Security

DOJ Says It Won't Prosecute White Hat Security Researchers (vice.com) 38

The Department of Justice announced today a policy shift in that it will no longer prosecute good-faith security research that would have violated the country's federal hacking law the Computer Fraud and Abuse Act (CFAA). Motherboard: The move is significant in that the CFAA has often posed a threat to security researchers who may probe or hack systems in an effort to identify vulnerabilities so they can be fixed. The revision of the policy means that such research should not face charges.

"Computer security research is a key driver of improved cybersecurity," Deputy Attorney General Lisa O. Monaco said in a statement published with the announcement. "The department has never been interested in prosecuting good-faith computer security research as a crime, and today's announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good." The policy itself reads that "the Department's goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems."

Crime

Angry IT Admin Wipes Employer's Databases, Gets 7 Years In Prison (bleepingcomputer.com) 83

Han Bing, a former database administrator for Lianjia, a Chinese real-estate brokerage giant, has been sentenced to 7 years in prison for logging into corporate systems and deleting the company's data. BleepingComputer reports: Bing allegedly performed the act in June 2018, when he used his administrative privileges and "root" account to access the company's financial system and delete all stored data from two database servers and two application servers. This has resulted in the immediate crippling of large portions of Lianjia's operations, leaving tens of thousands of its employees without salaries for an extended period and forcing a data restoration effort that cost roughly $30,000. The indirect damages from the disruption of the firm's business, though, were far more damaging, as Lianjia operates thousands of offices, employs over 120,000 brokers, owns 51 subsidiaries, and its market value is estimated to be $6 billion.
Crime

Gunman Livestreams Killing of 10 On Twitch - After Radicalization On 4chan (nbcnews.com) 481

Slashdot reader DevNull127 writes: 10 people were killed in a grocery store in Buffalo, New York this afternoon — and three more were injured — by a gunman who livestreamed the massacre on Twitch. "A Twitch spokesperson said the platform has investigated and confirmed that the stream was removed 'less than two minutes after the violence started,'" reports NBC News.

The Raw Story reports that the 18-year-old suspected gunman had also apparently posted a 106-page manifesto online prior to the attack. A researcher at George Washington University program on extremism studied the manifesto, and points out that the suspected shooter "states that he was radicalized online on 4chan and was inspired by Brenton Tarrant's manifesto and livestreamed mass shooting in New Zealand."

The suspect reportedly used an assault rifle.

Less than two weeks ago, Slashdot posted the following:

28-year-old Brenton Tarrant killed 51 people in New Zealand in 2019. The Associated Press reports that at that point he'd been reading 4chan for 14 years, according to his mother — since the age of 14.

The year before, 25-year-old Alek Minassian, who killed 11 people in Toronto in 2018, namechecked 4chan in a pre-attack Facebook post.

But the Guardian now adds another story from nine days ago — when a 23-year-old shooter with 1,000 rounds of ammunition opened fire from his apartment in Washington D.C. "Just two minutes after the shooting began, someone under the username "Raymond Spencer" logged onto the normally-anonymous 4chan and started a new thread titled 'shool [sic] shooting'. The newly published message contained a link — to a 30-second video of images captured from the digital scope of Spencer's rifle...."

NBC News reported that while Saturday's suspected shooter was livestreaming, "Some users of the website 4chan discussed the attack, and at least one archived the video in real-time, releasing photos of dead civilians inside the supermarket over the course of Saturday afternoon."
Crime

DEA Investigating Breach of Law Enforcement Data Portal (krebsonsecurity.com) 31

An anonymous reader quotes a report from KrebsOnSecurity: The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. KrebsOnSecurity has learned the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets. On May 8, KrebsOnSecurity received a tip that hackers obtained a username and password for an authorized user of esp.usdoj.gov, which is the Law Enforcement Inquiry and Alerts (LEIA) system managed by the DEA. According to this page at the Justice Department website, LEIA "provides federated search capabilities for both EPIC and external database repositories," including data classified as "law enforcement sensitive" and "mission sensitive" to the DEA.

A document published by the Obama administration in May 2016 (PDF) says the DEA's El Paso Intelligence Center (EPIC) systems in Texas are available for use by federal, state, local and tribal law enforcement, as well as the Department of Defense and intelligence community. EPIC and LEIA also have access to the DEA's National Seizure System (NSS), which the DEA uses to identify property thought to have been purchased with the proceeds of criminal activity (think fancy cars, boats and homes seized from drug kingpins). The screenshots shared with this author indicate the hackers could use EPIC to look up a variety of records, including those for motor vehicles, boats, firearms, aircraft, and even drones.

