XBox (Games)

Microsoft Engineer Stole $10 Million By Selling Xbox Gift Cards For Bitcoin (pcgamer.com) 45

An anonymous reader quotes a report from PC Gamer: An oversight in accounts used to test Microsoft's payment systems let one engineer swindle his way into over $10 million after selling Xbox Gift Cards for Bitcoin over two years, a new report from Bloomberg revealed this week. In order to make sure its payment systems work, Microsoft employs engineers to "simulate" purchases on its stores. But soon after joining the company in 2017, Volodymyr Kvashuk discovered that there was a flaw in the accounts used to test purchases. See, these simulated accounts are usually flagged as such by the system, and won't send you physical goods if you tried to buy, say, a new gamepad from its site. But if you tested a purchase of Xbox Gift Cards, you'd still receive a completely valid 25-digit code. Kvashuk could've easily reported this to his bosses. But with unlimited free codes at his fingertips, he chose a different option instead.

At first, Kvashuk generated himself a handful of codes -- a cheeky $5 or $10 here or there. But there was the opportunity to make massive, life-changing sums of money off this exploit. He began cycling through mock profiles belonging to his colleagues to hide his tracks, automating the process with a bespoke piece of software prosecutors would later describe as "created for one purpose, and one purpose only: to automate embezzlement and allow fraud and theft on a massive scale." After acquiring these codes, Kvashuk would head to crypto marketplaces like Paxful to find prospective sellers. He'd sell them in bulk at a relative discount, which buyers would then go on to sell to folks who wanted to use the codes. Money laundering sites like ChipMixer would let him hide his trail, and the proceeds went towards facilitating an increasingly lavish lifestyle. [...] Microsoft was eventually clued in to Kvashuk's antics after noticing a sharp spike in gift card transactions, with federal agents eventually raiding his home in July 2019. In court, Kvashuk tried to argue that the mass theft was simply an experiment to increase store spending. Obviously, it didn't fly. Kvashuk was sentenced to 9 years in prison, likely deported back to his home country of Ukraine, and will be charged restitution of $8.3 million.

AI

Maine Passes the Strongest State Facial Recognition Ban Yet (theverge.com) 46

The state of Maine now has the most stringent laws regulating government use of facial recognition in the country. The Verge reports: The new law prohibits government use of facial recognition except in specifically outlined situations, with the most broad exception being if police have probable cause that an unidentified person in an image committed a serious crime, or for proactive fraud prevention. Since Maine police will not have access to facial recognition, they will be able to ask the FBI and Maine Bureau of Motor Vehicles (BMV) to run these searches.

Crucially, the law plugs loopholes that police have used in the past to gain access to the technology, like informally asking other agencies or third parties to run backchannel searches for them. Logs of all facial recognition searches by the BMV must be created and are designated as public records. The only other state-wide facial recognition law was enacted by Washington in 2020, but many privacy advocates were dissatisfied with the specifics of the law. Maine's new law also gives citizens the ability to sue the state if they've been unlawfully targeted by facial recognition, which was notably absent from Washington's regulation. If facial recognition searches are performed illegally, they must be deleted and cannot be used as evidence.

In response to this new law, the ACLU said: "Maine is showing the rest of the country what it looks like when we the people are in control of our civil rights and civil liberties, not tech companies that stand to profit from widespread government use of face surveillance technology."

The Courts

Huawei CFO Says HSBC Emails Disprove Basis For US Extradition Claim (reuters.com) 48

AltMachine shares a report from Reuters: "Lawyers fighting the extradition of Huawei's chief financial officer to the United States on Tuesday presented internal emails from British bank HSBC that they said disproved U.S. claims that Huawei misled the bank," reports Reuters. "CFO Meng Wanzhou's legal team said the emails and documents submitted to a Canadian court showed at least two senior HSBC leaders were aware of connections between Huawei and its Iranian subsidiary, Skycom. Meng's lawyers are trying to add the documents to evidence. They are meant to counter U.S. charges that only junior employees of the British bank knew about the true nature of the relationship between Huawei and Skycom. U.S. prosecutors have alleged that Meng misled HSBC about Huawei's business dealings in Iran and may have caused the bank to break U.S. sanctions."

Business dealings with Iran were not illegal under Canadian law, as the sanction was not a UN resolution and had no legal basis internationally. The only way for the extradition to proceed would be to show Huawei misled HSBC, which operates in the U.S. Amid intensifying US-China technology and economic rivalry, it is not the first time U.S. law enforcement has fabricated false accusations against Chinese or China-linked persons. Earlier in April, a U.S. court trial revealed that federal agents falsely accused a UT professor born in China of spying, and three Congressmen are asking the Department of Justice Office of the Inspector General to "review whether the China Initiative puts untoward pressure on DOJ personnel to engage in racial or ethnic profiling." Federal agents falsely accused Hu of spying for China based solely on a Google search, testimony revealed. After Hu refused to work as a spy for the U.S. government, agents stalked and harassed him for more than two years, leading to the destruction of his reputation and internationally renowned career.

