Some startups are going ‘fair source’ to avoid the pitfalls of open source licensing

Posted on by

With the perennial tensions between proprietary and open source software (OSS) unlikely to end anytime soon, a $3 billion startup is throwing its weight behind a new licensing paradigm — one that’s designed to bridge the open and proprietary worlds, replete with new definition, terminology, and governance model.

Developer software company Sentry recently introduced a new license category dubbed “fair source.” Sentry is an initial adopter, as are some half dozen others, including GitButler, a developer tooling company from one of GitHub’s founders

The fair source concept is designed to help companies align themselves with the “open” software development sphere, without encroaching into existing licensing landscapes, be that open source, open core, or source-available, and while avoiding any negative associations that exist with “proprietary.”

However, fair source is also a response to the growing sense that open source isn’t working out commercially.

“Open source isn’t a business model — open source is a distribution model, it’s a software development model, primarily,” Chad Whitacre, Sentry’s head of open source, told TechCrunch. “And in fact, it places severe limits on what business models are available, because of the licensing terms.”

[…]

Sentry, an app performance monitoring platform that helps companies such as Microsoft and Disney detect and diagnose buggy software, was initially available under a permissive BSD 3-Clause open source license. But in 2019, the product transitioned to a business source license (BUSL), a more restrictive source-available license initially created by MariaDB. This move was to counter what co-founder and CTO David Cramer called “funded businesses plagiarizing or copying our work to directly compete with Sentry.”

Fast forward to last August, and Sentry announced that it was making a recently acquired developer tool called Codecov “open source.” This was to the chagrin of many, who questioned whether the company could really call it “open source” given that it was being released under BUSL — a license that isn’t compatible with the Open Source Initiative’s (OSI) definition of “open source.”

Cramer swiftly issued an apology of sorts, explaining that while it had erroneously used the descriptor, the BUSL license adheres to the spirit of what many open source licenses are about: Users can self-host and modify the code without paying the creator a dime. They just can’t commercialize the product as a competing service.

But BUSL isn’t open source.

“We sort of stuck our foot in it, stirred the hornet’s next,” Whitacre said. “But it was during the debate that followed where we realized that we need a new term. Because we’re not closed source, and clearly, the community does not accept that we’re open source. And we’re not open core, either.”

Those who follow the open source world know that terminology is everything, and Sentry is far from the first company to fall in its (mis)use of the established nomenclature.

[…]

For now, the main recommended fair source license is the Functional Source License (FSL), which Sentry itself launched last year as a simpler alternative to BUSL. However, BUSL itself has also now been designated fair source, as has the all-new Fair Core License (FCL) which was contributed by Keygen, both of which are included to support the needs of different projects.

Companies are welcome to submit their own license for consideration, though all fair source licenses should have three core stipulations: It [the code] should be publicly available to read; allow third parties to use, modify, and redistribute with “minimal restrictions“; and have a delayed open source publication (DOSP) stipulation, meaning it converts to a true open source license after a predefined period of time. With Sentry’s FSL license, that period is two years; for BUSL, the default period is four years.

The concept of “delaying” publication of source code under a true open source license is a key defining element of a fair source license, separating it from other models such as open core. The DOSP protects a company’s commercial interests in the short term, before the code becomes fully open source.

[…]

In many ways, fair source is simply an exercise in branding — one that allows companies to cherry-pick parts of an established open source ethos that they cherish, while getting to avoid calling themselves “proprietary” or some other variant.

[…]

 

Source: Some startups are going ‘fair source’ to avoid the pitfalls of open source licensing | TechCrunch

New Dutch government declares asylum emergency – even though there isn’t – to bypass parliament. This is how authoritarianism begins.

Posted on by

The new programme of the Dutch cabinet under Prime Minister Dick Schoof reflects the tough migration stance promised during the election campaign, outlining a comprehensive plan to radically reform the country’s asylum system and push for an opt-out from EU migration policies. 

The Schoof cabinet’s plans for the upcoming term were unveiled today (13 September).  

The government’s newly published programme builds on the key agreements reached earlier this year after extensive negotiations between the former Liberal Party for Freedom and Democracy (VVD), led by the successor to former prime minister Mark Rutte, Wilders’ Freedom Party (PVV), New Social Contract (NSC) party and Citizen-Farmer Movement. 

The programme echoes the hardline stance on migration that dominated the campaign rhetoric and outlines a broad package of measures aimed at radically reforming the asylum system, citing “pressure on housing, healthcare, and education” as threats to social cohesion and safety.

“We must change direction and cut the influx immediately. That’s why I’m introducing the strictest asylum policy ever,” said the Minister of Asylum and Migration from the far-right populist PVV Marjolein Faber on X just before the programme’s release. 

A key element of the strategy focuses on action at the European level, including reforms to regulations and international treaties, as the government plans to take the issue to Brussels “as soon as possible” to achieve “an opt-out from European asylum and migration regulations.” 

At last week’s Ambrosetti Forum in Cernobbio, PVV leader Geert Wilders reiterated his call for EU countries to have an opt-out option on immigration and asylum policies.  

Last week, Minister Faber announced in her debut parliamentary debate that the cabinet intends to declare the asylum crisis an emergency – bypassing parliamentary approval – to swiftly enact measures to cut the migrant influx.

The programme addresses the asylum crisis, including a new Asylum Crisis Law as part of its structural reforms, as well as a redefinition of the nuclear family to restrict family reunification.

It also mentions the scrapping of indefinite asylum permits, allowing periodic reviews to determine if protection is still needed or if individuals can be returned to their home countries. 

Following last November’s national election, which was prompted by the collapse of the fourth Rutte cabinet over immigration policy disputes, Geert Wilders’s far-right party PVV emerged victorious. Securing a landslide victory with 37 seats, PVV became the largest party in the Dutch parliament. 

However, despite winning the election, Wilders opted not to personally join the government. Instead, Dick Schoof, an unelected career bureaucrat who previously headed the Dutch intelligence agency AIVD and served as a top official at the Ministry of Justice, was appointed prime minister by the King last July. 

Source: New Dutch government unveils toughest asylum reform in history – Euractiv

Five new massive satellites outshine most evening stars and will get bigger

Posted on by

A Texas telecommunications startup launched its first five massive “BlueBird” communications satellites into orbit on September 12. Each device is nearly 700-feet-wide when fully deployed, and like BlueWalker 3—AST SpaceMobile’s 2022 prototype, also in orbit—every BlueBird will soon shine brighter than most stars and planets in the night sky. But despite the concerns of critics and experts alike, the company’s CEO vows they are “just getting started.”

Founded in 2017, AST SpaceMobile is currently working with AT&T to construct the world’s first space-based cellular broadband network. In a statement on Thursday, AT&T Chief Operating Officer Jeff McElfresh said it’s all part of a plan to offer “a future where our customers will only be hard to reach if they choose to be.” AST SpaceMobile successfully delivered its BlueWalker 3 prototype into low-Earth orbit (LEO) in September 2022, and demonstrated it by allowing a smartphone to make a voice call the following September. Less than a month after the milestone, an international study published in Nature confirmed BlueWalker 3’s peak brightness matched that of Procyon and Achernar, two of the ten brightest stars in the night sky. Subsequent observations recorded even higher magnitudes similar to the stars that make up the constellation of Orion.

