Government

China Wiretaps Americans in 'Worst Hack in Our Nation's History' (gizmodo.com) 91

Longtime Slashdot reader mspohr shares a report from Gizmodo: Hackers for the Chinese government were able to deeply penetrate U.S. telecommunications infrastructure in ways that President Joe Biden's administration hasn't yet acknowledged, according to new reports from the Washington Post and New York Times. The hackers were able to listen to phone calls and read text messages, reportedly exploiting the system U.S. authorities use to wiretap Americans in criminal cases. The worst part? The networks are still compromised and it may take incredibly drastic measures to boot them from U.S. systems.

The hackers behind the infiltration of U.S. telecom infrastructure are known to Western intelligence agencies as Salt Typhoon, and this particular breach of U.S. equipment was first reported in early October by the Wall Street Journal. But Sen. Mark Warner, a Democrat from Virginia, spoke with the Washington Post and New York Times this week to warn the public that this is so much worse than we initially thought, dubbing it "the worst telecom hack in our nation's history." And those articles based on Warner's warnings were published late Thursday.

Hackers weren't able to monitor or intercept anything encrypted, according to the Times, which means that conversations over apps like Signal and Apple's iMessage were probably protected. But texts between Apple devices and Android devices, for instance, aren't end-to-end encrypted in the same way, meaning they were vulnerable to interception by Salt Typhoon, according to the Times. The details about how the hackers were able to push so deeply into U.S. systems are still scarce, but it has something to do with the ways in which U.S. authorities wiretap suspects in this country with a court order.

Wireless Networking

Russian Spies Jumped From One Network To Another Via Wi-Fi (wired.com) 18

"Steven Adair, of cybersecurity firm Volexity, revealed at the Cyberwarcon security conference how Russian hackers were able to daisy-chain as many as three separate Wi-Fi networks in their efforts to attack victims," writes longtime Slashdot reader smooth wombat. Wired reports: Adair says that Volexity first began investigating the breach of its DC customer's network in the first months of 2022, when the company saw signs of repeated intrusions into the customer's systems by hackers who had carefully covered their tracks. Volexity's analysts eventually traced the compromise to a hijacked user's account connecting to a Wi-Fi access point in a far end of the building, in a conference room with external-facing windows. Adair says he personally scoured the area looking for the source of that connection. "I went there to physically run down what it could be. We looked at smart TVs, looked for devices in closets. Is someone in the parking lot? Is it a printer?" he says. "We came up dry."

Only after the next intrusion, when Volexity managed to get more complete logs of the hackers' traffic, did its analysts solve the mystery: The company found that the hijacked machine which the hackers were using to dig around in its customer's systems was leaking the name of the domain on which it was hosted -- in fact, the name of another organization just across the road. "At that point, it was 100 percent clear where it was coming from," Adair says. "It's not a car in the street. It's the building next door." With the cooperation of that neighbor, Volexity investigated that second organization's network and found that a certain laptop was the source of the street-jumping Wi-Fi intrusion. The hackers had penetrated that device, which was plugged into a dock connected to the local network via Ethernet, and then switched on its Wi-Fi, allowing it to act as a radio-based relay into the target network. Volexity found that, to break into that target's Wi-Fi, the hackers had used credentials they'd somehow obtained online but had apparently been unable to exploit elsewhere, likely due to two-factor authentication.

Volexity eventually tracked the hackers on that second network to two possible points of intrusion. The hackers appeared to have compromised a VPN appliance owned by the other organization. But they had also broken into the organization's Wi-Fi from another network's devices in the same building, suggesting that the hackers may have daisy-chained as many as three networks via Wi-Fi to reach their final target. "Who knows how many devices or networks they compromised and were doing this on," says Adair. Volexity had presumed early on in its investigation that the hackers were Russian in origin due to their targeting of individual staffers at the customer organization focused on Ukraine. Then in April, fully two years after the original intrusion, Microsoft warned of a vulnerability in Windows' print spooler that had been used by Russia's APT28 hacker group -- Microsoft refers to the group as Forest Blizzard -- to gain administrative privileges on target machines. Remnants left behind on the very first computer Volexity had analyzed in the Wi-Fi-based breach of its customer exactly matched that technique. "It was an exact one-to-one match," Adair says.

The Courts

Google Sues Ex-Engineer In Texas Over Leaked Pixel Chip Secrets (reuters.com) 35

An anonymous reader quotes a report from Reuters: Google has sued one of its former engineers in Texas federal court, accusing him of stealing trade secrets related to its chip designs and sharing them publicly on the internet. The lawsuit, filed on Tuesday (PDF), said that Harshit Roy "touted his dominion" over the secrets in social media posts, tagging competitors and making threatening statements to the company including "I need to take unethical means to get what I am entitled to" and "remember that empires fall and so will you."

Google hired Roy in 2020 to develop computer chips used in Google Pixel devices like smartphones. Google said in the lawsuit that Roy resigned in February and moved from Bangalore, India to the United States in August to attend a doctorate program at the University of Texas at Austin. According to the complaint, Roy began posting confidential Google information to his X account later that month along with "subversive text" directed at the company, such as "don't expect me to adhere to any confidentiality agreement." The posts included photographs of internal Google documents with specifications for Pixel processing chips.

The lawsuit said that Roy ignored Google's takedown requests and has posted additional trade secrets to X and LinkedIn since October. Google alleged that Roy tagged competitors Apple and Qualcomm in some of the posts, "presumably to maximize the potential harm of his disclosure." Google's complaint also said that several news outlets have published stories with confidential details about Google's devices based on the information that Roy leaked. Google asked the court for an unspecified amount of monetary damages and court orders blocking Roy from using or sharing its secrets.

Privacy

Netflix Subpoenas Discord To ID Alleged Arcane, Squid Game Leaker 5

Netflix is looking toward Discord for help in figuring out who, exactly, is leaking unreleased footage from some of its popular shows. From a report: The Northern District of California court issued a subpoena on Thursday to compel Discord to share information that can help identify a Discord user who's reportedly involved in leaking episodes and images from Netflix shows like Arcane and Squid Game.

Documents filed alongside the subpoena specifically call out an unreleased and copyrighted image from the second season of Squid Game, posted by a Discord user @jacejohns4n. In an interview linked on the user's now-deleted X account, published on Telegram, the leaker claimed responsibility for the self-described "worst leak in streaming history," where episodes of Arcane, Heartstopper, Dandadan, Terminator Zero, and other shows were published online. Netflix confirmed in August that a post-production studio was hacked.

Privacy

Put Your Usernames and Passwords In Your Will, Advises Japan's Government (theregister.com) 83

The Register's Simon Sharwood reports: Japan's National Consumer Affairs Center on Wednesday suggested citizens start "digital end of life planning" and offered tips on how to do it. The Center's somewhat maudlin advice is motivated by recent incidents in which citizens struggled to cancel subscriptions their loved ones signed up for before their demise, because they didn't know their usernames or passwords. The resulting "digital legacy" can be unpleasant to resolve, the agency warns, so it suggested four steps to ensure our digital legacies aren't complicated:

- Ensure family members can unlock your smartphone or computer in case of emergency;
- Maintain a list of your subscriptions, user IDs and passwords;
- Consider putting those details in a document intended to be made available when your life ends;
- Use a service that allows you to designate someone to have access to your smartphone and other accounts once your time on Earth ends.

The Center suggests now is the time for it to make this suggestion because it is aware of struggles to discover and resolve ongoing expenses after death. With smartphones ubiquitous, the org fears more people will find themselves unable to resolve their loved ones' digital affairs -- and powerless to stop their credit cards being charged for services the departed cannot consume.

Education

School Did Nothing Wrong When It Punished Student For Using AI, Court Rules 129

An anonymous reader quotes a report from Ars Technica: A federal court yesterday ruled against parents who sued a Massachusetts school district for punishing their son who used an artificial intelligence tool to complete an assignment. Dale and Jennifer Harris sued Hingham High School officials and the School Committee and sought a preliminary injunction requiring the school to change their son's grade and expunge the incident from his disciplinary record before he needs to submit college applications. The parents argued that there was no rule against using AI in the student handbook, but school officials said the student violated multiple policies.

The Harrises' motion for an injunction was rejected in an order (PDF) issued yesterday from US District Court for the District of Massachusetts. US Magistrate Judge Paul Levenson found that school officials "have the better of the argument on both the facts and the law."

"On the facts, there is nothing in the preliminary factual record to suggest that HHS officials were hasty in concluding that RNH [the Harrises' son, referred to by his initials] had cheated," Levenson wrote. "Nor were the consequences Defendants imposed so heavy-handed as to exceed Defendants' considerable discretion in such matters." "On the evidence currently before the Court, I detect no wrongdoing by Defendants," Levenson also wrote.

"The manner in which RNH used Grammarly -- wholesale copying and pasting of language directly into the draft script that he submitted -- powerfully supports Defendants' conclusion that RNH knew that he was using AI in an impermissible fashion," Levenson wrote. While "the emergence of generative AI may present some nuanced challenges for educators, the issue here is not particularly nuanced, as there is no discernible pedagogical purpose in prompting Grammarly (or any other AI tool) to generate a script, regurgitating the output without citation, and claiming it as one's own work," the order said.

