Robert Grupe's AppSecNewsBits 2025-01-25

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Sage Copilot grounded briefly to fix AI misbehavior
Sage Group plc has confirmed it temporarily suspended its Sage Copilot, an AI assistant for the UK-based business software maker's accounting tools, this month after it blurted customer information to other users.
A customer found when they asked [Sage Copilot] to show a list of recent invoices, the AI pulled data from other customer accounts including their own.
The biz described the blunder as a "minor issue", and denied the machine-learning system had leaked GDPR-sensitive data as some had feared.
AI models make cybersecurity more difficult. And they generally come with warnings that their output needs to be verified since they're often wrong. Nonetheless, companies insist on deploying AI services, occasionally to their chagrin.
Apple this week suspended Apple Intelligence's news summarization capability following concerns that the service's AI summaries were inaccurate.

PowerSchool hacker claims they stole data of 62 million students
The hacker who breached education tech giant PowerSchool claimed in an extortion demand that they stole the personal data of 62.4 million students and 9.5 million teachers, of 6,505 school districts in the US, Canada, and other countries.
PowerSchool is a cloud-based software solutions provider for K-12 schools and districts that provides tools for enrollment, communication, attendance, staff management, learning systems, analytics, and finance.
On January 7th, PowerSchool disclosed that it suffered a cyberattack after a threat actor used stolen credentials to access the company's PowerSource customer support portal. Using this access, the threat actor utilized a customer support maintenance access tool to download student and teacher data from districts' PowerSIS databases. PowerSchool paid a ransom to prevent the stolen data from being leaked privately, seeing a video of the threat actor claiming to delete the data.
PowerSchool promised to release an incident report based on CrowdStrike's investigations on January 17th, but that date has passed without a report being published.

HPE (Hewlett Packard Enterprise) Investigating Breach Claims After Hacker Offers to Sell Data
The notorious hacker IntelBroker announced on January 16 on a cybercrime forum that he is selling files obtained from HPE systems.
The compromised data allegedly includes source code for products such as Zerto and iLO, private GitHub repositories, digital certificates, Docker builds, and even some personal information that the hacker described as “old user PII for deliveries”. IntelBroker is also offering access to some services used by HPE, including APIs, WePay, GitHub and GitLab.

UnitedHealth confirms 190 million Americans affected by Change Healthcare data breach
Change Healthcare has determined the estimated total number of individuals impacted by the Change Healthcare cyberattack is approximately 190 million. The vast majority of those people have already been provided individual or substitute notice. The final number will be confirmed and filed with the Office for Civil Rights at a later date.
The company was “not aware of any misuse of individuals’ information as a result of this incident and has not seen electronic medical record databases appear in the data during the analysis.”
UnitedHealth previously put the number of affected individuals at around 100 million people when the company filed its preliminary analysis with the Office for Civil Rights, the unit under the U.S. Department of Health and Human Services that investigates data breaches.

British Museum forced to partly close after alleged IT attack by former employee
The British Museum was forced to partly close on Friday after its IT infrastructure was allegedly attacked by a former employee. The contractor, who was recently dismissed, was able to get back into the building and shut down several systems including its ticketing platform While the museum remained open, only a handful of ticket holders were able to access its paid-for exhibitions. “An IT contractor who was dismissed last week trespassed into the museum and shut down several of our systems. Police attended and he was arrested at the scene."

Subaru Starlink flaw let hackers hijack cars in US and Canada
The STARLINK admin dashboard should have access to pretty much any Subaru in the United States, Canada, and Japan.
A video demonstrates how the Starlink vulnerability could be exploited to get more than a year's worth of location data for a Subaru car within just 10 seconds.
Subaru Starlink's admin portal contained an arbitrary account takeover flaw stemming from a "resetPassword.json" API endpoint designed to allow Subaru employees to reset their accounts using a valid email without a confirmation token.
After taking over an employee's account, Curry also had to bypass a two-factor authentication (2FA) prompt to access the portal. However, this was also easily circumvented by removing the client-side overlay from the portal's user interface. The vulnerability was fixed within 24 hours of the researchers' report.
Hackers get $886,250 for 49 zero-days at Pwn2Own Automotive 2025
Cybersecurity Threats To Modern Cars: How Hackers Are Taking Control Subaru's case is not isolated. Other automakers have faced similar vulnerabilities, such as a flaw in Kia's dealer portal that allowed hackers to locate and steal vehicles using their license plates.
These examples reveal systemic issues in the design and deployment of connected car systems, including:

