According to Bloomberg, hackers have leaked internal documents stolen from Leidos Holdings, one of the largest IT services providers of the U.S. government. Reuters reports: The company recently became aware of the issue and believes the documents were taken during a previously reported breach of a Diligent Corp. system it used, the report said, adding that Leidos is investigating it. The Virginia-based company, which counts the U.S. Department of Defense as its primary customer, used the Diligent system to host information gathered in internal investigations, the report added, citing a filing from June 2023. A spokesperson for Diligent said the issue seems to be related to an incident from 2022, affecting its subsidiary Steele Compliance Solutions. The company notified impacted customers and had taken corrective action to contain the incident in November 2022.

An anonymous reader quotes a report from the Center for European Policy Analysis (CEPA): Alexey Soldatov, a Russian Internet pioneer and a founder of the first Internet provider in the country, has been sentenced by a court to two years in a labor colony on charges of "abuse of power." Soldatov, 72, had been detained by a court in Moscow. He is terminally ill. Very few in Russia believe in the government charges against a man widely known as a Father of the Russian Internet -- and who is less well known as the father of Andrei Soldatov, one of this article's authors. Soldatov was accused of abuse of power when managing a pool of IP-addresses by an organization he had no position at. This legal absurdity was enough to see him imprisoned even though the court knew of Soldatov's illness, which meant the court had no legal right to pass a custodial sentence. His family believes that the decision is essentially a death sentence. The article details Soldatov's history and his pivotal role in creating the Relcom network, which connected Soviet research centers and established the Soviet Union's first link to the global internet in 1990. During the 1991 KGB coup attempt, Relcom remained operational, highlighting its role in bypassing traditional media control and connecting people both within the Soviet Union and globally.

According to the Washington Post (paywalled), the House Homeland Security Committee has called on the CrowdStrike CEO to testify over the major outage that brought flights, hospital procedures, and broadcasters to a halt on Friday. The outage was caused by a defective software update from the company that primarily affected computers runnings Windows, resulting in system crashes and "blue screen of death" errors. From the report: Republican leaders of the House Homeland Security Committee demanded that CrowdStrike CEO George Kurtz commit by Wednesday to appearing on Capitol Hill to explain how the outages occurred and what "mitigation steps" the company is taking to prevent future episodes. [...] Reps. Mark Green (R-Tenn.) and Andrew R. Garbarino (R-N.Y.), chairs of the Homeland Security Committee and its cybersecurity subcommittee, respectively, wrote in their letter that the outages "must serve as a broader warning about the national security risks associated with network dependency. Protecting our critical infrastructure requires us to learn from this incident and ensure that it does not happen again," the lawmakers wrote. CrowdStrike spokesperson Kirsten Speas said in an emailed statement Monday that the company is "actively in contact" with the relevant congressional committees and that "engagement timelines may be disclosed at Members' discretion," but declined to say whether Kurtz will testify.

The committee is one of several looking into the incident, with members of the House Oversight Committee and House Energy and Commerce Committee separately requesting briefings from CrowdStrike. But the effort by Homeland Security Committee leaders marks the first time the company is being publicly summoned to testify about its role in the disruptions. CrowdStrike has risen to prominence as a major security provider partly by identifying malicious online campaigns by foreign actors, but the outages have heightened concern in Washington that international adversaries could look to exploit future incidents. "Malicious cyber actors backed by nation-states, such as China and Russia, are watching our response to this incident closely," Green and Garbarino wrote. The outages, which disrupted agencies at the federal and state level, are also raising questions about how much businesses and government officials alike have come to rely on Microsoft products for their daily operations.

Switzerland has enacted the "Federal Law on the Use of Electronic Means for the Fulfillment of Government Tasks" (EMBAG), mandating open-source software (OSS) in the public sector to enhance transparency, security, and efficiency. "This new law requires all public bodies to disclose the source code of software developed by or for them unless third-party rights or security concerns prevent it," writes ZDNet's Steven Vaughan-Nichols. "This 'public money, public code' approach aims to enhance government operations' transparency, security, and efficiency." From the report: Making this move wasn't easy. It began in 2011 when the Swiss Federal Supreme Court published its court application, Open Justitia, under an OSS license. The proprietary legal software company Weblaw wasn't happy about this. There were heated political and legal fights for more than a decade. Finally, the EMBAG was passed in 2023. Now, the law not only allows the release of OSS by the Swiss government or its contractors, but also requires the code to be released under an open-source license "unless the rights of third parties or security-related reasons would exclude or restrict this."

