Privacy

Telegram Has a Serious Doxxing Problem (wired.com) 64

An anonymous reader shares a report: Telegram's doxxing problem goes far beyond Myanmar. WIRED spoke to activists and experts in the Middle East, Southeast Asia, and Eastern Europe who said that the platform has ignored their warnings about an epidemic of politically motivated doxxing, allowing dangerous content to proliferate, leading to intimidation, violence, and deaths. Telegram, which now claims more than 700 million active users worldwide, has a publicly stated philosophy that private communications should be beyond the reach of governments. That has made it popular among people living under authoritarian regimes all over the world (and among conspiracy theorists, anti-vaxxers, and "sovereign citizens" in democratic countries). But the service's structure -- part encrypted messaging app, part social media platform -- and its almost complete lack of active moderation has made it "the perfect tool" for the kind of doxxing campaigns occurring in Myanmar, according to digital rights activist Victoire Rio. This structure makes it easy for users to crowdsource attacks, posting a target for doxxing and encouraging their followers to dig up or share private information, which they can then broadcast more widely. Misinformation or doxxing content can move seamlessly from anonymous individual accounts to channels with thousands of users. Cross-posting is straightforward, so that channels can feed off one another, creating a kind of virality without algorithms that actively promote harmful content. "Structurally, it's suited to this use case," Rio says.

The first mass use of this tactic occurred during Hong Kong's massive 2019 democracy protests, when pro-Beijing Telegram channels identified demonstrators and sent their information to the authorities. Hundreds of protesters were sentenced to custodial sentences for their role in the demonstrations. But with the city split along "yellow" (pro-protests) and "blue" (pro-police) lines, channels were also set up to dox police officers and their families. In November 2020, a telecom company employee was jailed for two years after doxing police and government employees over Telegram. Since then, Telegram doxing appears to be spreading to new countries. In Iraq, militia groups and their supporters have become adept at using Telegram to source information about opponents, such as leaders of civil society groups, which they then broadcast on channels with tens of thousands of followers. Sometimes, bounties are offered for information, according to Hayder Hamzoz, founder of the Iraqi Network for Social Media, an organization that tracks social media use in the country. Often, these come with direct or implicit threats of violence. Targets have faced harassment and violence, and some have had to flee their homes, Hamzoz says.

Crime

Charter Must Pay $1.1 Billion After Cable Technician Murdered Customer (arstechnica.com) 121

Charter Communications must pay over $1.1 billion to the estate and family of an 83-year-old woman murdered in her home by a Spectrum cable technician, a Dallas County Court judge ruled yesterday. Ars Technica reports: A jury in the same court previously ordered Charter to pay $7 billion in punitive damages and $337.5 million in compensatory damages. Judge Juan Renteria lowered the award in a ruling issued yesterday. The damages are split among the estate and four adult children of murder victim Betty Thomas. Renteria did not change the compensatory damages but lowered the punitive damages awarded to the family to $750 million. Pre-judgment interest on the damages pushes Charter's total liability to over $1.1 billion.

It isn't surprising that the judge lowered the payout, in which the jury decided punitive damages should be over 20 times higher than what Charter is liable for in compensatory damages. A nine-to-one ratio is often used as a maximum because of a 2003 US Supreme Court ruling that said: "In practice, few awards exceeding a single-digit ratio between punitive and compensatory damages, to a significant degree, will satisfy due process." Former Spectrum technician Roy Holden pleaded guilty to the 2019 murder of customer Betty Thomas and was sentenced to life in prison in April 2021. Charter was accused of hiring Holden without verifying his employment history and ignoring a series of red flags about his behavior, which included stealing credit cards and checks from elderly female customers.

EU

Germany's Blanket Data Retention Law Is Illegal, EU Top Court Says (reuters.com) 20

An anonymous reader quotes a report from Reuters: Germany's general data retention law violates EU law, Europe's top court ruled on Tuesday, dealing a blow to member states banking on blanket data collection to fight crime and safeguard national security. The law may only be applied in circumstances where there is a serious threat to national security defined under very strict terms, the Court of Justice of the European Union (CJEU) said. The ruling comes after major attacks by Islamist militants in France, Belgium and Britain in recent years. Governments argue that access to data, especially that collected by telecoms operators, can help prevent such incidents, while operators and civil rights activists oppose such access.

