The Military

US Military Members' Personal Data Being Sold By Online Brokers, Report Finds 32

Jacob Knutson reports via Axios: Sensitive, highly detailed personal data for thousands of active-duty and veteran U.S. military members can be purchased for as little as one cent per name through data broker websites, according to a new study (PDF) published on Monday by Duke University researchers. [...] The data about military personnel purchased as part of the study included full names, physical and email addresses, health and financial information and details about their ethnicity, religious practices and political affiliation. In some cases, the information also included whether the person owned or rented a home, was married or had children. The children's ages and sexes were accessible, too.

The researchers bought data on up to around 45,000 military personnel for between $0.12 and $0.32 per record. They also bought data belonging to 5,000 friends and family members of military personnel. Larger data purchases of over 1.5 million service members were available for as little as $0.01 per record from at least one broker the researchers contacted. The researchers called on Congress to pass a comprehensive privacy law and for regulatory agencies like the Federal Trade Commission to develop rules to govern military personnel data purchases.

The Courts

Epic Games Goes To Court To Challenge Google's App Store Practices (cnn.com) 63

Epic Games, the maker of the popular game "Fortnite," has launched a battle against Google in federal court in a closely watched antitrust showdown that could reshape how smartphone users get Android apps and pay for in-app content. From a report: Epic's lawsuit in the US District Court in California's Northern District targets the Google Play Store, focusing on Google's fees for in-app subscriptions and one-off transactions, along with other terms that app developers such as Epic say helped Google maintain an illegal monopoly in app distribution.

The legal battle follows a years-long debate about whether app store operators such as Google and Apple foster an open, competitive app ecosystem. The two companies argue their app stores help unlock billions in revenue for small businesses, while ensuring that Android and iOS users benefit from security oversight that the technology giants provide. The jury may hear high-profile witnesses testify from both sides, including Google CEO Sundar Pichai and Epic CEO Tim Sweeney.

The court fight traces back to 2020, when Epic launched Project Liberty, a plan to circumvent Apple and Google's app store terms. That move by Epic forced a confrontation with the tech giants. Epic updated the Fortnite app to encourage players to pay for in-app content directly through Epic's own website -- rather than through Apple and Google's in-app payment systems. That gambit triggered a violation of the app stores' developer terms. The move also prompted both app stores to remove the Fortnite app from their platforms.

Microsoft

Microsoft Overhauling Its Software Security After Major Azure Cloud Attacks (theverge.com) 40

An anonymous reader shares a report: Microsoft has had a rough few years of cybersecurity incidents. It found itself at the center of the SolarWinds attack nearly three years ago, one of the most sophisticated cybersecurity attacks we've ever seen. Then, 30,000 organizations' email servers were hacked in 2021 thanks to a Microsoft Exchange Server flaw. If that weren't enough already, Chinese hackers breached US government emails via a Microsoft cloud exploit earlier this year. Something had to give.

Microsoft is now announcing a huge cybersecurity effort, dubbed the Secure Future Initiative (SFI). This new approach is designed to change the way Microsoft designs, builds, tests, and operates its software and services today. It's the biggest change to security efforts inside Microsoft since the company announced its Security Development Lifecycle (SDL) in 2004 after Windows XP fell victim to a huge Blaster worm attack that knocked PCs offline in 2003. That push came just two years after co-founder Bill Gates had called for a trustworthy computing initiative in an internal memo.

Microsoft now plans to use automation and AI during software development to improve the security of its cloud services, cut the time it takes to fix cloud vulnerabilities, enable better security settings out of the box, and harden its infrastructure to protect against encryption keys falling into the wrong hands. In an internal memo to Microsoft's engineering teams today, the company's leadership has outlined its new cybersecurity approach. It comes just months after Microsoft was accused of "blatantly negligent" cybersecurity practices related to a major breach that targeted its Azure platform. Microsoft has faced mounting criticism of its handling of a variety of cybersecurity issues in recent years.

Crime

SEC Charges SolarWinds CISO With Fraud and Cybersecurity Failures (securityweek.com) 32

wiredmikey shares a report from SecurityWeek: In a surprising development on Monday that is spooking the cybersecurity community, the SEC filed charges against SolarWinds and its Chief Information Security Officer (CISO), Timothy G. Brown, alleging that the software company misled investors about its cybersecurity practices and known risks. The charges stem from alleged fraud and internal control failures related to known cybersecurity weaknesses that took place between the company's October 2018 initial public offering (IPO) and its December 2020 revelation of the infamous supply chain cyberattack dubbed "SUNBURST." [...] The SEC's complaint also points to internal communications among SolarWinds employees, including Brown, in 2019 and 2020, which raised questions about the company's ability to protect its critical assets from cyberattacks.