Levenson concluded with a quote from a 1988 Supreme Court ruling that said the education of youth "is primarily the responsibility of parents, teachers, and state and local school officials, and not of federal judges." According to Levenson, "This case well illustrates the good sense in that division of labor. The public interest here weighs in favor of Defendants."

AI

Microsoft Copilot Customers Discover It Can Let Them Read HR Documents, CEO Emails 53

According to Business Insider (paywalled), Microsoft's Copilot tool inadvertently let customers access sensitive information, such as CEO emails and HR documents. Now, Microsoft is working to fix the situation, deploying new tools and a guide to address the privacy concerns. The story was highlighted by Salesforce CEO Marc Benioff. From the report: These updates are designed "to identify and mitigate oversharing and ongoing governance concerns," the company said in a blueprint for Microsoft's 365 productivity software suite. [...] Copilot's magic -- its ability to create a 10-slide road-mapping presentation, or to summon a list of your company's most profitable products -- works by browsing and indexing all your company's internal information, like the web crawlers used by search engines. IT departments at some companies have set up lax permissions for who can access internal documents -- selecting "allow all" for the company's HR software, say, rather than going through the trouble of selecting specific users.

That didn't create much of a problem because there wasn't a tool that an average employee could use to identify and retrieve sensitive company documents -- until Copilot. As a result, some customers have deployed Copilot only to discover that it can let employees read an executive's inbox or access sensitive HR documents. "Now when Joe Blow logs into an account and kicks off Copilot, they can see everything," a Microsoft employee familiar with customer complaints said. "All of a sudden Joe Blow can see the CEO's emails."

Piracy

Spotify Has A Pirated Software Problem (404media.co) 22

An anonymous reader shares a report: People are using Spotify playlist and podcast descriptions to distribute spam, malware, pirated software and cheat codes for video games. Cybersecurity researcher Karol Paciorek posted an example of this: A Spotify playlist titled "*Sony Vegas Pro*13 C-r-a-c-k Free Download 2024 m-y-s-o-f-t-w-a-r-e-f-r-e-e.com" acts as a free advertisement for piracy website m-y-s-o-f-t-w-a-r-e-f-r-e-e[dot]com, which hosts malicious software.

"Cybercriminals exploit Spotify for #malware distribution," Paciorek posted on X. "Why? Spotify has a strong reputation and its pages are easily indexed by search engines, making it an effective platform to promote malicious links."

"The playlist title in question has been removed," a spokesperson for Spotify told 404 Media in a statement. "Spotify's Platform Rules prohibit posting, sharing, or providing instructions on implementing malware or related malicious practices that seek to harm or gain unauthorized access to computers, networks, systems, or other technologies."

The Courts

OpenAI Accidentally Deleted Potential Evidence in New York Times Copyright Lawsuit (techcrunch.com) 66

An anonymous reader shares a report: Lawyers for The New York Times and Daily News, which are suing OpenAI for allegedly scraping their works to train its AI models without permission, say OpenAI engineers accidentally deleted data potentially relevant to the case. Earlier this fall, OpenAI agreed to provide two virtual machines so that counsel for The Times and Daily News could perform searches for their copyrighted content in its AI training sets.

In a letter, attorneys for the publishers say that they and experts they hired have spent over 150 hours since November 1 searching OpenAI's training data. But on November 14, OpenAI engineers erased all the publishers' search data stored on one of the virtual machines, according to the aforementioned letter, which was filed in the U.S. District Court for the Southern District of New York late Wednesday. OpenAI tried to recover the data -- and was mostly successful. However, because the folder structure and file names were "irretrievably" lost, the recovered data "cannot be used to determine where the news plaintiffs' copied articles were used to build [OpenAI's] models," per the letter. "News plaintiffs have been forced to recreate their work from scratch using significant person-hours and computer processing time," counsel for The Times and Daily News wrote.

Google

US Regulators Seek To Break Up Google, Forcing Chrome Sale (apnews.com) 144

In a 23-page document (PDF) filed late Wednesday, U.S. regulators asked a federal judge to break up Google after a court found that the tech giant was maintaining an abusive monopoly through its dominant search engine. As punishment, the DOJ calls for a sale of Google's Chrome browser and restrictions to prevent Android from favoring its own search engine. The Associated Press reports: Although regulators stopped short of demanding Google sell Android too, they asserted the judge should make it clear the company could still be required to divest its smartphone operating system if its oversight committee continues to see evidence of misconduct. [...] The Washington, D.C. court hearings on Google's punishment are scheduled to begin in April and Mehta is aiming to issue his final decision before Labor Day. If [U.S. District Judge Amit Mehta] embraces the government's recommendations, Google would be forced to sell its 16-year-old Chrome browser within six months of the final ruling. But the company certainly would appeal any punishment, potentially prolonging a legal tussle that has dragged on for more than four years.

Besides seeking a Chrome spinoff and a corralling of the Android software, the Justice Department wants the judge to ban Google from forging multibillion-dollar deals to lock in its dominant search engine as the default option on Apple's iPhone and other devices. It would also ban Google from favoring its own services, such as YouTube or its recently-launched artificial intelligence platform, Gemini. Regulators also want Google to license the search index data it collects from people's queries to its rivals, giving them a better chance at competing with the tech giant. On the commercial side of its search engine, Google would be required to provide more transparency into how it sets the prices that advertisers pay to be listed near the top of some targeted search results. The measures, if they are ordered, threaten to upend a business expected to generate more than $300 billion in revenue this year.

"The playing field is not level because of Google's conduct, and Google's quality reflects the ill-gotten gains of an advantage illegally acquired," the Justice Department asserted in its recommendations. "The remedy must close this gap and deprive Google of these advantages."

Piracy

Z-Library Helps Students to Overcome Academic Poverty, Study Finds (torrentfreak.com) 41

A new study reveals that many users, particularly students and Redditors, view Z-Library as a vital resource for overcoming economic barriers to education, reflecting a "Robin Hood" mentality that prioritizes access to knowledge over copyright concerns. TorrentFreak reports: The research looks at the motivations of two groups; Reddit users and Chinese postgraduate students. Despite the vast differences between these groups, their views on Z-Library are quite similar. The 134 Reddit responses were sampled from the Zlibrary subreddit, which is obviously biased in favor of the site. However, the reasoning goes well beyond a simple "I want free stuff" argument. Many commenters highlighted that they were drawn to the site out of poverty, for example, or they highlighted that Z-Library was an essential tool to fulfill their academic goals.

"Living in a 3rd world country, 1 book would cost like 50%- 80% already of my daily wage," one Redditor wrote. The idea that Z-Library is a 'necessary evil' was also highlighted by other commenters. This includes a student who can barely make ends meet, and a homeless person, who has neither the money nor the space for physical books. The lack of free access to all study materials, including academic journal subscriptions at university libraries, was also a key motivator. Paired with the notion that journal publishers make billions of dollars, without compensating authors, justification is found for 'pirate' alternatives. "They make massive profits. So stealing from them doesn't hurt the authors nor reviewers, just the rich greedy publishers who make millions just to design a cover and click 'publish'," one Redditor wrote.

The second part of the study is conducted in a more structured format among 103 postgraduate students in China. This group joined a seminar where Z-Library and the crackdown were discussed. In addition, the students participated in follow-up focus group discussions, while also completing a survey. Despite not all being users of the shadow library, 41% of the students agreed that the site's (temporary) shutdown affected their ability to study and find resources for degree learning. In general, the students have a favorable view toward Z-Library and similar sites, and 71% admit that they have used a shadow library in the past. In line with China's socialist values, the overwhelming majority of the students agreed that access to knowledge should be free for everyone. While the students are aware of copyright law, they believe that the need to access knowledge outweighs rightsholders' concerns. This is also reflected in the following responses, among others. All in all, Z-Library and other shadow libraries are seen as a viable option for expensive or inaccessible books, despite potential copyright concerns.

The paper has been published in the Journal of University Teaching & Learning Practice.

Privacy

Strava Closes the Gates To Sharing Fitness Data With Other Apps (theverge.com) 6

The Verge's Richard Lawler reports: Strava recently informed its users and partners that new terms for its API restrict the data that third-party apps can show, refrain from replicating Strava's look, and place a ban on using data "for any model training related to artificial intelligence, machine learning or similar applications." The policy is effective as of November 11th, even though Strava's own post about the change is dated November 15th.

There are plenty of posts on social media complaining about the sudden shift, but one place where dissent won't be tolerated is Strava's own forums. The company says, "...posts requesting or attempting to have Strava revert business decisions will not be permitted."

Brian Bell, Strava's VP of Communications and Social Impact, said in a statement: "We anticipate that these changes will affect only a small fraction (less than .1 percent) of the applications on the Strava platform -- the overwhelming majority of existing use cases are still allowed, including coaching platforms focused on providing feedback to users and tools that help users understand their data and performance."

Piracy

Half of Young Norwegians Justify Piracy as Streaming Costs Soar 149

Half of young Norwegians find online piracy acceptable when streaming services are too expensive, according to a new government survey released this week. The Ipsos poll of 1,411 respondents found that 32% of all Norwegians justify using pirate sites to save money, with acceptance rising to 50% among those under 30.

