An anonymous reader quotes a report from Ars Technica: Hardware sold for years by the likes of Intel and Lenovo contains a remotely exploitable vulnerability that will never be fixed. The cause: a supply chain snafu involving an open source software package and hardware from multiple manufacturers that directly or indirectly incorporated it into their products. Researchers from security firm Binarly have confirmed that the lapse has resulted in Intel, Lenovo, and Supermicro shipping server hardware that contains a vulnerability that can be exploited to reveal security-critical information. The researchers, however, went on to warn that any hardware that incorporates certain generations of baseboard management controllers made by Duluth, Georgia-based AMI or Taiwan-based AETN are also affected.

BMCs are tiny computers soldered into the motherboard of servers that allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of servers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system -- even when it's turned off. BMCs provide what's known in the industry as "lights-out" system management. AMI and AETN are two of several makers of BMCs. For years, BMCs from multiple manufacturers have incorporated vulnerable versions of open source software known as lighttpd. Lighttpd is a fast, lightweight web server that's compatible with various hardware and software platforms. It's used in all kinds of wares, including in embedded devices like BMCs, to allow remote administrators to control servers remotely with HTTP requests. [...] "All these years, [the lighttpd vulnerability] was present inside the firmware and nobody cared to update one of the third-party components used to build this firmware image," Binarly researchers wrote Thursday. "This is another perfect example of inconsistencies in the firmware supply chain. A very outdated third-party component present in the latest version of firmware, creating additional risk for end users. Are there more systems that use the vulnerable version of lighttpd across the industry?"

The vulnerability makes it possible for hackers to identify memory addresses responsible for handling key functions. Operating systems take pains to randomize and conceal these locations so they can't be used in software exploits. By chaining an exploit for the lighttpd vulnerability with a separate vulnerability, hackers could defeat this standard protection, which is known as address space layout randomization. The chaining of two or more exploits has become a common feature of hacking attacks these days as software makers continue to add anti-exploitation protections to their code. Tracking the supply chain for multiple BMCs used in multiple server hardware is difficult. So far, Binarly has identified AMI's MegaRAC BMC as one of the vulnerable BMCs. The security firm has confirmed that the AMI BMC is contained in the Intel Server System M70KLP hardware. Information about BMCs from ATEN or hardware from Lenovo and Supermicro aren't available at the moment. The vulnerability is present in any hardware that uses lighttpd versions 1.4.35, 1.4.45, and 1.4.51. "A potential attacker can exploit this vulnerability in order to read memory of Lighttpd Web Server process," Binarly researchers wrote in an advisory. "This may lead to sensitive data exfiltration, such as memory addresses, which can be used to bypass security mechanisms such as ASLR." Advisories are available here, here, and here.

Tom Warren reports via The Verge: Microsoft is naming Pavan Davuluri as its new Windows and Surface chief today. After Panos Panay's surprise departure to Amazon last year, Microsoft split up the Windows and Surface groups under two different leaders. Davuluri took over the Surface silicon and devices work, with Mikhail Parakhin leading a new team focused on Windows and web experiences. Now both Windows and Surface will be Davuluri's responsibility, as Parakhin has "decided to explore new roles."

The Verge has obtained an internal memo from Rajesh Jha, Microsoft's head of experiences and devices, outlining the new Windows organization. Microsoft is now bringing together its Windows and devices teams once more. "This will enable us to take a holistic approach to building silicon, systems, experiences, and devices that span Windows client and cloud for this AI era," explains Jha. Pavan Davuluri is now the leader of Microsoft's Windows and Surface team, reporting directly to Rajesh Jha. Davuluri has worked at Microsoft for more than 23 years and was deeply involved in the company's work with Qualcomm and AMD to create custom Surface processors.

Mikhail Parakhin will now report to Kevin Scott during a transition phase, but his future at Microsoft looks uncertain, and it's likely those "new roles" will be outside the company. Parakhin had been working closely on Bing Chat before taking on the broader Windows engineering responsibilities and changes to Microsoft Edge. The Windows shake-up comes just days after Google DeepMind co-founder and former Inflection AI CEO Mustafa Suleyman joined Microsoft as the CEO of a new AI team. Microsoft also hired a bunch of Inflection AI employees, including co-founder Karen Simonyan who is now the chief scientist of Microsoft AI.

In an interview Saturday, CNN first asked Steve Wozniak about Apple's "walled garden" approach — and whether there's any disconnect between Apple's stated interest in user security and privacy, and its own self-interest?

Wozniak responded, "I think there are things you can say on all sides of it. "I'm kind of glad for the protection that I have for my privacy and for you know not getting hacked as much. Apple does a better job than the others.

And tracking you — tracking you is questionable, but my gosh, look at what we're accusing TikTok of, and then go look at Facebook and Google... That's how they make their business! I mean, Facebook was a great idea. But then they make all their money just by tracking you and advertising.

