Crime

Romanian National Pleads Guilty To 'Swatting' Over 75 Public Officials (nypost.com) 20

Longtime Slashdot reader schwit1 shares a report: A Romanian national pleaded guilty on Monday to charges related to his role in a "swatting" ring that targeted dozens of public officials, including a former US president. Going by the aliases "Plank," "Jonah" and "Cypher," 26-year-old Thomasz Szabo took part in a years-long conspiracy to place bogus 911 calls, claiming emergencies were taking place at the homes of top government officials, and make bomb threats against government buildings and houses of worship, according to the Justice Department.

Szabo and a co-conspirator, 21-year-old Serbian national Nemanja Radovanovic, allegedly targeted about 100 people, including members of Congress, governors, cabinet-level executive branch officials and state officials. Szabo, who was extradited from Romania last November, pleaded guilty to one count of conspiracy and one count of making bomb threats. He is slated to be sentenced in a Washington, DC, federal court in October. [...] Charges against Radovanovic are still pending.

Privacy

Meta and Yandex Are De-Anonymizing Android Users' Web Browsing Identifiers (github.io) 60

"It appears as though Meta (aka: Facebook's parent company) and Yandex have found a way to sidestep the Android Sandbox," writes Slashdot reader TheWho79. Researchers disclose the novel tracking method in a report: We found that native Android apps -- including Facebook, Instagram, and several Yandex apps including Maps and Browser -- silently listen on fixed local ports for tracking purposes.

These native Android apps receive browsers' metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users' mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programmatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users' visiting sites embedding their scripts.

This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android's permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users' web activity.

While there are subtle differences in the way Meta and Yandex bridge web and mobile contexts and identifiers, both of them essentially misuse the unvetted access to localhost sockets. The Android OS allows any installed app with the INTERNET permission to open a listening socket on the loopback interface (127.0.0.1). Browsers running on the same device also access this interface without user consent or platform mediation. This allows JavaScript embedded on web pages to communicate with native Android apps and share identifiers and browsing habits, bridging ephemeral web identifiers to long-lived mobile app IDs using standard Web APIs.
This technique circumvents privacy protections like Incognito Mode, cookie deletion, and Android's permission model, with Meta Pixel and Yandex Metrica scripts silently communicating with apps across over 6 million websites combined.

Following public disclosure, Meta ceased using this method on June 3, 2025. Browser vendors like Chrome, Brave, Firefox, and DuckDuckGo have implemented or are developing mitigations, but a full resolution may require OS-level changes and stricter enforcement of platform policies to prevent further abuse.
Transportation

Ford Mustang Eleanor From Gone In 60 Seconds Can't Be Copyrighted (caranddriver.com) 31

The Ninth Circuit has ruled that the 1967 Ford Mustang fastback nicknamed "Eleanor" in Gone in 60 Seconds is a film prop rather than a protectable character. The panel said the car fails all three Towle test prongs, so it cannot receive standalone copyright protection. sinij writes: The ruling states that the Mustang doesn't pass tests that would qualify it as a character. In the past, studio aggressively went after builders for any Mustang that even remotely approximated Eleanor, making it a hassle to restomod classic Mustangs.
Mars

Trump Wants $1 Billion For Private-Sector-Led Mars Exploration 157

President Trump's 2026 budget proposes over $1 billion for Mars exploration through a new Commercial Mars Payload Services Program, while simultaneously slashing NASA's overall budget by 25%. Phys.Org reports: Under the proposal, NASA would award contracts to companies developing spacesuits, communications systems and a human-rated landing vehicle to foster exploration of the Red Planet. Trump's proposed $18.8 billion NASA budget would cut the agency's funding by about 25% from the year before, with big hits to its science portfolio. The fleshed-out request on Friday builds upon a condensed budget proposal released earlier this month.

