An anonymous reader quotes a report from Wired: If you want a job at McDonald's today, there's a good chance you'll have to talk to Olivia. Olivia is not, in fact, a human being, but instead an AI chatbot that screens applicants, asks for their contact information and resume, directs them to a personality test, and occasionally makes them "go insane" by repeatedly misunderstanding their most basic questions. Until last week, the platform that runs the Olivia chatbot, built by artificial intelligence software firm Paradox.ai, also suffered from absurdly basic security flaws. As a result, virtually any hacker could have accessed the records of every chat Olivia had ever had with McDonald's applicants -- including all the personal information they shared in those conversations -- with tricks as straightforward as guessing the username and password "123456."

On Wednesday, security researchers Ian Carroll and Sam Curryrevealedthat they found simple methods to hack into the backend of the AI chatbot platform on McHire.com, McDonald's website that many of its franchisees use to handle job applications. Carroll and Curry, hackers with along track record of independent security testing, discovered that simple web-based vulnerabilities -- including guessing one laughably weak password -- allowed them to access a Paradox.ai account and query the company's databases that held every McHire user's chats with Olivia. The data appears to include as many as 64 million records, including applicants' names, email addresses, and phone numbers.

Carroll says he only discovered that appalling lack of security around applicants' information because he was intrigued by McDonald's decision to subject potential new hires to an AI chatbot screener and personality test. "I just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that's what made me want to look into it more," says Carroll. "So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that's ever been made to McDonald's going back years." Paradox.ai confirmed the security findings, acknowledging that only a small portion of the accessed records contained personal data. The company stated that the weak-password account ("123456") was only accessed by the researchers and no one else. To prevent future issues, Paradox is launching a bug bounty program. "We do not take this matter lightly, even though it was resolved swiftly and effectively," Paradox.ai's chief legal officer, Stephanie King, told WIRED in an interview. "We own this."

In a statement to WIRED, McDonald's agreed that Paradox.ai was to blame. "We're disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us," the statement reads. "We take our commitment to cyber security seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection."

A federal appeals court struck down a "click-to-cancel" rule that would have required companies to make cancelling services as easy as signing up. The Federal Trade Commission rule was scheduled to take effect on July 14 but was vacated by the US Court of Appeals for the 8th Circuit. The three-judge panel ruled unanimously that the Biden-era FTC failed to follow the full rulemaking process required under US law.

The FTC is required to conduct a preliminary regulatory analysis when a rule has an estimated annual economic effect of $100 million or more. The FTC initially estimated the rule would not reach that threshold, but an administrative law judge later found compliance costs would exceed $100 million. Despite this finding, the FTC did not conduct the required preliminary analysis.

Senators Tim Sheehy and Elizabeth Warren have introduced the bipartisan "Warrior Right to Repair Act," which would guarantee the military's right to repair its own equipment. The bill builds on a previous Army directive and has broad public support, with nearly 75% of Americans in favor, according to a PIRG poll. Engadget reports: The Department of Defense has not been immune from restrictive practices set forth by manufacturers, and much like the average consumer, has been hamstrung in its ability to repair its own equipment by clauses in its purchase agreements. According to the Public Interest Research Group (PIRG), the current system leads to excessive repair and sustainment costs, and can even impede military readiness.

"When our neighbors, friends and family serve in our military, we expect them to get what they need to do their jobs as safely as possible," PIRG Federal Legislative Director Isaac Bowers wrote regarding the newly introduced bill. "Somehow, that hasn't included the materials and information they need to repair equipment they rely on. It's time we fixed that."

The Georgia Court of Appeals has overturned a trial court's order after finding it relied on court cases that do not exist, apparently generated by AI. The appellate court vacated the ruling in a divorce case involving Nimat Shahid's challenge to a divorce order granted to her husband Sufyan Esaam in July 2022.

"We are troubled by the citation of bogus cases in the trial court's order," the appeals court stated in its decision, which directs the lower court to revisit Shahid's petition. The court noted the errant citations appear to have been "drafted using generative AI" and were included in an order prepared by attorney Diana Lynch.

