Doing my part to contribute to the Fediverse.

Subscribe to !android@lemdro.id, /r/android’s new home in the Fediverse!

Visit lemdro.id for a blazingly fast instance!

  • 13 Posts
  • 36 Comments
Joined 2Y ago
Cake day: Jun 29, 2023

China's widening iPhone curbs roil US technology sector - Reuters
cross-posted from !apple@lemdro.id

> - Beijing has imposed restrictions on iPhone use among its government staff, causing Apple's stock to drop by more than 3%.
> - The move exacerbates already high tensions between the U.S. and China, affecting U.S. tech companies with significant exposure to the Chinese market.
> - U.S. lawmakers from both major parties express national security concerns and urge a tougher stance against Beijing.
> - Apple suppliers like Qualcomm and Broadcom also experience stock declines, leading losses among major tech firms.
> - The restrictions indicate that even companies with good relations with China are not immune to geopolitical tensions.
> - Despite U.S. sanctions on Huawei, Apple faces competitive pressure in China, where it earns nearly a fifth of its revenue.
fedilink

EU unveils ‘revolutionary’ laws to curb big tech firms’ power - The Guardian
cross-posted from !android@lemdro.id

> - New regulations will target six major tech companies to improve consumer experience and data privacy. These include Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft.
> - Pre-installed apps like weather and email that are difficult to delete will be disallowed, aiming to promote interoperability and reduce "gatekeeping" activities.
> - Companies will be prohibited from monetizing user data collected from phone apps for advertising purposes.
> - The regulations will encourage competition by allowing alternative payment systems, benefiting startups and consumers.
> - The European Commission aims to empower consumers and ensure tech giants adhere to European rules, providing immediate accountability for any issues.
fedilink

Password-stealing Chrome extension smuggled on to Web Store
cross-posted from !google@lemdro.id

> Original source: https://arxiv.org/pdf/2308.16321.pdf
>
> - Researchers at the University of Wisconsin–Madison found that Chrome browser extensions can still steal passwords, despite compliance with Chrome's latest security standard, Manifest V3.
> - A proof of concept extension successfully passed the Chrome Web Store review process, demonstrating the vulnerability.
> - The core issue lies in the extensions' full access to the Document Object Model (DOM) of web pages, allowing them to interact with text input fields like passwords.
> - Analysis of existing extensions showed that 12.5% had the permissions to exploit this vulnerability, identifying 190 extensions that directly access password fields.
> - Researchers propose two fixes: a JavaScript library for websites to block unwanted access to password fields, and a browser-level alert system for password field interactions.
fedilink

Telecom companies in India want tech firms to pay for network usage
cross-posted from !technology@lemmy.ml

> - Indian telecom operators, including Jio, Airtel, and Vodafone-Idea, have recommended that internet companies contribute to telecom network costs.
> - They propose that these contributions should be based on factors like traffic consumption, turnover, and the number of users.
> - The telecom operators argue that this would create a level playing field and help boost their margins in a market with low average revenue per user.
> - Critics, however, raise concerns about potential violations of net neutrality and the possibility of shifting costs to consumers if internet companies are forced to cover network expenses.
fedilink


They seem to qualify a bit below that they mean GPT-3.5-Turbo, which does often get referred to as ChatGPT (in contrast to GPT-4).



That’s the beauty of it! Just like email, it doesn’t really matter which provider you sign up through. It gives you choice.

However, some instances do de-federate from other ones meaning you wouldn’t be able to see any content from communities hosted on them nor anything posted by their users.


I should probably specify that it does vary by jurisdiction when it comes to massage therapy. We have registered massage therapists here. Some massage therapists might employ some pseudoscience, but there’s solid evidence on the near-term therapeutic benefits of massage. For chiropractic, it’s pretty much entirely based on pseudoscience.

If you need to fix a problem, a physical therapist is the way to go. If you want temporary relief, a massage therapist can be helpful. There’s no good reason to see a chiropractor - and it’s unfortunate that insurance providers (including my own) don’t allow those funds to be spent on actual treatments.


The few things they do that work are still better delivered by physiotherapists and massage therapists without the pseudoscience.


