The U.S. Cybersecurity and Infrastructure Security Agency (CISA) will start providing more hands-on support to open-source software developers as they work to better secure their projects, the agency said. From a report: CISA hosted a two-day, invite-only summit this week with leaders in the open-source software community and other federal officials. During the private event, the agency also ran what's likely the first tabletop exercise to assess how well the government and the open-source community would respond to a cyberattack targeting one of their projects.

During the summit, CISA and a handful of package repositories unveiled new initiatives to help secure open-source projects. CISA is working on a new communication channel where open-source software developers can share threat intelligence and ask the agency for assistance during an incident. The Rust Foundation is developing new public key infrastructure for its repository, which will help ensure that the code developers are uploading isn't malicious and is coming from legitimate users.

npm, which manages the JavaScript programming language, is requiring project maintainers to enroll in multi-factor authentication and is rolling out a tool to generate "software bills of materials," which provide a recipe list of what code and other elements are in a project. Additional repositories -- including the Python Software Foundation, Packagist, Composer and Maven Central -- are pursuing similar projects and also also rolling out tools to help detect and report malware and other security vulnerabilities.

An anonymous reader quotes a report from the BBC: A group of US lawmakers has introduced a bill that would require Chinese tech giant ByteDance to sell off the popular video-sharing TikTok app within six months or face a ban. For years American officials have raised concerns that data from the app could fall into the hands of the Chinese government. A bipartisan set of 19 lawmakers introduced the legislation on Tuesday. TikTok called the bill a disguised "outright ban."

In a statement announcing the bill, the lawmakers said "applications like TikTok that are controlled by foreign adversaries pose an unacceptable risk to US national security." The bill would give ByteDance 165 days to divest, or it would be blocked from the app store and web hosting platforms in the US. TikTok has previously argued against divestment, saying a change in ownership would not impose new restrictions on data use. [...] The House Energy and Commerce Committee said it would consider the latest bill on Thursday. "This legislation will trample the First Amendment rights of 170 million Americans and deprive 5 million small businesses of a platform they rely on to grow and create jobs," TikTok said in a statement to the BBC.

Former President Donald Trump attempted to completely ban TikTok in 2020, but that was unsuccessful. More recently, a group of senators introduced legislation to block TikTok last year, but it was stalled due to lobbying from the company.

An anonymous reader quotes a report from Krebs on Security: There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. "ALPHV") as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change's network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate's disclosure appears to have prompted BlackCat to cease operations entirely. [...]

The affiliate claimed BlackCat/ALPHV took the $22 million payment but never paid him his percentage of the ransom. BlackCat is known as a "ransomware-as-service" collective, meaning they rely on freelancers or affiliates to infect new networks with their ransomware. And those affiliates in turn earn commissions ranging from 60 to 90 percent of any ransom amount paid. "But after receiving the payment ALPHV team decide to suspend our account and keep lying and delaying when we contacted ALPHV admin," the affiliate "Notchy" wrote. "Sadly for Change Healthcare, their data [is] still with us." [...] On the bright side, Notchy's complaint seems to have been the final nail in the coffin for the BlackCat ransomware group, which was infiltrated by the FBI and foreign law enforcement partners in late December 2023. As part of that action, the government seized the BlackCat website and released a decryption tool to help victims recover their systems. BlackCat responded by re-forming, and increasing affiliate commissions to as much as 90 percent. The ransomware group also declared it was formally removing any restrictions or discouragement against targeting hospitals and healthcare providers. However, instead of responding that they would compensate and placate Notchy, a representative for BlackCat said today the group was shutting down and that it had already found a buyer for its ransomware source code. [...] BlackCat's website now features a seizure notice from the FBI, but several researchers noted that this image seems to have been merely cut and pasted from the notice the FBI left in its December raid of BlackCat's network.

Fabian Wosar, head of ransomware research at the security firm Emsisoft, said it appears BlackCat leaders are trying to pull an "exit scam" on affiliates by withholding many ransomware payment commissions at once and shutting down the service. "ALPHV/BlackCat did not get seized," Wosar wrote on Twitter/X today. "They are exit scamming their affiliates. It is blatantly obvious when you check the source code of their new takedown notice." Dmitry Smilyanets, a researcher for the security firm Recorded Future, said BlackCat's exit scam was especially dangerous because the affiliate still has all the stolen data, and could still demand additional payment or leak the information on his own. "The affiliates still have this data, and they're mad they didn't receive this money, Smilyanets told Wired.com. "It's a good lesson for everyone. You cannot trust criminals; their word is worth nothing."

