United States

US Government Tells Officials, Politicians To Ditch Regular Calls and Texts (reuters.com)

The U.S. government is urging senior government officials and politicians to ditch phone calls and text messages following intrusions at major American telecommunications companies blamed on Chinese hackers. From a report: In written guidance released on Wednesday, the Cybersecurity and Infrastructure Security Agency said "individuals who are in senior government or senior political positions" should "immediately review and apply" a series of best practices around the use of mobile devices.

The first recommendation: "Use only end-to-end encrypted communications." End-to-end encryption -- a data protection technique which aims to make data unreadable by anyone except its sender and its recipient -- is baked into various chat apps, including Meta's WhatsApp, Apple's iMessage, and the privacy-focused app Signal. Neither regular phone calls nor text messages are end-to-end encrypted, which means they can be monitored, either by the telephone companies, law enforcement, or, potentially, hackers who've broken into the phone companies' infrastructure.

Privacy

Wales Police Begin Using a Facial-Recognition Phone App (bbc.co.uk)

"There are concerns human rights will be breached," reports the BBC, as Wales police forces launch a facial-recognition app that "will allow officers to use their phones to confirm someone's identity." The app, known as Operator Initiated Facial Recognition (OIFR), has already been tested by 70 officers across south Wales and will be used by South Wales Police and Gwent Police. Police said its use on unconscious or dead people would help officers to identify them promptly so their family can be reached with care and compassion. In cases where someone is wanted for a criminal offence, the forces said it would secure their quick arrest and detention. Police also said cases of mistaken identity would be easily resolved without the need to visit a police station or custody suite.

Police said photos taken using the app would not be retained, and those taken in private places such as houses, schools, medical facilities and places of worship would only be used in situations relating to a risk of significant harm.

Liberty, a civil liberties group, is urging new privacy protections from the government, according to the article, which also includes this quote from Jake Hurfurt, of the civil liberties/privacy group Big Brother Watch. "In Britain, none of us has to identify ourselves to police without very good reason but this unregulated surveillance tech threatens to take that fundamental right away."
AI

Google's NotebookLM AI Podcast Hosts Can Now Talk To You, Too

Google's NotebookLM and its podcast-like Audio Overviews are being updated with a new feature that allows listeners to interact with the AI "hosts." Google describes how this feature works in a blog post. The Verge reports: In addition to the interactive Audio Overviews, Google is introducing a new interface for NotebookLM that organizes things into three areas: a "sources" panel for your information, a "chat" panel to talk with an AI chatbot about the sources, and a "studio" panel that lets you make things like Audio Overviews and Study Guides. I think it looks nice.

Google is announcing a NotebookLM subscription, too: NotebookLM Plus. The subscription will give you "five times more Audio Overviews, notebooks, and sources per notebook," let you "customize the style and tone of your notebook responses," let you make shared team notebooks, and will offer "additional privacy and security," Google says. The subscription is available today for businesses, schools and universities, and organizations and enterprise customers. It will be added to Google One AI Premium in "early 2025." Google is also launching "Agentspace," a platform for custom AI agents for enterprises.
Microsoft

Microsoft Recall Screenshots Credit Cards, Social Security Numbers (tomshardware.com)

An anonymous reader quotes a report from Tom's Hardware, written by Avram Piltch: Microsoft's Recall feature recently made its way back to Windows Insiders after having been pulled from test builds back in June, due to security and privacy concerns. The new version of Recall encrypts the screens it captures and, by default, it has a "Filter sensitive information" setting enabled, which is supposed to prevent it from recording any app or website that is showing credit card numbers, social security numbers, or other important financial / personal info. In my tests, however, this filter only worked in some situations (on two e-commerce sites), leaving a gaping hole in the protection it promises.

