An anonymous reader quotes a report from Singapore's CNA news channel: Kandula Nagaraju, 39, was sentenced to two years and eight months' jail on Monday (Jun 10) for one charge of unauthorized access to computer material. Another charge was taken into consideration for sentencing. His contract with NCS was terminated in October 2022 due to poor work performance and his official last date of employment was Nov 16, 2022. According to court documents, Kandula felt "confused and upset" when he was fired as he felt he had performed well and "made good contributions" to NCS during his employment. After leaving NCS, he did not have another job in Singapore and returned to India.

Between November 2021 and October 2022, Kandula was part of a 20-member team managing the quality assurance (QA) computer system at NCS. NCS is a company that offers information communication and technology services. The system that Kandula's former team was managing was used to test new software and programs before launch. In a statement to CNA on Wednesday, NCS said it was a "standalone test system." It consisted of about 180 virtual servers, and no sensitive information was stored on them. After Kandula's contract was terminated and he arrived back in India, he used his laptop to gain unauthorized access to the system using the administrator login credentials. He did so on six occasions between Jan 6 and Jan 17, 2023.

In February that year, Kandula returned to Singapore after finding a new job. He rented a room with a former NCS colleague and used his Wi-Fi network to access NCS' system once on Feb 23, 2023. During the unauthorized access in those two months, he wrote some computer scripts to test if they could be used on the system to delete the servers. In March 2023, he accessed NCS' QA system 13 times. On Mar 18 and 19, he ran a programmed script to delete 180 virtual servers in the system. His script was written such that it would delete the servers one at a time. The following day, the NCS team realized the system was inaccessible and tried to troubleshoot, but to no avail. They discovered that the servers had been deleted. [...] As a result of his actions, NCS suffered a loss of $679,493.

An anonymous reader quotes a report from Ars Technica: Hackers working for the Chinese government gained access to more than 20,000 VPN appliances sold by Fortinet using a critical vulnerability that the company failed to disclose for two weeks after fixing it, Netherlands government officials said. The vulnerability, tracked as CVE-2022-42475, is a heap-based buffer overflow that allows hackers to remotely execute malicious code. It carries a severity rating of 9.8 out of 10. A maker of network security software, Fortinet silently fixed the vulnerability on November 28, 2022, but failed to mention the threat until December 12 of that year, when the company said it became aware of an "instance where this vulnerability was exploited in the wild." On January 11, 2023 -- more than six weeks after the vulnerability was fixed -- Fortinet warned a threat actor was exploiting it to infect government and government-related organizations with advanced custom-made malware. Netherlands government officials wrote in Monday's report: Since the publication in February, the MIVD has continued to investigate the broader Chinese cyber espionage campaign. This revealed that the state actor gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023 through the vulnerability with the identifier CVE-2022-42475 . Furthermore, research shows that the state actor behind this campaign was already aware of this vulnerability in FortiGate systems at least two months before Fortinet announced the vulnerability. During this so-called 'zero-day' period, the actor alone infected 14,000 devices. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry.

The state actor installed malware at relevant targets at a later date. This gave the state actor permanent access to the systems. Even if a victim installs security updates from FortiGate, the state actor continues to have this access. It is not known how many victims actually have malware installed. The Dutch intelligence services and the NCSC consider it likely that the state actor could potentially expand its access to hundreds of victims worldwide and carry out additional actions such as stealing data. Even with the technical report on the COATHANGER malware, infections from the actor are difficult to identify and remove. The NCSC and the Dutch intelligence services therefore state that it is likely that the state actor still has access to systems of a significant number of victims.

British police have arrested two individuals involved in an SMS-based phishing campaign using a unique device police described as a "homemade mobile antenna," "an illegitimate telephone mast," and a "text message blaster." This first-of-its-kind device in the UK was designed to send fraudulent texts impersonating banks and other official organizations, "all while allegedly bypassing network operators' anti-SMS-based phishing, or smishing, defenses," reports The Register. From the report: Thousands of messages were sent using this setup, City of London Police claimed on Friday, with those suspected to be behind the operation misrepresenting themselves as banks "and other official organizations" in their texts. [...] Huayong Xu, 32, of Alton Road in Croydon, was arrested on May 23 and remains the only individual identified by police in this investigation at this stage. He has been charged with possession of articles for use in fraud and will appear at Inner London Crown Court on June 26. The other individual, who wasn't identified and did not have their charges disclosed by police, was arrested on May 9 in Manchester and was bailed. [...]