An anonymous reader quotes a report from Ars Technica: Oregon has joined the small but growing list of states that have passed right-to-repair legislation. Oregon's bill stands out for a provision that would prevent companies from requiring that official parts be unlocked with encrypted software checks before they will fully function. Bill SB 1596 passed Oregon's House by a 42 to 13 margin. Gov. Tina Kotek has five days to sign the bill into law. Consumer groups and right-to-repair advocates praised the bill as "the best bill yet," while the bill's chief sponsor, state Sen. Janeen Sollman (D), pointed to potential waste reductions and an improved second-hand market for closing a digital divide.

"Oregon improves on Right to Repair laws in California, Minnesota and New York by making sure that consumers have the choice of buying new parts, used parts, or third-party parts for the gadgets and gizmos," said Gay Gordon-Byrne, executive director of Repair.org, in a statement. Like bills passed in New York, California, and Minnesota, Oregon's bill requires companies to offer the same parts, tools, and documentation to individual and independent repair shops that are already offered to authorized repair technicians. Unlike other states' bills, however, Oregon's bill doesn't demand a set number of years after device manufacture for such repair implements to be produced. That suggests companies could effectively close their repair channels entirely rather than comply with the new requirements. California's bill mandated seven years of availability.

If signed, the law's requirements for parts, tools, and documentation would apply to devices sold after 2015, except for phones, which are covered after July 2021. The prohibition against parts pairing only covers devices sold in 2025 and later. Like other repair bills, a number of device categories are exempted, including video game consoles, HVAC and medical gear, solar systems, vehicles, and, very specifically, "Electric toothbrushes."

The U.S. government announced Tuesday sanctions against the founder of the notorious spyware company Intellexa and one of his business partners. From a report: This is the first time the U.S. government has targeted specific people, in addition to companies, with sanctions related to the misuse of commercial spyware. And it signifies an escalation of the White House and U.S. government's efforts to curb the spyware industry. "Today's actions represent a tangible step forward in discouraging the misuse of commercial surveillance tools, which increasingly present a security risk to the United States and our citizens," said Brian E. Nelson, U.S Treasury's under secretary for terrorism and financial intelligence, was quoted as saying in a press release.

"The United States remains focused on establishing clear guardrails for the responsible development and use of these technologies while also ensuring the protection of human rights and civil liberties of individuals around the world." The U.S. Treasury imposed sanctions on Tal Dilian, the founder of Intellexa and a veteran of the spyware industry; and Sara Aleksandra Fayssal Hamou, who is not as well-known as Dilian. Hamou, according to the Treasury, has a leadership role in Intellexa, is an expert in off-shoring, and provided the company managerial services, such as renting office space in Greece.

Hackers backed by the North Korean government gained a major win when Microsoft left a Windows zero-day unpatched for six months after learning it was under active exploitation. From a report: Even after Microsoft patched the vulnerability last month, the company made no mention that the North Korean threat group Lazarus had been using the vulnerability since at least August to install a stealthy rootkit on vulnerable computers. The vulnerability provided an easy and stealthy means for malware that had already gained administrative system rights to interact with the Windows kernel. Lazarus used the vulnerability for just that. Even so, Microsoft has long said that such admin-to-kernel elevations don't represent the crossing of a security boundary, a possible explanation for the time Microsoft took to fix the vulnerability.

"When it comes to Windows security, there is a thin line between admin and kernel," Jan Vojtesek, a researcher with security firm Avast, explained last week. "Microsoft's security servicing criteria have long asserted that '[a]dministrator-to-kernel is not a security boundary,' meaning that Microsoft reserves the right to patch admin-to-kernel vulnerabilities at its own discretion. As a result, the Windows security model does not guarantee that it will prevent an admin-level attacker from directly accessing the kernel." The Microsoft policy proved to be a boon to Lazarus in installing "FudModule," a custom rootkit that Avast said was exceptionally stealthy and advanced. Rootkits are pieces of malware that have the ability to hide their files, processes, and other inner workings from the operating system itself and at the same time control the deepest levels of the operating system. To work, they must first gain administrative privileges -- a major accomplishment for any malware infecting a modern OS. Then, they must clear yet another hurdle: directly interacting with the kernel, the innermost recess of an OS reserved for the most sensitive functions.

