit said. The complaint alleged that Amazon violates Washington State and California state consumer protection laws that prohibit unfair competition and deceptive business acts and practices. Amazon's conduct, as alleged, "was immoral, unethical, oppressive, unscrupulous and substantially injurious to consumers," according to the lawsuit. The suit seeks unspecified monetary damages, including punitive damages, as well as an injunction to block Amazon's alleged deceptive conduct.

The suit was filed Feb. 9, after Amazon, starting on Jan. 29, began running ads in Prime Video content in major markets including the United States unless users opt to pay extra ($2.99/month in the U.S.) for an ad-free experience. Some analysts have forecast Prime Video ads generating more than $3 billion in revenue in 2024.

Patents

US Patent Office Confirms AI Can't Hold Patents

The US Patent and Trademark Office (USPTO) asserts that only humans can be recognized as inventors on patent applications, not artificial intelligence systems, although the use of AI in the invention process is permitted and must be disclosed. The Verge reports: The agency published (PDF) its latest guidance following a series of "listening" tours to gather public feedback. It states that while AI systems and other "non-natural persons" can't be listed as inventors in patent applications, "the use of an AI system by a natural person does not preclude a natural person from qualifying as an inventor." People seeking patents must disclose if they used AI in the invention process, just as the USPTO asks all applicants to list all material information necessary to make a decision.

However, to be able to register a patent, the person using the AI must've contributed significantly to the invention's conception. A person simply asking an AI system to create something and overseeing it, the report says, does not make them an inventor. The office says that a person who simply presents the problem to an AI system or "recognizes and appreciates" its output as a good invention can't claim credit for that patent.

"However, a significant contribution could be shown by the way the person constructs the prompt in view of a specific problem to elicit a particular solution from the AI system," the USPTO says. The office also says that "maintaining 'intellectual domination' over an AI system does not, on its own, make a person an inventor" -- so simply overseeing or owning an AI that creates things doesn't mean you can file a patent for them.

Encryption

Backdoors That Let Cops Decrypt Messages Violate Human Rights, EU Court Says (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: The European Court of Human Rights (ECHR) has ruled that weakening end-to-end encryption disproportionately risks undermining human rights. The international court's decision could potentially disrupt the European Commission's proposed plans to require email and messaging service providers to create backdoors that would allow law enforcement to easily decrypt users' messages. This ruling came after Russia's intelligence agency, the Federal Security Service (FSB), began requiring Telegram to share users' encrypted messages to deter "terrorism-related activities" in 2017, ECHR's ruling said. [...] In the end, the ECHR concluded that the Telegram user's rights had been violated, partly due to privacy advocates and international reports that corroborated Telegram's position that complying with the FSB's disclosure order would force changes impacting all its users.

The "confidentiality of communications is an essential element of the right to respect for private life and correspondence," the ECHR's ruling said. Thus, requiring messages to be decrypted by law enforcement "cannot be regarded as necessary in a democratic society." [...] "Weakening encryption by creating backdoors would apparently make it technically possible to perform routine, general, and indiscriminate surveillance of personal electronic communications," the ECHR's ruling said. "Backdoors may also be exploited by criminal networks and would seriously compromise the security of all users' electronic communications. The Court takes note of the dangers of restricting encryption described by many experts in the field."

Martin Husovec, a law professor who helped to draft EISI's testimony, told Ars that EISI is "obviously pleased that the Court has recognized the value of encryption and agreed with us that state-imposed weakening of encryption is a form of indiscriminate surveillance because it affects everyone's privacy." [...] EISI's Husovec told Ars that ECHR's ruling is "indeed very important," because "it clearly signals to the EU legislature that weakening encryption is a huge problem and that the states must explore alternatives." If the Court of Justice of the European Union endorses this ruling, which Husovec said is likely, the consequences for the EU's legislation proposing scanning messages to stop illegal content like CSAM from spreading "could be significant," Husovec told Ars. During negotiations this spring, lawmakers may have to make "major concessions" to ensure the proposed rule isn't invalidated in light of the ECHR ruling, Husovec told Ars.