Lynch repeated the fabricated citations in her appeals briefs and expanded upon them after Shahid had challenged the fictitious cases. The appeals court found Lynch's briefs contained "11 bogus case citations out of 15 total, one of which was in support of a frivolous request for attorney fees." The court fined Lynch $2,500 for filing the frivolous motion.

X said Tuesday it is "deeply concerned about ongoing press censorship in India" after the Indian government ordered the platform to block 2,355 accounts on July 3, including two Reuters news agency handles. The social media company said the order came under India's Section 69A of the Information Technology Act, with non-compliance risking criminal liability.

The Indian Ministry of Electronics and Information Technology demanded immediate action within one hour without providing justification, X said. After public outcry, the government requested X to unblock the Reuters accounts.

Fubo has agreed to pay $3.4 million to settle a class-action lawsuit (PDF) accusing it of illegally sharing usersâ(TM) personally identifiable information and video viewing history with advertisers without consent, allegedly violating the Video Privacy Protection Act (VPPA). Ars Technica reports: As reported by Cord Cutters News this week, instead of going to trial, Fubo reached a settlement agreement [PDF] that allows people who used Fubo before May 29, which is when Fubo last updated its privacy policy, to receive part of a $3.4 million settlement. The settlement agreement received preliminary approval on May 29, and users recently started receiving notice of their potential entitlement to some of the settlement. They have until September 12 to submit claims. Fubo said in a statement: "We deny the allegations in the putative class lawsuit and specifically deny that we have engaged in any wrongdoing whatsoever. Fubo has nonetheless chosen to pursue a settlement for this matter in order to avoid the uncertainty and expense of litigation. We look forward to putting this matter behind us."

An anonymous reader quotes a report from Ars Technica: Epic Games, buoyed by the massive success of Fortnite, has spent the last few years throwing elbows in the mobile industry to get its app store on more phones. It scored an antitrust win against Google in late 2023, and the following year it went after Samsung for deploying "Auto Blocker" on its Android phones, which would make it harder for users to install the Epic Games Store. Now, the parties have settled the case just days before Samsung will unveil its latest phones.

The Epic Store drama began several years ago when the company defied Google and Apple rules about accepting outside payments in the mega-popular Fortnite. Both stores pulled the app, and Epic sued. Apple emerged victorious, with Fortnite only returning to the iPhone recently. Google, however, lost the case after Epic showed it worked behind the scenes to stymie the development of app stores like Epic's. Google is still working to avoid penalties in that long-running case, but Epic thought it smelled a conspiracy last year. It filed a similar lawsuit against Samsung, accusing it of implementing a feature to block third-party app stores. The issue comes down to the addition of a feature to Samsung phones called Auto Blocker, which is similar to Google's new Advanced Protection in Android 16. It protects against attacks over USB, disables link previews, and scans apps more often for malicious activity. Most importantly, it blocks app sideloading. Without sideloading, there's no way to install the Epic Games Store or any of the content inside it.

Auto Blocker is enabled by default on Samsung phones, but users can opt out during setup. Epic claimed in its suit that the sudden inclusion of this feature was a sign that Google was working with Samsung to stand in the way of alternative app stores again. Epic has apparently gotten what it wanted from Samsung -- CEO Tim Sweeney has announced that Epic is dropping the case in light of a new settlement. Sweeney said Samsung "will address Epic's concerns," without elaborating on the details. Samsung may stop making Auto Blocker the default or create a whitelist of apps, like the Epic Games Store, that can bypass Auto Blocker. Another possibility is that Epic and select third-party stores are granted special access while Auto Blocker remains on for others, balancing security and openness.

A "more interesting outcome," according to Ars, would be for Samsung to pre-install the Epic Games Store on its new phones.

"California residents who lit illegal fireworks over the July 4 holiday may be in for a nasty surprise in the mail thanks to covert fire department operations," reports SFGate.

