An anonymous reader quotes a report from the Electronic Frontier Foundation (EFF): In a major decision on Friday, the federal Fifth Circuit Court of Appeals held (PDF) that geofence warrants are "categorically prohibited by the Fourth Amendment." Closely following arguments EFF has made in a number of cases, the court found that geofence warrants constitute the sort of "general, exploratory rummaging" that the drafters of the Fourth Amendment intended to outlaw. EFF applauds this decision because it is essential that every person feels like they can simply take their cell phone out into the world without the fear that they might end up a criminal suspect because their location data was swept up in open-ended digital dragnet. The new Fifth Circuit case, United States v. Smith, involved an armed robbery and assault of a US Postal Service worker at a post office in Mississippi in 2018. After several months of investigation, police had no identifiable suspects, so they obtained a geofence warrant covering a large geographic area around the post office for the hour surrounding the crime. Google responded to the warrant with information on several devices, ultimately leading police to the two defendants.

On appeal, the Fifth Circuit reached several important holdings. First, it determined that under the Supreme Court's landmark ruling in Carpenter v. United States, individuals have a reasonable expectation of privacy in the location data implicated by geofence warrants. As a result, the court broke from the Fourth Circuit's deeply flawed decision last month in United States v. Chatrie, noting that although geofence warrants can be more "limited temporally" than the data sought in Carpenter, geofence location data is still highly invasive because it can expose sensitive information about a person's associations and allow police to "follow" them into private spaces. Second, the court found that even though investigators seek warrants for geofence location data, these searches are inherently unconstitutional. As the court noted, geofence warrants require a provider, almost always Google, to search "the entirety" of its reserve of location data "while law enforcement officials have no idea who they are looking for, or whether the search will even turn up a result." Therefore, "the quintessential problem with these warrants is that they never include a specific user to be identified, only a temporal and geographic location where any given user may turn up post-search. That is constitutionally insufficient."

Unsurprisingly, however, the court found that in 2018, police could have relied on such a warrant in "good faith," because geofence technology was novel, and police reached out to other agencies with more experience for guidance. This means that the evidence they obtained will not be suppressed in this case.

Mozilla's interim CEO Laura Chambers "says the company is reinvesting in Firefox after letting it languish in recent years," reports Fast Company, "hoping to reestablish the browser as independent alternative to the likes of Google's Chrome and Apple's Safari.

"But some of those investments, which also include forays into generative AI, may further upset the community that's been sticking with Firefox all these years..." Chambers acknowledges that Mozilla lost sight of Firefox in recent years as it chased opportunities outside the browser, such as VPN service and email masking. When she replaced Mitchell Baker as CEO in February, the company scaled back those other efforts and made Firefox a priority again. "Yes, Mozilla is refocusing on Firefox," she says. "Obviously, it's our core product, so it's an important piece of the business for us, but we think it's also really an important part of the internet."

Some of that focus involves adding features that have become table-stakes in other browsers. In June, Mozilla added vertical tab support in Firefox's experimental branch, echoing a feature that Microsoft's Edge browser helped popularize three years ago. It's also working on tab grouping features and an easier way to switch between user profiles. Mozilla is even revisiting the concept of web apps, in which users can install websites as freestanding desktop applications. Mozilla abandoned work on Progressive Web Apps in Firefox a few years ago to the dismay of many power users, but now it's talking with community members about a potential path forward.

"We haven't always prioritized those features as highly as we should have," Chambers says. "That's been a real shift that's been very felt in the community, that the things they're asking for . . . are really being prioritized and brought to life."
Firefox was criticized for testing a more private alternative to tracking cookies which could make summaries of aggregated data available to advertisers. (Though it was only tested on a few sites, "Privacy-Preserving Attribution" was enabled by default.) But EFF staff technologist Lena Cohen tells Fast Company that approach was "much more privacy-preserving" than Google's proposal for a "Privacy Sandbox." And according to the article, "Mozilla's system only measures the success rate of ads — it doesn't help companies target those ads in the first place — and it's less susceptible to abuse due to limits on how much data is stored and which parties are allowed to access it." In June, Mozilla also announced its acquisition of Anonym, a startup led by former Meta executives that has its own privacy-focused ad measurement system. While Mozilla has no plans to integrate Anonym's tech in Firefox, the move led to even more anxiety about the kind of company Mozilla was becoming. The tension around Firefox stems in part from Mozilla's precarious financial position, which is heavily dependent on royalty payments from Google. In 2022, nearly 86% of Mozilla's revenue came from Google, which paid $510 million to be Firefox's default search engine. Its attempts to diversify, through VPN service and other subscriptions, haven't gained much traction.