The latest case was triggered after Deutsche Telekom unit Telekom Deutschland and internet service provider SpaceNet AG challenged Germany's data retention law arguing it breached EU rules. The German court subsequently sought the advice of the CJEU which said such data retention can only be allowed under very strict conditions. "The Court of Justice confirms that EU law precludes the general and indiscriminate retention of traffic and location data, except in the case of a serious threat to national security," the judges said. "However, in order to combat serious crime, the member states may, in strict compliance with the principle of proportionality, provide for, inter alia, the targeted or expedited retention of such data and the general and indiscriminate retention of IP addresses," they said.

Facebook

46 States Ask Appeals Court To Reinstate Facebook Lawsuit (reuters.com) 13

A big group of U.S. states, led by New York, has argued to an appeals court that it should reinstate an antitrust lawsuit against Meta's Facebook because of ongoing harm from the company's actions and because the states had not waited too long to file their complaint. From a report: Barbara Underwood, solicitor general of New York which led the group that consists of 46 states, Guam and District of Columbia, said that it was wrong to treat states like a class action and put a limit on when they can sue. States not involved are Alabama, Georgia, South Carolina and South Dakota. She said the states' action was more akin to law enforcement so "laches," which forbids an unreasonable delay in filing, would not apply. She said that Facebook's actions harmed the economy and the marketplace. The states are asking the three-judge panel on U.S. Court of Appeals for the District of Columbia to reinstate a lawsuit filed in 2020, the same time that the U.S. Federal Trade Commission sued the company. Both the FTC and the states had asked the court to order Facebook to sell Instagram, which it bought for $1 billion in 2012, and WhatsApp, which it bought for $19 billion in 2014. The FTC fight with Facebook is going forward.

Privacy

Indonesia Parliament Passes Long-Awaited Data Protection Bill (reuters.com) 4

Indonesia's parliament passed into law on Tuesday a personal data protection bill that includes corporate fines and up to six years imprisonment for those found to have mishandled data in the world's fourth most populous country. From a report: The bill's passage comes after a series of data leaks and probes into alleged breaches at government firms and institutions in Indonesia, from a state insurer, telecoms company and public utility to a contact-tracing COVID-19 app that revealed President Joko Widodo's vaccine records. Lawmakers overwhelmingly approved the bill, which authorises the president to form an oversight body to fine data handlers for breaching rules on distributing or gathering personal data. The biggest fine is 2% of a corporation's annual revenue and could see their assets confiscated or auctioned off. The law includes a two-year "adjustment" period, but does not specify how violations would be addressed during that phase. The legislation stipulates individuals can be jailed for up to six years for falsifying personal data for personal gain or up to five years for gathering personal data illegally.

Security

Microsoft Edge, Google Chrome Enhanced Spellcheck Feature Exposes Passwords (neowin.net) 28

Recent research from the otto-js Research Team has uncovered that data that is being checked by both Microsoft Editor and the enhanced spellcheck setting within Google Chrome is being sent to Microsoft and Google respectively. This data can include usernames, emails, DOB, SSN, and basically anything that is typed into a text box that is checked by these features. Neowin reports: As an additional note, even passwords can be sent by these features, but only when a 'Show Password' button is pressed, which converts the password into visible text, which is then checked. The key issue revolves around sensitive user personally identifiable information (PII), and this is a key concern for enterprise credentials when accessing internal databases and cloud infrastructure.

Some companies are already taking action to prevent this, with both AWS and LastPass security teams confirming that they have mitigated this with an update. The issue has already been dubbed 'spell-jacking'. What's most concerning is that these settings are so easy to enable by users, and could result in data exposure without anyone ever realising it. The team at otto-js ran a test of 30 websites, across a range of sectors, and found that 96.7% of them sent data with PII back to Google and Microsoft. At present, the otto-js Research Team recommends that these extensions and settings are not used until this issue is resolved.

Businesses

Adobe-Figma Deal Likely To Attract Antitrust Scrutiny (axios.com) 20

An anonymous reader quotes a report from Axios: Some users of Figma's design software reacted with dismay on Thursday when they found out the company was going to be acquired by Adobe, the unloved giant in the space. Other observers immediately concluded that the acquisition looks downright illegal under antitrust laws.

Why it matters: The Biden administration is on the record as wanting to beef up antitrust enforcement. The Figma deal, at $20 billion, is certainly large enough to grab the attention of regulators. The big question is whether they'll conclude that suing to block it is a case they can win. Either the Department of Justice or the Federal Trade Commission could review the merger; both have taken a renewed interest in software and digital mergers.

