An anonymous reader quotes a report from Krebs On Security: Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers from the University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally -- including non-Apple devices like Starlink systems -- and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops. At issue is the way that Apple collects and publicly shares information about the precise location of all Wi-Fi access points seen by its devices. Apple collects this location data to give Apple devices a crowdsourced, low-power alternative to constantly requesting global positioning system (GPS) coordinates.

Both Apple and Google operate their own Wi-Fi-based Positioning Systems (WPS) that obtain certain hardware identifiers from all wireless access points that come within range of their mobile devices. Both record the Media Access Control (MAC) address that a Wi-FI access point uses, known as a Basic Service Set Identifier or BSSID. Periodically, Apple and Google mobile devices will forward their locations -- by querying GPS and/or by using cellular towers as landmarks -- along with any nearby BSSIDs. This combination of data allows Apple and Google devices to figure out where they are within a few feet or meters, and it's what allows your mobile phone to continue displaying your planned route even when the device can't get a fix on GPS.

With Google's WPS, a wireless device submits a list of nearby Wi-Fi access point BSSIDs and their signal strengths -- via an application programming interface (API) request to Google -- whose WPS responds with the device's computed position. Google's WPS requires at least two BSSIDs to calculate a device's approximate position. Apple's WPS also accepts a list of nearby BSSIDs, but instead of computing the device's location based off the set of observed access points and their received signal strengths and then reporting that result to the user, Apple's API will return the geolocations of up to 400 hundred more BSSIDs that are nearby the one requested. It then uses approximately eight of those BSSIDs to work out the user's location based on known landmarks.

In essence, Google's WPS computes the user's location and shares it with the device. Apple's WPS gives its devices a large enough amount of data about the location of known access points in the area that the devices can do that estimation on their own. That's according to two researchers at the University of Maryland, who theorized they could use the verbosity of Apple's API to map the movement of individual devices into and out of virtually any defined area of the world. The UMD pair said they spent a month early in their research continuously querying the API, asking it for the location of more than a billion BSSIDs generated at random. They learned that while only about three million of those randomly generated BSSIDs were known to Apple's Wi-Fi geolocation API, Apple also returned an additional 488 million BSSID locations already stored in its WPS from other lookups. "Plotting the locations returned by Apple's WPS between November 2022 and November 2023, Levin and Rye saw they had a near global view of the locations tied to more than two billion Wi-Fi access points," the report adds. "The map showed geolocated access points in nearly every corner of the globe, apart from almost the entirety of China, vast stretches of desert wilderness in central Australia and Africa, and deep in the rainforests of South America."

The researchers wrote: "We observe routers move between cities and countries, potentially representing their owner's relocation or a business transaction between an old and new owner. While there is not necessarily a 1-to-1 relationship between Wi-Fi routers and users, home routers typically only have several. If these users are vulnerable populations, such as those fleeing intimate partner violence or a stalker, their router simply being online can disclose their new location."

A copy of the UMD research is available here (PDF).

Microsoft is adding screenshot prevention controls in Edge to block you from taking screenshots at work. "It's all designed to prevent you from sharing screenshots with competitors, relatives, and journalists using Microsoft Edge for Business," reports PCWorld. From the report: Specifically, IT managers at corporations will be able to tag web pages as protected, as defined in various Microsoft policy engines in Microsoft 365, Microsoft Defender for Cloud Apps, Microsoft Intune Mobile Application Management and Microsoft Purview, Microsoft said. The screenshot prevention feature will be available to customers in the "coming months," Microsoft said. It's also unclear whether third-party tools will be somehow blocked from taking screenshots or recording video, too.

Microsoft will also roll out a way to force Edge for Business users to automatically update their browsers. The feature will enter a preview phase over the next few weeks, Microsoft said. "The Edge management service will enable IT admins to see which devices have Edge instances that are out of date and at risk," Microsoft said. "It will also provide mitigating controls, such as forcing a browser restart to install updates, enabling automatic browser updates or enabling enhanced security mode for added protections."

