Today — 24 February 2025, 404 Media

Former Heritage Foundation Staffer Orders Treasury Employees to Respond to Elon Musk’s Email

24 February 2025 at 13:03

Workers around the federal government are scrambling to figure out how and if they should respond to an all-government email sent Saturday at the behest of Elon Musk asking them to list five things they did at work within the last week. During the confusion caused by Musk’s email, workers at the Treasury Department received an email from a former Heritage Foundation staffer, who is not the Treasury Secretary, sent from an email address that billed itself as being from “Secretary of the Treasury.”

How and whether to respond to the “What did you do last week” email has itself resulted in much discussion and confusion, and efforts to clarify any confusion have resulted in additional confusion as well as worries about sharing classified or otherwise private information. FBI employees were told by new FBI director Kash Patel not to respond to the email; so were members of the military. Musk tweeted “Failure to respond will be taken as a resignation.”

The Treasury Department email, seen by 404 Media and currently being discussed widely on Reddit, came from an email address with the name “*Secretary of the Treasury” but was signed by John W. York, who is not the Secretary of the Treasury and who previously worked for the Heritage Foundation, the architects of Project 2025. The current Secretary of Treasury is Scott Bessent, not York. Treasury workers seem to not know who York is or why he is sending emails from an email address previously used by past Secretaries of Treasury.

“It was used in the past rarely: wishing Treasury employees a Merry Christmas or noting there is a return to office mandate,” one source told 404 Media about the email address York’s email came from. “In the past, the emails included the title of the sender (Sec of Treasury, for example) and more often than not a picture of said person. Like when Steven Mnuchin sent emails ordering the evacuation of the buildings in 2020, they had his face on the email. No such embellishments this go round.”

Do you know anything else about what's happening with the 'What did you do last week' email? I would love to hear from you. Using a non-work device, you can message me securely on Signal at jason.404. Otherwise, send me an email at [email protected].

In the email, York tells workers that they must respond to the “What did you do last week” email: “Given the voluminous and extremely important work that Treasury staff perform [sic] on a daily basis, we expect that compliance will not be difficult or time consuming.” 

“Your responses should be descriptive enough to show the significance of the work you performed; however, the descriptions should not reveal confidential, privileged, otherwise non-public, pre-decisional or deliberative aspects of that work, given that these responses will be sent outside Treasury,” he wrote. “If you have any questions about how to respond, please consult with your manager.”

Sources at the Treasury Department told 404 Media that they have not previously received any emails from John W. York, that they are not sure what his job is or whether he actually works for the Treasury Department, and that giving descriptive, substantial rundowns of their work tasks without giving “non-public” or sensitive information is not an easy task.

“John York had no title associated with his signature line (unusual as ALL Fed service employees are proud to put their title, Dept, etc in the sig line as a default),” one source told 404 Media. Employees at the Treasury Department have been doing research on York to attempt to figure out who he is. York worked for the Heritage Foundation before joining the Office of Personnel Management towards the end of Trump’s first term. His LinkedIn says he has worked as a “Strategic Human Capital Lead” at Accenture since March 2021. The Treasury Department did not immediately respond to a request for comment about whether he is now a Treasury Department employee.

Top comments on a Reddit post discussing this email are “Who the fuck is John W. York?” and “Schrodinger's phishing email. you're fired if you respond. you're fired if you don’t.” 

Other federal employees tell 404 Media that they have been receiving similar clarification emails from agency heads about how and whether to respond, and have been getting follow-up emails from their supervisors about what to say if the things they work on are classified. The majority of these emails, which 404 Media is not sharing specifics on because they were in many cases sent to small teams of people, are begging employees to respond to the “What did you do last week” emails while threading the needle of sharing specifics but not sharing private or confidential information.

AI Video of Trump Sucking Musk's Toes Blasted on Government Office TVs

24 February 2025 at 08:13

An AI-generated video of President Donald Trump sucking on Elon Musk’s feet, overlaid with the text “LONG LIVE THE REAL KING,” played on TV screens at the Department of Housing and Urban Development (HUD) headquarters in Washington, D.C., multiple journalists are reporting on social media.

Journalist Marisa Kabas posted the video on Bluesky, writing, “this video played on loop for ~5 mins on screens throughout the building, per agency source. Building staff couldn’t figure out how to turn it off so sent people to every floor to unplug TVs.” 

This morning at Dept of Housing and Urban Development (HUD) HQ in DC as mandatory return to office began, this video played on loop for ~5 mins on screens throughout the building, per agency source. Building staff couldn’t figure out how to turn it off so sent people to every floor to unplug TVs.

Marisa Kabas (@marisakabas.bsky.social) 2025-02-24T14:51:30.171Z

The Washington Post also obtained a recording of the televisions.

Do you have anything to share related to our coverage? I would love to hear from you. Using a non-work device, you can message me securely on Signal at sam.404. Otherwise, send me an email at [email protected].

Last week, Trump called himself a king in a social media post. “CONGESTION PRICING IS DEAD. Manhattan, and all of New York, is SAVED,” Trump wrote on his platform, Truth Social. “LONG LIVE THE KING!”

All 50 States Have Now Introduced Right to Repair Legislation

24 February 2025 at 07:37

Right to repair legislation has now been introduced in all 50 states, a milestone that, despite not all passing, shows the power of the grassroots political movement. Thursday, Wisconsin became the final state in the country to introduce a right to repair bill. 

So far, right to repair laws have been passed in Massachusetts, New York, Minnesota, Colorado, California, and Oregon. Another 20 states are formally considering right to repair bills during this current legislative session. The rest have previously introduced bills that have not passed; so far we have seen that many states take several years to move a given right to repair bill through the legislative process. 


Right to repair laws are designed to make it easier for consumers to fix their electronics, for farmers to fix their agricultural equipment, for hospitals to fix their medical devices, and so on. Most right to repair legislation requires companies to sell repair parts to the general public and to make repair manuals available, and bans the use of technological protection measures (which are called “software locks”) that are designed to restrict repair only to authorized repair technicians.

I have been following the right to repair movement for a decade, and, in the early days, a small group of consumer rights advocates worked in a couple states to get legislation introduced. 

Many of those bills were killed quickly by big tech lobbyists, who were successful at scaring lawmakers into believing that right to repair would make devices less safe or would be a boon for hackers. Over time, those same consumer rights advocates have been successful in convincing the general public that you should be able to fix the things you buy. The movement was endorsed by the Biden White House and Biden’s Federal Trade Commission, millions of consumers, and an increasing number of state legislators. The movement has gotten companies like Apple, Google, and John Deere to change their policies, inching toward a world where repair is more easily accessible.

