Technology

cross-posted from: https://programming.dev/post/36083939

cross-posted from: https://programming.dev/post/36081990

cross-posted from: https://programming.dev/post/36082211

Techspot has a table of some known bad VPNs, and concludes:

The report does not speculate heavily on Qihoo 360's motives for concealing ownership of so many free VPN apps, an approach that likely helped boost downloads while avoiding reputational risks. The company, which has well-documented ties to Beijing's communist regime, may have pursued this strategy to minimize costs and maintain deniability.

For more details on the security issues, this is about the same paper: https://cyberinsider.com/vpn-apps-used-by-millions-contain-shared-keys-and-hidden-backdoors/

This week, dozens of Microsoft employees occupied the company's east campus in Redmond, Washington in protest against the use of Azure and generative AI technologies by the Israeli military, during their on-going assault on Palestinians in the West Bank and Gaza.

This follows an announcement from Microsoft that they would commission another "external" inquiry into their business relationship with Israel's armed forces, after the Guardian and other papers reported on an alleged collaboration with one particular intelligence division, Unit 8200, that has seen Israel gather data from phones and store it on Microsoft servers overseas.

Amongst other things, the surveillance data is reportedly being used to target airstrikes in the course of an invasion of Gaza that has claimed the lives of tens of thousands, the majority of them civilians. Microsoft declined to comment on the recent Guardian allegations concerning Unit 8200 when approached by RPS, but have previously insisted that their own internal reporting has found "no evidence to date that Microsoft’s Azure and AI technologies have been used to target or harm people in the conflict in Gaza."

The protest at Microsoft's campus was brief. According to the Guardian, current and former staff declared one area a 'Free Zone', and occupied it with placards that read "Join The Worker Intifada - No Labor for Genocide" and "Martyred Palestinian Children's Plaza".

cross-posted from: https://programming.dev/post/36063172

Source.

Archive link

Finally!

Proton is beginning to shift its physical infrastructure out of Switzerland, fearing a fresh bout of government snooping baked into the country's updated surveillance laws.

The company has confirmed that Lumo, its newly launched AI chatbot positioned as a privacy-friendly ChatGPT rival, is the first to move. Servers for the product are now being housed in Germany, with Norway also in the frame for future operations. This comes amid serious grumbling about amendments to the country’s existing surveillance ordinance, which would force VPNs and messaging apps to identify users and store their data for up to six months.

Proton has been vocal about its opposition since May. In a statement roton’s head of anti-abuse and account security Eamonn Maguire said: “Because of legal uncertainty around Swiss government proposals to introduce mass surveillance, proposals that have been outlawed in the EU, Proton is moving most of its physical infrastructure out of Switzerland. Lumo will be the first product to move."

Well, fuck. "You can keep your Nazi gold to yourself, but we need your LLM interactions."

Recently, OpenAI ChatGPT users were shocked – shocked, I tell you! – to discover that their searches were appearing in Google search. You morons! What do you think AI chatbots are doing? Doing all your homework for free or a mere $20 a month? I think not!

When you ask an AI chatbot for an answer, whether it's about the role of tariffs in decreasing prices (spoiler: tariffs increase them,); whether your girlfriend is really that into you; or, my particular favorite, "How to Use a Microwave Without Summoning Satan," OpenAI records your questions. And, until recently, Google kept the records for anyone who is search savvy to find them.

It's not like OpenAI didn't tell you that if you shared your queries with other people or saved them for later use, it wasn't copying them down and making them potentially searchable. The company explicitly said this was happening.

The warning read: "When users clicked 'Share,' they were given the option to 'Make this chat discoverable.' Under that, in smaller text, was the explanation that you were allowing it to be 'shown in web searches'."

Well, of course.

A now-patched flaw in popular AI model runner Ollama allows drive-by attacks in which a miscreant uses a malicious website to remotely target people's personal computers, spy on their local chats, and even control the models the victim's app talks to, in extreme cases by serving poisoned models.

GitLab's Security Operations senior manager Chris Moberly found and reported the flaw in Ollama Desktop v0.10.0 to the project's maintainers on July 31. According to Moberly, the team fixed the issue within hours and released the patched software in v0.10.1 — so make sure you've applied the update because Moberly on Tuesday published a technical writeup about the attack along with proof-of-concept exploit code.

"Exploiting this in the wild would be trivial," Moberly told The Register. "There is a little bit of work to build the proper attack infrastructure and to get the interception service working, but it's something an LLM could write pretty easily."

This makes me less enthusiastic about local models. I mean, nothing on the internet is inherently secure and the patch came quickly, but local LLMs being hackable in the first place opens a new can of worms.