Europol and the European Union Agency for Cybersecurity (ENISA) said in a statement: "Solutions that intentionally weaken technical protection mechanisms to support law enforcement will intrinsically weaken the protection against criminals as well, which makes an easy solution impossible."

Piracy

Apple Pulls Popular Movie Piracy App Kimi From the App Store (wired.com)

After climbing the charts of Apple's App Store, the trendy Kimi app, with its collection of bootlegged movies, has disappeared. From a report: Pretending to be a spot-the-difference vision-testing game, the widely downloaded app ranked above Netflix, Hulu, and Amazon Prime Video in Apple's charts this week for free entertainment apps before it was removed. Without having to pay for anything or log in to any kind of account, iPhone owners could previously use Kimi to browse a wide selection of bootlegs for popular movies and TV shows. Many of the movies up for Best Picture at this year's Oscars were on Kimi, at varying levels of quality.

Poor Things was included in a grainy, pixelated state, but a high-quality version of Killers of the Flower Moon was on Kimi to stream, although an intrusive ad for online casinos was splashed across the top. That definitely isn't the viewing experience Martin Scorsese imagined for audiences. Not just limited to movies, viewers were also able to access episodes of currently airing TV shows, like RuPaul's Drag Race, through the Kimi app. Who was behind this piracy app? It remains a mystery. The developer was listed as "Marcus Evans" in the app store before Kimi was taken down, and this was the only app listed under that name, likely a pseudonym.

Crime

Wi-Fi Jamming To Knock Out Cameras Suspected In Nine Minnesota Burglaries (tomshardware.com)

Mark Tyson reports via Tom's Hardware: A serial burglar in Edina, Minnesota is suspected of using a Wi-Fi jammer to knock out connected security cameras before stealing and making off with the victim's prized possessions. [...] Edina police suspect that nine burglaries in the last six months have been undertaken with Wi-Fi jammer(s) deployed to ensure incriminating video evidence wasn't available to investigators. The modus operandi of the thief or thieves is thought to be something like this:

- Homes in affluent areas are found
- Burglars carefully watch the homes
- The burglars avoid confrontation, so appear to wait until homes are empty
- Seizing the opportunity of an empty home, the burglars will deploy Wi-Fi jammer(s)
- "Safes, jewelry, and other high-end designer items," are usually taken

A security expert interviewed by the source publication, KARE11, explained that the jammers simply confused wireless devices rather than blocking signals. They usually work by overloading wireless traffic "so that real traffic cannot get through," the news site was told. [...] Worryingly, Wi-Fi jamming is almost a trivial activity for potential thieves in 2024. KARE11 notes that it could buy jammers online very easily and cheaply, with prices ranging from $40 to $1,000. Jammers are not legal to use in the U.S. but they are very easy to buy online.

The Courts

OpenAI Gets Some of Sarah Silverman's Suit Cut in Mixed Ruling (bloomberglaw.com)

OpenAI must face a claim that it violated California unfair competition law by using copyrighted books from comedian Sarah Silverman and other authors to train ChatGPT without permission. From a report: But US District Judge Araceli Martinez-Olguin on Monday also dismissed a number of Silverman and her coplaintiffs' other legal claims, including allegations of vicarious copyright infringement, violations of the Digital Millennium Copyright Act, negligence, and unjust enrichment. The judge gave the authors the opportunity to amend their proposed class action by March 13 to fix the defects in the complaint.

The core of the lawsuit remains alive, as OpenAI's motion to dismiss, filed last summer, didn't address Silverman's claim of direct copyright infringement for copying millions of books across the internet without permission. Courts haven't yet determined whether using copyrighted work to train AI models falls under copyright law's fair use doctrine, shielding the companies from liability. Although Martinez-Olguin allowed the unfair competition claim to advance, she said the claim could be preempted by the federal Copyright Act, which prohibits state law claims that allege the same violation as a copyright claim.

