Security

Messenger Billed as Better Than Signal is Riddled With Vulnerabilities (arstechnica.com)

Academic researchers have discovered serious vulnerabilities in the core of Threema, an instant messenger that its Switzerland-based developer says provides a level of security and privacy "no other chat service" can offer. From a report: Despite the unusually strong claims and two independent security audits Threema has received, the researchers said the flaws completely undermine assurances of confidentiality and authentication that are the cornerstone of any program sold as providing end-to-end encryption, typically abbreviated as E2EE. Threema has more than 10 million users, which include the Swiss government, the Swiss army, German Chancellor Olaf Scholz, and other politicians in that country. Threema developers advertise it as a more secure alternative to Meta's WhatsApp messenger. It's among the top Android apps for a fee-based category in Switzerland, Germany, Austria, Canada, and Australia. The app uses a custom-designed encryption protocol in contravention of established cryptographic norms.

Researchers from the Zurich-based ETH research university reported on Monday that they found seven vulnerabilities in Threema that seriously call into question the true level of security the app has offered over the years. Two of the vulnerabilities require no special access to a Threema server or app to cryptographically impersonate a user. Three vulnerabilities require an attacker to gain access to a Threema server. The remaining two can be exploited when an attacker gains access to an unlocked phone, such as at a border crossing. "In totality, our attacks seriously undermine Threema's security claims," the researchers wrote. "All the attacks can be mitigated, but in some cases, a major redesign is needed."

Privacy

Iran Says Face Recognition Will ID Women Breaking Hijab Laws (wired.com)

An anonymous reader quotes a report from Wired: Last month, a young woman went to work at Sarzamineh Shadi, or Land of Happiness, an indoor amusement park east of Iran's capital, Tehran. After a photo of her without a hijab circulated on social media, the amusement park was closed, according to multiple accounts in Iranian media. Prosecutors in Tehran have reportedly opened an investigation. Shuttering a business to force compliance with Iran's strict laws for women's dress is a familiar tactic to Shaparak Shajarizadeh. She stopped wearing a hijab in 2017 because she views it as a symbol of government suppression, and recalls restaurant owners, fearful of authorities, pressuring her to cover her head. But Shajarizadeh, who fled to Canada in 2018 after three arrests for flouting hijab law, worries that women like the amusement park worker may now be targeted with face recognition algorithms as well as by conventional police work.

After Iranian lawmakers suggested last year that face recognition should be used to police hijab law, the head of an Iranian government agency that enforces morality law said in a September interview that the technology would be used "to identify inappropriate and unusual movements," including "failure to observe hijab laws." Individuals could be identified by checking faces against a national identity database to levy fines and make arrests, he said. Two weeks later, a 22-year-old Kurdish woman named Jina Mahsa Amini died after being taken into custody by Iran's morality police for not wearing a hijab tightly enough. Her death sparked historic protests against women's dress rules, resulting in an estimated 19,000 arrests and more than 500 deaths. Shajarizadeh and others monitoring the ongoing outcry have noticed that some people involved in the protests are confronted by police days after an alleged incident -- including women cited for not wearing a hijab. "Many people haven't been arrested in the streets," she says. "They were arrested at their homes one or two days later."

Although there are other ways women could have been identified, Shajarizadeh and others fear that the pattern indicates face recognition is already in use -- perhaps the first known instance of a government using face recognition to impose dress law on women based on religious belief. Mahsa Alimardani, who researches freedom of expression in Iran at the University of Oxford, has recently heard reports of women in Iran receiving citations in the mail for hijab law violations despite not having had an interaction with a law enforcement officer. Iran's government has spent years building a digital surveillance apparatus, Alimardani says. The country's national identity database, built in 2015, includes biometric data like face scans and is used for national ID cards and to identify people considered dissidents by authorities.

