Norway plans to enforce a strict minimum social media age of 15 to protect children from harmful content and the influence of algorithms. The Guardian reports: The Scandinavian country already has a minimum age limit of 13 in place. Despite this, more than half of nine-year-olds, 58% of 10-year-olds and 72% of 11-year-olds are on social media, according to research by the Norwegian media authority. The government has pledged to introduce more safeguards to prevent children from getting around the age restrictions -- including amending the Personal Data Act so that social media users must be 15 years old to agree that the platform can handle their personal data, and developing an age verification barrier for social media.

"It sends quite a strong signal," the prime minister told the newspaper VG on Wednesday. "Children must be protected from harmful content on social media. These are big tech giants pitted against small children's brains. We know that this is an uphill battle, because there are strong forces here, but it is also where politics is needed." While he said he understood that social media could offer lonely children a community, self-expression must not be in the power of algorithms. "On the contrary, it can cause you to become single-minded and pacified, because everything happens so fast on this screen," he added. "It is also about giving parents the security to say no," said Kjersti Toppe, the minister for children and families. "We know that many people really want to say no, but don't feel they can."

An anonymous reader quotes a report from SecurityWeek.com: White hat hackers taking part in the Pwn2Own Ireland 2024 contest organized by Trend Micro's Zero Day Initiative (ZDI) have earned half a million dollars on the first day of the event, for exploits targeting NAS devices, cameras, printers and smart speakers. The highest single reward, $100,000, was earned by Sina Kheirkhah of Summoning Team, who chained a total of nine vulnerabilities for an attack that went from a QNAP QHora-322 router to a TrueNAS Mini X storage device. Another exploit chain involving the QNAP QHora-322 and TrueNAS Mini X products was demonstrated by Viettel Cyber Security, but this team earned only $50,000.

A significant reward was also earned by Jack Dates of RET2 Systems, who received $60,000 for hacking a Sonos Era 300 smart speaker. QNAP TS-464 and Synology DiskStation DS1823XS+ NAS device exploits earned $40,000 each for two different teams. Participants also successfully demonstrated exploits against the Lorex 2K WiFi, Ubiquity AI Bullet, and Synology TC500 cameras, and HP Color LaserJet Pro MFP 3301fdw and Canon imageCLASS MF656Cdw printers. These attempts earned the hackers between $11,000 and $30,000. According to ZDI, a total of $516,250 was paid out on the first day of Pwn2Own Ireland for over 50 unique vulnerabilities.

A judge has allowed Saudi dissident Yahya Assiri to sue the kingdom for allegedly targeting his devices with Pegasus spyware and other Israeli-made surveillance tools. Reuters reports: Yahya Assiri, a founder of the opposition National Assembly Party (NAAS) who lives in exile in Britain, alleges his electronic devices were targeted with surveillance software between 2018 and 2020. He is suing Saudi Arabia at London's High Court, saying the country used Pegasus - made by Israeli company NSO Group and sold only to nation states - and other spyware made by lesser-known Israeli firm QuaDream because of his work with dissidents.

Earlier this month, Roger Eastman, a judge in the High Court, gave Assiri permission to serve his lawsuit on the Saudi government, a step that required the court to find Assiri has an arguable case. The decision announced on Monday to allow the case to be served on Saudi Arabia in Riyadh was made on Oct. 11. Assiri said in a statement: "I am fully aware that the authorities will want to target me. However, it is outrageous for them also to target individuals such as the victims of rights abuses and their families in Saudi Arabia simply because these people have been in contact with me."

A civil liberties group has filed a lawsuit in Virginia arguing that the widespread use of Flock's automated license plate readers violates the Fourth Amendment's protections against warrantless searches. 404 Media reports: "The City of Norfolk, Virginia, has installed a network of cameras that make it functionally impossible for people to drive anywhere without having their movements tracked, photographed, and stored in an AI-assisted database that enables the warrantless surveillance of their every move. This civil rights lawsuit seeks to end this dragnet surveillance program," the lawsuit notes (PDF). "In Norfolk, no one can escape the government's 172 unblinking eyes," it continues, referring to the 172 Flock cameras currently operational in Norfolk. The Fourth Amendment protects against unreasonable searches and seizures and has been ruled in many cases to protect against warrantless government surveillance, and the lawsuit specifically says Norfolk's installation violates that. [...]

The lawsuit in Norfolk is being filed by the Institute for Justice, a civil liberties organization that has filed a series of privacy and government overreach lawsuits over the last few years. Two Virginia residents, Lee Schmidt and Crystal Arrington, are listed as plaintiffs in the case. Schmidt is a Navy veteran who alleges in the lawsuit that the cops can easily infer where he is going based on Flock data. "Just outside his neighborhood, there are four Flock Cameras. Lee drives by these cameras (and others he sees around town) nearly every day, and the Norfolk Police Department [NPD] can use the information they record to build a picture of his daily habits and routines," the lawsuit reads. "If the Flock Cameras record Lee going straight through the intersection outside his neighborhood, for example, the NPD can infer that he is going to his daughter's school. If the cameras capture him turning right, the NPD can infer that he is going to the shooting range. If the cameras capture him turning left, the NPD can infer that he is going to the grocery store. The Flock Cameras capture the start of nearly every trip Lee makes in his car, so he effectively cannot leave his neighborhood without the NPD knowing about it." Arrington is a healthcare worker who makes home visits to clients in Norfolk. The lawsuit alleges that it would be trivial for the government to identify her clients. "Fourth Amendment case law overwhelmingly shows that license plate readers do not constitute a warrantless search because they take photos of cars in public and cannot continuously track the movements of any individual," a Flock spokesperson said. "Appellate and federal district courts in at least fourteen states have upheld the use of evidence from license plate readers as Constitutional without requiring a warrant, as well as the 9th and 11th circuits. Since the Bell case, four judges in Virginia have ruled the opposite way -- that ALPR evidence is admissible in court without a warrant."

Democratic senators Elizabeth Warren, Ron Wyden, Richard Blumenthal and Representative Katie Porter are demanding the Justice Department prosecute tax preparation companies for allegedly sharing sensitive taxpayer data with Meta and Google through tracking pixels. The lawmakers' call follows a Treasury Inspector General audit confirming their earlier investigation into TaxSlayer, H&R Block, and Tax Act. The audit found multiple companies failed to properly obtain consent before sharing tax return information via advertising tools. Violations could result in one-year prison terms and $1,000 fines per incident, potentially reaching billions in penalties given the scale of affected users.

In a letter shared with The Verge, the lawmakers said: "Accountability for these tax preparation companies -- who disclosed millions of taxpayers' tax return data, meaning they could potentially face billions of dollars in criminal liability -- is essential for protecting the rule of law and the privacy of taxpayers," the letter reads. "We urge you to follow the facts and the conclusions of TIGTA and the IRS and to take appropriate action against any companies or individuals that have violated the law."

Session, a small but increasingly popular encrypted messaging app, is moving its operations outside of Australia after the country's federal law enforcement agency visited an employee's residence and asked them questions about the app and a particular user. 404 Media reports: Now Session will be maintained by an entity in Switzerland. The move signals the increasing pressure on maintainers of encrypted messaging apps, both when it comes to governments seeking more data on app users, as well as targeting messaging app companies themselves, like the arrest of Telegram's CEO in August. "Ultimately, we were given the choice between remaining in Australia or relocating to a more privacy-friendly jurisdiction, such as Switzerland. For the project to continue, it could not be centred in Australia," Alex Linton, president of the newly formed Session Technology Foundation (STF) which will publish the Session app, told 404 Media in a statement. The app will still function in Australia, Linton added. Linton said that last year the Australian Federal Police (AFP) visited a Session employee at their home in the country. "There was no warrant used or meeting organised, they just went into their apartment complex and knocked on their front door," Linton said.

The AFP asked about the Session app and company, and the employee's history on the project, Linton added. The officers also asked about an ongoing investigation related to a specific Session user, he added. Linton showed 404 Media an email sent by Session's legal representatives to the AFP which reflected that series of events. Part of Session's frustration around the incident came from the AFP deciding to "visit an employee at home rather than arranging a meeting through our proper (publicly available) channels," Linton said.

WordPress sites are being compromised through malicious plugins that display fake software updates and error messages, leading to the installation of information-stealing malware. BleepingComputer reports: Since 2023, a malicious campaign called ClearFake has been used to display fake web browser update banners on compromised websites that distribute information-stealing malware. In 2024, a new campaign called ClickFix was introduced that shares many similarities with ClearFake but instead pretends to be software error messages with included fixes. However, these "fixes" are PowerShell scripts that, when executed, will download and install information-stealing malware.

Last week, GoDaddy reported that the ClearFake/ClickFix threat actors have breached over 6,000 WordPress sites to install malicious plugins that display the fake alerts associated with these campaigns. "The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins," explains GoDaddy security researcher Denis Sinegubko. "These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users."

The malicious plugins utilize names similar to legitimate plugins, such as Wordfense Security and LiteSpeed Cache, while others use generic, made-up names. Website security firm Sucuri also noted that a fake plugin named "Universal Popup Plugin" is also part of this campaign. When installed, the malicious plugin will hook various WordPress actions depending on the variant to inject a malicious JavaScript script into the HTML of the site. When loaded, this script will attempt to load a further malicious JavaScript file stored in a Binance Smart Chain (BSC) smart contract, which then loads the ClearFake or ClickFix script to display the fake banners. From web server access logs analyzed by Sinegubko, the threat actors appear to be utilizing stolen admin credentials to log into the WordPress site and install the plugin in an automated manner.

