Transportation

America's Car Industry Seeks to Crush AM Radio. Will Congress Rescue It? (msn.com) 262

The Wall Street Journal reports that "a motley crew of AM radio advocates," including conservative talk show hosts and federal emergency officials, are lobbying Congress to stop carmakers from dropping AM radio from new vehicles: Lawmakers say most car companies are noncommittal about the future of AM tuners in vehicles, so they want to require them by law to keep making cars with free AM radio. Supporters argue it is a critical piece of the emergency communication network, while the automakers say Americans have plenty of other ways, including their phones, to receive alerts and information. The legislation has united lawmakers who ordinarily want nothing to do with one another. Sens. Ted Cruz (R., Texas) and Ed Markey (D., Mass.) are leading the Senate effort, and on the House side, Speaker Mike Johnson — himself a former conservative talk radio host in Louisiana — and progressive "squad" member Rep. Rashida Tlaib of Michigan are among about 200 co-sponsors...

A spring 2023 Nielsen survey, the most recent one available, showed that AM radio reaches about 78 million Americans every month. That is down from nearly 107 million in the spring of 2016, one of the earliest periods for which Nielsen has data... Automakers say the rise of electric vehicles is driving the shift away from AM, because onboard electronics create interference with AM radio signals — a phenomenon that "makes the already fuzzy analog AM radio frequency basically unlistenable," according to the Alliance for Automotive Innovation, a car-industry trade group. Shielding cables and components to reduce interference would cost carmakers $3.8 billion over seven years, the group estimates.

Markey and other lawmakers say they want to preserve AM radio because of its role in emergency communications. The Federal Emergency Management Agency says that more than 75 radio stations, most of which operate on the AM band and cover at least 90% of the U.S. population, are equipped with backup communications equipment and generators that allow them to continue broadcasting information to the public during and after an emergency. Seven former FEMA administrators urged Congress in a letter last year to seek assurances from automakers that they would keep broadcast radio available. The companies' noncommittal response spurred legislation, lawmakers said.

Automakers increasingly want to put radio and other car features "behind a paywall," Markey said in an interview. "They see this as another profit center for them when the American driving public has seen it as a safety resource for them and their families...." He compared the auto industry's resistance to the bill to previous opposition to government mandates like seat belts and air bags. "Leaving safety decisions to the auto industry is very dangerous," Markey said.

Lawmakers have heard from over 400,000 AM radio supporters, according to the president of the National Association of Broadcasters.

But the article also cites an executive at the Consumer Technology Association, who says automakers and tech advocacy groups have told lawmakers that requiring AM radio would be "inconsistent with the principles of a free market.... It's strange that Congress is focused on a 100-year-old technology."
United Kingdom

London Accused of Wrongly Fining Hundreds of Thousands of EU Drivers (theguardian.com) 91

The Guardian reports that "Hundreds of thousands of EU citizens were wrongly fined for driving in London's Ulez clean air zone, according to European governments..." The Guardian can reveal Transport for London (TfL) has been accused by five EU countries of illegally obtaining the names and addresses of their citizens in order to issue the fines, with more than 320,000 penalties, some totalling thousands of euros, sent out since 2021...

Since Brexit, the UK has been banned from automatic access to personal details of EU residents. Transport authorities in Belgium, Spain, Germany and the Netherlands have confirmed to the Guardian that driver data cannot be shared with the UK for enforcement of London's ultra-low emission zone (Ulez), and claim registered keeper details were obtained illegally by agents acting for TfL's contractor Euro Parking Collection. In France, more than 100 drivers have launched a lawsuit claiming their details were obtained fraudulently, while Dutch lorry drivers are taking legal action against TfL over £6.5m of fines they claim were issued unlawfully.

According to the Belgian MP Michael Freilich, who has investigated the issue on behalf of his constituents, TfL is treating European drivers as a "cash cow" by using data obtained illegitimately to issue unjustifiable fines.

Freilich describes the situation as "possibly one of the largest privacy and data breaches in EU history," according to the article.

Some drivers have even received penalties of up to five-figure sums — for compliant vehicles which had simply not yet been registered. And "some low-emission cars have been misclassed as heavy goods diesel vehicles and fined under the separate low-emission zone scheme, which incurs penalties of up to £2,000 a day."

Thanks to Slashdot reader Bruce66423 for sharing the article.
Businesses

The Great Freight-Train Heists of the 21st Century 78

Cargo theft from freight trains in the Los Angeles area has surged, with detectives estimating that over 90 containers are being opened daily and that theft on freight trains in the Union Pacific area was up some 160 percent from the previous year. Nationally, cargo theft neared $1 billion in losses last year. Companies declined to comment, but California's governor publicly questioned the widespread railroad theft. Most of those arrested were not organized; many were homeless people nearby opportunistically taking fallen boxes off the tracks. The theft stems largely from the e-commerce boom that reshaped freight shipping to meet consumer demand, opening vulnerabilities. Railroad police forces and online retailers aim to combat this but concede difficulty tracking stolen goods resold anonymously online. Some products stolen from containers even get resold back on Amazon. The New York Times Magazine: Sometimes products stolen out of Amazon containers are resold by third-party sellers back on Amazon in a kind of strange ouroboros, in which the snakehead of capitalism hungrily swallows its piracy tail. Last June, California's attorney general created what was touted as a first-of-its-kind agreement among online retailers that committed them to doing a better job tracking, reporting and preventing stolen items from being resold on their platforms. While declining to comment on specific cases, a spokesperson for Amazon told me that the company is working to improve the process of vetting sellers: The number of "bad actor attempts" to create new selling accounts on Amazon decreased to 800,000 in 2022 from six million in 2020.
United States

