Domain: documentcloud.org
Stories and comments across the archive that link to documentcloud.org.
Stories · 223
LA Councilman Asks City Attorney To 'Review Possible Legal Action' Against Waze (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Yet another Los Angeles city councilman has taken Waze to task for creating "dangerous conditions" in his district, and the politician is now "asking the City to review possible legal action." "Waze has upended our City's traffic plans, residential neighborhoods, and public safety for far too long," LA City Councilman David Ryu said in a statement released Wednesday. "Their responses have been inadequate and their solutions, non-existent. They say the crises of congestion they cause is the price for innovation -- I say that's a false choice." In a new letter sent to the City Attorney's Office, Ryu formally asked Los Angeles' top attorney to examine Waze's behavior. While Ryu said he supported "advances in technology," he decried Waze and its parent company, Google, for refusing "any responsibility for the traffic problems their app creates or the concerns of residents and City officials." -
Facebook Must Face Class-Action Lawsuit Over Facial Recognition, Says Judge (kfgo.com)
U.S. District Judge James Donato ruled on Monday that Facebook must face a class-action lawsuit alleging that the social network unlawfully used a facial recognition process on photos without user permission. Donato ruled that a class-action was the most efficient way to resolve the dispute over facial templates. KFGO reports: Facebook said it was reviewing the ruling. "We continue to believe the case has no merit and will defend ourselves vigorously," the company said in a statement. Lawyers for the plaintiffs could not immediately be reached for comment. Facebook users sued in 2015, alleging violations of an Illinois state law about the privacy of biometric information. The class will consist of Facebook users in Illinois for whom Facebook created and stored facial recognition algorithms after June 7, 2011, Donato ruled. That is the date when Facebook launched "Tag Suggestions," a feature that suggests people to tag after a Facebook user uploads a photo. In the U.S. court system, certification of a class is typically a major hurdle that plaintiffs in proposed class actions need to overcome before reaching a possible settlement or trial. -
ICE Uses Facebook Data To Find and Track Immigrants, Internal Emails Show (theintercept.com)
An anonymous reader quotes a report from The Intercept: ICE, the federal agency tasked with Trump's program of mass deportation, uses backend Facebook data to locate and track immigrants that it is working to round up, according to a string of emails and documents obtained by The Intercept through a public records request. The hunt for one particular immigrant in New Mexico provides a rare window into how ICE agents use social media and powerful data analytics tools to find suspects. In February and March of 2017, several ICE agents were in communication with a detective from Las Cruces, New Mexico, to find information about a particular person. They were ultimately able to obtain backend Facebook data revealing a log of when the account was accessed and the IP addresses corresponding to each login. Lea Whitis, an agent with Homeland Security Investigations, the investigative arm of ICE, emailed the team a "Facebook Business Record" revealing the suspect's phone number and the locations of each login into his account during a date range. Law enforcement agents routinely use bank, telephone, and internet records for investigations, but the extent to which ICE uses social media is not well known. -
Craigslist Personals, Some Subreddits Disappear After FOSTA Passage (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: In the wake of this week's passage of the Allow States and Victims to Fight Online Sex Trafficking Act (FOSTA) bill in both houses of Congress on Wednesday, Craigslist has removed its "Personals" section entirely, and Reddit has removed some related subreddits, likely out of fear of future lawsuits. FOSTA, which awaits the signature of President Donald Trump before becoming law, removes some portions of Section 230 of the Communications Decency Act. The landmark 1996 law shields website operators that host third-party content (such as commenters, for example) from civil liability. The new bill is aimed squarely at Backpage, a notorious website that continues to allow prostitution advertisements and has been under federal scrutiny for years. In a bizarre turn of events, the Department of Justice also warned the House in February 2018 that the bill "raises a serious constitutional concern," as it would apply retroactively -- a seeming violation of the Constitution's ex post facto clause. Congress passed it anyway. The Electronic Frontier Foundation wrote in a blog post: "It's easy to see the impact that this ramp-up in liability will have on online speech: facing the risk of ruinous litigation, online platforms will have little choice but to become much more restrictive in what sorts of discussion -- and what sorts of users -- they allow, censoring innocent people in the process." -
'Women At Microsoft Are Sexualized By Their Male Managers,' Lawsuit Alleges (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: According to a newly unsealed court filing, women at Microsoft who work in technical jobs filed 238 internal complaints pertaining to gender discrimination or sexual harassment from 2010 through 2016. The new document was first reported Monday evening by Reuters. The figures were revealed as part of a proposed class-action lawsuit originally filed in 2015 (Moussouris v. Microsoft). The female plaintiffs argue that the company's internal rating system discriminates against women and disfavors professional advancement for women.
