Court orders Elon Musk to testify in the SEC’s investigation of his Twitter takeover

In a follow-up to a tentative ruling made in December, a federal judge has ordered Elon Musk to comply with the U.S. Securities and Exchange Commission's (SEC) subpoena and testify again in its probe of his Twitter takeover, Reuters reports. Per the order, which was filed Saturday night in a California court, Musk and the SEC now have a week to work out a time and place for his appearance or it will be decided for them. The SEC has been investigating Musk’s purchase of Twitter, now X, since 2022 over concerns about his lateness in disclosing his stake in Twitter.

The order comes after Musk failed to appear for testimony in September and later refused to attend a rescheduled interview, prompting the SEC to sue. US Magistrate Judge Laurel Beeler sided with the SEC after Musk tried to challenge its subpoena, which he claims seeks irrelevant information and amounts to harassment, as he’s already been interviewed twice. But the SEC says it has obtained new documents in relation to the probe and has further questions for the X owner. Musk also argued that the subpoena exceeds the SEC’s authority because it was issued by a staff member appointed by the SEC’s Director of Enforcement. Beeler struck these arguments down, ruling that the subpoena is valid.

This article originally appeared on Engadget at https://www.engadget.com/court-orders-elon-musk-to-testify-in-the-secs-investigation-of-his-twitter-takeover-193303461.html?src=rss

NASA’s Jet Propulsion Laboratory is laying off 570 workers

Even NASA is not immune to layoffs. The agency says it's cutting around 530 employees from its Jet Propulsion Laboratory (JPL) in California amid budget uncertainty. That's eight percent of the facility's workforce. JPL is laying off about 40 contractors too, just weeks after imposing a hiring freeze and canning 100 other contractors. Workers are being informed of their fates today.

"After exhausting all other measures to adjust to a lower budget from NASA, and in the absence of an FY24 appropriation from Congress, we have had to make the difficult decision to reduce the JPL workforce through layoffs," NASA said in a statement spotted by Gizmodo. "The impacts will occur across both technical and support areas of the Lab. These are painful but necessary adjustments that will enable us to adhere to our budget allocation while continuing our important work for NASA and our nation."

Uncertainty over the final budget that Congress will allocate to NASA for 2024 has been a major factor in the cuts. It's expected that the agency will receive around $300 million for Mars Sample Return (MSR), an ambitious mission in which NASA plans to launch a lander and orbiter to the red planet in 2028 and bring back soil. In its 2024 budget proposal, NASA requested just under $950 million for the project.

“While we still do not have an FY24 appropriation or the final word from Congress on our Mars Sample Return (MSR) budget allocation, we are now in a position where we must take further significant action to reduce our spending,” JPL Director Laurie Leshin wrote in a memo. "In the absence of an appropriation, and as much as we wish we didn’t need to take this action, we must now move forward to protect against even deeper cuts later were we to wait."

NASA has yet to provide a full cost estimate for MSR, though an independent report pegged the price at between $8 billion and $11 billion. In its proposed 2024 budget, the Senate Appropriations subcommittee ordered NASA to submit a year-by-year funding plan for MSR. If the agency does not do so, the subcommittee warned that the mission could be canceled.

That's despite MSR having enjoyed success so far. The Perseverance rover has dug up some soil samples that contain evidence of organic matter and would warrant closer analysis were NASA able to bring them back to Earth. The samples could help scientists learn more about Mars, such as whether the planet ever hosted life.

This article originally appeared on Engadget at https://www.engadget.com/nasas-jet-propulsion-laboratory-is-laying-off-570-workers-185336632.html?src=rss

Microsoft’s legal department allegedly silenced an engineer who raised concerns about DALL-E 3

A Microsoft manager claims OpenAI’s DALL-E 3 has security vulnerabilities that could allow users to generate violent or explicit images (similar to those that recently targeted Taylor Swift). GeekWire reported Tuesday the company’s legal team blocked Microsoft engineering leader Shane Jones’ attempts to alert the public about the exploit. The self-described whistleblower is now taking his message to Capitol Hill.

