An anonymous reader quotes a report from The Register: London cops on Tuesday arrested two teenagers on suspicion of computer misuse and blackmail following a ransomware attack on a chain of London preschools. London's Metropolitan Police said the two men, both aged 17, were taken into custody during an operation at residential properties in Bishop's Stortford, Hertfordshire. The arrests followed a September 25 referral from the UK's Action Fraud reporting center detailing a ransomware attack on the preschools. While the Met police didn't name the schools, the timing of the referral coincides with a digital break-in at Kido International, a preschool and daycare organization that operates in the UK, US, and India.

In a very aggressive -- and disgusting -- attempt to extort a ransom payment from Kido, the criminals published profiles of 10 children, including photos, names, and home addresses, along with their parents' contact details and in some cases places of work, threatening to expose more if the ransom demand wasn't met. A new crime crew calling itself the Radiant Group claimed responsibility for the attack, and posted the preschool's name, along with its pupils' profiles, as the first leak on its dark web site. The ransomware gang later deleted the kids' and parents' data, apparently under pressure from other criminals -- but not before some of the parents reported receiving threatening calls.

Salesforce says it's refusing to pay an extortion demand made by a crime syndicate that claims to have stolen roughly 1 billion records from dozens of Salesforce customers. From a report: The threat group making the demands began their campaign in May, when they made voice calls to organizations storing data on the Salesforce platform, Google-owned Mandiant said in June. The English-speaking callers would provide a pretense that necessitated the target connect an attacker-controlled app to their Salesforce portal. Amazingly -- but not surprisingly -- many of the people who received the calls complied.

[...] Earlier this month, the group created a website that named Toyota, FedEx, and 37 other Salesforce customers whose data was stolen in the campaign. In all, the number of records recovered, Scattered LAPSUS$ Hunters claimed, was "989.45m/~1B+." The site called on Salesforce to begin negotiations for a ransom amount "or all your customers [sic] data will be leaked." The site went on to say: "Nobody else will have to pay us, if you pay, Salesforce, Inc." The site said the deadline for payment was Friday.

An anonymous reader shares a report: Universities in the UK reassured arms companies they would monitor students' chat groups and social media accounts after firms raised concerns about campus protests, according to internal emails. One university said it would conduct "active monitoring of social media" for any evidence of plans to demonstrate against Rolls-Royce at a careers fair.

A second appeared to agree to a request from Raytheon UK, the British wing of a major US defence contractor, to "monitor university chat groups" before a campus visit. Another university responded to a defence company's "security questionnaire" seeking information about social media posts suggestive of imminent protests over the firm's alleged role in fuelling war, including in Gaza. The universities' apparent compliance with the sensitivities of arms companies before careers fairs has emerged in emails obtained by the Guardian and Liberty Investigates after freedom of information (FoI) requests.

California biotech entrepreneur and former magician Serhat Gumrukcu has been found guilty of orchestrating the 2018 murder of his business rival Gregory Davis, who had threatened to expose Gumrukcu's fraudulent dealings. He faces sentencing in November. SFGATE reports: Seven years ago, Turkish national Serhat Gumrukcu, 42, of Los Angeles, was negotiating a multimillion-dollar biotech merger built off his work on a supposed HIV cure. The deal was put in jeopardy by a former business partner named Gregory Davis, 49, who had threatened to bring legal action against Gumrukcu for fraudulent activities relating to a previous failed oil commodities deal, the U.S. Attorney's Office said in a news release last week. Gumrukcu, a magician-turned-scientist who admitted to buying his medical degree from a Russian university, lived in a Hollywood mansion and partied with Oscar winners and movie producers, according to VTDigger. He stood to make millions from the merger of his biotech company Enochian BioSciences. [...]

In 2017, upon learning that Davis, a father of six from Danville, Vermont, could potentially spoil his fortune-making deal, Gumrukcu set in motion a hit on the former business partner. The murder-for-hire plot involved four men in total, prosecutors said. Gumrukcu had a close friend from Las Vegas, Berk Eratay, approach a third man, Aron Ethridge to find a hit man to kill Davis. The shooter, 37-year-old Montana man Jerry Banks, arrived at Davis' home on Jan. 6, 2018, in a vehicle fitted with flashing red and blue lights and posed as a deputy U.S. marshal. After abducting Davis, Banks shot him dead in the vehicle and left the body partially buried in a snowbank nearby.

