The head of America's FCC "has drafted plans to regulate the cybersecurity of telecommunications companies," reports the Washington Post, and the plans could include financial penalties phone network operators with insufficient security — "the first time the agency has asserted such powers under federal wiretapping law." Rosenworcel said the FCC's authority in this matter comes from Section 105 of the Communications Assistance for Law Enforcement Act [passed in 1994] — a single sentence that stipulates, without elaboration, that telecommunications carriers should ensure systems security "in accordance with regulations prescribed by the Commission." As one of the measures, she is seeking to require network providers to submit an annual certification to the FCC that they are implementing a cybersecurity risk management plan. In addition to imposing fines, the FCC could coordinate with other agencies to pursue criminal penalties against carriers deemed too careless on cybersecurity...

Biden administration officials said voluntary efforts to protect against aggressive Chinese hacking activity have fallen short. "We've had for the last decade voluntary public-private partnership efforts," Neuberger told The Post in a recent interview. "But we continue to see successful breaches, and in many cases, as with ransomware attacks, we continue to see pretty basic cybersecurity practices not being followed." With China's hackers becoming more brazen, pre-positioning themselves in U.S. critical networks, "we need to lock our digital doors," Neuberger said...

Cyber requirements can make a difference, she said. After the Colonial Pipeline ransomware attack in 2021 shut down one of the nation's largest energy pipelines for several days, creating a national security scare, the Transportation Security Administration issued several security directives, and today, all of the country's several dozen critical pipeline companies are in compliance, she said. Similar directives were subsequently issued for rail and aviation sectors, and the compliance rates in those industries are now at 68 and 57 percent respectively, she said.

China-linked spies may still be lurking in U.S. telecommunications networks — but the breach could be much, much wider. In fact, a "couple dozen" countries were hit by the attack, the Wall Street Journal reported this week, citing a top U.S. national security adviser. "Chinese government hackers have compromised telecommunications infrastructure across the globe as part of a massive espionage campaign..." Speaking during a press briefing Wednesday, Anne Neuberger, President Biden's deputy national security adviser for cyber and emerging technology, said the so-called Salt Typhoon campaign is ongoing and that at least eight telecommunications firms in the U.S. had been breached... The Journal previously identified Verizon, AT&T, T-Mobile and Lumen Technologies among the victims... [M]etadata grabs appeared to be "regional" in focus, and were likely a means to identify phone lines of valuable senior government officials, which the hackers then targeted to steal encrypted text messages and listen in on some phone calls, the official said... President-elect Donald Trump, Vice President-elect JD Vance, senior congressional staffers and an array of U.S. security officials were among scores of individuals to have their calls and texts directly targeted, an intelligence-collection coup that likely ensnared their private communications with thousands of Americans, the Journal has reported.

The senior administration official said the global tally of countries victimized was currently believed to be in the "low, couple dozen" but didn't give a precise figure. The global campaign of hacking activity dates back at least a year or two, the official said.
"Neuberger, on the press briefing, said that it wasn't believed that classified communications were accessed in the breaches."

"The U.S. government on Friday ordered testing of the nation's milk supply for bird flu," reports the Associated Press, "to better monitor the spread of the virus in dairy cows." Raw or unpasteurized milk from dairy farms and processors nationwide must be tested on request starting Dec. 16, the Agriculture Department said. Testing will begin in six states — California, Colorado, Michigan, Mississippi, Oregon and Pennsylvania.

Officials said the move is aimed at "containing and ultimately eliminating the virus," known as Type A H5N1, which was detected for the first time in March in U.S. dairy cows. Since then, more than 700 herds have been confirmed to be infected in 15 states. "This will give farms and farmworkers better confidence in the safety of their animals and ability to protect themselves, and it will put us on a path to quickly controlling and stopping the virus' spread nationwide," Agriculture Secretary Tom Vilsack said in a statement.

The risk to people from bird flu remains low, health officials said. Pasteurization, or heat treatment, kills the virus in milk, leaving it safe to drink... At least 58 people in the U.S. have been infected with bird flu, mostly farm workers who became mildly ill after close contact with infected cows, including their milk, or infected poultry.

"TikTok has lost its bid to strike down a law that could result in the platform being banned in the United States," reports CNN.

A U.S. federal appeals court just unanimously ruled in favor of the new U.S. law requiring TikTok's China-based owners to either sell the app next month or face an effective ban in the United States. Denying TikTok's argument that the law was unconstitutional, the judges found that the law does not "contravene the First Amendment to the Constitution of the United States," nor does it "violate the Fifth Amendment guarantee of equal protection of the laws"... After the [January 25] deadline, U.S. app stores and internet services could face hefty fines for hosting TikTok if it is not sold. (Under the legislation, President Biden may issue a one-time extension of the deadline.)

In a statement, TikTok indicated it would appeal the decision. "The Supreme Court has an established historical record of protecting Americans' right to free speech, and we expect they will do just that on this important constitutional issue," said company spokesperson Michael Hughes. "Unfortunately, the TikTok ban was conceived and pushed through based upon inaccurate, flawed and hypothetical information, resulting in outright censorship of the American people. The TikTok ban, unless stopped, will silence the voices of over 170 million Americans here in the US and around the world on January 19th, 2025"....

"People in the United States would remain free to read and share as much PRC propaganda (or any other content) as they desire on TikTok or any other platform of their choosing," the judges said. "What the Act targets is the PRC's ability to manipulate the content covertly. Understood in that way, the Government's justification is wholly consonant with the First Amendment."
The judges also wrote that "in part precisely because of the platform's expansive reach, Congress and multiple Presidents determined that divesting it from the PRC's control is essential to protect our national security... Congress judged it necessary to assume that risk given the grave national-security threats it perceived."

CNN notes that ByteDance "has previously indicated it will not sell TikTok."

The Solana JavaScript SDK "was temporarily compromised yesterday in a supply chain attack," reports BleepingComputer, "with the library backdoored with malicious code to steal cryptocurrency private keys and drain wallets." Solana offers an SDK called "@solana/web3.js" used by decentralized applications (dApps) to connect and interact with the Solana blockchain. Supply chain security firm Socket reports that Solana's Web3.js library was hijacked to push out two malicious versions to steal private and secret cryptography keys to secure wallets and sign transactions... Solana confirmed the breach, stating that one of their publish-access accounts was compromised, allowing the attackers to publish two malicious versions of the library... Solana is warning developers who suspect they were compromised to immediately upgrade to the latest v1.95.8 release and to rotate any keys, including multisigs, program authorities, and server keypairs...

Once the threat actors gain access to these keys, they can load them into their own wallets and remotely drain all stored cryptocurrency and NFTs... Socket says the attack has been traced to the FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx Solana address, which currently contains 674.86 Solana and varying amounts of the Irish Pepe , Star Atlas, Jupiter, USD Coin, Santa Hat, Pepe on Fire, Bonk, catwifhat, and Genopets Ki tokens. Solscan shows that the estimated value of the stolen cryptocurrency is $184,000 at the time of this writing.

For anyone whose wallets were compromised in this supply chain attack, you should immediately transfer any remaining funds to a new wallet and discontinue the use of the old one as the private keys are now compromised.
Ars Technica adds that "In social media posts, one person claimed to have lost $20,000 in the hack."

The compromised library "receives more than ~350,000 weekly downloads on npm," Socket posted. (Although Solana's statement says the compromised versions "were caught within hours and have since been unpublished."

11 years ago his hard drive ended up in a U.K. landfill — with 8,000 bitcoin. It's now worth $800 million... and James Howell wants it back.

The Guardian reports that his "bid to become extremely rich reached a judge on Tuesday with a team of lawyers arguing that it was still possible to launch a hunt for his missing hard drive containing the bitcoin." They claimed that rather than searching for a "needle in a haystack", the position of the bitcoin hoard had been narrowed down to a small area and there was a "finely tuned" plan to retrieve it... [Howells] has been asking Newport city council for help in getting the hard drive back, and even said he would share the money with the authority, to no avail... James Goudie KC, representing the council, said Howells had no legal claim to the hard drive. He said: "Anything that goes into the landfill goes into the council's ownership."

Goudie said Howells' offer to share some of the bitcoin with Newport council amounted to a bribe. He said: "He is trying to buy something the council is not in a position to sell...." Before the hearing, a spokesperson for Newport council said: "The council has told Mr Howells multiple times that excavation is not possible under our environmental permit and that work of that nature would have a huge negative environmental impact on the surrounding area. "Responding to Mr Howells' baseless claims are costing the council and Newport taxpayers time and money which could be better spent on delivering services."
Howells was 28 when he lost the hard drive, and has said he may as well keep trying to recover it — because he'll always know that it's out there. Howells' legal teams are "working pro bono," the article notes, "on the basis that they get a share of the bitcoin profits if successful..." And TechSpot points out that "There's also the question of whether the data on the drive would still be accessible after more than a decade of sitting under a pile of rotting garbage.

"Howells has a team of data recovery engineers who are also working pro bono..."

Thanks to Slashdot reader jjslash for sharing the news.

