For months, the Colorado Department of State inadvertently exposed partial passwords for voting machines in a public spreadsheet. "While the incident is embarrassing and already fueling accusations from the state's Republican party, the department said in a statement that it 'does not pose an immediate security threat to Colorado's elections, nor will it impact how ballots are counted,'" reports Gizmodo. From the report: Colorado NBC affiliate station 9NEWS reported that Hope Scheppelman, vice chair of the state's Republican party, revealed the error in a mass email sent Tuesday morning, which included an affidavit from a person who claimed to have downloaded the spreadsheet and discovered the passwords by clicking a button to reveal hidden tabs.

In its statement, the Department of State said that there are two unique passwords for each of its voting machines, which are stored in separate places. Additionally, the passwords can only be used by a person who is physically operating the system and voting machines are stored in secure areas that require ID badges to access and are under 24/7 video surveillance.

"The Department took immediate action as soon as it was aware of this, and informed the Cybersecurity and Infrastructure Security Agency, which closely monitors and protects the [country's] essential security infrastructure," The department said, adding that it is "working to remedy this situation where necessary." Colorado voters use paper ballots, ensuring that a physical paper trail that can be used to verify results tabulated electronically.

A Russian court has fined Google an astronomical sum of around $20 decillion for YouTube's blocking of Russian media channels tied to sanctioned entities. The amount compounds weekly as Google continues to disregard the ruling. The Register reports: To put that into perspective, the World Bank estimates global GDP as around $100 trillion, which is peanuts compared to the prospective fine. Google might be one of the most valuable businesses on the planet, but even if Sundar Pichai rummages around the back of the sofa he won't be able to raise the funds to pay the penalty. The bizarre amount has been calculated after a four-year court case that started after YouTube banned the ultra-nationalist Russian channel Tsargrad in 2020 in response to the US sanctions imposed against its owner. Following Putin's illegal invasion of Ukraine in 2022 more channels were added to the banned list and 17 stations are now suing the Chocolate Factory, including Zvezda (a TV channel owned by Putin's Ministry of Defence), according to local media.

"Google was called by a Russian court to administrative liability under Art. 13.41 of the Administrative Offenses Code for removing channels on the YouTube platform. The court ordered the company to restore these channels," lawyer Ivan Morozov told state media outlet TASS. The court imposed a fine of 100 thousand rubles ($1,025) per day, with the total fine doubling every week. Owing to compound interest (Einstein's eighth wonder of the world), Google is now on the hook for an insane amount of money, or what the judge on Monday called "a case in which there are many, many zeros."

Oscar winner Robert Downey Jr. has threatened legal action against future studio executives who attempt to recreate his likeness using AI. "I intend to sue all future executives just on spec," Downey said when asked about potential AI recreations of his performances. He dismissed concerns about Marvel Studios using his likeness without permission, citing trust in their leadership. During the interview, he criticized tech executives who position themselves as AI gatekeepers, calling it "a massive fucking error."

French newspaper Le Monde found that the fitness app Strava can easily track confidential movements of foreign leaders, including U.S. President Joe Biden, and presidential rivals Donald Trump and Kamala Harris. The Independent reports: Le Monde found that some U.S. Secret Service agents use the Strava fitness app, including in recent weeks after two assassination attempts on Trump, in a video investigation released in French and in English. Strava is a fitness tracking app primarily used by runners and cyclists to record their activities and share their workouts with a community. Le Monde also found Strava users among the security staff for French President Emmanuel Macron and Russian President Vladimir Putin. In one example, Le Monde traced the Strava movements of Macron's bodyguards to determine that the French leader spent a weekend in the Normandy seaside resort of Honfleur in 2021. The trip was meant to be private and wasn't listed on the president's official agenda.

Le Monde said the whereabouts of Melania Trump and Jill Biden could also be pinpointed by tracking their bodyguards' Strava profiles. In a statement to Le Monde, the U.S. Secret Service said its staff aren't allowed to use personal electronic devices while on duty during protective assignments but "we do not prohibit an employee's personal use of social media off-duty." "Affected personnel has been notified," it said. "We will review this information to determine if any additional training or guidance is required." "We do not assess that there were any impacts to protective operations or threats to any protectees," it added. Locations "are regularly disclosed as part of public schedule releases."

