Piracy

US Seizes Z-Library Login Domain, But Secret URLs for Each User Remain Active (arstechnica.com) 13

US authorities have seized another major Z-Library domain but still haven't been able to wipe the pirate book site off the Internet. From a report: Z-Library claims to offer over 13 million books, up from 11 million since US authorities launched their first major operation against Z-Library late last year. "Unfortunately, one of our primary login domains was seized today," Z-Library wrote in a Wednesday message on its Telegram account. "Therefore, we recommend using the domain singlelogin[dot]re to log in to your account, as well as to register. Please share this domain with others." In November, US authorities charged Russian nationals Anton Napolsky and Valeriia Ermakova with criminal copyright infringement, wire fraud, and money laundering for allegedly operating Z-Library. The US said at the time that it seized 250 "interrelated web domains" run by Z-Library and that Napolsky and Ermakova were arrested in Argentina at the request of the US government. Other people continue to operate Z-Library, which remained available on the Tor network and returned to the clearnet in February with a new strategy of assigning personal, secret URLs to each user. Z-Library directed users to singlelogin[dot]me, where they could sign in with their login credentials and receive a unique URL to access the entire pirate library.
Google

Google, Sonos Head To Trial in Contentious Smart Speaker Patent Fight (reuters.com) 8

Sonos and Alphabet's Google will face off in a San Francisco federal trial on Monday over claims that Google copied Sonos' patented smart-speaker technology in wireless audio devices like Google Home and Chromecast Audio. From a report: The case is part of a sprawling intellectual property dispute between the former business partners that includes other lawsuits in the U.S., Canada, France, Germany and the Netherlands. Sonos has asked the court for $90 million in damages from Google in the San Francisco case, down from $3 billion after U.S. District Judge William Alsup narrowed the case, according to a Google court filing. Sonos alleges Google infringed two of its patents related to multi-room wireless audio. Google spokesperson Jose Castaneda said the case relates to "some very specific features that are not commonly used," and that Sonos "mischaracterized our partnership and technology."
Security

Ex-Uber Security Chief Gets Probation for Concealing 2016 Data Breach (axios.com) 8

A judge sentenced Joe Sullivan, the former chief security officer at Uber, to three years' probation and 200 hours of community service on Thursday for covering up a 2016 cyberattack from authorities and obstructing a federal investigation. From a report: Sullivan's case is likely the first time a security executive has faced criminal charges for mishandling a data breach, and the response to Sullivan's case has split the cybersecurity community. In October, a jury found Sullivan guilty of obstructing an active FTC investigation into Uber's security practices and concealing a 2016 data breach that affected 50 million riders and drivers. Uber paid the hackers $100,000 to not release any stolen data and keep the attack quiet. Sullivan and his team routed the payment through the company's bug bounty program, which good-faith security researchers usually use to report flaws. The hack wasn't publicly disclosed until 2017, shortly after Dara Khosrowshahi stepped into the CEO role.

Khosrowshahi fired Sullivan in 2017, telling the jury last fall that he thought the decision to conceal the breach was "the wrong decision." Sullivan then joined Cloudflare as its chief security officer in 2018, and he stayed there until July 2022 when he stepped down to prepare for his trial. "If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison," Judge William Orrick said during the sentencing on Thursday. "When you go out and talk to your friends, to your CISOs, you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off," Orrick added.

Government

El Salvador President Signs Law Eliminating Taxes On Tech Innovations (watcher.guru) 19

Following the announcement of the bill in March, El Salvador President Nayib Bukele signed a law today eliminating income, property, capital gains, and other taxes on technology innovations. Watcher Guru reports: The announcement reinforces El Salvador's perspective as a haven for technology development. Additionally, Bukele stated that the new act protects "technology innovations, software and app programming, AI, computer, and communications hardware manufacturing."

The Innovations and Technology Manufacturing Incentives Act will likely attract tech developments to the country. Moreover, the elimination of taxes presents an economic benefit to a host of companies. Conversely, El Salvador continues to maintain its commitment to a variety of tech innovations that are being developed.

Privacy

Ransomware Attack Forces Dallas To Shut Down Courts, Disrupts Some 911 Services (techcrunch.com) 20

An anonymous reader quotes a report from TechCrunch: The City of Dallas in Texas has confirmed a ransomware attack has downed key services, including 911 dispatch systems. City officials confirmed on Wednesday that a number of the city's servers had "been compromised with ransomware," causing widespread service outages. The Dallas Police Department (DPD) website is currently offline. The City of Dallas website displays a message stating that "the City is experiencing a service outage and is working to restore services," and the city wrote on a page that contains updates about the incident that all courts were closed on Wednesday and would be closed again on Thursday.

