The one-and-done nature of 23andMe is "indicative of a core business problem with the once high-flying biotech company that is now teetering on the brink of collapse," reports NPR. As 23andMe struggles for survival, many of its 15 million customers are left wondering what the company plans to do with all the data it has collected since it was founded in 2006. An anonymous reader shares an excerpt from the report: Andy Kill, a spokesperson for 23andMe, would not comment on what the company might do with its trove of genetic data beyond general pronouncements about its commitment to privacy. "For our customers, our focus continues to be on transparency and choice over how they want their data to be managed," he said. When signing up for the service, about 80% of 23andMe's customers have opted in to having their genetic data analyzed for medical research. "This rate has held steady for many years," Kill added. The company has an agreement with pharmaceutical giant GlaxoSmithKline, or GSK, that allows the drugmaker to tap the tech company's customer data to develop new treatments for disease. Anya Prince, a law professor at the University of Iowa's College of Law who focuses on genetic privacy, said those worried about their sensitive DNA information may not realize just how few federal protections exist. For instance, the Health Insurance Portability and Accountability Act, also known as HIPAA, does not apply to 23andMe since it is a company outside of the health care realm. "HIPAA does not protect data that's held by direct-to-consumer companies like 23andMe," she said.

Although DNA data has no federal safeguards, some states, like California and Florida, do give consumers rights over their genetic information. "If customers are really worried, they could ask for their samples to be withdrawn from these databases under those laws," said Prince. According to the company, all of its genetic data is anonymized, meaning there is no way for GSK, or any other third party, to connect the sample to a real person. That, however, could make it nearly impossible for a customer to renege on their decision to allow researchers to access their DNA data. "I couldn't go to GSK and say, 'Hey, my sample was given to you -- I want that taken out -- if it was anonymized, right? Because they're not going to re-identify it just to pull it out of the database," Prince said.

Vera Eidelman, a staff attorney with the American Civil Liberties Union who specializes in privacy and technology policy, said the patchwork of state laws governing DNA data makes the generic data of millions potentially vulnerable to being sold off, or even mined by law enforcement. "Having to rely on a private company's terms of service or bottom line to protect that kind of information is troubling -- particularly given the level of interest we've seen from government actors in accessing such information during criminal investigations," Eidelman said. She points to how investigators used a genealogy website to identify the man known as the Golden State Killer, and how police homed in on an Idaho murder suspect by turning to similar databases of genetic profiles. "This has happened without people's knowledge, much less their express consent," Eidelman said.

Neither case relied on 23andMe, and spokesperson Kill said the company does not allow law enforcement to search its database. The company has, however, received subpoenas to access its genetic information. According to 23andMe's transparency report, authorities have sought genetic data on 15 individuals since 2015, but the company has resisted the requests and never produced data for investigators. "We treat law enforcement inquiries, such as a valid subpoena or court order, with the utmost seriousness. We use all legal measures to resist any and all requests in order to protect our customers' privacy," Kill said. [...] In a September filing to financial regulators, [23andMe CEO Anne Wojcicki] wrote: "I remain committed to our customers' privacy and pledge," meaning the company's rules requiring consent for DNA to be used for research would remain in place, as well as allowing customers to delete their data. Wojcicki added that she is no longer considering offers to buy the company after previously saying she was.

"The Fight to Repair Newsletter is reporting that U.S. Senator Elizabeth Warren is calling out agricultural equipment giant John Deere for possible violations of the federal Clean Air Act and a years-long pattern of thwarting owners' ability to repair their farm equipment," writes longtime Slashdot reader chicksdaddy. From the report: Deere "appears to be evading its responsibilities under the Clean Air Act to grant customers the right to repair their own agricultural equipment." That is costing farmers an estimated $4.2 billion annually "causing them to miss key crop windows on which their businesses and livelihoods rely," Warren wrote in a letter (https://www.theverge.com/2024/10/3/24260513/john-deere-right-to-repair-elizabeth-warren-clean-air-act) dated October 2nd. The letter from Warren (PDF), a Senator from Massachusetts and strong repair advocate, is just the latest volley lobbed at Illinois-based Deere, an iconic American brand and the largest supplier of agricultural equipment to farms in the U.S. Deere controls an estimated 53 percent of the U.S. market for large tractors and 60 percent of the U.S. market for farm combines.