Professor Dr. Matthias Sturmer, head of the Institute for Public Sector Transformation at the Bern University of Applied Sciences, led the fight for this law. He hailed it as "a great opportunity for government, the IT industry, and society." Sturmer believes everyone will benefit from this regulation, as it reduces vendor lock-in for the public sector, allows companies to expand their digital business solutions, and potentially leads to reduced IT costs and improved services for taxpayers.

In addition to mandating OSS, the EMBAG also requires the release of non-personal and non-security-sensitive government data as Open Government Data (OGD). This dual "open by default" approach marks a significant paradigm shift towards greater openness and practical reuse of software and data. Implementing the EMBAG is expected to serve as a model for other countries considering similar measures. It aims to promote digital sovereignty and encourage innovation and collaboration within the public sector. The Swiss Federal Statistical Office (BFS) is leading the law's implementation, but the organizational and financial aspects of the OSS releases still need to be clarified.

Researchers have identified a zero-day exploit for the Telegram messaging app on Android devices that could have allowed attackers to send malicious payloads disguised as legitimate files. From a report: The exploit was built to abuse a vulnerability that Slovakia-based firm ESET dubbed EvilVideo. Telegram fixed the bug earlier this month in versions 10.14.5 and above after researchers reported it. Threat actors had about five weeks to exploit the zero-day before it was patched, but it's not clear if it was used in the wild, ESET said. ESET discovered the exploit on an underground forum in early June. It was sold for an unspecified price by a user with the username "Ancryno." In its post, the seller showed screenshots and a video of testing the exploit in a public Telegram channel.

In unpatched versions of Telegram for Android, attackers could use the exploit to send malicious payloads via Telegram channels, groups and chats, making them appear as multimedia files. The exploit takes advantage of Telegram's default setting to automatically download media files. The option can be disabled manually, but in that case, the payload could still be installed on the device if a user tapped the download button in the top left corner of the shared file. If the user tried to play the "video," Telegram displayed a message that it was unable to play it and suggested using an external player. The hackers disguised a malicious app as this external player.

Waymo, a subsidiary of Google's parent Alphabet, has taken legal action against alleged vandals targeting its self-driving taxi fleet in San Francisco, according to court documents. The company, which operates ride-hailing services in several U.S. cities, has filed two lawsuits seeking substantial damages for incidents that reportedly resulted in extensive damage to vehicle tires and bodywork, Wired reported Monday.

Re-visiting the Napster era, Stephen Witt's book How Music Got Free has been adapted into a two-part documentary on Paramount+. But the documentary's director believes "The real innovative minds here were a bunch of rogue teenagers and a guy working a blue-collar factory job in the tiny town of Shelby, North Carolina," according to this article in the Guardian: By day, [Glover] worked at Universal Music's CD manufacturing plant in North Carolina, from which he smuggled out hot albums by stars like Mary J Blige and 50 Cent before they were even released. For the documentary, Glover spoke openly, and largely without regret, as did others who worked at that plant who did their own share of stealing. Part of their incentive was class revenge: while they were paid piddling wages by the hour, the industry used the products they manufactured to mint millions. To maximize profits on his end, Glover set up a subscription service to let those in his circle know what CDs and movies were coming. "He was doing what Netflix would later do," Stapleton said...

In the meantime, the record companies and their lobbying arm, the RIAA, focused their wrath on the most public face of file-sharing: Napster. In truth, all Fanning's company did was make more accessible the work the pirates innovated and first distributed... For its part, the music industry reacted in the worst way possible, PR-wise. They sued the kids who made up their strongest fanbase. "One of the key lessons we learned from this era is that you can't sue your way out of a situation like this," Witt said. "You have to build a new technology that supersedes what the pirates did."