Chambers says that becoming less dependent on Google is "absolutely a priority," and acknowledges that building an ad-tech business is one way of doing that. Mozilla is hoping that emerging privacy regulations and wider adoption of anti-tracking tools in web browsers will increase demand for services like Anonym and for systems like Firefox's privacy-preserving ad measurements. Other revenue-generating ideas are forthcoming. Chambers says Mozilla plans to launch new products outside of Firefox under a "design sprint" model, aimed at quickly figuring out what works and what doesn't. It's also making forays into generative AI in Firefox, starting with a chatbot sidebar in the browser's experimental branch.
Chambers "says to expect a bigger marketing push for Firefox in the United States soon, echoing a 'Challenge the default' ad campaign that was successful in Germany last summer. Mozilla's nonprofit ownership structure, and the idea that it's not beholden to corporate interests, figures heavily into those plans."

Though "It could take years to resolve," the Washington Post imagines six changes that could ultimately result from the two monopoly rulings on Google: Imagine a Google-quality search engine but without ads — or one tailored to children, news junkies or Lego fans. It's possible that Google could be forced to let other companies access its search technology or its essential data to create search engines with the technical chops of Google — but without Google...

Would Apple create a search engine...? The likeliest scenario is you'd need to pick whether to use Google on your iPhone or something else. But technologists and stock analysts have also speculated for years that Apple could make its own search engine. It would be like when Apple started Apple Maps as an alternative to Google Maps.

What if Google weren't allowed to know so much about you? Jason Kint of Digital Content Next, an industry group that includes online news organizations, said one idea is Google's multiple products would no longer be allowed to commingle information about what you do. It would essentially be a divorce of Google's products without breaking the company up. That could mean, for example, that whatever you did on your Android phone or the websites you visit using Chrome would not feed into one giant Google repository about your activities and interests.
The article also wonders if the judge could order Google to be broken up, with separate companies formed out of Android, Google search, and Chrome. (Or if more search competition might make prices drop for the products advertised in search results — or lower the fees charged in Android's app store.) Android's app store might also lose its power to veto apps that compete with Google.

"This is educated speculation," the article acknowledges. "It's also possible that not much will really change. That's what happened after Google was found to have broken the European Union's anti-monopoly laws."

Google has also said it plans to appeal Monday's ruling.

FBI agent Rick Smith remembered seeing that Austrian-born Silicon Valley entrepreneur one year earlier — walking into San Francisco's Soviet Consulate in the early 1980s. Their chance reunion at a bar "would sow the seeds for a major counterintelligence campaign," writes a national security journalist in Politico, describing the collaboration as "an FBI-led operation that sold the Soviet Bloc millions in secretly sabotaged U.S. hi-tech."

The Austrian was already selling American tech goods to European countries, and "By the early 1980s, the FBI knew the Soviet Union was desperate for cutting-edge American technology, like the U.S.-produced microchips then revolutionizing a vast array of digital devices, including military systems..." Moscow's spies worked assiduously to steal such dual use tech or purchase it covertly. The Soviet Union's ballistic missile programs, air defense systems, electronic spying platforms, and even space shuttles, depended on it.... But such tech-focused sanctions-evasion schemes by America's foes offer opportunities for U.S. intelligence, too — including the opportunity to launch ultra-secret sabotage campaigns to alter sensitive technologies before they reach their final destination... Working under the FBI's direction, the Austrian agreed to pose as a crook, a man willing to sell prohibited technology to the communist Eastern Bloc... [T]he FBI and the Austrian would seed faulty tech to Moscow and its allies; drain the Soviet Bloc's coffers; expose its intelligence officers and secret American conspirators; and reveal to American counterspies exactly what tech the Soviets were after...

