Crime

Alleged 'Scattered Spider' Member Extradited to US (krebsonsecurity.com) 23

Investigative journalist and cybersecurity expert Brian Krebs reports: A 23-year-old Scottish man thought to be a member of the prolific Scattered Spider cybercrime group was extradited last week from Spain to the United States, where he is facing charges of wire fraud, conspiracy and identity theft. U.S. prosecutors allege Tyler Robert Buchanan and co-conspirators hacked into dozens of companies in the United States and abroad, and that he personally controlled more than $26 million stolen from victims. Scattered Spider is a loosely affiliated criminal hacking group whose members have broken into and stolen data from some of the world's largest technology companies. Buchanan was arrested in Spain last year on a warrant from the FBI, which wanted him in connection with a series of SMS-based phishing attacks in the summer of 2022 that led to intrusions at Twilio, LastPass, DoorDash, Mailchimp, and many other tech firms. The complaint against Buchanan is available here (PDF).

Security

Apple Notifies New Victims of Spyware Attacks Across the World (techcrunch.com) 5

An anonymous reader quotes a report from TechCrunch: Apple sent notifications this week to several people who the company believes were targeted with government spyware, according to two of the alleged targets. In the past, Apple has sent similar notifications to targets and victims of spyware, and directed them to contact a nonprofit that specializes in investigating such cyberattacks. Other tech companies, like Google and WhatsApp, have in recent years also periodically sent such notifications to their users. As of Wednesday, only two people appear to have come forward to reveal they were among those who received the notifications from Apple this week.

One is Ciro Pellegrino, an Italian journalist who works for online news outlet Fanpage. Pellegrino wrote in an article that he received an email and a text message from Apple on Tuesday notifying him that he was targeted with spyware. The message, according to Pellegrino, also said he wasn't the only person targeted. "Today's notification is being sent to affected users in 100 countries," the message read, according to Pellegrino's article. "Did this really happen? Yes, it is not a joke," Pellegrino wrote.

The second person to receive an Apple notification is Eva Vlaardingerbroek, a Dutch right-wing activist, who posted on X on Wednesday. "Apple detected a targeted mercenary spyware attack against your iPhone," the Apple alert said, according to a screenshot shown in a video that Vlaardingerbroek posted on X. "This attack is likely targeting you specifically because of who you are or what you do. Although it's never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning -- please take it seriously." Reacting to the notification, Vlaardingerbroek said that this was an "attempt to intimidate me, an attempt to silence me, obviously."

Security

Millions of AirPlay Devices Can Be Hacked Over Wi-Fi (9to5mac.com) 39

A newly revealed set of vulnerabilities dubbed AirBorne in Apple's AirPlay SDK could allow attackers on the same Wi-Fi network to hijack tens of millions of third-party devices like smart TVs and speakers. While Apple has patched its own products, many third-party devices remain at risk, with the most severe (though unproven) threat being potential microphone access. 9to5Mac reports: Wired reports that a vulnerability in Apple's software development kit (SDK) means that tens of millions of those devices could be compromised by an attacker: "On Tuesday, researchers from the cybersecurity firm Oligo revealed what they're calling AirBorne, a collection of vulnerabilities affecting AirPlay, Apple's proprietary radio-based protocol for local wireless communication. Bugs in Apple's AirPlay software development kit (SDK) for third-party devices would allow hackers to hijack gadgets like speakers, receivers, set-top boxes, or smart TVs if they're on the same Wi-Fi network as the hacker's machine [...]

Oligo's chief technology officer and cofounder, Gal Elbaz, estimates that potentially vulnerable third-party AirPlay-enabled devices number in the tens of millions. 'Because AirPlay is supported in such a wide variety of devices, there are a lot that will take years to patch -- or they will never be patched,' Elbaz says. 'And it's all because of vulnerabilities in one piece of software that affects everything.'"

