Security Policy as Code: An Architect’s Perspective on the Evolving Landscape
error code: 502
Security Policy as Code: An Architect’s Perspective on the Evolving Landscape Read More »
Popular Juicebox EV home chargers to lose connectivity as owner quits US
Owners of the popular home EV chargers made by Juicebox are about to lose a whole lot of features. Its owner, the energy company Enel X, has just announced that it is leaving the North American market entirely as of October 11.
Enel X says its strategy will be to pursue “further growth by providing bundled offers, including private charging solutions, to its electricity customers as well as by developing public charging infrastructure in countries where it has an electricity retail business.” And since it does not have an electricity business in the US, merely a charging hardware and software one, it makes little sense to remain active here.
The company also blames high interest rates and a cooling EV market as reasons for its exit.
Enel X says Juicebox residential hardware will continue to work, so if you’ve been using one to charge at home, you can keep plugging it in. But Enel X is ending all software support—there will be no updates, and it’s removing its apps, so online functions like scheduling a charge will no longer work.
Commercial charging stations will be worse affected—according to Enel X, these “will lose functionality in the absence of software continuity.” The company also says its customer support is no longer available, effective immediately, and any questions or claims should be directed to juiceboxnorthamerica.com.
Popular Juicebox EV home chargers to lose connectivity as owner quits US Read More »
Identity, Endpoint, and Network Security Walk into a Bar
With a macrotrend/backdrop of platformization and convergence, the industry is exploring places where identity security, endpoint security, and network security naturally meet. This intersection is the browser.
The Browser: The Intersection of Identity, Endpoint, and Network Security
Why?
- If we expect identity security, it must be tied to users, their permissions, authorization, and authentication.
- If we expect endpoint security, it must be running on the endpoint or able to secure the endpoint itself.
- If we expect network security, it must manage most (if not all) ingress and egress traffic.
The browser meets all of these requirements. It runs on the user’s endpoint, its whole purpose is to make and receive web requests, and as it’s only used by human agents, it intrinsically uses identity elements.
Secure enterprise browsing solutions can considerably improve security posture while also simplifying the technology stack. Injecting security functions in the most used application means that end users do not experience additional friction introduced by other security products. This is an appealing proposition, so we expect that the adoption of enterprise browsers will very likely increase considerably over the next few years.
So, what does it mean? As they can enforce security policies for users accessing web resources, secure enterprise browsing solutions can replace clunkier secure access solutions (those that require routing traffic through proxies or inserting more appliances) such as virtual private networks, secure web gateways, virtual desktop infrastructure, remote browser isolation, and cloud access security brokers.
What it doesn’t mean is that you can replace your EDR, your firewalls, or identity security solutions. On the contrary, secure enterprise browsing solutions work best in conjunction with these. For example, the solutions can inherit identity and access management user attributes and security policies, while integrations with EDR solutions can help for OS-level controls.
The Browser’s Bidirectional Magic
Users are both something to protect and to be protected from. With the browser controlling both ingress and egress traffic, it can secure multiple types of interactions, namely:
- Protecting end users from malicious web resources and phishing attacks.
- Protecting enterprises from negligent users.
- Protecting enterprises from malicious insiders.
- Protecting enterprises from compromised accounts.
I am not aware of any other type of solution on the market that can deliver all of the above with a single product. A secure browsing solution can fill many gaps in an organization’s security architecture, for both small and large organizations.
The market is still in the early stages, so the most responsible way of deploying these solutions is as an add-on to your current security stack. As these solutions mature and prove their efficacy in the real world, they can support a mandate to replace other security solutions that are either inadequate or obsolete.
Next Steps
To learn more, take a look at GigaOm’s secure enterprise browsing solutions Key Criteria and Radar reports. These reports provide a comprehensive overview of the market, outline the criteria you’ll want to consider in a purchase decision, and evaluate how a number of vendors perform against those decision criteria.
- GigaOm Key Criteria for Evaluating Secure Enterprise Browsing Solutions
- GigaOm Radar for Secure Enterprise Browsing Solutions
If you’re not yet a GigaOm subscriber, sign up here.
Identity, Endpoint, and Network Security Walk into a Bar Read More »
AI digests repetitive scatological document into profound “poop” podcast
Enlarge / This AI prompt stinks… or does it?
Aurich Lawson
Imagine you’re a podcaster who regularly does quick 10- to 12-minute summary reviews of written works. Now imagine your producer gives you multiple pages of nothing but the words “poop” and “fart” repeated over and over again and asks you to have an episode about the document on their desk within the hour.
Speaking for myself, I’d have trouble even knowing where to start with such a task. But when Reddit user sorryaboutyourcats gave the same prompt to Google’s NotebookLM AI model, the result was a surprisingly cogent and engaging AI-generated podcast that touches on the nature of art, the philosophy of attention, and the human desire to make meaning out of the inherently meaningless.