Investigators soon narrowed in on Gumrukcu after discovering emails between him and Davis revealing tensions over the failed oil deal. Gumrukcu was interviewed twice by the FBI and made false statements on both occasions, federal prosecutors said. Further inspection of cellphone data, bank information and messages identified the four men involved in the kidnapping and killing of Davis.

Police arrested 33-year-old Joseph Mayuyo after a series of online threats forced TikTok to evacuate its Culver City headquarters. TechCrunch reports: A press release from the Culver City Police Department says that TikTok employees reported receiving multiple threats, across various social media platforms, from 33-year-old Hawthorne resident Joseph Mayuyo. After an additional message threatened TikTok's Culver City headquarters, police say company security evacuated the office "out of an abundance of caution."

Police then investigated Mayuyo's home, according to the press release. During the investigation, he allegedly posted additional threatening statements, including one declaring that he would not be taken alive. Detectives obtained search and arrest warrants, and they negotiated with Mayuyo for 90 minutes before he voluntarily exited his home and was taken into custody, the police department says.

Business Insider reports that one TikTok employee described the threats as "really scary," while another was concerned that they seemed to specifically target the e-commerce department. Mayuyo's X account has reportedly been suspended for violating the platform's hateful content policy. A Medium account under his name published a post in July criticizing TikTokShop USA as a "scam."

"More than 800,000 drivers for ride-hailing companies in California will soon be able to join a union," reports the Associated Press, "and bargain collectively for better wages and benefits under a measure signed Friday by Gov. Gavin Newsom." Supporters said the new law will open a path for the largest expansion of private sector collective bargaining rights in the state's history. The legislation is a significant compromise in the yearslong battle between labor unions and tech companies.

California is the second state where Uber and Lyft drivers can unionize as independent contractors. Massachusetts voters passed a ballot referendum in November allowing unionization, while drivers in Illinois and Minnesota are pushing for similar rights...

The collective bargaining measure now allows rideshare workers in California to join a union while still being classified as independent contractors and requires gig companies to bargain in good faith.
"The new law doesn't apply to drivers for delivery apps like DoorDash."

Friday OpenAI CEO Sam Altman announced two changes coming "soon" to Sora: First, we will give rightsholders more granular control over generation of characters, similar to the opt-in model for likeness but with additional controls...

Second, we are going to have to somehow make money for video generation. People are generating much more than we expected per user, and a lot of videos are being generated for very small audiences. We are going to try sharing some of this revenue with rightsholders who want their characters generated by users. The exact model will take some trial and error to figure out, but we plan to start very soon. Our hope is that the new kind of engagement is even more valuable than the revenue share, but of course we we want both to be valuable.
"We are hearing from a lot of rightsholders who are very excited for this new kind of 'interactive fan fiction'," Altman wrote, "and think this new kind of engagement will accrue a lot of value to them, but want the ability to specify how their characters can be used (including not at all)."

"When someone searches for 'James Bond' on Prime Video now, all of the classic films will show up..." notes Parade. But recently Amazon's streaming service had tried new thumbnails with "matching minimalist backgrounds," so every Bond actor — from Sean Connery to Daniel Craig — "had a stylish image with '007' emblazoned over a color background." But in most of those "stylized" images, James Bond's guns were edited out.

It looks like Amazon backed off. On my TV and on my tablet, selecting Dr. No now brings up a page where Bond is holding his gun. (Just like in the original publicity photo.) And there's also guns in the key art for The Spy Who Loved Me, A View to a Kill, and License to Kill.

"Perhaps feeling shame for the terrible botch job on the artwork, not to mention the idea in the first place, Amazon Prime has now reinstated the previous key art across its streaming service," notes the unofficial James Bond fan site MI6. (In most cases guns still aren't shown, but they seem to achieve this by showing a photo from the movie.)