For consumers, an attacker would first need to gain access to your home Wi-Fi network. The risk of this depends on the security of your router: millions of wireless routers also have serious security flaws, but access would be limited to the range of your Wi-Fi. AirPlay devices on public networks, like those used everywhere from coffee shops to airports, would allow direct access. The researchers say the worst-case scenario would be an attacker gaining access to the microphones in an AirPlay device, such as those in smart speakers. However, they have not demonstrated this capability, meaning it remains theoretical for now.

Education

New York Lawmakers Reach Deal On 'Bell-To-Bell' School Cellphone Ban (cbsnews.com) 182

An anonymous reader quotes a report from CBS News: New York Gov. Kathy Hochul says a $254 billion state budget deal has been reached, including a "bell-to-bell" school cellphone ban. [...] The distraction-free policy would take effect next school year, making New York the largest state in the country with a "bell-to-bell" cellphone ban. Hochul says the plan will help protect children from addictive technology and improve their mental health. The New York State United Teachers union also came out in support of the ban, saying "we are at a crisis point."

The governor previously outlined the proposal back in January, saying it would ban the use of smartphones and other internet-enabled devices on school grounds during the school day. That includes classroom time, lunch and study hall periods. "A bell-to-bell ban, morning until the day is over, is not going to hurt your kids. It's going to help them emerge with stronger mental health and resiliency," she told CBS News New York at the time.

Hochul said the ban would include smartphones and other personal "smart" devices, like smartwatches. Exemptions could be made if a student requires a device to manage a medical condition or for translation purposes. Cellphones that don't have internet capability and devices that are provided by the school for lesson plans would still be allowed. The proposal would let individual schools come up with their own ways to implement the ban and store the devices, and schools would be able to decide whether to have students leave them in things like pouches, lockers or cubbies. It would also require schools to make sure parents have a way to contact their children during the day, if needed.
"Protecting our communities requires more than streets where people feel safe. We need classrooms where young minds can flourish, and that means eliminating once and for all the digital distractions that steal our kids' attention," the governor said, adding, "We protected our kids before from cigarettes, alcohol and drunk driving, and now, we're protecting them from addictive technology designed to hijack their attention."

Patents

OIN Marks 20 Years of Defending Linux and Open Source From Patent Trolls (zdnet.com) 3

An anonymous reader quotes a report from ZDNet: Today, open-source software powers the world. It didn't have to be that way. The Open Invention Network's (OIN) origins are rooted in a turbulent era for open source. In the mid-2000s, Linux faced existential threats from copyright and patent litigation. Besides, the infamous SCO lawsuit and Microsoft's claims that Linux infringed on hundreds of its patents cast a shadow over the ecosystem. Business leaders became worried. While SCO's attacks petered out, patent trolls -- formally known as Patent Assertion Entities (PAEs) -- were increasing their attacks. So, open-source friendly industry giants, including IBM, Novell, Philips, Red Hat, and Sony, formed the Open Invention Network (OIN) to create a bulwark against patent threats targeting Linux and open-source technologies. Founded in 2005, the Open Invention Network (OIN) has evolved into a global community comprising over 4,000 participants, ranging from startups to multinational corporations, collectively holding more than three million patents and patent applications.

At the heart of OIN's legal strategy is a royalty-free cross-license agreement. Members agree not to assert their patents against the Linux System, creating a powerful network effect that shields open-source projects from litigation. As OIN CEO Keith Bergelt explained, this model enables "broad-based participation by ensuring patent risk mitigation in key open-source technologies, thereby facilitating open-source adoption." This approach worked then, and it continues to work today. [...] Over the years, OIN's mission has expanded beyond Linux to cover a range of open-source technologies. Its Linux System Definition, which determines the scope of patent cross-licensing, has grown from a few core packages to over 4,500 software components and platforms, including Android, Apache, Kubernetes, and ChromeOS. This expansion has been critical, as open source has become foundational across industries such as finance, automotive, telecommunications, and artificial intelligence.

