Ars Technica's Jon Brodkin reports: AT&T has stopped offering its 5G home Internet service in New York instead of complying with a new state law that requires IsPs to offer $15 or $20 plans to people with low incomes. New York started enforcing its Affordable Broadband Act yesterday after a legal battle of nearly four years. [...] The law requires IsPs with over 20,000 customers in New York to offer $15 broadband plans with download speeds of at least 25Mbps, or $20-per-month service with 200Mbps speeds. The plans only have to be offered to households that meet income eligibility requirements, such as qualifying for the National school Lunch Program, supplemental Nutrition Assistance Program, or Medicaid. [...]

Ending home Internet service in New York is relatively simple for AT&T because it is outside the 21-state wireline territory in which the telco offers fiber and DsL home Internet service. "AT&T Internet Air is currently available only in select areas and where AT&T Fiber is not available. New York is outside of our wireline service footprint, so we do not have other home Internet options available in the state," the company said. AT&T will continue offering its 4G and 5G mobile service in New York, as the state law only affects home Internet service. People with smartphones or other mobile devices connected to the AT&T wireless network should thus see no change.

Existing New York-based users of AT&T Internet Air can only keep it for 45 days and won't be charged during that time, AT&T said. "During this transition, customers will be able to keep their existing AT&T Internet Air service for up to 45 days, at no charge, as they find other options for broadband. We will work closely with our customers throughout this transition," AT&T said. Residential users will be sent "a recovery kit with instructions on how to return their AIA equipment, while business customers can keep any device they purchased at no charge," AT&T said.

An anonymous reader quotes a report from TechCrunch: On Tuesday, the United Nations security Council held a meeting to discuss the dangers of commercial spyware, which marks the first time this type of software -- also known as government or mercenary spyware -- has been discussed at the security Council. The goal of the meeting, according to the U.s. Mission to the UN, was to "address the implications of the proliferation and misuse of commercial spyware for the maintenance of international peace and security." The United states and 15 other countries called for the meeting. While the meeting was mostly informal and didn't end with any concrete proposals, most of the countries involved, including France, south Korea, and the United Kingdom, agreed that governments should take action to control the proliferation and abuse of commercial spyware. Russia and China, on the other hand, dismissed the concerns.

John scott-Railton, a senior researcher at The Citizen Lab, a human rights organization that has investigated spyware abuses since 2012, gave testimony in which he sounded the alarm on the proliferation of spyware made by "a secretive global ecosystem of developers, brokers, middlemen, and boutique firms," which "is threatening international peace and security as well as human rights." scott-Railton called Europe "an epicenter of spyware abuses" and a fertile ground for spyware companies, referencing a recent TechCrunch investigation that showed Barcelona has become a hub for spyware companies in the last few years.

Representatives of Poland and Greece, countries that had their own spyware scandals involving software made by NsO Group and Intellexa, respectively, also intervened. Poland's representative pointed at local legislative efforts to put "more control, including by the judiciary, on the relevant operational activities of the security and intelligence services," while also recognizing that spyware can be used in a legal way. "We are not saying that the use of spyware is never justified or even required," said Poland's representative. And the Greek representative pointed to the country's 2022 bill to ban the sale of spyware.

A pastor in Pasco, Washington, has been indicted on 26 counts of fraud for orchestrating a cryptocurrency scam that defrauded over 1,500 investors of nearly $5.9 million between 2021 and 2023. Many of the investors were members of his congregation. BleepingComputer reports: The Us Department of Justice says the pastor, Francier Obando Pinillo, 51, used his position to recruit investors into a fraudulent cryptocurrency venture called "solano Fi," which he told them "came to him in a dream" and was a guaranteed investment. "Pinillo used his position as pastor to induce members of his congregation and others to invest their money in a cryptocurrency investment business known as solano Fi," reads the Us Department of Justice announcement. "Pinillo claimed the idea for solano Fi had come to him in a dream and that it was a safe and guaranteed investment."