Google

Google CEO Tells Court Search Dominance Is Result of 'Fierce Competition' (wsj.com) 65

Google Chief Executive Sundar Pichai took the stand Monday in the tech giant's antitrust trial, a pivotal moment in a case that could result in major changes to the company's search engine. From a report: Pichai described Google's search dominance as the result of its innovation and early investment in its Chrome browser. "We realized early on that browsers are critical to how people are able to navigate and use the web," Pichai said during questioning by Google lawyer John Schmidtlein.

"It became very clear early on that if you make the user's experience better, they would use the web more, they would enjoy using the web more, and they would search more in Google as well," Pichai said. [...] The nonjury trial is being heard by U.S. District Judge Amit Mehta, who could ultimately order a breakup or other changes to Google's business practices. Schmidtlein, Google's lead counsel, questioned Pichai about the deal at the heart of the case: the search giant's contract with Apple that makes it the default search engine on Apple's Safari web browser. The Apple deal "makes it very, very seamless and easy for users to use our services," Pichai said. "We know that making it the default will lead to increased usage of our products and services, particularly Google search in this case. So there is clear value in that and that's what we were looking for."

Japan

Japan Investigates Google Over Alleged Antitrust Violations (bloomberg.com) 6

Japan's antitrust watchdog has begun an investigation into whether Alphabet's Google abuses its market position to block rival services, compounding scrutiny of the internet leader's business practices across the globe. From a report: The country's Fair Trade Commission has begun a probe centered on allegations of potential antitrust violations, an official with the agency said, confirming a Nikkei report. It plans to solicit information and views on the matter from the public, the official added. The agency plans to examine whether Google inappropriately asked smartphone makers to prioritize its search services on their devices.

The Japanese investigation marked the first time the commission has consulted with third parties from the outset of an individual probe, agency officials told reporters in Tokyo. The probe could widen to include Android phone makers found to be complicit in antitrust activity, an official said, without elaborating. Japan's review comes on top of an antitrust case the US has mounted against the global search leader. Federal regulators accuse Google of abusing its dominance to block startups and larger rivals such as Microsoft, a key argument in the biggest tech anti-monopoly case since the 1990s.

China

China Restricts Exports of Graphite As It Escalates a Global Tech War (cnn.com) 51

An anonymous reader quotes a report from CNN: China has unveiled plans to restrict exports of graphite -- a mineral crucial to the manufacture of batteries for electric vehicles (EVs) -- on national security grounds, the Ministry of Commerce and the General Administration of Customs said Friday. The announcement comes just days after the United States imposed additional limits on the kinds of semiconductors that American companies can sell to Chinese firms. China, which dominates the world's production and processing of graphite, says export permits will be needed, starting in December, for synthetic graphite material -- including high-purity, high-strength and high-density versions -- as well as for natural flake graphite. [...]

According to the US Geological Survey (PDF), the market for graphite used in batteries has grown 250% globally since 2018. China was the world's leading graphite producer last year, accounting for an estimated 65% of global production, it said. Besides EVs, graphite is commonly used in the semiconductor, aerospace, chemical and steel industries. The export curbs were announced as China faces pressure from multiple governments over its commercial and trade practices. For more than a year, it has been embroiled in a tech war with the United States and its allies in Europe and Asia over access to advanced chips and chipmaking equipment.
"At the moment both China and Western countries are engaged in a tit for tat, highlighting how protectionist measures often spread. Newton's third law that every action causes a reaction applies here, too," said Stefan Legge, head of tax and trade policy research at the University of St Gallen in Switzerland.

"At the same time, both sides of the dispute also realize how costly it is if geopolitics trumps economics," he added.

Privacy

CFPB Moves To Bar Financial Firms From 'Hoarding' a Consumer's Data (politico.com) 9

An anonymous reader quotes a report from Politico: The Consumer Financial Protection Bureau on Thursday released a landmark proposal restricting how financial institutions handle consumer data. [...] The proposed rule -- which faces months of feedback and lobbying from industry and consumer groups before it's approved -- would bar financial firms from "hoarding" a consumer's data, the agency said. It would require companies to share information, at a customer's request, with other businesses offering competing products and prevent them from charging for it.

