Julian Assange to finally go free in guilty plea deal with US

WikiLeaks founder Julian Assange has been freed from prison in the UK after agreeing to plead guilty to just one count of conspiracy to obtain and disclose national defense information, brought against him by the United States. Uncle Sam previously filed more than a dozen counts.

Assange has spent the past five years in a British super-max battling against extradition to the US to face trial for publicly leaking various classified government files via his website.

He is now set to return to his native Australia as a free man once he’s appeared in a US federal court this week to enter a guilty plea.

Assange’s whistleblower organization on Monday confirmed the activist had “left Belmarsh maximum security prison” earlier that day after being “granted bail by the High Court in London.” We’re told he was released at Stansted airport, where he boarded a plane to leave the UK.

His destination appears to be the Northern Mariana Islands, a US territory in the Pacific. A letter [PDF] from the US Department of Justice’s National Security Division dated June 24 states the WikiLeaker will appear before a federal district judge on the islands on Wednesday to admit the allegation against him.

After that, he is expected to be allowed to leave for Australia. Whatever sentence the federal district court decides is expected to have elapsed due to time already served, allowing him to go free.

[…]

At the time of writing, the US, UK, and Australian authorities all appear to be silent on how and why the plea deal was struck. However it appears to have been in the works for some time: A video posted at around 0100 on Monday, UK time, and dated June 19 features Stella Assange – Julian’s wife – saying she expects his release within a week. The video also featured Kristinn Hrafnsson, WikiLeaks editor-in-chief, saying he expects Assange’s imminent release.

Reduced charges

The US had sought to extradite Assange to face 18 charges, but the latest filing [PDF] against him lists just one charge: Conspiracy to obtain and disclose national defense information.

That charge was listed in a superseding indictment issued by the US Attorney’s Office in 2022, along with charges including conspiracy to commit computer intrusions, obtaining national defense information, and disclosure of national defense information.

The absence of the last charge is surely notable – Assange demonstrably did disclose such information, but he and WikiLeaks have long argued that doing so was an act of journalism done in the public interest and therefore justifiable.

The fresh court filing details the sole remaining charge, which it spells out as Assange having “knowingly and unlawfully conspired” with WikiLeaks source Chelsea Manning to commit three offenses against the United States, namely:

  • To receive and obtain documents, writings, and notes connected with the national defense, including such materials classified up to the SECRET level, for the purpose of obtaining information respecting the national defense, and knowing and with reason to believe at the time such materials were received and obtained, they had been and would be taken, obtained, and disposed of by a person contrary to the provisions of Chapter 37 of Title 18 of the United States Code, in violation of Title 18, United States Code, Section 793(c);
  • To willfully communicate documents relating to the national defense, including documents classified up to the SECRET level, from persons having lawful possession of or access to such documents, to persons not entitled to receive them, in violation of Title 18, United States Code, Section 793(d); and
  • To willfully communicate documents relating to the national defense from persons in unauthorized possession of such documents to persons not entitled to receive them, in violation of Title 18, United States Code, Section 793(e).

Private Manning was collared and jailed for 35 years in 2013 for illegally passing classified military intelligence to Assange to leak – most notably the Cablegate files – a sentence commuted by President Obama in 2017.

[…]

Source: Julian Assange to go free in guilty plea deal with US • The Register

Windows 11 is now automatically enabling OneDrive folder backup without asking permission

Microsoft has made OneDrive slightly more annoying for Windows 11 users. Quietly and without any announcement, the company changed Windows 11’s initial setup so that it could turn on the automatic folder backup without asking for it.

Now, those setting up a new Windows computer the way Microsoft wants them to (in other words, connected to the internet and signed into a Microsoft account) will get to their desktops with OneDrive already syncing stuff from folders like Desktop, Pictures, Documents, Music, and Videos. Depending on how much is stored there, you might end up with a desktop and other folders filled to the brim with shortcuts to various stuff right after finishing a clean Windows installation.

Automatic folder backup in OneDrive is a very useful feature when used properly and when the user deliberately enables it. However, Microsoft decided that sending a few notification prompts to enable folder backup was not enough, so it just turned the feature on without asking anybody or even letting users know about it, resulting in a flood of Reddit posts about users complaining about what the hell are those green checkmarks next to files and shortcuts on their desktops.

If you do not want your computer to back up everything on your desktop or other folders, here is how to turn the feature off (you can also set up Windows 11 in offline mode):

  1. Right-click the OneDrive icon in the tray area, click the settings icon and then press Settings.
  2. Go to the “Sync and Backup” tab and click “Manage backup.”
  3. Turn off all the folders you do not want to back up in OneDrive and confirm the changes.
  4. If you have an older OneDrive version with the classic tabbed interface, go to the Backup tab and click Manage Backup > Stop backup > Stop backup.

Microsoft is no stranger to shady tricks with its software and operating system. Several months ago, we noticed that OneDrive would not let you close it without you explaining the reason first (Microsoft later reverted that stupid change). A similar thing was also spotted in the Edge browser, with Microsoft asking users why they downloaded Chrome.

As a reminder, you can always just uninstall OneDrive and call it a day.

Source: Windows 11 is now automatically enabling OneDrive folder backup without asking permission – Neowin

EU Commission accuses Microsoft of breaking antitrust rules with bundled Teams app

The European Commission said in a formal ‘statement of objections’ on Tuesday (25 June) that Microsoft had violated EU antitrust rules by bundling its Teams app with its Office 365 and Microsoft 365 productivity suites.

The statement follows almost a year-long investigation, and the tech giant told Euractiv it would work to “address the Commission’s remaining concerns”.

Teams is a communication and collaboration tool, while Office 365 and Microsoft 365 are comprehensive productivity software suites that include applications like Word, Excel, and Outlook for businesses.

Business software suppliers, like Microsoft, offer software as a service (SaaS) on their own cloud platforms, the Commission wrote in a press release. This allows new companies to provide SaaS solutions and customers to use different software from various providers.

However, Microsoft combines many software types in one package. When Teams was launched, Microsoft included it in their Office 365 and Microsoft 365 business suites, the Commission said.

Margrethe Vestager, the Commission’s executive vice president in charge of competition policy, said the EU executive was concerned that “Microsoft may be giving its own communication product Teams an undue advantage over competitors, by tying it to its popular productivity suites for businesses.”

This might have hindered competition and innovation, harming customers in the European Economic Area, the press release stated.

If confirmed, these practices would violate the Treaty on the Functioning of the European Union (TFEU), which prohibits abuse of a dominant market position.

Brad Smith, vice chair and president of Microsoft, told Euractiv the company was taking the Commission’s assessment seriously:

“Having unbundled Teams and taken initial interoperability steps, we appreciate the additional clarity provided today and will work to find solutions to address the Commission‘s remaining concerns,” he said.

After proceedings began in July 2023, Microsoft made changes to offer some suites without Teams, but the Commission found these changes insufficient and required more action to restore competition.

Statement of Objections

The Commission began its investigation last July, following a complaint from Slack Technologies, now owned by Salesforce. A second complaint from alfaview GmbH raised similar issues about Teams.

Sabastian Niles, president & chief legal officer at Salesforce, told Euractiv they are urging “the Commission to move towards a swift, binding, and effective remedy that restores free and fair choice and promotes competition”.

The Statement of Objections addresses both investigations. This formal step notifies Microsoft of the antitrust concerns, allowing them to review the case documents, respond in writing, and request a hearing to present their defence.

If the Commission finds enough evidence of a violation after reviewing the company’s defence, it can issue a decision to stop the conduct and impose a fine of up to 10% of the company’s global annual revenue.

The Commission can also require the company to take measures to end the infringement. There is no set timeline for completing antitrust investigations, as their duration depends on factors like the case’s complexity, company cooperation, and the defence process.

In March, it was the Commission that violated data protection rules in its use of Microsoft 365, leading to the imposition of corrective measures by the European Data Protection Supervisor (EDPS).

Source: EU Commission accuses Microsoft of breaking antitrust rules with bundled Teams app – Euractiv

The last statement is irrelevant in this context but still something very worrying. Teams should be available as a standalone product.

Record labels sue AI music generators for ‘massive infringement of recorded music’

Major music labels are taking on AI startups that they believe trained on their songs without paying. Universal Music Group, Warner Music Group and Sony Music Group sued the music generators Suno and Udio for allegedly infringing on copyrighted works on a “massive scale.”

The Recording Industry Association of America (RIAA) initiated the lawsuits and wants to establish that “nothing that exempts AI technology from copyright law or that excuses AI companies from playing by the rules.”

The music labels’ lawsuits in US federal court accuse Suno and Udio of scraping their copyrighted tracks from the internet. The filings against the AI companies reportedly demand injunctions against future use and damages of up to $150,000 per infringed work. (That sounds like it could add up to a monumental sum if the court finds them liable.) The suits appear aimed at establishing licensed training as the only acceptable industry framework for AI moving forward — while instilling fear in companies that train their models without consent.

[Image: Screenshot of the Udio AI music generator homescreen. Credit: Udio]

Suno AI and Udio AI (Uncharted Labs run the latter) are startups with software that generates music based on text inputs. The former is a partner of Microsoft for its CoPilot music generation tool. The RIAA claims the services’ reproduced tracks are uncannily similar to existing works to the degree that they must have been trained on copyrighted songs. It also claims the companies didn’t deny that they trained on copyright works, instead shielding themselves behind their training being “confidential business information” and standard industry practices.

According to The Wall Street Journal, the lawsuits accuse the AI generators of creating songs that sounded remarkably similar to The Temptations’ “My Girl,” Green Day’s “American Idiot,” and Mariah Carey’s “All I Want for Christmas Is You,” among others. They also claim the AI services produced indistinguishable vocals from artists like Lin-Manuel Miranda, Bruce Springsteen, Michael Jackson and ABBA.

Wired reports that one example cited in the lawsuit details how one of the AI tools reproduced a song that sounded nearly identical to Chuck Berry’s pioneering classic “Johnny B. Goode,” using the prompt, “1950s rock and roll, rhythm & blues, 12 bar blues, rockabilly, energetic male vocalist, singer guitarist,” along with some of Berry’s lyrics. The suit claims the generator almost perfectly generated the original track’s “Go, Johnny, go, go” chorus.

[Image: Screenshot of the Suno AI webpage. Credit: Suno]

To be clear, the RIAA isn’t advocating based on the principle that all AI training on copyrighted works is wrong. Instead, it’s saying it’s illegal to do so without licensing and consent, i.e., when the labels (and, likely to a lesser degree, the artists) don’t make any money off of it.

[…]

Source: Record labels sue AI music generators for ‘massive infringement of recorded music’

So they are not only claiming that stuff inspired by stuff a computer listened to is different from stuff inspired by stuff a person listened to, but they are also claiming copyright on something from the 1950’s?!

New study confirms forever chemicals (PFAS) are also absorbed through human skin

A study of 17 commonly used synthetic ‘forever chemicals’ has shown that these toxic substances can readily be absorbed through human skin.

New research, published today in Environment International, proves for the first time that a wide range of PFAS (perfluoroalkyl substances) — chemicals which do not break down in nature — can permeate the skin barrier and reach the body’s bloodstream.

PFAS are used widely in industries and consumer products from school uniforms to personal care products because of their water and stain repellent properties. While some substances have been banned by government regulation, others are still widely used and their toxic effects have not yet been fully investigated.

PFAS are already known to enter the body through other routes, for example being breathed in or ingested via food or drinking water, and they are known to cause adverse health effects such as a lowered immune response to vaccination, impaired liver function and decreased birth weight.

It has commonly been thought that PFAS are unable to breach the skin barrier, although recent studies have shown links between the use of personal care products and PFAS concentrations in human blood and breast milk. The new study is the most comprehensive assessment yet undertaken of the absorption of PFAS into human skin and confirms that most of them can enter the body via this route.

[…]

“The ability of these chemicals to be absorbed through skin has previously been dismissed because the molecules are ionised. The electrical charge that gives them the ability to repel water and stains was thought to also make them incapable of crossing the skin membrane.

“Our research shows that this theory does not always hold true and that, in fact, uptake through the skin could be a significant source of exposure to these harmful chemicals.”

[…]

Of the 17 PFAS tested, the team found 15 substances showed substantial dermal absorption — at least 5% of the exposure dose. At the exposure doses examined, absorption into the bloodstream of the most regulated PFAS (perfluoro octanoic acid (PFOA)) was 13.5% with a further 38% of the applied dose retained within the skin for potential longer-term uptake into the circulation.

The amount absorbed seemed to correlate with the length of the carbon chain within the molecule. Substances with longer carbon chains showed lower levels of absorption, while compounds with shorter chains that were introduced to replace longer carbon chain PFAS like PFOA, were more easily absorbed. Absorption of perfluoro pentanoic acid for example was four times that of PFOA at 59%.

[…]

Story Source:

Materials provided by University of Birmingham. Note: Content may be edited for style and length.


Journal Reference:

  1. Oddný Ragnarsdóttir, Mohamed Abou-Elwafa Abdallah, Stuart Harrad. Dermal bioavailability of perfluoroalkyl substances using in vitro 3D human skin equivalent models. Environment International, 2024; 188: 108772 DOI: 10.1016/j.envint.2024.108772

Source: New study confirms forever chemicals are absorbed through human skin | ScienceDaily

E.U. starts swinging DMA, starts with monolithic monopolist Apple

Apple is the first company to be charged with violating the Digital Markets Act, a law passed in 2022 that gives European regulators wide authority to force the largest “online gatekeepers” to change their business practices.

The charges signal that the European Union, already known as an aggressive regulator of the tech industry, plans to intensify its crackdown. Amazon, Google and Meta are also facing investigations under the new competition rules, while TikTok and X are facing probes under another law intended to force internet companies to more aggressively police their platforms for illicit content.

[…]

After initiating an investigation in March, E.U. regulators said Apple was putting unlawful restrictions on companies that make games, music services and other applications. Under the law, also known as the D.M.A., Apple cannot limit how companies communicate with customers about sales and other offers and content available outside the App Store. The company faces a penalty of up to 10 percent of global revenue, a fine that could go up to 20 percent for repeat infringements, regulators said. Apple reported $383 billion in revenue last year.

“Today is a very important day for the effective enforcement of the D.M.A.,” said Margrethe Vestager, the European Commission executive vice president in charge of competition policy. She said Apple’s App Store policies make developers more dependent on the company and prevent consumers from being aware of better offers.

[…]

“The European Commission would like Apple to open its ecosystem, and Apple is saying no way,” said Mr. Valletti, now an economics professor at Imperial College London. “Apple is basically saying, ‘See you in court.’”

Apple’s regulatory woes show how government scrutiny of the tech industry is growing worldwide. In the United States, Apple is being sued by the Justice Department over claims that it has an illegal monopoly in the smartphone market. It also is arguing in U.S. federal court that it has the right to take up to 27 percent of certain app sales through third-party payment systems, which developers argue violates a 2021 judicial ruling.

Japan and Britain, which is no longer part of the European Union, have advanced rules to curb Apple’s control of the App Store, as well.

[…]

Source: Apple’s App Store Policies Charged Under New E.U. Competition Law – The New York Times

Apple has been swinging its fuck you stick at the EU for some time now, so it’s not surprising that the EU has decided to finally do something about it.

eg: I can have app store? Apple: yes but NO! Give €1,000,000 + lock in to Apple ecosystem. This is how to “comply” with EU anti competition law

Apple reverses hissy fit decision to remove Home Screen web apps in EU

Apple stamps feet but now to let EU developers distribute apps from the web

More stuff on Apple

Microsoft Account to local account conversion guide erased from official Windows 11 guide

Microsoft has been pushing hard for its users to sign into Windows with a Microsoft Account. The newest Windows 11 installer removed the easy bypass to the requirement that you make an account or login with your existing account. If you didn’t install Windows 11 without a Microsoft Account and now want to stop sending the company your data, you can still switch to a local account after the fact. Microsoft even had instructions on how to do this on its official support website – or at least it used to…

Microsoft’s ‘Change from a local account to a Microsoft Account’ guide shows users how they can change their Windows 11 PC login credentials to use their Microsoft Account. The company also supplied instructions on how to ‘Change from a Microsoft account to a local account’ on the same page. However, when we checked the page using the Wayback Machine, the instructions on how to do the latter appeared on June 12, 2024, then disappeared on June 17, 2024. The ‘Change from a Microsoft account to a local account’ instructions haven’t yet returned.

Converting your Windows 11 PC’s login from a Microsoft Account to a local account is a pretty simple process. All you have to do is go to the Settings app, proceed to Accounts > Your info, and select “Sign in with a local account instead.” Follow the instructions on the screen, and you should be good to go.

[…]

It’s apparent that Microsoft really wants users to sign up and use their services, much like how Google and Apple make you create an account so you can make full use of your Android or iDevice. While Windows 11 still lets you use the OS with a local account, these developments show that Microsoft wants this option to be inaccessible, at least for the average consumer.

Source: Microsoft Account to local account conversion guide erased from official Windows 11 guide — instructions redacted earlier this week | Tom’s Hardware

Patch now: ‘Easy-to-exploit’ RCE in open source Ollama

A now-patched vulnerability in Ollama – a popular open source project for running LLMs – can lead to remote code execution, according to flaw finders who warned that upwards of 1,000 vulnerable instances remain exposed to the internet.

Wiz Research disclosed the flaw, tracked as CVE-2024-37032 and dubbed Probllama, on May 5 and its maintainers fixed the issue in version 0.1.34 that was released via GitHub a day later.

Ollama is useful for performing inference with compatible neural networks – such as Meta’s Llama family, hence the name; Microsoft’s Phi clan; and models from Mistral – and it can be used on the command line or via a REST API. It has hundreds of thousands of monthly pulls on Docker Hub.

In a report published today, the Wiz bug hunting team’s Sagi Tzadik said the vulnerability is due to insufficient validation on the server side of that REST API provided by Ollama. An attacker could exploit the flaw by sending a specially crafted HTTP request to the Ollama API server — and in Docker installations, at least, the API server is publicly exposed.

The Ollama server provides multiple API endpoints that perform core functions. This includes the API endpoint /api/pull that lets users download models from the Ollama registry as well as private registries. As the researchers found, the process to trigger the download of a model was exploitable, allowing miscreants to potentially compromise the environment hosting a vulnerable Ollama server.

“What we found is that when pulling a model from a private registry (by querying the http://[victim]:11434/api/pull API endpoint), it is possible to supply a malicious manifest file that contains a path traversal payload in the digest field,” Tzadik explained.

An attacker could then use that payload to corrupt files on the system, achieve arbitrary file read, and ultimately remote code execution (RCE) to hijack that system.

“This issue is extremely severe in Docker installations, as the server runs with root privileges and listens on 0.0.0.0 by default – which enables remote exploitation of this vulnerability,” Tzadik emphasized.

And despite a patched version of the project being available for over a month, the Wiz kids found that, as of June 10, there were more than 1,000 vulnerable Ollama server instances still exposed to the internet. In light of this, there’s a couple things anyone using Ollama should do to protect their AI applications.

First, which should go without saying, update instances to version 0.1.34 or newer. Also, as Ollama doesn’t inherently support authentication, do not expose installations to the internet unless using some sort of authentication, such as a reverse-proxy. Even better, don’t allow the internet to reach the server at all, put it behind firewalls, and only allow authorized internal applications and their users to access it.

“The critical issue is not just the vulnerabilities themselves but the inherent lack of authentication support in these new tools,” Tzadik noted, referring to previous RCEs in other tools used to deploy LLMs including TorchServe and Ray Anyscale.

Plus, he added, even though these tools are new and often written in modern safety-first programming languages, “classic vulnerabilities such as path traversal remain an issue.”

Source: Patch now: ‘Easy-to-exploit’ RCE in open source Ollama
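
The digest-field path traversal described in the Ollama item above comes down to a server turning a string from a remote manifest into a file name. The Go program below is an added example, not Ollama's code and not taken from the article or the Wiz report: it puts the weak pattern next to a strict digest check. The manifest shape, the `sha256-<hex>` file naming, the directory and all function names are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Manifest models only the field used here (assumed OCI-style shape).
type Manifest struct {
	Layers []struct {
		Digest string `json:"digest"`
	} `json:"layers"`
}

var (
	digestRe     = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)
	ErrBadDigest = errors.New("digest is not sha256:<64 hex chars>")
	ErrEscapes   = errors.New("blob path escapes the blobs directory")
)

// NaiveBlobPath is the weak pattern: the digest goes straight into a path.
// filepath.Join resolves ".." segments, so the result can leave blobsDir.
func NaiveBlobPath(blobsDir, digest string) string {
	return filepath.Join(blobsDir, digest)
}

// BlobPath is the hardened form: accept only a strict digest, then confirm
// (defence in depth) that the joined path is still inside blobsDir.
func BlobPath(blobsDir, digest string) (string, error) {
	if !digestRe.MatchString(digest) {
		return "", fmt.Errorf("%w: %q", ErrBadDigest, digest)
	}
	base := filepath.Clean(blobsDir)
	p := filepath.Join(base, strings.Replace(digest, ":", "-", 1))
	rel, err := filepath.Rel(base, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapes
	}
	return p, nil
}

// CheckManifest rejects the whole manifest if any layer digest is invalid.
func CheckManifest(blobsDir string, raw []byte) ([]string, error) {
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("manifest is not valid JSON: %w", err)
	}
	paths := make([]string, 0, len(m.Layers))
	for i, l := range m.Layers {
		p, err := BlobPath(blobsDir, l.Digest)
		if err != nil {
			return nil, fmt.Errorf("layer %d: %w", i, err)
		}
		paths = append(paths, p)
	}
	return paths, nil
}

// SampleManifest builds a constructed one-layer manifest around a digest.
func SampleManifest(digest string) []byte {
	raw, _ := json.Marshal(map[string]interface{}{
		"layers": []map[string]string{{"digest": digest}},
	})
	return raw
}

func main() {
	const blobs = "/var/lib/models/blobs" // hypothetical storage directory
	good := "sha256:" + strings.Repeat("ab", 32)
	bad := "../../outside/target" // constructed traversal-style value
	fmt.Println("naive path for bad digest:", NaiveBlobPath(blobs, bad))
	for _, d := range []string{good, bad} {
		paths, err := CheckManifest(blobs, SampleManifest(d))
		fmt.Printf("digest %q -> paths=%v err=%v\n", d, paths, err)
	}
}
```

The same check belongs at every point where a registry-supplied digest becomes a path, in addition to the upgrade and network restrictions the article recommends.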