The US Congress will this week decide the fate of Section 702, a major surveillance program that will soon expire if lawmakers do not act. WIRED is tracking the major developments as they unfold.

The United States government, like its rivals in Moscow and Beijing, has poured untold millions of dollars into quietly turning the phones and internet browsers of its own citizens into a powerful intelligence-gathering tool. Shadowy deals between federal agencies and commercial data brokers have helped the US intelligence system to amass a “large amount” of what its own experts term “intimate information” on Americans.

Most US citizens are in the dark as to the true scope and scale of the surveillance they’re under.

House speaker Mike Johnson—whose brief tenure as speaker has been roiled by an ongoing debate over domestic intelligence abuses—previously supported several privacy measures that, now in power, he is working to defeat, including strong new limits on the government’s access to private data.

This week, Johnson is working to resolve the lingering issue of reauthorizing Section 702, a key foreign surveillance program authorized by Congress to target terrorists, cybercriminals, and narcotics traffickers overseas. The program is set to officially expire on April 19.

Congressional sources tell WIRED that a vote to salvage the program could come as early as Thursday, following a series of scheduled briefings on Tuesday and Wednesday between lawmakers and intelligence officials, as well as a number of smaller votes that may significantly modify the terms of the program for years to come.

The focus of privacy advocates has turned almost entirely to an amendment that aims to force the FBI and other agencies to apply for a warrant before accessing the communications of Americans _incidentally_ captured by the US under the 702 program.

Thursday’s vote over the 702 program is at least the third scheduled by the speaker since December. As Johnson has in each case waited until the final moment to delay the vote, a fog of uncertainty surrounds the whole of the process. Privately, lawmakers are discussing next steps should the speaker decide to simply let the program expire, avoiding new statutory limits on the government's most-prized surveillance weapon.

To keep pace with a situation that is sure to evolve rapidly over the next 48 hours, WIRED will update this article with the latest details as they become available. See below for the latest developments.

**House Intel Chair Fires Back at Warrant Seekers**

“We are here,” representative Mike Turner told the House Rules Committee, “because the intelligence community failed us. The FBI failed us. The intelligence community failed to properly police themselves, and they abused the tools that we gave them under FISA.”

Turner, the GOP chairman of the House Intelligence Committee, testified that, in his opinion, the underlying text of the bill was adequate to curb future surveillance abuses by the FBI; that the abuses of the past had been the result of mistakes made by “rank-and-file” employees; and that the same mistakes could be reasonably avoided today by merely asking higher ranking officers to sign off before granting access to wiretaps of Americans’ calls and texts.

Throughout his testimony, Turner discussed the 702 program in terms that focused strictly on its use against terrorist organizations, at times implying that only the communications of Americans in direct contact with foreigners who “represent a national security threat to the United States” are swept up by the program.

In fact, no foreigner is required to have ties to terrorism or be suspected of a crime against the US to be considered a legitimate 702 target. Far less discerning, one of the stated purposes of the program is to gather information relevant to the “conduct of foreign affairs”—a phrase that legal experts contend is so vague as to apply to “almost any activity.”

**What Is Section 702?**

In the wake of 9/11, US president George W. Bush authorized the National Security Agency (NSA) to eavesdrop on Americans without court-approved warrants as part of the hunt for evidence of terrorist activity. A federal judge ruled the collection unconstitutional in 2006, as part of a lawsuit brought by the American Civil Liberties Union. (An appeals court later overturned the ruling without challenging the case's merits.)

Rather than end the surveillance, Congress codified the program as Section 702 of the Foreign Intelligence Surveillance Act (FISA), granting itself some authority to enforce procedures ostensibly designed to limit the program's impact on Americans’ civil liberties.

Section 702 explicitly prohibits the government from targeting Americans. The surveillance must instead focus on foreigners who are physically located overseas. Nevertheless, Americans’ communications are routinely swept up by the program.

While denying that it intentionally sets out to eavesdrop on its own citizens, once it has already done so, the US government’s position is that it now has a right to access these “legally collected” communications without a judge’s approval. In 2021 alone, the FBI conducted searches of communications intercepted under 702 more than 3.4 million times.

Last year, after acknowledging that hundreds of thousands of these searches were unlawful, the FBI said it had taken steps to curtail the number of queries carried out by its employees, reporting in 2022 as few as 204,000 searches.

It is impossible to count the number of Americans whose calls, emails, and texts are subject to surveillance under 702, the government claims, arguing that any attempt to reach an accurate figure would only further imperil the privacy of the Americans it surveils.

Congress is currently divided into two factions: Those that believe the FBI should be required to get a warrant before reading or listening to the communications of Americans collected under 702. And those who say warrants are too burdensome a requirement to impose on investigations of national security threats.

**Judiciary Leaders Call Out FBI’s History of Abuse**

Jim Jordan, the Republican chairman of the House Judiciary Committee, and a leading advocate for stronger privacy under 702 among conservatives, drew attention in his testimony Tuesday to the litany of surveillance abuses first reported by _The Washington Post_ one year ago.

Court documents declassified and released by the FISA court last year found that the FBI had misused the 702 program more than 278,000 times, including, as _The Post_ reported, against “crime victims, Jan. 6 riot suspects, people arrested at protests after the policing killing of George Floyd in 2020 and—in one case—19,000 donors to a congressional candidate.”

“The fundamental question, still, is if the FBI wouldn't follow the procedures in place 278,000 times ... are new requirements going to be enough to safeguard American’ liberties?” Jordan says. "When you have the history we have with this organization, relative to not following the rules, we think you need a separate but equal branch of the government to approve a warrant before you can query American citizens' information.”

Jarrold Nadler—Jordan's Democratic counterpart on the Judiciary—concurred, calling even more emphatically on Congress to “rein in abuse of FISA Section 702 authorities by the intelligence community.”

“Yes, there are already laws on the books to protect Americans from unauthorized government surveillance,” says Nadler. “But we know from our oversight efforts and the intelligence community's own reporting that these laws are often disregarded and are at the very least inadequate to keep this powerful surveillance tool in check.”

The House Rules Committee is currently holding a hearing that will determine what the final text of the 702-reauthorization bill will look like and which amendments will be offered up for a vote on the House floor.