Analyzing Poop & Fart written 1,000 times – Creating meaning from the meaningless
byu/sorryaboutyourcats in notebooklm
When I asked NotebookLM to review my Minesweeper book last week, commenter Defenstrar smartly asked “what would happen if you fed it a less engrossing or well written body of text.” The answer, as seen here, shows the interesting directions a modern AI model can go in when you let it just spin its wheels and wander off from an essentially unmoored starting point.
“Sometimes a poop is just a poop…”
While Google’s NotebookLM launched over a year ago, the model’s recently launched “Audio Overview” feature has been getting a lot of attention for what Google calls “a new way to turn your documents into engaging audio discussions.” At its heart is a LLM similar to the kind that powers ChatGPT, which creates a podcast-like script for two convincing text-to-speech models to read, complete with “ums,” interruptions, and dramatic pauses.
Experimenters have managed to trick these AI-powered “hosts” into what sounds like an existential crisis by telling them that they aren’t really human. And investigators have managed to get NotebookLM to talk about its own system prompts, which seem to focus on “going beyond surface-level information” to unearth “golden nuggets of knowledge” from the source material.
The “poop-fart” document (as I’ll be calling it for simplicity) is a pretty interesting test case for this kind of system. After all, what “golden nuggets of knowledge” could be buried beyond the “surface level” of two scatological words repeated for multiple pages? How do you “highlight intriguing points with enthusiasm”—as the unearthed NotebookLM prompt suggests—when the document’s only oft-repeated points are “poop” and “fart”?
Enlarge / Artist’s conception of a portion of the poop-fart document, as fed to NotebookLM.
Here, NotebookLM manages to use that complete lack of context as its own starting point for an interesting stream-of-consciousness, podcast-like conversation. After some throat-clearing about how the audience has “outdone itself” with “a unique piece of source material,” the ersatz podcast hosts are quick to compare the repetition in the document to Andy Warhol’s soup cans or “minimalist music” that can be “surprisingly powerful.” Later, the hosts try to glean some meaning by comparing the document to “a modern dadaist prank” (pronounced as “daday-ist” by the speech synthesizer) or the vase/faces optical illusion.
Artistic comparisons aside, NotebookLM’s virtual hosts also delve a bit into the psychology behind the “very human impulse” to “search for a pattern” in this “accidental Rorschach test” and our tendency to “try to impose order” on the “information overload” of the world around us. In almost the same breath, though, the hosts get philosophical about “confront[ing] the absurdity in trying to find meaning in everything” and suggest that “sometimes a poop is just a poop and a fart is just a fart.”
AI digests repetitive scatological document into profound “poop” podcast Read More »
Car dealers renew their opposition to EV mandates
they said what —
An EV mandate would make gasoline cars too expensive, say the dealers.
Aurich Lawson | Getty Images
A group of more than 5,000 car dealers have made public their worries about a lack of demand for electric vehicles. Earlier this year the group lobbied the White House to water down impending federal fuel efficiency regulations that would require automakers to sell many more EVs. Now, they’re sounding an alarm over impending EV mandates, particularly in the so-called Zero Emissions Vehicle states.
The ZEV states—California, Connecticut, Colorado, Delaware, Maine, Maryland, Massachusetts, Minnesota, Nevada, New Jersey, New York, Pennsylvania, Oregon, Rhode Island, Vermont, Virginia, Washington, and the District of Columbia—all follow the emissions standards laid out by the California Air Resources Board, which require that by 2035, 100 percent of all new cars and light trucks be zero-emissions vehicles (which includes plug-in hybrid EVs as well as battery EVs).
That goes into effect starting with model-year 2026 (i.e. midway through next calendar year) and would require a third of all new vehicles to be a BEV, claim the car dealers. But there is not enough customer demand for electrified vehicles to buy those cars, the dealers say. Worse yet, it would make gasoline-powered cars more expensive.
“This is a de facto mandate, as dealerships will be allocated fewer internal combustion engine and hybrid vehicles, and due to the lack of BEV sales, the result will create excessive demand driving up prices for customers,” the group wrote in a statement.
EV sales are growing more slowly in 2024 than the 50 percent growth we saw in 2023 (to this writer, calling a 12.5 percent growth rate “flatlining” seems hyperbolic).
A lot of the dealers’ concerns are around a lack of knowledge about EVs among their customers. The open letter complains that customers are ignorant about where to charge and how long that takes, how long batteries last and how expensive they are, and range loss in winter. In defense of those car buyers, a place that sells cars, including electric ones, would surely seem like the obvious place to ask those questions—again, at least to this writer.
Car dealers renew their opposition to EV mandates Read More »
Illinois city plans to source its future drinking water from Lake Michigan
The Great Lakes Compact —
As aquifers dry up, some Midwest communities are looking to the region’s natural resources.
Enlarge / Waves roll ashore along Lake Michigan in Whiting, Indiana.
This article originally appeared on Inside Climate News, a nonprofit, independent news organization that covers climate, energy, and the environment. It is republished with permission. Sign up for their newsletter here.
The aquifer from which Joliet, Illinois, sources its drinking water is likely going to run too dry to support the city by 2030—a problem more and more communities are facing as the climate changes and groundwater declines. So Joliet eyed a huge water source 30 miles to the northeast: Lake Michigan.
