Court Orders Maker of Pegasus Spyware To Hand Over Code To WhatsApp

Stephanie Kirchgaessner reports via The Guardian: NSO Group, the maker of one the world’s most sophisticated cyber weapons, has been ordered by a US court to hand its code for Pegasus and other spyware products to WhatsApp as part of the company’s ongoing litigation. The decision by Judge Phyllis Hamilton is a major legal victory for WhatsApp, the Meta-owned communication app which has been embroiled in a lawsuit against NSO since 2019, when it alleged that the Israeli company’s spyware had been used against 1,400 WhatsApp users over a two-week period.

NSO’s Pegasus code, and code for other surveillance products it sells, is seen as a closely and highly sought state secret. NSO is closely regulated by the Israeli ministry of defense, which must review and approve the sale of all licences to foreign governments. In reaching her decision, Hamilton considered a plea by NSO to excuse it of all its discovery obligations in the case due to “various US and Israeli restrictions.”

Ultimately, however, she sided with WhatsApp in ordering the company to produce”all relevant spyware” for a period of one year before and after the two weeks in which WhatsApp users were allegedly attacked: from 29 April 2018 to 10 May 2020. NSO must also give WhatsApp information “concerning the full functionality of the relevant spyware.” Hamilton did, however, decide in NSO’s favor on a different matter: the company will not be forced at this time to divulge the names of its clients or information regarding its server architecture.

Read more of this story at Slashdot.

Calendar Meeting Links Used To Spread Mac Malware

Hackers targeting individuals in the cryptocurrency sector are using a sophisticated phishing scheme that begins with a malicious link on Calendly. “The attackers impersonate established cryptocurrency investors and ask to schedule a video conference call,” reports Krebs on Security. “But clicking the meeting link provided by the scammers prompts the user to run a script that quietly installs malware on macOS systems.” From the report: A search in Google for a string of text from that script turns up a December 2023 blog post from cryptocurrency security firm SlowMist about phishing attacks on Telegram from North Korean state-sponsored hackers. “When the project team clicks the link, they encounter a region access restriction,” SlowMist wrote. “At this point, the North Korean hackers coax the team into downloading and running a ‘location-modifying’ malicious script. Once the project team complies, their computer comes under the control of the hackers, leading to the theft of funds.”

SlowMist says the North Korean phishing scams used the “Add Custom Link” feature of the Calendly meeting scheduling system on event pages to insert malicious links and initiate phishing attacks. “Since Calendly integrates well with the daily work routines of most project teams, these malicious links do not easily raise suspicion,” the blog post explains. “Consequently, the project teams may inadvertently click on these malicious links, download, and execute malicious code.”

SlowMist said the malware downloaded by the malicious link in their case comes from a North Korean hacking group dubbed BlueNoroff, which Kaspersky Labs says is a subgroup of the Lazarus hacking group. “A financially motivated threat actor closely connected with Lazarus that targets banks, casinos, fin-tech companies, POST software and cryptocurrency businesses, and ATMs,” Kaspersky wrote of BlueNoroff in Dec. 2023.

Read more of this story at Slashdot.

The FBI Is Using Push Notifications To Catch Sexual Predators

According to the Washington Post (paywalled), the FBI is using mobile push notification data to unmask people suspected of serious crimes, such as pedophilia, terrorism, and murder. Gizmodo reports: The Post did a little digging into court records and found evidence of at least 130 search warrants filed by the feds for push notification data in cases spanning 14 states. In those cases, FBI officials asked tech companies like Google, Apple, and Facebook to fork over data related to a suspect’s mobile notifications, then used the data to implicate the suspect in criminal behavior linked to a particular app, even though many of those apps were supposedly anonymous communication platforms, like Wickr.

How exactly is this possible? Push notifications, which are provided by a mobile operating system provider, include embedded metadata that can be examined to understand the use of the mobile apps on a particular phone. Apps come laced with a quiet identifier, a “push token,” which is stored on the corporate servers of a company like Apple or another phone manufacturer after a user signs up to use a particular app. Those tokens can later be used to identify the person using the app, based on the information associated with the device on which the app was downloaded. Even turning off push notifications on your device doesn’t necessarily disable this feature, experts contend. […]

If finding new ways to catch pedophiles and terrorists doesn’t seem like the worst thing in the world, the Post article highlights the voices of critics who fear that this kind of mobile data could be used to track people who have not committed serious crimes — like political activists or women seeking abortions in states where the procedure has been restricted.