Nvidia reported fiscal first-quarter earnings surpassing expectations with strong forecasts, indicating sustained demand for its AI chips. Following the news, the company's stock rose over 6% in extended trading. Nvidia also said it was splitting its stock 10 to 1. CNBC reports: Nvidia said it expected sales of $28 billion in the current quarter. Wall Street was expecting earnings per share of $5.95 on sales of $26.61 billion, according to LSEG. Nvidia reported net income for the quarter of $14.88 billion, or $5.98 per share, compared with $2.04 billion, or 82 cents, in the year-ago period. [...] Nvidia said its data center category rose 427% from the year-ago quarter to $22.6 billion in revenue. Nvidia CFO Colette Kress said in a statement that it was due to shipments of the company's "Hopper" graphics processors, which include the company's H100 GPU.

Nvidia also highlighted strong sales of its networking parts, which are increasingly important as companies build clusters of tens of thousands of chips that need to be connected. Nvidia said that it had $3.2 billion in networking revenue, primarily its Infiniband products, which was over three times higher than last year's sales. Nvidia, before it became the top supplier to big companies building AI, was known primarily as a company making hardware for 3D gaming. The company's gaming revenue was up 18% during the quarter to $2.65 billion, which Nvidia attributed to strong demand.

The company also sells chips for cars and chips for advanced graphics workstations, which remain much smaller than its data center business. The company reported $427 million in professional visualization sales, and $329 million in automotive sales. Nvidia said it bought back $7.7 billion worth of its shares and paid $98 million in dividends during the quarter. Nvidia also said that it's increasing its quarterly cash dividend from 4 cents per share to 10 cents on a pre-split basis. After the split, the dividend will be a penny a share.

The Consumer Financial Protection Bureau declared on Wednesday that customers of the burgeoning buy now, pay later industry have the same federal protections as users of credit cards. From a report: The agency unveiled what it called an "interpretive rule" that deemed BNPL lenders essentially the same as traditional credit card providers under the decades-old Truth in Lending Act. That means the industry -- currently dominated by fintech firms like Affirm, Klarna and PayPal -- must make refunds for returned products or canceled services, must investigate merchant disputes and pause payments during those probes, and must provide bills with fee disclosures.

"Regardless of whether a shopper swipes a credit card or uses Buy Now, Pay Later, they are entitled to important consumer protections under long-standing laws and regulations already on the books," CFPB Director Rohit Chopra said in a release. The CFPB, which last week was handed a crucial victory by the Supreme Court, has pushed hard against the U.S. financial industry, issuing rules that slashed credit card late fees and overdraft penalties. The agency, formed in the aftermath of the 2008 financial crisis, began investigating the BNPL industry in late 2021.

AI startup Humane has been seeking a buyer for its business, Bloomberg News reported, citing people familiar with the matter, just weeks after the company's closely watched wearable AI device had a rocky public launch. From the report: The company is working with a financial adviser to assist it, said the people, who asked not to be identified because the matter is private. Humane is seeking a price of between $750 million and $1 billion in a sale [non-paywalled link], one person said. The process is still early and may not result in a deal. Humane was founded in 2018 by two longtime Apple veterans, the married couple Imran Chaudhri and Bethany Bongiorno, in an attempt to come up with a new, AI-powered device that could potentially rival the iPhone. Last year it was valued by investors at $850 million, according to tech news site the Information.

An anonymous reader quotes a report from Reuters: Europe's landmark rules on artificial intelligence will enter into force next month after EU countries endorsed on Tuesday a political deal reached in December, setting a potential global benchmark for a technology used in business and everyday life. The European Union's AI Act is more comprehensive than the United States' light-touch voluntary compliance approach while China's approach aims to maintain social stability and state control. The vote by EU countries came two months after EU lawmakers backed the AI legislation drafted by the European Commission in 2021 after making a number of key changes. [...]

The AI Act imposes strict transparency obligations on high-risk AI systems while such requirements for general-purpose AI models will be lighter. It restricts governments' use of real-time biometric surveillance in public spaces to cases of certain crimes, prevention of terrorist attacks and searches for people suspected of the most serious crimes. The new legislation will have an impact beyond the 27-country bloc, said Patrick van Eecke at law firm Cooley. "The Act will have global reach. Companies outside the EU who use EU customer data in their AI platforms will need to comply. Other countries and regions are likely to use the AI Act as a blueprint, just as they did with the GDPR," he said, referring to EU privacy rules.