It’s the second-largest of the Great Lakes, which together provide drinking water to about 10 percent of the US population, according to the National Oceanic and Atmospheric Administration’s Office for Coastal Management.
Soon, Joliet residents will join them. After years of deliberation, their city government decided last year to replace the aquifer by piping it in from Lake Michigan, buying it from the city of Chicago.
Project construction will start in 2025 with the intent to have water flowing to residents by 2030, said Theresa O’Grady, an engineering consultant working with the city of Joliet. Joliet will foot the approximately $1 billion bill for the project, including the cost to build 65 miles of piping that will transport water from Chicago to Joliet and neighboring communities.
Not just anyone can gain access to Lake Michigan’s pristine, saltless water. That’s rooted in the Great Lakes Compact, an agreement that governs how much water each state or Canadian province can withdraw from the lakes each day. With some exceptions, only municipalities located within the 295,200-square-mile basin (which includes the surface area of the lakes themselves) can get approved for a diversion to use Great Lakes drinking water.
Joliet is one of those exceptions.
“I’ve seen occasional news stories about, ‘Is Kansas suddenly going to get Lake Michigan water because Joliet got Lake Michigan water?’ We are going above and beyond to demonstrate how much we respect the privilege we have to use Lake Michigan water. We are spending hundreds of millions of dollars to be good stewards of that,” said Allison Swisher, Joliet’s director of public utilities.
In April 2023, then-Chicago Mayor Lori Lightfoot signed an agreement with Joliet and five other nearby communities to supply them with treated Lake Michigan water. Now, legal experts and other Great Lakes communities are left wondering how Joliet, located well outside of the Great Lakes basin, fits in.
The exemption in the Great Lakes Compact
The Great Lakes Region, which encompasses portions of New York, Pennsylvania, Ohio, Indiana, Illinois, Michigan, Wisconsin, and Minnesota, as well as the Canadian province of Ontario, is governed through the Great Lakes Compact, enacted in 2008.
“If you do not live in a straddling community, or you’re not a city in a straddling county, you don’t have a ticket to the dance. You can’t even ask for a Great Lakes water diversion,” said Peter Annin, director of the Mary Griggs Burke Center for Freshwater Innovation at Northland College and author of The Great Lakes Water Wars.
“With the exception of the state of Illinois,” he added.
The Chicago exemption, as it is often referred to, has roots in the 1800s, when animal waste from the city’s stockyards would flush into the Chicago River, ultimately pouring into Lake Michigan.
“That’s why Chicago embarks on this massive Panama Canal-like water diversion project, to take all that sewage and put it into this long canal, which then would connect with the Des Plaines River southwest of the city, and then the Illinois River, and then the Mississippi River,” Annin said, referring to the infamous reversal of the Chicago River. “Chicago’s solution was to flush its toilet to St. Louis.”
Every day, Chicago had the right to use billions of gallons of Lake Michigan water to divert this water and dilute the pollution downstream. The state of Wisconsin began challenging the diversion in the 1920s, arguing that Illinois’ superfluous water use was depleting water levels in the lake. In 1967, the Supreme Court sided with Illinois, and now, Chicago can do whatever it wants with its 2.1 billion gallons per day.
“So here we are today with this really kind of unbelievable Joliet water diversion proposal,” Annin said.
Illinois city plans to source its future drinking water from Lake Michigan Read More »
SpaceX launches mission to bring Starliner astronauts back to Earth
Ch-ch-changes —
SpaceX is bringing back propulsive landings with its Dragon capsule, but only in emergencies.
Stephen Clark – Updated
Enlarge / SpaceX’s Crew Dragon spacecraft climbs away from Cape Canaveral Space Force Station, Florida, on Saturday atop a Falcon 9 rocket.
NASA/Keegan Barber
NASA astronaut Nick Hague and Russian cosmonaut Aleksandr Gorbunov lifted off Saturday from Florida’s Space Coast aboard a SpaceX Dragon spacecraft, heading for a five-month expedition on the International Space Station.
The two-man crew launched on top of SpaceX’s Falcon 9 rocket at 1: 17 pm EDT (17: 17 UTC), taking an advantage of a break in stormy weather to begin a five-month expedition in space. Nine kerosene-fueled Merlin engines powered the first stage of the flight on a trajectory northeast from Cape Canaveral Space Force Station, then the booster detached and returned to landing at Cape Canaveral as the Falcon 9’s upper stage accelerated SpaceX’s Crew Dragon Freedom spacecraft into orbit.
“It was a sweet ride,” Hague said after arriving in space. With a seemingly flawless launch, Hague and Gorbunov are on track to arrive at the space station around 5: 30 pm EDT (2130 UTC) Sunday.
Empty seats
This is SpaceX’s 15th crew mission since 2020, and SpaceX’s 10th astronaut launch for NASA, but Saturday’s launch was unusual in a couple of ways.
“All of our missions have unique challenges and this one, I think, will be memorable for a lot of us,” said Ken Bowersox, NASA’s associate administrator for space operations.
