Communications

T-Mobile Claimed Selling Location Data Without Consent is Legal - Judges Disagree (arstechnica.com) 23

A federal appeals court rejected T-Mobile's attempt to overturn $92 million in fines for selling customer location information to third-party firms. From a report: The Federal Communications Commission last year fined T-Mobile, AT&T, and Verizon, saying the carriers illegally shared access to customers' location information without consent and did not take reasonable measures to protect that sensitive data against unauthorized disclosure. The fines relate to sharing of real-time location data that was revealed in 2018, but it took years for the FCC to finalize the penalties.

The three carriers appealed the rulings in three different courts, and the first major decision was handed down Friday. A three-judge panel at the US Court of Appeals for the District of Columbia Circuit ruled unanimously against T-Mobile and its subsidiary Sprint. "Every cell phone is a tracking device," the ruling begins. "To receive service, a cell phone must periodically connect with the nearest tower in a wireless carrier's network. Each time it does, it sends the carrier a record of the phone's location and, by extension, the location of the customer who owns it. Over time, this information becomes an exhaustive history of a customer's whereabouts and 'provides an intimate window into [that] person's life.'"

Transportation

$81M 'Trade Secrets' Verdict Against Boeing Was Overturned - and Then Reinstated (reuters.com) 10

14 months ago a jury ruled against Boeing, awarding $81 million in damages to failed electric airplane startup Zunum. "Zunum alleged that Boeing, while ostensibly investing seed money to get the startup off the ground, stole Zunum's technology and actively undermined its attempts to build a business," the Seattle Times reported at the time.

But two months later that verdict was overturned, Reuters reports, with U.S. District Judge James Robart deciding that Zunum "did not adequately identify its secrets or show that they derived their value from being kept secret."

And then three days ago a U.S. appeals court reinstated the original $81 million award, reversing that district judge's decision and "rejecting his finding that the information Boeing allegedly stole was not entitled to trade-secret protection."

[T]he district court erred in concluding that "Zunum failed to identify any of its alleged trade secrets with sufficient particularity"... Here, the court rejected Zunum's repeated attempts to introduce comprehensive trade secret definitions into evidence and instead provided the jury with a court-created exhibit enumerating Zunum's alleged trade secrets with a short description of each. Zunum's witnesses identified the trade secrets by number, provided a basic explanation of each, and used exhibits and demonstratives to exemplify information comprising specific trade secrets.
"internal Boeing communications introduced at trial suggesting that Boeing intended to modify its own in-house designs, methods, and strategies to incorporate information from certain Zunum trade secrets..." according to the new ruling. "Under the parties' agreement, Boeing was not permitted to use Zunum's confidential information for any reason other than to manage its investment in Zunum."

Reuters adds that "A spokesperson for Boeing declined to comment on the appeals court's decision."

One final note: The appeals court also ordered the case to be assigned to a new judge after Robart revealed that his wife had acquired Boeing stock through a retirement savings account during the litigation.
Judge Robart had called that an "error". (And judicial ethics experts interviewed by Business Insider in 2024 "characterized Robart's trades and delayed disclosure to the parties as a minor issue," they reported Thursday.)

But Thursday's ruling notes that the delayed disclosure "taken together with the district court's consistent rulings in Boeing's favor during and after trial, could give an objective observer reason to question the district judge's impartiality in further proceedings."

Microsoft

More Game Workers at Microsoft's 'Blizzard' Join a Union (aftermath.site) 186

This week workers on Blizzard's "Story and Franchise Development" team "strongly voted" to join America's largest communications and media labor union, the Communications Workers of America.

From the union's announcement: The Story and Franchise Development team is Blizzard's in-house cinematics, animation, and narrative team, producing the trailers, promotional videos, in-game cutscenes, and other narrative content for Blizzard franchises — as well as franchise archival workers and historians. These workers will be the first in-house cinematic, animation, and narrative studio to form a union in the North American game industry, joining nearly 3,000 workers at Microsoft-owned studios who have organized with CWA to build better standards across the video game industry after Microsoft acquired Activision Blizzard in 2023...

The announcement is the latest update in organizing the tech and video game industry, as over 6,000 workers in the United States and Canada have organized with the Campaign to Organize Digital Employees (CODE-CWA) since launching over five years ago. Last week, workers at Raven Software secured a historic contract with Microsoft, joining ZeniMax QA developers at CWA, who also secured a contract with the company in June.

"CWA says that Blizzard owner Microsoft has recognized the union," reports the gaming news site Aftermath, in accordance with the labor neutrality policy Microsoft agreed to in 2022, leading to several other union game studios at Microsoft: In July 2024, 500 workers on Blizzard-owned World of Warcraft formed a union that they called "the largest wall-to-wall union at a Microsoft-owned studio," alongside Blizzard QA workers in Austin. Other studios across Microsoft have also unionized in recent years, including at Bethesda, ZeniMax Online Studios, and ZeniMax QA, the latter of which finally reached a contract in May after nearly two years of bargaining. Unionized workers at Raven Studios reached a contract with Microsoft earlier this month.
The CWA's announcement this week included this quote from one organizing committee member (and a cinematic producer). "I'm excited that we have joined together in forming a union to protect my colleagues from things like misguided policies and instability as a result of layoffs."

Communications

Russia Restricts Calls Via WhatsApp and Telegram (apnews.com) 19

Russian authorities are "partially" restricting calls in messaging apps Telegram and WhatsApp, the latest step in an effort to tighten control over the internet. From a report: In a statement, government media and internet regulator Roskomnadzor justified the measure as necessary for fighting crime, saying that "according to law enforcement agencies and numerous appeals from citizens, foreign messengers Telegram and WhatsApp have become the main voice services used to deceive and extort money, and to involve Russian citizens in sabotage and terrorist activities."

Communications

ULA Launches First National Security Mission On Vulcan Centaur Rocket (space.com) 25

United Launch Alliance's Vulcan Centaur rocket successfully completed its first-ever national security mission, launching the U.S. military's first experimental navigation satellite in 48 years. Space.com reports: The mission saw the company's powerful new Vulcan Centaur rocket take off from Space Launch Complex 41 (SLC-41) at Cape Canaveral Space Force Station in Florida. Vulcan launched with four side-mounted solid rocket boosters in order to generate enough thrust to send its payload directly into geosynchronous orbit on one of ULA's longest flights ever, a seven-hour journey that will span over 22,000 miles (35,000 kilometers), according to ULA.

The payload launching on Tuesday's mission was the U.S. military's first experimental navigation satellite to be launched in 48 years. It is what's known as a position, navigation and timing (PNT) satellite, a type of spacecraft that provides data similar to that of the well-known GPS system. This satellite will be testing many experimental new technologies that are designed to make it resilient to jamming and spoofing, according to Andrew Builta with L3Harris Technologies, the prime contractor for the PNT payload integrated onto a satellite bus built by Northrop Grumman.

The satellite, identified publicly only as Navigation Technology Satellite-3 (NTS-3), features a phased array antenna that allows it to "focus powerful beams to ground forces and combat jamming environments," Builta said in a media roundtable on Monday (Aug. 11). GPS jamming has become an increasingly worrisome problem for both the U.S. military and commercial satellite operators, which is why this spacecraft will be conducting experiments to test how effective these new technologies are at circumventing jamming attacks. In addition, the satellite features a software architecture that allows it to be reprogrammed while in orbit. "This is a truly game-changing capability," Builta said.

Communications

Amazon's Starlink Competitor Tops 100 Satellites (cnbc.com) 38

After four weather-related delays, Amazon successfully launched 24 more Kuiper internet satellites aboard a SpaceX Falcon 9, bringing its total to 102. CNBC reports: SpaceX's Starlink is currently the dominant provider of low-earth orbit satellite internet, with a constellation of roughly 8,000 satellites and about 5 million customers worldwide. Amazon is racing to get more of its Kuiper satellites into space to meet a deadline set by the Federal Communications Commission. The FCC requires that Amazon have about 1,600 satellites in orbit by the end of July 2026, with the full 3,236-satellite constellation launched by July 2029.

Amazon has booked up to 83 launches, including three rides with SpaceX. While the company is still in the early stages of building out its constellation, Amazon has already inked deals with governments as it hopes to begin commercial service later this year.

Crime

It's Steve Wozniak's 75th Birthday. Whatever Happened to His YouTube Lawsuit? (cbsnews.com) 98

In 2020 a YouTube video used video footage of Steve Wozniak in a scam to steal bitcoin. "Some people said they lost their life savings," Wozniak tells CBS News, explaining why he sued YouTube in 2020 — and where his case stands now: Wozniak's lawsuit against YouTube has been tied up in court now for five years, stalled by federal legislation known as Section 230. Attorney Brian Danitz said, "Section 230 is a very broad statute that limits, if not totally, the ability to bring any kind of case against these social media platforms."

"It says that anything gets posted, they have no liability at all," said Wozniak. "It's totally absolute."

Google responded to our inquiry about Wozniak's lawsuit with a statement from José Castañeda, of Google Policy Communications: "We take abuse of our platform seriously and take action quickly when we detect violations ... we have tools for users to report channels that are impersonating their likeness or business." [Steve's wife] Janet Wozniak, however, says YouTube did nothing, even though she reported the scam video multiple times: "You know, 'Please take this down. This is an obvious mistake. This is fraud. You're YouTube, you're helping dupe people out of their money,'" she said.

"They wouldn't," said Steve...

Today is Steve Wozniak's 75th birthday. (You can watch the interview here.) And the article includes this interesting detail about Woz's life today: Wozniak sold most of his Apple stock in the mid-1980s when he left the company. Today, though, he still gets a small paycheck from Apple for making speeches and representing the company. He says he's proud to see Apple become a trillion-dollar company. "Apple is still the best," he said. "And when Apple does things I don't like, and some of the closeness I wish it were more open, I'll speak out about it. Nobody buys my voice!"

I asked, "Apple listen to you when you speak out?"

"No," Wozniak smiled. "Oh, no. Oh, no."

Wozniak answered questions from Slashdot readers in 2000 and again in 2012.

And he dropped by Slashdot on his birthday to leave this comment for Slashdot's readers...

ISS

SpaceX's Crew-10 Astronauts Return to Earth After Nearly 5 months in Space (space.com) 29

After five months on the International Space Station, four astronauts splashed down in the Pacific Ocean in a SpaceX Crew Dragon capsule named Endurance, reports Space.com.

It was NASA's 10th commercial crew rotation mission: The flight launched atop a SpaceX Falcon 9 rocket on March 14 and arrived at the orbiting lab two days later. Crew-10's four astronauts soon set to conducting science work, which consumed much of their time over the ensuing months... The wheels for Crew-10's departure began turning last Saturday (Aug. 2), when SpaceX's four-person Crew-11 mission arrived at the International Space Station. The Crew-10 astronauts spent a few days advising their replacements, then set their minds to gearing up for the return to Earth — and reflecting on their orbital experience.

"We got to accomplish a lot of really amazing operational things," Ayers said during a farewell ceremony on Tuesday (Aug. 5). "We got to see some amazing views, and we have had some really big belly laughs and a wonderful time together," she added. "I think that [we're] leaving with a heart full of gratitude, and [we're] excited to see where the International Space Station goes after we get home." The hatches between Endurance and the ISS closed on Friday (Aug. 8) at 4:20 p.m. EDT (2020 GMT), and the capsule undocked about two hours later, at 6:15 p.m. EDT (2205 GMT). Endurance then began maneuvering its way back to Earth, setting up its splashdown today.

It was the first Pacific Ocean return for a SpaceX CCP mission; all previous such flights have come down off the Florida coast. SpaceX recently shifted to West Coast reentries for all of its Dragon missions, both crewed and uncrewed, to minimize the chance that falling space debris could damage property or injure people.

"During their mission, crew members traveled nearly 62,795,205 million miles," NASA announced, "and completed 2,368 orbits around Earth..." Along the way, Crew-10 contributed hundreds of hours to scientific research, maintenance activities, and technology demonstrations. McClain, Ayers, and Onishi completed investigations on plant and microalgae growth, examined how space radiation affects DNA sequences in plants, observed how microgravity changes human eye structure and cells in the body, and more. The research conducted aboard the orbiting laboratory advances scientific knowledge and demonstrates new technologies that enable us to prepare for human exploration of the Moon and Mars.

McClain and Ayers also completed a spacewalk on May 1, relocating a communications antenna, beginning the installation of a mounting bracket for a future International Space Station Roll-Out Solar Array, and other tasks.

The Courts

AI Industry Horrified To Face Largest Copyright Class Action Ever Certified (arstechnica.com) 188

An anonymous reader quotes a report from Ars Technica: AI industry groups are urging an appeals court to block what they say is the largest copyright class action ever certified. They've warned that a single lawsuit raised by three authors over Anthropic's AI training now threatens to "financially ruin" the entire AI industry if up to 7 million claimants end up joining the litigation and forcing a settlement. Last week, Anthropic petitioned (PDF) to appeal the class certification, urging the court to weigh questions that the district court judge, William Alsup, seemingly did not. Alsup allegedly failed to conduct a "rigorous analysis" of the potential class and instead based his judgment on his "50 years" of experience, Anthropic said.

If the appeals court denies the petition, Anthropic argued, the emerging company may be doomed. As Anthropic argued, it now "faces hundreds of billions of dollars in potential damages liability at trial in four months" based on a class certification rushed at "warp speed" that involves "up to seven million potential claimants, whose works span a century of publishing history," each possibly triggering a $150,000 fine. Confronted with such extreme potential damages, Anthropic may lose its rights to raise valid defenses of its AI training, deciding it would be more prudent to settle, the company argued. And that could set an alarming precedent, considering all the other lawsuits generative AI (GenAI) companies face over training on copyrighted materials, Anthropic argued. "One district court's errors should not be allowed to decide the fate of a transformational GenAI company like Anthropic or so heavily influence the future of the GenAI industry generally," Anthropic wrote. "This Court can and should intervene now."

In a court filing Thursday, the Consumer Technology Association and the Computer and Communications Industry Association backed Anthropic, warning the appeals court that "the district court's erroneous class certification" would threaten "immense harm not only to a single AI company, but to the entire fledgling AI industry and to America's global technological competitiveness." According to the groups, allowing copyright class actions in AI training cases will result in a future where copyright questions remain unresolved and the risk of "emboldened" claimants forcing enormous settlements will chill investments in AI. "Such potential liability in this case exerts incredibly coercive settlement pressure for Anthropic," industry groups argued, concluding that "as generative AI begins to shape the trajectory of the global economy, the technology industry cannot withstand such devastating litigation. The United States currently may be the global leader in AI development, but that could change if litigation stymies investment by imposing excessive damages on AI companies."

Communications

The FCC Will Review Emergency Alert Systems in the US (engadget.com) 29

An anonymous reader shares a report: The Federal Communications Commission is planning a review of the US emergency alert systems. Both the Emergency Alert System (EAS) and the Wireless Emergency Alerts (WAS) will be subject to a "re-examination" by the agency. "We want to ensure that these programs deliver the results that Americans want and need," FCC Chairman Brendan Carr posted on X.

The announcement of this plan notes that the infrastructure underlying the EAS -- which includes radio, television, satellite and cable systems -- is 31 years old, while the framework underpinning the WAS mobile device alerts is 13 years old. The FCC review will also assess what entities should be able to send alerts on those systems, as well as topics such as geographic targeting and security.

Encryption

Encryption Made For Police and Military Radios May Be Easily Cracked (wired.com) 64

An anonymous reader quotes a report from Wired: Two years ago, researchers in the Netherlands discovered an intentional backdoor in an encryption algorithm baked into radios used by critical infrastructure -- as well as police, intelligence agencies, and military forces around the world -- that made any communication secured with the algorithm vulnerable to eavesdropping. When the researchers publicly disclosed the issue in 2023, the European Telecommunications Standards Institute (ETSI), which developed the algorithm, advised anyone using it for sensitive communication to deploy an end-to-end encryption solution on top of the flawed algorithm to bolster the security of their communications. But now the same researchers have found that at least one implementation of the end-to-end encryption solution endorsed by ETSI has a similar issue that makes it equally vulnerable to eavesdropping. The encryption algorithm used for the device they examined starts with a 128-bit key, but this gets compressed to 56 bits before it encrypts traffic, making it easier to crack. It's not clear who is using this implementation of the end-to-end encryption algorithm, nor if anyone using devices with the end-to-end encryption is aware of the security vulnerability in them. Wired notes that the end-to-end encryption the researchers examined is most commonly used by law enforcement and national security teams. "But ETSI's endorsement of the algorithm two years ago to mitigate flaws found in its lower-level encryption algorithm suggests it may be used more widely now than at the time."

The Courts

Country's Strictest Ban On Election Deepfakes Struck By Judge (politico.com) 26

A federal judge struck down California's strict anti-deepfake election law, citing Section 230 protections rather than First Amendment concerns. Politico reports: [Judge John Mendez] also said he intended to overrule a second law, which would require labels on digitally altered campaign materials and ads, for violating the First Amendment. [...] The first law would have blocked online platforms from hosting deceptive, AI-generated content related to an election in the run-up to the vote. It came amid heightened concerns about the rapid advancement and accessibility of artificial intelligence, allowing everyday users to quickly create more realistic images and videos, and the potential political impacts. But opponents of the measures ... also argued the restrictions could infringe upon freedom of expression.

The original challenge was filed by the creator of the video, Christopher Kohls, on First Amendment grounds, with X later joining the case after [Elon Musk] said the measures were "designed to make computer-generated parody illegal." The satirical right-wing news website the Babylon Bee and conservative social media site Rumble also joined the suit. Mendez said the first law, penned by Democratic state Assemblymember Marc Berman, conflicted with the oft-cited Section 230 of the federal Communications Decency Act, which shields online platforms from liability for what third parties post on their sites. "They don't have anything to do with these videos that the state is objecting to," Mendez said of sites like X that host deepfakes.

But the judge did not address the First Amendment claims made by Kohls, saying it was not necessary in order to strike down the law on Section 230 grounds. "I'm simply not reaching that issue," Mendez told the plaintiffs' attorneys. [...] "I think the statute just fails miserably in accomplishing what it would like to do," Mendez said, adding he would write an official opinion on that law in the coming weeks. Laws restricting speech have to pass a strict test, including whether there are less restrictive ways of accomplishing the state's goals. Mendez questioned whether approaches that were less likely to chill free speech would be better. "It's become a censorship law and there is no way that is going to survive," Mendez added.

Communications

NASA Satellites That Scientists and Farmers Rely On May Be Destroyed On Purpose (npr.org) 165

The Trump administration has reportedly directed NASA to draw up plans to shut down its Orbiting Carbon Observatory satellite missions, which provide vital climate and agricultural data for scientists, oil and gas companies and farmers who need detailed information about carbon dioxide and crop health. As NPR reports, the satellites are "the only two federal satellite missions that were designed and built specifically to monitor planet-warming greenhouse gases." From the report: It is unclear why the Trump administration seeks to end the missions. The equipment in space is state of the art and is expected to function for many more years, according to scientists who worked on the missions. An official review by NASA in 2023 found that "the data are of exceptionally high quality" and recommended continuing the mission for at least three years.

Both missions, known as the Orbiting Carbon Observatories, measure carbon dioxide and plant growth around the globe. They use identical measurement devices, but one device is attached to a stand-alone satellite while the other is attached to the International Space Station. The standalone satellite would burn up in the atmosphere if NASA pursued plans to terminate the mission.

NASA employees who work on the two missions are making what the agency calls Phase F plans for both carbon-monitoring missions, according to David Crisp, a longtime NASA scientist who designed the instruments and managed the missions until he retired in 2022. Phase F plans lay out options for terminating NASA missions.
The OCO missions would lose funding under the Trump Administration's budget proposal for Fiscal Year 2026, which begins Oct. 1 but has yet to pass. "Presidential budget proposals are wish lists that often bear little resemblance to final congressional budgets," notes NPR. "The Orbiting Carbon Observatory missions have already received funding from Congress through the end of the 2025 fiscal year, which ends Sept. 30."

"Draft budgets that Congress is currently considering for next year keep NASA funding basically flat. But it's not clear whether these specific missions will receive funding again, or if Congress will pass a budget before current funding expires on Sept. 30."

Privacy

AI Is Listening to Your Meetings. Watch What You Say. (msn.com) 33

AI meeting transcription software is inadvertently sharing private conversations with all meeting participants through automated summaries. WSJ found a series of mishaps that people confirmed on-record.

Digital marketing agency owner Tiffany Lewis discovered her "Nigerian prince" joke about a potential client was included in the summary sent to that same client. Nashville branding firm Studio Delger received meeting notes documenting their discussion about "getting sandwich ingredients from Publix" and not liking soup when their client failed to appear. Communications agency coordinator Andrea Serra found her personal frustrations about a neighborhood Whole Foods and a kitchen mishap while making sweet potato recipes included in official meeting recaps distributed to colleagues.

Security

CrowdStrike Investigated 320 North Korean IT Worker Cases In the Past Year (cyberscoop.com) 11

An anonymous reader quotes a report from CyberScoop: North Korean operatives seeking and gaining technical jobs with foreign companies kept CrowdStrike busy, accounting for almost one incident response case or investigation per day in the past year, the company said in its annual threat hunting report released Monday. "We saw a 220% year-over-year increase in the last 12 months of Famous Chollima activity," Adam Meyers, senior vice president of counter adversary operations, said during a media briefing about the report. "We see them almost every day now," he said, referring to the North Korean state-sponsored group of North Korean technical specialists that has crept into the workforce of Fortune 500 companies and small-to-midsized organizations across the globe.

CrowdStrike's threat-hunting team investigated more than 320 incidents involving North Korean operatives gaining remote employment as IT workers during the one-year period ending June 30. CrowdStrike researchers found that Famous Chollima fueled that pace of activity with an assist from generative artificial intelligence tools that helped North Korean operatives maneuver workflows and evade detection during the hiring process. "They use generative AI across all stages of their operation," Meyers said. The insider threat group used generative AI to draft resumes, create false identities, build tools for job research, mask their identity during video interviews and answer questions or complete technical coding assignments, the report found. CrowdStrike said North Korean tech workers also used generative AI on the job to help with daily tasks and manage various communications across multiple jobs -- sometimes three to four -- they worked simultaneously.

Threat hunters observed other significant shifts in malicious activity during the past year, including a 27% year-over-year increase in hands-on-keyboard intrusions -- 81% of which involved no malware. Cybercrime accounted for 73% of all interactive intrusions during the one-year period. CrowdStrike continues to find and add more threat groups and clusters of activity to its matrix of cybercriminals, nation-state attackers and hacktivists. The company identified 14 new threat groups or individuals in the past six months, Meyers said. "We're up to over 265 named adversary groups that we track, and then 150 what we call malicious activity clusters," otherwise unnamed threat groups or individuals under development, Meyers said.

Games

Itch.io Starts Returning the Free Games It Removed From Its Store (aftermath.site) 24

"Digital storefront Itch.io is reindexing its free adult games," reports Engadget, "and is talking to its partnered payment processors about plans to gradually reintroduce paid NSFW content..." In a statement included in the Itch.io update, Stripe said it hasn't closed the door on the possibility of being able to support adult content again in the future. In the meantime, Itch.io says it is talking to its other payment partners about accepting the card payments Stripe is currently no longer able to process.
Itch's founder told the gaming news site Aftermath that it was a notice from Visa that led to the sudden deindexing of so many games. But Aftermath notes that Visa and Mastercard have now "both released statements effectively washing their hands of the situation but also, paradoxically, justifying any actions they might have taken."

- Visa: "When a legally operating merchant faces an elevated risk of illegal activity, we require enhanced safeguards for the banks supporting those merchants..."

- Mastercard: "Our payment network follows standards based on the rule of law. Put simply, we allow all lawful purchases on our network. At the same time, we require merchants to have appropriate controls to ensure Mastercard cards cannot be used for unlawful purchases, including illegal adult content."

Aftermath's take? The part where the two companies act as though their hands have been tied by the long arm of the law is, frankly, bullshit. None of the games removed from Steam or Itch were illegal. They depict actions that are perfectly legal in other mediums. To re-quote Mike Stabile, director of policy at the Free Speech Coalition: "The stuff [companies] are talking about is entirely legal. It's legal to have in a book, it's legal to have in a game. They are making decisions based on their brand, based on public pressure from anti-porn groups, and that can be reversed."
Meanwhile, gamers are still pushing back: It's difficult to say just how many people have spent the past several days tying up the lines of card companies and payment processors, but the movement has made itself visible enough to gain support from larger industry bodies like the Communications Workers of America [the largest communications/media labor union in America] and the International Game Developers Association.

NASA

For Sale: a 1990 Airstream Trailer/NASA Command Vehicle for Space Shuttle Landings (hemmings.com) 30

The vehicle "once led the Space Shuttle down the runway at Edwards Air Force Base," The Drive reported in 2022, noting it was won in an auction for $21,061 (beating 18 other bidders). "I just figured the NASA brand combined with Airstream hip seemed like a can't lose combination," the buyer says now, in a listing for the vehicle on the automotive sales site Hemmings.com asking $199,000.

They're touting it as a priceless marketing/publicity prop — "a once in a lifetime opportunity" to own what was once an "onsite command center complete with communications and atmospheric monitoring... Imagine pulling into Burning Man driving this..." The seller points out it's the only custom-built "Airstream" trailer ever sold by NASA. (The others were crushed, except for one donated to the Kennedy museum.) But for this one "Apparently there was some miscommunication when the vehicle was decommissioned. It should have been offered to museums but the sales team did not know what it was."

"Has only 8240 miles on it as driven from Ohio to California then around the Edwards base."

The seller apparently first tried listing it on eBay in May for $50,000. ("Reserve not met," says that listing page now. "Very well maintained, minor dings on exterior...")

Thanks to long-time Slashdot reader schwit1 for sharing the news.
AI

Anthropic Revokes OpenAI's Access To Claude Over Terms of Service Violation 10

An anonymous reader quotes a report from Wired: Anthropic revoked OpenAI's API access to its models on Tuesday, multiple sources familiar with the matter tell WIRED. OpenAI was informed that its access was cut off due to violating the terms of service. "Claude Code has become the go-to choice for coders everywhere, and so it was no surprise to learn OpenAI's own technical staff were also using our coding tools ahead of the launch of GPT-5," Anthropic spokesperson Christopher Nulty said in a statement to WIRED. "Unfortunately, this is a direct violation of our terms of service." According to Anthropic's commercial terms of service, customers are barred from using the service to "build a competing product or service, including to train competing AI models" or "reverse engineer or duplicate" the services. This change in OpenAI's access to Claude comes as the ChatGPT-maker is reportedly preparing to release a new AI model, GPT-5, which is rumored to be better at coding.

OpenAI was plugging Claude into its own internal tools using special developer access (APIs), instead of using the regular chat interface, according to sources. This allowed the company to run tests to evaluate Claude's capabilities in things like coding and creative writing against its own AI models, and check how Claude responded to safety-related prompts involving categories like CSAM, self-harm, and defamation, the sources say. The results help OpenAI compare its own models' behavior under similar conditions and make adjustments as needed. "It's industry standard to evaluate other AI systems to benchmark progress and improve safety. While we respect Anthropic's decision to cut off our API access, it's disappointing considering our API remains available to them," OpenAI's chief communications officer Hannah Wong said in a statement to WIRED. Nulty says that Anthropic will "continue to ensure OpenAI has API access for the purposes of benchmarking and safety evaluations as is standard practice across the industry."
Bug

A Luggage Service's Web Bugs Exposed the Travel Plans of Every User (wired.com) 1

An anonymous reader quotes a report from Wired: An airline leaving all of its passengers' travel records vulnerable to hackers would make an attractive target for espionage. Less obvious, but perhaps even more useful for those spies, would be access to a premium travel service that spans 10 different airlines, left its own detailed flight information accessible to data thieves, and seems to be favored by international diplomats. That's what one team of cybersecurity researchers found in the form of Airportr, a UK-based luggage service that partners with airlines to let its largely UK- and Europe-based users pay to have their bags picked up, checked, and delivered to their destination. Researchers at the firm CyberX9 found that simple bugs in Airportr's website allowed them to access virtually all of those users' personal information, including travel plans, or even gain administrator privileges that would have allowed a hacker to redirect or steal luggage in transit. Among even the small sample of user data that the researchers reviewed and shared with WIRED they found what appear to be the personal information and travel records of multiple government officials and diplomats from the UK, Switzerland, and the US.

Airportr's CEO Randel Darby confirmed CyberX9's findings in a written statement provided to WIRED but noted that Airportr had disabled the vulnerable part of its site's backend very shortly after the researchers made the company aware of the issues last April and fixed the problems within a few days. "The data was accessed solely by the ethical hackers for the purpose of recommending improvements to Airportr's security, and our prompt response and mitigation ensured no further risk," Darby wrote in a statement. "We take our responsibilities to protect customer data very seriously." CyberX9's researchers, for their part, counter that the simplicity of the vulnerabilities they found means that there's no guarantee other hackers didn't access Airportr's data first. They found that a relatively basic web vulnerability allowed them to change the password of any user to gain access to their account if they had just the user's email address -- and they were also able to brute-force guess email addresses with no rate limitations on the site. As a result, they could access data including all customers' names, phone numbers, home addresses, detailed travel plans and history, airline tickets, boarding passes and flight details, passport images, and signatures.

By gaining access to an administrator account, CyberX9's researchers say, a hacker could also have used the vulnerabilities it found to redirect luggage, steal luggage, or even cancel flights on airline websites by using Airportr's data to gain access to customer accounts on those sites. The researchers say they could also have used their access to send emails and text messages as Airportr, a potential phishing risk. Airportr tells WIRED that it has 92,000 users and claims on its website that it has handled more than 800,000 bags for customers. [...] The researchers found that they could monitor their browser's communications as they signed up for Airportr and created a new password, and then reuse an API key intercepted from those communications to instead change another user's password to anything they chose. The site also lacked a "rate limiting" security measure that would prevent automated guesses of email addresses to rapidly change the password of every user's account. And the researchers were also able to find email addresses of Airportr administrators that allowed them to take over their accounts and gain their privileges over the company's data and operations.
"Anyone would have been able to gain or might have gained absolute super-admin access to all the operations and data of this company," says Himanshu Pathak, CyberX9's founder and CEO. "The vulnerabilities resulted in complete confidential private information exposure of all airline customers in all countries who used the service of this company, including full control over all the bookings and baggage. Because once you are the super-admin of their most sensitive systems, you have have the ability to do anything."
Security

In Search of Riches, Hackers Plant 4G-Enabled Raspberry Pi In Bank Network (arstechnica.com) 54

Hackers from the group UNC2891 attempted a high-tech bank heist by physically planting a 4G-enabled Raspberry Pi inside a bank's ATM network, using advanced malware hidden with a never-before-seen Linux bind mount technique to evade detection. "The trick allowed the malware to operate similarly to a rootkit, which uses advanced techniques to hide itself from the operating system it runs on," reports Ars Technica. Although the plot was uncovered before the hackers could hijack the ATM switching server, the tactic showcased a new level of sophistication in cyber-physical attacks on financial institutions. The security firm Group-IB, which detailed the attack in a report on Wednesday, didn't say where the compromised switching equipment was located or how attackers managed to plant the Raspberry Pi. Ars Technica reports: To maintain persistence, UNC2891 also compromised a mail server because it had constant Internet connectivity. The Raspberry Pi and the mail server backdoor would then communicate by using the bank's monitoring server as an intermediary. The monitoring server was chosen because it had access to almost every server within the data center. As Group-IB was initially investigating the bank's network, researchers noticed some unusual behaviors on the monitoring server, including an outbound beaconing signal every 10 minutes and repeated connection attempts to an unknown device. The researchers then used a forensic tool to analyze the communications. The tool identified the endpoints as a Raspberry Pi and the mail server but was unable to identify the process names responsible for the beaconing.

The researchers then captured the system memory as the beacons were sent. The review identified the process as lightdm, a process associated with an open source LightDM display manager. The process appeared to be legitimate, but the researchers found it suspicious because the LightDM binary was installed in an unusual location. After further investigation, the researchers discovered that the processes of the custom backdoor had been deliberately disguised in an attempt to throw researchers off the scent.

[Group-IB Senior Digital Forensics and Incident Response Specialist Nam Le Phuong] explained: "The backdoor process is deliberately obfuscated by the threat actor through the use of process masquerading. Specifically, the binary is named "lightdm", mimicking the legitimate LightDM display manager commonly found on Linux systems. To enhance the deception, the process is executed with command-line arguments resembling legitimate parameters -- for example, lightdm --session child 11 19 -- in an effort to evade detection and mislead forensic analysts during post-compromise investigations. These backdoors were actively establishing connections to both the Raspberry Pi and the internal Mail Server."
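Both tells in this account can be checked on a host: a mount placed over a process's /proc entry, and a familiar process name running from an unexpected path. The triage sketch below is an added example, not Group-IB's tooling; it assumes the bind mount sits on /proc/<pid>, which the summary does not spell out, and the sample records, paths and allowlist are constructed.

```python
import re

# Constructed sample in /proc/self/mountinfo format (not taken from the report).
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
731 22 0:45 / /proc/8239 rw,nosuid,nodev shared:310 - tmpfs tmpfs rw
732 22 8:1 /var/tmp/.d /proc/8240 rw,relatime shared:1 - ext4 /dev/sda1 rw
"""

# Constructed process snapshot: pid -> (name, resolved executable path).
SAMPLE_PROCS = {
    612: ("lightdm", "/usr/sbin/lightdm"),
    901: ("sshd", "/usr/sbin/sshd"),
    8239: ("lightdm", "/var/tmp/lightdm"),
}
# Assumed allowlist of install paths per process name; tune per distribution.
EXPECTED_PATHS = {
    "lightdm": {"/usr/sbin/lightdm", "/usr/bin/lightdm"},
    "sshd": {"/usr/sbin/sshd"},
}
PROC_PID_MOUNT = re.compile(r"^/proc/(\d+)(?:/|$)")

def mounts_over_proc_pids(mountinfo_text):
    """Map pid -> filesystem type for each mount point at or under /proc/<pid>."""
    hits = {}
    for line in mountinfo_text.splitlines():
        pre, sep, post = line.partition(" - ")  # separator before fstype fields
        before, after = pre.split(), post.split()
        if not sep or len(before) < 5 or not after:
            continue  # not a well-formed mountinfo record
        match = PROC_PID_MOUNT.match(before[4])  # fifth field is the mount point
        if match:
            hits[int(match.group(1))] = after[0]
    return hits

def masquerading_pids(procs, expected=EXPECTED_PATHS):
    """Pids whose name is allowlisted but whose binary lives somewhere else."""
    return sorted(pid for pid, (name, exe) in procs.items()
                  if name in expected and exe not in expected[name])

def triage(mountinfo_text, procs):
    """Combine both checks into pid -> list of reasons for an analyst to review."""
    findings = {}
    for pid, fstype in mounts_over_proc_pids(mountinfo_text).items():
        findings.setdefault(pid, []).append(f"{fstype} mounted over /proc/{pid}")
    for pid in masquerading_pids(procs):
        findings.setdefault(pid, []).append("%s running from %s" % procs[pid])
    return findings
```

On a live host the inputs would come from /proc/self/mountinfo and from resolving each /proc/<pid>/exe link; a pid hidden by a mount may only be recoverable from a memory capture, as in the investigation described.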