Banks would be required to make personal financial data available to consumers free of charge, and companies that access a person's data would not be able to use it for targeted advertising. Access to a person's data would have to be reauthorized annually, and consumers would have the right to revoke access at any time. The proposal, which implements Section 1033 of the 2010 Dodd-Frank law, also "seeks to move the market away from risky data collection practices" such as screen scraping, the CFPB said.
"It is often really daunting for a consumer to switch banks, in part because it's difficult to take their financial transaction history data to a new bank," White House National Economic Council Director Lael Brainard said on a call with reporters. "Today's rule will help ensure financial companies compete based on service quality and pricing."

Advertising

Comcast Resists Call To Stop Its Misleading '10G Network' Claims (arstechnica.com) 39

Jon Brodkin reports via Ars Technica: An advertising industry group urged Comcast to stop its "10G" ads or modify them to state that 10G is an "aspirational" technology rather than something the company actually provides on its cable network today. The National Advertising Division (NAD), part of the advertising industry's self-regulatory system run by BBB National Programs, ruled against Comcast after a challenge lodged by T-Mobile. In its decision announced Thursday, the NAD recommended that Comcast "discontinue its '10G' claims" or "modify its advertising to (a) make clear that it is implementing improvements that will enable it to achieve '10G' and that it is aspirational or (b) use '10G' in a manner that is not false or misleading, consistent with this decision."

Comcast plans to appeal the decision, so it won't make any changes to marketing immediately. If Comcast loses the appeal and agrees to change its practices, it would affect more than just a few ads because Comcast now calls its entire broadband network "10G." "In February 2023, Comcast rebranded its fixed Internet network as 'Xfinity 10G Network' to signify technological upgrades to its network that are continuing to be implemented," the NAD said. Comcast's website claims that the "Xfinity 10G Network is already here! You'll see continual increases in network speed and reliability. No action is required on your part to join the Xfinity 10G Network." It also claims that 10G is "complementary" to the 5G mobile network.

Communications

FTC Lays Out New Rule That Could End Hidden Fees (theverge.com) 90

The US Federal Trade Commission is proposing a new rule that it hopes will put an end to hidden junk fees that some businesses often add as a surprise when consumers are checking out. From a report: The agency is currently seeking public comment on the rule, known as the Trade Regulation Rule on Unfair or Deceptive Fees, after having already collected 12,000 comments last year from individuals, businesses, law enforcement groups, and others on how deceptive fees affect them. FTC Chair Lina Khan said in a statement that "by hiding the total price, these junk fees make it harder for consumers to shop for the best product or service and punish businesses who are honest upfront." FTC adds that tackling junk fees through its nearly 100-year-old legal mandate that covers "unfair and deceptive acts or practices" is not enough. A new rule with more precise language can do a better job with specifics, the agency argues: "It is an unfair and deceptive practice and a violation of this part for any Business to offer, display, or advertise an amount a consumer may pay without Clearly and Conspicuously disclosing the Total Price."

Earth

Can These Fungus-Studying Scientists Make the Planet More Resilient to Climate Change? (msn.com) 49

A team of scientists drove hundreds of miles through the steppes of Kazakhstan in search of what may be one of the largest and most diverse fungi ecosystems on Earth.

The Washington Post believes their efforts "could help make the planet more resilient to climate change." When these underground fungi come together, they form sophisticated systems known as "mycorrhizal networks...." Mycorrhizal fungi often form mutually beneficial relationships with plants. They trade essential nutrients such as phosphorus and nitrogen in exchange for carbon, and act as an extended root system, allowing plants to access water they can't reach. These networks may also prove to be invaluable for transporting carbon underground, a study published in June found. About 13 gigatons of carbon fixed by vegetation — equivalent to about one-third of all carbon dioxide emissions from fossil fuels in one year — flows through underground fungi, according to an analysis of nearly 200 data sets.

In the steppe, these plant-fungal benefits may be short-lived, however. While deserts are a natural part of Kazakhstan's ecosystem, more than half of the country's vegetation and drylands is at risk of becoming desert as well. The main drivers are large-scale intensive agriculture and increasingly warm and dry temperatures brought by climate change.... Knowing what species of fungi live here is key to understanding how to protect them, said Bethan Manley, project officer at the Society for the Protection of Underground Networks who was on the expedition. It will help determine "where we might be able to have the most effective measures of not poisoning them with fungicides or not having harmful farming practices," she said.