"We must continue to be responsible stewards of taxpayer dollars," NASA Acting Administrator Janet Petro wrote in a letter included in the request. "That means making strategic decisions -- including scaling back or discontinuing ineffective efforts." The new Mars scheme is modeled after NASA's Commercial Lunar Payload Services program that has benefited Intuitive Machines LLC, Firefly Aerospace Inc. and Astrobotic Technology Inc., though it has achieved mixed results. According to the budget, the contract to land on Mars would build upon existing lander contracts.
America's Next NASA Administrator Will Not Be Former SpaceX Astronaut Jared Isaacman
Security

Coinbase Breach Linked To Customer Data Leak In India (reuters.com) 10

Coinbase reportedly knew as early as January about a customer data breach linked to its outsourcing partner TaskUs, where an employee in India was caught leaking customer information in exchange for bribes. "At least one part of the breach [...] occurred when an India-based employee of the U.S. outsourcing firm TaskUs was caught taking photographs of her work computer with her personal phone," reports Reuters, citing five former TaskUs employees. Though Coinbase disclosed the incident in May after receiving an extortion demand, the newly revealed timeline raises questions about how long the company was aware of the breach, which could cost up to $400 million. Reuters reports: Coinbase said in the May SEC filing that it knew contractors accessed employee data "without business need" in "previous months." Only when it received an extortion demand on May 11 did it realize that the access was part of a wider campaign, the company said. In a statement to Reuters on Wednesday, Coinbase said the incident was recently discovered and that it had "cut ties with the TaskUs personnel involved and other overseas agents, and tightened controls." Coinbase did not disclose who the other foreign agents were.

TaskUs said in a statement that two employees had been fired early this year after they illegally accessed information from a client, which it did not identify. "We immediately reported this activity to the client," the statement said. "We believe these two individuals were recruited by a much broader, coordinated criminal campaign against this client that also impacted a number of other providers servicing this client." The person familiar with the matter confirmed that Coinbase was the client and that the incident took place in January.

Google

Google Settles Shareholder Lawsuit, Sill Spend $500 Million On Being Less Evil (arstechnica.com) 22

An anonymous reader quotes a report from Ars Technica: It has become a common refrain during Google's antitrust saga: What happened to "don't be evil?" Google's unofficial motto has haunted it as it has grown ever larger, but a shareholder lawsuit sought to rein in some of the company's excesses. And it might be working. The plaintiffs in the case have reached a settlement with Google parent company Alphabet, which will spend a boatload of cash on "comprehensive" reforms. The goal is to steer Google away from the kind of anticompetitive practices that got it in hot water.

Under the terms of the settlement, obtained by Bloomberg Law, Alphabet will spend $500 million over the next 10 years on systematic reforms. The company will have to form a board-level committee devoted to overseeing the company's regulatory compliance and antitrust risk, a rarity for US firms. This group will report directly to CEO Sundar Pichai. There will also be reforms at other levels of the company that allow employees to identify potential legal pitfalls before they affect the company. Google has also agreed to preserve communications. Google's propensity to use auto-deleting chats drew condemnation from several judges overseeing its antitrust cases. The agreement still needs approval from US District Judge Rita Lin in San Francisco, but that's mainly a formality at this point. Naturally, Alphabet does not admit to any wrongdoing under the terms of the settlement, but it may have to pay tens of millions in legal fees on top of the promised $500 million investment.

Privacy

North Korean Smartphones Automatically Capture Screenshots Every 5 Minutes For State Surveillance 74

A smartphone smuggled out of North Korea automatically captures screenshots every five minutes and stores them in a hidden folder inaccessible to users, according to analysis by the BBC. Authorities can later review these images to monitor citizen activity on the device. The phone, obtained by Seoul-based media outlet Daily NK, resembles a Huawei or Honor device but runs state-approved software designed for surveillance and control. The device also automatically censors text, replacing "South Korea" with "puppet state" and Korean terms of endearment with "comrade."
The Internet

ISP Settles With Record Labels That Demanded Mass Termination of Internet Users (arstechnica.com) 24

An anonymous reader shares a report: Internet service provider Frontier Communications agreed to settle a lawsuit filed by major record labels that demanded mass disconnections of broadband users accused of piracy. Universal, Sony, and Warner sued Frontier in 2021. In a notice of settlement filed last week in US District Court for the Southern District of New York, the parties agreed to dismiss the case with prejudice, with each side to pay its own fees and costs.

