Electronic Frontier Foundation

FTC Urged To Stop Tech Makers Downgrading Devices After You've Bought Them (theregister.com) 80

Digital rights activists want device manufacturers to disclose a "guaranteed minimum support time" for devices — and federal regulations ensuring a product's core functionality will work even after its software updates stop.

Influential groups including Consumer Reports, EFF, the Software Freedom Conservancy, iFixit, and U.S. Pirg have now signed a letter to the head of America's Consumer Protection bureau (at the Federal Trade Commision), reports The Register: In an eight-page letter to the Commission (FTC), the activists mentioned the Google/Levis collaboration on a denim jacket that contained sensors enabling it to control an Android device through a special app. When the app was discontinued in 2023, the jacket lost that functionality. The letter also mentions the "Car Thing," an automotive infotainment device created by Spotify, which bricked the device fewer than two years after launch and didn't offer a refund...

Environmental groups and computer repair shops also signed the letter... "Consumers need a clear standard for what to expect when purchasing a connected device," stated Justin Brookman, director of technology policy at Consumer Reports and a former policy director of the FTC's Office of Technology, Research, and Investigation. "Too often, consumers are left with devices that stop functioning because companies decide to end support without little to no warning. This leaves people stranded with devices they once relied on, unable to access features or updates...."

Brookman told The Register that he believes this is the first such policy request to the FTC that asks the agency to help consumers with this dilemma. "I'm not aware of a previous effort from public interest groups to get the FTC to take action on this issue — it's still a relatively new issue with no clear established norms," he wrote in an email. "But it has certainly become an issue" that comes up more and more with device makers as they change their rules about product updates and usage.

"Both switching features to a subscription and 'bricking' a connected device purchased by a consumer in many cases are unfair and deceptive practices," the groups write, arguing that the practices "infringe on a consumer's right to own the products they buy." They're requesting clear "guidance" for manufacturers from the U.S. government. The FTC has a number of tools at its disposal to help establish standards for IoT device support. While a formal rulemaking is one possibility, the FTC also has the ability to issue more informal guidance, such as its Endorsement Guides12 and Dot Com Disclosures.13 We believe the agency should set norms...
The groups are also urging the FTC to:
  • Encourage tools and methods that enable reuse if software support ends.
  • Conduct an educational program to encourage manufacturers to build longevity into the design of their products.
  • Protect "adversarial interoperability"... when a competitor or third-party creates a reuse or modification tool [that] adds to or converts the old device.

Thanks to long-time Slashdot reader Z00L00K for sharing the article.


Crime

New York Times Calls Telegram 'A Playground for Criminals, Extremists and Terrorists' (yahoo.com) 107

The New York Times analyzed over 3.2 million Telegram messages from 16,220 channels. Their conclusion? Telegram "offers features that enable criminals, terrorists and grifters to organize at scale and to sidestep scrutiny from the authorities" — and that Telegram "has looked the other way as illegal and extremist activities have flourished openly on the app."

Or, more succinctly: "Telegram has become a global sewer of criminal activity, disinformation, child sexual abuse material, terrorism and racist incitement, according to a four-month investigation." Look deeper, and a dark underbelly emerges. Uncut lumps of cocaine and shards of crystal meth are for sale on the app. Handguns and stolen checks are widely available. White nationalists use the platform to coordinate fight clubs and plan rallies. Hamas broadcast its Oct. 7 attack on Israel on the site... The Times investigation found 1,500 channels operated by white supremacists who coordinate activities among almost 1 million people around the world. At least two dozen channels sold weapons. In at least 22 channels with more than 70,000 followers, MDMA, cocaine, heroin and other drugs were advertised for delivery to more than 20 countries.

Hamas, the Islamic State and other militant groups have thrived on Telegram, often amassing large audiences across dozens of channels. The Times analyzed more than 40 channels associated with Hamas, which showed that average viewership surged up to 10 times after the Oct. 7 attacks, garnering more than 400 million views in October. Telegram is "the most popular place for ill-intentioned, violent actors to congregate," said Rebecca Weiner, the deputy commissioner for intelligence and counterterrorism at the New York Police Department. "If you're a bad guy, that's where you will land...." [Telegram] steadfastly ignores most requests for assistance from law enforcement agencies. An email inbox used for inquiries from government agencies is rarely checked, former employees said...

