A(I) deal at any cost: Will the EU buckle to Big Tech?

Would you trust Elon Musk with your mortgage? Or Big Tech with your benefits?

Us neither.

That’s what’s at stake as the EU’s Artificial Intelligence Act reaches the final stage of negotiations. For all its big talk, it seems like the EU is buckling to Big Tech.

EU lawmakers have been tasked with developing the world’s first comprehensive law to regulate AI products. Now that AI systems are already being used in public life, lawmakers are rushing to catch up.

[…]

The principle of precaution urges us to exercise care and responsibility in the face of potential risks. It is crucial not only to foster innovation but also to prevent the unchecked expansion of AI from jeopardising justice and fundamental rights.

At the Left in the European Parliament, we called for this principle to be applied to the AI Act. Unfortunately, other political groups disagreed, prioritising the interests of Big Tech over those of the people. They settled on a three-tiered approach to risk whereby products are categorised into those that do not pose a significant risk, those that are high risk and those that are banned.

However, this approach contains a major loophole that risks undermining the entire legislation.

Like asking a tobacco company whether smoking is risky

When it was first proposed, the Commission outlined a list of ‘high-risk uses’ of AI, including AI systems used to select students, assess consumers’ creditworthiness, evaluate job-seekers, and determine who can access welfare benefits.

Using AI in these assessments has significant real-life consequences. It can mean the difference between being accepted or rejected to university, being able to take out a loan or even being able to access welfare to pay bills, rent or put food on the table.

Under the three-tiered approach, AI developers are allowed to decide themselves whether their product is high-risk. The self-assessment loophole means the developers themselves get to determine whether their systems are high risk, akin to a tobacco company deciding cigarettes are safe for our health, or a fossil fuel company saying its fumes don’t harm the environment.

[…]

Experience shows us that when corporations have this kind of freedom, they prioritise their profits over the interests of people and the planet. If the development of AI is to be accountable and transparent, negotiators must eliminate provisions on self-assessment.

AI gives us the opportunity to change our lives for the better. But as long as we let big corporations make the rules, we will continue to replicate inequalities that are already ravaging our societies.

Source: A(I) deal at any cost: Will the EU buckle to Big Tech? – EURACTIV.com

OK, so this seems to be a little breathless – surely we can put in a mechanism for EU checking of risk level when notified of a potential breach, including harsh penalties for misclassifying an AI?

However, the discussions around the EU AI Act – which had the potential to be one of the first and best pieces of regulation on the planet – have now descended into farce since ChatGPT and some strange idea that the original act did not have any provisions for General Purpose / Foundational AI models (it did – they were high risk models). The silly induced discussions this has provoked have only served to delay the AI act coming into force for over a year – something that big businesses are very very happy to see.

23andMe hackers accessed DNA information on millions of customers using a feature that matches relatives

An SEC filing has revealed more details on a data breach affecting 23andMe users that was disclosed earlier this fall. The company says its investigation found hackers were able to access the accounts of roughly 0.1 percent of its userbase, or about 14,000 of its 14 million total customers, TechCrunch notes. On top of that, the attackers were able to exploit 23andMe’s opt-in DNA Relatives (DNAR) feature, which matches users with their genetic relatives, to access information about millions of other users. A 23andMe spokesperson told Engadget that hackers accessed the DNAR profiles of roughly 5.5 million customers this way, plus Family Tree profile information from 1.4 million DNA Relative participants.

DNAR Profiles contain sensitive details including self-reported information like display names and locations, as well as shared DNA percentages for DNA Relatives matches, family names, predicted relationships and ancestry reports. Family Tree profiles contain display names and relationship labels, plus other information that a user may choose to add, including birth year and location. When the breach was first revealed in October, the company said its investigation “found that no genetic testing results have been leaked.”

According to the new filing, the data “generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.” All of this was obtained through a credential-stuffing attack, in which hackers used login information from other, previously compromised websites to access those users’ accounts on other sites. In doing this, the filing says, “the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online.”

[…]

Source: 23andMe hackers accessed ancestry information on millions of customers using a feature that matches relatives

The disturbing part of this is that the people who were hacked were idiots anyway for re-using their password and probably didn’t realise that they were giving away DNA information about not only themselves, but their whole family to 23andMe, who sold it on. Genetic information is the most personal type of information you have. You cannot change it. And if you give it to someone, you also give away your family. Now it wasn’t just given away, it was stolen too.

Electric Vehicles Are 79% Less Reliable Than Conventional Cars

Electric vehicle owners continue to report far more problems with their vehicles than owners of conventional cars or hybrids, according to Consumer Reports’ newly released annual car reliability survey. The survey reveals that, on average, EVs from the past three model years had 79 percent more problems than conventional cars. Based on owner responses on more than 330,000 vehicles, the survey covers 20 potential problem areas, including engine, transmission, electric motors, leaks, and infotainment systems.

“Most electric cars today are being manufactured by either legacy automakers that are new to EV technology, or by companies like Rivian that are new to making cars,” says Jake Fisher, senior director of auto testing at Consumer Reports. “It’s not surprising that they’re having growing pains and need some time to work out the bugs.” Fisher says some of the most common problems EV owners report are issues with electric drive motors, charging, and EV batteries.

Source: Electric Vehicles Are Less Reliable Than Conventional Cars – Consumer Reports

Plants may be absorbing 20% more CO2 than we thought, new models find

[…]

Using realistic ecological modeling, scientists led by Western Sydney University’s Jürgen Knauer found that the globe’s vegetation could actually be taking on about 20% more of the CO2 humans have pumped into the atmosphere and will continue to do so through to the end of the century.

“What we found is that a well-established climate model that is used to feed into global climate assessments by the likes of the IPCC (Intergovernmental Panel on Climate Change) predicts stronger and sustained carbon uptake until the end of the 21st century when extended to account for the impact of some critical physiological processes that govern how plants conduct photosynthesis,” said Knauer.

[…]

Current models, the team adds, are not that complex so likely underestimate future CO2 uptake by vegetation.

[…]

Taking the well-established Community Atmosphere-Biosphere Land Exchange model (CABLE), the team accounted for three physiological factors […] the team found that the most complex version, which accounted for all three factors, predicted the most CO2 uptake, around 20% more than the simplest formula.

[…]

“Our understanding of key response processes of the carbon cycle, such as plant photosynthesis, have advanced dramatically in recent years,” said Ben Smith, professor and research director of Western Sydney University’s Hawkesbury Institute for the Environment. “It always takes a while for new knowledge to make it into the sophisticated models we rely on to inform climate and emissions policy. Our study demonstrates that by fully accounting for the latest science in these models can lead to materially different predictions.

[…]

And while it’s somewhat good news, the team says plants can’t be expected to do all the heavy lifting; the onus remains on governments to stick to emission reduction obligations. However, the modeling makes a strong case for the value of greening projects and their importance in comprehensive approaches to tackling global warming.

[…]

Source: Plants may be absorbing 20% more CO2 than we thought, new models find

HP’s CFO tells world: we are locking in customers for more profit

[…] Tech vendors – software, hardware, and cloud services – generally avoid terms that suggest they’re perhaps in some way pinning down customers in a strategic sales hold.

But as Marie Myers, chief financial officer at HP, was this week talking to the UBS Global Technology conference, in front of investors, the thrust of the message was geared toward the audience.

“We absolutely see when you move a customer from that pure transactional model … whether it’s Instant Ink, plus adding on that paper, we sort of see a 20 percent uplift on the value of that customer because you’re locking that person, committing to a longer-term relationship.”

Instant Ink is a subscription in which ink or toner cartridges are dispatched when needed, with customers paying for plans that start at $0.99 and run to $25.99 per month. As of May last year, HP had more than 11 million subscribers to the service. Since then it has banked double-digit percentage figures on the revenues front.

By pre-pandemic 2019, HP had grown weary of third-party cartridge makers stealing its supplies business. It pledged to charge more upfront for certain printer hardware (“rebalance the system profitability, capturing more profit upfront”).

HP also set in motion new subscriptions, and launched Smart Tank hardware filled with a pre-defined amount of ink/toner. These now account for 60 percent of total shipments.

Myers told the UBS Conference she was “really proud” that HP could “raise the range on our print margins” based on “bold moves and shifting models.”

[…]

An old industry factoid from 2003 was that HP ink cost seven times more than a bottle of 1985 Dom Perignon. HP isn’t alone in these sorts of comparisons – Epson was called out by Which? a couple years back.

[…]

Source: Vendor lock-in is a good thing? HP’s CFO thinks so

Months of Google Drive files disappearing randomly

Google Drive users are reporting files mysteriously disappearing from the service, with some netizens on the goliath’s support forums claiming six or more months of work have unceremoniously vanished.

The issue has been rumbling for a few days, with one user logging into Google Drive and finding things as they were in May 2023.

According to the poster, almost everything saved since then has gone, and attempts at recovery failed.

Others chimed in with similar experiences, and one claimed that six months of business data had gone AWOL.

There is little information regarding what has happened; some users reported that synchronization had simply stopped working, so the cloud storage was out of date. Others could get some of their information back by fiddling with cached files, although the limited advice on offer for the affected was to leave things well alone until engineers come up with a solution.

A message purporting to be from Google support also advised not to make changes to the root/data folder while engineers investigate the issue.

[…]

a reminder that just because files are being stored in the cloud, there is no guarantee that they are safe. European cloud hosting provider OVH suffered a disastrous fire in 2021 that left some customers scrambling for backups and disaster recovery plans.

[…]

Just because the files have been uploaded one day does not necessarily mean they will still be there – or recoverable – the next.

[…]

MatthewSt reports that he has a fix; obviously this is something worked out by a user rather than official advice, so caution is advised.

Source: The mystery of the disappearing Google Drive files • The Register

3 Vulns expose ownCloud admin passwords, sensitive data

ownCloud has disclosed three critical vulnerabilities, the most serious of which leads to sensitive data exposure and carries a maximum severity score.

The open source file-sharing software company said containerized deployments of ownCloud could expose admin passwords, mail server credentials, and license keys.

Tracked as CVE-2023-49103, the vulnerability carries a maximum severity rating of 10 on the CVSS v3 scale and affects the graphapi app versions 0.2.0 to 0.3.0.

The app relies on a third-party library that ships a URL which, when requested, reveals the PHP environment’s configuration details, giving an attacker access to sensitive data.

Not only could an intruder access admin passwords when deployed using containers, but the same PHP environment also exposes other potentially valuable configuration details, ownCloud said in its advisory, so even if the software isn’t running in a container, the recommended fixes should still be applied.

To fix the vulnerability, customers should delete the file at the following directory: owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php.

Customers are also advised to change their secrets in case they’ve been accessed. These include ownCloud admin passwords, mail server credentials, database credentials, and Object-Store/S3 access-keys.

In a library update, ownCloud said it disabled the phpinfo function in its Docker containers and “will apply various hardenings in future core releases to mitigate similar vulnerabilities.”

The second vulnerability carries another high severity score, a near-maximum rating of 9.8 for an authentication bypass flaw that allows attackers to access, modify, or delete any file without authentication.

Tracked as CVE-2023-49105, the conditions required for a successful exploit are that a target’s username is known to the attacker and that the target has no signing-key configured, which is the default setting in ownCloud.

Exploits work here because pre-signed URLs are accepted when no signing-key is configured for the owner of the files.

The affected core versions are 10.6.0 to 10.13.0 and to mitigate the issue, users are advised to deny the use of pre-signed URLs in scenarios where no signing-key is configured.
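The signing-key condition behind CVE-2023-49105 is easiest to see in a small model. This is an added example, not ownCloud’s code: per-owner HMAC keys, a signed path plus query string, and two verifiers, one that lets a missing key degrade to an empty key (an assumed failure mode constructed for the demo) and one that applies the advisory’s mitigation and denies pre-signed URLs whenever the owner has no key. All owners, paths and keys are constructed.

```python
"""Model of pre-signed URL verification keyed on a per-owner signing key (added example)."""
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed data: alice has a signing-key configured, bob has none (the ownCloud default
# described in the article).
SIGNING_KEYS: dict = {
    "alice": b"constructed-key-for-alice",
    "bob": None,
}


def _signing_input(path: str, params: dict) -> bytes:
    # The signature covers the path and every query parameter except the signature itself,
    # in sorted order so the issuer and the verifier build the same string.
    covered = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "signature")
    return f"{path}?{covered}".encode()


def compute_signature(key: bytes, path: str, params: dict) -> str:
    return hmac.new(key, _signing_input(path, params), hashlib.sha256).hexdigest()


def _build(path: str, params: dict) -> str:
    return path + "?" + "&".join(f"{k}={v}" for k, v in params.items())


def presign_url(owner: str, path: str, expires: int) -> str:
    """Issue a pre-signed URL for a file owned by `owner`; refuses if no key is configured."""
    key = SIGNING_KEYS.get(owner)
    if key is None:
        raise ValueError(f"no signing-key configured for {owner}")
    params = {"owner": owner, "expires": str(expires)}
    params["signature"] = compute_signature(key, path, params)
    return _build(path, params)


def keyless_url(owner: str, path: str, expires: int) -> str:
    """URL for an owner without a key, 'signed' with the empty fallback key. It exists only
    to show the difference between the two verifiers below."""
    params = {"owner": owner, "expires": str(expires)}
    params["signature"] = compute_signature(b"", path, params)
    return _build(path, params)


def _parse(url: str):
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return parts.path, params


def verify_vulnerable(url: str, now: int) -> bool:
    """Assumed flawed behaviour: an owner with no signing-key is handled as if the key were
    empty, so a signature computed without any secret is accepted."""
    path, params = _parse(url)
    key = SIGNING_KEYS.get(params.get("owner", "")) or b""  # silently degrades to b""
    if int(params.get("expires", "0")) < now:
        return False
    expected = compute_signature(key, path, params)
    return hmac.compare_digest(expected, params.get("signature", ""))


def verify_hardened(url: str, now: int) -> bool:
    """The advisory's mitigation: deny pre-signed URLs when the owner has no signing-key."""
    path, params = _parse(url)
    key = SIGNING_KEYS.get(params.get("owner", ""))
    if key is None:
        return False  # no key configured for this owner: pre-signed URLs are not accepted
    if int(params.get("expires", "0")) < now:
        return False
    expected = compute_signature(key, path, params)
    return hmac.compare_digest(expected, params.get("signature", ""))


if __name__ == "__main__":
    now = 1_700_000_000
    good = presign_url("alice", "/files/report.pdf", now + 3600)
    bad = keyless_url("bob", "/files/bob-private.pdf", now + 3600)
    print("alice: vulnerable", verify_vulnerable(good, now), "hardened", verify_hardened(good, now))
    print("bob:   vulnerable", verify_vulnerable(bad, now), "hardened", verify_hardened(bad, now))
```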

The final vulnerability was assigned a severity score of 9 by ownCloud, a “critical” categorization, but the National Vulnerability Database has reduced this to 8.7 – a less-severe “high” classification.

It’s a subdomain validation bypass issue that affects all versions of the oauth2 library up to and including 0.6.1 when “Allow Subdomains” is enabled.

“Within the oauth2 app, an attacker is able to pass in a specially crafted redirect-url which bypasses the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker,” read ownCloud’s advisory.
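The “Allow Subdomains” redirect-url check, as an added example and not the oauth2 app’s own code: the advisory does not describe the crafted URL, so this is a validator that closes the usual gaps in such checks (bare suffix matching on the host, credentials in the authority, scheme or port changes, path escapes), shown next to a naive suffix match for contrast. The registered callback URL and the hosts are constructed.

```python
"""Hardened check for an OAuth2 redirect-url with 'Allow Subdomains' (added example)."""
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def _effective_port(u) -> Optional[int]:
    try:
        return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)
    except ValueError:  # malformed port such as ":abc"
        return None


def naive_suffix_allowed(candidate: str, registered: str) -> bool:
    """The kind of check this example argues against (constructed, not ownCloud's code):
    a bare suffix match on the authority part of the URL."""
    return urlsplit(candidate).netloc.endswith(urlsplit(registered).netloc)


def redirect_url_allowed(candidate: str, registered: str, allow_subdomains: bool) -> bool:
    """Accept `candidate` only if it is the registered callback, or (when allowed) the same
    callback on a genuine subdomain of the registered host."""
    reg, cand = urlsplit(registered), urlsplit(candidate)
    if cand.scheme != reg.scheme or reg.hostname is None or cand.hostname is None:
        return False
    # Credentials in the authority ("https://example.com@attacker.tld/") put the real host
    # behind an "@"; hostname already strips them, so refuse any userinfo outright.
    if cand.username is not None or cand.password is not None:
        return False
    if _effective_port(cand) is None or _effective_port(cand) != _effective_port(reg):
        return False
    reg_host, cand_host = reg.hostname.lower(), cand.hostname.lower()
    if cand_host != reg_host:
        # A subdomain is the registered host preceded by a dot: "evil-app.example.com" and
        # "app.example.com.attacker.tld" both fail this test.
        if not (allow_subdomains and cand_host.endswith("." + reg_host)):
            return False
    # Stay on the registered callback path: same path or a sub-path, and no ".." segments.
    if ".." in cand.path.split("/"):
        return False
    return cand.path == reg.path or cand.path.startswith(reg.path.rstrip("/") + "/")
```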

Source: Vulns expose ownCloud admin passwords, sensitive data • The Register

Roundcube Open-Source Webmail Software Merges With Nextcloud

The open-source Roundcube webmail software project has “merged” with Nextcloud, the prominent open-source personal cloud software.

In boosting Nextcloud’s webmail software capabilities, Roundcube is joining Nextcloud as what’s been described as a merger. In 2024 Nextcloud is to invest into Roundcube to accelerate the development of this widely-used webmail open-source software. Today’s press release says Roundcube will not replace Nextcloud Mail, with at least no plans for merging the two in the short term.

Today’s press release says that there are no immediate changes for Roundcube and Nextcloud users besides looking forward to improved integration and accelerated development beginning in the short term.


More details on today’s announcement via the Nextcloud blog.

Perhaps with this increased investment into Roundcube, some of the original plans laid out years ago with the crowdfunded Roundcube-Next will finally be realized. RoundCube-Next raised more than $100k in funding a number of years ago only to fail in delivering their revamped software.

Source: Roundcube Open-Source Webmail Software Merges With Nextcloud – Phoronix

Considering Roundcube is used by hundreds of millions of users and is basically programmed by just one guy, the $100k was absolute peanuts in terms of how much was raised, especially considering the ambition. Open Source hardliners take note: this shows exactly how unfair the system is – the guy who wrote this should have been a millionaire many times over. Instead, the companies profiting off his work for free have become worth millions, and so have their CEOs.

Windows users report appearance of unwanted HP app – shows you how secure automatic updating is (with no real information about what is in the updates)

Windows users are reporting that Hewlett Packard’s HP Smart application is appearing on their systems, despite them not having any of the manufacturer’s hardware attached.

While Microsoft has remained tight-lipped on what is happening, folks on various social media platforms noted the app’s appearance, which seems to afflict both Windows 10 and Windows 11.

The Windows Update mechanism is used to deploy third-party applications and drivers as well as Microsoft’s updates, and we’d bet someone somewhere has accidentally checked the wrong box.

[…]

WindowsLatest reported the issue occurring on both physical Windows 10 hardware and a Windows 11 virtual machine.

HP Smart is innocuous enough. It’s an application used in conjunction with HP’s printer hardware and can simply be uninstalled.

However, the question is how the application got installed in the first place on a machine with no HP hardware attached or on a network, according to affected users.

[…]

Source: Windows users report appearance of unwanted HP app • The Register

Web browser suspended because it can browse the web is back on Google Play after being taken down by incomplete DMCA

Google Play has reversed its latest ban on a web browser that keeps getting targeted by vague Digital Millennium Copyright Act (DMCA) notices. Downloader, an Android TV app that combines a browser with a file manager, was restored to Google Play last night.

Downloader, made by app developer Elias Saba, was suspended on Sunday after a DMCA notice submitted by copyright-enforcement firm MarkScan on behalf of Warner Bros. Discovery. It was the second time in six months that Downloader was suspended based on a complaint that the app’s web browser is capable of loading websites.

The first suspension in May lasted three weeks, but Google reversed the latest one much more quickly. As we wrote on Monday, the MarkScan DMCA notice didn’t even list any copyrighted works that Downloader supposedly infringed upon.

Instead of identifying specific copyrighted works, the MarkScan notice said only that Downloader infringed on “Properties of Warner Bros. Discovery Inc.” In the field where a DMCA complainant is supposed to provide an example of where someone can view an authorized example of the work, MarkScan simply entered the main Warner Bros. URL: https://www.warnerbros.com/.

DMCA notice was incomplete

Google has defended its DMCA-takedown process by saying that, under the law, it is obligated to remove any content when a takedown request contains the elements required by the copyright law. But in this case, Google Play removed Downloader even though the DMCA takedown request didn’t identify a copyrighted work—one of the elements required by the DMCA.

[…]

Downloader’s first suspension in May came after several Israeli TV companies complained that the app could be used to load a pirate website. In that case, an appeal that Saba filed with Google Play was quickly rejected. He also submitted a DMCA counter-notice, which gave the complainant 10 business days to file a legal action.

[…]

Saba still needed to republish the app to make it visible to users again. “I re-submitted the app last night in the Google Play Console, as instructed in the email, and it was approved and live a few hours later,” Saba told Ars today.

In a new blog post, Saba wrote that he expected the second suspension to last a few weeks, just like the first did. He speculated that it was reversed more quickly this time because the latest DMCA notice “provided no details as to how my app was infringing on copyrighted content, which, I believe, allowed Google to invalidate the takedown request.”

“Of course, I wish Google bothered to toss out the meritless DMCA takedown request when it was first submitted, as opposed to after taking ‘another look,’ but I understand that Google is probably flooded with invalid takedown requests because the DMCA is flawed,” Saba wrote. “I’m just glad Google stepped in when it did and I didn’t have to go through the entire DMCA counter notice process. The real blame for all of this goes to Warner Bros. Discovery and other corporations for funding companies like MarkScan which has issued DMCA takedowns in the tens of millions.”

Source: Web browser suspended because it can browse the web is back on Google Play | Ars Technica

DMCA is an absolute horror of a system that is an incredibly and unfixably broken “solution” to corporate greed

FBI Director Admits Agency Rarely Has Probable Cause When It Performs Backdoor Searches Of NSA Collections

After years of continuous, unrepentant abuse of surveillance powers, the FBI is facing the real possibility of seeing Section 702 curtailed, if not scuttled entirely.

Section 702 allows the NSA to gather foreign communications in bulk. The FBI benefits from this collection by being allowed to perform “backdoor” searches of NSA collections to obtain communications originating from US citizens and residents.

There are rules to follow, of course. But the FBI has shown little interest in adhering to these rules, just as much as the NSA has shown little interest in curtailing the amount of US persons’ communications “incidentally” collected by its dragnet.

[…]

Somehow, the FBI director managed to blurt out what everyone was already thinking: that the FBI needs this backdoor access because it almost never has the probable cause to support the search warrant normally needed to access the content of US persons’ communications.

“A warrant requirement would amount to a de facto ban, because query applications either would not meet the legal standard to win court approval; or because, when the standard could be met, it would be so only after the expenditure of scarce resources, the submission and review of a lengthy legal filing, and the passage of significant time — which, in the world of rapidly evolving threats, the government often does not have,” Wray said.

Holy shit. He just flat-out admitted it: a majority of FBI searches of US persons’ communications via Section 702 are unsupported by probable cause

[…]

Unfortunately, both the FBI and the current administration are united in their desire to keep this executive authority intact. Both Wray and the Biden administration call the warrant requirement a “red line.” So, even if the House decides it needs to go (for mostly political reasons) and/or Wyden’s reform bill lands on the President’s desk, odds are the FBI will get its wish: warrantless access to domestic communications for the foreseeable future.

Source: FBI Director Admits Agency Rarely Has Probable Cause When It Performs Backdoor Searches Of NSA Collections | Techdirt

Former GTA Developer’s Blog Removed After Rockstar Complains

Former Rockstar North developer Obbe Vermeij had been enjoying a few weeks of sharing some decades-old tales. Reminiscing on his many years with the GTA developer, Vermeij took to his personal blog to recall revealing inside stories behind games like San Andreas and Vice City, and everyone was having a good time. Until Rockstar North came along.

[…]

In the last few weeks, on his very old-school Blogger blog, Vermeij had been sharing some stories about the development processes behind the games, seemingly without any malice or ill-intent.

These included interesting insights into the original GTA and GTA 2, like how much the PC versions of the games had to be compromised so it would run on the PS1. “I remember one particular time when all of the textures for the PS version had been cut down to 16 colours,” Vermeij writes. “When the artists saw the results there was cursing. There was no choice though. Difficult choices had to be made to get the game to run on a PS.”

[…]

It seems the line was crossed for some at Rockstar after a couple of weeks of these lovely anecdotes and insights. On November 22, Vermeij removed most of the posts from the site, and added a new one explaining that after receiving an email from Rockstar North, “some of the OGs there are upset by my blog.”

I genuinely didn’t think anyone would mind me talking about 20 year old games but I was wrong. Something about ruining the Rockstar mystique or something.

Anyway,

This blog isn’t important enough to me to piss off my former colleagues in Edinburgh so I’m winding it down.

[…]

Of course, you know, nothing goes away on the internet. All the posts are a splendid, positive read.

[…]


Source: Former GTA Developer’s Blog Removed After Rockstar Complains

Copyright Bot Can’t Tell The Difference Between Star Trek Ship And Adult Film Actress

Given that the overwhelming majority of DMCA takedown notices are generated by copyright bots that are only moderately good at their job, at best, perhaps it’s not terribly surprising that these bots keep finding new and interesting ways to cause collateral damage unintentionally.

[…]

a Tumblr site called “Mapping La Sirena.” If you’re a fan of Star Trek: Picard, you will know that’s the name of the main starship in that series. But if you’re a copyright enforcer for a certain industry, the bots you’ve set up for yourself apparently aren’t programmed with Star Trek fandom.

Transparency.automattic reports Tumblr has received numerous DMCA takedown notices from DMCA Piracy Prevention Inc, a third-party copyright monitoring service used frequently by content creators to prevent infringement of their original work. And these complaints occurred all because of the name La Sirena which also happens to be the name of an adult content creator, La Sirena 69 who is one of Piracy Prevention’s customers.

In one copyright claim over 90 Tumblr posts were targeted by the monitoring service because of the keyword match to “la sirena.” But instead of Automattic being alerted to La Sirena 69’s potentially infringed content, the company reported many of mappinglasirena.tumblr.com’s original posts.

Pure collateral damage. While not intentional per se, this is obviously still a problem. One of two things has to be the case: either we stop allowing copyright enforcement to be farmed out to a bunch of dumb bots that suck at their jobs or we insist that the bots stop sucking, which ain’t going to happen anytime soon. What cannot be allowed to happen is to shrug this sort of thing off as an innocent accident and oh well, too bad, so sad for the impact on the speech rights of the innocent.

There was nothing that remotely infringed La Sirena 69’s content. Everything about the complaints and takedown notices was wrong.

[…]


Source: Copyright Bot Can’t Tell The Difference Between Star Trek Ship And Adult Film Actress | Techdirt

Limits for quantum computers: Perfect clocks are impossible, research finds

[…]

Every clock has two characteristics: a certain precision and a certain time resolution. The time resolution indicates how small the time intervals are that can be measured—i.e., how quickly the clock ticks. Precision tells you how much inaccuracy you have to expect with every single tick.

The research team was able to show that since no clock has an infinite amount of energy available (or generates an infinite amount of entropy), it can never have perfect resolution and perfect precision at the same time. This sets fundamental limits to the possibilities of quantum computers.

[…]

Marcus Huber and his team investigated in general which laws must always apply to every conceivable clock. “Time measurement always has to do with entropy,” explains Marcus Huber. In every closed physical system, entropy increases and it becomes more and more disordered. It is precisely this development that determines the direction of time: the future is where the entropy is higher, and the past is where the entropy is even lower.

As can be shown, every measurement of time is inevitably associated with an increase in entropy: a clock, for example, needs a battery, the energy of which is ultimately converted into frictional heat and audible ticking via the clock’s mechanics—a process in which the fairly ordered state of the battery is converted into a rather disordered state of heat radiation and sound.

On this basis, the research team was able to create a formula that basically every conceivable clock must obey. “For a given increase in entropy, there is a tradeoff between resolution and precision,” says Florian Meier, first author of the second paper, now posted to the arXiv preprint server. “That means: Either the clock works quickly or it works precisely—both are not possible at the same time.”

[…]

“Currently, the accuracy of quantum computers is still limited by other factors, for example, the precision of the components used or electromagnetic fields. But our calculations also show that today we are not far from the regime in which the fundamental limits of time measurement play the decisive role.”

[…]

More information: Florian Meier et al, Fundamental accuracy-resolution trade-off for timekeeping devices, arXiv (2023). DOI: 10.48550/arxiv.2301.05173

Source: Limits for quantum computers: Perfect clocks are impossible, research finds

How to bypass Windows Hello fingerprint login

Hardware security hackers have detailed how it’s possible to bypass Windows Hello’s fingerprint authentication and login as someone else – if you can steal or be left alone with their vulnerable device.

The research was carried out by Blackwing Intelligence, primarily Jesse D’Aguanno and Timo Teräs, and was commissioned and sponsored by Microsoft’s Offensive Research and Security Engineering group. The pair’s findings were presented at the IT giant’s BlueHat conference last month, and made public this week. You can watch the duo’s talk below, or dive into the details in their write-up here.

For users and administrators: be aware your laptop hardware may be physically insecure and allow fingerprint authentication to be bypassed if the equipment falls into the wrong hands. We’re not sure how that can be fixed without replacing the electronics or perhaps updating the drivers and/or firmware within the fingerprint sensors. One of the researchers told us: “It’s my understanding from Microsoft that the issues were addressed by the vendors.” So check for updates or errata. We’ve asked the manufacturers named below for comment, and we will keep you updated.

For device makers: check out the above report to make sure you’re not building these design flaws into your products. Oh, and answer our emails.

The research focuses on bypassing Windows Hello’s fingerprint authentication on three laptops: a Dell Inspiron 15, a Lenovo ThinkPad T14, and a Microsoft Surface Pro 8/X, which were using fingerprint sensors from Goodix, Synaptics, and ELAN, respectively. All three were vulnerable in different ways. As far as we can tell, this isn’t so much a problem with Windows Hello or using fingerprints. It’s more due to shortcomings or oversights with the communications between the software side and the hardware.

Windows Hello allows users to log into the OS using their fingerprint. This fingerprint is stored within the sensor chipset. What’s supposed to happen, simply put, is that when you want to set up your laptop to use your print, the OS generates an ID and passes that to the sensor chip. The chip reads the user’s fingerprint, and stores the print internally, associating it with the ID number. The OS then links that ID with your user account.

Then when you come to log in, the OS asks you to present your finger, the sensor reads it, and if it matches a known print, the chip sends the corresponding ID to the operating system, which then grants you access to the account connected to that ID number. The physical communication between the chip and OS involves cryptography to, ideally, secure this authentication method from attackers.

But blunders in implementing this system have left at least the above named devices vulnerable to unlocking – provided one can nab the gear long enough to connect some electronics.

“In all, this research took approximately three months and resulted in three 100 percent reliable bypasses of Windows Hello authentication,” Blackwing’s D’Aguanno and Teräs wrote on Tuesday.

Here’s a summary of the techniques used and described by the infosec pair:

    • Model: Dell Inspiron 15
    • Method: If someone can boot the laptop into Linux, they can use the sensor’s Linux driver to enumerate from the sensor chip the ID numbers associated with known fingerprints. That miscreant can then store in the chip their own fingerprint with an ID number identical to the ID number of the Windows user they want to log in as. The chip stores this new print-ID association in an internal database associated with Linux; it doesn’t overwrite the existing print-ID association in its internal database for Windows.

      The attacker then attaches a man-in-the-middle (MITM) device between the laptop and the sensor, and boots into Windows. The Microsoft OS sends some non-authenticated configuration data to the chip. Crucially, the MITM electronics rewrites that config data on the fly to tell the chip to use the Linux database, and not the Windows database, for fingerprints. Thus when the miscreant next touches their finger to the reader, the chip will recognize the print, return the ID number for that print from the Linux database, which is the same ID number associated with a Windows user, and Windows will log the attacker in as that user.

    • Model: Lenovo ThinkPad T14
    • Method: The attack used against the ThinkPad is similar to the one above. While the Dell machine uses Microsoft’s Secure Device Connection Protocol (SDCP) between the OS and the chip, the T14 uses TLS to secure the connection. This can be undermined so that, again using Linux, a fingerprint with an ID associated with a Windows user can be added, and once the machine is booted back into Windows, the attacker can log in as that user using the new fingerprint.
    • Model: Microsoft Surface Pro 8 / X Type Cover with Fingerprint ID
    • Method: This is the worst. There is no security between the chip and OS at all, so the sensor can be replaced with anything that can masquerade as the chip and simply send a message to Windows saying: Yup, log that user in. And it works. Thus an attacker can log in without even presenting a fingerprint.

Interestingly enough, D’Aguanno told us restarting the PC with Linux isn’t required for exploitation – a MITM device can do the necessary probing and enrollment of a fingerprint itself while the computer is still on – so preventing the booting of non-Windows operating systems, for instance, won’t be enough to stop a thief. The equipment can be hoodwinked while it’s still up and running.

“Booting to Linux isn’t actually required for any of our attacks,” D’Aguanno told us. “On the Dell (Goodix) and ThinkPad (Synaptics), we can simply disconnect the fingerprint sensor and plug into our own gear to attack the sensors. This can also be done while the machine is on since they’re embedded USB, so they can be hot plugged.”

In that scenario, “Bitlocker wouldn’t affect the attack,” he added.

As to what happens if the stolen machine is powered off completely, and has a BIOS password, full-disk encryption, or some other pre-boot authentication, exploitation isn’t as straightforward or perhaps even possible: you’d need to get the machine booted far enough into Windows for the Blackwing team’s fingerprint bypass to work. The described techniques may work against BIOSes that check for fingerprints to proceed with the startup sequence.

“If there’s a password required to boot the machine, and the machine is off, then that could stop this just by nature of the machine not booting to the point where fingerprint authentication is available,” D’Aguanno clarified to us.

“However, at least one of the implementations allows you to use fingerprint authentication for BIOS boot authentication, too. Our focus was on the impact to Windows Hello, though, so we did not investigate that further at this point, but that may be able to be exploited too.”

The duo also urged manufacturers to use SDCP, and to actually enable it, when connecting sensor chips to Windows: “It doesn’t help if it’s not turned on.”
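To make the difference between “no security between the chip and OS” and an authenticated sensor channel concrete, here is an added, simplified Python model of the enrollment and login exchange described above. It is constructed for this write-up and is not Windows, SDCP or Blackwing code: the pairing key, template IDs, the `config` bytes and the HMAC-over-nonce design are all assumptions standing in for whatever the real protocol does, and the unauthenticated path mirrors the Surface-style “just send the ID” flow.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample data (not taken from the research): one enrolled user.
PAIRING_KEY = b"constructed-pairing-key-shared-at-setup"  # assumption: set at pairing
ALICE_ID = 7
ALICE_PRINT = b"alice-fingerprint-template"


def _mac(key: bytes, nonce: bytes, config: bytes, template_id: int) -> bytes:
    """MAC over everything the OS must be sure about: its fresh challenge,
    the configuration it sent, and the ID the sensor claims to have matched."""
    msg = nonce + b"|" + config + b"|" + template_id.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class Sensor:
    """Genuine sensor chip: stores print templates keyed by the OS-assigned ID."""
    pairing_key: bytes
    templates: Dict[int, bytes] = field(default_factory=dict)

    def enroll(self, template_id: int, print_data: bytes) -> None:
        self.templates[template_id] = print_data

    def match(self, print_data: bytes) -> Optional[int]:
        for tid, stored in self.templates.items():
            if hmac.compare_digest(stored, print_data):
                return tid
        return None

    def reply_unauthenticated(self, print_data: bytes) -> Optional[int]:
        # Surface-style: a bare ID on the wire, nothing ties it to this chip.
        return self.match(print_data)

    def reply_authenticated(self, nonce: bytes, config: bytes,
                            print_data: bytes) -> Optional[Tuple[int, bytes]]:
        tid = self.match(print_data)
        if tid is None:
            return None
        return tid, _mac(self.pairing_key, nonce, config, tid)


class HostOS:
    """Host side: maps template IDs to accounts and checks sensor replies."""

    def __init__(self, pairing_key: bytes, accounts: Dict[int, str]) -> None:
        self.pairing_key = pairing_key
        self.accounts = accounts

    def login_unauthenticated(self, reply: Optional[int]) -> Optional[str]:
        # Trusts whatever ID arrives, whoever sent it.
        return self.accounts.get(reply) if reply is not None else None

    def login_authenticated(self, nonce: bytes, config_sent: bytes,
                            reply: Optional[Tuple[int, bytes]]) -> Optional[str]:
        if reply is None:
            return None
        tid, tag = reply
        expected = _mac(self.pairing_key, nonce, config_sent, tid)
        if not hmac.compare_digest(tag, expected):
            return None  # stand-in chip, wrong key, altered config or replay
        return self.accounts.get(tid)


def run_scenarios() -> Dict[str, Optional[str]]:
    """Run both designs against the failure modes the article describes."""
    sensor = Sensor(PAIRING_KEY)
    sensor.enroll(ALICE_ID, ALICE_PRINT)
    host = HostOS(PAIRING_KEY, {ALICE_ID: "alice"})
    config = b"use-db=windows"  # assumption: stands in for the unauthenticated config
    results: Dict[str, Optional[str]] = {}

    # 1. Unauthenticated channel: a genuine print logs Alice in...
    results["unauth_genuine"] = host.login_unauthenticated(
        sensor.reply_unauthenticated(ALICE_PRINT))
    # ...but so does anything that merely asserts Alice's ID.
    results["unauth_forged"] = host.login_unauthenticated(ALICE_ID)

    # 2. Authenticated channel: genuine print under a fresh nonce still works.
    nonce = os.urandom(16)
    results["auth_genuine"] = host.login_authenticated(
        nonce, config, sensor.reply_authenticated(nonce, config, ALICE_PRINT))
    # A stand-in chip without the pairing key cannot produce a valid tag.
    rogue = Sensor(b"wrong-key")
    rogue.enroll(ALICE_ID, b"other-print")
    results["auth_forged"] = host.login_authenticated(
        nonce, config, rogue.reply_authenticated(nonce, config, b"other-print"))
    # Config rewritten in transit: the genuine chip MACs what it received,
    # the host checks against what it sent, so the tags no longer agree.
    results["auth_altered_config"] = host.login_authenticated(
        nonce, config, sensor.reply_authenticated(nonce, b"use-db=linux", ALICE_PRINT))
    # A recorded genuine reply replayed under a new challenge also fails.
    old_reply = sensor.reply_authenticated(nonce, config, ALICE_PRINT)
    results["auth_replay"] = host.login_authenticated(os.urandom(16), config, old_reply)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} -> {outcome}")
```

The point the model makes is the one the researchers do: binding the challenge, the configuration and the matched ID under a key only the paired chip holds is what turns “the sensor said yes” into evidence, and that only helps when the channel is actually enabled.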

They also promised to provide more details about the vulnerabilities they exploited in all three targets in future, and were obviously circumspect in giving away too many details that could be used to crack kit.

Source: How to bypass Windows Hello, log into vulnerable laptops • The Register

Your Tastebuds Help Tell You When to Stop Eating, New Research Suggests

Our mouths might help keep our hunger in check. A recent study found evidence in mice that our brains rely on two separate pathways to regulate our sense of fullness and satiety—one originating from the gut and the other from cells in the mouth that let us perceive taste. The findings could help scientists better understand and develop anti-obesity drugs, the study authors say.

The experiment was conducted by researchers at the University of California San Francisco. They were hoping to definitively answer one of the most important and basic questions about our physiology: What actually makes us want to stop eating?

It’s long been known that the brainstem—the bottom part of the brain that controls many subconscious body functions—also helps govern fullness. The current theory is that neurons in the brainstem respond to signals from the stomach and gut as we’re eating a meal, which then trigger that feeling of having had enough. But scientists have only been able to indirectly study this process until now, according to lead author Zachary Knight, a UCSF professor of physiology in the Kavli Institute for Fundamental Neuroscience. His team was able to directly image and record the fullness-related neurons in the brainstem of alert mice right as they were chowing down.

“Our study is the first to observe these neurons while an animal eats,” Knight told Gizmodo in an email. “We found surprisingly that many of these cells respond to different signals and control feeding in different ways than was widely assumed.”

The team focused on two types of neurons in the brainstem thought to regulate fullness: prolactin-releasing hormone (PRLH) neurons and GCG neurons.

When they fed mice through the stomach alone, they found that PRLH neurons were activated by the gut, as expected by prior assumptions. But when the mice ate normally, these gut signals disappeared; instead, the PRLH neurons were almost instantly activated by signals from the mouth, largely from the parts responsible for taste perception. Minutes later, the GCG neurons were activated by gut signals.

The team’s findings, published Wednesday in Nature, indicate that there are two parallel tracks of satiety in the brainstem, ones that operate at different speeds with slightly different purposes.

“We found that the first pathway—which controls how fast you eat and involves PRLH neurons—is unexpectedly activated by the taste of food,” Knight said. “This was surprising, because we all know that tasty food causes us to eat more. But our findings reveal that food tastes also function to limit the pace of ingestion, through a brainstem pathway that likely functions beneath the level of our conscious awareness.”

The second pathway, governed by the gut and GCG neurons, seems to control how much we ultimately eat, Knight added.

Mice are not humans, of course. So more research will be needed to confirm whether we have a similar system.

[…]

Source: Your Tastebuds Help Tell You When to Stop Eating, New Research Suggests

Toxic air killed more than 500,000 people in EU in 2021, data shows

Dirty air killed more than half a million people in the EU in 2021, estimates show, and about half of the deaths could have been avoided by cutting pollution to the limits recommended by doctors.

The researchers from the European Environment Agency attributed 253,000 early deaths to concentrations of fine particulates known as PM2.5 that breached the World Health Organization’s maximum guideline limits of 5µg/m3. A further 52,000 deaths came from excessive levels of nitrogen dioxide and 22,000 deaths from short-term exposure to excessive levels of ozone.

“The figures released today by the EEA remind us that air pollution is still the number one environmental health problem in the EU,” said Virginijus Sinkevičius, the EU’s environment commissioner.

Doctors say air pollution is one of the biggest killers in the world but death tolls will drop quickly if countries clean up their economies. Between 2005 and 2021, the number of deaths from PM2.5 in the EU fell 41%, and the EU aims to reach 55% by the end of the decade.

[…]

Source: Toxic air killed more than 500,000 people in EU in 2021, data shows | Air pollution | The Guardian

Ubisoft blames ‘technical error’ for showing pop-up ads in Assassin’s Creed

Ubisoft is blaming a “technical error” for a fullscreen pop-up ad that appeared in Assassin’s Creed Odyssey this week. Reddit users say they spotted the pop-up on Xbox and PlayStation versions of the game, with an ad appearing just when you navigate to the map screen. “This is disgusting to experience while playing,” remarked one Reddit user, summarizing the general feeling against such pop-ups in the middle of gameplay.

“We have been made aware that some players encountered pop-up ads while playing certain Assassin’s Creed titles yesterday,” says Ubisoft spokesperson Fabien Darrigues, in a statement to The Verge. “This was the result of a technical error that we addressed as soon as we learned of the issue.”

The pop-up ad appeared during the middle of gameplay. Image: triddell24 (Reddit)

While it was unclear at first why the game suddenly started showing Black Friday pop-up ads to promote Ubisoft’s latest versions of Assassin’s Creed, the publisher later explained what went wrong in a post on X (formerly Twitter). Ubisoft says it was trying to put an ad for Assassin’s Creed Mirage in the main menu of other Assassin’s Creed games. However, a “technical error” caused the promotion to show up on in-game menus instead. Ubisoft says the issue has since been fixed.

We recently saw Microsoft use fullscreen Xbox pop-up ads to promote its own games, and they’ve been annoying Xbox owners. Microsoft’s ads only appear when you boot an Xbox, and not everyone seems to be getting them. Microsoft and Ubisoft’s pop-ups are still very different to the ads we’re used to seeing on game consoles. We’ve seen games like Saints Row 2 with ads running on billboards, or plenty of in-game ads in EA Games titles in the mid-to-late 2000s.

Fullscreen pop-up ads in the middle of a game certainly aren’t common. Imagine a world full of games you’ve paid $70 for and then ads popping up in the middle of gameplay. I truly hope that Ubisoft’s “technical error” never becomes a game industry reality.

Source: Ubisoft blames ‘technical error’ for showing pop-up ads in Assassin’s Creed – The Verge

A new way to predict ship-killing rogue waves, more importantly: to see how an AI finds its results

[…]

In a paper in Proceedings of the National Academy of Sciences, a group of researchers led by Dion Häfner, a computer scientist at the University of Copenhagen, describe a clever way to make AI more understandable. They have managed to build a neural network, use it to solve a tricky problem, and then capture its insights in a relatively simple five-part equation that human scientists can use and understand.

The researchers were investigating “rogue waves”, those that are much bigger than expected given the sea conditions in which they form. Maritime lore is full of walls of water suddenly swallowing ships. But it took until 1995 for scientists to measure such a wave—a 26-metre monster, amid other waves averaging 12 metres—off the coast of Norway, proving these tales to be tall only in the literal sense.

[…]

To produce something a human could follow, the researchers restricted their neural network to around a dozen inputs, each based on ocean-wave maths that scientists had already worked out. Knowing the physical meaning of each input meant the researchers could trace their paths through the network, helping them work out what the computer was up to.

The researchers trained 24 neural networks, each combining the inputs in different ways. They then chose the one that was the most consistent at making accurate predictions in a variety of circumstances, which turned out to rely on only five of the dozen inputs.

To generate a human-comprehensible equation, the researchers used a method inspired by natural selection in biology. They told a separate algorithm to come up with a slew of different equations using those five variables, with the aim of matching the neural network’s output as closely as possible. The best equations were mixed and combined, and the process was repeated. The result, eventually, was an equation that was simple and almost as accurate as the neural network. Both predicted rogue waves better than existing models.

The first part of the equation rediscovered a bit of existing theory: it is an approximation of a well-known equation in wave dynamics. Other parts included some terms that the researchers suspected might be involved in rogue-wave formation but are not in standard models. There were some puzzlers, too: the final bit of the equation includes a term that is inversely proportional to how spread out the energy of the waves is. Current human theories include a second variable that the machine did not replicate. One explanation is that the network was not trained on a wide enough selection of examples. Another is that the machine is right, and the second variable is not actually necessary.

Better methods for predicting rogue waves are certainly useful: some can sink even the biggest ships. But the real prize is the visibility that Dr Häfner’s approach offers into what the neural network was doing. That could give scientists ideas for tweaking their own theories—and should make it easier to know whether to trust the computer’s predictions.

Source: A new way to predict ship-killing rogue waves

EU Parliament adopts Right to Repair law with broad support

[…]

At the Parliament’s plenary session in Strasbourg, the right to repair was adopted with 590 votes in favour.

The legislative file, first presented by the EU Commission in March, aims to support the European Green Deal targets by increasing incentives for a circular economy, such as making repair a more attractive option than replacement for consumers.

[…]

Apart from ensuring favourable conditions for an independent repair market and preventing manufacturers from undermining repairs as an attractive choice, the IMCO position also extended the product category for a right-to-repair to bicycles.

“We do need this right to repair. What we are currently doing is simply not sustainable. We are living in a market economy where after two years, products have to be replaced, and we must lead Europe to a paradigm shift in that regard,” Repasi said.

Sunčana Glavak (EPP), the rapporteur for the opinion of the ENVI (Environment, Public Health and Food Safety) Committee, added it was “necessary to strengthen the repair culture through awareness raising campaigns, above all at the national level”.

[…]

To incentivise the choice for repair, the Parliament introduced an additional one-year guarantee period on the repaired goods, “once the minimum guarantee period has elapsed”, Repasi explained, as well as the possibility for a replacement product during repair if the repair takes too long.

Moreover, the Parliament intends to create a rule that market authorities can intervene to lower prices for spare parts to a realistic price level.

“Manufacturers must also be obliged to provide spare parts and repair information at fair prices. The European Parliament has recognised this correctly,” Holger Schwannecke, secretary general of the German Confederation of Skilled Crafts and Small Businesses, said.

He warned that customer claims against vendors and manufacturers must not result in craftspeople being held liable for third-party repairs.

To ensure that operating systems of smartphones continue to work after repair by an independent repairer, the Parliament aims to ban phone makers’ practice of running a closed system that limits access to alternative repair services.

[…]

Source: EU Parliament adopts Right to Repair law with broad support – EURACTIV.com

Google reportedly struck a special deal with Spotify that let it skip Play Store fees, revealed in Epic vs Google lawsuit

Spotify struck a special deal with Google that lets it pay no commission to Google when people sign up for subscriptions using the music streaming service’s own payment system on Android, according to new testimony in the ongoing Epic v. Google trial first reported by The Verge. As part of the same deal, Spotify paid Google just four percent commission if users signed up for the service through Google, far less than most other apps which typically pay 15 percent for subscriptions through the Google Play Store.

“Listening to music is one of [the phone’s] core purposes… if we don’t have Spotify working properly across Play services and core services, people will not buy Android phones”, Google’s partnerships head Don Harrison reportedly said in court. Both Google and Spotify also agreed to put $50 million each in a “success fund” as part of the deal.

The remarks were made as part of a lawsuit first filed against Google by Epic Games, the maker of the wildly popular Fortnite, in 2020. Epic claimed that Google’s Play Store on Android was an illegal monopoly that forced app makers to part with huge sums of cash in exchange for offering users in-app purchases through the Play Store. Epic filed a similar lawsuit against Apple in 2021, which it lost.

“A small number of developers that invest more directly in Android and Play may have different service fees as part of a broader partnership that includes substantial financial investments and product integrations across different form factors,” Dan Jackson, a Google spokesperson, wrote to Engadget in a statement. “These key investment partnerships allow us to bring more users to Android and Play by continuously improving the experience for all users and create new opportunities for all developers.”

Spotify initially supported Epic in its fight against Google and Apple. But in 2022, the company started using a Google program called User Choice Billing that let Android apps use their own payment systems in exchange for giving a reduced cut to Google. The special deal revealed in court showed that Google was willing to carve out even more exceptions for popular apps like Spotify.

Source: Google reportedly struck a special deal with Spotify that let it skip Play Store fees

So it’s not a very level playing field in the app store at all then?

The AI startup behind Stable Diffusion is now testing generative video

Stable Diffusion’s generative art can now be animated, developer Stability AI announced. The company has released a new product called Stable Video Diffusion into a research preview, allowing users to create video from a single image. “This state-of-the-art generative AI video model represents a significant step in our journey toward creating models for everyone of every type,” the company wrote.

The new tool has been released in the form of two image-to-video models, each capable of generating 14 to 25 frames long at speeds between 3 and 30 frames per second at 576 × 1024 resolution.

[…]

Stable Video Diffusion is available only for research purposes at this point, not real-world or commercial applications. Potential users can sign up to get on a waitlist for access to an “upcoming web experience featuring a text-to-video interface,” Stability AI wrote. The tool will showcase potential applications in sectors including advertising, education, entertainment and more.

[…]

It has some limitations, the company wrote: it generates relatively short video (less than 4 seconds), lacks perfect photorealism, can’t do camera motion except slow pans, has no text control, can’t generate legible text and may not generate people and faces properly.

The tool was trained on a dataset of millions of videos and then fine-tuned on a smaller set, with Stability AI only saying that it used video that was publicly available for research purposes.

[…]

Source: The AI startup behind Stable Diffusion is now testing generative video

Commercial Flights Are Experiencing Dozens of GPS Spoofing Attacks in the Middle East

Commercial air crews are reporting something “unthinkable” in the skies above the Middle East: novel “spoofing” attacks have caused navigation systems to fail in dozens of incidents since September.

In late September, multiple commercial flights near Iran went astray after navigation systems went blind. The planes first received spoofed GPS signals, meaning signals designed to fool planes’ systems into thinking they are flying miles away from their real location. One of the aircraft almost flew into Iranian airspace without permission. Since then, air crews discussing the problem online have said it’s only gotten worse, and experts are racing to establish who is behind it.

OPSGROUP, an international group of pilots and flight technicians, sounded the alarm about the incidents in September and began to collect data to share with its members and the public. According to OPSGROUP, multiple commercial aircraft in the Middle Eastern region have lost the ability to navigate after receiving spoofed navigation signals for months. And it’s not just GPS—fallback navigation systems are also corrupted, resulting in total failure.

According to OPSGROUP, the activity is centered in three regions: Baghdad, Cairo, and Tel Aviv. The group has tracked more than 50 incidents in the last five weeks, the group said in a November update, and identified three new and distinct kinds of navigation spoofing incidents, with two arising since the initial reports in September.

While GPS spoofing is not new, the specific vector of these new attacks was previously “unthinkable,” according to OPSGROUP, which described them as exposing a “fundamental flaw in avionics design.” The spoofing corrupts the Inertial Reference System, a piece of equipment often described as the “brain” of an aircraft that uses gyroscopes, accelerometers, and other tech to help planes navigate. One expert Motherboard spoke to said this was “highly significant.”

“This immediately sounds unthinkable,” OPSGROUP said in its public post about the incidents. “The IRS (Inertial Reference System) should be a standalone system, unable to be spoofed. The idea that we could lose all on-board nav capability, and have to ask [air traffic control] for our position and request a heading, makes little sense at first glance— especially for state of the art aircraft with the latest avionics. However, multiple reports confirm that this has happened.”

Signal jamming in the Middle East is common, but this kind of powerful spoofing is new. According to Todd Humphreys, a UT Austin professor who researches satellite communications, extremely powerful signal jammers have been present in the skies near Syria since 2018. “Syria was called ‘the most aggressive electronic warfare environment on the planet’ by the head of [U.S. Special Operations Command],” Humphreys told Motherboard.

[…]

“Apart from run-of-the-mill jamming (e.g., with chirp jammers), we have captured GPS spoofing signals in our radio trawling,” he said. “But, interestingly, the spoofing signals never seemed to be complete. They were either missing key internal data, or were not mutually consistent, and so would not have fooled a GPS receiver. They seemed to be aimed at denial of service rather than actual deception. My students and I came to realize that spoofing is the new jamming. In other words, it is being used for denial of service because it’s more effective for that purpose than blunt jamming.”

[…]

“The GPS and IRS, and their redundant backups, are the principal components of modern aircraft navigation systems,” Humphreys said. “When their readings are corrupted, the Flight Management System assumes an incorrect aircraft position, Synthetic Vision systems show the wrong context, etc. Eventually, if the pilots figure out that something is amiss, they can revert to [VHF omnidirectional range]/ [distance measure equipment] over land. But in several recent cases, air traffic control had to step in and directly provide pilots ‘vectors’ (over an insecure communications channel) to guide them to their destination. That’s not a scalable solution.”

[…]

“It shows that the inertial reference systems that act as dead-reckoning backups in case of GPS failure are no backup at all in the face of GPS spoofing because the spoofed GPS receiver corrupts the IRS, which then dead reckons off the corrupted position,” he told Motherboard. “What is more, redundant GPS receivers and IRSs (large planes have 2+ GPS receivers and 3+ IRS) offer no additional protection: they all get corrupted.”

Humphreys and others have been sounding the alarm about an attack like this occurring for the past 15 years. In 2012, he testified before Congress about the need to protect GNSS from spoofing. “GPS spoofing acts like a zero-day exploit against aviation systems,” he told Motherboard. “They’re completely unprepared for it and powerless against it.”

[…]

The entities behind the novel spoofing attacks are unknown, but Humphreys said that he and a student have narrowed down possible sources. “Using raw GPS measurements from several spacecraft in low-Earth orbit, my student Zach Clements last week located the source of this spoofing to the eastern periphery of Tehran,” he said.

Iran would not be the only country spoofing GPS signals in the region. As first reported by Politico, Clements was the first to identify spoofing most likely coming from Israel after Hamas’ Oct. 7 attacks. “The strong and persistent spoofing we’re seeing over Israel since around October 15 is almost certainly being carried out by Israel itself,” Humphreys said. “The IDF effectively admitted as much to a reporter with Haaretz.” Humphreys said at the time that crews experiencing this GPS spoofing could rely on other onboard instruments to land.

Humphreys said the effects of the Israeli spoofing are identical to those observed in late September near Iran. “And these are the first clear-cut cases of GPS spoofing of commercial aircraft ever, to my knowledge,” he said. “That they happened so close in time is surprising, but possibly merely coincidental.”

Source: Commercial Flights Are Experiencing ‘Unthinkable’ GPS Attacks and Nobody Knows What to Do

US government pays AT&T to let cops search phone records without warrant

A senator has alleged that American law enforcement agencies snoop on US citizens and residents, seemingly without regard for the privacy provisions of the Fourth Amendment, under a secret program called the Hemisphere Project that allows police to conduct searches of trillions of phone records.

According to Senator Ron Wyden (D-OR), these searches “usually” happen without warrants. And after more than a decade of keeping people — lawmakers included — in the dark about Hemisphere, Wyden wants the Justice Department to reveal information about what he called a “long-running dragnet surveillance program.”

“I have serious concerns about the legality of this surveillance program, and the materials provided by the DoJ contain troubling information that would justifiably outrage many Americans and other members of Congress,” Wyden wrote in a letter [PDF] to US Attorney General Merrick Garland.

Under Hemisphere, the White House Office of National Drug Control Policy (ONDCP) pays telco AT&T to provide all federal, state, local, and tribal law enforcement agencies with the ability to request searches of trillions of domestic phone records dating back to at least 1987, plus the four billion call records added every day.

[…]

Hemisphere first came to light in a 2013 New York Times report that alleged the “scale and longevity of the data storage appears to be unmatched by other government programs, including the NSA’s gathering of phone call logs under the Patriot Act.”

It’s not classified, but that doesn’t mean the Feds want you to see it

Privacy advocates including the Electronic Frontier Foundations have filed Freedom of Information Act and state-level public records lawsuits to learn more about the secret snooping program.

Few have made a dent: it appears that the Feds are doing everything they can to keep Hemisphere secret.

Although the program and its documents are not classified, the Justice Department has marked them as “Law Enforcement Sensitive,” meaning their disclosure could hurt ongoing investigations. This designation also prevents the documents from being publicly released.

Senator Wyden wants the designation removed.

Additionally, Hemisphere is not subject to a federal Privacy Impact Assessment due to its funding structure, it’s claimed. The White House doesn’t directly pay AT&T – instead the ONDCP provides a grant to the Houston High Intensity Drug Trafficking Area, which is a partnership between federal, state, and local law enforcement agencies. And this partnership, in turn, pays AT&T to operate this surveillance scheme.

[…]

Source: US government pays AT&T to let cops search phone records • The Register

Google admits it’s making YouTube worse for ad block and non-Chrome (Edge, Firefox) users

[…]

Earlier this year, YouTube began interrupting videos for those using advert blockers with a pop-up encouraging them to either disable the offending extension or filter, or pay for YT’s ad-free premium tier.

More recently, netizens have reported experiencing delays in playback when using non-Chrome browsers as well.

Upon launching a video, Firefox users have reported a delay of roughly five seconds before playback would begin. In a statement to The Register, Google admitted it was intentionally making its content less binge-able for users unwilling to turn off offending extensions, though this wasn’t linked to any one browser.

“Ads are a vital lifeline for our creators that helps them run and grow their businesses,” a Google spokesperson explained. “In the past week, users using ad blockers may have experienced delays in loading, regardless of the browser they are using.”

To be clear, Google’s business model revolves around advertising, and ad blockers are specifically called out as being in violation of its terms of service. Google also makes Chrome, the widely-used browser that Mozilla’s Firefox and others try to compete against.

Unfortunately, the method used by Google to detect the presence of ad blockers and trigger the delay appears to be prone to false positives. Several netizens have reported experiencing delays when using Firefox or Microsoft’s Edge browser without an ad blocker installed.

[…]

The Register was unable to replicate this behavior in Firefox with or without an ad blocker enabled. This suggests Google could be experimenting to see just how far it can push users to convince them to turn off their ad blockers for good. In other words, not all netizens will or have experienced this delay.

YouTube said its ad block detection does not target any specific browsers, and that people who continue to use ad blockers may experience degraded or interrupted service as its detection efforts evolve.

[…]

Source: Google admits it’s making YouTube worse for ad block users • The Register

Also, the technology Google uses to detect your ad blocker basically amounts to spyware (Privacy advocate challenges YouTube’s ad blocking detection (which isn’t spyware))