In another example, Le Monde reported that a U.S. Secret Service agent's Strava profile revealed the location of a hotel where Biden subsequently stayed in San Francisco for high-stakes talks with Chinese President Xi Jinping in 2023. A few hours before Biden's arrival, the agent went jogging from the hotel, using Strava which traced his route, the newspaper found. The newspaper's journalists say they identified 26 U.S. agents, 12 members of the French GSPR, the Security Group of the Presidency of the Republic, and six members of the Russian FSO, or Federal Protection Service, all of them in charge of presidential security, who had public accounts on Strava and were therefore communicating their movements online, including during professional trips. Le Monde did not identify the bodyguards by name for security reasons.

Russia has enacted a new law expanding control over cryptocurrency mining, granting multiple federal agencies access to digital currency identifier addresses, among other things. The country is also advancing its regulatory framework and experimenting with crypto in international trade. From a report: Taking effect on Nov. 1, the legislation includes several amendments designed to strengthen oversight and impose limitations on crypto mining activities based on regional needs. The law enables the Russian government to implement mining restrictions by location and define specific procedures and circumstances for banning mining operations. A notable provision in the law gives the government the power to stop digital currency mining pools from functioning in certain areas. Additionally, the government now has the authority to regulate infrastructure providers supporting mining operations.

This legislation also grants multiple federal agencies, beyond the Federal Financial Monitoring Service (Rosfinmonitoring), access to digital currency identifier addresses. This expansion includes federal executive agencies and law enforcement, bolstering their capability to track transactions that may be linked to money laundering or terrorist financing activities. Moreover, the amendments transfer responsibility for the national mining register from the Ministry of Digital Development to the Federal Tax Service, which will now oversee mining registrations for businesses and remove those with repeated infractions. While individual miners can continue without registering if they adhere to specific electricity consumption limits, companies and individual entrepreneurs must comply with new registration requirements.

When it comes to introducing liability for software products, "the EU and U.S. are taking very different approaches," according to Lawfare's cybersecurity newsletter. "While the U.S. kicks the can down the road, the EU is rolling a hand grenade down it to see what happens." Under the status quo, the software industry is extensively protected from liability for defects or issues, and this results in systemic underinvestment in product security. Authorities believe that by making software companies liable for damages when they peddle crapware, those companies will be motivated to improve product security... [T]he EU has chosen to set very stringent standards for product liability, apply them to people rather than companies, and let lawyers sort it all out.

Earlier this month, the EU Council issued a directive updating the EU's product liability law to treat software in the same way as any other product. Under this law, consumers can claim compensation for damages caused by defective products without having to prove the vendor was negligent or irresponsible. In addition to personal injury or property damages, for software products, damages may be awarded for the loss or destruction of data. Rather than define a minimum software development standard, the directive sets what we regard as the highest possible bar. Software makers can avoid liability if they prove a defect was not discoverable given the "objective state of scientific and technical knowledge" at the time the product was put on the market.

Although the directive is severe on software makers, its scope is narrow. It applies only to people (not companies), and damages for professional use are explicitly excluded. There is still scope for collective claims such as class actions, however. The directive isn't law itself but sets the legislative direction for EU member states, and they have two years to implement its provisions. The directive commits the European Commission to publicly collating court judgements based on the directive, so it will be easy to see how cases are proceeding.

Major software vendors used by the world's most important enterprises and governments are publishing comically vulnerable code without fear of any blowback whatsoever. So yes, the status quo needs change. Whether it needs a hand grenade lobbed at it is an open question. We'll have our answer soon.

"In the early hours of Thursday, March 23, 2023, residents in the German town of Kronberg were woken from their sleep by several explosions," reports CNN .