1. Weak authentication makes it easier for attackers to break into sensitive systems.

2. Centralized systems store large amounts of sensitive user and vehicle data, making breaches more likely.

3. Many connected car platforms do not encrypt data properly, leaving it vulnerable during transmission.

4. Poor integration with third-party apps and portals creates security gaps.

5. Automakers often take too long to find and fix vulnerabilities, leaving vehicles exposed for longer than necessary.

MasterCard DNS Error Went Unnoticed for Years
All of the Akamai DNS server names that MasterCard uses are supposed to end in “akam[.]net” but one of them was misconfigured to rely on the domain “akam[.]ne.” The misconfiguration persisted for nearly five years.
This tiny but potentially critical typo was discovered recently by security researcher Philippe Caturegli. He guessed that nobody had yet registered the domain akam[.]ne, which is under the purview of the top-level domain authority for the West Africa nation of Niger. It took $300 and nearly three months of waiting to secure the domain with the registry in Niger.
After enabling a DNS server on akam[.]ne, he noticed hundreds of thousands of DNS requests hitting his server each day from locations around the globe. Apparently, MasterCard wasn’t the only organization that had fat-fingered a DNS entry to include “akam[.]ne,” but they were by far the largest.
Had he enabled an email server on his new domain akam[.]ne, Caturegli likely would have received wayward emails directed toward mastercard[.]com or other affected domains. If he’d abused his access, he probably could have obtained website encryption certificates (SSL/TLS certs) that were authorized to accept and relay web traffic for affected websites. He may even have been able to passively receive Microsoft Windows authentication credentials from employee computers at affected companies.
“We have looked into the matter and there was not a risk to our systems,” a MasterCard spokesperson wrote. “This typo has now been corrected. We obviously disagree with this assessment.”
The misconfigured DNS server Caturegli found involved the MasterCard subdomain az[.]mastercard[.]com. It is not clear exactly how this subdomain is used by MasterCard, however their naming conventions suggest the domains correspond to production servers at Microsoft’s Azure cloud service. The researcher said he’d hoped that the credit card giant might thank him, or at least offer to cover the cost of buying the domain.
“Don’t be like Mastercard,” Caturegli concluded. “Don’t dismiss risk, and don’t let your marketing team handle security disclosures.”

Researchers say new attack could take down the European power grid
Researchers revealed a finding that’s likely to shock some people and confirm the low expectations of others: Renewable energy facilities throughout Central Europe use unencrypted radio signals to receive commands to feed or ditch power into or from the grid that serves some 450 million people throughout the continent.
After observing a radio receiver on the streetlight poles throughout Berlin, researchers got to wondering: Would it be possible for someone with a central transmitter to control them en masse, and if so, could they create a city-wide light installation along the lines of Project Blinkenlights? The first Project Blinkenlights iteration occurred in 2001 in Berlin, when the lights inside a large building were synchronized to turn on and off to give the appearance of a giant, low-resolution monochrome computer screen.
They then learned something more surprising—the very same system for controlling Berlin’s lights was used throughout Central Europe to control other regional infrastructure, including switches that regulate the amount of power renewable electric generation facilities feed into the grid.

Cloudflare CDN flaw leaks user location data, even through secure chat apps
A flaw in Cloudflare's content delivery network (CDN), which could expose a person's general location by simply sending them an image on platforms like Signal and Discord. While the geo-locating capability of the attack is not precise enough for street-level tracking, it can provide enough data to infer what geographic region a person lives in and monitor their movements. This finding is particularly concerning for people who are highly concerned about their privacy, like journalists, activists, dissidents, and even cybercriminals.
Cloudflare caches media resources at the data center nearest to the user to improve load times. To conduct the information-disclosure attack, the researcher would send a message to someone with a unique image, whether that be a screenshot or even a profile avatar, hosted on Cloudflare's CDN. Next, he leveraged a bug in Cloudflare Workers that allows forcing requests through specific data centers using a custom tool called Cloudflare Teleport.
Responding to a subsequent request, Cloudflare told the researcher that it is ultimately the users' responsibility to disable caching.