“I reached the conclusion that DALL·E 3 posed a public safety risk and should be removed from public use until OpenAI could address the risks associated with this model,” Jones wrote to US Senators Patty Murray (D-WA) and Maria Cantwell (D-WA), Rep. Adam Smith (D-WA 9th District), and Washington state Attorney General Bob Ferguson (D). GeekWire published Jones’ full letter.

Jones claims he discovered an exploit allowing him to bypass DALL-E 3’s security guardrails in early December. He says he reported the issue to his superiors at Microsoft, who instructed him to “personally report the issue directly to OpenAI.” After doing so, he claims he learned that the flaw could allow the generation of “violent and disturbing harmful images.”

Jones then attempted to take his cause public in a LinkedIn post. “On the morning of December 14, 2023 I publicly published a letter on LinkedIn to OpenAI’s non-profit board of directors urging them to suspend the availability of DALL·E 3,” Jones wrote. “Because Microsoft is a board observer at OpenAI and I had previously shared my concerns with my leadership team, I promptly made Microsoft aware of the letter I had posted.”

[Image: A sample image (a storm in a teacup) generated by DALL-E 3. Credit: OpenAI]

Microsoft’s response was allegedly to demand he remove his post. “Shortly after disclosing the letter to my leadership team, my manager contacted me and told me that Microsoft’s legal department had demanded that I delete the post,” he wrote in his letter. “He told me that Microsoft’s legal department would follow up with their specific justification for the takedown request via email very soon, and that I needed to delete it immediately without waiting for the email from legal.”

Jones complied, but he says the more fine-grained response from Microsoft’s legal team never arrived. “I never received an explanation or justification from them,” he wrote. He says further attempts to learn more from the company’s legal department were ignored. “Microsoft’s legal department has still not responded or communicated directly with me,” he wrote.

An OpenAI spokesperson wrote to Engadget in an email, “We immediately investigated the Microsoft employee’s report when we received it on December 1 and confirmed that the technique he shared does not bypass our safety systems. Safety is our priority and we take a multi-pronged approach. In the underlying DALL-E 3 model, we’ve worked to filter the most explicit content from its training data including graphic sexual and violent content, and have developed robust image classifiers that steer the model away from generating harmful images.

“We’ve also implemented additional safeguards for our products, ChatGPT and the DALL-E API – including declining requests that ask for a public figure by name,” the OpenAI spokesperson continued. “We identify and refuse messages that violate our policies and filter all generated images before they are shown to the user. We use external expert red teaming to test for misuse and strengthen our safeguards.”

Meanwhile, a Microsoft spokesperson wrote to Engadget, “We are committed to addressing any and all concerns employees have in accordance with our company policies, and appreciate the employee’s effort in studying and testing our latest technology to further enhance its safety. When it comes to safety bypasses or concerns that could have a potential impact on our services or our partners, we have established robust internal reporting channels to properly investigate and remediate any issues, which we recommended that the employee utilize so we could appropriately validate and test his concerns before escalating it publicly.”

“Since his report concerned an OpenAI product, we encouraged him to report through OpenAI’s standard reporting channels and one of our senior product leaders shared the employee’s feedback with OpenAI, who investigated the matter right away,” wrote the Microsoft spokesperson. “At the same time, our teams investigated and confirmed that the techniques reported did not bypass our safety filters in any of our AI-powered image generation solutions. Employee feedback is a critical part of our culture, and we are connecting with this colleague to address any remaining concerns he may have.”

Microsoft added that its Office of Responsible AI has established an internal reporting tool for employees to report and escalate concerns about AI models.

The whistleblower says the pornographic deepfakes of Taylor Swift that circulated on X last week are one illustration of what similar vulnerabilities could produce if left unchecked. 404 Media reported Monday that Microsoft Designer, which uses DALL-E 3 as a backend, was part of the deepfakers’ toolset that made the video. The publication claims Microsoft, after being notified, patched that particular loophole.

“Microsoft was aware of these vulnerabilities and the potential for abuse,” Jones concluded. It isn’t clear if the exploits used to make the Swift deepfake were directly related to those Jones reported in December.

Jones urges his representatives in Washington, DC, to take action. He suggests the US government create a system for reporting and tracking specific AI vulnerabilities — while protecting employees like him who speak out. “We need to hold companies accountable for the safety of their products and their responsibility to disclose known risks to the public,” he wrote. “Concerned employees, like myself, should not be intimidated into staying silent.”