According to an internal Border Patrol memo, nearly one-third of the surveillance cameras along the U.S.-Mexico border don't work. "The nationwide issue is having significant impacts on [Border Patrol] operations," reads the memo. NBC News reports: The large-scale outage affects roughly 150 of the 500 cameras perched on surveillance towers along the U.S.-Mexico border. It was due to "several technical problems," according to the memo. The officials, who spoke on the condition of anonymity to discuss a sensitive issue, blamed outdated equipment and outstanding repair issues.

The camera systems, known as Remote Video Surveillance Systems, have been used since 2011 to "survey large areas without having to commit hundreds of agents in vehicles to perform the same function." But according to the internal memo, 30% were inoperable. It is not clear when the cameras stopped working.Two Customs and Border Protections officials said that some repairs have been made this month but that there are still over 150 outstanding requests for camera repairs. The officials said there are some areas that are not visible to Border Patrol because of broken cameras.

A Customs and Border Protection spokesperson said the agency has installed roughly 300 new towers that use more advanced technology. "CBP continues to install newer, more advanced technology that embrace artificial intelligence and machine learning to replace outdated systems, reducing the need to have agents working non-interdiction functions," the spokesperson said. The agency points the finger at the Federal Aviation Administration (FAA), which is responsible for servicing the systems and repairing the cameras. "The FAA, which services the systems and repairs the cameras, has had internal problems meeting the needs of the Border Patrol, the memo says, without elaborating on what those problems are," reports NBC News. While the FAA is sending personnel to work on the cameras, Border Patrol leaders are considering replacing them with a contractor that can provide "adequate technical support for the cameras."

Further reading: U.S. Border Surveillance Towers Have Always Been Broken (EFF)

An anonymous reader quotes a report from the Hollywood Reporter: A production company for Blade Runner 2049 has sued (PDF) Tesla, which allegedly fed images from the movie into an artificial intelligence image generator to create unlicensed promotional materials. Alcon Entertainment, in a lawsuit filed Monday in California federal court, accuses Elon Musk and his autonomous vehicle company of misappropriating the movie's brand to promote its robotaxi at a glitzy unveiling earlier this month. The producer says it doesn't want Blade Runner 2049 to be affiliated with Musk because of his "extreme political and social views," pointing to ongoing efforts with potential partners for an upcoming TV series.

The complaint, which brings claims for copyright infringement and false endorsement, also names Warner Bros. Discovery for allegedly facilitating the partnership. "Any prudent brand considering any Tesla partnership has to take Musk's massively amplified, highly politicized, capricious and arbitrary behavior, which sometimes veers into hate speech, into account," states the complaint. "Alcon did not want BR2049 to be affiliated with Musk." [...] The lawsuit cites an agreement, the details of which are unknown to Alcon, for Warners to lease or license studio lot space, access and other materials to Tesla for the event. Alcon alleges that the deal included promotional elements allowing Tesla to affiliate its products with WBD movies. WBD was Alcon's domestic distributor for the 2017 release of Blade Runner 2049. It has limited clip licensing rights, though not for Tesla's livestream TV event, the lawsuit claims.

Alcon says it wasn't informed about the brand deal until the day of the unveiling. According to the complaint, Musk communicated to WBD that he wanted to associate the robotaxi with the film. He asked the company for permission to use a still directly from the movie, which prompted an employee to send an emergency request for clearance to Alcon since international rights would be involved, the lawsuit says. The producer refused, spurring the creation of the AI images. [...] Alcon seeks unspecified damages, as well as a court order barring Tesla from further distributing the disputed promotional materials. Musk referenced Denis Villeneuve's Blade Runner movie during the robotaxi event. "You know, I love Blade Runner, but I don't know if we want that future," he said. "I believe we want that duster he's wearing, but not the, uh, not the bleak apocalypse."

I, Robot director Alex Proyas also took to X last week, writing: "Hey Elon, Can I have my designs back please?"

News Corp's Dow Jones & Co., publisher of the Wall Street Journal, and the New York Post have sued Perplexity, a startup that calls itself an "AI-powered Swiss Army Knife for information discovery and curiosity," alleging copyright infringement. From a report: "Perplexity is a generative artificial intelligence company that claims to provide its users accurate and up-to-date news and information in a platform that, in Perplexity's own words, allows users to 'Skip the Links' to original publishers' websites," the companies said in the federal lawsuit, filed Monday. "Perplexity attempts to accomplish this by engaging in a massive amount of illegal copying of publishers' copyrighted works and diverting customers and critical revenues away from those copyright holders. This suit is brought by news publishers who seek redress for Perplexity's brazen scheme to compete for readers while simultaneously freeriding on the valuable content the publishers produce."

"Who asked for any of this in the first place?" wonders a New York Times consumer-tech writer. (Alternate URL here.) "Judging from the feedback I get from readers, lots of people outside the tech industry remain uninterested in AI — and are increasingly frustrated with how difficult it has become to ignore." The companies rely on user activity to train and improve their AI systems, so they are testing this tech inside products we use every day. Typing a question such as "Is Jay-Z left-handed?" in Google will produce an AI-generated summary of the answer on top of the search results. And whenever you use the search tool inside Instagram, you may now be interacting with Meta's chatbot, Meta AI. In addition, when Apple's suite of AI tools, Apple Intelligence, arrives on iPhones and other Apple products through software updates this month, the tech will appear inside the buttons we use to edit text and photos.

The proliferation of AI in consumer technology has significant implications for our data privacy, because companies are interested in stitching together and analyzing our digital activities, including details inside our photos, messages and web searches, to improve AI systems. For users, the tools can simply be an annoyance when they don't work well. "There's a genuine distrust in this stuff, but other than that, it's a design problem," said Thorin Klosowski, a privacy and security analyst at the Electronic Frontier Foundation, a digital rights nonprofit, and a former editor at Wirecutter, the reviews site owned by The New York Times. "It's just ugly and in the way."

It helps to know how to opt out. After I contacted Microsoft, Meta, Apple and Google, they offered steps to turn off their AI tools or data collection, where possible. I'll walk you through the steps.
The article suggests logged-in Google users can toggle settings at myactivity.google.com. (Some browsers also have extensions that force Google's search results to stop inserting an AI summary at the top.) And you can also tell Edge to remove Copilot from its sidebar at edge://settings.

But "There is no way for users to turn off Meta AI, Meta said. Only in regions with stronger data protection laws, including the EU and Britain, can people deny Meta access to their personal information to build and train Meta's AI." On Instagram, for instance, people living in those places can click on "settings," then "about" and "privacy policy," which will lead to opt-out instructions. Everyone else, including users in the United States, can visit the Help Center on Facebook to ask Meta only to delete data used by third parties to develop its AI.
By comparison, when Apple releases new AI services this month, users will have to opt in, according to the article. "If you change your mind and no longer want to use Apple Intelligence, you can go back into the settings and toggle the Apple Intelligence switch off, which makes the tools go away."

It connects people, data, and money, Bill Gates wrote this week on his personal blog. But digital public infrastructure is also "revolutionizing the way entire nations serve their people, respond to crises, and grow their economies" — and the Gates Foundation sees it "as an important part of our efforts to help save lives and fight poverty in poor countries." Digital public infrastructure [or "DPI"]: digital ID systems that securely prove who you are, payment systems that move money instantly and cheaply, and data exchange platforms that allow different services to work together seamlessly... [W]ith the right investments, countries can use DPI to bypass outdated and inefficient systems, immediately adopt cutting-edge digital solutions, and leapfrog traditional development trajectories — potentially accelerating their progress by more than a decade. Countries without extensive branch banking can move straight to mobile banking, reaching far more people at a fraction of the cost. Similarly, digital ID systems can provide legal identity to millions who previously lacked official documentation, giving them access to a wide range of services — from buying a SIM card to opening a bank account to receiving social benefits like pensions.

I've heard concerns about DPI — here's how I think about them. Many people worry digital systems are a tool for government surveillance. But properly designed DPI includes safeguards against misuse and even enhances privacy... These systems also reduce the need for physical document copies that can be lost or stolen, and even create audit trails that make it easier to detect and prevent unauthorized access. The goal is to empower people, not restrict them. Then there's the fear that DPI will disenfranchise vulnerable populations like rural communities, the elderly, or those with limited digital literacy. But when it's properly designed and thoughtfully implemented, DPI actually increases inclusion — like in India, where millions of previously unbanked people now have access to financial services, and where biometric exceptions or assisted enrollment exist for people with physical disabilities or no fixed address.

Meanwhile, countries can use open-source tools — like MOSIP for digital identity and Mojaloop for payments — to build DPI that fosters competition and promotes innovation locally. By providing a common digital framework, they allow smaller companies and start-ups to build services without requiring them to create the underlying systems from scratch. Even more important, they empower countries to seek out services that address their own unique needs and challenges without forcing them to rely on proprietary systems.
"Digital public infrastructure is key to making progress on many of the issues we work on at the Gates Foundation," Bill writes, "including protecting children from preventable diseases, strengthening healthcare systems, improving the lives and livelihoods of farmers, and empowering women to control their financial futures.