Each of the five BlueBirds now in orbit are roughly the same size as BlueWalker 3, meaning they will soon offer similar experiences for sky observers—sometimes visible even to the naked eye. But to achieve a reliable, high speed, and commercially viable satellite broadband network, AST SpaceMobile says it will need to deploy a constellation of nearly 90 satellites.

During a livestream of Thursday’s launch, company founder, chairman, and CEO Abel Avellan said many future satellite iterations will be “three-and-a-half-times larger” than the current BlueBirds. Such a scaling up would make each new, fully deployed device around 2425-square-feet in diameter, or about half the size of a regulation NBA basketball court. As Gizmodo noted on September 13, there are currently no legal restrictions for satellite brightness.

Gigantic satellite constellation arrays are growing at a rate that eclipses both regulatory oversight and experts’ concerns. Shortly after BlueWalker 3’s launch in 2022, the committee speaking on behalf of the International Astronomical Union uniformly denounced its delivery, describing it as “a big shift in the constellation satellite issue [that] should give us all reason to pause.”

AST SpaceMobile is far from the only company pursuing similar projects. SpaceX’s ongoing Starlink internet endeavor intends to eventually include as many as 7,000 satellites in orbit, in spite of its own share of public criticism. Meanwhile, advocates continue to stress the dangers of orbital pollution from decommissioned satellites and debris, often referred to as “space junk.” Without proper oversight and cleanup efforts, experts have repeatedly warned of the possibility of initiating a “Kessler cascade.” In these scenarios, the untenable amount of human-made objects leads to ever-increasing collisions, causing debris to deorbit and pose a danger to anything in its path.

In a statement provided to Popular Science, a spokesperson said that “AST SpaceMobile is committed to the responsible use of space as we advance our goal of using space-based, satellite technology to connect directly with everyday smartphones and help bring broadband to billions of people worldwide who do not have access today.”

Source: Five new massive satellites outshine most evening stars | Popular Science

Cats have brain activity recorded with the help of crocheted hats

Posted on by

Scientists have recorded electrical activity in the brains of awake cats for the first time, thanks to specially crocheted wool caps that hold the electrodes in place.

The technique gives researchers a way to assess chronic pain in cats and could lead to novel treatments, says Aude Castel at the University of Montreal in Canada.

About a quarter of all adult cats live with chronic pain due to osteoarthritis, which gets worse with age. Because treatment options are limited and generally involve significant side effects, Castel and her colleagues have been seeking alternative ways to relieve pain in cats, such as aromatherapy.

Electroencephalograms (EEGs) can be helpful in assessing the effects of such treatments because they can show the brain’s responses to pain and to stimulation of the senses. Thus far, though, the only EEGs carried out in cats have been performed in sedated animals.

Castel and her colleagues attempted to place electrodes on the heads of 11 awake, adult cats – all of which had osteoarthritis – in order to record their brain activity in response to smelling a variety of substances and seeing different wavelengths of light. However, the cats regularly shook their heads, causing the electrodes to shift out of place or fall off. Finally, the researchers realised they could take advantage of a new fashion for cats: crocheted caps.

“When you spend more time putting electrodes back on than you do actually recording the EEGs, you get creative,” says team member Aliénor Delsart, also at the University of Montreal.

The team asked a graduate student to crochet special cat caps to hold the electrodes, inspired by a tutorial on YouTube. With the new hats in place, the researchers found that the electrodes stayed in position and that the cats no longer tried to play with or chew the wires.

The EEG recordings in the awake cats were mostly usable, although a few still had too much interference from the cats’ head movements. Even so, the results allowed the team to determine critical brain activity related to the cats’ pain levels and reactions to various smells and coloured lighting.

As such, the team plans to use the EEG caps in future studies to determine how various treatments – including drugs and alternative therapies like odours and lighting – affect the cats’ perception of pain, says Delsart.

 

Journal reference:

Journal of Neuroscience Methods DOI: 10.1016/j.jneumeth.2024.110254

Source: Cats have brain activity recorded with the help of crocheted hats | New Scientist

Fortinet confirms data breach after hacker claims to steal 440GB of files

Posted on by

Cybersecurity giant Fortinet has confirmed it suffered a data breach after a threat actor claimed to steal 440GB of files from the company’s Microsoft Sharepoint server.

Fortinet is one of the largest cybersecurity companies in the world, selling secure networking products like firewalls, routers, and VPN devices. The company also offers SIEM, network management, and EDR/XDR solutions, as well as consulting services.

Early this morning, a threat actor posted to a hacking forum that they had stolen 440GB of data from Fortinet’s Azure Sharepoint instance. The threat actor then shared credentials to an alleged S3 bucket where the stolen data is stored for other threat actors to download.

[…]

The threat actor, known as “Fortibitch,” claims to have tried to extort Fortinet into paying a ransom, likely to prevent the publishing of data, but the company refused to pay.

In response to our questions about incident, Fortinet confirmed that customer data was stolen from a “third-party cloud-based shared file drive.”

[…]

Earlier today, Fortinet did not disclose how many customers are impacted or what kind of data has been compromised but said that it “communicated directly with customers as appropriate.”

A later update shared on Fortinet’s website says that the incident affected less than 0.3% of its customer base and that it has not resulted in any malicious activity targeting customers.

[…]

In May 2023, a threat actor claimed to have breached the GitHub repositories for the company Panopta, who was acquired by Fortinet in 2020, and leaked stolen data on a Russian-speaking hacking forum.

Source: Fortinet confirms data breach after hacker claims to steal 440GB of files

Ouch. A 440GB leak is huge.

Apple Vision Pro’s Eye Tracking Exposed What People Type

Posted on by

[…]

Today, a group of six computer scientists are revealing a new attack against Apple’s Vision Pro mixed reality headset where exposed eye-tracking data allowed them to decipher what people entered on the device’s virtual keyboard. The attack, dubbed GAZEploit and shared exclusively with WIRED, allowed the researchers to successfully reconstruct passwords, PINs, and messages people typed with their eyes.

“Based on the direction of the eye movement, the hacker can determine which key the victim is now typing,” says Hanqiu Wang, one of the leading researchers involved in the work. They identified the correct letters people typed in passwords 77 percent of the time within five guesses and 92 percent of the time in messages.

To be clear, the researchers did not gain access to Apple’s headset to see what they were viewing. Instead, they worked out what people were typing by remotely analyzing the eye movements of a virtual avatar created by the Vision Pro. This avatar can be used in Zoom calls, Teams, Slack, Reddit, Tinder, Twitter, Skype, and FaceTime.

[…]

 

Source: Apple Vision Pro’s Eye Tracking Exposed What People Type | WIRED

1.3 million Android-based TV boxes backdoored; researchers still don’t know how

Posted on by

Researchers still don’t know the cause of a recently discovered malware infection affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries.