And Apple doesn't really do that as much. I consider Apple the good guy.
So then CNN directly asked Wozniak's opinion about the proposed ban on TikTok in the U.S. "Well, one, I don't understand it. I don't see why. I mean, I get a lot of entertainment out of TikTok — and I avoid the social web. But I love to watch TikTok, even if it's just for rescuing dog videos and stuff.

And so I'm thinking, well, what are we saying? We're saying 'Oh, you might be tracked by the Chinese'. Well, they learned it from us.

I mean, look, if you have a principle — a person should not be tracked without them knowing it? It's kind of a privacy principle — I was a founder of the EFF. And if you have that principle, you apply it the same to every company, or every country. You don't say, 'Here's one case where we're going to outlaw an app, but we're not going to do it in these other cases.'

So I don't like the hypocrisy. And that's always obviously common from a political realm.

Indian Express calls it "the ultimate smartphone killer". (Coming soon, its laser-on-your-palm feature will display stock prices, sports scores, and flight statuses.)

Humane's Ai Pin can even translate what you say, repeating it out loud in another language (with 50 different languages supported). And it can read you summaries of what's on your favorite web sites, so "You can just surf the web with your voice," according to a new video released this week.

The video also shows it answering specific questions like "What's that song by 21 Savage with the violin intro?" (And later, while the song is playing, answering more questions like "This was sampled from another song. What song was that?") But then co-founder Imran Chaudhri — an iPhone designer and one of several former Apple employees at Humane — demonstrated a "Vision" feature that's coming soon. Holding a Sony Walkman he asks the Pin to "Look at this and tell me when it first came out" — and the Pin obliges. ("The Sony Walkman WM-F73 was released in 1986...") In another demo it correctly supplied the designer of an Air Jordan basketball shoe.

They're also working on integrating this into a Nutrition Tracking application. (A demonstrator held a doughnut and asked the Pin to identify how much sugar was in it.) If you tell the Pin that you've eaten the doughnut, it can then calculate your intake of carbs, protein, and fats.

And in the video the Pin responded within seconds to the command "Make a spreadsheet about top consumer tech reviewers on YouTube [with] real names, subscriber counts, and URLs." It performed the research and created the spreadsheet, which appears on the demonstrator's laptop, apparently logged in to Humane's cloud-based user platform.

In the video Humane's co-founder stresses that its Ai Pin does all this without downloading applications, "which allows me to stay present in the moment and flow." But while it can also make phone calls and sends text messages, Imran Chaudhri adds that "Ai Pin is a completely new form factor for compute. It's never been about replacing. It's always been about creating new ways to interact with what you need. So instead of having to sit down to use a computer, or reaching in to your pocket and pulling out your phone and navigating apps, Ai Pin allows you to simply act on something the moment you think about it — letting AI do all the work for you."

Or, as they say later "This is about technology adapting and reacting to you. Not you having to adapt to it."

There's also talk about their "AI OS" — named Cosmos — with the Pin described as "our first entry point" into that operating system, with other devices planned to support it in the future. (Mashable's reporter notes that Humane's Ai Pin is backed by OpenAI CEO Sam Altman, and writes "I was impressed with how well it worked.") The video even ends with an update for SDK developers. In the second half of 2024, "you're going to be able to connect your services to the Ai Pin using REST APIs and OAuth." Phase two will let developers run their code directly on Humane's cloud platform — while Phase three will see developers codes on Ai Pin devices, "to get access to the mic, the camera, the sensors, and the laser. We are so excited to see what you're gonna build."

Humane says its Ai Pin will start shipping at the end of March, with priority orders arriving starting on April 11th.

Apple is planning to make further changes in EU countries to allow some developers to distribute their iOS apps directly from a website. From a report: The new web distribution feature will be available with a software update "later this spring," according to Apple, providing developers with a key new way to distribute iOS apps in EU markets without the need for a separate app store -- as long as they're willing to adhere to Apple's strict rules.

While Apple is opening up iOS to more third-party apps here, these are still some key security protections around how apps are distributed via websites -- namely, you'll still have to work within the strict Apple app development ecosystem.

As reported by 404 Media, the New York Times has issued hundreds of copyright takedown requests against Wordle clones "in which it asserts not just ownership over the Wordle name but over the broad concepts and mechanics of the word game, which includes its '5x6 grid' and 'green tiles to indicate correct guesses.'" From the report: The Times filed at least three DMCA takedown requests with coders who have made clones of Wordle on GitHub. These include two in January and, crucially, a new DMCA filed this week against Chase Wackerfuss, the coder of a repository called âoeReactle,â which cloned Wordle in React JS (JavaScript). The most recent takedown request is critical because it not only goes after Reactle but anyone who has forked Reactle to create a different spinoff game; an archive of the Reactle code repository shows that it was forked 1,900 times to create a diverse set of games and spinoffs. These include Wordle clones in dozens of languages, crossword versions of Wordle, emoji and bird versions of world, poker and AI spinoffs, etc.

