SoylentNews

owl writes:

https://daniel.haxx.se/blog/2024/08/14/so-the-department-of-energy-emailed-me/

In a perfect example of checkbox security in action:

I received an email today. What follows is a slightly edited version (for brevity).

From: DOE Attestation Subject: [ACTION REQUIRED] U.S. Department of Energy Secure Software Development Attestation Submission Request

OMB Control No. 1670-0052 Expires: 03/31/2027

Hello Haxx

** The following communication contains important DOE Secure Software Development Attestation Submission instructions. Please read this communication in its entirety. **

The U.S. Department of Energy (DOE) has identified your company's software as affected by this request. The list of impacted software products and versions can be found below.

DOE Request:

In support of the Office of Management and Budget (OMB) requirement to collect attestations per M-22-18, please complete the U.S. Department of Energy Secure Software Development Attestation Form (DOE Common Form). If you are unable to attest to all secure software development framework (SSDF) practices, please be sure to attach your Plan of Action and Milestones (POA&M). The software listed below has been identified as being associated with your company and requires DOE to collect an attestation for the software.

Product Name Version Number

libcurl 8.3

hubie writes:

Disney has asked a Florida court to dismiss a wrongful death lawsuit citing an arbitration waiver in the terms and conditions for Disney+:

According to Newsday, Disney has asked a Florida court to dismiss the wrongful death lawsuit filed by Jeffrey Piccolo, husband of Kanokporn Tangsuan, a doctor at NYU Langone in New York City, who passed away after eating a meal at Raglan Road Irish Pub in Disney Springs in October 2023.

Tangsuan had a severe dairy and nut allergy and informed the waitstaff at the restaurant of her dietary needs, and was "unequivocally assured" they could be accommodated. She ordered and ate the "Sure I'm Frittered" vegetarian broccoli and corn fritters, the "Scallop Forest" sea scallops appetizer, the "This Shepherd Went Vegan" entree, and a side of onion rings.

[...] In the latest update for the Disney Springs wrongful death lawsuit, Disney cited legal language within the terms and conditions for Disney+, which "requires users to arbitrate all disputes with the company." Disney claims Piccolo reportedly agreed to this in 2019 when signing up for a one-month free trial of the streaming service on his PlayStation console.

In the May 31 motion filed to move the wrongful death lawsuit to arbitration, Disney attorneys said that the Disney+ subscriber agreement states that any dispute, except for small claims, "must be resolved by individual binding arbitration." Disney says that similar language was agreed to by Piccolo when he used the My Disney Experience app to purchase tickets to visit EPCOT at Walt Disney World in September 2023. Tangsuan died before she and Piccolo could use the tickets.

[...] Attorneys for Piccolo called Disney's latest motion "preposterous," and that it's "'absurd' to believe that the 153 million subscribers to the popular streaming service have waived all claims against the company and its affiliates because of language 'buried' within the terms and conditions," according to Newsday.

Original Submission

Arthur T Knackerbracket has processed the following story:

It was only in February when Cisco laid off 4,000 people, or 5% of its workforce, as it struggled with a challenging economy and weak demand.

According to Reuters, Cisco is preparing to announce a new round of job cuts, possibly alongside its fourth-quarter results on Wednesday. The publication writes that the number of people being let go is likely to match or be higher than the 4,000 employees laid off in February. The company had nearly 85,000 workers at the end of fiscal 2023; this count does not include the effects of the previous round of layoffs.

Cisco spent $28 billion completing the acquisition of cybersecurity specialist Splunk in March, a purchase that Cisco hopes will reduce its reliance on one-time equipment sales by boosting its subscription offerings.

As with so many recent layoffs in the tech world, AI has once again played a part in people losing their jobs. Cisco launched a $1 billion fund to make investments in AI startups in June, and it has made 20 AI-focused acquisitions and investments in the last several years. Cost cutting helps offset these big investments, and fears that returns on AI spending won't match the money being poured into the industry isn't helping matters.

The company is also focusing on an AI partnership with Nvidia that will see Cisco and Team Green's purpose-built Ethernet networking-based solutions sold through the former's global channels.

[...] According to tracking website Layoffs.fyi, 397 tech companies have laid off 130,482 employees so far in 2024. Throughout all of 2023, 1,193 firms in the industry laid off 264,220 workers.

Original Submission

AnonTechie writes:

A recent study has found that 94% of spreadsheets used in business decision-making contain errors, posing serious risks for financial losses and operational mistakes. This finding highlights the need for better quality assurance practices.