When I entered a credit card number and a random username / password into a Windows Notepad window, Recall captured it, despite the fact that I had text such as "Capital One Visa" right next to the numbers. Similarly, when I filled out a loan application PDF in Microsoft Edge, entering a social security number, name and DOB, Recall captured that. (Note that all info in these screenshots is made up). I also created my own HTML page with a web form that said, explicitly, "enter your credit card number below." The form had fields for Credit card type, number, CVC and expiration date. I thought this might trigger Recall to block it, but the software captured an image of my form filled out, complete with the credit card data.
Recall did refuse to capture the credit card fields on the payment pages of Pimoroni and Adafruit. "So, when it came to real-world commerce sites that I visited, Recall got it right," adds Piltch. "However, what my experiment proves is that it's pretty much impossible for Microsoft's AI filter to identify every situation where sensitive information is on screen and avoid capturing it."
AI

Photobucket Sued Over Plans To Sell User Photos, Biometric Identifiers To AI Companies (arstechnica.com)

Photobucket was sued Wednesday after a recent privacy policy update revealed plans to sell users' photos -- including biometric identifiers like face and iris scans -- to companies training generative AI models. From a report: The proposed class action seeks to stop Photobucket from selling users' data without first obtaining written consent, alleging that Photobucket either intentionally or negligently failed to comply with strict privacy laws in states like Illinois, New York, and California by claiming it can't reliably determine users' geolocation.

Two separate classes could be protected by the litigation. The first includes anyone who ever uploaded a photo between 2003 -- when Photobucket was founded -- and May 1, 2024. Another potentially even larger class includes any non-users depicted in photographs uploaded to Photobucket, whose biometric data has also allegedly been sold without consent.

Photobucket risks huge fines if a jury agrees with Photobucket users that the photo-storing site unjustly enriched itself by breaching its user contracts and illegally seizing biometric data without consent. As many as 100 million users could be awarded untold punitive damages, as well as up to $5,000 per "willful or reckless violation" of various statutes.

Open Source

Slashdot's Interview with Bruce Perens: How He Hopes to Help 'Post Open' Developers Get Paid (slashdot.org)

Bruce Perens, original co-founder of the Open Source Initiative, has responded to questions from Slashdot readers about a new alternative he's developing that hopefully helps "Post Open" developers get paid.

But first, "One of the things that's clear from the Slashdot patter is that people are not aware of what I've been doing, in general," Perens says. "So, let's start by filling that in..."

Read on for the rest of his wide-ranging answers....
Mozilla

What Do You Think of Mozilla's New Branding? (itsfoss.com)

As a "global crew of activists, technologists and builders," Mozilla open-sourced Firefox more than 25 years ago, notes a new blog post — and their president says Mozilla's mission is the same today: "build and support technology in the public interest, and spark more innovation, more competition and more choice online along the way."

But "Even though we've been at the forefront of privacy and open source, people weren't getting the full picture of what we do. We were missing opportunities to connect with both new and existing users." So this week the company announced a branding refresh, "making sure people know Mozilla for its broader impact, as well as Firefox."

The open-source blog It's FOSS writes: Meant to symbolize their activist spirit, the new brand identity of Mozilla involves a custom semi-slab typeface that spells Mozilla, followed by a flag that was taken from the M of their name. Mozilla points out that this is not just a rebranding, but something that will lay the foundation for the next 25 years, helping them promote the ideals of privacy and open source.
Mozilla teamed up with the design agency used by major brands like Uber and Burger King, for a strategy they say will "embody our role as a leader in digital rights and innovation, putting people over profits through privacy-preserving products, open-source developer tools, and community-building efforts..." We back people and projects that move technology, the internet and AI in the right direction. In a time of privacy breaches, AI challenges and misinformation, this transformation is all about rallying people to take back control of their time, individual expression, privacy, community and sense of wonder... [T]he new brand empowers people to speak up, come together and build a happier, healthier internet — one where we can all shape how our lives, online and off, unfold...

- The flag symbol highlights our activist spirit, signifying a commitment to 'Reclaim the Internet.' A symbol of belief, peace, unity, pride, celebration and team spirit — built from the 'M' for Mozilla and a pixel that is conveniently displaced to reveal a wink to its iconic Tyrannosaurus rex symbol designed by Shepard Fairey. The flag can transform into a more literal interpretation as its new mascot in ASCII art style, and serve as a rallying cry for our cause...