"That's why we're so committed to DPI — and why we've committed $200 million over five years to supporting DPI initiatives around the world... The future is digital. Let's make sure it's a future that benefits everyone."

"Biden forgives more student loans," read Thursday's headline at CNBC.

While this time it was $4.5 billion in student debt for over 60,000 public service workers, "The Biden-Harris Administration has approved $175 billion in student debt relief for nearly 5 million borrowers through various actions," according to an announcement from the White House on Thursday. (So the average amount received by each of the 5 million students is $35,000.) CNN calculates this eliminates roughly 11% of all outstanding U.S. federal student loan debt.

This latest round of forgiveness fixed a loophole in a bipartisan program (passed during the Bush administration in 2007) called Public Service Loan Forgiveness: "For too long, the government failed to live up to its commitments, and only 7,000 people had ever received forgiveness under Public Service Loan Forgiveness before Vice President (Kamala) Harris and I took office," Biden said in a statement. "We vowed to fix that," he added... Thursday's announcement impacts about 60,000 borrowers who are now approved for approximately $4.5 billion in student debt relief under PSLF.
CNN points out the total $175 billion in forgiven student debt is more than under any other president — though it's still "less than half of the $430 billion that would've been canceled under the president's one-time forgiveness plan, which was struck down by the Supreme Court last year." The Biden administration has made it easier for about 572,000 permanently disabled borrowers to receive the debt relief to which they are entitled. It also has granted student loan forgiveness to more than 1.6 million borrowers who were defrauded by their college... The Biden administration is conducting a one-time recount of borrowers' past payments and making adjustments if they had been counted incorrectly, bringing many people closer to debt relief.

The U.S. Federal Trade Commission is investigating farm equipment maker Deere over its repair policies, focusing on whether the company's restrictions on repairs violate customers' "right to repair." Reuters reports: The investigation, authorized on Sept. 2, 2021, focuses on repair restrictions manufacturers place on hardware or software, often referred to by regulators as impeding customers' "right to repair" the goods they purchase. The probe was made public through a filing by data analytics company Hargrove & Associates Inc, which sought to quash an FTC subpoena seeking market data submitted to it by members of the Association of Equipment Manufacturers. Neither HAI nor AEM is a target of the FTC probe [...].

The FTC is probing whether Deere violated the Federal Trade Act's section 5, according to the filing. The law prohibits unfair or deceptive practices affecting commerce, and the FTC has recently used it in a broad array of cases, including against Amazon and pharmacy benefit managers.

An anonymous reader quotes a report from BleepingComputer: A new ClickFix campaign is luring users to fraudulent Google Meet conference pages showing fake connectivity errors that deliver info-stealing malware for Windows and macOS operating systems. ClickFix is a social-engineering tactic that emerged in May, first reported by cybersecurity company Proofpoint, from a threat actor (TA571) that used messages impersonating errors for Google Chrome, Microsoft Word, and OneDrive. The errors prompted the victim to copy to clipboard a piece of PowerShell code that would fix the issues by running it in Windows Command Prompt. Victims would thus infect systems with various malware such as DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and Lumma Stealer.

In July, McAfee reported that the ClickFix campaigns were becoming mode frequent, especially in the United States and Japan. A new report from Sekoia, a SaaS cybersecurity provider, notes that ClickFix campaigns have evolved significantly and now use a Google Meet lure, phishing emails targeting transport and logistics firms, fake Facebook pages, and deceptive GitHub issues. According to the French cybersecurity company, some of the more recent campaigns are conducted by two threat groups, the Slavic Nation Empire (SNE) and Scamquerteo, considered to be sub-teams of the cryptocurrency scam gangs Marko Polo and CryptoLove.

An anonymous reader quotes a report from Hackread: The United States Department of Justice (DoJ) has indicted two Sudanese nationals for their alleged role in operating the hacktivist group Anonymous Sudan. The group claimed fame for conducting "tens of thousands" of large-scale and crippling Distributed Denial of Service attacks (DDoS attacks) targeting critical infrastructure, corporate networks, and government agencies globally. Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, stand accused of conspiracy to damage protected computers. Ahmed Salah faces additional charges for damaging protected computers. The duo is believed to have controlled Anonymous Sudan, which, since early 2023, launched attacks on high-profile entities such as ChatGPT, UAE's Flydubai Airline, London Internet Exchange, Microsoft, and the Israeli BAZAN Group.

The group and its clients also utilized the Distributed Cloud Attack Tool (DCAT) to conduct over 35,000 DDoS attacks. These attacks targeted sensitive government and critical infrastructure in the U.S. and globally, including the Department of Justice, Department of Defense, FBI, State Department, and Cedars-Sinai Medical Center in Los Angeles. The attacks, which sometimes lasted days, reportedly caused major damage, often crippling websites and networks. For instance, the attack on Cedars-Sinai Medical Center forced the redirection of incoming patients for eight hours, causing over $10 million in damages to U.S. victims.

The parents of a Massachusetts student are suing his school after he was penalized for using AI in a Social Studies project, claiming it was for research purposes only. The student received a detention and a lower grade, which his parents argue could harm his college prospects. The school is defending its AI policy and fighting to dismiss the case. The Register reports: "The Plaintiff Student will suffer irreparable harm that far outweighs any harm that may befall the Defendants," their filing reads [PDF]. "He is applying to elite colleges and universities given his high level of academic and personal achievement. Early decision and early action applications in a highly competitive admissions process are imminent and start in earnest on October 1, 2024. Absent the grant of an injunction by this Court, the Student will suffer irreparable harm that is imminent."

The school, however, is fighting back with a motion to dismiss [PDF] the case. The school argues that RNH, along with his classmates, was given a copy of the student handbook in the Fall of last year, which specifically called out the use of AI by students. The class was also shown a presentation about the school's policy. Students should "not use AI tools during in-class examinations, processed writing assignments, homework or classwork unless explicitly permitted and instructed," the policy states. "RNH unequivocally used another author's language and thoughts, be it a digital and artificial author, without express permission to do so," the school argues. "Furthermore, he did not cite to his use of AI in his notes, scripts or in the project he submitted. Importantly, RNH's peers were not allowed to cut corners by using AI to craft their projects; thus, RNH acted 'unfairly in order to gain an advantage.'"

An anonymous reader shares a report: Households on individual streets will be targeted with personalised adverts under plans being rolled out by Channel 4. The channel is to use new technology which will allow brands to tailor who sees their advert by enabling them to select a demographic within a specific location down to street level. For example, someone watching Made in Chelsea on Channel 4's streaming service could be served an ad for a fashion brand in a local outlet to them if a particular fashion trend is being discussed.

Advertisers can further optimise their campaign by selecting from 26 programme genres, as well as time of day and device the show is being watched on. It forms part of a wider update to Channel 4's streaming platform that the broadcaster hopes could boost revenues by as much as $13m. The company will launch a new private marketplace enabling brands to buy advertising space directly in real-time. This will allow advertisers to amend their campaigns to respond to events, whether that be real-world events such as local weather or developments in fictional storylines within TV shows. Channel 4's new ad targeting also includes more detailed data to track whether a viewer has made a purchase after seeing an ad, as well as new viewer profiles for brands to target.

smooth wombat writes: In 2013, James Howell's partner inadvertently threw out a hard drive along with other trash. Unknown to this person, this hard drive contained approximately 8,000 bitcoins. For the past decade Howell has been petitioning the town council of Newport to excavate the landfill in the hope of recovering the drive which would now hold approximately $647 million worth of cryptocurrency. Now he is suing the council in an attempt to force them to let him excavate.

Should the hard drive be recovered, Howells thinks there is an 80 percent chance that the coins on it would be retrievable. If it all works out, he has offered the council 10% of the recovered Bitcoin: $65 million worth. But, citing environmental concerns, the council has rejected his proposal to dig through over a decade's worth of garbage. The council issued a report wherein a spokesperson said, "The council has told Mr. Howells multiple times that excavation is not possible under our environmental permit and that work of that nature would have a huge negative environmental impact on the surrounding area. The council is the only body authorized to carry out operations on the site."

An anonymous reader quotes a report from TorrentFreak: Korean game publisher Nexon is using the U.S. legal system to address online copyright infringement. The company obtained a DMCA subpoena that requires Discord to hand over the personal details of suspected pirates. While Discord has shared information in the past, it doesn't plan to cooperate any longer, refusing to play the role of 'anti-piracy police'. [...] The messaging platform wrote that it is prepared to file a motion to quash the subpoena, if needed. It further urged Nexon to withdraw their demands, and cease sending any similar 'defective' subpoenas going forward. To support its stance, Discord made a list of twenty-two general objections and reservations. Among other things, the company wants to protect user privacy and their first amendment right to anonymous speech.

"Discord objects to the Requests as infringing its users' decisions to remain anonymous, an aspect of their freedom of speech protected by the First Amendment. The Requests improperly seek to unmask anonymous speakers and consequently compel disclosure of material protected by the First Amendment," it reads. This strongly-worded letter didn't have the desired result, however. Instead of backing off, Nexon doubled down, filing a motion to compel (PDF) at a Texas federal court late last week. The game company refutes Discord's objections and asks the court to enter an order requiring Discord to produce the requested user data. Nexon says that it needs this information to protect its copyrights. "Discord's failure to cooperate discovery has impeded Nexon's ability to discover relevant, non-privileged information that will support its potential claims against the users who have provided access to the infringing material," Nexon writes. While the court has yet to rule on the matter, Discord is expected to file a formal motion to quash the subpoena in response, as indicated in its earlier communications.