"A number of California cities, including Sacramento, have begun using drones to locate people shooting off illegal fireworks." From Wednesday to Saturday night, the Sacramento Fire Department's special fireworks task force patrolled the streets with unmarked cars and drones, focusing on neighborhoods where they've had prior complaints. Task force officers and the drones took photos of the illegal activity, and within 30 days the property owner where the fireworks were used could receive a fine in the mail...

This year, Sacramento upped the fine to $1,000 for the first firework, $2,500 for the second and $5,000 per firework after that. If you lit a firework on city property, such as a park or a school, the fine goes up to $10,000 each. There's no limit to how many fines you can be issued... This year, a number of cities across the state announced they would be using drones to find scofflaws, among them Indio, Riverside, Hemet, Brea and towns in Tulare County...

Fox40 reported on Saturday that around 60 citations were being prepared in Sacramento, with more likely on the way as fire officials review surveillance footage.
Last year for illegal fireworks, one Sacramento-area resident received a $100,000 fine.

A Maine police department has now acknowledged "it inadvertently shared an AI-altered photo of drug evidence on social media," reports Boston.com: The image from the Westbrook Police Department showed a collection of drug paraphernalia purportedly seized during a recent drug bust on Brackett Street, including a scale and white powder in plastic bags. According to Westbrook police, an officer involved in the arrests snapped the evidence photo and used a photo editing app to insert the department's patch. "The patch was added, and the photograph with the patch was sent to one of our Facebook administrators, who posted it," the department explained in a post. "Unbeknownst to anyone, when the app added the patch, it altered the packaging and some of the other attributes on the photograph. None of us caught it or realized it."

It wasn't long before the edited image's gibberish text and hazy edges drew criticism from social media users. According to the Portland Press Herald, Westbrook police initially denied AI had been used to generate the photo before eventually confirming its use of the AI chatbot ChatGPT. The department issued a public apology Tuesday, sharing a side-by-side comparison of the original and edited images.

"It was never our intent to alter the image of the evidence," the department's post read. "We never realized that using a photoshop app to add our logo would alter a photograph so substantially."

Long-time Slashdot reader AmiMoJo shared this report from the Apple news blog 9to5Mac: iOS 26 is a packed update for iPhone users thanks to the new Liquid Glass design and major updates for Messages, Wallet, CarPlay, and more. But another new feature was just discovered in the iOS 26 beta: FaceTime will now freeze your call's video and audio if someone starts undressing.

When Apple unveiled iOS 26 last month, it mentioned a variety of new family tools... "Communication Safety expands to intervene when nudity is detected in FaceTime video calls, and to blur out nudity in Shared Albums in Photos." However, at least in the iOS 26 beta, it seems that a similar feature may be in place for all users — adults included.
That's the claim of an X.com user named iDeviceHelp, who says FaceTime in iOS 26 swaps in a warning message that says "Audio and video are paused because you may be showing something sensitive," giving users a choice of ending the call or resuming it.

9to5Mac says "It's unclear whether this is an intended behavior, or just a bug in the beta that's applying the feature to adults... [E]verything happens on-device so Apple has no idea about the contents of your call."

An anonymous reader quotes a report from the Associated Press: Websites that displayed legally mandated U.S. national climate assessments seem to have disappeared, making it harder for state and local governments and the public to learn what to expect in their backyards from a warming world. Scientists said the peer-reviewed authoritative reports save money and lives. Websites for the national assessments and the U.S. Global Change Research Program were down Monday and Tuesday with no links, notes or referrals elsewhere. The White House, which was responsible for the assessments, said the information will be housed within NASA to comply with the law, but gave no further details. Searches for the assessments on NASA websites did not turn them up.

"It's critical for decision makers across the country to know what the science in the National Climate Assessment is. That is the most reliable and well-reviewed source of information about climate that exists for the United States," said University of Arizona climate scientist Kathy Jacobs, who coordinated the 2014 version of the report. "It's a sad day for the United States if it is true that the National Climate Assessment is no longer available," Jacobs said. "This is evidence of serious tampering with the facts and with people's access to information, and it actually may increase the risk of people being harmed by climate-related impacts."