Social Networks

Many People Aren't Sticking Around Mastodon (theguardian.com)

The number of active users on the Mastodon social network has dropped more than 30% since the peak and is continuing a slow decline, according to the latest data posted on its website. There were about 1.8 million active users in the first week of January, down from over 2.5 million in early December. The Guardian reports: Mastodon, an open-source network of largely independently hosted servers, has often been touted as an alternative to Twitter. And its growth appears connected to controversies at Twitter. But for many it doesn't fulfill the role that Twitter did and experts say it may be too complicated to really replace it. [...]

There were about 500,000 active Mastodon users before Elon Musk took control of Twitter at the end of October. By mid-November, that number climbed to almost 2 million active users. [...] The surge in new Mastodon users continued throughout November, peaking at over 130,000 new users a day. The upticks often coincided with controversial decisions made by Elon Musk. Data from Google suggests there was also a surge in searches for Mastodon in April 2022, around the time Musk announced he had become Twitter's largest shareholder.

"Twitter, in its most basic form is simple," Meg Coffey, a social media strategist, said. "You can open up an app or open up a website, type some words, and you're done. I mean, it was [a] basic SMS platform." For many, Mastodon may have proved too hard to port over their communities and was just too complicated. Some may have gone back to Twitter, while others, said Coffey, may have dropped social media entirely. "Everybody went and signed up [on Mastodon] and realized how hard it was, and then got back on Twitter and were like, 'Oh, that's, that's hard. Maybe we won't go there,'" she said.
"It's like the people that said 'I'm moving to Canada' when Donald Trump was elected," Coffey added. "They never actually moved to Canada."

Earth

Half of Glaciers Will Be Gone By 2100 Even Under Paris 1.5C Accord, Study Finds (theguardian.com)

Half the planet's glaciers will have melted by 2100 even if humanity sticks to goals set out in the Paris climate agreement, according to research that finds the scale and impacts of glacial loss are greater than previously thought. At least half of that loss will happen in the next 30 years. From a report: Researchers found 49% of glaciers would disappear under the most optimistic scenario of 1.5C of warming. However, if global heating continued under the current scenario of 2.7C of warming, losses would be more significant, with 68% of glaciers disappearing, according to the paper, published in Science. There would be almost no glaciers left in central Europe, western Canada and the US by the end of the next century if this happened.

This will significantly contribute to sea level rise, threaten the supply of water of up to 2 billion people, and increase the risk of natural hazards such as flooding. The study looked at all glacial land ice except for Greenland and Antarctic ice sheets. If temperature increases are limited to 1.5C of warming, average sea levels would increase by 90mm (3.5in) from 2015 to 2100, but with 2.7C of warming, glacial melt would lead to around 115mm of sea level rise. These scenarios are up to 23% more than previous models had estimated.

United States

US Approves World's First Vaccine For Declining Honey Bees (bbc.com)

The US has approved use of the world's first vaccine for honey bees. The BBC reports: The US Department of Agriculture (USDA) approved a conditional license for the vaccine this week, according to the biotech firm behind its development. It was engineered to prevent fatalities from American foulbrood disease, a bacterial condition known to weaken colonies by attacking bee larvae. [...] American foulbrood disease poses a challenge for beekeepers as it is highly contagious and has no cure. The only treatment method requires burning the colony of infected bees along with the hives and equipment and treating nearby colonies with antibiotics.

The new vaccine contains an inactive version of the bacteria that causes American foulbrood disease, Paenibacillus larvae, according to Dalan Animal Health. The bacteria are incorporated into royal jelly feed given by worker bees to the queen bee, which then ingests the feed and keeps some of the vaccine in her ovaries, according to the biotech firm, which specializes in insect health and immunology. It says this gives bee larvae immunity to the disease as they hatch and reduces death from the illness. [...] Dalan plans to distribute the vaccine "on a limited basis" to commercial beekeepers and said the product would probably be available for purchase in the US this year.