Patents

Cloudflare Defeats Another Patent Troll With Crowd-Sourced Prior-Art Army (theregister.com)

When it comes to defeating patent trolls with crowd-sourced prior art, Cloudflare is now two-for-two after winning its latest case against Sable Networks. The Register: Sable Networks, which owns patents originally given to defunct "flow-based router" company Caspian Networks, sued Cloudflare and five other companies in 2021 alleging a whole host of violations of four patents now owned by Sable. A lot has changed since the case was filed in the US District Court for the Western District of Texas, leading to a jury verdict last week that found Cloudflare not only didn't infringe on the single patent that made it to trial, but that the final patent claim at issue was invalid as well. It took the jury just two hours to return the result, Cloudflare said.

"Since Sable first sued us, we've invalidated significant parts of three Sable patents, hamstringing their ability to bring lawsuits against other companies," Cloudflare's in-house counsel boasted on Monday. Cloudflare said that it managed to whittle the case down from four patents and "approximately 100 claims" to a single claim on one patent -- number 7,012,919 -- over the past three years. This is thanks in part to the assistance of outside investigators on Project Jengo, a scheme first launched in 2017 to get help digging up prior-art patents when Cloudflare was sued by another patent troll, Blackbird Technologies.

More: Cloudflare blog.

The Courts

Amazon Hides Cheaper Items With Faster Delivery, Lawsuit Alleges (arstechnica.com)

A class-action lawsuit alleges (PDF) that Amazon manipulates its platform through a biased algorithm to favor the "Buy Box" for items that generate higher fees for Amazon, often leading consumers to overpay for products that could be obtained cheaper and just as quickly from other sellers on the platform. Ars Technica reports: The lawsuit claims that a biased algorithm drives Amazon's "Buy Box," which appears on an item's page and prompts shoppers to "Buy Now" or "Add to Cart." According to customers suing, nearly 98 percent of Amazon sales are of items featured in the Buy Box, because customers allegedly "reasonably" believe that featured items offer the best deal on the platform.

"But they are often wrong," the complaint said, claiming that instead, Amazon features items from its own retailers and sellers that participate in Fulfillment By Amazon (FBA), both of which pay Amazon higher fees and gain secret perks like appearing in the Buy Box. "The result is that consumers routinely overpay for items that are available at lower prices from other sellers on Amazon -- not because consumers don't care about price, or because they're making informed purchasing decisions, but because Amazon has chosen to display the offers for which it will earn the highest fees," the complaint said.

Authorities in the US and the European Union have investigated Amazon's allegedly anticompetitive Buy Box algorithm, confirming that it's "favored FBA sellers since at least 2016," the complaint said. In 2021, Amazon was fined more than $1 billion by the Italian Competition Authority over these unfair practices, and in 2022, the European Commission ordered Amazon to "apply equal treatment to all sellers when deciding what to feature in the Buy Box." These investigations served as the first public notice that Amazon's Buy Box couldn't be trusted, customers suing said. Amazon claimed that the algorithm was fixed in 2020, but so far, Amazon does not appear to have addressed all concerns over its Buy Box algorithm. As of 2023, European regulators have continued pushing Amazon "to take further action to remedy its Buy Box bias in their respective jurisdictions," the customers' complaint said.

Crime

WhatsApp Image Sender Becomes First Convicted Cyber-Flasher (bbc.com)

A registered sex offender has become the first person in England and Wales to be convicted of cyber-flashing. The BBC reports: Nicholas Hawkes, 39, of Basildon, Essex, sent unsolicited photos of his erect penis to a 15-year-old girl and a woman on Friday. The woman took screenshots of the image on WhatsApp and reported Hawkes to Essex Police the same day. Hawkes admitted two charges when he appeared before magistrates in Southend earlier. He is the first person to be convicted of the new offense of cyber-flashing, which was brought in under the Online Safety Act and came into effect on January 31.