NSA Buys Americans' Internet Data Without Warrants, Letter Says (nytimes.com) 96

The National Security Agency buys certain logs related to Americans' domestic internet activities from commercial data brokers, according to an unclassified letter by the agency. The New York Times: The letter [PDF], addressed to a Democratic senator and obtained by The New York Times, offered few details about the nature of the data other than to stress that it did not include the content of internet communications. Still, the revelation is the latest disclosure to bring to the fore a legal gray zone: Intelligence and law enforcement agencies sometimes purchase potentially sensitive and revealing domestic data from brokers that would require a court order to acquire directly.

It comes as the Federal Trade Commission has started cracking down on companies that trade in personal location data that was gathered from smartphone apps and sold without people's knowledge and consent about where it would end up and for what purpose it would be used. In a letter to the director of national intelligence dated Thursday, the senator, Ron Wyden, Democrat of Oregon, argued that "internet metadata" -- logs showing when two computers have communicated, but not the content of any message -- "can be equally sensitive" as the location data the F.T.C. is targeting. He urged intelligence agencies to stop buying internet data about Americans if it was not collected under the standard the F.T.C. has laid out for location records. "The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans' privacy are not just unethical, but illegal," Mr. Wyden wrote.

Piracy

Streaming Pirates Are Hollywood's New Villains (bloomberg.com) 160

Illegal subscription services that steal films or TV shows bring in $2 billion a year in ads and subscriber fees (non-paywalled link). From a report: Ever since taking on Netflix at its own game, old Hollywood has struggled to turn a profit in streaming, with the likes of Disney+, Peacock and Paramount+ losing billions of dollars each year, sparking concerns on Wall Street that the services will never be as profitable as cable once was. But the age of streaming has been a boon for some unintended winners: pirates that use software to rip a film or television show in seconds from legitimate online video platforms and host the titles on their own, illegitimate services, which rake in about $2 billion annually from ads and subscriptions.

With no video production costs, illicit streaming sites such as myflixer and projectfreetv have achieved profit margins approaching 90%, according to the Motion Picture Association, a trade group representing Hollywood studios that's working to crack down on the thousands of illegal platforms that have cropped up in recent years. Initially the rise of legitimate online businesses such as Netflix actually helped curb digital piracy, which had largely been based on file uploads. But now piracy involving illegal streaming services as well as file-sharing costs the US economy about $30 billion in lost revenue a year and some 250,000 jobs, estimates the US Chamber of Commerce's Global Innovation Policy Center. The global impact is about $71 billion annually.

In the US, which counts almost 130 subscription piracy sites, the MPA estimates that the top three combined have about 2 million users paying $5 to $10 per month for films, TV shows and live sports. Analysts say the user number could soar as the cost of subscriptions from legitimate companies such as Walt Disney approach $20 per month as they seek to bolster the finances of their streaming platforms. "Some of these pirate websites have gotten more daily visits than some of the top 10 legitimate sites," says Karyn Temple, the MPA's general counsel. "That really shows how prolific they are."

Privacy

Inside a Global Phone Spy Tool Monitoring Billions (404media.co) 40

A wide-spanning investigation by 404 Media reveals more details about a secretive spy tool called Patternz that can track billions of phone profiles through the advertising industry. From the report: Hundreds of thousands of ordinary apps, including popular ones such as 9gag, Kik, and a series of caller ID apps, are part of a global surveillance capability that starts with ads inside each app, and ends with the apps' users being swept up into a powerful mass monitoring tool advertised to national security agencies that can track the physical location, hobbies, and family members of people to build billions of profiles, according to a 404 Media investigation.

404 Media's investigation, based on now deleted marketing materials and videos, technical forensic analysis, and research from privacy activists, provides one of the clearest examinations yet of how advertisements in ordinary mobile apps can ultimately lead to surveillance by spy firms and their government clients through the real time bidding data supply chain. The pipeline involves smaller, obscure advertising firms and advertising industry giants like Google. In response to queries from 404 Media, Google and PubMatic, another ad firm, have already cut off a company linked to the surveillance firm.