Security firm Doctor Web reported Thursday that malware named Android.Vo1d has backdoored the Android-based boxes by putting malicious components in their system storage area, where they can be updated with additional malware at any time by command-and-control servers. Google representatives said the infected devices are running operating systems based on the Android Open Source Project, a version overseen by Google but distinct from Android TV, a proprietary version restricted to licensed device makers.

Dozens of variants

Although Doctor Web has a thorough understanding of Vo1d and the exceptional reach it has achieved, company researchers say they have yet to determine the attack vector that has led to the infections.

“At the moment, the source of the TV boxes’ backdoor infection remains unknown,” Thursday’s post stated. “One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access.”

The following device models infected by Vo1d are:

TV box model Declared firmware version
R4 Android 7.1.2; R4 Build/NHG47K
TV BOX Android 12.1; TV BOX Build/NHG47K
KJ-SMART4KVIP Android 10.1; KJ-SMART4KVIP Build/NHG47K

One possible cause of the infections is that the devices are running outdated versions that are vulnerable to exploits that remotely execute malicious code on them. Versions 7.1, 10.1, and 12.1, for example, were released in 2016, 2019, and 2022, respectively. What’s more, Doctor Web said it’s not unusual for budget device manufacturers to install older OS versions in streaming boxes and make them appear more attractive by passing them off as more up-to-date models.

Further, while only licensed device makers are permitted to modify Google’s AndroidTV, any device maker is free to make changes to open source versions. That leaves open the possibility that the devices were infected in the supply chain and were already compromised by the time they were purchased by the end user.

[…]

The statement said people can confirm a device runs Android TV OS by checking this link and following the steps listed here.

[…]

It’s not especially easy for less experienced people to check if a device is infected short of installing malware scanners. Doctor Web said its antivirus software for Android will detect all Vo1d variants and disinfect devices that provide root access. More experienced users can check indicators of compromise here.

Source: 1.3 million Android-based TV boxes backdoored; researchers still don’t know how | Ars Technica

After Synology breaks video station, plex, HEIC, H.265, backups, update now also breaks Surveillence station. What is going on there?!

Posted on by

Installed DSM 7.2.2-72806 on my DS1821+. The update automatically updated Surveillance Station to 9.2.1-11374.

When updating I received the following notice:

Surveillance Station will automatically install the Surveillance Video Extension package. After this update, the Live View Analytics app will no longer be supported. The support for HEVC (H.265) cameras will undergo the following changes, while AVC (H.264) cameras will remain unaffected:
Unsupported features:

Motion detection by Surveillance Station

Continuing to take snapshots after events for email notifications

Adjusted mechanisms:

Event snapshot

Thumbnails (e.g., thumbnails for IP cameras, detection results, timeline preview)

There was also a warning stating:

DS cam Android 3.10.0 or above, iOS 5.9.0 or above:

H.265 camera streams might not be able to play:

If any issues occur with live streaming or video playback, consider changing the camera’s video format to H.264 or using a mobile device that supports H.265 format.

Once the update was finished and I opened Surveillance Station I received this warning:

Some H.265 cameras’s motion detection has been reconfigured or disabled. In this update, Surveillance Station no longer supports H.265 cameras to configure motion detection using Surveillance Station ‘s algorithms. The motion detection setting is automatically switched to using camera’s built-in algorithm if available. Otherwise, the motion detection is disabled. The related functions (e.g., recording schedule, notification, alarm, and action rule) will also be affected.

Testing Surveillance Station in Chrome it is completely broken. There are no previews for my cameras, recordings can’t be played back, etc. This all worked before the update, although I normally use the client. https://imgur.com/a/47m5ukO

Using the Surveillance Station Client on my Mac, there are almost no changes. The camera previews work, hovering over the timeline in monitor center displays a preview, recordings can be played back, smart time-lapse recording in h265 works, etc. https://imgur.com/a/RBVM2ET

Under the camera settings, I can still set a recording schedule, the only thing that was removed is the option to use the Synology detection algorithm under Event Detection. Advanced Event (Smart Event) settings still work. https://imgur.com/a/TFoKvJk

In Monitor Center all previous events from before the update are missing (I can’t jump to the last motion event), but the files themselves are still there in recordings. https://imgur.com/a/PJHBVd3

The iOS app still works fine with no issues.

Ultimately the only change for me is that I now have to configure event detection by logging into each camera recording in h265, everything else is the same as before.

Cameras I tested with are Hikvision DS-2CD2385G1-I recording in h265+ and Reolink E1 Pros.

Source: My experience updating to Surveillance Station 9.2.1-11374

More details on that Windows Installer ‘make me admin’ hole

Posted on by

In this week’s Patch Tuesday Microsoft alerted users to, among other vulnerabilities, a flaw in Windows Installer that can be exploited by malware or a rogue user to gain SYSTEM-level privileges to hijack a PC.

The vulnerability, CVE-2024-38014, was spotted and privately disclosed by security shop SEC Consult, which has now shared the full details of how this attack works. The researcher has released an open source tool to scan a system for Installer files that can be abused to elevate local privileges.

Microsoft said the bug is already exploited, which may mean it acknowledges that SEC Consult’s exploit for the flaw works, or that bad people are abusing this in the wild, or both

[…]

SECC researcher Michael Baer found the exploitable weakness in January. Fixing it turned out to be a complex task and Microsoft asked for more time to address it with a patch, which it implemented this week. The original plan was to close the hole in May, but that slipped to this September for technical reasons. Now Baer has written a blog post explaining exactly how the attack works.

Essentially, a low privileged user opens an Installer package to repair some already-installed code on a vulnerable Windows system. The user does this by running an .msi file for a program, launching the Installer to handle it, and then selecting the option to repair the program (eg, like this). There is a brief opportunity to hijack that repair process, which runs with full SYSTEM rights, and gain those privileges, giving much more control over the PC.

When the repair process begins, a black command-line window opens up briefly to run a Windows program called certutil.exe. Quickly right clicking on the window’s top bar and selecting “Properties” will stop the program from disappearing and open a dialog box in which the user can click on a web link labeled “legacy console mode.” The OS will then prompt the user to open a browser to handle that link. Select Firefox, ideally, to handle that request.

Then in the browser, press Control-O to open a file, type cmd.exe in the top address bar of the dialog box, hit Enter, and bam – you’ve got a command prompt as SYSTEM. That’s because the Installer spawned the browser with those rights from that link.

[…]

Source: More details on that Windows Installer ‘make me admin’ hole • The Register

‘Windhawk’ Is Like an App Store for Windows Interface Mods

Posted on by

Ever wish Windows worked just a little bit differently? You’re not alone. Windhawk is a free and open source application offering dozens of community curated “mods” for Windows and Windows applications. It’s the simplest tool for customizing Windows that I’ve come across.

The application, which you can download for free, gives you a sort of app store for Windows mods. You can browse the mods online, too, if you’re curious. I found customizations that can do things you’d otherwise need dedicated software for—everything from replacing the Windows 11 start menu with an older version, to adding the labels back to taskbar icons. Basically, if you’ve got an itch to change something about how Windows works, there’s a good chance Windhawk can scratch it.

When you open Windhawk, you’ll be presented with the mod marketplace. From here you can browse and install mods in a couple of clicks.

