Author name: Mike M.


San Francisco to ban software that “enables price collusion” by landlords

Algorithmic devices —

Software helps landlords “indirectly coordinate” by sharing nonpublic information.

View of San Francisco with Russian Hill in the background. (Getty Images | Terraxplorer)

San Francisco’s Board of Supervisors this week approved a ban on software that is allegedly used by landlords to collude on rent prices. Board of Supervisors President Aaron Peskin recently proposed what his office called “the first local ordinance in the country banning the sale or use of software which enables price collusion among large corporate landlords for the purpose of rent-gouging.”

The ordinance was approved on a first reading by a 10-0 vote by the board on Tuesday. It still needs to pass a final vote scheduled for September 3, Bloomberg wrote.

The ban targets software companies RealPage and Yardi. “RealPage has exacerbated our rent crisis and empowered corporate landlords to intentionally keep units vacant. So we’re taking action locally to ensure our working renters can afford to live here,” Peskin said.

RealPage and Yardi “collect and combine proprietary large landlord data and make pricing and occupancy recommendations,” Peskin’s office said. “These recommendations then effectively become the lay of the land, with multiple investigations finding they amount to illegal price-fixing. RealPage’s own executives have told investors that its software has driven double-digit increases in rents, increased ‘turnover’ of units, and increased vacancy rates.”

A March 2024 White House statement criticized the use of algorithms to set rent prices. “In a recent filing, the Department of Justice (DOJ) made clear its position that inflated rents caused by algorithmic use of sensitive nonpublic pricing and supply information violate antitrust laws,” the White House statement said. “Earlier this month, the Federal Trade Commission and DOJ filed a joint brief further arguing that it is illegal for landlords and property managers to collude on pricing to inflate rents—including when using algorithms to do so.”

The FTC/DOJ brief was filed in a class-action case against Yardi and property owners in US District Court for the Western District of Washington. There were also numerous lawsuits against RealPage and property owners, and those cases were consolidated into one case in a Tennessee federal court. The District of Columbia’s attorney general sued RealPage and landlords as well.

RealPage says its software helps renters

In June, RealPage issued a statement addressing what it called “false and misleading claims about RealPage and its revenue management software.” RealPage said its software “benefits both housing providers and residents.”

“RealPage revenue management software makes price recommendations in all directions—up, down, or no change—to align with property-specific objectives of the housing providers using the software,” the company said. RealPage said its property-owning customers can accept or reject the software’s price recommendations, and that the “revenue management software never recommends that a customer withhold vacant units from the market.”

The consolidated class action complaint alleged that vacancy rates rose because property owners “could (and did) allow a larger share of their units to remain vacant, thereby artificially restricting supply, while maintaining higher rental prices across their properties. This behavior is only rational if Defendants know that their competitors are setting rental prices using RealPage’s RMS [revenue management software] and thus would not attempt to undercut them.”

We asked RealPage and Yardi whether they plan to challenge the San Francisco ordinance in court and will update this article if we get any comment.

“While we share the San Francisco Board of Supervisors’ goal of helping renters, this ordinance will do nothing to make housing more affordable in the city, where there is a severe supply shortage of rental units that needs to be addressed,” a RealPage spokesperson told KRON4 after the vote.

RealPage told KRON4 that its “software is purposely built to be legally compliant and can be configured to comply with the new ordinance should it pass a final vote.” It also criticized the San Francisco board for what it called a “misplaced focus on nonpublic information.”

Ban on “algorithmic devices”

The San Francisco proposal said the software “programs enable landlords to indirectly coordinate with one another through the sharing of nonpublic competitively sensitive data, in order to artificially inflate rents and vacancy rates for rental housing. Participating landlords provide vast amounts of proprietary data to the programs, which in turn do not just summarize statistical data, but also perform calculations with the data to then set or provide recommendations for rent and occupancy levels.”

The ordinance “would prohibit the sale or use of ‘algorithmic devices’ to set, recommend, or advise on rents or occupancy levels for residential rental units in San Francisco.” It defines “algorithmic device” as including revenue management software “that uses algorithms to analyze nonpublic competitor rental data for the purposes of providing a landlord recommendations on whether to leave their unit vacant or on what rent to charge.”

“An entity that sold such a device for use on residential rental units in San Francisco, or a San Francisco landlord that used such a device, could face a civil action and be ordered to pay damages, restitution, civil penalties of up to $1,000 per violation, and/or attorneys’ fees,” the proposal said.


Senators propose “Digital replication right” for likeness, extending 70 years after death

NO SCRUBS —

Law would hold US individuals and firms liable for ripping off a person’s digital likeness.


On Wednesday, US Sens. Chris Coons (D-Del.), Marsha Blackburn (R-Tenn.), Amy Klobuchar (D-Minn.), and Thom Tillis (R-NC) introduced the Nurture Originals, Foster Art, and Keep Entertainment Safe (NO FAKES) Act of 2024. The bipartisan legislation, up for consideration in the US Senate, aims to protect individuals from unauthorized AI-generated replicas of their voice or likeness.

The NO FAKES Act would create legal recourse for people whose digital representations are created without consent. It would hold both individuals and companies liable for producing, hosting, or sharing these unauthorized digital replicas, including those created by generative AI. Due to generative AI technology that has become mainstream in the past two years, creating audio or image media fakes of people has become fairly trivial, with easy photorealistic video replicas likely next to arrive.