Privacy

Amazon's Ring To Stop Letting Police Request Doorbell Video From Users 64

Amazon's Ring home doorbell unit says it will stop letting police departments request footage from users' video doorbells and surveillance cameras, retreating from a practice that was criticized by civil liberties groups and some elected officials. Bloomberg: Next week, the company will disable its Request For Assistance tool (non-paywalled link), the program that had allowed law enforcement to seek footage from users on a voluntary basis, Eric Kuhn, who runs Ring's Neighbors app, said in a blog post on Wednesday. Police and fire departments will have to seek a warrant to request footage from users or show the company evidence of an ongoing emergency.

Kuhn didn't say why Ring was disabling the tool. Yassi Yarger, a spokesperson, said Ring had decided to devote its resources to new products and experiences in the Neighbors app that better fit with the company's vision. The aim is to make Neighbors, which had been focused on crime and safety, into more of a community hub, she said. New features announced on Wednesday -- one called Ring Moments that lets users post clips and a company-produced Best of Ring -- highlight that push.
United States

Biden Aims To Stop Countries From Exploiting Americans' Data for Blackmail, Espionage (bloomberg.com) 119

The Biden administration is preparing an executive order that seeks to prevent foreign adversaries from accessing troves of highly sensitive personal data about Americans and people connected to the US government, Bloomberg News reported, citing documents. From the report: The administration plans to soon unveil the new executive order, which will direct the US Attorney General and Department of Homeland Security to issue new restrictions on transactions involving data that, if obtained, could threaten national security, according to three people familiar with the matter, who asked not to be named as the details are still private.

The draft order focuses on ways that foreign adversaries are gaining access to Americans' "highly sensitive" personal data -- from genetic information to location -- through legal means. That includes obtaining information through intermediaries, such as data brokers, third-party vendor agreements, employment agreements or investment agreements, according to a draft of the proposed order. In addition, organizations owned, controlled or operated by "countries of concern" are often obligated to hand such data over to the government when asked.

Electronic Frontier Foundation

EFF Adds Street Surveillance Hub So Americans Can Check Who's Checking On Them (theregister.com) 56

An anonymous reader quotes a report from The Register: For a country that prides itself on being free, America does seem to have an awful lot of spying going on, as the new Street Surveillance Hub from the Electronic Frontier Foundation shows. The Hub contains detailed breakdowns of the type of surveillance systems used, from bodycams to biometrics, predictive policing software to gunshot detection microphones and drone-equipped law enforcement. It also has a full news feed so that concerned citizens can keep up with the latest US surveillance news; they can also contribute to the Atlas of Surveillance on the site.

The Atlas, started in 2019, allows anyone to check what law enforcement is being used in their local area -- be it license plate readers, drones, or gunshot detection microphones. It can also let you know if local law enforcement is collaborating with third parties like home security vendor Ring to get extra information. EFF policy analyst Matthew Guariglia told The Register that once people look into what's being deployed using their tax dollars, a lot of red flags are raised. Over the last few years America's thin blue line have not only been harvesting huge amounts of data themselves, but also buying it in from commercial operators. The result is a perfect storm on privacy -- with police, homeowners, and our personal technology proving to be a goldmine of intrusive information that's often misused.

Crime

IT Consultant Fined For Daring To Expose Shoddy Security (theregister.com) 102

Thomas Claburn reports via The Register: A security researcher in Germany has been fined $3,300 for finding and reporting an e-commerce database vulnerability that was exposing almost 700,000 customer records. Back in June 2021, according to our pals at Heise, a contractor identified elsewhere as Hendrik H. was troubleshooting software for a customer of IT services firm Modern Solution GmbH. He discovered that the Modern Solution code made a MySQL connection to a MariaDB database server operated by the vendor. It turned out the password to access that remote server was stored in plain text in the program file MSConnect.exe, and opening it in a simple text editor would reveal the unencrypted hardcoded credential.

With that easy-to-find password in hand, anyone could log into the remote server and access data belonging to not just that one customer of Modern Solution, but data belonging to all of the vendor's clients stored on that database server. That info is said to have included personal details of those customers' own customers. And we're told that Modern Solution's program files were available for free from the web, so truly anyone could inspect the executables in a text editor for plain-text hardcoded database passwords. The contractor's findings were discussed in a June 23, 2021 report by Mark Steier, who writes about e-commerce. That same day Modern Solution issued a statement [PDF] -- translated from German -- summarizing the incident [...]. The statement indicates that sensitive data about Modern Solution customers was exposed: last names, first names, email addresses, telephone numbers, bank details, passwords, and conversation and call histories. But it claims that only a limited amount of data -- names and addresses -- about shoppers who made purchases from these retail clients was exposed. Steier contends that's incorrect and alleged that Modern Solution downplayed the seriousness of the exposed data, which he said included extensive customer data from the online stores operated by Modern Solution's clients.

In September 2021 police in Germany seized the IT consultant's computers following a complaint from Modern Solution that claimed he could only have obtained the password through insider knowledge -- he worked previously for a related firm -- and the biz claimed he was a competitor. Hendrik H. was charged with unlawful data access under Section 202a of Germany's Criminal Code, based on the rule that examining data protected by a password can be classified as a crime under the Euro nation's cybersecurity law. In June, 2023, a Julich District Court in western Germany sided with the IT consultant because the Modern Solution software was insufficiently protected. But the Aachen regional court directed the district court to hear the complaint. Now, the district court has reversed its initial decision. On January 17, a Julich District Court fined Hendrik H. and directed him to pay court costs.