DPD spokesperson Melinda Gutierrez confirmed to TechCrunch that the outage has also impacted Computer Aided Dispatch, or "CAD" systems, which are used by dispatchers and 911 operators to prioritize and record incident calls. Local media reported that this has forced 911 call takers to manually write down instructions for responding officers. "There is no effect to 911 calls at this time, and they continue to be dispatched for service," Gutierrez added. "The outage is not affecting police response."

Printers on the City of Dallas network reportedly began printing out ransom notes on Wednesday morning. As per a copy of the note, the Royal ransomware gang has claimed responsibility for the attack, and a URL included in the note directed to a contact form on Royal's dark web victims site. The note said critical data was encrypted, and threatened to publish it online if a ransom demand is not met. The City of Dallas has not yet been listed on Royal's dark web leak site and it's not yet known what types of data have been stolen. City officials have not responded to TechCrunch's questions.
The full impact of the ransomware attack remains unknown. In a statement, the city said it was "actively working to isolate the ransomware to prevent its spread, to remove the ransomware from infected servers, and to restore any services currently impacted. The City is currently working to assess the complete impact, but at this time, the impact on the delivery of City services to its residents is limited."
Government

Montana's Governor's Changes To TikTok Ban Bill Would Ban All Social Media Entirely (techdirt.com) 137

Montana Governor Greg Gianforte has returned an "amendatory veto" to the legislature regarding the state's unconstitutional "ban TikTok" bill, proposing alternative draft language that inadvertently could ban all social media platforms in the state due to poor drafting. The revised language targets any social media application that collects personal information and provides it to a foreign adversary, but since most social media networks collect such information and share it with entities in foreign countries, it would effectively ban all social media in Montana. Techdirt reports: As [1st Amendment lawyer Ari Cohn] points out, the new draft targets any "social media application" that allows for "the collection of personal information or data" and allows for "the personal information or data to be provided to a foreign adversary or a person or entity located within a country designated as a foreign adversary." Now, some might think that sounds reasonable, but the details here matter. And the details reveal that EVERY social media network collects such information and provides it to people located in countries designated as a foreign adversary. And that's because "personal information" is a very broad term, as is "provided." [Ari writes:]

"'Surely,' you might think, 'that just covers the data platforms amass by monitoring and tracking us, right?' Perhaps not. The bill doesn't define the term, so who knows what it means in their heads. But we have an idea of what it means out in the real (online) world, by way of the regulations implementing the Children's Online Privacy Protection Act (COPPA). Those regulations include in the definition of 'personal information' things like: First and last name; Online contact information; A screen or user name where it functions in the same manner as online contact information. In other words, the types of information that accompany virtually every piece of content posted on social media. If a platform allows that kind of information to be provided to any foreign adversary or a person or entity located within a foreign adversary, it is banned from Montana.

Do you know who might be persons located within a country designated as a foreign adversary? Users. Users who are provided the kinds of 'personal information' that are inherent in the very concept of social media. So, effectively, the bill would ban any social media company that allows any user in China, Russia, Iran, or Cuba to see content from a Montana user (and this is a generous reading, nothing in the bill seems to require that the data/information shared be from a Montana resident). On top of it, each time a user from one of those countries accesses content, platforms would be subject to a $10,000 fine. Do you know which platforms allow people in those countries to access content posted in the United States? All of them. Congratulations, Montana Governor Greg Gianforte. You just managed to accidentally ban all social media for Montanans. Good work."

Censorship

Finnish Newspaper Uses Secret Room In Counter-Strike To Bypass Russian Censorship (theguardian.com) 59

An anonymous reader quotes a report from The Guardian: A Finnish newspaper is circumventing Russian media restrictions by hiding news reports about the war in Ukraine in an online game popular among Russian gamers. "While Helsingin Sanomat and other foreign independent media are blocked in Russia, online games have not been banned so far," said Antero Mukka, the editor-in-chief of Helsingin Sanomat. The newspaper was bypassing Russia's censorship through the first-person shooter game Counter-Strike, where gamers battle against each other as terrorists and counter-terrorists in timed matches. While the majority of matches are played on about a dozen official levels or maps released by the publisher Valve, players can also create custom maps that anyone can download and use. The newspaper's initiative was unveiled on World Press Freedom Day on Wednesday. "To underline press freedom, [in the game] we have now built a Slavic city, called Voyna, meaning war in Russian," Mukka said.

