Security

A Government Watchdog Spent $15,000 To Crack a Federal Agency's Passwords In Minutes (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: A government watchdog has published a scathing rebuke of the Department of the Interior's cybersecurity posture, finding it was able to crack thousands of employee user accounts because the department's security policies allow easily guessable passwords like 'Password1234'. The report by the Office of the Inspector General for the Department of the Interior, tasked with oversight of the U.S. executive agency that manages the country's federal land, national parks and a budget of billions of dollars, said that the department's reliance on passwords as the sole way of protecting some of its most important systems and employees' user accounts has bucked nearly two decades of the government's own cybersecurity guidance of mandating stronger two-factor authentication. It concludes that poor password policies put the department at risk of a breach that could lead to a "high probability" of massive disruption to its operations.

The inspector general's office said it launched its investigation after a previous test of the agency's cybersecurity defenses found lax password policies and requirements across the Department of the Interior's dozen-plus agencies and bureaus. The aim this time around was to determine if the department's security defenses were enough to block the use of stolen and recovered passwords. [...] To make their point, the watchdog spent less than $15,000 on building a password-cracking rig -- a setup of a high-performance computer or several chained together -- with the computing power designed to take on complex mathematical tasks, like recovering hashed passwords. Within the first 90 minutes, the watchdog was able to recover nearly 14,000 employee passwords, or about 16% of all department accounts, including passwords like 'Polar_bear65' and 'Nationalparks2014!'. The watchdog also recovered hundreds of accounts belonging to senior government employees and other accounts with elevated security privileges for accessing sensitive data and systems. Another 4,200 hashed passwords were cracked over an additional eight weeks of testing. [...]

The watchdog said it curated its own custom wordlist for cracking the department's passwords from dictionaries in multiple languages, as well as U.S. government terminology, pop culture references, and other publicly available lists of hashed passwords collected from past data breaches. By doing so, the watchdog demonstrated that a well-resourced cybercriminal could have cracked the department's passwords at a similar rate, the report said. The watchdog found that close to 5% of all active user account passwords were based on some variation of the word "password" and that the department did not "timely" wind down inactive or unused user accounts, leaving at least 6,000 user accounts vulnerable to compromise. The report also criticized the Department of the Interior for "not consistently" implementing or enforcing two-factor authentication, where users are required to enter a code from a device that they physically own to prevent attackers from logging in using just a stolen password.
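The findings above (complexity rules that still admit a dictionary word with digits and a symbol appended, passwords built on variations of "password", and inactive accounts left enabled) translate directly into checks a defender can run when a password is set or an account list is reviewed. The following is an added example written for this page, not code from the Inspector General's report or from the department; the blocklist, the 12-character minimum and the 90-day idle threshold are constructed assumptions, as are the sample passwords and login dates.

```python
"""Screening passwords and idle accounts against the weaknesses the audit found.

Added example for this page; not code from the report. The blocklist, the
12-character minimum and the 90-day idle threshold are this example's assumptions.
"""
from __future__ import annotations

import re
from datetime import date, timedelta

# Constructed stand-in for the watchdog's custom wordlist (multi-language
# dictionaries, agency terminology, pop culture, breach corpora). A real
# deployment loads a large breach-derived list from disk instead.
BLOCKLIST = {
    "password", "welcome", "interior", "nationalparks", "polarbear",
    "yellowstone", "letmein", "qwerty", "summer",
}

# Common leet-speak substitutions, undone before the dictionary comparison so
# that 'P@ssw0rd' is treated the same as 'password'.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12      # assumption for this example, not a figure from the report
MAX_IDLE_DAYS = 90   # assumption for this example, not a figure from the report


def stem(password: str) -> str:
    """Reduce a password to the dictionary word it is built on.

    Leading and trailing digits/punctuation (the '1234', '65' and '2014!' the
    report saw appended to words) are dropped, leet substitutions are undone,
    and remaining separators such as '_' are removed:
    'Password1234' -> 'password', 'Polar_bear65' -> 'polarbear'.
    """
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return re.sub(r"[^a-z]", "", core.lower().translate(LEET))


def screen(password: str) -> list[str]:
    """Return the reasons a candidate password would be rejected.

    An empty list means the password passed: long enough and not built on a
    blocklisted word. Entries are matched as substrings of the stem so that
    'mypassword' is caught as well as 'password'; every entry is at least six
    letters long to keep incidental matches rare.
    """
    reasons: list[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    s = stem(password)
    hits = sorted(word for word in BLOCKLIST if word in s)
    if hits:
        reasons.append("built on blocked word(s): " + ", ".join(hits))
    return reasons


def share_based_on(passwords: list[str], word: str = "password") -> float:
    """Fraction of passwords whose stem contains `word`: the report's
    'variation of the word password' measurement, taken at password-set time
    instead of over cracked hashes."""
    if not passwords:
        return 0.0
    return sum(word in stem(p) for p in passwords) / len(passwords)


def stale_accounts(last_login: dict[str, date], today: date,
                   max_idle_days: int = MAX_IDLE_DAYS) -> list[str]:
    """Accounts with no login within max_idle_days, i.e. the ones the report
    says should have been wound down."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(user for user, seen in last_login.items() if seen < cutoff)


def demo_stale() -> list[str]:
    """Run stale_accounts over constructed last-login dates."""
    logins = {"alice": date(2023, 1, 9), "bob": date(2022, 6, 1),
              "carol": date(2022, 11, 30), "dave": date(2021, 12, 31)}
    return stale_accounts(logins, today=date(2023, 1, 10))


if __name__ == "__main__":
    # Constructed sample passwords, including the styles quoted in the report.
    sample = ["Password1234", "Polar_bear65", "Nationalparks2014!",
              "P@ssw0rd1!", "Summer2023!", "correct-horse-battery-staple"]
    for pw in sample:
        print(f"{pw:30} {screen(pw) or 'ok'}")
    print(f"share based on 'password': {share_based_on(sample):.0%}")
    print("stale accounts:", demo_stale())
```

The stemming step is what makes a blocklist useful against the passwords the watchdog recovered: a plain lookup of "Nationalparks2014!" would miss, while its stem "nationalparks" is an ordinary dictionary entry. Screening at password-set time is also the cheap side of this exercise; the report's point is that the expensive side (a $15,000 rig) is well within reach of an attacker.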

Security

Messenger Billed as Better Than Signal is Riddled With Vulnerabilities (arstechnica.com)

Academic researchers have discovered serious vulnerabilities in the core of Threema, an instant messenger that its Switzerland-based developer says provides a level of security and privacy "no other chat service" can offer. From a report: Despite the unusually strong claims and two independent security audits Threema has received, the researchers said the flaws completely undermine assurances of confidentiality and authentication that are the cornerstone of any program sold as providing end-to-end encryption, typically abbreviated as E2EE. Threema has more than 10 million users, which include the Swiss government, the Swiss army, German Chancellor Olaf Scholz, and other politicians in that country. Threema developers advertise it as a more secure alternative to Meta's WhatsApp messenger. It's among the top Android apps for a fee-based category in Switzerland, Germany, Austria, Canada, and Australia. The app uses a custom-designed encryption protocol in contravention of established cryptographic norms.

Researchers from the Zurich-based ETH research university reported on Monday that they found seven vulnerabilities in Threema that seriously call into question the true level of security the app has offered over the years. Two of the vulnerabilities require no special access to a Threema server or app to cryptographically impersonate a user. Three vulnerabilities require an attacker to gain access to a Threema server. The remaining two can be exploited when an attacker gains access to an unlocked phone, such as at a border crossing. "In totality, our attacks seriously undermine Threema's security claims," the researchers wrote. "All the attacks can be mitigated, but in some cases, a major redesign is needed."

Medicine

FDA No Longer Needs To Require Animal Tests Before Human Drug Trials (science.org)

New medicines need not be tested in animals to receive U.S. Food and Drug Administration (FDA) approval, according to legislation signed by President Joe Biden in late December 2022. Science Magazine reports: "This is huge," says Tamara Drake, director of research and regulatory policy at the Center for a Humane Economy, a nonprofit animal welfare organization and key driver of the legislation. "It's a win for industry. It's a win for patients in need of cures." In place of the 1938 stipulation that potential drugs be tested for safety and efficacy in animals, the law allows FDA to promote a drug or biologic -- a larger molecule such as an antibody -- to human trials after either animal or nonanimal tests. Drake's group and the nonprofit Animal Wellness Action, among others that pushed for changes, argue that in clearing drugs for human trials the agency should rely more heavily on computer modeling, "organ chips," and other nonanimal methods that have been developed over the past 10 to 15 years.

But pro-research groups are downplaying the law, saying it signals a slow turning of the tide -- not a tsunami that will remake the drug approval process overnight. Jim Newman, communications director at Americans for Medical Progress, which advocates for animal research, argues non-animal technologies are still "in their infancy" and won't be able to replace animal models for "many, many years." FDA still retains tremendous discretion to require animal tests, he notes, and he doesn't expect the agency to change tack anytime soon. In order for a drug to be approved in the United States, FDA typically requires toxicity tests on one rodent species such as a mouse or rat and one nonrodent species such as a monkey or dog. Companies use tens of thousands of animals for such tests each year. Yet more than nine in 10 drugs that enter human clinical trials fail because they are unsafe or ineffective, providing grist to those who argue that animal experiments are a waste of time, money, and lives. [...]

Now, that requirement is gone. In eliminating it, Congress seems to have responded to the emergence of nonanimal methods and growing public sentiment against animal research. Senator Rand Paul (R-KY) and Senator Cory Booker (D-NJ), who both call animal research inefficient and inhumane, introduced the changes, which the Senate passed by unanimous consent in September 2022. In December, Biden signed them into law as part of the Consolidated Appropriations Act, which funds the government through this fiscal year. [...] Still, it remains unclear just how much the new law will change things at FDA. Although the legislation allows the agency to clear a drug for human trials without animal testing, it doesn't require that it do so. What's more, FDA's toxicologists are famously conservative, preferring animal tests in part because they allow examination of a potential drug's toxic effects in every organ after the animal is euthanized.

Privacy

Iran Says Face Recognition Will ID Women Breaking Hijab Laws (wired.com)

An anonymous reader quotes a report from Wired: Last month, a young woman went to work at Sarzamineh Shadi, or Land of Happiness, an indoor amusement park east of Iran's capital, Tehran. After a photo of her without a hijab circulated on social media, the amusement park was closed, according to multiple accounts in Iranian media. Prosecutors in Tehran have reportedly opened an investigation. Shuttering a business to force compliance with Iran's strict laws for women's dress is a familiar tactic to Shaparak Shajarizadeh. She stopped wearing a hijab in 2017 because she views it as a symbol of government suppression, and recalls restaurant owners, fearful of authorities, pressuring her to cover her head. But Shajarizadeh, who fled to Canada in 2018 after three arrests for flouting hijab law, worries that women like the amusement park worker may now be targeted with face recognition algorithms as well as by conventional police work.

After Iranian lawmakers suggested last year that face recognition should be used to police hijab law, the head of an Iranian government agency that enforces morality law said in a September interview that the technology would be used "to identify inappropriate and unusual movements," including "failure to observe hijab laws." Individuals could be identified by checking faces against a national identity database to levy fines and make arrests, he said. Two weeks later, a 22-year-old Kurdish woman named Jina Mahsa Amini died after being taken into custody by Iran's morality police for not wearing a hijab tightly enough. Her death sparked historic protests against women's dress rules, resulting in an estimated 19,000 arrests and more than 500 deaths. Shajarizadeh and others monitoring the ongoing outcry have noticed that some people involved in the protests are confronted by police days after an alleged incident -- including women cited for not wearing a hijab. "Many people haven't been arrested in the streets," she says. "They were arrested at their homes one or two days later."

Although there are other ways women could have been identified, Shajarizadeh and others fear that the pattern indicates face recognition is already in use -- perhaps the first known instance of a government using face recognition to impose dress law on women based on religious belief. Mahsa Alimardani, who researches freedom of expression in Iran at the University of Oxford, has recently heard reports of women in Iran receiving citations in the mail for hijab law violations despite not having had an interaction with a law enforcement officer. Iran's government has spent years building a digital surveillance apparatus, Alimardani says. The country's national identity database, built in 2015, includes biometric data like face scans and is used for national ID cards and to identify people considered dissidents by authorities.

Crime

The First Insider Trading Case Involving Cryptocurrency (reuters.com)

The brother of a former Coinbase product manager was sentenced on Tuesday to 10 months in prison after pleading guilty in what U.S. prosecutors have called the first insider trading case involving cryptocurrency. Reuters reports: Nikhil Wahi admitted to making trades based on confidential information from Coinbase, one of the world's largest cryptocurrency exchanges, when he pleaded guilty in September to a wire fraud conspiracy charge. Prosecutors said Ishan Wahi, the former product manager, shared the information with his brother and their friend Sameer Ramani about new digital assets that Coinbase was planning to let users trade. Ishan Wahi has pleaded not guilty, and Ramani is at large.

Prosecutors said Wahi made nearly $900,000 of profit by illegally trading ahead of 40 different Coinbase announcements. They recommended a 10- to 16-month sentence. At a sentencing hearing in Manhattan federal court, U.S. District Judge Loretta Preska said his crime was "not an isolated error in judgment." "Today's sentence makes clear that the cryptocurrency markets are not lawless," Damian Williams, the top federal prosecutor in Manhattan, said in a statement.
Further reading: Coinbase To Cut 20% Jobs, Abandon 'Several' Projects To Weather Downturns in Crypto Market

Privacy

Roomba Testers Feel Misled After Intimate Images Ended Up on Facebook (technologyreview.com)

An investigation recently revealed how images of a minor and a tester on the toilet ended up on social media. iRobot said it had consent to collect this kind of data from inside homes -- but participants say otherwise. From a report: When Greg unboxed a new Roomba robot vacuum cleaner in December 2019, he thought he knew what he was getting into. He would allow the preproduction test version of iRobot's Roomba J series device to roam around his house, let it collect all sorts of data to help improve its artificial intelligence, and provide feedback to iRobot about his user experience. He had done this all before. Outside of his day job as an engineer at a software company, Greg had been beta-testing products for the past decade. He estimates that he's tested over 50 products in that time -- everything from sneakers to smart home cameras.

But what Greg didn't know -- and does not believe he consented to -- was that iRobot would share test users' data in a sprawling, global data supply chain, where everything (and every person) captured by the devices' front-facing cameras could be seen, and perhaps annotated, by low-paid contractors outside the United States who could screenshot and share images at their will. Greg, who asked that we identify him only by his first name because he signed a nondisclosure agreement with iRobot, is not the only test user who feels dismayed and betrayed. Nearly a dozen people who participated in iRobot's data collection efforts between 2019 and 2022 have come forward in the weeks since MIT Technology Review published an investigation into how the company uses images captured from inside real homes to train its artificial intelligence. The participants have shared similar concerns about how iRobot handled their data -- and whether those practices conform with the company's own data protection promises. After all, the agreements go both ways, and whether or not the company legally violated its promises, the participants feel misled.

Privacy

Researchers Track GPS Location of All of California's New Digital License Plates (vice.com)

An anonymous reader quotes a report from Motherboard: A team of security researchers managed to gain "super administrative access" into Reviver, the company behind California's new digital license plates which launched last year. That access allowed them to track the physical GPS location of all Reviver customers and change a section of text at the bottom of the license plate designed for personalized messages to whatever they wished, according to a blog post from the researchers. "An actual attacker could remotely update, track, or delete anyone's REVIVER plate," Sam Curry, a bug bounty hunter, wrote in the blog post. Curry wrote that he and a group of friends started finding vulnerabilities across the automotive industry. That included Reviver.

California launched the option to buy digital license plates in October. Reviver is the sole provider of these plates, and says that the plates are legal to drive nationwide, and "legal to purchase in a growing number of states." [...] In the blog post, Curry writes the researchers were interested in Reviver because the license plate's features meant it could be used to track vehicles. After digging around the app and then a Reviver website, the researchers found Reviver assigned different roles to user accounts. Those included "CONSUMER" and "CORPORATE." Eventually, the researchers identified a role called "REVIVER" and managed to change their account to it, which in turn granted them access to all sorts of data and capabilities, including tracking the location of vehicles. "We could take any of the normal API calls (viewing vehicle location, updating vehicle plates, adding new users to accounts) and perform the action using our super administrator account with full authorization," Curry writes. "We could additionally access any dealer (e.g. Mercedes-Benz dealerships will often package REVIVER plates) and update the default image used by the dealer when the newly purchased vehicle still had DEALER tags."
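The role change Curry describes is what happens when a server writes whatever fields a client sends on a profile update into the stored account, including the field that names the account's role. The following is an added example for this page and is not Reviver's code or the researchers' code; the role names CONSUMER, CORPORATE and REVIVER come from the write-up, while the editable-field allowlist, the permissions attached to each role and the sample account and vehicle records are constructed assumptions.

```python
"""Mass assignment of a role field, beside the server-side fixes for it.

Added example for this page; not Reviver's or the researchers' code. Role
names come from the write-up; the permissions, field allowlist and sample
records are this example's assumptions.
"""
from __future__ import annotations

import json

ROLES = ("CONSUMER", "CORPORATE", "REVIVER")                 # names from the write-up
SELF_EDITABLE = {"display_name", "email", "plate_message"}   # assumed allowlist
AUDIT_LOG: list[str] = []


def vulnerable_update(account: dict, body: dict) -> dict:
    """The pattern the researchers exploited: every field the client sends is
    written to the stored account, so a body carrying {"role": "REVIVER"}
    promotes the caller."""
    account.update(body)
    return account


def hardened_update(account: dict, body: dict) -> dict:
    """Only allowlisted profile fields are accepted. Anything else, 'role'
    included, is rejected outright rather than silently dropped, so the
    attempt is visible in the audit log."""
    rejected = sorted(set(body) - SELF_EDITABLE)
    if rejected:
        AUDIT_LOG.append(f"account {account['id']}: rejected fields {rejected}")
        raise PermissionError(f"fields not editable by the account holder: {rejected}")
    account.update(body)
    return account


def set_role(actor: dict, target: dict, new_role: str) -> dict:
    """Role changes are a separate, privileged and audited operation
    (assumption: only the staff role may perform them)."""
    if actor.get("role") != "REVIVER":
        raise PermissionError("only staff accounts may change roles")
    if new_role not in ROLES:
        raise ValueError(f"unknown role {new_role!r}")
    AUDIT_LOG.append(f"account {actor['id']} set role of {target['id']} to {new_role}")
    target["role"] = new_role
    return target


def can_view_location(actor: dict, vehicle: dict) -> bool:
    """Object-level check for the 'view vehicle location' call: a role by
    itself does not unlock every vehicle (the permissions are assumed)."""
    role = actor.get("role")
    if role == "REVIVER":
        return True
    if role == "CORPORATE":
        return vehicle.get("dealer_id") == actor.get("dealer_id")
    return vehicle.get("owner_id") == actor.get("id")


def try_update(account: dict, raw_body: str) -> str:
    """Apply a JSON profile update through the hardened path and report the outcome."""
    body = json.loads(raw_body)
    try:
        hardened_update(account, body)
    except PermissionError as exc:
        return f"rejected: {exc}"
    return f"ok: role is still {account['role']}"


if __name__ == "__main__":
    escalation = '{"display_name": "Sam", "role": "REVIVER"}'   # constructed request body
    print("vulnerable:", vulnerable_update({"id": 42, "role": "CONSUMER"},
                                           json.loads(escalation))["role"])
    print("hardened:  ", try_update({"id": 42, "role": "CONSUMER"}, escalation))
    consumer = {"id": 42, "role": "CONSUMER"}
    someone_elses_car = {"id": 7, "owner_id": 99, "dealer_id": 3}   # constructed record
    print("consumer may view another owner's location:",
          can_view_location(consumer, someone_elses_car))
    print("audit log:", AUDIT_LOG)
```

Two separate defects are addressed here: the profile endpoint accepting a privileged field (fixed by the allowlist and by moving role changes into their own audited operation), and the location, plate-update and dealer calls trusting the role claim alone (fixed by checking the caller against the specific vehicle or dealer). Reviver's 24-hour patch is described only as having fixed "the issues"; which of these it addressed is not stated on the page.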
Reviver told Motherboard in a statement that it patched the issues identified by the researchers. "We are proud of our team's quick response, which patched our application in under 24 hours and took further measures to prevent this from occurring in the future. Our investigation confirmed that this potential vulnerability has not been misused. Customer information has not been affected, and there is no evidence of ongoing risk related to this report. As part of our commitment to data security and privacy, we also used this opportunity to identify and implement additional safeguards to supplement our existing, significant protections," the statement read.

"Cybersecurity is central to our mission to modernize the driving experience and we will continue to work with industry-leading professionals, tools, and systems to build and monitor our secure platforms for connected vehicles," it added.

The Courts

Seattle Schools Sue TikTok, Meta and Other Platforms Over Youth 'Mental Health Crisis'

Seattle public schools have sued the tech giants behind TikTok, Facebook, Instagram, YouTube and Snapchat, accusing them of creating a "mental health crisis among America's Youth." Engadget reports: The 91-page lawsuit (PDF) filed in a US district court states that tech giants exploit the addictive nature of social media, leading to rising anxiety, depression and thoughts of self-harm. "Defendants' growth is a product of choices they made to design and operate their platforms in ways that exploit the psychology and neurophysiology of their users into spending more and more time on their platforms," the complaint states. "[They] have successfully exploited the vulnerable brains of youth, hooking tens of millions of students across the country into positive feedback loops of excessive use and abuse of Defendants' social media platforms."

Harmful content pushed to users includes extreme diet plans, encouragement of self-harm and more, according to the complaint. That has led to a 30 percent increase between 2009 and 2019 of students who report feeling "so sad or hopeless... for two weeks or more in a row that [they] stopped doing some usual activities." That in turn leads to a drop in performance in their studies, making them "less likely to attend school, more likely to engage in substance use, and to act out, all of which directly affects Seattle Public Schools' ability to fulfill its educational mission." Section 230 of the US Communications Decency Act means that online platforms aren't responsible for content posted by third parties. However, the lawsuit claims that the provision doesn't protect social media companies for recommending, distributing and promoting content "in a way that causes harm."

Piracy

Belarus Legalizes Piracy of Movies, Music and Software of 'Unfriendly' Nations (torrentfreak.com)

AmiMoJo writes: Belarusian dictator Alexander Lukashenko has signed a new law that legalizes piracy of movies, music, TV shows and software owned by rightsholders from 'unfriendly countries'. The law also allows goods protected by intellectual property law to be imported from any country without obtaining permission from rightsholders.

Lukashenko's support for Russia's invasion of Ukraine led to new sanctions being imposed by the EU, U.S. and other countries. In common with Russia, Belarus relies on intellectual property owned by foreign rightsholders that are currently unable or unwilling to supply and/or license it. So, to ensure legal access to pirated movies, music, TV shows and software, the government drafted a new law to restrict intellectual property rights.

United States

Deere Will Allow Farmers To Repair Their Own Equipment (reuters.com)

The American Farm Bureau Federation and machinery manufacturer Deere signed a memorandum of understanding on Sunday that ensures farmers have the right to repair their own farm equipment or go to an independent technician. From a report: As the agriculture sector accelerates its adoption of technology, the reliance on high-tech machinery such as GPS-guided combines and tractors has become more commonplace.

But equipment makers such as Deere have generally required customers to use their parts and service divisions for repairs and until recently, only allowed authorized dealers the means and tools to access the complex computerized systems of their tractors and other machinery. The Farm Bureau's memorandum of understanding with Deere "will ensure farmers everywhere are able to repair our own equipment," Farm Bureau president Zippy Duvall said, speaking at the federation's convention in Puerto Rico.

Crime

San Jose Police Announce Three Stolen Vehicles Recovered Using Automatic License Plate Reader (kron4.com)

Saturday night in the Silicon Valley city of San Jose, the assistant police chief tweeted out praise for their recently-upgraded Automatic License Plate Readers: "Officers in Air3 [police helicopter], monitoring the ALPR system, got alerted to 3 stolen cars. They directed ground units to the cars. All 3 drivers in custody! No dangerous vehicle pursuits occurred, nor were they needed.

2 drivers tried to run away. But, you can't outrun a helicopter!"

There are photos — one of the vehicles appears to be a U-Haul pickup truck — and the tweet drew exactly one response, from San Jose mayor Matt Mahan: "Nice job...! Appreciate the excellent police work and great to see ALPRs having an impact. Don't steal cars in San Jose!"
Some context: The San Jose Spotlight (a nonprofit local news site) noted that prior to last year license plate readers had been mounted exclusively on police patrol cars (and in use since 2006). But last year the San Jose Police Department launched a new "pilot program" with four cameras mounted at a busy intersection, that "captured nearly 300,000 plate scans in just the last month, according to city data."

By August this had led to plans for 150 more stationary ALPR cameras, a local TV station reported. "Just this week, police said they solved an armed robbery and arrested a suspected shooter thanks to the cameras." During a forum to update the community, San Jose police also mentioned success stories in other cities like Vallejo where they've reported a 100% increase in identifying stolen vehicles. San Jose is now installing hundreds around the city and the first batch is coming in the next two to three months....

The biggest concern among those attending Wednesday's virtual forum was privacy. But the city made it clear the data is only shared with trained police officers and certain city staff, no out-of-state or federal agencies. "Anytime that someone from the San Jose Police Department accesses the ALPR system, they have to input a reason, the specific plates they are looking for and all of that information is logged so that we can keep track of how many times its being used and what its being used for," said Albert Gehami, Digital Privacy Officer for San Jose.

More privacy concerns were raised in September, reports the San Jose Spotlight: The San Jose City Council unanimously approved a policy Tuesday that formally bans the police department from selling any license plate data, using that information for investigating a person's immigration status or for monitoring legally protected activities like protests or rallies.

Even with these new rules, some privacy advocates and community groups are still opposed to the technology. Victor Sin, chair of the Santa Clara Valley Chapter of ACLU of Northern California, expressed doubt that the readers are improving public safety. He made the comments in a letter to the council from himself and leaders of four other community organizations. "Despite claims that (automated license plate reader) systems can reduce crime, researchers have expressed concerns about the rapid acquisition of this technology by law enforcement without evidence of its efficacy," the letter reads. Groups including the Asian Law Alliance and San Jose-Silicon Valley NAACP also said the city should reduce the amount of time it keeps license plate data on file down from one year....

Mayor Sam Liccardo said he's already convinced the readers are useful, but added the council should try to find a way to measure their effect. "It's probably not a bad idea for us to decide what are the outcomes we're trying to achieve, and if there is some reasonable metric that captures that outcome in a meaningful way," Liccardo said. "Was this used to actually help us arrest anybody, or solve a crime or prevent an accident?"

An EFF position paper argues that "ALPR data is gathered indiscriminately, collecting information on millions of ordinary people. By plotting vehicle times and locations and tracing past movements, police can use stored data to paint a very specific portrait of drivers' lives, determining past patterns of behavior and possibly even predicting future ones — in spite of the fact that the vast majority of people whose license plate data is collected and stored have not even been accused of a crime.... [ALPR technology] allows officers to track everyone..."
Maybe the police officer's tweet was to boost public support for the technology? It's already led to a short report from another local news station: San Jose police recovered three stolen cars using their automated license-plate recognition technology (ALPR) on Saturday, according to officials with the San Jose Police Department.

Officers inside of Air3, one of SJPD's helicopters, spotted three stolen cars using ALPR before directing ground units their way. Police say no pursuits occurred, though two of the drivers tried to run away.

Crime

A $402K GoFundMe Scam Leads to a Three-Year Prison Term (cnn.com)

CNN reports that 32-year-old Katelyn McClure "has been sentenced to three years in state prison for her role in scamming more than $400,000 from GoFundMe donors, by claiming to be collecting money for a homeless man."
In 2017, McClure claimed she ran out of gas and was stranded on Interstate 95 in Philadelphia. The homeless man, Johnny Bobbitt Jr., supposedly saw her and gave her his last $20 for gas. McClure and her then-boyfriend, Mark D'Amico, posted about the "good deed" on social media, including a picture of her with Bobbitt on a highway ramp. They also started a GoFundMe campaign to raise money for the homeless veteran, saying they wanted to pay it forward to the good Samaritan and get him off the streets.

The story went viral and made national headlines, with more than 14,000 donors contributing. The scammers netted around $367,000 after fees, according to court documents.... Bobbitt, who received $75,000 from the fundraiser, according to prosecutors, took civil action against D'Amico and McClure and the scam soon became public.... D'Amico and Bobbitt were charged in 2018 alongside McClure for concocting the scheme, prosecutors said. McClure pleaded guilty to one count of theft by deception in the second degree in 2019, according to the Burlington County prosecutor.

Bobbitt pleaded guilty to conspiracy to commit theft by deception in 2019 and was sentenced to a five-year special probation period which includes drug treatment. D'Amico also pleaded guilty and agreed to a five-year term in New Jersey state prison, as well as restitution of GoFundMe and the donors, in 2019.

"The gas part is completely made up, but the guy isn't," McClure texted a friend (according to CNN). "I had to make something up to make people feel bad." So what happened to "the guy" from the highway ramp? Prosecutors note that if Bobbitt "fails to adhere to the tightly-structured regimen of treatment and recovery services, which includes frequent testing for drug use, he could be sentenced to five years in state prison."

And they add that the judge "also ruled that McClure, a former state Department of Transportation worker, is permanently barred from ever holding another position as a public employee."

Their statement points out that the 2017 campaign was at the time the largest fraud ever perpetrated through GoFundMe — which voluntarily reimbursed the 14,000-plus donors.

Privacy

'Please Don't Film Me in 2023' (theverge.com)

The Verge is decrying "a genre of video that derives its entertainment value from unwitting passersby" — like filming pedestrians in a neighborhood in New York City: Many viewers on TikTok ate it up, but others pushed back on the idea that there's humor in filming and posting an unsuspecting neighbor for content. This year, I saw more and more resistance to the practice that's become normal or even expected.... [P]eople who have been featured in videos unbeknownst to them have pointed out that even if there's no ill will, it's just unnerving and weird to be filmed by others as if you're bit characters in the story of their life. One TikTok user, @hilmaafklint, landed in a stranger's vlog when they filmed her to show her outfit. She didn't realize it had happened until another stranger recognized her and tagged her in the video.

"It's weird at best, and creepy and a safety hazard at worst," she says in a video....

Even before TikTok, public space had become an arena for constant content creation; if you step outside, there's a chance you'll end up in someone's video. It could be minimally invasive, sure, but it could also shine an unwanted spotlight on the banal moments that just happen to get caught on film. This makeshift, individualized surveillance apparatus exists beyond the state-sponsored systems — the ones where tech companies will hand over electronic doorbell footage without a warrant or where elected officials allow police to watch surveillance footage in real time. We're watched enough as it is.

So if you're someone who makes content for the internet, consider this heartfelt advice and a heads-up. If you're filming someone for a video, please ask for their consent.

And if I catch you recording me for content, I will smack your phone away.

Iphone

France Fines Apple for Illegally Harvesting iPhone Owners' Data for Ads (gizmodo.com)

"France's data protection authority, CNIL, fined Apple €8 million (about $8.5 million) Wednesday," reports Gizmodo, "for illegally harvesting iPhone owners' data for targeted ads without proper consent." It's an unusual sanction for the iPhone maker, which has faced fewer legal penalties over privacy than its Big Tech competitors. Apple makes privacy a selling point for its devices, plastering "Privacy. That's iPhone." across 40-foot billboards across the world.... Apple failed to "obtain the consent of French iPhone users (iOS 14.6 version) before depositing and/or writing identifiers used for advertising purposes on their terminals," the CNIL said in a statement. The CNIL's fine calls out the search ads in Apple's App Store, specifically. A French court fined the company over $1 million in December over its commercial practices related to the App Store....

With iPhones running iOS 14.6 and below, Apple's Personalized Advertising privacy setting was turned on by default, leaving users to seek out the control on their own if they wanted to protect their information. That violates EU privacy law, according to the CNIL.... The newer versions of the iPhone operating system corrected the problem, presenting users with a prompt before the advertising data was collected.

Gizmodo also notes this response from an Apple spokesperson. "We are disappointed with this decision given the CNIL has previously recognized that how we serve search ads in the App Store prioritizes user privacy, and we will appeal. Apple Search Ads goes further than any other digital advertising platform we are aware of by providing users with a clear choice as to whether or not they would like personalized ads."

Gizmodo calls France's fine "a signal that Apple may face a less friendly regulatory future in Europe."

CES's 'Worst in Show' Criticized Over Privacy, Security, and Environmental Threats (youtube.com)

"We are seeing, across the gamut, products that impact our privacy, products that create cybersecurity risks, that have overarchingly long-term environmental impacts, disposable products, and flat-out just things that maybe should not exist."

That's the CEO of the how-to repair site iFixit, introducing their third annual "Worst in Show" ceremony for the products displayed at this year's CES. But the show's slogan promises it's also "calling out the most troubling trends in tech." For example, the EFF's executive director started with two warnings. First, "If it's communicating with your phone, it's generally communicating to the cloud too." But more importantly, if a product is gathering data about you and communicating with the cloud, "you have to ask yourself: is this company selling something to me, or are they selling me to other people? And this year, as in many past years at CES, it's almost impossible to tell from the products and the advertising copy around them! They're just not telling you what their actual business model is, and because of that — you don't know what's going on with your privacy."

After warning about the specific privacy implications of a urine-analyzing add-on for smart toilets, they noted there was a close runner-up for the worst privacy: the increasing number of scam products that "are basically based on the digital version of phrenology, like trying to predict your emotions based upon reading your face or other things like that. There's a whole other category of things that claim to do things that they cannot remotely do."

To judge the worst in show by environmental impact, Consumer Reports sent the Associate Director for their Product Sustainability, Research and Testing team, who chose the 55-inch portable "Displace TV" for being powered only by four lithium-ion batteries (rather than, say, a traditional power cord).

And the "worst in show" award for repairability went to the Ember Mug 2+ — a $200 travel mug "with electronics and a battery inside...designed to keep your coffee hot." Kyle Wiens, iFixit's CEO, first noted it was a product which "does not need to exist" in a world which already has equally effective double-insulated, vacuum-insulated mugs and Thermoses. But even worse: it's battery powered, and (at least in earlier versions) that battery can't be easily removed! (If you email the company asking for support on replacing the battery, Wiens claims that "they will give you a coupon on a new, disposable coffee mug.") "So this is the kind of product that should not exist, doesn't need to exist, and is doing active harm to the world.

"The interesting thing is people care so much about their $200 coffee mug, the new feature is 'Find My iPhone' support. So not only is it harming the environment, it's also spying on where you're located!"

The founder of SecuRepairs.org first warned about "the vast ecosystem of smart, connected products that are running really low-quality, vulnerable software that make our persons and our homes and businesses easy targets for hackers." But for the worst in show for cybersecurity award, they then chose Roku's new Smart TV, partly because smart TVs in general "are a problematic category when it comes to cybersecurity, because they're basically surveillance devices, and they're not created with security in mind." And partly because to this day it's hard to tell if Roku has fixed or even acknowledged its past vulnerabilities — and hasn't implemented a prominent bug bounty program. "They're not alone in this. This is a problem that affects electronics makers of all different shapes and sizes at CES, and it's something that as a society, we just need to start paying a lot more attention to."

And US PIRG's "Right to Repair" campaign director gave the "Who Asked For This" award to Neutrogena's "SkinStacks" 3D printer for edible skin-nutrient gummies — which are personalized after phone-based face scans. ("Why just sell vitamins when you could also add in proprietary refills and biometric data harvesting.")

Two Washington Men Charged In Four Substation Attacks on Christmas That Cut Power (cnn.com)

CNN reports: Two men were arrested on New Year's Eve for allegedly shutting down four Washington state power substations in late December that led to power outages for thousands across Pierce County. Matthew Greenwood and Jeremy Crahan have been charged with conspiracy to damage energy facilities and Greenwood faces a separate charge of possessing illegal short-barreled rifles.... The two cut off power to thousands of locals and caused at least $3 million worth of damage, according to charging documents.

Investigators identified Greenwood and Crahan almost immediately after the attacks took place by using cell phone data that allegedly showed both men in the vicinity of all four substations, according to court documents. Surveillance images cited in the court documents also showed images of one of the men and of the getaway car....

The two face up to 20 years behind bars if convicted of conspiring to attack energy facilities.

In addition, possession of an unregistered firearm is punishable by up to ten years in prison, according to a statement from the Department of Justice. But identifying the suspects was apparently pretty simple.

"When law enforcement served a search warrant on the home of the suspects, they recovered distinctive clothing pictured in the surveillance photos."

Thanks to long-time Slashdot reader schwit1 for sharing the story.

Bad News for 500K Crypto Investors: They Don't Own Their Accounts (msn.com)

"More than half a million people who deposited money with collapsed crypto lender Celsius Network have been dealt a major blow to their hopes of recovering their funds," reports the Washington Post, "with the judge in the company's bankruptcy case ruling that the money belongs to Celsius and not to the depositors." The judge, Martin Glenn, found that Celsius's terms of use — the lengthy contracts that many websites publish but few consumers read — meant "the cryptocurrency assets became Celsius's property."

The ruling underscores the Wild West nature of the unregulated crypto industry. On Thursday, New York Attorney General Letitia James moved to impose a kind of order, or at least legal repercussions, on Celsius founder Alex Mashinsky, whom she accused in a lawsuit of defrauding hundreds of thousands of consumers.... And while Glenn's ruling won't affect FTX, whose terms of use were different, some analysts saw the ruling as spreading beyond Celsius.

"There are many other platforms that feature terms of use that are similar to Celsius's," said Aaron Kaplan, a lawyer with the financial-focused firm of Gusrae Kaplan Nusbaum and co-founder of his own crypto company. Customers need to "understand the risks that they are taking when depositing their assets onto insufficiently regulated platforms," he said.

Unpaid Taxes Could Destroy Porn Studio Accused of Copyright Trolling (arstechnica.com)

Slashdot has covered the legal hijinx of Malibu Media over the years. Now Ars Technica reports that the studio could be destroyed by unpaid taxes: Over the past decade, Malibu Media has emerged as a prominent so-called "copyright troll," suing thousands of "John Does" for allegedly torrenting adult content hosted on the porn studio's website, "X-Art." Whether defendants were guilty or not didn't seem to matter to Malibu, critics claimed, as much as winning as many settlements as possible. As courts became more familiar with Malibu, however, some judges grew suspicious of the studio's litigiousness. As early as 2012, a California judge described these lawsuits as "essentially an extortion scheme," and by 2013, a Wisconsin judge ordered sanctions, agreeing with critics who said that Malibu's tactics were designed to "harass and intimidate" defendants into paying Malibu thousands in settlements.

By 2016, Malibu started losing footing in this arena — and even began fighting with its own lawyer. At that point, file-sharing lawsuits became less commonplace, with critics noting a significant reduction in Malibu's lawsuits over the next few years. Now, TorrentFreak reports that Malibu's litigation machine appears to finally be running out of steam — with its corporate status suspended in California sometime between mid-2020 and early 2021 after failing to pay taxes. Last month, a Texas court said that Malibu has until January 20 to pay what's owed in back taxes and get its corporate status reinstated. If that doesn't happen over the next few weeks, one of Malibu's last lawsuits on the books will be dismissed, potentially marking the end of Malibu's long run of alleged copyright trolling.

In a World First, AI Lawyer Will Help Defend a Real Case In the US (interestingengineering.com)

An anonymous reader quotes a report from Interesting Engineering: A program trained with the help of artificial intelligence is set to help a defendant contest his case in a U.S. court next month, New Scientist reported. Instead of addressing the court, the program, which will run on a smartphone, will supply appropriate responses through an earpiece to the defendant, who can then use them in the courtroom. [...] In a new development, a company, DoNotPay, which has been training AI, has now claimed that its program will be able to defend a speeding case that is due to be heard in a U.S. court in February 2023. Identities of the individual and the court remain under wraps, but we do know that the defendant is contesting a speeding ticket.

Since this is the AI's very first case, DoNotPay is ready to take on the burden of punishment if the AI's advice does not help the client. Since it is a speeding ticket, DoNotPay will pay for the speeding ticket. If it wins though, it will have a massive victory to its credit. The real big question, though, is whether this is legal in the court of law. CEO Joshua Browder told New Scientist that it had found a court where listening via an earpiece was within the rules, even though it might not be in the spirit of the rules.

California's Pay Transparency Law Goes Into Effect, Revealing Big Tech Salaries

An anonymous reader quotes a report from CNBC: A new law that went into effect this week requires most California employers to disclose salaries on job listings. The law affects every company with more than 15 employees looking to fill a job that could be performed from the state of California. It covers hourly and temporary work, all the way up to openings for highly paid technology executives. That means it's now possible to know the salaries top tech companies pay their workers. For example: A program manager in Apple's augmented reality group will receive base pay between $121,000 and $230,000 per year, according to an Apple posting Wednesday. A midcareer software engineer at Google Health can expect to make between $126,000 and $190,000 per year. A director of software engineering at Meta leading teams building network infrastructure will make at least $253,000 and as much as $327,000 in salary per year. Notably, these salary listings do not include any bonuses or equity grants, which many tech companies use to attract and retain employees.

California's pay transparency law is intended to reduce gender and race pay gaps and help minorities and women better compete in the labor market. For example, people can compare their current pay with job listings with the same job title and see if they're being underpaid. [...] But the new disclosures under the law might not tell the whole story of what a job pays. Companies can choose to display wide pay ranges, violating the spirit of the law, and the law doesn't require companies to reveal bonuses or equity compensation. The law could also penalize ambitious workers who are gunning for more money because of their experience or skills, the California Chamber of Commerce said last year when opposing the bill. Some employers might be wary of posting pay to prevent bidding wars for top talent.

There are two primary components to California Senate Bill No. 1162, which was passed in September and went into effect Jan. 1. First is the pay transparency component on job listings, which applies to any company with more than 15 employees if the job could be done in California. The second part requires companies with more than 100 employees to submit a pay data report to the state of California with detailed salary information broken down by race, sex and job category. Companies have to provide a similar report on the federal level, but California now requires more details. Employers are required to maintain detailed records of each job title and its wage history, and California's labor commissioner can inspect those records. California can enforce the law through fines and can investigate violations. The reports won't be published publicly under the new law.