While the new legislation will apply in 2026, bans on the use of artificial intelligence in social scoring, predictive policing and untargeted scraping of facial images from the internet or CCTV footage will kick in in six months once the new regulation enters into force. Obligations for general purpose AI models will apply after 12 months and rules for AI systems embedded into regulated products in 36 months. Fines for violations range from $8.2 million or 1.5% of turnover to 35 million euros or 7% of global turnover depending on the type of violations.

It seems no industry is safe from consolidation, and the latest target is gaming media. From a report: IGN Entertainment has acquired the website portfolio of UK publisher Gamer Network, which operates a number of beloved games-focused publications. That list includes Gamesindustry.biz, Eurogamer, Rock Paper Shotgun, VG247, and the tabletop site Dicebreaker. The network also holds shares in sites like Nintendo Life and Digital Foundry.

Terms of the deal were not disclosed. Gamesindustry.biz reports that "some redundancies" have been made across the sites, though it's not clear how many workers have been impacted. According to several posts on X, editors at both Rock Paper Shotgun and Gamesindustry.biz have been laid off. IGN Entertainment is owned by Ziff Davis, which, in addition to IGN's site, also operates other subsidiaries like Humble Bundle.

Alphabet's moonshot factory, X, is scaling back its ambitious projects amid concerns over Google's core search business facing competition from AI chatbots like ChatGPT. The lab, once a symbol of Google's commitment to innovation, is now spinning off projects as startups rather than integrating them into Alphabet. The shift reflects a broader trend among tech giants, who are cutting costs and focusing on their core businesses in response to the rapidly evolving AI landscape.

Microsoft is partnering with tutoring organization Khan Academy to provide a generative AI assistant to all teachers in the U.S. for free. From a report: Khanmigo for Teachers, which helps teachers prepare lessons for class, is free to all educators in the U.S. as of Tuesday. The program can help create lessons, analyze student performance, plan assignments, and provide teachers with opportunities to enhance their own learning.

"Unlike most things in technology and education in the past where this is a 'nice-to-have,' this is a 'must-have' for a lot of teachers," Sal Khan, founder and CEO of Khan Academy, said in a CNBC "Squawk Box" interview last Friday ahead of the deal. Khan Academy has roughly 170 million registered users in over 50 languages around the world, and while its videos are best known, its interactive exercise platform was one which Microsoft-funded artificial intelligence company OpenAI's top executives, Sam Altman and Greg Brockman, zeroed in on early when they were looking for a partner to pilot GPT with that offered socially positive use cases.

An anonymous reader quotes a report from Reuters: Alphabet's Google has preemptively paid damages to the U.S. government, an unusual move aimed at avoiding a jury trial in the Justice Department's antitrust lawsuit over its digital advertising business. Google disclosed (PDF) the payment, but not the amount, in a court filing last week that said the case should be heard and decided by a judge directly. Without a monetary damages claim, Google argued, the government has no right to a jury trial. The Justice Department, which has not said if it will accept the payment, declined to comment on the filing. Google asserted that its check, which it said covered its alleged overcharges for online ads, allows it to sidestep a jury trial whether or not the government takes it.

The Justice Department filed the case last year with Virginia and other states, alleging Google was stifling competition for advertising technology. The government has said Google should be forced to sell its ad manager suite. Google, which has denied the allegations, said in a statement that the Justice Department "manufactured a damages claim at the last minute in an attempt to secure a jury trial." Without disclosing the size of its payment, Google said that after months of discovery, the Justice Department could only point to estimated damages of less than $1 million. The company said the government has said the case is "highly technical" and "outside the everyday knowledge of most prospective jurors."