The study, led by Prof. Pak-Lok Poon in collaboration with Central Queensland University, Swinburne University of Technology, City University of Hong Kong, and The Royal Victorian Eye and Ear Hospital, shows that most spreadsheets used in important business applications have errors that can affect decision-making processes. "The high rate of errors in these spreadsheets is concerning," says Prof. Poon.

Errors in spreadsheets can lead to poor decisions, resulting in financial losses, pricing mistakes, and operational problems in fields like health care and nuclear operations. "These mistakes can cause major issues in various sectors," adds Prof. Poon.

More information:Pak-Lok Poon et al, Spreadsheet quality assurance: a literature review, Frontiers of Computer Science (2024). DOI: 10.1007/s11704-023-2384-6

PHYS.ORG

[Also Covered By]: news wise

Original Submission

fliptop writes:

A quote from Wyoming's governor and a local prosecutor were the first things that seemed slightly off to Powell Tribune reporter CJ Baker. Then, it was some of the phrases in the stories that struck him as nearly robotic:

The dead giveaway, though, that a reporter from a competing news outlet was using generative artificial intelligence to help write his stories came in a June 26 article about the comedian Larry the Cable Guy being chosen as the grand marshal of the Cody Stampede Parade.

[...] After doing some digging, Baker, who has been a reporter for more than 15 years, met with Aaron Pelczar, a 40-year-old who was new to journalism and who Baker says admitted that he had used AI in his stories before he resigned from the Enterprise.

[...] Journalists have derailed their careers by making up quotes or facts in stories long before AI came about. But this latest scandal illustrates the potential pitfalls and dangers that AI poses to many industries, including journalism, as chatbots can spit out spurious if somewhat plausible articles with only a few prompts.

[...] "In one case, (Pelczar) wrote a story about a new OSHA rule that included a quote from the Governor that was entirely fabricated," Michael Pearlman, a spokesperson for the governor, said in an email. "In a second case, he appeared to fabricate a portion of a quote, and then combined it with a portion of a quote that was included in a news release announcing the new director of our Wyoming Game and Fish Department."

Related:

• AI Threatens to Crush News Organizations. Lawmakers Signal Change Is Ahead
• New York Times Sues Microsoft, ChatGPT Maker OpenAI Over Copyright Infringement
• A Financial News Site Uses AI to Copy Competitors — Wholesale
• Sports Illustrated Published Articles by Fake, AI-Generated Writers
• OpenAI Has Released the Largest Version Yet of its Fake-News-Spewing AI

Original Submission

Arthur T Knackerbracket has processed the following story:

The Sun is going through an intense time right now. Our host star is experiencing increased activity, with a series of solar eruptions aimed towards Earth that resulted in a rare geomagnetic storm.

The National Oceanic and Atmospheric Administration’s (NOAA) Space Weather Prediction Center issued a severe geomagnetic storm alert on Monday following a series of coronal mass ejections (CMEs) that emerged last week. The storm reached level G4, meaning it’s severe. The geomagnetic storm triggered bright, colorful auroras last night in different parts of the world, with a chance for more of the celestial lights to take over the skies later tonight.

Space weather forecasters at NOAA had been monitoring at least five CMEs that erupted from the Sun since last week in anticipation that some may be headed towards Earth. “Some seem to have missed Earth, some clipped Earth, and then eventually one of those we were anticipating was much more of a good punch,” Shawn Dahl, service coordinator for the Space Weather Prediction Center, told Gizmodo.

[...] The Sun is approaching its solar maximum, a period of increased activity during its 11-year cycle that’s characterized by intense solar flares, coronal mass ejections, and massive sunspots. Earlier in May, a G5, or extreme, geomagnetic storm hit Earth as a result of large expulsions of plasma from the Sun’s corona (also known as coronal mass ejections). The G5 storm was the first to hit Earth in more than 20 years, and had some effects on Earth’s power grid.

[...] This solar cycle is exceptionally active, with the Sun developing the largest number of sunspots since 2002. CMEs typically erupt from regions on the Sun with increased amounts of magnetic flux associated with sunspots, and so far the Sun has sprouted 299 sunspots during its current solar cycle.

It’s obvious that the Sun isn’t stopping anytime soon. “Bottom line is, we’re going to be under the influence of increased activity all of this year, all of next year, and even in 2026 where we’ll continue to have higher chances this type of activity to continue to happen from time to time over the remainder of this solar cycle maximum that we’re experiencing,” Dahl said.