From the standpoint of individuals involved in filing these phony EDRs, access to databases and user accounts within the Department of Justice would be a major coup. But the data in EPIC would probably be far more valuable to organized crime rings or drug cartels, said Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley. Weaver said it's clear from the screenshots shared by the hackers that they could use their access not only to view sensitive information, but also submit false records to law enforcement and intelligence agency databases. "I don't think these [people] realize what they got, how much money the cartels would pay for access to this," Weaver said. "Especially because as a cartel you don't search for yourself you search for your enemies, so that even if it's discovered there is no loss to you of putting things ONTO the DEA's radar."

United States

US Cities Are Backing Off Banning Facial Recognition as Crime Rises (reuters.com) 128

Facial recognition is making a comeback in the United States as bans to thwart the technology and curb racial bias in policing come under threat amid a surge in crime and increased lobbying from developers. From a report: Virginia in July will eliminate its prohibition on local police use of facial recognition a year after approving it, and California and the city of New Orleans as soon as this month could be next to hit the undo button. Homicide reports in New Orleans rose 67% over the last two years compared with the pair before, and police say they need every possible tool. "Technology is needed to solve these crimes and to hold individuals accountable," police Superintendent Shaun Ferguson told reporters as he called on the city council to repeal a ban that went into effect last year.
Media

Podcasting Will Be Worth $4 Billion By 2024 (variety.com) 24

According to figures from trade group IAB and PwC, the podcast advertising business in the United States is expected to grow to an estimated $4.2 billion in 2024. Variety reports: The sector hit $1.45 billion in 2021, representing 72% annual growth, according to the report. In 2021, U.S. podcast advertising revenue grew twice as fast as the total internet advertising market, which was up 35% last year, according to the 2021 PwC/IAB Internet Advertising Revenue Report. Still, U.S. podcast advertising revenue is poised to continue double-digit growth, growing more than 100% over the next two years to an estimated $4.2 billion in 2024, per the report.

According to the latest IAB/PwC podcast report, three key factors are driving podcast ad revenue growth: the ongoing increase in listeners and content; increased use of automated ad tech, as ad revenue served via dynamic ad insertion (DAI) has almost doubled in two years to take 84% share in 2021 (versus ads embedded in podcast audio); and growth of ad spending in categories that historically had lower spend volumes like sports and true crime.
"Everything right now is aligned to drive growth," said Chris Bruderle, IAB's VP of research and insights. "There's more engaging and diverse podcast content than ever, and that is translating into larger, more attractive audiences. But more than anything, podcasting has proven that it can deliver beyond direct-to-consumer advertising to support brand-building and drive business outcomes."
Google

Google, Microsoft and Yahoo Back New York Ban on Controversial Search Warrants (techcrunch.com) 23

A coalition of tech giants, including Google, Microsoft and Yahoo, have pledged support for a New York bill that would ban the use of controversial search warrants that can identify people based on their location data and internet search keywords. From a report: In a brief statement, the coalition known as Reform Government Surveillance said it "supports the adoption of New York Assembly Bill A84A, the Reverse Location Search Prohibition Act, which would prohibit the use of reverse location and reverse keyword searches." The bill, if passed, would become the first state law to ban so-called geofence warrants and keyword search warrants, which rely on demanding tech companies turn over data about users who were near the scene of a crime or searched for particular keywords at a specific point in time. But the bill hasn't moved since it was referred to a committee for discussion in January, the first major hurdle before it can be considered for a floor vote.
Businesses

'Crypto Muggings': Thieves in London Target Digital Investors By Taking Phones (theguardian.com) 68

Thieves are targeting digital currency investors on the street in a wave of "crypto muggings," police have warned, with victims reporting that thousands of pounds have been stolen after their mobile phones were seized. From a report: Anonymised crime reports provided to the Guardian by City of London police, as part of a freedom of information request, reveal criminals are combining physical muscle with digital knowhow to part people from their cryptocurrency. One victim reported they had been trying to order an Uber near London's Liverpool Street station when muggers forced them to hand over their phone. While the gang eventually gave the phone back, the victim later realised that $6,150-worth of ethereum digital currency was missing from their account with the crypto investing platform Coinbase.

