
A wiring mistake by BT meant three people were wrongly accused of downloading child abuse images. CC-licensed photo by Paul Robertson on Flickr.
A selection of 10 links for you. Crossed. I’m @charlesarthur on Twitter. On Threads: charles_arthur. On Mastodon: https://newsie.social/@charlesarthur. On Bluesky: @charlesarthur.bsky.social. Observations and links welcome.
ChatGPT Atlas: OpenAI launches web browser centered around its chatbot • The Guardian
Johana Bhuiyan and agency:
»
OpenAI on Tuesday launched an AI-powered web browser built around its marquee chatbot.
“Meet our new browser—ChatGPT Atlas,” a tweet from the company read.
The browser is designed to provide a more personalized web experience and includes a ChatGPT sidebar that enables users to ask questions about or engage with various aspects of each website they visit, as demonstrated in a video posted alongside the announcement. Atlas is now available globally on Apple’s Mac operating system and will soon be made available on Windows, iOS and Android, according to OpenAI’s announcement.
Users can open the ChatGPT sidebar and ask it to “summarize content, compare products, or analyze data from any site”, the company website reads. The company has also started to roll out a preview of a virtual assistant dubbed “Agent Mode” to certain premium accounts. Agent Mode allows users to ask ChatGPT to complete tasks “from start to finish” such as “researching and shopping for a trip”.
The browser also enables ChatGPT to edit and alter highlighted text. An example on the website shows an email with highlighted text and a suggested prompt: “Make this sound more professional.”
The company says that users have complete control over their privacy settings: “You control what it remembers about you, how your data is used, and the privacy settings that apply while you browse.” At the moment, Atlas users will be automatically opted out of allowing their browsing data to be used to train ChatGPT models, for instance. And, like in other browsers, a user can delete their browsing and web history.
«
The underlying web engine is Chromium, the open-source basis of Google’s Chrome. So it’s going to look familiar, but of course it’s going to be phoning home to ChatGPT all the time. Natural language searching of your web history; but not yet clear what its search index is. Presumably not Google?
BT wiring fault led to three falsely accused of child abuse image • BBC News
Owain Evans:
»
Three people were wrongly accused of downloading child abuse images due to a broadband wiring error by a BT engineer, a tribunal has heard.
The mistake meant internet activity linked to the real offender was traced instead to the address where two men and a woman were staying, who had their electronic devices seized over the course of two police searches. The false accusations back in 2016 had “highly distressing and far-reaching” consequences for the three, the Investigatory Powers Tribunal (IPT) was told.
It ruled that Dyfed-Powys Police had acted lawfully, and found that the error was caused by a technical fault rather than police misconduct.
BT has been approached for comment.
The IPT deals with complaints from anyone who feels they have been the victim of unlawful action by a public body using covert investigative techniques. Each of the three claimants was granted anonymity by the tribunal, and the location of the incident was only described as Dyfed-Powys Police’s “area of operation in Wales”, which covers Carmarthenshire, Ceredigion, Pembrokeshire and Powys.
British telecommunication firm BT told the tribunal that two wires within a street cabinet linking to both addresses had been inadvertently crossed. As a result the offending IP address had been incorrectly attributed to the address of the first male claimant who was its registered tenant, which he shared with a friend whose girlfriend was also visiting at the time.
The tribunal heard all three had to tell their employers about the accusations made against them. The innocent woman was advised her children could not live with her alone until she was cleared, and the two men faced child protection referrals. The first male claimant was placed on restricted duties at work and the second had a job offer withdrawn.
«
This is unimaginably awful. And it happened nine years ago! At least the three were never charged; the actual offender was later identified. But there’s no compensation for those wrongly accused.
Europol dismantles SIM farm network powering 49 million fake accounts worldwide • Hacker News
Ravie Lakshmanan:
»
Europol on Friday announced the disruption of a sophisticated cybercrime-as-a-service (CaaS) platform that operated a SIM farm and enabled its customers to carry out a broad spectrum of crimes ranging from phishing to investment fraud.
The coordinated law enforcement effort, dubbed Operation SIMCARTEL, saw 26 searches carried out, resulting in the arrest of seven suspects and the seizure of 1,200 SIM box devices, which contained 40,000 active SIM cards. Five of those detained are Latvian nationals.
