The Almighty Buck

US Officials are Discussing How to Regulate Cryptocurrencies and Stablecoins (reuters.com)

America's Securities and Exchange Commission received a letter Thursday from Colorado Senator John Hickenlooper urging clearer regulations of digital assets: The lawmaker asked the agency to clarify what types of digital assets are securities, address how to issue and list digital securities, establish a registration service for digital asset security trading platforms, set regulations on how trading and custody of digital assets should be carried out, and determine what disclosures are required for potential investors to be informed about. "Given the complexity of these issues, and recognizing that some digital assets are securities, others may be commodities, and others may be subject to a completely different regulatory regime, a formal regulatory process is needed now," Hickenlooper wrote in his letter.

"This will significantly improve policy development and allow the SEC to collect views and understand concerns. Furthermore, it will create clear rules that will benefit investors who currently may not be fully aware of the risks associated with digital asset investments...."

Hickenlooper also wrote that applying old market regulations to cryptocurrency would lead to financial services being more expensive and less accessible; leading to the agency's disclosure regime being less useful to U.S. residents. "I recognize these questions are complicated, but it is time for the SEC to engage. Empowering innovators, fostering financial innovation, protecting investors, and ensuring market integrity are consistent principles," the lawmaker concluded in his letter. "I look forward to working with you to build prudent rules as this powerful technology continues to develop."

Meanwhile, the Securities and Exchange Commission wants some changes of its own, reports Reuters: The U.S. Congress should give the Commodity Futures Trading Commission more powers to police cryptocurrency stablecoins to reduce risks to the financial system, Securities and Exchange Commission Chair Gary Gensler said on Friday.... With around $150 billion in market capitalization, stablecoins have many similarities to money market funds, and need to be regulated accordingly, Gensler said at a conference held by Georgetown University's Psaros Center for Financial Markets and Policy in Washington.... "I think the CFTC could have greater authorities. They currently do not have direct regulatory authorities over the underlying non-security tokens," he said....

The Financial Stability Oversight Council, a U.S. regulatory panel comprising top financial regulators, earlier this month recommended that Congress pass legislation addressing the risks digital assets pose to the financial system, including bills to bolster oversight of crypto spot markets and stablecoins. It remains unclear when Congress might pass crypto-related legislation, although several bills have been introduced to address stablecoins and digital commodities regulation.

Crime

$3 Billion In Cryptocurrency Stolen This Year. So Far. (cbsnews.com)

"Hackers are on a roll in 2022, stealing over $3 billion in cryptocurrency," writes Slashdot reader quonset (citing figures from blockchain analytics firm Chainalysis). "And the year isn't over yet.

"For comparison, in 2021, only $2.1 billion in cryptocurrency was stolen during the entire year."

CBS News reports: A big chunk of that $3 billion, around $718 million, was taken this month in 11 different hacks, Chainalysis said in a series of tweets posted Wednesday. "October is now the biggest month in the biggest year ever for hacking activity, with more than half the month still to go," the company tweeted.

In past years, hackers focused their efforts on attacking crypto exchanges, but those companies have since strengthened their security, Chainalysis said. These days, cybercriminals are targeting "cross-chain bridges," which allow investors to transfer digital assets and data among different blockchains.... "Cross-chain bridges remain a major target for hackers, with three bridges breached this month and nearly $600 million stolen, accounting for 82% of losses this month and 64% of losses all year," Chainalysis said....

All told, Chainalysis said there have been 125 hacks so far this year.

"Cryptocurrency is not federally regulated or FDIC insured like a bank account," the article concludes, "which means if an account gets hacked, the government will not work to restore a customer's funds."

Government

New 'Council for Responsible Social Media' Seeks Bipartisan Reforms (msn.com)

"Public officials in Washington for years have sparred along partisan lines over whether social media platforms take down too much or too little hate speech and misinformation," reports the Washington Post's politics/tech newsletter, The Technology 202.

"A council launching this week aims to sidestep those disputes by proposing reforms that tackle issues of bipartisan concern, including children's safety and national security." The newly minted Council for Responsible Social Media, set up by the nonpartisan nonprofit Issue One, features a wide-ranging and influential lineup of former U.S. lawmakers and federal officials, advocates, scholars, industry leaders and whistleblowers... "This is not a think tank. This is an action tank," former Democratic House majority leader Dick Gephardt told The Technology 202. "We want to see results...."

"The core goal of the commission is to really show that there are bipartisan paths forward ... that involve having companies have to actually talk about what is their role in society," Facebook whistleblower Frances Haugen said in an interview. Haugen said the council can move the debate around social media accountability forward by focusing on areas of "common ground," like concerns around algorithmic amplification, transparency and platform design choices. Haugen said proposals the council might explore include giving users, particularly children, the option to "reset algorithms" so they do not keep wandering down the same risky "rabbit holes." By focusing on systemic issues, she said, the group might be able to help build support for ideas that sidestep thorny speech debates. The council may also rally around legislation that already has bipartisan support, such as recent Senate bills on kids' online safety and platform transparency, Haugen said....

The council is also poised to shine a brighter spotlight on how U.S. companies may be playing into the hands of foreign adversaries — scrutiny that has largely focused on TikTok, owned by Beijing-based tech giant ByteDance.... Haugen said one concept the group may explore is requiring "consistent reporting" by companies about how much they are investing to counter foreign influence operations.

The Platform Accountability and Transparency Act (introduced in 2021) "would require social media firms to comply with researcher data requests for external audits," reports the Guardian. "Under the proposed law, failure to do so could result in loss of legal protections for content hosted on their platform."

"There are a number of large opportunities today that were not on the table a year ago in terms of moving forward in a bipartisan way," Haugen told the Guardian. "They just need a push over the finish line."

Crime

Nikola Founder Trevor Milton Found Guilty of Fraud (cnbc.com)

Trevor Milton, the founder and former chairman and CEO of electric heavy truck maker Nikola, was found guilty in federal court on Friday of three of four counts of fraud relating to false statements he made to drive up the value of Nikola's stock. CNBC reports: Milton was charged with two counts of securities fraud and two counts of wire fraud, all related to statements he made about Nikola's business while he was chairman and CEO of the company. Jurors found him guilty on one count of securities fraud and both of the wire fraud counts. Milton faced up to 25 years in prison if convicted on all four counts.

The U.S. Attorney's Office in Manhattan had alleged that Milton lied about "nearly all aspects of the business" he founded in 2014 during his time leading the company. Those lies, prosecutors said, were intended to induce investors to bid up the price of Nikola's stock. "On the backs of those innocent investors taken in by his lies, he became a billionaire virtually overnight," Assistant U.S. Attorney Nicolas Roos said in his opening statement in September.

Timeline of events:

June, 2016: Nikola Motor Receives Over 7,000 Preorders Worth Over $2.3 Billion For Its Electric Truck
December, 2016: Nikola Motor Company Reveals Hydrogen Fuel Cell Truck With Range of 1,200 Miles
February, 2020: Nikola Motors Unveils Hybrid Fuel-Cell Concept Truck With 600-Mile Range
June, 2020: Nikola Founder Exaggerated the Capability of His Debut Truck
September, 2020: Nikola Motors Accused of Massive Fraud, Ocean of Lies
September, 2020: Nikola Admits Prototype Was Rolling Downhill In Promo Video
September, 2020: Nikola Founder Trevor Milton Steps Down as Chairman in Battle With Short Seller
October, 2020: Nikola Stock Falls 14 Percent After CEO Downplays Badger Truck Plans
November, 2020: Nikola Stock Plunges As Company Cancels Badger Pickup Truck
July, 2021: Nikola Founder Trevor Milton Indicted on Three Counts of Fraud
December, 2021: EV Startup Nikola Agrees To $125 Million Settlement
September, 2022: Nikola Founder Lied To Investors About Tech, Prosecutor Says in Fraud Trial

Crime

Prison Inmate Accused of Orchestrating $11 Million Fraud Using Cell Cellphone (theregister.com)

An anonymous reader quotes a report from The Register: On June 8, 2020, an individual claiming to be billionaire film producer and philanthropist Sidney Kimmel contacted brokerage Charles Schwab by phone and stated that he had uploaded a wire disbursement form using the service's secure email service. The only problem was the call apparently came from prison. Still, the caller made reference to a transfer verification inquiry earlier that day by his wife -- a role said to have been played by a female co-conspirator. The individual allegedly posing as Kimmel had contacted a Schwab customer service representative three days earlier -- on June 5, 2020 -- about opening a checking account, and was told that a form of identification and a utility bill would be required. On June 6, a co-conspirator is alleged to have provided a picture of Kimmel's driver's license and a Los Angeles Water and Power utility bill. According to court documents [PDF] filed by the US Attorney's Office in the Northern District of Georgia, the uploaded documents consisted of a request for funds to be wired to an external bank and a forged letter of authorization -- both of which appeared to be signed by Kimmel.

On June 9, satisfied that Kimmel had been adequately authenticated, the brokerage sent $11 million from Kimmel's Schwab account to a Zions Bank account for Money Metal Exchange, LLC, an Eagle, Idaho-based seller of gold coins and other precious metals. The real Kimmel had no knowledge of the transaction, which resulted in the purchase of 6,106 American Eagle gold coins. The individual who orchestrated the fraudulent purchase of the coins is alleged to have hired a private security firm on June 13, 2020 to transport the coins from Boise, Idaho to Atlanta, Georgia on a chartered plane. An associate of the fraudster allegedly took possession of the coins three days later. All the while the alleged mastermind, Arthur Lee Cofield Jr, was incarcerated in a maximum security prison in Butts County, Georgia, according to the government. Cofield is serving a 14-year sentence for armed robbery and is also under indictment in Fulton County, Georgia for attempted murder.

The day after the coins were purchased, prison staff are said to have searched Cofield's cell and recovered a blue Samsung cellphone hidden under his arm. The prison forensic unit apparently determined that Cofield had been using an account on free voice and messaging service TextNow and matched the phone number with calls made to Money Metals Exchange. On December 8, 2020, a federal grand jury indicted Cofield and two co-conspirators for conspiracy to commit bank fraud and money laundering. Cofield's attorney, Steven Sadow, subsequently sought to suppress the cellphone evidence on Fourth Amendment grounds, arguing that the warrantless search of the device by prison officials was unrelated to the legitimate function of prison security and maintenance. The government said otherwise, insisting that Cofield does not have standing to contest the search, having no "legitimate expectation of privacy in the contents of a contraband cell phone." The judge overseeing the case sided with the government [PDF] and certified the case to proceed to trial.

Firefox

Firefox's New Service Gives You a Burner Phone Number To Cut Down on Spam (theverge.com)

Firefox Relay, a Mozilla service designed to hide your "real" email address by giving you virtual ones to hand out, is expanding to offer virtual phone numbers. From a report: In a blog post Mozilla product manager Tony Amaral-Cinotto explains that the relay service generates a phone number for you to give out to companies if you suspect they might use it to send you spam messages in the future, or if you think they might share it with others who will. The idea is that handing out this alternative phone number makes it easier to block spam phone calls or texts in the future. You can either block all calls or texts sent to your relay number, or just block specific contacts. Importantly it lets you keep your "real" phone number private, which is something you might want to consider if it's a number you use to receive sensitive information like two-step verification codes via SMS. Once you've signed up, the Firefox phone number masking service offers 50 minutes of incoming calls and 75 text messages a month. The phone number masking service is also more expensive at $4.99 a month (or $3.99 a month when paid annually), while the email service offers a choice between a free tier and a premium tier costing $1.99 a month ($0.99 a month when paid annually).

Privacy

In the Ultimate Amazon Smart Home, Each Device Collects Your Data (washingtonpost.com)

Geoffrey Fowler, writing for The Washington Post: You may not realize all the ways Amazon is watching you. No other Big Tech company reaches deeper into domestic life. Two-thirds of Americans who shop on Amazon own at least one of its smart gadgets, according to Consumer Intelligence Research Partners. Amazon now makes (or has acquired) more than two dozen types of domestic devices and services, from the garage to the bathroom. All devices generate data. But from years of reviewing technology, I've learned Amazon collects more data than almost any other company. Amazon says all that personal information helps power an "ambient intelligence" to make your home smart. It's the Jetsons dream.

But it's also a surveillance nightmare. Many of Amazon's products contribute to its detailed profile of you, helping it know you better than you know yourself. Amazon says it doesn't "sell" our data, but there aren't many U.S. laws to restrict how it uses the information. Data that seems useless today could look different tomorrow after it gets reanalyzed, stolen or handed to a government.

Security

Signal To Phase Out SMS Support From the Android App

schwit1 shares a blog post from Signal, the popular instant messaging app: In the interest of privacy, security, and clarity we're beginning to phase out SMS support from the Android app. You'll have several months to export your messages and either find a new app for SMS or tell your friends to download Signal.

[...] To give some context, when we started supporting SMS, Signal didn't exist yet. Our Android app was called TextSecure and the Signal encryption protocol was called Axolotl. Almost a decade has passed since then, and a lot has changed. In this time we changed our name, built iOS and desktop apps, and grew from a small project to the most widely used private messaging service on the planet. And we continued supporting the sending and receiving of plaintext SMS messages via the Signal interface on Android. We did this because we knew that Signal would be easier for people to use if it could serve as a homebase for most of the messages they were sending or receiving, without having to convince the people they wanted to talk to to switch to Signal first. But this came with a tradeoff: it meant that some messages sent and received via the Signal interface on Android were not protected by Signal's strong privacy guarantees.

We have now reached the point where SMS support no longer makes sense. For those of you interested, we walk through our reasoning in more detail below. In order to enable a more streamlined Signal experience, we are starting to phase out SMS support from the Android app. You will have several months to transition away from SMS in Signal, to export your SMS messages to another app, and to let the people you talk to know that they might want to switch to Signal, or find another channel if not.

Security

How Wi-Fi Spy Drones Snooped On Financial Firm (theregister.com)

An anonymous reader quotes a report from The Register: Modified off-the-shelf drones have been found carrying wireless network-intrusion kit in a very unlikely place. Greg Linares, a security researcher, recently recounted an incident that he said occurred over the summer at a US East Coast financial firm focused on private investment. He told The Register that he was not involved directly with the investigation but interacted with those involved as part of his work in the finance sector. In a Twitter thread, Linares said the hacking incident was discovered when the financial firm spotted unusual activity on its internal Atlassian Confluence page that originated from within the company's network.

The company's security team responded and found that the user whose MAC address was used to gain partial access to the company Wi-Fi network was also logged in at home several miles away. That is to say, the user was active off-site but someone within Wi-Fi range of the building was trying to wirelessly use that user's MAC address, which is a red flag. The team then took steps to trace the Wi-Fi signal and used a Fluke system to identify the Wi-Fi device. "This led the team to the roof, where a 'modified DJI Matrice 600' and a 'modified DJI Phantom' series were discovered," Linares explained. The Phantom drone was in fine condition and had a modified Wi-Fi Pineapple device, used for network penetration testing, according to Linares. The Matrice drone was carrying a case that contained a Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem, and another Wi-Fi device. It had landed near the building's heating and ventilation system and appeared to be damaged but still operable. "During their investigation, they determined that the DJI Phantom drone had originally been used a few days prior to intercept a worker's credentials and Wi-Fi," Linares said. "This data was later hard coded into the tools that were deployed with the Matrice."

According to Linares, the tools on the drones were used to target the company's internal Confluence page in order to reach other internal devices using the credentials stored there. The attack, he said, had limited success and is the third cyberattack involving a drone he's seen over the past two years. "The attackers specifically targeted a limited access network, used by both a third-party and internally, that was not secure due to recent changes at the company (e.g. restructuring/rebranding, new building, new building lease, new network setup or a combination of any of these scenarios)," Linares told The Register. "This is the reason why this temporary network unfortunately had limited access in order to login (credentials + MAC security). The attackers were using the attack in order to access an internal IT confluence server that contained other credentials for accessing other resources and storing IT procedures." [...] While the identity of the attacker has not been disclosed, Linares believes those responsible did their homework. "This was definitely a threat actor who likely did internal reconnaissance for several weeks, had physical proximity to the target environment, had a proper budget and knew their physical security limitations," he said.
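The correlation the security team made (a user active remotely while their MAC address associates on site) can be automated as a detection. This is an added example, not code from The Register or from Linares; the log formats, field names and sample lines are constructed for illustration, and a real deployment would feed it exports from the Wi-Fi controller and VPN concentrator.

```python
"""Flag Wi-Fi associations that overlap a remote VPN session for the same user.

Added example, not code from the report. Log layouts below are constructed;
adapt parse_line() to the export format of your own Wi-Fi controller and VPN.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not real data). One event per line:
# <timestamp> <event> key=value ...
WIFI_LOG = """\
2022-07-12T09:02:11Z assoc user=jdoe mac=AA:BB:CC:DD:EE:01 ap=roof-ap-3 ssid=corp-temp
2022-07-12T09:05:40Z assoc user=asmith mac=AA:BB:CC:DD:EE:02 ap=floor2-ap-1 ssid=corp
2022-07-12T09:20:03Z assoc user=jdoe mac=AA:BB:CC:DD:EE:01 ap=roof-ap-3 ssid=corp-temp
"""

VPN_LOG = """\
2022-07-12T08:30:00Z login user=jdoe src=203.0.113.45
2022-07-12T12:00:00Z logout user=jdoe src=203.0.113.45
2022-07-12T13:00:00Z login user=asmith src=198.51.100.7
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line):
    """Split '<ts> <event> k=v k=v' into a dict; keeps the raw timestamp parsed."""
    ts, event, *fields = line.split()
    rec = {"ts": parse_ts(ts), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def vpn_sessions(vpn_log):
    """Pair login/logout events into per-user (start, end) intervals.

    A login without a matching logout is treated as still open, so a user who
    is currently remote is covered up to the end of time.
    """
    open_sessions = {}
    sessions = defaultdict(list)
    for line in vpn_log.splitlines():
        rec = parse_line(line)
        if rec["event"] == "login":
            open_sessions[rec["user"]] = rec["ts"]
        elif rec["event"] == "logout" and rec["user"] in open_sessions:
            sessions[rec["user"]].append((open_sessions.pop(rec["user"]), rec["ts"]))
    for user, start in open_sessions.items():
        sessions[user].append((start, datetime.max))
    return sessions


def find_overlaps(wifi_log, vpn_log):
    """Return on-site Wi-Fi associations that fall inside a VPN session of the same user.

    Each hit is the 'user is logged in from home, but their MAC just joined our
    Wi-Fi' condition that tipped off the firm's security team.
    """
    sessions = vpn_sessions(vpn_log)
    alerts = []
    for line in wifi_log.splitlines():
        rec = parse_line(line)
        if rec["event"] != "assoc":
            continue
        for start, end in sessions.get(rec["user"], []):
            if start <= rec["ts"] <= end:
                alerts.append({"user": rec["user"], "mac": rec["mac"],
                               "ap": rec["ap"], "ts": rec["ts"]})
                break
    return alerts


def access_points_by_alerts(alerts):
    """Count alerts per access point; a single AP dominating the list (here the
    roof) points the responders at where to look physically."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["ap"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_overlaps(WIFI_LOG, VPN_LOG)
    for hit in hits:
        print(f"{hit['ts']:%H:%M:%S} {hit['user']} {hit['mac']} seen on {hit['ap']} while on VPN")
    print(access_points_by_alerts(hits))
```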

Encryption

Android Leaks Some Traffic Even When 'Always-On VPN' Is Enabled (bleepingcomputer.com)

Mullvad VPN has discovered that Android leaks traffic every time the device connects to a WiFi network, even if the "Block connections without VPN" or "Always-on VPN" feature is enabled. BleepingComputer reports: The data being leaked outside VPN tunnels includes source IP addresses, DNS lookups, HTTPS traffic, and likely also NTP traffic. This behavior is built into the Android operating system and is a design choice. However, Android users likely didn't know this until now due to the inaccurate description of the "VPN Lockdown" features in Android's documentation. Mullvad discovered the issue during a security audit that hasn't been published yet, issuing a warning yesterday to raise awareness on the matter and apply additional pressure on Google.

Android offers a setting under "Network & Internet" to block network connections unless you're using a VPN. This feature is designed to prevent accidental leaks of the user's actual IP address if the VPN connection is interrupted or drops suddenly. Unfortunately, this feature is undercut by the need to accommodate special cases like identifying captive portals (like hotel WiFi) that must be checked before the user can log in or when using split-tunnel features. This is why Android is configured to leak some data upon connecting to a new WiFi network, regardless of whether you enabled the "Block connections without VPN" setting.

Mullvad reported the issue to Google, requesting the addition of an option to disable connectivity checks. "This is a feature request for adding the option to disable connectivity checks while "Block connections without VPN" (from now on lockdown) is enabled for a VPN app," explains Mullvad in a feature request on Google's Issue Tracker. "This option should be added as the current VPN lockdown behavior is to leak connectivity check traffic (see this issue for incorrect documentation) which is not expected and might impact user privacy."

In response to Mullvad's request, a Google engineer said this is the intended functionality and that it would not be fixed for the following reasons:

- Many VPNs actually rely on the results of these connectivity checks to function,
- The checks are neither the only nor the riskiest exemptions from VPN connections,
- The privacy impact is minimal, if not insignificant, because the leaked information is already available from the L2 connection.

Mullvad countered these points and the case remains open.

Google

Google is Bringing Passkey Support To Android and Chrome (googleblog.com)

Android Developers Blog: Passkeys are a significantly safer replacement for passwords and other phishable authentication factors. They cannot be reused, don't leak in server breaches, and protect users from phishing attacks. Passkeys are built on industry standards and work across different operating systems and browser ecosystems, and can be used for both websites and apps. Passkeys follow already familiar UX patterns, and build on the existing experience of password autofill. For end-users, using one is similar to using a saved password today, where they simply confirm with their existing device screen lock such as their fingerprint. Passkeys on users' phones and computers are backed up and synced through the cloud to prevent lockouts in the case of device loss. Additionally, users can use passkeys stored on their phone to sign in to apps and websites on other nearby devices.

Today's announcement is a major milestone in our work with passkeys, and enables two key capabilities: Users can create and use passkeys on Android devices, which are securely synced through the Google Password Manager. Developers can build passkey support on their sites for end-users using Chrome via the WebAuthn API, on Android and other supported platforms. To try this today, developers can enroll in the Google Play Services beta and use Chrome Canary. Both features will be generally available on stable channels later this year. Our next milestone in 2022 will be an API for native Android apps. Passkeys created through the web API will work seamlessly with apps affiliated with the same domain, and vice versa. The native API will give apps a unified way to let the user pick either a passkey or a saved password. Seamless, familiar UX for both passwords and passkeys helps users and developers gradually transition to passkeys.

For the end-user, creating a passkey requires just two steps: (1) confirm the passkey account information, and (2) present their fingerprint, face, or screen lock when prompted. Signing in is just as simple: (1) The user selects the account they want to sign in to, and (2) presents their fingerprint, face, or screen lock when prompted. A passkey on a phone can also be used to sign in on a nearby device. For example, an Android user can now sign in to a passkey-enabled website using Safari on a Mac. Similarly, passkey support in Chrome means that a Chrome user, for example on Windows, can do the same using a passkey stored on their iOS device. Since passkeys are built on industry standards, this works across different platforms and browsers - including Windows, macOS and iOS, and ChromeOS, with a uniform user experience.

Google

Google's 'Incognito' Mode Inspires Staff Jokes - and a Big Lawsuit (bloomberg.com)

An email mocking Chrome browsing mode's faux privacy has surfaced in the courtroom. From a report: On International Data Privacy Day last year, an email popped into Alphabet Chief Executive Sundar Pichai's inbox from Google's marketing chief Lorraine Twohill full of ideas on gaining user trust. "Make Incognito Mode truly private," she wrote in a bullet point. "We are limited in how strongly we can market Incognito because it's not truly private, thus requiring really fuzzy, hedging language that is almost more damaging." Now, billions of dollars in damages could be at stake in a consumer lawsuit targeting the private-browsing feature if a judge agrees Tuesday to let the case proceed as a class action on behalf of millions of users.

Twohill's assessment of Incognito's shortcomings was remarkably candid considering Google had already been sued at the time she messaged her boss, who himself had shepherded the feature through development back when the company launched its Chrome browser in 2008. Google denies wrongdoing. "Privacy controls have long been built into our services and we encourage our teams to constantly discuss or consider ideas to improve them," spokesman Jose Castaneda said in an email. Court filings show that well before the search engine giant was taken to court, rank and file Googlers frankly voiced their own frustrations that Incognito didn't live up to its name.

Government

Hollywood and Netflix Report Top Piracy Threats To US Government (torrentfreak.com)

An anonymous reader quotes a report from TorrentFreak: The Motion Picture Association (MPA) has sent its latest overview of notorious piracy markets to the US Government. The Hollywood group, which also represents Netflix, lists a broad variety of online piracy threats. Aside from traditional pirate sites, it also includes domain registries, hosting providers, advertisers, and apps. [...] The MPA report typically provides a detailed overview of the piracy landscape. This year, the USTR further asked rightsholders to explain how piracy impacts US workers. According to the movie industry group, the effect is significant. "In 2020, there were an estimated 137.2 billion visits to film and TV piracy sites globally, which cost the U.S. economy at least $29.2 billion in lost revenue each year. Specifically, piracy has been estimated to reduce employment in our industry between 230,000 and 560,000 jobs," MPA writes, citing external research. The MPA notes that piracy is a global problem that requires cooperation from the broader Internet ecosystem. Services that see themselves as neutral intermediaries, operating parts of the core Internet infrastructure, should take responsibility. "All stakeholders in the internet ecosystem -- including hosting providers, DNS providers, cloud services, advertising networks, payment processors, social networks, and search engines -- should actively seek to reduce support for notoriously infringing sites," MPA writes.

The industry group views Cloudflare as part of this group and mentions the US company by name in its submission. "Cloudflare's customers include some of the most notorious, longstanding pirate websites in the world, including the massively popular streaming site cuevana3.me and The Pirate Bay," MPA notes, adding that repeated notices of infringement elicited no action on Cloudflare's part. The notorious markets list is limited to non-US operations, so Cloudflare itself isn't one of the MPA's targets. Various other Internet services are, including several third-party intermediaries. The MPA's list of notorious markets calls out domain name registries, including the Russian .RU registry, and the companies that maintain the records for the .CH, .CC, .IO, .ME and .TO domain names. These continue to keep pirate sites on board, despite numerous complaints. The same is true for the payment provider VoguePay, which is reportedly quite popular among IPTV services. In addition, advertisers such as 1XBET and Propeller Ads are called out as well. The latter company rebutted MPA's accusations last year but that didn't prevent it from being highlighted again.

Hosting companies are also cited as intermediaries that could and should do more. Instead, some find themselves appealing to pirate services with products such as "bulletproof" hosting. Squitter.eu and Amaratu are two such examples, the MPA reports. In addition to third-party intermediaries, there is also a category of services that caters to pirates directly. These "piracy as a service" (PaaS) companies offer tools that allow people to start a pirate site with minimal effort. "PaaS encompasses a suite of often off-the-shelf services that make it easy for would-be pirates without any technical knowledge to create, operate, and monetize a fully functioning pirate operation," MPA writes. [...] Actual pirate sites themselves are also mentioned, including the usual suspects The Pirate Bay, RARBG and YTS. In addition to torrent sites, the MPA also lists direct download hubs, streaming portals and linking sites, including Uptobox.com, Fmovies.to and Egy.best. Various dedicated piracy apps get a mention as well, and the MPA further includes a long list of unauthorized IPTV services. The anti-piracy group says that it has identified more than a thousand pirate IPTV platforms, so the list provided to the USTR is certainly not exhaustive. In fact, the MPA says that all companies, sites, and services are part of a broader piracy problem. Those flagged in the MPA's report are just examples of some of the worst offenders, nothing more.
A list of all sites and services that are highlighted and categorized in MPA's notorious markets submission (PDF) can be found in the article.

Privacy

Toyota Discloses Data Leak After Access Key Exposed On GitHub (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: Toyota Motor Corporation is warning that customers' personal information may have been exposed after an access key was publicly available on GitHub for almost five years. Toyota T-Connect is the automaker's official connectivity app that allows owners of Toyota cars to link their smartphone with the vehicle's infotainment system for phone calls, music, navigation, notifications integration, driving data, engine status, fuel consumption, and more. Toyota discovered recently that a portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers. This made it possible for an unauthorized third party to access the details of 296,019 customers between December 2017 and September 15, 2022, when access to the GitHub repository was restricted.

On September 17, 2022, the database's keys were changed, purging all potential access from unauthorized third parties. The announcement explains that customer names, credit card data, and phone numbers have not been compromised as they weren't stored in the exposed database. Toyota blamed a development subcontractor for the error but recognized its responsibility for the mishandling of customer data and apologized for any inconvenience caused. The Japanese automaker concludes that while there are no signs of data misappropriation, it cannot rule out the possibility of someone having accessed and stolen the data. For this reason, all users of T-Connect who registered between July 2017 and September 2022 are advised to be vigilant against phishing scams and avoid opening email attachments from unknown senders claiming to be from Toyota.

Privacy

Subjecting Workers To Webcam Monitoring Violates Privacy, Dutch Court Rules (theverge.com) 47

A Florida-headquartered company has been ordered to pay about $73,000 in compensation and other fees after firing a Netherlands-based remote worker who refused to keep their webcam on all day, NL Times reports. The Verge: The company, Chetu, said the unnamed employee was required to attend a virtual classroom with their webcam turned on for the entire day and their screen remotely monitored. But when the employee refused, saying that leaving their webcam on for "9 hours a day" made them feel uncomfortable and was an invasion of their privacy, the company dismissed them, citing "refusal to work" and "insubordination."
Government

Protestors Hack Iran's State-Run TV (bbc.com) 53

"Iran's state-run broadcaster was apparently hacked on air Saturday," reports the BBC, "with a news bulletin interrupted by a protest against the country's leader."

While such incidents are "historically rare," the BBC adds that this one follows "widespread open dissent." It comes after at least three people were shot dead when protesters clashed with security forces in new unrest over the death of Mahsa Amini. Ms Amini was detained in Tehran by morality police for allegedly not covering her hair properly. The 22-year-old Iranian Kurd died in custody on 16 September, three days after her arrest. Her death has sparked an unprecedented wave of protest across the country.

Saturday's TV news bulletin at 21:00 (17:30 GMT) was interrupted with images which included Iran's supreme leader with a target on his head, photos of Ms Amini and three other women killed in recent protests. One of the captions read "join us and rise up", whilst another said "our youths' blood is dripping off your paws".

The interruption lasted only a few seconds before being cut off.

Thanks to Nodsnarb and ttyler (long-time Slashdot reader #20,687) for sharing the story.
Power

FBI Warns About Counterfeit Batteries (zdnet.com) 63

"Scammers are leveraging the vulnerabilities in the global supply chain, as well as the public's continuing need for new batteries, to sell a wide variety of counterfeits or unauthorized replicas online," warns America's FBI.

"Do not fall victim to online fraudsters or unauthorized dealers or manufacturers." Counterfeit batteries do not go through the same standardized testing as original equipment manufacturer batteries and can adversely impact the safety and health of the consumer....

Avoid aftermarket batteries when possible because they may be dangerous.... Consumers should avoid all third-party purchases of batteries, as they can appear to be legitimate OEM batteries but are likely counterfeit.... [B]atteries sold at deep discounts or at significantly lower-than-average prices are likely counterfeit.

The FBI warns you should always avoid batteries that:
  • are not properly packaged;
  • have misprinted or misspelled labels;
  • have labels that peel off; or
  • do not have official manufacturer batch numbers.

"The FBI's warning is not specific to laptops or smartphones," notes ZDNet, "which makes sense given that batteries are now found in everything from cars, scooters, e-bikes, e-cigarettes and trains to drones and more."

Thanks to Slashdot reader joshuark for sharing the story.


Government

'How California's Bullet Train Went Off the Rails' (nytimes.com) 289

In 2008 California's voters approved the first bonds for a $33 billion San Francisco-to-Los Angeles bullet train.

14 years later, the New York Times is now calling the project "a case study in how ambitious public works projects can become perilously encumbered by political compromise, unrealistic cost estimates, flawed engineering and a determination to persist on projects that have become... too big to fail...." Political compromises, the records show, produced difficult and costly routes through the state's farm belt. They routed the train across a geologically complex mountain pass in the Bay Area. And they dictated that construction would begin in the center of the state, in the agricultural heartland, not at either of the urban ends where tens of millions of potential riders live. The pros and cons of these routing choices have been debated for years. Only now, though, is it becoming apparent how costly the political choices have been. Collectively, they turned a project that might have been built more quickly and cheaply into a behemoth so expensive that, without a major new source of funding, there is little chance it can ever reach its original goal of connecting California's two biggest metropolitan areas in two hours and 40 minutes....

Fourteen years later, construction is now underway on part of a 171-mile "starter" line connecting a few cities in the middle of California, which has been promised for 2030. But few expect it to make that goal. Meanwhile, costs have continued to escalate. When the California High-Speed Rail Authority issued its new 2022 draft business plan in February, it estimated an ultimate cost as high as $105 billion. Less than three months later, the "final plan" raised the estimate to $113 billion. The rail authority said it has accelerated the pace of construction on the starter system, but at the current spending rate of $1.8 million a day, according to projections widely used by engineers and project managers, the train could not be completed in this century....

As of now, there is no identified source of funding for the $100 billion it will take to extend the rail project from the Central Valley to its original goals, Los Angeles and San Francisco, in part because lawmakers, no longer convinced of the bullet train's viability, have pushed to divert additional funding to regional rail projects....

The Times's review, though, revealed that political deals created serious obstacles in the project from the beginning. Speaking candidly on the subject for the first time, some of the high-speed rail authority's past leaders say the project may never work.

Security

Pro-Russian 'Hacktivists' Temporarily Disrupted Some US State Government Web Sites (cnn.com) 20

"Russian-speaking hackers on Wednesday claimed responsibility for knocking offline state government websites in Colorado, Kentucky and Mississippi, among other states," reports CNN, calling it "the latest example of apparent politically motivated hacking following Russia's invasion of Ukraine.... The websites in Colorado, Kentucky and Mississippi were sporadically available Wednesday morning and afternoon as administrators appeared to try to bring them online." The Kentucky Board of Elections' website, which posts information on how to register to vote, was also temporarily offline on Wednesday, but it was not immediately clear what caused that outage. The board of elections' website is also managed by the Kentucky government, though the hackers did not specifically list the board as a target.... Websites like that of the Kentucky Board of Elections are not directly involved in the casting or counting of votes, but they can provide useful information for voters....

The hacking group claiming responsibility for Wednesday's website outage is known as Killnet and stepped up their activity after Russia's February invasion of Ukraine to target organizations in NATO countries. They are a loose band of so-called "hacktivists" — politically motivated hackers who support the Kremlin but whose ties to that government are unknown. The group also claimed responsibility for briefly downing a US Congress website in July, and for cyberattacks on organizations in Lithuania after the Baltic country blocked the shipment of some goods to the Russian enclave of Kaliningrad in June....

Officials at the FBI and CISA reiterated this week that any efforts by hackers to breach election infrastructure are "unlikely to result in largescale disruptions or prevent voting."

Government Technology supplies some context: Amsterdam-based threat intelligence technology and services provider EclecticIQ's Threat Research team said in a blog post that Killnet appears to only have the capacity to launch DDoS attacks with short-term impact, and falls short of dealing lasting damage to victims' network infrastructure. "Analysts believe that Killnet supporters are novice users with zero or limited experience with DDoS attacks, based on an analysis of Telegram messaging data and open-source reporting," EclecticIQ wrote.
CNN described Killnet's typical attacks as "crude hacks that temporarily knock websites offline but don't do further damage to infrastructure.

"Killnet thrives off of public attention and bravado, and cybersecurity experts have to strike a balance between being mindful of Killnet's online antics and not hyping a low-level threat."
Medicine

Ransomware Attack Delays Patient Care at Several Hospitals Across the US (nbcnews.com) 30

"One of the largest hospital chains in the U.S. was hit with a suspected ransomware cyberattack this week," reports NBC News, "leading to delayed surgeries, hold ups in patient care and rescheduled doctor appointments across the country." CommonSpirit Health, ranked as the fourth-largest health system in the country by Becker's Hospital Review, said Tuesday that it had experienced "an IT security issue" that forced it to take certain systems offline. While CommonSpirit declined to share specifics, a person familiar with its remediation efforts confirmed to NBC News that it had sustained a ransomware attack.

CommonSpirit, which has more than 140 hospitals in the U.S., also declined to share information on how many of its facilities were experiencing delays. Multiple hospitals, however, including CHI Memorial Hospital in Tennessee, some St. Luke's hospitals in Texas, and Virginia Mason Franciscan Health in Seattle all have announced they were affected.

One Texas woman, who spoke to NBC News on the condition of anonymity to protect her family's medical privacy, said that she and her husband had arrived at a CommonSpirit-affiliated hospital on Wednesday for long-scheduled major surgery, only for his doctor to recommend delaying it until the hospital's technical issues were resolved.

The surgeon "told me it could potentially delay post-op care, and he didn't want to risk it," she said.

Wednesday the company confirmed that "We have taken certain systems offline."
