An anonymous reader quotes a report from the Washington Post: The Biden administration marked the close of tax season Monday by announcing it had met a modest goal of getting at least 100,000 taxpayers to file through the Internal Revenue Service's new tax software, Direct File -- an alternative to commercial tax preparers. Although the government had billed Direct File as a small-scale pilot, it still represents one of the most significant experiments in tax filing in decades -- a free platform letting Americans file online directly to the government. Monday's announcement aside, though, Direct File's success has proven highly subjective.

By and large, people who tried the Direct File software -- which looks a lot like TurboTax or other commercial tax software, with its question-and-answer format -- gave it rave reviews. "Against all odds, the government has created an actually good piece of technology," a writer for the Atlantic marveled, describing himself as "giddy" as he used the website to chat live with a helpful IRS employee. The Post's Tech Friend columnist Shira Ovide called it "visible proof that government websites don't have to stink." Online, people tweeted praise after filing their taxes, like the user who called it the "easiest tax experience of my life."

While the users might be a happy group, however, there weren't many of them compared to other tax filing options -- and their positive reviews likely won't budge the opposition that Direct File has faced from tax software companies and Republicans from the outset. These headwinds will likely continue if the IRS wants to renew it for another tax season. The program opened to the public midway through tax season, when many low-income filers had already claimed their refunds -- and was restricted to taxpayers in 12 states, with only four types of income (wages, interest, Social Security and unemployment). But it gained popularity as tax season went on: The Treasury Department said more than half of the total users of Direct File completed their returns during the last week.

Roku has made two-factor authentication (2FA) mandatory for all users following two credential stuffing attacks that compromised approximately 591,000 customer accounts and led to unauthorized purchases in fewer than 400 cases. The Register reports: Credential stuffing and password spraying are both fairly similar types of brute force attacks, but the former uses known pairs of credentials (usernames and passwords). The latter simply spams common passwords at known usernames in the hope one of them leads to an authenticated session. "There is no indication that Roku was the source of the account credentials used in these attacks or that Roku's systems were compromised in either incident," it said in an update to customers. "Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials."

All accounts now require 2FA to be implemented, whether they were affected by the wave of compromises or not. Roku has more than 80 million active accounts, so only a minority were affected, and these have all been issued mandatory password resets. Compromised or not, all users are encouraged to create a strong, unique password for their accounts, consisting of at least eight characters, including a mix of numbers, symbols, and letter cases. [...] Roku also asked users to remain vigilant to suspicious activity regarding its service, such as phishing emails or clicking on dodgy links to rest passwords -- the usual stuff. "In closing, we sincerely regret that these incidents occurred and any disruption they may have caused," it said. "Your account security is a top priority, and we are committed to protecting your Roku account."

A business columnist at the Los Angeles Times notes Sam Bankman-Fried's judge issued another ruling "that may have a more far-reaching effect on the crypto business.

U.S. Judge Failla "cleared the Securities and Exchange Commission to proceed with its lawsuit alleging that the giant crypto broker and exchange Coinbase has been dealing in securities without a license." What's important about Failla's ruling is that she dismissed out of hand Coinbase's argument, which is that cryptocurrencies are novel assets that don't fall within the SEC's jurisdiction — in short, they're not "securities." Crypto promoters have been making the same argument in court and the halls of Congress, where they're urging that the lawmakers craft an entirely new regulatory structure for crypto — preferably one less rigorous than the existing rules and regulations promulgated by the SEC and the Commodity Futures Trading Commission...

Failla saw through that argument without breaking a sweat. "The 'crypto' nomenclature may be of recent vintage," she wrote, "but the challenged transactions fall comfortably within the framework that courts have used to identify securities for nearly eighty years...." Since Congress hasn't enacted regulations specifically aimed at crypto, Coinbase said, the SEC's lawsuit should be dismissed. The judge's opinion of that argument was withering. "While certainly sizable and important," she wrote, "the cryptocurrency industry 'falls far short of being a "portion of the American economy" bearing vast economic and political significance....'"