Both the House Judiciary and Intelligence committees are expected to offer up several amendments, with the latter aiming to impose new warrant requirements on the FBI prior to querying the 702 database for information on Americans. Watch the hearing below:

Section 702: The Future of the Biggest US Spy Program Hangs in the Balance

AI tools are getting better at cloning people’s voices, and scammers are using these new capabilities to commit fraud. Avoid getting swindled by following these expert tips.

You answer a random call from a family member, and they breathlessly explain how there’s been a horrible car accident. They need you to send money right now, or they’ll go to jail. You can hear the desperation in their voice as they plead for an immediate cash transfer. While it sure sounds like them, and the call came from their number, you feel like something’s off. So, you decide to hang up and call them right back. When your family member picks up your call, they say there hasn’t been a car crash, and that they have no idea what you’re talking about.

Congratulations, you just successfully avoided an artificial intelligence scam call.

As generative AI tools get more capable, it is becoming easier and cheaper for scammers to create fake—but convincing—audio of people’s voices. These AI voice clones are trained on existing audio clips of human speech, and can be adjusted to imitate almost anyone. The latest models can even speak in numerous languages. OpenAI, the maker of ChatGPT, recently announced a new text-to-speech model that could further improve voice cloning and make it more widely accessible.

Of course, bad actors are using these AI cloning tools to trick victims into thinking they are speaking to a loved one over the phone, even though they’re talking to a computer. While the threat of AI-powered scams can be frightening, you can stay safe by keeping these expert tips in mind the next time you receive an urgent, unexpected call.

**Remember That AI Audio Is Hard to Detect**

It’s not just OpenAI; many tech startups are working on replicating near perfect-sounding human speech, and the recent progress is rapid. “If it were a few months ago, we would have given you tips on what to look for, like pregnant pauses or showing some kind of latency,” says Ben Colman, cofounder and CEO of Reality Defender. Like many aspects of generative AI over the past year, AI audio is now a more convincing imitation of the real thing. Any safety strategies that rely on you audibly detecting weird quirks over the phone are outdated.

**Hang Up and Call Back**

Security experts warn that it’s quite easy for scammers to make it appear as if the call were coming from a legitimate phone number. “A lot of times scammers will spoof the number that they're calling you from, make it look like it's calling you from that government agency or the bank,” says Michael Jabbara, global head of fraud services at Visa. “You have to be proactive.” Whether it’s from your bank or from a loved one, any time you receive a call asking for money or personal information, go ahead and ask to call them back. Look up the number online or in your contacts, and initiate a follow-up conversation. You can also try sending them a message through a different, verified line of communication like video chat or email.

**Create a Secret Safe Word**

A popular security tip that multiple sources suggested was to craft a safe word that only you and your loved ones know about, and which you can ask for over the phone. “You can even prenegotiate with your loved ones a word or a phrase that they could use in order to prove who they really are, if in a duress situation,” says Steve Grobman, chief technology officer at McAfee. Although calling back or verifying via another means of communication is best, a safe word can be especially helpful for young ones or elderly relatives who may be difficult to contact otherwise.

**Or Just Ask What They Had for Dinner**

What if you don’t have a safe word decided on and are trying to suss out whether a distressing call is real? Pause for a second and ask a personal question. “It could even be as simple as asking a question that only a loved one would know the answer to,” says Grobman. “It could be, ‘Hey, I want to make sure this is really you. Can you remind me what we had for dinner last night?’” Make sure the question is specific enough that a scammer couldn’t answer correctly with an educated guess.

**Understand Any Voice Can Be Mimicked**

Deepfake audio clones aren’t just reserved for celebrities and politicians, like the calls in New Hampshire that used AI tools to sound like Joe Biden and to discourage people from going to the polls. “One misunderstanding is, ‘It cannot happen to me. No one can clone my voice,’” says Rahul Sood, chief product officer at Pindrop, a security company that discovered the likely origins of the AI Biden audio. “What people don’t realize is that with as little as five to 10 seconds of your voice, on a TikTok you might have created or a YouTube video from your professional life, that content can be easily used to create your clone.” Using AI tools, the outgoing voicemail message on your smartphone might even be enough to replicate your voice.

**Don’t Give in to Emotional Appeals**

Whether it’s a pig butchering scam or an AI phone call, experienced scammers are able to build your trust in them, create a sense of urgency, and find your weak points. “Be wary of any engagement where you’re experiencing a heightened sense of emotion, because the best scammers aren’t necessarily the most adept technical hackers,” says Jabbara. “But they have a really good understanding of human behavior.” If you take a moment to reflect on a situation and refrain from acting on impulse, that could be the moment you avoid getting scammed.

AI Scam Calls: How to Protect Yourself, How to Detect

While some states have made data privacy gains, the US has so far been unable to implement protections at a federal level. A new bipartisan proposal called APRA could break the impasse.

Congress may be closer than ever to passing a comprehensive data privacy framework after key House and Senate committee leaders released a new proposal on Sunday.

The bipartisan proposal, titled the American Privacy Rights Act, or APRA, would limit the types of consumer data companies can collect, retain, and use to what they need to operate their services. Users would also be allowed to opt-out of targeted advertising and have the ability to view, correct, delete, and download their data from online services. The proposal would also create a national registry of data brokers, and force those companies to allow users to opt out of having their data sold.

“This landmark legislation gives Americans the right to control where their information goes and who can sell it,” Cathy McMorris Rodgers, House Energy and Commerce Committee chair, said in a statement on Sunday. “It reins in Big Tech by prohibiting them from tracking, predicting, and manipulating people’s behaviors for profit without their knowledge and consent. Americans overwhelmingly want these rights, and they are looking to us, their elected representatives, to act.”

Congress has tried to put together a comprehensive federal law protecting user data for decades. Lawmakers have remained divided, though, on whether that legislation should prevent states from issuing tougher rules, and whether to allow a “private right of action” that would enable people to sue companies in response to privacy violations.

In an interview with the _Spokesman Review_ on Sunday, McMorris Rodgers claimed that the draft’s language is stronger than any active laws, seemingly as an attempt to assuage the concerns of Democrats who have long fought attempts to preempt preexisting state-level protections. APRA does allow states to pass their own privacy laws related to civil rights and consumer protections, among other exceptions.