In a press statement, Coons emphasized the importance of protecting individual rights in the age of AI. “Everyone deserves the right to own and protect their voice and likeness, no matter if you’re Taylor Swift or anyone else,” he said, referring to a widely publicized deepfake incident involving the musical artist in January. “Generative AI can be used as a tool to foster creativity, but that can’t come at the expense of the unauthorized exploitation of anyone’s voice or likeness.”

The introduction of the NO FAKES Act follows the Senate’s passage of the DEFIANCE Act, which allows victims of sexual deepfakes to sue for damages.

In addition to the Swift saga, over the past few years, we’ve seen AI-powered scams involving fake celebrity endorsements, the creation of misleading political content, and situations where school kids have used AI tech to create pornographic deepfakes of classmates. Recently, X CEO Elon Musk shared a video that featured an AI-generated voice of Vice President Kamala Harris saying things she didn’t say in real life.

These incidents, in addition to concerns about actors’ likenesses being replicated without permission, have created an increasing sense of urgency among US lawmakers, who want to limit the impact of unauthorized digital likenesses. Currently, certain types of AI-generated deepfakes are already illegal due to a patchwork of federal and state laws, but this new act hopes to unify likeness regulation around the concept of “digital replicas.”

Digital replicas

An AI-generated image of a person. (Benj Edwards / Ars Technica)

To protect a person’s digital likeness, the NO FAKES Act introduces a “digital replication right” that gives individuals exclusive control over the use of their voice or visual likeness in digital replicas. This right extends 10 years after death, with possible five-year extensions if actively used. It can be licensed during life and inherited after death, lasting up to 70 years after an individual’s death. Along the way, the bill defines what it considers to be a “digital replica”:

DIGITAL REPLICA.-The term “digital replica” means a newly created, computer-generated, highly realistic electronic representation that is readily identifiable as the voice or visual likeness of an individual that- (A) is embodied in a sound recording, image, audiovisual work, including an audiovisual work that does not have any accompanying sounds, or transmission- (i) in which the actual individual did not actually perform or appear; or (ii) that is a version of a sound recording, image, or audiovisual work in which the actual individual did perform or appear, in which the fundamental character of the performance or appearance has been materially altered; and (B) does not include the electronic reproduction, use of a sample of one sound recording or audiovisual work into another, remixing, mastering, or digital remastering of a sound recording or audiovisual work authorized by the copyright holder.

(There’s some irony in the mention of an “audiovisual work that does not have any accompanying sounds.”)

Since this bill bans types of artistic expression, the NO FAKES Act includes provisions that aim to balance IP protection with free speech. It provides exclusions for recognized First Amendment protections, such as documentaries, biographical works, and content created for purposes of comment, criticism, or parody.

In some ways, those exceptions could create a very wide protection gap that may be difficult to enforce without specific court decisions on a case-by-case basis. But without them, the NO FAKES Act could potentially stifle Americans’ constitutionally protected rights of free expression since the concept of “digital replicas” outlined in the bill includes any “computer-generated, highly realistic” digital likeness of a real person, whether AI-generated or not. For example, is a photorealistic Photoshop illustration of a person “computer-generated?” Similar questions may lead to uncertainty in enforcement.

Wide support from entertainment industry

So far, the NO FAKES Act has gained support from various entertainment industry groups, including Screen Actors Guild-American Federation of Television and Radio Artists (SAG-AFTRA), the Recording Industry Association of America (RIAA), the Motion Picture Association, and the Recording Academy. These organizations have been actively seeking protections against unauthorized AI re-creations.

The bill has also been endorsed by entertainment companies such as The Walt Disney Company, Warner Music Group, Universal Music Group, Sony Music, the Independent Film & Television Alliance, William Morris Endeavor, Creative Arts Agency, the Authors Guild, and Vermillio.

Several tech companies, including IBM and OpenAI, have also backed the NO FAKES Act. Anna Makanju, OpenAI’s vice president of global affairs, said in a statement that the act would protect creators and artists from improper impersonation. “OpenAI is pleased to support the NO FAKES Act, which would protect creators and artists from unauthorized digital replicas of their voices and likenesses,” she said.

In a statement, Coons highlighted the collaborative effort behind the bill’s development. “I am grateful for the bipartisan partnership of Senators Blackburn, Klobuchar, and Tillis and the support of stakeholders from across the entertainment and technology industries as we work to find the balance between the promise of AI and protecting the inherent dignity we all have in our own personhood.”


The 10 things car buyers say they want in their next car

how much will you pay though? —

The data explains why we keep seeing certain features on many new cars.

Salesman handing car keys to a customer. (Getty Images)

A wireless charging pad is now the most-desired in-car feature among people intending to buy a new vehicle. Being able to forget about a USB cable and still not run down one’s battery topped the list of 163 features that AutoPacific asked about in its annual survey on future demand. Almost 15,000 people intending to buy a new car within the next three years replied to the survey, with 44 percent ticking the box for wireless charging for the front passengers.

This market research data is rather illuminating; as we test new cars, they’re increasingly equipped with features or gadgets that don’t seem exactly necessary—an extra infotainment screen for the front seat passenger, for example, or remote parking via a smartphone app. Sometimes, the features are even mandatory—several luxury brands won’t let you order certain cars without a glass moonroof.

These decisions are justified by product planners as responding to customer demand, so it’s helpful to see one of the sources that feeds into that.

In joint second place were a second wireless charging pad for the back seats and heated and ventilated seats. These were each picked by 37 percent, narrowly beating out rain-sensing windscreen wipers (36 percent).

