Last year, the uniquely modified F-16 test jet known as the X-62A, flying in a fully autonomous mode, took part in a first-of-its-kind dogfight against a crewed F-16, the U.S. military has announced. This breakthrough test flight, during which a pilot was in the X-62A’s cockpit as a failsafe, was the culmination of a series of milestones that led 2023 to be the year that “made machine learning a reality in the air,” according to one official. These developments are a potentially game-changing means to an end that will feed directly into future advanced uncrewed aircraft programs like the U.S. Air Force’s Collaborative Combat Aircraft effort.
Details about the autonomous air-to-air test flight were included in a new video about the Defense Advanced Research Projects Agency’s (DARPA) Air Combat Evolution (ACE) program and its achievements in 2023. The U.S. Air Force, through the Air Force Test Pilot School (USAF TPS) and the Air Force Research Laboratory (AFRL), is a key participant in the ACE effort. A wide array of industry and academic partners are also involved in ACE. This includes Shield AI, which acquired Heron Systems in 2021. Heron developed the artificial intelligence (AI) ‘pilot’ that won DARPA’s AlphaDogfight Trials the preceding year, which were conducted in an entirely digital environment, and subsequently fed directly into ACE.
“2023 was the year ACE made machine learning a reality in the air,” Air Force Lt. Col. Ryan Hefron, the ACE program manager, says in the newly released video, seen in full below.
DARPA, together with the Air Force and Lockheed Martin, had first begun integrating the so-called artificial intelligence or machine learning “agents” into the X-62A’s systems back in 2022 and conducted the first autonomous test flights of the jet using those algorithms in December of that year. That milestone was publicly announced in February 2023.
The X-62A, which is a heavily modified two-seat F-16D, is also known as the Variable-stability In-flight Simulator Test Aircraft (VISTA). Its flight systems can be configured to mimic those of virtually any other aircraft, which makes it a unique surrogate for a wide variety of testing purposes that require a real-world platform. This also makes VISTA an ideal platform for supporting work like ACE.
A stock picture of the X-62A VISTA test jet. USAF
“So we have an integrated space within VISTA in the flight controls that allows for artificial intelligence agents to send commands into VISTA as if they were sending commands into the simulated model of VISTA,” Que Harris, the lead flight controls engineer for the X-62A at Lockheed Martin, says in the new ACE video. Harris also described this as a “sandbox for autonomy” within the jet.
The X-62A’s original designation was NF-16D, but it received its new X-plane nomenclature in 2021 ahead of being modified specifically to help support future advanced autonomy test work. Calspan, which is on contract with the USAF TPS to support the X-62A’s operations, was a finalist for the 2023 Collier Trophy for its work with the test jet, but did not ultimately win. Awarded annually by the National Aeronautic Association, the Collier Trophy recognizes “the greatest achievement in aeronautics or astronautics in America, with respect to improving the performance, efficiency, and safety of air or space vehicles, the value of which has been thoroughly demonstrated by actual use during the preceding year,” according to the organization’s website.
“So, think of a simulator laboratory that you would have at a research facility,” Dr. Chris Cotting, the Director of Research at the USAF TPS, also says in the video. “We have taken the entire simulator laboratory and crammed it into an F-16.”
The video below shows the X-62A flying in formation with an F-16C and an F-22 Raptor stealth fighter during a test flight in March 2023.
The X-62A subsequently completed 21 test flights out of Edwards Air Force Base in California across three separate test windows in support of ACE between December 2022 and September 2023. During those flight tests, there was nearly daily reprogramming of the “agents,” with over 100,000 lines of code ultimately changed in some way. AFRL has previously highlighted the ability to further support this kind of flight testing through the rapid training and retraining of algorithms in entirely digital environments.
Then, in September 2023, “we actually took the X-62 and flew it against a live manned F-16,” Air Force Lt. Col. Maryann Karlen, the Deputy Commandant of the USAF TPS, says in the newly released video. “We built up in safety [with]… the maneuvers, first defensive, then offensive then high-aspect nose-to-nose engagements where we got as close as 2,000 feet at 1,200 miles per hour.”
A screengrab from the newly released ACE video showing a visual representation of the X-62A and the F-16 merging during the mock dogfight, with a view from the VISTA jet’s cockpit seen in the inset at lower right. DARPA/USAF capture
Additional testing using the X-62A in support of ACE has continued into this year and is still ongoing.
The X-62A’s safely conducting dogfighting maneuvers autonomously in relation to another crewed aircraft is a major milestone not just for ACE, but for autonomous flight in general. However, DARPA and the Air Force stress that while dogfighting was the centerpiece of this testing, what ACE is aiming for really goes beyond that specific context.
“It’s very easy to look at the X-62/ACE program and see it as ‘under autonomous control, it can dogfight.’ That misses the point,” Bill “Evil” Gray, the USAF TPS’ chief test pilot, says in the newly released video. “Dogfighting was the problem to solve so we could start testing autonomous artificial intelligence systems in the air. …every lesson we’re learning applies to every task you can give to an autonomous system.”
Another view from the X-62A’s cockpit during last year’s mock dogfight. DARPA/USAF capture
Gray’s comments are in line with what Brandon Tseng, Shield AI’s co-founder, president, and chief growth officer, told The War Zone in an interview earlier this month:
“I tell people that self-driving technology for aircraft enables mission execution, with no remote pilot, no communications, and no GPS. It enables the concept of teaming or swarming where these aircraft can execute the commander’s intent. They can execute a mission, working together dynamically, reading and reacting to each other, to the battlefield, to the adversarial threats, and to civilians on the ground.”
…
“The other value proposition I think of is the system – the fleet of aircraft always gets better. You always have the best AI pilot on an aircraft at any given time. We win 99.9% of engagements with our fighter jet AI pilot, and that’s the worst that it will ever be, which is superhuman. So when you talk about fleet learning, that will be on every single aircraft, you will always have the best quadcopter pilot, you’ll always have the best V-BAT pilot, you’ll always have the best CCA pilot, you name it. It’ll be dominant. You don’t want the second best AI pilot or the third best, because it truly matters that you’re winning these engagements at incredibly high rates.”
There are still challenges. The new ACE video provides two very helpful definitions of autonomy capability in aerospace development right at the beginning to help in understanding the complexity of the work being done through the program.
The first is so-called rules-based autonomy, which “is very powerful under the right conditions. You write out rules in an ‘if-then’ kind of a way, and these rules have to be robust,” Dr. Daniela Rus from the Massachusetts Institute of Technology’s (MIT) Computer Science & Artificial Intelligence Laboratory (CSAIL), one of ACE’s academic partners, explains at one point. “You need a group of experts who can generate the code to make the system work.”
Historically, when people discuss autonomy in relation to military and civilian aerospace programs, as well as other applications, this has been the kind of autonomy they are talking about.
“The machine learning approach relies on analyzing historical data to make informed decisions for both present and future situations, often discovering insights that are imperceptible to humans or challenging to express through conventional rule-based languages,” Dr. Rus adds. “Machine learning is extraordinarily powerful in environments and situations where conditions fluctuate dynamically making it difficult to establish clear and robust rules.”
Enabling a pilot-optional aircraft like the X-62A to dogfight against a real human opponent who is making unknowable independent decisions is exactly the “environments and situations” being referred to here. Mock engagements like this can be very dangerous even for the most highly trained pilots given their unpredictability.
A screengrab from the newly released ACE video showing the data about mishaps and fatalities incurred during dogfight training involving F-16 and F/A-18 fighters between 2000 and 2016. DARPA/USAF capture
“The flip side of that coin is the challenge” of many elements involved when using artificial intelligence machine learning being “not fully understandable,” Air Force Col. James Valpiani, the USAF TPS commandant, says in the new ACE video.
“Understandability and verification are holding us back from exploring that space,” he adds. “There is not currently a civil or military pathway to certify machine learning agents for flight critical systems.”
According to DARPA and the Air Force, this is really where ACE and the real-world X-62A test flights come into play. One of the major elements of the AI/machine learning “agents” on the VISTA jet is a set of “safety trips” that are designed to prevent the aircraft from performing both dangerous and unethical actions. This includes code to define allowable flight envelopes and to help avoid collisions, either in midair or with the ground, as well as do things like prevent weapons use in unauthorized scenarios.
The U.S. military insists that a human will always be somewhere in the loop in the operation of future autonomous weapon systems, but where exactly they are in that loop is expected to evolve over time and has already been the subject of much debate. Just earlier this month, The War Zone explored these and other related issues in depth in a feature you can find here.
“We have to be able to trust these algorithms to use them in a real-world setting,” the ACE program manager says.
“While the X-62’s unique safety features have been instrumental in allowing us to take elevated technical risks with these machine learning agents, in this test campaign, there were no violations of the training rules, which codify the airman safety and ethical norms, demonstrating the potential that machine learning has for future aerospace applications,” another speaker, who is not readily identifiable, adds toward the end of the newly released video.
Trust in the ACE algorithms is set to be put to a significant test later this year when Secretary of the Air Force Frank Kendall gets into the cockpit for a test flight.
“I’m going to take a ride in an autonomously flown F-16 later this year,” Kendall said at a hearing before members of the Senate Appropriations Committee last week. “There will be a pilot with me who will just be watching, as I will be, as the autonomous technology works, and hopefully, neither he nor I will be needed to fly the airplane.”
Kendall has previously named ACE as one of several tangential efforts feeding directly into his service’s Collaborative Combat Aircraft (CCA) drone program. The CCA program is seeking to acquire hundreds, if not thousands of lower-cost drones with high degrees of autonomy. These uncrewed aircraft will operate very closely with crewed types, including a new stealthy sixth-generation combat jet being developed under the Next Generation Air Dominance (NGAD) initiative, primarily in the air-to-air role, at least initially. You can read more about the Air Force’s CCA effort here. The U.S. Navy also has a separate CCA program, which is closely intertwined with that of the Air Force and significant new details about which were recently disclosed.
It is important to note that the X-62A is not the only aircraft the Air Force has been using to support advanced autonomy developments in recent years outside of the ACE program. The service is now in the process of transforming six more F-16s into test jets to support larger-scale collaborative autonomy testing as part of another program called Project VENOM (Viper Experimentation and Next-Gen Operations Mode).
One of the first F-16s set to be converted into an autonomy testbed under Project VENOM arrives at Eglin Air Force Base on April 1, 2024. USAF
In addition, as already noted, the underlying technology being developed under ACE could have very broad applications. There is great interest across the U.S. military in new AI and machine learning-enabled autonomous capabilities in general. Potential adversaries and global competitors, especially China, are also actively pursuing developments in this field. In particular, the Chinese People’s Liberation Army (PLA) is reportedly working on projects with similar, if not identical aims to ACE and the AlphaDogfight Trials. This could all have impacts on the commercial aviation sector, as well.
“What the X-62/ACE team has done is really a paradigm shift,” USAF TPS commandant Valpiani says at the end of the newly released video. “We’ve fundamentally changed the conversation by showing this can be done safely and responsibly, and so now we’ve created a pathway for others to follow in building machine learning applications for air and space.”
More details about the use of the X-62A in support of ACE are already set to be revealed later this week and it will be exciting to learn more about what the program has achieved.
At the beginning of 2022, the European Commission came up with a proposal to inspect all chat messages and other communications from citizens for child abuse. In the case of end-to-end encrypted chat services, this should be done via client-side scanning.
The European Parliament voted against the proposal, but came up with its own proposal.
However, the European member states have not yet taken a joint position.
Already in 2022, the EDPS raised the alarm about the European Commission’s proposal to monitor citizens’ communications. It is seen as a serious risk to the fundamental rights of 450 million Europeans.
Sure, so the EU is not much of a democracy with the European Council (which is where the actual power is) not being elected at all, but that doesn’t mean it has to be a surveillance police state.
[…] The email your manager received and forwarded to you was something completely innocent, such as a potential customer asking a few questions. All that email was supposed to achieve was being forwarded to you. However, the moment the email appeared in your inbox, it changed. The innocent pretext disappeared and the real phishing email became visible. A phishing email you had to trust because you knew the sender and they even confirmed that they had forwarded it to you.
This attack is possible because most email clients allow CSS to be used to style HTML emails. When an email is forwarded, the position of the original email in the DOM usually changes, allowing for CSS rules to be selectively applied only when an email has been forwarded.
An attacker can use this to include elements in the email that appear or disappear depending on the context in which the email is viewed. Because they are usually invisible, only appear in certain circumstances, and can be used for all sorts of mischief, I’ll refer to these elements as kobold letters, after the elusive sprites of mythology.
This affects all types of email clients and webmailers that support HTML email. So pretty much all of them. For the moment, however, I’ll focus on selected clients to demonstrate the problem, and leave it to others (or future me) to extend the principle to other clients.
[…]
Exploiting this in Thunderbird is fairly straightforward. Thunderbird wraps emails in <div class="moz-text-html" lang="x-unicode"></div> and leaves them otherwise unchanged, making it a good example to demonstrate the principle. When forwarding an email, the quoted email will be enclosed in another <div></div>, moving it down one level in the DOM.
Taking this into account leads to the following proof of concept:
<!DOCTYPE html>
<html>
<head>
<style>
.kobold-letter {
display: none;
}
.moz-text-html>div>.kobold-letter {
display: block!important;
}
</style>
</head>
<body>
<p>This text is always visible.</p>
<p class="kobold-letter">This text will only appear after forwarding.</p>
</body>
</html>
The email contains two paragraphs, one that has no styling and should always be visible, and one that is hidden with display: none;. This is how it looks when the email is displayed in Thunderbird:
This email may look harmless…
As expected, only the paragraph “This text is always visible.” is shown. However, when we forward the email, the second paragraph becomes suddenly visible. Albeit only to the new recipient – the original recipient who forwarded the email remains unaware.
…until it has been forwarded.
Because we know exactly where each element will be in the DOM relative to .moz-text-html, and because we control the CSS, we can easily hide and show any part of the email, changing the content completely. If we style the kobold letter as an overlay, we can not only affect the forwarded email, but also (for example) replace any comments your manager might have had on the original mail, opening up even more opportunities for phishing.
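A defender's view of the same trick, as an added example that is not part of the original post: a small Python checker that pulls the CSS out of an HTML email and flags the kobold-letter signature, a rule that hides a target with `display: none` paired with a second rule that re-shows the same target through a combinator selector (descendant or child), i.e. a rule whose effect depends on where the message sits in the recipient's DOM. It also shows one gateway-side mitigation, stripping `<style>` blocks before forwarding, since inline `style=""` attributes cannot express a condition on ancestors. The sample messages are constructed for the example; the first one reproduces the proof of concept above, the second is a benign email that merely hides a footer.

```python
"""Flag 'kobold letter' CSS in an HTML email and neutralize it.

Signature: one rule hides a target (display:none) unconditionally, and a
second rule with a combinator (descendant/child/sibling) sets a non-none
display on the same target, so visibility depends on DOM position."""
import re
from html.parser import HTMLParser

# Constructed sample: the proof-of-concept email from the post, as a string.
SAMPLE_EMAIL = """<!DOCTYPE html>
<html><head><style>
.kobold-letter { display: none; }
.moz-text-html>div>.kobold-letter { display: block!important; }
</style></head>
<body>
<p>This text is always visible.</p>
<p class="kobold-letter">This text will only appear after forwarding.</p>
</body></html>"""

# Constructed benign sample: hides a footer, but with no position-dependent rule.
BENIGN_EMAIL = """<html><head><style>
.footer { display: none; }
p { color: #333; }
</style></head><body><p>Hello</p><p class="footer">x</p></body></html>"""


class _StyleCollector(HTMLParser):
    """Collect the text of every <style> block in the document."""

    def __init__(self):
        super().__init__()
        self.in_style = False
        self.css = []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            self.css.append(data)


RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")          # selector-group { body }
DISPLAY_RE = re.compile(r"display\s*:\s*([a-z-]+)", re.I)
COMBINATOR_RE = re.compile(r"\s|>|\+|~")                # any structural combinator


def extract_css(html: str) -> str:
    """Return the concatenated contents of all <style> elements."""
    p = _StyleCollector()
    p.feed(html)
    return "\n".join(p.css)


def _last_simple_selector(selector: str) -> str:
    """Rightmost compound selector: the element the rule actually styles."""
    parts = [s for s in re.split(r"\s*[>+~]\s*|\s+", selector.strip()) if s]
    return parts[-1] if parts else ""


def find_kobold_rules(html: str) -> list:
    """Return (hiding_selector, revealing_selector) pairs found in the email."""
    hidden = {}      # target compound selector -> selector that hides it
    revealing = []   # (target, selector) for position-dependent display rules
    for sel_group, body in RULE_RE.findall(extract_css(html)):
        m = DISPLAY_RE.search(body)
        if not m:
            continue
        for selector in sel_group.split(","):
            selector = selector.strip()
            target = _last_simple_selector(selector)
            if not target:
                continue
            if m.group(1).lower() == "none":
                hidden.setdefault(target, selector)
            elif COMBINATOR_RE.search(selector):
                revealing.append((target, selector))
    return [(hidden[t], s) for t, s in revealing if t in hidden]


STYLE_BLOCK_RE = re.compile(r"<style\b[^>]*>.*?</style>", re.I | re.S)


def neutralize(html: str) -> str:
    """Gateway mitigation: drop <style> blocks so no rule can key on the
    message's position in the recipient's DOM. Inline style="" attributes
    are left alone; they cannot reference ancestor elements."""
    return STYLE_BLOCK_RE.sub("", html)


if __name__ == "__main__":
    for name, mail in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, find_kobold_rules(mail))
```

The checker is deliberately conservative: it only pairs a `display: none` rule with a combinator rule on the same rightmost selector, which is exactly the structure the proof of concept relies on, so a plain hidden footer does not trip it. A mail gateway that wanted to be strict rather than selective could apply `neutralize` to every forwarded message.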
HP “sought to take advantage of customers’ sunk costs,” printer owners claimed this week in a class action lawsuit against the hardware giant.
Lawyers representing the aggrieved were responding [PDF] in an Illinois court to an earlier HP Inc motion to dismiss a January lawsuit. Among other things, the plaintiffs’ filing stated that the printer buyers “never entered into any contractual agreement to buy only HP-branded ink prior to receiving the firmware updates.” They allege HP broke several anti-competitive statutes, which they claim:
bar tying schemes, and certain uses of software to accomplish that without permission, that would monopolize an aftermarket for replacement ink cartridges, when these results are achieved in a way that “take[s] advantage of customers’ sunk costs.”
In the case, which began in January, the plaintiffs are arguing that HP issued a firmware update between late 2022 and early 2023 that they allege disabled their printers if they installed a replacement cartridge that was not HP-branded. They are asking for damages that include the cost of now-useless third-party cartridges and an injunction to disable the part of the firmware updates that prevent the use of third-party ink.
In a March filing [PDF], HP claimed it went “to great lengths” to let customers know its printers are intended to work only with cartridges with an HP “security chip.” While the plaintiffs say it uses software updates to block consumers from using cheaper rival cartridges in HP printers, the hardware giant characterizes this as “dynamic security” measures “to prevent the use of third-party printer cartridges that copy HP’s security chips (i.e. cloned or counterfeit cartridges).”
“HP does not block cartridges that reuse HP security chips, and there are many such options available for sale. Nor does HP conceal its use of dynamic security,” the company said.
It added that the printer owners can’t claim damages for being overcharged under federal antitrust laws because consumers who buy products from an intermediary can sue the manufacturer for injunctive relief under those laws, but they can’t sue the manufacturer to recover damages resulting from an alleged overcharge.
“None of the named plaintiffs allege that they purchased printer ink directly from HP after receiving a dynamic security firmware update,” HP said.
And why should they?
It also said Robinson and co. hadn’t “plausibly alleged” that HP “acted without authorization” or “exceeded authorized access” when the software tweaks came through.
HP CEO Enrique Lores has made no secret of the fact that it hopes to pull customers into a print subscription business model.
Lores said in an interview earlier this year that if a “customer doesn’t print enough or doesn’t use our supplies, it’s a bad investment.” However, in fairness, when it comes to ink cartridges, HP is far from alone in charging steep prices, with some estimates placing printer ink prices at $439-$2,380 per liter. Some printer makers make a loss on retailing the devices.
What better way to learn to use Git than a gamified interface that visualizes every change? That’s the idea behind Oh My Git! which aims to teach players all about the popular version control system that underpins so many modern software projects.
Git good, with a gamified git interface.
Sometimes the downside to a tool being so ubiquitous is that it tends to be taken for granted that everyone already knows how to use it, and those starting entirely from scratch can be left unsure where to begin. That’s what creators [bleeptrack] and [blinry] had in mind with Oh My Git! which is freely available for Linux, Windows, and macOS.
The idea is to use a fun playing-card interface to not only teach players the different features, but also to build intuitive familiarity for operations like merging and rebasing by visualizing in real-time the changes a player’s actions make.
The game is made with beginners in mind, with the first two (short) levels establishing that managing multiple versions of a file can quickly become unwieldy without help. Enter git — which the game explains is essentially a time machine — and it’s off to the races.
It might be aimed at beginners, but more advanced users can learn a helpful trick or two. The game isn’t some weird pseudo-git simulator, either. The back end uses real git repositories, with a real shell and git interface behind it all. Prefer to type commands in directly instead of using the playing card interface? Go right ahead!
Oh My Git! uses the free and open-source Godot game engine (not to be confused with the Godot machine, a chaos-based random number generator).
Ubisoft’s online-only racing game The Crew stopped being operable on April 1. Some users are reporting, however, that things have gone a bit further. They say that the company actually reached into Ubisoft Connect accounts and revoked the license to access the game, according to reports by Game Rant and others.
Some of these users liken this move to theft, as they had purchased the game with their own money and received no warning that Ubisoft would be deleting the license. When attempting to launch the game, these players say they received a message stating that access was no longer possible.
On its face, this sounds pretty bad. People paid for something that was snatched away. However, there’s one major caveat. The Crew is an online-only racing game, so there really isn’t anything to do without the servers. Those servers went down on April 1 and the game was delisted from digital store fronts. Also, this move only impacts the original game. The Crew 2 and The Crew Motorfest are both still going.
When Ubisoft announced that the servers would be taken offline, it offered refunds to those who recently purchased The Crew. The game’s been around a decade, so this refund likely didn’t apply to the vast majority of players. Some of these people said they had planned to set up private servers to play the game, an option that is now impossible.
[…]
We pay money for these products. We think we own them, but we don’t own a damned thing. Read the terms of service from Ubisoft or any other major games publisher for proof of that. Philippe Tremblay, Ubisoft’s director of subscriptions, recently told Gamesindustry.biz that players will become “comfortable with not owning” their games.
In this cross-sectional analysis of a nationally representative sample of 100 nonfederal acute care hospitals, 96.0% of hospital websites transmitted user information to third parties, whereas 71.0% of websites included a publicly accessible privacy policy. Of 71 privacy policies, 40 (56.3%) disclosed specific third-party companies receiving user information.
[…]
Of 100 hospital websites, 96 […] transferred user information to third parties. Privacy policies were found on 71 websites […] 70 […] addressed how collected information would be used, 66 […] addressed categories of third-party recipients of user information, and 40 […] named specific third-party companies or services receiving user information.
[…]
In this cross-sectional study of a nationally representative sample of 100 nonfederal acute care hospitals, we found that although 96.0% of hospital websites exposed users to third-party tracking, only 71.0% of websites had an available website privacy policy. Policies averaged more than 2500 words in length and were written at a college reading level. Given estimates that more than one-half of adults in the US lack literacy proficiency and that the average patient in the US reads at a grade 8 level, the length and complexity of privacy policies likely pose substantial barriers to users’ ability to read and understand them.27,32
[…]
Only 56.3% of policies (and only 40 hospitals overall) identified specific third-party recipients. Named third parties tended to be companies familiar to users, such as Google. This lack of detail regarding third-party data recipients may lead users to assume that they are being tracked only by a small number of companies that they know well, when, in fact, hospital websites included in this study transferred user data to a median of 9 domains.
[…]
In addition to presenting risks for users, inadequate privacy policies may pose risks for hospitals. Although hospitals are generally not required under federal law to have a website privacy policy that discloses their methods of collecting and transferring data from website visitors, hospitals that do publish website privacy policies may be subject to enforcement by regulatory authorities like the Federal Trade Commission (FTC).33 The FTC has taken the position that entities that publish privacy policies must ensure that these policies reflect their actual practices.34 For example, entities that promise they will delete personal information upon request but fail to do so in practice may be in violation of the FTC Act.34
Walled Culture has been warning about the financialisation and securitisation of music for two years now. Those obscure but important developments mean that the owners of copyrights are increasingly detached from the creative production process. They regard music as just another asset, like gold, petroleum or property, to be exploited to the maximum. A Guest Essay in the New York Times points out one of the many bad consequences of this trend:
Does that song on your phone or on the radio or in the movie theater sound familiar? Private equity — the industry responsible for bankrupting companies, slashing jobs and raising the mortality rates at the nursing homes it acquires — is making money by gobbling up the rights to old hits and pumping them back into our present. The result is a markedly blander music scene, as financiers cannibalize the past at the expense of the future and make it even harder for us to build those new artists whose contributions will enrich our entire culture.
As well as impoverishing our culture, the financialisation and securitisation of music is making life even harder for the musicians it depends on:
In the 1990s, as the musician and indie label founder Jenny Toomey wrote recently in Fast Company, a band could sell 10,000 copies of an album and bring in about $50,000 in revenue. To earn the same amount in 2024, the band’s whole album would need to rack up a million streams — roughly enough to put each song among Spotify’s top 1 percent of tracks. The music industry’s revenues recently hit a new high, with major labels raking in record earnings, while the streaming platforms’ models mean that the fractions of pennies that trickle through to artists are skewed toward megastars.
Part of the problem is the extremely low rates paid by streaming services. But the larger issue is the power imbalance within all the industries based on copyright. The people who actually create books, music, films and the rest are forced to accept bad deals with the distribution companies. Walled Culture the book (free ebook versions) details the painfully low income the vast majority of artists derive from their creativity, and how most are forced to take side jobs to survive. This daily struggle is so widespread that it is no longer remarked upon. It is one of the copyright world’s greatest successes that the public and many creators now regard this state of affairs as a sad but unavoidable fact of life. It isn’t.
The New York Times opinion piece points out that there are signs private equity is already moving on to its next market/victim, having made its killing in the music industry. But one thing is for sure. New ways of financing today’s exploited artists are needed, and not ones cooked up by Wall Street. Until musicians and creators in general take back control of their works, rather than acquiescing in the hugely unfair deal that is copyright, it will always be someone else who makes most of the money from their unique gifts.
Of course, the whole model of continuously making money from a single creation is a bit fucked up. If a businessman were to ask for money every time someone read their email that would be plain stupid. How is this any different?
[…] We’re told mitigations put in place at the software and silicon level by the x86 giant to thwart Spectre-style exploitation of its processors’ speculative execution can be bypassed, allowing malware or rogue users on a vulnerable machine to steal sensitive information – such as passwords and keys – out of kernel memory and other areas of RAM that should be off limits.
The boffins say they have developed a tool called InSpectre Gadget that can find snippets of code, known as gadgets, within an operating system kernel that on vulnerable hardware can be abused to obtain secret data, even on chips that have Spectre protections baked in.
[…]
“We show that our tool can not only uncover new (unconventionally) exploitable gadgets in the Linux kernel, but that those gadgets are sufficient to bypass all deployed Intel mitigations,” the VU Amsterdam team said this week. “As a demonstration, we present the first native Spectre-v2 exploit against the Linux kernel on last-generation Intel CPUs, based on the recent BHI variant and able to leak arbitrary kernel memory at 3.5 kB/sec.”
A quick video demonstrating that Native BHI-based attack to grab the /etc/shadow file of usernames and hashed passwords out of RAM on a 13th-gen Intel Core processor is below. We’re told the technique, tagged CVE-2024-2201, will work on any Intel CPU core.
The VU Amsterdam team — Sander Wiebing, Alvise de Faveri Tron, Herbert Bos and Cristiano Giuffrida — have now open sourced InSpectre Gadget, an angr-based analyzer, plus a database of gadgets found for Linux Kernel 6.6-rc4 on GitHub.
“Our efforts led to the discovery of 1,511 Spectre gadgets and 2,105 so-called ‘dispatch gadgets,’” the academics added. “The latter are very useful for an attacker, as they can be used to chain gadgets and direct speculation towards a Spectre gadget.”
[…]
AMD and Arm cores are not vulnerable to Native BHI, according to the VU Amsterdam team. AMD has since confirmed this in an advisory.
[…]
After the aforementioned steps were taken to shut down BHI-style attacks, “this mitigation left us with a dangling question: ‘Is finding ‘native’ Spectre gadgets for BHI, i.e., not implanted through eBPF, feasible?’” the academics asked.
The short answer is yes. A technical paper [PDF] describing Native BHI is due to be presented at the USENIX Security Symposium.
A handful of bugs in LG smart TVs running WebOS could allow an attacker to bypass authorization and gain root access on the device.
Once they have gained root, your TV essentially belongs to the intruder who can use that access to do all sorts of nefarious things including moving laterally through your home network, dropping malware, using the device as part of a botnet, spying on you — or at the very least severely screwing up your streaming service algorithms.
Bitdefender Labs researcher Alexandru Lazăr spotted the four vulnerabilities that affect WebOS versions 4 through 7. In an analysis published today, the security firm noted that while the vulnerable service is only intended for LAN access, more than 91,000 devices are exposed to the internet, according to a Shodan scan.
Here’s a look at the four flaws:
CVE-2023-6317: a PIN/prompt bypass that allows an attacker to set a variable and add a new user account to the TV without requiring a security PIN. It has a CVSS rating of 7.2.
CVE-2023-6318: a critical command injection flaw with a 9.1 CVSS rating that allows an attacker to elevate an initial access to root-level privileges and take over the TV.
CVE-2023-6319: another 9.1-rated command injection vulnerability that can be triggered by manipulating the music-lyrics library.
CVE-2023-6320: a critical command injection vulnerability that can be triggered by manipulating an API endpoint to allow execution of commands on the device as dbus, which has similar permissions as root. It also received a 9.1 CVSS score.
In order to abuse any of the command injection flaws, however, the attacker must first exploit CVE-2023-6317. This issue is down to WebOS running a service on ports 3000/3001 that allows users to control their TV on their smartphone using a PIN. But, there’s a bug in the account handler function that sometimes allows skipping the PIN verification:
The function that handles account registration requests uses a variable called skipPrompt which is set to true when either the client-key or the companion-client-key parameters correspond to an existing profile. It also takes into consideration what permissions are requested when deciding whether to prompt the user for a PIN, as confirmation is not required in some cases.
After creating an account with no permissions, an attacker can then request a new account with elevated privileges “but we specify the companion-client-key variable to match the key we got when we created the first account,” the team reports.
The server confirms that the key exists, but doesn’t verify which account it belongs to, we’re told. “Thus, the skipPrompt variable will be true and the account will be created without requesting a PIN confirmation on the TV,” the team reports.
And then, after creating this account with elevated privileges, an attacker can use that access to exploit the other three flaws that lead to root access or command execution as the dbus user.
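The skipPrompt logic described above, modelled in JavaScript as an added example (this is not LG's code; the profile store, permission names and request fields are assumptions): the vulnerable handler skips the PIN whenever the presented key matches any existing profile, while the hardened handler only skips it when the profile that key identifies already holds every permission being requested, so an account created with no permissions cannot vouch for an elevated one.

```javascript
// Hypothetical model of the WebOS account-registration "skipPrompt" logic
// described in the write-up, beside a hardened version. Added example, not
// LG's code: profile store, permission names and request shape are assumptions.

// Permissions the TV should confirm with an on-screen PIN (assumed names).
const PRIVILEGED = new Set(["LAUNCH", "CONTROL_INPUT_TEXT", "READ_SETTINGS"]);

function needsConfirmation(permissions) {
  return permissions.some((p) => PRIVILEGED.has(p));
}

// In-memory profile store: clientKey -> { permissions }.
function makeStore() {
  return { profiles: new Map(), nextKey: 1, pinPrompts: 0 };
}

function createProfile(store, permissions) {
  const clientKey = `key-${store.nextKey++}`;
  store.profiles.set(clientKey, { permissions: permissions.slice() });
  return { ok: true, clientKey };
}

// Vulnerable handler (the CVE-2023-6317 pattern): skipPrompt becomes true when
// the supplied client-key OR companion-client-key matches *any* existing
// profile, regardless of what that profile is allowed to do.
function registerVulnerable(store, req, pinEntered) {
  const knownKey = [req.clientKey, req.companionClientKey]
    .some((k) => k !== undefined && store.profiles.has(k));
  const skipPrompt = knownKey || !needsConfirmation(req.permissions);
  if (!skipPrompt) {
    store.pinPrompts += 1;
    if (!pinEntered) return { ok: false, reason: "PIN confirmation required" };
  }
  return createProfile(store, req.permissions);
}

// Hardened handler: a presented key only skips the prompt when the profile it
// identifies already holds every permission being requested, so a key from a
// no-permission account cannot vouch for an elevated one.
function registerHardened(store, req, pinEntered) {
  const presented = req.clientKey ?? req.companionClientKey;
  const profile = presented === undefined ? undefined : store.profiles.get(presented);
  const alreadyGranted = profile !== undefined &&
    req.permissions.every((p) => profile.permissions.includes(p));
  const skipPrompt = alreadyGranted || !needsConfirmation(req.permissions);
  if (!skipPrompt) {
    store.pinPrompts += 1;
    if (!pinEntered) return { ok: false, reason: "PIN confirmation required" };
  }
  return createProfile(store, req.permissions);
}

// Exercises the two-step sequence from the write-up against a handler: create
// an account with no permissions, then request an elevated one while presenting
// the first account's key as companion-client-key and entering no PIN.
function escalationScenario(register) {
  const store = makeStore();
  const first = register(store, { permissions: [] }, false);
  const second = register(store, {
    companionClientKey: first.clientKey,
    permissions: ["LAUNCH"],
  }, false);
  return { escalated: second.ok === true, pinPrompts: store.pinPrompts };
}
```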
Lazăr responsibly reported the flaws to LG on November 1, 2023, and LG asked for a time extension to fix them. The electronics giant issued patches on March 22. It’s a good idea to check your TV for software updates and apply the WebOS patch now.
The Mass Damage & Consumer Foundation today announced that it has initiated a class action lawsuit against Google over its Android operating system. The reason is a new study that shows how Dutch Android smartphones systematically transfer large amounts of information about device use to Google. Even with the most privacy-friendly options enabled, user data cannot be prevented from ending up on Google’s servers. According to the foundation, this is not clear to Android users, let alone whether they have given permission for this.
For the research, a team of scientists purchased several Android phones between 2022 and 2024 and captured, decrypted and analyzed the outgoing traffic on a Dutch server. This shows that a bundle of processes called ‘Google Play Services’ runs silently in the background and cannot be disabled or deleted. These processes continuously record what happens on and around the phone. For example, Google shares which apps someone uses, products they order and even whether users are sleeping.
More than nine million Dutch people
The Mass Damage & Consumer Foundation states that Google’s conduct violates a large number of Dutch and European rules that must protect consumers. The foundation wants to use a lawsuit to force Google to implement fundamental (privacy) changes to the Android platform and to offer an opt-out option for every form of data it collects, not just a few.
[…]
Identity can be easily traced
The research paid specific attention to the use of unique identifiers (UIDs). These are characteristics that Google can link to the collected data, such as an e-mail address or Android ID, a unique serial number with which someone is known to Google. The use of these features is sensitive. For example, Google advises against the use of unique features in its own guidelines for app developers: users could unintentionally be tracked across multiple apps. However, one or more of these unique features were found in the data transmissions examined – without exception. The researchers point out that this makes it easy to trace someone’s identity to virtually everything that happens on and around an Android device.
People who develop long covid after being hospitalised with severe covid-19 have raised levels of many inflammatory immune molecules compared with those who recovered fully after such a hospitalisation, according to a study of nearly 700 people.
The findings show that long covid has a real biological basis, says team member Peter Openshaw at Imperial College London. “People are not imagining it,” he says. “It’s genuinely happening to them.”
[…]
The study by Liew and her colleagues involved measuring the levels of 368 immune molecules in the blood of 659 people who were hospitalised with covid-19, mostly early on in the pandemic. The 426 people who were still reporting symptoms more than three months later were compared with the 233 who reported being fully recovered.
The study found that the patterns of immune activation reflected the main kinds of symptoms people with long covid reported. The five main symptom types were fatigue; cognitive impairment; anxiety and depression; cardiorespiratory symptoms; and gastrointestinal symptoms.
For instance, people with gastrointestinal symptoms had higher blood levels of SCG3, a signalling protein that is also elevated in the faeces of people with irritable bowel syndrome.
The findings won’t help with diagnosing whether people have long covid or not, says team member Chris Brightling at the University of Leicester in the UK. But once the condition has been diagnosed, testing for these molecules could help reveal what kind of long covid people have, and thus what kind of interventions might help, he says.
In early 2023 an awesome colleague (Andreas) spoke about an incident response case featuring thugs plugging a media keyboard into an ATM, and breaking out of its ATM kiosk software to install malware causing it to dispense $$$. This prompted me to spend some time during spring and summer of 2023 looking into Consumer Control, a subset of USB functionality, which is what allows media keyboards to launch and control various applications over USB with the press of single buttons; so called Consumer Control Buttons (CCBs). This writeup describes my research on the matter, and what I have nicknamed the USB HID & Run attack (credit to Roman for helping out with the name).
[…]
An attacker with access to the USB port of the kiosk, could potentially leverage this access to break out of the kiosk using keyboard shortcuts or CCBs.
[…]
Attacks on kiosks often focus on breaking out of the kiosk model to perform other actions on the underlying systems. The typical means of achieving this, whether the kiosk is equipped with a physical keyboard or an on-screen keyboard, are to leverage either operating-system-specific or application-specific keyboard shortcuts to trigger an event that exposes unintended functionality. Examples of this include:
Leveraging built-in Windows shortcuts (e.g. Win+E to launch the File Explorer).
Leveraging application-specific shortcuts (e.g. ctrl+p which in many applications opens a print dialog from which the underlying file system can be reached).
Going completely bananas and doing “weird shit” with the hope of triggering an error that can be leveraged to access further functionality.
Oftentimes, access to the underlying file system is enough to execute arbitrary code on the system. While the details of this are beyond the scope of this project, Windows-based readers are encouraged to pause momentarily and do the following:
Press Win+E
Press ctrl+l
Type cmd
Press enter
Now imagine this was a kiosk instead, and you hopefully get the concept. Congratulations, you are now a computer hacker with the ability to execute arbitrary code on the system.
For kiosks that are not equipped with either a physical or on-screen keyboard, this becomes much more difficult. However, with physical access to a USB port, you can plug in your own keyboard and do the same thing.
A plethora of resources exist on the matter of breaking out of kiosks, documenting many of the methods I have used myself on real assessments. [1] is a generic but comprehensive resource, and [2] is a more in-depth article written by a kiosk lockdown software manufacturer that even goes into great detail on physical USB attacks. However, the topic of CCBs is not covered.
[…]
Media Keyboards and USB
What sets media keyboards apart from traditional keyboards is the presence of keys that automagically launch a new application, or control elements of a currently running application.
[…]
Manufacturers can choose to include these keys to for example launch a local file explorer, a web browser or a calculator application; all through USB.
[…]
The functionality that USB HID vendors can include in their devices is defined in the USB HID Usage Tables for USB document [7].
[…]
The Consumer Page of the USB HID usage tables [7, Ch. 15] defines multiple usage names. The following two look especially interesting:
Application Launch Buttons, used to launch applications (configured by the operating system vendor, e.g. Microsoft)
Generic GUI Application Controls, used to replicate control actions found in typical GUI applications such as pressing buttons and scrolling
[…]
In order to address the first objective set out by this project, I had to be able to send USB CCBs. As it would turn out, implementation of a "media keyboard" capable of sending arbitrary CCBs was trivial using a Teensyduino [10].
[…]
The following is a simple proof of concept, showcasing some interesting CCBs enabled by default in Windows 10 and 11.
/*
  Simple CCB cycling example wherein the Teensyduino becomes a USB media keyboard
  and cycles through CCBs that have an action in Windows 10/11.
  Values for keypresses are taken from the USB HID Class specification.
  Before compiling, select "Keyboard" from the "Tools > USB Type" menu.
*/
void setup() {
}

void loop() {
  // ORing 0xE400 into the Consumer Page usage ID is how the Teensy Keyboard
  // library marks a media (Consumer Control) key rather than a plain keycode.
  Keyboard.press(( 0x183 | 0xE400 )); // Default media player
  Keyboard.release(( 0x183 | 0xE400 ));
  delay(500);
  Keyboard.press(( 0x18A | 0xE400 )); // Default email client
  Keyboard.release(( 0x18A | 0xE400 ));
  delay(500);
  Keyboard.press(( 0x192 | 0xE400 )); // Pop calc!
  Keyboard.release(( 0x192 | 0xE400 ));
  delay(500);
  Keyboard.press(( 0x194 | 0xE400 )); // File Explorer (This PC)
  Keyboard.release(( 0x194 | 0xE400 ));
  delay(500);
  Keyboard.press(( 0x223 | 0xE400 )); // Microsoft Edge
  Keyboard.release(( 0x223 | 0xE400 ));
  delay(500);
}
Compiling and uploading the above code to the Teensyduino board and subsequently plugging it into the USB port of a computer running a fresh Windows 10 launched the applications indicated by the comments in the code. That’s right, we just popped calc using CCBs. Note that these specific keys are the same as those defined in [9].
A small side note: I tried this using both a Teensyduino 2.0 and a 3.2, and both work. However, I could only get the latter to spoof the Vendor ID and Product ID.
Distinguishing CCBs From Windows Keyboard Shortcuts
Equipped with the ability to send arbitrary CCBs using a Teensyduino, I set out to find out whether CCBs are inherently different from built-in keyboard shortcuts in Windows, aiming to fulfil the second objective. To verify this, I disabled Windows keyboard shortcuts with the following command:
After rebooting the machine for the registry change to take effect, I plugged in the Teensyduino. Lo and behold, Keyboard.press(( 0x194 | 0xE400 )); caused This PC to pop up, whereas Win+E did nothing (except put a smile on my face).
[…]
The following is a list of systems/devices I have experimented on with CCBs, with limited success:
Windows 10/11 single-app kiosk [11]: CCBs seem to have no effect in a kiosk with Microsoft Edge
Windows 10/11 digital signage mode [12]: The key AC Home (0x223) opens up an InPrivate window
Various Samsung TVs: Possible to open and navigate the menu using CCBs
Additionally, I recently had the opportunity to experiment with an Android-based meeting room controller. With a regular keyboard, I was unable to perform any unintended action. However, when using CCBs (specifically the keys AL Contacts/Address Book (0x18D), AL Calendar/Schedule (0x18E), and AL Internet Browser (0x196)), I observed that they triggered the launch of the Android Contacts application, the Android Calendar application, and the default Internet browser of the tablet.
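The Consumer Page usages discussed above (Application Launch Buttons and Generic GUI Application Controls from [7, Ch. 15]) are declared by a device in its HID report descriptor, so a defender can tell whether a newly attached "keyboard" is able to send CCBs at all before the operating system acts on one. The following is an added example, not code from this write-up: a descriptor parser that extracts the declared usage ranges and flags Consumer Page AL/AC usages. The AL/AC ranges are taken from HUT 1.12 as an assumption, and the sample descriptors are constructed rather than captured.

```javascript
// Audit a USB HID report descriptor for Consumer Page usages that can launch
// applications (AL) or drive GUI controls (AC), i.e. the Consumer Control
// Buttons this write-up exercises. Added example, not code from the original
// post; the descriptor bytes below are constructed, not captured from devices.

const CONSUMER_PAGE = 0x0c;
// Assumed from the Consumer Page table of the HID Usage Tables (v1.12):
// Application Launch Buttons 0x181-0x1A5, Generic GUI Application Controls
// 0x200-0x29C. Check these against the HUT revision you work from.
const AL_RANGE = [0x181, 0x1a5];
const AC_RANGE = [0x200, 0x29c];
// Usages the write-up observed triggering actions, described as it does.
const NOTABLE = new Map([
  [0x183, "default media player"], [0x18a, "default email client"],
  [0x18d, "AL Contacts/Address Book"], [0x18e, "AL Calendar/Schedule"],
  [0x192, "calculator"], [0x194, "File Explorer (This PC)"],
  [0x196, "AL Internet Browser"], [0x223, "AC Home"],
]);

// Decode short items: prefix byte = bTag(4) | bType(2) | bSize(2), then data.
// Long items (prefix 0xFE) carry no usage information and are skipped.
function* hidItems(desc) {
  let i = 0;
  while (i < desc.length) {
    const prefix = desc[i];
    if (prefix === 0xfe) { i += 3 + desc[i + 1]; continue; }
    const size = [0, 1, 2, 4][prefix & 0x03];
    if (i + 1 + size > desc.length) throw new Error(`truncated HID item at offset ${i}`);
    let data = 0;
    for (let b = size - 1; b >= 0; b--) data = (data << 8) | desc[i + 1 + b]; // little-endian
    yield { type: (prefix >> 2) & 0x03, tag: prefix >> 4, size, data: data >>> 0 };
    i += 1 + size;
  }
}
// Return [{page, lo, hi}] for every usage or usage range bound to a main item
// (Input, Output, Feature or Collection), resolving 32-bit extended usages.
function declaredUsages(desc) {
  const ranges = [];
  let page = 0, pending = [], umin = null;
  for (const it of hidItems(desc)) {
    if (it.type === 1 && it.tag === 0x0) {                 // Global: Usage Page
      page = it.data;
    } else if (it.type === 2) {                            // Local items
      const upage = it.size === 4 ? it.data >>> 16 : page;
      const usage = it.size === 4 ? it.data & 0xffff : it.data;
      if (it.tag === 0x0) pending.push({ page: upage, lo: usage, hi: usage });
      else if (it.tag === 0x1) umin = { page: upage, usage };
      else if (it.tag === 0x2 && umin !== null) {          // Usage Maximum closes a range
        pending.push({ page: umin.page, lo: umin.usage, hi: usage });
        umin = null;
      }
    } else if (it.type === 0 && [0x8, 0x9, 0xa, 0xb].includes(it.tag)) {
      ranges.push(...pending);                             // main item consumes locals
      pending = []; umin = null;
    }
  }
  return ranges;
}
const overlaps = (r, [lo, hi]) => r.lo <= hi && r.hi >= lo;

// Summarise which Consumer Control capabilities a descriptor declares.
function audit(desc) {
  const result = { appLaunch: false, guiControl: false, notable: [] };
  for (const r of declaredUsages(desc)) {
    if (r.page !== CONSUMER_PAGE) continue;
    result.appLaunch = result.appLaunch || overlaps(r, AL_RANGE);
    result.guiControl = result.guiControl || overlaps(r, AC_RANGE);
    for (const [u, name] of NOTABLE) if (r.lo <= u && u <= r.hi) result.notable.push(name);
  }
  return result;
}

// Constructed descriptors (not captured from real hardware).
// 1) Media keyboard exposing the whole Consumer Page as one 16-bit array
//    field, the shape a device needs in order to send arbitrary CCBs.
const MEDIA_KEYBOARD = Uint8Array.from([
  0x05, 0x0c, 0x09, 0x01, 0xa1, 0x01,                     // Consumer Control collection
  0x15, 0x00, 0x26, 0x9c, 0x02,                           // Logical Min 0 / Max 0x29C
  0x19, 0x00, 0x2a, 0x9c, 0x02,                           // Usage Min 0 / Max 0x29C
  0x75, 0x10, 0x95, 0x01, 0x81, 0x00,                     // one 16-bit array Input
  0xc0,
]);
// 2) Three dedicated launch keys as 1-bit variables: AL Calculator (0x192),
//    AL Local Machine Browser (0x194) and AC Home (0x223), plus padding.
const LAUNCH_KEYS = Uint8Array.from([
  0x05, 0x0c, 0x09, 0x01, 0xa1, 0x01, 0x15, 0x00, 0x25, 0x01,
  0x0a, 0x92, 0x01, 0x0a, 0x94, 0x01, 0x0a, 0x23, 0x02,   // three 16-bit Usages
  0x75, 0x01, 0x95, 0x03, 0x81, 0x02,                     // Input (Data, Variable)
  0x75, 0x05, 0x95, 0x01, 0x81, 0x01,                     // Input (Constant) padding
  0xc0,
]);
// 3) Ordinary boot keyboard: Generic Desktop / Keyboard pages only.
const PLAIN_KEYBOARD = Uint8Array.from([
  0x05, 0x01, 0x09, 0x06, 0xa1, 0x01,                     // Keyboard collection
  0x05, 0x07, 0x19, 0xe0, 0x29, 0xe7, 0x15, 0x00, 0x25, 0x01,
  0x75, 0x01, 0x95, 0x08, 0x81, 0x02,                     // 8 modifier bits
  0x95, 0x06, 0x75, 0x08, 0x25, 0x65, 0x19, 0x00, 0x29, 0x65, 0x81, 0x00, // key array
  0xc0,
]);
```

On Linux the raw descriptor of an attached device can be read from its /sys/bus/hid/devices/*/report_descriptor attribute and passed to audit(), which is a cheap pre-check before a kiosk build trusts a plugged-in keyboard.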
[…] Ukrainian troops told the Daily Telegraph that they have been subjected to regular attacks from small drones dropping teargas and other chemicals.
The use of such substances, which is known as CS, is banned during wartime under the Chemical Weapons Convention.
Moscow was accused of using chemical weapons in a drone assault on the port of Mariupol in the early stages of its invasion in February 2022.
Slava, a senior lieutenant whose unit is deployed near Lyman, in Donetsk oblast, said some Ukrainian units in his area were coming under “almost daily” gas attacks.
A CS gas grenade was provided to the Telegraph for verification by Rebekah Maciorowski, an American combat medic and a qualified nurse serving in the Ukrainian army.
Maciorowski has been routinely called to provide medical aid to Ukrainian soldiers in the three brigades she works with in Donetsk oblast after chemical weapon attacks, which she described as “systematic”.
The grenade was originally retrieved by soldiers in the 53rd Mechanised Brigade, one of the units with which she works.
Maciorowski said: “My guys retrieved it while under fire because nobody believed they were being attacked with chemical weapons.”
Ihor, the commander of a Ukrainian reconnaissance team deployed near the frontline city of Chasiv Yar, in Donetsk oblast, told the Telegraph: “Nearly every position in our area of the front was getting one or two gas grenades dropped on them a day.”
OpenAI and Google trained their AI models on text transcribed from YouTube videos, potentially violating creators’ copyrights, according to The New York Times.
According to the NYT, OpenAI used its Whisper speech recognition tool to transcribe more than one million hours of YouTube videos, which were then used to train GPT-4. The Information previously reported that OpenAI had used YouTube videos and podcasts to train the two AI systems. OpenAI president Greg Brockman was reportedly among the people on this team. Per Google’s rules, “unauthorized scraping or downloading of YouTube content” is not allowed
[…]
The way the data is stored in an ML model means that the data is not scraped or downloaded – unless you consider every view to be downloading or scraping.
What this shows is a determination to ride the AI hype and find a way to monetise content that has already been released into the public domain without any extra effort apart from hiring a bunch of lawyers. The players are big and the payoff is potentially huge in terms of cash, but in terms of setting back progress, throwing everything under the copyright bus is a staggering disaster.
A study has concluded that Apple’s privacy practices aren’t particularly effective, because default apps on the iPhone and Mac have limited privacy settings and confusing configuration options.
The research was conducted by Amel Bourdoucen and Janne Lindqvist of Aalto University in Finland. The pair noted that while many studies had examined privacy issues with third-party apps for Apple devices, very little literature investigates the issue in first-party apps – like Safari and Siri.
The aims of the study [PDF] were to investigate how much data Apple’s own apps collect and where it’s sent, and to see if users could figure out how to navigate the landscape of Apple’s privacy settings.
[…]
“Our work shows that users may disable default apps, only to discover later that the settings do not match their initial preference,” the paper states.
“Our results demonstrate users are not correctly able to configure the desired privacy settings of default apps. In addition, we discovered that some default app configurations can even reduce trust in family relationships.”
The researchers criticize data collection by Apple apps like Safari and Siri, where that data is sent, how users can (and can’t) disable that data tracking, and how Apple presents privacy options to users.
The paper illustrates these issues in a discussion of Apple’s Siri voice assistant. While users can ostensibly choose not to enable Siri in the initial setup on macOS-powered devices, it still collects data from other apps to provide suggestions. To fully disable Siri, Apple users must find privacy-related options across five different submenus in the Settings app.
Apple’s own documentation for how its privacy settings work isn’t good either. It doesn’t mention every privacy option, explain what is done with user data, or highlight whether settings are enabled or disabled. Also, it’s written in legalese, which almost guarantees no normal user will ever read it.
[…]
The authors also conducted a survey of Apple users and quizzed them on whether they really understood how privacy options worked on iOS and macOS, and what apps were doing with their data.
While the survey was very small – it covered just 15 respondents – the results indicated that Apple’s privacy settings could be hard to navigate.
Eleven of the surveyed users were well aware about data tracking and that it was mostly on by default. However, when informed about how privacy options work in iOS and macOS, nine of the surveyed users were surprised about the scope of data collection.
[…]
Users were also tested on their knowledge of privacy settings for eight default apps – including Siri, Family Sharing, Safari, and iMessage. According to the study, none could confidently figure out how to work their way around the Settings menu to completely disable default apps. When confused, users relied on searching the internet for answers, rather than Apple’s privacy documentation.
[…]
Assuming Apple has any interest in fixing these shortcomings, the team made a few suggestions. Since many users first went to operating system settings instead of app-specific settings when attempting to disable data tracking, a change could assist users. Centralizing these options would also prevent users from getting frustrated and giving up on finding the settings they’re looking for.
Informing users what specific settings do would also be an improvement – many settings are labelled with just a name, but no further details. The researchers suggest replacing Apple’s jargon-filled privacy policy with descriptions that are in the settings menu itself, and maybe even providing some infographic illustrations as well. Anything would be better than legalese.
While this study probably won’t convince Apple to change its ways, lawsuits might have better luck. Apple has been sued multiple times for not transparently disclosing its data tracking. One of the latest suits calls out Apple’s broken promises about privacy, claiming that “Apple does not honor users’ requests to restrict data sharing.”
Roku describes its idea in a patent application, which largely flew under the radar when it was filed in November, and was recently spotted by the streaming newsletter Lowpass. In the application, Roku describes a system that’s able to detect when users pause third-party hardware and software and show them ads during that time.
According to the company, its new system works via an HDMI connection. This suggests that it’s designed to target users who play video games or watch content from other streaming services on their Roku TVs. Lowpass described Roku’s conundrum perfectly:
“Roku’s ability to monetize moments when the TV is on but not actively being used goes away when consumers switch to an external device, be it a game console or an attached streaming adapter from a competing manufacturer,” Janko Roettgers, the newsletter’s author, wrote. “Effectively, HDMI inputs have been a bit of a black box for Roku.”
In addition, Roku wouldn’t just show you any old ads. The company states that its innovation can recognize the content that users have paused and deliver customized related ads. Roku’s system would do this by using audio or video-recognition technologies to analyze what the user is watching or analyze the content’s metadata, among other methods.
[…]
In the case of gaming, there’s also the danger of Roku mistaking a long moment of pondering for a pause and sticking an ad right when you’re getting ready to face the final boss. The company is aware of this potential failure and points out that its system will monitor the frames of the content being watched to ensure there was a phase. It also plans on using other methods, such as analyzing the audio feed on the TV for extended moments of silence, to confirm there has been a pause.
[…] As reported by Android Authority, more and more users are complaining about their Pixel phones not working as, well, phones. Users will miss phone calls entirely, and only notice after they see the call went directly to voicemail, while text messages don’t appear as they’re received, but rather pop in all at once in batches. It’s affecting multiple types of Pixel, as well, including Pixel 7a, Pixel 7, Pixel 7 Pro, Pixel 8, and Pixel 8 Pro.
In a Google Support thread about the issue, users blame the March 2024 update for causing this chaos, and suggest the April 2024 update didn’t include a patch for it, either. (It isn’t present in the release notes.) One alleges this update somehow messed with the phone’s IMS (IP Multimedia Subsystem), which is responsible for powering different communication standards on the Pixel. One commenter goes so far as to say the SMS issues have nearly driven them to iPhone, saying, “Google – are you getting the message?”
We don’t know exactly what is causing this network issue with Pixel, and it’s not affecting each and every Pixel user, as this Android Police commenter would like readers to know. But there are enough Pixel devices experiencing network problems around the world that this seems to be an issue Google can address.
[…]
It seems the only temporary workaround is to toggle Wi-Fi off and on again, which essentially toggles Wi-Fi calling off and on again as well. Reports suggest the workaround will allow calls and texts through as normal, but only temporarily, as the issue does seem to come back in time.
In an increasingly digital age, owning media outright has become less and less possible. Whether it’s movies, music, books, or video games, the pivot to digital has made it harder for consumers to own permanent, physical copies of their favorite pieces of media. In video games, myriad titles that players have spent time and money on have been taken offline by publishers, never to be played again. Legislation around this is spotty worldwide, and some companies have gotten away with raking in consumer money just to pull the plug on a game months or years down the line. However, YouTube channel Accursed Farms is starting a coordinated campaign to force stronger legislation against this practice, with Ubisoft’s racing game The Crew at the center of it.
The growing lack of ownership in video games
Ross Scott, who runs Accursed Farms, posted a 31-minute video on the channel, which outlines the problem and how he believes drawing attention to The Crew’s April 1 shutdown could cause governments to enact greater consumer protections for people who purchase online games. As laid out in the video, consumer rights for these situations vary in different countries. France, however, has some pretty robust consumer laws, and Ubisoft is based there.
“This isn’t really about The Crew or even Ubisoft,” Scott says in the video. “It’s about trying to find a weak link in the industry so governments can examine this practice to stop publishers from destroying our games.”
Accursed Farms
According to a since-deleted blog post by Ubisoft, The Crew had over 12 million players before it was delisted in December of last year. Even if most of those people weren’t actively playing the game by the end of its lifetime, that still means that millions of copies of the game were sold—zero of which can be played today. This has become pretty common practice for a lot of online games from some of the biggest companies in the industry, like when Square Enix shut down Final Fantasy VII: The First Soldier in January 2023 or Electronic Arts sunsetting the mobile version of Apex Legends the following May. However, Scott hypothesizes that players don’t form substantial collective action to save these games because, by the time a company makes a decision to shut a game down, most of its player base has already moved on. This is why he’s formed the Stop Killing Games initiative, which is attempting to rally concerned video game fans into pushing local governments to examine the situation with The Crew. The hope is that this can spark broader change.
How the Stop Killing Games initiative is coordinating action
The Stop Killing Games website includes step-by-step instructions for different countries and regions on how to support the cause, whether by contacting local representatives and government bodies or just spreading the word.
[…]
The Stop Killing Games’ end goal is that governments will implement legislation to ensure the following:
Games sold must be left in a functional state
Games sold must require no further connection to the publisher or affiliated parties to function
The above also applies to games that have sold microtransactions to customers
The above cannot be superseded by end user license agreements
As Scott lays out, the ideal outcome is that legislation will require online games to be run on player-hosted servers after developers stop supporting it, rather than publishers shouldering the burden of hosting servers internally. This is often a leading cause for games and services being shut down.
[…]
Ubisoft’s director of subscriptions, Philippe Tremblay, recently said the company wants players to be more comfortable not owning the games they buy the same way people have grown accustomed to not owning albums on Spotify or films on Netflix:
One of the things we saw is that gamers are used to, a little bit like DVD, having and owning their games. That’s the consumer shift that needs to happen. They got comfortable not owning their CD collection or DVD collection. That’s a transformation that’s been a bit slower to happen [in games]. As gamers grow comfortable in that aspect… you don’t lose your progress. If you resume your game at another time, your progress file is still there. That’s not been deleted. You don’t lose what you’ve built in the game or your engagement with the game. So it’s about feeling comfortable with not owning your game.
Windows welcome light into interior spaces, but they also bring in unwanted heat. A new window coating blocks heat-generating ultraviolet and infrared light and lets through visible light, regardless of the sun’s angle. The coating can be incorporated onto existing windows or automobiles and can reduce air-conditioning cooling costs by more than one-third in hot climates.
[…]
Window coatings used in many recent studies are optimized for light that enters a room at a 90-degree angle. Yet at noon, often the hottest time of the day, the sun’s rays enter vertically installed windows at oblique angles.
Luo and his postdoctoral associate Seongmin Kim previously fabricated a transparent window coating by stacking ultra-thin layers of silica, alumina and titanium oxide on a glass base. A micrometer-thick silicon polymer was added to enhance the structure’s cooling power by reflecting thermal radiation through the atmospheric window and into outer space.
Additional optimization of the order of the layers was necessary to ensure the coating would accommodate multiple angles of solar light.
[…]
Their model produced a coating that both maintained transparency and reduced temperature by 5.4 to 7.2 degrees Celsius in a model room, even when light was transmitted in a broad range of angles. The lab’s results were recently published in Cell Reports Physical Science.
Seongmin Kim, Serang Jung, Alexandria Bobbitt, Eungkyu Lee, Tengfei Luo. Wide-angle spectral filter for energy-saving windows designed by quantum annealing-enhanced active learning. Cell Reports Physical Science, 2024; 5 (3): 101847 DOI: 10.1016/j.xcrp.2024.101847
Strictly following a diet – either healthy low-carb or healthy low-fat – was what mattered for short-term weight loss during the first six months. But people who maintained long-term weight loss for a year ate the same number of calories as those who regained weight or who did not lose weight during the second six months.
So what explains this difference?
According to the study, the bacteria living in your gut and the amounts of certain proteins your body makes can affect your ability to sustain weight loss. And some people, it turns out, shed more pounds on low-fat diets while others did better on low-carb diets.
Stanford Medicine researchers have identified several biomarkers that predict how successful an individual will be at losing weight and keeping it off long-term. These biomarkers include signatures from the gut microbiome, proteins made by the human body and levels of exhaled carbon dioxide. The researchers published their findings in Cell Reports Medicine Dec. 13.
[…]
The study showed that just cutting calories or exercising were not enough to sustain weight loss over a year. To try and understand why, the team turned their focus to biomarkers of metabolism.
[…]
Throughout the study, the researchers measured the ratio of inhaled oxygen to exhaled carbon dioxide, known as a respiratory quotient, which serves as a proxy for whether carbohydrates or fats are the body’s primary fuel. A lower ratio means the body burns more fat, while a higher ratio means it burns more carbohydrates. So, those who started the diet with a higher respiratory quotient lost more weight on a low-carb diet.
“There are people who can be eating very few calories but still sustain their weight because of how their bodies metabolize fuels. It is not for lack of will: It is just how their bodies work,” Perelman said.
In other words, if your body prefers carbs and you’re predominately eating fat, it will be much harder to metabolize and burn off those calories.
[…]
tracking amounts of certain gut microbe strains will be a way for people to determine which diets are best for weight loss.
We’re not there yet, so until then, according to the researchers, the focus should be on eating high-quality foods that are unprocessed and low in refined flours and sugar.
The research team identified specific nutrients that were correlated with weight loss during the first six months. Low-carb diets should be based on monounsaturated fats — such as those that come from avocados, rather than bacon — and high in vitamins K, C and E. These vitamins are in vegetables, nuts, olives, and avocados. Low-fat diets should be high in fiber, such as is found in whole grains and beans, and avoid added sugars.
“Your mindset should be on what you can include in your diet instead of what you should exclude,” Perelman said. “Figure out how to eat more fiber, whether it is from beans, whole grains, nuts or vegetables, instead of thinking you shouldn’t eat ice cream. Learn to cook and rely less on processed foods. If you pay attention to the quality of food in your diet, then you can forget about counting calories.”
In hopes of settling a lawsuit challenging its data collection practices, Google has agreed to destroy web browsing data it collected from users browsing in Chrome’s private modes – which weren’t as private as you might have thought.
The lawsuit [PDF], filed in June 2020 on behalf of plaintiffs Chasom Brown, Maria Nguyen, and William Byatt, sought to hold Google accountable for making misleading statements about privacy.
[…]
“Despite its representations that users are in control of what information Google will track and collect, Google’s various tracking tools, including Google Analytics and Google Ad Manager, are actually designed to automatically track users when they visit webpages – no matter what settings a user chooses,” the complaint claims. “This is true even when a user browses in ‘private browsing mode.’”
Chrome’s Incognito mode only provides privacy in the client by not keeping a locally stored record of the user’s browsing history. It does not shield website visits from Google.
[…]
During the discovery period from September 2020 through March 2022, Google produced more than 5.8 million pages of documents. Even so, it was sanctioned nearly $1 million in 2022 by Magistrate Judge Susan van Keulen – for concealing details about how it can detect when Chrome users employ Incognito mode.
What the plaintiffs’ legal team found might have been difficult to explain at trial.
“Google employees described Chrome Incognito Mode as ‘misleading,’ ‘effectively a lie,’ a ‘confusing mess,’ a ‘problem of professional ethics and basic honesty,’ and as being ‘bad for users, bad for human rights, bad for democracy,’” according to the declaration [PDF] of Mark C Mao, a partner with the law firm of Boies Schiller Flexner LLP, which represents the plaintiffs.
[…]
On December 26 last year the plaintiffs and Google agreed to settle the case. The plaintiffs’ attorneys have suggested the relief provided by the settlement is worth $5 billion – but nothing will be paid, yet.
The settlement covers two classes of people, one of which excludes those using Incognito mode while logged into their Google Account:
Class 1: All Chrome browser users with a Google account who accessed a non-Google website containing Google tracking or advertising code using such browser and who were (a) in “Incognito mode” on that browser and (b) were not logged into their Google account on that browser, but whose communications, including identifying information and online browsing history, Google nevertheless intercepted, received, or collected from June 1, 2016 through the present.
Class 2: All Safari, Edge, and Internet Explorer users with a Google account who accessed a non-Google website containing Google tracking or advertising code using such browser and who were (a) in a “private browsing mode” on that browser and (b) were not logged into their Google account on that browser, but whose communications, including identifying information and online browsing history, Google nevertheless intercepted, received, or collected from June 1, 2016 through the present.
The settlement [PDF] requires that Google: inform users that it collects private browsing data, both in its Privacy Policy and in an Incognito Splash Screen; “delete and/or remediate billions of data records that reflect class members’ private browsing activities”; block third-party cookies in Incognito mode for the next five years (separately, Google is phasing out third-party cookies this year); and delete the browser signals that indicate when private browsing mode is active, to prevent future tracking.
[…]
The class of affected people has been estimated to number about 136 million.
It will become mandatory for payment service providers, such as banks, that offer standard credit transfers in euros to offer the sending and receipt of instant payments in euros. The regulation relating to this has now been published.
Thanks to the regulation, people will be able to transfer money within 10 seconds at any time of the day.
The situation varies widely from Member State to Member State as regards the availability of instant payments and any associated fees. At the beginning of 2022, only 11 percent of all euro transfers in the EU were instant.
On October 26, 2022, the European Commission presented a proposal for a regulation on instant payments in euros. With the proposal, the Commission fulfilled a key commitment in its 2020 Retail Payments Strategy.
The regulation provides for a longer transition period for countries outside the eurozone, as they need more time to adapt to the new rules.
It’s pretty silly that it’s 2024 and only now are database bits being forced to flip within 10 seconds, but that shows how long overdue this kind of regulation is.
On 28 February, the European Parliament gave its final approval to the Digital Identity Regulation, with 335 votes to 190 and 31 abstentions. It was adopted by the EU Council of Ministers on 26 March. The next step will be its publication in the Official Journal and its entry into force 20 days later.
The regulation introduces the EU Digital Identity Wallet, which will allow citizens to identify and authenticate themselves online to a range of public and private services, as well as store and share digital documents. Wallet users will also be able to create free digital signatures.
The EU Digital Identity Wallet will be used on a voluntary basis, and no one can be discriminated against for not using the wallet. The wallet will be open-source, to further encourage transparency, innovation, and enhance security.
Open-source code and new version of the ARF released for public feedback.
The open-source code of the EU Digital Identity Wallet and the latest version of the Architecture and Reference Framework (ARF) are now available on our GitHub.
Version 1.3 of the ARF is now available to the public, to gather feedback before its adoption by the expert group. The ARF outlines how wallets distributed by Member States will function and contains a high-level overview of the standards and practices that are needed to build the wallet.
The open-source code of the wallet (also referred to as the reference implementation) is built on the specifications outlined in the ARF. It is based on a modular architecture composed of a set of business-agnostic, reusable components, which will evolve in incremental steps and can be reused across multiple projects.
[…]
Large Scale Pilot projects are currently test-driving the many use cases of the EU Digital Identity Wallet in the real world.
To decide how best to implement their cars’ touchscreens, Aston designers went out and sampled a range of vehicles, using their controls and noting the steps necessary to activate certain functions. Any feature that was expected to be immediately available but wasn’t triggered the “piss-off factor.”
The new Vantage is a good example of Aston’s design philosophy. It has a touchscreen, but it’s accompanied by many physical buttons, switches, and knobs. Nurnberger told CarExpert that Aston considered moving the seat controls into the touchscreen, but owners said they like to adjust their seat on the move depending on how they’re driving, and touchscreen-based settings are cumbersome and unsafe to use on the fly. The same thinking applies to volume and HVAC-related inputs.
“That’s the thing about the piss-off factor. When you want it, you want it instantly,” said Nurnberger. “If you want to turn the volume up and down, temperature absolutely—the minute you’ve got to go into a screen and tap for temperature, you’ve lost the customer. You’ve lost the experience.”
Aston is echoing what so many of us have already been saying. I think we can all agree that more button-heavy interiors are preferred. Touchscreens require more mental effort to use while simultaneously offering zero tactile feedback—frustrating at best and downright dangerous at worst. The automaker’s approach is a simple and sensible one that the entire industry should follow, especially brands that sell cars most of us can actually afford: if it pisses people off, don’t do it.