In recent weeks, Deere faced criticism, including from Republican presidential candidate Donald Trump, after laying off close to 2,000 U.S. based employees at facilities in Iowa and Illinois, moving many of those jobs to facilities in Mexico. The company has also been repeatedly called out for complicating repair and service of its farm equipment -- often relying on software locks and digital rights management to force farmers to use Deere dealers and authorized service providers for even the simplest repairs.

An anonymous reader quotes a report from TechCrunch: A federal judge blocked one of California's new AI laws on Wednesday, less than two weeks after it was signed by Governor Gavin Newsom. Shortly after signing AB 2839, Newsom suggested it could be used to force Elon Musk to take down an AI deepfake of Vice President Kamala Harris he had reposted (sparking a petty online battle between the two). However, a California judge just ruled the state can't force people to take down election deepfakes -- not yet, at least. AB 2839 targets the distributors of AI deepfakes on social media, specifically if their post resembles a political candidate and the poster knows it's a fake that may confuse voters. The law is unique because it does not go after the platforms on which AI deepfakes appear, but rather those who spread them. AB 2839 empowers California judges to order the posters of AI deepfakes to take them down or potentially face monetary penalties.

Perhaps unsurprisingly, the original poster of that AI deepfake -- an X user named Christopher Kohls -- filed a lawsuit to block California's new law as unconstitutional just a day after it was signed. Kohls' lawyer wrote in a complaint that the deepfake of Kamala Harris is satire that should be protected by the First Amendment. On Wednesday, United States district judge John Mendez sided with Kohls. Mendez ordered a preliminary injunction to temporarily block California's attorney general from enforcing the new law against Kohls or anyone else, with the exception of audio messages that fall under AB 2839. [...] In essence, he ruled the law is simply too broad as written and could result in serious overstepping by state authorities into what speech is permitted or not.

Law enforcement from 12 countries arrested four individuals linked to the LockBit ransomware gang, including a developer and a bulletproof hosting administrator. The operation also resulted in the seizure of LockBit infrastructure and involved sanctions targeting affiliates of both LockBit and Evil Corp. BleepingComputer reports: According to Europol, a suspected LockBit ransomware developer was arrested in August 2024 at the request of French authorities while on holiday outside of Russia. The same month, the U.K.'s National Crime Agency (NCA) arrested two more individuals linked to LockBit activity: one believed to be associated with a LockBit affiliate, while the second was apprehended on suspicion of money laundering. In a separate action, at Madrid airport, Spain's Guardia Civil arrested the administrator of a bulletproof hosting service used to shield LockBit's infrastructure. Today, Australia, the United Kingdom, and the United States also revealed sanctions against an individual the UK NCA believes is a prolific LockBit ransomware affiliate linked to Evil Corp.

The United Kingdom sanctioned 15 more Russian nationals involved in Evil Corp's criminal activities, while the United States sanctioned six individuals and Australia targeted two. "These actions follow the massive disruption of LockBit infrastructure in February 2024, as well as the large series of sanctions and operational actions that took place against LockBit administrators in May and subsequent months," Europol said.

California Governor Gavin Newsom signed a law giving the California Energy Commission the authority to require bidirectional charging in electric vehicles (EVs) in the future -- although no timeline is set. Bidirectional charging allows EVs to not only charge from the grid but also supply electricity back to the grid, potentially enhancing grid resiliency, supporting renewable energy, and reducing peak electricity demand. Electrek reports: The idea started in 2023 when state Senator Nancy Skinner introduced a bill which would require EVs to have bidirectional charging by 2027. As this bill made its way through the legislative process, it got watered down from that ambitious timeline. So the current form of the bill, which is now called SB 59, took away that timeline and instead gave the California Energy Commission (CEC) the go-ahead to issue a requirement whenever they see it fit. The bill directs the CEC, the California Air Resources Board, and the California Public Utilities Commission to examine the use cases of bidirectional charging and give them the power to require specific weight classes of EVs to be bidirectional-capable if a compelling use case exists.

The state already estimates that integrating EVs into the grid could save $1 billion in costs annually, so there's definitely a use case there, but the question is the cost and immediacy of building those vehicles into the grid. The reason this can't be done immediately is that cars take time to design, and while adding bidirectional charging to an EV isn't the most difficult process, it also only really becomes useful with a whole ecosystem of services around the vehicle.