The aforementioned moonroof (or sunroof) shared fifth place (35 percent) with having the ability to store more than one driver profile. Interestingly, this feature has grown in popularity over the years, rising from 19th-most requested in 2022 up to 10th-most in 2023. More and more automakers are moving to Android Automotive OS, which uses Google accounts to bring a driver’s digital life seamlessly into their vehicle; others are building their own solutions on private clouds, but either way, it’s increasingly becoming built into every new car we test. (It’s probably time I created a Google account to test out those features on AAOS cars going forward, too.)

Seventh on the list is a feature that requires a car to be electrified—it’s a household 110 V socket (34 percent). Ford’s much in-demand Maverick hybrid pickup—now in AWD, too—is a good example, with some EVs offering enough onboard juice to run a little outdoor office or movie theater.

I’m not sure I can remember seeing rear sunshades in a car—I probably wasn’t looking—but a third of survey respondents wanted them in their next vehicle. Only 32 percent showed interest in rear-cross traffic alert with automatic emergency braking.

I’m surprised this safety tech didn’t rate higher—its value is easily proven when reversing in a crowded parking lot when the spaces on either side of your car are occupied by gargantuan SUVs and pickups. Perhaps the other two-thirds only ever reverse into parking spaces? That’s certainly safer and much easier to do now that backup cameras have been legally required for the past few years.

Who wants hands-free?

Finally, 31 percent of the people who replied to AutoPacific also said that a built-in air compressor would be on their list, too. Notably, hands-free driving tech like Super Cruise or Autopilot did not crack the top 10.

But perhaps first place should really have gone to unresponsive driver detection. AutoPacific says that this idea was represented by two different options: a system that stops the car in its lane and a system that pulls the car over to the shoulder in the event of an unresponsive driver. When combined (45 percent), the demand for these two features edged out the demand seen in 2023 (43 percent) for a less well-defined unresponsive driver system.


Apple stealthily adds minor features in iOS 17.6, macOS 14.6 releases

Catch Up —

The M3 MacBook Pro now supports multiple external monitors.

iOS 17.6 installing on an iPhone 13 Pro. (Samuel Axon)

Apple has some minor updates for all its operating systems, and the releases include iOS 17.6, iPadOS 17.6, tvOS 17.6, watchOS 10.6, and macOS Sonoma 14.6.

Apple’s notes for these updates simply say they include bug fixes, security updates, or optimizations. However, there are a few hidden features.

macOS 14.6 reportedly enables multi-display support in clamshell mode on the M3 MacBook Pro, allowing users of that device to use two external displays at once. That was already possible on the M3 Pro and M3 Max variations. Apple had previously released a similar update to bring that functionality to the M3 MacBook Air.

iOS 17.6 and iPadOS 17.6 have added a feature called Catch Up, which is targeted at sports fans who use Apple’s TV app.

The feature allows users to watch a quick sequence of highlights that have been produced so far from an in-progress Major League Soccer game before joining the live feed.

That’s about it, though. These are minor updates, and they are likely the final ones other than security hotfixes until Apple begins rolling out its annual updates, such as iOS 18 and macOS Sequoia 15, later this fall.

Those updates are expected to include several new features, though the biggest—Apple Intelligence, a suite of generative AI features—will not arrive until iOS 18.1, which was just released as a developer beta for the first time.

iOS 17.6, iPadOS 17.6, tvOS 17.6, watchOS 10.6, and macOS Sonoma 14.6 are available to download and install on all supported devices now.


Outsourcing emotion: The horror of Google’s “Dear Sydney” AI ad

Here’s an idea: Don’t be a deadbeat and do it yourself!

If you’ve watched any Olympics coverage this week, you’ve likely been confronted with an ad for Google’s Gemini AI called “Dear Sydney.” In it, a proud father seeks help writing a letter on behalf of his daughter, who is an aspiring runner and superfan of world-record-holding hurdler Sydney McLaughlin-Levrone.

“I’m pretty good with words, but this has to be just right,” the father intones before asking Gemini to “Help my daughter write a letter telling Sydney how inspiring she is…” Gemini dutifully responds with a draft letter in which the LLM tells the runner, on behalf of the daughter, that she wants to be “just like you.”

Every time I see this ad, it puts me on edge in a way I’ve had trouble putting into words (though Gemini itself has some helpful thoughts). As someone who writes words for a living, the idea of outsourcing a writing task to a machine brings up some vocational anxiety. And the idea of someone who’s “pretty good with words” doubting his abilities when the writing “has to be just right” sets off alarm bells regarding the superhuman framing of AI capabilities.

But I think the most offensive thing about the ad is what it implies about the kinds of human tasks Google sees AI replacing. Rather than using LLMs to automate tedious busywork or difficult research questions, “Dear Sydney” presents a world where Gemini can help us offload a heartwarming shared moment of connection with our children.

The “Dear Sydney” ad.

It’s a distressing answer to what’s still an incredibly common question in the AI space: What do you actually use these things for?

Yes, I can help

Marketers have a difficult task when selling the public on their shiny new AI tools. An effective ad for an LLM has to make it seem like a superhuman do-anything machine but also an approachable, friendly helper. An LLM has to be shown as good enough to reliably do things you can’t (or don’t want to) do yourself, but not so good that it will totally replace you.

Microsoft’s 2024 Super Bowl ad for Copilot is a good example of an attempt to thread this needle, featuring a handful of examples of people struggling to follow their dreams in the face of unseen doubters. “Can you help me?” those dreamers ask Copilot with various prompts. “Yes, I can help” is the message Microsoft delivers back, whether through storyboard images, an impromptu organic chemistry quiz, or “code for a 3D open world game.”

Microsoft’s Copilot marketing sells it as a helper for achieving your dreams.