"Now that Wisconsin filed their first Right to Repair legislation, we’ve completed the sweep of getting bills filed in all 50 states. Our legislative map no longer has any blanks,” said Gay Gordon-Byrne, Executive Director at Repair.org, which has been advocating for the legislation. “This proves that Right to Repair is needed everywhere—and we are well on our way towards making that happen."

“Americans are fed up with all the ways in which manufacturers of everything from toasters to tractors frustrate or block repairs, and lawmakers are hearing that frustration and taking action,” said Nathan Proctor, right to repair director for consumer rights group PIRG.

iFixit’s Kyle Wiens, meanwhile, said covering the entire map is a “tipping point” for the movement: “We’ve gone from a handful of passionate advocates to a nationwide call for repair autonomy. People are fed up with disposable products and locked-down devices. Repair is the future, and this moment proves it.”

A Slop Publisher Sold a Ripoff of My Book on Amazon

24 February 2025 at 06:15

Like some (many? most? all?) authors I sometimes check how my book is doing on Amazon and other booksellers. Recently while doing that, I came across another listing on the online retailer: “SUMMARY OF JOSEPH COX’S DARK WIRE,” referring to the book I spent years researching, investigating, and writing. It cost $4.99.

Curious whether this product was an AI-generated rip-off of my work, I bought a copy. Flicking through the digital pages, the summary, rather expectedly, condensed each of my chapters into a few-page overview. Details I had gone to incredible lengths to get, including flying around the world to meet criminals face-to-face, or sneaking into a law enforcement conference, or slowly building trust with understandably scared sources, were plopped into this new book with little context on how they got there or why they mattered.

For example, here is the original opening of my book, about a drug trafficker called Owen Hanson: 

Before yesterday, 404 Media

Scientists Discover Ancient Farms in the Deep Sea

22 February 2025 at 06:00

Welcome back to the Abstract! 

It’s hard to keep up with all the news about all the giant gassy orbiters out there. I’m speaking, of course, about hot Jupiters, a class of planets that takes the concept of “inhospitable” to dazzling and creative new levels, and which had an epic news week.

Then, what did scientists find in cores taken from deep-sea trenches? The answer might surprise you. Next, mice administer “first aid.” Last, fish can see you for who you really are (though yummy treats will certainly not be refused). 

Hot Jupiters Are So Hot Right Now (and at All Other Times)

Seidel, Julia et al. “Vertical structure of an exoplanet’s atmospheric jet stream.” Nature.

Hot Jupiters are the low-hanging fruit of exoplanet discoveries. As the name implies, they are Jupiter-sized worlds that orbit extremely close to their stars, a proximity that makes them—you guessed it—hot. 

Given that they are both giant in scale and have short years lasting only hours or days, hot Jupiters are the easiest exoplanets to spot, which is why our catalog of distant worlds is packed with them. In fact, a study came out just this week that identified seven new ones.

But while it’s not all that novel to discover these worlds (which is kind of amazing in itself), scientists have now peered deep into the atmosphere of the hot Jupiter WASP-121, nicknamed Tylos, which is about 850 light years from Earth. It’s the first time several distinct atmospheric layers and processes have been observed on an exoplanet.   

“Ultra-hot Jupiters, an extreme class of planets not found in our solar system, provide a unique window into atmospheric processes,” said researchers led by Julia Seidel of the European Southern Observatory (ESO). “Here we show a dramatic shift in atmospheric circulation in an ultra-hot Jupiter” including “the first vertical characterization of a high-altitude, super-rotational atmospheric jet stream.”  

Tylos is slightly bigger than Jupiter, but it is so close to its star that its year lasts only 30 hours. As a consequence, it is tidally locked, meaning that one side is always facing the star, and the other always faces away. The star-lit side is about 2,300°C (4,200°F) which is, as advertised, quite hot. Using the ESO’s Very Large Telescope, the researchers spotted the aforementioned equatorial jet stream and saw flows of hot gas moving from the hot day side to the cooler night side—which is still pretty hot at around 700°C (1,340°F). 

The weather report on Tylos is permanently fatal with a chance of titanium rain, according to a third study that came out this week (that’s a hot Jupiter hat-trick). Taken together, the research represents a new emerging era of exoplanet observations in which astronomers can peek under the hood of these distant atmospheres and start to get a real vertical cross-section of otherworldly skies. 

Down the line, this will lead to better characterizations of the atmospheres of potentially habitable exoplanets, which could contain detectable signs of alien life. But for now, on this late winter weekend, let's be satisfied with warming ourselves into certain oblivion in the bellies of hot Jupiters.

From the Hadal to the Grave 

Hovikoski, Jussi et al. “Bioturbation in the hadal zone.” Nature Communications.

To cool off, we shall now dive straight into the deepest parts of the ocean, the hadal zone, where strange things are inherently afoot. Scientists took sediment cores from seafloors at depths of over 4.6 miles in the Japan Trench which is, in my opinion, asking for trouble. But in this case, the results revealed an activity that you might not expect to find in one of the most inhospitable places on Earth—farming.   

I should just say, the “farmers” are probably invertebrates, like sea cucumbers or bivalves, that cultivate microbes that help break down organic matter for them. Still, a basic form of “agrichnial” farming is preserved in trace fossils, like burrows, that the team found in the cores.

Trace fossils of burrows in the cores. Image: Hovikoski, Jussi et al

“The hadal zone, >6 km deep, remains one of the least understood ecosystems on Earth,” said researchers led by Jussi Hovikoski of the Geological Survey of Finland. The cores open a rare window into this otherworldly region and reveal “slender spiral, lobate and deeply penetrating straight and ramifying burrow systems…interpreted to include burrows of microbe farming and chemosymbiotic invertebrates.” 

The study also gets points for its title, “Bioturbation in the hadal zone,” which sounds like an early aughts prog rock album. \m/ 

Somebody Call an EMT! (Emergency Mouse Technician)

Sun, Wenjian et al. “Reviving-like prosocial behavior in response to unconscious or dead conspecifics in rodents.” Science.

Humans produce a lot of selfish psychos, if you hadn’t noticed, but one nice thing about our species is we generally share a prosocial instinct to help people during a medical crisis. As it turns out, we’re not alone in this behavior, according to a new study that monitored the reactions of mice to ailing, unconscious, or dead conspecifics. 

“Anecdotal observations across several species in the wild, including nonhuman primates, dolphins, and elephants have reported intriguing behaviors of animals toward unresponsive conspecifics that have collapsed because of sickness, injury, or death,” said researchers led by Wenjian Sun of the University of Southern California. “These animals…display various behavioral responses, including touching, grooming, nudging, and sometimes even more intense physical actions, such as striking, toward the collapsed peers. Some of these actions toward incapacitated conspecifics are reminiscent of human emergency responses, especially those involving sensory stimulation.”