As part of the class certification process and civil discovery, Microsoft handed over years of records to the plaintiffs' lawyers. In the Monday-released filing, which was originally submitted to the court in October 2017, Moussouris' lawyer, Michael Subit, wrote that "Microsoft's Culture is Rife with Sexual Harassment" before continuing: "Company records indicate that women at Microsoft are sexualized by their male managers and coworkers, leading to a substantial number of incidents of alleged sexual harassment, and even several incidents of sexual assault, that often go unpunished." Specifically, Subit continued, Microsoft's internal unit (known as "ERIT") received 108 complaints of sexual harassment filed by female US-based technical employees, 119 complaints of gender discrimination, eight complaints of retaliation, and three complaints of pregnancy discrimination. Out of all of the claimed instances of gender discrimination, Microsoft's internal investigation only found that one such complaint was "founded." -
Bay Area Cities Consider Rideshare Tax On Uber, Lyft (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: A local city council member is beginning to float the idea of taxing ridehailing companies like Uber and Lyft as a possible way to raise millions of dollars and help pay for local public transportation and infrastructure improvements. If the effort is successful, Oakland could become the first city in California -- Uber and Lyft's home state -- to impose such a tax. However, it's not clear whether Oakland or any other city in the Golden State has the authority to do so under current state rules. Councilwoman Rebecca Kaplan told the East Bay Express that she wants the city council to put forward a ballot measure that would tax such rides. A similar proposal in nearby San Francisco, projecting a fee of $0.20 to $1 per ride, would allow the city to collect an estimated $12.5 to $62.5 million annually. However, an October 2017 city analysis noted that San Francisco "cannot initiate locally without state authorizing legislation" and that the fee "may disproportionately impact lower-income households." -
California Becomes 18th State To Consider Right To Repair Legislation (vice.com)
Jason Koebler shares a report from Motherboard: The right to repair battle has come to Silicon Valley's home state: Wednesday, a state assembly member announced that California would become the 18th state in the country to consider legislation that would make it easier to repair your electronics. "The Right to Repair Act will provide consumers with the freedom to have their electronic products and appliances fixed by a repair shop or service provider of their choice, a practice that was taken for granted a generation ago but is now becoming increasingly rare in a world of planned obsolescence," Susan Talamantes Eggman, a Democrat from Stockton who introduced the bill, said in a statement. The announcement had been rumored for about a week but became official Wednesday. The bill would require electronics manufacturers to make repair guides and repair parts available to the public and independent repair professionals and would also make diagnostic software and tools that are available to authorized and first-party repair technicians available to independent companies. -
FBI Again Calls For Magical Solution To Break Into Encrypted Phones (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: FBI Director Christopher Wray again has called for a solution to what the bureau calls the "Going Dark" problem, the idea that the prevalence of default strong encryption on digital devices makes it more difficult for law enforcement to extract data during an investigation. However, in a Wednesday speech at Boston College, Wray again did not outline any specific piece of legislation or technical solution that would provide both strong encryption and allow the government to access encrypted devices when it has a warrant. A key escrow system, with which the FBI or another entity would be able to unlock a device given a certain set of circumstances, is by definition weaker than what cryptographers would traditionally call "strong encryption." There's also the problem of how to compel device and software makers to impose such a system on their customers -- similar efforts were attempted during the Clinton administration, but they failed. A consensus of technical experts has said that what the FBI has asked for is impossible. "I recognize this entails varying degrees of innovation by the industry to ensure lawful access is available," Wray said Wednesday. "But I just don't buy the claim that it's impossible. Let me be clear: the FBI supports information security measures, including strong encryption. Actually, the FBI is on the front line fighting cyber crime and economic espionage. But information security programs need to be thoughtfully designed so they don't undermine the lawful tools we need to keep the American people safe." -
New LTE Attacks Can Snoop On Messages, Track Locations, and Spoof Emergency Alerts (zdnet.com)
An anonymous reader quotes a report from ZDNet: A slew of newly discovered vulnerabilities can wreak havoc on 4G LTE network users by eavesdropping on phone calls and text messages, knocking devices offline, and even spoofing emergency alerts. Ten attacks detailed in a new paper by researchers at Purdue University and the University of Iowa expose weaknesses in three critical protocol operations of the cellular network, such as securely attaching a device to the network and maintaining a connection to receive calls and messages. Those flaws can allow authentication relay attacks that can allow an adversary to connect to a 4G LTE network by impersonating an existing user -- such as a phone number. Although authentication relay attacks aren't new, this latest research shows that they can be used to intercept messages, track a user's location, and stop a phone from connecting to the network. By using common software-defined radio devices and open source 4G LTE protocol software, anyone can build the tool to carry out attacks for as little as $1,300 to $3,900, making the cost low enough for most adversaries. The researchers aren't releasing the proof-of-concept code until the flaws are fixed, however. -
Coinbase: We Will Send Data On 13,000 Users To IRS (arstechnica.com)
Coinbase has formally notified its customers that it will be complying with a court order and handing over the user data for about 13,000 of its customers to the Internal Revenue Service. Ars Technica reports: The case began back in November 2016 when the IRS went to a federal judge in San Francisco to enforce an initial order that would have required the company to hand over the data of all users who transacted on the site between 2013 and 2015 as part of a tax evasion investigation. Coinbase resisted the IRS' request in court. But by November 2017, after a hearing, U.S. Magistrate Judge Jacqueline Scott Corley narrowed the request to only cover 13,000 particular individuals. The San Francisco-based startup is now required to provide "taxpayer ID, name, birth date, address, and historical transaction records for certain higher-transacting customers during the 2013-2015 period." Coinbase reminded its users that it is "unable to provide legal or tax advice." The company also noted, "If you have concerns about this, we encourage you to seek legal advice from an attorney promptly. Coinbase expects to produce the information covered by the court's order within 21 days." -
How a Fight Over Star Wars Download Codes Could Reshape Copyright Law (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: A federal judge in California has rejected Disney's effort to stop Redbox from reselling download codes of popular Disney titles like Frozen, Beauty and the Beast, and the latest Star Wars movies. Judge Dean Pregerson's Tuesday ruling invoked the little-used doctrine of copyright misuse, which holds that a copyright holder loses the right to enforce a copyright if the copyright is being abused. Pregerson faulted Disney for tying digital download codes to physical ownership of discs, a practice that he argued ran afoul of copyright's first sale doctrine, which guarantees customers the right to resell used DVDs.