Failla's ruling followed another in New York federal court in which a judge deemed crypto to be securities. In that case, Judge Edgardo Ramos refused to dismiss SEC charges against Gemini Trust Co., a crypto trading outfit run by Cameron and Tyler Winkelvoss, and the crypto lender Genesis Global Capital. The SEC charged that a scheme in which Gemini pooled customers' crypto assets and lent them to Genesis while promising the customers high interest returns is an unregistered security. The SEC case, like that against Coinbase, will proceed....

The hangover from March continued into this month. On April 5, a federal jury in New York found Terraform Labs and its chief executive and major shareholder, Do Kwon, liable in what the SEC termed "a massive crypto fraud...." The value of UST fell in effect to zero, the SEC said, "wiping out over $40 billion of total market value ... and sending shock waves through the crypto asset community."

America's FCC votes on net neutrality April 25th. And the director of Stanford Law School's "Center for Internet and Society" (also a law professor) says mostly there's "much to celebrate" in the draft rules released earlier this month. Mobile carriers like T-Mobile, AT&T and Verizon that have been degrading video quality for mobile users will have to stop. The FCC kept in place state neutrality protections like California's net neutrality law, allowing for layers of enforcement. The FCC also made it harder for ISPs to evade net neutrality at the point where data enters their networks.
However, the draft rules also have "a huge problem." The proposed rules make it possible for mobile ISPs to start picking applications and putting them in a fast lane — where they'll perform better generally and much better if the network gets congested.

T-Mobile, AT&T and Verizon are all testing ways to create these 5G fast lanes for apps such as video conferencing, games, and video where the ISP chooses and controls what gets boosted. They use a technical feature in 5G called network slicing, where part of their radio spectrum gets used as a special lane for the chosen app or apps, separated from the usual internet traffic. The FCC's draft order opens the door to these fast lanes, so long as the app provider isn't charged for them.
They warn of things like cellphone plans "Optimized for YouTube and TikTok... Or we could see add-ons like Enhanced Video Conferencing for $10 a month, or one-time 24-hour passes to have Prioritized Online Gaming." This isn't imagination. The ISPs write about this in their blogs and press releases. They talk about these efforts and dreams openly at conferences, and their equipment vendors plainly lay out how ISPs can chop up internet service into all manner of fast lanes.

These kinds of ISP-controlled fast lanes violate core net neutrality principles and would limit user choice, distort competition, hamper startups, and help cement platform dominance. Even small differences in load times affect how long people stay on a site, how much they pay, and whether they'll come back. Those differences also affect how high up sites show in search results. Thus, letting ISPs choose which apps get to be in a fast lane lets them, not users, pick winners and losers online... [T]he biggest apps will end up in all the fast lanes, while most others would be left out. The ones left out would likely include messaging apps like Signal, local news sites, decentralized Fediverse apps like Mastodon and PeerTube, niche video sites like Dropout, indie music sites like Bandcamp, and the millions of other sites and apps in the long tail.
One subheading emphasizes that "This is not controversial," noting that "Even proposed Republican net neutrality bills prohibited ISPs from speeding up and slowing down apps and kinds of apps..." Yet "While draft order acknowledges that some speeding up of apps could violate the no-throttling rule, it added some unclear, nebulous language suggesting that the FCC would review any fast lanes case-by-case, without explaining how it would do that... Companies that do file complaints will waste years litigating the meaning of "unreasonably discriminatory," all the while going up against giant telecoms that stockpile lawyers and lobbyists."

"Net neutrality means that we, the people who use the internet, get to decide what we do online, without interference from ISPs. ISPs do not get to interfere with our choices by blocking, speeding up or slowing down apps or kinds of apps..."

They urge the FCC to edit their draft order before April 24 to clarify "that the no-throttling rule also prohibits ISPs from creating fast lanes for select apps or kinds of apps."

DOJ-Collected Information Exposed In Data Breach Affecting 340,000 Information Collected An anonymous reader shared this report from Security Week: Economic analysis and litigation support firm Greylock McKinnon Associates, Inc. (GMA) is notifying over 340,000 individuals that their personal and medical information was compromised in a year-old data breach. The incident was detected on May 30, 2023, but it took the firm roughly eight months to investigate and determine what type of information was compromised and to identify the impacted individuals.