The “Dear Sydney” ad tries to fit itself into this same box, technically. The prompt in the ad starts with “Help my daughter…” and the tagline at the end offers “A little help from Gemini.” If you look closely near the end, you’ll also see Gemini’s response starts with “Here’s a draft to get you started.” And to be clear, there’s nothing inherently wrong with using an LLM as a writing assistant in this way, especially if you have a disability or are writing in a non-native language.

But the subtle shift from Microsoft’s “Help me” to Google’s “Help my daughter” changes the tone of things. Inserting Gemini into a child’s heartfelt request for parental help makes it seem like the parent in question is offloading their responsibilities to a computer in the coldest, most sterile way possible. More than that, it comes across as an attempt to avoid an opportunity to bond with a child over a shared interest in a creative way.

It’s one thing to use AI to help you with the most tedious parts of your job, as people do in recent ads for Salesforce’s Einstein AI. It’s another to tell your daughter to go ask the computer for help pouring their heart out to their idol.


Logitech has an idea for a “forever mouse” that requires a subscription

“I don’t think we’re necessarily super far away from that.” —

Exec says mouse that requires a regular fee for software updates is possible.


Logitech CEO Hanneke Faber recently discussed the possibility of one day selling a mouse that customers can use “forever.” The executive said such a mouse isn’t “necessarily super far away” and will rely on software updates, likely delivered through a subscription model.

Speaking on a July 29 episode of The Verge’s Decoder podcast, Faber, who Logitech appointed as CEO in October, said that members of a “Logitech innovation center” showed her “a forever mouse” and compared it to a nice but not “super expensive” watch. She said:

… I’m not planning to throw that watch away ever. So why would I be throwing my mouse or my keyboard away if it’s a fantastic-quality, well-designed, software-enabled mouse? The forever mouse is one of the things that we’d like to get to.

The concept mouse that Faber examined was “a little heavier” than the typical mouse. But what drives its longevity potential for Logitech is the idea of constantly updated software and services.

To be clear, Logitech hasn’t announced concrete plans to release such a product. But Faber seemed optimistic about the idea of a mouse that people never need to replace. The challenge, she admitted, is finding a business model that supports that idea without requiring an exorbitant hardware price. “Our stuff will have to change, but does the hardware have to change?” she asked. “I’m not so sure. We’ll have to obviously fix it and figure out what that business model is. We’re not at the forever mouse today, but I’m intrigued by the thought.”

The price of a “forever mouse”

Speaking with Faber, Decoder host and Verge Editor-in-Chief Nilay Patel suggested that a “forever mouse” could cost $200. While that would be expensive compared to the typical mouse, such a product wouldn’t be the first software-heavy, three-figure-price computer mouse. Still, a price tag of around $200 would limit the audience to professionals or enthusiasts.

Faber also said the average price of a mouse or keyboard is $26, though she didn’t cite her source. Logitech is seeking growth by appealing to the many people who don’t own both a mouse and keyboard and by selling more expensive devices. A “forever mouse” could fall under the latter. Alternatively, the price of the mouse’s hardware could be subsidized by subscription payments.

In any case, pushing out software updates would require Logitech to convince its customers to use an app to control their mouse. Such software can offer a lot of programmability and macro support, but the need to constantly run peripheral software could be a nuisance that eats up computer resources. Earlier this year, users complained when Logitech added a ChatGPT launcher to its peripherals.

Mouse subscription

Subscription models have been gaining popularity among business-to-business (B2B) and business-to-consumer (B2C) tech companies because they offer a more reliable, recurring revenue source than hardware sales. When Patel asked Faber if she could “envision a subscription mouse,” she responded, “possibly.”

Faber said subscription software updates would mean that people wouldn’t need to worry about their mouse. The business model is similar to what Logitech already does with video conferencing services (Logitech’s B2B business includes Logitech Select, a subscription service offering things like apps, 24/7 support, and advanced RMA).

Having to pay a regular fee for full use of a peripheral could deter customers, though. HP is trying a similar idea with rentable printers that require a monthly fee. The printers differ from the idea of the forever mouse in that the HP hardware belongs to HP, not the user. However, concerns around tracking and the addition of ongoing expenses are similar.

What about hardware durability?

Logitech’s CEO didn’t discuss what durability features a long-lasting mouse might incorporate. But enabling easier self-repairs and upgrades would be a different approach to a longer-lasting computer mouse that could more directly appeal to users.

Logitech already sells parts for self-repairs of some of its mice and other gadgets through iFixit. This shop could be expanded to feature more parts, offer more guides, and support more products.

A “forever mouse” would also benefit from a design with self-repairability in mind. Features like hot-swappability for mouse button switches for upgrades/repairs; easily replaceable shells, wheels, and feet; detachable cables; and customization options—all accompanied by readily available parts and guides—could go a long way toward making a mouse that fits users’ long-term needs.

During the interview, Faber also discussed Logitech’s goals of doubling its business and cutting its carbon footprint by 50 percent by 2031.


Hackers exploit VMware vulnerability that gives them hypervisor admin

AUTHENTICATION NOT REQUIRED —

Create new group called “ESX Admins” and ESXi automatically gives it admin rights.


Microsoft is urging users of VMware’s ESXi hypervisor to take immediate action to ward off ongoing attacks by ransomware groups that give them full administrative control of the servers the product runs on.

The vulnerability, tracked as CVE-2024-37085, allows attackers who have already gained limited system rights on a targeted server to gain full administrative control of the ESXi hypervisor. Attackers affiliated with multiple ransomware syndicates—including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest—have been exploiting the flaw for months in numerous post-compromise attacks, meaning after the limited access has already been gained through other means.