If the ruling were upheld on appeal, it would have sweeping implications. It could potentially force Hollywood studios to stop bundling digital download codes with physical DVDs and force video game companies to rethink their own practices. But James Grimmelmann, a copyright scholar at Cornell Law School, is skeptical that the ruling will survive an inevitable appeal from Disney. "I don't see this one sticking," Grimmelmann told Ars. Copyright misuse has such sweeping legal implications that an appeals court will be reluctant to apply it to a common movie industry practice. -
US Border Officials Haven't Properly Verified Visitor Passports For More Than a Decade Due To Improper Software (zdnet.com)
An anonymous reader quotes a report from ZDNet: U.S. border officials have failed to cryptographically verify the passports of visitors to the U.S. for more than a decade -- because the government didn't have the proper software. The revelation comes from a letter by Sens. Ron Wyden (D-OR) and Claire McCaskill (D-MO), who wrote to U.S. Customs and Border Protection (CBP) acting commissioner Kevin K. McAleenan to demand answers. E-passports have an electronic chip containing cryptographic information and machine-readable text, making it easy to verify a passport's authenticity and integrity. That cryptographic information makes it almost impossible to forge a passport, and it helps to protect against identity theft. Introduced in 2007, all newly issued passports are now e-passports. Citizens of the 38 countries on the visa waiver list must have an e-passport in order to be admitted to the U.S. But according to the senators' letter, sent Thursday, border staff "lacks the technical capabilities to verify e-passport chips." Although border staff have deployed e-passport readers at most ports of entry, "CBP does not have the software necessary to authenticate the information stored on the e-passport chips." "Specifically, CBP cannot verify the digital signatures stored on the e-passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged," the letter stated. Wyden and McCaskill said in the letter that Customs and Border Protection has "been aware of this security lapse since at least 2010." -
Judge Won't Let FCC's Net Neutrality Repeal Stop Lawsuit Alleging Charter Throttled Netflix (hollywoodreporter.com)
An anonymous reader quotes a report from The Hollywood Reporter: [I]n the first significant decision referring to the repeal [of net neutrality] since FCC chairman Ajit Pai got his way, a New York judge on Friday ruled that the rescinding of net neutrality rules wasn't relevant to an ongoing lawsuit against Charter Communications. New York Attorney General Eric Schneiderman filed the lawsuit almost exactly a year ago today. It's alleged that Charter's Spectrum-TWC service promised internet speeds it knew it couldn't deliver and that Spectrum-TWC also misled subscribers by promising reliable access to Netflix, online content and online games. According to the complaint, the ISP intentionally failed to deliver reliable service in a bid to extract fees from backbone and content providers. When Netflix wouldn't pay, this "resulted in subscribers getting poorer quality streams during the very hours when they were most likely to access Netflix," and after Netflix agreed to pay demands, service "improved dramatically." This arguably is the kind of thing that net neutrality was supposed to prevent. And Charter itself pointed to the net neutrality repeal in a bid to block Schneiderman's claims that Charter had engaged in false advertising and deceptive business practices. New York Supreme Court Justice O. Peter Sherwood isn't sold.
He writes in an opinion that the FCC's order "which promulgates a new deregulatory policy effectively undoing network neutrality, includes no language purporting to create, extend or modify the preemptive reach of the Transparency Rule," referring to how ISPs have to disclose "actual network performance." And although Charter attempted to argue that the FCC clarified its intent to stop state and local governments from imposing disclosure obligations on broadband providers that were inconsistent with FCC's rules, Sherwood notes other language from the "Restoring Internet Freedom Order" about how states will "continue to play their vital role in protecting consumers from fraud, enforcing fair business practices... and generally responding to consumer inquiries and complaints." -
France's Telecom Regulator Thinks Net Neutrality Should Also Apply To Devices
An anonymous reader quotes a report from TechCrunch: The ARCEP, France's equivalent of the FCC in the U.S., wants to go beyond telecommunications companies. While many regulatory authorities have focused on carriers and internet service providers, the French authority thinks Google, Apple, Amazon and all the big tech companies also need their own version of net neutrality. The ARCEP just published a thorough 65-page report about the devices we use every day. The report says that devices give you a portion of the internet and prevent an open internet. "With net neutrality, we spend all our time cleaning pipes, but nobody is looking at faucets," ARCEP president Sebastien Soriano told me. "Everybody assumes that the devices that we use to go online don't have a bias. But if you want to go online, you need a device just like you need a telecom company."
Now that net neutrality has been laid down in European regulation, the ARCEP has been looking at devices for the past couple of years. And it's true that you can feel you're stuck in an ecosystem once you realize you have to use Apple Music on an Apple Watch, or the Amazon Echo assumes you want to buy stuff on Amazon.com when you say "Alexa, buy me a toothbrush." Voice assistants and connected speakers are even less neutral than smartphones. Game consoles, smartwatches and connected cars all share the same issues. The ARCEP doesn't think we should go back to computers and leave our phones behind. This isn't a debate about innovation versus regulation. Regulation can also foster innovation. "This report has listed for the first time ever all the limitations you face as a smartphone user," Soriano said. "By users, we mean both consumers and developers who submit apps in the stores." -
Tinder Must Stop Charging Its Older Users More For 'Plus' Features, Court Rules (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: The online dating service Tinder must change one of its key monetization strategies. A Los Angeles appellate court reversed a lower court's decision on Monday and told Tinder to stop charging older users more money per month for its "Tinder Plus" service. The proposed class-action lawsuit, filed by Tinder user Allan Candelore in February 2016, alleged that Tinder engaged in illegal age discrimination by charging its 30-and-older users $19.99 per month for Tinder Plus while offering younger users either $9.99 or $14.99 monthly subscription rates for the same services. Tinder Plus includes app perks such as additional "super-likes" which are more likely to attract a dater's response. In an initial trial, Tinder's defense argued that the pricing was based on market testing that showed a market-driven reason to offer lower prices to "budget constrained" users.