Eventually, that's what happened, though the first attempts in that direction made things worse than ever for the labels and stars. When Apple first created the iPod in 2001, there wasn't yet an Apple store where listeners could purchase music legally. "It was just a place to put your stolen MP3s," said Witt. Labels couldn't sue Apple because of a ruling dictating that the manufacturer of a device couldn't be held responsible for piracy enacted by its users. While Steve Jobs later modified his approach, creating a way for fans to buy individual songs for the iPod, "that did more damage to the industry than anything", Witt said. "Whereas, before they could sell a $15 CD to fans who really just wanted one song, now those fans could get that song for just a dollar...."

Eventually, the collective efforts of the streaming companies returned the music industry to massive profitability, though often at the expense of its artists, who often receive a meager slice of the proceeds.... Things ended less favorably for the pirates, some of whom now have criminal records. Likewise, Glover served a short prison sentence though, today, he is chief maintenance technician at the Ryder Truck manufacturing plant in his home town.
A Forbes senior contributor (and director Alexandria Stapleton) believe that for the younger generation it may be "their first introduction to why the music industry is the way that they're used to."

And Stapleton says their sympathies are with those factory workers. Stapleton: They were completely underpaid. They were making literally nothing. It's important for people to understand that while the industry was charging $20 for a CD, it cost like 20 cents to make. That's a big profit margin. And to have a factory that was paying barely enough for people to put food on the table, I think there's something wrong with that...

Witt: It's amazing to think about what they were really doing, which was essentially filling the technological vacuum that the record industry was refusing to fill, right? The record industry was not building out the successor technology to the compact disc because the compact disc was just too profitable for them. Instead, a bunch of random teenagers built the next generation of technology for them, and yeah, it caused a lot of damage. But I don't think that teenagers were necessarily trying to hurt anyone... They weren't malicious. They just were fascinated by how this stuff worked. And of course, they were also completely entranced by the celebrity of the musicians themselves.
In the interview Witt adds that a lot of those teenagers "were really kind of traumatized by their experience with the FBI I would say, and they wanted to get that story out there."

The documentary was produced by LeBron James and Eminem, "who rode the tail end of the CD boom to stratospheric heights," remembers a Fast Company opinion columnist. (And 25 years later, that columnist has gone back to listening to vinyl records, which "reignited for me a long-missing air of full engagement... Technology marches forward, except when it occasionally lurches backward...")

A ransomware attack has taken down the computer system of America's largest trial court, reports the Associated Press: The cybersecurity attack began early Friday and is not believed to be related to the faulty CrowdStrike software update that has disrupted airlines, hospitals and governments around the world, officials said in a statement Friday. The court disabled its computer network systems upon discovery of the attack, and it will remain down through at least the weekend.
Friday's statement called it "a serious security event," adding that the court is receiving help from local, state, and federal law enforcement agencies. "At this time, the preliminary investigation shows no evidence of court users' data being compromised." Over the past few years, the Court has invested heavily in its cybersecurity operations, modernizing its cybersecurity infrastructure and making strategic staff investments in the Cybersecurity Division within Court Technology Services. As a result of this investment, the Court was able to quickly detect an intrusion and address it immediately.

Due to the ongoing nature of the investigation, remediation, and recovery, the Court will not comment further until additional information is available for public release.
Sunday the Court posted on X.com that they're "working diligently to get the Court's network systems back up and running...

"When we have a better understanding of the extent to which the Court will be operational tomorrow, July 22, we will provide information and direction to court users and jurors, likely later this evening."

Slashdot covered Barrett Brown back in 2011 and 2012. The New York Times calls him "an activist associated with the hacker group Anonymous, and a political prisoner recently denied asylum in Britain, all of which sounds a bit dreary until we hear tell of it through Brown's unhinged self-regard."

They're reviewing Brown's "extraordinary" new memoir, My Glorious Defeats: Hacktivist, Narcissist, Anonymous," a book they call "deranged, hyperbolic, and true." A "machine" that focuses attention on little-known social issues, Anonymous has gone after the Church of Scientology, Koch Industries, websites hosting child pornography and the Westboro Baptist Church. The public tends to be confused by nebulous digital activities, so it was, in the collective's heyday, helpful to have Brown act as a translator between the hackers and mainstream journalists. "The year 2011 ended as it began," he writes, "with a sophisticated hack on a state-affiliated corporation that ostensibly dealt in straightforward security and analysis while secretly engaging in black ops campaigns against activists who'd proven troublesome to powerful clients."

