An anonymous reader quotes a report from Ars Technica: An ex-Ubiquiti engineer, Nickolas Sharp, was sentenced to six years in prison yesterday after pleading guilty in a New York court to stealing tens of gigabytes of confidential data, demanding a $1.9 million ransom from his former employer, and then publishing the data publicly when his demands were refused. Sharp had asked for no prison time, telling United States District Judge Katherine Polk Failla that the cyberattack was actually an "unsanctioned security drill" that left Ubiquiti "a safer place for itself and for its clients," Bloomberg reported. In a court document (PDF), Sharp claimed that Ubiquiti CEO Robert Pera had prevented Sharp from "resolving outstanding security issues," and Sharp told the judge that this led to an "idiotic hyperfixation" on fixing those security flaws.

However, even if that was Sharp's true motivation, Failla did not accept his justification of his crimes, which include wire fraud, intentionally damaging protected computers, and lying to the FBI. "It was not up to Mr. Sharp to play God in this circumstance," Failla said. US attorney for the Southern District of New York, Damian Williams, argued (PDF) that Sharp was not a "cybersecurity vigilante" but an "inveterate liar and data thief" who was "presenting a contrived deception to the Court that this entire offense was somehow just a misguided security drill." Williams said that Sharp made "dozens, if not hundreds, of criminal decisions" and even implicated innocent co-workers to "divert suspicion." Sharp also had already admitted in pre-sentencing that the cyber attack was planned for "financial gain." Williams said Sharp did it seemingly out of "pure greed" and ego because Sharp "felt mistreated" -- overworked and underpaid -- by the IT company, Williams said.

Court documents show that Ubiquiti spent "well over $1.5 million dollars and hundreds of hours of employee and consultant time" trying to remediate what Williams described as Sharp's "breathtaking" theft. But the company lost much more than that when Sharp attempted to conceal his crimes -- posing as a whistleblower, planting false media reports, and contacting US and foreign regulators to investigate Ubiquiti's alleged downplaying of the data breach. Within a single day after Sharp planted false reports, stocks plummeted, causing Ubiquiti to lose over $4 billion in market capitalization value, court documents show. Williams had pushed the court to impose a sentence between eight to 10 years, arguing that anything less would be perceived by the public as a "slap on the wrist." Sharp's six-year term is slightly less than that, but in a press release, Williams described the sentence as imposing "serious penalties" for Sharp's "callous crimes." "He was disgruntled at his employer, planning to leave the company, and wanted to extort millions of dollars and cause damage on his way out," Williams said in his sentencing memo.

Former Coinbase product manager Ishan Wahi was sentenced to two years in prison for insider trading. Decrypt reports: Ishan Wahi, 32, and his associates -- including his brother, Nikhil -- made over $1.5 million from investing in new digital assets just before they were listed by America's biggest crypto exchange. Wahi was able to use his knowledge of incoming assets to buy them and then quickly sell them, to make huge profits. When the San Francisco-based exchange lists new coins and tokens, they quickly shoot up in value, a phenomenon known as "the Coinbase effect."

The Indian national tried to flee the country after being quizzed by Coinbase, the Department of Justice said. But he was stopped from boarding a flight to India by American cops. Wahi pleaded guilty in February to two counts of conspiracy to commit wire fraud brought against him by prosecutors in the Southern District of New York. Wahi, his brother and his friend, Sameer Ramani, were also hit with civil charges by the U.S. Securities and Exchange Commission. "[Wahi] violated the trust placed in him by his employer" by sharing the secret listings," said U.S. Attorney Damian Williams. "Today's sentence should send a strong signal to all participants in the cryptocurrency markets that the laws decidedly do apply to them."

FTX founder Sam Bankman-Fried is seeking the dismissal of 10 of the 13 charges against him over the collapse of the cryptocurrency exchange. Axios reports: Lawyers for Bankman-Fried, who's pleaded not guilty to fraud, conspiracy, campaign finance law violations and money laundering, in a filing argued that several of the charges failed to properly state an offense. The motion that was filed to the U.S. District Court for the Southern District of New York is seeking the dismissal of 10 of the 13 charges against him. "Simply making a false statement, by itself, does not constitute wire fraud unless it is made for the purpose of obtaining money or property from the victim of the fraud," Bankman-Fried's lawyers wrote.