The record labels and Frontier simultaneously announced a settlement of similar claims in a Bankruptcy Court case in the same district. Frontier also settled with movie companies in April of this year, just before a trial was scheduled to begin. (Frontier exited bankruptcy in 2021.) [...] Regardless of what is in the agreement, the question of whether ISPs should have to crack down more harshly on users accused of piracy could be decided by the US Supreme Court.

Government

Brazil Tests Letting Citizens Earn Money From Data in Their Digital Footprint (restofworld.org) 15

With over 200 million people, Brazil is the world's fifth-largest country by population. Now it's testing a program that will allow Brazilians "to manage, own, and profit from their digital footprint," according to RestOfWorld.org — "the first such nationwide initiative in the world."

The government says it's partnering with California-based data valuation/monetization firm DrumWave to create "data savings account" to "transform data into economic assets, with potential for monetization and participation in the benefits generated by investing in technologies such as AI LLMs." But all based on "conscious and authorized use of personal information." RestOfWorld reports: Today, "people get nothing from the data they share," Brittany Kaiser, co-founder of the Own Your Data Foundation and board adviser for DrumWave, told Rest of World. "Brazil has decided its citizens should have ownership rights over their data...." After a user accepts a company's offer on their data, payment is cashed in the data wallet, and can be immediately moved to a bank account. The project will be "a correction in the historical imbalance of the digital economy," said Kaiser. Through data monetization, the personal data that companies aggregate, classify, and filter to inform many aspects of their operations will become an asset for those providing the data...

Brazil's project stands out because it brings the private sector and the government together, "so it has a better chance of catching on," said Kaiser. In 2023, Brazil's Congress drafted a bill that classifies data as personal property. The country's current data protection law classifies data as a personal, inalienable right. The new legislation gives people full rights over their personal data — especially data created "through use and access of online platforms, apps, marketplaces, sites and devices of any kind connected to the web." The bill seeks to ensure companies offer their clients benefits and financial rewards, including payment as "compensation for the collecting, processing or sharing of data." It has garnered bipartisan support, and is currently being evaluated in Congress...

If approved, the bill will allow companies to collect data more quickly and precisely, while giving users more clarity over how their data will be used, according to Antonielle Freitas, data protection officer at Viseu Advogados, a law firm that specializes in digital and consumer laws. As data collection becomes centralized through regulated data brokers, the government can benefit by paying the public to gather anonymized, large-scale data, Freitas told Rest of World. These databases are the basis for more personalized public services, especially in sectors such as health care, urban transportation, public security, and education, she said.

This first pilot program involves "a small group of Brazilians who will use data wallets for payroll loans," according to the article — although Pedro Bastos, a researcher at Data Privacy Brazil, sees downsides. "Once you treat data as an economic asset, you are subverting the logic behind the protection of personal data," he told RestOfWorld. The data ecosystem "will no longer be defined by who can create more trust and integrity in their relationships, but instead, it will be defined by who's the richest."

Thanks to Slashdot reader applique for sharing the news.
Government

Russian Nuclear Site Blueprints Exposed In Public Procurement Database (cybernews.com) 23

Journalists from Der Spiegel and Danwatch were able to use proxy servers in Belarus, Kazakhstan, and Russia to circumvent network restrictions and access documents about Russia's nuclear weapon sites, reports Cybernews.com.