- The custom typefaces are bespoke and an evolution of its Mozilla slab serif today. It stands out in a sea of tech sans. The new interpretation is more innovative and built for its tech platforms. The sans brings character to something that was once hard working but generic. These fonts are interchangeable and allow for a greater degree of expression across its brand experience, connecting everything together.

The blog post at It's FOSS ends with a "trip down memory lane" — showing Mozilla's two previous logos. "I will be honest, I liked the Dino better," they write, "the 2024 logo is a nice mix of a custom typeface and a flag, which looks really neat in my opinion."
Open Source

Ask Bruce Perens Your Questions About How He Hopes to Get Open Source Developers Paid (postopen.org)

Bruce Perens wrote the original Open Source definition back in 1997, and then co-founded the Open Source Initiative with Eric Raymond in 1998. But after resigning from the group in 2020, Perens is now diligently developing an alternative he calls "Post Open" to "meet goals that Open Source fails at today" — even providing a way to pay developers for their work.

To make it all happen, he envisions software developers owning (and controlling) a not-for-profit corporation developing a body of software called "the Post Open Collection" and collecting its licensing fees to distribute among developers. The hope? To "make it possible for an individual developer to stay at home and code all day, and make their living that way without having to build a company."

The not-for-profit entity — besides actually enforcing its licensing — could also:
  • Provide tech support, servicing all Post-Open software through one entity.
  • Improve security by providing developers with cryptographic-hardware-backed authentication guaranteeing secure software chain-of-custody.
  • Handle onerous legal requirements like compliance with the EU Cyber Resilience Act "on behalf of all developers in the Post Open Collection".
  • Compensate documentation writers.
  • Fund lobbying on behalf of developers, along with advocacy for their software's privacy-preserving features.

"We've started to build the team," Perens said in a recent interview, announcing weeks ago that attorneys are already discussing the structure of the future organization and its proposed license.

But what do you think? Perens has agreed to answer questions from Slashdot readers...

He's also Slashdot reader #3,872. (And Perens is also an amateur radio operator, currently on the board of M17 — a community of open source developers and radio enthusiasts — and in general support of Open Source and Amateur Radio projects through his non-profit HamOpen.org.) But more importantly, Perens "was the person to announce 'Open Source' to the world," according to his official site. Now's your chance to ask him about his next new big idea...

Ask as many questions as you'd like, but please, one per comment. We'll pick the very best questions — and forward them on to Bruce Perens himself to answer!

UPDATE: Bruce Perens has answered your questions!

Privacy

FTC Bans Location Data Company That Powers the Surveillance Ecosystem (404media.co)

The Federal Trade Commission on Tuesday announced sweeping action against some of the most important companies in the location data industry, including those that power surveillance tools used by a wide spread of U.S. law enforcement agencies, and demanded that they delete data related to certain sensitive areas like health clinics and places of worship. From a report: Venntel, through its parent company Gravy Analytics, takes location data from smartphones, either through ordinary apps installed on them or through the advertising ecosystem, and then provides that data feed to other companies who sell location tracking technology to the government, or sells the data directly itself.

Venntel is the company that provides the underlying data for a variety of other government contractors and surveillance tools, including Locate X. 404 Media and a group of other journalists recently revealed Locate X could be used to pinpoint phones that visited abortion clinics. The FTC says in a proposed order that Gravy and Venntel will be banned from selling, disclosing, or using sensitive location data, except in "limited circumstances" involving national security or law enforcement.

Businesses

Employee Lawsuit Accuses Apple of Spying on Its Workers (semafor.com)

A new lawsuit filed by a current Apple employee accuses the company of spying on its workers via their personal iCloud accounts and non-work devices. From a report: The suit, filed Sunday evening in California state court, alleges Apple employees are required to give up the right to personal privacy, and that the company says it can "engage in physical, video and electronic surveillance of them" even when they are at home and after they stop working for Apple.

Those requirements are part of a long list of Apple employment policies that the suit contends violate California law. The plaintiff in the case, Amar Bhakta, has worked in advertising technology for Apple since 2020. According to the suit, Apple used its privacy policies to harm his employment prospects. For instance, it forbade Bhakta from participating in public speaking about digital advertising and forced him to remove information from his LinkedIn page about his job at Apple.