In the basement of one of the apartment buildings that make up the Soviet-inspired cityscape, Helsingin Sanomat hid a room where players can find Russian-language reporting by the newspaper's war correspondents in Ukraine. "In the room, you will find our documentation of what the reality of the war in Ukraine is," Mukka said. The walls of the digital room, lit up by red lights, are plastered with news articles and pictures reporting on events such as the massacres in the Ukrainian towns of Bucha and Irpin. On one of the walls, players can find a map of Ukraine that details reported attacks on the civilian population, while a Russian-language recording reading Helsingin Sanomat articles aloud plays in the background. This was "information that is not available from Russian state propaganda sources", Mukka said.
The map has been downloaded more than 2,000 times since its release on Monday. According to Mukka, an estimated 4 million Russians have played Counter-Strike.
Security

Promising Jobs At the US Postal Service, 'US Job Services' Leaks Customer Data (krebsonsecurity.com) 12

An anonymous reader quotes a report from KrebsOnSecurity: A sprawling online company based in Georgia that has made tens of millions of dollars purporting to sell access to jobs at the United States Postal Service (USPS) has exposed its internal IT operations and database of nearly 900,000 customers. The leaked records indicate the network's chief technology officer in Pakistan has been hacked for the past year, and that the entire operation was created by the principals of a Tennessee-based telemarketing firm that has promoted USPS employment websites since 2016. KrebsOnSecurity was recently contacted by a security researcher who said he found a huge tranche of full credit card records exposed online, and that at first glance the domain names involved appeared to be affiliated with the USPS. Further investigation revealed a long-running international operation that has been emailing and text messaging people for years to sign up at a slew of websites that all promise they can help visitors secure employment at the USPS.

Sites like FederalJobsCenter[.]com also show up prominently in Google search results for USPS employment, and steer applicants toward making credit card "registration deposits" to ensure that one's application for employment is reviewed. These sites also sell training, supposedly to help ace an interview with USPS human resources. FederalJobsCenter's website is full of content that makes it appear the site is affiliated with the USPS, although its "terms and conditions" state that it is not. Rather, the terms state that FederalJobsCenter is affiliated with an entity called US Job Services, which says it is based in Lawrenceville, Ga. The site says applicants need to make a credit card deposit to register, and that this amount is refundable if the applicant is not offered a USPS job within 30 days after the interview process. But a review of the public feedback on US Job Services and dozens of similar names connected to this entity over the years shows a pattern of activity: Applicants pay between $39.99 and $100 for USPS job coaching services, and receive little if anything in return. Some reported being charged the same amount monthly.
Michael Martel, spokesperson for the United States Postal Inspection Service, said in a written statement that the USPS has no affiliation with the websites or companies named in this story.

"To learn more about employment with USPS, visit USPS.com/careers," Martel wrote. "If you are the victim of a crime online report it to the FBI's Internet Crime Complaint Center (IC3) at www.ic3.gov. To report fraud committed through or toward the USPS, its employees, or customers, report it to the United States Postal Inspection Service (USPIS) at www.uspis.gov/report."

A list of all the current sites selling this product can be found in Krebs' report.
The Internet

Colorado Kills Law That Made It Harder For Cities To Offer Internet Service (arstechnica.com) 63

Yesterday, Colorado eliminated a 2005 law that required local governments to hold an election before offering cable television or telecommunications service, "a process that pitted city and town leaders against well-funded broadband industry lobbying campaigns," reports Ars Technica. From the report: Gov. Jared Polis, a Democrat, signed a bill to eliminate that law yesterday. The bill had been approved by the State House in a 48-14 vote and in the Senate by a 31-4 vote. Both chambers have Democratic majorities, but the votes didn't go entirely along party lines; all of the "no" votes came from Republicans, but other Republicans joined Democrats in approving the bill. The bill signed by Polis "gives local governments the authority to provide broadband service, either on their own or by partnering with industry service providers, without holding a local election," the Governor's Office of Information Technology said.

