The Almighty Buck

TikTokers Are Trading Stocks By Copying What Members of Congress Do (npr.org) 91

TikTok users are watching financial disclosures of sitting members of Congress to help them determine which stocks to invest in. NPR reports: Among a certain community of individual investors on TikTok, House Speaker Nancy Pelosi's stock trading disclosures are a treasure trove. "Shouts out to Nancy Pelosi, the stock market's biggest whale," said user 'ceowatchlist.' Another said, "I've come to the conclusion that Nancy Pelosi is a psychic," while adding that she is the "queen of investing." "She knew," declared Chris Josephs, analyzing a particular trade in Pelosi's financial disclosures. "And you would have known if you had followed her portfolio." Last year, Josephs noticed that the trades, actually made by Pelosi's investor husband and merely disclosed by the speaker, were performing well.

Josephs is the co-founder of a company called Iris, which shows other people's stock trades. In the past year and a half, he has been taking advantage of a law called the Stock Act, which requires lawmakers to disclose stock trades and those of their spouses within 45 days. Now on Josephs' social investing platform, you can get a push notification every time Pelosi's stock trading disclosures are released. He is personally investing when he sees which stocks are picked: "I'm at the point where if you can't beat them, join them," Josephs told NPR, adding that if he sees trades on her disclosures, "I typically do buy... the next one she does, I'm going to buy."
The report notes that Senate and House members have already filed more than 4,000 financial trading disclosures this year, with at least $315 million of stocks and bonds bought or sold. "That's according to Tim Carambat, who in 2020 created and now maintains two public databases of lawmaker financial transactions -- House Stock Watcher and Senate Stock Watcher," reports NPR. "He says there is a significant following for his work."
The Almighty Buck

The Fed Is Evaluating Whether To Launch a Digital Currency and In What Form (cnbc.com) 53

An anonymous reader quotes a report from CNBC: The Federal Reserve is pushing ahead with its study into whether to implement its own digital currency and will be releasing a paper on the issue shortly, Chairman Jerome Powell said Wednesday. No decision has been made on the matter yet, he added, and said the Fed does not feel pressured to do something quickly as other nations move forward with their own projects. "I think it's important that we get to a place where we can make an informed decision about this and do so expeditiously," Powell said at his post-meeting news conference. "I don't think we're behind. I think it's more important to do this right than to do it fast." Powell added that the Fed is "working proactively to evaluate whether to issue a CBDC, and if so in what form."

The Boston Fed has taken point on the project, joining with MIT in an initiative on whether the central bank should establish its own digital coin targeted at making the payments system more effective. Fed Governor Lael Brainard has been a strong advocate of the effort, though several other officials, including Vice Chair for Supervision Randal Quarles, have cast doubts. Advocates such as Brainard say a central bank digital currency's benefits include getting payments quickly to people in times of crisis and also providing services to the unbanked. "We think it's really important that the central bank maintain a stable currency and payments system for the public's benefit. That's one of our jobs," he said. He noted the "transformational innovation" in the area of digital payments and said the Fed is continuing to do work on the matter, including its own FedNow system expected to go online in 2023. The test for a CBDC, he said, is "are there clear and tangible benefits that outweigh any costs and risks."

Some concerns even have been raised that if the Fed does not act more aggressively, the dollar's position as the global reserve currency could be challenged. Powell noted the dollar's position in the world and said the Fed is "in a good place" to make a decision on whether to implement its own digital currency. He expressed some concern about the regulatory landscape and said the Fed likely will need congressional permission should it decide to proceed. "Where the public's money is concerned, we need to make sure that appropriate regulatory protections are in place, and today there really are not in some cases," Powell said.

Medicine

CIA Director 'Fuming' After Havana Syndrome Strikes Team Member In India (arstechnica.com) 108

FallOutBoyTonto shares a report from Ars Technica: A US intelligence officer traveling in India earlier this month with CIA director William Burns reported experiencing a mysterious health incident and symptoms consistent with so-called Havana syndrome, according to a report by CNN. The officer received immediate medical care upon returning to the US. The case raises fears that such incidents are not only increasing, but potentially escalating, unnamed officials told CNN and The New York Times. The new incident within Burns' own team reportedly left the CIA chief "fuming" with anger.

The director's schedule is tightly guarded, and officials do not know if the affected intelligence officer was targeted because the officer was traveling with the director. If the health incident was an attack carried out by an adversarial intelligence agency -- as feared -- it's unclear how the adversarial agency learned of the trip and was able to prepare an attack. It's also possible, however, that the officer was targeted for other reasons and without knowledge that the officer was traveling with the director.
The report notes that this incident is the second high-profile case in less than a month. "On August 24, another so-called 'anomalous health incident' affecting US embassy staff in Hanoi, Vietnam, came to light," reports Ars Technica. "It is still unclear how many staff members were affected in that incident, but NBC News reported that two US personnel were medevaced out of the country."
Apple

Leaked Apple Training Videos Show How the iPhone-Maker Undermines Third-Party Repair (vice.com) 133

em1ly shares a report from Motherboard, which obtained leaked training videos Apple made for its authorized repair partners, showing how the company trains repair technicians to undermine third-party companies and talk customers into buying more expensive first-party repairs. From the report: "I cracked the glass on my phone and I'm comparing costs. How much for just that part?" one man, acting the part of the customer, asks in one of the videos.
"I can show you the cost for just the part before we begin," another man, playing the part of repair technician says.
"Whoa," the customer says, holding out his hands. "That's way more than the shop down the street. Why is it so expensive here?"
"This quote's for a genuine Apple part," the technician says.
"What do you mean by genuine?" the customer asks, his hands making scare quotes. "I'd like to save some money. Aren't they really the same part?"

After this, the technician launches into an explanation of why it's best for people to replace broken iPhone parts with genuine Apple products. "A genuine Apple part has to pass AppleCare engineering criteria," the technician says, explaining that a screen from Apple will be tested as if it had just come off the factory floor. "With a genuine Apple display, all the features you've come to rely on behave seamlessly...that's not the case with third party displays."

Six of the eight videos are dedicated to training repair techs on how to deal with customers worried about the huge costs of repairing an Apple device. One three-minute video is dedicated to helping customers understand why a genuine Apple screen is often better than one from a third party.

Piracy

Virgin Media Subscribers Told To Pay 'Thousands of Pounds' To Settle Piracy Laws (torrentfreak.com) 53

An anonymous reader quotes a report from TorrentFreak: Virgin Media subscribers receiving letters accusing them of movie piracy may find that settling their cases will be a costly affair. TorrentFreak understands that settlement demands run to several thousand pounds, a massive uplift on the several hundred usually requested in similar cases. Interestingly, however, some subscribers could be immune from being sued. [...] At this stage it's too early to definitively say what factors are being considered when assessing the settlement amount. However, if earlier methodology is deployed it's possible that Voltage's anti-piracy monitoring company (believed to be MaverickEye) will take the BitTorrent swarm size (the number of people sharing the movie at the same time) and multiply that by the price of the Ava movie.

As previously reported, this system has serious flaws. However, for people who simply want to settle and move on, paying Voltage a few thousand pounds should make the whole thing go away -- at least in respect of this particular accusation. But what about those who wish to contest the claims being made? At the core of the letters is the assumption that the person who pays the Virgin Media bill is the person who downloaded and shared the movie 'Ava' without permission. 'Assumption' is key here since Voltage acknowledges that may not be the case and someone else in a household could be liable. If the bill payer did not carry out the infringement and did not authorize/allow someone else to do so, under the Copyright Designs and Patent Act they are not liable. This means that they can issue a direct denial to Voltage but that would not prevent the company from filing a claim if it believes it has a case. At this point it's important to note that any claim by Voltage would be actioned in a civil court where cases are decided on the balance of probabilities -- 51% confidence of infringement could tip a case in the company's favor, resulting in a damages award. That's in addition to the associated legal costs of a failed defense. Given that Voltage is setting the bar so high with demands for multi-thousand-pound settlements, it seems likely that defendants who can afford to mount a defense will do so.

[T]he High Court states that Voltage may not initiate legal proceedings against a minor, which means anyone under the age of 18 in England, Wales or Northern Ireland. This means that if a parent pays the bill and a 17-year-old illegally downloaded and shared the movie, Voltage cannot bring a case against them. Furthermore, the High Court says that Voltage cannot pursue cases against an infringer who is a pensioner. The retirement age in the UK is currently 66 and according to the High Court's instructions, "anyone over the age of 65" can not have proceedings brought against them. In addition, anyone who is considered "vulnerable" will not have to face proceedings either.

Facebook

Facebook Warned Over 'Very Small' Indicator LED On Smart Glasses (techcrunch.com) 112

The Data Protection Commission in Ireland, Facebook's lead privacy regulator in Europe, has asked Facebook to demonstrate that an LED indicator light on its pair of "smart" Ray-Ban sunglasses -- which lights up when the user is taking a video -- is an effective way of putting other people on notice that they are being recorded by the wearer. TechCrunch reports: Italy's privacy watchdog, the Garante, already raised concerns about Facebook's smart glasses -- but Ireland has an outsized role as a regulator for the tech giant owing to where the company's regional base is located. The first Facebook Ray-Ban-branded specs went on sale earlier this month -- looking mostly like a standard pair of sunglasses but containing two 5 MP cameras mounted on the front that enable the user to take video of whatever they're looking at and upload it to a new Facebook app called View. (The sunglasses also contain in-frame speakers so the user can listen to music and take phone calls.) [...] The specs also include a front-mounted LED light which is supposed to switch on to indicate when a video is being recorded. However, European regulators are concerned that what the DPC describes as a "very small" indicator is an inadequate mechanism for alerting people to the risk they are being recorded. Facebook has not demonstrated it conducted comprehensive field testing of the device with a view to assessing the privacy risk it may pose, it added.

"While it is accepted that many devices including smart phones can record third party individuals, it is generally the case that the camera or the phone is visible as the device by which recording is happening, thereby putting those captured in the recordings on notice. With the glasses, there is a very small indicator light that comes on when recording is occurring. It has not been demonstrated to the DPC and Garante that comprehensive testing in the field was done by Facebook or Ray-Ban to ensure the indicator LED light is an effective means of giving notice," the DPC wrote. Facebook's lead EU data protection regulator goes on to say it is calling on the tech giant to "confirm and demonstrate that the LED indicator light is effective for its purpose and to run an information campaign to alert the public as to how this new consumer product may give rise to less obvious recording of their images."

Twitter

Twitter To Pay $809.5 Million To Settle 2016 Lawsuit Over Growth Projections (cnet.com) 6

Twitter on Monday said it has agreed to pay $809.5 million to settle a class action lawsuit that accused the social network of violating securities laws by misleading investors about its prospects for growth. CNET reports: The settlement stems from a 2016 lawsuit that alleged Twitter and its executives misled shareholders in November 2014 about user growth, promising an increase in monthly active users to 550 million in the "intermediate" term and more than a billion "over the longer term." But Twitter's user growth remained flat, causing steep declines in its stock price, according to the lawsuit. Twitter stopped reporting monthly active users in April 2019 (at last count it reported 330 million). The company now looks at daily users who see ads as its key metric. In July, Twitter reported that its mDAU, or monetized daily active users, grew to 206 million for the quarter that ended in June. The user growth helped the company, which makes most of its revenue from ads, post a 74% increase in quarterly revenue, to $1.19 billion. The settlement agreement, which doesn't include any admission of wrongdoing by Twitter, is subject to court approval.
Government

'Freedom Hosting' Web Admin Gets 27 Years In Prison For Hosting 200+ Child Pornography Sites (therecord.media) 178

An anonymous reader quotes the Record: An Irish man who ran a cheap dark web hosting service has been sentenced today to 27 years in prison for turning a blind eye to customers hosting child sex abuse material. Eric Eoin Marques, 36, from Dublin, operated the Freedom Hosting service between July 2008 and July 2013, when he was arrested following an FBI investigation.

"The investigation revealed that the hosting service contained over 200 child exploitation websites that housed millions of images of child exploitation material," the US Department of Justice said today, announcing Marques' sentencing. "Over 1.97 million of these images and/or videos were not previously known by law enforcement," officials said.

Flashback to 2013: [T]he FBI yesterday acknowledged that it secretly took control of Freedom Hosting last July, days before the servers of the largest provider of ultra-anonymous hosting were found to be serving custom malware designed to identify visitors. Freedom Hosting's operator, Eric Eoin Marques, had rented the servers from an unnamed commercial hosting provider in France, and paid for them from a bank account in Las Vegas.

It's not clear how the FBI took over the servers in late July, but the bureau was temporarily thwarted when Marques somehow regained access and changed the passwords, briefly locking out the FBI until it gained back control. The new details emerged in local press reports from a Thursday bail hearing in Dublin, Ireland, where Marques, 28, is fighting extradition to America on charges that Freedom Hosting facilitated child pornography on a massive scale...

Security researchers dissected the code and found it exploited a security hole in Firefox to identify users of the Tor Browser Bundle, reporting back to a mysterious server in Northern Virginia. The FBI was the obvious suspect, but declined to comment on the incident. The FBI also didn't respond to inquiries from WIRED today. But FBI Supervisory Special Agent Brooke Donahue was more forthcoming when he appeared in the Irish court yesterday to bolster the case for keeping Marques behind bars.

Bitcoin

What Happened After El Salvador Adopted Bitcoin as Legal Currency? (foreignpolicy.com) 123

Foreign Policy magazine explores just what happened after El Salvador adopted bitcoin as legal currency and launched its official government-approved bitcoin wallet Chivo: Chivo launched just after midnight on Sept. 7. The system started failing at three a.m. Server capacity was increased, and app installations were not re-enabled until 11:30 a.m. Transactions failed through the day; customer service lines were jammed; Chivo ATMs ran out of cash. Shortly after ten a.m., the price of bitcoin crashed by $10,000 in three minutes...

After protests on Sept. 6, more than 1,000 people marched on the Legislative Assembly on Sept. 7, jumping barriers placed early that morning to keep them out. One group of protestors set some tires on fire. Opposition politicians attended the day's session in "No Bitcoin" shirts. The protests were not against bitcoin itself. People protested the forced acceptance, the complete lack of transparency from the government, and the dysfunctional Chivo payment system — "people are against how things are being done in the name of bitcoin," local businessman Patrick Murray said....

[T]he Bitcoin Law, and the disastrous launch of Chivo, has frightened the bond markets; El Salvador's sovereign debt dropped almost five cents in a single day, ending Sept. 7 trading at 87.6 cents on the dollar. The World Bank and the International Monetary Fund are already reluctant to supply further funding because of the Bitcoin Law...

Traders were reluctant to accept bitcoin. "I'd rather lose the sale," one trader told La Prensa Grafica. Others didn't trust money they couldn't hold in their hands. Street vendors may not even have phones. Many of their customers are illiterate. Some government offices didn't accept bitcoin payments. Transfers from Chivo to bank accounts were not reliable. The Chivo ATMs didn't work well — one machine had a reported three successful cash withdrawals in a day. Even transfer of bitcoins in and out of Chivo had problems...

"El Salvador's Bitcoin Law Is a Farce," blares the headline on the article, saying El Salvador's system "doesn't work, the currency crashed, and the public hates it."

"Fears of criminals bringing in dirty bitcoins and exchanging them for clean dollars, draining the $150 million trust that was set up as a buffer between bitcoins and dollars, have not come to pass — because Chivo doesn't work well enough."
Government

Report: Boeing Official Expected to Face Criminal Charges Over Fatal Boeing 737 Max Issues (cbsnews.com) 99

"Federal prosecutors plan to criminally charge a former Boeing Co. pilot they suspect of misleading aviation regulators about safety issues blamed for two fatal crashes of the 737 Max," reports the Wall Street Journal, citing "people familiar with the matter."

Mark Forkner, who was Boeing's 737 Max chief technical pilot during the aircraft's development, is likely to face prosecution in the coming weeks, these people said... Boeing admitted in a criminal settlement reached with prosecutors earlier this year that two of its employees — unnamed in that agreement — conspired to defraud the FAA about 737 Max training issues in order to benefit themselves and the company.
CBS News offers more details: It would, says the Journal, "be the first attempt to hold a Boeing employee accountable" for conduct before the two crashes. [Forkner] was the lead contact between the aviation giant and the Federal Aviation Administration over how pilots should be trained to fly the planes, the Journal said. According to documents published in early 2020, Forkner withheld details about the planes' faulty flight handling system known as the Maneuvering Characteristics Augmentation System, or MCAS — later blamed for both crashes — from regulators.

The Journal said it wasn't clear what charges Forkner would face... A lawyer for Forkner, David Gerger, didn't respond to requests for comment Thursday from the Journal. Gerger has said in the past that Forkner, a pilot and Air Force veteran, wouldn't put pilots or passengers in danger.

Power

Despite 'Economic Distress', Two US Nuclear Power Plants Saved From Closing Through Subsidies (mystateline.com) 128

Slashdot reader oumuamua writes that two U.S. nuclear plants owned by Exelon "were almost shut down prematurely...but were saved at the last minute by the Illinois Senate." The Illinois Senate has approved a clean energy deal which includes a subsidy for Exelon to keep the Byron nuclear plant in operation, after the House passed it last week.

The plan gives Exelon $694 million to keep the Byron and Dresden plants operational. Exelon had previously begun drawing down the Byron plant with an anticipated retirement date of Monday, September 13th, and had warned that once the nuclear fuel had been depleted, it could not be refueled after that date.

Exelon said Monday that with the passage of the bill, it was preparing to refuel both plants.

The company had actually intended to close the Byron plant for some time, according to an earlier article: In a February 2019 filing with the U.S. Securities and Exchange Commission, Exelon said the plant is "showing increased signs of economic distress, which could lead to an early retirement, in a market that does not currently compensate them for their unique contribution to grid resiliency and their ability to produce large amounts of energy without carbon and air pollution." Exelon cited revenue shortfalls in the hundreds of millions of dollars because of declining energy prices and energy rules that allow fossil fuel plants to make cheaper bids at energy auction.
Or, as another article puts it, "Exelon says its Byron and Dresden stations are losing money."

oumuamua adds that "With the urgency of the climate crisis more clear than ever, no nuclear plant should be closed prematurely while coal plants continue operation in the same state." Many celebrated the Senate move; however, others have criticized Exelon's actions. "Exelon first started what we've dubbed the nuclear hostage crisis. It's a pattern where a utility will for whatever reasons threaten closure, which gets the workers very upset, then the local community whose tax base depends on it gets upset, they pressure their legislators, and then the legislators grant bailouts," said Dave Kraft, head of the Nuclear Energy Information Service.

Kraft said rather than continuing to support nuclear energy, Illinois needs to redouble its commitment to wind and solar.

AI

Researchers Defeated Advanced Facial Recognition Tech Using Makeup (vice.com) 23

An anonymous reader quotes a report from Motherboard: Researchers have found a new and surprisingly simple method for bypassing facial recognition software using makeup patterns. A new study from Ben-Gurion University of the Negev found that software-generated makeup patterns can be used to consistently bypass state-of-the-art facial recognition software, with digitally and physically applied makeup fooling some systems with a success rate as high as 98 percent. In their experiment, the researchers defined their 20 participants as blacklisted individuals so their identification would be flagged by the system. They then used a selfie app called YouCam Makeup to digitally apply makeup to the facial images according to a heatmap that targets the most identifiable regions of the face. A makeup artist then emulated the digital makeup on the participants using natural-looking makeup in order to test the target model's ability to identify them in a realistic situation.

The researchers tested the attack method in a simulated real-world scenario in which participants wearing the makeup walked through a hallway to see whether they would be detected by a facial recognition system. The hallway was equipped with two live cameras that streamed to the MTCNN face detector while evaluating the system's ability to identify the participant. The experiment saw 100 percent success in the digital experiments on both the FaceNet model and the LResNet model, according to the paper. In the physical experiments, the participants were detected in 47.6 percent of the frames if they weren't wearing any makeup and 33.7 percent of the frames if they wore randomly applied makeup. Using the researchers' method of applying makeup to the highly identifiable parts of the attacker's face, they were only recognized in 1.2 percent of the frames.

Crime

Man Who Unlocked Nearly 2 Million AT&T Phones Gets 12 Years In Prison (theverge.com) 102

A man who the Department of Justice says unlocked AT&T customers' phones for a fee was sentenced to 12 years in prison, in what the judge called "a terrible cybercrime over an extended period," which allegedly continued even after authorities were on to the scheme. The Verge reports: According to a news release from the DOJ, in 2012, Muhammad Fahd, a citizen of Pakistan and Grenada, contacted an AT&T employee via Facebook and offered the employee "significant sums of money" to help him secretly unlock AT&T phones, freeing the customers from any installment agreement payments and from AT&T's service. Fahd used the alias Frank Zhang, according to the DOJ, and persuaded the AT&T employee to recruit other employees at its call center in Bothell, Washington, to help with the elaborate scheme. Fahd instructed the AT&T employees to set up fake businesses and phony bank accounts to receive payments, and to create fictitious invoices for deposits into the fake accounts to create the appearance that money exchanged as part of the scheme was payment for legitimate services.

In 2013, however, AT&T put into place a new unlocking system which made it harder for Fahd's crew to unlock phones' unique IMEI numbers, so according to the DOJ he hired a developer to design malware that could be installed on AT&T's computer system. This allegedly allowed him to unlock more phones, and do so more efficiently. The AT&T employees working with Fahd helped him access information about its systems and other employees' credentials, allowing his developer to tailor the malware more precisely, the DOJ said. A forensic analysis by AT&T showed Fahd and his helpers fraudulently unlocked more than 1.9 million phones, costing the company more than $200 million. Fahd was arrested in Hong Kong in 2018 and extradited to the US in 2019. He pleaded guilty in September 2020 to conspiracy to commit wire fraud.

Android

Google Will Extend Permission Auto-Reset Feature To Older Android Versions (therecord.media) 21

Google announced plans today to port its Permission Auto-Reset feature from Android 11 to older versions of its mobile operating system, as far back as Android 6. From a report: Launched last fall, the Permission Auto-Reset feature works by automatically withdrawing user permissions from an app that hasn't been opened and used for a few months. "Starting in December 2021, we are expanding this [feature] to billions more devices," Google said today. "This feature will automatically be enabled on devices with Google Play services that are running Android 6.0 (API level 23) or higher." Exempt from this new feature will be device admin apps and enterprise apps where the permissions have been fixed through a general enterprise policy.
Businesses

FTC Releases Findings on How Big Tech Eats Little Tech (axios.com) 17

Federal Trade Commission chair Lina Khan signaled changes are on the way in how the agency scrutinizes acquisitions after revealing the results of a study of a decade's worth of Big Tech company deals that weren't reported to the agency. From a report: Tech's business ecosystem is built on giant companies buying up small startups, but the message from the antitrust agency this week could chill mergers and acquisitions in the sector. The FTC reviewed 616 transactions valued at $1 million or more between 2010 and 2019 that were not reported to antitrust authorities by Amazon, Apple, Facebook, Google and Microsoft. 94 of the transactions actually exceeded the dollar size threshold that would require companies to report a deal. The deals may have qualified for other regulatory exemptions. 79% of transactions used deferred or contingent compensation to founders and key employees, and nearly 77% involved non-compete clauses. 36% of the transactions involved assuming some amount of debt or liabilities. In a statement, Khan said the report shows that loopholes may be "unjustifiably enabling deals to fly under the radar."
Crime

Telegram Emerges as New Dark Web for Cyber Criminals (ft.com) 44

Telegram has exploded as a hub for cybercriminals looking to buy, sell and share stolen data and hacking tools, new research shows, as the messaging app emerges as an alternative to the dark web. From a report: An investigation by cyber intelligence group Cyberint, together with the Financial Times, found a ballooning network of hackers sharing data leaks on the popular messaging platform, sometimes in channels with tens of thousands of subscribers, lured by its ease of use and light-touch moderation. In many cases, the content resembled that of the marketplaces found on the dark web, a group of hidden websites that are popular among hackers and accessed using specific anonymising software. "We have recently been witnessing a 100 per cent-plus rise in Telegram usage by cybercriminals," said Tal Samra, cyber threat analyst at Cyberint.

"Its encrypted messaging service is increasingly popular among threat actors conducting fraudulent activity and selling stolen data... as it is more convenient to use than the dark web." The rise in nefarious activity comes as users flocked to the encrypted chat app earlier this year after changes to the privacy policy of Facebook-owned rival WhatsApp prompted many to seek out alternatives. Launched in 2013, Telegram allows users to broadcast messages to a following via "channels," or create public and private groups that are simple for others to access. Users can also send and receive large data files, including text and zip files, directly via the app.

Bitcoin

US Judge Sentences Crypto Hedge Fund Scammer To Over Seven Years In Prison (tomshardware.com) 28

The U.S. Department of Justice announced Wednesday that Stefan He Qin, the founder of two cryptocurrency-focused hedge funds who pled guilty to securities fraud in February, has been sentenced to 90 months in prison for his actions. Tom's Hardware reports: Qin's funds were called Virgil Sigma and VQR. Both were supposed to offer investors a way to profit off the crypto market that "was not exposed to any risk from the price of cryptocurrency moving up or down and therefore provided a relatively safe and liquid investment." Those claims didn't seem to attract much scrutiny; the DOJ noted that The Wall Street Journal actually profiled Qin in 2018 to celebrate his fund's apparent success. But U.S. Attorney Audrey Strauss said in a statement that Qin's funds were actually devoted to his personal gain rather than solid financial returns for investors: "Qin's investors soon discovered that his strategies [emphasis Strauss'] weren't much more than a disguised means for him to embezzle and make unauthorized investments with client funds. When faced with redemption requests he couldn't fulfill, Qin doubled down on his scheme by attempting to plunder funds from VQR to satisfy his victim investors' demands. Qin's brazen and wide-ranging scheme left his beleaguered investors in the lurch for over $54 million, and he has now been handed the appropriately lengthy sentence of over seven years in federal prison." The DOJ said that in addition to the 90-month prison sentence, Qin "was also sentenced to three years of supervised release, and ordered to forfeit $54,793,532" and that "the Virgil Sigma fund and VQR have ceased operations and the liquidation and distribution of assets is being handled by a court-appointed receiver."

Privacy

FTC Warns Health Apps To Notify Consumers Impacted by Data Breaches (thehill.com) 7

The Federal Trade Commission (FTC) voted 3-2 Wednesday that a decade-old rule on health data breaches applies to apps that handle sensitive health information, warning these companies to comply. From a report: The new policy statement agreed to by the FTC was intended to clarify the agency's 2009 Health Breach Notification Rule, which requires vendors handling health records to notify consumers if the data is accessed through a breach or other means without the individual's authorization. The new policy states that the rule applies to health apps, such as those tracking fitness or menstrual cycles, which have been developed over the past decade.

"As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever," the policy statement agreed to Wednesday reads. "Firms offering these services should take appropriate care to secure and protect consumer data." The FTC intends to enforce the new policy, with those in violation facing a financial penalty of over $43,000 per day.

Open Source

Travis CI Flaw Exposed Secrets of Thousands of Open Source Projects (arstechnica.com) 28

An anonymous reader quotes a report from Ars Technica: Travis CI is a popular software-testing tool due to its seamless integration with GitHub and Bitbucket. As the makers of the tool explain: "When you run a build, Travis CI clones your GitHub repository into a brand-new virtual environment and carries out a series of tasks to build and test your code. If one or more of those tasks fail, the build is considered broken. If none of the tasks fail, the build is considered passed and Travis CI can deploy your code to a web server or application host." But this month, researcher Felix Lange found a security vulnerability that caused Travis CI to include the secure environment variables of all public open source repositories that use Travis CI in pull request builds. Environment variables can include sensitive secrets like signing keys, access credentials, and API tokens. If these variables are exposed, attackers can abuse the secrets to move laterally into the networks of thousands of organizations.

Tracked as CVE-2021-41077, the bug is present in Travis CI's activation process and impacts certain builds created between September 3 and September 10. As a part of this activation process, developers are supposed to add a ".travis.yml" file to their open source project repository. This file tells Travis CI what to do and may contain encrypted secrets. Another place encrypted secrets may be defined is Travis' web UI. But, these secrets are not meant to be exposed. In fact, Travis CI's docs have always stated, "Encrypted environment variables are not available to pull requests from forks due to the security risk of exposing such information to unknown code." Ideally, Travis is expected to run in a manner that prevents public access to any secret environment variables specified. [...] This vulnerability caused these sorts of secrets to be unexpectedly exposed to just about anyone forking a public repository and printing files during a build process. Fortunately, the issue didn't last too long -- around eight days, thanks to Lange and other researchers who notified the company of the bug on September 7. But out of caution, all projects relying on Travis CI are advised to rotate their secrets.
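The failure mode described above is secrets reaching a build that was triggered by a pull request from a fork, where the submitter controls the build script and can simply print them. The guard below is an added example, not Travis CI's code or anything from the affected projects: a POSIX shell step a project could run first in its build to detect that condition and abort before any later step can leak anything. It reads the documented Travis variables TRAVIS_PULL_REQUEST, TRAVIS_PULL_REQUEST_SLUG, TRAVIS_REPO_SLUG and TRAVIS_SECURE_ENV_VARS; the secret variable name DEPLOY_KEY and the repository slugs are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not Travis CI's own code): refuse to continue a build that
# comes from a fork's pull request yet has secure environment variables in it,
# which is exactly what CVE-2021-41077 produced. Variable names TRAVIS_* are
# the documented Travis ones; DEPLOY_KEY and the slugs below are assumptions.

# is_fork_pr PR PR_SLUG REPO_SLUG
# Returns 0 when the build was triggered by a pull request whose source
# repository differs from the repository being built (i.e. a fork).
is_fork_pr() {
  pr="$1"; pr_slug="$2"; repo_slug="$3"
  [ "$pr" != "false" ] && [ -n "$pr_slug" ] && [ "$pr_slug" != "$repo_slug" ]
}

# secrets_visible NAME...
# Returns 0 if any of the named variables is set to a non-empty value in the
# current environment, i.e. a secret is actually present in this build.
secrets_visible() {
  for name in "$@"; do
    eval "val=\${$name:-}"
    [ -n "$val" ] && return 0
  done
  return 1
}

# guard PR PR_SLUG REPO_SLUG SECURE_FLAG NAME...
# Returns 0 when the build may proceed and 1 when secrets are present in a
# fork PR build. Both Travis's own flag and the real variables are checked,
# since the bug is precisely that the platform's promise did not hold.
guard() {
  pr="$1"; pr_slug="$2"; repo_slug="$3"; secure="$4"; shift 4
  if is_fork_pr "$pr" "$pr_slug" "$repo_slug"; then
    if [ "$secure" = "true" ] || secrets_visible "$@"; then
      echo "LEAK: fork PR build from $pr_slug has secure env vars; aborting" >&2
      return 1
    fi
    echo "fork PR build from $pr_slug, no secrets present: ok"
    return 0
  fi
  echo "trusted build ($repo_slug): secrets expected"
  return 0
}

# Example invocation for a before_install step. The defaults stand in for the
# Travis environment so the script also runs offline; octo/app is made up.
guard "${TRAVIS_PULL_REQUEST:-false}" "${TRAVIS_PULL_REQUEST_SLUG:-}" \
      "${TRAVIS_REPO_SLUG:-octo/app}" "${TRAVIS_SECURE_ENV_VARS:-false}" DEPLOY_KEY
```

A step like this is defence in depth only: it catches the platform failing to withhold secrets, but it cannot undo exposure that already happened, which is why the advice in the report is to rotate every secret the affected builds could have seen.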

The presence and relatively quick patching of the flaw aside, Travis CI's concise security bulletin and overall handling of the coordinated disclosure process has infuriated the developer community. In a long Twitter thread, Peter Szilagyi details the arduous process that his group endured as it waited for Travis CI to take action and release a brief security bulletin on an obscure webpage. "After 3 days of pressure from multiple projects, [Travis CI] silently patched the issue on the 10th. No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen," tweeted Szilagyi. After Szilagyi and Lange asked GitHub to ban Travis CI over its poor security posture and vulnerability disclosure processes, an advisory showed up. "Finally, after multiple ultimatums from multiple projects, [they] posted this lame-ass post hidden deep where nobody will read it... Not even a single 'thank you.' [No] acknowledgment of responsible disclosure. Not even admitting the gravity of it all," said Szilagyi, while referring to the security bulletin -- and especially its abridged version, which included barely any details. Szilagyi was joined by several members of the community in criticizing the bulletin. Boston-based web developer Jake Jarvis called the disclosure an "insanely embarrassing 'security bulletin.'"

"Travis CI implemented a series of security patches starting on Sept 3rd that resolves this issue," concluded Mendy on behalf of the Travis CI team. "As a reminder, cycling your secrets is something that all users should do on a regular basis. If you are unsure how to do this, please contact Support."

The Courts

DoorDash Sues NYC Over Customer Data Law (reuters.com) 65

DoorDash sued New York City on Wednesday over a new law requiring food delivery companies to share customer data with restaurants, saying it violates customer privacy and lets restaurants compete unfairly. Reuters reports: It was filed in federal court in Manhattan six days after DoorDash, Grubhub and Uber Eats sued the United States' most populous city over a separate law capping fees that delivery companies charge restaurants. [...] In Wednesday's lawsuit, San Francisco-based DoorDash said New York exhibited "naked animus" by requiring food delivery companies to provide customers' names, phone numbers, email addresses and delivery addresses to restaurants. DoorDash said this would let restaurants "free-ride" on the data in a "shocking and invasive intrusion of consumers' privacy," saying restaurants would not demand the same information from in-person diners. It also said "more vulnerable populations, especially undocumented customers" could be harmed if data were mishandled, and shared with immigration authorities or hate groups.