The main interface for the app, which offers a few popular mods to start with. You can click "Explore Mods" to find more.
Credit: Justin Pot

You will be warned to think critically every time you go to install a mod. There will also be a link to the Github page for the mod creator, which means you look into the script if you’re worried. This caution is appreciated—you should always think critically before installing mods like this.

A pop-up explains to proceed with care before installing a mod, then provides links to the mod on Github along with the developer's homepage.
Credit: Justin Pot

After installing a mode you can configure it within the application—just check the “Settings” section for the mod. For example, if you’ve decided to change the look for the Windows taskbar, you can select which theme you want.

The settings screen for the Windows 11 Taskbar mode allows you to choose which taskbar you want. The user here picked Windows XP, and the taskbar is in fact bright green.
Credit: Justin Pot

Here are a few of my favorite mods I’ve found (so far) to get you started:

  • Taskbar height and icon size lets you slim down the chonky taskbar back to the height it was in the glory days of Windows 2000.
  • Windows 11 start menu styler lets you replace the cluttered start menu with something more streamlined, or with a start menu you remember from previous version of Windows.
  • Taskbar clock customization lets you changes what information does and doesn’t show up in the taskbar clock, formatting that however you like and even including headlines from an RSS feed if you want.
  • Taskbar volume control makes it easier to adjust the volume—put your mouse anywhere on the taskbar and scroll up and down. Simple.
  • Disable grouping on the taskbar means every window you have open has its own taskbar icon, even multiple windows in the same app.

I could spend all day talking about the different things this application can do, but the real fun comes from exploring and tweaking until everything works just the way you want it. My recommendation: dive in.

Source: ‘Windhawk’ Is Like an App Store for Windows Mods | Lifehacker

Google’s 2.4 billion euro shopping comparison fine upheld by Europe’s top court

Posted on by

Europe’s top court on Tuesday upheld a 2.4 billion euro ($2.65 billion) fine imposed on Google

for abusing its dominant position by favoring its own shopping comparison service.

[….]

The fine stems from an antitrust investigation by the European Commission, the executive arm of the European Union, which concluded in 2017.

The commission said at the time that Google had favored its own shopping comparison service over those of its rivals.

Google appealed the decision with the General Court, the EU’s second-highest court, which also upheld the fine. Google then brought the case before the European Court of Justice, the EU’s top court.

The ECJ on Tuesday dismissed the appeal and upheld the commission’s fine.

[…]

Source: Google’s 2.4 billion euro fine upheld by Europe’s top court

Apple Ordered to Pay $14 Billion in Back Taxes to EU

Posted on by

Apple will be required to pay $14 billion in back taxes to Ireland after Europe’s top court released a new ruling on Tuesday, according to a report from the Financial Times. Apple CEO Tim Cook has previously called the case “total political crap” but the judgment is final and Apple will not be able to appeal.

The European Commission’s executive vice president, Margrethe Vestager, first brought the case against Apple alleging that Ireland had given the tech company a deal that “constituted illegal State aid,” by waiving so much in taxes. Apple is now on the hook to pay those taxes, which have been sitting in an escrow account for the past six years, according to the Financial Times. Oddly enough, the original €14.3 billion set aside has fallen in value after first being set aside in 2018 because it was invested in European government bonds.

[…]

Source: Apple Ordered to Pay $14 Billion in Back Taxes

Ford wants to listen in on you in your car to serve you ads as much as possible

Posted on by

ford cars with human ears on their doors driving on a highway

Someday soon, if Ford has its way, drivers and passengers may be bombarded with infotainment ads tailored to their personal and vehicle data.

This sure-to-please-everyone idea comes via a patent application [PDF] filed by Ford Global Technologies late last month that proposes displaying ads to drivers based on their destination, route, who’s in the car, and various other data points able to be collected by modern vehicles.

According to the patent application, infotainment advertising could be varied depending on the situation and user feedback. In one example, Ford supposes showing a visual ad to passengers every 10 minutes while on the highway, and if someone responds positively to audio ads, the system could ramp up the frequency, playing audio ads every five minutes.

Of course, simply playing more ads might frustrate people, which Ford seems to understand because the pending patent notes it would have to account for “a user’s natural inclination to seek minimal or no ads.”

In order to assure advertisers that user preference is ultimately circumvented, Ford said its proposed infotainment system would be designed to “intelligently schedule variable durations of ads, with playing time seeking to maximize company revenue while minimizing the impact on user experience.”

The system would also be able to listen to conversations so it could serve ads during lulls in chatter, ostensibly to be less intrusive while being anything but.

Given the rush by some automakers to turning their vehicles into subscription-based cars-as-a-service, egged on by the chip world, we’re not surprised by efforts to wring more money out of motorists, this time with adverts. We assume patent filings similar to Ford’s have been made.

Trust us!

Then there’s the fact that automakers aren’t terrific on privacy and safeguarding the kinds of info that are used to tailor ads. In September last year, Mozilla published a report on the privacy policies of several automakers whose connected vehicles harvest information about owners, finding that 25 major manufacturers – Ford among them – failed to live up to the Firefox maker’s standards.

Just a couple of months later, a Washington state appeals court ruled it was perfectly legal for vehicles to harvest text and call data from connected smartphones and store it all in memory.

US senators have urged the FTC to investigate several car makers for allegedly selling customer data unlawfully, though we note Ford is not among the companies accused in that matter.

That said, the patent application makes no mention of how the automaker would protect user data used to serve in-vehicle ads. A couple of other potentially privacy-infringing Ford patents from the past year are worth mentioning, too.

The ideas within a patent application should not be viewed as an indication of our product plans

In 2023, Ford filed a patent application for an embedded vehicle system that would automate vehicle repossession if car payments weren’t made. Over the summer, another application describes a system where vehicles monitor each other’s speeds, and if one detects a nearby car speeding, it could snap photos using onboard cameras and send the images, along with speed data, directly to police or roadside monitors. Neither have privacy advocates thrilled.

Bear in mind neither of those patents may ever see the production, and this advertising one might not make it past the “let’s file this patent before the competition just in case” stage of life, either. That’s even what Ford essentially told us.

“Submitting patent applications is a normal part of any strong business as the process protects new ideas and helps us build a robust portfolio of intellectual property,” a Ford spokesperson told The Register. “The ideas described within a patent application should not be viewed as an indication of our business or product plans.”

Ford also said it always puts customers first in development of new products and services, though didn’t directly answer questions about a lack of privacy assurances in the patent application. In any case, it may not actually happen. Until it does.

Source: Who wants in-car ads tailored to your journey, passengers? • The Register

1.7M potentially pwned in US payment services provider breach, wishes victims good luck

Posted on by

Around 1.7 million people will receive a letter from Florida-based Slim CD, if they haven’t already, after the company detected an intrusion dating back nearly a year.

Slim CD provides payment processing solutions, thus credit card numbers along with their expiry dates are among the data types potentially compromised in the incident.

The cardholder’s name and address may also be affected, meaning potential for financial fraud should that data be sold, although Slim CD says it hasn’t detected any misuse of the data.