Without any additional information to go on, it's difficult to make any kind of assumption about what these "text message blaster" devices might be. However, one possibility, judging from the messaging from the police, is that the plod are referring to an IMSI catcher aka a Stingray, which acts as a cellphone tower to communicate with people's handhelds. But those are intended primarily for surveillance. What's more likely is that the suspected UK device is perhaps some kind of SIM bank or collection of phones programmed to spam out shedloads of SMSes at a time.

storkus shares a report: Starting from 2030, Mastercard will no longer require Europeans to enter their card numbers manually when checking out online -- no matter what platform or device they're using. Mastercard will announce Tuesday in a fireside chat with CNBC that, by 2030, all cards it issues on its network in Europe will be tokenized. In other words, instead of the 16-digit card number we're all accustomed to using for transactions, this will be replaced with a randomly generated "token."

The firm says it's been working with banks, fintechs, merchants and other partners to phase out manual card entry for e-commerce by 2030 in Europe, in favor of a one-click button across all online platforms. This will ensure that consumers' cards are secure against fraud attempts, Mastercard says. Users won't have to keep entering passwords every time they try to make a payment, as Mastercard is introducing passkeys that replace passwords.

storkus comments: "This story, as currently written, says nothing about their plans outside Europe but in the past the USA in particular has been dead last in getting this kind of tech."

The definition of the word "bot" is shifting to become an insult to someone you know is human, according to researchers who analyzed more than 22 million tweets. Researchers found this shift began around 2017, with left-leaning users more likely to accuse right-leaning users of being bots. "A potential explanation might be that media frequently reported about right-wing bot networks influencing major events like the [2016] US election," says Dennis Assenmacher at Leibniz Institute for Social Sciences in Cologne, Germany. "However, this is just speculation and would need confirmation." NewScientist reports: To investigate, Assenmacher and his colleagues looked at how users perceive what is a bot or not. They did so by looking at how the word "bot" was used on Twitter between 2007 and December 2022 (the social network changed its name to X in 2023, following its purchase by Elon Musk), analyzing the words that appeared next to it in more than 22 million English-language tweets. The team found that before 2017, the word was usually deployed alongside allegations of automated behavior of the type that would traditionally fit the definition of a bot, such as "software," "script" or "machine." After that date, the use shifted. "Now, the accusations have become more like an insult, dehumanizing people, insulting them, and using this as a technique to deny their intelligence and deny their right to participate in a conversation," says Assenmacher. The study has been published in the journal Proceedings of the Eighteenth International AAAI Conference on Web and Social Media.

An anonymous reader quotes a report from Ars Technica: Internet service providers are again urging the Federal Communications Commission to impose new fees on Big Tech firms and use the money to subsidize broadband network deployment and affordability programs. If approved, the request would force Big Tech firms to pay into the FCC's Universal Service Fund (USF), which in turn distributes money to broadband providers. The request was made on June 6 by USTelecom, a lobby group for AT&T, Verizon, CenturyLink/Lumen, and smaller telcos. USTelecom has made similar arguments before, but its latest request to the FCC argues that the recent death of a broadband discount program should spur the FCC to start extracting money from Big Tech.

"Through focusing on the Big Tech companies who benefit most from broadband connectivity, the Commission will fairly allocate the burden of sustaining USF," USTelecom wrote in the FCC filing last week. The USF spends about $8 billion a year. Phone companies must pay a percentage of their revenue into the fund, and telcos generally pass those fees on to consumers with a "Universal Service" line item on telephone bills. The money is directed back to the telco industry with programs like the Connect America Fund and Rural Digital Opportunity Fund, which subsidize network construction in unserved and underserved areas. The USF also funds Lifeline program discounts for people with low incomes.

FCC Chairwoman Jessica Rosenworcel hasn't stated any intention to expand USF contributions to Big Tech. Separately, she rejected calls to impose Universal Service fees on broadband, leaving phone service as the only source of USF revenue. The USTelecom filing came in response to the FCC asking for input on its latest analysis of competition in the communications marketplace. USTelecom says the USF is relevant to the proceeding because "the Universal Service Fund is critical for maintaining a competitive marketplace and an expanded contributions base is necessary to sustain the fund." No changes to the USF would be made in this proceeding, though USTelecom's comments could be addressed in the FCC's final report.

