City of Columbus Sues Man After He Discloses Severity of Ransomware Attack

An anonymous reader quotes a report from Ars Technica, written by Dan Goodin: A judge in Ohio has issued a temporary restraining order against a security researcher who presented evidence that a recent ransomware attack on the city of Columbus scooped up reams of sensitive personal information, contradicting claims made by city officials. The order, issued by a judge in Ohio’s Franklin County, came after the city of Columbus fell victim to a ransomware attack on July 18 that siphoned 6.5 terabytes of the city’s data. A ransomware group known as Rhysida took credit for the attack and offered to auction off the data with a starting bid of about $1.7 million in bitcoin. On August 8, after the auction failed to find a bidder, Rhysida released what it said was about 45 percent of the stolen data on the group’s dark web site, which is accessible to anyone with a Tor browser.

Columbus Mayor Andrew Ginther said on August 13 that a “breakthrough” in the city’s forensic investigation of the breach found that the sensitive files Rhysida obtained were either encrypted or corrupted, making them “unusable” to the thieves. Ginther went on to say the data’s lack of integrity was likely the reason the ransomware group had been unable to auction off the data. Shortly after Ginther made his remarks, security researcher David Leroy Ross contacted local news outlets and presented evidence that showed the data Rhysida published was fully intact and contained highly sensitive information regarding city employees and residents. Ross, who uses the alias Connor Goodwolf, presented screenshots and other data that showed the files Rhysida had posted included names from domestic violence cases and Social Security numbers for police officers and crime victims. Some of the data spanned years.

On Thursday, the city of Columbus sued Ross (PDF) for alleged damages for criminal acts, invasion of privacy, negligence, and civil conversion. The lawsuit claimed that downloading documents from a dark web site run by ransomware attackers amounted to him “interacting” with them and required special expertise and tools. The suit went on to challenge Ross alerting reporters to the information, which it claimed would not be easily obtained by others. “Only individuals willing to navigate and interact with the criminal element on the dark web, who also have the computer expertise and tools necessary to download data from the dark web, would be able to do so,” city attorneys wrote. “The dark web-posted data is not readily available for public consumption. Defendant is making it so.” The same day, a Franklin County judge granted the city’s motion for a temporary restraining order (PDF) against Ross. It bars the researcher “from accessing, and/or downloading, and/or disseminating” any city files that were posted to the dark web. The motion was made and granted “ex parte,” meaning in secret before Ross was informed of it or had an opportunity to present his case.

Read more of this story at Slashdot.

Artists Claim ‘Big’ Win In Copyright Suit Fighting AI Image Generators

Ars Technica’s Ashley Belanger reports: Artists defending a class-action lawsuit are claiming a major win this week in their fight to stop the most sophisticated AI image generators from copying billions of artworks to train AI models and replicate their styles without compensating artists. In an order on Monday, US district judge William Orrick denied key parts of motions to dismiss from Stability AI, Midjourney, Runway AI, and DeviantArt. The court will now allow artists to proceed with discovery on claims that AI image generators relying on Stable Diffusion violate both the Copyright Act and the Lanham Act, which protects artists from commercial misuse of their names and unique styles.

“We won BIG,” an artist plaintiff, Karla Ortiz, wrote on X (formerly Twitter), celebrating the order. “Not only do we proceed on our copyright claims,” but “this order also means companies who utilize” Stable Diffusion models and LAION-like datasets that scrape artists’ works for AI training without permission “could now be liable for copyright infringement violations, amongst other violations.” Lawyers for the artists, Joseph Saveri and Matthew Butterick, told Ars that artists suing “consider the Court’s order a significant step forward for the case,” as “the Court allowed Plaintiffs’ core copyright-infringement claims against all four defendants to proceed.”

Courts Close the Loophole Letting the Feds Search Your Phone At the Border

On Wednesday, Judge Nina Morrison ruled that cellphone searches at the border are “nonroutine” and require probable cause and a warrant, likening them to more invasive searches due to their heavy privacy impact. As reported by Reason, this decision closes the loophole in the Fourth Amendment’s protection against unreasonable searches and seizures, which Customs and Border Protection (CBP) agents have exploited. Courts have previously ruled that the government has the right to conduct routine warrantless searches for contraband at the border. From the report: Although the interests of stopping contraband are “undoubtedly served when the government searches the luggage or pockets of a person crossing the border carrying objects that can only be introduced to this country by being physically moved across its borders, the extent to which those interests are served when the government searches data stored on a person’s cell phone is far less clear,” the judge declared. Morrison noted that “reviewing the information in a person’s cell phone is the best approximation government officials have for mindreading,” so searching through cellphone data has an even heavier privacy impact than rummaging through physical possessions. Therefore, the court ruled, a cellphone search at the border requires both probable cause and a warrant. Morrison did not distinguish between scanning a phone’s contents with special software and manually flipping through it.

And in a victory for journalists, the judge specifically acknowledged the First Amendment implications of cellphone searches too. She cited reporting by The Intercept and VICE about CBP searching journalists’ cellphones “based on these journalists’ ongoing coverage of politically sensitive issues” and warned that those phone searches could put confidential sources at risk. Wednesday’s ruling adds to a stream of cases restricting the feds’ ability to search travelers’ electronics. The 4th and 9th Circuits, which cover the mid-Atlantic and Western states, have ruled that border police need at least “reasonable suspicion” of a crime to search cellphones. Last year, a judge in the Southern District of New York also ruled (PDF) that the government “may not copy and search an American citizen’s cell phone at the border without a warrant absent exigent circumstances.”

California Supreme Court Upholds Gig Worker Law In a Win For Ride-Hail Companies

In a major victory for ride-hail companies, the California Supreme Court upheld a law classifying gig workers as independent contractors, maintaining their ineligibility for benefits such as sick leave and workers’ compensation. This decision concludes a prolonged legal battle and supports the 2020 ballot measure Proposition 22, despite opposition from labor groups who argued it was unconstitutional. Politico reports: Thursday’s ruling capped a yearslong battle between labor and the companies over the status of workers who are dispatched by apps to deliver food, buy groceries and transport customers. A 2018 Supreme Court ruling and a follow-up bill would have compelled the gig companies to treat those workers as employees. A collection of five firms then spent more than $200 million to escape that mandate by passing the 2020 ballot measure Proposition 22 in one of the most expensive political campaigns in American history. The unanimous ruling on Thursday now upholds the status quo of the gig economy in California.

As independent contractors, gig workers are not entitled to benefits like sick leave, overtime and workers’ compensation. The SEIU union and four gig workers, ultimately, challenged Prop 22 based on its conflict with the Legislature’s power to administer workers’ compensation, specifically. The law, which passed with 58 percent of the vote in 2020, makes gig workers ineligible for workers’ comp, which opponents of Prop 22 argued rendered the entire law unconstitutional. […] Beyond the implications for gig workers, the heavily-funded Prop 22 ballot campaign pushed the limits of what could be spent on an initiative, ultimately becoming the most expensive measure in California history. Uber and Lyft have both threatened to leave any states that pass laws not classifying their drivers as independent contractors. The decision Thursday closes the door to that possibility for California.

In SolarWinds Case, US Judge Rejects SEC Oversight of Cybersecurity Controls

SolarWinds still faces some legal action over its infamous 2020 breach, reports NextGov.com. But a U.S. federal judge has dismissed most of the claims from America’s Securities and Exchange Commission, which “alleged the company defrauded investors because it deliberately hid knowledge of cyber vulnerabilities in its systems ahead of a major security breach discovered in 2020.”

Slashdot reader krakman shares this report from the Washington Post:
“The SEC’s rationale, under which the statute must be construed to broadly cover all systems public companies use to safeguard their valuable assets, would have sweeping ramifications,” [judge] Engelmayer wrote in a 107-page decision. “It could empower the agency to regulate background checks used in hiring nighttime security guards, the selection of padlocks for storage sheds, safety measures at water parks on whose reliability the asset of customer goodwill depended, and the lengths and configurations of passwords required to access company computers,” he wrote. The federal judge also dismissed SEC claims that SolarWinds’ disclosures after it learned its customers had been affected improperly covered up the gravity of the breach…

In an era when deeply damaging hacking campaigns have become commonplace, the suit alarmed business leaders, some security executives and even former government officials, as expressed in friend-of-the-court briefs asking that it be thrown out. They argued that adding liability for misstatements would discourage hacking victims from sharing what they know with customers, investors and safety authorities. Austin-based SolarWinds said it was pleased that the judge “largely granted our motion to dismiss the SEC’s claims,” adding in a statement that it was “grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns.”

Engelmayer did not dismiss the case entirely, allowing the SEC to try to show that SolarWinds and top security executive Timothy Brown committed securities fraud by not warning in a public “security statement” before the hack that it knew it was highly vulnerable to attacks.

The article notes that as far back as 2018, “an engineer warned in an internal presentation that a hacker could use the company’s virtual private network from an unauthorized device and upload malicious code. Brown did not pass that information along to top executives, the judge wrote, and hackers later used that exact technique.”

The SEC “plausibly alleges that SolarWinds and Brown made sustained public misrepresentations, indeed many amounting to flat falsehoods, in the Security Statement about the adequacy of its access controls,” Engelmayer wrote. “Given the centrality of cybersecurity to SolarWinds’ business model as a company pitching sophisticated software products to customers for whom computer security was paramount, these misrepresentations were undeniably material.”

Lawsuit Claims Microsoft Tracked Sex Toy Shoppers With ‘Recording In Real Time’ Software

Samantha Cole reports via 404 Media: A woman is suing Microsoft and two major U.S. sex toy retailers with claims that their websites are tracking users without their consent, despite promising they wouldn’t do that. In a complaint (PDF) filed on June 25 in the Northern District of California, San Francisco resident Stella Tatola claims that Babeland and Good Vibrations — both owned by Barnaby Ltd., LLC — allowed Microsoft to see what visitors to their websites searched for and bought.

“Unbeknownst to Plaintiff and other Barnaby website users, and constituting the ultimate violation of privacy, Barnaby allows an undisclosed third-party, Microsoft, to intercept, read, and utilize for commercial gain consumers’ private information about their sexual practices and preferences, gleaned from their activity on Barnaby’s websites,” the complaint states. “This information includes but is not limited to product searches and purchase initiations, as well as the consumer’s unique Microsoft identifier.” The complaint claims that Good Vibrations and Babeland sites have installed trackers using Microsoft’s Clarity software, which does “recording in real time,” and tracks users’ mouse movements, clicks or taps, scrolls, and site navigation. Microsoft says on the Clarity site that it “processes a massive amount of anonymous data around user behavior to gain insights and improve machine learning models that power many of our products and services.”

“By allowing undisclosed third party Microsoft to eavesdrop and intercept users’ PPSI in such a manner — including their sexual orientation, preferences, and desires, among other highly sensitive, protected information — Barnaby violates its Privacy Policies, which state it will never share such information with third parties,” the complaint states. The complaint includes screenshots of code from the sexual health sites that purport to show them using Machine Unique Identifier (“MUID”) cookies that “identifies unique web browsers visiting Microsoft sites,” according to Microsoft, and are used for “advertising, site analytics, and other operational purposes.” The complaint claims that this violates the California Invasion of Privacy Act, the Federal Wiretap Act, and Californians’ reasonable expectation of privacy.
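For readers who want to check their own properties for the kind of third-party session recording the complaint describes, the following is an added example; it is not code from the complaint, from 404 Media or from Microsoft. It takes a captured page source and the raw Cookie header sent on the same request, and reports the two signals a Clarity deployment leaves behind: a script loaded from a clarity.ms host (directly, or injected by an inline bootstrap) and an MUID cookie. The helper names (auditClarity, findScripts, hostOf), the CLARITY_HOST and MUID_COOKIE patterns, and the sample page and cookie jar are assumptions made for this example; the inline snippet in the sample is modeled on the shape of Clarity's published install snippet, with an invented project id and invented store hostnames.

```javascript
// Added example (not from the complaint, 404 Media or Microsoft): audit a captured
// page and its cookie header for Microsoft Clarity session-recording signatures.
// Assumptions: the Clarity loader is served from a clarity.ms host, and the
// Bing/Clarity identifier cookie is named MUID with a 32-hex-digit value.

const CLARITY_HOST = /(^|\.)clarity\.ms$/i;           // assumed loader host
const MUID_COOKIE = /(?:^|;\s*)MUID=([0-9A-F]{32})/i; // assumed cookie shape

// Split <script> tags into external src URLs and inline bodies.
function findScripts(html) {
  const external = [];
  const inline = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) external.push(src[1]); else inline.push(m[2]);
  }
  return { external, inline };
}

// Hostname of a (possibly relative) URL; relative URLs resolve to a dummy base.
function hostOf(url) {
  try { return new URL(url, 'https://example.invalid/').hostname; } catch { return ''; }
}

// `html` is the page source; `cookieHeader` is the raw Cookie request header.
// Returns which Clarity signals were found so the caller can act on them.
function auditClarity(html, cookieHeader) {
  const { external, inline } = findScripts(html);
  const loaders = external.filter((u) => CLARITY_HOST.test(hostOf(u)));
  // The install snippet injects the tag at runtime from a clarity.ms/tag/ URL,
  // so the loader may only appear as a string inside inline bootstrap code.
  const inlineBootstrap = inline.some(
    (body) => /clarity\.ms\/tag\//i.test(body) || /\bwindow\.clarity\b/.test(body),
  );
  const muid = MUID_COOKIE.exec(cookieHeader || '');
  return {
    sessionRecording: loaders.length > 0 || inlineBootstrap,
    loaders,
    muid: muid ? muid[1].toUpperCase() : null,
  };
}

// Constructed sample: a store page carrying a Clarity-style bootstrap snippet,
// plus a request that already carries an MUID cookie. Both are invented here.
const SAMPLE_HTML = `
<html><head>
<script type="text/javascript">
  (function(c,l,a,r,i,t,y){
    c[a]=c[a]||function(){(c[a].q=c[a].q||[]).push(arguments)};
    t=l.createElement(r);t.async=1;t.src="https://www.clarity.ms/tag/"+i;
    y=l.getElementsByTagName(r)[0];y.parentNode.insertBefore(t,y);
  })(window, document, "clarity", "script", "abcdefghij");
</script>
<script src="https://cdn.example-store.invalid/app.js"></script>
</head><body>...</body></html>`;

const SAMPLE_COOKIES = 'cart=3; MUID=0123456789abcdef0123456789abcdef; lang=en';

const REPORT = auditClarity(SAMPLE_HTML, SAMPLE_COOKIES);
console.log(JSON.stringify(REPORT, null, 2));
```

Run it over a saved page and the request headers from your browser's network panel; a `sessionRecording: true` result on a page whose privacy policy promises no third-party sharing is exactly the discrepancy the complaint is built on. The regexes are deliberately simple and will miss a loader served from a different host or bundled into first-party code, so treat a negative result as "nothing obvious" rather than "clean".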

Brazil Hires OpenAI To Cut Costs of Court Battles

Brazil’s government is partnering with OpenAI to use AI for expediting the screening and analysis of thousands of lawsuits to reduce costly court losses impacting the federal budget. Reuters reports: The AI service will flag to government the need to act on lawsuits before final decisions, mapping trends and potential action areas for the solicitor general’s office (AGU). AGU told Reuters that Microsoft would provide the artificial intelligence services from ChatGPT creator OpenAI through its Azure cloud-computing platform. It did not say how much Brazil will pay for the services. AGU said the AI project would not replace the work of its members and employees. “It will help them gain efficiency and accuracy, with all activities fully supervised by humans,” it said.

Court-ordered debt payments have consumed a growing share of Brazil’s federal budget. The government estimated it would spend 70.7 billion reais ($13.2 billion) next year on judicial decisions where it can no longer appeal. The figure does not include small-value claims, which historically amount to around 30 billion reais annually. The combined amount of over 100 billion reais represents a sharp increase from 37.3 billion reais in 2015. It is equivalent to about 1% of gross domestic product, or 15% more than the government expects to spend on unemployment insurance and wage bonuses to low-income workers next year. AGU did not provide a reason for Brazil’s rising court costs.

Political Consultant Behind Fake Biden Robocalls Faces $6 Million Fine, Criminal Charges

Political consultant Steven Kramer faces a $6 million fine and over two dozen criminal charges for using AI-generated robocalls mimicking President Joe Biden’s voice to mislead New Hampshire voters ahead of the presidential primary. The Associated Press reports: The Federal Communications Commission said the fine it proposed Thursday for Steven Kramer is its first involving generative AI technology. The company accused of transmitting the calls, Lingo Telecom, faces a $2 million fine, though in both cases the parties could settle or further negotiate, the FCC said. Kramer has admitted orchestrating a message that was sent to thousands of voters two days before the first-in-the-nation primary on Jan. 23. The message played an AI-generated voice similar to the Democratic president’s that used his phrase “What a bunch of malarkey” and falsely suggested that voting in the primary would preclude voters from casting ballots in November.

Kramer is facing 13 felony charges alleging he violated a New Hampshire law against attempting to deter someone from voting using misleading information. He also faces 13 misdemeanor charges accusing him of falsely representing himself as a candidate by his own conduct or that of another person. The charges were filed in four counties and will be prosecuted by the state attorney general’s office. Attorney General John Formella said New Hampshire was committed to ensuring that its elections “remain free from unlawful interference.”

Kramer, who owns a firm that specializes in get-out-the-vote projects, did not respond to an email seeking comment Thursday. He told The Associated Press in February that he wasn’t trying to influence the outcome of the election but rather wanted to send a wake-up call about the potential dangers of artificial intelligence when he paid a New Orleans magician $150 to create the recording. “Maybe I’m a villain today, but I think in the end we get a better country and better democracy because of what I’ve done, deliberately,” Kramer said in February.

Big Three Carriers Pay $10 Million To Settle Claims of False ‘Unlimited’ Advertising

Jon Brodkin reports via Ars Technica: T-Mobile, Verizon, and AT&T will pay a combined $10.2 million in a settlement with US states that alleged the carriers falsely advertised wireless plans as “unlimited” and phones as “free.” The deal was announced yesterday by New York Attorney General Letitia James. “A multistate investigation found that the companies made false claims in advertisements in New York and across the nation, including misrepresentations about ‘unlimited’ data plans that were in fact limited and had reduced quality and speed after a certain limit was reached by the user,” the announcement said.

T-Mobile and Verizon agreed to pay $4.1 million each while AT&T agreed to pay a little over $2 million. The settlement includes AT&T subsidiary Cricket Wireless and Verizon subsidiary TracFone. The settlement involves 49 of the 50 US states (Florida did not participate) and the District of Columbia. The states’ investigation found that the three major carriers “made several misleading claims in their advertising, including misrepresenting ‘unlimited’ data plans that were actually limited, offering ‘free’ phones that came at a cost, and making false promises about switching to different wireless carrier plans.”

“AT&T, Verizon, and T-Mobile lied to millions of consumers, making false promises of free phones and ‘unlimited’ data plans that were simply untrue,” James said. “Big companies are not excused from following the law and cannot trick consumers into paying for services they will never receive.” The carriers denied any illegal conduct despite agreeing to the settlement. In addition to payments to each state, the carriers agreed to changes in their advertising practices. It’s unclear whether consumers will get any refunds out of the settlement, however. These are the following changes the three carriers agreed upon, as highlighted by the NY attorney general’s office:
– “Unlimited” mobile data plans can only be marketed if there are no limits on the quantity of data allowed during a billing cycle.
– Offers to pay for consumers to switch to a different wireless carrier must clearly disclose how much a consumer will be paid, how consumers will be paid, when consumers can expect payment, and any additional requirements consumers have to meet to get paid.
– Offers of “free” wireless devices or services must clearly state everything a consumer must do to receive the “free” devices or services.
– Offers to lease wireless devices must clearly state that the consumer will be entering into a lease agreement.
– All “savings” claims must have a reasonable basis. If a wireless carrier claims that consumers will save using its services compared to another wireless carrier, the claim must be based on similar goods or services or differences must be clearly explained to the consumer.

The advertising restrictions are to be in place for five years.