[T]he Soviet Bloc would unknowingly purchase millions of dollars' worth of sabotaged U.S. goods. Communist spies, ignorant that they were being played, would be feted with a literal parade in a Warsaw Pact capital for their success in purchasing this forbidden technology from the West... The Austrian's connections now presented a major opportunity. The Bulgarians, and their East German and Russia allies, were going to get that forbidden tech. But not before the FBI tampered with it first...

Some of the tech was subtly altered before the Bulgarians could get their hands on it. Some was rendered completely unusable. Some of it was shipped unadulterated to keep the operation humming — and allay any suspicions from the Eastern Bloc about what might be going on. And some of it never made its way to the Bulgarians at all. In one case, the bureau intercepted a $400,000 order of computer hardware from the San Jose-based firm Proquip and shipped out 6,000 pounds of sandbags instead.... Some suffered what appeared to be "accidental" wear-and-tear during the long journey to the Eastern Bloc, recalled Ed Appel [a former senior FBI official]. Other times, the FBI would tamper with the electronics so they would experience "chance" voltage overloads once Soviet Bloc operatives plugged them in. The sabotage could also be more subtle, designed to degrade machine parts or microchips over time, or to render hi-tech tools that required intense precision slightly, if imperceptibly, inaccurate.
The article concludes that "While the Soviet Union might have imploded over three decades ago... Russia's intelligence services are still scouring the globe for prohibited U.S. tech, particularly since Moscow's February 2022 invasion of Ukraine...

"Russia has reportedly even covertly imported household items like refrigerators and washing machines to rip out the microchips within them for use in military equipment."

A new article in ScienceAlert describes new research into the dangers of "heavily processed sources of digital nourishment" for generative AI: A new study by researchers from Rice University and Stanford University in the US offers evidence that when AI engines are trained on synthetic, machine-made input rather than text and images made by actual people, the quality of their output starts to suffer.

The researchers are calling this effect Model Autophagy Disorder (MAD). The AI effectively consumes itself, which means there are parallels for mad cow disease — a neurological disorder in cows that are fed the infected remains of other cattle. Without fresh, real-world data, content produced by AI declines in its level of quality, in its level of diversity, or both, the study shows. It's a warning about a future of AI slop from these models.

"Our theoretical and empirical analyses have enabled us to extrapolate what might happen as generative models become ubiquitous and train future models in self-consuming loops," says computer engineer Richard Baraniuk, from Rice University. "Some ramifications are clear: without enough fresh real data, future generative models are doomed to MADness."
The article notes that "faces began to look more and more like each other when fresh, human-generated training data wasn't involved. In tests using handwritten numbers, the numbers gradually became indecipherable.

"Where real data was used but in a fixed way without new data being added, the quality of the output was still degraded, merely taking a little longer to break down. It appears that freshness is crucial."

Thanks to long-time Slashdot reader schwit1 for sharing the news.

Dan Robinson writes via The Register: Hyperscalers are forecast to account for more than 60 percent of datacenter space by 2029, a stark reversal on just seven years ago when the majority of capacity was made up of on-premises facilities. This trend is the result of demand for cloud services and consumer-oriented digital services such as social networking, e-commerce and online gaming pushing growth in hyperscale bit barns, those operated by megacorps including Amazon, Microsoft and Meta. The figures were published by Synergy Research Group, which says they are drawn from several detailed quarterly tracking research services to build an analysis of datacenter volume and trends.

As of last year's data, those hyperscale companies accounted for 41 percent of the entire global data dormitory capacity, but their share is growing fast. Just over half of the hyperscaler capacity is comprised of own-build facilities, with the rest made up of leased server farms, operated by providers such as Digital Realty or Equinix. On-premises datacenters run by enterprises themselves now account for 37 percent of the total, a drop from when they made up 60 percent a few years ago. The remainder (22 percent) is accounted for by non-hyperscale colocation datacenters.

What the figures appear to show is that hyperscale volume is growing faster than colocation or on-prem capacity -- by an average of 22 percent each year. Hence Synergy believes that while colocation's share of the total will slowly decrease over time, actual colo capacity will continue to rise steadily. Likewise, the proportion of overall bit barn space represented by on-premise facilities is forecast by Synergy to decline by almost three percentage points each year, although the analyst thinks the actual total capacity represented by on-premises datacenters is set to remain relatively stable. It's a case of on-prem essentially standing still in an expanding market.

