Author name: Shannon Garcia


Apple must open iPadOS to sideloading within 6 months, EU says

big regulations for a big iphone —

iPads must comply with the same DMA regulations as the iPhone.


Andrew Cunningham

Starting in March with the release of iOS 17.4, iPhones in the European Union have been subject to the EU’s Digital Markets Act (DMA), a batch of regulations that (among other things) forced Apple to support alternate app stores, app sideloading, and third-party browser engines in iOS for the first time. Today, EU regulators announced that they are also categorizing Apple’s iPadOS as a “gatekeeper,” meaning that the iPad will soon be subject to the same regulations as the iPhone.

The EU began investigating whether iPadOS would qualify as a gatekeeper in September 2023, the same day it decided that iOS, the Safari browser, and the App Store were all gatekeepers.

“Apple now has six months to ensure full compliance of iPadOS with the DMA obligations,” reads the EU’s blog post about the change.

Apple technically split the iPad’s operating system from the iPhone’s in 2019 when it began calling its tablet operating system “iPadOS” instead of iOS. But practically speaking, little separates the two operating systems under the hood. Both iOS and iPadOS share the same software build numbers, they’re updated in lockstep (with rare exceptions), and most importantly for DMA compliance purposes, they pull software from the same locked-down App Store with the same Apple-imposed restrictions in place.

Apps distributed through alternate app stores or third-party websites will have to abide by many of Apple’s rules and will still generally be limited to using Apple’s public APIs. However, the ability to use alternate app stores and browser engines on the iPad’s large screen (and the desktop-class M-series chips) could make the tablets better laptop replacements by allowing them to do more of the things that Mac users can do on their systems.

Though Apple has made multiple changes to iOS in the EU to comply with the DMA, EU regulators are already investigating Apple (as well as Google and Meta) for “non-compliance.” Depending on the results of that investigation, the EU may require Apple to make more changes to the way it allows third-party apps to be installed in iOS and to the way that third-party developers are allowed to advertise non-Apple app store and payment options. Any changes that Apple makes to iOS to comply with the investigation’s findings will presumably trickle down to the iPad as well.

Of course, none of this directly affects US-based iPhone or iPad users, whose devices remain restricted to Apple’s app stores and the WebKit browsing engine. That said, we have seen some recent App Store rule changes that have arguably trickled down from Apple’s attempts to comply with the DMA, most notably policy changes that have allowed (some, not all) retro game console emulators into the App Store for the first time.



FCC fines big three carriers $196M for selling users’ real-time location data

Illustration with a Verizon logo displayed on a smartphone in front of stock market percentages in the background.

Getty Images | SOPA Images

The Federal Communications Commission today said it fined T-Mobile, AT&T, and Verizon $196 million “for illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure.”

The fines relate to sharing of real-time location data that was revealed in 2018. The FCC proposed the fines in 2020, when the commission had a Republican majority, and finalized them today.

All three major carriers vowed to appeal the fines after they were announced today. The three carriers also said they discontinued the data-sharing programs that the fines relate to.

The fines are $80.1 million for T-Mobile, $57.3 million for AT&T, and $46.9 million for Verizon. T-Mobile is also on the hook for a $12.2 million fine issued to Sprint, which was bought by T-Mobile shortly after the penalties were proposed over four years ago.

Today, the FCC summarized its findings as follows:

The FCC Enforcement Bureau investigations of the four carriers found that each carrier sold access to its customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers. In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained. This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.

“Shady actors” got hold of data

The problem first came to light with reports of customer location data “being disclosed by the largest American wireless carriers without customer consent or other legal authorization to a Missouri Sheriff through a ‘location-finding service’ operated by Securus, a provider of communications services to correctional facilities, to track the location of numerous individuals,” the FCC said.

Chairwoman Jessica Rosenworcel said that news reports in 2018 “revealed that the largest wireless carriers in the country were selling our real-time location information to data aggregators, allowing this highly sensitive data to wind up in the hands of bail-bond companies, bounty hunters, and other shady actors. This ugly practice violates the law—specifically Section 222 of the Communications Act, which protects the privacy of consumer data.”

For a time after the 2018 reports, “all four carriers continued to operate their programs without putting in place reasonable safeguards to ensure that the dozens of location-based service providers with access to their customers’ location information were actually obtaining customer consent,” the FCC said.

The three carriers are ready to challenge the fines in court. “This industry-wide third-party aggregator location-based services program was discontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection and emergency response would not be disrupted,” T-Mobile said in a statement provided to Ars. “We take our responsibility to keep customer data secure very seriously and have always supported the FCC’s commitment to protecting consumers, but this decision is wrong, and the fine is excessive. We intend to challenge it.”



UK outlaws awful default passwords on connected devices

Tacking an S onto IoT —

The law aims to prevent global-scale botnet attacks.


Getty Images

If you build a gadget that connects to the Internet and sell it in the United Kingdom, you can no longer make the default password “password.” In fact, you’re not supposed to have default passwords at all.

A new version of the 2022 Product Security and Telecommunications Infrastructure Act (PTSI) is now in effect, covering just about everything that a consumer can buy that connects to the web. Under the guidelines, even the tiniest Wi-Fi board must either have a randomized password or else generate a password upon initialization (through a smartphone app or other means). This password can’t be incremental (“password1,” “password54”), and it can’t be “related in an obvious way to public information,” such as MAC addresses or Wi-Fi network names. A device should be sufficiently strong against brute-force access attacks, including credential stuffing, and should have a “simple mechanism” for changing the password.

There’s more, and it’s just as head-noddingly obvious. Software components, where reasonable, “should be securely updateable,” should actually check for updates, and should update either automatically or in a way “simple for the user to apply.” Perhaps most importantly, device owners can report security issues and expect to hear back about how that report is being handled.
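The default-password rules summarised above translate naturally into a check a device vendor could run against whatever password its provisioning step produces. The following is an added example written for this page, not code from the article, the UK regulator or any vendor: it rejects shared or incremental defaults and anything derivable from the MAC address or Wi-Fi network name, and generates a per-device random value instead. The minimum length, the deny-list and the character-class rule are this example's own assumptions, since the Act states principles rather than numbers.

```python
"""PSTI-style check of a per-device default password (added example).

Encodes the requirements the article summarises: no shared or incremental
default, nothing derived from public identifiers (MAC address, SSID), and a
random per-device value instead. MIN_LENGTH, COMMON_DEFAULTS and the
three-character-class rule are assumptions made for this example.
"""
import re
import secrets
import string

MIN_LENGTH = 12                                   # assumption, not from the Act
COMMON_DEFAULTS = {"password", "admin", "default", "12345678", "letmein"}
INCREMENTAL = re.compile(r"^[A-Za-z]+\d{1,4}$")   # "password1", "password54"
_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation)
_LOOKALIKES = "0O1lI|"                            # easy to misread on a printed label


def _normalise(s: str) -> str:
    """Lower-case and drop separators so 'AA:BB:CC' and 'aabbcc' compare equal."""
    return re.sub(r"[^0-9a-z]", "", s.lower())


def check_default_password(password: str, mac: str, ssid: str = "") -> list:
    """Return the rule codes the candidate breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if password.lower() in COMMON_DEFAULTS:
        problems.append("common_default")
    if INCREMENTAL.match(password):
        problems.append("incremental")
    norm = _normalise(password)
    mac_hex = _normalise(mac)
    # Full MAC, or its device-specific half (last 6 hex digits), embedded in the password
    if mac_hex and (mac_hex in norm or mac_hex[-6:] in norm):
        problems.append("derived_from_mac")
    ssid_norm = _normalise(ssid)
    if len(ssid_norm) >= 4 and ssid_norm in norm:
        problems.append("derived_from_ssid")
    # Require at least three of: lower, upper, digit, punctuation
    if sum(any(c in cls for c in password) for cls in _CLASSES) < 3:
        problems.append("low_diversity")
    return problems


def generate_device_password(length: int = 16) -> str:
    """Per-device random password with at least one character from each class."""
    strip = str.maketrans("", "", _LOOKALIKES)
    classes = [cls.translate(strip) for cls in _CLASSES]
    alphabet = "".join(classes)
    chars = [secrets.choice(cls) for cls in classes]            # one of each class
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                       # CSPRNG-backed shuffle
    return "".join(chars)


if __name__ == "__main__":
    mac, ssid = "AA:BB:CC:DD:EE:FF", "HomeNet"        # constructed sample identifiers
    for candidate in ("password", "password54", "Router-ddeeff!Xy9",
                      "HomeNet-2024!!xQ", generate_device_password()):
        print(f"{candidate!r}: {check_default_password(candidate, mac, ssid) or 'ok'}")
```

The MAC check normalises both sides so that the colon-separated form, the bare hex form and the vendor-stripped last three octets are all caught; the SSID check only fires for names of four or more characters to avoid false positives on very short network names.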

Violations of the new device laws can result in fines up to 10 million pounds (roughly $12.5 million) or 4 percent of related worldwide revenue, whichever is higher.

Besides giving consumers better devices, these regulations are aimed squarely at malware like Mirai, which can conscript devices like routers, cable modems, and DVRs into armies capable of performing distributed denial-of-service attacks (DDoS) on various targets.

As noted by The Record, the European Union’s Cyber Resilience Act has been shaped but not yet passed and enforced, and even if it does pass, would not take effect until 2027. In the US, there is the Cyber Trust Mark, which would at least give customers the choice of buying decently secured or genially abandoned devices. But the particulars of that label are under debate and seemingly a ways from implementation. At the federal level, a 2020 bill tasked the National Institute of Standards and Technology with applying related standards to connected devices deployed by the feds.



Account compromise of “unprecedented scale” uses everyday home devices

STUFF THIS —

Credential-stuffing attack uses proxies to hide bad behavior.


Getty Images

Authentication service Okta is warning about the “unprecedented scale” of an ongoing campaign that routes fraudulent login requests through the mobile devices and browsers of everyday users in an attempt to conceal the malicious behavior.

The attack, Okta said, uses other means to camouflage the login attempts as well, including the TOR network and so-called proxy services from providers such as NSOCKS, Luminati, and DataImpulse, which can also harness users’ devices without their knowledge. In some cases, the affected mobile devices are running malicious apps. In other cases, users have enrolled their devices in proxy services in exchange for various incentives.

Unidentified adversaries then use these devices in credential-stuffing attacks, which use large lists of login credentials obtained from previous data breaches in an attempt to access online accounts. Because the requests come from IP addresses and devices with good reputations, network security devices don’t give them the same level of scrutiny as logins from virtual private servers (VPS) that come from hosting services threat actors have used for years.

“The net sum of this activity is that most of the traffic in these credential-stuffing attacks appears to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers,” according to an advisory that Okta published over the weekend.

Okta’s advisory comes two weeks after Cisco’s Talos security team reported seeing a large-scale credential compromise campaign that was indiscriminately assailing networks with login attempts aimed at gaining unauthorized access to VPN, SSH, and web application accounts. These login attempts used both generic and valid usernames targeted at specific organizations. Cisco included a list of more than 2,000 usernames and almost 100 passwords used in the attacks, along with nearly 4,000 IP addresses that are sending the login traffic. The attacks led to hundreds of thousands or even millions of rejected authentication attempts.

Within days of Cisco’s report, Okta’s Identity Threat Research team observed a spike in credential-stuffing attacks that appeared to use a similar infrastructure. Okta said the spike lasted from April 19 through April 26, the day the company published its advisory.

Okta officials wrote:

Residential Proxies are networks of legitimate user devices that route traffic on behalf of a paid subscriber. Providers of residential proxies effectively rent access to route authentication requests through the computer, smartphone, or router of a real user, and proxy traffic through the IP of these devices to anonymize the source of the traffic.

Residential Proxy providers don’t tend to advertise how they build these networks of real user devices. Sometimes a user device is enrolled in a proxy network because the user consciously chooses to download “proxyware” into their device in exchange for payment or something else of value. At other times, a user device is infected with malware without the user’s knowledge and becomes enrolled in what we would typically describe as a botnet. More recently, we have observed a large number of mobile devices used in proxy networks where the user has downloaded a mobile app developed using compromised SDKs (software development kits). Effectively, the developers of these apps have consented to or have been tricked into using an SDK that enrolls the device of any user running the app in a residential proxy network.

People who want to ensure that malicious behavior isn’t routed through their devices or networks should pay close attention to the apps they install and the services they enroll in. Free or discounted services may be contingent on a user agreeing to terms of service that allow their networks or devices to proxy traffic from others. Malicious apps may also surreptitiously provide such proxy services.

Okta provides guidance for network administrators to repel credential-stuffing attacks. Chief among them is protecting accounts with a strong password—meaning one randomly generated and consisting of at least 11 characters. Accounts should also use multifactor authentication, ideally in a form that is compliant with the FIDO industry standard. The Okta advisory also includes advice for blocking malicious behavior from anonymizing proxy services.
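Because the traffic in this campaign arrives from residential IP addresses with clean reputations, reputation-based blocking is of little use; what still stands out is the shape of the traffic. The following is an added example written for this page, not Okta's or Cisco's code: it scores a constructed set of authentication log lines on two signals the article describes, one IP cycling through many distinct usernames in a short window, and one username being tried from many unrelated IPs, and then flags any sprayed username that ended in a successful login. The log format, the RFC 5737 sample addresses and the thresholds are this example's assumptions.

```python
"""Detecting credential stuffing by traffic shape, not IP reputation (added example).

Not Okta's or Cisco's code. Log format, addresses and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (RFC 5737 documentation addresses). The first lines mimic
# a spray routed through residential proxies; 192.0.2.50 is a shared office NAT
# whose several users log in hours apart and must NOT be flagged.
SAMPLE_LOG = """\
2024-04-22T10:00:01Z ip=203.0.113.5 user=alice result=fail
2024-04-22T10:00:03Z ip=203.0.113.5 user=bob result=fail
2024-04-22T10:00:05Z ip=203.0.113.5 user=carol result=fail
2024-04-22T10:00:08Z ip=203.0.113.5 user=dave result=fail
2024-04-22T10:00:11Z ip=203.0.113.5 user=erin result=fail
2024-04-22T10:00:15Z ip=203.0.113.5 user=frank result=fail
2024-04-22T10:00:20Z ip=198.51.100.7 user=alice result=fail
2024-04-22T10:00:22Z ip=198.51.100.7 user=bob result=fail
2024-04-22T10:00:31Z ip=192.0.2.9 user=alice result=fail
2024-04-22T10:00:44Z ip=198.51.100.22 user=alice result=success
2024-04-22T10:05:00Z ip=198.51.100.40 user=grace result=fail
2024-04-22T10:05:09Z ip=198.51.100.40 user=grace result=success
2024-04-22T11:00:00Z ip=192.0.2.50 user=heidi result=success
2024-04-22T11:40:00Z ip=192.0.2.50 user=ivan result=success
2024-04-22T12:20:00Z ip=192.0.2.50 user=judy result=success
2024-04-22T13:00:00Z ip=192.0.2.50 user=mallory result=success
2024-04-22T13:40:00Z ip=192.0.2.50 user=niaj result=success
"""

WINDOW = timedelta(minutes=10)   # assumption: sliding window for the per-IP signal
USERS_PER_IP = 5                 # assumption: distinct usernames from one IP in WINDOW
IPS_PER_USER = 3                 # assumption: distinct IPs trying the same username


def parse_line(line: str) -> dict:
    """'<iso-ts> k=v k=v ...' -> {'ts': datetime, 'ip': ..., 'user': ..., 'result': ...}"""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), **fields}


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def spraying_ips(events, window=WINDOW, threshold=USERS_PER_IP) -> dict:
    """IPs that tried >= threshold distinct usernames inside any `window`.

    Returns {ip: peak distinct-user count}. A sliding window keeps a slow,
    legitimately shared address (NAT, VPN egress) from tripping the rule.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append((e["ts"], e["user"]))
    flagged = {}
    for ip, attempts in by_ip.items():
        win = deque()
        for ts, user in attempts:
            win.append((ts, user))
            while ts - win[0][0] > window:      # evict attempts older than the window
                win.popleft()
            distinct = len({u for _, u in win})
            if distinct >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


def sprayed_users(events, threshold=IPS_PER_USER) -> dict:
    """Usernames attempted from >= threshold distinct IPs, i.e. a distributed spray."""
    ips = defaultdict(set)
    for e in events:
        ips[e["user"]].add(e["ip"])
    return {u: len(s) for u, s in ips.items() if len(s) >= threshold}


def likely_compromised(events) -> set:
    """Sprayed usernames that also recorded a success: first candidates for a forced reset."""
    sprayed = sprayed_users(events)
    return {e["user"] for e in events if e["user"] in sprayed and e["result"] == "success"}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("spraying IPs:     ", spraying_ips(ev))
    print("sprayed usernames:", sprayed_users(ev))
    print("review/reset:     ", likely_compromised(ev))
```

Note that 198.51.100.22, the address that actually succeeded against alice, never looks suspicious on its own: it made one request and it worked. Only correlating it with the failures against the same username from other addresses surfaces it, which is why the per-username signal matters more than the per-IP one when the source addresses are rented residential devices.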



Customers say Meta’s ad-buying AI blows through budgets in a matter of hours

Spending money is just so hard … can’t a computer do it for me? —

Based on your point of view, the AI either doesn’t work or works too well.

AI is here to terminate your bank account.


Carolco Pictures

Give the AI access to your credit card, they said. It’ll be fine, they said. Users of Meta’s ad platform who followed that advice have been getting burned by an AI-powered ad purchasing system, according to The Verge. The idea was to use a Meta-developed AI to automatically set up ads and spend your ad budget, saving you the hassle of making decisions about your ad campaign. Apparently, the AI funnels money to Meta a little too well: Customers say it burns through what should be daily ad budgets in a matter of hours, and costs are inflated as much as 10-fold.

The AI-powered software in question is the “Advantage+ Shopping Campaign.” The system is supposed to automate a lot of ad setup for you, mixing and matching various creative elements and audience targets. The power of AI-powered advertising (Google has a similar product) is that the ad platform can get instant feedback on its generated ads via click-through rates. You give it a few guard rails, and it can try hundreds or thousands of combinations to find the most clickable ad at a speed and efficiency no human could match. That’s the theory, anyway.

The Verge spoke to “several marketers and businesses” with similar stories of being hit by an AI-powered spending spree once they let Meta’s system take over a campaign. The description of one account says the AI “had blown through roughly 75 percent of the daily ad budgets for both clients in under a couple of hours” and that “the ads’ CPMs, or cost per impressions, were roughly 10 times higher than normal.” Meanwhile, the revenue earned from those AI-powered ads was “nearly zero.” The report says, “Small businesses have seen their ad dollars get wiped out and wasted as a result, and some have said the bouts of overspending are driving them from Meta’s platforms.”

Meta’s Advantage+ sales pitch promises to “Use machine learning to identify and aim for your highest value customers across all of Meta’s family of apps and services, with minimal input.” The service can “Automatically test up to 150 creative combinations and deliver the highest performing ads.” Meta promises that “on average, companies have seen a 17 percent reduction in cost per action [an action is typically a purchase, registration, or sign-up] and a 32 percent increase in return on ad spend.”

In response to the complaints, a Meta spokesperson told The Verge the company had fixed “a few technical issues” and that “Our ads system is working as expected for the vast majority of advertisers. We recently fixed a few technical issues and are researching a small amount of additional reports from advertisers to ensure the best possible results for businesses using our apps.” The Verge got that statement a few weeks ago, though, and advertisers are still having issues. The report describes the service as “unpredictable” and says what “other marketers thought was a one-time glitch by Advantage Plus ended up becoming a recurring incident for weeks.”

To make matters worse, layoffs in Meta’s customer service department mean it’s been difficult to get someone at Meta to deal with the AI’s spending sprees. Some accounts report receiving refunds after complaining, but it can take several tries to get someone at customer service to deal with you and upward of a month to receive a refund. Some customers quoted in the report have decided to return to the pre-AI, non-automated way of setting up a Meta ad campaign, which can take “an extra 10 to 20 minutes.”



Swimming and spinning aquatic spiders use slick survival strategies

Spider (He is our hero) —

Some make nests inside seashells, others tote bubbles of air on their backs.

Of all the aquatic spiders, the diving bell spider is the only one known to survive almost entirely underwater, using bubbles of air it brings down from the surface.

Shrubbery, toolsheds, basements—these are places one might expect to find spiders. But what about the beach? Or in a stream? Some spiders make their homes near or, more rarely, in water: tucking into the base of kelp stalks, spinning watertight cocoons in ponds or lakes, hiding under pebbles at the seaside or creek bank.

“Spiders are surprisingly adaptable, which is one of the reasons they can inhabit this environment,” says Ximena Nelson, a behavioral biologist at the University of Canterbury in Christchurch, New Zealand.

Finding aquatic or semiaquatic spiders is difficult work, Nelson says: She and a student have spent four years chasing a jumping spider known as Marpissa marina around the pebbly seaside beaches it likes, but too often, as soon as they manage to find one it disappears again under rocks. And sadly, some aquatic spiders may disappear altogether before they come to scientists’ attention, as their watery habitats shrivel due to climate change and other human activities.

What scientists do know is that dozens of described spider species spend at least some of their time in or near the water, and more are almost surely awaiting discovery, says Sarah Crews, an arachnologist at the California Academy of Sciences in San Francisco. It also appears that spiders evolved aquatic preferences on several distinct occasions during the history of this arthropod order. Crews and colleagues surveyed spiders and reported in 2019 that 21 taxonomic families include semiaquatic species, suggesting that the evolutionary event occurred multiple independent times. Only a swashbuckling few—not even 0.3 percent of described spider species—are seashore spiders; many more have been found near fresh water, says Nelson.

It’s not clear what would induce successful land-dwelling critters to move to watery habitats. Spiders, as a group, probably evolved about 400 million years ago from chunkier creatures that had recently left the water. These arthropods lacked the skinny waist sported by modern spiders. Presumably, the spiders that later returned to a life aquatic were strongly drawn by something to eat there, or driven by unsafe conditions on land, says Geerat Vermeij, a paleobiologist and professor emeritus at the University of California, Davis — because water would have presented major survival challenges.

“Since they depend on air so much, they are severely limited in whether they can do anything at all when they are submerged, other than just toughing it out,” says Vermeij. Newly aquatic spiders would have had to compete with predators better adapted to watery conditions, such as crustaceans, with competition particularly fierce in the oceans, Vermeij says. And if water floods a spider’s air circulation system, it will die, so adaptations were obviously needed.



NASA still doesn’t understand root cause of Orion heat shield issue

Flight rationale —

“When we stitch it all together, we’ll either have flight rationale or we won’t.”

NASA's Orion spacecraft descends toward the Pacific Ocean on December 11, 2021, at the end of the Artemis I mission.


NASA

NASA officials declared the Artemis I mission successful in late 2021, and it’s hard to argue with that assessment. The Space Launch System rocket and Orion spacecraft performed nearly flawlessly on an unpiloted flight that took it around the Moon and back to Earth, setting the stage for Artemis II, the program’s first crewed mission.

But one of the things engineers saw on Artemis I that didn’t quite match expectations was an issue with the Orion spacecraft’s heat shield. As the capsule streaked back into Earth’s atmosphere at the end of the mission, the heat shield ablated, or burned off, in a different manner than predicted by computer models.

More of the charred material than expected came off the heat shield during the Artemis I reentry, and the way it came off was somewhat uneven, NASA officials said. Orion’s heat shield is made of a material called Avcoat, which is designed to burn off as the spacecraft plunges into the atmosphere at 25,000 mph (40,000 km per hour). Coming back from the Moon, Orion encountered temperatures up to 5,000° Fahrenheit (2,760° Celsius), hotter than a spacecraft sees when it reenters the atmosphere from low-Earth orbit.

Despite the heat shield issue, the Orion spacecraft safely splashed down in the Pacific Ocean. Engineers discovered the uneven charring during post-flight inspections.

No answers yet

Amit Kshatriya, who oversees development for the Artemis missions in NASA’s exploration division, said Friday that the agency is still looking for the root cause of the heat shield issue. Managers want to be sure they understand the cause before proceeding with Artemis II, which will send astronauts Reid Wiseman, Victor Glover, Christina Koch, and Jeremy Hansen on a 10-day flight around the far side of the Moon.

This will be the first time humans fly near the Moon since the last Apollo mission in 1972. In January, NASA announced a delay in the launch of Artemis II from late 2024 until September 2025, largely due to the unresolved investigation into the heat shield issue.

“We are still in the middle of our investigation on the performance of the heat shield from Artemis I,” Kshatriya said Friday in a meeting with a committee of the NASA Advisory Council.

Engineers have performed sub-scale heat shield tests in wind tunnels and arc jet facilities to better understand what led to the uneven charring on Artemis I. “We’re getting close to the final answer in terms of that cause,” Kshatriya said.

NASA officials previously said it is unlikely they will need to make changes to the heat shield already installed on the Orion spacecraft for Artemis II, but haven’t ruled it out. A redesign or modifications to the Orion heat shield on Artemis II would probably delay the mission by at least a year.

Instead, engineers are analyzing all of the possible trajectories the Orion spacecraft could fly when it reenters the atmosphere at the end of the Artemis II mission. On Artemis I, Orion flew a skip reentry profile, where it dipped into the atmosphere, skipped back into space, and then made a final descent into the atmosphere, sort of like a rock skipping across a pond. This profile allows Orion to make more precise splashdowns near recovery teams in the Pacific Ocean and reduces g-forces on the spacecraft and the crew riding inside. It also splits up the heat load on the spacecraft into two phases.

The Apollo missions flew a direct reentry profile. There is also a reentry mode available called a ballistic entry, in which the spacecraft would fly through the atmosphere unguided.

Ground teams at NASA's Kennedy Space Center in Florida moved the Orion spacecraft for the Artemis II mission into an altitude chamber earlier this month.


The charred material began flying off the heat shield in the first phase of the skip reentry. Engineers are looking at how the skip reentry profile affected the performance of the Orion heat shield. NASA wants to understand how the Orion heat shield would perform during each of the possible reentry trajectories for Artemis II.

“What we have the analysis teams off doing is saying, ‘OK, independent of what the constraints are going to be, what can we tolerate?’” Kshatriya said.

Once officials understand the cause of the heat shield charring, engineers will determine what kind of trajectory Artemis II needs to fly on reentry to minimize risk to the crew. Then, managers will look at building what NASA calls flight rationale. Essentially, this is a process of convincing themselves the spacecraft is safe to fly.

“When we stitch it all together, we’ll either have flight rationale or we won’t,” Kshatriya said.

Assuming NASA approves the flight rationale for Artemis II, there will be additional discussions about how to ensure Orion heat shields are safe to fly on downstream Artemis missions, which will have higher-speed reentry profiles as astronauts return from landings on the Moon.

In the meantime, preparations on the Orion spacecraft for Artemis II continue at NASA’s Kennedy Space Center. The crew and service modules for Artemis II were mated together earlier this year, and the entire Orion spacecraft is now inside a vacuum chamber for environmental testing.



Putting Microsoft’s cratering Xbox console sales in context

Down but not out —

Why declining quarterly numbers might not be awful news for Microsoft’s gaming business.

Scale is important, especially when talking about relative console sales.


Aurich Lawson | Getty Images

Yesterday, Microsoft announced that it made 31 percent less off Xbox hardware in the first quarter of 2024 (ending in March) than it had the year before, a decrease it says was “driven by lower volume of consoles sold.” And that’s not because the console sold particularly well a year ago, either; Xbox hardware revenue for the first calendar quarter of 2023 was already down 30 percent from the previous year.

Those two data points speak to a console that is struggling to substantially increase its player base during a period that should, historically, be its strongest sales period. But getting wider context on those numbers is a bit difficult because of how Microsoft reports its Xbox sales numbers (i.e., only in terms of quarterly changes in total console hardware revenue). Comparing those annual shifts to the unit sales numbers that Nintendo and Sony report every quarter is not exactly simple.

Context clues

Significant declines in Xbox hardware revenue for four of the last five quarters stand out relative to competitors' unit sales.


Kyle Orland

To attempt some direct contextual comparison, we took unit sales numbers for some recent successful Sony and Nintendo consoles and converted them to Microsoft-style year-over-year percentage changes (aligned with the launch date for each console). For this analysis, we skipped over each console’s launch quarter, which contains less than three months of total sales (and often includes a lot of pent-up early adopter demand). We also skipped the first four quarters of a console’s life cycle, which don’t have a year-over-year comparison point from 12 months prior.

This still isn’t a perfect comparison. Unit sales don’t map directly to total hardware revenue due to things like inflation, remainder sales of Xbox One hardware, and price cuts/discounts (though the Xbox Series S/X, PS5, and Switch still have yet to see official price drops). It also doesn’t take into account the baseline sales levels from each console’s first year of sales, making total lifetime sales performance on the Xbox side hard to gauge (though recent data from a Take-Two investment call suggests the Xbox Series S/X has been heavily outsold by the PS5, at this point).

Even with all those caveats, the comparative data trends are pretty clear. At the start of their fourth full year on the market, recent successful consoles have been enjoying a general upswing in their year-over-year sales. Microsoft stands out as a major outlier, making less revenue from Xbox hardware in four of the last five quarters on a year-over-year basis.

Falling like dominoes.


Aurich Lawson

Those numbers suggest that the hardware sales rate for the Xbox Series S/X may have already peaked in the last year or two. That would be historically early for a console of this type; previous Ars analyses have shown PlayStation consoles generally see their sales peaks in their fourth or fifth year of life, and Nintendo portables have shown a similar sales trend, historically. The Xbox Series S/X progression, on the other hand, looks more similar to that of the Wii U, which was already deep in a “death spiral” at a similar point in its commercial life.

This is not the end

In the past, console sales trends like these would have been the sign of a hardware maker’s wider struggles to stay afloat in the gaming business. However, in today’s gaming market, Microsoft is in a place where console sales are not strictly required for overall success.

For instance, Microsoft’s total gaming revenue for the latest reported quarter was up 51 percent, thanks in large part to the “net impact from the Activision Blizzard acquisition.” Even before that (very expensive) merger was completed, Microsoft’s total gaming revenue was often partially buoyed by “growth in Game Pass” and strong “software content” sales across PC and other platforms.

Owning Call of Duty means being one of the biggest PS5 game publishers almost by definition.

Activision

Perhaps it’s no surprise that Microsoft has shown increasing willingness to take some former Xbox console exclusives to other platforms in recent months. In fact, following the Activision/Blizzard merger, Microsoft is now publishing more top-sellers on the PS5 than Sony. And let’s not forget the PC market, where Microsoft continues to sell millions of games above and beyond its PC Game Pass subscription business.

So, while the commercial future of Xbox hardware may look a bit uncertain, the future of Microsoft’s overall gaming business is in much less dire straits. That would be true even if Microsoft’s Xbox hardware revenue fell by 100 percent.



Court upholds New York law that says ISPs must offer $15 broadband


A federal appeals court today reversed a ruling that prevented New York from enforcing a law requiring Internet service providers to sell $15 broadband plans to low-income consumers. The ruling is a loss for six trade groups that represent ISPs, although it isn’t clear right now whether the law will be enforced.

New York’s Affordable Broadband Act (ABA) was blocked in June 2021 by a US District Court judge who ruled that the state law is rate regulation and preempted by federal law. Today, the US Court of Appeals for the 2nd Circuit reversed the ruling and vacated the permanent injunction that barred enforcement of the state law.

For consumers who qualify for means-tested government benefits, the state law requires ISPs to offer “broadband at no more than $15 per month for service of 25Mbps, or $20 per month for high-speed service of 200Mbps,” the ruling noted. The law allows for price increases every few years and makes exemptions available to ISPs with fewer than 20,000 customers.

“First, the ABA is not field-preempted by the Communications Act of 1934 (as amended by the Telecommunications Act of 1996), because the Act does not establish a framework of rate regulation that is sufficiently comprehensive to imply that Congress intended to exclude the states from entering the field,” a panel of appeals court judges stated in a 2-1 opinion.

Trade groups claimed the state law is preempted by former Federal Communications Commission Chairman Ajit Pai’s repeal of net neutrality rules. Pai’s repeal placed ISPs under the more forgiving Title I regulatory framework instead of the common-carrier framework in Title II of the Communications Act.

2nd Circuit judges did not find this argument convincing:

Second, the ABA is not conflict-preempted by the Federal Communications Commission’s 2018 order classifying broadband as an information service. That order stripped the agency of its authority to regulate the rates charged for broadband Internet, and a federal agency cannot exclude states from regulating in an area where the agency itself lacks regulatory authority. Accordingly, we REVERSE the judgment of the district court and VACATE the permanent injunction.

Be careful what you lobby for

The judges’ reasoning is similar to what a different appeals court said in 2019 when it rejected Pai’s attempt to preempt all state net neutrality laws. In that case, the US Court of Appeals for the District of Columbia Circuit said that “in any area where the Commission lacks the authority to regulate, it equally lacks the power to preempt state law.” In a related case, ISPs were unable to block a California net neutrality law.

Several of the trade groups that sued New York “vociferously lobbied the FCC to classify broadband Internet as a Title I service in order to prevent the FCC from having the authority to regulate them,” today’s 2nd Circuit ruling said. “At that time, Supreme Court precedent was already clear that when a federal agency lacks the power to regulate, it also lacks the power to preempt. The Plaintiffs now ask us to save them from the foreseeable legal consequences of their own strategic decisions. We cannot.”

Judges noted that there are several options for ISPs to try to avoid regulation:

If they believe a requirement to provide Internet to low-income families at a reduced price is unfair or misguided, they have several pathways available to them. They could take it up with the New York State Legislature. They could ask Congress to change the scope of the FCC’s Title I authority under the Communications Act. They could ask the FCC to revisit its classification decision, as it has done several times before. But they cannot ask this Court to distort well-established principles of administrative law and federalism to strike down a state law they do not like.

Coincidentally, the 2nd Circuit issued its opinion one day after current FCC leadership reclassified broadband again in order to restore net neutrality rules. ISPs might now have a better case for preempting the New York law. The FCC itself won’t necessarily try to preempt New York’s law, but the agency’s net neutrality order does specifically reject rate regulation at the federal level.



Android TV has access to your entire account—but Google is changing that

It’s all just Android —

Should sideloading Chrome on an old smart TV really compromise your entire account?


Google says it has patched a nasty loophole in the Android TV account security system, which would grant attackers with physical access to your device access to your entire Google account just by sideloading some apps. As 404 Media reports, the issue was originally brought to Google’s attention by US Sen. Ron Wyden (D-Ore.) as part of a “review of the privacy practices of streaming TV technology providers.” Google originally told the senator that the issue was expected behavior but, after media coverage, decided to change its stance and issue some kind of patch.

“My office is mid-way through a review of the privacy practices of streaming TV technology providers,” Wyden told 404 Media. “As part of that inquiry, my staff discovered an alarming video in which a YouTuber demonstrated how with 15 minutes of unsupervised access to an Android TV set-top box, a criminal could get access to private emails of the Gmail user who set up the TV.”

The video in question was a PSA from YouTuber Cameron Gray, and it shows that grabbing any Android TV device and sideloading a few apps will grant access to the current Google account. This is obvious if you know how Android works, but it’s not obvious to most users looking at a limited TV interface.

The heart of the issue is how Android treats your Google account. Because the OS started on phones, every Android device is set up on the assumption that it is a private, one-person device. Google has layered multiuser support and guest accounts on top of that, but they aren’t part of the default setup flow, can be hard to find, and are probably disabled on many Android TV boxes. The result is that signing in to an Android TV device usually gives it access to your entire Google account.

Android has a centralized Google account system shared by a million Google-centric background and syncing processes, the Play Store, and nearly all Google apps. When you boot an Android device for the first time, the guided setup asks for a Google account, which is expected to live on the device forever as the owner’s primary account. Any new Google app you add to your device automatically gets access to this central Google account repository, so if you set up the phone and then install Google Keep, Keep automatically gets signed in and gains access to your notes. During the initial setup, where you might install 10 different apps that use a Google account, it would be annoying to enter your username and password over and over again.

This centralized account system is hungry for Google accounts, so any Google account you use to sign in to any Google app gets sucked into the central account system, even if you decline the initial setup. A common annoyance is to have a Google Workspace account at work, then sign into Gmail for work email and then have to deal with this useless work account showing up in the Play Store, Maps, Photos, etc.

For TVs, this presents a unique gotcha because, while you will still be forced to log in to download something from the Play Store, it’s not obvious to the user that you’re granting this device access to your entire Google account—including to potentially sensitive things like location history, emails, and messages. To the average user, a TV device just shows “TV stuff” like your YouTube recommendations and a few TV-specific Play Store apps, so you might not consider it to be a high-sensitivity sign-in. But if you just sideload a few more Google apps, you can get access to anything. Further confusing matters is Google’s OAuth strategy, which teaches users that there are things like scoped access to a Google account on third-party devices or sites, but Android does not work that way.

In the video, Gray simply grabs an Android TV device, goes to a third-party Android app site, then sideloads Chrome. Chrome automatically signs in to the TV owner’s Google account and has access to all passwords and cookies, which means access to Gmail, Photos, Chat history, Drive files, YouTube accounts, AdSense, any site that allows for Google sign-in, and partial credit card info. It’s all available in Chrome without any security checks. Individual apps like Gmail and Google Photos would immediately start working, too.

As Gray’s video points out, Android TV devices can be dongles, set-top boxes, or code installed right into a TV. In businesses and hotels, they can be semi-public devices. It’s also not hard to imagine a TV device falling into the hands of someone else. You might not worry too much about forgetting a $30 Chromecast in a hotel room, or you might sign in to a hotel TV and forget to delete your account, or you might throw out a TV and not think twice about what account it’s signed in to. If an attacker gets access to any of these devices later, it’s trivial to unlock your entire Google account.

Google says it has fixed this problem, though it doesn’t explain how. The company’s statement to 404 says, “Most Google TV devices running the latest versions of software already do not allow this depicted behavior. We are in the process of rolling out a fix to the rest of the devices. As a best security practice, we always advise users to update their devices to the latest software.”

Many Android TV devices, especially those built into TV sets, are abandonware running old versions of the software, but Google’s account system is updated through the Play Store, so there’s a good chance a fix can reach most devices. In the meantime, the account owner’s side of the fix is the same as for any shared device: sign out before handing over or disposing of a TV device, and review and remove forgotten sign-ins from the devices list on the Google Account security page.



Hackers try to exploit WordPress plugin vulnerability that’s as severe as it gets

GOT PATCHES? —

WP Automatic plugin patched, but release notes don’t mention the critical fix.


Hackers are assailing websites using a prominent WordPress plugin with millions of attempts to exploit a high-severity vulnerability that allows complete takeover, researchers said.

The vulnerability resides in WordPress Automatic, a plugin with more than 38,000 paying customers. Websites running the WordPress content management system use it to incorporate content from other sites. Researchers from security firm Patchstack disclosed last month that WP Automatic versions 3.92.0 and below had a vulnerability with a severity rating of 9.9 out of a possible 10. The plugin developer, ValvePress, silently published a patch, which is available in versions 3.92.1 and beyond.

Researchers have classified the flaw, tracked as CVE-2024-27956, as a SQL injection, a class of vulnerability that stems from a web application building database queries by pasting untrusted input into the query text. SQL syntax uses apostrophes to mark the beginning and end of a data string, so by entering strings with specially positioned apostrophes into vulnerable website fields, attackers can break out of the intended string and alter the query itself, making it return confidential data, grant administrative privileges, or otherwise subvert how the web app works.

“This vulnerability is highly dangerous and expected to become mass exploited,” Patchstack researchers wrote on March 13.

Fellow web security firm WPScan said Thursday that it has logged more than 5.5 million attempts to exploit the vulnerability since the March 13 disclosure by Patchstack. The attempts, WPScan said, started slowly and peaked on March 31. The firm didn’t say how many of those attempts succeeded.

WPScan said that CVE-2024-27956 allows unauthenticated website visitors to create admin‑level user accounts, upload malicious files, and take full control of affected sites. The flaw, which resides in how the plugin checks whether a request is authorized, lets attackers bypass that check and run SQL that grants them administrator privileges. From there, they can upload and execute malicious payloads and rename the vulnerable plugin file so that neither the site owner nor rival attackers can use the same entry point.

Successful attacks typically follow this process:

  • SQL Injection (SQLi): Attackers leverage the SQLi vulnerability in the WP‑Automatic plugin to execute unauthorized database queries.
  • Admin User Creation: With the ability to execute arbitrary SQL queries, attackers can create new admin‑level user accounts within WordPress.
  • Malware Upload: Once an admin‑level account is created, attackers can upload malicious files, typically web shells or backdoors, to the compromised website’s server.
  • File Renaming: Attackers may rename the vulnerable WP‑Automatic file to ensure only they can exploit it.

WPScan researchers explained:

Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code. To evade detection and maintain access, attackers may also rename the vulnerable WP‑Automatic file, making it difficult for website owners or security tools to identify or block the issue. It’s worth mentioning that it may also be a way for attackers to prevent other bad actors from successfully exploiting their already compromised sites. Also, since the attacker can use their acquired high privileges to install plugins and themes on the site, we noticed that, in most of the compromised sites, the bad actors installed plugins that allowed them to upload files or edit code.
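The chain above (rogue admin account, uploaded backdoor, extra plugins) leaves traces in the WordPress database that are easy to check for. The following is an added example, not code from WPScan, Patchstack, or the plugin: a triage script that flags administrator accounts the owner did not create or that were registered after a baseline date, and active plugins missing from a known inventory. The baseline date, the known admin logins, the plugin inventory, and the user rows (including the made-up login `xtw18387` and the made-up plugin `upload-helper/upload-helper.php`) are all constructed assumptions; the table shapes and the PHP-serialized `wp_capabilities` and `active_plugins` values follow WordPress’s real storage format. On a live site the same queries would run against MySQL with the site’s table prefix. The renamed-file check is left out because the page does not name the file.

```python
# Added example, not from WPScan or Patchstack: a post-exploitation triage
# check that mirrors the chain described above (rogue admin accounts, plugins
# the owner did not install), run against constructed WordPress-style tables
# in an in-memory SQLite database.
import re
import sqlite3
from datetime import datetime

BASELINE = datetime(2024, 3, 1)            # assumption: date of the last known-good audit
KNOWN_ADMINS = {"siteowner"}               # assumption: admin logins the owner created
KNOWN_PLUGINS = {"wp-automatic/wp-automatic.php"}  # assumption: the owner's plugin inventory


def make_db():
    """Constructed rows in the shape of wp_users, wp_usermeta and wp_options."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
    """)
    # WordPress stores roles as a PHP-serialized map under the wp_capabilities meta key.
    admin_caps = 'a:1:{s:13:"administrator";b:1;}'
    subscriber_caps = 'a:1:{s:10:"subscriber";b:1;}'
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "siteowner", "2022-05-01 10:00:00"),
        (2, "reader",    "2023-11-12 08:30:00"),
        (3, "xtw18387",  "2024-03-20 02:14:55"),  # constructed: an account nobody remembers creating
    ])
    db.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", [
        (1, "wp_capabilities", admin_caps),
        (2, "wp_capabilities", subscriber_caps),
        (3, "wp_capabilities", admin_caps),
    ])
    # active_plugins is likewise a PHP-serialized array of plugin file paths.
    # The second entry is a made-up name standing in for an attacker-installed uploader.
    db.execute("INSERT INTO wp_options VALUES (?, ?)", (
        "active_plugins",
        'a:2:{i:0;s:29:"wp-automatic/wp-automatic.php";i:1;s:31:"upload-helper/upload-helper.php";}',
    ))
    db.commit()
    return db


def rogue_admins(db):
    """Administrator accounts that are unknown or were registered after the baseline."""
    rows = db.execute("""
        SELECT u.user_login, u.user_registered
        FROM wp_users AS u
        JOIN wp_usermeta AS m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities'
          AND m.meta_value LIKE '%"administrator"%'
        ORDER BY u.ID
    """).fetchall()
    flagged = []
    for login, registered in rows:
        created = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        if login not in KNOWN_ADMINS or created > BASELINE:
            flagged.append(login)
    return flagged


def unexpected_plugins(db):
    """Active plugins missing from the known inventory."""
    (blob,) = db.execute(
        "SELECT option_value FROM wp_options WHERE option_name = 'active_plugins'"
    ).fetchone()
    # Pull the string values out of the serialized array; good enough for plugin
    # paths, which never contain a double quote.
    active = re.findall(r's:\d+:"([^"]+)"', blob)
    return [path for path in active if path not in KNOWN_PLUGINS]


if __name__ == "__main__":
    db = make_db()
    print("admin accounts to verify:", rogue_admins(db))
    print("plugins to verify:", unexpected_plugins(db))
```

Anything the script flags needs a human decision, not an automatic delete: an attacker who already holds an admin account can also have planted files outside the plugin directory, so a positive hit is a reason to pull the rest of the WPScan indicators, not the end of the investigation.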

The attacks began shortly after March 13, 15 days after ValvePress released version 3.92.1 without mentioning the critical patch in the release notes. ValvePress representatives didn’t immediately respond to a message seeking an explanation.

While researchers at Patchstack and WPScan are classifying CVE-2024-27956 as SQL injection, an experienced developer said his reading of the vulnerability is that it’s either improper authorization (CWE-285) or a subcategory of improper access control (CWE-284).

“According to Patchstack.com, the program is supposed to receive and execute an SQL query, but only from an authorized user,” the developer, who didn’t want to use his name, wrote in an online interview. “The vulnerability is in how it checks the user’s credentials before executing the query, allowing an attacker to bypass the authorization. SQL injection is when the attacker embeds SQL code in what was supposed to be only data, and that’s not the case here.”
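The distinction the developer draws is worth seeing in code. The following is an added example and is not the plugin’s code nor a reproduction of CVE-2024-27956: it puts a textbook SQL injection next to a hypothetical endpoint that runs caller-supplied SQL on purpose but guards it with a broken authorization check, each beside a fixed version. The table, the two user rows, the shared secret, and the specific flaw in the gate (a token that is only checked when one is sent) are all assumptions chosen to illustrate the two bug classes, not details taken from the plugin.

```python
# Added example (not the plugin's code, and not a reproduction of
# CVE-2024-27956): the two bug classes the article contrasts, shown on an
# in-memory SQLite database with constructed rows.
import hmac
import sqlite3


def make_db():
    """Constructed sample data standing in for a WordPress-style users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users (login, role) VALUES (?, ?)",
        [("alice", "administrator"), ("bob", "subscriber")],
    )
    db.commit()
    return db


# --- Class 1: SQL injection (CWE-89). The app builds the query text itself;
#     the attacker's job is to smuggle SQL in through a field meant for data.
def lookup_vulnerable(db, login):
    # Untrusted input is pasted into the statement. A stray apostrophe ends the
    # string early and whatever follows is parsed as SQL.
    sql = f"SELECT login, role FROM users WHERE login = '{login}' ORDER BY id"
    return db.execute(sql).fetchall()


def lookup_fixed(db, login):
    # Parameterized query: the value travels separately from the statement and
    # can never change its structure, apostrophes included.
    return db.execute(
        "SELECT login, role FROM users WHERE login = ? ORDER BY id", (login,)
    ).fetchall()


# --- Class 2: improper authorization (CWE-285). Running caller-supplied SQL
#     is the endpoint's intended feature; the defect is in the gate in front
#     of it. No quote trickery is needed, only a request the gate waves through.
SECRET = "example-shared-secret"  # assumption: a per-site secret a legitimate caller must present


def run_query_vulnerable(db, sql, auth=None):
    # Hypothetical flawed check: the token is only compared when one is sent,
    # so a request that omits it entirely is executed as if it were authorized.
    if auth is not None and auth != SECRET:
        raise PermissionError("bad token")
    return db.execute(sql).fetchall()


def run_query_fixed(db, sql, auth=None):
    # Fail closed: a missing token is a failed check, and the comparison is
    # constant-time so the secret cannot be guessed byte by byte.
    if auth is None or not hmac.compare_digest(auth, SECRET):
        raise PermissionError("bad token")
    return db.execute(sql).fetchall()


def rejected(fn, *args, **kwargs):
    """True if the call is refused with PermissionError."""
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False


def demo():
    db = make_db()
    payload = "x' OR '1'='1"  # classic probe: closes the string, adds an always-true clause
    admin_q = "SELECT login FROM users WHERE role = 'administrator'"
    return {
        "sqli_leaks_all_rows": lookup_vulnerable(db, payload),
        "parameterized_returns_nothing": lookup_fixed(db, payload),
        "authz_bypass_no_token": run_query_vulnerable(db, admin_q),
        "authz_fixed_rejects_no_token": rejected(run_query_fixed, db, admin_q),
        "authz_fixed_rejects_wrong_token": rejected(run_query_fixed, db, admin_q, auth="guess"),
        "authz_fixed_accepts_right_token": run_query_fixed(db, admin_q, auth=SECRET),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical difference matters for both the fix and the detection: parameterizing queries does nothing for the second class, because the attacker never needed to inject anything, and a web application firewall rule that looks for apostrophes in parameters will not see the request at all. The fix for the second class is the authorization check failing closed, and the thing to hunt for in logs is the privileged endpoint being called without a valid credential.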

Whatever the classification, the vulnerability is about as severe as it gets. Users should update the plugin immediately. Patching closes the entry point but does not undo a compromise that has already happened, so site owners should also check their servers for signs of exploitation using the indicators of compromise in the WPScan post: administrator accounts they did not create, plugins and themes they did not install, web shells or other unexpected files, and a renamed plugin file.



US’s power grid continues to lower emissions—everything else, not so much

Down, but not down enough —

Excluding one pandemic year, emissions are lower than they’ve been since the 1980s.

Graph showing total US carbon emissions, along with individual sources. Most trends are largely flat or show slight declines.

On Thursday, the US Department of Energy released its preliminary estimate for the nation’s carbon emissions in the previous year. Any drop in emissions puts us on a path that would avoid some of the catastrophic warming scenarios that were still on the table at the turn of the century. But if we’re to have a chance of meeting the Paris Agreement goal of keeping the planet from warming beyond 2° C, we’ll need to see emissions drop dramatically in the near future.

So, how is the US doing? Emissions continue to trend downward, but there’s no sign the drop has accelerated. And most of the drop has come from a single sector: changes in the power grid.

Off the grid, on the road

US carbon emissions have been trending downward since roughly 2007, when they peaked at about six gigatonnes. In recent years, the pandemic produced a dramatic drop in 2020, lowering emissions to under five gigatonnes for the first time since before 1990, when the EIA’s data starts. Emissions rose a bit afterward; 2023 marks the first post-pandemic decline, with emissions again clearly below five gigatonnes.

The DOE’s Energy Information Administration (EIA) divides the sources of carbon dioxide into five different sectors: electricity generation, transportation, and residential, commercial, and industrial uses. The EIA assigns 80 percent of the 2023 reduction in US emissions to changes in the electric power grid, which is not a shock given that it’s the only sector that’s seen significant change in the entire 30-year period the EIA is tracking.

With hydro in the rearview mirror, wind and solar are coming after coal and nuclear.

What’s happening with the power grid? Several things. At the turn of the century, coal accounted for over half of the US’s electricity generation; it’s now down to 16 percent. Within the next two years, it’s likely to be passed by wind and solar, which were indistinguishable from zero percent of generation as recently as 2004. Things would be even better for them if not for generally low wind speeds leading to a decline in wind generation in 2023. The biggest change, however, has been the rise of natural gas, which went from 10 percent of generation in 1990 to over 40 percent in 2023.

A small contributor to the lower emissions came from lower demand—it dropped by a percentage point compared to 2022. Electrification of transport and appliances, along with the growth of AI processing, are expected to send demand soaring in the near future, but there’s no indication of that on the grid yet.

Currently, generating electricity accounts for 30 percent of the US’s carbon emissions. That places it as the second most significant contributor, behind transportation, which is responsible for 39 percent of emissions. The EIA rates transportation emissions as unchanged relative to 2022, despite seeing air travel return to pre-pandemic levels and a slight increase in gasoline consumption. Later in this decade, tighter fuel efficiency rules are expected to drive a decline in transportation emissions, which are only down about 10 percent compared to their 2006 peak.

Buildings and industry

The remaining sectors—commercial, residential, and industrial—have a more complicated relationship with fossil fuels. Some of their energy comes via the grid, so its emissions are already accounted for. Thanks to the grid decarbonizing, these would be going down, but for business and residential use, grid-dependent emissions are dropping even faster than that would imply. This suggests that things like more efficient lighting and appliances are having an impact.

Separately, direct use of fossil fuels for things like furnaces, water heaters, etc., has been largely flat for the entire 30 years the EIA is looking at, although milder weather led to a slight decline in 2023 (8 percent for residential properties, 4 percent for commercial).

In contrast, the EIA only tracks the direct use of fossil fuels for industrial processes. These are down slightly over the 30-year period but have been fairly stable since the 2008 economic crisis, with no change in emissions between 2022 and 2023. As with the electric grid, the primary difference in this sector has been due to the growth of natural gas and the decline of coal.

Overall, there are two ways to look at this data. The first is that progress at limiting carbon emissions has been extremely limited and that there has been no progress at all in several sectors. The more optimistic view is that the technologies for decarbonizing the electric grid and improving building electrical usage are currently the most advanced, and the US has focused its decarbonization efforts where they’ll make the most difference.

From either perspective, it’s clear that the harder challenges are still coming, both in terms of accelerating decarbonization, and in terms of tackling sectors where decarbonization will be harder. The Biden administration has been working to put policies in place that should drive progress in this regard, but we probably won’t see much of their impact until early in the following decade.

Listing image by Yaorusheng