"Each local government is in a unique position or different phase of connecting residents to high-speed Internet, and this bill allows them to establish broadband plans that meet the needs of their communities," Colorado Broadband Office Executive Director Brandy Reitter said. Going forward, cities and towns won't have to hold elections to opt out of the 2005 restriction on municipal broadband. A vote to opt out of the state law didn't guarantee that a city or town would build a network, but the vote was a necessary step and in some cases resulted in a municipal broadband service.

Crime

NYPD Urges Citizens To Buy AirTags To Fight Surge In Car Thefts (arstechnica.com) 115

An anonymous reader quotes a report from Ars Technica: The New York Police Department (NYPD) and New York City's self-proclaimed computer geek of a mayor are urging resident car owners to equip their vehicles with an Apple AirTag. During a press conference on Sunday, Mayor Eric Adams announced the distribution of 500 free AirTags to New Yorkers, saying the technology would aid in reducing the city's surging car theft numbers. Adams held the press conference at the 43rd precinct in the Bronx, where he said there had been 200 instances of grand larceny of autos. An NYPD official said that in New York City, 966 Hyundais and Kias have been stolen this year thus far, already surpassing 2022's 819 total. The NYPD's public crime statistics tracker says there have been 4,492 vehicle thefts this year, a 13.3 percent increase compared to the same period last year and the largest increase among NYC's seven major crime categories.

Adams, as the city did when announcing litigation against Kia and Hyundai on April 7, largely blamed the rise in car thefts on Kia and Hyundai, which he said are "leading the way" in stolen car brands. Hyundais and Kias were the subjects of the Kia Challenge TikTok trend that encouraged people to jack said vehicles with a mere USB-A cable. The topic has graduated way beyond a social media fad and into a serious concern. [...] Adams was adamant grand larceny auto numbers were dragging the city's overall crime numbers up and urged New Yorkers to "participate" in the fight against car theft by using an AirTag.
NYPD Chief of Department Jeffrey Maddrey said users who report a stolen vehicle equipped with an AirTag will see the police use "drones, our StarChase technology & good old fashion police work to safely recover your stolen car."

"Help us help you, get an AirTag," he tweeted.
Google

Apple and Google Team Up To Stop Unwanted AirTag Tracking 52

Apple and Google said on Tuesday that they were working together to prevent lost item trackers like Apple's AirTag from being used to track people without their permission. From a report: The companies came together to draft a new industry standard that will add the ability to alert victims to unwanted trackers in Android and iOS, the companies said. Apple's AirTag is intended to help people find lost items such as keys by displaying an item's nearly real-time location inside an iPhone app. But there have been many reports about the $30 coin-sized device being used to stalk people since it went on sale in 2021. In response, Apple previously built detection features into iPhones that allow users to detect unfamiliar AirTags in the user's area. Tuesday's announcement suggests that Android phones will also soon gain the ability to warn their users if they are being tracked by an AirTag.
The Courts

OpenAI Threatens Popular GitHub Project With Lawsuit Over API Use (tomshardware.com) 44

A GitHub project called GPT4free has received a letter from OpenAI demanding that the repo be shut down within five days or face a lawsuit. Tom's Hardware reports: Anyone can use ChatGPT for free, but if you want to use GPT4, the latest language model, you have to either pay for ChatGPT Plus, pay for access to OpenAI's API, or find another site that has incorporated GPT4 into its own free chatbot. There are sites that use OpenAI such as Forefront and You.com, but what if you want to make your own bot and don't want to pay for the API? A GitHub project called GPT4free allows you to get free access to the GPT4 and GPT3.5 models by funneling those queries through sites like You.com, Quora and CoCalc and giving you back the answers. The project is GitHub's most popular new repo, getting 14,000 stars this week.

Now, according to Xtekky, the European computer science student who runs the repo, OpenAI has sent a letter demanding that he take the whole thing down within five days or face a lawsuit. I interviewed Xtekky via Telegram, and he said he doesn't think OpenAI should be targeting him since he isn't connecting directly to the company's API, but is instead getting data from other sites that are paying for their own API licenses. If the owners of those sites have a problem with his scripts querying them, they should approach him directly, he posited. [...] Even if the original repo is taken down, there's a great chance that the code -- and this method of accessing GPT4 and GPT3.5 -- will be published elsewhere by members of the community. Even if GPT4Free had never existed, anyone could find ways to use these sites' APIs if they continue to be unsecured. "Users are sharing and hosting this project everywhere," he said. "Deletion of my repo will be insignificant."