Apple on Thursday announced changes to its Digital Markets Act (DMA) compliance plan for the European Union, as the tech giant faces an ongoing investigation by the European Commission for suspected non-compliance. The revised rules, set to roll out this fall, ease restrictions on developers' ability to promote external offers within iOS apps. Developers can now inform users about offers available beyond their own websites, including on other apps and marketplaces, without adhering to Apple-mandated templates.

Apple has also introduced a new fee structure for purchases made through external links. An "Initial Acquisition Fee" of 5% will apply to new users' first-year purchases, while a "Store Services Fee" of 10% (or 5% for smaller developers) will be charged on subsequent transactions. These changes replace the controversial Core Technology Fee, which is currently under EU scrutiny.

Spotify and Epic aren't satisfied with the changes. Spotify has called the new plan "unacceptable," arguing it disregards DMA requirements. Epic Games CEO Tim Sweeney labeled it "malicious compliance" involving "junk fees."

Starting today, Morgan Stanley's advisors are allowed to offer bitcoin ETFs to some clients -- a first among major Wall Street banks. "Those funds are BlackRock's iShares Bitcoin Trust and Fidelity's Wise Origin Bitcoin Fund," reports CNBC. From the report: Morgan Stanley made the move in response to demand from clients and in an attempt to follow an evolving marketplace for digital assets [...].The bank is still striking a note of caution, however, in the rollout: Only clients with a net worth of at least $1.5 million, an aggressive risk tolerance and the desire to make speculative investments are suitable for bitcoin ETF solicitation, said the people. The investments are for taxable brokerage accounts, not retirement accounts, they added. The bank will monitor clients' crypto holdings to make sure they don't end up with excessive exposure to the volatile asset class, according to the sources.

The only crypto investments approved for solicited purchase at Morgan Stanley are the pair of bitcoin ETFs from BlackRock and Fidelity; private funds from Galaxy and FS NYDIG that the bank made available starting in 2021 were phased out earlier this year. Morgan Stanley is watching how the market for newly approved ether ETFs develops and hasn't committed to whether it would provide access to those, the people said.

Parody site creator David Senk has rebuffed CrowdStrike's attempt to shut down his "ClownStrike" website, which lampoons the cybersecurity firm's role in a recent global IT outage. Senk swiftly contested the Digital Millennium Copyright Act takedown notice, asserting fair use for parody. When hosting provider Cloudflare failed to acknowledge his counter-notice, Senk defiantly relocated the site to a Finnish server beyond U.S. jurisdiction. The IT consultant decried the takedown as "corporate cyberbullying," accusing CrowdStrike of exploiting copyright law to silence criticism. Despite CrowdStrike's subsequent admission that parody sites were not intended targets, Senk is remaining resolute, demanding a public apology and refusing to return to Cloudflare's services.

iPhone and Apple Watch users in California will soon be able to add their digital ID and driver's license to the Wallet app, as revealed by new landing pages on the state DMV website. This feature follows a slow rollout since its announcement, with only five states currently supporting it. MacRumors reports: "Now you can add your California driver's license or state ID to Apple Wallet on iPhone and Apple Watch so you can present it easily and securely in person and in app," reads the landing page, which contains broken links and placeholder images, and is still missing a proper website security certificate. The webpages were discovered on Sunday by Jimmy Obomsawin, after someone added a link to the landing pages in an Apple Wallet Wikipedia entry last Wednesday.

Members of the Screen Actors Guild (SAG-AFTRA) are striking against the video game industry due to failed negotiations over AI-related worker protections. "The guild began striking on Friday, July 26th, preventing over 160,000 SAG-AFTRA members from taking new video game projects and impeding games already in development from the biggest publishers to the smallest indie studios," notes The Verge. From the report: Negotiations broke down due to disagreements over worker protections around AI. The actors union, SAG-AFTRA, negotiates the terms of the interactive media agreement, or IMA, with a bargaining committee of video game publishers, including Activision, Take-Two, Insomniac Games, WB Games, and others that represent a total of 30 signatory companies. Though SAG-AFTRA and the video game bargaining group were able to agree on a number of proposals, AI remained the final stumbling block resulting in the strike.