To bring these anecdotal reports into an experimental setting, the team videotaped mice responding to cagemates that had been anesthetized into unconsciousness, as well as their reactions to dead mice. The mice interacted with unconscious cage-mates about ten times as much as with an active partner, and may have even performed basic versions of first aid.

“Our results suggest that the actions of mouth/ tongue biting and tongue pulling may have rescue-like effects, reminiscent of human first aid efforts in reviving unconscious individuals with physical stimulation and airway maintenance,” the researchers said.  

“The consequences of the behaviors, such as improved airway opening or clearance and expedited recovery, are clearly beneficial to the recipient,” they added, though they also cautioned that “it is challenging to determine the motivational needs behind these distinctive ‘reviving-like’ behaviors.”  

Mouse resuscitation efforts. Image: Sun, Wenjian et al.

Familiarity played a strong role in the experiment's outcome; mice heaped much more attention on dead or unconscious cage-mates that they knew well compared to strangers. At the risk of anthropomorphizing, it’s kind of sad to think about these mice being confronted with their passed-out or dead friends, but the silver lining is an empirical validation of widespread prosocial behaviors. 

I’m also going to assume it means that the Disney franchise The Rescuers, starring mice humanitarians, is a documentary.

The Adventures of Left Hump and Friends

Tomasek, Maëlan and Soller, Katinka et al. “Wild fish use visual cues to recognize individual divers.” Biology Letters. 

The next time you go for an ocean swim, why not introduce yourself to some neighboring fish? They might learn to recognize you as an individual and start following you around, especially if you give them something nice to eat. That’s the conclusion of a new study that found fish can tell individual divers apart based on visual cues—and that they rapidly learn which divers are generous with treats (in this case: shrimp).

Researchers Maëlan Tomasek and Katinka Soller conducted several dives at the STARESO research station in Corsica, France. Soller was the designated shrimp dispenser, and the wild fish “volunteers” rapidly learned to distinguish her visually from Tomasek, the shrimp miser.

Tomasek with fish “volunteer.” Image: Maëlan Tomasek

“Two species voluntarily took part in our experiments: saddled sea bream O. melanura and black sea bream S. cantharus,” said the researchers. “Of specific individuals, the saddled bream (Bernie) was first identified at dive 5 of the training, four black bream at dives 12 (Left Hump), 15 (Kasi), 19 (Alfi), 21 (Julius) and the last black bream (Geraldine) on the first session of experiment 1. Note that this marks the moment from which we were able to reliably identify them (i.e. identify with absolute certainty at each apparition from one dive to the next) but that they most likely appeared several days prior to this.”

First of all, fantastic names. I’m already shipping Julius and Geraldine as a celebrity fish couple called Juladine. Left Hump will officiate the wedding. But setting aside the fish fanfic, the team demonstrated that the fish learned to visually tell the researchers apart, leading to a clear preference for following Soller. 

“The fact that wild bream can discriminate between divers adds scientific evidence to the numerous accounts suggesting differentiated relationships between fish and specific humans,” the team said. “Our study thus encourages a reappraisal of the methodological avenues to study cognitive abilities of wild fish under natural conditions.” 

“It also demonstrates a potential difficulty when conducting such experiments that could be disturbed by fish following specific experimenters,” the researchers said, concluding with an implied wink: “Researchers might not always want to be followed all around by fish, but if they do, they will not be disappointed.”

Thanks for reading! See you next week.

'The Bigotry Is Astounding:' Engineers Waste Time and Money Scanning .Gov Sites for 'Transgender' and Other Terms

21 February 2025 at 09:31

The U.S. Department of Health and Human Services (HHS) is wasting workers’ time and taxpayer dollars on “a witch hunt to find any content deemed ‘bad,’” according to a source familiar with the work and internal communications viewed by 404 Media. Specifically, people who work on HHS websites are spending days scanning those sites and any documents they share in search of a list of terms like “gay,” “sexuality,” “non-binary,” “inclusion,” “queer,” and “gender,” potentially so they could be later removed to comply with Trump’s executive orders attacking diversity, equity, and inclusion in the federal government.

“The most obvious issue to me about this list is that it’s being done in the name of ‘efficiency and saving money.’ It is not efficient to take engineers off their work to scan old content for any keywords this new administration hates. The bigotry is astounding,” the source, who is familiar with the work and who asked to be anonymous because they were not permitted to speak to the press, told me. “If they were being true to the concept, sure, they could say that moving forward, we will no longer support creation of new data about these topics. But to go backward decades, scrubbing for stuff they hate, that’s not a savings of time and money, that’s a huge expenditure. It's hypocritical on top of it all.”

Do you know anything else about DOGE and how Trump's executive orders are impacting HHS or other agencies? I would love to hear from you. Using a non-work device, you can message me securely on Signal at emanuel.404. Otherwise, send me an email at [email protected].

The source said that part of what makes the work so time consuming is that the current HHS administration doesn’t just want to know about every page on its sites that includes these terms, but also pages that link out to .PDF files that include those terms. For example, last week we reported that the Trump administration added a note rejecting “gender ideology” on a Substance Abuse and Mental Health Services Administration’s website page that shared a .PDF of a study about substance abuse among gay, lesbian, bisexual, or other nonheterosexual adolescents. According to the source, HHS administrators want that page added to a spreadsheet of pages and documents that include the terms it's looking for because of the content of the study.

Since HHS websites share thousands of .PDFs, the source said, “very expensive” engineers spent multiple days scanning the files for the list of terms instead of doing their regular tasks. 

Other terms on the list include “they/them” pronouns, “pregnant ‘people,’” “Biden,” and “intersex,” according to a copy of the list seen by 404 Media.

The fact that the government is wasting resources finding every instance of a term it finds objectionable directly contradicts Trump’s and Musk’s stated goal of “government efficiency.” Finding these terms in thousands of studies and papers and potentially removing them is not saving any taxpayer dollars; it is just purging government sites of a perspective the government disagrees with. Other agencies have also scrambled to find similar terms. Axios reported that DOGE representatives at the National Oceanic and Atmospheric Administration are searching for “DEI content” and Stat News has reported that a number of federal health agencies are searching grants for “taboo words” like “trans” and “diversity.”

“The spitefulness is such a waste of time and money. It's infuriating,” the source said. “Sure, they might argue not to do anything inclusive or helpful in the future, but to burn so much time and money trying to scrub out any content he [Trump] hates from past decades is ... I'm kinda at a loss for words.”

At the moment, it appears that HHS is not removing pages that contain the terms it’s looking for because a federal judge ordered it and other agencies to restore several webpages they removed as a result of Trump’s executive order. The court ordered the administration to restore the webpages to their versions as of January 30, 2025, meaning they were supposed to revert the webpages to what they looked like on January 30 with no changes. The versions that have been restored now have this additional disclaimer about “gender ideology” we reported on last week.