Privacy

India Court Orders Proton Mail Block On Security Grounds (livelaw.in) 20

The Karnataka High Court on Tuesday directed India's government to block Switzerland-based email service Proton Mail, citing national security concerns and law enforcement challenges. Justice M Nagaprasanna ordered authorities to initiate proceedings under Section 69A of the Information Technology Act to ban the service, while mandating immediate blocking of "offending URLs" until final decisions are made.

The ruling followed a petition from M Moser Design Associates India, which claimed its female employees were targeted with obscene emails containing "AI-generated deepfake images" sent via Proton Mail. Petitioners argued Proton Mail operates servers outside India, making it inaccessible to law enforcement. The court noted several bomb threats to Indian schools were sent using the service, which has already been banned in Russia and Saudi Arabia. Additional Solicitor General Aravind Kamath, representing the government, said authorities would comply with the court's direction.

Crime

Fired Disney Employee Gets 3 Years in Prison For Hacking and Changing Menus (cnn.com) 71

A former Disney employee who hacked into the company's servers to alter its restaurant menus, including falsifying allergen information and printing profane language, has been sentenced to three years in prison. From a report: Michael Scheuer, a Florida resident, was sentenced last week in federal court and ordered to pay nearly $690,000 in restitution, with most of that going to Disney. He pled guilty in January to one count of computer fraud and one count of aggravated identity theft.

"Scheuer remains remorseful and apologetic to his former co-workers. We are grateful that the judge heard all of our arguments and mitigation when fashioning a sentence that was half of what the government was seeking," said David Haas, Scheuer's lawyer, in a statement to CNN.

Scheuer worked as a menu production manager for Disney and was fired last June for misconduct, according to the original complaint. He had access to, and also used, secure internal servers for creating and publishing menus for all of Disney's restaurants as part of his job at the company.

Privacy

Car Subscription Features Raise Your Risk of Government Surveillance, Police Records Show (wired.com) 71

An anonymous reader quotes a report from Wired: Automakers are increasingly pushing consumers to accept monthly and annual fees to unlock preinstalled safety and performance features, from hands-free driving systems and heated seats to cameras that can automatically record accident situations. But the additional levels of internet connectivity this subscription model requires can increase drivers' exposure to government surveillance and the likelihood of being caught up in police investigations. A cache of more than two dozen police records recently reviewed by WIRED show US law enforcement agencies regularly trained on how to take advantage of "connected cars," with subscription-based features drastically increasing the amount of data that can be accessed during investigations. The records make clear that law enforcement's knowledge of the surveillance far exceeds that of the public and reveal how corporate policies and technologies -- not the law -- determine driver privacy.

"Each manufacturer has their whole protocol on how the operating system in the vehicle utilizes telematics, mobile Wi-Fi, et cetera," one law enforcement officer noted in a presentation prepared by the California State Highway Patrol (CHP) and reviewed by WIRED. The presentation, while undated, contains statistics on connected cars for the year 2024. "If the vehicle has an active subscription," they add, "it does create more data." The CHP presentation, obtained by government transparency nonprofit Property of the People via a public records request, trains police on how to acquire data based on a variety of hypothetical scenarios, each describing how vehicle data can be acquired based on the year, make, and model of a vehicle. The presentation acknowledges that access to data can ultimately be limited due to choices made by not only vehicle manufacturers but the internet service providers on which connected devices rely.

One document notes, for instance, that when a General Motors vehicle is equipped with an active OnStar subscription, it will transmit data -- revealing its location -- roughly twice as often as a Ford vehicle. Different ISPs appear to have not only different capabilities but policies when it comes to responding to government requests for information. Police may be able to rely on AT&T to help identify certain vehicles based on connected devices active in the car but lack the ability to do so when the device relies on a T-Mobile or Verizon network instead. [...] Nearly all subscription-based car features rely on devices that come preinstalled in a vehicle, with a cellular connection necessary only to enable the automaker's recurring-revenue scheme. The ability of car companies to charge users to activate some features is effectively the only reason the car's systems need to communicate with cell towers. The police documents note that companies often hook customers into adopting the services through free trial offers, and in some cases the devices are communicating with cell towers even when users decline to subscribe.