According to Ars Technica, SBF's lawyers are essentially arguing that there's no evidence of harm caused because fraud requires a "scheme to cause economic loss to the victim," which prosecutors allegedly haven't proved. Instead, SBF alleges that federal prosecutors have concocted "a hodgepodge of different intangible losses" suffered by banks and lenders -- including "the right to honest services," "the loss of control of assets," and "the deprivation of valuable information." [...] "In the end, the Government is trying to transform allegations of dishonesty and unfair dealing into violations of the federal fraud statutes," SBF's lawyers wrote. "While such conduct may well be improper, it is not wire fraud."

The 31-year-old Bankman-Fried, who is currently under house arrest on a $250 million bond at his parents' home in Palo Alto, California, faces more than 155 years in prison if convicted on all counts. A trial has been scheduled for October.

An anonymous reader quotes a report from The Guardian: An EU plan under which all WhatsApp, iMessage and Snapchat accounts could be screened for child abuse content has hit a significant obstacle after internal legal advice said it would probably be annulled by the courts for breaching users' rights. Under the proposed "chat controls" regulation, any encrypted service provider could be forced to survey billions of messages, videos and photos for "identifiers" of certain types of content where it was suspected a service was being used to disseminate harmful material. The providers issued with a so-called "detection order" by national bodies would have to alert police if they found evidence of suspected harmful content being shared or the grooming of children.

Privacy campaigners and the service providers have already warned that the proposed EU regulation and a similar online safety bill in the UK risk end-to-end encryption services such as WhatsApp disappearing from Europe. Now leaked internal EU legal advice, which was presented to diplomats from the bloc's member states on 27 April and has been seen by the Guardian, raises significant doubts about the lawfulness of the regulation unveiled by the European Commission in May last year. The legal service of the council of the EU, the decision-making body led by national ministers, has advised the proposed regulation poses a "particularly serious limitation to the rights to privacy and personal data" and that there is a "serious risk" of it falling foul of a judicial review on multiple grounds.

The EU lawyers write that the draft regulation "would require the general and indiscriminate screening of the data processed by a specific service provider, and apply without distinction to all the persons using that specific service, without those persons being, even indirectly, in a situation liable to give rise to criminal prosecution." The legal service goes on to warn that the European court of justice has previously judged the screening of communications metadata is "proportionate only for the purpose of safeguarding national security" and therefore "it is rather unlikely that similar screening of content of communications for the purpose of combating crime of child sexual abuse would be found proportionate, let alone with regard to the conduct not constituting criminal offenses." The lawyers conclude the proposed regulation is at "serious risk of exceeding the limits of what is appropriate and necessary in order to meet the legitimate objectives pursued, and therefore of failing to comply with the principle of proportionality". The legal service is also concerned about the introduction of age verification technology and processes to popular encrypted services. "The lawyers write that this would necessarily involve the mass profiling of users, or the biometric analysis of the user's face or voice, or alternatively the use of a digital certification system they note 'would necessarily add another layer of interference with the rights and freedoms of the users,'" reports the Guardian.

"Despite the advice, it is understood that 10 EU member states -- Belgium, Bulgaria, Cyprus, Hungary, Ireland, Italy, Latvia, Lithuania, Romania and Spain -- back continuing with the regulation without amendment."

An anonymous reader quotes a report from KrebsOnSecurity: A sprawling online company based in Georgia that has made tens of millions of dollars purporting to sell access to jobs at the United States Postal Service (USPS) has exposed its internal IT operations and database of nearly 900,000 customers. The leaked records indicate the network's chief technology officer in Pakistan has been hacked for the past year, and that the entire operation was created by the principals of a Tennessee-based telemarketing firm that has promoted USPS employment websites since 2016. KrebsOnSecurity was recently contacted by a security researcher who said he found a huge tranche of full credit card records exposed online, and that at first glance the domain names involved appeared to be affiliated with the USPS. Further investigation revealed a long-running international operation that has been emailing and text messaging people for years to sign up at a slew of websites that all promise they can help visitors secure employment at the USPS.