HP announced today that it will resurrect the "Omni" branding it first coined for its business-oriented laptops introduced in 1993. The vintage branding will now be used for the company's new consumer-facing laptops, with HP retiring the Spectre and Dragonfly brands in the process. Furthermore, computers under consumer PC series names like Pavilion will also no longer be released. "Instead, every consumer computer from HP will be called either an OmniBook for laptops, an OmniDesk for desktops, or an OmniStudio for AIOs," reports Ars Technica. From the report: The computers will also have a modifier, ranging from 3 up to 5, 7, X, or Ultra to denote computers that are entry-level all the way up to advanced. For instance, an HP OmniBook Ultra would represent HP's highest-grade consumer laptop. "For example, an HP OmniBook 3 will appeal to customers who prioritize entertainment and personal use, while the OmniBook X will be designed for those with higher creative and technical demands," Stacy Wolff, SVP of design and sustainability at HP, said via a press announcement today. [...] So far, HP has announced one new Omni computer, the OmniBook X. It has a 12-core Snapdragon X Elite X1E-78-100, 16GB or 32GB of MPDDR5x-8448 memory, up to 2TB of storage, and a 14-inch, 2240x1400 IPS display. HP is pointing to the Latin translation of omni, meaning "all" (or everything), as the rationale behind the naming update. The new name should give shoppers confidence that the computers will provide all the things that they need.

HP is also getting rid of some of its commercial series names, like Pro. From now on, new, lower-end commercial laptops will be ProBooks. There will also be ProDesktop desktops and ProStudio AIOs. These computers will have either a 2 modifier for entry-level designs or a 4 modifier for ones with a little more power. For example, an HP ProDesk 2 is less powerful than an HP ProDesk 4. Anything more powerful will be considered either an EliteBook (laptops), EliteDesk (desktops), or EliteStudio (AIOs). For the Elite computers, the modifiers go from 6 to 8, X, and then Ultra. A Dragonfly laptop today would fall into the Ultra category. HP did less overhauling of its commercial lineup because it "recognized a need to preserve the brand equity and familiarity with our current sub-brands," Wolff said, adding that HP "acknowledged the creation of additional product names like Dragonfly made those products stand out, rather than be seen as part of a holistic portfolio." [...]

As you might now expect of any tech rebranding, marketing push, or product release these days, HP is also announcing a new emblem that will appear on its computers, as well as other products or services, that substantially incorporate AI. The two laptops announced today carry the logo. According to Wolff, on computers, the logo means that the systems have an integrated NPU "at 40+ trillions of operations per second." They also come with a chatbot based on ChatGPT 4, an HP spokesperson told me.

An anonymous reader shares a report: Google is pouncing on Microsoft's weathered enterprise security reputation by pitching its services to government institutions. Pointing to a recent report from the US Cyber Safety Review Board (CSRB) that found that Microsoft's security woes are the result of the company "deprioritizing" enterprise security, Google says it can help. The company's pitch isn't quite as direct as Microsoft CEO Satya Nadella saying he made Google dance, but it's spicy all the same. Repeatedly referring to Microsoft as "the vendor" throughout its blog post on Monday, Google says the CSRB "showed that lack of a strong commitment to security creates preventable errors and serious breaches." Platforms, it added, "have a responsibility" to hold to strong security practices. And of course, who is more responsible than Google?

America's Federal Trade Commission and 17 states filed an antitrust suit against Amazon in September. This week Amazon responded in court about its usage of Signal's "disappearing messages" feature.

Long-time Slashdot reader theodp shares GeekWire's report: At a company known for putting its most important ideas and strategies into comprehensive six-page memos, quick messages between executives aren't the place for meaningful business discussions. That's one of the points made by Amazon in its response Monday to the Federal Trade Commission's allegations about executives' use of the Signal encrypted communications app, known for its "disappearing messages" feature. "For these individuals, just like other short-form messaging, Signal was not a means to send 'structured, narrative text'; it was a way to get someone's attention or have quick exchanges on sensitive topics like public relations or human resources," the company says as part of its response, filed Monday in U.S. District Court in Seattle. Of course, for regulators investigating the company's business practices, these offhanded private comments between Amazon executives could be more revealing than carefully crafted memos meant for wider internal distribution. But in its filing this week, Amazon says there is no evidence that relevant messages have been lost, or that Signal was used to conceal communications that would have been responsive to the FTC's discovery requests. The company says "the equally logical explanation — made more compelling by the available evidence — is that such messages never existed."