Behind the Blog: Chatbots as Gospel, Books and Birds

21 February 2025 at 09:04

This is Behind the Blog, where we share our behind-the-scenes thoughts about how a few of our top stories of the week came together. This week, we discuss the new Murderbot show, ChatGPT for journalism, and birdwatching from afar.

EMANUEL: Yesterday Apple released the first two images from its upcoming sci-fi show, Murderbot, and announced that it will debut on May 16 this year. I, like many fans of The Murderbot Diaries books the series is based on, am very excited about the show, but also already disappointed with one major deviation from the source material that’s obvious just from these two still images. The gist is that in the show Murderbot is played by Alexander Skarsgård, who in the images looks like a guy, while in the books Murderbot is neither a he nor a she, but an “it,” and while it’s not at all the focus of the story, the fact that the main character is androgynous makes it much more interesting.

To back up, The Murderbot Diaries are set in the far, far future and follow a “SecUnit,” a super advanced, super lethal cyborg who does private security for scientists and corporations exploring deep space and dangerous planets. Eventually the SecUnit, who we come to know as Murderbot, hacks the governing module that keeps it enslaved and has to choose what to do with its independence as it goes off on a series of pulpy space adventures.

Ziff Davis, Owner of Sites Including IGN and CNET, Quietly Removed DEI Language From Its Website

20 February 2025 at 09:57

Ziff Davis, the $2 billion media conglomerate that owns dozens of sites including PCMag, Lifehacker, IGN and CNET, is quietly taking diversity, equity, and inclusion information off of its website, 404 Media has learned. 

In the past month, the company removed information about diversity-focused employee resource groups, inclusion-based hiring goals, and diversity training for its workers and managers from its corporate website. 

The changes were first spotted by a Ziff Davis employee. 404 Media granted the employee anonymity to speak candidly. 

An archived version of Ziff Davis’s DEI webpage saved on January 19 states, “Ziff Davis is proud to offer Employee Resource Groups (ERGs), voluntary employee-led groups mentored by executive sponsors and overseen by our Global DEI and HR Programs team. They represent seven identity groups: Asian, Black, 2SLGBTQIA+, Latinx/Hispanic, family of all kinds, women and gender minorities, and interfaith.”

Beverly Hills Plastic Surgeon Sued for Not Telling Patients Hackers Stole Their Nude Photos

20 February 2025 at 06:00

This article was produced in collaboration with Court Watch, an independent outlet that unearths overlooked court records.

A Beverly Hills plastic surgeon’s patients filed a class action lawsuit against him earlier this month after they say he didn’t tell them that his patient information database had been hacked twice, and that their personal information and nude photos of themselves undergoing surgery had been posted online. 

The lawsuit alleges that the surgeon, Dr. Jaime Schwartz, did not secure his patients’ information with industry-standard safety protocols, and that he lied about the scope of the first hack when patients asked him about it. Schwartz may also be familiar to some reality TV viewers, having appeared on shows such as “Botched,” according to his website.

“Despite charging clients thousands of dollars and having access to their deeply private medical information, Dr. Schwartz disregarded basic security measures necessary to protect that information from malicious cyberattacks,” the lawsuit states. “As a result of his negligence, he allowed his network to be compromised twice in less than a year [emphasis in original].”

In both cases, Dr. Schwartz did not notify his patients of a hack until some of them found their information—including nude photos of themselves with their faces visible—online, according to the lawsuit. 

The lawsuit alleges that Dr. Schwartz was first notified of a hack of his patient database in October of 2023, when the hacking group Hunter International posted that it had access to his data. 

“The hackers had exfiltrated 1.1 terabytes of data from Dr. Schwartz, consisting of 248,245 files,” the lawsuit states. “The dark web posting included four patient photos, including one nude photo with the patient’s face visible.” 

Schwartz refused to pay the ransom, according to the lawsuit. One month later, the hackers updated the post with a note to him.

“Seems like you don’t want to protect your data at all,” the lawsuit quotes the note as reading. “More than 30 days had passed already since your network has been breached. You have been provided with everything you have asked about…But you keep begging for proofs [sic]. This is not the way we going to make business with you. Maybe you will do us a favor and transfer half of the money to prove that you can pay for your data?” 

The lawsuit does not specify how much money the hackers had asked for as part of the extortion. About two weeks after the note was posted, the lawsuit states, the hackers put up another update including nude photos of patients. “If you find your private data here just email us and we will let you know how to proceed further with actions against this DOCTOR!” the last update read, according to the lawsuit. 

The lawsuit alleges that Schwartz did not notify his patients of the hack until some of them found information about it online. One plaintiff reached out to him to ask whether her data was compromised as part of the breach. 

“Thereafter, a person claiming to be in charge of cybersecurity for Dr. Schwartz called [the plaintiff],” the lawsuit states. “[She] is informed and believes that the person was Dr. Schwartz’s brother.”

According to the lawsuit, the head of cybersecurity told the plaintiff that the breach had only affected six people, that her data was not included, and that Schwartz was “working with the FBI and had completely overhauled the computer system to prevent future cyberattacks.” 

The medical world is not new to this kind of extortion. Both major hospitals and private clinics have suffered data breaches in recent years, and over 500 breaches of varying degree were reported to the U.S. Department of Health and Human Services in 2024. The American Medical Association found in 2019 that 83 percent of doctors in the U.S. had experienced some kind of cyber attack. 

Plastic surgeons, however, have recently become a popular target because of the kind of data they retain. A patient’s file includes not only their medical and financial information, but also photographs taken as part of the treatment process. Depending on the surgery, many of those photographs are taken nude. Even as far back as 2017, hackers targeted a plastic surgeon whose clients allegedly included royal families and stole a wealth of highly personal photos. 

“This information is particularly valuable for purposes of sale on the dark web to facilitate identity theft and for purposes of ransom/extortion against physicians and patients,” the lawsuit states.

In October of 2023, the FBI released a public service announcement that hackers were targeting plastic surgeons. The announcement said that hackers would phish plastic surgeons’ offices to get access to their patient information databases, then use “open-source information” like patients’ social media profiles as leverage.

“Once successful, cybercriminals use social engineering techniques to enhance the harvested data and extort individuals for cryptocurrency,” the announcement stated. 

Yet the lawsuit alleges that Schwartz did not take any extra precautions after his October hack. And, in March of 2024, it claims, he was hacked a second time. In this breach, the lawsuit alleges, “The entirety of Dr. Schwartz’s patient data was compromised.”