In addition, five servers were dismantled and two websites (gogetsms[.]com and apisim[.]com) advertising the service were taken over on October 10, 2025, to display a seizure banner. Separately, four luxury vehicles were confiscated, and €431,000 ($502,000) in suspects’ bank accounts and €266,000 ($310,000) in their cryptocurrency accounts were frozen.
The countries that participated in the operation comprised authorities from Austria, Estonia, Finland, and Latvia, in collaboration with Europol and Eurojust.
According to Europol, the criminal network has been attributed to more than 1,700 individual cyber fraud cases in Austria and 1,500 in Latvia, leading to losses totaling around €4.5m ($5.25m) and €420,000 ($489,000) in the two countries, respectively.
“The criminal network and its infrastructure were technically highly sophisticated and enabled perpetrators around the world to use this SIM-box service to conduct a wide range of telecommunications-related cybercrimes, as well as other crimes,” the agency said.
«
Imagine how many more of these there might be around the world. We know the US Secret Service found one. It’s not hard to hide them. Hundreds? Thousands? Even... millions?
NSO permanently barred from targeting WhatsApp users with Pegasus spyware • Ars Technica
Dan Goodin:
»
A federal judge has ordered spyware maker NSO to stop using its Pegasus app to target or infect users of WhatsApp.
The ruling, issued Friday by Phyllis J. Hamilton of the US District Court of the District of Northern California, grants a permanent injunction sought by WhatsApp owner Meta in a case it brought against NSO in 2019. The lawsuit alleged that Meta caught NSO trying to surreptitiously infect about 1,400 mobile phones—many belonging to attorneys, journalists, human-rights activists, political dissidents, diplomats, and senior foreign government officials—with Pegasus. As part of the campaign, NSO created fake WhatsApp accounts and targeted Meta infrastructure. The suit sought monetary awards and an injunction against the practice.
Friday’s ruling ordered NSO to permanently cease targeting WhatsApp users, attempting to infect their devices, or intercepting WhatsApp messages, which are end-to-end encrypted using the open source Signal Protocol. Hamilton also ruled that NSO must delete any data it obtained when targeting the WhatsApp users.
NSO had argued that such a ruling would “force NSO out of business,” as Pegasus is its “flagship product.” Hamilton ruled that the harm Pegasus posed to Meta outweighed any such considerations.
“In the court’s view, any business that deals with users’ personal information, and that invests resources into ways to encrypt that personal information, is harmed by the unauthorized access of that personal information—and it is more than just a reputational harm, it’s a business harm,” Hamilton wrote. “Essentially, part of what companies such as Whatsapp are ‘selling’ is informational privacy, and any unauthorized access is an interference with that sale. Defendants’ conduct serves to defeat one of the purposes of the service being offered by plaintiffs, which constitutes direct harm.”
The judge went on to deny Meta’s request that the injunction bar foreign governments that may use WhatsApp. She said that sovereign governments weren’t parties to the lawsuit. Friday’s ruling also denied Meta’s request that the injunction bar NSO from targeting users of other Meta properties such as Facebook and Instagram on the grounds there was no evidence presented concerning targeting of them.
«
Without reading the ruling, does “users of WhatsApp” mean “people who have a WhatsApp account/the app on their phone” or “active users of WhatsApp who were targeted through that app”? They seem different.
Tahoe Electron detector • furbo.org
Craig Hockenberry:
»
No, we’re not doing science at California’s most beautiful lake. We’re looking for bugs.
A popular cross-platform app development framework called Electron is using private and undocumented API that’s causing system-wide slowdowns in macOS Tahoe.
We’re hearing from customers that some of our apps are running slowly on Tahoe and I suspect that this bug has something to do with it. Unfortunately, it’s hard for customers to check which version of Electron is being used and see if that might be a cause. So I decided to do something about that…
Luckily there’s a script written by Tomas Kafka that lets you check all your apps quickly and easily. I took that script, updated some parts that required Xcode to be installed, and wrapped it up in an AppleScript applet that’s easy to download and run.