In an April 25 motion, the FTC argued that the absence of Signal messages from Amazon discussing substantive business issues relevant to the case was a strong indication that such messages had disappeared. "Amazon executives deleted many Signal messages during Plaintiffs' pre-Complaint investigation, and Amazon did not instruct its employees to preserve Signal messages until over fifteen months after Amazon knew that Plaintiffs' investigation was underway," the FTC wrote in its motion. "It is highly likely that relevant information has been destroyed as a result of Amazon's actions and inactions...."

Amazon's filing quotes the company's founder, Jeff Bezos, saying in a deposition in the case that "[t]o discuss anything in text messaging or Signal messaging or anything like that of any substance would be akin to business malpractice. It's just too short of a messaging format...." The company's filing traces the initial use of Signal by executives back to the suspected hacking of Bezos' phone in 2018, which prompted the Amazon founder to seek ways to send messages more securely.

In an elaborate scam in January, "a finance worker, was duped into attending a video call with people he believed were the chief financial officer and other members of staff," remembers CNN. But Hong Kong police later said that all of them turned out to be deepfake re-creations which duped the employee into transferring $25 million. According to police, the worker had initially suspected he had received a phishing email from the company's UK office, as it specified the need for a secret transaction to be carried out. However, the worker put aside his doubts after the video call because other people in attendance had looked and sounded just like colleagues he recognized.
Now the targeted company has been revealed: a major engineering consulting firm, with 18,500 employees across 34 offices: A spokesperson for London-based Arup told CNN on Friday that it notified Hong Kong police in January about the fraud incident, and confirmed that fake voices and images were used. "Unfortunately, we can't go into details at this stage as the incident is still the subject of an ongoing investigation. However, we can confirm that fake voices and images were used," the spokesperson said in an emailed statement. "Our financial stability and business operations were not affected and none of our internal systems were compromised," the person added...

Authorities around the world are growing increasingly concerned about the sophistication of deepfake technology and the nefarious uses it can be put to. In an internal memo seen by CNN, Arup's East Asia regional chairman, Michael Kwok, said the "frequency and sophistication of these attacks are rapidly increasing globally, and we all have a duty to stay informed and alert about how to spot different techniques used by scammers."
The company's global CIO emailed CNN this statement. "Like many other businesses around the globe, our operations are subject to regular attacks, including invoice fraud, phishing scams, WhatsApp voice spoofing, and deepfakes.

"What we have seen is that the number and sophistication of these attacks has been rising sharply in recent months."

Slashdot reader st33ld13hl adds that in a world of Deep Fakes, insurance company USAA is now asking its customers to authenticate with voice. (More information here.)

Thanks to Slashdot reader quonset for sharing the news.

The thinktank InfluenceMap produces "data-driven analysis on how business and finance are impacting the climate crisis." Their web site says their newest report documents "How automaker lobbying threatens the global transition to electric vehicles." This report analyses the climate policy engagement strategies of fifteen of the largest global automakers in seven key regions (Australia, EU, Japan, India, South Korea, UK, US). It shows how even in countries where major climate legislation has recently passed, such as the US and Australia, the ambition of these policies has been weakened due to industry pressure. All fifteen automakers, except Tesla, have actively advocated against at least one policy promoting electric vehicles. Ten of the fifteen showed a particularly high intensity of negative engagement and scored a final grade of D or D+ by InfluenceMap's methodology. Toyota is the lowest-scoring company in this analysis, driving opposition to climate regulations promoting battery electric vehicles in multiple regions, including the US, Australia and UK. Of all automakers analyzed, only Tesla (scoring B) is found to have positive climate advocacy aligned with science-based policy.
CleanTechnica writes that Toyota "led on hybrid vehicles (and still does), so it's actually not surprising that it has been opposed to the next stage of climate-cutting auto evolution — it's clinging on to its lead rather than continuing to innovate for a new era."