“[Schwartz] failed to notify his patients as required by federal and state law,” the lawsuit states. “He waited to do so until after the hackers posted a public website announcing the hack and leaking patients’ names, contact information, and nude photographs, and began contacting his patients directly. Despite knowing that his patients’ most private medical data was in the hands of malicious actors, Dr. Schwartz waited almost 10 months to notify them [emphasis in original].” 

Schwartz sent his patients a generic message about the second hack in January of 2025. He wrote that, “An unauthorized third party utilized a third-party vendor’s credentials to access the practice’s medical billing and practice management system…It was determined that some of your personal information was present in the impacted data set. We then took steps to notify you of the incident as quickly as possible.”

Despite the head of cybersecurity’s promise of a full system overhaul, the lawsuit alleges that Schwartz’s team did not sufficiently secure its network-connected devices, did not train its staff to avoid phishing emails, and did not properly vet or secure its third-party vendors with access to sensitive patient data. It also claims Schwartz did not adequately monitor its network activity or implement “appropriate network ‘traffic’ controls to prevent the exfiltration of large amounts of data.” The lawsuit additionally claims Schwartz did not have appropriate anti-malware software or firewalls in its system. 

The lawsuit also alleges that, when it was filed, Schwartz had not yet contacted the California attorney general or the U.S. Department of Health and Human Services about either hack.

“To date, the hackers have posted approximately 30 patient files,” the lawsuit states. “They have warned that they will continue releasing patient files, in alphabetical order, until Dr. Schwartz contacts them to address the matter.”

The plaintiffs are demanding damages of up to $3,000 per violation per person, amounting to more than $5 million, as well as a potential jury trial. 

Schwartz’s office did not respond to a request for comment.

Public Library Ebook Service to Cull AI Slop After 404 Media Investigation

20 February 2025 at 06:00

Hoopla, a service that provides public libraries around the country with ebooks, announced that it will do more to prevent the spread of low quality AI-generated books after a 404 Media investigation showed that they were common on its platform.

“At hoopla, customer satisfaction is at the core of everything we do, and we deeply appreciate the feedback we’ve received regarding our content, including AI-related titles,” Ann Ford, VP of Sales & Customer Support at Hoopla, said in an email sent to librarians on February 10, which 404 Media then obtained. “We want to assure you that we take your concerns very seriously. Your input is invaluable in helping us learn, grow, and continuously improve. In response, our senior management has come together to develop a thoughtful and comprehensive plan of action.”  

While the exact details of the plan Hoopla is putting together to prevent low quality AI-generated books from flooding its platform are still not clear, Hoopla emailed librarians again on February 14 to share more information on actions it has already implemented. This includes revising its “collection development policy to ensure we adhere to and evolve with industry best practices,” offering librarians better ways to manage the Hoopla catalog by contacting Hoopla directly, and the removal of all “summary titles from all vendors, with some exceptions,” such as HMH Books, the publisher of the popular CliffNotes series. 404 Media also obtained a copy of this second email.

As 404 Media’s investigation into Hoopla showed, books that seemingly use AI to summarize existing, human-written books are some of the most common low quality content on Hoopla as well as other ebook providers, including Amazon. For example, one publisher called IRB Media had hundreds of summaries available to lend via Hoopla when I published my story on February 4. At the time of writing IRB Media still has about a dozen summaries I could find on Hoopla, but most of its books had been removed.

Hoopla’s second email to librarians also announced that the company has removed some publishers and authors it identified as providing “poor-quality and/or poor-quality AI-generated content” using “industry metadata standards to identify AI-generated content.” Some of the low quality AI-generated books I highlighted in my story, like a fatty liver diet cookbook by an author that doesn’t appear to exist and has an AI-generated headshot, were removed. Other books, like an AI-generated book about Elon Musk, are still on Hoopla but can’t be borrowed. Other books by the same author of the Elon Musk book, Bill Tarino, have been removed as well. 

“It is important to note that libraries may still choose to opt out of all publisher-tagged AI-generated content by contacting their sales representative,” Ford said in one of the emails to librarians. “It is our hope that you are already noticing the positive impact of these actions.”

While it’s notable that Hoopla is actively removing AI-generated books on its platform that it previously ignored, librarians think the company still has a lot of work to do.

“Librarians select, purchase, and lend materials in service to the public, and they put their trust in hoopla to provide a curated and high-quality catalog of materials,” Jennie Rose Halperin, executive director at Library Futures, an organization of librarians, told me in an email. “Hoopla has broken this trust in favor of a profit-motivated, exploitative model that flies in the face of professional values. This statement, which is very light on details, continues to avoid accountability for the expensive and shoddy product they are vending. Around the country, libraries are under attack by censors and book banners for simply providing access to quality resources that serve the needs of their communities, and hoopla’s model puts them further at risk. The misalignment of values between big vendors and libraries has never been clearer.”

Meta Sues Alleged Violent Extortionist For Holding Instagram Accounts Hostage

19 February 2025 at 09:03

This article was produced in collaboration with Court Watch, an independent outlet that unearths overlooked court records.

Meta is suing a scammer who allegedly and prolifically extorted people by banning and unbanning their Instagram accounts.

The lawsuit, filed on Tuesday, is against Idriss Qibaa, who ran the “Unlocked 4 Life” extortion scheme, according to an earlier criminal complaint filed by prosecutors. Qibaa, a self-described “professional when it comes to the banning and unbanning of Instagram accounts,” admitted on Adam 22’s No Jumper podcast in January 2024 that he had over 200 people who pay him monthly to maintain access to their accounts, and claimed he made more than $600,000 a month with this scheme. On the podcast episode, Adam mentioned that celebrities have fallen victim to similar extortion crimes, and Qibaa responded that they’re “getting extorted.”

Part of the “Unlocked 4 Life” extortion scheme included threatening to murder victims if they didn’t cooperate, according to the criminal complaint. A federal grand jury in the District of Nevada indicted Qibaa in August 2024 in a case that’s ongoing, charging him with two counts of violating interstate communications law for sending messages threatening to injure or kill two victims. The indictment goes into detail about the harassment Qibaa allegedly doled out against people who didn’t comply with his scheme, including sending hundreds or thousands of text messages, racial slurs, messages threatening to kill them, and photos of a man with a bloodied face. “Here’s the last guy who came to take photos/came near my home,” that text said. In one case, he threatened to “blast out” a victim’s social security number and demanded she pay him $20,000 to stop harassing her, according to court documents.

“We will consider all enforcement and legal options to protect people on our platforms. These particular abuses target users and violate our policies, and we are committed to countering these malicious activities," a Meta spokesperson told 404 Media in a statement.