Sites like FederalJobsCenter[.]com also show up prominently in Google search results for USPS employment, and steer applicants toward making credit card "registration deposits" to ensure that one's application for employment is reviewed. These sites also sell training, supposedly to help ace an interview with USPS human resources. FederalJobsCenter's website is full of content that makes it appear the site is affiliated with the USPS, although its "terms and conditions" state that it is not. Rather, the terms state that FederalJobsCenter is affiliated with an entity called US Job Services, which says it is based in Lawrenceville, Ga. The site says applicants need to make a credit card deposit to register, and that this amount is refundable if the applicant is not offered a USPS job within 30 days after the interview process. But a review of the public feedback on US Job Services and dozens of similar names connected to this entity over the years shows a pattern of activity: Applicants pay between $39.99 and $100 for USPS job coaching services, and receive little if anything in return. Some reported being charged the same amount monthly. Michael Martel, spokesperson for the United States Postal Inspection Service, said in a written statement that the USPS has no affiliation with the websites or companies named in this story.

"To learn more about employment with USPS, visit USPS.com/careers," Martel wrote. "If you are the victim of a crime online report it to the FBI's Internet Crime Complaint Center (IC3) at www.ic3.gov. To report fraud committed through or toward the USPS, its employees, or customers, report it to the United States Postal Inspection Service (USPIS) at www.uspis.gov/report."

A list of all the current sites selling this product can be found in Krebs' report.

An anonymous reader quotes a report from Ars Technica: The New York Police Department (NYPD) and New York City's self-proclaimed computer geek of a mayor are urging resident car owners to equip their vehicles with an Apple AirTag. During a press conference on Sunday, Mayor Eric Adams announced the distribution of 500 free AirTags to New Yorkers, saying the technology would aid in reducing the city's surging car theft numbers. Adams held the press conference at the 43rd precinct in the Bronx, where he said there had been 200 instances of grand larceny of autos. An NYPD official said that in New York City, 966 Hyundais and Kias have been stolen this year thus far, already surpassing 2022's 819 total. The NYPD's public crime statistics tracker says there have been 4,492 vehicle thefts this year, a 13.3 percent increase compared to the same period last year and the largest increase among NYC's seven major crime categories.

Adams, as the city did when announcing litigation against Kia and Hyundai on April 7, largely blamed the rise in car thefts on Kia and Hyundai, which he said are "leading the way" in stolen car brands. Hyundais and Kias were the subjects of the Kia Challenge TikTok trend that encouraged people to jack said vehicles with a mere USB-A cable. The topic has graduated way beyond a social media fad and into a serious concern. [...] Adams was adamant grand larceny auto numbers were dragging the city's overall crime numbers up and urged New Yorkers to "participate" in the fight against car theft by using an AirTag. NYPD Chief of Department Jeffrey Maddrey said users who report a stolen vehicle equipped with an AirTag will see the police use "drones, our StarChase technology & good old fashion police work to safely recover your stolen car."

"Help us help you, get an AirTag," he tweeted.

A former Apple employee has been sentenced to three years in prison and must pay back over $19 million in restitution for stealing around $17 million from the tech giant through mail and wire fraud schemes. From a report: Dhirendra Prasad, 55, was originally charged in March 2022 and later pleaded guilty to conspiring to defraud Apple and related tax crimes back in November last year. Prasad was employed at the company between 2008 and 2018, mostly working as a buyer in Apple's global service supply chain, purchasing parts and services from vendors. In his written plea agreement, Prasad admitted he started siphoning money from his employer around 2011 by accepting kickbacks, stealing parts, inflating invoices, and fraudulently charging Apple for goods that were never delivered. He also admitted to evading tax on the proceeds of his schemes and conspiring on these activities with the owners of two vendor companies, who have been charged in separate cases.

Daniel Shin, the co-founder of Terraform Labs, was indicted in South Korea in connection with the collapsed Terra and Luna cryptocurrencies. From a report: According to reports from Bloomberg and the local Yonhap News Agency, Shin was charged on Tuesday with offenses including fraud, breach of duty, and embezzlement. Prosecutors at Seoul Southern District Court also indicted nine other people with ties to Terra, some of whom had roles in marketing, systems development, and management, as reported by Bloomberg. The outlet also reports that prosecutors have frozen a total of 246.8 billion won (about $184.7 million) in assets from the individuals they charged.

It was a mix of spiritualism and financial education, remembers one patron of Generación Zoe, which "pitched itself as an 'educational and resource-creating community for personal, professional, financial and spiritual development,'" reports Rest of World: Generación Zoe claimed to make money through trading, and promised a 7.5% monthly return on investment for three years for those who put money into its "trust." In Argentina and other countries, other companies with the Zoe name peddled a similar narrative... It included a "university" that offered courses on ontological coaching, a type of philosophical practice popular in some Argentine business circles...