"This is a government resource paid for by the taxpayer to provide the information that really is the primary source of information for any city, state or federal agency who's trying to prepare for the impacts of a changing climate," said Texas Tech climate scientist Katharine Hayhoe, who has been a volunteer author for several editions of the report. Copies of past reports are still squirreled away in NOAA's library. NASA's open science data repository includes dead links to the assessment site. [...] Additionally, NOAA's main climate.gov website was recently forwarded to a different NOAA website. Social media and blogs at NOAA and NASA about climate impacts for the general public were cut or eliminated. "It's part of a horrifying big picture," [said Harvard climate scientist John Holdren, who was President Obama's science advisor and whose office directed the assessments]. "It's just an appalling whole demolition of science infrastructure." National climate assessments are more detailed and locally relevant than UN reports and undergo rigorous peer review and validation by scientific and federal institutions, Hayhoe and Jacobs said. Suppressing these reports would be censoring science, Jacobs said.

A year after Right to Repair laws took effect in California and Minnesota, many product manufacturers continue to obstruct consumer repairs, according to a new study from advocacy group US PIRG. The organization's "Leaders and Laggards II" report evaluated 25 products across five categories and found 40% received failing grades of D or F.

Apple delivered the study's biggest surprise, earning a B+ for its latest iPad and B for the M3 MacBook Pro after releasing repair manuals for the iPad in May. The Framework Laptop 13 and Valve's Steam Deck topped the rankings with A+ scores. Dishwashers from Beko, Bosch, Frigidaire, GE, and LG performed worst alongside gaming consoles from MSI, Atari, and Sony. Researchers could not access repair manuals for 48% of products and found no available spare parts for 44%.

An anonymous reader quotes a report from TechCrunch: A security vulnerability in a stealthy Android spyware operation called Catwatchful has exposed thousands of its customers, including its administrator. The bug, which was discovered by security researcher Eric Daigle, spilled the spyware app's full database of email addresses and plaintext passwords that Catwatchful customers use to access the data stolen from the phones of their victims. [...] According to a copy of the database from early June, which TechCrunch has seen, Catwatchful had email addresses and passwords on more than 62,000 customers and the phone data from 26,000 victims' devices.

Most of the compromised devices were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia (in order of the number of victims). Some of the records date back to 2018, the data shows. The Catwatchful database also revealed the identity of the spyware operation's administrator, Omar Soca Charcov, a developer based in Uruguay. Charcov opened our emails, but did not respond to our requests for comment sent in both English and Spanish. TechCrunch asked if he was aware of the Catwatchful data breach, and if he plans to disclose the incident to its customers. Without any clear indication that Charcov will disclose the incident, TechCrunch provided a copy of the Catwatchful database to data breach notification service Have I Been Pwned. The stalkerware operation uses a custom API and Google's Firebase to collect and store victims' stolen data, including photos and audio recordings. According to Daigle, the API was left unauthenticated, exposing sensitive user data such as email addresses and passwords.

The hosting provider temporarily suspended the spyware after TechCrunch disclosed this vulnerability but it returned later on HostGator. Despite being notified, Google has yet to take down the Firebase instance but updated Google Play Protect to detect Catwatchful.

While Catwatchful claims it "cannot be uninstalled," you can dial "543210" and press the call button on your Android phone to reveal the hidden app. As for its removal, TechCrunch has a general how-to guide for removing Android spyware that could be helpful.

"Slashdot regularly posts milestones on CO2 levels reported by the Mauna Loa Observatory," writes longtime Slashdot reader symbolset, pointing to a new article highlighting how the Trump administration's proposed budget would eliminate funding for the lab's carbon dioxide monitoring. "Continuous observation records since 1958 will end with the new federal budget as ocean and atmospheric sciences are defunded." From a report: [I]t's the Mauna Loa laboratory that is the most prominent target of the President Donald Trump's climate ire, as measurements that began there in 1958 have steadily shown CO2's upward march as human activities have emitted more and more of the planet-warming gas each year. The curve produced by the Mauna Loa measurements is one of the most iconic charts in modern science, known as the Keeling Curve, after Charles David Keeling, who was the researcher who painstakingly collected the data. His son, Ralph Keeling, a professor at the Scripps Institution of Oceanography at UC San Diego, now oversees collecting and updating that data.