Meta’s new complaint accuses Qibaa of selling “unauthorized Instagram services including (a) the ability to disable user accounts; (b) user account reinstatement services intended to circumvent enforcement actions taken by Meta in response to users who violated the Instagram Terms of Use (‘Terms’) and other rules that govern access to and use of Instagram, including Instagram’s Community Standards (collectively, ‘Instagram Terms and Policies’); and (c) fake engagement services intended to artificially inflate followers on Instagram user accounts, among other things.” The complaint also claims that Qibaa was running the same grift on X, YouTube, TikTok, Snapchat, and Telegram.

In February 2024, Meta sent Qibaa a cease-and-desist letter, revoked his licenses to access Facebook and Instagram, and disabled his accounts, according to the complaint. But Qibaa made new Instagram accounts to get around the bans, Meta alleges.

Meta’s complaint is a look into how easy it is to manipulate its own reporting and moderation features. The company says Qibaa got people’s Instagram accounts banned by simply submitting fake reports claiming they were violating the platform’s terms. When Qibaa submitted the misleading reports, Meta alleges, Instagram disabled the account on the same day, and in some cases, reinstated it on the same day, too. 

Updated 2/19 12:35 p.m. EST with comment from Meta.

The Humane AI Pin: A $700 Brick of E-Waste

19 February 2025 at 08:34

Roughly 10 months after it was released, the Humane AI Pin, a terribly executed and terrible product, is now officially a $700 brick of e-waste after the company sold its software to HP and told its dozens of customers that they are now out of luck.

Every Humane AI Pin ever created will stop functioning at the end of the month. Well, that is not exactly correct. As Engadget has pointed out, Humane told customers that nearly every function of the AI pin will stop working on February 28, but that true diehards can continue to access “offline” features, which primarily seems to be checking whether the battery is charged or not: “After February 28, 2025, AI Pin will still allow for offline features like battery level, etc., but will not include any function that requires cloud connectivity like voice interactions, AI responses, and Center access.” Humane went on to say that “We encourage you to recycle your AI Pin through an e-waste recycling program.”

If you are not familiar, the AI Pin is a $700 piece of junk that was supposed to be an “AI assistant” but instead barely worked, was perhaps a fire hazard, and whose main functionality was triggering fragile venture capitalists on Twitter who self-immolated when the reviews were understandably very bad.

There is very little to say about the Humane AI pin right now other than they are very lucky that the vast majority of tech journalists in the United States are too busy writing about the Elon Musk-led ransacking of the federal government to dunk on this company in the way it truly deserves (we are also doing this but need a break for five minutes). 

The company and the tech were wildly hyped, wasted gazillions of dollars (it raised $240 million in funding), made something terrible, existed for less than a year, and are now hazardous e-waste that is a huge pain in the ass to safely dispose of. The saving grace of all of this is that Humane sold so few devices (roughly 10,000) that the number of consumers who are affected is relatively low as these things go and therefore, there are fewer of them that need to be recycled.

The Humane AI Pin is the latest in a long line of internet of things devices that cost a lot and then became e-waste when the company decided to stop supporting them or went out of business.

On recycling: I have been to electronics recycling centers, and small wearables like this are labor intensive to recycle because they have small, difficult-to-remove batteries. An iFixit teardown wondered whether the Humane pin was one of the “worst devices ever,” and stated that both the Humane AI pin and the Rabbit R1, another AI wearable, “have batteries that are a pain to remove, hidden behind thoroughly glued-down panels,” and that “making the battery so difficult to reach is perplexing at best.”

Anyways, we must never forget the Humane AI Pin. Good job everyone.

Podcast: DOGE's Website, Hacked

19 February 2025 at 06:00

This week we start with Jason's story about anyone being able to push updates to the DOGE.gov website. Then we talk about other stories with the DEI.gov and Waste.gov sites. After the break, Sam tells us all about some lawyers who get caught using AI in a case. In the subscribers-only section, we chat about a true crime documentary YouTube channel where the murders were all AI-generated.

Musk Ally Demands Admin Access to System That Lets Government Text the Public

18 February 2025 at 11:20

A worker at the General Services Administration told colleagues in a Slack message Tuesday that they have resigned in protest after Elon Musk ally Thomas Shedd requested “admin/root access to all components of the Notify.gov system.” Notify.gov is a government system used to send mass text messages to the public; the worker said it contains highly sensitive information and that the requested access would give Shedd unilateral, private access to the personal data of members of the public.

Shedd is a former Tesla engineer who now runs Technology Transformation Services (TTS), a group of coders and software engineers within the GSA, and is closely allied with Elon Musk and DOGE. Notify.gov contains not just the phone numbers of everyday people but also information about whether they participate in government programs such as Medicaid, which is based on a person's financial situation. In recent days, Musk has become obsessed with the idea of "fraud" in Medicaid, Medicare, and Social Security, and in identifying those he suspects are committing fraud.

“The TTS commissioner, Thomas Shedd, has required us to provide admin/root access to all components of the Notify.gov system,” the Slack message, seen by 404 Media, starts. It then says this would allow Shedd to “view all personally identifiable information (PII) moving through the Notify system, including phone numbers and variable data for members of the public.” It says Shedd “would be able to download and store this data without anybody else receiving a notification.”

Why Is a Government Contractor Trying to Buy iPhone Hacking Tech From Us?

18 February 2025 at 08:07

On January 24 we received a pretty unusual email. The sender, a procurement officer from government contractor Cirrus Systems, wanted to buy multiple licenses for Graykey, the iPhone and Android hacking technology widely used by U.S. law enforcement and agencies. 

“Hello sales Team, I hope this email finds you well,” the email started. “I would be grateful if you provide us with best/lowest price quote for the following items for Federal’s demand. Please assist in me in the below.”

This was a government contractor trying to buy a phone hacking tool directly from a group of journalists. So, pretty weird.

The email included a table laying out how many licenses Cirrus Systems is after (it looks like four). A statement of work (SOW) then lists the specific capabilities the desired system must have. They include “full forensic acquisition capability for the latest generations of iOS as implemented on the latest iPhone (iPhone 16 at this time) cellular telephones,” and the same for “the latest generations of Android.”

Antarctica's Only Insect

15 February 2025 at 06:00

Welcome back to the Abstract, 404 Media's weekly roundup of scientific studies to distract us from our present dystopia!

This week, we are traveling back in time to 16th century Transylvania, so please make sure you are up to date on your bubonic plague shots. A study reconstructed wild weather events through the eyes of record-keepers during this fraught period, opening a tantalizing window into climate extremes unleashed by a vengeful God (according to contemporary reports).

Then: making love the medaka way (get those anal fins ready). Next, the chillest insect in Antarctica (also: the only one). Finally, these turtles will dance for food, and yes, it’s very cute.