After pleading guilty to two counts of sending a photograph or film of genitals to cause alarm, distress, or humiliation, he was remanded in custody until March 11, when he will be sentenced at Basildon Crown Court. Hawkes is a registered sex offender until November 2033 after he was convicted and given a community order for sexual activity with a child under 16 and exposure last year at Basildon Crown Court, the CPS said. He will also be sentenced for breaching the order when he is sentenced in March.

Communications

The US Government Makes a $42 Million Bet On Open Cell Networks (theverge.com)

An anonymous reader quotes a report from The Verge: The US government has committed $42 million to further the development of the 5G Open RAN (O-RAN) standard that would allow wireless providers to mix and match cellular hardware and software, opening up a bigger market for third-party equipment that's cheaper and interoperable. The National Telecommunications and Information Administration (NTIA) grant would establish a Dallas O-RAN testing center to prove the standard's viability as a way to head off Huawei's steady cruise toward a global cellular network hardware monopoly.

Verizon global network and technology president Joe Russo promoted the funding as a way to achieve "faster innovation in an open environment." To achieve the standard's goals, AT&T vice president of RAN technology Robert Soni says that AT&T and Verizon have formed the Acceleration of Compatibility and Commercialization for Open RAN Deployments Consortium (ACCoRD), which includes a grab bag of wireless technology companies like Ericsson, Nokia, Samsung, Dell, Intel, Broadcom, and Rakuten. Japanese wireless carrier Rakuten launched as the first O-RAN network in 2020. The company's then-CEO, Tareq Amin, told The Verge's Nilay Patel in 2022 that Open RAN would enable low-cost network build-outs using smaller equipment rather than massive towers -- which has long been part of the promise of 5G.

But O-RAN is about more than that; establishing interoperability means companies like Verizon and AT&T wouldn't be forced to buy all of their hardware from a single company to create a functional network. For the rest of us, that means faster build-outs and "more agile networks," according to Rakuten. In the US, Dish has been working on its own O-RAN network, under the name Project Genesis. The 5G network was creaky and unreliable when former Verge staffer Mitchell Clarke tried it out in Las Vegas in 2022, but the company said in June last year that it had made its goal of covering 70 percent of the US population. Dish has struggled to become the next big cell provider in the US, though -- leading satellite communications company EchoStar, which spun off from Dish in 2008, to purchase the company in January.

The Washington Post writes that O-RAN "is Washington's anointed champion to try to unseat the Chinese tech giant Huawei Technologies" as the world's biggest supplier of cellular infrastructure gear.

According to the Post, Biden has emphasized the importance of O-RAN in conversations with international leaders over the past few years. Additionally, it notes that Congress, along with the NTIA, has dedicated approximately $2 billion to support the development of this standard.

Privacy

'World's Biggest Casino' App Exposed Customers' Personal Data (techcrunch.com)

An anonymous reader shares a report: The startup that develops the phone app for casino resort giant WinStar has secured an exposed database that was spilling customers' private information to the open web. Oklahoma-based WinStar bills itself as the "world's biggest casino" by square footage. The casino and hotel resort also offers an app, My WinStar, in which guests can access self-service options during their hotel stay, their rewards points and loyalty benefits, and casino winnings.

The app is developed by a Nevada software startup called Dexiga. The startup left one of its logging databases on the internet without a password, allowing anyone with knowledge of its public IP address to access the WinStar customer data stored within using only their web browser. Dexiga took the database offline after TechCrunch alerted the company to the security lapse. Anurag Sen, a good-faith security researcher who has a knack for discovering inadvertently exposed sensitive data on the internet, found the database containing personal information, but it was initially unclear who the database belonged to. Sen said the personal data included full names, phone numbers, email addresses and home addresses. Sen shared details of the exposed database with TechCrunch to help identify its owner and disclose the security lapse.