At a New York Yankees baseball game, one fan discovered its concession stand doesn't accept cash. "An employee directed him to a kiosk that could convert his greenbacks into plastic," reports the Wall Street Journal, where the fan, "fed $200 into the reverse ATM, which subtracted a $3.50 fee and spat out a debit card with a balance of $196.50." Paying with cash used to be a way to get a discount. These days it can often cost an extra $1 to $6 — the sort of transaction fees once limited to swiping a credit card or using an out-of-network ATM. Reverse ATMs like those at Yankee Stadium are now common at cashless venues and restaurants across the country as a way to cater to those who prefer paying in cash. People who want to pay their parking tickets, tolls, taxes or phone bills in cash, meanwhile, often learn that government agencies and businesses have outsourced that option to companies that usually charge a fee.

All that can amount to a penalty on the people who prefer paying cash. Though it is more common to buy things with cards and mobile devices, cash remains the third-most popular way to pay, accounting for 16% of all payments in 2023, according to the Federal Reserve. That's down 2 percentage points from the year before, continuing a steady decline that accelerated during the pandemic. "It's unbelievable that we actually have to tell retailers, 'This is U.S. currency and it's something that should be accepted,' " said Jonathan Alexander, executive director of the Consumer Choice in Payment Coalition, a group of businesses and nonprofits lobbying for the continued acceptance of cash.

There aren't federal laws that require businesses to accept cash. States like Colorado and Rhode Island and cities like New York banned cashless retail establishments after many stores shifted to card-only transactions to reduce the spread of Covid-19, speed up transactions and cut back on theft. In 2023, lawmakers in the House of Representatives and the Senate introduced bills requiring that businesses accept cash for all in-person purchases under $500, unless they provide devices like a reverse ATM that don't charge fees. The bills haven't passed.

Cashless businesses can be a burden for older or lower-income shoppers who are less likely to have access to digital payments. They also pose challenges for younger people who haven't yet set up credit cards or bank accounts.
The article includes the story of an 18-year-old who earned cash by babysitting, then went to a hockey game and "was charged a 50-cent fee after putting $20 into a reverse ATM...to order chicken nuggets and a bottle of water." (Others who prefer cash "say paper money is anonymous, helps them keep spending under control and is better for tips," the article adds noting that roughly six in 10 Americans use cash for at least some of their purchases, according to Pew Research Center.)

The makers of one "reverse ATM" tell the Journal that whether or not someone gets charged a fee actually depends on what state they're in — and on the preferences of the venue that installed the ATM machine.

"Lansweeper's scans of its customers' networks found an awful lot of Linux boxes facing imminent end of life," reports the Register, "with no direct upgrade path." Belgian corporate network scanner vendor Lansweeper periodically collates some of the statistics collected by its users and publishes the results... This year's report says that while a third of its users' Linux machines run Ubuntu, second place goes to CentOS Linux [with 26.05%].

Back in 2020, Red Hat brought CentOS Linux 8's end of life forward from 2029 to the end of 2021. CentOS Linux 9 was canceled, CentOS Linux 8 is dead and gone, leaving only CentOS Linux 7. As we reported in May, CentOS 7's end of life is very close now — the end of June. After this month, no more updates.

Of course, Red Hat will be happy to help you migrate to RHEL. It offers a free tool to switch boxes' package source, but RHEL 7 hits what Red Hat terms "the end of its maintenance support 2 phase" on the same day. RHEL 7 isn't EOL, but you'll need to pay extra for "Extended Lifecycle Support (ELS)" to keep security fixes coming. Lansweeper seems confident this will happen: "Assuming most of the CentOS devices will migrate over to RHEL, we can expect RHEL to comfortably take over first place from Ubuntu soon."
RHEL was already on 20% of the machines scanned by Lansweeper (with Rocky Linux at 1.5%). But the Register argues that instead of switching to RHEL, "the freeloaders running CentOS Linux might well migrate to one of the RHELatives instead. CIQ publishes guidance on how to migrate to Rocky Linux, and will help if you buy its CIQ Bridge service. AlmaLinux has more than that with its ELevate tool to perform in-place version upgrades, as we described back in 2022.

"Or, of course, you could just reinstall with Debian, and run anything you can't immediately reprovision in a free RHEL container image."