The rates increase further when specifically asked about pirating due to high streaming costs. Despite concerns about piracy, 61% of Norwegians paid for streaming services in the past year, including 64% of those under 30. Among active pirates, 41% said they would stop if legal services were more affordable, while 35% wanted broader content per service. Only 47% of respondents believed piracy supports organized crime, with 24% expressing uncertainty about this connection.

AI

The US Patent and Trademark Office Banned Staff From Using Generative AI 33

An anonymous reader shares a report: The US Patent and Trademark Office banned the use of generative artificial intelligence for any purpose last year, citing security concerns with the technology as well as the propensity of some tools to exhibit "bias, unpredictability, and malicious behavior," according to an April 2023 internal guidance memo obtained by WIRED through a public records request. Jamie Holcombe, the chief information officer of the USPTO, wrote that the office is "committed to pursuing innovation within our agency" but are still "working to bring these capabilities to the office in a responsible way."

Paul Fucito, press secretary for the USPTO, clarified to WIRED that employees can use "state-of-the-art generative AI models" at work -- but only inside the agency's internal testing environment. "Innovators from across the USPTO are now using the AI Lab to better understand generative AI's capabilities and limitations and to prototype AI-powered solutions to critical business needs," Fucito wrote in an email.

The Courts

Indian News Agency Sues OpenAI Alleging Copyright Infringement (techcrunch.com) 10

One of India's largest news agencies, Asian News International, has sued OpenAI in a case that could set a precedent for how AI companies use copyrighted news content in the world's most populous nation. From a report: Asian News International filed a 287-page lawsuit in the Delhi High Court on Monday, alleging the AI company illegally used its content to train its AI models and generated false information attributed to the news agency. The case marks the first time an Indian media organization has taken legal action against OpenAI over copyright claims.

Chrome

DOJ Wants Google To Sell Chrome To Break Search Monopoly (9to5google.com) 108

According to Bloomberg, the U.S. Justice Department wants Google to sell off its Chrome browser as part of its ongoing search monopoly case. The recommendations will be made official on Wednesday. 9to5Google reports: At the top of the list is having Google sell Chrome "because it represents a key access point through which many people use its search engine." There are many questions about how that works, including what the impact on the underlying Chromium codebase would be. Would Google still be allowed to develop the open-source project by which many other browsers, like Microsoft Edge use? "The government has the option to decide whether a Chrome sale is necessary at a later date if some of the other aspects of the remedy create a more competitive market," reports Bloomberg. Google, which plans to appeal, previously said that "splitting off Chrome or Android would break them."

Bloomberg reports that "antitrust officials pulled back from a more severe option that would have forced Google to sell off Android." However, the government wants Google to "uncouple its Android smartphone operating system from its other products, including search and its Google Play mobile app store, which are now sold as a bundle." Meanwhile, other recommendations include licensing Google Search data and results, as well as allowing websites that are indexed for Search to opt out of AI training.

Privacy

India Orders Meta To Curb WhatsApp Data Sharing (techcrunch.com) 2

India's competition watchdog has ordered WhatsApp to stop sharing user data with other Meta units for advertising purposes for five years and also levied a fine of $25.4 million for antitrust violations related to WhatsApp's controversial 2021 privacy policy. From a report: The Competition Commission of India, which began the investigation in 2021, found that WhatsApp's "take-it-or-leave-it" privacy update constituted an abuse of Meta's dominant position by forcing users to accept expanded data collection without an opt-out option.

WhatsApp's 2021 privacy policy update required users to share their data with Meta companies in order to continue using the messaging service, removing a previous opt-out option that had existed since 2016. The mandatory data-sharing requirement expanded the scope of data collection and processing by Meta's group companies.

Privacy

Belgian Region Trials Web Founder's Data Privacy System (bloomberg.com) 9

The Belgian region of Flanders is rolling out personal data "pods" to 7 million citizens in a trial of World Wide Web inventor Tim Berners-Lee's vision for user-controlled data privacy.

Five Belgian hospitals have begun storing patient visit information in the data pods, developed by Berners-Lee's startup Inrupt over the past five years. The system aims to help compliance with European privacy regulations by giving citizens control over their personal information, from medical records to social media posts.

The initiative counters the current internet landscape dominated by major technology companies like Google and Meta, which store user data across their servers. Berners-Lee, who created the World Wide Web at CERN in 1989, advocates for returning data control to users through decentralized systems rather than leaving it vulnerable to harvesting by tech platforms and governments.

Government

What Happened When a Washington County Tried a 32-Hour Workweek? (cnn.com) 123

On a small network of islands north of Seattle, Washington, San Juan County just completed its first full year of 32-hour workweeks, reports CNN.

And Tuesday the county released a report touting "a host of positive outcomes — from recruiting to retention to employee happiness — and a cost savings of more than $975,000 compared to what the county would have paid if it met the union's pay increase demands." The county said the 32-hour workweek has attracted a host of new talent: Applications have spiked 85.5% and open positions are being filled 23.75% faster, while more employees are staying in their jobs — separation (employees quitting or retiring) dropped by 48%. And 84% of employees said their work-life balance was better. "This is meeting many of the goals that we set out to do when we implemented it," County Manager Jessica Hudson said, noting the county is looking for opportunities to expand the initiative...

Departments across San Juan County have implemented the 32-hour workweek differently, some staggering staffing to maintain their previous availability to the public while others have shortened schedules to be open just four days a week... "I tell people, you're not going to see things change from your perspective," said Joe Ingman, a park manager in the county. "Offices are going to stay open, bathrooms are going to get cleaned, grass is going to get mowed." His department adjusted schedules to stay staffed seven days a week, and while communication across shifts was an initial hurdle, issues were quickly ironed out. "It was probably the smoothest summer I've had, and I've been working in parks for over a decade," he said, crediting the new schedule as a boon for recruiting. While job postings used to languish unfilled for months, last summer the applicant pool was not only bigger but more qualified, and the two staffers he hired both cited coming to the county because of the 32-hour workweek.

"It's no more cost to the public to work 32 hours — but we have better applicants," he said. Ingman also said the four-day workweek has done wonders for his job satisfaction; he'd watched colleagues burn out for years, but now sees a path for his own future in the department... County employees have used their extra time off to spend less money on childcare, volunteer in their kids' schools, and contribute to the community... While San Juan County's motivation in adopting a shortened workweek was financial, the benefits its employees cite speak to a larger trend, as workplaces around the country increasingly explore flexible schedules to combat burnout and attract and retain talent.

A survey of CEOs this spring found nearly one third of large US companies were looking into solutions like four-day or four-and-a-half-day workweeks... Even without a reduction in total hours, a Gallup poll last year found a third day off would be widely embraced: 77% of US workers said a 4-day, 40-hour workweek would have a positive impact on their wellbeing.

One worker shared their thoughts with CNN. "Life shouldn't be about just working yourself into the ground..." And they added that "So far, I feel happy; I feel seen as an employee and as a human, and I feel like it could be a beautiful step forward for other people if we just trust it and try it."

They even had some advice for other employers. "Change happens by somebody actually doing the change. The only way we're going to find out if it works is by doing."
Government

New Pentagon Report on UFOs: Hundreds of New Incidents, No Evidence of Aliens (apnews.com) 66

"The Pentagon's latest report on UFOs has revealed hundreds of new reports of unidentified and unexplained aerial phenomena," reports the Associated Press, "but no indications suggesting an extraterrestrial origin.

"The review includes hundreds of cases of misidentified balloons, birds and satellites as well as some that defy easy explanation, such as a near-miss between a commercial airliner and a mysterious object off the coast of New York." Federal efforts to study and identify UAPs have focused on potential threats to national security or air safety and not their science fiction aspects. Officials at the Pentagon office created in 2022 to track UAPs, known as the All-Domain Anomaly Resolution Office, or AARO, have said there's no indication any of the cases they looked into have unearthly origins. "It is important to underscore that, to date, the All-Domain Anomaly Resolution Office has discovered no evidence of extraterrestrial beings, activity, or technology," the authors of the report wrote... Reporting witnesses included commercial and military pilots as well as ground-based observers. Investigators found explanations for nearly 300 of the incidents. In many cases, the unknown objects were found to be balloons, birds, aircraft, drones or satellites. According to the report, Elon Musk's Starlink satellite system is one increasingly common source as people mistake chains of satellites for UFOs. Hundreds of other cases remain unexplained, though the report's authors stressed that is often because there isn't enough information to draw firm conclusions.

No injuries or crashes were reported in any of the incidents, though a commercial flight crew reported one near miss with a "cylindrical object" while flying over the Atlantic Ocean off the coast of New York. That incident remains under investigation. In three other cases, military air crews reported being followed or shadowed by unidentified aircraft, though investigators could find no evidence to link the activity to a foreign power.

The article points out that the report's publication comes "a day after House lawmakers called for greater government transparency during a hearing on unidentified anomalous phenomena." And it concludes with this quote from Republican Representative Andy Ogles of Tennessee. "There is something out there. The question is: Is it ours, is it someone else's, or is it otherworldly?"
Government

NSO, Not Government Clients, Operates Its Spyware (theguardian.com) 45

jojowombl shares a report from The Guardian: Legal documents released in ongoing US litigation between NSO Group and WhatsApp have revealed for the first time that the Israeli cyberweapons maker -- and not its government customers -- is the party that "installs and extracts" information from mobile phones targeted by the company's hacking software. The new details were contained in sworn depositions from NSO Group employees, portions of which were published for the first time on Thursday.

