Rite Aid, the third-largest U.S. drug store chain, reported it a ransomware attack that compromised the personal data of 2.2 million customers. The data exposed includes names, addresses, dates of birth, and driver's license numbers or other forms of government-issued ID from transactions between June 2017 and July 2018.

"On June 6, 2024, an unknown third party impersonated a company employee to compromise their business credentials and gain access to certain business systems," the company said in a filing. "We detected the incident within 12 hours and immediately launched an internal investigation to terminate the unauthorized access, remediate affected systems and ascertain if any customer data was impacted." Ars Technica's Dan Goodin reports: RansomHub, the name of a relatively new ransomware group, has taken credit for the attack, which it said yielded more than 10GB of customer data. RansomHub emerged earlier this year as a rebranded version of a group known as Knight. According to security firm Check Point, RansomHub became the most prevalent ransomware group following an international operation by law enforcement in May that took down much of the infrastructure used by rival ransomware group Lockbit.

On its dark web site, RansomHub said it was in advanced stages of negotiation with Rite Aid officials when the company suddenly cut off communications. A Rite Aid official didn't respond to questions sent by email. Rite Aid has also declined to say if the employee account compromised in the breach was protected by multifactor authentication.

A judge in the UK High Court has directed prosecutors to consider bringing criminal charges against computer scientist Craig Wright, after ruling that he lied "extensively and repeatedly" and committed forgery "on a grand scale" in service of his quest to prove he is Satoshi Nakamoto, creator of bitcoin. From a report: In a judgment published Tuesday, Justice James Mellor outlined various injunctions to be imposed upon Wright, after finding in May that he had "engaged in the deliberate production of false documents to support false claims [to be Satoshi] and use the Courts as a vehicle for fraud."

By order of the judge, Wright will be prevented from claiming publicly that he is Satoshi and from bringing or threatening legal action in any jurisdiction on that basis. He will be required to pin a notice to the front page of his personal website and X feed detailing the findings against him. The matter, Mellor writes, will also be referred to the Crown Prosecution Service (CPS), the body responsible for prosecuting criminal cases in the UK, "for consideration of whether a prosecution should be commenced against Dr Wright." It will be up to the CPS to decide whether the available evidence is sufficient to bring charges against Wright "for his wholescale perjury and forgery of documents" and "whether a warrant for his arrest should be issued."

Last week, the U.S. Senate introduced a new bill to outlaw the unethical use of AI-generated content and deepfake technology. Called the Content Origin Protection and Integrity from Edited and Deepfaked Media Act (COPIED Act), the bill would "set new federal transparency guidelines for marking, authenticating and detecting AI-generated content, protect journalists, actors and artists against AI-driven theft, and hold violators accountable for abuses." TechSpot reports: Proposed and sponsored by Democrats Maria Cantwell of Washington and Martin Heinrich of New Mexico, along with Republican Marsha Blackburn of Tennessee, the aims to establish enforceable transparency standards in AI development [such a through watermarking]. The legislation also wants to curb unauthorized data use in training models. The senators intend to task the National Institutes of Standards and Technology with developing sensible transparency guidelines should the bill pass. [...] The senators feel that clarifying and defining what is okay and what is not regarding AI development is vital in protecting citizens, artists, and public figures from the harm that misuse of the technology could cause, particularly in creating deepfakes. The text of the bill can be read here.

An anonymous reader quotes a report from TorrentFreak: Just before the weekend, dozens of record labels including UMG, Warner, and Sony, filed a massive copyright infringement lawsuit against Verizon at a New York federal court. In common with previous lawsuits that accused rivals of similar inaction, Verizon Communications Inc., Verizon Services Corp., and Cellco Partnership (dba Verizon Wireless), stand accused of assisting subscribers to download and share pirated music, by not doing enough to stop them. The labels' complaint introduces Verizon as one of the largest ISPs in the country, one that "knowingly provides its high-speed service to a massive community of online pirates."

Knowledge of infringement, the labels say, was established at Verizon over a period of several years during which it received "hundreds of thousands" of copyright notices, referencing instances of infringement allegedly carried out by its subscribers. The complaint cites Verizon subscribers' persistent use of BitTorrent networks to download and share pirated music, with Verizon allegedly failing to curtail their activity. "While Verizon is famous for its 'Can you hear me now?' advertising campaign, it has intentionally chosen not to listen to complaints from copyright owners. Instead of taking action in response to those infringement notices as the law requires, Verizon ignored Plaintiffs' notices and buried its head in the sand," the labels write.