In the previous session of Congress, the leaders of the House Energy and Commerce Committees brokered a deal with Roger Wicker, the top Republican on the Senate Commerce Committee, on a bill that would preempt state laws with the exception of the California Consumer Privacy Act and the Biometric Information Privacy Act of Illinois. That measure, titled the American Data Privacy and Protection Act, also created a weaker private right of action than most Democrats were willing to support. Cantwell refused to support the measure, instead circulating her own draft legislation. The ADPPA hasn’t been reintroduced, but APRA was designed as a compromise.

“I think we have threaded a very important needle here,” Cantwell told the _Spokesman Review_. “We are preserving those standards that California and Illinois and Washington have.”

APRA includes language from California’s landmark privacy law allowing people to sue companies when they are harmed by a data breach. It also provides the Federal Trade Commission, state attorneys general, and private citizens the authority to sue companies when they violate the law.

The categories of data that would be impacted by the APRA include certain categories of “information that identifies or is linked or reasonably linkable to an individual or device,” according to a Senate Commerce Committee summary of the legislation. Small businesses—those with $40 million or less in annual revenue and limited data collection—would be exempt under APRA, with enforcement focused on businesses with $250 million or more in yearly revenue. Governments and “entities working on behalf of governments” are excluded under the bill, as are the National Center for Missing and Exploited Children and, apart from certain cybersecurity provisions, “fraud-fighting” nonprofits.

US representative Frank Pallone, the top Democrat on the House Energy and Commerce Committee, called the draft “very strong” in a Sunday statement, but said he wanted to “strengthen” it with tighter child safety provisions.

Still, it remains unclear whether APRA will receive the necessary support for approval. On Sunday, committee aids said that conversations on other lawmakers signing onto the legislation are ongoing. The current proposal is a “discussion draft;” while there’s no official date for introducing a bill, Cantwell and McMorris Rodgers will likely shop around the text to colleagues for feedback over the coming weeks, and plan to send it to committees this month.

A Breakthrough Online Privacy Proposal Hits Congress

Ad trackers are out of control. Use a browser that reins them in.

Google's admission that, yes, it does track you while you're in Chrome's Incognito mode, is just the latest in a long line of unsettling revelations about just how keenly Big Tech keeps an eye on our movements every time we connect to the internet. Billions of data records will now be deleted as part of a settlement to a class action lawsuit brought against Google.

As we've written before, Incognito mode and the equivalent modes offered by other browsers aren't as secure as you might think, particularly if you start signing into accounts like Google or Facebook. Your activities and searches as a logged-in user on large platforms can still be recorded, primarily to create advertising that's more accurately targeted toward your demographic.

Google, for its part, says it’s transparent about what data it’s storing and why—and in recent years it has made it easier for users to see and delete the information held about them. To really lock down your privacy and security, though, it’s best to switch to a browser not made by a company that earns billions of dollars selling ads.

And there are alternatives: Below we recommend several browsers built with user privacy and security as a priority. Even better, in many cases they can import data such as bookmarks and passwords from your current browser—Google Chrome, for example.

**DuckDuckGo (Android, iOS, Windows, macOS)**

The DuckDuckGo browser blocks trackers at their source.

DuckDuckGo via David Nield

You might know DuckDuckGo as the anti-Google search engine, but the parent company has branched out to make its own browsers too. They keep you well protected online and at the same time give you plenty of information about the tracking technologies being proactively blocked.

DuckDuckGo starts by enforcing encrypted HTTPS connections when websites offer them, and gives each page you visit a grade based on how aggressively it's trying to mine your data. It'll even scan and rank site privacy policies for you.

When it comes to browsing data, this can be cleared automatically at the end of each session or after a certain period of time. Pop-ups and ads are snuffed out, and of course the DuckDuckGo search engine is built in, free of the Google trappings.

You also get extras like throwaway email aliases you can use in place of your real email address to protect your privacy, and everything about the browser and its features is simple to use: You don't really need to do anything except install them, so you're getting maximum protection with minimal effort.

**Ghostery (Android, iOS, Windows, macOS)**

Ghostery comes with a range of tools to protect your privacy.

Ghostery via David Nield

Install Ghostery on your mobile device or your computer, and straight away it gets to work blocking adverts and tracking cookies that will attempt to keep tabs on what you're up to on the web. There are no complicated setup screens or configurations to manage.

Like DuckDuckGo, Ghostery tells you exactly which trackers and ads it's blocking and how many monitoring tools each website has installed. If you do come across certain sites that are well behaved, you can mark them as trusted with a tap.

Or, if you find a site that's packed full of tracking systems, you can block every single bit of cookie technology on it (for commenting systems, media players, and so on), even if the site ends up breaking. A simple, private search engine is built in to replace Google too.

Ghostery's tools are a little more in-depth and advanced than the ones offered by DuckDuckGo, so you might consider it if you want to take extra control over which trackers are blocked on which sites—but it's simple enough for anyone to use.

**Tor Browser (Android, Windows, macOS)**

Tor connects you to the Tor network, to keep your online activities more private.

Tor via David Nield

Tor Browser markets itself as a browsing option "without tracking, surveillance, or censorship." It is worth a look if you want the ultimate in anonymized, tracker-free browsing—unless you're on iOS, where it isn't available (Tor recommends the Onion Browser instead).

The browser is part of a bigger project to keep internet browsing anonymous: Use Tor and you use the Tor Project network, a complex, encrypted relay system managed by the Tor community, making it much harder for anyone else to follow your activities online.

As well as this additional layer of anonymity, Tor Browser is super-strict on the background scripts and tracking tech that sites can run. It also blocks fingerprinting, a method where advertisers attempt to recognize the unique characteristics of your device.

At the end of each browsing session, everything gets wiped, including cookies left behind by sites and the browsing history inside the Tor Browser app itself. In other words, private browsing that leaves no trace is the default—and indeed the only option.

**Brave (Android, iOS, Windows, macOS)**

Brave gives you a clean, speedy browsing experience.

Brave via David Nield

Brave comes with all the tracking protection features you would expect: Ads are completely blocked, there are tight restrictions on the data that sites can gather through cookies and tracking scripts, and you're always kept informed about what's happening.

The browser comes with an optional built-in VPN, though it costs extra ($10 a month). You can also, if you want, use Brave to access the Tor network we mentioned with the Tor browser and take advantage of its anonymizing relay service that hides your location and browsing data.