It comes five years after WhatsApp, the popular messaging app owned by Facebook, first announced it was filing suit against NSO. The company, which was blacklisted by the Biden administration in 2021, makes what is widely considered the world's most sophisticated hacking software, which -- according to researchers -- has been used in the past in Saudi Arabia, Dubai, India, Mexico, Morocco and Rwanda. [...] At the heart of the legal fight was an allegation by WhatsApp that NSO had long denied: that it was the Israeli company itself, and not its government clients around the world, who were operating the spyware. NSO has always said that its product is meant to be used to prevent serious crime and terrorism, and that clients are obligated not to abuse the spyware. It has also insisted that it does not know who its clients are targeting. [...]

To make its case, WhatsApp was allowed by Judge Phyllis Hamilton to cite depositions that had previously been redacted and kept out of public view. In one, an NSO employee said customers only needed to enter a phone number of the person whose information was being sought. Then, the employee said, "the rest is done automatically by the system." In other words, the process was not operated by customers. Rather, NSO alone decided to access WhatsApp's servers when it designed (and continuously upgraded) Pegasus to target individuals' phones.
A spokesperson for NSO, Gil Lainer, said in a statement: "NSO stands behind its previous statements in which we repeatedly detailed that the system is operated solely by our clients and that neither NSO nor its employees have access to the intelligence gathered by the system. We are confident that these claims, like many others in the past, will be proven wrong in court, and we look forward to the opportunity to do so."
Privacy

T-Mobile Hacked In Massive Chinese Breach of Telecom Networks 25

Chinese hackers, reportedly linked to a Chinese intelligence agency, breached T-Mobile as part of a broader cyber-espionage campaign targeting telecom companies to spy on high-value intelligence targets. "T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information," a company spokesperson told the Wall Street Journal. Reuters reports: It was unclear what information, if any, was taken about T-Mobile customers' calls and communications records, according to the report. On Wednesday, the Federal Bureau of Investigation (FBI) and the U.S. cyber watchdog agency CISA said China-linked hackers have intercepted surveillance data intended for American law enforcement agencies after breaking into an unspecified number of telecom companies. Further reading: U.S. Wiretap Systems Targeted in China-Linked Hack
Australia

Australia To Make Big Tech Liable For Citizens' Online Safety (yahoo.com) 79

An anonymous reader quotes a report from Bloomberg: The Australian government plans to enact laws requiring big tech firms to protect its citizens online, the latest move by the center-left Labor administration to crack down on social media including through age limits and curbs on misinformation. Communications Minister Michelle Rowland announced the government's plan for a legislated Digital Duty of Care in Australia on Wednesday night, saying it aligned with similar laws in the UK and European Union. "It is now time for industry to show leadership, and for social media to recognize it has a social responsibility," Rowland said in a speech in Sydney announcing the measures. It would "keep users safe and help prevent online harms."

In response to the laws, Facebook and Instagram operator Meta Platforms Inc. called for the restrictions to be handled by app stores, such as those run by Google and Apple Inc., rather than the platforms themselves. The government has ignored those requests, but has yet to announce what fines companies would face or what age verification information will need to be provided. At the same time, Albanese has moved forward controversial laws to target misinformation and disinformation online, which opponents have labeled an attack on freedom of speech.
Earlier this month, Albanese said the government would legislate for a ban on social media for children under 16, a policy the government says is world-leading. "Social media is doing harm to our kids and I'm calling time on it," Albanese told a news conference.
Patents

Open Source Fights Back: 'We Won't Get Patent-Trolled Again' (zdnet.com) 64

ZDNet's Steven Vaughan-Nichols reports: [...] At KubeCon North America 2024 this week, CNCF executive director Priyanka Sharma said in her keynote, "Patent trolls are not contributors or even adopters in our ecosystem. Instead, they prey on cloud-native adopters by abusing the legal system. We are here to tell the world that these patent trolls don't stand a chance because CNCF is uniting the ecosystem to deter them. Like a herd of musk oxen, we will run them off our pasture." CNCF CTO Chris Aniszczyk added: "The reason trolls can make money is that many companies find it too expensive to fight back, so they pay trolls a settlement fee to avoid the even higher cost of litigation. Now, when a whole herd of companies band together like musk oxen to drive a troll off, it changes the cost structure of fighting back. It disrupts their economic model."

How? Jim Zemlin, the Linux Foundation's executive director, said, "We don't negotiate with trolls. Instead, with United Patents, we go to the PTO and crush those patents. We strive to invalidate them by working with developers who have prior art, bringing this to the attention of the USPTO, and killing patents. No negotiation, no settlement. We destroy the very asset that made patent trolls' business work. Together, since we've started this effort, 90% of the time, we've been able to go in there and destroy these patents." "It's time for us to band together," said Joanna Lee, CNCF's VP of strategic programs and legal. "We encourage all organizations in our ecosystem to get involved. Join the fight, enhance your own company's protection, protect your customers, enhance our community defense, and save money on legal expenses."

While getting your company and its legal department involved in the effort to fend off patent trolls is important, developers can also help. CNCF announced the Cloud Native Heroes Challenge, a patent troll bounty program in which cloud-native developers and technologists can earn swag and win prizes. They're asking you to find evidence of preexisting technology -- referred to by patent lawyers as "prior art" -- that can kill off bad patents. This could be open-source documentation (including release notes), published standards or specifications, product manuals, articles, blogs, books, or any publicly available information. All entrants who submit an entry that conforms to the contest rules will receive a free "Cloud Native Hero" t-shirt that can be picked up at any future KubeCon+CloudNativeCon. The winner will also receive a $3,000 cash prize.

In the inaugural contest, the CNCF is seeking information that can be used to invalidate Claim 1 from US Patent US-11695823-B1. This is the major patent asserted by Edge Networking Systems against Kubernetes users. As is often the case with such patents, it's much too broad. This patent describes a network architecture that facilitates secure and flexible programmability between a user device and across a network with full lifecycle management of services and infrastructure applications. That describes pretty much any modern cloud system. If you can find prior art that describes such a system before June 13, 2013, you could be a winner. Some such materials have already been found; these are listed in the "known references" tab of the contest information page and don't qualify. If you care about keeping open-source software easy and cheap to use -- or you believe trolls shouldn't be allowed to take advantage of companies that make or use programs -- you can help. I'll be doing some digging myself.

Crime

Teen Pleads Guilty To Making 375 'Swatting' Calls Across US (cnn.com) 166

quonset shares a report from CNN: Between August 2022 and January 2024, hundreds of swatting calls were made across the country targeting religious institutions, government offices, schools, and random people. Authorities were finally able to track down the criminal, Alan Filion, who entered the plea to four counts of making interstate threats to injure the person of another, the US Attorney's Office for the Middle District of Florida said in a news release. He faces up to five years in prison on each count. A sentencing date has not yet been set.

The US Attorney's Office said Filion made more than 375 swatting and threat calls from August 2022 to January 2024. Those calls included ones in which he claimed to have planted bombs in targeted locations or threatened to detonate bombs and/or conduct mass shootings at those locations, prosecutors said. He targeted religious institutions, high schools, colleges and universities, government officials and people across the United States. Filion was 16 at the time he placed the majority of the calls.

Government

Japanese Government To Invest $65 Billion To Support Domestic Chip Sector (datacenterdynamics.com) 6

An anonymous reader quotes a report from Data Center Dynamics: The Japanese government is planning to invest approximately $65 billion to support the country's semiconductor and AI industries. The initiative, which will run until the end of the decade, is expected to generate ~$104 billion in public and private investment during the period. According to a report from Reuters, this new round of funding will specifically target state-backed chip foundry Rapidus and other AI chip suppliers.

Rapidus was founded in November 2022 when the Japanese government and eight Japanese technology and automotive firms, including SoftBank, Sony, and NTT, invested more than $500 million to launch the business. Speaking at a news conference this week, Japanese Prime Minister Shigeru Ishiba did not provide any information about how the venture would be financed but said the government would not issue deficit-covering bonds.
Japan's government also said it won't raise taxes to finance the $65 billion plan.
The Courts

Apple Faces UK 'iCloud Monopoly' Compensation Claim Worth $3.8 Billion (techcrunch.com) 73

An anonymous reader quotes a report from TechCrunch: U.K. consumer rights group 'Which?' is filing a legal claim against Apple under competition law on behalf of some 40 million users of iCloud, its cloud storage service. The collective proceeding lawsuit, which is seeking 3 billion pounds in compensation damages (around $3.8 billion at current exchange rates), alleges that Apple has broken competition rules by giving its own cloud storage service preferential treatment and effectively locking people into paying for iCloud at "rip-off" prices. "iOS has a monopoly and is in control of Apple's operating systems and it is incumbent on Apple not to use that dominance to gain an unfair advantage in related markets, like the cloud storage market. But that is exactly what has happened," Which wrote in a press release announcing filing the claim with the U.K.'s Competition Appeal Tribunal (CAT).

