Security

Why CISA Is Warning CISOs About a Breach At Sisense (krebsonsecurity.com)

An anonymous reader quotes a report from KrebsOnSecurity: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening. New York City based Sisense has more than 1,000 customers across a range of industry verticals, including financial services, telecommunications, healthcare and higher education. On April 10, Sisense Chief Information Security Officer Sangram Dash told customers the company had been made aware of reports that "certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet.)" In its alert, CISA said it was working with private industry partners to respond to a recent compromise discovered by independent security researchers involving Sisense.

Sisense declined to comment when asked about the veracity of information shared by two trusted sources with close knowledge of the breach investigation. Those sources said the breach appears to have started when the attackers somehow gained access to the company's code repository at Gitlab, and that in that repository was a token or credential that gave the bad guys access to Sisense's Amazon S3 buckets in the cloud. Both sources said the attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.

The incident raises questions about whether Sisense was doing enough to protect sensitive data entrusted to it by customers, such as whether the massive volume of stolen customer data was ever encrypted while at rest in these Amazon cloud servers. It is clear, however, that unknown attackers now have all of the credentials that Sisense customers used in their dashboards. The breach also makes clear that Sisense is somewhat limited in the clean-up actions that it can take on behalf of customers, because access tokens are essentially text files on your computer that allow you to stay logged in for extended periods of time -- sometimes indefinitely. And depending on which service we're talking about, it may be possible for attackers to re-use those access tokens to authenticate as the victim without ever having to present valid credentials. Beyond that, it is largely up to Sisense customers to decide if and when they change passwords to the various third-party services that they've previously entrusted to Sisense.
"If they are hosting customer data on a third-party system like Amazon, it better damn well be encrypted," said Nicholas Weaver, a researcher at University of California, Berkeley's International Computer Science Institute (ICSI) and lecturer at UC Davis. "If they are telling people to reset credentials, that means it was not encrypted. So mistake number one is leaving Amazon credentials in your Git archive. Mistake number two is using S3 without using encryption on top of it. The former is bad but forgivable, but the latter given their business is unforgivable."

Security

Microsoft Employees Exposed Internal Passwords In Security Lapse (techcrunch.com)

Zack Whittaker and Carly Page report via TechCrunch: Microsoft has resolved a security lapse that exposed internal company files and credentials to the open internet. Security researchers Can Yoleri, Murat Ozfidan and Egemen Kochisarli with SOCRadar, a cybersecurity company that helps organizations find security weaknesses, discovered an open and public storage server hosted on Microsoft's Azure cloud service that was storing internal information relating to Microsoft's Bing search engine. The Azure storage server housed code, scripts and configuration files containing passwords, keys and credentials used by the Microsoft employees for accessing other internal databases and systems. But the storage server itself was not protected with a password and could be accessed by anyone on the internet.

Yoleri told TechCrunch that the exposed data could potentially help malicious actors identify or access other places where Microsoft stores its internal files. Identifying those storage locations "could result in more significant data leaks and possibly compromise the services in use," Yoleri said. The researchers notified Microsoft of the security lapse on February 6, and Microsoft secured the spilling files on March 5. It's not known for how long the cloud server was exposed to the internet, or if anyone other than SOCRadar discovered the exposed data inside.

The Internet

Starting Today, ISPs Must Display Labels With Price, Speeds, and Data Caps (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Starting today, home Internet and mobile broadband providers in the US are required to display consumer labels with information on prices, speeds, and data allowances. "Today's nationwide launch of the Broadband Consumer Labels means internet service providers are now required to display consumer-friendly labels at the point of sale," the Federal Communications Commission said (PDF). "Labels are required for all standalone home or fixed Internet service or mobile broadband plans. Providers must display the label -- not simply an icon or link to the label -- in close proximity to an associated plan's advertisement."

The labels are required now for providers with at least 100,000 subscribers, while ISPs with fewer customers have until October 10, 2024, to comply. "If a provider is not displaying their labels or has posted inaccurate information about its fees or service plans, consumers can file a complaint with the FCC Consumer Complaint Center," an agency webpage says. The October 10 date will also bring an additional requirement that providers "make the labels machine-readable to enable third parties to more easily collect and aggregate data for the purpose of creating comparison-shopping tools for consumers," the FCC said.

The FCC issued a consumer advisory telling broadband users what to look for in the labels. Labels should include the monthly price, state whether it is an introductory rate, the amount of time that an introductory rate applies, and the price after any introductory rate expires. The labels must include any additional monthly charges, one-time fees, early termination fees, and taxes. Speed information should include typical download speed, upload speed, and latency. For data caps, the labels should state how much data is included with the monthly price and how much consumers have to pay for additional usage. Labels should also include links to information on discounts and service bundles, network management practices, and privacy policies.

Communications

Consumers Will Finally See FCC-Mandated 'Nutrition Labels' For Most Broadband Plans (theverge.com)

It appears that a nearly eight-year-long battle by the FCC to require internet companies to display information on the costs, fees, and speeds of their broadband services is finally over. From a report: Starting on Wednesday, all but the smallest ISPs will be required to publish broadband "nutrition labels" on all of their plans, the regulator announced. [...] Each label will include monthly broadband prices, introductory rate details, data allowances, broadband speeds, and links to find out about any available discounts or service bundles. Links to network management practices and privacy policies should be listed as well.

The Courts

Cox Plans To Take Piracy Liability Battle To the Supreme Court (torrentfreak.com)

An anonymous reader quotes a report from TorrentFreak: Cox Communications doesn't believe that ISPs should be held liable for the activities of their pirating subscribers. After a disappointing verdict from a Virginia jury and an unsatisfactory outcome at the Court of Appeals, the internet provider now intends to escalate the matter to the Supreme Court. If the present verdict stands, innocent people risk losing their Internet access, the ISP notes. [...] That's notable, as it would be the first time that a "repeat infringer" case ends up at the highest court in the United States. Cox asked the court of appeals to also stay its mandate pending its Supreme Court application, as this could steer the legal battle in yet another direction.

According to Cox, the Supreme Court has substantial reasons to take on the case. For one, there are currently conflicting court of appeals rulings on the "material contribution" aspect of copyright infringement. The Supreme Court could give more clarity on when a service, with a myriad of lawful uses, can be held liable for infringers. In addition, Cox also cites the recent 'Twitter vs. Taamneh' Supreme Court ruling, which held that social media platforms aren't liable for terrorists who use their network. While that's not a copyright case, it's relevant for the secondary liability question, the ISP argues. "Though Twitter was not a copyright case, it confronted a directly analogous theory of secondary liability: that social-media platforms, including Twitter and YouTube, could be liable for continuing to provide services to those they knew were using them for illegal purposes," Cox writes.

Finally, Cox notes that the Supreme Court should hear the case because it deals with an issue that's 'exceptionally important' to ISPs as well as the public. If the present verdict stands, Internet providers may be much more likely to terminate Internet access, even if the subscriber is innocent. "This Court's material-contribution standard provides powerful incentives for ISPs of all stripes to swiftly terminate internet services that have been used to infringe -- no matter the universe of lawful uses to which those services are put, or the consequences to innocent, non-infringing people who also use those services." "That is why a chorus of amici urged this Court not to adopt this standard at the panel and en banc stages, and will likely urge the Supreme Court to grant review as well," Cox adds, referring to the support it received from third parties previously.
"Cox hasn't filed a writ of certiorari yet and still has time, as it's due June 17, 2024," notes TorrentFreak. "The intention to go to the Supreme Court would be another reason to halt the new damages trial, according to Cox, but the court of appeals rejected the request."

"This means that the new damages trial can start, even if the case is still pending at the Supreme Court. However, it's clear that this legal battle is far from over yet."

The Internet

Internet Traffic Dipped as Viewers Took in the Eclipse (nytimes.com)

As the moon blocked the view of the sun across parts of Mexico, the United States and Canada on Monday, the celestial event managed another magnificent feat: It got people offline. From a report: According to Cloudflare, a cloud-computing service used by about 20 percent of websites globally, internet traffic dipped along the path of totality as spellbound viewers took a break from their phones and computers to catch a glimpse of the real-life spectacle.

The places with the most dramatic views saw the biggest dips in traffic compared with the previous week. In Vermont, Arkansas, Indiana, Maine, New Hampshire and Ohio -- states that were in the path of totality, meaning the moon completely blocked out the sun -- internet traffic dropped by 40 percent to 60 percent around the time of the eclipse, Cloudflare said. States that had partial views also saw drops in internet activity, but to a much lesser extent. At 3:25 p.m. Eastern time, internet traffic in New York dropped by 29 percent compared with the previous week, Cloudflare found.

The path of totality made up a roughly 110-mile-wide belt that stretched from Mazatlan, Mexico, to Montreal. In the Mexican state of Durango, which was in the eclipse zone, internet traffic measured by Cloudflare dipped 57 percent compared with the previous week, while farther south, in Mexico City, traffic was down 22 percent. The duration of the eclipse's totality varied by location, with some places experiencing it for more than four minutes while for others, it was just one to two minutes.

United States

FCC Chair Rejects Call To Impose Universal Service Fees on Broadband (arstechnica.com)

The Federal Communications Commission chair decided not to impose Universal Service fees on Internet service, rejecting arguments for new assessments to shore up an FCC fund that subsidizes broadband network expansions and provides discounts to low-income consumers. From a report: The $8 billion-a-year Universal Service Fund (USF) pays for FCC programs such as Lifeline discounts and Rural Digital Opportunity Fund deployment grants for ISPs. Phone companies must pay a percentage of their revenue into the fund, and telcos generally pass those fees on to consumers with a "Universal Service" line item on telephone bills.

Imposing similar assessments on broadband could increase the Universal Service Fund's size and/or reduce the charges on phone service, spreading the burden more evenly across different types of telecommunications services. Some consumer advocates want the FCC to increase the fund in order to replace the Affordable Connectivity Program (ACP), a different government program that gives $30 monthly broadband discounts to people with low incomes but is about to run out of money because of inaction by Congress. The Universal Service funding question is coming up now because, on April 25, the FCC is scheduled to vote on reclassifying broadband as a telecommunications service in order to re-impose the net neutrality rules scrapped during the Trump era. Imposing Universal Service charges on broadband would likely result in ISPs adding those costs to monthly bills and would make the net neutrality proceeding even more of a political minefield than it already is. FCC Chairwoman Jessica Rosenworcel's net neutrality proposal takes the same stance against requiring Universal Service contributions that the FCC took in 2015 when it first imposed the net neutrality rules.

The Internet

FCC Won't Block California Net Neutrality Law, Says States Can 'Experiment' (arstechnica.com)

Jon Brodkin reports via Ars Technica: California can keep enforcing its state net neutrality law after the Federal Communications Commission implements its own rules. The FCC could preempt future state laws if they go far beyond the national standard but said that states can "experiment" with different regulations for interconnection payments and zero-rating. The FCC scheduled an April 25 vote on Chairwoman Jessica Rosenworcel's proposal to restore net neutrality rules similar to the ones introduced during the Obama era and repealed under former President Trump. The FCC yesterday released the text of the pending order, which could still be changed but isn't likely to get any major overhaul.

State-level enforcement of net neutrality rules can benefit consumers, the FCC said. The order said that "state enforcement generally supports our regulatory efforts by dedicating additional resources to monitoring and enforcement, especially at the local level, and thereby ensuring greater compliance with our requirements." [...] In the order scheduled for an April 25 vote, the FCC said the California law "appears largely to mirror or parallel our federal rules. Thus we see no reason at this time to preempt it." That doesn't mean the rules are exactly the same. Instead of banning certain types of zero-rating entirely, the FCC will judge on a case-by-case basis whether any specific zero-rating program harms consumers and conflicts with the goal of preserving an open Internet. The FCC said it will evaluate sponsored-data "programs based on a totality of the circumstances, including potential benefits."

The FCC order cautions that the agency will take a dimmer view of zero-rating in exchange for payment from a third party or zero-rating that favors an affiliated entity. But those categories will still be judged by the FCC on a case-by-case basis, whereas California bans paid data cap exemptions entirely. Despite that difference, the FCC said it is "not persuaded on the record currently before us that the California law is incompatible with the federal rules." The FCC also found that California's approach to interconnection payments is compatible with the pending federal rule. Interconnection was the subject of a major controversy involving Netflix and big ISPs a decade ago. The FCC said it found no evidence that the California law has "unduly burdened or interfered with interstate communications service." When it comes to zero-rating and interconnection, the FCC said there is "room for states to experiment and explore their own approaches within the bounds of our overarching federal framework." The FCC said it will reconsider preemption of California rules if "California state enforcement authorities or state courts seek to interpret or enforce these requirements in a manner inconsistent with how we intend our rules to apply."

AI

A 'Law Firm' of AI Generated Lawyers Is Sending Fake Threats As an SEO Scam (404media.co)

An anonymous reader quotes a report from 404 Media: Last week, Ernie Smith, the publisher of the website Tedium, got a "copyright infringement notice" from a law firm called Commonwealth Legal: "We're reaching out on behalf of the Intellectual Property division of a notable entity, in relation to an image connected to our client," it read. [...] In this case, though, the email didn't demand that the photo be taken down or specifically threaten a lawsuit. Instead, it demanded that Smith place a "visible and clickable link" beneath the photo in question to a website called "tech4gods" or the law firm would "take action." Smith began looking into the law firm. And he found that Commonwealth Legal is not real, and that the images of its "lawyers" are AI generated.

The threat to "activate the case No. 86342" is obviously nonsense. Beyond that, Commonwealth Legal's website looks generic and is full of stock photos, though I've seen a lot of generic template websites for real law firms. All of its lawyers have vacant, thousand-yard stares that are commonly generated by websites like This Person Does Not Exist, none of them come up in any attorney or LinkedIn searches, and the only reverse image search results for them are for a now-broken website called Generated.Photos, which offered a service to "use AI to generate people online that don't exist, change clothing and modify face and body traits. Download generated people in different postures." "All of the faces scanned were likely AI generated, most likely by a Generative Adversarial Network (GAN) model," Ali Shahriyari, cofounder and CTO of the AI detection startup Reality Defender told 404 Media. Commonwealth Legal's listed address is the fourth floor of a one-story building that looks nothing like the image on its website, and both of its phone numbers are disconnected. No one responded to the contact form that I filled out. Smith realized that what's happening here isn't a copyright enforcement or copyright trolling attempt at all. Instead, it's a backlink SEO scam, where a website owner tries to improve their Google ranking by asking, paying, or threatening someone to link to their website.

Tech4Gods.com is a gadget review website run by a man named Daniel Barczak, whose content is "complemented by AI writing assistants." In this case, the photo that Smith had "infringed" was a photo downloaded from the royalty-free, free-to-use website Unsplash, which 404 Media also sometimes uses. The image was not taken by Barczak, and has nothing to do with him, he told me in an email: "I certainly don't own any images on the web," he said. The original photographer did not respond to a request for comment sent through Unsplash. Barczak told me that he had previously been buying backlinks to his website for SEO, but said he wasn't aware of who was doing this or why. "I have no idea; it certainly has nothing to do with me," he said. "However, recently, someone has been building spammy links against my site that I have been dealing with." "I have mastered on-page SEO, but unfortunately, I buy links due to a lack of time," he added. "In the past, I had a bad link builder. I wonder if it's him going mad at me for letting him go. It's hard to say; the web is massive, and everyone can link whenever they want." Link building is an SEO strategy devised to get outside websites to link to your website. He added that "bad links may damage [the site's] profile in Google's eyes." In this case, however, the "lawyers" were threatening a well-established tech blogger, and a link from Tedium would likely be treated as a positive in the search algorithm's eyes.

United States

Cable Lobby Vows 'Years of Litigation' To Avoid Bans on Blocking and Throttling (arstechnica.com)

An anonymous reader shares a report: The Federal Communications Commission has scheduled an April 25 vote to restore net neutrality rules similar to the ones introduced during the Obama era and repealed under former President Trump. The text of the pending net neutrality order wasn't released today. The FCC press release said it will prohibit broadband providers "from blocking, slowing down, or creating pay-to-play Internet fast lanes" and "bring back a national standard for broadband reliability, security, and consumer protection."

[...] Numerous consumer advocacy groups praised the FCC for its plan today. Lobby groups representing Internet providers expressed their displeasure. While there hasn't been a national standard since then-Chairman Ajit Pai led a repeal in 2017, Internet service providers still have to follow net neutrality rules because California and other states impose their own similar regulations. The broadband industry's attempts to overturn the state net neutrality laws were rejected in court.

Although ISPs seem to have been able to comply with the state laws, they argue that the federal standard will hurt their businesses and consumers. "Reimposing heavy-handed regulation will not just hobble network investment and innovation, it will also seriously jeopardize our nation's collective efforts to build and sustain reliable broadband in rural and unserved communities," cable lobbyist Michael Powell said today. Powell, the CEO of cable lobby group NCTA-The Internet & Television Association, was the FCC chairman under President George W. Bush. Powell said the FCC must "reverse course to avoid years of litigation and uncertainty" in a reference to the inevitable lawsuits that industry groups will file against the agency.

The Internet

FCC To Vote To Restore Net Neutrality Rules (reuters.com)

An anonymous reader quotes a report from Reuters: The U.S. Federal Communications Commission will vote to reinstate landmark net neutrality rules and assume new regulatory oversight of broadband internet that was rescinded under former President Donald Trump, the agency's chair said. The FCC told advocates on Tuesday of the plan to vote on the final rule at its April 25 meeting. The commission voted 3-2 in October on the proposal to reinstate open internet rules adopted in 2015 and re-establish the commission's authority over broadband internet.

Net neutrality refers to the principle that internet service providers should enable access to all content and applications regardless of the source, and without favoring or blocking particular products or websites. FCC Chair Jessica Rosenworcel confirmed the planned commission vote in an interview with Reuters. "The pandemic made clear that broadband is an essential service, that every one of us -- no matter who we are or where we live -- needs it to have a fair shot at success in the digital age," she said. "An essential service requires oversight and in this case we are just putting back in place the rules that have already been court-approved that ensures that broadband access is fast, open and fair."

United States

White House Makes Last-ditch Push for Internet Subsidy Program (reuters.com)

The White House plans to renew a push in April to convince Congress to extend an internet subsidy program used by 23 million American households just weeks before it runs out of money, officials said. From a report: In October, the White House asked for $6 billion to extend the program through December 2024, but Congress has not funded it, potentially putting millions of households at risk of losing their internet service. Federal Communications Commission Chair Jessica Rosenworcel told lawmakers in a letter that April is the last month participants will get the full subsidy, with partial subsidies in May.

Congress previously allocated $17 billion to help lower-income families and people impacted by COVID-19 gain broadband access through a $30 per month voucher to use toward internet service. "We have come too far to allow this successful effort to promote internet access for all to end," Rosenworcel said on Tuesday. "Despite the breadth of this support and the urgent need to continue this program to ensure millions of households nationwide do not lose essential internet access, no additional funding has yet been appropriated."

Government

Can Apps Turn Us Into Unpaid Lobbyists? (msn.com)

"Today's most effective corporate lobbying no longer involves wooing members of Congress..." writes the Wall Street Journal. Instead the lobbying sector "now works in secret to influence lawmakers with the help of an unlikely ally: you." [Lobbyists] teamed up with PR gurus, social-media experts, political pollsters, data analysts and grassroots organizers to foment seemingly organic public outcries designed to pressure lawmakers and compel them to take actions that would benefit the lobbyists' corporate clients...

By the middle of 2011, an army of lobbyists working for the pillars of the corporate lobbying establishment — the major movie studios, the music industry, pharmaceutical manufacturers and the U.S. Chamber of Commerce — were executing a nearly $100 million campaign to win approval for the internet bill [the PROTECT IP Act, or "PIPA"]. They pressured scores of lawmakers to co-sponsor the legislation. At one point, 99 of the 100 members of the U.S. Senate appeared ready to support it — an astounding number, given that most bills have just a handful of co-sponsors before they are called up for a vote. When lobbyists for Google and its allies went to Capitol Hill, they made little headway. Against such well-financed and influential opponents, the futility of the traditional lobbying approach became clear. If tech companies were going to turn back the anti-piracy bills, they would need to find another way.

It was around this time that one of Google's Washington strategists suggested an alternative strategy. "Let's rally our users," Adam Kovacevich, then 34 and a senior member of Google's Washington office, told colleagues. Kovacevich turned Google's opposition to the anti-piracy legislation into a coast-to-coast political influence effort with all the bells and whistles of a presidential campaign. The goal: to whip up enough opposition to the legislation among ordinary Americans that Congress would be forced to abandon the effort... The campaign slogan they settled on — "Don't Kill the Internet" — exaggerated the likely impact of the bill, but it succeeded in stirring apprehension among web users.

The coup de grace came on Jan. 18, 2012, when Google and its allies pulled off the mother of all outside influence campaigns. When users logged on to the web that day, they discovered, to their great frustration, that many of the sites they'd come to rely on — Wikipedia, Reddit, Craigslist — were either blacked out or displayed text outlining the detrimental impacts of the proposed legislation. For its part, Google inserted a black censorship bar over its multicolored logo and posted a tool that enabled users to contact their elected representatives. "Tell Congress: Please don't censor the web!" a message on Google's home page read. With some 115,000 websites taking part, the protest achieved a staggering reach. Tens of millions of people visited Wikipedia's blacked-out website, 4.5 million users signed a Google petition opposing the legislation, and more than 2.4 million people took to Twitter to express their views on the bills. "We must stop [these bills] to keep the web open & free," the reality TV star Kim Kardashian wrote in a tweet to her 10 million followers...

Within two days, the legislation was dead...

Over the following decade, outside influence tactics would become the cornerstone of Washington's lobbying industry — and they remain so today.

"The 2012 effort is considered the most successful consumer mobilization in the history of internet policy," writes the Washington Post — agreeing that it's since spawned more app-based, crowdsourced lobbying campaigns. Sites like Airbnb "have also repeatedly asked their users to oppose city government restrictions on the apps." Uber, Lyft, DoorDash and other gig work companies also blitzed the apps' users with scenarios of higher prices or suspended service unless people voted for a 2020 California ballot measure on contract workers. Voters approved it.

The Wall Street Journal also details how lobbyists successfully killed higher taxes for tobacco products, the oil-and-gas industry, and even on private-equity investors — and note similar tactics were used against a bill targeting TikTok. "Some say the campaign backfired. Lawmakers complained that the effort showed how the Chinese government could co-opt internet users to do their bidding in the U.S., and the House of Representatives voted to ban the app if its owners did not agree to sell it.

"TikTok's lobbyists said they were pleased with the effort. They persuaded 65 members of the House to vote in favor of the company and are confident that the Senate will block the effort."

The Journal's article was adapted from an upcoming book titled "The Wolves of K Street: The Secret History of How Big Money Took Over Big Government." But the Washington Post argues the phenomenon raises two questions. "How much do you want technology companies to turn you into their lobbyists? And what's in it for you?"

Google

20 Years of Gmail (theverge.com)

Victoria Song reports via The Verge: When Gmail launched with a goofy press release 20 years ago next week, many assumed it was a hoax. The service promised a gargantuan 1 gigabyte of storage, an excessive quantity in an era of 15-megabyte inboxes. It claimed to be completely free at a time when many inboxes were paid. And then there was the date: the service was announced on April Fools' Day, portending some kind of prank. But soon, invites to Gmail's very real beta started going out -- and they became a must-have for a certain kind of in-the-know tech fan. At my nerdy high school, having one was your fastest ticket to the cool kids' table. I remember trying to track one down for myself. I didn't know whether I actually needed Gmail, just that all my classmates said Gmail would change my life forever.

Teenagers are notoriously dramatic, but Gmail did revolutionize email. It reimagined what our inboxes were capable of and became a central part of our online identities. The service now has an estimated 1.2 billion users -- about 1/7 of the global population -- and these days, it's a practical necessity to do anything online. It often feels like Gmail has always been here and always will be. But 20 years later, I don't know anyone who's champing at the bit to open up Gmail. Managing your inbox is often a chore, and other messaging apps like Slack and WhatsApp have come to dominate how we communicate online. What was once a game-changing tool sometimes feels like it's been sidelined. In another 20 years, will Gmail still be this central to our lives? Or will it -- and email -- be a thing of the past?

Cloud

Cloud Server Host Vultr Rips User Data Ownership Clause From ToS After Web Outage (theregister.com) 28

Tobias Mann reports via The Register: Cloud server provider Vultr has rapidly revised its terms-of-service after netizens raised the alarm over broad clauses that demanded the "perpetual, irrevocable, royalty-free" rights to customer "content." The red tape was updated in January, as captured by the Internet Archive, and this month users were asked to agree to the changes by a pop-up that appeared when using their web-based Vultr control panel. That prompted folks to look through the terms, and there they found clauses granting the US outfit a "worldwide license ... to use, reproduce, process, adapt ... modify, prepare derivative works, publish, transmit, and distribute" user content.

It turned out these demands have been in place since before the January update; customers have only just noticed them now. Given Vultr hosts servers and storage in the cloud for its subscribers, some feared the biz was giving itself way too much ownership over their stuff, all in this age of AI training data being put up for sale by platforms. In response to online outcry, largely stemming from Reddit, Vultr in the past few hours rewrote its ToS to delete those asserted content rights. CEO J.J. Kardwell told The Register earlier today it's a case of standard legal boilerplate being taken out of context. The clauses were supposed to apply to customer forum posts, rather than private server content, and while, yes, the terms make more sense with that in mind, one might argue the legalese was overly broad in any case.

"We do not use user data," Kardwell stressed to us. "We never have, and we never will. We take privacy and security very seriously. It's at the core of what we do globally." [...] According to Kardwell, the content clauses are entirely separate to user data deployed in its cloud, and are more aimed at one's use of the Vultr website, emphasizing the last line of the relevant fine print: "... for purposes of providing the services to you." He also pointed out that the wording has been that way for some time, and added the prompt asking users to agree to an updated ToS was actually spurred by unrelated Microsoft licensing changes. In light of the controversy, Vultr vowed to remove the above section to "simplify and further clarify" its ToS, and has indeed done so. In a separate statement, the biz told The Register the removal will be followed by a full review and update to its terms of service.
"It's clearly causing confusion for some portion of users. We recognize that the average user doesn't have a law degree," Kardwell added. "We're very focused on being responsive to the community and the concerns people have and we believe the strongest thing we can do to demonstrate that there is no bad intent here is to remove it."
Social Networks

'Federation Is the Future of Social Media' (theverge.com) 51

An anonymous reader quotes a report from The Verge, written by Nilay Patel: Today, I'm talking to Jay Graber, the CEO of Bluesky Social, which is a decentralized competitor to Twitter, er, X. Bluesky actually started inside of what was then known as Twitter — it was a project from then-CEO Jack Dorsey, who spent his days wandering the earth and saying things like Twitter should be a protocol and not a company. Bluesky was supposed to be that protocol, but Jack spun it out of Twitter in 2021, just before Elon Musk bought the company and renamed it X. Bluesky is now an independent company with a few dozen employees, and it finds itself in the middle of one of the most chaotic moments in the history of social media. There are a lot of companies and ideas competing for space on the post-Twitter internet, and Jay makes a convincing argument that decentralization -- the idea that you should be able to take your username and following to different servers as you wish -- is the future. It's a powerful concept that's been kicking around for a long time, but now it feels closer to reality than ever before. You've heard us talk about it a lot on Decoder: the core idea is that no single company -- or individual billionaire -- can amass too much power and control over our social networks and the conversations that happen on them.

Bluesky's approach to this is something called the AT Protocol, which powers Bluesky's own platform but which is also a technology that anyone can use right now to host their own servers and, eventually, interoperate with a bunch of other networks. You'll hear Jay explain how building Bluesky the product alongside AT Protocol the protocol has created a cooperate-compete dynamic that runs throughout the entire company and that also informs how it's building products and features -- not only for its own service but also for developers to build on top of. Jay and I also talked about the growth of the Bluesky app, which now has more than 5 million users, and how so many of the company's early decisions around product design and moderation have shaped the type of organic culture that's taken hold there. Content moderation is, of course, one of the biggest challenges any platform faces, and Bluesky, in particular, has had its fair share of controversies. But the idea behind AT Protocol and Bluesky is devolving control, so Bluesky users can pick their own moderation systems and recommendation algorithms -- a grand experiment that I wanted to know much more about.

Finally, Jay and I had the opportunity to get technical and go deeper on standards and protocols, which are the beating heart of the decentralization movement. Bluesky's AT Protocol is far from the only protocol in the mix -- there's also ActivityPub, which is what powers Mastodon and, soon, Meta's Threads. There's been some real animosity between these camps, and I asked Jay about the differences between the two, the benefits of Bluesky's approach, and how she sees the two coexisting in the future.

Communications

Landlines Are Dying Out (yahoo.com) 142

An anonymous reader shares a report: The number of landline users has plummeted with the rise of cellphones, and the 19th-century technology's days appear to be numbered. Providers like AT&T are looking to exit the business by transitioning customers to cellphones or home telephone service over broadband connections. But for many of the millions of people still clinging to their copper-based landline telephones, newer alternatives are either unavailable, too expensive, or are unreliable when it matters most: in an emergency.

According to the National Center for Health Statistics, only a quarter of adults in the United States still have landlines and only around 5 percent say they mostly or only rely on them. The largest group of people holding onto their landlines are 65 and older. Meanwhile, more than 70 percent of adults are using wireless phones only. The copper lines used for traditional landlines carry electricity over the wires, so as long as a phone is corded or charged it will work during a power outage. Landlines are separate from cellular and broadband networks and are not affected by their outages, making them a necessary backstop in rural areas. Many of those same areas have inadequate cellular or internet coverage.

"In three, four, maybe five years a lot of states are going to say 'Okay, it's permissible to discontinue service if you, the phone company, can demonstrate there's functional alternative service,'" says Rob Frieden, an Academy and Emeritus Professor of Telecommunications and Law at Pennsylvania State University. AT&T recently asked the California Public Utilities Commission to end its obligation to provide landline service in parts of the state. The Federal Communications Commission, which has to approve a request to end service, said it hasn't received one from AT&T.

Security

New 'Loop DoS' Attack May Impact Up to 300,000 Online Systems (thehackernews.com) 10

BleepingComputer reports on "a new denial-of-service attack dubbed 'Loop DoS' targeting application layer protocols."

According to their article, the attack "can pair network services into an indefinite communication loop that creates large volumes of traffic." Devised by researchers at the CISPA Helmholtz-Center for Information Security, the attack targets UDP-based application protocols and impacts an estimated 300,000 hosts and their networks. The attack is possible because of a vulnerability, currently tracked as CVE-2024-2169, in how these UDP services handle unexpected input: UDP has no handshake, so the source address of a datagram can be spoofed, and the affected implementations answer an error message with an error message of their own instead of discarding it. An attacker exploiting the vulnerability creates a self-perpetuating exchange between two servers that generates traffic without limit and without a built-in way to stop, leading to a denial-of-service (DoS) condition on the target systems or even an entire network. Loop DoS relies on IP spoofing and can be triggered from a single host that sends one message to start the communication.

According to the Carnegie Mellon CERT Coordination Center (CERT/CC) there are three potential outcomes when an attacker leverages the vulnerability:

— Overloading of a vulnerable service and causing it to become unstable or unusable.
— DoS attack on the network backbone, causing network outages to other services.
— Amplification attacks that involve network loops causing amplified DoS or DDoS attacks.

CISPA researchers Yepeng Pan and Professor Dr. Christian Rossow say the potential impact is notable, spanning both outdated (QOTD, Chargen, Echo) and modern protocols (DNS, NTP, TFTP) that are crucial for basic internet-based functions like time synchronization, domain name resolution, and file transfer without authentication... The researchers warned that the attack is easy to exploit, noting that there is no evidence indicating active exploitation at this time. Rossow and Pan shared their findings with affected vendors and notified CERT/CC for coordinated disclosure. So far, vendors who confirmed their implementations are affected by CVE-2024-2169 are Broadcom, Cisco, Honeywell, Microsoft, and MikroTik.

To avoid the risk of denial of service via Loop DoS, CERT/CC recommends installing the latest patches from vendors that address the vulnerability and replacing products that no longer receive security updates. Using firewall rules and access-control lists for UDP applications, turning off unnecessary UDP services, and implementing TCP or request validation are also measures that can mitigate the risk of an attack. Furthermore, the organization recommends deploying anti-spoofing measures such as BCP38 ingress filtering and Unicast Reverse Path Forwarding (uRPF), and using Quality-of-Service (QoS) measures to limit network traffic and protect against abuse from network loops and DoS amplification.
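The following is an added simulation, not code from the CISPA researchers, CERT/CC, or any of the affected vendors, of the pairing mechanism described above. It models two UDP services on in-memory "hosts" (the TEST-NET addresses 192.0.2.10 and 198.51.100.20 and port 69 are constructed for the example), a vulnerable handler that answers every datagram with an error reply, a hardened handler that refuses to answer error messages or requests arriving from another service's port, and a BCP38-style ingress filter at the attacker's network edge. The single spoofed trigger packet, the loop, and the effect of each mitigation are all visible in the packet counts the simulation returns.

```python
"""Loop DoS simulation (constructed example): one spoofed UDP datagram pairs two
error-replying services into an endless exchange; two mitigations break it."""
from collections import deque
from dataclasses import dataclass
import ipaddress

# Constructed addresses/ports for the example (RFC 5737 TEST-NET ranges).
SERVER_A = ("192.0.2.10", 69)
SERVER_B = ("198.51.100.20", 69)
ATTACKER_NET = "203.0.113.0/24"   # the network the attacker's packet leaves from

ERROR_REPLY = b"ERROR: unrecognised request"


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass
class UdpService:
    ip: str
    port: int
    hardened: bool = False
    received: int = 0

    def handle(self, dg: Datagram):
        """Return the datagram this service sends back, or None to stay silent."""
        self.received += 1
        if self.hardened:
            # Hardened behaviour: an error message never earns an error in return,
            # and a "request" claiming to come from a well-known service port is
            # treated as loop bait rather than a client.
            if dg.payload.startswith(b"ERROR") or dg.src_port < 1024:
                return None
        # Vulnerable behaviour (the CVE-2024-2169 pattern): every datagram, valid or
        # not, is answered with an error sent to whatever source the packet claimed.
        return Datagram(self.ip, self.port, dg.src_ip, dg.src_port, ERROR_REPLY)


def bcp38_filter(allowed_prefix: str):
    """Ingress filter: drop packets whose source address is not inside the prefix
    the originating network is allowed to use (BCP38 / uRPF-style check)."""
    net = ipaddress.ip_network(allowed_prefix)

    def allow(dg: Datagram) -> bool:
        return ipaddress.ip_address(dg.src_ip) in net
    return allow


def simulate(services, first: Datagram, max_packets=1000, ingress_filter=None) -> int:
    """Deliver datagrams until the exchange dies out or max_packets is reached.
    Returns the number of datagrams delivered; hitting max_packets means a loop."""
    hosts = {(s.ip, s.port): s for s in services}
    queue = deque()
    if ingress_filter is None or ingress_filter(first):
        queue.append(first)
    delivered = 0
    while queue and delivered < max_packets:
        dg = queue.popleft()
        svc = hosts.get((dg.dst_ip, dg.dst_port))
        if svc is None:
            continue
        delivered += 1
        reply = svc.handle(dg)
        if reply is not None:
            queue.append(reply)
    return delivered


def scenario(harden_a: bool, harden_b: bool, filtered: bool) -> int:
    """One attacker packet to A with B's address forged as the source."""
    a = UdpService(*SERVER_A, hardened=harden_a)
    b = UdpService(*SERVER_B, hardened=harden_b)
    spoofed = Datagram(SERVER_B[0], SERVER_B[1], SERVER_A[0], SERVER_A[1], b"\x00\x01junk")
    ingress = bcp38_filter(ATTACKER_NET) if filtered else None
    return simulate([a, b], spoofed, ingress_filter=ingress)


if __name__ == "__main__":
    print("both vulnerable:      ", scenario(False, False, False))  # runs to the cap
    print("B hardened:           ", scenario(False, True, False))   # A errors once, B drops it
    print("A hardened:           ", scenario(True, False, False))   # A ignores the trigger
    print("BCP38 at attacker edge:", scenario(False, False, True))  # trigger never leaves
```

Either end of the pair stopping the error-for-error behaviour is enough to end the loop, which is why the fix is per-implementation, while BCP38 filtering stops the trigger at its source without changing the services at all; in the vulnerable case the only thing bounding the traffic is the simulation's packet cap.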

Mozilla

Mozilla Drops Onerep After CEO Admits To Running People-Search Networks (krebsonsecurity.com) 9

An anonymous reader quotes a report from KrebsOnSecurity: The nonprofit organization that supports the Firefox web browser said today it is winding down its new partnership with Onerep, an identity protection service recently bundled with Firefox that offers to remove users from hundreds of people-search sites. The move comes just days after a report by KrebsOnSecurity forced Onerep's CEO to admit that he has founded dozens of people-search networks over the years. Mozilla only began bundling Onerep in Firefox last month, when it announced the reputation service would be offered on a subscription basis as part of Mozilla Monitor Plus. Launched in 2018 under the name Firefox Monitor, Mozilla Monitor also checks data from the website Have I Been Pwned? to let users know when their email addresses or passwords are leaked in data breaches. On March 14, KrebsOnSecurity published a story showing that Onerep's Belarusian CEO and founder Dimitiri Shelest launched dozens of people-search services since 2010, including a still-active data broker called Nuwber that sells background reports on people. Onerep and Shelest did not respond to requests for comment on that story.

But on March 21, Shelest released a lengthy statement wherein he admitted to maintaining an ownership stake in Nuwber, a consumer data broker he founded in 2015 -- around the same time he launched Onerep. Shelest maintained that Nuwber has "zero cross-over or information-sharing with Onerep," and said any other old domains that may be found and associated with his name are no longer being operated by him. "I get it," Shelest wrote. "My affiliation with a people search business may look odd from the outside. In truth, if I hadn't taken that initial path with a deep dive into how people search sites work, Onerep wouldn't have the best tech and team in the space. Still, I now appreciate that we did not make this more clear in the past and I'm aiming to do better in the future." The full statement is available here (PDF).

In a statement released today, a spokesperson for Mozilla said it was moving away from Onerep as a service provider in its Monitor Plus product. "Though customer data was never at risk, the outside financial interests and activities of Onerep's CEO do not align with our values," Mozilla wrote. "We're working now to solidify a transition plan that will provide customers with a seamless experience and will continue to put their interests first." KrebsOnSecurity also reported that Shelest's email address was used circa 2010 by an affiliate of Spamit, a Russian-language organization that paid people to aggressively promote websites hawking male enhancement drugs and generic pharmaceuticals. As noted in the March 14 story, this connection was confirmed by research from multiple graduate students at my alma mater George Mason University.

Shelest denied ever being associated with Spamit. "Between 2010 and 2014, we put up some web pages and optimize them -- a widely used SEO practice -- and then ran AdSense banners on them," Shelest said, presumably referring to the dozens of people-search domains KrebsOnSecurity found were connected to his email addresses (dmitrcox@gmail.com and dmitrcox2@gmail.com). "As we progressed and learned more, we saw that a lot of the inquiries coming in were for people." Shelest also acknowledged that Onerep pays to run ads "on a handful of data broker sites in very specific circumstances." "Our ad is served once someone has manually completed an opt-out form on their own," Shelest wrote. "The goal is to let them know that if they were exposed on that site, there may be others, and bring awareness to there being a more automated opt-out option, such as Onerep."

Communications

Cable ISP Fined $10,000 For Lying To FCC About Where It Offers Broadband (arstechnica.com) 42

An Internet service provider that admitted lying to the FCC about where it offers broadband will pay a $10,000 fine and implement a compliance plan to prevent future violations. ArsTechnica: Jefferson County Cable (JCC), a small ISP in Toronto, Ohio, admitted that it falsely claimed to offer fiber service in an area that it hadn't expanded to yet. A company executive also admitted that the firm submitted false coverage data to prevent other ISPs from obtaining government grants to serve the area. Ars helped expose the incident in a February 2023 article.

The FCC announced the outcome of its investigation on March 15, saying that Jefferson County Cable violated the Broadband Data Collection program requirements and the Broadband DATA Act, a US law, "in connection with reporting inaccurate information or data with respect to the Company's ability to provide broadband Internet access service." The FCC said: "To settle this matter, Jefferson County Cable agrees to pay a $10,000 civil penalty to the United States Treasury. Jefferson County Cable also agrees to implement enhanced compliance measures. This action will help further the Commission's efforts to bridge the digital divide by having accurate data of locations where broadband service is available."