Communications

Qualcomm's Going Toe-To-Toe With Apple's Satellite Messaging Feature (theverge.com)

Qualcomm has announced that its new processors and modems will allow phones to communicate with the Iridium satellite network, letting users send and receive messages even in areas without cell coverage. The Verge reports: The feature, called Snapdragon Satellite, will be available in phones that have both Qualcomm's Snapdragon 8 Gen 2 processor and its X70 Modem system, along with some additional radios. Phones that support it should be "launched in select regions starting in the second half of 2023," according to the company's press release, and there are several manufacturers working on designs, according to Francesco Grilli, a Qualcomm spokesperson who helped conduct a briefing for journalists. For now, the feature will likely only be available in flagship Android phones, as Qualcomm's only including the tech in its premium chips. Companies that want to add it to their phones will work directly with Qualcomm to figure out the software and hardware, but they shouldn't have to build new relationships with Iridium, according to Grilli. To the satellites, phones with the tech will look like any other Iridium-enabled devices. As for who will pay for the messages, "the cost of the satellite-based messaging service and dependent services will depend on OEMs and service providers and how they choose to offer the service," according to Grilli.

At first, Snapdragon Satellite will be limited to use in emergency situations, letting you contact someone for help even if you're in a remote area without cell service. According to Grilli, "Snapdragon Satellite leverages Garmin Response." When you send an SOS, "response coordinators immediately see the customer's Latitude/Longitude in their proprietary mapping and response coordination software to determine the appropriate agency to coordinate the rescue." Qualcomm says that, eventually, it'll support "premium messaging," which will likely cost extra and will have to be implemented by OEMs, cell carriers, or other over-the-top service providers. So far, this isn't something Apple offers; you can only send texts via satellite using its SOS feature.

While Qualcomm says the emergency service will be free or very cheap, it hasn't provided details yet on how much it'll cost you if you just want to be able to text your friends from remote areas, like a hiking trail, ski lift, or even a boat in the middle of the ocean. Once that service becomes available, however, Qualcomm says you'll be able to use it with your regular phone number. (That likely won't be the case for emergency use, but it matters less there.) [...] While details are sparse on what it'll be like to actually send and receive satellite messages, it sounds like the experience will be similar to Apple's in that you'll have to follow instructions on your phone to point it toward a satellite. According to Grilli, your phone will be able to predict where Iridium's satellites are months in advance thanks to the way its constellation orbits the Earth. When you go to connect to one, it'll use GPS and other measurements to determine where you need to be facing...

Technology

Iranian Attack Drone Found To Contain Parts From More Than a Dozen US Firms (cnn.com)

Parts made by more than a dozen US and Western companies were found inside a single Iranian drone downed in Ukraine last fall, according to a Ukrainian intelligence assessment obtained exclusively by CNN. From the report: The assessment, which was shared with US government officials late last year, illustrates the extent of the problem facing the Biden administration, which has vowed to shut down Iran's production of drones that Russia is launching by the hundreds into Ukraine. CNN reported last month that the White House has created an administration-wide task force to investigate how US and Western-made technology -- ranging from smaller equipment like semiconductors and GPS modules to larger parts like engines -- has ended up in Iranian drones.

Of the 52 components Ukrainians removed from the Iranian Shahed-136 drone, 40 appear to have been manufactured by 13 different American companies, according to the assessment. The remaining 12 components were manufactured by companies in Canada, Switzerland, Japan, Taiwan, and China, according to the assessment. The options for combating the issue are limited. The US has for years imposed tough export control restrictions and sanctions to prevent Iran from obtaining high-end materials. Now US officials are looking at enhanced enforcement of those sanctions, encouraging companies to better monitor their own supply chains and, perhaps most importantly, trying to identify the third-party distributors taking these products and re-selling them to bad actors.

Canada

Toronto-Waterloo Tech Workforce Expected To Surpass Silicon Valley In 2023 (therecord.com)

Thanks in part to Canada's immigration policies, the tech sector in the Toronto Waterloo Corridor will soon have more workers than the San Francisco Bay area. The Record reports: During 2021, the San Francisco Bay area added 14,000 jobs, increasing total tech employment there to 378,870. During 2021, the Toronto Waterloo Corridor added 88,000 jobs, increasing total tech employment to 313,700. "We are on a tear," said Chris Albinson, the chief executive officer at Communitech. "Canada admitted 400,000 newcomers during the last 12 months, half of them with STEM degrees."