Privacy

Milwaukee Police Consider Trading Millions of Mugshots For Free Facial Recognition Access (jsonline.com) 79

An anonymous reader quotes a report from Milwaukee Journal Sentinel: Milwaukee police are mulling a trade: 2.5 million mugshots for free use of facial recognition technology. Officials from the Milwaukee Police Department say swapping the photos with the software firm Biometrica will lead to quicker arrests and solving of crimes. But that benefit is unpersuasive for those who say the trade is startling, due to the concerns of the surveillance of city residents and possible federal agency access. "We recognize the very delicate balance between advancement in technology and ensuring we as a department do not violate the rights of all of those in this diverse community," Milwaukee Police Chief of Staff Heather Hough said during an April 17 meeting.

For the first time, Milwaukee police officials detailed their plans to use the facial recognition technology during a meeting of the city's Fire and Police Commission, the oversight body for those departments. In the past, the department relied on facial recognition technology belonging to neighboring police agencies. In an April 24 email, Hough said the department has not entered into an agreement with any facial recognition and the department intends to continue engaging the public before doing so. The department will discuss it at a future meeting of the city's Public Safety and Health Committee next, she said. "While we would like to acquire the technology to assist in solving cases, being transparent with the community that we serve far outweighs the urgency to acquire," she said in an email.

Officials said the technology alone could not be used as probable cause to arrest someone and the only authorized uses would be when there's basis to believe criminal activity has happened or could happen, or a threat to public safety is imminent. Hough said the department intended to craft a policy that would ensure no one is arrested solely based on facial recognition matches. That reassurance and others from police officials came as activists, residents and some public officials voiced concern.

Businesses

23andMe Requiring Potential Bidders To Affirm They Will Uphold Data Privacy 41

The sale of bankrupt DNA data bank 23andMe is delayed as the company struggles to secure a lead bidder who can meet regulatory and privacy requirements, pushing the initial auction deadline from Friday to Monday. Seeking Alpha reports: 23andMe Holdings (OTC:MEHCQ), currently in Chapter 11 bankruptcy proceedings, is requiring that any potential bidders for the company's assets "guaranty that they will comply with the Company's privacy policies and applicable law." The genetics company said this is necessary to protect customers' data.

In addition, bidders will need to submit documentation of their intended use of any data, describe the privacy programs and security controls they have in place or would implement, and say whether they would ask for current privacy policies to be amended. 23andMe has also filed a motion asking for the appointment of an independent customer data representative to review whether a proposed deal is in alignment with the company's privacy policies and data privacy laws.

Math

Could a 'Math Genius' AI Co-author Proofs Within Three Years? (theregister.com) 71

A new DARPA project called expMath "aims to jumpstart math innovation with the help of AI," writes The Register. America's "Defense Advanced Research Projects Agency" believes mathematics isn't advancing fast enough, according to their article... So to accelerate — or "exponentiate" — the rate of mathematical research, DARPA this week held a Proposers Day event to engage with the technical community in the hope that attendees will prepare proposals to submit once the actual Broad Agency Announcement solicitation goes out...

[T]he problem is that AI just isn't very smart. It can do high school-level math but not high-level math. [One slide from DARPA program manager Patrick Shafto noted that OpenAI o1 "continues to abjectly fail at basic math despite claims of reasoning capabilities."] Nonetheless, expMath's goal is to make AI models capable of:

- auto decomposition — automatically decompose natural language statements into reusable natural language lemmas (a proven statement used to prove other statements); and
- auto(in)formalization — translate the natural language lemma into a formal proof and then translate the proof back to natural language.

