Power

How to Defeat Putin and Save the Planet (nytimes.com)

This week the New York Times published an opinion piece by three-time Pulitzer Prize winner Thomas L. Friedman arguing that greener energy is the best response to Russia's invasion of Ukraine.

Friedman starts by decrying America's "umpteenth confrontation with a petro-dictator whose viciousness and recklessness are possible only because of the oil wealth he extracts from the ground." "No matter how the war ends in Ukraine, it needs to end with America finally, formally, categorically and irreversibly ending its addiction to oil. Nothing has distorted our foreign policy, our commitments to human rights, our national security and, most of all, our environment more than our oil addiction. Let this be the last war in which we and our allies fund both sides.... As long as we're addicted to oil, we are always going to be begging someone, usually a bad guy, to move the price up or down, because we alone are not masters of our own fate. This has got to stop..."
Friedman notes that global oil prices collapsing between 1988 and 1992 "helped bankrupt the Soviet Union and hasten its collapse.... We can create the same effects today by overproducing renewables and overemphasizing energy efficiency."

Among his suggestions are requiring power companies to transition faster to renewable energy sources — as well as "eliminating the regulatory red tape around installing rooftop solar systems."

And he's also got a solution for the spike in fuel prices: If you want to lower gasoline prices today, the most surefire, climate-safe method would be to reduce the speed limit on highways to 60 miles per hour and ask every company in America that can do so to let its employees work at home and not commute every day. Those two things would immediately cut demand for gasoline and bring down the price.

Is that too much to ask to win the war against petro-dictators like Putin — a victory in which the byproduct is cleaner air, not burning tanks?

Power

US President Invokes Emergency Authority Prioritizing Pursuit of EV Battery Minerals (cnbc.com)

U.S. president Joe Biden "will invoke the Defense Production Act to encourage domestic production of minerals required to make batteries for electric vehicles and long-term energy storage," reports CNBC.

"It will also help the U.S. minimize dependence on foreign supply chains." The president's order could help companies receive government funding for feasibility studies on projects that extract materials, including lithium, nickel, cobalt, graphite and manganese, for EV production.

The Defense Production Act, established by President Harry Truman during the Cold War, allows the president to use emergency authority to prioritize the development of specific materials for national production.... The administration also said it's reviewing further uses of the law to "secure safer, cleaner, and more resilient energy for America."

The transportation sector is one of the largest contributors to U.S. greenhouse gas emissions, representing about one-third of emissions every year. The transition away from gas vehicles to EVs is considered critical to combating human-caused climate change....

The administration in February unveiled a plan to allocate $5 billion to states to fund EV chargers over five years as part of the bipartisan infrastructure package.

The White House said in a statement the move would reduce America's reliance on China and other countries "for the minerals and materials that will power our clean energy future."
Crime

Ubiquiti Files Case Against Security Blogger Krebs Over 'False Accusations' (itwire.com)

In March of 2021 the Krebs on Security blog reported that Ubiquiti, "a major vendor of cloud-enabled Internet of Things devices," had disclosed a breach exposing customer account credentials. But Krebs added that a company source "alleges" that Ubiquiti was downplaying the severity of the incident — which is not true, says Ubiquiti.

Krebs' original post now includes an update — putting the word "breach" in quotation marks, and noting that actually a former Ubiquiti developer had been indicted for the incident...and also for trying to extort the company. It was that extortionist, Ubiquiti says, who'd "alleged" they were downplaying the incident (which the extortionist had actually caused themselves).

Ubiquiti is now suing Krebs, "alleging that he falsely accused the company of 'covering up' a cyberattack," ITWire reports: In its complaint, Ubiquiti said contrary to what Krebs had reported, the company had promptly notified its clients about the attack and instructed them to take additional security precautions to protect their information. "Ubiquiti then notified the public in the next filing it made with the SEC. But Krebs intentionally disregarded these facts to target Ubiquiti and increase ad revenue by driving traffic to his website, www.KrebsOnSecurity.com," the complaint alleged.

It said there was no evidence to support Krebs' claims and only one source, [the indicted former employee] Nickolas Sharp....

According to the indictment issued by the Department of Justice against Sharp in December 2021, after publication of the articles in question on 30 and 31 March, Ubiquiti's stock price fell by about 20% and the company lost more than US$4 billion (A$5.32 billion) in market capitalisation.... The complaint alleged Krebs had intentionally misrepresented the truth because he had a financial incentive to do so, adding, "His entire business model is premised on publishing stories that conform to this narrative...."

"Through its investigation, Ubiquiti learned that Sharp had used his administrative access codes (which Ubiquiti provided to him as part of his employment) to download gigabytes of data. Sharp used a Virtual Private Network (VPN) to mask his online activity, and he also altered log retention policies and related files to conceal his wrongful actions," the complaint alleged. "Ubiquiti shared this information with federal authorities and the company assisted the FBI's investigation into Sharp's blackmail attempt. The federal investigation culminated with the FBI executing a search warrant on Sharp's home on 24 March 2021." The complaint then went into detail about how Sharp contacted Krebs and how the story came to be published.

Krebs was accused of two counts of defamation, with Ubiquiti seeking a jury trial and asking for a judgment against him that awarded compensatory damages of more than US$75,000, punitive damages of US$350,000, all expenses and costs including lawyers' fees and any further relief deemed appropriate by the court.

Krebs' follow-up post in December had included more details: Investigators say they were able to tie the downloads to Sharp and his work-issued laptop because his Internet connection briefly failed on several occasions while he was downloading the Ubiquiti data. Those outages were enough to prevent Sharp's Surfshark VPN connection from functioning properly — thus exposing his Internet address as the source of the downloads...

Several days after the FBI executed its search warrant, Sharp "caused false or misleading news stories to be published about the incident," prosecutors say. Among the claims made in those news stories was that Ubiquiti had neglected to keep access logs that would allow the company to understand the full scope of the intrusion. In reality, the indictment alleges, Sharp had shortened to one day the amount of time Ubiquiti's systems kept certain logs of user activity in AWS.

Thanks to Slashdot reader juul_advocate for sharing the story...
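The indictment excerpt above describes a concealment technique worth detecting rather than just reading about: an insider with administrative access shortening CloudWatch Logs retention to one day so that activity records age out before anyone looks. The following is an added example, not code from Krebs, Ubiquiti or the indictment. It scans CloudTrail records for CloudWatch Logs API calls that shorten retention below a threshold or delete log groups and streams, and then groups the hits by actor so a burst from one identity stands out. The record shape follows CloudTrail's logging of the CloudWatch Logs API (`eventSource` of `logs.amazonaws.com`, `eventName` such as `PutRetentionPolicy`, `requestParameters.retentionInDays`); the sample records, user names, IP addresses, log group names and the 30-day threshold are constructed for the example.

```python
"""Flag CloudTrail records that shorten or destroy CloudWatch Logs data.

Added example (not from the page's sources). The record layout follows how
CloudTrail logs the CloudWatch Logs API; the sample records below are
constructed, and MIN_RETENTION_DAYS is an assumed policy threshold.
"""
import json
from collections import Counter
from typing import Dict, List, Optional

# Retention (in days) below which a PutRetentionPolicy call is treated as
# suspicious. Assumed value for the example; set it to your own policy.
MIN_RETENTION_DAYS = 30

# Constructed CloudTrail records, not real account data. Record 1 mirrors the
# technique in the indictment: retention on an audit log group cut to one day.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2020-12-20T03:14:07Z", "eventSource": "logs.amazonaws.com",
     "eventName": "PutRetentionPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "admin-example"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"logGroupName": "/aws/app/audit",
                           "retentionInDays": 1}},
    {"eventTime": "2020-12-20T03:15:11Z", "eventSource": "logs.amazonaws.com",
     "eventName": "DeleteLogStream",
     "userIdentity": {"type": "IAMUser", "userName": "admin-example"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"logGroupName": "/aws/app/access",
                           "logStreamName": "i-0example"}},
    {"eventTime": "2020-12-20T09:00:00Z", "eventSource": "logs.amazonaws.com",
     "eventName": "PutRetentionPolicy",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ops/ops"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"logGroupName": "/aws/app/debug",
                           "retentionInDays": 365}},
    {"eventTime": "2020-12-20T09:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "reader-example"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": None},
]})

# CloudWatch Logs calls that destroy data outright, regardless of parameters.
DESTRUCTIVE_EVENTS = {"DeleteLogGroup", "DeleteLogStream"}


def _actor(record: Dict) -> str:
    """Best-effort identity string: IAM user name, else the principal ARN."""
    ident = record.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or "unknown"


def find_log_tampering(cloudtrail_json: str,
                       min_days: int = MIN_RETENTION_DAYS) -> List[Dict]:
    """Return one alert dict per record that shortens or deletes log data."""
    alerts: List[Dict] = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        # Only the CloudWatch Logs service can change retention; skip the rest.
        if rec.get("eventSource") != "logs.amazonaws.com":
            continue
        name = rec.get("eventName")
        params = rec.get("requestParameters") or {}
        reason: Optional[str] = None
        if name == "PutRetentionPolicy":
            days = params.get("retentionInDays")
            if isinstance(days, int) and days < min_days:
                reason = f"retention shortened to {days} day(s), below {min_days}"
        elif name in DESTRUCTIVE_EVENTS:
            reason = f"{name} removes stored log data"
        if reason:
            alerts.append({
                "time": rec.get("eventTime"),
                "actor": _actor(rec),
                "source_ip": rec.get("sourceIPAddress"),
                "event": name,
                "log_group": params.get("logGroupName"),
                "reason": reason,
            })
    return alerts


def alerts_by_actor(alerts: List[Dict]) -> Dict[str, int]:
    """Count suspicious log-tampering events per identity."""
    return dict(Counter(a["actor"] for a in alerts))


if __name__ == "__main__":
    found = find_log_tampering(SAMPLE_CLOUDTRAIL)
    for a in found:
        print(f'{a["time"]} {a["actor"]} {a["source_ip"]} {a["event"]} '
              f'{a["log_group"]}: {a["reason"]}')
    print("per actor:", alerts_by_actor(found))
```

Two of the four constructed records trip the check: the one-day retention change on the audit group and the stream deletion, both from the same identity within a minute. The 365-day change and the unrelated EC2 call pass. In practice this logic belongs in whatever consumes CloudTrail continuously (an EventBridge rule, a SIEM query, or a scheduled job over the S3 trail), because the whole point of the technique is that the evidence expires if detection waits.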
Privacy

Writing Google Reviews About Patients Is Actually a HIPAA Violation (theverge.com)

"According to The Verge, health providers writing Google reviews about patients with identifiable information is a HIPAA violation," writes Slashdot reader August Oleman. From the report: In the past few years, the phrase 'HIPAA violation' has been thrown around a lot, often incorrectly. People have cited the law, which protects patient health information, as a reason they can't be asked if they're vaccinated or get a doctor's note for an employer. But asking someone if they're vaccinated isn't actually a HIPAA violation. That's a fine and not-illegal thing for one non-doctor to ask another non-doctor. What is a HIPAA violation is what U. Phillip Igbinadolor, a dentist in North Carolina, did in September 2015, according to the Department of Health and Human Services. After a patient left an anonymous, negative Google review, he logged on and responded with his own post on the Google page, saying that the patient missed scheduled appointments. [...]

In the post, he used the patient's full name and described, in detail, the specific dental problem he was in for: "excruciating pain" from the lower left quadrant, which resulted in a referral for a root canal. That's what a HIPAA violation actually looks like. The law says that healthcare providers and insurance companies can't share identifiable, personal information without a patient's consent. In this case, the dentist (a healthcare provider) publicly shared a patient's name, medical condition, and medical history (personal information). As a result, the office was fined $50,000 (PDF).

AI

Face Scanner Clearview AI Aims To Branch Out Beyond Police (apnews.com)

A controversial facial recognition company that's built a massive photographic dossier of the world's people for use by police, national governments and -- most recently -- the Ukrainian military is now planning to offer its technology to banks and other private businesses. The Washington Post reports: Clearview AI co-founder and CEO Hoan Ton-That disclosed the plans Friday to The Associated Press in order to clarify a recent federal court filing that suggested the company was up for sale. "We don't have any plans to sell the company," he said. Instead, he said the New York startup is looking to launch a new business venture to compete with the likes of Amazon and Microsoft in verifying people's identity using facial recognition.

The new "consent-based" product would use Clearview's algorithms to verify a person's face, but would not involve its ever-growing trove of some 20 billion images, which Ton-That said is reserved for law enforcement use. Such ID checks that can be used to validate bank transactions or for other commercial purposes are the "least controversial use case" of facial recognition, he said. That's in contrast to the business practice for which Clearview is best known: collecting a huge trove of images posted on Facebook, YouTube and just about anywhere else on the publicly-accessible internet.

Crime

Twitter User Sentenced To 150 Hours of Community Service In UK For Posting 'Offensive' Tweet (theverge.com)

A Twitter user from the UK named Joseph Kelly has been sentenced to 150 hours of community service for posting a "grossly offensive" tweet about Captain Sir Tom Moore, a British Army officer who raised money for the NHS during the pandemic. The Verge reports: Moore became a national figure in the UK after walking 100 laps around his garden before his 100th birthday. He was later knighted by the Queen. The day after his death, Kelly, 36, tweeted "the only good Brit soldier is a deed one, burn auld fella buuuuurn." Kelly was found guilty in February last year and faced possible jail time. His case brought attention to an often-criticized piece of UK legislation that allows social media users to be prosecuted for sending "grossly offensive" messages.

As reported by The National, Kelly was sentenced on Wednesday. His defense argued that Kelly had few followers on Twitter at the time; that he had been drinking before writing the post; and that he deleted the tweet just 20 minutes after sending it. "He accepts he was wrong. He did not anticipate what would happen. He took steps almost immediately to delete the tweet but the genie was out of the bottle by then," said Kelly's defence agent Tony Callahan. "His level of criminality was a drunken post, at a time when he was struggling emotionally, which he regretted and almost instantly removed." Kelly was sentenced to 18 months of supervision and 150 hours of unpaid work in the form of a Scottish Community Payback Order (CPO).

Advertising

Chrome's 'Topics' Advertising System Is Here, Whether You Want It Or Not (arstechnica.com)

slack_justyb writes: After the failure of the Chrome user-tracking system that was called FLoC, Google's latest try at topic tracking to replace the 3rd party cookie (that Chrome is the only browser to still support) is FLEDGE and the most recent drop of Canary has this on full display for users and privacy advocates to dive deeper into. This recent release shows Google's hand that it views user tracking as a mandatory part of internet usage, especially given this system's eye-rolling name of "Privacy Sandbox" and the tightness in the coupling of this new API to the browser directly.

The new API will allow the browser itself to build what it believes to be things that you are interested in, based on broad topics that Google creates. New topics and methods for how you are placed into those topics will be added to the browser's database and indexing software via updates from Google. The main point to take away here though is that the topic database is built using your CPU's time. At this time, opting out of the browser building this interest database is possible, thus saving you a few cycles from being used for that purpose. In the future there may not be a way to stop the browser from using cycles to build the database; the only means may be to just constantly remove all interest from your personal database. At this time there doesn't seem to be any way to completely turn off the underlying API. A website that expects this API will always succeed in "some sort of response" so long as you are using Chrome. The response may be that you are interested in nothing, but a response nonetheless. Of course, sending a response of "interested in nothing" would more than likely require someone constantly, and timely, clearing out the interest database, especially if at some later time the option to turn off the building of the database is removed.

With 82% of Google's empire based on ad revenue, this latest development in Chrome shows that Google is not keen on any moves to threaten their main money maker. Google continues to argue that it is mandatory that it builds a user tracking and advertising system into Chrome, and the company says it won't block third-party cookies until it accomplishes that -- no matter what the final solution may ultimately be. The upshot, if it can be called that, of the FLEDGE API over FLoC, is that abuse of FLEDGE looks to yield less valuable results. And attempting to use the API alone to pick out an individual user via fingerprinting or other methods employed elsewhere seems to be rather difficult to do. But only time will tell if that remains true or just Google idealizing this new API.
As for the current timeline, here's what the company had to say in the latest Chromium Blog post: "Starting today, developers can begin testing globally the Topics, FLEDGE, and Attribution Reporting APIs in the Canary version of Chrome. We'll progress to a limited number of Chrome Beta users as soon as possible. Once things are working smoothly in Beta, we'll make API testing available in the stable version of Chrome to expand testing to more Chrome users."
Piracy

Russia's Site-Blocking System Isn't Performing and Could Even Collapse (torrentfreak.com)

Blocking access to internet resources requires lots of hardware but due to sanctions, there are fears in Russia that a breakdown in systems operations may be just months away. Andy Maxwell, reporting for TorrentFreak: Russia's invasion of Ukraine has been going on for more than a month. It isn't going to plan. In parallel with the terrible images being shared around the world, Russia is using its infamous site-blocking systems to deny access to websites that dare to challenge the Kremlin's narrative of Putin's 'Special Operation.' Telecoms regulator Roscomnadzor is working harder than ever to maintain its blockades against everything from Google News, Twitter, Facebook, and Instagram, to the thousands of pirate sites and other resources on the country's blacklists. But, like the invasion itself, things aren't going to plan here either.

A little over a week ago, local telecoms operators supplying internet access to Russian citizens were ordered to carry out "urgent checks" on their ability to continue blocking sites deemed illegal by the state. ISPs were required to carry out an audit and liaise with telecoms regulator Roscomnadzor. Today is the reporting deadline but according to several sources, problems are apparent in the system. With accurate and critical reporting being all but strangled by the state, it is not absolutely clear who or what ordered the review but the consensus is that prescribed blocking standards aren't being met. As previously reported, local torrent site RuTracker suddenly found itself unblocked earlier this month, reportedly due to issues at an ISP. Problems are also reported with the Roscomnadzor-controlled 'TSPU' Deep Packet Inspection (DPI) system embedded into the networks of around 80 local ISPs and recently used to restrict Tor, VPNs and Twitter traffic.

United States

Proposal To Sanction Russian Cybersecurity Firm Over Ukraine Invasion Splits Biden Administration (wsj.com)

The Biden administration is divided over whether to impose sanctions on Kaspersky Lab, a Russian cybersecurity giant that officials warn could be used by the Kremlin as a surveillance tool against its customers, The Wall Street Journal reported Thursday, citing people familiar with the matter. From the report: The White House's National Security Council has pressed the Treasury Department to ready the sanctions as part of the broad Western campaign to punish Russia for its invasion of Ukraine, according to officials familiar with the matter. While Treasury officials have been working to prepare the package, sanctions experts within the department have raised concerns over the size and scope of such a move. The company's software is used by hundreds of millions of customers across the world, making it difficult to enforce the sanctions. In addition, some officials in the U.S. and Europe fear sanctioning Kaspersky Lab will increase the likelihood of triggering a cyberattack against the West by Moscow, even potentially leveraging the software itself. It wasn't clear whether the sanctions would go forward, and one official said the idea had been put on hold for now. The debate reflects how agencies within the Biden administration are weighing in real time options to deliver more economic pain to the Russian economy in response to its invasion of Ukraine.
Bitcoin

Crypto Platforms Ask for Rules But Have a Favorite Watchdog (bloomberg.com)

As the SEC signals that it wants more oversight of digital asset markets, the industry makes it clear it prefers to be supervised by the smaller CFTC. From a report: It was a classic Washington networking party. Sam Bankman-Fried, the co-founder and chief executive officer of FTX, one of the world's largest crypto trading platforms, held court on a February evening in a private room at the Park Hyatt hotel on the edge of Georgetown. Drinks flowed from an open bar, and hors d'oeuvres were served to the clutch of congressional aides, financial lobbyists, and former regulators. The goal of Bankman-Fried, a 30-year-old billionaire, was to showcase his new lobbying operation -- and to persuade influential Washingtonians that crypto needs more regulation. It may seem strange that a crypto magnate is seeking federal oversight. But as lawmakers and bureaucrats grapple with how to police a fast-growing and risky $2 trillion market, new rules seem inevitable. In March, President Joe Biden signed an executive order calling on federal agencies to work out policies on crypto. Bankman-Fried, whose company last year bought the naming rights to the Miami Heat's basketball arena, is pushing his own ideas of what regulation ought to look like, as well as who his main watchdog should be.

He's arguing for a bigger role for the U.S. Commodity Futures Trading Commission. The relatively small agency monitors futures contracts in basic goods such as crude oil, corn, and pork, as well as financial derivatives such as interest-rate swaps. It also oversees U.S. futures and options contracts on the popular cryptocurrencies Bitcoin and Ether. A U.S. affiliate of the Bahamas-based FTX offers such crypto derivatives, so part of its business is already under the CFTC's purview. Bankman-Fried wants Congress to expand the CFTC's authority to cover trading in the coins themselves. Currently, the CFTC only claims jurisdiction over cash token markets in cases of suspected fraud or manipulation that could affect the performance of crypto derivatives. In February testimony to the Senate, he said this lack of clarity is bad for investors and the industry. Other trading platforms are also starting to see the merits of being overseen primarily by the CFTC, say industry leaders who asked not to be named talking about private discussions.

Piracy

Russian Game Dev Tells Players To 'Raise the Pirate Flag' To Get Around Sanctions (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: With Russian gamers effectively cut off from purchases on most major gaming platforms due to corporate sanctions against the country, the Russian game developer behind indie darling Loop Hero is encouraging Russian customers to pirate the game. In a Sunday post on Russian social network VK (Google translated version), Loop Hero developer Four Quarters said, "In such difficult times, we can only help everyone to raise the pirate flag (together with vpn)" to get the game. The developer then included a link to a copy of Loop Hero on a popular Russian torrent tracker to aid in that process directly.

In a follow-up post the next day (Google translated version), Four Quarters insisted that "we didn't do anything special, there's nothing wrong with torrents." The company also notes that players wanting to offer the developer donations in lieu of buying the game should refrain. "The truth is that everything is fine with us, send this support to your family and friends at this difficult time," they wrote.

While players outside of Russia should still be able to purchase Loop Hero on Steam, Valve said earlier this month that banking issues prevented it from sending payments to developers in Russia, Belarus, and Ukraine (ironically enough). Valve recently told PC Gamer that developers in these countries will have to provide "intermediary banking information" in a foreign country to receive the payments they're due. "It's a very frustrating situation, and we hope to find the resolution soon," Valve wrote in a note to affected developers.
Russia is reportedly considering legalizing software piracy to combat the sanctions imposed on the country for its invasion of Ukraine.
Privacy

Apple and Meta Gave User Data to Hackers Who Used Forged Legal Requests

According to Bloomberg, Apple and Meta "provided customer data to hackers who masqueraded as law enforcement officials." Bloomberg's William Turton reports: Apple and Meta provided basic subscriber details, such as a customer's address, phone number and IP address, in mid-2021 in response to the forged "emergency data requests." Normally, such requests are only provided with a search warrant or subpoena signed by a judge, according to the people. However, the emergency requests don't require a court order. Snap Inc. received a forged legal request from the same hackers, but it isn't known whether the company provided data in response. It's also not clear how many times the companies provided data prompted by forged legal requests.

Cybersecurity researchers suspect that some of the hackers sending the forged requests are minors located in the U.K. and the U.S. [...] The fraudulent legal requests are part of a months-long campaign that targeted many technology companies and began as early as January 2021. The forged legal requests are believed to be sent via hacked email domains belonging to law enforcement agencies in multiple countries. The forged requests were made to appear legitimate. In some instances, the documents included the forged signatures of real or fictional law enforcement officers. By compromising law enforcement email systems, the hackers may have found legitimate legal requests and used them as a template to create forgeries.
Further reading: Hackers Gaining Power of Subpoena Via Fake 'Emergency Data Requests'
Education

Senators Question School Surveillance Startups on Data, Civil Rights (bloomberg.com)

School surveillance companies are not doing enough to determine whether their products unfairly target minority groups, according to a report released by U.S. Senators Elizabeth Warren and Ed Markey. From a report: Democratic senators sent questions to four of the most prominent companies that make education software monitoring students' online activity. The resulting report about their findings said that parents and schools are not fully informed about the extent and risks associated with the tracking software made by GoGuardian, Gaggle.Net, Bark Technologies and Securly. The report also said that because the products could increase students' contact with law enforcement, the software "may be exacerbating the school-to-prison pipeline."

Online education during the pandemic led to unprecedented levels of digital surveillance of children, as schools rushed to find ways to keep track of students, Bloomberg Businessweek reported in October. Private equity-backed GoGuardian, officially named Liminex, is one of the most popular makers of education surveillance tools. Its software helps teachers and administrators track what students are doing on school-issued devices, and sometimes personal devices when kids are logged into school accounts. The senators' report says none of the companies has assessed whether their algorithms are biased or track whether they over-target students of color or LGBTQ students. Each of the companies told the senators' offices that they do not study the effects of their products on specific populations due to privacy concerns.

Crime

Former Yale Employee Admits She Stole $40 Million In Electronics From University (npr.org)

An anonymous reader quotes a report from NPR: A nearly decade-long scheme to steal millions of dollars of computers and iPads from Yale University's School of Medicine is officially over. Former Yale administrator Jamie Petrone, 42, pleaded guilty Monday in federal court in Hartford, Conn., to two counts of wire fraud and a tax offense for her role in the plot. Petrone's ploy started as far back as 2013 and continued well into 2021 while she worked at the university, according to the U.S. Attorney's Office for the District of Connecticut. Until recently, her role was the director of finance and administration for the Department of Emergency Medicine at Yale. As part of this job, Petrone had the authority to make and authorize certain purchases for the department -- as long as the amount was below $10,000.

Starting in 2013, Petrone would order, or have a member of her staff order, computers and other electronics, which totaled thousands of items over the years, from Yale vendors using the Yale School of Medicine's money. She would then arrange to ship the stolen hardware, whose costs amounted to millions of dollars, to a business in New York, in exchange for money once the electronics were resold. Investigators said Petrone would report on documents to the school that the equipment was for specific needs at the university, like medical studies that ultimately didn't exist. She would break up the fraudulent purchases into orders that were below $10,000 each so that she wouldn't need to get additional approval from school officials. Petrone would ship this equipment out herself to the third-party business that would resell the equipment. It would later pay Petrone by wiring funds into an account of Maziv Entertainment LLC, a company she created.

Petrone used the money to live the high life, buy real estate and travel, federal prosecutors say. She bought luxury cars as well. At the time of her guilty pleas, she was in possession of two Mercedes-Benz vehicles, two Cadillac Escalades, a Dodge Charger and a Range Rover. [...] At the time of her guilty plea, she agreed to forfeit the luxury vehicles as well as three homes in Connecticut. A property she owns in Georgia may also be seized. Petrone has also agreed to forfeit more than $560,000 that was seized from the Maziv Entertainment LLC bank account. Federal prosecutors say the loss to Yale totals approximately $40,504,200.

Businesses

Workers Are Trading Staggering Amounts of Data for 'Payday Loans' (wired.com)

Companies are offering interest-free advances to people with poor credit in exchange for detailed personal data. Wired: Tulloch [Editor's note: the anecdote character in the story] is one of a growing number of US workers turning their personal data over to private companies in exchange for paycheck advances, fueling an industry potentially worth up to $12 billion, by some estimates. In 2020, $9.5 billion in wages were accessed early, according to the research firm Aite-Novarica Group, up from $6.3 billion in 2019. These early payouts can be habit-forming; a 2021 report from the Financial Health Network found that more than 70 percent of pay advance users took out consecutive advances.

What Tulloch didn't know was that when he signed up for the app, a company called Argyle was retrieving the data that would be used to decide how much money to give him. It builds the technology that allows companies like B9 to extract a wealth of data from payroll accounts -- up to 140 data points. These can include shifts worked, time off, earnings and promotions history, health care and retirement contributions, even reputational markers like on-time rate or a gig worker's star rating and deactivation history. For every worker that uses its product, Argyle charges customers like B9 a fee, plus an additional monthly charge for continuous monitoring. This makes for a valuable data trove; it's further upstream than banking data, providing a fuller picture of a worker's earnings, deductions, and behavior. Some estimate that payroll data could be worth $10 billion. Argyle pegs it at 10 times higher.

Argyle is part of an emerging set of payroll data companies founded over the last four years to cash in on workers' personal information. They build secure connections between payroll providers like Paychex and businesses that want to access that data, like B9. Argyle acts like a courier, shuttling data from one account to another, the same way banking data is transmitted to apps like Venmo. Its competitors include Atomic, Pinwheel, Truv, and Plaid (which builds those bank integrations but recently began releasing payroll products). The data that workers provide can be used to underwrite financial products like loans, mortgages, insurance policies, and buy-now-pay-later apps; simplify direct deposit switching; or verify income and employment for apartment and job applications.

Government

FTC Sues TurboTax Owner Intuit for Advertising Tax Software as 'Free' (cnbc.com)

The Federal Trade Commission sued Intuit in federal court on Monday, claiming it has deceived customers for years by marketing its TurboTax software as free and then charging most users when they file their income taxes. From a report: Around 56 million people filed their taxes with TurboTax in 2021, according to an Intuit shareholder presentation in January. Those individuals filed 54 million W-2 and 40 million 1099 tax forms, the company said. The FTC sued Intuit in U.S. District Court for the Northern District of California, asking for an immediate halt to its "bogus" advertising as taxpayers rush to meet the April 18 deadline to file their 2021 income taxes. The agency also issued a parallel administrative complaint on Monday. That proceeding will determine whether Intuit's conduct violated the FTC Act, the lawsuit said. Much of Intuit's advertising tells consumers they can file their income taxes for free online using TurboTax, but that's not true for most users, including independent contractors in the gig economy who get a 1099 tax form, the FTC said.
Privacy

Russian Tech Giant Yandex's Data Harvesting Raises Security Concerns (ft.com) 26

Russia's biggest internet company has embedded code into apps found on mobile devices that allows information about millions of users to be sent to servers located in its home country. From a report: The revelation relates to software created by Yandex that permits developers to create apps for devices running Apple's iOS and Google's Android, systems that run the vast majority of the world's smartphones. Yandex collects user data harvested from mobiles, before sending the information to servers in Russia. Researchers have raised concerns the same "metadata" may then be accessed by the Kremlin and used to track people through their mobiles. Researcher Zach Edwards first made the discovery regarding Yandex's code as part of an app auditing campaign for Me2B Alliance, a non-profit. Four independent experts ran tests for the Financial Times to verify his work.

Yandex has acknowledged its software collects "device, network and IP address" information that is stored "both in Finland and in Russia," but it called this data "non-personalised and very limited." It added: "Although theoretically possible, in practice it is extremely hard to identify users based solely on such information collected. Yandex definitely cannot do this." The revelations come at a critical time for Yandex, often referred to as "Russia's Google," which has long attempted to chart an independent path without falling foul of Russian president Vladimir Putin's desire for greater control of the internet. The company said it followed "a very strict" internal process when dealing with governments: "Any requests that fail to comply with all relevant procedural and legal requirements are turned down."

Encryption

Security Experts Say New EU Rules Will Damage WhatsApp Encryption (theverge.com) 169

Corin Faife writes via The Verge: On March 24th, EU governing bodies announced that they had reached a deal on the most sweeping legislation to target Big Tech in Europe, known as the Digital Markets Act (DMA). Seen as an ambitious law with far-reaching implications, the most eye-catching measure in the bill would require that every large tech company -- defined as having a market capitalization of more than 75 billion euros or a user base of more than 45 million people in the EU -- create products that are interoperable with smaller platforms. For messaging apps, that would mean letting end-to-end encrypted services like WhatsApp mingle with less secure protocols like SMS -- which security experts worry will undermine hard-won gains in the field of message encryption.

The main focus of the DMA is a class of large tech companies termed "gatekeepers," defined by the size of their audience or revenue and, by extension, the structural power they are able to wield against smaller competitors. Through the new regulations, the government is hoping to "break open" some of the services provided by such companies to allow smaller businesses to compete. That could mean letting users install third-party apps outside of the App Store, letting outside sellers rank higher in Amazon searches, or requiring messaging apps to send texts across multiple protocols. But this could pose a real problem for services promising end-to-end encryption: the consensus among cryptographers is that it will be difficult, if not impossible, to maintain encryption between apps, with potentially enormous implications for users.

Signal is small enough that it wouldn't be affected by the DMA provisions, but WhatsApp -- which uses the Signal protocol and is owned by Meta -- certainly would be. The result could be that some, if not all, of WhatsApp's end-to-end messaging encryption is weakened or removed, robbing a billion users of the protections of private messaging. Given the need for precise implementation of cryptographic standards, experts say that there's no simple fix that can reconcile security and interoperability for encrypted messaging services. Effectively, there would be no way to fuse together different forms of encryption across apps with different design features, said Steven Bellovin, an acclaimed internet security researcher and professor of computer science at Columbia University.

Privacy

Lapsus$ Found a Spreadsheet of Passwords as They Breached Okta, Documents Show (techcrunch.com) 39

The Lapsus$ hackers used compromised credentials to break into the network of customer service giant Sitel in January, days before subsequently accessing the internal systems of authentication giant Okta, according to documents seen by TechCrunch that provide new details of the cyber intrusion that have not yet been reported. The report adds: [...] The documents provide the most detailed account to date of the Sitel compromise, which allowed the hackers to later gain access to Okta's network. [...] The documents, obtained by independent security researcher Bill Demirkapi and shared with TechCrunch, include a Sitel customer communication sent on January 25 -- more than a week after hackers first compromised its network -- and a detailed timeline of the Sitel intrusion compiled by incident response firm Mandiant dated March 17 that was shared with Okta.

According to the documents, Sitel said it discovered the security incident in its VPN gateways on a legacy network belonging to Sykes, a customer service company working for Okta that Sitel acquired in 2021. The timeline details how the attackers used remote access services and publicly accessible hacking tools to compromise and navigate through Sitel's network, gaining deeper visibility to the network over the five days that Lapsus$ had access. Sitel said that its Azure cloud infrastructure was also compromised by hackers. According to the timeline, the hackers accessed a spreadsheet on Sitel's internal network early on January 21 called "DomAdmins-LastPass.xlsx." The filename suggests that the spreadsheet contained passwords for domain administrator accounts that were exported from a Sitel employee's LastPass password manager.

The Almighty Buck

US Lawmakers Introduce 'ECASH' Bill in New Push to Create a Digital Dollar (coindesk.com) 88

A group of U.S. lawmakers says the U.S. Treasury Department may be the right government entity to create a digital dollar -- not the Federal Reserve. A new bill introduced Monday would authorize just that. CoinDesk reports: Reps. Stephen Lynch (D-Mass.), Jesus Chuy Garcia (D-Ill.), Ayanna Pressley (D-Mass.) and Rashida Tlaib (D-Mich.) introduced the "Electronic Currency And Secure Hardware Act" (ECASH Act) to direct the Treasury Secretary to develop and issue an electronic version of the U.S. dollar, with an eye to preserving privacy and anonymity in transactions. The electronic dollar, as defined in the bill, would be a bearer instrument that people could hold on their phone or a card. The system would be token-based, not account-based, meaning if someone were to lose their phone or card, they would lose the funds. In other words, it would be like losing a wallet with dollar bills in it. This electronic dollar would be deemed legal tender and be functionally identical to a physical greenback.

Rohan Grey, an assistant professor at Willamette University who consulted on the bill, told CoinDesk the bill is meant to create a true digital analogue to the U.S. dollar. "We're proposing to have a genuine cash-like bearer instrument, a token-based system that doesn't have either a centralized ledger or distributed ledger because it had no ledger whatsoever. It uses secured hardware software and it's issued by the Treasury," he said. This form of e-cash would support peer-to-peer transactions, and given the nature of its setup, it would support fully anonymous transactions. Thus, it would differ from other proposals for a digital dollar, which are based on stablecoins or other decentralized ledger tools.
The full text of the E-CASH Bill can be read here.