PayPal to pay NY $2 million settlement over 2022 data breach
In 2023, PayPal disclosed that threat actors conducted a large-scale credentials stuffing attack between December 6th and December 8th, 2022, where 35,000 accounts were breached.
New York State has announced a $2,000,000 settlement with PayPal over charges it failed to comply with the state's cybersecurity regulations, leading to a 2022 data breach.
Customer data was exposed after PayPal implemented changes to existing data flows to make IRS Form 1099-Ks available to more of its customers. However, the teams tasked with implementing these changes were not trained on PayPal's systems and application development processes.
As a result, they failed to follow proper procedures before the changes went live. Following the faulty implementation, cybercriminals holding valid credentials for PayPal accounts were able to access those accounts and their 1099-K forms, which revealed a lot of sensitive information. The success of these "credential stuffing" attacks hinged upon the lack of multi-factor authentication (MFA) protection, which was not mandatory on the platform at the time. This, combined with weak access controls allowing automated login attempts without CAPTCHA or rate limiting, constituted key compliance failures for PayPal.

Unsecured Tunneling Protocols Expose 4.2 Million Hosts, Including VPNs and Routers
As many as 4.2 million hosts have been found susceptible to the attacks, including VPN servers, ISP home routers, core internet routers, mobile network gateways, and content delivery network (CDN) nodes.
The vulnerabilities are rooted in the fact that the tunneling protocols such as IP6IP6, GRE6, 4in6, and 6in4, which are mainly used to facilitate data transfers between two disconnected networks, do not authenticate and encrypt traffic without adequate security protocols like Internet Protocol Security (IPsec).
The absence of additional security guardrails opens the door to a scenario where an attacker can inject malicious traffic into a tunnel. Vulnerable systems may also allow access to an organization's private network or be abused to perform DDoS attacks. As defenses, it's recommended to use IPSec or WireGuard to provide authentication and encryption, and only accept tunneling packets from trusted sources.
At the network level, it's also advised to implement traffic filtering on routers and middleboxes, carry out Deep packet inspection (DPI), and block all unencrypted tunneling packets.

What's Weak This Week

• SonicWall SMA1000 Appliances Deserialization Vulnerability: SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC) contain a deserialization of untrusted data vulnerability, which can enable a remote, unauthenticated attacker to execute arbitrary OS commands.

• JQuery Cross-Site Scripting (XSS) Vulnerability: JQuery contains a persistent cross-site scripting (XSS) vulnerability. When passing maliciously formed, untrusted input enclosed in HTML tags, JQuery's DOM manipulators can execute untrusted code in the context of the user's browser.

HACKING
Warning As 70-Year-Old Parks Car And Becomes An Unwilling Gamer
A 70-year-old woman was running late for her hospital appointment as she parked her car and scanned the QR code to pay the £3 ($3.85) parking fee. She was also required to enter her name and email address.
It wasn’t until she got home that things got even more worrisome: she had emails informing her that she had signed up for two gamer subscriptions. Although these were each for the same £3 ($3.85) amount, further investigation revealed this was a three-day trial, and the subscriptions would automatically renew at £17.49 ($21.85) thereafter.
Unfortunately, QR code scams in car parks are incredibly common.
Countermeasures include checking if the QR code looks tampered with and paying particular attention to the website it takes you to, in terms of being as expected and legitimate. Best yet, use an alternative method to pay for your car parking that isn’t as easy to use in a fraudulent attack.

The Internet is (once again) awash with IoT botnets delivering record DDoSes
We’re only three weeks into 2025, and it’s already shaping up to be the year of Internet of Things-driven DDoSes.
Reports are rolling in of threat actors infecting thousands of home and office routers, web cameras, and other Internet-connected devices. Cloudflare reported on a recent distributed denial-of-service attack that delivered 5.6 terabits per second of junk traffic—a new record for the largest DDoS ever reported. The deluge, directed at an unnamed Cloudflare customer, came from 13,000 IoT devices infected by a variant of Mirai, a potent piece of malware with a long history of delivering massive DDoSes of once-unimaginable sizes.
The same day, security company Qualys published research detailing a "large-scale, ongoing operation" dubbed the Murdoc Botnet. It exploits vulnerabilities to install a Mirai variant, primarily on AVTECH Cameras and Huawei HG532 routers.
Cloudflare: Record-breaking 5.6 Tbps DDoS attack and global DDoS trends for 2024 Q4 