And that ecosystem has been a bit of a hard sell so far. It's all well and good to tell someone they can make $500/year by selling energy to the grid, but then you have to convince them to buy a more expensive charging unit and keep their car plugged in all the time, with someone else managing its energy storage. Some consumers might push back against that, so part of CEC's job is to wait to pull the trigger until it becomes apparent that people are actually interested in the end-user use case for V2G -- otherwise, no sense in requiring a feature that nobody is going to use.

An anonymous reader quotes a report from Reuters: A federal judge dismissed a U.S. Department of Justice lawsuit accusing eBay of violating environmental laws by allowing the sale of hundreds of thousands of harmful products on its platform, including pesticides and devices to evade motor vehicle pollution controls. U.S. District Judge Orelia Merchant in Brooklyn ruled on Monday that Section 230 of the federal Communications Decency Act, which protects online platforms from liability over user content, shielded eBay from liability in the civil lawsuit.

The judge said eBay's administrative and technical support to sellers "does not materially contribute to the products' alleged unlawfulness" and does not make the San Jose, California, company a "publisher or speaker" on sellers' behalf. Merchant also said eBay was not a "seller" of some of the challenged products, because it did not physically possess them or hold title. She rejected the government's argument that eBay was a seller because it exchanged the products for money. The U.S. government argued eBay violated the Clean Air Act by allowing the sale of harmful products, including more than 343,000 aftermarket "defeat" devices that help vehicles generate more power and get better fuel economy by evading emissions controls. The company also was accused of allowing sales of 23,000 unregistered, misbranded or restricted-use pesticides, as well as distributing more than 5,600 paint and coating removal products that contained methylene chloride, a chemical linked to brain and liver cancer and non-Hodgkin lymphoma.

A Russian criminal gang secretly conducted cyberattacks and espionage operations against NATO allies on the orders of the Kremlin's intelligence services, according to the UK's National Crime Agency. From a report: Evil Corp., which includes a man who gained notoriety for driving a Lamborghini luxury sports car, launched the hacks prior to 2019, the NCA said in statement on Tuesday. The gang has been accused of using malicious software to extort millions of dollars from hundreds of banks and financial institutions in more than 40 countries. In December 2019, the US government sanctioned Evil and accused its alleged leader, Maksim Yakubets, of providing "direct assistance" to the Russian state, including by "acquiring confidential documents." The NCA's statement on Tuesday provides new detail on the work Yakubets and other members allegedly carried out to aid the Kremlin's geopolitical aims. The exact nature of the hacks against the North Atlantic Treaty Organization allies wasn't immediately clear.

The Energy Department said on Monday that it had finalized a $1.52 billion loan guarantee to help a company restart a shuttered nuclear plant in Michigan -- the latest sign of rising government support for nuclear power. From a report: Two rural electricity providers that planned to buy power from the reactor would also receive $1.3 billion in federal grants [Editor's note: the link is likely paywalled; alternative source] under a program approved by Congress to help rural communities tackle climate change. The moves will help Holtec International reopen the Palisades nuclear plant in Covert Township, Mich., which ceased operating in 2022. The company plans to inspect and refurbish the plant's reactor and seek regulatory approval to restart the plant by October 2025.

After years of stagnation, America's nuclear industry is seeing a resurgence of interest. Both Congress and the Biden administration have offered billions of dollars in subsidies to prevent older nuclear plants from closing and to build new reactors. Despite concerns about high costs and hazardous waste, nuclear plants can generate electricity at all hours without emitting the greenhouse gases that are heating the planet. David Turk, the deputy secretary of energy, said he expected U.S. electricity demand would grow by 15 percent over the next few years, driven by an increase in electric vehicles, a boom in battery and solar factories as well as a surge of new data centers for artificial intelligence. That meant the nation needs new low-carbon sources of power that could run 24/7 and complement wind and solar plants.

"California Governor Gavin Newsom has vetoed SB 1047, a high-profile bill that would have regulated the development of AI," reports TechCrunch. The bill "would have made companies that develop AI models liable for implementing safety protocols to prevent 'critical harms'." The rules would only have applied to models that cost at least $100 million and use 10^26 FLOPS (floating point operations, a measure of computation) during training.