"It is easy to search and find channels selling guns, illicit narcotics, prescription drugs and fraudulent ATM cards, called clone cards..." according to the article. The Times "found at least 50 channels openly selling contraband, including guns, drugs and fraudulent debit cards." In December 2022, Hayden Espinosa began serving a 33-month sentence in federal prison in Louisiana for buying and selling illegal firearms and weapon parts he made with 3D printers. That did not stop his business. Using cellphones that had been smuggled into prison, Espinosa continued his illicit trade on a Telegram channel... Espinosa's gun market on Telegram might never have been uncovered except that one of its members was Payton Gendron, who massacred 10 people at a supermarket in Buffalo, New York, in 2022. Investigators scouring his life online for motives for the shooting discovered the channel, which also featured racist and extremist views he had shared.
"Operating like a stateless organization, Telegram has long behaved as if it were above the law," the article concludes — though it adds that "In many democratic countries, patience with the app is wearing thin.

"The European Union is exploring new oversight of Telegram under the Digital Services Act, a law that forces large online platforms to police their services more aggressively, two people familiar with the plans said."
Privacy

Signal is More Than Encrypted Messaging. It Wants to Prove Surveillance Capitalism Is Wrong (wired.com) 70

Slashdot reader echo123 shared a new article from Wired titled "Signal Is More Than Encrypted Messaging. Under Meredith Whittaker, It's Out to Prove Surveillance Capitalism Wrong." ("On its 10th anniversary, Signal's president wants to remind you that the world's most secure communications platform is a nonprofit. It's free. It doesn't track you or serve you ads. It pays its engineers very well. And it's a go-to app for hundreds of millions of people.") Ten years ago, WIRED published a news story about how two little-known, slightly ramshackle encryption apps called RedPhone and TextSecure were merging to form something called Signal. Since that July in 2014, Signal has transformed from a cypherpunk curiosity — created by an anarchist coder, run by a scrappy team working in a single room in San Francisco, spread word-of-mouth by hackers competing for paranoia points — into a full-blown, mainstream, encrypted communications phenomenon... Billions more use Signal's encryption protocols integrated into platforms like WhatsApp...

But Signal is, in many ways, the exact opposite of the Silicon Valley model. It's a nonprofit funded by donations. It has never taken investment, makes its product available for free, has no advertisements, and collects virtually no information on its users — while competing with tech giants and winning... Signal stands as a counterfactual: evidence that venture capitalism and surveillance capitalism — hell, capitalism, period — are not the only paths forward for the future of technology.

Over its past decade, no leader of Signal has embodied that iconoclasm as visibly as Meredith Whittaker. Signal's president since 2022 is one of the world's most prominent tech critics: When she worked at Google, she led walkouts to protest its discriminatory practices and spoke out against its military contracts. She cofounded the AI Now Institute to address ethical implications of artificial intelligence and has become a leading voice for the notion that AI and surveillance are inherently intertwined. Since she took on the presidency at the Signal Foundation, she has come to see her central task as working to find a long-term taproot of funding to keep Signal alive for decades to come — with zero compromises or corporate entanglements — so it can serve as a model for an entirely new kind of tech ecosystem...

Meredith Whittaker: "The Signal model is going to keep growing, and thriving and providing, if we're successful. We're already seeing Proton [a startup that offers end-to-end encrypted email, calendars, note-taking apps, and the like] becoming a nonprofit. It's the paradigm shift that's going to involve a lot of different forces pointing in a similar direction."

Key quotes from the interview:
  • "Given that governments in the U.S. and elsewhere have not always been uncritical of encryption, a future where we have jurisdictional flexibility is something we're looking at."
  • "It's not by accident that WhatsApp and Apple are spending billions of dollars defining themselves as private. Because privacy is incredibly valuable. And who's the gold standard for privacy? It's Signal."
  • "AI is a product of the mass surveillance business model in its current form. It is not a separate technological phenomenon."
  • "...alternative models have not received the capital they need, the support they need. And they've been swimming upstream against a business model that opposes their success. It's not for lack of ideas or possibilities. It's that we actually have to start taking seriously the shifts that are going to be required to do this thing — to build tech that rejects surveillance and centralized control — whose necessity is now obvious to everyone."

