|
|
[ Reuters | Slashdot | BBC News ] [ Image Archive ] |
Slashdot
Aikido Security found that deleted Google API keys can continue authenticating for a median of about 16 minutes and as long as 23 minutes, despite Google Cloud's UI claiming that once a key is deleted it can no longer make API requests. Dark Reading reports: Joe Leon, researcher at Belgian startup Aikido Security, recently analyzed the revocation window -- the time between a key's deletion and its last successful authentication -- for the cloud giant's API keys. In a blog post published today, Leon said Google Cloud Platform (GCP) customers expect API access to end immediately after the key is deleted, but this is not the case. In a series of tests, Leon found that the median revocation window was around 16 minutes, while the longest window was up to 23 minutes, "an incredibly long time" for API keys to continue authenticating successfully, he said. And these windows have serious repercussions for organizations. "An attacker holding your deleted key can keep sending requests until one reaches a server that has not caught up. If Gemini is enabled on the project, they can dump files you have uploaded and exfiltrate cached conversations," Leon said. "The GCP console will not show the key, and it will not tell you the key is still working. You are trusting Google's infrastructure to eventually catch up." [...] Leon tells Dark Reading the revocation windows for Google's API keys, as well as the unpredictable authentication success rates, complicate matters for incident response teams that are dealing with a potential breach. "This breaks the mental model IR teams have when responding to leaked credentials," he says. "It's assumed that when you click 'Delete' or 'Revoke' that the credential no longer works. Now IR teams need to remember that for GCP credentials, a window exists when that 'Deleted' credential still works for attackers." To that end, Aikido recommended that security teams and IR personnel use a 30-minute window for Google API key deletions. Additionally, organizations should monitor their API requests by credential through the "Enabled APIs and services" portion of the GCP console, and review API requests by credential. "If you see unexpected usage from that credential after deletion, someone could be actively exploiting it," Leon wrote. Aikido reported the findings to Google, but the company closed the report as "won't fix," according to the blog post. 
Read more of this story at Slashdot. - Major Streamers Must Pay 15% of Revenues To Canadian Content, CRTC Says Canada's broadcast regulator says major streaming services such as Netflix must contribute 15% of their Canadian revenues to Canadian and Indigenous content. "That's three times the five-per-cent initial contribution requirement the CRTC set out in 2024, which is being challenged in court by major streamers, including Apple and Amazon," reports Global News. "Contribution requirements for traditional broadcasters, which currently pay between 30 and 45 percent, will be lowered to 25 percent." From the report: "The total contributions are expected to stabilize the funding at more than $2 billion in support of Canadian and Indigenous content, such as French-language content and news," the regulator said in a press release. The CRTC made the decisions as part of its implementation of the Online Streaming Act, which the U.S. has identified as a trade irritant ahead of trade negotiations with Canada. The CRTC also set out rules on how the money must be spent for both streamers and broadcasters, including contributions toward production funds and direct spending on Canadian content. Most of the streamers' financial contributions can go toward content, though the CRTC is imposing rules on how that money must be spent for the largest streamers. For instance, streamers with Canadian revenues of more than $100 million annually must direct 30 percent of spending toward partnerships with Canadian broadcasters and independent producers. Large Canadian broadcasters will have to direct at least 15 percent of their contributions toward news. The new financial contribution rules apply to streamers and broadcasters with at least $25 million in annual Canadian broadcasting revenues. The decision covers audiovisual programming, meaning it affects traditional TV broadcasters and online services that stream television content. The regulator also said Thursday online streamers will have to take steps to ensure Canadian and Indigenous content is available and visible to audiences. "This will make it easier for people to find this content on the platforms they use, while giving broadcasters flexibility in how they meet the new expectations," the CRTC said in the release. Details of those requirements will be determined at a later time.