"We are growing 350 per cent faster than Silicon Valley, and sometime in early 2023 there will be more tech workers in the Waterloo Toronto corridor," said Albinson. Communitech will announce a new strategy in mid-January, backed by the federal government, that will help push the size of the tech workforce in the corridor ahead of the Silicon Valley, he added.

Christmas Cheer

NORAD Answers Questions About Their Annual Santa-Tracking Operation (noradsanta.org)

The North American Aerospace Defense Command is a US/Canada organization protecting the air sovereignty of the two nations.

But every year on December 24th, they also tell you where Santa is. From NORADSanta.org: The modern tradition of tracking Santa began in 1955 when a young child accidentally dialed the unlisted phone number of the Continental Air Defense Command Operations Center upon seeing a newspaper advertisement telling kids to call Santa. The Director of Operations, Colonel Harry Shoup, answered the phone and instructed his staff to check the radar for indications of Santa making his way south from the North Pole.... Each year since, NORAD has dutifully reported Santa's location on Dec. 24 to millions of children and families across the globe. NORAD receives calls from around the world on Dec. 24 asking for Santa's location. Children, families and fans also keep track of Santa's location on the NORAD Tracks Santa® website and our social media platforms.
The page lists the NORAD technologies involved in tracking Santa — including 47 radar installations and geo-synchronous satellites with infrared heat sensors. ("Rudolph's nose gives off an infrared signature similar to a missile launch...")

And this year NORAD also produced a special video highlighting the various military fleets protecting Santa. ("He may know when you're sleeping, he may know when you're awake... " it tells viewers. "But for 67 years now, when he takes flight, we'll know.")

More from NORADSanta.org: Canadian NORAD fighter pilots, flying the CF-18, take off out of Newfoundland and welcome Santa to North America. Then at numerous locations in Canada other CF-18 fighter pilots escort Santa. While in the United States, American NORAD fighter pilots in either the F-15s, F16s or F-22s get the thrill of flying with Santa and the famous Reindeer...

Q: How can Santa travel the world within 24 hours?

A: NORAD intelligence reports indicate that Santa does not experience time the way we do. His trip seems to take 24 hours to us, but to Santa it might last days, weeks or even months. Santa would not want to rush the important job of delivering presents to children and spreading joy to everyone, so the only logical conclusion is that Santa somehow functions within his own time-space continuum....

Q: How does Santa get down chimneys?

A: Although NORAD has different hypotheses and theories as to how Santa actually gets down the chimneys, we don't have definitive information to explain the magical phenomenon.

Q: Do your planes ever intercept Santa?

A: Over the past 65 years, our fighter jets (F-16s, F-15s, F-22s and CF-18s) have intercepted Santa many, many times. When the jets intercept Santa, they tip their wings to say, "Hello Santa! NORAD is tracking you again this year!" Santa always waves. He loves to see the pilots...!

Q: How many people support this effort, and are they active duty military personnel?

A: More than 1,250 Canadian and American uniformed personnel and DOD civilians volunteer their time on December 24th to answer the thousands of phone calls and emails that flood in from around the world. In addition to the support provided by our corporate contributors to make this program possible, NORAD has two lead project officers who manage the program.

Q: How much money is spent on this project?

A: The NORAD Tracks Santa program is made possible by volunteers and through the generous support of corporate licensees who bear virtually all of the costs.

Corporate contributors include Microsoft (with separate contributions from Microsoft's search engine Bing and from Microsoft Azure), AWS (and Amazon's Alexa), Verizon, and HP.

NORADSanta.org also boasts extra features like an "arcade" of online games, a jukebox of Christmas tunes, and a library of online books about Santa. And the site even provides some technical data on the weight of Santa's sleigh — although the unit of measurement used is gumdrops.