The pastor also set up a Facebook page for solano Fi to attract more investors outside his direct sphere of influence, as well as a Telegram group named 'Multimillionarios solanoFi,' which had 1,500 members. The indictment alleged that Pinillo promised investors they would receive guaranteed monthly investment returns of 34.9% at no risk whatsoever. The indictment further claims he directed the victims to make cryptocurrency transfers to wallets under his control, and instead of investing the funds, he diverted them for personal use. Investors were provided access to a solano Fi web app where they could manage their funds; however, the app showed fake balances and investment returns. Those convinced by the fraud were encouraged to recruit more investors for additional returns, expanding the victims' circle. As in similar scams, when the victims attempted to withdraw money from the solano Fi app, the transaction failed.

An anonymous reader quotes a report from Ars Technica: Lots of startups use Google's productivity suite, known as Workspace, to handle email, documents, and other back-office matters. Relatedly, lots of business-minded webapps use Google's OAuth, i.e. "sign in with Google." It's a low-friction feedback loop -- up until the startup fails, the domain goes up for sale, and somebody forgot to close down all the Google stuff. Dylan Ayrey, of Truffle security Co., suggests in a report that this problem is more serious than anyone, especially Google, is acknowledging. Many startups make the critical mistake of not properly closing their accounts -- on both Google and other web-based apps -- before letting their domains expire.

Given the number of people working for tech startups (6 million), the failure rate of said startups (90 percent), their usage of Google Workspaces (50 percent, all by Ayrey's numbers), and the speed at which startups tend to fall apart, there are a lot of Google-auth-connected domains up for sale at any time. That would not be an inherent problem, except that, as Ayrey shows, buying a domain allows you to re-activate the Google accounts for former employees if the site's Google account still exists.

With admin access to those accounts, you can get into many of the services they used Google's OAuth to log into, like slack, ChatGPT, Zoom, and HR systems. Ayrey writes that he bought a defunct startup domain and got access to each of those through Google account sign-ins. He ended up with tax documents, job interview details, and direct messages, among other sensitive materials. A Google spokesperson said in a statement: "We appreciate Dylan Ayrey's help identifying the risks stemming from customers forgetting to delete third-party saas services as part of turning down their operation. As a best practice, we recommend customers properly close out domains following these instructions to make this type of issue impossible. Additionally, we encourage third-party apps to follow best-practices by using the unique account identifiers (sub) to mitigate this risk."

An anonymous reader quotes a report from TorrentFreak: In 'piracy' associated circles, Z-Library has one of the most followed Telegram channels of all. The shadow library's official channel amassed over 630,000 subscribers over the years, who were among the first to read site announcements and other key updates. Z-Library previously had some of its messages removed due to copyright infringement. While it didn't upload or directly link to infringing material on Telegram, rightsholders allegedly complained about the links that were posted to the Z-Library website. In response, Z-Library chose to no longer include links to its own homepage on Telegram. Instead, it referred users to Wikipedia and Reddit, where the links were still available. The same copyright awareness was visible at Anna's Archive, a popular shadow library search engine. This channel was also careful not to post direct links to infringing material. After all, sharing or uploading copyrighted books would undoubtedly lead to trouble.

Despite the reported caution, the channels of both Z-Library and Anna's Archive are no longer accessible today. Messages posted by these accounts were purged "due to copyright infringement", as shown below. Telegram didn't limit its action to removing posts; the channels are now entirely inaccessible. Those trying to access the channels in the Telegram app receive a pop-up message stating they are "unavailable due to copyright infringement." The simultaneous removal of both channels suggests they are linked to the same complaint or decision. The specific complaint and alleged copyright infringements remain unclear.

Change Healthcare has hidden its data breach notification webpage from search engines using "noindex" code, TechCrunch found, making it difficult for affected individuals to find information about the massive healthcare data breach that compromised over 100 million people's medical records last year.

The UnitedHealth subsidiary said Tuesday it had "substantially" completed notifying victims of the February 2024 ransomware attack. The cyberattack caused months of healthcare disruptions and marked the largest known U.s. medical data theft.

The U.s. Federal Trade Commission sued Deere & Co on Wednesday for allegedly monopolizing the repair market for its farm equipment by forcing farmers to use authorized dealers, driving up costs and causing service delays.

The lawsuit, joined by Illinois and Minnesota, claims Deere maintains complete control over equipment repairs by restricting access to essential software to its dealer network. The action seeks to make repair tools available to equipment owners and independent mechanics. FTC Chair Lina Khan said repair restrictions can be "devastating for farmers" who depend on timely repairs during harvest.

