Streaming companies have to pay mobile carriers — such as AT&T — if they don’t want traffic from their services to affect users’ data caps. AT&T owns HBO, though, so the conglomerate would be paying itself if it didn’t want its new HBO Max service to do so. The company has confirmed to The Verge that data from HBO Max will be exempted from customers’ traditional data caps or the soft data caps that come with “unlimited” plans.

The Verge spoke to an AT&T executive who says that the aforementioned fee is an expense for HBO Max, but is revenue for AT&T Mobility, so the two cancel each other out. If another streaming service, such as Netflix, were to pay the fee, it would only count as a cost. No other streaming companies pay the fee, and therefore, all traffic from Netflix, Hulu and others counts against data caps. This could give AT&T and HBO Max an unfair advantage in the streaming wars.

The NYT reporters filed a Freedom of Information Request for the data after the FCC refused to show logs. In theory, they’ll show both the extent of fake commenting and help trace it back to groups that may have been involved. Investigations have suggested that over half of the comments are fake, and some of the comments appear linked to dark money groups determined to skew the political discussion.

The FCC hasn’t commented on the decision. However, it has a long history of fighting attempts to address the flawed net neutrality commenting process. In addition to trying to block log requests, it insisted its comment system had fallen prey to a cyberattack only to admit the attack never happened. It even rejected city governments’ requests in recent weeks to extend a commenting window. It won’t be surprising if the FCC contests this court ruling in a last-ditch bid to keep the comments’ origins a secret.

Of course, stating a change of opinion doesn’t negate the ruling by itself. There would need to be another case that reversed Brand X, and the chances of that happening aren’t terribly high. Mozilla still has the option of appealing to the Supreme Court after it lost its bid to overturn Pai’s net neutrality repeal, but that doesn’t mean other justices will see things his way. Thomas might face an uphill battle rallying support in a court that’s primarily aligned with the current White House. That’s also assuming he would be consistent when called to act — another case could produce different results.

Consequently, the FCC will launch a period where the public and interested parties can share their views on the process. This is not an opportunity to re-litigate net neutrality repeal, but it is an opportunity to examine if the FCC acted properly and with regard to its broader obligations. The court, for instance, has directed the body to see if repeal has harmed public safety and reduced investment in critical infrastructure.

That may include references to the incident in which Verizon, Engadget’s parent company, throttled the data plan of a vehicle owned by the Santa Clara fire service. According to Chief Anthony Bowden in a 2018 lawsuit, Verizon’s throttling of the vehicle’s plan hampered efforts to fight wildfires. Verizon said that in that instance, the throttling was the result of a mistake, and that its policy is to not throttle emergency teams.

And a third-party study which claimed that, regardless of traffic, major ISPs throttle video traffic at all times of the day. Researchers from University of Massachusetts, Amherst, and Northeastern University found that, in one instance, a carrier throttled Netflix and YouTube 70 and 74 percent of the time, respectively.

Care about #netneutrality? Want to fix the mess the FCC made when it rolled back open internet policies?

Time to speak up.

The FCC is asking for public comment on net neutrality matters the court said it got wrong.

This is our shot.

Let’s do this.https://t.co/3ONvuen17E

— Jessica Rosenworcel (@JRosenworcel) February 19, 2020

The Register claims that the FCC is behaving churlishly, burying its request for comment in a wordy title that does not reflect its true intentions. But FCC Commissioner Jessica Rosenworcel published a statement asking people to “make some noise” and write in. Rosenworcel says that the FCC’s decision to repeal net neutrality was on the “wrong side of history” and that the public should demand an “open internet.”

Those wishing to make a comment can do so on the FCC’s Electronic Filing System, entering 17-108 (Restoring Internet Freedom) in the proceedings box. The deadline for comments is March 30th.

In 2017, the FCC voted to repeal net neutrality laws, which were put in place in 2015 to prevent internet service providers from using blocking, throttling and paid prioritization. Internet giants like Amazon, Facebook, Google, Netflix and Twitter sued the FCC as part of the Internet Association lobbying group. Several other companies spoke out against the repeal, and 23 attorneys general filed a challenge. In April, the Democratic-controlled US House of Representatives voted to reinstate net neutrality protections, but the Republican-controlled Senate would not consider the measure.

