Axios Codebook

March 21, 2023
Happy Tuesday! Welcome back to Codebook.
- Axios' second annual What's Next Summit is next Wednesday, March 29, in Washington, D.C.! You'll hear from music producer Timbaland, head of YouTube Neal Mohan, Box co-founder and CEO Aaron Levie, and more! Register to livestream the event here.
- Have thoughts, feedback or scoops to share? [email protected].
Today's newsletter is 1,444 words, a 5.5-minute read.
1 big thing: OpenAI CEO's eye-scanning plan to replace passwords
Illustration: Brendan Lynch/Axios
OpenAI CEO Sam Altman's plan for identity verification is raising serious questions about biometric privacy and the options companies pursue to replace easy-to-guess passwords.
Driving the news: Worldcoin, a crypto project co-founded by Altman, debuted its highly anticipated, years-in-the-making World ID verification program last week. It heavily relies on iris scans as proof of identity.
- Worldcoin also opened up the waitlist for developers interested in incorporating World ID into their own apps.
Why it matters: As companies increasingly incorporate generative AI into their products, developers are seeking ways to get ahead of the identity theft and online scams the emerging technology is already proliferating.
- Technology companies have also spent years looking for ways to replace easy-to-guess, phrase-based passwords.
Zoom out: Founded in 2020, Worldcoin consists of three parts: the ID verification protocol, a soon-to-be released worldcoin token and a crypto wallet app.
- Altman and co-founder Alex Blania have set the lofty goal of making worldcoin a universally used cryptocurrency in the developing world, and the pair have long hinted at using the token's infrastructure to distribute future universal basic income programs.
- While the startup has received polarizing reviews, the company has still caught the eye of big-name investors like Andreessen Horowitz and LinkedIn co-founder Reid Hoffman.
How it works: World ID takes the idea of collecting a user's biometric data to a new, and possibly extreme, level.
- World ID helps verify someone's identity in one of two ways: by phone number verification or via "the Orb," a battery-powered iris-scanning device available at Worldcoin operator locations.
- From there, World ID users can choose to add either phone number or Orb verification to their private key identifiers (which are separate from worldcoin crypto wallet key numbers). But app developers who let their users log in via World ID will choose what level of verification they require for their services.
- Availability of the Orb is "mostly limited" to Argentina, Chile, India, Kenya, Portugal and Spain right now, according to a press release.
- Users who get their iris scans will receive 25 worldcoin, although it's unclear what value those coins have.
The big picture: Biometrics has become one of developers' go-to replacements for insecure passwords since it's difficult for malicious actors to replicate someone's fingerprint or face.
- The FIDO Alliance, which sets industry standards for passwordless login tools, even has a certification program to help developers incorporate biometrics safely and securely.
Between the lines: World ID doesn't require any additional personal information, such as someone's name or email address, Tiago Sada, head of product at Worldcoin parent company Tools for Humanity, told Axios.
- Iris scans are processed in-memory locally on the Orb and then immediately deleted, Worldcoin says. The Orb only outputs a so-called iris code to "numerically represent the texture of an iris."
- If a user chooses to verify through the Orb, they'll show a QR code containing a "hashed version" of their World ID private key number, Sada said. The Orb then takes that hashed ID code and "puts it together with your verification, and it signs it," he added.
Yes, but: Collecting biometric data, even if it isn't saved, is still a risky business, privacy and surveillance experts warn.
- Edward Snowden, an NSA whistleblower and privacy advocate, raised concerns about Worldcoin's ID plans back in October 2021.
2. A cyber conference's Tennessee problem
Illustration: Maura Losch/Axios
As the Tennessee state government continues to pass legislation targeting transgender and LGBTQ rights, members of the cybersecurity community are questioning a major industry conference's decision to host next year's event in Nashville.
Driving the news: The Women in Cybersecurity (WiCyS) nonprofit announced over the weekend it plans to host its 2024 summit in Nashville.
- The announcement was met with immediate criticism on Twitter given that many see the nonprofit's mission as creating an inclusive environment for women-identifying people in the male-dominated cybersecurity industry.
- "To say I'm disappointed would be an understatement. To say I'm infuriated wouldn't be sufficient," Alyssa Miller, chief information security officer at Epiq Global, said in a tweet. "Obviously that mission of inclusion was lost."
- WiCyS executive director Lynn Dohm said in a tweet Sunday that the organization signed the contract for the 2024 event four years ago.