Read more of this story at Slashdot.

The Intercept, Raw Story, and AlterNet Sue OpenAI and Microsoft

The Intercept, Raw Story, and AlterNet have filed separate lawsuits against OpenAI and Microsoft, alleging copyright infringement and the removal of copyright information while training AI models. The Verge reports: The publications said ChatGPT “at least some of the time” reproduces “verbatim or nearly verbatim copyright-protected works of journalism without providing author, title, copyright or terms of use information contained in those works.” According to the plaintiffs, if ChatGPT trained on material that included copyright information, the chatbot “would have learned to communicate that information when providing responses.”

Raw Story and AlterNet’s lawsuit goes further (PDF), saying OpenAI and Microsoft “had reason to know that ChatGPT would be less popular and generate less revenue if users believed that ChatGPT responses violated third-party copyrights.” Both Microsoft and OpenAI offer legal cover to paying customers in case they get sued for violating copyright for using Copilot or ChatGPT Enterprise. The lawsuits say that OpenAI and Microsoft are aware of potential copyright infringement. As evidence, the publications point to how OpenAI offers an opt-out system so website owners can block content from its web crawlers. The New York Times also filed a lawsuit in December against OpenAI, claiming ChatGPT faithfully reproduces journalistic work. OpenAI claims the publication exploited a bug on the chatbot to regurgitate its articles.

Read more of this story at Slashdot.

European Parliament Bans Amazon From Its Premises

Longtime Slashdot reader Kant shares a report from Euractiv: The European Parliament decided to ban Amazon representatives from accessing its buildings on Tuesday (February 27), due to multiple events where the global retailing giant did not attend meetings requested by members of the European Parliament, the European Parliament press service confirmed Euractiv. “In line with rule 123/3 and at the request of the [Employment and Social Affairs] Committee, the Quaestors have authorized the Secretary General [Alessandro Chiocchetti] to withdraw the long-term access badges of the interest representatives of Amazon.” It is now the responsibility of the secretary general to concretely initiate the process of withdrawing their badges and to determine the duration of the ban, a European Parliament source close to the matter told Euractiv.

According to the EMPL chair Dragos Pislaru, who signed the letter, the US e-commerce company refuses to attend more than one meeting with EU lawmakers to discuss the condition of Amazon workers. Four cases are mentioned in the letter. The first occurred in May 2021, when Amazon did not attend a parliamentary committee meeting on “Amazon attacks on fundamental workers’ rights and freedoms: freedom of assembly and association, and the right to collective bargain and action.” The second event concerns the refusal by Amazon CEO Jeff Bezos to attend an exchange of views with EU lawmakers — instead, the company sent a written answer. The last two episodes happened in December 2023 and January 2024. In the former event, Amazon refused access to its facilities in German and Poland to a MEP, while on the latter, the company did not attend another parliamentary committee meeting dedicated to Amazon workers’ conditions. In a statement to Euractiv, an Amazon spokesperson said: “We are very disappointed with this decision, as we want to engage constructively with policymakers. […] Our commitment continues despite this decision. Amazon regularly participates in activities organized by the European Parliament and other EU institutions — including Parliamentary hearings — and we remain committed to participating in balanced, constructive dialogue on issues that affect European citizens.”

Read more of this story at Slashdot.

US Judge Halts Government Effort To Monitor Crypto Mining Energy Use

A federal judge in Texas has granted a temporary order blocking the U.S. government from monitoring the energy usage of cryptocurrency mining operations, stating that the industry had shown it would suffer “irreparable injury” if it was made to comply. The Guardian reports: The US Department of Energy had launched an “eemergency” initiative last month aimed at surveying the energy use of mining operations, which typically use vast amounts of computing power to solve various mathematical puzzles to add new tokens to an online network known as a blockchain, allowing the mining of currency such as bitcoin. The growth of cryptocurrency, and the associated mining of it, has been blamed for a surge in electricity use as data centers have sprung up across the US, even reviving, in some cases, ailing coal plants to help power the mining. […]

“The massive energy consumption of cryptocurrency mining and its rapid growth in the United States threaten to undermine progress towards achieving climate goals, and threaten grids, communities and ratepayers,” said Mandy DeRoche, deputy managing attorney of the clean energy program at Earthjustice. Until now, a lack of publicly available information has only benefited an “industry that has thrived in the shadows,” DeRoche added.