Between the lines: The Clayton Antitrust Act says any acquisition that would reduce competition in an industry is illegal. Figma was founded as an Adobe competitor and has grown impressively by doing exactly that -- implying there's a case to be made that this acquisition is anti-competitive. Insofar as Adobe is already the dominant player in the space, any acquisition, let alone a $20 billion one, will be looked at carefully.
"The fact that Adobe is not typically identified as a Big Tech platform should provide [Adobe and Figma] with little if any comfort," Charles Rule, a partner at the Rule Garza Howley law firm and former DOJ antitrust official, tells Axios. "This deal appears to raise straightforward, traditional antitrust issues," he says.

"There's enough here to get a close look, and maybe a complaint," adds a former FTC antitrust official. Another former FTC attorney tells Axios to expect a thorough initial investigation into possible overlaps.

Crime

Judge Overturns Murder Conviction of Adnan Syed of 'Serial' Podcast (independent.co.uk) 16

A Maryland judge has overturned the murder conviction of Adnan Syed, in the latest twist to the case at the center of the hit podcast series Serial. From a report: Baltimore City Circuit Judge Melissa Phinn vacated the 41-year-old's conviction and granted him a new trial on Monday, ordering his release after more than 23 years behind bars. The move came after prosecutors made a request for his release on Wednesday saying that "the state no longer has confidence in the integrity of the conviction." Prosecutors said that an almost year-long investigation had cast doubts about the validity of cellphone tower data and uncovered new information about the possible involvement of two alternate unnamed suspects.

Syed was convicted in 2000 of first-degree murder, robbery, kidnapping and imprisonment of his ex-girlfriend Hae Min Lee. Lee, 18, vanished after leaving her high school on 13 January 1999. Her strangled body was found in a shallow grave in a Baltimore park around a month later. Syed has always maintained his innocence.
In a tweet shortly after the ruling was made, Serial tweeted: "Sarah was at the courthouse when Adnan was released, a new episode is coming tomorrow morning."

Privacy

Kiwi Farms Breached; Assume Passwords, Emails, IP Addresses Have Leaked (arstechnica.com) 76

ArsTechnica reports: The head of Kiwi Farms said the site experienced a breach that allowed hackers to access his administrator account and possibly the accounts of all other users. On the site, creator Joshua Moon wrote: "The forum was hacked. You should assume the following. Assume your password for the Kiwi Farms has been stolen. Assume your email has been leaked. Assume any IP you've used on your Kiwi Farms account in the last month has been leaked."

Moon said that the unknown individual or individuals behind the hack gained access to his admin account by using a technique known as session hijacking, in which an attacker obtains the authentication cookies a site sets after an account holder enters valid credentials and successfully completes any two-factor authentication requirements. The session hijacking was made possible after uploading malicious content to XenForo, a site Kiwi Farms uses to power its user forums.

Privacy

Clearview AI, Used by Police To Find Criminals, Now in Public Defenders' Hands (nytimes.com) 61

After a Florida man was accused of vehicular homicide, his lawyer used Clearview AI's facial recognition software to prove his innocence. But other defense lawyers say Clearview's offer rings hollow. From a report: It was the scariest night of Andrew Grantt Conlyn's life. He sat in the passenger seat of a two-door 1997 Ford Mustang, clutching his seatbelt, as his friend drove approximately 100 miles per hour down a palm tree-lined avenue in Fort Myers, Fla. His friend, inebriated and distraught, occasionally swerved onto the wrong side of the road to pass cars that were complying with the 35 mile-an-hour speed limit. "Someone is going to die tonight," Mr. Conlyn thought. And then his friend hit a curb and lost control of the car. The Mustang began spinning wildly, hitting a light pole and three palm trees before coming to a stop, the passenger's side against a tree. At some point, Mr. Conlyn blacked out. When he came to, his friend was gone, the car was on fire and his seatbelt buckle was jammed. Luckily, a good Samaritan intervened, prying open the driver's side door and pulling Mr. Conlyn out of the burning vehicle.

Mr. Conlyn didn't learn his savior's name that Wednesday night in March 2017, nor did the police, who came to the scene and found the body of his friend, Colton Hassut, in the bushes near the crash; he'd been ejected from the car and had died. In the years that followed, the inability to track down that good Samaritan derailed Mr. Conlyn's life. If Clearview AI, which is based in New York, hadn't granted his lawyer special access to a facial recognition database of 20 billion faces, Mr. Conlyn might have spent up to 15 years in prison because the police believed he had been the one driving the car. For the last few years, Clearview AI's tool has been largely restricted to law enforcement, but the company now plans to offer access to public defenders. Hoan Ton-That, the chief executive, said this would help "balance the scales of justice," but critics of the company are skeptical given the legal and ethical concerns that swirl around Clearview AI's groundbreaking technology. The company scraped billions of faces from social media sites, such as Facebook, LinkedIn and Instagram, and other parts of the web in order to build an app that seeks to unearth every public photo of a person that exists online.