This particular corporation was Stratfor, a company that spied on activists for the government... Brown waited for the feds to come back and drag him to jail. He also says he tried to get off suboxone in order to avoid the painful possibility of prison withdrawal, and stopped taking Paxil, inducing a manic state, all of which is given as explanation for his regrettable next move, which was to set up a camera and start talking. The feds had threatened his mother, he told the internet, and in response he was threatening Robert Smith, the lead agent on his case. He found himself in custody the same night.

Brown was then subjected to the kind of nonsense the Department of Justice is prone to inflicting on those involved in shadowy internet activities that, in fact, almost no one in the legal process understands. He was charged with participating in the hack of Stratfor, though he was not really involved and cannot code, and although the whole thing was organized by an F.B.I. informant. Brown had also retweeted a Fox News host's call to murder Julian Assange; the prosecution presented this as if he were himself calling for the murder of Assange. But generally, Brown's primary victim is himself. "My thirst for glory and hatred for the state," he writes, "were incompatible with an orthodox criminal defense, in which the limiting of one's sentence is the sole objective."

In his cell, with an eraser-less pencil he needs a compliant guard to repeatedly sharpen, he writes "The Barrett Brown Review of Arts and Letters and Jail." His mother types it up; The Intercept publishes. He develops the character he will play in his memoir: a self-aware narcissist and addict. He wins a National Magazine Award, and is especially pleased that his column "Please Stop Sending Me Jonathan Franzen Novels," wins while Franzen is in attendance.
"The state is an afterthought here — a litany of absurdist horrors too stupid to appall..." the review concludes.

"We're left with a man who refuses to look away from the deep structure of the world, an unstable position from which there is no sanctuary. My Glorious Defeats is deranged, hyperbolic and as true a work as I have read in a very long time."

2017 Slashdot headline: "People Keep Finding Hidden Cameras in Their Airbnbs."

Nearly seven years later, CNN launched their own investigation of "Airbnb's hidden camera problem". CNN: "Across North America, police have seized thousands of images from hidden cameras at Airbnb rentals, including people's most intimate moments... It's more than just a few reported cases. And Airbnb knows it's a problem. In this deposition reviewed by CNN, an Airbnb rep said 35,000 customer support tickets about security cameras or recording devices had been documented over a decade. [The deposition estimates "about" 35,000 tickets "within the scope of the security camera and recording devices policy."]

Airbnb told CNN a single complaint can involve multiple tickets.
CNN actually obtained the audio recording of an Airbnb host in Maine admitting to police that he'd photographed a couple having sex using a camera hidden in a clock — and also photographed other couples. And one Airbnb guest told CNN he'd only learned he'd been recorded "because police called him, months later, after another guest found the camera" — with police discovering cameras in every single room in the house, concealed inside smoke detectors. "Part of the challenge is that the technology has gotten so advanced, with these cameras so small that you can't even see them," CNN says.

But even though recording someone without consent is illegal in every state, CNN also found that in this case and others, Airbnb "does not contact law enforcement once hidden cameras are discovered — even if children are involved." Their reporter argues that Airbnb "not only fails to protect its guests — it works to keep complaints out of the courts and away from the public."

They spoke to two Florida attorneys who said trying to sue Airbnb if something goes wrong is extremely difficult — since its Terms of Service require users to assume every risk themselves. "The person going to rent the property agrees that if something happens while they're staying at this accommodation, they're actually prohibited from suing Airbnb," says one of the attorneys. "They must go a different route, which is a binding arbitration." (When CNN asked if this was about controlling publicity, the two lawyers answered "absolutely" and "100%".) And when claims are settled, CNN adds, "Airbnb has required guests to sign confidentiality agreements — which CNN obtained — that keep some details of legal cases private."

Responding to the story, Airbnb seemed to acknowledge guests have been secretly recorded by hosts, by calling such occurrences "exceptionally rare... When we do receive an allegation, we take appropriate, swift action, which can include removing hosts and listings that violate the policy.