"Nothing in the [original] complaint suggests there is a strong public policy that justifies the alleged discriminatory pricing," Judge Brian Currey wrote in the appeal court's 3-0 ruling. "Accordingly, we swipe left" -- a joke based on the app's popular "swipe to reject" gesture -- "and reverse." That reversal hinges largely on California's Unruh Civil Rights Act, which was passed in 1959 and protects "equal access to public accommodations and prohibits discrimination by business establishments." The ruling noted that some business-led discrimination is allowed by California state law, but it agreed with Candelore's argument that Tinder's age-targeted pricing is not. -
Xerox Cedes Control To Fujifilm, Ending Its Independence (bloomberg.com)
mikeebbbd writes: According to Bloomberg, "Xerox, a once-iconic American innovator that became synonymous with office copy machines, is ceding control to Japan's Fujifilm in a deal that creates an $18 billion company." Essentially, it's merging with Fujifilm; a former joint venture operating in the Asian-Pacific area essentially will become the parent company... So much for the company that actually invented the modern graphical user interface later popularized by Apple and Microsoft. "The agreement marks the end of independence for a U.S. company whose roots trace back to the start of the 20th century," reports Bloomberg. "The joint venture will cut 10,000 jobs in Asia as part of the restructuring as the Japanese company struggles with an 'increasingly severe' market environment." While the new company will have a combined revenue of $18 billion, Xerox was acquired by Fujifilm for $6.1 billion. -
Tesla Pushes Even More States To Upend Auto Dealer-Friendly Laws (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Tesla is now pressing ahead with lobbying efforts that would allow it to expand its direct dealerships in two more states: Nebraska and Wisconsin. For now, more than 20 states already allow the California automaker to sell its own vehicles, while others have set up a system that at least partially bans manufacturers from direct sales and effectively protects auto dealers. Those states include Texas, Michigan, West Virginia, and Utah, among others. Last year, court rulings and changes in the law in Arizona, Missouri, Indiana, and other states have paved the way for Tesla to sell directly to the public. In Nebraska, the new bill under consideration is known as LB 830. It has been met with opposition from existing dealers who are concerned that other manufacturers like GM or Ford will want a similar arrangement. Similarly, in Wisconsin, SB 605 would carve out an exception in state law for a "manufacturer [whose] motor vehicles... are propelled solely by electric power." -
Facial Scans at US Airports Violate Americans' Privacy, Report Says (nytimes.com)
Ron Nixon, writing for The New York Times: A new report concludes that a Department of Homeland Security pilot program improperly gathers data on Americans when it requires passengers embarking on foreign flights to undergo facial recognition scans to ensure they haven't overstayed visas. The report, released on Thursday by researchers at the Center on Privacy and Technology at Georgetown University's law school, called the system an invasive surveillance tool that the department has installed at nearly a dozen airports without going through a required federal rule-making process. The report's authors examined dozens of Department of Homeland Security documents and raised questions about the accuracy of facial recognition scans. They said the technology had high error rates and is subject to bias, because the scans often fail to properly identify women and African-Americans. "It's telling that D.H.S. cannot identify a single benefit actually resulting from airport face scans at the departure gate," said Harrison Rudolph, an associate at the center and one of the report's co-authors. "D.H.S. doesn't need a face-scanning system to catch travelers without a photo on file. It's alarming that D.H.S. still hasn't supplied evidence for the necessity of this $1 billion program," he added. -
Dozens of Companies Are Using Facebook To Exclude Older Workers From Job Ads (propublica.org)
An anonymous reader quotes a report from ProPublica: Verizon is among dozens of the nation's leading employers -- including Amazon, Goldman Sachs, Target and Facebook itself -- that placed recruitment ads limited to particular age groups, an investigation by ProPublica and The New York Times has found. The ability of advertisers to deliver their message to the precise audience most likely to respond is the cornerstone of Facebook's business model. But using the system to expose job opportunities only to certain age groups has raised concerns about fairness to older workers. Several experts questioned whether the practice is in keeping with the federal Age Discrimination in Employment Act of 1967, which prohibits bias against people 40 or older in hiring or employment. Many jurisdictions make it a crime to "aid" or "abet" age discrimination, a provision that could apply to companies like Facebook that distribute job ads.
Facebook defended the practice. "Used responsibly, age-based targeting for employment purposes is an accepted industry practice and for good reason: it helps employers recruit and people of all ages find work," said Rob Goldman, a Facebook vice president. The revelations come at a time when the unregulated power of the tech companies is under increased scrutiny, and Congress is weighing whether to limit the immunity that it granted to tech companies in 1996 for third-party content on their platforms. -
DOJ Confirms Uber Is Being Investigated For Criminal Behavior (arstechnica.com)
A newly released letter from the Department of Justice has formally acknowledged that federal prosecutors have an open criminal investigation into Uber. Ars Technica reports: Late last month, as part of the proceedings in the high-profile and ongoing Waymo v. Uber trade secrets lawsuit, U.S. District Judge William Alsup said that on November 22 he had received a letter from San Francisco-based federal prosecutors. It is very unusual for a judge in a civil case to be apprised of a pending criminal investigation involving one of the litigants. In a separate November 28 letter sent to Judge Alsup, Acting U.S. Attorney Alex Tse asked that the first letter not be made public. The judge unsealed both letters on Wednesday. The first letter was signed by two prosecutors, Matthew Parrella and Amie Rooney. Those attorneys are assigned to the Computer Hacking and Intellectual Property (CHIP) Unit at the United States Attorney's Office in San Jose. [T]he letter could mean Uber and/or its current or former employees may be under investigation for possible crimes under the Computer Fraud and Abuse Act, a longstanding anti-hacking law. -
US Says It Doesn't Need a Court Order To Ask Tech Companies To Build Encryption Backdoors (gizmodo.com)
schwit1 shares a report from Gizmodo: According to statements from July released this weekend, intelligence officials told members of the Senate Intelligence Committee that there's no need for them to approach courts before requesting a tech company help willfully -- though they can always resort to obtaining a Foreign Intelligence Surveillance Court order if the company refuses. The documents show officials testified they had never needed to obtain such an FISC order, though they declined to tell the committee whether they had "ever asked a company to add an encryption backdoor," per ZDNet. Other reporting has suggested the FISC has the power to authorize government personnel to compel such technical assistance without even notifying the FISC of what exactly is required. Section 702 of the Foreign Intelligence Surveillance Act gives authorities additional powers to compel service providers to build backdoors into their products. -
Democrat Senators Introduce National Data Breach Notification Law (cyberscoop.com)
New submitter unarmed8 shares a report from CyberScoop: Three Democratic senators introduced legislation on Thursday requiring companies to notify customers of data breaches within thirty days of their discovery and imposing a five year prison sentence on organizations caught concealing data breaches. The new bill, called the Data Security and Breach Notification Act, was introduced in the wake of reports that Uber paid $100,000 to cover up a 2016 data breach that affected 57 million users. The scope of what kind of data breach falls under this is limited. For instance, if only a last name, address or phone number is breached, the law would not apply. If an organization "reasonably concludes that there is no reasonable risk of identity theft, fraud, or other unlawful conduct," the incident is considered exempt from the legislation.