Backdoor infecting Juniper Network’s Junos OS VPNs used “magic packets” for stealth and security
When threat actors use backdoor malware to gain access to a network, they want to make sure all their hard work can’t be leveraged by competing groups or detected by defenders. One countermeasure is to equip the backdoor with a passive agent that remains dormant until it receives what’s known in the business as a “magic packet.”
Magic packets give backdoors more stealth because the malware doesn't need to open a specific port to listen for incoming connections. Defenders routinely scan their networks for such ports. If they spot an open port they don’t recognize, it’s likely the infection will be detected.
Backdoors like J-Magic listen to all incoming data and search for tiny specks of it that meet certain conditions. The lightweight backdoor is also notable because it resided only in memory, a trait that makes detection harder for defenders.
While this is not the first discovery of magic packet malware, there have only been a handful of campaigns in recent years,” the researchers wrote. “The combination of targeting Junos OS routers that serve as a VPN gateway and deploying a passive listening in-memory only agent, makes this an interesting confluence of tradecraft worthy of further observation.

FBI: North Korean IT workers steal source code to extort employers
North Korean IT workers have copied company code repositories, such as GitHub, to their own user profiles and personal cloud accounts. While not uncommon among software developers, this activity represents a large-scale risk of theft of company code. North Korean IT workers could attempt to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices and for further compromise opportunities.
To mitigate these risks, the FBI advised companies to apply the principle of least privilege by disabling local administrator accounts and limiting permissions for remote desktop applications. Organizations should also monitor for unusual network traffic, especially remote connections since North Korean IT personnel often log into the same account from various IP addresses over a short period of time.
It also recommended reviewing network logs and browser sessions for potential data exfiltration through shared drives, cloud accounts, and private code repositories.
This public service announcement follows repeated warnings issued by the FBI over the years regarding North Korea's large army of IT workers, which hide their true identities to get hired at hundreds of companies in the United States and worldwide. Also referred to as "IT warriors," they impersonate U.S.-based IT staff by connecting to enterprise networks via U.S.-based laptop farms.
In August, U.S. law enforcement dismantled a Nashville laptop farm and an Arizona one in May. After being discovered and fired, undercover North Korean IT workers have used insider knowledge to extort their former employers, threatening to leak sensitive information they stole from company systems.
5 indicted as FBI warns North Korea dials up aggression, plus Russian devs allegedly get in on the act 

APPSEC
Blockchains: OWASP Top 10 2025 – Most Critical Weaknesses Exploited/Discovered
As decentralized finance (DeFi) and blockchain technology continue to grow, the importance of robust smart contract security has never been more evident. The latest list reflects evolving attack vectors and highlights the vulnerabilities that have been most exploited or discovered in recent years.
The OWASP Smart Contract Top 10 serves as a vital resource for developers, auditors, and security professionals, offering insights into common weaknesses and mitigation strategies.
It complements other OWASP projects, such as the Smart Contract Security Verification Standard (SCSVS) and Smart Contract Security Testing Guide (SCSTG), providing a holistic approach to securing blockchain ecosystems.
OWASP Smart Contract Top 10 

AWS: Secure a generative AI assistant with OWASP Top 10 mitigation
Before it can be deployed, there is the typical production readiness assessment that includes concerns such as understanding the security posture, monitoring and logging, cost tracking, resilience, and more.
The highest priority of these production readiness assessments is usually security. If there are security risks that can’t be clearly identified, then they can’t be addressed, and that can halt the production deployment of the generative AI application.
In this post, we show you an example of a generative AI assistant application and demonstrate how to assess its security posture using the OWASP Top 10 for Large Language Model Applications, as well as how to apply mitigations for common threats.

How organizations can secure their AI code 

• Ensure software packages are identified: One way to address this is to use software composition analysis (SCA) and software supply chain security tools which help identify the libraries that are in use, the vulnerabilities and the potential legal and compliance issues that might bring.

• Watch for ML models from community hubs: To address these risks, CISOs can establish protocols for downloading and integrating ML models or datasets from external platforms such as Hugging Face. This includes implementing automated scanning tools to detect malicious code or backdoors, having a policy that only allows the use of models from verified publishers, or conducting internal testing in isolated environments.

• Ensure no sensitive information is leaking through AI coding assistants: While there’s no silver bullet, organizations can do a couple of things to decrease this risk. Using self-hosted AI systems that don’t report data back is an answer that works. Another is to ensure data cannot enter.