"Airbnb's trust and safety policies lead the vacation rental industry..."

SolarWinds still faces some legal action over its infamous 2020 breach, reports NextGov.com. But a U.S. federal judge has dismissed most of the claims from America's Securities and Exchange Commission, which "alleged the company defrauded investors because it deliberately hid knowledge of cyber vulnerabilities in its systems ahead of a major security breach discovered in 2020."

Slashdot reader krakman shares this report from the Washington Post: "The SEC's rationale, under which the statute must be construed to broadly cover all systems public companies use to safeguard their valuable assets, would have sweeping ramifications," [judge] Engelmayer wrote in a 107-page decision. "It could empower the agency to regulate background checks used in hiring nighttime security guards, the selection of padlocks for storage sheds, safety measures at water parks on whose reliability the asset of customer goodwill depended, and the lengths and configurations of passwords required to access company computers," he wrote. The federal judge also dismissed SEC claims that SolarWinds' disclosures after it learned its customers had been affected improperly covered up the gravity of the breach...

In an era when deeply damaging hacking campaigns have become commonplace, the suit alarmed business leaders, some security executives and even former government officials, as expressed in friend-of-the-court briefs asking that it be thrown out. They argued that adding liability for misstatements would discourage hacking victims from sharing what they know with customers, investors and safety authorities. Austin-based SolarWinds said it was pleased that the judge "largely granted our motion to dismiss the SEC's claims," adding in a statement that it was "grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns."
The article notes that as far back as 2018, "an engineer warned in an internal presentation that a hacker could use the company's virtual private network from an unauthorized device and upload malicious code. Brown did not pass that information along to top executives, the judge wrote, and hackers later used that exact technique." Engelmayer did not dismiss the case entirely, allowing the SEC to try to show that SolarWinds and top security executive Timothy Brown committed securities fraud by not warning in a public "security statement" before the hack that it knew it was highly vulnerable to attacks.

The SEC "plausibly alleges that SolarWinds and Brown made sustained public misrepresentations, indeed many amounting to flat falsehoods, in the Security Statement about the adequacy of its access controls," Engelmayer wrote. "Given the centrality of cybersecurity to SolarWinds' business model as a company pitching sophisticated software products to customers for whom computer security was paramount, these misrepresentations were undeniably material."

"Many people over the past few days have been lashing out at Mozilla," writes the blog Its FOSS, "for enabling Privacy-Preserving Attribution by default on Firefox 128, and the lack of publicity surrounding its introduction."

Mozilla responded that the feature will only run "on a few sites in the U.S. under strict supervision" — adding that users can disable it at any time ("because this is a test"), and that it's only even enabled if telemetry is also enabled.

And they also emphasize that it's "not tracking." The way it works is there's an "aggregation service" that can periodically send advertisers a summary of ad-related actions — again, aggregated data, from a mass of many other users. (And Mozilla says that aggregated summary even includes "noise that provides differential privacy.") This Privacy-Preserving Attribution concept "does not involve sending information about your browsing activities to anyone... Advertisers only receive aggregate information that answers basic questions about the effectiveness of their advertising."

More from It's FOSS: Even though Mozilla mentioned that PPA would be enabled by default on Firefox 128 in a few of its past blog posts, they failed to communicate this decision clearly, to a wider audience... In response to the public outcry, Firefox CTO, Bobby Holley, had to step in to clarify what was going on.

He started with how the internet has become a massive cesspool of surveillance, and doing something about it was the primary reason many people are part of Mozilla. He then expanded on their approach with Firefox, which, historically speaking, has been to ship a browser with anti-tracking features baked in to tackle the most common surveillance techniques. But, there were two limitations with this approach. One was that advertisers would try to bypass these countermeasures. The second, most users just accept the default options that they are shown...

Bas Schouten, Principal Software Engineer at Mozilla, made it clear at the end of a heated Mastodon thread that "[opt-in features are] making privacy a privilege for the people that work to inform and educate themselves on the topic. People shouldn't need to do that, everyone deserves a more private browser. Privacy features, in Firefox, are not meant to be opt-in. They need to be the default.