"We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers," Sen. Bill Nelson, D-Fla., said in a statement. "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what's best for consumers, the choice is clear." -
Code Bootcamp Fined $375K Over Employment Claims and Licensing Issues (arstechnica.com)
An anonymous reader quotes Ars Technica: [O]ne of the most prominent institutions, New York's Flatiron School, will be shelling out $375,000 to settle charges brought by New York Attorney General Eric Schneiderman's office. The AG said the school operated for a period without the proper educational license, and it improperly marketed both its job placement rates and the salaries of its graduates. New York regulators didn't find any inaccuracies in Flatiron's "outcomes report," a document the company is proud of. However, the Attorney General's office found that certain statements made on Flatiron's website didn't constitute "clear and conspicuous" disclosure.
For instance, Flatiron claimed that 98.5 percent of graduates were employed within 180 days of graduation. However, only by carefully reading the outcomes report would one find that the rate included not just full-time employees, but apprentices, contract workers, and freelancers. Some of the freelancers worked for less than 12 weeks. The school also reported an average salary of $74,447 but didn't mention on its website that the average salary claim only applied to graduates who achieved full-time employment. That group comprised only 58 percent of classroom graduates and 39 percent of those who took online courses.
The school's courses last 12 to 16 weeks, and cost between $12,000 and $15,000, according to a statement from the attorney general's office [PDF]. (Or $1,500 a month for an online coding class). Eligible graduates can claim their share of the $375,000 by filing a complaint within the next three months. -
Tribal 'Sovereign Immunity' Patent Protection Could Be Outlawed (arstechnica.com)
AnalogDiehard writes: The recent -- and questionable -- practice of technological and pharmaceutical companies selling their patents to U.S. native Indian tribes (where they enjoy "sovereign immunity" from the inter partes review (IPR) process of the PTO) and then the tribes licensing them back to the companies is drawing scrutiny from a federal court and has inspired a new U.S. bill outlawing the practice. The IPR process is a "fast track" (read: much less expensive) process through the PTO to review the validity of challenged patents -- it is loved by defendants and hated by patent holders. Not only has U.S. Circuit Judge William Bryson invalidated Allergan's pharmaceutical patents due to "obviousness," he is questioning the legitimacy of the sovereign immunity tactic. The judge was well aware that the tactic could endanger the IPR process, which was a central component of the America Invents Act of 2011, and writes that sovereign immunity "should not be treated as a monetizable commodity that can be purchased by private entities as part of a scheme to evade their legal responsibility." U.S. Senator Claire McCaskill (D-Mo.) -- no stranger to abuses of the patent system -- has introduced a bill that would outlaw the practice she describes as "one of the most brazen and absurd loopholes I've ever seen and it should be illegal." Sovereign immunity is not absolute and has been limited by Congress and the courts in the past. The bill would apply only to the IPR proceedings and not to patent disputes in federal courts. -
Netflix, Amazon, Movie Studios Sue Over TickBox Streaming Device (arstechnica.com)
Movie studios, Netflix, and Amazon have teamed up to file a lawsuit against a streaming media player called TickBox TV. The device in question runs Kodi on top of Android 6.0, and searches the internet for streams that it can make available to users without actually hosting any of the content itself. An anonymous reader quotes a report from Ars Technica: The complaint (PDF), filed Friday, says the TickBox devices are nothing more than "tool[s] for mass infringement," which operate by grabbing pirated video streams from the Internet. The lawsuit was filed by Amazon and Netflix Studios, along with six big movie studios that make up the Motion Picture Association of America: Universal, Columbia, Disney, Paramount, 20th Century Fox, and Warner Bros.
"What TickBox actually sells is nothing less than illegal access to Plaintiffs' copyrighted content," write the plaintiffs' lawyers. "TickBox TV uses software to link TickBox's customers to infringing content on the Internet. When those customers use TickBox TV as Defendant intends and instructs, they have nearly instantaneous access to multiple sources that stream Plaintiffs' Copyrighted Works without authorization." The device's marketing materials let users know the box is meant to replace paid-for content, with "a wink and a nod," by predicting that prospective customers who currently pay for Amazon Video, Netflix, or Hulu will find that "you no longer need those subscriptions." The lawsuit shows that Amazon and Netflix, two Internet companies that are relatively new to the entertainment business, are more than willing to join together with movie studios to go after businesses that grab their content. -
Every Patch For 'KRACK' Wi-Fi Vulnerability Available Right Now (zdnet.com)
An anonymous reader quotes a report from ZDNet: As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for Key Reinstallation Attack -- is at heart a fundamental flaw in the way Wi-Fi Protected Access II (WPA2) operates. According to security researcher and academic Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device. In total, ten CVE numbers have been reserved to describe the vulnerability and its impact, and according to the U.S. Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks. A list of the patches available is below. For the most up-to-date list with links to each patch/statement (if available), visit ZDNet's article.