SB 1047 was opposed by many in Silicon Valley, including companies like OpenAI, high-profile technologists like Meta's chief AI scientist Yann LeCun, and even Democratic politicians such as U.S. Congressman Ro Khanna. That said, the bill had also been amended based on suggestions by AI company Anthropic and other opponents.

In a statement about today's veto, Newsom said, "While well-intentioned, SB 1047 does not take into account whether an AI system is deployed in high-risk environments, involves critical decision-making or the use of sensitive data. Instead, the.." bill applies stringent standards to even the most basic functions — so long as a large system deploys it. I do not believe this is the best approach to protecting the public from real threats posed by the technology."
"Over the past 30 days, Governor Newsom signed 17 bills covering the deployment and regulation of GenAI technology..." according to a statement from the governor's office, "cracking down on deepfakes, requiring AI watermarking, protecting children and workers, and combating AI-generated misinformation... The Newsom Administration will also immediately engage academia to convene labor stakeholders and the private sector to explore approaches to use GenAI technology in the workplace."

In a separate statement the governor pointed out California " is home to 32 of the world's 50 leading Al companies," and warned that the bill "could give the public a false sense of security about controlling this fast-moving technology. Smaller, specialized models may emerge as equally or even more dangerous than the models targeted by SB 1047 — at the potential expense of curtailing the very innovation that fuels advancement in favor of the public good..."

"While well-intentioned, SB 1047 does not take into account whether an AI system is deployed in high-risk environments, involves critical decision-making or the use of sensitive data. Instead, the bill applies stringent standards to even the most basic functions — so long as a large system deploys it.

"I do not believe this is the best approach to protecting the public from real threats posed by the technology."

Interestingly, the Los Angeles Times reported that the vetoed bill had been supported by Mark Hamill, J.J. Abrams, and "more than 125 Hollywood actors, directors, producers, music artists and entertainment industry leaders" who signed a letter of support. (And that bill also cited the support of "over a hundred current and former employees of OpenAI, Google DeepMind, Anthropic, Meta, and xAI..."

The United Nations is set to vote on a treaty later this year intended to create norms for fighting cybercrime -- and the Biden administration is fretting over whether to sign on. Politico: The uncertainty over the treaty stems from fears that countries including Russia, Iran and China could use the text as a guise for U.N. approval of their widespread surveillance measures and suppression of the digital rights of their citizens. If the United States chooses not to vote in favor of the treaty, it could become easier for these adversarial nations -- named by the Cybersecurity and Infrastructure Security Agency as the biggest state sponsors of cybercrime -- to take the lead on cyber issues in the future. And if the U.S. walks away from the negotiating table now, it could upset other nations that spent several years trying to nail down the global treaty with competing interests in mind.

While the treaty is not set for a vote during the U.N. General Assembly this week, it's a key topic of debate on the sidelines, following meetings in New York City last week, and committee meetings set for next month once the world's leaders depart. The treaty was troubled from its inception. A cybercrime convention was originally proposed by Russia, and the U.N. voted in late 2019 to start the process to draft it -- overruling objections by the U.S. and other Western nations. Those countries were worried Russia would use the agreement as an alternative to the Budapest Convention -- an existing accord on cybercrime administered by the Council of Europe, which Russia, China and Iran have not joined.

The Justice Department unsealed criminal charges Friday against three Iranian operatives suspected of hacking Donald Trump's presidential campaign and disseminating stolen information to media organizations. From a report: The three accused hackers were employed by Iran's paramilitary Revolutionary Guard and their operation also targeted a broad swath of targets, including government officials, members of the media and non-governmental organizations, the Justice Department said.

The Trump campaign disclosed on Aug. 10 that it had been hacked and said Iranian actors had stolen and distributed sensitive internal documents. Multiple major news organizations that said they were leaked confidential information from inside the Trump campaign, including Politico, The New York Times and The Washington Post, declined to publish it.

Ars Technica's Dan Goodin reports: Last week, NIST released its second public draft of SP 800-63-4, the latest version of its Digital Identity Guidelines. At roughly 35,000 words and filled with jargon and bureaucratic terms, the document is nearly impossible to read all the way through and just as hard to understand fully. It sets both the technical requirements and recommended best practices for determining the validity of methods used to authenticate digital identities online. Organizations that interact with the federal government online are required to be in compliance. A section devoted to passwords injects a large helping of badly needed common sense practices that challenge common policies. An example: The new rules bar the requirement that end users periodically change their passwords. This requirement came into being decades ago when password security was poorly understood, and it was common for people to choose common names, dictionary words, and other secrets that were easily guessed.