Social Networks

Bluesky's Open API Means Anyone Can Scrape Your Data for AI Training. It's All Public (techcrunch.com)

Bluesky says it will never train generative AI on its users' data. But despite that, "one million public Bluesky posts — complete with identifying user information — were crawled and then uploaded to AI company Hugging Face," reports Mashable (citing an article by 404 Media).

"Shortly after the article's publication, the dataset was removed from Hugging Face," the article notes, with the scraper at Hugging Face posting an apology. "While I wanted to support tool development for the platform, I recognize this approach violated principles of transparency and consent in data collection. I apologize for this mistake." But TechCrunch noted the incident's real lesson. "Bluesky's open API means anyone can scrape your data for AI training," calling it a timely reminder that everything you post on Bluesky is public. Bluesky might not be training AI systems on user content as other social networks are doing, but there's little stopping third parties from doing so...

Bluesky said that it's looking at ways to enable users to communicate their consent preferences externally, [but] the company posted: "Bluesky won't be able to enforce this consent outside of our systems. It will be up to outside developers to respect these settings. We're having ongoing conversations with engineers & lawyers and we hope to have more updates to share on this shortly!"

Mashable notes Bluesky's response to 404Media — that Bluesky is like a website, and "Just as robots.txt files don't always prevent outside companies from crawling those sites, the same applies here."

So "While many commentators said that data collection should be opt in, others argued that Bluesky data is publicly available anyway and so the dataset is fair use," according to SiliconRepublic.com.
Games

Riot Games is Cracking Down on Players' Off-Platform Conduct

Riot Games has announced sweeping changes to its terms of service, expanding penalties for player misconduct beyond in-game behavior to include content creation and social media activities.

The new rules, Engadget reports, enable "Riot-wide bans" for violations across platforms where players discuss or stream Riot games. The company will not actively monitor social media but will respond to reported violations, particularly during game livestreams.
Australia

Australia To Ban Under-16s From Social Media After Passing Landmark Law (yahoo.com)

Australia will ban children under 16 from using social media after its senate approved what will become a world-first law. From a report: Children will be blocked from using platforms including TikTok, Instagram, Snapchat and Facebook, a move the Australian government argue is necessary to protect their mental health and wellbeing.

The online safety amendment (social media minimum age) bill will impose fines of up to 50 million Australian dollars ($32.5 million) on platforms for systemic failures to prevent young children from holding accounts. It would take effect a year after the bill becomes law, allowing platforms time to work out technological solutions that would also protect users' privacy. The senate passed the bill 34 votes to 19. The house of representatives overwhelmingly approved the legislation 102 votes to 13 on Wednesday.

Privacy

Senators Say TSA's Facial Recognition Program Is Out of Control (gizmodo.com)

A bipartisan group of 12 senators has urged the TSA inspector general to investigate the agency's use of facial recognition technology, citing concerns over privacy, civil liberties, and its expansion to over 430 airports without sufficient safeguards or proven effectiveness. Gizmodo reports: "This technology will soon be in use at hundreds of major and mid-size airports without an independent evaluation of the technology's precision or an audit of whether there are sufficient safeguards in place to protect passenger privacy," the senators wrote. The letter was signed by Jeffrey Merkley (D-OR), John Kennedy (R-LA), Ed Markey (D-MA), Ted Cruz (R-TX), Roger Marshall (R-KS), Ron Wyden (D-OR), Steve Daines (R-MT), Elizabeth Warren (D-MA), Bernie Sanders (I-VT), Cynthia Lummis (R-WY), Chris Van Hollen (D-MD), and Peter Welch (D-VT).

While the TSA's facial recognition program is currently optional and only in a few dozen airports, the agency announced in June that it plans to expand the technology to more than 430 airports. And the senators' letter quotes a talk given by TSA Administrator David Pekoske in 2023 in which he said "we will get to the point where we require biometrics across the board." [...] The latest letter urges the TSA's inspector general to evaluate the agency's facial recognition program to determine whether it's resulted in a meaningful reduction in passenger delays, assess whether it's prevented anyone on no-fly lists from boarding a plane, and identify how frequently it results in identity verification errors.

