SoylentNews

Both the Hadza and Yao people have their own unique languages, and sounds from them may have been incorporated into their calls. But there is more to it than that. The Hadza often hunt animals when hunting for honey. Therefore, the Hadza don't want their calls to be recognized as human, or else the prey they are after might sense a threat and flee. This may be why they use whistles to communicate with honeyguides—by sounding like birds, they can both attract the honeyguides and stalk prey without being detected.

In contrast, the Yao do not hunt mammals, relying mostly on agriculture and fishing for food. This, along with the fact that they try to avoid potentially dangerous creatures such as lions, rhinos, and elephants, and can explain why they use recognizably human vocalizations to call honeyguides. Human voices may scare these animals away, so Yao honey hunters can safely seek honey with their honeyguide partners. These findings show that cultural diversity has had a significant influence on calls to honeyguides.

While animals might not literally speak our language, the honeyguide is just one of many species that has its own way of communicating with us. They can even learn our cultural traditions.

I wonder if that's why it's called the Honeyguide bird?

Journal Reference:
Claire N. Spottiswoode and Brian Wood, Culturally determined interspecies communication between humans and honeyguides, Science Vol. 382, No. 6675, DOI: 10.1126/science.adh412

Original Submission

The Reuters piece is quite long, and earns its length with an incredible wealth of damning receipts, including internal Tesla communications making clear that the company has known about its own shoddy work for a long time, even as it deceived investors, regulators, and drivers. [...]

All the upside-down incentives and warped prerogatives of the startup world are on display here (including a preference for lying and monkeying with data over actually doing good work). They're also, in turn, mere appendages of a deeper and more profound decadence. In 2023, discovery, exploration, and invention are just vibes you rent, by investing in a future-costumed effort to ignore all of what's already been learned and pretend "making a car that works" (or tunnels, or spaceships, or social media) is a new frontier. What matters isn't whether any of this has been done before, and more authentically, and well enough to be built upon—what matters is that this particular rich man-child hasn't done it yet, from scratch, for himself and for his own dream of being The Most Special Boy. In the absence of any real opportunity to envision a brighter future, you sign up to support some inheritance goober's personal fantasy camp by dumping money into his company or buying his stupid-looking car. In this way, you are meant to understand, you have participated in the great grand adventure of discovering tomorrow.

The Reuters piece: Tesla blamed drivers for failures of parts it long knew were defective

Original Submission

[...] "They aren't really Red Hat any longer, they're IBM," Perens writes in the note he shared with The Register. "And of course they stopped distributing CentOS, and for a long time they've done something that I feel violates the GPL, and my defamation case was about another company doing the exact same thing: They tell you that if you are a RHEL customer, you can't disclose the GPL source for security patches that RHEL makes, because they won't allow you to be a customer any longer. IBM employees assert that they are still feeding patches to the upstream open source project, but of course they aren't required to do so.

"This has gone on for a long time, and only the fact that Red Hat made a public distribution of CentOS (essentially an unbranded version of RHEL) made it tolerable. Now IBM isn't doing that any longer. So I feel that IBM has gotten everything it wants from the open source developer community now, and we've received something of a middle finger from them.

"Obviously CentOS was important to companies as well, and they are running for the wings in adopting Rocky Linux. I could wish they went to a Debian derivative, but OK. But we have a number of straws on the Open Source camel's back. Will one break it?"

Another straw burdening the Open Source camel, Perens writes, "is that Open Source has completely failed to serve the common person. For the most part, if they use us at all they do so through a proprietary software company's systems, like Apple iOS or Google Android, both of which use Open Source for infrastructure but the apps are mostly proprietary. The common person doesn't know about Open Source, they don't know about the freedoms we promote which are increasingly in their interest. Indeed, Open Source is used today to surveil and even oppress them."

Free Software, Perens explains, is now 50 years old and the first announcement of Open Source occurred 30 years ago. "Isn't it time for us to take a look at what we've been doing, and see if we can do better? Well, yes, but we need to preserve Open Source at the same time. Open Source will continue to exist and provide the same rules and paradigm, and the thing that comes after Open Source should be called something else and should never try to pass itself off as Open Source. So far, I call it Post-Open."

Post-Open, as he describes it, is a bit more involved than Open Source. It would define the corporate relationship with developers to ensure companies paid a fair amount for the benefits they receive. It would remain free for individuals and non-profit, and would entail just one license.