According to GMA's notification letter to the affected individuals, a copy of which was submitted to the Maine Attorney General's Office, both personal and Medicare information was compromised in the data breach... "This information may have included your name, date of birth, address, Medicare Health Insurance Claim Number (which contains a Social Security number associated with a member) and some medical information and/or health insurance information," the notification letter reads.

The compromised data, GMA says, was obtained by the US Department of Justice "as part of a civil litigation matter". More than 340,000 individuals were affected by the data breach, the company told the Maine Attorney General's Office. The impacted individuals, however, are "not the subject of this investigation or the associated litigation matters", the company tells the affected individuals.

From the Washington Post: The U.S. government said Thursday that Russian government hackers who recently stole Microsoft corporate emails had obtained passwords and other secret material that might allow them to breach multiple U.S. agencies.

The Cybersecurity and Infrastructure Security Agency, an arm of the Department of Homeland Security, on Tuesday issued a rare binding directive to an undisclosed number of agencies requiring them to change any log-ins that were taken and investigate what else might be at risk. The directive was made public Thursday, after recipients had begun shoring up their defenses. The "successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies," CISA wrote. "This Emergency Directive requires agencies to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure."
"CISA officials told reporters it is so far unclear whether the hackers, associated with Russian military intelligence agency SVR, had obtained anything from the exposed agencies," according to the article. And the article adds that CISA "did not spell out the extent of any risks to national interests."

But the agency's executive assistant director for cybersecurity did tell the newspaper that "the potential for exposure of federal authentication credentials...does pose an exigent risk to the federal enterprise, hence the need for this directive and the actions therein." Microsoft's Windows operating system, Outlook email and other software are used throughout the U.S. government, giving the Redmond, Washington-based company enormous responsibility for the cybersecurity of federal employees and their work. But the longtime relationship is showing increasing signs of strain.... [T]he breach is one of a few severe intrusions at the company that have exposed many others elsewhere to potential hacking. Another of those incidents — in which Chinese government hackers cracked security in Microsoft's cloud software offerings to steal email from State Department and Commerce Department officials — triggered a major federal review that last week called on the company to overhaul its culture, which the Cyber Safety Review Board cited as allowing a "cascade of avoidable errors."

An anonymous reader quotes a report from Ars Technica: Influential US Senator Sherrod Brown (D-Ohio) has called on U.S. President Joe Biden to ban electric vehicles from Chinese brands. Brown calls Chinese EVs "an existential threat" to the U.S. automotive industry and says that allowing imports of cheap EVs from Chinese brands "is inconsistent with a pro-worker industrial policy." Brown's letter to the president (PDF) is the most recent to sound alarms about the threat of heavily subsidized Chinese EVs moving into established markets. Brands like BYD and MG have been on sale in the European Union for some years now, and last October, the EU launched an anti-subsidy investigation into whether the Chinese government is giving Chinese brands an unfair advantage.

The EU probe won't wrap until November, but another report published this week found that government subsidies for green technology companies are prevalent in China. BYD, which now sells more EVs than Tesla, has benefited from almost $4 billion (3.7 billion euro) in direct help from the Chinese government in 2022, according to a study by the Kiel Institute. Last month, the EU even started paying extra attention to imports of Chinese EVs, issuing a threat of retroactive tariffs that could start being imposed this summer. Chinese EV imports to the EU have increased by 14 percent since the start of its investigation, but they have yet to really begin in the U.S., where there are a few barriers in their way. Chinese batteries make an EV ineligible for the IRS's clean vehicle tax credit, for one thing. And Chinese-made vehicles (like the Lincoln Nautilus, Buick Envision, and Polestar 2) are already subject to a 27.5 percent import tax.