An anonymous reader shares a report: U.s. school districts affected by the recent cyberattack on edtech giant Powerschool have told TechCrunch that hackers accessed "all" of their historical student and teacher data stored in their student information systems. Powerschool, whose school records software is used to support more than 50 million students across the United states, was hit by an intrusion in December that compromised the company's customer support portal with stolen credentials, allowing access to reams of personal data belonging to students and teachers in K-12 schools.

The attack has not yet been publicly attributed to a specific hacker or group. Powerschool hasn't said how many of its school customers are affected. However, two sources at affected school districts -- who asked not to be named -- told TechCrunch that the hackers accessed troves of personal data belonging to both current and former students and teachers. Further reading: Lawsuit Accuses Powerschool of selling student Data To 3rd Parties.

An anonymous reader quotes a report from Gizmodo: Texas has sued (PDF) one of the nation's largest car insurance providers alleging that it violated the state's privacy laws by surreptitiously collecting detailed location data on millions of drivers and using that information to justify raising insurance premiums. The state's attorney general, Ken Paxton, said the lawsuit against Allstate and its subsidiary Arity is the first enforcement action ever filed by a state attorney general to enforce a data privacy law. It also follows a deceptive business practice lawsuit he filed against General Motors accusing the car manufacturer of misleading customers by collecting and selling driver data.

In 2015, Allstate developed the Arity Driving Engine software development kit (sDK), a package of code that the company allegedly paid mobile app developers to install in their products in order to collect a variety of sensitive data from consumers' phones. The sDK gathered phone geolocation data, accelerometer, and gyroscopic data, details about where phone owners started and ended their trips, and information about "driving behavior," such as whether phone owners appeared to be speeding or driving while distracted, according to the lawsuit. The apps that installed the sDK included GasBuddy, Fuel Rewards, and Life360, a popular family monitoring app, according to the lawsuit.

Paxton's complaint said that Allstate and Arity used the data collected by its sDK to develop and sell products to other insurers like Drivesight, an algorithmic model that assigned a driving risk score to individuals, and ArityIQ, which allowed other insurers to "[a]ccess actual driving behavior collected from mobile phones and connected vehicles to use at time of quote to more precisely price nearly any driver." Allstate and Arity marketed the products as providing "driver behavior" data but because the information was collected via mobile phones the companies had no way of determining whether the owner was actually driving, according to the lawsuit. "For example, if a person was a passenger in a bus, a taxi, or in a friend's car, and that vehicle's driver sped, hard braked, or made a sharp turn, Defendants would conclude that the passenger, not the actual driver, engaged in 'bad' driving behavior," the suit states. Neither Allstate and Arity nor the app developers properly informed customers in their privacy policies about what data the sDK was collecting or how it would be used, according to the lawsuit. The lawsuit violates Texas' Data Privacy and security Act (DPsA) and insurance code by failing to address violations within the required 30-day cure period. "In its complaint, filed in federal court, Texas requested that Allstate be ordered to pay a penalty of $7,500 per violation of the state's data privacy law and $10,000 per violation of the state's insurance code, which would likely amount to millions of dollars given the number of consumers allegedly affected," adds the report.

"The lawsuit also asks the court to make Allstate delete all the data it obtained through actions that allegedly violated the privacy law and to make full restitution to customers harmed by the companies' actions."

A new ransomware group called Codefinger targets AWs s3 buckets by exploiting compromised or publicly exposed AWs keys to encrypt victims' data using AWs's own ssE-C encryption, rendering it inaccessible without the attacker-generated AEs-256 keys. While other security researchers have documented techniques for encrypting s3 buckets, "this is the first instance we know of leveraging AWs's native secure encryption infrastructure via ssE-C in the wild," Tim West, VP of services with the Halcyon RIsE Team, told The Register. "Historically AWs Identity IAM keys are leaked and used for data theft but if this approach gains widespread adoption, it could represent a significant systemic risk to organizations relying on AWs s3 for the storage of critical data," he warned. From the report: ... in addition to encrypting the data, Codefinder marks the compromised files for deletion within seven days using the s3 Object Lifecycle Management API â" the criminals themselves do not threaten to leak or sell the data, we're told. "This is unique in that most ransomware operators and affiliate attackers do not engage in straight up data destruction as part of a double extortion scheme or to otherwise put pressure on the victim to pay the ransom demand," West said. "Data destruction represents an additional risk to targeted organizations."