"How much faster will technology advance with AI agents solving new mathematical proofs?" asks former DARPA research scientist Robin Rowe (also long-time Slashdot reader robinsrowe): DARPA says that "The goal of Exponentiating Mathematics is to radically accelerate the rate of progress in pure mathematics by developing an AI co-author capable of proposing and proving useful abstractions."
Rowe is cited in the article as the founder/CEO of an AI research institute named "Fountain Adobe". (He tells The Register that "It's an indication of DARPA's concern about how tough this may be that it's a three-year program. That's not normal for DARPA.") Rowe is optimistic. "I think we're going to kill it, honestly. I think it's not going to take three years. But I think it might take three years to do it with LLMs. So then the question becomes, how radical is everybody willing to be?"
"We will robustly engage with the math and AI communities toward fundamentally reshaping the practice of mathematics by mathematicians," explains the project's home page. They've already uploaded an hour-long video of their Proposers Day event.

"It's very unclear that current AI systems can succeed at this task..." program manager Shafto says in a short video introducing the project. But... "There's a lot of enthusiasm in the math community for the possibility of changes in the way mathematics is practiced. It opens up fundamentally new things for mathematicians. But of course, they're not AI researchers. One of the motivations for this program is to bring together two different communities — the people who are working on AI for mathematics, and the people who are doing mathematics — so that we're solving the same problem.

At its core, it's a very hard and rather technical problem. And this is DARPA's bread-and-butter, is to sort of try to change the world. And I think this has the potential to do that."

Google

'Read the Manual': Misconfigured Google Analytics Led to a Data Breach Affecting 4.7M (csoonline.com) 16

Slashdot reader itwbennett writes: Personal health information on 4.7 million Blue Shield California subscribers was unintentionally shared between Google Analytics and Google Ads between April 2021 and January 2025 due to a misconfiguration error. Security consultant and SANS Institute instructor Brandon Evans points to two lessons to take from this debacle:

- Read the documentation of any third party service you sign up for, to understand the security and privacy controls;
- Know what data is being collected from your organization, and what you don't want shared.

"If there is a concern by the organization that Google Ads would use this information, they should really consider whether or not they should be using a platform like Google Analytics in the first place," Evans says in the article. "Because from a technical perspective, there is nothing stopping Google from sharing the information across its platform...

"Google definitely gives you a great bunch of controls, but technically speaking, that data is within the walls of that organization, and it's impossible to know from the outside how that data is being used."

United States

US Attorney for D.C. Accuses Wikipedia of 'Propaganda', Threatens Nonprofit Status (msn.com) 193

An anonymous reader shared this report from the Washington Post: The acting U.S. attorney for the District of Columbia sent a letter to the nonprofit that runs Wikipedia, accusing the tax-exempt organization of "allowing foreign actors to manipulate information and spread propaganda to the American public."

In the letter dated April 24, Ed Martin said he sought to determine whether the Wikimedia Foundation's behavior is in violation of its Section 501(c)(3) status. Martin asked the foundation to provide detailed information about its editorial process, its trust and safety measures, and how it protects its information from foreign actors. "Wikipedia is permitting information manipulation on its platform, including the rewriting of key, historical events and biographical information of current and previous American leaders, as well as other matters implicating the national security and the interests of the United States," Martin wrote. "Masking propaganda that influences public opinion under the guise of providing informational material is antithetical to Wikimedia's 'educational' mission."

Google prioritizes Wikipedia articles, the letter points out, which "will only amplify propaganda" if the content contained in Wikipedia articles "is biased, unreliable, or sourced by entities who wish to do harm to the United States." And as a U.S.-based non-profit, Wikipedia enjoys tax-exempt status while its board "is composed primarily of foreign nationals," the letter argues, "subverting the interests of American taxpayers."

While noting Martin's concerns about "allowing foreign actors to manipulate information and spread propaganda," the Washington Post also notes that before being named U.S. attorney, "Martin appeared on Russia-backed media networks more than 150 times, The Washington Post reported last week...."

Additional articles about the letter here and here.

Censorship

Government Censorship Comes To Bluesky (techcrunch.com) 30

An anonymous reader quotes a report from TechCrunch: Government censorship has found its way to Bluesky, but there's currently a loophole thanks to how the social network is structured. Earlier this month, Bluesky restricted access to 72 accounts in Turkey at the request of Turkish governmental authorities, according to a recent report by the Freedom of Expression Association. As a result, people in Turkey can no longer see these accounts, and their reach is limited. The report indicates that 59 Bluesky accounts were blocked on the grounds of protecting "national security and public order." Bluesky also made another 13 accounts and at least one post invisible from Turkey.