There's no doubt about the effectiveness of Brave's tracker-blocking technologies, and getting around the web in Brave is quick and snappy. It's a comprehensive package and one that strikes a well-judged balance between simplicity and power for the majority of users.

Brave has regularly pioneered features related to innovative web technologies, including cryptocurrencies, NFTs, and (most recently) artificial intelligence; there's actually a new AI assistant built into it. In other words, it's not exclusively focused on security and privacy.

**Firefox (Android, iOS, Windows, macOS)**

Firefox is part of a suite of privacy products from Mozilla.

Firefox via David Nield

Firefox has long been at the forefront of online privacy—blocking tracking cookies across sites by default, for example—and it continues to be one of the best options for making sure you're giving away as little data as possible as you make your way across the web.

Firefox also gives you a ton of information on each website you visit regarding the trackers and cookies that pages have attempted to leave, and which ones Firefox has blocked. Permissions for access to your location and microphone can be easily managed as well.

Aside from looking after the interests of its users, Firefox also scores highly for user customization. You can change the look and behavior of the browser in a variety of ways, and there are useful integrations like the built-in Pocket utility that saves web stories on your device so you can read them later.

Firefox developer Mozilla offers plenty of extras, including a free data-breach monitor that tells you when your usernames and passwords may have been exposed somewhere online, a free email alias system to keep your actual email address protected, and a VPN that costs $10 per month. It all adds up to a comprehensive package for keeping you safe online.

**Safari (iOS, macOS)**

Safari has been blocking tracking cookies for some time.

Safari via David Nield

Apple continues to add privacy tech to Safari with each release on iOS and macOS—like requiring user authentication (such as a Face ID scan) when returning to a browsing session—though it's obviously not a browsing option if you're on Android or Windows.

Safari has long been blocking third-party tracking cookies that try to connect the dots on your web activity across multiple sites. It also blocks device fingerprinting techniques that try to identify your devices, and it reports back on the trackers it has disabled.

The browser can now also warn you when you try to use a password that's too weak on a new website or service, and it will make a suggestion of a stronger password if needed. Recent browser updates added support for logging in with passkeys too.

Safari operates against the backdrop of Apple's commitment to collect as little information about you as possible and to keep most of that information locked away locally on your device rather than on Apple's servers.

_Update: April 6, 2024, 8:30 am: This guide was updated to include new guidance for DuckDuckGo and Ghostery, as well as to bring some descriptions of browser providers' data collection policies up to date._

Best Privacy Browsers (2024): Brave, Safari, Ghostery, Firefox, DuckDuckGo

Plus: Microsoft scolded for a “cascade” of security failures, AI-generated lawyers send fake legal threats, a data broker quietly lobbies against US privacy legislation, and more.

It’s been a week since the world avoided a potentially catastrophic cyberattack. On March 29, Microsoft developer Andres Freund disclosed his discovery of a backdoor in XZ Utils, a compression tool widely used in Linux distributions and thus countless computer systems worldwide. The backdoor was inserted into the open source tool by someone operating under the persona “Jia Tan” after years of patient work building a reputation as a trustworthy volunteer developer. Security experts believe Jia Tan is the work of a nation-state actor, with clues largely pointing to Russia, although definitive attribution for the attack is still outstanding.

In early 2022, a hacker operating under the name “P4x” took down the internet of North Korea, after the country’s hackers had targeted him. This week, WIRED revealed P4x’s true identity as Alejandro Caceres, a 38-year-old Colombian American. Following his successful attack on North Korea, Caceres pitched the US military on a “special forces”-style offensive hacking team that would carry out operations similar to the one that made P4x famous. The Pentagon eventually declined, but Caceres has launched a startup, Hyperion Gray, and plans to further pursue his controversial approach to cyberwarfare.

In mid-February, millions of people lost internet access after three undersea cables in the Arabian Sea were damaged. Some blamed Houthi rebels in Yemen, who had been attacking ships in the region, but the group denied it had sabotaged the cables. But the rebel attacks are still likely to blame—albeit, in a bizarre way. A WIRED analysis of satellite images, maritime data, and more found that the cables were likely damaged by the trailing anchor of a cargo ship that the Houthi rebels had bombed. The ship drifted for two weeks before finally sinking, crossing paths with the cables at the time they were damaged.

The myth that Google Chrome’s Incognito mode provides adequate privacy protections can finally be put to rest. As part of a settlement over Google’s Incognito privacy claims and practices, the company has agreed to delete “billions” of records collected while users browsed in Incognito mode. It will also further clarify how much user data can be collected by Google and third parties while Incognito is enabled, and take further steps to protect user privacy. There are other privacy-focused browsers that can replace Chrome. But if you’re still using it, make sure to update it to patch some serious security flaws.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

A 58-year-old hospital systems administrator pleaded guilty this week to US federal charges after he was caught using another man’s name for more than 30 years. Matthew David Keirans allegedly stole the identity of William Woods in 1988, when the two men worked at a hot dog cart in Albuquerque, New Mexico, according to the US Attorney's Office for the Northern District of Iowa. Over the decades, Keirans obtained employment, bank accounts, loans, and insurance, and paid taxes, under the Woods name. Keirans even had a child whose last name is Woods.

The real William Woods, meanwhile, reportedly learned that someone else was using his identity in 2019. At the time, Woods was unhoused and living in Los Angeles. He contacted a bank where “William Woods” had an account, providing his real Social Security card and California ID card to prove his identity. However, he could not answer the security questions to gain access. The bank called Keirans—who was pretending to be Woods—and Keirans convinced the bank employee that the real Woods should not have access to the accounts. The Los Angeles Police Department then arrested the real Woods and charged him with identity theft after Keirans provided officers with false documents and information.

In a nightmarish twist, during judicial proceedings, the real Woods accurately maintained that “William Donald Woods” was his true identity, prompting the court to order him to a mental institution. The real Woods ultimately spent 428 days in jail and 147 days in a mental hospital before his release.

The real Woods then continued to work to regain his true identity, eventually contacting authorities after learning that Keirans worked at a hospital in Iowa City. Investigators later confirmed the real Woods’ identity after obtaining a DNA test. Confronted with the evidence, Keirans confessed to a series of crimes and now faces a maximum sentence of 32 years in prison, a $1.25 million fine, and five years of supervised release.