Codefinger also leaves a ransom note in each affected directory that includes the attacker's Bitcoin address and a client ID associated with the encrypted data. "The note warns that changes to account permissions or files will end negotiations," the Halcyon researchers said in a report about s3 bucket attacks shared with The Register. While West declined to name or provide any additional details about the two Codefinger victims -- including if they paid the ransom demands -- he suggests that AWs customers restrict the use of ssE-C.

"This can be achieved by leveraging the Condition element in IAM policies to prevent unauthorized applications of ssE-C on s3 buckets, ensuring that only approved data and users can utilize this feature," he explained. Plus, it's important to monitor and regularly audit AWs keys, as these make very attractive targets for all types of criminals looking to break into companies' cloud environments and steal data. "Permissions should be reviewed frequently to confirm they align with the principle of least privilege, while unused keys should be disabled, and active ones rotated regularly to minimize exposure," West said. An AWs spokesperson said it notifies affected customers of exposed keys and "quickly takes any necessary actions, such as applying quarantine policies to minimize risks for customers without disrupting their IT environment."

They also directed users to this post about what to do upon noticing unauthorized activity.

An anonymous reader quotes a report from CBs News: The supreme Court on Monday said it will not consider whether to quash lawsuits brought by Honolulu seeking billions of dollars from oil and gas companies for the damage caused by the effects of climate change, clearing the way for the cases to move forward. The legal battle pursued in Hawaii state court is similar to others filed against the nation's largest energy companies by state and local governments in their courts. The suits claim that the oil and gas industry engaged in a deceptive campaign and misled the public about the dangers of their fossil fuel products and the environmental impacts.

A group of 15 energy companies asked the supreme Court to review a decision from the Hawaii supreme Court that allowed a lawsuit brought by the city and county of Honolulu, as well as its Board of Water supply, to proceed. The suit was brought in Hawaii state court in March 2020, and Honolulu raised (PDF) several claims under state law, including creating a public nuisance and failure to warn the public of the risks posed by their fossil fuel products. The city accused the oil and gas industry of contributing to global climate change, leading to flooding, erosion and more frequent and intense extreme weather events. These changes, they said, have led to property damage and a drop in tax revenue as a result of less tourism.

The energy companies unsuccessfully sought to have the case moved to federal court, arguing that the claims raised by Honolulu under state law were overridden by federal law and the Clean Air Act. A state trial court denied their efforts to dismiss the case. The oil and gas industry has argued that greenhouse-gas emissions "flow from billions of daily choices, over more than a century, by governments, companies and individuals about what types of fuels to use, and how to use them." Honolulu, the companies said, was seeking damages for the "cumulative effect of worldwide emissions leading to global climate change." The Hawaii supreme Court ultimately allowed (PDF) the lawsuit to proceed. The state's highest court determined that the Clean Air Act displaced federal common law governing suits seeking damages for interstate pollution. It also rejected the oil companies' argument that Honolulu was seeking to regulate emissions through its lawsuit, finding that the city instead wanted to challenge the promotion and sale of fossil fuel products "without warning and abetted by a sophisticated disinformation campaign."

"Plaintiffs' state tort law claims do not seek to regulate emissions, and there is thus no 'actual conflict' between Hawaii tort law and the [Clean Air Act]," the Hawaii supreme Court ruled. "These claims potentially regulate marketing conduct while the CAA regulates pollution." The oil companies asked the U.s. supreme Court to review the ruling from the Hawaii high court and urged it to stop Honolulu's lawsuit from going forward. Regulation of interstate pollution is a federal area governed by federal law, lawyers for the energy industry argued. [...] The supreme Court in June asked the Biden administration to weigh in on the cases and whether it should step into the dispute. In a filing submitted to the supreme Court before the transfer of presidential power, the Biden administration urged the justices to turn away the appeals, in part because it said it is too soon for them to intervene.