Linux

Greg Kroah-Hartman Chastises Critic, Says Linux Foundation Strongly Supports Kernel Developers (ycombinator.com) 74

It started when Linux blogger Bryan Lunduke complained about how the Linux Foundation was reducing the six-year long-term support (LTS) window for the Linux kernel to two years. Lunduke argued that the Foundation seemed more interested in funding compliance best practices — as well as artificial intelligence and blockchain projects.

In an online discussion, Linux kernel maintainer Greg Kroah-Hartman had this response: Did anyone think to actually ask the developer who is maintaining the long-term support kernel versions why he made that change (back in February?), i.e. me...? No, I guess that would take too much effort, and wouldn't result in such a click-bait headline.

"LTS kernels are no longer supported for 6 years because it turns out no one used them." doesn't have that same fun sound...
In a second comment Kroah-Hartman also clarified that in fact "The amount of resources and other stuff that the Linux Foundation provides to the Linux kernel community has increased over the years, including last year." Just because new people are brought in with new projects (that the LF member companies want to host) does not mean that somehow less is being given to the kernel community at all. It is not a zero-sum game here at all, that's not how the LF works in any way.

Again, this would have been easy to verify if someone just asked us.

So to repeat, no "abandonment" is happening here at all, the opposite is happening, just like it has for the entirety of the Linux Foundation's existence, support has grown every year.

Thanks to long-time Slashdot reader whoever57 for sharing the news.

Google

South Korea Warns Google, Apple of Possible Fines Over Apps Marketing (reuters.com) 5

South Korea's telecommunications regulator said on Friday that Alphabet's Google and Apple have abused their dominant app market position and warned of possible fines totalling up to $50.5 million. From a report: The Korea Communications Commission (KCC) said in a statement that the two tech giants forced app developers into specific payment methods and caused unfair delay in app review. The KCC is notifying the companies for corrective action, and will deliberate on the fines, the statement said. "What KCC has shared today is the pre-notice and we will carefully review and submit our response. Once the final written decision is shared with us we will carefully review to evaluate the next course of action," Google said in a statement to Reuters. Apple also issued a statement, saying: "We disagree with the conclusions made by the KCC in their Examiner's Report, and believe the changes we have implemented to the App Store comply with the Telecommunications Business Act. As we have always done, we will continue to engage with the KCC to share our views."

Python

Microsoft To Excel Users: Be Careful With That Python (reddit.com) 46

Long-time Slashdot reader theodp spotted a Reddit Ask Me Anything (AMA) this week with the Microsoft engineering team that created Python in Excel, a new feature that makes it possible to natively combine Python and Excel analytics in Excel workbooks. (Copilot integration is coming soon). Redditors expressed a wish to be able to run Python in environments other than the confines of the locked down, price-to-be-determined Microsoft Azure cloud containers employed by Python in Excel.

But "There were three main reasons behind starting with the cloud (as a GDPR Compliant Microsoft 365 Connected experience) first," MicrosoftExcelTeam explained:

1. Running Python securely on a local machine is a difficult problem. We treat all Python code in the workbook as untrusted, so we execute it in a hypervisor-isolated container on Azure that does not have any outbound network access. Python code and the data that it operates on is sent to be executed in the container. The Microsoft-licensed Python environment in the container is provided by Anaconda and was prepared using their stringent security practices as documented here.

2. Sharing Excel workbooks with others is a really important scenario. We wanted to ensure that the Python code in a workbook you share behaves the same when your teammates open it -- without requiring them to install and manage Python.

3. We need to ensure that the Python in Excel feature always works for our customers. The value of Python is in its ecosystem of libraries, not just in providing a Python interpreter. But managing a local Python environment is challenging even for the most experienced developers. By running on Azure, we remove the need for users or their systems administrators to maintain a local installation of Python on every machine that uses the feature in their organization...



So, how does one balance tradeoffs between increased security and ease-of-maintenance with the loss of functionality and increased costs when it comes to programming language use? Is it okay to just give up on making certain important basic functionality available, as Microsoft is doing here with Python and has done in the past by not supporting Excel VBA in the Cloud and no longer making BASIC available on PCs and Macs?