Crime

South Korean Prosecutors Say Do Kwon 'Obviously on the Run', Ask Interpol To Issue Red Notice (techcrunch.com) 10

South Korean prosecutors have refuted Do Kwon's claim from over the weekend that he is not on the run and asked Interpol to issue a red notice against the Terraform Labs' co-founder, escalating the publicly playing out drama following the $40 billion wipeout on his cryptocurrency startup in May this year. From a report: The Seoul Southern District Prosecutor's Office said that Kwon was not cooperating with the investigation and had told them (through his lawyer last month) that he had no intention to appear for questioning, according to official statements cited by local media Yonhap. The prosecutors have asked Seoul's foreign ministry to revoke Kwon's passport and said they have "circumstantial evidence" that Kwon is attempting to escape. An Interpol red notice, which is a call to law enforcement worldwide, can prevent individuals from being issued visas, restrict their cross border travels, and "provisionally arrest a person pending extradition, surrender or similar legal action." Over the weekend, Kwon claimed he was not on the run from any government agency that had "shown interest to communication." He added in a tweet: "We are in full cooperation and we don't have anything to hide."

Government

The US Treasury Recommends Exploring Creation of a 'Digital Dollar' (usnews.com) 168

Some news Friday from the Associated Press. "The Biden administration is moving one step closer to developing a central bank digital currency, known as the digital dollar, saying it would help reinforce the U.S. role as a leader in the world financial system." The White House said on Friday that after President Joe Biden issued an executive order in March calling on a variety of agencies to look at ways to regulate digital assets, the agencies came up with nine reports, covering cryptocurrency impacts on financial markets, the environment, innovation and other elements of the economic system.

Treasury Secretary Janet Yellen said one Treasury recommendation is that the U.S. "advance policy and technical work on a potential central bank digital currency, or CBDC, so that the United States is prepared if CBDC is determined to be in the national interest.... Right now, some aspects of our current payment system are too slow or too expensive," Yellen said on a Thursday call with reporters laying out some of the findings of the reports....

According to the Atlantic Council nonpartisan think tank, 105 countries representing more than 95% of global gross domestic product already are exploring or have created a central bank digital currency. The council found that the U.S. and the U.K. are far behind in creating a digital dollar or its equivalent.... Several [U.S. agency] reports will come out in the next weeks and months.

Eswar Prasad, a trade professor at Cornell who studies the digitization of currencies, said Treasury's report "takes a positive view about how a digital dollar might play a useful role in increasing payment options for individuals and businesses" while acknowledging the risks of its development. He said the report sets the stage for the creation of agency regulations and legislation "that can improve the benefit-risk tradeoff associated with cryptocurrencies and related technologies."

A statement from the U.S. White House cautions that the report does not make any decisions "regarding particular design choices for a potential U.S. CBDC system." Instead, the 58-page document analyzes 18 different choices for technical designs, and according to its introductory paragraph, "makes recommendations on how to prepare the U.S. Government for a U.S. CBDC system."

But "it does not make an assessment or recommendation about whether a U.S. CBDC system should be pursued."

Transportation

GPS Jammers Are Being Used to Hijack Trucks and Down Drones (zdnet.com) 83

The world's freight-carrying trucks and ships use GPS-based satellite tracking and navigation systems, reports ZDNet. But "Criminals are turning to cheap GPS jamming devices to ransack the cargo on roads and at sea, a problem that's getting worse...." Jammers work by overpowering GPS signals by emitting a signal at the same frequency, just a bit more powerful than the original. The typical jammers used for cargo hijackings are able to jam frequencies from up to 5 miles away rendering GPS tracking and security apparatuses, such as those used by trucking syndicates, totally useless. In Mexico, jammers are used in some 85% of cargo truck thefts. Statistics are harder to come by in the United States, but there can be little doubt the devices are prevalent and widely used. Russia is currently availing itself of the technology to jam commercial planes in Ukraine.

As we've covered, the proliferating commercial drone sector is also prey to attack.... During a light show in Hong Kong in 2018, a jamming device caused 46 drones to fall out of the sky, raising public awareness of the issue.

