Education

American Schools' Phone Apps Send Children's Info To Ad Networks, Analytics Firms (theregister.com) 18

LeeLynx shares a report from The Register: The majority of Android and iOS apps created for US public and private schools send student data to assorted third parties, researchers have found, calling into question privacy commitments from Apple and Google as app store stewards. The Me2B Alliance, a non-profit technology policy group, examined a random sample of 73 mobile applications used in 38 different schools across 14 US states and found 60 percent were transmitting student data. The apps in question send data using software development kits, or SDKs, which are modular code libraries that can be used to implement utility functions, analytics, or advertising without the hassle of creating these capabilities from scratch. Examples include Google's AdMob, Firebase, and Sign-in SDKs, Square's OkHttp and Okio libraries, and Facebook's Bolts SDK, among others.

The data that concerns Me2B includes: identifiers (IDFA, MAID, etc.), Calendar, Contacts, Photos/Media Files, Location, Network Data (IP address), and permissions related to Camera, Microphone, Device ID, and Calls. About 49 percent of the apps reviewed sent student data to Google and about 14 percent communicated with Facebook, with the balance routing info to advertising and analytics firms, many of them characterized as high risk by the Me2B researchers. Among the public school apps, 67 percent sent data to third parties; private school apps proved less likely to send data to third parties (57 percent).
Interestingly, the research group found a significant difference across mobile platforms. According to The Register, "91 percent of student Android apps sent data to high-risk third parties while only 26 percent of iOS apps did so, and 20 percent of Android apps piped data to very high-risk third parties while only 2.6 percent of iOS did so."

The report adds: "Nonetheless, the researchers expressed concern that 95 percent of third-party data channels in the surveyed student apps are active even when the user is not signed in and that these apps send data as soon as the app is loaded."
The Courts

College Student Sues Proctorio After Source Code Copyright Claim (theverge.com) 25

The Electronic Frontier Foundation (EFF) has filed a lawsuit against the remote testing company Proctorio on behalf of Miami University student Erik Johnson. The Verge reports: The lawsuit is intended to "quash a campaign of harassment designed to undermine important concerns" about the company's remote test-proctoring software, according to the EFF. The lawsuit intends to address the company's behavior toward Johnson in September of last year. After Johnson found out that he'd need to use the software for two of his classes, Johnson dug into the source code of Proctorio's Chrome extension and made a lengthy Twitter thread criticizing its practices -- including links to excerpts of the source code, which he'd posted on Pastebin. Proctorio CEO Mike Olsen sent Johnson a direct message on Twitter requesting that he remove the code from Pastebin, according to screenshots viewed by The Verge. After Johnson refused, Proctorio filed a copyright takedown notice, and three of the tweets were removed. (They were reinstated after TechCrunch reported on the controversy.)

In its lawsuit, the EFF is arguing that Johnson made fair use of Proctorio's code and that the company's takedown "interfered with Johnson's First Amendment right." "Copyright holders should be held liable when they falsely accuse their critics of copyright infringement, especially when the goal is plainly to intimidate and undermine them," said EFF Staff Attorney Cara Gagliano in a statement. "I'm doing this to stand up against student surveillance, as well as abuses of copyright law," Johnson told The Verge. "This isn't the first, and won't be the last time a company abuses copyright law to try and make criticism more difficult. If nobody calls out this abuse of power now, it'll just keep happening."

Businesses

Biden Blocks Trump's Gig-worker Rule (protocol.com) 71

The Biden administration has blocked a Trump-era rule that would have made it easier for companies like Uber, Lyft and Instacart to continue classifying rideshare drivers and delivery workers as independent contractors under federal law. From a report: The rule pertained to the classification of gig workers under the Fair Labor Standards Act, which requires employers to pay non-exempt employees at least the federal minimum wage. The Trump administration published the rule in January 2021, and it was originally set to go into effect on March 8. In February, Biden's labor department delayed implementation until May 7. Now, the Department of Labor has officially withdrawn the rule. The decision to rescind the rule does not mean gig workers will be considered employees. But it does mean certain gig workers won't face an additional obstacle in their efforts to be classified as employees. The rule would have implemented a new interpretation of what type of worker is an independent contractor. The DOL, however, determined that it would have "narrowed the scope of facts and considerations" in determining whether someone is an independent contractor or employee.
AI

White House Launches New AI Website (axios.com) 19

The White House has launched a new website, AI.gov, to make artificial intelligence research more accessible across the nation. Axios: The U.S. once led significantly in the global artificial intelligence race, but now risks being overtaken by China. This is one step the White House is taking to drum up excitement for AI and broaden educational opportunities in the field. The website's target audience is the general public, and its purpose is to make public information available on AI more visible to someone like a teacher or student interested in science. Users will be able to visit the website to learn how artificial intelligence is being used across the nation in a variety of ways, including to respond to the COVID pandemic and weather forecasting, for example. It's also meant to be a tool to advance research.
The Courts

Snapchat Can Be Sued Over Role In Fatal Car Crash, Court Rules (npr.org) 188

An anonymous reader shares a report: Three young men got into a car in Walworth County, Wis., in May 2017. They were set on driving at rapid speeds down a long, cornfield-lined road -- and sharing their escapade on social media. As the 17-year-old behind the wheel accelerated to 123 miles per hour, one of the passengers opened Snapchat. His parents say their son wanted to capture the experience using an app feature -- the controversial "speed filter" -- that documents real-life speed, hoping for engagement and attention from followers on the messaging app. It was one of the last things the trio did before the vehicle ran off the road and crashed into a tree, killing all of them. Was Snapchat partially to blame? The boys' parents think so. And, in a surprise decision on Tuesday, a federal appeals court ordered that the parents should have the right to sue Snap.

The ruling, from a three-judge panel of the 9th U.S. Circuit Court of Appeals, has set off intense debate among legal watchers about the future of a decades-old law that has shielded tech companies from civil lawsuits. The boys' parents sued Snap, the maker of Snapchat, after the tragedy. They alleged that the company "knowingly created a dangerous game" through its filter and bore some responsibility. The district court responded how courts usually do when a tech platform is sued in a civil lawsuit: by dismissing the case. The judge cited the sweeping immunity that social media companies enjoy under Section 230 of the Communications Decency Act. The law provides legal immunity to tech companies from libel and other civil suits for what people post on sites, regardless of how harmful it may be. But the appeals court's reversal paves a way around the all-powerful law, saying it doesn't apply because this case is not about what someone posted to Snapchat, but rather the design of the app itself.

Government

Biden Team May Partner With Private Firms To Monitor Extremist Chatter Online (cnn.com) 214

schwit1 shares a report from CNN: The Biden administration is considering using outside firms to track extremist chatter by Americans online, an effort that would expand the government's ability to gather intelligence but could draw criticism over surveillance of US citizens. The plan being discussed inside DHS, according to multiple sources, would, in effect, allow the department to circumvent [restrictions the U.S. government faces in surveilling American citizens]. A source familiar with the effort said it is not about decrypting data but rather using outside entities who can legally access these private groups to gather large amounts of information that could help DHS identify key narratives as they emerge.

In response to CNN's story, DHS said it "is not partnering with private firms to surveil suspected domestic terrorists online" and "it is blatantly false" to suggest that the department is using outside firms to circumvent its legal limits. "All of our work to address the threat of domestic terrorism is done consistent with the Constitution and other applicable law, and in close coordination with our privacy and civil liberties experts," the DHS statement added. But the department has considered partnering with research firms who have more visibility in this space, though it has not done so to this point, the sources said. If that ultimately happens, DHS could produce information that would likely be beneficial to both it and the FBI, which can't monitor US citizens in this way without first getting a warrant or having the pretext of an ongoing investigation. The CIA and NSA are also limited on collecting intelligence domestically.

Researchers who already monitor such activity online could act as middlemen to obtain the information. DHS officials maintain the materials provided would only consist of broad summaries or analysis of narratives that are emerging on these sites and would not be used to target specific individuals. But some of the research firms and non-profit groups under consideration by the DHS periodically use covert identities to access private social media groups like Telegram, and others used by domestic extremist groups. That thrusts DHS into a potential legal gray area even as it plugs an intelligence gap that critics say contributed to the failure to predict the assault on the Capitol.

The Courts

#FreeFortnite Hecklers Add a Shout-Out To Epic-Apple Trial (bloomberg.com) 54

Fans of Fortnite aren't happy that Apple pulled the game app off the iPhone last year -- and some aren't shy about appealing to the federal judge who has the power to make things right. From a report: "Can we please have Fortnite mobile back?" a voice was heard saying Tuesday as a clerk was testing dial-in access for the public to monitor Epic Games' trial against Apple in federal court in Oakland, California. Yesterday, as the three-week trial opened, there were enough hecklers who'd figured out how to unmute themselves -- against the court's rules -- that the phone system was briefly shut down, prompting some online commentators to refer to the situation as a hijacking. Further reading: The Apple vs. Epic Games trial airs private emails.
The Courts

What3Words Sends Legal Threat To a Security Researcher For Sharing an Open-Source Alternative (techcrunch.com) 135

The U.K. company behind the digital addressing system What3Words has sent a legal threat to a security researcher for offering to share an open-source software project with other researchers, which What3Words claims violates its copyright. From a report: Aaron Toponce, a systems administrator at XMission, received a letter on Thursday from London-based law firm JA Kemp representing What3Words, requesting that he delete tweets related to the open-source alternative, WhatFreeWords. The letter also demands that he disclose to the law firm the identity of the person or people with whom he had shared a copy of the software, agree that he would not make any further copies of the software, and delete any copies of the software he had in his possession. The letter gave him until May 7 to agree, after which What3Words would "waive any entitlement it may have to pursue related claims against you," a thinly-veiled threat of legal action. "This is not a battle worth fighting," he said in a tweet.

Toponce told TechCrunch that he has complied with the demands, fearing legal repercussions if he didn't. He has also asked the law firm twice for links to the tweets they want deleted but has not heard back. "Depending on the tweet, I may or may not comply. Depends on its content," he said. U.K.-based What3Words divides the entire world into three-meter squares and labels each with a unique three-word phrase. The idea is that three words are easier to read out over the phone in an emergency than precise geographic coordinates, which first have to be found and then read digit by digit. But security researcher Andrew Tierney recently discovered that What3Words would sometimes have two similarly-named squares less than a mile apart, potentially causing confusion about a person's true whereabouts. In a later write-up, Tierney said What3Words was not adequate for use in safety-critical cases.
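The confusable-squares problem above is a property of how a grid-to-words mapping is laid out, and it can be audited mechanically. The following is an added example, not code from What3Words, WhatFreeWords or the researchers named on the page: it assumes a small grid of three-metre cells, a constructed word list containing singular/plural pairs, and a deliberately naive mixed-radix encoder (the real product's mapping is proprietary and is not reproduced here). The audit scans every pair of cells within a chosen radius and reports pairs whose labels differ only by a plural suffix, which is exactly the kind of near-collision a safety-critical addressing scheme should place far apart.

```python
"""Toy three-word addressing scheme plus a near-collision audit.

Added example; not What3Words' algorithm. Assumptions: square grid of
3 m cells, a fixed word list, and a mixed-radix mapping from cell index
to three words (a simplification chosen to make the flaw visible).
"""
import itertools
import math

CELL_METRES = 3

# Constructed word list: singular/plural pairs are easy to mishear on a
# phone call, so two labels differing only in an "s" are confusable.
WORDS = ["table", "tables", "river", "rivers",
         "stone", "stones", "cloud", "clouds"]


def cell_to_words(x, y, grid_width):
    """Map grid cell (x, y) to a three-word label.

    Naive mixed-radix encoding of the cell index: adjacent cells get
    labels that differ in a single word, which is the weakness audited below.
    """
    n = len(WORDS)
    idx = y * grid_width + x
    w0 = WORDS[idx % n]
    idx //= n
    w1 = WORDS[idx % n]
    idx //= n
    w2 = WORDS[idx % n]
    return (w0, w1, w2)


def normalise(word):
    """Collapse a crude singular/plural distinction (strip trailing 's')."""
    return word[:-1] if word.endswith("s") else word


def confusable(a, b):
    """True if two distinct labels match word-for-word after normalisation."""
    return a != b and all(normalise(x) == normalise(y) for x, y in zip(a, b))


def distance_metres(c1, c2):
    """Straight-line distance between two cell coordinates in metres."""
    return math.hypot(c1[0] - c2[0], c1[1] - c2[1]) * CELL_METRES


def find_near_collisions(grid_width, grid_height, max_metres):
    """Return (label_a, label_b, metres) for confusable labels within max_metres."""
    cells = [(x, y) for y in range(grid_height) for x in range(grid_width)]
    labels = {c: cell_to_words(c[0], c[1], grid_width) for c in cells}
    hits = []
    for c1, c2 in itertools.combinations(cells, 2):
        d = distance_metres(c1, c2)
        if d <= max_metres and confusable(labels[c1], labels[c2]):
            hits.append((labels[c1], labels[c2], round(d, 1)))
    return hits


if __name__ == "__main__":
    # Audit an 8x8 grid (24 m on a side) with a one-mile radius.
    for a, b, d in find_near_collisions(8, 8, 1609.0)[:5]:
        print(f"{'.'.join(a)}  vs  {'.'.join(b)}  ({d} m apart)")
```

With the naive encoder the very first pair reported is table.table.table against tables.table.table, three metres apart; a scheme intended for emergency use would want this audit to return an empty list for any radius a dispatcher might plausibly confuse, and the normalisation step can be widened (homophones, common misspellings) to match whatever channel the words travel over.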

Government

North Carolina To Kick $845.8M of Apple Employees' State Taxes Back To Apple (newsobserver.com) 162

Long-time Slashdot reader theodp writes: "The announcement Monday that Apple Inc. would locate its new high-tech campus in Research Triangle Park," reports The News&Observer's Tyler Dukes, "was heralded as a coup for the state, which has pursued the company and the promise of its high-paying jobs for at least three years. But that victory comes at a cost. State and local incentives for the deal could be worth nearly $1 billion to the company over the next four decades. That award, by far the largest in the state's history, will mostly come from new Apple employees' state income tax payments — the vast majority of which will flow right back to Apple....

"The JDIG award approved by the state's Economic Investment Committee Monday morning would mean $845.8 million in payments to Apple through 2061 — provided the company meets its hiring, worker-retention and investment targets. These payments are recouped from the income taxes Apple's new employees would normally pay to the state. Starting in 2023, the state will start issuing payments to Apple worth a little more than half of those employees' annual tax payments. In 2032, if all goes as planned, that percentage increases to 90%."

Apple, whose market cap on Monday was $2.26 trillion, isn't exactly hurting for money...

Businesses

Court Rules Amazon Liable for Hoverboard that Burst Into Flames (msn.com) 110

Amazon accounts for "roughly half of all online sales," while "more than half of all the stuff sold by Amazon comes from third parties," reports a business columnist for the Los Angeles Times.

But is Amazon legally and financially responsible for the safety of those products? Amazon says no. A trio of state Court of Appeal justices in Los Angeles this week said otherwise.

"We are persuaded that Amazon's own business practices make it a direct link in the vertical chain of distribution under California's strict liability doctrine," the justices ruled, rejecting Amazon's claim that its site is merely a platform connecting buyers and sellers... "Amazon is the retailer. They're the one selling the product," said Christopher Dolan, a San Francisco lawyer who spearheaded the case against the e-commerce behemoth. "Because of this ruling," he told me, "you can be sure Amazon is rewriting all its rules for third-party sellers, and it's doing it today..."

The case began when a California woman named Loomis gave her son a hoverboard for Christmas in 2015 — and less than a week later its lithium-ion batteries exploded while charging. In pursuing his case on Loomis' behalf, Dolan found that the Chinese manufacturer and its U.S. distributor had gone out of business, "leaving only Amazon to be held accountable for the injuries to Ms. Loomis and the damages to her home." Amazon prevailed in the original case. An L.A. judge agreed with the Seattle company that it was merely an "online advertiser" and not responsible for the third-party products it sells. The lawsuit was dismissed in March 2019.

This week's appellate court decision overturns that ruling, holding Amazon accountable for the products it allows third parties to sell on its website.

The appellate justices cited Amazon's "substantial ability to influence the manufacturing or distribution process through its ability to require safety certification, indemnification and insurance before it agrees to list any product...." Product liability experts told me this week's decision makes clear that online merchants are just that — merchants — and can't hide behind their connecting-the-world technology to shield them from responsibility for distributing unsafe goods.

Television

Former Netflix IT Executive Convicted of Fraud and Taking Bribes (justice.gov) 23

Business Insider reports: Former Netflix vice president of IT Michael Kail was convicted by a federal jury on Friday of 28 counts of fraud and money laundering, the U.S. Department of Justice announced in a press release.

Kail, who was indicted in 2018, used his position to create a "pay-to-play" scheme where he approved contracts with outside tech companies looking to do business with Netflix in exchange for taking bribes and kickbacks, according to evidence presented to the jury, the release said. Kail accepted bribes or kickbacks from nine different companies totaling more than $500,000 as well as stock options, according to the Department of Justice's press release...

Netflix sued Kail after he left the company in 2014 to take a role as Yahoo's CIO, accusing him of fraud and breaching his fiduciary duties.

One FBI agent says that Kail "stole the opportunity to work with an industry pioneer from honest, hardworking, Silicon Valley companies," according to the details in the Department of Justice statement: To facilitate kickback payments, the evidence at trial showed that Kail created and controlled a limited liability corporation called Unix Mercenary, LLC. Established on February 7, 2012, Unix Mercenary had no employees and no business location. Kail was the sole signatory to its bank accounts...

Kail faces a maximum sentence of twenty years in prison and a fine of $250,000, or twice his gross gain or twice the gross loss to Netflix, whichever is greater, for each count of a wire or mail fraud conviction, and ten years in prison and a fine of $250,000 for each count of a money laundering conviction.

United States

US Investigating Possible Mysterious Directed Energy Attack Near White House (cnn.com) 108

An anonymous reader quotes a report from CNN: Federal agencies are investigating at least two possible incidents on US soil, including one near the White House in November of last year, that appear similar to mysterious, invisible attacks that have led to debilitating symptoms for dozens of US personnel abroad. Multiple sources familiar with the matter tell CNN that while the Pentagon and other agencies probing the matter have reached no clear conclusions on what happened, the fact that such an attack might have taken place so close to the White House is particularly alarming. Defense officials briefed lawmakers on the Senate and House Armed Services Committees on the matter earlier this month, including on the incident near the White House. That incident, which occurred near the Ellipse, the large oval lawn on the south side of the White House, sickened one National Security Council official, according to multiple current and former US officials and sources familiar with the matter. In a separate 2019 episode, a White House official reported a similar attack while walking her dog in a Virginia suburb just outside Washington, GQ reported last year.

Those sickened reported similar symptoms to CIA and State Department personnel impacted overseas, and officials quickly began to investigate the incident as a possible "Havana syndrome" attack. That name refers to unexplained symptoms that US personnel in Cuba began experiencing in late 2016 -- a varying set of complaints that includes ear popping, vertigo, pounding headaches and nausea, sometimes accompanied by an unidentified "piercing directional noise." Rumors have long swirled around Washington about similar incidents within the United States. While the recent episodes around Washington appear similar to the previous apparent attacks affecting diplomats, CIA officers and other US personnel serving in Cuba, Russia and China, investigators have not determined whether the puzzling incidents at home are connected to those that have occurred abroad or who may be behind them, sources tell CNN.

The Courts

Humble Bundle Creator Brings Antitrust Lawsuit Against Valve Over Steam (arstechnica.com) 90

Indie developer (and Humble Indie Bundle originator) Wolfire Games has filed a proposed class-action lawsuit against Steam creator Valve, saying that the company is wielding Steam's monopoly power over the PC gaming market to extract "an extraordinarily high cut from nearly every sale that passes through its store — 30%." Ars Technica reports: The lawsuit, filed in a Washington state federal court, centers on what it considers an illegal tying of the Steam gaming platform (which provides game library management, social networking, achievement tracking, Steam Workshop mods, etc.) and the Steam game store (which processes online payments and delivers a copy of the game). After years of growth, the vast majority of PC gamers are locked into the Steam platform thanks to "immense network effects" and the high switching costs to move to a new PC platform, the suit argues. That makes the platform "a must-have for game publishers," who need access to the players on Steam to succeed. But games that use the Steam platform also have to be sold on the Steam Store, where Valve takes its 30 percent cut of all sales. By leveraging its monopoly platform power into a "gatekeeper role" for the store, Valve "wield[s] extreme power over publishers of PC Desktop Games" that leads to a "small but significant and non-transitory increase in price" for developers compared to a truly competitive market, the suit argues.

The suit includes a laundry list of competitors that have tried to create their own platforms to take on Steam's monopoly, including CD Projekt Red, EA, Microsoft, Amazon, and Epic (not to mention "pure distributors" with platform-free stores like GameStop, Green Man Gaming, Impulse, and Direct2Drive). But the lawsuit argues that Steam's lock-in effects mean none of these stores have been able to make much of a dent in Valve's monopoly position, despite plenty of well-funded attempts. Even the Epic Games Store, which has spent hundreds of millions of dollars securing exclusives and free game giveaways, has a market share of only "a little above 2 percent," according to one cited analysis (in an interview last June, Epic's Tim Sweeney estimated a more robust 15 percent market share for EGS).

"The failure of these companies to meaningfully compete against the Steam Gaming Platform shows it is virtually impossible as an economic matter to compete against the Steam Gaming Platform," the suit argues. "The Steam Gaming Platform has well-cemented dominance in the PC Desktop Gaming Platform Market, and given its unique and strong network effects, that is unlikely to change." The only meaningful way to avoid [Valve's] anticompetitive measures, the suit argues, is "to avoid using the Steam Gaming Platform at all." But Valve's monopoly position means that "there are no economically viable alternatives to the Steam Gaming Platform" for most PC games. While the suit acknowledges a few counterexamples (Riot's League of Legends is cited by name), such titles "typically require a long history of recognition and success before they can attempt to thrive without the Steam Gaming Platform," the suit says.

Security

Click Studios Asks Customers To Stop Tweeting About Its Passwordstate Data Breach (techcrunch.com) 14

Australian security software house Click Studios has told customers not to post emails sent by the company about its data breach, in which attackers pushed a malicious update to its flagship enterprise password manager Passwordstate in order to steal customer passwords. TechCrunch reports: Last week, the company told customers to "commence resetting all passwords" stored in its flagship password manager after the hackers pushed the malicious update to customers over a 28-hour window between April 20-22. The malicious update was designed to contact the attackers' servers and retrieve a second-stage payload that harvested the password manager's contents and sent them back to the attackers. In an email to customers, Click Studios did not say how the attackers compromised the password manager's update feature, but included a link to a security fix.

But news of the breach only became public after Danish cybersecurity firm CSIS Group published a blog post with details of the attack hours after Click Studios emailed its customers. Click Studios claims Passwordstate is used by "more than 29,000 customers," including in the Fortune 500, government, banking, defense and aerospace, and most major industries.

In an update on its website, Click Studios said in a Wednesday advisory that customers are "requested not to post Click Studios correspondence on Social Media." The email adds: "It is expected that the bad actor is actively monitoring Social Media, looking for information they can use to their advantage, for related attacks." "It is expected the bad actor is actively monitoring social media for information on the compromise and exploit. It is important customers do not post information on Social Media that can be used by the bad actor. This has happened with phishing emails being sent that replicate Click Studios email content," the company said.
The report says Click Studios has remained extremely tightlipped about the situation. The company has refused to comment or respond to questions; it's also unclear if the company has disclosed the breach to U.S. and EU authorities, which require companies to disclose data breach incidents or face hefty fines.
Robotics

New York Returns Its Police 'Robodog' After a Public Outcry (wired.com) 102

The New York Police Department said this week that it will stop using the "Digidog," a four-legged robot occasionally deployed for recon in dangerous situations. NYPD officials confirmed in a statement it had terminated its contract and will return the dog to vendor Boston Dynamics. Last December, the agency leased the Digidog, nicknamed Spot, for $94,000. From a report: John Miller, the police department's deputy commissioner for intelligence and counterterrorism, told The New York Times that the contract was "a casualty of politics, bad information, and cheap sound bites." Miller bemoaned the role of bad press in the backlash, but in many ways the NYPD's own actions were a blueprint for how not to introduce new tech. And, for activists, how to effectively agitate for banning unwanted technologies.

In truth, it wasn't just sound bites that doomed Spot. New Yorkers didn't want it. In February, the NYPD used Spot to defuse a hostage situation in the Bronx. When video of the device went viral, its flexible legs and camera-for-a-head design spooked people. The robot is quadrupedal but doesn't actually look like a dog. A more immediate comparison is the armed robots featured in a postapocalyptic episode of Black Mirror. This comparison spread rapidly on social media. The NYPD's secrecy worked against it: There was no public comment process for Spot, and residents hadn't known to expect to see robot-dogs respond to hostage situations. The NYPD had exactly this opportunity, months earlier, when it had to disclose both the price and governing policies for all surveillance devices as defined by the city's Public Oversight of Surveillance Technology (POST) Act. Instead, the agency included a passing reference to Spot in a larger section on "situational awareness cameras," with no images.

Facebook

Oculus Will Sell You a Quest 2 Headset That Doesn't Need Facebook For An Extra $500 (pcgamer.com) 101

An anonymous reader quotes a report from PC Gamer: The Oculus Quest 2 is a hell of a lot of hardware for $299. In fact, we're convinced that Facebook is making a loss on each unit sold. Even so, that pricing is one of the main reasons it's the most popular headset on Steam and our pick as the best VR headset. Well, that and the ease of use. [...] The thing is, that price seems too good to be true, with no other manufacturer's VR headset close to the specs list of the Quest 2 -- in either tethered or standalone form -- hitting the same low, low price. That money gets you a robust virtual reality headset with 6GB of RAM, a Qualcomm Snapdragon XR2 CPU, 64GB of storage, 1832x1920 per eye display and a pair of controllers. [...]

But there's one factor that could potentially offset that price -- Facebook has access to a whole lot of your data. This is something the Oculus Quest 2 is upfront about: You absolutely need a Facebook account in order to use the device and it does have its data collection policies in black and white. Although what isn't quite so obvious is how much your data is worth to Facebook. At least it isn't without a tiny bit of digging.

There is another version of the Quest 2 that isn't as discounted as the consumer version, and that's the one aimed at businesses. The actual hardware is identical, but the difference is you don't need to log in with a Facebook account in order to use it. The price for this model? $799. There's also an annual fee of $180 that kicks in a year after purchase, which covers Oculus' business services and support, but that just muddies the waters a little. The point being, the Quest 2 for business, the headset from which Facebook can't access your data directly, costs $500 more. So that's looking essentially like the value the social media giant attributes to your data, which either seems like a lot or barely anything at all, depending on your stance.
The Supplemental Oculus Data Policy outlines what sort of data is actually being collected when you use the Quest 2. Such things as your physical dimension, including your hand size, how big your play area is using the Oculus Guardian system, data on any content you create using the Quest 2, as well as more obvious stuff like your device ID and IP address.
Security

US Government Probes VPN Hack Within Federal Agencies, Races To Find Clues (reuters.com) 12

For at least the third time since the beginning of this year, the U.S. government is investigating a hack against federal agencies that began during the Trump administration but was only recently discovered, according to senior U.S. officials and private sector cyber defenders. Reuters reports: The new government breaches involve a popular virtual private network (VPN) known as Pulse Connect Secure, which hackers were able to break into as customers used it. More than a dozen federal agencies run Pulse Secure on their networks, according to public contract records. An emergency cybersecurity directive last week demanded that agencies scan their systems for related compromises and report back.

The results, collected on Friday and analyzed this week, show evidence of potential breaches in at least five federal civilian agencies, said Matt Hartman, a senior official with the U.S. Cybersecurity and Infrastructure Security Agency. "This is a combination of traditional espionage with some element of economic theft," said one cybersecurity consultant familiar with the matter. "We've already confirmed data exfiltration across numerous environments." The maker of Pulse Secure, Utah-based software company Ivanti, said it expected to provide a patch to fix the problem by this Monday, two weeks after it was first publicized. Only a "very limited number of customer systems" had been penetrated, it added.

Over the last two months, CISA and the FBI have been working with Pulse Secure and victims of the hack to kick out the intruders and uncover other evidence, said another senior U.S. official who declined to be named but is responding to the hacks. The FBI, Justice Department and National Security Agency declined to comment. The U.S. government's investigation into the Pulse Secure activity is still in its early stages, said the senior U.S. official, who added the scope, impact and attribution remain unclear. Security researchers at U.S. cybersecurity firm FireEye and another firm, which declined to be named, say they've watched multiple hacking groups, including an elite team they associate with China, exploiting the new flaw and several others like it since 2019.

Bitcoin

The IRS Wants Help Hacking Cryptocurrency Hardware Wallets (vice.com) 65

An anonymous reader quotes a report from Motherboard: The IRS is looking for help to break into cryptocurrency hardware wallets, according to a document posted on the agency website in March of this year. Many cryptocurrency investors store their cryptographic keys, which confer ownership of their funds, with the exchange they use to transact or on a personal device. Some folks, however, want a little more security and use hardware wallets -- small physical drives which store a user's keys securely, unconnected to the internet. The law enforcement arm of the tax agency, IRS Criminal Investigation, and more specifically its Digital Forensic Unit, is now asking contractors to come up with solutions to hack into cryptowallets that could be of interest in investigations, the document states.

"The decentralization and anonymity provided by cryptocurrencies has fostered an environment for the storage and exchange of something of value, outside of the traditional purview of law enforcement and regulatory organizations," the document reads. "There is a portion of this cryptographic puzzle that continues to elude organizations -- millions, perhaps even billions of dollars, exist within cryptowallets." The security of hardware wallets presents a problem for investigators. The document states that agencies may be in possession of a hardware wallet as part of a case, but may not be able to access it if the suspect does not comply. This means that authorities cannot effectively "investigate the movement of currencies" and it may "prevent the forfeiture and recovery" of the funds. "The explicit outcome of this contract is to tame the cybersecurity research into measured, repeatable, consistent digital forensics processes that can be trained and followed in a digital forensics' laboratory," the document says.

Privacy

Experian API Exposed Credit Scores of Most Americans (krebsonsecurity.com) 44

tsu doh nimh writes: Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau. Bill Demirkapi, an independent security researcher who's currently a sophomore at the Rochester Institute of Technology, said he discovered the data exposure while shopping around for student loan vendors online.

Demirkapi encountered one lender's site that offered to check his loan eligibility by entering his name, address and date of birth. Peering at the code behind this lookup page, he was able to see it invoked an Experian Application Programming Interface or API -- a capability that allows lenders to automate queries for FICO credit scores from the credit bureau. "No one should be able to perform an Experian credit check with only publicly available information," Demirkapi said. "Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian's system." Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the "date of birth" field let him then pull a person's credit score. He even built a handy command-line tool to automate the lookups, which he dubbed "Bill's Cool Credit Score Lookup Utility."
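The two defects the report describes on the lender side, a lookup reachable without any lender credential and a "date of birth" field that accepted all zeros, are both ordinary server-side validation failures. The following is an added illustration of the checks a lender's prequalification endpoint would apply before forwarding a query to a credit bureau; it is example code written for this page, not Experian's API or the lender's code, and the `PrequalRequest` fields, the `VALID_PARTNER_TOKENS` set and the constructed token value are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class PrequalRequest:
    """Fields a lender's eligibility form submits (assumed shape, not a real API)."""
    name: str
    address: str
    dob: str            # submitted as YYYY-MM-DD
    ssn_last4: str      # non-public identifier the report says should be mandatory
    partner_token: str  # credential proving the call comes from an enrolled lender


# Constructed credential store; a real deployment would check a signed token.
VALID_PARTNER_TOKENS = {"partner-token-CONSTRUCTED"}

# Fixed reference date so the age check is reproducible in this example.
EXAMPLE_TODAY = date(2021, 4, 28)


def validate_dob(dob: str, today: Optional[date] = None) -> bool:
    """Accept only a real calendar date that yields a plausible adult age.

    A placeholder such as 0000-00-00 fails because date(0, 0, 0) is not
    constructible, so it never reaches the bureau lookup.
    """
    today = today or date.today()
    try:
        year, month, day = (int(part) for part in dob.split("-"))
        parsed = date(year, month, day)
    except (ValueError, TypeError):
        return False
    age = today.year - parsed.year - (
        (today.month, today.day) < (parsed.month, parsed.day)
    )
    return 18 <= age <= 120


def validate_request(req: PrequalRequest, today: Optional[date] = None) -> List[str]:
    """Return the list of reasons to reject the request; empty means forward it."""
    problems = []
    # Authentication first: a query with no lender credential is refused outright.
    if req.partner_token not in VALID_PARTNER_TOKENS:
        problems.append("unauthenticated")
    # The date of birth must be a real date, not a placeholder.
    if not validate_dob(req.dob, today):
        problems.append("bad_dob")
    # Require a non-public identifier so name and address alone are not enough.
    if not (len(req.ssn_last4) == 4 and req.ssn_last4.isdigit()):
        problems.append("missing_nonpublic")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the placeholder-DOB, credential-less request is rejected
    # for three reasons; a well-formed request from an enrolled lender passes.
    bad = PrequalRequest("Jane Doe", "1 Main St", "0000-00-00", "", "")
    good = PrequalRequest("Jane Doe", "1 Main St", "1990-05-17", "1234",
                          "partner-token-CONSTRUCTED")
    print(validate_request(bad, EXAMPLE_TODAY))
    print(validate_request(good, EXAMPLE_TODAY))
```

The order matters: the credential check runs before any field is examined, so an unauthenticated caller learns nothing about which identifiers the system considers valid, and the bureau query is never issued for a request that fails any check.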

The Courts

US Court Says 'Ghost Gun' Plans Can Be Posted Online (apnews.com) 287

Plans for 3D-printed, self-assembled "ghost guns" can be posted online without U.S. State Department approval, a federal appeals court ruled Tuesday. From a report: A divided panel of the 9th U.S. Circuit Court of Appeals in San Francisco reinstated a Trump administration order that permitted removal of the guns from the State Department's Munitions List. Listed weapons need State Department approval for export. In 2015, federal courts applied the requirement to weapons posted online and intended for production on 3D printers, the San Francisco Chronicle reported. However, three years later the State Department under then-President Donald Trump settled a lawsuit by a 3D gun company and ordered their removal.

California, 21 other states and the District of Columbia sued and a federal judge in Seattle issued an injunction last year, saying that posting the designs without restrictions could put unregistered weapons into the hands of terrorists. In overturning the injunction, the appellate panel found 2-1 that a 1989 federal law prohibits courts from overruling the State Department's decision to add or remove a weapon from the Munitions List, the Chronicle reported.