But Chinese EVs are on sale in Mexico already, and that has American automakers worried. Last year, Ford CEO Jim Farley said he saw Chinese automakers "as the main competitors, not GM or Toyota." And in January, Tesla CEO Elon Musk said he believed that "if there are no trade barriers established, they will pretty much demolish most other car companies in the world." [...] It's not just the potential damage to the U.S. auto industry that has prompted this letter. Brown wrote that he is concerned about the risk of China having access to data collected by connected cars, "whether it be information about traffic patterns, critical infrastructure, or the lives of Americans," pointing out that "China does not allow American-made electric vehicles near their official buildings." At the end of February, the Commerce Department also warned of the security risk from Chinese-connected cars and revealed it has launched an investigation into the matter. "When the goal is to dominate a sector, tariffs are insufficient to stop their attack on American manufacturing," Brown wrote. "Instead, the Administration should act now to ban Chinese EVs before they destroy the potential for the U.S. EV market. For this reason, no solution should be left off the table, including the use of Section 421 (China Safeguard) of the Trade Act of 1974, or some other authority."

An anonymous reader quotes a report from Wired: A controversial US wiretap program days from expiration cleared a major hurdle on its way to being reauthorized. After months of delays, false starts, and interventions by lawmakers working to preserve and expand the US intelligence community's spy powers, the House of Representatives voted on Friday to extend Section 702 (PDF) of the Foreign Intelligence Surveillance Act (FISA) for two years. Legislation extending the program -- controversial for being abused by the government -- passed in the House in a 273-147 vote. The Senate has yet to pass its own bill.

Section 702 permits the US government to wiretap communications between Americans and foreigners overseas. Hundreds of millions of calls, texts, and emails are intercepted by government spies each with the "compelled assistance" of US communications providers. The government may strictly target foreigners believed to possess "foreign intelligence information," but it also eavesdrops on the conversations of an untold number of Americans each year. (The government claims it is impossible to determine how many Americans get swept up by the program.) The government argues that Americans are not themselves being targeted and thus the wiretaps are legal. Nevertheless, their calls, texts, and emails may be stored by the government for years, and can later be accessed by law enforcement without a judge's permission. The House bill also dramatically expands the statutory definition for communication service providers, something FISA experts, including Marc Zwillinger -- one of the few people to advise the Foreign Intelligence Surveillance Court (FISC) -- have publicly warned against.

The FBI's track record of abusing the program kicked off a rare detente last fall between progressive Democrats and pro-Trump Republicans -- both bothered equally by the FBI's targeting of activists, journalists, anda sitting member of Congress. But in a major victory for the Biden administration, House members voted down an amendment earlier in the day that would've imposed new warrant requirements on federal agencies accessing Americans' 702 data. The warrant amendment was passed earlier this year by the House Judiciary Committee, whose long-held jurisdiction over FISA has been challenged by friends of the intelligence community. Analysis by the Brennan Center this week found that 80 percent of the base text of the FISA reauthorization bill had been authored by intelligence committee members.

An anonymous reader quotes a report from The Guardian: Hospitals -- despite being places where people implicitly expect to have their personal details kept private -- frequently use tracking technologies on their websites to share user information with Google, Meta, data brokers, and other third parties, according to research published today. Academics at the University of Pennsylvania analyzed a nationally representative sample of 100 non-federal acute care hospitals -- essentially traditional hospitals with emergency departments -- and their findings were that 96 percent of their websites transmitted user data to third parties. Additionally, not all of these websites even had a privacy policy. And of the 71 percent that did, 56 percent disclosed specific third-party companies that could receive user information.

The researchers' latest work builds on a study they published a year ago of 3,747 US non-federal hospital websites. That found 98.6 percent tracked and transferred visitors' data to large tech and social media companies, advertising firms, and data brokers. To find the trackers on websites, the team checked out each hospitals' homepage on January 26 using webXray, an open source tool that detects third-party HTTP requests and matches them to the organizations receiving the data. They also recorded the number of third-party cookies per page. One name in particular stood out, in terms of who was receiving website visitors' information. "In every study we've done, in any part of the health system, Google, whose parent company is Alphabet, is on nearly every page, including hospitals," [Dr Ari Friedman, an assistant professor of emergency medicine at the University of Pennsylvania] observed. "From there, it declines," he continued. "Meta was on a little over half of hospital webpages, and the Meta Pixel is notable because it seems to be one of the grabbier entities out there in terms of tracking."

