The Linkielist

Linking ideas with the world

Carmakers Must Bring Back Buttons for safety, Says Europe

Key dashboard touchscreen functions will soon be kicked into touch and physical switches will be required instead for car manufacturers to be granted the highest safety ratings.

Euro NCAP, the automotive safety industry body for Europe, is introducing new guidance for 2026 which means that five important tasks in every car will have to be performed by actual buttons instead of by accessing a screen.

Indicators, hazard warning lights, windscreen wipers, horn, and SOS features will have to be controlled by proper switches in order for cars to be granted Euro NCAP’s coveted five star safety rating.

“The overuse of touchscreens is an industry-wide problem, with almost every vehicle-maker moving key controls onto central touchscreens, obliging drivers to take their eyes off the road and raising the risk of distraction crashes,” explained Matthew Avery, director of strategic development at Euro NCAP.

“New Euro NCAP tests due in 2026 will encourage manufacturers to use separate, physical controls for basic functions in an intuitive manner, limiting eyes-off-road time and therefore promoting safer driving.”

Several manufacturers have already come under fire for excessively complex touch screen controls forcing drivers to access menu after menu to adjust seats, mirrors and ventilation—we’re especially looking at you Tesla and VW.

Although it won’t be mandatory to comply with Euro NCAP’s new rules car makers that don’t will lose valuable points in their safety ratings. It sounds like a sensible idea—a positive move in the battle against distracted driving—and one, that, hopefully, the NHTSA will follow.

Source: Carmakers Must Bring Back Buttons, Says Europe – Hagerty Media

It’s a shame they are not also including radio station buttons, which BMW has removed in its latest iteration.

Microsoft calls NYT copyright claims ‘doomsday futurology’ – also, VCRs are legal too

Microsoft is coming out swinging over claims by the New York Times that the Windows giant and OpenAI infringed copyright by using its articles to build ChatGPT and other models.

In yesterday’s filing [PDF], Microsoft’s lawyers recall the early 1980s efforts of the Motion Picture Association to stifle the growth of VCR technology, likening it to the legal efforts of the New York Times (NYT) to stop OpenAI in their work on the “latest profound technological advance.”

The motion describes the NYT’s allegations that the use of GPT-based products “harms The Times,” and “poses a mortal threat to independent journalism” as “doomsday futurology.”

[…]

Microsoft’s response doesn’t appear to suggest that content has not been lifted. Instead, it says: “Despite The Times’s contentions, copyright law is no more an obstacle to the LLM than it was to the VCR (or the player piano, copy machine, personal computer, internet, or search engine.)”

[…]

In its demands for the dismissal of the three claims in particular, the motion points out that Microsoft shouldn’t be held liable for end-user copyright infringement through GPT-based tools. It also says that to get the NYT content regurgitated, a user would need to know the “genesis of that content.”

“And in any event, the outputs the Complaint cites are not copies of works at all, but mere snippets.”

Finally, the filing delves into the murky world of “fair use,” the American copyright law, which is relatively permissive in the US compared to other legal jurisdictions.

OpenAI hit back at the NYT last month and accused the company of paying someone to “hack” ChatGPT in order to persuade it to spit out those irritatingly verbatim copies of NYT content.

[…]

Source: Microsoft calls NYT copyright claims ‘doomsday futurology’ • The Register

For more illustrations about how much nonsense the New York Times suit is, have a look here

Rooster Teeth (Red vs Blue) Shut Down By WB Discovery After Two Decades

Rooster Teeth, a Warner Bros. Discovery Global Streaming & Interactive Entertainment subsidiary, is ending operations after 20+ years. The news was announced on March 6 in a company memo and blog post on the digital content creator’s site.

Earlier today, the news of Rooster Teeth shutting down was first shared at an all-hands company meeting followed by an internal memo from RT’s general manager, Jordan Levin. This memo was then posted alongside a message from community director Chelsea Atkinson confirming that the site was winding down, and adding that a livestream about the shutdown was planned for tomorrow, March 7.

“Since inheriting ownership and control of Rooster Teeth from AT&T following its acquisition of TimeWarner, Warner Bros. Discovery continued its investment in our company, content, and community,” said Levin in the memo.

“Now however, it’s with a heavy heart I announce that Rooster Teeth is shutting down due to challenges facing digital media resulting from fundamental shifts in consumer behavior and monetization across platforms, advertising, and patronage.”

[…]

Rooster Teeth started back in 2003 in Texas. It was founded by Burnie Burns, Matt Hullum, Geoff Ramsey, Jason Saldaña, Gus Sorola, and Joel Heyman. The company’s first big hit was the Halo machinima series, Red Vs. Blue. That show would become incredibly popular, leading to millions of views, DVDs, spin-offs, and loads of merchandise. Elijah Wood even had a role in one season. The show’s 19th and final season is still set to arrive later this year.

[…]

Source: Rooster Teeth Shut Down By WB Discovery After Two Decades

Alternative iPhone app stores stop working when you travel outside of the EU

iOS 17.4 is the first version of Apple’s operating system to comply with the regulatory framework of the European Digital Markets Act. Apple must also support alternative app stores, where apps can be installed outside the App Store.

The availability of this functionality is geographically limited to the EU, and Apple has revealed for the first time that alternative app stores will stop working if you leave the EU for too long.

Furthermore, your Apple ID must be set to one of the following countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.

The exact period during which you can travel outside the EU is not specified.

Source: Alternatieve iPhone appwinkels werken niet meer als je buiten de EU reist – Emerce

Hackers exploited Windows 0-day for 6 months after Microsoft knew of it

[…]

Even after Microsoft patched the vulnerability last month, the company made no mention that the North Korean threat group Lazarus had been using the vulnerability since at least August to install a stealthy rootkit on vulnerable computers. The vulnerability provided an easy and stealthy means for malware that had already gained administrative system rights to interact with the Windows kernel. Lazarus used the vulnerability for just that. Even so, Microsoft has long said that such admin-to-kernel elevations don’t represent the crossing of a security boundary, a possible explanation for the time Microsoft took to fix the vulnerability.

A rootkit “holy grail”

“When it comes to Windows security, there is a thin line between admin and kernel,” Jan Vojtěšek, a researcher with security firm Avast, explained last week. “Microsoft’s security servicing criteria have long asserted that ‘[a]dministrator-to-kernel is not a security boundary,’ meaning that Microsoft reserves the right to patch admin-to-kernel vulnerabilities at its own discretion. As a result, the Windows security model does not guarantee that it will prevent an admin-level attacker from directly accessing the kernel.”

The Microsoft policy proved to be a boon to Lazarus in installing “FudModule,” a custom rootkit that Avast said was exceptionally stealthy and advanced.

[…]

In years past, Lazarus and other threat groups have reached this last threshold mainly by exploiting third-party system drivers, which by definition already have kernel access. To work with supported versions of Windows, third-party drivers must first be digitally signed by Microsoft to certify that they are trustworthy and meet security requirements. In the event Lazarus or another threat actor has already cleared the admin hurdle and has identified a vulnerability in an approved driver, they can install it and exploit the vulnerability to gain access to the Windows kernel. This technique—known as BYOVD (bring your own vulnerable driver)—comes at a cost, however, because it provides ample opportunity for defenders to detect an attack in progress.

The vulnerability Lazarus exploited, tracked as CVE-2024-21338, offered considerably more stealth than BYOVD because it exploited appid.sys, a driver enabling the Windows AppLocker service, which comes preinstalled in the Microsoft OS. Avast said such vulnerabilities represent the “holy grail,” as compared to BYOVD.

In August, Avast researchers sent Microsoft a description of the zero-day, along with proof-of-concept code that demonstrated what it did when exploited. Microsoft didn’t patch the vulnerability until last month. Even then, the disclosure of the active exploitation of CVE-2024-21338 and details of the Lazarus rootkit came not from Microsoft in February but from Avast 15 days later. A day later, Microsoft updated its patch bulletin to note the exploitation.

[…]

Source: Hackers exploited Windows 0-day for 6 months after Microsoft knew of it | Ars Technica

Millions of research papers at risk of disappearing from the Internet

More than one-quarter of scholarly articles are not being properly archived and preserved, a study of more than seven million digital publications suggests. The findings, published in the Journal of Librarianship and Scholarly Communication on 24 January, indicate that systems to preserve papers online have failed to keep pace with the growth of research output.

“Our entire epistemology of science and research relies on the chain of footnotes,” explains author Martin Eve, a researcher in literature, technology and publishing at Birkbeck, University of London. “If you can’t verify what someone else has said at some other point, you’re just trusting to blind faith for artefacts that you can no longer read yourself.”

[…]

The sample of DOIs included in the study was made up of a random selection of up to 1,000 registered to each member organization. Twenty-eight per cent of these works — more than two million articles — did not appear in a major digital archive, despite having an active DOI. Only 58% of the DOIs referenced works that had been stored in at least one archive. The other 14% were excluded from the study because they were published too recently, were not journal articles or did not have an identifiable source.

Preservation challenge

Eve notes that the study has limitations: namely that it tracked only articles with DOIs, and that it did not search every digital repository for articles (he did not check whether items with a DOI were stored in institutional repositories, for example).

[…]

“Everybody thinks of the immediate gains they might get from having a paper out somewhere, but we really should be thinking about the long-term sustainability of the research ecosystem,” Eve says. “After you’ve been dead for 100 years, are people going to be able to get access to the things you’ve worked on?”

doi: https://doi.org/10.1038/d41586-024-00616-5

Source: Millions of research papers at risk of disappearing from the Internet

Want to Steal a Tesla? set up a guest wifi with a fake site, steal the password and make your own key

Security researchers report they uncovered a design flaw that let them hijack a Tesla using a Flipper Zero, a controversial $169 hacking tool. Partners Tommy Mysk and Talal Haj Bakry of Mysk Inc. said the attack is as simple as swiping a Tesla owner’s login information, opening the Tesla app, and driving away. The victim would have no idea they lost their $40,000 vehicle. Mysk said the exploit takes minutes, and to prove it all works, he stole his own car.

The issue isn’t “hacking” in the sense of breaking into software, it’s a social engineering attack that fools a user into handing over their information. Using a Flipper, the researchers set up a WiFi network called “Tesla Guest,” the name Tesla uses for its guest networks at service centers. Mysk then created a website that looks like Tesla’s login page.

The process is simple. In this scenario, hackers could broadcast the network near a charging station, where a bored driver might be looking for entertainment. The victim connects to the WiFi network and enters their username and password on the fake Tesla website. The hacker then uses the credentials to log in to the real Tesla app, which triggers a two-factor authentication code. The victim enters that code into the fake website, and the thief gains access to their account. Once you’re logged into the Tesla app, you can set up a “phone key” which lets you unlock and control the car over Bluetooth with a smartphone. From there, the car is yours.

According to Mysk, Tesla doesn’t notify users when new keys are created, so the victim wouldn’t know they’ve been compromised. Mysk said the bad guys wouldn’t need to steal the car right away, either, because the app shows you the physical location of the vehicle. The Tesla owner could finish charging the car and drive off to go shopping or park outside their house. The thief would just watch the car’s location using the app, and then waltz up at an opportune moment and drive away.

“This means with a leaked email and password, an owner could lose their Tesla vehicle.

[…]

Source: Want to Steal a Tesla? Try Using a Flipper Zero

EU fines Apple nearly $2B over in-app music purchases

Apple’s anti-steering provisions that prevent music streaming apps from directing users outside the App Store for paid services were smacked down in the European Union today and earned the iGiant a fine of more than €1.8 billion ($1.95 billion).

The European Commission said Apple’s policies “amount to unfair trading conditions” and “are neither necessary nor proportionate for the protection of Apple’s commercial interests.”

“Apple will have to open the gates to its ecosystem, to allow end users to easily find the apps they want, pay for them in any way they want, and use them on any device they want,” EU antitrust chief Margrethe Vestager said of the decision.

Apple’s anti-steering rules have prevented developers from directing users outside the App Store – thereby circumventing Apple’s 30 percent commission – for in-app purchases and subscriptions. As part of the EC decision, Apple is being forced to end the use of anti-steering provisions in the bloc, but this restriction applies only to music streaming apps, an EC spokesperson told The Register.

Vestager described Apple’s anti-competitive conduct as having gone on for nearly a decade, resulting in iOS users paying “significantly higher prices for music streaming subscriptions.” The anti-steering provisions also led to a “degraded user experience,” Vestager said, as users were forced to “engage in a cumbersome search” to find cheaper prices outside the App Store because the anti-steering rule also prevented developers from telling users about cheaper prices available elsewhere.

[…]

Source: EU fines Apple nearly $2B over in-app purchases • The Register

Satellites Step Up After Red Sea Internet Cables Get Severed

[…] Earlier this week, four out of 15 communication cables were cut, disrupting network traffic that flows through the Red Sea. The damaged cables affected 25% of traffic between Asia, Europe, and the Middle East, according to Hong Kong telecoms company HGC Global Communications. The cause of the damage is still unknown, and the company is working on a fix, which it referred to as an “exceptionally rare occurrence.” Although HGC did not reveal the cause behind the damaged cables, a U.S. National Security Council spokesperson blamed it on the anchor of a cargo ship that was sunk by the Houthi group in Yemen. The Houthis, however, issued a statement denying its involvement.

Regardless of the cause, satellite companies have stepped up by beaming connectivity from space to reroute some of that impacted traffic. Satellite operators such as Intelsat are providing back up connectivity to fill in the gaps for the severed cables, SpaceNews reported.

Intelsat has a fleet of 52 communication satellites in orbit, providing broadband internet and offering airline passengers inflight connectivity. Other companies, like Eutelsat OneWeb, SES, and, more famously, SpaceX are also in the business of beaming connectivity from Earth orbit.

The recent incident, although rare, does offer a glimpse into what a hybrid connectivity solution would look like, providing internet from both underwater cables, as well as orbital satellites. Subsea customers, or those getting internet from both ends, can restore their connectivity within 15 minutes should there be an issue with a terrestrial provider, Rhys Morgan, regional vice president for Intelsat, told SpaceNews.

[…]

Source: Satellites Step Up After Red Sea Internet Cables Get Severed

VMware sandbox escape bugs are so critical, patches are released for end-of-life products – also, remove all your USB products now

VMware is urging customers to patch critical vulnerabilities that make it possible for hackers to break out of sandbox and hypervisor protections in all versions, including out-of-support ones, of VMware ESXi, Workstation, Fusion, and Cloud Foundation products.

A constellation of four vulnerabilities—two carrying severity ratings of 9.3 out of a possible 10—are serious because they undermine the fundamental purpose of the VMware products, which is to run sensitive operations inside a virtual machine that’s segmented from the host machine. VMware officials said that the prospect of a hypervisor escape warranted an immediate response

[…]

A VMware advisory included the following matrix showing how the vulnerabilities—tracked as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255—affect each of the vulnerable products:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version [1] | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| ESXi | 8.0 | Any | CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255 | 8.4, 8.4, 7.9, 7.1 | critical | ESXi80U2sb-23305545 | KB96682 | FAQ |
| ESXi | 8.0 [2] | Any | CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255 | 8.4, 8.4, 7.9, 7.1 | critical | ESXi80U1d-23299997 | KB96682 | FAQ |
| ESXi | 7.0 | Any | CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255 | 8.4, 8.4, 7.9, 7.1 | critical | ESXi70U3p-23307199 | KB96682 | FAQ |
| Workstation | 17.x | Any | CVE-2024-22252, CVE-2024-22253, CVE-2024-22255 | 9.3, 9.3, 7.1 | critical | 17.5.1 | KB96682 | None |
| Fusion | 13.x | MacOS | CVE-2024-22252, CVE-2024-22253, CVE-2024-22255 | 9.3, 9.3, 7.1 | critical | 13.5.1 | KB96682 | None |

Three of the vulnerabilities affect the USB controller the products use to support peripheral devices such as keyboards and mice. The advisory describes the vulnerabilities as:

CVE-2024-22252: a use-after-free vulnerability in XHCI USB controller with a maximum severity range of 9.3 for Workstation/Fusion and a base score of 8.4 for ESXi. Someone with local administrative privileges on a virtual machine can execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox, whereas, on Workstation and Fusion, this could lead to code execution on the machine where Workstation or Fusion is installed.

CVE-2024-22253: a use-after-free vulnerability in UHCI USB controller with a maximum severity rating of 9.3 for Workstation/Fusion and a base score of 8.4 for ESXi. Exploitation requirements and outcomes are the same as for CVE-2024-22252.

CVE-2024-22254: an out-of-bounds write vulnerability with a maximum severity base score of 7.9. This vulnerability makes it possible for someone with privileges within the VMX process to trigger an out-of-bounds write, leading to a sandbox escape.

CVE-2024-22255: an information disclosure vulnerability in the UHCI USB controller with a maximum CVSSv3 base score of 7.1. Someone with administrative access to a virtual machine can exploit it to leak memory from the vmx process.

Broadcom, the VMware parent company, is urging customers to patch vulnerable products. As a workaround, users can remove USB controllers from vulnerable virtual machines, but Broadcom stressed that this measure could degrade virtual console functionality and should be viewed as only a temporary solution.
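To apply the USB-controller workaround described above, an administrator first needs to know which virtual machines still have a controller attached. The following is an added example, not code from VMware, Broadcom or the quoted article: it audits .vmx configuration text and maps each enabled controller to the CVEs listed above. The .vmx key names (`usb.present`, `usb_xhci.present`, `ehci.present`) are assumed from common VMware configuration files and are not taken from the advisory; the sample files are constructed.

```python
import re

# Assumed .vmx keys that enable each virtual USB controller, mapped to the
# CVEs the advisory excerpt attributes to that controller type.
USB_CONTROLLER_KEYS = {
    "usb.present": ("UHCI", ["CVE-2024-22253", "CVE-2024-22255"]),
    "usb_xhci.present": ("XHCI", ["CVE-2024-22252"]),
    # EHCI is not named in the excerpt; it is still a USB controller that the
    # "remove USB controllers" workaround would cover.
    "ehci.present": ("EHCI", []),
}

# A .vmx line has the form: key = "value"
_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return {lowercased key: value}; comments and malformed lines are skipped.

    Keys are lowercased so that a differently-cased key cannot hide a
    controller from the audit (a defensive choice, not documented behaviour).
    If a key appears twice, the last occurrence wins.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _VMX_LINE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def audit_usb_controllers(text):
    """List the USB controllers enabled in one .vmx file."""
    settings = parse_vmx(text)
    findings = []
    for key, (name, cves) in USB_CONTROLLER_KEYS.items():
        if settings.get(key, "FALSE").strip().upper() == "TRUE":
            findings.append({"controller": name, "key": key, "cves": list(cves)})
    return findings


def exposure_summary(vmx_by_name):
    """Map VM name -> enabled controllers and the union of relevant CVEs.

    VMs with no USB controller enabled are omitted from the result.
    """
    summary = {}
    for vm_name, text in vmx_by_name.items():
        findings = audit_usb_controllers(text)
        if findings:
            cves = sorted({c for f in findings for c in f["cves"]})
            summary[vm_name] = {
                "controllers": [f["controller"] for f in findings],
                "cves": cves,
            }
    return summary


# Constructed sample configurations (not real VMs).
SAMPLE_VMX_A = '''\
.encoding = "UTF-8"
displayName = "build-agent-01"
guestOS = "ubuntu-64"
usb.present = "TRUE"
ehci.present = "TRUE"
usb_xhci.present = "FALSE"
'''

SAMPLE_VMX_B = '''\
displayName = "win11-test"
# USB 3 controller left over from the VM template
USB_XHCI.present = "true"
'''

SAMPLE_VMX_C = '''\
displayName = "hardened-db"
usb.present = "FALSE"
'''

if __name__ == "__main__":
    fleet = {"build-agent-01": SAMPLE_VMX_A,
             "win11-test": SAMPLE_VMX_B,
             "hardened-db": SAMPLE_VMX_C}
    for vm, info in exposure_summary(fleet).items():
        print(vm, info["controllers"], info["cves"] or "no CVE listed in excerpt")
```

Removing a controller is only the temporary measure the advisory describes; VMs flagged here still need the fixed versions from the matrix.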

[…]

Source: VMware sandbox escape bugs are so critical, patches are released for end-of-life products | Ars Technica

Biden executive order aims to stop a few countries from buying Americans’ personal data – a watered down EU GDPR

[…]

President Joe Biden will issue an executive order that aims to limit the mass-sale of Americans’ personal data to “countries of concern,” including Russia and China. The order specifically targets the bulk sale of geolocation, genomic, financial, biometric, health and other personally identifying information.

During a briefing with reporters, a senior administration official said that the sale of such data to these countries poses a national security risk. “Our current policies and laws leave open access to vast amounts of American sensitive personal data,” the official said. “Buying data through data brokers is currently legal in the United States, and that reflects a gap in our national security toolkit that we are working to fill with this program.”

Researchers and privacy advocates have long warned about the national security risks posed by the largely unregulated multibillion-dollar data broker industry. Last fall, researchers at Duke University reported that they were able to easily buy troves of personal and health data about US military personnel while posing as foreign agents.

Biden’s executive order attempts to address such scenarios. It bars data brokers and other companies from selling large troves of Americans’ personal information to countries or entities in Russia, China, Iran, North Korea, Cuba and Venezuela either directly or indirectly.

[…]

As the White House points out, there are currently few regulations for the multibillion-dollar data broker industry. The order will do nothing to slow the bulk sale of Americans’ data to countries or companies not deemed to be a security risk. “President Biden continues to urge Congress to do its part and pass comprehensive bipartisan privacy legislation, especially to protect the safety of our children,” a White House statement says.

Source: Biden executive order aims to stop Russia and China from buying Americans’ personal data

Too little, not enough, way way way too late.

AI outperforms humans in standardized tests of creative potential

[…]

Divergent thinking is characterized by the ability to generate a unique solution to a question that does not have one expected solution, such as “What is the best way to avoid talking about politics with my parents?” In the study, GPT-4 provided more original and elaborate answers than the human participants

[…]

The three tests utilized were the Alternative Use Task, which asks participants to come up with creative uses for everyday objects like a rope or a fork; the Consequences Task, which invites participants to imagine possible outcomes of hypothetical situations, like “what if humans no longer needed sleep?”; and the Divergent Associations Task, which asks participants to generate 10 nouns that are as semantically distant as possible. For instance, there is not much semantic distance between “dog” and “cat” while there is a great deal between words like “cat” and “ontology.”

Answers were evaluated for the number of responses, length of response and semantic difference between words. Ultimately, the authors found that “Overall, GPT-4 was more original and elaborate than humans on each of the divergent thinking tasks, even when controlling for fluency of responses. In other words, GPT-4 demonstrated higher creative potential across an entire battery of divergent thinking tasks.”

This finding does come with some caveats. The authors state, “It is important to note that the measures used in this study are all measures of creative potential, but the involvement in creative activities or achievements are another aspect of measuring a person’s creativity.” The purpose of the study was to examine human-level creative potential, not necessarily people who may have established creative credentials.

Hubert and Awa further note that “AI, unlike humans, does not have agency” and is “dependent on the assistance of a human user. Therefore, the creative potential of AI is in a constant state of stagnation unless prompted.”

Also, the researchers did not evaluate the appropriateness of GPT-4 responses. So while the AI may have provided more responses and more original responses, human participants may have felt they were constrained by their responses needing to be grounded in the real world.

[…]

Whether the tests are perfect measures of human creative potential is not really the point. The point is that large language models are rapidly progressing and outperforming humans in ways they have not before. Whether they are a threat to replace human creativity remains to be seen. For now, the authors continue to see “Moving forward, future possibilities of AI acting as a tool of inspiration, as an aid in a person’s creative process or to overcome fixedness is promising.”

Source: AI outperforms humans in standardized tests of creative potential | ScienceDaily

Investigators seek push notification metadata in 130 cases – this is scarier than you think

More than 130 petitions seeking access to push notification metadata have been filed in US courts, according to a Washington Post investigation – a finding that underscores the lack of privacy protection available to users of mobile devices.

The poor state of mobile device privacy has provided US state and federal investigators with valuable information in criminal investigations involving suspected terrorism, child sexual abuse, drugs, and fraud – even when suspects have tried to hide their communications using encrypted messaging.

But it also means that prosecutors in states that outlaw abortion could demand such information to geolocate women at reproductive healthcare facilities. Foreign governments may also demand push notification metadata from Apple, Google, third-party push services, or app developers for their own criminal investigations or political persecutions. Concern has already surfaced that they may have done so for several years.

In December 2023, US senator Ron Wyden (D-OR) sent a letter to the Justice Department about a tip received by his office in 2022 indicating that foreign government agencies were demanding smartphone push notification records from Google and Apple.

[…]

Apple and Google operate push notification services that relay communication from third-party servers to specific applications on iOS and Android phones. App developers can encrypt these messages when they’re stored (in transit they’re protected by TLS) but the associated metadata – the app receiving the notification, the time stamp, and network details – is not encrypted.

[…]

push notification metadata is extremely valuable to marketing organizations, to app distributors like Apple and Google, and also to government organizations and law enforcement agencies.

“In 2022, one of the largest push notification companies in the world, Pushwoosh, was found to secretly be a Russian company that deceived both the CDC and US Army into installing their technology into specific government apps,” said Edwards.

“These types of scandals are the tip of the iceberg for how push notifications can be abused, and why countless serious organizations focus on them as a source of intelligence,” he explained.

“If you sign up for push notifications, and travel around to unique locations, as the messages hit your device, specific details about your device, IP address, and location are shared with app stores like Apple and Google,” Edwards added. “And the push notification companies who support these services typically have additional details about users, including email addresses and user IDs.”

Edwards continued that other identifiers may further deprive people of privacy, noting that advertising identifiers can be connected to push notification identifiers. He pointed to Pushwoosh as an example of a firm that built its push notification ID using the iOS advertising ID.

“The simplest way to think about push notifications,” he said, is “they are just like little pre-scheduled messages from marketing vendors, sent via mobile apps. The data that is required to ‘turn on any push notification service’ is quite invasive and can unexpectedly reveal/track your location/store your movement with a third-party marketing company or one of the app stores, which is merely a court order or subpoena away from potentially exposing those personal details.”

Source: Investigators seek push notification metadata in 130 cases • The Register

Also see: Governments, Apple, Google spying on users through push notifications – they all go through Apple and Google servers (unencrypted?)!

Apple reverses hissy fit decision to remove Home Screen web apps in EU

Apple has reversed its decision to limit the functionality of Home Screen web apps in Europe following an outcry from the developer community and the prospect of further investigation.

“We have received requests to continue to offer support for Home Screen web apps in iOS, therefore we will continue to offer the existing Home Screen web apps capability in the EU,” the iPhone giant said in an update to its developer documentation on Friday.

“This support means Home Screen web apps continue to be built directly on WebKit and its security architecture, and align with the security and privacy model for native apps on iOS.”

Apple said Home Screen web app support would return with the general availability of iOS 17.4, presently in beta testing and due in the next few days.

[…]

In January, Apple said it would make several changes to its iOS operating system to comply with the law. These include: Allowing third-party app stores; making its NFC hardware accessible to third-party developers for contactless payment applications; and supporting third-party browser engines as alternatives to Safari’s WebKit.

Last month, with the second beta release of iOS 17.4, it became clear Apple would impose a cost for its concessions. The iCloud goliath said, “to comply with the DMA’s requirements, we had to remove the Home Screen web apps feature in the EU.”

Essentially, Apple has to support third-party browser engines in the EU, the biz didn’t want PWAs to use those non-WebKit engines, and so it chose to just banish the web apps from its Home Screen. Now it’s changed its mind and allowed the apps to stay albeit using WebKit.

For those not in the know: The Home Screen web apps feature refers to one of the capabilities afforded to Progressive Web Apps that makes them perform and appear more like native iOS apps. It allows web apps or websites to be opened from an iOS device and take over the whole screen, just like a native app, instead of loading within a browser window.

[…]

Apple’s demotion of Home Screen web apps broke settings integration, browser storage, push notifications, icon badging, share-to-PWA, app shortcuts, and device APIs.

“Cupertino’s attempt to scuttle PWAs under cover of chaos is exactly what it appears to be: a shocking attempt to keep the web from ever emerging as a true threat to the App Store and blame regulators for Apple’s own malicious choices,”

[…]

In response to Apple’s about-face, OWA credited both vocal protests from developers and the reported decision by regulators to open an investigation into Apple’s abandonment of Home Screen web app support.

[…]

“This simply returns us back to the status quo prior to Apple’s plan to sabotage web apps for the EU,” the group said. “Apple’s over-a-decade suppression of the web in favor of the App Store continues worldwide, and their attempt to destroy web apps in the EU is just their latest attempt.

“If there is to be any silver lining, it is that this has thoroughly exposed Apple’s genuine fear of a secure, open and interoperable alternative to their proprietary App Store that they can not control or tax.”

[…]

Source: Apple reverses decision to remove Home Screen web apps in EU • The Register

Apple has thrown a real tantrum about being forced to comply with the DMCA and whilst hammering hands and feet and rolling on the floor like a toddler who can’t get their way has broken a lot of stuff. Turns out they are now kind of fixing some of it.

See also: Shameless Insult, Malicious Compliance, Junk Fees, Extortion Regime: Industry Reacts To Apple’s Proposed Changes Over Digital Markets Act

HDMI Forum blocks AMD open sourcing drivers due to 2.1

As spotted by Linux benchmarking outfit Phoronix, AMD is having problems releasing certain versions of open-source drivers it’s developed for its GPUs – because, according to the Ryzen processor designer, the HDMI Forum won’t allow the code to be released as open source. Specifically, we’re talking about AMD’s FOSS drivers for HDMI 2.1 here.

For some years, AMD GPU customers running Linux have faced difficulties getting high-definition, high-refresh-rate displays connected over HDMI 2.1 to work correctly.

[…]

The issue isn’t missing drivers: AMD has already developed them under its GPU Open initiative. As AMD developer Alex Deucher put it in two different comments on the Freedesktop.org forum:

HDMI 2.1 is not available on Linux due to the HDMI Forum.

The HDMI Forum does not currently allow an open source HDMI 2.1 implementation.

The High-Definition Multimedia Interface is not just a type of port into which to plug your monitor. It’s a whole complex specification, of which version 2.1, the latest, was published in 2017.

[…]

HDMI cables are complicated things, including copyright-enforcing measures called High-bandwidth Digital Content Protection (HDCP) – although some of those were cracked way back in 2010. As we reported when it came out, you needed new cables to get the best out of HDMI 2.1. Since then, that edition was supplemented by version 2.1b in August 2023 – so now, you may need even newer ones.

This is partly because display technology is constantly improving. 4K displays are old tech: We described compatibility issues a decade ago, and covered 4K gaming the following year.

Such high-quality video brings two consequences. On the one hand, the bandwidth the cables are expected to carry has increased substantially. On the other, some forms of copying or duplication involving a reduction in image quality – say, halving the vertical and horizontal resolution – might still result in a perfectly watchable quality copy.

[…]

As we have noted before, we prefer DisplayPort to HDMI, and one reason is that you can happily drive an HDMI monitor from a DisplayPort output using a cheap cable, or if you have an HDMI cable to hand, an inexpensive adapter. We picked a random example which is a bargain at under $5.

But the converse does not hold. You can’t drive a DisplayPort screen from an HDMI port. That needs an intelligent adaptor which can resample the image and regenerate a display. Saying that, they are getting cheaper, and for lower-quality video such as old VGA or SCART outputs, these days, a circa-$5 microcontroller board such as a Raspberry Pi Pico can do the job, and you can build your own.

Source: HDMI Forum ‘blocks AMD open sourcing its 2.1 drivers’ • The Register

Coinbase pulls rug. Crypto holder trading is disabled and all assets shown $0 to users. Bitcoin is shooting up currently at $61k highly volatile and history repeats itself. PTSD from GME buy button disable is real. Not your wallet, not your money.

Coinbase is pulling the rug right now.

Check their sub and witness the fire.


Update:
They are now excusing it all with this error.


Update 2:
I argue it is fully artificial override since when loading the webpage it does momentarily flicker your true asset value and it gets then updated to zero when page finishes loading, even after one purges the browser data. So their data comes through, it is just forced to go zero to disable trading. I wait to be debunked. I do have some funds over there purely for science.


Update 3:
I now see my assets again after 70 minutes since the initial downtime began, missing a lot of “valuable” volatility.
Trading is still disabled though.
And in particular BTC-USD advanced trading doesn’t seem to load whatsoever.


Update 4:
Mainstream seems to be making articles now to ensure people their assets are all “wasted” yet safe.
https://www.bnnbloomberg.ca/coinbase-tells-users-your-assets-are-safe-as-some-see-0-balance-1.2040524

…issues with Coinbase may have more significance these days, considering the outsized role the company plays in helping to manage the new spot-Bitcoin ETFs. Coinbase provides a variety of services to the fund issuers, including serving as custodian for eight of the 10 spot Bitcoin ETFs.

Source: Coinbase pulling the rug right now. Crypto holder trading is disabled and all assets shown $0 to users. Bitcoin is shooting up currently at $61k highly volatile and history repeats itself. PTSD from GME buy button disable is real. Not your wallet, not your money. : Superstonk

Basically trading from Coinbase has been suspended now that BTC is flying up. A bit like how Robinhood and a few other traders stopped people from selling Gamestop when it flew up.

Scammers Are Now Scanning Faces To Defeat Age Verification Biometric Security Measures

For quite some time now we’ve been pointing out the many harms of age verification technologies, and how they’re a disaster for privacy. In particular, we’ve noted that if you have someone collecting biometric information on people, that data itself becomes a massive risk since it will be targeted.

And, remember, a year and a half ago, the Age Verification Providers Association posted a comment right here on Techdirt saying not to worry about the privacy risks, as all they wanted to do was scan everyone’s face to visit a website (perhaps making you turn to the left or right to prove “liveness”).

Anyway, now a report has come out that some Chinese hackers have been tricking people into having their faces scanned, so that the hackers can then use the resulting scan to access accounts.

Attesting to this, cybersecurity company Group-IB has discovered the first banking trojan that steals people’s faces. Unsuspecting users are tricked into giving up personal IDs and phone numbers and are prompted to perform face scans. These images are then swapped out with AI-generated deepfakes that can easily bypass security checkpoints.

The method — developed by a Chinese-based hacking family — is believed to have been used in Vietnam earlier this month, when attackers lured a victim into a malicious app, tricked them into face scanning, then withdrew the equivalent of $40,000 from their bank account. 

Cool cool, nothing could possibly go wrong in now requiring more and more people to normalize the idea of scanning your face to access a website. Nothing at all.

And no, this isn’t about age verification, but still, the normalization of facial scanning is a problem, as it’s such an obvious target for scammers and hackers.

Source: As Predicted: Scammers Are Now Scanning Faces To Defeat Biometric Security Measures | Techdirt

EU to hit Apple with first ever fine in €500mn music streaming penalty

Brussels is to impose its first ever fine on tech giant Apple for allegedly breaking EU law over access to its music streaming services, according to five people with direct knowledge of the long-running investigation.

The fine, which is in the region of €500mn and is expected to be announced early next month, is the culmination of a European Commission antitrust probe into whether Apple has used its own platform to favour its services over those of competitors.

The probe is investigating whether Apple blocked apps from informing iPhone users of cheaper alternatives to access music subscriptions outside the App Store. It was launched after music-streaming app Spotify made a formal complaint to regulators in 2019.

The Commission will say Apple’s actions are illegal and go against the bloc’s rules that enforce competition in the single market, the people familiar with the case told the Financial Times. It will ban Apple’s practice of blocking music services from letting users outside its App Store switch to cheaper alternatives.

Brussels will accuse Apple of abusing its powerful position and imposing anti-competitive trading practices on rivals, the people said, adding that the EU would say the tech giant’s terms were “unfair trading conditions”.

It is one of the most significant financial penalties levied by the EU on big tech companies. A series of fines against Google levied over several years and amounting to about €8bn are being contested in court.

Apple has never previously been fined for antitrust infringements by Brussels, but the company was hit in 2020 with a €1.1bn fine in France for alleged anti-competitive behaviour. The penalty was revised down to €372mn after an appeal.

The EU’s action against Apple will reignite the war between Brussels and Big Tech at a time when companies are being forced to show how they are complying with landmark new rules aimed at opening competition and allowing small tech rivals to thrive.

Companies that are defined as gatekeepers, including Apple, Amazon and Google, need to fully comply with these rules under the Digital Markets Act by early next month.

The act requires these tech giants to comply with more stringent rules and will force them to allow rivals to share information about their services.

[…]

Source: EU to hit Apple with first ever fine in €500mn music streaming penalty

You can now mark up your Google Docs with handwritten notes on Android devices

Google Docs is getting an annotation feature that will let you mark up your documents just like you might with a pen and paper. With today’s update, announced at MWC 2024, Google Docs users on Android devices can use a finger or stylus to write notes, highlight text and circle words to their heart’s desire. Google says the feature will work on Android tablets and smartphones, so it’s got some real potential to give devices like foldables even more of a productivity boost. It should also make for a smoother way to sign digital documents.

Android users will have access to multiple pen colors and highlighters with the new annotation tool for Google Docs, which is good news for anyone who loves color-coding their notes. If the popularity of digital notebooks like reMarkable’s tablets or Amazon’s Kindle Scribe has taught us anything, it’s that, as speedy as typing may be, plenty of people still prefer writing by hand when it’s an option. The only thing this update seems to be missing is the ability to convert handwriting to text, which would allow for more extensive writing tasks.

[…]

Source: You can now mark up your Google Docs with handwritten notes on Android devices

Reggaeton Be Gone – use a Raspberry Pi to jam bluetooth speakers when reggaeton music comes on

[…]

Consider this scenario: Your wall-to-wall neighbor loves to blast Reggaeton music at full volume through a Bluetooth speaker every morning at 9 am. You have two options:

  • A. Knock on their door and politely ask them to lower the volume.
  • B. Build an AI device that can handle the situation more creatively.

Reggaeton Be Gone (the name is a homage to the TV-B-Gone device) will monitor room audio, identify the Reggaeton genre with Machine Learning, and trigger comm requests and packets to the Bluetooth speaker with the high goal of disabling it or at least disturbing the sound so much that the neighbor won’t have any option other than to turn it off.

[…]

Plans to make your own in the Source: Reggaeton Be Gone – Hackster.io

Nintendo files lawsuit against creators of Yuzu emulator

[…]

The 41-page lawsuit was filed against Tropic Haze, the company that makes Yuzu. (Nintendo also specifically references a person aliased as Bunnei, who leads development on Yuzu.) Yuzu is a free emulator that was released in 2018 months after the Nintendo Switch originally launched. The same folks who made Citra, a Nintendo 3DS emulator, made this one. Basically, it’s a piece of software that lets people play Nintendo Switch games on Windows PC, Linux, and Android devices. (It also runs on Steam Deck, which Valve showed — then wiped — in a Steam Deck video clip.) Emulators aren’t necessarily illegal, but pirating games to play on them is. But Nintendo said in its lawsuit that there’s no legal way to use Yuzu.

Nintendo argued that Yuzu executes codes that “defeat” Nintendo’s security measures, including decryption using “an illegally-obtained copy of prod.keys.”

“In other words, without Yuzu’s decryption of Nintendo’s encryption, unauthorized copies of games could not be played on PCs or Android devices,” Nintendo wrote in the lawsuit. As to the alleged damages created by Yuzu, Nintendo pointed to the release of The Legend of Zelda: Tears of the Kingdom. Tears of the Kingdom leaked almost two weeks earlier than the game’s May 12 release date. The pirated version of the game spread quickly; Nintendo said it was downloaded more than 1 million times before Tears of the Kingdom’s release date. People used Yuzu to play the game; Nintendo said more than 20% of download links pointed people to Yuzu.

Though Yuzu doesn’t give out pirated copies of games, Nintendo repeatedly said that most ROM sites point people toward Yuzu to play whatever games they’ve downloaded.

[…]

Nintendo is asking the court to shut down the emulator, and for damages. Polygon has reached out to Nintendo and Tropic Haze for comment.

The Tears of the Kingdom publisher is notoriously strict with its intellectual property. Nintendo’s won several lawsuits targeting pirated game sites like RomUniverse, where it was awarded more than $2 million in damages. Nintendo also notoriously went after an alleged Nintendo Switch hacker named Gary Bowser, who was arrested and charged for selling Switch hacks. Though he’s been released from prison, Bowser still owes Nintendo $10 million; he paid Nintendo $175 while in prison from money he earned working in the prison library and kitchen.

Source: Nintendo files lawsuit against creators of Yuzu emulator – Polygon

So if all the links point to the pirated copy of the game, why doesn’t Nintendo sue Google and Baidu and Yandex and all the other search engines that provide the links? Because they are huge and have massive lawyer engines. And Yuzu doesn’t. And also because providing links is not illegal, as has been seen again and again. Also, creating emulators is not illegal either, but the lawsuits will probably suffocate the company. The law is seriously broken.

Meta will start collecting much more “anonymized” data about Quest headset usage

Meta will soon begin “collecting anonymized data” from users of its Quest headsets, a move that could see the company aggregating information about hand, body, and eye tracking; camera information; “information about your physical environment”; and information about “the virtual reality events you attend.”

In an email sent to Quest users Monday, Meta notes that it currently collects “the data required for your Meta Quest to work properly.” Starting with the next software update, though, the company will begin collecting and aggregating “anonymized data about… device usage” from Quest users. That anonymized data will be used “for things like building better experiences and improving Meta Quest products for everyone,” the company writes.

A linked help page on data sharing clarifies that Meta can collect anonymized versions of any of the usage data included in the “Supplemental Meta Platforms Technologies Privacy Policy,” which was last updated in October. That document lists a host of personal information that Meta can collect from your headset, including:

  • “Your audio data, when your microphone preferences are enabled, to animate your avatar’s lip and face movement”
  • “Certain data” about hand, body, and eye tracking, “such as tracking quality and the amount of time it takes to detect your hands and body”
  • Fitness-related information such as the “number of calories you burned, how long you’ve been physically active, [and] your fitness goals and achievements”
  • “Information about your physical environment and its dimensions” such as “the size of walls, surfaces, and objects in your room and the distances between them and your headset”
  • “Voice interactions” used when making audio commands or dictations, including audio recordings and transcripts that might include “any background sound that happens when you use those services” (these recordings and transcriptions are deleted “immediately” in most cases, Meta writes)
  • Information about “your activity in virtual reality,” including “the virtual reality events you attend”

The anonymized collection data is used in part to “analyz[e] device performance and reliability” to “improve the hardware and software that powers your experiences with Meta VR Products.”

Meta’s help page also lists a small subset of “additional data” that headset users can opt out of sharing with Meta. But there’s no indication that Quest users can opt out of the new anonymized data collection policies entirely.

These policies only seem to apply to users who make use of a Meta account to access their Quest headsets, and those users are also subject to Meta’s wider data-collection policies. Those who use a legacy Oculus account are subject to a separate privacy policy that describes a similar but more limited set of data-collection practices.

Not a new concern

Meta is clear that the data it collects “is anonymized so it does not identify you.” But here at Ars, we’ve long covered situations where data that was supposed to be “anonymous” was linked back to personally identifiable information about the people who generated it. The FTC is currently pursuing a case against Kochava, a data broker that links de-anonymized geolocation data to a “staggering amount of sensitive and identifying information,” according to the regulator.

Concerns about VR headset data collection date back to when Meta’s virtual reality division was still named Oculus. Shortly after the launch of the Oculus Rift in 2016, Senator Al Franken (D-Minn.) sent an open letter to the company seeking information on “the extent to which Oculus may be collecting Americans’ personal information, including sensitive location data, and sharing that information with third parties.”

In 2020, the company then called Facebook faced controversy for requiring Oculus users to migrate to a Facebook account to continue using their headsets. That led to a temporary pause of Oculus headset sales in Germany before Meta finally offered the option to decouple its VR accounts from its social media accounts in 2022.

Source: Meta will start collecting “anonymized” data about Quest headset usage | Ars Technica

$500 drone calculates its position with camera, Google Maps

[…]

A team of drone enthusiasts have built a sub-$500 drone that uses a camera and Google Maps to provide itself with GPS co-ordinates, removing the need for a GPS satellite signal. And all of this was done in 24 hours during the El Segundo Defense Tech Hackathon.

[…]

The drone uses a camera mounted underneath it to position itself with imagery from Google Maps highlighting similarities in the images to get a rough estimate of the co-ordinates.

[…]

Google Maps allows users to download segments of maps ahead of time, usually for use when you are travelling or camping out in remote areas.

[…]

Without needing to rely on an external constellation of satellites, the GPS-free drone can continue operating on missions in GPS-denied environments, such as remote areas or those that have been jammed. Unlike Skydio’s approach, which uses cameras to position itself, using imagery that doesn’t rely on light to work means this drone can fly anywhere in the world it has imagery for at any time of the day or night.

[…]

Source: $500 drone calculates its position with camera, Google Maps

Vietnam to collect biometrics – even DNA – for new ID cards. Centralised databases never leak.

The Vietnamese government will begin collecting biometric information from its citizens for identification purposes beginning in July this year.

Prime minister Pham Minh Chinh instructed the nation’s Ministry of Public Security to collect the data in the form of iris scans, voice samples and actual DNA, in accordance with amendments to Vietnam’s Law on Citizen Identification.

The ID cards are issued to anyone over the age of 14 in Vietnam, and are optional for citizens between the ages of 6 and 14, according to a government news report.

Amendments to the Law on Citizen Identification that allow collection of biometrics passed on November 27 of last year.

The law allows recording of blood type among the DNA-related information that will be contained in a national database to be shared across agencies “to perform their functions and tasks.”

The ministry will work with other parts of the government to integrate the identification system into the national database.

As for how the information will be collected, the amendments state:

Biometric information on DNA and voice is collected when voluntarily provided by the people or the agency conducting criminal proceedings or the agency managing the person to whom administrative measures are applied in the process of settling the case according to their functions and duties whether to solicit assessment or collect biometric information on DNA, people’s voices are shared with identity management agencies for updating and adjusting to the identity database.

Vietnam’s future identity cards will incorporate the functions of health insurance cards, social insurance books, driver’s licenses, birth certificates, and marriage certificates, as defined by the amendment.

There are approximately 70 million adults in Vietnam as of 2022, making the collection and safeguarding of such data no small feat.

The Reg is sure the personal information on all those citizens will be just fine – personal data held by governments for ID cards certainly never leaks.

[…]

Source: Vietnam to collect biometrics – even DNA – for new ID cards • The Register

Absolutely retarded.

‘No one understands outsourcing the management of .nl domains to Amazon’

At the beginning of February, SIDN was in the news after announcing that it wanted to outsource part of its services to Amazon Web Services, the American web giant. According to SIDN, the reason for the outsourcing was that implementation on its own servers had become too expensive and too labor-intensive.

Van Eeten: ‘SIDN has not provided any explanation as to how on earth it ended up at Amazon. I can imagine that they don’t feel like dealing with all that iron (servers) and can’t find staff. But then there are numerous Dutch providers who say: ‘Just leave it to us. Then we will arrange everything.’’

Van Eeten also does not understand why the registration system used by SIDN would be so demanding. ‘In principle it seems quite simple, I estimate a few hundred accounts on a database. I don’t see any reason why a Dutch cloud service couldn’t handle that.’

The criticism is partly a matter of timing: five years ago there would have been a lot less fuss about it. Van Eeten: ‘But in recent years the question has increasingly arisen whether it is wise to outsource more and more digital services to a handful of American companies. That discussion is about digital sovereignty. And that has become quite a thing in Europe.’

Source: ‘No one understands outsourcing the management of .nl domains to Amazon’ – Emerce

It’s completely nuts that a technical organisation says they can’t be technical – and is washing its hands of running the most popular TLD per capita population in the world!