In another case, a man was approached by a group of people offering to sell him cocaine and agreed to go down an alley with them to do the deal. The men offered to type a number into his phone but instead accessed his cryptocurrency account, holding him against a wall and forcing him to unlock a smartphone app with facial verification. They transferred $7,400-worth of ripple, another digital currency, out of his account. A third victim said he had been vomiting under a bridge when a mugger forced him to unlock his phone using a fingerprint, then changed his security settings and stole $35,300, including cryptocurrency.

Crime

Mining Capital Coin CEO Indicted for Allegedly Running a Cryptocurrency Pyramid Scheme (cnn.com) 23

America's Justice Department announced Friday that the CEO of Mining Capital Coin, "a purported cryptocurrency mining and investment platform," has been indicted "for allegedly orchestrating a $62 million global investment fraud scheme."

CNN reports: According to a US Securities and Exchange Commission complaint filed last month, Capuci sold mining packages to more than 65,000 investors since at least January 2018. The group promised daily returns of 1% for up to a year, the SEC press release says. [Capuci apparently said that revenue stabilized the company's cryptocurrency, Capital Coin, according to the DOJ's statement.] But instead, the DOJ alleges, Capuci diverted the funds to his own cryptocurrency wallets. MCC netted at least $8.1 million from the sale of the mining packages and $3.2 million in initiation fees, which funded a lavish lifestyle, including Lamborghinis, a yacht and real estate, according to the SEC complaint....

The release alleges another fraudulent MCC investment avenue, "Trading Bots," which Capuci claimed operated at "very high frequency, being able to do thousands of trades per second." Capuci claimed the Trading Bots would provide daily returns, according to the DOJ release. ["But instead was diverting the funds to himself and co-conspirators."] Capuci also allegedly ran a pyramid scheme, according to the DOJ, recruiting promoters to sell the mining packages and promising them gifts ranging from Apple watches to Capuci's personal Ferrari, the press release says. ["Capuci further concealed the location and control of the fraud proceeds obtained from investors by laundering the funds internationally through various foreign-based cryptocurrency exchanges."]

The DOJ charged Capuci with conspiracy to commit wire fraud, conspiracy to commit securities fraud, and conspiracy to commit international money laundering. He could face up to 45 years in prison if convicted of all counts.

One U.S. attorney warned in the statement, "As with any emerging market, those who invest in cryptocurrency must beware of profit-making opportunities that appear too good to be true."

The statement also argues that cryptocurrency-based fraud "undermines financial markets worldwide, as bad actors defraud investors, and limits the ability of legitimate entrepreneurs to innovate within this emerging space."

Thanks to Slashdot reader quonset for sharing the story!
Security

Russia Hit With 'Unprecedented' Breaches By Pro-Ukrainian Cyberattackers (stripes.com) 40

This week the Washington Post described Russia as "struggling under an unprecedented hacking wave" — with one survey finding Russia is now the world's leader for leaked sensitive data (such as passwords and email addresses). "Federation government: your lack of honor and blatant war crimes have earned you a special prize..." read a message left behind on one of the breached networks...

Documents were stolen from Russia's media regulator and 20 years of email from one of Russia's government-owned TV/radio broadcasting companies. Ukraine's government is even suggesting targets through its "IT Army" channel on telegram, and has apparently distributed the names of hundreds of Russia's own FSB security agents. And meanwhile, the Post adds, "Ordinary criminals with no ideological stake in the conflict have also gotten in on the act, taking advantage of preoccupied security teams to grab money as the aura of invincibility falls, researchers said." Soon after the invasion, one of the most ferocious ransomware gangs, Conti, declared that it would rally to protect Russian interests in cyberspace. The pledge backfired in a spectacular fashion, since like many Russian-speaking crime groups it had affiliates in Ukraine. One of them then posted more than 100,000 internal gang chats, and later the source code for its core program, making it easier for security software to detect and block attacks.

Network Battalion 65 [a small hacktivist group formed as the war began looking inevitable] went further. It modified the leaked version of the Conti code to evade the new detections, improved the encryption and then used it to lock up files inside government-connected Russian companies. "We decided it would be best to give Russia a taste of its own medicine. Conti caused (and still causes) a lot of heartache and pain for companies all around the world," the group said. "As soon as Russia ends this stupidity in Ukraine, we will stop our attacks completely."

In the meantime, Network Battalion 65 has asked for ransomware payments even as it has shamed victims on Twitter for having poor security. The group said it hasn't gotten any money yet but would donate anything it collects to Ukraine.