Both Meta and Google's tracking technologies have been the subject of criminal complaints and lawsuits over the years -- as have some healthcare companies that shared data with these and other advertisers. In addition, between 20 and 30 percent of the hospitals share data with Adobe, Friedman noted. "Everybody knows Adobe for PDFs. My understanding is they also have a tracking division within their ad division." Others include telecom and digital marketing companies like The Trade Desk and Verizon, plus tech giants Oracle, Microsoft, and Amazon, according to Friedman. Then there's also analytics firms including Hotjar and data brokers such as Acxiom. "And two thirds of hospital websites had some kind of data transfer to a third-party domain that we couldn't even identify," he added. Of the 71 hospital website privacy policies that the team found, 69 addressed the types of user information that was collected. The most common were IP addresses (80 percent), web browser name and version (75 percent), pages visited on the website (73 percent), and the website from which the user arrived (73 percent). Only 56 percent of these policies identified the third-party companies receiving user information. In lieu of any federal data privacy law in the U.S., Friedman recommends users protect their personal information via the browser-based tools Ghostery and Privacy Badger, which identify and block transfers to third-party domains.

OpenTable's restaurant pages still feature a lot of reviews left by anonymous diners at the moment, but that will not be the case starting next month. From a report: The online restaurant reservation service is changing its policy around reviews so that they're not as anonymous -- and it's even applying the new rule retroactively. As BleepingComputer reports, it told users in an email that starting on May 22, it "will begin displaying diner first names and profile photos on all diner reviews." Further, "this update will also apply to past reviews."

"We've heard from you, our diners, that trust and transparency are important when looking at reviews," the company also said in its letter, insinuating that it's changing the way reviews work based on user feedback. As BleepingComputer says, it'll be easy to match a bad review with customer reservation records based on the user's first name and when the post was made. While that's not nearly as bad as Glassdoor publishing people's names alongside their employer reviews without consent, it could still be very uncomfortable for people who wanted to talk about bad experiences without the fear of not being welcomed back into a particular establishment.

HP "sought to take advantage of customers' sunk costs," printer owners claimed this week in a class action lawsuit against the hardware giant. The Register: Lawyers representing the aggrieved were responding in an Illinois court to an earlier HP motion to dismiss a January lawsuit. Among other things, the plaintiffs' filing stated that the printer buyers "never entered into any contractual agreement to buy only HP-branded ink prior to receiving the firmware updates." They allege HP broke several anti-competitive statutes, which they claim: "bar tying schemes, and certain uses of software to accomplish that without permission, that would monopolize an aftermarket for replacement ink cartridges, when these results are achieved in a way that 'take[s] advantage of customers' sunk costs.'"

In the case, which began in January, the plaintiffs are arguing that HP issued a firmware update between late 2022 and early 2023 that they allege disabled their printers if they installed a replacement cartridge that was not HP-branded. They are asking for damages that include the cost of now-useless third-party cartridges and an injunction to disable the part of the firmware updates that prevent the use of third-party ink.

An anonymous reader shares a report: If you're -- apparently, one of the few people -- using the VPN service that comes with Google One, we've got bad news for you. In an email you're going to receive from Google if you haven't gotten it yet, it revealed that it's phasing out the perk sometime later this year. The company rolled out Google One's VPN feature back in 2020, but you could only access it then if you're paying for a plan with at least 2TB of storage, which costs at least $10 a month. Last year, the company expanded its availability across all One plans, including the basic $2-per-month option, making it more affordable than before.

A federal jury in Illinois on Wednesday said Amazon Web Services owes tech company Kove $525 million for violating three patents relating to its data-storage technology. From the report: The jury determined (PDF) that AWS infringed three Kove patents covering technology that Kove said had become "essential" to the ability of Amazon's cloud-computing arm to "store and retrieve massive amounts of data." An Amazon spokesperson said the company disagrees with the verdict and intends to appeal. Kove's lead attorney Courtland Reichman called the verdict "a testament to the power of innovation and the importance of protecting IP (intellectual property) rights for start-up companies against tech giants." Kove also sued Google last year for infringing the same three patents in a separate Illinois lawsuit that is still ongoing.

