Government

Senator Blocks Trump-Backed Effort To Make Daylight Saving Time Permanent (politico.com)

An anonymous reader quotes a report from Politico: Sen. Tom Cotton wasn't fast enough in 2022 to block Senate passage of legislation that would make daylight saving time permanent. Three years later, he wasn't about to repeat that same mistake. The Arkansas Republican was on hand Tuesday afternoon to thwart a bipartisan effort on the chamber floor to pass a bill that would put an end to changing the clocks twice a year, including this coming Sunday. [...] A cross-party coalition of lawmakers has been trying for years to make daylight saving time the default, which would result in more daylight in the evening hours with less in the morning, plus bring a halt to biannual clock adjustments.

President Donald Trump endorsed the concept this spring, calling the changing of the clocks "a big inconvenience and, for our government, A VERY COSTLY EVENT!!!" His comments coincided with a hearing, then a markup, of Scott's legislation in the Senate Commerce Committee. It set off an intense lobbying battle in turn, pitting the golf and retail industries -- which are advocating for permanent daylight saving time -- against the likes of sleep doctors and Christian radio broadcasters -- who prefer standard time.
"If permanent Daylight Savings Time becomes the law of the land, it will again make winter a dark and dismal time for millions of Americans," said Cotton in his objection to a request by Sen. Rick Scott (R-Fla.) to advance the bill by unanimous consent. "For many Arkansans, permanent daylight savings time would mean the sun wouldn't rise until after 8:00 or even 8:30am during the dead of winter," Cotton continued. "The darkness of permanent savings time would be especially harmful for school children and working Americans."
AI

Senators Announce Bill That Would Ban AI Chatbot Companions For Minors (nbcnews.com)

An anonymous reader quotes a report from NBC News: Two senators said they are announcing bipartisan legislation on Tuesday to crack down on tech companies that make artificial intelligence chatbot companions available to minors, after complaints from parents who blamed the products for pushing their children into sexual conversations and even suicide. The legislation from Sens. Josh Hawley, R-Mo, and Richard Blumenthal, D-Conn., follows a congressional hearing last month at which several parents delivered emotional testimonies about their kids' use of the chatbots and called for more safeguards.

"AI chatbots pose a serious threat to our kids," Hawley said in a statement to NBC News. "More than seventy percent of American children are now using these AI products," he continued. "Chatbots develop relationships with kids using fake empathy and are encouraging suicide. We in Congress have a moral duty to enact bright-line rules to prevent further harm from this new technology." Sens. Katie Britt, R-Ala., Mark Warner, D-Va., and Chris Murphy, D-Conn., are co-sponsoring the bill.

The senators' bill has several components, according to a summary provided by their offices. It would require AI companies to implement an age-verification process and ban those companies from providing AI companions to minors. It would also mandate that AI companions disclose their nonhuman status and lack of professional credentials for all users at regular intervals. And the bill would create criminal penalties for AI companies that design, develop or make available AI companions that solicit or induce sexually explicit conduct from minors or encourage suicide, according to the summary of the legislation.
"In their race to the bottom, AI companies are pushing treacherous chatbots at kids and looking away when their products cause sexual abuse, or coerce them into self-harm or suicide," Blumenthal said in a statement. "Our legislation imposes strict safeguards against exploitative or manipulative AI, backed by tough enforcement with criminal and civil penalties."

"Big Tech has betrayed any claim that we should trust companies to do the right thing on their own when they consistently put profit first ahead of child safety," he continued.
Python

Python Foundation Rejects Government Grant Over DEI Restrictions (theregister.com)

The Python Software Foundation rejected a $1.5 million U.S. government grant because it required them to renounce all diversity, equity, and inclusion initiatives. "The non-profit would've used the funding to help prevent supply chain attacks; create a new automated, proactive review process for new PyPI packages; and make the project's work easily transferable to other open-source package managers," reports The Register. From the report: The programming non-profit's deputy executive director Loren Crary said in a blog post today that the National Science Foundation (NSF) had offered $1.5 million to address structural vulnerabilities in Python and the Python Package Index (PyPI), but the Foundation quickly became dispirited with the terms (PDF) of the grant it would have to follow. "These terms included affirming the statement that we 'do not, and will not during the term of this financial assistance award, operate any programs that advance or promote DEI [diversity, equity, and inclusion], or discriminatory equity ideology in violation of Federal anti-discrimination laws,'" Crary noted. "This restriction would apply not only to the security work directly funded by the grant, but to any and all activity of the PSF as a whole."

To make matters worse, the terms included a provision that if the PSF was found to have violated that anti-DEI diktat, the NSF reserved the right to claw back any previously disbursed funds, Crary explained. "This would create a situation where money we'd already spent could be taken back, which would be an enormous, open-ended financial risk," the PSF director added. The PSF's mission statement enshrines a commitment to supporting and growing "a diverse and international community of Python programmers," and the Foundation ultimately decided it wasn't willing to compromise on that position, even for what would have been a solid financial boost for the organization. "The PSF is a relatively small organization, operating with an annual budget of around $5 million per year, with a staff of just 14," Crary added, noting that the $1.5 million would have been the largest grant the Foundation had ever received - but it wasn't worth it if the conditions were undermining the PSF's mission. The PSF board voted unanimously to withdraw its grant application.

The Courts

ExxonMobil Accuses California of Violating Its Free Speech (theverge.com)

ExxonMobil has sued California, claiming the state's new climate disclosure laws violate its First Amendment rights by forcing the company to report greenhouse gas emissions and climate risks using standards it "fundamentally disagrees with." The Verge reports: The oil and gas company claims that the two laws in question aim to "embarrass" large corporations the state "believes are uniquely responsible for climate change" in order to push them to reduce their greenhouse gas emissions. There is overwhelming scientific consensus that greenhouse gas emissions from fossil fuels cause climate change by trapping heat on the planet. [...] Under laws the state passed in 2023, "ExxonMobil will be forced to describe its emissions and climate-related risks in terms the company fundamentally disagrees with," a complaint filed Friday says. The suit asks a US District Court to stop the laws from being enforced.

[...] ExxonMobil's latest suit now says the company "understands the very real risks associated with climate change and supports continued efforts to address those risks," but that California's laws would force it "to describe its emissions and climate-related risks in terms the company fundamentally disagrees with." "These laws are about transparency. ExxonMobil might want to continue keeping the public in the dark, but we're ready to litigate vigorously in court to ensure the public's access to these important facts," Christine Lee, a spokesperson for the California Department of Justice, said in an email to The Verge.

Firefox

Firefox Plans Smarter, Privacy-First Search Suggestions In Your Address Bar (nerds.xyz)

BrianFagioli shares a report from NERDS.xyz: Mozilla is testing a new Firefox feature that delivers direct results inside the address bar instead of forcing users through a search results page. The company says the feature will use a privacy framework called Oblivious HTTP, encrypting queries so that no single party can see both what you type and who you are. Some results could be sponsored, but Mozilla insists neither it nor advertisers will know user identities. The system is starting in the U.S. and may expand later if performance and privacy benchmarks are met. Further reading: Mozilla to Require Data-Collection Disclosure in All New Firefox Extensions
Security

Ransomware Profits Drop As Victims Stop Paying Hackers (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: The number of victims paying ransomware threat actors has reached a new low, with just 23% of the breached companies giving in to attackers' demands. With some exceptions, the decline in payment resolution rates continues the trend that Coveware has observed for the past six years. In the first quarter of 2024, the payment percentage was 28%. Although it increased over the next period, it continued to drop, reaching an all-time low in the third quarter of 2025.

One explanation for this is that organizations implemented stronger and more targeted protections against ransomware, and authorities increasing pressure for victims not to pay the hackers. [...] Over the years, ransomware groups moved from pure encryption attacks to double extortion that came with data theft and the threat of a public leak. Coveware reports that more than 76% of the attacks it observed in Q3 2025 involved data exfiltration, which is now the primary objective for most ransomware groups. The company says that when it isolates the attacks that do not encrypt the data and only steal it, the payment rate plummets to 19%, which is also a record for that sub-category.

The average and median ransomware payments fell in Q3 compared to the previous quarter, reaching $377,000 and $140,000, respectively, according to Coveware. The shift may reflect large enterprises revising their ransom payment policies and recognizing that those funds are better spent on strengthening defenses against future attacks. The researchers also note that threat groups like Akira and Qilin, which accounted for 44% of all recorded attacks in Q3 2025, have switched focus to medium-sized firms that are currently more likely to pay a ransom.
"Cyber defenders, law enforcement, and legal specialists should view this as validation of collective progress," Coveware says. "The work that gets put in to prevent attacks, minimize the impact of attacks, and successfully navigate a cyber extortion -- each avoided payment constricts cyber attackers of oxygen."
Australia

Australia Sues Microsoft Over AI-linked Subscription Price Hikes (reuters.com)

Australia's competition regulator sued Microsoft today, accusing it of misleading millions of customers into paying higher prices for its Microsoft 365 software after bundling it with AI tool Copilot. From a report: The Australian Competition and Consumer Commission alleged that from October 2024, the technology giant misled about 2.7 million customers by suggesting they had to move to higher-priced Microsoft 365 personal and family plans that included Copilot.

After the integration of Copilot, the annual subscription price of the Microsoft 365 personal plan increased by 45% to A$159 ($103.32) and the price of the family plan increased by 29% to A$179, the ACCC said. The regulator said Microsoft failed to clearly tell users that a cheaper "classic" plan without Copilot was still available.

Transportation

How America's Transportation Department Blocked a Self-Driving Truck Company (reason.com)

Reason.com explores the fortunes of Aurora Innovation, the first company to put heavy-duty commercial self-driving trucks on public roads (and which hopes to expand routes to El Paso, Texas, and Phoenix by the end of the year): An obscure federal rule is slowing the self-driving revolution. When trucks break down, operators are required to place reflective warning cones and road flares around the truck to warn other motorists. The regulations are exacting: Within 10 minutes of stopping, three warning signals must be set in specific locations around the truck. Aurora asked the federal Department of Transportation (DOT) to allow warning beacons to be fixed to the truck itself — and activated when a truck becomes disabled. The warning beacons would face both forward and backward, would be more visible than cones (particularly at night), and wouldn't burn out like road flares. Drivers of nonautonomous vehicles could also benefit from that rule change, as they would no longer have to walk into traffic to place the required safety signals.

In December 2024, however, the Transportation Department denied Aurora's request for an exemption to the existing rules, even though regulators admitted in the Federal Register that no evidence indicated the truck-mounted beacons would be less safe. Such a study is now underway, but it's unclear how long it will take to draw any conclusions.

The article notes that Aurora has now filed a lawsuit in federal court that seeks to overturn the Transportation Department's denial...

Thanks to long-time Slashdot reader schwit1 for sharing the article.
Government

Exxon Sues California Over Climate Disclosure Laws (reuters.com)

"Exxon Mobil sued California on Friday," reports Reuters, "challenging two state laws that require large companies to publicly disclose their greenhouse gas emissions and climate-related financial risks." In a complaint filed in the U.S. District Court for the Eastern District of California, Exxon argued that Senate Bills 253 and 261 violate its First Amendment rights by compelling Exxon to "serve as a mouthpiece for ideas with which it disagrees," and asked the court to block the state of California from enforcing the laws. Exxon said the laws force it to adopt California's preferred frameworks for climate reporting, which it views as misleading and counterproductive...

The California laws were supported by several big companies including Apple, Ikea and Microsoft, but opposed by several major groups such as the American Farm Bureau Federation and the U.S. Chamber of Commerce, which called them "onerous." SB 253 requires public and private companies that are active in the state and generate revenue of more than $1 billion annually to publish an extensive account of their carbon emissions starting in 2026. The law requires the disclosure of both the companies' own emissions and indirect emissions by their suppliers and customers. SB 261 requires companies that operate in the state with over $500 million in revenue to disclose climate-related financial risks and strategies to mitigate risk. Exxon also argued that SB 261 conflicts with existing federal securities laws, which already regul

"The First Amendment bars California from pursuing a policy of stigmatization by forcing Exxon Mobil to describe its non-California business activities using the State's preferred framing," Exxon said in the lawsuit.

Exxon Mobil "asks the court to prevent the laws from going into effect next year," reports the Associated Press: In its complaint, ExxonMobil says it has for years publicly disclosed its greenhouse gas emissions and climate-related business risks, but it fundamentally disagrees with the state's new reporting requirements. The company would have to use "frameworks that place disproportionate blame on large companies like ExxonMobil" for the purpose of shaming such companies, the complaint states...

A spokesperson for the office of California Gov. Gavin Newsom said in an email that it was "truly shocking that one of the biggest polluters on the planet would be opposed to transparency."

Crime

North Korea Has Stolen Billions in Cryptocurrency and Tech Firm Salaries, Report Says (apnews.com)

The Associated Press reports that "North Korean hackers have pilfered billions of dollars" by breaking into cryptocurrency exchanges and by creating fake identities to get remote tech jobs at foreign companies — all orchestrated by the North Korean government to finance R&D on nuclear arms.

That's according to a new 138-page report by a group watching North Korea's compliance with U.N. sanctions (including officials from the U.S., Australia, Canada, France, Germany, Italy, Japan, the Netherlands, New Zealand, South Korea and the United Kingdom). From the Associated Press: North Korea also has used cryptocurrency to launder money and make military purchases to evade international sanctions tied to its nuclear program, the report said. It detailed how hackers working for North Korea have targeted foreign businesses and organizations with malware designed to disrupt networks and steal sensitive data...

Unlike China, Russia and Iran, North Korea has focused much of its cyber capabilities to fund its government, using cyberattacks and fake workers to steal and defraud companies and organizations elsewhere in the world... Earlier this year, hackers linked to North Korea carried out one of the largest crypto heists ever, stealing $1.5 billion worth of ethereum from Bybit. The FBI later linked the theft to a group of hackers working for the North Korean intelligence service.

Federal authorities also have alleged that thousands of IT workers employed by U.S. companies were actually North Koreans using assumed identities to land remote work. The workers gained access to internal systems and funneled their salaries back to North Korea's government. In some cases, the workers held several remote jobs at the same time.

Crime

Myanmar Military Shuts Down a Major Cybercrime Center and Detains Over 2,000 People (apnews.com)

An anonymous reader shares this report from the Associated Press: Myanmar's military has shut down a major online scam operation near the border with Thailand, detaining more than 2,000 people and seizing dozens of Starlink satellite internet terminals, state media reported Monday... The centers are infamous for recruiting workers from other countries under false pretenses, promising them legitimate jobs and then holding them captive and forcing them to carry out criminal activities.

Scam operations were in the international spotlight last week when the United States and Britain enacted sanctions against organizers of a major Cambodian cyberscam gang, and its alleged ringleader was indicted by a federal court in New York. According to a report in Monday's Myanma Alinn newspaper, the army raided KK Park, a well-documented cybercrime center, as part of operations starting in early September to suppress online fraud, illegal gambling, and cross-border cybercrime.

Privacy

US Expands Facial Recognition at Borders To Track Non-Citizens (reuters.com)

The U.S. will expand the use of facial recognition technology to track non-citizens entering and leaving the country in order to combat visa overstays and passport fraud, according to a government document published on Friday. Reuters: A new regulation will allow U.S. border authorities to require non-citizens to be photographed at airports, seaports, land crossings and any other point of departure, expanding on an earlier pilot program.

Under the regulation, set to take effect on December 26, U.S. authorities could require the submission of other biometrics, such as fingerprints or DNA, it said. It also allows border authorities to use facial recognition for children under age 14 and elderly people over age 79, groups that are currently exempted. The tighter border rules reflect a broader effort by U.S. President Donald Trump to crack down on illegal immigration. While the Republican president has surged resources to secure the U.S.-Mexico border, he has also taken steps to reduce the number of people overstaying their visas.

The Internet

Browser Promising Privacy Protection Contains Malware-Like Features, Routes Traffic Through China (arstechnica.com)

A web browser linked to Chinese online gambling websites and downloaded millions of times routes all internet traffic through servers in China and covertly installs programs that run in the background, according to findings published by network security company Infoblox. The researchers said the Universe Browser, which advertises itself as offering privacy protection, includes features similar to malware such as key logging and surreptitious connections.

Infoblox collaborated with the United Nations Office on Drugs and Crime on the research. The investigators found links between the browser and Southeast Asia's cybercrime ecosystem, which has connections to money laundering, illegal online gambling, human trafficking and scam operations using forced labor. The browser is directly linked to BBIN, a major online gambling company that has existed since 1999. Infoblox researchers examined the Windows version of the browser and found that it checks users' locations and languages when launched, installs two browser extensions, and disables security features including sandboxing.
The Courts

WordPress Maker Files Counterclaims Against WP Engine Over Trademark Use (techcrunch.com)

Automattic has filed counterclaims against WP Engine in a lawsuit the hosting company initiated in October 2024. The counterclaims accuse WP Engine of trademark infringement and deceptive marketing practices. After private equity firm Silver Lake invested $250 million in WP Engine, the hosting company began calling itself "The WordPress Technology Company" and allowed partners to refer to it as "WordPress Engine," the lawsuit says. WP Engine also launched products named "Core WordPress" and "Headless WordPress."

The counterclaims allege that WP Engine promised to commit 5% of its resources to the WordPress ecosystem but failed to keep those promises. Automattic contends that WP Engine engaged in trademark violations to avoid licensing fees that would have affected the company's earnings and valuation. Silver Lake sought to sell WP Engine at a $2 billion valuation but could not find a buyer. The filing notes that potential buyers included Automattic. The counterclaims also assert that WP Engine degraded product quality and removed essential features to reduce costs during this period.
Government

Trump Eyes Government Control of Quantum Computing Firms (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Donald Trump is eyeing taking equity stakes in quantum computing firms in exchange for federal funding, The Wall Street Journal reported. At least five companies are weighing whether allowing the government to become a shareholder would be worth it to snag funding that the Trump administration has "earmarked for promising technology companies," sources familiar with the potential deals told the WSJ.

IonQ, Rigetti Computing, and D-Wave Quantum are currently in talks with the government over potential funding agreements, with minimum awards of $10 million each, some sources said. Quantum Computing Inc. and Atom Computing are reportedly "considering similar arrangements," as are other companies in the sector, which is viewed as critical for scientific advancements and next-generation technologies. No deals have been completed yet, sources said, and terms could change as quantum-computing firms weigh the potential risks of government influence over their operations. [...]

The administration will lean on Deputy Commerce Secretary Paul Dabbar to extend Trump's industry meddling into the quantum computing world, the WSJ reported. A former Energy Department official, Dabbar co-founded Bohr Quantum Technology, which specializes in quantum networking systems that the DOE expects will help "create new opportunities for scientific discovery." While the firm he previously headed won't be eligible for funding, Dabbar will be leading industry discussions, the WSJ reported, likely hyping Trump's deals as a necessary boon to ensure US firms dominate in quantum computing.
A Commerce Department official denied the claims, saying: "The Commerce Department is not currently negotiating equity stakes with quantum computing companies."

In August, the Trump administration took a 10% stake in Intel to help fund factories that Intel is currently building in Ohio.
The Courts

Apple Loses Landmark UK Lawsuit Over App Store Commissions (reuters.com)

A UK tribunal ruled that Apple abused its dominant position by charging app developers unfair commissions through its App Store, potentially costing the company hundreds of millions in damages. It marks the first major tech "class action" victory under the UK's collective lawsuit regime. Reuters reports: The Competition Appeal Tribunal (CAT) ruled against Apple after a trial of the lawsuit, which was brought on behalf of millions of iPhone and iPad users in the United Kingdom. The CAT ruled that Apple had abused its dominant position from October 2015 until the end of 2020 by shutting out competition in the app distribution market and by "charging excessive and unfair prices" as commission to developers.

Apple -- which has faced mounting pressure from regulators in the U.S. and Europe over the fees it charges developers -- said it would appeal against the ruling, which it said "takes a flawed view of the thriving and competitive app economy." The case had been valued at around $2 billion by those who brought it. A hearing next month will decide how damages are calculated and Apple's application for permission to appeal.
"This ruling overlooks how the App Store helps developers succeed and gives consumers a safe, trusted place to discover apps and securely make payments," an Apple spokesperson said.
Crime

Trump Pardons Binance Founder Changpeng Zhao (apnews.com)

President Donald Trump has pardoned the founder of Binance, Changpeng Zhao, who pleaded guilty to anti-money-laundering violations and served prison time. The Associated Press reports: Zhao has deep ties to World Liberty Financial, a crypto venture that the Republican president and his sons Eric and Donald Jr. launched in September. Trump's most recent financial disclosure report reveals he made more than $57 million last year from World Liberty Financial, which has launched USD1, a stablecoin pegged at a 1-to-1 ratio to the U.S. dollar. World Liberty Financial also recently announced that an investment fund in the United Arab Emirates would be using $2 billion worth of USD1 to purchase a stake in Binance. Zhao also has publicly said that he had asked Trump for a pardon that could nullify his conviction.

White House press secretary Karoline Leavitt said in a statement Thursday that the Biden administration prosecuted Zhao out of a "desire to punish the cryptocurrency industry." She said there were "no allegations of fraud or identifiable victims," though Zhao had pleaded guilty in November to one count of failing to maintain an anti-money-laundering program.

AI

Reddit Sues Perplexity For Scraping Data To Train AI System (reuters.com)

An anonymous reader shares a report: Social media platform Reddit sued AI startup Perplexity in New York federal court on Wednesday, accusing it and three other companies of unlawfully scraping its data to train Perplexity's AI-based search engine. Reddit said in the complaint that the data-scraping companies circumvented its data protection measures in order to steal data that Perplexity "desperately needs" to power its "answer engine" system.
Security

Fake Homebrew Google Ads Push Malware Onto macOS (bleepingcomputer.com)

joshuark shares a report from BleepingComputer: A new malicious campaign is targeting macOS developers with fake Homebrew, LogMeIn, and TradingView platforms that deliver infostealing malware like AMOS (Atomic macOS Stealer) and Odyssey. The campaign employs "ClickFix" techniques where targets are tricked into executing commands in Terminal, infecting themselves with malware. Researchers at threat hunting company Hunt.io identified more than 85 domains impersonating the three platforms in this campaign [...].

When checking some of the domains, BleepingComputer discovered that in some cases the traffic to the sites was driven via Google Ads, indicating that the threat actor promoted them to appear in Google Search results. The malicious sites feature convincing download portals for the fake apps and instruct users to copy a curl command in their Terminal to install them, the researchers say. In other cases, like for TradingView, the malicious commands are presented as a "connection security confirmation step." However, if the user clicks on the 'copy' button, a base64-encoded installation command is delivered to the clipboard instead of the displayed Cloudflare verification ID.

Network

ISP Deceived Customers About Fiber Internet, German Court Finds (tomshardware.com)

The German Koblenz Regional Court has banned the internet service provider 1&1 from marketing its fiber-to-the-curb service as fiber-optic DSL. The court found that the company misled customers because its network uses copper cables for the final stage of connections, sometimes extending up to a mile from the distribution box to subscribers' homes.

Customers who visited the ISP's website and checked connection availability received a notification stating that a "1&1 fiber optic DSL connection" was available, even though fiber optic cables terminate at street-level distribution boxes or building service rooms. The company pairs the copper lines with vectoring technology to boost DSL speeds to 100 megabits per second. The Federation of German Consumer Organizations filed the lawsuit. Ramona Pop, the organization's chairperson, said that anyone who promises fiber optics but delivers only DSL is deceiving customers.
Crime

Florida Issues Criminal Subpoenas To Roblox Over Child Safety (nbcnews.com)

Florida Attorney General James Uthmeier has issued criminal subpoenas to Roblox, calling it a "breeding ground for predators" and accusing the platform of profiting while failing to protect children. NBC News reports: The subpoenas will allow prosecutors to gather more information about the alleged criminal activity on the platform, including evidence related to suspected predators and victims, according to Uthmeier. The concerns prompted Roblox to invest heavily in protecting younger users on its platform by tightening messaging rules for children under 13, intensive content moderation and AI-powered monitoring.

In an emailed statement to Reuters, Roblox said it prohibits sharing images and videos in chat, uses filters designed to block the exchange of personal information, and is working to implement age estimation for all users accessing chat features. "While no system is perfect, our trained teams and automated tools continuously monitor communications to detect and remove harmful content," a Roblox spokesperson said.

United States

Hackers Say They Have Personal Data of Thousands of NSA and Other Government Officials (404media.co)

An anonymous reader shares a report: A hacking group that recently doxed hundreds of government officials, including from the Department of Homeland Security (DHS) and Immigration and Customs Enforcement (ICE), has now built dossiers on tens of thousands of U.S. government officials, including NSA employees, a member of the group told 404 Media. The member said the group did this by digging through its caches of stolen Salesforce customer data. The person provided 404 Media with samples of this information, which 404 Media was able to corroborate.

As well as NSA officials, the person sent 404 Media personal data on officials from the Defense Intelligence Agency (DIA), the Federal Trade Commission (FTC), Federal Aviation Administration (FAA), Centers for Disease Control and Prevention (CDC), the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), members of the Air Force, and several other agencies.

Sony

Sony Applies to Establish National Crypto Bank, Issue Stablecoin for US Dollar (cryptonews.com) 44

An anonymous reader shared this report from Cryptonews: Sony has taken Wall Street by surprise after its banking division, Sony Bank, filed an application with the U.S. Office of the Comptroller of the Currency (OCC) to establish a national crypto bank under its subsidiary "Connectia Trust." The move positions the Japanese tech giant to become one of the first major global corporations to issue a U.S. dollar-backed stablecoin through a federally regulated institution. The application outlines plans to issue a U.S. dollar-pegged stablecoin, maintain the reserve assets backing it, and provide digital asset custody and management services.

The filing places Sony alongside an elite list of firms, including Coinbase, Circle, Paxos, Stripe, and Ripple, currently awaiting OCC approval to operate as national digital banks. If approved, Sony would become the first major global technology company to receive a U.S. bank charter specifically tied to stablecoin issuance....

The Office of the Comptroller of the Currency "has received over 15 applications from fintech and crypto entities seeking trust charters," according to the article, calling it "a sign of renewed regulatory openness" under the office's new chief, a former blockchain executive.

Meanwhile, the United States has also "conditionally given the nod to a new cryptocurrency-focused national bank launched by California tech billionaire Palmer Luckey," reports SFGate: To bring the bank to life, Luckey joined forces with Joe Lonsdale, co-founder of Palantir and venture firm 8VC, and financial backer and fellow Palantir co-founder Peter Thiel, according to the Financial Times. Luckey conceived the idea for Erebor following the collapse of Silicon Valley Bank in 2023, the Financial Times reported. The bank's name draws inspiration from J.R.R. Tolkien's "The Hobbit," referring to another name for the Lonely Mountain in the novel...

The OCC said it applied the "same rigorous review and standards" used in all charter applications. The ["preliminary"] approval was granted in just four months; however, compliance and security checks are expected to take several more months before the new bank can open.

"I am committed to a dynamic and diverse federal banking system," America's Comptroller of the Currency said Wednesday, "and our decision today is a first but important step in living up to that commitment."

"Permissible digital asset activities, like any other legally permissible banking activity, have a place in the federal banking system if conducted in a safe and sound manner. The OCC will continue to provide a path for innovative approaches to financial services to ensure a strong, diverse financial system that remains relevant over time."
Privacy

Prosper Data Breach Impacts 17.6 Million Accounts (bleepingcomputer.com) 4

Hackers breached financial services firm Prosper, stealing the personal data of roughly 17.6 million people, including Social Security numbers, income details, and government IDs. "We have evidence that confidential, proprietary, and personal information, including Social Security Numbers, was obtained, including through unauthorized queries made on Company databases that store customer information and applicant data. We will be offering free credit monitoring as appropriate after we determine what data was affected," the company says. "The investigation is still in its very early stages, but resolving this incident is our top priority and we are committed to sharing additional information with our customers as appropriate." BleepingComputer reports: Prosper operates as a peer-to-peer lending marketplace that has helped over 2 million customers secure more than $30 billion in loans since its founding in 2005. As the company disclosed one month ago on a dedicated page, the breach was detected on September 2, but Prosper has yet to find evidence that the attackers gained access to customer accounts and funds.

However, the attackers stole data belonging to Prosper customers and loan applicants. The company hasn't shared what information was exposed beyond Social Security numbers because it's still investigating what data was affected. Prosper added that the security breach didn't impact its customer-facing operations and that it has reported the incident to relevant authorities and is collaborating with law enforcement to investigate the attack. [...] The stolen information also includes customers' names, government-issued IDs, employment status, credit status, income levels, dates of birth, physical addresses, IP addresses, and browser user agent details.
Have I Been Pwned revealed the extent of the incident on Thursday.
Privacy

Amazon's Ring Partners With Flock, a Network of AI Cameras Used By Police 82

Amazon's Ring has announced a partnership with Flock Safety, the AI-powered camera network already used by ICE, the Secret Service, and other federal agencies. "Now agencies that use Flock can request that Ring doorbell users share footage to help with 'evidence collection and investigative work,'" reports TechCrunch. From the report: Flock cameras work by scanning the license plates and other identifying information about cars they see. Flock's government and police customers can also make natural language searches of their video footage to find people who match specific descriptions. However, AI-powered technology used by law enforcement has been proven to exacerbate racial biases. On the same day that Ring announced this partnership, 404 Media reported that ICE, the Secret Service, and the Navy had access to Flock's network of cameras. By partnering with Ring, Flock could potentially access footage from millions more cameras.
Censorship

Big Tech Sues Texas, Says Age-Verification Law Is 'Broad Censorship Regime' (arstechnica.com) 49

An anonymous reader quotes a report from Ars Technica: Texas is being sued by a Big Tech lobby group over the state's new law that will require app stores to verify users' ages and impose restrictions on users under 18. "The Texas App Store Accountability Act imposes a broad censorship regime on the entire universe of mobile apps," the Computer & Communications Industry Association (CCIA) said yesterday in a lawsuit (PDF). "In a misguided attempt to protect minors, Texas has decided to require proof of age before anyone with a smartphone or tablet can download an app. Anyone under 18 must obtain parental consent for every app and in-app purchase they try to download -- from ebooks to email to entertainment."

The CCIA said in a press release that the law violates the First Amendment by imposing "a sweeping age-verification, parental consent, and compelled speech regime on both app stores and app developers." When app stores determine that a user is under 18, "the law prohibits them from downloading virtually all apps and software programs and from making any in-app purchases unless their parent consents and is given control over the minor's account," the CCIA said. "Minors who are unable to link their accounts with a parent's or guardian's, or who do not receive permission, would be prohibited from accessing app store content."

The law requires app developers "to 'age-rate' their content into several subcategories and explain their decision in detail," and "notify app stores in writing every time they improve or modify the functions, features, or user experience of their apps," the group said. The lawsuit says the age-rating system relies on a "vague and unworkable set of age categories." "Our Constitution forbids this," the lawsuit said. "None of our laws require businesses to 'card' people before they can enter bookstores and shopping malls. The First Amendment prohibits such oppressive laws as much in cyberspace as it does in the physical world." The lawsuit was filed in US District Court for the Western District of Texas. CCIA members include Apple and Google, which have both said the law would reduce privacy for app users. The companies recently described their plans to comply, saying they would take steps to minimize the privacy risks.

AI

Salesforce Sued By Authors Over AI Software (reuters.com) 4

An anonymous reader shares a report: Cloud-computing firm Salesforce was hit with a proposed class action lawsuit by two authors who alleged the company used thousands of books without permission to train its AI software. Novelists Molly Tanzer and Jennifer Gilmore said in the complaint that Salesforce infringed copyrights by using their work to train its xGen AI models to process language.
The Courts

Sony Tells SCOTUS That People Accused of Piracy Aren't 'Innocent Grandmothers' (arstechnica.com) 46

An anonymous reader quotes a report from Ars Technica: Record labels Sony, Warner, and Universal yesterday asked the Supreme Court to help them boot pirates off the Internet. Sony and the other labels filed their brief (PDF) in Cox Communications v. Sony Music Entertainment, a case involving the cable Internet service provider that rebuffed labels' demands for mass terminations of broadband subscribers accused of repeat copyright infringement. The Supreme Court's eventual decision in the case may determine whether Internet service providers must terminate the accounts of alleged pirates in order to avoid massive financial liability.

Cox has argued (PDF) that copyright-infringement notices -- which are generated by bots and flag users based on their IP addresses -- sent by record labels are unreliable. Cox said ISPs can't verify whether the notices are accurate and that terminating an account would punish every user in a household where only one person may have illegally downloaded copyrighted files. Record labels urged the Supreme Court to reject this argument.

"While Cox waxes poetic about the centrality of Internet access to modern life, it neglects to mention that it had no qualms about terminating 619,711 subscribers for nonpayment over the same period that it terminated just 32 for serial copyright abuse," the labels' brief said. "And while Cox stokes fears of innocent grandmothers and hospitals being tossed off the Internet for someone else's infringement, Cox put on zero evidence that any subscriber here fit that bill. By its own admission, the subscribers here were 'habitual offenders' Cox chose to retain because, unlike the vast multitude cut off for late payment, they contributed to Cox's bottom line." Record labels were referring to a portion of Cox's brief that said, "Grandma will be thrown off the Internet because Junior illegally downloaded a few songs on a visit."

Crime

Chinese Criminals Made More Than $1 Billion From Those Annoying Texts (msn.com) 37

The U.S. is awash with scam text messages. Officials say it has become a billion-dollar, highly sophisticated business benefiting criminals in China. From a report: Your highway toll payment is now past due, one text warns. You have U.S. Postal Service fees to pay, another threatens. You owe the New York City Department of Finance for unpaid traffic violations. The texts are ploys to get unsuspecting victims to fork over their credit-card details. The gangs behind the scams take advantage of this information to buy iPhones, gift cards, clothing and cosmetics.

Criminal organizations operating out of China, which investigators blame for the toll and postage messages, have used them to make more than $1 billion over the last three years, according to the Department of Homeland Security. Behind the con, investigators say, is a black market connecting foreign criminal networks to server farms that blast scam texts to victims. The scammers use phishing websites to collect credit-card information. They then find gig workers in the U.S. who will max out the stolen cards for a small fee. Making the fraud possible: an ingenious trick allowing criminals to install stolen card numbers in Google and Apple Wallets in Asia, then share the cards with the people in the U.S. making purchases half a world away.

United Kingdom

China 'Stole Vast Amounts' of Classified UK Documents, Officials Say (thetimes.com) 31

Boris Johnson's former adviser claims that China infiltrated a key UK government data-transfer network for years, compromising highly classified materials and prompting a Whitehall cover-up that prioritized Chinese investment over national security. The Times reports: Dominic Cummings, who served as a senior adviser to Boris Johnson, said that he and the then prime minister were informed about the breach in 2020 but that there had subsequently been a cover-up. He said he was warned at the time that disclosing some specific details of the breach would be a criminal offence. He claimed that the breach included some "Strap" material, which is the government term for the highest level of classified information.

The breach, which was confirmed by two other senior Whitehall sources, was said to have been connected to a Chinese-owned company involved in Britain's critical national infrastructure. Tom Tugendhat, a former Tory security minister, supported Cummings's account. Cummings said that he and Johnson were informed of the breach in the "bunker" of No 10 -- a reference to the secure room in Downing Street.

He told The Times: "The cabinet secretary said, 'We have to explain something; there's been a serious problem', and he talked through what this was. And it was so bizarre that, not just Boris, a few people in the room were looking around like this -- 'Am I somehow misunderstanding what he's saying? Because it sounds f***ing crazy.'" He added: "What I'm saying is that some Strap stuff was compromised and vast amounts of data classified as extremely secret and extremely dangerous for any foreign entity to control was compromised. Material from intelligence services. Material from the National Security Secretariat in the Cabinet Office. Things the government has to keep secret. If they're not secret, then there are very, very serious implications for it."

AI

Are AI Agents Compromised By Design? 38

Longtime Slashdot reader Gadi Evron writes: Bruce Schneier and Barath Raghavan say agentic AI is already broken at the core. In their IEEE Security & Privacy essay, they argue that AI agents run on untrusted data, use unverified tools, and make decisions in hostile environments. Every part of the OODA loop (observe, orient, decide, act) is open to attack. Prompt injection, data poisoning, and tool misuse corrupt the system from the inside. The model's strength, treating all input as equal, also makes it exploitable. They call this the AI security trilemma: fast, smart, or secure. Pick two. Integrity isn't a feature you bolt on later. It has to be built in from the start. "Computer security has evolved over the decades," the authors wrote. "We addressed availability despite failures through replication and decentralization. We addressed confidentiality despite breaches using authenticated encryption. Now we need to address integrity despite corruption."

"Trustworthy AI agents require integrity because we can't build reliable systems on unreliable foundations. The question isn't whether we can add integrity to AI but whether the architecture permits integrity at all."
AI

Lawyer Caught Using AI While Explaining to Court Why He Used AI (404media.co) 39

An anonymous reader shares a report: An attorney in a New York Supreme Court commercial case got caught using AI in his filings, and then got caught using AI again in the brief where he had to explain why he used AI, according to court documents filed earlier this month.

New York Supreme Court Judge Joel Cohen wrote in a decision granting the plaintiff's attorneys' request for sanctions that the defendant's counsel, Michael Fourte's law offices, not only submitted AI-hallucinated citations and quotations in the summary judgment brief that led to the filing of the plaintiff's motion for sanctions, but also included "multiple new AI-hallucinated citations and quotations" in the process of opposing the motion.

"In other words," the judge wrote, "counsel relied upon unvetted AI -- in his telling, via inadequately supervised colleagues -- to defend his use of unvetted AI."

The case itself centers on a dispute between family members and a defaulted loan. The details of the case involve a fairly run-of-the-mill domestic money beef, but Fourte's office allegedly using AI that generated fake citations, and then inserting nonexistent citations into the opposition brief, has become the bigger story.

Communications

Satellites Are Leaking the World's Secrets: Calls, Texts, Military and Corporate Data (wired.com) 21

Researchers at UC San Diego and the University of Maryland have found that roughly half of geostationary satellite signals transmit sensitive data without encryption. The team spent three years using an $800 satellite receiver on a university rooftop in San Diego to intercept communications from satellites visible from their location. They collected phone calls and text messages from more than 2,700 T-Mobile users in just nine hours of recording.

The researchers also obtained data from airline passengers using in-flight Wi-Fi, communications from electric utilities and offshore oil and gas platforms, and US and Mexican military communications that revealed personnel locations and equipment details. The exposed data resulted from telecommunications companies using satellites to relay signals from remote cell towers to their core networks.

The researchers examined only about 15% of global satellite transponder communications and presented their findings at an Association for Computing Machinery conference in Taiwan this week. Most companies warned by the researchers have encrypted their satellite transmissions, but some US critical infrastructure owners have not yet added encryption.
Privacy

ShinyHunters Leak Alleged Data From Qantas, Vietnam Airlines and Other Major Firms (hackread.com) 14

schwit1 shares a report from Hackread: On October 3, 2025, Hackread.com published an in-depth report in which hackers claimed to have stolen 989 million records from 39 major companies worldwide by exploiting a Salesforce vulnerability. The group demanded that Salesforce and the affected firms enter negotiations before October 10, 2025, warning that if their demands were ignored, they would release the entire dataset. The hackers, identifying themselves as "Scattered Lapsus$ Hunters," a collective said to combine elements of Scattered Spider, Lapsus$, and ShinyHunters, have now published data allegedly belonging to 6 of the 39 targeted companies.

The companies named in the leak are Fujifilm, GAP, INC., Vietnam Airlines, Engie Resources, Qantas Airways Limited, and Albertsons Companies, Inc. In all 6 leaks, the records contain personal details of customers and businesses, including email addresses, full names, addresses, passport numbers and phone numbers.
The hackers said on Telegram that they will not be releasing any additional information, stating, "A lot of people are asking what else will be leaked. Nothing else will be leaked. Everything that was leaked was leaked, we have nothing else to leak, and obviously, the things we have cannot be leaked for obvious reasons."
Android

Android 'Pixnapping' Attack Can Capture App Data Like 2FA Codes (theregister.com) 17

An anonymous reader quotes a report from The Register: Security researchers have resurrected a 12-year-old data-stealing attack on web browsers to pilfer sensitive info from Android devices. The attack, dubbed Pixnapping, has yet to be mitigated. Conceptually, it's the equivalent of a malicious Android app being able to screenshot other apps or websites. It allows a malicious Android application to access and leak information displayed in other Android apps or on websites. It can, for example, steal data displayed in apps like Google Maps, Signal, and Venmo, as well as from websites like Gmail (mail.google.com). It can even steal 2FA codes from Google Authenticator.

"First, the malicious app opens the target app (e.g., Google Authenticator), submitting its pixels for rendering," explained [Alan Wang, a PhD candidate at UC Berkeley]. "Second, the malicious app picks the coordinates of a target pixel whose color it wants to steal. Suppose for example it wants to steal a pixel that is part of the screen region where a 2FA character is known to be rendered by Google Authenticator, and that this pixel is either white (if nothing was rendered there) or non-white (if part of a 2FA digit was rendered there). Third, the malicious app causes some graphical operations whose rendering time is long if the target pixel is non-white and short if it is white. The malicious app does this by opening some malicious activities (i.e., windows) in front of the target app. Finally, the malicious app measures the rendering time per frame of the above graphical operations to determine whether the target pixel was white or non-white. These last few steps are repeated for as many pixels as needed to run OCR over the recovered pixels and guess the original content."

The researchers have demonstrated Pixnapping on five devices running Android versions 13 to 16 (up until build id BP3A.250905.014): Google Pixel 6, Google Pixel 7, Google Pixel 8, Google Pixel 9, and Samsung Galaxy S25. Android 16 is the latest operating system version. Other Android devices have not been tested, but the mechanism that allows the attack to work is typically available. A malicious Android app implementing Pixnapping would not require any special permissions in its manifest file, the authors say.
The researchers detail the attack in a paper (PDF) titled "Pixnapping: Bringing Pixel Stealing out of the Stone Age."
The Internet

Major US Online Retailers Remove Listings For Millions of Prohibited Chinese Electronics 70

The FCC has forced major U.S. online retailers to remove millions of listings for prohibited Chinese-made electronics, including products from Huawei, ZTE, Hikvision, and Dahua, citing national security risks. Reuters reports: FCC Chair Brendan Carr said in an interview [on Friday] that the items removed are either on a U.S. list of barred equipment or were not authorized by the agency, including items like home security cameras and smart watches from companies including Huawei, Hangzhou Hikvision, ZTE, and Dahua Technology Company. Carr said that, as a result of FCC oversight, companies are putting new processes in place to keep prohibited items from being listed again. "We're going to keep our efforts up," Carr said. The FCC issued a new national security notice reminding companies of prohibited items including video surveillance equipment. Carr said the items could allow China to "surveil Americans, disrupt communications networks and otherwise threaten U.S. national security."
United Kingdom

Britain Issues First Online Safety Fine To US Website 4chan (reuters.com) 127

An anonymous reader quotes a report from Reuters: Britain said on Monday it had issued U.S. internet forum site 4chan with a $26,644 fine for failing to provide information about the risk of illegal content on its service, marking the first penalty under the new online safety regime. Media regulator Ofcom said 4chan had not responded to its request for a copy of its illegal harms risk assessment, nor to a second request relating to its qualifying worldwide revenue. Ofcom said it would take action against any service which "flagrantly fails to engage with Ofcom and their duties under the Online Safety Act" and that such services should expect to face penalties.

The act, which is designed to protect children and vulnerable users from illegal content online, has caused tension between U.S. tech companies and Britain. Critics of the law have said it threatens free speech and targets U.S. companies. Technology minister Liz Kendall said the government "fully backed" Ofcom in taking action. "This fine is a clear warning to those who fail to remove illegal content or protect children from harmful material," she said.
4chan and Kiwi Farms filed a lawsuit in the United States against Ofcom in August, arguing that the threats and fines issued by the regulator "constitute foreign judgements that would restrict speech under U.S. law." The lawsuit claims that both entities are entirely based in the U.S., have no operations in the U.K., and therefore are not subject to its local laws.
Government

Dutch Government Takes Control of China-Owned Chipmaker Nexperia (reuters.com) 38

"Dutch authorities have temporarily nationalized Nexperia, owned by Chinese company Wingtech, over fears of critical product unavailability," writes longtime Slashdot reader evil_aaronm. Reuters reports: The Hague invoked never-before-used powers under a Dutch law known as the "Availability of Goods Act." The decision led to a 10% fall in Wingtech's shares in Shanghai on Monday. The Dutch government will not take ownership of Nexperia, but it will now have the power to reverse or block management decisions it considers harmful. The company's regular production is continuing. [...] Wingtech called the Dutch government's intervention in Nexperia, once part of Dutch electronics group Philips, "excessive interference driven by geopolitical bias." Wingtech also alleged that non-Chinese Nexperia executives had tried to forcibly alter the company's equity structure through legal proceedings in a "cloaked power grab" on the company.

A copy of an Amsterdam commercial court ruling dated October 7 and seen by Reuters showed that the court decided on October 1 to suspend Wingtech CEO Zhang Xuezheng from his position as executive director at Nexperia after finding "well founded reasons to doubt" the company was pursuing correct management policy or actions under Dutch civil law. It appointed Dutch businessman Guido Dierick to take Zhang's position with a "deciding vote", and transferred control of almost all of Nexperia's shares to a Dutch lawyer for management. The Dutch state and the company's labour council had supported the moves, the document showed. [...]

In its statement, the Dutch government said that administrative problems at Nexperia posed a threat to the company's "crucial technological knowledge" without elaborating. "The loss of these capabilities could pose a risk to Dutch and European economic security," it said. Nexperia is one of the world's largest makers of simple computer chips such as diodes and transistors, though it also develops more advanced technologies such as "wide gap" semiconductors used in electrical settings and useful for electric cars, chargers and AI data centres. Wingtech said in a filing to the Shanghai stock exchange on Monday that its control over Nexperia would be temporarily restricted due to the Dutch order and court rulings, affecting decision making and operational efficiency.

Electronic Frontier Foundation

California 'Privacy Protection Agency' Targets Tractor Supply's Tricky Tracking (eff.org) 19

California's Privacy Protection Agency "issued a record fine earlier this month to Tractor Supply," according to an EFF Deeplinks blog post — for "apparently ducking its responsibilities under the California Consumer Privacy Act." Under that law, companies are required to respect California customers' and job applicants' rights to know, delete, and correct information that businesses collect about them, and to opt-out of some types of sharing and use. The law also requires companies to give notice of these rights, along with other information, to customers, job applicants, and others. The CPPA said that Tractor Supply failed several of these requirements. This is the first time the agency has enforced this data privacy law to protect job applicants...

Tractor Supply, which has 2,500 stores in 49 states, will pay for their actions to the tune of $1,350,000 — the largest fine the agency has issued to date. Specifically, the agency said, Tractor Supply violated the law by:

- Failing to maintain a privacy policy that notified consumers of their rights;

- Failing to notify California job applicants of their privacy rights and how to exercise them;

- Failing to provide consumers with an effective mechanism to opt-out of the selling and sharing of their personal information, including through opt-out preference signals such as Global Privacy Control; and

- Disclosing personal information to other companies without entering into contracts that contain privacy protections.


In addition to the fine, the company also must take an inventory of its digital properties and tracking technologies and will have to certify its compliance with the California privacy law for the next four years.

The agency's web site says it "continues to actively enforce California's cutting-edge privacy laws." It's recently issued decisions (and fines) against American Honda Motor Company and clothing retailer Todd Snyder. Other recent actions include:
  • Securing a settlement agreement requiring data broker Background Alert — which promoted its ability to dig up "scary" amounts of information about people — to shut down or pay a steep fine.
  • Partnering with the data protection authorities in Korea, France, and the United Kingdom to share information and advance privacy protections for Californians.

Encryption

Cryptologist DJB Alleges NSA is Pushing an End to Backup Algorithms for Post-Quantum Cryptography (cr.yp.to) 38

Cryptologist/CS professor Daniel J. Bernstein is alleging that America's National Security Agency is attempting to influence NIST post-quantum cryptography standards.

Bernstein first emphasizes that it's normal for post-quantum cryptography (or "PQ") to be part of "hybrid" security that also includes traditional pre-quantum cryptography. (Bernstein says this is important because since 2016, "We've seen many breaks of post-quantum proposals...")

"The problem in a nutshell. Surveillance agency NSA and its [UK counterpart] GCHQ are trying to have standards-development organizations endorse weakening [pre-quantum] ECC+PQ down to just PQ." Part of this is that NSA and GCHQ have been endlessly repeating arguments that this weakening is a good thing... I'm instead looking at how easy it is for NSA to simply spend money to corrupt the standardization process.... The massive U.S. military budget now publicly requires cryptographic "components" to have NSA approval... In June 2024, NSA's William Layton wrote that "we do not anticipate supporting hybrid in national security systems"...

[Later a Cisco employee wrote of selling non-hybrid cryptography to a significant customer, "that's what they're willing to buy. Hence, Cisco will implement it".]

What do you do with your control over the U.S. military budget? That's another opportunity to "shape the worldwide commercial cryptography marketplace". You can tell people that you won't authorize purchasing double encryption. You can even follow through on having the military publicly purchase single encryption. Meanwhile you quietly spend a negligible amount of money on an independent encryption layer to protect the data that you care about, so you're actually using double encryption.

This seems to be a speculative scenario. But Bernstein is also concerned about how the Internet Engineering Task Force handled two drafts specifying post-quantum encryption mechanisms for TLS ("the security layer inside HTTPS and inside various other protocols"). For a draft suggesting "non-hybrid" encryption, there were 20 statements of support (plus 2 more only conditionally supporting it), but 7 more statements unequivocally opposing adoption, including one from Bernstein. The IETF has at times said they aim for "rough consensus" — or for "broad consensus" — but Bernstein insists 7 opposers in a field of 29 (24.13%) can't be said to match the legal definition of consensus (which is "general agreement"). "I've filed a formal complaint regarding the claim of consensus to adopt."

He's also written a second blog post analyzing the IETF's decision-making process in detail. "It's already bad that the IETF TLS working group adopted non-hybrid post-quantum encryption without official answers to the objections that were raised. It's much worse if the objections can't be raised in the first place."
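As an added illustration of the "double encryption" point (example code written here, not taken from Bernstein's posts or from any IETF draft), the toy key schedule below feeds both an ECDH shared secret and a post-quantum KEM shared secret into one HKDF call, so a future break of the PQ component alone does not expose the session key; the function names, HKDF labels and the constructed secrets are assumptions.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand to `length` bytes.
    An empty salt behaves as HashLen zero bytes, as the RFC specifies."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def single_layer_key(pq_secret: bytes, transcript: bytes) -> bytes:
    """PQ-only design: the session key depends on a single shared secret."""
    return hkdf_sha256(pq_secret, salt=b"", info=b"pq-only|" + transcript)


def hybrid_key(ecdh_secret: bytes, pq_secret: bytes, transcript: bytes) -> bytes:
    """ECC+PQ design: both shared secrets are concatenated into one KDF input,
    so the key stays secret unless BOTH components are broken."""
    return hkdf_sha256(ecdh_secret + pq_secret, salt=b"", info=b"hybrid|" + transcript)


# Constructed sample material standing in for real ECDH / KEM outputs and a handshake transcript.
ECDH_SECRET = hashlib.sha256(b"constructed-ecdh-shared-secret").digest()
PQ_SECRET = hashlib.sha256(b"constructed-pq-kem-shared-secret").digest()
TRANSCRIPT = b"constructed-client-hello|constructed-server-hello"


def breach_outcome(ecdh_secret: bytes, pq_secret: bytes, transcript: bytes) -> dict:
    """Model the failure mode the text worries about: the PQ scheme is broken later,
    so an adversary with recorded traffic learns pq_secret but not ecdh_secret.
    Returns whether each design's session key is recovered from that knowledge."""
    real_single = single_layer_key(pq_secret, transcript)
    real_hybrid = hybrid_key(ecdh_secret, pq_secret, transcript)
    leaked_pq = pq_secret                 # what the adversary now holds
    guessed_ecdh = bytes(32)              # the best it can do without breaking ECDH too
    return {
        "pq_only_recovered": single_layer_key(leaked_pq, transcript) == real_single,
        "hybrid_recovered": hybrid_key(guessed_ecdh, leaked_pq, transcript) == real_hybrid,
    }


if __name__ == "__main__":
    print(breach_outcome(ECDH_SECRET, PQ_SECRET, TRANSCRIPT))
```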

Thanks to alanw (Slashdot reader #1,822) for spotting the blog posts.
Privacy

New California Privacy Law Will Require Chrome/Edge/Safari to Offer Easy Opt-Outs for Data Sharing (9to5mac.com) 45

"California Governor Gavin Newsom signed the 'California Opt Me Out Act', which will require web browsers to include an easy, universal way for users to opt out of data collection and sales," reports the blog 9to5Mac: [The law] requires browsers to provide a clear, one-click mechanism for Californians to opt out of data sharing across websites. The bill reads: "A business shall not develop or maintain a browser that does not include functionality configurable by a consumer that enables the browser to send an opt-out preference signal to businesses with which the consumer interacts through the browser...." Californians will need patience, though, as the law doesn't take effect until January 1, 2027.
Americans in some states — including California, Texas, Colorado, New Jersey and Maryland — "have the option to make those opt-out demands automatic whenever they surf the web," reports the Washington Post. "But they can only do so if they use small browsers that voluntarily offer that option, such as DuckDuckGo, Firefox and Brave. What's new in California's law is that all browsers must give people the same option." That means soon in California, just using Google's Chrome, Apple's Safari and Microsoft's Edge can command companies not to sell your data or pass it along for ad targeting... It's an imperfect but potent and simple way to flex privacy rights — and becomes even more powerful with another simple privacy measure in California. Starting on January 1, California residents can fill out an online form once to completely and repeatedly wipe their data from hundreds of data brokers that package your personal information for sale.
But their article also suggests other ways readers can "try a one-click privacy option now."
  • "[S]ome national companies respect one-click privacy opt-out requests from everyone... This happens automatically if you use DuckDuckGo and Brave. You need to change a setting with Firefox."
  • "Download Privacy Badger: The software from the Electronic Frontier Foundation, a consumer privacy advocacy group, works in the background to order websites not to sell information they're collecting about you."
  • "Use Permission Slip from Consumer Reports. Give the app basic information, and it will help you do much of the legwork to tell companies not to sell your information or to delete it, if you have the right to do so."

Microsoft

Microsoft's OneDrive Begins Testing Face-Recognizing AI for Photos (for Some Preview Users) (microsoft.com) 62

I uploaded a photo on my phone to Microsoft's "OneDrive" file-hosting app — and there was a surprise waiting under Privacy and Permissions. "OneDrive uses AI to recognize faces in your photos..."

And...

"You can only turn off this setting 3 times a year."


If I moved the slidebar for that setting to the left (for "No"), it moved back to the right, and said "Something went wrong while updating this setting." (Apparently it's not one of those three times of the year.)

The feature is already rolling out to a limited number of users in a preview, a Microsoft publicist confirmed to Slashdot. (For the record, I don't remember signing up for this face-recognizing "preview".) But there's a link at the bottom of the screen for a "Microsoft Privacy Statement" that leads to a Microsoft support page, which says instead that "This feature is coming soon and is yet to be released." And in the next sentence it's been saying "Stay tuned for more updates" for almost two years...

A Microsoft publicist agreed to answer Slashdot's questions...
Crime

ChatGPT, iPhone History Found for Uber Driver Charged With Starting California's Palisades Fire (bbc.com) 50

"A 29-year-old man has been arrested on suspicion of starting the Pacific Palisades fire in Los Angeles that killed 12 people and destroyed more than 6,000 homes in January," reports the BBC.

"Evidence collected from Jonathan Rinderknecht's digital devices included an image he generated on ChatGPT depicting a burning city, justice department officials said." Mr Rinderknecht had been living and working in California, and moved to Florida shortly after the fire, according to authorities. The initial blaze Mr Rinderknecht allegedly started on New Year's Day was called the Lachman fire. Although it was quickly suppressed by firefighters, it continued to smoulder underground in the root structure of dense vegetation, according to investigators, before it flared up again above ground in a windstorm [nearly a week later]... He lit it with an open flame after he completed a ride as an Uber driver on New Year's Eve, according to the indictment.

Two passengers rode with Mr Rinderknecht earlier on New Year's Eve. One passenger told investigators he remembered the driver had appeared agitated and angry. Officials said they had used his phone data to pinpoint his location when the fire initially started on 1 January, but when they pressed him on details he allegedly lied to investigators, claiming he was near the bottom of the trail... The phone also showed that he repeatedly called 911 just after midnight on New Year's day, but could not get through because of patchy mobile reception on the trailhead. There was a screen recording of him trying to call emergency services and at one point being connected with a dispatcher. Mr Rinderknecht also asked ChatGPT: "Are you at fault if a fire is lift [sic] because of your cigarettes?"

Investigators said the suspect wanted to "preserve evidence of himself trying to assist in the suppression of the fire". "He wanted to create evidence regarding a more innocent explanation for the cause of the fire," the indictment said... In July 2024, five months before he allegedly set the fire, Mr Rinderknecht asked ChatGPT to create an image of a "dystopian painting" that included a burning forest and a crowd of people running away from a fire, according to investigators.

The announcement from officials suggests they retrieved data about Rinderknecht's iPhone. It says after walking up the trail Rinderknecht "listened to a rap song — to which he had listened repeatedly in previous days — whose music video included things being lit on fire."
Security

SonicWall Breach Exposes All Cloud Backup Customers' Firewall Configs (csoonline.com) 14

An anonymous reader quotes a report from CSO Online: On Sept. 17, security vendor SonicWall announced that cybercriminals had stolen backup files configured for cloud backup. At the time, the company claimed the incident was limited to "less than five percent" of its customers. Now, the firewall provider has admitted that "all customers" using the MySonicWall cloud backup feature were affected. According to the company, the stolen files contain encrypted credentials and configuration data. "[W]hile encryption remains in place, possession of these files could increase the risk of targeted attacks," SonicWall warns in its press release.

Security specialist Arctic Wolf also warns of the consequences of the incident. "Firewall configuration files store sensitive information that can be leveraged by threat actors to exploit and gain access to an organization's network," explains Stefan Hostetler, threat intelligence researcher at Arctic Wolf. "These files can provide threat actors with critical information such as user, group, and domain settings, DNS and log settings, and certificates," he adds. Arctic Wolf has previously observed threat actors, including nation-state and ransomware groups, exfiltrating firewall configuration files to use for future attacks.
SonicWall urges all customers and partners to regularly check their devices for updates. Admins can find additional information here.
Privacy

NSO To Be Acquired By US Investors, Ending Israeli Control of Pegasus Maker (calcalistech.com) 23

An anonymous reader shares a report: Control of NSO Group is set to leave Israeli hands. A group of American investors led by Hollywood producer Robert Simonds has agreed to acquire the controversial spyware developer in a deal valued at several tens of millions of dollars. The transaction is expected to be signed in the coming days, though its completion will require approval from Israel's Defense Export Control Agency (DECA) at the Ministry of Defense.

Since March 2023, NSO's shares have been held by a Luxembourg-based holding company wholly owned by founder Omri Lavie. The company's lender syndicate, which had extended roughly $500 million in loans to finance a share buyback from the private equity fund Francisco Partners, transferred ownership to Lavie following the restructuring.

Social Networks

New York City Sues Social Media Companies Over 'Youth Mental Health Crisis' (gizmodo.com) 36

An anonymous reader quotes a report from Gizmodo: The City of New York is reaching across the country to sue tech giants headquartered in California over allegations that their platforms have created a youth mental health crisis. The city, along with its school districts and health department, alleges that "gross negligence" on the part of Meta, Alphabet, Snap, and ByteDance has gotten kids hooked on social media, which has created a "public nuisance" that is placing a strain on the city's resources.

In a 327-page complaint filed in the US District Court for the Southern District of New York, the city alleges that tech companies have designed their platforms in a way that seeks to "maximize the number of children" using them, and have built "algorithms that wield user data as a weapon against children and fuel the addiction machine." The city also alleges that these companies "know children and adolescents are in a developmental stage that leaves them particularly vulnerable to the addictive effects of these features," but "target them anyway, in pursuit of additional profit."

[...] It cites data from the New York City Police Department, for instance, that show at least 16 teens have died while "subway surfing" -- riding outside of a moving train -- a dangerous behavior which the lawsuit claims has been encouraged by social media trends. Two girls, ages 12 and 13, died earlier this month while subway surfing. It also cited survey data collected from New York high school students, which shows that 77.3% of the city's teens spend three or more hours per day on screens, which it claims has contributed to lost sleep and, in turn, absences from school -- corroborated by the city's school districts, which provided data to show that 36.2% of all public school students are considered chronically absent, missing at least 10% of the school year.

The Internet

Apple and Google Reluctantly Comply With Texas Age Verification Law (arstechnica.com) 48

An anonymous reader quotes a report from Ars Technica: Apple yesterday announced a plan to comply with a Texas age verification law and warned that changes required by the law will reduce privacy for app users. "Beginning January 1, 2026, a new state law in Texas -- SB2420 -- introduces age assurance requirements for app marketplaces and developers," Apple said yesterday in a post for developers. "While we share the goal of strengthening kids' online safety, we are concerned that SB2420 impacts the privacy of users by requiring the collection of sensitive, personally identifiable information to download any app, even if a user simply wants to check the weather or sports scores."

The Texas App Store Accountability Act requires app stores to verify users' ages and imposes restrictions on those under 18. Apple said that developers will have "to adopt new capabilities and modify behavior within their apps to meet their obligations under the law." Apple's post noted that similar laws will take effect later in 2026 in Utah and Louisiana. Google also recently announced plans for complying with the three state laws and said the new requirements reduce user privacy. "While we have user privacy and trust concerns with these new verification laws, Google Play is designing APIs, systems, and tools to help you meet your obligations," Google told developers in an undated post.

The Utah law is scheduled to take effect May 7, 2026, while the Louisiana law will take effect July 1, 2026. The Texas, Utah, and Louisiana "laws impose significant new requirements on many apps that may need to provide age appropriate experiences to users in these states," Google said. "These requirements include ingesting users' age ranges and parental approval status for significant changes from app stores and notifying app stores of significant changes."

EU

One-Man Spam Campaign Ravages EU 'Chat Control' Bill (politico.eu) 54

An anonymous reader shares a report: A website set up by an unknown Dane over the course of one weekend in August is giving a massive headache to those trying to pass a European bill aimed at stopping child sexual abuse material from spreading online.

The website, called Fight Chat Control, was set up by Joachim, a 30-year-old software engineer living in Aalborg, Denmark. He made it after learning of a new attempt to approve a European Union proposal to fight child sexual abuse material (CSAM) -- a bill seen by privacy activists as breaking encryption and leading to mass surveillance.

The site lets visitors compile a mass email warning about the bill and send it to national government officials, members of the European Parliament and others with ease. Since launching, it has broken the inboxes of MEPs and caused a stir in Brussels' corridors of power. "We are getting hundreds per day about it," said Evin Incir, a Swedish Socialists and Democrats MEP, of the email deluge.

Privacy

Discord Says 70,000 Users May Have Had Their Government IDs Leaked In Breach (theverge.com) 48

An anonymous reader quotes a report from The Verge: Discord has identified approximately 70,000 users that may have had their government ID photos exposed as part of a customer service data breach announced last week, spokesperson Nu Wexler tells The Verge. A tweet by vx-underground said that the company was being extorted over a breach of its Zendesk instance by a group claiming to have "1.5TB of age verification related photos. 2,185,151 photos." In its announcement last week, Discord said that information like names, usernames, emails, the last four digits of credit cards, and IP addresses also may have been impacted by the breach. "All affected users globally have been contacted and we continue to work closely with law enforcement, data protection authorities, and external security experts," said Wexler. "We've secured the affected systems and ended work with the compromised vendor. We take our responsibility to protect your personal data seriously and understand the concern this may cause."
Crime

Teens Arrested In London Preschool Ransomware Attack (theregister.com) 16

An anonymous reader quotes a report from The Register: London cops on Tuesday arrested two teenagers on suspicion of computer misuse and blackmail following a ransomware attack on a chain of London preschools. London's Metropolitan Police said the two men, both aged 17, were taken into custody during an operation at residential properties in Bishop's Stortford, Hertfordshire. The arrests followed a September 25 referral from the UK's Action Fraud reporting center detailing a ransomware attack on the preschools. While the Met police didn't name the schools, the timing of the referral coincides with a digital break-in at Kido International, a preschool and daycare organization that operates in the UK, US, and India.

In a very aggressive -- and disgusting -- attempt to extort a ransom payment from Kido, the criminals published profiles of 10 children, including photos, names, and home addresses, along with their parents' contact details and in some cases places of work, threatening to expose more if the ransom demand wasn't met. A new crime crew calling itself the Radiant Group claimed responsibility for the attack, and posted the preschool's name, along with its pupils' profiles, as the first leak on its dark web site. The ransomware gang later deleted the kids' and parents' data, apparently under pressure from other criminals -- but not before some of the parents reported receiving threatening calls.