The Marubo people, an isolated Indigenous tribe in the Amazon, have gained high-speed internet access through Elon Musk's Starlink service, drastically altering their traditional way of life. While the internet has brought significant benefits like improved communication and emergency response, it has also introduced challenges such as social media addiction, exposure to inappropriate content, and cultural erosion. The New York Times reports: After only nine months with Starlink, the Marubo are already grappling with the same challenges that have racked American households for years: teenagers glued to phones; group chats full of gossip; addictive social networks; online strangers; violent video games; scams; misinformation; and minors watching pornography. Modern society has dealt with these issues over decades as the internet continued its relentless march. The Marubo and other Indigenous tribes, who have resisted modernity for generations, are now confronting the internet's potential and peril all at once, while debating what it will mean for their identity and culture.

The internet was an immediate sensation. "It changed the routine so much that it was detrimental," [admitted one Marubo leader, Enoque Marubo]. "In the village, if you don't hunt, fish and plant, you don't eat." Leaders realized they needed limits. The internet would be switched on for only two hours in the morning, five hours in the evening, and all day Sunday. During those windows, many Marubo are crouched over or reclined in hammocks on their phones. They spend lots of time on WhatsApp. There, leaders coordinate between villages and alert the authorities to health issues and environmental destruction. Marubo teachers share lessons with students in different villages. And everyone is in much closer contact with faraway family and friends. To Enoque, the biggest benefit has been in emergencies. A venomous snake bite can require swift rescue by helicopter. Before the internet, the Marubo used amateur radio, relaying a message between several villages to reach the authorities. The internet made such calls instantaneous. "It's already saved lives," he said.

In April, seven months after Starlink's arrival, more than 200 Marubo gathered in a village for meetings. Enoque brought a projector to show a video about bringing Starlink to the villages. As proceedings began, some leaders in the back of the audience spoke up. The internet should be turned off for the meetings, they said. "I don't want people posting in the groups, taking my words out of context," another said. During the meetings, teenagers swiped through Kwai, a Chinese-owned social network. Young boys watched videos of the Brazilian soccer star Neymar Jr. And two 15-year-old girls said they chatted with strangers on Instagram. One said she now dreamed of traveling the world, while the other wants to be a dentist in Sao Paulo. This new window to the outside world had left many in the tribe feeling torn. "Some young people maintain our traditions," said TamaSay Marubo, 42, the tribe's first woman leader. "Others just want to spend the whole afternoon on their phones."

An anonymous reader shares a report: A Chinese research team says it has uncovered a significant security flaw in processor design that could have a wide impact on China's booming domestic chip industry. China was relying on the structure of the world's largest open-source CPU architecture to build their own CPUs and bypass the US chip ban, and was paying attention to any weaknesses, they said. The issue was found in RISC-V, an open-source standard used in advanced chips and semiconductors. Compared with mainstream CPU structures -- such as X86 used by Intel and AMD --RISC-V offers free access and can be modified without restriction.

The flaw allows attackers to bypass the security protections of modern processors and operating systems without administrative rights, leading to the potential theft of protected sensitive information and breaches of personal privacy. The vulnerability was confirmed by the team of Professor Hu Wei at Northwestern Polytechnical University (NPU), a major defence research institute in Shaanxi province. The researchers are experienced in hardware design security, vulnerability detection and cryptographic application safety. It was first reported by the National Computer Network Emergency Response Technical Team/Coordination Centre of China (CNCERT) on April 24, and NPU gave further details in an official announcement on May 24.

An anonymous reader quotes a report from The Guardian: Young people with internet addiction experience changes in their brain chemistry which could lead to more addictive behaviors, research suggests. The study, published in PLOS Mental Health, reviewed previous research using functional magnetic resonance imaging (fMRI) to examine how regions of the brain interact in people with internet addiction.

They found that the effects were evident throughout multiple neural networks in the brains of young people, and that there was increased activity in parts of the brain when participants were resting. At the same time, there was an overall decrease in the functional connectivity in parts of the brain involved in active thinking, which is the executive control network of the brain responsible for memory and decision-making. The research found that these changes resulted in addictive behaviors and tendencies in adolescents, as well as behavioral changes linked to mental health, development, intellectual ability and physical coordination. "Adolescence is a crucial developmental stage during which people go through significant changes in their biology, cognition and personalities," said Max Chang, the study's lead author and an MSc student at the UCL Great Ormond Street Institute of Child Health (GOS ICH). "As a result, the brain is particularly vulnerable to internet addiction-related urges during this time, such as compulsive internet usage, cravings towards usage of the mouse or keyboard and consuming media. The findings from our study show that this can lead to potentially negative behavioral and developmental changes that could impact the lives of adolescents. For example, they may struggle to maintain relationships and social activities, lie about online activity and experience irregular eating and disrupted sleep."

