Android doesn’t have su, which this proof of concept exploit requires. Although rooted Android does, so in theory malware written for rooted Android could escalate to root privileges.
Also, the underlying vulnerabilities might be exploitable without su but I don’t fully understand the AF_ALG and authencesn bug limits things, or what other executables can escalate privileges.
I’m not terrified because there’s nothing to be afraid of. but there are dumb, evil little men creating these issues.
Drunk drivers on the highway are terrifying, precisely because they’re so bad at what they’re doing, and are behind the controls of dangerous machines they shouldn’t have been trusted with.
The AI tech execs can hurt us, so it is concerning.
AI avatar man wants you to be afraid: “sleeper agents”! “backdoors”! “poisoned documents”! Terrifying!
It is terrifying. People in positions of power have placed entirely too much trust in these machines that are this easily fooled. I’d argue that we shouldn’t trust these machines as much as they are, but I don’t think the rest of the world is listening enough to these warnings.
I also worry about how broken search result rankings have gotten. For someone like me who doesn’t use these AI products, it concerns me that actual search engines (which I do use) continue to get worse.
Sure, there are lessons here for those who build and maintain LLMs, but everyone else should still be terrified at how the world is moving towards, rather than away, this nonsense.
It’s really important for people to understand that E2EE cannot protect the message portions that aren’t between the ends themselves. The best encryption in the world can’t help you if the person you’re talking to is an undercover cop, because that “end” can do with the plaintext whatever they want, including record/store/forward the plaintext of any messages they then encrypt and send, or any messages they receive and then decrypt.
That’s not a flaw of the E2EE protocol itself, but is a limit to the scope of protection that E2EE provides.
Here’s the original reporting, instead of another website’s summary of Bloomberg’s actual report:
So it sounds like the agent was investigating allegations, from content moderation contractors, that Meta could access the contents of WhatsApp messages, and came to the conclusion that yes, Meta could.
There are a few possibilities here.
Meta claims that it’s #3. They acknowledge they have plaintext access to messages when a party to the thread presses the report button.
This unnamed federal agent believes it’s #1, after 10 months of investigation, and sent out an email to other investigators that they should look into that possibility.
I’m skeptical of #1, simply because I don’t believe that conspiracies to keep that kind of stuff secret can be maintained. It’s not just that there would be technically skilled whistleblowers who have actual access to the code (not the non-technical content moderator contractors who review the content), but a weakness in such an important and widely used protocol would attract all sorts of hackers, state sponsored or otherwise.
But option #2 might explain everything we’ve seen so far. Full wiretap capability that is rarely used and very tightly controlled.
Anybody who believed that quantum computing posed a risk to symmetric encryption was fundamentally misunderstanding how encryption works and what quantum computing might be good at one day.
Asymmetric cryptography is primarily used for the secure exchanging of symmetric keys: use a public/private key pair to exchange secure messages of what symmetric key to use for their session, and then both sides switch to the symmetric key for actual communication of a real payload.
A public/private key pair is two keys that have some interesting mathematical relationship, such that it is easy to confirm that someone possesses the right private key using the public key or to encrypt something that only the correct private key can decrypt. And that mathematical relationship, relating to the product of two very large prime numbers, is at the core of modern asymmetric cryptography.
Quantum computing may make number factorization much, much easier. So once a product of two large primes becomes possible to factor, the public/private key pairs might not be as secure anymore.
But none of this has anything to do with symmetric encryption, or hash functions. Quantum doesn’t move the needle on that particular math.
The real risk, though, is for an adversary to eavesdrop on an encrypted key exchange (which uses asymmetric cryptography) and then the message itself (which uses symmetric cryptography) and then be able to take the two steps of getting the secret symmetric key from the intercepted key exchange over a compromised asymmetric protocol, and being able to decrypt the symmetric portion of the communication too.
Desktop Linux is seeing higher and higher market share, not just because Linux is growing but also because the desktop mode of computing is shrinking, especially for personal use. There are lots of people who used to own laptops/desktops but don’t anymore.
This is actually a pretty common concern for businesses on dealing with whether and how to protect themselves when installing improvements, business-critical equipment, or other hard-to-move stuff on land or in a building without a long term lease in place.