Robotics

Do Security Robots Reduce Crime? (nbcnews.com) 50

Westland Real Estate Group patrols its 1,000-unit apartment complex in Las Vegas with "a conical, bulky, artificial intelligence-powered robot" standing just over 5 feet tall, according to NBC News. Manufactured by Knightscope, the robot is equipped with four internal cameras capturing a constant 360-degree view, and can also scan and record license plates (as well as the MAC addresses of cellphones). But is it doing any good? As more government agencies and private sector companies resort to robots to help fight crime, the verdict is out about how effective they are in actually reducing it. Knightscope, which experts say is the dominant player in this market, has cited little public evidence that its robots have reduced crime as the company deploys them everywhere from a Georgia shopping mall to an Arizona development to a Nevada casino. Knightscope's clients also don't know how much these security robots help. "Are we seeing dramatic changes since we deployed the robot in January?" Dena Lerner, the Westland spokesperson said. "No. But I do believe it is a great tool to keep a community as large as this, to keep it safer, to keep it controlled."

For its part, Knightscope maintains on its website that the robots "predict and prevent crime," without much evidence that they do so. Experts say this is a bold claim. "It would be difficult to introduce a single thing and it causes crime to go down," said Ryan Calo, a law professor at the University of Washington, comparing the Knightscope robots to a "roving scarecrow." Additionally, the company does not provide specific, detailed examples of crimes that have been thwarted due to the robots.

The robots are expensive — they're rented out at about $70,000-$80,000 a year — but growth has stalled for the two years since 2018, and over four years Knightscope's total clients actually dropped from 30 to just 23. (Expenses have now risen — partly because the company is now doubling its marketing budget.)

There's also a thermal scanning feature, but Andrew Ferguson, a law professor at American University, still called these robots an "expensive version of security theater." And NBC News adds that Knightscope's been involved "in both tragic and comical episodes." In 2016, a K5 roaming around Stanford Shopping Center in Palo Alto, California, hit a 16-month-old toddler, bruising his leg and running over his foot. The company apologized, calling it a "freakish accident," and invited the family to visit the company's nearby headquarters in Mountain View, which the family declined. The following year, another K5 robot slipped on steps adjacent to a fountain at the Washington Harbour development in Washington, D.C., falling into the water. In October 2019, a Huntington Park woman, Cogo Guebara, told NBC News that she tried reporting a fistfight by pressing an emergency alert button on the HP RoboCop itself, but to no avail. She learned later the emergency button was not yet connected to the police department itself... [The northern California city] Hayward dispatched its robot in a city parking garage in 2018. The following year, a man attacked and knocked over the robot. Despite having clear video and photographic evidence of the alleged crime, no one was arrested, according to Adam Kostrzak, the city's chief information officer.

The city didn't renew its contract "due to the financial impact of Covid-19 in early 2020," the city's CIO tells NBC News. But the city had already spent over $137,000 on the robot over two years.

The Courts

Texas Court Rules Teens Can Sue Facebook For Its Alleged Role in Their Sex Trafficking (houstonchronicle.com) 97

The Houston Chronicle reports: The Texas Supreme Court ruled Friday in a Houston case that Facebook is not a "lawless no-man's-land" and can be held liable for the conduct of pimps who use its technology to recruit and prey on children.

The ruling came in a trio of Houston civil actions involving teenage trafficking victims who met their abusive pimps through Facebook's messaging functions. They sued the California-based social media juggernaut for negligence and product liability, saying that Facebook failed to warn about or attempt to prevent sex trafficking from taking place on its internet platforms. The suits also alleged that Facebook benefited from the sexual exploitation of trafficking victims. The justices said trafficking victims can move forward with lawsuits on the grounds that Facebook violated a provision of the Texas Civil Practice and Remedies Code passed in 2009.

Facebook lawyers argued the company was shielded from liability under Section 230 of the federal Communications Decency Act, which states that what users say or write online is not akin to a publisher conveying the same message. Essentially, they said, Facebook is immune to these types of lawsuits. The majority wrote, "We do not understand Section 230 to 'create a lawless no-man's-land on the Internet' in which states are powerless to impose liability on websites that knowingly or intentionally participate in the evil of online human trafficking... Holding internet platforms accountable for the words or actions of their users is one thing, and the federal precedent uniformly dictates that Section 230 does not allow it," the opinion said. "Holding internet platforms accountable for their own misdeeds is quite another thing. This is particularly the case for human trafficking."

The justices explained that Congress recently amended Section 230 to add the possibility of civil liability for websites that violate state and federal human-trafficking laws. They said under the amended law states may protect residents from internet companies that knowingly or intentionally participate in human trafficking through their action or inaction... Annie McAdams, a lead attorney for the plaintiffs, said it was a groundbreaking decision. This is the first case to beat Facebook on its argument that it had immunity under Section 230, she said.

