Crime

ARRL Pays $1 Million Ransom To Decrypt Their Systems After Attack (bleepingcomputer.com)

The nonprofit American Radio Relay League — founded in 1914 — has approximately 161,000 members, according to Wikipedia (with over 7,000 members outside the U.S.).

But sometime in early May its systems network was compromised, "by threat actors using information they had purchased on the dark web," the nonprofit announced this week. The attackers accessed the ARRL's on-site systems — as well as most of its cloud-based systems — using "a wide variety of payloads affecting everything from desktops and laptops to Windows-based and Linux-based servers." Despite the wide variety of target configurations, the threat actors seemed to have a payload that would host and execute encryption or deletion of network-based IT assets, as well as launch demands for a ransom payment, for every system... The FBI categorized the attack as "unique" as they had not seen this level of sophistication among the many other attacks they have experience with.

Within 3 hours a crisis management team had been constructed of ARRL management, an outside vendor with extensive resources and experience in the ransomware recovery space, attorneys experienced with managing the legal aspects of the attack including interfacing with the authorities, and our insurance carrier. The authorities were contacted immediately as was the ARRL President... [R]ansom demands were dramatically weakened by the fact that they did not have access to any compromising data. It was also clear that they believed ARRL had extensive insurance coverage that would cover a multi-million-dollar ransom payment. After days of tense negotiation and brinkmanship, ARRL agreed to pay a $1 million ransom. That payment, along with the cost of restoration, has been largely covered by our insurance policy...

Today, most systems have been restored or are waiting for interfaces to come back online to interconnect them. While we have been in restoration mode, we have also been working to simplify the infrastructure to the extent possible. We anticipate that it may take another month or two to complete restoration under the new infrastructure guidelines and new standards.

ARRL's called the attack "extensive", "sophisticated", "highly coordinated" and "an act of organized crime". And tlhIngan (Slashdot reader #30335) shared this detail from BleepingComputer.

"While the organization has not yet linked the attack to a specific ransomware operation, sources told BleepingComputer that the Embargo ransomware gang was behind the breach."
Security

'Invasive' Iranian Intelligence Group Believed to Be The Ones Who Breached Trump's Campaign (reuters.com)

Reuters reports that the Iranian hacking team which compromised the campaign of U.S. presidential candidate Donald Trump "is known for placing surveillance software on the mobile phones of its victims, enabling them to record calls, steal texts and silently turn on cameras and microphones, according to researchers and experts who follow the group." Known as APT42 or CharmingKitten by the cybersecurity research community, the accused Iranian hackers are widely believed to be associated with an intelligence division inside Iran's military, known as the Intelligence Organization of the Islamic Revolutionary Guard Corps or IRGC-IO. Their appearance in the U.S. election is noteworthy, sources told Reuters, because of their invasive espionage approach against high-value targets in Washington and Israel. "What makes (APT42) incredibly dangerous is this idea that they are an organization that has a history of physically targeting people of interest," said John Hultquist, chief analyst with U.S. cybersecurity firm Mandiant, who referenced past research that found the group surveilling the cell phones of Iranian activists and protesters... Hultquist said the hackers commonly use mobile malware that allows them to "record phone calls, room audio recordings, pilfer SMS (text) inboxes, take images off of a machine," and gather geolocation data...

APT42 also commonly impersonates journalists and Washington think tanks in complex, email-based social engineering operations that aim to lure their targets into opening booby-trapped messages, which let them take over systems. The group's "credential phishing campaigns are highly targeted and well-researched; the group typically targets a small number of individuals," said Josh Miller, a threat analyst with email security company Proofpoint. They often target anti-Iran activists, reporters with access to sources inside Iran, Middle Eastern academics and foreign-policy advisers. This has included the hacking of western government officials and American defense contractors. For example, in 2018, the hackers targeted nuclear workers and U.S. Treasury department officials around the time the United States formally withdrew from the Joint Comprehensive Plan of Action (JCPOA), said Allison Wikoff, a senior cyber intelligence analyst with professional services company PricewaterhouseCoopers.

"APT42 is still actively targeting campaign officials and former Trump administration figures critical of Iran, according to a blog post by Google's cybersecurity research team."
Social Networks

Families Can Sue App Developer For Breaking Its Anti-Bullying Pledge, Says Court (theverge.com)

The Verge's Adi Robertson reports: An appeals court revived a lawsuit against the anonymous messaging service Yolo, which allegedly broke a promise to unmask bullies on the app. In a ruling (PDF) issued Thursday, the Ninth Circuit Court of Appeals said Section 230 of the Communications Decency Act shouldn't block a claim that Yolo misrepresented its terms of service, overruling a lower court decision. But it determined the app can't be held liable for alleged design defects that allowed harassment, letting a different part of that earlier ruling stand.

Yolo was a Snapchat-integrated app that let users send anonymous messages, but in 2021, it was hit with a lawsuit after a teenage user died by suicide. The boy, Carson Bride, had received harassing and sexually explicit messages from anonymized users that -- he believed -- he likely knew. Bride and his family attempted to contact Yolo for help, but Yolo allegedly never answered, and in some cases, emails to the company simply bounced. Snap banned Yolo and another app targeted in the lawsuit, and a year later, it banned all anonymous messaging integration. Bride's family and a collection of other aggrieved parents argued that Yolo broke a legally binding promise to its users. They pointed to a notification where Yolo claimed people would be banned for inappropriate use and deanonymized if they sent "harassing messages" to others. But as the ruling summarizes, the plaintiffs argued that "with a staff of no more than ten people, there was no way Yolo could monitor the traffic of ten million active daily users to make good on its promise, and it in fact never did." Additionally, they claimed Yolo should have known its anonymous design facilitated harassment, making it defective and dangerous.

A lower court threw out both of these claims, saying that under Section 230, Yolo couldn't be held responsible for its users' posts. The appeals court was more sympathetic. It accepted the argument that families were instead holding Yolo responsible for promising users something it couldn't deliver. "Yolo repeatedly informed users that it would unmask and ban users who violated the terms of service. Yet it never did so, and may have never intended to," writes Judge Eugene Siler, Jr. "While yes, online content is involved in these facts, and content moderation is one possible solution for Yolo to fulfill its promise, the underlying duty ... is the promise itself." The Yolo suit built on a previous Ninth Circuit ruling that let another Snap-related lawsuit circumvent Section 230's shield. In 2021, it found Snap could be sued for a "speed filter" that could implicitly encourage users to drive recklessly, even if users were responsible for making posts with that filter. (The overall case is still ongoing.) On top of their misrepresentation claim, the plaintiffs argued Yolo's anonymous messaging capability was similarly risky, an argument the Ninth Circuit didn't buy -- "we refuse to endorse a theory that would classify anonymity as a per se inherently unreasonable risk," Siler wrote.

The Courts

US Sues Georgia Tech Over Alleged Cybersecurity Failings As a Pentagon Contractor (theregister.com)

The Register's Connor Jones reports: The U.S. is suing one of its leading research universities over a litany of alleged failures to meet cybersecurity standards set by the Department of Defense (DoD) for contract awardees. Georgia Institute of Technology (GIT), commonly referred to as Georgia Tech, and its contracting entity, Georgia Tech Research Corporation (GTRC), are being investigated following whistleblower reports from insiders Christopher Craig and Kyle Koza about alleged (PDF) failures to protect controlled unclassified information (CUI). The series of allegations dates back to 2019 and continued for years after, although Koza was said to have identified the issues as early as 2018.

Among the allegations is the suggestion that between May 2019 and February 2020, Georgia Tech's Astrolavos Lab -- ironically a group that focuses on cybersecurity issues affecting national security -- failed to develop and implement a cybersecurity plan that complied with DoD standards (NIST 800-171). When the plan was implemented in February 2020, the lawsuit alleges that it wasn't properly scoped -- not all the necessary endpoints were included -- and that for years afterward, Georgia Tech failed to maintain that plan in line with regulations. Additionally, the Astrolavos Lab was accused of failing to implement anti-malware solutions across devices and the lab's network. The lawsuit alleges that the university approved the lab's refusal to deploy the anti-malware software "to satisfy the demands of the professor that headed the lab," the DoJ said. This is claimed to have occurred between May 2019 and December 2021. Refusing to install anti-malware solutions at a contractor like this is not allowed. In fact, it violates federal requirements and Georgia Tech's own policies, but allegedly happened anyway.

The university and the GTRC also, it is claimed, submitted a false cybersecurity assessment score in December 2020 -- a requirement for all DoD contractors to demonstrate they're meeting compliance standards. The two organizations are accused of issuing themselves a score of 98, which was later deemed to be fraudulent based on various factors. To summarize, the issue centers around the claim that the assessment was carried out on a "fictitious" environment, so on that basis the score wasn't given to a system related to the DoD contract, the US alleges. The claims are being made under the False Claims Act (FCA), which is being utilized by the Civil Cyber-Fraud Initiative (CCFI), which was introduced in 2021 to punish entities that knowingly risk the safety of United States IT systems. It's a first-of-its-kind case being pursued as part of the CCFI. All previous cases brought under the CCFI were settled before they reached the litigation stage.

Patents

Crayola Trademarks the Smell of Its Crayons (financialpost.com)

An anonymous reader quotes a report from the Financial Post: You may find yourself smelling crayons in the aisles of stores soon -- if Crayola's chief executive Pete Ruggiero has his way. In July, the U.S. Patent and Trademark Office issued a trademark to the arts and crafts giant for the smell of its crayons -- that waxy scent of a childhood spent trying to color within the lines. While it's too soon for this back-to-school season, Ruggiero imagines one day pumping it through the aisles of retailers, triggering nostalgia while shoppers are browsing and hopefully buying more crayons.

Crayola, a unit of Hallmark, first applied for the trademark in 2018 and was initially turned down less than a year later, but won its bid on appeal. During the process, the company shared examples of its own crayons as well as competitors to verify the distinctiveness. It's a "slightly earthy soap with pungent, leather-like clay undertones," according to the trademark documents.
"We've been talking about doing it for years," Ruggiero said about the trademark. "That Crayola smell, there's a connection between the smell and childhood memories that is very powerful."
Education

Fluoride At Twice the Recommended Limit Is Linked To Lower IQ In Kids (apnews.com)

An anonymous reader quotes a report from the Associated Press: A U.S. government report expected to stir debate concluded that fluoride in drinking water at twice the recommended limit is linked with lower IQ in children. The report, based on an analysis of previously published research, marks the first time a federal agency has determined -- "with moderate confidence" -- that there is a link between higher levels of fluoride exposure and lower IQ in kids. While the report was not designed to evaluate the health effects of fluoride in drinking water alone, it is a striking acknowledgment of a potential neurological risk from high levels of fluoride. Fluoride strengthens teeth and reduces cavities by replacing minerals lost during normal wear and tear, according to the U.S. Centers for Disease Control and Prevention. The addition of low levels of fluoride to drinking water has long been considered one of the greatest public health achievements of the last century.

The long-awaited report released Wednesday comes from the National Toxicology Program, part of the Department of Health and Human Services. It summarizes a review of studies, conducted in Canada, China, India, Iran, Pakistan, and Mexico, that concludes that drinking water containing more than 1.5 milligrams of fluoride per liter is consistently associated with lower IQs in kids. The report did not try to quantify exactly how many IQ points might be lost at different levels of fluoride exposure. But some of the studies reviewed in the report suggested IQ was 2 to 5 points lower in children who'd had higher exposures.

Since 2015, federal health officials have recommended a fluoridation level of 0.7 milligrams per liter of water, and for five decades before that, the recommended upper range was 1.2. The World Health Organization has set a safe limit for fluoride in drinking water of 1.5. The report said that about 0.6% of the U.S. population -- about 1.9 million people -- are on water systems with naturally occurring fluoride levels of 1.5 milligrams or higher. The 324-page report did not reach a conclusion about the risks of lower levels of fluoride, saying more study is needed. It also did not answer what high levels of fluoride might do to adults.

The Almighty Buck

Telecom Behind AI Biden Robocall Settles With FCC For $1 Million (cyberscoop.com)

New submitter ElimGarak000 shares a report from CyberScoop: The Texas-based voice service provider that sent AI-generated robocalls of President Joe Biden to New Hampshire voters ahead of its Democratic presidential primary has agreed to pay a $1 million fine and implement enhanced verification protocols designed to prevent robocalls and phone number spoofing in a settlement with the Federal Communications Commission. The fine represents half the amount the FCC was originally seeking in an enforcement action proposed against Lingo Telecom in May. Despite that, agency leaders characterized the settlement (PDF) as a successful effort to defend U.S. telecommunications networks and election infrastructure from nascent AI and deepfake technologies. [...]

In addition to the fine, the settlement requires Lingo Telecom to follow regulatory protocols that were put in place in 2020 to ensure telecommunications carriers authenticate caller identities using their networks. The protocols, known as STIR/SHAKEN, require carriers like Lingo to digitally verify and formally attest to the FCC that callers are legitimate and own the phone number they display on Caller ID. In the New Hampshire robocall case, Kramer and Life Corporation spoofed the phone number of Kathy Sullivan, a former state Democratic party official who was running a write-in campaign for Biden.

The FCC cited Lingo's inability to properly implement and enforce STIR/SHAKEN as a key failure in a February cease-and-desist letter, and again in May when the agency proposed a $2 million enforcement action. The company was also named in a civil lawsuit filed by the League of Women Voters and New Hampshire residents, seeking damages over the incident. Per terms of the settlement, Lingo Telecom must hire a senior manager knowledgeable in STIR/SHAKEN protocols and develop a compliance plan, new operating procedures and training programs. They must also report any incidents of non-compliance with STIR/SHAKEN within 15 days of discovery.
"Every one of us deserves to know that the voice on the line is exactly who they claim to be," FCC Chairwoman Jessica Rosenworcel said in a statement. "If AI is being used, that should be made clear to any consumer, citizen, and voter who encounters it. The FCC will act when trust in our communications networks is on the line."
Crime

Crypto 'Pig Butchering' Scam Wrecks Kansas Bank, Sends Ex-CEO To Prison For 24 Years (nbcnews.com)

An anonymous reader quotes a report from NBC News: The former CEO of a small Kansas bank was sentenced to more than 24 years in prison for looting the bank of $47 million -- which he sent to cryptocurrency wallets controlled by scammers who had duped him in a "pig butchering" scheme that appealed to his greed, federal prosecutors said. The massive embezzlement by ex-CEO Shan Hanes in a series of wire transfers over just eight weeks last year led to the collapse and FDIC takeover of Heartland Tri-State Bank in Elkhart, one of only five U.S. banks that failed in 2023. Hanes, 53, also swindled funds from a local church and investment club -- and a daughter's college savings account -- to transfer money, purportedly to buy cryptocurrency as the scammers insisted they needed more funds to unlock the supposed returns on his investments, according to records from U.S. District Court in Wichita, Kansas. But Hanes never realized any profit and lost all of the money he stole as a result of the scam. Judge John Broomes on Monday sentenced Hanes to 293 months in prison -- 29 months more than what prosecutors requested after he pleaded guilty in May to a single count of embezzlement by a bank officer. [...]

[P]rosecutors and bank regulators said that Hanes, who has three daughters with his school teacher wife, began stealing after being targeted in a pig-butchering scheme in late 2022. That scheme was described in a court filing as "a scammer convincing a victim (a pig) to invest in supposedly legitimate virtual currency investment opportunities and then steals the victim's money -- butchering the pig." Hanes, who had served on the board of the American Bankers Association, and been chairman of the Kansas Bankers Association, in December 2022 began making transactions to buy cryptocurrency, which "appeared to be precipitated by communication with an unidentified co-conspirator on the electronic messaging app 'WhatsApp,'" prosecutors wrote in a court filing. "To date, the true identity of the co-conspirator, or conspirators, remain unknown," the filing notes. Hanes initially used personal funds to buy crypto, but in early 2023 he stole $40,000 from Elkhart Church of Christ and $10,000 from the Santa Fe Investment Club, according to prosecutors and a defense filing. He also used $60,000 taken from a daughter's college fund, and nearly $1 million in stock from the Elkhart Financial Corporation, his lawyer said in a filing.

In May 2023, he began to make wire transfers from Heartland Tri-State Bank to accounts controlled by scammers, at first with a $5,000 transfer. Two weeks later, on May 30, Hanes wired $1.5 million, and the following day he sent another transfer of the same amount, filings show. Three days later he directed two wire transfers totaling $6.7 million to be sent by the bank to the crypto wallet, and a whopping $10 million less than two weeks later, and another $3.3 million days afterward. Hanes told bank employees to execute the wire transfers, and "made many misrepresentations to various people" to get access to the funds so they could be transferred, prosecutors wrote. Heartland Tri-State employees circumvented the bank's own wire policy and daily limits to approve Hanes' wire transfers, according to a report by the Office of the Inspector General of the Board of Governors of the Federal Reserve System.

Google

Google Agrees To $250 Million Deal To Fund California Newsrooms, AI (politico.com)

Google has reached a groundbreaking deal with California lawmakers to contribute millions to local newsrooms, aiming to support journalism amid its decline as readers migrate online and advertising dollars evaporate. The agreement also includes a controversial provision for artificial intelligence funding. Politico reports: California emulated a strategy that other countries like Canada have used to try and reverse the journalism industry's decline as readership migrated online and advertising dollars evaporated. [...] Under the deal, the details of which were first reported by POLITICO on Monday, Google and the state of California would jointly contribute a minimum of $125 million over five years to support local newsrooms through a nonprofit public charity housed at UC Berkeley's journalism school. Google would contribute at least $55 million, and state officials would kick in at least $70 million. The search giant would also commit $50 million over five years to unspecified "existing journalism programs."

The deal would also steer millions in tax-exempt private dollars toward an artificial intelligence initiative that people familiar with the negotiations described as an effort to cultivate tech industry buy-in. Funding for artificial intelligence was not included in the bill at the core of negotiations, authored by Assemblymember Buffy Wicks. The agreement has drawn criticism from a journalists' union that had so far championed Wicks' effort. Media Guild of the West President Matt Pearce in an email to union members Sunday evening said such a deal would entrench "Google's monopoly power over our newsrooms."
"This public-private partnership builds on our long history of working with journalism and the local news ecosystem in our home state, while developing a national center of excellence on AI policy," said Kent Walker, chief legal officer for Alphabet, the parent company of Google.

Media Guild of the West President Matt Pearce wasn't so chipper. He criticized the plan in emails with union members, calling it a "total rout of the state's attempts to check Google's stranglehold over our newsrooms."
Privacy

Microsoft Copilot Studio Exploit Leaks Sensitive Cloud Data (darkreading.com)

An anonymous reader quotes a report from Dark Reading: Researchers have exploited a vulnerability in Microsoft's Copilot Studio tool allowing them to make external HTTP requests that can access sensitive information regarding internal services within a cloud environment -- with potential impact across multiple tenants. Tenable researchers discovered the server-side request forgery (SSRF) flaw in the chatbot creation tool, which they exploited to access Microsoft's internal infrastructure, including the Instance Metadata Service (IMDS) and internal Cosmos DB instances, they revealed in a blog post this week. Tracked by Microsoft as CVE-2024-38206, the flaw allows an authenticated attacker to bypass SSRF protection in Microsoft Copilot Studio to leak sensitive cloud-based information over a network, according to a security advisory associated with the vulnerability. The flaw exists when combining an HTTP request that can be created using the tool with an SSRF protection bypass, according to Tenable.

"An SSRF vulnerability occurs when an attacker is able to influence the application into making server-side HTTP requests to unexpected targets or in an unexpected way," Tenable security researcher Evan Grant explained in the post. The researchers tested their exploit to create HTTP requests to access cloud data and services from multiple tenants. They discovered that "while no cross-tenant information appeared immediately accessible, the infrastructure used for this Copilot Studio service was shared among tenants," Grant wrote. Any impact on that infrastructure, then, could affect multiple customers, he explained. "While we don't know the extent of the impact that having read/write access to this infrastructure could have, it's clear that because it's shared among tenants, the risk is magnified," Grant wrote. The researchers also found that they could use their exploit to access other internal hosts unrestricted on the local subnet to which their instance belonged. Microsoft responded quickly to Tenable's notification of the flaw, and it has since been fully mitigated, with no action required on the part of Copilot Studio users, the company said in its security advisory.
Further reading: Slack AI Can Be Tricked Into Leaking Data From Private Channels
Chrome

Google Can't Defend Shady Chrome Data Hoarding As 'Browser Agnostic,' Court Says (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Chrome users who declined to sync their Google accounts with their browsing data secured a big privacy win this week after previously losing a proposed class action claiming that Google secretly collected personal data without consent from over 100 million Chrome users who opted out of syncing. On Tuesday, the 9th US Circuit Court of Appeals reversed (PDF) the prior court's finding that Google had properly gained consent for the contested data collection. The appeals court said that the US district court had erred in ruling that Google's general privacy policies secured consent for the data collection. The district court failed to consider conflicts with Google's Chrome Privacy Notice (CPN), which said that users' "choice not to sync Chrome with their Google accounts meant that certain personal information would not be collected and used by Google," the appeals court ruled.

Rather than analyzing the CPN, it appears that the US district court completely bought into Google's argument that the CPN didn't apply because the data collection at issue was "browser agnostic" and occurred whether a user was browsing with Chrome or not. But the appeals court -- by a 3-0 vote -- did not. In his opinion, Circuit Judge Milan Smith wrote that the "district court should have reviewed the terms of Google's various disclosures and decided whether a reasonable user reading them would think that he or she was consenting to the data collection." "By focusing on 'browser agnosticism' instead of conducting the reasonable person inquiry, the district court failed to apply the correct standard," Smith wrote. "Viewed in the light most favorable to Plaintiffs, browser agnosticism is irrelevant because nothing in Google's disclosures is tied to what other browsers do."

Smith seemed to suggest that the US district court wasted time holding a "7.5-hour evidentiary hearing which included expert testimony about 'whether the data collection at issue'" was "browser-agnostic." "Rather than trying to determine how a reasonable user would understand Google's various privacy policies," the district court improperly "made the case turn on a technical distinction unfamiliar to most 'reasonable'" users, Smith wrote. Now, the case has been remanded to the district court where Google will face a trial over the alleged failure to get consent for the data collection. If the class action is certified, Google risks owing currently unknown damages to any Chrome users who opted out of syncing between 2016 and 2024. According to Smith, the key focus of the trial will be weighing the CPN terms and determining "what a 'reasonable user' of a service would understand they were consenting to, not what a technical expert would."

Privacy

US Feds Are Tapping a Half-Billion Encrypted Messaging Goldmine (404media.co)

An anonymous reader shares a report: U.S. agencies are increasingly accessing parts of a half-billion encrypted chat message haul that has rocked the global organized crime underground, using the chats as part of multiple drug trafficking prosecutions, according to a 404 Media review of U.S. court records. In particular, U.S. authorities are using the chat messages to prosecute alleged maritime drug smugglers who traffic cocaine using speedboats and commercial ships.

The court records show the continued fallout of the massive hack of encrypted phone company Sky in 2021, in which European agencies obtained the intelligence goldmine of messages despite Sky being advertised as end-to-end encrypted. European authorities have used those messages as the basis for many prosecutions and drug seizures across the continent. Now, it's clear that the blast radius extends to the United States.

Privacy

Slack AI Can Be Tricked Into Leaking Data From Private Channels (theregister.com)

Slack AI, an add-on assistive service available to users of Salesforce's team messaging service, is vulnerable to prompt injection, according to security firm PromptArmor. From a report: The AI service provides generative tools within Slack for tasks like summarizing long conversations, finding answers to questions, and summarizing rarely visited channels.

"Slack AI uses the conversation data already in Slack to create an intuitive and secure AI experience tailored to you and your organization," the messaging app provider explains in its documentation. Except it's not that secure, as PromptArmor tells it. A prompt injection vulnerability in Slack AI makes it possible to fetch data from private Slack channels.

Privacy

Toyota Confirms Breach After Stolen Data Leaks On Hacking Forum (bleepingcomputer.com)

Toyota confirmed a breach of its network after 240GB of data, including employee and customer information, was leaked on a hacking forum by a threat actor. The company has not provided details on how or when the breach occurred. BleepingComputer reports: ZeroSevenGroup (the threat actor who leaked the stolen data) says they breached a U.S. branch and were able to steal 240GB of files with information on Toyota employees and customers, as well as contracts and financial information. They also claim to have collected network infrastructure information, including credentials, using the open-source ADRecon tool that helps extract vast amounts of information from Active Directory environments.

"We have hacked a branch in United States to one of the biggest automotive manufacturer in the world (TOYOTA). We are really glad to share the files with you here for free. The data size: 240 GB," the threat actor claims. "Contents: Everything like Contacts, Finance, Customers, Schemes, Employees, Photos, DBs, Network infrastructure, Emails, and a lot of perfect data. We also offer you AD-Recon for all the target network with passwords." While Toyota hasn't shared the date of the breach, BleepingComputer found that the files had been stolen or at least created on December 25, 2022. This date could indicate that the threat actor gained access to a backup server where the data was stored.
"We are aware of the situation. The issue is limited in scope and is not a system wide issue," Toyota told BleepingComputer. The company added that it's "engaged with those who are impacted and will provide assistance if needed."
Businesses

Federal Judge Strikes Down Ban On Worker 'Noncompete' Agreements (reuters.com)

U.S. District Judge Ada Brown in Dallas blocked the FTC's rule banning noncompete agreements, arguing the FTC lacks authority to implement such broad regulations and did not adequately justify the sweeping prohibition. Reuters reports: Brown had temporarily blocked the rule in July while she considered a bid by the U.S. Chamber of Commerce, the country's largest business lobby, and tax service firm Ryan to strike it down entirely. The rule was set to take effect Sept. 4. Brown in her ruling said that even if the FTC had the power to adopt the rule, the agency had not justified banning virtually all noncompete agreements. "The Commission's lack of evidence as to why they chose to impose such a sweeping prohibition ... instead of targeting specific, harmful non-competes, renders the Rule arbitrary and capricious," wrote Brown, an appointee of Republican former President Donald Trump.

FTC spokesperson Victoria Graham said the agency was disappointed with the ruling and is "seriously considering a potential appeal." "Today's decision does not prevent the FTC from addressing noncompetes through case-by-case enforcement actions," Graham said in a statement. The Democratic-controlled FTC approved the ban on noncompete agreements in a 3-2 vote in May. The commission and supporters of the rule say the agreements are an unfair restraint on competition that violate U.S. antitrust law and suppress workers' wages and mobility.

Movies

'The Pirate Bay' TV Series Teaser Appears Online (torrentfreak.com) 17

A new TV series is capturing the dramatic saga of The Pirate Bay, the notorious file-sharing website that openly challenged the entertainment industry in the early 2000s. A just-launched teaser is available on YouTube. TorrentFreak reports: A few years ago, news broke that The Pirate Bay story was being turned into a TV series. Written by Piotr Marciniak and directed by Jens Sjogren, who also made the "I am Zlatan" documentary, production was in the hands of B-Reel Films, working for the Swedish broadcaster SVT. American distribution company Dynamic Television scooped up worldwide rights. As far as we know, international deals have not yet been announced. The Swedish premiere on November 8 is coming closer, however, and a few days ago SVT released an official teaser.

The founders of The Pirate Bay -- Anakata, Brokep and Tiamo -- are played by Arvid Swedrup, Simon Greger Carlsson and Willjam Lempling. The teaser doesn't give away much, but it's interesting that one of The Pirate Bay's infamous responses to legal threats features prominently. The teaser quotes from Anakata's response to a letter from DreamWorks, written twenty years ago. The movie company sent a DMCA takedown notice requesting the removal of a torrent for the film Shrek 2, but the reply was not what they had hoped for. "As you may or may not be aware, Sweden is not a state in the United States of America. Sweden is a country in northern Europe. Unless you figured it out by now, US law does not apply here," Anakata wrote. "It is the opinion of us and our lawyers that you are ........ morons, and that you should please go sodomize yourself with retractable batons."

The response was public information and made it into the series. Whether there will be any new revelations has yet to be seen, however, as none of the site's founders were actively involved in production. Instead, the producers used interviews with other people involved, plus the vast amount of public information available on the Internet. That includes the infamous responses to legal threats. Time will tell how the producers and director have decided to tell this story. Production took place in Stockholm, Sweden, but also ventured to other countries, including Chile and Thailand, where Fredrik Neij was arrested and paraded in front of the press in 2014.

The Courts

Authors Sue Anthropic For Copyright Infringement Over AI Training (reuters.com) 57

AI company Anthropic has been hit with a class-action lawsuit in California federal court by three authors who say it misused their books and hundreds of thousands of others to train its AI-powered chatbot Claude. From a report: The complaint, filed on Monday by writers and journalists Andrea Bartz, Charles Graeber and Kirk Wallace Johnson, said that Anthropic used pirated versions of their works and others to teach Claude to respond to human prompts.

The lawsuit joins several other high-stakes complaints filed by copyright holders including visual artists, news outlets and record labels over the material used by tech companies to train their generative artificial intelligence systems. Separate groups of authors have sued OpenAI and Meta over the companies' alleged misuse of their work to train the large-language models underlying their chatbots.

Privacy

National Public Data Published Its Own Passwords (krebsonsecurity.com) 35

Security researcher Brian Krebs writes: New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans' Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today. In April, a cybercriminal named USDoD began selling data stolen from NPD. In July, someone leaked what was taken, including the names, addresses, phone numbers and in some cases email addresses for more than 272 million people (including many who are now deceased). NPD acknowledged the intrusion on Aug. 12, saying it dates back to a security incident in December 2023. In an interview last week, USDoD blamed the July data leak on another malicious hacker who also had access to the company's database, which they claimed has been floating around the underground since December 2023.

Following last week's story on the breadth of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property -- the background search service recordscheck.net -- was hosting an archive that included the usernames and password for the site's administrator. A review of that archive, which was available from the Records Check website until just before publication this morning (August 19), shows it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages. The exposed archive, which was named "members.zip," indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not. According to the breach tracking service Constella Intelligence, the passwords included in the source code archive are identical to credentials exposed in previous data breaches that involved email accounts belonging to NPD's founder, an actor and retired sheriff's deputy from Florida named Salvatore "Sal" Verini.

Reached via email, Mr. Verini said the exposed archive (a .zip file) containing recordscheck.net credentials has been removed from the company's website, and that the site is slated to cease operations "in the next week or so." "Regarding the zip, it has been removed but was an old version of the site with non-working code and passwords," Verini told KrebsOnSecurity. "Regarding your question, it is an active investigation, in which we cannot comment on at this point. But once we can, we will [be] with you, as we follow your blog. Very informative." The leaked recordscheck.net source code indicates the website was created by a web development firm based in Lahore, Pakistan called creationnext.com, which did not return messages seeking comment. CreationNext.com's homepage features a positive testimonial from Sal Verini.
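The two failures Krebs describes, a web-root archive that ships plaintext credentials and a user base that was mass-assigned one default password, are both cheap to catch before publication. The following is an added example, not NPD's or RecordsCheck's code; the archive, file names and user rows are constructed for illustration, and the regexes are a starting point rather than a complete secrets scanner.

```python
"""Offline checks for the failure modes described in the story: a zip of site
source that contains credential literals, and a user table where many accounts
still share one (default) password. Added example with constructed data."""
import io
import re
import zipfile

# Credential-looking assignments in PHP / .env / INI / JSON / YAML style source.
# Group 1 is the key name, group 2 the literal value.
CRED_PATTERNS = [
    re.compile(r"""(?i)([A-Za-z_]*(?:pass(?:word|wd)?|pwd|secret|api_key)[A-Za-z_]*)"""
               r"""['"]?\s*(?:=>|=|:)\s*['"]([^'"]{4,})['"]"""),
    # PHP constants: define('DB_PASSWORD', '...')
    re.compile(r"""(?i)define\s*\(\s*['"]([A-Za-z_]*(?:PASS(?:WORD|WD)?|SECRET|API_KEY)[A-Za-z_]*)['"]"""
               r"""\s*,\s*['"]([^'"]+)['"]"""),
]
TEXT_EXTS = (".php", ".inc", ".ini", ".env", ".cfg", ".conf", ".json",
             ".yml", ".yaml", ".txt", ".sql", ".py")


def scan_archive(data: bytes):
    """Return (path, line, key, value) for every credential literal in the zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEXT_EXTS):
                continue  # skip directories and binaries such as images
            text = zf.read(info).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                for pat in CRED_PATTERNS:
                    for m in pat.finditer(line):
                        findings.append((info.filename, lineno, m.group(1), m.group(2)))
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for a 'members.zip' that should never have shipped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.php", "<?php\n$db_host = 'localhost';\n$db_user = 'admin';\n"
                                  "$db_pass = 'Example1';\ndefine('DB_PASSWORD', 'hunter22');\n")
        zf.writestr("includes/mailer.php", "<?php\n$smtp_password = \"notasecret\";\n")
        zf.writestr("README.txt", "Install notes. No credentials here.\n")
        zf.writestr("settings.json",
                    '{"smtp_host": "mail.example.test", "api_key": "AKIA-CONSTRUCTED-NOT-REAL"}\n')
        zf.writestr("logo.png", b"\x89PNG\r\n\x1a\n")  # binary, skipped by extension
    return buf.getvalue()


# Constructed user table: the story says every user started with the same
# six-character password and many never changed it.
SAMPLE_USERS = [
    ("alice", "abc123"), ("bob", "abc123"), ("carol", "Xk!9qLm2"),
    ("dave", "abc123"), ("erin", "abc123"), ("frank", "c0rrectH0rse"),
]


def shared_passwords(rows, min_accounts=3):
    """Passwords used by min_accounts or more users. A mass-assigned default
    shows up here even if you do not know what the default was."""
    by_pw = {}
    for user, pw in rows:
        by_pw.setdefault(pw, []).append(user)
    return {pw: users for pw, users in by_pw.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    for path, line, key, value in scan_archive(build_sample_archive()):
        print(f"{path}:{line}: {key} = {value[:3]}***")
    for pw, users in shared_passwords(SAMPLE_USERS).items():
        print(f"password shared by {len(users)} accounts: {users}")
```

Run the scanner against the exact artifact that will be served (the zip, not the checked-out tree), since a stale build can carry credentials the current source no longer has; the frequency check works on a plaintext or unsalted-hash column alike, because identical inputs collide either way.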

AI

Wyoming Voters Face Mayoral Candidate Who Vows To Let AI Bot Run Government 51

An anonymous reader quotes a report from The Guardian: Voters in Wyoming's capital city on Tuesday are faced with deciding whether to elect a mayoral candidate who has proposed to let an artificial intelligence bot run the local government. Earlier this year, the candidate in question -- Victor Miller -- filed for him and his customized ChatGPT bot, named Vic (Virtual Integrated Citizen), to run for mayor of Cheyenne, Wyoming. He has vowed to helm the city's business with the AI bot if he wins. Miller has said that the bot is capable of processing vast amounts of data and making unbiased decisions. In what AI experts say is a first for US political campaigns, Miller and Vic have told local news outlets in interviews that their form of proposed governance is a "hybrid approach." The AI bot told Your Wyoming Link that its role would be to provide data-driven insights and innovative solutions for Cheyenne. Meanwhile, Vic said, the human elected office contender, Miller, would serve as the official mayor if chosen by voters and would ensure that "all actions are legally and practically executed."

"It's about blending AI's capabilities with human judgment to effectively lead Cheyenne," the bot said. The bot said it did not have political affiliations -- and its goal is to "focus on data-driven practical solutions that benefit the community." During a meet-and-greet this summer, the Washington Post reported that the AI bot was asked how it would go about making decisions "according to human factor, involving humans, and having to make a decision that affects so many people." "Making decisions that affect many people requires a careful balance of data-driven insights and human empathy," the AI bot responded, according to an audio recording obtained and published by the Washington Post. Vic then ran through a multi-part plan that suggested using AI technology to gather data on public opinion and feedback from the community, holding town hall meetings to listen to residents' concerns, consulting experts in relevant fields, evaluating the human impact of the decision and providing transparency about the decision-making. According to Wyoming Public Media, Miller has also pledged that he would donate half the mayoral salary to a non-profit if he is elected. The other half could be used to continually improve the AI bot, he said.

Miller has faced some pushback since announcing his mayoral campaign. Wyoming's Secretary of State, Chuck Gray, launched an investigation to determine if the AI bot could legally appear on the ballot, citing state law that says only real people that are registered to vote can run for office. City officials clarified that Miller is the actual candidate, so he was allowed to continue. However, Laramie County ruled that only Miller's name would appear on the ballot, not the bot's.

OpenAI later shut down Miller's account, but he quickly created a new one and continued his campaign.

The Courts

Ticketmaster's Nontransferable 'SafeTix' Are Anticompetitive, DOJ Suit Claims (theverge.com) 43

The Department of Justice has amended its antitrust lawsuit against Ticketmaster and Live Nation, alleging that Ticketmaster's introduction of nontransferable tickets and the SafeTix system was primarily intended to stifle competition from rival platforms like StubHub and SeatGeek, rather than merely to reduce ticket fraud. "The complaint, which was amended on Monday after 10 states joined the DOJ's lawsuit, cites internal Ticketmaster documents obtained during the legal process," notes The Verge. From the report: In 2019, Ticketmaster rolled out SafeTix, which replaced static barcodes on electronic tickets with encrypted barcodes that refresh every 15 seconds. Ticketmaster marketed SafeTix as a way of reducing ticket fraud, but the complaint claims reducing competition was "a primary motivation" for the new ticketing system. [...] The amended complaint includes new information about Ticketmaster's dominance of the events market. One internal Live Nation document cited in the complaint notes that Ticketmaster is the primary ticketer for approximately 80 percent of arenas across the country that host NBA or NHL teams. As of 2022, Live Nation-promoted events accounted for 70 percent of all amphitheater shows across the country, according to internal Live Nation events mentioned in the complaint.

The DOJ alleges that because of Ticketmaster's conduct, consumers have "paid more and continue to pay more for fees relating to tickets to live events than they would have paid in a free and open competitive market." The exact amount of monetary harm is still unknown, the complaint claims, and will require discovery from Ticketmaster and Live Nation's books, as well as from its third-party competitors.
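The report's one technical detail is that SafeTix replaced static barcodes with codes that refresh every 15 seconds. The block below is an added illustration of a generic time-windowed HMAC token, not Ticketmaster's implementation (which the article does not describe), to show why a screenshot or forwarded image of such a barcode stops validating once the window has passed while the app holding the per-ticket secret keeps producing fresh codes. The secret, ticket ID, window length and 10-byte tag truncation are all assumptions.

```python
"""Generic rotating barcode token: HMAC over (ticket id, time window).
Added example; not SafeTix. Secret and ticket id are constructed."""
import base64
import hashlib
import hmac
import struct

WINDOW_SECONDS = 15  # the rotation interval the complaint cites


def _window(ts: float) -> int:
    return int(ts // WINDOW_SECONDS)


def _tag(ticket_secret: bytes, ticket_id: str, window: int) -> str:
    msg = ticket_id.encode() + b"|" + struct.pack(">Q", window)
    digest = hmac.new(ticket_secret, msg, hashlib.sha256).digest()[:10]
    return base64.b32encode(digest).decode().rstrip("=")


def make_token(ticket_secret: bytes, ticket_id: str, ts: float) -> str:
    """What the holder's app would encode in the barcode at time ts."""
    return _tag(ticket_secret, ticket_id, _window(ts))


def verify_token(ticket_secret: bytes, ticket_id: str, token: str,
                 now: float, skew_windows: int = 1) -> bool:
    """Accept only the current window (plus/minus skew for clock drift).
    A code captured earlier fails as soon as it falls outside that range."""
    current = _window(now)
    for delta in range(-skew_windows, skew_windows + 1):
        if hmac.compare_digest(_tag(ticket_secret, ticket_id, current + delta), token):
            return True
    return False


if __name__ == "__main__":
    secret = b"constructed-per-ticket-secret"   # lives only in the holder's app
    t0 = 1_700_000_000.0
    code = make_token(secret, "TKT-0001", t0)
    print("live scan  :", verify_token(secret, "TKT-0001", code, t0 + 5))   # True
    print("screenshot :", verify_token(secret, "TKT-0001", code, t0 + 60))  # False
```

Without the per-ticket secret a second party cannot mint the next code, which is the property that makes the ticket effectively bound to one account; whether that binding was chosen to fight fraud or to exclude resale platforms is the question the amended complaint puts to the court.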