Admin rights assigned by default

Full administrative control of the hypervisor gives attackers various capabilities, including encrypting the file system and taking down the servers they host. The hypervisor control can also allow attackers to access hosted virtual machines to either exfiltrate data or expand their foothold inside a network. Microsoft discovered the vulnerability under exploit in the normal course of investigating the attacks and reported it to VMware. VMware parent company Broadcom patched the vulnerability on Thursday.

“Microsoft security researchers identified a new post-compromise technique utilized by ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in numerous attacks,” members of the Microsoft Threat Intelligence team wrote Monday. “In several cases, the use of this technique has led to Akira and Black Basta ransomware deployments.”

The post went on to document an astonishing discovery: escalating hypervisor privileges on ESXi to unrestricted admin was as simple as creating a new domain group named “ESX Admins.” From then on, any user added to that group—including newly created accounts—automatically became an ESXi admin, with no further authentication or authorization check. As the Microsoft post explained:

Further analysis of the vulnerability revealed that VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named “ESX Admins” to have full administrative access by default. This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treats any members of a group with this name with full administrative access, even if the group did not originally exist. Additionally, the membership in the group is determined by name and not by security identifier (SID).

Creating the new domain group can be accomplished with just two commands:

  • net group "ESX Admins" /domain /add
  • net group "ESX Admins" username /domain /add

The researchers said that over the past year, ransomware actors have increasingly targeted ESXi hypervisors in attacks that allow them to mass encrypt data with only a “few clicks” required. By encrypting the hypervisor file system, all virtual machines hosted on it are also encrypted. The researchers also said that many security products have limited visibility into and little protection of the ESXi hypervisor.

The ease of exploitation, coupled with the medium severity rating VMware assigned to the vulnerability, a 6.8 out of a possible 10, prompted criticism from some experienced security professionals.

ESXi is a Type 1 hypervisor, also known as a bare-metal hypervisor, meaning it’s an operating system unto itself that’s installed directly on top of a physical server. Unlike Type 2 hypervisors, Type 1 hypervisors don’t run on top of an operating system such as Windows or Linux. Guest operating systems then run on top. Taking control of the ESXi hypervisor gives attackers enormous power.

The Microsoft researchers described one attack they observed by the Storm-0506 threat group to install ransomware known as Black Basta. As intermediate steps, Storm-0506 installed malware known as Qakbot and exploited a previously fixed Windows vulnerability to facilitate the installation of two hacking tools, one known as Cobalt Strike and the other Mimikatz. The researchers wrote:

Earlier this year, an engineering firm in North America was affected by a Black Basta ransomware deployment by Storm-0506. During this attack, the threat actor used the CVE-2024-37085 vulnerability to gain elevated privileges to the ESXi hypervisors within the organization.

The threat actor gained initial access to the organization via Qakbot infection, followed by the exploitation of a Windows CLFS vulnerability (CVE-2023-28252) to elevate their privileges on affected devices. The threat actor then used Cobalt Strike and Pypykatz (a Python version of Mimikatz) to steal the credentials of two domain administrators and to move laterally to four domain controllers.

On the compromised domain controllers, the threat actor installed persistence mechanisms using custom tools and a SystemBC implant. The actor was also observed attempting to brute force Remote Desktop Protocol (RDP) connections to multiple devices as another method for lateral movement, and then again installing Cobalt Strike and SystemBC. The threat actor then tried to tamper with Microsoft Defender Antivirus using various tools to avoid detection.

Microsoft observed that the threat actor created the “ESX Admins” group in the domain and added a new user account to it. Following these actions, Microsoft observed that this attack resulted in encryption of the ESXi file system and loss of functionality of the hosted virtual machines on the ESXi hypervisor. The actor was also observed to use PsExec to encrypt devices that are not hosted on the ESXi hypervisor. Microsoft Defender Antivirus and automatic attack disruption in Microsoft Defender for Endpoint were able to stop these encryption attempts in devices that had the unified agent for Defender for Endpoint installed.

The attack chain used by Storm-0506.

Microsoft

Anyone with administrative responsibility for ESXi hypervisors should prioritize investigating and patching this vulnerability. The Microsoft post provides several methods for identifying suspicious modifications to the ESX Admins group or other potential signs of this vulnerability being exploited.

Hackers exploit VMware vulnerability that gives them hypervisor admin Read More »

Low-income homes drop Internet service after Congress kills discount program

No more broadband discounts —

Charter CEO says “customers’ ability to pay” a concern after $30 discounts end.

A Charter Spectrum service vehicle.

The death of the US government’s Affordable Connectivity Program (ACP) is starting to result in disconnection of Internet service for Americans with low incomes. On Friday, Charter Communications reported a net loss of 154,000 Internet subscribers that it said was mostly driven by customers canceling after losing the federal discount. About 100,000 of those subscribers were reportedly getting the discount, which in some cases made Internet service free to the consumer.

The $30 monthly broadband discounts provided by the ACP ended in May after Congress failed to allocate more funding. The Biden administration requested $6 billion to fund the ACP through December 2024, but Republicans called the program “wasteful.”

Republican lawmakers’ main complaint was that most of the ACP money went to households that already had broadband before the subsidy was created. FCC Chairwoman Jessica Rosenworcel warned that killing the discounts would reduce Internet access, saying an FCC survey found that 77 percent of participating households would change their plan or drop Internet service entirely once the discounts expired.