Chang said he hopes the findings allow early signs of internet addiction to be treated effectively. "Clinicians could potentially prescribe treatment to aim at certain brain regions or suggest psychotherapy or family therapy targeting key symptoms of internet addiction," said Chang. "Importantly, parental education on internet addiction is another possible avenue of prevention from a public health standpoint. Parents who are aware of the early signs and onset of internet addiction will more effectively handle screen time, impulsivity, and minimize the risk factors surrounding internet addiction."

TorrentFreak's Ernesto Van der Sar recalls the rise and fall of Napster, the file-sharing empire that kickstarted a global piracy frenzy 25 years ago. Here's an excerpt from his report: At the end of the nineties, technology and the Internet were a playground for young engineers and 'hackers'. Some of them regularly gathered in the w00w00 IRC chatroom on the EFnet network. This tech-think-tank had many notable members, including WhatsApp founder Jan Koum and Shawn Fanning, who logged on with the nickname Napster. In 1998, 17-year-old Fanning shared an idea with the group. 'Napster' wanted to create a network of computers that could share files with each other. More specifically, a central music database that everyone in the world could access.

This idea never left the mind of the young developer. Fanning stopped going to school and flanked by his friend Sean Parker, devoted the following months to making his vision a reality. That moment came on June 1, 1999, when the first public release of Napster was released online. Soon after, the software went viral. Napster was quickly embraced by millions of users, who saw the software as something magical. It was a gateway for musical exploration, one that dwarfed even the largest record stores in town. And all for free. It sounds mundane today, but some equated it to pure technological sorcery. For many top players in the music industry, Napster's sorcery was pure witchcraft. At the time, manufacturing CDs with high profit margins felt like printing money and Napster's appearance threatened to ruin the party. [...]

At the start of 2001, Napster's user base reached a peak of more than 26.4 million worldwide. Yet, despite huge growth and backing from investors, the small file-sharing empire couldn't overcome the legal challenges. The RIAA lawsuit resulted in an injunction from the Ninth Circuit Court, which ordered the network to shut down. This happened during July 2001, little more than two years after Napster launched. By September that year, the case had been settled for millions of dollars. While the Napster craze was over, file-sharing had mesmerized the masses and the genie was out of the bottle. Grokster, KaZaa, Morpheus, LimeWire, and many others popped up and provided sharing alternatives, for as long as they lasted. Meanwhile, BitTorrent was also knocking on the door. "Napster paved the way for Apple's iTunes store, to serve the demand that was clearly there," notes Ernesto. "This music streaming landscape was largely pioneered by a Napster 'fan' from Sweden, Daniel Ek."

"Like many others, Ek was fascinated by the 'all you can play' experience offered by file-sharing software, and that planted the seeds for the music streaming startup Spotify, where he still serves as CEO today. In fact, Spotify itself used file-sharing technology under the hood to ensure swift playback."

"The US Cybersecurity and Infrastructure Security Agency has added a critical security bug in Linux to its list of vulnerabilities known to be actively exploited in the wild," reported Ars Technica on Friday.

"The vulnerability, tracked as CVE-2024-1086 and carrying a severity rating of 7.8 out of a possible 10, allows people who have already gained a foothold inside an affected system to escalate their system privileges." It's the result of a use-after-free error, a class of vulnerability that occurs in software written in the C and C++ languages when a process continues to access a memory location after it has been freed or deallocated. Use-after-free vulnerabilities can result in remote code or privilege escalation. The vulnerability, which affects Linux kernel versions 5.14 through 6.6, resides in the NF_tables, a kernel component enabling the Netfilter, which in turn facilitates a variety of network operations... It was patched in January, but as the CISA advisory indicates, some production systems have yet to install it. At the time this Ars post went live, there were no known details about the active exploitation.

A deep-dive write-up of the vulnerability reveals that these exploits provide "a very powerful double-free primitive when the correct code paths are hit." Double-free vulnerabilities are a subclass of use-after-free errors...

Journalist Steven Brill has written a new book called The Death of Truth. Its subtitle? "How Social Media and the Internet Gave Snake Oil Salesmen and Demagogues the Weapons They Needed to Destroy Trust and Polarize the World-And What We Can Do."