An anonymous reader quotes a report from Ars Technica: Jack Teixeira, the National Guard airman who leaked confidential military documents on Discord, agreed Monday to plead guilty, promising to cooperate with officials attempting to trace the full extent of government secrets leaked. Under the plea deal, Teixeira will serve a much-reduced sentence, The Boston Globe reported, recommended between 11 years and 16 years and eight months. Previously, Teixeira had pleaded not guilty to six counts of "willful retention and transmission of national defense information," potentially facing up to 10 years per count. During a pretrial hearing, prosecutors suggested he could face up to 25 years, The Globe reported.

By taking the deal, Teixeira will also avoid being charged with violations of the Espionage Act, The New York Times reported, including allegations of unlawful gathering and unauthorized removal of top-secret military documents. According to prosecutors, it was clear that Teixeira, 22, was leaking sensitive documents -- including national security secrets tied to US foreign adversaries and allies, including Russia, China, Ukraine, and South Korea -- just to impress his friends on Discord -- some of them teenage boys. Investigators found no evidence of espionage. US District Judge Indira Talwani will decide whether or not to sign off on the deal at a hearing scheduled for September 27.

Gartner: By 2026, traditional search engine volume will drop 25%, with search marketing losing market share to AI chatbots and other virtual agents, according to Gartner. "Organic and paid search are vital channels for tech marketers seeking to reach awareness and demand generation goals," said Alan Antin, Vice President Analyst at Gartner. "Generative AI (GenAI) solutions are becoming substitute answer engines, replacing user queries that previously may have been executed in traditional search engines. This will force companies to rethink their marketing channels strategy as GenAI becomes more embedded across all aspects of the enterprise."

With GenAI driving down the cost of producing content, there is an impact around activities including keyword strategy and website domain authority scoring. Search engine algorithms will further value the quality of content to offset the sheer amount of AI-generated content, as content utility and quality still reigns supreme for success in organic search results. There will also be a greater emphasis placed on watermarking and other means to authenticate high-value content. Government regulations across the globe are already holding companies accountable as they begin to require the identification of marketing content assets that AI creates. This will likely play a role in how search engines will display such digital content.

An anonymous reader shares a report: India has waded into global AI debate by issuing an advisory that requires "significant" tech firms to get government permission before launching new models. India's Ministry of Electronics and IT issued the advisory to firms on Friday. The advisory -- not published on public domain but a copy of which TechCrunch has reviewed -- also asks tech firms to ensure that their services or products "do not permit any bias or discrimination or threaten the integrity of the electoral process."

Though the ministry admits the advisory is not legally binding, India's IT Deputy Minister Rajeev Chandrasekhar says the notice is "signalling that this is the future of regulation." He adds: "We are doing it as an advisory today asking you to comply with it." In a tweet Monday, Chandrasekhar said the advisory is aimed at "untested AI platforms deploying on the India internet" and doesn't apply to startups. About-face from India's position on AI a year ago.

The Washington Post shares some surprising news from the American Council for an Energy Efficient Economy, a 44-year-old nonprofit which works on government energy policies and produces its own research and analysis.

The group "has rated the pollution from vehicles for decades," according to the article — but "says the winning car this year is the Toyota Prius Prime SE, a plug-in hybrid that can go 44 miles on electricity before switching to hybrid." "It's the shape of the body, the technology within it, and the overall weight," said Peter Huether, senior research associate for transportation at ACEEE. "And all different types of Priuses are very efficient...." [T]he Prius Prime also won out in 2020 and 2022. But with more and more electric vehicles on the market, the staying power of the plug-in hybrid is surprising.

The analysis shows that simply running on electricity is not enough to guarantee that a car is "green" — its weight, battery size and overall efficiency matter, too. While a gigantic electric truck weighing thousands of pounds might be better than a gas truck of the same size, both will be outmatched by a smaller, efficient gas vehicle. And the more huge vehicles there are on the road, the harder it will be for the United States to meet its goal of zeroing out emissions by 2050.