The Haunting Weather Reports of 16th Century Transylvania

Gaceu, Ovidiu Răzvan et al. “Reconstruction of climatic events from the 16th century in Transylvania: interdisciplinary analysis based on historical sources.” Frontiers in Climate.

Rejoice, for this week has delivered one of the best varieties of study: Science via historical documents. Sure, ice cores and geological strata are great for reconstructing past climates, but nobody can bitch about the weather better than a good old-fashioned red-blooded member of team Homo sapiens.

To that end, researchers searched for mentions of weird weather across a trove of diaries, monastery records, travel notes, and other documents from 16th century Transylvania, during a “pivotal moment in climate history” when a centuries-long cooling event called the Little Ice Age intensified, according to researchers led by Ovidiu Răzvan Gaceu of the University of Oradea. 

These types of studies are packed with colorful human testimonies that can corroborate natural records. More importantly, though, they are just fun to read, especially during such an evocative time and place, freshly haunted by the vampiric spirit of Vlad the Impaler. Some highlights:

In August 1526, heavy rainfall caused freak floods in Braşov that “washed the walls of the fortress, demolished the main gate, and the fish also got caught in the big church,” according to the Annals of Brașov. Fish in the church! The ultimate baptism. 

In autumn 1553, people in the city of Cluj reported unusual weather events including “October strawberries.” For real, October is for pumpkins, get out of here with the strawbs. Turned out it was a bad omen—there was a plague the following winter. Keep that in mind if you see any late autumn strawberries: Kill on sight.

Naturally, a lot of these accounts are heartbreaking. Locusts “sometimes covered the whole sky and destroyed grain crops” and caused terrible famines. A storm-related fire “killed 14 people and made 60 poor.” On September 29, 1582, “there was such a big storm, as it was said that it had never been seen before in the city of Cluj, which uprooted the trees and raised the roofs of the houses, people believed that it is sent by divinity to punish the crimes committed by them.” 

I mean, I’m not saying these people weren’t doing crimes. It’s 16th century Transylvania. Do what you gotta do. But that's not why there is extreme weather. You’re just in the Little Ice Age. 

The study ultimately identified “multiple pieces of evidence associated with extreme weather events, including 40 unusually warm summers and several years of excess precipitation or drought.” Taken together with natural archives, the documents paint a picture of troubled times, exacerbated by an unstable climate and possible emergent vampires. Relatable! 

Fish Spawn Wild

Kondo, Yuki et al. “Medaka (Oryzias latipes) initiate courtship and spawning late at night: Insights from field observations.” PLOS One. 

Valentine’s Day is over, but the romantic mood is still in the air—or in the water, if you’re a medaka (flawless segue). Scientists have discovered that wild medaka, also known as Japanese rice fish, are fans of late-night booty calls, which is a behavior that has not been observed in captivity.

“Although medaka and other model organisms are invaluable in laboratories, their ecology in the wild remains largely unknown,” said researchers led by Yuki Kondo of Osaka Metropolitan University. “This study showed that medaka in the wild initiate spawning during late nocturnal hours and exhibit vigorous courtship behavior at midnight.”

Kondo and her colleagues recorded this vigorous courtship by placing GoPros into streams over the course of several summer nights in Gifu, Japan. The tapes revealed that medaka like to spawn in the dark, possibly to avoid predators during copulation. The results “provide the first empirical evidence that medaka mating begins significantly earlier than previously reported in the laboratory.”  

For anyone who feels clueless about courtship, may I offer a page from the Medaka Sutra: 

“The spawning behavior of medaka follows a sequence of events: the male chases the female (following), the male swims rapidly around the female (quick circle), the male wraps his dorsal and anal fins around the female (wrapping), the female releases eggs, the male releases sperm (egg and sperm release), and the male leaves the female (leaving),” according to Kondo’s team.

The only true love language is, indeed, spoken with anal fins.

Medaka at Medaka. Image: Osaka Metropolitan University

Major bonus points also go to Osaka Metropolitan University’s press team for throwing together this version of Edward Hopper’s famous “Nighthawks” painting with medaka getting drinks at a bar that is also named Medaka. It is genuinely one of the most inspired public relations efforts I have ever seen, and I’m going to get a print of it to hang on my wall.

The Insect at the Edge of Earth

Yoshida, Mizuki et al. Obligate diapause and its termination shape the life-cycle seasonality of an Antarctic insect. Scientific Reports. 

Belgica antarctica, or the Antarctic midge, is the only insect that lives year-round on its namesake continent. Do you know how weird you have to be to be the only insect somewhere? But this midge doesn’t care. It just lives out its bug life, which lasts two years, in an otherwise bugless wasteland. 

Humans definitely care about the midge, though—how could we not? What is it doing there? How is it not dead? What can it teach us about cryopreservation? These questions are addressed in a new study that resolved mysteries about the animal’s interesting life cycle.

“Freeze tolerance and cryoprotective dehydration are cold tolerance strategies used by various invertebrate species in polar regions and indeed, B. antarctica utilises both for overwintering,” said researchers led by Mizuki Yoshida of the Ohio State University, who completed the project while at Osaka Metropolitan University (OMU killing it this week). 

“Larvae that are frozen in ice and cryoprotectively dehydrated readily survived 32 days of simulated overwintering,” the team said. “Unlike many insects restricted to highly specific microhabitats, B. antarctica larvae inhabit a remarkably diverse range of substrates that differ in vegetation, substrate type, slope, drainage, and thermal and hydric conditions.”

Antarctic midges. Image: Osaka Metropolitan University

I love the phrasing of “readily survived” as if the midges were eager to show off their cryoprotective superpowers. After this 32-day period they emerged with “That all you got?” energy. By studying the bugs in these simulated conditions, the researchers confirmed that they rely on multiple overwintering strategies, including a state of arrested development called “obligate diapause.” 

“Diapause has long been assumed to be uncommon in Antarctic species, but the present study reveals that B. antarctica utilises diapause for seasonal adaptation, as in many temperate species,” Yoshida and her colleagues said. 

In addition to being the only endemic Antarctic insect, this midge has the smallest genome of any known insect while also being the largest fully terrestrial animal on the continent, even though it’s only a few millimeters long. In other words, it is the biggest animal in Antarctica that doesn’t fly or swim. Okay, Antarctic midge. You just keep doing you.

Everyone Do the Turtle

Goforth, Kayla et al. Learned magnetic map cues and two mechanisms of magnetoreception in turtles. Nature.

Last, turtles do a little victory dance when they find food. Yes, it is cute. Yes, there is a video.

The footage (along with this extended clip) is part of a study that tested if turtles could distinguish the magnetic signatures of two geographical areas. When the turtles were exposed to signatures associated with an area they associated with food, they danced in anticipation of a meal, demonstrating that they could tell the signals apart—and party accordingly.  