That blog post includes a gallery preserving copies of Amazon's original "stylized" images. They'd written Thursday that Amazon didn't just use cropping. "In some cases the images have been digitally manipulated to varying levels of success."

If you upload an image to serve as the inspiration for an AI-generated video from OpenAI's Sora, "the app will reject your image if it detects a face — any face," writes Mashable." (Unless that person has agreed to participate.) All Sora videos also include a watermark, notes PC Magazine, and Sora banned the creation of AI-generated videos showing public figures.

"But it turns out the policy doesn't apply to dead celebrities..." Unlike lower-quality deepfakes, many of the Sora videos appear disturbingly realistic and accurately mimic the voices and facial expressions of deceased celebrities. Some of the clips even contain licensed music... [A]ccording to OpenAI, the videos are fair game. "We don't have a comment to add, but we do allow the generation of historical figures," the company tells PCMag.
CNBC reported Saturday that Sora users have also "flooded the platform with artificial intelligence-generated clips of popular brands and animated characters." They noted Sora generated videos with clearly-copyrighted characters like Ronald McDonald, Simpsons characters, Pikachu, Patrick Star from "SpongeBob SquarePants," and Pikachu. (as Cracked.com puts it, "Ever wish 'South Park' was two minutes long and not funny?")

OpenAI's "opt-out" policy for copyright holders was unusual, CNBC writes, since "Typically, third parties have to get explicit permission to use someone's work under copyright law"" (as explained by Jason Bloom, partner/chair of the intellectual property litigation practice group at law firm Haynes Boone). "You can't just post a notice to the public saying we're going to use everybody's works, unless you tell us not to," he said. "That's not how copyright works." "A lot of the videos that people are going to generate of these cartoon characters are going to infringe copyright," Mark Lemley, a professor at Stanford Law School, said in an interview. "OpenAI is opening itself up to quite a lot of copyright lawsuits by doing this..."

Amazon will be adding facial recognition to its camera-equipped Ring doorbells for the first time in December, according to the Washington Post.

"While the feature will be optional for Ring device owners, privacy advocates say it's unfair that wherever the technology is in use, anyone within sight will have their faces scanned to determine who's a friend or stranger." The Ring feature is "invasive for anyone who walks within range of your Ring doorbell," said Calli Schroeder, senior counsel at the consumer advocacy and policy group Electronic Privacy Information Center. "They are not consenting to this." Ring spokeswoman Emma Daniels said that Ring's features empower device owners to be responsible users of facial recognition and to comply with relevant laws that "may require obtaining consent prior to identifying people..."

Other companies, including Google, already offer facial recognition for connected doorbells and cameras. You might use similar technology to unlock your iPhone or tag relatives in digital photo albums. But privacy watchdogs said that Ring's use of facial recognition poses added risks, because the company's products are embedded in our neighborhoods and have a history of raising social, privacy and legal questions... It's typically legal to film in public places, including your doorway. And in most of the United States, your permission is not legally required to collect or use your faceprint. Privacy experts said that Ring's use of the technology risks crossing ethical boundaries because of its potential for widespread use in residential areas without people's knowledge or consent.

You choose to unlock your iPhone by scanning your face. A food delivery courier, a child selling candy or someone walking by on the sidewalk is not consenting to have their face captured, stored and compared against Ring's database, said Adam Schwartz, privacy litigation director for the consumer advocacy group Electronic Frontier Foundation. "It's troubling that companies are making a product that by design is taking biometric information from people who are doing the innocent act of walking onto a porch," he said.
Ring's spokesperson said facial recognition won't be available some locations, according to the article, including Texas and Illinois, which passed laws fining companies for collecting face information without permission. But the Washington Post heard another possible worst-case scenario from Calli Schroeder, senior counsel at the consumer advocacy and policy group Electronic Privacy Information Center: databases of identified faces being stolen by cyberthieves, misused by Ring employees, or shared with outsiders such as law enforcement.