First, only two people rode into orbit on SpaceX’s Crew Dragon spacecraft, rather than the usual complement of four astronauts. This mission, known as Crew-9, originally included Hague, Gorbunov, commander Zena Cardman, and NASA astronaut Stephanie Wilson.
But the troubled test flight of Boeing’s Starliner spacecraft threw a wrench into NASA’s plans. The Starliner mission launched in June with NASA astronauts Butch Wilmore and Suni Williams. Boeing’s spacecraft reached the space station, but thruster failures and helium leaks plagued the mission, and NASA officials decided last month it was too risky to being the crew back to Earth on Starliner.
NASA selected SpaceX and Boeing for multibillion-dollar commercial crew contracts in 2014, with each company responsible for developing human-rated spaceships to ferry astronauts to and from the International Space Station. SpaceX flew astronauts for the first time in 2020, and Boeing reached the same milestone with the test flight that launched in June.
Ultimately, the Starliner spacecraft safely returned to Earth on September 6 with a successful landing in New Mexico. But it left Wilmore and Williams behind on the space station with the lab’s long-term crew of seven astronauts and cosmonauts. The space station crew rigged two temporary seats with foam inside a SpaceX Dragon spacecraft currently docked at the outpost, where the Starliner astronauts would ride home if they needed to evacuate the complex in an emergency.
Enlarge / NASA astronaut Nick Hague and Russian cosmonaut Aleksandr Gorbunov in their SpaceX pressure suits.
NASA/Kim Shiflett
This is a temporary measure to allow the Dragon spacecraft to return to Earth with six people instead of the usual four. NASA officials decided to remove two of the astronauts from the next SpaceX crew mission to free up normal seats for Wilmore and Williams to ride home in February, when Crew-9 was already slated to end its mission.
The decision to fly the Starliner spacecraft back to Earth without its crew had several second order effects on space station operations. Managers at NASA’s Johnson Space Center in Houston had to decide who to bump from the Crew-9 mission, and who to keep on the crew.
Nick Hague and Aleksandr Gorbunov ended up keeping their seats on the Crew-9 flight. Hague originally trained as the pilot on Crew-9, and NASA decided he would take Zena Cardman’s place as commander. Hague, a 49-year-old Space Force colonel, is a veteran of one long-duration mission on the International Space Station, and also experienced a rare in-flight launch abort in 2018 due to a failure of a Russian Soyuz rocket.
NASA announced the original astronaut assignments for the Crew-9 mission in January. Cardman, a 36-year-old geobiologist, would have been the first rookie astronaut without test pilot experience to command a NASA spaceflight. Three-time space shuttle flier Stephanie Wilson, 58, was the other astronaut removed from the Crew-9 mission.
The decision on who to fly on Crew-9 was a “really close call,” said Bowersox, who oversees NASA’s spaceflight operations directorate. “They were thinking very hard about flying Zena, but in this situation, it made sense to have somebody who had at least one flight under their belt.”
Gorbunov, a 34-year-old Russian aerospace engineer making his first flight to space, moved over to take pilot’s seat in the Crew Dragon spacecraft, although he remains officially designated a mission specialist. His remaining presence on the crew was preordained because of an international agreement between NASA and Russia’s space agency that provides seats for Russian cosmonauts on US crew missions and US astronauts on Russian Soyuz flights to the space station.
Bowersox said NASA will reassign Cardman and Wilson to future flights.
Enlarge / NASA astronauts Suni Williams and Butch Wilmore, seen in their Boeing flight suits before their launch.
Operational flexibility
This was also the first launch of astronauts from Space Launch Complex-40 (SLC-40) at Cape Canaveral, SpaceX’s busiest launch pad. SpaceX has outfitted the launch pad with the equipment necessary to support launches of human spaceflight missions on the Crew Dragon spacecraft, including a more than 200-foot-tall tower and a crew access arm to allow astronauts to board spaceships on top of Falcon 9 rockets.
SLC-40 was previously based on a “clean pad” architecture, without any structures to service or access Falcon 9 rockets while they were vertical on the pad. SpaceX also installed slide chutes to give astronauts and ground crews an emergency escape route away from the launch pad in an emergency.
SpaceX constructed the crew tower last year and had it ready for the launch of a Dragon cargo mission to the space station in March. Saturday’s launch demonstrated the pad’s ability to support SpaceX astronaut missions, which have previously all departed from Launch Complex-39A (LC-39A) at NASA’s Kennedy Space Center, a few miles north of SLC-40.
Bringing human spaceflight launch capability online at SLC-40 gives SpaceX and NASA additional flexibility in their scheduling. For example, LC-39A remains the only launch pad configured to support flights of SpaceX’s Falcon Heavy rocket. SpaceX is now preparing LC-39A for a Falcon Heavy launch October 10 with NASA’s Europa Clipper mission, which only has a window of a few weeks to depart Earth this year and reach its destination at Jupiter in 2030.