Crime

Walmart's Financial Services 'Became a Fraud Magnet', Says ProPublica (propublica.org) 83

One man living in Virginia oversaw "the laundering of some $7 million in fraudulently obtained gift cards" from Walmart in an international operation which over five years scammed hundreds of victims into sending the numbers over the phone, reports a new ProPublica investigation (citing court evidence that emerged after his arrest in 2021). Earlier that year, he complained to an associate that more and more people were competing to resell cards in China, eating into his profits. So many scammers were flocking to Walmart that he and his team regularly encountered them at self-checkout counters.... "We ran into quite a few at the store, and we even started chatting."
It was apparently so common that federal prosecutors started calling it "The Walmart scheme." And while the store is supposed to watch for customers who appear to be acting on a scammer's instructions, "Too often, Walmart has failed." America's largest retailer has long been a facilitator of fraud on a mass scale, a ProPublica investigation has found. For roughly a decade, Walmart has resisted tougher enforcement while breaking promises to regulators and skimping on employee training, according to more than 50 interviews, internal documents supplied by former industry executives, court filings and other public records... More than $1 billion in fraud losses were routed through the company's financial systems between 2013 and 2022, according to filings by the Federal Trade Commission and court cases analyzed by ProPublica. That has helped fuel a boom in financial chicanery. Americans, many of them elderly, were swindled out of $27 billion between 2013 and 2022, according to the FTC...

Walmart has a financial incentive to avoid cracking down. It makes money each time a Walmart gift card is used and earns a fee when another brand of card is bought. And it receives one commission when a person sends a money transfer and a second when the recipient picks it up. The company's financial services business generates hundreds of millions in annual profits. (Its filings do not provide specific figures for gift cards and money transfers.) "They were concerned about the bucks. That's all," Nick Alicea, a former fraud team leader for the U.S. Postal Inspection Service who investigated Walmart for years, told ProPublica. Walmart's deficiencies have repeatedly attracted government scrutiny. In 2017, the attorneys general of New York and Pennsylvania investigated Walmart over concerns that it was "reaping the benefits" of gift card fraud. The investigation concluded a year later with Walmart promising to restrict or eliminate the use of its gift cards to purchase other gift cards...

Instead, the company let the practice continue until 2022 — even after it knew that millions of dollars were being laundered through its stores. The FTC sued Walmart in 2022, alleging it "turned a blind eye" as criminals took advantage of its money transfer service. Walmart, the FTC claimed, pocketed millions in fees while "letting fraudsters fleece its customers." Summarizing the FTC's evidence, a federal judge in the case wrote that "Walmart knew that its services were used by fraudsters" and that the company was repeatedly warned about certain stores where "twenty-five, fifty, or even seventy-five percent of money transfer activity was fraudulent." Separately, a federal grand jury in Pennsylvania is hearing evidence of possible criminal conduct in Walmart's money transfer business, according to corporate filings that did not detail the allegations.

While the FTC says Americans were swindled out of $27 billion between 2013 and 2022, Walmart responded to ProPublica's investigation by pointing out it's refunded $4 million to gift-card fraud victims, and also blocked more than $700 million in suspicious money transfers. "We have a robust anti-fraud program and other controls to help stop scammers and other criminals who may use the financial services we offer to harm our customers." The company's legal filings in the FTC case struck a different tone. Walmart is seeking to dismiss the suit, partly on the grounds that it has "no responsibility to protect against the criminal conduct of third parties." Though fraud is "deeply unfortunate," Walmart argues, such schemes are "reasonably avoidable by consumers."
Other interesting quotes from the article:
  • "Walmart outlets at one point accounted for the top 20 locations for fraud nationally among chains that partnered with MoneyGram, according to internal documents."
  • "In a single week in March 2017, consumers claiming they'd been duped into a money transfer filed 610 complaints about Walmart, according to documents obtained by ProPublica. CVS ranked second, with 47."
  • "Site inspections routinely found that Walmart staff lacked anti-fraud training and that employees failed to ask screening questions..."
  • Walmart resisted MoneyGram's attempts to fight fraud [according to the former fraud team leader for the postal inspector's office in Harrisburg, Pennsylvania, who investigated MoneyGram and Walmart].

Cellphones

Could Apostrophy OS Be the Future of Cellphone Privacy? (stuff.co.za) 100

"Would you pay $15 a month so Android doesn't track you and send all of that data back to Google?" asks Stuff South Africa: A new Swiss-based privacy company thinks $15 is a fair fee for that peace of mind. "A person's data is the original digital currency," argues Apostrophy, which has created its own operating system, called Apostrophy OS.