Since then, most services require the use of stronger passwords made up of randomly generated characters or phrases. When passwords are chosen properly, the requirement to periodically change them, typically every one to three months, can actually diminish security because the added burden incentivizes weaker passwords that are easier for people to set and remember. Another requirement that often does more harm than good is the required use of certain characters, such as at least one number, one special character, and one upper- and lowercase letter. When passwords are sufficiently long and random, there's no benefit from requiring or restricting the use of certain characters. And again, rules governing composition can actually lead to people choosing weaker passcodes.

The latest NIST guidelines now state that:
- Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords and
- Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator. ("Verifiers" is bureaucrat speak for the entity that verifies an account holder's identity by corroborating the holder's authentication credentials. Short for credential service provider, "CSPs" are a trusted entity that assigns or registers authenticators to the account holder.) In previous versions of the guidelines, some of the rules used the words "should not," which means the practice is not recommended as a best practice. "Shall not," by contrast, means the practice must be barred for an organization to be in compliance. Several other common sense practices mentioned in the document include: 1. Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
2. Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
3. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
4. Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
6. Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
7. Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
8. Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., "What was the name of your first pet?") or security questions when choosing passwords.
9. Verifiers SHALL verify the entire submitted password (i.e., not truncate it).

"Dozens of Fortune 100 organizations" have unknowingly hired North Korean IT workers using fake identities, generating revenue for the North Korean government while potentially compromising tech firms, according to Google's Mandiant unit. "In a report published Monday [...], researchers describe a common scheme orchestrated by the group it tracks as UNC5267, which has been active since 2018," reports The Record. "In most cases, the IT workers 'consist of individuals sent by the North Korean government to live primarily in China and Russia, with smaller numbers in Africa and Southeast Asia.'" From the report: The remote workers "often gain elevated access to modify code and administer network systems," Mandiant found, warning of the downstream effects of allowing malicious actors into a company's inner sanctum. [...] Using stolen identities or fictitious ones, the actors are generally hired as remote contractors. Mandiant has seen the workers hired in a variety of complex roles across several sectors. Some workers are employed at multiple companies, bringing in several salaries each month. The tactic is facilitated by someone based in the U.S. who runs a laptop farm where workers' laptops are sent. Remote technology is installed on the laptops, allowing the North Koreans to log in and conduct their work from China or Russia.

Workers typically asked for their work laptops to be sent to different addresses than those listed on their resumes, raising the suspicions of companies. Mandiant said it found evidence that the laptops at these farms are connected to a "keyboard video mouse" device or multiple remote management tools including LogMeIn, GoToMeeting, Chrome Remote Desktop, AnyDesk, TeamViewer and others. "Feedback from team members and managers who spoke with Mandiant during investigations consistently highlighted behavior patterns, such as reluctance to engage in video communication and below-average work quality exhibited by the DPRK IT worker remotely operating the laptops," Mandiant reported.

In several incident response engagements, Mandiant found the workers used the same resumes that had links to fabricated software engineer profiles hosted on Netlify, a platform often used for quickly creating and deploying websites. Many of the resumes and profiles included poor English and other clues indicating the actor was not based in the U.S. One characteristic repeatedly seen was the use of U.S-based addresses accompanied by education credentials from universities outside of North America, frequently in countries such as Singapore, Japan or Hong Kong. Companies, according to Mandiant, typically don't verify credentials from universities overseas. Further reading: How Not To Hire a North Korean IT Spy

According to the Wall Street Journal, the U.S. Department of Justice is investigating Super Micro Computer after short-seller Hindenburg Research alleged "accounting manipulation" at the AI server maker. Super Micro's shares fell about 12% following the report. Reuters reports: The WSJ report, which cited people familiar with the matter, said the probe was at an early stage and that a prosecutor at a U.S. attorney's office recently contacted people who may be holding relevant information. The prosecutor has asked for information that appeared to be connected to a former employee who accused the company of accounting violations, the report added.

