Author name: Paul Patrick


Windows version of the venerable Linux “sudo” command shows up in preview build

sudo start your photocopiers —

Feature is experimental and, at least currently, not actually functional.

Not now, but maybe soon?


Andrew Cunningham

Microsoft opened its arms to Linux during the Windows 10 era, inventing an entire virtualized subsystem to allow users and developers to access a real-deal Linux command line without leaving the Windows environment. Now, it looks like Microsoft may embrace yet another Linux feature: the sudo command.

Short for “superuser do” or “substitute user do” and immortalized in nerd-leaning pop culture by an early xkcd comic, sudo is most commonly used at the command line when the user needs administrator access to the system—usually to install or update software, or to make changes to system files. Users who aren’t in the sudo user group on a given system can’t run the command, protecting the rest of the files on the system from being accessed or changed.

In a post on X, formerly Twitter, user @thebookisclosed found settings for a Sudo command in a preview version of Windows 11 that was posted to the experimental Canary channel in late January. WindowsLatest experimented with the setting in a build of Windows Server 2025, which currently requires Developer Mode to be enabled in the Settings app. There’s a toggle to turn the sudo command on and off and a separate drop-down to tweak how the command behaves when you use it, though as of this writing the command itself doesn’t actually work yet.

The sudo command is also part of the Windows Subsystem for Linux (WSL), but that version of the sudo command only covers Linux software. This one seems likely to run native Windows commands, though obviously we won’t know exactly how it works before it’s enabled and fully functional. Currently, users who want a sudo-like command in Windows need to rely on third-party software like gsudo to accomplish the task.

The benefit of the sudo command for Windows users—whether they’re using Windows Server or otherwise—would be the ability to elevate the privilege level without having to open an entirely separate command prompt or Windows Terminal window. According to the options available in the preview build, commands run with sudo could be opened up in a new window automatically, or they could happen inline, but you’d never need to do the “right-click, run-as-administrator” dance again if you didn’t want to.

Microsoft regularly tests new Windows features that don’t make it into the generally released public versions of the operating system. This feature could also remain exclusive to Windows Server without making it into the consumer version of Windows. But given the command’s presence in Linux and macOS, it will be a nice quality-of-life improvement for Windows users who spend lots of time staring at the command prompt.

Microsoft is borrowing a longstanding Linux feature here, but that road goes both ways—a recent update to the Linux systemd software added a Windows-inspired “blue screen of death” designed to give users more information about crashes when they happen.


Microsoft in deal with Semafor to create news stories with aid of AI chatbot

a meeting-deadline helper —

Collaboration comes as tech giant faces multibillion-dollar lawsuit from The New York Times.

Cube with Microsoft logo on top of their office building on 8th Avenue and 42nd Street near Times Square in New York City.


Microsoft is working with media startup Semafor to use its artificial intelligence chatbot to help develop news stories—part of a journalistic outreach that comes as the tech giant faces a multibillion-dollar lawsuit from the New York Times.

As part of the agreement, Microsoft is paying an undisclosed sum of money to Semafor to sponsor a breaking news feed called “Signals.” The companies would not share financial details, but the amount of money is “substantial” to Semafor’s business, said a person familiar with the matter.

Signals will offer a feed of breaking news and analysis on big stories, with about a dozen posts a day. The goal is to offer different points of view from across the globe—a key focus for Semafor since its launch in 2022.

Semafor co-founder Ben Smith emphasized that Signals will be written entirely by journalists, with artificial intelligence providing a research tool to inform posts.

Microsoft on Monday was also set to announce collaborations with journalist organizations including the Craig Newmark School of Journalism, the Online News Association, and the GroundTruth Project.

The partnerships come as media companies have become increasingly concerned over generative AI and its potential threat to their businesses. News publishers are grappling with how to use AI to improve their work and stay ahead of technology, while also fearing that they could lose traffic, and therefore revenue, to AI chatbots—which can churn out humanlike text and information in seconds.

The New York Times in December filed a lawsuit against Microsoft and OpenAI, alleging the tech companies have taken a “free ride” on millions of its articles to build their artificial intelligence chatbots, and seeking billions of dollars in damages.

Gina Chua, Semafor’s executive editor, has been involved in developing Semafor’s AI research tools, which are powered by ChatGPT and Microsoft’s Bing.

“Journalism has always used technology whether it’s carrier pigeons, the telegraph or anything else . . . this represents a real opportunity, a set of tools that are really a quantum leap above many of the other tools that have come along,” Chua said.

For a breaking news event, Semafor journalists will use AI tools to quickly search for reporting and commentary from other news sources across the globe in multiple languages. A Signals post might include perspectives from Chinese, Indian, or Russian media, for example, with Semafor’s reporters summarizing and contextualizing the different points of view, while citing its sources.

Noreen Gillespie, a former Associated Press journalist, joined Microsoft three months ago to forge relationships with news companies. “Journalists need to adopt these tools in order to survive and thrive for another generation,” she said.

Semafor was founded by Ben Smith, the former BuzzFeed editor, and Justin Smith, the former chief executive of Bloomberg Media.

Semafor, which is free to read, is funded by wealthy individuals, including 3G capital founder Jorge Paulo Lemann and KKR co-founder Henry Kravis. The company made more than $10 million in revenue in 2023 and has more than 500,000 subscriptions to its free newsletters. Justin Smith said Semafor was “very close to a profit” in the fourth quarter of 2023.

“What we’re trying to go after is this really weird space of breaking news on the Internet now, in which you have these really splintered, fragmented, rushed efforts to get the first sentence of a story out for search engines . . . and then never really make any effort to provide context,” Ben Smith said.

“We’re trying to go the other way. Here are the confirmed facts. Here are three or four pieces of really sophisticated, meaningful analysis.”

© 2024 The Financial Times Ltd. All rights reserved. Please do not copy and paste FT articles and redistribute by email or post to the web.


Facebook rules allowing fake Biden “pedophile” video deemed “incoherent”

Not to be misled —

Meta may revise AI policies that experts say overlook “more misleading” content.


A fake video manipulated to falsely depict President Joe Biden inappropriately touching his granddaughter has revealed flaws in Facebook’s “deepfake” policies, Meta’s Oversight Board concluded Monday.

Last year when the Biden video went viral, Facebook repeatedly ruled that it did not violate policies on hate speech, manipulated media, or bullying and harassment. Since the Biden video is not AI-generated content and does not manipulate the president’s speech—making him appear to say things he’s never said—the video was deemed OK to remain on the platform. Meta also noted that the video was “unlikely to mislead” the “average viewer.”

“The video does not depict President Biden saying something he did not say, and the video is not the product of artificial intelligence or machine learning in a way that merges, combines, replaces, or superimposes content onto the video (the video was merely edited to remove certain portions),” Meta’s blog said.

The Oversight Board—an independent panel of experts—reviewed the case and ultimately upheld Meta’s decision despite being “skeptical” that current policies work to reduce harms.

“The board sees little sense in the choice to limit the Manipulated Media policy to cover only people saying things they did not say, while excluding content showing people doing things they did not do,” the board said, noting that Meta claimed this distinction was made because “videos involving speech were considered the most misleading and easiest to reliably detect.”

The board called upon Meta to revise its “incoherent” policies that it said appear to be more concerned with regulating how content is created, rather than with preventing harms. For example, the Biden video’s caption described the president as a “sick pedophile” and called out anyone who would vote for him as “mentally unwell,” which could affect “electoral processes” that Meta could choose to protect, the board suggested.

“Meta should reconsider this policy quickly, given the number of elections in 2024,” the Oversight Board said.

One problem, the Oversight Board suggested, is that in its rush to combat AI technologies that make generating deepfakes a fast, cheap, and easy business, Meta policies currently overlook less technical ways of manipulating content.

Instead of using AI, the Biden video relied on basic video-editing technology to edit out the president placing an “I Voted” sticker on his adult granddaughter’s chest. The crude edit looped a 7-second clip altered to make the president appear to be, as Meta described in its blog, “inappropriately touching a young woman’s chest and kissing her on the cheek.”

Meta making this distinction is confusing, the board said, partly because videos altered using non-AI technologies are not considered less misleading or less prevalent on Facebook.

The board recommended that Meta update policies to cover not just AI-generated videos, but other forms of manipulated media, including all forms of manipulated video and audio. Audio fakes currently not covered in the policy, the board warned, offer fewer cues to alert listeners to the inauthenticity of recordings and may even be considered “more misleading than video content.”

Notably, earlier this year, a fake Biden robocall attempted to mislead Democratic voters in New Hampshire by encouraging them not to vote. The Federal Communications Commission promptly responded by declaring AI-generated robocalls illegal, but the Federal Election Commission was not able to act as swiftly to regulate AI-generated misleading campaign ads easily spread on social media, AP reported. In a statement, Oversight Board Co-Chair Michael McConnell said that manipulated audio is “one of the most potent forms of electoral disinformation.”

To better combat known harms, the board suggested that Meta revise its Manipulated Media policy to “clearly specify the harms it is seeking to prevent.”

Rather than pushing Meta to remove more content, however, the board urged Meta to use “less restrictive” methods of coping with fake content, such as relying on fact-checkers applying labels noting that content is “significantly altered.” In public comments, some Facebook users agreed that labels would be most effective. Others urged Meta to “start cracking down” and remove all fake videos, with one suggesting that removing the Biden video should have been a “deeply easy call.” Another commenter suggested that the Biden video should be considered acceptable speech, as harmless as a funny meme.

While the board wants Meta to also expand its policies to cover all forms of manipulated audio and video, it cautioned that including manipulated photos in the policy could “significantly expand” the policy’s scope and make it harder to enforce.

“If Meta sought to label videos, audio, and photographs but only captured a small portion, this could create a false impression that non-labeled content is inherently trustworthy,” the board warned.

Meta should therefore stop short of adding manipulated images to the policy, the board said. Instead, Meta should conduct research into the effects of manipulated photos and then consider updates when the company is prepared to enforce a ban on manipulated photos at scale, the board recommended. In the meantime, Meta should move quickly to update policies ahead of a busy election year where experts and politicians globally are bracing for waves of misinformation online.

“The volume of misleading content is rising, and the quality of tools to create it is rapidly increasing,” McConnell said. “Platforms must keep pace with these changes, especially in light of global elections during which certain actors seek to mislead the public.”

Meta’s spokesperson told Ars that Meta is “reviewing the Oversight Board’s guidance and will respond publicly to their recommendations within 60 days.”


New E. coli strain will accelerate evolution of the genes of your choice

Making mutants —

Strain eliminates the trade-offs of a high mutation rate.


Genetic mutations are essential for innovation and evolution, yet too many—or the wrong ones—can be fatal. So researchers at Cambridge established a synthetic “orthogonal” DNA replication system in E. coli that they can use as a risk-free way to generate and study such mutations. It is orthogonal because it is completely separate from the system that E. coli uses to copy its actual genome, which contains the genes E. coli needs to survive.

The genes in the orthogonal system are copied with an extraordinarily error-prone DNA replication enzyme, which spurs rapid evolution by generating many random mutations. This goes on while E. coli’s genes are replicated by its normal high-fidelity DNA copying enzyme. The two enzymes work alongside each other, each doing their own thing but not interfering with the other’s genes.

Engineering rapid mutation

Such a cool idea, right? The scientists stole it from nature. Yeast already has a system like this, with a set of genes copied by a dedicated enzyme that doesn’t replicate the rest of the genome. But E. coli is much easier to work with than yeast, and its population can double in 20 minutes, so you can get a lot of rounds of replication and evolution done fast.

The researchers generated the system by pillaging a phage—a virus that infects E. coli. They took out all of the phage genes that allow the phage to grow uncontrollably until it bursts the E. coli cell it infected open. The engineering left only a cassette containing the genes responsible for copying the phage genome. Once this cassette was inserted into the E. coli genome, it could simultaneously replicate at least three different strings of genes placed next to it in the DNA, maintaining them for over a hundred generations—all while leaving the rest of the E. coli genome to be copied by other enzymes.

The scientists then tweaked the mutation rate of the orthogonal DNA-replicating enzyme, eventually enhancing it 1,000-fold. To test if the system could be used to evolve new functions, they inserted a gene for resistance to one antibiotic and saw how long it took for that gene to mutate into one conferring resistance to a different antibiotic. Within twelve days, they got 150 times more resistance to the new antibiotic. They also inserted the gene encoding green fluorescent protein and increased its fluorescence over 1,000-fold in five days.

Evolving detoxification

Not 20 pages later, in the same issue of Science, Frances Arnold’s lab has a paper that provides evidence of how powerful this approach could be. This team directed the evolution of an enzyme the old-fashioned way: through sequential rounds of random mutagenesis and selection for the desired trait. Arnold won The Nobel Prize in Chemistry 2018 for the directed evolution of enzymes, so she knows what she’s about. In this recent work, her lab generated an enzyme that can biodegrade volatile methyl siloxanes. We make megatons of these compounds every year to stick in cleaning products, shampoos and lotions, and industrial products, but they linger in the environment. They contain carbon-silicon bonds, which were never a thing until humans made them about 80 years ago; since nature never made these bonds, there is no natural way to break them, either.

“Directed evolution with siloxane was particularly challenging,” the authors note in their introduction, for various technical reasons. “We started from an enzyme we had previously engineered for other chemistry on siloxanes—that enzyme, unlike the natural enzyme, showed a tiny bit of activity for siloxane Si-C bond cleavage. The overall project, however, from initial discovery to figuring out how to measure what we wanted, took several years,” Arnold said. And it is only the first step in possibly rendering siloxanes biodegradable. The accelerated continuous evolution that the new orthogonal system allows will hopefully greatly facilitate the development of enzymes and other proteins like this that will have applications in research, medicine, and industry.

We do not (yet) have machines that can efficiently assemble long stretches of DNA or make proteins. But cells do these things extremely efficiently, and E. coli cells have long been the ones used in the lab as little factories, churning out whatever genes or proteins researchers program into them. Now E. coli can be used for one more molecular task—they can be little hotbeds of evolution.

Science, 2024. DOI: 10.1126/science.adi5554, 10.1126/science.adk1281


Andretti Cadillac didn’t snub Formula 1—F1’s email went to spam folder

go on, let them in —

Formula 1 emailed the prospective team but never followed up when it got no reply.

Don’t you hate it when an important email ends up here?

Getty Images

Last week, Formula 1 formally rejected a bid by Andretti Cadillac to join the sport as an 11th team and constructor. Among the details in a lengthy justification of its decision, Formula 1 wrote that on December 12, it invited the Andretti team to an in-person meeting, “but the Applicant did not take us up on this offer.” Now, it turns out that the Andretti team never saw the email, which instead got caught by a spam filter.

Not even a follow-up?

“We were not aware that the offer of a meeting had been extended and would not decline a meeting with Formula One Management,” the team said in a statement. “An in-person meeting to discuss commercial matters would be and remains of paramount importance to Andretti Cadillac. We welcome the opportunity to meet with Formula One Management and have written to them confirming our interest.”

F1 apparently never followed up with a phone call or even subsequent email during the six weeks between that initial invitation and its announcement at the end of January. Had the two parties gotten together, it’s likely that Andretti could have cleared up some other things for F1 as well.

You just assumed 2025

As F1 noted in its justification, Formula 1 is about to go through a significant rule change in 2026. The cars will be a little narrower and lighter, and the expensive, complicated hybrid system that recovers waste heat energy (known as the MGU-H) is going away—to compensate, the hybrid system that recovers energy under braking (the MGU-K) will get far more powerful.

Designing a car to enter the 2025 season and then a completely different car to a new set of rules in 2026 would be quite the challenge. No one appears to have understood this more than Andretti, which has instead been concentrating on designing a car to those 2026 rules.

Having realized some time ago that the entire process—which began in February 2023—had dragged on so long that it would be virtually impossible to field an entry for next year, the team said it had “been operating with 2026 as the year of entry for many months now. The technicality of 2025 still being part of the application is a result of the length of this process.”

Hey, I know you!

That in-person meeting would also have allowed F1’s management to say hello to some old faces it knows well; Andretti’s chief designer John McQuilliam, head of aerodynamics Jon Tomlinson, and technical director Nick Chester have all worked under F1 technical director Pat Symonds in the past.

As many have pointed out, F1’s claim that any new team has to be competitive and able to challenge for wins doesn’t hold much water, particularly since a single team took home all but one winner’s trophy last season. But it also remains clear that F1 really doesn’t want to add an 11th team to its roster, despite how advantageous a new American team could be as the sport attempts to grow its presence here in the US.

The entry process was not opened by F1 but by the FIA (Fédération Internationale de l’Automobile), which writes the rulebook and used to have sole jurisdiction over this kind of thing until the European Union’s antitrust action forced the FIA to give up its commercial interest in the sport in 1999. At first, the commercial rights were owned by Bernie Ecclestone, then the private equity group CVC Capital Partners, and since 2018, Liberty Media. Under the current agreement between the FIA, F1, and the teams, F1 has a veto on any new addition to the sport, even if—as is the case with Andretti Cadillac—an entrant passes the FIA’s due diligence.

Now that the communications breakdown has been revealed, perhaps Andretti and F1 can get back together and have a more civilized discussion about an entry in 2026.


Someone finally cracked the “Silk Dress cryptogram” after 10 years

“Paul Ramify loamy event false new event” was one of the lines written on two sheets of paper found in a hidden pocket.

Sara Rivers Cofield

In December 2013, a curator and archaeologist purchased an antique silk dress with an unusual feature: a hidden pocket that held two sheets of paper with mysterious coded text written on them. People have been trying to crack the code ever since, and someone finally succeeded: University of Manitoba data analyst Wayne Chan. He discovered that the text is actually coded telegraph messages describing the weather used by the US Army and (later) the weather bureau. Chan outlined all the details of his decryption in a paper published in the journal Cryptologia.

“When I first thought I cracked it, I did feel really excited,” Chan told the New York Times. “It is probably one of the most complex telegraphic codes that I’ve ever seen.”

Sara Rivers-Cofield purchased the bronze-colored silk bustle dress with striped rust velvet accents for $100 at an antique shop in Maine, noting on her blog that it was in a style that was fashionable in the mid-1880s among middle-class or well-off women. There wasn’t any fitted boning in the bodice, so the dress was meant to be worn with a corset. It had a draped skirt and bustle with metal buttons decorated with an “Ophelia motif.” While the dress had been machine-stitched, the original buttons had been sewn by hand. A tag with the name “Bennett” was sewn into the bodice.

Sara Rivers-Cofield purchased the dress at an antique shop in Maine.


Sara Rivers Cofield

Rivers-Cofield also noted the ingenious structure of the bustle, which used built-in channels for flexible wires to achieve just the right amount of puff, combined with strategic tacking to keep “the bustle bunched in all the right places.” One bustle pin was still in place, and Rivers-Cofield thought it was used to pull up a layer of the overskirt to expose a bit of the hem ruffle “for a little peek-a-boo with onlookers.” Such pins often show up during excavations of 19th century sites, so she was delighted to find one in situ. “There is one Baltimore laundry site in particular where drainage pipes were found absolutely clogged with pins, buttons, and other clothing attachments—as if launderers put the clothes through a rough washing process … even if removable pins were still on them,” she wrote.

But an even more intriguing discovery awaited. When Rivers-Cofield turned the dress inside-out, she found a small hidden pocket. Many women’s dresses of the era had pockets, but this one would only be accessible by hiking up the overskirt. She puzzled over why anyone would make a pocket so inaccessible and thought it might have been used to smuggle messages. Hidden inside, she found two sheets of wadded-up translucent paper measuring about 7.5 inches by 11 inches. The text on each sheet consisted of 12 lines of recognizable common English words—except they made no sense. “Bismark omit leafage buck bank”? “Paul Ramify loamy event false new event”?

No wonder Rivers-Cofield’s blogged reaction was a simple “What the—?”  She thought it might be some kind of list or a writing exercise and posted all the details on her blog, hoping that “there’s some decoding prodigy out there looking for a project.” It became known as the “Silk Dress cryptogram.” German cryptoblogger Klaus Schmeh noted in 2017 that he considered it to be among the top 50 such coded messages yet unsolved.

Hidden pocket of dress.


Sara Rivers Cofield

Schmeh first wrote about the Silk Dress cryptogram in 2014 and invited readers to weigh in. By 2017, he had concluded that the text was probably a telegram—possibly several telegrams—and that the words were chosen from an 1880s code book. There was a numeral at the start of most lines that seemed to indicate the number of words, and each sheet had what appeared to be the time of day written at the top.

Chan started working on the code in the summer of 2018 but didn’t initially make much progress and abandoned the project a few months later. He picked up the challenge again toward the end of 2022 and thought it might be a telegraphic code. With the invention of the telegraph, “For the first time in history, observations from distant locations could be rapidly disseminated, collated, and analyzed to provide a synopsis of the state of weather across an entire nation,” Chan wrote in his paper. But it was expensive to send telegrams since companies charged by the word, so codes were developed to condense as much information into as few words as possible.


YouTube TV starts testing customizable 2×2 multiview options

Just in time for football to end —

YouTube TV has been promising customizable multiview for 10 months.

For the NBA YouTube launched “Multiview,” which is coming to Sunday Ticket. It’s four games in a split screen.

YouTube

YouTube TV may finally get a configurable split-screen mode. Google’s cable TV replacement service launched a 2×2 “multiview” feature in 2023, but it relied on pre-made choices cooked up by some person (or maybe AI) inside Google. It’s 10 months later, and now some users on Reddit are seeing a “Build a multiview” option that would let you pick which four channels you want to watch. Cord Cutters News got confirmation from Google that the feature is now being tested.

The current multiview is a fun way to stay on top of multiple games, but getting the games you want is an awkward experience. I’ve been watching NFL Sunday Ticket through YouTube TV this year, and there will be times when there are nine games on simultaneously, and you get only a handful of pre-made multiview options to sift through. Is your desired combination of four games in one of those multiview options? You’d better hope so! The canned combinations only get more awkward as the day goes on: one game ends early, and the station cuts to coverage of another game, and now two of your four windows have duplicate games. If an early game runs long and you want to watch the end next to an already-started late game, that was never an option either. The canned options were always four NFL games, too. If you wanted to watch the NFL and some non-NFL content, you were out of luck. You were easily looking at hundreds of multiview possibilities, so canned selections don’t scale well at all.

The Reddit user claims to have access to the feature and says that, during NBA games, the feature is limited to only selecting other NBA games, but at least that is better than scrolling through random pre-made combinations.

YouTube told Cord Cutters News that the feature would roll out to all devices that currently support multiview, but YouTube did not say when that would happen. YouTube has been promising customizable multiview since the feature launched last March. It also promised mixing and matching content types back in June, but that feature hasn’t widely launched, either. Testing is a good sign, at least.

The calls for customizable multiview have been so loud that the feature request once made it into a Deadline interview with YouTube Chief Business Officer Mary Ellen Coe. Without explaining too much, Coe called the feature “a very hard thing to do technically.”


Ars Technica used in malware campaign with never-before-seen obfuscation

WHEN USERS ATTACK —

Vimeo also used by legitimate user who posted booby-trapped content.


Getty Images

Ars Technica was recently used to serve second-stage malware in a campaign that used a never-before-seen attack chain to cleverly cover its tracks, researchers from security firm Mandiant reported Tuesday.

A benign image of a pizza was uploaded to a third-party website and was then linked with a URL pasted into the “about” page of a registered Ars user. Buried in that URL was a string of characters that appeared to be random—but were actually a payload. The campaign also targeted the video-sharing site Vimeo, where a benign video was uploaded and a malicious string was included in the video description. The string was generated using a technique known as Base64 encoding, which represents binary data as a string of printable ASCII characters. Devices already infected with the first-stage malware used in the campaign automatically retrieved these strings and installed the second stage.

Not typically seen

“This is a different and novel way we’re seeing abuse that can be pretty hard to detect,” Mandiant researcher Yash Gupta said in an interview. “This is something in malware we have not typically seen. It’s pretty interesting for us and something we wanted to call out.”

The image posted on Ars appeared in the about profile of a user who created an account on November 23. An Ars representative said the photo, showing a pizza and captioned “I love pizza,” was removed by Ars staff on December 16 after being tipped off by email from an unknown party. The Ars profile used an embedded URL that pointed to the image, which was automatically populated into the about page. The malicious base 64 encoding appeared immediately following the legitimate part of the URL. The string didn’t generate any errors or prevent the page from loading.

Pizza image posted by user.

Malicious string in URL.

Mandiant researchers said there were no consequences for people who may have viewed the image, either as displayed on the Ars page or on the website that hosted it. It’s also not clear that any Ars users visited the about page.

Devices that were infected by the first stage automatically accessed the malicious string at the end of the URL. From there, they were infected with a second stage.

The video on Vimeo worked similarly, except that the string was included in the video description.

Ars representatives had nothing further to add. Vimeo representatives didn’t immediately respond to an email.

The campaign came from a threat actor Mandiant tracks as UNC4990, which has been active since at least 2020 and bears the hallmarks of being motivated by financial gain. The group has already used a separate novel technique to fly under the radar. That technique spread the second stage using a text file that browsers and normal text editors showed to be blank.

Opening the same file in a hex editor—a tool for analyzing and forensically investigating binary files—showed that a combination of tabs, spaces, and new lines were arranged in a way that encoded executable code. Like the technique involving Ars and Vimeo, the use of such a file is something the Mandiant researchers had never seen before. Previously, UNC4990 used GitHub and GitLab.
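Both hiding places described above, a Base 64 string tacked onto an otherwise valid image URL and a "blank" text file made only of whitespace, can be screened for by a site operator or analyst. The Python sketch below is an added example, not code from Mandiant or Ars; it assumes the encoded string follows the image extension directly or after a separator and decodes to mostly printable text, and every URL and byte string in it is constructed.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Assumption: the encoded run sits after an image extension in the path, query or fragment.
MEDIA_EXT = re.compile(r"\.(?:jpe?g|png|gif|webp)", re.IGNORECASE)
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{24,}")
WHITESPACE = frozenset(b" \t\r\n")

# Constructed sample: harmless text, encoded here so no hand-typed blob is needed.
SAMPLE_B64 = base64.b64encode(b"constructed sample, not a real payload").decode()


def _mostly_printable(data, threshold=0.9):
    """Heuristic: deliberately encoded text decodes to printable ASCII; hashes do not."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / len(data) >= threshold


def trailing_base64(url):
    """Return text decoded from a Base 64 run that follows a media extension, else None."""
    parts = urlsplit(url)
    rest = parts.path
    if parts.query:
        rest += "?" + parts.query
    if parts.fragment:
        rest += "#" + parts.fragment
    matches = list(MEDIA_EXT.finditer(rest))
    if not matches:
        return None
    tail = rest[matches[-1].end():]
    for run in B64_RUN.finditer(tail):
        raw = run.group(0)
        # A leading "/" may be a path separator rather than data, so try both readings.
        for candidate in (raw, raw.lstrip("/")):
            token = candidate.replace("-", "+").replace("_", "/")
            token += "=" * (-len(token) % 4)  # restore any stripped padding
            try:
                decoded = base64.b64decode(token, validate=True)
            except (binascii.Error, ValueError):
                continue
            if decoded and _mostly_printable(decoded):
                return decoded.decode("ascii", errors="replace")
    return None


def whitespace_only(data, min_size=64):
    """Return character counts for a sizeable file made purely of mixed whitespace."""
    if len(data) < min_size or len(set(data)) < 2:
        return None
    if not WHITESPACE.issuperset(data):
        return None
    return {
        "space": data.count(b" "),
        "tab": data.count(b"\t"),
        "newline": data.count(b"\n") + data.count(b"\r"),
    }


if __name__ == "__main__":
    # Constructed URLs for a profile-field review queue.
    for url in (
        "https://img.example/uploads/pizza.jpg",
        "https://img.example/uploads/pizza.jpg?v=" + "20240130" * 4,
        "https://img.example/uploads/pizza.jpg" + SAMPLE_B64,
    ):
        print(url[:60], "->", trailing_base64(url))
    print(whitespace_only(b" \t\t \n" * 40))
```

The printable-text test keeps long numeric or hash-style cache-busters from being flagged, at the cost of missing a run whose decoded bytes are themselves encrypted or compressed.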

The initial stage of the malware was transmitted by infected USB drives. The drives installed a payload Mandiant has dubbed explorerps1. Infected devices then automatically reached out to either the malicious text file or else to the URL posted on Ars or the video posted to Vimeo. The base 64 strings in the image URL or video description, in turn, caused the malware to contact a site hosting the second stage. The second stage of the malware, tracked as Emptyspace, continuously polled a command-and-control server that, when instructed, would download and execute a third stage.

Mandiant has observed the installation of this third stage in only one case. This malware acts as a backdoor the researchers track as Quietboard. The backdoor, in that case, went on to install a cryptocurrency miner.

Anyone who is concerned they may have been infected by any of the malware covered by Mandiant can check the indicators of compromise section in Tuesday’s post.


Lawsuit: Citibank refused to reimburse scam victims who lost “life savings”

Online banking fraud —

Citibank’s poor security helped scammers steal millions, NY AG’s lawsuit says.

The Citibank logo on a bank in New York City in January 2024.

Citibank has illegally refused to reimburse scam victims who lost money due partly to Citibank’s poor online security practices, New York Attorney General Letitia James alleged in a lawsuit filed today in US District Court for the Southern District of New York.

“The lawsuit alleges that Citi does not implement strong online protections to stop unauthorized account takeovers, misleads account holders about their rights after their accounts are hacked and funds are stolen, and illegally denies reimbursement to victims of fraud,” James’ office said in a press release.

The AG’s office alleged that Citi customers “have lost their life savings, their children’s college funds, or even money needed to support their day-to-day lives as a result of Citi’s illegal and deceptive acts and practices.”

“Defendant Citi has not deployed sufficiently robust data security measures to protect consumer financial accounts, respond appropriately to red flags, or limit theft by scam,” the lawsuit said. “Instead, Citi has overpromised and underdelivered on security, reacted ineffectively to fraud alerts, misled consumers, and summarily denied their claims. Citi’s illegal and deceptive practices have cost New Yorkers millions.”

Citi approved large wire transfers

Describing the case of a New York woman who lost $35,000 to a scammer in July 2022, the AG’s press release stated:

She was reviewing her online account and found a message that her account had been suspended and was instructed to call a phone number. She called the number provided and a scammer told her that he would send her Citi codes to verify recent suspicious activity. The scammer then transferred all of the money in the customer’s three savings accounts into her checking account, changed her online passwords, and attempted a $35,000 wire transfer.

Citi attempted to verify the wire transfer by calling the customer, but she was working and did not see the call at the time. Less than an hour later, the scammer attempted another $35,000 wire transfer, which Citi approved without ever having made direct contact with the customer. She lost nearly everything she had saved, and Citi refused to reimburse her.

In an October 2021 incident, a customer clicked a link in a scammer’s message “but did not provide additional information” and then “called her local branch to report the suspicious activity but was told not to worry about it,” the AG’s office said.

“Three days later, the customer discovered that a scammer changed her banking password, enrolled in online wire transfers, transferred $70,000 from her savings to her checking account, and then electronically executed a $40,000 wire transfer, none of which was consistent with her past account activity,” the AG’s office said. “For weeks, the customer continued to contact the bank and submit affidavits, but in the end, she was told that her claim for fraud was denied.”

Citi: No refunds when people “follow criminals’ instructions”

Citi defended its security and refund practices in a statement provided to Ars.

“Citi closely follows all laws and regulations related to wire transfers and works extremely hard to prevent threats from affecting our clients and to assist them in recovering losses when possible. Banks are not required to make clients whole when those clients follow criminals’ instructions and banks can see no indication the clients are being deceived,” the company said.

Citi acknowledged that there has been an “industry-wide surge in wire fraud during the last several years,” and said it has “taken proactive steps to safeguard our clients’ accounts with leading security protocols, intuitive fraud prevention tools, clear insights about the latest scams, and driving client awareness and education. Our actions have reduced client wire fraud losses significantly, and we remain committed to investing in fraud prevention measures to help our clients secure their accounts against emerging threats.”

James’ lawsuit argues that Citibank must provide reimbursement under the Electronic Fund Transfer Act (EFTA), a US law passed in 1978. “As with credit cards, so long as consumers promptly alert banks to unauthorized activity, the EFTA limits losses and requires reimbursement of stolen funds. These consumer protections cannot be waived or modified by contract… Under the EFTA, Citi’s electronic debits of consumers’ accounts are unauthorized and Citi must reimburse all debited amounts,” the lawsuit said.

The lawsuit seeks a permanent injunction against Citibank, an accounting of customer losses over the last six years, payment of restitution and damages to harmed consumers, and civil penalties.


Rhyming AI-powered clock sometimes lies about the time, makes up words

Confabulation time —

Poem/1 Kickstarter seeks $103K for fun ChatGPT-fed clock that may hallucinate the time.

A CAD render of the Poem/1 sitting on a bookshelf.

On Tuesday, product developer Matt Webb launched a Kickstarter funding project for a whimsical e-paper clock called the “Poem/1” that tells the current time using AI and rhyming poetry. It’s powered by the ChatGPT API, and Webb says that sometimes ChatGPT will lie about the time or make up words to make the rhymes work.

“Hey so I made a clock. It tells the time with a brand new poem every minute, composed by ChatGPT. It’s sometimes profound, and sometimes weird, and occasionally it fibs about what the actual time is to make a rhyme work,” Webb writes on his Kickstarter page.

The $126 clock is the product of Webb’s Acts Not Facts, which he bills as “.” Despite the net-connected service aspect of the clock, Webb says it will not require a subscription to function.

A labeled CAD rendering of the Poem/1 clock, representing its final shipping configuration.

There are 1,440 minutes in a day, so Poem/1 needs to display 1,440 unique poems to work. The clock features a monochrome e-paper screen and pulls its poetry rhymes via Wi-Fi from a central server run by Webb’s company. To save money, that server pulls poems from ChatGPT’s API and will share them out to many Poem/1 clocks at once. This prevents costly API fees that would add up if your clock were querying OpenAI’s servers 1,440 times a day, non-stop, forever. “I’m reserving a % of the retail price from each clock in a bank account to cover AI and server costs for 5 years,” Webb writes.

For hackers, Webb says that you’ll be able to change the back-end server URL of the Poem/1 from the default to whatever you want, so it can display custom text every minute of the day. Webb says he will document and publish the API when Poem/1 ships.

Hallucination time

A photo of a Poem/1 prototype with a hallucinated time, according to Webb.

Given the Poem/1’s large language model pedigree, it’s perhaps not surprising that Poem/1 may sometimes make up things (also called “hallucination” or “confabulation” in the AI field) to fulfill its task. The LLM that powers ChatGPT is always searching for the most likely next word in a sequence, and sometimes factuality comes second to fulfilling that mission.

Further down on the Kickstarter page, Webb provides a photo of his prototype Poem/1 where the screen reads, “As the clock strikes eleven forty two, / I rhyme the time, as I always do.” Just below, Webb warns, “Poem/1 fibs occasionally. I don’t believe it was actually 11.42 when this photo was taken. The AI hallucinated the time in order to make the poem work. What we do for art…”

In other clocks, the tendency to unreliably tell the time might be a fatal flaw. But judging by his humorous angle on the Kickstarter page, Webb apparently sees the clock as more of a fun art project than a precision timekeeping instrument. “Don’t rely on this clock in situations where timekeeping is vital,” Webb writes, “such as if you work in air traffic control or rocket launches or the finish line of athletics competitions.”

Poem/1 also sometimes takes poetic license with vocabulary to tell the time. During a humorous moment in the Kickstarter promotional video, Webb looks at his clock prototype and reads the rhyme, “A clock that defies all rhyme and reason / 4:30 PM, a temporal teason.” Then he says, “I had to look ‘teason’ up. It doesn’t mean anything, so it’s a made-up word.”


Raspberry Pi is planning a London IPO, but its CEO expects “no change” in focus

Just enough RAM to move markets —

Eben Upton says hobbyists remain “incredibly important” while he’s involved.

Updated

Raspberry Pi 5 with Active Cooler installed on a wood desktop

Is it not a strange fate that we should suffer so much fear and doubt for so small a thing? So small a thing!

Andrew Cunningham

The business arm of Raspberry Pi is preparing to make an initial public offering (IPO) in London. CEO Eben Upton tells Ars that should the IPO happen, it will let Raspberry Pi’s not-for-profit side expand by “at least a factor of 2X.” And while it’s “an understandable thing” that Raspberry Pi enthusiasts could be concerned, “while I’m involved in running the thing, I don’t expect people to see any change in how we do things.”

CEO Eben Upton confirmed in an interview with Bloomberg News that Raspberry Pi had appointed bankers at London firms Peel Hunt and Jefferies to prepare for “when the IPO market reopens.”

Raspberry previously raised money from Sony and semiconductor and software design firm ARM, and it sought public investment. Upton denied or didn’t quite deny IPO rumors in 2021, and Bloomberg reported Raspberry Pi was considering an IPO in early 2022. After ARM took a minority stake in the company in November 2023, Raspberry Pi was valued at roughly 400 million pounds, or just over $500 million.

Given the company’s gradual recovery from pandemic supply chain shortages, and the success of the Raspberry Pi 5 launch, the company’s IPO will likely jump above that level, even with a listing in the UK rather than the more typical US IPO. Upton told The Register that “the business is in a much better place than it was last time we looked at it [an IPO]. We partly stopped because the markets got bad. And we partly stopped because our business became unpredictable.”

News of the potential transformation of Raspberry Pi Ltd from the private arm of the education-minded Raspberry Pi Foundation into a publicly traded company, obligated to generate profits for shareholders, reverberated about the way you’d expect on Reddit, Hacker News, and elsewhere. Many pointed with concern to the company’s decision to prioritize small business customers requiring Pi boards for their businesses as a portent of what investors might prioritize. Many expressed confusion over the commercial entity’s relationship to the foundation and what an IPO meant for that arrangement.

Seeing comments after the Bloomberg story, Upton said he understood concerns about a potential shift in mission or a change in the pricing structure. “It’s a good thing, in that people care about us,” Upton said in a phone interview. But he noted that Raspberry Pi’s business arm has had both strategic and private investors in its history, along with a majority shareholder in its Foundation (which in 2016 owned 75 percent of shares), and that he doesn’t see changes to what Pi has built.

“What Raspberry Pi [builds] are the products we want to buy, and then we sell them to people like us,” Upton said. “Certainly, while I’m involved in it, I can’t imagine an environment in which the hobbyists are not going to be incredibly important.”

The IPO is “about the foundation,” Upton said, with that charitable arm selling some of its majority stake in the business entity to raise funds and expand. (“We’ve not cooked up some new way for a not-for-profit to do an IPO, no,” he noted.) The foundation was previously funded by dividends from the business side, Upton said. “We do this transaction, and the proceeds of that transaction allow the foundation to train teachers, run clubs, expand programs, and… do those things at, at least, a factor of 2X. That’s what I’m most excited about.”

Asked about concerns that Raspberry Pi could focus its attention on higher-volume customers after public investors are involved, Upton said there would be “no change” to the kinds of products Pi makes, and that makers are “culturally important to us.” Upton noted that Raspberry Pi, apart from a single retail store, doesn’t sell Pis directly but through resellers. Margin structures at Raspberry Pi have “stayed the same all the way through,” Upton said and should remain so after the IPO.

Raspberry Pi’s lower-cost products, like the Zero 2 W and Pico, are fulfilling the educational and tinkering missions of the project, now at far better capability and lower price points than the original Pi products, Upton said. “If people think that an IPO means we’re going to … push prices up, push the margins up, push down the feature sets, the only answer we can give is, watch us. Keep watching,” he said. “Let’s look at it in 15, 20 years’ time.”

This post was updated at 2:30 pm ET on January 30 to include an Ars interview with Raspberry Pi CEO Eben Upton.


SIM-swapping ring stole $400M in crypto from a US company, officials allege

Undetected for years —

Scheme allegedly targeted Apple, AT&T, Verizon, and T-Mobile stores in 13 states.

The US may have uncovered the nation’s largest “SIM swap” scheme yet, charging a Chicago man and co-conspirators with allegedly stealing $400 million in cryptocurrency by targeting over 50 victims in more than a dozen states, including one company.

A recent indictment alleged that Robert Powell—using online monikers “R,” “R$,” and “ElSwapo1”—was the “head of a SIM swapping group” called the “Powell SIM Swapping Crew.” He allegedly conspired with Indiana man Carter Rohn (aka “Carti” and “Punslayer”) and Colorado woman Emily Hernandez (allegedly aka “Em”) to gain access to victims’ devices and “carry out fraudulent SIM swap attacks” between March 2021 and April 2023.

SIM-swap attacks occur when someone fraudulently induces a wireless carrier to “reassign a cell phone number from the legitimate subscriber or user’s SIM card to a SIM card controlled by a criminal actor,” the indictment said. Once the swap occurs, the bad actor can defeat multi-factor authentication protections and access online accounts to steal data or money.

Powell’s accused crew allegedly used identification card printers to forge documents, then posed as victims visiting Apple, AT&T, Verizon, and T-Mobile retail stores in Minnesota, Illinois, Indiana, Utah, Nebraska, Colorado, Florida, Maryland, Massachusetts, Texas, New Mexico, Tennessee, Virginia, and the District of Columbia.

According to the indictment, many of the alleged victims did not suffer financial losses, but those that did were allegedly hit hard. The hardest hit appears to be an employee of a company whose AT&T device was allegedly commandeered at a Texas retail store, resulting in over $400 million being allegedly transferred from the employee’s company to co-conspirators’ financial accounts. Other individual victims allegedly lost cryptocurrency valued between $15,000 and more than $1 million.

Co-conspirators are accused of masking stolen funds, sometimes by allegedly hiding transfers in unhosted or self-hosted virtual currency wallets. If convicted, all stolen funds must be forfeited, the indictment said.

Powell has been charged with conspiracy to commit wire fraud and conspiracy to commit aggravated identity theft and access device fraud, Special Agent Brent Bledsoe said in the indictment. This Friday, Powell faces a detention hearing, where he has been ordered by the US Marshals Service to appear in person.

Powell’s attorney, Gal Pissetzky, told Ars that Powell has no comment on the indictment at this time.

SIM swaps escalating in US?

When Powell’s alleged scheme began in 2021, the FBI issued a warning, noting that criminals were increasingly using SIM-swap attacks, fueling total losses that year of $68 million.

Since then, US law enforcement has made several arrests, but none of the uncovered schemes come close to the alleged losses from the thefts Powell’s crew are being accused of.

In 2022, a Florida man, Nicholas Truglia, was sentenced to 18 months for stealing more than $20 million from a single victim. On top of forfeiting the stolen funds, Truglia was also ordered to forfeit more than $900,000 as a criminal penalty. According to security blogger Brian Krebs, Truglia was connected to a group that allegedly stole $100 million using SIM-swap attacks.

Last year, there were a few notable arrests. In October, the Department of Justice sentenced a hacker, Jordan Dave Persad, to 30 months for stealing nearly $1 million from “dozens of victims.” And in December, four Florida men received sentences between eight and 27 months for stealing more than $509,475 in SIM-swap attacks.

Ars could not find any FBI warnings since 2021 raising awareness that losses from SIM-swap attacks may be further increasing to amounts as eye-popping as the alleged losses in Powell’s case.

A DOJ official was unable to confirm if this is the biggest SIM-swapping scheme alleged in the US, directing Ars to another office. Ars will update this report with any new information the DOJ provides.

US officials seem aware that some bad actors attempting SIM-swap attacks appear to be getting bolder. Earlier this year, the Securities and Exchange Commission was targeted in an attack that commandeered the agency’s account on X, formerly known as Twitter. That attack led to a misleading X post falsely announcing the approval of bitcoin exchange-traded funds, causing a brief spike in bitcoin’s price.

To protect consumers from SIM-swap attacks, the Federal Communications Commission announced new rules last year to “require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider. The new rules require wireless providers to immediately notify customers whenever a SIM change or port-out request is made on customers’ accounts and take additional steps to protect customers from SIM swap and port-out fraud.” But an Ars review found these new rules may be too vague to be effective.

In 2021, when European authorities busted a SIM-swapping ring allegedly targeting high-profile individuals worldwide, Europol advised consumers to avoid becoming targets. Tips included using multifactor authentication, resisting associating sensitive accounts with mobile phone numbers, keeping devices updated, avoiding replying to suspicious emails or callers requesting sensitive information, and limiting personal data shared online. Consumers can also request the highest security settings possible from mobile carriers and are encouraged to always use stronger, longer security PINs or passwords to protect devices.