Read more of this story at Slashdot. - NTSB Wants PDF Removed After It Exposed Final Cockpit Audio From UPS Crash The NTSB temporarily closed public access to nearly all investigation dockets after people used a spectrogram image from a PDF in the UPS flight 2976 crash file to reconstruct approximate cockpit voice recorder audio and post it online. "We show our work and we've been doing this type of thing for years. Nobody was aware that you can recreate audio from a picture," a spokesperson for the board said. "NTSB is looking to make sure there's nothing else in the docket that could compromise anybody's privacy... now that we understand the possibility of a digital recreation." CNN reports: Cockpit voice recordings, often referred to as the CVR, capture everything commercial pilots say and are valuable during NTSB investigations, but are almost never released out of respect for the victims and their families. UPS flight 2976 crashed on November 4, when an engine separated from the wing while it was taking off from Louisville, Kentucky. The three crew members onboard were killed along with 12 people on the ground. During a two-day investigative hearing this week, the board released a docket full of details about the crash. Besides thousands of pages of reports and video showing the engine separating, it included a transcript of the CVR and a PDF file showing an analysis of the spectrogram of the audio it recorded. A spectrogram is a still image that is a visual representation of the audio, showing the ups and downs of the frequencies. Using that still image, members of the public were able to recreate the voices of the pilots in the moments before the plane crashed and post the results online. The clip, which included background noise and echoes, covered the last 30 seconds of the flight as the pilots struggled with the disabled aircraft as well as recordings of testing the NTSB did on another aircraft. In a statement on Thursday, the board made clear it "does not release cockpit voice recordings" due to federal law and because of the highly sensitive nature of what they include, but it was "aware that advances in image recognition and computational methods have enabled individuals to reconstruct approximations of cockpit voice recorder audio from sound spectrum imagery." Investigation dockets are made public for transparency, but this week, the board took the rare step of closing public access to all dockets, including the one for the UPS crash. [...] The NTSB is urging platforms like X and Reddit to remove posts with the audio.
Read more of this story at Slashdot. - Trump Mobile Exposed Customers' Personal Data, Including Phone Numbers and Home Addresses Trump Mobile confirmed that a third-party platform exposed customers' personal data to the open internet. The data included names, email addresses, mailing addresses, phone numbers, and order IDs. TechCrunch reports: Chris Walker, a spokesperson for the Trump-branded phone maker, told TechCrunch that the company is investigating the exposure and has not found evidence that content or financial information spilled online. The company said there was no breach of Trump Mobile's network, systems, or infrastructure. Walker said that the exposure was linked to a third-party platform provider that supports "certain Trump Mobile operations." He did not name the provider. [...] On Wednesday, two YouTubers who ordered Trump Mobile's phone said a researcher alerted them that their personal information was exposed online. The YouTubers Coffeezilla and penguinz0 said they tried to alert Trump Mobile of the exposure after the researcher also tried but to no avail. Walker said Trump Mobile is evaluating whether it needs to notify customers of the exposure of their personal data. Further reading: Trump Phones Start Shipping - But Were There Really 600,000 Preorders?
Read more of this story at Slashdot. - Spotify, UMG To Let Fans Make Their Own Music With AI An anonymous reader quotes a report from Billboard: Spotify and Universal Music Group (UMG) announced a licensing deal for recorded music and publishing rights, enabling Spotify to launch generative AI music models in the future. With this deal, Spotify's models will allow fans to create covers and remixes of their favorite songs from participating artists and songwriters signed to UMG. The new deal was announced on Thursday (May 21) as part of Spotify's Investor Day presentation, and the company touts that it will open up additional revenue streams on top of what artists already earn on Spotify and will provide new discovery opportunities for participating UMG talent. These AI products will eventually become available to premium users as a paid add-on. It is unclear when they are set to launch. "We recognize there's a wide range of views on use of generative music tools within the artistic community," the announcement read. "Therefore, artists and rightsholders will choose if and how to participate to ensure the use of AI tools aligns with the values of the people behind the music." Spotify also announced a feature called "Reserved" that will set aside concert tickets for Premium subscribers it identifies as an artist's most dedicated fans. "Getting concert tickets today can feel like a race you're set up to lose," Spotify wrote in a post on Thursday. "You show up at the right time, refresh endlessly, and still miss out. Too often, the experience is stressful, unpredictable, and disconnected from what should matter most: whether real fans actually get tickets. We think there's a better way."