SAG-AFTRA's provisions on AI govern both voice and movement performers with respect to digital replicas -- or using an existing performance as the foundation to create new ones without the original performer -- and the use of generative AI to create performances without any initial input. However, according to SAG-AFTRA, the bargaining companies disagreed about which type of performer should be eligible for AI protections. SAG-AFTRA chief contracts officer Ray Rodriguez said that the bargaining companies initially wanted to offer protections to voice, not motion performers. "So anybody doing a stunt or creature performance, all those folks would have been left unprotected under the employers' offer," Rodriguez said in an interview with Aftermath. Rodriguez said that the companies later extended protections to motion performers, but only if "the performer is identifiable in the output of the AI digital replica."

SAG-AFTRA rejected this proposal as it would potentially exclude a majority of movement performances. "Their proposal would carve out anything that doesn't look and sound identical to me," said Andi Norris, a member of SAG-AFTRA's IMA negotiating committee, during a press conference. "[The proposal] would leave movement specialists, including stunts, entirely out in the cold, to be replaced ... by soulless synthetic performers trained on our actual performances." The bargaining game companies argued that the terms went far enough and would require actors' approval. "Our offer is directly responsive to SAG-AFTRA's concerns and extends meaningful AI protections that include requiring consent and fair compensation to all performers working under the IMA. These terms are among the strongest in the entertainment industry," wrote Audrey Cooling, a representative working on behalf of the video game companies on the bargaining committee in a statement to The Verge.

Late Friday Elon Musk appeared on Lex Fridman's podcast for a special eight-hour episode about Neuralink.

It's already been viewed 1,702,036 times on YouTube — and resulted in this report from Reuters: Neuralink has successfully implanted in a second patient its device designed to give paralyzed patients the ability to use digital devices by thinking alone, according to the startup's owner Elon Musk... [Musk] gave few details about the second participant beyond saying the person had a spinal cord injury similar to the first patient, who was paralyzed in a diving accident.

Musk said 400 of the implant's electrodes on the second patient's brain are working. Neuralink on its website states that its implant uses 1,024 electrodes... Musk said he expects Neuralink to provide the implants to eight more patients this year as part of its clinical trials.
Neuralink's device "has allowed the first patient to play video games, browse the internet, post on social media and move a cursor on his laptop," according to the article: The first patient, Noland Arbaugh, was also interviewed on the podcast, along with three Neuralink executives, who gave details about how the implant and the robot-led surgery work. Before Arbaugh received his implant in January, he used a computer by employing a stick in his mouth to tap the screen of a tablet device. Arbaugh said with the implant he now can merely think about what he wants to happen on the computer screen, and the device makes it happen... Arbaugh has improved on his previous world record for the speed at which he can control a cursor with thoughts alone "with only roughly 10, 15% of the electrodes working," Musk said on the podcast.
Fridman said his interview with Musk was "the longest podcast I've ever done," calling their conversation "fascinating, super technical, and wide-ranging... I loved every minute of it."

"Five years ago, Brian Frye set an elaborate trap," writes Decrypt.co. "Now the law professor is teaming up with a singer-songwriter to finally spring it" on America's Security and Exchange Commission "in a novel lawsuit — and in the process, prevent the regulator from ever coming after NFT art projects again." Over and again, the SEC has sued cherry-picked NFT projects it says qualify as unregistered securities — but never once has the regulator defined what types of NFT projects are legal and which are not, casting a chill over the nascent industry... [In 2019] Frye, an expert in securities law and a fan of novel technologies, minted an NFT of a letter he sent to the SEC in which he declared his art project to constitute an illegal, unregistered security. If the conceptual art project wasn't a security, Frye challenged the agency, then it needed to say so. The SEC never responded to Frye — not then, and not after several more self-incriminating correspondences from the professor. But in due time, the agency began vigorously pursuing, and suing, NFT projects.
So 10 months ago, Jonathan Mann — who writes a new song every day and shares it online — crafted a song titled "This Song is A Security." As a seller of NFTs himself, Mann wrote the song "to fight back against the SEC, and defend his right — plus the rights of other artists like him — to earn revenue," according to the article: Frye, who'd practically been salivating for such an opportunity for half a decade, was a natural fit.... In the lawsuit filed against the SEC in Louisiana earlier this week, they challenged the SEC's standing to regulate their NFT-backed artworks as securities, and demanded the agency declare that their respective art projects do not constitute illegal, unregistered securities offerings.
More from the International Business Times: The complaint asked the court to clarify whether the SEC should regulate art and whether artists were supposed to "register" their artworks before selling the pieces to the general public. The complaint also asked whether artists should be "forced to make public disclosures about the 'risks' of buying their art," and whether artists should be "required to comply" with federal securities laws...

