In SolarWinds Case, US Judge Rejects SEC Oversight of Cybersecurity Controls

SolarWinds still faces some legal action over its infamous 2020 breach, reports NextGov.com. But a U.S. federal judge has dismissed most of the claims from America’s Securities and Exchange Commission, which “alleged the company defrauded investors because it deliberately hid knowledge of cyber vulnerabilities in its systems ahead of a major security breach discovered in 2020.”

Slashdot reader krakman shares this report from the Washington Post:
“The SEC’s rationale, under which the statute must be construed to broadly cover all systems public companies use to safeguard their valuable assets, would have sweeping ramifications,” [judge] Engelmayer wrote in a 107-page decision. “It could empower the agency to regulate background checks used in hiring nighttime security guards, the selection of padlocks for storage sheds, safety measures at water parks on whose reliability the asset of customer goodwill depended, and the lengths and configurations of passwords required to access company computers,” he wrote. The federal judge also dismissed SEC claims that SolarWinds’ disclosures after it learned its customers had been affected improperly covered up the gravity of the breach…

In an era when deeply damaging hacking campaigns have become commonplace, the suit alarmed business leaders, some security executives and even former government officials, as expressed in friend-of-the-court briefs asking that it be thrown out. They argued that adding liability for misstatements would discourage hacking victims from sharing what they know with customers, investors and safety authorities. Austin-based SolarWinds said it was pleased that the judge “largely granted our motion to dismiss the SEC’s claims,” adding in a statement that it was “grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns.”

The article notes that as far back as 2018, “an engineer warned in an internal presentation that a hacker could use the company’s virtual private network from an unauthorized device and upload malicious code. Brown did not pass that information along to top executives, the judge wrote, and hackers later used that exact technique.”
Engelmayer did not dismiss the case entirely, allowing the SEC to try to show that SolarWinds and top security executive Timothy Brown committed securities fraud by not warning in a public “security statement” before the hack that it knew it was highly vulnerable to attacks.

The SEC “plausibly alleges that SolarWinds and Brown made sustained public misrepresentations, indeed many amounting to flat falsehoods, in the Security Statement about the adequacy of its access controls,” Engelmayer wrote. “Given the centrality of cybersecurity to SolarWinds’ business model as a company pitching sophisticated software products to customers for whom computer security was paramount, these misrepresentations were undeniably material.”

Read more of this story at Slashdot.

The Data That Powers AI Is Disappearing Fast

An anonymous reader quotes a report from the New York Times: For years, the people building powerful artificial intelligence systems have used enormous troves of text, images and videos pulled from the internet to train their models. Now, that data is drying up. Over the past year, many of the most important web sources used for training A.I. models have restricted the use of their data, according to a study published this week by the Data Provenance Initiative, an M.I.T.-led research group. The study, which looked at 14,000 web domains that are included in three commonly used A.I. training data sets, discovered an “emerging crisis in consent,” as publishers and online platforms have taken steps to prevent their data from being harvested.

The researchers estimate that in the three data sets — called C4, RefinedWeb and Dolma — 5 percent of all data, and 25 percent of data from the highest-quality sources, has been restricted. Those restrictions are set up through the Robots Exclusion Protocol, a decades-old method for website owners to prevent automated bots from crawling their pages using a file called robots.txt. The study also found that as much as 45 percent of the data in one set, C4, had been restricted by websites’ terms of service. “We’re seeing a rapid decline in consent to use data across the web that will have ramifications not just for A.I. companies, but for researchers, academics and noncommercial entities,” said Shayne Longpre, the study’s lead author, in an interview.

Read more of this story at Slashdot.

Apple Vision Pro’s Content Drought Improves With New 3D Videos

More than a dozen new Immersive Videos are coming to Vision Pro, with the first, titled Boundless, launching last night. “The announcement follows a long, slow period for new Vision Pro-specific video content from Apple,” writes Ars Technica’s Samuel Axon. “The headset launched in early February with a handful of Immersive Video episodes ranging from five to 15 minutes each. Since then, only three new videos have been added.” From the report: Tonight’s Boundless episode will allow viewers to see what it’s like to ride in a hot air balloon over sweeping vistas. Another episode titled “Arctic Surfing” will arrive this fall, Apple says. Sometime next month, Apple will publish the second episode of its real wildlife documentary, simply titled Wild Life. The episode will focus on elephants in Kenya’s Sheldrick Wildlife Trust. Another episode is in the works, too. “Later this year,” Apple writes in its newsroom post, “viewers will brave the deep with a bold group of divers in the Bahamas, who come face-to-face with apex predators and discover creatures much more complex than often portrayed.”

In September, we’ll see the debut of a new Immersive Video series titled Elevated. Apple describes it as an “aerial travel series” in which viewers will fly over places of interest. The first episode will take viewers to Hawaii, while another planned for later this year will go to New England. Apple is additionally partnering with Red Bull for a look at surfing called Red Bull: Big-Wave Surfing. In addition to those documentary episodes, there will be three short films by year’s end. One will be a musical experience featuring The Weeknd, and another will take basketball fans inside the 2024 NBA All-Star Weekend. There will also be Submerged, the first narrative fictional Immersive Video on the platform. It’s an action short film depicting struggles on a submarine during World War II.

Read more of this story at Slashdot.

CrowdStrike Stock Tanks 15%, Set For Worst Day Since 2022

Shares of cybersecurity company CrowdStrike Holdings dropped 15% on Friday after the company’s software update resulted in what may turn out to be the largest IT outage ever. CrowdStrike stock “is on pace for its steepest daily loss since November 2022 and its $290 low share price is the lowest intraday mark since April 25,” reports Forbes. “CrowdStrike is on track for the third-worst day in its five-year history as a publicly traded company.” From the report: Microsoft, which was swept up in the outage as the downed systems are those running CrowdStrike’s cybersecurity applications and Microsoft’s Windows software, also slumped, with its shares down about 1% to the $3.2 trillion behemoth’s lowest share price since June 11. CrowdStrike competitor Palo Alto Networks enjoyed a 4% rally Friday, while the tech-heavy Nasdaq Composite stock index gained about 0.2%, held up by the likes of Microsoft rival Apple’s 1% stock gain and a 1% rise for shares of Alphabet, which is reportedly in talks to buy cybersecurity firm Wiz for $23 billion.

The CrowdStrike selloff is “an overreaction to a temporary setback,” Rosenblatt analyst Catharine Trebnick wrote in a note to clients Friday. It’s a “compelling buying opportunity” as it “creates a window for investors to buy into a high-quality, growth-oriented cybersecurity company at a discounted valuation,” Trebnick continued. To her point, CrowdStrike stock’s relative valuation, according to its price-to-earnings ratio (P/E), which compares its market value to its projected profits over the next four quarters, fell Friday to its lowest number since April. Still, CrowdStrike’s P/E of about 70 is very high for a company of its size, meaning investors will need to express significant confidence in the business’ ability to grow earnings, a challenge if Friday’s incident were to impact CrowdStrike’s client base.

Read more of this story at Slashdot.