Read more of this story at Slashdot. - This Cannes Film Cost $500,000 to Make. $400,000 Was AI Compute Costs. Higgsfield AI is debuting a 95-minute fully AI-generated film at Cannes called "Hell Grind" that reportedly cost $500,000 to make, $400,000 of which was spent on compute alone. The project took just two weeks to produce and is intended to showcase the startup's AI production tools. But it also underscores the current limits of AI filmmaking: thousands of detailed prompts, endless iteration, high costs, and plenty of traditional filmmaking judgment were still required. The Wall Street Journal reports: What might surprise viewers is how much technical film know-how was needed to create the movie, said Adil Alimzhanov, a content lead at Higgsfield who also worked on it. "You have to understand camera composition, which shots are changed. Like you can't have two close-ups back to back, you have to start with an establishing shot," he said. "You still need those filmmaking skills." Higgsfield, which was valued at $1.3 billion in its latest funding round earlier this year, crossed $400 million in annual revenue run rate in May. It doesn't make the actual video-generation models, relying instead on existing tools like Google's Veo 3. But it does provide the tooling on top to make sure that the visuals are consistent across all the incoming generations. The core of the movie-making process here was prompting the AI models and getting clips back, Alimzhanov said. Each prompt would generate about 15 seconds of footage. Those 15 seconds needed to be generated a number of times, with tweaks to the prompt to get the best possible version. The first 25 minutes of the movie required 16,181 initial video generations, which ended up as 253 final shots. One of the biggest difficulties in making longer-form films with AI is maintaining consistency across the outputs. AI models can be unpredictable, and a feature-length film can't have scenes that look completely different from one moment to the next. Because of that, every prompt had to be extremely long and detailed. Each one would typically start with a prefix that defined requirements like style (8k IMAX, photorealistic), lighting (natural light only, "contre-jour" backlight, camera on shadow side) and the type of camera it should look like it was being shot on ("cine lens," 180-degree shutter motion blur). The lighting was key to avoiding the AI sheen that typically gets branded as "slop," said Alimzhanov. AI-generated video tends to over-light scenes in an unnatural way. That prefix would also have to remind the AI to obey the laws of physics with wording like: "gravity and inertia respected -- mass has real weight, correct contact shadows, no floating props." The individual prompts were, on average, 3,000 words each. One aspect of what Higgsfield has built, and sells to clients, is an AI tool that generates these complex, detailed prompts. Users can enter a page from the original script, and the Higgsfield tool will return with a prompt that could be thousands of words long, designed to create production-quality outputs. And all that prompting is how the company racked up a $400,000 AI compute bill on the project. Co-founder and CEO Alex Mashrabov, however, noted that working with "cloud" providers, like Nebius and CoreWeave, rather than big hyperscalers, helped it keep costs from going even higher. You can watch the trailer for Hell Grind on YouTube and judge the results for yourself.
Read more of this story at Slashdot. - Venmo Redesign Makes New Users' Posts Friends-Only by Default Venmo is testing a major redesign that will make new users' payment posts viewable by their friends by default instead of being public. The Verge reports: It's a notable update for a platform that has struggled with privacy in the past. In 2021, BuzzFeed News tracked down President Joe Biden's Venmo account and the accounts of people in his inner circle because Venmo, at the time, had no way to keep your Venmo contacts private. It fixed that soon after. As part of the redesign, if you're a new user and you do want your posts to be public (or private just to you), you'll be able to set that as part of the new onboarding flow. You can also change your preference in settings after the fact; an updated screen for sending money will also show if that post is private, visible just to friends, or is visible publicly before you make the transaction.