Google

Google Shareholders to Receive $350 Million in Lawsuit Settlement (cpomagazine.com)

A lawsuit involving the now-defunct Google+ social media site "has been settled for $350 million," reports CPO magazine, "after a lengthy appeals process played out..."

"[T]he total pool after attorney and legal fees are deducted is likely to be well over $200 million." [The lawsuit] dates all the way back to 2018, when Google internally discovered that the Google+ API was being abused to access the private data of about half a million of the social media service's users. Google opted not to publicly declare the breach, as they were not legally compelled to.

News of it came via the Wall Street Journal in late 2018. Google shareholders contend that the company kept the issue under wraps due to the Cambridge Analytica scandal that Facebook was experiencing at the time, believing that they would suffer a similar negative PR blow. This was supported by an internal company memo that became public.

As the news of the exploitable software glitch gradually came out, Google shareholders took a hit as the company collectively lost tens of billions of dollars in market value. The lead plaintiff in the case is Rhode Island Treasurer James Diossa, who was responsible for overseeing a state pension fund that held stock in Google parent company Alphabet.

Google+ was shuttered in 2019 after an eight-year run due in part to repeated technical issues with unauthorized API access (as well as low user engagement).

"If the settlement is approved by the 9th Circuit judge, the proceeds will be available to Google shareholders who held stock at any time from April 23, 2018, to April 30, 2019...

"A separate class-action privacy lawsuit involving users who had private data exposed during the incident was settled in 2018 for $7.5 million, leading to very low payments for each of the claimants."

Government

Oversight of Boeing 'is Not Delivering Safe Aircraft', Says America's Top Aviation Regulator (apnews.com)

America's Federal Aviation Administration "is midway through a review of manufacturing at Boeing," reports the Associated Press, but "already knows that changes must be made in how the government oversees the aircraft manufacturer." FAA Administrator Michael Whitaker suggested that Boeing — under pressure from airlines to produce large numbers of planes — is not paying enough attention to safety.

Whitaker said that FAA has had two challenges since January 5, when an emergency door panel blew off a Boeing 737 Max 9 jetliner over Oregon. "One, what is wrong with this airplane? But two, what's going on with the production at Boeing?" Whitaker told a House subcommittee. "There have been issues in the past. They don't seem to be getting resolved, so we feel like we need to have a heightened level of oversight."

Whitaker, who took over the FAA about three months ago, was making his first appearance on Capitol Hill since the blowout over Oregon.... Whitaker said the FAA is halfway through a six-week audit that has involved placing "about two dozen" inspectors in Boeing's 737 plant in Renton, Washington, and "maybe half a dozen" at a Wichita, Kansas, plant where supplier Spirit AeroSystems makes the fuselages for 737s. The inspectors are looking for gaps in the quality of work during the manufacturing process that might have contributed to a door plug blowing off an Alaska Airlines Max 9 at 16,000 feet over Oregon. Whitaker said he expects the FAA will keep people in the Boeing and Spirit factories after the audit is done, but he said the numbers haven't been determined.

For many years, the FAA has relied on employees of aircraft manufacturers to perform some safety-related work on planes being built by their companies. That saves money for the government, and in theory taps the expertise of industry employees, but it was criticized after two deadly crashes involving Boeing Max 8 planes in 2018 and 2019. "In order to have a truly safe system, it seems to me that we can't rely on the manufacturers themselves to be their own watchdogs," Rep. Colin Allred, D-Texas, said during Tuesday's hearing. Whitaker has said that the self-checking practice — in theory, overseen by FAA inspectors — should be reconsidered, but he again stopped short of saying it should be scrapped. But he said closer monitoring of Boeing is needed.

"The current system is not working because it is not delivering safe aircraft," Whitaker said. "Maybe we need to look at the incentives to make sure safety is getting the appropriate first rung of consideration that it deserves."