Original Submission

hubie writes:

"We just would like for them to stop honking their horn at four in the morning repeatedly," one neighbor said:

In San Francisco's South of Market neighborhood, neighbors say repeated honking from Waymo driverless cars is disturbing their sleep.

Multiple residents in high-rise buildings off of 2nd Street near Harrison Street told NBC Bay Area News they have been hearing Waymo vehicles honking in a nearby parking lot for the past several weeks. They said that the lot began to be occupied by Waymo vehicles just a few weeks ago. The Waymos appear to go to the lot to rest in between rides.

Christopher Cherry who lives in the building next door said he was "really excited" to have Waymo in the neighborhood, thinking it would bring more security and quiet to the area.

"We started out with a couple of honks here and there, and then as more and more cars started to arrive, the situation got worse, " Cherry said.

Cherry said the honking happens daily at different levels, with the most intense honking occurring at around 4:00 a.m. and at evening rush hour times.

[...] Videos from residents of these incidents show Waymo cars filing into the parking lot, and then attempting to back into spots, which appears to trigger honking from the other Waymo cars.

[...] Neighbors note, there is no one in the cars that they can flag down and ask to stop the honking.

"I think the most frustrating thing about this is that there is just nobody to talk to, and even at the corporate level, I am finding it difficult, not impossible," White said.

Original Submission

Arthur T Knackerbracket has processed the following story:

This year's Pwnie Awards Ceremony was held on Saturday at the DEF CON hacker convention in Las Vegas. Now in its 17th year, the Pwnie Awards recognises some of the most outstanding achievements in technology security over the past year — as well as the greatest failures. 

As such, it was obvious that CrowdStrike would take home an award this year. Over 8.5 million Windows computers went down in July after the cybersecurity company pushed out an update to its software, bringing numerous companies and services across the world to a sudden halt. Businesses impacted included banks, airlines, mail carriers, supermarkets, and telecommunications companies.

The CrowdStrike outage was a massive global event, which has now been recognised with a massive Pwnie Award trophy. The two-tiered trophy awarded to CrowdStrike dwarfed the smaller pony-shaped ones for other categories, as befitting the eclipsing size of its blunder.

"Definitely not the award to be proud of receiving," Sentonas said in his acceptance speech, taking the stage to laughter and applause. "I think the team was surprised when I said straight away that I'd be coming to get it. We got this horribly wrong, we've said that a number of different times. It's super important to own it when you do things well, it's super important to own it when you do things horribly wrong, which we did in this case."

Accepting the large golden trophy, Sentonas stated that he intended to display it at CrowdStrike's headquarters in Austin, Texas. His hope is that it will serve as a reminder to CrowdStrike's staff to prevent such mistakes from happening in the future.

"The reason why I wanted the trophy is I'm heading back to headquarters," Sentosas continued. "I'm gonna take the trophy with me, it's gonna sit pride of place, because I want every CrowdStriker who comes to work to see it. Because our goal is to protect people, and we got this wrong, and I want to make sure that everybody understands these things can't happen, and that's what this community's about. So from that perspective I will say thank you."

Sentonas' in-person acceptance of CrowdStrike's Pwnie Award was widely well-received, with social media users praising him for accepting accountability with humility, class, and good humour.

Though CrowdStrike's Most Epic Fail trophy was only awarded this weekend, its win had already been announced alongside the Pwnie Award nominations in late July. This was within mere days of the infamous global outage that took down numerous companies and services worldwide. 

In a post to X at the time, the Pwnie Awards stated that it was granting the early award due to "extenuating circumstances." Said circumstance was likely the fact that CrowdStrike's fail was so epic that no one was likely to match it unless they deliberately tried. Even then, it would still be a difficult task.

While all other categories at the 2024 Pwnie Awards had three finalists, CrowdStrike had no competition for the Epic Fail Award. Instead, nominee details for the category simply read, "Lol. Lmao even."

Original Submission

upstart writes:

2.9 billion hit in one of the largest data breaches ever:

Regardless of how careful you are online, your personal data can still end up in the hands of hackers—and a new data breach that exposed the data of 2.9 billion people is the perfect example of this.

As reported by Bloomberg, news of this massive new data breach was revealed as part of a class action lawsuit that was filed at the beginning of this month. A complaint submitted to the US District Court for the Southern District of Florida claims the exposed personal data belongs to a public records data provider named National Public Data, which specializes in background checks and fraud prevention.