Have you tried visiting a registered massage therapist? They can provide even better immediate relief without the pseudoscience. It pairs very well with physical therapy.


The few things they do that are effective are better delivered by an evidence-based provider (e.g., physiotherapist, massage therapist) without the pseudoscience.


I’d just caution that coverage doesn’t necessarily mean effectiveness.


There isn’t much evidence there. There’s dry needling, which is the evidence-based alternative with different techniques - but much of that is built on the same evidence behind massage therapy.


Like anywhere on the internet, it really comes down to doing your best to exude the kind of energy you want to receive back (and moderation/filtering). There are all types of people around and the key is to just do your best to stay positive. Moderation tools are also more primitive on Lemmy, so, as traffic grows, users will have a larger role to play in reporting and manually curating their feeds via blocking.

If it ever feels like too much, I also recommend taking a break from social media. You may also want to consider other instances like beehaw.org, which goes to great lengths to maintain its particular atmosphere.


Biometrics are only required for certain non-citizens. Canadians aren’t required to provide them while visiting the US unless opting for an express pre-clearance NEXUS pass.


Early adopters in Mexico lend their eyes to global biometric project
cross-posted from: https://lemdro.id/post/486175 ([!aistuff@lemdro.id](https://lemdro.id/c/aistuff))

> Eager early adopters recently descended upon a Mexico City cafe where their eyes were scanned by a futuristic sphere, part of an ambitious project that ultimately seeks to create a unique digital identification for everyone on the planet.
>
> Mexico is one of nearly three dozen countries where participants are allowing the sphere, outfitted with cameras and dubbed an orb, to scan their iris. The project's goal is to distinguish people from bots online, while doling out a cryptocurrency bonus as an incentive to participate.
>
> The so-called Worldcoin project is a biometric verification tool led by Sam Altman, the chief executive of Open AI, and the crypto company he co-founded, Tools for Humanity.

This doesn't sound creepy at all... thoughts?
fedilink



16-year Reddit account here. It was the HD-DVD encryption key leak in early 2007.


Interesting. I wonder if anyone has a document comparison between the two versions.


CoreWeave raises $2.3 billion in debt collateralized by Nvidia chips
cross-posted from [!aistuff@lemdro.id](https://lemdro.id/c/aistuff)

> - **CoreWeave**, a company that provides cloud services, has secured a **$2.3 billion loan** using Nvidia chips as security.
> - This large loan reflects a growing trend of securing loans with physical assets, especially when banks aren't lending as much.
> - **CoreWeave** has grown quickly thanks to a boom in AI. It has special access to advanced Nvidia chips, which gives it an advantage over big cloud providers like Microsoft, Amazon, and Google.
> - **CoreWeave** will use the loan to buy more chips, build data centers, and hire more staff. It's aiming to have 14 data centers in the U.S. by the end of the year.
> - Earlier this year, **CoreWeave** also raised **$421 million in equity**, pushing its value to over $2 billion.
fedilink

Pixel Binary Transparency: verifiable security for Pixel devices - Google Security Blog
cross-posted from [!googlepixel@lemdro.id](https://lemdro.id/c/googlepixel) [!android@lemdro.id](https://lemdro.id/c/android)