UK ministers are considering allowing private companies to profit from anonymized NHs data as part of a push to leverage AI for medical advancements, despite concerns over privacy and ethical risks. The Guardian reports: Keir starmer on Monday announced a push to open up the government to AI innovation, including allowing companies to use anonymized patient data to develop new treatments, drugs and diagnostic tools. With the prime minister and the chancellor, Rachel Reeves, under pressure over Britain's economic outlook, starmer said AI could bolster the country's anaemic growth, as he put concerns over privacy, disinformation and discrimination to one side.

"We are in a unique position in this country, because we've got the National Health service, and the use of that data has already driven forward advances in medicine, and will continue to do so," he told an audience in east London. "We have to see this as a huge opportunity that will impact on the lives of millions of people really profoundly." starmer added: "It is important that we keep control of that data. I completely accept that challenge, and we will also do so, but I don't think that we should have a defensive stance here that will inhibit the sort of breakthroughs that we need."

The move to embrace the potential of AI rather than its risks comes at a difficult moment for the prime minister, with financial markets having driven UK borrowing costs to a 30-year high and the pound hitting new lows against the dollar. starmer said on Monday that AI could help give the UK the economic boost it needed, adding that the technology had the potential "to increase productivity hugely, to do things differently, to provide a better economy that works in a different way in the future." Part of that, as detailed in a report by the technology investor Matt Clifford, will be to create new datasets for startups and researchers to train their AI models.

Data from various sources will be included, such as content from the National Archives and the BBC, as well as anonymized NHs records. Officials are working out the details on how those records will be shared, but said on Monday that they would take into account national security and ethical concerns. starmer's aides say the public sector will keep "control" of the data, but added that could still allow it to be used for commercial purposes.

"Oracle has informed us they won't voluntarily withdraw their trademark on 'Javascript'." That's the word coming from the company behind Deno, the alternative Javascript/Typescript/WebAssembly runtime, which is pursuing a formal cancellation with the U.s. Patent and Trademark Office.

so what happens next? Oracle "will file their Answer, and we'll start discovery to show how 'Javascript' is widely recognized as a generic term and not controlled by Oracle." Deno's social media posts show a schedule of various court dates that extend through July of 2026, so "The dispute between Oracle and Deno Land could go on for quite a while," reports InfoWorld: Deno Land co-founder Ryan Dahl, creator of both the Deno and Node.js runtimes, said a formal answer from Oracle is expected before February 3, unless Oracle extends the deadline again. "After that, we will begin the process of discovery, which is where the real legal work begins. It will be interesting to see how Oracle argues against our claims — genericide, fraud on the UsPTO, and non-use of the mark."

The legal process begins with a discovery conference by March 5, with discovery closing by september 1, followed by pretrial disclosure from October 16 to December 15. An optional request for an oral hearing is due by July 8, 2026.
Oracle took ownership of Javascript's trademark in 2009 when it purchased sun Microsystems, InfoWorld notes.

But "Oracle does not control (and has never controlled) any aspect of the specification or how the phrase 'Javascript' can be used by others," argues an official petition filed by Deno Land Inc. with the United states Patent and Trademark Office: Today, millions of companies, universities, academics, and programmers, including Petitioner, use "Javascript" daily without any involvement with Oracle. The phrase "Javascript" does not belong to one corporation. It belongs to the public. Javascript is the generic name for one of the bedrock languages of modern programming, and, therefore, the Registered Mark must be canceled.

An open letter to Oracle discussing the genericness of the phrase "Javascript," published at https://javascript.tm/, was signed by 14,000+ individuals at the time of this Petition to Cancel, including notable figures such as Brendan Eich, the creator of Javascript, and the current editors of the Javascript specification, Michael Ficarra and shu-yu Guo. There is broad industry and public consensus that the term "Javascript" is generic.
The seven-page petition goes into great detail, reports InfoWorld. "Deno Land also accused Oracle of committing fraud in its trademark renewal efforts in 2019 by submitting screen captures of the website of Javascript runtime Node.js, even though Node.js was not affiliated with Oracle."

