Security Update Issued to “Plug Intel’s Buggy Spectre Firmware Patch”

Microsoft Issues Emergency Security Update That Disables Intel’s Spectre Variant 2 Patch

CNBC reported (“Intel’s Spectre patch created its own problems, so Microsoft put out an update to fix it”) that “Microsoft issued an emergency security update on Monday [January 29, 2018] to plug Intel’s buggy Spectre firmware patch as the chipmaker’s fix caused computers to reboot frequently.” Further, according to CNBC:

Microsoft said it was rolling out an out-of-band update that specifically disables Intel’s Spectre variant 2 patch.

The latest update comes nearly four weeks after Intel confirmed that its chips were impacted by vulnerabilities known as Spectre and Meltdown, which make data on affected computers susceptible to espionage.

The Windows maker said system instability triggered by Intel’s faulty patch can in some cases cause “data loss or corruption”.

Microsoft said its latest update prevented computers from rebooting unexpectedly and urged affected customers to manually download it from the Microsoft Update Catalog website.

[Emphasis added]

An article by ZDNet (“Windows emergency patch: Microsoft’s new update kills off Intel’s Spectre fix”) reported that

Microsoft has released an emergency Windows update to disable Intel’s troublesome microcode fix for the Spectre Variant 2 attack.

Not only was Intel’s fix for the Spectre attack causing reboots and stability issues, but Microsoft also found it resulted in the worse scenario of data loss or corruption in some circumstances.

To justify the out-of-band update, Microsoft highlights a comment in Intel’s fourth-quarter forward-looking statements that mentions for the first time that mitigation techniques potentially lead to data loss or corruption.

Until then, Intel had only mentioned its update was causing unexpected reboots and unpredictable system behavior.

ZDNet also reported that since

. . .  there are no known reports of attacks on Spectre Variant 2, it would seem the greatest risk to systems and data at present is Intel’s buggy microcode.

The company is facing scrutiny from US lawmakers over its handling of the embargo, which has been described by some as an utter mess that left important software projects in the dark.

Jonathan Corbet, a member of the Linux Foundation’s Technical Advisory Board, said the disclosure process for Meltdown and Spectre was unusually secretive.

Additionally, ZDNet reported that “[w]hile the bugs affect Arm and AMD too, Intel is the only chipmaker whose hardware is vulnerable to all three attacks.”

[Emphasis added]

Class Actions Regarding Security Flaws of Intel’s Hardware Design

According to one class action lawsuit complaint, filed in United States District Court, Northern District of California, Intel has

[f]or over two decades, . . . been highly successful in loading most of the world’s computers with its processors. Unfortunately, Intel designed its processors to prioritize speed, not security. Until 2018, Intel didn’t even have a hardware security team.

 As a result, Intel’s hardware design contains serious security flaws. On January 3, 2018, the news broke that security researchers had discovered two methods that could be used to exploit flaws in Intel’s hardware design. These two methods can give a hacker access to anything on the computer.  And because they exploit flaws in hardware, not software, they work on any operating system, so long as it runs on an Intel processor.

With no hardware fix possible, software makers have recently attempted to create patches to protect Intel-based computers from hackers. But these software patches significantly slow down the computers on which they’re installed and don’t provide complete protection.

Consumers and businesses that purchased Intel-based computers now face an increased risk of being hacked, even after installing software patches that may substantially slow down their computers, giving them performance far below what they paid for.

Intel should not be permitted to retain the profits it made from skimping on security all these years.

[Emphasis added]

Intel Processor Class Actions

Image: Pixabay, Magnascan, CC0 1.0 Universal

Purchasers or Lessors of Intel Processors or Devices Containing an Intel Processor

Kehoe Law Firm, P.C. continues to investigate issues related to the flaws in Intel’s hardware design. If you purchased or leased one or more Intel processors, or one or more devices containing an Intel processor, and have questions or concerns about your potential legal rights or claims, please contact John Kehoe, Esq., (215) 792-6676, Ext. 801, [email protected], complete the form above on the right or e-mail [email protected].

Kehoe Law Firm, P.C.


Stop Robocalls: TCPA Class Action Filed Against American Express

Robocalls & Prerecorded Messages Allegedly Placed by American Express in Violation of TCPA

On January 25, 2018, Plaintiff Jacob Wilson filed a class action complaint in United States District Court, Southern District of New York, against the American Express Company (“American Express” or “Amex”) which, allegedly, “as part of its collection operations . . . operates an aggressive contact schedule which bombards unsuspecting consumers, with whom it has no relationship, with robocalls and prerecorded messages.”

The Plaintiff alleges that “[h]e is not an [American Express] customer yet has been bombarded with autodialed and pre-recorded calls made without his consent and over his explicit objection.”  Further, “Plaintiff has never had a business relationship with [Amex] and never consented to be contacted by [American Express] on his cellular telephone.”

The actions of American Express, according to the complaint, are violations of the Telephone Consumer Protection Act (“TCPA”), and $500 in damages is being sought for each TCPA violation.

Factual Allegations Against Amex Concerning Automated Calls 

Plaintiff, allegedly, was “bombarded” with calls to his cell phone throughout January 2018 from telephone numbers (866) 884-0976, (801) 945-9064, and (800) 528-4800. The calls to Plaintiff’s cellular telephone were part of an “automated calling campaign to further its efforts to contact ‘Jessica,’ a person who Plaintiff does not have any relationship with and does not know.” The calls to Plaintiff continued, despite Plaintiff telling Amex not to call Plaintiff and that he was not “Jessica.”

All the calls to Plaintiff’s cell phone were made by Amex with an “automatic telephone dialing system,” otherwise known as an “autodialer,” and when the Plaintiff answered the telephone calls from Amex, a prerecorded message greeting from American Express was heard prior to the call being routed to a live American Express agent.

The American Express TCPA Class & Monetary Damages Sought

The TCPA class action against American Express is on behalf of a class of all individuals within the United States to whom Amex or its agent(s) and/or employee(s) called one’s cellular telephone through the use of any automatic telephone dialing system or artificial or prerecorded voice within the four years prior to the filing of the class action complaint where such person was not a customer of American Express.

The Plaintiff and other Class members seek an award of $500 in statutory damages for each call placed in violation of the TCPA by American Express for negligently placing multiple automated and prerecorded voice calls to the cellular phones of the Plaintiff and other Class members without their prior express consent.

The Plaintiff and other Class members seek an award of treble damages of up to $1,500 for knowingly and/or willfully placing multiple automated and prerecorded voice calls to the cellular telephones of the Plaintiff and other Class members without their prior express consent.

Have You Received Autodialed Robocalls from American Express?

If you are not a customer of American Express, reside in the United States, and have received a telephone call to your cell phone from American Express, or one of American Express’ agents or employees, through the use of any automatic telephone dialing system or artificial or prerecorded voice within the past four years, please contact Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], complete the form above on the right or e-mail [email protected] to discuss your potential legal rights, including whether to consider filing a lawsuit to try to recover monetary damages as a result of TCPA violations.

Kehoe Law Firm, P.C.


Life Time Fitness Personal Trainers Overtime Pay Collective Action

Alleged Failure of Life Time Fitness, Inc. to Pay Federally Mandated Minimum and Overtime Wages to Life Time Fitness Personal Trainers

A collective action complaint for damages (Lenardson, et al v. Life Time Fitness, Inc. (MN), No. 18-00293) was filed on January 19, 2018 in United States District Court, Northern District of Georgia, Atlanta Division, over Life Time Fitness’ alleged failure to pay federally mandated minimum and overtime wages to Life Time Fitness Personal Trainers in violation of the Fair Labor Standards Act.

According to the overtime pay collective action complaint, the Plaintiffs served as Life Time Fitness Personal Trainers in Johns Creek, Georgia within the past three years.  The Personal Trainers were paid commission based on sales or services furnished to Life Time Fitness members.  The complaint against Life Time Fitness also alleges that

Life Time [Fitness] intentionally engaged in a uniform practice of not recording hours worked or notifying Personal Trainers of their regular rate of pay to obscure the payment of minimum and overtime wages. Thus, [Life Time Fitness] Personal Trainers could not and cannot determine whether they are being paid correctly.

Upon information and belief, Life Time [Fitness] held its department heads “personally liable” if Personal Trainers did not make sufficient commissions to meet the draw. Life Time [Fitness] instructed its department heads to have Personal Trainers clocked in only during their assigned shift, regardless of the amount of time actually worked. Managers instructed and threatened [Life Time Fitness] Personal Trainers not to incur draw because the draw would be deducted from the managers’ wages. Thus, even though [Life Time Fitness] Personal Trainers were in the fitness centers under the control of Life Time performing work, they sometimes did not clock in for all hours worked.

[Life Time Fitness] Personal Trainers were required to work more than 40 hours in a workweek performing, among other things, training clients, attending mandatory meetings, completing tutorials, quizzes, videos and certifications, training courses, and cleaning the equipment in the fitness centers. [Life Time Fitness] Personal Trainers, however, were not paid overtime they earned on some occasions. Because Life Time [Fitness] did not want to pay the minimum-wage draw, let alone overtime, [Life Time Fitness] Personal Trainers were forced to perform these duties “off the clock.”

[Life Time Fitness] Personal Trainers were not paid overtime for some work in excess of 40 hours in a workweek.

Have You Served as a Life Time Fitness Personal Trainer?

If you served as a Life Time Fitness Personal Trainer and believe you have claims for unpaid overtime, please contact Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], complete the form above on the right or e-mail [email protected].

Kehoe Law Firm, P.C.

Roomstogo.com, Inc. Telephone Consumer Protection Act Class Action

Roomstogo.com, Inc. TCPA Class Action Resolved Via Joint Stipulation of Dismissal 

As previously reported, on August 10, 2017 a class action complaint (Wetterer v. Roomstogo.com, No. 17-01900) was filed in United States District Court, Middle District of Florida, Tampa Division, to stop Roomstogo.com’s alleged “practice of making illegal telemarketing calls to the telephones of consumers nationwide and to obtain redress for all persons injured by [the] conduct [of Roomstogo.com.]”

According to the complaint, Florida-based Roomstogo.com “placed illegal telemarketing calls to residents of the United States registered on the National Do-Not-Call Registry” and that Roomstogo.com “willfully violated the [Telephone Consumer Protection Act] . . . by causing unsolicited calls to be made to Plaintiff’s and other class members’ cellular and residential telephones.”

The complaint further alleged that

[Roomstogo.com] made more than one unauthorized call to Plaintiff’s residential line for the purpose of marketing furniture deals to Plaintiff. Plaintiff did not have an existing business relationship with [Roomstogo.com], Plaintiff did not seek information about [Roomstogo.com’s] products, Plaintiff never provided express written consent to be called by [Roomstogo.com], and the calls were an invasion of Plaintiff’s privacy. Indeed, Plaintiff has been a member of the National Do-Not-Call Registry, authorized by the TCPA, since March 7, 2009 to prevent persistent and harassing marketing calls to his telephone.

On behalf of the class members, the Plaintiff sought an injunction to require Roomstogo.com to stop all unsolicited telephone calling activities to consumers, $500 per violation under the Telephone Consumer Protection Act in statutory damages to members of the class action, and treble damages (for knowing and/or willful violations).

Joint Stipulation of Dismissal Between Plaintiff and Roomstogo.com

On January 22, 2018, the Plaintiff and Roomstogo.com filed a joint stipulation dismissing the Plaintiff’s original class action complaint and Plaintiff’s individual claims with prejudice.  The claims of the putative class members, pursuant to the joint stipulation were dismissed without prejudice.  On January 23, 2018, the presiding federal judge signed an Order dismissing Plaintiff’s individual claims with prejudice and the claims of the putative class members without prejudice.

Have You Received Unsolicited Telemarketing Calls, Autodialer Calls, Robocalls, Junk Faxes or Text Messages?

If you have received unsolicited telemarketing calls, autodialer calls, robocalls, junk faxes or text messages and have questions about your potential legal rights, including whether to consider filing a lawsuit to try and recover monetary damages as a result of Telephone Consumer Protection Act violations, please contact Kehoe Law Firm, P.C. by completing the form above on the right or sending an e-mail to [email protected].

Kehoe Law Firm, P.C.


Spectre and Meltdown – Computer Security Vulnerabilities Explained

Spectre and Meltdown Computer Security Vulnerabilities Explained

According to CSO’s January 15, 2018 article, “Spectre and Meltdown Explained: What they are, how they work, what’s at risk,” by Josh Fruhlinger:

Spectre and Meltdown are the names given to a trio of variations on a vulnerability that affects nearly every computer chip manufactured in the last 20 years. The flaws are so fundamental and widespread that security researchers are calling them catastrophic. [Emphasis added]

Spectre and Meltdown: What Are These Two Security Vulnerabilities?

 According to CSO, the Spectre and Meltdown security vulnerabilities

 . . . are the names given to different variants of the same fundamental underlying vulnerability that affects nearly every computer chip manufactured in the last 20 years and could, if exploited, allow attackers to get access to data previously considered completely protected. Security researchers discovered the flaws late in 2017 and publicized them in early 2018. Technically, there are three variations on the vulnerability, each given its own CVE number; two of those variants are grouped together as Spectre and the third is dubbed Meltdown. [Emphasis added]

. . .

All of the variants of this underlying vulnerability involve a malicious program gaining access to data that it shouldn’t have the right to see, and do so by exploiting two important techniques used to speed up computer chips, called speculative execution and caching. [Emphasis added]

Spectre and Meltdown Differences & Their Dangers

The CSO article further stated that

. . . Spectre and Meltdown could allow potential attackers to get access to data they shouldn’t have access to . . . but their effects are somewhat different:

  • Meltdown got its name because it “melts” security boundaries normally enforced by hardware. By exploiting Meltdown, an attacker can use a program running on a machine to gain access to data from all over that machine that the program shouldn’t normally be able to see, including data belonging to other programs and data that only administrators should have access to. Meltdown doesn’t require too much knowledge of how the program the attacker hijacks works, but it only works with specific kinds of Intel chips. This is a pretty severe problem but fixes are being rolled out. [Emphasis added]
  • By exploiting the Spectre variants, an attacker can make a program reveal some of its own data that should have been kept secret. It requires more intimate knowledge of the victim program’s inner workings, and doesn’t allow access to other programs’ data, but will also work on just about any computer chip out there. Spectre’s name comes from speculative execution but also derives from the fact that it will be much trickier to stop — while patches are starting to become available, other attacks in the same family will no doubt be discovered. That’s the other reason for the name: Spectre will be haunting us for some time. [Emphasis added]

Regarding the dangers of Spectre and Meltdown, the CSO article stated:

Spectre and Meltdown both open up possibilities for dangerous attacks. For instance, JavaScript code on a website could use Spectre to trick a web browser into revealing user and password information. Attackers could exploit Meltdown to view data owned by other users and even other virtual servers hosted on the same hardware, which is potentially disastrous for cloud computing hosts. [Emphasis added]

But beyond the potential specific attacks themselves lies the fact that the flaws are fundamental to the hardware platforms running beneath the software we use every day. Even code that is formally secure as written turns out to be vulnerable, because the assumptions underlying the security processes built into the code — indeed, built into all of computer programming — have turned out to be false. [Emphasis added]

The CSO article also provides details about speculative execution, caching, protected memory, Spectre and Meltdown patches, as well as when PCs, Macs, iPhones, Androids or browsers will get a patch and information about the impact of Spectre and Meltdown on performance.
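The mechanism CSO describes (a correct bounds check that the processor runs ahead of, plus a cache footprint the attacker can time) is easiest to see in code. The following C program is an added example written for this page; it is not code from CSO, Intel, Microsoft or the researchers who reported the flaws. It shows the classic Spectre variant 1 gadget next to a hardened form that masks the index before the load, modeled on the Linux kernel’s array_index_mask_nospec() helper, and the decode step of a Flush+Reload probe run over constructed timings. Assumptions, labeled in the comments: the secret sits directly after the public array in memory (as in the original Spectre demonstration), cache lines are 64 bytes, and the actual speculative access and cycle-counter timing are modeled rather than performed, because those depend on the specific CPU and cannot run deterministically.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout (assumption): a public array the program may read,
 * followed by a secret it must never read. An index past PUBLIC_LEN would
 * land in the secret. Real layouts vary; this mirrors the original Spectre
 * demonstration. */
#define PUBLIC_LEN 16
#define LINE 64                        /* assumed cache-line size */
static const uint8_t public_data[PUBLIC_LEN] = "0123456789abcdef";
static const uint8_t secret[] = "constructed secret";
static uint8_t probe[256 * LINE];      /* one cache line per byte value */

/* Branchless index mask in the style of the Linux kernel's
 * array_index_mask_nospec(): all ones when idx < size, zero otherwise.
 * It is derived from the borrow of idx - size, so it involves no branch
 * that the predictor could guess wrong. Precondition, as for the kernel
 * helper: idx and size both below 2^63. */
static inline size_t index_mask_nospec(size_t idx, size_t size) {
    size_t borrow = (idx - size) >> (sizeof(size_t) * 8 - 1);
    return (size_t)0 - borrow;         /* 0 - 1 wraps to all ones */
}

/* Models the index the gadget's load would use inside the speculative
 * window when the predictor has guessed "in bounds" for an out-of-range
 * idx. Unmasked: the raw idx, which reaches past public_data into the
 * secret. Masked: the index is forced to 0 before the load. */
size_t speculated_index(size_t idx, int masked) {
    return masked ? (idx & index_mask_nospec(idx, PUBLIC_LEN)) : idx;
}

/* The classic Spectre variant 1 gadget. Architecturally the check is
 * correct; the problem is what the CPU does while it is still waiting to
 * learn whether idx < PUBLIC_LEN. The dependent load into probe[] leaves
 * a cache footprint indexed by the byte that was read. */
uint8_t victim_unprotected(size_t idx) {
    if (idx < PUBLIC_LEN)
        return probe[public_data[idx] * LINE];
    return 0;
}

/* Hardened form: same check, but the index is masked before use, so a
 * mispredicted branch reads public_data[0] instead of a secret byte. */
uint8_t victim_protected(size_t idx) {
    if (idx < PUBLIC_LEN) {
        idx &= index_mask_nospec(idx, PUBLIC_LEN);
        return probe[public_data[idx] * LINE];
    }
    return 0;
}

/* Decode step of a Flush+Reload probe: after the speculative access the
 * attacker times a read of each of the 256 probe lines; the single line
 * that comes back fast (below threshold) names the byte the gadget
 * touched. Returns -1 when no line, or more than one line, is hot, which
 * an attacker treats as noise and retries. */
int recover_byte(const uint32_t times[256], uint32_t threshold) {
    int hit = -1;
    for (int v = 0; v < 256; v++) {
        if (times[v] < threshold) {
            if (hit != -1) return -1;
            hit = v;
        }
    }
    return hit;
}

/* Builds a constructed timing sample (every line a slow miss, except the
 * given hot byte or bytes) and runs the decode step over it. hot_b < 0
 * means only one hot line. */
int constructed_recover(int hot_a, int hot_b) {
    uint32_t times[256];
    for (int v = 0; v < 256; v++) times[v] = 300;   /* cache miss */
    times[hot_a] = 60;                               /* cache hit */
    if (hot_b >= 0) times[hot_b] = 60;
    return recover_byte(times, 100);
}

int main(void) {
    size_t bad = PUBLIC_LEN + 3;   /* would land on secret[3] */
    printf("out-of-range index %zu: unmasked speculative index %zu, "
           "masked %zu\n", bad, speculated_index(bad, 0),
           speculated_index(bad, 1));
    printf("architectural result is 0 either way: %u %u\n",
           victim_unprotected(bad), victim_protected(bad));
    int b = constructed_recover('o', -1);
    printf("byte recovered from constructed timings: %c\n", b);
    printf("two hot lines (noise): %d\n", constructed_recover('o', 'x'));
    (void)secret;
    return 0;
}
```

Both victim functions return 0 for an out-of-range index, which is exactly why the bug is hard to see in testing: the architectural behaviour is correct, and only the cache state differs. Masking the index (or a serializing fence such as lfence after the check) removes the dependency that a mispredicted branch could turn into a secret-indexed load.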

Spectre and Meltdown: An Informative Red Hat Video

Red Hat’s YouTube video, “Meltdown and Spectre in 3 Minutes,” provides a good, basic explanation of the two threats and what is being done about the security vulnerabilities.

Spectre and Meltdown Computer Chips Image

Image: Pixabay, axonite, CC0 1.0 Universal 

Kehoe Law Firm Class Action Investigations

Please click Apple iPhone Slowdown, Apple iPhone Class Action, iPhone Slowdown Lawsuits, Intel Class Action Lawsuits, INTC Chip Processor, and AMD for information about other ongoing class action investigations.

Kehoe Law Firm, P.C.


T.J. Maxx Loss Prevention Detective – Overtime Pay Lawsuit

Former T.J. Maxx Loss Prevention Detective Files Collective Action Complaint

Unpaid Overtime Pay Sought by Former T.J. Maxx Loss Prevention Detective

An overtime pay collective action lawsuit (Mills v. T.J. Maxx, Inc., No. 17-05236) was filed in United States District Court, Northern District of Georgia, Atlanta Division, against T.J. Maxx, an operator of multiple retail stores across the United States.  Plaintiff Aaron Mills, who served as a T.J. Maxx Loss Prevention Detective in multiple locations in Georgia during his T.J. Maxx employment, filed the class action lawsuit to recover unpaid overtime pay owed pursuant to the Fair Labor Standards Act (“FLSA”).

T.J. Maxx Loss Prevention Detectives, Loss Prevention Associates & Others Similarly Situated

The collective action was brought under the FLSA on behalf of the Plaintiff and all individuals employed since December 18, 2015 by T.J. Maxx as a Loss Prevention Detective, Loss Prevention Associate, and all other similarly situated hourly employees.

T.J. Maxx, according to the complaint, employed Plaintiff as a Loss Prevention Detective from October 1, 2016 until September 28, 2017.  The Plaintiff worked at various T.J. Maxx locations in Atlanta, Georgia and his duties included such things as investigating incidents of internal theft throughout a high volume multi-store environment, conducting fact-finding, installing covert cameras, reviewing media, and resolving internal theft cases with the help of a national task force.

The overtime collective action complaint alleges that the Plaintiff

. . . was assigned to work 40 hours per week by T.J. Maxx. However, in actuality, [Plaintiff] Mills worked 45 hours each week, as a result of being required to work off-the-clock 5 hours each week in order to respond to phone calls and e-mails from his supervisor for loss prevention cases. These off-the-clock e-mails and calls would occur before his shift, after his shift, and on weekends.

[Plaintiff] Mills was paid $14.93 per hour, and worked 45 hours per week. [Plaintiff] Mills was generally paid $597.20 per week reflecting only being paid for 40 hours of work. [Plaintiff] Mills was never compensated for this extra 5 hours of time worked. [Emphasis added]

[The Plaintiff] was frequently called and e-mailed by his direct supervisor . . . despite being off-the-clock, and expected to respond to his supervisor’s needs at all times.

Plaintiff was also called to testify at various hearings for his employment, and would not be compensated for all hours worked while testifying or appearing in court.

Plaintiff was paid straight-time for the first 40 hours worked, despite working well in excess of 40 hours per week.

This failure to pay overtime wages to this hourly employee can only be considered a willful violation of the FLSA, within the meaning of 29 U.S.C. § 255(a).

T.J. Maxx Loss Prevention Detective Seeks More Than $20K in Unpaid Overtime Damages

The former Loss Prevention Detective, according to the collective action overtime pay complaint,

. . . worked 45 hours per week, which includes 40 regular hours and 5 overtime hours. [The Plaintiff] was paid straight-time for the first 40 hours worked. His rate of pay was $14.93 per hour, so his “one-and-half-times-rate” is $22.40 per hour, for the purposes of computing overtime. 5 overtime hours multiplied by $22.40 one-and-half-times-rate, equals $112 unpaid overtime per week. [The Plaintiff] was employed 102 weeks by Defendant. 102 weeks multiplied by $112 unpaid overtime per week, equals $11,424 in unpaid overtime wages. If the Court grants liquidated damages in this case, pursuant to 29 U.S. Code § 216(b), then the total damages are $11,424 plus $11,424, which equals $22,848.

TJ Maxx Loss Prevention Detective Overtime Pay Lawsuit

Image: “T.J. Maxx, Peabody, Massachusetts,” Anthony92931, Wikimedia Commons, CC BY-SA 3.0.

T.J. Maxx Loss Prevention Detectives & Loss Prevention Associates

If you serve or served as a T.J. Maxx Loss Prevention Detective, T.J. Maxx Loss Prevention Associate or other similar position and believe you have legal claims for unpaid overtime, please contact Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], complete the form above on the right or e-mail [email protected].

Kehoe Law Firm, P.C.