Piracy

Cloudflare Must Block 'Piracy Shield' Domains and IP Addresses Across Its Service 15

An anonymous reader quotes a report from TorrentFreak: In a landmark ruling, the Court of Milan has ordered (PDF) Cloudflare to block pirate streaming services that offer Serie A football matches. The court found that Cloudflare's services are instrumental in facilitating access to live pirate streams, undermining Italy's 'Piracy Shield' legislation. The order, which applies in Italy, affects Cloudflare's CDN, DNS resolver, WARP and proxy services. It also includes a broad data disclosure section. [...]

The Court of Milan's decision prohibits Cloudflare from resolving domain names and routing internet traffic to IP addresses of all services present on the "Piracy Shield" system. This also applies to future domains and aliases used by these pirate services. The order applies to Cloudflare's content delivery network (CDN), DNS services, and reverse proxy services. The order also mentions Cloudflare's free VPN among the targets, likely referring to the WARP service. If any of the targeted pirate streaming providers use Cloudflare's services to infringe on Serie A's copyrights, the company Cloudflare must stop providing CDN, authoritative DNS, and reverse proxy services to these customers. (Note: This is an Italian court order and Cloudflare previously used geotargeting to block sites only in Italy. It may respond similarly here, but terminating customer accounts only in Italy might be more complicated.)

Finally, the order further includes a data disclosure component, under which Cloudflare must identify customers who use Cloudflare's services to offer pirated streams. This should help Serie A to track down those responsible. The data disclosure section also covers information related to the 'VPN' and alternative public DNS services, where these relate to the IPTV platforms identified in the case. That covers traffic volume and connection logs, including IP-addresses and timestamps. In theory, that could also cover data on people who accessed these services using Cloudflare's VPN and DNS resolver. [...] The court ordered Cloudflare to cover the costs of the proceeding and if it doesn't implement the blocking requirements in time, an additional fine of 10,000 euros per day will apply.

United States

With Drones Over US Military Bases, Agencies Urge Congress to Pass Drone-Defense Legislation (cnn.com) 89

A series of drone sightings over U.S. military bases "has renewed concerns that the U.S. doesn't have clear government-wide policy for how to deal with unauthorized incursions that could potentially pose a national security threat," reports CNN: "We're one year past Langley drone incursions and almost two years past the PRC spy balloon. Why don't we have a single [point of contact] who is responsible for coordination across all organizations in the government to address this?" the recently retired head of US Northern Command and NORAD, Gen. Glen VanHerck, told CNN. "Instead, everybody's pointing their fingers at each other saying it's not our responsibility...." Over a period of six days earlier this month, there were six instances of unmanned aerial systems, or drones, entering the airspace of the Marine Corps base Camp Pendleton in California, a spokesperson confirmed to CNN, adding that they posed "no threat to installation operations and no impact to air and ground operations." There have also been incidents in the last month at Wright-Patterson Air Force Base, Ohio; Picatinny Arsenal, New Jersey; Naval Weapons Station Earle, New Jersey; and Vandenberg Space Force Base, California. A Chinese citizen, who is a lawful permanent resident of the US, was recently arrested in connection to the California incident.

The drone incidents are "a problem that has been brewing for over a decade and we have basically failed to address it," said retired Air Force Brig. Gen. Rob Spalding, who previously served as the chief China strategist for the Joint Chiefs of Staff and senior director for strategic planning on the National Security Council. It's unclear what specifically the drones could be doing — the intent could be anything from attempting to gather intelligence on the base or testing its defenses and response time, to gaining a better understanding of how the bases work, or they could simply be harmless hobbyists flying drones too close to restricted areas... Despite the incursions and the risk they could pose, officials say there is no coordinated policy to determine what agency leads the response to such activity, or how to determine where the drones originate.

CNN reported this week that government agencies have struggled to keep pace with the development of drones and drone technology, particularly by adversaries like China, though legislation is being discussed and the Pentagon just recently released its strategy for countering unmanned systems... The two heads of the Senate Armed Services Committee, Sens. Jack Reed and Roger Wicker, sounded the alarm in a Washington Post op-ed at the beginning of 2024 that the US "lacks adequate drone detection capability" and that agencies "lack clear lines of authority about which agency is responsible for stopping these incursions."

Military installations have the authority to protect themselves and respond to threats, but a former senior military official said that if the drone enters the airspace and subsequently leaves, determining where the drone originated from and what it was doing can be difficult. Military law enforcement typically coordinates with civilian law enforcement off base in that instance, the former official said, but are often limited in what they can do given laws that restrict intelligence collection within US borders. But sources also said the lack of ability to do more also stems at times from a failure to prioritize defense against this kind of activity within the US. The topic is "such a relatively new phenomenon that the law has not caught up and the agencies have not adapted quickly enough," [said one Senate aide familiar with discussions on drone defense and policy].

"The need for Congressional action was made clear in a joint statement this week from the Department of Defense, Department of Homeland Security, Federal Bureau of Investigations and Federal Aviation Administration," according to the article.

"The agencies said they 'urge Congress to enact counter-UAS legislation when it reconvenes that would extend and expand existing counter-drone authorities to identify and mitigate any threat that may emerge.'"

Crime

Justice Department Unveils Charges Against Alleged LockBit Developer 4

The U.S. Department of Justice has charged Russian-Israeli national Rostislav Panev for his alleged role as a developer in the LockBit ransomware group, accused of designing malware and maintaining infrastructure for attacks that extorted over $500 million and caused billions in global damages. CyberScoop reports: The arrest is part of a broader campaign by international law enforcement agencies to dismantle LockBit. In February, a coordinated operation led by the U.K.'s National Crime Agency in cooperation with the FBI and the U.S. Justice Department disrupted LockBit's infrastructure, seizing websites and servers critical to its operations. These efforts significantly curtailed the group's ability to launch further attacks and extort victims.

Panev is one of several individuals charged in connection with LockBit. Alongside him, other key figures have been indicted, including Dmitry Khoroshev, alleged to be "LockBitSupp," the group's primary creator and administrator. Khoroshev, still at large, is accused of developing the ransomware and coordinating attacks on an international scale. The State Department has offered a reward of up to $10 million for his capture.

Meanwhile, numerous members linked to LockBit remain fugitives, such as Russian nationals Artur Sungatov and Ivan Kondratyev, each facing charges for deploying ransomware against multiple industries globally. Mikhail Matveev, another alleged LockBit affiliate, is also at large, with a $10 million reward for his capture. Matveev was recently charged with computer crimes in Russia.
You can read the full criminal complaint against Panev here (PDF).

Privacy

This VPN Lets Anyone Use Your Internet Connection. What Could Go Wrong? (wired.com) 31

Teenagers using Meta's virtual reality headsets to cheat at the popular game Gorilla Tag are unknowingly selling access to their home internet connections to potential cybercriminals, cybersecurity researchers found. The players have been side-loading Big Mama VPN, a free Android app, onto their VR headsets to create lag that makes it easier to win the tag-based game. However, the app simultaneously operates as a residential proxy service, selling access to users' IP addresses on a marketplace frequented by cybercriminals.

Cybersecurity firm Trend Micro discovered VR headsets were the third most common devices using Big Mama VPN, after Samsung and Xiaomi devices. The company's proxy services have been promoted on cybercrime forums and were linked to at least one cyberattack, according to research from security firms Trend Micro and Kela.

AI

Home Assistant's New Voice Assistant Answers To 'Hey Jarvis' 31

Home Assistant (not to be confused with the Google Assistant on Google Home) has launched the Voice Preview Edition (Voice PE), its first dedicated voice assistant hardware for $59. The device offers a privacy-focused, locally controlled solution that supports over 50 languages and integrates seamlessly with the open-source smart home platform. As The Verge notes, Voice PE supports the wake words "Hey Jarvis" right out of the box. From the report: The Voice PE is a small white box, about the size of your palm, with dual microphones and an audio processor. An internal speaker lets you hear the assistant, but you can also connect a speaker to it via a 3.5 mm headphone jack for better-quality media playback. A colored LED ring on top of the Voice PE indicates when the assistant is listening. It surrounds a rotary dial and a physical button, which is used for setup and to talk to the voice assistant without using the wake word. The button can also be customized to do whatever you want (because this is Home Assistant). A physical mute switch is on the side, and the device is powered by USB-C (charger and cable not included). There's also a Grove port where you can add sensors and other accessories.

For those who don't like the idea of always-listening microphones in their home from companies such as Amazon and Google, but who still want the convenience of controlling their home with their voice, the potential here is huge. But it may be a while until Voice PE is ready to replace your Echo or Nest smart speaker. [...] if you want more features, Voice PE can connect to supported AI models, such as ChatGPT or Gemini, to fully replace Assist or use it as a fallback for commands it doesn't understand. But for many smart home users, there will be plenty of value in a simple, inexpensive device that lets you turn your lights on and off, start a timer, and execute other useful commands with your voice without relying on an internet connection.

Crime

Murder Mystery Solved By Google Street View (independent.co.uk) 16

Spanish police have uncovered a major clue in the year-long investigation of a missing Cuban man, JLPO, after Google Street View images showed a man loading a body-shaped package into a car and pushing a wheelbarrow with a large white package. These images led to the discovery of the victim's dismembered remains in a cemetery and the arrest of two suspects, including the victim's wife and a bar worker. The Independent reports: Spanish police have said the pictures are a "decisive" clue in the case, with detectives reportedly launching a murder investigation and arresting two people in connection with the man's death. According to El Pais, police are still investigating the case -- and it appears neither have yet appeared charged before a court.

Encryption

Australia Moves To Drop Some Cryptography By 2030 (theregister.com) 31

An anonymous reader shares a report: Australia's chief cyber security agency has decided local orgs should stop using the tech that forms the current cryptographic foundation of the internet by the year 2030 -- years before other nations plan to do so -- over fears that advances in quantum computing could render it insecure.

The Land Down Under's plans emerged last week when the Australian Signals Directorate (ASD) published guidance for High Assurance Cryptographic Equipment (HACE) -- devices that send and/or receive sensitive information -- that calls for disallowing the cryptographic algorithms SHA-256, RSA, ECDSA and ECDH, among others, by the end of this decade.

Bill Buchanan, professor in the School of Computing at Edinburgh Napier University, wrote a blog post in which he expressed shock that the ASD aims to move so quickly. "Basically, these four methods are used for virtually every web connection that we create, and where ECDH is used for the key exchange, ECDSA or RSA is used to authenticate the remote server, and SHA-256 is used for the integrity of the data sent," he wrote. "The removal of SHA-256 definitely goes against current recommendations."

Wireless Networking

China Kicks Off Homebrew Bluetooth Alternative 'Star Flash' As It Pushes Universal Remotes (theregister.com) 53

An anonymous reader quotes a report from The Register: China's Electronics Video Industry Association last week signed off on a standard for a universal remote control -- a gadget Beijing thinks locals need because they're struggling with multiple remotes, but which is also a little more significant in other ways. The standard requires remote controls to allow voice control, and to use one of three means of wireless comms: Bluetooth, infrared, and Star Flash -- more on that later. It has been hailed as a boon for consumers who apparently struggle to find the right remote control to use as they navigate between televisions and set-top boxes.

This standard reportedly detects which device a user wants to control, makes the connection, and eases the chore of directing a stream from a set-top box to a display. Device-makers have been told that televisions and set-top boxes must support the standard, and they've quickly complied: local media report that Chinese consumer electronics outfit Konka has already delivered the first Smart TV capable of handling the universal remote. Building a standard ecosystem for universal remotes has obvious benefits for consumers, who should be able to use one unit across multiple devices and won't be tied to proprietary tech. But this move has other benefits for Beijing, thanks to its requirement to use China's home-grown Bluetooth alternative, Star Flash.

Star Flash is one of the projects run by the SparkLink Alliance -- a group that lists hundreds of Chinese developers and manufacturers as members. Huawei contributes tech to the group. Chinese IoT hardware vendor Qogrisys has described it as an upgrade to both Bluetooth and Wi-Fi that incorporates ideas used in 5G networks, is capable of handling multiple simultaneous device connections, sips power sparingly so battery-powered devices go longer between recharges, and can stream lossless stereo audio. Chinese consumer electronic and automotive brands are already keen to use Star Flash, and the Alliance is promoting its use in industrial settings too. China will promote use of universal remotes in 2025 -- meaning the protocol may soon appear in millions of domestic devices, giving manufacturers scale to justify further investment.

The Internet

Cloudflare 2024: Global Traffic Up, Google Still King, US Churning Out Bots (theregister.com) 11

Cloudflare's 2024 internet traffic report highlights a 17.2% global increase in traffic, with Google maintaining its position as the most visited service and the U.S. responsible for 34.6% of bot traffic. The Register reports: One surprise (or perhaps not) is that IPv6 traffic is actually down as a percentage of the packets that passed through Cloudflare's network. It says that 28.5 percent of global traffic was IPv6 during 2024, whereas last year's report put this figure at 33.75 percent. The company also reveals that a fifth of all TCP connections (20.7 percent) are unexpectedly terminated before any useful data can be exchanged. Causes of this could vary from DoS attacks, quirky client behavior, or a network interrupting a connection to filter content.

Cloudflare says about half of these incidents were connections closed "Post SYN" -- after its server has received a client's SYN packet, but before a subsequent acknowledgement (ACK) or any useful data. These can be attributed to DoS attacks or internet scanning, while Post-ACK or Post-PSH anomalies are more often associated with connection tampering activity such as filtering, especially if they occur at high rates in specific networks. Mobile device traffic accounted for about 41.3 percent of the total, which is roughly the same as last year. This is largely split between the Apple and Android ecosystems, with iOS on almost a third and Android accounting for two-thirds. [...]

Google's Chrome appears to be the most popular browser by far, accounting for 65.8 percent of all requests during 2024. Just 15.5 percent came from Apple's Safari browser, which leads the way on iOS devices, naturally. Microsoft's Edge accounted for 6.9 percent of browsing, while Mozilla Firefox stood at 4 percent. For search engines, Google also claimed the top spot, with a greater than 88 percent share of all search traffic that passed through Cloudflare. Yandex and Baidu were next with 3.1 percent and 2.7 percent, respectively, while Bing trailed with 2.6 percent. DuckDuckGo accounted for 0.9 percent of searches.
You can read Cloudflare's full Year in Review here.

Communications

America's FCC Opens 6-GHz Band to Unlicensed Very-Low-Power Devices (theregister.com) 11

America's telecom-regulating Federal Communications Commission "has opened up the entire 6 GHz frequency band to very low-power devices," reports the Register, "alongside other unlicensed applications such as Wi-Fi kits." The FCC said it has adopted extra rules to allow very low-power device operation across the entire 1,200 MHz of the 6 GHz band, from 5.925 to 7.125 GHz, within the US. The agency had already opened up 850 MHz of the band to small mobile devices a year ago, and has now decided to open up the remaining 350 MHz.

It hopes that this will give a shot in the arm to an ecosystem of short-range devices such as wearables, healthcare monitors, short-range mobile hotspots, and in-car devices that will be able to make use of this spectrum without the need of a license. These applications often call for low power transmission across short distances, but at very high connection speeds, the FCC says — otherwise, existing technologies like Bluetooth could suffice. "This 1,200 MHz means unlicensed bandwidth with a mix of high capacity and low latency that is absolutely prime for immersive, real-time applications," said Jessica Rosenworcel, the FCC's outgoing chair. "These are the airwaves where we can develop wearable technologies and expand access to augmented and virtual reality in ways that will provide new opportunities in education, healthcare, and entertainment."

Because these are such low-power devices, no restrictions have been placed on where they can be used, and they will not be required to operate under the control of an automatic frequency coordination system, as some Wi-Fi equipment must to avoid interference with existing services that use the 6 GHz spectrum. However, to minimize the risk of any potential interference, the devices will be required to implement a transmit power control mechanism and employ a contention-based protocol, requiring a device to listen to the channel before transmission. They are, however, prohibited from operating as part of any fixed outdoor infrastructure.

Businesses

WordPress Chief Quits Community Forum After Court Loss (404media.co) 133

Automattic CEO Matt Mullenweg abruptly left a key WordPress community platform after a federal court ordered his company to restore rival WP Engine's access to WordPress.org and remove a controversial login requirement. The preliminary injunction mandates Automattic eliminate a checkbox that forced users to declare they had no connection to WP Engine before accessing the platform.

Mullenweg departed the Post Status Slack forum following the ruling, writing he was "sick and disgusted to be legally compelled to provide free labor" to WP Engine, according to 404 Media. "It's hard to imagine wanting to continue to working on WordPress after this," he added. The order gives Automattic 72 hours to comply, including reinstating WP Engine's employee credentials and plugin access. The ruling marks a significant development in an escalating dispute between the WordPress parent company and the web hosting provider.

Encryption

Google Criticized for 'Misleading' Encryption Claims About Its Text-Messaging App (daringfireball.net) 63

Google's app store claims that their text-messaging app Google Messages means "conversations are end-to-end encrypted".

"That is some serious bullshit," argues tech blogger John Gruber: It's shamefully misleading regarding Google Messages's support for end-to-end encryption... Google Messages does support end-to-end encryption, but only over RCS and only if all participants in the chat are using a recent version of Google Messages. But the second screenshot in the Play Store listing flatly declares "Conversations are end-to-end encrypted", full stop...

I realize that "Some conversations are end-to-end encrypted" will naturally spur curiosity regarding which conversations are encrypted and which aren't, but that's the truth. And users of the app should be aware of that. "RCS conversations with other Google Messages users are encrypted" would work.

Then, in the "report card" section of the listing, it states the following:

Data is encrypted in transit
Your data is transferred over a secure connection


Which, again, is only true sometimes. It's downright fraudulent to describe Google Messages's transit security this way.... [D]epending who you communicate with — iPhone users, Android users with old devices, Android users who use other text messaging apps — it's quite likely most of your messages won't be secure... E2EE is never available for SMS, and never available if a participant in the chat is using any RCS client (on Android or Apple Messages) other than Google Messages. That's an essential distinction that should be made clear, not obfuscated.

Gruber's earlier blog post had pointed out that the RCS standard "has no encryption; E2EE RCS chats in Google Messages use Google's proprietary extension and are exclusive to the Google Messages app, so RCS chats between Google Messages and other apps, most conspicuously Apple Messages, are not encrypted."

And in his newer post, Gruber adds, "While I'm at it, it's also embarrassing that Google Voice has no support for RCS at all. It's Google's own app and service, and Google has been the world's most vocal proponent of RCS messaging."

Submission + - Federal Judge Rejects 'Sweetheart' Boeing Plea Deal over DEI Provision (nationalreview.com)

schwit1 writes: A federal judge rejected aerospace company Boeing’s guilty plea deal in connection to multiple fatal Boeing 737 MAX crashes in part because of the deal’s diversity, equity, and inclusion provision that would have subjected an independent monitor of Boeing’s operations to DEI requirements.

“In a case of this magnitude, it is in the utmost interest of justice that the public is confident this monitor selection is done based solely on competency,” O’Connor wrote.

And nobody is going to jail.

Submission + - C++ Standards Contributor Expelled For 'The Undefined Behavior Question' 23

suntzu3000 writes: Andrew Tomazos, a long-time contributor to the ISO C++ standards committee, recently published a technical paper titled The Undefined Behavior Question. The paper explores the semantics of undefined behavior in C++ and examines this topic in the context of related research. However, controversy arose regarding the paper's title.

Some critics pointed out similarities between the title and Karl Marx's 1844 essay On The Jewish Question, as well as the historical implications of the Jewish Question, a term associated with debates and events leading up to World War II. This led to accusations that the title was "historically insensitive."

In response to requests to change the title, Mr. Tomazos declined, stating that "We cannot allow such an important word as 'question' to become a form of hate speech." He argued that the term was used in its plain, technical sense and had no connection to the historical context cited by critics.

Following this decision, Mr. Tomazos was expelled from the Standard C++ Foundation, and his membership in the ISO WG21 C++ Standards Committee was revoked.

Wireless Networking

Russian Spies Jumped From One Network To Another Via Wi-Fi (wired.com) 18

"Steven Adair, of cybersecurity firm Volexity, revealed at the Cyberwarcon security conference how Russian hackers were able to daisy-chain as many as three separate Wi-Fi networks in their efforts to attack victims," writes longtime Slashdot reader smooth wombat. Wired reports: Adair says that Volexity first began investigating the breach of its DC customer's network in the first months of 2022, when the company saw signs of repeated intrusions into the customer's systems by hackers who had carefully covered their tracks. Volexity's analysts eventually traced the compromise to a hijacked user's account connecting to a Wi-Fi access point in a far end of the building, in a conference room with external-facing windows. Adair says he personally scoured the area looking for the source of that connection. "I went there to physically run down what it could be. We looked at smart TVs, looked for devices in closets. Is someone in the parking lot? Is it a printer?" he says. "We came up dry."

Only after the next intrusion, when Volexity managed to get more complete logs of the hackers' traffic, did its analysts solve the mystery: The company found that the hijacked machine which the hackers were using to dig around in its customer's systems was leaking the name of the domain on which it was hosted -- in fact, the name of another organization just across the road. "At that point, it was 100 percent clear where it was coming from," Adair says. "It's not a car in the street. It's the building next door." With the cooperation of that neighbor, Volexity investigated that second organization's network and found that a certain laptop was the source of the street-jumping Wi-Fi intrusion. The hackers had penetrated that device, which was plugged into a dock connected to the local network via Ethernet, and then switched on its Wi-Fi, allowing it to act as a radio-based relay into the target network. Volexity found that, to break into that target's Wi-Fi, the hackers had used credentials they'd somehow obtained online but had apparently been unable to exploit elsewhere, likely due to two-factor authentication.

Volexity eventually tracked the hackers on that second network to two possible points of intrusion. The hackers appeared to have compromised a VPN appliance owned by the other organization. But they had also broken into the organization's Wi-Fi from another network's devices in the same building, suggesting that the hackers may have daisy-chained as many as three networks via Wi-Fi to reach their final target. "Who knows how many devices or networks they compromised and were doing this on," says Adair. Volexity had presumed early on in its investigation that the hackers were Russian in origin due to their targeting of individual staffers at the customer organization focused on Ukraine. Then in April, fully two years after the original intrusion, Microsoft warned of a vulnerability in Windows' print spooler that had been used by Russia's APT28 hacker group -- Microsoft refers to the group as Forest Blizzard -- to gain administrative privileges on target machines. Remnants left behind on the very first computer Volexity had analyzed in the Wi-Fi-based breach of its customer exactly matched that technique. "It was an exact one-to-one match," Adair says.
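The investigation turned on a client that announced a domain name belonging to a different organization. The following is an added detection sketch, not code from Volexity or the article: it scans Wi-Fi session records for devices whose announced hostname sits outside the organization's own domains. The log format, user names, MAC addresses and domains are constructed assumptions, and the article does not say which log source exposed the name.

```python
from collections import defaultdict

# Assumption: domains this organization's managed devices are joined to.
OWN_DOMAINS = {"corp.example.org"}

# Constructed sample records: time, authenticated Wi-Fi user, client MAC,
# hostname the client announced when it joined (for example in DHCP).
SAMPLE_LOG = """\
2022-02-04T09:12:03Z,alice,02:00:00:aa:bb:01,ALICE-LT.corp.example.org
2022-02-04T09:15:40Z,bob,02:00:00:aa:bb:02,BOB-LT.corp.example.org
2022-02-04T22:47:19Z,carol,02:00:00:cc:dd:09,WS-0417.neighbor.example.net
2022-02-04T22:58:02Z,carol,02:00:00:cc:dd:09,WS-0417.neighbor.example.net
2022-02-05T08:30:11Z,dave,02:00:00:aa:bb:07,iPhone
"""

def domain_of(hostname):
    """Return the DNS suffix of an announced name, or '' if unqualified."""
    _, _, suffix = hostname.strip().rstrip(".").lower().partition(".")
    return suffix

def is_own(suffix):
    """True when the suffix is one of our domains or a subdomain of one."""
    return any(suffix == d or suffix.endswith("." + d) for d in OWN_DOMAINS)

def find_foreign_clients(log_text):
    """Group sessions whose announced hostname is in someone else's domain."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue  # skip malformed records
        ts, user, mac, hostname = parts
        suffix = domain_of(hostname)
        # Unqualified names (phones, BYOD) carry no domain to compare.
        if not suffix or is_own(suffix):
            continue
        rec = hits[(user, mac, suffix)]
        rec["count"] += 1
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
    return dict(hits)

if __name__ == "__main__":
    for (user, mac, suffix), rec in find_foreign_clients(SAMPLE_LOG).items():
        print(f"{user} from {mac}: device claims domain {suffix!r}, "
              f"{rec['count']} sessions, {rec['first']} .. {rec['last']}")
```

A hit pairs one of the organization's own accounts with a machine that identifies itself as part of another organization's domain, which is the mismatch that pointed investigators to the neighboring building.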


Piracy

Half of Young Norwegians Justify Piracy as Streaming Costs Soar

Half of young Norwegians find online piracy acceptable when streaming services are too expensive, according to a new government survey released this week. The Ipsos poll of 1,411 respondents found that 32% of all Norwegians justify using pirate sites to save money, with acceptance rising to 50% among those under 30.

The rates increase further when respondents are asked specifically about pirating due to high streaming costs. Despite concerns about piracy, 61% of Norwegians paid for streaming services in the past year, including 64% of those under 30. Among active pirates, 41% said they would stop if legal services were more affordable, while 35% wanted broader content per service. Only 47% of respondents believed piracy supports organized crime, with 24% expressing uncertainty about this connection.

Cloud

Sony's New PlayStation Portal Update Enables Cloud Gaming (theverge.com)

Sony is bringing cloud streaming to the PlayStation Portal. "When it first launched, the device was only able to stream games from your PS5 over Wi-Fi," notes The Verge's Jay Peters. "But as part of a new system update that's rolling out starting later today, you'll be able to stream select PS5 games from the PlayStation Plus Game Catalog to your PlayStation Portal." From the report: Sony is launching the feature in beta, and you'll need to be a PlayStation Plus Premium subscriber to take advantage of it. Sony says that to stream at 720p, you'll need a minimum 7 Mbps connection, while 1080p quality will require a minimum 13 Mbps connection. Some PlayStation Plus features won't be available to start with cloud streaming to the PlayStation Portal, including Game Trials, party voice chat, game invites for select games, 3D audio, and "in-game commerce." And you won't be able to stream any PS4 games or PS3 games. Child accounts also won't be able to use cloud streaming on the Portal.
