The Courts

Ice Cream Machine Hackers Sue McDonald's for $900 Million (wired.com)

For years, the tiny startup Kytch worked to invent and sell a device designed to fix McDonald's notoriously broken ice cream machines, only to watch the fast food Goliath crush their business like the hopes of so many would-be McFlurry customers. Now Kytch is instead seeking to serve out cold revenge -- nearly a billion dollars' worth of it. Wired: Late Tuesday night, Kytch filed a long-expected legal complaint against McDonald's, accusing the company of false advertising and tortious interference in its contracts with customers. Kytch's cofounders, Melissa Nelson and Jeremy O'Sullivan, are asking for no less than $900 million in damages.

Since 2019, Kytch has sold a phone-sized gadget designed to be installed inside McDonald's ice cream machines. Those Kytch devices would intercept the ice cream machines' internal communications and send them out to a web or smartphone interface to help owners remotely monitor and troubleshoot the machines' many foibles, which are so widely acknowledged that they've become a full-blown meme among McDonald's customers. The two-person startup's new claims against McDonald's focus on emails the fast food giant sent to every franchisee in November 2020, instructing them to pull Kytch devices out of their ice cream machines immediately.

Those emails warned franchisees that the Kytch devices not only violated the ice cream machines' warranties and intercepted their "confidential information" but also posed a safety threat and could lead to "serious human injury," a claim that Kytch describes as false and defamatory. Kytch also notes that McDonald's used those emails to promote a new ice cream machine, built by its longtime appliance manufacturing partner Taylor, that would offer similar features to Kytch. The Taylor devices, meanwhile, have yet to see public adoption beyond a few test installations.

The Almighty Buck

Even In the Metaverse, You Can't Escape the Taxman (arstechnica.com)

An anonymous reader quotes a report from Ars Technica, written by Kyle Orland: Second Life, the long-lived online metaverse that still attracts nearly a million monthly active users, has announced it will start charging US users local sales tax on many in-game purchases for the first time since its launch in 2003. That could be a significant drag on the online universe's robust in-game economy and serve as a warning for other nascent metaverse efforts hoping to sell virtual goods to US residents. In announcing the move Monday, Second Life developer Linden Labs cited the 2018 Supreme Court decision South Dakota v. Wayfair, Inc., Et Al. That decision established that states and localities could charge sales tax even for products sold by online companies that don't have a physical presence in that state. Following that decision, Linden Labs says it has "done our best to shield our residents from these taxes as long as possible, but we are no longer able to absorb them."

As such, starting March 31, Second Life users will be billed for local taxes on recurring billings such as subscriptions and land fees. Linden Labs will continue to absorb any taxes charged on one-time purchases like name changes and purchases of L$ in-game currency. But those costs will be passed on to users "at some point in the future" Linden Labs writes. "This is news we don't enjoy sharing, but for the health of the business and of Second Life, we can no longer continue absorbing these tax burdens," Linden Labs writes. "Thank you for your understanding and your continued support of Second Life."

Linden Labs' experience could serve as a cautionary tale as other major companies all rush to launch their own metaverse offerings. That includes companies using so-called "web3" technologies like cryptocurrencies and NFTs to power their virtual economies. Aside from possible local sales tax exposure, cryptocurrencies can be taxed as income or capital gains when they're earned, sold, or converted to another form. NFTs, meanwhile, could likely be taxed as collectibles, attracting a top capital gains tax rate of 28 percent in the US. And the IRS is starting to crack down on enforcement for crypto-based earnings thanks to a provision in last year's bipartisan infrastructure bill.

Crime

BitConnect's Indicted Founder Kumbhani Has Disappeared, SEC Says (bloomberg.com)

BitConnect founder Satish Kumbhani, charged criminally in the U.S. last week with a $2.4 billion Ponzi scheme, has vanished from his native India, officials said. From a report: Last September, the Securities and Exchange Commission separately sued Kumbhani, claiming he fraudulently raised more than $2 billion from investors in his cryptocurrency exchange platform. But the SEC didn't know where he was and couldn't serve him with the lawsuit. The mystery deepened a bit Monday. Kumbhani, 36, "has likely relocated from India to an unknown address in a foreign country," SEC attorney Richard Primoff said in a court filing. "Since November, the commission has been consulting with that country's financial regulatory authorities in an attempt to locate Kumbhani's address. At present, however, Kumbhani's location remains unknown."

United States

Supreme Court Will Hear Biggest Climate Change Case in a Decade (nytimes.com)

In the most important environmental case in more than a decade, the Supreme Court on Monday will hear arguments in a dispute that could restrict or even eliminate the Environmental Protection Agency's authority to control the pollution that is heating the planet. From a report: A decision by the high court, with its conservative supermajority, could shred President Biden's plans to halve the nation's greenhouse emissions by the end of the decade, which scientists have said is necessary to avert the most catastrophic impacts of climate change. "They could handcuff the federal government's ability to affordably reduce greenhouse gases from power plants," said Michael Oppenheimer, a professor of geosciences and international affairs at Princeton University. But the outcome could also have repercussions that stretch well beyond air pollution, restricting the ability of federal agencies to regulate health care, workplace safety, telecommunications, the financial sector and more.

[...] At issue is a federal regulation that broadly governs emissions from power plants. But in a curious twist, the regulation actually never took effect and does not currently exist. The legal wrangling began in 2015 when President Barack Obama announced the Clean Power Plan, his chief strategy to fight climate change. Citing its authority under the Clean Air Act, the Obama administration planned to require each state to lower carbon dioxide emissions from the electricity sector -- primarily by replacing coal-fired power plants with wind, solar and other clean sources. Electricity generation is the second largest source of greenhouse gas emissions in the United States, behind transportation.

Government

Russian Government Sites Facing 'Unprecedented' Cyberattacks from Thousands in Pro-Ukrainian 'IT Army' (msn.com)

Though the Russian government has tried geofencing access to crucial web sites, the Jerusalem Post reports that two Russian government web sites still went offline Saturday — the Kremlin and the Ministry of Defense. "Gosuslugi, Russia's web portal of state services, went offline on Saturday night as well, with the Russian Ministry of Digital Development, Communications and Mass Media telling TASS that the site is facing cyberattacks on an 'unprecedented scale.'"

Meanwhile, the Washington Post interviews 22-year-old Alex Horlan, a Ukrainian cybersecurity expert in Spain "helping take down some of Russia's most powerful websites — including state media and even the official page of the Kremlin." The attacks he and others are helping to carry out on Russian websites are part of a wide information war in the background of the much larger conflict here, as Ukrainians target Russian websites to rewrite the narrative Moscow is presenting to Russians back home. "We are creating an IT army," Ukrainian Vice Prime Minister Mykhailo Fedorov tweeted on Saturday. Horlan is a cybersecurity expert who recently launched an app called disBalancer that helps take down scam websites by overwhelming them with online traffic. He has redirected his team's efforts in recent days to instead target Russian websites he says are spreading dangerous disinformation about the Russian invasion of Ukraine....

Thousands of people are joining Horlan and others' efforts to target the Russian sites, with around 2,000 logging into his app at any given time, he said. The main challenge is that many are losing WiFi when air raid sirens force them to retreat to underground bunkers....

Volunteers are gathering information on attacks and casualties to fact check and challenge Russia's version of events, posting messages on Telegram and other Russian social media platforms [according to Liuba Tsbulska, a Ukrainian analyst and activist who has tracked Russian disinformation for eight years]. Others work to educate international audiences or produce patriotic content. Some also target Russian military and intelligence officers, flooding their emails and other platforms with messages. Volunteers are reaching out to the mothers of Russian soldiers to convince them to call for Russian President Vladimir Putin to bring their boys back home.

In Kharkiv, after reports that Russian troops and armored vehicles entered Ukraine's second largest city early Sunday, one local Telegram channel with more than 400,000 subscribers urged people to continue to document the adversary's movements as a way to aid Ukraine's forces in the area. In one message, the Truha Kharkiv channel asked citizens to "carefully film and send information about the movement of Russian troops to our channel. This is vital to the defense of our city."

Another message instructed citizens on how to make molotov cocktails.

Power

How Vulnerable is the US Power Grid? (cbsnews.com)

America's power grid consists of 3,000 public and private sector power companies, with 55,000 substations scattered across the country. On the CBS News show 60 Minutes, reporter Bill Whitaker notes that each grid holds grid-powering transformers — then tells the story of "the most serious attack on our power grid in history" on the night of April 16, 2013: For 20 minutes, gunmen methodically fired at high voltage transformers at the Metcalf Power substation. Security cameras captured bullets hitting the chain link fence.

Jon Wellinghoff: They knew what they were doing. They had a specific objective. They wanted to knock out the substation.

At the time, Jon Wellinghoff was chairman of FERC, the Federal Energy Regulatory Commission, a small government agency with jurisdiction over the U.S. high voltage transmission system.... [T]he attackers had reconnoitered the site and marked firing positions with piles of rocks. That night they broke into two underground vaults and cut off communications coming from the substation.

Jon Wellinghoff: Then they went from these vaults, across this road, over into a pasture area here. There were at least four or five different firing positions.

Bill Whitaker: No real security?

Jon Wellinghoff: There was no security at all, really.

They aimed at the narrow cooling fins, causing 17 of 21 large transformers to overheat and stop working.

Jon Wellinghoff: They hit them 90 times, so they were very accurate. And they were doing this at night, with muzzle flash in their face.

Someone outside the plant heard gunfire and called 911. The gunmen disappeared without a trace about a minute before a patrol car arrived. The substation was down for weeks, but fortunately PG&E had enough time to reroute power and avoid disaster.

Bill Whitaker: If they had succeeded, what would've happened?

Jon Wellinghoff: Could've brought down all of Silicon Valley.

Bill Whitaker: We're talking Google, Apple; all these guys--

Jon Wellinghoff: Yes, yes. That's correct.

Bill Whitaker: Who do you think this could have been?

Jon Wellinghoff: I don't know. We don't know if they were a nation state. We don't know if they were domestic actors. But it was somebody who did have competent people who could in fact plan out this kind of a very sophisticated attack....

A few months before the assault on Metcalf, Jon Wellinghoff of FERC commissioned a study to see if a physical attack on critical transformers could trigger cascading blackouts... The report was leaked to the Wall Street Journal. It found the U.S. could suffer a coast-to-coast blackout if saboteurs knocked out just nine substations....

In 2016, an eco terrorist in Utah shot up a large transformer, triggering a blackout. He said he'd planned to hit five substations in one day to shut down the West Coast. In 2020, the FBI uncovered a white supremacist plot called "lights out" to simultaneously attack substations around the country.

While the threats can also come from the internet, America's deputy national security advisor for cyber (formerly at the NSA) tells the reporter "We've taken any information we have about malicious software or tactics that the Russian government has used, shared that with the private sector with very practical advice of how to protect against it."

The reporter later spoke to the president's homeland security advisor, who points out there's no specific national regulation for the power plants, arguing that one of the system's strengths is "the resources for energy are different in different regions."

But they also acknowledged the federal government is now setting standards "in a variety of arenas."

The Media

Australia's Standoff Against Google and Facebook Worked - Sort Of (arstechnica.com)

Remember when Google threatened to leave Australia if the country implemented a "news media bargaining code" forcing social media platforms to pay news publishers? Wired reports: Google and Facebook did not leave; they paid up, striking deals with news organizations to pay for the content they display on their sites for the first time. The code was formally approved on March 2, 2021... One year after the media code was introduced, Google has 19 content deals with news organizations and Facebook has 11, according to [Australia's communications minister Paul] Fletcher. Now countries around the world are looking at Australia's code as a blueprint of how to subsidize the news and stop the spread of "news deserts" — communities that no longer have a local newspaper.

Canada is expected to propose its own version in March. Media associations in both the U.S. and New Zealand are calling for similar policies. Reports suggest the UK culture secretary, Nadine Dorries, is also planning to require platforms to strike cash-for-content deals.

The international interest has prompted fierce debate about how well Australia's code works.

"We know it works, we can see the evidence," says Fletcher. He points to how the deals are funding journalism in rural areas. Broadcaster The ABC said its deals with Facebook and Google enabled it to hire 50 regional journalists. Google, however, disagrees. It has accused the media code of stifling media diversity by giving media giants a better deal than smaller publishers. "The primary benefactors of such a code would be a small number of incumbent media providers," Google said in a submission to the U.S. Copyright Office, which is currently reviewing its own media laws....

The criticism of Australia's system focuses on its lack of transparency, which means that media companies cannot compare notes on the deals they are offered and there is a lack of clarity on which outlets are entitled to negotiate.... Concerns about the code's flaws are leaking into Canada, where Justin Trudeau's Liberal Party is drafting its own Australia-style legislation. "We're locking down the incumbent publishers, and we're locking down Google and Facebook's dominance as opposed to countering the dominance that exists on both sides," says Dwayne Winseck, journalism professor at Canada's Carleton University.... Yet Canada's news industry is willing to overlook these limitations because it considers the cash as a lifeline, according to Paul Deegan, president and chief executive of News Media Canada.... They are running out of time to save some of the media landscape, he explains — 40 newspapers have closed permanently since the start of the pandemic. "We've got a number of titles and even chains of titles that are quite literally teetering on the brink."

Deegan agrees the code isn't perfect. This is not a magic bullet, he says, "this is a badly needed Band-Aid."

Crime

BitConnect Founder Indicted Over $2.4 Billion Cryptocurrency Ponzi Scheme (sandiegouniontribune.com)

From the Hindustan Times: BitConnect founder Satish Kumbhani was indicted by a U.S. grand jury on charges he orchestrated a global Ponzi scheme that raised $2.4 billion from investors in a fraudulent cryptocurrency investment platform, according to a Justice Department statement. Kumbhani, 36, was charged in San Diego with misleading investors about BitConnect's purported proprietary technology... BitConnect used money from new investors to pay earlier ones and also operated as an unlicensed money transmitting business, the U.S. said.

More details from the San Diego Union-Tribune: Investors around the world, including those in San Diego, were encouraged to buy BitConnect's open-source, decentralized cryptocurrency, called BCC, using Bitcoin for the purchase. Investors would then "lend" their BCC tokens to Bitconnect, which would purportedly invest the proceeds using proprietary technology known as the Trading Bot and Volatility Software. The technology was supposedly designed to trade automatically, and profitably, by buying and selling on the volatility of Bitcoin, according to the indictment.

But much of the technology remained a mystery to investors. When someone asked for a demonstration at an event in 2017, Kumbhani was evasive: "So you ask me very hard question," he told one interviewer. He added later, "For privacy reasons we are not disclosing anything..."

Prosecutors say the investments weren't being traded as promised but were instead used to pay out earlier investors, typical of a pyramid scheme. The funds would also be used to pay BitConnect's army of promoters, who would market the investment opportunity on social media and at live events. Glenn Arcaro, described by prosecutors as "one of the most prolific and successful" of the bunch overseeing the United States, also formed his own cryptocurrency education course called Future Money. But the course was really a way to funnel potential investors to BitConnect, prosecutors said.

Arcaro, a Los Angeles resident, pleaded guilty to conspiracy to commit wire fraud in September for his role in the scheme.

After shutting down abruptly, Kumbhani then "directed his network of promoters to fraudulently manipulate and prop up the price" of BCC, "to create the false appearance of legitimate market demand..." according to a press release from the U.S. Department of Justice: Kumbhani is charged with conspiracy to commit wire fraud, wire fraud, conspiracy to commit commodity price manipulation, operation of an unlicensed money transmitting business, and conspiracy to commit international money laundering. If convicted of all counts, he faces a maximum total penalty of 70 years in prison.

Security

Ukraine Official Urges 'IT Army' of World's Digital Talent To Attack Russian Energy and Financial Firms (venturebeat.com)

VentureBeat reports: In Ukraine today, Mykhailo Fedorov, the country's vice prime minister, announced on Twitter, "We are creating an IT army."

"We need digital talents," wrote Fedorov, who also holds the title of minister of digital transformation — sharing a link to a Telegram channel where he said operational tasks will be distributed. "We continue to fight on the cyber front." On the Telegram channel, the IT army reportedly posted its list of Russian targets — which were also translated into English "for all IT specialists from other countries...."

On Friday, Christian Sorensen, a former U.S. Cyber Command official, told VentureBeat that "hacktivists around the world [will be] working against Russia, because they are the aggressor.... I think things will ramp up against western targets, but Russia and Belarus will be targeted by these groups even more" said Sorensen, formerly the operational planning team lead for the U.S. Cyber Command....

[O]n Friday, a Bloomberg report said that a hacker group that was now forming to bring counterattacks against Russia had amassed 500 members. And today, we have the announcement of Ukraine's IT army — potentially including assistance from hackers around the globe. "Whether sanctioned or not, official or not, if people have or can get the right information, know-how, and desire — they can make an impact," Sorensen said on Friday, prior to the announcement of Ukraine's IT army. "We'll have to wait and see what they are able to do."

The next day Reuters reported that the official website of the Kremlin, "the office of Russian President Vladimir Putin....was down on Saturday, following reports of denial of service (DDoS) attacks on various other Russian government and state media websites.

"The outages came as Ukraine's vice prime minister said it had launched an 'IT army' to combat Russia in cyberspace."

But the Independent reports that the cyberattacks may have been even more extensive: Ukraine's state telecommunications agency announced on Saturday that six Russian government websites, including the Kremlin's, were down, according to The Kyiv Independent.

The agency also stated that the Russian media regulator's website had gone down, and that hackers had got Russian TV channels to play Ukrainian music.

Government

Elon Musk Says SpaceX's Starlink Service is Now Active Over Ukraine (yahoo.com)

"Elon Musk says SpaceX's Starlink satellites are now active over Ukraine after a request from the embattled country's leadership to replace internet services destroyed by the Russian attack," reports the Independent, in a story shared by Slashdot readers schwit1 and SubMitt: Vladimir Putin's unprovoked invasion has left parts of the country without internet, while SpaceX has launched thousands of communications satellites to bring broadband to hard-to-reach areas of the world.

"Starlink service is now active in Ukraine. More terminals en route," the entrepreneur tweeted on Saturday.

The move came after Ukraine's vice prime minister urged Mr Musk to help them out, as the SpaceX system does not require any fiber-optic cables.

Newsweek reports that on Friday Ukraine's Vice Prime Minister also asked Apple's Tim Cook to stop providing products and services to Russians — including the Apple Store.

Government

US, UK and Top EU Allies Begin Cutting Russia Out Of International Financial System SWIFT (huffpost.com)

The Huffington Post reports on "the most drastic financial sanction yet on Russian President Vladimir Putin: The United States and key allies will cut Russian banks out of the global financial messaging system SWIFT and begin to target Russia's central bank, according to a White House statement on Saturday...

The statement said the U.S., top European economies, Britain, and Canada would disconnect selected Russian banks from SWIFT, which will severely hurt their ability to operate internationally, and prevent Russia's central bank from using its foreign currency reserves to evade Western sanctions. The pro-Ukraine countries will also make it harder for wealthy Russians to obtain Western citizenship and launch a task force to freeze the assets of Russian elites — a bid to pressure Putin by hurting his friends....

It represents a significant escalation by America's European partners, many of whom worry about the economic toll their own countries will experience if they cut off ties with Russia.

Crime

Surveillance Firm Says Apple Is 'Phenomenal' For Law Enforcement (appleinsider.com)

Secret recordings of a surveillance firm's presentation show how much iCloud data Apple surrenders to law enforcement with a warrant -- though it's Google and Facebook that can track a suspect to within three feet. Apple Insider reports: PenLink is a little-known firm from Nebraska which earns $20 million annually from helping the US government track criminal suspects. PenLink also sells its services to local law enforcement -- and it's from such a sales presentation that details of iCloud warrants have emerged. According to Forbes, Jack Poulson of the Tech Inquiry watchdog attended the National Sheriff's Association winter conference. While there, he secretly recorded the event.

During the presentation, PenLink's Scott Tuma described how the company works with law enforcement to track users through multiple services, including the "phenomenal" Apple with iCloud. Apple is open about what it does in the event of a subpoena from law enforcement. It's specific about how it will not unlock iPhones, for instance, but it will surrender information from iCloud backups that are stored on its servers. "If you did something bad," said Tuma, "I bet you I could find it on that backup." Tuma also says that in his experience, it's been possible to find people's locations through different services, although not through iCloud. "[Google] can get me within three feet of a precise location," he said. "I cannot tell you how many cold cases I've helped work on where this is five, six, seven years old and people need to put [the suspect] at a hit-and-run or it was a sexual assault that took place." It's also possible for law enforcement, and firms like PenLink which help them, to get location data from Facebook and Snapchat. [...]

Transportation

USPS Finalizes Plans To Buy Gas-Powered Delivery Fleet, Defying the EPA and White House (yahoo.com)

echo123 shares a report from the Washington Post: The U.S. Postal Service finalized plans Wednesday to purchase up to 148,000 gasoline-powered mail delivery trucks (Warning: paywalled; alternative source), defying Biden administration officials' objections that the multibillion dollar contract would undercut the nation's climate goals. The White House Council on Environmental Quality and the Environmental Protection Agency asked the Postal Service this month to reassess its plan to replace its delivery fleet with 90% gas-powered trucks and 10% electric vehicles, at a cost of as much as $11.3 billion. The contract, orchestrated by Postmaster General Louis DeJoy, offers only a 0.4-mile-per-gallon fuel economy improvement over the agency's current fleet.

Federal climate science officials said the Postal Service vastly underestimated the emissions of its proposed fleet of "Next Generation Delivery Vehicles," or NGDVs, and accused the mail agency of fudging the math of its environmental studies to justify such a large purchase of internal combustion engine trucks. But DeJoy, a holdover from the Trump administration, has called his agency's investment in green transportation "ambitious," even as environmental groups and even other postal leaders have privately questioned it. [...] Environmental advocates assailed the agency's decision, saying it would lock in decades of climate-warming emissions and worsen air pollution. The Postal Service plans call for the new trucks, built by Oshkosh Defense, to hit the streets in 2023 and remain in service for at least 20 years.

DeJoy said in a statement that the agency was open to pursuing more electric vehicles if "additional funding - from either internal or congressional sources -- becomes available." But he added that the agency had "waited long enough" for new vehicles. The White House and EPA had asked the Postal Service to conduct a supplemental environmental impact statement on the new fleet and to hold a public hearing on its procurement plan. The Postal Service rejected those requests: Mark Guilfoil, the agency's vice president of supply management, said they "would not add value" to the mail service's analysis. Now that the Postal Service has finalized its agreement with Oshkosh, environmentalists are expected to file lawsuits challenging it on the grounds that the agency's environmental review failed to comply with the National Environmental Policy Act. They will probably base their case on the litany of problems Biden administration officials previously identified with the agency's technical analysis.

Piracy

TVAddons' Adam Lackman Admits TV Show Piracy, Agrees To Pay $19.5 Million (torrentfreak.com)

In 2017, Bell Canada, TVA, Videotron, and Rogers teamed up in a lawsuit against the operator of TVAddons, the largest repository of Kodi add-ons. The legal action proved extremely controversial but now, after many twists and turns, the matter is over. As part of a consent judgment (PDF), TVAddons' founder [Adam Lackman] has admitted liability and agreed to pay a cool US$19.5 million in damages. TorrentFreak reports: In a letter dated February 18, 2022, the media companies and Lackman told the Federal Court that they had resolved their differences by agreeing to a consent judgment. That was reviewed and issued by Justice Rochester, who laid out the agreed terms in her judgment handed down February 22, 2022. Lackman admits to communicating TV shows owned by the plaintiffs to the public, including by directly or indirectly participating in the "development, hosting, distribution or promotion of Kodi add-ons that provide users with unauthorized access" to the plaintiffs' TV shows, contrary to sections 3(1)(f) and 27(1) of the Copyright Act. The TVAddons founder further admits that he made the TV shows available to the public in a manner that provided access "from a place and at a time individually chosen by them" and induced and authorized users of the infringing add-ons to "initiate acts of infringement of the Plaintiffs' right to communicate the Plaintiffs Programs to the public by telecommunication," again by developing, hosting, distributing or promoting Kodi add-ons.

The Federal Court issued a permanent injunction to restrain Lackman (and anyone acting with him, under his authority, or in association) from communicating the plaintiffs' content to the public in any way, including via the development or distribution of infringing add-ons such as the 'FreeTelly' and 'Indigo' tools. The terms of the injunction are lengthy and comprehensive, leaving no doubt that TVAddons and all related tools and services are now dead, with Lackman unable to do anything remotely similar in the future.

"THIS COURT ORDERS the Defendant Mr. Lackman to pay the Plaintiffs the amount of twenty-five million dollars ($25,000,000) in the form of a lump sum for damages, profits, punitive and exemplary damages, and costs," Justice Rochester writes. The judgment is in Canadian dollars but for reference, that's currently around US$19.5 million. The judgment also authorizes the bailiffs and independent supervising solicitor (with the assistance of computer forensics experts) to transfer the evidence obtained during the search of June 2017 to the media companies. Exactly what data was seized is currently unclear but it is likely to be sensitive, particularly if the trove includes user data and/or information about Kodi add-on developers. Finally, it appears the media companies will also be taking control of "login credentials, accounts, domains, subdomains and servers" in order to bring this years-long battle to a conclusion. Adam Lackman announced his relief on Twitter, noting that "It wasn't the outcome I had hoped for, but an outcome nonetheless."

Crime

3 Men Plead Guilty In Plot To Attack US Power Grid (nytimes.com) 157

An anonymous reader quotes a report from the New York Times: Three men pleaded guilty on Wednesday in a plot to attack power grids in the United States, which they believed could lead to economic and civil unrest and create the opportunity for white leaders to rise, federal prosecutors said. The men, Christopher Brenner Cook, 20, of Columbus, Ohio; Jonathan Allen Frost, 24, of West Lafayette, Ind., and of Katy, Texas; and Jackson Matthew Sawall, 22, of Oshkosh, Wis., each pleaded guilty in U.S. District Court in Columbus on Wednesday to one count of conspiring to provide material support to terrorists. They will each face up to 15 years in prison when they are sentenced. A date has not been scheduled.

In fall 2019, Mr. Frost and Mr. Cook met in an online chat group, and they began talking about the possibility of attacking a power grid, according to plea agreements. Within weeks, the two men began making efforts to recruit others and began sharing reading material that promoted white supremacy and neo-Nazism. By late 2019, Mr. Sawall, a friend of Mr. Cook's, also joined the efforts, prosecutors said. As part of their plot, each man focused on substations in different regions of the country, and how to attack the power grids with rifles, according to court documents. The three men discussed that by knocking out power across the country for an extended period, civil unrest would spread, a race war could break out and the next Great Depression could be induced, according to court documents.

In February 2020, the three men met in Columbus for more talks about their plot, according to court documents. When they met, Mr. Frost gave Mr. Cook an AR-47, and the two men trained with the rifle at a shooting range, according to court documents. Mr. Frost also gave Mr. Cook and Mr. Sawall suicide necklaces that he had filled with fentanyl, which were to be ingested if they were caught by the police, according to court documents. While they were in Columbus, Mr. Sawall and Mr. Cook bought spray paint and used it to write the phrase "Join the Front" on a swastika flag under a bridge at a park, according to court documents. The men had more plans to spread propaganda while they were in Ohio until they encountered the police during a traffic stop, during which Mr. Sawall ingested his suicide necklace but survived, according to a plea agreement. The F.B.I. searched the homes of the three men in August 2020. Agents found multiple firearms, chemicals that could have been used to create an explosive device, and Nazi-related books and videos, according to court documents.

Samuel Shamansky, a lawyer for Mr. Frost, said on Wednesday that Mr. Frost had "accepted complete responsibility for his reprehensible conduct."

"He has completely disavowed the racist viewpoints previously embraced," Mr. Shamansky said. "Regrettably, Mr. Frost fell prey to the misinformation espoused on the internet and now recognizes how dangerous the medium can be. Moreover, Mr. Frost has committed himself toward rehabilitation and doing everything within his power to remedy his misdeeds."

Transportation

Waymo To Keep Robotaxi Safety Details Secret, Court Rules (techcrunch.com) 16

An anonymous reader quotes a report from TechCrunch: Waymo, the autonomous driving arm of Alphabet, was granted a win on Tuesday when a California court ruled it could keep certain details regarding its AV technology secret. The company filed a lawsuit against the California Department of Motor Vehicles in late January in order to keep some information about its autonomous vehicle deployment permit, as well as emails between the DMV and the company, redacted from a public record request, which was originally filed by an undisclosed third party. The ruling by the California Superior Court, Sacramento could set a precedent for broader trade secret protection, at least in the autonomous vehicle industry, involving public access to information that has to do with public safety, but which businesses claim contain trade secrets.

In its lawsuit, Waymo argued being forced to reveal trade secrets would undermine its investments into automated driving technology and have a "chilling effect across the industry" where the DMV is no longer a safe space for companies to transparently share information about their tech. "We're pleased that the court reached the right decision in granting Waymo's request for a preliminary injunction, precluding the disclosure of competitively-sensitive trade secrets that Waymo had included in the permit application it submitted to the CA DMV," a Waymo spokesperson told TechCrunch. "We will continue to openly share safety and other data on our autonomous driving technology and operations, while recognizing that detailed technical information we share with regulators is not always appropriate for sharing with the public." [...] "These R&D efforts take many years and an enormous financial investment," reads Waymo's declaration shared with the court. "Waymo's AV development began as part of Google in 2009 before Waymo became its own company in 2016; therefore, Waymo's AVs have been in development for more than 12 years. Waymo has invested truly significant amounts researching and developing its AV products." It is difficult, however, to determine whether or not the information actually contains trade secrets without being able to see any of it.

"The question is, can the company derive economic value purely from not sharing that information with others?" Matthew Wansley, former general counsel of nuTonomy (which Aptiv acquired) and a law professor at Yeshiva University's Cardozo School of Law in New York, told TechCrunch. [...] "I looked through the complaint that Waymo filed, and the categories of information they're talking about are pretty broad," said Wansley. "Are there trade secrets in that set of information that they sent? Probably, there are some. Does it include all of the information they sent? Almost certainly not. The only thing that would surprise me is if everything they're claiming is a trade secret is actually a trade secret. But without knowing the specific information that they share with regulators, it's just hard to know." And now the public will never know.

The report notes that, in an effort to assuage any fears about its technology, Waymo "has submitted a safety self-assessment to the U.S. Department of Transportation, and is publishing a law enforcement interaction guide and a detailed description of its safety methodologies."

Privacy

Behind the Stalkerware Network Spilling the Private Phone Data of Thousands (techcrunch.com) 17

An anonymous reader quotes a report from TechCrunch, written by security editor Zack Whittaker: Consumer-grade spyware is often sold under the guise of child monitoring software, but also goes by the term "stalkerware" for its ability to track and monitor other people or spouses without their consent. Stalkerware apps are installed surreptitiously by someone with physical access to a person's phone and are hidden from home screens, but will silently and continually upload call records, text messages, photos, browsing history, precise location data and call recordings from the phone without the owner's knowledge. Many of these spyware apps are built for Android, since it's easier to plant a malicious app than on iPhones, which have tighter restrictions on what kind of apps can be installed and what data can be accessed. Last October, TechCrunch revealed a consumer-grade spyware security issue that's putting the private phone data, messages and locations of hundreds of thousands of people, including Americans, at risk. But in this case it's not just one spyware app exposing people's phone data. It's an entire fleet of Android spyware apps that share the same security vulnerability.

On the front line of the operation is a collection of white-label Android spyware apps that continuously collect the contents of a person's phone, each with custom branding, and fronted by identical websites with U.S. corporate personas that offer cover by obfuscating links to its true operator. Behind the apps is a server infrastructure controlled by the operator, which is known to TechCrunch as a Vietnam-based company called 1Byte. TechCrunch found nine nearly identical spyware apps that presented with distinctly different branding, some with more obscure names than others: Copy9, MxSpy, TheTruthSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker and GuestSpy. Other than their names, the spyware apps have practically identical features under the hood, and even the same user interface for setting up the spyware. Once installed, each app allows the person who planted the spyware access to a web dashboard for viewing the victim's phone data in real time -- their messages, contacts, location, photos and more. Much like the apps, each dashboard is a clone of the same web software. And, when TechCrunch analyzed the apps' network traffic, we found the apps all contact the same server infrastructure. But because the nine apps share the same code, web dashboards and the same infrastructure, they also share the same vulnerability.

The vulnerability in question is known as an insecure direct object reference, or IDOR, a class of bug that exposes files or data on a server because of sub-par, or no, security controls in place. It's similar to needing a key to unlock your mailbox, but that key can also unlock every other mailbox in your neighborhood. IDORs are one of the most common kinds of vulnerability [...]. But shoddy coding didn't just expose the private phone data of ordinary people. The entire spyware infrastructure is riddled with bugs that reveal more details about the operation itself. It's how we came to learn that data on some 400,000 devices -- though perhaps more -- have been compromised by the operation. Shoddy coding also led to the exposure of personal information about its affiliates who bring in new paying customers, information that they presumably expected to be private; even the operators themselves.
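The IDOR class described above, shown as an added example that is not part of the TechCrunch report and makes no claim about how the 1Byte dashboards are actually written: a minimal "monitoring dashboard" record lookup in Python, with the vulnerable handler beside a hardened one that enforces object-level authorization, and a log check a defender could run to spot an account walking through other accounts' ids. Every name, record and log line here is constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DeviceRecord:
    device_id: str
    owner_account: str
    payload: str  # stands in for the sensitive contents a real record would hold


# Constructed sample records: a small sequential id space shared by two accounts.
DEVICES: Dict[str, DeviceRecord] = {
    "1001": DeviceRecord("1001", "alice", "alice's messages"),
    "1002": DeviceRecord("1002", "bob", "bob's messages"),
    "1003": DeviceRecord("1003", "bob", "bob's photos"),
}


class Forbidden(Exception):
    """Raised when the request carries no authenticated session."""


def vulnerable_get_device(session_user: str, device_id: str) -> Optional[DeviceRecord]:
    """The IDOR shape: authentication is checked, authorization is not.

    Any logged-in account can fetch any record simply by naming its id,
    which is the one-key-opens-every-mailbox problem the article describes.
    """
    if not session_user:
        raise Forbidden("login required")
    return DEVICES.get(device_id)


def hardened_get_device(session_user: str, device_id: str) -> Optional[DeviceRecord]:
    """Object-level authorization: fetch, then verify the caller owns the record.

    A record that is missing and one that belongs to someone else are both
    reported as None (a 404 in an HTTP handler), so the response does not
    confirm which ids exist.
    """
    if not session_user:
        raise Forbidden("login required")
    record = DEVICES.get(device_id)
    if record is None or record.owner_account != session_user:
        return None
    return record


def detect_cross_account_access(log_lines: List[str], threshold: int = 2) -> Dict[str, List[str]]:
    """Defender-side check over access-log lines of the constructed form
    'user=<account> device=<id> status=<code>'.

    Returns, per account, the sorted distinct device ids it requested but does
    not own, for accounts at or above `threshold`. On the vulnerable handler
    these requests succeed; on the hardened one they return 404, but the
    request pattern itself is the enumeration signal either way.
    """
    foreign: Dict[str, set] = defaultdict(set)
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        user, device = fields["user"], fields["device"]
        record = DEVICES.get(device)
        if record is None or record.owner_account != user:
            foreign[user].add(device)
    return {u: sorted(ids) for u, ids in foreign.items() if len(ids) >= threshold}


# Constructed access log: alice walks the id space, bob reads only his own device.
ACCESS_LOG = [
    "user=alice device=1001 status=200",
    "user=alice device=1002 status=200",
    "user=alice device=1003 status=200",
    "user=bob device=1002 status=200",
]


if __name__ == "__main__":
    # The vulnerable handler hands alice bob's data; the hardened one refuses.
    print(vulnerable_get_device("alice", "1002"))
    print(hardened_get_device("alice", "1002"))
    print(detect_cross_account_access(ACCESS_LOG))
```

The fix is the ownership comparison, not the id format: replacing sequential ids with random ones only slows enumeration and is no substitute for checking that the session owns the object on every request. The same ownership-scoped lookup should apply to every endpoint that takes an object id, because a fleet of apps sharing one codebase, as the article describes, shares every such gap as well.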

After TechCrunch emailed 1Byte with details of the security vulnerability, the email address was shut down along with "at least two of the branded spyware apps," according to the report. "That leaves us here. Without a fix, or intervention from the web host, TechCrunch cannot disclose more about the security vulnerability -- even if it's the result of bad actors themselves -- because of the risk it poses to the hundreds of thousands of people whose phones have been unknowingly compromised by this spyware."

In a separate report, security editor Zack Whittaker explains how one can remove common consumer-grade spyware.

Government

Missouri Governor's Office Responsible For Teacher Data Leak (krebsonsecurity.com) 30

An anonymous reader quotes a report from Krebs on Security: Missouri Governor Mike Parson made headlines last year when he vowed to criminally prosecute a journalist for reporting a security flaw in a state website that exposed personal information of more than 100,000 teachers. But Missouri prosecutors now say they will not pursue charges following revelations that the data had been exposed since 2011 -- two years after responsibility for securing the state's IT systems was centralized within Parson's own Office of Administration. [...]

On Monday, Feb. 21, The Post-Dispatch published the 158-page report (PDF), which concluded after 175 hours of investigation that [St. Louis Post-Dispatch reporter Josh Renaud] did nothing wrong and only accessed information that was publicly available. Emails later obtained by the Post-Dispatch showed that the FBI told state cybersecurity officials that there was "not an actual network intrusion" and the state database was "misconfigured." The emails also revealed the proposed message when education department leaders initially prepared to respond in October: "We are grateful to the member of the media who brought this to the state's attention," was the proposed quote attributed to the state's education commissioner before Parson began shooting the messenger.

The Missouri Highway Patrol report includes an interview with Mallory McGowin, the chief communications officer for the state's Department of Elementary and Secondary Education (DESE). McGowin told police the website weakness actually exposed 576,000 teacher Social Security numbers, and the data would have been publicly exposed for a decade. McGowin also said the DESE's website was developed and maintained by the Office of Administration's Information Technology Services Division (ITSD) -- which the governor's office controls directly. "I asked Mrs. McGowin if I was correct in saying the website was for DESE but it was maintained by ITSD, and she indicated that was correct," the Highway Patrol investigator wrote. "I asked her if the ITSD was within the Office of Administration, or if DESE had their own information technology section, and she indicated it was within the Office of Administration. She stated in 2009, policy was changed to move all information technology services to the Office of Administration." The report was a vindication for Renaud and for University of Missouri-St. Louis professor Shaji Khan, who helped the Post-Dispatch verify that the security flaw existed. Khan was also a target of Parson's vow to prosecute "the hackers."

Khan's attorney Elad Gross told the publication his client was not being charged, and that "state officials committed all of the wrongdoing here."

"They failed to follow basic security procedures for years, failed to protect teachers' Social Security numbers, and failed to take responsibility, instead choosing to instigate a baseless investigation into two Missourians who did the right thing and reported the problem," Gross told The Post-Dispatch. "We thank the Missouri State Highway Patrol and the Cole County Prosecutor's Office for their diligent work on a case that never should have been sent to them."

Data Storage

Windows 10 and 11 21H2 Data Wiping Tool Leaves User Data On Disk (tomshardware.com) 36

Microsoft MVP Rudy Ooms has discovered that the built-in Windows data wiping functions leave user data behind in the latest versions of Windows 10 and Windows 11. "This error applies to both local and remote wiping of PCs running Windows 10 version 21H2 and Windows 11 version 21H2," reports Tom's Hardware. From the report: Ooms first discovered that there were problems with the disk wipe functionality provided by Microsoft when doing a remote wipe via Microsoft Intune system management. However, he has tested several Windows versions and both local and remote wiping over the weekend to compile the following summary table [embedded in the article]. At the bottom of the table you can see that both Wipe and Fresh Start options appear to work as expected in Windows 10 and 11 version 21H1, but are ineffectual in versions 21H2. Ooms installed and tested these four OSes, with local and remote wipe operations, then checked the results. The most common issue was the leaving behind of user data in a folder called Windows.old on the "wiped" or "fresh start" disk. This is despite Microsoft warning users ahead of the action that "This removes all personal and company data and settings from this device."

In his blog post, Ooms notes that some users might feel assured that their personal data was always stored on a BitLocker drive. However, when a device is wiped, BitLocker is removed, and he discovered that the Windows.old folder contained previously encrypted data, now unencrypted. He also noted that OneDrive files that had previously been marked "Always Keep on this device" in Windows remained in Windows.old too. Ooms has kindly put together a PowerShell script to fix this security blunder by Microsoft; it needs to be run before wiping or resetting the old device. Hopefully Microsoft will step up and fix this faulty behavior in the coming weeks, so you don't need to remember to run third-party scripts.

Privacy

IRS To Adopt Login.gov As User Authentication Tool (fedscoop.com) 27

An anonymous reader quotes a report from FedScoop: The Internal Revenue Service has committed to Login.gov as a user authentication tool after earlier this month agreeing to abandon the use of a commercial tool that featured third-party facial recognition technology. In a statement on Monday, the Treasury Department said it is working with the General Services Administration to achieve the "security standards and scale" required to adopt the platform.

It comes after the IRS earlier this month announced a plan to move away from using a third-party service for facial recognition to authenticate taxpayers creating new online accounts. It was forced to reject the technology following revelations that contractor ID.me uses powerful one-to-many facial recognition technology. "While this short-term solution is in place for this year's filing season, the IRS will work closely with partners across government to roll out login.gov as an authentication tool," the IRS said.

While Login.gov is not expected to be ready in time for use by taxpayers during the current tax season, users are now able to sign up for IRS online accounts without the use of any biometric data. Any previously collected biometric data will also be deleted over the next few weeks, according to IRS. Despite the move to Login.gov, taxpayers will still have the option to verify their identity automatically through ID.me's tool if they choose. New requirements are in place to ensure images provided are deleted for the account being created.

The IRS said in a statement: "Taxpayers will have the option of verifying their identity during a live, virtual interview with agents; no biometric data -- including facial recognition -- will be required if taxpayers choose to authenticate their identity through a virtual interview."