Read more of this story at Slashdot. - Samsung Chip Workers To Get $340,000 Average Bonus In AI Boom Samsung is reportedly set to pay chip-division workers an average bonus of about $340,000 after reaching a tentative deal with its union, according to Bloomberg (paywalled). The deal ended a standoff that "could have cost the economy as much as 1 trillion won ($658 million) daily, with losses potentially multiplying to 100 trillion won ($68 billion) if in-progress semiconductor wafers were rendered unusable," reports Quartz. From the report: The agreement, subject to a union ratification vote running May 22 through May 27, calls for Samsung to direct 10.5% of operating profit into stock bonuses along with a separate 1.5% cash component, according to Bloomberg. The program runs for 10 years, contingent on the company meeting profit thresholds. One-third of the stock award can be liquidated right away, with the rest parceled out in installments across the next two years, Bloomberg reported. The first payout is expected in early 2027. Not all workers will fare equally. As an illustration, Reuters cited a union source estimating that someone in the memory chip unit earning an 80-million-won base salary could take home roughly 626 million won in total bonuses this year. By comparison, workers at SK Hynix stand to collect upward of 700 million won should their employer post annual profit of 250 trillion won, Reuters calculated. Unlike at Samsung, SK Hynix employees are not limited to stock payouts and may instead opt for cash, Reuters reported.
Read more of this story at Slashdot. - A Bipartisan Amendment Would End Police License Plate Tracking Nationwide An anonymous reader quotes a report from Wired: US lawmakers plan to introduce an amendment Thursday at a House committee markup hearing that would prohibit any recipient of federal highway funding from using automated license plate readers for any purpose other than tolling -- a sweeping restriction that, if adopted, would bring an immediate end to state and local ALPR programs across the United States. The amendment, obtained first by WIRED, is sponsored by Representative Scott Perry, a Pennsylvania Republican and Freedom Caucus member, and Representative Jesus "Chuy" Garcia, an Illinois progressive whose state has become a flash point in the national fight over ALPR misuse. The House Transportation and Infrastructure Committee will mark up the underlying bill -- a $580 billion, five-year reauthorization of federal surface transportation programs -- at 10 am ET on Thursday. The amendment runs a single sentence: "A recipient of assistance under Title 23, United States Code, may not use automated license plate readers for any purpose other than tolling." The amendment is brief, but its reach would be vast. Title 23 funds roughly a quarter of all public road mileage in the US, including most state and county arteries and many city streets where ALPR cameras are becoming ubiquitous. Conditioning that funding on a ban of the technology would, in practical effect, force any state, county, or municipality that takes federal highway money (essentially all of them) to either remove the cameras or restructure their use around tolling alone. The amendment's cosponsors, Perry and Garcia, represent opposite ends of the House's ideological spectrum but converge on a surveillance concern that has gathered momentum in legislatures and city halls across the US as ALPR networks have quietly become a pervasive layer of American road infrastructure. ALPR cameras -- mounted on poles, overpasses, traffic signals, and police cruisers -- photograph every passing license plate, log times and locations, and feed data into searchable databases shared across agencies and jurisdictions. [...] Privacy advocates have long warned that the aggregation of license plate data amounts to a de facto warrantless tracking system. New York University School of Law's Brennan Center for Justice has documented the integration of ALPR feeds into police data-fusion systems that combine plate data with surveillance and social media monitoring. And the Electronic Frontier Foundation, a digital rights nonprofit, has documented a range of police misuse, including the past targeting of mosques and the disproportionate deployment of the technology in low-income neighborhoods. Earlier this week, 404 Media reviewed FBI procurement records that reveal the agency is seeking up to $36 million for nationwide access to ALPR data, which could let it query vehicle movements across the U.S. and its territories through a commercial database.
Read more of this story at Slashdot. - Steve Wozniak Tells Graduates They All Have 'AI': Actual Intelligence While other commencement speeches have been met with boos for hyping up artificial intelligence, Apple cofounder Steve Wozniak reminded college graduates that they already posses "AI" of their own: "actual intelligence." He framed AI as an attempt to duplicate brain-like routines, and encouraged students to "think different" as they enter a workforce being reshaped by automation. Business Insider reports: Steve Wozniak did what other college graduation commencement speakers couldn't this year: earn applause when talking about AI. The Apple cofounder took the stage during Grand Valley State University's graduation ceremony earlier this month. During his speech, Wozniak offered reassurance to new graduates who are entering the workforce at the height of the AI revolution. "It would take too long to go deeply into what I think about AI, but we've been trying to create a brain," Wozniak said. "Is there a way we can duplicate a routine a trillion times and have it work like a brain? AI is one of those attempts." [...] During his commencement address, Wozniak reflected on working at Apple and offered students some advice as they begin their careers. "You should always try to think different," he said. "Don't follow the same steps as a million other people. Think, is there something I can do a little different?" You can watch the clip on YouTube.
