IBM

IBM Top Brass Accused Again of Using Mainframes To Prop Up Watson, Cloud Sales (theregister.com) 23

IBM, along with 13 of its current and former executives, has been sued by investors who claim the IT giant used mainframe sales to fraudulently prop up newer, more trendy parts of its business. The Register reports: In effect, IBM deceived the market about its progress in developing Watson, cloud technologies, and other new sources of revenue, by deliberately misclassifying the money it was making from mainframe deals, assigning that money instead to other products, it is alleged. The accusations emerged in a lawsuit [PDF] filed late last week against IBM in New York on behalf of the June E Adams Irrevocable Trust. It alleged Big Blue shifted sales by its "near-monopoly" mainframe business to its newer and less popular cloud, analytics, mobile, social, and security products (CAMSS), which bosses promoted as growth opportunities and designated "Strategic Imperatives."

IBM is said to have created the appearance of demand for these Strategic Imperative products by bundling them into three- to five-year mainframe Enterprise License Agreements (ELA) with large banking, healthcare, and insurance company customers. In other words, it is claimed, mainframe sales agreements had Strategic Imperative products tacked on to help boost the sales performance of those newer offerings and give investors the impression customers were clamoring for those technologies from IBM. "Defendants used steep discounting on the mainframe part of the ELA in return for the customer purchasing catalog software (i.e. Strategic Imperative Revenue), unneeded and unused by the customer," the lawsuit stated.

IBM is also alleged to have shifted revenue from its non-strategic Global Business Services (GBS) segment to Watson, a Strategic Imperative in the CAMSS product set, to convince investors that the company was successfully expanding beyond its legacy business. Last April the plaintiff Trust filed a similar case, which was joined by at least five other law firms representing other IBM shareholders. A month prior, the IBM board had been presented with a demand letter from shareholders to investigate the above allegations. Asked whether any action has been taken as a result of that letter, IBM has yet to respond.

Government

US Airline Accidentally Exposes 'No Fly List' On Unsecured Server (dailydot.com) 56

An anonymous reader quotes a report from the Daily Dot: An unsecured server discovered by a security researcher last week contained the identities of hundreds of thousands of individuals from the U.S. government's Terrorist Screening Database and "No Fly List." Located by the Swiss hacker known as maia arson crimew, the server, run by the U.S. national airline CommuteAir, was left exposed on the public internet. It revealed a vast amount of company data, including private information on almost 1,000 CommuteAir employees. Analysis of the server resulted in the discovery of a text file named "NoFly.csv," a reference to the subset of individuals in the Terrorist Screening Database who have been barred from air travel due to having suspected or known ties to terrorist organizations.

The list, according to crimew, appeared to have more than 1.5 million entries in total. The data included names as well as birth dates. It also included multiple aliases, placing the number of unique individuals at far less than 1.5 million. [...] In a statement to the Daily Dot, CommuteAir said that the exposed infrastructure, which it described as a development server, was used for testing purposes. CommuteAir added that the server, which was taken offline prior to publication after being flagged by the Daily Dot, did not expose any customer information based on an initial investigation. CommuteAir also confirmed the legitimacy of the data, stating that it was a version of the "federal no-fly list" from roughly four years prior. [...] The server also held the passport numbers, addresses, and phone numbers of roughly 900 company employees. User credentials to more than 40 Amazon S3 buckets and servers run by CommuteAir were also exposed.

Oracle

Six Years Later, HPE and Oracle Quietly Shut Door On Solaris Lawsuit (theregister.com) 10

HPE and Oracle have settled their long-running legal case over alleged copyright infringement regarding Solaris software updates for HPE customers, but it looks like the nature of the settlement is going to remain under wraps. The Register reports: The pair this week informed [PDF] the judge overseeing the case that they'd reached a mutual settlement and asked for the case to be dismissed "with prejudice" -- ie, permanently. The settlement agreement is confidential, and its terms won't be made public. The case goes back to at least 2016, when Oracle filed a lawsuit against HPE over the rights to support the Solaris operating system. HPE and a third company, software support outfit Terix, were accused of offering Solaris support for customers while the latter was not an authorized Oracle partner.

Big Red's complaint claimed HPE had falsely represented to customers that it and Terix could lawfully provide Solaris Updates and other support services at a lower cost than Oracle, and that the two had worked together to provide customers with access to such updates. The suit against HPE was thrown out of court in 2019, but revived in 2021 when a judge denied HPE's motion for a summary judgement in the case. Terix settled its case in 2015 for roughly $58 million. Last year, the case went to court and in June a jury found HPE guilty of providing customers with Solaris software updates without Oracle's permission, awarding the latter $30 million for copyright infringement.

But that wasn't the end of the matter, because HPE was back a couple of months later to appeal the verdict, claiming the complaint by Oracle that it had directly infringed copyrights with regard to Solaris were not backed by sufficient evidence. This hinged on HPE claiming that Oracle had failed to prove that any of the patches and updates in question were actually protected by copyright, but also that Oracle could not prove HPE had any control over Terix in its purported infringement activities. Oracle for its part filed a motion asking the court for a permanent injunction against HPE to prevent it copying or distributing the Solaris software, firmware or support materials, except as allowed by Oracle. Now it appears that the two companies have come to some mutually acceptable out-of-court arrangement, as often happens in acrimonious and long-running legal disputes.

The Courts

Supreme Court Allows Reddit Mods To Anonymously Defend Section 230 (arstechnica.com) 152

An anonymous reader quotes a report from Ars Technica: Over the past few days, dozens of tech companies have filed briefs in support of Google in a Supreme Court case that tests online platforms' liability for recommending content. Obvious stakeholders like Meta and Twitter, alongside popular platforms like Craigslist, Etsy, Wikipedia, Roblox, and Tripadvisor, urged the court to uphold Section 230 immunity in the case or risk muddying the paths users rely on to connect with each other and discover information online. Out of all these briefs, however, Reddit's was perhaps the most persuasive (PDF). The platform argued on behalf of everyday Internet users, whom it claims could be buried in "frivolous" lawsuits for frequenting Reddit, if Section 230 is weakened by the court. Unlike other companies that hire content moderators, the content that Reddit displays is "primarily driven by humans -- not by centralized algorithms." Because of this, Reddit's brief paints a picture of trolls suing not major social media companies, but individuals who get no compensation for their work recommending content in communities. That legal threat extends to both volunteer content moderators, Reddit argued, as well as more casual users who collect Reddit "karma" by upvoting and downvoting posts to help surface the most engaging content in their communities.

"Section 230 of the Communications Decency Act famously protects Internet platforms from liability, yet what's missing from the discussion is that it crucially protects Internet users -- everyday people -- when they participate in moderation like removing unwanted content from their communities, or users upvoting and downvoting posts," a Reddit spokesperson told Ars. Reddit argues in the brief that such frivolous lawsuits have been lobbed against Reddit users and the company in the past, and Section 230 protections historically have consistently allowed Reddit users to "quickly and inexpensively" avoid litigation. [...]

The Supreme Court will have to weigh whether Reddit's arguments are valid. To help make its case defending Section 230 immunity protections for recommending content, Reddit received special permission from the Supreme Court to include anonymous comments from Reddit mods in its brief. This, Reddit's spokesperson notes, is "a significant departure from normal Supreme Court procedure." The Electronic Frontier Foundation, a nonprofit defending online privacy, championed the court's decision to allow moderators to contribute comments anonymously.

"We're happy the Supreme Court recognized the First Amendment rights of Reddit moderators to speak to the court about their concerns," EFF's senior staff attorney, Sophia Cope, told Ars. "It is quite understandable why those individuals may be hesitant to identify themselves should they be subject to liability in the future for moderating others' speech on Reddit."

"Reddit users that interact with third-party content -- including 'hosting' content on a sub-Reddit that they manage, or moderating that content -- could definitely be open to legal exposure if the Court carves out 'recommending' from Section 230's protections, or otherwise narrows Section 230's reach," Cope told Ars.

Security

T-Mobile Suffers Another Data Breach, Affecting 37 Million Accounts (cnet.com) 30

The nation's second-largest wireless carrier on Thursday disclosed that a "bad actor" took advantage of one of its application programming interfaces to gain data on "approximately 37 million current postpaid and prepaid customer accounts." CNET reports: In an 8-K filing with the US Securities and Exchange Commission, the carrier says that it was able to trace and stop the "malicious activity" within a day of learning about it. T-Mobile also says that the API that was used does not allow for access to "any customer payment card information, Social Security numbers/tax IDs, driver's license or other government ID numbers, passwords/PINs or other financial account information." According to the filing, the carrier believes that the breach first occurred "on or around" Nov. 25, 2022. The carrier didn't learn that a "bad actor" was getting data from its systems until Jan. 5.

The company's API, however, did reveal other user information, including names, billing addresses, email addresses, phone numbers and birth dates of its customers, their T-Mobile account numbers, and information on which plan features they have with the carrier and the number of lines on their accounts. The company said in the SEC filing that it has "begun notifying customers whose information may have been obtained by the bad actor in accordance with applicable state and federal requirements."

In 2021, T-Mobile suffered a data breach that exposed data of roughly 76.6 million people. "T-Mobile agreed to a $500 million settlement in the case in July, with $350 million going to settle customer claims from a class action lawsuit and $150 million going to upgrade its data protection system," adds CNET.

Privacy

Little-Known Surveillance Program Captures Money Transfers Between US and More Than 20 Countries (wsj.com) 34

Hundreds of federal, state and local U.S. law-enforcement agencies have access without court oversight to a database of more than 150 million money transfers between people in the U.S. and in more than 20 countries, according to internal program documents and an investigation by Sen. Ron Wyden. WSJ: The database, housed at a little-known nonprofit called the Transaction Record Analysis Center, or TRAC, was set up by the Arizona state attorney general's office in 2014 as part of a settlement reached with Western Union to combat cross-border trafficking of drugs and people from Mexico. It has since expanded to allow officials of more than 600 law-enforcement entities -- from federal agencies such as the Federal Bureau of Investigation, the Drug Enforcement Administration, and Immigration and Customs Enforcement to small-town police departments in nearly every state -- to monitor the flow of funds through money services between the U.S. and countries around the world.

TRAC's data includes the full names of the sender and recipient as well as the transaction amount. Rich Lebel, TRAC's director, said the program has directly resulted in hundreds of leads and busts involving drug cartels and other criminals seeking to launder money, and has revealed patterns of money flow that help law-enforcement agencies get a broader grasp on smuggling networks. "It's a law-enforcement investigative tool," Mr. Lebel said. "We don't broadcast it to the world, but we don't run from or hide from it either." Mr. Wyden, an Oregon Democrat, said TRAC allows the government to "serve itself an all-you-can-eat buffet of Americans' personal financial data while bypassing the normal protections for Americans' privacy."

Internal records, including TRAC meeting minutes and copies of 140 subpoenas from the Arizona attorney general, were obtained by the American Civil Liberties Union and reviewed by The Wall Street Journal. They show that any authorized law-enforcement agency can query the data without a warrant to examine the transactions of people inside the U.S. for evidence of money laundering and other crimes. One slideshow prepared by a TRAC investigator showed how the program's data could be used to scan for categories such as "Middle Eastern/Arabic names" in bulk transaction records.

Crime

Founder and Majority Owner of Bitzlato, a Cryptocurrency Exchange, Charged with Unlicensed Money Transmitting (justice.gov) 31

Department of Justice: A complaint was unsealed this morning in federal court in Brooklyn charging Anatoly Legkodymov, a Russian national and senior executive of Bitzlato Ltd. (Bitzlato), a Hong Kong-registered cryptocurrency exchange, with conducting a money transmitting business that transported and transmitted illicit funds and that failed to meet U.S. regulatory safeguards, including anti-money laundering requirements. Legkodymov was arrested last night in Miami and is scheduled to be arraigned this afternoon in the U.S. District Court for the Southern District of Florida. French authorities and the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) are taking concurrent enforcement actions.

According to court documents, Legkodymov is a senior executive and the majority shareholder of Bitzlato Ltd. (Bitzlato), a Hong Kong-registered cryptocurrency exchange that operates globally. Bitzlato has marketed itself as requiring minimal identification from its users, specifying that "neither selfies nor passports [are] required." On occasions when Bitzlato did direct users to submit identifying information, it repeatedly allowed them to provide information belonging to "straw man" registrants. As a result of these deficient know-your-customer (KYC) procedures, Bitzlato allegedly became a haven for criminal proceeds and funds intended for use in criminal activity. Bitzlato's largest counterparty in cryptocurrency transactions was Hydra Market, an anonymous, illicit online marketplace for narcotics, stolen financial information, fraudulent identification documents, and money laundering services that was the largest and longest running darknet market in the world. Hydra Market users exchanged more than $700 million in cryptocurrency with Bitzlato, either directly or through intermediaries, until Hydra Market was shuttered by U.S. and German law enforcement in April 2022. Bitzlato also received more than $15 million in ransomware proceeds.

Piracy

Police Complaint Removes Pirate Bay Proxy Portal From GitHub (torrentfreak.com) 32

An anonymous reader quotes a report from TorrentFreak: GitHub has taken down a popular Pirate Bay proxy information portal from Github.io. The developer platform took action in response to a takedown request sent by City of London Police's Intellectual Property Crime Unit (PIPCU). The takedown notice concludes that the site, which did not link to any infringing content directly, is illegal. [...] "This site is in breach of UK law, namely Copyright, Design & Patents Act 1988, Offences under the Fraud Act 2006 and Conspiracy to Defraud," PIPCU writes. "Suspension of the domain(s) is intended to prevent further crime. Where possible we request that domain suspension(s) are made within 48 hours of receipt of this Alert," the notice adds. This takedown request was honored by GitHub, meaning that people who try to access the domain now get a 404 error instead.

While GitHub's swift response is understandable, it's worth pointing out how these blocking efforts are evolving and expanding, far beyond blocking the original Pirate Bay site. The Proxy Bay doesn't link to infringing content directly. The site links to other proxy sites which serve up the Pirate Bay homepage. From there, users may search for or browse torrent links that, once loaded, can download infringing content. Does this mean that simply linking to The Pirate Bay can be considered a crime in itself? If that's the case, other sites such as Wikipedia and Bing are in trouble too.

A more reasonable middle ground would be to consider the intent of a site. The Proxy Bay was launched to facilitate access to The Pirate Bay, which makes court orders less effective. In 2015 UK ISPs began blocking proxy and proxy indexing sites, so that explains why thepirateproxybay.com and others are regularly blocked. Whether this constitutes criminal activity is ultimately for the court to decide, not the police. In this regard, it's worth noting that City of London Police previously arrested the alleged operator of a range of torrent site proxies. The then 20-year-old defendant, who also developed censorship circumvention tool Immunicity, was threatened with a hefty prison sentence but the court disagreed and dismissed the case.

Google

'Search Everyone First?' Lawyers Challenge Use of Warrants to Find Google Searchers (yahoo.com) 125

Bloomberg reports: After five people were killed in a 2020 arson in Colorado, law enforcement officials failed to turn up any leads through their initial investigative techniques. So they served a warrant to Google for anyone who had searched for the address of the fire, according to a court motion.

Google eventually complied with the data request, helping law enforcement find suspects. Three teenagers who had searched the address were charged with murder. But the technique also drew a challenge from defense lawyers, who are calling reverse keyword search warrants "a digital dragnet of immense proportions." It's the first case to challenge the constitutionality of the method, the attorneys say.

Defense lawyers filed a motion Wednesday to challenge the judge's decision to use evidence from the warrant to charge their client, Gavin Seymour. They're asking the Colorado Supreme Court to review the matter, after the judge earlier denied their motion to suppress the evidence. The keyword search warrant "is profoundly different from traditional search warrants seeking data belonging to a suspect," the defense argued in the court filing. "Instead, the process operates in reverse — search everyone first, and identify suspects later."

One defendant's lawyer points out Google must review the activities of billions of innocent searchers to respond to keyword search warrants, arguing this has "tremendous implications...for everyone in the country who uses Google to run searches."

Government

Symbolic Wyoming Proposal Urges Voluntary Phase-out of EV Purchases by 2035 (engadget.com) 453

Though the state of Wyoming is home to one of America's largest wind farms, "Wyoming's legislature is considering a resolution that calls for a phaseout of new electric vehicle sales by 2035," reports Engadget: In the proposed resolution, a group of lawmakers led by Senator Jim Anderson says Wyoming's "proud and valued" oil and gas industry has created "countless" jobs and contributed revenue to the state's coffers. They add that a lack of charging infrastructure within Wyoming would make the widespread use of EVs "impracticable" and that the state would need to build "massive amounts of new power generation" to "sustain the misadventure of electric vehicles." SJ4 calls for residents and businesses to limit the sale and purchase of EVs voluntarily, with the goal of phasing them out entirely by 2035.

If passed, the resolution would be entirely symbolic. In fact, it's more about sending a message to EV advocates than banning the vehicles altogether. To that point, the final section of SJ4 calls for Wyoming's Secretary of State to send President Biden and California Governor Gavin Newsom copies of the resolution. "One might even say tongue-in-cheek, but obviously it's a very serious issue that deserves some public discussion," Senator Boner, one of the bill's co-sponsors, told the Cowboy State Daily. "I'm interested in making sure that the solutions that some folks want to the so-called climate crisis are actually practical in real life. I just don't appreciate when other states try to force technology that isn't ready."

Security

NortonLifeLock Warns That Hackers Breached Password Manager Accounts (bleepingcomputer.com) 23

An anonymous reader quotes a report from BleepingComputer: Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks. According to a letter sample shared with the Office of the Vermont Attorney General, the attacks did not result from a breach on the company but from account compromise on other platforms. "Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account," NortonLifeLock said. "This username and password combination may potentially also be known to others."

More specifically, the notice explains that around December 1, 2022, an attacker used username and password pairs they bought from the dark web to attempt to log in to Norton customer accounts. The firm detected "an unusually large volume" of failed login attempts on December 12, 2022, indicating credential stuffing attacks where threat actors try out credentials in bulk. By December 22, 2022, the company had completed its internal investigation, which revealed that the credential stuffing attacks had successfully compromised an undisclosed number of customer accounts: "In accessing your account with your username and password, the unauthorized third party may have viewed your first name, last name, phone number, and mailing address." For customers utilizing the Norton Password Manager feature, the notice warns that the attackers might have obtained details stored in the private vaults. Depending on what users store in their accounts, this could lead to the compromise of other online accounts, loss of digital assets, exposure of secrets, and more.

Norton has reset passwords on impacted accounts and implemented additional measures to counter the malicious attempts. They're recommending customers enable two-factor authentication and take up the offer for a credit monitoring service.
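As an added example (not code from Gen Digital/Norton or from BleepingComputer), here is the kind of check that surfaces the signal the notice describes: one source producing an unusually large volume of failed logins in bulk, spread across many distinct usernames, with an occasional success marking an account whose reused password actually worked. The log line format, field names, IP addresses, usernames, time window and thresholds are all assumptions constructed for illustration.

```python
"""Credential-stuffing detection over constructed login-event lines.

Added example; the log format, thresholds and sample data are assumptions,
not Norton's telemetry. A stuffing source tries many *different* accounts
from one place and fails most of the time; a legitimate user who forgot a
password fails repeatedly against *one* account. The detector keys on that
difference and reports which accounts the source did get into.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log (assumed format): "<iso time> <source ip> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2022-12-12T03:00:01Z 203.0.113.7 alice@example.com FAIL
2022-12-12T03:00:02Z 203.0.113.7 bob@example.com FAIL
2022-12-12T03:00:02Z 203.0.113.7 carol@example.com FAIL
2022-12-12T03:00:03Z 203.0.113.7 dave@example.com SUCCESS
2022-12-12T03:00:04Z 203.0.113.7 erin@example.com FAIL
2022-12-12T03:00:05Z 203.0.113.7 frank@example.com FAIL
2022-12-12T03:00:05Z 203.0.113.7 grace@example.com FAIL
2022-12-12T03:00:06Z 203.0.113.7 heidi@example.com FAIL
2022-12-12T03:05:00Z 198.51.100.9 alice@example.com FAIL
2022-12-12T03:05:30Z 198.51.100.9 alice@example.com FAIL
2022-12-12T03:06:00Z 198.51.100.9 alice@example.com SUCCESS
"""


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_events(text: str) -> list[LoginEvent]:
    """Parse the assumed '<time> <ip> <user> <result>' lines, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts_s, ip, user, result = line.split()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LoginEvent(ts, ip, user, result == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def _has_bulk_window(evs, window, min_failures, min_distinct_users) -> bool:
    """True if any sliding window of `window` length holds >= min_failures
    failed logins against >= min_distinct_users different usernames."""
    start = 0
    for end in range(len(evs)):
        while evs[end].ts - evs[start].ts > window:
            start += 1
        span = evs[start:end + 1]
        failures = sum(1 for e in span if not e.ok)
        users = {e.user for e in span}
        if failures >= min_failures and len(users) >= min_distinct_users:
            return True
    return False


def detect_stuffing_sources(events, window=timedelta(minutes=10),
                            min_failures=5, min_distinct_users=5) -> dict:
    """Return {ip: summary} for every source whose traffic looks like bulk
    credential testing. `compromised_users` are the accounts that source
    logged into successfully: those are the ones to force-reset and notify."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)          # events are already time-ordered
    report = {}
    for ip, evs in by_ip.items():
        if not _has_bulk_window(evs, window, min_failures, min_distinct_users):
            continue
        report[ip] = {
            "failures": sum(1 for e in evs if not e.ok),
            "distinct_users": len({e.user for e in evs}),
            "compromised_users": sorted({e.user for e in evs if e.ok}),
        }
    return report


def accounts_to_reset(report: dict) -> list[str]:
    """Union of compromised accounts across all flagged sources."""
    return sorted({u for hit in report.values() for u in hit["compromised_users"]})


if __name__ == "__main__":
    findings = detect_stuffing_sources(parse_events(SAMPLE_LOG))
    for ip, hit in findings.items():
        print(f"{ip}: {hit['failures']} failures across {hit['distinct_users']} "
              f"usernames; compromised={hit['compromised_users']}")
    print("force reset:", accounts_to_reset(findings))
```

With the constructed sample, 203.0.113.7 is flagged (seven failures across eight usernames in a few seconds, one success) while 198.51.100.9 is not: three attempts against a single account, ending in success, is what a forgotten password looks like, and a threshold on failures alone would have lumped the two together. Operationally the per-source view is what triggers rate limiting or a block; the `compromised_users` list is what drives the password resets and notifications the notice describes.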

Facebook

Meta Sues Surveillance Company for Scraping Data With Fake Facebook Accounts (theverge.com) 14

Meta has filed a legal complaint against a company for allegedly creating tens of thousands of fake Facebook accounts to scrape user data and provide surveillance services for clients. From a report: The firm, Voyager Labs, bills itself as "a world leader in advanced AI-based investigation solutions." What this means in practice is analyzing social media posts en masse in order to make claims about individuals. In 2021, for example, The Guardian reported how Voyager Labs sold its services to the Los Angeles Police Department, with the company claiming to predict which individuals were likely to commit crimes in the future.

Meta announced the legal action in a blog post on January 12th, claiming that Voyager Labs violated its terms of service. According to a legal filing issued on November 11th, Meta alleges that Voyager Labs created over 38,000 fake Facebook user accounts and used its surveillance software to gather data from Facebook and Instagram without authorization. Voyager Labs also collected data from sites including Twitter, YouTube, and Telegram.

The Courts

Jawbone Co-Founder's Health Startup Sued by Investor Alleging Fraud (bloomberg.com)

All.health, a medical care startup that rose from the ashes of once-hot wearable company Jawbone, is being sued in San Francisco by one of its investors for alleged fraud, misrepresentation and breach of contract. From a report: All.health's co-founders, the former Jawbone Chief Executive Officer Hosain Rahman and Michael Luna, are also named in the complaint. While All.health, Rahman and Luna deny the claims, the dispute is an illustration of the rancor that can envelop fledgling tech companies at a suddenly volatile time for startup funding. Jawbone was a Silicon Valley darling -- most famous for its wireless earpieces -- until the startup dramatically folded in 2017 and sold off its assets. As Jawbone was disintegrating, Rahman salvaged the company's medical device business. The resulting startup, now called All.health, developed wearable monitoring hardware and technology for people with chronic illnesses like diabetes.

In a complaint filed this summer, Polymath Holdings, a Dubai-based investment company and All.health backer, claimed that the startup overpromised, took millions of dollars and under-delivered on a commitment to manufacture thousands of health-monitoring devices. The suit, which was recently largely unredacted by a San Francisco court, alleges that the startup was a "classic 'fake-it-until-you-make it' tale of fraud."

Crime

UK Could Jail Social Media Bosses Who Breach Child Safety Rules (theguardian.com) 55

Downing Street has said it is considering a Tory-backed amendment to the online safety bill that would allow for the imposing of jail sentences on social media bosses who are found not to have protected children's safety. The Guardian reports: No 10 said on Thursday it was open to the proposal, which is backed by at least 36 Conservative MPs including the former home secretary Priti Patel and the former work and pensions secretary Iain Duncan Smith. The amendment would give Ofcom, the communications watchdog, the power to prosecute executives at social media companies that are found to have breached the law. If ministers include it in the bill, it will mark the third time the prime minister, Rishi Sunak, has bowed to the demands of his backbenchers, after U-turns on planning and onshore windfarms.

The bill is aimed at cracking down on a range of online content that ministers believe is causing serious harm to users and was informed in part by the testimony of Frances Haugen, a former Facebook employee who accused the company of repeatedly putting profits ahead of user safety. The bill will force companies to remove any content promoting self-harm, depicting sexual violence or facilitating suicide. It will also require companies to impose and enforce strict age limits and to publish assessments of the risks their platforms pose to young people. As it is currently written, the bill gives Ofcom the power to levy fines on companies of up to 10% of their global turnover for breaches in the law. Ofcom will be able to prosecute executives only if they fail to cooperate with an investigation. This has upset many Conservative MPs, however, who believe the regulator should be given tougher powers.

The amendment, which has been signed by 37 MPs overall, would allow Ofcom to prosecute individual executives if they were proved to have connived with or consented to breaking the elements of the bill designed to protect children's safety. Judges would be allowed to impose prison sentences of up to two years. [...] Other changes to the bill, which has its report and third reading stage in the House of Commons next week, include altering earlier plans to tackle content seen by adults that is harmful but falls below the threshold of criminality, such as cyberbullying and sexist and racist material. Tech companies will be required to state clearly in their terms and conditions how they will moderate such content. Users will also be given the option of asking to have such content screened out when they are on social media platforms.

A Downing Street spokesperson said on Thursday: "Our aim is to hold to account social media platforms for harmful content, while also ensuring the UK remains a great place to invest and grow a tech business. We are confident we can achieve both of these things. We will carefully consider all the proposed amendments to the online safety bill and set out the position when report stage continues."

Patents

Apple Watch Patent Infringement Confirmed, As Masimo Seeks Import Ban (9to5mac.com) 36

An anonymous reader quotes a report from 9to5Mac: Apple has suffered a setback in its long-running Apple Watch patent infringement battle with medical technology company Masimo. A court has ruled that Apple has indeed infringed one of Masimo's patents in the Apple Watch Series 6 and up. Masimo is seeking a US import ban on all current Apple Watches. If granted, this would effectively end Apple Watch sales in the US, as the company would not be allowed to bring in the devices from China.

The battle between the two companies has a long history. Back in 2013, Apple reportedly contacted Masimo to discuss a potential collaboration between the two companies. Instead, claims Masimo, Apple used the meetings to identify staff it wanted to poach. Masimo later called the meetings a "targeted effort to obtain information and expertise." Apple did indeed hire a number of Masimo staff, including the company's chief medical officer, ahead of the launch of the Apple Watch. Masimo CEO Joe Kiani later expressed concern that Apple may have been trying to steal the company's blood oxygen sensor technology. The company describes itself as "the inventors of modern pulse oximeters," and its tech is used in many hospitals.

In 2020, the company sued Apple for stealing trade secrets and infringing 10 Masimo patents. The lawsuit asked for an injunction on the sale of the Apple Watch. Apple has consistently denied the claims, and recently hit back with a counterclaim of its own, alleging that Masimo's own W1 Advanced Health Tracking Watch infringes multiple Apple patents. Reuters reports that a US court has ruled against Apple on one of the patent claims.

Bitcoin

SEC Alleges Gemini, Genesis Sold Unregistered Securities 18

The U.S. Securities and Exchange Commission (SEC) alleged crypto exchange Gemini and crypto lender Genesis Global Capital sold unregistered securities in a lawsuit filed late Thursday. CoinDesk reports: The investment regulator took aim at Gemini Earn, the troubled yield-bearing product that hundreds of thousands of U.S. investors entrusted with their crypto. Gemini generated yield on billions of dollars in crypto by loaning deposits to Genesis, which loaned them out again. But Genesis' November closing of lending withdrawals left some 340,000 Gemini Earn customers and about $900 million in crypto in limbo, the SEC said. The regulator accused the popular program of being an unregistered security. "Defendants offered and sold the Gemini Earn Agreements through the Gemini Earn Program without registering" with securities regulators, the complaint said. "As a result, investors lacked material information about the Gemini Earn program that would have been relevant to their investment decisions."

Businesses

JP Morgan Says Startup Founder Used Millions Of Fake Customers To Dupe It Into An Acquisition (forbes.com)

JPMorgan Chase is suing the 30-year-old founder of Frank, a buzzy fintech startup it acquired for $175 million, for allegedly lying about its scale and success by creating an enormous list of fake users to entice the financial giant to buy it. Forbes: Frank, founded by former CEO Charlie Javice in 2016, offers software aimed at improving the student loan application process for young Americans seeking financial aid. Her lofty goals to build the startup into "an Amazon for higher education" won support from billionaire Marc Rowan, Frank's lead investor according to Crunchbase, and prominent venture backers including Aleph, Chegg, Reach Capital, Gingerbread Capital and SWAT Equity Partners. The lawsuit, which was filed late last year in U.S. District Court in Delaware, claims that Javice pitched JP Morgan in 2021 on the "lie" that more than 4 million users had signed up to use Frank's tools to apply for federal aid.

When JP Morgan asked for proof during due diligence, Javice allegedly created an enormous roster of "fake customers -- a list of names, addresses, dates of birth, and other personal information for 4.265 million 'students' who did not actually exist." In reality, according to the suit, Frank had fewer than 300,000 customer accounts at that time. [...] Frank's chief growth officer Olivier Amar is also named in the JP Morgan complaint. It alleges that Javice and Amar first asked a top engineer at Frank to create the fake customer list; when he refused, Javice approached "a data science professor at a New York City area college" to help. Using data from some individuals who'd already started using Frank, he created 4.265 million fake customer accounts -- for which Javice paid him $18,000 -- and had it validated by a third-party vendor at her direction, JP Morgan alleges. Amar, meanwhile, spent $105,000 buying a separate data set of 4.5 million students from the firm ASL Marketing, per the complaint.

Security

A Government Watchdog Spent $15,000 To Crack a Federal Agency's Passwords In Minutes (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: A government watchdog has published a scathing rebuke of the Department of the Interior's cybersecurity posture, finding it was able to crack thousands of employee user accounts because the department's security policies allow easily guessable passwords like 'Password1234'. The report by the Office of the Inspector General for the Department of the Interior, tasked with oversight of the U.S. executive agency that manages the country's federal land, national parks and a budget of billions of dollars, said that the department's reliance on passwords as the sole way of protecting some of its most important systems and employees' user accounts has bucked nearly two decades of the government's own cybersecurity guidance of mandating stronger two-factor authentication. It concludes that poor password policies put the department at risk of a breach that could lead to a "high probability" of massive disruption to its operations.

The inspector general's office said it launched its investigation after a previous test of the agency's cybersecurity defenses found lax password policies and requirements across the Department of the Interior's dozen-plus agencies and bureaus. The aim this time around was to determine if the department's security defenses were enough to block the use of stolen and recovered passwords. [...] To make their point, the watchdog spent less than $15,000 on building a password-cracking rig -- a setup of a high-performance computer or several chained together -- with the computing power designed to take on complex mathematical tasks, like recovering hashed passwords. Within the first 90 minutes, the watchdog was able to recover nearly 14,000 employee passwords, or about 16% of all department accounts, including passwords like 'Polar_bear65' and 'Nationalparks2014!'. The watchdog also recovered hundreds of accounts belonging to senior government employees and other accounts with elevated security privileges for accessing sensitive data and systems. Another 4,200 hashed passwords were cracked over an additional eight weeks of testing. [...]

The watchdog said it curated its own custom wordlist for cracking the department's passwords from dictionaries in multiple languages, as well as U.S. government terminology, pop culture references, and other publicly available lists of hashed passwords collected from past data breaches. By doing so, the watchdog demonstrated that a well-resourced cybercriminal could have cracked the department's passwords at a similar rate, the report said. The watchdog found that close to 5% of all active user account passwords were based on some variation of the word "password" and that the department did not "timely" wind down inactive or unused user accounts, leaving at least 6,000 user accounts vulnerable to compromise. The report also criticized the Department of the Interior for "not consistently" implementing or enforcing two-factor authentication, where users are required to enter a code from a device that they physically own to prevent attackers from logging in using just a stolen password.
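
The wordlist-plus-rules approach the report describes, as an added example that is not part of the TechCrunch report or the inspector general's tooling: a small Python script takes a constructed base wordlist (dictionary words, agency terminology, pop-culture tokens), applies a handful of hashcat-style mangling rules (case toggles, a leetspeak substitution, appended digits, years and symbols), and runs every candidate against a constructed set of hashed accounts. SHA-256 stands in for whatever hash format the department's systems actually store, which the excerpt does not name; the account names, base words and passwords are made up, though the plaintexts mirror the examples the report published. The final audit step counts how many of the cracked passwords are variations of the word "password", the check behind the report's 5% figure.

```python
"""Added example: wordlist + mangling rules against hashed passwords.

Not the OIG's tooling. SHA-256 stands in for the real hash format (an
assumption; the report excerpt does not name it). All accounts, passwords
and base words below are constructed for the demo.
"""
import hashlib
import itertools
import re
from typing import Iterator

# Constructed base wordlist: dictionary words, agency terminology and
# pop-culture tokens of the kind the watchdog said it compiled.
BASE_WORDS = ["password", "polar_bear", "nationalparks", "interior", "yosemite", "summer"]

YEARS = [str(y) for y in range(2000, 2024)]
SUFFIXES = ["", "1", "123", "1234", "!", "65"] + YEARS + [y + "!" for y in YEARS]
LEET = str.maketrans("ao", "@0")  # Password -> P@ssw0rd


def mangle(word: str) -> Iterator[str]:
    """Yield candidates from one base word using a few hashcat-style rules:
    lowercase/uppercase/capitalised forms, a leetspeak variant of each,
    and every suffix in SUFFIXES appended to each of those."""
    bases = set()
    for cased in (word.lower(), word.upper(), word.capitalize()):
        bases.add(cased)
        bases.add(cased.translate(LEET))
    for base, suffix in itertools.product(sorted(bases), SUFFIXES):
        yield base + suffix


def hash_pw(pw: str) -> str:
    """Stand-in hash; a real run would compute the dump's actual format."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def crack(hashes: dict[str, str], words: list[str]) -> dict[str, str]:
    """Return {account: plaintext} for every hash matched by a candidate.
    The hash set is inverted once so each candidate costs one hash plus
    one dictionary lookup, however many accounts share that hash."""
    by_hash: dict[str, list[str]] = {}
    for account, digest in hashes.items():
        by_hash.setdefault(digest, []).append(account)
    found: dict[str, str] = {}
    for word in words:
        for candidate in mangle(word):
            for account in by_hash.get(hash_pw(candidate), ()):
                found[account] = candidate
    return found


# Matches 'password' and its common spellings: Password1234, P@ssw0rd!, p4ssword
PASSWORD_VARIANT = re.compile(r"p[a@4]ss?w[o0]r?d", re.IGNORECASE)


def is_password_variant(pw: str) -> bool:
    return PASSWORD_VARIANT.search(pw) is not None


def audit(cracked: dict[str, str], total_accounts: int) -> dict:
    """Summarise results the way the report does: how many accounts fell,
    what share of the population that is, and how many were built on 'password'."""
    variants = [a for a, pw in cracked.items() if is_password_variant(pw)]
    return {
        "cracked": len(cracked),
        "cracked_pct": round(100.0 * len(cracked) / total_accounts, 1),
        "password_variants": len(variants),
    }


# Constructed sample dump: plaintexts mirror the report's published examples;
# 'eve' has a random 16-character password no rule in this list will reach.
SAMPLE_PLAINTEXTS = {
    "alice": "Password1234",
    "bob": "Polar_bear65",
    "carol": "Nationalparks2014!",
    "dave": "P@ssw0rd",
    "eve": "Tq9#vLm2!pRz8&Kd",
}
SAMPLE_HASHES = {acct: hash_pw(pw) for acct, pw in SAMPLE_PLAINTEXTS.items()}


def run_demo() -> dict:
    return audit(crack(SAMPLE_HASHES, BASE_WORDS), len(SAMPLE_HASHES))


if __name__ == "__main__":
    print(run_demo())
```

Four of the five constructed accounts fall to fewer than two thousand candidates built from six base words, which is the point of the report: composition rules that force a capital letter, digits and a symbol do nothing against a guess that already contains them. The same generator, run at password-set time, doubles as the deny-list check that NIST SP 800-63B recommends in place of composition rules, rejecting any new password that a wordlist and a few rules would reach. None of it substitutes for the two-factor authentication the report found missing, which makes a cracked hash alone insufficient to log in.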

Security

Messenger Billed as Better Than Signal is Riddled With Vulnerabilities (arstechnica.com)

Academic researchers have discovered serious vulnerabilities in the core of Threema, an instant messenger that its Switzerland-based developer says provides a level of security and privacy "no other chat service" can offer. From a report: Despite the unusually strong claims and two independent security audits Threema has received, the researchers said the flaws completely undermine assurances of confidentiality and authentication that are the cornerstone of any program sold as providing end-to-end encryption, typically abbreviated as E2EE. Threema has more than 10 million users, which include the Swiss government, the Swiss army, German Chancellor Olaf Scholz, and other politicians in that country. Threema developers advertise it as a more secure alternative to Meta's WhatsApp messenger. It's among the top Android apps for a fee-based category in Switzerland, Germany, Austria, Canada, and Australia. The app uses a custom-designed encryption protocol in contravention of established cryptographic norms.

Researchers from the Zurich-based ETH research university reported on Monday that they found seven vulnerabilities in Threema that seriously call into question the true level of security the app has offered over the years. Two of the vulnerabilities require no special access to a Threema server or app to cryptographically impersonate a user. Three vulnerabilities require an attacker to gain access to a Threema server. The remaining two can be exploited when an attacker gains access to an unlocked phone, such as at a border crossing. "In totality, our attacks seriously undermine Threema's security claims," the researchers wrote. "All the attacks can be mitigated, but in some cases, a major redesign is needed."

Medicine

FDA No Longer Needs To Require Animal Tests Before Human Drug Trials (science.org)

New medicines need not be tested in animals to receive U.S. Food and Drug Administration (FDA) approval, according to legislation signed by President Joe Biden in late December 2022. Science Magazine reports: "This is huge," says Tamara Drake, director of research and regulatory policy at the Center for a Humane Economy, a nonprofit animal welfare organization and key driver of the legislation. "It's a win for industry. It's a win for patients in need of cures." In place of the 1938 stipulation that potential drugs be tested for safety and efficacy in animals, the law allows FDA to promote a drug or biologic -- a larger molecule such as an antibody -- to human trials after either animal or nonanimal tests. Drake's group and the nonprofit Animal Wellness Action, among others that pushed for changes, argue that in clearing drugs for human trials the agency should rely more heavily on computer modeling, "organ chips," and other nonanimal methods that have been developed over the past 10 to 15 years.

But pro-research groups are downplaying the law, saying it signals a slow turning of the tide -- not a tsunami that will remake the drug approval process overnight. Jim Newman, communications director at Americans for Medical Progress, which advocates for animal research, argues non-animal technologies are still "in their infancy" and won't be able to replace animal models for "many, many years." FDA still retains tremendous discretion to require animal tests, he notes, and he doesn't expect the agency to change tack anytime soon. In order for a drug to be approved in the United States, FDA typically requires toxicity tests on one rodent species such as a mouse or rat and one nonrodent species such as a monkey or dog. Companies use tens of thousands of animals for such tests each year. Yet more than nine in 10 drugs that enter human clinical trials fail because they are unsafe or ineffective, providing grist to those who argue that animal experiments are a waste of time, money, and lives. [...]

Now, that requirement is gone. In eliminating it, Congress seems to have responded to the emergence of nonanimal methods and growing public sentiment against animal research. Senator Rand Paul (R-KY) and Senator Cory Booker (D-NJ), who both call animal research inefficient and inhumane, introduced the changes, which the Senate passed by unanimous consent in September 2022. In December, Biden signed them into law as part of the Consolidated Appropriations Act, which funds the government through this fiscal year. [...] Still, it remains unclear just how much the new law will change things at FDA. Although the legislation allows the agency to clear a drug for human trials without animal testing, it doesn't require that it do so. What's more, FDA's toxicologists are famously conservative, preferring animal tests in part because they allow examination of a potential drug's toxic effects in every organ after the animal is euthanized.