Security

SpyAgent Android Malware Steals Your Crypto Recovery Phrases From Images 32

SpyAgent is a new Android malware that uses optical character recognition (OCR) to steal cryptocurrency wallet recovery phrases from screenshots stored on mobile devices, allowing attackers to hijack wallets and steal funds. The malware primarily targets South Korea but poses a growing threat as it expands to other regions and possibly iOS. BleepingComputer reports: A malware operation discovered by McAfee was traced back to at least 280 APKs distributed outside of Google Play using SMS or malicious social media posts. This malware can use OCR to recover cryptocurrency recovery phrases from images stored on an Android device, making it a significant threat. [...] Once it infects a new device, SpyAgent begins sending the following sensitive information to its command and control (C2) server:

- Victim's contact list, likely for distributing the malware via SMS originating from trusted contacts.
- Incoming SMS messages, including those containing one-time passwords (OTPs).
- Images stored on the device to use for OCR scanning.
- Generic device information, likely for optimizing the attacks.

SpyAgent can also receive commands from the C2 to change the sound settings or send SMS messages, likely used to send phishing texts to distribute the malware. McAfee found that the operators of the SpyAgent campaign did not follow proper security practices in configuring their servers, allowing the researchers to gain access to them. Admin panel pages, as well as files and data stolen from victims, were easily accessible, allowing McAfee to confirm that the malware had claimed multiple victims. The stolen images are processed and OCR-scanned on the server side and then organized on the admin panel accordingly to allow easy management and immediate utilization in wallet hijack attacks.
Anime

Two Major Anime Leakers To Be Exposed Following First-Time US Court Order 31

For the first time, a U.S. court has ordered the exposure of identities behind anime leaker accounts on X following complaints from producers of Jujutsu Kaisen and Demon Slayer. The order was revealed by Japanese anti-piracy organization CODA (Content Overseas Distribution Association). CBR reports: The order to disclose their identities was issued on Aug. 20 and served on Aug. 30, meaning that these Jujutsu Kaisen and Demon Slayer leakers will be forced to out themselves, lest they face further legal troubles. Several CODA member companies, which include Kodansha (Attack on Titan), Toei Animation (One Piece) and more collected evidence on these accounts; CODA's report states that it has also received other inquiries about other anime and is preparing for further action. "We will continue to work with the rights holders of the victims to take strict action based on the information of the account owners that comes to light, and will demand severe punishment for these leak accounts," it concludes.
Privacy

Telegram Allows Private Chat Reports After Founder's Arrest (techcrunch.com) 48

An anonymous reader shares a report: Telegram has quietly updated its policy to allow users to report private chats to its moderators following the arrest of founder Pavel Durov in France over "crimes committed by third parties" on the platform. [...] The Dubai-headquartered company has additionally edited its FAQ page, removing two sentences that previously emphasized its privacy stance on private chats. The earlier version had stated: "All Telegram chats and group chats are private amongst their participants. We do not process any requests related to them."
EU

US, UK, EU Sign 'Legally Binding' AI Treaty 51

The United States, United Kingdom and European Union have signed the first "legally binding" international AI treaty on Thursday, the Council of Europe human rights organization said. Called the AI Convention, the treaty promotes responsible innovation and addresses the risks AI may pose. Reuters reports: The AI Convention mainly focuses on the protection of human rights of people affected by AI systems and is separate from the EU AI Act, which entered into force last month. The EU's AI Act entails comprehensive regulations on the development, deployment, and use of AI systems within the EU internal market. The Council of Europe, founded in 1949, is an international organization distinct from the EU with a mandate to safeguard human rights; 46 countries are members, including all the 27 EU member states. An ad hoc committee in 2019 started examining the feasibility of an AI framework convention and a Committee on Artificial Intelligence was formed in 2022 which drafted and negotiated the text. The signatories can choose to adopt or maintain legislative, administrative or other measures to give effect to the provisions.