Crime

French Engineer Claims He's Solved the Zodiac Killer's Final Code (msn.com) 57

The New York Times tells the story of Fayçal Ziraoui, a 38-year-old French-Moroccan business consultant who "caused an online uproar" after saying he'd cracked the last two unsolved ciphers of the four attributed to the Zodiac killer in California "and identified him, potentially ending a 50-year-old quest." Maybe because he said he cracked them in just two weeks. Many Zodiac enthusiasts consider the remaining ciphers — Z32 and Z13 — unsolvable because they are too short to determine the encryption key. An untold number of solutions could work, they say, rendering verification nearly impossible.

But Mr. Ziraoui said he had a sudden thought. The code-crackers who had solved the [earlier] 340-character cipher in December had been able to do so by identifying the encryption key, which they had put into the public domain when announcing their breakthrough. What if the killer used that same encryption key for the two remaining ciphers? So he said he applied it to the 32-character cipher, which the killer had included in a letter as the key to the location of a bomb set to go off at a school in the fall of 1970. (It never did, even though police failed to crack the code.) That produced a sequence of random letters from the alphabet. Mr. Ziraoui said he then worked through a half-dozen steps including letter-to-number substitutions, identifying coordinates in numbers and using a code-breaking program he created to crunch jumbles of letters into coherent words...

After two weeks of intense code-cracking, he deciphered the sentence, "LABOR DAY FIND 45.069 NORT 58.719 WEST." The message referred to coordinates based on the earth's magnetic field, not the more familiar geographic coordinates. The sequence zeroed in on a location near a school in South Lake Tahoe, a city in California referred to in another postcard believed to have been sent by the Zodiac killer in 1971.

An excited Mr. Ziraoui said he immediately turned to Z13, which supposedly revealed the killer's name, using the same encryption key and various cipher-cracking techniques. [The mostly un-coded letter includes a sentence which says "My name is _____," followed by a 13-character cipher.] After about an hour, Mr. Ziraoui said he came up with "KAYR," which he realized resembled the last name of Lawrence Kaye, a salesman and career criminal living in South Lake Tahoe who had been a suspect in the case. Mr. Kaye, who also used the pseudonym Kane, died in 2010.

The typo was similar to ones found in previous ciphers, he noticed, likely errors made by the killer when encoding the message. The result that was so close to Mr. Kaye's name and the South Lake Tahoe location were too much to be a coincidence, he thought. Mr. Kaye had been the subject of a report by Harvey Hines, a now-deceased police detective, who was convinced he was the Zodiac killer but was unable to convince his superiors. Around 2 a.m. on Jan. 3, an exhausted but elated Mr. Ziraoui posted a message entitled "Z13 — My Name is KAYE" on a 50,000-member Reddit forum dedicated to the Zodiac Killer.

The message was deleted within 30 minutes.

"Sorry, I've removed this one as part of a sort of general policy against Z13 solution posts," the forum's moderator wrote, arguing that the cipher was too short to be solvable.

Youtube

Police Arrest Three For Posting 10 Minute Movie Summaries On YouTube (torrentfreak.com) 125

AmiMoJo shares a report from TorrentFreak: Police in Japan have arrested three individuals who uploaded so-called "fast movies" to YouTube. These edits of mainstream movie titles, that use copyrighted content to reveal entire plotlines in around 10 minutes, are said to discourage people from watching the originals, costing the industry hundreds of millions in lost revenue. According to Content Overseas Distribution Association (CODA), there are channels with hundreds of uploads being viewed tens of millions of times, often with a for-profit motive. This means that they may fall outside traditional "fair use" style exceptions.

Miyagi Prefectural Police Life Safety Division and the Shiogama Police Station arrested three suspects under suspicion of uploading "fast movies" to YouTube without the rightsholders' consent. The arrests were reportedly carried out under the Copyright Act, which was boosted with new amendments on January 1, 2021. "From June to July 2020, the suspects edited 'I Am a Hero' and two other motion pictures owned by Toho Co., Ltd. as well as 'Cold Fish' and one other motion picture owned by Nikkatsu Corporation down to about 10 minutes without the permission of the right holders. Further, the suspects added narration and uploaded the videos to YouTube to earn advertising revenue," CODA explains. All of the channels shared by CODA appear to be operated from Japan but there is no shortage of YouTube channels operated from the US too.

Bitcoin

Monero Emerges As Crypto of Choice For Cybercriminals (arstechnica.com) 64

An anonymous reader quotes a report from Ars Technica: While bitcoin leaves a visible trail of transactions on its underlying blockchain, the niche "privacy coin" monero was designed to obscure the sender and receiver, as well as the amount exchanged. As a result, it has become an increasingly sought-after tool for criminals such as ransomware gangs, posing new problems for law enforcement. "We've seen ransomware groups specifically shifting to monero," said Bryce Webster-Jacobsen, director of intelligence at GroupSense, a cyber security group that has helped a growing number of victims pay out ransoms in monero. "[Cyber criminals] have recognized the ability for mistakes to be made using bitcoin that allow blockchain transactions to reveal their identity."