Piracy

Film Studios Lose Bid To Unmask Reddit Users Who Wrote Comments on Piracy (arstechnica.com) 39

Reddit doesn't have to identify eight anonymous users who wrote comments in piracy-related threads, a judge in the US District Court for the Northern District of California ruled on Friday. From a report: US Magistrate Judge Laurel Beeler quashed a subpoena issued by film studios in an order that agrees with Reddit that the First Amendment protects the users' right to speak anonymously online. The First Amendment right to anonymous speech is not absolute, but the precedent followed by US district courts only forces disclosure of anonymous users' identities "in the exceptional case where the compelling need for the discovery sought outweighs the First Amendment rights of the anonymous speaker," Beeler noted. After reviewing the facts and arguments, she found that the Reddit users' comments were irrelevant to the film studios' underlying case and that the studios could obtain relevant information from other sources.

Reddit has no involvement in the underlying case, which is a copyright lawsuit in a different federal court against cable Internet service provider RCN. Bodyguard Productions, Millennium Media, and other film companies sued RCN in the US District Court in New Jersey over RCN customers' alleged downloads of 34 movies such as Hellboy, Rambo: Last Blood, Tesla, and The Hitman's Bodyguard. In an attempt to prove that RCN (now known as Astound Broadband) turned a blind eye to customers illegally downloading copyrighted movies, the studios subpoenaed Reddit seeking identifying information for specific users who commented in piracy-related threads. While some of the comments were posted in 2022, other comments were made in 2009 and 2014.

Government

White House To Study Employer Tools That Monitor Workers (reuters.com) 24

The Biden administration plans to study companies' use of technology to monitor and manage workers, which it said on Monday is becoming increasingly common and can cause "serious risks to workers." From a report: The White House Office of Science and Technology Policy, in a blog post, sought comments from employees about their experience with surveillance technology, and asked employers and software vendors how they develop and use them. "While these technologies can benefit both workers and employers in some cases, they can also create serious risks to workers," the OSTP said.

"Monitoring conversations can deter workers from exercising their rights to organize and collectively bargain with their employers. And, when paired with employer decisions about pay, discipline, and promotion, automated surveillance can lead to workers being treated differently or discriminated against."

Government

Microsoft is Now Supporting Right-to-Repair Legislation (grist.org) 44

Microsoft's headquarters are in the state of Washington — and this year when the state legislature considered a right-to-repair bill, Microsoft showed its support.

The nonprofit "climate solutions" site Grist reports that the committee considering that bill received an email from Microsoft's senior director of government affairs, saying that the bill "fairly balances the interests of manufacturers, customers, and independent repair shops and in doing so will provide more options for consumer device repair." The Fair Repair Act stalled out a week later due to opposition from all three Republicans on the committee and Senator Lisa Wellman, a Democrat and former Apple executive. (Apple frequently lobbies against right-to-repair bills, and during a hearing, Wellman defended the iPhone maker's position that it is already doing enough on repair.) But despite the bill's failure to launch this year, repair advocates say Microsoft's support — a notable first for a major U.S. tech company — is bringing other manufacturers to the table to negotiate the details of other right-to-repair bills for the first time.

"We are in the middle of more conversations with manufacturers being way more cooperative than before," Nathan Proctor, who heads the U.S. Public Research Interest Group's right-to-repair campaign, told Grist. "And I think Microsoft's leadership and willingness to be first created that opportunity...."

Like other consumer tech giants, Microsoft has historically fought right-to-repair bills while restricting access to spare parts, tools, and repair documentation to its network of "authorized" repair partners. In 2019, the company even helped kill a repair bill in Washington state. But in recent years the company has started changing its tune on the issue. In 2021, following pressure from shareholders, Microsoft agreed to take steps to facilitate the repair of its devices — a first for a U.S. company. Microsoft followed through on the agreement by expanding access to spare parts and service tools, including through a partnership with the repair guide site iFixit. The tech giant also commissioned a study that found repairing Microsoft products instead of replacing them can dramatically reduce both waste and carbon emissions. Microsoft has also started engaging more cooperatively with lawmakers over right-to-repair bills. In late 2021 and 2022, the company met with legislators in both Washington and New York to discuss each state's respective right-to-repair bill. In both cases, lawmakers and advocates involved in the bill negotiations described the meetings as productive...