The tenant deals with it by either building out a portable infrastructure to where they can move their business quickly if need be, or by protecting themselves legally to where the landlord can’t kick them out on a short notice, by negotiating a long term lease.
Yes, this has everything to do with AI, because this is an AI vendor locking out a customer from their ordinary workflow.
At the same time, this is a generalizable example not limited to AI, where any form of vendor lock-in on a critical business function becomes a potential point of failure when the vendor drops the customer or stops working. It’s true of a cloud provider, an email provider, an ISP, any software provider that can revoke access/authority, or even non-tech vendors like a landlord or a temp agency or an electric utility.
I think it’s worth being clear about the scope of the rating. iFixit has always been about repairability defined by parts availability, and its ratings consider software restrictions only to the point where it interferes with the user experience when replacing parts to restore things to the original performance.
Customizability (in software or otherwise) isn’t part of the score. Durability/longevity isn’t part of the score, either. Those are things that I want, too, but I can recognize those are outside the scope of what iFixit advocates for.
I do have some concerns about the partnerships creating a conflict of interest, but sometimes that feedback loop is helpful for improving the product, where the maintainer of a standard also has a consulting business in helping others meet that standard. Ideally there’s a wall between the two sides (advisors versus raters), but the mere fact that one company might do both things isn’t that big of a deal in itself.
briefly released millions of tracks that were scraped from Spotify via BitTorrent.
That’s just an awkward sentence construction but it makes sense: they released track via Bittorrent. The tracks were scraped from Spotify.
I sold my car that was purchased from a dealership via private party sale.
I charged my laptop that normally accepts 100W via a 20W phone charger.
I would’ve used a “which” phrase with commas to avoid the confusion, but the sentence as written is valid and makes sense.
You can reason from a few principles:
So when people start making claims about things with clear, objective definitions (a win condition in chess, the fastest route to take through a maze, a highest lossless compression algorithm for real world text), it’s reasonable to believe that the current AI infrastructure can lead to breakthroughs on that front. So image recognition, voice recognition, and things like that were largely solved a decade ago. Text generation with clear and simple definitions of good or bad (simple summaries, basic code that accomplishes a clearly defined goal) is what LLMs have been doing well.
On things that have much more fuzzy or even internally inconsistent definitions, the AI world gets much more controversial.
But I happen to believe that finding and exploiting bugs or security vulnerabilities falls more into the well defined problem with well defined successes and failures. So I take it seriously when people claim that AI tools are helpful for developing certain exploits.
but isn’t the memory on the Neo on the same die as the processor?
Not actually on the same die, but in the same package, stacked on top using TSMC’s Integrated Fan-Out Package on Package (InFO-PoP).
So the memory still needs to be sourced from memory manufacturers, sent to TSMC, and then have TSMC package it all together in a single package. It’s unclear whether they had locked up this supply at pre-AI prices, though. The underlying A18 Pro chip/package was annoinced and launched about 18 months ago, so if they had the manufacturing pipeline set up for that they might have kept the contractual rights to continue buying memory at the old prices.
This reporting says that the subpoena requires that Reddit produce the information and appear for a hearing.
No, it’s not volunteering, at least not anymore.
Subpoena is legal Latin for “under penalty,” because noncompliance with a subpoena carries a penalty.
Originally, it was an information request from the feds, and Reddit refused. Then they escalated to getting a grand jury subpoena (which means they got a bunch of normal citizens to agree that the information was relevant to a criminal investigation), so now noncompliance carries a penalty.
Reddit notified the users, who hired their own lawyers, who are resisting the subpoena and will litigate it to where they need a judge to decide whether Reddit will have to turn the information over.
That’s the process for these things, and we’re a couple steps in already.
The article describes how they immediately went to look for an unsigned 32-bit millisecond counter when they noticed it was happening around 50 days since last reboot, because they already knew that association you describe.
Interesting writeup. Fun little story about the detective work involved.
God I wish democracy meant that we could vote on decisions like this
You can! Only problem is that it’s one vote per dollar instead of one vote per person.
It sucks though, I agree - software should get more efficient over time, just like hardware does.
It generally does, for any given computing task, but the problem is that generally software adds more features over time, not least of which is supporting new hardware that hits the ecosystem.
Ah yeah. Plus apparently Android’s default SELinux configuration blocks this separately, as well.