Ars Technica quotes a cybersecurity researcher who now says "there are tens of terabytes of data that's just falling out of the sky."

Thanks to long-time Slashdot reader SpzToid for sharing the article!
Crime

Russia May Force Tech-Savvy Prisoners To Perform Low-Cost IT Work For Companies, Report Says (krebsonsecurity.com) 78

tsu doh nimh shares a report from Krebs on Security: Faced with a brain drain of smart people fleeing the country following its invasion of Ukraine, the Russian Federation is floating a new strategy to address a worsening shortage of qualified information technology experts: Forcing tech-savvy people within the nation's prison population to perform low-cost IT work for domestic companies. Multiple Russian news outlets published stories on April 27 saying the Russian Federal Penitentiary Service had announced a plan to recruit IT specialists from Russian prisons to work remotely for domestic commercial companies.

Russians sentenced to forced labor will serve out their time at one of many correctional centers across dozens of Russian regions, usually at the center that is closest to their hometown. Alexander Khabarov, deputy head of Russia's penitentiary service, said his agency had received proposals from businessmen in different regions to involve IT specialists serving sentences in correctional centers to work remotely for commercial companies. Khabarov told Russian media outlets that under the proposal people with IT skills at these facilities would labor only in IT-related roles, but would not be limited to working with companies in their own region.
"We are approached with this initiative in a number of territories, in a number of subjects by entrepreneurs who work in this area," Khabarov told Russian state media organization TASS. "We are only at the initial stage. If this is in demand, and this is most likely in demand, we think that we will not force specialists in this field to work in some other industries."
Crime

D.C. Shooter Shared Video of His Attack on 4chan, Then Edited Wikipedia Page (theguardian.com) 198

28-year-old Brenton Tarrant killed 51 people in New Zealand in 2019. The Associated Press reports that at that point he'd been reading 4chan for 14 years, according to his mother — since the age of 14.

The year before, 25-year-old Alek Minassian, who killed 11 people in Toronto in 2018, namechecked 4chan in a pre-attack Facebook post.

But the Guardian now adds another story from nine days ago — when a 23-year-old shooter with 1,000 rounds of ammunition opened fire from his apartment in Washington D.C. Just two minutes after the shooting began, someone under the username "Raymond Spencer" logged onto the normally-anonymous 4chan and started a new thread titled "shool [sic] shooting". The newly published message contained a link — to a 30-second video of images captured from the digital scope of Spencer's rifle....

Even as police stormed the apartment building where Spencer hid, with officers maneuvering past a surveillance camera that he had set up in the hallway and was monitoring, Spencer continued to post to the message board. "They're in the wrong part of the building right now searching," he posted at one point. A few minutes later: "Waiting for police to catch up with me."

As he waited, Spencer logged on to Wikipedia to edit the entry for Edmund Burke School, which he had just opened fire on....

Police believe Spencer shot himself to death as officers breached his apartment.

Facebook

Tech Giants Duped Into Giving Up Data Used to Sexually Extort Minors (bloomberg.com) 34

Major technology companies have been duped into providing sensitive personal information about their customers in response to fraudulent legal requests, and the data has been used to harass and even sexually extort minors, according to four federal law enforcement officials and two industry investigators. Bloomberg: The companies that have complied with the bogus requests include Meta, Apple, Alphabet's Google, Snap, Twitter and Discord, according to three of the people. All of the people requested anonymity to speak frankly about the devious new brand of online crime that involves underage victims. The fraudulently obtained data has been used to target specific women and minors, and in some cases to pressure them into creating and sharing sexually explicit material and to retaliate against them if they refuse, according to the six people.

The tactic is considered by law enforcement and other investigators to be the newest criminal tool to obtain personally identifiable information that can be used not only for financial gain but to extort and harass innocent victims. It is particularly unsettling since the attackers are successfully impersonating law enforcement officers. The tactic is impossible for victims to protect against, as the best way to avoid it would be to not have an account on the targeted service, according to the people. It's not clear how often the fraudulent data requests have been used to sexually extort minors. Law enforcement and the technology companies are still trying to assess the scope of the problem.

Government

Open-Source Intelligence: How Bellingcat Uses Data Gathered by Authoritarian Governments (cnn.com) 52

CNN profiles Bellingcat, a Netherlands-based investigative group specializing in "open-source intelligence". And investigator Christo Grozev tells CNN that authoritarian governments make their work easier, because "they love to gather data, comprehensive data, on ... what they consider to be their subjects, and therefore there's a lot of centralized data."