The personal data of 2.9 billion people, which includes full names, former and complete addresses going back 30 years, Social Security Numbers, and more, was stolen from National Public Data by a cybercriminal group that goes by the name USDoD. The complaint goes on to explain that the hackers then tried to sell this huge collection of personal data on the dark web to the tune of $3.5 million. It's worth noting that due to the sheer number of people affected, this data likely comes from both the U.S. and other countries around the world.

Here's everything we know so far about this massive data breach along with some steps you can take to stay safe if your personal information was exposed online.

So how does a firm like National Public Data obtain the personal data of almost 3 billion people? The answer is through scraping which is a technique used by companies to collect data from web sites and other sources online.

What makes the way National Public Data did this more concerning is that the firm scraped personally identifiable information (PII) of billions of people from non-public sources. As a result, many of the people who are now involved in the class action lawsuit did not provide their data to the company willingly.

According to the complaint, one of the plaintiffs who resides in California first found out about the breach because he was using one of the best identity theft protection services which notified him that his data was exposed and leaked on the dark web.

As part of the class action lawsuit, this plaintiff is asking the court to have National Public Data securely dispose of all the personal information it acquired through scraping. However, he also wants the firm to compensate him and the other victims financially while implementing stricter security measures going forward.

With full names, addresses and Social Security Numbers in hand, there's a lot that hackers can do with this information, especially when it was made available for sale on the dark web.

Original Submission

upstart writes:

The maintainers of the FreeBSD Project have released security updates to address a high-severity flaw in OpenSSH that attackers could potentially exploit to execute arbitrary code remotely with elevated privileges:

The vulnerability, tracked as CVE-2024-7589, carries a CVSS score of 7.4 out of a maximum of 10.0, indicating high severity.

"A signal handler in sshd(8) may call a logging function that is not async-signal-safe," according to an advisory released last week.

"The signal handler is invoked when a client does not authenticate within the LoginGraceTime seconds (120 by default). This signal handler executes in the context of the sshd(8)'s privileged code, which is not sandboxed and runs with full root privileges."

[...] "The faulty code in this case is from the integration of blacklistd in OpenSSH in FreeBSD," the project maintainers said.

"As a result of calling functions that are not async-signal-safe in the privileged sshd(8) context, a race condition exists that a determined attacker may be able to exploit to allow an unauthenticated remote code execution as root."

Users of FreeBSD are strongly advised to update to a supported version and restart sshd to mitigate potential threats.

In cases where sshd(8) cannot be updated, the race condition issue can be resolved by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and restarting sshd(8). While this change makes the daemon vulnerable to a denial-of-service, it safeguards it against remote code execution.

Original Submission

canopic jug writes:

Here are two related essays on software freedom in light of the current environment where platform decay has become the norm.

Lead developer of Linux-Libre, FSFLA board member, and previous FSF board member, Alexandre Oliva wrote a piece back in June about platform decay (also known colloquially as enshittification) and how to fight it through software freedom. It's from his May 5^th, 2024 LibrePlanet presentation with the same title ( video and slides ). This weekend, developer Daniel Cantarín wrote a follow up addressing the nature of software freedom and the increasing communication, philosophical, and political barriers to actually achieving software freedom.

The two essays are essentially in agreement but raise different points and priorities.

Alexandre Oliva's essay includes the following:

[...] Software (static) enshittification

Back in the time when most users could choose which version of a program they wanted to run, upgrading software was not something that happened automagically. Installing a program involved getting a copy of its installable media, and if you wanted to install a newer version, you had to get a copy of the installable media for the newer version.

You could install them side by side, and if you found that the newer version was lacking some feature important to you, or it didn't serve you well, you could roll back to the older version.

This created a scenario in which the old and the new versions competed for users, so in order for the newer version to gain adoption, it had to be more attractive to users than the older one. It had to offer more interesting features, and if it dropped features or engaged in enshittification, it would need even more interesting features to make up.

This limits how much enshittification can be imposed on users in newer versions. It was much harder to pull feature from under users in that static arrangement.

Software (dynamic) enshittification

But now most users are mistreated with imposed updates, and since they are required to be online all the time, they are vulnerable all the time, and they can't go back to an earlier version that served them well. The following are the most enshittifiable arrangements to offer computing facilities to users. Most enshittifiable so far, Homer Simpson would presumably point out.