He imagines a simple yearly compliance process that gets companies all the rights they need to use Post-Open software. And they'd fund developers who would be encouraged to write software that's usable by the common person, as opposed to technical experts.

Pointing to popular applications from Apple, Google, and Microsoft, Perens says: "A lot of the software is oriented toward the customer being the product – they're certainly surveilled a great deal, and in some cases are actually abused. So it's a good time for open source to actually do stuff for normal people."

The reason that doesn't often happen today, says Perens, is that open source developers tend to write code for themselves and those who are similarly adept with technology. The way to avoid that, he argues, is to pay developers, so they have support to take the time to make user-friendly applications.

Companies, he suggests, would foot the bill, which could be apportioned to contributing developers using the sort of software that instruments GitHub and shows who contributes what to which products. Merico, he says, is a company that provides such software.

Perens acknowledges that a lot of stumbling blocks need to be overcome, like finding an acceptable entity to handle the measurements and distribution of funds. What's more, the financial arrangements have to appeal to enough developers.

"And all of this has to be transparent and adjustable enough that it doesn't fork 100 different ways," he muses. "So, you know, that's one of my big questions. Can this really happen?"

Original Submission

[...] "For a brand, they have total control versus a real person who comes with potential controversy, their own demands, their own opinions," McGrath added.

[...] "A lot of companies are coming out with virtual influencers they have generated in a day, and they are not really putting that human element [into the messaging] . . . and I don't think that is going to be the long-term strategy," she added.

[...] The Clueless's creations, among other virtual influencers, have also been criticized for being overly sexualised, with Aitana regularly appearing in underwear. The agency said sexualisation is "prevalent with real models and influencers" and that its creations "merely mirror these established practices without deviating from the current norms in the industry."

Mercer, the human influencer, argued: "It feels like women in recent years have been able to take back some agency, through OnlyFans, through social media, they have been able to take control of their bodies and say 'for so long men have made money off me, I am going to make money for myself'."

But she said AI-generated creations, often made by men, were once again profiting from female sexuality. "That is the reason behind growing these accounts. It is to make money."

Original Submission

[...] It wasn't until four years after the war's end that the first Type I Beetle made its way to North America, thanks to Dutch importer Ben Pon. He brought the first Beetles across the Atlantic in January of 1949 and drove one of them fruitlessly up and down the Eastern Seaboard, looking for a buyer, eventually selling it for $800 to help pay off a hotel bill. By the year's end, however, he had only sold two of the vehicles that reporters dubbed "Hitler's car," which Pon tried to re-label as the "Victory Wagon." 

Pon returned to Europe, and importer Max Hoffman stepped in as the first official stateside Volkswagen dealer. Hoffman earned the exclusive right to sell Volkswagens east of the Mississippi, and by 1960 he had placed 300,000 American buyers behind their wheels.

[...] Disney took advantage of the Beetle's popularity and unique style, making it the star of the 1969 film "Herbie the Love Bug," along with several movie sequels and a 1982 television series. 

According to the Disney website D23, writer and producer Bill Walsh conducted a multi-car audition to select the right car to star as Herbie. "As the employees passed by on their way to lunch," Walsh said, "they looked at the little cars, kicked the tires, and turned the steering wheels. But everybody who went by patted the Volkswagen. The VW had a personality of its own that reached out and embraced people."

[...] By 1974, Volkswagen had moved production of the Beetle from Wolfsburg to its new plants in Mexico and Brazil, and, beginning in 1977, only sold the Type I Beetle in the U.S. in convertible form. Throughout the 1970s, the Type I gradually grew more powerful and driver-friendly, getting a larger windshield, automatic transmission, and electronic fuel injection.

Volkswagen introduced the New Beetle in 1998, with the familiar rounded shape but proper 20th-century features like a sunroof, air bags, and a turbocharger. While the early New Beetles had these modern features, VW tried to maintain the link to the car's hippie roots by including a flower vase as a dealer accessory.  Car and Driver clocked the 1999 New Beetle as capable of going from zero to 60 in 7.3 seconds.

The last Type I came off the assembly line in Mexico in 2003, and the new version of the Beetle saw several updates and revisions before it was finally dropped for good in 2019.

Original Submission

On Apple devices equipped with these protections, such attackers are still unable to perform key post-exploitation techniques such as injecting malicious code into other processes, or modifying kernel code or sensitive kernel data. This powerful protection was bypassed by exploiting a vulnerability in the secret function. The protection, which has rarely been defeated in exploits found to date, is also present in Apple's M1 and M2 CPUs.