An anonymous reader quotes a report from Ars Technica: Hardware sold for years by the likes of Intel and Lenovo contains a remotely exploitable vulnerability that will never be fixed. The cause: a supply chain snafu involving an open source software package and hardware from multiple manufacturers that directly or indirectly incorporated it into their products. Researchers from security firm Binarly have confirmed that the lapse has resulted in Intel, Lenovo, and Supermicro shipping server hardware that contains a vulnerability that can be exploited to reveal security-critical information. The researchers, however, went on to warn that any hardware that incorporates certain generations of baseboard management controllers made by Duluth, Georgia-based AMI or Taiwan-based AETN are also affected.

BMCs are tiny computers soldered into the motherboard of servers that allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of servers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system -- even when it's turned off. BMCs provide what's known in the industry as "lights-out" system management. AMI and AETN are two of several makers of BMCs. For years, BMCs from multiple manufacturers have incorporated vulnerable versions of open source software known as lighttpd. Lighttpd is a fast, lightweight web server that's compatible with various hardware and software platforms. It's used in all kinds of wares, including in embedded devices like BMCs, to allow remote administrators to control servers remotely with HTTP requests. [...] "All these years, [the lighttpd vulnerability] was present inside the firmware and nobody cared to update one of the third-party components used to build this firmware image," Binarly researchers wrote Thursday. "This is another perfect example of inconsistencies in the firmware supply chain. A very outdated third-party component present in the latest version of firmware, creating additional risk for end users. Are there more systems that use the vulnerable version of lighttpd across the industry?"

The vulnerability makes it possible for hackers to identify memory addresses responsible for handling key functions. Operating systems take pains to randomize and conceal these locations so they can't be used in software exploits. By chaining an exploit for the lighttpd vulnerability with a separate vulnerability, hackers could defeat this standard protection, which is known as address space layout randomization. The chaining of two or more exploits has become a common feature of hacking attacks these days as software makers continue to add anti-exploitation protections to their code. Tracking the supply chain for multiple BMCs used in multiple server hardware is difficult. So far, Binarly has identified AMI's MegaRAC BMC as one of the vulnerable BMCs. The security firm has confirmed that the AMI BMC is contained in the Intel Server System M70KLP hardware. Information about BMCs from ATEN or hardware from Lenovo and Supermicro aren't available at the moment. The vulnerability is present in any hardware that uses lighttpd versions 1.4.35, 1.4.45, and 1.4.51. "A potential attacker can exploit this vulnerability in order to read memory of Lighttpd Web Server process," Binarly researchers wrote in an advisory. "This may lead to sensitive data exfiltration, such as memory addresses, which can be used to bypass security mechanisms such as ASLR." Advisories are available here, here, and here.

An anonymous reader quotes a report from Ars Technica: Amid a flurry of lawsuits over AI models' training data, US Representative Adam Schiff (D-Calif.) has introduced (PDF) a bill that would require AI companies to disclose exactly which copyrighted works are included in datasets training AI systems. The Generative AI Disclosure Act "would require a notice to be submitted to the Register of Copyrights prior to the release of a new generative AI system with regard to all copyrighted works used in building or altering the training dataset for that system," Schiff said in a press release.

The bill is retroactive and would apply to all AI systems available today, as well as to all AI systems to come. It would take effect 180 days after it's enacted, requiring anyone who creates or alters a training set not only to list works referenced by the dataset, but also to provide a URL to the dataset within 30 days before the AI system is released to the public. That URL would presumably give creators a way to double-check if their materials have been used and seek any credit or compensation available before the AI tools are in use. All notices would be kept in a publicly available online database.

Currently, creators who don't have access to training datasets rely on AI models' outputs to figure out if their copyrighted works may have been included in training various AI systems. The New York Times, for example, prompted ChatGPT to spit out excerpts of its articles, relying on a tactic to identify training data by asking ChatGPT to produce lines from specific articles, which OpenAI has curiously described as "hacking." Under Schiff's law, The New York Times would need to consult the database to ID all articles used to train ChatGPT or any other AI system. Any AI maker who violates the act would risk a "civil penalty in an amount not less than $5,000," the proposed bill said. Schiff described the act as championing "innovation while safeguarding the rights and contributions of creators, ensuring they are aware when their work contributes to AI training datasets."

"This is about respecting creativity in the age of AI and marrying technological progress with fairness," Schiff said.