Tropic Haze, the popular Yuzu Nintendo Switch emulator developer, appears to have agreed to settle Nintendo’s lawsuit against it. Less than a week after Nintendo filed the legal action, accusing the emulator’s creators of “piracy at a colossal scale,” a joint final judgment and permanent injunction filed Tuesday says Tropic Haze has agreed to pay the Mario maker $2.4 million, along with a long list of concessions.
Nintendo’s lawsuit claimed Tropic Haze violated the anti-circumvention and anti-trafficking provisions of the Digital Millennium Copyright Act (DMCA). “Without Yuzu’s decryption of Nintendo’s encryption, unauthorized copies of games could not be played on PCs or Android devices,” the company wrote in its complaint. It described Yuzu as “software primarily designed to circumvent technological measures.”
Yuzu launched in 2018 as free, open-source software for Windows, Linux and Android. It could run countless copyrighted Switch games — including console sellers like The Legend of Zelda: Breath of the Wild and Tears of the Kingdom, Super Mario Odyssey and Super Mario Wonder. Reddit threads comparing Switch emulators praised Yuzu’s performance compared to rivals like Ryujinx. Yuzu introduces various bugs across different titles, but it can typically handle games at higher resolutions than the Switch, often with better frame rates, so long as your hardware is powerful enough.
A screenshot from Yuzu’s website, showing The Legend of Zelda: Breath of the Wild (Tropic Haze / Nintendo)
As part of an Exhibit A attached to the proposed joint settlement, Tropic Haze agreed to a series of accommodations. In addition to paying Nintendo $2.4 million, it must permanently refrain from “engaging in activities related to offering, marketing, distributing, or trafficking in Yuzu emulator or any similar software that circumvents Nintendo’s technical protection measures.”
Tropic Haze must also delete all circumvention devices, tools and Nintendo cryptographic keys used in the emulator and turn over all circumvention devices and modified Nintendo hardware. It even has to surrender the emulator’s web domain (including any variants or successors) to Nintendo. (The website is still live now, perhaps waiting for the judgment’s final a-okay.) Not abiding by the settlement’s agreements could land Tropic Haze in contempt of court, including punitive, coercive and monetary actions.
Although piracy is the top motive for many emulator users, the software can double as crucial tools for video game preservation — making rapid legal surrenders like Tropic Haze’s potentially problematic. Without emulators, Nintendo and other copyright holders could make games obsolete for future generations as older hardware eventually becomes more difficult to find.
Despite the settlement, it appears unlikely the open-source Yuzu will disappear entirely. The emulator is still available on GitHub, where its entire codebase can be found.
Apple’s compliance measures with the EU’s Digital Markets Act haven’t exactly been universally well received, so the iMaker is making a few tweaks to appease the software-developing masses.
In a post to its developer site today, Apple said it is modifying not only how developers can distribute apps, but also changing the structure of alternative app marketplaces and linking out for purchases that are made away from the official iOS App Store.
Let’s get the quick news out of the way first, starting with changes to alternative app marketplaces. Whereas previously alternative app marketplaces in the EU had to allow apps from other devs, Apple now says that marketplaces “can choose to offer a catalog of apps solely from the developer of the marketplace.”
Think a Meta market that contains just Facebook, Instagram, WhatsApp and the like – but not an Epic Games store, as developers still need to be part of the Apple Developer Program.
European Commission on Apple’s announcement:
“Gatekeepers are required to demonstrate and ensure effective compliance with the relevant obligations. The designated gatekeepers have submitted and published a compliance report explaining their proposals to comply with the relevant obligations.” “We will now carefully analyse the compliance reports and assess whether the implemented measures are effective in achieving the objectives of the relevant obligations and DMA in general.”
The Commish added that “if needed,” it would “not hesitate to take formal enforcement action, using the entire toolbox, to fully enforce the DMA. The Commission can open proceedings against such gatekeeper for non-compliance, prescribe specific compliance solutions and impose fines.”
Apple also loosened its link-out rules, and will now allow developers pushing users outside the App Store for purchases to display their offers however they want. Up until now, developers had to use Apple-provided design templates to “optimize for key purchase and promotion use cases,” Cupertino said. Those templates are now optional.
Screw app marketplaces – let’s distribute on the web
The biggest announcement Apple made was the one that didn’t go live today: Allowing developers to distribute apps directly from their websites. Dubbed “Web Distribution,” Apple said the feature will be available following a software update later in the spring.
The new function will provide APIs “that facilitate the distribution of developers’ apps from the web, integrate with system functionality, back up and restore users’ apps, and more,” Apple explained on a new developer support page.
“Using App Store Connect, developers can easily download signed binary assets and host them on their website for distribution,” the company added. Users will have to give the OK for a developer to install apps on their device and this will require users to be presented with an App Store-esque system sheet that includes information about the app submitted to Apple.
Of course, not everyone will qualify for Web Distribution, which is limited to companies enrolled in the Apple Dev Program with a registration location based in an EU nation, and in good standing (that includes Epic again… for now). Developers distributing apps on the web also can’t offer anyone else’s software, have to publish transparent data collection policies, “be responsive to communications from Apple,” and have to handle their own taxes.
And let’s not forget Apple always ensures it gets a slice of the pie. Like Apple’s previously announced DMA provisions, devs distributing apps via the web will still be subject to a Core Technology Fee that will force them to pay €0.50 for each first annual install over one million in the past 12 months. That could add up quickly for big-name devs, though waivers are available for nonprofits, educational institutions and government entities.
Kenn Dahl says he has always been a careful driver. The owner of a software company near Seattle, he drives a leased Chevrolet Bolt. He’s never been responsible for an accident. So Mr. Dahl, 65, was surprised in 2022 when the cost of his car insurance jumped by 21 percent. Quotes from other insurance companies were also high. One insurance agent told him his LexisNexis report was a factor. LexisNexis is a New York-based global data broker with a “Risk Solutions” division that caters to the auto insurance industry and has traditionally kept tabs on car accidents and tickets. Upon Mr. Dahl’s request, LexisNexis sent him a 258-page “consumer disclosure report,” which it must provide per the Fair Credit Reporting Act. What it contained stunned him: more than 130 pages detailing each time he or his wife had driven the Bolt over the previous six months. It included the dates of 640 trips, their start and end times, the distance driven and an accounting of any speeding, hard braking or sharp accelerations. The only thing it didn’t have is where they had driven the car. On a Thursday morning in June for example, the car had been driven 7.33 miles in 18 minutes; there had been two rapid accelerations and two incidents of hard braking.
According to the report, the trip details had been provided by General Motors — the manufacturer of the Chevy Bolt. LexisNexis analyzed that driving data to create a risk score “for insurers to use as one factor of many to create more personalized insurance coverage,” according to a LexisNexis spokesman, Dean Carney. Eight insurance companies had requested information about Mr. Dahl from LexisNexis over the previous month. “It felt like a betrayal,” Mr. Dahl said. “They’re taking information that I didn’t realize was going to be shared and screwing with our insurance.” In recent years, insurance companies have offered incentives to people who install dongles in their cars or download smartphone apps that monitor their driving, including how much they drive, how fast they take corners, how hard they hit the brakes and whether they speed. But “drivers are historically reluctant to participate in these programs,” as Ford Motor put it in a patent application (PDF) that describes what is happening instead: Car companies are collecting information directly from internet-connected vehicles for use by the insurance industry.
Sometimes this is happening with a driver’s awareness and consent. Car companies have established relationships with insurance companies, so that if drivers want to sign up for what’s called usage-based insurance — where rates are set based on monitoring of their driving habits — it’s easy to collect that data wirelessly from their cars. But in other instances, something much sneakier has happened. Modern cars are internet-enabled, allowing access to services like navigation, roadside assistance and car apps that drivers can connect to their vehicles to locate them or unlock them remotely. In recent years, automakers, including G.M., Honda, Kia and Hyundai, have started offering optional features in their connected-car apps that rate people’s driving. Some drivers may not realize that, if they turn on these features, the car companies then give information about how they drive to data brokers like LexisNexis. Automakers and data brokers that have partnered to collect detailed driving data from millions of Americans say they have drivers’ permission to do so. But the existence of these partnerships is nearly invisible to drivers, whose consent is obtained in fine print and murky privacy policies that few read. Especially troubling is that some drivers with vehicles made by G.M. say they were tracked even when they did not turn on the feature — called OnStar Smart Driver — and that their insurance rates went up as a result.
Developers who want to sideload apps on Android, or offer apps outside the Play Store, will have to pay for this.
It has been possible to have so-called apk files installed on Android smartphones and tablets for some time, but now Google is going to charge money for this. The company does this on the basis of the new European Digital Markets Act (DMA).
Firstly, there is a 10 percent purchase fee for in-app purchases or 5 percent for two-year subscriptions. In addition, there will be an ongoing fee for processing in-app purchases. This amounts to 17 percent (7 percent for subscriptions).
The European Commission has been reprimanded for infringing data protection regulations when using Microsoft 365.
The rebuke came from the European Data Protection Supervisor (EDPS) and is the culmination of an investigation that kicked off in May 2021, following the Schrems II judgement.
According to the EDPS, the EC infringed several data protection regulations, including rules around transferring personal data outside the EU / European Economic Area (EEA).
According to the organization, “In particular, the Commission has failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded an essentially equivalent level of protection as guaranteed in the EU/EEA.
“Furthermore, in its contract with Microsoft, the Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365.”
While the concerns are more about EU institutions and transparency, they should also serve as notice to any company doing business in the EU / EEA to take a very close look at how it has configured Microsoft 365 regarding the EU Data Protection Regulations.
Who knew? An American Company running an American cloud product on American Servers and the EU was putting its data on it. Who would have thought that might end up in America?!
India has waded into global AI debate by issuing an advisory that requires “significant” tech firms to get government permission before launching new models.
India’s Ministry of Electronics and IT issued the advisory to firms on Friday. The advisory — not published on public domain but a copy of which TechCrunch has reviewed — also asks tech firms to ensure that their services or products “do not permit any bias or discrimination or threaten the integrity of the electoral process.”
Though the ministry admits the advisory is not legally binding, India’s IT Deputy Minister Rajeev Chandrasekhar says the notice is “signalling that this is the future of regulation.” He adds: “We are doing it as an advisory today asking you to comply with it.”
In a tweet Monday, Chandrasekhar said the advisory is aimed at “untested AI platforms deploying on the India internet” and doesn’t apply to startups.
The ministry cites power granted to it through the IT Act, 2000 and IT Rules, 2021 in its advisory. It seeks compliance with “immediate effect” and asks tech firms to submit “Action Taken-cum-Status Report” to the ministry within 15 days.
The new advisory, which also asks tech firms to “appropriately” label the “possible and inherent fallibility or unreliability” of the output their AI models generate, marks a reversal from India’s previous hands-off approach to AI regulation. Less than a year ago, the ministry had declined to regulate AI growth, instead identifying the sector as vital to India’s strategic interests.
Donald Trump supporters are creating and sharing AI-generated images of the former president with Black voters. The photos appear to be an attempt to inflate Trump’s popularity with the Black community, which may be irreparably harmed by his ties to white supremacist groups, but the photos are nothing but fakes.
In the leadup to the 2024 Presidential Election, several of these AI-generated dupes of Black Trump supporters have popped up on social media. One image is a holiday photo depicting Trump embracing several Black people. However, it’s an AI dupe created by The Mark Kaye Show, a conservative talk show, and distributed on Facebook to over one million of Kaye’s Facebook followers. The post from November, first reported by the BBC, was not labeled as being AI-generated in any way.
“I never thought I would read the words ‘BLM Leader endorses Donald Trump,’ but then again, Christmas is the time for miracles,” said Kaye in a Facebook post.
The image is obviously an AI fake. Trump’s hands look deformed, and the person on the far left is missing a ring finger.
Over the last 48 hours, Roku has slowly been rolling out a mandatory update to its terms of service. In these terms, it changes the dispute resolution terms, but it is not clear exactly why. When the new terms and conditions message shows up on a Roku Player or TV, your only option is to accept them or turn off your Roku and stop using it.
[…]
Roku does offer a way to opt out of these new arbitration rules if you write them a letter to an address listed in the terms of service. You do need to hurry though as you only get 30 days to write a letter to Roku to opt out. Though it is unclear if that is from when you buy your Roku or agree to these new terms.
Customers are understandably confused by these new terms of service that have appeared in recent days. Raising questions about why now and why such an aggressive messaging about them that forces you to manually accept them or stop using your device.
[…] X began rolling out the audio and video calling feature, which was previously restricted to paid users, to everyone last week. However, hawk-eyed sleuths quickly noticed that the feature was automatically turned on, meaning that users had to manually go to their settings to turn it off. Only your mutuals or someone you’ve exchanged DMs with can call you by default, but that’s still potentially a lot of people.
Privacy researchers also sounded the alarm on the feature after learning that it revealed users’ IP address during calls. Notably, the option to protect users’ IP addresses is toggled off, which frankly makes no sense.
Zach Edwards, an independent privacy researcher, told Gizmodo that an IP address can allow third parties to track down your location and get their hands on other details of your online life.
“In major cities, an IP address can sometimes identify someone’s exact location, but usually it’s just close enough to be creepy. Like a 1 block radius around your house,” Edwards said via X direct messages. However, “sometimes if in a remote/rural location, the IP address 1000% identifies you.”
Law enforcement can use IP addresses to track down illegal behavior, such as child sexual abuse material or pirating online content. Meanwhile, hackers can launch DDoS attacks to take down your internet connection or even steal your data.
How to turn off audio and video calls on X
Luckily, you can avoid potential IP security nightmares by turning off audio and video calls on X. As you’ll see in the screenshots below, it’s pretty straightforward:
– First, go to Settings and Support. Then click on Settings and Privacy. (If you’re on desktop, click on the More button and then go to Settings and Privacy).
– Next, click on Privacy and Safety. Select Direct Messages from the menu that pops up.
– Toggle off the option that says Enable audio and video calling.
And that’s it. Some may not see the Enable audio and video calling option in their settings yet, which means the feature hasn’t been rolled out to them. That doesn’t mean they won’t eventually get it in a future update.
Key dashboard touchscreen functions will soon be kicked into touch and physical switches will be required instead for car manufacturers to be granted the highest safety ratings.
Euro NCAP, the automotive safety industry body for Europe, is introducing new guidance for 2026 which means that five important tasks in every car will have to be performed by actual buttons instead of by accessing a screen.
Indicators, hazard warning lights, windscreen wipers, horn, and SOS features will have to be controlled by proper switches in order for cars to be granted Euro NCAP’s coveted five star safety rating.
“The overuse of touchscreens is an industry-wide problem, with almost every vehicle-maker moving key controls onto central touchscreens, obliging drivers to take their eyes off the road and raising the risk of distraction crashes,” explained Matthew Avery, director of strategic development at Euro NCAP.
“New Euro NCAP tests due in 2026 will encourage manufacturers to use separate, physical controls for basic functions in an intuitive manner, limiting eyes-off-road time and therefore promoting safer driving.”
Several manufacturers have already come under fire for excessively complex touch screen controls forcing drivers to access menu after menu to adjust seats, mirrors and ventilation—we’re especially looking at you Tesla and VW.
Although it won’t be mandatory to comply with Euro NCAP’s new rules, car makers that don’t will lose valuable points in their safety ratings. It sounds like a sensible idea—a positive move in the battle against distracted driving—and one that, hopefully, the NHTSA will follow.
Microsoft is coming out swinging over claims by the New York Times that the Windows giant and OpenAI infringed copyright by using its articles to build ChatGPT and other models.
In yesterday’s filing [PDF], Microsoft’s lawyers recall the early 1980s efforts of the Motion Picture Association to stifle the growth of VCR technology, likening it to the legal efforts of the New York Times (NYT) to stop OpenAI in their work on the “latest profound technological advance.”
The motion describes the NYT’s allegations that the use of GPT-based products “harms The Times,” and “poses a mortal threat to independent journalism” as “doomsday futurology.”
[…]
Microsoft’s response doesn’t appear to suggest that content has not been lifted. Instead, it says: “Despite The Times’s contentions, copyright law is no more an obstacle to the LLM than it was to the VCR (or the player piano, copy machine, personal computer, internet, or search engine.)”
[…]
In its demands for the dismissal of the three claims in particular, the motion points out that Microsoft shouldn’t be held liable for end-user copyright infringement through GPT-based tools. It also says that to get the NYT content regurgitated, a user would need to know the “genesis of that content.”
“And in any event, the outputs the Complaint cites are not copies of works at all, but mere snippets.”
Finally, the filing delves into the murky world of “fair use,” the American copyright law, which is relatively permissive in the US compared to other legal jurisdictions.
OpenAI hit back at the NYT last month and accused the company of paying someone to “hack” ChatGPT in order to persuade it to spit out those irritatingly verbatim copies of NYT content.
Rooster Teeth, a Warner Bros. Discovery Global Streaming & Interactive Entertainment subsidiary, is ending operations after 20+ years. The news was announced on March 6 in a company memo and blog post on the digital content creator’s site.
Earlier today, the news of Rooster Teeth shutting down was first shared at an all-hands company meeting followed by an internal memo from RT’s general manager, Jordan Levin. This memo was then posted alongside a message from community director Chelsea Atkinson confirming that the site was winding down, and adding that a livestream about the shutdown was planned for tomorrow, March 7.
“Since inheriting ownership and control of Rooster Teeth from AT&T following its acquisition of TimeWarner, Warner Bros. Discovery continued its investment in our company, content, and community,” said Levin in the memo.
“Now however, it’s with a heavy heart I announce that Rooster Teeth is shutting down due to challenges facing digital media resulting from fundamental shifts in consumer behavior and monetization across platforms, advertising, and patronage.”
[…]
Rooster Teeth started back in 2003 in Texas. It was founded by Burnie Burns, Matt Hullum, Geoff Ramsey, Jason Saldaña, Gus Sorola, and Joel Heyman. The company’s first big hit was the Halo machinima series, Red Vs. Blue. That show would become incredibly popular, leading to millions of views, DVDs, spin-offs, and loads of merchandise. Elijah Wood even had a role in one season. The show’s 19th and final season is still set to arrive later this year.
iOS 17.4 is the first version of Apple’s operating system to comply with the regulatory framework of the European Digital Markets Act. Apple must also support alternative app stores, where apps can be installed around the App Store.
The availability of this functionality is only geographically limited to the EU, and Apple has revealed for the first time that alternative app stores will stop working if you leave the EU for too long.
Furthermore, your Apple ID must be set to one of the following countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.
The exact period during which you can travel outside the EU is not specified.
Even after Microsoft patched the vulnerability last month, the company made no mention that the North Korean threat group Lazarus had been using the vulnerability since at least August to install a stealthy rootkit on vulnerable computers. The vulnerability provided an easy and stealthy means for malware that had already gained administrative system rights to interact with the Windows kernel. Lazarus used the vulnerability for just that. Even so, Microsoft has long said that such admin-to-kernel elevations don’t represent the crossing of a security boundary, a possible explanation for the time Microsoft took to fix the vulnerability.
A rootkit “holy grail”
“When it comes to Windows security, there is a thin line between admin and kernel,” Jan Vojtěšek, a researcher with security firm Avast, explained last week. “Microsoft’s security servicing criteria have long asserted that ‘[a]dministrator-to-kernel is not a security boundary,’ meaning that Microsoft reserves the right to patch admin-to-kernel vulnerabilities at its own discretion. As a result, the Windows security model does not guarantee that it will prevent an admin-level attacker from directly accessing the kernel.”
The Microsoft policy proved to be a boon to Lazarus in installing “FudModule,” a custom rootkit that Avast said was exceptionally stealthy and advanced.
[…]
In years past, Lazarus and other threat groups have reached this last threshold mainly by exploiting third-party system drivers, which by definition already have kernel access. To work with supported versions of Windows, third-party drivers must first be digitally signed by Microsoft to certify that they are trustworthy and meet security requirements. In the event Lazarus or another threat actor has already cleared the admin hurdle and has identified a vulnerability in an approved driver, they can install it and exploit the vulnerability to gain access to the Windows kernel. This technique—known as BYOVD (bring your own vulnerable driver)—comes at a cost, however, because it provides ample opportunity for defenders to detect an attack in progress.
The vulnerability Lazarus exploited, tracked as CVE-2024-21338, offered considerably more stealth than BYOVD because it exploited appid.sys, a driver enabling the Windows AppLocker service, which comes preinstalled in the Microsoft OS. Avast said such vulnerabilities represent the “holy grail,” as compared to BYOVD.
In August, Avast researchers sent Microsoft a description of the zero-day, along with proof-of-concept code that demonstrated what it did when exploited. Microsoft didn’t patch the vulnerability until last month. Even then, the disclosure of the active exploitation of CVE-2024-21338 and details of the Lazarus rootkit came not from Microsoft in February but from Avast 15 days later. A day later, Microsoft updated its patch bulletin to note the exploitation.
More than one-quarter of scholarly articles are not being properly archived and preserved, a study of more than seven million digital publications suggests. The findings, published in the Journal of Librarianship and Scholarly Communication on 24 January [1], indicate that systems to preserve papers online have failed to keep pace with the growth of research output.
“Our entire epistemology of science and research relies on the chain of footnotes,” explains author Martin Eve, a researcher in literature, technology and publishing at Birkbeck, University of London. “If you can’t verify what someone else has said at some other point, you’re just trusting to blind faith for artefacts that you can no longer read yourself.”
[…]
The sample of DOIs included in the study was made up of a random selection of up to 1,000 registered to each member organization. Twenty-eight per cent of these works — more than two million articles — did not appear in a major digital archive, despite having an active DOI. Only 58% of the DOIs referenced works that had been stored in at least one archive. The other 14% were excluded from the study because they were published too recently, were not journal articles or did not have an identifiable source.
Preservation challenge
Eve notes that the study has limitations: namely that it tracked only articles with DOIs, and that it did not search every digital repository for articles (he did not check whether items with a DOI were stored in institutional repositories, for example).
[…]
“Everybody thinks of the immediate gains they might get from having a paper out somewhere, but we really should be thinking about the long-term sustainability of the research ecosystem,” Eve says. “After you’ve been dead for 100 years, are people going to be able to get access to the things you’ve worked on?”
Security researchers report they uncovered a design flaw that let them hijack a Tesla using a Flipper Zero, a controversial $169 hacking tool. Partners Tommy Mysk and Talal Haj Bakry of Mysk Inc. said the attack is as simple as swiping a Tesla owner’s login information, opening the Tesla app, and driving away. The victim would have no idea they lost their $40,000 vehicle. Mysk said the exploit takes minutes, and to prove it all works, he stole his own car.
The issue isn’t “hacking” in the sense of breaking into software, it’s a social engineering attack that fools a user into handing over their information. Using a Flipper, the researchers set up a WiFi network called “Tesla Guest,” the name Tesla uses for its guest networks at service centers. Mysk then created a website that looks like Tesla’s login page.
The process is simple. In this scenario, hackers could broadcast the network near a charging station, where a bored driver might be looking for entertainment. The victim connects to the WiFi network and enters their username and password on the fake Tesla website. The hacker then uses the credentials to log in to the real Tesla app, which triggers a two-factor authentication code. The victim enters that code into the fake website, and the thief gains access to their account. Once you’re logged into the Tesla app, you can set up a “phone key” which lets you unlock and control the car over Bluetooth with a smartphone. From there, the car is yours.
You can see Mysk’s demonstration of the attack in the video below.
Cybersecurity: Can a Tesla stop phishing and social engineering attacks?
According to Mysk, Tesla doesn’t notify users when new keys are created, so the victim wouldn’t know they’ve been compromised. Mysk said the bad guys wouldn’t need to steal the car right away, either, because the app shows you the physical location of the vehicle. The Tesla owner could finish charging the car and drive off to go shopping or park outside their house. The thief would just watch the car’s location using the app, and then waltz up at an opportune moment and drive away.
“This means with a leaked email and password, an owner could lose their Tesla vehicle.
Apple’s anti-steering provisions that prevent music streaming apps from directing users outside the App Store for paid services were smacked down in the European Union today and earned the iGiant a fine of more than €1.8 billion ($1.95 billion).
The European Commission said Apple’s policies “amount to unfair trading conditions” and “are neither necessary nor proportionate for the protection of Apple’s commercial interests.”
“Apple will have to open the gates to its ecosystem, to allow end users to easily find the apps they want, pay for them in any way they want, and use them on any device they want,” EU antitrust chief Margrethe Vestager said of the decision.
Apple’s anti-steering rules have prevented developers from directing users outside the App Store – thereby circumventing Apple’s 30 percent commission – for in-app purchases and subscriptions. As part of the EC decision, Apple is being forced to end the use of anti-steering provisions in the bloc, but this restriction applies only to music streaming apps, an EC spokesperson told The Register.
Vestager described Apple’s anti-competitive conduct as having gone on for nearly a decade, resulting in iOS users paying “significantly higher prices for music streaming subscriptions.” The anti-steering provisions also led to a “degraded user experience,” Vestager said, as users were forced to “engage in a cumbersome search” to find cheaper prices outside the App Store because the anti-steering rule also prevented developers from telling users about cheaper prices available elsewhere.
[…] Earlier this week, four out of 15 communication cables were cut, disrupting network traffic that flows through the Red Sea. The damaged cables affected 25% of traffic between Asia, Europe, and the Middle East, according to Hong Kong telecoms company HGC Global Communications. The cause of the damage is still unknown, and the company is working on a fix for what it referred to as an “exceptionally rare occurrence.” Although HGC did not reveal the cause behind the damaged cables, a U.S. National Security Council spokesperson blamed it on the anchor of a cargo ship that was sunk by the Houthi group in Yemen. The Houthis, however, issued a statement denying their involvement.
Regardless of the cause, satellite companies have stepped up by beaming connectivity from space to reroute some of that impacted traffic. Satellite operators such as Intelsat are providing back up connectivity to fill in the gaps for the severed cables, SpaceNews reported.
Intelsat has a fleet of 52 communication satellites in orbit, providing broadband internet and offering airline passengers inflight connectivity. Other companies, like Eutelsat OneWeb, SES, and, more famously, SpaceX are also in the business of beaming connectivity from Earth orbit.
The recent incident, although rare, does offer a glimpse into what a hybrid connectivity solution would look like, providing internet from both underwater cables, as well as orbital satellites. Subsea customers, or those getting internet from both ends, can restore their connectivity within 15 minutes should there be an issue with a terrestrial provider, Rhys Morgan, regional vice president for Intelsat, told SpaceNews.
VMware is urging customers to patch critical vulnerabilities that make it possible for hackers to break out of sandbox and hypervisor protections in all versions, including out-of-support ones, of VMware ESXi, Workstation, Fusion, and Cloud Foundation products.
A constellation of four vulnerabilities—two carrying severity ratings of 9.3 out of a possible 10—are serious because they undermine the fundamental purpose of the VMware products, which is to run sensitive operations inside a virtual machine that’s segmented from the host machine. VMware officials said that the prospect of a hypervisor escape warranted an immediate response
[…]
A VMware advisory included the following matrix showing how the vulnerabilities—tracked as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255—affect each of the vulnerable products:
Three of the vulnerabilities affect the USB controller the products use to support peripheral devices such as keyboards and mice. The advisory describes the vulnerabilities as:
CVE-2024-22252: a use-after-free vulnerability in the XHCI USB controller with a maximum severity rating of 9.3 for Workstation/Fusion and a base score of 8.4 for ESXi. Someone with local administrative privileges on a virtual machine can execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox, whereas, on Workstation and Fusion, this could lead to code execution on the machine where Workstation or Fusion is installed.
CVE-2024-22253: a use-after-free vulnerability in UHCI USB controller with a maximum severity rating of 9.3 for Workstation/Fusion and a base score of 8.4 for ESXi. Exploitation requirements and outcomes are the same as for CVE-2024-22252.
CVE-2024-22254: an out-of-bounds write vulnerability with a maximum severity base score of 7.9. This vulnerability makes it possible for someone with privileges within the VMX process to trigger an out-of-bounds write, leading to a sandbox escape.
CVE-2024-22255: an information disclosure vulnerability in the UHCI USB controller with a maximum CVSSv3 base score of 7.1. Someone with administrative access to a virtual machine can exploit it to leak memory from the VMX process.
Broadcom, the VMware parent company, is urging customers to patch vulnerable products. As a workaround, users can remove USB controllers from vulnerable virtual machines, but Broadcom stressed that this measure could degrade virtual console functionality and should be viewed as only a temporary solution.
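A check for the workaround described above, as an added example that is not VMware's or Broadcom's code: it parses `.vmx` configuration text and lists the VMs that still have a virtual USB controller, tagged with the CVEs the advisory text ties to that controller. The `.vmx` keys (`usb.present`, `ehci.present`, `usb_xhci.present`), the helper names and the sample configurations are assumptions not taken from the page.

```python
import re

# CVE-to-controller mapping taken from the advisory text quoted above.
CVES_BY_CONTROLLER = {
    "xhci": ["CVE-2024-22252"],
    "uhci": ["CVE-2024-22253", "CVE-2024-22255"],
    "ehci": [],  # not named in the advisory text; still a USB controller to review
}

# Assumption: the usual .vmx keys that enable each virtual USB controller.
VMX_KEY_TO_CONTROLLER = {
    "usb.present": "uhci",
    "ehci.present": "ehci",
    "usb_xhci.present": "xhci",
}

_LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Parse .vmx 'key = "value"' lines into a dict; keys are lowercased for lookup."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def usb_controllers(settings):
    """Return the sorted list of virtual USB controllers enabled in one VM."""
    return sorted(
        ctrl for key, ctrl in VMX_KEY_TO_CONTROLLER.items()
        if settings.get(key, "").strip().lower() == "true"
    )


def audit(vmx_files):
    """Map VM file name -> controllers and related CVEs, for VMs that still have a controller."""
    findings = {}
    for name, text in vmx_files.items():
        ctrls = usb_controllers(parse_vmx(text))
        if ctrls:
            cves = sorted({c for ctrl in ctrls for c in CVES_BY_CONTROLLER[ctrl]})
            findings[name] = {"controllers": ctrls, "cves": cves}
    return findings


# Constructed sample configurations (not from any real host).
SAMPLE_VMX = {
    "build-agent.vmx": 'displayName = "build-agent"\nusb.present = "TRUE"\n'
                       'ehci.present = "TRUE"\nusb_xhci.present = "FALSE"\n',
    "desktop.vmx": 'displayName = "desktop"\nusb_xhci.present = "TRUE"\n',
    "db01.vmx": '# USB controller removed as workaround\n'
                'displayName = "db01"\nusb.present = "FALSE"\n',
}

if __name__ == "__main__":
    for vm, f in audit(SAMPLE_VMX).items():
        print(vm, f["controllers"], f["cves"] or "no CVE named in the advisory text")
```

A VM that appears in the output has not had the workaround applied; whether it is actually exposed still depends on the installed product build, which this check does not inspect.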
President Joe Biden will issue an executive order that aims to limit the mass-sale of Americans’ personal data to “countries of concern,” including Russia and China. The order specifically targets the bulk sale of geolocation, genomic, financial, biometric, health and other personally identifying information.
During a briefing with reporters, a senior administration official said that the sale of such data to these countries poses a national security risk. “Our current policies and laws leave open access to vast amounts of American sensitive personal data,” the official said. “Buying data through data brokers is currently legal in the United States, and that reflects a gap in our national security toolkit that we are working to fill with this program.”
Researchers and privacy advocates have long warned about the national security risks posed by the largely unregulated multibillion-dollar data broker industry. Last fall, researchers at Duke University reported that they were able to easily buy troves of personal and health data about US military personnel while posing as foreign agents.
Biden’s executive order attempts to address such scenarios. It bars data brokers and other companies from selling large troves of Americans’ personal information to countries or entities in Russia, China, Iran, North Korea, Cuba and Venezuela either directly or indirectly.
[…]
As the White House points out, there are currently few regulations for the multibillion-dollar data broker industry. The order will do nothing to slow the bulk sale of Americans’ data to countries or companies not deemed to be a security risk. “President Biden continues to urge Congress to do its part and pass comprehensive bipartisan privacy legislation, especially to protect the safety of our children,” a White House statement says.
Divergent thinking is characterized by the ability to generate a unique solution to a question that does not have one expected solution, such as “What is the best way to avoid talking about politics with my parents?” In the study, GPT-4 provided more original and elaborate answers than the human participants
[…]
The three tests utilized were the Alternative Use Task, which asks participants to come up with creative uses for everyday objects like a rope or a fork; the Consequences Task, which invites participants to imagine possible outcomes of hypothetical situations, like “what if humans no longer needed sleep?”; and the Divergent Associations Task, which asks participants to generate 10 nouns that are as semantically distant as possible. For instance, there is not much semantic distance between “dog” and “cat” while there is a great deal between words like “cat” and “ontology.”
Answers were evaluated for the number of responses, length of response and semantic difference between words. Ultimately, the authors found that “Overall, GPT-4 was more original and elaborate than humans on each of the divergent thinking tasks, even when controlling for fluency of responses. In other words, GPT-4 demonstrated higher creative potential across an entire battery of divergent thinking tasks.”
This finding does come with some caveats. The authors state, “It is important to note that the measures used in this study are all measures of creative potential, but the involvement in creative activities or achievements are another aspect of measuring a person’s creativity.” The purpose of the study was to examine human-level creative potential, not necessarily people who may have established creative credentials.
Hubert and Awa further note that “AI, unlike humans, does not have agency” and is “dependent on the assistance of a human user. Therefore, the creative potential of AI is in a constant state of stagnation unless prompted.”
Also, the researchers did not evaluate the appropriateness of GPT-4 responses. So while the AI may have provided more responses and more original responses, human participants may have felt they were constrained by their responses needing to be grounded in the real world.
[…]
Whether the tests are perfect measures of human creative potential is not really the point. The point is that large language models are rapidly progressing and outperforming humans in ways they have not before. Whether they are a threat to replace human creativity remains to be seen. For now, the authors continue to see “Moving forward, future possibilities of AI acting as a tool of inspiration, as an aid in a person’s creative process or to overcome fixedness is promising.”
More than 130 petitions seeking access to push notification metadata have been filed in US courts, according to a Washington Post investigation – a finding that underscores the lack of privacy protection available to users of mobile devices.
The poor state of mobile device privacy has provided US state and federal investigators with valuable information in criminal investigations involving suspected terrorism, child sexual abuse, drugs, and fraud – even when suspects have tried to hide their communications using encrypted messaging.
But it also means that prosecutors in states that outlaw abortion could demand such information to geolocate women at reproductive healthcare facilities. Foreign governments may also demand push notification metadata from Apple, Google, third-party push services, or app developers for their own criminal investigations or political persecutions. Concern has already surfaced that they may have done so for several years.
In December 2023, US senator Ron Wyden (D-OR) sent a letter to the Justice Department about a tip received by his office in 2022 indicating that foreign government agencies were demanding smartphone push notification records from Google and Apple.
[…]
Apple and Google operate push notification services that relay communication from third-party servers to specific applications on iOS and Android phones. App developers can encrypt these messages when they’re stored (in transit they’re protected by TLS) but the associated metadata – the app receiving the notification, the time stamp, and network details – is not encrypted.
[…]
push notification metadata is extremely valuable to marketing organizations, to app distributors like Apple and Google, and also to government organizations and law enforcement agencies.
“In 2022, one of the largest push notification companies in the world, Pushwoosh, was found to secretly be a Russian company that deceived both the CDC and US Army into installing their technology into specific government apps,” said Edwards.
“These types of scandals are the tip of the iceberg for how push notifications can be abused, and why countless serious organizations focus on them as a source of intelligence,” he explained.
“If you sign up for push notifications, and travel around to unique locations, as the messages hit your device, specific details about your device, IP address, and location are shared with app stores like Apple and Google,” Edwards added. “And the push notification companies who support these services typically have additional details about users, including email addresses and user IDs.”
Edwards continued that other identifiers may further deprive people of privacy, noting that advertising identifiers can be connected to push notification identifiers. He pointed to Pushwoosh as an example of a firm that built its push notification ID using the iOS advertising ID.
“The simplest way to think about push notifications,” he said, is “they are just like little pre-scheduled messages from marketing vendors, sent via mobile apps. The data that is required to ‘turn on any push notification service’ is quite invasive and can unexpectedly reveal/track your location/store your movement with a third-party marketing company or one of the app stores, which is merely a court order or subpoena away from potentially exposing those personal details.”
Apple has reversed its decision to limit the functionality of Home Screen web apps in Europe following an outcry from the developer community and the prospect of further investigation.
“We have received requests to continue to offer support for Home Screen web apps in iOS, therefore we will continue to offer the existing Home Screen web apps capability in the EU,” the iPhone giant said in an update to its developer documentation on Friday.
“This support means Home Screen web apps continue to be built directly on WebKit and its security architecture, and align with the security and privacy model for native apps on iOS.”
Apple said Home Screen web app support would return with the general availability of iOS 17.4, presently in beta testing and due in the next few days.
[…]
In January, Apple said it would make several changes to its iOS operating system to comply with the law. These include: Allowing third-party app stores; making its NFC hardware accessible to third-party developers for contactless payment applications; and supporting third-party browser engines as alternatives to Safari’s WebKit.
Last month, with the second beta release of iOS 17.4, it became clear Apple would impose a cost for its concessions. The iCloud goliath said, “to comply with the DMA’s requirements, we had to remove the Home Screen web apps feature in the EU.”
Essentially, Apple has to support third-party browser engines in the EU, the biz didn’t want PWAs to use those non-WebKit engines, and so it chose to just banish the web apps from its Home Screen. Now it’s changed its mind and allowed the apps to stay albeit using WebKit.
For those not in the know: The Home Screen web apps feature refers to one of the capabilities afforded to Progressive Web Apps that makes them perform and appear more like native iOS apps. It allows web apps or websites to be opened from an iOS device and take over the whole screen, just like a native app, instead of loading within a browser window.
“Cupertino’s attempt to scuttle PWAs under cover of chaos is exactly what it appears to be: a shocking attempt to keep the web from ever emerging as a true threat to the App Store and blame regulators for Apple’s own malicious choices,”
[…]
In response to Apple’s about-face, OWA credited both vocal protests from developers and the reported decision by regulators to open an investigation into Apple’s abandonment of Home Screen web app support.
[…]
“This simply returns us back to the status quo prior to Apple’s plan to sabotage web apps for the EU,” the group said. “Apple’s over-a-decade suppression of the web in favor of the App Store continues worldwide, and their attempt to destroy web apps in the EU is just their latest attempt.
“If there is to be any silver lining, it is that this has thoroughly exposed Apple’s genuine fear of a secure, open and interoperable alternative to their proprietary App Store that they can not control or tax.”
Apple has thrown a real tantrum about being forced to comply with the DMA and, whilst hammering hands and feet and rolling on the floor like a toddler who can’t get their way, has broken a lot of stuff. Turns out they are now kind of fixing some of it.
As spotted by Linux benchmarking outfit Phoronix, AMD is having problems releasing certain versions of open-source drivers it’s developed for its GPUs – because, according to the Ryzen processor designer, the HDMI Forum won’t allow the code to be released as open source. Specifically, we’re talking about AMD’s FOSS drivers for HDMI 2.1 here.
For some years, AMD GPU customers running Linux have faced difficulties getting high-definition, high-refresh-rate displays connected over HDMI 2.1 to work correctly.
[…]
The issue isn’t missing drivers: AMD has already developed them under its GPU Open initiative. As AMD developer Alex Deucher put it in two different comments on the Freedesktop.org forum:
HDMI 2.1 is not available on Linux due to the HDMI Forum.
The HDMI Forum does not currently allow an open source HDMI 2.1 implementation.
The High-Definition Multimedia Interface is not just a type of port into which to plug your monitor. It’s a whole complex specification, of which version 2.1, the latest, was published in 2017.
[…]
HDMI cables are complicated things, including copyright-enforcing measures called High-bandwidth Digital Content Protection (HDCP) – although some of those were cracked way back in 2010. As we reported when it came out, you needed new cables to get the best out of HDMI 2.1. Since then, that edition was supplemented by version 2.1b in August 2023 – so now, you may need even newer ones.
This is partly because display technology is constantly improving. 4K displays are old tech: We described compatibility issues a decade ago, and covered 4K gaming the following year.
Such high-quality video brings two consequences. On the one hand, the bandwidth the cables are expected to carry has increased substantially. On the other, some forms of copying or duplication involving a reduction in image quality – say, halving the vertical and horizontal resolution – might still result in a perfectly watchable quality copy.
[…]
As we have noted before, we prefer DisplayPort to HDMI, and one reason is that you can happily drive an HDMI monitor from a DisplayPort output using a cheap cable, or if you have an HDMI cable to hand, an inexpensive adapter. We picked a random example which is a bargain at under $5.
But the converse does not hold. You can’t drive a DisplayPort screen from an HDMI port. That needs an intelligent adaptor which can resample the image and regenerate a display. Saying that, they are getting cheaper, and for lower-quality video such as old VGA or SCART outputs, these days, a circa-$5 microcontroller board such as a Raspberry Pi Pico can do the job, and you can build your own.
Update:
They are now excusing it all with this error.
Update 2:
I argue it is a fully artificial override, since when loading the webpage it does momentarily flicker your true asset value, and it then gets updated to zero when the page finishes loading, even after one purges the browser data. So their data comes through; it is just forced to go to zero to disable trading. I wait to be debunked. I do have some funds over there purely for science.
Update 3:
I now see my assets again after 70 minutes since the initial downtime began, missing a lot of “valuable” volatility. Trading is still disabled though.
And in particular BTC-USD advanced trading doesn’t seem to load whatsoever.
…issues with Coinbase may have more significance these days, considering the outsized role the company plays in helping to manage the new spot-Bitcoin ETFs. Coinbase provides a variety of services to the fund issuers, including serving as custodian for eight of the 10 spot Bitcoin ETFs.
Basically, trading from Coinbase has been suspended now that BTC is flying up. A bit like how Robinhood and a few other traders stopped people from selling GameStop when it flew up.