Given that many Turkish users migrated from X to Bluesky in the hopes of fleeing government censorship, Bluesky's bowing to the Turkish government's demands has raised questions among the community as to whether the social network is as open and decentralized as it claims to be. (Or whether it's "just like Twitter" after all.) However, Bluesky's technical underpinnings currently make bypassing these blocks easier than it would be on a network like X -- even if it's not quite as open as the alternative social network Mastodon, another decentralized X rival.

A Mastodon user could move their account around to different servers to avoid censorship targeted at the original Mastodon instance (server) where they first made posts that attracted the censors. Users on the official Bluesky app can configure their moderation settings but have no way to opt out of the moderation service Bluesky provides. This includes its use of geographic labelers, like the newly added Turkish moderation labeler that handles the censorship of accounts mandated by the Turkish government. (Laurens Hof has a great breakdown of how this all works in more technical detail here on The Fediverse Report.) Simply put, if you're on the official Bluesky app and Bluesky (the company) agrees to censor something in your region, there's no way to opt out of this to see the hidden posts or accounts. Other third-party Bluesky apps, which make up the larger open social web known as the Atmosphere, don't have to follow these same rules. At least, not for now.

Privacy

Employee Monitoring App Leaks 21 Million Screenshots In Real Time (cybernews.com) 31

An anonymous reader quotes a report from Cybernews: Researchers at Cybernews have uncovered a major privacy breach involving WorkComposer, a workplace surveillance app used by over 200,000 people across countless companies. The app, designed to track productivity by logging activity and snapping regular screenshots of employees' screens, left over 21 million images exposed in an unsecured Amazon S3 bucket, broadcasting how workers go about their day frame by frame. The leaked data is extremely sensitive, as millions of screenshots from employees' devices could not only expose full-screen captures of emails, internal chats, and confidential business documents, but also contain login pages, credentials, API keys, and other sensitive information that could be exploited to attack businesses worldwide. After the company was contacted, access to the unsecured database was secured. An official comment has yet to be received.

The Courts

New Jersey Sues Property Management Software Firm RealPage, Says Collusion With Landlords Drives Up Rents (reuters.com) 17

New Jersey sued the property management software company RealPage, accusing it and 10 of the state's largest landlords of conspiring to drive up residential rents, violating federal and state antitrust laws and New Jersey consumer fraud laws. From a report: The complaint filed on Wednesday by state Attorney General Matthew Platkin said the defendants, including AvalonBay Communities, illegally used RealPage's revenue management software and algorithms to inflate rents for apartments in multifamily properties.

New Jersey said the defendants also quietly exchanged non-public data such as lease prices, amenities, concessions offered, property values and housing inventory, in order to align pricing and avoid competition to lower rents. The state said the collusion has inflated rents for hundreds of thousands of residents, with half of low-income renters paying more than 30% of their gross incomes toward rent. Many real estate and financial experts recommend a 30% limit.

Education

Draft Executive Order Outlines Plan To Integrate AI Into K-12 Schools (washingtonpost.com) 115

A draft executive order from the Trump administration proposes integrating AI into K-12 education by directing federal agencies to promote AI literacy, train teachers, and establish public-private partnerships. "The draft is marked 'predecisional' and could be subject to change before it is signed, or it could be abandoned," notes the Washington Post. From the report: Titled "Advancing artificial intelligence education for American youth," the draft order would establish a White House task force on AI education that would be chaired by Michael Kratsios, director of the Office of Science and Technology Policy, and would include the secretaries of education, agriculture, labor and energy, as well as Trump's special adviser for AI and cryptocurrency, David Sacks. The draft order would instruct federal agencies to seek public-private partnerships with industry, academia and nonprofit groups in efforts to teach students "foundational AI literacy and critical thinking skills."