Russia-linked REvil, the notorious ransomware group believed to be behind the attack this month on meatpacker JBS, has removed the option of paying in bitcoin this year, demanding monero only, according to Brett Callow, threat analyst at Emsisoft. Meanwhile, both DarkSide, the group blamed for the Colonial Pipeline hack, and Babuk, which was behind the attack on Washington DC police this year, allow payments in either cryptocurrency but charge a 10 to 20 percent premium to victims paying in riskier bitcoin, experts say. Justin Ehrenhofer, a cryptocurrency compliance expert and member of the monero developer community, said that at the beginning of 2020, its use by ransomware gangs was "a rounding error." Today he estimates that about 10 to 20 percent of ransoms are paid in monero and that the figure will probably rise to 50 percent by the end of the year.

Crime

How Cybercriminals Almost Stole $1 Billion From Bangladesh's National Bank (bbc.com) 49

"In 2016 North Korean hackers planned a $1bn raid on Bangladesh's national bank," reports the BBC, "and came within an inch of success — it was only by a fluke that all but $81m of the transfers were halted, report Geoff White and Jean H Lee..."

"It all started with a malfunctioning printer..." It was located inside a highly secure room on the 10th floor of the bank's main office in Dhaka, the capital. Its job was to print out records of the multi-million-dollar transfers flowing in and out of the bank. When staff found it wasn't working, at 08:45 on Friday 5 February 2016, "we assumed it was a common problem just like any other day," duty manager Zubair Bin Huda later told police. "Such glitches had happened before." In fact, this was the first indication that Bangladesh Bank was in a lot of trouble. Hackers had broken into its computer networks, and at that very moment were carrying out the most audacious cyber-attack ever attempted. Their goal: to steal a billion dollars.

To spirit the money away, the gang behind the heist would use fake bank accounts, charities, casinos and a wide network of accomplices.... When the bank's staff rebooted the printer, they got some very worrying news. Spilling out of it were urgent messages from the Federal Reserve Bank in New York — the "Fed" — where Bangladesh keeps a US-dollar account. The Fed had received instructions, apparently from Bangladesh Bank, to drain the entire account — close to a billion dollars. The Bangladeshis tried to contact the Fed for clarification, but thanks to the hackers' very careful timing, they couldn't get through... The bank's HQ in Dhaka was beginning two days off. And when the Bangladeshis began to uncover the theft on Saturday, it was already the weekend in New York... And the hackers had another trick up their sleeve to buy even more time. Once they had transferred the money out of the Fed, they needed to send it somewhere. So they wired it to accounts they'd set up in Manila, the capital of the Philippines. And in 2016, Monday 8 February was the first day of the Lunar New Year, a national holiday across Asia...

They had had plenty of time to plan all of this, because it turns out the Lazarus Group had been lurking inside Bangladesh Bank's computer systems for a year... Once inside the bank's systems, Lazarus Group began stealthily hopping from computer to computer, working their way towards the digital vaults and the billions of dollars they contained... But they still had one final hurdle to clear — the printer on the 10th floor. Bangladesh Bank had created a paper back-up system to record all transfers made from its accounts. This record of transactions risked exposing the hackers' work instantly. And so they hacked into the software controlling it and took it out of action.

With their tracks covered, at 20:36 on Thursday 4 February 2016, the hackers began making their transfers — 35 in all, totalling $951m, almost the entire contents of Bangladesh Bank's New York Fed account.

There's more to the story — it's a whole episode on a 10-episode BBC World Service podcast which they're calling an example of "the new front line in a global battleground: a murky nexus of crime, espionage and nation-state power-mongering. And it's growing fast."

The story has a surprise ending — but along the way, the BBC's article points out that the consequences for the bank's governor were almost instant. "He was asked to resign," says U.S.-based cyber-security expert Rakesh Asthana. "I never saw him again."

Government

Ring Once Gave Free Cameras to 100 Los Angeles Police Officers (latimes.com) 31

"In a bid to bolster its claims as a crime-fighting tool, Ring deployed a tactic popular in the business world: influencer marketing," reports the Los Angeles Times. "It selected a cadre of brand ambassadors, rewarded them with free gadgets and discount codes, and urged them to use their connections to promote the Santa Monica security camera startup via word of mouth.

"In this case, the brand ambassadors were Los Angeles Police Department officers." "You are killing it, by the way. Your code has 14 uses, eleven more and I will be sending you every device that we sell," a Ring employee wrote to one officer in a 2016 email. "Do you have any community meetings or crime prevention fairs coming up?"

Ring provided at least 100 LAPD officers with one or more free devices or discount codes and encouraged them to recommend the company's web-connected doorbells and security cameras, emails reviewed by The Times reveal. In more than 15 cases, emails show that officers who received free gadgets or discounts promoted Ring products to fellow police officers or members of the public... [P]articipating officers got tens of thousands of dollars' worth of free and discounted electronics and helped establish a network of personal surveillance cameras that the LAPD could tap into with much less red tape than the typical means of obtaining video.