Microsoft's team added at one point that "For our initial release, we are targeting data analytics scenarios, and bringing the power of Python analytics libraries into Excel.

"We believe the approach we've taken will appeal to analysts who use both Excel and Python Notebooks in their workflows. Today, these users need to import/export data and have no way of creating a self-contained artifact that can be easily and securely shared with their colleagues."

AI

NSA Is Starting an AI Security Center (securityweek.com) 13

The Associated Press reports: The National Security Agency is starting an artificial intelligence security center -- a crucial mission as AI capabilities are increasingly acquired, developed and integrated into U.S. defense and intelligence systems, the agency's outgoing director announced Thursday. Army Gen. Paul Nakasone said the center would be incorporated into the NSA's Cybersecurity Collaboration Center, where it works with private industry and international partners to harden the U.S. defense-industrial base against threats from adversaries led by China and Russia.

Nakasone was asked about using AI to automate the analysis of threat vectors and red-flag alerts -- and he reminded the audience that U.S. intelligence and defense agencies already use AI. "AI helps us, but our decisions are made by humans. And that's an important distinction," Nakasone said. "We do see assistance from artificial intelligence. But at the end of the day, decisions will be made by humans and humans in the loop."

Nakasone said it would become "NSA's focal point for leveraging foreign intelligence insights, contributing to the development of best practices guidelines, principles, evaluation, methodology and risk frameworks" for both AI security and the goal of promoting the secure development and adoption of AI within "our national security systems and our defense industrial base." He said it would work closely with U.S. industry, national labs, academia and the Department of Defense as well as international partners.

Businesses

Nvidia's French Offices Raided In Cloud-Computing Competition Inquiry (reuters.com) 9

According to the Wall Street Journal, Nvidia's French offices were raided this week on suspicion the chipmaker engaged in anticompetitive practices. Reuters reports: The French competition authority, which disclosed the dawn raid on Wednesday, did not say what practices it was investigating or which company it had targeted, beyond saying it was in the "graphics cards sector." The French competition authority said that its operation this week followed a broader inquiry into the cloud-computing sector. The broader inquiry revolves around concerns that cloud-computing companies could use their access to computing power to exclude smaller competitors.

This week's operation had targeted Nvidia, which is the world's largest maker of chips used both for artificial intelligence and for computer graphics, the WSJ report added, citing people familiar with the raid. Chips originally made for computer graphics are suited for AI-related computing.

AI

FBI Agents Are Using Face Recognition Without Proper Training (wired.com) 32

An anonymous reader quotes a report from Wired: The U.S. Federal Bureau of Investigation (FBI) has done tens of thousands of face recognition searches using software from outside providers in recent years. Yet only 5 percent of the 200 agents with access to the technology have taken the bureau's three-day training course on how to use it, a report from the Government Accountability Office (GAO) this month reveals. The bureau has no policy for face recognition use in place to protect privacy, civil rights, or civil liberties. Lawmakers and others concerned about face recognition have said that adequate training on the technology and how to interpret its output is needed to reduce improper use or errors, although some experts say training can lull law enforcement and the public into thinking face recognition is low risk.

Since the false arrest of Robert Williams near Detroit in 2020, multiple instances have surfaced in the US of arrests after a face recognition model wrongly identified a person. Alonzo Sawyer, whose ordeal became known this spring, spent nine days in prison for a crime he didn't commit. The lack of face recognition training at the FBI came to light in a GAO report examining the protections in place when federal law enforcement uses the technology. The report was compiled at the request of seven Democratic members of Congress. Report author and GAO Homeland Security and Justice director Gretta Goodwin says, via email, that she found no evidence of false arrests due to use of face recognition by a federal law enforcement agency.

The GAO report focuses on face recognition tools made by commercial and nonprofit entities. That means it does not cover the FBI's in-house face recognition platform, which the GAO previously criticized for poor privacy protections. The US Department of Justice was ordered by the White House last year to develop best practices for using face recognition and report any policy changes that result. The outside face recognition tools used by the FBI and other federal law enforcement covered by the report come from companies including Clearview AI, which scraped billions of photos of faces from the internet to train its face recognition system, and Thorn, a nonprofit that combats sex trafficking by applying face recognition to identify victims and sex traffickers from online commercial sex market imagery. The FBI ranks first among federal law enforcement agencies examined by the GAO for the scale of its use of face recognition. More than 60,000 searches were carried out by seven agencies between October 2019 and March 2022. Over half were made by FBI agents, about 15,000 using Clearview AI and 20,000 using Thorn.
"No existing law requires federal law enforcement personnel to take training before using face recognition or to follow particular standards when using face recognition in a criminal investigation," notes Wired.