"Data, including building plans, diagrams, equipment, and other schematics, is accessible to anyone in the public procurement database." Journalists from Danwatch and Der Spiegel scraped and analyzed over two million documents from the public procurement database, which exposed Russian nuclear facilities, including their layout, in great detail. The investigation unveils that European companies participate in modernizing them. According to the exclusive Der Spiegel report, Russian procurement documents expose some of the world's most secret construction sites. "It even contains floor plans and infrastructure details for nuclear weapons silos," the report reads.
Some details from the Amsterdam-based Moscow Times: Among the leaked materials are construction plans, security system diagrams and details of wall signage inside the facilities, with messages like "Stop! Turn around! Forbidden zone!," "The Military Oath" and "Rules for shoe care." Details extend to power grids, IT systems, alarm configurations, sensor placements and reinforced structures designed to withstand external threats...

"Material like this is the ultimate intelligence," said Philip Ingram, a former colonel in the British Army's intelligence corps. "If you can understand how the electricity is conducted or where the water comes from, and you can see how the different things are connected in the systems, then you can identify strengths and weaknesses and find a weak point to attack."

Apparently Russian defense officials were making public procurement notices for their construction projects — and then attaching sensitive documents to those public notices...
AI

Judge Rejects Claim AI Chatbots Protected By First Amendment in Teen Suicide Lawsuit (legalnewsline.com) 83

A U.S. federal judge has decided that free-speech protections in the First Amendment "don't shield an AI company from a lawsuit," reports Legal Newsline.

The suit is against Character.AI (a company reportedly valued at $1 billion with 20 million users) Judge Anne C. Conway of the Middle District of Florida denied several motions by defendants Character Technologies and founders Daniel De Freitas and Noam Shazeer to dismiss the lawsuit brought by the mother of 14-year-old Sewell Setzer III. Setzer killed himself with a gun in February of last year after interacting for months with Character.AI chatbots imitating fictitious characters from the Game of Thrones franchise, according to the lawsuit filed by Sewell's mother, Megan Garcia.

"... Defendants fail to articulate why words strung together by (Large Language Models, or LLMs, trained in engaging in open dialog with online users) are speech," Conway said in her May 21 opinion. "... The court is not prepared to hold that Character.AI's output is speech."

Character.AI's spokesperson told Legal Newsline they've now launched safety features (including an under-18 LLM, filter Characters, time-spent notifications and "updated prominent disclaimers" (as well as a "parental insights" feature). "The company also said it has put in place protections to detect and prevent dialog about self-harm. That may include a pop-up message directing users to the National Suicide and Crisis Lifeline, according to Character.AI."

Thanks to long-time Slashdot reader schwit1 for sharing the news.
Bitcoin

What's in the US Government's New Strategic Reserve of Seized Crytocurrencies? (yahoo.com) 53

In March an executive order directed America's treasury secretary to create two stockpiles of crypto assets (to accompany already-existing "strategic reserves"of gold and foreign currencies). And the Washington Post notes these new stockpiles would include "cryptocurrency seized by federal agencies in criminal or civil proceedings." But how big would America's "Strategic Bitcoin Reserve" be — and what other cryptocurrencies would the U.S. government hold in its "Digital Asset Stockpile"?

"New data on what crypto cash the U.S. government has seized may now provide some answers. It suggests the crypto reserves will together hold more than $21 billion in cryptocurrency... The stockpile will be funded with whatever crypto assets the Treasury holds other than bitcoin, leaving the stockpile's composition to be largely determined by a mixture of chance and criminal conduct. That unconventional method for selecting government financial holdings had the benefit of making the reserves cost-neutral for the taxpayer.

It also provided a way to estimate what exactly might go into the two pools before results are released from an official accounting of U.S. crypto holdings that is underway.Because government seizures are disclosed in court documents, news releases and other sources, crypto-tracking firms can use those notices to monitor which digital assets the U.S. government holds. Chainalysis, a blockchain analytics firm, reviewed cryptocurrency wallets that appear to be associated with the U.S. government for The Washington Post. The company estimated how much bitcoin it holds, and the other crypto tokens in its top 20 digital holdings as of May 13, by tracking transactions involving those wallets.