Apple: The iPhone and iPad maker confirmed to sister-site CNET that fixes for iOS, macOS, watchOS and tvOS are in beta, and will be rolling it out in a software update in a few weeks.
Arris: a spokesperson said the company is "committed to the security of our devices and safeguarding the millions of subscribers who use them," and is "evaluating" its portfolio. The company did not say when it will release any patches.
Aruba: Aruba has been quick off the mark with a security advisory and patches available for download for ArubaOS, Aruba Instant, Clarity Engine and other software impacted by the bug.
AVM: This company may not be taking the issue seriously enough: despite being aware of the issue, it will not be issuing security fixes "unless necessary," citing the bug's "limited attack vector."
Cisco: The company is currently investigating exactly which products are impacted by KRACK, but says that "multiple Cisco wireless products are affected by these vulnerabilities."
"Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi Protected Access protocol standards," a Cisco spokesperson told ZDNet. "When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention.
"Fixes are already available for select Cisco products, and we will continue publishing additional software fixes for affected products as they become available," the spokesperson said.
In other words, some patches are available, but others are pending the investigation.
Espressif Systems: The Chinese vendor has begun patching its chipsets, namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards for a fix.
Fortinet: At the time of writing there was no official advisory, but based on Fortinet's support forum, it appears that FortiAP 5.6.1 is no longer vulnerable to most of the CVEs linked to the attack, but the latest branch, 5.4.3, may still be impacted. Firmware updates are expected.
FreeBSD Project: There is no official response at the time of writing.
Google: Google told sister-site CNET that the company is "aware of the issue, and we will be patching any affected devices in the coming weeks."
HostAP: The Linux driver provider has issued several patches in response to the disclosure.
Intel: Intel has released a security advisory listing updated Wi-Fi drivers and patches for affected chipsets, as well as Intel Active Management Technology, which is used by system manufacturers.
Linux: As noted on Charged, a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July.
Netgear: Netgear has released fixes for some router hardware. The full list can be found here.
Microsoft: While Windows machines are generally considered safe, the Redmond giant isn't taking any chances and has released a security fix available through automatic updates.
MikroTik: The vendor has already released patches that fix the vulnerabilities.
OpenBSD: Patches are now available.
Ubiquiti Networks: A new firmware release, version 3.9.3.7537, protects users against the attack.
Wi-Fi Alliance: The group is offering a tool to detect KRACK for members and requires testing for the bug for new members.
Wi-Fi Standard: A fix is available for vendors but not directly for end users. -
WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping (zdnet.com)
A security protocol at the heart of most modern Wi-Fi devices, including computers, phones, and routers, has been broken, putting almost every wireless-enabled device at risk of attack. From a report: The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network. That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream. In other words: hackers can eavesdrop on your network traffic. The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk. "If your device supports Wi-Fi, it is most likely affected," said Vanhoef, on his website. News of the vulnerability was later confirmed on Monday by US Homeland Security's cyber-emergency unit US-CERT, which about two months ago had confidentially warned vendors and experts of the bug, ZDNet has learned. -
Cyberstalking Suspect Arrested After VPN Providers Shared Logs With the FBI (bleepingcomputer.com)
An anonymous reader writes: "VPN providers often advertise their products as a method of surfing the web anonymously, claiming they never store logs of user activity," writes Bleeping Computer, "but a recent criminal case shows that at least some do store user activity logs." According to the FBI, VPN providers played a key role in identifying an aggressive cyberstalker by providing detailed logs to authorities, even if they claimed in their privacy policies that they don't. The suspect is a 24-year-old man who hacked his roommate, published her private journal, made sexually explicit collages, sent threats to schools in the victim's name, and registered accounts on adult portals, sending men to the victim's house...
FBI agents also obtained Google records on their suspect, according to a 29-page affidavit which, ironically, includes the text of one of his tweets warning people that VPN providers do in fact keep activity logs. "If they can limit your connections or track bandwidth usage, they keep logs." -
Supreme Court Won't Hear Kim Dotcom's Civil Forfeiture Case (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Kim Dotcom's civil forfeiture case will not be heard before the Supreme Court this term, America's highest court ruled on Monday. The civil forfeiture case was brought 18 months after 2012 American criminal charges related to alleged copyright infringement against Dotcom and his now-shuttered company, Megaupload. In the forfeiture case, prosecutors specifically outlined why the New Zealand seizure of Dotcom's assets on behalf of the American government was valid. Seized items include millions of dollars in various seized bank accounts in Hong Kong and New Zealand, the Dotcom mansion, several luxury cars, four jet skis, two 108-inch TVs, three 82-inch TVs, a $10,000 watch, and a photograph by Olaf Mueller worth over $100,000.