"I write to submit a revised DMCA Notice regarding an infringing repository (and hundreds of forked repositories) hosted by Github that instruct users how to infringe The New York Times Co.'s ('The Times') copyright in its immensely popular Wordle game and create knock-off copies of the same. Unfortunately, hundreds of individuals have followed these instructions and published infringing Wordle knock-off games that The Times has spent the past month removing, including off of Github's websites," the DMCA takedown request against Reactle reads. "The Times's Wordle copyright includes the unique elements of its immensely popular game, such as the 5x6 grid, green tiles to indicate correct guesses, yellow tiles to indicate the correct letter but the wrong place within the word, and the keyboard directly beneath the grid. This gameplay is copied exactly in the repository, and the owner instructs others how to knock off the game and create an identical word game," it adds.

The DMCA request then says that GitHub must delete forks of the repository, which it writes were "infringing to the same extent as the parent repository" and which it says were made in what was "clearly bad faith." [...] The DMCA takedown requests are particularly notable because they come at a time when the New York Times is financially thriving, while many of its competitors are losing money, laying people off, and shutting down. The Times is thriving in part because Wordle, the crossword puzzle, and its recipe apps are juggernauts. The company has been aggressively expanding its "Games" business with Wordle, Connections, and a brand new word search game called Strands. The New York Times issued a statement in response: "The Times has no issue with individuals creating similar word games that do not infringe The Times's 'Wordle' trademarks or copyrighted gameplay. The Times took action against a GitHub user and others who shared his code to defend its intellectual property rights in Wordle. The user created a 'Wordle clone' project that instructed others how to create a knock-off version of The Times's Wordle game featuring many of the same copyrighted elements. As a result, hundreds of websites began popping up with knock-off 'Wordle' games that used The Times's 'Wordle' trademark and copyrighted gameplay without authorization or permission."

Michelle Lewis reports via Electrek: One of the US's largest nuclear power plants will directly power cloud service provider Amazon Web Services' new data center. Power provider Talen Energy sold its data center campus, Cumulus Data Assets, to Amazon Web Services for $650 million. Amazon will develop an up to 960-megawatt (MW) data center at the Salem Township site in Luzerne County, Pennsylvania. The 1,200-acre campus is directly powered by an adjacent 2.5 gigawatt (GW) nuclear power station also owned by Talen Energy.

The 1,075-acre Susquehanna Steam Electric Station is the sixth-largest nuclear power plant in the US. It's been online since 1983 and produces 63 million kilowatt hours per day. The plant has two General Electric boiling water reactors within a Mark II containment building that are licensed through 2042 and 2044. According to Talen Energy's investor presentation, it will supply fixed-price nuclear power to Amazon's new data center as it's built. Amazon has minimum contractual power commitments that ramp up in 120 MW increments over several years. The cloud service giant has a one-time option to cap commitments at 480 MW and two 10-year extension options tied to nuclear license renewals.

Apple is reversing its previous decision to remove support for Home Screen web apps in iOS 17.4 for EU users. Apple's statement: Previously, Apple announced plans to remove the Home Screen web apps capability in the EU as part of our efforts to comply with the DMA. The need to remove the capability was informed by the complex security and privacy concerns associated with web apps to support alternative browser engines that would require building a new integration architecture that does not currently exist in iOS.

We have received requests to continue to offer support for Home Screen web apps in iOS, therefore we will continue to offer the existing Home Screen web apps capability in the EU. This support means Home Screen web apps continue to be built directly on WebKit and its security architecture, and align with the security and privacy model for native apps on iOS.

Developers and users who may have been impacted by the removal of Home Screen web apps in the beta release of iOS in the EU can expect the return of the existing functionality for Home Screen web apps with the availability of iOS 17.4 in early March.

Apple has now offered an explanation for why iOS 17.4 removes support for Home Screen web apps in the European Union. Spoiler: it's because of the Digital Markets Act that went into effect last August. 9to5Mac reports: Last week, iPhone users in the European Union noticed that they were no longer able to install and run web apps on their iPhone's Home Screen in iOS 17.4. Apple has added a number of features over the years to improve support for progressive web apps on iPhone. For example, iOS 16.4 allowed PWAs to deliver push notifications with icon badges. One change in iOS 17.4 is that the iPhone now supports alternative browser engines in the EU. This allows companies to build browsers that don't use Apple's WebKit engine for the first time. Apple says that this change, required by the Digital Markets Act, is why it has been forced to remove Home Screen web apps support in the European Union.

Apple explains that it would have to build an "entirely new integration architecture that does not currently exist in iOS" to address the "complex security and privacy concerns associated with web apps using alternative browser engines." This work "was not practical to undertake given the other demands of the DMA and the very low user adoption of Home Screen web apps," Apple explains. "And so, to comply with the DMA's requirements, we had to remove the Home Screen web apps feature in the EU." "EU users will be able to continue accessing websites directly from their Home Screen through a bookmark with minimal impact to their functionality," Apple continues.