[...] The researchers found that several of MMIO addresses the attackers used to bypass the memory protections weren't identified in any device tree documentation, which acts as a reference for engineers creating hardware or software for iPhones. Even after the researchers further scoured source codes, kernel images, and firmware, they were still unable to find any mention of the MMIO addresses.

[...] The findings presented Wednesday also detail the intricacies of the exploit chain that underpinned the Triangulation infections. As noted earlier, the chain exploited four zero-days to ensure that the Triangulation malware ran with root privileges and gained complete control over the device and user data stored on it.

[...] Wednesday's presentation, titled What You Get When You Attack iPhones of Researchers, is a further reminder that even in the face of innovative defenses like the one protecting the iPhone kernel, ever more sophisticated attacks continue to find ways to defeat them.

"We discover and analyze new exploits and attacks using them on a daily basis," Larin wrote. "We've discovered and reported more than thirty in the wild zero-days in Adobe/Apple/Google/Microsoft products, but this is definitely the most sophisticated attack chain we've ever seen."

Original Submission

In 1986, a 28-page paper [PDF] — co-written with Larry Rowe — announced the design for Postgres, as it was then known, setting out six guiding ambitions. Among them were two that would prove pertinent to the database system's longevity. One was to provide better support for complex objects. The second was to provide user extendibility for data types, operators and access methods.

[...] Nonetheless it was Oracle that made a decision which provided a boost to open source PostgreSQL. It bought open source MySQL, which some of the community did not trust in the hands of the proprietary software giant. At the same time Illustra and other companies commercialized Postgres, Berkeley released the code for POSTGRES under the MIT license, allowing other developers to work on it.

In 1994, Andrew Yu and Jolly Chen, both Berkeley graduates, replaced query language POSTQUEL with SQL. The resulting Postgres95 was made freely available and modifiable under a more permissive license and renamed PostgreSQL.

"What ended up happening was Illustra kind of gaining traction, but the big kicker was when this group of totally unrelated people I didn't even know, picked up the open source Postgres code, which was still around, and ran with it, totally unbeknownst to me. That was a wonderful accident," he says.

"When MySQL was bought by Oracle, developers got suspicious in droves, and defected to PostgreSQL. It was another happy accident. It's commercial success is wonderful, but it was largely serendipitous," Stonebraker adds.

[...] Despite many of his ideas being so widely used in the database industry, which Gartner said was worth $91 billion in 2022, Stonebraker is laid back about other people using his ideas.

"I've done well financially. I knew Ted Codd, who was very magnanimous about saying you guys should all run the [ideas]. You want to change the world; any particular person is only part of that. I've always done open source code and shared code with anybody who wanted it. In the process, I've done well financially so yeah, I have no regrets at all," he says.

But that's not to say he is ready to retire. In his latest project, Stonebraker is ready to change the world again.

The idea for DBOS, a Database-Oriented Operating System, came from a conversation with Matei Zaharia, the author of Apache Spark who is also co-founder of analytics and ML company Databricks and associate professor at Berkeley.

[...] The new project replaced Linux and Kubernetes with a new operating system stack at the bottom of which is a database system, the prototype multi-node multi-core, transactional, highly-available VoltDB, which Stonebraker started.

"Basically, the operating system is an application to the database, rather than the other way around," he says.

A paper Stonebraker co-authored with Zaharia and others explains: "All operating system state should be represented uniformly as database tables, and operations on this state should be made via queries from otherwise stateless tasks. This design makes it easy to scale and evolve the OS without whole-system refactoring, inspect and debug system state, upgrade components without downtime, manage decisions using machine learning, and implement sophisticated security features."

Successful or otherwise, the OS-as-a-database application idea is unlikely to be Stonebraker's last. After turning 80 in October, he tells The Register he is not about to slow down.

"I can't imagine playing golf three days a week. I like what I do, and I will do it as long as I can be intellectually competitive," he says.

Original Submission

"Settled copyright law protects our journalism and content. If Microsoft and OpenAI want to use our work for commercial purposes, the law requires that they first obtain our permission. They have not done so."

[...] OpenAI has tried to allay news publishers concerns. In December, the company announced a partnership with Axel Springer — the parent company of Business Insider, Politico, and European outlets Bild and Welt — which would license its content to OpenAI in return for a fee.

Also at CNBC and The Guardian.