The Blockchain Association, a collective crypto group that includes some of the biggest digital asset firms, asserted that the SEC has no authority over NFT art. "We support the plaintiffs in their quest for legal clarity," the group said.
In an interview with Slashdot, Mann says he started his "Song a Day" project almost 17 years ago (when he was 26 years old) — and his interest in NFTs is sincere: "Over the years, I've always sought a way to make Song A Day sustainable financially, through video contests, conference gigs, ad revenue, royalties, Patreon and more.

"When I came across NFTs in 2017, they didn't have a name. We just called them 'digital collectibles'. For the last 2+ years, NFTs have become that self-sustaining model for my work.

"I know most people believe NFTs are a joke at best and actively harmful at worst. Even most people in the crypto community have given up on them. Despite all that, I still believe they're worth pursuing.

"Collecting an NFT from an artist you love is the most direct way to support them. There's no multinational corporation, no payment processor, and no venture capitalists between you and the artist you want to support."
Slashdot also tracked down the SEC's Office of Public Affairs, and got an official response from SEC public affairs specialist Ryan White.

Slashdot: The suit argues that the SEC's approach "threatens the livelihoods of artists and creators that are simply experimenting with a novel, fast-growing technology," and seeks guidance in the face of a "credible threat of enforcement". Is the SEC going to respond to this lawsuit? And if you don't have an answer at this time, can you give me a general comment on the issues and concerns being raised?

SEC Public Affairs Specialist Ryan White: We would decline comment.

Decrypt.co points out that the lawsuit "has no guarantee of offering some conclusive end to the NFT regulation question... That may only come with concrete legislation or a judgment by the Supreme Court."

But Mann's song still makes a very public show out of their concerns — with Mann even releasing a follow-up song titled "I'm Suing the SEC." (Its music video mixes together wacky clips of Mila Kunis's Stoner Cats and Fonzie jumping a shark with footage of NFT critics like Elizabeth Warren and SEC chairman Gary Gensler.)

And an earlier song also used auto-tune to transform Gensler's remarks about cryptocurrencies into the chorus of a song titled "Hucksters, Fraudsters, Scam Artists, Ponzi Schemes".

Mann later auctioned an NFT of the song — for over $3,000 in Ethereum.

America's National Football League "is the latest organization to turn to facial authentication to bolster event security," reports the Record, citing a new announcement this week: All 32 NFL stadiums will start using the technology this season, after the league signed a contract with a company that uses facial scans to verify the identity of people entering event venues and other secure spaces.

The facial authentication platform, which counts the Cleveland Browns' owners as investors, will be used to "streamline and secure" entry for thousands of credentialed media, officials, staff and guests so they can easily access restricted areas such as press boxes and locker rooms, Jeff Boehm, the chief operating officer of Wicket, said in a LinkedIn post Monday. "Credential holders simply take a selfie before they come, and then Wicket verifies their identity and checks their credentials with Accredit (a credentialing platform) as they walk through security checkpoints," Boehm added.

Wicket technology was deployed in a handful of NFL stadiums last year as part of a pilot program. Other stadiums will start rolling it out beginning on Aug. 8, when the pre-season kicks off. Some teams also have extended their use of the technology to scan the faces of ticket holders. The Cleveland Browns, Atlanta Falcons and New York Mets all have used the company's facial authentication software to authenticate fans with tickets, according to Stadium Tech Report. "Fans come look at the tablet and, instantly, the tablet recognizes the fan," Brandon Covert, the vice president of information technology for the Cleveland Browns, said in a testimonial appearing on Wicket's website. "It's almost a half-second stop. It's not even a stop — more of a pause."
"The Browns also use Wicket to verify the ages of fans purchasing alcohol at concession stands, according to Wicket's LinkedIn page," the article points out.

And a July report from Privacy International found that 25 of the top 100 soccer stadiums in the world are already using facial recognition technology.