It's understandable that Apple wouldn't offer support for Home Screen web apps for third-party browsers. But why did it also remove support for Home Screen web apps for Safari? Unfortunately, that's another side effect of the Digital Markets Act. The DMA requires that all browsers have equality, meaning that Apple can't favor Safari and WebKit over third-party browser engines. Therefore, because it can't offer Home Screen web apps support for third-party browsers, it also can't offer support via Safari. [...] iOS 17.4 is currently available to developers and public beta testers, and is slated for a release in early March. The full explanation was published on Apple's developer website today.

It's "a free and open-source, software-defined storage platform," according to Wikipedia, providing object storage, block storage, and file storage "built on a common distributed cluster foundation". The charter advisory board for Ceph included people from Canonical, CERN, Cisco, Fujitsu, Intel, Red Hat, SanDisk, and SUSE.

And Nite_Hawk (Slashdot reader #1,304) is one of its core engineers — a former Red Hat principal software engineer named Mark Nelson. (He's now leading R&D for a small cloud systems company called Clyso that provides Ceph consulting.) And he's returned to Slashdot to share a blog post describing "a journey to 1 TiB/s". This gnarly tale-from-Production starts while assisting Clyso with "a fairly hip and cutting edge company that wanted to transition their HDD-backed Ceph cluster to a 10 petabyte NVMe deployment" using object-based storage devices [or OSDs]...) I can't believe they figured it out first. That was the thought going through my head back in mid-December after several weeks of 12-hour days debugging why this cluster was slow... Half-forgotten superstitions from the 90s about appeasing SCSI gods flitted through my consciousness...

Ultimately they decided to go with a Dell architecture we designed, which quoted at roughly 13% cheaper than the original configuration despite having several key advantages. The new configuration has less memory per OSD (still comfortably 12GiB each), but faster memory throughput. It also provides more aggregate CPU resources, significantly more aggregate network throughput, a simpler single-socket configuration, and utilizes the newest generation of AMD processors and DDR5 RAM. By employing smaller nodes, we halved the impact of a node failure on cluster recovery....

The initial single-OSD test looked fantastic for large reads and writes and showed nearly the same throughput we saw when running FIO tests directly against the drives. As soon as we ran the 8-OSD test, however, we observed a performance drop. Subsequent single-OSD tests continued to perform poorly until several hours later when they recovered. So long as a multi-OSD test was not introduced, performance remained high. Confusingly, we were unable to invoke the same behavior when running FIO tests directly against the drives. Just as confusing, we saw that during the 8 OSD test, a single OSD would use significantly more CPU than the others. A wallclock profile of the OSD under load showed significant time spent in io_submit, which is what we typically see when the kernel starts blocking because a drive's queue becomes full...

For over a week, we looked at everything from bios settings, NVMe multipath, low-level NVMe debugging, changing kernel/Ubuntu versions, and checking every single kernel, OS, and Ceph setting we could think of. None these things fully resolved the issue. We even performed blktrace and iowatcher analysis during "good" and "bad" single OSD tests, and could directly observe the slow IO completion behavior. At this point, we started getting the hardware vendors involved. Ultimately it turned out to be unnecessary. There was one minor, and two major fixes that got things back on track.
It's a long blog post, but here's where it ends up:

• Fix One: "Ceph is incredibly sensitive to latency introduced by CPU c-state transitions. A quick check of the bios on these nodes showed that they weren't running in maximum performance mode which disables c-states."

• Fix Two: [A very clever engineer working for the customer] "ran a perf profile during a bad run and made a very astute discovery: A huge amount of time is spent in the kernel contending on a spin lock while updating the IOMMU mappings. He disabled IOMMU in the kernel and immediately saw a huge increase in performance during the 8-node tests." In a comment below, Nelson adds that "We've never seen the IOMMU issue before with Ceph... I'm hoping we can work with the vendors to understand better what's going on and get it fixed without having to completely disable IOMMU."

• Fix Three: "We were not, in fact, building RocksDB with the correct compile flags... It turns out that Canonical fixed this for their own builds as did Gentoo after seeing the note I wrote in do_cmake.sh over 6 years ago... With the issue understood, we built custom 17.2.7 packages with a fix in place. Compaction time dropped by around 3X and 4K random write performance doubled."

The story has a happy ending, with performance testing eventually showing data being read at 635 GiB/s — and a colleague daring them to attempt 1 TiB/s. They built a new testing configuration targeting 63 nodes — achieving 950GiB/s — then tried some more performance optimizations...

"The ambient light sensors present in most mobile devices can be accessed by software without any special permissions, unlike permissions required for accessing the microphone or the cameras," writes longtime Slashdot reader BishopBerkeley. "When properly interrogated, the data from the light sensor can reveal much about the user." IEEE Spectrum reports: While that may not seem to provide much detailed information, researchers have already shown these sensors can detect light intensity changes that can be used to infer what kind of TV programs someone is watching, what websites they are browsing or even keypad entries on a touchscreen. Now, [Yang Liu, a PhD student at MIT] and colleagues have shown in a paper in Science Advances that by cross-referencing data from the ambient light sensor on a tablet with specially tailored videos displayed on the tablet's screen, it's possible to generate images of a user's hands as they interact with the tablet. While the images are low-resolution and currently take impractically long to capture, he says this kind of approach could allow a determined attacker to infer how someone is using the touchscreen on their device. [...]