The lawsuit accuses Apple of encouraging users of its devices to sign up to iCloud for photo storage and other data storage needs, while simultaneously making it difficult for consumers to use alternative storage providers -- including by not allowing them to store or back-up all of their phone's data with a third-party provider. "iOS users then have to pay for the service once photos, notes, messages and other data go over the free 5GB limit," Which noted. The suit also accuses Apple of overcharging U.K. consumers for iCloud subscriptions owing to the lack of competition. "Apple raised the price of iCloud for UK consumers by between 20% and 29% across its storage tiers in 2023," it wrote, saying it's seeking damages for all affected Apple customers -- and estimating that individual consumers could be owed an average of 70 pounds (around $90), depending on how long they've been paying Apple for iCloud services.
"Anyone who has 'obtained' iCloud services, including non-paying users, over the nine-year timeframe since the Consumer Rights Act came into force on October 1st, 2015," will be included in the claim. U.K.-based consumers will have to opt-out if they do not want to be included. "Consumers who live outside the U.K. and believe they are eligible to be included must actively opt-in to join the action," adds TechCrunch.
Sci-Fi

Experts Testify US Is Running Secret UAP Programs (npr.org) 177

During a public joint hearing today titled "Unidentified Anomalous Phenomena: Exposing the Truth," four experts testified that the U.S. is running secret UAP programs, including crash retrieval and reverse-engineering programs for advanced nonhuman technology. Although the Pentagon maintains there's no evidence of alien spacecraft, witnesses like Luis Elizondo and Michael Gold argue that UAPs represent an intelligence enigma and call for open, stigma-free study to address potential security concerns and unknown scientific possibilities. NPR reports:
Tim Gallaudet, retired rear admiral, U.S. Navy; CEO of Ocean STL Consulting, LLC
"Confirmation that UAPs are interacting with humanity came for me in January 2015," Gallaudet said in his written testimony (PDF). He describes being part of a pre-deployment naval exercise off the U.S. East Coast that culminated in the famous "Go Fast" video, in which a Navy F/A-18 jet's sensors recorded "an unidentified object exhibiting flight and structural characteristics unlike anything in our arsenal." He was among a group of commanders involved in the exercise who received an email containing the video, which was sent by the operations officer of Fleet Forces Command, Gallaudet said. "The very next day, the email disappeared from my account and those of the other recipients without explanation," he said.

Luis Elizondo, author and former Department of Defense official
Elizondo's written testimony (PDF) was brief and alleged that a secretive arms race is playing out on the global stage. "Let me be clear: UAP are real," he wrote. "Advanced technologies not made by our Government -- or any other government -- are monitoring sensitive military installations around the globe. Furthermore, the U.S. is in possession of UAP technologies, as are some of our adversaries." Elizondo is a former intelligence officer who later "managed a highly sensitive Special Access Program on behalf of the White House and the National Security Council," according to his official bio (PDF). "By 2012, [Elizondo] was the senior ranking person of the DOD's Advanced Aerospace Threat Identification Program, a secretive Pentagon unit that studied unidentified anomalous phenomena," his bio states, adding that he resigned in 2017.

Michael Gold, former NASA associate administrator of space policy and partnerships; member of NASA UAP Independent Study Team
Gold's written testimony (PDF) stressed the need for government agencies and academics to "overcome the pernicious stigma that continues to impede scientific dialogue and open discussions" about unexplained phenomena. "As the saying goes, the truth is out there," Gold said, "we just need to be bold enough and brave enough to face it."

Michael Shellenberger, founder of Public, a news outlet on the Substack platform
Shellenberger's testimony (PDF) ran to some 214 pages, including a lengthy timeline of UAP reports from 1947 to 2023. Shellenberger pressed the White House and Congress to act, calling for the adoption of UAP transparency legislation and cutting funds for any related programs that aren't disclosed to lawmakers. "UAP transparency is bi-partisan and critical to our national security," his written testimony stated.
You can watch the proceeding here.
Crime

FBI Seizes Polymarket CEO's Phone, Electronics After Betting Platform Predicts Trump Win (nypost.com) 134

The FBI raided Polymarket CEO Shayne Coplan's Manhattan apartment, seizing his phone and electronic devices. A source close to the matter told The New York Post it was politically motivated due to Polymarket's successful prediction of Trump's election win. It's "grand political theater at its worst," the source said. "They could have asked his lawyer for any of these things. Instead, they staged a so-called raid so they can leak it to the media and use it for obvious political reasons."

Although no charges were filed, the raid has sparked controversy, with speculation of political retribution and concerns over potential market manipulation, as Polymarket faces scrutiny both in the U.S. and from French regulators. The New York Post reports: Coplan was not arrested and has not been charged, a Polymarket spokesperson told The Post on Wednesday evening. "Polymarket is a fully transparent prediction market that helps everyday people better understand the events that matter most to them, including elections," the rep said. "We charge no fees, take no trading positions, and allow observers from around the world to analyze all market data as a public good."

Coplan posted on X after his run-in with the feds: "New phone, who dis?" Polymarket does not allow trading in the US, though bettors can bypass the ban by accessing the site through VPN. The FBI's investigation comes a week after Coplan said Polymarket is planning to return to the US. [...] In 2022, the online gambling platform was forced to pause its trading in the US and pay a $1.4 million penalty to settle charges with the Commodity Futures Trading Commission that it had failed to register with the agency. [In France, regulators are investigating Polymarket's compliance with national gambling laws, with concerns about unauthorized gambling activities within the country.]
A Fortune report published a week before the election found widespread evidence of wash-trading on Polymarket. "Polymarket's Terms of Use expressly prohibit market manipulation," a Polymarket spokesperson told Fortune in a statement.
Privacy

Secret Service Says You Agreed To Be Tracked With Location Data (404media.co) 103

An anonymous reader shares a report: Officials inside the Secret Service clashed over whether they needed a warrant to use location data harvested from ordinary apps installed on smartphones, with some arguing that citizens have agreed to be tracked with such data by accepting app terms of service, despite those apps often not saying their data may end up with the authorities, according to hundreds of pages of internal Secret Service emails obtained by 404 Media.

The emails provide deeper insight into the agency's use of Locate X, a powerful surveillance capability that allows law enforcement officials to follow a phone's, and thus a person's, precise movements over time at the click of a mouse. In 2023, a government oversight body found that the Secret Service, Customs and Border Protection, and Immigration and Customs Enforcement all used their access to such location data illegally. The Secret Service told 404 Media in an email last week it is no longer using the tool. "If USSS [U.S. Secret Service] is using Locate X, that is most concerning to us," one of the internal emails said. 404 Media obtained them and other documents through a Freedom of Information Act (FOIA) request with the Secret Service.

Canada

Canada Passes New Right To Repair Rules With the Same Old Problem (theregister.com) 16

An anonymous reader quotes a report from The Register: Royal assent was granted to two right to repair bills last week that amend Canada's Copyright Act to allow the circumvention of technological protection measures (TPMs) if this is done for the purposes of "maintaining or repairing a product, including any related diagnosing," and "to make the program or a device in which it is embedded interoperable with any other computer program, device or component." The pair of bills allow device owners to not only repair their own stuff regardless of how a program is written to prevent such non-OEM measures, but said owners can also make their devices work with third-party components without needing to go through the manufacturer to do so.

Bills C-244 (repairability) and C-294 (interoperability) go a long way toward advancing the right to repair in Canada and, as iFixit pointed out, are the first federal laws anywhere that address how TPMs restrict the right to repair -- but they're hardly final. TPMs can take a number of forms, from simple administrative passwords to encryption, registration keys, or even the need for a physical object like a USB dongle to unlock access to copyrighted components of a device's software. Most commercially manufactured devices with proprietary embedded software include some form of TPM, and neither C-244 nor C-294 places any restrictions on the use of such measures by manufacturers. As iFixit points out, neither Copyright Act amendment does anything to expand access to the tools needed to circumvent TPMs. That puts Canadians in a similar position to US repair advocates, who in 2021 saw the US Copyright Office loosen DMCA restrictions to allow limited repairs of some devices despite TPMs, but without allowing access to the tools needed to do so. [...]

Canadian Repair Coalition co-founder Anthony Rosborough said last week that the new repairability and interoperability rules represent considerable progress, but like similar changes in the US, don't actually amount to much without the right to distribute tools. "New regulations are needed that require manufacturers and vendors to ensure that products and devices are designed with accessibility of repairs in mind," Rosborough wrote in an op-ed last week. "Businesses need to be able to carry out their work without the fear of infringing various intellectual property rights."

Crime

Discord Leaker Sentenced To 15 Years In Prison (nbcnews.com) 89

An anonymous reader quotes a report from NBC News: Former Massachusetts Air National Guard member Jack Teixeira was sentenced Tuesday to 15 years for stealing classified information from the Pentagon and sharing it online, the U.S. Attorney for Massachusetts announced. Teixeira received the sentence before Judge Indira Talwani in U.S. District Court for the District of Massachusetts. In March, the national guardsman pleaded guilty to six counts of willful retention and transmission of national defense information under the Espionage Act. He was arrested by the FBI in North Dighton, Massachusetts, in April 2023 and has been in federal custody since mid-May 2023.