"Undeterred, infringing subscribers identified in Plaintiffs' notices continued to use Verizon's services to infringe Plaintiffs' copyrights with impunity. Meanwhile, Verizon continued to provide its high-speed service to thousands of known repeat infringers so it could continue to collect millions of dollars from them." Through this lawsuit, which references piracy of songs recorded by artists including The Rolling Stones, Ariana Grande, Bob Dylan, Bruno Mars, Elvis Presley, Dua Lipa, Drake, and others, the labels suggest that Verizon will have no choice but to hear them now. [...]

Attached to the complaint, Exhibit A contains a non-exhaustive list of the plaintiffs' copyright works allegedly infringed by Verizon's subscribers. The document is over 400 pages long, with each track listed representing potential liability for Verizon as a willful, intentional, and purposeful contributory infringer, the complaint notes. This inevitably leads to claims based on maximum statutory damages of $150,000 per copyrighted work infringed on Count I (contributory infringement). The statutory maximum of $150,000 per infringed work is also applied to Count II (vicarious infringement), based on the labels' claim that Verizon derived a direct financial benefit from the direct infringements of its subscribers. The labels' complaint can be found here (PDF).

Last week, Senior Advisor on AI Governance at the Center for Democracy & Technology, Kevin Bankston, took to X to report that Google's Gemini AI was caught summarizing his private tax return on Google Drive without his permission. "Despite attempts to disable the feature, Bankston found that Gemini's continued to operate in Google Drive, raising questions about Google's handling of user data and privacy settings," writes TechRadar's Craig Hale. From the report: After failing to find the right controls to disable Gemini's integration, the Advisor asked Google's ChatGPT-rivalling AI chatbot on two occasions to pinpoint the settings. A second, more detailed response still brought no joy: "Gemini is *not* in Apps and services on my dashboard (1st option), and I didn't have a profile pic in the upper right of the Gemini page (2nd)."

With help from another X user, Bankston found the control, which was already disabled, highlighting either a malfunctioning control or indicating that further settings are hidden elsewhere. However, previous Google documentation has confirmed that the company will not use Google Workspace data to train or improve its generative AI services or to feed targeted ads. Bankston theorizes that his previous participation in Google Workspace Labs might have influenced Gemini's behavior. The Gemini side panel in Google Drive for PDFs can be closed if a user no longer wishes to access generative AI summaries.

An anonymous reader quotes a report from The Verge: A federal appeals court has agreed to halt the reinstatement of net neutrality rules until August 5th, while the court considers whether more permanent action is justified. It's the latest setback in a long back and forth on net neutrality -- the principle that internet service providers (ISPs) should not be able to block or throttle internet traffic in a discriminatory manner. The Federal Communications Commission has sought to achieve this by reclassifying ISPs under Title II of the Communications Act, which gives the agency greater regulatory oversight. The Democratic-led agency enacted net neutrality rules under the Obama administration, only for those rules to be repealed under former President Donald Trump's FCC. The current FCC, which has three Democratic and two Republican commissioners, voted in April to bring back net neutrality. The 3-2 vote was divided along party lines.

Broadband providers have since challenged the FCC's action, which is potentially more vulnerable after the Supreme Court's recent decision to strike down Chevron deference -- a legal doctrine that instructed courts to defer to an agency's expert decisions except in a very narrow range of circumstances. Bloomberg Intelligence analyst Matt Schettenhelm said in a report prior to the court's ruling that he doesn't expect the FCC to prevail in court, in large part due to the demise of Chevron. A panel of judges for the Sixth Circuit Court of Appeals said in an order that a temporary "administrative stay is warranted" while it considers the merits of the broadband providers' request for a permanent stay. The administrative stay will be in place until August 5th. In the meantime, the court requested the parties provide additional briefs about the application of National Cable & Telecommunications Association v. Brand X Internet Services to this lawsuit.