"And second, there's a lot of petty corruption ... within the law enforcement system, and this data market thrives on that." Billions have been spent on creating sophisticated encrypted communications for the military in Russia. But most of that money has been stolen in corrupt kickbacks, and the result is they didn't have that functioning system... It is shocking how incompetent they are. But it was to be expected, because it's a reflection of 23 years of corrupt government.
Interestingly there's apparently less corruption in China — though more whistleblowers. But Bellingcat's first investigation involved the 2014 downing of a Boeing 777 over eastern Ukraine that killed 283 passengers. (The Dutch Safety Board later concluded it was downed by a surface-to-air missile launched from pro-Russian separatist-controlled territory in Ukraine.) "At that time, a lot of public data was available on Russian soldiers, Russian spies, and so on and so forth — because they still hadn't caught up with the times, so they kept a lot of digital traces, social media, posting selfies in front of weapons that shoot down airliners. That's where we kind of perfected the art of reconstructing a crime based on digital breadcrumbs..."

"By 2016, it was no longer possible to find soldiers leaving status selfies on the internet because a new law had been passed in Russia, for example, banning the use of mobile phones by secret services and by soldiers. So we had to develop a new way to get data on government crime. We found our way into this gray market of data in Russia, which is comprised of many, many gigabytes of leaked databases, car registration databases, passport databases. Most of these are available for free, completely freely downloadable from torrent sites or from forums and the internet." And for some of them, they're more current. You actually can buy the data through a broker, so we decided that in cases when we have a strong enough hypothesis that a government has committed the crime, we should probably drop our ethical boundaries from using such data — as long as it is verifiable, as long as it is not coming from one source only but corroborated by at least two or three other sources of data. That's how we develop it. And the first big use case for this approach was the ... poisoning of Sergei and Yulia Skripal in 2018 (in the United Kingdom), when we used this combination of open source and data bought from the gray market in Russia to piece together who exactly the two poisoners were. And that worked tremendously....

It has been what I best describe as a multilevel computer game.... [W]hen we first learned that we can get private data, passport files and residence files on Russian spies who go around killing people, they closed the files on those people. So every spy suddenly had a missing passport file in the central password database. But that opened up a completely new way for us to identify spies, because we were just able to compare older versions of the database to newer versions. So that allowed us to find a bad group of spies that we didn't even know existed before.

The Russian government did realize that that's maybe a bad idea to hide them from us, so they reopened those files but just started poisoning data. They started changing the photographs of some of these people to similar looking, like lookalikes of the people, so that they confused us or embarrass us if we publish a finding but it's for the wrong guy. And then we'll learn how to beat that.

When asked about having dropped some ethical boundaries about data use, Grozev replies "everything changes. Therefore, the rules of journalism should change with the changing times." "And it's not common that journalism was investigating governments conducting government-sanctioned crimes, but now it's happening." With a country's ruler proclaiming perpetual supreme power, "This is not a model that traditional journalism can investigate properly. It's not even a model that traditional law enforcement can investigate properly." I'll give an example. When the British police asked, by international agreement, for cooperation from the Russian government to provide evidence on who exactly these guys were who were hanging around the Skripals' house in 2018, they got completely fraudulent, fake data from the Russian government....

So the only way to counter that as a journalist is to get the data that the Russian government is refusing to hand over. And if this is the only way to get it, and if you can be sure that you can prove that this is valid data and authentic data — I think it is incumbent on journalists to find the truth. And especially when law enforcement refuses to find the truth because of honoring the sovereign system of respecting other governments.

It was Bellingcat that identified the spies who poisoned Russian opposition leader Alexey Navalny. CNN suggests that for more details on their investigation, and "to understand Vladimir Putin's stranglehold on power in Russia, watch the new film Navalny which premieres Sunday at 9 p.m. ET on CNN."

The movie's tagline? "Poison always leaves a trail."
Crime

Virginia Police Routinely Use Secret GPS Pings To Track People's Cell Phones (insidenova.com) 59

The nonprofit online news site Virginia Mercury investigated their state police departments' "real-time location warrants," which are "addressed to telephone companies, ordering them to regularly ping a customers' phone for its GPS location and share the results with police." Public records requests submitted to a sampling of 18 police departments around the state found officers used the technique to conduct more than 7,000 days worth of surveillance in 2020. Court records show the tracking efforts spanned cases ranging from high-profile murders to minor larcenies.... Seven departments responded that they did not have any relevant billing records, indicating they don't use the technique. Only one of the departments surveyed, Alexandria, indicated it had an internal policy governing how their officers use cellphone tracking, but a copy of the document provided by the city was entirely redacted....

