
Pegasus Spyware Seller: Blame Our Customers Not Us For Hacking

Slashdot
Author: msmash
The maker of powerful spy software allegedly used to hack the phones of innocent people says blaming the company is like "criticising a car manufacturer when a drunk driver crashes." From a report: NSO Group is facing international criticism, after reporters obtained a list of alleged potential targets for spyware, including activists, politicians and journalists. Investigations have begun as the list, of 50,000 phone numbers, contained a small number of hacked phones. Pegasus infects iPhones and Android devices, allowing operators to extract messages, photos and emails, record calls and secretly activate microphones and cameras. NSO Group has said the software is intended for use against criminals and terrorists and made available to only military, law enforcement and intelligence agencies from countries with good human-rights records. But a consortium of news organisations, led by French media outlet Forbidden Stories, has published dozens of stories based around the list, including allegations French President Emmanuel Macron's number was on it and may have been targeted.

Read more of this story at Slashdot.


Judge Forces US Capitol Rioter To Unlock Laptop Seized By FBI

Author: BeauHD
An anonymous reader quotes a report from CNN: A federal judge forced a US Capitol rioter to unlock his laptop Wednesday after prosecutors argued that it likely contained footage of the January 6 insurrection from his helmet-worn camera. The judge granted the Justice Department's request to place Capitol riot defendant Guy Reffitt in front of his laptop so they could use facial recognition to unlock the device. The maneuver happened after the hearing ended and Reffitt's lawyer confirmed to CNN that the laptop was unlocked. Investigators seized the laptop and other devices earlier this year pursuant to a search warrant. Reffitt has been in jail since his arrest in January. His case received national attention after his son spoke publicly about how Reffitt had threatened to kill family members if they turned him into the FBI. The case became an example of how former President Donald Trump's lies tore some families apart -- Reffitt's son and daughter testified against him in court or before the grand jury. He pleaded not guilty to five federal crimes, including bringing a handgun to the Capitol grounds during the insurrection and obstructing justice by allegedly threatening his family. The felony gun charge was added last month, and undercuts false claims from Trump and prominent Republican lawmakers that the rioters weren't armed and that they had "no guns whatsoever." The case raised intriguing constitutional questions about the right against self-incrimination, but Judge Dabney Friedrich agreed with prosecutors that the unlocking was within the law. "As the court here noted, requiring a defendant to expose his face to unlock a computer can be lawful, and is not far removed from other procedures that are now routinely approved by courts, with proper justification: standing in a lineup, submitting a handwriting or voice exemplar, or submitting a blood or DNA sample," CNN senior legal analyst Elie Honig said in an email. 
Honig said judges try to strike a balance "between respecting a defendant's privacy and other rights on the one hand, and enabling prosecutors to obtain potentially crucial evidence with minimal intrusion on the defendant's rights, on the other." The "potentially crucial evidence" here may include footage of the handgun that Reffitt brought to the Capitol or comments he made about his intentions that day.


After Repair, Hubble Captures Images of 'Rarely Observed' Colliding Galaxies

Author: BeauHD
UnknowingFool shares a report from CBS News: After being down for a month due to a computer issue, Hubble was brought back up last week. NASA released images captured by Hubble over the weekend including a rare observance of two galaxies that are colliding. The other interesting image is that of a spiral galaxy with three arms, as most spiral galaxies have an even number of arms. "I'm thrilled to see that Hubble has its eye back on the universe, once again capturing the kind of images that have intrigued and inspired us for decades," NASA administrator Bill Nelson said in a statement. "This is a moment to celebrate the success of a team truly dedicated to the mission. Through their efforts, Hubble will continue its 32nd year of discovery, and we will continue to learn from the observatory's transformational vision."


Drones Are Zapping Clouds With Electricity To Create Rain In UAE Project

Author: BeauHD
turp182 shares a report from USA Today: [T]he UAE is now testing a new method that has drones fly into clouds to give them an electric shock to trigger rain production [...]. The project is getting renewed interest after the UAE's National Center of Meteorology recently published a series of videos on Instagram of heavy rain in parts of the country. Water gushed past trees, and cars drove on rain-soaked roads. The videos were accompanied by radar images of clouds tagged "#cloudseeding." The Independent reports recent rain is part of the drone cloud seeding project. The UAE oversaw more than 200 cloud seeding operations in the first half of 2020, successfully creating excess rainfall, the National News reported. There have been successes in the U.S., as well as China, India, and Thailand. Long-term cloud seeding in the mountains of Nevada has increased snowpack by 10% or more each year, according to research published by the American Meteorological Society. A 10-year cloud seeding experiment in Wyoming resulted in 5-10% increases in snowpack, according to the State of Wyoming. According to a researcher that worked on the drone initiative, "the aim of the UAE's project is to change the balance of electrical charge on the cloud droplets, causing water droplets to clump together and fall as rain when they are big enough."


16-Year-Old HP Printer-Driver Bug Impacts Millions of Windows Machines

Author: BeauHD
An anonymous reader quotes a report from Threatpost: Researchers have released technical details on a high-severity privilege-escalation flaw in HP printer drivers (also used by Samsung and Xerox), which impacts hundreds of millions of Windows machines. If exploited, cyberattackers could bypass security products; install programs; view, change, encrypt or delete data; or create new accounts with more extensive user rights. The bug (CVE-2021-3438) has lurked in systems for 16 years, researchers at SentinelOne said, but was only uncovered this year. It carries an 8.8 out of 10 rating on the CVSS scale, making it high-severity. According to researchers, the vulnerability exists in a function inside the driver that accepts data sent from User Mode via Input/Output Control (IOCTL); it does so without validating the size parameter. As the name suggests, IOCTL is a system call for device-specific input/output operations. "This function copies a string from the user input using 'strncpy' with a size parameter that is controlled by the user," according to SentinelOne's analysis, released on Tuesday. "Essentially, this allows attackers to overrun the buffer used by the driver." Thus, unprivileged users can elevate themselves into a SYSTEM account, allowing them to run code in kernel mode, since the vulnerable driver is locally available to anyone, according to the firm. The printer-based attack vector is perfect for cybercriminals, according to SentinelOne, since printer drivers are essentially ubiquitous on Windows machines and are automatically loaded on every startup. "Thus, in effect, this driver gets installed and loaded without even asking or notifying the user," explained the researchers. "Whether you are configuring the printer to work wirelessly or via a USB cable, this driver gets loaded. In addition, it will be loaded by Windows on every boot. 
This makes the driver a perfect candidate to target since it will always be loaded on the machine even if there is no printer connected." Affected models and associated patches can be found here and here. "While HP is releasing a patch (a fixed driver), it should be noted that the certificate has not yet been revoked at the time of writing," according to SentinelOne. "This is not considered best practice since the vulnerable driver can still be used in bring-your-own-vulnerable-driver (BYOVD) attacks." Some Windows machines may already have the vulnerable driver without even running a dedicated installation file, since it comes with Microsoft Windows via Windows Update.
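
The copy pattern the summary describes, shown as an added user-mode example (not HP's driver code and not taken from SentinelOne's write-up). The `ioctl_request` struct, `NAME_BUF_LEN`, and the function names are hypothetical stand-ins for what a driver's IOCTL handler receives. Note that `strncpy(dst, src, n)` always writes exactly `n` bytes to `dst`, so a caller-chosen `n` decides how far the write extends regardless of how short the string is.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_LEN 32          /* hypothetical size of the driver's fixed buffer */

/* Constructed model of an IOCTL request as the handler sees it. */
struct ioctl_request {
    const char *input;           /* caller-supplied data */
    size_t      input_len;       /* bytes actually delivered with the request */
    size_t      claimed_len;     /* size field chosen by the caller */
};

enum copy_status {
    COPY_OK                = 0,
    COPY_INVALID_PARAMETER = -1, /* missing buffer or size larger than the input */
    COPY_BUFFER_TOO_SMALL  = -2  /* size does not fit the destination */
};

/*
 * Pattern described in the report (kept as a comment, not compiled):
 *
 *     strncpy(dst, req->input, req->claimed_len);
 *
 * claimed_len is never compared with the size of dst, so the copy length
 * is whatever the unprivileged caller asked for.
 */

/* Length of s up to the first NUL, never reading more than max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/*
 * Hardened form: every size is validated before the first byte is written.
 * On any failure dst is left untouched.
 */
int handle_set_name(char *dst, size_t dst_len, const struct ioctl_request *req)
{
    size_t n;

    if (dst == NULL || dst_len == 0 || req == NULL || req->input == NULL)
        return COPY_INVALID_PARAMETER;

    /* The size field may not exceed what was actually delivered. */
    if (req->claimed_len > req->input_len)
        return COPY_INVALID_PARAMETER;

    /* The string plus its terminator must fit the destination. */
    if (req->claimed_len >= dst_len)
        return COPY_BUFFER_TOO_SMALL;

    n = bounded_len(req->input, req->claimed_len);
    memcpy(dst, req->input, n);
    memset(dst + n, 0, dst_len - n);   /* zero-fill, always NUL-terminated */
    return COPY_OK;
}

int main(void)
{
    char name[NAME_BUF_LEN] = "unset";
    char oversized[64];
    struct ioctl_request samples[3];   /* constructed sample requests */
    size_t i;

    memset(oversized, 'A', sizeof oversized);

    samples[0].input = "printer-01"; samples[0].input_len = 11;
    samples[0].claimed_len = 10;                 /* well-formed */
    samples[1].input = "printer-01"; samples[1].input_len = 11;
    samples[1].claimed_len = 4096;               /* size field larger than input */
    samples[2].input = oversized;    samples[2].input_len = sizeof oversized;
    samples[2].claimed_len = sizeof oversized;   /* larger than destination */

    for (i = 0; i < 3; i++) {
        int rc = handle_set_name(name, sizeof name, &samples[i]);
        printf("request %zu: status %d, name=\"%s\"\n", i, rc, name);
    }
    return 0;
}
```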


'Nuclear Football' Safety Procedures To Be Reassessed

Author: BeauHD
quonset writes: Wherever the president goes, so goes the nuclear football, a 45 pound case which allows the president to confirm his identity and authorize a nuclear strike. The Football also provides the commander in chief with a simplified menu of nuclear strike options -- allowing him to decide, for example, whether to destroy all of America's enemies in one fell swoop or to limit himself to obliterating only Moscow or Pyongyang or Beijing. During the attempted insurrection on January 6th, video from inside the capitol showed the mob coming within 100 feet of then-Vice President Mike Pence and his military aide who was carrying a second nuclear football. Had they lost control of the case, no nuclear weapons could have been launched, but the highly classified information within the case could have been leaked, or sold, to nation states. As a result, members of Congress asked the Pentagon to review procedures for handling and security of the nuclear football. The Department of Defense Inspector General will evaluate the policies and procedures around the Presidential Emergency Satchel, also known as the "nuclear football," in the event that it is "lost, stolen, or compromised," according to an announcement from the DoD IG's office. This would not be the first time procedures for the case have been reviewed. Jimmy Carter, who qualified as a nuclear sub commander, was aware that he would have only a few minutes to decide how to respond to a nuclear strike against the United States. Carter ordered that the war plans be drastically simplified. A former military aide to President Bill Clinton, Col. Buzz Patterson, would later describe the resulting pared-down set of choices as akin to a "Denny's breakfast menu." "It's like picking one out of Column A and two out of Column B," he told the History Channel. Following Carter, an incident during the Reagan administration led to another review. 
In the chaos after the attempted assassination, the aide carrying the case was separated from Reagan and did not accompany him to the hospital. When Reagan was stripped of his clothes prior to going into surgery, the biscuit, a card every president is given, which, if needed, can personally identify the president, was found abandoned in a hospital plastic bag. Bill Clinton had his review moment when it was discovered he had lost his biscuit for months, and never told anyone.


Clubhouse Is Now Out of Beta and Open To Everyone

Author: BeauHD
Clubhouse announced Wednesday that it would end its waitlist and invite system, opening up to everyone. TechCrunch reports: Clubhouse is also introducing a real logo that will look familiar -- it's basically a slightly altered version of the waving emoji the company already used. Clubhouse will still hold onto its app portraits, introducing a new featured icon from the Atlanta music scene to ring in the changes. "The invite system has been an important part of our early history," Clubhouse founders Paul Davison and Rohan Seth wrote in a blog announcement. They note that adding users in waves and integrating new users into the app's community through Town Halls and orientation sessions helped Clubhouse grow at a healthy rate without breaking, "but we've always wanted Clubhouse to be open." According to new data SensorTower provided to TechCrunch, Clubhouse hit its high point in February at 9.6 million global downloads, up from 2.4 million the month prior. After that, things settled down a bit before perking back up in May when TikTok went live on Android through the Google Play Store. Since May, new Android users have accounted for the lion's share of the app's downloads. In June, Clubhouse was installed 7.7 million times across both iOS and Android -- an impressive number that's definitely in conflict with the perception that the app might not have staying power. Clubhouse's success is a double-edged sword. The app's meteoric rise came as a surprise to the team, as meteoric rises often do. The social app is still a wild success by normal metrics in a landscape completely dominated by a handful of large, entrenched platforms, but it can be tricky to maintain healthy momentum after such high highs. Opening up the app to everybody should certainly help.


Steve Jobs' 1973 Job Application Once Again Up For Auction, In Physical and NFT Form

Author: BeauHD
A London-based entrepreneur is putting a 1973 job application filled out by Steve Jobs up for auction. "The form Jobs apparently filled out for an unspecified position at an unspecified company will be available to buy either as a purportedly authenticated physical good or in digital form, as a nonfungible token, or NFT," reports CNET. From the report: The job application's gone up for auction several times before, selling in 2017 for $18,750, in 2018 for $174,757, and just this last March for a reported $222,400. The auction's organizer, Olly Joshi, is hoping to sweeten the pot by taking bids for the physical and a new NFT version side by side. Bidding starts July 21. "The Steve Jobs hand-written 1973 job application auction aims to highlight the modern shift in perceived value -- the physical or the digital," he said in a statement. The auction will run for seven days, during which people seeking the physical version can bid through Joshi's website, which is being run off an auctioneering app called Snoofa. People hoping to snag the digital version can go to popular NFT marketplace Rarible.


Audacity's New Owner Is In Another Fight With the Open Source Community

Author: BeauHD
An anonymous reader quotes a report from Ars Technica: Muse Group -- owner of the popular audio-editing app Audacity -- is in hot water with the open source community again. This time, the controversy isn't over Audacity -- it's about MuseScore, an open source application that allows musicians to create, share, and download musical scores (especially, but not only, in the form of sheet music). The MuseScore app itself is licensed GPLv3, which gives developers the right to fork its source and modify it. One such developer, Wenzheng Tang ("Xmader" on GitHub) went considerably further than modifying the app -- he also created separate apps designed to bypass MuseScore Pro subscription fees. After thoroughly reviewing the public comments made by both sides at GitHub, Ars spoke at length with Muse Group Head of Strategy Daniel Ray -- known on GitHub by the moniker "workedintheory" -- to get to the bottom of the controversy. While Xmader did, in fact, fork MuseScore, that's not the root of the controversy. Xmader forked MuseScore in November 2020 and appears to have abandoned that fork entirely; it only has six commits total -- all trivial, and all made the same week that the fork was created. Xmader is also currently 21,710 commits behind the original MuseScore project repository. Muse Group's beef with Xmader comes from two other repositories, created specifically to bypass subscription fees. Those repositories are musescore-downloader (created November 2019) and musescore-dataset (created March 2020). Musescore-downloader describes itself succinctly: "download sheet music from musescore.com for free, no login or MuseScore Pro required." Musescore-dataset is nearly as straightforward: it declares itself "the unofficial dataset of all music sheets and users on musescore.com." In simpler terms: musescore-downloader lets you download things from musescore.com that you shouldn't be able to; musescore-dataset is those files themselves, already downloaded. 
For scores that are in the public domain or that users have uploaded under Creative Commons licenses, this isn't necessarily a problem. But many of the scores are only available by arrangement between the score owner and Muse Group itself -- and this has several important implications. Just because you can access the score via the app or website doesn't mean you're free to access it anywhere, anyhow, or redistribute that score yourself. The distribution agreement between Muse Group and the rightsholder allows legitimate downloads, but only when using the site or app as intended. Those agreements do not give users carte blanche to bypass controls imposed on those downloads. Further, those downloads can often cost the distributor real money -- a free download of a score licensed to Muse Group by a commercial rightsholder (e.g., Disney) is generally not "free" to Muse Group itself. The site has to pay for the right to distribute that score -- in many cases, based on the number of downloads made. Bypassing those controls leaves Muse Group on the hook either for costs it has no way to monetize (e.g., by ads for free users) or for violating its own distribution agreements with rightsholders (by failing to properly track downloads).


Amazon Promises Most Echo Speakers Will Support the Matter Smart Home Platform

Author: BeauHD
Today, Amazon said it will be upgrading almost every plug-in Echo smart speaker to support Matter, a cross-platform open-source standard coming later this year. This includes most Echo and Echo Dot speakers and every Echo Studio, Echo Show, Echo Plus, and Echo Flex. "In fact, the only Echo smart speakers that won't get upgraded to Matter are the first-gen Echo, first-gen Echo Dot and Echo Tap," reports The Verge. From the report: While the company doesn't provide a timeline for those upgrades, the general idea is that Matter will launch by late 2021, so it shouldn't be long until Amazon's newest and / or more popular devices receive the capability. A bigger question is whether any of them will work as Matter hubs. Google announced in May that in addition to upgrading its Nest devices to Matter, it would allow its devices that support the Thread protocol (like the Nest Wi-Fi, Nest Hub Max, and second-gen Nest Hub) to double as connection hubs for Matter, too, not simply as a voice assistant to control Matter gadgets. But while Amazon's Eero routers were early to adopt Thread, Amazon's Echo smart speakers were not.


Serial Swatter Who Caused Death Gets Five Years In Prison

Author: BeauHD
An 18-year-old Tennessee man who helped set in motion a fraudulent distress call to police that led to the death of a 60-year-old grandfather in 2020 was sentenced to 60 months in prison today. Krebs on Security reports: Shane Sonderman, of Lauderdale County, Tenn. admitted to conspiring with a group of criminals that's been "swatting" and harassing people for months in a bid to coerce targets into giving up their valuable Twitter and Instagram usernames. At Sonderman's sentencing hearing today, prosecutors told the court the defendant and his co-conspirators would text and call targets and their families, posting their personal information online and sending them pizzas and other deliveries of food as a harassment technique. Other victims of the group told prosecutors their tormentors further harassed them by making false reports of child abuse to social services local to the target's area, and false reports in the target's name to local suicide prevention hotlines. Eventually, when subjects of their harassment refused to sell or give up their Twitter and Instagram usernames, Sonderman and others would swat their targets -- or make a false report to authorities in the target's name with the intention of sending a heavily armed police response to that person's address. [...] Sonderman might have been eligible to knock a few months off his sentence had he cooperated with investigators and refrained from committing further crimes while out on bond. But prosecutors said that shortly after his release, Sonderman went right back to doing what he was doing when he got caught. Investigators who subpoenaed his online communications found he'd logged into the Instagram account "FreeTheSoldiers," which was known to have been used by the group to harass people for their social media handles. 
Sonderman was promptly re-arrested for violating the terms of his release, and prosecutors played for the court today a recording of a phone call Sonderman made from jail in which he brags to a female acquaintance that he wiped his mobile phone two days before investigators served another search warrant on his home. "Although it may seem inadequate, the law is the law," said Judge Norris after giving Sonderman the maximum sentence allowed by law under the statute. "The harm it caused, the death and destruction... it's almost unspeakable. This is not like cases we frequently have that involve guns and carjacking and drugs. This is a whole different level of insidious criminal behavior here."


FTC Formally Adopts Right To Repair Platform

Author: BeauHD
An anonymous reader quotes a report from Motherboard: The Federal Trade Commission unanimously voted Wednesday to pursue policies that will make it easier for people to repair their own things. In a vote of 5-0 during a Commission Meeting, the FTC agreed to adopt a policy paper outlining how it planned to enforce rules that keep manufacturers from restricting aftermarket repair. It plans to enforce existing warranty law, coordinate with state and local lawmakers to ensure open markets, and investigate the current repair monopolies for violations of antitrust law. The move comes just weeks after President Joe Biden signed an executive order directing the commission to create right-to-repair rules. The FTC policy paper outlined a five-pronged approach to the problem. First, it's asking for comments and complaints from the public about bad experiences it's had with repair issues and violated warranty. It's long been illegal under federal law for companies to void warranties based on aftermarket repairs. The problem is that those laws often aren't enforced, though the FTC did take some action on manufacturers who put warranty-void-if-removed stickers on their devices after Motherboard reported on the problem several years ago. "While current law does not provide for civil penalties or redress, the Commission will consider filing suit against violators of the Magnuson-Moss Warranty Act to seek appropriate injunctive relief," the policy paper said. Next, the FTC said it will look over current repair restrictions for violations of existing antitrust and anti-competition laws. "Finally, the Commission will bring an interdisciplinary approach to this issue, using resources and expertise from throughout the agency to combat unlawful repair restrictions," the policy paper said. "The FTC will also closely coordinate with state law enforcement and policymakers to ensure compliance and to update existing law and regulation to advance the goal of open repair markets." 
"Manufacturers, be warned: It's time to clean up your act and let people fix their stuff," Nathan Proctor, U.S. PIRG Right to Repair Senior Campaign Director, told Motherboard in an email. "With unanimous support from commissioners, there's a new sheriff in town. The FTC is ready to act to stop many of the schemes used to undermine repair, while support is increasing for new legislation to further crack down."


China Rejects Hacking Charges, Accuses US of Cyberspying

Author: msmash
China has rejected an accusation by Washington and its Western allies that Beijing is to blame for a hack of the Microsoft Exchange email system and complained Chinese entities are victims of damaging U.S. cyberattacks. From a report: A foreign ministry spokesman demanded Washington drop charges announced Monday against four Chinese nationals accused of working with the Ministry of State Security to try to steal U.S. trade secrets, technology and disease research. The announcement that the Biden administration and European allies formally blame Chinese government-linked hackers for ransomware attacks increased pressure over long-running complaints against Beijing but included no sanctions. "The United States ganged up with its allies to make unwarranted accusations against Chinese cybersecurity," said the spokesman, Zhao Lijian. "This was made up out of thin air and confused right and wrong. It is purely a smear and suppression with political motives. China will never accept this," Zhao said, though he gave no indication of possible retaliation. China is a leader in cyberwarfare research along with the United States and Russia, but Beijing denies accusations that Chinese hackers steal trade secrets and technology. Security experts say the military and security ministry also sponsor hackers outside the government.


Australia's Giant Carbon Capture Project Fails To Meet Key Targets

Author: msmash
The world's largest carbon capture and storage project has failed to meet a crucial target of capturing and burying an average of 80% of the carbon dioxide produced from gas wells in Western Australia over five years. From a report: The energy giant Chevron agreed to the target with the West Australian government when developing its $54 billion Gorgon project to extract and export gas from fields off the WA coast. The five-year milestone passed on Sunday. In a statement the energy giant Chevron announced that since operations began in August 2019 it had injected five million tonnes of greenhouse gases underground. According to the independent analyst Peter Milne, that leaves a shortfall of around 4.6 million tonnes, which he estimates would cost about $100 million to offset via carbon credits. The project has national and even international significance, with the oil and gas industry and the federal government declaring the success of carbon capture and storage to be crucial in tackling climate change while making use of fossil fuels. "It is essential we position Australia to succeed by investing now in the technologies that will support our industries into the future, with lower emissions energy that can support Australian jobs," Prime Minister Scott Morrison said in April while announcing $263.7 million in funding to develop carbon capture and storage technology.


Square To Create New Bitcoin Platform for Financial Services

Author: msmash
Payments services company Square will open a new business focused on creating an "open developer platform" to make it easier to provide non-custodial, decentralized financial services, CEO Jack Dorsey said Thursday in a series of tweets. From a report: The still to-be-named division's "primary focus" would be bitcoin, he added. The initiative, which will be led by Mike Brock, would feature "open roadmap, open development and open source," Dorsey tweeted. Brock heads the company's strategic development group. The new division will differ from Square Crypto in that Square will provide direction as well as funding for its work, Dorsey tweeted. Square Crypto is working on the Lightning Development Kit.


Tesla Will 'Most Likely' Restart Accepting Bitcoin As Payments, Says Musk

Author: msmash
Electric-car maker Tesla will most likely restart accepting bitcoin as payments, Chief Executive Officer Elon Musk said at a conference on Wednesday. From a report: Musk's comments come after Tesla said in May it would stop accepting bitcoin for car purchases. "Tesla would resume accepting bitcoin, it is most likely," Musk said at the B Word conference, where Square's Jack Dorsey also took part. Musk said he personally owned bitcoin, ethereum and dogecoin, apart from bitcoin that Tesla and SpaceX owned. Musk added that neither he nor any of his companies are selling any bitcoin. "If the price of bitcoin goes down, I lose money. I pump but I don't dump. I would like to see bitcoin succeed," he added.


Robinhood's Guinea Pig for Upending Public Offerings: Itself

Author: msmash
When Vlad Tenev and Baiju Bhatt created the stock trading app Robinhood in 2013, the entrepreneurs declared that their mission was to democratize Wall Street and make finance accessible to all. Now as they prepare to make their company public, they are taking that ethos to a new extreme. From a report: Mr. Tenev and Mr. Bhatt have long discussed how Robinhood's initial public offering would be more open than any other offering that came before it, three people close to the company said. This week, the two founders laid out the details: Robinhood plans to sell as much as a third of its offering, or $770 million of shares, directly to customers through its app. The company added that anyone can participate in a special livestream of its investor presentations this Saturday. The moves are highly unusual and upend the traditional I.P.O. process. No company has ever offered so many shares to everyday investors at the outset; firms typically reserve just 1 or 2 percent of their shares for customers. And investor presentations usually take place behind closed doors with Wall Street firms, which have long had the most access to public offerings. But Mr. Tenev and Mr. Bhatt have made plans since at least 2019 to change the way I.P.O.s are done, said a person familiar with the company who was not authorized to speak publicly. Robinhood also chose Goldman Sachs to lead its offering partly because of the bank's ability to help sell pre-I.P.O. shares -- normally reserved for professionally managed funds -- to thousands of everyday investors on Robinhood's app, another person involved in the offering said.


EU Plans To Make Bitcoin Transfers More Traceable

Author: msmash
Proposed changes to EU law would force companies that transfer Bitcoin or other crypto-assets to collect details on the recipient and sender. From a report: The proposals would make crypto-assets more traceable, the EU Commission said, and would help stop money-laundering and the financing of terrorism. The new rules would also prohibit providing anonymous crypto-asset wallets. The proposals could take two years to become law. The Commission argued that crypto-asset transfers should be subject to the same anti-money-laundering rules as wire transfers. "Given that virtual assets transfers are subject to similar money-laundering and terrorist-financing risks as wire funds transfers... it therefore appears logical to use the same legislative instrument to address these common issues," the Commission wrote. While some crypto-asset service providers are already covered by anti-money-laundering rules, the new proposals would "extend these rules to the entire crypto-sector, obliging all service providers to conduct due diligence on their customers," the Commission explained. Under the proposals, a company transferring crypto-assets for a customer would be obliged to include their name, address, date of birth and account number, and the name of the recipient.


Telegram Founder Listed in Leaked Pegasus Project Data

Author: msmash
Amid the varied cast of people whose numbers appear on a list of individuals selected by NSO Group's client governments, one name stands out as particularly ironic. Pavel Durov, the enigmatic Russian-born tech billionaire who has built his reputation on creating an unhackable messaging app, finds his own number on the list. From a report: Durov, 36, is the founder of Telegram, which claims to have more than half a billion users. Telegram offers end-to-end encrypted messaging and users can also set up "channels" to disseminate information quickly to followers. It has found popularity among those keen to evade the snooping eyes of governments, whether they be criminals, terrorists or protesters battling authoritarian regimes. In recent years, Durov has publicly rubbished the security standards of competitors, particularly WhatsApp, which he has claimed is "dangerous" to use. By contrast, he has positioned Telegram as a plucky upstart determined to safeguard the privacy of its users at all costs.


Microsoft Acquires Security Startup CloudKnox

Author: msmash
Microsoft said Wednesday it's acquiring CloudKnox, a start-up whose software helps companies reduce the amount of access they provide to their cloud resources. Terms of the deal weren't disclosed. From a report: The move represents another step Microsoft is taking to expand its security business, in addition to working to keep Windows and its other products secure. In January, Microsoft said it had generated over $10 billion in security revenue in the previous 12 months, up more than 40% year over year, meaning that it's growing faster than most other product areas. Just last week Microsoft announced the acquisition of another security company, RiskIQ, which can spot threats across a given company's entire information-technology footprint. CloudKnox's software works with Microsoft's Azure public cloud, as well as the Amazon and Google clouds. The software spots and can remove cases of permissions for employees and virtual identities that aren't being actively used, and it can show alerts about unusual activity.