AT&T paid more than $300,000 to a member of the team that stole call records for tens of millions of customers, reports Wired — "to delete the data and provide a video demonstrating proof of deletion." The hacker, who is part of the notorious ShinyHunters hacking group that has stolen data from a number of victims through unsecured Snowflake cloud storage accounts, tells WIRED that AT&T paid the ransom in May. He provided the address for the cryptocurrency wallet that sent the currency to him, as well as the address that received it. WIRED confirmed, through an online blockchain tracking tool, that a payment transaction occurred on May 17 in the amount of 5.7 bitcoin... The hacker initially demanded $1 million from AT&T but ultimately agreed to a third of that. WIRED viewed the video that the hacker says he provided to AT&T as proof to the telecom that he had deleted its stolen data from his computer...

AT&T is one of more than 150 companies that are believed to have had data stolen from poorly secured Snowflake accounts during a hacking spree that unfolded throughout April and May. It's been previously reported that the accounts were not secured with multi-factor authentication, so after the hackers obtained usernames and passwords for the accounts, and in some cases authorization tokens, they were able to access the storage accounts of companies and siphon their data. Ticketmaster, the banking firm Santander, LendingTree, and Advance Auto Parts were all among the victims publicly identified to date...

The timeline suggests that if [John] Binns is responsible for the AT&T breach, he allegedly did it when he was likely already aware that he was under indictment for the T-Mobile hack and could face arrest for it.

Long-time Slashdot reader schwit1 shared this report from non-profit libertarian law firm, the Institute for Justice: U.S. District Judge Rita Lin has permanently enjoined the California Bureau of Security and Investigative Services from enforcing its private-investigator licensing requirement against anti-spam entrepreneur Jay Fink. The order declares that forcing Jay to get a license to run his business is so irrational that it violates the Due Process Clause of the Fourteenth Amendment...

Jay's business stems from California's anti-spam act, which allows individuals to sue spammers. But to sue, they have to first compile evidence. To do that, recipients often have to wade through thousands of emails. For more than a decade, Jay has offered a solution: he and his team will scour a client's junk folder and catalog the messages that likely violate the law. But last summer, Jay's job — and Californians' ability to bring spammers to justice — came to a screeching halt when the state told him he was a criminal. A regulator told Jay he needed a license to read through emails that might be used as evidence in a lawsuit. And because Jay didn't have a private investigator license, the state shut him down.
The state of California has since "agreed to jointly petition the court for an order that forever prohibits it from enforcing its licensure law against Jay," according to the article.

Otherwise the anti-spam crusader would've had to endure thousands of hours of private investigator training...

MuckRock is a U.S.-based 501(c)(3) non-profit collaborative news site to "request, analyze and share government documents," according to its web site.

And long-time Slashdot reader schwit1 shared their report about a lecture by Admiral Grace Hopper: In a vault at the National Security Agency lies a historical treasure: two AMPEX 1-inch open reel tapes containing a landmark lecture by Admiral Grace Hopper, a giant in the field of computer science. Titled 'Future Possibilities: Data, Hardware, Software, and People,' this lecture, recorded on August 19, 1982, at the NSA's Fort Meade headquarters, and stored in the video archives of the National Cryptographic School, offers a rare glimpse into the mind of a pioneer who shaped the very fabric of technology. Yet this invaluable artifact remains inaccessible, trapped in an obsolete format that the NSA will not release, stating that the agency is unable to play it back.
"NSA is not required to find or obtain new technology (outdated or current) in order to process a request," states the official response from the agency. But MuckRock adds that on June 25, "responding to a follow-up request, the NSA at least provided an image of the tape labels," leading MuckRock to complain that the NSA "is well-positioned to locate, borrow and use a working VTR machine to access Admiral Hopper's lectures... The NSA, with its history of navigating complex technological landscapes and decrypting matters of national significance, does not typically shy away from a challenge." The challenge of accessing these recordings is not just technical, but touches on broader issues around preserving technological heritage.... It is our shared obligation to safeguard such pivotal elements of our nationâ(TM)s history, ensuring they remain within reach of future generations. While the stewardship of these recordings may extend beyond the NSAâ(TM)s typical purview, they are undeniably a part of Americaâ(TM)s national heritage.