It's based on Android — don't panic — but the version that has already been stripped of Google's intrusiveness by another privacy project called GrapheneOS, which used to be known as CopperheadOS. Launched in 2014, it was briefly known as the Android Hardening project, before being rebranded as GrapheneOS in 2019. Apostrophy OS is "focused on empowering our users, not leveraging them," it says and is "purposely Swiss-based, so we can be champions of data sovereignty".

What it does, they say, is separate the apps from the underlying architecture of the operating system and therefore prevent apps from accessing miscellaneous personal data, especially the all-important location data so beloved of surveillance capitalism... Apostrophy OS has its own app store, but also cleverly allows users to access the Google Play Store. If you think that is defeating the point, Apostrophy argues that those apps can't get to the vitals of your digital life. Apostrophy OS has "partitioned segments prioritising application integrity and personal data privacy".

The service is free for one year with the purchase of the new MC02 phone from Swiss manufacturer Punkt, according to PC Magazine. "The phone costs $749 and is available for preorder now. It will ship at the end of January." Additional features include a built-in VPN called Digital Nomad based on the open-source Wireguard framework to secure your activity against outside snooping, which includes "exit addresses" in the US, Germany, and Japan with the base subscription.
Open Source

Hans Reiser Sends a Letter From Prison (arstechnica.com) 181

In 2003, Hans Reiser answered questions from Slashdot's readers...

Today Wikipedia describes Hans Reiser as "a computer programmer, entrepreneur, and convicted murderer... Prior to his incarceration, Reiser created the ReiserFS computer file system, which may be used by the Linux kernel but which is now scheduled for removal in 2025, as well as its attempted successor, Reiser4."

This week alanw (Slashdot reader #1,822), spotted a development on the Linux kernel mailing list. "Hans Reiser (imprisoned for the murder of his wife) has written a letter, asking it to be published to Slashdot." Reiser writes: I was asked by a kind Fredrick Brennan for my comments that I might offer on the discussion of removing ReiserFS V3 from the kernel. I don't post directly because I am in prison for killing my wife Nina in 2006.

I am very sorry for my crime — a proper apology would be off topic for this forum, but available to any who ask.

A detailed apology for how I interacted with the Linux kernel community, and some history of V3 and V4, are included, along with descriptions of what the technical issues were. I have been attending prison workshops, and working hard on improving my social skills to aid my becoming less of a danger to society. The man I am now would do things very differently from how I did things then.

Click here for the rest of Reiser's introduction, along with a link to the full text of the letter...

The letter is dated November 26, 2023, and ends with an address where Reiser can be mailed. Ars Technica has a good summary of Reiser's lengthy letter from prison — along with an explanation for how it came to be. With the ReiserFS recently considered obsolete and slated for removal from the Linux kernel entirely, Fredrick R. Brennan, font designer and (now regretful) founder of 8chan, wrote to the filesystem's creator, Hans Reiser, asking if he wanted to reply to the discussion on the Linux Kernel Mailing List (LKML). Reiser, 59, serving a potential life sentence in a California prison for the 2006 murder of his estranged wife, Nina Reiser, wrote back with more than 6,500 words, which Brennan then forwarded to the LKML. It's not often you see somebody apologize for killing their wife, explain their coding decisions around balanced trees versus extensible hashing, and suggest that elementary schools offer the same kinds of emotional intelligence curriculum that they've worked through in prison, in a software mailing list. It's quite a document...

It covers, broadly, why Reiser believes his system failed to gain mindshare among Linux users, beyond the most obvious reason. This leads Reiser to detail the technical possibilities, his interpersonal and leadership failings and development, some lingering regrets about dealings with SUSE and Oracle and the Linux community at large, and other topics, including modern Russian geopolitics... Reiser asks that a number of people who worked on ReiserFS be included in "one last release" of the README, and to "delete anything in there I might have said about why they were not credited." He says prison has changed him in conflict resolution and with his "tendency to see people in extremes...."

Reiser writes that he understood the difficulty ahead in getting the Linux world to "shift paradigms" but lacked the understanding of how to "make friends and allies of people" who might initially have felt excluded. This is followed by a heady discussion of "balanced trees instead of extensible hashing," Oracle's history with implementing balanced trees, getting synchronicity just right, I/O schedulers, block size, seeks and rotational delays on magnetic hard drives, and tails. It leads up to a crucial decision in ReiserFS' development, the hard non-compatible shift from V3 to Reiser 4. Format changes, Reiser writes, are "unwanted by many for good reasons." But "I just had to fix all these flaws, fix them and make a filesystem that was done right. It's hard to explain why I had to do it, but I just couldn't rest as long as the design was wrong and I knew it was wrong," he writes. SUSE didn't want a format change, but Reiser, with hindsight, sees his pushback as "utterly inarticulate and unsociable." The push for Reiser 4 in the Linux kernel was similar, "only worse...."

He encourages people to "allow those who worked so hard to build a beautiful filesystem for the users to escape the effects of my reputation." Under a "Conclusion" sub-heading, Reiser is fairly succinct in summarizing a rather wide-ranging letter, minus the minutiae about filesystem architecture.