"If you are 'completely anti-ads' (i.e. even if their implementation is private), you probably use an ad blocker. So are unaffected by this."
This has already provoked a discussion among Slashdot readers. "It doesn't seem that evil to me," argues Slashdot reader geekprime. "Seems like the elimination of cross site cookies is a privacy enhancing idea." (They cite Mozilla's statement that their goal is "to inform an emerging Web standard designed to help sites understand how their ads perform without collecting data about individual people. By offering sites a non-invasive alternative to cross-site tracking, we hope to achieve a significant reduction in this harmful practice across the web.")

But Slashdot reader TheNameOfNick disagrees. "How realistic is the part where advertisers stop tracking you because they get less information from the browser maker...?"

Mozilla has provided simple instructions for disabling the feature:

• Click the menu button and select Settings.
• In the Privacy & Security panel, find the Website Advertising Preferences section.
• Uncheck the box labeled Allow websites to perform privacy-preserving ad measurement.

Nigeria fined Meta for $220 million on Friday, alleging the tech giant violated the country's local consumer, data protection and privacy laws. Reuters reports: Nigeria's Federal Competition and Consumer Protection Commission (FCCPC) said Meta appropriated the data of Nigerian users on its platforms without their consent, abused its market dominance by forcing exploitative privacy policies on users, and meted out discriminatory and disparate treatment on Nigerians, compared with other jurisdictions with similar regulations. FCCPC chief Adamu Abdullahi said the investigations were jointly held with Nigeria's Data Protection Commission and spanned over 38 months. The investigations found Meta policies don't allow users the option or opportunity to self-determine or withhold consent to the gathering, use, and sharing of personal data, Abdullahi said.

"The totality of the investigation has concluded that Meta over the protracted period of time has engaged in conduct that constituted multiple and repeated, as well as continuing infringements... particularly, but not limited to abusive, and invasive practices against data subjects in Nigeria," Abdullahi said. "Being satisfied with the significant evidence on the record, and that Meta has been provided every opportunity to articulate any position, representations, refutations, explanations or defences of their conduct, the Commission have now entered a final order and issued a penalty against Meta," Abdullahi said. The final order mandates steps and actions Meta must take to comply with local laws, Abdullahi said.

An anonymous reader quotes a report from Ars Technica: Citing frustration with mobile carriers enforcing different phone-unlocking policies that are bad for consumers, the Federal Communications Commission is proposing a 60-day unlocking requirement that would apply to all wireless providers. The industry's "confusing and disparate cell phone unlocking policies" mean that "some consumers can unlock their phones with relative ease, while others face significant barriers," Commissioner Geoffrey Starks said at yesterday's FCC meeting. "It also means certain carriers are subject to mandatory unlocking requirements while others are free to dictate their own. This asymmetry is bad for both consumers and competition."

The FCC is "proposing a uniform 60-day unlocking policy" so that "consumers can choose the carrier that offers them the best value," Starks said. Unlocking a phone allows it to be used on a different carrier's network as long as the phone is compatible. The FCC approved the Notice of Proposed Rulemaking (NPRM) in a 5-0 vote. That begins a public comment period that could lead to a final rulemaking. A draft of the NPRM said the FCC "propose[s] to require all mobile wireless service providers to unlock handsets 60 days after a consumer's handset is activated with the provider, unless within the 60-day period the service provider determines the handset was purchased through fraud."

"You bought your phone, you should be able to take it to any provider you want," Rosenworcel said. "Some providers already operate this way. Others do not. In fact, some have recently increased the time their customers must wait until they can unlock their device by as much as 100 percent." Rosenworcel apparently was referring to a prepaid brand offered by T-Mobile. The NPRM draft said that "T-Mobile recently increased its locking period for one of its brands, Metro by T-Mobile, from 180 days to 365 days." The 365-day rule brought Metro into line with other T-Mobile prepaid phones that already came with the year-long lock. We reached out to T-Mobile and will update this article if it provides a comment. A merger condition imposed on T-Mobile's purchase of Sprint merely requires that it unlock prepaid phones within one year. T-Mobile imposes different unlocking policies on prepaid and postpaid phones. For postpaid devices, T-Mobile says it will unlock phones that have been active for at least 40 days, but only if any associated financing or leasing agreement has been paid in full.