Slashdot reader Kirschey writes: The U.S. Customs and Border Protection determined that the redesigned Apple Watch models do not violate AliveCor's electrocardiogram patents, allowing them to be imported. This decision comes before a consolidated hearing at the Federal Circuit Court regarding the same patents.
From the decision: We find that Apple Inc. ("Apple") has met its burden to show that certain redesigned wearable devices ("articles at issue") do not infringe one or more of claims 12, 13, and 19-23 of U.S. Patent No. 10,638,941 ("the '941 Patent") and claims 1, 3, 5, 8-10, 12, 15, and 16 of U.S. Patent No. 10,595,731 ("the '731 Patent). Thus, CBP's position is that the articles at issue are not subject to the limited exclusion order that the U.S. International Trade Commission ("Commission" or "ITC") issued in Investigation No. 337-TA-1266 ("the underlying investigation" or "the 1266 investigation"), pursuant to Section 337 of the Tariff Act of 1930, as amended, 19 U.S.C. 1337 ("Section 337").

A 2023 red team exercise by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) at an unnamed federal agency exposed critical security failings, including unpatched vulnerabilities, inadequate incident response, and weak credential management, leading to a full domain compromise. According to The Register's Connor Jones, the agency failed to detect or remediate malicious activity for five months. From the report: According to the agency's account of the exercise, the red team was able to gain initial access by exploiting an unpatched vulnerability (CVE-2022-21587 - 9.8) in the target agency's Oracle Solaris enclave, leading to what it said was a full compromise. It's worth noting that CVE-2022-21587, an unauthenticated remote code execution (RCE) bug carrying a near-maximum 9.8 CVSS rating, was added to CISA's known exploited vulnerability (KEV) catalog in February 2023. The initial intrusion by CISA's red team was made on January 25, 2023. "After gaining access, the team promptly informed the organization's trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch," CISA's report reads. "Additionally, the organization did not perform a thorough investigation of the affected servers, which would have turned up IOCs and should have led to a full incident response. About two weeks after the team obtained access, exploit code was released publicly into a popular open source exploitation framework. CISA identified that the vulnerability was exploited by an unknown third party. CISA added this CVE to its Known Exploited Vulnerabilities Catalog on February 2, 2023." [...]

After gaining access to the Solaris enclave, the red team discovered they couldn't pivot into the Windows part of the network because missing credentials blocked their path, despite enjoying months of access to sensitive web apps and databases. Undeterred, CISA managed to make its way into the Windows network after carrying out phishing attacks on unidentified members of the target agency, one of which was successful. It said real adversaries may have instead used prolonged password-praying attacks rather than phishing at this stage, given that several service accounts were identified as having weak passwords. After gaining that access, the red team injected a persistent RAT and later discovered unsecured admin credentials, which essentially meant it was game over for the agency being assessed. "None of the accessed servers had any noticeable additional protections or network access restrictions despite their sensitivity and critical functions in the network," CISA said.

CISA described this as a "full domain compromise" that gave the attackers access to tier zero assets -- the most highly privileged systems. "The team found a password file left from a previous employee on an open, administrative IT share, which contained plaintext usernames and passwords for several privileged service accounts," the report reads. "With the harvested Lightweight Directory Access Protocol (LDAP) information, the team identified one of the accounts had system center operations manager (SCOM) administrator privileges and domain administrator privileges for the parent domain. "They identified another account that also had administrative permissions for most servers in the domain. The passwords for both accounts had not been updated in over eight years and were not enrolled in the organization's identity management (IDM)." From here, the red team realized the victim organization had trust relationships with multiple external FCEB organizations, which CISA's team then pivoted into using the access they already had.

The team "kerberoasted" one partner organization. Kerberoasting is an attack on the Kerberos authentication protocol typically used in Windows networks to authenticate users and devices. However, it wasn't able to move laterally with the account due to low privileges, so it instead used those credentials to exploit a second trusted partner organization. Kerberoasting yielded a more privileged account at the second external org, the password for which was crackable. CISA said that due to network ownership, legal agreements, and/or vendor opacity, these kinds of cross-organizational attacks are rarely tested during assessments. However, SILENTSHIELD assessments are able to be carried out following new-ish powers afforded to CISA by the FY21 National Defense Authorization Act (NDAA), the same powers that also allow CISA's Federal Attack Surface Testing (FAST) pentesting program to operate. It's crucial that these avenues are able to be explored in such exercises because they're routes into systems adversaries will have no reservations about exploring in a real-world scenario. For the first five months of the assessment, the target FCEB agency failed to detect or remediate any of the SILENTSHIELD activity, raising concerns over its ability to spot genuine malicious activity. CISA said the findings demonstrated the need for agencies to apply defense-in-depth principles. The cybersecurity agency recommended network segmentation and a Secure-by-Design commitment.