Francesca Fanucci, a legal expert at ECNL (European Center for Not-for-Profit Law Stichting) who contributed to the treaty's drafting process alongside other civil society groups, told Reuters the agreement had been "watered down" into a broad set of principles. "The formulation of principles and obligations in this convention is so overbroad and fraught with caveats that it raises serious questions about their legal certainty and effective enforceability," she said. Fanucci highlighted exemptions on AI systems used for national security purposes, and limited scrutiny of private companies versus the public sector, as flaws. "This double standard is disappointing," she added.
AT&T

AT&T Sues Broadcom For Breaching VMware Support Extension Contract (theregister.com) 76

AT&T has filed a lawsuit against Broadcom, alleging that Broadcom is refusing to honor an extended support agreement for VMware software unless AT&T purchases additional subscriptions it doesn't need. The company warns the consequences could risk massive outages for AT&T's customer support operations and critical federal services, including the U.S. President's office. The Register reports: A complaint [PDF] filed last week in the Supreme Court of New York State explains that AT&T holds perpetual licenses for VMware software and paid for support services under a contract that ends on September 8. The complaint also alleges that AT&T has an option to extend that support deal for two years -- provided it activates the option before the end of the current deal. AT&T's filing claims it exercised that option, but that Broadcom "is refusing to honor" the contract. Broadcom has apparently told AT&T it will continue to provide support if the comms giant "agrees to purchase scores of subscription services and software." AT&T counters that it "does not want or need" those subscriptions, because they:

- Would impose significant additional contractual and technological obligations on AT
- Would require AT&T to invest potentially millions to develop its network to accommodate the new software;
- May violate certain rights of first refusal that AT&T has granted to third parties;
- Would cost AT&T tens of millions more than the price of the support services alone.

[...] The complaint also suggests Broadcom's refusal to extend support creates enormous risk for US national security -- some of the ~8,600 servers that host AT&T's ~75,000 VMs "are dedicated to various national security and public safety agencies within the federal government as well as the Office of the President." Other VMs are relied upon by emergency responders, and still more "deliver services to millions of AT&T customers worldwide" according to the suit. Without support from Broadcom, AT&T claims it fears "widespread network outages that could cripple the operations of millions of AT&T customers worldwide" because it may not be able to fix VMware's software.

The Courts

Snap Sued Over 'Sextortion' of Kids By Predators (cnbc.com) 41

New Mexico Attorney General Raul Torrez has filed a lawsuit against Snap, accusing Snapchat of fostering and promoting illicit sexual material involving children, facilitating sextortion, and enabling trafficking of children, drugs, and guns. CNBC reports: The suit alleges that Snap "repeatedly made statements to the public regarding the safety and design of its platforms that it knew were untrue," or that were contradicted by the company's own internal findings. "Snap was specifically aware, but failed to warn children and parents, of 'rampant' and 'massive' sextortion on its platform -- a problem so grave that it drives children facing merciless and relentless blackmail demands or disclosure of intimate images to their families and friends to suicide," the suit says.

New Mexico's Department of Justice, which Torrez leads, in recent months conducted an investigation that found that there was a "vast network of dark web sites dedicated to sharing stolen, non-consensual sexual images from Snap" and that there were more than 10,000 records related to SNAP and child sexual abuse material "in the last year alone," the department said. The suit alleges violations of New Mexico's unfair trade practices law.

Privacy

Leaked Disney Data Reveals Financial and Strategy Secrets (msn.com) 48

An anonymous reader shares a report: Passport numbers for a group of Disney cruise line workers. Disney+ streaming revenue. Sales of Genie+ theme park passes. The trove of data from Disney that was leaked online by hackers earlier this summer includes a range of financial and strategy information that sheds light on the entertainment giant's operations, according to files viewed by The Wall Street Journal. It also includes personally identifiable information of some staff and customers.

The leaked files include granular details about revenue generated by such products as Disney+ and ESPN+; park pricing offers the company has modeled; and what appear to be login credentials for some of Disney's cloud infrastructure. (The Journal didn't attempt to access any Disney systems.) "We decline to comment on unverified information The Wall Street Journal has purportedly obtained as a result of a bad actor's illegal activity," a Disney spokesman said. Disney told investors in an August regulatory filing that it is investigating the unauthorized release of "over a terabyte of data" from one of its communications systems. It said the incident hadn't had a material impact on its operations or financial performance and doesn't expect that it will.

Data that a hacking entity calling itself Nullbulge released online spans more than 44 million messages from Disney's Slack workplace communications tool, upward of 18,800 spreadsheets and at least 13,000 PDFs, the Journal found. The scope of the material taken appears to be limited to public and private channels within Disney's Slack that one employee had access to. No private messages between executives appear to be included. Slack is only one online forum in which Disney employees communicate at work.