The Carnegie Endowment for Peace, a nonpartisan international affairs think tank, points out that when subsea internet cables were cut in November, Europe was more prepared: Where in the past there were no contingency plans for sabotage, there are now more maritime patrols, an attempt to forge deeper intelligence connections, and the beginnings of a new relationship with the private sector...

Even before the October 2023 incident, NATO, the EU, and certain European governments began to increase their efforts to boost subsea cable resilience and security. In February 2023, NATO stood up a new Critical Undersea Infrastructure Coordination Cell in Brussels to convene stakeholders and enhance coordination between the public and private sectors. In July 2023, NATO allies at the Vilnius Summit established a Maritime Center for the Security of Critical Undersea Infrastructure as part of the alliance's Maritime Command in Northwood, UK. In October 2023, after the first incident, NATO defense ministers endorsed a new Digital Ocean Vision, an initiative aimed at improving undersea surveillance. And in February 2024, the European Commission released its first "Recommendation on Secure and Resilient Submarine Cable Infrastructures," encouraging member states to conduct regular stress tests, improve information sharing amongst themselves, and improve cable maintenance and repair capabilities.
The article points out that the Chinese ship suspected in the 2023 cable cutting "ignored requests from Finnish and Estonian authorities to halt" and returned to China. But the Chinese ship suspected in November's cable-cutting "remains in international waters in the Kattegat, with naval and coast guard vessels from Denmark, Germany, and Sweden circling close by." Yet "Under international maritime law, these countries' authorities are not allowed to board..." Current provisions of international law are neither formulated to adequately protect subsea data cables from sabotage nor hold perpetrators accountable. This reality should lead the EU, as a body inherently focused on the resilience of international legal regimes, to push for updates that are better suited for the current geopolitical reality... Lawmakers should also explore ways to increase penalties for subsea cable damage, in part to deter acts of sabotage in the first place....

A forthcoming Carnegie Endowment report will detail more in-depth recommendations on how Europe can both protect itself against future subsea cable damage and help expand trusted networks around the world.
The article also notes that "Of the hundreds of disruptions to cables that occur each year, the vast majority are caused by accidental human activity, like fishing, or natural events, like earthquakes."

In March, 2023 the Internet Archive lost in court, with a judge ruling they couldn't scan entire books and then lend them as ebooks. The Internet Archive appealed to a higher court, which also ruled against them in September of 2024.

Today, the Internet Archive made an announcement: that "While we are deeply disappointed with the Second Circuit's opinion in Hachette v. Internet Archive, the Internet Archive has decided not to pursue Supreme Court review." We will continue to honor the Association of American Publishers agreement to remove books from lending at their member publishers' requests.

We thank the many readers, authors and publishers who have stood with us throughout this fight. Together, we will continue to advocate for a future where libraries can purchase, own, lend and preserve digital books.

America's next president "announced Wednesday he has selected Jared Isaacman, a billionaire businessman and space enthusiast who twice flew to orbit with SpaceX, to become the next NASA administrator," reports Ars Technica: In a post on X, Isaacman said he was "honored" to receive Trump's nomination. "Having been fortunate to see our amazing planet from space, I am passionate about America leading the most incredible adventure in human history," Isaacman wrote. "On my last mission to space, my crew and I traveled farther from Earth than anyone in over half a century. I can confidently say this second space age has only just begun...."

"Jared Isaacman will be an outstanding NASA Administrator and leader of the NASA family," said Jim Bridenstine, who led NASA as administrator during Trump's first term in the White House. "Jared's vision for pushing boundaries, paired with his proven track record of success in private industry, positions him as an ideal candidate to lead NASA into a bold new era of exploration and discovery. I urge the Senate to swiftly confirm him." Lori Garver, NASA's deputy administrator during the Obama administration, wrote on X that Isaacman's nomination was "terrific news," adding that "he has the opportunity to build on NASA's amazing accomplishments to pave our way to an even brighter future."

Isaacman, 41, is the founder and CEO of Shift4, a mobile payment processing platform, and co-founded Draken International, which owns a fleet of retired fighter jets to pose as adversaries for military air combat training... Isaacman, an evangelist for the commercial space industry, has criticized some of NASA's decisions on the Artemis program. In several posts on X, he questioned the agency's decision to fund two redundant lunar landers, while not planning for any backup to the Space Launch System (SLS) rocket, which costs $2.2 billion per copy, not including expenses for ground infrastructure or the Orion spacecraft itself. One of those casualties might be the SLS rocket. The program is managed by NASA, with suppliers spread across the United States and prime contractors working under cost-plus arrangements with the space agency, meaning the government is on the hook to pay for any delays or cost overruns.
If confirmed he'll be the 4th NASA administrator who's actually flown in space, according to the article.

And according to Wikipedia, Isaacman was the commander of Inspiration4, a private spaceflight using SpaceX's Crew Dragon Resilience that launched in 2021. The crew returned to Earth on September 18, 2021, after orbiting at 585 km (364 mi) in altitude. The mission was part of a fundraiser for St. Jude Children's Research Hospital, to which Isaacman pledged to donate $100 million.
Thanks to Slashdot reader FallOutBoyTonto for sharing the news.

59-year-old Alex Mashinsky, the founder/former CEO of cryptocurrency lender Celsius Network, "pleaded guilty on Tuesday to two counts of fraud," reports Reuters.

He'd been indicted in July on seven counts of fraud, conspiracy and market manipulation charges, according to the article, and federal prosecutors in Manhattan "said he misled customers of Celsius to persuade them to invest, and artificially inflated the value of his company's proprietary crypto token." On Tuesday, during a hearing before U.S. District Judge John Koeltl, Mashinsky said he pleaded guilty to two out of the seven counts he was initially charged with: commodities fraud, and a fraudulent scheme to manipulate the price of CEL, Celsius' in-house token. In court, Mashinsky admitted to giving Celsius customers "false comfort" by giving an interview in 2021 in which he said Celsius had received approval from regulators for its "Earn" program, which it had not. That program offered to deploy customers' cryptocurrency assets to yield investment returns. He said he also failed to disclose that he had been selling his holdings of CEL, the platform's in-house token.

"I know what I did was wrong, and I want to try to do whatever I can to make it right," Mashinsky said. As part of his plea deal with prosecutors, Mashinsky agreed not to appeal any sentence of 30 years or less — the maximum he faces for the two counts. Koeltl is set to sentence him on April 8, 2025.

Federal prosecutors in Manhattan have said Mashinsky also personally reaped approximately $42 million in proceeds from selling his holdings of the Cel token. "Mashinsky made tens of millions of dollars selling his own CEL at artificially high prices, while his customers were left holding the bag when the company went bankrupt," Damian Williams, the U.S. Attorney in Manhattan, said in a statement on Tuesday... Founded in 2017, Celsius filed for Chapter 11 bankruptcy protection in July 2022 after customers rushed to withdraw deposits as crypto prices fell. Many were initially unable to access their funds... Celsius' former chief revenue officer, Roni Cohen-Pavon, pleaded guilty in September 2023 and agreed to cooperate with prosecutors' investigation.
"The company exited bankruptcy on Jan. 31, and has pivoted to Bitcoin mining..."

An anonymous reader shared this report from NBC News: Amid an unprecedented cyberattack on telecommunications companies such as AT&T and Verizon, U.S. officials have recommended that Americans use encrypted messaging apps to ensure their communications stay hidden from foreign hackers...

In the call Tuesday, two officials — a senior FBI official who asked not to be named and Jeff Greene, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency — both recommended using encrypted messaging apps to Americans who want to minimize the chances of China's intercepting their communications. "Our suggestion, what we have told folks internally, is not new here: Encryption is your friend, whether it's on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible," Greene said. The FBI official said, "People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant" multi-factor authentication for email, social media and collaboration tool accounts...

The FBI and other federal law enforcement agencies have a complicated relationship with encryption technology, historically advocating against full end-to-end encryption that does not allow law enforcement access to digital material even with warrants. But the FBI has also supported forms of encryption that do allow some law enforcement access in certain circumstances.
Officials said the breach seems to include some live calls of specfic targets and also call records (showing numbers called and when). "The hackers focused on records around the Washington, D.C., area, and the FBI does not plan to alert people whose phone metadata was accessed."

"The scope of the telecom compromise is so significant, Greene said, that it was 'impossible" for the agencies "to predict a time frame on when we'll have full eviction.'"

The Federal Trade Commission on Tuesday announced sweeping action against some of the most important companies in the location data industry, including those that power surveillance tools used by a wide spread of U.S. law enforcement agencies and demanding they delete data related to certain sensitive areas like health clinics and places of worship. From a report: Venntel, through its parent company Gravy Analytics, takes location data from smartphones, either through ordinary apps installed on them or through the advertising ecosystem, and then provides that data feed to other companies who sell location tracking technology to the government or sells the data directly itself.