The practice, privacy and criminal justice experts warn, raises the question of whether LAPD officers were serving the public in their interactions with Ring, or if they were serving a private business and themselves...

It's unclear whether LAPD officers disclosed their arrangements with Ring to the public or fellow officers.

Crime

How a Murderer's Lies Were Exposed by His Cellphone and a Smartwatch (theguardian.com) 57

"Modern technology makes it so much harder to commit a crime of passion and get away with it," writes long-time Slashdot reader knaapie, summarizing a story from the Guardian: A Greek pilot claiming he and his wife were robbed, and his wife strangled by the assailants, has now admitted that he himself killed his wife. Police were already suspicious of him and found evidence from phones and the watch of the deceased that implicated him.

In staging the scene of a crime, the suspect even tied up his own hands and those of his dead wife — and strangled their dog. And he'd insisted on his version of the story for five weeks, according to the Guardian.

But then... A pulse monitor on the watch showed his wife was dead at a time before he claimed the raid had taken place, while a fitness app on his phone proved he was moving around the house at the time he said he had been blindfolded and tied up.

In both cases, the findings conflicted with the timeline of events the professional pilot had previously given. A memory card removed at 1.20am from the security camera of the couple's home, several hours before 4.30am when he claimed the thieves had broken in, provided further evidence.

Security

Ransomware Attack Targeted Teamsters Union in 2019. But They Just Refused to Pay (nbcnews.com) 149

NBC reports that America's "Teamsters" labor union was hit by a ransomware attack demanding $2.5 million back in 2019.

"But unlike many of the companies hit by high-profile ransomware attacks in recent months, the union declined to pay, despite the FBI's advice to do so, three sources familiar with the previously unreported cyberattack told NBC News." Personal information for the millions of active and retired members was never compromised, according to a Teamsters spokesperson, who also said that only one of the union's two email systems was frozen along with other data. Teamsters officials alerted the FBI and asked for help in identifying the source of the attack. They were told that many similar hacks were happening and that the FBI would not be able to assist in pursuing the culprit.

The FBI advised the Teamsters to "just pay it," the first source said. "They said 'this is happening all over D.C. ... and we're not doing anything about it,'" a second source said.

Union officials in Washington were divided over whether to pay the ransom — going so far as to bargain the number down to $1.1 million, according to the sources — but eventually sided with their insurance company, which urged them not to pony up... The Teamsters decided to rebuild their systems, and 99 percent of their data has been restored from archival material — some of it from hard copies — according to the union's spokesperson.

The FBI's communications office did not reply to repeated requests for comment. The FBI's stance is to discourage ransomware payments.

NBC News draws a lesson from the fact that it took nearly two years for this story to emerge. "An unknown number of companies and organizations have been extorted without ever saying a word about it publicly."

Bitcoin

Is Bitcoin More Traceable Than Cash? (seattletimes.com) 181

The New York Times argues that this week changed Bitcoin's reputation as "secure, decentralized and anonymous" (adding "Criminals, often operating in hidden reaches of the internet, flocked to Bitcoin to do illicit business without revealing their names or locations. The digital currency quickly became as popular with drug dealers and tax evaders as it was with contrarian libertarians.")

"But this week's revelation that federal officials had recovered most of the Bitcoin ransom paid in the recent Colonial Pipeline ransomware attack exposed a fundamental misconception about cryptocurrencies: They are not as hard to track as cybercriminals think..." [F]or the growing community of cryptocurrency enthusiasts and investors, the fact that federal investigators had tracked the ransom as it moved through at least 23 different electronic accounts belonging to DarkSide, the hacking collective, before accessing one account showed that law enforcement was growing along with the industry... The Bitcoin ledger can be viewed by anyone who is plugged into the blockchain. "It is digital bread crumbs," said Kathryn Haun, a former federal prosecutor and investor at venture-capital firm Andreessen Horowitz. "There's a trail law enforcement can follow rather nicely." Haun added that the speed with which the Justice Department seized most of the ransom was "groundbreaking" precisely because of the hackers' use of cryptocurrency. In contrast, she said, getting records from banks often requires months or years of navigating paperwork and bureaucracy, especially when those banks are overseas...

Tracking down a user's transaction history was a matter of figuring out which public key they controlled, authorities said. Seizing the assets then required obtaining the private key, which is more difficult. It's unclear how federal agents were able to get DarkSide's private key. Justice Department spokesman Marc Raimondi declined to say more about how the F.B.I. seized DarkSide's private key. According to court documents, investigators accessed the password for one of the hackers' Bitcoin wallets, though they did not detail how. The F.B.I. did not appear to rely on any underlying vulnerability in blockchain technology, cryptocurrency experts said. The likelier culprit was good old-fashioned police work. Federal agents could have seized DarkSide's private keys by planting a human spy inside DarkSide's network, hacking the computers where their private keys and passwords were stored, or compelling the service that holds their private wallet to turn them over via search warrant or other means. "If they can get their hands on the keys, it's seizable," said Jesse Proudman, founder of Makara, a cryptocurrency investment site. "Just putting it on a blockchain doesn't absolve that fact...."