With SLC-40 now certified for astronaut launches, SpaceX and NASA teams are able to support the Crew-9 and Europa Clipper missions without worrying about scheduling conflicts. The Florida spaceport now has three launch pads certified for crew flights—two for SpaceX’s Dragon and one for Boeing’s Starliner—and NASA will add a fourth human-rated launch pad with the Artemis II mission to the Moon late next year.
“That’s pretty exciting,” said Pam Melroy, NASA’s deputy administrator. “I think it’s a reflection of where we are in our space program at NASA, but also the capabilities that the United States has developed.”
Earlier this week, Hague and Gorbunov participated in a launch day dress rehearsal, when they had the opportunity to familiarize themselves with SLC-40. The launch pad has the same capabilities as LC-39A, but with a slightly different layout. SpaceX also test-fired the Falcon 9 rocket Tuesday evening, before lowering the rocket horizontal and moving it back into a hangar for safekeeping as the outer bands of Hurricane Helene moved through Central Florida.
Inside the hangar, SpaceX technicians discovered sooty exhaust from the Falcon 9’s engines accumulated on the outside of the Dragon spacecraft during the test-firing. Ground teams wiped the soot off of the craft’s solar arrays and heat shield, then repainted portions of the capsule’s radiators around the edge of Dragon’s trunk section before rolling the vehicle back to the launch pad Friday.
“It’s important that the radiators radiate heat in the proper way to space, so we had to put some some new paint on to get that back to the right emissivity and the right reflectivity and absorptivity of the solar radiation that hit those panels so it will reject the heat properly,” said Bill Gerstenmaier, SpaceX’s vice president of build and flight reliability.
Gerstenmaier also outlined a new backup ability for the Crew Dragon spacecraft to safely splash down even if all of its parachutes fail to deploy on final descent back to Earth. This involves using the capsule’s eight powerful SuperDraco thrusters, normally only used in the unlikely instance of a launch abort, to fire for a few seconds and slow Dragon’s speed for a safe splashdown.
Enlarge / A hover test using SuperDraco thrusters on a prototype Crew Dragon spacecraft in 2015.
SpaceX
“The way it works is, in the case where all the parachutes totally fail, this essentially fires the thrusters at the very end,” Gerstenmaier said. “That essentially gives the crew a chance to land safely, and essentially escape the vehicle. So it’s not used in any partial conditions. We can land with one chute out. We can land with other failures in the chute system. But this is only in the case where all four parachutes just do not operate.”
When SpaceX first designed the Crew Dragon spacecraft more than a decade ago, the company wanted to use the SuperDraco thrusters to enable the capsule to perform propulsive helicopter-like landings. Eventually, SpaceX and NASA agreed to change to a more conventional parachute-assisted splashdown.
The SuperDracos remained on the Crew Dragon spacecraft to push the capsule away from its Falcon 9 rocket during a catastrophic launch failure. The eight high-thrust engines burn hydrazine and nitrogen tetroxide propellants that combust when making contact with one another.
The backup option has been activated for some previous commercial Crew Dragon missions, but not for a NASA flight, according to Gerstenmaier. The capability “provides a tolerable landing for the crew,” he added. “So it’s a true deep, deep contingency. I think our philosophy is, rather than have a system that you don’t use, even though it’s not maybe fully certified, it gives the crew a chance to escape a really, really bad situation.”
Steve Stich, NASA’s commercial crew program manager, said the emergency propulsive landing capability will be enabled for the return of the Crew-8 mission, which has been at the space station since March. With the arrival of Hague and Gorbunov on Crew-9—and the extension of Wilmore and Williams’ mission—the Crew-8 mission is slated to depart the space station and splash down in early October.
This story was updated after confirmation of a successful launch.
SpaceX launches mission to bring Starliner astronauts back to Earth Read More »
Man tricks OpenAI’s voice bot into duet of The Beatles’ “Eleanor Rigby”
Enlarge / A screen capture of AJ Smith doing his Eleanor Rigby duet with OpenAI’s Advanced Voice Mode through the ChatGPT app.
OpenAI’s new Advanced Voice Mode (AVM) of its ChatGPT AI assistant rolled out to subscribers on Tuesday, and people are already finding novel ways to use it, even against OpenAI’s wishes. On Thursday, a software architect named AJ Smith tweeted a video of himself playing a duet of The Beatles’ 1966 song “Eleanor Rigby” with AVM. In the video, Smith plays the guitar and sings, with the AI voice interjecting and singing along sporadically, praising his rendition.
“Honestly, it was mind-blowing. The first time I did it, I wasn’t recording and literally got chills,” Smith told Ars Technica via text message. “I wasn’t even asking it to sing along.”
Smith is no stranger to AI topics. In his day job, he works as associate director of AI Engineering at S&P Global. “I use [AI] all the time and lead a team that uses AI day to day,” he told us.
In the video, AVM’s voice is a little quavery and not pitch-perfect, but it appears to know something about “Eleanor Rigby’s” melody when it first sings, “Ah, look at all the lonely people.” After that, it seems to be guessing at the melody and rhythm as it recites song lyrics. We have also convinced Advanced Voice Mode to sing, and it did a perfect melodic rendition of “Happy Birthday” after some coaxing.