The US appeals court’s decision means the repeal of net neutrality laws will remain, at least for the time being. The October ruling did state that the FCC had “not shown legal authority” to ban states from implementing their own laws, and it called on the FCC to address other shortcomings in its order, like a need to examine implications for public safety.

The candidate also vows to “dramatically” lower the cost of service. He would require basic internet plans, up the FCC’s minimum definition of broadband from 10Mbps to 100Mbps, regulate rates and fully subsidize entry-level plans for low-income households. This would involve protecting and expanding the Lifeline program. He would outright ban data caps and throttling, and would offer $500 million per year in grants to foster “digital literacy, adoption and inclusivity.”

As you might imagine, Sanders would join Elizabeth Warren in planning to end internet monopolies. He would use existing antitrust regulations to break up cable and ISP monopolies, restore net neutrality, reinstate privacy protections and appoint FCC members who’d foster “competition, choice and affordability.” He’d also mandate transparent prices, accurate speed claims and granular service info. He would not only call for more accurate broadband maps, but run a national census to help with that goal.

Other plans would focus on creating more resilient communications networks that could not only withstand and recover from disasters like hurricanes, but hold up to the effects of climate change and install fiber lines alongside road improvement projects. He would thwart providers who exploit disasters to profit from customers, and establish a “modern smart grid” that can deliver electricity reliably and efficiently while dealing with high levels of renewable energy.

Sanders isn’t the only Democratic candidate making large commitments to broadband access. Warren is pledging $85 billion toward rural broadband, while Joe Biden would offer $20 billion. There’s a clear desire to support internet access beyond cities — it mainly comes down to which (if any) policy is best, and whether or not these strategies will influence voters in November 2020.

What the fail

With the Pixel 4 face unlock debacle, you really can say that Google’s Android security team did not check itself before it wrecked itself. What we’re thankful for here is the BBC journalist, who probably does not have narcolepsy, but instead pretended to be asleep with his review copy of a Pixel 4 to see if its “face unlock” feature was secure.

It wasn’t.

The Pixel 4’s only biometric security option, facial recognition, unlocked the phone even if the user’s eyes were closed. Google said it would be issuing a fix… in a few months. It made us wonder if everyone at Google was okay. In response to our queries, Google said: “We’ve been working on an option for users to require their eyes to be open to unlock the phone, which will be delivered in a software update in the coming months.”

So thank you for learning how to fake naptime, Mr. BBC reporter. You may have saved a lot of ordinary users (who do not have your access and influence) a lot of sleepless nights.

A vote for sanity

Since at least 2004, voting machine hackers — ahem, election security researchers — at Def Con were treated like crazy people or conspiracy nuts (which are kind of the same thing). Usually, both. In 2016, we wrote: “the machines are so badly maintained, historically backdoored, and easily hacked that even Def Con hackers massively stress out about the voting process in their own forums and chat spaces.”

It’s a setup that should seem familiar to any horror fan. The protagonist keeps trying to warn people about some looming danger — the Necronomicon, a clown in the sewer, a possessed car. But no one believes them, so the clown, the car and the gateway-to-hell book win every time. That’s what every day is like for researchers pointing out the insane mess of voting machine and election security year after year.

That is, until this year, when a voting machine (that was not possessed, we think) was filmed by a Mississippi voter actually changing their vote in front of their eyes. That viral video made national headlines, further exposing the numerous, simultaneous issues in electronic voting machines across the state, putting the governor’s race (and more) in doubt.

So let’s give thanks for that seemingly possessed voting machine. It’s time for everyone to start believing those Def Con election security “final girls.”

FCC’d up

The story of the fake FCC commenters could really be old episode of Scooby Doo, with Old Man Jenkins in a bad monster disguise cursing those nosy kids for seeing through his obvious scam. It started in 2017 when the FCC decided to decimate the open internet by killing net neutrality and (cough) miraculously, the FCC’s website was flooded with fake comments supporting the FCC’s widely-opposed move.