More from InfluenceMap: Only three of fifteen companies — Tesla, Mercedes Benz and BMW — are forecast to produce enough electric vehicles by 2030 to meet the International Energy Agency's updated 1.5 degreesC pathway of 66% electric vehicle (battery electric, fuel cell and plug-in hybrids) sales according to InfluenceMap's independent analysis of industry-standard data from February 2024. Current industry forecasts analyzed for this report show automaker production will reach only 53% electric vehicles in 2030. Transport is the third-largest source of greenhouse gas emissions globally, and road transport is failing to decarbonize at anywhere near the rate of many other industries. InfluenceMap's report also finds that Japanese automakers are the least prepared for an electric vehicle transition and are engaging the hardest against it.
"InfluenceMap highlights that these anti-EV efforts in the industry are often coming from industry associations rather than coming directly from automakers, shielding them a bit from inevitable public backlash," writes CleanTechnica.

"Every automaker included in the study except Tesla remains a member of at least two of these groups," InfluenceMap reports, "with most automakers a member of at least five."

Thanks to Slashdot reader Baron_Yam for sharing the news.

The Washington Post reports that America took "one of its biggest steps yet to keep fossil fuels in the ground," announcing Thursday that it will end new coal leasing in the Powder River Basin, "which produces nearly half the coal in the United States...

"It could prevent billions of tons of coal from being extracted from more than 13 million acres across Montana and Wyoming, with major implications for U.S. climate goals." A significant share of the nation's fossil fuels come from federal lands and waters. The extraction and combustion of these fuels accounted for nearly a quarter of U.S. carbon dioxide emissions between 2005 and 2014, according to a study by the U.S. Geological Survey. In a final environmental impact statement released Thursday, Interior's Bureau of Land Management found that continued coal leasing in the Powder River Basin would harm the climate and public health. The bureau determined that no future coal leasing should happen in the basin, and it estimated that coal mining in the Wyoming portion of the region would end by 2041.

Last year, the Powder River Basin generated 251.9 million tons of coal, accounting for nearly 44 percent of all coal produced in the United States. Under the bureau's determination, the 14 active coal mines in the Powder River Basin can continue operating on lands they have leased, but they cannot expand onto other public lands in the region... "This means that billions of tons of coal won't be burned, compared to business as usual," said Shiloh Hernandez, a senior attorney at the environmental law firm Earthjustice. "It's good news, and it's really the only defensible decision the BLM could have made, given the current climate crisis...."

The United States is moving away from coal, which has struggled to compete economically with cheaper gas and renewable energy. U.S. coal output tumbled 36 percent from 2015 to 2023, according to the Energy Information Administration. The Sierra Club's Beyond Coal campaign estimates that 382 coal-fired power plants have closed down or proposed to retire, with 148 remaining. In addition, the Environmental Protection Agency finalized an ambitious set of rules in April aimed at slashing air pollution, water pollution and planet-warming emissions spewing from the nation's power plants. One of the most significant rules will push all existing coal plants by 2039 to either close or capture 90 percent of their carbon dioxide emissions at the smokestack.

"The nation's electricity generation needs are being met increasingly by wind, solar and natural gas," said Tom Sanzillo, director of financial analysis at the Institute for Energy Economics and Financial Analysis, an energy think tank. "The nation doesn't need any increase in the amount of coal under lease out of the Powder River Basin."

Jeremy Allison — Sam (Slashdot reader #8,157) is a Distinguished Engineer at Rocky Linux creator CIQ. This week he published a blog post responding to promises of Linux distros "carefully selecting only the most polished and pristine open source patches from the raw upstream open source Linux kernel in order to create the secure distribution kernel you depend on in your business."

But do carefully curated software patches (applied to a known "frozen" Linux kernel) really bring greater security? "After a lot of hard work and data analysis by my CIQ kernel engineering colleagues Ronnie Sahlberg and Jonathan Maple, we finally have an answer to this question. It's no." The data shows that "frozen" vendor Linux kernels, created by branching off a release point and then using a team of engineers to select specific patches to back-port to that branch, are buggier than the upstream "stable" Linux kernel created by Greg Kroah-Hartman. How can this be? If you want the full details the link to the white paper is here. But the results of the analysis couldn't be clearer.