The Courts

Apple Is Settling Chip Secrets Theft Case Against Startup Rivos, Former Employees (yahoo.com)

In 2022 Apple filed a lawsuit against startup Rivos. The lawsuit said that in one year Rivos had hired more than 40 former Apple employees to work on competing system-on-a-chip technology, according to Reuters, "and that at least two former Apple engineers took gigabytes of confidential information with them to Rivos."

But Friday Bloomberg reported that the two companies told a judge that they'd "signed an agreement that potentially settles the case." "The agreement provides for remediation of Apple confidential information based on a forensic examination of Rivos systems and other activities," according to the filing in federal court in San Jose, California. "The parties currently are working through that process."

More details from Engadget: Apple also accused the defendant of instructing the employees it hired away to steal presentations and other proprietary information for unreleased iPhone chip designs that cost billions of dollars to develop. Rivos countersued Apple last year, accusing the larger company of restricting employees' ability to work elsewhere and of hindering emerging startups' growth by using anticompetitive measures.

The court dismissed Apple's trade secret claims against Rivos in April 2023, though the company was allowed to file a revised complaint. Apple already settled with its six former employees, who had filed a countersuit against the iPhone maker along with Rivos, after they dropped their claims against each other last month.

Both companies are now requesting the court to put their cases on hold until March 15, when they expect the settlement to be completed.

AI

In Big Tech's Backyard, a California State Lawmaker Unveils a Landmark AI Bill (msn.com)

An anonymous reader shared this report from the Washington Post: A California state lawmaker introduced a bill on Thursday aiming to force companies to test the most powerful artificial intelligence models before releasing them — a landmark proposal that could inspire regulation around the country as state legislatures increasingly tackle the swiftly evolving technology.

The new bill, sponsored by state Sen. Scott Wiener, a Democrat who represents San Francisco, would require companies training new AI models to test their tools for "unsafe" behavior, institute hacking protections and develop the tech in such a way that it can be shut down completely, according to a copy of the bill. AI companies would have to disclose testing protocols and what guardrails they put in place to the California Department of Technology. If the tech causes "critical harm," the state's attorney general can sue the company.

Wiener's bill comes amid an explosion of state bills addressing artificial intelligence, as policymakers across the country grow wary that years of inaction in Congress have created a regulatory vacuum that benefits the tech industry. But California, home to many of the world's largest technology companies, plays a singular role in setting precedent for tech industry guardrails. "You can't work in software development and ignore what California is saying or doing," said Lawrence Norden, the senior director of the Brennan Center's Elections and Government Program... Wiener says he thinks the bill can be passed by the fall.

The article notes there are now 407 AI-related bills "active in 44 U.S. states (according to an analysis by an industry group called BSA the Software Alliance) — with several already signed into law." "The proliferation of state-level bills could lead to greater industry pressure on Congress to pass AI legislation, because complying with a federal law may be easier than responding to a patchwork of different state laws."

Even the proposed California law "largely builds off an October executive order by President Biden," according to the article, "that uses emergency powers to require companies to perform safety tests on powerful AI systems and share those results with the federal government. The California measure goes further than the executive order, to explicitly require hacking protections, protect AI-related whistleblowers and force companies to conduct testing."

They also add that as the most populous U.S. state, "California has unique power to set standards that have impact across the country." And the group behind last year's statement on AI risk helped draft the legislation, according to the article, though Wiener says he also consulted tech workers, CEOs, and activists. "We've done enormous stakeholder outreach over the past year."

The Almighty Buck

Will FTX Customers Fully Recoup Their Money? (cnbc.com)

Former FTX customers "have reasons to believe they could actually recoup their money," reports CNBC: Bankman-Fried, who could spend the rest of his life behind bars, was found guilty in November on seven criminal counts after roughly $10 billion in customer funds from his company went missing. Some of that money went to pay for Bankman-Fried's lavish lifestyle, but much of it went towards other investments that have, of late, appreciated dramatically in value. Lawyers representing the bankruptcy estate of FTX told a judge in Delaware last week that they expect to fully repay customers and creditors with legitimate claims. Bankruptcy attorney Andrew Dietderich, who works with FTX's new leadership team, said "there is still a great amount of work and risk" ahead in getting all the money back to clients, but that the team has a "strategy to achieve it."