Venntel is the company that provides the underlying data for a variety of other government contractors and surveillance tools, including Locate X. 404 Media and a group of other journalists recently revealed Locate X could be used to pinpoint phones that visited abortion clinics. The FTC says in a proposed order that Gravy and Venntel will be banned from selling, disclosing, or using sensitive location data, except in "limited circumstances" involving national security or law enforcement.

schwit1 writes: Recruiters approach students with tempting offers, often after observing them for weeks. Promising salaries of over $800 per month -- double the average pay for chemists in Mexican companies, along with potential bonuses like cars or housing -- recruiters capitalize on the financial struggles of young professionals.

These "cooks" are tasked with improving fentanyl's addictive quality and finding alternative synthesis methods to mitigate supply chain disruptions caused by stricter chemical export controls from China and pandemic-induced bottlenecks. The Times interviewed seven drug "cooks," three university chemistry students recruited by the Sinaloa cartel, two agents, a recruiter, and a university professor -- all anonymously to avoid cartel retaliation. According to the recruiter, candidates must be passionate, discreet, and indifferent to the ethical consequences of their work.

The university professor highlighted a disturbing trend: students openly expressed interest in synthesizing illicit drugs during lectures.

America's FBI "has been investigating a longtime Exxon Mobil consultant," reports Reuters, "over the contractor's alleged role in a hack-and-leak operation that targeted hundreds of the oil company's biggest critics, according to three people familiar with the matter." The operation involved mercenary hackers who successfully breached the email accounts of environmental activists and others, the sources told Reuters. The scheme allegedly began in late 2015, when U.S. authorities contend that the names of the hacking targets were compiled by the DCI Group, a public affairs and lobbying company working for Exxon at the time, one of the sources said. DCI provided the names to an Israeli private detective, who then outsourced the hacking, according to the source.

In an effort to push a narrative that Exxon was the target of a political vendetta aimed at destroying its business, some of the stolen material was subsequently leaked to the media by DCI, Reuters determined. The Federal Bureau of Investigation found that DCI shared the information with Exxon before leaking it, the source said. Some environmental activists interviewed by Reuters say the hacking operation disrupted preparations for lawsuits by cities and state attorneys general against Exxon and other energy companies... The stolen material continues to be used today to counter litigation claiming the oil giant misled the public and its investors about the risks of climate change...

The investigation into the hack-and-leak operation comes amid growing concern among law enforcement agencies worldwide about how such cyberespionage schemes threaten to taint judicial proceedings. The FBI has been investigating the broader use of mercenary hackers to tamper with lawsuits since early 2018, Reuters has previously reported. The Israeli private detective hired by DCI, Amit Forlit, was arrested this year at London's Heathrow Airport and is fighting extradition to the United States on charges of hacking and wire fraud... Federal prosecutors have secured a related conviction: that of Forlit's former business associate, private investigator Aviram Azari. Azari pleaded guilty in 2022 to wire fraud, conspiracy to commit hacking and aggravated identity theft, which included targeting the environmental activists.

United Nations members gathered this week in Busan, South Korea to negotiate the first treaty reducing plastic pollution. But Politico reports that "talks collapsed late Sunday after negotiators failed to resolve their differences and agree on a global plastic treaty. At the heart of the disagreement was a refusal by oil-rich nations led by Saudi Arabia to accept a deal that put limits on plastic production... Throughout the two years of talks, oil-rich and plastic-producing states had repeatedly clashed with nations that wanted to reduce plastic production to solve a worsening plastic pollution crisis. Many went to Busan hopeful differences would be put aside in the name of combatting a common global threat. But in the end this proved too optimistic...

The EU, alongside more than 100 other countries that included the U.K., on Thursday had backed a new proposal spearheaded by Panama pushing for a global target to reduce plastic production to "sustainable levels", drawing a clear battle line for the talks. But three negotiators from countries in the High Ambition Coalition to End Plastic Pollution — granted anonymity to discuss closed-door talks — told POLITICO Saudi Arabia had coordinated a push from oil-rich and plastic-producing countries to block any proposals for the treaty that threatened to reduce plastic production. The vast majority of plastic is made from oil or natural gas...

Along with disagreements over plastic production, countries were also unable to agree on whether and how to target particularly polluting plastic products, and how to finance the treaty. Two of the "high-ambition" negotiators referenced above suggested the talks were doomed to fail from the beginning, arguing that there was never going to be enough time given the scope of the mandate. "I think the pressure on us to deliver that in 18 months ... was kind of stupid then, and it's still stupid now," said one. "Usually these processes take a number of years — beyond what we are doing...." But many observers and some delegates said the summit's collapse demonstrated the failures of consensus-based environmental multilateralism, arguing that requiring all countries to agree by consensus gave reluctant nations too much veto power. NGOs like the Center for International Environmental Law hope this week's failed talks will serve as a lesson for future U.N. talks...

The date and time of the next round of talks is yet to be announced.
Greenpeace issued a statement saying "over 100 Member States, representing billions of people, rejected a toothless deal that would have accomplished nothing, and stood before the world committing to an ambitious treaty."

And they argued that the message is clear. "Ambitious countries must not allow the fossil fuel and petrochemical industries, backed by a small minority of countries, to prevent the will of the vast majority. A strong agreement that protects people and the planet is our only option."

The Washington Post reports on tens of thousands of Americans "forced to pay for medication" to prevent the HIV infections, "despite federal requirements guaranteeing free access to treatment...according to multiple studies and interviews with medical professionals, activists and patients." Insurance companies are skirting rules compelling them to pay for pre-exposure prophylaxis treatment, known as PrEP, researchers and HIV advocacy organizations say — leaving patients to shell out hundreds of dollars each year for medication co-pays, doctor visits and screenings required to stay on drugs that reduce the risk of contracting HIV through sex by 99 percent.

Under the Affordable Care Act, commercial insurers must cover certain preventive health services. This is supposed to include at least one form of oral PrEP and related health services, such as regular testing for HIV and other sexually transmitted diseases, for people at increased risk of contracting HIV, according to 2021 guidance from the Biden administration. Responding to complaints that patients were still being charged, the Biden administration in October released new guidance instructing private insurers to cover all forms of PrEP without prior authorization, including new long-acting injections.

Nearly a third of a national sample of 325 health coverage plans on government insurance marketplaces did not include PrEP on their lists of covered preventive services, according to the AIDS Institute, a New York-based nonprofit. Between 20 and 30 percent of PrEP users with commercial insurance still had to pay for it despite the coverage mandate, with an average cost of $227 for 2022, according to the Centers for Disease Control and Prevention. Government regulators have been slow to crack down on insurer violations, activists say, creating a barrier to getting more at-risk Americans on the medication. The CDC estimates that only a third of the more than 1 million people who could benefit from PrEP have received a prescription, according to its most recent data.
The issue appears to be lax enforcement against insurers who break rules, a policy advocate told the newspaper. America's Centers for Medicare and Medicaid Services, which enforces regulations for preventive care, "said it takes enforcement seriously and recently found two insurance plans in violation of coverage requirements following consumer complaints."

And the Post spoke to an official at America's Labor Department, who said they were investigating a complaint against a large insurance company, but "said the agency does not have enough staff to conduct proactive investigations and lacks the authority to sue and penalize insurers that break the rules."

A bipartisan group of 12 senators has urged the TSA inspector general to investigate the agency's use of facial recognition technology, citing concerns over privacy, civil liberties, and its expansion to over 430 airports without sufficient safeguards or proven effectiveness. Gizmodo reports: "This technology will soon be in use at hundreds of major and mid-size airports without an independent evaluation of the technology's precision or an audit of whether there are sufficient safeguards in place to protect passenger privacy," the senators wrote. The letter was signed by Jeffrey Merkley (D-OR), John Kennedy (R-LA), Ed Markey (D-MA), Ted Cruz (R-TX), Roger Marshall (R-Kansas), Ron Wyden (D-OR), Steve Daines (R-MT), Elizabeth Warren (D-MA), Bernie Sanders (I-VT), Cynthia Lummis (R-WY), Chris Van Hollen (D-MD), and Peter Welch (D-VT).

While the TSA's facial recognition program is currently optional and only in a few dozen airports, the agency announced in June that it plans to expand the technology to more than 430 airports. And the senators' letter quotes a talk given by TSA Administrator David Pekoske in 2023 in which he said "we will get to the point where we require biometrics across the board." [...] The latest letter urges the TSA's inspector general to evaluate the agency's facial recognition program to determine whether it's resulted in a meaningful reduction in passenger delays, assess whether it's prevented anyone on no-fly lists from boarding a plane, and identify how frequently it results in identity verification errors.

A security researcher discovered an unprotected database belonging to SL Data Services containing over 600,000 sensitive files, including criminal histories and background checks with names, addresses, and social media accounts. The Register reports: We don't know how long the personal information was openly accessible. Infosec specialist Jeremiah Fowler says he found the Amazon S3 bucket in October and reported it to the data collection company by phone and email every few days for more than two weeks. [The info service provider eventually closed up the S3 bucket, says Fowler, although he never received any response.] In addition to not being password protected, none of the information was encrypted, he told The Register. In total, the open bucket contained 644,869 PDF files in a 713.1 GB archive.