An anonymous reader quotes a report from 404 Media: John Binns, a U.S. citizen who has been incarcerated in Turkey, is linked to the massive data breach of metadata belonging to nearly all of AT&T's customers that the telecommunications giant announced on Friday, three sources independently told 404 Media. [...] As 404 Media reported in January, Binns has already been indicted for allegedly breaking into T-Mobile in 2021 and selling stolen data on more than 40 million people. Now, he is allegedly connected to the latest breach against AT&T, which the company said it detected in April.

The AT&T data was lifted from a Snowflake instance, a data warehousing tool, AT&T told 404 Media. Snowflake has been at the center of a series of massive and high profile breaches, including Ticketmaster and Santander. In a blog post published in June which covered a threat actor targeting Snowflake instances, cybersecurity company Mandiant said the threat actor, which it dubs UNC5537, "comprises members based in North America, and collaborates with an additional member in Turkey." In its breach announcement, AT&T said authorities had already apprehended one of the people involved in the breach. Binns was recently arrested and detained in Turkey, The Desk reported in May. That report, which is the last public information about his whereabouts, says he was detained following an extradition request from the U.S. Before he was arrested, Binns told 404 Media in January that he had "reasons to not be concerned" about being extradited.

U.S. phone giant AT&T confirmed Friday it will begin notifying millions of consumers about a fresh data breach that allowed cybercriminals to steal the phone records of "nearly all" of its customers. TechCrunch: In a statement, AT&T said that the stolen data contains phone numbers of both cellular and landline customers, as well as AT&T records of calls and text messages -- such as who contacted who by phone or text -- during a six-month period between May 1, 2022 and October 31, 2022. AT&T said some of the stolen data includes more recent records from January 2, 2023 for a smaller but unspecified number of customers.

The stolen data also includes call records of customers with phone service from other cell carriers that rely on AT&T's network, the company said. [...] In all, the phone giant said it will notify around 110 million AT&T customers of the data breach, company spokesperson Andrea Huguely told TechCrunch.

An anonymous reader quotes a report from TechCrunch: A data breach at the phone surveillance operation mSpy has exposed millions of its customers who bought access to the phone spyware app over the past decade, as well as the Ukrainian company behind it. Unknown attackers stole millions of customer support tickets, including personal information, emails to support, and attachments, including personal documents, from mSpy in May 2024. While hacks of spyware purveyors are becoming increasingly common, they remain notable because of the highly sensitive personal information often included in the data, in this case about the customers who use the service. The hack encompassed customer service records dating back to 2014, which were stolen from the spyware maker's Zendesk-powered customer support system.

mSpy is a phone surveillance app that promotes itself as a way to track children or monitor employees. Like most spyware, it is also widely used to monitor people without their consent. These kinds of apps are also known as "stalkerware" because people in romantic relationships often use them to surveil their partner without consent or permission. The mSpy app allows whoever planted the spyware, typically someone who previously had physical access to a victim's phone, to remotely view the phone's contents in real-time. As is common with phone spyware, mSpy's customer records include emails from people seeking help to surreptitiously track the phones of their partners, relatives, or children, according to TechCrunch's review of the data, which we independently obtained. Some of those emails and messages include requests for customer support from several senior-ranking U.S. military personnel, a serving U.S. federal appeals court judge, a U.S. government department's watchdog, and an Arkansas county sheriff's office seeking a free license to trial the app. Even after amassing several million customer service tickets, the leaked Zendesk data is thought to represent only the portion of mSpy's overall customer base who reached out for customer support. The number of mSpy customers is likely to be far higher. mSpy's owners, a Ukraine-based company called Brainstack, have yet to publicly disclose the breach. You can visit Have I Been Pwned to see if your email address was involved in a breach.

snydeq shares a report from CSO Online, written by Lucian Constantin: A personal GitHub access token with administrative privileges to the official repositories for the Python programming language and the Python Package Index (PyPI) was exposed for over a year. The access token belonged to the Python Software Foundation's director of infrastructure and was accidentally included in a compiled binary file that was published as part of a container image on Docker Hub. [...] The incident shows that scrubbing access tokens from source code only, which some development tools do automatically, is not enough to prevent potential security breaches. Sensitive credentials can also be included in environment variables, configuration files and even binary artifacts as a result of automated build processes and developer mistakes. "Although we encounter many secrets that are leaked in the same manner, this case was exceptional because it is difficult to overestimate the potential consequences if it had fallen into the wrong hands -- one could supposedly inject malicious code into PyPI packages (imagine replacing all Python packages with malicious ones), and even to the Python language itself," researchers from security firm JFrog, who found and reported the token, wrote in a report.

