Kendra Albert gave an excellent talk at USENIX Security this year, pointing out
that the legal agreements surrounding vulnerability disclosure muzzle
researchers while allowing companies to not fix the vulnerabilities—exactly the
opposite of what the responsible disclosure movement of the early 2000s was
supposed to prevent. This is the talk.
> Thirty years ago, a debate raged over whether vulnerability disclosure was
> good for computer security. On one side, full disclosure advocates argued that
> software bugs weren’t getting fixed and wouldn’t get fixed if companies that
> made insecure software weren’t called out publicly. On the other side,
> companies argued that full disclosure led to exploitation of unpatched
> vulnerabilities, especially if they were hard to fix. After blog posts, public
> debates, and countless mailing list flame wars, there emerged a compromise
> solution: coordinated vulnerability disclosure, where vulnerabilities were
> disclosed after a period of confidentiality where vendors can attempt to fix
> things. Although full disclosure fell out of fashion, disclosure won and
> security through obscurity lost. We’ve lived happily ever after since...
The company Flock is surveilling us as we drive:
> A retired veteran named Lee Schmidt wanted to know how often Norfolk,
> Virginia’s 176 Flock Safety automated license-plate-reader cameras were
> tracking him. The answer, according to a U.S. District Court lawsuit filed in
> September, was more than four times a day, or 526 times from mid-February to
> early July. No, there’s no warrant out for Schmidt’s arrest, nor is there a
> warrant for Schmidt’s co-plaintiff, Crystal Arrington, whom the system tagged
> 849 times in roughly the same period.
>
> You might think this sounds like it violates the Fourth Amendment, which
> protects American citizens from unreasonable searches and seizures without
> probable cause. Well, so does the American Civil Liberties Union. Norfolk,
> Virginia Judge Jamilah LeCruise also agrees, and in 2024 she ruled that
> plate-reader data obtained without a search warrant couldn’t be used against a
> defendant in a robbery case...
The variations seem to be endless. Here’s a fake ghostwriting scam that seems to
be making boatloads of money.
> This is a big story about scams being run from Texas and Pakistan estimated to
> run into tens if not hundreds of millions of dollars, viciously defrauding
> Americans with false hopes of publishing bestseller books (a scam you’d not
> think many people would fall for but is surprisingly huge). In January, three
> people were charged with defrauding elderly authors across the United States
> of almost $44 million by “convincing the victims that publishers and
> filmmakers wanted to turn their books into blockbusters.”...
A DoorDash driver stole over $2.5 million over several months:
> The driver, Sayee Chaitainya Reddy Devagiri, placed expensive orders from a
> fraudulent customer account in the DoorDash app. Then, using DoorDash employee
> credentials, he manually assigned the orders to driver accounts he and the
> others involved had created. Devagiri would then mark the undelivered orders
> as complete and prompt DoorDash’s system to pay the driver accounts. Then he’d
> switch those same orders back to “in process” and do it all over again. Doing
> this “took less than five minutes, and was repeated hundreds of times for many
> of the orders,” writes the US Attorney’s Office...
The case is over:
> A jury has awarded WhatsApp $167 million in punitive damages in a case the
> company brought against Israel-based NSO Group for exploiting a software
> vulnerability that hijacked the phones of thousands of users.
I’m sure it’ll be appealed. Everything always is.
Meta is suing NSO Group, basically claiming that the latter hacks WhatsApp and
not just WhatsApp users. We have a procedural ruling:
> Under the order, NSO Group is prohibited from presenting evidence about its
> customers’ identities, implying the targeted WhatsApp users are suspected or
> actual criminals, or alleging that WhatsApp had insufficient security
> protections.
>
> […]
>
> In making her ruling, Northern District of California Judge Phyllis Hamilton
> said NSO Group undercut its arguments to use evidence about its customers with
> contradictory statements...
The company doesn’t keep logs, so it couldn’t turn over data:
> Windscribe, a globally used privacy-first VPN service, announced today that
> its founder, Yegor Sak, has been fully acquitted by a court in Athens, Greece,
> following a two-year legal battle in which Sak was personally charged in
> connection with an alleged internet offence by an unknown user of the service.
>
> The case centred around a Windscribe-owned server in Finland that was
> allegedly used to breach a system in Greece. Greek authorities, in cooperation
> with INTERPOL, traced the IP address to Windscribe’s infrastructure and,
> unlike standard international procedures, proceeded to initiate criminal
> proceedings against Sak himself, rather than pursuing information through
> standard corporate channels...
The Justice Department has published the criminal complaint against Dmitry
Khoroshev, for building and maintaining the LockBit ransomware.
An advocacy group is filing a Fourth Amendment challenge against automatic
license plate readers.
> “The City of Norfolk, Virginia, has installed a network of cameras that make
> it functionally impossible for people to drive anywhere without having their
> movements tracked, photographed, and stored in an AI-assisted database that
> enables the warrantless surveillance of their every move. This civil rights
> lawsuit seeks to end this dragnet surveillance program,” the lawsuit notes.
> “In Norfolk, no one can escape the government’s 172 unblinking eyes,” it
> continues, referring to the 172 Flock cameras currently operational in
> Norfolk. The Fourth Amendment protects against unreasonable searches and
> seizures and has been ruled in many cases to protect against warrantless
> government surveillance, and the lawsuit specifically says Norfolk’s
> installation violates that.”...