The Courts

AI Startup Sues Ex-CEO Saying He Took 41GB of Email, Lied On Resume (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Hayden AI, a San Francisco startup that makes spatial analytics tools for cities worldwide, has sued its co-founder and former CEO, alleging that he stole a large quantity of proprietary information in the days leading up to his ouster from the company in September 2024. In a lawsuit filed late last month in San Francisco Superior Court but only made public this week, Hayden AI claims that former CEO Chris Carson undertook what it called "numerous fraudulent actions," which include "forged board signatures, unauthorized stock sales, and improper allocation of personal expenses." [...] Hayden AI, which is worth $464 million according to an estimated valuation on PitchBook, has asked the court to impose preliminary injunctive relief, requiring Carson to either return or destroy the data he allegedly stole. Specifically, the lawsuit alleges that Carson secretly sold over $1.2 million in company stock, forged board signatures, and copied 41GB of proprietary company emails before being fired in September 2024. The complaint also claims Carson fabricated key parts of his resume, including a PhD and military service. It's a "carefully constructed fraud," says Hayden AI.

"That is a lie," the complaint states. "Carson does not hold a PhD from Waseda or any other university. In 2007, he was not obtaining a PhD but was operating 'Splat Action Sports,' a paintball equipment business in a Florida strip mall."
Microsoft

Microsoft Admits Windows 11 Has a Trust Problem, Promises To Focus on Fixes in 2026

Microsoft wants you to know that it knows that Windows 11, now used by a billion users, has been testing your patience and announced that its engineers are being redirected to urgently address the operating system's performance and reliability problems through an internal process the company calls "swarming."

"The feedback we're receiving from our community of passionate customers and Windows Insiders has been clear. We need to improve Windows in ways that are meaningful for people," Pavan Davuluri, president of Windows and devices, told The Verge. The company plans to spend the rest of 2026 focusing on pain points including system performance, reliability, and overall user experience.

January has been particularly rough for Windows 11. Microsoft issued an emergency out-of-band update to fix shutdown issues on some machines, then released a second out-of-band fix a week later to address OneDrive and Dropbox crashes. Some business PCs are also failing to boot after the January update because they were left in an "improper state" after December's monthly update failed to install. Users have also grown frustrated by aggressive Edge and Bing prompts, constant OneDrive upselling nags, and Microsoft's push to require Microsoft accounts.

The core members of the company's Windows Insider team recently moved to different roles. "Trust is earned over time and we are committed to building it back with the Windows community," Davuluri said.
Security

Escalation in Akira Campaign Targeting SonicWall VPNs, Deploying Ransomware, With Malicious Logins (arcticwolf.com)

Friday the security researchers at Arctic Wolf Labs wrote: In late July 2025, Arctic Wolf Labs began observing a surge of intrusions involving suspicious SonicWall SSL VPN activity. Malicious logins were followed within minutes by port scanning, Impacket SMB activity, and rapid deployment of Akira ransomware. Victims spanned across multiple sectors and organization sizes, suggesting opportunistic mass exploitation.

This campaign has recently escalated, with new infrastructure linked to it observed as late as September 20, 2025.

More from Cybersecurity News: SonicWall has linked these malicious logins to CVE-2024-40766, an improper access control vulnerability disclosed in 2024. The working theory is that threat actors harvested credentials from devices that were previously vulnerable and are now using them in this campaign, even if the devices have since been patched. This explains why fully patched devices have been compromised, a fact that initially led to speculation about a potential zero-day exploit.

Once inside a network, the attackers operate with remarkable speed. The time from initial access to ransomware deployment, known as "dwell time," is often measured in hours, with some intrusions taking as little as 55 minutes, Arctic Wolf said. This extremely short window for response makes early detection critical.

"Threat actors in the present campaign successfully authenticated against accounts with the one-time password (OTP) MFA feature enabled..." notes Arctic Wolf Labs: The threats described in this campaign demand early detection and a rapid response to avoid catastrophic impact to organizations. To facilitate this process, we recommend monitoring for VPN logins originating from untrusted hosting infrastructure. Equally important is ensuring visibility into internal networks, since lateral movement and ransomware encryption can occur within hours or even minutes of initial access. Monitoring for anomalous SMB activity indicative of Impacket use provides an additional early detection opportunity.

When firewalls are confirmed to be running firmware versions vulnerable to credential access or full configuration export, patching alone is not enough. In such situations, credentials must be reset wherever possible, including MFA-related secrets that might otherwise be thought of as secure, and Active Directory credentials with VPN access. These considerations are best practices that apply regardless of which firewall products are in use.

Thanks to Slashdot reader Mirnotoriety for suggesting this story.
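The two detection opportunities Arctic Wolf names above, VPN logins from hosting infrastructure and SMB activity fanning out across internal hosts within minutes of a login, can be expressed as a small correlation over VPN and SMB logs. The following is an added example, not code from Arctic Wolf or SonicWall; the log line format, the `HOSTING_ORGS` list, the 30-minute window and the five-host threshold are all assumptions, and the log lines are constructed sample data. Note that the heuristic deliberately does not clear a session because MFA was used, since the campaign authenticated against OTP-protected accounts.

```python
"""Correlate VPN logins with follow-on SMB fan-out (added example, assumptions noted)."""
import re
from datetime import datetime, timedelta, timezone

# Assumption: ASN organisations from which remote-access users are not expected.
HOSTING_ORGS = {"VPS-Cloud-Ltd", "ExampleHosting"}

# Constructed sample log lines (not real data); the key=value format is an assumption.
SAMPLE_VPN = [
    "2025-09-20T03:12:04Z vpn login user=jsmith src=203.0.113.45 org=VPS-Cloud-Ltd client=10.8.0.17 mfa=otp",
    "2025-09-20T08:30:00Z vpn login user=alee src=198.51.100.9 org=Home-ISP client=10.8.0.21 mfa=otp",
]
SAMPLE_SMB = [
    "2025-09-20T03:14:10Z smb src=10.8.0.17 dst=10.0.1.5",
    "2025-09-20T03:14:11Z smb src=10.8.0.17 dst=10.0.1.6",
    "2025-09-20T03:14:11Z smb src=10.8.0.17 dst=10.0.1.7",
    "2025-09-20T03:14:12Z smb src=10.8.0.17 dst=10.0.1.8",
    "2025-09-20T03:14:13Z smb src=10.8.0.17 dst=10.0.1.9",
    "2025-09-20T08:45:00Z smb src=10.8.0.21 dst=10.0.1.5",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a line into (timestamp, kind, fields); kind is 'vpn' or 'smb'."""
    ts_str, kind, rest = line.split(" ", 2)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, kind, dict(KV.findall(rest))


def find_suspicious_sessions(vpn_lines, smb_lines,
                             window=timedelta(minutes=30), min_hosts=5):
    """Return one alert per VPN login that came from hosting infrastructure
    and/or was followed by SMB connections to >= min_hosts distinct internal
    hosts inside `window`. MFA status is reported but never used to suppress."""
    smb = [parse_line(l) for l in smb_lines]
    alerts = []
    for line in vpn_lines:
        ts, kind, f = parse_line(line)
        if kind != "vpn":
            continue
        reasons = []
        if f.get("org") in HOSTING_ORGS:
            reasons.append(f"login from hosting provider {f['org']}")
        # Distinct internal hosts this VPN client touched over SMB after logging in.
        targets = {e[2]["dst"] for e in smb
                   if e[2].get("src") == f.get("client") and ts <= e[0] <= ts + window}
        if len(targets) >= min_hosts:
            minutes = int(window.total_seconds() // 60)
            reasons.append(f"SMB fan-out to {len(targets)} hosts within {minutes} min of login")
        if reasons:
            alerts.append({"user": f.get("user"), "src": f.get("src"),
                           "mfa": f.get("mfa"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sessions(SAMPLE_VPN, SAMPLE_SMB):
        print(alert)
```

In the sample data only the `jsmith` session is flagged, on both grounds; `alee` logs in from a residential ISP and touches a single host, so nothing fires. In practice the ASN enrichment would come from your IP-intelligence feed rather than a hard-coded set, and the fan-out threshold should be tuned against the normal behaviour of the VPN client subnet.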
Biotech

Theranos Founder Elizabeth Holmes' Fraud Convictions Upheld (msnbc.com)

"Elizabeth Holmes' fraud conviction has been upheld by a federal appellate panel," writes Slashdot reader ClickOnThis. MSNBC reports: A three-judge panel of the 9th U.S. Circuit Court of Appeals on Monday affirmed the convictions, sentences and nine-figure restitution ordered against both Holmes and Theranos president, Ramesh "Sunny" Balwani. [...] Theranos was supposedly going to revolutionize medical laboratory testing with the ability to run fast, accurate and affordable tests with just a drop of blood from a finger prick. "But the vision sold by Holmes and Balwani was nothing more than a mirage," 9th Circuit Judge Jacqueline H. Nguyen wrote (PDF) for the panel, adding that the "grandiose achievements touted by Holmes and Balwani were half-truths and outright lies."

Holmes was convicted of crimes related to fraud against investors while the jury acquitted her or hung on other counts. Balwani was convicted on all counts at his trial. The federal panel rejected a slew of arguments from both defendants, including that their trials featured improper testimony from Theranos employees. While the ruling is a major setback for the defendants, they can further appeal to a fuller panel of 9th Circuit judges and the Supreme Court, which generally has broad discretion over whether to accept cases for review.

The Almighty Buck

Argentinian President Promotes Memecoin. It Then Crashed 95% as Insiders Cashed Out (web3isgoinggreat.com)

gwolf (Slashdot reader #26,339) writes: On Friday, February 14, Libertarian Argentinian president, Javier Milei, promoted the just-created $LIBRA cryptocoin, created by the Viva la libertad project, strongly aligned with his political party, La Libertad Avanza. Milei tweeted, "This private project will be devoted to promote growth of the Argentinian economy, funding small startups and enterprises. The world wants to invest in Argentina!"

It is worth noting that the project's website was registered a mere three minutes before Milei tweeted his endorsement. The cryptocoin quickly reached a $4.6 billion market cap... Only to instantaneously lose 89% of its value, with nine core investors pulling the rug from under the enthusiast investors.
More details from the blog Web3 Is Going Just Great: [W]ithin hours of the launch, insiders began selling off their holdings of the token. The token had been highly concentrated among insiders, with around 82% of the token held in a small cluster of apparently insider addresses. Those insiders cashed out around $107 million, crashing the token price by around 95%. After the crash, Milei deleted his tweet promoting the project. He later claimed he was "not aware of the details of the project."
UPDATE: CNN reports that Argentine President Milei is now facing calls for impeachment. The presidency on Saturday announced an investigation into the matter, saying: "President Javier Milei has decided to immediately involve the Anti-Corruption Office to determine whether there was improper conduct on the part of any member of the national government, including the president himself."
The Courts

Oregon County Seeks To Hold Fossil Fuel Companies Accountable For Extreme Heat

An anonymous reader quotes a report from Ars Technica: Northwest Oregon had never seen anything like it. Over the course of three days in June 2021, Multnomah County -- the state's most populous county, which rests in the swayback along Oregon's northern border -- recorded highs of 108, 112, and 116 degrees Fahrenheit. Temperatures were so hot that the metal on cable cars melted and the asphalt on roadways buckled. Nearly half the homes in the county lacked cooling systems because of Oregon's typically gentle summers, where average highs top out at 81 degrees. Sixty-nine people perished from heat stroke, most of them in their homes. When scientific studies showed that the extreme temperatures were caused by heat domes, which experts say are influenced by climate change, county officials didn't just chalk it up to a random weather occurrence. They started researching the large fossil fuel companies whose emissions are driving the climate crisis -- including ExxonMobil, Shell, and Chevron -- and sued them (PDF).

"This catastrophe was not caused by an act of God," said Jeffrey B. Simon, a lawyer for the county, "but rather by several of the world's largest energy companies playing God with the lives of innocent and vulnerable people by selling as much oil and gas as they could." Now, 11 months after the suit was filed, Multnomah County is preparing to move forward with the case in Oregon state court after a federal judge in June settled (PDF) a monthslong debate over where the suit should be heard. About three dozen lawsuits have been filed by states, counties, and cities seeking damages from oil and gas companies for harms caused by climate change. Legal experts said the Oregon case is one of the first focused on public health costs related to high temperatures during a specific occurrence of the "heat dome effect." Most of the other lawsuits seek damages more generally from such ongoing climate-related impacts as sea level rise, increased precipitation, intensifying extreme weather events, and flooding. [...]

The Multnomah County lawsuit says that Exxon, Shell, Chevron, and others engaged in a range of improper practices, including negligence, creating a public nuisance, fraud, and deceit. The suit alleges that the companies were aware of the harms of fossil fuels and engaged in a "scheme to rapaciously sell fossil fuel products and deceptively promote them as harmless to the environment, while they knew that carbon pollution emitted by their products into the atmosphere would likely cause deadly extreme heat events like that which devastated Multnomah County." "We know that climate-induced weather events like the 2021 Heat Dome harm the residents of Multnomah County and cause real financial costs to our local government," Multnomah County Chair Jessica Vega Pederson said in a statement. "The Court's decision to hear this lawsuit in State Court validates our assertion that the case should be resolved here -- it's an important win for this community."
In the suit, officials in Portland's Multnomah County said that they will ultimately incur costs in excess of $1.5 billion to deal with the effects of the 2021 heat dome.

"We allege that this is just like any other kind of public health crisis and mass destruction of property that is caused by corporate wrongdoing," said Simon, partner in the law firm of Simon Greenstone Panatier. "We contend that these companies polluted the atmosphere with carbon from the burning of fossil fuels; that they foresaw that extreme environmental harm would be caused by it; that some of them, we contend, deliberately misled the public about that."
Transportation

Amid Whistleblower Complaints, Boeing Buys Spirit, Ending Outsourcing of Key Work on Planes (apnews.com)

Monday Boeing announced plans to acquire its key supplier, Spirit AeroSystems, for $4.7 billion, according to the Associated Press — "a move that it says will improve plane quality and safety amid increasing scrutiny by Congress, airlines and the Department of Justice. Boeing previously owned Spirit, and the purchase would reverse a longtime Boeing strategy of outsourcing key work on its passenger planes."

But meanwhile, an anonymous reader shared this report from Newsweek: More than a hundred Boeing whistleblowers have contacted the U.S. aviation watchdog since the start of the year, Newsweek can reveal. Official figures show that the Federal Aviation Administration's (FAA) whistleblowing hotline has seen a huge surge of calls from workers concerned about safety problems. Since January the watchdog saw a total of 126 reports, via various channels, from workers concerned about safety problems. In 2023, there were just 11....

After a visit from FAA Administrator Mike Whitaker to a Boeing factory earlier in the year, Boeing CEO Dave Calhoun agreed to share details of the hotline with all Boeing employees. The FAA told Newsweek that the number of Boeing employees coming forward was a "sign of a healthy culture".... Newsweek also spoke to Jon Holden, president of the 751 District for the International Association of Machinists, Boeing's largest union which represents more than 32,000 aerospace workers. Holden said that numerous whistleblowers had complained to the FAA over Boeing's attempt to cut staff and reduce inspections in an effort to "speed up the rate" at which planes went out the door...

Holden's union is currently in contract negotiations with Boeing, and is attempting to secure a 40% pay rise alongside a 50-year guarantee of work security for its members.

CNN also reports on new allegations Wednesday from a former Boeing quality-control manager: that "for years workers at its 787 Dreamliner factory in Everett, Washington, routinely took parts that were deemed unsuitable to fly out of an internal scrap yard and put them back on factory assembly lines." In his first network TV interview, Merle Meyers, a 30-year veteran of Boeing, described to CNN what he says was an elaborate off-the-books practice that Boeing managers at the Everett factory used to meet production deadlines, including taking damaged and improper parts from the company's scrapyard, storehouses and loading docks... Meyers claims that lapses he witnessed were intentional, organized efforts designed to thwart quality control processes in an effort to keep up with demanding production schedules. Beginning in the early 2000s and continuing for more than a decade, Meyers estimates that about 50,000 parts "escaped" quality control and were used to build aircraft. Those parts include everything from small items like screws to more complex assemblies like wing flaps. A single Boeing 787 Dreamliner, for example, has approximately 2.3 million parts...

Based on conversations Meyers says he had with current Boeing workers in the time since he left the company, he believes that while employees no longer remove parts from the scrapyard, the practice of using other unapproved parts in assembly lines continues. "Now they're back to taking parts of body sections — everything — right when it arrives at the Everett site, bypassing quality, going right to the airplane," Meyers said.

Company emails going back years show that Meyers repeatedly flagged the issue to Boeing's corporate investigations team, pointing out what he says were blatant violations of Boeing's safety rules. But investigators routinely failed to enforce those rules, Meyers says, even ignoring "eye witness observations and the hard work done to ensure the safety of future passengers and crew," he wrote in an internal 2022 email provided to CNN.

Security

NSA Shares Top Ten Cybersecurity Misconfigurations (cisa.gov)

The National Security Agency (NSA), in partnership with the Cybersecurity and Infrastructure Security Agency (CISA), has highlighted the ten most common cybersecurity misconfigurations in large organizations. In their joint cybersecurity advisory (CSA), they also detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations. From the report: Through NSA and CISA Red and Blue team assessments, as well as through the activities of NSA and CISA Hunt and Incident Response teams, the agencies identified the following 10 most common network misconfigurations:

1. Default configurations of software and applications
2. Improper separation of user/administrator privilege
3. Insufficient internal network monitoring
4. Lack of network segmentation
5. Poor patch management
6. Bypass of system access controls
7. Weak or misconfigured multifactor authentication (MFA) methods
8. Insufficient access control lists (ACLs) on network shares and services
9. Poor credential hygiene
10. Unrestricted code execution

NSA and CISA encourage network defenders to implement the recommendations found within the Mitigations section of this advisory -- including the following -- to reduce the risk of malicious actors exploiting the identified misconfigurations: Remove default credentials and harden configurations; Disable unused services and implement access controls; Update regularly and automate patching, prioritizing patching of known exploited vulnerabilities; and Reduce, restrict, audit, and monitor administrative accounts and privileges.

NSA and CISA urge software manufacturers to take ownership of improving security outcomes of their customers by embracing secure-by-design and secure-by-default tactics, including: Embedding security controls into product architecture from the start of development and throughout the entire software development lifecycle (SDLC); Eliminating default passwords; Providing high-quality audit logs to customers at no extra charge; and Mandating MFA, ideally phishing-resistant, for privileged users and making MFA a default rather than an opt-in feature.
A PDF version of the report can be downloaded here (PDF).
Security

Vulnerable Arm GPU Drivers Under Active Exploitation, Patches May Not Be Available (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Arm warned on Monday of active ongoing attacks targeting a vulnerability in device drivers for its Mali line of GPUs, which run on a host of devices, including Google Pixels and other Android handsets, Chromebooks, and hardware running Linux. "A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory," Arm officials wrote in an advisory. "This issue is fixed in Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r43p0. There is evidence that this vulnerability may be under limited, targeted exploitation. Users are recommended to upgrade if they are impacted by this issue."

The advisory continued: "A local non-privileged user can make improper GPU processing operations to access a limited amount outside of buffer bounds or to exploit a software race condition. If the system's memory is carefully prepared by the user, then this in turn could give them access to already freed memory." [...] Getting access to system memory that's no longer in use is a common mechanism for loading malicious code into a location an attacker can then execute. This code often allows them to exploit other vulnerabilities or to install malicious payloads for spying on the phone user. Attackers often gain local access to a mobile device by tricking users into downloading malicious applications from unofficial repositories. The advisory mentions drivers for the affected GPUs being vulnerable but makes no mention of microcode that runs inside the chips themselves.

The most prevalent platform affected by the vulnerability is Google's line of Pixels, which are one of the only Android models to receive security updates on a timely basis. Google patched Pixels in its September update against the vulnerability, which is tracked as CVE-2023-4211. Google has also patched Chromebooks that use the vulnerable GPUs. Any device that shows a patch level of 2023-09-01 or later is immune to attacks that exploit the vulnerability. The device driver on patched devices will show as version r44p1 or r45p0. CVE-2023-4211 is present in a range of Arm GPUs released over the past decade. The Arm chips affected are:

- Midgard GPU Kernel Driver: All versions from r12p0 - r32p0
- Bifrost GPU Kernel Driver: All versions from r0p0 - r42p0
- Valhall GPU Kernel Driver: All versions from r19p0 - r42p0
- Arm 5th Gen GPU Architecture Kernel Driver: All versions from r41p0 - r42p0
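Checking a fleet against the ranges above is error-prone if driver versions are compared as strings: lexically `"r9p0"` sorts after `"r42p0"`, so a naive comparison mis-classifies single-digit releases. The following is an added triage helper, not code from Arm, Google or Ars Technica; it encodes only the affected ranges and the 2023-09-01 Android patch level quoted above, and the `triage` function and its return labels are my own naming. A driver above the listed range is reported as "not in listed range" rather than "fixed", because the excerpt only states fixed versions for the Bifrost, Valhall and 5th Gen drivers.

```python
"""Classify Mali kernel driver versions against the CVE-2023-4211 ranges (added example)."""
import re
from datetime import date

# Affected ranges exactly as listed in the Arm advisory excerpt (inclusive).
AFFECTED = {
    "Midgard": ("r12p0", "r32p0"),
    "Bifrost": ("r0p0", "r42p0"),
    "Valhall": ("r19p0", "r42p0"),
    "Arm 5th Gen": ("r41p0", "r42p0"),
}

# Android security patch level from which Pixels/Chromebooks are stated to be patched.
PATCHED_ANDROID_LEVEL = date(2023, 9, 1)

VER = re.compile(r"^r(\d+)p(\d+)$")


def parse_version(v):
    """'r43p0' -> (43, 0); tuples compare numerically, unlike the raw strings."""
    m = VER.match(v.strip())
    if not m:
        raise ValueError(f"not a Mali driver version: {v!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(family, version):
    """True if `version` falls inside the advisory's range for `family`."""
    lo, hi = AFFECTED[family]
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


def android_patch_level_ok(level):
    """True if an Android patch level string (YYYY-MM-DD) is 2023-09-01 or later."""
    return date.fromisoformat(level) >= PATCHED_ANDROID_LEVEL


def triage(family, driver_version, android_patch_level=None):
    """Return 'patched', 'affected' or 'not in listed range' (labels are my own)."""
    if android_patch_level is not None and android_patch_level_ok(android_patch_level):
        return "patched"
    if is_affected(family, driver_version):
        return "affected"
    return "not in listed range"


if __name__ == "__main__":
    # Constructed inventory rows: (device, family, driver version, Android patch level or None)
    inventory = [
        ("pixel-lab-1", "Valhall", "r40p0", "2023-09-05"),
        ("pixel-lab-2", "Valhall", "r42p0", "2023-08-05"),
        ("linux-box-1", "Bifrost", "r9p0", None),
        ("linux-box-2", "Bifrost", "r44p1", None),
    ]
    for device, family, ver, level in inventory:
        print(device, family, ver, "->", triage(family, ver, level))
```

Run against an inventory export, the helper separates devices that are safe by patch level from those still inside an affected range, and makes the out-of-range-but-unconfirmed cases visible for manual follow-up against the vendor's release notes.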

AI

FBI Agents Are Using Face Recognition Without Proper Training (wired.com)

An anonymous reader quotes a report from Wired: The U.S. Federal Bureau of Investigation (FBI) has done tens of thousands of face recognition searches using software from outside providers in recent years. Yet only 5 percent of the 200 agents with access to the technology have taken the bureau's three-day training course on how to use it, a report from the Government Accountability Office (GAO) this month reveals. The bureau has no policy for face recognition use in place to protect privacy, civil rights, or civil liberties. Lawmakers and others concerned about face recognition have said that adequate training on the technology and how to interpret its output is needed to reduce improper use or errors, although some experts say training can lull law enforcement and the public into thinking face recognition is low risk.

Since the false arrest of Robert Williams near Detroit in 2020, multiple instances have surfaced in the US of arrests after a face recognition model wrongly identified a person. Alonzo Sawyer, whose ordeal became known this spring, spent nine days in prison for a crime he didn't commit. The lack of face recognition training at the FBI came to light in a GAO report examining the protections in place when federal law enforcement uses the technology. The report was compiled at the request of seven Democratic members of Congress. Report author and GAO Homeland Security and Justice director Gretta Goodwin says, via email, that she found no evidence of false arrests due to use of face recognition by a federal law enforcement agency.

The GAO report focuses on face recognition tools made by commercial and nonprofit entities. That means it does not cover the FBI's in-house face recognition platform, which the GAO previously criticized for poor privacy protections. The US Department of Justice was ordered by the White House last year to develop best practices for using face recognition and report any policy changes that result. The outside face recognition tools used by the FBI and other federal law enforcement covered by the report come from companies including Clearview AI, which scraped billions of photos of faces from the internet to train its face recognition system, and Thorn, a nonprofit that combats sex trafficking by applying face recognition to identify victims and sex traffickers from online commercial sex market imagery. The FBI ranks first among federal law enforcement agencies examined by the GAO for the scale of its use of face recognition. More than 60,000 searches were carried out by seven agencies between October 2019 and March 2022. Over half were made by FBI agents, about 15,000 using Clearview AI and 20,000 using Thorn.
"No existing law requires federal law enforcement personnel to take training before using face recognition or to follow particular standards when using face recognition in a criminal investigation," notes Wired.

"The DOJ plans to issue a department-wide civil rights and civil liberties policy for face recognition but has yet to set a date for planned implementation, according to the report. It says that DOJ officials, at one point in 2022, considered updating its policy to allow a face recognition match alone to justify applying for a search warrant."
Medicine

Dispute Over Database Use Could Disrupt US Organ Transplant System (wric.com)

"The flow of lifesaving organs to 63 U.S. transplant centers could be disrupted..." reported the Washington Post on Monday, "by a dispute over the use of data."

Or, as a local news station WRIC puts it, "Two entities dedicated to fighting to save lives through organ transplant operations are now fighting with each other." Buckeye Transplant Services filed a lawsuit against the United Network for Organ Sharing — or UNOS — on July 3 after the Richmond-based non-profit accused the transplant screening service of putting donor and patient privacy at risk.

UNOS claimed Buckeye did so by using technology to gain unauthorized, improper access to a DonorNet database. Buckeye denied any wrongdoing and insisted that the company has always complied with data accessibility protocol... This isn't UNOS's first controversy, but the reason this particular debate has become high-profile is due to rumors that it could impact transplant operations. Prior to the lawsuit, UNOS threatened to cut off Buckeye's access to data necessary for its operation. UNOS still insists that no transplant program will experience any interruptions in receiving organ offers as a result of the dispute. However, Buckeye warned that if it loses access to crucial data, 63 hospitals across the country — two in Virginia — could have to take on extra burdens.

One of those healthcare systems, the University of Virginia's Transplant Center, told 8News that its team is closely monitoring the situation and is already coming up with plans to prevent any legal hiccups from interrupting the lifesaving organ donation process.

Buckeye was involved in over 13% of America's organ transplants in 2022, according to figures cited by the Washington Post. "Buckeye said it is doing nothing wrong," according to the article, "and that other organizations across the transplant system act similarly." Meanwhile, UNOS's general counsel "stressed that cutting off Buckeye is a last resort in a negotiation that has been underway for two months," the Washington Post reported. "Certain features of Buckeye's electronic systems are capable of and have collected from UNOS systems various large volumes of patient-specific and facility-specific information related to transplant services," a UNOS attorney wrote to Buckeye on June 21. Livingston, the UNOS general counsel, said in an interview that the data belongs to UNOS and that transplant centers are able to obtain it from the organization if they want it. But Buckeye is not allowed to collect it in bulk and sell it to its customers. He said if Buckeye retrieves and "scrapes" the data, UNOS does not know how well it is secured, whether it is being "misused or mishandled" and how it is being stored. He also said Buckeye could create an alternate database with the information.
On Tuesday the Washington Post reported that UNOS had issued a two-week extension (through July 19): Anne Paschke, a spokesperson for UNOS, said the group provided the extension to "allow the court an appropriate amount of time" to consider the company's request for a temp restraining order. "We are confident in our position," Paschke said... Buckeye sued UNOS in federal court on Monday seeking an injunction that would stop the nonprofit group from blocking its access to the national transplant database system...

[The U.S. Health Resources and Services Administration] unveiled plans in March to overhaul the transplant system, including changes to the 37-year monopoly UNOS has held as manager of the organ database... Buckeye is potentially interested in bidding for a part of the contract UNOS now holds, according to company representatives. Its lawsuit contends UNOS "has monopolistic intent to squash the development of technology that could eventually supplant" the UNOS transplant system.

Thanks to long-time Slashdot reader belmolis for sharing the article.
United States

Camp Lejeune Water Strongly Linked To Parkinson's Disease

Marines and sailors who were exposed to toxic water at Camp Lejeune, N.C., are much more likely to suffer from Parkinson's disease than their counterparts who were stationed elsewhere, according to a study published Monday. From a report: Troops stationed at Camp Lejeune for even just a few months during the years 1975-85 are 70% more likely to suffer from Parkinson's disease than troops who were at Camp Pendleton, Calif., according to findings from researchers who accounted for other factors in making their determination. Their report was published by the Journal of the American Medical Association. The Department of Veterans Affairs-funded study was led by Dr. Samuel Goldman, a professor of medicine at the University of California, San Francisco Medical School and a staff physician at the San Francisco VA Medical Center.

The Departments of Defense and Veterans Affairs have acknowledged for years that troops based at Camp Lejeune and other North Carolina facilities from the early 1950s until the mid-1980s were exposed to a number of harmful chemicals in the drinking water, including the solvents benzene and trichloroethylene, which are linked to Parkinson's. Water processed for the base was contaminated by improper chemical-disposal procedures from an off-base dry cleaner, leaky underground storage tanks, industrial spills and other problems for decades, according to the Centers for Disease Control and Prevention. A million veterans and family members have been potentially affected, according to the federal Agency for Toxic Substances and Disease Registry.
Crime

SBF Asks Court To Dismiss Most Criminal Charges Against Him (axios.com)

FTX founder Sam Bankman-Fried is seeking the dismissal of 10 of the 13 charges against him over the collapse of the cryptocurrency exchange. Axios reports: Lawyers for Bankman-Fried, who's pleaded not guilty to fraud, conspiracy, campaign finance law violations and money laundering, in a filing argued that several of the charges failed to properly state an offense. The motion that was filed to the U.S. District Court for the Southern District of New York is seeking the dismissal of 10 of the 13 charges against him. "Simply making a false statement, by itself, does not constitute wire fraud unless it is made for the purpose of obtaining money or property from the victim of the fraud," Bankman-Fried's lawyers wrote.

According to Ars Technica, SBF's lawyers are essentially arguing that there's no evidence of harm caused because fraud requires a "scheme to cause economic loss to the victim," which prosecutors allegedly haven't proved. Instead, SBF alleges that federal prosecutors have concocted "a hodgepodge of different intangible losses" suffered by banks and lenders -- including "the right to honest services," "the loss of control of assets," and "the deprivation of valuable information." [...] "In the end, the Government is trying to transform allegations of dishonesty and unfair dealing into violations of the federal fraud statutes," SBF's lawyers wrote. "While such conduct may well be improper, it is not wire fraud."

The 31-year-old Bankman-Fried, who is currently under house arrest on a $250 million bond at his parents' home in Palo Alto, California, faces more than 155 years in prison if convicted on all counts. A trial has been scheduled for October.
Privacy

Meet the Spy Tech Companies Helping Landlords Evict People (vice.com) 263

schwit1 shares an excerpt from a Motherboard article: Some renters may savor the convenience of "smart home" technologies like keyless entry and internet-connected doorbell cameras. But tech companies are increasingly selling these solutions to landlords for a more nefarious purpose: spying on tenants in order to evict them or raise their rent. "You CAN raise rents in NYC!" reads the headline of one promotional email sent to landlords. It was a sales pitch from Teman, a tech company that makes surveillance systems for apartment buildings. Teman's sales pitch proposes a solution to a frustration for many New York City landlords, who have tenants living in older apartments that are protected by a myriad of rent control and stabilization laws. The company's email suggests a workaround: "3 Simple Steps to Re-Regulate a Unit." First, use one of Teman's automated products to catch a tenant breaking a law or violating their lease, such as by having unapproved subletters or loud parties. Then, "vacate" them and merge their former apartment with one next door or above or below, creating a "new" unit that's not eligible for rent protections. "Combine a $950/mo studio and $1400/mo one-bedroom into a $4200/mo DEREGULATED two-bedroom," the email enticed. Teman's surveillance systems can even "help you identify which units are most-likely open to moving out (or being evicted!)." [...]

Erin McElroy, a professor of American Studies at the University of Texas at Austin who tracks eviction trends, also says that digital surveillance of residential buildings is increasing, particularly in New York City, which she calls the "landlord tech epicenter." Any camera system can document possibly eviction-worthy behavior, but McElroy identified two companies, Teman and Reliant Safety, that use the biometrics of tenants with the explicit goal of facilitating evictions. These companies are part of an expanding industry known as "proptech," encompassing all the technology used for acquiring and managing real estate. A report by Future Market Insights predicts that proptech will quadruple its current value, becoming a $86.5 billion industry by 2023. It is also sprouting start-ups to ease all aspects of the business -- including the unsavory ones. [...]

Reliant Safety, which claims to watch over 20,000 apartment units nationwide, has a less colorful corporate pedigree. It is owned by the Omni Organization, a private developer founded in 2004 that "acquires, rehabilitates, builds and manages quality affordable housing throughout the United States," according to its website. The company claims it has acquired and managed more than 17,000 affordable housing units. Many of the properties it lists are in New York City. Omni's website features spotless apartment complexes under blue skies and boasts about sponsorship of after-school programs, food giveaways, and homeless transition programs. Reliant's website features videos that depict various violations detected by its surveillance cameras. The website has a page of "Lease Violations" it says its system has detected, which include things such as "pet urination in hallway," "hallway fistfight," "improper mattress disposal," "tenant slips in hallway," as well as several alleged assaults, videos of fistfights in hallways, drug sales at doorways and break-ins through smashed windows. Almost all of them show Black or brown people and almost all are labeled as being from The Bronx -- where, in 2016, Omni opened a 140-unit affordable housing building at 655 Morris Avenue that boasted about "state-of-the-art facial recognition building access" running on ubiquitous cameras in common areas. Reliant presents these as "case studies" and lists outcomes that include arrest and eviction. Part of its package of services is "illegal sublet detection" using biometrics submitted by tenants to suss out anyone not authorized to be there. While Reliant claims its products are rooting out illegal and dangerous activity, the use of surveillance and biometrics to further extend policing into minority communities are a major cause for concern to privacy advocates.

United States

Ford Pays Millions Over False Claims About Its 2013 Hybrid's Fuel Economy (consumerreports.org) 32

Ford's fuel-economy figures for the 2013-2014 C-Max hybrids "were not based in reality" says Iowa's attorney general.

And now the Ford Motor Company "will pay $19.2 million to a consortium of 40 states and Washington, D.C.," writes Consumer Reports (which also covers additional false advertising about the payload capacity of its Super Duty pickup trucks). In these two cases, Ford exaggerated numbers for an advantage in competitive segments. And it was caught....

Ford ran a series of ads that claimed the C-Max provided better fuel economy than the Toyota Prius. The 2013 C-Max was originally rated at 47 mpg in city and highway driving, and 47 mpg overall. The claim was that it delivered 47 mpg in every situation. Back on Dec. 6, 2012, Consumer Reports wrote... "After running both vehicles through our real-world tests, we have gotten very good results. But they are far below Ford's ambitious triple-47 figures." We got 37 mpg overall in our tests. That's close to what owners reported on the Environmental Protection Agency's fueleconomy.gov, at 39 mpg.... In our tests, the Toyota Prius at the time got 44 mpg overall, far more than the C-Max.

Iowa's attorney general notes that "In 2013, Ford admitted that its initial fuel economy rating for the C-Max hybrid was likely overstated. The carmaker announced at the time that it would make a 'goodwill payment' of $550 to consumers who purchased a 2013 C-Max hybrid and $325 to those who leased the vehicle, according to Edmunds."

Consumer Reports adds: It then made hardware updates for new models, including a higher final gear ratio, lower-viscosity motor oil, and aerodynamic improvements, including a rear spoiler, new hood seals, and air deflectors in front of the tires, and a higher speed threshold for the electric drive. The new mpg figures were 39 mpg combined for 2014 through 2016 (41 city, 36 highway)...

This case underscores why Consumer Reports goes to great lengths to test the fuel economy of every nonelectric car we purchase. It provides realistic, objective, independent information for car shoppers and helps keep the auto industry honest.

Consumer Reports also quotes Ford's statement on their false advertising. "We are pleased that the matter is closed without any judicial finding of improper conduct."

"We worked with the states to resolve their concerns."
Privacy

Website Fined By German Court For Leaking Visitor's IP Address Via Google Fonts (theregister.com) 210

Earlier this month, a German court fined an unidentified website $110 for violating EU privacy law by importing a Google-hosted web font. The Register reports: The decision, by Landgericht Munchen's third civil chamber in Munich, found that the website, by including a Google-Fonts-hosted font on its pages, passed the unidentified plaintiff's IP address to Google without authorization and without a legitimate reason for doing so. And that violates Europe's General Data Protection Regulation (GDPR). That is to say, when the plaintiff visited the website, the page made the user's browser fetch a font from Google Fonts to use for some text, and this disclosed the netizen's IP address to the US internet giant. This kind of hot-linking is normal with Google Fonts; the issue here is that the visitor apparently didn't give permission for their IP address to be shared. The website could have avoided this drama by self-hosting the font, if possible.

The decision says IP addresses represent personal data because it's theoretically possible to identify the person associated with an IP address, and that it's irrelevant whether the website or Google has actually done so. The ruling directs the website to stop providing IP addresses to Google and threatens the site operator with a fine of 250,000 euros for each violation, or up to six months in prison, for continued improper use of Google Fonts. Google Fonts is widely deployed -- the Google Fonts API is used by about 50m websites. The API allows websites to style text with Google Fonts stored on remote servers -- Google's or a CDN's -- that get fetched as the page loads. Google Fonts can be self-hosted to avoid running afoul of EU rules and the ruling explicitly cites this possibility to assert that relying on Google-hosted Google Fonts is not defensible under the law.
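The disclosure the court objected to happens because the page references a resource on a third-party origin, so the visitor's browser connects there. As an added check (not from the article or the court decision), this script lists the external origins a page's markup would make a browser contact and flags the Google Fonts hosts; both sample documents are constructed, and the page origin is assumed to be https://example.org.

```javascript
// Attribute references (href=, src=) and CSS references (url(...), @import).
const URL_ATTR = /\b(?:href|src)\s*=\s*["']([^"']+)["']/gi;
const CSS_URL = /(?:url\(\s*|@import\s+)["']?([^"')\s]+)["']?/gi;

// Return the sorted list of external origins referenced from the document,
// resolving relative URLs against the page's own origin (assumed parameter).
function externalOrigins(html, pageOrigin) {
  const found = new Set();
  for (const re of [URL_ATTR, CSS_URL]) {
    re.lastIndex = 0; // global regex: start each scan from the beginning
    let m;
    while ((m = re.exec(html)) !== null) {
      let u;
      try { u = new URL(m[1], pageOrigin); } catch { continue; }
      if (!/^https?:$/.test(u.protocol)) continue; // ignore data:, mailto:, etc.
      if (u.origin !== pageOrigin) found.add(u.origin);
    }
  }
  return [...found].sort();
}

// The two hosts a hot-linked Google Fonts stylesheet and its font files come from.
const FONT_HOSTS = new Set(['https://fonts.googleapis.com', 'https://fonts.gstatic.com']);

// Subset of external origins that are Google Fonts hosts (the ruling's case).
function hotlinkedFontOrigins(html, pageOrigin) {
  return externalOrigins(html, pageOrigin).filter((o) => FONT_HOSTS.has(o));
}

// Constructed sample: the hot-linked pattern the court found unlawful.
const HOTLINKED = `<head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link href="https://fonts.googleapis.com/css2?family=Roboto&display=swap" rel="stylesheet">
<link href="/site.css" rel="stylesheet"></head>`;

// Constructed sample: the same font served from the site's own origin.
const SELF_HOSTED = `<head><style>
@font-face { font-family: "Roboto"; src: url("/fonts/roboto.woff2") format("woff2"); }
</style><link href="/site.css" rel="stylesheet"></head>`;
```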

Programming

GitHub Fixes a Private-Package-Names Leak and Serious Authorization Bug (bleepingcomputer.com) 21

In 2020 Microsoft's GitHub acquired NPM (makers of the default package manager for Node.js). The company's web page boasts that npm "is a critical part of the JavaScript community and helps support one of the largest developer ecosystems in the world."

But now BleepingComputer reports on two security flaws found (and remediated) in its software registry. Names of private npm packages on npmjs.com's 'replica' server (consumed by third-party services) were leaked — but in addition, a second flaw could've allowed attackers "to publish new versions of any existing npm package that they do not own or have rights to, due to improper authorization checks."

In a blog post this week GitHub's chief security officer explained the details: During maintenance on the database that powers the public npm replica at replicate.npmjs.com, records were created that could expose the names of private packages. This briefly allowed consumers of replicate.npmjs.com to potentially identify the names of private packages due to records published in the public changes feed. No other information, including the content of these private packages, was accessible at any time. Package names in the format of @owner/package for private packages created prior to October 20 were exposed between October 21 13:12:10Z UTC and October 29 15:51:00Z UTC. Upon discovery of the issue, we immediately began work on implementing a fix and determining the scope of the exposure. On October 29, all records containing private package names were removed from the replication database. While these records were removed from the replicate.npmjs.com service on this date, the data on this service is consumed by third-parties who may have replicated the data elsewhere. To prevent this issue from occurring again, we have made changes to how we provision this public replication database to ensure records containing private package names are not generated during this process.

Second, on November 2 we received a report to our security bug bounty program of a vulnerability that would allow an attacker to publish new versions of any npm package using an account without proper authorization. We quickly validated the report, began our incident response processes, and patched the vulnerability within six hours of receiving the report.

We determined that this vulnerability was due to inconsistent authorization checks and validation of data across several microservices that handle requests to the npm registry. In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file. This discrepancy provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package. We mitigated this issue by ensuring consistency across both the publishing service and authorization service to ensure that the same package is being used for both authorization and publishing.

This vulnerability existed in the npm registry beyond the timeframe for which we have telemetry to determine whether it has ever been exploited maliciously. However, we can say with high confidence that this vulnerability has not been exploited maliciously during the timeframe for which we have available telemetry, which goes back to September 2020.
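The authorization bug described above comes down to two services trusting two different copies of the same value. The following is an added model of that mismatch and its fix; it is not npm's or GitHub's code, and the access list, users and package names are constructed.

```javascript
// Constructed access-control list: which user may publish which packages.
const ACL = {
  alice: new Set(['@alice/widget']),
  mallory: new Set(['@mallory/tool']),
};

// Authorization service: decides purely from the package name in the URL path.
function isAuthorized(user, urlPackageName) {
  if (!Object.prototype.hasOwnProperty.call(ACL, user)) return false;
  return ACL[user].has(urlPackageName);
}

function recordVersion(registry, name, version) {
  if (!registry[name]) registry[name] = [];
  registry[name].push(version);
}

// Vulnerable flow: authorization keyed on the URL, the write keyed on the
// uploaded manifest. Returns the package name that was actually written.
function publishVulnerable(registry, user, urlPackageName, manifest) {
  if (!isAuthorized(user, urlPackageName)) throw new Error('forbidden');
  const target = manifest.name; // taken from the upload, never compared to the URL
  recordVersion(registry, target, manifest.version);
  return target;
}

// Hardened flow: reject the request unless both names agree, so the package
// that was authorized is exactly the package that gets written.
function publishFixed(registry, user, urlPackageName, manifest) {
  if (typeof manifest.name !== 'string' || manifest.name !== urlPackageName) {
    throw new Error(`package name mismatch: url=${urlPackageName} manifest=${manifest.name}`);
  }
  if (!isAuthorized(user, urlPackageName)) throw new Error('forbidden');
  recordVersion(registry, urlPackageName, manifest.version);
  return urlPackageName;
}

// Demonstration: mallory is authorized only for @mallory/tool but uploads a
// manifest whose name field says @alice/widget.
function demo() {
  const registryA = { '@alice/widget': ['1.0.0'] };
  const registryB = { '@alice/widget': ['1.0.0'] };
  const mismatched = { name: '@alice/widget', version: '1.0.1' };
  const wrote = publishVulnerable(registryA, 'mallory', '@mallory/tool', mismatched);
  let rejected = false;
  try {
    publishFixed(registryB, 'mallory', '@mallory/tool', mismatched);
  } catch (e) {
    rejected = /mismatch/.test(e.message);
  }
  return {
    wrote, // '@alice/widget': the vulnerable flow wrote to a package mallory does not own
    vulnerableVersions: registryA['@alice/widget'],
    rejected, // true: the consistency check stops the request before any write
    fixedVersions: registryB['@alice/widget'],
  };
}
```

The mismatch error is also the signal a registry operator would want logged: a publish whose path and manifest disagree is either a broken client or an attempt like the one reported here.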

BleepingComputer adds: Both announcements come not too long after popular npm libraries, 'ua-parser-js,' 'coa,' and 'rc' were hijacked in a series of attacks aimed at infecting open source software consumers with trojans and crypto-miners. These attacks were attributed to the compromise of npm accounts [1, 2] belonging to the maintainers behind these libraries.

None of the maintainers of these popular libraries had two-factor authentication (2FA) enabled on their accounts, according to GitHub. Attackers who can manage to hijack npm accounts of maintainers can trivially publish new versions of these legitimate packages, after contaminating them with malware. As such, to minimize the possibility of such compromises from recurring in the near future, GitHub will start requiring npm maintainers to enable 2FA, sometime in the first quarter of 2022.

Government

10 US Government Agencies Plan Expanded Use of Facial Recognition (msn.com) 29

The Washington Post reports that the U.S. government "plans to expand its use of facial recognition to pursue criminals and scan for threats, an internal survey has found, even as concerns grow about the technology's potential for contributing to improper surveillance and false arrests." Ten federal agencies — the departments of Agriculture, Commerce, Defense, Homeland Security, Health and Human Services, Interior, Justice, State, Treasury and Veterans Affairs — told the Government Accountability Office they intend to grow their facial recognition capabilities by 2023, the GAO said in a report posted to its website Tuesday. Most of the agencies use face-scanning technology so employees can unlock their phones and laptops or access buildings, though a growing number said they are using the software to track people and investigate crime. The Department of Agriculture, for instance, said it wants to use it to monitor live surveillance feeds at its facilities and send an alert if it spots any faces also found on a watch list...

The GAO said in June that 20 federal agencies have used either internally developed or privately run facial recognition software, even though 13 of those agencies said they did not "have awareness" of which private systems they used and had therefore "not fully assessed the potential risks ... to privacy and accuracy." In the current report, the GAO said several agencies, including the Justice Department, the Air Force and Immigration and Customs Enforcement, reported that they had used facial recognition software from Clearview AI, a firm that has faced lawsuits from privacy groups and legal demands from Google and Facebook after it copied billions of facial images from social media without their approval... Many federal agencies said they used the software by requesting that officials in state and local governments run searches on their own software and report the results. Many searches were routed through a nationwide network of "fusion centers," which local police and federal investigators use to share information on potential threats or terrorist attacks...

U.S. Customs and Border Protection officials, who have called the technology "the way of the future," said earlier this month that they had run facial recognition scans on more than 88 million travelers at airports, cruise ports and border crossings. The systems, the officials said, have detected 850 impostors since 2018 — or about 1 in every 103,000 faces scanned.

Transportation

Tesla Accused of Environmental Rule Violations In US and Germany (cnbc.com) 127

Rei_is_a_dumbass shares a report from CNBC: Tesla is defending itself in the U.S. and Germany against allegations that it has violated environmental rules and regulations, according to a new financial filing. In the U.S., the Environmental Protection Agency accused Tesla last week of failing to prove it is in compliance with federal emissions standards for hazardous air pollutants. Specifically, the EPA is seeking details about how Tesla handles "surface coating" of its vehicles. As CNBC has previously reported, the "paint shop" at Tesla's main U.S. car plant in Fremont, California, has a history of problems, including fires, improper cleaning and maintenance. Some vehicle re-touching, to fix flaws in paint on the cars, has been done in a tented "paint hospital" at the Fremont factory, employees previously told CNBC. In 2020, Tesla embarked on massive improvements to its paint facilities, Fremont building permits revealed.

Tesla said in the filing Wednesday that the company "has responded to all information requests from the EPA and refutes the allegations." The company does not expect any "material adverse impact" on its business from its dealings with the EPA in this matter. Tesla is also still tangling with local air quality authorities in California -- the Bay Area Air Quality Management District -- over previously disclosed "notices of violation," relating to "air permitting and related compliance for the Fremont Factory."

In Germany, Wednesday's financial filing said, authorities have fined Tesla 12 million euros, or about $14.5 million, for allegedly failing to make public notifications and properly fulfill their obligations to take back old batteries from customers. German law requires automakers selling electric cars to take back batteries and dispose of them in an environmentally sustainable manner. Tesla wrote in the filing: "This is primarily relating to administrative requirements, but Tesla has continued to take back battery packs." Tesla filed an objection in Germany and said that the matter should not have a material impact on Tesla's business.

AI

Could an Ethically-Correct AI Shut Down Gun Violence? (thenextweb.com) 513

The Next Web writes: A trio of computer scientists from the Rensselaer Polytechnic Institute in New York recently published research detailing a potential AI intervention for murder: an ethical lockout. The big idea here is to stop mass shootings and other ethically incorrect uses for firearms through the development of an AI that can recognize intent, judge whether it's ethical use, and ultimately render a firearm inert if a user tries to ready it for improper fire...

Clearly the contribution here isn't the development of a smart gun, but the creation of an ethically correct AI. If criminals won't put the AI on their guns, or they continue to use dumb weapons, the AI can still be effective when installed in other sensors. It could, hypothetically, be used to perform any number of functions once it determines violent human intent. It could lock doors, stop elevators, alert authorities, change traffic light patterns, text location-based alerts, and any number of other reactionary measures including unlocking law enforcement and security personnel's weapons for defense...

Realistically, it takes a leap of faith to assume an ethical AI can be made to understand the difference between situations such as, for example, home invasion and domestic violence, but the groundwork is already there. If you look at driverless cars, we know people have already died because they relied on an AI to protect them. But we also know that the potential to save tens of thousands of lives is too great to ignore in the face of a, so far, relatively small number of accidental fatalities...