The task force should look for existing federal funding such as grants that could be used for AI programs, and agencies should prioritize spending on AI education, according to the draft order. It would also instruct Education Secretary Linda McMahon to prioritize federal grant funding for training teachers on how to use AI, including for administrative tasks and teacher training and evaluation. All educators should undergo professional development to integrate AI into all subject areas, the draft order says. It would also establish a "Presidential AI Challenge" -- a competition for students and educators to demonstrate their AI skills -- and instruct Labor Secretary Lori Chavez-DeRemer to develop registered apprenticeships in AI-related occupations. The focus is on K-12 education, but the draft order says, "Our Nation must also make resources available for lifelong learners to develop new skills for a changing workforce."

Privacy

WhatsApp Blocks People From Exporting Your Entire Chat History (theverge.com) 14

WhatsApp is rolling out a new "Advanced Chat Privacy" feature that blocks others from exporting chat histories or automatically downloading media. While it doesn't stop screenshots or manual downloads, it marks the first step in WhatsApp's plan to enhance in-chat privacy protections. The Verge reports: By default, WhatsApp saves photos and videos in a chat to your phone's local storage. It also lets you and your recipients export chats (with or without media) to your messages, email, or notes app. The Advanced Chat Privacy setting will prevent this in group and individual chats. [...] WhatsApp says this is its "first version" of the feature, and that it plans to add more protections down the line.

"We think this feature is best used when talking with groups where you may not know everyone closely but are nevertheless sensitive in nature," WhatsApp says in its announcement. WABetaInfo first spotted this feature earlier this month, and now it's rolling out to the latest version of the app. You can turn on the setting by tapping the name of your chat and selecting Advanced Chat Privacy.

Nintendo

Nintendo Seeks Discord User's Identity Following Major Pokemon Leak (polygon.com) 45

Nintendo has filed a request for subpoena in California's Northern District Court to compel Discord to reveal the identity of user "GameFreakOUT," the alleged source of last year's extensive Pokemon leak. The company is demanding the name, address, phone number, and email of the individual behind the "Teraleak," which contained claimed source code for upcoming title Pokemon Legends: Z-A, next-generation Pokemon games, builds of older titles, and numerous concept art and lore documents.

Court documents obtained by Polygon show Nintendo included a partially redacted Discord screenshot as evidence, where GameFreakOUT shared files in a server named "FreakLeak." The breach occurred around October 12, 2024, two days after Game Freak publicly acknowledged a hack affecting employee information without confirming game data theft.

The Courts

Shopify Must Face Data Privacy Lawsuit In US (reuters.com) 42

An anonymous reader quotes a report from Reuters: A U.S. appeals court on Monday revived a proposed data privacy class action against Shopify, a decision that could make it easier for American courts to assert jurisdiction over internet-based platforms. In a 10-1 decision, the 9th U.S. Circuit Court of Appeals in San Francisco said the Canadian e-commerce company can be sued in California for collecting personal identifying data from people who make purchases on websites of retailers from that state.

Brandon Briskin, a California resident, said Shopify installed tracking software known as cookies on his iPhone without his consent when he bought athletic wear from the retailer I Am Becoming, and used his data to create a profile it could sell to other merchants. Shopify said it should not be sued in California because it operates nationwide and did not aim its conduct toward that state. The Ottawa-based company said Briskin could sue in Delaware, New York or Canada. A lower court judge and a three-judge 9th Circuit panel had agreed the case should be dismissed, but the full appeals court said Shopify "expressly aimed" its conduct toward California.

"Shopify deliberately reached out ... by knowingly installing tracking software onto unsuspecting Californians' phones so that it could later sell the data it obtained, in a manner that was neither random, isolated, or fortuitous," Circuit Judge Kim McLane Wardlaw wrote for the majority. A spokesman for Shopify said the decision "attacks the basics of how the internet works," and drags entrepreneurs who run online businesses into distant courtrooms regardless of where they operate. Shopify's next legal steps are unclear.