Over 2020 and 2021, more than ten thousand people bought into Zoe, investing hundreds of millions of dollars between them. Zoe grew rapidly, hyping new tech innovations including the "robots" and a cryptocurrency called Zoe Cash. Its interests and visibility expanded: The Zoe name appeared on burger joints, car dealerships, a plane rental company, and pet shops, all emblazoned with its name. It sponsored soccer teams and even created three of its own... Zoe also spread beyond Argentina to other countries in Latin America and further afield, including Mexico, Paraguay, Colombia, Spain, and the U.S.

Towards the end of 2021, however, the shine began to wear off, as authorities began looking into Zoe's activities... Zoe members reported being unable to withdraw the funds they had put into trusts or "robots," and in early 2022, the value of Zoe Cash plummeted. Angry investors banged on the doors of Zoe's branches, and investigations against Zoe and Cositorto piled up across Latin America, Spain, and the U.S.

By March 2022, a handful of high-profile names involved with Zoe in Argentina had been arrested, or were wanted by the authorities...
Prosecutors now accuse Zoe of being nothing more than a simple Ponzi scheme.

Mike Lynch, the tech entrepreneur once hailed as Britain's answer to Bill Gates, has lost an appeal against extradition to the US to answer criminal fraud charges. The Guardian reports: Lynch, the founding investor of the British cybersecurity firm Darktrace, is facing allegations that he duped the US firm Hewlett-Packard into overpaying when it struck an $11bn deal for his software firm Autonomy in 2011. Two high court judges considered Mike Lynch's challenge at a recent hearing in London and on Friday issued a ruling rejecting his appeal against extradition to face the charges.

Lynch, who could face a maximum prison sentence of 25 years if found guilty, has always denied the allegations and any wrongdoing. Lord Justice Lewis and Justice Julian Knowles ruled on Friday that Lynch, who made 500 million pounds from the sale to HP and was hailed as one of Britain's few global tech champions, should be extradited to the US to stand trial. Sushovan Hussain, Autonomy's former finance director, is already serving time in jail in the US after being found guilty of fraud relating to the same deal.

A spokesperson for Lynch said he was considering appealing to the European court of human rights. "Dr Lynch is very disappointed, but is reviewing the judgment and will continue to explore his options to appeal, including to the European court of human rights (ECHR)," he said. "The United States' legal overreach into the UK is a threat to the rights of all British citizens and the sovereignty of the UK." However, criminal defense law firm Corker Binning said that only 8% of applications to the ECHR in such cases -- seeking a Rule 39 order to stop the UK extradition until it has considered the case -- were successful last year.

Amazon has launched its Anti-Counterfeiting Exchange (ACX), an initiative to help retail stores label and track marketplace counterfeits as part of the e-commerce giant's efforts to crack down on organized crime on its platform, the company announced on Thursday. From a report: Online marketplaces in the United States including Amazon face hurdles in keeping counterfeiters off their platforms and fake merchandise from entering their warehouses. The new program mimics data exchange programs by the credit card industry to find scammers and identify their tactics. Stores and Amazon marketplace sellers can anonymously contribute information and records flagging counterfeiters to a third-party database or use the database to avoid doing business with the bad actors.

"We think it is critical to share information about confirmed counterfeiters to help the entire industry stop these criminals earlier," Dharmesh Mehta, Amazon's vice president of selling partner services, said in a statement. The Seattle-based retail giant piloted the anti-counterfeiting initiative in 2021 with an undisclosed number of apparel, home goods and cosmetics stores, where counterfeiting is most common.

The FBI, Interpol and the UK's National Crime Agency have accused Meta of making a "purposeful" decision to increase end-to-end encryption in a way that in effect "blindfolds" them to child sex abuse. From a report: The Virtual Global Taskforce, made up of 15 law enforcement agencies, issued a joint statement saying that plans by Facebook and Instagram-parent Meta to expand the use of end-to-end encryption on its platforms were "a purposeful design choice that degrades safety systems," including with regards to protecting children. The law enforcement agencies also warned technology companies more broadly about the need to balance safeguarding children online with protecting users' privacy. "The VGT calls for all industry partners to fully appreciate the impact of implementing system design decisions that result in blindfolding themselves to CSA [child sexual abuse] occurring on their platforms or reduces their capacity to identify CSA and keep children safe," the statement said.