"The DOJ plans to issue a department-wide civil rights and civil liberties policy for face recognition but has yet to set a date for planned implementation, according to the report. It says that DOJ officials, at one point in 2022, considered updating its policy to allow a face recognition match alone to justify applying for a search warrant."

EU

European Commission Hits Intel With New Fine Over Antitrust Findings (theregister.com) 13

The European Commission has re-imposed a fine of about $400 million on chipmaker Intel for abusing its dominant position in the x86 processor market. The move is the latest twist in an antitrust saga that has been now running for more than two decades. The Register: According to the Commission, the fine is in response to previously established anticompetitive practices by the silicon giant, aimed at excluding competitors from the market in breach of EU competition rules. The original fine handed to Intel in 2009 was for $1.2 billion, based on findings that the company had given incentives to PC makers to use its CPUs instead of those from rivals, or else delay the launch of specific products containing rival chips.

These incentives consisted of wholly or partially hidden rebates for using Intel chips, or payments in order to delay launching products with rival chips, amounting to so-called "naked restrictions." It ultimately goes back to complaints from rival CPU maker AMD in 2000 and again in 2003 that Intel was engaging in anticompetitive conduct by offering rebates to vendors to favor Intel components. Intel fought the decision, but an appeal by the Silicon Valley outfit to have it overturned was initially denied in 2014. Then in 2022, the EU General Court partially annulled the 2009 ruling by the Commission, in particular the findings related to Intel's conditional rebates, and went on to nix the fine imposed on the company in its entirety.

Security

How a Breached Microsoft Engineer Account Compromised the Email Accounts of US Officials (yahoo.com) 38

An anonymous reader shared this report from Bloomberg: China-linked hackers breached the corporate account of a Microsoft engineer and are suspected of using that access to steal a valuable key that enabled the hack of senior U.S. officials' email accounts, the company said in a blog post. The hackers used the key to forge authentication tokens to access email accounts on Microsoft's cloud servers, including those belonging to Commerce Secretary Gina Raimondo, Representative Don Bacon and State Department officials earlier this year.

The U.S. Cybersecurity and Infrastructure Security Agency and Microsoft disclosed the breach in June, but it was still unclear at the time exactly how hackers were able to steal the key that allowed them to access the email accounts. Microsoft said the key had been improperly stored within a "crash dump," which is data stored after a computer or application unexpectedly crashes...

The incident has brought fresh scrutiny to Microsoft's cybersecurity practices.

Microsoft's blog post says they corrected two conditions which allowed this to occur. First, "a race condition allowed the key to be present in the crash dump," and second, "the key material's presence in the crash dump was not detected by our systems." We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected).

After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer's corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don't have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.

The Courts

FTC Judge Decides Intuit's 'Free' TurboTax Ads Did Mislead Consumers (theverge.com) 30

The FTC's chief administrative law judge (ALJ) ruled that Intuit, the parent company of TurboTax, "deceived consumers" and "engaged in deceptive advertising" by advertising its "Free Edition" tax filing service as free when users ultimately had to pay. The Verge reports: The ruling (PDF) includes several pages of commercials and online ads where Intuit advertised its "Free Edition" software. While the name implies that the service is, well, free, people wound up having to pay to use it -- sparking a lawsuit from the FTC and a $141 million payout to affected users. Meanwhile, Intuit's actually no-cost Free File version, which it launched in partnership with the IRS, remained exceedingly difficult to find. In 2021, Intuit exited the program after the IRS stopped letting companies hide their free filing services from search engines.

The FTC's ALJ determined that there is a "cognizant danger of a recurring violation" by Intuit and issued a cease-and-desist order that prohibits the company from "engaging in deceptive practices in the future." The ruling prevents Intuit from representing a product as free unless it actually is free for everyone to use and "clearly and conspicuously discloses any terms that would limit the offer." In a statement, Intuit called the FTC's investigation process "flawed and highly questionable," noting "Intuit already adheres to most of the advertising practices in the FTC's erroneous decision." The company adds that it has "been clear, fair, and transparent" with customers and remains "committed to free tax preparation."