Update, January 30, 2024, 8:41 PM ET: This story has been updated to add statements to Engadget from OpenAI and Microsoft.

This article originally appeared on Engadget at https://www.engadget.com/microsofts-legal-department-allegedly-silenced-an-engineer-who-raised-concerns-about-dall-e-3-215953212.html?src=rss

NSA admits to buying Americans’ web browsing data from brokers without warrants

The National Security Agency’s director has confirmed that the agency buys Americans’ web browsing data from brokers without first obtaining warrants. Senator Ron Wyden (D-OR) blocked the appointment of the NSA’s inbound director Timothy Haugh until the agency answered his questions regarding its collection of Americans’ location and Internet data. Wyden said he’d been trying for three years to “publicly release the fact that the NSA is purchasing Americans’ internet records.”

In a letter dated December 11, current NSA Director Paul Nakasone confirmed to Wyden that the agency does make such purchases from brokers. "NSA acquires various types of [commercially available information] for foreign intelligence, cybersecurity, and other authorized mission purposes, to include enhancing its signals intelligence (SIGINT) and cybersecurity missions," Nakasone wrote. "This may include information associated with electronic devices being used outside and, in certain cases, inside the United States."

Nakasone went on to claim that the NSA "does not buy and use location data collected from phones known to be used in the United States either with or without a court order. Similarly, NSA does not buy and use location data collected from automobile telematics systems from vehicles known to be located in the United States."

An NSA spokesperson told Reuters that the agency uses such data sparingly but that it has notable value for national security and cybersecurity purposes. "At all stages, NSA takes steps to minimize the collection of US [personal] information, to include application of technical filters," the spokesperson said.

Wyden has called the practice unlawful. "Such records can identify Americans who are seeking help from a suicide hotline or a hotline for survivors of sexual assault or domestic abuse," he said.

The senator urged Director of National Intelligence Avril Haines to order US intelligence agencies to stop buying Americans’ private data without consent. He also asked Haines to direct intelligence agencies to "conduct an inventory of the personal data purchased by the agency about Americans, including, but not limited to, location and internet metadata." Wyden said that any data that does not comply with Federal Trade Commission standards regarding personal data sales should be deleted.

Wyden pointed to an FTC settlement that this month banned a data broker from selling location data. The agency alleged that the information, which it claimed was sold to buyers including government contractors, "could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters."

The FTC stated in its complaint against the broker, formerly known as X-Mode Social, that by "failing to fully inform consumers how their data would be used and that their data would be provided to government contractors for national security purposes, X-Mode failed to provide information material to consumers and did not obtain informed consent from consumers to collect and use their location data."

The settlement was the first of its kind with a data broker. In a statement, Wyden, who has been investigating the data broker industry for several years, said he was "not aware of any company that provides such a warning to users [regarding their consent] before collecting their data."

The issue of US federal agencies buying phone location data isn't exactly new. In 2020, it emerged that Customs and Border Protection had been doing so. The following year, Wyden claimed the Defense Intelligence Agency and the Pentagon bought and used location data from Americans’ phones.

This article originally appeared on Engadget at https://www.engadget.com/nsa-admits-to-buying-americans-web-browsing-data-from-brokers-without-warrants-154904461.html?src=rss

The SEC says its X account was taken over with a SIM swap attack

The Securities and Exchange Commission has provided more details about how its official X account was compromised earlier this month. In a statement, the regulator confirmed that it had been the victim of a SIM swapping attack and that its X account was not secured with multi-factor authentication (MFA) at the time it was accessed.

“The SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent 'SIM swap' attack,” it said, referring to a common scam in which attackers persuade customer service representatives to transfer phone numbers to new devices. “Once in control of the phone number, the unauthorized party reset the password for the @SECGov account.”

The hack of its X account, which was taken over in order to falsely claim that bitcoin ETFs had been approved, has raised questions about the SEC’s security practices. Government-run social media accounts are typically required to have MFA enabled. The fact that an account as high-profile and potentially market-moving as @SECGov was not using the extra layer of security has already prompted questions from Congress.