The GreenerCars report analyzes 1,200 cars available in 2024, assessing both the carbon dioxide emissions of the vehicle while it's on the road and the emissions of manufacturing the car and battery. It also assesses the impact of pollutants beyond carbon dioxide, including nitrogen oxides, carbon monoxide and particulate matter — all of which can harm human health. The Toyota Prius Prime received a score of 71, followed by several all-electric cars such as the Nissan Leaf and Mini Cooper SE with scores in the high 60s. The Toyota RAV4 Prime, a plug-in hybrid SUV with 42 miles in range, got a score of 64. One gas hybrid, the Hyundai Elantra Blue, made the list as well — thanks to an efficient design and good mileage.

At the bottom of the list were large gas-guzzling trucks such as the Ford F-150 Raptor R, with scores in the 20s. So was one electric car: the Hummer EV, which weighs 9,000 pounds and scored a 29... The Prius Prime outranked its competitors, Huether said, because of its small battery — which lowers the emissions and pollution associated with manufacturing — and its high efficiency. The vehicle's battery is less than one-tenth the size of the battery on the monstrous Hummer EV.

Some news from "Copyleft Currents", the blog of open-source/IP lawyer Heather Meeker: On February 14, 2024, the Court of Appeal of Paris issued an order stating that Orange, a major French telecom provider, had infringed the copyight of Entr'Ouvert's Lasso software and violated the GPL.

They ordered Orange to pay €500,000 in compensatory damages and €150,000 for moral damages.

This case has been ongoing for many years. Entr'ouvert is the publisher of Lasso, a reference library for the Security Assertion Markup Language (SAML) protocol, an open standard for identity providers to authenticate users and pass authentication tokens to online services. This is the open protocol that enables single sign-on (SSO). The Lasso product is dual licensed by Entr'Ouvert under GPL or commercial licenses.

In 2005, Orange won a contract with the French Agency for the Development of Electronic Administration to develop parts of the service-public.fr portal, which allows users to interact online with the government for administrative procedures. Orange used the Lasso software in the solution, but did not pass on the rights to its modifications free of charge under GPL, or make the source code to its modifications available. Entr'Ouvert sued Orange in 2010, and the case wended its way through the courts, turning on, among other things, issues of proof of Entr'Ouvert 's copyright interest in the software, and whether the case properly sounded in breach of contract or copyright infringement...

The compensatory damages were based on both lost profits of the plaintiff and disgorgement of profits of Orange. Moral damages compensate the plaintiff for harm to reputation or other non-monetary injury.
Thanks to long-time Slashdot reader AmiMoJo for sharing the article.

America's Federal Aviation administration "will require a fix for a new 737 MAX design problem discovered by Boeing that, although it's a remote possibility, could theoretically disable the jet's engine anti-ice system," reports the Seattle Times: A different flaw in the MAX's engine anti-ice system design drew scrutiny in January and forced the company to drop a request for an exemption from key safety regulations. And now, it's not just the MAX with an engine anti-ice system problem. Airlines have reported a separate issue with a similar system on Boeing's 787 Dreamliner that has caused what the FAA calls "relatively minor" damage to the engine inlets on some two dozen of these widebody jets in service.

Though the FAA considers neither problem to be an immediate risk to flight safety, in February it issued separate notices of two proposed airworthiness directives to require the fix for the engine anti-ice system on the MAX and to lay out inspection and repair procedures for that system on the 787, pending a redesign that provides a permanent fix... When there is an immediate safety risk, the FAA issues a more urgent emergency directive that must be acted upon before further flight. Jets are grounded until it's dealt with. That's not the case with these two proposed airworthiness directives. Indicating that the risk is considered slight, both of the proposed directives will be open for public comments until April. Only after that will action be mandated...

On the MAX, the proposed FAA directive states that Boeing identified a potential single point of failure when it reviewed the internal design of the unit that provides a backup power supply to aircraft systems if the primary electrical system fails. Such a failure could potentially result in the loss of the anti-ice systems on both engines, with no indication or warning that would alert the pilots, the FAA directive states... In November 2022, Boeing sent a service bulletin alerting airlines and describing the required fix, which the FAA will now mandate...

Unlike this MAX issue, the fault discovered on the 787 Dreamliner has resulted in actual damage to engines on passenger aircraft. The FAA airworthiness directive on the 787 states that "damage was found during overhaul on multiple inlets around the Engine Anti-Ice duct within the inlet aft compartment." Rather than a production issue, it was a matter of the seals being insufficiently durable. Even when the plane was flying in dry air and the anti-ice system was not switched on, the seal degradation led to hot air leaking into the inlet compartment, "exposing inlet components to high temperatures," the FAA states. Boeing said this resulted in "thermal damage and discoloration to a limited area of the surrounding composite and metallic structure inside the inlet...." The FAA's proposed airworthiness directive warns that heat damage to the inlet structure could lead to "reduced structural strength and departure of the inlet from the airplane."