EU

EU Opens Antitrust Probe Into Broadcom's $61 Billion VMware Bid (reuters.com)

An anonymous reader quotes a report from Reuters: European antitrust regulators have opened an in-depth investigation into U.S. chipmaker Broadcom's proposed $61 billion bid for cloud computing company VMware, the European Commission said on Tuesday. "The Commission is particularly concerned that the transaction would allow Broadcom to restrict competition in the market for certain hardware components which interoperate with VMware's software," the Commission said in a statement.

The Commission said its preliminary investigation indicates the transaction may allow Broadcom to restrict competition for the supply of certain components by degrading interoperability between VMware software and competitors' hardware to the benefit of its own hardware. This and other factors could lead to higher prices, lower quality and less innovation for business customers, and ultimately consumers, the Commission said. The Commission now has 90 working days, until May 11, 2023, to take a decision. Broadcom on Tuesday reiterated that it continued to expect the transaction would close in its fiscal year 2023, adding it would continue to work with the European Commission.

It said it was making progress with regulatory filings around the world, having received legal merger clearance in Brazil, South Africa, and Canada and foreign investment control clearance in Germany, France, Austria, and Italy. "The combination of Broadcom and VMware is about enabling enterprises to accelerate innovation and expand choice by addressing their most complex technology challenges in this multi-cloud era, and we are confident that regulators will see this when they conclude their review," it said in a statement. The proposed acquisition underlines Broadcom's ambition to diversify into enterprise software, but comes as regulators worldwide ramp up scrutiny of deals by Big Tech.

The Almighty Buck

Bitcoin Addresses Tied To Defunct Canadian Crypto Exchange QuadrigaCX Wake Up (coindesk.com)

More than 100 bitcoins tied to the defunct Canadian crypto exchange QuadrigaCX were transferred out of cold wallets thought to be beyond anyone's control over the weekend, after sitting dormant for more than three years. From a report: The company's bankruptcy trustee, Ernst and Young, did not initiate the transfers, CoinDesk has learned. QuadrigaCX went bankrupt in 2019 after the apparent death of founder and CEO Gerald Cotten. At the time of its collapse, Quadriga was believed to have owed thousands of customers nearly $200 million in various cryptocurrencies -- a staggering failure for what was once Canada's largest crypto exchange.

EY, which is acting as the trustee for Quadriga's estate, announced in February 2019 that it lost control of about 100 BTC after mistakenly sending the coins to Quadriga-operated cold wallets that the Big Four financial services firm said it couldn't access. At the time, the bitcoin was worth around $355,000 (C$470,000).

Bitcoin

Binance's Books Are a Black Box, Filings Show, As It Tries To Rally Confidence (reuters.com)

The world's biggest crypto exchange, Binance, is battling to shore up confidence after a surge in customer withdrawals and a steep drop in the value of its digital token. Reuters reports: The exchange said it dealt with net outflows of around $6 billion over 72 hours last week "without breaking stride" because its finances are solid and "we take our responsibility as a custodian seriously." After the collapse of rival exchange FTX last month, Binance's founder Changpeng Zhao promised his company would "lead by example" in embracing transparency. Yet a Reuters analysis of Binance's corporate filings shows that the core of the business -- the giant Binance.com exchange that has processed trades worth over $22 trillion this year -- remains mostly hidden from public view.

Binance declines to say where Binance.com is based. It doesn't disclose basic financial information such as revenue, profit and cash reserves. The company has its own crypto coin, but doesn't reveal what role it plays on its balance sheet. It lends customers money against their crypto assets and lets them trade on margin, with borrowed funds. But it doesn't detail how big those bets are, how exposed Binance is to that risk, or the full extent of its reserves to finance withdrawals. Binance is not required to publish detailed financial statements because it is not a public company, unlike U.S. rival Coinbase, which is listed on the Nasdaq. Nor has Binance raised outside capital since 2018, industry data show, which means it hasn't had to share financial information with external investors since then.