AJ Smith’s video of singing a duet with OpenAI’s Advanced Voice Mode.
Normally, when you ask AVM to sing, it will reply something like, “My guidelines won’t let me talk about that.” That’s because in the chatbot’s initial instructions (called a “system prompt“), OpenAI instructs the voice assistant not to sing or make sound effects (“Do not sing or hum,” according to one system prompt leak).
OpenAI possibly added this restriction because AVM may otherwise reproduce copyrighted content, such as songs that were found in the training data used to create the AI model itself. That’s what is happening here to a limited extent, so in a sense, Smith has discovered a form of what researchers call a “prompt injection,” which is a way of convincing an AI model to produce outputs that go against its system instructions.
How did Smith do it? He figured out a game that reveals AVM knows more about music than it may let on in conversation. “I just said we’d play a game. I’d play the four pop chords and it would shout out songs for me to sing along with those chords,” Smith told us. “Which did work pretty well! But after a couple songs it started to sing along. Already it was such a unique experience, but that really took it to the next level.”
This is not the first time humans have played musical duets with computers. That type of research stretches back to the 1970s, although it was typically limited to reproducing musical notes or instrumental sounds. But this is the first time we’ve seen anyone duet with an audio-synthesizing voice chatbot in real time.
Man tricks OpenAI’s voice bot into duet of The Beatles’ “Eleanor Rigby” Read More »
Musk’s X blocks links to JD Vance dossier and suspends journalist who posted it
JD Vance dossier —
X says it suspended reporter for “posting unredacted personal information.”
Enlarge / Former US President Donald Trump and Republican vice presidential nominee JD Vance at the National 9/11 Memorial and Museum on September 11, 2024, in New York City.
Getty Images | Michael M. Santiago
Elon Musk’s X is blocking links to the JD Vance “dossier” containing the Trump campaign’s research on the vice presidential nominee. X also suspended Ken Klippenstein, the journalist who published the dossier that apparently comes from an Iranian hack of the Trump campaign.
“Ken Klippenstein was temporarily suspended for violating our rules on posting unredacted private personal information, specifically Sen. Vance’s physical addresses and the majority of his Social Security number,” X’s safety account wrote yesterday. Klippenstein’s account was still suspended as of this writing.
X is blocking attempts to post links to the Klippenstein article in which he explained why he published the leaked dossier. An error message says, “We can’t complete this request because the link has been identified by X or our partners as being potentially harmful.”
Klippenstein’s article explains that the “dossier has been offered to me and I’ve decided to publish it because it’s of keen public interest in an election season. It’s a 271-page research paper the Trump campaign prepared to vet now vice presidential candidate JD Vance.”
The article doesn’t contain Vance’s address or Social Security number, but it provides a download link for the dossier. Klippenstein published another article yesterday after his X suspension, writing that he stands by his decision not to redact Vance’s private information. But the version of the Vance dossier available on Klippenstein’s website today has redactions of addresses and his Social Security number.
“I never published any private information on X”
“Self-styled free speech warrior Elon Musk’s X (Twitter) banned me after I published a copy of the Donald Trump campaign’s JD Vance research dossier,” Klippenstein wrote. “X says that I’ve been suspended for ‘violating our rules against posting private information,’ citing a tweet linking to my story about the JD Vance dossier. First, I never published any private information on X. I linked to an article I wrote here, linking to a document of controversial provenance, one that I didn’t want to alter for that very reason.”
Klippenstein also wrote, “We should be honest about so-called private information contained in the dossier and ‘private’ information in general. It is readily available to anyone who can buy it. The campaign purchased this information from commercial information brokers.”
US intelligence agencies said last week that “Iranian malicious cyber actors” have been sending “stolen, non-public material associated with former President Trump’s campaign to US media organizations.” This is part of a strategy “to stoke discord and undermine confidence in our electoral process,” US agencies said. Most media outlets decided not to publish the materials.
Musk slammed Twitter’s Hunter Biden decision
Elon Musk claimed that he bought Twitter in order to protect free speech, and he criticized the social network for an October 2020 incident in which Twitter blocked a New York Post story about Hunter Biden’s emails for allegedly violating a policy against posting hacked materials.
“Suspending the Twitter account of a major news organization for publishing a truthful story was obviously incredibly inappropriate,” Musk wrote in April 2022, one day after he struck a deal to buy Twitter for $44 billion. After completing the purchase, Musk leaked so-called “Twitter Files” containing the company’s internal deliberations about the Hunter Biden laptop story and other matters.
Twitter’s Hunter Biden decision drew immediate criticism when it happened, and the company changed its hacked materials policy just one day later. Under the October 2020 policy change, Twitter said it would stop removing hacked content unless it was directly shared by hackers or those acting in concert with them and that it would label tweets to provide context instead of blocking links from being shared on Twitter.
“Straight blocking of URLs was wrong, and we updated our policy and enforcement to fix,” Jack Dorsey, Twitter’s former CEO, wrote at the time. “Our goal is to attempt to add context, and now we have capabilities to do that.”