"The acquisition time in minutes is too cumbersome to launch simple and general privacy attacks on a mass scale," says Lukasz Olejnik, an independent security researcher and consultant who has previously highlighted the security risks posed by ambient light sensors. "However, I would not rule out the significance of targeted collections for tailored operations against chosen targets." But he also points out that, following his earlier research, the World Wide Web Consortium issued a new standard that limited access to the light sensor API, which has already been adopted by browser vendors.

Liu notes, however, that there are still no blanket restrictions for Android apps. In addition, the researchers discovered that some devices directly log data from the light sensor in a system file that is easily accessible, bypassing the need to go through an API. The team also found that lowering the resolution of the images could bring the acquisition times within practical limits while still maintaining enough detail for basic recognition tasks. Nonetheless, Liu agrees that the approach is too complicated for widespread attacks. And one saving grace is that it is unlikely to ever work on a smartphone as the displays are simply too small. But Liu says their results demonstrate how seemingly harmless combinations of components in mobile devices can lead to surprising security risks.

An anonymous reader quotes a report from Ars Technica: Google is updating the warning on Chrome's Incognito mode to make it clear that Google and websites run by other companies can still collect your data in the web browser's semi-private mode. The change is being made as Google prepares to settle a class-action lawsuit that accuses the firm of privacy violations related to Chrome's Incognito mode. The expanded warning was recently added to Chrome Canary, a nightly build for developers. The warning appears to directly address one of the lawsuit's complaints, that the Incognito mode's warning doesn't make it clear that Google collects data from users of the private mode.

Many tech-savvy people already know that while private modes in web browsers prevent some data from being stored on your device, they don't prevent tracking by websites or Internet service providers. But many other people may not understand exactly what Incognito mode does, so the more specific warning could help educate users. The new warning seen in Chrome Canary when you open an incognito window says: "You've gone Incognito. Others who use this device won't see your activity, so you can browse more privately. This won't change how data is collected by websites you visit and the services they use, including Google." The wording could be interpreted to refer to Google websites and third-party websites, including third-party websites that rely on Google ad services. The new warning was not yet in the developer, beta, and stable branches of Chrome as of today. It also wasn't in Chromium. The change to Canary was previously reported by MSPowerUser.

Incognito mode in the stable version of Chrome still says: "You've gone Incognito. Now you can browse privately, and other people who use this device won't see your activity." Among other changes, the Canary warning replaces "browse privately" with "browse more privately." The stable and Canary warnings both say that your browsing activity might still be visible to "websites you visit," "your employer or school," or "your Internet service provider." But only the Canary warning currently includes the caveat that Incognito mode "won't change how data is collected by websites you visit and the services they use, including Google." The old and new warnings both say that Incognito mode prevents Chrome from saving your browsing history, cookies and site data, and information entered in forms, but that "downloads, bookmarks and reading list items will be saved." Both warnings link to this page, which provides more detail on Incognito mode.

An anonymous reader quotes a report from The Intercept: OpenAI this week quietly deleted language expressly prohibiting the use of its technology for military purposes from its usage policy, which seeks to dictate how powerful and immensely popular tools like ChatGPT can be used. Up until January 10, OpenAI's "usage policies" page included a ban on "activity that has high risk of physical harm, including," specifically, "weapons development" and "military and warfare." That plainly worded prohibition against military applications would seemingly rule out any official, and extremely lucrative, use by the Department of Defense or any other state military. The new policy retains an injunction not to "use our service to harm yourself or others" and gives "develop or use weapons" as an example, but the blanket ban on "military and warfare" use has vanished.

The unannounced redaction is part of a major rewrite of the policy page, which the company said was intended to make the document "clearer" and "more readable," and which includes many other substantial language and formatting changes. "We aimed to create a set of universal principles that are both easy to remember and apply, especially as our tools are now globally used by everyday users who can now also build GPTs," OpenAI spokesperson Niko Felix said in an email to The Intercept. "A principle like 'Don't harm others' is broad yet easily grasped and relevant in numerous contexts. Additionally, we specifically cited weapons and injury to others as clear examples." Felix declined to say whether the vaguer "harm" ban encompassed all military use, writing, "Any use of our technology, including by the military, to '[develop] or [use] weapons, [injure] others or [destroy] property, or [engage] in unauthorized activities that violate the security of any service or system,' is disallowed." "OpenAI is well aware of the risk and harms that may arise due to the use of their technology and services in military applications," said Heidy Khlaaf, engineering director at the cybersecurity firm Trail of Bits and an expert on machine learning and autonomous systems safety, citing a 2022 paper (PDF) she co-authored with OpenAI researchers that specifically flagged the risk of military use. "There is a distinct difference between the two policies, as the former clearly outlines that weapons development, and military and warfare is disallowed, while the latter emphasizes flexibility and compliance with the law," she said. "Developing weapons, and carrying out activities related to military and warfare is lawful to various extents. The potential implications for AI safety are significant. Given the well-known instances of bias and hallucination present within Large Language Models (LLMs), and their overall lack of accuracy, their use within military warfare can only lead to imprecise and biased operations that are likely to exacerbate harm and civilian casualties."