Fast forward to October this year, when reports emerged proving those comments were not only fake, but the stolen identities and information of US breach victims. You can’t say no one expected that plot twist: Turns out the people whose names were used in those fake FCC comments were none too pleased about it. Let’s just be thankful that the org behind this reprehensible attempt to hack public opinion, industry group Broadband for America, used the (ahem) brain trust at Media Bridge and LCX Digital to make sure a big stinky pile of breadcrumbs lead right back to the source.

Little green fail-iens

If it turns out that Mark Zuckerberg arrived on this planet promising a better world through his janky tech and carrying around a book called “To Serve Man,” we’d be among the humans saying “I told you so.” But in a way we’re glad Facebook has been so profoundly terrible at everything, because it helps us identify the planet-sized security #fails the company has made.

Like how in April, we found out that the passwords for hundreds of millions of Facebook, Facebook Lite, and Instagram users were stored in plain text. Facebook wanted everyone to know passwords were readable and searchable “only” internally, but with nearly 40,000 full-time employees, that comfort is as cold as Uranus. It’s even more chilling knowing the company discovered this complete and utter failure at password security by way of a 2018 breach, when attackers made off with data from 50 million Facebook users via compromised account access tokens.

Thanks for being terrible, Facebook! You have revealed your intentions on our planet.

We don’t see a problem

Look. No one wants ATMs to be insecure, susceptible to viruses, or hackable by jerks who might try to take money from any unsuspecting individual.

The sad truth is that ATMs are so scattershot in their security, they’re a common theme in hacking presentations. And in organized crime there are “cashing crews” who swoop in to scoop up the Benjamins. In fact, the hacker who makes the ATM spew cash is a persistent and annoying Hollywood trope. But, for good reason: It’s real. In 2010, hacker Barnaby Jack made global headlines when he “jackpotted” ATMs on the Black Hat conference stage.

This is such a known problem, and has been going on so long that it’s hard to feel bad for ATM vendors, or their software and hardware vendors. So when we read headlines like “Malware That Spits Cash Out of ATMs Has Spread Across the World” it’s tough to feel like we’d be anything but grateful if this ongoing security blunder accidentally spit out some extra cash onto our feet this chilly holiday season.

Equifail

In the slums of our cyberpunk future, “Equifax” is the word harsh parents whisper to frighten their children into making strong, complex passwords. That’s thanks to news in October about a shareholder class-action suit over the credit reporting company’s egregious 2017 breach.

This revealed a slew of truly appalling, grossly negligent security practices. Especially, as Hot for Security reported, the use of “admin” as both username and password, “to authorize access to a portal used to manage credit disputes,” which “contained a vast trove of personal information.”

If you read the suit’s laundry list of security #fails it’s not a stretch to think of the company as both a folklore bogeyman of the American credit system, as well as cautionary-tale, monster under the bed for bad practices. We’re just grateful the headlines might’ve scared some people into following better password practices.

Keep on hackin’

not an isolated incident: pic.twitter.com/kVeKPTILT7

— Eli Wirtschafter (@RadioEli) September 2, 2019

Who forgot to secure all those electronic road signs we keep seeing hacked with messages like “THE FUTURE SUCKS”? Whoever you are, I hope you got fired, but I also have a strong urge to buy you a beer. Because in this abysmally wrong alternate timeline, I think many can agree that hackable road signs are bringing us a much-needed bit of levity right now.

The security failings of these signs are kind of two-fold. One is that they’re all issued with a default username and password, according to one manufacturer, ADDCO. If the signs were issued with a one-time password, that would be the end of warnings about “Entering bat country.”

The other #fail is that few people setting up their brand-new electronic road signs are changing those default passwords. Unless the calls are coming from inside the house, and someone working on the road crew was responsible for the sign reading “TRAPPED IN SIGN FACTORY.” In which case, let’s give thanks for anything reminding us that hacks are supposed to be fun, and people still love making each other smile.

Images: Koren Shadmi (Turkey Illustration); Chris Velazco / Engadget (Pixel 4); Mark Wilson/Getty Images (Ajit Pai); Getty Creative (ATM)