Crime

Fake CV Lands Top 'Engineer' In Jail For 15 Years (bbc.com) 90

Daniel Mthimkhulu, former chief "engineer" at South Africa's Passenger Rail Agency (Prasa), was sentenced to 15 years in prison for claiming false engineering degrees and a doctorate. His fraudulent credentials allowed him to rise rapidly within Prasa, contributing to significant financial losses and corruption within the agency. The BBC reports: Once hailed for his successful career, Daniel Mthimkhulu was head of engineering at the Passenger Rail Agency of South Africa (Prasa) for five years -- earning an annual salary of about [$156,000]. On his CV, the 49-year-old claimed to have had several mechanical engineering qualifications, including a degree from South Africa's respected Witwatersrand University as well as a doctorate from a German university. However, the court in Johannesburg heard that he had only completed his high-school education.

Mthimkhulu was arrested in July 2015 shortly after his web of lies began to unravel. He had started working at Prasa 15 years earlier, shooting up the ranks to become chief engineer, thanks to his fake qualifications. The court also heard how he had forged a job offer letter from a German company, which encouraged Prasa to increase his salary so the agency would not lose him. He was also at the forefront of a 600m rand deal to buy dozens of new trains from Spain, but they could not be used in South Africa as they were too high. [...] In an interview from 2019 with local broadcaster eNCA, Mthimkhulu admitted that he did not have a PhD. "I failed to correct the perception that I have it. I just became comfortable with the title. I did not foresee any damages as a result of this," he said.

Businesses

Nvidia Hit With DOJ Subpoena In Escalating Antitrust Probe (reuters.com) 13

According to Bloomberg (paywalled), Nvidia has received a subpoena from the U.S. Department of Justice as the regulator seeks evidence that the AI computing company violated antitrust laws. "The antitrust watchdog had previously delivered questionnaires to companies, and is now sending legally binding requests," notes Reuters. "Officials are concerned that the chipmaker is making it harder to switch to other suppliers and penalizes buyers that do not exclusively use its artificial intelligence chips."

The development follows a push by progressive groups last month, who criticized Nvidia's bundling of software and hardware, claiming it stifles innovation and locks in customers. In July, French antitrust regulators announced plans to charge the company for alleged anti-competitive practices.

Developing...
The Courts

Clearview AI Fined $33.7 Million Over 'Illegal Database' of Faces (apnews.com) 40

An anonymous reader quotes a report from the Associated Press: The Dutch data protection watchdog on Tuesday issued facial recognition startup Clearview AI with a fine of $33.7 million over its creation of what the agency called an "illegal database" of billion of photos of faces. The Netherlands' Data Protection Agency, or DPA, also warned Dutch companies that using Clearview's services is also banned. The data agency said that New York-based Clearview "has not objected to this decision and is therefore unable to appeal against the fine."

But in a statement emailed to The Associated Press, Clearview's chief legal officer, Jack Mulcaire, said that the decision is "unlawful, devoid of due process and is unenforceable." The Dutch agency said that building the database and insufficiently informing people whose images appear in the database amounted to serious breaches of the European Union's General Data Protection Regulation, or GDPR. "Facial recognition is a highly intrusive technology, that you cannot simply unleash on anyone in the world," DPA chairman Aleid Wolfsen said in a statement. "If there is a photo of you on the Internet -- and doesn't that apply to all of us? -- then you can end up in the database of Clearview and be tracked. This is not a doom scenario from a scary film. Nor is it something that could only be done in China," he said. DPA said that if Clearview doesn't halt the breaches of the regulation, it faces noncompliance penalties of up to $5.6 million on top of the fine.
Mulcaire said Clearview doesn't fall under EU data protection regulations. "Clearview AI does not have a place of business in the Netherlands or the EU, it does not have any customers in the Netherlands or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR," he said.
The Courts

Shrinkwrap 'Contract' Found At Costco On... Collagen Peptides (mastodon.social) 74

Slashdot covered shrinkwrap licenses on software back in 2000 and 2002. But now ewhac (Slashdot reader #5,844) writes: The user Wraithe on the Mastodon network is reporting that a bottle of Vital Proteins(TM) collagen peptides purchased at Costco came with a shrinkwrap contract. Collagen peptides are often used as an anti-aging nutritional supplement. The top of the Vital Proteins bottle has a pull-to-open seal. Printed on the seal is the following: "Read This: By opening and using this product, you agree to be bound by our Terms and Conditions, fully set forth at vitalproteins.com/tc, which includes a mandatory arbitration agreement. If you do not agree to be bound, please return this product immediately."