When Washington lawmakers revived their right-to-repair bill for the 2023 legislative cycle, Microsoft once again came to the negotiating table. From state senator and bill sponsor Joe Nguyen's perspective, Microsoft's view was, "We see this coming, we'd rather be part of the conversation than outside. And we want to make sure it is done in a thoughtful way." Proctor, whose organization was also involved in negotiating the Washington bill, said that Microsoft had a few specific requests, including that the bill require repair shops to possess a third-party technical certification and carry insurance. It was also important to Microsoft that the bill only cover products manufactured after the bill's implementation date, and that manufacturers be required to provide the public only the same parts and documents that their authorized repair providers already receive. Some of the company's requests, Proctor said, were "tough" for advocates to concede on. "But we did, because we thought what they were doing was in good faith."

AI

Can OpenAI Trademark 'GPT'? (techcrunch.com) 34

"ThreatGPT, MedicalGPT, DateGPT and DirtyGPT are a mere sampling of the many outfits to apply for trademarks with the United States Patent and Trademark Office in recent months," notes TechCrunch, exploring the issue of whether OpenAI can actually trademark the phrase 'GPT'... Little wonder that after applying in late December for a trademark for "GPT," which stands for "Generative Pre-trained Transformer," OpenAI last month petitioned the USPTO to speed up the process, citing the "myriad infringements and counterfeit apps" beginning to spring into existence. Unfortunately for OpenAI, its petition was dismissed last week... Given the rest of the queue in which OpenAI finds itself, that means a decision could take up to five more months, says Jefferson Scher, a partner in the intellectual property group of Carr & Ferrell and chair of the firm's trademark practice group. Even then, the outcome isn't assured, Scher explains... [H]elpful, says Scher, is the fact that OpenAI has been using "GPT" for years, having released its original Generative Pre-trained Transformer model, or GPT-1, back in October 2018...

Even if a USPTO examiner has no problem with OpenAI's application, it will be moved afterward to a so-called opposition period, where other market participants can argue why the agency should deny the "GPT" trademark. Scher describes what would follow this way: In the case of OpenAI, an opposer would challenge OpenAI's position that "GPT" is proprietary and that the public perceives it as such instead of perceiving the acronym to pertain to generative AI more broadly...

It all begs the question of why the company didn't move to protect "GPT" sooner. Here, Scher speculates that the company was "probably caught off guard" by its own success... Another wrinkle here is that OpenAI may soon be so famous that its renown becomes a dominant factor, says Scher. While one doesn't need to be famous to secure a trademark, once an outfit is widely enough recognized, it receives protection that extends far beyond its sphere. Rolex is too famous a trademark to be used on anything else, for instance.

Thanks to Slashdot reader rolodexter for sharing the article.
Transportation

California Passes 1st-In-Nation Emission Rules For Trains (apnews.com) 136

California has approved a groundbreaking rule to cut greenhouse gas emissions by limiting rail pollution, banning locomotives over 23 years old by 2030, increasing the use of zero-emissions technology for freight transportation, and imposing restrictions on idling. The Associated Press reports: The rule will ban locomotive engines more than 23 years old by 2030 and increase the use of zero-emissions technology to transport freight from ports and throughout railyards. It would also ban locomotives in the state from idling longer than 30 minutes if they are equipped with an automatic shutoff. The standards would also reduce chemicals that contribute to smog. They could improve air quality near railyards and ports.

The transportation sector contributed the largest share of greenhouse gas emissions nationwide in 2020, according to the Environmental Protection Agency. But rail only accounts for about 2% of those emissions. Other states can sign on to try to adopt the California rule if it gets the OK from the Biden administration. The rule is the most ambitious of its kind in the country.
"The locomotive rule has the power to change the course of history for Californians who have suffered from train pollution for far too long, and it is my hope that our federal regulators follow California's lead," said Yasmine Agelidis, a lawyer with environmental nonprofit Earthjustice, in a statement.
AI

Nuke-Launching AI Would Be Illegal Under Proposed US Law 77

A group of Senators on Wednesday announced bipartisan legislation that seeks to prevent an AI system from making nuclear launch decisions. "The Block Nuclear Launch by Autonomous Artificial Intelligence Act would prohibit the use of federal funds for launching any nuclear weapon by an automated system without 'meaningful human control,'" reports Ars Technica. From the report: The new bill builds on existing US Department of Defense policy, which states that in all cases, "the United States will maintain a human 'in the loop' for all actions critical to informing and executing decisions by the President to initiate and terminate nuclear weapon employment." The new bill aims to codify the Defense Department principle into law, and it also follows the recommendation of the National Security Commission on Artificial Intelligence, which called for the US to affirm its policy that only human beings can authorize the employment of nuclear weapons.