Some 95 percent of the documents Fowler saw were labeled "background checks," he said. These contained full names, home addresses, phone numbers, email addresses, employment, family members, social media accounts, and criminal record history belonging to thousands of people. In at least one of these documents, the criminal record indicated that the person had been convicted of sexual misconduct. It included case details, fines, dates, and additional charges. While court records and sex offender status are usually public records in the US, this exposed cache could be combined with other data points to make complete profiles of people -- along with their family members and co-workers -- providing everything criminals would need for targeted phishing and/or social engineering attacks.

A U.S. federal appeals court ruled that sanctions against Tornado Cash, a crypto transaction anonymization service, must be abandoned, stating that its immutable smart contracts do not constitute "property" under U.S. law and that the Treasury overstepped its authority. The ruling is available here (PDF). CoinDesk reports: The decision answers a controversial privacy debate on whether the government -- via a sanctions list maintained by the U.S. Treasury Department -- has a right to target the technology because it's associated with criminals. The ruling reversed a district court's August ruling that had sided with the government's pursuit of what it had characterized as a "notorious" crypto-mixing service.

OFAC had sanctioned Tornado Cash last year, contending that it was a vital tool used by bad actors including North Korea's Lazarus Group to launder crypto tokens pilfered from platforms and games such as Axie Infinity. Coinbase (COIN) and others had sued the government, claiming it had overreached. Paul Grewal, chief legal officer of crypto exchange Coinbase, cheered the ruling in a Tuesday post on X, calling it a "historic win for crypto." "These smart contracts must now be removed from the sanctions list and U.S. persons will once again be allowed to use this privacy-protecting protocol," Grewal wrote. "Put another way, the government's overreach will not stand." "We readily recognize the real-world downsides of certain uncontrollable technology falling outside of OFAC's sanctioning authority," the judges said, referencing the ineffectiveness of a law that was established well before the world moved online. "But we must uphold the statutory bargain struck (or mis-struck) by Congress, not tinker with it."

Tornado Cash's TORN token has since rallied 500%, passing the $20 mark.

The FTC has opened a broad antitrust investigation into Microsoft, including of its software licensing and cloud computing business. Bloomberg first reported the news. Reuters reports: The probe was approved by FTC Chair Lina Khan ahead of her likely departure in January. The election of Donald Trump as U.S. president and the expectation he will appoint a fellow Republican with a softer approach toward business, leaves the outcome of the investigation up in the air.

The FTC is examining allegations that the software giant is potentially abusing its market power in productivity software by imposing punitive licensing terms to prevent customers from moving their data from its Azure cloud service to other competitive platforms, sources confirmed earlier this month. The FTC is also looking at practices related to cybersecurity and artificial intelligence products, the source said on Wednesday.

A piracy ring that gave 22 million subscribers in Europe cheap access to content stolen from international streaming services has been shut down by Italian authorities after a two-year investigation. From a report: The criminal enterprise used a complex international IT system to "capture and resell" live programming and other on-demand content from companies including sports broadcaster DAZN, Netflix, Amazon Prime, Paramount, Sky and Disney+, prosecutors said in a statement on Wednesday.

Authorities estimate the operation generated revenues of roughly $264.3 million a month [non-paywalled link], or $3.2 billion a year, and caused combined damages of more than $10.6 billion to the affected broadcast companies. "The rate of profit you get from these illegal activities with lower risk is equivalent to that of cocaine trafficking," Francesco Curcio, the criminal prosecutor who led the investigation, told reporters.

An anonymous reader quotes a report from TechCrunch: Security researchers have uncovered two previously unknown zero-day vulnerabilities that are being actively exploited by RomCom, a Russian-linked hacking group, to target Firefox browser users and Windows device owners across Europe and North America. RomCom is a cybercrime group that is known to carry out cyberattacks and other digital intrusions for the Russian government. The group -- which was last month linked to a ransomware attack targeting Japanese tech giant Casio -- is also known for its aggressive stance against organizations allied with Ukraine, which Russia invaded in 2014.

Researchers with security firm ESET say they found evidence that RomCom combined use of the two zero-day bugs -- described as such because the software makers had no time to roll out fixes before they were used to hack people -- to create a "zero click" exploit, which allows the hackers to remotely plant malware on a target's computer without any user interaction. "This level of sophistication demonstrates the threat actor's capability and intent to develop stealthy attack methods," ESET researchers Damien Schaeffer and Romain Dumont said in a blog post on Monday. [...] Schaeffer told TechCrunch that the number of potential victims from RomCom's "widespread" hacking campaign ranged from a single victim per country to as many as 250 victims, with the majority of targets based in Europe and North America. Mozilla and the Tor Project quickly patched a Firefox-based vulnerability after being alerted by ESET, with no evidence of Tor Browser exploitation. Meanwhile, Microsoft addressed a Windows vulnerability on November 12 following a report by Google's Threat Analysis Group, indicating potential use in government-backed hacking campaigns.

An anonymous reader quotes a report from the New York Times: The founder of an artificial intelligence start-up focused on education was arrested and charged with defrauding her investors, lying about the company's profits and falsely claiming that some of the largest school districts in the country, including New York City's, were her customers. The founder, Joanna Smith-Griffin, started the company, AllHere Education, in 2016, with the goal of using artificial intelligence to increase student and parent engagement and curb absenteeism. In the years that followed, Ms. Smith-Griffin, 33, misrepresented AllHere's revenue and customer base to fraudulently raise almost $10 million in funds, according to the indictment. Once the company's valuation had climbed, she sold some of her stake in it and spent hundreds of thousands of dollars on a down payment for a new home and on her wedding.

Ms. Smith-Griffin was arrested Tuesday in North Carolina, where she lives, and charged with wire fraud, securities fraud and aggravated identity theft. She faces more than 40 years in prison. AllHere is now in bankruptcy proceedings, prosectors said, and all of its employees have been laid off. "Her alleged actions impacted the potential for improved learning environments across major school districts by selfishly prioritizing personal expenses," said James E. Dennehy, the F.B.I. assistant director in New York leading the investigation into Ms. Smith-Griffin. "The F.B.I. will ensure that any individual exploiting the promise of educational opportunities for our city's children will be taught a lesson." Smith-Griffin is the latest Forbes 30 Under 30 honoree to be indicted on fraud. "The Forbes-to-Fraud pipeline includes FTX founder Sam Bankman-Fried and Caroline Ellison, co-CEO of Alameda Research; fintech Frank founder Charlie Javice; and 'Pharma bro' Martin Shkreli," notes TechCrunch.

Interpol arrested 1,006 suspects in Africa during a massive two-month operation, clamping down on cybercrime that left tens of thousands of victims, including some who were trafficked, and produced millions in financial damages, the global police organization said Tuesday. From a report: Operation Serengeti, a joint operation with Afripol, the African Union's police agency, ran from Sept. 2 to Oct. 31 in 19 African countries and targeted criminals behind ransomware, business email compromise, digital extortion and online scams, the agency said in a statement.

Blue Yonder, a Panasonic subsidiary specializing in AI-driven supply chain solutions, experienced a recent ransomware attack that impacted many of its customers. "Among its 3,000 customers are high-profile organizations like DHL, Renault, Bayer, Morrisons, Nestle, 3M, Tesco, Starbucks, Ace Hardware, Procter & Gamble, Sainsbury, and 7-Eleven," reports BleepingComputer. From the report: On Friday, the company warned that it was experiencing disruptions to its managed services hosting environment due to a ransomware incident that occurred the day before, on November 21. "On November 21, 2024, Blue Yonder experienced disruptions to its managed services hosted environment, which was determined to be the result of a ransomware incident," reads the announcement. "Since learning of the incident, the Blue Yonder team has been working diligently together with external cybersecurity firms to make progress in their recovery process. We have implemented several defensive and forensic protocols."

Blue Yonder claims it has detected no suspicious activity in its public cloud environment and is still processing multiple recovery strategies. [...] As expected, this has impacted clients directly, as a spokesperson for UK grocery store chain Morrisons has confirmed to the media they have reverted to a slower backup process. Sainsbury told CNN that it had contingency plans in place to overcome the disruption. A Saturday update informed customers that the restoration of the impacted services continued, but no specific timelines for complete restoration could be shared yet. Another update published on Sunday reiterated the same, urging clients to monitor the customer update page on Blue Yonder's website over the coming days.

The U.S. is preparing to impose new sanctions targeting 200 Chinese chipmakers and potentially restricting the export of High Bandwidth Memory (HBM). The move is intended to further hinder China's semiconductor and AI advancements. Tom's Hardware reports: The update sheds light on the Biden administration's recent efforts to impose stricter regulations on chip manufacturers in China. The latest swarm of sanctions reportedly targets roughly 200 Chinese firms. US companies are prohibited from exporting select technologies or products to the targeted firms. The report suggests that the US Department of Commerce aims to push these new regulations before the Thanksgiving break - or November 28. Neither the Department of Commerce nor the Chamber of Commerce responded to Reuters' request for comments.