So-called "shrinkwrap contracts" have been the subject of controversy and derision for decades since their first widespread appearance in the 1970's, attempting to alter the terms of sale after the fact, impose unethical and onerous restrictions on the purchaser, and absolving the vendor of all liability. Most such contracts appear on items involving copyrighted works (computer software, or any item containing computer software). The alleged "validity" of such contracts supposedly proceeds from the (alleged) need that the item requires a copyright license from the vendor to use (because the right to use/read/listen/view/execute is somehow not concomitant with purchase), and that the shrinkwrap contract furnishes such license.

The application of such a contract to a good where copyright has no scope, however, is something new. The alleged contract itself governs consumers' use of, "the VitalProteins.com website and any other applications, content, products, and services (collectively, the "Service")...," contains the usual we're-not-responsible-for-anything indemnification paragraph, and unilaterally removes your right to seek redress in court of law and imposes binding arbitration involving any disputes that may arise between the consumer and the company. Indeed, the arbitration clause is the first numbered section in the alleged contract.

The same contract has been spotted by numerous others — including someone who posted about it on Reddit two years ago. ("When I opened it, encountered a vacuum seal with the following 'READ THIS: by opening and using this product, you agree to...'") But the same verbiage still appears in online listings today for the product from Albertsons, Walgreens, and CVS.

Shrinkwrap contracts. They're not just for software any more...
United States

Investigation Finds 'Little Oversight' Over Crucial Supply Chain for US Election Software (politico.com) 94

Politico reports U.S. states have no uniform way of policing the use of overseas subcontractors in election technology, "let alone to understand which individual software components make up a piece of code."

For example, to replace New Hampshire's old voter registration database, state election officials "turned to one of the best — and only — choices on the market," Politico: "a small, Connecticut-based IT firm that was just getting into election software." But last fall, as the new company, WSD Digital, raced to complete the project, New Hampshire officials made an unsettling discovery: The firm had offshored part of the work. That meant unknown coders outside the U.S. had access to the software that would determine which New Hampshirites would be welcome at the polls this November.

The revelation prompted the state to take a precaution that is rare among election officials: It hired a forensic firm to scour the technology for signs that hackers had hidden malware deep inside the coding supply chain. The probe unearthed some unwelcome surprises: software misconfigured to connect to servers in Russia ["probably by accident," they write later] and the use of open-source code — which is freely available online — overseen by a Russian computer engineer convicted of manslaughter, according to a person familiar with the examination and granted anonymity because they were not authorized to speak about it... New Hampshire officials say the scan revealed another issue: A programmer had hard-coded the Ukrainian national anthem into the database, in an apparent gesture of solidarity with Kyiv.

None of the findings amounted to evidence of wrongdoing, the officials said, and the company resolved the issues before the new database came into use ahead of the presidential vote this spring. This was "a disaster averted," said the person familiar with the probe, citing the risk that hackers could have exploited the first two issues to surreptitiously edit the state's voter rolls, or use them and the presence of the Ukrainian national anthem to stoke election conspiracies. [Though WSD only maintains one other state's voter registration database — Vermont] the supply-chain scare in New Hampshire — which has not been reported before — underscores a broader vulnerability in the U.S. election system, POLITICO found during a six-month-long investigation: There is little oversight of the supply chain that produces crucial election software, leaving financially strapped state and county offices to do the best they can with scant resources and expertise.

The technology vendors who build software used on Election Day face razor-thin profit margins in a market that is unforgiving commercially and toxic politically. That provides little room for needed investments in security, POLITICO found. It also leaves states with minimal leverage over underperforming vendors, who provide them with everything from software to check in Americans at their polling stations to voting machines and election night reporting systems. Many states lack a uniform or rigorous system to verify what goes into software used on Election Day and whether it is secure.

The article also points out that many state and federal election officials "insist there has been significant progress" since 2016, with more regular state-federal communication. "The Cybersecurity and Infrastructure Security Agency, now the lead federal agency on election security, didn't even exist back then.