The F.B.I. has partnered with several companies that specialize in tracking cryptocurrencies across digital accounts, according to officials, court documents and the companies. Start-ups with names like TRM Labs, Elliptic and Chainalysis that trace cryptocurrency payments and flag possible criminal activity have blossomed as law enforcement agencies and banks try to get ahead of financial crime. Their technology traces blockchains looking for patterns that suggest illegal activity... "Cryptocurrency allows us to use these tools to trace funds and financial flows along the blockchain in ways that we could never do with cash," said Ari Redbord, the head of legal affairs at TRM Labs, a blockchain intelligence company that sells its analytic software to law enforcement and banks. He was previously a senior adviser on financial intelligence and terrorism at the Treasury Department.

The story includes three intriguing quotes:
  • Justice Department spokesman Marc Raimondi said the Colonial Pipeline ransom seizure was only the latest of "many seizures, in the hundreds of millions of dollars, from unhosted cryptocurrency wallets" used for criminal activity.
  • Hunter Horsley, chief executive of cryptocurrency investment company Bitwise Asset Management, said "The public is slowly being shown, in case after case, that Bitcoin is good for law enforcement and bad for crime — the opposite of what many historically believed."
  • A spokesperson for Chainalysis, a start-up that traces cryptocurrency payments, tells the Times that in the end, "cryptocurrencies are actually more transparent than most other forms of value transfer. Certainly more transparent than cash."

Privacy

4+ Years in Prison for Home Security Worker Who Accessed Security Cameras to Spy on Women (msn.com) 107

A security camera installation worker for ADT was sentenced Wednesday to a little more than four years in federal prison for illegally accessing the security cameras of more than 200 North Texas customers, reports the Dallas Morning News: Telesforo Aviles, age 35, faced a maximum of five years in prison for computer fraud under the terms of his plea agreement, in which he admitted to accessing customer accounts over 9,600 times since 2015.

He was cuffed and taken into custody to begin serving his sentence after the hearing.

The quiet and introverted technician, a senior supervisor with 17 years at ADT, was caught last year after the company was alerted by a customer to suspicious activity, said his lawyer, Tom Pappas. Aviles, who is married with five children, turned himself in when he was asked to, Pappas said. "He's mortified by what he did," Pappas said. "He sees what he did as a betrayal of himself, too." Of the nearly 10,000 images Aviles accessed, about 40 were "sexual in nature" and none involved children, Pappas said.

An ADT spokesman said the company had no comment.

Assistant U.S. Attorney Sid Mody had asked Starr to give Aviles the maximum sentence, saying that while 217 accounts were accessed, the total number of victims is much higher given that each household had multiple family members. That violation, he said, destroyed "in the worst way" their sense of feeling safe and secure at home... Starr said he considered Aviles' cooperation with authorities and lack of a criminal history as well as the fact that the conduct involved a "lengthy period of time." Aviles noted the homes that had "attractive women" and repeatedly logged into their accounts to view the footage, prosecutors said...

ADT has since been hit with class-action lawsuits from customers over the breach.

The article also notes the story of one woman who filed a federal lawsuit last month against ADT. She'd told the court Aviles persuaded her to install cameras in her bedrooms after she'd specifically questioned whether it was truly necessary. "Aviles told her that it was necessary because a burglar could enter the house through the bedroom windows, and the cameras would monitor that," her lawsuit says. "Of course, Aviles' placement of the cameras had nothing to do with potential burglars."

In a statement filed with the court, one female homeowner reportedly wrote that "This deliberate and calculated invasion of privacy is arguably more harmful than if I had installed no security system and my house had been burglarized."

United States

Senate To Probe Whether Legislation Needed To Combat Cyber Attacks (reuters.com) 54

U.S. Senate Majority Leader Chuck Schumer on Thursday said he is initiating a review of recent high-profile cyber attacks on governments and businesses to find out whether a legislative response is needed. From a report: "Today I am asking Chairman Gary Peters of our Homeland Security Committee and our other relevant committee chairs to begin a government-wide review of these attacks and determine what legislation may be needed to counter the threat of cyber crime and bring the fight to the cyber criminals." Schumer noted that the New York City subway system was the victim of a computer hack in early June. This came on the heels of Colonial Pipeline having to shut down some operations, resulting in disrupted fuel supplies in the U.S. Southeast, as a result of a cyber attack.

Cloud

Man Pleads Guilty to Plotting to Bomb Amazon Data Center 163

A Texas man who had boasted that he was at the United States Capitol when swarms of Trump supporters stormed the building on Jan. 6 pleaded guilty on Wednesday to charges of plotting to blow up an Amazon data center in Virginia, prosecutors said. The New York Times reports: The man, Seth Aaron Pendley, 28, of Wichita Falls, Texas, had been arrested in April after he went to pick up what he believed were bombs made of C-4 plastic explosives and detonation cords from an explosives supplier in Fort Worth, but were actually inert objects provided by an undercover F.B.I. agent, prosecutors said. In a conversation recorded by an undercover agent on March 31, Mr. Pendley said he had hoped to anger "the oligarchy" enough to provoke a reaction that would persuade Americans to take action against what he perceived to be a "dictatorship," prosecutors said.