"Departure of the inlet" is a bland way of describing the front of the pod around the engine fan detaching, potentially striking the jet's wing, tail or fuselage. Such disintegration could result in "subsequent loss of continued safe flight and landing or injury to occupants," the airworthiness directive states...
"A separate question is how this flaw with the 787 anti-ice duct seals and the single point of failure in the backup power supply on the MAX slipped through the FAA's original certification of these aircraft."

Business Insider also reports that Boeing "is holding off on a planned expansion of production for its 737 Max planes after an Alaska Airlines flight lost a chunk of the plane while airborne in January."

Americans filing their taxes could face privacy threats, reports the Washington Post: "We just need your OK on a couple of things," TurboTax says as you prepare your tax return.

Alarm bells should be ringing in your head at the innocuous tone.

This is where America's most popular tax-prep website asks you to sign away the ironclad privacy protections of your tax return, including the details of your income, home mortgage and student loan payments. With your permission to blab your money secrets, the company earns extra income from showing you advertisements for the next three years for things like credit cards and mortgage offers targeted to your financial situation.

You have the legal right to say no when TurboTax asks for your permission to "share your data" or use your tax information to "improve your experience...."
The article complains that granting permission allows TurboTax to share details with "sibling" companies "such as your salary, the amount of your tax refund, whether you received a tax break for student loans and the day you printed your tax return..."

"You'll see that permission request once near the beginning of the tax prep process. If you skip it then, you'll see the same screen again near the end. You'll have to say yes or no..." This is part of the corporate arms race for your personal data. Everyone including the grocery store, your apps and the manufacturer of your car are gobbling information to profit from details of your life. With TurboTax, though, you have the power to refuse to participate...

TurboTax and the online tax prep service from H&R Block have been asking every year to blab your tax return. We've cautioned you about it for each of the past two tax filing seasons. (I focused only on TurboTax this year.)

An anonymous reader quotes a report from Gizmodo: For 20 years, a loosely organized group of Wikipedia editors toiled away curating a collection of 15,000 articles on a single subject: the roads and highways of the United States. Despite minor disagreements, the US Roads Project mostly worked in harmony, but recently, a long-simmering debate over the website's rules drove this community to the brink. Efforts at compromise fell apart. There was a schism, and in the fall of 2023, the editors packed up their articles and moved over to a website dedicated to roads and roads alone. It's called AARoads, a promised land where the editors hope, at last, that they can find peace. "Roads are a background piece. People drive on them every day, but they don't give them much attention," said editor Michael Gronseth, who goes by Imzadi1979 on Wikipedia, where he dedicated his work to Michigan highways, specifically. But a road has so much to offer if you look beyond the asphalt. It's the nexus of history, geography, travel, and government, a seemingly perfect subject for the hyper-fixations of Wikipedia. "But there was a shift about a year ago," Gronseth said. "More editors started telling us that what we're doing isn't important enough, and we should go work on more significant topics." [...]

The Roads Project had a number of adversaries, but the chief rival is a group known as the New Page Patrol, or the NPP for short. The NPP has a singular mission. When a new page goes up on Wikipedia, it gets reviewed by the NPP. The Patrol has special editing privileges and if a new article doesn't meet the website's standards, the NPP takes it down. "There's a faction of people who feel that basically anything is valid to be published on Wikipedia. They say, 'Hey, just throw it out there! Anything goes.' That's not where I come down." said Bil Zeleny, a former member of the NPP who goes by onel5969 on Wikipedia, a reference to the unusual spelling of his first name. At his peak, Zeleny said he was reviewing upwards of 100,000 articles a year, and he rejected a lot of articles about roads during his time. After years of frustration, Zeleny felt he was seeing too many new road articles that weren't following the rules -- entire articles that cited nothing other than Google Maps, he said. Enough was enough. Zeleny decided it was time to bring the subject to the council.