Privacy

Data Broker Leaves 600K+ Sensitive Files Exposed Online (theregister.com)

A security researcher discovered an unprotected database belonging to SL Data Services containing over 600,000 sensitive files, including criminal histories and background checks with names, addresses, and social media accounts. The Register reports: We don't know how long the personal information was openly accessible. Infosec specialist Jeremiah Fowler says he found the Amazon S3 bucket in October and reported it to the data collection company by phone and email every few days for more than two weeks. [The info service provider eventually closed up the S3 bucket, says Fowler, although he never received any response.] In addition to not being password protected, none of the information was encrypted, he told The Register. In total, the open bucket contained 644,869 PDF files in a 713.1 GB archive.

Some 95 percent of the documents Fowler saw were labeled "background checks," he said. These contained full names, home addresses, phone numbers, email addresses, employment, family members, social media accounts, and criminal record history belonging to thousands of people. In at least one of these documents, the criminal record indicated that the person had been convicted of sexual misconduct. It included case details, fines, dates, and additional charges. While court records and sex offender status are usually public records in the US, this exposed cache could be combined with other data points to make complete profiles of people -- along with their family members and co-workers -- providing everything criminals would need for targeted phishing and/or social engineering attacks.

Bitcoin

Tornado Cash Sanctions Overturned By US Appeals Court (coindesk.com)

A U.S. federal appeals court ruled that sanctions against Tornado Cash, a crypto transaction anonymization service, must be abandoned, stating that its immutable smart contracts do not constitute "property" under U.S. law and that the Treasury overstepped its authority. The ruling is available here (PDF). CoinDesk reports: The decision answers a controversial privacy debate on whether the government -- via a sanctions list maintained by the U.S. Treasury Department -- has a right to target the technology because it's associated with criminals. The ruling reversed a district court's August ruling that had sided with the government's pursuit of what it had characterized as a "notorious" crypto-mixing service.

OFAC had sanctioned Tornado Cash last year, contending that it was a vital tool used by bad actors including North Korea's Lazarus Group to launder crypto tokens pilfered from platforms and games such as Axie Infinity. Coinbase (COIN) and others had sued the government, claiming it had overreached. Paul Grewal, chief legal officer of crypto exchange Coinbase, cheered the ruling in a Tuesday post on X, calling it a "historic win for crypto." "These smart contracts must now be removed from the sanctions list and U.S. persons will once again be allowed to use this privacy-protecting protocol," Grewal wrote. "Put another way, the government's overreach will not stand."
"We readily recognize the real-world downsides of certain uncontrollable technology falling outside of OFAC's sanctioning authority," the judges said, referencing the ineffectiveness of a law that was established well before the world moved online. "But we must uphold the statutory bargain struck (or mis-struck) by Congress, not tinker with it."

Tornado Cash's TORN token has since rallied 500%, passing the $20 mark.
AI

Former Android Leaders Are Building an 'Operating System For AI Agents'

The Verge's Wes Davis reports: A new startup created by former Android leaders aims to build an operating system for AI agents. Among them is Hugo Barra, Google's former VP of Android product management, who says the new company -- named "/dev/agents" -- will revisit the leaders' "Android roots."

"We can see the promise of AI agents, but as a developer, it's just too hard to build anything good," /dev/agents cofounder and CEO and Google's former Android VP of engineering David Singleton told Bloomberg. He said the industry needs "an Android-like moment for AI."

The company is working on a cloud-based "next-gen operating system for AI agents" intended "for trusted agents to work with users across all of their devices," Singleton wrote in a post on X. He said that AI agents will "need new UI patterns, a reimagined privacy model, and a developer platform that makes it radically simpler to build useful agents."
Security

Russia-Linked Hackers Exploited Firefox, Windows Bugs In 'Widespread' Hacking Campaign (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Security researchers have uncovered two previously unknown zero-day vulnerabilities that are being actively exploited by RomCom, a Russian-linked hacking group, to target Firefox browser users and Windows device owners across Europe and North America. RomCom is a cybercrime group that is known to carry out cyberattacks and other digital intrusions for the Russian government. The group -- which was last month linked to a ransomware attack targeting Japanese tech giant Casio -- is also known for its aggressive stance against organizations allied with Ukraine, which Russia invaded in 2014.