OpenAI escaped a copyright lawsuit from a group of open-source programmers after they voluntarily dismissed their case against the company in federal court. From a report: The programmers, who allege the generative AI programming tool Copilot was trained on their code without proper attribution, filed their notice of voluntary dismissal Thursday, but will still have their case against GitHub and parent company Microsoft, which collaborated with OpenAI in developing the tool. The proposed class action filed in 2022 in the US District Court for the Northern District of California was the first major copyright case against OpenAI, which has since been hit with numerous lawsuits from authors and news organizations including the New York Times.

Oracle agreed to pay $115 million to settle a lawsuit accusing the database software and cloud computing company of invading people's privacy by collecting their personal information and selling it to third parties. Reuters: The plaintiffs, who otherwise have no connection to Oracle, said the company violated federal and state privacy laws and California's constitution by creating unauthorized "digital dossiers" for hundreds of millions of people. They said the dossiers contained data including where people browsed online, and where they did their banking, bought gas, dined out, shopped and used their credit cards. Oracle then allegedly sold the information directly to marketers or through products such as ID Graph, which according to the company helps marketers "orchestrate a relevant, personalized experience for each individual."

An anonymous reader quotes a report from The Record: When Florida real estate professional Susan Hicks discovered the app Forewarn over a year ago, she was shocked to learn that for a service costing about $20 a month she could instantly retrieve detailed data on prospective clients with only their phone number. "For anybody who's had exposure to this, usually the first time they see it, it blows their mind," Hicks told Recorded Future News, adding that she enthusiastically recommends the tool to the brokers she manages. "It's incredible that there's that amount of information out there that you can just access with one click." "It can be real creepy and you have to swear that you're not going to use it in a wrong manner," Hicks added, referring to Forewarn rules which say real estate agents can't share data from the app publicly or with third parties, or use the app to pull information on non-professional contacts.

Forewarn is primarily marketed to and used by the real estate industry, and it has been penetrating that market at a rapid clip. Although some real estate agents say the financial information it returns saves time when finding clients most likely to have the budget for the houses they're looking at, most agents and associations tout it primarily as a safety tool because it also supplies criminal records. In addition to those records, the product -- owned by the data broker red violet -- also supplies a given individual's address history; phone, vehicle and property records; bankruptcies; and liens and judgements, including foreclosure histories. Although such data could generally be gleaned from public records, Forewarn delivers it at the press of a button -- a function real estate agents say allows them to gather publicly available information without having to visit courthouses and municipal offices, a process which would normally take days.

The power of Forewarn's technology has led to rapid adoption, but the company is still largely unknown outside the real estate industry. Several fair housing and civil rights advocates interviewed by Recorded Future News weren't aware of its existence. The individuals whose data it sells also have no idea their information is being shared with real estate agents, who potentially might choose not to work with them because of what they discover on the app. Forewarn did not respond to multiple requests for comment, however, statements made by one of its executives suggest that the company intentionally keeps a low profile. "Do not tell the prospect that they are not permitted or unqualified to purchase or sell property because of information you obtained from Forewarn," a company executive said at a recent training webinar with Illinois real estate agents. She emphasized that potential buyers "do not get notified" when they are screened with the app, a question she said many real estate agents ask. Real estate agents who, for example, discover a client has a lien filed against them, should consider telling the prospect they "obtained this information from a confidential service that bases their information on available public record information," the executive added.

An anonymous reader quotes a report from Ars Technica: The Federal Communications Commission today voted to lower price caps on prison phone calls and closed a loophole that allowed prison telecoms to charge high rates for intrastate calls. Today's vote will cut the price of interstate calls in half and set price caps on intrastate calls for the first time. The FCC said it "voted to end exorbitant phone and video call rates that have burdened incarcerated people and their families for decades. Under the new rules, the cost of a 15-minute phone call will drop to $0.90 from as much as $11.35 in large jails and, in small jails, to $1.35 from $12.10."