Longtime Slashdot reader mprindle shares a report from BleepingComputer: Cisco has confirmed to BleepingComputer that it is investigating recent claims that it suffered a breach after a threat actor began selling allegedly stolen data on a hacking forum. [...] This statement comes after a well-known threat actor named "IntelBroker" said that he and two others called "EnergyWeaponUser and "zjj" breached Cisco on October 6, 2024, and stole a large amount of developer data from the company.

"Compromised data: Github projects, Gitlab Projects, SonarQube projects, Source code, hard coded credentials, Certificates, Customer SRCs, Cisco Confidential Documents, Jira tickets, API tokens, AWS Private buckets, Cisco Technology SRCs, Docker Builds, Azure Storage buckets, Private & Public keys, SSL Certificates, Cisco Premium Products & More!," reads the post to a hacking forum. IntelBroker also shared samples of the alleged stolen data, including a database, customer information, various customer documentation, and screenshots of customer management portals. However, the threat actor did not provide further details about how the data was obtained.

An anonymous reader quotes a report from CBC News: The murder trial of a tech consultant in the stabbing death of Cash App founder Bob Lee begins Monday, a year and a half after the widely admired entrepreneur was found staggering on a deserted downtown San Francisco street seeking help. Lee's death at age 43 stunned the tech community, and fellow executives and engineers penned tributes to his generosity and brilliance. Lee was chief product officer of cryptocurrency platform MobileCoin when he died. He was a father to two children.

Prosecutors say Nima Momeni, 40, planned the April 4 attack after a dispute over his younger sister, Khazar, with whom Lee was friends. They say Momeni took a knife from his sister's condo, drove Lee to a secluded area and stabbed him three times, then fled. Defence lawyers disagree, and they say that Lee, high on drugs, attacked Momeni. "Our theory is that Bob had the knife, and that Nima acted in self defence," attorney Saam Zangeneh said.

He said his client is eager to tell his side of the story, but they haven't decided whether Momeni will testify in his defence. Momeni, who lives in nearby Emeryville, Calif., has been in custody since his arrest days after Lee died at a San Francisco hospital. Momeni's mother has been a steadfast presence at court hearings, and he is close to his sister. [...] Momeni, who has pleaded not guilty, faces 26 years to life if convicted. San Francisco Superior Court Judge Alexandra Gordon has told jurors the trial could last until mid-December.

9to5Mac's Filipe Esposito reports: Passkeys were introduced two years ago, and they replace traditional passwords with more secure authentication using a security key or biometrics. To make the technology even better, the FIDO Alliance published on Monday new specifications for passkeys, which ensure a way to let users import and export them. Currently, there's no secure way to move passkeys between different password managers. For example, if you've stored a specific passkey in Apple's Passwords app, you can't simply move it to 1Password, or vice versa. But that will change soon.

As just announced by the FIDO Alliance, the new specifications aim to promote user choice by offering a way to import and export passkeys. The draft of the new specifications establishes the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) formats for transferring not only passkeys, but other types of credentials will also be supported. The new formats are encrypted, which ensures that credentials remain secure during the process. For comparison, most password managers currently rely on CSV files to import and export credentials, which is much less secure.

"Some prominent privacy advocates are encouraging customers to pull their data" from 23andMe, reports SFGate.

But can you actually do that? 23andMe makes it easy to feel like you've protected your genetic footprint. In their account settings, customers can download versions of their data to a computer and choose to delete the data attached to their 23andMe profile. An email then arrives with a big pink button: "Permanently Delete All Records." Doing so, it promises, will "terminate your relationship with 23andMe and irreversibly delete your account and Personal Information."

But there's another clause in the email that conflicts with that "terminate" promise. It says 23andMe and whichever contracted genotyping laboratory worked on a customer's samples will still hold on to the customer's sex, date of birth and genetic information, even after they're "deleted." The reason? The company cites "legal obligations," including federal laboratory regulations and California lab rules. The federal program, which sets quality standards for laboratories, requires that labs hold on to patient test records for at least two years; the California rule, part of the state's Business and Professions Code, requires three. When SFGATE asked 23andMe vice president of communications Katie Watson about the retention mandates, she said 23andMe does delete the genetic data after the three-year period, where applicable...

Before it's finally deleted, the data remains 23andMe property and is held under the same rules as the company's privacy policy, Watson added. If that policy changes, customers are supposed to be informed and asked for their consent. In the meantime, a hack is unfortunately always possible. Another 23andMe spokesperson, Andy Kill, told SFGATE that [CEO Anne] Wojcicki is "committed to customers' privacy and pledges to retain the current privacy policy in force for the foreseeable future, including after the acquisition she is currently pursuing."
An Electronic Frontier Foundation privacy lawyer tells SFGate there's no information more personal than your DNA. "It is like a Social Security number, it can't be changed. But it's not just a piece of paper, it's kind of you."

He urged 23andMe to leave customers' data out of any acquisition deals, and promise customers they'd avoid takeover attempts from companies with bad security — or with ties to law enforcement.

America's electric vehicle subsidies brought a 2-to-1 return on investment, according to a paper by the National Bureau of Economic Research. "That includes environmental benefits, but mostly reflects a shift of profits to the United States," reports the New York Times. "Before the climate law, tax credits were mainly used to buy foreign-made cars." "What the [subsidy legislation] did was swing the pendulum the other way, and heavily subsidized American carmakers," said Felix Tintelnot, an associate professor of economics at Duke University who was a co-author of the paper. Those benefits were undermined, however, by a loophole allowing dealers to apply the subsidy to leases of foreign-made electric vehicles. The provision sends profits to non-American companies, and since those foreign-made vehicles are on average heavier and less efficient, they impose more environmental and road-safety costs. Also, the researchers estimated that for every additional electric vehicle the new tax credits put on the road, about three other electric vehicle buyers would have made the purchases even without a $7,500 credit. That dilutes the effectiveness of the subsidies, which are forecast to cost as much as $390 billion through 2031.
The chief economist at Cox Automotive (which provided some of the data) tells the Times that "we could do better", but adds that the subsidies were "worth the money invested". But of course, that depends partly on how benefits were calculated: [U]ing the Environmental Protection Agency's "social cost of carbon" metric, they calculated the dollar cost of each model's lifetime carbon emissions from both manufacturing and driving. On average, emissions by gas-powered vehicles impose 57% greater costs than electric vehicles. The study then calculated harms from air pollution other than greenhouse gases — smog, for example. That's where electric vehicles start to perform relatively poorly, since generating the electricity for them still creates pollution. Those harms will probably fade as more wind and solar energy comes online, but they are significant. Finally, the authors added the road deaths associated with heavier cars. Batteries are heavy, so electric vehicles — especially the largest — are likelier to kill people in crashes.

Totaling these costs and then subtracting fiscal benefits through gas taxes and electricity bills, electric vehicles impose $16,003 in net harms, the authors said, while gas vehicles impose $19,239. But the range is wide, with the largest electric vehicles far outpacing many internal combustion cars.
By this methodology, a large electric pickup like the Rivian imposes three times the harms of a Prius, according to one of the study's co-authors (a Stanford professor of global environmental). And yet "we are subsidizing the Rivian and not the Prius..."

The Wall Street Journal delves into the origin story of that teenaged Grand Theft Auto VI leaker. Arion Kurtaj, now 19 years old, is the most notorious name that has emerged from a sprawling set of online communities called the Com... Their youthful inventiveness and tenacity, as well as their status as minors that make prosecution more complicated, have made the Com especially dangerous, according to law-enforcement officials and cybersecurity investigators. Some kids, they say, are recruited from popular online spaces like Minecraft or Roblox.... [William McKeen, a supervisory special agent with the FBI's Cyber Division] said the average age of anyone arrested for a crime in the U.S. is 37, while the average age of someone arrested for cybercrime is 19. Cybersecurity investigators have found posts they say suggest Kurtaj has been involved in online attacks since he was 11.
"He had limited social skills and trouble developing relationships, records say — and ultimately looked for approval in the booming world of cybercrime..." [When Kurtaj was 14] he landed in a residential school serving children with severe emotional and behavioral needs. Kurtaj was physically assaulted by a staff member at his school who was later convicted as a result, according to a person familiar with the case. In early 2021, his mother brought him home and removed him from government care, court records say. He never returned to school. He was 16.

A month after his mother pulled him out of school, investigators say that Kurtaj was part of a hacking group called Recursion Team that broke into the videogame firm Electronic Arts and stole 780 gigabytes of data. When Electronic Arts refused to engage, they dumped the stolen data online. Within a week of that hack, investigators had identified Kurtaj and provided his name to the FBI. Later in that summer of 2021, according to court records, Kurtaj partnered with another teenager, known as ASyntax, and several Brazilian hackers, and started calling themselves Lapsus$. The group hacked into the British telecommunications giant BT in an effort to steal money using a technique called SIM swapping... The hacks weren't always for money. In late 2021, Lapsus$ hacked into a website operated by Brazil's Ministry of Health and deleted the country's database of Covid vaccinations, according to law enforcement...

