Games

10 Years After It Was Pulled Offline, Viral Mobile Game Flappy Bird Is Coming Back (ign.com) 27

Mobile video game phenomenon Flappy Bird is set to return 10 years after its creator pulled it offline. From a report: In 2014, Vietnam-based developer Dong Nguyen shocked the gaming world when he pulled viral hit Flappy Bird from the App Store and the Google Play Store at a time when it was making tens of thousands of dollars a day. He went on to say: "I can call Flappy Bird a success of mine. But it also ruins my simple life. So now I hate it."

Now, Flappy Bird is set to return, with an expanded version aiming for launch by the end of October across multiple platforms including web browsers, and an iOS and Android version planned for release in 2025. But this new Flappy Bird isn't from Nguyen, it's from 'The Flappy Bird Foundation,' which is described as "a new team of passionate fans committed to sharing the game with the world."

UPDATE (9/15/2024): The original creator of Flappy Bird returned to social media after a seven-year silence just to disavow the resurrected game -- and its possible ties to cryptocurrency. PC Gamer also digs into exactly how the Flappy Bird trademark was acquired.
Android

Android Apps Can Now Block Sideloading, Force Downloads Through Google Play (androidauthority.com) 56

Android Authority's Mishaal Rahman reports: There are many reasons why you may want to sideload apps on your Android phone, but there are also good reasons why developers would want to block sideloading. A sideloaded app won't contribute to the developer's Play Store metrics, for one, but it also prevents the developer from curating which devices can use their app. Improperly sideloaded apps can also crash due to missing assets or code, or they might be missing certain features because you installed the wrong version for your device. Whatever the reason may be, developers who want to stop you from sideloading their apps now have an easier way to do so thanks to the Play Integrity API.

The Google Play Integrity API is an interface that helps developers "check that interactions and server requests are coming from [their] genuine app binary running on a genuine Android device." It looks for evidence that the app has been tampered with, that the app is running in an "untrustworthy" software environment, that the device has Google Play Protect enabled, and more. If you've heard of or dealt with SafetyNet Attestation before on a rooted phone, then you're probably already familiar with Play Integrity, even if not by that name. Play Integrity is the successor to SafetyNet Attestation, only it comes with even more features for developers.

As is the case with SafetyNet Attestation, developers call the Play Integrity API at any point in their app, receive what's called an integrity verdict, and then decide what they want to do from there. Some apps call the Play Integrity API when they launch and block access entirely depending on what the verdict is, while others only call the API when you're about to perform a sensitive action, so they can warn you that you shouldn't proceed. The Play Integrity API makes it easy for apps to offload the determination of whether the device and its software environment are "genuine," and with the latest update to the API, apps can now easily determine whether the person who installed them is "genuine" as well.
"As Google continues to bolster Play Integrity's detection mechanisms and add new features, it's going to become harder and harder for power users to justify rooting Android," concludes Rahman. "At the same time, regular users will be better protected from potentially risky and fraudulent interactions, so it's clear that Play Integrity will continue to be adopted by more and more apps."
The Internet

Google Partners With Internet Archive To Link To Archives In Search (9to5google.com) 18

An anonymous reader quotes a report from 9to5Google: Rolling out starting today, Google Search results will now directly link to The Internet Archive to add historical context for the links in your results. [...] Google has partnered with The Internet Archive, a non-profit research library that, in part, stores and preserves massive portions of the web to be easily referenced later. This is done through the "Wayback Machine" which can show a website or specific page as it existed on a previous date. Through this new partnership, Google will link directly to The Internet Archive's Wayback Machine for pages that you find in Search.

To access The Internet Archive's Wayback Machine links through Google Search you'll need to click the three-dots menu button that appears alongside all search results and then tap on "More about this page." This new feature is still actively rolling out, but Google was able to provide an image to show what the integration looks like.
In a post regarding the announcement, The Internet Archive said that this partnership "underscores the importance of web archiving."
Google

Sergey Brin Says He's Working on AI at Google 'Pretty Much Every Day' 49

An anonymous reader shares a report: Google co-founder and ex-Alphabet president Sergey Brin said he's back working at Google "pretty much every day" because he hasn't seen anything as exciting as the recent progress in AI -- and doesn't want to miss out. "It's a big, fast-moving field," Brin said at All-In Summit of AI, adding that there is "tremendous value to humanity," before explaining why he doesn't think training more capable AI will require massively scaling up compute.

"I've read some articles that extrapolate [compute] ... and I don't know if I'm quite a believer," he said, "partly because the algorithmic improvements that have come over the last few years maybe are actually even outpacing the increased compute that's being put into these models."
Chrome

Chrome is Making It Easier To Keep Track of Browser Tabs (theverge.com) 23

Google is adding some new features to Chrome that aim to help users organize and keep track of their browser tabs across both desktop and mobile devices. From a report: The search giant announced in a new blog post that tab groups -- which enable Android and desktop Chrome users to keep related pages together in custom-labeled groups -- will start rolling out to Chrome for iOS starting today. Once Chrome is updated, iPhone and iPad users can access the feature by opening the tab grid, long-pressing on a tab, and selecting "Add Tab to New Group." Custom names and colors can then be assigned to the created tab groups to help keep them organized and easily identifiable. Another feature that's rolling out across Android and desktop Chrome apps is the ability to sync those saved tab groups across multiple devices.
AI

Senate Leaders Ask FTC To Investigate AI Content Summaries As Anti-Competitive (techcrunch.com) 54

An anonymous reader quotes a report from TechCrunch: A group of Democratic senators is urging the FTC and Justice Department to investigate whether AI tools that summarize and regurgitate online content like news and recipes may amount to anticompetitive practices. In a letter to the agencies, the senators, led by Amy Klobuchar (D-MN), explained their position that the latest AI features are hitting creators and publishers while they're down. As journalistic outlets experience unprecedented consolidation and layoffs, "dominant online platforms, such as Google and Meta, generate billions of dollars per year in advertising revenue from news and other original content created by others. New generative AI features threaten to exacerbate these problems."

The letter continues: "While a traditional search result or news feed links may lead users to the publisher's website, an AI-generated summary keeps the users on the original search platform, where that platform alone can profit from the user's attention through advertising and data collection. [...] Moreover, some generative AI features misappropriate third-party content and pass it off as novel content generated by the platform's AI. Publishers who wish to avoid having their content summarized in the form of AI-generated search results can only do so if they opt out of being indexed for search completely, which would result in a materially significant drop in referral traffic. In short, these tools may pit content creators against themselves without any recourse to profit from AI-generated content that was composed using their original content. This raises significant competitive concerns in the online marketplace for content and advertising revenues."

Essentially, the senators are saying that a handful of major companies control the market for monetizing original content via advertising, and that those companies are rigging that market in their favor. Either you consent to having your articles, recipes, stories, and podcast transcripts indexed and used as raw material for an AI, or you're cut out of the loop. The letter goes on to ask the FTC and DOJ to investigate whether these new methods are "a form of exclusionary conduct or an unfair method of competition in violation of the antitrust laws." [...] The letter was co-signed by Senators Richard Blumenthal (D-CT), Mazie Hirono (D-HI), Dick Durbin (D-IL), Sheldon Whitehouse (D-RI), Tammy Duckworth (D-IL), Elizabeth Warren (D-MA), and Tina Smith (D-MN).

Google

Google Signs $10 Million Carbon Capture Deal, At $100 Per Ton of CO2 (datacenterdynamics.com) 40

An anonymous reader quotes a report from Data Center Dynamics: Google has signed a $10 million deal to pull 100,000 tons of carbon dioxide out of the air. The company will buy direct air capture (DAC) credits from startup Holocene, to be delivered in the early 2030s. The deal is the lowest price on record for DAC, at $100 per ton -- a price the Department of Energy previously said was needed to make carbon capture mainstream. Google will provide the funds up front, but there is no guarantee that Holocene will hit that goal. Running Tide, a carbon removal company that Microsoft paid to capture 12,000 tons of CO2 in 2023, shut down in 2024. The $100 price was also made possible thanks to the US government's 45Q tax credit, which provides DAC suppliers $180 per ton of carbon removed.

Holocene passes air through a waterfall with an amino acid added to it which binds CO2. This is then mixed with guanidine to form a solid crystal mass. Next, the amino acid is sent back to the beginning of the loop, while the solid is lightly heated to release pure CO2 -- which can then be stored. The company plans to capture and store 100,000 tons of CO2 by the early 2030s.
"The structure of this partnership -- providing immediate funding to achieve an ambitious but important price in the medium term -- is just one way to support carbon removal as it scales," Randy Spock, carbon credits and removals lead, said.
AI

Google's AI Will Help Decide Whether Unemployed Workers Get Benefits 58

An anonymous reader quotes a report from Gizmodo: Within the next several months, Nevada plans to launch a generative AI system powered by Google that will analyze transcripts of unemployment appeals hearings and issue recommendations to human referees about whether or not claimants should receive benefits. The system will be the first of its kind in the country and represents a significant experiment by state officials and Google in allowing generative AI to influence a high-stakes government decision -- one that could put thousands of dollars in unemployed Nevadans' pockets or take it away. Nevada officials say the Google system will speed up the appeals process -- cutting the time it takes referees to write a determination from several hours to just five minutes, in some cases -- helping the state work through a stubborn backlog of cases that have been pending since the height of the COVID-19 pandemic.

The tool will generate recommendations based on hearing transcripts and evidentiary documents, supplying its own analysis of whether a person's unemployment claim should be approved, denied, or modified. At least one human referee will then review each recommendation, said Christopher Sewell, director of the Nevada Department of Employment, Training, and Rehabilitation (DETR). If the referee agrees with the recommendation, they will sign and issue the decision. If they don't agree, the referee will revise the document and DETR will investigate the discrepancy. "There's no AI [written decisions] that are going out without having human interaction and that human review," Sewell said. "We can get decisions out quicker so that it actually helps the claimant."

Judicial scholars, a former U.S. Department of Labor official, and lawyers who represent Nevadans in appeal hearings told Gizmodo they worry the emphasis on speed could undermine any human guardrails Nevada puts in place. "The time savings they're looking for only happens if the review is very cursory," said Morgan Shah, director of community engagement for Nevada Legal Services. "If someone is reviewing something thoroughly and properly, they're really not saving that much time. At what point are you creating an environment where people are sort of being encouraged to take a shortcut?" Michele Evermore, a former deputy director for unemployment modernization policy at the Department of Labor, shared similar concerns. "If a robot's just handed you a recommendation and you just have to check a box and there's pressure to clear out a backlog, that's a little bit concerning," she said. In response to those fears about automation bias Google spokesperson Ashley Simms said "we work with our customers to identify and address any potential bias, and help them comply with federal and state requirements."
"There's a level of risk we have to be willing to accept with humans and with AI," added Amy Perez, who oversaw unemployment modernization efforts in Colorado and at the U.S. Department of Labor. "We should only be putting these tools out into production if we've established it's as good as or better than a human."
Oracle

'Oracle's Missteps in Cloud Computing Are Paying Dividends in AI' (msn.com) 26

Oracle missed the tech industry's move to cloud computing last decade and ended up an also-ran. Now the AI boom has given it another shot. WSJ: The 47-year-old company that made its name on relational database software has emerged as an attractive cloud-computing provider for AI developers such as OpenAI, sending its long-stagnant stock to new heights. Oracle shares are up 34% since January, well outpacing the Nasdaq's 14% rise and those of bigger competitors Microsoft, Amazon.com and Google.

It is a surprising revitalization for a company many in the tech industry had dismissed as a dinosaur of a bygone, precloud era. Oracle appears to be successfully making a case to investors that it has become a strong fourth-place player in a cloud market surging thanks to AI. Its lateness to the game may have played to its advantage, as a number of its 162 data centers were built in recent years and are designed for the development of AI models, known as training.

In addition, Oracle isn't developing its own large AI models that compete with potential clients. The company is considered such a neutral and unthreatening player that it now has partnerships with Microsoft, Google and Amazon, all of which let Oracle's databases run in their clouds. Microsoft is also running its Bing AI chatbot on Oracle's servers.

Google

Google's 2.4 Billion Euro Fine Upheld By Europe's Top Court in EU Antitrust Probe (cnbc.com) 11

Europe's top court on Tuesday upheld a 2.4 billion euro ($2.65 billion) fine imposed on Google for abusing its dominant position by favoring its own shopping comparison service. From a report: The fine stems from an antitrust investigation by the European Commission, the executive arm of the European Union, which concluded in 2017. The commission said at the time that Google had favored its own shopping comparison service over those of its rivals. Google appealed the decision with the General Court, the EU's second-highest court, which also upheld the fine. Google then brought the case before the European Court of Justice, the EU's top court.

The ECJ on Tuesday dismissed the appeal and upheld the commission's fine. "We are disappointed with the decision of the Court," a Google spokesperson told CNBC on Tuesday. "This judgment relates to a very specific set of facts. We made changes back in 2017 to comply with the European Commission's decision. Our approach has worked successfully for more than seven years, generating billions of clicks for more than 800 comparison shopping services."

Google

US Prepares To Challenge Google's Online Ad Dominance (reuters.com) 24

An anonymous reader quotes a report from the New York Times: For years, Google has faced complaints about how it dominates the online advertising market. Many of the concerns stem from the internet giant's suite of software known as Google Ad Manager, which websites around the world use to sell ads on their sites. The technology conducts split-second auctions to place ads each time a user loads a page. The dominance of that technology has landed Google in federal court. On Monday, Judge Leonie Brinkema of the U.S. District Court for the Eastern District of Virginia will preside over the start of a trial in which the Department of Justice accuses the company of abusing control of its ad technology and violating antitrust law (Warning: source may be paywalled; alternative source).

It would be Google's second antitrust trial in less than a year. In August, a federal judge ruled in a separate case that Google had illegally maintained a monopoly in online search, a major victory for the Justice Department. The new trial is the latest salvo by federal antitrust regulators against Big Tech, testing a century-old competition law against companies that have reshaped the way people shop, communicate and consume information. Federal regulators have also filed antitrust lawsuits against Apple, Amazon and Meta, which owns Facebook, Instagram and WhatsApp, saying those companies have also abused their power.
Google's vice president for regulatory affairs, Lee-Anne Mulholland, said in a blog post on Sunday that the Justice Department was "picking winners and losers in a highly competitive industry."

"With the cost of ads going down and the number of ads sold going up, the market is working," she said. "The DOJ's case risks inefficiencies and higher prices -- the last thing that America's economy or our small businesses need right now."
Advertising

British Competition Regulator Says Google's Ad Practices Harmed Competition (cnbc.com) 13

An anonymous reader shared this report from CNBC: Britain's competition watchdog on Friday issued a statement of objections over Google's ad tech practices, which the regulator provisionally found are impacting competition in the U.K. In a statement, the Competition and Markets Authority alleged that the U.S. internet search titan "has harmed competition by using its dominance in online display advertising to favour its own ad tech services." The "vast majority" of the U.K.'s thousands of publishers and advertisers use Google's technology in order to bid for and sell space to display ads in a market where players were spending £1.8 billion annually as of a 2019 study, according to the CMA.

The regulator added that it is also "concerned that Google is actively using its dominance in this sector to preference its own services." So-called "self-preferencing" of services by technology giants is a key concern for regulators scrutinizing these companies. The CMA further noted that Google disadvantages ad technology competitors, preventing them from competing on a "level playing field...." In the CMA's decision Friday, the watchdog said that, since 2015, Google has abused its dominant position as the operator of both ad buying tools "Google Ads" and "DV360," and of a publisher ad server known as "DoubleClick For Publishers," in order to strengthen the market position of its advertising exchange, AdX...

AdX, on which Google charges its highest fees to advertisers, is the "centre of the ad tech stack" for the company, the CMA said, with Google taking roughly 20% of the amount for each bid that's processed on its platform.

Programming

Two Android Engineers Explain How They Extended Rust In Android's Firmware (theregister.com) 62

The Register reports that Google "recently rewrote the firmware for protected virtual machines in its Android Virtualization Framework using the Rust programming language." And they add that Google "wants you to do the same, assuming you deal with firmware."

A post on Google's security blog by Android engineers Ivan Lozano and Dominik Maier promises to show "how to gradually introduce Rust into your existing firmware," adding "You'll see how easy it is to boost security with drop-in Rust replacements, and we'll even demonstrate how the Rust toolchain can handle specialized bare-metal targets."

This prompts the Register to quip that easy "is not a term commonly heard with regard to a programming language known for its steep learning curve." Citing the lack of high-level security mechanisms in firmware, which is often written in memory-unsafe languages such as C or C++, Lozano and Maier argue that Rust provides a way to avoid the memory safety bugs like buffer overflows and use-after-free that account for the majority of significant vulnerabilities in large codebases. "Rust provides a memory-safe alternative to C and C++ with comparable performance and code size," they note. "Additionally it supports interoperability with C with no overhead."
At one point the blog post explains that "You can replace existing C functionality by writing a thin Rust shim that translates between an existing Rust API and the C API the codebase expects." But their ultimate motivation is greater security. "Android's use of safe-by-design principles drives our adoption of memory-safe languages like Rust, making exploitation of the OS increasingly difficult with every release."
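As an added example of the thin-shim approach quoted above (not code from the Google post or from the Android Virtualization Framework), the following Rust keeps the bounds checks in safe Rust and confines `unsafe` to the C-ABI boundary; `fw_copy_region`, `fw_image_checksum`, the checksum algorithm and the buffer layout are assumptions.

```rust
use core::slice;

/// Safe Rust core: a placeholder checksum over a firmware image region.
/// (Hypothetical; stands in for whatever the original C routine computed.)
/// The slice type guarantees every read is in bounds.
pub fn image_checksum(image: &[u8]) -> u32 {
    image
        .iter()
        .fold(0u32, |acc, &b| acc.wrapping_mul(31).wrapping_add(u32::from(b)))
}

/// Safe Rust core: copy `dst.len()` bytes starting at `offset` in `src` into `dst`.
/// Returns None instead of reading past `src` or overflowing `offset + len`,
/// which is exactly the class of bug a hand-written C memcpy wrapper tends to miss.
pub fn copy_region(src: &[u8], offset: usize, dst: &mut [u8]) -> Option<usize> {
    let end = offset.checked_add(dst.len())?;
    let region = src.get(offset..end)?;
    dst.copy_from_slice(region);
    Some(dst.len())
}

/// C-ABI shim matching a hypothetical existing C declaration:
///   int fw_copy_region(const uint8_t *src, size_t src_len, size_t offset,
///                      uint8_t *dst, size_t dst_len);
/// Returns the number of bytes copied, or -1 on NULL pointers or an out-of-range request.
/// In a real build this is exported with `#[no_mangle]` (`#[unsafe(no_mangle)]` on
/// edition 2024) so the C linker resolves the symbol; the attribute is left off here
/// so the snippet compiles as a plain test file on any recent toolchain.
pub unsafe extern "C" fn fw_copy_region(
    src: *const u8,
    src_len: usize,
    offset: usize,
    dst: *mut u8,
    dst_len: usize,
) -> i32 {
    if src.is_null() || dst.is_null() {
        return -1;
    }
    // SAFETY: the C caller promises `src` points to `src_len` readable bytes and
    // `dst` to `dst_len` writable bytes, and that the two regions do not overlap.
    // Those are the only invariants the shim cannot verify itself.
    let src = slice::from_raw_parts(src, src_len);
    let dst = slice::from_raw_parts_mut(dst, dst_len);
    match copy_region(src, offset, dst) {
        Some(n) if n <= i32::MAX as usize => n as i32,
        _ => -1,
    }
}

/// C-ABI shim for the checksum:
///   uint32_t fw_image_checksum(const uint8_t *image, size_t len);
/// A NULL image yields 0 rather than a dereference.
pub unsafe extern "C" fn fw_image_checksum(image: *const u8, len: usize) -> u32 {
    if image.is_null() {
        return 0;
    }
    // SAFETY: caller guarantees `image` points to `len` readable bytes.
    let image = slice::from_raw_parts(image, len);
    image_checksum(image)
}
```

Only the two `extern "C"` functions touch raw pointers; everything they delegate to is ordinary safe Rust, which is what lets the shim replace the C implementation without widening the unsafe surface.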

And the Register also got this quote from Lars Bergstrom, Google's director of engineering for Android Programming Languages (and chair of the Rust Foundation's board of directors). "At Google, we're increasing Rust's use across Android, Chromium, and more to reduce memory safety vulnerabilities. We're dedicated to collaborating with the Rust ecosystem to drive its adoption and provide developers with the resources and training they need to succeed.

"This work on bringing Rust to embedded and firmware addresses another critical part of the stack."
Social Networks

GPT-Fabricated Scientific Papers Found on Google Scholar by Misinformation Researchers (harvard.edu) 81

Harvard's school of public policy is publishing a Misinformation Review for peer-reviewed, scholarly articles promising "reliable, unbiased research on the prevalence, diffusion, and impact of misinformation worldwide."

This week it reported that "Academic journals, archives, and repositories are seeing an increasing number of questionable research papers clearly produced using generative AI." They are often created with widely available, general-purpose AI applications, most likely ChatGPT, and mimic scientific writing. Google Scholar easily locates and lists these questionable papers alongside reputable, quality-controlled research. Our analysis of a selection of questionable GPT-fabricated scientific papers found in Google Scholar shows that many are about applied, often controversial topics susceptible to disinformation: the environment, health, and computing.

The resulting enhanced potential for malicious manipulation of society's evidence base, particularly in politically divisive domains, is a growing concern... [T]he abundance of fabricated "studies" seeping into all areas of the research infrastructure threatens to overwhelm the scholarly communication system and jeopardize the integrity of the scientific record. A second risk lies in the increased possibility that convincingly scientific-looking content was in fact deceitfully created with AI tools and is also optimized to be retrieved by publicly available academic search engines, particularly Google Scholar. However small, this possibility and awareness of it risks undermining the basis for trust in scientific knowledge and poses serious societal risks.

"Our analysis shows that questionable and potentially manipulative GPT-fabricated papers permeate the research infrastructure and are likely to become a widespread phenomenon..." the article points out.

"Google Scholar's central position in the publicly accessible scholarly communication infrastructure, as well as its lack of standards, transparency, and accountability in terms of inclusion criteria, has potentially serious implications for public trust in science. This is likely to exacerbate the already-known potential to exploit Google Scholar for evidence hacking..."
Electronic Frontier Foundation

FTC Urged To Stop Tech Makers Downgrading Devices After You've Bought Them (theregister.com) 80

Digital rights activists want device manufacturers to disclose a "guaranteed minimum support time" for devices — and federal regulations ensuring a product's core functionality will work even after its software updates stop.

Influential groups including Consumer Reports, EFF, the Software Freedom Conservancy, iFixit, and U.S. PIRG have now signed a letter to the head of America's Bureau of Consumer Protection (at the Federal Trade Commission), reports The Register: In an eight-page letter to the Commission (FTC), the activists mentioned the Google/Levi's collaboration on a denim jacket that contained sensors enabling it to control an Android device through a special app. When the app was discontinued in 2023, the jacket lost that functionality. The letter also mentions the "Car Thing," an automotive infotainment device created by Spotify, which bricked the device fewer than two years after launch and didn't offer a refund...

Environmental groups and computer repair shops also signed the letter... "Consumers need a clear standard for what to expect when purchasing a connected device," stated Justin Brookman, director of technology policy at Consumer Reports and a former policy director of the FTC's Office of Technology, Research, and Investigation. "Too often, consumers are left with devices that stop functioning because companies decide to end support without little to no warning. This leaves people stranded with devices they once relied on, unable to access features or updates...."

Brookman told The Register that he believes this is the first such policy request to the FTC that asks the agency to help consumers with this dilemma. "I'm not aware of a previous effort from public interest groups to get the FTC to take action on this issue — it's still a relatively new issue with no clear established norms," he wrote in an email. "But it has certainly become an issue" that comes up more and more with device makers as they change their rules about product updates and usage.

"Both switching features to a subscription and 'bricking' a connected device purchased by a consumer in many cases are unfair and deceptive practices," the groups write, arguing that the practices "infringe on a consumer's right to own the products they buy." They're requesting clear "guidance" for manufacturers from the U.S. government: "The FTC has a number of tools at its disposal to help establish standards for IoT device support. While a formal rulemaking is one possibility, the FTC also has the ability to issue more informal guidance, such as its Endorsement Guides and Dot Com Disclosures. We believe the agency should set norms..."
The groups are also urging the FTC to:
  • Encourage tools and methods that enable reuse if software support ends.
  • Conduct an educational program to encourage manufacturers to build longevity into the design of their products.
  • Protect "adversarial interoperability"... when a competitor or third-party creates a reuse or modification tool [that] adds to or converts the old device.

Thanks to long-time Slashdot reader Z00L00K for sharing the article.
Education

MIT CS Professor Tests AI's Impact on Educating Programmers (acm.org) 84

Long-time Slashdot reader theodp writes: "The Impact of AI on Computer Science Education" recounts an experiment Eric Klopfer conducted in his undergrad CS class at MIT. He divided the class into three groups and gave them a programming task to solve in the Fortran language, which none of them knew. Reminiscent of how The Three Little Pigs used straw, sticks, and bricks to build their houses with very different results, Klopfer allowed one group to use ChatGPT to solve the problem, while the second group was told to use Meta's Code Llama LLM, and the third group could only use Google. The group that used ChatGPT, predictably, solved the problem quickest, while it took the second group longer to solve it. It took the group using Google even longer, because they had to break the task down into components.

Then, the students were tested on how they solved the problem from memory, and the tables turned. The ChatGPT group "remembered nothing, and they all failed," recalled Klopfer. Meanwhile, half of the Code Llama group passed the test. The group that used Google? Every student passed.

"This is an important educational lesson," said Klopfer. "Working hard and struggling is actually an important way of learning. When you're given an answer, you're not struggling and you're not learning. And when you get more of a complex problem, it's tedious to go back to the beginning of a large language model and troubleshoot it and integrate it." In contrast, breaking the problem into components allows you to use an LLM to work on small aspects, as opposed to trying to use the model for an entire project, he says. "These skills, of how to break down the problem, are critical to learn."

Open Source

How Should the FOSS Movement Respond to Proprietary Software? (linux-magazine.com) 102

Long-time FOSS-watcher Bruce Byfield writes that while people "still dream of a completely free alternative, increasingly the emphasis in FOSS seems to be on accepting coexistence with proprietary software." Many, too, have always preferred the permissive BSD licenses, which permit combining FOSS and proprietary software. From some perspectives, Debian's newest [non-free firmware] repository or Nobara's popularity [a Fedora-based distro but with proprietary drivers and gaming applications] is simply an admission of the true state of affairs...

On the other hand, the FOSS philosophy may be weakened because it no longer has a strong advocate. Sixteen years ago, the FSF reached a peak of authority in the discussions of 2006-2007 about the structure of GPLv3 — then immediately lost that authority by not reaching a consensus. That was followed by the cancellation of Richard Stallman in 2017, which, deserved or not, had the side effect of silencing free software's most influential representative. Today the FSF that Stallman led continues to function, with Stallman returned to the board of directors, but its actions go unreported, and it seems to speak to a much smaller group of loyalists. The Linux Foundation, with its corporate emphasis, is not an adequate substitution. In these circumstances, there is reason to wonder whether FOSS has lost its way.

While the issue has yet to reach the mainstream, Bruce Perens, one of the coiners of the term "open source" in 1998, is already trying to describe what he calls the Post-Open Source era. Not only does Perens believe that FOSS licenses no longer fulfill their original purpose, but they no longer inform or benefit the average user. According to Perens,

"Open Source has completely failed to serve the common person. For the most part, if they use us at all they do so through a proprietary software company's systems, like Apple iOS or Google Android, both of which use Open Source for infrastructure but the apps are mostly proprietary. The common person doesn't know about Open Source, they don't know about the freedoms we promote which are increasingly in their interest. Indeed, Open Source is used today to surveil and even oppress them."

As a remedy, Perens proposes that licenses should be replaced by contracts. He envisions that companies pay for the benefits they receive from using FOSS. Compliance for each contract would be checked, renewed, and paid for yearly, and the payments would go towards funding FOSS development. Individuals and nonprofits would continue to use FOSS for free. In March 2024, Perens posted a draft Post-Open license. The draft includes a description of the contract-related files to be shipped with FOSS software, a description of the status of derivative works, how revenue is collected, and conditions of termination. The draft has yet to be reviewed by a lawyer, but what is immediately noticeable is how it draws on both contract language and FOSS licenses to produce something different.

Byfield concludes that "free licenses are straining to respond to loopholes, and a discussion needs to be had about whether they are adequate to modern pressures."
Privacy

Signal is More Than Encrypted Messaging. It Wants to Prove Surveillance Capitalism Is Wrong (wired.com) 70

Slashdot reader echo123 shared a new article from Wired titled "Signal Is More Than Encrypted Messaging. Under Meredith Whittaker, It's Out to Prove Surveillance Capitalism Wrong." ("On its 10th anniversary, Signal's president wants to remind you that the world's most secure communications platform is a nonprofit. It's free. It doesn't track you or serve you ads. It pays its engineers very well. And it's a go-to app for hundreds of millions of people.") Ten years ago, WIRED published a news story about how two little-known, slightly ramshackle encryption apps called RedPhone and TextSecure were merging to form something called Signal. Since that July in 2014, Signal has transformed from a cypherpunk curiosity — created by an anarchist coder, run by a scrappy team working in a single room in San Francisco, spread word-of-mouth by hackers competing for paranoia points — into a full-blown, mainstream, encrypted communications phenomenon... Billions more use Signal's encryption protocols integrated into platforms like WhatsApp...

But Signal is, in many ways, the exact opposite of the Silicon Valley model. It's a nonprofit funded by donations. It has never taken investment, makes its product available for free, has no advertisements, and collects virtually no information on its users — while competing with tech giants and winning... Signal stands as a counterfactual: evidence that venture capitalism and surveillance capitalism — hell, capitalism, period — are not the only paths forward for the future of technology.

Over its past decade, no leader of Signal has embodied that iconoclasm as visibly as Meredith Whittaker. Signal's president since 2022 is one of the world's most prominent tech critics: When she worked at Google, she led walkouts to protest its discriminatory practices and spoke out against its military contracts. She cofounded the AI Now Institute to address ethical implications of artificial intelligence and has become a leading voice for the notion that AI and surveillance are inherently intertwined. Since she took on the presidency at the Signal Foundation, she has come to see her central task as working to find a long-term taproot of funding to keep Signal alive for decades to come — with zero compromises or corporate entanglements — so it can serve as a model for an entirely new kind of tech ecosystem...

Meredith Whittaker: "The Signal model is going to keep growing, and thriving and providing, if we're successful. We're already seeing Proton [a startup that offers end-to-end encrypted email, calendars, note-taking apps, and the like] becoming a nonprofit. It's the paradigm shift that's going to involve a lot of different forces pointing in a similar direction."

Key quotes from the interview:
  • "Given that governments in the U.S. and elsewhere have not always been uncritical of encryption, a future where we have jurisdictional flexibility is something we're looking at."
  • "It's not by accident that WhatsApp and Apple are spending billions of dollars defining themselves as private. Because privacy is incredibly valuable. And who's the gold standard for privacy? It's Signal."
  • "AI is a product of the mass surveillance business model in its current form. It is not a separate technological phenomenon."
  • "...alternative models have not received the capital they need, the support they need. And they've been swimming upstream against a business model that opposes their success. It's not for lack of ideas or possibilities. It's that we actually have to start taking seriously the shifts that are going to be required to do this thing — to build tech that rejects surveillance and centralized control — whose necessity is now obvious to everyone."

Programming

GitHub Actions Typosquatting: a High-Impact Supply Chain Attack-in-Waiting? (csoonline.com) 4

GitHub Actions let developers "automate software builds and tests," writes CSO Online, "by setting up workflows that trigger when specific events are detected, such as when new code is committed to the repository."

They also "can be reused and shared with others on the GitHub Marketplace, which currently lists thousands of public Actions that developers can use instead of coding their own. Actions can also be included as dependencies inside other Actions, creating an ecosystem similar to other open-source component registries." Researchers from Orca Security recently investigated the impact typosquatting can have in the GitHub Actions ecosystem by registering 14 GitHub organizations with names that are misspellings of popular Actions owners — for example, circelci instead of circleci, actons instead of actions, google-github-actons instead of google-github-actions... One might think that developers making typos is not very common, but given the scale of GitHub — over 100 million developers with over 420 million repositories — even a statistically rare occurrence can mean thousands of potential victims. For example, the researchers found 194 workflow files calling the "action" organization instead of "actions"; moreover, 12 public repositories started referencing the researchers' fake "actons" organization within two months of setting it up.

"Although the number may not seem that high, these are only the public repositories we can search for and there could be multiple more private ones, with numbers increasing over time," the researchers wrote... Ultimately this is a low-cost high-impact attack. Having the ability to execute malicious actions against someone else's code is very powerful and can result in software supply chain attacks, with organizations and users that then consume the backdoored code being impacted as well...

Out of the 14 typosquatted organizations that Orca set up for their proof-of-concept, GitHub only suspended one over a three-month period — circelci — and that's likely because someone reported it. CircleCI is one of the most popular CI/CD platforms.
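As an added defensive illustration (not code from Orca Security or the CSO Online article), the script below scans a workflow file for `uses:` references whose owner is a one-edit near-miss of a known Action owner, which catches exactly the misspellings the researchers registered (circelci, actons, google-github-actons, action). The allowlist and the sample workflow are constructed for this example.

```python
import re

# Constructed allowlist of popular Action owners; a real audit keeps its own approved list.
KNOWN_OWNERS = frozenset({"actions", "circleci", "google-github-actions", "docker", "aws-actions"})

# Matches `uses: owner/repo[/path]@ref`; local (`./...`) and `docker://` uses do not match.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)(?:/[^@'\"\s]*)?@([^'\"\s]+)",
    re.MULTILINE,
)

# Constructed workflow carrying the misspellings named in the article.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actons/setup-node@v4
      - uses: circelci/circleci-config-sdk@v1
      - uses: google-github-actons/auth@v2
      - uses: action/cache@v4
      - uses: ./.github/actions/local-step
"""

def osa_distance(a: str, b: str) -> int:
    """Levenshtein plus adjacent transpositions, so 'circelci' -> 'circleci' costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def audit_workflow(text: str, known=KNOWN_OWNERS):
    """Return (owner, repo, ref, closest_known) for each `uses:` whose owner is not
    allowlisted but lies within edit distance 1 of an allowlisted owner."""
    findings = []
    for owner, repo, ref in USES_RE.findall(text):
        if owner in known:
            continue
        near = sorted(k for k in known if osa_distance(owner.lower(), k) <= 1)
        if near:
            findings.append((owner, repo, ref, near[0]))
    return findings
```

Run over `.github/workflows/*.yml` in CI, a non-empty result is a reason to block the merge until the owner is either corrected or explicitly added to the allowlist.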

Thanks to Slashdot reader snydeq for sharing the article.
Security

SpyAgent Android Malware Steals Your Crypto Recovery Phrases From Images 32

SpyAgent is a new Android malware that uses optical character recognition (OCR) to steal cryptocurrency wallet recovery phrases from screenshots stored on mobile devices, allowing attackers to hijack wallets and steal funds. The malware primarily targets South Korea but poses a growing threat as it expands to other regions and possibly iOS. BleepingComputer reports: A malware operation discovered by McAfee was traced back to at least 280 APKs distributed outside of Google Play using SMS or malicious social media posts. This malware can use OCR to recover cryptocurrency recovery phrases from images stored on an Android device, making it a significant threat. [...] Once it infects a new device, SpyAgent begins sending the following sensitive information to its command and control (C2) server:

- Victim's contact list, likely for distributing the malware via SMS originating from trusted contacts.
- Incoming SMS messages, including those containing one-time passwords (OTPs).
- Images stored on the device to use for OCR scanning.
- Generic device information, likely for optimizing the attacks.

SpyAgent can also receive commands from the C2 to change the sound settings or send SMS messages, likely used to send phishing texts to distribute the malware. McAfee found that the operators of the SpyAgent campaign did not follow proper security practices in configuring their servers, allowing the researchers to gain access to them. Admin panel pages, as well as files and data stolen from victims, were easily accessible, allowing McAfee to confirm that the malware had claimed multiple victims. The stolen images are processed and OCR-scanned on the server side and then organized on the admin panel accordingly to allow easy management and immediate utilization in wallet hijack attacks.