A bipartisan group of senators reached a new agreement on legislation that would ban members of Congress, their spouses and dependent children, as well as the president and vice president, from purchasing and selling stocks while in office. According to CNBC, it would also give lawmakers 90 days to sell their stocks. From the report: The proposal is the latest chapter in a yearslong saga in Congress to pass regulations that limit lawmakers' ability to buy and sell stocks, and the first one to get formal consideration by a Senate committee -- in this case the Homeland Security & Governmental Affairs Committee on July 24. Ethics experts say that legislators' access to the kind of information they receive gives them the potential of having an unfair advantage to the investing public.

Sens. Hawley, Jon Ossoff, D-Ga., Jeff Merkley, D-Ore., and Gary Peters, D-Mich., negotiated and announced the new details. If passed, the bill would also prohibit lawmakers' spouses and dependent children from trading stocks, beginning March 2027. Also starting that year, the U.S. president, vice president and all members of Congress would have to divest from any covered investments. The penalty for violating the divestment mandate, as proposed by the senators, would cost a lawmaker the greater amount of either their monthly salary, or 10% of the value of each covered asset in violation.

An anonymous reader shares a report: A CNN investigation found the use of hidden cameras is a persistent problem in the industry. Regulations are sparse, and the punishments for those that commit these crimes are lenient -- video voyeurism is typically charged as a misdemeanor. Meanwhile, the people who are recorded -- often naked or engaging in sexual activities -- say they suffer from long-term trauma and the fear that their images could, at any moment, be disseminated on the internet. An Airbnb spokesperson told CNN that hidden camera complaints are rare, but when they do occur, "we take appropriate, swift action, which can include removing hosts and listings that violate the policy."

At a court-ordered deposition last year, an Airbnb representative was supposed to answer a key question from the attorney suing the company: How many complaints or reports had been made to Airbnb since December 1, 2013, of people who had been recorded by surveillance devices? The Airbnb representative testified that the company generated 35,000 customer support tickets about surveillance devices in the preceding decade. An Airbnb spokesperson told CNN that a single report could create multiple tickets. The company declined to specify how many unique complaints there have been. In the deposition, which has not been previously reported, the company representative sought to downplay the significance of the number of tickets, testifying they could reflect instances such as a malfunctioning doorbell camera or a tablet with recording capabilities left out on a coffee table. The representative did not provide any statistics detailing the number of claims she suggested were innocuous among the 35,000 tickets.

A US District Court judge in San Francisco has largely dismissed a class-action lawsuit against GitHub, Microsoft, and OpenAI, which challenged the legality of using code samples to train GitHub Copilot. The judge ruled that the plaintiffs failed to establish a claim for restitution or unjust enrichment but allowed the claim for breach of open-source license violations to proceed. InfoWorld reports: The lawsuit, first filed in Nov. 2022, claimed that GitHub's training of the Copilot AI on public GitHub code repositories violated the rights of the "vast number of creators" who posted code under open-source licenses on GitHub. The complaint (PDF) alleged that "Copilot ignores, violates, and removes the Licenses offered by thousands -- possibly millions -- of software developers, thereby accomplishing software piracy on an unprecedented scale." [...]

In a decision first announced on June 24, but only unsealed and made public on July 5, California Northern District judge Jon S. Tigar wrote that "In sum, plaintiff's claims do not support the remedy they seek. Plaintiffs have failed to establish, as a matter of law, that restitution for any unjust enrichment is available as a measure of plaintiffs' damages for their breach of contract claims." Judge Tigar went on to state that "court dismisses plaintiffs' section 1202(b) claim, this time with prejudice. The Court declines to dismiss plaintiffs' claim for breach of contract of open-source license violations against all defendants. Finally, the court dismisses plaintiffs' request for monetary relief in the form of unjust enrichment, as well as plaintiffs' request for punitive damages."

