Security

10-Year-Old Open Source Flaw Could Affect 'Almost Every Apple Device' (thecyberexpress.com)

storagedude shares a report from the Cyber Express: Some of the most widely used web and social media applications could be vulnerable to three newly discovered CocoaPods vulnerabilities -- including potentially millions of Apple devices, according to a report by The Cyber Express, the news service of threat intelligence vendor Cyble Inc. E.V.A Information Security researchers reported three vulnerabilities in the open source CocoaPods dependency manager that could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and macOS applications, potentially affecting "almost every Apple device." The researchers found vulnerable code in applications provided by Meta (Facebook, WhatsApp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more.

The vulnerabilities have been patched, yet the researchers still found 685 Pods "that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases." The newly discovered vulnerabilities -- one of which (CVE-2024-38366) received a 10 out of 10 criticality score -- actually date from a May 2014 CocoaPods migration to a new 'Trunk' server, which left 1,866 orphaned pods that owners never reclaimed. While the vulnerabilities have been patched, the work for developers and DevOps teams that used CocoaPods before October 2023 is just getting started. "Developers and DevOps teams that have used CocoaPods in recent years should verify the integrity of open source dependencies used in their application code," the E.V.A researchers said. "The vulnerabilities we discovered could be used to control the dependency manager itself, and any published package." [...] "Dependency managers are an often-overlooked aspect of software supply chain security," the researchers wrote. "Security leaders should explore ways to increase governance and oversight over the use of these tools."
"While there is no direct evidence of any of these vulnerabilities being exploited in the wild, evidence of absence is not absence of evidence," the EVA researchers wrote. "Potential code changes could affect millions of Apple devices around the world across iPhone, Mac, AppleTV, and AppleWatch devices."

While the server-side fixes require no action by app developers or users, the EVA researchers recommend several ways to protect against this class of problem. To ensure secure and consistent use of CocoaPods, commit the Podfile.lock file and keep it synchronized across all developers, perform CRC (checksum) validation for internally developed Pods, and conduct thorough security reviews of third-party code and dependencies. Furthermore, regularly review and verify the maintenance status and ownership of CocoaPods dependencies, perform periodic security scans, and treat widely used dependencies as likely attack targets.
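The lockfile and checksum recommendations above can be turned into a CI check. The following is an added example, not code from E.V.A or from the CocoaPods project: it parses the SPEC REPOS and SPEC CHECKSUMS sections of a Podfile.lock (the real lockfile layout, but the lockfile, baseline digests and pod names here are constructed), compares each resolved podspec checksum against a baseline the team committed alongside the lockfile, and flags internally developed pods that resolved from the public trunk repo instead of the private spec repo they are supposed to come from, which is exactly the resolution an orphaned-pod or name-squatting takeover would produce.

```python
"""Audit a CocoaPods Podfile.lock against a committed checksum baseline.

Added example: flags podspec checksum drift, dependencies missing from the
baseline, and internal pods that resolved from the public 'trunk' repo.
All lockfile content, digests and pod names below are constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Top-level lockfile sections are unindented, upper-case and end in ':'.
# 'PODFILE CHECKSUM' and 'COCOAPODS' carry their value on the same line.
_SECTION_RE = re.compile(r"^([A-Z][A-Z ]+):\s*(.*)$")


def parse_podfile_lock(text: str) -> Dict[str, List[str]]:
    """Split a Podfile.lock into {section name: [raw indented lines]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        match = _SECTION_RE.match(line)
        if match and not line.startswith(" "):
            current = match.group(1)
            sections[current] = [match.group(2)] if match.group(2) else []
        elif current is not None:
            sections[current].append(line)
    return sections


def spec_checksums(sections: Dict[str, List[str]]) -> Dict[str, str]:
    """Map pod name -> checksum CocoaPods recorded for the resolved podspec."""
    out: Dict[str, str] = {}
    for line in sections.get("SPEC CHECKSUMS", []):
        name, _, digest = line.strip().partition(":")
        out[name.strip()] = digest.strip()
    return out


def spec_repos(sections: Dict[str, List[str]]) -> Dict[str, str]:
    """Map pod name -> spec repo it resolved from ('trunk' or a private URL)."""
    out: Dict[str, str] = {}
    repo = None
    for line in sections.get("SPEC REPOS", []):
        item = line.strip()
        if item.endswith(":"):            # repo header, e.g. trunk: or "https://...":
            repo = item[:-1].strip('"')
        elif item.startswith("- ") and repo is not None:
            out[item[2:].strip()] = repo
    return out


Finding = Tuple[str, str, str]  # (pod, kind, detail)


def audit(lock_text: str, baseline: Dict[str, str], internal_pods: Iterable[str]) -> List[Finding]:
    """Compare the lockfile with the committed baseline; return findings sorted by pod."""
    sections = parse_podfile_lock(lock_text)
    checksums, repos, internal = spec_checksums(sections), spec_repos(sections), set(internal_pods)
    findings: List[Finding] = []
    for pod, digest in sorted(checksums.items()):
        expected = baseline.get(pod)
        if expected is None:
            findings.append((pod, "not-in-baseline", "new dependency; review before trusting"))
        elif expected != digest:
            findings.append((pod, "checksum-drift", f"baseline {expected[:8]} != lock {digest[:8]}"))
        if pod in internal and repos.get(pod) == "trunk":
            findings.append((pod, "internal-from-public", "internal pod resolved from public trunk"))
    return findings


# Constructed lockfile: SDWebImage's podspec changed, Sentry is new, and the
# internal pod InternalKit resolved from trunk instead of the private repo.
SAMPLE_LOCK = """\
PODS:
  - AFNetworking (4.0.1)
  - InternalKit (2.3.0):
    - AFNetworking (~> 4.0)
  - SDWebImage (5.18.0)
  - Sentry (8.20.0)

SPEC REPOS:
  trunk:
    - AFNetworking
    - InternalKit
    - SDWebImage
    - Sentry

SPEC CHECKSUMS:
  AFNetworking: 7864c38297c79aaca1500c33288e429c3451fdce
  InternalKit: 0b2f6c1d9a5e4f3c8d7b6a5f4e3d2c1b0a9f8e7d
  SDWebImage: 9a1bb4ef0c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f
  Sentry: 5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d

PODFILE CHECKSUM: 3f2a1c0b9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a

COCOAPODS: 1.15.2
"""

# Constructed baseline, as if committed to the repo at the last review.
BASELINE = {
    "AFNetworking": "7864c38297c79aaca1500c33288e429c3451fdce",
    "InternalKit": "0b2f6c1d9a5e4f3c8d7b6a5f4e3d2c1b0a9f8e7d",
    "SDWebImage": "c0ffee00aa11bb22cc33dd44ee55ff6677889900",
}
INTERNAL_PODS = {"InternalKit"}

if __name__ == "__main__":
    for pod, kind, detail in audit(SAMPLE_LOCK, BASELINE, INTERNAL_PODS):
        print(f"{kind:22s} {pod}: {detail}")
```

Run it in CI after `pod install` and fail the build on any finding; a checksum-drift finding with no corresponding Podfile change is the signal that a podspec was republished under an existing name, which is the takeover scenario the researchers describe, and an internal-from-public finding means a private pod name has been claimed on trunk and the private spec repo must be pinned explicitly in the Podfile.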
Crime

Alzheimer's Scientist Indicted For Allegedly Falsifying Data In $16 Million Scheme (arstechnica.com)

"A federal grand jury has indicted an embattled Alzheimer's researcher for allegedly falsifying data to fraudulently obtain $16 million in federal research funding from the National Institutes of Health for the development of a controversial Alzheimer's drug and diagnostic test," writes Beth Mole via Ars Technica. "Wang is charged with one count of major fraud against the United States, two counts of wire fraud, and one count of false statements. If convicted, he faces a maximum penalty of 10 years in prison for the major fraud charge, 20 years in prison for each count of wire fraud, and five years in prison for the count of false statements [...]." From the report: Hoau-Yan Wang, 67, a medical professor at the City University of New York, was a paid collaborator with the Austin, Texas-based pharmaceutical company Cassava Sciences. Wang's research and publications provided scientific underpinnings for Cassava's Alzheimer's treatment, Simufilam, which is now in Phase III trials. Simufilam is a small-molecule drug that Cassava claims can restore the structure and function of a scaffolding protein in the brain of people with Alzheimer's, leading to slowed cognitive decline. But outside researchers have long expressed doubts and concerns about the research.

In 2023, Science magazine obtained a 50-page report from an internal investigation at CUNY that looked into 31 misconduct allegations made against Wang in 2021. According to the report, the investigating committee "found evidence highly suggestive of deliberate scientific misconduct by Wang for 14 of the 31 allegations," the report states. The allegations largely centered around doctored and fabricated images from Western blotting, an analytical technique used to separate and detect proteins. However, the committee couldn't conclusively prove the images were falsified "due to the failure of Dr. Wang to provide underlying, original data or research records and the low quality of the published images that had to be examined in their place." In all, the investigation "revealed long-standing and egregious misconduct in data management and record keeping by Dr. Wang," and concluded that "the integrity of Dr. Wang's work remains highly questionable." The committee also concluded that Cassava's lead scientist on its Alzheimer's disease program, Lindsay Burns, who was a frequent co-author with Wang, also likely bears some responsibility for the misconduct.

In March 2022, five of Wang's articles published in the journal PLOS One were retracted over integrity concerns with images in the papers. Other papers by Wang have also been retracted or had statements of concern attached to them. Further, in September 2022, the Food and Drug Administration conducted an inspection of the analytical work and techniques used by Wang to analyze blood and cerebrospinal fluid from patients in a simufilam trial. The investigation found a slew of egregious problems, which were laid out in a "damning" report (PDF) obtained by Science. In the indictment last week (PDF), federal authorities were explicit about the allegations, claiming that Wang falsified the results of his scientific research to NIH "by, among other things, manipulating data and images of Western blots to artificially add bands [which represent proteins], subtract bands, and change their relative thickness and/or darkness, and then drawing conclusions" based on those false results.

Microsoft

Microsoft Tells Yet More Customers Their Emails Have Been Stolen (theregister.com)

Microsoft revealed that the Russian hackers who breached its systems earlier this year stole more emails than initially reported. "We are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor, and we are providing the customers the email correspondence that was accessed by this actor," a Microsoft spokesperson told Bloomberg (paywalled). "This is increased detail for customers who have already been notified and also includes new notifications." The Register reports: We've been aware for some time that the digital Russian break-in at the Windows maker saw Kremlin spies make off with source code, executive emails, and sensitive U.S. government data. Reports last week revealed that the issue was even larger than initially believed and additional customers' data has been stolen. Along with Russia, Microsoft was also compromised by state actors from China not long ago, and that issue similarly led to the theft of emails and other data belonging to senior U.S. government officials.

Both incidents have led experts to call Microsoft a threat to U.S. national security, and President Brad Smith to issue a less-than-reassuring mea culpa to Congress. All the while, the U.S. government has actually invested more in its Microsoft kit. Bloomberg reported that emails being sent to affected Microsoft customers include a link to a secure environment where customers can visit a site to review messages Microsoft identified as having been compromised. But even that might not have been the most security-conscious way to notify folks: Several thought they were being phished.

The Courts

'Roaring Kitty' Is Sued For Alleged GameStop Manipulation (reuters.com)

Keith Gill, the investor known as "Roaring Kitty" online, is being sued by GameStop investors for helping spur the meme stock mania of 2021. The plaintiffs said they lost money through his "pump-and-dump" scheme, which led to a "short squeeze" that caused losses for hedge funds betting stock prices would fall. Reuters reports: A proposed class action accusing Gill of securities fraud was filed on Friday in the Brooklyn, New York federal court. Investors led by Martin Radev, who lives in the Las Vegas area, said Gill manipulated GameStop securities between May 13 and June 13 by quietly accumulating large quantities of stock and call options, and then dumping some holdings after emerging from a three-year social media hiatus. They said Gill's activities caused GameStop's share price to gyrate wildly, generating "millions of dollars" in profit for him at their expense. "Defendant still enjoys celebrity status and commands a following of millions through his social media accounts," the complaint said. "Accordingly, Defendant was well aware of his ability to manipulate the market for GameStop securities, as well as the benefits he could reap."

He had on May 12 posted a cryptic meme on the social media platform X that was widely seen as a bullish signal for GameStop, whose stock he cheerleaded in 2021. GameStop's share price more than tripled over the next two days, but gave back nearly all the gains by May 24. On June 2, Gill revealed that he owned 5 million GameStop shares and 120,000 call options, and on June 13 revealed he had shed the call options but owned 9 million GameStop shares. Investors said the truth about Gill's investing became known on June 3 when the Wall Street Journal wrote about the timing of his options trades and said the online brokerage E*Trade considered kicking him off its platform.

Government

'Julian Assange Should Not Have Been Prosecuted In the First Place' (theguardian.com)

An anonymous reader quotes an op-ed written by Kenneth Roth, former executive director of Human Rights Watch (1993-2022) and a visiting professor at Princeton's School of Public and International Affairs: Julian Assange's lengthy detention has finally ended, but the danger that his prosecution poses to the rights of journalists remains. As is widely known, the U.S. government's pursuit of Assange under the Espionage Act threatens to criminalize common journalistic practices. Sadly, Assange's guilty plea and release from custody have done nothing to ease that threat. That Assange was indicted under the Espionage Act, a U.S. law designed to punish spies and traitors, should not be considered the normal course of business. Barack Obama's justice department never charged Assange because it couldn't distinguish what he had done from ordinary journalism. The espionage charges were filed by the justice department of Donald Trump. Joe Biden could have reverted to the Obama position and withdrawn the charges but never did.

The 18-count indictment filed under Trump accused Assange of having solicited secret U.S. government information and encouraged Chelsea Manning to provide it. Manning committed a crime when she delivered that information because she was a government employee who had pledged to safeguard confidential information on pain of punishment. But Assange's alleged solicitation of that information, and the steps he was said to have taken to ensure that it could be transferred anonymously, are common procedure for many journalists who report on national security issues. If these practices were to be criminalized, our ability to monitor government conduct would be seriously compromised. To make matters worse, someone accused under the Espionage Act is not allowed to argue to a jury that disclosures were made in the public interest. The unauthorized disclosure of secret information deemed prejudicial to national security is sufficient for conviction regardless of motive.

To justify Espionage Act charges, the Trump-era prosecutors stressed that Assange was accused of not only soliciting and receiving secret government information but also agreeing to help crack a password that would provide access to U.S. government files. That is not ordinary journalistic behavior. An Espionage Act prosecution for computer hacking is very different from a prosecution for merely soliciting and receiving secret information. Even if it would not withdraw the Trump-era charges, Biden's justice department could have limited the harm to journalistic freedom by ensuring that the alleged computer hacking was at the center of Assange's guilty plea. In fact, it was nowhere to be found. The terms for the proceeding were outlined in a 23-page "plea agreement" filed with the U.S. District Court for the Northern Mariana Islands, where Assange appeared by consent. Assange agreed to plead guilty to a single charge of violating the Espionage Act, but under U.S. law, it is not enough to plead in the abstract. A suspect must concede facts that would constitute an offense.
"One effect of the guilty plea is that there will be no legal challenge to the prosecution, and hence no judicial decision on whether this use of the Espionage Act violates the freedom of the media as protected by the first amendment of the U.S. constitution," notes Roth. "That means that just as prosecutors overreached in the case of Assange, they could do so again."

"[M]edia protections are not limited to journalists who are deemed responsible. Nor do we want governments to make judgments about which journalists deserve First Amendment safeguards. That would quickly compromise media freedom for all journalists."

Roth concludes: "Imperfect journalist that he was, Assange should never have been prosecuted under the Espionage Act. It is unfortunate that the Biden administration didn't take available steps to mitigate that harm."
EU

Meta Defends Charging Fee For Privacy Amid Showdown With EU (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Meta continues to hit walls with its heavily scrutinized plan to comply with the European Union's strict online competition law, the Digital Markets Act (DMA), by offering Facebook and Instagram subscriptions as an alternative for privacy-inclined users who want to opt out of ad targeting. Today, the European Commission (EC) announced preliminary findings that Meta's so-called "pay or consent" or "pay or OK" model -- which gives users a choice to either pay for access to its platforms or give consent to collect user data to target ads -- is not compliant with the DMA. According to the EC, Meta's advertising model violates the DMA in two ways. First, it "does not allow users to opt for a service that uses less of their personal data but is otherwise equivalent to the 'personalized ads-based service." And second, it "does not allow users to exercise their right to freely consent to the combination of their personal data," the press release said.

Now, Meta will have a chance to review the EC's evidence and defend its policy, with today's findings kicking off a process that will take months. The EC's investigation is expected to conclude next March. Thierry Breton, the commissioner for the internal market, said in the press release that the preliminary findings represent "another important step" to ensure Meta's full compliance with the DMA. "The DMA is there to give back to the users the power to decide how their data is used and ensure innovative companies can compete on equal footing with tech giants on data access," Breton said. A Meta spokesperson told Ars that Meta plans to fight the findings -- which could trigger fines up to 10 percent of the company's worldwide turnover, as well as fines up to 20 percent for repeat infringement if Meta loses. The EC agreed that more talks were needed, writing in the press release, "the Commission continues its constructive engagement with Meta to identify a satisfactory path towards effective compliance."
Meta continues to claim that its "subscription for no ads" model was "endorsed" by the highest court in Europe, the Court of Justice of the European Union (CJEU), last year.

"Subscription for no ads follows the direction of the highest court in Europe and complies with the DMA," Meta's spokesperson said. "We look forward to further constructive dialogue with the European Commission to bring this investigation to a close."

Meta rolled out its ad-free subscription service option last November. "Depending on where you purchase it will cost $10.5/month on the web or $13.75/month on iOS and Android," said the company in a blog post. "Regardless of where you purchase, the subscription will apply to all linked Facebook and Instagram accounts in a user's Accounts Center. As is the case for many online subscriptions, the iOS and Android pricing take into account the fees that Apple and Google charge through respective purchasing policies."
The Courts

Supreme Court Orders New Look At Social Media Laws in Texas and Florida (cbsnews.com)

The Supreme Court on Monday ordered lower courts to take another look at a pair of laws from Florida and Texas that imposed restrictions on how social media companies can moderate the content posted to their platforms. From a report: Justice Elena Kagan delivered the court's opinion, which tossed out lower court rulings and sent the two cases back for additional proceedings. The court said neither lower court conducted the proper analysis of the First Amendment challenges to the laws regulating major social media platforms.

"[T]he question in such a case is whether a law's unconstitutional applications are substantial compared to its constitutional ones. To make that judgment, a court must determine a law's full set of applications, evaluate which are constitutional and which are not, and compare the one to the other," Kagan wrote. "Neither court performed that necessary inquiry."

Transportation

Boeing Fraud Violated Fatal MAX Crash Settlement, Says Justice Department, Seeking Guilty Plea on Criminal Charges (yahoo.com)

America's Justice Department "is pushing for Boeing to plead guilty to a criminal charge," reports Reuters, "after finding the planemaker violated a settlement over fatal 737 MAX crashes in 2018 and 2019 that killed 346 people, two people familiar with the matter said on Sunday." Boeing previously paid $2.5 billion as part of the deal with prosecutors that granted the company immunity from criminal prosecution over a fraud conspiracy charge related to the 737 MAX's flawed design. Boeing had to abide by the terms of the deferred prosecution agreement for a three-year period that ended on Jan. 7. Prosecutors would then have been poised to ask a judge to dismiss the fraud conspiracy charge. But in May, the Justice Department found Boeing breached the agreement, exposing the company to prosecution.
A guilty plea could "carry implications for Boeing's ability to enter into government contracts," the article points out, "such as those with the U.S. military that make up a significant portion of its revenue..." The proposal would require Boeing to plead guilty to conspiring to defraud the U.S. Federal Aviation Administration in connection with the fatal crashes, the sources said. The proposed agreement also includes a $487.2 million financial penalty, only half of which Boeing would be required to pay, they added. That is because prosecutors are giving the company credit for a payment it made as part of the previous settlement related to the fatal crashes of the Lion Air and Ethiopian Airlines flights. Boeing could also likely be forced to pay restitution under the proposal's terms, the amount of which will be at a judge's discretion, the sources said.

The offer also contemplates subjecting Boeing to three years of probation, the people said. The plea deal would also require Boeing's board to meet with victims' relatives and impose an independent monitor to audit the company's safety and compliance practices for three years, they said.

"Should Boeing refuse to plead guilty, prosecutors plan to take the company to trial, they said..." the article points out.

"Justice Department officials revealed their decision to victims' family members during a call earlier on Sunday."
United States

Will a US Supreme Court Ruling Put Net Neutrality at Risk? (msn.com)

Today the Wall Street Journal reported that restoring net neutrality to America is "on shakier legal footing after a Supreme Court decision on Friday shifted power away from federal agencies." "It's hard to overstate the impact that this ruling could have on the regulatory landscape in the United States going forward," said Leah Malone, a lawyer at Simpson Thacher & Bartlett. "This could really bind U.S. agencies in their efforts to write new rules." Now that [the "Chevron deference"] is gone, the Federal Communications Commission is expected to have a harder time reviving net neutrality — a set of policies barring internet-service providers from assigning priority to certain web traffic...

The Federal Communications Commission reclassified internet providers as public utilities under the Communications Act. There are pending court cases challenging the FCC's reinterpretation of that 1934 law, and the demise of Chevron deference heightens the odds of the agency losing in court, some legal experts said. "Chevron's thumb on the scale in favor of the agencies was crucial to their chances of success," said Geoffrey Manne, president of the International Center for Law and Economics. "Now that that's gone, their claims are significantly weaker."

Other federal agencies could also be affected, according to the article. The ruling could also make it harder for America's Environmental Protection Agency to crack down on power-plant pollution. And the Federal Trade Commission faces more trouble in court defending its recent ban on noncompete agreements. Lawyer Daniel Jarcho tells the Journal that the Court's decision "will unquestionably lead to more litigation challenging federal agency actions, and more losses for federal agencies."

Friday a White House press secretary issued a statement calling the court's decision "deeply troubling," and arguing that the court had "decided in the favor of special interests".
The Almighty Buck

Colorado's Universal Basic Income Experiment Gets Surprising Results (coloradosun.com)

In November of 2022, "More than 800 people were selected to participate in the Denver Basic Income Project," reports the Colorado Sun, "while they were living on the streets, in shelters, on friends' couches or in vehicles."

One group received $1,000 a month, according to the article, while a second group received $6,500 in the first month, and then $500 for the next 11 months. (And a "control" group received $50 a month.) Amazingly, about 45% of participants in all three groups "were living in a house or apartment that they rented or owned by the study's 10-month check-in point, according to the research." The number of nights spent in shelters among participants in the first and second groups decreased by half. And participants in those two groups reported an increase in full-time work, while the control group reported decreased full-time employment. The project also saved tax dollars, according to the report. Researchers tallied an estimated $589,214 in savings on public services, including ambulance rides, visits to hospital emergency departments, jail stays and shelter nights...

The study, which began in November 2022 with payments to the first group of participants, has been extended for an additional eight months, until September, and organizers are attempting to raise money to extend it further.

The Courts

Lawsuit Claims Microsoft Tracked Sex Toy Shoppers With 'Recording In Real Time' Software (404media.co)

Samantha Cole reports via 404 Media: A woman is suing Microsoft and two major U.S. sex toy retailers with claims that their websites are tracking users without their consent, despite promising they wouldn't do that. In a complaint (PDF) filed on June 25 in the Northern District of California, San Francisco resident Stella Tatola claims that Babeland and Good Vibrations -- both owned by Barnaby Ltd., LLC -- allowed Microsoft to see what visitors to their websites searched for and bought.

"Unbeknownst to Plaintiff and other Barnaby website users, and constituting the ultimate violation of privacy, Barnaby allows an undisclosed third-party, Microsoft, to intercept, read, and utilize for commercial gain consumers' private information about their sexual practices and preferences, gleaned from their activity on Barnaby's websites," the complaint states. "This information includes but is not limited to product searches and purchase initiations, as well as the consumer's unique Microsoft identifier." The complaint claims that Good Vibrations and Babeland sites have installed trackers using Microsoft's Clarity software, which does "recording in real time," and tracks users' mouse movements, clicks or taps, scrolls, and site navigation. Microsoft says on the Clarity site that it "processes a massive amount of anonymous data around user behavior to gain insights and improve machine learning models that power many of our products and services."

"By allowing undisclosed third party Microsoft to eavesdrop and intercept users' PPSI in such a manner -- including their sexual orientation, preferences, and desires, among other highly sensitive, protected information -- Barnaby violates its Privacy Policies, which state it will never share such information with third parties," the complaint states. The complaint includes screenshots of code from the sexual health sites that claims to show them using Machine Unique Identifier ("MUID") cookies that "identifies unique web browsers visiting Microsoft sites," according to Microsoft, and are used for "advertising, site analytics, and other operational purposes." The complaint claims that this violates the California Invasion of Privacy Act, the Federal Wiretap Act, and Californians' reasonable expectation of privacy.

Books

Appeals Court Seems Lost On How Internet Archive Harms Publishers (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: The Internet Archive (IA) went before a three-judge panel Friday to defend its open library's controlled digital lending (CDL) practices after book publishers last year won a lawsuit claiming that the archive's lending violated copyright law. In the weeks ahead of IA's efforts to appeal that ruling, IA was forced to remove 500,000 books from its collection, shocking users. In an open letter to publishers, more than 30,000 readers, researchers, and authors begged for access to the books to be restored in the open library, claiming the takedowns dealt "a serious blow to lower-income families, people with disabilities, rural communities, and LGBTQ+ people, among many others," who may not have access to a local library or feel "safe accessing the information they need in public."

During a press briefing following arguments in court Friday, IA founder Brewster Kahle said that "those voices weren't being heard." Judges appeared primarily focused on understanding how IA's digital lending potentially hurts publishers' profits in the ebook licensing market, rather than on how publishers' costly ebook licensing potentially harms readers. However, lawyers representing IA -- Joseph C. Gratz, from the law firm Morrison Foerster, and Corynne McSherry, from the nonprofit Electronic Frontier Foundation -- confirmed that judges were highly engaged by IA's defense. Arguments that were initially scheduled to last only 20 minutes stretched on instead for an hour and a half. Ultimately, judges decided not to rule from the bench, with a decision expected in the coming months or potentially next year. McSherry said the judges' engagement showed that the judges "get it" and won't make the decision without careful consideration of both sides.

"They understand this is an important decision," McSherry said. "They understand that there are real consequences here for real people. And they are taking their job very, very seriously. And I think that's the best that we can hope for, really." On the other side, the Association of American Publishers (AAP), the trade organization behind the lawsuit, provided little insight into how the day went. When reached for comment, AAP simply said, "We thought it was a strong day in court, and we look forward to the opinion." [...] "There is no deadline for them to make a decision," Gratz said, but it "probably won't happen until early fall" at the earliest. After that, whichever side loses will have an opportunity to appeal the case, which has already stretched on for four years, to the Supreme Court. Since neither side seems prepared to back down, the Supreme Court eventually weighing in seems inevitable.

Crime

Nearly 4,000 Arrested In Global Police Crackdown On Online Scam Networks (therecord.media)

According to Interpol, nearly 4,000 people around the world have been arrested for a variety of online crimes, with $257 million in assets seized. The Record reports: The operation, dubbed First Light, was conducted by police officers from 61 countries and targeted phishing, investment fraud, fake online shopping sites, romance scams, and impersonation scams, according to a statement by Interpol. In addition to arresting thousands of potential cybercriminals, the police also identified over 14,600 other possible suspects across all continents.

During the searches, law enforcement seized suspects' real estate, high-end vehicles, expensive jewelry, and many other high-value items and collections. They also froze 6,745 bank accounts used for transferring money obtained through illegal operations. In one case, the police intercepted $331,000 gleaned from a business email compromise fraud involving a Spanish victim who unknowingly transferred money to someone in Hong Kong. In another case, authorities in Australia successfully recovered $3.7 million on behalf of an impersonation scam victim after the funds were fraudulently transferred to bank accounts in Malaysia and Hong Kong.

The criminal networks identified during the operation were spread around the globe. In Namibia, for example, the police rescued 88 local youths who were forced into conducting scams as part of a sophisticated international crime network, according to Interpol. Law enforcement from Singapore, Hong Kong, and China prevented an attempted tech support scam, saving a 70-year-old victim from losing $281,200 worth of savings.

The Courts

Supreme Court Ruling Kneecaps Federal Regulators (theverge.com)

The Supreme Court on Friday overturned a long-standing legal doctrine in the US, making a transformative ruling that could hamper federal agencies' ability to regulate all kinds of industry. The Verge adds: Six Republican-appointed justices voted to overturn the doctrine, called Chevron deference, a decision that could affect everything from pollution limits to consumer protections in the US.

Chevron deference allows courts to defer to federal agencies when there are disputes over how to interpret ambiguous language in legislation passed by Congress. That's supposed to lead to more informed decisions by leaning on expertise within those agencies. By overturning the Chevron doctrine, the conservative-dominated SCOTUS decided that judges ought to make the call instead of agency experts.

The Courts

SEC Sues ConsenSys (coindesk.com)

The SEC sued Ethereum software provider ConsenSys over its MetaMask service on Friday, alleging the wallet product was an unregistered broker that "engaged in the offer and sale of securities." From a report: MetaMask also offered an unregistered securities program through its staking service, the SEC alleged in a filing in the courthouse in the Eastern District of New York. The SEC alleged in its lawsuit that it offered staking services for Lido and Rocket Pool as investment contracts, meaning they are also unregistered securities. "Consensys has collected over $250 million in fees," the SEC alleged. You can read the full lawsuit here [PDF].

Privacy

Amazon Is Investigating Perplexity Over Claims of Scraping Abuse (wired.com)

Amazon's cloud arm is investigating Perplexity AI for potential violations of its web services rules, the e-commerce giant told Wired. The startup, backed by Jeff Bezos' family fund and Nvidia, allegedly scraped websites that had explicitly forbidden such access.

Earlier this month, WIRED uncovered evidence of Perplexity using an unmarked IP address to bypass restrictions on major news sites. The company's CEO, Aravind Srinivas, claimed a third-party contractor was responsible but declined to name them.

Microsoft

Microsoft Informs Customers that Russian Hackers Spied on Emails

Russian hackers who broke into Microsoft's systems and spied on staff inboxes earlier this year also stole emails from its customers, the tech giant said on Thursday, around six months after it first disclosed the intrusion. Reuters: The disclosure underscores the breadth of the breach as Microsoft faces increasing regulatory scrutiny over the security of its software and systems against foreign threats. An allegedly Chinese hacking group that separately breached Microsoft last year stole thousands of U.S. government emails. Microsoft said it was also sharing the compromised emails with its customers, but did not say how many customers had been impacted, nor how many emails may have been stolen.

The Courts

The Nation's Oldest Nonprofit Newsroom Is Suing OpenAI and Microsoft (engadget.com)

The Center for Investigative Reporting (CIR), the nation's oldest nonprofit newsroom, sued OpenAI and Microsoft in federal court on Thursday for allegedly using its content to train AI models without consent or compensation. CIR, founded in 1977 in San Francisco, evolved into a multi-platform newsroom with its flagship distribution platform Reveal. In February, it merged with Mother Jones.

"OpenAI and Microsoft started vacuuming up our stories to make their product more powerful, but they never asked for permission or offered compensation, unlike other organizations that license our material," said Monika Bauerlein, CEO of the Center for Investigative Reporting, in a statement. "This free rider behavior is not only unfair, it is a violation of copyright. The work of journalists, at CIR and everywhere, is valuable, and OpenAI and Microsoft know it." Bauerlein said that OpenAI and Microsoft treat the work of nonprofit and independent publishers "as free raw material for their products," and added that such moves by generative AI companies hurt the public's access to truthful information in a "disappearing news landscape." Engadget reports: The CIR's lawsuit, which was filed in Manhattan's federal court, accuses OpenAI and Microsoft, which owns nearly half of the company, of violating the Copyright Act and the Digital Millennium Copyright Act multiple times.

News organizations find themselves at an inflection point with generative AI. While the CIR is joining publishers like The New York Times, New York Daily News, The Intercept, AlterNet and Chicago Tribune in suing OpenAI, other publishers have chosen to strike licensing deals with the company. These deals will allow OpenAI to train its models on archives and ongoing content published by these publishers and cite information from them in responses offered by ChatGPT.

Privacy

Microsoft Blamed For Million-Plus Patient Record Theft At US Hospital Giant (theregister.com)

Brandon Vigliarolo reports via The Register: American healthcare provider Geisinger fears highly personal data on more than a million of its patients has been stolen -- and claimed a former employee at a Microsoft subsidiary is the likely culprit. Geisinger on Monday announced the results of a probe into a November computer security breach, placing the blame on Microsoft-owned Nuance Communications for not cutting off one of its employees' access to corporate files after that person was fired. The Pennsylvania-based healthcare giant uses Nuance as an IT provider. We're told that after the Microsoft-owned entity terminated one of its workers, that staffer two days later may have accessed and taken copies of sensitive records on a huge number of Geisinger patients -- for reasons as yet unknown.

Geisinger -- which says it operates 13 hospitals and has more than 600,000 members -- said it discovered the improper access on November 29, informed Nuance, and the IT supplier immediately cut off the former employee from the healthcare group's data before involving police. "Because it could have impeded their investigation, law enforcement investigators asked Nuance to delay notifying patients of this incident until now," Geisinger claimed, explaining why only now this is coming to light. "The former Nuance employee has been arrested and is facing federal charges." It's not immediately clear if or what charges have been laid -- we've asked Geisinger for details.

Speech recognition firm Nuance performed its own probe, according to Geisinger, and determined that the former employee may have stolen information on a million-plus people. That info would include birth dates, addresses, hospital admission and discharge records, demographic information, and other medical data. The ex-employee didn't swipe insurance or other financial information, the multi-billion-dollar healthcare group stated. "We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges," Geisinger chief privacy officer Jonathan Friesen alleged, adding: "I am sorry that this happened."

Patents

Microsoft's Canceled Xbox Cloud Console Gets Detailed In New Patent (windowscentral.com)

Microsoft's canceled Xbox cloud console, codenamed Keystone, has been detailed in a new patent spotted by Windows Central's Zac Bowden. From the report: Back in 2021, Microsoft announced that it was working on a dedicated streaming device for Xbox Game Pass. That device was later revealed to be codenamed Keystone, which took the form of a streaming box that would sit under your TV, cost a fraction of the price of a normal Xbox, and enable the ability to play Xbox games via the cloud. Unfortunately, it appears Microsoft has since scrapped plans to ship Xbox Keystone due to an inability to bring the price down to a level where it made sense for customers. Xbox CEO Phil Spencer is on record saying the device should have cost around $99 or $129, but the company was unable to achieve this.

Thanks to a patent discovered by Windows Central, we can finally take a closer look at the box Microsoft had conjured up internally. First up, the patent reveals that the console took the form of an even square with a circle shape on top, similar to the black circular vent on an Xbox Series S. The front of the box had the Xbox power button and a USB-A port. Around the back, there were three additional ports: HDMI, Ethernet, and power. On the right side of the console there appears to be an Xbox controller pairing button, and the underside featured a circular "Hello from Seattle" plate that the console sat on, similar to the Xbox Series X. This patent was filed in June 2022, which was around the time when the first details of Xbox Keystone were being revealed.