Bitcoin

Seattle Startup's Ex-CFO Accused of Diverting $35 Million, Losing It In Crypto Crash (seattletimes.com)

A former CFO of a Seattle startup is accused of diverting $35 million and losing it when the crypto market crashed last year, according to a report. The CFO allegedly used the funds for personal expenses and investments without authorization. The Seattle Times reports: Nevin Shetty, 39, was hired in March 2021 as CFO of a company called fabric, which makes software platforms for retail commerce. About a year later, after the company informed him it was letting him go over job performance concerns, he secretly took the money and transferred it to HighTower Treasury, a crypto platform he controlled as a side business, the indictment said. His idea was to pay the company 6% interest while retaining profits above that, but soon the $35 million investment was practically worthless, the U.S. Attorney's Office in Seattle said in a news release.

The indictment in U.S. District Court charged Shetty with four counts of wire fraud. He is scheduled to be arraigned May 25. Shetty's attorney, Cooper Offenbecher, said in an emailed statement that he and his client had been in regular contact with prosecutors and disagreed with the decision to bring an indictment. "As the CFO of his former employer, tasked with making investment decisions for its benefit, Mr. Shetty was personally devastated by these losses, which occurred as a result of a catastrophic crash in the cryptocurrency market in May 2022," Offenbecher wrote. "We look forward to responding to these allegations in Court."

Prosecutors, however, said that as the company raised hundreds of millions of dollars in startup funding, it adopted a conservative approach to managing that money -- a policy that Shetty had helped draft. According to the Seattle tech news website GeekWire, fabric had raised more than $293 million by February 2022 and was valued at $1.5 billion. In an emailed statement, the company said it had been cooperating with law enforcement and appreciated the work of the FBI and federal prosecutors. "While the amount taken is substantial, fabric remains very well-funded with years of runway," the statement said.

The Courts

Supreme Court Rules Against Reexamining Section 230 (theverge.com)

Adi Robertson writes via The Verge: The Supreme Court has declined to consider reinterpreting foundational internet law Section 230, saying it wasn't necessary for deciding the terrorism-related case Gonzalez v. Google. The ruling came alongside a separate but related ruling in Twitter v. Taamneh, where the court concluded that Twitter had not aided and abetted terrorism. In an unsigned opinion (PDF) issued today, the court said the underlying complaints in Gonzalez were weak, regardless of Section 230's applicability. The case involved the family of a woman killed in a terrorist attack suing Google, which the family claimed had violated the law by recommending terrorist content on YouTube. They sought to hold Google liable under anti-terrorism laws.

The court dismissed the complaint largely because of its unanimous ruling (PDF) in Twitter v. Taamneh. Much like in Gonzalez, a family alleged that Twitter knowingly supported terrorists by failing to remove them from the platform before a deadly attack. In a ruling authored by Justice Clarence Thomas, however, the court declared that the claims were "insufficient to establish that these defendants aided and abetted ISIS" for the attack in question. Thomas declared that Twitter's failure to police terrorist content failed the requirement for some "affirmative act" that involved meaningful participation in an illegal act. "If aiding-and-abetting liability were taken too far, then ordinary merchants could become liable for any misuse of their goods and services, no matter how attenuated their relationship with the wrongdoer," writes Thomas. That includes "those who merely deliver mail or transmit emails" becoming liable for the contents of those messages or even people witnessing a robbery becoming liable for the theft. "There are no allegations that defendants treated ISIS any differently from anyone else. Rather, defendants' relationship with ISIS and its supporters appears to have been the same as their relationship with their billion-plus other users: arm's length, passive, and largely indifferent."

For Gonzalez v. Google, "the allegations underlying their secondary-liability claims are materially identical to those at issue in Twitter," says the court. "Since we hold that the complaint in that case fails to state a claim for aiding and abetting ... it appears to follow that the complaint here likewise fails to state such a claim." Because of that, "we therefore decline to address the application of 230 to a complaint that appears to state little, if any, plausible claim for relief." [...] The Gonzalez ruling is short and declines to deal with many of the specifics of the case. But the Twitter ruling does take on a key question from Gonzalez: whether recommendation algorithms constitute actively encouraging certain types of content. Thomas appears skeptical: "To be sure, plaintiffs assert that defendants' 'recommendation' algorithms go beyond passive aid and constitute active, substantial assistance. We disagree. By plaintiffs' own telling, their claim is based on defendants' 'provision of the infrastructure which provides material support to ISIS.' Viewed properly, defendants' 'recommendation' algorithms are merely part of that infrastructure. All the content on their platforms is filtered through these algorithms, which allegedly sort the content by information and inputs provided by users and found in the content itself. As presented here, the algorithms appear agnostic as to the nature of the content, matching any content (including ISIS' content) with any user who is more likely to view that content. The fact that these algorithms matched some ISIS content with some users thus does not convert defendants' passive assistance into active abetting. Once the platform and sorting-tool algorithms were up and running, defendants at most allegedly stood back and watched; they are not alleged to have taken any further action with respect to ISIS."
"The interpretation may deal a blow to one common argument for adding special liability to social media: the claim that recommendation systems go above and beyond simply hosting content and explicitly encourage that content," adds Robertson. "This ruling's reasoning suggests that simply recommending something on an 'agnostic' basis -- as opposed to, in one hypothetical from Thomas, creating a system that 'consciously and selectively chose to promote content provided by a particular terrorist group' -- isn't an active form of encouragement."
The Courts

Supreme Court Sidesteps Challenge To Internet Companies' Broad Protections From Lawsuits (apnews.com)

The Supreme Court on Thursday sidestepped a case against Google that might have allowed more lawsuits against social media companies. From a report: The justices' decision returns to a lower court the case of a family of an American college student who was killed in an Islamic State terrorist attack in Paris. The family wants to sue Google for YouTube videos they said helped attract IS recruits and radicalize them. Google claims immunity from the lawsuit under a 1996 law that generally shields social media companies from liability for content posted by others. Lower courts agreed with Google. The justices had agreed to consider whether the legal shield is too broad. But in arguments in February, several sounded reluctant to weigh in now. In an unsigned opinion Thursday, the court wrote that it was declining to address the law at issue.
Government

Montana Becomes First US State To Ban TikTok (reuters.com)

Montana is now the first U.S. state to ban TikTok after Montana Governor Greg Gianforte signed legislation to ban the app from operating in the state. Reuters reports: Montana will make it unlawful for Google and Apple's app stores to offer the TikTok app within its borders. The ban takes effect Jan. 1, 2024. TikTok, which has over 150 million American users, is facing growing calls from U.S. lawmakers and state officials to ban the app nationwide over concerns about potential Chinese government influence over the platform. Gov. Gianforte, a Republican, said the bill will further "our shared priority to protect Montanans from Chinese Communist Party surveillance."

Montana, which has a population of just over 1 million people, said TikTok could face fines for each violation and additional fines of $10,000 per day if it violates the ban. The ban will likely face numerous legal challenges that it violates the First Amendment free speech rights of users. An attempt by then President Donald Trump to ban new downloads of TikTok and WeChat through a Commerce Department order in 2020 was blocked by multiple courts and never took effect.
The legislation that Gianforte signed also generally prohibits "the use of all social media applications that collect and provide personal information or data to foreign adversaries on government-issued devices," adds Reuters.

It's unclear if the bill signed today would effectively ban all social media in Montana, since most social media networks collect such information and share it with entities in foreign countries.
Crime

Court Orders Theranos Founder Elizabeth Holmes To Go To Prison (cnbc.com)

Disgraced Theranos founder Elizabeth Holmes has been ordered to report to prison while she appeals her fraud conviction and prison sentence of over 11 years for defrauding investors. She has also been ordered, jointly with her former partner Ramesh "Sunny" Balwani, who was also convicted and sentenced to 13 years in prison, to pay $452 million in restitution to victims. CNBC reports: Elizabeth Holmes, the disgraced CEO of Theranos, must report to prison on May 30, according to a ruling issued Wednesday by U.S. District Judge Edward Davila. Holmes must report to prison no later than 2:00 p.m. local time on that day, and is expected to begin her sentence at a minimum-security facility in Bryan, Texas. On Tuesday, an appeals court rejected Holmes' bid to stay out of prison while she appeals her conviction. In another Tuesday ruling, Judge Davila ordered that Holmes and former Theranos executive Ramesh "Sunny" Balwani pay $452 million in restitution to victims.
Privacy

Telly, the 'Free' Smart TV With Ads, Has Privacy Policy Red Flags (techcrunch.com)

An anonymous reader shares a report: This week, we looked at a new hardware startup called Telly that's giving away half a million of its new smart televisions for free. The catch is that the 55-inch smart television is fitted with a second display that sits underneath and displays ads while you watch your favorite shows. The trade-off for a free television is agreeing to let this brand-new startup collect vast amounts of data about you because the money ads make from you cover the costs of the television itself. According to its privacy policy, the startup collects data about what you view, where you're located, what you watch, as well as what could be inferred about you from that information.

But annotations left in its privacy policy that were published in error raise concerns about its data practices. We've pasted below the portion of Telly's privacy policy verbatim, typos included, as it was published at the time; the questionable passage is the parenthetical annotation near the end (TechCrunch set it in bold for emphasis): "As noted in the Terms of Use, we do not knowingly collect or solicitPersonal Data about children under 13 years of age; ifyou are a child under the age of 13, please do not attempt to register for orotherwise use the Services or send us any Personal Data. Use of the Servicesmay capture the physical presence of a child under the age of 13, but noPersonal Data about the child is collected. If we learn we have collectedPersonal Data from a child under 13 years of age, we will delete thatinformation as quickly as possible. (I don't know that this is accurate. Do wehave to say we will delete the information or is there another way aroundthis)? If you believe that a child under 13 years of age may have providedPersonal Data to us, please contact us at..." A short time after contacting Telly for comment, the company removed the section from its privacy policy.

Hardware

Logitech Partners With iFixit for Self-Repairs (theverge.com)

Hanging on to your favorite wireless mouse just got a little easier thanks to a new partnership between Logitech and DIY repair specialists iFixit. The Verge: The two companies are working together to reduce unnecessary e-waste and help customers repair their own out-of-warranty Logitech hardware by supplying spare parts, batteries, and repair guides for "select products." Everything will eventually be housed in the iFixit Logitech Repair Hub, with parts available to purchase as needed or within "Fix Kits" that provide everything needed to complete the repair, such as tools and precision bit sets. Starting "this summer," Logitech's MX Master and MX Anywhere mouse models will be the first products to receive spare parts. Pricing information has not been disclosed yet, and Logitech hasn't mentioned any other devices that will receive the iFixit genuine replacement parts and repair guide treatment.
Cellphones

Re-Victimization From Police-Auctioned Cell Phones (krebsonsecurity.com)

An anonymous reader quotes a report from KrebsOnSecurity: Countless smartphones seized in arrests and searches by police forces across the United States are being auctioned online without first having the data on them erased, a practice that can lead to crime victims being re-victimized, a new study found (PDF). In response, the largest online marketplace for items seized in U.S. law enforcement investigations says it now ensures that all phones sold through its platform will be data-wiped prior to auction.

Researchers at the University of Maryland last year purchased 228 smartphones sold "as-is" from PropertyRoom.com, which bills itself as the largest auction house for police departments in the United States. Of phones they won at auction (at an average of $18 per phone), the researchers found 49 had no PIN or passcode; they were able to guess an additional 11 of the PINs by using the top-40 most popular PIN or swipe patterns. Phones may end up in police custody for any number of reasons -- such as the owner having been involved in identity theft -- and in these cases the phone itself was used as a tool to commit the crime. "We initially expected that police would never auction these phones, as they would enable the buyer to recommit the same crimes as the previous owner," the researchers explained in a paper released this month. "Unfortunately, that expectation has proven false in practice."

Beyond what you would expect from unwiped second hand phones -- every text message, picture, email, browser history, location history, etc. -- the 61 phones they were able to access also contained significant amounts of data pertaining to crime -- including victims' data -- the researchers found. [...] Also, the researchers found that many of the phones clearly had personal information on them regarding previous or intended targets of crime: A dozen of the phones had photographs of government-issued IDs. Three of those were on phones that apparently belonged to sex workers; their phones contained communications with clients.
"We informed [PropertyRoom] of our research in October 2022, and they responded that they would review our findings internally," said Dave Levin, an assistant professor of computer science at University of Maryland. "They stopped selling them for a while, but then it slowly came back, and then we made sure we won every auction. And all of the ones we got from that were indeed wiped, except there were four devices that had external SD [storage] cards in them that weren't wiped."
AI

OpenAI CEO In 'Historic' Move Calls For Regulation Before Congress

OpenAI CEO Sam Altman appeared before a Senate Judiciary subcommittee, along with IBM chief privacy officer Christina Montgomery and NYU professor Gary Marcus, to testify about the dangers posed by generative artificial intelligence. Altman said he'd welcome legislation in the space and urged Congress to work with OpenAI and other companies in the field to figure out rules and guardrails. Axios reports: Altman argued that generative AI is different and requires a separate policy response. He called it a "tool" for users that cannot do full jobs on its own, merely tasks. Altman called for a government agency that would promulgate rules around licensing for certain tiers of AI systems "above a crucial threshold of capabilities." He said: "My worst fear is we cause significant harm to the world."

Sen. Dick Durbin (D-Ill.) called it "historic" that a company was coming to Congress pleading for regulation. IBM's Montgomery said it was important to regulate risks, not tech itself. "This cannot be the era of move fast and break things," she said.
Privacy

Your DNA Can Now Be Pulled From Thin Air (nytimes.com)

Environmental DNA research has aided conservation, but scientists say its ability to glean information about human populations and individuals poses dangers. From a report: David Duffy, a wildlife geneticist at the University of Florida, just wanted a better way to track disease in sea turtles. Then he started finding human DNA everywhere he looked. Over the last decade, wildlife researchers have refined techniques for recovering environmental DNA, or eDNA -- trace amounts of genetic material that all living things leave behind. A powerful and inexpensive tool for ecologists, eDNA is all over -- floating in the air, or lingering in water, snow, honey and even your cup of tea. Researchers have used the method to detect invasive species before they take over, to track vulnerable or secretive wildlife populations and even to rediscover species thought to be extinct. The eDNA technology is also used in wastewater surveillance systems to monitor Covid and other pathogens. But all along, scientists using eDNA were quietly recovering gobs and gobs of human DNA. To them, it's pollution, a sort of human genomic bycatch muddying their data. But what if someone set out to collect human eDNA on purpose?

New DNA collecting techniques are "like catnip" for law enforcement officials, says Erin Murphy, a law professor at the New York University School of Law who specializes in the use of new technologies in the criminal legal system. The police have been quick to embrace unproven tools, like using DNA to create probability-based sketches of a suspect. That could pose dilemmas for the preservation of privacy and civil liberties, especially as technological advancement allows more information to be gathered from ever smaller eDNA samples. Dr. Duffy and his colleagues used a readily available and affordable technology to see how much information they could glean from human DNA gathered from the environment in a variety of circumstances, such as from outdoor waterways and the air inside a building. The results of their research, published Monday in the journal Nature Ecology & Evolution, demonstrate that scientists can recover medical and ancestry information from minute fragments of human DNA lingering in the environment. Forensic ethicists and legal scholars say the Florida team's findings increase the urgency for comprehensive genetic privacy regulations.

Microsoft

Microsoft Is Scanning the Inside of Password-Protected Zip Files For Malware (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Microsoft cloud services are scanning for malware by peeking inside users' zip files, even when they're protected by a password, several users reported on Mastodon on Monday. Compressing file contents into archived zip files has long been a tactic threat actors use to conceal malware spreading through email or downloads. Eventually, some threat actors adapted by protecting their malicious zip files with a password the end user must type when converting the file back to its original form. Microsoft is one-upping this move by attempting to bypass password protection in zip files and, when successful, scanning them for malicious code.

While analysis of password-protected zip files in Microsoft cloud environments is well-known to some people, it came as a surprise to Andrew Brandt. The security researcher has long archived malware inside password-protected zip files before exchanging them with other researchers through SharePoint. On Monday, he took to Mastodon to report that the Microsoft collaboration tool had recently flagged a zip file, which had been protected with the password "infected." "While I totally understand doing this for anyone other than a malware analyst, this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues malware samples," Brandt wrote. "The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs."

Fellow researcher Kevin Beaumont joined the discussion to say that Microsoft has multiple methods for scanning the contents of password-protected zip files and uses them not just on files stored in SharePoint but all its 365 cloud services. One way is to extract any possible passwords from the bodies of email or the name of the file itself. Another is by testing the file to see if it's protected with one of the passwords contained in a list. "If you mail yourself something and type something like 'ZIP password is Soph0s', ZIP up EICAR and ZIP password it with Soph0s, it'll find (the) password, extract and find (and feed MS detection)," he wrote.
"A Google representative said the company doesn't scan password-protected zip files, though Gmail does flag them when users receive such a file," notes Ars.

"One other thing readers should remember: password-protected zip files provide minimal assurance that content inside the archives can't be read. As Beaumont noted, ZipCrypto, the default means for encrypting zip files in Windows, is trivial to override. A more dependable way is to use an AES-256 encryptor built into many archive programs when creating 7z files."
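As an added example (not Microsoft's, Beaumont's or Ars' code), here is the password-harvesting approach Beaumont describes, in Python: candidate passwords are pulled from the mail body with a regex, then from the attachment's filename tokens, then from a short wordlist, and each is tried in that order against a legacy ZipCrypto archive. The mail text, the archive and the wordlist are all constructed for the example; the small ZipCrypto encryptor is included only because Python's zipfile can decrypt that scheme but not write it, so the test archive has to be built by hand. Two practitioner caveats: this is a plain dictionary attack keyed on hints, not the separate known-plaintext weakness of ZipCrypto that Ars alludes to; and switching to an AES-encrypted 7z defeats this particular zipfile-based opener but not the harvesting step, so a sample-sharing password that appears in the same message as the attachment is still recoverable by any scanner that reads the message.

```python
"""Added example, not Microsoft's or Beaumont's code: harvest password
candidates from an e-mail body and attachment name, then try them against a
legacy ZipCrypto archive built in-process.  The mail text, archive and
wordlist are all constructed for this example."""
import io
import os
import re
import struct
import zipfile
import zlib

def _crc_entry(i):
    for _ in range(8):
        i = (i >> 1) ^ 0xEDB88320 if i & 1 else i >> 1
    return i

CRC_TABLE = [_crc_entry(i) for i in range(256)]   # CRC-32 table, poly 0xEDB88320

class ZipCrypto:
    """Traditional PKWARE encryption (APPNOTE 6.1), encrypt side only; the
    decrypt side is already in Python's zipfile, which is what we attack."""

    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b: int):
        k = self.k
        k[0] = CRC_TABLE[(k[0] ^ b) & 0xFF] ^ (k[0] >> 8)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = CRC_TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF] ^ (k[2] >> 8)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = self.k[2] | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)          # keystream is driven by plaintext bytes
        return bytes(out)

def build_zipcrypto_archive(entry: str, plaintext: bytes, password: str) -> bytes:
    """Single-entry, stored zip with a ZipCrypto-encrypted entry (what Windows
    Explorer writes); built by hand because zipfile cannot encrypt."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    zc = ZipCrypto(password.encode())
    # 12-byte encryption header: 11 filler bytes (random in real tools) plus
    # the CRC's high byte, which readers use as their "wrong password" check.
    body = zc.encrypt(bytes(range(11)) + bytes([crc >> 24])) + zc.encrypt(plaintext)
    name = entry.encode()
    flags, method, dos_time = 1, 0, 0                 # flag bit 0 = encrypted
    dos_date = ((2023 - 1980) << 9) | (5 << 5) | 18   # 2023-05-18
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method,
                        dos_time, dos_date, crc, len(body), len(plaintext),
                        len(name), 0) + name + body
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags,
                          method, dos_time, dos_date, crc, len(body),
                          len(plaintext), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                       len(local), 0)
    return local + central + eocd

# Matches "ZIP password is Soph0s", "pw: hunter2", 'password = "x"' and similar.
PASSWORD_HINT = re.compile(
    r"(?i)\b(?:zip\s+)?(?:password|passwd|pass|pwd|pw)\b\s*(?:is|:|=)?\s*"
    r"[\"'`]?(\w[^\s\"'`]*)")
COMMON_PASSWORDS = ["password", "123456", "infected", "malware", "virus"]

def candidates(email_body: str, attachment_name: str) -> list:
    """Ordered, de-duplicated candidates: mail hints first, then tokens of the
    attachment's filename, then the static wordlist."""
    stem = os.path.splitext(os.path.basename(attachment_name))[0]
    raw = (PASSWORD_HINT.findall(email_body)
           + [t for t in re.split(r"[\s_.\-]+", stem) if t]
           + COMMON_PASSWORDS)
    return list(dict.fromkeys(raw))

def crack(archive: bytes, email_body: str, attachment_name: str):
    """Return (password, first entry's plaintext, attempts) or (None, None, n)."""
    attempts = 0
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        entry = zf.namelist()[0]
        for attempts, pwd in enumerate(candidates(email_body, attachment_name), 1):
            try:
                return pwd, zf.read(entry, pwd=pwd.encode()), attempts
            except (RuntimeError, zipfile.BadZipFile):
                continue   # header check byte mismatch, or (1 in 256) bad CRC
    return None, None, attempts

# The standard EICAR test string: harmless, but every AV engine flags it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
```

With a mail body of "ZIP password is Soph0s" and an attachment built as `build_zipcrypto_archive("eicar.com", EICAR, "Soph0s")`, `crack(...)` returns the password, the EICAR bytes and an attempt count of 1; with no hint in the body and a filename such as report_infected.zip, the filename tokens still recover "infected" on the second attempt, which is why a scanner gets the filename source for free. Candidate order matters more than wordlist size here: the sources the attacker (or scanner) already has on hand are tried before the generic list.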
Piracy

Anti-Piracy Outfit Wipes ACE's 'Watch Legally' Page From Google (torrentfreak.com)

An anonymous reader quotes a report from TorrentFreak: ACE, the world's leading anti-piracy coalition, is facing an unexpected setback after Google removed a page that advises 'pirates' where they can watch content legally. The removal is the result of an erroneous takedown notice from a competing anti-piracy organization and was likely triggered by an ACE domain name seizure. [...] After the "Watch Legally" page was removed from Google search, visitors see a takedown notice at the bottom of the results.

In response to a recent takedown notice, Google removed ACE's "Watch Legally" page for alleged copyright infringement. This action was taken at the behest of Indian anti-piracy outfit AiPlex. The ACE page was repeatedly flagged by AiPlex in recent weeks. In one notice, for example, it's accused of distributing a pirated copy of the film 'Virgin Bhanupriya,' together with sites such as foumovies.pw, afilmyhit.cafe, and yomovies.bid. Why AiPlex flagged a page that's designed to drive traffic to legal services is unclear.

Google

Google: AI Should Not Be Considered an Inventor (axios.com)

AI technology should not be considered an "inventor" by U.S. patent law, Google argues in a new filing with the U.S. Patent and Trademark Office. From a report: USPTO is currently soliciting comments on AI technologies and inventorship -- asking people, among other things, how AI is being used in creating inventions and whether its contributions would qualify it for treatment as a joint inventor. Questions posed by USPTO include: "If an AI system contributes to an invention at the same level as a human who would be considered a joint inventor, is the invention patentable under current patent laws? Are there situations in which AI-generated contributions are not owned by any entity and therefore part of the public domain?"
Privacy

TSA Tests Facial Recognition Technology To Boost Airport Security (apnews.com)

An anonymous reader shares a report: A passenger walks up to an airport security checkpoint, slips an ID card into a slot and looks into a camera atop a small screen. The screen flashes "Photo Complete" and the person walks through -- all without having to hand over their identification to the TSA officer sitting behind the screen. It's all part of a pilot project by the Transportation Security Administration to assess the use of facial recognition technology at a number of airports across the country. "What we are trying to do with this is aid the officers to actually determine that you are who you say who you are," said Jason Lim, identity management capabilities manager, during a demonstration of the technology to reporters at Baltimore-Washington International Thurgood Marshall Airport.

The effort comes at a time when the use of various forms of technology to enhance security and streamline procedures is only increasing. TSA says the pilot is voluntary and accurate, but critics have raised concerns about questions of bias in facial recognition technology and possible repercussions for passengers who want to opt out. The technology is currently in 16 airports. In addition to Baltimore, it's being used at Reagan National near Washington, D.C., airports in Atlanta, Boston, Dallas, Denver, Detroit, Las Vegas, Los Angeles, Miami, Orlando, Phoenix, Salt Lake City, San Jose, and Gulfport-Biloxi and Jackson in Mississippi. However, it's not at every TSA checkpoint so not every traveler going through those airports would necessarily experience it.

Cellphones

As Wireless Carriers 'Rip and Replace' Chinese-Made Telecom Equipment, Who Pays? (sanjuandailystar.com)

"Deep in a pine forest in Wilcox County, Alabama, three workers dangled from the top of a 350-foot cellular tower," reports the New York Times. "They were there to rip out and replace Chinese equipment from the local wireless network..." As the United States and China battle for geopolitical and technological primacy, the fallout has reached rural Alabama and small wireless carriers in dozens of states. They are on the receiving end of the Biden administration's sweeping policies to suppress China's rise, which include trade restrictions, a $52 billion package to bolster domestic semiconductor manufacturing against China and the divestiture of the video app TikTok from its Chinese owner. What the wireless carriers must do, under a program known as "rip and replace," has become the starkest physical manifestation of the tech Cold War between the two superpowers. The program, which took effect in 2020, mandates that American companies tear out telecom equipment made by the Chinese companies Huawei and ZTE. U.S. officials have warned that gear from those companies could be used by Beijing for espionage and to steal commercial secrets.

Instead, U.S. carriers have to use equipment from non-Chinese companies. The Federal Communications Commission, which oversees the program, would then reimburse the carriers from a pot of $1.9 billion intended to cover their costs. Similar rip-and-replace efforts are taking place elsewhere. In Europe, where Huawei products have been a key part of telecom networks, carriers in Belgium, Britain, Denmark, the Netherlands and Sweden have also been swapping out the Chinese equipment because of security concerns, according to Strand Consult, a research firm that tracks the telecom industry. "Rip-and-replace was the first front in a bigger story about the U.S. and China's decoupling, and that story will continue into the next decade with a global race for A.I. and other technologies," said Blair Levin, a former F.C.C. chief of staff and a fellow at the Brookings Institution.

But cleansing U.S. networks of Chinese tech has not been easy. The costs have already ballooned above $5 billion, according to the F.C.C., more than double what Congress appropriated for reimbursements. Many carriers also face long supply chain delays for new equipment. The program's burden has fallen disproportionately on smaller carriers, which relied more on the cheaper gear from the Chinese firms than large companies like AT&T and Verizon. Given rip-and-replace's difficulties, some smaller wireless companies now say they may not be able to upgrade their networks and continue serving their communities, where they are often the only internet providers. "For many rural communities, they are faced with the disastrous choice of having to continue to use insecure networks that are ripe for surveillance or having to cut off their services," said Geoffrey Starks, a Democratic commissioner at the F.C.C.

Last month, Senator Deb Fischer, a Republican of Nebraska, introduced a bill to close the gap in rip-and-replace funding for carriers... In January, the F.C.C. said it had received 126 applications seeking funding beyond what it could reimburse. Lawmakers had underestimated the costs of shredding Huawei and ZTE equipment, and new equipment and labor costs have risen. The F.C.C. said it could cover only about 40 percent of the expenses. Some wireless carriers immediately paused their replacement efforts. "Until we have assurance of total project funding, this project will continue to be delayed as we await the necessary funding required to build and pay for the new network equipment," United Wireless of Dodge City, Kansas, wrote in a regulatory filing to the F.C.C. in January.

Government

Three Companies Faked Millions of Comments Supporting 2017 Repeal of 'Net Neutrality' Rules (yahoo.com)

Three companies "supplied millions of fake public comments to influence a 2017 proceeding by the Federal Communications Commission (FCC) to repeal net neutrality rules," announced New York's attorney general this week.

Their investigation "found that the fake comments used the identities of millions of consumers, including thousands of New Yorkers, without their knowledge or consent," as well as "widespread fraud and abusive practices." Collectively, the three companies have agreed to pay $615,000 in penalties and disgorgement. This is the second series of agreements secured by Attorney General James with companies that supplied fake comments to the FCC... As detailed in a report by the Office of the Attorney General, the nation's largest broadband companies funded a secret campaign to generate millions of comments to the FCC in 2017. These comments provided "cover" for the FCC to repeal net neutrality rules. To help generate these comments, the broadband industry engaged commercial lead generators that used advertisements and prizes, like gift cards and sweepstakes entries, to encourage consumers to join the campaign.

However, nearly every lead generator that was hired to enroll consumers in the campaign instead simply fabricated consumers' responses. As a result, more than 8.5 million fake comments that impersonated real people were submitted to the FCC, and more than half a million fake letters were sent to Congress. Two of the companies, LCX and Lead ID, were each engaged to enroll consumers in the campaign. Instead, each independently fabricated responses for 1.5 million consumers. The third company, Ifficient, acted as an intermediary, engaging other lead generators to enroll consumers in the campaign. Ifficient supplied its client with more than 840,000 fake responses it had received from the lead generators it had hired.

The Office of the Attorney General's investigation also revealed that the fraud perpetrated by the various lead generators in the net neutrality campaign infected other government proceedings as well. Several of the lead generation firms involved in the broadband industry's net neutrality comment campaigns had also worked on other, unrelated campaigns to influence regulatory agencies and public officials. In nearly all of these advocacy campaigns, the lead generation firms engaged in fraud. As a result, more than 1 million fake comments were generated for other rulemaking proceedings, and more than 3.5 million fake digital signatures for letters and petitions were generated for federal and state legislators and government officials across the nation.

LCX and Lead ID were responsible for many of these fake comments, letters, and petition signatures. Across four advocacy campaigns in 2017 and 2018, LCX fabricated consumer responses used in approximately 900,000 public comments submitted to the Environmental Protection Agency (EPA) and the Bureau of Ocean Energy Management (BOEM) at the U.S. Department of the Interior. Similarly, in advocacy campaigns between 2017 and 2019, Lead ID fabricated more than half a million consumer responses. These campaigns targeted a variety of government agencies and officials at the federal and state levels...

LCX and its principals will pay $400,000 in penalties and disgorgement to New York and $100,000 to the San Diego District Attorney's Office.

Thanks to Slashdot reader gkelley for sharing the news.

Government

US Aims To Turn Middle-American Cities Into New Tech Hubs With $500 Million Investment (cnbc.com)

An anonymous reader quotes a report from CNBC: The U.S. government is seeking to turn metro areas in middle America into the next hot spots of tech innovation with an initial $500 million investment. The Department of Commerce announced Friday its first notice of funding opportunity, or NOFO, for the Regional Technology and Innovation Hub program, known as Tech Hubs. It kicks off the process for eligible groups around the country to apply to be designated as Tech Hubs. That designation gives them the chance to take advantage of the funds to make their regions attractive places for entrepreneurs and technologists to live and work.

Congress authorized $10 billion for the program between fiscal years 2023 and 2027, of which $500 million is available to be distributed this year. Under the current funding opportunity, a total of $15 million in planning grants will be made available to applicants designated as Tech Hubs. Later this year, the Department will seek to award five to 10 designated Tech Hubs grants of $50 million to $75 million each to help build out capacity in their region, according to a Department of Commerce official. President Joe Biden requested $4 billion be made available for Tech Hubs in next year's budget.

Eligible applicants are groups made up of at least one entity from each of the following categories: a higher education institution, subdivision of local or state government, industry or firm in relevant tech or manufacturing field, economic development group, and labor organization or workforce training group. Under the statute, Tech Hubs should focus on a specific set of key areas of technology, which include artificial intelligence, robotics, natural disaster prevention, biotechnology, cybersecurity, energy efficiency and more. The department must designate at least 20 Tech Hubs under the law. The hope is that the infusion of funds will help regions across the country become essential centers of innovation and create more well-paying jobs across a greater swath of the nation.

"America leads the world in technological innovation. But the sad reality is that our tech ecosystem is extremely concentrated," Commerce Secretary Gina Raimondo told reporters on a briefing call Thursday, noting that 80% of U.S. venture capital money is invested in the San Francisco Bay Area, the Northeast and Southern California. "There's so much more potential for tech innovation all across the country. In the U.S. we have the best research institutions in the world. That's indisputable. And frankly, many of them are in America's heartland, far from the coast."

"President Biden is so clear on one point, which is that everyone in America deserves a fair shot at economic opportunity, no matter where they live, and they shouldn't have to move in order to get a good job," Raimondo said. "Nobody should have to leave their family or support system or network to move to New York or San Francisco just to get a good job."

Security

Discord Discloses Data Breach After Support Agent Got Hacked (bleepingcomputer.com)

Discord has informed users of a data breach that occurred after a third-party support agent's account was compromised, exposing user email addresses, messages exchanged with Discord support, and any attachments sent as part of the tickets. Discord immediately disabled the account and worked with the customer service partner to prevent similar incidents in the future, but users are advised to stay vigilant for any suspicious activity. BleepingComputer reports: "Due to the nature of the incident, it is possible that your email address, the contents of customer service messages and any attachments sent between you and Discord may have been exposed to a third party," Discord said in letters sent to affected users. "As soon as Discord was made aware of the issue, we deactivated the compromised account and completed malware checks on the affected machine."

They also worked with the customer service partner to implement effective measures to prevent similar incidents in the future. "While we believe the risk is limited, it is recommended that you be vigilant for any suspicious messages or activity, such as fraud or phishing attempts," the company said.

Security

Microsoft Will Take Nearly a Year To Finish Patching New 0-Day Secure Boot Bug (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Earlier this week, Microsoft released a patch to fix a Secure Boot bypass bug used by the BlackLotus bootkit we reported on in March. The original vulnerability, CVE-2022-21894, was patched in January, but the new patch for CVE-2023-24932 addresses another actively exploited workaround for systems running Windows 10 and 11 and Windows Server versions going back to Windows Server 2008. The BlackLotus bootkit is the first-known real-world malware that can bypass Secure Boot protections, allowing for the execution of malicious code before your PC begins loading Windows and its many security protections. Secure Boot has been enabled by default for over a decade on most Windows PCs sold by companies like Dell, Lenovo, HP, Acer, and others. PCs running Windows 11 must have it enabled to meet the software's system requirements.

Microsoft says that the vulnerability can be exploited by an attacker with either physical access to a system or administrator rights on a system. It can affect physical PCs and virtual machines with Secure Boot enabled. We highlight the new fix partly because, unlike many high-priority Windows fixes, the update will be disabled by default for at least a few months after it's installed and partly because it will eventually render current Windows boot media unbootable. The fix requires changes to the Windows boot manager that can't be reversed once they've been enabled. Additionally, once the fixes have been enabled, your PC will no longer be able to boot from older bootable media that doesn't include the fixes. On the lengthy list of affected media: Windows install media like DVDs and USB drives created from Microsoft's ISO files; custom Windows install images maintained by IT departments; full system backups; network boot drives including those used by IT departments to troubleshoot machines and deploy new Windows images; stripped-down boot drives that use Windows PE; and the recovery media sold with OEM PCs.

Not wanting to suddenly render any users' systems unbootable, Microsoft will be rolling the update out in phases over the next few months. The initial version of the patch requires substantial user intervention to enable -- you first need to install May's security updates, then use a five-step process to manually apply and verify a pair of "revocation files" that update your system's hidden EFI boot partition and your registry. These will make it so that older, vulnerable versions of the bootloader will no longer be trusted by PCs. A second update will follow in July that won't enable the patch by default but will make it easier to enable. A third update in "first quarter 2024" will enable the fix by default and render older boot media unbootable on all patched Windows PCs. Microsoft says it is "looking for opportunities to accelerate this schedule," though it's unclear what that would entail.

Privacy

Toyota Japan Exposed Data on Millions of Vehicles For a Decade (techcrunch.com)

Toyota Japan has apologized after admitting to leaving millions of customers' vehicle details on the public internet for a decade. From a report: The car maker said in a notice that it will notify about 2.15 million customers whose personal and vehicle information was left exposed to the internet after a "cloud misconfiguration" was discovered in April. Toyota said that the exposed data includes: registered email addresses; vehicle-unique chassis and navigation terminal numbers; the location of vehicles and what time they were there; and videos from the vehicle's "drive recorder," which records footage from the car. Toyota said the data spilling from its Connected Cloud (TC) was initially exposed in November 2013, but, according to the company, pertains only to vehicles in Japan. The company's connected service provides Toyota customers with information about their vehicle, provides in-car entertainment services, and helps to notify authorities in the event of an accident or breakdown.