• Look outside traditional development teams: Cybersecurity leaders might also want to set up training programs tailored to non-traditional development teams to educate data analysts, marketing professionals, and researchers on the potential risks associated with AI-based tools and libraries.

• Safe resources for application security: Organizations need to develop comprehensive strategies that balance the productivity benefits of AI tools with robust security practices.

• The risk of unsafe AI-powered open-source libraries: Instead of paying code completion tool subscriptions, it should invest in the knowledge development of its staff.

VENDORS

As OpenAI launches $500B “Stargate” project, critics express skepticism
OpenAI, SoftBank, Oracle, and MGX announced plans to form Stargate, a new company that will invest $500 billion in AI computing infrastructure across the United States over four years. OpenAI says the goal of Stargate is to kickstart building more data centers to expand computing capacity for current and future AI projects, including OpenAI's goal of "AGI," which the company defines as a highly autonomous AI system that "outperforms humans at most economically valuable work."
SoftBank will handle financial operations for Stargate while OpenAI manages technical operations. The partnership includes technology collaborations with Arm, Microsoft, and Nvidia. Notably, MGX is part of Abu Dhabi's push into AI investments, backed by substantial sovereign wealth from the United Arab Emirates.
Some frequent OpenAI critics, like tech writer Ed Zitron, have already begun to question whether Stargate can come up with the initial $100 billion in funds, much less the $500 billion they expect to raise over time. Notably, the US government has not announced any government dollars directly invested in the project. OpenAI and SoftBank have each committed $19 billion to the new venture. Tech writer Ed Zitron referencing OpenAI's $5 billion in losses in 2024, "Oh my god, this is completely ridiculous. OpenAI will raise another $19bn in debt/equity? This company loses $5bn+ a year! So what, they raise $19bn for Stargate, then what, another $10bn just to be able to survive?"

Stargate, smargate. We're spending $60B+ on AI this year, Meta's Zuckerberg boasts
There's Microsoft, Google, and Amazon each separately pledging to spend tens of billions of dollars – at least $200 billion between them – on building out AI infrastructure over the next year or so to inject assistants, generative models, and more into their products.
According to Zuckerberg, the Social Network's $60-65 billion in CAPEX spending will support the deployment of roughly a gigawatt of new compute capacity with more than 1.3 million GPUs training and serving models by the end of the year.
To power the accelerators, Meta began construction last month on a two gigawatt-plus datacenter in Richland Parish, Louisiana.
The facility is so large, Zuckerberg boasted "it would cover a significant part of Manhattan." While Meta is looking for a nuclear-power provider to keep the GPUs running, this site will instead be powered by combined-cycle combustion turbine plants with a total energy generation capacity of 2,262 megawatts.

Cutting-edge Chinese “reasoning” model rivals OpenAI o1—and it’s free to download
DeepSeek R1 is free to run locally and modify, and it matches OpenAI's o1 in several benchmarks. DeepSeek published six smaller "DeepSeek-R1-Distill" versions ranging from 1.5 billion to 70 billion parameters. These distilled models are based on existing open source architectures like Qwen and Llama, trained using data generated from the full R1 model. The smallest version can run on a laptop, while the full model requires far more substantial computing resources.

Apple Intelligence, previously opt-in by default, enabled automatically in iOS 18.3 Opting out is still possible in Settings, but only after setup is complete.

Tool touted as 'first AI software engineer' is bad at its job, testers claim
The auto-coder is called “Devin” and was introduced in March 2024. The bot’s creator, an outfit called Cognition AI, has made claims such as “Devin can build and deploy apps end to end," and "can autonomously find and fix bugs in codebases."
The tool reached general availability in December 2024, starting at $500 per month.
Data scientists have tested Devin and found it completed just three out of 20 tasks successfully.

New Android Identity Check locks settings outside trusted locations
The new Identity Check feature is designed to enhance theft protections in Android by requiring biometric authentication to access critical account and device settings when outside trusted locations.
Theft Detection Lock is Google's AI-powered theft detection system that can identify phone theft events based on sensor data, Wi-Fi, and Bluetooth, and lock the screen.
The feature is designed to activate when someone grabs the phone out of the owner's hands and runs away, which could expose personal data if the screen remains unlocked.