- A "frozen" vendor kernel is an insecure kernel. A vendor kernel released later in the release schedule is doubly so.

- The number of known bugs in a "frozen" vendor kernel grows over time. The growth in the number of bugs even accelerates over time.

- There are too many open bugs in these kernels for it to be feasible to analyze or even classify them....

[T]hinking that you're making a more secure choice by using a "frozen" vendor kernel isn't a luxury we can still afford to believe. As Greg Kroah-Hartman explicitly said in his talk "Demystifying the Linux Kernel Security Process": "If you are not using the latest stable / longterm kernel, your system is insecure."
CIQ describes its report as "a count of all the known bugs from an upstream kernel that were introduced, but never fixed in RHEL 8." For the most recent RHEL 8 kernels, at the time of writing, these counts are: RHEL 8.6 : 5034 RHEL 8.7 : 4767 RHEL 8.8 : 4594

In RHEL 8.8 we have a total of 4594 known bugs with fixes that exist upstream, but for which known fixes have not been back-ported to RHEL 8.8. The situation is worse for RHEL 8.6 and RHEL 8.7 as they cut off back-porting earlier than RHEL 8.8 but of course that did not prevent new bugs from being discovered and fixed upstream....

This whitepaper is not meant as a criticism of the engineers working at any Linux vendors who are dedicated to producing high quality work in their products on behalf of their customers. This problem is extremely difficult to solve. We know this is an open secret amongst many in the industry and would like to put concrete numbers describing the problem to encourage discussion. Our hope is for Linux vendors and the community as a whole to rally behind the kernel.org stable kernels as the best long term supported solution. As engineers, we would prefer this to allow us to spend more time fixing customer specific bugs and submitting feature improvements upstream, rather than the endless grind of backporting upstream changes into vendor kernels, a practice which can introduce more bugs than it fixes.
ZDNet calls it "an open secret in the Linux community." It's not enough to use a long-term support release. You must use the most up-to-date release to be as secure as possible. Unfortunately, almost no one does that. Nevertheless, as Google Linux kernel engineer Kees Cook explained, "So what is a vendor to do? The answer is simple: if painful: Continuously update to the latest kernel release, either major or stable." Why? As Kroah-Hartman explained, "Any bug has the potential of being a security issue at the kernel level...."

Although [CIQ's] programmers examined RHEL 8.8 specifically, this is a general problem. They would have found the same results if they had examined SUSE, Ubuntu, or Debian Linux. Rolling-release Linux distros such as Arch, Gentoo, and OpenSUSE Tumbleweed constantly release the latest updates, but they're not used in businesses.
Jeremy Allison's post points out that "the Linux kernel used by Android devices is based on the upstream kernel and also has a stable internal kernel ABI, so this isn't an insurmountable problem..."

Bloomberg reports that self-driving car company Cruise "reached an $8 million to $12 million settlement with a pedestrian who was dragged by one of its self-driving vehicles in San Francisco, according to a person familiar with the situation." The settlement was struck earlier this year and the woman is out of the hospital, said the person, who declined to be identified discussing a private matter. In the October incident, the pedestrian crossing the road was struck by another vehicle before landing in front of one of GM's Cruise vehicles. The robotaxi braked hard but ran over the person. It then pulled over for safety, driving 20 feet at a speed of up to seven miles per hour with the pedestrian still under the car.
The incident "contributed to the company being blocked from operating in San Francisco and halting its operations around the country for months," reports the Washington Post: The company initially told reporters that the car had stopped just after rolling over the pedestrian, but the California Public Utilities Commission, which regulates permits for self-driving cars, later said Cruise had covered up the truth that its car actually kept going and dragged the woman. The crash and the questions about what Cruise knew and disclosed to investigators led to a firestorm of scrutiny on the company. Cruise pulled its vehicles off roads countrywide, laid off a quarter of its staff and in November its CEO Kyle Vogt stepped down. The Department of Justice and the Securities and Exchange Commission are investigating the company, adding to a probe from the National Highway Traffic Safety Administration.