Today, the Keeling Curve measurements are made possible by the National Oceanic and Atmospheric administration, but the data gathering and maintenance of the historical record also is funded by Schmidt Sciences and Earth Networks, according to the Keeling Curve website. In the event of a NOAA shut down of the lab, Scripps could seek alternate sources of funding to host the instruments atop the same peak or introduce a discontinuity in the record by moving the instruments elsewhere in Hawaii.

The proposal to shut down Mauna Loa had been made public previously but was spelled out in more detail on Monday when NOAA submitted a budget document (PDF) to Congress. It made more clear that the Trump administration envisions eliminating all climate-related research work at NOAA, as had been proposed in Project 2025, the conservative blueprint for overhauling the government. It would do this in large part by cutting NOAA's Office of Oceanic and Atmospheric Research entirely, including some labs that are also involved in improving weather forecasting. NOAA has long been one of the world's top climate science agencies, but the administration would steer it instead towards being more focused on operational weather forecasting and warning responsibilities.

An anonymous reader quotes a report from Ars Technica: Last week, OpenAI raised objections in court, hoping to overturn a court order requiring the AI company to retain all ChatGPT logs "indefinitely," including deleted and temporary chats. But Sidney Stein, the US district judge reviewing OpenAI's request, immediately denied OpenAI's objections. He was seemingly unmoved by the company's claims that the order forced OpenAI to abandon "long-standing privacy norms" and weaken privacy protections that users expect based on ChatGPT's terms of service. Rather, Stein suggested that OpenAI's user agreement specified that their data could be retained as part of a legal process, which Stein said is exactly what is happening now.

The order was issued by magistrate judge Ona Wang just days after news organizations, led by The New York Times, requested it. The news plaintiffs claimed the order was urgently needed to preserve potential evidence in their copyright case, alleging that ChatGPT users are likely to delete chats where they attempted to use the chatbot to skirt paywalls to access news content. A spokesperson told Ars that OpenAI plans to "keep fighting" the order, but the ChatGPT maker seems to have few options left. They could possibly petition the Second Circuit Court of Appeals for a rarely granted emergency order that could intervene to block Wang's order, but the appeals court would have to consider Wang's order an extraordinary abuse of discretion for OpenAI to win that fight.

In the meantime, OpenAI is negotiating a process that will allow news plaintiffs to search through the retained data. Perhaps the sooner that process begins, the sooner the data will be deleted. And that possibility puts OpenAI in the difficult position of having to choose between either caving to some data collection to stop retaining data as soon as possible or prolonging the fight over the order and potentially putting more users' private conversations at risk of exposure through litigation or, worse, a data breach. [...]

Both sides are negotiating the exact process for searching through the chat logs, with both parties seemingly hoping to minimize the amount of time the chat logs will be preserved. For OpenAI, sharing the logs risks revealing instances of infringing outputs that could further spike damages in the case. The logs could also expose how often outputs attribute misinformation to news plaintiffs. But for news plaintiffs, accessing the logs is not considered key to their case -- perhaps providing additional examples of copying -- but could help news organizations argue that ChatGPT dilutes the market for their content. That could weigh against the fair use argument, as a judge opined in a recent ruling that evidence of market dilution could tip an AI copyright case in favor of plaintiffs.

A California jury has ordered Google to pay $314.6 million to Android smartphone users in the state after finding the company liable for collecting data from idle devices without permission.

The San Jose jury ruled Tuesday that Google sent and received information from phones while idle, creating "mandatory and unavoidable burdens shouldered by Android device users for Google's benefit." The 2019 class action represented an estimated 14 million Californians who argued Google consumed their cellular data for targeted advertising purposes.

China will launch digital IDs for internet use on July 15th, transferring online verification from private companies to government control. Users obtain digital IDs by submitting personal information including facial scans to police via an app. A pilot program launched one year ago enrolled 6 million people.