**US Review Board Slams Microsoft for ‘Cascade of Avoidable Security Failures’**

The White-House mandated Cyber Safety Review Board issued a scathing report against Microsoft this week, accusing the tech giant of failing to stop a “preventable” intrusion by China-backed hackers of hundreds of Microsoft Exchange Online email accounts. To gain access to email accounts belonging to 22 organizations and 500 individuals worldwide, the hackers, known as Storm-0558, stole a Microsoft cryptographic key. The CSRB report chastises the company for failing to detect “the compromise of its cryptographic crown jewels,” inadequate security practices, and a “corporate culture that deprioritized both enterprise security investments and rigorous risk management,” among a “cascade” of other defeats.

The report also found that Microsoft still does not know how Storm-0558 obtained its key, accusing the company of making false statements after it initially claimed that the key was accidentally included in an April 2021 “crash dump.” The company has since updated its explanation of the intrusion to say that it still does not know how the hackers obtained the key. The CSRB issued 25 recommended steps that Microsoft—a major government contractor whose systems protect highly sensitive information—should take to better protect its systems.

**AI-Generated Lawyers Caught Spewing Fake Legal Threats**

The owner of the website Tedium received legal threats from a nonexistent “law firm” charging the publication with a copyright violation. The thing is, the “lawyers” behind the complaint were AI-generated. The “law firm” accused Tedium of using a photograph without the owner’s consent, and a "copyright infringement" notice offered to supposedly settle the matter, if only Tedium would agree to properly credit the photo’s “owner” and link out to their website. This was, of course, a backlink scam designed to boost the SEO ranking of the fake copyright holder’s page. Only this time, the scam was bolstered by a cast of AI-generated characters: a hot-shot team of young, "skilled lawyers" purportedly specializing in creative rights and commercial law.

**Data Behemoth Enlists Lobbyists Against Effort in US to Limit Deals With Spies**

An internal feud is underway in the US Congress over the fate of a beleaguered spy program called Section 702 and the commercial deals that US intelligence agencies have struck in recent years with global data brokers, purchasing information that government agents typically need a warrant to obtain. Consequently, the UK owner of LexisNexis—an “amalgam of publishers and data brokers, stitched together into a single information giant”—has retained the services of a Washington, DC, lobbying firm to engage with federal lawmakers over “potential privacy, data security, breach notification, data broker, and FISA reform legislation.” Politico reports that the company, RELX, previously used the firm, Venable, to combat privacy legislation aimed at restricting the kinds of personal data companies are allowed to sell to law enforcement.

**‘Weapon Scanners’ Eyed by New York’s Surveillant Mayor Boasts Abysmal Track Record**

New York City mayor Eric Adams is hastening his crusade against subway violence with a plan to test weapons scanners that claim to use artificial intelligence to detect whether commuters are carrying blades and firearms. Documents obtained by Hell Gate reveal what Adams failed to disclose at a press conference last week: that data already in the city’s hands show the technology is only rarely useful. After police officers permitted to carry firearms were factored out of one study at a Bronx hospital, the scanners were found to be accurate less than 1 percent of the time. (All told, more than 85 percent of the time, the scanners cast false suspicion on New Yorkers who were found to be unarmed.) The move by Adams follows New York governor Kathy Hochul’s deployment of hundreds of National Guard soldiers in the city’s subway systems. Adams first addressed a spate of homicides and stabbings across the city in March by sending hundreds of police officers underground to search commuters' bags at well over 100 subway stations—a tactic that roused resistance from a few locals this week who smashed ticket machines and disabled security cameras at a midtown station to protest the surveillance surge.

Identity Thief Lived as a Different Man for 33 Years

As “P4x,” Alejandro Caceres single-handedly disrupted the internet of an entire country. Then he tried to show the US military how it can—and should—adopt his methods.

A Vigilante Hacker Took Down North Korea’s Internet. Now He’s Taking Off His Mask

The thwarted XZ Utils supply chain attack was years in the making. Now, clues suggest nation-state hackers were behind the persona that inserted the malicious code.

Ultimately, Scott argues that those three years of code changes and polite emails were likely not spent sabotaging multiple software projects, but rather building up a history of credibility in preparation for the sabotage of XZ Utils specifically—and potentially other projects in the future. “He just never got to that step because we got lucky and found his stuff,” says Scott. “So that’s burned now, and he’s gonna have to go back to square one.”

**Technical Ticks and Time Zones**

Despite Jia Tan’s persona as a single individual, their yearslong preparation is a hallmark of a well-organized state-sponsored hacker group, argues Raiu, the former Kaspersky lead researcher. So too are the technical hallmarks of the XZ Utils malicious code that Jia Tan added. Raiu notes that, at a glance, the code truly looks like a compression tool. “It’s written in a very subversive manner,” he says. It’s also a “passive” backdoor, Raiu says, so it wouldn’t reach out to a command-and-control server that might help identify the backdoor’s operator. Instead, it waits for the operator to connect to the target machine via SSH and authenticate with a private key—one generated with a particularly strong cryptographic function known as ED448.

The backdoor’s careful design could be the work of US hackers, Raiu notes, but he suggests that’s unlikely, since the US wouldn’t typically sabotage open source projects—and if it did, the National Security Agency would probably use a quantum-resistant cryptographic function, which ED448 is not. That leaves non-US groups with a history of supply chain attacks, Raiu suggests, like China’s APT41, North Korea’s Lazarus Group, and Russia’s APT29.

At a glance, Jia Tan certainly looks East Asian—or is meant to. The time zone of Jia Tan’s commits are UTC+8: That’s China’s time zone, and only an hour off from North Korea’s. However, an analysis by two researchers, Rhea Karty and Simon Henniger, suggests that Jia Tan may have simply changed the time zone of their computer to UTC+8 before every commit. In fact, several commits were made with a computer set to an Eastern European or Middle Eastern time zone instead, perhaps when Jia Tan forgot to make the change.

“Another indication that they are not from China is the fact that they worked on notable Chinese holidays,” say Karty and Henniger, students at Dartmouth College and the Technical University of Munich, respectively. They note that Jia Tan also didn't submit new code on Christmas or New Year's. Boehs, the developer, adds that much of the work starts at 9 am and ends at 5 pm for Eastern European or Middle Eastern time zones. “The time range of commits suggests this was not some project that they did outside of work,” Boehs says.