Apps that run on remotely-controlled telephones (TRApps) and that are typically automatically updated from exclusive app stores, and their counterparts that run on increasingly enshittified computers (CRApps) are cases in which the programs are installed on your own computer, but are controlled by someone else. They've come to be called apps, so that you'll think of them as appliances rather than as something you can and should be able to tinker with.

Web sites that, every time you visit them, install and demand to run Javascrapped programs on your computer, are a case in which, even if the program is technically Free Software, in this setting, someone else controls which version you get to run, and what that version does.

And then, there are the situations in which, instead of getting a copy of a program, you're offered a service that will do your computing for you, under somebody else's control, substituting software that could have been respectful of your freedom. [...]

Arthur T Knackerbracket has processed the following story:

As soon as this week, NASA officials will make perhaps the agency's most consequential safety decision in human spaceflight in 21 years.

NASA astronauts Butch Wilmore and Suni Williams are nearly 10 weeks into a test flight that was originally set to last a little more than one week. The two retired US Navy test pilots were the first people to fly into orbit on Boeing's Starliner spacecraft when it launched on June 5. Now, NASA officials aren't sure Starliner is safe enough to bring the astronauts home.

Three of the managers at the center of the pending decision, Ken Bowersox and Steve Stich from NASA and Boeing's LeRoy Cain, either had key roles in the ill-fated final flight of Space Shuttle Columbia in 2003 or felt the consequences of the accident.

At that time, officials misjudged the risk. Seven astronauts died, and the Space Shuttle Columbia was destroyed as it reentered the atmosphere over Texas. Bowersox, Stich, and Cain weren't the people making the call on the health of Columbia's heat shield in 2003, but they had front-row seats to the consequences.

Bowersox was an astronaut on the International Space Station when NASA lost Columbia. He and his crewmates were waiting to hitch a ride home on the next Space Shuttle mission, which was delayed two-and-a-half years in the wake of the Columbia accident. Instead, Bowersox's crew came back to Earth later that year on a Russian Soyuz capsule. After retiring from the astronaut corps, Bowersox worked at SpaceX and is now the head of NASA's spaceflight operations directorate.

Stich and Cain were NASA flight directors in 2003, and they remain well-respected in human spaceflight circles. Stich is now the manager of NASA's commercial crew program, and Cain is now a Boeing employee and chair of the company's Starliner mission director. For the ongoing Starliner mission, Bowersox, Stich, and Cain are in the decision-making chain.

All three joined NASA in the late 1980s, soon after the Challenger accident. They have seen NASA attempt to reshape its safety culture after both of NASA's fatal Space Shuttle tragedies. After Challenger, NASA's astronaut office had a more central role in safety decisions, and the agency made efforts to listen to dissent from engineers. Still, human flaws are inescapable, and NASA's culture was unable to alleviate them during Columbia's last flight in 2003.

[...] "I have wondered if some in management roles today that were here when we lost Challenger and Columbia remember that in both of those tragedies, there were those that were not comfortable proceeding," Milt Heflin, a retired NASA flight director who spent 47 years at the agency, wrote in an email to Ars. "Today, those memories are still around."

"I suspect Stich and Cain are paying attention to the right stuff," Heflin wrote.

The question facing NASA's leadership today? Should the two astronauts return to Earth from the International Space Station in Boeing's Starliner spacecraft, with its history of thruster failures and helium leaks, or should they come home on a SpaceX Dragon capsule?

Under normal conditions, the first option is the choice everyone at NASA would like to make. It would be least disruptive to operations at the space station and would potentially maintain a clearer future for Boeing's Starliner program, which NASA would like to become operational for regular crew rotation flights to the station.

But some people at NASA aren't convinced this is the right call. Engineers still don't fully understand why five of the Starliner spacecraft's thrusters overheated and lost power as the capsule approached the space station for docking in June. Four of these five control jets are now back in action with near-normal performance, but managers would like to be sure the same thrusters—and maybe more—won't fail again as Starliner departs the station and heads for reentry.

Original Submission

Freeman writes:

https://arstechnica.com/science/2024/08/mdma-for-ptsd-three-studies-retracted-on-heels-of-fda-rejection/

A scientific journal has retracted three studies underpinning the clinical development of MDMA—aka ecstasy—as a psychedelic treatment for post-traumatic stress disorder. The move came just a day after news broke that the Food and Drug Administration rejected the treatment, despite positive results reported from two Phase III clinical trials.