In an effort to look inside Binance's books, Reuters reviewed filings by Binance units in 14 jurisdictions where the exchange on its website says it has "regulatory licenses, registrations, authorisations and approvals." These locations include several European Union states, Dubai and Canada. Zhao has described the authorisations as milestones in Binance's "journey to being fully licensed and regulated around the world." The filings show that these units appear to have submitted scant information about Binance's business to authorities. The public filings do not show, for example, how much money flows between the units and the main Binance.com exchange. The Reuters analysis also found that several of the units appear to have little activity. Former regulators and ex-Binance executives say these local businesses serve as window dressing for the main unregulated exchange.

Binance Chief Strategy Officer Patrick Hillmann said the Reuters analysis of the units' filings in the 14 jurisdictions was "categorically false."

Binance's Hillmann did not comment on the Reuters estimates. "The vast majority of our revenue is made on transaction fees," he said, adding that the exchange has been able to "accumulate large corporate reserves" by keeping expenses down. Binance's "capital structure is debt free" and the company keeps its money made from fees separate from the assets it buys and holds for users, Hillmann said.

Further reading: Binance US To Buy Bankrupt Voyager Digital's Assets for $1 Billion

Bitcoin

How Scammers Took a Winnipeg Town For $430K Using Bitcoin (www.cbc.ca)

Slashdot reader lowvisioncomputing shares a story from the CBC about an elaborate heist discovered "when the chief administrative officer of a southwestern Manitoba rural municipality [population: 3,300] noticed the series of unusual cash withdrawals from its bank account...." It began with a job advertisement. A seemingly legitimate company, with a professional website and a Nova Scotia address, claimed it was looking for cash processors. The contract was for one month. Employees could work from home.

They were told they would receive payments to their credit cards, which they would be expected to move to their bank accounts. They would then withdraw the payments, convert them into bitcoin, and send that to another account.... The majority of the 18 people hired were young and lived in various communities across the country.... Anyone who did an internet search for the company would find a professional website, with information matching what was provided in the employment agreement.

In early December 2019, the cybercriminals sent a phishing email to multiple people at the municipal office of WestLake-Gladstone, a municipality about 150 kilometres west of Winnipeg, on the southwestern shore of Lake Manitoba. At least one person clicked on the link, which allowed the hackers to get into the municipality's computers and bank accounts. But weeks went by and nothing happened, so the municipality didn't report it to the police. It was only after the money disappeared that the municipality discovered the two incidents were connected, said Kate Halashewski, who at the time was the assistant chief administrative officer for the Municipality of WestLake-Gladstone....

Court documents say that on Dec. 19, 2019, a person logged into the municipality's bank account and changed the password, along with the personal verification questions. Over the next 17 days, the cyberattackers added the 18 "employees" hired as payees and began systematically making withdrawals, transferring the money to the employees' credit cards. Dozens of withdrawals were made, totalling $472,377, according to court documents — a considerable amount for a municipality with an entire annual budget of $7 million.

Those withdrawals weren't discovered until Jan. 6, when Halashewski saw 48 bank transfers — each less than $10,000 — going to unfamiliar accounts.... Once they'd completed the initial transfers and conversion, the bitcoin was then sent to the private account of the scammers — who cybersecurity experts say likely aren't in Canada....

The municipality finally announced it had lost nearly half a million dollars in an Oct. 12, 2020, news release.... No arrests have been made in connection with the WestLake-Gladstone cyberattack and RCMP say it is no longer under active investigation.

Google

Google Debuts OSV-Scanner, a Go Tool For Finding Security Holes in Open Source (theregister.com)

Google this week released OSV-Scanner -- an open source vulnerability scanner linked to the OSV.dev database that debuted last year. From a report: Written in the Go programming language, OSV-Scanner is designed to scan open source applications to assess the security of any incorporated dependencies -- software libraries that get added to projects to provide pre-built functions so developers don't have to recreate those functions on their own. Modern applications can have a lot of dependencies. For example, researchers from Mozilla and Concordia University in Canada recently created a single-page web application with the React framework using the create-react-app command. The result was a project with seven runtime dependencies and nine development dependencies.