While the problem is getting worse, the article also notes that companies are developing anti-jamming solutions for drone receivers, "providing protection and increasing the resiliency of GPS devices against jamming attacks.

"By identifying and preventing instances of jamming, fleet operators are able to prevent cargo theft."

Censorship

Do America's Free-Speech Protections Protect Code - and Prevent Cryptocurrency Regulation? (marketplace.org) 65

The short answers are "yes" and "no." America's Constitution prohibits government intervention into public expression, reports the business-news radio show Marketplace, protecting free speech and expression "through, for example.... writing, protesting and coding languages like JavaScript, HTML, Python and Perl."

Specifically protecting code started with the 1995 case of cryptographer Daniel Bernstein, who challenged America's "export controls" on encryption (which regulated it like a weapon). But they also spoke to technology lawyer Kendra Albert, a clinical instructor at Harvard Law School's Cyberlaw Clinic, about the specific parameters of how America protects code as a form of expression:

Albert: I think that the reality was that the position that code was a form of expression is in fact supported by a long history of First Amendment law. And that it, you know, is very consistent with how we see the First Amendment interpreted across a variety of contexts.... [O]ne of the questions courts ask is whether a regulation or legislation or a government action is specifically targeting speech, or whether the restrictions on speech are incidental, but not the overall intention. And that's actually one of the places you see kind of a lot of these difficulties around code as speech. The nature of many kinds of regulation may mean that they restrict code because of the things that particular forms of software code do in the world. But they weren't specifically meant to restrict the expressive conduct. And courts end up then having to sort of go through a test that was originally developed in the context of someone burning a draft card to figure out — OK, is this regulation, is the burden that it has on this form of expressive speech so significant that we can't regulate in this way? Or is this just not the focus, and the fact that there are some restrictions on speech as a result of the government attempting to regulate something else should not be the focus of the analysis?

Q: Congress and federal agencies as well as some states are looking to tighten regulations around cryptocurrencies and blockchain technology. What role do you think the idea of code as speech will play in this environment moving forward?

Albert: The reality is that the First Amendment is not a total bar to regulation of speech. It requires the government meet a higher standard for regulating certain kinds of speech. That runs, to some extent, in conflict with how people imagine what "code is speech" does as sort of a total restriction on the regulation of software, of code, because it has expressive content. It just means that we treat code similarly to how we treat other forms of expression, and that the government can regulate them under certain circumstances.

United Kingdom

Serial Thief Steals Thousands Using Cellphones (and Credit Cards) from Gym Locker Rooms (bbc.com) 71

Long-time Slashdot reader n3hat writes: The BBC reports that a thief has been emptying gym patrons' accounts by stealing their bank card and mobile phone, registering the account to the thief's own mobile, and emptying the victims' bank accounts. The thief works around 2-factor authentication by taking advantage of the victim's phone having been configured to show notifications on the lock screen, so the thief can view the 2FA credential even though they don't have the unlock code.

The article gives instructions on how to disable notifications on the lock screen, for both iPhone and Android.

Twitter

Elon Musk Amends Twitter Suit to Claim Fraud After Whistleblower's Allegations (nbcnews.com) 145

Reuters reports: Billionaire Elon Musk accused Twitter of fraud by concealing serious flaws in the social media company's data security, which the entrepreneur said should allow him to end his $44 billion deal for the company, according to a Thursday court filing. Musk, the world's richest person, amended his previously filed lawsuit by adopting allegations by a Twitter whistleblower, who told Congress on Tuesday of meddling on the influential social media platform by foreign agents.

The chief executive of electric vehicle maker Tesla also alleged that Twitter hid from him that it was not complying with a 2011 agreement with the Federal Trade Commission regarding user data.

"Needless to say, the newest revelations make undeniably clear that the Musk Parties have the full right to walk away from the Merger Agreement — for numerous independently sufficient reasons," said the amended countersuit.

Twitter's lawyers countered that the whistleblower claims weren't sufficient grounds for terminating the deal, according to the article. And they added that the whistleblower was in fact fired for poor performance, and that while they've investigated the whistleblower's allegations internally they were found to have no merit.

They also disagree with Musk's characterization of the allegations as proving "fraud" and "breach of contract."

Security

LastPass Says Hackers Had Internal Access For Four Days (bleepingcomputer.com) 27

LastPass says the attacker behind the August security breach had internal access to the company's systems for four days until they were detected and evicted. BleepingComputer reports: In an update to the security incident notification published last month, Lastpass' CEO Karim Toubba also said that the company's investigation (carried out in partnership with cybersecurity firm Mandiant) found no evidence the threat actor accessed customer data or encrypted password vaults. "Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults," Toubba said.