If the Com has a social center, it's a website called Doxbin, where users publish personal details, such as home addresses and phone numbers, of their online rivals in an attempt to intimidate each other. Kurtaj bought Doxbin in November 2021 for $75,000, according to Chainalysis. But after a few months, the previous owners accused Kurtaj of mismanaging the site and pressured him to sell it back. He relented. Then in January 2022, cybersecurity investigators say, he doxxed the entire site, publishing a database that included usernames, passwords and email addresses that he'd downloaded when he was the owner. For cybersecurity experts, it was a gold mine. "It helped investigators piece together which crimes were done by who," said Allison Nixon, chief research officer at Unit 221B, an online investigations firm.

Doxbin's owners responded with a dox of Kurtaj and his family, including his home address and photos of him, investigators say — setting up the chain of events that would put Kurtaj in the Travelodge.
After two weeks of "protective custody" there — during which time he was supposed to be computer-free — Kurtaj "was arrested a third time and charged with hacking, fraud and blackmail. Authorities said that while at the Travelodge, he broke into Uber and taunted the company by posting a link to a photo of an erect penis on the company's internal Slack messaging system, then stole software and videos from Rockstar Games. Stolen clips had popped up in a Grand Theft Auto discussion forum from a user named teapotuberhacker and stirred a frenzy.

"As officers collected evidence, the teen stood by, emotionless, police say...."

"Kurtaj's lawyers and some experts on autism have said a potential lifetime of incarceration isn't appropriate for a teenager like Kurtaj..."

Thanks to long-time Slashdot reader SpzToid for sharing the article.

In mid-2021 Ameria's National Security Advisor set up a new directorate focused on "advanced chips, quantum computing, and other cutting-edge tech," reports Wired. And the next year as Congress was working on boosting America's semiconductor sector, he was "closing in on a plan to cripple China's... In October 2022, the Commerce Department forged ahead with its new export controls."

So what happened next? In a phone call with President Biden this past spring, Xi Jinping warned that if the US continued trying to stall China's technological development, he would not "sit back and watch." And he hasn't. Already, China has answered the US export controls — and its corresponding deals with other countries — by imposing its own restrictions on critical minerals used to make semiconductors and by hoovering up older chips and manufacturing equipment it is still allowed to buy. For the past several quarters, in fact, China was the top customer for ASML and a number of Japanese chip companies. A robust black market for banned chips has also emerged in China. According to a recent New York Times investigation, some of the Chinese companies that have been barred from accessing American chips through US export controls have set up new corporations to evade those bans. (These companies have claimed no connection to the ones who've been banned.) This has reportedly enabled Chinese entities with ties to the military to obtain small amounts of Nvidia's high-powered chips.

Nvidia, meanwhile, has responded to the US actions by developing new China-specific chips that don't run afoul of the US controls but don't exactly thrill the Biden administration either. For the White House and Commerce Department, keeping pace with all of these workarounds has been a constant game of cat and mouse. In 2023, the US introduced the first round of updates to its export controls. This September, it released another — an announcement that was quickly followed by a similar expansion of controls by the Dutch. Some observers have speculated that the Biden administration's actions have only made China more determined to invest in its advanced tech sector.

And there's clearly some truth to that. But it's also true that China has been trying to become self-sufficient since long before Biden entered office. Since 2014, it has plowed nearly $100 billion into its domestic chip sector. "That was the world we walked into," [NSA Advisor Jake] Sullivan said. "Not the world we created through our export controls." The United States' actions, he argues, have only made accomplishing that mission that much tougher and costlier for Beijing. Intel CEO Pat Gelsinger estimated earlier this year that there's a "10-year gap" between the most powerful chips being made by Chinese chipmakers like SMIC and the ones Intel and Nvidia are working on, thanks in part to the export controls.

If the measure of Sullivan's success is how effectively the United States has constrained China's advancement, it's hard to argue with the evidence. "It's probably one of the biggest achievements of the entire Biden administration," said Martijn Rasser, managing director of Datenna, a leading intelligence firm focused on China. Rasser said the impact of the US export controls alone "will endure for decades." But if you're judging Sullivan's success by his more idealistic promises regarding the future of technology — the idea that the US can usher in an era of progress dominated by democratic values — well, that's a far tougher test. In many ways, the world, and the way advanced technologies are poised to shape it, feels more unsettled than ever.

Four years was always going to be too short for Sullivan to deliver on that promise. The question is whether whoever's sitting in Sullivan's seat next will pick up where he left off.

Formed in 2021 by cybersecurity professionals (and backed by high-powered VCs including Dell Technologies Capital), Halcyon sells an enterprise-grade anti-ransomware platform.

And this month they announced they're offering protection against ransomware attacks targeting Linux systems, according to Linux magazine: According to Cynet, Linux ransomware attacks increased by 75 percent in 2023 and are expected to continue to climb as more bad actors target Linux deployments... "While Windows is the favorite for desktops, Linux dominates the market for supercomputers and servers."
Here's how Halcyon's announcement made their pitch: "When it comes to ransomware protection, organizations typically prioritize securing Windows environments because that's where the ransomware operators were focusing most of their attacks. However, Linux-based systems are at the core of most any organization's infrastructure, and protecting these systems is often an afterthought," said Jon Miller, CEO & Co-founder, Halcyon. "The fact that Linux systems usually are always on and available means they provide the perfect beachhead for establishing persistence and moving laterally in a targeted network, and they can be leveraged for data theft where the exfiltration is easily masked by normal network traffic. As more ransomware operators are developing the capability to target Linux systems alongside Windows, it is imperative that organizations have the ability to keep pace with the expanded threat."

Halcyon Linux, powered through the Halcyon Anti-Ransomware Platform, uniquely secures Linux-based systems offering comprehensive protection and rapid response capabilities... Halcyon Linux monitors and detects ransomware-specific behaviors such as unauthorized access, lateral movement, or modification of critical files in real-time, providing instant alerts with critical context... When ransomware is suspected or detected, the Halcyon Ransomware Response Engine allows for rapid response and action.... Halcyon Data Exfiltration Protection (DXP) identifies and blocks unauthorized data transfers to protect sensitive information, safeguarding the sensitive data stored in Linux-based systems and endpoints...

Halcyon Linux runs with minimal resource impact, ensuring critical environments such as database servers or virtualized workloads, maintain the same performance.
And in addition, Halcyon offers "an around the clock Threat Response team, reviewing and responding to alerts," so your own corporate security teams "can attend to other pressing priorities..."

The Fifth Circuit Court of Appeals has affirmed a copyright infringement verdict against Internet provider Grande, which failed to take action against allegedly pirating subscribers. The jury's $47 million damages award in favor of the major music label plaintiffs is vacated. According to the Court (PDF), individual tracks that are part of an album, should not be counted as separate works. TorrentFreak reports: After hearing both sides, the Fifth Circuit Court of Appeals affirmed the jury verdict yesterday. Grande's arguments, suggesting that the district court mistakenly upheld the verdict earlier, were rejected. "The district court did not err in upholding the jury's unanimous liability verdict because Plaintiffs satisfied each element legally and factually," the decision reads. "The court correctly interpreted the law and instructed the jury on the relevant legal standards in light of the factual issues disputed by the parties, and Plaintiffs introduced ample evidence from which a reasonable jury could find in Plaintiffs' favor." [...]

In addition to the material contribution challenge, Grande and its supporters also pointed out that terminating Internet access isn't a "simple measure," as the jury concluded. Instead, it is drastic and overbroad, which could also impact innocent subscribers. The Court of Appeals rejects this reasoning. Instead, it states that the jury could and did conclude that terminations are a simple measure. There is no evidence to reach a different conclusion. All in all, the Court sees no reason to reverse the jury's verdict that Grande is liable for contributory infringement. This means that the jury verdict is affirmed.

Casio confirmed it suffered a ransomware attack earlier this month, resulting in the theft of personal and confidential data from employees, job candidates, business partners, and some customers. Although customer payment data was not compromised, Casio warns the impact may broaden as the investigation continues. BleepingComputer reports: The attack was disclosed Monday when Casio warned that it was facing system disruption and service outages due to unauthorized access to its networks during the weekend. Yesterday, the Underground ransomware group claimed responsibility for the attack, leaking various documents allegedly stolen from the Japanese tech giant's systems. Today, after the data was leaked, Casio published a new statement that admits that sensitive data was stolen during the attack on its network.

As to the current results of its ongoing investigation, Casio says the following information has been confirmed as likely compromised:

- Personal data of both permanent and temporary/contract employees of Casio and its affiliated companies.
- Personal details related to business partners of Casio and certain affiliates.
- Personal information of individuals who have interviewed for employment with Casio in the past.
- Personal information related to customers using services provided by Casio and its affiliated companies.
- Details related to contracts with current and past business partners.
- Financial data regarding invoices and sales transactions.
- Documents that include legal, financial, human resources planning, audit, sales, and technical information from within Casio and its affiliates.

An anonymous reader quotes a report from NPR : For the first time, internal TikTok communications have been made public that show a company unconcerned with the harms the app poses for American teenagers. This is despite its own research validating many child safety concerns. The confidential material was part of a more than two-year investigation into TikTok by 14 attorneys general that led to state officials suing the company on Tuesday. The lawsuit alleges that TikTok was designed with the express intention of addicting young people to the app. The states argue the multi-billion-dollar company deceived the public about the risks. In each of the separate lawsuits state regulators filed, dozens of internal communications, documents and research data were redacted -- blacked-out from public view -- since authorities entered into confidentiality agreements with TikTok.