An excerpt published by Wired points out that last year around the world, $300 billion was spent on "programmatic advertising", and $130 billion was spent in the United States alone in 2022. The problem? For over a decade there's been "brand safety" technology, the article points out — but "what artificial intelligence could not do was spot most forms of disinformation and misinformation..."

The end result... In 2019, other than the government of Vladimir Putin, Warren Buffett was the biggest funder of Sputnik News, the Russian disinformation website controlled by the Kremlin... Geico, the giant American insurance company and subsidiary of Buffett's Berkshire Hathaway, was the leading advertiser on the American version of Sputnik News' global website network... No one at Geico or its advertising agency had any idea its ads would appear on Sputnik, let alone what anti-American content would be displayed alongside the ads. How could they? Which person or army of people at Geico or its agency could have read 44,000 websites?

Geico's ads had been placed through a programmatic advertising system that was invented in the late 1990s as the internet developed. It exploded beginning in the mid 2000s and is now the overwhelmingly dominant advertising medium. Programmatic algorithms, not people, decide where to place most of the ads we now see on websites, social media platforms, mobile devices, streaming television, and increasingly hear on podcasts... If Geico's advertising campaign were typical of programmatic campaigns for broad-based consumer products and services, each of its ads would have been placed on an average of 44,000 websites, according to a study done for the leading trade association of big-brand advertisers.

Geico is hardly the only rock-solid American brand to be funding the Russians. During the same period that the insurance company's ads appeared on Sputnik News, 196 other programmatic advertisers bought ads on the website, including Best Buy, E-Trade, and Progressive insurance. Sputnik News' sister propaganda outlet, RT.com (it was once called Russia Today until someone in Moscow decided to camouflage its parentage), raked in ad revenue from Walmart, Amazon, PayPal, and Kroger, among others... Almost all advertising online — and even much of it on television (through streaming TV), or on podcasts, radio, mobile devices, and electronic billboards — is now done programmatically, which means the machine, not a planner, makes those placement decisions. Unless the advertiser uses special tools, such as what are called exclusion or inclusion lists, the publishers and content around which the ad appears, and which the ad is financing, are no longer part of the decision.
"What I kept hearing as the professionals explained it to me was that the process is like a stock exchange, except that the buyer doesn't know what stock he is buying... the advertiser and its ad agency have no idea where among thousands of websites its ad will appear."

This week the Washington Post reported that Americans "are more hesitant to buy EVs now than they were a year ago, according to a March Gallup poll, which found that just 44 percent of American adults say they'd consider buying an EV in the future, down from 55 percent last year. High prices and charging worries consistently rank as the biggest roadblocks for electric vehicles," they write, noting the concerns coincide with a slowdown in electric car and truck sales, while hybrids are increasing their market share.

But something else happened this week. The chair of California's Air Resource Board and the chair of the state's Energy Commission teamed up for an op-ed piece arguing that "despite negative hype," electric cars are their state's future: When California's electric vehicle sales dipped at the end of last year, critics predicted the start of a new downward trend that would doom the industry and the state's broader effort to clean up the transportation sector, the single largest source of greenhouse gases and air pollution. But the latest numbers show that's not the case. Californians purchased 108,372 new zero-emission vehicles in the first three months of 2024 — nearly 7,000 more than the same time last year and the highest-ever first-quarter sales.

Today, one in four new cars sold in the Golden State is electric, up from just 8% in 2020...

California is now home to 56 manufacturers of zero-emission vehicles and related products, making our state a hub for cutting-edge automotive technology. Soon even raw materials will be sourced in-state, paving the way for domestic battery production...

Challenges persist, and chief among them is the need for more widely available charging options. Many more charging stations need to be built as fast as possible to keep up with EV adoption. To address this, California is investing $4 billion over six years to rapidly build out the EV refueling network, on top of billions in investment by utilities. Equally essential is improved reliability of the EV charging network. Too many drivers today encounter faulty charging stations, which is why the California Energy Commission is developing the strongest charging reliability standards in the country and will require companies to be transparent with the public about their performance.
They also point out that California "now boasts more EV chargers in the state than gasoline nozzles."

And that it's become the first U.S. state whose best-selling car is electric.