"Perhaps most importantly, more than 95% of U.S. voters now vote by hand or on machines that leave some type of paper trail, which officials can audit after Election Day."
Crime

Was the Arrest of Telegram's CEO Inevitable? (platformer.news) 174

Casey Newton, former senior editor at the Verge, weighs in on Platformer about the arrest of Telegram CEO Pavel Durov.

"Fending off onerous speech regulations and overzealous prosecutors requires that platform builders act responsibly. Telegram never even pretended to." Officially, Telegram's terms of service prohibit users from posting illegal pornographic content or promotions of violence on public channels. But as the Stanford Internet Observatory noted last year in an analysis of how CSAM spreads online, these terms implicitly permit users who share CSAM in private channels as much as they want to. "There's illegal content on Telegram. How do I take it down?" asks a question on Telegram's FAQ page. The company declares that it will not intervene in any circumstances: "All Telegram chats and group chats are private amongst their participants," it states. "We do not process any requests related to them...."

Telegram can look at the contents of private messages, making it vulnerable to law enforcement requests for that data. Anticipating these requests, Telegram created a kind of jurisdictional obstacle course for law enforcement that (it says) none of them have successfully navigated so far. From the FAQ again:

To protect the data that is not covered by end-to-end encryption, Telegram uses a distributed infrastructure. Cloud chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force us to give up any data. [...] To this day, we have disclosed 0 bytes of user data to third parties, including governments.

As a result, investigation after investigation finds that Telegram is a significant vector for the spread of CSAM.... The company's refusal to answer almost any law enforcement request, no matter how dire, has enabled some truly vile behavior. "Telegram is another level," Brian Fishman, Meta's former anti-terrorism chief, wrote in a post on Threads. "It has been the key hub for ISIS for a decade. It tolerates CSAM. Its ignored reasonable [law enforcement] engagement for YEARS. It's not 'light' content moderation; it's a different approach entirely.

The article asks whether France's action "will embolden countries around the world to prosecute platform CEOs criminally for failing to turn over user data." On the other hand, Telegram really does seem to be actively enabling a staggering amount of abuse. And while it's disturbing to see state power used indiscriminately to snoop on private conversations, it's equally disturbing to see a private company declare itself to be above the law.

Given its behavior, a legal intervention into Telegram's business practices was inevitable. But the end of private conversation, and end-to-end encryption, need not be.

Crime

Woman Mailed Herself an Apple AirTag To Help Catch Mail Thieves (cnn.com) 103

Several items were stolen from a woman's P.O. box. So she mailed herself a package containing an Apple AirTag, according to the Santa Barbara County Sheriff's office: Her mail was again stolen on Monday morning, including the package with the AirTag that she was able to track.

It is important to note that the victim did not attempt to contact the suspects on her own... The Sheriff's Office would like to commend the victim for her proactive solution, while highlighting that she also exercised appropriate caution by contacting law enforcement to safely and successfully apprehend the suspects.

CNN reports on what the authorities found: The suspected thieves were located in nearby Santa Maria, California, with the victim's mail — including the package containing the AirTag — and other items authorities believe were stolen from more than a dozen victims, according to the sheriff's office. Virginia Franchessca Lara, 27, and Donald Ashton Terry, 37, were arrested in connection with the crime, authorities said.

Lara was booked on felonies including possession of checks with intent to commit fraud, fictitious checks, identity theft, credit card theft and conspiracy, and remains held on a $50,000 bail as of Thursday, jail records show. Terry faces felony charges including burglary, possession of checks with intent to commit fraud, credit card theft, identity theft and conspiracy and was held on a $460,000 bail, according to jail records...

Authorities said they're working on contacting other victims of theft in this case.

Thanks to long-time Slashdot reader schwit1 for sharing the news.
Power

US Government Opens Up 31 Million Acres of Federal Lands For Solar (electrek.co) 103

An anonymous reader quotes a report from Electrek: The Biden administration has finalized a plan to expand solar on 31 million acres of federal lands in 11 western states. The proposed updated Western Solar Plan is a roadmap for Bureau of Land Management's (BLM) governance of solar energy proposals and projects on public lands. It bumps up the acreage from the 22 million acres it recommended in January, and this plan adds five additional states -- Idaho, Montana, Oregon, Washington, and Wyoming -- to the six states -- Arizona, California, Colorado, Nevada, New Mexico, and Utah -- analyzed in the original plan.