Moreover, another wave of sanctions is set to follow in December - targeting the export of HBM (High Bandwidth Memory) - primarily to choke China's advance in the AI domain. The impacts of these restrictions are materializing given that Huawei's Kirin SoCs and Ascend AI accelerators will reportedly remain stuck at 7nm technology until 2026 as SMIC fails to procure cutting-edge Extreme Ultraviolet (EUV) machines from ASML.

A new bill introduced by Sen. Peter Welch (D-Vt) aims to make it easier for human creators to find out if their work was used without permission to train artificial intelligence. NBC News reports: The Transparency and Responsibility for Artificial Intelligence Networks (TRAIN) Act would enable copyright holders to subpoena training records of generative AI models, if the holder can declare a "good faith belief" that their work was used to train the model. The developers would only need to reveal the training material that is "sufficient to identify with certainty" whether the copyright holder's works were used. Failing to comply would create a legal assumption -- until proven otherwise -- that the AI developer did indeed use the copyrighted work. [...]

In a news release, Welch said the TRAIN Act has been endorsed by several organizations -- including the Screen Actors Guild-American Federation of Television and Radio Artists (SAG-AFTRA), the American Federation of Musicians, and the Recording Academy -- as well as major music labels -- including Universal Music Group, Warner Music Group and Sony Music Group.

An anonymous reader quotes a report from Ars Technica: The Supreme Court signaled it may take up a case that could determine whether Internet service providers must terminate users who are accused of copyright infringement. In an order (PDF) issued today, the court invited the Department of Justice's solicitor general to file a brief "expressing the views of the United States."

In Sony Music Entertainment v. Cox Communications, the major record labels argue that cable provider Cox should be held liable for failing to terminate users who were repeatedly flagged for infringement based on their IP addresses being connected to torrent downloads. There was a mixed ruling at the US Court of Appeals for the 4th Circuit as the appeals court affirmed a jury's finding that Cox was guilty of willful contributory infringement but reversed a verdict on vicarious infringement "because Cox did not profit from its subscribers' acts of infringement." That ruling vacated a $1 billion damages award and ordered a new damages trial. Cox and Sony are both seeking a Supreme Court review. Cox wants to overturn the finding of willful contributory infringement, while Sony wants to reinstate the $1 billion verdict.

The Supreme Court asking for US input on Sony v. Cox could be a precursor to the high court taking up the case. For example, the court last year asked the solicitor general to weigh in on Texas and Florida laws that restricted how social media companies can moderate their platforms. The court subsequently took up the case and vacated lower-court rulings, making it clear that content moderation is protected by the First Amendment.

Some days more than half of California's available solar power goes to waste, according to research from the California Institute for Energy and Environment. "In the last 12 months, California's solar farms have curtailed production of more than 3 million megawatt hours of solar energy," according to a data analysis by the Los Angeles Times — enough to power 518,000 California homes for a year.

And it was curtailed "either on the orders of the state's grid operator or because prices had plummeted because of the glut. The waste would have been even larger if California had not paid utilities in other states to take the excess solar energy, documents from the state's grid operator show." That means green energy paid for by California electricity customers is sent away, lowering bills for residents of other states. Arizona's largest public utility reaped $69 million in savings last year by buying from the market California created to get rid of its excess solar power. The utility returned that money to its customers as a credit on their bills. Also reaping profits are electricity traders, including banks and hedge funds. The increasing oversupply of solar power has created a situation where energy traders can buy the excess at prices so low they become negative, said energy consultant Gary Ackerman, the former executive director of the Western Power Trading Forum. That means the solar plant is paying the traders to take it. "This is all being underwritten by California ratepayers," Ackerman said...

The solar glut also means higher electricity bills for Californians, since they are effectively paying to generate the power but not using it. California's electric rates are roughly twice the nation's average, with only Hawaii having higher rates. Rates at Southern California Edison and Pacific Gas & Electric increased by 51% over the last three years. "Ratepayers aren't getting the energy they've paid for," said Ron Miller, an energy industry consultant in Denver. He calculates that the retail value of the solar energy thrown away in a year would be more than $1 billion.

Gov. Gavin Newsom's advisors and those who manage the state's electric grid say they are working to reduce the curtailments, including by building more industrial-scale battery storage facilities that soak up the excess solar power during the day and then release it at night. Officials in the governor's office declined to be interviewed, but issued a statement saying the curtailments are often because of congestion on transmission lines, rather than a statewide oversupply of power. The state has been spending heavily to upgrade transmission lines to ease the congestion. "It's also important to have extra energy resources available that can help the state during periods of extreme weather and historic heatwaves when demand is particularly high, which have happened the past few years," the statement said...

The commercial solar industry contends that the expansion of storage capacity to bank solar power will eventually eliminate the glut.

"At points there was fear the talks would implode, as groups representing vulnerable small island states and the least-developed countries walked out of negotiations Saturday," according to a new report from CNN.

But after weeks of international climate talks at COP29, "the world agreed to a new climate deal... "with wealthy countries pledging to provide $300 billion annually by 2035 to poorer countries to help them cope with the increasingly catastrophic impacts of the climate crisis." The amount pledged, however, falls far short of the $1.3 trillion economists say is needed to help developing countries cope with a climate crisis they have done least to cause — and there has been a furious reaction from many developing countries. a fiery speech immediately after the gavel went down, India's representative Chandni Raina slammed the $300 billion as "abysmally poor" and a "paltry sum," calling the agreement "nothing more than an optical illusion" and unable to "address the enormity of the challenge we all face."

Others were equally damning in their criticism. We are leaving with a small portion of the funding climate-vulnerable countries urgently need," said Tina Stege, Marshall Islands climate envoy. Stege heavily criticized the talks as showing the "very worst of political opportunism." Fossil fuel interests "have been determined to block progress and undermine the multilateral goals we've worked to build," she said in a statement...

There was also a push for richer emerging economies such as China and Saudi Arabia to contribute to the climate funding package, but the agreement only "encourages" developing countries to make voluntary contributions, and places no obligations on them... Saudi Arabia, the world's top oil exporter, which has pushed against ambitious action at past climate summits, seemed even more emboldened in Baku, publicly and explicitly rejecting any reference to oil, coal and gas in the deal.
The package "is also being criticised as short-sighted from the richer world's perspective," notes the BBC: The argument runs that if you want to keep the world safe from rising temperatures, then wealthier nations need to help emerging economies cut their emissions, because that is where 75% of the growth in emissions has occurred in the past decade.
But "Delegations more optimistic about the agreement said this deal is headed in the right direction," writes the Associated Press, "with hopes that more money flows in the future." The text included a call for all parties to work together using "all public and private sources" to get closer to the $1.3 trillion per year goal by 2035. That means also pushing for international mega-banks, funded by taxpayer dollars, to help foot the bill. And it means, hopefully, that companies and private investors will follow suit on channeling cash toward climate action. The agreement is also a critical step toward helping countries on the receiving end create more ambitious targets to limit or cut emissions of heat-trapping gases.

On November 24th, 1971 — 53 years ago today — a mysterious man jumped out of an airplane clutching $200,000 in ransom money. (He'd extorted it from the airline by claiming he had a bomb, and it's still "the only unsolved case of air piracy in the history of commercial aviation," according to Wikipedia.) Will modern technology finally let us solve the case — or just turn it into a miniseries on Netflix? And have online researchers finally discovered the definitive clue?

The FBI vetted more than 800 suspects, according to the Wyoming news site Cowboy State Daily, but in 2016 announced they were suspending their active investigation.

So it's newsworthy that the FBI now appears to be investigating new evidence, according to an amateur D.B. Cooper researcher on YouTube: the discovery of what's believed to be D.B. Cooper's uniquely-modified parachute: Retired pilot, skydiver and YouTuber, Dan Gryder told Cowboy State Daily that he may have found the missing link after uncovering the modified military surplus bailout rig he believes was used by D.B. Cooper in the heist. It belonged to Richard Floyd McCoy II, and was carefully stored in his deceased mother's storage stash until very recently... McCoy's children, Chanté and Richard III, or "Rick," agree with Gryder that they believe their father was D.B. Cooper, a secret that shrouded the family but wasn't overtly discussed. For years, they said, the family stayed mum out of fear of implicating their mother, Karen, whom they believe was complicit in both hijackings. Upon her death in 2020, they broke their silence to Gryder after being contacted by him off and on for years.

Gryder, who has been researching the case for more than 20 years, documented his investigation in a lengthy two-part series on his YouTube channel, "Probable Cause," in 2021 and 2022, where he connects the dots and shows actual footage of him finding the parachute in an outbuilding on the McCoy family property in North Carolina in July 2022. On Monday, Gryder released a third video, "D.B. Cooper: Deep FBI Update," where he announced the FBI's new and very recent efforts in his discoveries. After watching his first two videos, Gryder said FBI agents contacted Rick and Gryder to see the parachute. It was the first investigative move by the agency since issuing the 2016 public statement, declaring the case closed pending new evidence. Gryder and Rick McCoy traveled to Richmond, Virginia, in September 2023, where they met with FBI agents, who took the harness and parachute into evidence along with a skydiving logbook found by Chanté that aligned with the timeline for both hijackings, providing another vital piece in the puzzle, Gryder said....