According to court documents, Teixeira transcribed classified documents that he then shared on Discord, a social media platform mostly used by online gamers. He began sharing the documents in or around 2022. A document he was accused of leaking included information about providing equipment to Ukraine, while another included discussions about a foreign adversary's plot to target American forces abroad, prosecutors said. [...] While the documents were discovered online in March 2023, Teixeira had been sharing them online since January of that year, according to prosecutors.

Privacy

Open Source Project DeFlock Is Mapping License Plate Surveillance Cameras All Over the World (404media.co) 35

An anonymous reader quotes a report from 404 Media: Flock is one of the largest vendors of automated license plate readers (ALPRs) in the country. The company markets itself as having the goal to fully "eliminate crime" with the use of ALPRs and other connected surveillance cameras, a target experts say is impossible. [...] Flock and automated license plate reader cameras owned by other companies are now in thousands of neighborhoods around the country. Many of these systems talk to each other and plug into other surveillance systems, making it possible to track people all over the country.

"It went from me seeing 10 license plate readers to probably seeing 50 or 60 in a few days of driving around," [said Alabama resident and developer Will Freeman]. "I wanted to make a record of these things. I thought, 'Can I make a database of these license plate readers?'" And so he made a map, and called it DeFlock. DeFlock runs on Open Street Map, an open source, editable mapping software. He began posting signs for DeFlock (PDF) to the posts holding up Huntsville's ALPR cameras, and made a post about the project to the Huntsville subreddit, which got good attention from people who lived there. People have been plotting not just Flock ALPRs, but all sorts of ALPRs, all over the world. [...]

When I first talked to Freeman, DeFlock had a few dozen cameras mapped in Huntsville and a handful mapped in Southern California and in the Seattle suburbs. A week later, as I write this, DeFlock has crowdsourced the locations of thousands of cameras in dozens of cities across the United States and the world. He said so far more than 1,700 cameras have been reported in the United States and more than 5,600 have been reported around the world. He has also begun scraping parts of Flock's website to give people a better idea of where to look to map them. For example, Flock says that Colton, California, a city with just over 50,000 people outside of San Bernardino, has 677 cameras.

People who submit cameras to DeFlock have the ability to note the direction that they are pointing in, which can help people understand how these cameras are being positioned and the strategies that companies and police departments are using when deploying them. For example, all of the cameras in downtown Huntsville are pointing away from the downtown core, meaning they are primarily focused on detecting cars that are entering downtown Huntsville from other areas.

Links

Apple Will Let You Share AirTag Locations With a Link (theverge.com) 16

With iOS 18.2, Apple will allow you to share the location of a lost AirTag with other people and with more than 15 different airlines. The Verge reports: When using the feature, you can generate a Share Item Location link within the Find My app on an iPhone, iPad, or Mac. Once you share the link with someone, they can click on it to view an interactive map with the location of your lost item. Apple will update the website automatically when the lost item moves, and it will also display a timestamp when it moved last. Apple will turn off the feature once you find your lost item. You can also manually stop sharing the location of an AirTag at any time, or the link will "automatically expire after seven days." [...]

As part of the rollout, Apple is partnering with over 15 airlines, including Delta, United, Virgin Atlantic, Lufthansa, Air Canada, and more. All of these airlines will be able to "privately and securely" accept links to lost items, as "access to each link will be limited to a small number of people, and recipients will be required to authenticate in order to view the link through either their Apple Account or partner email address." This feature will be available to airlines in the "coming months." Additionally, SITA, a baggage tracing solution, will also implement Share Item Location into its luggage tracker.

The Courts

FTX Sues Crypto Exchange Binance and Its Former CEO Zhao For $1.8 Billion 7

The FTX estate has filed a lawsuit against Binance and former CEO Changpeng Zhao, seeking to recover $1.76 billion, alleging a "fraudulent" 2021 share deal that involved funding from FTX's insolvent Alameda Research. The suit also accuses Zhao of misleading social media posts that allegedly spurred customer withdrawals and contributed to FTX's collapse. CNBC reports: In a Sunday filing with a Delaware court, FTX cites a 2021 transaction in which Binance, Zhao and others exited their investment in FTX, selling a 20% stake in the platform and an 18.4% stake in its U.S.-based entity West Realm Shires back to the company. The FTX estate alleges that the share repurchase was funded by FTX's Alameda Research division through a combination of the company's and Binance's exchange tokens, as well as Binance's dollar-pegged stablecoin.

"Alameda was insolvent at the time of the share repurchase and could not afford to fund the transaction," the suit claims, labeling the deal agreed with FTX co-founder Sam Bankman-Fried -- who's now serving a 25-year sentence over fraud linked to the downfall of his exchange -- a "constructive fraudulent transfer." Binance denies the allegations, saying in an emailed statement, "The claims are meritless, and we will vigorously defend ourselves."

Government

Gig-Working Uber and Lyft Drivers Can Unionize, Say Massachusetts Voters (reuters.com) 53

On Tuesday Massachusetts voted to become the first state to allow gig-working drivers to join labor unions, reports WBUR: Since these gig workers are classified as independent contractors, federal law allowing employees the right to unionize does not apply to them. With the passage of this ballot initiative, Massachusetts is the first state to give ride-hailing drivers the ability to collectively bargain over working conditions.

Supporters have said the ballot measure "could provide a model for other states to let Uber and Lyft drivers unionize," reports Reuters, "and inspire efforts to organize them around the United States." Roxana Rivera, assistant to the president of 32BJ SEIU, an affiliate of the Service Employees International Union, which had spearheaded a campaign to pass the proposal, said its approval shows that Massachusetts voters want drivers to have a meaningful check against the growing power of app-based companies... The Massachusetts vote was the latest front in a years-long battle in the United States over whether ride-share drivers should be considered to be independent contractors or employees entitled to benefits and wage protections. Studies have shown that using contractors can cost companies as much as 30% less than employees.

Drivers for Uber and Lyft, including approximately 70,000 in Massachusetts, do not have the right to organize under the National Labor Relations Act... Under the Massachusetts measure, drivers can form a union after collecting signatures from at least 25% of active drivers in Massachusetts, and companies can form associations to allow them to jointly negotiate with the union during state-supervised talks.

But the Boston Globe points out that the measure "divided labor advocates in Massachusetts, some of whom worry it would in fact be a step backward in the lengthy fight to boost the rights of gig workers." Those concerns led the state's largest labor organization, the AFL-CIO, to remain neutral. But two unions backing the effort, the SEIU 32BJ and the International Association of Machinists, say allowing drivers to unionize, even if not as full employees, will help provide urgently needed worker protections and better pay and safety standards.

Electronic Frontier Foundation

Aaron Swartz Day Commemorated With 'Those Carrying on the Work' (aaronswartzday.org) 44

Friday "would have been his 38th birthday," writes the EFF, remembering Aaron Swartz as "a digital rights champion who believed deeply in keeping the internet open..." And they add that today the official web site for Aaron Swartz Day honored his memory with a special podcast "featuring those carrying on the work around issues close to his heart," including an appearance by Brewster Kahle, founder of the Internet Archive.

The first speaker is Ryan Shapiro, FOIA expert and co-founder of the national security transparency non-profit Property of the People. The Aaron Swartz Day site calls him "the researcher who discovered why the FBI had such an interest in Aaron in the years right before the JSTOR fiasco." (That web page calls it an "Al Qaeda phishing expedition that left Aaron with an 'International Terrorism Investigation' code in his FBI database file forever," as reported by Gizmodo.)

Other speakers on the podcast include:
  • Tracey Jaquith, Founding Coder and TV Architect at the Internet Archive, discussing "Microservices, Monoliths, and Operational Security — The Internet Archive in 2024."
  • Tracy Rosenberg, co-founder of the Aaron Swartz Day Police Surveillance Project and Oakland Privacy, with "an update on the latest crop of surveillance battles."
  • Ryan Sternlicht, VR developer, educator, researcher, advisor, and maker, on "The Next Layer of Reality: Social Identity and the New Creator Economy."
  • Grant Smith Ellis, Chairperson of the Board, MassCann and Legal Intern at the Parabola Center, on "Jury Trials in the Age of Social Media."
  • Michael "Mek" Karpeles, Open Library, Internet Archive, on "When it Rains at the Archive, Build an Ark — Book bans, Lawsuits, & Breaches."

The site also seeks to showcase SecureDrop and Open Library, projects started by Aaron before his death, as well as new projects "directly inspired by Aaron and his work."

Piracy

Pirating 'The Pirate Bay' TV Series Is Ironically Difficult (torrentfreak.com) 25

With the debut of the Pirate Bay TV series in Sweden, international viewers are finding it surprisingly difficult to pirate. TorrentFreak reports: The series premiered at the on-demand platform of the Swedish national broadcaster SVT a few hours ago. International deals haven't been announced, but pirates can generally get access anyway. Soon after the first two episodes of The Pirate Bay series came out, scene release copies started circulating online. As one would expect.

The Scene group OLLONBORRE, which specializes in Swedish content, was the first to pick the show up. Within minutes, the first 1080p WEB-rips were posted on private scene servers and 720p copies followed a few hours later. Interestingly, pirate releases have yet to make their way to The Pirate Bay. We haven't seen any other copies on other public pirate sites either, which is surprising given the topic of the series.