Super Micro had late last month delayed filing its annual report, citing a need to assess "its internal controls over financial reporting," a day after Hindenburg disclosed a short position and made claims of "accounting manipulation." The short-seller had cited a three-month investigation that included interviews with former senior employees of Super Micro and litigation records. Hindenburg's allegations included evidence of undisclosed related-party transactions, failure to abide by export controls, among other issues. The company had denied Hindenburg's claims.

Cybersecurity firm Kaspersky has defended its decision to automatically replace its antivirus software on U.S. customers' computers with UltraAV, a product from American company Pango, without explicit user consent. The forced switch, affecting nearly one million users, occurred as a result of a U.S. government ban on Kaspersky software.

Kaspersky spokesperson Francesco Tius told TechCrunch that the company informed eligible U.S. customers via email about the migration, which began in early September. Windows users experienced an automatic transition to ensure continuous protection, while Mac and mobile users were instructed to manually install UltraAV. Some customers expressed alarm at the unannounced software swap. Kaspersky blamed missed notifications on unregistered email addresses, directing users to in-app messages and an online FAQ. The abrupt change raises concerns about user autonomy and privacy in software updates, particularly as UltraAV lacks an established security track record.

An anonymous reader quotes a report from Bloomberg: OpenAI has pitched the Biden administration on the need for massive data centers that could each use as much power as entire cities, framing the unprecedented expansion as necessary to develop more advanced artificial intelligence models and compete with China. Following a recent meeting at the White House, which was attended by OpenAI Chief Executive Officer Sam Altman and other tech leaders, the startup shared a document with government officials outlining the economic and national security benefits of building 5-gigawatt data centers in various US states, based on an analysis the company engaged with outside experts on. To put that in context, 5 gigawatts is roughly the equivalent of five nuclear reactors, or enough to power almost 3 million homes. OpenAI said investing in these facilities would result in tens of thousands of new jobs, boost the gross domestic product and ensure the US can maintain its lead in AI development, according to the document, which was viewed by Bloomberg News. To achieve that, however, the US needs policies that support greater data center capacity, the document said. "Whatever we're talking about is not only something that's never been done, but I don't believe it's feasible as an engineer, as somebody who grew up in this," said Joe Dominguez, CEO of Constellation Energy Corp. "It's certainly not possible under a timeframe that's going to address national security and timing."

Hackers linked to the Chinese government have broken into a handful of U.S. internet-service providers in recent months in pursuit of sensitive information, WSJ reported Wednesday, citing people familiar with the matter. From the report: The hacking campaign, called Salt Typhoon by investigators, hasn't previously been publicly disclosed and is the latest in a series of incursions that U.S. investigators have linked to China in recent years. The intrusion is a sign of the stealthy success Beijing's massive digital army of cyberspies has had breaking into valuable computer networks in the U.S. and around the globe.

In Salt Typhoon, the actors linked to China burrowed into America's broadband networks. In this type of intrusion, bad actors aim to establish a foothold within the infrastructure of cable and broadband providers that would allow them to access data stored by telecommunications companies or launch a damaging cyberattack. Last week, U.S. officials said they had disrupted a network of more than 200,000 routers, cameras and other internet-connected consumer devices that served as an entry point into U.S. networks for a China-based hacking group called Flax Typhoon. And in January, federal officials disrupted Volt Typhoon, yet another China-linked campaign that has sought to quietly infiltrate a swath of U.S. critical infrastructure.

"The cyber threat posed by the Chinese government is massive," said Christopher Wray, the Federal Bureau of Investigation's director, speaking earlier this year at a security conference in Germany. "China's hacking program is larger than that of every other major nation, combined." U.S. security officials allege that Beijing has tried and at times succeeded in burrowing deep into U.S. critical infrastructure networks ranging from water-treatment systems to airports and oil and gas pipelines. Top Biden administration officials have issued public warnings over the past year that China's actions could threaten American lives and are intended to cause societal panic. The hackers could also disrupt the U.S.'s ability to mobilize support for Taiwan in the event that Chinese leader Xi Jinping orders his military to invade the island.