Amazon says they're "reuniting lost dogs through the power of AI," in their announcement this week, thanks to "an AI-powered community feature that enables your outdoor Ring cameras to help reunite lost dogs with their families... When a neighbor reports a lost dog in the Ring app, nearby outdoor Ring cameras automatically begin scanning for potential matches."

Amazon calls it an example of their vision for "tools that make it easier for neighbors to look out for each other, and create safer, more connected communities." They're also 10x zoom, enhanced low-light performance, 2K and 4K resolutions, and "advanced AI tuning" for video...

An anonymous reader quotes a report from Reuters: Indonesia has suspended TikTok's registration to provide electronic systems after it failed to hand over all data relating to the use of its live stream feature, a government official said on Friday. The suspension could in theory prevent access to TikTok, which has more than 100 million accounts based in Indonesia.

Alexander Sabar, an official at Indonesia's communications and digital ministry, said in a statement some accounts with ties to online gambling activities used TikTok's live stream feature during national protests. [...] Sabar said the government had asked the company for its traffic, streaming and monetization data. The company, owned by China's ByteDance, did not provide complete data, citing its internal procedures, Sabar said without giving further detail.

The SEC has approved the Texas Stock Exchange (TXSE), the first new fully integrated U.S. stock exchange in decades and the only one based in Texas. TXSE is set to launch trading services, as well as exchange-traded products, known as ETPs, and corporate listings, in 2026. CBS News reports: Exchange-traded products are financial instruments that follow the performance of underlying assets such as stocks, indexes or other financial benchmarks. Like stocks, ETPs are traded on public exchanges, allowing investors to buy and sell them throughout the trading day at market prices that fluctuate in real time.

TXSE was backed by wealth management giant BlackRock and market maker Citadel Securities, among other firms. The Texas company said in June 2024 that it raised a total of $120 million from more than two dozen investors. TXSE's headquarters in Dallas opened this spring, the group said.

The Cybersecurity Information Sharing Act expired on Wednesday when the federal government shut down. The law had provided legal protections since 2015 for organizations to share cyber threat intelligence with federal agencies. Without these protections, private sector companies that control most U.S. critical infrastructure face potential legal risks when sharing information about threats. Sen. Gary Peters called the lapse "an open invitation to cybercriminals and hostile actors to attack our economy and our critical infrastructure."

The intelligence sharing enabled by CISA 2015 helped expose Chinese campaigns including Volt Typhoon in 2023 and Salt Typhoon last year. Several cybersecurity firms pledged to continue sharing threat data despite the law's expiration. Halcyon and CrowdStrike confirmed they would maintain information sharing. Palo Alto Networks said it remained committed to public-private partnerships but did not specify whether it would continue sharing threat data. Multiple bipartisan reauthorization efforts failed before the shutdown. The House Homeland Security Committee had approved a 10-year extension last month.

alternative_right shares a report from the Smoking Gun: Minutes after vandalizing 17 cars in a Missouri college parking lot, a 19-year-old sophomore had a lengthy ChatGPT conversation during which he confessed to the crime, asked about the possibility of getting caught, and wondered, "is there any way they could know it was me," according to a police probable cause statement. Ryan Schaefer was arrested yesterday and charged with felony property damage for a rampage early Sunday at a Missouri State University parking lot. Investigators allege that Schaefer shattered car windows, ripped off side mirrors, dented hoods, and broke windshield wipers during the 3 AM spree.

When confronted with surveillance footage and other evidence, Schaefer said that he could see the resemblance between the suspect and himself. At that point, Schaefer reportedly consented to a search of his iPhone. A subsequent review of the device revealed location data placing Schaefer "at or near the scene of the crime," as well as a "troubling dialogue exchange this defendant seems to have had with artificial intelligence software installed on his phone," prosecutors reported. The incriminating ChatGPT conversation can be found here.

