New hotness in democracy: if the people say no to mass surveillance, do it again right after you have said you won’t do it. Not EU this time: it’s India

You know what they say: If at first you don’t succeed at mass government surveillance, try, try again. Only two days after India backpedaled on its plan to force smartphone makers to preinstall a state-run “cybersecurity” app, Reuters reports that the country is back at it. It’s said to be considering a telecom industry proposal with another draconian requirement. This one would require smartphone makers to enable always-on satellite-based location tracking (Assisted GPS).

The measure would require location services to remain on at all times, with no option to switch them off. The telecom industry also wants phone makers to disable notifications that alert users when their carriers have accessed their location.

[…]

Source: India is reportedly considering another draconian smartphone surveillance plan

Looks like the Indians took a page out of the Danish playbook for Chat Control and for turning the EU into a 1984 Brave New World.

Kohler Can Access Data and Pictures from Toilet Camera It Describes as “End-to-End Encrypted”

In October Kohler launched Dekota, a $600 (plus monthly subscription) device that attaches to the rim of your toilet and collects images and data from inside, promising to track and provide insights on gut health, hydration, and more. To allay the obvious privacy concerns, the company emphasizes the sensors are only pointed down, into the bowl, and assures potential buyers that the data collected by the device and app are protected with “end-to-end encryption”.

Kohler Health’s homepage, the page for the Kohler Health App, and a support page all use the term “end-to-end encryption” to describe the protection the app provides for data. Many media outlets included the claim in their articles covering the launch of the product.

However, responses from the company make it clear that—contrary to common understanding of the term—Kohler is able to access data collected by the device and associated application. Additionally, the company states that the data collected by the device and app may be used to train AI models.

[…]

Emails exchanged with Kohler’s privacy contact clarified that the other “end” that can decrypt the data is Kohler themselves: “User data is encrypted at rest, when it’s stored on the user’s mobile phone, toilet attachment, and on our systems. Data in transit is also encrypted end-to-end, as it travels between the user’s devices and our systems, where it is decrypted and processed to provide our service.”

They additionally told me “We have designed our systems and processes to protect identifiable images from access by Kohler Health employees through a combination of data encryption, technical safeguards, and governance controls.”

What Kohler is referring to as E2EE here is simply HTTPS encryption between the app and the server, something that has been basic security practice for two decades now, plus encryption at rest.

[…]

Source: Kohler Can Access Data and Pictures from Toilet Camera It Describes as “End-to-End Encrypted” – /var/log/simon

Subaru Owners Are Ticked About In-Car Pop-Up Ads for SiriusXM

I’ve written about Stellantis brands doing this twice already in 2025, and this time, it’s Subaru sending pop-up ads for SiriusXM to owners’ infotainment screens.

The Autopian ran a story on the egregious push notifications on Monday, and it only took a short search to find more examples. It happened right around Thanksgiving, as the promotion urged drivers to “Enjoy SiriusXM FREE thru 12/1.” That day has come and gone, but not before it angered droves of Subaru owners.

“I have got this Sirius XM ad a few times over the last couple of years,” the caption on the embedded Reddit thread reads. “This last time was the final straw as I almost wrecked because of it. My entire infotainment screen changed which caused me to take my eyes off the road and since I was going 55mph in winter I swerved a bit and slid and almost went off into a ditch. Something that would not have happened had this ad not popped up.”

[…]

At least one 2024 Crosstrek owner reported that the pop-up took over their screen even though they were using Apple CarPlay. To force-close an application that’s in use, solely for the sake of in-car advertising, is especially egregious.

[…]

Reddit posts dating back as far as 2023 show owners complaining about in-car notifications.

[…]


Source: Subaru Owners Are Ticked About In-Car Pop-Up Ads for SiriusXM

New Baldness Drug Boosted Hair Growth by 168% – 539% in Trials

[…] On Wednesday, Cosmo Pharmaceuticals announced the results of its two phase III trials testing out the topical drug clascoterone for AGA. Compared to placebo, people on clascoterone gained back significantly more hair—with one trial showing a roughly 500% improvement in hair restoration. The results will pave the way for a potential FDA approval next year, which could make clascoterone the first truly novel treatment for pattern baldness seen in decades.

First-in-class

Male pattern baldness is primarily caused by having genes that make a person’s hair follicles overly sensitive to androgens (male-related sex hormones), particularly the hormone dihydrotestosterone (DHT).

There are effective medications for AGA, such as minoxidil (the active ingredient in Rogaine) and finasteride, as well as other interventions like hair transplants. But these treatments all have their potential drawbacks (including cost) or may not work for everyone.

Cosmo is hoping that clascoterone can become the first of a new class of hair loss drugs. The topical drug is an androgen receptor inhibitor, meaning it directly targets the hormones that help cause the loss of hair follicles in AGA. The Dublin-based company also argues that clascoterone isn’t systemically absorbed by the body, minimizing the risk of potential side effects.

Its two pivotal trials involved nearly 1,500 male patients diagnosed with AGA. The volunteers were randomized to receive a placebo or a topical clascoterone 5% solution on affected parts of their scalp. Both trials met their primary goal. In one, clascoterone users experienced a 539% improvement in the amount of hair grown relative to placebo, while in the other, there was a 168% improvement. According to the company, however, the absolute amount of regrown hair seen during the trials was similar between the two treatment groups. Clascoterone also appeared to be safe and tolerable, the company said, with most adverse events recorded during the studies not related to the drug itself.

[…]

Source: New Baldness Drug Boosted Hair Growth by 539% in Trials

Build Your Own Glasshole Detector

Connected devices are ubiquitous in our era of wireless chips that rely heavily on streaming data to someone else’s servers. This sentence might already start to sound dodgy, and it doesn’t get better when you think about today’s smart glasses, like the ones built by Meta (aka Facebook).

[sh4d0wm45k] doesn’t shy away from fighting fire with fire, and shows you how to build a wireless device that detects Meta’s smart glasses – or any other company’s Bluetooth devices, really, as long as you can match them by the beginning of the Bluetooth MAC address.

[sh4d0wm45k]’s device is a mini light-up sign saying “GLASSHOLE” that turns bright white as soon as a pair of Meta glasses is detected in the vicinity. Under the hood, a commonly found ESP32 devboard suffices for the task, coupled with two lines of white LEDs on a custom PCB. The code is super simple, sifting through packets flying through the air, and lets you easily add your own OUIs (Organizationally Unique Identifier, the first three bytes of a MAC address). It wouldn’t be hard to add such a feature to any device of your own with Arduino code under its hood, or to rewrite it to fit a platform of your choice.

We’ve been talking about smart glasses ever since Google Glass, but recently, with Meta’s offerings, the smart glasses debate has reignited. Due to the inherent anti-social aspects of the technology, we can see what’d motivate one to build such a hack. Perhaps the next thing we’ll see is some sort of spoofed packets shutting off the glasses, making them temporarily inoperable in your presence in a similar way to what we’ve seen with spamming proximity pairing packets onto iPhones.

Source: Build Your Own Glasshole Detector | Hackaday

Shopify goes down: Cyber Monday outage disrupting your online shopping

Here’s hoping the retailers offering tasty Cyber Monday deals that caught your eye aren’t having trouble with Shopify. The ecommerce platform is experiencing some issues. According to a support page, some merchants were having trouble logging into the Shopify platform, which was experiencing outages with the checkout and admin systems. Shopify’s point-of-sale (POS), API and mobile and support systems also saw “degraded performance.”

“We are continuing to investigate and apply mitigations for the issues with accessing Admins and POS systems,” Shopify wrote in an update at 12:39PM ET. “Some merchants may also see an issue with POS checkouts, due to not being able to access POS systems.”

At 2:31PM ET, the company posted an update to its status page, saying “We have found and fixed an issue with our login authentication flow, and are seeing signs of recovery for admin and POS login issues now. We are continuing to monitor recovery.” You might start to see some services go back to normal, and it should hopefully not impact your holiday shopping too much.

Shopify said in a blog post just last week that it powers 12 percent of ecommerce in the US. Brands including Netflix, Mattel, Supreme, Glossier and Converse are among those that use the platform.

When asked for more details about the outage, Shopify directed Engadget to its status page as well as a tweet posted at 10AM that read, “We’re aware of an issue with Admins impacting selected stores, and are working to resolve it.”

[…]

Source: Shopify is down: Updates on the Cyber Monday outage disrupting your online shopping

Netflix Is Killing Casting From Your Phone

[…]

Among other methods, like plugging a laptop directly into the TV, many people still enjoy casting their content from small screens to big screens. For years, this has been a reliable way to switch from watching Netflix on your smartphone or tablet to watching on your TV—you just tap the cast button, select your TV, and in a few moments, your content is beamed to the proper place. Your device becomes its own remote, with search built right in, and it avoids the need to sign into Netflix on TVs outside your home, such as when staying in hotels.

At least it did, but Netflix no longer wants to let you do it.

Netflix no longer supports casting on most devices

While you can still cast to your TV from other streaming platforms, there’s bad news for Netflix fans: The company has abruptly dropped casting support for most devices. Android Authority was the first to report on the change, though you might have stumbled upon the development yourself when looking for the cast button in the Netflix app. In fact, Netflix has prepared for your confusion, as you can see from this Netflix Help Center page titled “Can’t find ‘Cast’ button in Netflix app.” This page might offer a glimmer of hope at first, as you think “Oh good, Netflix has a solution if the Cast button is missing.” Unfortunately, the response isn’t going to make you happy: “Netflix no longer supports casting shows from a mobile device to most TVs and TV-streaming devices. You’ll need to use the remote that came with your TV or TV-streaming device to navigate Netflix.”

The exception here is for “older” Chromecast devices or TVs that work with Google Cast—but only if you pay for an ad-free Netflix plan. If you took Netflix up on its lower-cost subscription offer, those ads not only cost you extra watch time, but also your ability to cast—assuming you even have the older hardware to cast to.

[…]

Source: Netflix Is Killing Casting From Your Phone | Lifehacker

Korea’s Coupang says data breach exposed nearly 34M customers’ personal information

South Korean e-commerce platform Coupang over the weekend said nearly 34 million Korean customers’ personal information had been leaked in a data breach that had been ongoing for more than five months.

The company said it first detected the unauthorized exposure of 4,500 user accounts on November 18, but a subsequent investigation revealed that the breach had actually compromised about 33.7 million customer accounts in South Korea.

The breach affected customers’ names, email addresses, phone numbers, shipping addresses, and certain order histories, per Coupang. More sensitive data like payment information, credit card numbers, and login credentials was not compromised and remains secure, the company said.

Coupang said it has reported the incident to the Korea Internet & Security Agency (KISA), the Personal Information Protection Commission (PIPC), and the National Police Agency.

One of South Korea’s biggest e-commerce platforms, Coupang also offers an online commerce service called “Rocket Delivery” in the country and operates a marketplace in Taiwan. A Coupang spokesperson told TechCrunch that the investigation has found no evidence that consumer data from Coupang Taiwan or Rocket Now, its food delivery service in Japan, was affected in the data breach.

“According to the investigation so far, it is believed that unauthorized access to personal information began on June 24, 2025, via overseas servers,” the company said. “Coupang blocked the unauthorized access route, strengthened internal monitoring, and retained experts from a leading independent security firm.”

Police have reportedly identified at least one suspect, a former Chinese Coupang employee now abroad, after launching an investigation following a November 18 complaint.

[…]

Source: Korea’s Coupang says data breach exposed nearly 34M customers’ personal information | TechCrunch

India demands smartphone makers install government app

India’s government has issued a directive that requires all smartphone manufacturers to install a government app on every handset in the country and has given them 90 days to get the job done – and to ensure users can’t remove the code.

The app is called “Sanchar Saathi” and is a product of India’s Department of Telecommunications (DoT).

On Google Play and Apple’s App Store, the Department describes the app as “a citizen centric initiative … to empower mobile subscribers, strengthen their security and increase awareness about citizen centric initiatives.”

The app does those jobs by allowing users to report incoming calls or messages – even on WhatsApp – they suspect are attempts at fraud. Users can also report incoming calls for which caller ID reveals the +91 country code, as India’s government thinks that’s an indicator of a possible illegal telecoms operator.

Users can also block their device if they lose it or suspect it was stolen, an act that will prevent it from working on any mobile network in India.

Another function allows lookup of IMEI numbers so users can verify if their handset is genuine.

Spam and scams delivered by calls or TXTs are pervasive around the world, and researchers last year found that most Indian netizens receive three or more dodgy communiqués every day. This app has obvious potential to help reduce such attacks.

An announcement from India’s government states that cybersecurity at telcos is another reason for the requirement to install the app.

“Spoofed/ Tampered IMEIs in telecom network leads to situation where same IMEI is working in different devices at different places simultaneously and pose challenges in action against such IMEIs,” according to the announcement. “India has [a] big second-hand mobile device market. Cases have also been observed where stolen or blacklisted devices are being re-sold. It makes the purchaser abettor in crime and causes financial loss to them. The blocked/blacklisted IMEIs can be checked using Sanchar Saathi App.”

That motive is likely the reason India has required handset-makers to install Sanchar Saathi on existing handsets with a software update.

The directive also requires the app to be pre-installed, “visible, functional, and enabled for users at first setup.” Manufacturers may not disable or restrict its features and “must ensure the App is easily accessible during device setup.”

Those functions mean India’s government will soon have a means of accessing personal info on hundreds of millions of devices.

Apar Gupta, founder and director of India’s Internet Freedom Foundation, has criticized the directive on grounds that Sanchar Saathi isn’t fit for purpose. “Rather than resorting to coercion and mandating it to be installed the focus should be on improving it,” he wrote.

[…]

Source: India demands smartphone makers install government app • The Register

Autostarting Apple Podcasts Tries to hack Humans by throwing religion, spirituality, and education lectures at them

You know that feeling when you unlock your phone and suddenly Apple Podcasts is open, showing you some random spirituality podcast from 2018 that you definitely didn’t tap on? Well, turns out that’s not just a quirky glitch—it’s actually someone trying to hack you.

Over the past several months, users have been reporting some seriously strange behavior from Apple Podcasts across both iOS and Mac platforms. According to 404 Media, people are finding the app launching automatically and displaying religion, spirituality, and education podcasts with no apparent trigger. Sometimes you’ll unlock your device and boom—there’s the podcast app, presenting some bizarre show that’s often years old but somehow surfacing now. What makes this particularly concerning is that these mystery podcast pages include links to potentially malicious websites designed to execute cross-site scripting attacks.

How the Apple Podcasts exploit actually works

The technical mechanics reveal just how vulnerable Apple’s ecosystem can be to creative attack vectors. The Apple Podcasts app can be launched automatically with content of an attacker’s choosing, and according to 404 Media, simply visiting a website is enough to trigger Podcasts to open and load a podcast selected by the attacker.

[…]

Apple’s ecosystem security under siege

What makes this podcast vulnerability particularly troubling is how it fits into Apple’s broader security landscape, which has been under increasing pressure from sophisticated attacks. Recent security advisories reveal that multiple vulnerabilities across Apple products could enable arbitrary code execution, with successful exploitation potentially allowing attackers to install programs, modify data, or create new accounts with full user privileges, according to the Center for Internet Security. The scope affects devices running older versions of iOS, iPadOS, macOS, watchOS, tvOS, and visionOS, though fortunately no active exploitation has been reported in the wild.

Even more concerning are recently disclosed zero-click iMessage exploits that remained unpatched through multiple iOS versions. A strategic disclosure revealed vulnerabilities affecting iOS 18.2 through 18.4 that enabled Secure Enclave key theft, crypto wallet draining, and device-to-device propagation via MultipeerConnectivity, as reported in security research. Apple eventually addressed these issues quietly in iOS 18.4.1 without public acknowledgment, highlighting ongoing transparency concerns in vulnerability handling. The fact that these zero-click exploits could facilitate extraction of Secure Enclave-protected keys and enable silent crypto wallet draining demonstrates how sophisticated modern attacks have become against Apple’s supposedly secure architecture.

[…]

Source: Apple Podcasts Security Flaw Enables Device Hijacking << Apple :: Gadget Hacks

Cowed BBC Censors Lecture Calling Trump ‘Most Openly Corrupt President’

The BBC is now voluntarily suppressing criticism of Donald Trump before it airs—and the reason is obvious: Trump threatened to sue them into oblivion, and they blinked.

Historian Rutger Bregman revealed this week that the BBC commissioned a public lecture from him last month, recorded it, then quietly cut a single sentence before broadcast. The deleted line? Calling Trump “the most openly corrupt president in American history.” Bregman posted about the capitulation, noting that the decision came from “the highest levels” of the BBC—meaning the executives dealing with Trump’s threats.

Well, at least we should call out Donald Trump as the most openly censorial president in American history.

This is the payoff from Trump’s censorship campaign against the BBC. Weeks ago, Trump threatened to sue the BBC for a billion dollars over an edit in a program it aired a year ago. The BBC apologized and fired employees associated with the project. That wasn’t enough. Trump’s FCC censorship lackey Brendan Carr launched a bullshit investigation anyway. And now the BBC is preemptively editing out true statements that might anger the thin-skinned man baby President.

Bregman posted the exact line that got cut. Here’s the full paragraph, with the censored sentence in bold:

On one side we had an establishment propping up an elderly man in obvious mental decline. On the other we had a convicted reality star who now rules as the most openly corrupt president in American history. When it comes to staffing his administration, he is a modern day Caligula, the Roman emperor who wanted to make his horse a consul. He surrounds himself with loyalists, grifters, and sycophants.

Gosh, for what reason would the BBC cut that one particular line?

The BBC admitted to this in the most mealy-mouthed way when asked by the New Republic to comment on the situation:

Asked for comment on Bregman’s charge, a spokesperson for the BBC emailed me this: “All of our programmes are required to comply with the BBC’s editorial guidelines, and we made the decision to remove one sentence from the lecture on legal advice.”

“On legal advice.” Translation: Trump’s SLAPP suit threats worked exactly as intended.

Greg Sargent, writing in the New Republic, nails why this matters:

There is something deeply perverse in this outcome. Even if you grant Trump’s criticism of the edit of his January 6 speech—never mind that as the violence raged, Trump essentially sat on his hands for hours and arguably directed the mob to target his vice president—the answer to this can’t be to let Trump bully truth-telling into self-censoring silence.

That’s plainly what happened here.

Exactly. The BBC’s initial capitulation—the apology, the firings, the groveling—was bad enough. But this is worse. This is pre-censorship. The BBC is now editing out true statements about Trump before they air, purely because they’re afraid of how he might react. That’s not “legal advice.” That’s cowardice institutionalized as policy.

Once again, I remind you that Trump’s supporters have, for years, insisted that he was “the free speech president” and have talked about academic freedom and the right to state uncomfortable ideas.

[…]

Source: BBC Pre-Edits Lecture Calling Trump ‘Most Openly Corrupt President’ | Techdirt

Nexperia accused by parent Wingtech and Chinese unit of plotting to move supply chain

BEIJING/AMSTERDAM, Nov 28 (Reuters) – Wingtech (600745.SS), the Chinese parent company of Netherlands-based Nexperia, accused its Dutch unit on Friday of conspiring to build a non-Chinese supply chain and permanently strip it of its control, escalating tensions between the two sides.

In a separate statement, Nexperia’s Chinese arm demanded the Dutch business halt overseas expansion, including in Malaysia. “Abandon improper intentions to replace Chinese capacity,” Nexperia China said.
The accusations follow an open letter from Nexperia published on Thursday claiming repeated attempts to engage with its Chinese unit had failed.

Nexperia, which produces billions of chips for cars and electronics, has been in a tug-of-war since the Dutch government seized the company two months ago on economic security grounds. An Amsterdam court subsequently stripped Wingtech of control.

Beijing retaliated by halting exports of Nexperia’s finished products on October 4, leading to disruptions in global automotive supply chains.

The curbs were relaxed in early November and the Dutch government suspended the seizure last week following talks. But the court ruling remains in force.

The chipmaker’s Europe-based units and Chinese entities remain locked in a standoff. Nexperia’s Chinese arm declared itself independent from European management, which responded by stopping the shipment of wafers to the company’s plant in China.

CHINESE PARENT WARNS OF RENEWED SUPPLY CHAIN DISRUPTION

The escalating war of words casts doubt on the viability of a company-led resolution urged by China and the European Union this week.

Wingtech said on Friday that Nexperia’s Dutch unit was avoiding the issue of its “legitimate control”, making negotiations untenable.

“We need to find a way first to talk to one another constructively,” a spokesperson for Nexperia’s European headquarters said on Friday.

Nexperia China said that the Dutch unit’s claim it could not contact its management was misleading, accusing it of stifling communication by deleting the email accounts of Nexperia China employees and terminating their access to IT systems.

The Chinese unit claimed that the Dutch side was engineering a breakup, citing a $300 million plan to expand a Malaysian plant, and an alleged internal goal of sourcing 90% of production outside China by mid-2026.

[…]

Source: Nexperia accused by parent Wingtech and Chinese unit of plotting to move supply chain | Reuters

Nexperia crisis: Dutch chipmaker wants continuity from China unit, which is angry that Nexperia wants to open factories outside of China

Dutch chipmaker Nexperia has publicly called on its China unit to help restore supply chain operations, warning in an open letter that customers across industries are reporting “imminent production outages.”

Nexperia’s Dutch unit said Thursday that its open letter followed “repeated attempts to establish direct communication through conventional channels” but did not have “any meaningful response.”

The letter marks the latest twist in a long-running saga that has threatened global automotive supply chains and stoked a bitter battle between Amsterdam and Beijing over technology transfer.

“We welcomed the Chinese authorities’ commitment to facilitate the resumption of exports from Nexperia’s Chinese facility and that of our subcontractors, enabling the continued flow of our products to global markets,” Nexperia’s Dutch unit said in the letter.

“Nevertheless, customers across industries are still reporting imminent production stoppages. This situation cannot persist,” they added. The group called on the leadership of Nexperia’s entities in China to take steps to restore the established supply flows without delay.

In a statement, Wingtech Technology, Nexperia’s Chinese parent company, said on Friday that the Dutch unit’s open letter contained “a large number of misleading and untrue allegations.”

It said the “unlawful deprivation of Wingtech’s control and shareholder rights over Nexperia” was the root cause of the ongoing supply chain chaos.

“Combined with the recent series of actions by the Dutch government and Nexperia B.V., we believe their true intention is to buy time for Nexperia B.V. to construct a ‘de-China-ized’ supply chain and permanently strip Wingtech of its shareholder rights,” Wingtech said.

[Photo: the logo of semiconductor manufacturer Nexperia displayed on a screen, Jinan, Shandong Province, China, October 23, 2025. VCG via Getty Images]

Nexperia manufactures billions of so-called foundation chips — transistors, diodes and power management components — that are produced in Europe, assembled and tested in China, and then re-exported to customers in Europe and elsewhere.

The chips are relatively low-tech and inexpensive but are needed in almost every device that uses electricity. In cars, those chips are used to connect the battery to motors, for lights and sensors, for braking systems, airbag controllers, entertainment systems and electric windows.

How did we get here?

The situation began in September, when the Dutch government invoked a Cold War-era law to effectively take control of Nexperia. The highly unusual move was reportedly made after the U.S. raised security concerns.

Beijing responded by moving to block its products from leaving China, which, in turn, raised the alarm among global automakers as they faced shortages of the chipmaker’s components.

In an apparent reprieve last week, however, the Dutch government said it had suspended its state intervention at Nexperia following talks with Chinese authorities. It was thought at the time that this could bring an end to the dispute and pave the way for a restoration of normal supply chains.

Rico Luman, senior sector economist for transport and logistics at Dutch bank ING, said it remains unclear how long the situation will last.

“The imposed measures to seize the Dutch Nexperia subsidiary have been lifted, but there are still talks ongoing about restoring the corporate structure and relation with parent company Wingtech,” Luman told CNBC by email.

“It’s not only about supplies of finished chips, it’s also about wafer supplies from Europe to the Chinese entity,” Luman said, adding that companies including Japan’s Nissan and German auto supplier Bosch are among the firms to have warned about looming shortages.

[…]

Source: Nexperia crisis: Dutch chipmaker issues urgent plea to its China unit

Canadian data order risks blowing a hole in EU sovereignty

A Canadian court has ordered French cloud provider OVHcloud to hand over customer data stored in Europe, potentially undermining the provider’s claims about digital sovereignty protections.

According to documents seen by The Register, the Royal Canadian Mounted Police (RCMP) issued a Production Order in April 2024 demanding subscriber and account data linked to four IP addresses on OVH servers in France, the UK, and Australia as part of a criminal investigation.

OVH has a Canadian arm, which was the jumping-off point for the courts, but OVH Group is a French company, so the data in France should be protected from prying eyes. Or perhaps not.

Rather than using established Mutual Legal Assistance Treaties (MLAT) between Canada and France, the RCMP sought direct disclosure through OVH’s Canadian subsidiary.

This puts OVH in an impossible position. French law prohibits such data sharing outside official treaties, with penalties up to €90,000 and six months imprisonment. But refusing the Canadian order risks contempt of court charges.

[…]

Under Trump 2.0, economic and geopolitical relations between Europe and the US have become increasingly volatile, something Microsoft acknowledged in April.

Against this backdrop, concerns about the US CLOUD Act are growing. Through the legislation, US authorities can request – via warrant or subpoena – access to data hosted by US corporations regardless of where in the world that data is stored. Hyperscalers claim they have received no such requests with respect to European customers, but the risk remains and European cloud providers have used this as a sales tactic by insisting digital information they hold is protected.

In the OVH case, if Canadian authorities are able to force access to data held on European servers rather than navigate official channels (for example, international treaties), the implications could be severe.

[…]

Earlier this week, GrapheneOS announced it no longer had active servers in France and was in the process of leaving OVH.

The privacy-focused mobile outfit said, “France isn’t a safe country for open source privacy projects. They expect backdoors in encryption and for device access too. Secure devices and services are not going to be allowed. We don’t feel safe using OVH for even a static website with servers in Canada/US via their Canada/US subsidiaries.”

In August, an OVH legal representative crowed over the admission by Microsoft that it could not guarantee data sovereignty.

It would be deeply ironic if OVH were unable to guarantee the same thing because the company has a subsidiary in Canada.

[…]

Source: Canadian data order risks blowing a hole in EU sovereignty • The Register

Asahi admits ransomware may have spilled data on 2M people

Asahi has finally done the sums on September’s ransomware attack in Japan, conceding the crooks may have helped themselves to personal data tied to almost 2 million people.

Back on September 29, Asahi disclosed a “system failure caused by a cyberattack” that knocked out ordering, shipping, and call center systems across its Japanese operations. Days later, the attack was claimed by the Qilin ransomware crew, which reckons it stole some 27 GB of internal files – including employee records, contracts, financial documents, and other sensitive assets.

Fast forward to November 27, Asahi has finally posted a full breakdown of who and what might be affected. The tally includes 1.525 million people who contacted its customer service centers, 114,000 external contacts who received condolence or congratulatory telegrams, 107,000 current or former employees, and 168,000 of their family members. The exposed data includes names, addresses, phone numbers, email addresses, and in some cases date of birth and gender – but credit card information is not on the list.

Asahi notes that the exposed data was limited to systems managed in Japan, and none has yet been published. The company also pledges to notify individuals whose data is confirmed to have been compromised – but with nearly two million people in scope, that’s a mammoth mailing list.

In its latest update, Asahi said attackers entered via compromised network equipment at a Group datacenter facility in Japan and deployed ransomware on the same day, encrypting data on multiple live servers and some connected PCs.

[…]

Source: Asahi admits ransomware may have spilled data on 2M people • The Register

The dangers of collecting too much data

FCC: US emergency broadcast system hacked to send offensive content instead of beeps

Malicious intruders have hijacked US radio gear to turn emergency broadcast tones into a profanity-laced alarm system.

That’s according to the latest warning issued by the Federal Communications Commission (FCC), which has flagged a “recent string of cyber intrusions” that diverted studio-to-transmitter links (STLs) so attackers could replace legitimate programming with their own audio – complete with the signature “Attention Signal” tone of the domestic Emergency Alert System (EAS).

According to the alert, the intrusions exploited unsecured broadcasting equipment, notably devices manufactured by Swiss firm Barix, which were reconfigured to stream attacker-controlled audio instead of station output. That stream included either real or simulated EAS alert tones, followed by obscene language or other offensive content.

Stations in Texas and Virginia have already reported incidents, including one during a live sports broadcast and another on a public radio affiliate’s backup stream.

The HTX Media radio station in Houston confirmed it had fallen victim to hijackers in a post on Facebook, saying: “We’ve received multiple reports that 97.5 FM (ESPN Houston) has been hijacked and is currently broadcasting explicit and highly offensive content… The station appears to be looping a repeated audio stream that includes an Emergency Alert System (EAS) tone before playing an extremely vulgar track.”

[…]

Source: FCC: US radio gear hijacked for bogus alerts and bad words • The Register

A universal physical law for how objects shatter

A dropped plate, a smashed sugar cube and a broken drinking glass all seem to follow the same law of physics when it comes to how many fragments of a given size they will shatter into.

For several decades, researchers have known that there is something universal about the process of fragmentation, when an object breaks into many parts when dropped or smashed. If you counted how many fragments existed at each possible size and made a graph of that distribution, it would have the same shape regardless of the object that shattered. Emmanuel Villermaux at Aix-Marseille University in France has now derived an equation that explains that shape, effectively formulating a universal law for how objects break.

Instead of focusing on the details of how cracks appear in an object before it fragments, he took a more zoomed-out approach. Villermaux considered all possible sets of fragments that an object can shatter into. Some sets would include highly specific outcomes, like a vase shattering into four equal pieces. He picked out the most probable set, the one with the highest entropy, which captured breakages that were messy and irregular. This is similar to the way many laws concerning large ensembles of particles were derived in the 19th century, he says. Additionally, Villermaux used a law of physics that describes changes in the total density of fragments when the object is shattering, which he and his colleagues had previously found.

Together, these two ingredients let him derive a simple equation predicting how many fragments of each size a breaking object should produce. To see how well it worked, Villermaux compared it with a whole slew of past experiments with shattering glass bars, dry spaghetti, plates, ceramic tubes and even plastic fragments in the ocean and waves breaking on choppy seas. Across the board, the way fragmentation showed up in each of these scenarios followed his new law, capturing the ubiquitous graph shape that researchers had seen before.

[…]

Source: Physicists have worked out a universal law for how objects shatter | New Scientist

That didn’t take long: A few days after Chat Control, European Parliament implements Age Verification on Social Media, 16+

On Wednesday, MEPs adopted a non-legislative report by 483 votes in favour, 92 against and with 86 abstentions, expressing deep concern over the physical and mental health risks minors face online and calling for stronger protection against the manipulative strategies that can increase addiction and that are detrimental to children’s ability to concentrate and engage healthily with online content.


Minimum age for social media platforms

To help parents manage their children’s digital presence and ensure age-appropriate online engagement, Parliament proposes a harmonised EU digital minimum age of 16 for access to social media, video-sharing platforms and AI companions, while allowing 13- to 16-year-olds access with parental consent.

Expressing support for the Commission’s work to develop an EU age verification app and the European digital identity (eID) wallet, MEPs insist that age assurance systems must be accurate and preserve minors’ privacy. Such systems do not relieve platforms of their responsibility to ensure their products are safe and age-appropriate by design, they add.

To incentivise better compliance with the EU’s Digital Services Act (DSA) and other relevant laws, MEPs suggest senior managers could be made personally liable in cases of serious and persistent non-compliance, with particular respect to protection of minors and age verification.

[…]

According to the 2025 Eurobarometer, over 90% of Europeans believe action to protect children online is a matter of urgency, not least in relation to social media’s negative impact on mental health (93%), cyberbullying (92%) and the need for effective ways to restrict access to age-inappropriate content (92%).

Member states are starting to take action and responding with measures such as age limits and verification systems.

Source: Children should be at least 16 to access social media, say MEPs | News | European Parliament

Expect to see mandatory surveillance on social media (whatever they define that to be) soon, as it is clearly “risky”.

The problem is real, but age verification is not the way to solve the problem. Rather, it will make it much, much worse as well as adding new problems entirely.

See also: https://www.linkielist.com/?s=age+verification&submit=Search

See also: European Council decides to implement Mass Surveillance and Age Verification through law protecting children from online abuse

Welcome to a new fascist, thought-controlled Europe, heralded by Denmark.

Chat Control: EU lawmakers finally agree on the “voluntary” scanning of your private chats

[…] The EU Council has finally reached an agreement on the controversial Child Sexual Abuse Regulation (CSAR) after more than three years of failed attempts.

Nicknamed Chat Control by its critics, the agreement has kept cryptographers, technologists, encrypted service providers, and privacy experts alike in turmoil since its inception.

Presidency after presidency, the bill has taken many shapes. But its most controversial feature is an obligation for all messaging service providers operating in the EU – including those using end-to-end-encryption – to scan their users’ private chats on the lookout for child sexual abuse material (CSAM).

At the beginning of the month, the Danish Presidency decided to change its approach with a new compromise text that makes the chat scanning voluntary, instead. That turned out to be a winning move, with the proposal managing to reach an agreement in the Council on Wednesday, November 26, 2025.

Privacy experts are unlikely to celebrate, though. The decision came a few days after a group of scientists wrote yet another open letter warning that the latest text still “brings high risks to society.” That’s after other privacy experts deemed the new proposal a “political deception” rather than an actual fix.

The EU Council is now preparing to start negotiations with the European Parliament, hoping to agree on the final terms of the regulation.

What we know about the Council agreement

As per the EU Council announcement, the new law imposes a series of obligations on digital companies. Under the new rules, online service providers will be required to assess how their platforms could be misused and, based on the results, may need to “implement mitigating measures to counter that risk,” the Council notes.

Source: Chat Control: EU lawmakers finally agree on the voluntary scanning of your private chats | TechRadar

A “risk mitigation obligation” can be used to explain anything and obligate spying through whatever services the EU says there is “risk”.

Considering the whole proposal was shot down several times in the past years and even past month, using a back door rush to push this through is not how a democracy is supposed to function at all. And this is how fascism grips its iron claws. What is going on in Denmark?

European Council decides to implement Mass Surveillance and Age Verification through law protecting children from online abuse

[…]

Under the new rules, online service providers will be required to assess the risk that their services could be misused for the dissemination of child sexual abuse material or for the solicitation of children. On the basis of this assessment, they will have to implement mitigating measures to counter that risk. Such measures could include making available tools that enable users to report online child sexual abuse, to control what content about them is shared with others and to put in place default privacy settings for children.

Member states will designate national authorities (‘coordinating and other competent authorities’) responsible for assessing these risk assessments and mitigating measures, with the possibility of obliging providers to carry out mitigating measures.

[…]

The Council also wants to make permanent a currently temporary measure that allows companies to – voluntarily – scan their services for child sexual abuse. At present, providers of messaging services, for instance, may voluntarily check content shared on their platforms for online child sexual abuse material,

[Note here: if it is deemed “risky” then the voluntary part is scrubbed and it becomes mandatory. Anything can be called “risky” very easily (just look at the data slurping that goes on in Terms of Services through the text “improving our product”).]

The new law provides for the setting up of a new EU agency, the EU Centre on Child Sexual Abuse, to support the implementation of the regulation.

The EU Centre will assess and process the information supplied by the online providers about child sexual abuse material identified on services, and will create, maintain and operate a database for reports submitted to it by providers. It will further support the national authorities in assessing the risk that services could be used for spreading child sexual abuse material.

The Centre is also responsible for sharing companies’ information with Europol and national law enforcement bodies. Furthermore, it will establish a database of child sexual abuse indicators, which companies can use for their voluntary activities.

Source: Child sexual abuse: Council reaches position on law protecting children from online abuse – Consilium

The article does not mention how you can find out if someone is a child: that is age verification. Which comes with huge rafts of problems, such as censorship (there go the LGBTQ crowd!), hacks (Discord) stealing all the government IDs used to verify ages, and of course ways that people find to circumvent age verification (VPNs, which increase internet traffic, meme pictures of Donald Trump) which causes them to behave in a more unpredictable way, thus harming the kids this is supposed to protect.

Of course, this law has been shot down several times in the past 3 years by the EU, but that didn’t stop Denmark from finding a way to implement it nonetheless in a back door shotgun kind of way.

Pebble Watch Software Is Now 100% Open Source + Tick Talk #4 – PT2 Demos!

Another big Pebble update today! TLDR:

  • Yesterday, Pebble watch software was ~95% open source. Today, it’s 100% open source. You can download, compile and run all the software you need to use your Pebble. We just published the source code for the new Pebble mobile app!
  • Pebble Appstore now has a publicly available backup and supports multiple feeds, providing long term reliability through decentralization. We’ve launched our own feed and Developer Dashboard.
  • Pebble Time 2 schedule update (aiming to begin shipping in January, with most arriving on wrists in March/April)
  • New Tick Talk episode #4 is up, with Pebble Time 2 demos!

Pre-production Pebble Time 2 (Black/Red colourway) in all its glory

Source: Pebble Watch Software Is Now 100% Open Source + Tick Talk #4 – PT2 Demos!

Age Verification, Estimation, Assurance, Oh My! A Guide To The Terminology

If you’ve been following the wave of age-gating laws sweeping across the country and the globe, you’ve probably noticed that lawmakers, tech companies, and advocates all seem to be using different terms for what sounds like the same thing. Age verification, age assurance, age estimation, age gating—they get thrown around interchangeably, but they technically mean different things. And those differences matter a lot when we’re talking about your rights, your privacy, your data, and who gets to access information online.

[click the source link below to read the different definitions – ed]

Why This Confusion Matters

Politicians and tech companies love using these terms interchangeably because it obscures what they’re actually proposing. A law that requires “age assurance” sounds reasonable and moderate. But if that law defines age assurance as requiring government ID verification, it’s not moderate at all—it’s mass surveillance. Similarly, when Instagram says it’s using “age estimation” to protect teens, that sounds privacy-friendly. But when their estimation fails and forces you to upload your driver’s license instead, the privacy promise evaporates.

Here’s the uncomfortable truth: most lawmakers writing these bills have no idea how any of this technology actually works. They don’t know that age estimation systems routinely fail for people of color, trans individuals, and people with disabilities. They don’t know that verification systems have error rates. They don’t even seem to understand that the terms they’re using mean different things. The fact that their terminology is all over the place—using “age assurance,” “age verification,” and “age estimation” interchangeably—makes this ignorance painfully clear, and leaves the onus on platforms to choose whichever option best insulates them from liability.

Language matters because it shapes how we think about these systems. “Assurance” sounds gentle. “Verification” sounds official. “Estimation” sounds technical and impersonal, and also admits its inherent imprecision. But they all involve collecting your data and create a metaphysical age gate to the internet. The terminology is deliberately confusing, but the stakes are clear: it’s your privacy, your data, and your ability to access the internet without constant identity checks. Don’t let fuzzy language disguise what these systems really do.

Republished from EFF’s Deeplinks blog.

Source: Age Verification, Estimation, Assurance, Oh My! A Guide To The Terminology | Techdirt

The unpowered SSDs in your drawer are slowly losing your data

SSDs have all but replaced hard drives when it comes to primary storage. They’re orders of magnitude faster, more convenient, and consume less power than mechanical hard drives. That said, if you’re also using SSDs for cold storage, expecting the drives lying in your drawer to work perfectly after years, you might want to rethink your strategy.

[…]

Unlike hard drives that magnetize spinning discs to store data, SSDs modify the electrical charge in NAND flash cells to represent 0 and 1. NAND flash retains data in underlying transistors even when power is removed, similar to other forms of non-volatile memory. However, the duration for which your SSD can retain data without power is the key here. Even the cheapest SSDs, say those with QLC NAND, can safely store data for about a year of being completely unpowered. More expensive TLC NAND can retain data for up to 3 years, while MLC and SLC NAND are good for 5 years and 10 years of unpowered storage, respectively.

The problem is that most consumer SSDs use only TLC or QLC NAND, so users who leave their SSDs unpowered for over a year are risking the integrity of their data. The reliability of QLC NAND has improved over the years, so you should probably consider 2–3 years of unpowered usage as the guardrails. Without power, the voltage stored in the NAND cells can be lost, either resulting in missing data or completely useless drives.
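Because charge leakage is silent, an unpowered SSD that has lost data will usually still mount and list its files; only the contents are wrong. The practical check is an integrity manifest taken when the data is archived and verified when the drive is next powered up. The script below is an added example, not from the article: it hashes every file under a directory with SHA-256, stores the manifest beside the data, and on verification separates files that changed (bit rot), files that vanished, files that were added, and files the drive can no longer read at all (the “completely useless drive” case). The manifest file name, the directory layout and the constructed sample files in `demo()` are assumptions of the example.

```python
"""Cold-storage integrity manifest: build once at archive time, verify on every
power-up. Example code written for this page; file names and layout are assumed."""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.sha256.json"  # assumption: manifest lives next to the data


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large archives don't have to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative POSIX paths to their digests; None marks a file the OS could
    not read (a failing medium), which is a different failure from silently wrong bytes."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(root).as_posix()
            try:
                manifest[rel] = sha256_file(p)
            except OSError:
                manifest[rel] = None
    return manifest


def write_manifest(root: Path) -> Path:
    """Archive step: record the digests alongside the data."""
    root = Path(root)
    out = root / MANIFEST_NAME
    out.write_text(json.dumps(build_manifest(root), indent=2, sort_keys=True))
    return out


def verify_manifest(root: Path) -> dict:
    """Power-up step: compare current digests with the archived manifest."""
    root = Path(root)
    expected = json.loads((root / MANIFEST_NAME).read_text())
    actual = build_manifest(root)
    return {
        "corrupted": sorted(k for k in expected
                            if k in actual and actual[k] is not None and actual[k] != expected[k]),
        "unreadable": sorted(k for k in expected if k in actual and actual[k] is None),
        "missing": sorted(k for k in expected if k not in actual),
        "unexpected": sorted(k for k in actual if k not in expected),
    }


def demo() -> dict:
    """Constructed scenario: two files are archived, then one byte of one file
    flips (what a drained NAND cell looks like to the OS), one file disappears
    and an unrelated file appears. Returns the verification report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "photos").mkdir()
        (root / "photos" / "a.jpg").write_bytes(b"\xff\xd8" + b"A" * 1000)  # constructed sample
        (root / "notes.txt").write_bytes(b"keep me\n")                    # constructed sample
        write_manifest(root)

        data = bytearray((root / "photos" / "a.jpg").read_bytes())
        data[500] ^= 0x01                      # simulate one silently flipped bit
        (root / "photos" / "a.jpg").write_bytes(bytes(data))
        (root / "notes.txt").unlink()          # simulate a lost file
        (root / "new.bin").write_bytes(b"x")   # simulate an unexpected file
        return verify_manifest(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `write_manifest(Path("/mnt/archive"))` once when the drive goes into the drawer and `verify_manifest(...)` each time it comes out; an empty `corrupted` and `unreadable` list is the only evidence that the copy is still good, since the drive itself reports nothing. The manifest is a plain JSON file, so keep a second copy of it somewhere other than the drive it describes.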

[…]

SSDs aren’t eternal, even if you keep them powered on forever. The limited write cycles of NAND flash will eventually bring an SSD to the end of its lifecycle, but the majority of users will probably replace the drive before that ever happens.

[…]

Source: The unpowered SSDs in your drawer are slowly losing your data

CISA: Spyware crews breaking into Signal, WhatsApp accounts

CISA has warned that state-backed snoops and cyber-mercenaries are actively abusing commercial spyware to break into Signal and WhatsApp accounts, hijack devices, and quietly rummage through the phones of what the agency calls “high-value” users.

In an alert published Monday, the US government’s cyber agency said it’s tracking multiple miscreants that are using a mix of phishing, bogus QR codes, malicious app impersonation, and, in some cases, full-blown zero-click exploits to compromise messaging apps which most people assume are safe.

The agency says the activity it’s seeing suggests an increasing focus on “high-value” individuals – everyone from current and former senior government, military, and political officials to civil society groups across the US, the Middle East, and Europe. In many of the campaigns, attackers delivered spyware first and asked questions later, using the foothold to deploy more payloads and deepen their access.

“CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications,” the agency said. “These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device.”

The campaigns CISA flags in its bulletin show attackers doing what they do best: sidestepping encryption entirely by spoofing apps, abusing account features, and exploiting the phones underneath them.

For example, Google’s Threat Intelligence Group in February detailed how multiple Russia-aligned crews, including Sandworm and Turla, attempted to snoop on Signal users by abusing the app’s “linked devices” feature. By coaxing victims into scanning a tampered QR code, the operators could quietly add a second, attacker-controlled device to the account. Once paired, new messages flowed to both ends in real time, letting Moscow’s finest eavesdrop.

CISA also pointed to a separate line of Android exploitation work, spearheaded by Palo Alto Networks’ Unit 42, in which commercial-grade spyware known as LANDFALL was delivered to Samsung Galaxy devices. Uncovered earlier this month, this campaign combined a Samsung vulnerability with a zero-click WhatsApp exploit, allowing operators to slip a malicious image into a target’s inbox and have the device compromise itself on receipt.

Not all the activity relied on exploits. Several of the campaigns CISA cites – including ProSpy and ToSpy – made headway by impersonating familiar apps such as Signal and TikTok, hoovering up chat data, recordings, and files once it landed on a device. Meanwhile, Zimperium’s researchers identified ClayRat, an Android spyware family that has been seeded across Russia via counterfeit Telegram channels and lookalike phishing sites masquerading as WhatsApp, TikTok, and YouTube.

CISA’s alert lands amid heightened scrutiny of commercial spyware vendors. The US recently barred NSO Group from targeting WhatsApp users with Pegasus, and earlier this year, the US House of Representatives banned WhatsApp from staff devices after a string of security concerns. This move reflects the uncomfortable reality behind CISA’s warning: attackers aren’t breaking encrypted messengers, they’re simply burrowing under them.

Source: CISA: Spyware crews breaking into Signal, WhatsApp accounts • The Register