But in one of the lawsuits, filed by the Kentucky Attorney General's Office, the redactions were faulty. This was revealed when Kentucky Public Radio copied-and-pasted excerpts of the redacted material, bringing to light some 30 pages of documents that had been kept secret. A group of more than a dozen states sued TikTok on Tuesday, alleging the app was intentionally designed to addict teens, something authorities say is a violation of state consumer protection laws. After Kentucky Public Radio published excerpts of the redacted material, a state judge sealed the entire complaint following a request from the attorney general's office "to ensure that any settlement documents and related information, confidential commercial and trade secret information, and other protected information was not improperly disseminated," according to an emergency motion to seal the complaint filed on Wednesday by Kentucky officials.

NPR reviewed all the portions of the suit that were redacted, which highlight TikTok executives speaking candidly about a host of dangers for children on the wildly popular video app. The material, mostly summaries of internal studies and communications, show some remedial measures -- like time-management tools -- would have a negligible reduction in screen time. The company went ahead and decided to release and tout the features. Separately, under a new law, TikTok has until January to divest from its Chinese parent company, ByteDance, or face a nationwide ban. TikTok is fighting the looming crackdown. Meanwhile, the new lawsuits from state authorities have cast scrutiny on the app and its ability to counter content that harms minors.

TechCrunch's Carly Page reports: Fidelity Investments, one of the world's largest asset managers, has confirmed that over 77,000 customers had personal information compromised during an August data breach, including Social Security numbers and driver's licenses. The Boston, Massachusetts-based investment firm said in a filing with Maine's attorney general on Wednesday that an unnamed third party accessed information from its systems between August 17 and August 19 "using two customer accounts that they had recently established."

"We detected this activity on August 19 and immediately took steps to terminate the access," Fidelity said in a letter sent to those affected, adding that the incident did not involve any access to customers' Fidelity accounts. Fidelity confirmed that a total of 77,099 customers were affected by the breach, and its completed review of the compromised data determined that customers' personal information was affected. When reached by TechCrunch, Fidelity did not say how the creation of two Fidelity customer accounts allowed access to the data of thousands of other customers.

In another data breach notice filed with New Hampshire's attorney general, Fidelity revealed that the third party "accessed and retrieved certain documents related to Fidelity customers and other individuals by submitting fraudulent requests to an internal database that housed images of documents pertaining to Fidelity customers." Fidelity said the data breach included customers' Social Security numbers and driver's licenses, according to a separate data breach notice filed by Fidelity with the Massachusetts' attorney general. No information about the breach was found on Fidelity's website at the time of writing.

The FBI created a cryptocurrency as part of an investigation into price manipulation in crypto markets, the government revealed on Wednesday. From a report: The FBI's Ethereum-based token, NexFundAI, was created with the help of "cooperating witnesses." As a result of the investigation, the Securities and Exchange Commission charged three "market makers" and nine people for allegedly engaging in schemes to boost the prices of certain crypto assets. The Department of Justice charged 18 people and entities for "widespread fraud and manipulation" in crypto markets.

The defendants allegedly made false claims about their tokens and executed so-called "wash trades" to create the impression of an active trading market, prosecutors claim. The three market makers -- ZMQuant, CLS Global, and MyTrade -- allegedly wash traded or conspired to wash trade on behalf of NexFundAI, an Ethereum-based token they didn't realize was created by the FBI.

"What the FBI uncovered in this case is essentially a new twist to old-school financial crime," Jodi Cohen, the special agent in charge of the FBI's Boston division, said in a statement. "What we uncovered has resulted in charges against the leadership of four cryptocurrency companies, and four crypto 'market makers' and their employees who are accused of spearheading a sophisticated trading scheme that allegedly bilked honest investors out of millions of dollars."

A new study suggests game piracy costs publishers 19% of revenue on average when digital rights management (DRM) protections are cracked. Research associate William Volckmann at UNC analyzed 86 games using Denuvo DRM on Steam between 2014-2022.

The study, published in Entertainment Computing, found cracks appearing in the first week after release led to 20% revenue loss, dropping to 5% for cracks after six weeks. Volckmann used Steam user reviews and player counts as proxies for sales data.

The European Union has delayed the introduction of a new biometric entry-check system for non-EU citizens, which was due to be introduced on Nov. 10, after Germany, France and the Netherlands said border computer systems were not yet ready. From a report: "Nov. 10 is no longer on the table," EU Home Affairs Commissioner Ylva Johansson told reporters. She said there was no new timetable, but that the possibility of a phased introduction was being looked at. The Entry/Exit System (EES) is supposed to create a digital record linking a travel document to biometric readings confirming a person's identity, removing the need to manually stamp passports at the EU's external border. It would require non-EU citizens arriving in the Schengen free-travel area to register their fingerprints, provide a facial scan and answer questions about their stay.

Porch pirates across the country for months have been snatching FedEx packages that contain AT&T iPhones -- within minutes or even seconds of delivery. From a report: The key to these swift crimes, investigators say: The thieves are armed with tracking numbers. Another factor that makes packages from AT&T particularly vulnerable is that AT&T typically doesn't require signature on delivery. Doorbell camera videos show the thefts in New York, Pennsylvania, Delaware, Virginia, Michigan, Georgia, Florida and Texas. The details are similar: A FedEx driver drops off a box with an iPhone from AT&T. Then a person walks up -- sometimes wearing an Amazon delivery vest -- and plucks the package off the front step. The heist can be so quick that in some videos, the FedEx driver and thief cross paths.

"They know what's getting delivered and the location," said Detective Lt. Matt Arsenault from the Gardner Police Department in Massachusetts, which is investigating several recent thefts. "They meet the delivery driver at the front door and take it." Since the pandemic, parcel carriers have reported a rise in porch thefts as workers have returned to offices and fewer people are home during the day to receive packages. Now, a spate of thefts that began a few months ago is targeting FedEx deliveries for AT&T. The two companies said they were working with law enforcement to investigate, and declined to disclose how many such packages have been stolen.

Alypius shares a report from 9to5Mac: It was revealed this weekend that Chinese hackers managed to access systems run by three of the largest internet service providers (ISPs) in the US. What's notable about the attack is that it compromised security backdoors deliberately created to allow for wiretaps by US law enforcement. [...] Apple famously refused the FBI's request to create a backdoor into iPhones to help access devices used by shooters in San Bernardino and Pensacola. The FBI was subsequently successful in accessing all the iPhones concerned without the assistance it sought.

Our arguments against such backdoors predate both cases, when Apple spoke out on the issue in the wake of terrorist attacks in Paris more than a decade ago: "Apple is absolutely right to say that the moment you build in a backdoor for use by governments, it will only be a matter of time before hackers figure it out. You cannot have an encryption system which is only a little bit insecure any more than you can be a little bit pregnant. Encryption systems are either secure or they're not -- and if they're not then it's a question of when, rather than if, others are able to exploit the vulnerability."

This latest case perfectly illustrates the point. The law required ISPs to create backdoors that could be used for wiretaps by US law enforcement, and hackers have now found and accessed them. Exactly the same would be true if Apple created backdoors into iPhones.

TorrentFreak's Andy Maxwell reports: In August, New Zealand's Justice Minister authorized Kim Dotcom's immediate arrest and extradition. Dotcom's response to his followers on X was simple: "I'm not leaving." Another post mid-September -- "we are very close to disaster" -- led to Dotcom disappearing for three weeks. On his return, Dotcom said X had suspended his account, based on an extremely serious allegation. After accusing Elon Musk of failing to help, yesterday Dotcom warned that a Trump loss would see Musk indicted and "fighting for his life." Dotcom has a plan to avoid extradition; chaos like this provides the fuel.

The details of Dotcom's "plan" to stay in New Zealand are yet to be revealed. Given Dotcom's history, exhausting the judiciary with every possible avenue of appeal is pretty much guaranteed, no matter how unlikely the prospects of success. At the same time, it's likely that Dotcom will use social media to preach to the existing choir. He will also try to appeal to those who loathe him, and those who merely hate him, by focusing on a common grievance. "People keep suggesting that I should leave this corrupt US colony like a fugitive on the run. Hell no," he told 1.7 million X followers recently. "Corrupt US colony" and the interchangeable "obedient" variant are clearly derogatory, catering to theories of joint complicity and sniveling weakness. This rhetoric has been visible on Dotcom's social media accounts for some time, but the main theme is Dotcom's belligerent, out-of-the-blue support for Russia's invasion of Ukraine. [...]

Some people believe that Dotcom genuinely supports Russia and, with his quotes regularly appearing on state-run news channels, arguing otherwise is a pretty tough ask. A different assessment starts with the things Dotcom values most -- his family, his wealth, and his freedom -- and applies that to a reputation of doing whatever it takes to protect and maintain those three, non-negotiable aspects of his life. Right now, his best chance is to tilt the chess board via a change at the White House, and then carefully exploit a change in policy. Dotcom's colleagues took a plea deal from the U.S. and New Zealand that Dotcom insists he would never accept; certainly not if Biden was in power. A Donald Trump win, on the other hand, would introduce an administration Dotcom could be seen to negotiate with, on previously unthinkable terms, without losing face. Previous reluctance to admit any wrongdoing could suddenly seem trivial after the prevention of World War 3.