On Friday, the company developing the therapy, Lykos Therapeutics, announced that it had received a rejection letter from the FDA. Lykos said the letter echoed the numerous concerns raised previously by the agency and its expert advisory committee, which, in June, voted overwhelmingly against approving the therapy. The FDA and its advisers identified flaws in the design of the clinical trials, missing data, and a variety of biases in people involved with the trials, including an alleged cult-like support of psychedelics. Lykos is a commercial spinoff of the psychedelic advocacy nonprofit Multidisciplinary Association for Psychedelic Studies (MAPS).

FDA advisers also noted the public allegations of a sexual assault of a trial participant during a Phase II trial by an unlicensed therapist providing the MDMA-assisted psychotherapy.

Original Submission

upstart writes:

Algorithmic collusion appears to be spreading to more and more industries. And existing laws may not be equipped to stop it:

If you rent your home, there's a good chance your landlord uses RealPage to set your monthly payment. The company describes itself as merely helping landlords set the most profitable price. But a series of lawsuits says it's something else: an AI-enabled price-fixing conspiracy.

The classic image of price-fixing involves the executives of rival companies gathering behind closed doors and secretly agreeing to charge the same inflated price for whatever they're selling. This type of collusion is one of the gravest sins you can commit against a free-market economy; the late Justice Antonin Scalia once called price-fixing the "supreme evil" of antitrust law. Agreeing to fix prices is punishable with up to 10 years in prison and a $100 million fine.

But, as the RealPage example suggests, technology may offer a workaround. Instead of getting together with your rivals and agreeing not to compete on price, you can all independently rely on a third party to set your prices for you. Property owners feed RealPage's "property management software" their data, including unit prices and vacancy rates, and the algorithm—which also knows what competitors are charging—spits out a rent recommendation. If enough landlords use it, the result could look the same as a traditional price-fixing cartel: lockstep price increases instead of price competition, no secret handshake or clandestine meeting needed.

Without price competition, businesses lose their incentive to innovate and lower costs, and consumers get stuck with high prices and no alternatives. Algorithmic price-fixing appears to be spreading to more and more industries. And existing laws may not be equipped to stop it.

In 2017, then–Federal Trade Commission Chair Maureen Ohlhausen gave a speech to antitrust lawyers warning about the rise of algorithmic collusion. "Is it okay for a guy named Bob to collect confidential price strategy information from all the participants in a market and then tell everybody how they should price?" she asked. "If it isn't okay for a guy named Bob to do it, then it probably isn't okay for an algorithm to do it either."

[...] According to the lawsuits, RealPage's clients act more like collaborators than competitors. Landlords hand over highly confidential information to RealPage, and many of them recruit their rivals to use the service. "Those kinds of behaviors raise a big red flag," Maurice Stucke, a law professor at the University of Tennessee and a former antitrust attorney at the Department of Justice, told me. When companies are operating in a highly competitive market, he said, they typically go to great lengths to protect any sensitive information that could give their rivals an edge.

Submitted on behalf of mrpg:

https://www.wired.com/story/usps-scam-text-smishing-triad/

The flood of text messages started arriving early this year. They carried a similar thrust: The United States Postal Service is trying to deliver a parcel but needs more details, including your credit card number. All the messages pointed to websites where the information could be entered.

Like thousands of others, security researcher Grant Smith got a USPS package message. Many of his friends had received similar texts. A couple of days earlier, he says, his wife called him and said she'd inadvertently entered her credit card details. With little going on after the holidays, Smith began a mission: Hunt down the scammers.

Over the course of a few weeks, Smith tracked down the Chinese-language group behind the mass-smishing campaign, hacked into their systems, collected evidence of their activities, and started a months-long process of gathering victim data and handing it to USPS investigators and a US bank, allowing people's cards to be protected from fraudulent activity.

In total, people entered 438,669 unique credit cards into 1,133 domains used by the scammers, says Smith, a red team engineer and the founder of offensive cybersecurity firm Phantom Security. Many people entered multiple cards each, he says. More than 50,000 email addresses were logged, including hundreds of university email addresses and 20 military or government email domains. The victims were spread across the United States—California, the state with the most, had 141,000 entries—with more than 1.2 million pieces of information being entered in total.

[...] Chasing down the group didn't take long. Smith started investigating the smishing text message he received by the dodgy domain and intercepting traffic from the website. A path traversal vulnerability, coupled with a SQL injection, he says, allowed him to grab files from the website's server and read data from the database being used.