"Criminals had blown up an ATM located below a block of flats in the town center..." According to local media reports, witnesses saw people dressed in dark clothing fleeing in a black car towards a nearby highway. During the heist, thieves stole 130,000 euros in cash. They also caused an estimated half a million euros worth of collateral damage, according to a report by Germany's Federal Criminal Police Office, BKA.

Rather than staging dramatic and risky bank robberies, criminal groups in Europe have been targeting ATMs as an easier and more low-key target. In Germany — Europe's largest economy — thieves have been blowing up ATMs at a rate of more than one per day in recent years. In a country where cash is still a prevalent payment method, the thefts can prove incredibly lucrative, with criminals pocketing hundreds of thousands of euros in one attack.

Europol has been cracking down on the robberies, carrying out large cross-border operations aimed at taking down the highly-organized criminal gangs behind them. Earlier this month, authorities from Germany, France and the Netherlands arrested three members of a criminal network who have been carrying out attacks on cash machines using explosives, Europol said in a statement. Since 2022, the detainees are believed to have looted millions of euros and run up a similar amount in property damage, from 2022 to 2024, Europol said...

Unlike its European neighbors, who largely transitioned away from cash payments due to the Covid-19 pandemic, cash still plays a significant role in Germany. One half of all transactions in 2023 were made using banknotes and coins, according to Bundesbank. Germans have a cultural attachment to cash, traditionally viewing it as a safe method of payment. Some say it allows a greater level of privacy, and gives them more control over their expenses.

"Google essentially disappeared us from the internet," says the couple who created price-comparison site Foundem in 2006. Google's search results for "price comparison" and "comparison shopping" buried their site — for more than three years.

Today the BBC looks at their 15-year legal battle, which culminated with a then record €2.4 billion fine (£2 billion or $2.6 billion) for Google, which was deemed to have abused its market dominance. The case has been hailed as a landmark moment in the global regulation of Big Tech. Google spent seven years fighting that verdict, issued in June 2017, but in September this year Europe's top court — the European Court of Justice — rejected its appeals.

Speaking to Radio 4's The Bottom Line in their first interview since that final verdict, Shivaun and Adam explained that at first, they thought their website's faltering start had simply been a mistake. "We initially thought this was collateral damage, that we had been false positive detected as spam," says Shivaun, 55. "We just assumed we had to escalate to the right place and it would be overturned...." The couple sent Google numerous requests to have the restriction lifted but, more than two years later, nothing had changed and they said they received no response. Meanwhile, their website was "ranking completely normally" on other search engines, but that didn't really matter, according to Shivaun, as "everyone's using Google".

The couple would later discover that their site was not the only one to have been put at a disadvantage by Google — by the time the tech giant was found guilty and fined in 2017 there were around 20 claimants, including Kelkoo, Trivago and Yelp... In its 2017 judgement, the European Commission found that Google had illegally promoted its own comparison shopping service in search results, whilst demoting those of competitors... "I guess it was unfortunate for Google that they did it to us," Shivaun says. "We've both been brought up maybe under the delusion that we can make a difference, and we really don't like bullies."

Even Google's final defeat in the case last month did not spell the end for the couple. They believe Google's conduct remains anti-competitive and the EC is looking into it. In March this year, under its new Digital Markets Act, the commission opened an investigation into Google's parent company, Alphabet, over whether it continues to preference its own goods and services in search results... The Raffs are also pursuing a civil damages claim against Google, which is due to begin in the first half of 2026. But when, or if, a final victory comes for the couple it will likely be a Pyrrhic one — they were forced to close Foundem in 2016.
A spokesperson for Google told the BBC the 2024 judgment from the European Court of Justice only relates to "how we showed product results from 2008-2017. The changes we made in 2017 to comply with the European Commission's Shopping decision have worked successfully for more than seven years, generating billions of clicks for more than 800 comparison shopping services.

"For this reason, we continue to strongly contest the claims made by Foundem and will do so when the case is considered by the courts."

Slashdot reader samleecole writes: Privacy advocates gained access to a powerful tool bought by U.S. law enforcement agencies that can track smartphone locations around the world. Abortion clinics, places of worship, and individual people can all be monitored without a warrant.

