Former Amazon engineer convicted in 2019 Capital One data breach

A Seattle jury has found Paige Thompson, a former Amazon software engineer accused of stealing data from Capital One in 2019, guilty of wire fraud and five counts of unauthorized access to a protected computer. The Capital One hack was one of the biggest security breaches in the US and compromised the data of 100 million people in the country, along with 6 million people in Canada. Thompson was arrested in July that year after a GitHub user saw her post on the website sharing information about stealing data from servers storing Capital One information. 

According to the Department of Justice, Thompson used a tool she built herself to scan Amazon Web Services for misconfigured accounts. She then allegedly used those accounts to infiltrate Capital One’s servers and download over 100 million people’s data. The jury decided that Thompson violated the Computer Fraud and Abuse Act by doing so, though her lawyers argued that she used the same tools and methods ethical hackers use.

The Justice Department recently amended the Computer Fraud and Abuse Act to protect ethical or white hat hackers. As long as researchers are investigating or fixing vulnerabilities in “good faith” and aren’t using the security holes they discover for extortion or other malicious purposes, they can no longer be charged under the law.

US authorities, however, disagreed with the assertion that she was only trying to expose Capital One’s vulnerabilities. The Justice Department said she planted cryptocurrency mining software onto the bank’s servers and sent the earnings straight to her digital wallet. She also allegedly bragged about the hack on online forums. 

“Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself,” US Attorney Nick Brown said. Thompson could be sentenced with up to 20 years of prison time for wire fraud and up to five years for each charge of illegally accessing a protected computer. Her sentencing hearing is scheduled for September 15th.

TikTok says it’s storing US data domestically amid renewed security concerns

TikTok says it’s achieved a “significant milestone” toward its promises to beef up the security of its US users’ data. In a new update, the company says it has “changed the default storage location of US user data.”

As the company notes, it had already stored much of its user data in the United States, at a Virginia-based data center. But under a new partnership with Oracle, the company has migrated US user traffic to a new Oracle Cloud Infrastructure.

“Today, 100% of US user traffic is being routed to Oracle Cloud Infrastructure,” the company wrote in a blog post. “We still use our US and Singapore data centers for backup, but as we continue our work we expect to delete US users’ private data from our own data centers and fully pivot to Oracle cloud servers located in the US.” Additionally, TikTok says it has made “operational changes,” including a new department “with US-based leadership, to solely manage US user data for TikTok.”

The moves are part of a longstanding effort by TikTok to address US officials’ concerns over how user data is handled by TikTok and parent company ByteDance. The company has been working to separate US user data so that it’s not accessible to China-based ByteDance as US lawmakers eye legislation to curb the influence of Chinese tech companies.

Still, the new safeguards are unlikely to fully sway critics of TikTok, who say the company still hasn’t addressed all potential concerns about how US user data is handled. In fact, just after TikTok published its blog post, BuzzFeed News published a report that raises new questions about how the company handles the data of its US users.

The report, which was based on hours of internal meetings leaked to BuzzFeed, says that “China-based employees of ByteDance have repeatedly accessed nonpublic data about US TikTok users.” The recordings, which cover a time period between last September and January 2022, offer new details about the complex effort to cut off ByteDance’s access to US user data.

The report quotes an outside consultant hired by TikTok to oversee some of the work saying that they believed there was a “backdoor to access user data in almost all” of the company’s internal tools. It also quotes statements from several employees who say “that engineers in China had access to US data between September 2021 and January 2022, at the very least.”

It also notes that while data deemed “sensitive,” like users’ birth dates and phone numbers, will be stored in the Oracle servers, other information about US-based users could remain accessible to ByteDance. “ByteDance’s China-based employees could continue to have access to insights about what American TikTok users are interested in, from cat videos to political beliefs,” the report says.

That may not seem as serious as more personal information like birthdays and phone numbers, but it’s exactly the kind of details that some lawmakers in the US have raised concerns about. US officials have questioned whether the app’s “For You” algorithm could be used as a means of foreign influence.

“We know we’re among the most scrutinized platforms from a security standpoint, and we aim to remove any doubt about the security of US user data,” TikTok said in a statement to BuzzFeed News.

The Apple TV 4K drops to $130, plus the rest of the week’s best tech deals

If you’re still hunting for the perfect gift for dad ahead of Father’s Day this weekend, a bunch of our favorite gadgets are on sale right now. The Apple TV 4K remains discounted to $130, its cheapest price yet, and a couple of colors of the AirPods Ma…

Senators call for a common charger standard in the US

The European Union might not be the only government body setting a common standard for device chargers. The Verge notes US senators Ed Markey, Elizabeth Warren and Bernie Sanders have sent a letter to Commerce Secretary Gina Raimondo calling on her department to develop a “comprehensive strategy” that would lead to a common charging standard. The EU acted in the “public interest” by settling on one port, the senators said, and the US ought to follow suit to reduce the environmental impact of chargers while improving convenience for users.

The politicians’ arguments largely mirrored the EU’s stance. A charger standard would theoretically reduce e-waste by letting people reuse existing cables and adapters for new devices. It could also save consumers money by sparing them from buying additional chargers, not to mention adding “sanity and certainty” to electronics shopping. This would prevent companies from locking you into proprietary cables that become obsolete, according to the group.

Raimondo hadn’t responded to the letter as of this writing. The senators didn’t specify USB-C as the standard, although that’s likely to be the frontrunner. The EU will require USB-C starting in 2024, and the technology can accommodate everything from smartphones and earbuds through to high-end laptops. It also provides more consistent approaches to fast charging and accessory support.

Critics and some companies have long pushed back on charger standards. Apple most notably claimed a universal charger would hurt innovation by limiting the potential for technical advances, and would allegedly negate e-waste reduction by forcing legions of the company’s users to replace their Lightning cables. Brands like Apple might not have much choice but to switch given the EU’s move, however, and a US standard would only cement that decision.

As it is, there are rumors Apple will move to USB-C for both its 2023 iPhone lineup and this year’s base iPad (all other iPads already use the format). A US charging standard might prevent companies like Apple from reverting to proprietary connectors later on, but the possible new regulation might do little more than enforce the status quo by the time it takes effect.

WhatsApp adds new privacy controls for profile photos and ‘Last Seen’ status

After previewing the feature in beta last April, WhatsApp is rolling out greater privacy controls for the Profile Photo, About, Status and Last Seen settings, the company tweeted. Until now, you could only restrict those settings to Everyone, My Contacts or Nobody, but the new update introduces a “My Contacts Except” option that offers far more granular control.

The “Last Seen” status is a particular privacy concern, as it indicates when someone last opened the app. That gives others a way to infer whether a contact may have seen your message even if they have read receipts turned off. The new option lets you hide Last Seen from specific people, and likewise hide your Profile Photo, About and Status from individual users.

If you restrict your Last Seen status from certain people, you’ll notice that you won’t be able to see their Last Seen status, either. The new settings are available by opening the three-dot menu in the upper right corner and navigating to Account > Privacy.

WhatsApp has added a number of new features of late, both around privacy and convenience. Last year, the company said it would limit accounts for users who don’t accept its new privacy policy, but it later backtracked on that. Earlier this week, the chat app unveiled a new feature that makes it easier to switch from Android to iOS.