LEGAL
Trump is signing a flurry of executive orders. Here's how those work
President Theodore Roosevelt became the first to break 1,000, averaging 145 executive orders per year. Franklin D. Roosevelt issued a record 3,721 during his unprecedented 12 years in office.
President-elect Donald Trump talks to reporters after a meeting with Republican leadership at the Capitol on Jan. 8. Politics As Trump takes office again, he has even more sway over the Republican Party Since then, the number of executive orders issued under each president has numbered in the low hundreds.
Biden issued 162 orders, while Trump issued 220 during his first term.

US Regulatory Freeze Pending Review 
(1) Do not propose or issue any rule in any manner, including by sending a rule to the Office of the Federal Register (the “OFR”), until a department or agency head appointed or designated by the President after noon on January 20, 2025, reviews and approves the rule.
(2) Immediately withdraw any rules that have been sent to the OFR but not published in the Federal Register, so that they can be reviewed and approved as described in paragraph 1.
(3) Consistent with applicable law and subject to the exceptions described in paragraph 1, consider postponing for 60 days from the date of this memorandum the effective date for any rules that have been published in the Federal Register, or any rules that have been issued in any manner but have not taken effect, for the purpose of reviewing any questions of fact, law, and policy that the rules may raise.

Infosec was literally the last item in Trump's policy plan, yet major changes are likely on his watch
The Republican Party’s 2024 election platform document mentions infosec just once, in the last paragraph of a 16-page manifesto: "Republicans will use all tools of National Power to protect our Nation’s Critical Infrastructure and Industrial Base from malicious cyber actors. This will be a National Priority, and we will both raise the Security Standards for our Critical Systems and Networks and defend them against bad actors."
Kristi Noem, Trump’s nominee for Homeland Security Secretary, last week used a confirmation hearing to indicate she would make cuts to CISA and described countering online foreign influence in US elections as "off mission."
Trump wants the agency to "focus solely on protecting the civilian government networks, public-private partnerships and information sharing on emerging threats, and coordinating protection of the nation's critical infrastructure."
Trump seems likely to persist with President Biden’s national cybersecurity policy and the Executive Order 14028 that directed federal agencies to adopt zero-trust architectures. That plan built on an executive order that Trump enacted in 2017, titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.

Trump Terminates DHS Advisory Committee Memberships, Disrupting Cybersecurity Review
"In alignment with the Department of Homeland Security's (DHS) commitment to eliminating the misuse of resources and ensuring that DHS activities prioritize our national security, I am directing the termination of all current memberships on advisory committees within DHS, effective immediately," Acting Secretary Benjamine C. Huffman said in a January 20, 2025, memo.
"Future committee activities will be focused solely on advancing our critical mission to protect the homeland and support DHS's strategic priorities." This includes members of the Cybersecurity and Infrastructure Security Agency's (CISA) Cyber Safety Review Board (CSRB). CSRB was established in February 2022 as a public-private initiative to assess significant cybersecurity events, and provide recommendations on improving cybersecurity and incident response practices.
It's currently not clear how the investigatory body will be restructured. Some of the other advisory boards that have been disbanded include the Artificial Intelligence Safety and Security Board, Critical Infrastructure Partnership Advisory Council, National Security Telecommunications Advisory Committee, National Infrastructure Advisory Council, and the USSS Cyber Investigations Advisory Board.

Trump signs executive order on developing artificial intelligence ‘free from ideological bias’
The new order doesn’t name which existing policies are hindering AI development but sets out to track down and review “all policies, directives, regulations, orders, and other actions taken” as a result of former President Joe Biden’s sweeping AI executive order of 2023, which Trump rescinded Monday.
Any of those Biden-era actions must be suspended if they don’t fit Trump’s new directive that AI should “promote human flourishing, economic competitiveness, and national security.”
Trump’s order also calls for the development of an AI action plan within 180 days. Leading the work will be a small group of White House tech and science officials, including a new Special Advisor for AI and Crypto — a role Trump has given to venture capitalist and former PayPal executive David Sacks.