During the meeting, Gryder said the agents called it a first step. If the evidence proved fruitless, they would have promptly returned the skydiving rig, he said, but that didn't happen. Instead, an FBI agent called Rick a month later to ask to search the family property in Cove City, North Carolina, which McCoy's mother owned and where Gryder had found the parachute and canopy... [Gryder says he watched] at least seven vehicles descend on the property with more than a dozen agents who scoured the property for about four hours... Rick said he has provided a DNA sample and was told by the FBI agents that the next step might be exhuming his father's body, but no formal terms and conditions for that process have been established thus far, he said.
A retired commercial airline pilot who was present in the Virginia FBI meeting said "It was clear they were taking it seriously" — noting it was the FBI who'd requested that meeting. The article cites two FBI agents who'd earlier already believed D.B. Cooper was McCoy. And the article points out that the FBI "has never ruled McCoy out, stating in a 2006 statement that he was 'still a favorite suspect among many.'"

A second article notes that Gryder supports the FBI's recent request to exhume McCoy's body. As he sees it, "The existing DNA marker comparisons studied so far only validate the need for this final extreme step and should close the mystery once and for all."

And the article adds that McCoy's children are "eager for closure and hope that the FBI finds the evidence agents need to close the D.B. Cooper case once and for all."

America's Justice Department "has ordered all consensual searches by drug enforcement agents conducted at the nation's airports stopped," reports Georgia's local TV station Atlanta News First — after their series of investigations "uncovered how the agents often search innocent passengers at airport gates, looking for cash." On Thursday, the department made public a November 12, 2024, directive from the deputy attorney general to the U.S. Drug Enforcement Administration (DEA) that it suspend "all consensual encounters at mass transportation facilities unless they are either connected to an ongoing, predicated investigation involving one or more identified targets or criminal networks or approved by the DEA Administrator based on exigent circumstances." The management advisory memorandum was issued by DOJ Inspector General Michael Horowitz.

The memo specifically mentioned the case of an airline passenger interviewed by Atlanta News First Chief Investigator Brendan Keefe, author of the Atlanta News First investigation, In Plane Sight. The award-winning series uncovered how drug agents have been seizing anything over $5,000 if airline passengers can't prove — on the spot — that their own money didn't come from drug trafficking. The government seizes the cash when no drugs are found, without arresting the traveler or charging them with a crime, and the DEA gets to keep the money it seizes.

After witnessing the Atlanta News First series, the passenger in question — who was departing from Cincinnati and heading to New York, where he lives — refused consent to have his bags searched at the gate... "The DOJ Office of the Inspector General (OIG) further learned that the DEA Task Force Group selected this traveler for the encounter based on information provided by a DEA confidential source, who was an employee of a commercial airline, about travelers who had purchased tickets within 48 hours of the travel," the memo said. "The OIG learned that the DEA had been paying this employee a percentage of forfeited cash seized by the DEA office from passengers at the local airport when the seizure resulted from information the employee had provided to the DEA. The employee had received tens of thousands of dollars from the DEA over the past several years."
The news station's investigation "also revealed passengers selected for what the government calls 'random, consensual encounters' are actually profiled by the drug agents who search Black men far more often than any other group of passengers," according to the article.

"The reports analyzed data showing that, for drug agents to find just one passenger with money, they have to publicly search 10 departing passengers."

NBC News reports that a newly identified chemical byproduct "may be present in drinking water in about a third of U.S. homes, a study found."

"Scientists do not yet know whether the byproduct is dangerous. But some are worried that it could have toxic properties because of similarities to other chemicals of concern." The newly identified substance, named "chloronitramide anion," is produced when water is treated with chloramine, a chemical formed by mixing chlorine and ammonia. Chloramine is often used to kill viruses and bacteria in municipal water treatment systems. Researchers said the existence of the byproduct was discovered about 40 years ago, but it was only identified now because analysis techniques have improved, which finally enabled scientists to determine the chemical's structure.

It could take years to figure out whether chloronitramide anion is dangerous — it's never been studied. The researchers reported their findings Thursday in the journal Science, in part to spur research to address safety concerns. The scientists said they have no hard evidence to suggest that the compound represents a danger, but that it bears similarities to other chemicals of concern. They think it deserves scrutiny because it's been detected so widely...

David Reckhow, a research professor in civil and environmental engineering at the University of Massachusetts, Amherst, who was not involved with the study, said the finding was an important step. The ultimate goal, he said, is understanding whether the substance is a hazard; he concurred that it was likely toxic. "It's a pretty small molecule and it can probably for that reason enter into biological systems and into cells. And it is still a reactive molecule," he said. "Those are the kinds of things you worry about."
"It's estimated more than 113 million people drink chloraminated processed water in the U.S.," according to a follow-up article by ABC News.

But they also include this quote from Dr. Stephanie Widmer, a board-certified medical toxicologist and emergency medicine physician. "The reality is that no one really knows too much about this chloronitramide and its impact on human health, and more research needs to be done. These disinfecting chemicals have been giving us clean drinking water for decades, so no reason to fear drinking water as a result of this study." Although ABC News tacks on this sentence.

"The study authors suggest, in general, adding a carbon filter to a sink or a standalone pitcher may be a good option for those concerned."

Thanks to long-time Slashdot reader Greymane for sharing the news.

Meta wants to force Apple and Google to verify the ages of people downloading apps from their app stores, reports the Washington Post — and now Meta's campaign "is picking up momentum" with legislators in the U.S. Congress.

Federal and state lawmakers have recently proposed a raft of measures requiring that platforms such as Meta's Facebook and Instagram block users under a certain age from using their sites. The push has triggered fierce debate over the best way to ascertain how old users are online. Last year Meta threw its support behind legislation that would push those obligations onto app stores rather than individual app providers, like itself, as your regular host and Naomi Nix reported. While some states have considered the plan, it has not gained much traction in Washington.

That could be shifting. Two congressional Republicans are preparing a new age verification bill that places the burden on app stores, according to two people familiar with the matter, who spoke on the condition of anonymity to discuss the plans... The bill would be the first of its kind on Capitol Hill, where lawmakers have called for expanding guardrails for children amid concerns about the risks of social media but where political divisions have bogged down talks. The measure would give parents the right to sue an app store if their child was exposed to certain content, such as lewd or sexual material, according to a copy obtained by the Tech Brief. App stores could be protected against legal claims, however, if they took steps to protect children against harms, such as verifying their ages and giving parents the ability to block app downloads.
The article points out that U.S. lawmakers "have the power to set national standards that could override state efforts if they so choose..."

An anonymous reader shared this report from CNET: Meta says it's taken down more than 2 million accounts this year linked to overseas criminal gangs behind scam operations that human rights activists say forced hundreds of thousands of people to work as scammers and cost victims worldwide billions of dollars.

In a Thursday blog post, the parent of Facebook, Instagram and WhatsApp says the pig butchering scam operations — based in Myanmar, Laos, Cambodia, the United Arab Emirates and the Philippines — use platforms like Facebook and Instagram; dating, messaging, crypto and other kinds of apps; and texts and emails, to globally target people... [T]he scammers strike up an online relationship with their victims and gain their trust. Then they move their conversations to crypto apps or scam websites and dupe victims into making bogus investments or otherwise handing over their money, Meta said. They'll ask the victims to deposit money, often in the form of cryptocurrency, into accounts, sometimes even letting the victims make small withdrawals, in order to add a veneer of legitimacy. But once the victim starts asking for their investment back, or it becomes clear they don't have any more money to deposit, the scammer disappears and takes the money with them.

And the people doing the scamming are often victims themselves. During the COVID-19 pandemic, criminal gangs began building scam centers in Southeast Asia, luring in often unsuspecting job seekers with what looked like amazing postings on local job boards and other platforms, then forcing them to work as scammers, often under the threat of physical harm. The scope of what's become a global problem is staggering. In a report issued in May, the US Institute of Peace estimates that at least 300,000 people are being forced to work, or are otherwise suffering human rights violations, inside these scam centers. The report also estimates global financial losses stemming from the scams at $64 billion in 2023, with the number of financial victims in the millions.

Meta says it has focused on investigating and disrupting the scam operations for more than two years, working with nongovernmental organizations and other tech companies, like OpenAI, Coinbase and dating-app operator Match Group, along with law enforcement in both the US and the countries where the centers are located.
Meta titled its blog post "Cracking Down On Organized Crime Behind Scam Centers," writing "We hope that sharing our insights will help inform our industry's defenses so we can collectively help protect people from criminal scammers."

Longtime Slashdot reader mspohr shares a report from Gizmodo: Hackers for the Chinese government were able to deeply penetrate U.S. telecommunications infrastructure in ways that President Joe Biden's administration hasn't yet acknowledged, according to new reports from the Washington Post and New York Times. The hackers were able to listen to phone calls and read text messages, reportedly exploiting the system U.S. authorities use to wiretap Americans in criminal cases. The worst part? The networks are still compromised and it may take incredibly drastic measures to boot them from U.S. systems.