On Wednesday, in an appearance before Magistrate Judge Hal R. Ray Jr. of U.S. District Court for the Northern District of Texas, Mr. Pendley pleaded guilty to a malicious attempt to destroy a building with an explosive. He faces five to 20 years in federal prison. His sentencing has been set for Oct. 1. "Due in large part to the meticulous work of the F.B.I.'s undercover agents, the Justice Department was able to expose Mr. Pendley's twisted plot and apprehend the defendant before he was able to inflict any real harm," Prerak Shah, the acting U.S. attorney for the Northern District of Texas, said in a statement. "We may never know how many tech workers' lives were saved through this operation -- and we're grateful we never had to find out."

Crime

FBI Charges Woman With Writing Code For 'Trickbot' Ransomware Gang (justice.gov) 38

Slashdot reader Charlotte Web summarizes a Department of Justice press release: The U.S. Department of Justice says "millions" of computers around the world were infected with the Trickbot malware, which was used "to harvest banking credentials and deliver ransomware."

In February they arrested a 55-year-old woman in Miami, Florida, saying she and her associates "are accused of infecting tens of millions of computers worldwide, in an effort to steal financial information to ultimately siphon off millions of dollars through compromised computer systems," according to Special Agent in Charge Eric B. Smith of the FBI's Cleveland Field Office. In October ZDNet was calling Trickbot "one of today's largest malware botnets and cybercrime operations."

Yesterday that woman — Alla Witte, aka "Max" — was arraigned in federal court in Cleveland, Ohio. According to the indictment, Witte worked as a malware developer for the Trickbot Group and wrote code related to the control, deployment, and payments of ransomware.

From the Department of Justice announcement:

The ransomware informed victims that their computer was encrypted, and that they would need to purchase special software through a Bitcoin address controlled by the Trickbot Group to decrypt their files. In addition, Witte allegedly provided code to the Trickbot Group that monitored and tracked authorized users of the malware and developed tools and protocols to store stolen login credentials... Witte and her co-conspirators allegedly worked together to infect victim computers with the Trickbot malware designed to capture online banking login credentials and harvest other personal information, including credit card numbers, emails, passwords, dates of birth, social security numbers and addresses. Witte and others also allegedly captured login credentials and other stolen personal information to gain access to online bank accounts, execute unauthorized electronic funds transfers and launder the money through U.S. and foreign beneficiary accounts...

If convicted, Witte faces a maximum penalty of 30 years in prison for conspiracy to commit wire and bank fraud; 30 years in prison for each substantive bank fraud count; a two-year mandatory sentence for each aggravated identity theft count, which must be served consecutively to any other sentence; and 20 years in prison for conspiracy to commit money laundering.


The indictment alleges that "beginning in November 2015, Witte and others stole money and confidential information from unsuspecting victims, including businesses and their financial institutions in the United States, United Kingdom, Australia, Belgium, Canada, Germany, India, Italy, Mexico, Spain, and Russia through the use of the Trickbot malware." The AP reports the group is now accused of targeting high-reward victims which included hospitals, schools, public utilities, and governments, as well as real estate and law firms and country clubs.

Interestingly, this case is part of the U.S. Department of Justice's "Ransomware and Digital Extortion Task Force," with its Criminal Division working with the U.S. Attorneys' Offices and prioritizing the disruption, investigation, and prosecution of ransomware "by tracking and dismantling the development and deployment of malware, identifying the cybercriminals responsible, and holding those individuals accountable for their crimes," according to the department's statement. "The department, through the Task Force, also strategically targets the ransomware criminal ecosystem as a whole and collaborates with domestic and foreign government agencies as well as private sector partners to combat this significant criminal threat."

"These charges serve as a warning to would-be cybercriminals," said Deputy Attorney General Lisa O. Monaco, "that the Department of Justice, through the Ransomware and Digital Extortion Task Force and alongside our partners, will use all the tools at our disposal to disrupt the cybercriminal ecosystem."

Crime

Tech Scammer Who Fooled Cisco, Microsoft and Lenovo Out of Millions Jailed For Over Seven Years (theregister.com) 26

An anonymous reader quotes a report from The Register: A scammer who convinced some of the world's biggest tech businesses to send him replacement kit has been sentenced to seven years and eight months in the U.S. prison system. Justin David May, 31, used stolen hardware serial numbers, a plethora of fake websites and online identities, social engineering tactics, and a network of associates, to scam Cisco out of nearly $3.5m in hardware in just 12 months. Microsoft lost 137 Surface laptops (retail cost $364,761) to the crew, with Lenovo US also losing 137 replacement hard drives worth $143,000 and APC (formerly American Power Conversion) getting scammed out of a few uninterruptible power supplies. May pled guilty to 42 counts of mail fraud, 10 counts of money laundering, three counts of interstate transportation of goods obtained by fraud, and two counts of tax evasion.