"We are disappointed in the denial of the cert petition -- it is a bad day for due process and international treaties," Ira Rothken, Dotcom's chief global counsel, told Ars. "Kim Dotcom has never been to the United States, is presumed innocent, and is lawfully opposing extradition under the United States-New Zealand Treaty -- yet the United States by merely labeling him as a fugitive gets a judgement to take all of his assets with no due process," Rothken said. "The New Zealand and Hong Kong courts, who have authority over the assets, will now need to weigh in on this issue and we are cautiously optimistic that they will take a dim view of the Fugitive Disentitlement Doctrine and oppose US efforts to seize such assets." -
ShadowBrokers Releases NSA UNITEDRAKE Manual That Targets Windows Machines (schneier.com)
AmiMoJo shares a report from Schneier on Security: The ShadowBrokers released the manual for UNITEDRAKE, a sophisticated NSA Trojan that targets Windows machines: "Able to compromise Windows PCs running on XP, Windows Server 2003 and 2008, Vista, Windows 7 SP 1 and below, as well as Windows 8 and Windows Server 2012, the attack tool acts as a service to capture information. UNITEDRAKE, described as a 'fully extensible remote collection system designed for Windows targets,' also gives operators the opportunity to take complete control of a device. The malware's modules -- including FOGGYBOTTOM and GROK -- can perform tasks including listening in and monitoring communication, capturing keystrokes and both webcam and microphone usage, impersonating users, stealing diagnostics information and self-destructing once tasks are completed." -
Jury Finds Nintendo Wii Infringes Dallas Inventor's Patent, Awards $10 Million (arstechnica.com)
A jury has ruled that Nintendo must pay $10.1 million because its Wii and Wii U systems infringe a patent belonging to a Dallas medical motion-detection company. Ars Technica reports: iLife sued Nintendo (PDF) in 2013 after filing lawsuits against four other companies in 2012. The case went to a jury trial in Dallas, and yesterday the jury returned its verdict (PDF). They found that Nintendo infringed U.S. Patent No. 6,864,796, first filed in 1999, which describes "systems and methods for evaluating movement of a body relative to an environment." The patent drawings show a body-mounted motion detector that could detect falls in the elderly, which is the market that iLife was targeting, according to its now defunct website. The $10.1 million was less than 10 percent of what iLife's attorneys had been asking for. When the trial began in Dallas on August 21, Law360 reported that iLife lawyers asked the jury for a $144 million payout. That damage demand was based on a royalty of $4 per Wii unit, multiplied by 36 million systems sold in the six years before the lawsuit was filed. -
Lawsuit Filed Against Logitech For Delaying Warranty Claims, Hiding EOL (bleepingcomputer.com)
An anonymous reader quotes BleepingComputer: A U.S. man has filed a lawsuit against Logitech, a Swiss-based manufacturer of electronic devices, on accusations that Logitech had intentionally delayed and tried to discourage warranty claims for defective products, falsely advertised products, and even hid an End-Of-Life (EOL) announcement from customers. The product at the heart of this lawsuit is a high-definition digital video home security system named Logitech Alert Systems... The lawsuit alleges that Logitech's cameras had "a high-rate of failure" and the software running on the IP cameras "was rife with bugs and glitches that made the systems unreliable and inoperable"...
The cherry on top came when users complained to the company. "Logitech refused to honor its warranties to remedy the defects while customers' warranty periods lapsed, thereby escaping its legal obligations to provide non-defective replacements or refunds," the lawsuit reads. The lawsuit alleges that Logitech knew its product had a high rate of failure, but instead of issuing a callback, it "responded by designing and implementing a strategy to avoid its express warranty obligations... As a result, Logitech strategically left customers without operable security systems during the warranty period while it ran out the clock."
The proposed class-action lawsuit covers the IP cameras sold between 2010 and 2014, though it alleges Logitech decided to discontinue the products by 2012, and "claims the company wanted to sell current stocks of Alert Systems before making the announcement and allowed customers to buy a product it did not intend to support anymore." -
IRS Now Has a Tool To Unmask Bitcoin Tax Evaders (thedailybeast.com)
SonicSpike shares a report from The Daily Beast: You can use bitcoin. But you can't hide from the taxman. At least, that's the hope of the Internal Revenue Service, which has purchased specialist software to track those using bitcoin, according to a contract obtained by The Daily Beast. The document highlights how law enforcement isn't only concerned with criminals accumulating bitcoin from selling drugs or hacking targets, but also those who use the currency to hide wealth or avoid paying taxes. The IRS has claimed that only 802 people declared bitcoin losses or profits in 2015; clearly fewer than the actual number of people trading the cryptocurrency -- especially as more investors dip into the world of cryptocurrencies, and the value of bitcoin punches past the $4,000 mark. Maybe lots of bitcoin traders didn't realize the government expects to collect tax on their digital earnings, or perhaps some thought they'd be able to get away with stockpiling bitcoin thanks to the perception that the cryptocurrency is largely anonymous.