An anonymous reader quotes a report from TorrentFreak: The operator of a popular pirate sports streaming site in Argentina has gone from spending time in jail with murderers to landing a new high-profile job a month later. Alejo "Shishi" Warles, the 25-year-old operator of Al Angulo TV, was arrested on August 20 in a LaLiga-backed crackdown. After his release on bail, he was hired by professional esports team 9z Globant, a partnership involving Argentine tech unicorn Globant. [...] The team is the result of a partnership between 9z Team and Argentinian tech unicorn Globant. Somewhat ironically, Globant previously worked with LaLiga to monitor the live-streaming user experience. Warles welcomed himself to 9z Globant via the team's social media account, referring to himself as an idol, genius, and GOAT.

Lucia Quinteros, the main social media manager at the esports team, informed Entre Rios that after considering their new hire's history, they believe that he can add value to the team. "We hired Alejo, not the person who set up that project (Al Angulo TV). Of course, we evaluated what happened, but we believe that, from now on, Alejo can pursue a different career path," Quinteros said. According to Warles himself, he was hired because he's the best. Like many of his comments, this bravado should not be taken too seriously, but nevertheless sits in stark contrast to the typical pirate site operator facing criminal charges.

Researchers have unveiled two new hardware-based attacks, Battering RAM and Wiretap, that break Intel SGX and AMD SEV-SNP trusted enclaves by exploiting deterministic encryption and physical interposers. Ars Technica reports: In the age of cloud computing, protections baked into chips from Intel, AMD, and others are essential for ensuring confidential data and sensitive operations can't be viewed or manipulated by attackers who manage to compromise servers running inside a data center. In many cases, these protections -- which work by storing certain data and processes inside encrypted enclaves known as TEEs (Trusted Execution Enclaves) -- are essential for safeguarding secrets stored in the cloud by the likes of Signal Messenger and WhatsApp. All major cloud providers recommend that customers use it. Intel calls its protection SGX, and AMD has named it SEV-SNP.

Over the years, researchers have repeatedly broken the security and privacy promises that Intel and AMD have made about their respective protections. On Tuesday, researchers independently published two papers laying out separate attacks that further demonstrate the limitations of SGX and SEV-SNP. One attack, dubbed Battering RAM, defeats both protections and allows attackers to not only view encrypted data but also to actively manipulate it to introduce software backdoors or to corrupt data. A separate attack known as Wiretap is able to passively decrypt sensitive data protected by SGX and remain invisible at all times.

In India, Bollywood stars are asking judges to protect their voice and persona in the era of AI. From a report: One famous couple's biggest target is Google's YouTube. Abhishek Bachchan and his wife Aishwarya Rai Bachchan, known for her iconic Cannes Film Festival red carpet appearances, have asked a judge to remove and prohibit creation of AI videos infringing their intellectual property rights. But in a more far-reaching request, they also want Google ordered to have safeguards to ensure such YouTube videos uploaded anyway do not train other AI platforms, legal papers reviewed by Reuters show.

A handful of Bollywood celebrities have begun asserting their "personality rights" in Indian courts over the last few years, as the country has no explicit protection for those like in many U.S. states. But the Bachchans' lawsuits are the most high-profile to date about the interplay of personality rights and the risk that misleading or deepfake YouTube videos could train other AI models. The actors argue that YouTube's content and third-party training policy is concerning as it lets users consent to sharing of a video they created to train rival AI models, risking further proliferation of misleading content online, according to near-identical filings from Abhishek and Aishwarya dated September 6, which are not public.

Charlie Javice, founder of college financial-aid startup Frank, was sentenced to over seven years in prison for defrauding JPMorgan by inflating user numbers before the bank's $175 million acquisition. CNN reports: Javice, 33, was convicted in March of duping the banking giant when it bought her company, called Frank, in the summer of 2021. She made false records that made it seem like Frank had over 4 million customers when it had fewer than 300,000. Addressing the court before she was sentenced, Javice, who was in her mid-20s when she founded the company, said she was "haunted that my failure has transformed something meaningful into something infamous." Sometimes speaking through tears, she said she "made a choice that I will spend my entire life regretting."