> August 4, 2023
>
> Jay Hou, Software Engineer, *TrustFabric (transparency.dev)*
>
> Pixel Binary Transparency
> -------------------------
>
> With Android powering billions of devices, we've [long put security first](https://www.android.com/safety/). There's the more visible security features you might interact with regularly, like spam and phishing protection, as well as less obvious integrated security features, like daily scans for malware. For example, [Android Verified Boot](https://source.android.com/docs/security/features/verifiedboot) strives to ensure all executed code comes from a trusted source, rather than from an attacker or corruption. And with attacks on software and mobile devices constantly evolving, we're continually strengthening these features and adding transparency into how Google protects users. This blog post peeks under the hood of [Pixel Binary Transparency](https://developers.google.com/android/binary_transparency/overview), a recent addition to Pixel security that puts you in control of checking if your Pixel is running a trusted installation of its operating system.
>
> Supply Chain Attacks & Binary Transparency
> ------------------------------------------
>
> Pixel Binary Transparency responds to a new wave of attacks targeting the software supply chain---that is, attacks on software while in transit to users. These attacks [are on the rise](https://www.sonatype.com/state-of-the-software-supply-chain/introduction) in recent years, likely in part because of the enormous impact they can have. In recent years, tens of thousands of software users from Fortune 500 companies to branches of the US government have been affected by supply chain attacks that targeted the systems that create software to install a backdoor into the code, allowing attackers to access and steal customer data.
>
> One way Google protects against these types of attacks is by auditing Pixel phone firmware (also called "factory images") before release, during which the software is thoroughly checked for backdoors. Upon boot, Android Verified Boot runs a check on your device to be sure that it's still running the audited code that was officially released by Google. Pixel Binary Transparency now expands on that function, allowing you to personally confirm that the image running on your device is the official factory image---meaning that attackers haven't inserted themselves somewhere in the source code, build process, or release aspects of the software supply chain. Additionally, this means that even if a signing key were compromised, binary transparency would flag the unofficially signed images, deterring attackers by making their compromises more detectable.
>
> How it works
> ------------
>
> Pixel Binary Transparency is a [public, cryptographic log](https://developers.google.com/android/binary_transparency/pixel#log_implementation) that records metadata about official factory images. With this log, Pixel users can mathematically prove that their Pixels are running factory images that match what Google released and haven't been tampered with.
>
> The Pixel Binary Transparency log is cryptographically guaranteed to be append-only, which means entries can be added to the log, but never changed or deleted. Being append-only provides resilience against attacks on Pixel images as attackers know that it's more difficult to insert malicious code without being caught, since an image that's been altered will no longer match the metadata Google added to the log. There's no way to change the information in the log to match the tampered version of the software without detection (Ideally the metadata represents the entirety of the software, but it cannot attest to integrity of the build and release processes.)
>
> For those who want to understand more about how this works, the Pixel Binary Transparency log is append-only thanks to a data structure called a [Merkle tree](https://transparency.dev/verifiable-data-structures/), which is also used in blockchain, Git, Bittorrent, and certain NoSQL databases. The append-only property is derived from the single root hash of the Merkle tree---the top level cryptographic value in the tree. The root hash is computed by hashing each leaf node containing data (for example, metadata that confirms the security of your Pixel's software), and recursively hashing intermediate nodes.
>
> ![](https://lh6.googleusercontent.com/O_3nYyxS4-trOfDTjshMS2C453nafa6IaR0DJgaOwK_HU-NnhBWHdOIEJXgjER3oRyeHlEDyaehg8oAMl0Hzta0Z9s-fxc8bfCIFU5vvdVqog2ZIflwwvm0S6wRhdv-TMBGUKP80XDb06f-5kp9MvnqdppYwaiyHz4pkQ7nw-v7e3S4SpO_sHXYWogXNn5k)
>
> The root hash of a Merkle tree should not change, if and only if, the leaf nodes do not change. By keeping track of the most recent root hash, you also keep track of all the previous leaves. You can read more about the details in the Pixel Binary Transparency [documentation](https://developers.google.com/android/binary_transparency/pixel).
>
> ### Merkle Trees Proofs
>
> There are two important computations that can be performed on a Merkle tree: the consistency proof and inclusion proof. These two proofs together allow you to check whether an entry is included in a transparency log and to trust that the log has not been tampered with.
>
> Before you trust the contents of the log, you should use the consistency proof to check the integrity of the append-only property of the tree. The consistency proof is a set of hashes that show when the tree grows, the root hash only changes from the addition of new entries and not because previous entries were modified.
>
> Once you have established that the tree has not been tampered with, you can use the inclusion proof to check whether a particular entry is in the tree. In the case of Pixel Binary Transparency, you can check that a certain version of firmware is published in the log (and thus, an official image released by Google) before trusting it.
>
> You can [learn more about Merkle trees](https://transparency.dev/verifiable-data-structures/) on Google's [transparency.dev](https://transparency.dev) site, which goes deeper into the same concepts in the context of our Trillian transparency log implementation.
>
> ### Try It Out
>
> Most Pixel owners won't ever need to perform the consistency and inclusion proofs to check their Pixel's image---Android Verified Boot already has multiple safeguards in place, including verifying the hash of the code and data contents and checking the validity of the cryptographic signature. However, we've made the process available to anyone who wants to check themselves---the [Pixel Binary Transparency Log Technical Detail Page](https://developers.google.com/android/binary_transparency/pixel) will walk you through extracting the metadata from your phone and then running the inclusion and consistency proofs to compare against the log.
>
> More Security to Come
> ---------------------
>
> The first iteration of Pixel Binary Transparency lays the groundwork for more security checks. For example, building on Pixel Binary Transparency, it will be possible to make even more security data transparent for users, allowing proactive assurance for a device's other executed code beyond its factory image. We look forward to building further on Pixel Binary Transparency and continually increasing resilience against software supply chain attacks.
fedilink