"I could imagine that the shift away from 'military and warfare' to 'weapons' leaves open a space for OpenAI to support operational infrastructures as long as the application doesn't directly involve weapons development narrowly defined," said Lucy Suchman, professor emerita of anthropology of science and technology at Lancaster University. "Of course, I think the idea that you can contribute to warfighting platforms while claiming not to be involved in the development or use of weapons would be disingenuous, removing the weapon from the sociotechnical system -- including command and control infrastructures -- of which it's part." Suchman, a scholar of artificial intelligence since the 1970s and member of the International Committee for Robot Arms Control, added, "It seems plausible that the new policy document evades the question of military contracting and warfighting operations by focusing specifically on weapons."

Shortly after the premium email service Hey announced a standalone Hey Calendar app, co-founder David Heinemeier Hansson said it was rejected by Apple for violating App Store rules.

"Apple just called to let us know they're rejecting the HEY Calendar app from the App Store (in current form)," wrote DHH on X. "Same bullying tactics as last time: Push delicate rejections to a call with a first-name-only person who'll softly inform you it's your wallet or your kneecaps. Since it's clear we're never going to pay them the extortionate 30% ransom, they're back to the bullshit about 'the app doesn't do anything when you download it.' Despite the fact that after last time, they specifically carved out HEY in App Store Review Guidelines 3.1.3 (f)!" The Verge's Amrita Khalid reports: New users can't sign up for Hey Calendar directly on the app -- Basecamp, which makes Hey, makes users first sign up through a browser. Apple's App Store rules require most paid services to offer users the ability to pay and sign up through the app, ensuring the company gets up to a 30 percent cut. The controversial rule has a ton of gray areas and carve-outs (i.e. reader apps like Spotify and Kindle get an exception) and is the subject of antitrust fights in multiple countries. But as Hansson detailed on X and in a subsequent blog post, he found Apple's rejection insulting for another reason. Close to four years ago, the company rejected Hey's original iOS app for its email service for the exact same reason.

The outcome of the 2020 fight actually worked out in Hey's favor. After days of back and forth between Apple's App Store Review Board and Basecamp, the Hey team agreed to a rather creative solution suggested by Apple exec Phil Schiller. Hey would offer a free option for the iOS app, allowing new users to sign up directly. But the company had a slight twist -- users who signed up via the iOS app got a free, temporary randomized email address that worked for 14 days -- after which they had to pay to upgrade. Currently, Hey email users can only pay for an account through the browser. Following the saga with Hey, Apple made a carve-out to its App Store rules that stated that free companion apps to certain types of paid web services were not required to have an in-app payment mechanism. But, as Hansson mentions on X, a calendar app wasn't mentioned in the list of services that Apple now makes an exception for, which includes VOIP, cloud storage, web hosting -- and of course -- email. Hansson plans to fight Apple's decision without elaborating on exactly how he intends to do so.

Alphabet will pay $700 million and alter its Google Play policies to settle claims that the app store unlawfully dominates the Android mobile applications market, resolving antitrust complaints brought by attorneys general of about three dozen states and consumers. From a report: The deal disclosed in a court filing late Monday calls for tweaks to Google Play policies designed to reduce barriers to competition in the markets for app distribution and payment processing. The lawsuits that were grouped together in federal court in California had threatened billions of dollars in revenue generated by the sale and distribution of apps through Google Play. Google will also make a series of changes to its business practices as part of the settlement. In a blog post, the Android-maker said: Streamlining sideloading while prioritizing security: Unlike on iOS, Android users have the option to sideload apps, meaning they can download directly from a developer's website without going through an app store like Google Play. While we maintain it is critical to our safety efforts to inform users that sideloading on mobile could come with unique risks, as part of our settlement we will be further simplifying the sideloading process and updating the language that informs users about these potential risks of downloading apps directly from the web for the first time.
Expanding user choice billing to more people: App and game developers will be able to implement an alternative billing option alongside Google Play's billing system for their U.S. users who can then choose which option to use when making in-app purchases. We have been piloting user choice billing in the U.S. for over a year and will now expand this option further.
Expanding open communication on pricing: We have always given developers more ways to interact with their customers than iOS and other operating systems. For example, Google Play allows developers to communicate freely with their customers outside the app about subscription offers or lower-cost options available on a rival app store or the developer's website. This openness has spurred competition and benefited consumers and developers. As part of user choice billing, which we're expanding with today's settlement announcement, developers are also able to show different pricing options within the app when a user makes a digital purchase.