Charter’s Q2 2024 earnings report provides some of the first evidence of users dropping Internet service after losing the discount. “Second quarter residential Internet customers decreased by 154,000, largely driven by the end of the FCC’s Affordable Connectivity Program subsidies in the second quarter, compared to an increase of 70,000 during the second quarter of 2023,” Charter said.

Across all ISPs, there were 23 million US households enrolled in the ACP. Research released in January 2024 found that Charter was serving over 4 million ACP recipients and that up to 300,000 of those Charter customers would be “at risk” of dropping Internet service if the discounts expired. Given that ACP recipients must meet low-income eligibility requirements, losing the discounts could put a strain on their overall finances even if they choose to keep paying for Internet service.

“The real question is the customers’ ability to pay”

Charter, which offers service under the brand name Spectrum, has 28.3 million residential Internet customers in 41 states. The company’s earnings report said Charter made retention offers to customers that previously received an ACP subsidy. The customer loss apparently would have been higher if not for those offers.

Light Reading reported that Charter attributed about 100,000 of the 154,000 customer losses to the ACP shutdown. Charter said it retained most of its ACP subscribers so far, but that low-income households might not be able to continue paying for Internet service without a new subsidy for much longer:

“We’ve retained the vast majority of ACP customers so far,” Charter CEO Chris Winfrey said on [Friday’s] earnings call, pointing to low-cost Internet programs and the offer of a free mobile line designed to keep those customers in the fold. “The real question is the customers’ ability to pay—not just now, but over time.”

The ACP only lasted a couple of years. The FCC implemented the $30 monthly benefit in early 2022, replacing a previous $50 monthly subsidy from the Emergency Broadband Benefit Program that started enrolling users in May 2021.

Separately, the FCC Lifeline program that provides $9.25 monthly discounts is in jeopardy after a court ruling last week. Lifeline is paid for by the Universal Service Fund, which was the subject of a constitutional challenge.

The US Court of Appeals for the 5th Circuit found that Universal Service fees on phone bills are a “misbegotten tax” that violate the Constitution. But in similar cases, the 6th and 11th circuit appeals courts ruled that the fund is constitutional. The circuit split increases the chances that the Supreme Court will take up the case.

Disclosure: The Advance/Newhouse Partnership, which owns 12.4 percent of Charter, is part of Advance Publications, which also owns Ars Technica parent Condé Nast.

The Summit 1 is not peak mountain bike, but it’s a great all-rounder

Image of a blue hard tail mountain bike leaning against a grey stone wall.

John Timmer

As I mentioned in another recent review, I’ve been checking out electric hardtail mountain bikes lately. Their relative simplicity compared to full-suspension models tends to allow companies to hit a lower price point without sacrificing much in terms of component quality, potentially opening up mountain biking to people who might not otherwise consider it. The first e-hardtail I checked out, Aventon’s Ramblas, fits this description to a T, offering a solid trail riding experience at a price that’s competitive with similar offerings from major manufacturers.

Velotric’s Summit 1 has a slightly different take on the equation. The company has made a few compromises that allowed it to bring the price down to just under $2,000, which is significantly lower than a lot of the competition. The result is something that’s a bit of a step down on some more challenging trails. But it still can do about 90 percent of what most alternatives offer, and it’s probably a better all-around bicycle for people who intend to also use it for commuting or errand-running.

Making the Summit

Velotric is another e-bike-only company, and we’ve generally been impressed by its products, which offer a fair bit of value for their price. The Summit 1 seems to be a reworking of its T-series of bikes (which also impressed us) into mountain bike form. You get a similar app experience and integration of the bike into Apple’s Find My system, though the company has ditched the thumbprint reader, which is supposed to function as a security measure. Velotric has also done some nice work adapting its packaging to smooth out the assembly process, placing different parts in labeled sub-boxes.

Velotric has made it easier to find what you need during assembly.

John Timmer

These didn’t help me avoid all glitches during assembly, though. I ended up having to take apart the front light assembly and remove the handlebars clamp to get the light attached to the bike—all contrary to the instructions. And connecting the color-coded electric cables was more difficult than necessary because two cables had the same color. But it only started up in one of the possible combinations, so it wasn’t difficult to sort out.

The Summit 1’s frame is remarkably similar to the Ramblas; if there wasn’t branding on it, you might need to resort to looking over the components to figure out which one you were looking at. Like the Ramblas, it has a removable battery with a cover that protects from splashes, but it probably won’t stay watertight through any significant fords. The bike also lacks an XL size option, and as usual, the Large was just a bit small for my legs.

The biggest visible difference is at the cranks, which is not where the motor resides on the Summit. Instead, you’ll find that on the rear hub, which typically means a slight step down in performance, though it is often considerably cheaper. For the Summit, the step down seemed very slight. I could definitely feel it in some contexts, but I’m pretty unusual in terms of the number of different hub and mid-motor configurations I’ve experienced (which is my way of saying that most people would never notice).

The Summit 1 has a hub motor on the rear wheel and a relatively compact set of gears.

John Timmer

There are a number of additional price/performance compromises to be found. The biggest is the drivetrain in the back, which has a relatively paltry eight gears and lacks the very large gear rings you’d typically find on mountain bikes without a front derailleur—meaning almost all of them these days. This isn’t as much of a problem as it might seem because the bike is built around a power assist that can easily handle the sort of hills those big gear rings were meant for. But it is an indication of the ways Velotric has kept its costs down. Those gears are paired with a Shimano Altus rear derailleur, which is controlled by a standard dual-trigger shifter and a plastic indicator to track which gear you’re in.