…If you’re one of those people who’s wondering when it’s a good time to upgrade to Tahoe, you can run TahoeElectronDetector on older versions of macOS and give yourself an idea of when it’s safe to move to the new operating system.
Additionally, there’s a website that lists the status of the most popular apps. This will be helpful in locating newer versions since some of them will not update automatically.
«
ICE’s “athletically allergic” recruits • The Atlantic
Nick Miroff:
»
President Donald Trump’s plan to double the size of the ICE workforce has met a foe more powerful than any activist group. It is decimating new recruits at the agency’s training academy in Georgia. It is the ICE personal-fitness test.
More than a third have failed so far, four officials told me, impeding the agency’s plan to hire, train, and deploy 10,000 deportation officers by January. To pass, recruits must do 15 push-ups and 32 sit-ups, and run 1.5 miles (2.4km) in 14 minutes.
“It’s pathetic,” one career ICE official told me, adding that before now, a typical class of 40 recruits had only a couple of candidates fail, because the screening process was more rigorous.
The academy’s standards have already been eased to boost recruitment, he said, and the new parameters “should be the minimum for any officer.” He and others, none of whom were authorized to speak with reporters, told me that agency veterans are concerned about the quality of the new recruits being fast-tracked onto the street to meet Trump’s hiring goals.
An email from ICE headquarters to the agency’s top officials on October 5 lamented that “a considerable amount of athletically allergic candidates” had been showing up to the academy; they had “misrepresented” their physical condition on application forms. The email directed leaders at ICE’s field offices to conduct preliminary fitness exams with new recruits before sending them to the academy.
“We all know the self-certification method has failed,” Ralph Ferguson, an operations official at ICE headquarters, wrote.
The Department of Homeland Security spokesperson Tricia McLaughlin told me in a statement that the one-third failure rate reflected only “a subset of candidates in initial basic academy classes,” and not all new hires. She said DHS expects to fill 85% of new deportation-officer positions with experienced law-enforcement officials whom they can fast-track.
«
That’s utterly incredible. The running test is a pace of 5’50” per km, which ought to be feasible for anyone under 50 not weighed down by avoirdupois. But the evidence from video is that ICE recruits are not, by any means, fleet of foot and rely instead on proximity and guns. (Gift link.)
‘Significant exposure’: Amazon Web Services outage exposed UK state’s £1.7bn reliance on tech giant • The Guardian
Simon Goodley:
»
AWS has won 189 UK government contracts worth £1.7bn since 2016 – during which time it has invoiced about £1.4bn, according to the figures compiled by Tussell, a public procurement intelligence firm.
The research group added that “35 public sector authorities currently use [AWS] services across 41 contracts worth a combined £1.1bn. Key ministerial departments have contracts with the company such as the Home Office, DWP, HMRC, [the Ministry of Justice], the Cabinet Office and Defra.”
Tim Wright, a technology partner at the law firm Fladgate, said: “That’s a very significant exposure and it’s pretty ironic considering how the FCA [Financial Conduct Authority] and the PRA [Prudential Regulation Authority] have repeatedly highlighted the dangers of concentration risk in cloud service provision for regulated entities for a number of years.
“Recent moves by HM Treasury, the PRA and FCA to establish direct oversight of ‘critical third parties’ aim to address precisely the risk of outages like that suffered by AWS, yet until significant diversification or sovereign cloud adoption occurs, the UK government’s own stance shows an uncomfortable contradiction with the very resilience principles regulators have advocated.”
The House of Commons’ treasury committee has written to the economic secretary to the Treasury, Lucy Rigby, to ask why the government had not yet designated Amazon a “critical third party” to the UK’s financial services sector – which would expose the tech firm to financial regulatory oversight.
…Among the UK government contracts, only HMRC said it was affected. It said that customers were “having problems accessing our online services”, and urged them to call back later as its phone lines were busy.
«
HMRC is always busy, so to be honest that’s not unexpected. But this is clearly a critical risk.
AWS crash causes $2,000 Smart Beds to overheat and get stuck upright • Dexerto
Calum Patterson:
»
A major Amazon Web Services (AWS) outage on October 20 had the unexpected side effect of causing chaos in bedrooms across the US, as owners of Eight Sleep’s $2,000+ ‘Pod’ mattress covers found their smart beds had no offline mode and were stuck at high temperatures and odd positions in the night.