I wish I had learned the things I have been learning in prison about talking through problems, and believing I can talk through problems and doing it, before I had married or joined the LKML. I hope that day when they teach these things in Elementary School comes.

I thank Richard Stallman for his inspiration, software, and great sacrifices,

It has been an honor to be of even passing value to the users of Linux. I wish all of you well.



It both is and is not a response to Brennan's initial prompt, asking how he felt about ReiserFS being slated for exclusion from the Linux kernel. There is, at the moment, no reply to the thread started by Brennan.

Government

US Government Opens 22 Million Acres of Federal Lands To Solar 106

An anonymous reader quotes a report from Electrek: The Biden administration has updated the roadmap for solar development to 22 million acres of federal lands in the US West. The Bureau of Land Management (BLM) and the Department of Energy's National Renewable Energy Laboratory have determined that 700,000 acres of federal lands will be needed for solar farms over the next 20 years, so BLM recommended 22 million acres to give "maximum flexibility" to help the US reach its net zero by 2035 power sector goal. The plan is an update of the Bureau of Land Management's 2012 Western Solar Plan, which originally identified areas for solar development in six states -- Arizona, California, Colorado, Nevada, New Mexico, and Utah.

The updated roadmap refines the analysis in the original six states and expands to five more states -- Idaho, Montana, Oregon, Washington, and Wyoming. It also focuses on lands within 10 miles of existing or planned transmission lines and moves away from lands with sensitive resources. [...] BLM under the Biden administration has approved 47 clean energy projects and permitted 11,236 megawatts (MW) of wind, solar, and geothermal energy on public lands, enough to power more than 3.5 million homes.
Ben Norris, vice president of regulatory affairs at the Solar Energy Industries Association (SEIA), said in response to BLM's announced Western Solar Plan updates: "The proposal ... identifies 200,000 acres of land near transmission infrastructure, helping to correct an important oversight and streamline solar development. Under the current policy, there are at least 80 million acres of federal lands open to oil and gas development, which is 100 times the amount of public land available for solar. BLM's proposal is a big step in the right direction and recognizes the key role solar plays in our energy economy."
Security

Microsoft Executive Emails Hacked By Russian Intelligence Group, Company Says (cnbc.com) 25

In a regulatory filing today, Microsoft said that a Russian intelligence group hacked into some of the company's top executives' email accounts. CNBC reports: Nobelium, the same group that breached government supplier SolarWinds in 2020, carried out the attack, which Microsoft detected last week, according to the company. The announcement comes after new U.S. requirements for disclosing cybersecurity incidents went into effect. A Microsoft spokesperson said that while the company does not believe the attack had a material impact, it still wanted to honor the spirit of the rules.

In late November, the group accessed "a legacy non-production test tenant account," Microsoft's Security Response Center wrote in the blog post. After gaining access, the group "then used the account's permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents," the corporate unit wrote. The company's senior leadership team, including finance chief Amy Hood and president Brad Smith, regularly meets with CEO Satya Nadella. Microsoft said it has not found signs that Nobelium had accessed customer data, production systems or proprietary source code.

The U.S. government and Microsoft consider Nobelium to be part of the Russian foreign intelligence service SVR. The hacking group was responsible for one of the most prolific breaches in U.S. history when it added malicious code to updates to SolarWinds' Orion software, which some U.S. government agencies were using. Microsoft itself was ensnared in the hack. Nobelium, also known as APT29 or Cozy Bear, is a sophisticated hacking group that has attempted to breach the systems of U.S. allies and the Department of Defense. Microsoft also uses the name Midnight Blizzard to identify Nobelium. It was also implicated alongside another Russian hacking group in the 2016 breach of the Democratic National Committee's systems.

Crime

Crime Rings Are Trafficking in an Unlikely Treasure: Sand 53

Organized crime is mining sand from rivers and coasts to feed demand worldwide, ruining ecosystems and communities. Can it be stopped? Scientific American reports: Very few people are looking closely at the illegal sand system or calling for changes, however, because sand is a mundane resource. Yet sand mining is the world's largest extraction industry because sand is a main ingredient in concrete, and the global construction industry has been soaring for decades. Every year the world uses up to 50 billion metric tons of sand, according to a United Nations Environment Program report. The only natural resource more widely consumed is water. A 2022 study by researchers at the University of Amsterdam concluded that we are dredging river sand at rates that far outstrip nature's ability to replace it, so much so that the world could run out of construction-grade sand by 2050. The U.N. report confirms that sand mining at current rates is unsustainable.

The greatest demand comes from China, which used more cement in three years (6.6 gigatons from 2011 through 2013) than the U.S. used in the entire 20th century (4.5 gigatons), notes Vince Beiser, author of The World in a Grain. Most sand gets used in the country where it is mined, but with some national supplies dwindling, imports reached $1.9 billion in 2018, according to Harvard's Atlas of Economic Complexity. Companies large and small dredge up sand from waterways and the ocean floor and transport it to wholesalers, construction firms and retailers. Even the legal sand trade is hard to track. Two experts estimate the global market at about $100 billion a year, yet the U.S. Geological Survey Mineral Commodity Summaries indicates the value could be as high as $785 billion.