The hacked materials policy was still active as of January 2024, but the policy page no longer exists.
Meanwhile, The New York Times examined five days’ worth of Musk’s X posts in an article published today. “In 171 posts and reposts during that frenetic five-day period, the tech mogul railed against illegal immigration, boosted election fraud conspiracy theories and attacked Democratic candidates, according to a New York Times analysis… Nearly a third of his posts last week were false, misleading or missing vital context. They included misleading posts claiming Democrats were making memes ‘illegal’ and falsehoods that they want to ‘open the border’ to gain votes from illegal immigrants,” the article said.
Musk’s X blocks links to JD Vance dossier and suspends journalist who posted it Read More »
More unidentified illnesses linked to unexplained bird flu case in Missouri
Enlarge / A warning sign outside a laboratory testing the H5N1 bird flu virus at The Pirbright Institute in Woking, UK, on Monday, March 13, 2023.
More than a month after a person in Missouri mysteriously fell ill with H5-type bird flu, investigators in the state are still identifying people who became ill after contact with the patient, raising questions about the diligence of the ongoing health investigation.
On September 6, Missouri’s health department reported the state’s first human case of H5-type bird flu, one that appears closely related to the H5N1 bird flu currently causing a nationwide outbreak among dairy cows. But the infected person had no known contact with infected animals—unlike all of the other 13 human cases identified amid the dairy outbreak this year. Those previous cases have all occurred in dairy- or poultry-farm workers. In fact, Missouri has not reported bird flu in its dairy herds nor recent poultry outbreaks.
Given the unexplained source of infection, health investigators in the state have been working to track the virus both backward in time—to try to identify the source—and forward—to identify any potential onward spread. The bird flu patient was initially hospitalized on August 22 but recovered and had been released by the time the state publicly reported the case.
In an update Friday, September 27, the Centers for Disease Control and Prevention relayed that Missouri officials have now identified four more health care workers who experienced mild respiratory illnesses after caring for the person with bird flu. None of the four workers were tested for flu at the time of their illnesses and all have since recovered.
Testing new cases for antibodies to H5N1
The four newly identified cases bring the total number of health care workers who fell ill after contact to six. Missouri investigators had previously identified two other health care workers who developed mild respiratory symptoms. One of those workers was tested for flu around the time of their illness—and tested negative. But the other, like the four newly identified cases, was not tested. That person has since submitted a blood sample to test for bird flu antibodies, which would indicate a previous infection.
In addition, a household contact of the bird flu patient also fell ill at the same time as the patient, suggesting a possible common source of the infection.
The illnesses are concerning, given the fear that H5N1 bird flu could begin spreading from human to human and spark a widespread outbreak or even a pandemic. However, it can’t be overlooked that a plethora of other respiratory viruses are around—and SARS-CoV-2 transmission was relatively high in Missouri at the time—it’s impossible to draw any conclusions at this point about whether the illnesses were bird flu infections.
But, the illnesses do clearly raise concern about the health investigation, which is being conducted by Missouri officials. “The slow trickle of info is the most concerning part,” infectious disease expert Krutika Kuppalli wrote on social media Friday. The CDC can get involved at the request of a state, but such a request has not been made. For now, the CDC is only providing technical assistance from Atlanta.
In its update today, the CDC emphasized that “to date, only one case of influenza A(H5N1) has been detected in Missouri. No contacts of that case have tested positive for influenza A(H5N1).” The agency added that blood testing results for H5 antibodies are pending.
Currently, 239 dairy herds in 14 states have been infected with H5N1.
More unidentified illnesses linked to unexplained bird flu case in Missouri Read More »
Meta pays the price for storing hundreds of millions of passwords in plaintext
GOT HASHES? —
Company failed to follow one of the most sacrosanct rules for password storage.
Getty Images
Officials in Ireland have fined Meta $101 million for storing hundreds of millions of user passwords in plaintext and making them broadly available to company employees.
Meta disclosed the lapse in early 2019. The company said that apps for connecting to various Meta-owned social networks had logged user passwords in plaintext and stored them in a database that had been searched by roughly 2,000 company engineers, who collectively queried the stash more than 9 million times.
Meta investigated for five years
Meta officials said at the time that the error was found during a routine security review of the company’s internal network data storage practices. They went on to say that they uncovered no evidence that anyone internally improperly accessed the passcodes or that the passcodes were ever accessible to people outside the company.
Despite those assurances, the disclosure exposed a major security failure on the part of Meta. For more than three decades, best practices across just about every industry have been to cryptographically hash passwords. Hashing is a term that applies to the practice of passing passwords through a one-way cryptographic algorithm that assigns a long string of characters that’s unique for each unique input of plaintext.
Because the conversion works in only one direction—from plaintext to hash—there is no cryptographic means for converting the hashes back into plaintext. More recently, these best practices have been mandated by laws and regulations in countries worldwide.