Zeleny brought up the problem on the NPP discussion forum, sparking months of heated debate. Eventually, the issue became so serious that some editors proposed an official policy change on the use of maps as a source. Rule changes require a process called "Request for Comment," where everyone is invited to share their thoughts on the issue. Over the course of a month, Wikipedia users had written more than 56,000 words on the subject. For reference, that's about twice as long as Ernest Hemingway's novel The Old Man and the Sea. In the end, the roads project was successful. The vote was decisive, and Wikipedia updated its "No Original Research" policy to clarify that it's ok to cite maps and other visual sources. But this, ultimately, was a victory with no winners. "Some of us felt attacked," Gronseth said. On the US Roads Project's Discord channel, a different debate was brewing. The website didn't feel safe anymore. What would happen at the next request for comment? The community decided it was time to fork. "We don't want our articles deleted. It didn't feel like we had a choice," he said.

The Wikipedia platform is designed for interoperability. If you want to start your own Wiki, you can split off and take your Wikipedia work with you, a process known as "forking." [...] Over the course of several months, the US Roads Project did the same. Leaving Wikipedia was painful, but the fight that drove the roads editors away was just as difficult for people on the other side. Some editors embroiled in the roads fights deleted their accounts, though none of these ex-Wikipedian's responded to Gizmodo's requests for comment. Bil Zeleny was among the casualties. After almost six years of hard work on the New Post Patrol, he reached the breaking point. The controversy had pushed him too far, and Zeleny resigned from the NPP. [...] AARoads actually predates Wikipedia, tracing its origins all the way back to the prehistoric internet days of the year 2000, complete with articles, maps, forums, and a collection of over 10,000 photos of highway signs and markers. When the US Roads Project needed a new home, AARoads was happy to oblige. It's a beautiful resource. It even has backlinks to relevant non-roads articles on the regular Wikipedia. But for some, it isn't home. "There are members who disagree with me, but my ultimate goal is to fork back," said Gronseth. "We made our articles license-compatible, so they can be exported back to Wikipedia someday if that becomes an option. I don't want to stay separate. I want to be part of the Wikipedia community. But we don't know where things will land, and for now, we've struck out on our own."

A number of government agencies in the European Union and elsewhere have voiced concerns about security risks as Apple opens up its iPhones and iPads to rival app stores to comply with EU tech rules, Apple said on Friday. From a report: Under the Digital Markets Act, from March 7 Apple will be required to offer alternative app stores on iPhones and allow developers to opt out of using its in-app payment system, which charges fees of up to 30%. The U.S. tech giant, which on Jan. 24 detailed the changes to bring its App Store in line with the EU rules, said "sideloading" has sparked concerns from both EU and non-EU government agencies and users.

An anonymous reader quotes an excerpt from a Wired article: In 2019, a government contractor and technologist named Mike Yeagley began making the rounds in Washington, DC. He had a blunt warning for anyone in the country's national security establishment who would listen: The US government had a Grindr problem. A popular dating and hookup app, Grindr relied on the GPS capabilities of modern smartphones to connect potential partners in the same city, neighborhood, or even building. The app can show how far away a potential partner is in real time, down to the foot. But to Yeagley, Grindr was something else: one of the tens of thousands of carelessly designed mobile phone apps that leaked massive amounts of data into the opaque world of online advertisers. That data, Yeagley knew, was easily accessible by anyone with a little technical know-how. So Yeagley -- a technology consultant then in his late forties who had worked in and around government projects nearly his entire career -- made a PowerPoint presentation and went out to demonstrate precisely how that data was a serious national security risk.

As he would explain in a succession of bland government conference rooms, Yeagley was able to access the geolocation data on Grindr users through a hidden but ubiquitous entry point: the digital advertising exchanges that serve up the little digital banner ads along the top of Grindr and nearly every other ad-supported mobile app and website. This was possible because of the way online ad space is sold, through near-instantaneous auctions in a process called real-time bidding. Those auctions were rife with surveillance potential. You know that ad that seems to follow you around the internet? It's tracking you in more ways than one. In some cases, it's making your precise location available in near-real time to both advertisers and people like Mike Yeagley, who specialized in obtaining unique data sets for government agencies.