Someone just mentioned this thread in a post I coincidentally put up yesterday on !android@lemdro.id. It was originally going to be a “Show off Sunday” post but I ended up being out of town. Great minds!


It’s worth noting our regular cars have locked down ECU. I had to pay good money to be able to get around it. But I agree it’s not great overall and isn’t headed in a promising direction.


Unpatchable AMD Chip Flaw Unlocks Paid Tesla Feature Upgrades
Original source: https://www.blackhat.com/us-23/briefings/schedule/index.html#jailbreaking-an-electric-vehicle-in--or-what-it-means-to-hotwire-teslas-x-based-seat-heater-33049
fedilink


The Legacy of Stagefright
cross-posted from: https://lemdro.id/post/190327 ([!android@lemdro.id](https://lemdro.id/c/android))

> Every so often a piece of security research will generate a level of excitement and buzz that's palpable. Dan Kaminsky's DNS bug, Barnaby Jack's ATM Jackpotting, Chris Valasek and Charlie Miller's Jeep hacking escapades. There's something special about the overheard conversations, the whispered sightings of the superstar du jour, and the packed-to-the-rafters conference hall. These moments have delivered something more than just research: they delivered entertainment.
>
> Stagefright was one of these big moments. A frenzied feeling in the air, a willing showman, and a message to deliver. Mobile security was broken, seriously broken.
>
> It's been 8 years since Stagefright's careful dissection of Android's remote security posture, and it seems like a great time to revisit the event and its aftermath. Like any great piece of research, Stagefright changed the world, and it's only with hindsight that it's really possible to understand how.
>
> [See article for more.](https://blog.isosceles.com/the-legacy-of-stagefright/)
fedilink

It seems to be pretty early days, with them looking to solicit public feedback via the GitHub.


I mentioned it in the lemdro.id thread but forgot to add it here!

I’d just also make a plug for OpenStreetMap, which is entirely community-driven and based on fully open data.

With that said, OpenStreetMap can be hit and miss in a lot of areas. The aim here looks to be about having something commercial-grade that isn’t from Google or TomTom. It would’ve been nice to see companies get together to support OpenStreetMap though.


Overture Maps Foundation Releases Its First World-Wide Open Map Dataset – Overture Maps Foundation
cross-posted from: https://lemdro.id/post/190707

> The Overture Maps Foundation (OMF) is a collaborative effort by Amazon Web Services (AWS), Meta, Microsoft, and TomTom "to enable current and next-generation interoperable open map products". This is their first open map dataset.
fedilink

Side note, it’s pretty early days but we’ve just set up an !aistuff@lemdro.id community on Lemdro.id (where /r/android calls its home in the Fediverse).


2023 Layoff Tracker: Microsoft Cuts More Staff, Report Says
cross-posted from: https://lemdro.id/post/126296

> Microsoft reportedly let go of 1,000 employees over the past week in addition to the 10,000 it cut earlier this year, while Minnesota-based healthcare organization Allina Health announced plans to lay off nearly 350 employees, making them the latest U.S. companies to conduct layoffs this year as recession fears continue to push employers to make cuts...
fedilink