An anonymous reader quotes a report from TorrentFreak: Last year, a U.S. federal court handed a 40-month prison sentence to Gary Bowser. The Canadian pleaded guilty to being part of the Nintendo hacking group "Team Xecuter" and has now served his time. In part due to his good behavior, Bowser got an early release from federal prison. [...] In a recent video interview with Nick Moses, Bowser explains that he was released from federal prison on March 28th. He is currently in processing at the Northwest Detention Center in Tacoma, Washington, to prepare for his return to Canada.

What his life will look like in Canada remains uncertain. However, in federal prison, Bowser has shown that he doesn't shy away from putting in work and helping other people in need. Aside from his prison job, he spent several nightly hours on suicide watch. The prison job brought in some meager income, a large part of which went to pay for the outstanding restitution he has to pay, which is $14.5 million in total. Thus far, less than $200 has been paid off. "I've been making payments of $25 per month, which they've been taking from my income because I had a job in federal prison. So far I paid $175," Bowser tells Nick Moses.

If Bowser manages to find a stable source of income in Canada, Nintendo will get a chunk of that as well. As part of a consent judgment, he agreed to pay $10 million to Nintendo, which is the main restitution priority. "The agreement with them is that the maximum they can take is 25 to 30 percent of your gross monthly income. And I have up to six months before I have to start making payments," Bowser notes. At that rate, it is unlikely that Nintendo will ever see the full amount. Or put differently, Bowser will carry the financial consequences of his Team-Xecuter involvement for the rest of his life.

Motherboard has discovered a swatting-as-a-service account on Telegram that uses computer generated voices to issue bomb and mass shooting threats against highschools and other locations across the country. An anonymous reader shares an excerpt from the report: Known as "Torswats" on the messaging app Telegram, the swatter has been calling in bomb and mass shooting threats against highschools and other locations across the country. Torswat's connection to these wide ranging swatting incidents has not been previously reported. The further automation of swatting techniques threatens to make an already dangerous harassment technique more prevalent. Swatting is when someone calls in a bogus threat in an attempt to direct law enforcement resources to a particular home, school, or other location. Often, swatting calls result in heavily armed police raiding an innocent victim's home. At least one case has resulted in police killing the unsuspecting occupant.

Torswats carries out these threatening calls as part of a paid service they offer. For $75, Torswats says they will close down a school. For $50, Torswats says customers can buy "extreme swattings," in which authorities will handcuff the victim and search the house. Torswats says they offer discounts to returning customers, and can negotiate prices for "famous people and targets such as Twitch streamers." Torswats says on their Telegram channel that they take payment in cryptocurrency. [...] On their Telegram channel, Torswats has uploaded at least 35 distinct recordings of calls they appear to have made. Torswats may have made many more swatting calls on others' behalf, though: each filename includes a number, with the most recent going up to 170. Torswats also recently shuttered their channel before reappearing on Telegram in February.

In all of those 35 recordings except two, Torswats appears to have used a synthesized voice. The majority of the calls are made with a fake male sounding voice; several include a woman which also appears to be computer generated. Torswats is seemingly able to change what the voice is saying in something close to real-time in order to respond to the operator's questions. These sometimes include "where are you located," "what happened," and "what is your name?" [...] Earlier this month, Torswats allegedly changed their tactics: they claimed to have made a swatting call using their own voice. In the subsequent recording, they start with much the same script as their automated voice. "I've done something really bad and want to kill myself," they tell the operator. They then claim they came out to their parents as a transgender woman, that they have an AR-15, and will shoot any police who respond. "Forgot to cut off my laugh at the end," Torswats wrote on Telegram.

"Early Wednesday, San Francisco police made an arrest in the April 4th killing of tech exec Bob Lee," writes Slashdot reader xevioso. "Lee was stabbed in the early hours of April 4th, and later died. His killing prompted a host of claims that this was yet another example of San Francisco's slide into chaos, but the person arrested is reportedly another tech exec." Mission Local reports: The alleged killer also works in tech and is a man Lee purportedly knew. We are told that police today were dispatched to Emeryville with a warrant to arrest a man named Nima Momeni. The name and Emeryville address SFPD officers traveled to correspond with this man, the owner of a company called Expand IT.