An anonymous reader quotes an op-ed from The Globe and Mail, written by Kate Robertson and Ron Deibert. Robertson is a senior research associate and Deibert is director at the University of Toronto's Citizen Lab. From the piece: A federal cybersecurity bill, slated to advance through Parliament soon, contains secretive, encryption-breaking powers that the government has been loath to talk about. And they threaten the online security of everyone in Canada. Bill C-26 empowers government officials to secretly order telecommunications companies to install backdoors inside encrypted elements in Canada's networks. This could include requiring telcos to alter the 5G encryption standards that protect mobile communications to facilitate government surveillance. The government's decision to push the proposed law forward without amending it to remove this encryption-breaking capability has set off alarm bells that these new powers are a feature, not a bug.

There are already many insecurities in today's networks, reaching down to the infrastructure layers of communication technology. The Signalling System No. 7, developed in 1975 to route phone calls, has become a major source of insecurity for cellphones. In 2017, the CBC demonstrated how hackers only needed a Canadian MP's cell number to intercept his movements, text messages and phone calls. Little has changed since: A 2023 Citizen Lab report details pervasive vulnerabilities at the heart of the world's mobile networks. So it makes no sense that the Canadian government would itself seek the ability to create more holes, rather than patching them. Yet it is pushing for potential new powers that would infect next-generation cybersecurity tools with old diseases.

It's not as if the government wasn't warned. Citizen Lab researchers presented the 2023 report's findings in parliamentary hearings on Bill C-26, and leaders and experts in civil society and in Canada's telecommunications industry warned that the bill must be narrowed to prevent its broad powers to compel technical changes from being used to compromise the "confidentiality, integrity, or availability" of telecommunication services. And yet, while government MPs maintained that their intent is not to expand surveillance capabilities, MPs pushed the bill out of committee without this critical amendment last month. In doing so, the government has set itself up to be the sole arbiter of when, and on what conditions, Canadians deserve security for their most confidential communications -- personal, business, religious, or otherwise. The new powers would only make people in Canada more vulnerable to malicious threats to the privacy and security of all network users, including Canada's most senior officials. [...] "Now, more than ever, there is no such thing as a safe backdoor," the authors write in closing. "A shortcut that provides a narrow advantage for the few at the expense of us all is no way to secure our complex digital ecosystem."

"Against this threat landscape, a pivot is crucial. Canada needs cybersecurity laws that explicitly recognize that uncompromised encryption is the backbone of cybersecurity, and it must be mandated and protected by all means possible."

An anonymous reader quotes a report from KrebsOnSecurity: The U.S. Department of the Treasury today unveiled sanctions against three Chinese nationals for allegedly operating 911 S5, an online anonymity service that for many years was the easiest and cheapest way to route one's Web traffic through malware-infected computers around the globe. KrebsOnSecurity identified one of the three men in a July 2022 investigation into 911 S5, which was massively hacked and then closed ten days later.

From 2015 to July 2022, 911 S5 sold access to hundreds of thousands of Microsoft Windows computers daily, as "proxies" that allowed customers to route their Internet traffic through PCs in virtually any country or city around the globe -- but predominantly in the United States. 911 built its proxy network mainly by offering "free" virtual private networking (VPN) services. 911's VPN performed largely as advertised for the user -- allowing them to surf the web anonymously -- but it also quietly turned the user's computer into a traffic relay for paying 911 S5 customers. 911 S5's reliability and extremely low prices quickly made it one of the most popular services among denizens of the cybercrime underground, and the service became almost shorthand for connecting to that "last mile" of cybercrime. Namely, the ability to route one's malicious traffic through a computer that is geographically close to the consumer whose stolen credit card is about to be used, or whose bank account is about to be emptied.

In July 2022, KrebsOnSecurity published a deep dive into 911 S5, which found the people operating this business had a history of encouraging the installation of their proxy malware by any means available. That included paying affiliates to distribute their proxy software by secretly bundling it with other software. That story named Yunhe Wang from Beijing as the apparent owner or manager of the 911 S5 proxy service. In today's Treasury action, Mr. Wang was named as the primary administrator of the botnet that powered 911 S5. Update, May 29, 12:26 p.m. ET: The U.S. Department of Justice (DOJ) just announced they have arrested Wang in connection with the 911 S5 botnet. The DOJ says 911 S5 customers have stolen billions of dollars from financial institutions, credit card issuers, and federal lending programs. [...] The third man sanctioned is Yanni Zheng, a Chinese national the U.S. Treasury says acted as an attorney for Wang and his firm -- Spicy Code Company Limited -- and helped to launder proceeds from the business into real estate holdings. Spicy Code Company was also sanctioned, as well as Wang-controlled properties Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited. "911 S5 customers allegedly targeted certain pandemic relief programs," a DOJ statement on the arrest reads. "For example, the United States estimates that 560,000 fraudulent unemployment insurance claims originated from compromised IP addresses, resulting in a confirmed fraudulent loss exceeding $5.9 billion. Additionally, in evaluating suspected fraud loss to the Economic Injury Disaster Loan (EIDL) program, the United States estimates that more than 47,000 EIDL applications originated from IP addresses compromised by 911 S5. Millions of dollars more were similarly identified by financial institutions in the United States as loss originating from IP addresses compromised by 911 S5."