Though that leaves countries like Iran and Israel as possibilities, the majority of clues lead back to Russia, and specifically Russia’s APT29 hacking group, argues Dave Aitel, a former NSA hacker and founder of the cybersecurity firm Immunity. Aitel points out that APT29—widely believed to work for Russia’s foreign intelligence agency, known as the SVR—has a reputation for technical care of a kind that few other hacker groups show. APT29 also carried out the Solar Winds compromise, perhaps the most deftly coordinated and effective software supply chain attack in history. That operation matches the style of the XZ Utils backdoor far more than the cruder supply chain attacks of APT41 or Lazarus, by comparison.

“It could very well be someone else,” says Aitel. “But I mean, if you’re looking for the most sophisticated supply chain attacks on the planet, that’s going to be our dear friends at the SVR.”

Security researchers agree, at least, that it’s unlikely that Jia Tan is a real person, or even one person working alone. Instead, it seems clear that the persona was the online embodiment of a new tactic from a new, well-organized organization—a tactic that nearly worked. That means we should expect to see Jia Tan return by other names: seemingly polite and enthusiastic contributors to open source projects, hiding a government’s secret intentions in their code commits.

_Updated 4/3/2024 at 12:30 pm ET to note the possibility of Israeli or Iranian involvement._

The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind

Details are starting to emerge about a stunning supply chain attack that sent the open source software community reeling.

On Friday, a lone Microsoft developer rocked the world when he revealed a backdoor had been intentionally planted in XZ Utils, an open source data compression utility available on almost all installations of Linux and other Unix-like operating systems. The person or people behind this project likely spent years on it. They were likely very close to seeing the backdoor update merged into Debian and Red Hat, the two biggest distributions of Linux, when an eagle-eyed software developer spotted something fishy.

“This might be the best-executed supply chain attack we've seen described in the open, and it’s a nightmare scenario: malicious, competent, authorized upstream in a widely used library,” software and cryptography engineer Filippo Valsorda said of the effort, which came frightfully close to succeeding.

Researchers have spent the weekend gathering clues. Here’s what we know so far.

**What Is XZ Utils?**

XZ Utils is nearly ubiquitous in Linux. It provides lossless data compression on virtually all Unix-like operating systems, including Linux. XZ Utils provides critical functions for compressing and decompressing data during all kinds of operations. XZ Utils also supports the legacy .lzma format, making this component even more crucial.

**What Happened?**

Andres Freund, a developer and engineer working on Microsoft’s PostgreSQL offerings, was recently troubleshooting performance problems a Debian system was experiencing with SSH, the most widely used protocol for remotely logging in to devices over the Internet. Specifically, SSH logins were consuming too many CPU cycles and were generating errors with valgrind, a utility for monitoring computer memory.

Through sheer luck and Freund’s careful eye, he eventually discovered the problems were the result of updates that had been made to XZ Utils. On Friday, Freund took to the Open Source Security List to disclose the updates were the result of someone intentionally planting a backdoor in the compression software.

**What Does the Backdoor Do?**

Malicious code added to XZ Utils versions 5.6.0 and 5.6.1 modified the way the software functions when performing operations related to .lzma compression or decompression. When these functions involved SSH, they allowed for malicious code to be executed with root privileges. This code allowed someone in possession of a predetermined encryption key to log in to the backdoored system over SSH. From then on, that person would have the same level of control as any authorized administrator.

**How Did This Backdoor Come to Be?**

It would appear that this backdoor was years in the making. In 2021, someone with the username JiaT75 made their first known commit to an open source project. In retrospect, the change to the libarchive project is suspicious, because it replaced the safe\_fprint funcion with a variant that has long been recognized as less secure. No one noticed at the time.

The following year, JiaT75 submitted a patch over the XZ Utils mailing list, and, almost immediately, a never-before-seen participant named Jigar Kumar joined the discussion and argued that Lasse Collin, the longtime maintainer of XZ Utils, hadn’t been updating the software often or fast enough. Kumar, with the support of Dennis Ens and several other people who had never had a presence on the list, pressured Collin to bring on an additional developer to maintain the project.

In January 2023, JiaT75 made their first commit to XZ Utils. In the months following, JiaT75, who used the name Jia Tan, became increasingly involved in XZ Utils affairs. For instance, Tan replaced Collins’ contact information with their own on oss-fuzz, a project that scans open source software for vulnerabilities that can be exploited. Tan also requested that oss-fuzz disable the ifunc function during testing, a change that prevented it from detecting the malicious changes Tan would soon make to XZ Utils.

In February of this year, Tan issued commits for versions 5.6.0 and 5.6.1 of XZ Utils. The updates implemented the backdoor. In the following weeks, Tan or others appealed to developers of Ubuntu, Red Hat, and Debian to merge the updates into their OSes. Eventually, one of the two updates made its way into several releases, according to security firm Tenable. There’s more about Tan and the timeline here.

**Can You Say More About What This Backdoor Does?**

In a nutshell, it allows someone with the right private key to hijack sshd, the executable file responsible for making SSH connections, and from there to execute malicious commands. The backdoor is implemented through a five-stage loader that uses a series of simple but clever techniques to hide itself. It also provides the means for new payloads to be delivered without major changes being required.

Multiple people who have reverse-engineered the updates have much more to say about the backdoor. Developer Sam James provided an overview here.

The XZ Backdoor: Everything You Need to Know

To settle a years-long lawsuit, Google has agreed to delete “billions of data records” collected from users of “Incognito mode,” illuminating the pitfalls of relying on Chrome to protect your privacy.

If you still hold any notion that Google Chrome’s “Incognito mode” is a good way to protect your privacy online, now’s a good time to stop.

Google has agreed to delete “billions of data records” the company collected while users browsed the web using Incognito mode, according to documents filed in federal court in San Francisco on Monday. The agreement, part of a settlement in a class action lawsuit filed in 2020, caps off years of disclosures about Google’s practices that shed light on how much data the tech giant siphons from its users—even when they’re in private-browsing mode.

Under the terms of the settlement, Google must further update the Incognito mode “splash page” that appears anytime you open an Incognito mode Chrome window after previously updating it in January. The Incognito splash page will explicitly state that Google collects data from third-party websites “regardless of which browsing or browser mode you use,” and stipulate that “third-party sites and apps that integrate our services may still share information with Google,” among other changes. Details about Google’s private-browsing data collection must also appear in the company’s privacy policy.