[…]

Among the questions we put to the company was why it took so long for the break-in to be detected, and whether it believed there were any failures in its ability to detect such incidents.

A postmortem carried out by the company and third-party experts revealed that the intrusion began on August 17, 2023, but was only discovered “on or about” June 15 this year.

[…]

There was no apology in the letter [PDF] sent to the 1.693 million potentially affected customers, who were instead encouraged to order a free credit report and remain vigilant against any malicious account activity.

Source: 1.7M potentially pwned by payment services provider breach • The Register

Avis alerts 300k US car renters that insider crooks stole their info

Posted on by

Avis Rent A Car System has alerted 299,006 customers across multiple US states that their personal information was stolen in an August data breach.

The digital break-in occurred between August 3 and August 6, according to the car rental giant in filings with the Maine and California attorneys general.

On August 14, Avis determined that sensitive info had been “obtained by the unauthorized third party,” although the sample breach notification letter redacted the specifics, so we can’t say for sure what personal details were stolen.

Avis also cites “insider wrongdoing” under the breach disclosure section in the Maine filing, but doesn’t provide additional details about what happened.

“Since the incident occurred, we have worked with cybersecurity experts to develop a plan to enhance security protections for the impacted business application,” the letter sent to affected consumers says [PDF].

“In addition, we have taken steps to deploy and implement additional safeguards onto our systems, and are actively reviewing our security monitoring and controls to enhance and fortify the same,” it continues.

[…]

According to San Francisco-based law firm Schubert Jonckheer & Kolbe, this information may include customers’ names, addresses, dates of birth, driver’s license numbers, and financial information (including account numbers and credit or debit card numbers).

[…]

Source: Avis alerts 300k car renters that crooks stole their info • The Register

Resistance to Hungarian presidency’s new push for child sexual abuse prevention regulation – because it’s a draconian spying law asking for 100% coverage of digital comms

Posted on by

Resistance to the Hungarian presidency’s approach to the EU’s draft law to combat online child sexual abuse material (CSAM) was still palpable during a member states’ meeting on Wednesday (4 September).

The Hungarian presidency of the Council of the EU aims to secure consensus on the proposed law to combat online child sexual abuse material (CSAM) by October, according to an EU diplomat and earlier reports by Politico.

Hungary has prepared a compromise note on the draft law, also reported by Contexte.

The note, presented at a meeting of ambassadors on Wednesday, seeks political guidance to make progress at the technical level, the EU diplomat told Euractiv.

With the voluntary regime expiring in mid-2026, most member states agree that urgent action is needed, the diplomat continued.

But some member states are still resistant to the Hungarian’s latest approach.

The draft law to detect and remove online child sexual abuse material (CSAM) was removed from the agenda of Thursday’s (20 June) meeting of the Committee of Permanent Representatives (COREPER), who were supposed to vote on it.

Sources close to the matter told Euractiv, that Poland and Germany remain opposed to the proposal, with smaller member states also voicing concerns, potentially forming a blocking minority.

Although France and the Netherlands initially supported the proposal, the Netherlands has since withdrawn its support, and Italy has indicated that the new proposal is moving in the right direction.

As a result, no agreement was reached to move forward.

Currently, an interim regulation allows companies to voluntarily detect and report online CSAM. Originally set to expire in 2024, this measure has been extended to 2026 to avoid a legislative gap, as the draft for a permanent law has yet to be agreed.

Hungary is expected to introduce a concrete textual proposal soon. The goal is to agree on its general approach by October, the EU diplomat said, a fully agreed position among member states which serves as the basis for negotiations with the European Parliament.

Meanwhile, the European Commission is preparing to send a detailed opinion to Hungary regarding the draft law, expected by 30 September, Contexte reported on Wednesday.

[…]

In the text, the presidency also suggested extending the temporary exemption from certain provisions of the ePrivacy Directive, which governs privacy and electronic communications, for new CSAM and grooming.

[…]

Source: Resistance lingers to Hungarian presidency’s new push for child sexual abuse prevention regulation – Euractiv

See also:

The EU Commission’s Alleged CSAM Regulation ‘Experts’ giving them free reign to spy on everyone: can’t be found. OK then.

EU delays decision over continuous spying on all your devices *cough* scanning encrypted messages for kiddie porn

Signal, MEPs urge EU Council to drop law that puts a spy on everyone’s devices

European human rights court says backdooring encrypted comms is against human rights

EU Commission’s nameless experts behind its “spy on all EU citizens” *cough* “child sexual abuse” law

EU Trys to Implement Client-Side Scanning, death to encryption By Personalised Targeting of EU Residents With Misleading Ads

 

Finaly people urge FTC to ban hardware tethering – downgrades, transferral costs, sudden bricking, unexpected subscriptions

Posted on by

Consumer and digital rights activists are calling on the US Federal Trade Commission to stop device-makers using software to reduce product functionality, bricking unloved kit, or adding surprise fees post-purchase.

In an eight-page letter [PDF] to the Commission (FTC), the activists mentioned the Google/Levis collaboration on a denim jacket that contained sensors enabling it to control an Android device through a special app. When the app was discontinued in 2023, the jacket lost that functionality. The letter also mentions the “Car Thing,” an automotive infotainment device created by Spotify, which bricked the device fewer than two years after launch and didn’t offer a refund.

Another example highlighted is the $1,695 Snoo connected bassinet, manufactured by an outfit named Happiest Baby. Kids outgrow bassinets, yet Happiest Baby this year notified customers that if they ever sold or gave away their bassinets, the device’s next owner would have to pay a new $19.99 monthly subscription fee to keep certain features. Activists argue that reduces the resale value of the devices.

Signatories to the letter include individuals from Consumer Reports, the Electronic Frontier Foundation, teardown artists iFixit, and the Software Freedom Conservancy. Environmental groups and computer repair shops also signed the letter.

The signatories urged the FTC to create “clear guidance” that would prevent device manufacturers from using software that locks out features and functions in products that are already owned by customers.

The practice of using software to block features and functions is referred to by the signatories as “software tethering.”

“Consumers need a clear standard for what to expect when purchasing a connected device,” stated Justin Brookman, director of technology policy at Consumer Reports and a former policy director of the FTC’s Office of Technology, Research, and Investigation. “Too often, consumers are left with devices that stop functioning because companies decide to end support without little to no warning. This leaves people stranded with devices they once relied on, unable to access features or updates.”

“Consumers increasingly face a death by a thousand cuts as connected products they purchase lose their software support or advertised features that may have prompted the original purchase,” the letter states. “They may see the device turned into a brick or their favorite features locked behind a subscription. Such software tethers also prevent consumers from reselling their purchases, as some software features may not transfer, or manufacturers may shut down devices, causing a second-hand buyer harm.”

[…]

Source: Activists urge FTC to ban hardware downgrades • The Register

More recent examples are Anova suddenly charging for a subscription, Peloton suddenly asking for an extra fee for resold units. In the past the field is long and littered, with video games being orphaned being pretty huge, but many many gadget makers (Logitech is really good at this) abandoning products and bricking them.