The FAA's air traffic control systems are significantly out of date and won't be updated until the 2030s, according to a report from the U.S. Government Accountability Office (GAO). The Register reports: In a report released Monday, the GAO said that 51 of the FAA's 138 ATC systems -- more than a third -- were unsustainable due to a lack of parts, shortfalls in funding to sustain them, or a lack of technology refresh funding to replace them. A further 54 systems were described as "potentially unsustainable" for similar reasons, with the added caveat that tech refresh funding was available to them. "FAA has 64 ongoing investments aimed at modernizing 90 of the 105 unsustainable and potentially unsustainable systems," the GAO said in its report. "However, the agency has been slow to modernize the most critical and at-risk systems."

The report said the seemingly perilous status of 17 systems was "especially concerning" as these are deemed to have critical operational impact at the same time as being unsustainable and having extended completion dates -- the first of them won't be modernized until 2030 at the earliest. Others aren't planned to be complete until 2035, and four of the 17 "most critical and at-risk FAA ATC systems" have no modernization plans at all. Of the systems on the list, two are more than 40 years old, and a further seven have been in service for more than 30 years.

Caroline Ellison, the former CEO of Alameda Research, must serve 24 months in prison and forfeit $11 billion. "I've seen a lot of cooperators in 30 years. I've never seen one quite like Ms. Ellison," said Judge Lewis Kaplan during the sentencing hearing today. The Verge reports: Ellison pleaded guilty to two counts of wire fraud and five conspiracy counts in December 2022 as part of a cooperation agreement with the government. Prosecutors had recommended a lenient sentence because of Ellison's "extraordinary" and "very timely" cooperation. Her own lawyers asked for no jail time, as did the federal Probation Department.

Ellison was the key witness at the trial of FTX cofounder Sam Bankman-Fried, where she testified for three days. A statement submitted by the prosecution before Ellison's sentencing said the speed at which she came clean made it possible to indict her ex-boyfriend Bankman-Fried quickly, "ensuring that he did not flee the Bahamas or further obstruct the government's investigation." The document also noted that Ellison was completely and immediately forthcoming in her meetings with the government.

Ellison was also prompt in assisting John J. Ray, the new CEO charged with cleaning up the FTX mess, in locating and recovering customer assets, according to a statement written by Ray submitted by the defense. Her "early cooperation" was "valuable" in recovering debtors' assets, he wrote. Ellison is working on a deal where she will turn over "substantially all of her remaining assets after satisfying her forfeiture obligations" to the FTX debtors.

An anonymous reader quotes a report from Ars Technica: California Gov. Gavin Newsom vetoed a bill that would have required makers of web browsers and mobile operating systems to let consumers send opt-out preference signals that could limit businesses' use of personal information. The bill approved by the State Legislature last month would have required an opt-out signal "that communicates the consumer's choice to opt out of the sale and sharing of the consumer's personal information or to limit the use of the consumer's sensitive personal information." It would have made it illegal for a business to offer a web browser or mobile operating system without a setting that lets consumers "send an opt-out preference signal to businesses with which the consumer interacts."

In a veto message (PDF) sent to the Legislature Friday, Newsom said he would not sign the bill. Newsom wrote that he shares the "desire to enhance consumer privacy," noting that he previously signed a bill "requir[ing] the California Privacy Protection Agency to establish an accessible deletion mechanism allowing consumers to request that data brokers delete all of their personal information." But Newsom said he is opposed to the new bill's mandate on operating systems. "I am concerned, however, about placing a mandate on operating system (OS) developers at this time," the governor wrote. "No major mobile OS incorporates an option for an opt-out signal. By contrast, most Internet browsers either include such an option or, if users choose, they can download a plug-in with the same functionality. To ensure the ongoing usability of mobile devices, it's best if design questions are first addressed by developers, rather than by regulators. For this reason, I cannot sign this bill." Vetoes can be overridden with a two-thirds vote in each chamber. The bill was approved 59-12 in the Assembly and 31-7 in the Senate. But the State Legislature hasn't overridden a veto in decades. "It's troubling the power that companies such as Google appear to have over the governor's office," said Justin Kloczko, tech and privacy advocate for Consumer Watchdog, a nonprofit group in California. "What the governor didn't mention is that Google Chrome, Apple Safari and Microsoft Edge don't offer a global opt-out and they make up for nearly 90 percent of the browser market share. That's what matters. And people don't want to install plug-ins. Safari, which is the default browsers on iPhones, doesn't even accept a plug-in."