The hackers behind the infiltration of U.S. telecom infrastructure are known to Western intelligence agencies as Salt Typhoon, and this particular breach of U.S. equipment was first reported in early October by the Wall Street Journal. But Sen. Mark Warner, a Democrat from Virginia, spoke with the Washington Post and New York Times this week to warn the public that this is so much worse than we initially thought, dubbing it "the worst telecom hack in our nation's history." And those articles based on Warner's warnings were published late Thursday.

Hackers weren't able to monitor or intercept anything encrypted, according to the Times, which means that conversations over apps like Signal and Apple's iMessage were probably protected. But end-to-end encryption over texts between Apple devices and Android devices, for instance, aren't encrypted in the same way, meaning they were vulnerable to interception by Salt Typhoon, according to the Times. The details about how the hackers were able to push so deeply into U.S. systems are still scarce, but it has something to do with the ways in which U.S. authorities wiretap suspects in this country with a court order.

"Steven Adair, of cybersecurity firm Veloxity, revealed at the Cyberwarcon security conference how Russian hackers were able to daisy-chain as many as three separate Wi-Fi networks in their efforts to attack victims," writes Longtime Slashdot reader smooth wombat. Wired reports: Adair says that Volexity first began investigating the breach of its DC customer's network in the first months of 2022, when the company saw signs of repeated intrusions into the customer's systems by hackers who had carefully covered their tracks. Volexity's analysts eventually traced the compromise to a hijacked user's account connecting to a Wi-Fi access point in a far end of the building, in a conference room with external-facing windows. Adair says he personally scoured the area looking for the source of that connection. "I went there to physically run down what it could be. We looked at smart TVs, looked for devices in closets. Is someone in the parking lot? Is it a printer?" he says. "We came up dry."

Only after the next intrusion, when Volexity managed to get more complete logs of the hackers' traffic, did its analysts solve the mystery: The company found that the hijacked machine which the hackers were using to dig around in its customer's systems was leaking the name of the domain on which it was hosted -- in fact, the name of another organization just across the road. "At that point, it was 100 percent clear where it was coming from," Adair says. "It's not a car in the street. It's the building next door." With the cooperation of that neighbor, Volexity investigated that second organization's network and found that a certain laptop was the source of the street-jumping Wi-Fi intrusion. The hackers had penetrated that device, which was plugged into a dock connected to the local network via Ethernet, and then switched on its Wi-Fi, allowing it to act as a radio-based relay into the target network. Volexity found that, to break into that target's Wi-Fi, the hackers had used credentials they'd somehow obtained online but had apparently been unable to exploit elsewhere, likely due to two-factor authentication.

Volexity eventually tracked the hackers on that second network to two possible points of intrusion. The hackers appeared to have compromised a VPN appliance owned by the other organization. But they had also broken into the organization's Wi-Fi from another network's devices in the same building, suggesting that the hackers may have daisy-chained as many as three networks via Wi-Fi to reach their final target. "Who knows how many devices or networks they compromised and were doing this on," says Adair. Volexity had presumed early on in its investigation that the hackers were Russian in origin due to their targeting of individual staffers at the customer organization focused on Ukraine. Then in April, fully two years after the original intrusion, Microsoft warned of a vulnerability in Windows' print spooler that had been used by Russia's APT28 hacker group -- Microsoft refers to the group as Forest Blizzard -- to gain administrative privileges on target machines. Remnants left behind on the very first computer Volexity had analyzed in the Wi-Fi-based breach of its customer exactly matched that technique. "It was an exact one-to-one match," Adair says.

An anonymous reader quotes a report from Reuters: Google has sued one of its former engineers in Texas federal court, accusing him of stealing trade secrets related to its chip designs and sharing them publicly on the internet. The lawsuit, filed on Tuesday (PDF), said that Harshit Roy "touted his dominion" over the secrets in social media posts, tagging competitors and making threatening statements to the company including "I need to take unethical means to get what I am entitled to" and "remember that empires fall and so will you."

Google hired Roy in 2020 to develop computer chips used in Google Pixel devices like smartphones. Google said in the lawsuit that Roy resigned in February and moved from Bangalore, India to the United States in August to attend a doctorate program at the University of Texas at Austin. According to the complaint, Roy began posting confidential Google information to his X account later that month along with "subversive text" directed at the company, such as "don't expect me to adhere to any confidentiality agreement." The posts included photographs of internal Google documents with specifications for Pixel processing chips.

The lawsuit said that Roy ignored Google's takedown requests and has posted additional trade secrets to X and LinkedIn since October. Google alleged that Roy tagged competitors Apple and Qualcomm in some of the posts, "presumably to maximize the potential harm of his disclosure." Google's complaint also said that several news outlets have published stories with confidential details about Google's devices based on the information that Roy leaked. Google asked the court for an unspecified amount of monetary damages and court orders blocking Roy from using or sharing its secrets.

Netflix is looking toward Discord for help in figuring out who, exactly, is leaking unreleased footage from some of its popular shows. From a report: The Northern District of California court issued a subpoena on Thursday to compel Discord to share information that can help identify a Discord user who's reportedly involved in leaking episodes and images from Netflix shows like Arcane and Squid Game.

Documents filed alongside the subpoena specifically call out an unreleased and copyrighted image from the second season of Squid Game, posted by a Discord user @jacejohns4n. In an interview linked on the user's now deleted X account, published on Telegram, the leaker claimed responsibility for the self-described "worst leak in streaming history," where episodes of Arcane, Heartstopper, Dandadan, Terminator Zero, and other shows were published online. Netflix confirmed in August that a post production studio was hacked.

The Register's Simon Sharwood reports: Japan's National Consumer Affairs Center on Wednesday suggested citizens start "digital end of life planning" and offered tips on how to do it. The Center's somewhat maudlin advice is motivated by recent incidents in which citizens struggled to cancel subscriptions their loved ones signed up for before their demise, because they didn't know their usernames or passwords. The resulting "digital legacy" can be unpleasant to resolve, the agency warns, so suggested four steps to simplify ensure our digital legacies aren't complicated:

- Ensuring family members can unlock your smartphone or computer in case of emergency;
- Maintain a list of your subscriptions, user IDs and passwords;
- Consider putting those details in a document intended to be made available when your life ends;
- Use a service that allows you to designate someone to have access to your smartphone and other accounts once your time on Earth ends.

The Center suggests now is the time for it to make this suggestion because it is aware of struggles to discover and resolve ongoing expenses after death. With smartphones ubiquitous, the org fears more people will find themselves unable to resolve their loved ones' digital affairs -- and powerless to stop their credit cards being charged for services the departed cannot consume.

An anonymous reader quotes a report from Ars Technica: A federal court yesterday ruled against parents who sued a Massachusetts school district for punishing their son who used an artificial intelligence tool to complete an assignment. Dale and Jennifer Harris sued Hingham High School officials and the School Committee and sought a preliminary injunction requiring the school to change their son's grade and expunge the incident from his disciplinary record before he needs to submit college applications. The parents argued that there was no rule against using AI in the student handbook, but school officials said the student violated multiple policies.

The Harris' motion for an injunction was rejected in an order (PDF) issued yesterday from US District Court for the District of Massachusetts. US Magistrate Judge Paul Levenson found that school officials "have the better of the argument on both the facts and the law."

"On the facts, there is nothing in the preliminary factual record to suggest that HHS officials were hasty in concluding that RNH [the Harris' son, referred to by his initials] had cheated," Levenson wrote. "Nor were the consequences Defendants imposed so heavy-handed as to exceed Defendants' considerable discretion in such matters." "On the evidence currently before the Court, I detect no wrongdoing by Defendants," Levenson also wrote. "The manner in which RNH used Grammarly -- wholesale copying and pasting of language directly into the draft script that he submitted -- powerfully supports Defendants' conclusion that RNH knew that he was using AI in an impermissible fashion," Levenson wrote. While "the emergence of generative AI may present some nuanced challenges for educators, the issue here is not particularly nuanced, as there is no discernible pedagogical purpose in prompting Grammarly (or any other AI tool) to generate a script, regurgitating the output without citation, and claiming it as one's own work," the order said.

Levenson concluded with a quote from a 1988 Supreme Court ruling that said the education of youth "is primarily the responsibility of parents, teachers, and state and local school officials, and not of federal judges." According to Levenson, "This case well illustrates the good sense in that division of labor. The public interest here weighs in favor of Defendants."

According to Business Insider (paywalled), Microsoft's Copilot tool inadvertently let customers access sensitive information, such as CEO emails and HR documents. Now, Microsoft is working to fix the situation, deploying new tools and a guide to address the privacy concerns. The story was highlighted by Salesforce CEO Marc Benioff. From the report: These updates are designed "to identify and mitigate oversharing and ongoing governance concerns," the company said in a blueprint for Microsoft's 365 productivity software suite. [...] Copilot's magic -- its ability to create a 10-slide road-mapping presentation, or to summon a list of your company's most profitable products -- works by browsing and indexing all your company's internal information, like the web crawlers used by search engines. IT departments at some companies have set up lax permissions for who can access internal documents -- selecting "allow all" for the company's HR software, say, rather than going through the trouble of selecting specific users.

