Apple settles EU case by opening its iPhone payment system to rivals

The EU on Thursday accepted Apple’s pledge to open its “tap to pay” iPhone payment system to rivals as a way to resolve an antitrust case and head off a potentially hefty fine.

The European Commission, the EU’s executive arm and top antitrust enforcer, said it approved the commitments that Apple offered earlier this year and will make them legally binding.

Regulators had accused Apple in 2022 of abusing its dominant position by limiting access to its mobile payment technology.

Apple responded by proposing in January to allow third-party mobile wallet and payment service providers access to the contactless payment function in its iOS operating system. After Apple tweaked its proposals following testing and feedback, the commission said those “final commitments” would address its competition concerns.

“Today’s commitments end our Apple Pay investigation,” Margrethe Vestager, the commission’s executive vice-president for competition policy, told a press briefing in Brussels. “The commitments bring important changes to how Apple operates in Europe to the benefit of competitors and customers.”

Apple said in a prepared statement that it is “providing developers in the European Economic Area with an option to enable NFC [near-field communication] contactless payments and contactless transactions” for uses like car keys, corporate badges, hotel keys and concert tickets.

[…]

The EU deal promises more choice for Europeans. Vestager said iPhone users will be able to set a default wallet of their choice while mobile wallet developers will be able to use important iPhone verification functions like Face ID.

[…]

Analysts said there would be big financial incentives for companies to use their own wallets rather than letting Apple act as the middleman, resulting in savings that could trickle down to consumers. Apple charges banks 0.15% for each credit card transaction that goes through Apple Pay, according to the justice department’s lawsuit.

Apple must open up its payment system in the EU’s 27 countries plus Iceland, Norway and Liechtenstein by 25 July.

“As of this date, developers will be able to offer a mobile wallet on the iPhone with the same ‘tap-and-go’ experience that so far has been reserved for Apple Pay,” Vestager said. The changes will remain in force for a decade and will be monitored by a trustee.

Breaches of EU competition law can draw fines worth up to 10% of a company’s annual global revenue, which in Apple’s case could have amounted to tens of billions of euros.

“The main advantage to the issuer bank of supporting an alternative to Apple Pay via iPhone is the reduction in fees incurred, which can be substantial,” said Philip Benton, a principal analyst at research and advisory firm Omdia. To encourage iPhone users to switch away from Apple Pay to another mobile wallet, “the fee reduction needs to be partially passed onto the consumer” through benefits like cashback or loyalty rewards, he said.

Banks and consumers could also benefit in other ways.

If companies use their own apps for tap-and-go payments, they would get “full visibility” of their customers’ transactions, said Ben Wood, chief analyst at CCS Insight. That data would allow them to “build brand loyalty and trust and offer more personalised services, rewards and promotions directly to the user”, he said.

Source: Apple settles EU case by opening its iPhone payment system to rivals | Apple | The Guardian

Note: Currently, Apple has this full visibility of your transactions. Are you sure you want to trust a company like that with your financial data?

I wonder how childishly Apple will handle this, considering how it has gone about “opening up” its app store and allowing home screen apps (not really at all).

Why all Chromium browsers tell Google about your CPU, GPU usage? A whitewashing bullshit explanation.

Running a Chromium-based browser, such as Google Chrome or Microsoft Edge? The chances are good it’s quietly telling Google all about your CPU and GPU usage when you visit one of the search giant’s websites.

The feature is, from what we can tell, for performance monitoring and not really for tracking – Google knows who you are and what you’re doing anyway when you’re logged into and using its sites – but it does raise some antitrust concerns in light of Europe’s competition-fostering Digital Markets Act (DMA).

When visiting a *.google.com domain, the Google site can use the API to query the real-time CPU, GPU, and memory usage of your browser, as well as info about the processor you’re using, so that whatever service is being provided – such as video-conferencing with Google Meet – could, for instance, be optimized and tweaked so that it doesn’t overly tax your computer. The functionality is implemented as an API provided by an extension baked into Chromium – the browser brains primarily developed by Google and used in Chrome, Edge, Opera, Brave, and others.

Non-Chromium-based browsers – such as Mozilla’s Firefox – don’t have that extension, which puts them at a potential disadvantage. Without the API, they may offer a worse experience on Google sites than what’s possible on the same hardware with Google’s own browser, because they can’t provide that live performance info.

There is, however, nothing technically stopping Moz or other browser-engine makers from implementing a similar extension themselves in Firefox, if they so chose.

Crucially though, websites that compete against Google can’t access the Chromium API. This is where technical solutions start to look potentially iffy in the eyes of Europe’s DMA.

Netherlands-based developer Luca Casonato highlighted the extension’s existence this week on social media, and his findings went viral – with millions of views. We understand at least some people have known about the code for a while now – indeed, it’s all open source and can be found here in the preinstalled extension hangout_services.

That name should give you a clue to its origin. It was developed last decade to provide browser-side functionality to Google Hangouts – a product that got split into today’s Google Meet and Chat. Part of that functionality is logging for Google, upon request, stats about your browser’s use of your machine’s compute resources when visiting a *.google.com domain – such as meet.google.com.

Casonato noted that the extension can’t be disabled in Chrome, at least, and it doesn’t show up in the extension panel. He observed it’s also included in Microsoft Edge and Brave, both of which are Chromium based. We reached out to Casonato for more of his thoughts on this – though given the time differences between him in Europe and your humble vulture in the US, we didn’t immediately hear back.

Explanation

If you’ve read this far there’s probably an obvious question on your mind: What’s to say this API is malicious? We’re not saying that, and neither is Casonato. Google isn’t saying that either.

“Today, we primarily use this extension for two things: To improve the user experience by optimizing configurations for video and audio performance based on system capabilities [and] provide crash and performance issue reporting data to help Google services detect, debug, and mitigate user issues,” a Google spokesperson told us on Thursday.

“Both are important for the user experience and in both cases we follow robust data handling practices designed to safeguard user privacy,” the spokesperson added.

As we understand it, Google Meet today uses the old Hangouts extension to, for one thing, vary the quality of the video stream if the current resolution is proving too much for your PC. Other Google sites are welcome to use the thing, too.

That all said, the extension’s existence could be harmful to competition as far as the EU is concerned – and that seems to be why Casonato pointed it out this week.

Source: Why Chromium tells Google sites about your CPU, GPU usage • The Register

A lovely explanation, but the fact remains that Chromium is sending personal information to a central company, Google, without informing users at all. This blanket explanation could be used to whitewash any information they send through Chromium: the contents of your memory? Improving user experience. The position of your mouse on websites? Improving user experience. It just does not wash.

AT&T says criminals stole phone records of ‘nearly all’ customers in another data breach there – also, Snowflake again

In a statement, AT&T said that the stolen data contains phone numbers of both cellular and landline customers, as well as AT&T records of calls and text messages — such as who contacted who by phone or text — during a six-month period between May 1, 2022 and October 31, 2022.

AT&T said some of the stolen data includes more recent records from January 2, 2023 for a smaller but unspecified number of customers.

The stolen data also includes call records of customers with phone service from other cell carriers that rely on AT&T’s network, the company said.

AT&T said the stolen data “does not contain the content of calls or texts,” but does include calling and texting records that an AT&T phone number interacted with during the six-month period, as well as the total count of a customer’s calls and texts, and call durations — information that is often referred to as metadata. The stolen data does not include the time or date of calls or texts, AT&T said.

Some of the stolen records include cell site identification numbers associated with phone calls and text messages, information that can be used to determine the approximate location of where a call was made or text message sent.

In all, the phone giant said it will notify around 110 million AT&T customers of the data breach, company spokesperson Andrea Huguely told TechCrunch.

AT&T published a website with information for customers about the data incident. AT&T also disclosed the data breach in a filing with regulators before the market opened on Friday.

Breach linked to Snowflake

AT&T said it learned of the data breach on April 19, and that it was unrelated to its earlier security incident in March.

AT&T’s Huguely told TechCrunch that the most recently compromised customer records were stolen from the cloud data giant Snowflake during a recent spate of data thefts targeting Snowflake’s customers.

[…]

This is the second security incident AT&T has disclosed this year. AT&T was forced to reset the account passcodes of millions of its customers after a cache of customer account information — including encrypted passcodes for accessing AT&T customer accounts — was published on a cybercrime forum. A security researcher told TechCrunch at the time that the encrypted passcodes could be easily decrypted, prompting AT&T to take precautionary action to protect customer accounts.

Source: AT&T says criminals stole phone records of ‘nearly all’ customers in new data breach | TechCrunch

Data breach exposes millions of mSpy spyware customer support tickets

Unknown attackers stole millions of customer support tickets, including personal information, emails to support, and attachments, including personal documents, from mSpy in May 2024. While hacks of spyware purveyors are becoming increasingly common, they remain notable because of the highly sensitive personal information often included in the data, in this case about the customers who use the service.

The hack encompassed customer service records dating back to 2014, which were stolen from the spyware maker’s Zendesk-powered customer support system.

mSpy is a phone surveillance app that promotes itself as a way to track children or monitor employees. Like most spyware, it is also widely used to monitor people without their consent. These kinds of apps are also known as “stalkerware” because people in romantic relationships often use them to surveil their partner without consent or permission.

The mSpy app allows whoever planted the spyware, typically someone who previously had physical access to a victim’s phone, to remotely view the phone’s contents in real-time.

As is common with phone spyware, mSpy’s customer records include emails from people seeking help to surreptitiously track the phones of their partners, relatives, or children, according to TechCrunch’s review of the data, which we independently obtained. Some of those emails and messages include requests for customer support from several senior-ranking U.S. military personnel, a serving U.S. federal appeals court judge, a U.S. government department’s watchdog, and an Arkansas county sheriff’s office seeking a free license to trial the app.

Even after amassing several million customer service tickets, the leaked Zendesk data is thought to represent only the portion of mSpy’s overall customer base who reached out for customer support. The number of mSpy customers is likely to be far higher.

Yet more than a month after the breach, mSpy’s owners, a Ukraine-based company called Brainstack, have not acknowledged or publicly disclosed the breach.

Troy Hunt, who runs data breach notification site Have I Been Pwned, obtained a copy of the full leaked dataset, adding about 2.4 million unique email addresses of mSpy customers to his site’s catalog of past data breaches.

[…]

Some of the email addresses belong to unwitting victims who were targeted by an mSpy customer. The data also shows that some journalists contacted the company for comment following the company’s last known breach in 2018. And, on several occasions, U.S. law enforcement agents filed or sought to file subpoenas and legal demands with mSpy. In one case following a brief email exchange, an mSpy representative provided the billing and address information about an mSpy customer — an alleged criminal suspect in a kidnapping and homicide case — to an FBI agent.

Each ticket in the dataset contained an array of information about the people contacting mSpy. In many cases, the data also included their approximate location based on the IP address of the sender’s device.

[…]

The emails in the leaked Zendesk data show that mSpy and its operators are acutely aware of what customers use the spyware for, including monitoring of phones without the person’s knowledge. Some of the requests cite customers asking how to remove mSpy from their partner’s phone after their spouse found out. The dataset also raises questions about the use of mSpy by U.S. government officials and agencies, police departments, and the judiciary, as it is unclear if any use of the spyware followed a legal process.

[…]

This is the third known mSpy data breach since the company began in around 2010. mSpy is one of the longest-running phone spyware operations, which is in part how it accumulated so many customers.

[…]

the data breach of mSpy’s Zendesk data exposed its parent company as a Ukrainian tech company called Brainstack.

[…]

Source: Data breach exposes millions of mSpy spyware customers | TechCrunch

India antitrust probe finds Apple abused position in apps market

NEW DELHI, July 12 (Reuters) – An investigation by India’s antitrust body has found that Apple exploited its dominant position in the market for app stores on its iOS operating system, engaging “in abusive conduct and practices”, a confidential report seen by Reuters showed.

The Competition Commission of India (CCI) has been investigating Apple Inc since 2021 for possibly abusing its dominant position in the apps market by forcing developers to use its proprietary in-app purchase system.

[…]

The CCI’s investigations unit, in its 142-page report which is not public but was seen by Reuters, said Apple wields “significant influence” over how digital products and services reach consumers, especially through its iOS platform and App Store.

“Apple App Store is an unavoidable trading partner for app developers, and resultantly, app developers have no choice but to adhere to Apple’s unfair terms, including the mandatory use of Apple’s proprietary billing and payment system,” the CCI unit said in the June 24 report.

“From the perspective of app developers, Apple iOS ecosystem is indispensable.”

[…]

In June, European Union antitrust regulators said Apple breached the bloc’s tech rules, which could result in a hefty fine for the iPhone maker. The company also faces an investigation into new fees imposed on app developers.

In January, in response to a new EU law called the Digital Markets Act, Apple outlined plans to allow software developers to distribute their apps to users in the European Union outside of Apple’s own App Store.

The CCI report is the most critical stage of the Indian investigation and it will now be reviewed by the watchdog’s senior officials.

[…]

The Indian case was first filed by a little-known, non-profit group called “Together We Fight Society” which argued Apple’s in-app fee of up to 30% hurts competition by raising costs for app developers and customers.

Later, a group of Indian startups, Alliance of Digital India Foundation, and Tinder-owner Match filed similar cases at the CCI against Apple, which were all heard together.

The CCI investigation team said in its report that no third-party payment processor was being permitted by Apple to provide the services for in-app purchases.

It added that in most cases the apps are also not being allowed to include any external links that direct customers to other purchasing mechanisms, violating Indian competition laws.

[…]

In its submissions to the CCI, Apple argued its market share in India is an “insignificant” 0-5%, while Google commands 90-100%. The company also argued that the in-app payment system allowed it to maintain and develop the safety of its App Store.

But the CCI said, “App stores are OS (operating system) specific and Apple’s App store is the sole App store available for reaching iOS users.”

“The payment policy of Apple adversely affects the app developers, users and other payment processors,” it said.

[…]

Source: Exclusive: India antitrust probe finds Apple abused position in apps market | Reuters

After a year of no deliveries, F-35 Deliveries Finally Cleared To Resume, New Jets Will Be Limited To Training

A fix of a kind has been found for problems with the F-35’s vital Tech Refresh 3 software, or TR-3, which had seen production deliveries suspended for around a year. Deliveries of the stealth fighters will resume “in the near future,” clearing a backlog of jets sitting in storage, although the TR-3 is only installed in what’s described as a “truncated” form, raising questions about when the F-35 will actually be able to make full use of the long-awaited Block 4 improvements that this software underpins.

The F-35 Joint Program Office announced yesterday that Lt. Gen. Michael J. Schmidt, the F-35 program executive officer, approved the use of the “truncated” TR-3 software on July 3. This means that more than 90 (perhaps as many as 120) F-35s that had been manufactured but then put into storage at Lockheed Martin’s Fort Worth, Texas, plant can be delivered. These jets are destined for both U.S. and foreign customers.

In the meantime, the TR-3 software remains in flight testing, with the aim of achieving a long-term fix.

[…]

TR-3 has suffered numerous delays that have contributed to significant cost overruns in the program. The ongoing issues meant that deliveries of these aircraft were suspended in July 2023.

As of December 2023, it was reported that the development of TR-3 would be completed sometime between April and June of 2024 — after this, the same TR-3 enhancements would have to be incorporated into the existing jets.

By January of this year, Lockheed Martin was saying it didn’t expect F-35 deliveries to resume until late this summer, but it also confirmed that thought was being given to accepting jets before then, without the fully validated TR-3 hardware and software. This is the workaround that Schmidt signed off earlier this month.

In March, when the F-35 was finally cleared for full-rate production, 17 years after the aircraft first took to the air, customers were still not accepting new aircraft.

[…]

TR-3 has been described as the F-35’s new ‘computer backbone,’ since it promises to provide 25 times more computing power than the existing TR-2 computing system.

[Image caption: Some of the unclassified upgrades are expected to be part of Block 4. The exact configuration is not publicly disclosed just yet. Photo: U.S. Department of Defense]

Block 4 will give the F-35 advanced new capabilities, including much-expanded processing power, new displays, enhanced cooling, new EOTS and DAS electro-optical sensors, and a range of additional weapons that will greatly help the aircraft meet its potential. A very significant aspect of Block 4 will be a new radar and electronic warfare suite.

[…]

The yearlong delivery hiatus has had a major knock-on effect on the program, both for U.S. and foreign customers.

Lockheed says it will be able to deliver F-35s at a rate of one aircraft per day, but even if it meets that target, it will take more than a year to catch up on deliveries of the stored jets. At the same time, new F-35s continue to come off the production line, making it even harder to address the backlog.

With deliveries on hold, plans to establish new squadrons, train new crews, and accelerate the replacement of older aircraft types have been impacted across the F-35 user community.

An example of these problems came to light late last month, when Denmark announced that the six F-35As it uses for training at Luke Air Force Base, Arizona, will be relocated to Denmark, to help make up for the delivery shortfall of new production aircraft.

[…]

To try and keep things moving, the Joint Program Office and the U.S. military have come up with two separate TR-3 software releases.

“The first release (40P01) is a truncation of the TR-3 software at a point when the code is stable, capable, and maintainable to deliver TR-3 configured aircraft for use in combat training, but it is not until the second software release (40P02) that full combat capability is realized.”

[…]

Source: F-35 Deliveries Finally Cleared To Resume, New Jets Will Be Limited To Training

Isn’t it wonderful as a NATO country to be forced to buy American, especially when the vendors know that you are being strong-armed into buying their stuff and sell you absolute lemons. See also US / EU NATO Expenditure – is the balance really so lopsided?

Lithium Ion Batteries a Growing Source of PFAS Pollution, Study Finds

“Nature recently published an open-access article (not paywalled) that studies the lifecycle of lithium-ion batteries once they are manufactured,” writes Slashdot reader NoWayNoShapeNoForm. “The study is a ‘cradle-to-grave’ look at these batteries and certain chemicals that they contain. The University researchers that authored the study found that the electrolytes and polymers inside lithium-ion batteries contain a class of PFAS known as bis-FASI chemicals. PFAS chemicals are internationally recognized pollutants, yet they are found in consumer and industrial processes, such as non-stick coatings, surfactants, and film-forming foams. PFAS chemicals have been found in windmill coatings, semiconductors, solar collectors, and photovoltaic cells.” Phys.org reports: Texas Tech University’s Jennifer Guelfo was part of a research team that found the use of a novel sub-class of per- and polyfluoroalkyl (PFAS) in lithium ion batteries is a growing source of pollution in air and water. Testing by the research team further found these PFAS, called bis-perfluoroalkyl sulfonimides (bis-FASIs), demonstrate environmental persistence and ecotoxicity comparable to older notorious compounds like perfluorooctanoic acid (PFOA). The researchers sampled air, water, snow, soil and sediment near manufacturing plants in Minnesota, Kentucky, Belgium and France. The bis-FASI concentrations in these samples were commonly at very high levels. Data also suggested air emissions of bis-FASIs may facilitate long-range transport, meaning areas far from manufacturing sites may be affected as well. Analysis of several municipal landfills in the southeastern U.S. indicated these compounds can also enter the environment through disposal of products, including lithium ion batteries.

Toxicity testing demonstrated concentrations of bis-FASIs similar to those found at the sampling sites can change behavior and fundamental energy metabolic processes of aquatic organisms. Bis-FASI toxicity has not yet been studied in humans, though other, more well-studied PFAS are linked to cancer, infertility and other serious health harms. Treatability testing showed bis-FASIs did not break down during oxidation, which has also been observed for other PFAS. However, data showed concentrations of bis-FASIs in water could be reduced using granular activated carbon and ion exchange, methods already used to remove PFAS from drinking water.

“Our results reveal a dilemma associated with manufacturing, disposal, and recycling of clean energy infrastructure,” said Guelfo, an associate professor of environmental engineering in the Edward E. Whitacre Jr. College of Engineering. “Slashing carbon dioxide emissions with innovations like electric cars is critical, but it shouldn’t come with the side effect of increasing PFAS pollution. We need to facilitate technologies, manufacturing controls and recycling solutions that can fight the climate crisis without releasing highly recalcitrant pollutants.”

Source: Lithium Ion Batteries a Growing Source of PFAS Pollution, Study Finds

Inputs, Outputs, and Fair Uses: Unpacking Responses to Journalists’ Copyright Lawsuits

The complaints against OpenAI and Microsoft in New York Times Company v. Microsoft Corporation and Daily News, LP v. Microsoft Corporation include multiple theories––for instance, vicarious copyright infringement, contributory copyright infringement, and improper removal of copyright information. Those theories, however, are ancillary to both complaints’ primary cause of action: direct copyright infringement. While the defendants’ motions to dismiss focus primarily on jettisoning the ancillary claims and acknowledge that “development of record evidence” is necessary for resolving the direct infringement claims, they nonetheless offer insight on how the direct infringement fight might unfurl.

Direct Infringement Via Inputs and Outputs: The Daily News plaintiffs claim that by “building training datasets containing” their copyrighted works without permission, the defendants directly infringe the plaintiffs’ copyrights. Inputting copyrighted material to train Gen AI tools, they aver, constitutes direct infringement. Regarding outputs, the Daily News plaintiffs assert that “by disseminating generative output containing copies and derivatives of the” plaintiffs’ content, the defendants’ tools also infringe the plaintiffs’ copyrights. The Daily News’s input (illicit training) and output (disseminating copies) allegations track earlier contentions of The New York Times Company.

Fair Use Inputs and “Fringe” Outputs: OpenAI’s June arguments in Daily News frame “the core issue”––one OpenAI says “is for a later stage of the litigation” because discovery must first generate a factual record––facing New York City-based federal judge Sidney Stein as “whether using copyrighted content to train a generative AI model is fair use under copyright law.” Fair use, a defense to copyright infringement, involves analyzing four statutory factors: 1) the purpose and character of the allegedly infringing use; 2) the nature of copyrighted work allegedly infringed upon; 3) the amount of the copyrighted work infringed upon and whether the amount, even if small, nonetheless goes to the heart of the work; and 4) whether the infringing use will harm the market value of (or serve as a market substitute for) the original copyrighted work.

So, how might ingesting copyrighted journalistic content––the training or input aspect of the alleged infringement––be a protected fair use? Microsoft argues in Daily News that its “and OpenAI’s tools [don’t] exploit the protected expression in the Plaintiffs’ digital content.” (emphasis added). That’s a key point because copyright law does not protect things like facts, “titles, names, short phrases, and slogans.” OpenAI asserts, in response to The New York Times Company’s lawsuit, that “no one . . . gets to monopolize facts or the rules of language.” Learning semantic rules and patterns of “language, grammar, and syntax”––predicting which words are statistically most likely to follow others––is, at bottom, the purpose of the fair use to which OpenAI and Microsoft say they’re putting newspaper articles. They’re ostensibly just leveraging copyrighted articles “internally” (emphasis in original) to identify and learn language patterns, not to reproduce the articles in which those words appear.

More fundamentally, OpenAI and Microsoft aren’t attempting to disseminate copies of what copyright law is intended to incentivize and protect––“original works of authorship” and “writings.” They aren’t, the defendants claim, trying to unfairly produce market substitutes for actual newspaper articles.

How, then, do they counter the newspapers’ output infringement allegations that the defendants’ tools sometimes produce verbatim versions of the newspapers’ copyrighted articles? OpenAI contends such regurgitative outcomes “depend on an elaborate effort [by the defendants] to coax such outputs from OpenAI’s products, in a way that violates the operative OpenAI terms of service and that no normal user would ever even attempt.” Regurgitations otherwise are “rare” and “unintended,” the company adds. Barring settlements, courts will examine the input and output infringement battles in the coming months and years.

Source: Inputs, Outputs, and Fair Uses: Unpacking Responses to Journalists’ Copyright Lawsuits | American Enterprise Institute – AEI

Sharing material used to be the norm for newspapers, and should be for LLMs

Even though parents insist that it is good and right to share things, the copyright world has succeeded in establishing the contrary as the norm. Now, sharing is deemed a bad, possibly illegal thing. But it was not always thus, as a fascinating speech by Ryan Cordell, Associate Professor in the School of Information Sciences and Department of English at the University of Illinois Urbana-Champaign, underlines. In the US in the nineteenth century, newspaper material was explicitly not protected by copyright, and was routinely exchanged between titles:

Nineteenth-century editors’ attitude toward text reuse is exemplified in a selection that circulated in the last decade of the century, though often abbreviated from the version I cite here, which insists that “an editor’s selections from his contemporaries” are “quite often the best test of his editorial ability, and that the function of his scissors are not merely to fill up vacant spaces, but to reproduce the brightest and best thoughts…from all sources at the editor’s command.” While noting that sloppy or lazy selection will produce “a stupid issue,” this piece claims that just as often “the editor opens his exchanges, and finds a feast for eyes, heart and soul…that his space is inadequate to contain.” This piece ends by insisting “a newspaper’s real value is not the amount of original matter it contains, but the average quality of all the matter appearing in its columns whether original or selected.”

Material was not only copied verbatim, but modified and built upon in the process. As a result of this constant exchange, alteration and enhancement, newspaper readers in the US enjoyed a rich ecosystem of information, and a large number of titles flourished, since the cost of producing suitable material for each of them was shared and thus reduced.

That historical fact in itself is interesting. It’s also important at a time when newspaper publishers are some of the most aggressive in demanding ever stronger – and ever more disproportionate – copyright protection for their products, for example through “link taxes”. But Cordell’s speech is not simply backward looking. It goes on to make another fascinating observation, this time about large language models (LLMs):

We can see in the nineteenth-century newspaper exchanges a massive system for recycling and remediating culture. I do not wish to slip into hyperbole or anachronism, and will not claim historical newspapers as a precise analogue for twenty-first century AI or large language models. But it is striking how often metaphors drawn from earlier media appear in our attempts to understand and explain these new technologies.

The whole speech is well worth reading as a useful reminder that the current copyright panic over LLMs is in part because we have forgotten that sharing material and helping others to build on it was once the norm. And despite blinkered and selfish views to the contrary, it is still the right thing to do, just as parents continue to tell their children.

Source: Sharing material used to be the norm for newspapers, and should be for LLMs – Walled Culture

Hacking Airline WiFi The Hard Way

[…]

[Robert Heaton] had an interesting idea. Could the limited free use of the network be coopted to access the general internet? Turns out, the answer is yes.

Admittedly, it is a terrible connection. Here’s how it works. The airline lets you get to your frequent flier account. When there, you can change information such as your name. A machine on the ground can also see that change and make changes, too. That’s all it takes.

It works like a drop box. You take TCP traffic, encode it as fake information for the account and enter it. You then watch for the response via the same channel and reconstitute the TCP traffic from the remote side. Now the network is at your fingertips.

There’s more to it, but you can read about it in the post. It is slow, unreliable, and you definitely shouldn’t be doing it. But from the point of view of a clever hack, we loved it. In fact, [Robert] didn’t do it either. He proved it would work but did all the development using GitHub gist as the drop box. While we appreciate the hack, we also appreciate the ethical behavior!

Some airlines allow free messaging, which is another way to tunnel traffic. If you can connect to something, you can probably find a way to use it as a tunnel.
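From the account-service owner's side, the tell-tale sign of a profile field being used as a covert channel is a burst of rapid edits whose new values are long, high-entropy, base64-looking strings rather than names. The Python below is an added defensive illustration, not code from Robert Heaton or Hackaday; the log line format, the sample lines and the thresholds are all assumptions constructed for the example.

```python
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed format; not from any airline system).
# Each line records one profile-field change: timestamp, account, field, new value.
SAMPLE_LOG = """\
2024-07-09T10:00:01Z acct=FF100 field=name value=Jane Doe
2024-07-09T10:00:02Z acct=FF200 field=name value=aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q
2024-07-09T10:00:04Z acct=FF200 field=name value=U1lOIDE5Mi4xNjguMC4xOjQ0MyBzZXE9MQ
2024-07-09T10:00:06Z acct=FF200 field=name value=QUNLIHNlcT0yIGRhdGE9R0VUIC8gSFRUUC8x
2024-07-09T10:00:08Z acct=FF200 field=name value=R0VUIC9pbmRleC5odG1sIEhUVFAvMS4x
2024-07-09T10:00:10Z acct=FF200 field=name value=SG9zdDogZXhhbXBsZS5jb20NCg0K
2024-07-09T10:05:00Z acct=FF300 field=name value=John Q. Public
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) acct=(?P<acct>\S+) field=(?P<field>\S+) value=(?P<value>.*)$")
# Base64/URL-safe alphabet, at least 16 characters, no spaces: not what a name looks like.
OPAQUE_RE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score high, ordinary names score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_opaque(value: str, min_entropy: float = 3.0) -> bool:
    """True when the value looks like an encoded blob rather than a human name."""
    return bool(OPAQUE_RE.match(value)) and shannon_entropy(value) >= min_entropy


def parse_log(text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "acct": m["acct"],
            "field": m["field"],
            "value": m["value"],
        }


def flag_accounts(log_text: str, window_seconds: int = 60, min_changes: int = 4) -> dict:
    """Return accounts with >= min_changes opaque edits inside any window_seconds span.

    Thresholds are assumptions; tune them against real traffic before alerting on them.
    """
    opaque_times = defaultdict(list)
    for ev in parse_log(log_text):
        if is_opaque(ev["value"]):
            opaque_times[ev["acct"]].append(ev["ts"])

    flagged = {}
    for acct, times in opaque_times.items():
        times.sort()
        best = 0
        start = 0
        # Sliding window over the sorted timestamps of this account's opaque edits.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_changes:
            flagged[acct] = {"opaque_changes": best, "first_seen": times[0].isoformat()}
    return flagged


if __name__ == "__main__":
    for acct, info in flag_accounts(SAMPLE_LOG).items():
        print(f"{acct}: {info['opaque_changes']} opaque edits within 60s, first at {info['first_seen']}")
```

The same two signals (edit rate and value entropy) apply to any free-text field the captive portal lets through, which is why the check keys on the account rather than on the field name.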

Source: Hacking Airline WiFi The Hard Way | Hackaday

Report finds most subscription services manipulate customers with ‘dark patterns’

Most subscription sites use “dark patterns” to influence customer behavior around subscriptions and personal data, according to a pair of new reports from global consumer protection groups. Dark patterns are “practices commonly found in online user interfaces [that] steer, deceive, coerce or manipulate consumers into making choices that often are not in their best interests.” The international research efforts were conducted by the International Consumer Protection and Enforcement Network (ICPEN) and the Global Privacy Enforcement Network (GPEN).

The ICPEN conducted the review of 642 websites and mobile apps with a subscription component. The assessment revealed one dark pattern in use at almost 76 percent of the platforms, and multiple dark patterns at play in almost 68 percent of them. One of the most common dark patterns discovered was sneaking, where a company makes potentially negative information difficult to find. ICPEN said 81 percent of the platforms with automatic subscription renewal kept the ability for a buyer to turn off auto-renewal out of the purchase flow. Other dark patterns for subscription services included interface interference, where desirable actions are easier to perform, and forced action, where customers have to provide information to access a particular function.

The companion report from GPEN examined dark patterns that could encourage users to compromise their privacy. In this review, nearly all of the more than 1,000 websites and apps surveyed used a deceptive design practice. More than 89 percent of them used complex and confusing language in their privacy policies. Interface interference was another key offender here, with 57 percent of the platforms making the least protective privacy option the easiest to choose and 42 percent using emotionally charged language that could influence users.

Even the most savvy of us can be influenced by these subtle cues to make suboptimal decisions. Those decisions might be innocuous ones, like forgetting that you’ve set a service to auto-renew, or they might put you at risk by encouraging you to reveal more personal information than needed. The reports didn’t specify whether the dark patterns were used in illicit or illegal ways, only that they were present. The dual release is a stark reminder that digital literacy is an essential skill.

Source: Report finds most subscription services manipulate customers with ‘dark patterns’

The US Supreme Court’s Contempt for Facts Is a Betrayal of Justice

When the Supreme Court’s Ohio v. EPA decision blocked Environmental Protection Agency limits on Midwestern states polluting their downwind neighbors, a sad but telling coda came in Justice Neil Gorsuch’s opinion. In five instances, it confused nitrogen oxide, a pollutant that contributes to ozone formation, with nitrous oxide, better known as laughing gas.

You can’t make this stuff up. This repeated mistake in the 5-4 decision exemplifies a high court not just indifferent to facts but contemptuous of them.

Public trust in the Supreme Court, already at a historic low, is now understandably plunging. In the last four years, a reliably Republican majority on the high court, led by Chief Justice John Roberts, has embarked on a remarkable spree against history and reality itself, ignoring or eliding facts in decisions involving school prayer, public health, homophobia, race, climate change, abortion and clean water, not to mention the laughing gas case.

The crescendo to this assault on expertise landed in June, when the majority’s Chevron decision arrogated to the courts regulatory calls that have been made by civil servant scientists, physicians and lawyers for the last 40 years. (With stunning understatement, the Associated Press called it “a far-reaching and potentially lucrative victory to business interests.” No kidding.) The decision enthrones the high court—an unelected majority—as a group of technically incompetent, in some cases corrupt, politicos in robes with power over matters that hinge on vital facts about pollution, medicine, employment and much else. These matters govern our lives.

The 2022 Kennedy v. Bremerton School District school prayer decision hinged on a fable of a football coach offering “a quiet personal prayer,” in the words of the opinion. In reality, this coach was holding overt post-game prayer meetings on the 50-yard line, ones that an atheist player felt compelled to attend to keep off the bench. Last year’s 303 Creative v. Elenis decision, allowing a Web designer to discriminate against gay people, revolved entirely on a supposed request for a gay wedding website that never existed that (supposedly) came from a straight man who never made the request. Again, you can’t make this stuff up. Unless you are on the Supreme Court. Then it becomes law.

Summing up the Court’s term on July 1, the legal writer Chris Geidner called attention to a more profound “important and disturbing reality” of the current majority’s relationship to facts. “When it needs to decide a matter for the right, it can and does accept questionable, if not false, claims as facts. If the result would benefit the left, however, there are virtually never enough facts to reach a decision.”

The “laughing gas” decision illustrates this nicely: EPA had asked 23 states to submit a state-based plan to reduce their downwind pollution. Of those, 21 proposed to do nothing to limit their nitrogen (not nitrous) oxide emissions. Two others didn’t even respond to that extent. Instead of telling the states to cut their pollution as required by law, the Court’s majority invented a new theoretical responsibility for EPA—to account for future court cases keeping a state out of its Clean Air Act purview—and sent the case back to an appeals court.

Source: The Supreme Court’s Contempt for Facts Is a Betrayal of Justice | Scientific American

And that’s not even talking about giving sitting presidents immunity from criminal behaviour either!

Scientific articles using ‘sneaked references’ to inflate their citation numbers

[…] A recent Journal of the Association for Information Science and Technology article by our team of academic sleuths – which includes information scientists, a computer scientist and a mathematician – has revealed an insidious method to artificially inflate citation counts through metadata manipulations: sneaked references.

Hidden manipulation

People are becoming more aware of scientific publications and how they work, including their potential flaws. Just last year more than 10,000 scientific articles were retracted. The issues around citation gaming and the harm it causes the scientific community, including damaging its credibility, are well documented.

[…]

we found through a chance encounter that some unscrupulous actors have added extra references, invisible in the text but present in the articles’ metadata, when they submitted the articles to scientific databases. The result? Citation counts for certain researchers or journals have skyrocketed, even though these references were not cited by the authors in their articles.

Chance discovery

The investigation began when Guillaume Cabanac, a professor at the University of Toulouse, wrote a post on PubPeer, a website dedicated to postpublication peer review, in which scientists discuss and analyze publications. In the post, he detailed how he had noticed an inconsistency: a Hindawi journal article that he suspected was fraudulent because it contained awkward phrases had far more citations than downloads, which is very unusual.

The post caught the attention of several sleuths who are now the authors of the JASIST article. We used a scientific search engine to look for articles citing the initial article. Google Scholar found none, but Crossref and Dimensions did find references. The difference? Google Scholar is likely to mostly rely on the article’s main text to extract the references appearing in the bibliography section, whereas Crossref and Dimensions use metadata provided by publishers.

[…]

In the journals published by Technoscience Academy, at least 9% of recorded references were “sneaked references.” These additional references were only in the metadata, distorting citation counts and giving certain authors an unfair advantage. Some legitimate references were also lost, meaning they were not present in the metadata.

In addition, when analyzing the sneaked references, we found that they highly benefited some researchers. For example, a single researcher who was associated with Technoscience Academy benefited from more than 3,000 additional illegitimate citations. Some journals from the same publisher benefited from a couple hundred additional sneaked citations.
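The comparison the sleuths describe, a bibliography extracted from the article's own text against the reference list the publisher deposited as metadata, is straightforward to automate. The Python below is an added example, not the JASIST authors' tooling; it assumes the reference list can be found under a "References" heading and that the publisher metadata arrives as a list of DOIs. The article text and metadata here are constructed.

```python
import re

# DOI pattern: prefix "10." plus a registrant code, then a suffix free of whitespace and quotes.
DOI_RE = re.compile(r"10\.\d{4,9}/[^\s\"'<>,;]+", re.IGNORECASE)

# Constructed article text; only the part after the "References" heading is examined,
# so a DOI mentioned in the body does not count as a bibliography entry.
SAMPLE_FULLTEXT = """\
Abstract. We study citation metadata. Prior work (doi:10.1000/body.2017.001) is discussed.

References
[1] A. Author, "A first paper", J. Example 12 (2020). https://doi.org/10.1000/example.2020.001
[2] B. Author, "A second paper", J. Example 11 (2019). doi:10.1000/EXAMPLE.2019.042.
[3] C. Author, "A book chapter with no DOI", Some Press (2015).
[4] D. Author, "A paper the publisher dropped", J. Example 9 (2018). https://doi.org/10.1000/lost.2018.005
"""

# Constructed publisher metadata (as it might be deposited with a citation database).
SAMPLE_METADATA_DOIS = [
    "10.1000/example.2020.001",
    "10.1000/Example.2019.042",
    "10.1000/sneaked.2021.777",   # not cited anywhere in the text
    "10.1000/sneaked.2021.778",   # not cited anywhere in the text
]


def normalize_doi(doi: str) -> str:
    """DOIs are case-insensitive; also strip trailing punctuation the regex may pick up."""
    return doi.strip().rstrip(".,;:)").lower()


def bibliography_dois(fulltext: str) -> set:
    """DOIs that actually appear in the article's reference list."""
    marker = re.search(r"^\s*References\s*$", fulltext, re.MULTILINE | re.IGNORECASE)
    if marker is None:
        return set()
    return {normalize_doi(d) for d in DOI_RE.findall(fulltext[marker.end():])}


def compare_references(fulltext: str, metadata_dois) -> dict:
    """Diff the text bibliography against the deposited metadata.

    'sneaked' = present in metadata only (inflates someone's citation count);
    'lost'    = present in the text only (a genuine citation that goes uncounted).
    """
    in_text = bibliography_dois(fulltext)
    in_meta = {normalize_doi(d) for d in metadata_dois}
    sneaked = in_meta - in_text
    lost = in_text - in_meta
    return {
        "sneaked": sneaked,
        "lost": lost,
        "sneaked_share": len(sneaked) / len(in_meta) if in_meta else 0.0,
    }


if __name__ == "__main__":
    report = compare_references(SAMPLE_FULLTEXT, SAMPLE_METADATA_DOIS)
    print(f"sneaked references: {sorted(report['sneaked'])}")
    print(f"lost references:    {sorted(report['lost'])}")
    print(f"share of metadata references that are sneaked: {report['sneaked_share']:.0%}")
```

Entries without a DOI (reference [3] above) cannot be matched this way and need title matching, which is why a real audit reports the unmatched count alongside the two sets.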

[…]

Why is this discovery important? Citation counts heavily influence research funding, academic promotions and institutional rankings. Manipulating citations can lead to unjust decisions based on false data. More worryingly, this discovery raises questions about the integrity of scientific impact measurement systems, a concern that has been highlighted by researchers for years. These systems can be manipulated to foster unhealthy competition among researchers, tempting them to take shortcuts to publish faster or achieve more citations.

[…]

Source: When scientific citations go rogue: Uncovering ‘sneaked references’

Speed limiters arrive for all new cars in the European Union

It was a big week for road safety campaigners in the European Union as Intelligent Speed Assistance (ISA) technology became mandatory on all new cars.

The rules came into effect on July 7 and follow a 2019 decision by the European Commission to make ISA obligatory on all new models and types of vehicles introduced from July 2022. Two years on, and the tech must be in all new cars.

European legislators reckon that the rules will make for safer roads. However, they will also add to the ever-increasing amount of technology rolling around the continent’s highways. While EU law has no legal force in the UK, it’s hard to imagine many manufacturers making an exemption for Britain.

So how does it work? In the first instance, the speed limit on a given road can be detected by using data from a Global Navigation Satellite System (GNSS) – such as Global Positioning System (GPS) – and a digital map to come up with a speed limit. This might be combined with physical sign recognition.

If the driver is being a little too keen, the ISA system must notify them that the limit has been exceeded but, according to the European Road Safety Charter “not to restrict his/her possibility to act in any moment during driving.”

“The driver is always in control and can easily override the ISA system.”

There are four options available to manufacturers according to the regulations. The first two, a cascaded acoustic or vibrating warning, don’t intervene, while the latter two, haptic feedback through the acceleration pedal and a speed limiter, will. The European Commission noted, “Even in the case of speed control function, where the car speed will be automatically gently reduced, the system can be smoothly overridden by the driver by pressing the accelerator pedal a little bit deeper.”

The RAC road safety spokesperson Rod Dennis said: “While it’s not currently mandated that cars sold in the UK have to be fitted with Intelligent Speed Assistance (ISA) systems, we’d be surprised if manufacturers deliberately excluded the feature from those they sell in the UK as it would add unnecessary cost to production.”

This writer has driven a car equipped with the technology, and while it would be unfair to name and shame particular manufacturers, things are a little hit-and-miss. Road signs are not always interpreted correctly, and maps are not always up to date, meaning the car is occasionally convinced that the speed limit differs from reality, with various beeps and vibrations to demonstrate its belief.

Dennis cautioned, “Anyone getting a new vehicle would be well advised to familiarise themselves with ISA and how it works,” and we would have to agree.

While it is important to understand that the technology is still a driver aid and can easily be overridden, it is not hard to detect the direction of travel.

Source: Speed limiters arrive for all new cars in the European Union • The Register

Paramount Axes Decades Of Comedy Central History In Latest Round Of Brunchlord Dysfunction

Last month we noted how the brunchlords in charge of Paramount (CBS) decided to eliminate decades of MTV News journalism history as part of their ongoing “cost saving” efforts. It was just the latest casualty in an ever-consolidating and very broken U.S. media business routinely run by some of the least competent people imaginable.

We’ve noted how with streaming growth slowing, there’s no longer money to be made goosing stock valuations via subscriber growth. So media giants (and the incompetent brunchlords that usually fail upward into positions of unearned power within them) have turned their attention to all the usual tricks: layoffs, pointless megamergers, price hikes, and more and more weird and costly consumer restrictions.

Part of that equation also involves being too cheap to preserve history, as we’ve seen countless times when a journalism or media company implodes and then immediately disappears not just staffers but decades of their hard work. Usually (and this is from my experience as a freelancer) without any warning or consideration of the impact whatsoever.

Paramount has been struggling after its ingenious strategy of making worse and worse streaming content while charging more and more money somehow hasn’t panned out. While the company looks around for merger and acquisition partners, they’ve effectively taken a hatchet to company staff and history.

First with the recent destruction of the MTV News archives and a major round of layoffs, and now with the elimination of years of Comedy Central history. Last week, as part of additional cost cutting moves, the company basically gutted the Comedy Central website, eliminating years of archived video history of numerous programs ranging from old South Park clips to episodes of The Colbert Report.

A website message and press statement by the company informs users that they can simply head over to the Paramount+ streaming app to watch older content:

“As part of broader website changes across Paramount, we have introduced more streamlined versions of our sites, driving fans to Paramount+ to watch their favorite shows.”

Except older episodes of The Daily Show and The Colbert Report can no longer be found on Paramount+, also due to layoffs and cost cutting efforts at the company. Paramount is roughly $14 billion in debt due to mismanagement, and a recent plan to merge with Skydance was scuttled at the last second.

Eventually Paramount will find somebody else to merge with in order to bump stock valuations, nab a fat tax cut, and justify excessive executive compensation (look at me, I’m a savvy dealmaker!). At which point, as we saw with the disastrous AT&T–>Time Warner–>Discovery series of mergers, an entirely new wave of layoffs, quality erosion, and chaos will begin as they struggle to pay off deal debt.

It’s all so profoundly pointless, and at no point does anything like product quality, customer satisfaction, employee welfare, or the preservation of history enter into it. The executives spearheading this repeated trajectory from ill-conceived business models to mindless mergers will simply be promoted to bigger and better ventures because there’s simply no financial incentive to learn from historical missteps.

The executives at the top of the heap usually make out like bandits utterly regardless of competency or outcomes, so why change anything?

Source: Paramount Axes Decades Of Comedy Central History In Latest Round Of Brunchlord Dysfunction | Techdirt

Hackers reverse-engineer Ticketmaster’s barcode system to unlock resales on other platforms

Scalpers have used a security researcher’s findings to reverse-engineer “nontransferable” digital tickets from Ticketmaster and AXS, allowing transfers outside their apps. The workaround was revealed in a lawsuit AXS filed in May against third-party brokers adopting the practice, according to 404 Media, which first reported the news.

The saga began in February when an anonymous security researcher, going by the pseudonym Conduition, published technical details about how Ticketmaster generates its electronic tickets.

[…]

Although the companies claim the practice is strictly a security measure, it also conveniently allows them to control how and when their tickets are resold. (Yay, capitalism?)

[Image: side-by-side phone screenshots of the Ticketmaster app showing event barcodes. Credit: Ticketmaster]

Ticketmaster and AXS create their “nontransferable” tickets using rotating barcodes that change every few seconds, preventing working screenshots or printouts. On the back end, it uses underlying tech similar to two-factor authentication apps. In addition, the codes are only generated shortly before an event starts, limiting the window for sharing them outside the apps. Without interference from outside parties, the platforms get to lock ticket buyers into their own resale services, giving them vertical control of the entire ecosystem.
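To make the mechanism concrete, here is an added Python sketch of a TOTP-style rotating barcode with its gate-side verifier. It is not Ticketmaster's, AXS's or Conduition's code: the code value is an HMAC over the ticket id and the current time step, so it changes every few seconds, and the verifier only accepts it once the event window has opened and only once per ticket. The step length, the opening window and the per-ticket secret are assumptions. Because nothing but the secret and the clock go into the code, two devices holding the same secret produce identical barcodes, which is why an extracted secret is as good as the ticket itself and why the server-side controls (time window, single redemption) are the only checks that survive that extraction.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 15          # assumed rotation interval ("changes every few seconds")
GATE_OPENS_BEFORE = 3600   # assumed: codes accepted from one hour before the event


def rotating_code(secret: bytes, ticket_id: str, at: int, step: int = STEP_SECONDS) -> str:
    """8-digit code for time step at // step, derived only from secret, ticket id and time."""
    counter = at // step
    msg = ticket_id.encode("utf-8") + struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of RFC 4226 / RFC 6238.
    offset = digest[-1] & 0x0F
    number = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{number % 10**8:08d}"


class GateVerifier:
    """Server side: knows every ticket's secret, enforces the time window and single use."""

    def __init__(self, secrets: dict, event_start: int, step: int = STEP_SECONDS,
                 opens_before: int = GATE_OPENS_BEFORE, skew_steps: int = 1):
        self.secrets = secrets            # ticket id -> secret bytes (assumed to live server-side)
        self.event_start = event_start
        self.step = step
        self.opens_before = opens_before
        self.skew_steps = skew_steps
        self.redeemed = set()             # ticket ids already admitted

    def verify(self, ticket_id: str, presented: str, now: int):
        """Return (admitted, reason) for a scanned code at unix time `now`."""
        secret = self.secrets.get(ticket_id)
        if secret is None:
            return False, "unknown ticket"
        if now < self.event_start - self.opens_before:
            return False, "gate not open"
        if ticket_id in self.redeemed:
            return False, "already redeemed"
        # Tolerate a little clock skew between phone and scanner.
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            expected = rotating_code(secret, ticket_id, now + delta * self.step, self.step)
            if hmac.compare_digest(expected, presented):
                self.redeemed.add(ticket_id)
                return True, "admitted"
        return False, "code mismatch"


if __name__ == "__main__":
    secret = b"constructed-per-ticket-secret"   # constructed value for the demo
    event_start = 1_720_000_000
    gate = GateVerifier({"T-1": secret}, event_start)
    now = event_start - 600
    code = rotating_code(secret, "T-1", now)
    print("phone shows", code, "->", gate.verify("T-1", code, now))
    print("same ticket scanned again ->", gate.verify("T-1", code, now))
```

The single-redemption set is what stops one secret from admitting several people; without it, every copy of the secret yields an equally valid barcode, and the scheme is back to the unforgeable-but-perfectly-copyable state the rotating display was meant to prevent.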

That’s where the hackers come in. Using Conduition’s published findings, they extracted the platforms’ secret tokens that generate new tickets, using an Android phone with its Chrome browser connected to Chrome DevTools on a desktop PC. Using the tokens, they created a parallel ticketing infrastructure that regenerates genuine barcodes on other platforms, allowing them to sell working tickets on platforms Ticketmaster and AXS don’t allow. Online reports claim the parallel tickets often work at the gates.

According to 404 Media, AXS’ lawsuit accuses the defendants of selling “counterfeit” tickets (even though they usually work) to “unsuspecting customers.” The court documents allegedly describe the parallel tickets as “created, in whole or in part by one or more of the Defendants illicitly accessing and then mimicking, emulating, or copying tickets from the AXS Platform.”

[…]

404 Media’s entire story is worth reading. More technically minded folks may take an interest in Conduition’s earlier findings, which illustrate what the ticketing behemoths are doing on their back ends to keep the entire ecosystem in their clutches.

Source: Hackers reverse-engineer Ticketmaster’s barcode system to unlock resales on other platforms

European Commission probes Amazon, Temu, Shein over ad recommendation systems

The European Commission has sent a request for information to Amazon on measures taken to comply with a landmark EU law on content moderation, the Digital Services Act (DSA), according to a Friday (5 July) press release.

It’s the latest in a barrage of similar requests, accusations, and fines from the EU executive against big tech platforms under the DSA and the Digital Markets Act (DMA).

Amazon has been requested to provide information on the transparency of its recommendation systems, including data inputs, and opt-out options offered to users who don’t want to be profiled by their algorithms, by 26 July, the press release said.

The e-commerce giant is also requested to answer questions on its Amazon Store Ad Library, including a risk assessment report. The Library provides EU users “with the ability to query data related to advertisements and affiliate marketing content,” according to a company website.

The firm is “reviewing” the request and is working closely with the Commission, an Amazon spokesperson told Euractiv on Friday.

The Commission will assess its next steps based on the company’s replies. Amazon is designated a Very Large Online Platform (VLOP), meaning that it counts over 45 million users in Europe; the consequences can include fines of up to 6% of the company’s global annual turnover. Amazon reported $574.8 billion (€530.8 billion) in net sales in 2023.

Just one week ago, the Commission sent similar requests to e-commerce platforms Temu and Shein.

Amazon had tried to suspend its DSA obligation to make its ads repository publicly available, in the Court of Justice of the EU. But the court decided against Amazon on 27 March.

Source: European Commission probes Amazon over recommendation systems – Euractiv

Well, it’s not like Amazon hasn’t used their marketplace data to sell their own competing products before:

Amazon knew seller data was used to boost company sales

Bag maker Peak Design calls out Amazon for its copycat ways

European Commission charges Amazon over misuse of seller data to make copy cat products

Amazon Restricts How Rival Device Makers Buy Ads on Its Site

Amazon and Meta to stop using rivals’ marketplace data to undercut their products.

Amazon offers to share data, boost rivals to dodge EU antitrust fines

The list goes on and on – this is just from 2020 upwards.

Google’s Enshittification hits Fitbit: You Won’t Be Able to Access Your Fitbit Web Dashboard Any More

Today is the last day you can interact with your Fitbit health data on a big screen. Last month, Fitbit announced in a blog post that consumers will no longer have access to the tracker’s web dashboard after July 8, 2024.

Fitbit describes the move as “consolidating the dashboard into the Fitbit app.” However, the statement assumes that all of the dashboard’s functionality is on the app, and the device consumers use to log and analyze their data doesn’t matter to them, which isn’t entirely true.

In the statement Fitbit released, it attributed the decision to its parent company. “Combined with Google’s decades of being the best at making sense of data, it’s our mission to be one combined Fitbit and Google team,”

[…]

Rightfully so, consumers are not happy, and quite a few have announced their decisions to switch to a fitness-tracking alternative. Apparently, the ability to create custom meals was an option specific to the web dashboard and not available on the phone app.

Pace Charts is another feature consumers don’t see on their Fitbit mobile apps despite being promised everything the web version offers. Some users commented that they prefer the web portal for entering data, while others lamented losing a big picture overview of their stats.

[…]

Source: You Won’t Be Able to Access Your Fitbit Web Dashboard After Today

Why You Should Consider Proton Docs Over Google

Proton has officially launched Docs in Proton Drive, a new web-based productivity app that gives you access to a fully-featured text editor with shared editing capabilities and full end-to-end encryption. It’s meant to take on Google Docs—one of the leading online word processors in the world, and make it more convenient to use Proton’s storage service. But how exactly does Proton’s document editor compare to Google’s? Here’s what you need to know.

Docs in Proton Drive has a familiar face

On the surface, Docs in Proton Drive—or Proton Docs as some folks have begun calling it for simplicity’s sake—looks just like Google Docs. And that’s to be expected. Text editors don’t have much reason to stray from the same basic “white page with a bunch of toolbars” look, and they all offer the same types of tools like headlines, bullet points, font changes, highlighting, etc.

[…]

The difference isn’t in the app itself

[…]

Proton has built its entire business around the motto of “privacy first,” and that extends to the company’s latest software offerings, too. Docs in Proton Drive includes complete end-to-end encryption—down to your cursor movements—which means nobody, not even Proton, can track what you’re doing in your documents. They’re locked down before they even reach Proton’s servers.

This makes the product very enticing for businesses that might want to keep their work as private as possible while also still having the same functionality as Google Docs—because Proton isn’t missing any of the functionality that Google Docs offers, aside from the way that Google Docs integrates with the rest of the Google Suite of products.

That’s not to say that Google isn’t secure. Google does utilize its own level of encryption when storing your data in the cloud. However, it isn’t completely end-to-end encrypted, so Google has open access to your data. Google says it only trains its generative AI on “publicly accessible” information, and while that probably won’t affect most people, it is a pain point for many, especially as the company does make exceptions for features like Smart Compose.

That worry is why products with end-to-end encryption have become such a commodity in recent years—especially as cybersecurity risks continue to rise, meaning you have to trust the companies who store your data even more. Proton’s advantage is that it promises to NEVER use your content for any purpose—and those aren’t empty words. Because the company doesn’t have access to your content, it couldn’t use it even if it wanted to.

[…]

Source: Why You Should Consider Proton Docs Over Google | Lifehacker

Nike Is Killing the App for Its 5-Year-Old $350 Self-Tying Sneakers

In 2019, Nike got closer than ever to its dream of popularizing self-tying sneakers by releasing the Adapt BB. Using Bluetooth, the sneakers paired to the Adapt app that let users do things like tighten or loosen the shoes’ laces and control its LED lights. However, Nike has announced that it’s “retiring” the app on August 6, when it will no longer be downloadable from Apple’s App Store or the Google Play Store; nor will it be updated.

In an announcement recently spotted by The Verge, Nike’s brief explanation for discontinuing the app is that Nike “is no longer creating new versions of Adapt shoes.” The company started informing owners about the app’s retirement about four months ago.

Those who already bought the shoes can still use the app after August 6, but it’s expected that iOS or Android updates will eventually make the app unusable. Also, those who get a new device won’t be able to download Adapt after August 6.

Without the app, wearers are unable to change the color of the sneaker’s LED lights. The lights will either maintain the last color scheme selected via the app or, per Nike, “if you didn’t install the app, light will be the default color.” While owners will still be able to use on-shoe buttons to turn the shoes on or off, check its battery, adjust the lace’s tightness, and save fit settings, the ability to change lighting and control the shoes via mobile phone were big selling points of the $350 kicks.

[…]

Some may be unsurprised that Nike’s attempt at commercializing the shoes from Back to the Future Part II has run into a wall. Nike, for instance, also discontinued NikeConnect, its app for $200 NBA jerseys announced in 2017 that turned wearers into marketing gold.

Casual sneaker wearers would overlook the Adapt BB’s flashy features, but the shoe had inherent flaws that could frustrate sneaker fanatics, too. It didn’t take long, for example, for a recommended software update to break the shoes, including making them unwearable to anyone who wanted to tighten the laces.

[…]

Source: Nike Is Killing the App for Its $350 Self-Tying Sneakers | WIRED

Nike has a much longer history of killing apps, leaving you with junk, like the Nike+

The bloat continues: Spellcheck and autocorrect in Notepad begins rolling out. Who wants this stuff?

Notepad (version 11.2402.18.0)

With this update, Notepad will now highlight misspelled words and provide suggestions so that you can easily identify and correct mistakes. We are also introducing autocorrect which seamlessly fixes common typing mistakes as you type.

Misspelled word highlighted in Notepad with options to correct the spelling.

Getting started with spellcheck in Notepad is easy as misspelled words are automatically underlined in red. To fix a spelling mistake, click, tap, or use the keyboard shortcut Shift + F10 on the misspelled word to see suggested spellings. Selecting a suggestion immediately updates the word. You can also choose to ignore words in a single document or add them to the dictionary, so they are not flagged as a mistake again. Spellcheck in Notepad supports multiple languages.

This feature is enabled by default for some file types but is off by default in log files and other file types typically associated with coding. You can toggle this setting on or off globally or for certain file types in Notepad app settings or temporarily for the current file in the context menu. We’ve organized the settings page as well to make it easier to find and adjust Notepad app settings.

[We are beginning to roll out spellcheck in Notepad, so it may not be available to all Insiders in the Canary and Dev Channels just yet as we plan to monitor feedback and see how it lands before pushing it out to everyone.]

FEEDBACK: Please share your feedback in Feedback Hub (WIN + F) under Apps > Notepad.

Source: Spellcheck in Notepad begins rolling out to Windows Insiders | Windows Insider Blog

Guys, Notepad is supposed to be simple! The height of complexity was supposed to be choosing word wrap or not. All of this cruft is completely unnecessary. If I want it, I can start up LibreOffice Writer, Notepad++ or Proton Docs.

Dior Paid a Contractor $57 to Make a Bag That Sold for Nearly $2,800 under really bad working conditions

Italian prosecutors in Milan investigated the LVMH subsidiary Dior’s use of third-party suppliers in recent months. Prosecutors said these companies exploited workers to pump out bags for a small fraction of their store price.

Citing documents examined by authorities, Reuters reported last month that Dior paid a supplier $57 to produce bags that retailed for about $2,780. The costs do not include raw materials such as leather.

The relevant unit of Dior didn’t adopt “appropriate measures to check the actual working conditions or the technical capabilities of the contracting companies,” a prosecution document said, according to Reuters.

In probes through March and April, investigators found evidence that workers were sleeping in the facility so bags could be produced around the clock, Reuters reported. They also tracked electricity-consumption data, which showed work was being carried out during nights and holidays, the report said.

The subcontractors were Chinese-owned firms, prosecutors said. They said most of the workers were from China, with two living in the country illegally and another seven working without required documentation.

The probe also said safety devices on gluing and brushing machines were removed so workers could operate them faster.

[…]

The probe also extended to Giorgio Armani contractors, and the luxury company was accused of not properly overseeing its suppliers.

Armani paid contractors $99 per bag for products that sold for more than $1,900 in stores, according to documents seen by Reuters.

[…]

Judges in Milan have ordered units of both companies to be placed under judicial administration for one year. Reuters reported earlier this year that they’d be allowed to operate during the period.

A regular manufacturing practice

The prosecution said violating labor rules was a common industry practice that luxury giants relied on for higher profits.

“It’s not something sporadic that concerns single production lots, but a generalized and consolidated manufacturing method,” court documents about the decision to place Dior under administration said, according to Reuters.

“The main problem is obviously people being mistreated: applying labor laws, so health and safety, hours, pay,” Fabio Roia, the president of the Milan Court, told Reuters earlier this year. “But there is also another huge problem: the unfair competition that pushes law-abiding firms off the market.”

[…]

Source: Dior Paid a Contractor $57 to Make a Bag That Sold for Nearly $2,800 – Business Insider

A breakthrough in solid state sodium batteries: inexpensive, clean, fast-charging

[…] “Although there have been previous sodium, solid-state, and anode-free batteries, no one has been able to successfully combine these three ideas until now,” said UC San Diego PhD candidate Grayson Deysher, first author of a new paper outlining the team’s work.

The paper, published today in Nature Energy, demonstrates a new sodium battery architecture with stable cycling for several hundred cycles. By removing the anode and using inexpensive, abundant sodium instead of lithium, this new form of battery will be more affordable and environmentally friendly to produce. Through its innovative solid-state design, the battery also will be safe and powerful.

[…]

“In any anode-free battery there needs to be good contact between the electrolyte and the current collector,” Deysher said. “This is typically very easy when using a liquid electrolyte, as the liquid can flow everywhere and wet every surface. A solid electrolyte cannot do this.”

However, those liquid electrolytes create a buildup called solid electrolyte interphase while steadily consuming the active materials, reducing the battery’s usefulness over time.

A solid that flows

The team took a novel, innovative approach to this problem. Rather than using an electrolyte that surrounds the current collector, they created a current collector that surrounds the electrolyte.

They created their current collector out of aluminum powder, a solid that can flow like a liquid.

During battery assembly the powder was densified under high pressure to form a solid current collector while maintaining a liquid-like contact with the electrolyte, enabling the low-cost and high-efficiency cycling that can push this game-changing technology forward.

[…]

Story Source:

Materials provided by University of Chicago. Original written by Paul Dailing. Note: Content may be edited for style and length.

Journal Reference:

  1. Grayson Deysher, Jin An Sam Oh, Yu-Ting Chen, Baharak Sayahpour, So-Yeon Ham, Diyi Cheng, Phillip Ridley, Ashley Cronk, Sharon Wan-Hsuan Lin, Kun Qian, Long Hoang Bao Nguyen, Jihyun Jang, Ying Shirley Meng. Design principles for enabling an anode-free sodium all-solid-state battery. Nature Energy, 2024; DOI: 10.1038/s41560-024-01569-9

Source: A breakthrough in inexpensive, clean, fast-charging batteries | ScienceDaily

384,000 sites still pulling code from sketchy polyfill.io code library recently bought by Chinese firm

More than 384,000 websites are linking to a site that was caught last week performing a supply-chain attack that redirected visitors to malicious sites, researchers said.

For years, the JavaScript code, hosted at polyfill[.]com, was a legitimate open source project that allowed older browsers to handle advanced functions that weren’t natively supported. By linking to cdn.polyfill[.]io, websites could ensure that devices using legacy browsers could render content in newer formats. The free service was popular among websites because all they had to do was embed the link in their sites. The code hosted on the polyfill site did the rest.

The power of supply-chain attacks

In February, China-based company Funnull acquired the domain and the GitHub account that hosted the JavaScript code. On June 25, researchers from security firm Sansec reported that code hosted on the polyfill domain had been changed to redirect users to adult- and gambling-themed websites. The code was deliberately designed to mask the redirections by performing them only at certain times of the day and only against visitors who met specific criteria.

The revelation prompted industry-wide calls to take action. Two days after the Sansec report was published, domain registrar Namecheap suspended the domain, a move that effectively prevented the malicious code from running on visitor devices. Even then, content delivery networks such as Cloudflare began automatically replacing polyfill links with domains leading to safe mirror sites. Google blocked ads for sites embedding the Polyfill[.]io domain. The website blocker uBlock Origin added the domain to its filter list. And Andrew Betts, the original creator of Polyfill.io, urged website owners to remove links to the library immediately.

As of Tuesday, exactly one week after malicious behavior came to light, 384,773 sites continued to link to the site, according to researchers from security firm Censys. Some of the sites were associated with mainstream companies including Hulu, Mercedes-Benz, and Warner Bros. and the federal government. The findings underscore the power of supply-chain attacks, which can spread malware to thousands or millions of people simply by infecting a common source they all rely on.
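Censys found the lingering references by scanning sites at scale; a site owner can do the same check on their own pages. The scanner below is an added example (not from the Ars Technica article or any vendor's tool) that walks a page's HTML for script and link references to the polyfill domains the article names, including subdomains and protocol-relative URLs; the sample page is constructed.

```python
# Added example (not from the Ars Technica article or any vendor tool): scan
# a page's HTML for <script src> / <link href> references to the polyfill
# domains the article names, as a site owner auditing their own pages would.
from html.parser import HTMLParser
from urllib.parse import urlparse

FLAGGED_DOMAINS = ("polyfill.io", "polyfill.com")   # from the article; subdomains match too

def _host_of(url: str) -> str:
    """Lowercase host of an absolute or protocol-relative (//host/...) URL."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()

def is_flagged_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in FLAGGED_DOMAINS)

class _RefCollector(HTMLParser):
    """Record (line, tag, url) for every external reference to a flagged host."""
    URL_ATTR = {"script": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = self.URL_ATTR.get(tag)
        url = (dict(attrs).get(attr) or "") if attr else ""
        if url and is_flagged_host(_host_of(url)):
            self.findings.append((self.getpos()[0], tag, url))

def find_polyfill_refs(html: str) -> list:
    """Return [(line, tag, url), ...] for references to a flagged domain."""
    collector = _RefCollector()
    collector.feed(html)
    collector.close()
    return collector.findings

# Constructed sample page: one flagged script, one unrelated CDN script,
# and a protocol-relative reference, a form many sites embedded.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/x/1.0/x.js"></script>
<link rel="preload" href="//polyfill.io/v3/polyfill.min.js" as="script">
</head><body>ok</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_polyfill_refs(SAMPLE_HTML):
        print(f"line {line}: <{tag}> references {url}")
```

Run it over saved copies of your templates and rendered pages; a hit on either domain is a link that should be removed or pointed at a trusted mirror, as the article's advice says.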

[…]

Source: 384,000 sites pull code from sketchy code library recently bought by Chinese firm | Ars Technica

CocoaPods Vulnerabilities from 2014 Affect almost all Apple devices, Facebook, TikTok apps and more

CocoaPods vulnerabilities reported today could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and MacOS applications, potentially affecting “almost every Apple device.”

E.V.A Information Security researchers found that the three vulnerabilities in the open source CocoaPods dependency manager were present in applications provided by Meta (Facebook, WhatsApp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more.

The vulnerabilities have been patched, yet the researchers still found 685 Pods “that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases.”

The widespread issue is further evidence of the vulnerability of the software supply chain. The researchers wrote that they often find that 70-80% of client code they review “is composed of open-source libraries, packages, or frameworks.”

The CocoaPods Vulnerabilities

The newly discovered vulnerabilities – one of which (CVE-2024-38366) received a 10 out of 10 criticality score – actually date from a May 2014 CocoaPods migration to a new ‘Trunk’ server, which left 1,866 orphaned pods that owners never reclaimed.

The other two CocoaPods vulnerabilities (CVE-2024-38368 and CVE-2024-38367) also date from the migration.

For CVE-2024-38368, the researchers said that in analyzing the source code of the ‘Trunk’ server, they noticed that all orphan pods were associated with a default CocoaPods owner, and the email created for this default owner was unclaimed-pods@cocoapods.org. They also noticed that the public API endpoint to claim a pod was still available, and the API “allowed anyone to claim orphaned pods without any ownership verification process.”

“By making a straightforward curl request to the publicly available API, and supplying the unclaimed targeted pod name, the door was wide open for a potential attacker to claim any or all of these orphaned Pods as their own,” wrote Reef Spektor and Eran Vaknin.

Once they took over a Pod, an attacker would be able to manipulate the source code or insert malicious content into the Pod, which “would then go on to infect many downstream dependencies, and potentially find its way into a large percentage of Apple devices currently in use.”

[…]

“The vulnerabilities we discovered could be used to control the dependency manager itself, and any published package.”

Downstream dependencies could mean that thousands of applications and millions of devices were exposed over the last few years, and close attention should be paid to software that relies on orphaned CocoaPod packages that do not have an owner assigned to them.

Developers and organizations should review dependency lists and package managers used in their applications, validate checksums of third-party libraries, perform periodic scans to detect malicious code or suspicious changes, keep software updated, and limit use of orphaned or unmaintained packages.
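One concrete way to do the "validate checksums" and "periodic scans for suspicious changes" steps is to diff the SPEC CHECKSUMS that CocoaPods records in Podfile.lock against a saved baseline. The script below is an added example (not CocoaPods' or the researchers' own tooling); the pod names and checksums in the sample lockfiles are constructed.

```python
# Added example (not CocoaPods' or the researchers' tooling): parse the
# SPEC CHECKSUMS section of a Podfile.lock and report pods whose recorded
# checksum changed, or that appeared/disappeared, since a saved baseline.
import re

_SECTION = re.compile(r"^([A-Z][A-Z ]+):\s*$")                   # e.g. "SPEC CHECKSUMS:"
_CHECKSUM = re.compile(r"^\s+([^:\s]+):\s*([0-9a-f]{40})\s*$")  # "  Name: <sha1>"

def spec_checksums(lockfile_text: str) -> dict:
    """Return {pod_name: checksum} from the SPEC CHECKSUMS section only."""
    in_section, out = False, {}
    for line in lockfile_text.splitlines():
        sec = _SECTION.match(line)
        if sec:                       # any top-level key starts a new section
            in_section = sec.group(1) == "SPEC CHECKSUMS"
            continue
        entry = _CHECKSUM.match(line) if in_section else None
        if entry:
            out[entry.group(1)] = entry.group(2)
    return out

def checksum_drift(baseline: dict, current: dict) -> dict:
    """Classify pods as changed, added or removed relative to the baseline."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

# Constructed lockfiles with hypothetical pod names and checksums.
BASELINE_LOCK = """PODS:
  - ImageCache (3.1.4)
  - NetKit (1.2.0)

SPEC CHECKSUMS:
  ImageCache: 1111111111111111111111111111111111111111
  NetKit: 2222222222222222222222222222222222222222

PODFILE CHECKSUM: 3333333333333333333333333333333333333333
COCOAPODS: 1.15.2
"""
# Same project later: NetKit's spec checksum changed and a new pod appeared.
CURRENT_LOCK = BASELINE_LOCK.replace(
    "NetKit: 2222222222222222222222222222222222222222",
    "NetKit: 4444444444444444444444444444444444444444",
).replace("SPEC CHECKSUMS:\n", "SPEC CHECKSUMS:\n"
          "  Analytics: 5555555555555555555555555555555555555555\n")

if __name__ == "__main__":
    print(checksum_drift(spec_checksums(BASELINE_LOCK), spec_checksums(CURRENT_LOCK)))
```

A changed checksum for a pod whose version did not change, or a pod nobody on the team added, is exactly the kind of unexpected dependency change the researchers say to look for; treat it as a finding to investigate, not as noise.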

“Dependency managers are an often-overlooked aspect of software supply chain security,” the researchers wrote. “Security leaders should explore ways to increase governance and oversight over the use of these tools.”

Source: CocoaPods Vulnerabilities Could Affect Apple, Facebook, TikTok