The United States' top 20 crypto holdings according to Chainalysis are worth about $20.9 billion as of 3 p.m. Eastern on May 28, with $20.4 billion in bitcoin and about $493 million in other digital assets. It has been scooped up from crimes such as stolen funds, scams and sales on dark net markets. Those estimates put the U.S. government's top crypto holdings at less than the approximately $25 billion worth of oil held in the U.S. Strategic Petroleum Reserve. Their value is nearly double the Fed's listing for U.S. gold holdings, although that figure uses outdated pricing and would be over $850 billion at current prices...

The crypto tokens headed for the U.S. Digital Asset Stockpile according to the Chainalysis list include ethereum, the world's second-largest digital asset, and a string of other crypto tokens with punier name recognition. They include derivatives of bitcoin and ethereum that mirror those cryptocurrencies' prices, several stable coins designed to be pegged in value to the U.S. dollar, and 10 tokens tied to specific companies, including the cryptocurrency exchanges FTX, which imploded in 2022 after defrauding customers, and Binance.

Two U.S. states have already passed legislation creating their own cryptocurrency reserve funds, the article points out. But ethereum co-founder Vitalik Buterin complained to the Post in March that crypto's "original spirit...is about counterbalancing power" — including government and corporate power, and getting too close to "one particular government team" could conflict with its mission of decentralization and openness. And he's not the only one concerned: Austin Campbell, a professor at New York University's business school and a principal at crypto advisory firm Zero Knowledge, sees hypocrisy in crypto enthusiasts cheering the government's strategic reserves. The bitcoin community in particular "has historically been about freedom from sovereign interference," he said.
Piracy

Football and Other Premium TV Being Pirated At 'Industrial Scale' (bbc.com) 131

An anonymous reader quotes a report from the BBC: A lack of action by big tech firms is enabling the "industrial scale theft" of premium video services, especially live sport, a new report says. The research by Enders Analysis accuses Amazon, Google, Meta and Microsoft of "ambivalence and inertia" over a problem it says costs broadcasters revenue and puts users at an increased risk of cyber-crime. Gareth Sutcliffe and Ollie Meir, who authored the research, described the Amazon Fire Stick -- which they argue is the device many people use to access illegal streams -- as "a piracy enabler." [...] The device plugs into TVs and gives the viewer thousands of options to watch programs from legitimate services including the BBC iPlayer and Netflix. They are also being used to access illegal streams, particularly of live sport.

In November last year, a Liverpool man who sold Fire Stick devices he reconfigured to allow people to illegally stream Premier League football matches was jailed. After uploading the unauthorized services on the Amazon product, he advertised them on Facebook. Another man from Liverpool was given a two-year suspended sentence last year after modifying fire sticks and selling them on Facebook and WhatsApp. According to data for the first quarter of this year, provided to Enders by Sky, 59% of people in UK who said they had watched pirated material in the last year while using a physical device said they had used a Amazon fire product. The Enders report says the fire stick enables "billions of dollars in piracy" overall. [...]

The researchers also pointed to the role played by the "continued depreciation" of Digital Rights Management (DRM) systems, particularly those from Google and Microsoft. This technology enables high quality streaming of premium content to devices. Two of the big players are Microsoft's PlayReady and Google's Widevine. The authors argue the architecture of the DRM is largely unchanged, and due to a lack of maintenance by the big tech companies, PlayReady and Widevine "are now compromised across various security levels." Mr Sutcliffe and Mr Meir said this has had "a seismic impact across the industry, and ultimately given piracy the upper hand by enabling theft of the highest quality content." They added: "Over twenty years since launch, the DRM solutions provided by Google and Microsoft are in steep decline. A complete overhaul of the technology architecture, licensing, and support model is needed. Lack of engagement with content owners indicates this a low priority."