The outage began around 3 am ET, when AWS reported “increased error rates and latencies” in its US-EAST-1 region. By mid-morning, Downdetector had logged more than eight million reports of disruptions affecting apps, games, and banking platforms.
Eight Sleep’s products rely on cloud connectivity to control temperature and track biometric data. When AWS went down, users lost access to the app that manages its water-cooled coils, leaving them stuck with whatever setting was last active.
Some beds overheated, others stopped cooling altogether, and several users said their devices became completely unresponsive.
One viral post from tech enthusiast Alex Browne summed up the absurdity after his Pod locked itself nine degrees above room temperature. “Backend outage means I’m sleeping in a sauna,” he wrote. “Eight Sleep confirmed there’s no offline mode yet, but they’re working on it.”
«
No offline mode! I know, you’re thinking: how could anyone be that stupid? Except there’s a wrinkle in the US tax code called ASC 606 which means you can’t book your revenue as “software as a service” (SaaS) unless the product is crippled without an internet connection. This is a problem for Eight Sleep: it can promise an offline version, but what if everyone starts using that?
Apple alerts exploit developer that his iPhone was targeted with government spyware • TechCrunch
Lorenzo Franceschi-Bicchierai:
»
Earlier this year, a developer was shocked by a message that appeared on his personal phone: “Apple detected a targeted mercenary spyware attack against your iPhone.”
“I was panicking,” Jay Gibson, who asked that we don’t use his real name over fears of retaliation, told TechCrunch.
Gibson, who until recently built surveillance technologies for Western government hacking tools maker Trenchant, may be the first documented case of someone who builds exploits and spyware being themselves targeted with spyware.
“What the hell is going on? I really didn’t know what to think of it,” said Gibson, adding that he turned off his phone and put it away on that day, March 5. “I went immediately to buy a new phone. I called my dad. It was a mess. It was a huge mess.”
At Trenchant, Gibson worked on developing iOS zero-days, meaning finding vulnerabilities and developing tools capable of exploiting them that are not known to the vendor who makes the affected hardware or software, such as Apple.
“I have mixed feelings of how pathetic this is, and then extreme fear because once things hit this level, you never know what’s going to happen,” he told TechCrunch.
But the ex-Trenchant employee may not be the only exploit developer targeted with spyware. According to three sources who have direct knowledge of these cases, there have been other spyware and exploit developers in the last few months who have received notifications from Apple alerting them that they were targeted with spyware.
«
I’m surprised he’s surprised: if you’re searching for zero-days, you’re obviously going to be of interest to state hackers who would like to get their hands on the zero-days without having to pay for them. And they’d also like to know who those zero-days are going to. Trenchant needs better employee briefing, is my take.
Book excerpt: Taiwan’s undersea cables face growing threats • Rest of World
Samanth Subramanian:
»
Not long after the cables in the Matsu islands were cut, Taiwan’s communications authority proposed heavy criminal penalties for anyone who damaged subsea cables: a fine of up to $3.2m and life in prison. The law is both harsh and, in the case of foreign actors, essentially meaningless. How would a Taiwanese court even begin to try the Chinese crew of a long-gone fishing vessel?
At present, there is no effective, coherent body of law to hold responsible saboteurs of cables at sea. The only guides available are a mess of national regulations and the UN Convention on the Law of the Sea. Jurisdictions overlap furiously: if, out in international waters, a ship flagged in Panama and operated by an Indian crew cuts a cable that lands in several countries along the west African coast and that is co-owned by British, South African, and American companies, who is the perpetrator, who is the victim, and where would a trial take place? The law around undersea cables turns out to be just as murky and uncertain as the submarine depths in which these cables lie.
For more than a century, the positions of cables at sea have been recorded carefully in maps and published — the better to warn ships to avoid them. “But if this data is used the other way, it becomes a vulnerability,” Chiueh said. “All countries face this problem now.”
«
Elon Musk must be rubbing his hands in delight at the prospect of all those undersea cables being in trouble. But: satellites can be attacked too.
Errata, corrigenda and ai no corrida: none notified