Drug investigations accounted for more than 60 percent of the search warrants taken out in the two jurisdictions. Larcenies were the second most frequent category. Major crimes like murders, rapes and abductions made up a fraction of the tracking requests, accounting for just under 25 of the nearly 400 warrants filed in the jurisdictions that year.

America's Supreme Court "ruled that warrantless cellphone tracking is unconstitutional back in 2012," the article points out — but in practice those warrants aren't hard to get. "Officers simply have to attest in an affidavit that they have probable cause that the tracking data is 'relevant to a crime that is being committed or has been committed'.... There's been limited public discussion or awareness of the kinds of tracking warrants the judiciary is approving." "I don't think people know that their cell phones can be converted to tracking devices by police with no notice," said Steve Benjamin, a criminal defense lawyer in Richmond who said he's recently noticed an uptick in cases in which officers employed the technique. "And the reality of modern life is everyone has their phone on them during the day and on their nightstand at night. ... It's as if the police tagged them with a chip under their skin, and people have no idea how easily this is accomplished."
The case for these phone-tracking warrants?
  • The executive director of the Virginia Association of Chiefs of Police tells the site that physical surveillance often requires too many resources — and that cellphone tracking is safer. "It may be considered an intrusive way of gathering data on someone, but it's certainly less dangerous than physical tracking."
  • A spokesperson for the Chesterfield County police department [responsible for 64% of the state's tracking] argued that "We exist to preserve human life and protect the vulnerable, and we will use all lawful tools at our disposal to do so." And they added that such "continued robust enforcement efforts" were a part of the reason that the county's still-rising number of fatal drug overdoses had not risen more.

The site also obtained bills from four major US cellphone carriers, and reported how much they were charging police for providing their cellphone-tracking services:

  • "T-Mobile charged $30 per day, which comes to $900 per month of tracking."
  • "AT&T charged a monthly service fee of $100 and an additional $25 per day the service is utilized, which comes to $850 per 30 days of tracking..."
  • "Verizon calls the service 'periodic location updates,' charging $5 per day on top of a monthly service fee of $100, which comes to $200 per 30 days of tracking."
  • "Sprint offered the cheapest prices to report locations back to law enforcement, charging a flat fee of $100 per month."

Thanks to Slashdot reader Beerismydad for sharing the article!


Crime

'How Cryptocurrency Gave Birth to the Ransomware Epidemic' (vice.com) 47

"Cryptocurrency has changed the game of cybercrime," argues Vice's Christian Devolu, in a new episode of their video series CRYPTOLAND. "Hackers and cybergangs have been locking down the data of large corporations, police departments, and even hospitals, and demanding ransom — and guess what they're asking for? Cryptocurrency!"

In short, argues an article accompanying the episode, cryptocurrency "gave birth to the ransomware epidemic."

Slashdot reader em1ly shares one highlight from the video: The team visits a school district in Missouri ["just one of around 1,000 U.S. schools hacked last year with ransomware"] that was the victim of a ransomware attack. ["Luckily, the school's backups were not impacted...."]
Another interesting observation from the article: When ransom payments do happen, companies like Chainalysis can track the Bitcoin through the blockchain, identifying the hackers' wallets and collaborating with law enforcement in an attempt to recover the funds or identify the hackers themselves.

Security

Cybercriminals Are Doing Their Homework in Latest Banking Scam (theregister.com) 29

A new social engineering scam is making the rounds, and this one is particularly insidious: It tricks users into sending money to what they think is their own account to reverse a fraudulent charge. From a report: The FBI's Internet Crime Complaint Center issued the warning, which it said involves cybercriminals who have definitely done their homework. "In addition to knowing the victim's financial institution, the actors often had further information such as the victim's past addresses, social security number, and the last four digits of their bank accounts," the IC3 said.