That didn't create much of a problem because there wasn't a tool that an average employee could use to identify and retrieve sensitive company documents -- until Copilot. As a result, some customers have deployed Copilot only to discover that it can let employees read an executive's inbox or access sensitive HR documents. "Now when Joe Blow logs into an account and kicks off Copilot, they can see everything," a Microsoft employee familiar with customer complaints said. "All of a sudden Joe Blow can see the CEO's emails."

An anonymous reader shares a report: People are using Spotify playlist and podcast descriptions to distribute spam, malware, pirated software and cheat codes for video games. Cybersecurity researcher Karol Paciorek posted an example of this: A Spotify playlist titled "*Sony Vegas Pro*13 C-r-a-c-k Free Download 2024 m-y-s-o-f-t-w-a-r-e-f-r-e-e.com" acts as a free advertisement for piracy website m-y-s-o-f-t-w-a-r-e-f-r-e-e[dot]com, which hosts malicious software.

"Cybercriminals exploit Spotify for #malware distribution," Paciorek posted on X. "Why? Spotify has a strong reputation and its pages are easily indexed by search engines, making it an effective platform to promote malicious links."

"The playlist title in question has been removed," a spokesperson for Spotify told 404 Media in a statement. "Spotify's Platform Rules prohibit posting, sharing, or providing instructions on implementing malware or related malicious practices that seek to harm or gain unauthorized access to computers, networks, systems, or other technologies."

An anonymous reader shares a report: Lawyers for The New York Times and Daily News, which are suing OpenAI for allegedly scraping their works to train its AI models without permission, say OpenAI engineers accidentally deleted data potentially relevant to the case. Earlier this fall, OpenAI agreed to provide two virtual machines so that counsel for The Times and Daily News could perform searches for their copyrighted content in its AI training sets.

In a letter, attorneys for the publishers say that they and experts they hired have spent over 150 hours since November 1 searching OpenAI's training data. But on November 14, OpenAI engineers erased all the publishers' search data stored on one of the virtual machines, according to the aforementioned letter, which was filed in the U.S. District Court for the Southern District of New York late Wednesday. OpenAI tried to recover the data -- and was mostly successful. However, because the folder structure and file names were "irretrievably" lost, the recovered data "cannot be used to determine where the news plaintiffs' copied articles were used to build [OpenAI's] models," per the letter. "News plaintiffs have been forced to recreate their work from scratch using significant person-hours and computer processing time," counsel for The Times and Daily News wrote.

In a 23-page document (PDF) filed late Wednesday, U.S. regulators asked a federal judge to break up Google after a court found the tech giant of maintaining an abusive monopoly through its dominant search engine. As punishment, the DOJ calls for a sale of Google's Chrome browser and restrictions to prevent Android from favoring its own search engine. The Associated Press reports: Although regulators stopped short of demanding Google sell Android too, they asserted the judge should make it clear the company could still be required to divest its smartphone operating system if its oversight committee continues to see evidence of misconduct. [...] The Washington, D.C. court hearings on Google's punishment are scheduled to begin in April and Mehta is aiming to issue his final decision before Labor Day. If [U.S. District Judge Amit Mehta] embraces the government's recommendations, Google would be forced to sell its 16-year-old Chrome browser within six months of the final ruling. But the company certainly would appeal any punishment, potentially prolonging a legal tussle that has dragged on for more than four years.

Besides seeking a Chrome spinoff and a corralling of the Android software, the Justice Department wants the judge to ban Google from forging multibillion-dollar deals to lock in its dominant search engine as the default option on Apple's iPhone and other devices. It would also ban Google from favoring its own services, such as YouTube or its recently-launched artificial intelligence platform, Gemini. Regulators also want Google to license the search index data it collects from people's queries to its rivals, giving them a better chance at competing with the tech giant. On the commercial side of its search engine, Google would be required to provide more transparency into how it sets the prices that advertisers pay to be listed near the top of some targeted search results. The measures, if they are ordered, threaten to upend a business expected to generate more than $300 billion in revenue this year. "The playing field is not level because of Google's conduct, and Google's quality reflects the ill-gotten gains of an advantage illegally acquired," the Justice Department asserted in its recommendations. "The remedy must close this gap and deprive Google of these advantages."

A new study reveals that many users, particularly students and Redditors, view Z-Library as a vital resource for overcoming economic barriers to education, reflecting a "Robin Hood" mentality that prioritizes access to knowledge over copyright concerns. TorrentFreak reports: The research looks at the motivations of two groups; Reddit users and Chinese postgraduate students. Despite the vast differences between these groups, their views on Z-Library are quite similar. The 134 Reddit responses were sampled from the Zlibrary subreddit, which is obviously biased in favor of the site. However, the reasoning goes well beyond a simple "I want free stuff" arguments. Many commenters highlighted that they were drawn to the site out of poverty, for example, or they highlighted that Z-Library was an essential tool to fulfill their academic goals.

"Living in a 3rd world country, 1 book would cost like 50%- 80% already of my daily wage," one Redditor wrote. The idea that Z-Library is a 'necessary evil' was also highlighted by other commenters. This includes a student who can barely make ends meet, and a homeless person, who has neither the money nor the space for physical books. The lack of free access to all study materials, including academic journal subscriptions at university libraries, was also a key motivator. Paired with the notion that journal publishers make billions of dollars, without compensating authors, justification is found for 'pirate' alternatives. "They make massive profits. So stealing from them doesn't hurt the authors nor reviewers, just the rich greedy publishers who make millions just to design a cover and click 'publish'," one Redditor wrote.

The second part of the study is conducted in a more structured format among 103 postgraduate students in China. This group joined a seminar where Z-Library and the crackdown were discussed. In addition, the students participated in follow-up focus group discussions, while also completing a survey. Despite not all being users of the shadow library, 41% of the students agreed that the site's (temporary) shutdown affected their ability to study and find resources for degree learning. In general, the students have a favorable view toward Z-Library and similar sites, and 71% admit that they have used a shadow library in the past. In line with China's socialist values, the overwhelming majority of the students agreed that access to knowledge should be free for everyone. While the students are aware of copyright law, they believe that the need to access knowledge outweighs rightsholders' concerns. This is also reflected in the following responses, among others. All in all, Z-Library and other shadow libraries are seen as a viable option for expensive or inaccessible books, despite potential copyright concerns. The paper has been published in the Journal of University Teaching & Learning Practice.

The Verge's Richard Lawler reports: Strava recently informed its users and partners that new terms for its API restrict the data that third-party apps can show, refrain from replicating Strava's look, and place a ban on using data "for any model training related to artificial intelligence, machine learning or similar applications." The policy is effective as of November 11th, even though Strava's own post about the change is dated November 15th.

There are plenty of posts on social media complaining about the sudden shift, but one place where dissent won't be tolerated is Strava's own forums. The company says, "...posts requesting or attempting to have Strava revert business decisions will not be permitted." Brian Bell, Strava's VP of Communications and Social Impact, said in a statement: "We anticipate that these changes will affect only a small fraction (less than .1 percent) of the applications on the Strava platform -- the overwhelming majority of existing use cases are still allowed, including coaching platforms focused on providing feedback to users and tools that help users understand their data and performance."

Half of young Norwegians find online piracy acceptable when streaming services are too expensive, according to a new government survey released this week. The Ipsos poll of 1,411 respondents found that 32% of all Norwegians justify using pirate sites to save money, with acceptance rising to 50% among those under 30.

The rates increase further when specifically asked about pirating due to high streaming costs. Despite concerns about piracy, 61% of Norwegians paid for streaming services in the past year, including 64% of those under 30. Among active pirates, 41% said they would stop if legal services were more affordable, while 35% wanted broader content per service. Only 47% of respondents believed piracy supports organized crime, with 24% expressing uncertainty about this connection.

An anonymous reader shares a report: The US Patent and Trademark Office banned the use of generative artificial intelligence for any purpose last year, citing security concerns with the technology as well as the propensity of some tools to exhibit "bias, unpredictability, and malicious behavior," according to an April 2023 internal guidance memo obtained by WIRED through a public records request. Jamie Holcombe, the chief information officer of the USPTO, wrote that the office is "committed to pursuing innovation within our agency" but are still "working to bring these capabilities to the office in a responsible way."

Paul Fucito, press secretary for the USPTO, clarified to WIRED that employees can use "state-of-the-art generative AI models" at work -- but only inside the agency's internal testing environment. "Innovators from across the USPTO are now using the AI Lab to better understand generative AI's capabilities and limitations and to prototype AI-powered solutions to critical business needs," Fucito wrote in an email.

One of India's largest news agencies, Asian News International, has sued OpenAI in a case that could set a precedent for how AI companies use copyrighted news content in the world's most populous nation. From a report: Asian News International filed a 287-page lawsuit in the Delhi High Court on Monday, alleging the AI company illegally used its content to train its AI models and generated false information attributed to the news agency. The case marks the first time an Indian media organization has taken legal action against OpenAI over copyright claims.