It would make the public lands available for potential solar development, putting solar farms closer to transmission lines or on previously disturbed lands and avoiding protected lands, sensitive cultural resources, and important wildlife habitats. [...] BLM surpassed its goal of permitting more than 25 gigawatts (GW) of clean energy projects on public lands earlier in 2024. It's permitted 29 GW of projects on public lands -- enough to power over 12 million homes. The Biden administration set the goal to achieve 100% clean electricity on the US grid by 2035.

The Courts

City of Columbus Sues Man After He Discloses Severity of Ransomware Attack (arstechnica.com) 37

An anonymous reader quotes a report from Ars Technica, written by Dan Goodin: A judge in Ohio has issued a temporary restraining order against a security researcher who presented evidence that a recent ransomware attack on the city of Columbus scooped up reams of sensitive personal information, contradicting claims made by city officials. The order, issued by a judge in Ohio's Franklin County, came after the city of Columbus fell victim to a ransomware attack on July 18 that siphoned 6.5 terabytes of the city's data. A ransomware group known as Rhysida took credit for the attack and offered to auction off the data with a starting bid of about $1.7 million in bitcoin. On August 8, after the auction failed to find a bidder, Rhysida released what it said was about 45 percent of the stolen data on the group's dark web site, which is accessible to anyone with a TOR browser.

Columbus Mayor Andrew Ginther said on August 13 that a "breakthrough" in the city's forensic investigation of the breach found that the sensitive files Rhysida obtained were either encrypted or corrupted, making them "unusable" to the thieves. Ginther went on to say the data's lack of integrity was likely the reason the ransomware group had been unable to auction off the data. Shortly after Ginther made his remarks, security researcher David Leroy Ross contacted local news outlets and presented evidence that showed the data Rhysida published was fully intact and contained highly sensitive information regarding city employees and residents. Ross, who uses the alias Connor Goodwolf, presented screenshots and other data that showed the files Rhysida had posted included names from domestic violence cases and Social Security numbers for police officers and crime victims. Some of the data spanned years.

On Thursday, the city of Columbus sued Ross (PDF) for alleged damages for criminal acts, invasion of privacy, negligence, and civil conversion. The lawsuit claimed that downloading documents from a dark web site run by ransomware attackers amounted to him "interacting" with them and required special expertise and tools. The suit went on to challenge Ross alerting reporters to the information, which ii claimed would not be easily obtained by others. "Only individuals willing to navigate and interact with the criminal element on the dark web, who also have the computer expertise and tools necessary to download data from the dark web, would be able to do so," city attorneys wrote. "The dark web-posted data is not readily available for public consumption. Defendant is making it so." The same day, a Franklin County judge granted the city's motion for a temporary restraining order (PDF) against Ross. It bars the researcher "from accessing, and/or downloading, and/or disseminating" any city files that were posted to the dark web. The motion was made and granted "ex parte," meaning in secret before Ross was informed of it or had an opportunity to present his case.

Security

Malware Infiltrates Pidgin Messenger's Official Plugin Repository (bleepingcomputer.com) 10

The Pidgin messaging app removed the ScreenShareOTR plugin from its third-party plugin list after it was found to be used to install keyloggers, information stealers, and malware targeting corporate networks. BleepingComputer reports: The plugin was promoted as a screen-sharing tool for secure Off-The-Record (OTR) protocol and was available for both Windows and Linux versions of Pidgin. According to ESET, the malicious plugin was configured to infect unsuspecting users with DarkGate malware, a powerful malware threat actors use to breach networks since QBot's dismantling by the authorities. [...] Those who installed it are recommended to remove it immediately and perform a full system scan with an antivirus tool, as DarkGate may be lurking on their system.

After publishing our story, Pidgin's maintainer and lead developer, Gary Kramlich, notified us on Mastodon to say that they do not keep track of how many times a plugin is installed. To prevent similar incidents from happening in the future, Pidgin announced that, from now on, it will only accept third-party plugins that have an OSI Approved Open Source License, allowing scrutiny into their code and internal functionality.

Slashdot Top Deals