Security

ChatGPT is Leaking Passwords From Private Conversations of Its Users - Report (arstechnica.com)

Dan Goodin, reporting for ArsTechnica: ChatGPT is leaking private conversations that include login credentials and other personal details of unrelated users, screenshots submitted by an Ars reader on Monday indicated. Two of the seven screenshots the reader submitted stood out in particular. Both contained multiple pairs of usernames and passwords that appeared to be connected to a support system used by employees of a pharmacy prescription drug portal. An employee using the AI chatbot seemed to be troubleshooting problems they encountered while using the portal.

"THIS is so f-ing insane, horrible, horrible, horrible, i cannot believe how poorly this was built in the first place, and the obstruction that is being put in front of me that prevents it from getting better," the user wrote. "I would fire [redacted name of software] just for this absurdity if it was my choice. This is wrong." Besides the candid language and the credentials, the leaked conversation includes the name of the app the employee is troubleshooting and the store number where the problem occurred. The entire conversation goes well beyond what's shown in the redacted screenshot above. A link Ars reader Chase Whiteside included showed the chat conversation in its entirety. The URL disclosed additional credential pairs. The results appeared Monday morning shortly after reader Whiteside had used ChatGPT for an unrelated query.

United Kingdom

UK To Ban Disposable Vapes (nytimes.com)

In an announcement earlier today, Prime Minister Rishi Sunak said single-use vapes will be banned in Britain, with certain flavors restricted and regulations put in place around their packaging and displays. The New York Times reports: Mr. Sunak said that the ban, which is part of legislation that still has to be approved by Parliament, was intended to halt "one of the most worrying trends at the moment," before it becomes "endemic." "The long-term impacts of vaping are unknown and the nicotine within them can be highly addictive, so while vaping can be a useful tool to help smokers quit, marketing vapes to children is not acceptable," he said in a statement. Andrea Leadsom, Britain's health minister, said the measures were intended to make sure that vapes were aimed at adults who were quitting smoking, rather than children.

"Nicotine is highly addictive -- and so it is completely unacceptable that children are getting their hands on these products, many of which are undeniably designed to appeal to young people," she said in a statement. [...] While it is not illegal for people under 18 to smoke or vape in Britain, it is illegal for those products to be sold to them. By banning disposable vapes, and restricting the flavors and packaging of refillable vapes, the government hopes to make it far less likely that young people will experiment with e-cigarettes.

Transportation

NYC Wants To Create a First-of-Its Kind Department To Regulate App Based Delivery (fastcompany.com)

With the increasing adoption of e-bikes and drones for efficient, eco-friendly delivery services, New York is proposing the Department of Sustainable Delivery to regulate these services, focusing on safety, data sharing, and operational permits to ease congested lanes. Fast Company reports: The first step of the new department will be a task force made up of tech, transportation, labor, and government representatives. There are currently some city regulations around delivery operations, but they're fragmented; the Department of Consumer and Worker Protection, for example, has addressed delivery worker rights (and recently announced a new minimum pay rate for app-based food delivery workers), while the Department of Transportation focuses on commercial delivery, and has taken steps to address delivery cargo bikes. "We don't have a place where every company that wants to dispatch in volume and move freight [and goods] around in the city on a micro level comes through and has to show that they're going to meet certain requirements," [New York City Deputy Mayor of Operations Meera Joshi] says.

Managers of truck delivery fleets often track their drivers' performance and behavior with tools like GPS; through the new department, micromobility app companies may be required to share their GPS delivery data with the city. That data might reveal more about how long delivery riders are working, or how heavy cargo bikes' loads are, which could lead to new regulations. Joshi also points to e-bike fires and rising e-bike rider deaths as red flags that signal the need for more oversight and legislation, which could prevent future tragedies. More information about where and when these deliveries are happening could also help the city adapt its infrastructure to this growing market. "As more and more of the city is feeling the effects of the commercialization of bike lanes, we certainly do have to rethink how wide our bike lanes are, what they are there to accommodate, does there need to be some separation between motorized and nonmotorized [bikes]?" Joshi says. "But these things need to be informed." The city is already making some such updates. Last summer, it upgraded a stretch of 10th Avenue to include a 10-foot-wide bike lane, to better allow regular cyclists and delivery e-bikes to coexist.

Tech advancements often move faster than the government, resulting in a game of legislative catch up for cities. Joshi says New York City is thinking about micromobility in this way because "we've seen this movie before," referring to tech disruption, "and we'd like a different ending." While Joshi knows that companies may bristle at the increased oversight, she says being proactive about these issues and taking steps to address them will likely help the firms and their public perception long-term. And not addressing micromobility challenges now could also impede larger climate progress. "If we are not able to show that we have a comprehensive framework, show that we're able to manage what we have today and prepare for the unknown, we could have people, saying 'it was better when [delivery] was in trucks,'" Joshi says, "and that would actually be probably the worst thing for the environment."

Data Storage

Japan Will No Longer Require Floppy Disks For Submitting Some Official Documents (engadget.com)

Japan is aiming to phase out floppy disks and CD-ROMs, which until now were forms of physical media required for submitting some official documents to the government. Engadget reports: Back in 2022, Minister of Digital Affairs Taro Kono urged various branches of the government to stop requiring businesses to submit information on outdated forms of physical media. The Ministry of Economy, Trade and Industry (METI) is one of the first to make the switch. "Under the current law, there are many provisions stipulating the use of specific recording media such as floppy disks regarding application and notification methods," METI said last week, according to The Register. After this calendar year, METI will no longer require businesses to submit data on floppy disks under 34 ordinances. The same goes for CD-ROMs when it comes to an unspecified number of procedures. There's still quite some way to go before businesses can stop using either format entirely, however.

Kono's staff identified some 1,900 protocols across several government departments that still require the likes of floppy disks, CD-ROMs and even MiniDiscs. The physical media requirements even applied to key industries such as utility suppliers, mining operations and aircraft and weapons manufacturers. There are a couple of main reasons why there's a push to stop using floppy disks, as SoraNews24 points out. One major factor is that floppy disks can be hard to come by. Sony, the last major manufacturer, stopped selling them in 2011. Another is that some data types just won't fit on a floppy disk. A single photo can easily be larger than the format's 1.4MB storage capacity.

Security

Mistakenly Published Password Exposes Mercedes-Benz Source Code (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Mercedes-Benz accidentally exposed a trove of internal data after leaving a private key online that gave "unrestricted access" to the company's source code, according to the security research firm that discovered it. Shubham Mittal, co-founder and chief technology officer of RedHunt Labs, alerted TechCrunch to the exposure and asked for help in disclosing to the car maker. The London-based cybersecurity company said it discovered a Mercedes employee's authentication token in a public GitHub repository during a routine internet scan in January. According to Mittal, this token -- an alternative to using a password for authenticating to GitHub -- could grant anyone full access to Mercedes's GitHub Enterprise Server, thus allowing the download of the company's private source code repositories.

"The GitHub token gave 'unrestricted' and 'unmonitored' access to the entire source code hosted at the internal GitHub Enterprise Server," Mittal explained in a report shared by TechCrunch. "The repositories include a large amount of intellectual property connection strings, cloud access keys, blueprints, design documents, [single sign-on] passwords, API Keys, and other critical internal information." Mittal provided TechCrunch with evidence that the exposed repositories contained Microsoft Azure and Amazon Web Services (AWS) keys, a Postgres database, and Mercedes source code. It's not known if any customer data was contained within the repositories. It's not known if anyone else besides Mittal discovered the exposed key, which was published in late-September 2023.
A Mercedes spokesperson confirmed that the company "revoked the respective API token and removed the public repository immediately."

"We can confirm that internal source code was published on a public GitHub repository by human error. The security of our organization, products, and services is one of our top priorities. We will continue to analyze this case according to our normal processes. Depending on this, we implement remedial measures."

The Courts

Tattoo Artist Kat Von D Wins Copyright Lawsuit Over Miles Davis Photo (billboard.com)

UnknowingFool writes: Jurors on Friday, January 26, 2024 ruled in favor of celebrity tattoo artist Kat Von D (real name Katherine von Drachenberg) in a copyright lawsuit regarding a photo of Miles Davis, finding that her use of the photo was not copyright infringement. The photographer of the photo, Jeffrey Sedlik, sued Von D in February 2021 after she used the photo as the basis for a tattoo she inked on a friend. Kat Von D, who gained fame in the reality shows about tattoo artists "LA Ink" and "Miami Ink", put the tattoo on her friend's arm in 2017 as a gift. The jury found that the tattoo was not "substantially similar" to the photo and was also persuaded that the non-commercial nature of the work meant her use of the photo would be fair use.

The plaintiff Sedlik said he is planning to appeal the ruling, arguing that it contradicts the Supreme Court ruling in Warhol Foundation vs Goldsmith (PDF), where the artist Andy Warhol made a silkscreen print of Lynn Goldsmith's photo of Prince. The main difference pointed out by Von D's lawyers is that Warhol charged $10,000 for his print, whereas Von D did not charge her friend for the tattoo, and that it was closer to "fan art".

AI

Following Lawsuit, Rep Admits 'AI' George Carlin Was Human-Written (arstechnica.com)

An anonymous reader shares a report: The estate of George Carlin has filed a federal lawsuit against the comedy podcast Dudesy for an hour-long comedy special sold as an AI-generated impression of the late comedian. But a representative for one of the podcast hosts behind the special now admits that it was actually written by a human. In the lawsuit, filed by Carlin manager Jerold Hamza in a California district court, the Carlin estate points out that the special, "George Carlin: I'm Glad I'm Dead," (which was set to "private" on YouTube shortly after the lawsuit was filed) presents itself as being created by an AI trained on decades worth of Carlin's material. That training would, by definition, involve making "unauthorized copies" of "Carlin's original, copyrighted routines" without permission in order "to fabricate a semblance of Carlin's voice and generate a Carlin stand-up comedy routine," according to the lawsuit.

Despite the presentation as an AI creation, there was a good deal of evidence that the Dudesy podcast and the special itself were not actually written by an AI, as Ars laid out in detail this week. And in the wake of this lawsuit, a representative for Dudesy host Will Sasso admitted as much to The New York Times. "It's a fictional podcast character created by two human beings, Will Sasso and Chad Kultgen," spokeswoman Danielle Del told the newspaper. "The YouTube video 'I'm Glad I'm Dead' was completely written by Chad Kultgen." Regardless of that admission, Carlin estate lawyer Josh Schiller told the Times that the lawsuit would move forward. "We don't know what they're saying to be true," he said. "What we will know is that they will be deposed. They will produce documents, and there will be evidence that shows one way or another how the show was created."

Transportation

California Bill Wants To Mandate Electronic 'Speed Limiters' in Cars (caranddriver.com)

"Someday in the not too distant future, it might no longer be possible to drive a brand-new car faster than 80 mph in California," writes Car and Driver: That's because state senator Scott Wiener earlier this week proposed a new bill that aims to prevent certain new vehicles from going more than 10 mph over the speed limit. In California, the maximum posted speed limit is 70 mph, meaning anything north of 80 mph would be off limits.

The Speeding and Fatality Emergency Reduction on California Streets — or SAFER California Streets, for short — is a package of bills that includes SB 961 that was published Tuesday, which essentially calls for speed governors on new cars and trucks built or sold in California starting with the 2027 model year. These vehicles would be required to have an "intelligent speed limiter system" that electronically prevents the driver from speeding above the aforementioned threshold.

The speed-limiter tech wouldn't apply to emergency vehicles. There's also language in the bill that the passive device would have the ability to be temporarily disabled by the driver, however, it's unclear in what situations that might apply. The bill also states that automakers would be able to fully disable the speed-limiter, but presumably only for authorized emergency vehicles. The commissioner of the California Highway Patrol could authorize disabling the speed-limiter too at their discretion...

The proposed legislation is said to be an attempt to address rising traffic fatalities, which in California have reportedly increased by 22 percent from 2019 to 2022.

Transportation

America's Car Industry Seeks to Crush AM Radio. Will Congress Rescue It? (msn.com)

The Wall Street Journal reports that "a motley crew of AM radio advocates," including conservative talk show hosts and federal emergency officials, are lobbying Congress to stop carmakers from dropping AM radio from new vehicles: Lawmakers say most car companies are noncommittal about the future of AM tuners in vehicles, so they want to require them by law to keep making cars with free AM radio. Supporters argue it is a critical piece of the emergency communication network, while the automakers say Americans have plenty of other ways, including their phones, to receive alerts and information. The legislation has united lawmakers who ordinarily want nothing to do with one another. Sens. Ted Cruz (R., Texas) and Ed Markey (D., Mass.) are leading the Senate effort, and on the House side, Speaker Mike Johnson — himself a former conservative talk radio host in Louisiana — and progressive "squad" member Rep. Rashida Tlaib of Michigan are among about 200 co-sponsors...

A spring 2023 Nielsen survey, the most recent one available, showed that AM radio reaches about 78 million Americans every month. That is down from nearly 107 million in the spring of 2016, one of the earliest periods for which Nielsen has data... Automakers say the rise of electric vehicles is driving the shift away from AM, because onboard electronics create interference with AM radio signals — a phenomenon that "makes the already fuzzy analog AM radio frequency basically unlistenable," according to the Alliance for Automotive Innovation, a car-industry trade group. Shielding cables and components to reduce interference would cost carmakers $3.8 billion over seven years, the group estimates.

Markey and other lawmakers say they want to preserve AM radio because of its role in emergency communications. The Federal Emergency Management Agency says that more than 75 radio stations, most of which operate on the AM band and cover at least 90% of the U.S. population, are equipped with backup communications equipment and generators that allow them to continue broadcasting information to the public during and after an emergency. Seven former FEMA administrators urged Congress in a letter last year to seek assurances from automakers that they would keep broadcast radio available. The companies' noncommittal response spurred legislation, lawmakers said.

Automakers increasingly want to put radio and other car features "behind a paywall," Markey said in an interview. "They see this as another profit center for them when the American driving public has seen it as a safety resource for them and their families...." He compared the auto industry's resistance to the bill to previous opposition to government mandates like seat belts and air bags. "Leaving safety decisions to the auto industry is very dangerous," Markey said.

Lawmakers have heard from over 400,000 AM radio supporters, according to the president of the National Association of Broadcasters.

But the article also cites an executive at the Consumer Technology Association, who says automakers and tech advocacy groups have told lawmakers that requiring AM radio "would be inconsistent with the principles of a free market.... It's strange that Congress is focused on a 100-year-old technology."

United Kingdom

London Accused of Wrongly Fining Hundreds of Thousands of EU Drivers (theguardian.com)

The Guardian reports that "Hundreds of thousands of EU citizens were wrongly fined for driving in London's Ulez clean air zone, according to European governments..." The Guardian can reveal Transport for London (TfL) has been accused by five EU countries of illegally obtaining the names and addresses of their citizens in order to issue the fines, with more than 320,000 penalties, some totalling thousands of euros, sent out since 2021...

Since Brexit, the UK has been banned from automatic access to personal details of EU residents. Transport authorities in Belgium, Spain, Germany and the Netherlands have confirmed to the Guardian that driver data cannot be shared with the UK for enforcement of London's ultra-low emission zone (Ulez), and claim registered keeper details were obtained illegally by agents acting for TfL's contractor Euro Parking Collection. In France, more than 100 drivers have launched a lawsuit claiming their details were obtained fraudulently, while Dutch lorry drivers are taking legal action against TfL over £6.5m of fines they claim were issued unlawfully.

According to the Belgian MP Michael Freilich, who has investigated the issue on behalf of his constituents, TfL is treating European drivers as a "cash cow" by using data obtained illegitimately to issue unjustifiable fines.

Freilich describes the situation as "possibly one of the largest privacy and data breaches in EU history," according to the article.

Some drivers have even received penalties of up to five-figure sums — for compliant vehicles which had simply not yet been registered. And "some low-emission cars have been misclassed as heavy goods diesel vehicles and fined under the separate low-emission zone scheme, which incurs penalties of up to £2,000 a day."

Thanks to Slashdot reader Bruce66423 for sharing the article.

Businesses

The Great Freight-Train Heists of the 21st Century

Cargo theft from freight trains in the Los Angeles area has surged, with detectives estimating that over 90 containers are being opened daily and that theft on Union Pacific's freight trains in the area was up some 160 percent from the previous year. Nationally, cargo theft neared $1 billion in losses last year. Companies decline to comment, but California's governor has publicly questioned the widespread railroad theft. Most of those arrested were not organized; many were homeless people nearby opportunistically taking fallen boxes off the tracks. The theft stems largely from the e-commerce boom that reshaped freight shipping to meet consumer demand, opening vulnerabilities. Railroad police forces and online retailers aim to combat this but concede difficulty tracking stolen goods resold anonymously online. Some products stolen from containers even get resold back on Amazon.

The New York Times Magazine: Sometimes products stolen out of Amazon containers are resold by third-party sellers back on Amazon in a kind of strange ouroboros, in which the snakehead of capitalism hungrily swallows its piracy tail. Last June, California's attorney general created what was touted as a first-of-its-kind agreement among online retailers that committed them to doing a better job tracking, reporting and preventing stolen items from being resold on their platforms. While declining to comment on specific cases, a spokesperson for Amazon told me that the company is working to improve the process of vetting sellers: The number of "bad actor attempts" to create new selling accounts on Amazon decreased to 800,000 in 2022 from six million in 2020.

United States

NSA Buys Americans' Internet Data Without Warrants, Letter Says (nytimes.com)

The National Security Agency buys certain logs related to Americans' domestic internet activities from commercial data brokers, according to an unclassified letter by the agency. The New York Times: The letter [PDF], addressed to a Democratic senator and obtained by The New York Times, offered few details about the nature of the data other than to stress that it did not include the content of internet communications. Still, the revelation is the latest disclosure to bring to the fore a legal gray zone: Intelligence and law enforcement agencies sometimes purchase potentially sensitive and revealing domestic data from brokers that would require a court order to acquire directly.

It comes as the Federal Trade Commission has started cracking down on companies that trade in personal location data that was gathered from smartphone apps and sold without people's knowledge and consent about where it would end up and for what purpose it would be used. In a letter to the director of national intelligence dated Thursday, the senator, Ron Wyden, Democrat of Oregon, argued that "internet metadata" -- logs showing when two computers have communicated, but not the content of any message -- "can be equally sensitive" as the location data the F.T.C. is targeting. He urged intelligence agencies to stop buying internet data about Americans if it was not collected under the standard the F.T.C. has laid out for location records. "The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans' privacy are not just unethical, but illegal," Mr. Wyden wrote.

Piracy

Streaming Pirates Are Hollywood's New Villains (bloomberg.com)

Illegal subscription services that steal films or TV shows bring in $2 billion a year in ads and subscriber fees (non-paywalled link). From a report: Ever since taking on Netflix at its own game, old Hollywood has struggled to turn a profit in streaming, with the likes of Disney+, Peacock and Paramount+ losing billions of dollars each year, sparking concerns on Wall Street that the services will never be as profitable as cable once was. But the age of streaming has been a boon for some unintended winners: pirates that use software to rip a film or television show in seconds from legitimate online video platforms and host the titles on their own, illegitimate services, which rake in about $2 billion annually from ads and subscriptions.

With no video production costs, illicit streaming sites such as myflixer and projectfreetv have achieved profit margins approaching 90%, according to the Motion Picture Association, a trade group representing Hollywood studios that's working to crack down on the thousands of illegal platforms that have cropped up in recent years. Initially the rise of legitimate online businesses such as Netflix actually helped curb digital piracy, which had largely been based on file uploads. But now piracy involving illegal streaming services as well as file-sharing costs the US economy about $30 billion in lost revenue a year and some 250,000 jobs, estimates the US Chamber of Commerce's Global Innovation Policy Center. The global impact is about $71 billion annually.

In the US, which counts almost 130 subscription piracy sites, the MPA estimates that the top three combined have about 2 million users paying $5 to $10 per month for films, TV shows and live sports. Analysts say the user number could soar as the cost of subscriptions from legitimate companies such as Walt Disney approach $20 per month as they seek to bolster the finances of their streaming platforms. "Some of these pirate websites have gotten more daily visits than some of the top 10 legitimate sites," says Karyn Temple, the MPA's general counsel. "That really shows how prolific they are."

Privacy

Inside a Global Phone Spy Tool Monitoring Billions (404media.co)

A wide-spanning investigation by 404 Media reveals more details about a secretive spy tool, called Patternz, that can track billions of phone profiles through the advertising industry. From the report: Hundreds of thousands of ordinary apps, including popular ones such as 9gag, Kik, and a series of caller ID apps, are part of a global surveillance capability that starts with ads inside each app, and ends with the apps' users being swept up into a powerful mass monitoring tool advertised to national security agencies that can track the physical location, hobbies, and family members of people to build billions of profiles, according to a 404 Media investigation.

404 Media's investigation, based on now deleted marketing materials and videos, technical forensic analysis, and research from privacy activists, provides one of the clearest examinations yet of how advertisements in ordinary mobile apps can ultimately lead to surveillance by spy firms and their government clients through the real-time bidding data supply chain. The pipeline involves smaller, obscure advertising firms and advertising industry giants like Google. In response to queries from 404 Media, Google and PubMatic, another ad firm, have already cut off a company linked to the surveillance firm.

Privacy

Amazon's Ring To Stop Letting Police Request Doorbell Video From Users

Amazon's Ring home doorbell unit says it will stop letting police departments request footage from users' video doorbells and surveillance cameras, retreating from a practice that was criticized by civil liberties groups and some elected officials. Bloomberg: Next week, the company will disable its Request For Assistance tool (non-paywalled link), the program that had allowed law enforcement to seek footage from users on a voluntary basis, Eric Kuhn, who runs Ring's Neighbors app, said in a blog post on Wednesday. Police and fire departments will have to seek a warrant to request footage from users or show the company evidence of an ongoing emergency.

Kuhn didn't say why Ring was disabling the tool. Yassi Yarger, a spokesperson, said Ring had decided to devote its resources to new products and experiences in the Neighbors app that better fit with the company's vision. The aim is to make Neighbors, which had been focused on crime and safety, into more of a community hub, she said. New features announced on Wednesday -- one called Ring Moments that lets users post clips and a company-produced Best of Ring -- highlight that push.

United States

Biden Aims To Stop Countries From Exploiting Americans' Data for Blackmail, Espionage (bloomberg.com)

The Biden administration is preparing an executive order that seeks to prevent foreign adversaries from accessing troves of highly sensitive personal data about Americans and people connected to the US government, Bloomberg News reported, citing documents. From the report: The administration plans to soon unveil the new executive order, which will direct the US Attorney General and Department of Homeland Security to issue new restrictions on transactions involving data that, if obtained, could threaten national security, according to three people familiar with the matter, who asked not to be named as the details are still private.

The draft order focuses on ways that foreign adversaries are gaining access to Americans' "highly sensitive" personal data -- from genetic information to location -- through legal means. That includes obtaining information through intermediaries, such as data brokers, third-party vendor agreements, employment agreements or investment agreements, according to a draft of the proposed order. In addition, organizations owned, controlled or operated by "countries of concern" are often obligated to hand such data over to the government when asked.

Electronic Frontier Foundation

EFF Adds Street Surveillance Hub So Americans Can Check Who's Checking On Them (theregister.com)

An anonymous reader quotes a report from The Register: For a country that prides itself on being free, America does seem to have an awful lot of spying going on, as the new Street Surveillance Hub from the Electronic Frontier Foundation shows. The Hub contains detailed breakdowns of the type of surveillance systems used, from bodycams to biometrics, predictive policing software to gunshot detection microphones and drone-equipped law enforcement. It also has a full news feed so that concerned citizens can keep up with the latest US surveillance news; they can also contribute to the Atlas of Surveillance on the site.

The Atlas, started in 2019, allows anyone to check what law enforcement is being used in their local area -- be it license plate readers, drones, or gunshot detection microphones. It can also let you know if local law enforcement is collaborating with third parties like home security vendor Ring to get extra information. EFF policy analyst Matthew Guariglia told The Register that once people look into what's being deployed using their tax dollars, a lot of red flags are raised. Over the last few years America's thin blue line have not only been harvesting huge amounts of data themselves, but also buying it in from commercial operators. The result is a perfect storm on privacy -- with police, homeowners, and our personal technology proving to be a goldmine of intrusive information that's often misused.

Crime

IT Consultant Fined For Daring To Expose Shoddy Security (theregister.com)

Thomas Claburn reports via The Register: A security researcher in Germany has been fined $3,300 for finding and reporting an e-commerce database vulnerability that was exposing almost 700,000 customer records. Back in June 2021, according to our pals at Heise, a contractor identified elsewhere as Hendrik H. was troubleshooting software for a customer of IT services firm Modern Solution GmbH. He discovered that the Modern Solution code made a MySQL connection to a MariaDB database server operated by the vendor. It turned out the password to access that remote server was stored in plain text in the program file MSConnect.exe, and opening it in a simple text editor would reveal the unencrypted hardcoded credential.

With that easy-to-find password in hand, anyone could log into the remote server and access data belonging to not just that one customer of Modern Solution, but data belonging to all of the vendor's clients stored on that database server. That info is said to have included personal details of those customers' own customers. And we're told that Modern Solution's program files were available for free from the web, so truly anyone could inspect the executables in a text editor for plain-text hardcoded database passwords. The contractor's findings were discussed in a June 23, 2021 report by Mark Steier, who writes about e-commerce. That same day Modern Solution issued a statement [PDF] -- translated from German -- summarizing the incident [...]. The statement indicates that sensitive data about Modern Solution customers was exposed: last names, first names, email addresses, telephone numbers, bank details, passwords, and conversation and call histories. But it claims that only a limited amount of data -- names and addresses -- about shoppers who made purchases from these retail clients was exposed. Steier contends that's incorrect and alleged that Modern Solution downplayed the seriousness of the exposed data, which he said included extensive customer data from the online stores operated by Modern Solution's clients.
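Hardcoded credentials of the kind described above are cheap to catch before an artifact ships. The following is an added example, not Modern Solution's code: a pre-release check that extracts printable strings from a build artifact (what a text editor or the `strings` tool would show) and flags connection strings that carry a password, masking the secret in its own report. The artifact bytes, host names, user names and passwords are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed stand-in for a shipped build artifact: header-like bytes and
# padding around two embedded connection strings. Not a real vendor file.
SAMPLE_ARTIFACT = (
    b"MZ\x90\x00\x03\x00\x00\x00" * 4
    + b"Server=db.example.invalid;Port=3306;Uid=shopsync;"
    + b"Pwd=Hunter2!2021;Database=orders\x00"
    + b"\x00\xff\xfe" * 8
    + b"mysql://reportuser:s3cret@db.example.invalid/reports\x00"
    + b"\x00" * 16
)

# Credential-bearing connection-string shapes; add your own stack's formats.
CREDENTIAL_PATTERNS = {
    "ado_style": re.compile(rb"(?i)\b(?:pwd|password)\s*=\s*(?P<secret>[^;\x00]+)"),
    "uri_style": re.compile(
        rb"(?i)\b(?:mysql|mariadb|postgres(?:ql)?)://[^:/@\s]+:(?P<secret>[^@\s]+)@"),
}


def extract_strings(blob: bytes, min_len: int = 8) -> List[bytes]:
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def _mask(secret: bytes) -> str:
    """Keep two leading characters so a finding is recognisable, hide the rest."""
    return secret[:2].decode("ascii") + "*" * max(len(secret) - 2, 0)


def find_hardcoded_credentials(blob: bytes) -> List[Dict[str, str]]:
    """Flag strings in an artifact that look like database credentials.
    Secrets are masked so the report itself does not become a new leak."""
    findings = []
    for s in extract_strings(blob):
        for kind, pat in CREDENTIAL_PATTERNS.items():
            for m in pat.finditer(s):
                secret = m.group("secret")
                findings.append({
                    "kind": kind,
                    "secret_masked": _mask(secret),
                    "context": s.replace(secret, b"*" * len(secret)).decode("ascii"),
                })
    return findings


def release_gate(blob: bytes) -> bool:
    """True when the artifact may ship; False if it embeds a credential.
    The durable fix is to keep database access behind the vendor's own backend
    rather than handing every distributed client a shared server password."""
    return not find_hardcoded_credentials(blob)
```

A check like this belongs in CI on every distributable binary; it catches the shared-password pattern but not secrets that are obfuscated or fetched at runtime, which still need design review.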

In September 2021 police in Germany seized the IT consultant's computers following a complaint from Modern Solution that claimed he could only have obtained the password through insider knowledge -- he worked previously for a related firm -- and the biz claimed he was a competitor. Hendrik H. was charged with unlawful data access under Section 202a of Germany's Criminal Code, based on the rule that examining data protected by a password can be classified as a crime under the Euro nation's cybersecurity law. In June 2023, a Julich District Court in western Germany sided with the IT consultant because the Modern Solution software was insufficiently protected. But the Aachen regional court directed the district court to hear the complaint. Now, the district court has reversed its initial decision. On January 17, a Julich District Court fined Hendrik H. and directed him to pay court costs.

Crime

Walmart's Financial Services 'Became a Fraud Magnet', Says ProPublica (propublica.org) 83

One man living in Virginia oversaw "the laundering of some $7 million in fraudulently obtained gift cards" from Walmart in an international operation which over five years scammed hundreds of victims into sending the numbers over the phone, reports a new ProPublica investigation. (Citing court evidence that emerged after his arrest in 2021.) Earlier that year, he complained to an associate that more and more people were competing to resell cards in China, eating into his profits. So many scammers were flocking to Walmart that he and his team regularly encountered them at self-checkout counters.... "We ran into quite a few at the store, and we even started chatting."
It was apparently so common that federal prosecutors started calling it "The Walmart scheme." And while the store is supposed to watch for customers who appear to be acting on a scammer's instructions, "Too often, Walmart has failed." America's largest retailer has long been a facilitator of fraud on a mass scale, a ProPublica investigation has found. For roughly a decade, Walmart has resisted tougher enforcement while breaking promises to regulators and skimping on employee training, according to more than 50 interviews, internal documents supplied by former industry executives, court filings and other public records... More than $1 billion in fraud losses were routed through the company's financial systems between 2013 and 2022, according to filings by the Federal Trade Commission and court cases analyzed by ProPublica. That has helped fuel a boom in financial chicanery. Americans, many of them elderly, were swindled out of $27 billion between 2013 and 2022, according to the FTC...

Walmart has a financial incentive to avoid cracking down. It makes money each time a Walmart gift card is used and earns a fee when another brand of card is bought. And it receives one commission when a person sends a money transfer and a second when the recipient picks it up. The company's financial services business generates hundreds of millions in annual profits. (Its filings do not provide specific figures for gift cards and money transfers.) "They were concerned about the bucks. That's all," Nick Alicea, a former fraud team leader for the U.S. Postal Inspection Service who investigated Walmart for years, told ProPublica. Walmart's deficiencies have repeatedly attracted government scrutiny. In 2017, the attorneys general of New York and Pennsylvania investigated Walmart over concerns that it was "reaping the benefits" of gift card fraud. The investigation concluded a year later with Walmart promising to restrict or eliminate the use of its gift cards to purchase other gift cards...

Instead, the company let the practice continue until 2022 — even after it knew that millions of dollars were being laundered through its stores. The FTC sued Walmart in 2022, alleging it "turned a blind eye" as criminals took advantage of its money transfer service. Walmart, the FTC claimed, pocketed millions in fees while "letting fraudsters fleece its customers." Summarizing the FTC's evidence, a federal judge in the case wrote that "Walmart knew that its services were used by fraudsters" and that the company was repeatedly warned about certain stores where "twenty-five, fifty, or even seventy-five percent of money transfer activity was fraudulent." Separately, a federal grand jury in Pennsylvania is hearing evidence of possible criminal conduct in Walmart's money transfer business, according to corporate filings that did not detail the allegations.

While the FTC says Americans were swindled out of $27 billion between 2013 and 2022, Walmart responded to ProPublica's investigation by pointing out it's refunded $4 million to gift-card fraud victims, and also blocked more than $700 million in suspicious money transfers. "We have a robust anti-fraud program and other controls to help stop scammers and other criminals who may use the financial services we offer to harm our customers." The company's legal filings in the FTC case struck a different tone. Walmart is seeking to dismiss the suit, partly on the grounds that it has "no responsibility to protect against the criminal conduct of third parties." Though fraud is "deeply unfortunate," Walmart argues, such schemes are "reasonably avoidable by consumers."
Other interesting quotes from the article:
  • "Walmart outlets at one point accounted for the top 20 locations for fraud nationally among chains that partnered with MoneyGram, according to internal documents."
  • "In a single week in March 2017, consumers claiming they'd been duped into a money transfer filed 610 complaints about Walmart, according to documents obtained by ProPublica. CVS ranked second, with 47."
  • "Site inspections routinely found that Walmart staff lacked anti-fraud training and that employees failed to ask screening questions..."
  • Walmart resisted MoneyGram's attempts to fight fraud [according to the former fraud team leader for the postal inspector's office in Harrisburg, Pennsylvania, who investigated MoneyGram and Walmart].

Cellphones

Could Apostrophy OS Be the Future of Cellphone Privacy? (stuff.co.za) 100

"Would you pay $15 a month so Android doesn't track you and send all of that data back to Google?" asks Stuff South Africa: A new Swiss-based privacy company thinks $15 is a fair fee for that peace of mind. "A person's data is the original digital currency," argues Apostrophy, which has created its own operating system, called Apostrophy OS.

It's based on Android — don't panic — but the version that has already been stripped of Google's intrusiveness by another privacy project called GrapheneOS, which used to be known as CopperheadOS. Launched in 2014, it was briefly known as the Android Hardening project, before being rebranded as GrapheneOS in 2019. Apostrophy OS is "focused on empowering our users, not leveraging them," it says, and is "purposely Swiss-based, so we can be champions of data sovereignty".

What it does, they say, is separate the apps from the underlying architecture of the operating system and therefore prevent apps from accessing miscellaneous personal data, especially the all-important location data so beloved of surveillance capitalism... Apostrophy OS has its own app store, but also cleverly allows users to access the Google Play Store. If you think that is defeating the point, Apostrophy argues that those apps can't get to the vitals of your digital life. Apostrophy OS has "partitioned segments prioritising application integrity and personal data privacy".

The service is free for one year with the purchase of the new MC02 phone from Swiss manufacturer Punkt, according to PC Magazine. "The phone costs $749 and is available for preorder now. It will ship at the end of January." Additional features include a built-in VPN called Digital Nomad based on the open-source Wireguard framework to secure your activity against outside snooping, which includes "exit addresses" in the US, Germany, and Japan with the base subscription.