Trump opens a divide between US and EU over Big Tech
President Trump on Thursday called out the European Union for its antitrust battles with American tech giants, saying the billions of dollars in fines they've levied against US companies amount to a tax on American corporations “They took court cases with Apple, and they supposedly won a case that most people didn’t think was much of a case, they won $15 billion or $16 billion from Apple. They won billions from Google. I think they’re after Facebook for billions and billions. These are American companies, whether you like them or not, they are American companies, and they shouldn’t be doing that. And as far as I’m concerned, it’s a form of taxation.”
Most recently, the bloc fined Apple 13 billion euros over back taxes owed to Ireland. The fee hit Apple’s bottom line in Q4, pulling lower its earnings per share from $1.64 to $0.97.
In March 2024, the EU fined Apple $2 billion as part of the company’s long-running battle with Spotify for allegedly “abusing its dominant position on the market for the distribution of music streaming apps.”
Google lost a legal battle with the EU in September, forcing the company to pay $2.7 billion for using its price comparison tool to disadvantage European services.
Google also continues to fight a 2011 antitrust case over its Android operating system, which the EU says the company uses to impose “illegal restrictions on Android device manufacturers and mobile network operators to cement its dominant position in general internet search.”
In November, the EU fined Meta 797 million euros over claims that it breached antitrust rules through its Facebook Marketplace service.
The bloc also fined Meta $1.3 billion in 2023 over claims that it violated data protection rules in the region.
The collection of European economies threatened Amazon with antitrust fines of $47 billion, forcing the company to change its business practices in the EU.
The regulator recently issued a statement of objections to Microsoft over its decision to tie its Teams software to its Office 365 and Microsoft 365 productivity suites.
Remarks By President Trump at the World Economic Forum 

U.S. Department of Commerce Issues Interim Final Rule Implementing Its Framework for Artificial Intelligence Diffusion
ECCN 3A090.a controls integrated circuits with one or more digital processing units having either: (1) a ‘total processing performance’ of 4800 or more; or (2) a ‘total processing performance’ of 1600 or more and a ‘performance density’ of 5.92 or more.
ECCN 3A090.b controls integrated circuits with one or more digital processing units having either: (1) a ‘total processing performance’ of 2400 or more and less than 4800 and a ‘performance density’ of 1.6 or more and less than 5.92; or (2) a ‘total processing performance’ of 1600 or more and a ‘performance density’ of 3.2 or more and less than 5.92.
ECCN 4A090.a controls computers, “electronic assemblies” and “components” containing integrated circuits, any of which meets or exceeds the limits in 3A090.a.
ECCN 4A090.b controls computers, “electronic assemblies” and “components” containing integrated circuits, any of which meets or exceeds the limits in 3A090.b.

Court rules FISA Section 702 surveillance of US resident was unconstitutional
Section 702 of the 1978 Foreign Intelligence Surveillance Act, aka FISA, authorizes the warrantless gathering of communications data from non-US persons who are outside the USA.
New York made a landmark ruling that sided against the warrantless state surveillance of people's private communications in America. Specifically, it was decided the FBI had violated a US resident's Fourth Amendment rights against unreasonable searches by looking through a vast database of overseas communications vacuumed up under Section 702 of the Foreign Intelligence Surveillance Act and using that resident's private messages as evidence to successfully prosecute him.
Federal district judge rejected the government's position that it was allowed to view that resident's emails, collected under Section 702, without a warrant. The database query that pulled up his harvested messages was ruled an unjustified, unlawful search.
This particular case concerned Agron Hasbajrami, an Albanian citizen and US resident who was arrested at JFK airport on September 6, 2011, just before he tried boarding a flight to Pakistan via Turkey. He was accused of seeking to join a terror organization to fight against American forces and others in Afghanistan and Pakistan, and later pleaded guilty to charges of attempting and conspiring to provide material support to terrorists.
He was sentenced to 16 years in prison. Once Hasbajrami was in the clink, it emerged the g-men had made the collar using emails between the Albanian and an unnamed foreigner associated with terrorists as evidence, all obtained without a warrant under Section 702.

LinkedIn accused of training AI on private messages
A lawsuit alleges InMail messages were fed to neural networks based on LinkedIn's disclosure last year. The Microsoft-owned goliath announced policy changes reflecting its use of member posts and personal data to train AI models and its provision of said data to third-parties for that purpose.
LinkedIn exempted customers in Canada, the EU, EEA, UK, Switzerland, Hong Kong, or Mainland China from having their LinkedIn data used "to train content-generating AI models."
Customers in the US, where there's still no federal privacy law, were offered a setting, enabled by default, titled: "Data for Generative AI Improvement."