Judge Alvin K. Hellerstein largely dismissed arguments by Javice's lawyer, Ronald Sullivan, that he should be lenient because the negotiations that led to Frank's sale pitted "a 28-year-old versus 300 investment bankers from the largest bank in the world." Still, the judge criticized the bank, saying "they have a lot to blame themselves" for after failing to do adequate due diligence. He quickly added, though, that he was "punishing her conduct and not JPMorgan's stupidity." Javice was among a number of young tech executives who vaulted to fame with supposedly disruptive or transformative companies, only to see them collapse amid questions about whether they had engaged in puffery and fraud while dealing with investors.

An anonymous reader quotes a report from the BBC: A Chinese national has been convicted following an international fraud investigation which resulted in what's believed to be the single largest cryptocurrency seizure in the world. The Metropolitan Police says it recovered 61,000 bitcoin worth more than $6.7 billion in current prices. Zhimin Qian, also known as Yadi Zhang, pleaded guilty on Monday at Southwark Crown Court of illegally acquiring and possessing the cryptocurrency. A second person appeared in court on Tuesday to admit to their role in the scheme.

Malaysian national Seng Hok Ling, of Matlock, Derbyshire, pleaded guilty at Southwark Crown Court of entering into a money laundering arrangement on or before April 23, 2024. According to the charge, he had been dealing in cryptocurrency on Qian's behalf, "knowing or suspecting his actions would facilitate the acquisition or control of criminal property by another." Between 2014 and 2017 Qian led a large-scale scam in China which involved cheating more than 128,000 victims and storing the stolen funds in bitcoin assets, the Met said in a statement.

It said the 47-year-old's guilty plea followed a seven-year probe into a global money laundering web which began when it got a tipoff about the transfer of criminal assets. Qian had been "evading justice" for five years up to her arrest, which required a complex investigation involving multiple jurisdictions, said Detective Sergeant Isabella Grotto, who led the Met's investigation. She fled China using false documents and entered the UK, where she attempted to launder the stolen money by buying property, said the Met. "By pleading guilty today, Ms Zhang hopes to bring some comfort to investors who have waited since 2017 for compensation, and to reassure them that the significant rise in cryptocurrency values means there are more than sufficient funds available to repay their losses," said Qian's solicitor Roger Sahota, of Berkeley Square Solicitors.

"Bitcoin and other cryptocurrencies are increasingly being used by organised criminals to disguise and transfer assets, so that fraudsters may enjoy the benefits of their criminal conduct," added deputy chief Crown prosecutor, Robin Weyell. "This case, involving the largest cryptocurrency seizure in the UK, illustrates the scale of criminal proceeds available to those fraudsters."

alternative_right shares a report from 404 Media: Critics of YouTuber Ethan Klein are pushing back on subpoenas that would reveal their identities as part of an ongoing legal fight between Klein and his detractors. Klein is a popular content creator whose YouTube channel has more than 2 million subscribers. He's also involved in a labyrinthine personal and legal beef with three other content creators and the moderators of a subreddit that criticizes his work. Klein filed a legal motion to compel Discord and Reddit to reveal the identities of those moderators, a move their lawyers say would put them in harm's way and stifle free speech on the internet forever.

[...] On July 31, a judge allowed Klein's lawyers to file a subpoena with Reddit and Discord that would reveal the identities of the people running r/h3snark and an associated Discord server. On September 22, lawyers for the defendants filed a motion to quash the subpoenas. "On its face, the Action is about copyright infringement," the latest filing said. "At its heart, however, the Action is about stifling criticism and seeking retribution by unmasking individuals for perceived reputational harms TEI [Klein's production company] attributes to [John Doe moderators] unrelated to TEI's intellectual property rights." [...]

The anonymity of places like Reddit and Discord grant a layer of protection to people seeking to critique power. This case could set a dangerous precedent, the lawyers believe. "If the court allows TEI's Subpoenas, it would enable TEI to impose a considerable price on Does' use of the vehicle of anonymous speech -- including public exposure, real risks of retaliation and actual harm, and the financial and other burdens of defending the Action," the filing said. The filing added: "Very few would-be commentators are prepared to bear costs of this magnitude. So, when word gets out that the price tag of criticizing Ethan is this high -- that speech will disappear. But that is precisely what Ethan Klein wants."