"While US military use of AI can be appropriate for enhancing national security purposes, use of AI for deploying nuclear weapons without a human chain of command and control is reckless, dangerous, and should be prohibited," Buck said in a statement. "I am proud to co-sponsor this legislation to ensure that human beings, not machines, have the final say over the most critical and sensitive military decisions."
Privacy

The DOJ Detected the SolarWinds Hack 6 Months Earlier Than First Disclosed (wired.com) 19

An anonymous reader quotes a report from Wired: The U.S. Department of Justice, Mandiant, and Microsoft stumbled upon the SolarWinds breach six months earlier than previously reported, WIRED has learned, but were unaware of the significance of what they had found. The breach, publicly announced in December 2020, involved Russian hackers compromising the software maker SolarWinds and inserting a backdoor into software served to about 18,000 of its customers. That tainted software went on to infect at least nine US federal agencies, among them the Department of Justice (DOJ), the Department of Defense, Department of Homeland Security, and the Treasury Department, as well as top tech and security firms including Microsoft, Mandiant, Intel, Cisco, and Palo Alto Networks. The hackers had been in these various networks for between four and nine months before the campaign was exposed by Mandiant.

WIRED can now confirm that the operation was actually discovered by the DOJ six months earlier, in late May 2020 -- but the scale and significance of the breach weren't immediately apparent. Suspicions were triggered when the department detected unusual traffic emanating from one of its servers that was running a trial version of the Orion software suite made by SolarWinds, according to sources familiar with the incident. The software, used by system administrators to manage and configure networks, was communicating externally with an unfamiliar system on the internet. The DOJ asked the security firm Mandiant to help determine whether the server had been hacked. It also engaged Microsoft, though it's not clear why the software maker was also brought onto the investigation.

It's not known what division of the DOJ experienced the breach, but representatives from the Justice Management Division and the US Trustee Program participated in discussions about the incident. The Trustee Program oversees the administration of bankruptcy cases and private trustees. The Management Division advises DOJ managers on budget and personnel management, ethics, procurement, and security. Investigators suspected the hackers had breached the DOJ server directly, possibly by exploiting a vulnerability in the Orion software. They reached out to SolarWinds to assist with the inquiry, but the company's engineers were unable to find a vulnerability in their code. In July 2020, with the mystery still unresolved, communication between investigators and SolarWinds stopped. A month later, the DOJ purchased the Orion system, suggesting that the department was satisfied that there was no further threat posed by the Orion suite, the sources say.
According to WIRED, the DOJ said it "notified the US Cybersecurity and Infrastructure Agency (CISA) about the breach at the time it occurred -- though a US National Security Agency spokesperson expressed frustration that the agency was not also notified."

"But in December 2020, when the public learned that a number of federal agencies were compromised in the SolarWinds campaign -- the DOJ among them -- neither the DOJ nor CISA revealed to the public that the operation had unknowingly been found months earlier. The DOJ initially said its chief information officer had discovered the breach on December 24."
Government

Washington Passes Law Requiring Consent Before Companies Collect Health Data (theverge.com) 13

Yesterday, Washington Governor Jay Inslee signed the My Health, My Data bill into law, requiring companies to receive a user's explicit consent before they can collect, share, or sell their health data. When the law comes into effect in March 2024, users will have the right to withdraw consent at any time and have their data deleted. The Verge reports: The law should help shield users' health data from the companies and organizations not included under the HIPAA Privacy Rule, which prevents certain medical providers from disclosing "individually identifiable" health information without consent. The HIPAA Privacy Rule doesn't cover many of the health apps and sites that collect medical data, allowing them to freely collect and sell this information to advertisers.

Under Washington's new law, which comes into effect in March 2024, medical apps and sites must ask a user for permission to collect their health data in a nondeceptive manner that "openly communicates a consumer's freely given, informed, opt-in, voluntary, specific, and unambiguous written consent." The sites and apps must also disclose what kind of data they plan to collect and whether they plan to sell it. Additionally, the bill will block medical providers from using geofencing to collect location information about the patients that visit the facility.