The new rules are expected to take effect in January 2025 for all prisons and for jails with at least 1,000 incarcerated people. The rate caps would take effect in smaller jails in April 2025. Worth Rises, a nonprofit group advocating for prison reform, said it "estimates that the new rules will impact 83 percent of incarcerated people (about 1.4 million) and save impacted families at least $500 million annually." The nonprofit Prison Policy Institute said that prison phone companies charge ancillary fees for things "like making a deposit to fund an account." The ban on those fees "also effectively blocks a practice that we have been campaigning against for years: companies charging fees to consumers who choose to make single calls rather than fund a calling account, and deliberately steering new consumers to this higher-cost option in order to increase fee revenue," the group said.

The ancillary fee ban is a "technical-sounding change," but will help "eliminate some of the industry's dirtiest tricks that shortchange both the families and the facilities," the group said.

An anonymous reader quotes a report from TechCrunch: The U.S. Postal Service was sharing the postal addresses of its online customers with advertising and tech giants Meta, LinkedIn and Snap, TechCrunch has found. On Wednesday, the USPS said it addressed the issue and stopped the practice, claiming that it was "unaware" of it. TechCrunch found USPS was sharing customers' information by way of hidden data-collecting code (also known as tracking pixels) used across its website. Tech and advertising companies create this kind of code to collect information about the user -- such as which pages they visit -- every time a webpage containing the code loads in the customer's browser.

In the case of USPS, some of that collected data included the postal addresses of logged-in USPS Informed Delivery customers, who use the service to see photos of their incoming mail before it arrives. It's not clear how many individuals had their information collected or for how long. Informed Delivery had more than 62 million users (PDF) as of March 2024. [...] The code also collected other data, such as information about the user's computer type and browser, which appeared as partly pseudonymized -- essentially scrambled in a way that makes it more difficult for humans to know where data came from, or who it relates to, by using randomized identifiers in place of real customer names. But researchers have long warned that pseudonymous data can still be used to re-identify seemingly anonymous individuals.

TechCrunch also found that tracking numbers entered into the USPS website were also shared with advertisers and tech companies, including Bing, Google, LinkedIn, Pinterest and Snap. Some in-transit tracking data was also shared, such as the real-world location of the mail in the postal system, even if the customer was not logged in to USPS' website. USPS spokesperson Jim McKean said in a statement: "The Postal Service leverages an analytics platform for our own internal purposes, so that we understand the usage of our products and services and which we use on an aggregated basis to market our products. The Postal Service does not sell or provide any personal information that is collected from this analytics platform to any third party, and we were unaware of any configuration of the platform that collected personal information from the URL and that shared it without our knowledge with social media."

"We have taken immediate action to remediate this issue," the spokesperson added, without saying what action was taken.

An anonymous reader quotes an excerpt from TechCrunch, written by Zack Whittaker: We're over halfway through 2024, and already this year we have seen some of the biggest, most damaging data breaches in recent history. And just when you think that some of these hacks can't get any worse, they do. From huge stores of customers' personal information getting scraped, stolen and posted online, to reams of medical data covering most people in the United States getting stolen, the worst data breaches of 2024 to date have already surpassed at least 1 billion stolen records and rising. These breaches not only affect the individuals whose data was irretrievably exposed, but also embolden the criminals who profit from their malicious cyberattacks. Travel with us to the not-so-distant past to look at how some of the biggest security incidents of 2024 went down, their impact and. in some cases, how they could have been stopped. These are some of the largest breaches highlighted in the report:

AT&T's Data Breaches: AT&T experienced two data breaches in 2024, affecting nearly all its customers and many non-customers. The breaches exposed phone numbers, call records, and personal information, risking account hijacks for 7.6 million customers.
Change Healthcare Hack: A ransomware attack on Change Healthcare resulted in the theft of sensitive medical data, affecting a substantial proportion of Americans. The breach caused widespread outages in healthcare services across the U.S. and compromised personal, medical, and billing information.
Synnovis Ransomware Attack: The cyberattack on U.K. pathology lab Synnovis disrupted patient services in London hospitals for weeks, leading to thousands of postponed operations and the exposure of data related to 300 million patient interactions.
Snowflake Data Theft (Including Ticketmaster): Cybercriminals stole hundreds of millions of records from Snowflake's corporate customers, including 560 million records from Ticketmaster. The breach affected data from multiple companies and institutions, exposing vast amounts of customer and employee information.