Sand in riverbeds, lake beds and shorelines is the best for construction, but scarcity opens the market to less suitable sand from beaches and dunes, much of it scraped illegally and cheaply. With a shortage looming and prices rising, sand from Moroccan beaches and dunes is sold inside the country and is also shipped abroad, using organized crime's extensive transport networks, Abderrahmane has found. More than half of Morocco's sand is illegally mined, he says.
Bitcoin

'Stablecoins' Enabled $40 Billion In Crypto Crime Since 2022 (wired.com) 21

An anonymous reader quotes a report from Wired: Stablecoins, cryptocurrencies pegged to a stable value like the US dollar, were created with the promise of bringing the frictionless, border-crossing fluidity of Bitcoin to a form of digital money with far less volatility. That combination has proved to be wildly popular, rocketing the total value of stablecoin transactions since 2022 past even that of Bitcoin itself. It turns out, however, that as stablecoins have become popular among legitimate users over the past two years, they were even more popular among a different kind of user: those exploiting them for billions of dollars of international sanctions evasion and scams.

As part of its annual crime report, cryptocurrency-tracing firm Chainalysis today released new numbers on the disproportionate use of stablecoins for both of those massive categories of illicit crypto transactions over the last year. By analyzing blockchains, Chainalysis determined that stablecoins were used in fully 70 percent of crypto scam transactions in 2023, 83 percent of crypto payments to sanctioned countries like Iran and Russia, and 84 percent of crypto payments to specifically sanctioned individuals and companies. Those numbers far outstrip stablecoins' growing overall use -- including for legitimate purposes -- which accounted for 59 percent of all cryptocurrency transaction volume in 2023.

In total, Chainalysis measured $40 billion in illicit stablecoin transactions in 2022 and 2023 combined. The largest single category of that stablecoin-enabled crime was sanctions evasion. In fact, across all cryptocurrencies, sanctions evasion accounted for more than half of the $24.2 billion in criminal transactions Chainalysis observed in 2023, with stablecoins representing the vast majority of those transactions. [...] Chainalysis concedes that the analysis in its report excludes some cryptocurrencies like Monero and Zcash that are designed to be harder or impossible to trace with blockchain analysis. It also says it based its numbers on the type of cryptocurrency sent directly to an illicit actor, which may leave out other currencies used in money laundering processes that repeatedly swap one type of cryptocurrency for another to make tracing more difficult.
"Whether it's an individual located in Iran or a bad guy trying to launder money -- either way, there's a benefit to the stability of the US dollar that people are looking to obtain," says Andrew Fierman, Chainalysis' head of sanctions strategy. "If you're in a jurisdiction where you don't have access to the US dollar due to sanctions, stablecoins become an interesting play."

Fierman points to Nobitex, the largest cryptocurrency exchange operating in the sanctioned country of Iran, as well as Garantex, a notorious exchange based in Russia that has been specifically sanctioned for its widespread criminal use. According to Chainalysis, "Stablecoin usage on Nobitex outstrips bitcoin by a 9:1 ratio, and on Garantex by a 5:1 ratio," reports Wired. "That's a stark difference from the roughly 1:1 ratio between stablecoins and bitcoins on a few nonsanctioned mainstream exchanges that Chainalysis checked for comparison."
Space

US Must Beat China Back To the Moon, Congress Tells NASA (space.com) 114

With NASA's Artemis moon program now targeting September 2025 for its Artemis 2 mission and September 2026 for Artemis 3, some members of Congress are concerned about the potential repercussions, particularly with China's growing ambitions in lunar exploration. "For the United States and its partners not to be on the moon when others are on the moon is unacceptable," said Mike Griffin, former NASA administrator. "We need a program that is consistent with that theme. Artemis is not that program. We need to restart it, not keep it on track." Space.com reports: The U.S. House of Representatives' Committee on Science, Space and Technology held a hearing about the new Artemis plan today (Jan. 17), and multiple members voiced concern about the slippage. "I remind my colleagues that we are not the only country interested in sending humans to the moon," Committee Chairman Frank Lucas (R-OK) said in his opening remarks. "The Chinese Communist Party is actively soliciting international partners for a lunar mission -- a lunar research station -- and has stated its ambition to have human astronauts on the surface by 2030," he added. "The country that lands first will have the ability to set a precedent for whether future lunar activities are conducted with openness and transparency, or in a more restricted manner."

The committee's ranking member, California Democrat Zoe Lofgren (D-CA), voiced similar sentiments. "Let me be clear: I support Artemis," she said in her opening remarks. "But I want it to be successful, especially with China at our heels. And we want to be helpful here in the committee in ensuring that Artemis is strong and staying on track as we look to lead the world, hand-in-hand with our partners, in the human exploration of the moon and beyond." Several other committee members stressed that the new moon race is part of a broader competition with China, and that coming in second could imperil U.S. national security.

