The EU wants to criminalize AI-generated deepfakes and the non-consensual sending of intimate images

[…] the European Council and Parliament have agreed with the proposal to criminalize, among other things, different types of cyber-violence. The proposed rules will criminalize the non-consensual sharing of intimate images, including deepfakes made by AI tools, which could help deter revenge porn. Cyber-stalking, online harassment, misogynous hate speech and “cyber-flashing,” or the sending of unsolicited nudes, will also be recognized as criminal offenses.

The commission says that having a directive for the whole European Union that specifically addresses those particular acts will help victims in Member States that haven’t criminalized them yet. “This is an urgent issue to address, given the exponential spread and dramatic impact of violence online,” it wrote in its announcement.

[…]

In its reporting, Politico suggested that the recent spread of pornographic deepfake images using Taylor Swift’s face urged EU officials to move forward with the proposal.

[…]

“The final law is also pending adoption in Council and European Parliament,” the EU Council said. According to Politico, if all goes well and the bill becomes a law soon, EU states will have until 2027 to enforce the new rules.

Source: The EU wants to criminalize AI-generated porn images and deepfakes

The original article has a seriously misleading title, I guess for clickbait.

COPD: Inhalable nanoparticles could help treat chronic lung disease

Delivering medication to the lungs with inhalable nanoparticles may help treat chronic obstructive pulmonary disease (COPD). In mice with signs of the condition, the treatment improved lung function and reduced inflammation.

COPD causes the lungs’ airways to become progressively narrower and more rigid, obstructing airflow and preventing the clearance of mucus. As a result, mucus accumulates in the lungs, attracting bacterial pathogens that further exacerbate the disease.

This thick mucus layer also traps medications, making it challenging to treat infections. So, Junliang Zhu at Soochow University in China and his colleagues developed inhalable nanoparticles capable of penetrating mucus to deliver medicine deep within the lungs.

The researchers constructed the hollow nanoparticles from porous silica, which they filled with an antibiotic called ceftazidime. A shell of negatively charged compounds surrounding the nanoparticles blocked off pores, preventing antibiotic leakage. This negative charge also helps the nanoparticles penetrate mucus. Then, the slight acidity of the mucus transforms the shells’ charge from negative to positive, opening up pores and releasing the medication.

The researchers used an inhalable spray containing the nanoparticles to treat a bacterial lung infection in six mice with signs of COPD. An equal number of animals received only the antibiotic.

On average, mice treated with the nanoparticles had about 98 per cent less pathogenic bacteria inside their lungs than those given just the antibiotic. They also had fewer inflammatory molecules in their lungs and lower carbon dioxide in their blood, indicating better lung function.

These findings suggest the nanoparticles could improve drug delivery in people with COPD or other lung conditions like cystic fibrosis where thick mucus makes it difficult to treat infections, says Vincent Rotello at the University of Massachusetts Amherst, who wasn’t involved in the study. However, it is unclear if these nanoparticles are cleared by lungs. “If you have a delivery system that builds up over time, that would be problematic,” he says.

Source: COPD: Inhalable nanoparticles could help treat chronic lung disease | New Scientist

OpenAI latest to add ‘Made by AI’ metadata to model output

Images emitted by OpenAI’s generative models will include metadata disclosing their origin, which in turn can be used by applications to alert people to the machine-made nature of that content.

Specifically, the Microsoft-championed super lab is, as expected, adopting the Content Credentials specification, which was devised by the Coalition for Content Provenance and Authenticity (C2PA), an industry body backed by Adobe, Arm, Microsoft, Intel, and more.

Content Credentials is pretty simple and specified in full here: it uses standard data formats to store within media files details about who made the material and how. This metadata isn’t directly visible to the user and is cryptographically protected so that any unauthorized changes are obvious.

Applications that support this metadata, when they detect it in a file’s contents, are expected to display a little “cr” logo over the content to indicate there is Content Credentials information present in that file. Clicking on that logo should open up a pop-up containing that information, including any disclosures that the stuff was made by AI.

The C2PA mark as applied by OpenAI

How the C2PA ‘cr’ logo might appear on an OpenAI-generated image in a supporting app. Source: OpenAI

The idea being here that it should be immediately obvious to people viewing or editing stuff in supporting applications – from image editors to web browsers, ideally – whether or not the content on screen is AI made.

[…]

the Content Credentials strategy isn’t foolproof as we’ve previously reported. The metadata can be easily stripped out or exported without it, or the “cr” cropped out of screenshots, so no “cr” logo will appear on the material in future in any applications. It also relies on apps and services to support the specification, whether they are creating or displaying media.

To work at scale and gain adoption, it also needs some kind of cloud system that can be used to restore removed metadata, which Adobe happens to be pushing, as well as a marketing campaign to spread brand awareness. Increase its brandwidth, if you will.

[…]

In terms of file-size impact, OpenAI insisted that a 3.1MB PNG file generated by its DALL-E API grows by about three percent (or about 90KB) when including the metadata.
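The detection half of what a supporting app does, as an added example (not OpenAI's or the C2PA project's code): the C2PA spec stores the manifest store in a PNG chunk of type caBX, so a viewer that finds a valid chunk of that type shows the "cr" badge, and a re-encoded or screenshotted copy that lacks it shows nothing. Both sample images and the manifest payload below are constructed placeholders, not signed manifests.

```python
"""Detect a C2PA Content Credentials manifest chunk in a PNG file."""
import struct
import zlib
from typing import Iterator, Optional, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
C2PA_CHUNK_TYPE = b"caBX"  # chunk type the C2PA spec assigns to the manifest store


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: big-endian length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(manifest: Optional[bytes]) -> bytes:
    """Build a minimal 1x1 greyscale PNG, optionally embedding a caBX chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey, no interlace
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 followed by one grey pixel
    chunks = [_chunk(b"IHDR", ihdr)]
    if manifest is not None:
        chunks.append(_chunk(C2PA_CHUNK_TYPE, manifest))
    chunks += [_chunk(b"IDAT", idat), _chunk(b"IEND", b"")]
    return PNG_SIGNATURE + b"".join(chunks)


def png_chunks(png: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (type, data) for every chunk; raise on a bad signature, truncation or CRC."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc_stored = png[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc_stored) != 4:
            raise ValueError(f"truncated chunk {ctype!r}")
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != struct.unpack(">I", crc_stored)[0]:
            raise ValueError(f"CRC mismatch in chunk {ctype!r}")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


def content_credentials_manifest(png: bytes) -> Optional[bytes]:
    """Return the raw caBX payload if the file carries one, else None.

    Only presence is checked here; a real viewer would go on to parse the JUMBF
    box and verify the manifest's signature before trusting any claim in it.
    """
    for ctype, data in png_chunks(png):
        if ctype == C2PA_CHUNK_TYPE:
            return data
    return None


def credential_status(png: bytes) -> str:
    """What a supporting viewer would conclude about showing the 'cr' badge."""
    return "cr" if content_credentials_manifest(png) is not None else "no credentials"


# Constructed samples: identical pixel data with and without a placeholder manifest.
PLACEHOLDER_MANIFEST = b"<placeholder C2PA JUMBF manifest store>"
PNG_WITH_CREDENTIALS = build_png(PLACEHOLDER_MANIFEST)
PNG_WITHOUT_CREDENTIALS = build_png(None)  # what a re-encode or screenshot yields

if __name__ == "__main__":
    for name, img in (("with", PNG_WITH_CREDENTIALS), ("without", PNG_WITHOUT_CREDENTIALS)):
        types = [t.decode() for t, _ in png_chunks(img)]
        print(name, types, credential_status(img), len(img), "bytes")
```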

[…]

Source: OpenAI latest to add ‘Made by AI’ metadata to model output • The Register

It’s a decent enough idea, a bit like an artist signing their works. Just hopefully it won’t look so damn ugly as in the example and each AI will have their own little logo.

Deep Abandoned Mine In Finland To Be Turned Into A Giant Gravity Battery

[…]

the idea behind gravity batteries is really simple. During times when energy sources are producing more energy than the demand, the excess energy is used to move weights (in the form of water or sometimes sand) upwards, turning it into potential energy. When the power supply is low, these objects can then be released, powering turbines as our good friend (and deadly enemy) gravity sends them towards the Earth.


Though generally gravity batteries take the form of reservoirs, abandoned mines moving sand or other weights up when excess power is being produced have also been suggested. Scottish company Gravitricity created a system of winches and hoists that can be installed in such disused mineshafts. The company will install the system in the 1,400-meter-deep (4,600 feet) zinc and copper mine in Pyhäjärvi, Finland.

[…]

Source: Deep Abandoned Mine In Finland To Be Turned Into A Giant Gravity Battery | IFLScience

Decrypting / Mounting Bitlocker protected drives

Attacks come in two main forms: one is scanning the drive for memory dumps and the other is by sniffing the BitLocker key through RAM dumping on cold boots.

Cold Boot Attacks

We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials.

Source: Lest We Remember: Cold Boot Attacks on Encryption Keys

Over time there have been many different physical attacks against full disk encryption, such as Cold Boot attacks [0][1] that we have previously researched. In addition, various attacks based on TPM interface sniffing [2] or DMA [3] have been used to gain access to an encryption key.

[…]

I captured the SPI signals with the Saleae Logic Pro 8 logic analyzer, which is capable of recording four signals up to 100 MHz. The wide terminal pitch of the SOIC-8 package allows an effortless way to hook the probes, and the whole capture process can be performed in under one minute.

The Logic 2 application supports SPI decoding out-of-the-box. The only caveat is to remember that the SS-line is inverted. Fortunately, the decoding options of Saleae allow us to choose whether the chip is selected when the SS-line is high or low. The screenshot below shows decoded MOSI and MISO byte streams from the capture.

[…]

Even though Proof of Concepts are awesome, proper weaponizing usually takes the attack to a whole new level, and as we stated at the beginning of this post, the real advantage comes if this can be performed with minimal effort. Therefore, I decided to automate the attack process as far as possible. The toolchain consists of the following parts:

  • Custom High-Level Analyzer for searching VMK entries from TPM transactions.
  • Docker container, which includes all the necessary tools to mount the drive just by giving VMK.

The workflow with the tooling is as follows:

  1. Sniff the SPI bus and extract VMK.
  2. Remove the drive and attach it to the attacker’s machine or boot the target directly from a USB-stick if allowed.
  3. Decrypt and mount the drive.

The video below shows how the analyzer is able to extract the VMK from the sniffed data. The key can then be passed to the mount tool, which decrypts the content and drops you to a shell where you are able to modify the volume content.

video

You can find the above tooling on GitHub.

Source: Sniff, there leaks my BitLocker key

TLDR: You can sniff BitLocker keys in the default config, from either a TPM1.2 or TPM2.0 device, using a dirt cheap FPGA (~$40NZD) and now publicly available code, or with a sufficiently fancy logic analyzer. After sniffing, you can decrypt the drive. Don’t want to be vulnerable to this? Enable additional pre-boot authentication.

Source: Extracting BitLocker keys from a TPM

Scanning RAM dumps / hiberfil.sys

Volatility is a framework for memory analysis and forensics. The Volatility plugin BitLocker allows you to retrieve the Full Volume Encryption Key (FVEK) from memory. The FVEK can then be used with Dislocker to decrypt the volume. This plugin has been tested on every 64-bit Windows version from Windows 7 to Windows 10 and is fully compatible with Dislocker.

Elcomsoft Forensic Disk Decryptor is a commercial (and expensive!) way to automate the use of this tooling. Instantly access data stored in encrypted BitLocker, FileVault 2, PGP Disk, TrueCrypt and VeraCrypt disks and containers. The tool extracts cryptographic keys from RAM captures, hibernation and page files or uses plain-text password or escrow keys to decrypt files and folders stored in crypto containers or mount encrypted volumes as new drive letters for instant, real-time access.

Supports: BitLocker (including TPM configurations), FileVault 2 (including APFS volumes), LUKS, PGP Disk, TrueCrypt and VeraCrypt encrypted containers and full disk encryption, BitLocker To Go, XTS-AES BitLocker encryption, Jetico BestCrypt, RAM dumps, hibernation files, page files

They do offer a trial version and the current version seems to be 2.20.1011

Hackers find out worth of Iranian drones sold to Russia

Shahed-136 drones in launcher

Hackers from the Prana Network group have compromised the mail servers of the Iranian company IRGC Sahara Thunder, which contained an array of data on the production of Shahed-136 attack drones for Russia.

Source: a statement by Prana Network, reported by Militarnyi

Details: As noted, the IRGC Sahara Thunder company is a fictitious company run by the Islamic Revolutionary Guard Corps that facilitates the sale of weapons to Russia.

In particular, the hackers published information about negotiations between the Iranian and Russian sides on the location of production in the Russian free economic zone Alabuga.

It is noted that the Iranian side announced the starting price of the Shahed attack drone at 23 million roubles per unit (about US$375,000). However, during the negotiations, an agreement was reached at the level of 12 million roubles per unit, when ordering 6,000 units (about US$193,000) or 18 million roubles (about US$290,000) when ordering 2,000 units.

According to other published documents, at least part of the Russian Federation’s financial transactions and payments with Iran are made in gold.

For example, in February 2023, Alabuga Machinery transferred 2 million grams of gold to the Iranian shell company Sahara Thunder, presumably as payment for services and goods.

Background: In August 2023, The Washington Post obtained internal documents on the operation of the Iranian drone manufacturing plant in the Alabuga Special Economic Zone in Tatarstan, Russia, which is scheduled to produce 6,000 Shahed kamikaze drones by 2025.

Source: Hackers find out worth of Iranian drones sold to Russia

Astronomers Measure the Mass of the Milky Way by Calculating How Hard it is to Escape

[…] how can we determine the mass of something larger, such as the Milky Way? One method is to estimate the number of stars in the galaxy and their masses, then estimate the mass of all the interstellar gas and dust, and then rough out the amount of dark matter… It all gets very complicated.

A better way is to look at how the orbital speed of stars varies with distance from the galactic center. This is known as the rotation curve and gives an upper mass limit on the Milky Way, which seems to be around 600 billion to a trillion solar masses. The wide uncertainty gives you an idea of just how difficult it is to measure our galaxy’s mass. But a new study introduces a new method, and it could help astronomers pin things down.

Estimated escape velocities at different galactic radii. Credit: Roche, et al

The method looks at the escape velocity of stars in our galaxy. If a star is moving fast enough, it can overcome the gravitational pull of the Milky Way and escape into interstellar space. The minimum speed necessary to escape depends upon our galaxy’s mass, so measuring one gives you the other. Unfortunately, only a handful of stars are known to be escaping, which is not enough to get a good handle on galactic mass. So the team looked at the statistical distribution of stellar speeds as measured by the Gaia spacecraft.

The method is similar to weighing the Moon with a handful of dust. If you were standing on the Moon and tossed dust upward, the slower-moving dust particles would reach a lower height than faster particles. If you measured the speeds and positions of the dust particles, the statistical relation between speed and height would tell you how strongly the Moon pulls on the motes, and thus the mass of the Moon. It would be easier just to bring our kilogram and scale to measure lunar mass, but the dust method could work.

In the Milky Way, the stars are like dust motes, swirling around in the gravitational field of the galaxy. The team used the speeds and positions of a billion stars to estimate the escape velocity at different distances from the galactic center. From that, they could determine the overall mass of the Milky Way. They calculated a mass of 640 billion Suns.

This is on the lower end of earlier estimates, and if accurate it means that the Milky Way has a bit less dark matter than we thought.

Source: Astronomers Measure the Mass of the Milky Way by Calculating How Hard it is to Escape – Universe Today

Inside the Underground Site Where ‘Neural Networks’ Churn Out Fake IDs

An underground website called OnlyFake is claiming to use “neural networks” to generate realistic looking photos of fake IDs for just $15, radically disrupting the marketplace for fake identities and cybersecurity more generally. This technology, which 404 Media has verified produces fake IDs nearly instantly, could streamline everything from bank fraud to laundering stolen funds.

In our own tests, OnlyFake created a highly convincing California driver’s license, complete with whatever arbitrary name, biographical information, address, expiration date, and signature we wanted. The photo even gives the appearance that the ID card is laying on a fluffy carpet, as if someone has placed it on the floor and snapped a picture, which many sites require for verification purposes.

[…]


Source: Inside the Underground Site Where ‘Neural Networks’ Churn Out Fake IDs

Hugging Face launches open source AI assistant maker to rival OpenAI’s custom GPTs

Hugging Face, the New York City-based startup that offers a popular, developer-focused repository for open source AI code and frameworks (and hosted last year’s “Woodstock of AI”), today announced the launch of third-party, customizable Hugging Chat Assistants.

The new, free product offering allows users of Hugging Chat, the startup’s open source alternative to OpenAI’s ChatGPT, to easily create their own customized AI chatbots with specific capabilities, similar both in functionality and intention to OpenAI’s custom GPT Builder, though that requires a paid subscription.

[…]

Phillip Schmid, Hugging Face’s Technical Lead & LLMs Director, posted the news […] explaining that users could build a new personal Hugging Face Chat Assistant “in 2 clicks!” Schmid also openly compared the new capabilities to OpenAI’s custom GPTs.

However, in addition to being free, the other big difference between Hugging Chat Assistant and the GPT Builder and GPT Store is that the latter tools depend entirely on OpenAI’s proprietary large language models (LLM) GPT-4 and GPT-4 Vision/Turbo.

Users of Hugging Chat Assistant, by contrast, can choose which of several open source LLMs they wish to use to power the intelligence of their AI Assistant on the backend.

[…]

Like OpenAI with its GPT Store launched last month, Hugging Face has also created a central repository of third-party customized Hugging Chat Assistants which users can choose between and use on their own time here.

The Hugging Chat Assistants aggregator page bears a very close resemblance to the GPT Store page

[…]


Source: Hugging Face launches open source AI assistant maker to rival OpenAI’s custom GPTs | VentureBeat

Virgin Galactic: Alignment pin mishap reported to FAA. If only Musk did that too.

Virgin Galactic has reported itself to the US Federal Aviation Administration (FAA) after discovering a detached alignment pin from the mechanism used to keep its suborbital spaceplane attached to the mothership aircraft.

According to the company, the alignment pin is used to ensure the spaceplane (in this case, Unity) is aligned correctly to the mothership (VMS Eve) during the mating of the vehicles on the ground.

In flight, the pin helps to transfer load from drag and other forces from Unity to the shear pin fitting assembly and into the pylon and center wing of the mothership. The alignment pin remained in place during the mated portion of the flight, but detached after Unity was released.

Virgin Galactic said: “While both parts play a role during mated flight, they do not support the spaceship’s weight, nor do they have an active function once the spaceship is released.”

However, having bits of your launch system detach unexpectedly is not great, despite the success of Galactic 06, a suborbital spaceflight launched on January 26, 2024. The mission carried a crew of six, including four private passengers, on a jaunt to just over 55 miles above the Earth before gliding back to a landing at Spaceport America.

The next flight of Unity is planned for the second quarter of 2024, although Virgin Galactic cautioned that this would depend on the review’s outcome.

In November 2023, boss Michael Colglazier announced that flights would be paused from mid-2024 to allow the company to focus on building its upcoming Delta class of spaceplane. Colglazier also announced that approximately 18 percent of the workforce were to be let go.

Virgin Galactic said of the incident: “At no time did the detached alignment pin pose a safety impact to the vehicles or the crew on board.”

VMS Eve completed a lengthy maintenance period just over a year ago, followed by the company commencing commercial operations. Having something fall off, even as minor as a pin that did not affect flight safety is, therefore, a worry.

The company has not elaborated on the cause of the incident or responded to The Register’s queries.

The FAA gave us the following statement: “A mishap occurred during the Virgin Galactic Galactic 06 commercial human spaceflight mission from Spaceport America in New Mexico on Jan. 26. Eight people were on the suborbital mission: two pilots on the WhiteKnightTwo carrier aircraft, and two pilots and four spaceflight participants on the SpaceShipTwo spacecraft. The mishap involved an issue with an alignment pin that provides connection between the carrier aircraft and the spacecraft.

“No public injuries or public property damage have been reported. The FAA is overseeing the Virgin Galactic-led mishap investigation to ensure the company complies with its FAA-approved mishap investigation plan and other regulatory requirements.” ®

Source: Virgin Galactic: Alignment pin mishap wouldn’t affect safety • The Register

Netherlands reveals Chinese attack on defence servers using CoatHanger malware on Fortinet Devices – a real pain to remove

Dutch authorities are lifting the curtain on an attempted cyberattack last year at its Ministry of Defense (MoD), blaming Chinese state-sponsored attackers for the espionage-focused intrusion.

Specialists from the Netherlands’ Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) were called in to investigate an intrusion at an MOD network last year, uncovering a previously unseen malware they’re calling Coathanger.

The name, authorities said, was conjured up based on the “peculiar phrase” displayed by the malware when encrypting the configuration on disk: “She took his coat and hung it up.”

A deep dive into Coathanger’s code revealed the remote access trojan (RAT) was purpose-built for Fortinet’s FortiGate next-generation firewalls (NGFWs) and the initial access to the MoD’s network was gained through exploiting CVE-2022-42475.

According to the MIVD and AIVD, the RAT operates outside of traditional detection measures and acts as a second-stage malware, mainly to establish persistent access for attackers, surviving reboots and firmware upgrades.

Even fully patched FortiGate devices could still have Coathanger installed if they were compromised before upgrading.

In the cybersecurity advisory published today, authorities said the malware was highly stealthy and difficult to detect using default FortiGate CLI commands, since Coathanger hooks most system calls that could identify it as malicious.

They also made clear that Coathanger is definitely different from BOLDMOVE, another RAT targeting FortiGate appliances.

“For the first time, the MIVD has chosen to make public a technical report on the working methods of Chinese hackers. It is important to attribute such espionage activities by China,” said defense minister Kajsa Ollongren in an automatically translated statement. “In this way, we increase international resilience against this type of cyber espionage.”

The advisory also noted that Dutch authorities had previously spotted Coathanger present on other victims’ networks too, prior to the incident at the MOD.

As for attribution, MIVD and AIVD said they can pin Coathanger to Chinese state-sponsored attackers with “high confidence.”

“MIVD and AIVD emphasize that this incident does not stand on its own, but is part of a wider trend of Chinese political espionage against the Netherlands and its allies,” the advisory reads.

The attackers responsible for the attack were known for conducting “wide and opportunistic” scans for exposed FortiGate appliances vulnerable to CVE-2022-42475 and then exploiting it using an obfuscated connection.

After gaining an initial foothold inside the network, which was used by the MOD’s research and development division, the attackers performed reconnaissance and stole a list of user accounts from the Active Directory server.

Not much else was said about the attacker’s activity, other than the fact that the overall impact of the intrusion was limited thanks to the MOD’s network segmentation.

For those worried about whether Chinese cyberspies are lurking in their firewall, the Joint Signal Cyber Unit of the Netherlands (JCSU-NL) published a full list of indicators of compromise (IOCs) and various detection methods on its GitHub page.

The collection of materials includes YARA rules, a JA3 hash, CLI commands, file checksums, and more. The authorities said each detection method should be seen as independent and used together since some focus on general IOCs and others were developed to spot Coathanger activity specifically.

If there is evidence of compromise, it’s possible other hosts that are reachable by the FortiGate device are also compromised. There is also an increased likelihood that attackers may perform hands-on-keyboard attacks.

Affected users should isolate their device immediately, collect and review logs, and consider calling in third-party digital forensics specialists, the advisory reads. Victims should also inform their country’s cybersecurity authority: NCSC, CISA, etc.

The only way to remove Coathanger from an infected device is to completely reformat the device, before reinstalling and reconfiguring it.

Whiffs of China’s involvement in CVE-2022-42475 exploits have long been suspected, but for the first time they’re confirmed today.

First disclosed in December 2022, a month later Fortinet said it was aware that the vulnerability was tied to the breach of a government or government-related organization that had been infected with custom-made malware.

At the time, no fingers were officially pointed other than the fact that this custom malware was compiled on a machine in the UTC+8 timezone, so realistically it was most likely going to be either China or Russia.

China was also accused of being behind exploits of a separate Fortinet bug in March, again using bespoke malware for the purposes of cyber espionage. ®

Source: Netherlands reveals Chinese spies attacked its defense dept • The Register

You should be reading your news through an RSS reader

[…] one of the main roles of RSS is to supply directly to you a steady stream of updates from a website. Every new article published on that site is served up in a list that can be interpreted by an RSS reader.

In earlier, simpler internet times, RSS was the way to keep up to date with what was happening on all of your favorite sites. You would open your RSS reader and tap through newly published articles one by one, in chronological order, in the same way you would check your email. It was an easy way to keep tabs on what was new and what was of interest.

[…]

RSS is essentially a standard for serving up text and images in a feed-like format, and not all that dissimilar to HTML. Typically, the feed includes the headline of an article, some of the text (often just the introduction), and perhaps the main image.

[…]

Even when a site doesn’t explicitly offer RSS feeds, the best RSS readers can now produce their own approximation of them by watching for new activity on a site, so you can direct the app toward the site you want to keep tabs on.

[…]

RSS is clearly useful if you have a selection of favorite websites and you want to skim through everything they publish (or everything they publish in a certain category, if the site has several feeds).

[…]

Using RSS means you can catch up on everything, methodically and chronologically, even if you’ve been offline for a week (you don’t have to catch up on everything, of course—but you can, if you want, as your feed will operate on an infinite scroll). It’s also a cleaner, less cluttered way of using the internet, as you only need click through on the specific articles you want to read.
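The reader core behind the catch-up behaviour described above, as an added example (not from the Lifehacker piece or any reader product): it parses an RSS 2.0 feed into headline, summary, link and main image, and returns everything published since the reader last checked, oldest first. The feed, the example.invalid URLs and the LAST_SEEN timestamp are constructed for the demo.

```python
"""Minimal RSS 2.0 reader core: parse a feed, list what is new, in publication order."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Constructed sample feed; items are deliberately out of chronological order.
SAMPLE_FEED = b"""<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example Security Blog</title>
    <link>https://example.invalid/</link>
    <item>
      <title>Third post</title>
      <link>https://example.invalid/3</link>
      <description>Intro paragraph of post three.</description>
      <pubDate>Wed, 07 Feb 2024 09:00:00 +0000</pubDate>
      <enclosure url="https://example.invalid/3.png" type="image/png" length="1024"/>
    </item>
    <item>
      <title>First post</title>
      <link>https://example.invalid/1</link>
      <description>Intro paragraph of post one.</description>
      <pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate>
    </item>
    <item>
      <title>Second post</title>
      <link>https://example.invalid/2</link>
      <description>Intro paragraph of post two.</description>
      <pubDate>Fri, 02 Feb 2024 18:30:00 +0000</pubDate>
    </item>
  </channel>
</rss>
"""

# Constructed: when this reader last fetched the feed.
LAST_SEEN = datetime(2024, 1, 30, tzinfo=timezone.utc)


@dataclass
class Entry:
    title: str
    link: str
    summary: str          # usually just the introduction, as the article notes
    published: Optional[datetime]
    image: Optional[str]  # main image, taken from an image/* enclosure if present


def parse_rss(raw: bytes) -> List[Entry]:
    """Parse RSS 2.0 bytes into entries.

    Feeds carrying a DOCTYPE are rejected up front: RSS never needs an inline DTD,
    and a DTD is the vehicle for entity-expansion tricks against XML parsers.
    """
    if b"<!DOCTYPE" in raw.upper():
        raise ValueError("refusing feed with a DOCTYPE declaration")
    root = ET.fromstring(raw)
    if root.tag != "rss":
        raise ValueError(f"not an RSS 2.0 feed: root element is <{root.tag}>")
    entries: List[Entry] = []
    for item in root.iter("item"):
        published = None
        pub = item.findtext("pubDate")
        if pub:
            try:
                published = parsedate_to_datetime(pub.strip())  # RFC 822 date
            except (TypeError, ValueError):
                published = None  # malformed date: keep the item, treat it as undated
        enclosure = item.find("enclosure")
        image = None
        if enclosure is not None and enclosure.get("type", "").startswith("image/"):
            image = enclosure.get("url")
        entries.append(Entry(
            title=(item.findtext("title") or "").strip(),
            link=(item.findtext("link") or "").strip(),
            summary=(item.findtext("description") or "").strip(),
            published=published,
            image=image,
        ))
    return entries


def unread_since(raw: bytes, last_seen: datetime) -> List[Entry]:
    """Entries newer than last_seen, oldest first, so a week offline is caught up
    in publication order. Undated entries cannot be placed and are listed last."""
    fresh = [e for e in parse_rss(raw) if e.published is None or e.published > last_seen]
    dated = sorted((e for e in fresh if e.published is not None), key=lambda e: e.published)
    undated = [e for e in fresh if e.published is None]
    return dated + undated


if __name__ == "__main__":
    for entry in unread_since(SAMPLE_FEED, LAST_SEEN):
        print(entry.published, entry.title, entry.link, entry.image or "")
```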

[…]

The best RSS feed running is arguably Feedly, which offers a bunch of features across free and paid-for plans: It has a clean, clear interface, it can generate RSS feeds for sites that don’t have them, it can sort feeds in a variety of ways, it can incorporate email newsletters, and much more besides.

[…]

Source: Embrace RSS: These Are the Best RSS Reader Apps in 2024 | Lifehacker

This is an amazing way to run through multiple news sources quickly.

Orient at 45° for stronger, better looking 3D Printed Enclosures

When it comes to 3D printing, the orientation of your print can have a significant impact on strength, aesthetics, and functionality or ease of printing. The folks at Slant 3D have found that printing enclosures at 45° provides an excellent balance of these properties, with some added advantages for high volume printing. The trick is to prevent the part from falling over when balanced on an edge, but in the video after the break [Gabe Bentz] demonstrates Slant 3D’s solution of minimalist custom supports.

The traditional vertical or horizontal orientations come with drawbacks like excessive post-processing and weak layer alignment. Printing at 45° reduces waste and strengthens the end product by aligning the layer lines in a way that resists splitting across common stress points. When scaling up production, this orientation comes with the added advantage of minimal bed contact area, allowing the printer to auto-eject the part by pushing it off the bed with the print head.


To keep the part stable while printing in this orientation Slant 3D designed a fin-like support structure attached to the back of the enclosure with small sprues. This wastes significantly less time and material than auto-generated supports, and snaps away cleanly, leaving behind minimal imperfections that are easily addressed. To improve aesthetics and hide layer lines, Slant 3D also recommend adding texture to the external surfaces of enclosures. On 3D printed parts this detail costs nothing, while it would have added significant costs to injection molded parts.

We’re intrigued by this creative twist on 3D printing’s capabilities—proving once again that a simple shift in perspective (or in this case, orientation) can unlock new design potentials.

Slant 3D use FDM 3D printing for mass production; [Gabe] even hosted a Hack Chat on the subject. They have come up with a number of innovative design tricks which are also useful for the hobbyist. These include improved corner brackets, robust living hinges and better alignment features for 3D printed assemblies.

Source: An Alternative Orientation For 3D Printed Enclosures | Hackaday

Criticism as Dutch domain registry plans move to Amazon cloud

Questions are being asked in parliament about the decision by Dutch domain registration foundation SIDN to transfer the dot nl domain and its “complete ICT services” to Amazon’s cloud services. 

SIDN says the move will make managing the technology easier but some tech entrepreneurs have doubts, and now MPs have asked the government, which supports the idea of keeping .nl on Dutch or European servers, to explain why the move has been sanctioned. 

Tech entrepreneur Bert Hubert told BNR radio he opposes the idea of shifting the domain to cloud operators in the US. “If your servers are on your own continent and under your legal surveillance, then you can also be sure that no one will mess with your data,” he said. 

The added value of keeping .nl domain names under Dutch control also means “we control it ourselves and can innovate with it ourselves… When you outsource, you always lose your knowledge,” he said. 

Simon Besteman, managing director of the Dutch Cloud Community said on social media he was shocked by SIDN’s decision. “We have been inundated with questions from the Dutch internet community and our members… who have questions about the ethical as well as compliance and moral aspects.”

SIDN says that all data will remain on European servers and that users will not notice any difference in practice. It also argues that Amazon has the extremely specialised services it needs, and that these are not available in Europe.  

It was a difficult decision to move the systems to Amazon, SIDN technology chief Loek Bakker said in a reaction to the criticism.

“Although we seek to contribute to the strategic digital autonomy of the Netherlands and Europe in numerous ways, the need to assure the permanent availability of .nl and the protection of our data was decisive in this instance. That is, after all, our primary responsibility as a registry.”

Nevertheless, he said “We will be using generic, open-source technology, so that, as soon as it becomes responsible to migrate the system to a Dutch or European cloud service provider, we can do so relatively easily.”

You can smell the nonsense here very clearly – SIDN was and should be a highly technical company. Apparently the bean counters have taken over and kicked out all the expertise in the name of… cost cutting? Are they aware that the costs of AWS are often higher than the costs of self maintenance? But the manager gets a nice trip to the US in a private jet or something like it?

And nothing about AWS is open source – they are in fact known for taking open source projects and then forking them and then pricing them through the nose.

MPs from GroenLinks, the PvdA and D66 have now asked the government to explain why the move is being made, Hubert said.

SIDN is a foundation that has the right to exploit the .nl domain name, earning some €21 million a year in the process. More than six million .nl domains have been registered. 

Source: Criticism as Dutch domain registry plans move to Amazon cloud – DutchNews.nl

Cloudflare Hacked

Web security company Cloudflare on Thursday revealed that a threat actor used stolen credentials to gain access to some of its internal systems.

The incident was discovered on November 23, nine days after the threat actor, believed to be state-sponsored, used credentials compromised in the October 2023 Okta hack to access Cloudflare’s internal wiki and bug database.

The stolen login information (an access token and three service account credentials) was not rotated following the Okta incident, allowing the attackers to probe and perform reconnaissance of Cloudflare systems starting November 14, the security firm explains.

According to Cloudflare, the attackers managed to access an AWS environment, as well as Atlassian Jira and Confluence, but network segmentation prevented them from accessing its Okta instance and the Cloudflare dashboard.

With access to the Atlassian suite, the threat actor started looking for information on the Cloudflare network, searching the wiki for “things like remote access, secret, client-secret, openconnect, cloudflared, and token”. In total, 36 Jira tickets and 202 wiki pages were accessed.

On November 16, the attackers created an Atlassian account to gain persistent access to the environment, and on November 20 returned to verify that they still had access.

On November 22, the threat actor installed the Sliver Adversary Emulation Framework, gaining persistent access to the Atlassian server, which was then used to move laterally. They attempted to access a non-production console server at a São Paulo, Brazil, data center that is not yet operational.

The attackers viewed 120 code repositories and downloaded 76 of them to the Atlassian server, but did not exfiltrate them.

“The 76 source code repositories were almost all related to how backups work, how the global network is configured and managed, how identity works at Cloudflare, remote access, and our use of Terraform and Kubernetes. A small number of the repositories contained encrypted secrets which were rotated immediately even though they were strongly encrypted themselves,” Cloudflare notes.

The attackers used a Smartsheet service account to access Cloudflare’s Atlassian suite, and the account was terminated on November 23, within 35 minutes after the unauthorized access was identified. The user account created by the attacker was found and deactivated 48 minutes later.

Cloudflare says it also put in place firewall rules to block the attackers’ known IP addresses and that the Sliver Adversary Emulation Framework was removed on November 24.

[…]

The goal of the attack, Cloudflare says, was to obtain information on the company’s infrastructure, likely to gain a deeper foothold. CrowdStrike performed a separate investigation into the incident, but discovered no evidence of additional compromise.

“We are confident that between our investigation and CrowdStrike’s, we fully understand the threat actor’s actions and that they were limited to the systems on which we saw their activity,” Cloudflare notes.

Source: Cloudflare Hacked by Suspected State-Sponsored Threat Actor  – SecurityWeek
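The reconnaissance pattern described above (a service account whose credentials should have been rotated after the Okta breach, searching the wiki for "secret", "token" and similar terms, then pulling hundreds of pages) is exactly the kind of behaviour a detection rule over Atlassian audit events can surface. The Python below is an added example, not Cloudflare's or Atlassian's code: the JSON-lines event shape, the field names and the sample events are constructed for this illustration, and the thresholds are assumptions to tune per environment.

```python
"""Hunt for wiki/ticket reconnaissance by a compromised account.

Added example (not Cloudflare's or Atlassian's code). It scans audit
events for the signals the incident write-up describes: searches for
secret-bearing terms, and an integration account behaving like a human.
The log format below is constructed for the example, not a real schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Terms the attacker was reported to search for; extend per environment.
WATCHLIST = ("remote access", "secret", "client-secret", "openconnect",
             "cloudflared", "token")

# Constructed audit events in a Confluence-like JSON-lines shape (assumed).
SAMPLE_LOG = """
{"ts": "2023-11-14T09:01:00Z", "actor": "svc-smartsheet", "actor_type": "service", "action": "search", "query": "remote access"}
{"ts": "2023-11-14T09:02:10Z", "actor": "svc-smartsheet", "actor_type": "service", "action": "search", "query": "client-secret"}
{"ts": "2023-11-14T09:02:40Z", "actor": "svc-smartsheet", "actor_type": "service", "action": "view_page", "page": "ops/vpn-openconnect"}
{"ts": "2023-11-14T09:03:05Z", "actor": "svc-smartsheet", "actor_type": "service", "action": "view_page", "page": "ops/cloudflared-tunnels"}
{"ts": "2023-11-14T09:03:30Z", "actor": "svc-smartsheet", "actor_type": "service", "action": "view_page", "page": "ops/backup-runbook"}
{"ts": "2023-11-14T10:15:00Z", "actor": "alice", "actor_type": "user", "action": "search", "query": "token"}
{"ts": "2023-11-14T10:16:00Z", "actor": "alice", "actor_type": "user", "action": "view_page", "page": "dev/api-auth-guide"}
{"ts": "2023-11-14T11:00:00Z", "actor": "svc-ci-bot", "actor_type": "service", "action": "api_call", "endpoint": "/rest/api/content"}
""".strip()


def parse_events(text):
    """Parse JSON lines into dicts, converting 'ts' to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_recon(events, window=timedelta(hours=1), min_hits=2, max_pages=50):
    """Return {actor: [reasons]} for actors whose activity looks like recon.

    Signals (any one is enough to report):
      * a service/integration account issuing interactive searches at all;
      * at least `min_hits` searches whose query contains a WATCHLIST term;
      * more than `max_pages` distinct pages viewed inside one sliding `window`.
    """
    per_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        per_actor[ev["actor"]].append(ev)

    findings = {}
    for actor, evs in per_actor.items():
        reasons = []
        actor_type = evs[0].get("actor_type", "user")
        searches = [e for e in evs if e["action"] == "search"]
        if actor_type == "service" and searches:
            reasons.append("service account performing interactive searches")
        hits = [e["query"] for e in searches
                if any(term in e["query"].lower() for term in WATCHLIST)]
        if len(hits) >= min_hits:
            reasons.append(f"{len(hits)} secret-hunting searches: {hits}")
        views = [e for e in evs if e["action"] == "view_page"]
        # Sliding window over page views, counting distinct pages per window.
        for i, start in enumerate(views):
            pages = {e["page"] for e in views[i:] if e["ts"] - start["ts"] <= window}
            if len(pages) > max_pages:
                reasons.append(f"{len(pages)} distinct pages viewed within {window}")
                break
        if reasons:
            findings[actor] = reasons
    return findings


if __name__ == "__main__":
    for actor, reasons in find_recon(parse_events(SAMPLE_LOG)).items():
        print(actor, "->", "; ".join(reasons))
```

The useful signal is less the keywords themselves (a developer legitimately searching for "token" should not page anyone) than the combination: a non-interactive integration account has no business issuing searches, and a single principal walking through hundreds of distinct wiki pages and tickets in an hour is not how Smartsheet talks to Confluence. Pair the detection with the preventive control this incident turned on: treat every token and service-account secret that transited a compromised identity provider as burned and rotate it, whether or not you have seen it used.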

EU countries give crucial nod to first-of-a-kind Artificial Intelligence law

The ambassadors of the 27 countries of the European Union unanimously approved the world’s first comprehensive rulebook for Artificial Intelligence, rubber-stamping the political agreement reached in December.

In December, EU policymakers reached a political agreement on the main sticking points of the AI Act, a flagship bill to regulate Artificial Intelligence based on its capacity to cause harm. The complexity of the law meant its technical refinement took more than one month.

On 24 January, the Belgian presidency of the Council of EU Ministers presented the final version of the text, leaked in an exclusive by Euractiv, at a technical meeting. Most member states maintained reservations at the time as they did not have enough time to analyse the text comprehensively.

These reservations were finally lifted with the adoption of the AI Act from the Committee of Permanent Representatives on Friday (2 February). However, the green light from EU ambassadors was not guaranteed since some European heavyweights resisted parts of the provisional deal until the very last days.

Powerful AI models

The primary opponent of the political agreement was France, which, together with Germany and Italy, asked for a lighter regulatory regime for powerful AI models, such as OpenAI’s GPT-4, that support General Purpose AI systems like ChatGPT and Bard.

Europe’s three largest economies asked for limiting the rules in this area to codes of conduct, as they did not want to clip the wings of promising European start-ups like Mistral AI and Aleph Alpha that might challenge American companies in this space.

Read: France, Germany and Italy were deeply in the pocket of AI firm lobbyists and created a lot of time-wasting opposition to good laws, allowing the big boys to gain further ground over the little guys whilst they were themselves signing letters asking for moratoriums on dangerous world-destroying AI research.

However, the European Parliament was united in asking for hard rules for these models, considering that it was unacceptable to carve out the most potent types of Artificial Intelligence from the regulation while leaving all the regulatory burden on smaller actors.

The compromise was based on a tiered approach, with horizontal transparency rules for all models and additional obligations for compelling models deemed to entail a systemic risk.

[…]

The Belgian presidency put the member states before a ‘take-it-or-leave-it’ scenario and, despite attempts from France to delay the ambassadors’ vote, kept a tight timeline, partially to allow enough time for the legal polishing of the text and partially to limit last-minute lobbying.

French back-room manoeuvring aimed at gathering sufficient opposition to obtain concessions in the text or even reject the provisional agreement.

However, the balance tilted decisively against Paris as Berlin decided to support the text earlier this week. The German Digital Minister, the liberal Volker Wissing, found himself isolated from his coalition partners in his opposition to the AI rulebook and had to drop his reservations.

Italy, always the least exposed of the sceptical trio as it does not have a leading AI start-up to defend, also decided not to oppose the AI Act. Despite discontent with the agreement, Rome opted to avoid drama as it holds the rotating presidency of the G7, where AI is a crucial topic.

[…]

EU countries still have room to influence how the AI law will be implemented, as the Commission will have to issue around 20 acts of secondary legislation. The AI Office, which will oversee AI models, is also set to be significantly staffed with seconded national experts.

Next steps

The European Parliament’s Internal Market and Civil Liberties Committees will adopt the AI rulebook on 13 February, followed by a plenary vote provisionally scheduled for 10-11 April. The formal adoption will then be complete with endorsement at the ministerial level.

The AI Act will enter into force 20 days after publication in the official journal. The bans on the prohibited practices will start applying after six months, whereas the obligations on AI models will start after one year.

All the rest of the rules will kick in after two years, except for the classification of AI systems that have to undergo third-party conformity assessment under other EU rules as high-risk, which was delayed by one additional year.

Source: EU countries give crucial nod to first-of-a-kind Artificial Intelligence law – Euractiv

Google Search’s cache links are unfortunately being retired

Google has removed links to page caches from its search results page, the company’s search liaison Danny Sullivan has confirmed. “It was meant for helping people access pages when way back, you often couldn’t depend on a page loading,” Sullivan wrote on X. “These days, things have greatly improved. So, it was decided to retire it.”

The cache feature historically let you view a webpage as Google sees it, which is useful for a variety of different reasons beyond just being able to see a page that’s struggling to load. SEO professionals could use it to debug their sites or even keep tabs on competitors, and it can also be an enormously helpful news gathering tool, giving reporters the ability to see exactly what information a company has added (or removed) from a website, and a way to see details that people or companies might be trying to scrub from the web. Or, if a site is blocked in your region, Google’s cache can work as a great alternative to a VPN.

A page’s cache has typically been accessible via a couple of different routes. There was a “Cached” button that would appear at the bottom of the “About this result” panel accessible from the three button menu next to a search result. And, for those in the know, you could also prepend “cache:” to a URL before searching for it to hop instantly into Google’s cached version.

[…]

It doesn’t sound like Google has any immediate plans to replace the feature, but Sullivan says he hopes that Google could add links to the Internet Archive that could instead be used to show how a webpage has changed over time. “No promises,” he cautions. “We have to talk to them, see how it all might go — involves people well beyond me. But I think it would be nice all around.”

Source: Google Search’s cache links are officially being retired – The Verge

Read: this useful feature wasn’t making Google any money, so they decided to go cost cutting.

Consumers still pay too much to call another EU country – wait, wasn’t there free roaming?!

The EU single market holds many advantages. To be able to travel, work or purchase goods effortlessly across numerous different countries creates all kinds of opportunities for consumers. But there are still areas where it is not working or has simply not been accomplished, even if it would be the most logical and appropriate thing to do.

International intra-EU calls are one of them. It is often still prohibitively expensive to call someone who lives in a different EU country.

Since the end of roaming charges in 2017, which used to apply when you travelled to another country and called somebody back home, consumers have enjoyed their phones without the risk of a bill shock on a trip inside the EU. But they are confused that, today, calling their friends and family in another country from the comfort of their own home can cost up to €0.19 per minute on top of what they pay for their phone subscription.

Caps in place

At least since 2019, there have been EU price caps on what telecom operators can apply as a surcharge for such calls. EU decision-makers then chose to cap the surcharges rather than remove them altogether, with a review of the caps due by 2024.

But that review has not taken place. The price caps will lapse in May this year if no action is taken, threatening to dramatically increase the prices consumers pay for a call to another country.

This could mean consumers end up with less usable alternatives like online messaging apps, with all the data protection and privacy risks they can sometimes entail, or simply stop calling another EU country.

How can we face this situation today, six years after roaming ended?

Good for telecoms, bad for everyone else

Consumers and companies who do business across borders are losing out daily by paying higher prices, while telecom companies pocket the difference for their shareholders.

This is despite telecom companies admitting that costs for such calls are decreasing yearly as better, more efficient infrastructure gets rolled out.

Companies like Telefonica or Deutsche Telekom have argued passionately over 2023 for the need to loosen EU competition rules so that they can consolidate across borders because we live in a European single market. But strangely, they do not want to let consumers benefit from a market without borders. It is time for the single market to work for consumers, not just telecom companies.

Intra-EU call surcharges are a gift from a bygone era to a sector asking for all kinds of advantages today. The surcharges should be banned, just as they were for roaming.

[…]

The Gigabit Infrastructure Act and its expected final round of negotiations on Monday, 5 February, is the last chance not only to ‘save the caps’ and continue the status quo, as many want but also the opportunity for the EU to go one step further and finally ban the surcharges altogether.

Source: Call me maybe (not)? Consumers still pay too much to call another EU country – Euractiv

Oddly enough, Dutch telecom providers don’t charge to call another EU country, so for Dutch people it will be a surprise that other countries’ telecom providers do charge.

The European Space Agency will test 3D printing metal on the ISS

The first metal 3D printer that will be used in space is on its way to the International Space Station. The Cygnus NG-20 supply mission, which is carrying the 180kg (397 lbs) printer, launched on Tuesday and is set to arrive at the ISS on Thursday.

Astronaut Andreas Mogensen will install the printer, which Airbus developed for the European Space Agency. The machine will then be controlled and monitored from Earth.

Polymer-based 3D printers have been employed on the ISS in the past, but metal 3D printing in orbit is said to pose a trickier challenge. The machine will use a form of stainless steel that’s often used for water treatment and medical implants because of how well it resists corrosion.

After the stainless steel wire is pushed into the printing area, the printer melts it with a laser said to be a million times more powerful than a typical laser pointer. The printer then adds the melted metal to the print.

The melting point of the metal is around 1,400°C and the printer will run inside a completely sealed box. Before the printer can operate, it needs to vent its oxygen into space and replace its atmosphere with nitrogen. Otherwise, the melted metal would oxidize when it became exposed to oxygen.

Given the higher temperatures that are employed compared with a plastic 3D printer (which heats to around 200°C), “the safety of the crew and the Station itself have to be ensured — while maintenance possibilities are also very limited,” ESA technical officer Rob Postema told the agency’s website. “If successful though, the strength, conductivity and rigidity of metal would take the potential of in-space 3D printing to new heights.”

Four test prints are scheduled. The printer will replicate reference prints that have been created back on Earth. The two versions will be compared to help scientists understand how printing quality and performance differs in space. Even though each print will weigh less than 250g (8.8 ounces) and be smaller than a soda can, it will take the printer between two and four weeks to create each one. The printer will only be in operation for a maximum of four hours each day, since its fans and motor are fairly loud and the ISS has noise regulations.

[…]

Source: The European Space Agency will test 3D printing metal on the ISS

Cory Doctorow’s McLuhan lecture on enshittification (30 Jan 2024)

Last year, I coined the term ‘enshittification,’ to describe the way that platforms decay. That obscene little word did big numbers, it really hit the zeitgeist. I mean, the American Dialect Society made it their Word of the Year for 2023 (which, I suppose, means that now I’m definitely getting a poop emoji on my tombstone).

So what’s enshittification and why did it catch fire? It’s my theory explaining how the internet was colonized by platforms, and why all those platforms are degrading so quickly and thoroughly, and why it matters – and what we can do about it.

We’re all living through the enshittocene, a great enshittening, in which the services that matter to us, that we rely on, are turning into giant piles of shit.

It’s frustrating. It’s demoralizing. It’s even terrifying.

I think that the enshittification framework goes a long way to explaining it, moving us out of the mysterious realm of the ‘great forces of history,’ and into the material world of specific decisions made by named people – decisions we can reverse and people whose addresses and pitchfork sizes we can learn.

Enshittification names the problem and proposes a solution. It’s not just a way to say ‘things are getting worse’ (though of course, it’s fine with me if you want to use it that way. It’s an English word. We don’t have der Rat für Englisch Rechtschreibung. English is a free for all. Go nuts, meine Kerle).

[…]

Source: Pluralistic: My McLuhan lecture on enshittification (30 Jan 2024) – Pluralistic: Daily links from Cory Doctorow

It’s a good essay on what enshittification is, what causes it, why it’s so bad and some ideas on how to get rid of it. Very worth reading.

EASA and IATA start work on aviation GPS interference

flight course of an aircraft being GPS spoofed and almost entering dangerous airspace

The European Union Aviation Safety Agency (EASA) and the International Air Transport Association (IATA) held a recent workshop on incidents where people spoofed and jammed satellite navigation systems, and concluded these pose a “significant challenge” to safety.

Mitigating the risks posed by such actions will require measures to be enacted in the short term as well as medium and long term timescales, the two bodies said. They want to start by sharing information about the incidents and any potential remedies.

In Europe, this information sharing will occur through the European Occurrence Reporting scheme and EASA’s Data4Safety program. Given the global nature of the problem, a broader solution would be better, but this would have to be pursued at a later date, EASA said.

Inevitably, another of the measures involves retaining traditional navigation aids to ensure there is a conventional backup for GNSS navigation, while a third calls for guidance from aircraft manufacturers to airlines and other aircraft operators to ensure they know how to manage jamming and spoofing situations.

As a further measure, EASA said it will inform all relevant stakeholders, which includes airlines, air navigation service providers, airports and the air industry, about recorded incidents.

Interference with global navigation systems can take one of two forms: jamming requires nothing more than transmitting a radio signal strong enough to drown out those from GPS satellites, while spoofing is more insidious and involves transmitting fake signals that fool the receiver into calculating its position incorrectly.

According to EASA, jamming and spoofing incidents have increasingly threatened the integrity of location services across Eastern Europe and the Middle East in recent years.

[…]

Source: GPS interference now a major flight safety concern • The Register
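Spoofing works because a receiver trusts whatever signals it hears; the system consuming the resulting fixes can still sanity-check them. The Python below is an added example and not part of the EASA/IATA material. It goes slightly beyond the article by showing two checks a flight-monitoring or avionics-side system could run over a stream of GNSS positions: an implied-ground-speed test that catches the abrupt jump a crude spoof produces, and a divergence check against an independent position source (INS dead reckoning, DME/DME), which is what "retaining traditional navigation aids" buys you in practice. The track, the reference positions, the 1200 km/h ceiling and the 5 km tolerance are all constructed assumptions.

```python
"""Plausibility checks on a stream of GNSS fixes.

Added example, not EASA/IATA material. Two consumer-side checks:
(1) an implied-ground-speed test that catches an abrupt spoofed jump, and
(2) a cross-check against an independent position source (e.g. INS dead
reckoning or DME/DME), which also catches a slow 'drag' that (1) misses.
All fixes below are constructed; the thresholds are assumptions.
"""
import math

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def implied_speed_alerts(fixes, max_speed_kmh=1200.0):
    """Return [(index, implied_kmh)] for fixes implying an impossible ground speed.

    fixes: list of (t_seconds, lat, lon), time-ordered.
    max_speed_kmh: assumed ceiling for the airframe; tune per aircraft type.
    """
    alerts = []
    for i in range(1, len(fixes)):
        t0, lat0, lon0 = fixes[i - 1]
        t1, lat1, lon1 = fixes[i]
        dt_h = (t1 - t0) / 3600.0
        if dt_h <= 0:
            continue  # duplicate or out-of-order timestamp; not a speed question
        kmh = haversine_km(lat0, lon0, lat1, lon1) / dt_h
        if kmh > max_speed_kmh:
            alerts.append((i, round(kmh)))
    return alerts


def divergence_alerts(gnss_fixes, reference_fixes, tolerance_km=5.0):
    """Return indices where GNSS and an independent reference disagree by > tolerance_km."""
    alerts = []
    for i, ((_, glat, glon), (_, rlat, rlon)) in enumerate(zip(gnss_fixes, reference_fixes)):
        if haversine_km(glat, glon, rlat, rlon) > tolerance_km:
            alerts.append(i)
    return alerts


# Constructed track: ~830 km/h eastbound at 52N, 10 s between fixes.
# From fix 4 onward the receiver is 'spoofed' ~43 km to the north-east
# and then fed a self-consistent track, so only the jump is speed-implausible.
GNSS_FIXES = [
    (0, 52.0, 4.0000), (10, 52.0, 4.0336), (20, 52.0, 4.0672), (30, 52.0, 4.1008),
    (40, 52.3, 4.5000), (50, 52.3, 4.5336), (60, 52.3, 4.5672),
]
# Constructed reference (e.g. INS dead reckoning) continuing the true track.
REFERENCE_FIXES = [(10 * i, 52.0, round(4.0 + 0.0336 * i, 4)) for i in range(7)]

if __name__ == "__main__":
    print("speed alerts:", implied_speed_alerts(GNSS_FIXES))
    print("divergence:", divergence_alerts(GNSS_FIXES, REFERENCE_FIXES))
```

Note what each check misses. The speed test is blind to a spoofer that drags the position away slowly, and to one that is already active before the first fix; after the jump in the constructed track it stays silent because the spoofed positions are mutually consistent. The divergence check catches all three cases, which is why the backup source has to be genuinely independent of GNSS rather than GNSS-aided, and why a confidence score rather than a single threshold is the realistic implementation once real sensor noise enters.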

Design Secrets Of Fantastic, Hand-made Puzzle Boxes

[Kagen Sound] is a woodworker and artist who gives a great behind-the-scenes look at his amazingly high-quality puzzle boxes (video). Not only do his varied puzzle box designs show his math background, but they are all made entirely of wood. There are no nails or fasteners; just intricately-fitted wood and some glue.

There’s a lot of variety in his designs, and while it’s all fantastic from beginning to end, two things stood out to us as being of particular interest. One is the “Plus Box” which makes a clicking sound when the pieces are moved (at 2:47) thanks to a clever wooden spring. [Kagen] shows an example of the concept, where a flat wood piece with slots cut from the sides acts as a spring and clicks into notches when moved, providing audible and tactile feedback without anything other than wood.

The other is a patterned puzzle box (at 7:10) whose geometric designs change as the user moves the pieces. A reminder that [Kagen]’s devices are made entirely of wood and glue, so the design comes from two different types of wood assembled and cut at an angle to create the patterns seen. [Kagen] shaves thin layers of veneer from this block to attach to the puzzle pieces as needed to create the patterns without resorting to ink, paint, or decals.

[Kagen] has a math degree but is entirely self-taught as a woodworker, so don’t let lack of formal training stop you from experimenting. You can watch him give a tour of his work in the video, embedded below.

Feeling the urge to make your own puzzle boxes? Take a look at some we’ve seen over the years, and we even have a collection of single-line cryptex fonts to make laser-engraving puzzle bits a little easier.

Source: Design Secrets Of Fantastic, Hand-made Puzzle Boxes | Hackaday

Music causes similar emotions and bodily sensations across cultures

“Music that evoked different emotions, such as happiness, sadness or fear, caused different bodily sensations in our study. For example, happy and danceable music was felt in the arms and legs, while tender and sad music was felt in the chest area,” explains Academy Research Fellow Vesa Putkinen.

The emotions and bodily sensations evoked by music were similar across Western and Asian listeners. The bodily sensations were also linked with the music-induced emotions.

“Certain acoustic features of music were associated with similar emotions in both Western and Asian listeners. Music with a clear beat was found happy and danceable while dissonance in music was associated with aggressiveness. Since these sensations are similar across different cultures, music-induced emotions are likely independent of culture and learning and based on inherited biological mechanisms,” says Professor Lauri Nummenmaa.

“Music’s influence on the body is universal. People move to music in all cultures and synchronized postures, movements and vocalizations are a universal sign for affiliation

[…]

Source: Music causes similar emotions and bodily sensations across cultures | ScienceDaily

AI can better retain what it learns by mimicking human sleep

[…]

Concetto Spampinato and his colleagues at the University of Catania, Italy, were looking for ways to avoid a phenomenon known as “catastrophic forgetting”, where an AI model trained to do a new task loses the ability to carry out jobs it previously aced. For instance, a model trained to identify animals could learn to spot different fish species, but then it might inadvertently lose its proficiency at recognising birds.

They developed a new method of training AI called wake-sleep consolidated learning (WSCL), which mimics the way human brains reinforce new information. People shuffle short-term memories of experiences and lessons learned throughout the day into long-term memories while sleeping. The researchers say this method of learning can be applied to any existing AI.

Models using WSCL are trained as usual on a set of data for the “awake” phase. But they are also programmed to have periods of “sleeping”, where they parse through a sample of awake data, as well as a highlight reel from previous lessons.

Take an animal identification model more recently trained on images of marine life: during a sleep period, it would be shown snapshots of fishes, but also a smattering of birds, lions and elephants from older lessons. Spampinato says this is akin to humans mulling over new and old memories while sleeping, spotting connections and patterns and integrating them into our minds. The new data teaches the AI a fresh ability, while the remainder of the old data prevents the recently acquired skill from pushing out existing ones.

Crucially, WSCL also has a period of “dreaming”, when it consumes entirely novel data made from mashing together previous concepts. For instance, the animal model might be fed abstract images showing combinations of giraffes crossed with fish, or lions crossed with elephants. Spampinato says this phase helps to merge previous paths of digital “neurons”, freeing up space for other concepts in the future. It also primes unused neurons with patterns that will help them pick up new lessons more easily.

[…]

Spampinato tested three existing AI models using a traditional training method, followed by WSCL training. Then he and his team compared the performances using three standard benchmarks for image identification. The researchers found their newly developed technique led to a significant accuracy boost – the sleep-trained models were 2 to 12 per cent more likely to correctly identify the contents of an image. They also measured an increase in the WSCL systems’ “forward transfer”, a metric indicating how much old knowledge a model uses to learn a new task. The research indicated AI trained with the sleep method remembered old tasks better than the traditionally trained systems.

[…]

Source: AI can better retain what it learns by mimicking human sleep | New Scientist