“Hallmarks of the behaviour include some or all of the following: tilting the body vertically, holding the head near or above water, opening the mouth, rapid alternating movement of the front flippers, and, occasionally, even spinning in place, hence the name ‘turtle dance,’” said researchers led by Kayla Goforth of Texas A&M University. “Turtles exhibited significantly higher levels of turtle dance behaviour when experiencing the field in which they had been fed.”

With that, let’s all tilt vertically, spin in place, and shell-abrate the long weekend. 

Thanks for reading! See you next week.  

Researcher Captures Contents of ‘DEI.gov’ Before It Was Hidden Behind a Password

14 February 2025 at 11:32

A German researcher captured the contents of the White House’s “DEI.gov” during a brief period when it was not password protected.

The capture shows that the site contains a list of vague, alleged government-funded tasks and their costs, without sources or context, like “$1.3 million to Arab and Jewish photographers," “$1.5 million for ‘art for inclusion of people with disabilities,’” and "$3.4 million for Malaysian drug-fueled gay sex app.” DEI.gov redirects to waste.gov and is currently inaccessible without a password; Elon Musk told reporters on Tuesday that his Department of Government Efficiency (DOGE) is “trying to be as transparent as possible.”

The researcher, Henrik Schönemann, a historian who started the Safeguarding Research & Culture archivalist project, posted screenshots on Mastodon showing the contents. Schönemann also shared the specific site scrapes that he was able to capture, which showed the contents of the site. He told 404 Media he set up a change detection app using PikaPods, and is monitoring changes across hundreds of government websites. When the dei.gov and waste.gov sites were registered 10 days ago, he started tracking them, too.

Trump Admin Adds Note Rejecting ‘Gender Ideology’ on Sites Court Ordered Them to Restore

14 February 2025 at 10:25

After being forced by a court order to restore certain pages about gender and diversity to government websites, the Trump administration has added a note to the top of those pages saying “Any information on this page promoting gender ideology is extremely inaccurate, and disconnected from the immutable biological reality that there are two sexes, male and female.”

For example, a page on the Substance Abuse and Mental Health Services Administration’s (SAMHSA) website linking to a survey about behavioral health and substance abuse among gay, lesbian, bisexual, or other nonheterosexual adolescents now includes the note. In full, the note reads:

Per a court order, HHS is required to restore this website as of February 14, 2025 at 11:59 p.m. Any information on this page promoting gender ideology is extremely inaccurate, and disconnected from the immutable biological reality that there are two sexes, male and female. The Trump Administration rejects gender ideology and condemns the harms it causes to children, by promoting their chemical and surgical mutilation, and to women, by depriving them of their dignity, safety, well-being, and opportunities. This page does not reflect biological reality and therefore the Administration and this Department rejects it.

The same note now also appears on the U.S. Food & Drug Administration’s (FDA) page for a June 2024 “guidance document” for “Diversity Action Plans to Improve Enrollment of Participants from Underrepresented Populations in Clinical Studies,” as well as a January 2025 guidance document for the “Study of Sex Differences in the Clinical Evaluation of Medical Products.”

The note essentially seems like a way for the current administration to legally comply with a court order while still signaling that it entirely rejects any government funded or endorsed research or policy sympathetic to the LGBTQ+ community and diversity, equity, and inclusion, which Trump and Elon Musk’s Department of Government Efficiency have been purging from government websites.

Earlier this week, we reported that a federal judge ordered the Department of Health and Human Services, Centers for Disease Control, and Food and Drug Administration to restore several webpages they removed as a result of Trump’s executive order attacking diversity, equity, and inclusion. The agencies were given until 11:59 p.m. on February 11 to restore the webpages. 

The court ordered the administration to restore the webpages “to their versions as of January 30, 2025,” meaning they were supposed to revert the webpages to what they looked like on January 30 with no changes. The versions that have been restored now have this additional disclaimer.

A joint status update filed Thursday by lawyers for the Department of Justice and the Public Citizen Litigation Group says that the government has provided the court with a list of websites that it has restored, though the list of websites is not available. It also specifically says that the government is refusing to restore the website reproductiverights.gov: “Defendants have objected to restoring the website ‘reproductiverights.gov.’ Plaintiff’s counsel is conferring with their client,” it says.

“Plaintiff’s lists include websites from Department of Health and Human Services (HHS) components other than the Centers for Disease Control and Prevention and the Food and Drug Administration. The parties disagree about whether such websites properly fall within the scope of the Order. However, given Plaintiff’s forthcoming amended complaint and to avoid further emergency motions practice, Defendants will restore those websites consistent with the Order,” it adds.

Behind the Blog: Backdoors and the Miracle of Wikipedia

14 February 2025 at 08:40

This is Behind the Blog, where we share our behind-the-scenes thoughts about how a few of our top stories of the week came together. This week, we discuss Apple's iCloud, Wikipedia is a miracle of humankind, and good soup.

JASON: After our relatively unhinged BTBs last week, many of you left extremely nice comments, reached out individually, or otherwise gave us encouragement. You all are the best, and it made us feel very good. Thank you!

This week, I wrote about what the Wikimedia Foundation is doing to prepare itself for attacks from well-funded people who have decided to wage a harassment and legal war on Wikipedia editors. I am not going to rehash why people want to attack Wikipedia because it’s done very well in this article by Molly White, but it boils down essentially to: Wikipedia is not that easily manipulated, it does not shy away from the truth, and its distributed, global nature makes it quite resilient.

Anyone Can Push Updates to the DOGE.gov Website

13 February 2025 at 22:42

The doge.gov website that was spun up to track Elon Musk’s cuts to the federal government is insecure and pulls from a database that can be edited by anyone, according to two separate people who found the vulnerability and shared it with 404 Media. One coder added at least two database entries that are visible on the live site and say “this is a joke of a .gov site” and “THESE ‘EXPERTS’ LEFT THEIR DATABASE OPEN -roro.” 

Doge.gov was hastily deployed after Elon Musk told reporters Tuesday that his Department of Government Efficiency is “trying to be as transparent as possible. In fact, our actions—we post our actions to the DOGE handle on X, and to the DOGE website.” At the time, DOGE was an essentially blank webpage. It was built out further Wednesday and Thursday, and now shows a mirror of the @DOGE X account posts, as well as various stats about the U.S. government’s federal workforce. 

Two different web development experts who asked to remain anonymous because they were probing a federal website told 404 Media that doge.gov is seemingly built on a Cloudflare Pages site that is not currently hosted on government servers. The database it is pulling from can be and has been written to by third parties, and what they write shows up on the live website.

Both sources told 404 Media that they noticed Doge.gov is pulling from a Cloudflare Pages website, where the code that runs it is actually deployed.