"The U.K is looking to build a homegrown challenger to OpenAI and drastically increase national computing infrastructure," reports CNBC, "as Prime Minister Keir starmer's government sets its sights on becoming a global leader in artificial intelligence." The government is primarily seeking to expand data center capacity across the U.K. to boost developers of powerful AI models which rely on high-performance computing equipment hosted in remote locations to train and run their systems. A target of increasing "sovereign," or public sector, compute capacity in the U.K. by twentyfold by 2030 has been set... To further bolster Britain's computing infrastructure, the government also committed to setting up several AI "growth zones," where rules on planning permission will be relaxed in certain places to allow for the creation of new data centers. Meanwhile, an "AI Energy Council" formed of industry leaders from both energy and AI will be set up to explore the role of renewable and low-carbon sources of energy, like nuclear...

Britain plans to use the AI growth zones and a newly established National Data Library to connect public institutions — such as universities — to enhance the country's ability to create "sovereign" AI models which aren't reliant on silicon Valley... Last month, the government announced a consultation on measures to regulate the use of copyrighted content to train AI models.

As an ecological disaster devastated two coastal California cities, more than 7,500 firefighters pushed back against the wildfires. 900 of them are inmates, reports NPR. That's about 12%: California is one of more than a dozen states that operates conservation camps, commonly known as fire camps, for incarcerated people to train to fight fires and respond to other disasters... There are now 35 such camps in California, all of which are minimum-security facilities... When they are not fighting fires, they also respond to floods and other disasters and emergencies. Otherwise, the crews do community service work in areas close to their camp, according to the state corrections department...

A 2018 Time investigation found that incarcerated firefighters are at a higher risk for serious injuries. They also are more than four times as likely to get cuts, bruises or broken bones compared to professional firefighters working the same fires, the report found. They were also more than eight times as likely to face injuries after inhaling smoke, ash and other debris compared with other firefighters, the report said.
"Two of the camps are for incarcerated women," reports the BBC. One of them — since released — remembers that "It felt like you were doing something that mattered instead of rotting away in a cell," according to the nonprofit new site CalMatters. They can also earn credits that help reduce their prison sentences, the BBC learned from the California Department of Corrections and Rehabilitation.

Friday one local California news report shared the perspective of formerly incarcerated Californian, Matthew Hahn (from a 2021 Washington Post column). "Yes, the decision to take part is largely made under duress, given the alternative. Yes, incarcerated firefighters are paid pennies for an invaluable task. And yes, it is difficult though not impossible for participants to become firefighters after leaving prison," Hahn said. "Despite this, fire camps remain the most humane places to do time in the California prison system."
From that 2021 Washington Post column: California prisons have, on average, three times the murder rate of the country overall and twice the rate of all American prisons. These figures don't take into account the sheer number of physical assaults that occur behind prison walls. Prison feels like a dangerous place because it is. Whether it's individual assaults or large-scale riots, the potential for violence is ever-present. Fire camp represents a reprieve from that risk. sure, people can die in fire camp as well — at least three convict-firefighters have died working to contain fires in California since 2017 — but the threat doesn't weigh on the mind like the prospect of being murdered by a fellow prisoner. I will never forget the relief I felt the day I set foot in a fire camp in Los Angeles County, like an enormous burden had been lifted...

[When his 12-man crew was called to fight the Jesusita Fire], the fire had ignited one home's deck and was slowly burning its way to the structure. We cut the deck off the house, saving the home. I often fantasize about the owners returning to see it still standing, unaware and probably unconcerned that an incarcerated fire crew had saved it. There was satisfaction in knowing that our work was as valuable as that of any other firefighter working the blaze and that the gratitude expressed toward first responders included us.

There are other reasons for prisoners to choose fire camp if given the opportunity. They are often located in secluded natural settings, giving inmates the chance to live in an environment that doesn't remotely resemble a prison. There are no walls, and sometimes there aren't even fences. Gun towers are conspicuously absent, and the guards aren't even armed.... [C]onsider the guy pushing a broom in his cell block making the equivalent of one Top Ramen noodle packet per day, just so he can have the privilege of making a collect call to his mother. Or think of the man scrubbing the streaks out of the guards' toilets, making seven cents an hour, half of which goes to pay court fees and restitution, just so he can have those couple of hours outside his cage for the day...

so, while we may have faced the heat of a wildfire for a few bucks a day, and we may have saved a few homes and been happy doing so, understand that we were rational actors. We wanted to be there, where some of our dignity was returned to us.