Meta, OpenAI, and Microsoft said at an AMD investor event today that they will use AMD's newest AI chip, the Instinct MI300X, as an alternative to Nvidia's expensive graphic processors. "If AMD's latest high-end chip is good enough for the technology companies and cloud service providers building and serving AI models when it starts shipping early next year, it could lower costs for developing AI models and put competitive pressure on Nvidia's surging AI chip sales growth," reports CNBC. From the report: "All of the interest is in big iron and big GPUs for the cloud," AMD CEO Lisa Su said Wednesday. AMD says the MI300X is based on a new architecture, which often leads to significant performance gains. Its most distinctive feature is that it has 192GB of a cutting-edge, high-performance type of memory known as HBM3, which transfers data faster and can fit larger AI models. Su directly compared the MI300X and the systems built with it to Nvidia's main AI GPU, the H100. "What this performance does is it just directly translates into a better user experience," Su said. "When you ask a model something, you'd like it to come back faster, especially as responses get more complicated."

The main question facing AMD is whether companies that have been building on Nvidia will invest the time and money to add another GPU supplier. "It takes work to adopt AMD," Su said. AMD on Wednesday told investors and partners that it had improved its software suite called ROCm to compete with Nvidia's industry standard CUDA software, addressing a key shortcoming that had been one of the primary reasons AI developers currently prefer Nvidia. Price will also be important. AMD didn't reveal pricing for the MI300X on Wednesday, but Nvidia's can cost around $40,000 for one chip, and Su told reporters that AMD's chip would have to cost less to purchase and operate than Nvidia's in order to persuade customers to buy it.

On Wednesday, AMD said it had already signed up some of the companies most hungry for GPUs to use the chip. Meta and Microsoft were the two largest purchasers of Nvidia H100 GPUs in 2023, according to a recent report from research firm Omidia. Meta said it will use MI300X GPUs for AI inference workloads such as processing AI stickers, image editing, and operating its assistant. Microsoft's CTO, Kevin Scott, said the company would offer access to MI300X chips through its Azure web service. Oracle's cloud will also use the chips. OpenAI said it would support AMD GPUs in one of its software products, called Triton, which isn't a big large language model like GPT but is used in AI research to access chip features.

An anonymous reader quotes a report from Ars Technica: App developer Elias Saba has had some bad luck with Digital Millennium Copyright Act (DMCA) takedowns. His Android TV app Downloader, which combines a web browser with a file manager, was suspended by Google Play in May after several Israeli TV companies complained that the app could be used to load a pirate website. Google reversed that suspension after three weeks. But Downloader has been suspended by Google Play again, and this time the reason is even harder to understand. Based on a vague DMCA notice, it appears that Downloader was suspended simply because it can load the Warner Bros. website. [...]

The notice includes a copy of the DMCA complaint, which came from MarkScan, a "digital asset protection" firm that content owners hire to enforce copyrights. MarkScan said in its complaint that it represents Warner Bros. Discovery Inc. A DMCA notice is supposed to identify and describe the copyrighted work that was infringed. But MarkScan's notice about Downloader identifies the copyrighted work only as "Properties of Warner Bros. Discovery Inc." It provides no detail on which Warner Bros. work was infringed by Downloader. A DMCA notice is also supposed to provide an example of where someone can see "an authorized example of the work." In this field, MarkScan simply entered the main Warner Bros. URL: https://www.warnerbros.com/. The Downloader app had been installed over 10 million times before the takedown, according to an Internet Archive capture taken before the latest suspension.

Saba appealed the takedown today, but he told us that the appeal was rejected by Google Play after 24 minutes. Saba said he also submitted a DMCA counter-notice, which gives the complainant 10 business days from today to file a legal action. After his first takedown in May, his app was reinstated after the DMCA complainant didn't take any legal action. Saba also wrote a blog post today about the latest takedown. "Given that my app still does not contain any copyright-infringing content and never has, I've countered this new DMCA takedown which will, hopefully, mean the app will be restored sometime in the coming weeks," he wrote. "In the meantime, you can sideload the app onto your Google TV or Android TV devices by downloading the APK from https://www.aftvnews.com/downloader.apk. Downloader remains available on Fire TV devices directly from the Amazon Appstore." Saba said it's "absurd that Google seems to make no effort at all to verify the copyright claims being made on my app which is just a web browser that can download files and has no content of any sort in it."

"If loading a website with infringing content in a standard web browser is enough to violate DMCA, then every browser in the Google Play Store including @googlechrome should also be removed," said Saba in May. "It's a ridiculous claim and an abuse of the DMCA."

"The abolition of third-party cookies will make it possible to protect privacy-related data such as what sites users visit and what pages they view from advertising companies," notes the Japan-based site Gigazine.