Thanks to long-time Slashdot reader schwit1 for sharing the news.

An anonymous reader shared this report from BleepingComputer: A Chinese hacking group tracked as StormBamboo has compromised an undisclosed internet service provider (ISP) to poison automatic software updates with malware. Also tracked as Evasive Panda, Daggerfly, and StormCloud, this cyber-espionage group has been active since at least 2012, targeting organizations across mainland China, Hong Kong, Macao, Nigeria, and various Southeast and East Asian countries.

On Friday, Volexity threat researchers revealed that the Chinese cyber-espionage gang had exploited insecure HTTP software update mechanisms that didn't validate digital signatures to deploy malware payloads on victims' Windows and macOS devices... To do that, the attackers intercepted and modified victims' DNS requests and poisoned them with malicious IP addresses. This delivered the malware to the targets' systems from StormBamboo's command-and-control servers without requiring user interaction.
Volexity's blog post says they observed StormBamboo "targeting multiple software vendors, who use insecure update workflows..." and then "notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network. As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped."

BleepingComputer notes that "âAfter compromising the target's systems, the threat actors installed a malicious Google Chrome extension (ReloadText), which allowed them to harvest and steal browser cookies and mail data."

Apple's elaborate new ad campaign promises that Safari is "a browser that protects your privacy." And the Washington Post says Apple "deserves credit for making many privacy protections automatic with Safari..."

"But Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project, said Safari is no better than the fourth-best web browser for your privacy." "If browser privacy were a sport at the Olympics, Apple isn't getting on the medal stand," Cahn said. (Apple did not comment about this.)

Safari stops third-party cookies anywhere you go on the web. So do Mozilla's Firefox and the Brave browser... Chrome allows third-party cookies in most cases unless you turn them off... Even without cookies, a website can pull information like the resolution of your computer screen, the fonts you have installed, add-on software you use and other technical details that in aggregate can help identify your device and what you're doing on it. The measures, typically called "fingerprinting," are privacy-eroding tracking by another name. Nick Doty with the Center for Democracy & Technology said there's generally not much you can do about fingerprinting. Usually you don't know you're being tracked that way. Apple says it defends against common fingerprinting techniques but Cahn said Firefox, Brave and the Tor Browser all are better at protecting you from digital surveillance. That's why he said Safari is no better than the fourth-best browser for privacy.
Safari's does offer extra privacy protections in its "private" mode, the article points out. "When you use this option, Apple says it does more to block use of 'advanced' fingerprinting techniques. It also steps up defenses against tracking that adds bits of identifying information to the web links you click."

The article concludes that Safari users can "feel reasonably good about the privacy (and security) protections, but you can probably do better — either by tweaking your Apple settings or using a web browser that's even more private than Safari."

The Japanese government has released details of an app that verifies the legitimacy of its troubled My Number Card -- a national identity document. From a report: Beginning in 2015, every resident of Japan was assigned a 12 digit My Number that paved the way for linking social security, taxation, disaster response and other government services to both the number itself and a smartcard. The plan was to banish bureaucracy and improve public service delivery -- but that didn't happen.

My Number Card ran afoul of data breaches, reports of malfunctioning card readers, and database snafus that linked cards to other citizens' bank accounts. Public trust in the scheme fell, and adoption stalled. Now, according to Japan's Digital Ministry, counterfeit cards are proliferating to help miscreant purchase goods -- particularly mobile phones -- under fake identities. Digital minister Taro Kono yesterday presented his solution to the counterfeits: a soon to be mandatory app that confirms the legitimacy of the card. The app uses the camera on a smartphone to read information printed on the card -- like date of birth and name. It compares those details to what it reads from info stored in the smartcard's resident chip, and confirms the data match without the user ever needing to enter their four-digit PIN.

Microsoft Dynamics 365's "field service management" tools enable employers to monitor mobile workers via smartphone apps -- "allegedly to the detriment of their autonomy and dignity," reports The Register. From the report: According to a probe by Cracked Labs - an Austrian nonprofit research group -- the software is part of a broader set of applications that disempowers workers through algorithmic management. The case study [PDF] summarizes how employers in Europe actually use software and smartphone apps to oversee field technicians, home workers, and cleaning staff. It's part of a larger ongoing project helmed by the group called "Surveillance and Digital Control at Work," which includes contributions from AlgorithmWatch; Jeremias Adams-Prassl, professor of law at the University of Oxford; and trade unions UNI Europa and GPA.