Researchers with security firm ESET say they found evidence that RomCom combined use of the two zero-day bugs -- described as such because the software makers had no time to roll out fixes before they were used to hack people -- to create a "zero click" exploit, which allows the hackers to remotely plant malware on a target's computer without any user interaction. "This level of sophistication demonstrates the threat actor's capability and intent to develop stealthy attack methods," ESET researchers Damien Schaeffer and Romain Dumont said in a blog post on Monday. [...] Schaeffer told TechCrunch that the number of potential victims from RomCom's "widespread" hacking campaign ranged from a single victim per country to as many as 250 victims, with the majority of targets based in Europe and North America.
Mozilla and the Tor Project quickly patched a Firefox-based vulnerability after being alerted by ESET, with no evidence of Tor Browser exploitation. Meanwhile, Microsoft addressed a Windows vulnerability on November 12 following a report by Google's Threat Analysis Group, indicating potential use in government-backed hacking campaigns.
Security

Blue Yonder Ransomware Attack Disrupts Grocery Store Supply Chain (bleepingcomputer.com)

Blue Yonder, a Panasonic subsidiary specializing in AI-driven supply chain solutions, experienced a recent ransomware attack that impacted many of its customers. "Among its 3,000 customers are high-profile organizations like DHL, Renault, Bayer, Morrisons, Nestle, 3M, Tesco, Starbucks, Ace Hardware, Procter & Gamble, Sainsbury, and 7-Eleven," reports BleepingComputer. From the report: On Friday, the company warned that it was experiencing disruptions to its managed services hosting environment due to a ransomware incident that occurred the day before, on November 21. "On November 21, 2024, Blue Yonder experienced disruptions to its managed services hosted environment, which was determined to be the result of a ransomware incident," reads the announcement. "Since learning of the incident, the Blue Yonder team has been working diligently together with external cybersecurity firms to make progress in their recovery process. We have implemented several defensive and forensic protocols."

Blue Yonder claims it has detected no suspicious activity in its public cloud environment and is still processing multiple recovery strategies. [...] As expected, this has impacted clients directly, as a spokesperson for UK grocery store chain Morrisons has confirmed to the media they have reverted to a slower backup process. Sainsbury told CNN that it had contingency plans in place to overcome the disruption. A Saturday update informed customers that the restoration of the impacted services continued, but no specific timelines for complete restoration could be shared yet. Another update published on Sunday reiterated the same, urging clients to monitor the customer update page on Blue Yonder's website over the coming days.

Google

Meta Wants Apple and Google to Verify the Age of App Downloaders (msn.com)

Meta wants to force Apple and Google to verify the ages of people downloading apps from their app stores, reports the Washington Post — and now Meta's campaign "is picking up momentum" with legislators in the U.S. Congress.

Federal and state lawmakers have recently proposed a raft of measures requiring that platforms such as Meta's Facebook and Instagram block users under a certain age from using their sites. The push has triggered fierce debate over the best way to ascertain how old users are online. Last year Meta threw its support behind legislation that would push those obligations onto app stores rather than individual app providers, like itself, as your regular host and Naomi Nix reported. While some states have considered the plan, it has not gained much traction in Washington.

That could be shifting. Two congressional Republicans are preparing a new age verification bill that places the burden on app stores, according to two people familiar with the matter, who spoke on the condition of anonymity to discuss the plans... The bill would be the first of its kind on Capitol Hill, where lawmakers have called for expanding guardrails for children amid concerns about the risks of social media but where political divisions have bogged down talks. The measure would give parents the right to sue an app store if their child was exposed to certain content, such as lewd or sexual material, according to a copy obtained by the Tech Brief. App stores could be protected against legal claims, however, if they took steps to protect children against harms, such as verifying their ages and giving parents the ability to block app downloads.

The article points out that U.S. lawmakers "have the power to set national standards that could override state efforts if they so choose..."