It's a welcome development for the many thousands of customers (reportedly up to a million) who collectively lost billions of dollars in FTX's collapse 15 months ago, when the crypto exchange spiraled into bankruptcy in a matter of days. Given the lightly regulated and unsecured nature of FTX — and the crypto industry at large — those clients faced the real possibility that the vast majority of their money had evaporated. Plenty of failed hedge funds and lenders lost virtually everything during the 2022 crypto winter... [C]rypto was mired in a bear market, with bitcoin trading at around $16,000. It's now above $47,000... FTX's bitcoin stash, which was worth $560 million at the time of the September report, is today valued north of $1 billion.

Bankman-Fried's investments weren't limited to crypto. He also used client money to back startups like Anthropic, the artificial intelligence company founded by ex-OpenAI employees. FTX invested $500 million in Anthropic in 2021, before the generative AI boom. Anthropic's valuation hit $18 billion in December 2023, which would value FTX's roughly 8% stake at about $1.4 billion.

CNBC suggests this could affect the length of Bankman-Fried's prison sentence (which will be determined next month).

There's now also a so-called "FTX IOU" market where investors are selling their debt, CNBC adds. "One financial firm that had lost around $100 million initially sold its FTX debt for 6 cents on the dollar in a new secondary market out of concern that it may never get a better deal. As of December, those claims were going for more than 70 cents on the dollar."

CNBC also reports that FTX "had been negotiating with bidders about a potential reboot of the company, but those efforts were scrapped last month."
Electronic Frontier Foundation

EFF Challenges 'Legal Bullying' of Sites Reporting on Alleged Appin 'Hacking-for-Hire' (eff.org)

Long-time Slashdot reader v3rgEz shared this report from MuckRock: Founded in 2003, Appin has been described as a cybersecurity company and an educational consulting firm. Appin was also, according to Reuters reporting and extensive marketing materials, a prolific "hacking for hire" service, stealing information from politicians and militaries as well as businesses and even unfaithful spouses.

Legal letters, being sent to newsrooms and organizations around the world, are trying to remove that story from the internet — and are often succeeding.

The Reuters investigation, published in November, was based in part on corroborated marketing materials, detailing a range of "hacking for hire" services Appin provided. After publication, Reuters was targeted by a legal campaign to shut down critical reporting, an effort which expanded to target news organizations around the world, including MuckRock. With the help of the Electronic Frontier Foundation, MuckRock is now sharing more details on this effort while continuing to host materials the Association of Appin Training Centers has gone to great lengths to remove from the web.

The original story, by Reuters' staff writers Raphael Satter, Zeba Siddiqui and Chris Bing, is no longer available on the Reuters website. Following a preliminary court ruling issued in New Delhi, the story has been replaced with an editor's note, stating that Reuters "stands by its reporting and plans to appeal the decision." The story has since been reposted on Distributed Denial of Secrets, while the primary source materials that Reuters reporters and editors used in their reporting are available on MuckRock's DocumentCloud service.

Representatives of the company's founders denied the assertions in the Reuters story, insisting instead that rogue actors "were misusing the Appin name."

TechDirt titled their article "Sorry Appin, We're Not Taking Down Our Article About Your Attempts To Silence Reporters."

And Thursday the EFF wrote its own take on "a campaign of bullying and censorship seeking to wipe out stories about the mercenary hacking campaigns of a less well-known company, Appin Technology, in general, and the company's cofounder, Rajat Khare, in particular." These efforts follow a familiar pattern: obtain a court order in a friendly international jurisdiction and then misrepresent the force and substance of that order to bully publishers around the world to remove their stories. We are helping to push back on that effort, which seeks to transform a very limited and preliminary Indian court ruling into a global takedown order. We are representing Techdirt and MuckRock Foundation, two of the news entities asked to remove Appin-related content from their sites... On their behalf, we challenged the assertions that the Indian court either found the Reuters reporting to be inaccurate or that the order requires any entities other than Reuters and Google to do anything. We requested a response — so far, we have received nothing...