An investigation into tracking tool Locate X shows in the starkest terms yet how it and others — based on smartphone location data sold to various U.S. government law enforcement agencies, including state entities — could be used to monitor abortion clinic patients. This comes as more states contemplate stricter or outright bans on abortion...

In 2004 Alaa Abd El Fattah answered questions from Slashdot's readers about organizing the first-ever Linux installfest in Egypt.

In 2014 he was arrested for organizing poltical protests without requesting authorization, according to Wikipedia, and then released on bail — but then sentenced to five years in prison upon retrial. He was released in late March of 2019, but then re-arrested again in September by the National Security Agency, convicted of "spreading fake news" and jailed for five years...

Wikipedia describes Abd El-Fattah as an "Egyptian-British blogger, software developer and a political activist" who has been "active in developing Arabic-language versions of software and platforms." But this week an EFF blog post noticed that his released date had recently passed — and yet he was still in prison: It's been 28 days since September 29, the day that should have seen British-Egyptian blogger, coder, and activist Alaa Abd El Fattah walk free. Egyptian authorities refused to release him at the end of his sentence, in contradiction of the country's own Criminal Procedure Code, which requires that time served in pretrial detention count toward a prison sentence. [Human Rights Watch says Egyptian authorities are refusing to count more than two years of pretrial detention toward his time served. Amnesty International has also called for his release.] In the days since, Alaa's family has been able to secure meetings with high-level British officials, including Foreign Secretary David Lammy, but as of yet, the Egyptian government still has not released Alaa...

Alaa deserves to finally return to his family, now in the UK, and to be reunited with his son, Khaled, who is now a teenager. We urge EFF supporters in the UK to write to their MP to place pressure on the UK's Labour government to use their power to push for Alaa's release.
Last month the EFF wrote:: Over 20 years ago Alaa began using his technical skills to connect coders and technologists in the Middle East to build online communities where people could share opinions and speak freely and privately. The role he played in using technology to amplify the messages of his fellow Egyptians — as well as his own participation in the uprising in Tahrir Square — made him a prominent global voice during the Arab Spring, and a target for the country's successive repressive regimes, which have used antiterrorism laws to silence critics by throwing them in jail and depriving them of due process and other basic human rights.

Alaa is a symbol for the principle of free speech in a region of the world where speaking out for justice and human rights is dangerous and using the power of technology to build community is criminalized...

An anonymous reader quotes a report from Reuters: Delta Air Lines on Friday sued cybersecurity firm CrowdStrike in a Georgia state court after a global outage in July caused mass flight cancellations, disrupted travel plans of 1.3 million customers and cost the carrier more than $500 million. Delta's lawsuit filed in Fulton County Superior Court called the faulty software update from CrowdStrike "catastrophic" and said the firm "forced untested and faulty updates to its customers, causing more than 8.5 million Microsoft Windows-based computers around the world to crash." [...]

Delta, which has purchased CrowdStrike products since 2022, said the outage forced it to cancel 7,000 flights, impacting 1.3 million passengers over five days. "If CrowdStrike had tested the faulty update on even one computer before deployment, the computer would have crashed," Delta's lawsuit says. "Because the faulty update could not be removed remotely, CrowdStrike crippled Delta's business and created immense delays for Delta customers." Delta said that as part of its IT-planning and infrastructure, it has invested billions of dollars "in licensing and building some of the best technology solutions in the airline industry."

Apple was handed a victory today by a jury in Delware, which ruled that two of Masimo's smartwatches and chargers "willfully violated Apple's patent rights in smartwatch designs," according to Reuters. The reward? $250 in damages. 9to5Mac reports: Apple previously accused Masimo of using litigation to boost the launch of its own smartwatch product. In October 2022, Apple filed two patent infringement lawsuits against Masimo. The first lawsuit accused Masimo of copying the Apple Watch design. The second said that Masimo's technical features infringed on Apple patents covering technology used in the Apple Watch.