Previously:

• Report: Potential NYT lawsuit could force OpenAI to wipe ChatGPT and start over
• Microsoft, GitHub, and OpenAI Sued for $9B in Damages Over Piracy

NY Times Sues Open AI, Microsoft Over Copyright Infringement

upstart writes:

NY Times sues Open AI, Microsoft over copyright infringement:

In August, word leaked out that The New York Times was considering joining the growing legion of creators that are suing AI companies for misappropriating their content. The Times had reportedly been negotiating with OpenAI regarding the potential to license its material, but those talks had not gone smoothly. So, eight months after the company was reportedly considering suing, the suit has now been filed.

The Times is targeting various companies under the OpenAI umbrella, as well as Microsoft, an OpenAI partner that both uses it to power its Copilot service and helped provide the infrastructure for training the GPT Large Language Model. But the suit goes well beyond the use of copyrighted material in training, alleging that OpenAI-powered software will happily circumvent the Times' paywall and ascribe hallucinated misinformation to the Times.

Journalism is expensive

The suit notes that The Times maintains a large staff that allows it to do things like dedicate reporters to a huge range of beats and engage in important investigative journalism, among other things. Because of those investments, the newspaper is often considered an authoritative source on many matters.

All of that costs money, and The Times earns that by limiting access to its reporting through a robust paywall. In addition, each print edition has a copyright notification, the Times' terms of service limit the copying and use of any published material, and it can be selective about how it licenses its stories. In addition to driving revenue, these restrictions also help it to maintain its reputation as an authoritative voice by controlling how its works appear.

The suit alleges that OpenAI-developed tools undermine all of that. "By providing Times content without The Times's permission or authorization, Defendants' tools undermine and damage The Times's relationship with its readers and deprive The Times of subscription, licensing, advertising, and affiliate revenue," the suit alleges.

Part of the unauthorized use The Times alleges came during the training of various versions of GPT. Prior to GPT-3.5, information about the training dataset was made public. One of the sources used is a large collection of online material called "Common Crawl," which the suit alleges contains information from 16 million unique records from sites published by The Times. That places the Times as the third most references source, behind Wikipedia and a database of US patents.

OpenAI no longer discloses as many details of the data used for training of recent GPT versions, but all indications are that full-text NY Times articles are still part of that process. [...] Expect access to training information to be a major issue during discovery if this case moves forward.

Not just training

A number of suits have been filed regarding the use of copyrighted material during training of AI systems. But the Times' suite goes well beyond that to show how the material ingested during training can come back out during use. "Defendants' GenAI tools can generate output that recites Times content verbatim, closely summarizes it, and mimics its expressive style, as demonstrated by scores of examples," the suit alleges.

Original Submission #1  Original Submission #2  Original Submission #3 

[...] It is important to note that, despite the hype, to exploit these vulnerabilities it is necessary to have access to the system in the first place, and in that access, to have privileges to write to the EFI partition and UEFI non-volatile ram (nvram). The keen-eyed reader will realize that, if you already have that level of access, then it's not necessarily the LogoFAIL exploit itself that is the problem, but rather the persistence that it enables for other malware to abuse. Consider, for example, a ransomware that persists even system reimaging attempts after an infrastructure-wide attack. It would cripple recovery operations.

Adding insult to injury, the vulnerabilities exist across multiple platforms and architectures. It impacts both x86 and ARM-based devices. BIOS vendors like AMI, Phoenix, and others, create firmware that is affected by LogoFAIL. In turn, this makes motherboards using that firmware to also be affected by it – it doesn't matter if server-grade or consumer-grade hardware, as the same BIOS vendors will provide software for all of them. Vendors like Intel, Dell, Supermicro, Acer, and many others are therefore affected.

[...] These findings highlight another dimension of software supply chain risks. Directly targeting hardware adds to the already complex array of threats affecting software supply chains, from developer tools to source code repositories.

The fact that a given workload is potentially affected by vulnerabilities all throughout this large dependency and environment chain is something that we seem to turn a blind eye to – either through a lack of awareness or an inability to effectively prevent it – but which doesn't make it any more secure.

Just About Every Windows and Linux Device Vulnerable to New LogoFAIL Firmware Attack

upstart writes:

UEFIs booting Windows and Linux devices can be hacked by malicious logo images:

Hundreds of Windows and Linux computer models from virtually all hardware makers are vulnerable to a new attack that executes malicious firmware early in the boot-up sequence, a feat that allows infections that are nearly impossible to detect or remove using current defense mechanisms.