The con starts off as many that target individuals do nowadays: With a text message. In this case it's not a phishing attempt, it's an attempt to ascertain whether the person receiving the message is susceptible to further manipulation. Posing as the target's bank, the message asks whether a large charge ($5,000 in the example the FBI gives) was legitimate and asks for a reply of YES or NO. Replying no leads to a follow-up text: "Our fraud specialist will be contacting you shortly." This is where social engineering comes in, and the FBI is painting a picture of a sophisticated operation. The "fraud specialists" contacting users reportedly "speak English without a discernible accent," and once they establish credibility with the victim they move on to "helping" them "reverse" the fake transaction.

It gets even more insidious here: The charges that are being refuted aren't bank charges directly: they are payments being made through an instant payment app like Venmo or CashApp. The fraudster never asks for a password or any information that might clue someone in that they're being strung along. Instead, the caller asks the victim to use their bank website or app to remove their email address from the digital payment app (thereby unlinking the app and bank account), which the fraudster then asks for. Next, the victim is asked to send the same amount as the fake payment to themselves using their own email address, which has already been added to an account the criminal controls.

United States

TikTok Under US Government Investigation Over Child Sexual Abuse Material (arstechnica.com) 18

TikTok is under investigation by US government agencies over its handling of child sexual abuse material, as the burgeoning short-form video app struggles to moderate a flood of new content. From a report: Dealing with sexual predators has been an enduring challenge for social media platforms, but TikTok's young user base has made it vulnerable to being a target. The US Department of Homeland Security is investigating how TikTok handles child sexual abuse material, according to two sources familiar with the case. The Department of Justice is also reviewing how a specific privacy feature on TikTok is being exploited by predators, said one person with knowledge of the case. The DOJ has a longstanding policy of not confirming or denying the existence of ongoing investigations. "It is a perfect place for predators to meet, groom and engage children," said Erin Burke, unit chief of the child exploitation investigations unit at Homeland Security's cyber crime division, calling it the "platform of choice" for the behaviour.

Bitcoin

Ethereum Dev Imprisoned For Helping North Korea Evade Sanctions (bleepingcomputer.com) 36

Virgil Griffith, a US cryptocurrency expert, was sentenced on Tuesday to 63 months in prison after pleading guilty to assisting the Democratic People's Republic of Korea (DPRK) with technical info on how to evade sanctions. BleepingComputer reports: The sanctions imposed by the International Emergency Economic Powers Act (IEEPA) and Executive Order 13466 forbid the export of any goods, services, or technology to the DPRK without a Department of the Treasury license issued by the Office of Foreign Assets Control (OFAC). Griffith, who worked as a special projects developer and research scientist for the Ethereum Foundation, was arrested in November 2019 by the FBI following a presentation in North Korea on how the country could use cryptocurrency and blockchain tech (i.e., smart contracts) to launder money and evade sanctions.

Despite being denied permission by the US Department of State, Griffith went to the North Korean conference knowing that doing so without a license from the OFAC would violate US sanctions against the DPRK. According to court documents, the cryptocurrency expert asked to receive his travel visa on a separate paper and not on his US passport, likely to avoid creating physical evidence of his travel to North Korea.

At the DPRK Cryptocurrency Conference, "Griffith and his co-conspirators also answered specific questions about blockchain and cryptocurrency technologies for the DPRK audience, including individuals whom Griffith understood worked for the North Korean government," DOJ said today. He also tried recruiting "other US citizens to travel to North Korea and provide similar services to DPRK persons and attempted to broker introductions for the DPRK to other cryptocurrency and blockchain service providers." During the DPRK Cryptocurrency Conference, he also talked about how North Korea could use cryptocurrency to gain financial independence from the global banking system.

Youtube

Cop Admits To Playing Copyrighted Music Through Squad Car PA To Keep Videos Off YouTube (jalopnik.com) 127

A police officer in Santa Ana, California, admitted to blaring Disney favorites from a squad car PA system in an attempt to keep citizens' videos of their actions off of YouTube. Jalopnik reports: It just so happens they woke up a sleeping city council member, who took police to task for their annoying and suspicious tactic. Using copyright infringement against those who record police actions hasn't really worked so far, which may be why this officer decided to really blare Disney tunes during an investigation of a car theft. At the moment, the video posted by Santa Ana Audits is still up after being posted six days ago, so it's safe to say this officer woke up an entire community for nothing.

Santa Ana PD released a statement on Twitter acknowledging the video. Santa Ana PD told Vice that using the squad car audio system is not department policy. YouTube won't always remove a video for copyright infringement. Sometimes the site will place an ad on the video, with proceeds going to the copyright holder.