At the time of this writing, more than 20 of those stories have been taken down by their respective publications, many at the request of an entity called "Association of Appin Training Centers (AOATC)...." It is not clear who is behind The Association of Appin Training Centers, but according to documents surfaced by Reuters, the organization didn't exist until after the lawsuit was filed against Reuters in Indian court....

If a relatively obscure company like AOATC or an oligarch like Rajat Khare can succeed in keeping their name out of the public discourse with strategic lawsuits, it sets a dangerous precedent for other larger, better-resourced, and more well-known companies such as Dark Matter or NSO Group to do the same. This would be a disaster for civil society, a disaster for security research, and a disaster for freedom of expression.

United States

California Bill Would Ban All Plastic Shopping Bags At Grocery Stores (sfstandard.com)

An anonymous reader quotes a report from the San Francisco Standard: California would ban all plastic shopping bags in 2026 under a new bill announced Thursday in the state Legislature. California already bans thin plastic shopping bags at grocery stores and other shops, but shoppers at checkout can purchase bags made with a thicker plastic that purportedly makes them reusable and recyclable. Democratic state Sen. Catherine Blakespear said people are not reusing or recycling those bags. She points to a state study that found the amount of plastic shopping bags trashed per person grew from 8 pounds per year in 2004 to 11 pounds per year in 2021. "It shows that the plastic bag ban that we passed in this state in 2014 did not reduce the overall use of plastic. It actually resulted in a substantial increase in plastic," Blakespear, a Democrat from Encinitas, said Thursday. "We are literally choking our planet with plastic waste."

While California's bag ban would apply statewide, it would only end up impacting about half the state's population, according to Mark Murray, lead advocate for the environmental advocacy group Californians Against Waste. That's because most of the state's major cities already ban these types of thicker plastic bags. But a state law passed in 2014 and approved by voters in a 2016 referendum bans cities from passing new laws restricting plastic bag use. If the Legislature passes this bill, it would be up to Democratic Gov. Gavin Newsom to decide whether to sign it into law. As San Francisco's mayor in 2007, Newsom signed the nation's first plastic bag ban.

Privacy

Security Flaw In a Popular Smart Helmet Allowed Silent Location Tracking (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: The maker of a popular smart ski and bike helmet has fixed a security flaw that allowed the easy real-time location tracking of anyone wearing its helmets. Livall makes internet-connected helmets that allow groups of skiers or bike riders to talk with each other using the helmet's in-built speaker and microphone, and share their real-time location in a friend's group using Livall's smartphone apps. Ken Munro, founder of U.K. cybersecurity testing firm Pen Test Partners, said Livall's smartphone apps had a simple flaw allowing easy access to any group's audio chats and location data. Munro says the two apps, one for skiers and one for bike riders, collectively have about a million users.

At the heart of the bug, Munro found that anyone using Livall's apps for group audio chat and sharing their location must be part of the same friends group, which could be accessed using only that group's six-digit numeric code. "That 6-digit group code simply isn't random enough," Munro said in a blog post describing the flaw. "We could brute force all group IDs in a matter of minutes." In doing so, anyone could access any of the 1 million possible permutations of group chat codes.

"As soon as one entered a valid group code, one joined the group automatically," said Munro, adding that this happened without alerting other group members. "It was therefore trivial to silently join any group, giving us access to any users' location and the ability to listen in to any group audio communications," said Munro. "The only way a rogue group user could be detected was if the legitimate user went to check on the members of that group." [...] In an email, Livall's R&D director Richard Yi explained that the company improved the randomness of group codes by also adding letters, and including alerts for new members joining groups. Yi also said the app now allows the shared location to be turned off at the user level.