The system currently remains voluntary, though officials and state media are pushing citizens to register for "information security." Companies will see only anonymized character strings when users log in, while police retain exclusive access to personal details. The program replaces China's existing system requiring citizens to register with companies using real names before posting comments, gaming, or making purchases.

Police say they punished 47,000 people last year for spreading "rumours" online. The digital ID serves a broader government strategy to centralize data control. State planners classify data as a production factor alongside labor and capital, aiming to extract information from private companies for trading through government-operated data exchanges.

An anonymous reader shares a report: Law enforcement officials are investigating a former employee of a company that negotiates with hackers and facilitates cryptocurrency payments during ransomware attacks, according to a statement from the firm, DigitalMint. DigitalMint President Marc Jason Grens this week told organizations it works with that the US Justice Department is examining allegations that the then-employee struck deals with hackers to profit from extortion payments, according to a person familiar with the matter.

Grens did not identify the employee by name and characterized their actions as isolated, said the person, who spoke on condition that they not be identified describing private conversations. DigitalMint is cooperating with a criminal investigation into "alleged unauthorized conduct by the employee while employed here," Grens said in an email to Bloomberg News. The Chicago-based company is not the target of the investigation and the employee "was immediately terminated," Grens said, adding that he can't provide more information because the probe is ongoing.

Apple has filed (PDF) a lawsuit against former Vision Pro engineer Di Liu, accusing him of stealing thousands of confidential files related to his work on Apple's augmented reality headset for the benefit of his new employer Snap. The company alleges Liu misled colleagues about his departure, secretly accepted a job offer from Snap, and attempted to cover his tracks by deleting files -- actions Apple claims violated his confidentiality agreement. The Register reports: Liu secretly received a job offer from Snap on October 18, 2024, a role the complaint describes as "substantially similar" to his Apple position, meaning Liu waited nearly two weeks to resign from Apple, per the lawsuit. "Even then, he did not disclose he was leaving for Snap," the suit said. "Apple would not have allowed Mr. Liu continued access had he told the truth." Liu allegedly copied "more than a dozen folders containing thousands of files" from Apple's filesystem to a personal cloud storage account, dropping the stolen bits in a pair of nested folders with the amazingly nondescript names "Personal" and "Knowledge."

Apple said that data Liu copied includes "filenames containing confidential Apple product code names" and files "marked as Apple confidential." Company research, product design, and supply chain management documents were among the content Liu is accused of stealing. The complaint also alleges that Liu deleted files to conceal his activities, a move that may hinder Apple's ability to determine the full scope of the data he exfiltrated. "Mr. Liu additionally took actions to conceal his theft, including deceiving Apple about his job at Snap, and deleting files from his Apple-issued computer that might have let Apple determine what data Mr. Liu stole," the complaint noted.

Whatever he has, Apple wants it back. The company demands a jury trial on a single count of breach of contract under a confidentiality and intellectual property agreement Liu was bound to. It also asks the court to compel Liu to return all misappropriated data, award damages to be determined at trial, and reimburse Apple's costs and attorneys' fees.

An anonymous reader quotes a report from Axios: Tinder is mandating new users in California verify their profiles using facial recognition technology starting Monday, executives exclusively tell Axios. The move aims to reduce impersonation and is part of Tinder parent Match Group's broader effort to improve trust and safety amid ongoing user frustration. The Face Check feature prompts users to take a short video selfie during onboarding. The biometric face scan, powered by FaceTec, then confirms the person is real and present and whether their face matches their profile photos. It also checks if the face is used across multiple accounts. If the criteria are met, the user receives a photo verified badge on their profile. The selfie video is then deleted. Tinder stores a non-reversible, encrypted face map to detect duplicate profiles in the future.

Face Check is separate from Tinder's ID Check, which uses a government-issued ID to verify age and identity. "We see this as one part of a set of identity assurance options that are available to users," Match Group's head of trust and safety Yoel Roth says. "Face Check ... is really meant to be about confirming that this person is a real, live person and not a bot or a spoofed account." "Even if in the short term, it has the effect of potentially reducing some top-line user metrics, we think it's the right thing to do for the business," Rascoff said.