[Since 2022, Dotcom supported narratives more closely aligned with those of the Kremlin, in particular the claim that United States policy is the root cause of the current conflict. The amplification of anti-Ukraine rumors in the United States, strategically links alleged U.S. policy failures to billions of dollars in military aid, all at taxpayers' expense. This toxic mix, Dotcom insists, heralds the collapse of the dollar, the dismantling of the "US Empire," and ultimately a global human catastrophe; World War 3, no holds barred.]

BleepingComputer's Lawrence Abrams: Internet Archive's "The Wayback Machine" has suffered a data breach after a threat actor compromised the website and stole a user authentication database containing 31 million unique records. News of the breach began circulating Wednesday afternoon after visitors to archive.org began seeing a JavaScript alert created by the hacker, stating that the Internet Archive was breached.

"Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!," reads a JavaScript alert shown on the compromised archive.org site. The text "HIBP" refers to is the Have I Been Pwned data breach notification service created by Troy Hunt, with whom threat actors commonly share stolen data to be added to the service.

Hunt told BleepingComputer that the threat actor shared the Internet Archive's authentication database nine days ago and it is a 6.4GB SQL file named "ia_users.sql." The database contains authentication information for registered members, including their email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data. Hunt says there are 31 million unique email addresses in the database, with many subscribed to the HIBP data breach notification service. The data will soon be added to HIBP, allowing users to enter their email and confirm if their data was exposed in this breach.

In a new 32-page filing (PDF), the Department of Justice indicated that it was considering a possible breakup of Google as an antitrust remedy for its search and advertising monopoly. The remedies necessary to "prevent and restrain monopoly maintenance could include contract requirements and prohibitions; non-discrimination product requirements; data and interoperability requirements; and structural requirements," the department said in the filing. CNBC reports: The DOJ also said it was "considering behavioral and structural remedies that would prevent Google from using products such as Chrome, Play, and Android to advantage Google search and Google search-related products and features -- including emerging search access points and features, such as artificial intelligence -- over rivals or new entrants."

Additionally, the DOJ suggested limiting or prohibiting default agreements and "other revenue-sharing arrangements related to search and search-related products." That would include Google's search position agreements with Apple's iPhone and Samsung devices -- deals that cost the company billions of dollars a year in payouts. The agency suggested one way to do this is requiring a "choice screen," which could allow users to pick from other search engines. Such remedies would end "Google's control of distribution today" and ensure "Google cannot control the distribution of tomorrow."

An anonymous reader quotes a report from TechCrunch: U.S. money transfer giant MoneyGram has confirmed that hackers stole its customers' personal information and transaction data during a cyberattack last month. The company said in a statement Monday that an unauthorized third party "accessed and acquired" customer data during the cyberattack on September 20. The cyberattack -- the nature of which remains unknown -- sparked a week-long outage that resulted in the company's website and app falling offline. MoneyGram says it serves over 50 million people in more than 200 countries and territories each year.

The stolen customer data includes names, phone numbers, postal and email addresses, dates of birth, and national identification numbers. The data also includes a "limited number" of Social Security numbers and government identification documents, such as driver's licenses and other documents that contain personal information, like utility bills and bank account numbers. MoneyGram said the types of stolen data will vary by individual. MoneyGram said that the stolen data also included transaction information, such as dates and amounts of transactions, and, "for a limited number of consumers, criminal investigation information (such as fraud)."

A Nintendo Switch modder has entered a legal battle against Nintendo without legal representation, Torrent Freak reports. Ryan Daly, alleged owner of Modded Hardware, denied all allegations in a lawsuit filed by Nintendo in July. Nintendo claims Modded Hardware offers hardware and firmware for creating and playing pirated games, as well as providing customers with pirated Nintendo titles.

The company filed suit after Daly allegedly ignored warnings to cease operations in March and May 2024. Daly's court response denies wrongdoing and ownership of the business. His defenses include fair use, invalid copyrights, and unjust enrichment. The Modded Hardware website is now password-protected.

An anonymous reader shares a report: The companies behind the streaming industry, including smart TV and streaming stick manufacturers and streaming service providers, have developed a "surveillance system" that has "long undermined privacy and consumer protection," according to a report from the Center for Digital Democracy (CDD) published today and sent to the Federal Trade Commission (FTC). Unprecedented tracking techniques aimed at pleasing advertisers have resulted in connected TVs (CTVs) being a "privacy nightmare," according to Jeffrey Chester, report co-author and CDD executive director, resulting in calls for stronger regulation.

The 48-page report, How TV Watches Us: Commercial Surveillance in the Streaming Era [PDF], cites Ars Technica, other news publications, trade publications, blog posts, and statements from big players in streaming -- from Amazon to NBCUniversal and Tubi, to LG, Samsung, and Vizio. It provides a detailed overview of the various ways that streaming services and streaming hardware target viewers in newfound ways that the CDD argues pose severe privacy risks. The nonprofit composed the report as part of efforts to encourage regulation. Today, the CDD sent letters to the FTC [PDF], Federal Communications Commission (FCC), California attorney general [PDF], and California Privacy Protection Agency (CPPA) [PDF], regarding its concerns. "Not only does CTV operate in ways that are unfair to consumers, it is also putting them and their families at risk as it gathers and uses sensitive data about health, children, race, and political interests,â Chester said in a statement.

An anonymous reader quotes a report from Reuters: The U.S. Federal Trade Commission's case accusing Amazon of stifling competition in online retail will move forward, though some of the states that sued alongside the agency had their claims dismissed, court documents showed. U.S. District Judge John Chun in Seattle unsealed his ruling from Sept. 30, which dismissed some of the claims brought by attorneys general in New Jersey, Pennsylvania, Maryland and Oklahoma. Last year, the FTC alleged Amazon.com, which has 1 billion items in its online superstore, was using an algorithm that pushed up prices U.S. households paid by more than $1 billion. Amazon has said in court papers it stopped using the program in 2019.

The FTC has accused the online retailer of using anti-competitive tactics to maintain dominance among online superstores and marketplaces. Amazon asked Chun to dismiss the case in December, saying the FTC had raised no evidence of harm to consumers. The judge said in his ruling that he cannot consider Amazon's claims that its actions benefited competition at this early stage in the case.

An anonymous Slashdot reader shared the EFF's "Deeplink" blog post: EFF, along with the ACLU and the ACLU of Mississippi, filed an amicus brief on Thursday asking a federal appellate court to continue to block Mississippi's HB 1126 — a bill that imposes age verification mandates on social media services across the internet. Our friend-of-the-court brief, filed in the U.S. Court of Appeals for the Fifth Circuit, argues that HB 1126 is "an extraordinary censorship law that violates all internet users' First Amendment rights to speak and to access protected speech" online.

HB 1126 forces social media sites to verify the age of every user and requires minors to get explicit parental consent before accessing online spaces. It also pressures them to monitor and censor content on broad, vaguely defined topics — many of which involve constitutionally protected speech. These sweeping provisions create significant barriers to the free and open internet and "force adults and minors alike to sacrifice anonymity, privacy, and security to engage in protected online expression." A federal district court already prevented HB 1126 from going into effect, ruling that it likely violated the First Amendment.

At the heart of our opposition to HB 1126 is its dangerous impact on young people's free expression. Minors enjoy the same First Amendment right as adults to access and engage in protected speech online. "No legal authority permits lawmakers to burden adults' access to political, religious, educational, and artistic speech with restrictive age-verification regimes out of a concern for what minors might see" [argues the brief]. "Nor is there any legal authority that permits lawmakers to block minors categorically from engaging in protected expression on general purpose internet sites like those regulated by HB 1126..."
"The law requires all users to verify their age before accessing social media, which could entirely block access for the millions of U.S. adults who lack government-issued ID..." And it also asks another question. "Would you want everything you do online to be linked to your government-issued ID?"

And the blog post makes one more argument. "in an era where data breaches and identity theft are alarmingly common." So the bill "puts every user's personal data at risk... No one — neither minors nor adults — should have to sacrifice their privacy or anonymity in order to exercise their free speech rights online."

Long-time Slashdot reader schwit1 shared this report from Australia's public broadcaster ABC: Ecovacs robot vacuums, which have been found to suffer from critical cybersecurity flaws, are collecting photos, videos and voice recordings — taken inside customers' houses — to train the company's AI models.

The Chinese home robotics company, which sells a range of popular Deebot models in Australia, said its users are "willingly participating" in a product improvement program.

When users opt into this program through the Ecovacs smartphone app, they are not told what data will be collected, only that it will "help us strengthen the improvement of product functions and attached quality". Users are instructed to click "above" to read the specifics, however there is no link available on that page.

Ecovacs's privacy policy — available elsewhere in the app — allows for blanket collection of user data for research purposes, including:

- The 2D or 3D map of the user's house generated by the device
- Voice recordings from the device's microphone
— Photos or videos recorded by the device's camera

"It also states that voice recordings, videos and photos that are deleted via the app may continue to be held and used by Ecovacs..."

An anonymous reader shared this report from the Washington Post: Hundreds of Americans have been arrested after being connected to a crime by facial recognition software, a Washington Post investigation has found, but many never know it because police seldom disclose their use of the controversial technology...