AI helps find simple charging trick to boost li-ion battery lifespan

Posted on by

A simple change in how new lithium-ion batteries are charged can boost their total lifespans by 50 per cent on average – and battery manufacturers everywhere can immediately put the discovery into action. Extended battery lifespans could prove especially crucial for improving electric vehicles and energy storage for electricity grids.

“The cool thing is that we didn’t change any chemistry of the battery,” says William Chueh at Stanford University in California. “We just changed that last step in manufacturing to form the battery a little differently.”

Factories usually charge new batteries for the first time using low electric currents over many hours. But Chueh and his colleagues found that charging a new battery using high currents can significantly increase the number of times it can be recharged.

They used AI machine learning to identify the most important factors impacting battery performance during the first charge, and charging current was one of the most crucial. The researchers confirmed this result by constructing and experimenting on 186 batteries, and those first charged using a high current had a 50 per cent longer lifespan on average. For example, using this method, an electric car battery could go from lasting just 1500 recharge cycles to more than 2200 cycles.

Their finding subverts conventional wisdom because charging at a high current instead of a low one inactivates more lithium ions in a new battery – and the supply of lithium ions flowing back and forth between negative and positive electrodes determines how much charge the battery can hold. But the initial loss of lithium ions creates extra space in the positive electrode that enables the battery to cycle more efficiently when charging and draining, says team member Xiao Cui, also at Stanford University.

During the initial charging process, the inactivated lithium ions also become part of a protective layer on the negative electrode that can slow down battery degradation.

Source: AI helps find simple charging trick to boost battery lifespan | New Scientist

WaveCore beams gigabit network bridge link through concrete wall

Posted on by

Airvine Scientific has a product that could make life easier for IT staff. WaveCore is designed to beam a network signal through thick concrete walls, eliminating the need to drill holes or route your cabling via a circuitous course.

The Silicon Valley wireless company says its newly introduced kit is quick to deploy and can penetrate thick concrete walls and floors in commercial real estate structures.

Drilling a hole for a cabling might mean time-consuming and costly inspections to get permits, and having to to go around it might mean routing cables via the nearest elevator or riser shaft, it says.

WaveCore is basically a pair of devices that form a point-to-point Ethernet bridge using a wireless signal capable of penetrating up to 12 inches (30 cm) of concrete and brick at multi-gigabit data rates. An Ethernet bridge is simply a way of linking separate network segments, in this case through a thick wall that would otherwise pose an obstacle.

wc airvine

Concrete walls are an average thickness of 8 inches (20 cm) or more in commercial real estate buildings around the world, the firm says. These types of walls may form the building’s outer perimeter, serve as interior load bearing walls or create protection for spaces such as fire control or network server rooms.

Airvine claims that tests with select customers earlier this year delivered results such as a 3 Gbps connection through 8 inches of concrete in the middle of a 54-foot (16 meter) link, and a 4 Gbps connection through a 12 inch (30 cm) concrete wall in a garage that was in the middle of a 6-foot (1.8 meter) link.

In a blog post discussing WaveCore, VP of Marketing Dave Sumi explains how it had been developed off the back of an existing product, WaveTunnel, which operates as an indoor wireless backbone in factories, warehouses, conference centers and similar large sites.

This can penetrate most interior walls and bend around corners, but the company says the one obstacle that it just couldn’t avoid and get around is thick concrete walls.

[…]

Source: WaveCore beams gigabit network link through 1ft-thick wall

Second Circuit Says Libraries Disincentivize Authors To Write Books By Lending Them For Free

Posted on by

What would you think if an author told you they would have written a book, but they wouldn’t bother because it would be available to be borrowed for free from a library? You’d probably think they were delusional. Yet that argument has now carried the day in putting a knife into the back of the extremely useful Open Library from the Internet Archive.

The Second Circuit has upheld the lower court ruling and found that the Internet Archive’s Open Library is not fair use and therefore infringes on the copyright of publishers (we had filed an amicus brief in support of the Archive asking them to remember the fundamental purpose of copyright law and the First Amendment, which the Court ignored).

Even though this outcome was always a strong possibility, the final ruling is just incredibly damaging, especially in that it suggests that all libraries are bad for authors and cause them to no longer want to write. I only wish I were joking. Towards the end of the ruling (as we’ll get to below) it says that while having freely lent out books may help the public in the “short-term” the “long-term” consequences would be that “there would be little motivation to produce new works.

[…]

As you’ll recall, the Open Library is no different than a regular library. It obtains books legally (either through purchase or donation) and then lends out one-to-one copies of those books. It’s just that it lends out digital copies of them. To keep it identical to a regular library, it makes sure that only one digital copy can be lent out for every physical copy it holds. Courts have already determined that digitizing physical books is fair use, and the Open Library has been tremendously helpful to all sorts of people.

The only ones truly annoyed by this are the publishers, who have always hated libraries and have long seen the shift to digital as an open excuse to effectively harm libraries. With licensed ebooks, the publishers have jacked up the prices so that (unlike with regular books), the library can’t just buy a single copy from any supplier and lend it out. Rather, publishers have made it prohibitively expensive to get ebook licenses, which come with ridiculous restrictions on how frequently books can be lent and more.

[…]

The key part of the case is whether or not the Internet Archive’s scanning and lending of books is fair use. The Second Circuit says that it fails the fair use four factors test. On the question of transformative use, the Internet Archive argued that because it was using technology to make lending of books more convenient and efficient, it was clearly transformative. Unfortunately, the court disagrees:

We conclude that IA’s use of the Works is not transformative. IA creates digital copies of the Works and distributes those copies to its users in full, for free. Its digital copies do not provide criticism, commentary, or information about the originals. Nor do they “add[] something new, with a further purpose or different character, altering the [originals] with new expression, meaning or message.” Campbell, 510 U.S. at 579. Instead, IA’s digital books serve the same exact purpose as the originals: making authors’ works available to read. IA’s Free Digital Library is meant to―and does―substitute for the original Works

The panel is not convinced by the massive change in making physical books digitally lendable:

True, there is some “change” involved in the conversion of print books to digital copies. See Infinity Broadcast Corp. v. Kirkwood, 150 F.3d 104, 108 n.2 (2d Cir. 1998) (“[A] change in format . . . is not technically a transformation.”). But the degree of change does not “go beyond that required to qualify as derivative.” Warhol II, 598 U.S. at 529. Unlike transformative works, derivative works “ordinarily are those that re-present the protected aspects of the original work, i.e., its expressive content, converted into an altered form.” Google Books, 804 F.3d at 225. To be transformative, a use must do “something more than repackage or republish the original copyrighted work.” Authors Guild, Inc. v. HathiTrust, 755 F.3d 87, 96 (2d Cir. 2014); see also TVEyes, 883 F.3d at 177 (“[A] use of copyrighted material that merely repackages or republishes the original is unlikely to be deemed a fair use.” (internal quotation marks omitted)). Changing the medium of a work is a derivative use rather than a transformative one.

But, that’s not what a derivative work is? A derivative work is not scanning a book. Scanning a book is making a copy. A derivative work is something like making a movie out of a book. So, this analysis is just fundamentally wrong in saying that this is a derivative work, and thus the rest of the analysis is kinda wonky based on that error.