Multiple police sources have described the predawn knifing that last week left the 43-year-old Lee dead in a deserted section of downtown San Francisco as neither a robbery attempt nor a random attack. Rather, Lee and Momeni were portrayed by police as being familiar with one another. In the wee hours of April 4, they were purportedly driving together through downtown San Francisco in a car registered to the suspect. Some manner of confrontation allegedly commenced while both men were in the vehicle, and potentially continued after Lee exited the car. Police allege that Momeni stabbed Lee multiple times with a knife that was recovered not far from the spot on the 300 block of Main Street to which officers initially responded.

Federal authorities are making arrests and seizing funds with the help of new tools to identify criminals through cryptocurrency transactions. From a report: James Zhong appeared to have pulled off the perfect crime. In December 2012, he stumbled upon a software bug while withdrawing money from his account on Silk Road, an online marketplace used to hide criminal dealings behind the seemingly bulletproof anonymity of blockchain transactions and the dark web. Mr. Zhong, a 22-year-old University of Georgia computer-science student at the time, used the site to buy cocaine. "I accidentally double-clicked the withdraw button and was shocked to discover that it resulted in allowing me to withdraw double the amount of bitcoin I had deposited," he later said in federal court. After the first fraudulent withdrawal, Mr. Zhong created new accounts and with a few hours of work stole 50,000 bitcoins worth around $600,000, court papers from federal prosecutors show.

Federal officials closed Silk Road a year later on criminal grounds and seized computers that held its transaction records. The records didn't reveal Mr. Zhong's caper at first. Authorities hadn't yet mastered how to track people and groups hidden behind blockchain wallet addresses, the series of letters and numbers used to anonymously send and receive cryptocurrency. One elemental feature of the system was the privacy it gave users. Mr. Zhong moved the stolen bitcoins from one account to another for eight years to cover his tracks. By late 2021, the red-hot crypto market had raised the value of his trove to $3.4 billion. In November 2021, federal agents surprised Mr. Zhong with a search warrant and found the digital keys to his crypto fortune hidden in a basement floor safe and a popcorn tin in the bathroom. Mr. Zhong, who pleaded guilty to wire fraud, is scheduled to be sentenced Friday in New York federal court, where prosecutors are seeking a prison sentence of less than two years.

Mr. Zhong's case is one of the highest-profile examples of how federal authorities have pierced the veil of blockchain transactions. Private and government investigators can now identify wallet addresses associated with terrorists, drug traffickers, money launderers and cybercriminals, all of which were supposed to be anonymous. Law-enforcement agencies, working with cryptocurrency exchanges and blockchain-analytics companies, have compiled data gleaned from earlier investigations, including the Silk Road case, to map the flow of cryptocurrency transactions across criminal networks worldwide. In the past two years, the U.S. has seized more than $10 billion worth of digital currency through successful prosecutions, according to the Internal Revenue Service -- in essence, by following the money. Instead of subpoenas to banks or other financial institutions, investigators can look to the blockchain for an instant snapshot of the money trail.

An anonymous reader quotes a report from The Verge: The New York Police Department is reenlisting Digidog, the four-legged robot that the city faced backlash for deploying a few years back, as reported earlier by The New York Times. NYC Mayor Eric Adams announced the news during a press event on Tuesday, stating that the use of Digidog in the city can "save lives." Digidog -- also known as Spot -- is a remote-controlled robot made by the Hyundai-owned Boston Dynamics. It's designed to work in situations that may pose a threat to humans, helping to do things like perform inspections in dangerous areas and monitor construction sites. However, Boston Dynamics also touts its use as a public safety tool, which the NYPD has tried in the past.

City officials say that the NYPD will acquire two robot dogs for a total of $750,000, according to the NYT, and that they will only be used during life-threatening situations, such as bomb threats. "I believe that technology is here; we cannot be afraid of it," Mayor Adams said during Tuesday's press conference. "A few loud people were opposed to it, and we took a step back — that is not how I operate. I operate on looking at what's best for the city." The Surveillance Technology Oversight Project (STOP), a group that advocates against the use of local and state-level surveillance, has denounced Mayor Adams' move. "The NYPD is turning bad science fiction into terrible policing," Albert Fox Cahn, STOP's executive director, says in a statement. "New York deserves real safety, not a knockoff robocop. Wasting public dollars to invade New Yorkers' privacy is a dangerous police stunt."

