Bug

How a Simple Security Bug Became a University Campus 'Master Key' (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: When Erik Johnson couldn't get his university's mobile student ID app to reliably work, he sought to find a workaround. The app is fairly important, since it allows him and every other student at his university to pay for meals, get into events and even unlock doors to dorm rooms, labs and other facilities across campus. The app is called GET Mobile, and it's developed by CBORD, a technology company that brings access control and payment systems to hospitals and universities. But Johnson -- and the many who left the app one-star reviews in frustration -- said the app was slow and would take too long to load. There had to be a better way.

And so by analyzing the app's network data at the same time he unlocked his dorm room door, Johnson found a way to replicate the network request and unlock the door by using a one-tap Shortcut button on his iPhone. For it to work, the Shortcut has to first send his precise location along with the door unlock request or his door won't open. Johnson said as a security measure students have to be physically in proximity to unlock doors using the app, seen as a measure aimed at preventing accidental door openings across campus. It worked, but why stop there? If he could unlock a door without needing the app, what other tasks could he replicate?

Johnson didn't have to look far for help. CBORD publishes a list of commands available through its API, which can be controlled using a student's credentials, like his. But he soon found a problem: The API was not checking if a student's credentials were valid. That meant Johnson, or anyone else on the internet, could communicate with the API and take over another student's account without having to know their password. Johnson said the API only checked the student's unique ID, but warned that these are sometimes the same as a university-issued student username or student ID number, which some schools publicly list on their online student directories, and as such cannot be considered a secret. Johnson described the password bug as a "master key" to his university -- at least to the doors that are controlled by CBORD. As for needing to be in close proximity to a door to unlock it, Johnson said the bug allowed him to trick the API into thinking he was physically present -- simply by sending back the approximate coordinates of the lock itself.
The vulnerability was fixed and session keys were invalidated shortly after TechCrunch shared details of the bug with CBORD.
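As an added illustration (not CBORD's code, and not drawn from the GET Mobile API), the following Python sketch contrasts the pattern the report describes, an unlock endpoint that takes the account identifier from the request and only checks that it exists, with a version in which the acting identity comes from a server-side session minted by a password check. The client-reported location is kept in both versions as the accidental-open safeguard the report mentions, but it is not treated as an authentication control. Account ids, passwords, door ids and coordinates are all constructed for the example.

```python
"""Constructed example: authorizing on a client-supplied account id versus a
server-side session. Nothing here is CBORD's code or data."""
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_account(password: str, doors: set) -> tuple:
    salt = secrets.token_bytes(16)
    return (salt, _hash_password(password, salt), doors)


# Constructed account store: student id -> (salt, password hash, doors allowed).
# The ids are the kind of value a public directory might list, i.e. not secret.
ACCOUNTS = {
    "s1001": _make_account("correct horse", {"dorm-214"}),
    "s2002": _make_account("battery staple", {"lab-3"}),
}
# Constructed lock coordinates (lat, lon).
DOORS = {"dorm-214": (42.0001, -71.0001), "lab-3": (42.0050, -71.0050)}
SESSIONS: dict = {}   # session token -> student id, server side only
AUDIT: list = []      # constructed audit trail for detection


def login(student_id: str, password: str) -> Optional[str]:
    """Verify the password and mint a random session token; None on failure."""
    entry = ACCOUNTS.get(student_id)
    if entry is None:
        return None
    salt, stored_hash, _ = entry
    if not hmac.compare_digest(stored_hash, _hash_password(password, salt)):
        AUDIT.append(f"login-failed {student_id}")
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = student_id
    return token


def revoke_all_sessions() -> int:
    """Invalidate every session key (the remediation step the report mentions)."""
    count = len(SESSIONS)
    SESSIONS.clear()
    return count


def _near_lock(loc: Tuple[float, float], door_id: str, max_deg: float = 0.001) -> bool:
    lat, lon = DOORS[door_id]
    return math.hypot(loc[0] - lat, loc[1] - lon) <= max_deg


@dataclass
class UnlockRequest:
    door_id: str
    location: Tuple[float, float]          # client-reported, unauthenticated
    student_id: Optional[str] = None       # what the vulnerable API trusted
    session_token: Optional[str] = None    # what the fixed API requires


def unlock_vulnerable(req: UnlockRequest) -> str:
    """Bug pattern from the report: the caller names the account and the API
    only checks that the id exists. No password or session is ever verified."""
    if req.student_id not in ACCOUNTS:
        return "denied: unknown student"
    if req.door_id not in ACCOUNTS[req.student_id][2]:
        return "denied: no access to door"
    if not _near_lock(req.location, req.door_id):
        return "denied: not near door"
    return f"unlocked {req.door_id} as {req.student_id}"


def unlock_fixed(req: UnlockRequest) -> str:
    """The acting identity comes from the server-side session, never from the
    request body; a body id is only cross-checked, never trusted."""
    actor = SESSIONS.get(req.session_token or "")
    if actor is None:
        AUDIT.append(f"unauthenticated unlock attempt door={req.door_id}")
        return "denied: not authenticated"
    if req.student_id is not None and req.student_id != actor:
        # A body id that disagrees with the session is a strong abuse signal.
        AUDIT.append(f"id-mismatch session={actor} body={req.student_id}")
        return "denied: account mismatch"
    if req.door_id not in ACCOUNTS[actor][2]:
        return "denied: no access to door"
    if not _near_lock(req.location, req.door_id):
        # Proximity guards against accidental opens; because the coordinates
        # are client-supplied it cannot stand in for authenticating the caller.
        return "denied: not near door"
    return f"unlocked {req.door_id} as {actor}"
```

The design point is that the session table is the only source of "who is calling": a request that carries someone else's id but no valid session is refused before any door or location logic runs, and the mismatch case is logged so it can be alerted on.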
Transportation

Rivian CEO Apologizes, Walks Back Preorder Price Hikes After Customer Backlash (motorauthority.com)

cartechboy writes: Rivian's CEO, RJ Scaringe, admitted the company messed up. In a lengthy apology, the executive said the company broke people's trust. Rivian's walking back the large, in some cases 20%, price increases introduced earlier in the week for any preorder holder prior to March 1. [However, the price increases stay in effect for anyone who ordered after March 1.] "We wrongly decided to make these changes apply to all future deliveries, including pre-existing configured preorders," Scaringe said, noting that the company "failed to appreciate" how customers viewed their configurations and pricing.

Scaringe also acknowledged the company "wrongly assumed" the newly announced dual-motor models and standard battery pack would provide satisfactory price points similar to the original configurations.
Space

Russia Halts Deliveries of Rocket Engines To US (reuters.com)

Russia has decided to stop supplying rocket engines to the United States in retaliation for its sanctions against Russia over Ukraine. Reuters reports: "In a situation like this we can't supply the United States with our world's best rocket engines. Let them fly on something else, their broomsticks, I don't know what," [Dmitry Rogozin, head of the state space agency Roscosmos, said on state Russian television]. According to Rogozin, Russia has delivered a total of 122 RD-180 engines to the U.S. since the 1990s, of which 98 have been used to power Atlas launch vehicles. Roscosmos will also stop servicing rocket engines it had previously delivered to the U.S., Rogozin said, adding that the U.S. still had 24 engines that would now be left without Russian technical assistance.

Russia has earlier said it was suspending cooperation with Europe on space launches from the Kourou spaceport in French Guiana in response to Western sanctions over Ukraine. Moscow has also demanded guarantees from British satellite company OneWeb that its satellites would not be used for military purposes. OneWeb, in which the British government has a stake, said on Thursday it was suspending all launches from Russia's Baikonur Cosmodrome in Kazakhstan. Rogozin said Russia would now focus on creating dual-purpose spacecraft in line with the needs of Roscosmos and the Defence Ministry.

Media

RT America Ceases Production, Lays Off Staff and Moves To Rumble (nytimes.com)

An anonymous reader quotes a report from the New York Times: The Russian state-controlled news network RT said on Thursday that it would start broadcasting on the video site Rumble, two days after YouTube announced that it would be blocking channels connected to RT and another Russian state-backed outlet, Sputnik, across Europe. "After a multitude of platforms have moved to knock out our broadcast and limit social media, you can stay on top of our LIVE broadcast," RT posted on Twitter Thursday.

Rumble, which was founded in 2013 to compete with YouTube, is one of several alternative platforms that have attracted millions of users with the promise of a space untethered by what many on the American right have called a censorship of conservative voices. Prominent voices on the platform include Stephen Bannon, former President Donald J. Trump's onetime chief strategist, and Sean Hannity of Fox News. On Thursday afternoon, Misha Solodovnikov, the general manager of the production company behind RT America, T&R Productions, told staff that RT "will be ceasing production" and "must lay off most of its staff who work at all its locations," according to a company memo seen by The New York Times. RT America has offices in Miami, New York, Los Angeles and Washington. Mr. Solodovnikov cited "unforeseen business interruption events" as a reason for the company's announcement.

United States

SEC Scrutinizes NFT Market Over Illegal Crypto Token Offerings (bloomberg.com)

The U.S. Securities and Exchange Commission is scrutinizing creators of NFTs and the crypto exchanges where they trade to determine if some of the assets run afoul of the agency's rules, Bloomberg News reported Thursday, citing people familiar with the matter. From the report: A focus of the probe is on whether certain nonfungible tokens, digital assets that can be used to denote ownership of things like a painting or sports memorabilia, are being utilized to raise money like traditional securities, said the people. Over the past several months, attorneys in the SEC's enforcement unit have sent subpoenas demanding information about the token offerings. The inquiry is the latest attempt by the SEC under Chair Gary Gensler to ensure the crypto market adheres to its regulations. In February, the commission and state regulators levied a record $100 million fine against BlockFi, a popular virtual-currency exchange, for failing to register products that pay customers high interest rates to lend out their digital tokens.
Bitcoin

US Lawmakers Push Treasury To Ensure Russia Cannot Use Cryptocurrency To Avoid Sanctions (reuters.com)

An anonymous reader quotes a report from Reuters: Senator Elizabeth Warren and three other Democratic lawmakers on Wednesday urged the Treasury Department to ensure the cryptocurrency industry is complying with sanctions imposed on Russia, expressing concern that digital assets could be used to undermine U.S. foreign policy goals. In a letter sent to Treasury Secretary Janet Yellen, Warren along with Senators Sherrod Brown, Mark Warner and Jack Reed questioned whether the department's Office of Foreign Assets Control (OFAC) had effective guidelines in place to enforce sanctions compliance within the crypto industry. "Strong enforcement of sanctions compliance in the cryptocurrency industry is critical given that digital assets, which allow entities to bypass the traditional financial system, may increasingly be used as a tool for sanctions evasion," the letter said.

Biden administration officials have said that they do not believe Russia would be able to use cryptocurrency to completely evade sanctions. "The scale that the Russian state would need to successfully circumvent all U.S. and partners' financial sanctions would almost certainly render cryptocurrency as an ineffective primary tool for the state," said Carol House, the director of cybersecurity for the National Security Council, during a webinar on Wednesday. But the Democratic lawmakers said it was unclear whether OFAC had appropriate guidelines to effectively monitor the crypto industry's compliance with sanctions, noting that the agency has become "increasingly reliant upon voluntary self-disclosure."