Because hashing algorithms works in one direction, the only way to obtain the corresponding plaintext is to guess, a process that can require large amounts of time and computational resources. The idea behind hashing passwords is similar to the idea of fire insurance for a home. In the event of an emergency—the hacking of a password database in one case, or a house fire in the other—the protection insulates the stakeholder from harm that otherwise would have been more dire.
For hashing schemes to work as intended, they must follow a host of requirements. One is that hashing algorithms must be designed in a way that they require large amounts of computing resources. That makes algorithms such as SHA1 and MD5 unsuitable, because they’re designed to quickly hash messages with minimal computing required. By contrast, algorithms specifically designed for hashing passwords—such as Bcrypt, PBKDF2, or SHA512crypt—are slow and consume large amounts of memory and processing.
Another requirement is that the algorithms must include cryptographic “salting,” in which a small amount of extra characters are added to the plaintext password before it’s hashed. Salting further increases the workload required to crack the hash. Cracking is the process of passing large numbers of guesses, often measured in the hundreds of millions, through the algorithm and comparing each hash against the hash found in the breached database.
The ultimate aim of hashing is to store passwords only in hashed format and never as plaintext. That prevents hackers and malicious insiders alike from being able to use the data without first having to expend large amounts of resources.
When Meta disclosed the lapse in 2019, it was clear the company had failed to adequately protect hundreds of millions of passwords.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Graham Doyle, deputy commissioner at Ireland’s Data Protection Commission, said. “It must be borne in mind, that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”
The commission has been investigating the incident since Meta disclosed it more than five years ago. The government body, the lead European Union regulator for most US Internet services, imposed a fine of $101 million (91 million euros) this week. To date, the EU has fined Meta more than $2.23 billion (2 billion euros) for violations of the General Data Protection Regulation (GDPR), which went into effect in 2018. That amount includes last year’s record $1.34 billion (1.2 billion euro) fine, which Meta is appealing.
Meta pays the price for storing hundreds of millions of passwords in plaintext Read More »
Sony, Ubisoft scandals prompt Calif. ban on deceptive sales of digital goods
No more now you see it, now you don’t —
New California law reminds us we don’t own games and movies.
California recently became the first state to ban deceptive sales of so-called “disappearing media.”
On Tuesday, Governor Gavin Newsom signed AB 2426 into law, protecting consumers of digital goods like books, movies, and video games from being duped into purchasing content without realizing access was only granted through a temporary license.
Sponsored by Democratic assemblymember Jacqui Irwin, the law makes it illegal to “advertise or offer for sale a digital good to a purchaser with the terms buy, purchase, or any other term which a reasonable person would understand to confer an unrestricted ownership interest in the digital good, or alongside an option for a time-limited rental.”
Moving forward, sellers must clearly mark when a buyer is only receiving a license for—rather than making a purchase of—a digital good. Sellers must also clearly disclose that access to the digital good could be revoked if the seller no longer retains rights to license that good.
Perhaps most significantly, these disclosures cannot be buried in terms of service, but “shall be distinct and separate from any other terms and conditions of the transaction that the purchaser acknowledges or agrees to,” the law says.
An exception applies for goods that are advertised using “plain language” that states that “buying or purchasing the digital good is a license.” And there are also carve-outs for free goods and subscription services providing limited access based on a subscription’s duration. Additionally, it’s OK to advertise a digital good if access isn’t ever revoked, such as when users purchase a permanent download that can be accessed offline, regardless of a seller’s rights to license the content.
Ubisoft, Sony called out for consumer harms
In a press release earlier this month, Irwin noted that the law was drafted to “address the increasingly-common instance of consumers losing access to their digital media purchases through no fault of their own.”
She pointed to Ubisoft revoking licenses for purchases of its video game The Crew last April and Sony stirring backlash by threatening to yank access to Discovery TV shows last year as prominent examples of consumer harms.
Irwin noted that the US has been monitoring this problem since at least 2016, when the Department of Commerce’s Internet Policy Task Force published a white paper concluding that “consumers would benefit from more information on the nature of the transactions they enter into, including whether they are paying for access to content or for ownership of a copy, in order to instill greater confidence and enhance participation in the online marketplace.”
It took eight years for the first state lawmakers to follow through on the recommendation, Irwin said, noting that sellers are increasingly licensing content over selling goods and rarely offer refunds for “disappearing media.”
“As retailers continue to pivot away from selling physical media, the need for consumer protections on the purchase of digital media has become increasingly more important,” Irwin said. “AB 2426 will ensure the false and deceptive advertising from sellers of digital media incorrectly telling consumers they own their purchases becomes a thing of the past.”
In Irwin’s press release, University of Michigan law professor Aaron Perzanowski praised California for trailblazing with a law that clearly labels this practice as false advertising.
“Consumers around the world deserve to understand that when they spend money on digital movies, music, books, and games, those so-called ‘purchases’ can disappear without notice,” Perzanowski said. “There is still important work to do in securing consumers’ digital rights, but AB 2426 is a crucial step in the right direction.”
Sony, Ubisoft scandals prompt Calif. ban on deceptive sales of digital goods Read More »