"The purpose of this acquisition is to help us trace the movement of money through the bitcoin economy," a section of the contract reads. The Daily Beast obtained the document through the Freedom of Information Act. The contractor in this case is Chainalysis, a startup offering its "Reactor" tool to visualize, track, and analyze bitcoin transactions. Chainalysis' users include law enforcement agencies, banks, and regulatory entities. The software can follow bitcoin as it moves from one wallet to another, and eventually to an exchange where the bitcoin user will likely cash out into dollars or another currency. This is the point law enforcement could issue a subpoena to the exchange and figure out who is really behind the bitcoin. -
Justice Department Walks Back Demand For Information On Anti-Trump Website (theverge.com)
After issuing a warrant to DreamHost for "all files" related to an anti-Trump website, the Justice Department says it's scaling back a demand for information from hosting service DreamHost. The Verge reports: In a legal filing today, the Justice Department argues that the warrant was proper, but also says DreamHost has since brought up information that was previously "unknown." In light of that, it has offered to carve out information demanded in the warrant, specifically pledging to not request information like HTTP logs tied to IP addresses. The department says it is only looking for information related to criminal activity on the site, and says that "the government is focused on the use of the Website to organize, to plan, and to effect a criminal act -- that is, a riot." Peaceful protestors, the government argues, are not the targets of the warrant. The filing asks the court to proceed with the new, less burdensome request, which, apart from the carved-out sections, still requests "all records or other information, pertaining to the Account, including all files, databases, and database records stored by DreamHost in relation to that Account." It's unclear if DreamHost will continue to fight the new demand. -
Top VPN Provider Accused of Sharing Customer Traffic With Online Advertisers (bleepingcomputer.com)
Catalin Cimpanu, reporting for BleepingComputer: On Monday, the Center for Democracy & Technology (CDT) -- a US-based privacy group -- filed a complaint with the US Federal Trade Commission (FTC) accusing one of today's largest VPN providers of deceptive trade practices. In a 14-page complaint, the CDT accuses AnchorFree -- the company behind the Hotspot Shield VPN -- of breaking promises it made to its users by sharing their private web traffic with online advertisers for the purpose of improving the ads shown to its users. In its complaint to the FTC, the CDT is not accusing Anchor Free of secretly injecting ads, as users are well aware of this practice, but of not respecting promises made to its customers. More specifically, the CDT says that AnchorFree does not respect a pledge made in marketing materials that it won't track or sell customer information. -
'Podcasting Patent' Is Totally Dead, Appeals Court Rules (arstechnica.com)
A federal appeals court affirmed the April 2015 inter partes review (IPR) ruling -- a process that allows anyone to challenge a patent's validity at the U.S. Patent and Trademark Office -- that invalidated the so-called "podcasting patent." "That process was held by a company called Personal Audio, which had threatened numerous podcasts with lawsuits in recent years," reports Ars Technica. From the report: Back in 2013, Personal Audio began sending legal demand letters to numerous podcasters and companies, like Samsung, in an apparent attempt to cajole them into a licensing deal, lest they be slapped with a lawsuit. Some of those efforts were successful: in August 2014, Adam Carolla paid about $500,000. As Personal Audio began to gain more public attention, the Electronic Frontier Foundation, however, stepped in and said that it would challenge Personal Audio's US Patent No. 8,112,504, which describes a "system for disseminating media content representing episodes in a serialized sequence." In the end, EFF raised over $76,000, more than double its initial target.
[T]he history of Personal Audio dates to the late 1990s, when founder Jim Logan created a company seeking to create a kind of proto-iPod digital music player. But his company flopped. Years later, Logan turned to lawsuits to collect money from those investments. He sued companies over both the "episodic content" patent, as well as a separate patent, which Logan and his lawyers said covered playlists. He and his lawyers wrung verdicts or settlements from Samsung and Apple. -
Tests Show Workers At Hanford Nuclear Facility Inhaled Radioactive Plutonium (king5.com)
An anonymous reader quotes a report from King 5, a local news station for Seattle, Washington: On June 8 approximately 350 Hanford workers were ordered to "take cover" after alarms designed to detect elevated levels of airborne radioactive contamination went off. It was quickly determined that radioactive particles had been swept out of a containment zone at the plutonium finishing plant (PFP) demolition site. The work is considered the most hazardous demolition project on the entire nuclear reservation. At the time Hanford officials called the safety measure "precautionary." Officials from the U.S. Dept. of Energy, which owns Hanford, and the contractor in charge of the demolition, CH2M Hill, downplayed the seriousness of the event with statements including that it appeared "workers were not at risk," "(the alarm went off) in an area where contamination is expected," and there was "no evidence radioactive particles had been inhaled" by anyone.
The KING 5 Investigators have discovered those statements are incorrect. An internal CH2M Hill email sent to their employees on July 21 was obtained by KING. It states that 301 (test kits) have been issued to employees and of the first 65 workers tested, a "small number of employees" showed positive results for "internal exposures" (by radioactive plutonium). Sources tell KING the "small number of employees" is twelve. Twelve people out of 65 is 20 percent. Still outstanding are 236 tests. A communication specialist with CH2M Hill sent a statement that more positive results are expected. "We expect additional positive results because analytical tests like a bioassay can detect radiological contamination at levels far lower than what field monitoring can detect," said Destry Henderson of CH2M Hill Plateau Remediation Company. -
UK Security Researcher Who Stopped WannaCry Outbreak Arrested in US (zdnet.com)
Zack Whittaker, reporting for ZDNet: A security researcher who in May stopped an outbreak of the WannaCry ransomware has been arrested and detained after attending the Def Con conference in Las Vegas. Marcus Hutchins, 23, a British national, was arrested at Las Vegas airport on Wednesday by US Marshals, several close friends confirmed to ZDNet. A friend told ZDNet that he "was pulled by Marshals at the lounge" after clearing security. He was briefly detained in a federal facility in Nevada until he was moved. "We went to see him this morning and we had already been moved," said the friend. Hutchins is now understood to be in custody at an FBI field office in the state. Motherboard first broke the story on Thursday. Update: A Motherboard reporter tweets, "Here's the indictment accusing @MalwareTechBlog of running the Kronos banking malware."
Update 2: New DOJ statement: Gregory J. Haanstad, United States Attorney for the Eastern District of Wisconsin, announced that on July 11, 2017, following a two-year-long investigation, a federal grand jury returned a six-count indictment against Marcus Hutchins, also known as "Malwaretech," for his role in creating and distributing the Kronos banking Trojan. -
Privacy Watchdog Asks FTC To Look Into Google's Offline Shopping Tracker (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: A privacy advocacy group has filed a formal legal complaint with the Federal Trade Commission, asking the agency to begin an investigation "into Google's in-store tracking algorithm to determine whether it adequately protects the privacy of millions of American consumers." In the Monday filing, the Electronic Privacy Information Center (EPIC) said it is concerned with Google's new Store Sales Management program, which debuted in May. The system allows the company to extend its online tracking capabilities into the physical world. The idea is to combine credit card and other financial data acquired from data brokers to create a singular profile as a way to illustrate to companies what goods and services are being searched for online, which result in actual in-person sales. Because the algorithm that Google uses is secret, EPIC says, there is no way to determine how well Google's claimed anonymization feature -- to mask names, credit card numbers, location, and other potentially private data -- actually works. While Google has been cagey about exactly how it does this, the company has previously revealed that the technique is based on CryptDB.