"Jingping Liu assisted Yunhe Wang by laundering criminally derived proceeds through bank accounts held in her name that were then utilized to purchase luxury real estate properties for Yunhe Wang," the document continues. "These individuals leveraged their malicious botnet technology to compromise personal devices, enabling cybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens with bomb threats."

The Biden administration on Tuesday laid out for the first time [PDF] a set of broad government guidelines around the use of carbon offsets in an attempt to shore up confidence in a method for tackling global warming that has faced growing criticism. From a report: Companies and individuals spent $1.7 billion last year voluntarily buying carbon offsets, which are intended to cancel out the climate effects of activities like air travel by funding projects elsewhere, such as the planting of trees, that remove carbon dioxide from the atmosphere, but that wouldn't have happened without the extra money.

Yet a growing number of studies and reports have found that many carbon offsets simply don't work. Some offsets help fund wind or solar projects that likely would have been built anyway. And it's often extremely difficult to measure the effectiveness of offsets intended to protect forests. As a result, some scientists and researchers have argued that carbon offsets are irredeemably flawed and should be abandoned altogether. Instead, they say, companies should just focus on directly cutting their own emissions.

The Biden administration is now weighing in on this debate, saying that offsets can sometimes be an important tool for helping businesses and others reduce their emissions, as long as there are guardrails in place. The new federal guidelines are an attempt to define "high-integrity" offsets as those that deliver real and quantifiable emissions reductions that wouldn't have otherwise taken place. [...] The new federal guidelines also urge businesses to focus first on reducing emissions within their own supply chains as much as possible before buying carbon offsets. Some companies have complained that it is too difficult to control their sprawling network of outside suppliers and that they should be allowed to use carbon offsets to tackle pollution associated with, for instance, the cement or steel they use.

PayPal hopes to boost its growth by starting an ad network [non-paywalled link] juiced with something it already owns: data on its millions of users. From a report: The digital payments company plans to build an ad sales business around the reams of data it generates from tracking the purchases as well as the broader spending behaviors of millions of consumers who use its services, which include the more socially-enabled Venmo app. PayPal has hired Mark Grether, who formerly led Uber's advertising business, to lead the effort as senior vice president and general manager of its newly-created PayPal Ads division. In his new role, he will be responsible for developing new ad formats, overseeing sales and hiring staff to fill out the division, he said.

PayPal in January introduced Advanced Offers, its first ad product, which uses AI and the company's data to help merchants target PayPal users with discounts and other personalized promotions. Advanced Offers only charges advertisers when consumers make a purchase. Online marketplaces eBay and Zazzle have begun testing it, according to a PayPal spokesman. But PayPal now aims to sell ads not only to its own customers, but to so-called non-endemic advertisers, or those that don't sell products or services through PayPal. Those companies might use PayPal data to target consumers with ads that could be displayed elsewhere, for instance, on other websites or connected TV sets.

A hacker group called RansomHub said it was behind the cyberattack that hit the Christie's website just days before its marquee spring sales began, forcing the auction house to resort to alternatives to online bidding. From a report: In a post on the dark web on Monday, the group claimed that it had gained access to sensitive information about the world's wealthiest art collectors, posting only a few examples of names and birthdays. It was not immediately possible to verify RansomHub's claims, but several cybersecurity experts said they were a known ransomware operation and that the claim was plausible. Nor was it clear if the hackers had gained access to more sensitive information, including financial data and client addresses. The group said it would release the data, posting a countdown timer that would reach zero by the end of May.

At Christie's, a spokesman said in a statement, "Our investigations determined there was unauthorized access by a third party to parts of Christie's network." The spokesman, Edward Lewine, said that the investigations "also determined that the group behind the incident took some limited amount of personal data relating to some of our clients." He added, "There is no evidence that any financial or transactional records were compromised." Hackers said that Christie's failed to pay a ransom when one was demanded.