It's common knowledge that The Scene -- a secretive network of release groups -- prefers to keep its releases private. Therefore, it wasn't happy with The Pirate Bay's public nature and rise to prominence in the early 2003s, which is highlighted in the first episodes of the TV series. However, we expected non-scene release groups would be eager to pick up the show. Apparently that's not the case, yet.

Privacy

Hackers Are Sending Fraudulent Police Data Requests To Tech Giants To Steal People's Private Information (gizmodo.com) 14

An anonymous reader quotes a report from TechCrunch: The FBI is warning that hackers are obtaining private user information — including emails and phone numbers — from U.S.-based tech companies by compromising government and police email addresses to submit "emergency" data requests. The FBI's public notice filed this week is a rare admission from the federal government about the threat from fraudulent emergency data requests, a legal process designed to help police and federal authorities obtain information from companies to respond to immediate threats affecting someone's life or property. The abuse of emergency data requests is not new, and has been widely reported in recent years. Now, the FBI warns that it saw an "uptick" around August in criminal posts online advertising access to or conducting fraudulent emergency data requests, and that it was going public for awareness.

"Cyber-criminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to US based companies, exposing the personal information of customers to further use for criminal purposes," reads the FBI's advisory. [...] The FBI said in its advisory that it had seen several public posts made by known cybercriminals over 2023 and 2024, claiming access to email addresses used by U.S. law enforcement and some foreign governments. The FBI says this access was ultimately used to send fraudulent subpoenas and other legal demands to U.S. companies seeking private user data stored on their systems. The advisory said that the cybercriminals were successful in masquerading as law enforcement by using compromised police accounts to send emails to companies requesting user data. In some cases, the requests cited false threats, like claims of human trafficking and, in one case, that an individual would "suffer greatly or die" unless the company in question returns the requested information.

The FBI said the compromised access to law enforcement accounts allowed the hackers to generate legitimate-looking subpoenas that resulted in companies turning over usernames, emails, phone numbers, and other private information about their users. But not all fraudulent attempts to file emergency data requests were successful, the FBI said. The FBI said in its advisory that law enforcement organizations should take steps to improve their cybersecurity posture to prevent intrusions, including stronger passwords and multi-factor authentication. The FBI said that private companies "should apply critical thinking to any emergency data requests received," given that cybercriminals "understand the need for exigency."

Privacy

FBI Says Hackers Are Sending Fraudulent Police Data Requests To Tech Giants To Steal People's Private Information (techcrunch.com) 42

The FBI is warning that hackers are obtaining private user information -- including emails and phone numbers -- from U.S.-based tech companies by compromising government and police email addresses to submit "emergency" data requests. From a report: The FBI's public notice filed this week is a rare admission from the federal government about the threat from fraudulent emergency data requests, a legal process designed to help police and federal authorities obtain information from companies to respond to immediate threats affecting someone's life or property.

The abuse of emergency data requests is not new, and has been widely reported in recent years. Now, the FBI warns that it saw an "uptick" around August in criminal posts online advertising access to or conducting fraudulent emergency data requests, and that it was going public for awareness. "Cyber-criminals are likely gaining access to compromised U.S. and foreign government email addresses and using them to conduct fraudulent emergency data requests to U.S. based companies, exposing the personal information of customers to further use for criminal purposes," reads the FBI's advisory.

The Courts

IBM Sued Again In Storm Over Weather Channel Data Sharing (theregister.com) 20

IBM is facing a new lawsuit alleging that its Weather Channel website shared users' personal data with third-party ad partners without consent, violating the Video Privacy Protection Act (VPPA). The Register reports: In the absence of a comprehensive federal privacy law, the complaint [PDF] claims Big Blue violated America's Video Privacy Protection Act (VPPA), enacted in 1988 in response to the disclosure of Supreme Court nominee Robert Bork's videotape rental records. IBM was sued in 2019 (PDF) by then Los Angeles City Attorney Mike Feuer over similar allegations: That its Weather Channel mobile app collected and shared location data without disclosure. The IT titan settled that claim in 2020. A separate civil action against IBM's Weather Channel was filed in 2020 and settled in 2023 (PDF).

This latest legal salvo against alleged Weather Channel-enabled data collection takes issue with the sensitive information made available through the company's website to third-party ad partners mParticle and AppNexus/Xandr (acquired by Microsoft in 2022). The former provides customer analytics, and the latter is an advertising and marketing platform. The complaint, filed on behalf of California plaintiff Ed Penning, contends that by watching videos on the Weather Channel website, those two marketing firms received Penning's full name, gender, email address, precise geolocation, and the names and URLs of videos he watched, without his permission or knowledge.

It explains that the plaintiff's counsel retained a private research firm last year to analyze browser network traffic during video sessions on the Weather Channel website. The research firm is said to have confirmed that the website provided the third-party ad firms with information that could be used to identify people and the videos that they watched. The VPPA prohibits video providers from sharing "personally identifiable information" about clients without their consent. [...] The lawsuit aspires to be certified as a class action. Under the VPPA, a successful claim allows for actual damages (if any) and statutory damages of $2,500 for each violation of the law, as well as attorney's fees.

Privacy

Voted In America? VoteRef Probably Doxed You (404media.co) 210

An anonymous reader quotes a report from 404 Media: If you voted in the U.S. presidential election yesterday in which Donald Trump won comfortably, or a previous election, a website powered by a right-wing group is probably doxing you. VoteRef makes it trivial for anyone to search the name, physical address, age, party affiliation, and whether someone voted that year for people living in most states instantly and for free. This can include ordinary citizens, celebrities, domestic abuse survivors, and many other people. Voting rolls are public records, and ways to more readily access them are not new. But during a time of intense division, political violence, or even the broader threat of data being used to dox or harass anyone, sites like VoteRef turn a vital part of the democratic process -- simply voting -- into a security and privacy threat. [...]

The Voter Reference Foundation, which runs VoteRef, is a right wing organization helmed by a former Trump campaign official, ProPublica previously reported. The goal for that organization was to find irregularities in the number of voters and the number of ballots cast, but state election officials said their findings were "fundamentally incorrect," ProPublica added. In an interview with NPR, the ProPublica reporter said that the Voter Reference Foundation insinuated (falsely) that the 2020 election of Joe Biden was fraudulent in some way. 404 Media has found people on social media using VoteRef's data to spread voting conspiracies too. VoteRef has steadily been adding more states' records to the VoteRef website. At the time of writing, it has records for all states that legally allow publication. Some exceptions include California, Virginia, and Pennsylvania. ProPublica reported that VoteRef removed the Pennsylvania data after being contacted by an attorney for Pennsylvania's Department of State.

"Digitizing and aggregating data meaningfully changes the privacy context and the risks to people. Your municipal government storing your marriage certificate and voter information in some basement office filing cabinet is not even remotely the same as a private company digitizing all the data, labeling it, piling it all together, making it searchable," said Justin Sherman, a Duke professor who studies data brokers.

"Policymakers need to get with the times and recognize that data brokers digitizing, aggregating, and selling data based on public records -- which are usually considered 'publicly available information' and exempted from privacy laws -- has fueled decades of stalking and gendered violence, harassment, doxing, and even murder," Sherman said. "Protecting citizens of all political stripes, targets and survivors of gendered violence, public servants who are targets for doxing and death threats, military service members, and everyone in between depends on reframing how we think about public records privacy and the mass aggregation and sale of our data."

Bitcoin

Toronto Crypto Company CEO Kidnapped, Held For $1 Million Ransom Before Being Released (www.cbc.ca) 34

An anonymous reader quotes a report from CBC News: The head of a company specializing in cryptocurrency was kidnapped and held for ransom in downtown Toronto during rush hour Wednesday. Police were called about a kidnapping in the area of University Avenue and Richmond Street W. just before 6 p.m., says a spokesperson with the Toronto Police Service. The suspects forced the victim into a vehicle and made a demand for money, the spokesperson said. The man was later located in Centennial Park in Etobicoke uninjured.

CBC Toronto has learned the victim is Dean Skurka, the president and CEO of Toronto-based financial firm WonderFi. He was released after a ransom of $1 million was paid electronically, a source close to the investigation said. Police say the investigation is ongoing and have not released any further details. [...] The alleged kidnapping happened the same day WonderFi released its third quarter earnings results, showing a 153 per cent increase compared to its third quarter in 2023.

Security

DataBreach.com Emerges As Alternative To HaveIBeenPwned (pcmag.com) 21

An anonymous reader quotes a report from PCMag: Have I Been Pwned has long been one of the most useful ways to learn if your personal information was exposed in a hack. But a new site offers its own powerful tool to help you check if your data has been leaked to cybercriminals. DataBreach.com is the work of a New Jersey company called Atlas Privacy, which helps consumers remove their personal information from data brokers and people search websites. On Wednesday, the company told us it had launched DataBreach.com as an alternative to Have I Been Pwned, which is mainly searchable via the user's email address. DataBreach.com is designed to do that and more. In addition to your email address, the site features an advanced search function to see whether your full name, physical address, phone number, Social Security number, IP address, or username are in Atlas Privacy's extensive library of recorded breaches. More categories will also be added over time.

