United States

US FAA Adopts New Safeguards After Computer Outage Halted Flights (reuters.com) 25

The Federal Aviation Administration (FAA) told lawmakers Monday it had made a series of changes to prevent a repeat of a key computer system outage that forced a nationwide Jan. 11 ground stop disrupting more than 11,000 flights. From a report: The FAA said it has implemented "a one-hour synchronization delay for one of the backup databases. This action will prevent data errors from immediately reaching that backup database." The FAA also said it "now requires at least two individuals to be present during the maintenance of the (messaging) system, including one federal manager."

Advertising

How to Handle Web Sites Asking for Your Email Address (seattletimes.com) 117

When you share your email, "you're sharing a lot more," warns the New York Times' lead consumer technology writer: [I]t can be linked to other data, including where you went to school, the make and model of the car you drive, and your ethnicity....

For many years, the digital ad industry has compiled a profile on you based on the sites you visit on the web.... An email could contain your first and last name, and assuming you've used it for some time, data brokers have already compiled a comprehensive profile on your interests based on your browsing activity. A website or an app can upload your email address into an ad broker's database to match your identity with a profile containing enough insights to serve you targeted ads.

The article recommends creating several email addresses to "make it hard for ad tech companies to compile a profile based on your email handle... Apple and Mozilla offer tools that automatically create email aliases for logging in to an app or a site; emails sent to the aliases are forwarded to your real email address." Apple's Hide My Email tool, which is part of its iCloud+ subscription service that costs 99 cents a month, will create aliases, but using it will make it more difficult to log in to the accounts from a non-Apple device. Mozilla's Firefox Relay will generate five email aliases at no cost; beyond that, the program charges 99 cents a month for additional aliases.

For sites using the UID 2.0 framework for ad targeting, you can opt out by entering your email address [or phone number] at https://transparentadvertising.org.

AI

What Happens When ChatGPT Can Find Bugs in Computer Code? (pcmag.com) 122

PC Magazine describes a startling discovery by computer science researchers from Johannes Gutenberg University and University College London.

"ChatGPT can weed out errors with sample code and fix it better than existing programs designed to do the same. Researchers gave 40 pieces of buggy code to four different code-fixing systems: ChatGPT, Codex, CoCoNut, and Standard APR. Essentially, they asked ChatGPT: "What's wrong with this code?" and then copy and pasted it into the chat function. On the first pass, ChatGPT performed about as well as the other systems. ChatGPT solved 19 problems, Codex solved 21, CoCoNut solved 19, and standard APR methods figured out seven. The researchers found its answers to be most similar to Codex, which was "not surprising, as ChatGPT and Codex are from the same family of language models."

However, the ability to, well, chat with ChatGPT after receiving the initial answer made the difference, ultimately leading to ChatGPT solving 31 questions, and easily outperforming the others, which provided more static answers. "A powerful advantage of ChatGPT is that we can interact with the system in a dialogue to specify a request in more detail," the researchers' report says. "We see that for most of our requests, ChatGPT asks for more information about the problem and the bug. By providing such hints to ChatGPT, its success rate can be further increased, fixing 31 out of 40 bugs, outperforming state-of-the-art...."

Companies that create bug-fixing software — and software engineers themselves — are taking note. However, an obvious barrier to tech companies adopting ChatGPT on a platform like Sentry in its current form is that it's a public database (the last place a company wants its engineers to send coveted intellectual property).

Bitcoin

California Announces DMV-Run Blockchain Through Partnership With Tezos (fortune.com) 63

An anonymous reader quotes a report from Fortune: The Department of Motor Vehicles has never been an agency that screams innovation. The agency is better known for bureaucracy and endless lines than technological transformation. But this may be changing after a collaboration between California's DMV and open-source blockchain Tezos and Oxhead Alpha, a crypto-focused software development firm. Together, the three partners are building a DMV-run blockchain that will not only digitize car titles for California drivers, but also seek to streamline title transfers between owners.

Ajay Gupta, the chief digital officer at the California DMV, said that the agency hopes to finalize its "shadow ledger," or a full replication of the state's title database on the blockchain, within the next three months before building consumer-facing applications, including digital wallets that hold car title NFTs. "The DMV's perception of lagging behind should definitely change," Gupta told Fortune in an exclusive interview. [...] Andrew Smith, the president of Oxhead Alpha, said that he was pleasantly surprised by how quickly the Gupta-led DMV wanted to move with the initiative. He described the current system as using 18th-century paper-based technology to solve 21st-century transaction fraud, pointing to the common sense solutions presented by digitizing car titles and tracing their movement. For example, if someone buys a "lemon," or faulty car, in California, it will have a special designation on their title. If they then move out of state and back into California with the car, they can shirk the "lemon" branding and sell the car without the new buyer knowing. "As far as the benefit for having a persistent digital title, this is a very obvious use case," Smith said.

The DMV worked with Oxhead Alpha and Tezos to create a private instance of the Tezos blockchain, which would increase security compared to relying on a public blockchain. Smith said that the DMV chain is currently operational and running DMV validator nodes. For now, the blockchain will operate in the background, but Gupta hopes to create consumer-facing applications soon. An obvious application would be allowing people to transfer car ownership between digital wallets through an NFT version of their title, with the DMV acting as a middleman to ensure that all the sale obligations are completed. Gupta said that type of functionality is on the horizon. Another possible use case is transferring titles between states. Smith said that he's seen a lot of appetite from municipal-level governments, with mayors such as Miami's Francis Suarez advocating for crypto, and that generating interest from states would come next.

Privacy

A Network of Knockoff Apparel Stores Exposed 330,000 Customer Credit Cards (techcrunch.com) 22

An anonymous reader quotes a report from TechCrunch: If you recently made a purchase from an overseas online store selling knockoff clothes and goods, there's a chance your credit card number and personal information were exposed. Since January 6, a database containing hundreds of thousands of unencrypted credit card numbers and corresponding cardholders' information was spilling onto the open web. At the time it was pulled offline on Tuesday, the database had about 330,000 credit card numbers, cardholder names, and full billing addresses -- and rising in real-time as customers placed new orders. The data contained all the information that a criminal would need to make fraudulent transactions and purchases using a cardholder's information.

The credit card numbers belong to customers who made purchases through a network of near-identical online stores claiming to sell designer goods and apparel. But the stores had the same security problem in common: Any time a customer made a purchase, their credit card data and billing information was saved in a database, which was left exposed to the internet without a password. Anyone who knew the IP address of the database could access reams of unencrypted financial data. Anurag Sen, a good-faith security researcher, found the exposed credit card records and asked TechCrunch for help in reporting it to its owner. Sen has a respectable track record of scanning the internet looking for exposed servers and inadvertently published data, and reporting it to companies to get their systems secured.

But in this case, Sen wasn't the first person to discover the spilling data. According to a ransom note left behind on the exposed database, someone else had found the spilling data and, instead of trying to identify the owner and responsibly reporting the spill, the unnamed person instead claimed to have taken a copy of the entire database's contents of credit card data and would return it in exchange for a small sum of cryptocurrency. A review of the data by TechCrunch shows most of the credit card numbers are owned by cardholders in the United States. [...] Internet records showed that the database was operated by a customer of Tencent, whose cloud services were used to host the database. TechCrunch contacted Tencent about its customer's database leaking credit card information, and the company responded quickly. The customer's database went offline a short time later.

Many of the stores leaking customers' information claim to operate out of Hong Kong and were set up in the past few weeks. Some of the websites include: spraygroundusa.com, ihuahebuy.com, igoodlinks.com, ibuysbuy.com, lichengshop.com, hzoushop.com, goldlyshop.com, haohangshop.com, twinklebubble.store, and spendidbuy.com.

Government

US Airline Accidentally Exposes 'No Fly List' On Unsecured Server (dailydot.com) 56

An anonymous reader quotes a report from the Daily Dot: An unsecured server discovered by a security researcher last week contained the identities of hundreds of thousands of individuals from the U.S. government's Terrorist Screening Database and "No Fly List." Located by the Swiss hacker known as maia arson crimew, the server, run by the U.S. national airline CommuteAir, was left exposed on the public internet. It revealed a vast amount of company data, including private information on almost 1,000 CommuteAir employees. Analysis of the server resulted in the discovery of a text file named "NoFly.csv," a reference to the subset of individuals in the Terrorist Screening Database who have been barred from air travel due to having suspected or known ties to terrorist organizations.

The list, according to crimew, appeared to have more than 1.5 million entries in total. The data included names as well as birth dates. It also included multiple aliases, placing the number of unique individuals at far less than 1.5 million. [...] In a statement to the Daily Dot, CommuteAir said that the exposed infrastructure, which it described as a development server, was used for testing purposes. CommuteAir added that the server, which was taken offline prior to publication after being flagged by the Daily Dot, did not expose any customer information based on an initial investigation. CommuteAir also confirmed the legitimacy of the data, stating that it was a version of the "federal no-fly list" from roughly four years prior. [...] The server also held the passport numbers, addresses, and phone numbers of roughly 900 company employees. User credentials to more than 40 Amazon S3 buckets and servers run by CommuteAir were also exposed.

AI

ChatGPT Listed as Author on Research Papers. Many Scientists Disapprove. (nature.com) 40

The artificial-intelligence (AI) chatbot ChatGPT that has taken the world by storm has made its formal debut in the scientific literature -- racking up at least four authorship credits on published papers and preprints. Journal editors, researchers and publishers are now debating the place of such AI tools in the published literature, and whether it's appropriate to cite the bot as an author. From a report: Publishers are racing to create policies for the chatbot, which was released as a free-to-use tool in November by tech company OpenAI in San Francisco, California. ChatGPT is a large language model (LLM), which generates convincing sentences by mimicking the statistical patterns of language in a huge database of text collated from the Internet. The bot is already disrupting sectors including academia: in particular, it is raising questions about the future of university essays and research production. Publishers and preprint servers contacted by Nature's news team agree that AIs such as ChatGPT do not fulfil the criteria for a study author, because they cannot take responsibility for the content and integrity of scientific papers. But some publishers say that an AI's contribution to writing papers can be acknowledged in sections other than the author list.

Privacy

Little-Known Surveillance Program Captures Money Transfers Between US and More Than 20 Countries (wsj.com) 34

Hundreds of federal, state and local U.S. law-enforcement agencies have access without court oversight to a database of more than 150 million money transfers between people in the U.S. and in more than 20 countries, according to internal program documents and an investigation by Sen. Ron Wyden. WSJ: The database, housed at a little-known nonprofit called the Transaction Record Analysis Center, or TRAC, was set up by the Arizona state attorney general's office in 2014 as part of a settlement reached with Western Union to combat cross-border trafficking of drugs and people from Mexico. It has since expanded to allow officials of more than 600 law-enforcement entities -- from federal agencies such as the Federal Bureau of Investigation, the Drug Enforcement Administration, and Immigration and Customs Enforcement to small-town police departments in nearly every state -- to monitor the flow of funds through money services between the U.S. and countries around the world.

TRAC's data includes the full names of the sender and recipient as well as the transaction amount. Rich Lebel, TRAC's director, said the program has directly resulted in hundreds of leads and busts involving drug cartels and other criminals seeking to launder money, and has revealed patterns of money flow that help law-enforcement agencies get a broader grasp on smuggling networks. "It's a law-enforcement investigative tool," Mr. Lebel said. "We don't broadcast it to the world, but we don't run from or hide from it either." Mr. Wyden, an Oregon Democrat, said TRAC allows the government to "serve itself an all-you-can-eat buffet of Americans' personal financial data while bypassing the normal protections for Americans' privacy."

Internal records, including TRAC meeting minutes and copies of 140 subpoenas from the Arizona attorney general, were obtained by the American Civil Liberties Union and reviewed by The Wall Street Journal. They show that any authorized law-enforcement agency can query the data without a warrant to examine the transactions of people inside the U.S. for evidence of money laundering and other crimes. One slideshow prepared by a TRAC investigator showed how the program's data could be used to scan for categories such as "Middle Eastern/Arabic names" in bulk transaction records.

United States

A Corrupt File Led To the FAA Ground Stoppage (cnn.com) 176

According to CNN, the Federal Aviation Administration system outage on Wednesday has been traced to a corrupt file. From the report: In a statement late Wednesday, the FAA said it was continuing to investigate the outage and "take all needed steps to prevent this kind of disruption from happening again." "Our preliminary work has traced the outage to a damaged database file. At this time, there is no evidence of a cyberattack," the FAA said. The FAA is still trying to determine whether any one person or "routine entry" into the database is responsible for the corrupted file, a government official familiar with the investigation into the NOTAM system outage told CNN.

When air traffic control officials realized they had a computer issue late Tuesday, they came up with a plan, the source said, to reboot the system when it would least disrupt air travel, early on Wednesday morning. But ultimately that plan and the outage led to massive flight delays and an unprecedented order to stop all aircraft departures nationwide. The computer system that failed was the central database for all NOTAMs (Notice to Air Missions) nationwide. Those notices advise pilots of issues along their route and at their destination. It has a backup, which officials switched to when problems with the main system emerged, according to the source. FAA officials told reporters early Wednesday that the issues developed in the 3 p.m. ET hour on Tuesday.

Officials ultimately found a corrupt file in the main NOTAM system, the source told CNN. A corrupt file was also found in the backup system. In the overnight hours of Tuesday into Wednesday, FAA officials decided to shut down and reboot the main NOTAM system -- a significant decision, because the reboot can take about 90 minutes, according to the source. They decided to perform the reboot early Wednesday, before air traffic began flying on the East Coast, to minimize disruption to flights. "They thought they'd be ahead of the rush," the source said. During this early morning process, the FAA told reporters that the system was "beginning to come back online," but said it would take time to resolve. The system, according to the source, "did come back up, but it wasn't completely pushing out the pertinent information that it needed for safe flight, and it appeared that it was taking longer to do that." That's when the FAA issued a nationwide ground stop at around 7:30 a.m. ET, halting all domestic departures.

The source said the NOTAM system is an example of aging infrastructure due for an overhaul. "Because of budgetary concerns and flexibility of budget, this tech refresh has been pushed off," the source said. "I assume now they're going to actually find money to do it."

Privacy
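The one-hour synchronization delay the FAA describes in the earlier story, and the corrupt file that reached the backup in this one, as a small added simulation (not FAA code; the page does not describe the NOTAM system's real replication mechanism): a delayed replica applies a change only once it is old enough, which gives an integrity check time to discard a bad record before it propagates, provided the problem is caught inside the window.

```python
"""Delayed-replica simulation (added example, not FAA or NOTAM system code).

Assumed model: the primary applies every change at once; the backup holds each
change in a pending queue and applies it only after `delay` seconds; an
integrity check on the pending queue can discard a corrupt change before it
is applied. The NOTAM-style records below are constructed sample data.
"""
from dataclasses import dataclass, field

DELAY_SECONDS = 3600  # the one-hour delay quoted in the FAA statement


@dataclass
class Change:
    ts: int      # time (s) the change was committed on the primary
    key: str
    value: str


def is_valid(change: Change) -> bool:
    """Constructed integrity rule standing in for the real system's validation:
    reject empty records and records containing NUL bytes."""
    return change.value != "" and "\x00" not in change.value


@dataclass
class DelayedReplica:
    delay: int
    applied: dict = field(default_factory=dict)
    pending: list = field(default_factory=list)

    def receive(self, change: Change) -> None:
        self.pending.append(change)

    def tick(self, now: int) -> int:
        """Apply every pending change that is at least `delay` seconds old."""
        ready = [c for c in self.pending if now - c.ts >= self.delay]
        self.pending = [c for c in self.pending if now - c.ts < self.delay]
        for c in ready:
            self.applied[c.key] = c.value
        return len(ready)

    def discard_invalid(self) -> list:
        """Drop pending changes that fail the integrity check; return their keys."""
        bad = [c.key for c in self.pending if not is_valid(c)]
        self.pending = [c for c in self.pending if is_valid(c)]
        return bad


def run_scenario(delay: int, detection_lag: int):
    """Write one good and one corrupt record to the primary, detect the
    corruption `detection_lag` seconds after it was written, then let the
    replica catch up. Returns (primary_store, replica_store)."""
    primary = {}
    replica = DelayedReplica(delay)
    changes = [
        Change(0, "notam/1", "RWY 09/27 CLSD"),        # constructed, valid
        Change(60, "notam/2", "\x00\x00garbled\x00"),  # constructed, corrupt
    ]
    for c in changes:
        primary[c.key] = c.value       # the primary takes the bad write immediately
        replica.receive(c)
        replica.tick(c.ts)             # with delay == 0 this applies at once
    detected_at = 60 + detection_lag
    replica.tick(detected_at)          # anything already old enough lands first
    replica.discard_invalid()          # the integrity check quarantines bad records
    replica.tick(detected_at + delay)  # the surviving pending changes drain
    return primary, replica.applied
```

With no delay the corrupt record lands on the backup as soon as it is written; with the one-hour delay it is discarded before it applies, unless detection itself takes longer than the window.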

Iran Says Face Recognition Will ID Women Breaking Hijab Laws (wired.com) 156

An anonymous reader quotes a report from Wired: Last month, a young woman went to work at Sarzamineh Shadi, or Land of Happiness, an indoor amusement park east of Iran's capital, Tehran. After a photo of her without a hijab circulated on social media, the amusement park was closed, according to multiple accounts in Iranian media. Prosecutors in Tehran have reportedly opened an investigation. Shuttering a business to force compliance with Iran's strict laws for women's dress is a familiar tactic to Shaparak Shajarizadeh. She stopped wearing a hijab in 2017 because she views it as a symbol of government suppression, and recalls restaurant owners, fearful of authorities, pressuring her to cover her head. But Shajarizadeh, who fled to Canada in 2018 after three arrests for flouting hijab law, worries that women like the amusement park worker may now be targeted with face recognition algorithms as well as by conventional police work.

After Iranian lawmakers suggested last year that face recognition should be used to police hijab law, the head of an Iranian government agency that enforces morality law said in a September interview that the technology would be used "to identify inappropriate and unusual movements," including "failure to observe hijab laws." Individuals could be identified by checking faces against a national identity database to levy fines and make arrests, he said. Two weeks later, a 22-year-old Kurdish woman named Jina Mahsa Amini died after being taken into custody by Iran's morality police for not wearing a hijab tightly enough. Her death sparked historic protests against women's dress rules, resulting in an estimated 19,000 arrests and more than 500 deaths. Shajarizadeh and others monitoring the ongoing outcry have noticed that some people involved in the protests are confronted by police days after an alleged incident -- including women cited for not wearing a hijab. "Many people haven't been arrested in the streets," she says. "They were arrested at their homes one or two days later."

Although there are other ways women could have been identified, Shajarizadeh and others fear that the pattern indicates face recognition is already in use -- perhaps the first known instance of a government using face recognition to impose dress law on women based on religious belief. Mahsa Alimardani, who researches freedom of expression in Iran at the University of Oxford, has recently heard reports of women in Iran receiving citations in the mail for hijab law violations despite not having had an interaction with a law enforcement officer. Iran's government has spent years building a digital surveillance apparatus, Alimardani says. The country's national identity database, built in 2015, includes biometric data like face scans and is used for national ID cards and to identify people considered dissidents by authorities.

Encryption

Amazon S3 Will Now Encrypt All New Data With AES-256 By Default 27

Amazon Simple Storage Service (S3) will now automatically encrypt all new objects added to buckets on the server side, using AES-256 by default. BleepingComputer reports: While the server-side encryption system has been available on AWS for over a decade, the tech giant has enabled it by default to bolster security. Administrators will not have to take any actions for the new encryption system to affect their buckets, and Amazon promises it won't have any negative performance impact. Administrators may leave the system to encrypt at the default 256-bit AES or choose one of the alternative methods, namely SSE-C or SSE-KMS.

The first option (SSE-C) gives bucket owners control of the keys, while the second (SSE-KMS) lets Amazon do the key management. However, bucket owners can set different permissions for each KMS key to maintain more granular control over the asset access system. To confirm that the changes have been applied to your buckets, admins can configure CloudTrail to log data events at no extra cost. Then perform a test object upload, and look in the event logs for the `"SSEApplied": "Default_SSE_S3"` field in the log for the uploaded file. To retroactively encrypt objects already in S3 buckets, follow this official guide.

"This change puts another security best practice into effect automatically -- with no impact on performance and no action required on your side," reads Amazon's announcement.

"S3 buckets that do not use default encryption will now automatically apply SSE-S3 as the default setting. Existing buckets currently using S3 default encryption will not change."
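A way to run the CloudTrail check described above over a log export, as an added example rather than code from the report or from AWS: it assumes data events are logged for the bucket and that S3 write records carry `additionalEventData.SSEApplied`, and it uses constructed sample records in place of a real export.

```python
"""Audit CloudTrail S3 data events for the SSEApplied field.

Added example (not from the BleepingComputer report or from AWS). Assumes
CloudTrail data-event logging is on for the bucket and that each S3 write
record carries additionalEventData.SSEApplied, as the article describes.
SAMPLE_LOG is constructed sample data in CloudTrail's record layout, not a
real export.
"""
import json
from collections import Counter, defaultdict

# S3 API calls that create an object and therefore get an SSE mode applied.
WRITE_EVENTS = {"PutObject", "CopyObject", "CompleteMultipartUpload"}

SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "requestParameters": {"bucketName": "example-bucket", "key": "test/upload-1.txt"},
     "additionalEventData": {"SSEApplied": "Default_SSE_S3", "bytesTransferredIn": 11}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "requestParameters": {"bucketName": "example-bucket", "key": "test/upload-2.txt"},
     "additionalEventData": {"SSEApplied": "SSE_KMS", "bytesTransferredIn": 42}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",      # a read, ignored
     "requestParameters": {"bucketName": "example-bucket", "key": "test/upload-1.txt"},
     "additionalEventData": {"bytesTransferredOut": 11}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",      # no SSE recorded
     "requestParameters": {"bucketName": "legacy-bucket", "key": "old/unencrypted.bin"},
     "additionalEventData": {"bytesTransferredIn": 512}},
]})


def sse_mode(record: dict) -> str:
    """Return the SSE mode CloudTrail recorded for the object, or 'NONE'."""
    return record.get("additionalEventData", {}).get("SSEApplied", "NONE")


def is_s3_write(record: dict) -> bool:
    return (record.get("eventSource") == "s3.amazonaws.com"
            and record.get("eventName") in WRITE_EVENTS)


def audit_log(log_text: str) -> dict:
    """Count encryption modes per bucket over S3 write events only.
    Returns {bucket: Counter({mode: count})}."""
    summary = defaultdict(Counter)
    for rec in json.loads(log_text)["Records"]:
        if not is_s3_write(rec):
            continue
        bucket = rec["requestParameters"]["bucketName"]
        summary[bucket][sse_mode(rec)] += 1
    return dict(summary)


def unencrypted_writes(log_text: str) -> list:
    """List (bucket, key) for write events that carry no SSEApplied value."""
    hits = []
    for rec in json.loads(log_text)["Records"]:
        if is_s3_write(rec) and sse_mode(rec) == "NONE":
            params = rec["requestParameters"]
            hits.append((params["bucketName"], params["key"]))
    return hits


def default_encryption_confirmed(summary: dict, bucket: str) -> bool:
    """True when the bucket saw at least one write tagged Default_SSE_S3
    and no write without server-side encryption."""
    modes = summary.get(bucket, Counter())
    return modes["Default_SSE_S3"] > 0 and modes["NONE"] == 0
```

Objects written with an explicit SSE-KMS or SSE-C header show their own mode rather than `Default_SSE_S3`, so the check looks specifically for the default-applied tag on the test upload.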

Piracy

Major Private Torrent Sites Have a Security Disaster to Fix Right Now 30

At least three major torrent sites are currently exposing intimate details of their operations to anyone with a web browser. TorrentFreak understands that the sites use a piece of software that grabs brand-new content from other sites before automatically uploading it to their own. A security researcher tried to raise the alarm but nobody will listen. From the report: To get their hands on the latest releases as quickly as possible, [private torrent sites, or private trackers as they're commonly known] often rely on outside sources that have access to so-called 0-Day content, i.e., content released today. The three affected sites seem to have little difficulty obtaining some of their content within minutes. At least in part, that's achieved via automation. When outside suppliers of content are other torrent sites, a piece of software called Torrent Auto Uploader steps in. It can automatically download torrents, descriptions, and associated NFO files from one site and upload them to another, complete with a new .torrent file containing the tracker's announce URL. The management page [here] has been heavily redacted because the content has the potential to identify at least one of the sites. It's a web interface, one that has no password protection and is readily accessible by anyone with a web browser. The same problem affects at least three different servers operated by the three sites in question.

Torrent Auto Uploader relies on torrent clients to transfer content. The three sites in question all use rTorrent clients with a ruTorrent Web UI. We know this because the researcher sent over a whole bunch of screenshots and supporting information which confirms access to the torrent clients as well as the Torrent Auto Uploader software. The image [here] shows redactions on the tracker tab for good reason. In a regular setup, torrent users can see the names of the trackers coordinating their downloads. This setup is no different except that these URLs reference three different trackers supplying the content to one of the three compromised sites.

Rather than publish a sequence of completely redacted screenshots, we'll try to explain what they contain. One begins with a GET request to another tracker, which responds with a torrent file. It's then uploaded to the requesting site which updates its SQL database accordingly. From there the script starts checking for any new entries on a specific RSS feed which is hidden away on another site that has nothing to do with torrents. The feed is protected with a passkey but that's only useful when nobody knows what it is. The same security hole also grants direct access to one of the sites' tracker 'bots' through the panel that controls it. Then there's access to 'Staff Tools' on the same page which connect to other pages allowing username changes, uploader application reviews, and a list of misbehaving users that need to be monitored. That's on top of user profiles, the number of torrents they have active, and everything else one could imagine. Another screenshot featuring a torrent related to a 2022 movie reveals the URL of yet another third-party supplier tracker. Some basic queries on that URL lead to even more torrent sites. And from there, more, and more, and more -- revealing torrent passkeys for every single one on the way.

Security

FBI Investigating 3Commas Data Breach (coindesk.com) 25

The FBI is investigating the 3Commas data breach, CoinDesk is reporting. From the report: The investigation comes after weeks of criticism from users of the Estonia-based crypto trading service, who say its CEO repeatedly brushed off warning signs that the platform had leaked user data. This week, 100,000 Binance and KuCoin API keys linked to 3Commas were leaked by an anonymous person. On Thursday, two 3Commas users told CoinDesk that they were contacted by agents from the FBI's Cincinnati Field Office in connection to the leak.

Over the last several months, dozens of 3Commas users found that the service had, without their consent, traded away funds on crypto exchanges they'd linked to it. Initially, 3Commas said that these users were most likely phished and insisted that the platform was safe. The API database leaker insinuated that the 3Commas keys had been sold by someone from within the company, but 3Commas CEO Yuriy Sorokin said in a statement on Thursday that "3Commas stresses that it has found no evidence during the internal investigation that any employee of 3Commas was somehow involved in attacks against the API data."

United States

NYC Could Lose 10,000 Airbnb Listings Because of New Short-Term Rental Law (npr.org) 114

An anonymous reader quotes a report from NPR: A new short-term rental registration law put forth by the administration of New York City Mayor Eric Adams could remove thousands of Airbnb listings from the market next month. The new measure, which will go into effect in January, will require Airbnb hosts to register their short-term rentals with the city's database -- including proof that the hosts themselves reside there, and that their home abides by local zoning and safety requirements. If Airbnb hosts fail to comply, they could face $1,000 to $5,000 in penalty fees. https://codelibrary.amlegal.com/codes/newyorkcity/latest/NYCadmin/0-0-0-133488

Christian Klossner, executive director for the city's Office of Special Enforcement, told the New York Daily News that he expects to see 10,000 listings disappear after the new regulations go into effect. "Every illegal short-term rental in our city represents a unit of housing that is not available for real New Yorkers to live in," New York State Senator Liz Krueger said in July, following news of the lawsuit. "In the middle of an ongoing affordable housing crisis, every single unit matters." There are nearly 40,000 Airbnb listings in New York City alone, according to InsideAirbnb, which tracks these numbers. More than half of those listings, according to the database, are for an entire home, or apartment.

A spokesperson for Airbnb said the new regulations will hurt average New Yorkers who are struggling to keep up with rising costs.

"Airbnb agrees regular New Yorkers should be able to share their home and not be targeted by the City, and we urge the administration to work with our Host community to support a regulatory framework that helps responsible Hosts and targets illegal hotel operators," Nathan Rotman, public policy regional lead for Airbnb, said in a statement to NPR on Wednesday.

Security

The LastPass Disclosure of Leaked Password Vaults Is Being Torn Apart By Security Experts (theverge.com) 78

Last week, LastPass announced that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident. "While the company insists that your login information is still secure, some cybersecurity experts are heavily criticizing its post, saying that it could make people feel more secure than they actually are and pointing out that this is just the latest in a series of incidents that make it hard to trust the password manager," reports The Verge. Here's an excerpt from the report: LastPass' December 22nd statement was "full of omissions, half-truths and outright lies," reads a blog post from Wladimir Palant, a security researcher known for helping originally develop AdBlock Pro, among other things. Some of his criticisms deal with how the company has framed the incident and how transparent it's being; he accuses the company of trying to portray the August incident where LastPass says "some source code and technical information were stolen" as a separate breach when he says that in reality the company "failed to contain" the breach. He also highlights LastPass' admission that the leaked data included "the IP addresses from which customers were accessing the LastPass service," saying that could let the threat actor "create a complete movement profile" of customers if LastPass was logging every IP address you used with its service.

Another security researcher, Jeremi Gosney, wrote a long post on Mastodon explaining his recommendation to move to another password manager. "LastPass's claim of 'zero knowledge' is a bald-faced lie," he says, alleging that the company has "about as much knowledge as a password manager can possibly get away with." LastPass claims its "zero knowledge" architecture keeps users safe because the company never has access to your master password, which is the thing that hackers would need to unlock the stolen vaults. While Gosney doesn't dispute that particular point, he does say that the phrase is misleading. "I think most people envision their vault as a sort of encrypted database where the entire file is protected, but no -- with LastPass, your vault is a plaintext file and only a few select fields are encrypted."

Palant also notes that the encryption only does you any good if the hackers can't crack your master password, which is LastPass' main defense in its post: if you use its defaults for password length and strengthening and haven't reused it on another site, "it would take millions of years to guess your master password using generally-available password-cracking technology" wrote Karim Toubba, the company's CEO. "This prepares the ground for blaming the customers," writes Palant, saying that "LastPass should be aware that passwords will be decrypted for at least some of their customers. And they have a convenient explanation already: these customers clearly didn't follow their best practices." However, he also points out that LastPass hasn't necessarily enforced those standards. Despite the fact that it made 12-character passwords the default in 2018, Palant says, "I can log in with my eight-character password without any warnings or prompts to change it."

Privacy

For Sale on eBay: A Military Database of Fingerprints and Iris Scans 32

The shoebox-shaped device, designed to capture fingerprints and perform iris scans, was listed on eBay for $149.95. A German security researcher, Matthias Marx, successfully offered $68, and when it arrived at his home in Hamburg in August, the rugged, hand-held machine contained more than what was promised in the listing. The device's memory card held the names, nationalities, photographs, fingerprints and iris scans of 2,632 people. From a report: Most people in the database, which was reviewed by The New York Times, were from Afghanistan and Iraq. Many were known terrorists and wanted individuals, but others appeared to be people who had worked with the U.S. government or simply been stopped at checkpoints. Metadata on the device, called a Secure Electronic Enrollment Kit, or SEEK II, revealed that it had last been used in the summer of 2012 near Kandahar, Afghanistan. The device -- a relic of the vast biometric collection system the Pentagon built in the years after the Sept. 11, 2001, attacks -- is a physical reminder that although the United States has moved on from the wars in Afghanistan and Iraq, the tools built to fight them and the information they held live on in ways unintended by their creators.

Exactly how the device ended up going from the battlefields in Asia to an online auction site is unclear. But the data, which offers detailed descriptions of individuals in addition to their photograph and biometric data, could be enough to target people who were previously unknown to have worked with U.S. military forces should the information fall into the wrong hands. For those reasons, Mr. Marx would not place the information online or share it in an electronic format, but he did allow a Times reporter in Germany to see the data in person alongside him. "Because we have not reviewed the information contained on the devices, the department is not able to confirm the authenticity of the alleged data or otherwise comment on it," Brig. Gen. Patrick S. Ryder, the Defense Department's press secretary, said in a statement. "The department requests that any devices thought to contain personally identifiable information be returned for further analysis." He provided an address for the military's biometrics program manager at Fort Belvoir in Virginia where the devices could be sent. The biometric data on the SEEK II was collected at detainment facilities, on patrols, during screenings of local hires and after the explosion of an improvised bomb. Around the time when the device was last used in Afghanistan, the American war effort there was winding down.

United States

IRS Accidentally Releases 112,000 Taxpayers' Private Data Again (bloombergtax.com) 45

Confidential data of about 112,000 taxpayers inadvertently published by the IRS over the summer was mistakenly republished in late November and remained online until early December, the IRS disclosed last week. From a report: Form 990-T data that was supposed to stay private had been taken offline but made its way back to the IRS site when a contractor uploaded an old file that still included most of the private information, a letter sent Thursday to congressional leaders said. The agency is required to make Form 990-Ts filed by nonprofit groups available online but is supposed to keep the form filed by individuals private; in both cases, the agency made that information available too.

An internal programming error caused the September release of private forms along with the ones filed by nonprofit groups, the letter said. This time, the contractor tasked with managing the database reuploaded the older file with the original data instead of a new file that filtered out the forms that needed to be kept private. The IRS shared corrected data with the contractor on Nov. 23, but the old files had not been purged from their system. A third-party researcher alerted the IRS the files were back online on Dec. 1, and the IRS ordered the contractor to take them down immediately. Roughly 104,000 of the 106,000 forms disclosed in September were redisclosed this time.
The agency is reconsidering its relationship with the contractor Accenture on this project, the report added, citing a person familiar with the matter.

Transportation

America Now Requires Drone Manufacturers to Include 'Remote ID' Transmitting 186

On Friday, long-time Slashdot reader NewtonsLaw wrote: Manufacturers of drones made after 16 September 2022 must, from today (16 December), ensure that those drones are "Standard Remote ID" compliant. This means that the drones must broadcast packets of data once per second (using Bluetooth or Wi-Fi) that contain the position, speed and path of the drone, a unique identifier and the operator's position including height above ground....

Already, several companies have announced their intention to build networks of receivers that will create a realtime database of all drone activity in the USA, showing the positions of the drones and their operators and flagging any non-compliant craft.

By September 16, 2023, all U.S. hobbyists must fit "broadcast remote ID" modules to their RC model aircraft or older drones which also make them Remote ID compliant (unless they are under 250g in mass or are flown in pre-approved areas called FRIAs)....

Drone and radio-controlled model aircraft users must register with the FAA [unless they weigh less than 0.55 pounds], sit (and pass) a knowledge test and soon have this Remote ID technology installed on all their craft.

"Remote ID helps the FAA, law enforcement, and other federal agencies find the control station when a drone appears to be flying in an unsafe manner or where it is not allowed to fly," argues an FAA web page. This week the top intelligence official at the U.S. Department of Defense told reporters that drones, including drones operated by amateur hobbyists and by foreign adversaries, account for many of the reports of Unidentified Flying Objects, according to the Washington Post.

They quote Sean Kirkpatrick, the director of America's new UFO-tracking agency, as saying that "Some of these things almost collide with planes. We see that on a regular basis...."
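To make concrete what the receiver networks mentioned above would be doing with those once-per-second broadcasts, here is an added example (not FAA, ASTM or manufacturer code). RECORDS is a constructed, already-decoded form of what a Standard Remote ID drone transmits: drone position and velocity, a unique ID, and the control station's position. The ASTM F3411 wire encoding is not reproduced, and the field names and the timing tolerance are assumptions. The script rebuilds each drone's track, derives the operator's location, and flags craft whose broadcasts are incomplete or slower than once per second; it also shows why the privacy concern is real, since the same data locates the operator as precisely as the drone.

```python
"""Receiver-side view of Standard Remote ID broadcasts (added example; the
record layout, field names and gap tolerance are assumptions)."""
import math
from collections import defaultdict

REQUIRED_FIELDS = ("uas_id", "t", "lat", "lon", "alt_m", "speed_mps",
                   "heading_deg", "op_lat", "op_lon")
MAX_GAP_S = 1.5   # assumed tolerance on the once-per-second requirement

# Constructed broadcasts: A is compliant, B omits the operator position,
# C transmits too slowly. "t" is seconds since the receiver started listening.
RECORDS = [
    *[{"uas_id": "A", "t": float(i), "lat": 47.6000 + i * 0.0001, "lon": -122.3300,
       "alt_m": 60.0, "speed_mps": 11.0, "heading_deg": 0.0,
       "op_lat": 47.5995, "op_lon": -122.3305} for i in range(5)],
    *[{"uas_id": "B", "t": float(i), "lat": 47.6100, "lon": -122.3400 + i * 0.0001,
       "alt_m": 40.0, "speed_mps": 7.0, "heading_deg": 90.0} for i in range(3)],
    *[{"uas_id": "C", "t": float(i), "lat": 47.6200, "lon": -122.3500,
       "alt_m": 30.0, "speed_mps": 0.0, "heading_deg": 0.0,
       "op_lat": 47.6201, "op_lon": -122.3501} for i in (0, 3)],
]


def haversine_m(lat1, lon1, lat2, lon2, radius_m=6_371_000.0):
    """Great-circle distance in metres between two WGS-84-style lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * radius_m * math.asin(math.sqrt(a))


def missing_fields(record):
    """Required Standard Remote ID fields absent from one broadcast."""
    return [f for f in REQUIRED_FIELDS if f not in record]


def analyse(records, max_gap_s=MAX_GAP_S):
    """Group broadcasts per UAS ID and judge each craft's compliance.

    Returns {uas_id: {"packets", "max_gap_s", "missing", "track_m",
    "operator", "operator_moved", "compliant"}}.
    """
    by_id = defaultdict(list)
    for rec in records:
        by_id[rec.get("uas_id", "<no id>")].append(rec)

    report = {}
    for uas_id, pkts in by_id.items():
        pkts.sort(key=lambda r: r.get("t", float("inf")))
        times = [r["t"] for r in pkts if "t" in r]
        gaps = [b - a for a, b in zip(times, times[1:])]
        positions = [(r["lat"], r["lon"]) for r in pkts if "lat" in r and "lon" in r]
        operators = sorted({(r["op_lat"], r["op_lon"]) for r in pkts
                            if "op_lat" in r and "op_lon" in r})
        missing = sorted({f for r in pkts for f in missing_fields(r)})
        max_gap = max(gaps, default=0.0)
        report[uas_id] = {
            "packets": len(pkts),
            "max_gap_s": max_gap,
            "missing": missing,
            "track_m": sum(haversine_m(*a, *b) for a, b in zip(positions, positions[1:])),
            "operator": operators[0] if operators else None,
            "operator_moved": len(operators) > 1,   # a second fix = a movement profile
            "compliant": not missing and max_gap <= max_gap_s,
        }
    return report


if __name__ == "__main__":
    for uas_id, r in analyse(RECORDS).items():
        status = "OK  " if r["compliant"] else "FLAG"
        print(f"{status} {uas_id}: {r['packets']} pkts, max gap {r['max_gap_s']:.1f}s, "
              f"track {r['track_m']:.0f} m, operator {r['operator']}, missing {r['missing']}")
```

A receiver only needs a Bluetooth or Wi-Fi radio and this much logic to do what the post describes; the "operator" entry is the part privacy advocates object to, because it is broadcast in the clear to anyone in range, not just to the FAA.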

IBM

IBM To Create 24-Core Power Chip So Customers Can Exploit Oracle Database License (theregister.com) 70

IBM has quietly announced it's planning a 24-core Power 10 processor, seemingly to make one of its servers capable of running Oracle's database in a cost-effective fashion. From a report: A hardware announcement dated December 13 revealed the chip in the following "statement of general direction" about Big Blue's Power S1014 technology-based server: "IBM intends to announce a high-density 24-core processor for the IBM Power S1014 system (MTM 9105-41B) to address application environments utilizing an Oracle Database with the Standard Edition 2 (SE2) licensing model. It intends to combine a robust compute throughput with the superior reliability and availability features of the IBM Power platform while complying with Oracle Database SE2 licensing guidelines."

Google

Google Debuts OSV-Scanner, a Go Tool For Finding Security Holes in Open Source (theregister.com) 16

Google this week released OSV-Scanner -- an open source vulnerability scanner linked to the OSV.dev database that debuted last year. From a report: Written in the Go programming language, OSV-Scanner is designed to scan open source applications to assess the security of any incorporated dependencies -- software libraries that get added to projects to provide pre-built functions so developers don't have to recreate those functions on their own. Modern applications can have a lot of dependencies. For example, researchers from Mozilla and Concordia University in Canada recently created a single-page web application with the React framework using the create-react-app command. The result was a project with seven runtime dependencies and nine development dependencies.

But each of these direct dependencies had other dependencies, known as transitive dependencies. The react package includes loose-envify as a transitive dependency -- one that itself depends on other libraries. All told, this basic single-page "Hello world" app required a total of 1,764 dependencies. As Rex Pan, a software engineer on Google's Open Source Security Team, observed on Tuesday in a blog post, vetting thousands of dependencies isn't something developers can do on their own.
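The two steps a scanner like this performs, walking the lockfile to enumerate every transitive dependency and matching each installed version against advisories, are short enough to show in full. This is an added example, not OSV-Scanner's code (OSV-Scanner is written in Go; this is a Python sketch of the same steps). LOCKFILE is a constructed package-lock.json in the lockfileVersion 2/3 layout, where the keys of the "packages" map are paths under node_modules, so nesting shows which package pulled in which. ADVISORIES is a constructed record in the shape of an OSV.dev entry (affected[].package and affected[].ranges[].events); its id and the affected package "tiny-parser" are made up for illustration. The querybatch payload follows the OSV API request format but is not sent anywhere.

```python
"""Enumerate npm dependencies from a lockfile and match them against
OSV-format advisories (added example, not OSV-Scanner; inputs constructed)."""
import json

LOCKFILE = json.loads("""
{
  "name": "hello-world",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"react": "^18.2.0"}, "devDependencies": {"eslint": "^8.0.0"}},
    "node_modules/react":        {"version": "18.2.0", "dependencies": {"loose-envify": "^1.1.0"}},
    "node_modules/loose-envify": {"version": "1.4.0",  "dependencies": {"js-tokens": "^3.0.0 || ^4.0.0"}},
    "node_modules/js-tokens":    {"version": "4.0.0"},
    "node_modules/eslint":       {"version": "8.0.0",  "dev": true, "dependencies": {"tiny-parser": "^1.2.0"}},
    "node_modules/tiny-parser":  {"version": "1.2.0",  "dev": true}
  }
}
""")

ADVISORIES = [{                            # constructed; not a real advisory
    "id": "EXAMPLE-0000-0001",
    "affected": [{
        "package": {"ecosystem": "npm", "name": "tiny-parser"},
        "ranges": [{"type": "SEMVER",
                    "events": [{"introduced": "0"}, {"fixed": "1.2.1"}]}],
    }],
}]


def installed_packages(lock):
    """(name, version, is_dev) for every installed package, nested ones included."""
    out = []
    for path, meta in lock["packages"].items():
        if path == "":
            continue                                   # the root project itself
        name = path.rsplit("node_modules/", 1)[1]      # keeps @scope/name intact
        out.append((name, meta["version"], bool(meta.get("dev"))))
    return out


def classify(lock):
    """Split installed packages into direct (declared at the root) and transitive."""
    root = lock["packages"][""]
    declared = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    pkgs = installed_packages(lock)
    direct = sum(1 for name, _, _ in pkgs if name in declared)
    return {"direct": direct, "transitive": len(pkgs) - direct, "total": len(pkgs)}


def osv_querybatch(lock):
    """Request body for POST https://api.osv.dev/v1/querybatch (built, not sent)."""
    return {"queries": [{"package": {"ecosystem": "npm", "name": n}, "version": v}
                        for n, v, _ in installed_packages(lock)]}


def parse_semver(version):
    """'1.2.3-beta+build' -> (1, 2, 3); pre-release and build metadata are dropped."""
    core = version.split("+", 1)[0].split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def affected_intervals(events):
    """Walk OSV SEMVER events in order: 'introduced' opens a window, 'fixed'
    closes it; an unclosed window means no fix exists. ('last_affected' is
    not handled in this sketch.)"""
    intervals, start = [], None
    for ev in events:
        if "introduced" in ev:
            start = ev["introduced"]
        elif "fixed" in ev and start is not None:
            intervals.append((start, ev["fixed"]))
            start = None
    if start is not None:
        intervals.append((start, None))
    return intervals


def is_affected(version, events):
    """True if version lies in any [introduced, fixed) window ('0' = from the start)."""
    v = parse_semver(version)
    return any((lo == "0" or parse_semver(lo) <= v) and (hi is None or v < parse_semver(hi))
               for lo, hi in affected_intervals(events))


def scan(lock, advisories):
    """(name, version, advisory id) for each installed package an advisory covers."""
    findings = []
    for name, version, _ in installed_packages(lock):
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if pkg["ecosystem"] != "npm" or pkg["name"] != name:
                    continue
                if any(r["type"] == "SEMVER" and is_affected(version, r["events"])
                       for r in aff.get("ranges", [])):
                    findings.append((name, version, adv["id"]))
    return findings


if __name__ == "__main__":
    print(classify(LOCKFILE))
    print(json.dumps(osv_querybatch(LOCKFILE)))
    for name, version, adv_id in scan(LOCKFILE, ADVISORIES):
        print(f"{name}@{version} is affected by {adv_id}")
```

Two things worth noticing: the lockfile, not package.json, is the input, because only the lockfile records the resolved versions of transitive packages; and the match is done on the installed version against introduced/fixed events rather than on the caret range the parent declared, which is exactly the distinction a scanner has to get right to avoid both false positives and misses.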