But each of these direct dependencies had other dependencies, known as transitive dependencies. The react package includes loose-envify as a transitive dependency -- one that itself depends on other libraries. All told, this basic single-page "Hello world" app required a total of 1,764 dependencies. As Rex Pan, a software engineer on Google's Open Source Security Team, observed on Tuesday in a blog post, vetting thousands of dependencies isn't something developers can do on their own.

Patents

Apple Satellite Plans May Extend Beyond Emergencies, Suggests New Patent (9to5mac.com)

A new patent granted to Apple suggests the company could use satellite communications for more than just getting help in an emergency. 9to5Mac reports: Emergency SOS via Satellite was one of the headline features of September's Apple event -- so much so that the Far Out event name referenced it. The service launched in the US and Canada last month, and was yesterday extended to the UK, France, Germany, and Ireland. More countries will follow. A patent granted on the same day the service expanded to more countries suggests that Apple satellite plans may extend beyond text, and beyond emergency use.

Patently Apple spotted it: "Satellite communications data conveyed by transceivers #28 and antenna radiators #30 may include media data (e.g., streaming video, television data, satellite radio data, etc.), voice data (e.g., telephone voice data), internet data, and/or any other desired data." Apple has currently committed $450M to support the satellite communications feature, a reasonably sizeable amount of money even by Apple standards for a service that will be of use to a tiny fraction of iPhone owners. But if it's the start of something more, then the investment could look rather modest.

Crime

UK Arrests Five For Selling 'Dodgy' Point of Sale Software (theregister.com)

Tax authorities from Australia, Canada, France, the UK and the USA have conducted a joint probe into "electronic sales suppression software" -- applications that falsify point of sale data to help merchants avoid paying tax on their true revenue. From a report: A Friday announcement from the Joint Chiefs of Global Tax Enforcement (known as the J5), states that the probe "resulted in the arrest of five individuals in the United Kingdom who allegedly designed and sold electronic sales suppression systems internationally." Those responsible allegedly started to export their wares during the COVID-19 pandemic.

"These dodgy sales suppression tools allow retailers to keep a separate set of books and launder the money in one transaction," explained J5 chief and Australian Taxation Office deputy commissioner John Ford. "They conceal and transfer this income anonymously, sometimes offshore."

The Courts

Class-Action Alleging Fortnite Is Addictive Will Go Ahead, Judge Rules (www.cbc.ca) 144

"The CBC is reporting that a class action lawsuit against Epic Games over Fortnite being addictive to children will go ahead," writes Slashdot reader lowvisioncomputing. From the report: The suit was first brought to the courts in 2019 by three Quebec parents who claimed that Fortnite was designed to addict its users, many of them children, to the game. According to the original filing, the plaintiffs say their children exhibited troubling behaviors, including not sleeping, not eating, not showering and no longer socializing with their peers. According to the filing, one of the children was diagnosed with an addiction by an on-call doctor at a Quebec clinic, or CLSC, in the Lower St. Lawrence region. It also notes that the World Health Organization (WHO) recognized addictive gaming disorder as a disease in 2018.

Jean-Philippe Caron, one of the CaLex Legal lawyers working on the suit, said the case isn't unlike a 2015 Quebec Superior Court ruling that found tobacco companies didn't warn their customers about the dangers of smoking. "[The game] has design patterns that make sure to always encourage player engagement. You have to understand that children's prefrontal cortices are still developing so that could be part of the explanation for why this game is particularly harmful," he said. The class action will also discuss in-game purchases, namely cosmetic items -- known as skins -- and the game's Battle Pass system, which offers expanded rewards as players level up.

The children allegedly spent excessive amounts of money on V-Bucks -- an in-game currency users buy with real money -- which can be exchanged for skins or used to unlock the Battle Pass. One of the children reportedly spent over $6,000 on skins, while another spent $600 on V-Bucks -- items Superior Court Judge Sylvain Lussier described as "without any tangible value." That may run afoul of Article 1406 of Quebec's civil code, where "serious disproportion between the prestations of the parties" -- meaning, the obligation to provide something in turn -- "creates a presumption of exploitation."