Mobile maintenance workers used to have a substantial amount of autonomy when they were equipped with basic mobile phones, the study notes, but smartphones have allowed employers to track what mobile workers do, when they do it, where they are, and gather many other data points. The effect of this monitoring, the report argues, means diminished worker discretion, autonomy, and sense of purpose due to task-based micromanagement. The shift has also accelerated and intensified work stress, with little respect to workers' capabilities, differences in lifestyle, and job practices. "Field service workers travel to multiple locations servicing different products every day," a Microsoft spokesperson told The Register. "Dynamics 365 Field Service and its Copilot capabilities are designed to help field service workers schedule, plan and provide onsite maintenance and repairs in the right location, on time with the right information and workplace guides on their device to complete their jobs."

"Dynamics 365 Field Service does not use AI to recommend individual workers for specific jobs based on previous performance. Dynamics 365 Field Service was developed in accordance with our Responsible AI principles and data privacy statement. Customers are solely responsible for using Dynamics 365 Field Service in compliance with all applicable laws, including laws relating to accessing individual employee analytics and monitoring."

An anonymous reader quotes a report from Ars Technica: On Wednesday, US Sens. Chris Coons (D-Del.), Marsha Blackburn (R.-Tenn.), Amy Klobuchar (D-Minn.), and Thom Tillis (R-NC) introduced the Nurture Originals, Foster Art, and Keep Entertainment Safe (NO FAKES) Act of 2024. The bipartisan legislation, up for consideration in the US Senate, aims to protect individuals from unauthorized AI-generated replicas of their voice or likeness. The NO FAKES Act would create legal recourse for people whose digital representations are created without consent. It would hold both individuals and companies liable for producing, hosting, or sharing these unauthorized digital replicas, including those created by generative AI. Due to generative AI technology that has become mainstream in the past two years, creating audio or image media fakes of people has become fairly trivial, with easy photorealistic video replicas likely next to arrive. [...]

To protect a person's digital likeness, the NO FAKES Act introduces a "digital replication right" that gives individuals exclusive control over the use of their voice or visual likeness in digital replicas. This right extends 10 years after death, with possible five-year extensions if actively used. It can be licensed during life and inherited after death, lasting up to 70 years after an individual's death. Along the way, the bill defines what it considers to be a "digital replica": "DIGITAL REPLICA.-The term "digital replica" means a newly created, computer-generated, highly realistic electronic representation that is readily identifiable as the voice or visual likeness of an individual that- (A) is embodied in a sound recording, image, audiovisual work, including an audiovisual work that does not have any accompanying sounds, or transmission- (i) in which the actual individual did not actually perform or appear; or (ii) that is a version of a sound recording, image, or audiovisual work in which the actual individual did perform or appear, in which the fundamental character of the performance or appearance has been materially altered; and (B) does not include the electronic reproduction, use of a sample of one sound recording or audiovisual work into another, remixing, mastering, or digital remastering of a sound recording or audiovisual work authorized by the copyright holder." The NO FAKES Act "includes provisions that aim to balance IP protection with free speech," notes Ars. "It provides exclusions for recognized First Amendment protections, such as documentaries, biographical works, and content created for purposes of comment, criticism, or parody."

Taco Bell's parent company, Yum! Brands, announced today that the fast-food chain will expand its Voice AI technology to "hundreds" of chains around the country by the end of the year. A global expansion of the service will follow. Fortune reports: Right now, more than 100 Taco Bell locations in 13 states rely on AI to take customer orders at the drive-thru. Company officials say that has resulted in improved order accuracy, shorter wait times, and higher profits. Human workers, the company says, will be freed up to focus on other tasks, ranging from interacting with guests who opt to order from the restaurant counter to preparing food. "Yum! Brands is integrating digital and technology into all aspects of our business with exciting new capabilities, and AI is a core piece of that strategy," said Lawrence Kim, chief innovation officer at Yum! Brands, in a statement. "With over two years of fine-tuning and testing the drive-thru Voice AI technology, we're confident in its effectiveness in optimizing operations and enhancing customer satisfaction."