And this month "Google has confirmed that it is on track to start disabling third-party cookies across its Chrome browser in a matter of weeks," writes TechRadar: An internal email published online sees Google software engineer Johann Hofmann share with colleagues the company's plan to switch off third-party cookies for 1% of Chrome users from Q1 2024 — a plan that was shared months ago and that, surprisingly, remains on track, given the considerable pushbacks so far... Hofmann explains that Google is still awaiting a UK Competition and Markets Authority consultation in order to address any final concerns before "Privacy Sandbox" gets the go-ahead.
The Register explores Google's "Privacy Sandbox" idea: Since 2019 — after it became clear that European data protection rules would require rethinking how online ads work — Google has been building a set of ostensibly privacy-preserving ad tech APIs known as the Privacy Sandbox... One element of the sandbox is the Topics API: that allows websites to ask Chrome directly what the user is interested in, based on their browser history, so that targeted ads can be shown. Thus, no need for any tracking cookies set by marketers following you around, though it means Chrome squealing on you unless you tell it not to...

Peter Snyder, VP of privacy engineering at Brave Software, which makes the Brave browser, told The Register in an email that the cookie cutoff and Privacy Sandbox remains problematic as far as Brave is concerned. "Replacing third-party cookies with Privacy Sandbox won't change the fact that Google Chrome has the worst privacy protections of any major browser, and we're very concerned about their upcoming plans," he said. "Google's turtle-paced removal of third-party cookies comes along with a large number of other changes, which when taken together, seriously harm the progress other browsers are making towards a user-first, privacy-protecting Web.

"Recent Google Chrome changes restrict the ability for users to modify, make private, and harden their Web experience (Manifest v3), broadcasting users' interests to websites they visit (Topics), dissolving privacy boundaries on the Web (Related Sites), offloading the battery-draining costs of ad auctions on users (FLEDGE/Protected Audience API), and reducing user control and Web transparency (Signed Exchange/WebBundles)," Snyder explained. "And this is only a small list of examples from a much longer list of harmful changes being shipped in Chrome."

Snyder said Google has characterized the removal of third-party cookies as getting serious about privacy, but he argued the truth is the opposite. "Other browsers have shown that a more private, more user-serving Web is possible," he said. "Google removing third-party cookies should be more accurately understood as the smallest possible change it can make without harming Google's true priority: its own advertising business."
The Register notes that other browser makers such as Apple, Brave, and Mozilla have already begun blocking third-party cookies by default, while Google Chrome and Microsoft Edge "provide that option, just not out of the box."

EFF senior staff technologist Jacob Hoffman-Andrews told The Register that "When Google Chrome finishes the project on some unspecified date in the future, it will be a great day for privacy on the web. According to the announcement, the actual phased rollout is slated to begin in Q3 2024, with no stated deadline to reach 100 percent. Let's hope Google's advertising wing does not excessively delay these critical privacy improvements."

TechRadar points out that after the initial testing period in 2024, Google will begin its phased rollout of the cookie replacement program — starting in June.

Thanks to long-time Slashdot reader AmiMoJo for sharing the news.

Amazon "is investing millions in training an ambitious large language model," reports Reuters, "hoping it could rival top models from OpenAI and Alphabet, two people familiar with the matter told Reuters." The model, codenamed as "Olympus", has 2 trillion parameters, the people said, which could make it one of the largest models being trained. OpenAI's GPT-4 model, one of the best models available, is reported to have one trillion parameters...

The team is spearheaded by Rohit Prasad, former head of Alexa, who now reports directly to CEO Andy Jass... Amazon believes having homegrown models could make its offerings more attractive on AWS, where enterprise clients want to access top-performing models, the people familiar with the matter said, adding there is no specific timeline for releasing the new model.
"While the parameter count doesn't automatically mean Olympus will outperform GPT-4, it's probably a good bet that it will, at minimum, be very competitive with its rival from OpenAI," argues a financial writer at the Motley Fool — as well as Googles nascent AI projects. Amazon could have a key advantage over its competition, one that CEO Andy Jassy alluded to in the company's third-quarter earnings call. Jassy said, "Customers want to bring the models to their data, not the other way around. And much of that data resides in AWS [Amazon Web Services] as the clear market segment leader in cloud infrastructure...."

Amazon will likely also leverage Olympus in other ways. For example, the company could make its CodeWhisperer generative AI coding companion more powerful. Jassy noted in the Q3 call that all of Amazon's "significant businesses are working on generative AI applications to transform their customer experiences." Olympus could make those initiatives even more transformative.
They point out that Amazon's profits more than tripled in the third quarter of 2023 from where they were in 2022.

And Amazon's stock price has already jumped more than 40% in 2023.

Google announced Thursday that users who have opted-in for its Search Generative Experience (SGE) will be able to create AI images directly from the standard Search bar. From a report: SGE is Google's vision for our web searching future. Rather than picking websites from a returned list, the system will synthesize a (reasonably) coherent response to the user's natural language prompt using the same data that the list's links led to. Thursday's updates are a natural expansion of that experience, simply returning generated images (using the company's Imagen text-to-picture AI) instead of generated text. Users type in a description of what they're looking for (a Capybara cooking breakfast, in Google's example) and, within moments, the engine will create four alternatives to pick from and refine further. Users will also be able to export their generated images to Drive or share them via email.