In the largest scam against Cisco, run from April 2016, according to court documents [PDF] filed in eastern district court of Pennsylvania, May and the team set up domains and email addresses to mimic cisco.com user IDs and harvested serial numbers of legit machinery. They then used these to trick Cisco into sending out replacement kit, such as a Cisco Catalyst 3850-48P-E Switch worth around $21,000 at the time, and a couple of Cisco ASR 9001 routers priced at over $100,000 for the pair. The same scam worked well for Microsoft and Lenovo too, it seems. The court docs note that May was skilled at picking imaginary faults that weren't remotely repairable, such as basic software issues, but which were more obvious as serious flaws needing a replacement unit. In addition the crew digitally altered images of their supposed kit and serial numbers to fool support staff. Once the hardware was received, usually via UPS or FedEx, the companies never got the faulty kit back because it never existed. Meanwhile the packages were picked up, sold on eBay and other second-hand sites, and the cash pocketed, or in the case of Microsoft, some of the hardware shipped to Singapore for resale.

United States

Two New Laws Restrict Police Use of DNA Search Method (nytimes.com) 80

New laws in Maryland and Montana are the first in the nation to restrict law enforcement's use of genetic genealogy, the DNA matching technique that in 2018 identified the Golden State Killer, in an effort to ensure the genetic privacy of the accused and their relatives. From a report: Beginning on Oct. 1, investigators working on Maryland cases will need a judge's signoff before using the method, in which a "profile" of thousands of DNA markers from a crime scene is uploaded to genealogy websites to find relatives of the culprit. The new law, sponsored by Democratic lawmakers, also dictates that the technique be used only for serious crimes, such as murder and sexual assault. And it states that investigators may only use websites with strict policies around user consent. Montana's new law, sponsored by a Republican, is narrower, requiring that government investigators obtain a search warrant before using a consumer DNA database, unless the consumer has waived the right to privacy.

The laws "demonstrate that people across the political spectrum find law enforcement use of consumer genetic data chilling, concerning and privacy-invasive," said Natalie Ram, a law professor at the University of Maryland who championed the Maryland law. "I hope to see more states embrace robust regulation of this law enforcement technique in the future." Privacy advocates like Ms. Ram have been worried about genetic genealogy since 2018, when it was used to great fanfare to reveal the identity of the Golden State Killer, who murdered 13 people and raped dozens of women in the 1970s and '80s. After matching the killer's DNA to entries in two large genealogy databases, GEDmatch and FamilyTreeDNA, investigators in California identified some of the culprit's cousins, and then spent months building his family tree to deduce his name -- Joseph James DeAngelo Jr. -- and arrest him.

Social Networks

Viral TikTok Video Attracts 2,500 Teenagers to Rowdy California Birthday Party. 175 Arrested (sfgate.com) 97

A birthday party for 17-year-old Adrian Lopez turned into a viral TikTok event that drew thousands of unruly party-goers to Huntington Beach, California, reports the Los Angeles Times.

Just not Adrian Lopez, "who in the days leading up to the party was increasingly nervous about all the attention." When it was over, more than 175 people were arrested, city officials and merchants were adding up the damage, and everyone was wondering who should be blamed and who should be billed...

The high schooler's invitation was picked up by TikTok's "For You" algorithm and viewed by people across the country. The announcement was curious: Who was this mystery teen, and would anyone actually go to his party? Some TikTok users, including internet celebrities, began posting about it, and videos with the hashtag #adrianskickback have since drawn more than 326 million views.

On Saturday night, roughly 2,500 teenagers and young adults — some who say they drove for hours or flew in from other states — converged on the Huntington Beach Pier and downtown area in a gathering that devolved into mayhem. Partygoers blasted fireworks into a mob in the middle of Pacific Coast Highway, jumped on police cars, scaled palm trees and flag poles and leapt from the pier into throngs of people below to crowd-surf. A window at CVS was smashed, businesses were tagged with graffiti, and the roof of Lifeguard Tower 13 collapsed after it was scaled...

Authorities spotted the party announcement when it began circulating last week and immediately began staffing up in preparation for what was being billed as a weekend-long event. In all, more than 150 officers from nearly every police agency in Orange County were called out to the beach Saturday night to help get the crowd under control. Clashes with police broke out Saturday, and officers fired rubber bullets and pepper projectiles as they tried to disperse the crowd. Eventually, authorities issued an overnight curfew to clear the streets...

The majority of those taken into custody over the weekend were not from Orange County, police said.

One 53-year-old watching the crowd told the Times that "Literally they were playing in traffic on the Pacific Coast Highway." But the Times also got a quote from one 18-year-old attendee who "went to last Saturday's party but said he does not condone the debauchery that ensued."

"People my age haven't gone out in a year... It was to get the ball rolling. This is the start of summer."