"It's no secret that China has a goal to surpass the United States by 2045 as global leaders in space. We can't allow this to happen," Rich McCormick (R-GA) said during the hearing. "I think the leading edge that we have in space technology will protect the United States -- not just the economy, but technologies that can benefit humankind." And Bill Posey (R-FL) referred to space as the "ultimate military high ground," saying that whoever leads in the final frontier "will control the destiny of this Earth."

Privacy

Have I Been Pwned Adds 71 Million Emails From Naz.API Stolen Account List (bleepingcomputer.com) 17

An anonymous reader quotes a report from BleepingComputer: Have I Been Pwned has added almost 71 million email addresses associated with stolen accounts in the Naz.API dataset to its data breach notification service. The Naz.API dataset is a massive collection of 1 billion credentials compiled using credential stuffing lists and data stolen by information-stealing malware. Credential stuffing lists are collections of login name and password pairs stolen from previous data breaches that are used to breach accounts on other sites.

Information-stealing malware attempts to steal a wide variety of data from an infected computer, including credentials saved in browsers, VPN clients, and FTP clients. This type of malware also attempts to steal SSH keys, credit cards, cookies, browsing history, and cryptocurrency wallets. The stolen data is collected in text files and images, which are stored in archives called "logs." These logs are then uploaded to a remote server to be collected later by the attacker. Regardless of how the credentials are stolen, they are then used to breach accounts owned by the victim, sold to other threat actors on cybercrime marketplaces, or released for free on hacker forums to gain reputation amongst the hacking community.

The Naz.API is a dataset allegedly containing over 1 billion lines of stolen credentials compiled from credential stuffing lists and from information-stealing malware logs. It should be noted that while the Naz.API dataset name includes the word "Naz," it is not related to network attached storage (NAS) devices. This dataset has been floating around the data breach community for quite a while but rose to notoriety after it was used to fuel an open-source intelligence (OSINT) platform called illicit.services. This service allows visitors to search a database of stolen information, including names, phone numbers, email addresses, and other personal data. The service shut down in July 2023 out of concerns it was being used for doxxing and SIM-swapping attacks. However, the operator enabled the service again in September. Illicit.services uses data from various sources, but one of its largest sources of data came from the Naz.API dataset, which was shared privately among a small number of people. Each line in the Naz.API data consists of a login URL, its login name, and an associated password stolen from a person's device.

"Here's the back story: this week I was contacted by a well-known tech company that had received a bug bounty submission based on a credential stuffing list posted to a popular hacking forum," explained Troy Hunt, the creator of Have I Been Pwned, in a blog post. "Whilst this post dates back almost 4 months, it hadn't come across my radar until now and inevitably, also hadn't been sent to the aforementioned tech company."

"They took it seriously enough to take appropriate action against their (very sizeable) user base which gave me enough cause to investigate it further than your average cred stuffing list."

To check if your credentials are in the Naz.API dataset, you can visit Have I Been Pwned.
Privacy

Mobile Device Ambient Light Sensors Can Be Used To Spy On Users (ieee.org) 11

"The ambient light sensors present in most mobile devices can be accessed by software without any special permissions, unlike permissions required for accessing the microphone or the cameras," writes longtime Slashdot reader BishopBerkeley. "When properly interrogated, the data from the light sensor can reveal much about the user." IEEE Spectrum reports: While that may not seem to provide much detailed information, researchers have already shown these sensors can detect light intensity changes that can be used to infer what kind of TV programs someone is watching, what websites they are browsing or even keypad entries on a touchscreen. Now, [Yang Liu, a PhD student at MIT] and colleagues have shown in a paper in Science Advances that by cross-referencing data from the ambient light sensor on a tablet with specially tailored videos displayed on the tablet's screen, it's possible to generate images of a user's hands as they interact with the tablet. While the images are low-resolution and currently take impractically long to capture, he says this kind of approach could allow a determined attacker to infer how someone is using the touchscreen on their device. [...]

"The acquisition time in minutes is too cumbersome to launch simple and general privacy attacks on a mass scale," says Lukasz Olejnik, an independent security researcher and consultant who has previously highlighted the security risks posed by ambient light sensors. "However, I would not rule out the significance of targeted collections for tailored operations against chosen targets." But he also points out that, following his earlier research, the World Wide Web Consortium issued a new standard that limited access to the light sensor API, which has already been adopted by browser vendors.

Liu notes, however, that there are still no blanket restrictions for Android apps. In addition, the researchers discovered that some devices directly log data from the light sensor in a system file that is easily accessible, bypassing the need to go through an API. The team also found that lowering the resolution of the images could bring the acquisition times within practical limits while still maintaining enough detail for basic recognition tasks. Nonetheless, Liu agrees that the approach is too complicated for widespread attacks. And one saving grace is that it is unlikely to ever work on a smartphone as the displays are simply too small. But Liu says their results demonstrate how seemingly harmless combinations of components in mobile devices can lead to surprising security risks.