Mental toll: Scale AI, Outlier sued by humans paid to steer AI away from our darkest depths
One of the common forms of machine learning, known as supervised learning, requires sets of labelled data to teach AI models how to map terms such as "cat" to images of cats. The technique is used not only for computer-vision models, but also for systems capable of inputting and outputting text and audio.
The problem is these prompts – such as "Man setting animal on fire," presumably submitted to a text-to-image model – may produce results that are upsetting. And contractors employed to screen and mitigate such stuff have to deal with such content on an ongoing basis.
The lawsuit filed in a US federal district court in northern California, accuses Scale AI and Smart Ecosystem (doing business as Outlier) of misleading workers hired to label data for training AI – from associating words with pictures, to identifying dangerous input prompts – and neglecting to protect them from violent, harmful content they had to engage with as part of their work.
Scale AI and Outlier were sued in December, and again in January this year, in San Francisco Superior Court based on alleged labor violations, specifically underpaid wages.
A separate lawsuit filed in federal court in October, against Scale AI, Outlier, and another labor platform HireArt, alleges the firms laid off 500 people in August, in violation of California labor law.

Silk Road's Dread Pirate Roberts walks free as Trump pardons dark web kingpin
Otherwise known by his online handle "Dread Pirate Roberts," Ulbricht was sentenced to two life sentences in 2015, plus an additional 40 years, with no chance of parole for his role in creating and running the darknet marketplace between 2011 and 2013. He was found guilty of seven charges leveled against him relating to drug trafficking, money laundering, computer hacking, and trafficking forged identity documents.
The Libertarian movement is a strong advocate for the use of cryptocurrencies and, generally speaking, anything that promotes the rights of individuals. Silk Road, the first major and defining modern dark web marketplace, was an early adopter of Bitcoin as a method of payment. Libertarians, cryptocurrency advocates, and certain US politicians have all petitioned the President to pardon Ulbricht in recent years.
Among the more vocal of these politicians is Senator Rand Paul (R-KY), who wrote to Trump before the President issued the unconditional pardon reaffirming his support for Ulbricht, claiming his sentence "is vastly disproportionate to his crimes." Those in favor of releasing the Silk Road founder have said previously that his sentence didn't reflect the non-violent nature of his crimes, that he was being punished for the sale of drugs by merely being the creator of the website, and that the actual drug dealers operating on Silk Road received markedly more lenient sentences.
Telegram captcha tricks you into running malicious PowerShell scripts
Threat actors took advantage of this development, using fake but verified Ross Ulbricht accounts on X to direct people to malicious Telegram channels presented as official Ulbricht portals that tricks them into run PowerShell code that infects them with malware.
On Telegram, users are met with so-called identity verification request named 'Safeguard,' which walks users through the fake verification process. At the end, users are shown a Telegram mini app that displays a fake verification dialog. This mini app automatically copies a PowerShell command into the device's clipboard and then prompts the user to open the Windows Run dialog and paste it in and run it. Users should never execute anything they copy online in their Windows 'Run' dialog or PowerShell terminal unless they know what they're doing.
If unsure about something you copied on your clipboard, paste it on a text reader and analyze its contents, with any obfuscation considered a red flag.

And Now For Something Completely Different …

Earth's Magnetic North Pole Is Officially Moving – Scientists Just Updated Its Location
As the iron and nickel inside our planet shift, so does Earth's magnetic field, meaning the North (and South) Poles are also constantly on the move.
If you're using a compass or a GPS system, knowing exactly where these points are is crucial. Magnetic north has been moving slowly around Canada since the 1500s but, in the past 20 years, it accelerated towards Siberia, increasing in speed every year until about five years ago, when it suddenly decelerated from 50 to 35 kilometers [31 to 22 miles] per year, which is the biggest deceleration in speed we've ever seen.
Two giant magnetic lobes – one under Canada and one under Siberia – are what's driving the shifting of magnetic north. Sometimes the shifts are dramatic enough that an emergency update is required, outside of the usual 5-year cycle.
Experts from the US National Oceanic and Atmospheric Administration (NOAA) and the British Geological Survey (BGS) have joined forces – as they do every five years – to produce a new, more accurate World Magnetic Model (WMM).
Traveling 8,500 km (5,282 miles) from South Africa to the UK in a straight line would leave you 150 km (93 miles) off course by the end, if you used the old WMM compared to the new WMM for your navigation.
[rG: Whenever you use a compass it is important to adjust for magnetic north deviations based on your longitude and latitude. If you use an electronic compass (watch, etc.), you may need to sent it off for recalibration.]