The bike also lacks a dropper seat that you can get out of your way during bouncy descents. Because the frame was small for me anyway, I didn’t really feel its absence. The Summit does have a dedicated mountain bike fork from a Chinese manufacturer called YDH that included an easy-to-access dial that lets you adjust the degree of cushioning you get on the fly. One nice touch is a setting that locks the forks if you’re going to be on smooth pavement for a while. I’m not sure who makes the rims, as I was unable to interpret the graphics on them. But the tires were well-labeled with Kenda, a brand that shows up on a number of other mountain bikes.

Overall, it wasn’t that hard to spot the places Velotric made compromises to bring the bike in at under $2,000. The striking thing was just how few of them there were. The obvious question is whether you’d notice them in practice. We’ll get back to that after we go over the bike’s electronics.

NASA nears decision on what to do with Boeing’s troubled Starliner spacecraft

Boeing’s Starliner spacecraft is seen docked at the International Space Station in this picture taken July 3.

The astronauts who rode Boeing’s Starliner spacecraft to the International Space Station last month still don’t know when they will return to Earth.

Astronauts Butch Wilmore and Suni Williams have been in space for 51 days, six weeks longer than originally planned, as engineers on the ground work through problems with Starliner’s propulsion system.

The problems are twofold. The spacecraft’s reaction control thrusters overheated, and some of them shut off as Starliner approached the space station June 6. A separate, although perhaps related, problem involves helium leaks in the craft’s propulsion system.

On Thursday, NASA and Boeing managers said they still plan to bring Wilmore and Williams home on the Starliner spacecraft. In the last few weeks, ground teams completed testing of a thruster on a test stand at White Sands, New Mexico. This weekend, Boeing and NASA plan to fire the spacecraft’s thrusters in orbit to check their performance while docked at the space station.

“I think we’re starting to close in on those final pieces of flight rationale to make sure that we can come home safely, and that’s our primary focus right now,” said Steve Stich, manager of NASA’s commercial crew program.

The problems have led to speculation that NASA might decide to return Wilmore and Williams to Earth in a SpaceX Crew Dragon spacecraft. There’s one Crew Dragon currently docked at the station, and another one is slated to launch with a fresh crew next month. Stich said the agency has looked at backup plans to bring the Starliner crew home on a SpaceX capsule, but the main focus is still to have the astronauts fly home aboard Starliner.

“Our prime option is to complete the mission,” Stich said. “There are a lot of good reasons to complete this mission and bring Butch and Suni home on Starliner. Starliner was designed, as a spacecraft, to have the crew in the cockpit.”

Starliner launched from Cape Canaveral Space Force Station in Florida on June 5. Wilmore and Williams are the first astronauts to fly into space on Boeing’s commercial crew capsule, and this test flight is intended to pave the way for future operational flights to rotate crews of four to and from the International Space Station.

Once NASA fully certifies Starliner for operational missions, the agency will have two human-rated spaceships for flights to the station. SpaceX’s Crew Dragon has been flying astronauts since 2020.

Tests, tests, and more tests

NASA has extended the duration of the Starliner test flight to conduct tests and analyze data in an effort to gain confidence in the spacecraft’s ability to safely bring its crew home and to better understand the root causes of the overheating thrusters and helium leaks. These problems are inside Starliner’s service module, which is jettisoned to burn up in the atmosphere during reentry, while the reusable crew module, with the astronauts inside, parachutes to an airbag-cushioned landing.

The most important of these tests was a series of test-firings of a Starliner thruster on the ground. This thruster was taken from a set of hardware slated to fly on a future Starliner mission, and engineers put it through a stress test, firing it numerous times to replicate the sequence of pulses it would see in flight. The testing simulated two sequences of flying up to the space station, and five sequences the thruster would execute during undocking and a deorbit burn for return to Earth.

“This thruster has seen quite a bit of pulses, maybe even more than what we would anticipate we would see during a flight, and more aggressive in terms of two uphills and five downhills,” Stich said. “What we did see in the thruster is the same kind of thrust degradation that we’re seeing on orbit. In a number of the thrusters (on Starliner), we’re seeing reduced thrust, which is important.”

Starliner’s flight computer shut off five of the spacecraft’s 28 reaction control system thrusters, produced by Aerojet Rocketdyne, during the rendezvous with the space station last month. Four of the five thrusters were recovered after overheating and losing thrust, but officials have declared one of the thrusters unusable.

The thruster tested on the ground showed similar behavior. Inspections of the thruster at White Sands showed bulging in a Teflon seal in an oxidizer valve, which could restrict the flow of nitrogen tetroxide propellant. The thrusters, each generating about 85 pounds of thrust, consume the nitrogen tetroxide, or NTO, oxidizer and mix it with hydrazine fuel for combustion.

A poppet valve, similar to an inflation valve on a tire, is designed to open and close to allow nitrogen tetroxide to flow into the thruster.

“That poppet has a Teflon seal at the end of it,” said Mark Nappi, Boeing’s Starliner program manager. “Through the heating and natural vacuum that occurs with the thruster firing, that poppet seal was deformed and actually bulged out a little bit.”

Stich said engineers are evaluating the integrity of the Teflon seal to determine if it could remain intact through the undocking and deorbit burn of the Starliner spacecraft. The thrusters aren’t needed while Starliner is attached to the space station.

“Could that particular seal survive the rest of the flight? That’s the important part,” Stich said.

X is training Grok AI on your data—here’s how to stop it

Grok Your Privacy Options —

Some users were outraged to learn this was opt-out, not opt-in.

An AI-generated image released by xAI during the open-weights launch of Grok-1.