Read more of this story at Slashdot. - At Least 80% Responsibility For Ill Health In Old Age Down to Individual, Study Says A new Oxford Longevity Project report argues that individuals bear at least 80% of the responsibility for ill health in old age. "The report (PDF), launched at the Smart Ageing Summit in Oxford last week, argues that individuals have far greater control over their longevity than is commonly understood," reports The Guardian. "The authors call on the government to take legislative action on alcohol comparable to restrictions on smoking." From the report: Living Longer, Better -- the Oxford Longevity Project's first Age-less report -- was co-authored by an interdisciplinary panel of UK-based experts in medicine, physiology, ageing and education policy. It was sponsored by Oxford Healthspan. The report's authors, Sir Christopher Ball, Sir Muir Gray, Dr Paul Ch'en, Leslie Kenny and Prof Denis Noble, present the figure of 80% as a conservative estimate. [...] The claim, however, has been described as simplistic and said to neglect wider arguments about whether people are genuinely in control of individual choices when it comes to issues including poverty, pollution and healthcare access. [...] Ball, however, pointed to research including the Landmark Twins Study, where researchers concluded at least 75% of human lifespan is determined by environmental and modifiable lifestyle factors. He also cited large-scale analysis led by Oxford Population Health using data from nearly 500,000 UK Biobank participants which found that environmental exposures and habits carry far greater weight in premature death and biological ageing than inherited genetics. The report's recommendations include avoiding processed foods, abstaining entirely from alcohol, prioritising sleep, not eating after 6.30pm, and cultivating what it calls "a not-meat mindset." On alcohol, it takes a position more forthright than current government guidance. "Alcohol is toxic, don't drink it," said Ball. "The report bravely says so -- whereas the government is afraid to tell the public the truth."
Read more of this story at Slashdot. - AT&T Sues California In Bid To Stop Offering Traditional Phone Service An anonymous reader quotes a report from Reuters: AT&T on Wednesday filed suit (PDF) against California officials seeking a court order declaring it does not have to continue offering traditional copper wire phone service to new customers as it vowed to spend $19 billion on modern telecom services. California requires the U.S. wireless carrier to spend $1 billion annually to maintain a century-old telephone network that few use, AT&T said, saying the network now serves just 3% of households in AT&T's California territory. AT&T's suit named the California Public Utilities Commission and the state attorney general. AT&T said it is committing to investing $19 billion in California as it works to connect more than 4 million additional households and businesses across California by 2030 and added IP-based networks are far more reliable and efficient. AT&T also Wednesday asked the Federal Communications Commission for permission to discontinue traditional phone service in parts of California where it has faster, more reliable service available. It also filed a petition with the FCC to declare that California's rules that effectively require AT&T to power, repair and sell traditional phone service, even after the FCC has authorized the service to be phased out, are preempted by federal standards. AT&T added that transitioning from copper will save an estimated 300 million kilowatt-hours annually by 2030 or the equivalent of eliminating emissions from 17 million gallons of gasoline. The company added that California has already suffered about 2,000 outages from copper thefts this year and it struggles to find replacement parts. The federal government and virtually all states where AT&T historically offered copper-wire service "have now eliminated outdated regulatory obstacles" allowing AT&T to begin powering down its old network and increasing its investments in modern communication technologies, the company said in its lawsuit filed in U.S. District Court in southern California.