The crypto mining industry, however, has claimed it is the victim of a “politically motivated campaign” by Joe Biden’s administration and has, for now, succeeded in averting a survey that it contends is unfairly onerous. “This is an attack against legitimate American businesses with the administration feigning an emergency to score political points,” said Lee Bratcher, president the Texas Blockchain Council, one of the groups that sued to stop the survey. “The White House has been clear that they desire to ‘to limit or eliminate’ bitcoin miners from operating in the United States. “Although bitcoin is resilient and cannot be banned, the administration is seeking to make the lives of bitcoin miners, their employees, and their communities too difficult to bear operating in the United States. This is deeply concerning.”

Read more of this story at Slashdot.

Uber-Like Surge Pricing Is Coming For Fast Food

Fast food chain Wendy’s announced it’s adopting a similar approach to Uber’s Surge Pricing policy by dynamically adjusting the prices of its menu items during peak demand periods at certain locations. The controversial strategy seeks to leverage real-time data to align pricing and demand, enhancing efficiency and potentially improving customer satisfaction. From a report: During a conference call earlier this month, Wendy’s CEO Kirk Tanner said the fast-food chain would experiment with dynamic pricing as early as next year. “Beginning as early as 2025, we will begin testing more enhanced features like dynamic pricing and daypart offerings, along with AI-enabled menu changes and suggestive selling,” he said. “As we continue to show the benefit of this technology in our company-operated restaurants, franchisee interest in digital menu boards should increase, further supporting sales and profit growth across the system.”

Prices seesaw all the time on the sites of online retailers like Amazon that use algorithms and artificial intelligence to monitor competitors and glean insights into individual shoppers, adjusting prices depending on interest in the product or in the brand, said Timothy Webb, an assistant professor at the University of Delaware’s hospitality and sport business management program. Coupons and other offers are also routinely dangled in mobile apps to encourage people to make purchases. “A lot of this stuff is already happening even if you don’t realize that it is happening. If you have the Starbucks app and I have the Starbucks app, we probably have different offers,” Webb said. “We might not be in the drive-through and they just increased the prices, but we are already paying different prices for the same products.”

But, he says, Wendy’s fans will likely see moderate, not massive, price swings during periods of peak demand. “It’s not like $200 or $300 on a flight. This is a hypercompetitive industry. If Wendy’s goes up $2 to $3 on a burger at dinner time, I would be shocked. People have too many options. They will just walk down the street and eat at Burger King instead,” Webb said. “There will just be little price changes here.”

Read more of this story at Slashdot.

Half of College Graduates Are Working High School Level Jobs

According to a new study, almost half of America’s new college graduates are winding up in jobs they didn’t need to go to college to get. CBS News reports: If a graduate’s first job is in a low-paying field or out-of-line with a worker’s interests, it could pigeonhole them into an undesirable role or industry that’s hard to escape, according to a new study (PDF) from The Burning Glass Institute and the Strada Institute for the Future of Work. Another study from the HEA Group found that a decade after enrolling in college, attendees of 1 in 4 higher education programs are earning less than $32,000 — the median annual income for high school graduates. A college degree, in itself, is not a ticket to a higher-paying job, the study shows.

“Getting a college degree is viewed as the ticket to the American dream,” said [Burning Glass CEO Matt Sigelman], “and it turns out that it’s a bust for half of students.” The single greatest determinant of post-graduation employment prospects, according to the study, is a college student’s major, or primary focus of study. It can be even more important than the type of institution one attends. Choosing a career-oriented major like nursing, as opposed to criminal justice, gives graduates a better shot at actually using, and getting compensated for the skills they acquire. Just 23% of nursing students are underemployed, versus 68% of criminal justice majors. However, focusing on science, technology, engineering and mathematics (STEM) subjects is not a guarantee of college-level employment and high wages, the study found. […]

Many college graduates remain underemployed even 10 years after college, the study found. That may be because employers seeking college-level skills also tend to focus on job candidates’ recent work experience, placing more emphasis on the latest jobs held by candidates who have spent years in the workforce, versus a degree that was earned a decade prior. “If you come out of school and work for a couple of years as waiter in a restaurant and apply for a college-level job, the employer will look at that work experience and not see relevance,” Sigelman said.

Read more of this story at Slashdot.