What they're saying: "WiCyS is 100% committed to the security and wellbeing of our members and we are considering all options to respond to this challenge," the organization said in a statement Monday.
The big picture: In recent years, several organizations have either moved their conferences or decided to skip major events in states pursuing anti-LGBTQ and anti-trans legislation.
- Social audio app Clubhouse didn't attend last year's South by Southwest conference in Austin, Texas, because of the state Legislature's push to limit access to gender-affirming care for transgender youth.
- Two scientific and research organizations moved their conferences away from Utah last year after lawmakers passed legislation banning most abortions and another bill barring trans girls from participating in girls' sports.
Zoom out: More than 100 pieces of legislation in state legislatures this year would ban aspects of gender-affirming medical care, per the ACLU.
Yes, but: Not all organizations can afford the costs associated with changing venues, and most venues schedule years in advance for large-scale gatherings like the WiCyS summit.
3. Data breach leak site shuts down
Illustration: Aïda Amer/Axios
One of the most popular dark-web data breach forums appears to be shutting down after federal agents arrested its top administrator last week.
Driving the news: The new administrator of the forum, who goes by the handle "Baphomet," said Tuesday they plan to shut down BreachForums, noting that "it's the only safe decision."
- Last week, FBI agents arrested Conor Brian Fitzpatrick in Peekskill, New York, for one count of "conspiracy to solicit individuals with the purpose of selling unauthorized access devices," according to an affidavit from an agent.
- During the arrest, Fitzpatrick allegedly admitted to running BreachForums and said he used the alias "Pompompurin," per the affidavit. Bloomberg first reported on the arrest.
Why it matters: The arrest and subsequent shutdown of the forum would mark another win for law enforcement amid a series of high-profile cybercrime arrests and takedowns.
- Last week, the U.S. Attorney's Office for the Eastern District of New York arrested two men who allegedly forged law enforcement data requests to tech companies for sensitive user data.
- Earlier this year, the FBI seized some of the servers belonging to the Hive ransomware gang following a monthslong sting operation.
The big picture: BreachForums, a popular dark-web forum, has been at the center of several major incidents, including this month's breach of DC Health Link.
- On the forum, malicious hackers can buy and sell stolen data from recent data breaches. Earlier this month, a hacker was selling files on the forum allegedly stolen from DC Health Link, including personal information belonging to lawmakers and congressional staff.
- Pompompurin has also claimed responsibility for a November 2021 incident exploiting a flaw in the FBI's email system.
The intrigue: Originally, Baphomet had planned to move BreachForums to different infrastructure, but a message to users indicates they switched course after learning that federal officials have access to Pompompurin's computer.
- Baphomet claims someone was able to log in to one of the forum's servers on Sunday. "Unfortunately, this likely leads to the conclusion that someone has access to Pom's machine," they wrote.
What's next: Fitzpatrick is scheduled to make an appearance in a federal court in Alexandria, Virginia, on Friday, according to court documents.
4. Catch up quick
@ D.C.
- More than a dozen countries have introduced full, partial or public-sector bans on TikTok. (Axios)
- Greece's national intelligence service used spyware to spy on an American citizen who worked on Meta's security and trust team in Greece. (New York Times)
- The Cybersecurity and Infrastructure Security Agency named 13 new members to its cybersecurity advisory committee, including former national cyber director Chris Inglis. (CISA)
@ Industry
- Twitter is testing a government ID-based verification program. (TechCrunch)
- Saks Fifth Avenue confirmed that one of its vendors has experienced a "data security incident" after the Clop ransomware gang claimed responsibility for the attack. (Bleeping Computer)
- The BBC is advising its staff to delete TikTok from their devices. (BBC)
@ Hackers and hacks
- China state-backed hackers exploited more critical software vulnerabilities in 2022 than any other nation-state's groups, according to researchers at Mandiant. (CyberScoop)
- The Medusa ransomware gang claims it published stolen Minneapolis Public School records after the district refused to pay a $1 million ransom. (The 74)
- Researchers warn that a patch for a critical vulnerability in Microsoft Outlook doesn't fully protect computer networks. (Cybersecurity Dive)
5. 1 fun thing
Illustration: Sarah Grillo/Axios
The ChatGPT future is already here: Security researchers at Claroty told the Wall Street Journal they used the AI chatbot to help win a recent hackathon.
See y'all on Friday!
Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.
Decode key cybersecurity news and insights. With Sam Sabin.