Additionally, some of the data that Google previously collected on Incognito users will be deleted. This includes “private-browsing data” that is “older than nine months” from the date that Google signed the term sheet of the settlement last December, as well as private-browsing data collected throughout December 2023. Certain documents in the case referring to Google's data collection methods remain sealed, however, making it difficult to assess how thorough the deletion process will be.

Google spokesperson Jose Castaneda says in a statement that the company “is happy to delete old technical data that was never associated with an individual and was never used for any form of personalization.” Castaneda also noted that the company will now pay “zero” dollars as part of the settlement after earlier facing a $5 billion penalty.

Other steps Google must take will include continuing to “block third-party cookies within Incognito mode for five years,” partially redacting IP addresses to prevent re-identification of anonymized user data, and removing certain header information that can currently be used to identify users with Incognito mode active.

The data-deletion portion of the settlement agreement follows preemptive changes to Google’s Incognito mode data collection and the ways it describes what Incognito mode does. For nearly four years, Google has been phasing out third-party cookies, which the company says it plans to completely block by the end of 2024. Google also updated Chrome’s Incognito mode “splash page” in January with weaker language to signify that using Incognito is not “private,” but merely “more private” than not using it.

The settlement's relief is strictly “injunctive,” meaning its central purpose is to put an end to Google activities that the plaintiffs claim are unlawful. The settlement does not rule out any future claims—_The Wall Street Journal_ reports that the plaintiffs’ attorneys had filed at least 50 such lawsuits in California on Monday—though the plaintiffs note that monetary relief in privacy cases is far more difficult to obtain. The important thing, the plaintiffs’ lawyers argue, is effecting changes at Google now that will provide the greatest, immediate benefit to the largest number of users.

Critics of Incognito, a staple of the Chrome browser since 2008, say that, at best, the protections it offers fall flat in the face of the sophisticated commercial surveillance bearing down on most users today; at worst, they say, the feature fills people with a false sense of security, helping companies like Google passively monitor millions of users who've been duped into thinking they're browsing alone.

The Incognito Mode Myth Has Fully Unraveled

Millions lost internet service after three cables in the Red Sea were damaged. Houthi rebels deny targeting the cables, but their missile attack on a cargo ship, left adrift for months, is likely to blame.

The ballistic missile hit the _Rubymar_ on the evening of February 18. For months, the cargo ship had been shuttling around the Arabian Sea, uneventfully calling at local ports. But now, taking on water in the bottleneck of the Bab-el-Mandeb Strait, its two dozen crew issued an urgent call for help and prepared to abandon ship.

Over the next two weeks—while the crew were ashore—the “ghost ship” took on a life of its own. Carried by currents and pushed along by the wind, the 171-meter-long, 27-meter-wide _Rubymar_ drifted approximately 30 nautical miles north, where it finally sank—becoming the most high-profile wreckage during a months-long barrage of missiles and drones launched by Iranian-backed Houthi rebels in Yemen. The attacks have upended global shipping.

But the _Rubymar_ wasn’t the only casualty. During its final journey, three internet cables laid on the seafloor in the Bab-el-Mandeb Strait were damaged. The drop in connectivity impacted millions of people, from nearby East Africa to thousands of miles away in Vietnam. It’s believed the ship’s trailing anchor may have broken the cables while it drifted. The _Rubymar_ also took 21,000 metric tons of fertilizer to its watery grave—a potential environmental disaster in waiting.

An analysis from WIRED—based on satellite imagery, interviews with maritime experts, and new internet connectivity data showing the cables went offline within minutes of each other—tracks the last movements of the doomed ship. While our analysis cannot definitively show that the anchor caused the damage to the crucial internet cables—that can only be determined by an upcoming repair mission—multiple experts conclude it is the most likely scenario.

The damage to the internet cables comes when the security of subsea infrastructure—including internet cables and energy pipelines—has catapulted up countries’ priorities. Politicians have become increasingly concerned about the critical infrastructure since the start of the Russia-Ukraine war in February 2022 and a subsequent string of potential sabotage, including the Nord Stream pipeline explosions. As Houthi weapons keep hitting ships in the Red Sea region, there are worries the _Rubymar_ may not be the last shipwreck.

The _Rubymar_’s official trail goes cold on February 18. At 8 pm local time, reports emerged that a ship in the Bab-el-Mandeb Strait, which is also known as the Gate of Tears or the Gate of Grief, had been attacked. Two anti-ship ballistic missiles were fired from “Iranian-backed Houthi terrorist-controlled areas of Yemen,” US Central Command said. Ninety minutes after the warnings arrived, at around 9:30 pm, the _Rubymar_ broadcast its final location using the automatic identification system (AIS), a GPS-like positioning system used to track ships.

As water started pouring into the hull, engine room, and machinery room, the crew’s distress call was answered by the _Lobivia_—a nearby container ship—and a US-led coalition warship. By 1:57 am on February 19, the crew was reported safe. That afternoon, the 11 Syrians, six Egyptians, three Indians, and four Filipinos who were on board arrived at the Port of Djibouti. “We do not know the coordinates of _Rubymar_,” Djibouti’s port authority posted on X.

Satellite images picked up the _Rubymar_, its path illuminated by an oil slick, two days later, on February 20. Although the crew dropped the ship’s anchor during the rescue, the ship drifted north, further up the strait in the direction of the Red Sea.

For three days, satellite photos show, the vessel largely stayed in place thanks to low winds and weak currents. Then, on February 22, satellite images show peculiar circular wave patterns hitting the ship, as seen in the image below. One former naval intelligence analyst familiar with the images, who asked not to be named for safety reasons, says this could be a sign the anchor may have come loose. One image, they say, appears to show an unidentified object, which could be a small boat, nearby.

Both the wind and currents picked up on February 23, when the ship began drifting for a second time, says Robert Parkington, an intelligence analyst with geospatial analysis firm Geollect. “As wind increases, as current increases, that chance for movement gets so much higher,” says Parkington, who monitored the _Rubymar_’s movements with data from satellite technology firm Spire Global. “Even a small breeze can have an impact on where the vessel’s moving.”