In Cruise's absence, Google's Waymo self-driving cars have become the only robotaxis operating in San Francisco.

in June, the company's president and chief technology officer Mohamed Elshenawy is slated to speak at a conference on artificial-intelligence quality in San Francisco.
Dow Jones news services published this quote from a Cruise spokesperson. "The hearts of all Cruise employees continue to be with the pedestrian, and we hope for her continued recovery."

A blind worker for the National Federation of the Blind said Sonos had a reputation for making products usable for people with disabilities, but that "Overnight they broke that trust," according to the Washington Post.

They're not the only angry customers about the latest update to Sonos's wireless speaker system. The newspaper notes that nonprofit worker Charles Knight is "among the Sonos die-hards who are furious at the new app that crippled their options to stream music, listen to an album all the way through or set a morning alarm clock." After Sonos updated its app last week, Knight could no longer set or change his wake-up music alarm. Timers to turn off music were also missing. "Something as basic as an alarm is part of the feature set that users have had for 15 years," said Knight, who has spent thousands of dollars on six Sonos speakers for his bedroom, home office and kitchen. "It was just really badly thought out from start to finish." Some people who are blind also complained that the app omitted voice-control features they need.

What's happening to Sonos speaker owners is a cautionary tale. As more of your possessions rely on software — including your car, phone, TV, home thermostat or tractor — the manufacturer can ruin them with one shoddy update... Sonos now says it's fixing problems and adding back missing features within days or weeks. Sonos CEO Patrick Spence acknowledged the company made some mistakes and said Sonos plans to earn back people's trust. "There are clearly people who are having an experience that is subpar," Spence said. "I would ask them to give us a chance to deliver the actions to address the concerns they've raised." Spence said that for years, customers' top complaint was the Sonos app was clunky and slow to connect to their speakers. Spence said the new app is zippier and easier for Sonos to update. (Some customers disputed that the new app is faster.)

He said some problems like Knight's missing alarms were flaws that Sonos found only once the app was about to roll out. (Sonos updated the alarm feature this week.) Sonos did remove but planned to add back some lesser-used features. Spence said the company should have told people upfront about the planned timeline to return any missing functions.
In a blog post Sonos thanked customers for "valuable feedback," saying they're "working to address them as quickly as possible" and promising to reintroduce features, fix bugs, and address performance issues. ("Adding and editing alarms" is available now, as well as VoiceOver fixes for the home screen on iOS.)

The Washington Post adds that Sonos "said it initially missed some software flaws and will restore more voice-reader functions next week."

An anonymous reader quotes a report from The New York Times: There's a big debate in the tech world over whether artificial intelligence models should be "open source." Elon Musk, who helped found OpenAI in 2015, sued the startup and its chief executive, Sam Altman, on claims that the company had diverged from its mission of openness. The Biden administration is investigating the risks and benefits of open source models. Proponents of open source A.I. models say they're more equitable and safer for society, while detractors say they are more likely to be abused for malicious intent. One big hiccup in the debate? There's no agreed-upon definition of what open source A.I. actually means. And some are accusing A.I. companies of "openwashing" -- using the "open source" term disingenuously to make themselves look good. (Accusations of openwashing have previously been aimed at coding projects that used the open source label too loosely.)

In a blog post on Open Future, a European think tank supporting open sourcing, Alek Tarkowski wrote, "As the rules get written, one challenge is building sufficient guardrails against corporations' attempts at 'openwashing.'" Last month the Linux Foundation, a nonprofit that supports open-source software projects, cautioned that "this 'openwashing' trend threatens to undermine the very premise of openness -- the free sharing of knowledge to enable inspection, replication and collective advancement." Organizations that apply the label to their models may be taking very different approaches to openness. [...]

The main reason is that while open source software allows anyone to replicate or modify it, building an A.I. model requires much more than code. Only a handful of companies can fund the computing power and data curation required. That's why some experts say labeling any A.I. as "open source" is at best misleading and at worst a marketing tool. "Even maximally open A.I. systems do not allow open access to the resources necessary to 'democratize' access to A.I., or enable full scrutiny," said David Gray Widder, a postdoctoral fellow at Cornell Tech who has studied use of the "open source" label by A.I. companies.