Power

General Motors Installs the First of 40,000 New EV Chargers (arstechnica.com) 127

An anonymous reader quotes a report from Ars Technica: Electric vehicle drivers in Marshfield, Wisconsin, and Owosso, Michigan, are the first to benefit from General Motors' Dealer Community Charging Program. These deployments of new Level 2 (AC) chargers are the first in a planned rollout of 40,000 new plug-in points, which GM says will nearly double the number of public charging stations in the US and Canada. GM announced the program in October 2021 and since then has had almost 1,000 of its Chevrolet dealerships sign on to the initiative, which is designed to increase charger access in underserved, rural, and urban locations. GM will supply dealerships with up to ten 19.2 kW chargers to be installed around the communities they serve, and the chargers are available to any EV driver, not just those who drive electric models from GM.

Wheeler's Chevrolet in Wisconsin was the first dealership to sign on to the initiative and has installed chargers in two parks, a library, and a sports complex, among other locations in Marshfield. "We're excited to be the first dealership in the nation to have these chargers," said Mary Jo Wheeler-Schueller, owner of Wheelers Chevrolet GMC. "This will help put Marshfield on the map in terms of EV leadership. This is a great stop for commuters to check out our community and see all that Marshfield has to offer." Young Cadillac Chevrolet in Michigan followed and installed its first charger at a health care center in Owosso. GM says that the next installations should take place in Delaware, Georgia, Illinois, Indiana, Kansas, Ohio, and Washington in the coming months. Separately, GM has another program that, together with EVgo, is in the midst of installing 5,250 DC fast chargers by 2025, including 2,000 fast chargers at Pilot and Flying J travel centers.

Security

Samsung Galaxy S22 Hacked Again On Second Day of Pwn2Own (bleepingcomputer.com) 18

Contestants hacked the Samsung Galaxy S22 again during the second day of the consumer-focused Pwn2Own 2022 competition in Toronto, Canada. They also demoed exploits targeting zero-day vulnerabilities in routers, printers, smart speakers, and Network Attached Storage (NAS) devices from HP, NETGEAR, Synology, Sonos, TP-Link, Canon, Lexmark, and Western Digital. BleepingComputer reports: Security researchers representing the vulnerability research company Interrupt Labs were the ones to demonstrate a successful exploit against Samsung's flagship device on Wednesday. They executed an improper input validation attack and earned $25,000, 50% of the total cash award, because this was the third time the Galaxy S22 was hacked during the competition.

On the first day of Pwn2Own Toronto, the STAR Labs team and a contestant known as Chim demoed two other zero-day exploits as part of successful improper input validation attacks against the Galaxy S22. In all three cases, according to the contest rules, the devices ran the latest version of the Android operating system with all available updates installed.

The second day of Pwn2Own Toronto wrapped up with Trend Micro's Zero Day Initiative awarding $281,500 for 17 unique bugs across multiple categories. This brings the total for the first two days of Pwn2Own to $681,250 awarded for 46 unique zero-days, as ZDI's Head of Threat Awareness Dustin Childs revealed. The full schedule for Pwn2Own Toronto 2022's second day and the results for each challenge are available here. You can also find the complete schedule of the competition here.

Bitcoin

Canada's Biggest Pension Fund Ends Crypto Investment Pursuit (financialpost.com) 53

Canada's biggest pension fund, CPP Investments, has ended its nearly year-long effort of studying investment opportunities in the volatile crypto market, Reuters reported Wednesday, citing people familiar with the matter. From the report: The reasons behind CPPI's abandonment of crypto research were not immediately clear. CPPI declined to comment but said it has made no direct investments in crypto. It referred to previous comments on cryptocurrency by its CEO, John Graham, in which he sounded a note of caution. CPPI's Alpha Generation Lab, which examines emerging investment trends, had formed a three-member team in early 2021 to research cryptocurrencies and blockchain-related businesses, with a view to taking potential exposure, the people added.