The attack—dubbed LogoFAIL by the researchers who devised it—is notable for the relative ease in carrying it out, the breadth of both consumer- and enterprise-grade models that are susceptible, and the high level of control it gains over them. In many cases, LogoFAIL can be remotely executed in post-exploit situations using techniques that can't be spotted by traditional endpoint security products. And because exploits run during the earliest stages of the boot process, they are able to bypass a host of defenses, including the industry-wide Secure Boot, Intel's Secure Boot, and similar protections from other companies that are devised to prevent so-called bootkit infections.

Game over for platform security

LogoFAIL is a constellation of two dozen newly discovered vulnerabilities that have lurked for years, if not decades, in Unified Extensible Firmware Interfaces responsible for booting modern devices that run Windows or Linux. The vulnerabilities are the product of almost a year's worth of work by Binarly, a firm that helps customers identify and secure vulnerable firmware.

[...] As its name suggests, LogoFAIL involves logos, specifically those of the hardware seller that are displayed on the device screen early in the boot process, while the UEFI is still running. Image parsers in UEFIs from all three major IBVs are riddled with roughly a dozen critical vulnerabilities that have gone unnoticed until now. By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these bugs, LogoFAIL makes it possible to execute malicious code at the most sensitive stage of the boot process, which is known as DXE, short for Driver Execution Environment.

"Once arbitrary code execution is achieved during the DXE phase, it's game over for platform security," researchers from Binarly, the security firm that discovered the vulnerabilities, wrote in a whitepaper. "From this stage, we have full control over the memory and the disk of the target device, thus including the operating system that will be started."

From there, LogoFAIL can deliver a second-stage payload that drops an executable onto the hard drive before the main OS has even started. The following video demonstrates a proof-of-concept exploit created by the researchers. The infected device—a Gen 2 Lenovo ThinkCentre M70s running an 11th-Gen Intel Core with a UEFI released in June—runs standard firmware defenses, including Secure Boot and Intel Boot Guard.

Detecting LogoFAIL Vulnerabilities and Exploits at Enterprise Scale

Detecting LogoFAIL Vulnerabilities and Exploits at Enterprise Scale - Eclypsium:

IT security teams are assessing new UEFI vulnerabilities that affect Windows and Linux systems. The vulnerabilities are collectively called LogoFAIL because they exist in UEFI image parsers that display the manufacturer logo when the system boots up.

Affected vendors include UEFI suppliers AMI, Insyde, and Phoenix and device manufacturers such as Lenovo, Dell, and HP. Some vendors have already issued advisories, but we should expect the list to expand as more vendors assess their exposure.

[...] Defenders need to know which systems are affected by LogoFAIL vulnerabilities and the associated severity. The CERT Coordination Center at Carnegie Mellon has a dynamic list of affected vendors and associated security advisories.

So far, it is difficult to determine the severity as no public exploit has been published, and some of the now public vulnerabilities have been scored differently by the researchers from Binarly who discovered the LogoFAIL vulnerabilities, the UEFI firmware vendors (Phoenix Technologies, Insyde, and AMI), and the National Vulnerability Database (NVD). The severity and exploitability of each LogoFAIL vulnerability will likely depend on how affected firmware vendors and equipment manufacturers (OEMs) store and process logo images. An attacker's ability to modify these logo images or paths to them may depend on malicious software running locally on a system (with administrative or root-level privileges), by an attacker remotely accessing the system, or by an attacker who gained physical access to a target.

You should monitor and apply patches as they become available from each OEM for each product model. As of the time of this writing, the list of affected products that have associated CVE identifiers includes the following:

Insyde has issued INSYDE-SA-2023053 and assigned it a CVSS score of 4.4. The associated CVE is CVE-2023-40238 and has been scored a CVSS 5.5 (Medium) by the NVD. The aforementioned CVE correlates to Binarly's vulnerability identifier BRLY-LOGOFAIL-2023-006 with an assigned CVSS of 8.2 (High). The difference in CVSS score appears to result from differences in perceived potential impact on confidentiality, integrity, and availability.

AMI has issued AMI-SA-2023009 and assigned a score of 7.5 to each of the associated CVEs, while the NVD has assigned a score of 7.8:

• CVE-2023-39538 – AMI CVSS = 7.5 (High), NVD CVSS = 7.8 (High)
• CVE-2023-39539 – AMI CVSS = 7.5 (High), NVD CVSS = 7.8 (High)

The severity rating for the AMI vulnerabilities is higher than the CVE in Insyde firmware due to stated impact on confidentiality and integrity.

Original Submission #1  Original Submission #2