In fact, the records show that officers often obscured their reliance on the software in public-facing reports, saying that they identified suspects "through investigative means" or that a human source such as a witness or police officer made the initial identification... The Coral Springs Police Department in South Florida instructs officers not to reveal the use of facial recognition in written reports, according to operations deputy chief Ryan Gallagher. He said investigative techniques are exempt from Florida's public disclosure laws... The department would disclose the source of the investigative lead if it were asked in a criminal proceeding, Gallagher added....

Prosecutors are required to inform defendants about any information that would help prove their innocence, reduce their sentence or hurt the credibility of a witness testifying against them. When prosecutors fail to disclose such information — known as a "Brady violation" after the 1963 Supreme Court ruling that mandates it — the court can declare a mistrial, overturn a conviction or even sanction the prosecutor. No federal laws regulate facial recognition and courts do not agree whether AI identifications are subject to Brady rules. Some states and cities have begun mandating greater transparency around the technology, but even in these locations, the technology is either not being used that often or it's not being disclosed, according to interviews and public records requests...

Over the past four years, the Miami Police Department ran 2,500 facial recognition searches in investigations that led to at least 186 arrests and more than 50 convictions. Among the arrestees, just 1 in 16 were told about the technology's use — less than 7 percent — according to a review by The Post of public reports and interviews with some arrestees and their lawyers. The police department said that in some of those cases the technology was used for purposes other than identification, such as finding a suspect's social media feeds, but did not indicate in how many of the cases that happened. Carlos J. Martinez, the county's chief public defender, said he had no idea how many of his Miami clients were identified with facial recognition until The Post presented him with a list. "One of the basic tenets of our justice system is due process, is knowing what evidence there is against you and being able to challenge the evidence that's against you," Martinez said. "When that's kept from you, that is an all-powerful government that can trample all over us."

After reviewing The Post's findings, Miami police and local prosecutors announced plans to revise their policies to require clearer disclosure in every case involving facial recognition.
The article points out that Miami's Assistant Police Chief actually told a congressional panel on law enforcement AI use that his department is "the first to be completely transparent about" the use of facial recognition. (When confronted with the Washington Post's findings, he "acknowledged that officers may not have always informed local prosecutors [and] said the department would give prosecutors all information on the use of facial recognition, in past and future cases".

He told the Post that the department would "begin training officers to always disclose the use of facial recognition in incident reports." But he also said they would "leave it up to prosecutors to decide what to disclose to defendants."

The British Post Office scandal "was first exposed by Computer Weekly in 2009, revealing the stories of seven subpostmasters and the problems they suffered due to Horizon accounting software," remembers Computer Weekly, "which led to the most widespread miscarriage of justice in British history."

But now the Post Office "is investigating allegations that a senior executive instructed staff to destroy or conceal documents that could be of interest to the Post Office scandal public inquiry," Computer Weekly writes. A company employee acknowleged a report in an internal whistleblower program "regarding destroying or concealing material... allegations that a senior Post Office member of staff had instructed their team to destroy or conceal material of possible interest to the inquiry, and that the same individual had engaged in inappropriate behaviour." The shocking revelation echoes evidence from appeals against wrongful convictions in 2021. During the Court of Appeal trials it was revealed that a senior Post Office executive instructed employees to shred documents that undermined an insistence that its Horizon computer system was robust, amid claims that errors in the system caused unexplained accounting shortfalls.

"Pig Butchering Alert: Fraudulent Trading App targeted iOS and Android users."

That's the title of a new report released this week by cybersecurity company Group-IB revealing the official Apple App Store and Google Play store offered apps that were actually one part of a larger fraud campaign. "To complete the scam, the victim is asked to fund their account... After a few seemingly successful trades, the victim is persuaded to invest more and more money. The account balance appears to grow rapidly. However, when the victim attempts to withdraw funds, they are unable to do so."

Forbes reports: Group-IB determined that the frauds would begin with a period of social engineering reconnaissance and entrapment, during which the trust of the potential victim was gained through either a dating app, social media app or even a cold call. The attackers spent weeks on each target. Only when this "fattening up" process had reached a certain point would the fraudsters make their next move: recommending they download the trading app from the official App Store concerned.

When it comes to the iOS app, which is the one that the report focussed on, Group-IB researchers said that the app remained on the App Store for several weeks before being removed, at which point the fraudsters switched to phishing websites to distribute both iOS and Android apps. The use of official app stores, albeit only fleetingly as Apple and Google removed the fake apps in due course, bestowed a sense of authenticity to the operation as people put trust in both the Apple and Google ecosystems to protect them from potentially dangerous apps.
"The use of web-based applications further conceals the malicious activity," according to the researchers, "and makes detection more difficult." [A]fter the download is complete, the application cannot be launched immediately. The victim is then instructed by the cybercriminals to manually trust the Enterprise developer profile. Once this step is completed, the fraudulent application becomes operational... Once a user registers with the fraudulent application, they are tricked into completing several steps. First, they are asked to upload identification documents, such as an ID card or passport. Next, the user is asked to provide personal information, followed by job-related details...

The first discovered application, distributed through the Apple App Store, functions as a downloader, merely retrieving and displaying a web-app URL. In contrast, the second application, downloaded from phishing websites, already contains the web-app within its assets. We believe this approach was deliberate, since the first app was available in the official store, and the cybercriminals likely sought to minimise the risk of detection. As previously noted, the app posed as a tool for mathematical formulas, and including personal trading accounts within an iOS app would have raised immediate suspicion.
The app (which only runs on mobile phones) first launches a fake activity with formulas and graphics, according to the researchers. "We assume that this condition must bypass Apple's checks before being published to the store. As we can see, this simple trick allows cybercriminals to upload their fraudulent application to the Apple Store." They argue their research "reinforces the need for continued review of app store submissions to prevent such scams from reaching unsuspecting victims". But it also highlights "the importance of vigilance and end-user education, even when dealing with seemingly trustworthy apps..."

"Our investigation began with an analysis of Android applications at the request of our client. The client reported that a user had been tricked into installing the application as part of a stock investment scam. During our research, we uncovered a list of similar fraudulent applications, one of which was available on the Google Play Store. These apps were designed to display stock-related news and articles, giving them a false sense of legitimacy."

Wired reports on "AI-powered cameras mounted on cars and trucks, initially designed to capture license plates, but which are now photographing political lawn signs outside private homes, individuals wearing T-shirts with text, and vehicles displaying pro-abortion bumper stickers — all while recordi00ng the precise locations of these observations..."

The detailed photographs all surfaced in search results produced by the systems of DRN Data, a license-plate-recognition (LPR) company owned by Motorola Solutions. The LPR system can be used by private investigators, repossession agents, and insurance companies; a related Motorola business, called Vigilant, gives cops access to the same LPR data. However, files shared with WIRED by artist Julia Weist, who is documenting restricted datasets as part of her work, show how those with access to the LPR system can search for common phrases or names, such as those of politicians, and be served with photographs where the search term is present, even if it is not displayed on license plates... Beyond highlighting the far-reaching nature of LPR technology, which has collected billions of images of license plates, the research also shows how people's personal political views and their homes can be recorded into vast databases that can be queried.

"It really reveals the extent to which surveillance is happening on a mass scale in the quiet streets of America," says Jay Stanley, a senior policy analyst at the American Civil Liberties Union. "That surveillance is not limited just to license plates, but also to a lot of other potentially very revealing information about people."

DRN, in a statement issued to WIRED, said it complies with "all applicable laws and regulations...." Over more than a decade, DRN has amassed more than 15 billion "vehicle sightings" across the United States, and it claims in its marketing materials that it amasses more than 250 million sightings per month. Images in DRN's commercial database are shared with police using its Vigilant system, but images captured by law enforcement are not shared back into the wider database. The system is partly fueled by DRN "affiliates" who install cameras in their vehicles, such as repossession trucks, and capture license plates as they drive around. Each vehicle can have up to four cameras attached to it, capturing images in all angles. These affiliates earn monthly bonuses and can also receive free cameras and search credits...

"License plate recognition (LPR) technology supports public safety and community services, from helping to find abducted children and stolen vehicles to automating toll collection and lowering insurance premiums by mitigating insurance fraud," Jeremiah Wheeler, the president of DRN, says in a statement... Wheeler did not respond to WIRED's questions about whether there are limits on what can be searched in license plate databases, why images of homes with lawn signs but no vehicles in sight appeared in search results, or if filters are used to reduce such images.
Privacy experts shared their reactions with Wired

• "Perhaps [people] want to express themselves in their communities, to their neighbors, but they don't necessarily want to be logged into a nationwide database that's accessible to police authorities." — Jay Stanley, a senior policy analyst at the American Civil Liberties Union

• "When government or private companies promote license plate readers, they make it sound like the technology is only looking for lawbreakers or people suspected of stealing a car or involved in an amber alert, but that's just not how the technology works. The technology collects everyone's data and stores that data often for immense periods of time." — Dave Maass, an EFF director of investigations

• "The way that the country is set up was to protect citizens from government overreach, but there's not a lot put in place to protect us from private actors who are engaged in business meant to make money." — Nicole McConlogue, associate law professor at Mitchell Hamline School of Law (who has researched license-plate-surveillance systems)

Thanks to long-time Slashdot reader schwit1 for sharing the article.