Reuters reports: "Apple convinced a federal jury on Friday that health monitoring tech company Masimo's smartwatches infringe two of its design patents. The jury, in Delaware, agreed with Apple that Masimo's W1 and Freedom watches and chargers willfully violated Apple's patent rights in smartwatch designs, awarding the tech giant $250 in damages. Apple's attorneys told the court the 'ultimate purpose' of its lawsuit was to win an injunction against sales of Masimo's smartwatches after an infringement ruling." The jury, however, also determined that Masimo's smartwatches "did not infringe on Apple patents covering smartwatch inventions that the tech giant had accused Masimo of copying." The two companies continue to battle it out over patent infringements regarding the Apple Watch's blood oxygen sensor.

An anonymous reader quotes a report from Ars Technica: Earlier this year, we reported on the video game archivists asking for a legal DMCA exemption to share Internet-accessible emulated versions of their physical game collections with researchers. Today, the US Copyright Office announced once again that it was denying that request, forcing researchers to travel to far-flung collections for access to the often-rare physical copies of the games they're seeking.

In announcing its decision, the Register of Copyrights for the Library of Congress sided with the Entertainment Software Association and others who argued that the proposed remote access could serve as a legal loophole for a free-to-access "online arcade" that could harm the market for classic gaming re-releases. This argument resonated with the Copyright Office despite a VGHF study that found 87 percent of those older game titles are currently out of print. "While proponents are correct that some older games will not have a reissue market, they concede there is a 'healthy' market for other reissued games and that the industry has been making 'greater concerted efforts' to reissue games," the Register writes in her decision. "Further, while the Register appreciates that proponents have suggested broad safeguards that could deter recreational uses of video games in some cases, she believes that such requirements are not specific enough to conclude that they would prevent market harms."

A DMCA exemption for remote sharing already exists for non-video-game computer software that is merely "functional," as the Register notes. But the same fair use arguments that allow for that sharing don't apply to video games because they are "often highly expressive in nature," the Register writes. In an odd footnote, the Register also notes that emulation of classic game consoles, while not infringing in its own right, has been "historically associated with piracy," thus "rais[ing] a potential concern" for any emulated remote access to library game catalogs. That footnote paradoxically cites Video Game History Foundation (VGHF) founder and director Frank Cifaldi's 2016 Game Developers Conference talk on the demonization of emulation and its importance to video game preservation. "The moment I became the Joker is when someone in charge of copyright law watched my GDC talk about how it's wrong to associate emulation with piracy and their takeaway was 'emulation is associated with piracy,'" Cifaldi quipped in a social media post.

The top U.S. consumer finance watchdog warned businesses about potential legal problems they could face from using new technology such as artificial intelligence or algorithmic scores to snoop on and evaluate their employees. From a report: The Consumer Financial Protection Bureau on Thursday said "invasive" new tools to monitor workers are governed by a law designed to ensure fairness in credit reporting, giving employees specific rights. Employees have the right to consent to the collection of personal information, to receive detailed information and to dispute inaccurate information, the CFPB said in the newly released guidance.

"Workers shouldn't be subject to unchecked surveillance or have their careers determined by opaque third-party reports without basic protections," CFPB Director Rohit Chopra said. More companies are leaning on AI and other powerful tools throughout the employment process, using software that can, for example, interview candidates and surveillance tools that can look for unsafe behavior. Americans have expressed concerns about Big Brother-style surveillance while they are on the job.

A government-controlled wallet that had been drained of $20 million on Thursday received most of its funds back Friday, adding another layer of mystery to transactions flagged by blockchain analysts as likely being connected to a high-profile theft. From a report: The pseudonymous blockchain sleuth ZachXBT had said in a tweet Thursday that the transfers resembled the playbook of a bad actor. Engaging with several decentralized finance protocols, the wallet had also tapped so-called instant exchanges after funds were moved across a series of transfers that "looked nefarious." About $19.3 million worth of funds had been returned to the wallet early Friday, per on-chain data collected by Arkham Intelligence, including Ethereum and the stablecoin USDC. Still, ZachXBT said in his Telegram community that funds transferred to exchanges had not yet been returned.