While the method through which the attacker was able to compromise a Lastpass developer's endpoint to access the Development environment, the investigation found that the threat actor was able to impersonate the developer after he "had successfully authenticated using multi-factor authentication." After analyzing source code and production builds, the company has also not found evidence that the attacker tried to inject malicious code. This is likely because only the Build Release team can push code from Development into Production, and even then, Toubba said the process involves code review, testing, and validation stages. Additionally, he added that the LastPass Development environment is "physically separated from, and has no direct connectivity to" Lastpass' Production environment.

The company says it has since "deployed enhanced security controls including additional endpoint security controls and monitoring," as well as additional threat intelligence capabilities and enhanced detection and prevention technologies in both Development and Production environments.

Piracy

Telecom Giants Sued for Failing To Stop Movie Piracy (hollywoodreporter.com) 63

Verizon Wireless, AT&T and Comcast were hit with copyright lawsuits accusing them of turning a blind eye to customers who illegally distribute and download pirated films. The production companies seek to force the internet providers to implement policies that provide for the termination of accounts held by repeat offenders and to block certain piracy websites. Hollywood Reporter: The trio of complaints filed throughout September, with the most recent filed Tuesday in Pennsylvania federal court, come from Voltage Pictures, After Productions and Ammo Entertainment, among others. Two law firms, Dovel & Luner and Culpepper IP, are representing the production labels. The internet providers knowingly contributed to copyright infringement by their customers, the lawsuits claim. Plaintiffs say they sent Verizon, AT&T and Comcast hundreds of thousands of notices about specific instances of infringement. They claim, for example, to have sent over 100,000 notices to Comcast concerning the illegal downloading of I Feel Pretty using its services. The lawsuit seeks to hold the internet providers liable for failing to investigate.

"Comcast did not take meaningful action to prevent ongoing infringements by these Comcast users," states the complaint. "Comcast failed to terminate the accounts associated with these IP addresses or otherwise take any meaningful action in response to these Notices. Comcast often failed to even forward the Notices to its internet service customers or otherwise inform them about the Notice or its contents." The internet providers, therefore, vicariously infringed on plaintiffs' movies since they had the right to terminate the accounts of customers who violate copyright law, the suit alleges. The Digital Millennium Copyright Act, passed in 1988, criminalizes services intended to circumvent measures that control access to copyrighted works. It provides protection from liability for services providers. But the production companies argue the internet providers don't have safe harbor under the law since it only shields companies if they've adopted and implemented policies that provide for the termination of accounts held by repeat offenders.

Chrome

Chrome for Android Gets Fingerprint-Protected Incognito Tabs (arstechnica.com) 13

An anonymous reader shares a report: Here's a fun new feature for Chrome for Android: fingerprint-protected Incognito tabs. 9to5Google discovered the feature in the Chrome 105 stable channel, though you'll have to dig deep into the settings to enable it at the moment. If you want to add a little more protection to your private browsing sessions, type "chrome://flags/#incognito-reauthentication-for-android" into the address bar and hit enter. After enabling the flag and restarting Chrome, you should see an option to "Lock Incognito tabs when you leave Chrome." If you leave your Incognito session and come back, an "unlock Incognito" screen will appear instead of your tabs, and you'll be asked for a fingerprint scan.

Privacy

Record Chinese Cyber Breach Spurs Eruption in Data for Sale (bloomberg.com) 16

Since the data of roughly 1 billion Chinese citizens appeared for sale on a popular dark web forum in June, researchers have observed a surge in other kinds of personal records from China appearing on cybercriminal marketplaces. From a report: In the aftermath of that record leak, an estimated 290 million records about people in China surfaced on an underground bazaar known as Breach Forums in July, according to Group-IB, a cybersecurity firm based in Singapore. In August, one seller hawked personal information belonging to nearly 50 million users of Shanghai's mandatory health code system, used to enforce quarantine and testing orders. The alleged hoard included names, phone numbers, IDs and their Covid status -- for the price of $4,000.

"The forum has never seen such an influx of Chinese users and interest in Chinese data," said Feixiang He, a researcher at Group-IB. "The number of attacks on Chinese users may grow in the near future." Bloomberg was unable to confirm the authenticity of the datasets for sale on Breach Forums. The website, like other markets where illicit goods are sold, has been home to false advertisements meant to generate attention, as well as legitimate data apparently stolen in security incidents, including an instance where users marketed user information taken from Twitter.