Tragically, the Court then undermines the important ruling in the Betamax/VCR case that found “time shifting” (recording stuff off your TV) to be fair use, even as it absolutely was repackaging the same content for the same purpose. The Court says that doesn’t matter because it “predated our use of the word ‘transformative’ as a term of art.” But that doesn’t wipe out the case as a binding precedent, even though the Court here acts as though it does.

Sony was decided long before modern technology made it possible for one to view virtually any content at any time. Put in context, the “time-shifting” permitted by the defendant’s tape recorders in Sony was a unique efficiency not widely available at the time, and certainly not offered by the plaintiff-television producer.

So because content is more widely available, this kind of shifting is no longer fair use? How does that make any sense at all?

Then the Court says (incorrectly — as we’ll explain shortly) that there’s really nothing new or different about what the Open Library does:

Here, by contrast, IA’s Free Digital Library offers few efficiencies beyond those already offered by Publishers’ own eBooks.

The problem, though, is that this isn’t quite true. Getting licensed ebooks out from libraries is a difficult and cumbersome practice and requires each library to have a vast ebook collection that none can possibly afford. As this lawsuit went down, more and more authors came out of the woodwork, explaining how research they had done for their books was only possible because of the Open Library and would have been impossible via a traditional library given the lending restrictions and availability restrictions.

[…]

From there, the Court explores whether or not the Internet Archive’s use here was commercial. The lower court said it was because, ridiculously, the Internet Archive had donation links on library pages. Thankfully, the panel here sees how problematic that would be for every non-profit:

We likewise reject the proposition that IA’s solicitation of donations renders its use of the Works commercial. IA does not solicit donations specifically in connection with its digital book lending services―nearly every page on IA’s website contains a link to “Donate” to IA. App’x 6091. Thus, as with its partnership with BWB, any link between the funds IA receives from donations and its use of the Works is too attenuated to render the use commercial. Swatch, 756 F.3d at 83. To hold otherwise would greatly restrain the ability of nonprofits to seek donations while making fair use of copyrighted works. See ASTM I, 896 F.3d at 449 (rejecting the argument that because free distribution of copyrighted industry standards enhanced a nonprofit organization’s fundraising appeal, the use was commercial).

It also disagrees that this use is commercial because there’s a referral link for people to go and buy a copy of the book, saying that’s “too attenuated”:

Any link between the funds IA receives from its partnership with BWB and its use of the Works is too attenuated for us to characterize the use as commercial on that basis

Even so, the lack of commerciality isn’t enough to protect the project on the first factor analysis, and it goes to the publishers.

[…]

Source: Second Circuit Says Libraries Disincentivize Authors To Write Books By Lending Them For Free | Techdirt

There is a lot more, but it’s safe to say that the courts in the US and copyright laws have run amok and are only feeding the rich to the detriment of the poor. Denying people libraries is a step beyond.

Internet Archive loses appeal – 4 greedy publishers shut down major library in insane luddite US law system

Posted on by

The Internet Archive’s appeal could spell further trouble for the non-profit, as it is in the middle of a another copyright lawsuit with music publishers that could cost more than $400m if it loses.

The Internet Archive has been dealt a serious blow in court, as it lost an appeal case to share scanned books without the approval of publishers.

The loss could lead to serious repercussions for the non-profit, as hundreds of thousands of digital books have been removed from its library. The Internet Archive is also in the middle of another copyright lawsuit from multiple music labels for digitising vintage records.

What is the Internet Archive?

Based in San Francisco, the Internet Archive is one of the world’s most well-known libraries for scanned copies of millions of physical books that it lends to people all over the globe for free.

The non-profit organisation claims its mission is to provide “universal access to all knowledge” and has been archiving digital content for years such as books, movies, music, software and more.

The archive claims to have more than 20m freely downloadable books and texts, along with a collection of 2.3m modern e-books that can be borrowed – similar to a library. But while supporters say the Internet Archive is a valuable source of easily accessible information, its critics claim it breaches copyright laws.

What caused the major publisher lawsuit?

The Internet Archive let users access its vast digital library for years before the lawsuit began, but a decision during the Covid-19 pandemic prompted the legal response.

Previously, only a limited number of individuals were allowed to borrow a digital book from the non-profit’s Open Library service, a principle that the archive referred to as controlled digital lending.

But this rule was relaxed during the pandemic and led to the creation of the archive’s National Emergency Library, which meant an unlimited number of people could access the same e-books. After this decision, the major publishers launched their lawsuit and the archive went back to its controlled lending practices.

The four publishers – Hachette, Penguin Random House, Wiley, and HarperCollins – said the Internet Archive was conducting copyright infringement through its practices. But the lawsuit went after both library services and had a major impact – in June 2024, the Internet Archive said more than 500,000 books had been removed from its library as a result of the lawsuit.

The non-profit’s founder Brewster Kahle previously said libraries are “under attack at an unprecedented scale”, with a mix of book bans, defunding and “overzealous lawsuits like the one brought against our library”.

From a loss to an appeal

Unfortunately for the digital library, a judge sided in favour of the publishers on 24 March 2023, agreeing with their claims that the Internet Archive’s practices constitutes “wilful digital piracy on an industrial scale” that hurts both writers and publishers.

The archive appealed this decision later that year, but the appeals court determined that it is not “fair use” for a non-profit to scan copyright-protected print books in their entirety and distribute those digital copies online. The appeals court also said there is not enough of a change from a printed copy to a digital one to constitute fair use.

“We conclude that IA’s use of the works is not transformative,” the appeals court said. “IA creates digital copies of the works and distributes those copies to its users in full, for free. Its digital copies do not provide criticism, commentary, or information about the originals.”

The appeals court did disagree with the previous court’s verdict that the Internet Archive’s use of these copyrighted materials is “commercial in nature” and said it is “undisputed that IA is a nonprofit entity and that it distributes its digital books for free”.

What does this mean for the Internet Archive?

The archive’s director of library services Chris Freeland said the non-profit is “disappointed” in the decision by the appeals court and that it is “reviewing the court’s opinion and will continue to defend the rights of libraries to own, lend and preserve books”.

Freeland also shared a link to readers where they can sign an open letter asking publishers to restore access to the 500,000 books removed from the archive’s library.

The loss also presents a bad precedent for the archive’s Great 78 Project, which is focused on the discovery and preservation of 78rpm records. The Internet Archive has been working to digitise millions of these recordings to preserve them, adding that the disks they were recorded onto are made of brittle material and can be easily broken.

“We aim to bring to light the decisions by music collectors over the decades and a digital reference collection of underrepresented artists and genres,” the Internet Archive says on the project page.

“The digitisation will make this less commonly available music accessible to researchers in a format where it can be manipulated and studied without harming the physical artefacts.”

But multiple music labels are suing the Internet Archive for this project and claims it has “wilfully reproduced” thousands of protected sound recordings without copyright authorisation. The music labels are seeking damages of up to $150,000 for each protected sound recording infringed in the lawsuit, which could lead to payments of more than $412m if the court rules against the Internet Archive.