Security

Billions of Cookies Up For Grabs As Experts Warn Over Session Security (theregister.com) 36

Billions of stolen cookies are being sold on the dark web and Telegram, with over 1.2 billion containing session data that can grant cybercriminals access to accounts and systems without login credentials, bypassing MFA. The Register reports: More than 93.7 billion of them are currently available for criminals to buy online and of those, between 7-9 percent are active, on average, according to NordVPN's breakdown of stolen cookies by country. Adrianus Warmenhoven, cybersecurity advisor at NordVPN, said: "Cookies may seem harmless, but in the wrong hands, they're digital keys to our most private information. What was designed to enhance convenience is now a growing vulnerability exploited by cybercriminals worldwide. Most people don't realize that a stolen cookie can be just as dangerous as a password, despite being so willing to accept cookies when visiting websites, just to get rid of the prompt at the bottom of the screen. However, once these are intercepted, a cookie can give hackers direct access to all sorts of accounts containing sensitive data, without any login required."

The vast majority of stolen cookies (90.25 percent) contain ID data, used to uniquely identify users and deliver targeted ads. They can also contain data such as names, home and email addresses, locations, passwords, phone numbers, and genders, although these data points are only present in around 0.5 percent of all stolen cookies. The risk of ruinous personal data exposure as a result of cookie theft is therefore pretty slim. Aside from ID cookies, the other statistically significant type of data that these can contain are details of users' sessions. Over 1.2 billion of these are still up for grabs (roughly 6 percent of the total), and these are generally seen as more of a concern.

Crime

US Sanctions Cloud Provider 'Funnull' As Top Source of 'Pig Butchering' Scams (krebsonsecurity.com) 8

An anonymous reader quotes a report from KrebsOnSecurity: The U.S. government today imposed economic sanctions on Funnull Technology Inc., a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams known as "pig butchering." In January 2025, KrebsOnSecurity detailed how Funnull was being used as a content delivery network that catered to cybercriminals seeking to route their traffic through U.S.-based cloud providers. "Americans lose billions of dollars annually to these cyber scams, with revenues generated from these crimes rising to record levels in 2024," reads a statement from the U.S. Department of the Treasury, which sanctioned Funnull and its 40-year-old Chinese administrator Liu Lizhi. "Funnull has directly facilitated several of these schemes, resulting in over $200 million in U.S. victim-reported losses."

The Treasury Department said Funnull's operations are linked to the majority of virtual currency investment scam websites reported to the FBI. The agency said Funnull directly facilitated pig butchering and other schemes that resulted in more than $200 million in financial losses by Americans. Pig butchering is a rampant form of fraud wherein people are lured by flirtatious strangers online into investing in fraudulent cryptocurrency trading platforms. Victims are coached to invest more and more money into what appears to be an extremely profitable trading platform, only to find their money is gone when they wish to cash out. The scammers often insist that investors pay additional "taxes" on their crypto "earnings" before they can see their invested funds again (spoiler: they never do), and a shocking number of people have lost six figures or more through these pig butchering scams.

KrebsOnSecurity's January story on Funnull was based on research from the security firm Silent Push, which discovered in October 2024 that a vast number of domains hosted via Funnull were promoting gambling sites that bore the logo of the Suncity Group, a Chinese entity named in a 2024 UN report (PDF) for laundering millions of dollars for the North Korean state-sponsored hacking group Lazarus. Silent Push found Funnull was a criminal content delivery network (CDN) that carried a great deal of traffic tied to scam websites, funneling the traffic through a dizzying chain of auto-generated domain names and U.S.-based cloud providers before redirecting to malicious or phishous websites. The FBI has released a technical writeup (PDF) of the infrastructure used to manage the malicious Funnull domains between October 2023 and April 2025.

Slashdot Top Deals