An anonymous reader quotes a report from Ars Technica: Northwest Oregon had never seen anything like it. Over the course of three days in June 2021, Multnomah County -- the state's most populous county, which rests in the swayback along Oregon's northern border -- recorded highs of 108, 112, and 116 degrees Fahrenheit. Temperatures were so hot that the metal on cable cars melted and the asphalt on roadways buckled. Nearly half the homes in the county lacked cooling systems because of Oregon's typically gentle summers, where average highs top out at 81 degrees. Sixty-nine people perished from heat stroke, most of them in their homes. When scientific studies showed that the extreme temperatures were caused by heat domes, which experts say are influenced by climate change, county officials didn't just chalk it up to a random weather occurrence. They started researching the large fossil fuel companies whose emissions are driving the climate crisis -- including ExxonMobil, Shell, and Chevron -- and sued them (PDF).

"This catastrophe was not caused by an act of God," said Jeffrey B. Simon, a lawyer for the county, "but rather by several of the world's largest energy companies playing God with the lives of innocent and vulnerable people by selling as much oil and gas as they could." Now, 11 months after the suit was filed, Multnomah County is preparing to move forward with the case in Oregon state court after a federal judge in June settled (PDF) a monthslong debate over where the suit should be heard. About three dozen lawsuits have been filed by states, counties, and cities seeking damages from oil and gas companies for harms caused by climate change. Legal experts said the Oregon case is one of the first focused on public health costs related to high temperatures during a specific occurrence of the "heat dome effect." Most of the other lawsuits seek damages more generally from such ongoing climate-related impacts as sea level rise, increased precipitation, intensifying extreme weather events, and flooding. [...]

The Multnomah County lawsuit says that Exxon, Shell, Chevron, and others engaged in a range of improper practices, including negligence, creating a public nuisance, fraud, and deceit. The suit alleges that the companies were aware of the harms of fossil fuels and engaged in a "scheme to rapaciously sell fossil fuel products and deceptively promote them as harmless to the environment, while they knew that carbon pollution emitted by their products into the atmosphere would likely cause deadly extreme heat events like that which devastated Multnomah County." "We know that climate-induced weather events like the 2021 Heat Dome harm the residents of Multnomah County and cause real financial costs to our local government," Multnomah County Chair Jessica Vega Pederson said in a statement. "The Court's decision to hear this lawsuit in State Court validates our assertion that the case should be resolved here -- it's an important win for this community." In the suit, officials in Portland's Multnomah County said that they will ultimately incur costs in excess of $1.5 billion to deal with the effects of the 2021 heat dome.

"We allege that this is just like any other kind of public health crisis and mass destruction of property that is caused by corporate wrongdoing," said Simon, partner in the law firm of Simon Greenstone Panatier. "We contend that these companies polluted the atmosphere with carbon from the burning of fossil fuels; that they foresaw that extreme environmental harm would be caused by it; that some of them, we contend, deliberately misled the public about that."

Eton College, Britain's elite boarding school with alumni that includes Princes William and Harry, as well as George Orwell and a long list of others, is banning incoming students from having smartphones. Instead, the school will provide students with a Nokia "brick" phone, which will only be capable of making calls and sending text messages. CBS News reports: Parents of first-year students at Eton -- where tuition exceeds $60,000 per year -- were informed of the changes in a letter, which said that incoming 13-year-old boarders should have their smart devices taken home after their SIM cards are transferred to offline Nokia phones provided by the school, which can only make calls and send simple text messages. Eton's previous rules on smartphones required first-year students to hand over their devices overnight.

"Eton routinely reviews our mobile phone and devices policy to balance the benefits and challenges that technology brings to schools," a spokesperson for the school told CBS News on Tuesday, adding that those joining in Year 9, essentially the equivalent of freshman year in high school for American students, "will receive a 'brick' phone for use outside the school day, as well as a school-issued iPad to support academic study." The spokesperson added that "age-appropriate controls remain in place for other year groups." The ban follows a recent guidance issued by the UK government backing school principals who decide to ban smartphones during the school day. The goal is to help minimize disruption and improve classroom behavior.