Working with Grindr data, Yeagley began drawing geofences -- creating virtual boundaries in geographical data sets -- around buildings belonging to government agencies that do national security work. That allowed Yeagley to see what phones were in certain buildings at certain times, and where they went afterwards. He was looking for phones belonging to Grindr users who spent their daytime hours at government office buildings. If the device spent most workdays at the Pentagon, the FBI headquarters, or the National Geospatial-Intelligence Agency building at Fort Belvoir, for example, there was a good chance its owner worked for one of those agencies. Then he started looking at the movement of those phones through the Grindr data. When they weren't at their offices, where did they go? A small number of them had lingered at highway rest stops in the DC area at the same time and in proximity to other Grindr users -- sometimes during the workday and sometimes while in transit between government facilities. For other Grindr users, he could infer where they lived, see where they traveled, even guess at whom they were dating.

Intelligence agencies have a long and unfortunate history of trying to root out LGBTQ Americans from their workforce, but this wasn't Yeagley's intent. He didn't want anyone to get in trouble. No disciplinary actions were taken against any employee of the federal government based on Yeagley's presentation. His aim was to show that buried in the seemingly innocuous technical data that comes off every cell phone in the world is a rich story -- one that people might prefer to keep quiet. Or at the very least, not broadcast to the whole world. And that each of these intelligence and national security agencies had employees who were recklessly, if obliviously, broadcasting intimate details of their lives to anyone who knew where to look. As Yeagley showed, all that information was available for sale, for cheap. And it wasn't just Grindr, but rather any app that had access to a user's precise location -- other dating apps, weather apps, games. Yeagley chose Grindr because it happened to generate a particularly rich set of data and its user base might be uniquely vulnerable. The report goes into great detail about how intelligence and data analysis techniques, notably through a program called Locomotive developed by PlanetRisk, enabled the tracking of mobile devices associated with Russian President Vladimir Putin's entourage. By analyzing commercial adtech data, including precise geolocation information collected from mobile advertising bid requests, analysts were able to monitor the movements of phones that frequently accompanied Putin, indicating the locations and movements of his security personnel, aides, and support staff.

This capability underscored the surveillance potential of commercially available data, providing insights into the activities and security arrangements of high-profile individuals without directly compromising their personal devices.

In a series of tests using fake data, a U.S. government watchdog was able to steal more than 1GB of seemingly sensitive personal data from the cloud systems of the U.S. Department of the Interior. The experiment is detailed in a new report by the Department of the Interior's Office of the Inspector General (OIG), published last week. TechCrunch reports: The goal of the report was to test the security of the Department of the Interior's cloud infrastructure, as well as its "data loss prevention solution," software that is supposed to protect the department's most sensitive data from malicious hackers. The tests were conducted between March 2022 and June 2023, the OIG wrote in the report. The Department of the Interior manages the country's federal land, national parks and a budget of billions of dollars, and hosts a significant amount of data in the cloud. According to the report, in order to test whether the Department of the Interior's cloud infrastructure was secure, the OIG used an online tool called Mockaroo to create fake personal data that "would appear valid to the Department's security tools."

The OIG team then used a virtual machine inside the Department's cloud environment to imitate "a sophisticated threat actor" inside of its network, and subsequently used "well-known and widely documented techniques to exfiltrate data." "We used the virtual machine as-is and did not install any tools, software, or malware that would make it easier to exfiltrate data from the subject system," the report read. The OIG said it conducted more than 100 tests in a week, monitoring the government department's "computer logs and incident tracking systems in real time," and none of its tests were detected nor prevented by the department's cybersecurity defenses.

"Our tests succeeded because the Department failed to implement security measures capable of either preventing or detecting well-known and widely used techniques employed by malicious actors to steal sensitive data," said the OIG's report. "In the years that the system has been hosted in a cloud, the Department has never conducted regular required tests of the system's controls for protecting sensitive data from unauthorized access." That's the bad news: The weaknesses in the Department's systems and practices "put sensitive [personal information] for tens of thousands of Federal employees at risk of unauthorized access," read the report. The OIG also admitted that it may be impossible to stop "a well-resourced adversary" from breaking in, but with some improvements, it may be possible to stop that adversary from exfiltrating the sensitive data.

According to the Washington Post (paywalled), the FBI is using mobile push notification data to unmask people suspected of serious crimes, such as pedophilia, terrorism, and murder. Gizmodo reports: The Post did a little digging into court records and found evidence of at least 130 search warrants filed by the feds for push notification data in cases spanning 14 states. In those cases, FBI officials asked tech companies like Google, Apple, and Facebook to fork over data related to a suspect's mobile notifications, then used the data to implicate the suspect in criminal behavior linked to a particular app, even though many of those apps were supposedly anonymous communication platforms, like Wickr.