Atlas Privacy has been offering its paid services to customers, such as police officers and celebrities, to prevent bad actors from learning their addresses or phone numbers. In doing so, the company has also amassed over 17.5 billion records from the numerous stolen databases circulating on the internet, including in cybercriminal forums. As a public service, Atlas is now using its growing repository of stolen records to create a breach notification site, free of charge. DataBreach.com builds off Atlas's effort in August to host a site notifying users whether their Social Security number and other personal information were leaked in the National Public Data hack. Importantly, Atlas designed DataBreach.com to prevent it from storing or collecting any sensitive user information typed into the site. Instead, the site will fetch a hash from Atlas' servers, or a fingerprint of the user's personal information -- whether it be an email address, name, or SSN -- and compare it to whatever the user is searching for. "The comparison will be done locally," meaning it'll occur on the user's PC or phone, rather than Atlas's internet server, de Saint Meloir said.

Australia

Australia Proposes Ban On Social Media For Those Under 16 (reuters.com) 112

An anonymous reader quotes a report from Reuters: Australian Prime Minister Anthony Albanese said on Thursday the government would legislate for a ban on social media for children under 16, a policy the government says is world-leading. "Social media is doing harm to our kids and I'm calling time on it," Albanese told a news conference. Legislation will be introduced into parliament this year, with the laws coming into effect 12 months after it is ratified by lawmakers, he added. There will be no exemptions for users who have parental consent.

"The onus will be on social media platforms to demonstrate they are taking reasonable steps to prevent access," Albanese said. "The onus won't be on parents or young people." Communications Minister Michelle Rowland said platforms impacted would include Meta Platforms' Instagram and Facebook, as well as Bytedance's TikTok and Elon Musk's X. Alphabet's YouTube would likely also fall within the scope of the legislation, she added.

Intel

Intel Sued Over Raptor Lake Voltage Instability (theregister.com) 58

Intel faces a class-action lawsuit alleging its 13th and 14th generation desktop processors from 2022 and 2023 are defective, causing system instability and frequent crashes. The suit claims that Intel knew of the issue but continued marketing the processors anyway. The Register reports: The plaintiff, Mark Vanvalkenburgh of Orchard Park, New York, purchased an Intel Core i7-13700K from Best Buy in January 2023, according to the complaint [PDF]. "After purchasing the product, Plaintiff learned that the processor was defective, unstable, and crashing at high rates," the complaint claims. "The processor caused issues in his computer, including random screen blackouts and random computer restarts. These issues were not resolved even after he attempted to install a patch issued by Intel for its 13th Generation processors."

The potential class-action lawsuit cites various media reports and social media posts dating back to December 2022 that describe problems with Intel's 13th and 14th generation processors, known as Raptor Lake. These reports document unexplained failures and system instability, as well as a higher-than-expected rate of product returns. "By late 2022 or early 2023, Intel knew of the defect," the complaint says. "Intel's Products undergo pre-release and post-release testing. Through these tests, Intel became aware of the defect in the processors." And because Intel continued making marketing claims touting the speed and performance of its products, with no mention of any defect, the complaint alleges that Intel committed fraud by omission, breached implied warranty, and violated New York General Business Law.

Canada

Canada Bans TikTok Citing National Security Concerns (www.cbc.ca) 86

The federal government of Canada has ordered TikTok to shut down its operations in the country, citing national security concerns. However, Canadians will still be able to access the app and use it to create content. "The decision to use a social media application or platform is a personal choice," said Innovation Minister Francois-Philippe Champagne.

"We came to the conclusion that these activities that were conducted in Canada by TikTok and their offices would be injurious to national security. I'm not at liberty to go into much detail, but I know Canadians would understand when you're saying the government of Canada is taking measures to protect national security, that's serious." CBC News reports: Champagne urged Canadians to use TikTok "with eyes wide open." Critics have claimed that TikTok users' data could be obtained by the Chinese government. "Obviously, parents and anyone who wants to use social platform should be mindful of the risk," he said. The decision was made in accordance with the Investment Canada Act, which allows for the review of foreign investments that may harm Canada's national security.

Former CSIS director David Vigneault told CBC News it's "very clear" from the app's design that data gleaned from its users "is available to the government of China" and its large-scale data harvesting goals. "Most people can say, 'Why is it a big deal for a teenager now to have their data [on TikTok]?' Well in five years, in 10 years, that teenager will be a young adult, will be engaged in different activities around the world," he said at the time. "As an individual, I would say that I would absolutely not recommend someone have TikTok."

Facebook

Facebook Asks US Supreme Court To Dismiss Fraud Suit Over Cambridge Analytica Scandal (theguardian.com) 23

An anonymous reader quotes a report from The Guardian: The US supreme court grappled on Wednesday with a bid by Meta's Facebook to scuttle a federal securities fraud lawsuit brought by shareholders who accused the social media platform of misleading them about the misuse of user data. The justices heard arguments in Facebook's appeal of a lower court's decision allowing the 2018 class action suit led by Amalgamated Bank to proceed. The suit seeks unspecified monetary damages in part to recoup the lost value of the Facebook stock held by the investors. It is one of two cases coming before them this month -- the other one involving artificial intelligence chipmaker Nvidia on 13 November -- that could lead to rulings making it harder for private litigants to hold companies to account for alleged securities fraud.

At issue is whether Facebook broke the law when it failed to detail the prior data breach in subsequent business-risk disclosures, and instead portrayed the risk of such incidents as purely hypothetical. Facebook argued in a supreme court brief that it was not required to reveal that its warned-of risk had already materialized because "a reasonable investor" would understand risk disclosures to be forward-looking statements. "When we think about these questions, we're not looking only to lies or complete false statements," the liberal justice Elena Kagan told Kannon Shanmugam, the lawyer for Facebook. "We're also looking to misleading statements or misleading omissions." The conservative justice Samuel Alito asked Shanmugam: "Isn't it the case that an evaluation of risks is always forward-looking?" "It is. And that is essentially what underlies our argument here," Shanmugam responded.

The plaintiffs accused Facebook of misleading investors in violation of the Securities Exchange Act, a 1934 federal law that requires publicly traded companies to disclose their business risks. They claimed the company unlawfully withheld information from investors about a 2015 data breach involving British political consulting firm Cambridge Analytica that affected more than 30 million Facebook users. Edward Davila, a US district judge, dismissed the lawsuit but the San Francisco-based ninth US circuit court of appeals revived it. The supreme court's ruling is expected by the end of June.

Piracy

Google Asked To Remove 10 Billion 'Pirate' Search Results (torrentfreak.com) 23

An anonymous reader quotes a report from TorrentFreak: Rightsholders have asked Google to remove more than 10 billion 'copyright infringing' URLs from its search results. The search engine doesn't celebrate the milestone in any way, but the takedown notices document intriguing shifts in volume over time, as well as shifting takedown interests. [...] The path to 10 billion was turbulent. When Google first made DMCA details public it was processing a few million DMCA takedown requests in a year. That number swiftly increased to hundreds of millions and eventually reached a billion DMCA requests in 2016.

The exponential growth curve eventually flattened out and around 2017, the takedown volume started to decline. The decrease was in part due to various anti-piracy algorithms making pirated content less visible in search results. By downranking pirate sites, infringing content became harder to find. As a result, Google processed fewer takedown notices, a welcome change for both rightsholders and the search engine. Today, Google continues to make pirate sites less visible in search, but the reduction in takedown notices didn't last. On the contrary, over the past several months, Google search processed a record number of DMCA notices.

Last summer, the search giant recorded the 7 billionth takedown request and after that the numbers shot up, adding billions more in the year that followed. The company is now handling removal requests at a rate of roughly 2.5 billion per year; a new record. This represents more than 50 million takedown requests per week and roughly 5,000 every minute. [...] While the 10 billionth reported URL is undoubtedly a milestone, this number is largely driven by a few rightsholders, reporting outfits, and domain names. The aforementioned takedown outfit Link-Busters, for example, accounts for roughly 15% of all reported links, nearly 1.5 billion. Similarly, the ten most prolific rightsholders, including the BPI, HarperCollins, and VIZ Media, are responsible for 40% of all reported links. These ten companies are only a tiny fraction of the 600,000 rightsholders that reported pirated links, however. A small group of domains also receives a disproportionate amount of attention. In total, 5,400,061 domains have been reported, with the top domains having dozens of millions of flagged URLs each. However, most domains have only a few flagged links, some of which are erroneous.

Crime

Interpol Disrupts Cybercrime Activity On 22,000 IP Addresses, Arrests 41 (bleepingcomputer.com) 6

During an operation across 95 countries from April to August 2024, Interpol arrested 41 individuals and dismantled over 1,000 servers and infrastructure running on 22,000 IP addresses facilitating cybercrime. BleepingComputer reports: Interpol said its enforcement action was backed by intelligence provided by private cybersecurity firms like Group-IB, Kaspersky, Trend Micro, and Team Cymru, leading to the identification of over 30,000 suspicious IP addresses. Eventually, roughly 76% of those were taken down, 59 servers were seized, and 43 electronic devices were confiscated, which will be examined to retrieve additional evidence. In addition to the 41 individuals who were arrested, the authorities are also investigating another 65 persons suspected of associating with illicit activities.