Source: What you need to know about the Internet Archive’s appeal loss

EU, UK, US and more sign world’s first International treaty on AI – but the US makes sure it’s pretty much useless

Posted on by

The EU, UK, US, and Israel signed the world’s first treaty protection human rights in AI technology in a ceremony in Vilnius, Lithuania, on Thursday (5 September), but civil society groups say the text has been watered down.

The Framework Convention on artificial intelligence and human rights, democracy, and the rule of law was adopted in May by the Council of Europe, the bloc’s human rights body.

But after years of negotiations, and pressure from countries like the US who participated in the process, the private sector is largely excluded from the Treaty, leaving mostly the public sector and its contractors under its scope.

The request was “presented as a pre-condition for their signature of the Convention,” said Francesca Fanucci, Senior Legal Advisor at ECNL and representing the Conference of INGOs (CINGO), citing earlier reporting by Euractiv.

Andorra, Georgia, Iceland, Moldova, Norway, and San Marino also signed the treaty.

The treaty has been written so that it does not conflict with the AI Act, the EU’s landmark regulation on the technology, so its signature and ratification is not significant for EU member states, Fanucci said.

“It will not be significant for the other non-EU State Parties either, because its language was relentlessly watered down and turned into broad principles rather than prescriptive rights and obligations, with numerous loopholes and blanket exemptions,” she added.

“Given the vague language and the loopholes of the Convention, it is then also up to states to prove that they mean what they sign – by implementing it in a meaningful and ambitious way,” said Angela Müller, who heads AlgorithmWatch’s policy and advocacy group as executive director.

Ensuring that binding international mechanisms “don’t carve out national security interests” is the next important step, Siméon Campeos, founder and CEO of SaferAI, told Euractiv.

Carve-outs for national security interests were also discussed in the negotiations.

The signatories are also to discuss and agree on a non-binding methodology on how to conduct impact assessment of AI systems on human rights, the rule of law and democracy, which EU states will likely not participate in given they are implementing the AI Act, said Fanucci.

[….]

Source: EU, UK, US, Israel sign world’s first AI Treaty – Euractiv

YubiKeys are vulnerable to unpatchable cloning attacks thanks to newly discovered physical side channel

Posted on by

The YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-size device vulnerable to cloning when an attacker gains temporary physical access to it, researchers said Tuesday.

The cryptographic flaw, known as a side channel, resides in a small microcontroller used in a large number of other authentication devices, including smartcards used in banking, electronic passports, and the accessing of secure areas. While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices using the microcontroller, such as the SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability.

Patching not possible

YubiKey-maker Yubico issued an advisory in coordination with a detailed disclosure report from NinjaLab, the security firm that reverse-engineered the YubiKey 5 series and devised the cloning attack. All YubiKeys running firmware prior to version 5.7—which was released in May and replaces the Infineon cryptolibrary with a custom one—are vulnerable. Updating key firmware on the YubiKey isn’t possible. That leaves all affected YubiKeys permanently vulnerable.

[…]

In this case, the side channel is the amount of time taken during a mathematical calculation known as a modular inversion. The Infineon cryptolibrary failed to implement a common side-channel defense known as constant time as it performs modular inversion operations involving the Elliptic Curve Digital Signature Algorithm. Constant time ensures the time sensitive cryptographic operations execute is uniform rather than variable depending on the specific keys.

More precisely, the side channel is located in the Infineon implementation of the Extended Euclidean Algorithm, a method for, among other things, computing the modular inverse. By using an oscilloscope to measure the electromagnetic radiation while the token is authenticating itself, the researchers can detect tiny execution time differences that reveal a token’s ephemeral ECDSA key, also known as a nonce. Further analysis allows the researchers to extract the secret ECDSA key that underpins the entire security of the token.

[…]

The attacks require about $11,000 worth of equipment and a sophisticated understanding of electrical and cryptographic engineering. The difficulty of the attack means it would likely be carried out only by nation-states or other entities with comparable resources and then only in highly targeted scenarios.

[…]

A key question that remains unanswered at the moment is what other security devices rely on the three vulnerable Infineon secure modules and use the Infineon cryptolibrary? Infineon has yet to issue an advisory and didn’t respond to an email asking for one. At the moment, there is no known CVE for tracking the vulnerability.

Source: YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel | Ars Technica

Balloon-Based Sensor That Pinpoints Location Of Drone Operators Emerges In Ukraine

Posted on by

Ukraine has developed a balloon-carried electronic surveillance system designed to detect enemy drone operators, which can then be targeted, offering a more comprehensive solution than tackling individual drones. While the current status of the system, known as Aero Azimuth, is unclear, its unveiling points to a resurgence in interest in elevated sensors mounted on aerostats.

[…]

While the Azimuth system already existed in ground-based form, this seems to the the first airborne application, which makes use of an aerostat from another Ukrainian company, Aerobavovna. Also included in the Aero Azmiuth system are a trailer with a winch for launching and recovering the balloon, a gas cylinder system to inflate the envelope, plus tools for repair and maintenance.

The basic Azimuth uses passive signals intelligence (SIGINT) equipment to detect and then locate the radio-frequency signals emitted by enemy (Russian) drone operators. These signals include communication channels, telemetry, and data exchange. The information gathered by Azimuth is then related to troops, who can directly target the drone operators in question.

[…]

By elevating the Azimuth system on an aerostat, that detection range can reportedly be extended to 37 miles, while the same targets can be triangulated at a distance of 15-19 miles, according to Kvertus spokespeople. These figures are when the balloon is operating at “average flight altitude,” with the optimum altitude meanwhile reported as being around 1,000-2,300 feet.

[…]

Source: Balloon-Based Sensor That Pinpoints Location Of Drone Operators Emerges In Ukraine

China’s Connected Car Crashes Are a Warning

Posted on by

[…] What happens when connected cars become disconnected cars? […]

The phenomenon was chronicled in Rest of World, which spoke to multiple owners of EVs produced by financially troubled Chinese automakers. China kickstarted its EV industry with aggressive subsidies that lured dozens, if not hundreds of companies to produce cars. When those subsidies ceased, an automotive extinction event unfolded, with a reported 20-plus brands calling it quits

[…]

The largest Chinese automaker to fail yet has been WM Motor, which reportedly sold around 100,000 cars between 2019 and 2022. It filed for bankruptcy in October 2023, and in doing so ceased offering software support for customers’ cars. With company servers offline, widespread failures were reported, affecting cars’ stereos, charging status indicators, odometers, and app-controlled remote functions such as air conditioning and locking.

Though WM Motor is said to have brought servers back online so that these vehicles can fully function again, it doesn’t seem to have delivered any software updates since its bankruptcy filing almost a year ago. Its app also remains unavailable on smartphone app stores, locking potential buyers of used WM Motors vehicles out of some features. It seemingly hasn’t flown afoul of China’s consumer protection laws, which mandate 10 years of parts and service support—but apparently not software. As many as 160,000 Chinese car owners are estimated to be in a similar boat, as an increasing number of automakers encounter financial trouble.

[…]

Source: China’s Connected Car Collapse Is a Warning for the American /Market

And what happens when a manufacturer just calls your car End of Life?