Privacy

iPhones Have Been Exposing Your Unique MAC Despite Apple's Promises Otherwise (arstechnica.com) 69

Dan Goodin reports via Ars Technica: Three years ago, Apple introduced a privacy-enhancing feature that hid the Wi-Fi address of iPhones and iPads when they joined a network. On Wednesday, the world learned that the feature has never worked as advertised. Despite promises that this never-changing address would be hidden and replaced with a private one that was unique to each SSID, Apple devices have continued to display the real one, which in turn got broadcast to every other connected device on the network. [...]

In 2020, Apple released iOS 14 with a feature that, by default, hid Wi-Fi MACs when devices connected to a network. Instead, the device displayed what Apple called a "private Wi-Fi address" that was different for each SSID. Over time, Apple has enhanced the feature, for instance, by allowing users to assign a new private Wi-Fi address for a given SSID. On Wednesday, Apple released iOS 17.1. Among the various fixes was a patch for a vulnerability, tracked as CVE-2023-42846, which prevented the privacy feature from working. Tommy Mysk, one of the two security researchers Apple credited with discovering and reporting the vulnerability (Talal Haj Bakry was the other), told Ars that he tested all recent iOS releases and found the flaw dates back to version 14, released in September 2020. "From the get-go, this feature was useless because of this bug," he said. "We couldn't stop the devices from sending these discovery requests, even with a VPN. Even in the Lockdown Mode."

When an iPhone or any other device joins a network, it triggers a multicast message that is sent to all other devices on the network. By necessity, this message must include a MAC. Beginning with iOS 14, this value was, by default, different for each SSID. To the casual observer, the feature appeared to work as advertised. The "source" listed in the request was the private Wi-Fi address. Digging in a little further, however, it became clear that the real, permanent MAC was still broadcast to all other connected devices, just in a different field of the request. Mysk published a short video showing a Mac using the Wireshark packet sniffer to monitor traffic on the local network the Mac is connected to. When an iPhone running iOS prior to version 17.1 joins, it shares its real Wi-Fi MAC on port 5353/UDP.
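The behaviour described above (a frame sent from a randomised source address whose payload still carries the hardware address) can be checked on your own devices from a packet capture. The script below is an added example, not code from Apple, Mysk or Ars Technica: it parses IPv4/UDP Ethernet frames, keeps only multicast DNS traffic to port 5353 from locally administered (randomised) source MACs, and reports any hardware MAC from a defender-maintained inventory that appears in the payload, as raw bytes or as text. Because the article does not name the field that leaked, the whole payload is searched; the frame, addresses and record body are constructed for the test.

```python
import struct
from dataclasses import dataclass

MDNS_PORT = 5353


@dataclass
class Finding:
    device: str      # inventory name of the device whose hardware MAC appeared
    src_mac: str     # the (randomised) source MAC the frame was sent from
    leaked_mac: str  # the hardware MAC found in the payload
    how: str         # "raw" (6 bytes) or "text" (aa:bb:cc:dd:ee:ff form)


def mac_to_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def str_to_mac(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def is_locally_administered(mac: bytes) -> bool:
    # Randomised addresses such as iOS "private Wi-Fi addresses" set the
    # locally administered bit (bit 1 of the first octet).
    return bool(mac[0] & 0x02)


def parse_udp_frame(frame: bytes):
    """Return (src_mac, dst_port, payload) for an IPv4/UDP Ethernet frame, else None."""
    if len(frame) < 14 + 20 + 8:
        return None
    src_mac = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:                 # IPv4 only in this example
        return None
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    if frame[14 + 9] != 17:                 # protocol field: 17 = UDP
        return None
    udp = 14 + ihl
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[udp:udp + 8])
    return src_mac, dport, frame[udp + 8:udp + ulen]


def audit_frame(frame: bytes, inventory: dict) -> list:
    """inventory maps hardware MAC strings to device names (known to the defender)."""
    parsed = parse_udp_frame(frame)
    if parsed is None:
        return []
    src_mac, dport, payload = parsed
    # Only mDNS frames sent from a randomised address are interesting: a frame
    # from the hardware address is not pretending to hide anything.
    if dport != MDNS_PORT or not is_locally_administered(src_mac):
        return []
    findings = []
    lowered = payload.lower()
    for hw, name in inventory.items():
        if str_to_mac(hw) in payload:
            findings.append(Finding(name, mac_to_str(src_mac), hw, "raw"))
        if hw.lower().encode() in lowered or hw.replace(":", "").lower().encode() in lowered:
            findings.append(Finding(name, mac_to_str(src_mac), hw, "text"))
    return findings


def build_mdns_frame(src_mac: bytes, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame to 224.0.0.251:5353 (checksums left zero)."""
    eth = bytes.fromhex("01005e0000fb") + src_mac + b"\x08\x00"
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000,
                     255, 17, 0, bytes([192, 168, 1, 23]), bytes([224, 0, 0, 251]))
    udp = struct.pack("!HHHH", MDNS_PORT, MDNS_PORT, udp_len, 0)
    return eth + ip + udp + payload


# Constructed sample values (not real devices).
HARDWARE_MAC = "f0:18:98:aa:bb:cc"
PRIVATE_MAC = "da:3c:51:01:02:03"          # 0xda has the locally administered bit set
INVENTORY = {HARDWARE_MAC: "test-iphone"}
DNS_HEADER = struct.pack("!HHHHHH", 0, 0x8400, 0, 0, 0, 0)  # response flags, no records


def example_leaky() -> list:
    # Constructed record body that embeds the hardware MAC both raw and as text;
    # the real record layout is not described by the article and is not modelled.
    payload = DNS_HEADER + b"constructed-record:" + str_to_mac(HARDWARE_MAC) + b" " + HARDWARE_MAC.encode()
    return audit_frame(build_mdns_frame(str_to_mac(PRIVATE_MAC), payload), INVENTORY)


def example_clean() -> list:
    payload = DNS_HEADER + b"constructed-record:" + str_to_mac(PRIVATE_MAC)
    return audit_frame(build_mdns_frame(str_to_mac(PRIVATE_MAC), payload), INVENTORY)


if __name__ == "__main__":
    for f in example_leaky():
        print(f"{f.device}: hardware MAC {f.leaked_mac} seen ({f.how}) in frame from {f.src_mac}")
```

Frames for a real audit come from a capture on the same network (for example Wireshark or tcpdump saved as raw Ethernet frames) and the inventory from the hardware addresses shown in each device's settings.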

Youtube

Privacy Advocate Challenges YouTube's Ad Blocking Detection Scripts Under EU Law (theregister.com) 85

"Privacy advocate Alexander Hanff has filed a complaint with the Irish Data Protection Commission (DPC) challenging YouTube's use of JavaScript code to detect the presence of ad blocking extensions in the browsers of website visitors," writes long-time Slashdot reader Dotnaught. "He claims that under Europe's ePrivacy Directive, YouTube needs to ask permission to run its detection script because it's not technically necessary. If the DPC agrees, it would be a major win for user privacy." The Register reports: Asked how he hopes the Irish DPC will respond, Hanff replied via email, "I would expect the DPC to investigate and issue an enforcement notice to YouTube requiring them to cease and desist these activities without first obtaining consent (as per [Europe's General Data Protection Regulation (GDPR)] standard) for the deployment of their -spyware- detection scripts; and further to order YouTube to unban any accounts which have been banned as a result of these detections and to delete any personal data processed unlawfully (see Article 5(1) of GDPR) since they first started to deploy their -spyware- detection scripts."

Hanff's use of strikethrough formatting acknowledges the legal difficulty of using the term "spyware" to refer to YouTube's ad block detection code. The security industry's standard defamation defense terminology for such stuff is PUPs, or potentially unwanted programs. Hanff, who reports having a Masters in Law focused on data and privacy protection, added that the ePrivacy Directive is lex specialis to GDPR. That means where laws overlap, the specific one takes precedence over the more general one. Thus, he argues, personal data collected without consent is unlawful under Article 5(1) of GDPR and cannot be lawfully processed for any purpose.

With regard to YouTube's assertion that using an ad blocker violates the site's Terms of Service, Hanff argued, "Any terms and conditions which restrict the legal rights and freedoms of an EU citizen (and the point of Article 5(3) of the ePrivacy Directive is specifically to protect the fundamental right to Privacy under Article 7 of the Charter of Fundamental Rights of the European Union) are void under EU law." Therefore, in essence, "Any such terms which restrict the rights of EU persons to limit access to their terminal equipment would, as a result, be void and unenforceable," he added.

Microsoft

iFixit Now Sells Microsoft Surface Parts For Repair (theverge.com) 4

iFixit has started selling genuine replacement parts for Microsoft Surface devices. From a report: The company now offers SSDs, batteries, screens, kickstands, and a whole bunch of other parts for 15 Surface products. Some of the devices on that list include the Surface Pro 9, Surface Laptop 5, Surface Go 4, Surface Studio 2 Plus, and others. You can check out the entire list of supported products and parts in this post on Microsoft's website. In addition to supplying replacement parts, iFixit also offers disassembly videos and guides for each product, as well as toolkits that include things like an opening tool, tweezers, drivers, and more.

United Kingdom

The UK's Controversial Online Safety Bill Finally Becomes Law (theverge.com) 185

An anonymous reader shares a report: The UK's Online Safety Bill, a wide-ranging piece of legislation that aims to make the country "the safest place in the world to be online" received royal assent today and became law. The bill has been years in the making and attempts to introduce new obligations for how tech firms should design, operate, and moderate their platforms. Specific harms the bill aims to address include underage access to online pornography, "anonymous trolls," scam ads, the nonconsensual sharing of intimate deepfakes, and the spread of child sexual abuse material and terrorism-related content.

Although it's now law, online platforms will not need to immediately comply with all of their duties under the bill, which is now known as the Online Safety Act. UK telecoms regulator Ofcom, which is in charge of enforcing the rules, plans to publish its codes of practice in three phases. The first covers how platforms will have to respond to illegal content like terrorism and child sexual abuse material, and a consultation with proposals on how to handle these duties is due to be published on November 9th.

Government

Network State Conference Announced in Amsterdam for October 30 4

Balaji Srinivasan, former CTO of Coinbase and author of the Network State, has announced his first Network State Conference. This is a conference for people interested in founding, funding, and finding new communities.
Topics include startup societies, network states, digital nomadism, competitive government, legalizing innovation, and building alternatives. Speakers include Glenn Greenwald, Vitalik Buterin, Anatoly Yakovenko, Garry Tan, the Winklevosses, and Tyler Cowen. See presentations by startup society founders around the world, invest in them, and search for the community that fits you.

With this and Joseon, the first legally recognized cyber state, the network state movement is beginning to get interesting.

Another anonymous reader quotes from the Joseon Official X Account's reply to Balaji's announcement:

Joseon, the first legally recognized cyber nation state, will be there.
Interestingly, Joseon dons the same grey checkmark that is for governments on its X account.

Government

Biden Administration Moves To Ban Solvent Trichloroethylene, Linked To Cancer (nytimes.com) 85

An anonymous reader quotes a report from the New York Times: The Biden administration has proposed to ban all uses of trichloroethylene, an industrial solvent used in glues, other adhesives, spot removers and metal cleaners, saying exposure to even small amounts can cause cancer, damage to the central nervous system and other health effects. The proposed ban is the latest twist in a yearslong debate over whether to regulate trichloroethylene, commonly referred to as TCE. In its final weeks, the Obama administration tried to ban some uses of the chemical, only to have the Trump administration place it on an Environmental Protection Agency list for long-term consideration, a move that essentially suspended any action. Monday's proposal goes further than the Obama-era plan by prohibiting all uses of TCE.

Under the E.P.A. proposal, most uses of TCE, including those in processing commercial and consumer products, would be prohibited within one year. For other uses the agency categorized as "limited," such as use in electric vehicle batteries and the manufacturing of certain refrigerants, there would be a longer transition period and more stringent worker protections. The administration said that safer alternatives exist for most uses of TCE as a solvent. In a final evaluation this year, the E.P.A. said the chemical posed an "unreasonable risk to human health." Short-term exposure could affect a developing fetus, and high concentrations can irritate the respiratory system, the agency said. Prolonged exposure has been associated with effects in the liver, kidneys, immune system and central nervous system, it said.
"This is extremely important," said Maria Doa, senior director for chemicals policy at the Environmental Defense Fund, a nonprofit advocacy organization. She said TCE "causes so many different harms at such low levels" that banning it would have widespread impacts. "It's a long time coming," she said.

Privacy

Face Search Engine PimEyes Blocks Searches of Children's Faces (nytimes.com) 25

PimEyes, a search engine that relies on facial recognition to help people scan billions of images to find photos of themselves on the internet, announced that it has banned searches of minors as part of the company's "no harm policy." The New York Times reports: PimEyes, a subscription-based service that uses facial recognition technology to find online photos of a person, has a database of nearly three billion faces and enables about 118,000 searches per day, according to [PimEyes CEO Giorgi Gobronidze]. The service is advertised as a way for people to search for their own face to find any unknown photos on the internet, but there are no technical measures in place to ensure that users are searching only for themselves. Parents have used PimEyes to find photos of their children on the internet that they had not known about. But the service could also be used nefariously by a stranger. It had previously banned more than 200 accounts for inappropriate searches of children's faces, Mr. Gobronidze said.

"Images of children might be used by the individuals with twisted moral compass and values, such as pedophiles, child predators," Mr. Gobronidze said. PimEyes will still allow searches of minors' faces by human rights organizations that work on children's rights issues, he added. Mr. Gobronidze said that blocking searches of children's faces had been on "the road map" since he acquired the site in 2021, but the protection was fully deployed only this month after the publication of a New York Times article on A.I.-based threats to children. Still, the block isn't airtight. PimEyes is using age detection A.I. to identify photos of minors. Mr. Gobronidze said that it worked well for children under the age of 14 but that it had "accuracy issues" with teenagers.

It also may be unable to identify children as such if they're not photographed from a certain angle. To test the blocking system, The Times uploaded a photo of Mary-Kate and Ashley Olsen from their days as child stars to PimEyes. It blocked the search for the twin who was looking straight at the camera, but the search went through for the other, who is photographed in profile. The search turned up dozens of other photos of the twin as a child, with links to where they appeared online. Mr. Gobronidze said PimEyes was still perfecting its detection system.

Databases

ICE Uses Tool To Find 'Derogatory' Speech Online (404media.co) 63

An anonymous reader quotes a report from 404 Media: Immigration and Customs Enforcement (ICE) has used a system called Giant Oak Search Technology (GOST) to help the agency scrutinize social media posts, determine if they are "derogatory" to the U.S., and then use that information as part of immigration enforcement, according to a new cache of documents reviewed by 404 Media. The documents peel back the curtain on a powerful system, both in a technological and a policy sense -- how information is processed and used to decide who is allowed to remain in the country and who is not.

GOST's catchphrase included in one document is "We see the people behind the data." A GOST user guide included in the documents says GOST is "capable of providing behavioral based internet search capabilities." Screenshots show analysts can search the system with identifiers such as name, address, email address, and country of citizenship. After a search, GOST provides a "ranking" from zero to 100 on what it thinks is relevant to the user's specific mission. The documents further explain that an applicant's "potentially derogatory social media can be reviewed within the interface." After clicking on a specific person, analysts can review images collected from social media or elsewhere, and give them a "thumbs up" or "thumbs down." Analysts can also then review the target's social media profiles themselves too, and their "social graph," potentially showing who the system believes they are connected to.

DHS has used GOST since 2014, according to a page of the user guide. In turn, ICE has paid Giant Oak Inc., the company behind the system, in excess of $10 million since 2017, according to public procurement records. A Giant Oak and DHS contract ended in August 2022, according to the records. Records also show Customs and Border Protection (CBP), the Drug Enforcement Administration (DEA), the State Department, the Air Force, and the Bureau of the Fiscal Service which is part of the U.S. Treasury have all paid for Giant Oak services over the last nearly ten years. The FOIA documents specifically discuss Giant Oak's use as part of an earlier 2016 pilot called the "HSI [Homeland Security Investigations] PATRIOT Social Media Pilot Program." For this, the program would "target potential overstay violators from particular visa issuance Posts located in countries of concern."
"The government should not be using algorithms to scrutinize our social media posts and decide which of us is 'risky.' And agencies certainly shouldn't be buying this kind of black box technology in secret without any accountability. DHS needs to explain to the public how its systems determine whether someone is a 'risk' or not, and what happens to the people whose online posts are flagged by its algorithms," Patrick Toomey, Deputy Director of the ACLU's National Security Project, told 404 Media in an email. The documents come from a Freedom of Information Act (FOIA) lawsuit brought by both the ACLU and the ACLU of Northern California. Toomey from the ACLU then shared the documents with 404 Media.

United States

Apple To Make Tools and Parts To Fix Phones and Computers Available Nationwide, White House Says (reuters.com) 32

Mac computer and iPhone maker Apple on Tuesday will announce plans to make parts, tools and documentation needed to repair its products available to independent repair shops and consumers nationwide, at fair and reasonable prices, the White House said. From a report: National Economic Council Director Lael Brainard made the announcement in remarks prepared for a White House event later Tuesday focused on the so-called "right to repair," calling on Congress to pass legislation requiring such action across the country.

The event is part of U.S. President Joe Biden's push to promote competition and crack down on so-called junk fees and other actions that increase prices for consumers. The latest effort is aimed at giving consumers more control over fixing what they own, from tractors to smart phones. Brainard said California, Colorado, New York and Minnesota had already passed right to repair laws, and 30 other states had introduced similar legislation.

China

China Widens Lead Over US in AI Patents After Beijing Tech Drive (bloomberg.com) 33

China is increasing its lead over the US in AI patent filings, underscoring the Asian nation's determination to shape and influence a technology that could have broad implications for the world's richest economies. From a report: Chinese institutions applied for 29,853 AI-related patents in 2022, climbing from 29,000 the year prior, according to data that the World Intellectual Property Organization provided to Bloomberg News. That's almost 80% more than US filings, which shrank 5.5%. Overall, China accounted for more than 40% of global AI applications over the past year, the data from the United Nations-affiliated agency showed. Japan and South Korea rounded out the 2022 leaders, with a combined 16,700 applications. The numbers illustrate how Beijing has pushed Chinese companies and agencies to gain an edge in areas such as chipmaking, space exploration and military sciences. More recently, President Xi Jinping has ordered the nation to accelerate fundamental research in response to US efforts to curtail its access to advanced technologies. That's triggered a flood of investment by Chinese companies in AI and quantum computing.

Security

1Password Discloses Security Incident Linked To Okta Breach (bleepingcomputer.com) 27

Lawrence Abrams reports via BleepingComputer: 1Password, a popular password management platform used by over 100,000 businesses, suffered a security breach after hackers gained access to its Okta ID management tenant. "We detected suspicious activity on our Okta instance related to their Support System incident. After a thorough investigation, we concluded that no 1Password user data was accessed," reads a very brief security incident notification from 1Password CTO Pedro Canahuati. "On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps. We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing."

On Friday, Okta disclosed that threat actors breached its support case management system using stolen credentials. As part of these support cases, Okta routinely asks customers to upload HTTP Archive (HAR) files to troubleshoot customer problems. However, these HAR files contain sensitive data, including authentication cookies and session tokens that can be used to impersonate a valid Okta customer. Okta first learned of the breach from BeyondTrust, who shared forensics data with Okta, showing that their support organization was compromised. However, it took Okta over two weeks to confirm the breach.
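A HAR file is a JSON capture of browser traffic, so the cookies and bearer tokens it records are live session material until they expire or are revoked. The script below is an added example, not Okta's or BeyondTrust's tooling: it redacts the request and response headers, cookie entries and query parameters that commonly carry such tokens before the file leaves the customer's hands. The header and parameter names are a defender's allowlist assumption, and the sample HAR is constructed; tokens echoed in request or response bodies are left for manual review.

```python
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"
# Assumed allowlists of fields that routinely carry credentials or session state.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"code", "token", "access_token", "id_token", "refresh_token"}


def _redact_url(url: str) -> tuple:
    """Rewrite sensitive query parameters inside a URL; returns (new_url, count)."""
    parts = urlsplit(url)
    count = 0
    pairs = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS and value != REDACTED:
            value = REDACTED
            count += 1
        pairs.append((name, value))
    if count == 0:
        return url, 0
    return urlunsplit(parts._replace(query=urlencode(pairs))), count


def _redact_named_values(items: list, names: set) -> int:
    """Redact 'value' of every {'name': ..., 'value': ...} item whose name is in names."""
    count = 0
    for item in items:
        if item.get("name", "").lower() in names and item.get("value") != REDACTED:
            item["value"] = REDACTED
            count += 1
    return count


def sanitize_har(har: dict) -> tuple:
    """Return (sanitized copy, number of fields redacted). The input is not modified."""
    out = copy.deepcopy(har)
    count = 0
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            message = entry.get(side, {})
            count += _redact_named_values(message.get("headers", []), SENSITIVE_HEADERS)
            # Every cookie value is treated as session material, whatever its name.
            for cookie in message.get("cookies", []):
                if cookie.get("value") not in (None, REDACTED):
                    cookie["value"] = REDACTED
                    count += 1
        request = entry.get("request", {})
        count += _redact_named_values(request.get("queryString", []), SENSITIVE_PARAMS)
        if "url" in request:
            request["url"], n = _redact_url(request["url"])
            count += n
    return out, count


# Constructed sample HAR; hostnames and token values are placeholders, not real data.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "creator": {"name": "constructed-sample", "version": "0"},
        "entries": [{
            "startedDateTime": "2023-10-20T00:00:00.000Z",
            "request": {
                "method": "GET",
                "url": "https://example.okta.test/oauth2/v1/authorize?code=CONSTRUCTED-AUTHCODE-4&expand=profile",
                "headers": [
                    {"name": "Host", "value": "example.okta.test"},
                    {"name": "Cookie", "value": "sid=CONSTRUCTED-SESSION-TOKEN-1"},
                    {"name": "Authorization", "value": "Bearer CONSTRUCTED-BEARER-2"},
                ],
                "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION-TOKEN-1"}],
                "queryString": [{"name": "code", "value": "CONSTRUCTED-AUTHCODE-4"},
                                {"name": "expand", "value": "profile"}],
            },
            "response": {
                "status": 200,
                "headers": [
                    {"name": "Set-Cookie", "value": "sid=CONSTRUCTED-SESSION-TOKEN-3; Path=/; Secure"},
                    {"name": "Content-Type", "value": "application/json"},
                ],
                "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION-TOKEN-3"}],
                "content": {"size": 2, "mimeType": "application/json", "text": "{}"},
            },
        }],
    }
}


def sanitized_sample() -> tuple:
    return sanitize_har(SAMPLE_HAR)


if __name__ == "__main__":
    cleaned, redactions = sanitized_sample()
    print(f"{redactions} fields redacted")
    print(json.dumps(cleaned, indent=1))
```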

Bitcoin

California Law Limits Bitcoin ATM Transactions to $1,000 to Thwart Scammers (msn.com) 37

One 80-year-old retired teacher in Los Angeles lost $69,000 in bitcoin to scammers. And 46,000 people lost over $1 billion to crypto scams since 2021 (according to America's Federal Trade Commission).

Now the Los Angeles Times reports California's new moves against scammers using bitcoin ATMs, with a bill one representative says "is about ensuring that people who have been frauded in our communities don't continue to watch our state step aside when we know that these are real problems that are happening." Starting in January, California will limit cryptocurrency ATM transactions to $1,000 per day per person under Senate Bill 401, which Gov. Gavin Newsom signed into law. Some bitcoin ATM machines advertise limits as high as $50,000... Victims of bitcoin ATM scams say limiting the transactions will give people more time to figure out they're being tricked and prevent them from using large amounts of cash to buy cryptocurrency.

But crypto ATM operators say the new laws will harm their industry and the small businesses they pay to rent space for the machines. There are more than 3,200 bitcoin ATMs in California, according to Coin ATM Radar, a site that tracks the machines' locations. "This bill fails to adequately address how to crack down on fraud, and instead takes a punitive path focused on a specific technology that will shudder the industry and hurt consumers, while doing nothing to stop bad actors," said Charles Belle, executive director of the Blockchain Advocacy Coalition...

Law enforcement has cracked down on unlicensed crypto ATMs, but it can be tough for consumers to tell how serious the industry is about addressing the concerns. In 2020, a Yorba Linda man pleaded guilty to charges of operating unlicensed bitcoin ATMs and failing to maintain an anti-money-laundering program even though he knew criminals were using the funds. The illegal business, known as Herocoin, allowed people to buy and sell bitcoin in transactions of up to $25,000 and charged a fee of up to 25%.

So there are also provisions in the law against exorbitant fees: The new law also bars bitcoin ATM operators from collecting fees higher than $5 or 15% of the transaction, whichever is greater, starting in 2025. Legislative staff members visited a crypto kiosk in Sacramento and found markups as high as 33% on some digital assets when they compared the prices at which cryptocurrency is bought and sold. Typically, a crypto ATM charges fees between 12% and 25% over the value of the digital asset, according to a legislative analysis...

Another law would by July 2025 require digital financial asset businesses to obtain a license from the California Department of Financial Protection and Innovation.

Privacy

Mozilla Launches Annual Digital Privacy 'Creep-o-Meter'. This Year's Status: 'Very Creepy' (mozilla.org) 60

"In 2023, the state of our digital privacy is: Very Creepy." That's the verdict from Mozilla's first-ever "Annual Consumer Creep-o-Meter," which attempts to set benchmarks for digital privacy and identify trends: Since 2017, Mozilla has published 15 editions of *Privacy Not Included, our consumer tech buyers guide. We've reviewed over 500 gadgets, apps, cars, and more, assessing their security features, what data they collect, and who they share that data with. In 2023, we compared our most recent findings with those of the past five years. It quickly became clear that products and companies are collecting more personal data than ever before — and then using that information in shady ways...

Products are getting more secure, but also a lot less private. More companies are meeting Mozilla's Minimum Security Standards like using encryption and providing automatic software updates. That's good news. But at the same time, companies are collecting and sharing users' personal data like never before. And that's bad news. Many companies now view their hardware or software as a means to an end: collecting that coveted personal data for targeted advertising and training AI. For example: The mental health app BetterHelp shares your data with advertisers, social media platforms, and sister companies. The Japanese car manufacturer Nissan collects a wide range of information, including sexual activity, health diagnosis data, and genetic information — but doesn't specify how.

An increasing number of products can't be used offline. In the past, the privacy conscious could always buy a connected device but turn off connectivity, making it "dumb." That's no longer an option in many cases. The number of connected devices that require apps and can't be used offline is increasing. This trend, coupled with the first, means it's harder and harder to keep your data private.

Privacy policies also need improvement. "Legalese, ambiguity, and policies that sprawl across multiple documents and URLs are the status quo. And it's getting worse, not better. Companies use these policies as a shield, not an actual resource for consumers." They note that Toyota has more than 10 privacy policy documents, and that it would actually take five hours to read all the privacy documents for the Meta Quest Pro VR headset.

In the end they advise opting out of data collection when possible, enabling security features, and "If you're not comfortable with a product's privacy, don't buy it. And, speak up. Over the years, we've seen companies respond to consumer demand for privacy, like when Apple reformed app tracking and Zoom made end-to-end encryption a free feature."

You can also take a quiz that calculates your own privacy footprint (based on whether you're using consumer tech products like the Apple Watch, Nintendo Switch, Nook, or Telegram). Mozilla's privacy advocates award the highest marks to privacy-protecting products like Signal, Sonos' SL Speakers, and the Pocketbook eReader (an alternative to Amazon's Kindle). (Although 100% of the cars reviewed by Mozilla "failed to meet our privacy and security standards.")

The graphics on the site help make its point. As you move your mouse across the page, the cartoon eyes follow its movement...

Social Networks

Online 'Information War' in Africa Rages on Social Media (yahoo.com) 46

The Washington Post tells the story of a veteran political operative and a former army intelligence officer hired to help keep in power the president of the west African nation Burkina Faso: Their company, Percepto International, was a pioneer in what's known as the disinformation-for-hire business. They were skilled in deceptive tricks of social media, reeling people into an online world comprised of fake journalists, news outlets and everyday citizens whose posts were intended to bolster support for [president Roch Marc] Kaboré's government and undercut its critics. But as Percepto began to survey the online landscape across Burkina Faso and the surrounding French-speaking Sahel region of Africa in 2021, they quickly saw that the local political adversaries and Islamic extremists they had been hired to combat were not Kaboré's biggest adversary. The real threat, they concluded, came from Russia, which was running what appeared to be a wide-ranging disinformation campaign aimed at destabilizing Burkina Faso and other democratically-elected governments on its borders.

Pro-Russian fake news sites populated YouTube and pro-Russian groups abounded on Facebook. Local influencers used WhatsApp and Telegram groups to organize pro-Russian demonstrations and praise Russian President Vladimir Putin. Facebook fan pages even hailed the Wagner Group, the Russian paramilitary network run by Yevgeniy Prigozhin, the late one-time Putin ally whose Internet Research Agency launched a disinformation campaign in the United States to influence the 2016 presidential election... Percepto didn't know the full scope of the operation it had uncovered but it warned Kaboré's government that it needed to move fast: Launch a counteroffensive online — or risk getting pushed out in a coup.

Three years later, the governments of five former French colonies, including Burkina Faso, have been toppled. The new leaders of two of those countries, Mali and Burkina Faso, are overtly pro-Russian; in a third, Niger, the prime minister installed after a July coup has met recently with the Russian ambassador. In Mali and the Central African Republic, French troops have been replaced with Wagner mercenaries...

Percepto's experience in French-speaking Africa offers a rare window into the round-the-clock information warfare that is shaping international politics — and the booming business of disinformation-for-hire. Meta, the social media company that operates Facebook, Instagram and WhatsApp, says that since 2017 it has detected more than 200 clandestine influence operations, many of them mercenary campaigns, in 68 countries.

The article also makes an interesting point. "The burden of battling disinformation has fallen entirely on Silicon Valley companies."

Bitcoin

Inside a $30 Million Cash-for-Bitcoin Laundering Ring In New York (404media.co) 34

404 Media (working with Court Watch) reports on a $30 Million cash-for-Bitcoin laundering ring operating in the heart of New York: For years, a gang operating in New York allegedly offered a cash-for-Bitcoin service that generated at least $30 million, with men standing on street corners with plastic shopping bags full of money, drive-by pickups, and hundreds of thousands of dollars laid out on tables, according to court records.

The records provide rare insight into an often unseen part of the criminal underworld: how hackers and drug traffickers convert their Bitcoin into cash outside of the online Bitcoin exchanges that ordinary people use. Rather than turning to sites like Coinbase, which often collaborate with and provide records to law enforcement if required, some criminals use underground, in-real-life Bitcoin exchanges like this gang which are allegedly criminal entities in their own right.

In a long-running investigation by the FBI involving a confidential source and undercover agents, one member of the crew said "that at least some of his clients made money by selling drugs, that his wealthiest clients were hackers, and that he had made approximately $30 million over the prior three years through the exchange of cash for virtual currency," the court records read.

Thanks to user Slash_Account_Dot for sharing the news.

Crime

Scammers Try Hosting Their Malware on a Binance Network (krebsonsecurity.com) 21

Breached web sites distribute malware to visitors by claiming they need to update their browser. But one group of attackers "have developed an ingenious way of keeping their malware from being taken down by security experts or law enforcement," reports security researcher Brian Krebs.

"By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain." [W]hen Cloudflare blocked those accounts the attackers began storing their malicious files as cryptocurrency transactions in the Binance Smart Chain (BSC), a technology designed to run decentralized apps and "smart contracts," or coded agreements that execute actions automatically when certain conditions are met. Nati Tal, head of security at Guardio Labs, the research unit at Tel Aviv-based security firm Guardio, said the malicious scripts stitched into hacked WordPress sites will create a new smart contract on the BSC Blockchain, starting with a unique, attacker-controlled blockchain address and a set of instructions that defines the contract's functions and structure. When that contract is queried by a compromised website, it will return an obfuscated and malicious payload.

"These contracts offer innovative ways to build applications and processes," Tal wrote along with his Guardio colleague Oleg Zaytsev. "Due to the publicly accessible and unchangeable nature of the blockchain, code can be hosted 'on-chain' without the ability for a takedown." Tal said hosting malicious files on the Binance Smart Chain is ideal for attackers because retrieving the malicious contract is a cost-free operation that was originally designed for the purpose of debugging contract execution issues without any real-world impact. "So you get a free, untracked, and robust way to get your data (the malicious payload) without leaving traces," Tal said.

In response to questions from KrebsOnSecurity, the BNB Smart Chain (BSC) said its team is aware of the malware abusing its blockchain, and is actively addressing the issue. The company said all addresses associated with the spread of the malware have been blacklisted, and that its technicians had developed a model to detect future smart contracts that use similar methods to host malicious scripts. "This model is designed to proactively identify and mitigate potential threats before they can cause harm," BNB Smart Chain wrote. "The team is committed to ongoing monitoring of addresses that are involved in spreading malware scripts on the BSC. To enhance their efforts, the tech team is working on linking identified addresses that spread malicious scripts to centralized KYC [Know Your Customer] information, when possible."

The Courts

Supreme Court Blocks Restrictions On Biden Administration Efforts To Get Platforms To Remove Social Media Posts (nbcnews.com) 148

An anonymous reader quotes a report from NBC News: The Supreme Court on Friday blocked in full a lower court ruling that would have curbed the Biden administration's ability to communicate with social media companies about contentious content on such issues as Covid-19. The decision in a short unsigned order (PDF) puts on hold a Louisiana-based judge's ruling in July that specific agencies and officials should be barred from meeting with companies to discuss whether certain content should be stifled. The Supreme Court also agreed to immediately take up the government's appeal, meaning it will hear arguments and issue a ruling on the merits in its current term, which runs until the end of June. Three conservative justices noted that they would have denied the application: Samuel Alito, Clarence Thomas and Neil Gorsuch.

"At this time in the history of our country, what the court has done, I fear, will be seen by some as giving the government a green light to use heavy-handed tactics to skew the presentation of views on the medium that increasingly dominates the dissemination of news. That is most unfortunate," Alito wrote in a dissenting opinion. GOP attorneys general in Louisiana and Missouri, along with five social media users, filed the underlying lawsuit, alleging that U.S. government officials went too far in what they characterize as coercion of social media companies to address posts, especially those related to Covid-19. The individual plaintiffs include Covid-19 lockdown opponents and Jim Hoft, the owner of the right-wing website Gateway Pundit. They claim that the government's actions violated free speech protections under the Constitution's First Amendment.

The Courts

Frying Pan Company Sued for Claiming Temperatures That Rival the Sun (theverge.com) 124

Can you heat up a pan to 30,000 degrees Fahrenheit? That's the burning question at the center of this proposed class action lawsuit, which claims the advertising for SharkNinja's nonstick cookware violates the laws of physics and thermodynamics. From a report: While SharkNinja is the company best known for its Shark robovacs and Ninja kitchen gadgets, this lawsuit takes issue with the Ninja NeverStick Premium Cookware collection, a line of pots and pans it advertises as having superior nonsticking and nonflaking qualities thanks to its manufacturing process.

Instead of making its pans at a measly 900-degree temperature that other brands use, SharkNinja says it heats up the cookware to a maximum of 30,000 degrees Fahrenheit. That process, according to SharkNinja, fuses "plasma ceramic particles" to the surface of the pan, "creating a super-hard, textured surface that interlocks with our exclusive coating for a superior bond." But Patricia Brown, the person who filed this lawsuit, isn't buying it. As cited in Brown's lawsuit, NASA recently said the "surface of the Sun is a blisteringly hot 10,340 degrees Fahrenheit," meaning SharkNinja's manufacturing process reaches about three times that temperature.

Privacy

Telegram is Still Leaking User IP Addresses To Contacts (techcrunch.com) 18

The popular messaging app Telegram can leak your IP address if you simply add a hacker to your contacts and accept a phone call from them. From a report: Denis Simonov, a security researcher, who is also known as n0a, recently highlighted the issue and wrote a simple tool to exploit it. TechCrunch verified the researcher's findings by adding Simonov to the contacts of a newly created Telegram account. Simonov then called the account, and shortly after provided TechCrunch with the IP address of the computer where the experiment was being carried out.

Telegram boasts 700 million users all over the world, and has always marketed itself as a "secure" and "private" messaging app, even though experts have repeatedly warned that Telegram is not as secure as end-to-end encrypted app Signal, for example. The fact that Telegram leaks your IP address to people in your contacts during a voice call has been known for years, but it's likely that new, less technical users may not be aware.

Crime

Indian Authorities Raid Fake Tech Support Rings After Tipoff From Amazon and Microsoft (theregister.com) 25

Acting on information from Microsoft and Amazon, India's Central Bureau of Investigation (CBI) has raided alleged fake tech support operators and other tech-related crims across the country. From a report: The Bureau shared news of a Thursday operation that saw it conduct 76 searches in relation to five cases. The Bureau stated its effort "was conducted in collaboration with national and international agencies, alongside private sector giants," and described two of its targets as international tech support fraud scams that "impersonated a global IT major and a multinational corporation with an online technology-driven trading platform."

The alleged scammers operated call centers in five regions of India and "systematically preyed on foreign nationals, masquerading as technical support representatives" for at least five years. The scammers sent users pop-up messages that appeared to come from multinational companies and advised of PC problems -- with a toll-free number at which assistance could be had. Victims who called the fakers had their PCs taken over, and were charged hundreds of dollars for a fix.