Read more of this story at Slashdot. - Thousands of Zillow Listings In Chicago Have Vanished Thousands of Chicago-area Zillow and Trulia listings disappeared after Midwest Real Estate Data cut off Zillow's access to its feed, "in the latest escalation of a legal battle with Lisle-based Midwest Real Estate Data (MRED)," reports the Chicago Sun-Times. "The fight is over MRED's private listing network, where homes for sale are shared among real estate professionals. And MRED followed through on a threat to cut Zillow's access to its listing data feed." From the report: There were nearly 5,000 Chicago homes listed on Zillow Tuesday, but as of Wednesday afternoon, that number plummeted to about 1,700. Meanwhile, other listing sites like Redfin and Realtor.com show about 5,000 to 8,000 listings in Chicago. MRED manages listings -- submitted by brokers -- throughout Illinois, as well as parts of Wisconsin and Indiana. The regional multiple listing service has more than 43,000 members and processed more than 264,000 listings worth $43 billion in 2025. The loss of listings on Zillow's websites have made a behind-the-scenes real estate industry fight public. And it now hinders some consumers in their search to buy a home, while also limiting the marketing opportunity for sellers. The legal fight is basically over who gets to control how home listings are marketed and displayed online. Zillow recently adopted a rule saying that if a home is marketed privately, such as behind a paywall, login, or private listing network, it should not also appear on Zillow. The policy, the real estate marketplace says, is meant to discourage "pocket listings," preserve transparency, and make sure buyers can see the full market. MRED sees it differently. It expanded its private listing network and partnered with Compass, which wants to give sellers more control over whether their homes are broadly publicized or marketed privately first. MRED argues that Zillow is violating MLS rules and licensing agreements by refusing to display certain listings, including private Compass listings. Consumers are now caught in the middle...
Read more of this story at Slashdot. - Vivaldi 8.0 Arrives With 'Most Significant Design Overhaul' In Browser's History Vivaldi 8.0 is being pitched as the browser's "most significant design overhaul" yet, featuring a new unified, edge-to-edge interface, six preset layouts, and deeper customization across tabs, toolbars, panels, and themes. The company is also taking a swipe at rivals chasing questionable AI features. Neowin reports: After updating to version 8.0, Vivaldi will present you with the ability to select one of the six pre-built styles. You can select a minimal edge-to-edge theme, one with the UI fully hidden for focused work, or a power user variant with everything on the screen. The update comes with a built-in collection theme, and users are free to select one of over 7,000 community themes available on the official website. Vivaldi says that while other browsers were busy adding questionable AI features, it focused on "a foundation that no other browser can match" with flexible tab management, built-in productivity tools, and advanced customization. At the same time, Vivaldi does not force the new design onto its users, so those who prefer the previous user interface can go back to it at any moment in settings. "With 8.0, we have done something we have been working toward for a long time: we have given the browser itself a visual system worthy of everything it can do," says Vivaldi's CEO and co-founder, Jon Stephenson von Tetzchner. "With this update Vivaldi feels like one considered, coherent tool." You can download Vivaldi 8.0 and view the changelog at their respective links.
Read more of this story at Slashdot. - Trump Calls Off AI Executive Order Over Concern It Could Weaken US Tech Edge Trump called off a planned AI executive order just hours before a signing ceremony because he said he was worried the framework could slow America's lead over China. "We're leading China, we're leading everybody, and I don't want to do anything that's going to get in the way of that lead," Trump told reporters. The Associated Press reports: The order would have established a framework for the government to vet the national security risks of the most advanced AI systems before their public release, according to a person familiar with the White House's deliberations with the tech industry but not authorized to speak about it publicly. The directive was being characterized as a voluntary collaboration with participating U.S.-based tech companies, including Anthropic, OpenAI and Google, the person said. There are competing factions within the administration, said Serena Booth, a computer science professor at Brown University and former AI policy fellow in a Democratic-led Senate committee. "We do see this kind of public fighting," she said. "'We will release an executive order. No, we won't. We're going to sign it this afternoon. Oh, the signing is canceled.' I think this whiplash is because we're seeing these fractures.'" Some of those divides are balancing what Booth said is a "reasonable idea" to test the most capable AI models before their public release, with a concern that government scrutiny, if it takes too long, could burden AI developers. "It does come at a potential very large cost to innovation and speed of development," she said. "There is, I think, a real risk here and I do see both sides." [...] "They don't want to do it because it's politically risky in a million different ways," said Dean Ball, now at the Foundation for American Innovation. Ball said he would welcome an executive order that would get those companies working more closely with the government on cybersecurity but "ultimately, I'm fine with them taking time to get this right."
Read more of this story at Slashdot. |
|