Microsoft Account to local account conversion guide erased from official Windows 11 guide

Microsoft has been pushing hard for its users to sign into Windows with a Microsoft Account. The newest Windows 11 installer removed the easy bypass for the requirement that you create an account or log in with an existing one. If you installed Windows 11 with a Microsoft Account and now want to stop sending the company your data, you can still switch to a local account after the fact. Microsoft even had instructions on how to do this on its official support website – or at least it used to…

Microsoft’s ‘Change from a local account to a Microsoft Account’ guide shows users how to change their Windows 11 PC login credentials to use their Microsoft Account. The company also supplied instructions on how to ‘Change from a Microsoft account to a local account’ on the same page. However, when we checked the page using the Wayback Machine, the instructions for the latter were still present on June 12, 2024, and had disappeared by June 17, 2024. The ‘Change from a Microsoft account to a local account’ instructions have not yet returned.

Converting your Windows 11 PC’s login from a Microsoft Account to a local account is a pretty simple process. All you have to do is go to the Settings app, proceed to Accounts > Your info, and select “Sign in with a local account instead.” Follow the instructions on the screen, and you should be good to go.

[…]

It’s apparent that Microsoft really wants users to sign up and use their services, much like how Google and Apple make you create an account so you can make full use of your Android or iDevice. While Windows 11 still lets you use the OS with a local account, these developments show that Microsoft wants this option to be inaccessible, at least for the average consumer.

Source: Microsoft Account to local account conversion guide erased from official Windows 11 guide — instructions redacted earlier this week | Tom’s Hardware

Patch now: ‘Easy-to-exploit’ RCE in open source Ollama

A now-patched vulnerability in Ollama – a popular open source project for running LLMs – can lead to remote code execution, according to flaw finders who warned that upwards of 1,000 vulnerable instances remain exposed to the internet.

Wiz Research disclosed the flaw, tracked as CVE-2024-37032 and dubbed Probllama, on May 5 and its maintainers fixed the issue in version 0.1.34 that was released via GitHub a day later.

Ollama is useful for performing inference with compatible neural networks – such as Meta’s Llama family, hence the name; Microsoft’s Phi clan; and models from Mistral – and it can be used on the command line or via a REST API. It has hundreds of thousands of monthly pulls on Docker Hub.

In a report published today, the Wiz bug hunting team’s Sagi Tzadik said the vulnerability is due to insufficient validation on the server side of that REST API provided by Ollama. An attacker could exploit the flaw by sending a specially crafted HTTP request to the Ollama API server — and in Docker installations, at least, the API server is publicly exposed.

The Ollama server provides multiple API endpoints that perform core functions. This includes the API endpoint /api/pull that lets users download models from the Ollama registry as well as private registries. As the researchers found, the process to trigger the download of a model was exploitable, allowing miscreants to potentially compromise the environment hosting a vulnerable Ollama server.

“What we found is that when pulling a model from a private registry (by querying the http://[victim]:11434/api/pull API endpoint), it is possible to supply a malicious manifest file that contains a path traversal payload in the digest field,” Tzadik explained.

An attacker could then use that payload to corrupt files on the system, achieve arbitrary file read, and ultimately remote code execution (RCE) to hijack that system.

“This issue is extremely severe in Docker installations, as the server runs with root privileges and listens on 0.0.0.0 by default – which enables remote exploitation of this vulnerability,” Tzadik emphasized.
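The check that the path traversal described above calls for, as an added example that is not Ollama's own code: the vulnerable pattern of joining an untrusted manifest digest straight into a blob-store path, beside a hardened version that allow-lists the digest format and confirms the resolved path stays inside the store. The manifest layout, the blob directory and the sample manifests are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Minimal slice of a model manifest: only the field the check concerns.
// The layout is an assumption for this example, not Ollama's real schema.
type layer struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
}

type manifest struct {
	Layers []layer `json:"layers"`
}

// Vulnerable pattern: a digest taken from a remote manifest is trusted and joined
// straight into the blob-store path. filepath.Join cleans the path, so ".." segments
// inside the digest walk out of blobDir instead of being rejected.
func blobPathUnchecked(blobDir, digest string) string {
	return filepath.Join(blobDir, digest)
}

// A well-formed digest is exactly "sha256:" followed by 64 lowercase hex digits.
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

var errBadDigest = errors.New("manifest digest is not a sha256 hex digest")

// Hardened pattern: allow-list the digest format first, then confirm the resolved
// path still lies under blobDir. The second check is redundant while the allow-list
// holds, but keeps the function safe if the pattern is ever loosened.
func blobPathChecked(blobDir, digest string) (string, error) {
	if !digestRe.MatchString(digest) {
		return "", errBadDigest
	}
	base, err := filepath.Abs(blobDir)
	if err != nil {
		return "", err
	}
	p := filepath.Join(base, digest)
	rel, err := filepath.Rel(base, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", errBadDigest
	}
	return p, nil
}

// validateManifest parses a manifest body and returns the blob paths for its layers.
// Any single bad digest rejects the whole manifest before anything is written to disk.
func validateManifest(blobDir string, body []byte) ([]string, error) {
	var m manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	if len(m.Layers) == 0 {
		return nil, errors.New("manifest has no layers")
	}
	paths := make([]string, 0, len(m.Layers))
	for i, l := range m.Layers {
		p, err := blobPathChecked(blobDir, l.Digest)
		if err != nil {
			return nil, fmt.Errorf("layer %d: %w", i, err)
		}
		paths = append(paths, p)
	}
	return paths, nil
}

// Constructed sample manifests (not captured from any real registry).
const (
	blobDir      = "/var/lib/ollama/blobs" // assumed location of the blob store
	goodManifest = `{"layers":[{"mediaType":"application/vnd.example.layer",
		"digest":"sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}]}`
	badManifest = `{"layers":[{"mediaType":"application/vnd.example.layer",
		"digest":"sha256:../../../../outside-blob-store"}]}`
)

func main() {
	for _, body := range []string{goodManifest, badManifest} {
		var m manifest
		_ = json.Unmarshal([]byte(body), &m)
		fmt.Println("unchecked path:", blobPathUnchecked(blobDir, m.Layers[0].Digest))
		if paths, err := validateManifest(blobDir, []byte(body)); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted:", paths)
		}
	}
}
```

Running it shows the unchecked join resolving the second manifest's digest to a path outside the blob store, while the checked version rejects that manifest before any file operation.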

And despite a patched version of the project being available for over a month, the Wiz kids found that, as of June 10, there were more than 1,000 vulnerable Ollama server instances still exposed to the internet. In light of this, there are a couple of things anyone using Ollama should do to protect their AI applications.

First, which should go without saying, update instances to version 0.1.34 or newer. Also, as Ollama doesn’t inherently support authentication, do not expose installations to the internet unless some form of authentication sits in front of them, such as a reverse proxy that enforces it. Even better, don’t allow the internet to reach the server at all: put it behind firewalls and only allow authorized internal applications and their users to access it.

“The critical issue is not just the vulnerabilities themselves but the inherent lack of authentication support in these new tools,” Tzadik noted, referring to previous RCEs in other tools used to deploy LLMs including TorchServe and Ray Anyscale.

Plus, he added, even though these tools are new and often written in modern safety-first programming languages, “classic vulnerabilities such as path traversal remain an issue.”

Source: Patch now: ‘Easy-to-exploit’ RCE in open source Ollama

EFF: New License Plate Reader Vulnerabilities Prove The Tech Itself is a Public Safety Threat

Automated license plate readers “pose risks to public safety,” argues the EFF, “that may outweigh the crimes they are attempting to address in the first place.” When law enforcement uses automated license plate readers (ALPRs) to document the comings and goings of every driver on the road, regardless of a nexus to a crime, it results in gargantuan databases of sensitive information, and few agencies are equipped, staffed, or trained to harden their systems against quickly evolving cybersecurity threats. The Cybersecurity and Infrastructure Security Agency (CISA), a component of the U.S. Department of Homeland Security, released an advisory last week that should be a wake-up call to the thousands of local government agencies around the country that use ALPRs to surveil the travel patterns of their residents by scanning their license plates and “fingerprinting” their vehicles. The bulletin outlines seven vulnerabilities in Motorola Solutions’ Vigilant ALPRs, including missing encryption and insufficiently protected credentials…

Unlike location data a person shares with, say, GPS-based navigation app Waze, ALPRs collect and store this information without consent and there is very little a person can do to have this information purged from these systems… Because drivers don’t have control over ALPR data, the onus for protecting the data lies with the police and sheriffs who operate the surveillance and the vendors that provide the technology. It’s a general tenet of cybersecurity that you should not collect and retain more personal data than you are capable of protecting. Perhaps ironically, a Motorola Solutions cybersecurity specialist wrote in an article in Police Chief magazine this month that public safety agencies “are often challenged when it comes to recruiting and retaining experienced cybersecurity personnel,” even though “the potential for harm from external factors is substantial.” That partially explains why more than 125 law enforcement agencies reported a data breach or cyberattacks between 2012 and 2020, according to research by former EFF intern Madison Vialpando. The Motorola Solutions article claims that ransomware attacks “targeting U.S. public safety organizations increased by 142 percent” in 2023.

Yet, the temptation to “collect it all” continues to overshadow the responsibility to “protect it all.” What makes the latest CISA disclosure even more outrageous is that it is at least the third time in the last decade that major security vulnerabilities have been found in ALPRs… If there’s one positive thing we can say about the latest Vigilant vulnerability disclosures, it’s that for once a government agency identified and reported the vulnerabilities before they could do damage… The Michigan Cyber Command Center found a total of seven vulnerabilities in Vigilant devices, two of which were medium severity and five of which were high severity…

But a data breach isn’t the only way that ALPR data can be leaked or abused. In 2022, an officer in the Kechi (Kansas) Police Department accessed ALPR data shared with his department by the Wichita Police Department to stalk his wife.

The article concludes that public safety agencies should “collect only the data they need for actual criminal investigations.

“They must never store more data than they adequately protect within their limited resources – or they must keep the public safe from data breaches by not collecting the data at all.”

Source: EFF: New License Plate Reader Vulnerabilities Prove The Tech Itself is a Public Safety Threat

Systemd dev thinks it’s fine for a temp file purge command to just go and delete your /home/ directory

“A good portion of my home directory got deleted,” complained a bug report for systemd filed last week. It requested an update to a flag for the systemd-tmpfiles tool which cleans up files and directories: “a huge warning next to --purge. This option is dangerous, so it should be made clear that it’s dangerous.”

The Register explains: As long as five years ago, systemd-tmpfiles had moved on past managing only temporary files — as its name might suggest to the unwary. Now it manages all sorts of files created on the fly … such as things like users’ home directories. If you invoke the systemd-tmpfiles --purge command without specifying that very important config file which tells it which files to handle, version 256 will merrily purge your entire home directory.

The bug report first drew a cool response from systemd developer Luca Boccassi of Microsoft: “So an option that is literally documented as saying ‘all files and directories created by a tmpfiles.d/ entry will be deleted’, that you knew nothing about, sounded like a ‘good idea’? Did you even go and look what tmpfiles.d entries you had beforehand? Maybe don’t just run random commands that you know nothing about, while ignoring what the documentation tells you? Just a thought eh”

But the report then triggered “much discussion,” reports Phoronix. Some excerpts:

  • Lennart Poettering: “I think we should fail --purge if no config file is specified on the command line. I see no world where an invocation without one would make sense, and it would have caught the problem here.”
  • Red Hat open source developer Zbigniew Jędrzejewski-Szmek: “We need to rethink how --purge works. The principle of not ever destroying user data is paramount. There can be commands which do remove user data, but they need to be minimized and guarded.”
  • Systemd contributor Betonhaus: “Having a function that declares irreplaceable files — such as the contents of a home directory — to be temporary files that can be easily purged, is at best poor user interfacing design and at worst a severe design flaw.”

But in the end, Phoronix writes, systemd-tmpfiles behavior “is now improved upon.”

“Merged Wednesday was this patch that now makes systemd-tmpfiles accept a configuration file when running purge. That way the user must knowingly supply the configuration file(s) to which files they would ultimately like removed. The documentation has also been improved upon to make the behavior more clear.”

Source: Systemd 256.1 Addresses Complaint That ‘systemd-tmpfiles’ Could Unexpectedly Delete Your /home Directory

Microsoft admits no guarantee that UK policing data will stay in the UK, or stay private at all – are you looking, EU member states?!

According to correspondence released by the Scottish Police Authority (SPA) under freedom of information (FOI) rules, Microsoft is unable to guarantee that data uploaded to a key Police Scotland IT system – the Digital Evidence Sharing Capability (DESC) – will remain in the UK as required by law.

While the correspondence has not been released in full, the disclosure reveals that data hosted in Microsoft’s hyperscale public cloud infrastructure is regularly transferred and processed overseas; that the data processing agreement in place for the DESC did not cover UK-specific data protection requirements; and that while the company has the ability to make technical changes to ensure data protection compliance, it is only making these changes for DESC partners and not other policing bodies because “no one else had asked”.

The correspondence also contains acknowledgements from Microsoft that international data transfers are inherent to its public cloud architecture. As a result, the issues identified with the Scottish Police will equally apply to all UK government users, many of whom face similar regulatory limitations on the offshoring of data.

[…]

Nicky Stewart, a former ICT chief at the UK government’s Cabinet Office, said most people with knowledge of how hyperscale public cloud works have known about these data sovereignty issues for years.

“It’s clearly going to be a concern to any police force that’s using Microsoft, but it’s wider than that,” she said, adding that while Part 3 of the Data Protection Act (DPA) 2018 clearly stipulates that law enforcement data needs to be kept in the UK, other kinds of public sector data must also be kept sovereign under the new G-Cloud 14 framework, which has introduced a UK-only data hosting requirement.

[…]

Microsoft’s commitment to not access customer data without permission is further complicated by the terms of service, which make that promise strictly conditional by giving the company the ability to access data without permission if they either have to fulfil a legal burden, such as responding to government requests for data, or to maintain the service.

[…]

He added that given Microsoft’s disclosures to the SPA, “it must now be obvious that M365 and Azure Cloud services do not meet the two key requirements” to be a legal processor or sub-processor of law enforcement data under the DPA 18.

“These are: one, to conduct all processing and support activities 100% from inside the UK; and two, to only make an international transfer if they are specifically instructed to make the particular transfer by the controller,” he said.

“Microsoft have confirmed that they do not and cannot commit to requirement one for their M365 services, or indeed for most of the services they operate and support in Azure. They have also said that they cannot ‘operationalise’ individual requests as required of them under section 59(7) of the act, thus failing to meet requirement two.

“There can be no clearer evidence than Microsoft’s own clarifications that they cannot meet the legal requirements for a processor or sub-processor of law enforcement data.”

Stewart said: “If it’s not possible to understand the simple question, ‘do you know where your data is all the time?’, then you probably shouldn’t be putting your data in that platform.”

[…]

Source: Microsoft admits no guarantee of sovereignty for UK policing data | Computer Weekly

With the EU and also some EU domain name registrars (looking at you, SIDN) working with these crazy cloud providers, it should have been blindingly obvious that putting data in a US cloud provider would open it up to US spying and a complete lack of data ownership. However, idiots will be idiots.

Forbes accuses Perplexity AI of bypassing robots.txt web standard to scrape content, Tollbit startup gains publicity by baselessly accusing everyone of doing this too in open letter. Why do we listen to this shit?

[…]

A letter to publishers seen by Reuters on Friday, which does not name the AI companies or the publishers affected, comes amid a public dispute between AI search startup Perplexity and media outlet Forbes involving the same web standard and a broader debate between tech and media firms over the value of content in the age of generative AI.

The business media publisher publicly accused Perplexity of plagiarizing its investigative stories in AI-generated summaries without citing Forbes or asking for its permission.

A Wired investigation published this week found Perplexity likely bypassing efforts to block its web crawler via the Robots Exclusion Protocol, or “robots.txt,” a widely accepted standard meant to determine which parts of a site are allowed to be crawled.

Perplexity declined a Reuters request for comment on the dispute.

The News Media Alliance, a trade group representing more than 2,200 U.S.-based publishers, expressed concern about the impact that ignoring “do not crawl” signals could have on its members.

“Without the ability to opt out of massive scraping, we cannot monetize our valuable content and pay journalists. This could seriously harm our industry,” said Danielle Coffey, president of the group.

Source: Exclusive-Multiple AI companies bypassing web standard to scrape publisher sites, licensing firm says

So the original clickbait headline comes from a content licensing startup scaring content providers up but with no details whatsoever. Why is this even news?!

500,000 Books Have Been Deleted From The Internet Archive’s Lending Library by Greedy Publishers

If you found out that 500,000 books had been removed from your local public library, at the demands of big publishers who refused to let them buy and lend new copies, and were further suing the library for damages, wouldn’t you think that would be a major news story? Wouldn’t you think many people would be up in arms about it?

It’s happening right now with the Internet Archive, and it’s getting almost no attention.

As we’ve discussed at great length, the Internet Archive’s Open Library system is indistinguishable from the economics of how a regular library works. The Archive either purchases physical books or has them donated (just like a physical library). It then lends them out on a one-to-one basis (leaving aside a brief moment where it took down that barrier when basically all libraries were shut down due to pandemic lockdowns), such that when someone “borrows” a digital copy of a book, no one else can borrow that same copy.

And yet, for all of the benefits of such a system in enabling more people to be able to access information, without changing the basic economics of how libraries have always worked, the big publishers all sued the Internet Archive. The publishers won the first round of that lawsuit. And while the court (somewhat surprisingly!) did not order the immediate closure of the Open Library, it did require the Internet Archive to remove any books upon request from publishers (though only if the publishers made those books available as eBooks elsewhere).

As the case has moved into the appeals stage (where we have filed an amicus brief), the Archive has revealed that around 500,000 books have been removed from the open library.

The Archive has put together an open letter to publishers, requesting that they restore access to this knowledge and information — a request that will almost certainly fall on extremely deaf ears.

We purchase and acquire books—yes, physical, paper books—and make them available for one person at a time to check out and read online. This work is important for readers and authors alike, as many younger and low-income readers can only read if books are free to borrow, and many authors’ books will only be discovered or preserved through the work of librarians. We use industry-standard technology to prevent our books from being downloaded and redistributed—the same technology used by corporate publishers.

But the publishers suing our library say we shouldn’t be allowed to lend the books we own. They have forced us to remove more than half a million books from our library, and that’s why we are appealing. 

The Archive also has a huge collection of quotes from people who have been impacted negatively by all of this. Losing access to knowledge is a terrible, terrible thing, driven by publishers who have always hated the fundamental concept of libraries and are very much using this case as an attack on the fundamental principle of lending books.

[…]

And, why? Because copyright and DRM systems allow publishers to massively overcharge for eBooks. This is what’s really the underlying factor here. Libraries in the past could pay the regular price for a book and then lend it out. But with eBook licensing, they are able to charge exorbitant monopoly rents, while artificially limiting how many books libraries can even buy.

I don’t think many people realize the extreme nature of the pricing situation here. As we’ve noted, a book that might cost $29.99 retail can cost $1,300 for an eBook license, and that license may include restrictions, such as having to relicense after a certain number of lends, or saying a library may only be allowed to purchase a single eBook license at a time.

The ones who changed the way libraries work is not the Internet Archive. It’s the publishers. They’re abusing copyright and DRM to fundamentally kill the very concept of a library, and this lawsuit is a part of that strategy.

Source: 500,000 Books Have Been Deleted From The Internet Archive’s Lending Library | Techdirt

EU delays decision over continuous spying on all your devices *cough* scanning encrypted messages for kiddie porn

European Union officials have delayed talks over proposed legislation that could lead to messaging services having to scan photos and links to detect possible child sexual abuse material (CSAM). Were the proposal to become law, it may require the likes of WhatsApp, Messenger and Signal to scan all images that users upload — which would essentially force them to break encryption.

For the measure to pass, it would need to have the backing of at least 15 of the member states representing at least 65 percent of the bloc’s entire population. However, countries including Germany, Austria, Poland, the Netherlands and the Czech Republic were expected to abstain from the vote or oppose the plan due to cybersecurity and privacy concerns, Politico reports. If EU members come to an agreement on a joint position, they’ll have to hash out a final version of the law with the European Commission and European Parliament.

The legislation was first proposed in 2022 and it could result in messaging services having to scan all images and links with the aim of detecting CSAM and communications between minors and potential offenders. Under the proposal, users would be informed about the link and image scans in services’ terms and conditions. If they refused, they would be blocked from sharing links and images on those platforms. However, as Politico notes, the draft proposal includes an exemption for “accounts used by the State for national security purposes.”

[…]

Patrick Breyer, a digital rights activist who was a member of the previous European Parliament before this month’s elections, has argued that proponents of the so-called “chat control” plan aimed to take advantage of a power vacuum before the next parliament is constituted. Breyer says that the delay of the vote, prompted in part by campaigners, “should be celebrated,” but warned that “surveillance extremists among the EU governments” could again attempt to advance chat control in the coming days.

Other critics and privacy advocates have slammed the proposal. Signal president Meredith Whittaker said in a statement that “mass scanning of private communications fundamentally undermines encryption,” while Edward Snowden described it as a “terrifying mass surveillance measure.”

[…]

The EU is not the only entity to attempt such a move. In 2021, Apple revealed a plan to scan iCloud Photos for known CSAM. However, it scrapped that controversial effort following criticism from the likes of customers, advocacy groups and researchers.

Source: EU delays decision over scanning encrypted messages for CSAM

Watch out very, very carefully as soon as people start taking your freedoms in the name of “protecting children”.

We finally know why some people seem immune to catching covid-19

Deliberately exposing people to the coronavirus behind covid-19 in a so-called challenge study has helped us understand why some people seem to be immune to catching the infection.

As part of the first such covid-19 study, carried out in 2021, a group of international researchers looked at 16 people with no known health conditions who had neither tested positive for the SARS-CoV-2 virus nor been vaccinated against it.

The original variant of SARS-CoV-2 was sprayed up their noses. Nasal and blood samples were taken before this exposure and then six to seven times over the 28 days after. They also had SARS-CoV-2 tests twice a day.

[…]

In total, the researchers looked at more than 600,000 blood and nasal cells across all the individuals.

They found that in the second and third groups, the participants produced interferon – a substance that helps the immune system fight infections – in their blood before it was produced in their nasopharynx, the upper part of the nose behind the throat where the nasal samples were taken from. The interferon response, when it did occur in the nasopharynx, was actually higher in the noses of those in the second group than the third, says Teichmann.

These groups also didn’t have active infections within their T-cells and macrophages, which are both types of immune cell, says team member Marko Nikolic at University College London.

The results suggest that high levels of activity of an immune system gene called HLA-DQA2 before SARS-CoV-2 exposure helped prevent a sustained infection.

[…]

However, most people have now been exposed to “a veritable mosaic of SARS-CoV-2 variants”, rather than just the ancestral variant used in this study. The results may therefore not reflect cell responses outside of a trial setting, he says.

Journal reference: Nature DOI: 10.1038/s41586-024-07575-x

Source: We finally know why some people seem immune to catching covid-19 | New Scientist

FedEx’s Secretive Police Force Is Helping Cops Build An AI Car Surveillance Network

[…] Forbes has learned the shipping and business services company is using AI tools made by Flock Safety, a $4 billion car surveillance startup, to monitor its distribution and cargo facilities across the United States. As part of the deal, FedEx is providing its Flock surveillance feeds to law enforcement, an arrangement that Flock has with at least four multi-billion dollar private companies. But publicly available documents reveal that some local police departments are also sharing their Flock feeds with FedEx — a rare instance of a private company availing itself of a police surveillance apparatus.

To civil rights activists, such close collaboration has the potential to dramatically expand Flock’s car surveillance network, which already spans 4,000 cities across over 40 states and some 40,000 cameras that track vehicles by license plate, make, model, color and other identifying characteristics, like dents or bumper stickers. Lisa Femia, staff attorney at the Electronic Frontier Foundation, said because private entities aren’t subject to the same transparency laws as police, this sort of arrangement could “[leave] the public in the dark, while at the same time expanding a sort of mass surveillance network.”

[…]

It’s unclear just how widely law enforcement is sharing Flock data with FedEx. According to publicly available lists of data sharing partners, two police departments have granted the FedEx Air Carrier Police Department access to their Flock cameras: Shelby County Sheriff’s Office in Tennessee and Pittsboro Police Department in Indiana.

Shelby County Sheriff’s Office public information officer John Morris confirmed the collaboration. “We share reads from our Flock license plate readers with FedEx in the same manner we share the data with other law enforcement agencies, locally, regionally, and nationally,” he told Forbes via email.

[…]

FedEx is also sharing its Flock camera feeds with other police departments, including the Greenwood Police Department in Indiana, according to Matthew Fillenwarth, assistant chief at the agency. Morris at Shelby County Sheriff’s Office confirmed his department had access to FedEx’s Flock feeds too. Memphis Police Department said it received surveillance camera feeds from FedEx through its Connect Memphis system.

[…]

Flock, which was founded in 2017, has raised more than $482 million in venture capital investment from the likes of Andreessen Horowitz, helping it expand its vast network of cameras across America through both public police department contracts and through more secretive agreements with private businesses.

Forbes has now uncovered at least four corporate giants using Flock, none of which had publicly disclosed contracts with the surveillance startup. As Forbes previously reported, $50 billion-valued Simon Property, the country’s biggest mall owner, and home improvement giant Lowe’s, are two of the biggest clients. Like FedEx, Simon Property also has provided its mall feeds to local cops.

[…]

Kaiser Permanente, the largest health insurance company in America, has shared Flock data with the Northern California Regional Intelligence Center, an intelligence hub that provides support to local and federal police investigating major crimes across California’s west coast.

[…]

Flock’s senior vice president of policy and communications Joshua Thomas declined to comment on private customers. “Flock’s technology and tools help our customers bolster their public safety efforts by helping to deter and solve crime efficiently and objectively,” Thomas said. “Objective video evidence is crucial to solving crime and we support our customers sharing that evidence with those that they are legally allowed to do so with.”

He said Flock was helping to solve “thousands of crimes nationwide” and is working toward its “goal of leveraging technology to eliminate crime.” Forbes previously found that Flock’s marketing data had exaggerated its impact on crime rates and that the company had itself likely broken the law across various states by installing cameras without the right permits.

Source: FedEx’s Secretive Police Force Is Helping Cops Build An AI Car Surveillance Network

Seven types of microplastics found in human penises, raising questions about sexual function

The proliferation of microplastics (MPs) represents a burgeoning environmental and health crisis. Measuring less than 5 mm in diameter, MPs have infiltrated atmospheric, freshwater, and terrestrial ecosystems, penetrating commonplace consumables like seafood, sea salt, and bottled beverages. Their size and surface area render them susceptible to chemical interactions with physiological fluids and tissues, raising bioaccumulation and toxicity concerns. Human exposure to MPs occurs through ingestion, inhalation, and dermal contact. To date, there is no direct evidence identifying MPs in penile tissue. The objective of this study was to assess for potential aggregation of MPs in penile tissue. Tissue samples were extracted from six individuals who underwent surgery for a multi-component inflatable penile prosthesis (IPP).

[…]

Seven types of MPs were found in the penile tissue, with polyethylene terephthalate (47.8%) and polypropylene (34.7%) being the most prevalent. The detection of MPs in penile tissue raises inquiries on the ramifications of environmental pollutants on sexual health. Our research adds a key dimension to the discussion on man-made pollutants, focusing on MPs in the male reproductive system.

IJIR: Your Sexual Medicine Journal; https://doi.org/10.1038/s41443-024-00930-6

Source: Detection of microplastics in the human penis | International Journal of Impotence Research

Microsoft fixes hack-me-via-Wi-Fi Windows security hole

[…] CVE-2024-30078, a Wi-Fi driver remote code execution hole rated 8.8 in severity. It’s not publicly disclosed, not yet under attack, and exploitation is “less likely,” according to Redmond.

“An unauthenticated attacker could send a malicious networking packet to an adjacent system that is employing a Wi-Fi networking adapter, which could enable remote code execution,” and thus remotely, silently, and wirelessly run malware or spyware on that nearby victim’s computer, Microsoft admitted.

Childs said: “Considering it hits every supported version of Windows, it will likely draw a lot of attention from attackers and red teams alike.” Patch as soon as you can: This flaw can be abused to run malicious software on and hijack a nearby Windows PC via their Wi-Fi with no authentication needed. Pretty bad. […]

Source: Microsoft fixes hack-me-via-Wi-Fi Windows security hole • The Register

Mathematicians find odd shapes that roll like a wheel in any dimension

Mathematicians have reinvented the wheel with the discovery of shapes that can roll smoothly when sandwiched between two surfaces, even in four, five or any higher number of spatial dimensions. The finding answers a question that researchers have been puzzling over for decades.

Such objects are known as shapes of constant width, and the most familiar in two and three dimensions are the circle and the sphere. These aren’t the only such shapes, however. One example is the Reuleaux triangle, which is a triangle with curved edges, while people in the UK are used to handling equilateral curve heptagons, otherwise known as the shape of the 20 and 50 pence coins. In this case, being of constant width allows them to roll inside coin-operated machines and be recognised regardless of their orientation.

[…]

While shapes with more than three dimensions are impossible to visualise, mathematicians can define them by extending 2D and 3D shapes in logical ways. For example, just as a circle or a sphere is the set of points that sits at a constant distance from a central point, the same is true in higher dimensions. “Sometimes the most fascinating phenomena are discovered when you look at higher and higher dimensions,” says Gil Kalai at the Hebrew University of Jerusalem in Israel.

Now, Andrii Arman at the University of Manitoba in Canada and his colleagues have answered Schramm’s question and found a set of constant-width shapes, in any dimension, that are indeed smaller than an equivalent dimensional sphere.

[…]

The first part of the proof involves considering a sphere with n dimensions and then dividing it into 2n equal parts – so four parts for a circle, eight for a 3D sphere, 16 for a 4D sphere and so on. The researchers then mathematically stretch and squeeze these segments to alter their shape without changing their width. “The recipe is very simple, but we understood that only after all of our elaboration,” says team member Andriy Bondarenko at the Norwegian University of Science and Technology.

The team proved that it is always possible to do this distortion in such a way that you end up with a shape that has a volume at most 0.9n times that of the equivalent dimensional sphere. This means that as you move to higher and higher dimensions, the shape of constant width gets proportionally smaller and smaller compared with the sphere.

Visualising this is difficult, but one trick is to imagine the lower-dimensional silhouette of a higher-dimensional object. When viewed at certain angles, the 3D shape appears as a 2D Reuleaux triangle (see the middle image above). In the same way, the 3D shape can be seen as a “shadow” of the 4D one, and so on.  “The shapes in higher dimensions will be in a certain sense similar, but will grow in complexity as [the] dimension grows,” says Arman.

Having identified these shapes, mathematicians now hope to study them further. “Even with the new result, which takes away some of the mystery about them, they are very mysterious sets in high dimensions,” says Kalai.

 

Source: Mathematicians find odd shapes that roll like a wheel in any dimension | New Scientist

ASUS Releases Firmware Update for Critical Remote Authentication Bypass Affecting Seven Routers

A report from BleepingComputer notes that ASUS “has released a new firmware update that addresses a vulnerability impacting seven router models that allow remote attackers to log in to devices.” But there’s more bad news: Taiwan’s CERT has also informed the public about CVE-2024-3912 in a post yesterday, which is a critical (9.8) arbitrary firmware upload vulnerability allowing unauthenticated, remote attackers to execute system commands on the device. The flaw impacts multiple ASUS router models, but not all will be getting security updates due to them having reached their end-of-life (EoL).

Finally, ASUS announced an update to Download Master, a utility used on ASUS routers that enables users to manage and download files directly to a connected USB storage device via torrent, HTTP, or FTP. The newly released Download Master version 3.1.0.114 addresses five medium to high-severity issues concerning arbitrary file upload, OS command injection, buffer overflow, reflected XSS, and stored XSS problems.

Source: https://mobile.slashdot.org/story/24/06/17/0237229/asus-releases-firmware-update-for-critical-remote-authentication-bypass-affecting-seven-routers

Arm Memory Tag Extensions broken by speculative execution

In 2018, chip designer Arm introduced a hardware security feature called Memory Tagging Extensions (MTE) as a defense against memory safety bugs. But it may not be as effective as first hoped.

Implemented and supported last year in Google’s Pixel 8 and Pixel 8 Pro phones and previously in Linux, MTE aims to help detect memory safety violations, as well as hardening devices against attacks that attempt to exploit memory safety flaws.

[…]

MTE works by tagging blocks of physical memory with metadata. This metadata serves as a key that permits access. When a pointer references data within a tagged block of memory, the hardware checks to make sure the pointer contains a key matching that of the memory block to gain access to the data. A mismatch throws out an error.

Tag, you’re IT

Diving deeper, when MTE is active, programs can use special instructions to tag 16-byte blocks of physical memory with a 4-bit key. For example, when allocating a chunk of memory from the heap, that chunk (aligned and rounded to 16 bytes) can be tagged with the same 4-bit key, and a pointer to that chunk is generated containing the key in its upper unused bits.

When the program uses that pointer in future, referencing some part of the block, everything works fine. The pointer still contains the correct key. But if the block is freed and its key is changed, subsequent use of that stale pointer will trigger a fault by the processor, due to a mismatching key, which indicates a programming bug or a vulnerability exploit attempt, both of which you want to catch.

And if the program is hijacked via some other vulnerability, and the code is made to reference a tagged block without the right key in the pointer, that will also be caught.
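As an added illustration (not from the article, Arm, or the TikTag authors), a small software model of the tagging scheme just described: 16-byte granules, a 4-bit tag per granule, and the tag copied into the pointer's otherwise unused top byte. The bump allocator, tag rotation and the exact bit position are assumptions of this model, not Arm's specification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model parameters: 16-byte granules with a 4-bit tag each, tag kept in the
 * pointer's top byte.  Bit 56 as the tag position is a modelling assumption. */
#define GRANULE    16u
#define HEAP_SIZE  4096u
#define NGRANULES  (HEAP_SIZE / GRANULE)
#define TAG_SHIFT  56
#define TAG_MASK   0xFu
#define ADDR_MASK  ((1ull << TAG_SHIFT) - 1)

static uint8_t  heap[HEAP_SIZE];         /* simulated physical memory       */
static uint8_t  granule_tag[NGRANULES];  /* allocation tag per 16-byte block */
static uint32_t next_free;               /* bump allocator cursor           */
static uint8_t  next_tag = 1;            /* tags 1..15 rotate; 0 = untagged  */

typedef uint64_t tagged_ptr;             /* low 56 bits address, top byte tag */

static uint8_t  ptr_tag(tagged_ptr p)  { return (uint8_t)((p >> TAG_SHIFT) & TAG_MASK); }
static uint64_t ptr_addr(tagged_ptr p) { return p & ADDR_MASK; }
static tagged_ptr make_ptr(uint64_t addr, uint8_t tag) {
    return (addr & ADDR_MASK) | ((uint64_t)(tag & TAG_MASK) << TAG_SHIFT);
}
static size_t round_up(size_t n) { return (n + GRANULE - 1) / GRANULE * GRANULE; }

/* Allocate `size` bytes rounded to whole granules, colour each granule with a
 * fresh tag, and hand back a pointer carrying that same tag.  0 = heap full. */
tagged_ptr mte_alloc(size_t size) {
    size_t rounded = round_up(size);
    if (rounded == 0 || next_free + rounded > HEAP_SIZE) return 0;
    uint8_t tag = next_tag;
    next_tag = (uint8_t)((next_tag % 15) + 1);
    for (size_t g = next_free / GRANULE; g < (next_free + rounded) / GRANULE; g++)
        granule_tag[g] = tag;
    tagged_ptr p = make_ptr(next_free, tag);
    next_free += (uint32_t)rounded;
    return p;
}

/* Free: re-tag the granules so any copy of the old pointer becomes stale. */
void mte_free(tagged_ptr p, size_t size) {
    uint64_t base = ptr_addr(p);
    uint8_t fresh = (uint8_t)((ptr_tag(p) % 15) + 1);   /* always != old tag */
    for (uint64_t g = base / GRANULE; g < (base + round_up(size)) / GRANULE; g++)
        granule_tag[g] = fresh;
}

/* Tag-checked access: the hardware compares the pointer's tag with the
 * granule's tag and raises a fault on mismatch (modelled as returning false). */
static bool tag_check(tagged_ptr p) {
    uint64_t addr = ptr_addr(p);
    return addr < HEAP_SIZE && granule_tag[addr / GRANULE] == ptr_tag(p);
}
bool mte_load(tagged_ptr p, uint8_t *out) {
    if (!tag_check(p)) return false;
    *out = heap[ptr_addr(p)];
    return true;
}
bool mte_store(tagged_ptr p, uint8_t value) {
    if (!tag_check(p)) return false;
    heap[ptr_addr(p)] = value;
    return true;
}

/* The three cases from the article: in-bounds use of a live pointer (passes),
 * a pointer whose tag bits were corrupted (faults), use after free (faults). */
int demo_faults(void) {
    int faults = 0;
    uint8_t v;
    tagged_ptr buf = mte_alloc(40);                   /* 40 bytes -> 3 granules */
    mte_store(buf + 5, 0x41);
    if (!mte_load(buf + 5, &v)) faults++;             /* live pointer: no fault */
    tagged_ptr bad = make_ptr(ptr_addr(buf), (uint8_t)(ptr_tag(buf) ^ 0x8));
    if (!mte_load(bad, &v)) faults++;                 /* wrong key: fault */
    mte_free(buf, 40);
    if (!mte_load(buf, &v)) faults++;                 /* stale pointer: fault */
    return faults;                                    /* 2 */
}

/* Why a tag leak matters: with 4-bit tags only 1 of 16 tag values opens a
 * granule, and every wrong value trips a fault the system can log or act on. */
int tag_values_that_pass(void) {
    tagged_ptr buf = mte_alloc(16);
    int passing = 0;
    uint8_t v;
    for (unsigned t = 0; t <= TAG_MASK; t++)
        if (mte_load(make_ptr(ptr_addr(buf), (uint8_t)t), &v)) passing++;
    return passing;                                   /* 1 */
}

int main(void) {
    printf("faults in demo: %d (expected 2)\n", demo_faults());
    printf("tag values that pass: %d of 16\n", tag_values_that_pass());
    return 0;
}
```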

[…]

Unfortunately, MTE appears to be insufficiently secure to fulfill its security promises. Researchers affiliated with Seoul National University in South Korea, Samsung Research, and Georgia Institute of Technology in the US have found that they can break MTE through speculative execution.

The authors – Juhee Kim, Jinbum Park, Sihyeon Roh, Jaeyoung Chung, Youngjoo Lee, Taesoo Kim, and Byoungyoung Lee – say as much in their research paper, “TikTag: Breaking Arm’s Memory Tagging Extension with Speculative Execution.”

Having looked at MTE to assess whether it provides the claimed security benefit, the boffins say it does not. Instead, they found they could extract MTE tags in under four seconds around 95 per cent of the time.

“[W]e found that speculative execution attacks are indeed possible against MTE, which severely harms the security assurance of MTE,” the authors report. “We discovered two new gadgets, named TIKTAG-v1 and TIKTAG-v2, which can leak the MTE tag of an arbitrary memory address.”

[…]

The authors say that their research expands on prior work from May 2024 that found MTE vulnerable to speculative probing. What’s more, they contend their findings challenge work by Google’s Project Zero that found no side-channel attack capable of breaking MTE.

Using proof-of-concept code, MTE tags were ferreted out of Google Chrome on Android and the Linux kernel using this technique, with a success rate that exceeded 95 percent in less than four seconds, it’s claimed.

The authors have made their code available on GitHub. “When TikTag gadgets are speculatively executed, cache state differs depending on whether the gadgets trigger a tag check fault or not,” the code repo explains. “Therefore, by observing the cache states, it is possible to leak the tag check results without raising any exceptions.”

Access to leaked tags doesn’t ensure exploitation. It simply means that an attacker capable of exploiting a particular memory bug on an affected device wouldn’t be thwarted by MTE.

The researchers disclosed their findings to Arm, which acknowledged them in a developer note published in December 2023. The chip design firm said that timing differences in successful and failed tag checking can be enough to create an MTE speculative oracle – a mechanism to reveal MTE tags – in Cortex-X2, Cortex-X3, Cortex-A510, Cortex-A520, Cortex-A710, Cortex-A715, and Cortex-A720 processors.

[…]

Source: Arm Memory Tag Extensions broken by speculative execution • The Register

Signal, MEPs urge EU Council to drop law that puts a spy on everyone’s devices

On Thursday, the EU Council is scheduled to vote on a legislative proposal that would attempt to protect children online by disallowing confidential communication.

The vote had been set for Wednesday but got pushed back [PDF].

Known to detractors as Chat Control, the proposal seeks to prevent the online dissemination of child sexual abuse material (CSAM) by requiring internet service providers to scan digital communication – private chats, emails, social media messages, and photos – for unlawful content.

The proposal [PDF], recognizing the difficulty of explicitly outlawing encryption, calls for “client-side scanning” or “upload moderation” – analyzing content on people’s mobile devices and computers for certain wrongdoing before it gets encrypted and transmitted.

The idea is that algorithms running locally on people’s devices will reliably recognize CSAM (and whatever else is deemed sufficiently awful), block it, and/or report it to authorities. This act of automatically policing and reporting people’s stuff before it’s even had a chance to be securely transferred rather undermines the point of encryption in the first place.

We’ve been here before. Apple announced plans to implement a client-side scanning scheme back in August 2021, only to face withering criticism from the security community and civil society groups. In late 2021, the iGiant essentially abandoned the idea.

Europe’s planned “regulation laying down rules to prevent and combat child sexual abuse” is not the only legislative proposal that contemplates client-side scanning as a way to front-run the application of encryption. The US Earn-It Act imagines something similar.

In the UK, the Online Safety Act of 2023 includes a content scanning requirement, though with the government’s acknowledgement that enforcement isn’t presently feasible. While it does allow telecoms regulator Ofcom to require online platforms to adopt an “accredited technology” to identify unlawful content, there is currently no such technology and it’s unclear how accreditation would work.

With the EU proposal vote approaching, opponents of the plan have renewed their calls to shelve the pre-crime surveillance regime.

In an open letter [PDF] on Monday, Meredith Whittaker, CEO of Signal, which threatened to withdraw its app from the UK if the Online Safety Act disallowed encryption, reiterated why the EU client-side scanning plan is unworkable and dangerous.

“There is no way to implement such proposals in the context of end-to-end encrypted communications without fundamentally undermining encryption and creating a dangerous vulnerability in core infrastructure that would have global implications well beyond Europe,” wrote Whittaker.

European countries continue to play rhetorical games. They’ve come back to the table with the same idea under a new label

“Instead of accepting this fundamental mathematical reality, some European countries continue to play rhetorical games.

“They’ve come back to the table with the same idea under a new label. Instead of using the previous term ‘client-side scanning,’ they’ve rebranded and are now calling it ‘upload moderation.’

“Some are claiming that ‘upload moderation’ does not undermine encryption because it happens before your message or video is encrypted. This is untrue.”

The Internet Architecture Board, part of the Internet Engineering Task Force, offered a similar assessment of client-side scanning in December.

Encrypted comms service Threema published its open variation on this theme on Monday, arguing that mass surveillance is incompatible with democracy, is ineffective, and undermines data security.

“Should it pass, the consequences would be devastating: Under the pretext of child protection, EU citizens would no longer be able to communicate in a safe and private manner on the internet,” the biz wrote.

EU citizens would no longer be able to communicate in a safe and private manner on the internet

“The European market’s location advantage would suffer a massive hit due to a substantial decrease in data security. And EU professionals like lawyers, journalists, and physicians could no longer uphold their duty to confidentiality online. All while children wouldn’t be better protected in the least bit.”

Threema said if it isn’t allowed to offer encryption, it will leave the EU.

And on Tuesday, 37 Members of Parliament signed an open letter to the Council of Europe urging legislators to reject Chat Control.

“We explicitly warn that the obligation to systematically scan encrypted communication, whether called ‘upload-moderation’ or ‘client-side scanning,’ would not only break secure end-to-end encryption, but will to a high probability also not withstand the case law of the European Court of Justice,” the MEPs said. “Rather, such an attack would be in complete contrast to the European commitment to secure communication and digital privacy, as well as human rights in the digital space.” ®

Source: Signal, MEPs urge EU Council to drop encryption-eroding law • The Register

Hey, EU, stop spying on us! We are supposed to be the free ones here.

Astronomers detect sudden awakening of black hole 1m times mass of sun

The mysterious brightening of a galaxy far, far away has been traced to the heart of the star system and the sudden awakening of a giant black hole 1m times more massive than the sun.

Decades of observations found nothing remarkable about the distant galaxy in the constellation of Virgo, but that changed at the end of 2019 when astronomers noticed a dramatic surge in its luminosity that persists to this day.

Researchers now believe they are witnessing changes that have never been seen before, with the black hole at the galaxy’s core putting on an extreme cosmic light show as vast amounts of material fall into it.

“We discovered this source at the moment it started to show these variations in luminosity,” said Dr Paula Sánchez-Sáez, a staff astronomer at the European Southern Observatory headquarters in Garching, Germany. “It’s the first time we’ve seen this in real time.”

The galaxy, which goes by the snappy codename SDSS1335+0728 and lies 300m light years away, was flagged to astronomers in December 2019 when an observatory in California called the Zwicky Transient Facility recorded a sudden rise in its brightness.

The alert prompted a flurry of new observations and checks of archived measurements from ground- and space-based telescopes to understand more about the galaxy and its past behaviour.

The scientists discovered the galaxy had recently doubled in brightness in mid-infrared wavelengths, become four times brighter in the ultraviolet, and at least 10 times brighter in the X-ray range.

What triggered the sudden brightening is unclear, but writing in Astronomy and Astrophysics, the researchers say the most likely explanation is the creation of an “active galactic nucleus” where a vast black hole at the centre of a galaxy starts actively consuming the material around it.

Active galactic nuclei emit a broad spectrum of light as gas around the black hole heats up and glows, and surrounding dust particles absorb some wavelengths and re-radiate others.

But it is not the only possibility. The team has not ruled out an exotic form of “tidal disruption event”, a highly restrained phrase to describe a star that is ripped apart after straying too close to a black hole.

Tidal disruption events tend to be brief affairs, brightening a galaxy for no more than a few hundred days, but more measurements are needed to rule out the process. “With the data we have at the moment, it’s impossible to disentangle which of these scenarios is real,” said Sánchez-Sáez. “We need to keep monitoring the source.”

Source: Astronomers detect sudden awakening of black hole 1m times mass of sun | Black holes | The Guardian

Wi-Fi routers are like trackers available to everyone

Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers from the University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally — including non-Apple devices like Starlink systems — and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops.

At issue is the way that Apple collects and publicly shares information about the precise location of all Wi-Fi access points seen by its devices. Apple collects this location data to give Apple devices a crowdsourced, low-power alternative to constantly requesting global positioning system (GPS) coordinates.

Both Apple and Google operate their own Wi-Fi-based Positioning Systems (WPS) that obtain certain hardware identifiers from all wireless access points that come within range of their mobile devices. Both record the Media Access Control (MAC) address that a Wi-Fi access point uses, known as a Basic Service Set Identifier or BSSID.

Periodically, Apple and Google mobile devices will forward their locations — by querying GPS and/or by using cellular towers as landmarks — along with any nearby BSSIDs. This combination of data allows Apple and Google devices to figure out where they are within a few feet or meters, and it’s what allows your mobile phone to continue displaying your planned route even when the device can’t get a fix on GPS.

[…]

In essence, Google’s WPS computes the user’s location and shares it with the device. Apple’s WPS gives its devices a large enough amount of data about the location of known access points in the area that the devices can do that estimation on their own.

That’s according to two researchers at the University of Maryland, who theorized they could use the verbosity of Apple’s API to map the movement of individual devices into and out of virtually any defined area of the world. The UMD pair said they spent a month early in their research continuously querying the API, asking it for the location of more than a billion BSSIDs generated at random.

They learned that while only about three million of those randomly generated BSSIDs were known to Apple’s Wi-Fi geolocation API, Apple also returned an additional 488 million BSSID locations already stored in its WPS from other lookups.

[…]

Plotting the locations returned by Apple’s WPS between November 2022 and November 2023, Levin and Rye saw they had a near global view of the locations tied to more than two billion Wi-Fi access points. The map showed geolocated access points in nearly every corner of the globe, apart from almost the entirety of China, vast stretches of desert wilderness in central Australia and Africa, and deep in the rainforests of South America.

A “heatmap” of BSSIDs the UMD team said they discovered by guessing randomly at BSSIDs.

The researchers said that by zeroing in on or “geofencing” other smaller regions indexed by Apple’s location API, they could monitor how Wi-Fi access points moved over time. Why might that be a big deal? They found that by geofencing active conflict zones in Ukraine, they were able to determine the location and movement of Starlink devices used by both Ukrainian and Russian forces.

The reason they were able to do that is that each Starlink terminal — the dish and associated hardware that allows a Starlink customer to receive Internet service from a constellation of orbiting Starlink satellites — includes its own Wi-Fi access point, whose location is going to be automatically indexed by any nearby Apple devices that have location services enabled.

A heatmap of Starlink routers in Ukraine. Image: UMD.

The University of Maryland team geo-fenced various conflict zones in Ukraine, and identified at least 3,722 Starlink terminals geolocated in Ukraine.

“We find what appear to be personal devices being brought by military personnel into war zones, exposing pre-deployment sites and military positions,” the researchers wrote. “Our results also show individuals who have left Ukraine to a wide range of countries, validating public reports of where Ukrainian refugees have resettled.”

[…]

The researchers also focused their geofencing on the Israel-Hamas war in Gaza, and were able to track the migration and disappearance of devices throughout the Gaza Strip as Israeli forces cut power to the country and bombing campaigns knocked out key infrastructure.

“As time progressed, the number of Gazan BSSIDs that are geolocatable continued to decline,” they wrote. “By the end of the month, only 28% of the original BSSIDs were still found in the Apple WPS.”

In late March 2024, Apple quietly updated its website to note that anyone can opt out of having the location of their wireless access points collected and shared by Apple — by appending “_nomap” to the end of the Wi-Fi access point’s name (SSID). Adding “_nomap” to your Wi-Fi network name also blocks Google from indexing its location.

[…]

Rye said Apple’s response addressed the most depressing aspect of their research: That there was previously no way for anyone to opt out of this data collection.

“You may not have Apple products, but if you have an access point and someone near you owns an Apple device, your BSSID will be in [Apple’s] database,” he said. “What’s important to note here is that every access point is being tracked, without opting in, whether they run an Apple device or not. Only after we disclosed this to Apple have they added the ability for people to opt out.”

The researchers said they hope Apple will consider additional safeguards, such as proactive ways to limit abuses of its location API.

[…]

“We observe routers move between cities and countries, potentially representing their owner’s relocation or a business transaction between an old and new owner,” they wrote. “While there is not necessarily a 1-to-1 relationship between Wi-Fi routers and users, home routers typically only have several. If these users are vulnerable populations, such as those fleeing intimate partner violence or a stalker, their router simply being online can disclose their new location.”

The researchers said Wi-Fi access points that can be created using a mobile device’s built-in cellular modem do not create a location privacy risk for their users because mobile phone hotspots will choose a random BSSID when activated.

[…]

For example, they discovered that certain commonly used travel routers compound the potential privacy risks.

“Because travel routers are frequently used on campers or boats, we see a significant number of them move between campgrounds, RV parks, and marinas,” the UMD duo wrote. “They are used by vacationers who move between residential dwellings and hotels. We have evidence of their use by military members as they deploy from their homes and bases to war zones.”

A copy of the UMD research is available here (PDF).

Source: Why Your Wi-Fi Router Doubles as an Apple AirTag – Krebs on Security

US / EU NATO Expenditure – is the balance really so lopsided?

The visualisation of US vs EU spending on NATO going the rounds is pretty suspect: The blue area contains not just the USA, but also Canada. The US defence budget is incorrect. It fails to take into account that the US is a global player with ambitions and commitments beyond NATO. It doesn’t show that EU defence spending is larger than that of Russia and China. There is no mention of the pressure the USA exerts on its NATO allies to Buy American – and the staggering amount the US shop window filled with pretty poor products (such as the F-35) is valued at. There is no mention of the years of fragmentation inflicted on the EU by the US to ensure that the EU was never able to create economies of scale, or even a common security and defence policy. Finally, the scale of US defence spending comes at a cost. Social and welfare spending is much, much lower in the US than in the EU, which helps explain the low levels of education, happiness, social mobility, etc. in the US. A sacrifice the EU does not seem to want to make.

Comparing Apples and Pears

The relative expenditures of US Defence spending vs EU countries in a voronoi treemap but with some corrections

Original Source: Breaking Down $1.3T in NATO Defense Spending

US Budget source: The Federal Budget in Fiscal Year 2023: An Infographic | Congressional Budget Office

[…] the moral high ground on which the United States stands to shame allies on defense spending is partly an illusion. There is no question Washington spends significant resources on defense, but likening total US defense expenditures to those of its allies is not an appropriate comparison. Unlike most other NATO nations, the United States is a global actor with commitments extending to the Middle East and Indo-Pacific as well as Europe. Most European defense capabilities are expended in theater or in direct support of NATO missions like in Afghanistan, whereas only a portion of the US defense budget is dedicated to transatlantic security. […] the common pretense in US policy circles that the entirety of US defense spending is counted toward European security is logically unsound.

Source: NATO 20/2020: Twenty bold ideas to reimagine the Alliance after the 2020 US election | Atlantic Council | Scowcroft Center for Strategy and Security

top 10 countries military spending

[…] In addition, continental US territory falls under NATO’s collective-defence commitment, so US forces devoted to US continental defence also in effect amount to a NATO commitment to defend the Alliance’s largest member. The same goes particularly for Canada’s commitment to North American defence. But that commitment is Alliance-wide, and – as has been often remarked – the one activation of NATO’s Article 5 collective-defence undertaking was in the aftermath of the 9/11 attacks on the US, when the rest of the Alliance quickly supplemented US air defences with Alliance-operated AWACS airborne early-warning aircraft.

However, America is spending its defence dollars principally for its own security needs, as well as to support a range of interests and allies in other regions around the world, not exclusively Europe. As one can see, the balance sheet is complicated to say the least – those assets and resources are developed first and foremost for national interests and therefore have a dual US/external-security use. […]

Source: The US and its NATO allies: costs and value | IISS

global military spending around the world in 2015

This focus on US security needs is particularly visible when you look at the amount of troops the US commits to United Nations peacekeeping operations.

The U.S. […] currently has only 27 personnel in the peacekeepers, as of November 2023. Of them, 21 are staff officers, four are “experts on mission,” and two are police; none are troops.

Other countries that have zero “boots on the ground” include: Canada, Japan, and Australia.

Source: Charted: Contributions to UN Peacekeeping Forces by Country

US Spending is about equal to Asian spending, and only slightly higher than the largest EU contributors

charts showing relative funding and personnel contributors per continent to United Nations Peacekeeping forces

This lack of actual boots on the ground, combined with the amount of expenditure, points to what the United States is really supporting: its defence industry.

US Business interests winning – Coercion by the US to buy US products

The US uses strong arm tactics to sell their products to countries that have an indigenous arms industry – usually composed of better and cheaper to operate products. The US, however, won’t take no for an answer – and US companies profit massively. How massively? See below.

worlds largest arms exporters

[…] NATO creates a market for defence sales. Over the last two years, NATO Allies have agreed to purchase 120 billion dollars’ worth of weapons from U.S. defence companies. Including thousands of missiles to the U.K., Finland and Lithuania, hundreds of Abrams tanks to Poland and Romania, and hundreds of F-35 aircraft across many European Allied nations – a total of 600 by 2030. From Arizona to Virginia, Florida to Washington state, American jobs depend on American sales to defence markets in Europe and Canada. What you produce keeps people safe. What Allies buy keeps American businesses strong. So NATO is a good deal for the United States. […]

The U.S. alone represents a quarter of the world economy. But together, with NATO Allies, we represent half of the world’s economic might. And half of the world’s military might. Together, we have world-class militaries, vast intelligence networks, more defence spending, and unique diplomatic leverage.[…]

Source: Speech by NATO Secretary General Jens Stoltenberg at the Heritage Foundation followed by audience Q&A

A total of 23 per cent of US arms exports went to states in Europe in 2018–22, up from 11 per cent in 2013–17. Three of the USA’s North Atlantic Treaty Organization (NATO) partners in the region were among the 10 largest importers of US arms in 2018–22: the UK accounted for 4.6 per cent of US arms exports, the Netherlands for 4.4 per cent and Norway for 4.2 per cent.

[…]

Arms imports by European states were 47 per cent higher in 2018–22 than in 2013–17. The biggest European arms importer in 2018–22 was the UK, which was the 13th largest arms importer in the world, followed by Ukraine (see box 2) and Norway, ranking 14th and 15th respectively. The USA accounted for 56 per cent of the region’s arms imports in 2018–22, Russia for 5.8 per cent (mainly to Belarus) and Germany for 5.1 per cent.

European NATO states
Largely in response to the deteriorating security environment in the region, NATO states in Europe increased their arms imports by 65 per cent between 2013–17 and 2018–22. The USA accounted for 65 per cent of total arms imports by European NATO states and the NATO organization itself (see table 2) in 2018–22. The next biggest suppliers were France (8.6 per cent) and South Korea (4.9 per cent). The arms imports of European NATO states are expected to continue to rise in the coming years, based on existing programmes for arms imports. These include orders placed before the February 2022 Russian invasion of Ukraine and several large orders announced afterwards. Some of the orders placed in 2022 were the result of accelerated procurement processes implemented in response to the war in Ukraine. For example, in the first four years of the period (2018–21), Poland’s most notable arms import orders included 32 combat aircraft and 4 missile and air defence systems from the USA; however, in 2022 Poland announced new orders for 394 tanks, 96 combat helicopters and 12 missile and air defence systems from the USA; 48 combat aircraft, 1000 tanks, 672 self-propelled guns and 288 multiple rocket launchers from South Korea; and 3 frigates from the UK. After an accelerated procurement process, Germany ordered 35 combat aircraft from the USA in late 2022. These are specifically for carrying nuclear weapons owned by the USA and will replace existing aircraft that have this task.

Source: Trends in International Arms Transfers, 2022 | SIPRI

US and Russian Arms transfers globally

And if you don’t buy US equipment, or don’t want to? You are leant on before you buy and after you buy. The following is a rare but explicit example of how the US conducts ‘business’:

The U.S. government expressed disappointment with the Czech Republic and Hungary for their December moves toward acquiring non-American-made fighter jets. The rare public criticism of U.S. NATO allies comes as Poland also considers purchasing new fighter jets for its air force.

Speaking December 18, State Department spokesman Richard Boucher said that the Czech Republic, Hungary, and Poland—all of which joined NATO in 1999—should not jeopardize more urgent military needs and reforms necessary for the three countries to work more effectively with NATO’s other 16 members by purchasing advanced fighter jets, which can cost up to tens of millions of dollars apiece.

But Boucher continued by saying, “If you’re going to buy [combat aircraft], buy American.” Adding that “we think we make the best,” he said that Secretary of State Colin Powell “has raised the interest of American companies in selling airplanes” during meetings with officials from the three countries. […]

The Pentagon estimated in June that a sale of 60 U.S. F-16 fighters to Poland would cost $4.3 billion. This price tag includes missiles and bombs to arm the aircraft as well as U.S. training.

Source: U.S. Urges 3 NATO Countries to Buy U.S. Fighters | Arms Control Association

MR. BOUCHER: The Secretary has been a staunch supporter of American aircraft sales, and in his meetings from the very beginning of the Administration, he has raised the fortunes of American companies and the fact that we make the best airplanes in the world. He has pressed that in a variety of meetings. So we are disappointed that the Czech Republic and Hungary recently took steps forward in procuring advanced supersonic fighter aircraft […] The Secretary has raised these issues about the cost, the spending, the implication for other programs. But in the end, he has always said if you’re going to buy airplanes, you ought to buy American ones.

QUESTION: So do you think that their purchase of these jets and using them could affect badly — adversely affect NATO in some way?

MR. BOUCHER: We have — I think we have tried to make clear all along that, as nations address these force requirements and these purchases, they needed to consider the overall impact on military reform programs and abilities to meet their broader global force obligations to NATO. And those are important questions that we think need to be considered.

[…]

MR. BOUCHER: Yes. If you’re going to buy, buy American. But consider carefully how you can meet your overall obligations.

QUESTION: Richard, you seem to be saying — let me get this straight. Do you think it was unwise of these two governments to decide to buy planes instead of doing something else with the money?

MR. BOUCHER: I don’t think I would use your language. I think I will stick to my language, thanks.

QUESTION: What was your language — you think it was what, then? You think —

MR. BOUCHER: As I said, we think that they should avoid major defense procurements, which could jeopardize other urgently needed military reforms.

QUESTION: But if they are going to make them, they should buy from the States and not from —

MR. BOUCHER: Yes

[…]

QUESTION: I don’t understand the interoperability thing that you just brought up with Barry. Because, I mean, are you saying that, say, French aircraft or British aircraft are not interoperable within the NATO scheme of things? I mean, these countries fly their own planes. Why can’t — why do the Czechs have to buy your planes, and why can’t they buy from someone — I mean, I can understand if they were buying from China, or from — (laughter) — what’s the deal?

[…]

MR. BOUCHER: Nobody said they can’t buy some other airplane. We haven’t argued that these other airplanes cannot be interoperable with NATO — with American airplanes or NATO airplanes or other airplanes that NATO maintains in its inventory. Our view has been that when it comes to airplanes, first of all, we make the best ones. And second of all, we make airplanes that have been deployed throughout the world, that have been proven in combat, that have been proven in lots of different situations. And they have a demonstrated record of interoperability, as well as performance. And we think we make the best. So we make that clear to other countries when we talk to them.

QUESTION: But can’t you let, you know, Boeing and Lockheed Martin make their own sales pitch for them?

MR. BOUCHER: We like to support American workers, American companies.

QUESTION: All right.

QUESTION: Sort of related to that. Can you just expand on how the Secretary has raised the fortunes of American aircraft companies? I’m just — that was what you said originally —

MR. BOUCHER: Perhaps it’s not the best phrase. He has raised the interests of American aircraft companies in selling airplanes.

QUESTION: But he didn’t — I just want to —

MR. BOUCHER: I didn’t say he — that he — I didn’t mean to say that he brought more money their way. No.

QUESTION: Okay. I just —

MR. BOUCHER: That was a bad — perhaps a bad choice of words. But that was not the implication. He has raised the interest of American companies in selling airplanes.

Source: NATO Allies Should Buy American-Made Fighters | Defense-aerospace.com | US State Department; issued Dec. 18, 2001 | excerpt from the transcript of the State Department’s Noon Briefing, December 18, 2001, by State Department spokesman Richard Boucher.

US Interference with common EU Defence policy

The following excerpts show the US way of thinking regarding a common EU defence policy. The US has spent decades strong-arming the EU into not working together. It used scare tactics and nonsense texts to assure US supremacy within NATO as well as globally. Of course, much can be said about the EU allowing itself to be bossed around; the weak spines of EU politicians (and of course their wallets, as they were still paying back the Marshall Plan on uncertain terms) are plain to see. At the same time, their military advisors were acting out of self-interest – they wanted to keep playing with US toys, at US facilities and at the scale of US exercises, and did not see that with a single EU defence policy they would be able to play at that scale too, but with toys and capabilities they got to design themselves, instead of riding on US coat-tails.

From a military standpoint, the European Union’s Security and Defense Policy (ESDP) defies logic. Why would the European allies seek to create a competing military force outside NATO when worried about American isolationism and when unable and unwilling to dedicate the necessary resources? This article suggests an alternative motive behind the European Union’s establishment of a defense program—the development and enhancement of a “European identity.” In short, the ESDP is designed in no small part to further the project of nation-building in a broadening European Union. This article proposes a social-constructivist framework for analyzing this development.

Source: European Security and Defense Policy Demystified | Armed Forces and Society

The level of Europe’s defense spending and the size of its collective forces in uniform should make it a global power with one of the strongest militaries in the world. But Europe does not act as one on defense, even though it formed a political union almost 30 years ago. Europe’s military strength today is far weaker than the sum of its parts. This is not just a European failure; it is also fundamentally a failure of America’s post-Cold War strategy toward Europe—a strategy that remains virtually unchanged since the 1990s.

Europe’s dependence on the United States for its security means that the United States possesses a de facto veto on the direction of European defense. Since the 1990s, the United States has typically used its effective veto power to block the defense ambitions of the European Union. This has frequently resulted in an absurd situation where Washington loudly insists that Europe do more on defense but then strongly objects when Europe’s political union—the European Union—tries to answer the call. This policy approach has been a grand strategic error—one that has weakened NATO militarily, strained the trans-Atlantic alliance, and contributed to the relative decline in Europe’s global clout. As a result, one of America’s closest partners and allies of first resort is not nearly as powerful as it could be.

[…]

U.S. policy has consistently opposed EU defense efforts since the late 1990s, arguing that EU defense efforts would undermine NATO. State Department officials’ oft-repeated claim, virtually unchanged over the past three decades, is that an EU defense structure would “duplicate” NATO, making the treaty organization obsolete. Democratic and Republican administrations have repeated the mantra “no duplication” so often that it has become U.S. policy doctrine.5 But rarely, if ever, is the concern about possible duplication actually unpacked and assessed.

[…]

The limited nature of current EU defense efforts is no doubt the fault of the EU. But the immense agency the United States has on European defense questions is also undeniable. Since the 1990s, the United States has wielded its influence, often by mobilizing EU members that are most dependent on U.S. security guarantees to block or constrain EU efforts.

Thus, for nearly 25 years, the United States has opposed the federalization of European foreign and defense policy at the EU level.

[…]

In December 1998, Secretary of State Madeleine Albright struck a different tone than her predecessor 45 years earlier.13 In just a few short sentences, she laid out Washington’s concerns. She explained that the effort to create a European Security and Defense Identity (ESDI) must avoid “de-linking ESDI from NATO, avoid duplicating existing efforts, and avoid discriminating against non-EU members.” Secretary Albright’s address became known as the “three Ds”—no duplicating, discriminating, or delinking.

Secretary Albright’s speech was prompted by what seemed, at the time, like a stunning European breakthrough on defense. Just four days prior, a remarkable agreement was signed by U.K. Prime Minister Tony Blair and French President Jacques Chirac in St. Malo, France. There, the two largest European military powers agreed to support the formation of a 60,000 strong European force.

[…]

Secretary Albright’s “three Ds,” if rigidly interpreted, left little room for the EU to expand into defense. The speech became a de facto doctrine that has been rigidly adhered to ever since, even if that was not the original intent. The subsequent two decades have shown that any EU effort could be accused of being duplicative or discriminating against non-EU states.

[…]

U.S. Secretary of Defense William Cohen warned in his final NATO summit in 2000—in what The Washington Post described as an “unusually passionate speech” at a NATO Defense Ministerial—that “there will be no EU caucus in NATO” and that NATO could become “a relic of the past” should the EU move forward with its proposal to set up a rapid reaction force.16

[…]

Indeed, when the Bush administration took office in 2001, it pushed NATO to create an alternative to the EU’s rapid reaction force proposal, the NATO Response Force.

[…]

In a letter that caught Brussels completely off guard, the State Department’s Under Secretary of State Andrea Thompson and Under Secretary of Defense Ellen Lord warned the EU of retribution if it did not include the United States or third parties to participate in PESCO projects.33 Returning to the concerns that Secretary Albright had voiced 20 years prior, they argued that there was a risk of “EU capabilities developing in a manner that produces duplication, non-interoperable military systems, diversion of scarce defense resources, and unnecessary competition between NATO and the EU.”34 Yet the inclusion that the Trump administration demanded is not reciprocal, as the United States would not allow European defense companies similar access to the U.S. defense procurements.35 The U.S. Congress wants American taxpayer dollars to go to American companies, and yet the United States expects the EU to operate differently.

The Trump administration maintained U.S. opposition to EU defense, less to preserve NATO equities and more for petty, parochial purposes: the interests of U.S. defense companies. As Nick Witney of the European Council on Foreign Relations (ECFR) points out, the United States “aggressively lobbied against Europeans’ efforts to develop their defence industrial and technological base.”36 This exposes the contradictory nature of U.S. policy: The United States expects Europe to get its act together on defense but to not spend its taxpayer euros on European companies. Indeed, it is hard to see Europeans spending robustly on defense if that spending does not support European jobs and innovation.

[…]

The problem with the current state of European defense is not fundamentally about spending. Collectively, European defense spending levels should actually be enough to put forth a fighting force roughly on par with other global powers. While it is difficult to compare in absolute numbers given the differences in purchasing power, when taken together, the EU spends more on defense than either Russia or China, at nearly $200 billion per year.38

[…]

Source: The Case for EU Defense – A New Way Forward for Trans-Atlantic Security Relations | Center for American Progress

RAND is enormously respected; note the fear instigated in each of its possible scenarios for a common EU defence policy – they apparently lead to greater conflict in the world, and otherwise NATO suffers.

This study explored three possible futures of European strategic autonomy in defence to understand their policy implications.

[…] Experts varied in their views of which scenario was most plausible, with European interviewees tending to lean towards Scenario 1, which envisages development of a strong European pillar of NATO, on the basis of current trends; and US interviewees expressing some scepticism of this being plausible in the short term (next five years or so). As a result, several US interviewees noted that elements of Scenario 2, which envisage a faltering EU defence integration and transatlantic fragmentation, might be more plausible. A strong Europe that does not rely on NATO for access to military capabilities and structures, as envisaged in Scenario 3, was generally perceived as implausible in the short (five year) term considered by this study.

RAND overview of scenarios

A militarily stronger EU has clear benefits for NATO and the U.S., but the path towards it is not without risks – particularly if it diverges from NATO.

A strong European pillar within NATO was largely seen by experts as advantageous for all actors considered: bringing greater military strength to NATO, while creating a militarily stronger partner to the U.S. in a time of intense global competition. Conversely, a capable EU that duplicates or disregards NATO was seen as a threat to transatlantic relations. A number of US interviewees also perceived a risk that the U.S. would lose influence in Europe and would risk divergence of foreign and security policy. This was seen as particularly concerning vis-à-vis other countries the U.S. perceives as competitors and adversaries (e.g. China, Russia) but which some in the EU may not perceive in the same way. The risks accompanying such divergence due to a militarily independent EU were seen as not too dissimilar to those of the opposite extreme of a fragmented Europe. A militarily fragmented EU, then, could weaken NATO in terms of defence capabilities but could also mean a further relative increase in US influence within NATO, potentially driving greater coherence of the Alliance. Overall, however, NATO’s credibility – tightly knit with the strength, effectiveness and coordination of military capabilities of the 30 allies – would likely suffer in this scenario. This is because most EU member states are also NATO members and the forces and capabilities they have are the same – whether used for EU CSDP missions or operations through NATO. US foreign and security policy ambitions could also suffer if one of its crucial allies were to become fragmented and militarily weak.

[…]

Source: European Strategic Autonomy in Defence -Transatlantic visions and implications for NATO, US and EU relations | RAND

Other Spending Priorities

Social protection spending USA vs EU

In 2022 the USA spent 1.2 billion dollars on Social Protection; the EU spent 3.46 billion dollars.

Note – this does not include the UK. Including the UK would make the USA look even worse than this.

Social spending EU 2022: Eurostat

Social spending US 2022: US / https://www.cbo.gov/publication/58592/html

Average exchange rate EUR to USD in 2022: https://www.exchangerates.org.uk/EUR-USD-spot-exchange-rates-history-2022.html

OECD social spending in 2022: OECD (2024), Social spending (indicator). doi: 10.1787/7497563b-en (Accessed on 13 March 2024)

Voronoi Treemap Generator / another Voronoi Treemap generator

As you can tell, the EU seems to care a lot more for its citizens.

The EU also believes in prevention. Delivering Official Development Assistance (ODA) is a way to prevent conflicts globally. The EU spends around EUR 50 billion per year on ODA; the US requested $10.5 billion for bolstering humanitarian assistance in 2023. The EU is also set to spend around EUR 578 billion on climate spending in the period 2021–2027, around EUR 82.5 billion per year; the US around $2.3 billion in 2023. Climate change affects refugee streams, changing ecosystems and their economic attractiveness. It also makes working conditions harder for people in the defence industry:

The security threats of climate change

With the alarming acceleration of global warming and weather extremes across the globe, environmental issues have become more severe and climate change has become a defining issue of our time. Climate change causes complications for fresh water management and water scarcity, as well as health issues, biodiversity loss and demographic challenges. Other consequences like famine, drought and marine environmental degradation lead to loss of land and livelihood, and have a disproportionate impact on women and girls, and poor and vulnerable populations.

Climate change is also a threat multiplier that affects NATO security, operations and missions both in the Euro-Atlantic area and in the Alliance’s broader neighbourhood. It makes it harder for militaries to carry out their tasks. It also shapes the geopolitical environment, leading to instability and geostrategic competition and creating conditions that can be exploited by state and non-state actors that threaten or challenge the Alliance. Increasing surface temperatures, thawing permafrost, desertification, loss of sea ice and glaciers, and the opening up of shipping lanes may cause volatility in the security environment. As such, the High North is one of the epicentres of climate change.

Climate change affects the current and future operating environment, and the military will need to ensure its operational effectiveness in increasingly harsh conditions. Greater temperature extremes, sea level rise, significant changes in precipitation patterns and extreme weather events test the resilience of militaries and infrastructure. For example, increases in ambient temperatures coupled with changing air density (pressure altitude) can have a detrimental impact on fixed- and rotary-wing aircraft performance and air transport capability. Similarly, preventing the overheating of military aircraft, especially the sensitive electronic and airbase installations, requires an increased logistical effort and higher energy consumption. Many transport routes are located on coastal roads, which are particularly vulnerable to weather extremes. These are not only challenges to engineering and technology development, but must also be factored into operational planning scenarios.

Source: Environment, climate change and security | NATO

Happiness

The USA ranks 15th; places 1–9 are all in the EU.

[Figure: World Happiness Report 2023 bar chart]

Source: World Happiness, Trust and Social Connections in Times of Crisis | World Happiness Report

Conclusion

The US does indeed spend more than the EU on its armed forces, but the amount ‘spent on NATO’ is not a true reflection. The US budget also includes homeland forces as well as the expeditionary ambitions of the USA. It also turns out that the USA thwarts attempts by Europe to form a common security and defence policy, both through its vocal stance against “duplication” by the EU of NATO forces and through strong-arm tactics that force the EU to buy American, to the detriment of the EU arms industry.

The US budget props up an arms-based economy, to the detriment of the US population. US citizens are notably less happy than EU citizens, most likely due to the relatively tiny amount that the US spends on social protection compared with the EU countries.

ASUS promises to fix its broken support

ASUS has suddenly agreed “to overhaul its customer support and warranty systems,” writes the hardware review site Gamers Nexus — after a three-video series on its YouTube channel documented bad and “potentially illegal” handling of customer warranties for the channel’s 2.2 million viewers.

The Verge highlights ASUS’s biggest change: If you’ve ever been denied a warranty repair or charged for a service that was unnecessary or should’ve been free, Asus wants to hear from you at a new email address. It claims those disputes will be processed by Asus’ own staff rather than outsourced customer support agents…. The company is also apologizing today for previous experiences you might have had with repairs. “We’re very sorry to anyone who has had a negative experience with our service team. We appreciate your feedback and giving us a chance to make amends.”

It started five weeks ago when Gamers Nexus requested service for a joystick problem, according to a May 10 video. First they’d received a response wrongly telling them their damage was out of warranty — which also meant Asus could add a $20 shipping charge for the requested repair. “Somehow that turned into ASUS saying the LCD needs to be replaced, even though the joystick is covered under their repair policies,” the investigators say in the video. [They also note this response didn’t even address their original joystick problem — “only that thing that they had decided to find” — and that ASUS later made an out-of-the-blue reference to “liquid damage.”] The repair would ultimately cost $191.47, with ASUS mentioning that otherwise “the unit will be sent back un-repaired and may be disassembled.” ASUS gave them four days to respond, with some legalese adding that an out-of-warranty repair fee is non-refundable, yet still “does not guarantee that repairs can be made.”

Even when ASUS later agreed to do a free “partial” repair (providing the requested in-warranty service), the video’s investigators still received another email warning of “pending service cancellation” and return of the unit unless they spoke to “Invoice Quotation Support” immediately. The video-makers stood firm, and the in-warranty repair was later performed free — but they still concluded that “It felt like ASUS tried to scam us.” ASUS’s response was documented in a second video, with ASUS claiming it had merely been sending a list of “available” repairs (and promising that in the future ASUS would stop automatically including costs for the unrequested repair of “cosmetic imperfections” — and that they’d also change their automatic emails.)

Gamers Nexus eventually created a fourth, hour-long video confronting various company officials at Computex — which finally led to them publishing a list of ASUS’s promised improvements on Friday. Some highlights:

  • ASUS promises it’s “created a Task Force team to retroactively go back through a long history of customer surveys that were negative to try and fix the issues.” (The third video from Gamers Nexus warned ASUS was already on the government’s radar over its handling of warranty issues.)
  • ASUS also announced their repairs centers were no longer allowed to claim “customer-induced damage” (which Gamers Nexus believes “will remove some of the financial incentive to fail devices” to speed up workloads).
  • ASUS is creating a new U.S. support center allowing customers to choose either a refurbished board or a longer repair.

Gamers Nexus says they already have devices at ASUS repair centers — under pseudonyms — and that they “plan to continue sampling them over the next 6-12 months so we can ensure these are permanent improvements.” And there’s one final improvement, according to Gamers Nexus. “After over a year of refusing to acknowledge the microSD card reader failures on the ROG Ally [handheld gaming console], ASUS will be posting a formal statement next week about the defect.”

Source: ASUS Promises Support Overhaul After YouTube Investigators Allege Dishonesty

This is the culmination of a huge and growing backlash over problems with ASUS: its exploding CPUs, slower products following new product releases, and its support.

Sources: https://linustechtips.com/topic/1506526-rant-why-is-linus-quiet-about-asus-problems/ / https://www.reddit.com/r/pcmasterrace/comments/13vbyr2/actually_fuck_asus_i_will_never_purchase_another/ / https://www.reddit.com/r/pcmasterrace/comments/1cmoriv/asus_wants_3758_to_repair_a_small_plastic_indent/ / https://www.reddit.com/r/LinusTechTips/comments/18zm3hm/ltt_stopping_sponsorships_with_asus/

Light-activated speed drugs could keep sleep-deprived military pilots alert

[Figure: military pilot on drugs]

[…]

The AWARE program, a project of the US Defense Advanced Research Projects Agency (DARPA), aims to develop a new version of dextroamphetamine that can be activated or deactivated through exposure to near-infrared light. This would enable near-infrared light emitters in a helmet to selectively activate the stimulant in the brain’s prefrontal cortex, and then switch it off when not needed – allowing US military pilots to maintain maximum alertness on duty and catch up on sleep more easily afterward.

If it succeeds, DARPA’s AWARE technology could specifically avoid activating the stimulant in parts of the brain where it might cause unwanted side effects, such as anxiety or euphoria. A euphoric response can also increase the risk of addiction, another unwanted outcome. This may allow military personnel to activate smaller quantities of dextroamphetamine molecules in order to “truly tailor the dosage to the pilot in a personalised way”, says Pedro Irazoqui, program manager for the AWARE project.

The US military has used dextroamphetamine for decades, since the Vietnam War. When a US-led coalition defeated the Iraqi invasion of Kuwait in 1991, a survey showed most F-15 Eagle fighter pilots reported using the stimulants during combat air patrols. But in addition to its addictive potential, the drug’s side effects “can adversely impact team performance”, and the long-lasting stimulant effect can prevent military personnel from taking advantage of naps, according to the DARPA program description. The Air Force suspended stimulant use between 1996 and 2001. However, pilots flying B-2 Spirit bombers were once again using dextroamphetamine during the US invasion of Iraq in 2003.

[…]

Some of the main challenges involve modifying the dextroamphetamine molecule so one portion changes only in the presence of a specific band of near-infrared light, along with making sure that this “PhotoDex” version cannot work in the absence of such light, says Irazoqui. DARPA also plans to work closely with both helmet manufacturers and the US Air Force to ensure the wearable light emitters are compatible with US military headgear.

No photoswitchable drugs have made it into clinical use yet, says Rafael Gómez-Bombarelli at the Massachusetts Institute of Technology. But his research group has used artificial intelligence to design such drugs, and he says technologies exist to help achieve DARPA’s goal.

The DARPA program’s work, which will involve technological development along with safety and efficacy testing in animals, is expected to begin in the fall of 2024 and continue until the fall of 2027. Then the US Air Force plans to take over and begin experiments with humans.

[…]

Source: Light-activated drugs could keep sleep-deprived military pilots alert | New Scientist

If Creepy Spyware Clearview AI scanned your face, you may get equity in the company

Controversial facial recognition company Clearview AI has agreed to an unusual settlement to a class action lawsuit, The New York Times reports. Rather than paying cash, the company would provide a 23 percent stake in its company to any Americans in its database. Without the settlement, Clearview could go bankrupt, according to court documents.

If you live in the US and have ever posted a photo of yourself publicly online, you may be part of the class action. The settlement could amount to at least $50 million according to court documents. It still must be approved by a federal judge.

Clearview AI, which counts billionaire Peter Thiel as a backer, says it has over 30 billion images in its database. Those can be accessed and cross-referenced by thousands of law enforcement departments including the US FBI and Department of Homeland Security.

Shortly after its identity was outed, Clearview was hit with lawsuits in Illinois, California, Virginia, New York and elsewhere, which were all brought together as a class action suit in a federal Chicago court. The cost of the litigation was said to be draining the company’s reserves, forcing it to seek a creative way to settle the suit.

The relatively small sum divided by the large number of users likely to be in the database means you won’t be receiving a windfall. In any case, it would only happen if the company goes public or is acquired, according to the report. Once that occurs, lawyers would take up to 39 percent of the settlement, meaning the final amount could be reduced to about 30 million. If a third of Americans were in the database (about 110 million), each would get about 27 cents.

That does beg the question of whether it would be worth just over a quarter to see one of the creepiest companies of all time go bankrupt. To cite a small litany of the actions taken against it (on top of the US class action):

  • It was sued by the ACLU in 2020 (Clearview agreed to permanently halt sales of its biometric database to private companies in the US as part of the settlement).
  • Italy slapped a €20 million fine on the company in 2022 and banned it from using images of Italians in its database
  • Privacy groups in Europe filed complaints against it for allegedly breaking privacy laws (2021)
  • UK’s privacy watchdog slapped it with a £7.55 million fine and ordered it to delete data from any UK resident
  • The LAPD banned the use of its software in 2020
  • Earlier this year the EU barred untargeted scraping of faces from the web, effectively blocking Clearview’s business model in Europe

Source: If Clearview AI scanned your face, you may get equity in the company

Sonos draws more customer anger — this time for its privacy policy. Now they will sell your customer data, apparently

It’s been a rocky couple of months for Sonos — so much so that CEO Patrick Spence now has a canned autoreply for customers emailing him to vent about the redesigned app. But as the company works to right the ship, restore trust, and get the new Sonos Ace headphones off to a strong start, it finds itself in the middle of yet another controversy.

As highlighted by repair technician and consumer privacy advocate Louis Rossmann, Sonos has made a significant change to its privacy policy, at least in the United States, with the removal of one key line. The updated policy no longer contains a sentence that previously said, “Sonos does not and will not sell personal information about our customers.” That pledge is still present in other countries, but it’s nowhere to be found in the updated US policy, which went into effect earlier this month.

Now, some customers, already feeling burned by the new Sonos app’s unsteady performance, are sounding off about what they view as another poor decision from the company’s leadership. For them, it’s been one unforced error after another from a brand they once recommended without hesitation.

[…]

As part of its reworked app platform, Sonos rolled out web-based access for all customer systems — giving the cloud an even bigger role in the company’s architecture. Unfortunately, the web app currently lacks any kind of two-factor authentication, which has also irked users; all it takes is an email address and password to remotely control Sonos devices.

[…]

Source: Sonos draws more customer anger — this time for its privacy policy – The Verge

If I had an “idiocy” tag, I would have used it for these bozos.

Mozilla caves to public and restores Firefox add-ons banned in Russia that circumvent Russian censorship

Mozilla has reinstated certain add-ons for Firefox that earlier this week had been banned in Russia by the Kremlin.

The browser extensions, which are hosted on the Mozilla store, were made unavailable in the Land of Putin on or around June 8 after a request by the Russian government and its internet censorship agency, Roskomnadzor.

Among those extensions were three pieces of code that were explicitly designed to circumvent state censorship – including a VPN and Censor Tracker, a multi-purpose add-on that allowed users to see what websites shared user data, and a tool to access Tor websites.

The day the ban went into effect, Roskomsvoboda – the developer of Censor Tracker – took to the official Mozilla forums and asked why its extension was suddenly banned in Russia with no warning.

[…]

“In alignment with our commitment to an open and accessible internet, Mozilla will reinstate previously restricted listings in Russia,” the group declared. “Our initial decision to temporarily restrict these listings was made while we considered the regulatory environment in Russia and the potential risk to our community and staff.

“We remain committed to supporting our users in Russia and worldwide and will continue to advocate for an open and accessible internet for all.”

[…]

Source: Mozilla restores Firefox add-ons banned in Russia • The Register

(see also: Mozilla Firefox Blocks Add-Ons which Circumvent Censorship in Russia)

Mozilla Firefox Blocks Add-Ons which Circumvent Censorship in Russia

The Mozilla Foundation, the entity behind the web browser Firefox, is blocking various censorship circumvention add-ons for its browser, including ones specifically to help those in Russia bypass state censorship. The add-ons were blocked at the request of Russia’s federal censorship agency, Roskomnadzor — the Federal Service for Supervision of Communications, Information Technology, and Mass Media — according to a statement by Mozilla to The Intercept.

“Following recent regulatory changes in Russia, we received persistent requests from Roskomnadzor demanding that five add-ons be removed from the Mozilla add-on store,” a Mozilla spokesperson told The Intercept in response to a request for comment. “After careful consideration, we’ve temporarily restricted their availability within Russia. Recognizing the implications of these actions, we are closely evaluating our next steps while keeping in mind our local community.”

Stanislav Shakirov, the chief technical officer of Roskomsvoboda, a Russian open internet group, said he hoped it was a rash decision by Mozilla that will be more carefully examined.

“It’s a kind of unpleasant surprise because we thought the values of this corporation were very clear in terms of access to information, and its policy was somewhat different,” Shakirov said. “And due to these values, it should not be so simple to comply with state censors and fulfill the requirements of laws that have little to do with common sense.”

Developers of digital tools designed to get around censorship began noticing recently that their Firefox add-ons were no longer available in Russia.

On June 8, the developer of Censor Tracker, an add-on for bypassing internet censorship restrictions in Russia and other former Soviet countries, made a post on the Mozilla Foundation’s discussion forums saying that their extension was unavailable to users in Russia.

The developer of another add-on, Runet Censorship Bypass, which is specifically designed to bypass Roskomnadzor censorship, posted in the thread that their extension was also blocked. The developer said they did not receive any notification from Mozilla regarding the block.

Two VPN add-ons, Planet VPN and FastProxy — the latter explicitly designed for Russian users to bypass Russian censorship — are also blocked. VPNs, or virtual private networks, are designed to obscure internet users’ locations by routing users’ traffic through servers in other countries.

The Intercept verified that all four add-ons are blocked in Russia. If the webpage for the add-on is accessed from a Russian IP address, the Mozilla add-on page displays a message: “The page you tried to access is not available in your region.” If the add-on is accessed with an IP address outside of Russia, the add-on page loads successfully.

[…]

According to Mozilla’s Pledge for a Healthy Internet, the Mozilla Foundation is “committed to an internet that includes all the peoples of the earth — where a person’s demographic characteristics do not determine their online access, opportunities, or quality of experience.” Mozilla’s second principle in their manifesto says, “The internet is a global public resource that must remain open and accessible.”

[…]

The same four censorship circumvention add-ons also appear to be available for other web browsers without being blocked by the browsers’ web stores. Censor Tracker, for instance, remains available for the Google Chrome web browser, and the Chrome Web Store page for the add-on works from Russian IP addresses. The same holds for Runet Censorship Bypass, VPN Planet, and FastProxy.

[…]

Source: Mozilla Firefox Blocks Add-Ons to Circumvent Russia Censorship

This idealistic commitment Mozilla has is one of the reasons I use Firefox as my standard browser (apart from the fact that it’s a really, really good technology; has good add-ons; is anti-monopoly; doesn’t own the copyright of everything you type in it; doesn’t spy on you; etc.), so to see them cave in to a country like Russia is a real disappointment.