The new management of FTX, headed by CEO John Ray III, on Sunday released its first interim report on control failures at the collapsed crypto exchange. There is a lot to digest. The Block: The 45-page report -- published Sunday afternoon by FTX Trading Ltd and its affiliated debtors -- describes in painstaking detail FTX's slapdash record-keeping, near non-existent cybersecurity defenses and its sparse expertise in key areas like finance. One of the more eye-catching items concerned Alameda Research, the trading firm that allegedly had access to billions of dollars in customer funds stored with FTX. The report states that Alameda "often had difficulty understanding what its positions were, let alone hedging or accounting for them."

Former CEO Sam Bankman-Fried, now under house arrest and facing a litany of criminal charges, described Alameda in internal communications as "hilariously beyond any threshold of any auditor being able to even get partially through an audit," according to the report. He went on: "Alameda is unauditable. I don't mean this in the sense of 'a major accounting firm will have reservations about auditing it'; I mean this in the sense of 'we are only able to ballpark what its balances are, let alone something like a comprehensive transaction history.' We sometimes find $50m of assets lying around that we lost track of; such is life."

"Thieves has discovered new ways to steal cars by pulling off smart devices (like smart headlights) to get at and attack via the Controller Area Network (CAN) bus," writes longtime Slashdot reader KindMind. The Register reports: A Controller Area Network (CAN) bus is present in nearly all modern cars, and is used by microcontrollers and other devices to talk to each other within the vehicle and carry out the work they are supposed to do. In a CAN injection attack, thieves access the network, and introduce bogus messages as if it were from the car's smart key receiver. These messages effectively cause the security system to unlock the vehicle and disable the engine immobilizer, allowing it to be stolen. To gain this network access, the crooks can, for instance, break open a headlamp and use its connection to the bus to send messages. From that point, they can simply manipulate other devices to steal the vehicle.

"In most cars on the road today, these internal messages aren't protected: the receivers simply trust them," [Ken Tindell, CTO of Canis Automotive Labs] detailed in a technical write-up this week. The discovery followed an investigation by Ian Tabor, a cybersecurity researcher and automotive engineering consultant working for EDAG Engineering Group. It was driven by the theft of Tabor's RAV4. Leading up to the crime, Tabor noticed the front bumper and arch rim had been pulled off by someone, and the headlight wiring plug removed. The surrounding area was scuffed with screwdriver markings, which, together with the fact the damage was on the kerbside, seemed to rule out damage caused by a passing vehicle. More vandalism was later done to the car: gashes in the paint work, molding clips removed, and malfunctioning headlamps. A few days later, the Toyota was stolen.

Refusing to take the pilfering lying down, Tabor used his experience to try to figure out how the thieves had done the job. The MyT app from Toyota -- which among other things allows you to inspect the data logs of your vehicle -- helped out. It provided evidence that Electronic Control Units (ECUs) in the RAV4 had detected malfunctions, logged as Diagnostic Trouble Codes (DTCs), before the theft. According to Tindell, "Ian's car dropped a lot of DTCs." Various systems had seemingly failed or suffered faults, including the front cameras and the hybrid engine control system. With some further analysis it became clear the ECUs probably hadn't failed, but communication between them had been lost or disrupted. The common factor was the CAN bus.

An anonymous reader quotes a report from MacRumors: An Apple Store at the Alderwood Mall was burgled last weekend, with thieves infiltrating the location through a nearby coffee shop. According to Seattle's King 5 News, thieves broke into Seattle Coffee Gear, went into the bathroom, and cut a hole in the wall to get to the Apple Store backroom. The burglars were able to bypass the Apple Store's security system by using the adjacent coffee shop, stealing a total of 436 iPhones that were worth around $500,000.

According to Seattle Coffee Gear manager Eric Marks, the coffee shop is not noticeably adjacent to the Apple Store because of the way that the store is laid out. "I would have never suspected we were adjacent to the Apple Store, how it wraps around I mean," Marks told King 5 News. "So, someone really had to think it out and have access to the mall layout." Police were able to obtain surveillance footage of the theft, but as it is part of an active investigation, it has not yet been released. Nothing was stolen from the coffee shop, but it will cost $1,500 to replace locks and repair the bathroom wall.