How exactly is this possible? Push notifications, which are provided by a mobile operating system provider, include embedded metadata that can be examined to understand the use of the mobile apps on a particular phone. Apps come laced with a quiet identifier, a "push token," which is stored on the corporate servers of a company like Apple or another phone manufacturer after a user signs up to use a particular app. Those tokens can later be used to identify the person using the app, based on the information associated with the device on which the app was downloaded. Even turning off push notifications on your device doesn't necessarily disable this feature, experts contend. [...]

If finding new ways to catch pedophiles and terrorists doesn't seem like the worst thing in the world, the Post article highlights the voices of critics who fear that this kind of mobile data could be used to track people who have not committed serious crimes -- like political activists or women seeking abortions in states where the procedure has been restricted.

Journalist Eric Newcomer, writing at The Free Press: There was a time when I believed that self-driving cars should be held to the standard of airplanes. Every mistake needed to be rigorously understood and any human death was unforgivable. But my view has evolved over time as human drivers have continued to kill tens of thousands of people a year. We need a solution that's meaningfully better than human drivers, yes, but we shouldn't wait for perfection before we start getting dangerous human drivers off the streets.

Lost in all the fulminating about automation and big-tech tyranny is the fact that self-driving cars are an attempt to solve a very serious problem. Traffic fatalities are a leading cause of death in the United States for anyone between the ages of 1 and 54. About 40,000 people die in car crashes a year in the U.S., with about one-third involving drunk drivers. There's a natural, though irrational, human bias toward the status quo. We tend to believe that things are the way they are for a good reason. But of course, technology has drastically improved human lives and human life spans already. Why stop now that more powerful computer chips and sophisticated artificial intelligence models open up new possibilities?

[...] Leaving aside seething hostility toward tech and private capital, and worries over job losses, the most credible objection to self-driving cars from the left is the fear that deploying them means doubling down on roads and sprawl, and undermining support for public transportation projects. But there's no reason self-driving cars and public transportation need to be at odds. They can fulfill different needs. Autonomous vehicles are being deployed in San Francisco in fleets through ride-hailing programs, reducing the need for personal car ownership. If we can get self-driving cars working, self-driving buses on regular routes should be even easier. And contrary to the view that driverless cars are being deployed unilaterally by tech billionaires, the people's representatives -- government officials -- gave Alphabet-owned Waymo a license to operate. Our roads and motor vehicles are tightly regulated. Single incidents have derailed self-driving car projects, from Uber and more recently, GM-owned Cruise, while human drivers kill tens of thousands a year unimpeded.

An anonymous reader quotes a report from Ars Technica: Convicted FTX fraudster Sam Bankman-Fried pleaded for a lenient prison sentence in a court filing yesterday, saying that he isn't motivated by greed and "is already being punished." Bankman-Fried requested a sentence of 63 to 78 months, or 5.25 to 6.5 years. Because of "Sam's charitable works and demonstrated commitment to others, a sentence that returns Sam promptly to a productive role in society would be sufficient, but not greater than necessary, to comply with the purposes of sentencing," the court filing (PDF) said. Bankman-Fried's filing also said that he maintains his innocence and intends to appeal his convictions.

A presentence investigation report (PSR) prepared by a probation officer recommended that Bankman-Fried be sentenced to 100 years in prison, according to the filing. "That recommendation is grotesque," SBF's filing said, arguing that it is based on an erroneously calculated loss of $10 billion. The $10 billion loss asserted in the PSR is "illusory" because the "victims are poised to recover -- were always poised to recover -- a hundred cents on the dollar" in bankruptcy proceedings, SBF's filing said. The filing urged the court to "reject the PSR's barbaric proposal" of 100 years, saying that such sentences should only be for "heinous conduct" like terrorism and child sexual abuse.

The founder and ex-CEO of cryptocurrency exchange FTX, Bankman-Fried was convicted on seven charges with a combined maximum sentence of 110 years after a monthlong trial in US District Court for the Southern District of New York. The charges included wire fraud and conspiracy to commit wire fraud, securities fraud, commodities fraud, and money laundering. US government prosecutors are required to make a sentencing recommendation by March 15, and US District Judge Lewis Kaplan is scheduled to issue a sentence on March 28.