Elon Musk-led social media platform X is training Grok, its AI chatbot, on users’ data, and that’s opt-out, not opt-in. If you’re an X user, that means Grok is already being trained on your posts if you haven’t explicitly told it not to.

Over the past day or so, users of the platform noticed the checkbox to opt out of this data usage in X’s privacy settings. The discovery was accompanied by outrage that user data was being used this way to begin with.

The social media posts about this sometimes seem to suggest that Grok has only just begun training on X users’ data, but users actually don’t know for sure when it started happening.

Earlier today, X’s Safety account tweeted, “All X users have the ability to control whether their public posts can be used to train Grok, the AI search assistant.” But it didn’t clarify either when the option became available or when the data collection began.

You cannot currently disable it in the mobile apps, but you can on mobile web, and X says the option is coming to the apps soon.

On the privacy settings page, X says:

To continuously improve your experience, we may utilize your X posts as well as your user interactions, inputs, and results with Grok for training and fine-tuning purposes. This also means that your interactions, inputs, and results may also be shared with our service provider xAI for these purposes.

X’s privacy policy has allowed for this since at least September 2023.

It’s increasingly common for user data to be used this way; for example, Meta has done the same with its users’ content, and there was an outcry when Adobe updated its terms of use to allow for this kind of thing. (Adobe quickly backtracked and promised to “never” train generative AI on creators’ content.)

How to opt out

You can’t opt out within the iOS or Android apps yet, but you can do so in a few quick steps on either mobile or desktop web. To do so:

  • Click or tap “More” in the nav panel
  • Click or tap “Settings and privacy”
  • Click or tap “Privacy and safety”
  • Scroll down and click or tap “Grok” under “Data sharing and personalization”
  • Uncheck the box “Allow your posts as well as your interactions, inputs, and results with Grok to be used for training and fine-tuning,” which is checked by default.

Alternatively, you can follow this link directly to the settings page and uncheck the box with just one more click. If you’d like, you can also delete your conversation history with Grok here, provided you’ve actually used the chatbot before.

97% of CrowdStrike systems are back online; Microsoft suggests Windows changes

falcon punch —

Kernel access gives security software a lot of power, but not without problems.

A bad update to CrowdStrike's Falcon security software crashed millions of Windows PCs last week.

CrowdStrike

CrowdStrike CEO George Kurtz said Thursday that 97 percent of all Windows systems running its Falcon sensor software were back online, a week after an update-related outage to the corporate security software delayed flights and took down emergency response systems, among many other disruptions. The update, which caused Windows PCs to throw the dreaded Blue Screen of Death and reboot, affected about 8.5 million systems by Microsoft’s count, leaving roughly 250,000 that still need to be brought back online.

Microsoft VP John Cable said in a blog post that the company has “engaged over 5,000 support engineers working 24×7” to help clean up the mess created by CrowdStrike’s update and hinted at Windows changes that could help—if they don’t run afoul of regulators, anyway.

“This incident shows clearly that Windows must prioritize change and innovation in the area of end-to-end resilience,” wrote Cable. “These improvements must go hand in hand with ongoing improvements in security and be in close cooperation with our many partners, who also care deeply about the security of the Windows ecosystem.”

Cable pointed to VBS enclaves and Azure Attestation as examples of products that could keep Windows secure without requiring kernel-level access, as most Windows-based security products (including CrowdStrike’s Falcon sensor) do now. But he stopped short of outlining what specific changes might be made to Windows, saying only that Microsoft would continue to “harden our platform, and do even more to improve the resiliency of the Windows ecosystem, working openly and collaboratively with the broad security community.”

When running in kernel mode rather than user mode, security software has full access to a system’s hardware and software, which makes it more powerful and flexible; this also means that a bad update like CrowdStrike’s can cause a lot more problems.

Recent versions of macOS have deprecated third-party kernel extensions for exactly this reason, one explanation for why Macs weren’t taken down by the CrowdStrike update. But past efforts by Microsoft to lock third-party security companies out of the Windows kernel—most recently in the Windows Vista era—have been met with pushback from European Commission regulators. That level of skepticism is warranted, given Microsoft’s past (and continuing) record of using Windows’ market position to push its own products and services. Any present-day attempt to restrict third-party vendors’ access to the Windows kernel would be likely to draw similar scrutiny.

Microsoft has also had plenty of its own security problems to deal with recently, to the point that it has promised to restructure the company to make security more of a focus.

CrowdStrike’s aftermath

CrowdStrike has made its own promises in the wake of the outage, including more thorough testing of updates and a phased-rollout system that could prevent a bad update file from causing quite as much trouble as the one last week did. The company’s initial incident report pointed to a lapse in its testing procedures as the cause of the problem.

Meanwhile, recovery continues. Some systems could be fixed simply by rebooting, though they had to do it as many as 15 times—this could give systems a chance to grab a new update file before they could crash. For the rest, IT admins were left to either restore them from backups or delete the bad update file manually. Microsoft published a bootable tool that could help automate the process of deleting that file, but it still required laying hands on every single affected Windows install, whether on a virtual machine or a physical system.

And not all of CrowdStrike’s remediation solutions have been well-received. The company sent out $10 UberEats promo codes to cover some of its partners’ “next cup of coffee or late night snack,” which occasioned some eye-rolling on social media sites (the code was also briefly unusable because Uber flagged it as fraudulent, according to a CrowdStrike representative). For context, analytics company Parametrix Insurance estimated the cost of the outage to Fortune 500 companies somewhere in the realm of $5.4 billion.