Circular ripples are visible around the Rubymar.Courtesy of BlackSky

More than 550 internet cables run along the ocean floors and connect the world. They link continents and economies, beaming everything from Zoom calls to financial transactions every millisecond. Twelve of the cables run through the Bab-el-Mandeb Strait, says Alan Mauldin, research director at telecom research firm TeleGeography. “These cables vary massively in their age, also in their capacities,” Mauldin explains. The region is a crucial, but vulnerable, choke point.

While the _Rubymar_ was drifting, three cables were damaged: the Seacom/Tata cable, a 15,000-kilometer-long wire running the length of East Africa and also connecting it to India; the Asia Africa Europe-1 (AAE-1), which snakes 25,000 kilometers and links Europe to East Asia; and the Europe India Gateway (EIG), made of 15,000 kilometers of cable and joining India with the United Kingdom.

The Seacom cable went down at 9:46 am on February 24, according to new analysis shared exclusively with WIRED by Doug Madory, director of internet analysis at the web monitoring firm Kentik. Five minutes later, at around 9:51 am, the AAE-1 cable dropped offline. Madory says the third damaged cable, EIG, was already mostly offline following a separate fault elsewhere. A telecom industry notice seen by WIRED confirms the three faults and says this was the EIG’s second. The notice says the damage is located around 30 kilometers away from where the cables land in Djibouti and are at depths of around 150 meters.

To determine when the cables lost connectivity, Madory examined internet traffic and routing data from multiple networks. For instance, a network linked to Equity Bank Tanzania, the analysis shows, lost connectivity from the Seacom cable; moments later, it was impacted by the AAE-1 damage. The two clusters of outages impacted countries in East Africa, including Tanzania, Kenya, Uganda, and Mozambique, Madory says. But they also had an impact thousands of miles away in Vietnam, Thailand, and Singapore. “The loss of these submarine cables disrupted internet service for millions of people,” he says. “While service providers in the affected countries have shifted to using the remaining cables, there exists a loss of overall capacity.” The analysis matches when the Seacom cable went offline, says Prenesh Padayachee, the company’s chief digital officer. Both AAE and EIG cables are owned by consortiums of companies, which did not respond to requests for comment.

The telecom industry builds backups into its systems to account for disruptions—and the approach mostly works. When one cable goes offline, traffic is sent via other routes. “Connectivity just went away,” says Thomas King, the chief technology officer of German-based internet exchange DE-CIX, which used the AAE-1 cables. “The issue was detected automatically. Rerouting happens also automatically,” King says. Other firms sent data on different paths around the world.

In the days after damage to the cables first emerged, one unconfirmed press report claimed Houthi rebels could have sabotaged the cables. There has been no public evidence to support this. Farzin Nadimi, a senior fellow at the Washington Institute think tank who has been monitoring the region, says it is most likely that the _Rubymar_ damaged the cables, but Houthi sabotage should not be entirely ruled out, as “highly trained” divers could reach the cables’ depths. Telecom firms have reported fears about Houthi damage to cables, while Houthi spokespeople have repeatedly denied responsibility for the disruptions.

“We don’t even know if the cable is fully broken yet,” Padayachee says. “All we know is that the cable is damaged to a level where we’ve lost comms.” It could have been cut, or even dragged along the seabed and bent so light signals cannot pass through the cable, he says.

Many in the marine and cable industry have turned toward the _Rubymar_’s drift as the likely cause for the outage. Padayachee says it is the most “plausible” scenario given the ship’s predicted drifting speed. “If you work out the distance between the two cables that roughly relates to the same sort of timeframe as to when one cable will be affected to when the other cable will be affected,” the timing makes sense, he says, adding that the cables are 700 to 1,000 meters apart.

Anchor damage, alongside earthquakes and landslides, is one of the most common ways subsea internet cables are disrupted. For instance, multiple cables in the Red Sea region were damaged by a ship dragging its anchor in 2012. There are also several types of anchor, explain William Coombs and Michael Brown, professors at Durham University and the University of Dundee, respectively, who are researching the dynamics of anchors and how they can damage underwater cables. Some anchors sit on the seabed while others dig into the ground, they say. “If the soil type is not right, and the cable has quite shallow burial or it is on the seabed, you are going to catch it if your anchor starts to drag,” Brown says.

“Considering the timings of when outages were reported, considering the rough location of where those cables are known to be, and considering where we believe to be the location of the _Rubymar_, I would say that there is a likely possibility that the anchor did cause the damage,” says Parkington of Geollect.

The _Rubymar_ finally sank on March 2. Videos reportedly taken inside the ship, gathered by Saudi state-owned news organization Al Arabiya English, show water gushing into the ship after the missile strike. As the _Rubymar_ took on more water and partially submerged, experts say, its drifting likely slowed and eventually brought it to a complete stop.

While the ship has finished its journey, the three internet cables will remain offline for some time. Padayachee, from Seacom, says that the Yemeni government is likely to approve permits for the company’s repair plans in the next couple of weeks, with repairs to all three damaged cables possibly starting later in April.

Padayachee says that additional security measures are being put in place for the operation, but the repair work itself should be relatively straightforward. The repairs are taking place in water only a couple of hundred meters deep—shallow compared to other cases where cables are more than a mile deep. When the cables are pulled out of the water by the repair crew, it should be possible to say whether the cuts were caused by the anchor or deliberately.

The _Rubymar_ presents one potential final challenge: Padayachee says the location of the cable damage is believed to be around one or two miles away from where the ship sank. “It doesn’t look like it will affect anything in the repair operation,” he says. “It could change by the time they get there: The vessel may have moved or, in fact, the vessel may have broken up and parts of it moved around.” The US Central Command has said the _Rubymar_ also presents a “subsurface impact risk to other ships.”

The Houthi’s missile launches, meanwhile, don’t look like they will stop any time soon. Other ships have been damaged; lives have been lost, and those factors will impact repairs. “It's not something you usually see: trying to have a cable ship into those waters, recover the cable, make a repair, and then be able to return to port. It's a long process. It’s risky,” says Mauldin, from TeleGeography. The risk, for other internet cables, is a repeat of the _Rubymar_. “It is not out of the question,” Madory concludes in his analysis, “that we could have another vessel, struck by a missile, inadvertently cut another submarine cable.”

_Correction 4/1/2024, 9:49 am: A previous version of this article incorrectly stated the length of the_ Rubymar, _which is 171 meters, not 17 meters._

Source

Wired