Security

DOJ Quietly Removed Russian Malware From Routers in US Homes and Businesses (arstechnica.com)

An anonymous reader shares a report: More than 1,000 Ubiquiti routers in homes and small businesses were infected with malware used by Russian-backed agents to coordinate them into a botnet for crime and spy operations, according to the Justice Department. That malware, which worked as a botnet for the Russian hacking group Fancy Bear, was removed in January 2024 under a secret court order as part of "Operation Dying Ember," according to the FBI's director. It affected routers running Ubiquiti's EdgeOS, but only those that had not changed their default administrative password. Access to the routers allowed the hacking group to "conceal and otherwise enable a variety of crimes," the DOJ claims, including spearphishing and credential harvesting in the US and abroad.

Unlike previous attacks by Fancy Bear -- that the DOJ ties to GRU Military Unit 26165, which is also known as APT 28, Sofacy Group, and Sednit, among other monikers -- the Ubiquiti intrusion relied on a known malware, Moobot. Once infected by "Non-GRU cybercriminals," GRU agents installed "bespoke scripts and files" to connect and repurpose the devices, according to the DOJ. The DOJ also used the Moobot malware to copy and delete the botnet files and data, according to the DOJ, and then changed the routers' firewall rules to block remote management access. During the court-sanctioned intrusion, the DOJ "enabled temporary collection of non-content routing information" that would "expose GRU attempts to thwart the operation." This did not "impact the routers' normal functionality or collect legitimate user content information," the DOJ claims. "For the second time in two months, we've disrupted state-sponsored hackers from launching cyber-attacks behind the cover of compromised US routers," said Deputy Attorney General Lisa Monaco in a press release.

The Courts

RFK Jr. Wins Deferred Injunction In Vax Social Media Suit (bloomberglaw.com)

schwit1 writes: Robert F. Kennedy Jr. won a preliminary injunction against the White House and other federal defendants in his suit alleging government censorship of his statements against vaccines on social media. The injunction, however, will be stayed until the US Supreme Court rules in a related case brought by Missouri and Louisiana. An injunction is warranted because Kennedy showed he is likely to succeed on the merits of his claims, Judge Terry A. Doughty of the US District Court for the Western District of Louisiana said Wednesday.

The White House defendants, the Surgeon General defendants, the Centers for Disease Control and Prevention defendants, the Federal Bureau of Investigation defendants, and the Cybersecurity & Infrastructure Security Agency defendants likely violated the Free Speech Clause of the First Amendment, Doughty said. Kennedy's class action complaint, brought with health care professional Connie Sampognaro and Kennedy's nonprofit, Children's Health Defense, alleges that the federal government, beginning in early 2020, began a campaign to induce Facebook, Google (YouTube), and X, formerly known as Twitter, to censor constitutionally protected speech.

Specifically, Kennedy said, the government suppressed "facts and opinions about the COVID vaccines that might lead people to become 'hesitant' about COVID vaccine mandates." Kennedy has sufficiently shown that these defendants "jointly participated in the actions of the social media" platforms by '"insinuating' themselves into the social-media companies' private affairs and blurring the line between public and private action," Doughty said.

Cloud

Nginx Core Developer Quits Project, Says He No Longer Sees Nginx as 'Free and Open Source Project For the Public Good' (arstechnica.com)

A core developer of Nginx, currently the world's most popular web server, has quit the project, stating that he no longer sees it as "a free and open source project... for the public good." From a report: His fork, freenginx, is "going to be run by developers, and not corporate entities," writes Maxim Dounin, and will be "free from arbitrary corporate actions." Dounin is one of the earliest and still most active coders on the open source Nginx project and one of the first employees of Nginx, Inc., a company created in 2011 to commercially support the steadily growing web server. Nginx is now used on roughly one-third of the world's web servers, ahead of Apache.

Nginx Inc. was acquired by Seattle-based networking firm F5 in 2019. Later that year, two of Nginx's leaders, Maxim Konovalov and Igor Sysoev, were detained and interrogated in their homes by armed Russian state agents. Sysoev's former employer, Internet firm Rambler, claimed that it owned the rights to Nginx's source code, as it was developed during Sysoev's tenure at Rambler (where Dounin also worked). While the criminal charges and rights do not appear to have materialized, the implications of a Russian company's intrusion into a popular open source piece of the web's infrastructure caused some alarm. Sysoev left F5 and the Nginx project in early 2022. Later that year, due to the Russian invasion of Ukraine, F5 discontinued all operations in Russia. Some Nginx developers still in Russia formed Angie, developed in large part to support Nginx users in Russia. Dounin technically stopped working for F5 at that point, too, but maintained his role in Nginx "as a volunteer," according to Dounin's mailing list post.

Dounin writes in his announcement that "new non-technical management" at F5 "recently decided that they know better how to run open source projects. In particular, they decided to interfere with security policy nginx uses for years, ignoring both the policy and developers' position." While it was "quite understandable," given their ownership, Dounin wrote that it means he was "no longer able to control which changes are made in nginx," hence his departure and fork.

AI

OpenAI's Spectacular Video Tool Is Shrouded in Mystery

Every OpenAI release elicits awe and anxiety as capabilities advance, evident in Sora's strikingly realistic AI-generated video clips that went viral while unsettling industries reliant on original footage. But the company is again being secretive in all the wrong places about AI that can be used to spread misinformation. From a report: As usual, OpenAI won't talk about the all-important ingredients that went into this new tool, even as it releases it to an array of people to test before going public. Its approach should be the other way around. OpenAI needs to be more public about the data used to train Sora, and more secretive about the tool itself, given the capabilities it has to disrupt industries and potentially elections. OpenAI Chief Executive Officer Sam Altman said that red-teaming of Sora would start on Thursday, the day the tool was announced and shared with beta testers. Red-teaming is when specialists test an AI model's security by pretending to be bad actors who want to hack or misuse it. The goal is to make sure the same can't happen in the real world. When I asked OpenAI how long it would take to run these tests on Sora, a spokeswoman said there was no set length. "We will take our time to assess critical areas for harms or risks," she added.

The company spent about six months testing GPT-4, its most recent language model, before releasing it last year. If it takes the same amount of time to check Sora, that means it could become available to the public in August, a good three months before the US election. OpenAI should seriously consider waiting to release it until after voters go to the polls. [...] OpenAI is meanwhile being frustratingly secretive about the source of the information it used to create Sora. When I asked the company about what datasets were used to train the model, a spokeswoman said the training data came "from content we've licensed, and publicly available content." She didn't elaborate further.

NASA

OSIRIS-REx's Final Haul: 121.6 Grams From Asteroid Bennu (universetoday.com)

According to NASA, the OSIRIS-REx mission has successfully collected 121.6 grams, or almost 4.3 ounces, of rock and dust from the asteroid Bennu. Universe Today reports: These samples have been a long time coming. The OSIRIS-REx (Origins, Spectral Interpretation, Resource Identification, and Security-Regolith Explorer) was approved by NASA back in 2011 and launched in September 2016. It reached its target, the carbonaceous Apollo group asteroid 101955 Bennu, in December 2018. After spending months studying the asteroid and reconnoitring for a suitable sampling location, it selected one in December 2019. After two sampling rehearsals, the spacecraft gathered its sample on October 20th, 2020. In September 2023, the sample finally returned to Earth.

For OSIRIS-REx to be successful, it had to collect at least 60 grams of material. With a final total that is double that, it should open up more research opportunities and allow more of the material to be held untouched for future research. NASA says they will preserve 70% of the sample for the future, including for future generations. The next step is for the material to be put into containers and sent to researchers. More than 200 researchers around the world will receive samples. Many of the samples will find their way to scientists at NASA and institutions in the US, while others will go to researchers at institutions associated with the Canadian Space Agency, JAXA, and other partner nations. Canada will receive 4% of the sample, the first time that Canada's scientific community will have direct access to a returned asteroid sample.

EU

Apple Confirms iOS 17.4 Removes Home Screen Web Apps In the EU (9to5mac.com)

Apple has now offered an explanation for why iOS 17.4 removes support for Home Screen web apps in the European Union. Spoiler: it's because of the Digital Markets Act that went into effect last August. 9to5Mac reports: Last week, iPhone users in the European Union noticed that they were no longer able to install and run web apps on their iPhone's Home Screen in iOS 17.4. Apple has added a number of features over the years to improve support for progressive web apps on iPhone. For example, iOS 16.4 allowed PWAs to deliver push notifications with icon badges. One change in iOS 17.4 is that the iPhone now supports alternative browser engines in the EU. This allows companies to build browsers that don't use Apple's WebKit engine for the first time. Apple says that this change, required by the Digital Markets Act, is why it has been forced to remove Home Screen web apps support in the European Union.

Apple explains that it would have to build an "entirely new integration architecture that does not currently exist in iOS" to address the "complex security and privacy concerns associated with web apps using alternative browser engines." This work "was not practical to undertake given the other demands of the DMA and the very low user adoption of Home Screen web apps," Apple explains. "And so, to comply with the DMA's requirements, we had to remove the Home Screen web apps feature in the EU." "EU users will be able to continue accessing websites directly from their Home Screen through a bookmark with minimal impact to their functionality," Apple continues.

It's understandable that Apple wouldn't offer support for Home Screen web apps for third-party browsers. But why did it also remove support for Home Screen web apps for Safari? Unfortunately, that's another side effect of the Digital Markets Act. The DMA requires that all browsers have equality, meaning that Apple can't favor Safari and WebKit over third-party browser engines. Therefore, because it can't offer Home Screen web apps support for third-party browsers, it also can't offer support via Safari. [...] iOS 17.4 is currently available to developers and public beta testers, and is slated for a release in early March.

The full explanation was published on Apple's developer website today.

Encryption

Indian Government Moves To Ban ProtonMail After Bomb Threat

Following a hoax bomb threat sent via ProtonMail to schools in Chennai, India, police in the state of Tamil Nadu put in a request to block the encrypted email service in the region since they have been unable to identify the sender. According to Hindustan Times, that request was granted today. From the report: The decision to block Proton Mail was taken at a meeting of the 69A blocking committee on Wednesday afternoon. Under Section 69A of the IT Act, the designated officer, on approval by the IT Secretary and at the recommendation of the 69A blocking committee, can issue orders to any intermediary or a government agency to block any content for national security, public order and allied reasons. HT could not ascertain if a blocking order will be issued to Apple and Google to block the Proton Mail app. The final order to block the website has not yet been sent to the Department of Telecommunications but the MeitY has flagged the issue with the DoT.

During the meeting, the nodal officer representing the Tamil Nadu government submitted that a bomb threat was sent to multiple schools using ProtonMail, HT has learnt. The police attempted to trace the IP address of the sender but to no avail. They also tried to seek help from the Interpol but that did not materialise either, the nodal officer said. During the meeting, HT has learnt, MeitY representatives noted that getting information from Proton Mail, on other criminal matters, not necessarily linked to Section 69A related issues, is a recurrent problem.

Although Proton Mail is end-to-end encrypted, which means the content of the emails cannot be intercepted and can only be seen by the sender and recipient if both are using Proton Mail, its privacy policy states that due to the nature of the SMTP protocol, certain email metadata -- including sender and recipient email addresses, the IP address incoming messages originated from, attachment name, message subject, and message sent and received times -- is available with the company.

"We condemn a potential block as a misguided measure that only serves to harm ordinary people. Blocking access to Proton is an ineffective and inappropriate response to the reported threats. It will not prevent cybercriminals from sending threats with another email service and will not be effective if the perpetrators are located outside of India," said ProtonMail in a statement.

"We are currently working to resolve this situation and are investigating how we can best work together with the Indian authorities to do so. We understand the urgency of the situation and are completely clear that our services are not to be used for illegal purposes. We routinely remove users who are found to be doing so and are willing to cooperate wherever possible within international cooperation agreements."

Windows

Google Enables OS Upgrades For Older PCs Post-Windows 10 Support Cutoff

Google said it will allow businesses to install ChromeOS Flex on their Windows devices, "potentially preventing millions of PCs from hitting landfills after Microsoft ends support for Windows 10 next year," reports Reuters. The Chrome operating system will ultimately allow users to keep using their Windows 10 systems, while also providing regular security updates and features like data encryption. From the report: ChromeOS is significantly less popular than other operating systems. In January 2024, it held a 1.8% share of the worldwide desktop OS market, far behind Windows' share of about 73%, according to data from research firm Statcounter. ChromeOS has struggled with wider adaptability due to its incompatibility with legacy Windows applications and productivity suites used by businesses. Google said that ChromeOS would allow users to stream legacy Windows and productivity applications, which will help deliver them to devices by running the apps on a data center.

AI

OpenAI's Sora Turns AI Prompts Into Photorealistic Videos (wired.com)

An anonymous reader quotes a report from Wired: We already know that OpenAI's chatbots can pass the bar exam without going to law school. Now, just in time for the Oscars, a new OpenAI app called Sora hopes to master cinema without going to film school. For now a research product, Sora is going out to a few select creators and a number of security experts who will red-team it for safety vulnerabilities. OpenAI plans to make it available to all wannabe auteurs at some unspecified date, but it decided to preview it in advance. Other companies, from giants like Google to startups like Runway, have already revealed text-to-video AI projects. But OpenAI says that Sora is distinguished by its striking photorealism -- something I haven't seen in its competitors -- and its ability to produce longer clips than the brief snippets other models typically do, up to one minute. The researchers I spoke to won't say how long it takes to render all that video, but when pressed, they described it as more in the "going out for a burrito" ballpark than "taking a few days off." If the hand-picked examples I saw are to be believed, the effort is worth it.

OpenAI didn't let me enter my own prompts, but it shared four instances of Sora's power. (None approached the purported one-minute limit; the longest was 17 seconds.) The first came from a detailed prompt that sounded like an obsessive screenwriter's setup: "Beautiful, snowy Tokyo city is bustling. The camera moves through the bustling city street, following several people enjoying the beautiful snowy weather and shopping at nearby stalls. Gorgeous sakura petals are flying through the wind along with snowflakes." The result is a convincing view of what is unmistakably Tokyo, in that magic moment when snowflakes and cherry blossoms coexist. The virtual camera, as if affixed to a drone, follows a couple as they slowly stroll through a streetscape. One of the passersby is wearing a mask. Cars rumble by on a riverside roadway to their left, and to the right shoppers flit in and out of a row of tiny shops.

It's not perfect. Only when you watch the clip a few times do you realize that the main characters -- a couple strolling down the snow-covered sidewalk -- would have faced a dilemma had the virtual camera kept running. The sidewalk they occupy seems to dead-end; they would have had to step over a small guardrail to a weird parallel walkway on their right. Despite this mild glitch, the Tokyo example is a mind-blowing exercise in world-building. Down the road, production designers will debate whether it's a powerful collaborator or a job killer. Also, the people in this video -- who are entirely generated by a digital neural network -- aren't shown in close-up, and they don't do any emoting. But the Sora team says that in other instances they've had fake actors showing real emotions.

"It will be a very long time, if ever, before text-to-video threatens actual filmmaking," concludes Wired. "No, you can't make coherent movies by stitching together 120 of the minute-long Sora clips, since the model won't respond to prompts in the exact same way -- continuity isn't possible. But the time limit is no barrier for Sora and programs like it to transform TikTok, Reels, and other social platforms."

"In order to make a professional movie, you need so much expensive equipment," says Bill Peebles, another researcher on the project. "This model is going to empower the average person making videos on social media to make very high-quality content."

Further reading: OpenAI Develops Web Search Product in Challenge To Google

Privacy

Your AI Girlfriend Is a Data-Harvesting Horror Show (gizmodo.com)

"A lot of the AI chatbots that you spend days talking to push hard on getting more and more private information from you," writes longtime Slashdot reader michelcultivo, sharing a report from Gizmodo.

"To be perfectly blunt, AI girlfriends and boyfriends are not your friends," says Misha Rykov, a Mozilla Researcher from the company's *Privacy Not Included project. "Although they are marketed as something that will enhance your mental health and well-being, they specialize in delivering dependency, loneliness, and toxicity, all while prying as much data as possible from you." Gizmodo reports: Mozilla dug into 11 different AI romance chatbots, including popular apps such as Replika, Chai, Romantic AI, EVA AI Chat Bot & Soulmate, and CrushOn.AI. Every single one earned the Privacy Not Included label, putting these chatbots among the worst categories of products Mozilla has ever reviewed. You've heard stories about data problems before, but according to Mozilla, AI girlfriends violate your privacy in "disturbing new ways." For example, CrushOn.AI collects details including information about sexual health, use of medication, and gender-affirming care. 90% of the apps may sell or share user data for targeted ads and other purposes, and more than half won't let you delete the data they collect. Security was also a problem. Only one app, Genesia AI Friend & Partner, met Mozilla's minimum security standards.

One of the more striking findings came when Mozilla counted the trackers in these apps, little bits of code that collect data and share them with other companies for advertising and other purposes. Mozilla found the AI girlfriend apps used an average of 2,663 trackers per minute, though that number was driven up by Romantic AI, which called a whopping 24,354 trackers in just one minute of using the app. The privacy mess is even more troubling because the apps actively encourage you to share details that are far more personal than the kind of thing you might enter into a typical app. EVA AI Chat Bot & Soulmate pushes users to "share all your secrets and desires," and specifically asks for photos and voice recordings. It's worth noting that EVA was the only chatbot that didn't get dinged for how it uses that data, though the app did have security issues. [...]

Privacy

US Military Notifies 20,000 of Data Breach After Cloud Email Leak (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: The U.S. Department of Defense is notifying tens of thousands of individuals that their personal information was exposed in an email data spill last year. According to the breach notification letter sent out to affected individuals on February 1, the Defense Intelligence Agency -- the DOD's military intelligence agency -- said, "numerous email messages were inadvertently exposed to the Internet by a service provider," between February 3 and February 20, 2023. TechCrunch has learned that the breach disclosure letters relate to an unsecured U.S. government cloud email server that was spilling sensitive emails to the open internet. The cloud email server, hosted on Microsoft's cloud for government customers, was accessible from the internet without a password, likely due to a misconfiguration.

The DOD is sending breach notification letters to around 20,600 individuals whose information was affected. "As a matter of practice and operations security, we do not comment on the status of our networks and systems. The affected server was identified and removed from public access on February 20, 2023, and the vendor has resolved the issues that resulted in the exposure. DOD continues to engage with the service provider on improving cyber event prevention and detection. Notification to affected individuals is ongoing," said DOD spokesperson Cdr. Tim Gorman in an email to TechCrunch.

Encryption

Backdoors That Let Cops Decrypt Messages Violate Human Rights, EU Court Says (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: The European Court of Human Rights (ECHR) has ruled that weakening end-to-end encryption disproportionately risks undermining human rights. The international court's decision could potentially disrupt the European Commission's proposed plans to require email and messaging service providers to create backdoors that would allow law enforcement to easily decrypt users' messages. This ruling came after Russia's intelligence agency, the Federal Security Service (FSB), began requiring Telegram to share users' encrypted messages to deter "terrorism-related activities" in 2017, ECHR's ruling said. [...] In the end, the ECHR concluded that the Telegram user's rights had been violated, partly due to privacy advocates and international reports that corroborated Telegram's position that complying with the FSB's disclosure order would force changes impacting all its users.

The "confidentiality of communications is an essential element of the right to respect for private life and correspondence," the ECHR's ruling said. Thus, requiring messages to be decrypted by law enforcement "cannot be regarded as necessary in a democratic society." [...] "Weakening encryption by creating backdoors would apparently make it technically possible to perform routine, general, and indiscriminate surveillance of personal electronic communications," the ECHR's ruling said. "Backdoors may also be exploited by criminal networks and would seriously compromise the security of all users' electronic communications. The Court takes note of the dangers of restricting encryption described by many experts in the field."

Martin Husovec, a law professor who helped to draft EISI's testimony, told Ars that EISI is "obviously pleased that the Court has recognized the value of encryption and agreed with us that state-imposed weakening of encryption is a form of indiscriminate surveillance because it affects everyone's privacy." [...] EISI's Husovec told Ars that ECHR's ruling is "indeed very important," because "it clearly signals to the EU legislature that weakening encryption is a huge problem and that the states must explore alternatives." If the Court of Justice of the European Union endorses this ruling, which Husovec said is likely, the consequences for the EU's legislation proposing scanning messages to stop illegal content like CSAM from spreading "could be significant," Husovec told Ars. During negotiations this spring, lawmakers may have to make "major concessions" to ensure the proposed rule isn't invalidated in light of the ECHR ruling, Husovec told Ars.

Europol and the European Union Agency for Cybersecurity (ENISA) said in a statement: "Solutions that intentionally weaken technical protection mechanisms to support law enforcement will intrinsically weaken the protection against criminals as well, which makes an easy solution impossible."

Microsoft

Microsoft and OpenAI Say US Rivals Are Beginning To Use Generative AI in Offensive Cyber Operations (apnews.com)

Microsoft said Wednesday it had detected and disrupted instances of U.S. adversaries -- chiefly Iran and North Korea and to a lesser extent Russia and China -- using or attempting to exploit generative AI developed by the company and its business partner to mount or research offensive cyber operations. From a report: The techniques Microsoft observed, in collaboration with its partner OpenAI, represent an emerging threat and were neither "particularly novel or unique," the Redmond, Washington, company said in a blog post. But the blog does offer insight into how U.S. geopolitical rivals have been using large-language models to expand their ability to more effectively breach networks and conduct influence operations.

Microsoft said the "attacks" detected all involved large-language models the partners own and said it was important to expose them publicly even if they were "early-stage, incremental moves." Cybersecurity firms have long used machine-learning on defense, principally to detect anomalous behavior in networks. But criminals and offensive hackers use it as well, and the introduction of large-language models led by OpenAI's ChatGPT upped that game of cat-and-mouse.

Crime

Wi-Fi Jamming To Knock Out Cameras Suspected In Nine Minnesota Burglaries (tomshardware.com)

Mark Tyson reports via Tom's Hardware: A serial burglar in Edina, Minnesota is suspected of using a Wi-Fi jammer to knock out connected security cameras before stealing and making off with the victim's prized possessions. [...] Edina police suspect that nine burglaries in the last six months have been undertaken with Wi-Fi jammer(s) deployed to ensure incriminating video evidence wasn't available to investigators. The modus operandi of the thief or thieves is thought to be something like this:

- Homes in affluent areas are found
- Burglars carefully watch the homes
- The burglars avoid confrontation, so appear to wait until homes are empty
- Seizing the opportunity of an empty home, the burglars will deploy Wi-Fi jammer(s)
- "Safes, jewelry, and other high-end designer items," are usually taken

A security expert interviewed by the source publication, KARE11, explained that the jammers simply confused wireless devices rather than blocking signals. They usually work by overloading wireless traffic "so that real traffic cannot get through," the news site was told. [...] Worryingly, Wi-Fi jamming is almost a trivial activity for potential thieves in 2024. KARE11 notes that it could buy jammers online very easily and cheaply, with prices ranging from $40 to $1,000. Jammers are not legal to use in the U.S. but they are very easy to buy online.
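The correlated loss the burglars rely on is also the defender's signal: one camera dropping off is a flaky device, every camera going silent within the same few seconds looks like interference and is worth an alert on a wired channel. The following is an added example, not from the Tom's Hardware or KARE11 reporting; it assumes a wired hub that logs its own poll every 10 seconds alongside one heartbeat per wireless camera, and the log format and camera names are constructed for the example.

```python
"""Flag correlated camera dropouts of the kind Wi-Fi interference produces.

Assumption (not from the article): a wired hub writes one line per event,
"<ISO timestamp> <source> <event>", polling every 10 s and recording a
heartbeat from each wireless camera at the same cadence. The hub keeps
logging when the cameras go quiet, so its poll lines give us a clock.
"""
from datetime import datetime, timedelta

# Constructed sample log. cam-side misses two heartbeats on its own
# (a flaky device), then at 02:14:40 every camera stops reporting at once
# while the hub keeps polling: the pattern a jammer would leave behind.
SAMPLE_LOG = """\
2024-02-10T02:13:50 hub poll
2024-02-10T02:13:50 cam-front heartbeat
2024-02-10T02:13:50 cam-back heartbeat
2024-02-10T02:13:50 cam-garage heartbeat
2024-02-10T02:13:50 cam-side heartbeat
2024-02-10T02:14:00 hub poll
2024-02-10T02:14:00 cam-front heartbeat
2024-02-10T02:14:00 cam-back heartbeat
2024-02-10T02:14:00 cam-garage heartbeat
2024-02-10T02:14:10 hub poll
2024-02-10T02:14:10 cam-front heartbeat
2024-02-10T02:14:10 cam-back heartbeat
2024-02-10T02:14:10 cam-garage heartbeat
2024-02-10T02:14:20 hub poll
2024-02-10T02:14:20 cam-front heartbeat
2024-02-10T02:14:20 cam-back heartbeat
2024-02-10T02:14:20 cam-garage heartbeat
2024-02-10T02:14:20 cam-side heartbeat
2024-02-10T02:14:30 hub poll
2024-02-10T02:14:30 cam-front heartbeat
2024-02-10T02:14:30 cam-back heartbeat
2024-02-10T02:14:30 cam-garage heartbeat
2024-02-10T02:14:30 cam-side heartbeat
2024-02-10T02:14:40 hub poll
2024-02-10T02:14:50 hub poll
2024-02-10T02:15:00 hub poll
2024-02-10T02:15:10 hub poll
2024-02-10T02:15:20 hub poll
2024-02-10T02:15:30 hub poll
"""


def parse_log(text):
    """Yield (timestamp, source, event) tuples in log order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, event = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), source, event))
    return events


def find_correlated_dropouts(text, interval=10, missed=3, min_cameras=3):
    """Return [(poll_time, [silent cameras])] for each moment at which at
    least `min_cameras` cameras have all missed `missed` consecutive
    heartbeats. A single silent camera is ignored; simultaneous silence
    across the fleet is what we report. One alert per episode."""
    timeout = timedelta(seconds=interval * missed)
    last_seen = {}      # camera -> time of its most recent heartbeat
    alerts = []
    alerting = False    # suppress repeat alerts within one episode
    for ts, source, event in parse_log(text):
        if event == "heartbeat":
            last_seen[source] = ts
        elif source == "hub" and event == "poll":
            silent = sorted(cam for cam, seen in last_seen.items()
                            if ts - seen >= timeout)
            if len(silent) >= min_cameras:
                if not alerting:
                    alerts.append((ts, silent))
                    alerting = True
            else:
                alerting = False
    return alerts


if __name__ == "__main__":
    for when, cams in find_correlated_dropouts(SAMPLE_LOG):
        print(f"{when.isoformat()} {len(cams)} cameras silent: {', '.join(cams)}")
```

With the sample log the only alert fires at 02:15:00, three missed intervals after the last fleet-wide heartbeat, and cam-side's solo gap earlier is not reported.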

AI

Tech Companies Plan To Sign Accord To Combat AI-Generated Election Trickery (go.com)

At least six major tech companies, including Adobe, Google, Meta, Microsoft, OpenAI and TikTok, plan to sign an agreement this week that details how they'll attempt to stop the use of AI-generated election misinformation and deepfakes. ABC News reports: "In a critical year for global elections, technology companies are working on an accord to combat the deceptive use of AI targeted at voters," said a joint statement from several companies Tuesday. "Adobe, Google, Meta, Microsoft, OpenAI, TikTok and others are working jointly toward progress on this shared objective and we hope to finalize and present details on Friday at the Munich Security Conference."

The companies declined to share details of what's in the agreement. Many have already said they're putting safeguards on their own generative AI tools that can manipulate images and sound, while also working to identify and label AI-generated content so that social media users know if what they're seeing is real.

Security

Infosys Subsidiary Named as Source of Bank of America Data Leak (theregister.com)

Indian tech services giant Infosys has been named as the source of a data leak suffered by the Bank of America. From a report: Infosys disclosed the breach in a November 3, 2023, filing that revealed its US subsidiary Infosys McCamish Systems LLC (IMS) "has become aware of a cyber security incident resulting in non-availability of certain applications and systems in IMS." A data breach notification filed in the US state of Maine this week describes the incident as "External system breach (hacking)" and reveals the improperly accessed data includes "Name or other personal identifier in combination with: Social Security Number."

The notification was submitted by an outside attorney working on behalf of the Bank of America, names IMS as the source, and revealed that information on 57,028 people was leaked. A sample of the letter sent to those impacted by the incident reveals that on November 24, "IMS told Bank of America that data concerning deferred compensation plans serviced by Bank of America may have been compromised. Bank of America's systems were not compromised." Things then get a bit scary: "It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident at IMS. According to our records, deferred compensation plan information may have included your first and last name, address, business email address, date of birth, Social Security number, and other account information."

Security

FCC Requires Telcos To Disclose When Your Personal Info Is Stolen

Starting today, telcos in America will need to report system break-ins to the FCC within seven days. "[T]he same deadline now exists to report any data leaks to the FBI and US Secret Service as well," adds The Register. From the report: After releasing a proposed rule in early January and giving the industry 30 days to respond, the FCC's final rule was published today. It solidifies what the agency proposed a little more than a month ago, and what was teased in early 2022 when FCC chairwoman Jessica Rosenworcel drafted initial changes to the commission's 16-year-old security "breach" reporting duties.

Along with requiring that attacks are reported to the FCC within seven days of a telco discovering them, the same deadline now exists to report any data leaks to the FBI and US Secret Service as well. As the FCC planned, the new rule also eliminates the mandatory seven-day waiting period for reporting break-ins to consumers. The FCC now "requires carriers to notify customers of breaches of covered data without unreasonable delay ... and in no case more than 30 days following reasonable determination of a breach."

"Reasonable determination" of a data blurt is further defined as "when the carrier has information indicating that it is more likely than not that there was a breach" and "does not mean reaching a conclusion regarding every fact surrounding a data security incident that may constitute a breach." In other words, if customers are affected then they had better be notified post-haste. The FCC has additionally extended the scope of data exposure types that telecom customers must be notified of. Prior to the passage of the new rule, customers only had to be told if customer proprietary network information (CPNI) was exposed to the world.

Privacy

'World's Biggest Casino' App Exposed Customers' Personal Data (techcrunch.com)

An anonymous reader shares a report: The startup that develops the phone app for casino resort giant WinStar has secured an exposed database that was spilling customers' private information to the open web. Oklahoma-based WinStar bills itself as the "world's biggest casino" by square footage. The casino and hotel resort also offers an app, My WinStar, in which guests can access self-service options during their hotel stay, their rewards points and loyalty benefits, and casino winnings.

The app is developed by a Nevada software startup called Dexiga. The startup left one of its logging databases on the internet without a password, allowing anyone with knowledge of its public IP address to access the WinStar customer data stored within using only their web browser. Dexiga took the database offline after TechCrunch alerted the company to the security lapse. Anurag Sen, a good-faith security researcher who has a knack for discovering inadvertently exposed sensitive data on the internet, found the database containing personal information, but it was initially unclear who the database belonged to. Sen said the personal data included full names, phone numbers, email addresses and home addresses. Sen shared details of the exposed database with TechCrunch to help identify its owner and disclose the security lapse.

Advertising

The Tech Company Super Bowl Ads of 2024

Technology made its mark on the Super Bowl ads this year. Microsoft purchased a long inspirational ad for Copilot, ending with the tagline "Your everyday AI companion." (Although another message made the opposite point. "With artificial intelligence, the future is in good hands," an announcer says ironically -- while the ad shows the minions from Despicable Me 4.)

Google's ad showed how its Pixel 8 smartphone helps people with vision problems take photos. T-Mobile touted its internet service.

And for some reason CrowdStrike's ad about its endpoint security software took place in the Old West...

VW ended an ad looking at its history with a shot of its new electric vehicle, the ID.Buzz minivan, while Kia had its own heart-tugging ad touting its electric EV9.

And Pfizer ran a minute-long ad showing the history of medical progress, culminating with a pointer to their new domain, LetsOutdoCancer.com.

Even NASA got into the action, releasing a video showing an astronaut catching a pass in zero gravity. ("Including its solar panels, the Space Station is the same size as a regulation football field.")

And some people even tried watching the Super Bowl on their new Apple Vision Pro...

Encryption

Cryptography Guru Martin Hellman Urges International Cooperation on AI, Security (infoworld.com)

Martin Hellman "achieved legendary status as co-inventor of the Diffie-Hellman public key exchange algorithm, a breakthrough in software and computer cryptography," notes a new interview in InfoWorld.

Nine years after winning the Turing Award, the 78-year-old cryptologist shared his perspective on some other issues:

What do you think about the state of digital spying today?

Hellman: There's a need for greater international cooperation. How can we have true cyber security when nations are planning — and implementing — cyber attacks on one another? How can we ensure that AI is used only for good when nations are building it into their weapons systems? Then, there's the granddaddy of all technological threats, nuclear weapons. If we keep fighting wars, it's only a matter of time before one blows up.

The highly unacceptable level of nuclear risk highlights the need to look at the choices we make around critical decisions, including cyber security. We have to take into consideration all participants' needs for our strategies to be effective....

Your battle with the government to make private communication available to the general public in the digital age has the status of folklore. But, in your recent book (co-authored with your wife Dorothie [and freely available as a PDF]), you describe a meeting of minds with Admiral Bobby Ray Inman, former head of the NSA. Until I read your book, I saw the National Security Agency as bad and Diffie-Hellman as good, plain and simple. You describe how you came to see the NSA and its people as sincere actors rather than as a cynical cabal bent on repression. What changed your perspective?

Hellman: This is a great, real-life example of how taking a holistic view in a conflict, instead of just a one-sided one, resolved an apparently intractable impasse. Those insights were part of a major change in my approach to life. As we say in our book, "Get curious, not furious." These ideas are effective not just in highly visible conflicts like ours with the NSA, but in every aspect of life.

Hellman also had an interesting answer when asked if math, game theory, and software development teach any lessons applicable to issues like nuclear non-proliferation or national defense.

"The main thing to learn is that the narrative we (and other nations) tell ourselves is overly simplified and tends to make us look good and our adversaries bad."
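The interview above introduces Hellman as co-inventor of the Diffie-Hellman key exchange but does not show the exchange itself. What follows is an added example written for this digest, not code from InfoWorld, Slashdot or Hellman: a complete finite-field Diffie-Hellman agreement over the published 2048-bit MODP group from RFC 3526 (group 14, generator 2), with the public-value validation a practitioner should perform before using the result and an HMAC-based key derivation on top of the raw shared secret. The function names, the `info` label and the zero salt are this example's own choices, not anything the interview specifies.

```python
"""Finite-field Diffie-Hellman key agreement over RFC 3526 group 14 (2048-bit MODP).

Added example for this page; not code from the InfoWorld interview or from Hellman.
Standard library only. Group parameters are the values published in RFC 3526.
"""
import hashlib
import hmac
import secrets

# RFC 3526, section 3: 2048-bit MODP group. p is a safe prime (p = 2q + 1) and
# g = 2 generates the subgroup of prime order q.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2
Q = (P - 1) // 2  # order of the subgroup generated by G


def generate_keypair():
    """Private exponent x in [1, q-1] from the OS CSPRNG; public value y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def valid_public_value(y):
    """Accept y only if 1 < y < p-1 and y lies in the order-q subgroup.

    For a safe prime the range check already excludes the two small-order elements
    (1 and p-1). The subgroup check additionally rejects quadratic non-residues,
    which would leak one bit of the private exponent, and is what protects you if
    the group is ever swapped for one that is not a safe prime.
    """
    if not 1 < y < P - 1:
        return False
    return pow(y, Q, P) == 1


def shared_key(own_private, peer_public, info=b"dh-demo"):
    """Validate the peer's value, compute g^(xy) mod p and derive a 32-byte key."""
    if not valid_public_value(peer_public):
        raise ValueError("invalid Diffie-Hellman public value")
    z = pow(peer_public, own_private, P)
    # Fixed-width big-endian encoding so both sides hash identical bytes, then an
    # HKDF-style extract (zero salt, assumed for this example) and one expand step.
    z_bytes = z.to_bytes((P.bit_length() + 7) // 8, "big")
    prk = hmac.new(b"\x00" * 32, z_bytes, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def run_exchange():
    """Both sides of one exchange; returns the two derived keys for comparison."""
    alice_priv, alice_pub = generate_keypair()
    bob_priv, bob_pub = generate_keypair()
    # Only alice_pub and bob_pub cross the wire; the private exponents never do.
    k_alice = shared_key(alice_priv, bob_pub)
    k_bob = shared_key(bob_priv, alice_pub)
    return k_alice, k_bob


if __name__ == "__main__":
    ka, kb = run_exchange()
    print("keys match:", ka == kb, ka.hex())
```

Note that an unauthenticated exchange like this one only defends against a passive eavesdropper; against an active attacker the public values must be bound to an identity, for example by signing them, which is the part the 1976 paper left to public-key signatures and later protocols filled in.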