In its statement, the SEC said that it asked X’s support staff to disable MFA last July following “issues” with its account access. “Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9,” it said. “MFA currently is enabled for all SEC social media accounts that offer it.”

While the lack of MFA likely made it much easier to take over the SEC’s account, there are still numerous questions about the exploit, including how those responsible knew which phone was associated with the X account, how the unnamed telecom carrier fell for the scam and, of course, who was behind it. The regulator said it’s investigating these questions, along with the Department of Justice, FBI, Homeland Security and its own Inspector General.

This article originally appeared on Engadget at https://www.engadget.com/the-sec-says-its-x-account-was-taken-over-with-a-sim-swap-attack-004542771.html?src=rss

Senators want to know why the SEC’s X account wasn’t secured with MFA

Another lawmaker is pushing the Securities and Exchange Commission for more information about its security practices following the hack of its verified account on X. In a new letter to the agency’s Inspector General, Senator Ron Wyden called for an investigation into “the SEC’s apparent failure to follow cybersecurity best practices.”

The letter, which was first reported by Axios, comes days after the SEC’s official X account was taken over in order to post a tweet claiming that spot bitcoin ETFs had been approved by the regulator. The rogue post temporarily juiced the price of bitcoin and forced SEC chair Gary Gensler to chime in from his X account that the approval had not, in fact, happened. (The SEC did approve 11 spot bitcoin ETFs a day later, with Gensler saying in a statement that “bitcoin is primarily a speculative, volatile asset that’s also used for illicit activity.”)

The incident has raised a number of questions about the SEC’s security practices after officials at X said the financial regulator had not been using multi-factor authentication to secure its account. In the letter, Wyden, who chairs the Senate’s finance committee, said it would be "inexcusable" for the agency to not use additional layers of security to lock down its social media accounts.

“Given the obvious potential for market manipulation, if X’s statement is correct, the SEC’s social media accounts should have been secured using industry best practices,” Wyden wrote. “Not only should the agency have enabled MFA, but it should have secured its accounts with phishing-resistant hardware tokens, commonly known as security keys, which are the gold standard for account cybersecurity. The SEC’s failure to follow cybersecurity best practices is inexcusable, particularly given the agency’s new requirements for cybersecurity disclosure.”

Wyden isn’t the only lawmaker who has pushed the SEC for more details about the hack. Senators J. D. Vance and Thom Tillis sent a letter of their own, addressed to Gensler, immediately following the incident. They asked for a briefing about the agency’s security policies and investigation into the hack by January 23.

The SEC didn’t immediately respond to a request for comment. The agency said in an earlier statement that it was working with the FBI and the Inspector General to investigate the matter.

This article originally appeared on Engadget at https://www.engadget.com/senators-want-to-know-why-the-secs-x-account-wasnt-secured-with-mfa-203614701.html?src=rss

The SEC’s X account was apparently ‘compromised’ to falsely claim bitcoin ETFs were approved

The official X account belonging to the Securities and Exchange Commission was briefly “compromised,” the regulator said, after an apparently rogue post on X temporarily juiced bitcoin prices. 

On Tuesday, the SEC’s official X account tweeted that bitcoin ETFs had been approved “for listing on all registered national securities exchanges.” The tweet included an official-looking graphic featuring a quote from SEC Chair Gary Gensler. However, Gensler himself quickly clarified from his X account that the post from @SECGov was the result of a "compromised” account.

“The @SECGov twitter account was compromised, and an unauthorized tweet was posted,” Gensler wrote. “The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.”

[Image: The SEC's rogue tweet, which has since been deleted. Screenshot via X]

The confusion comes as the SEC is, in fact, considering whether to approve spot bitcoin ETFs, investment funds that hold the cryptocurrency. The regulator is expected to make a decision Wednesday in a process that has been closely watched by crypto investors.

Naturally, the now-deleted tweet from the SEC’s official (and gray check-verified) account on X prompted a momentary surge in bitcoin prices, followed by a steep decline. The post and subsequent clarification from Gensler “wiped out over $50 million of leveraged derivatives trading positions within an hour,” according to an analysis from CoinDesk.

In an update Wednesday, an SEC spokesperson said the rogue tweet had not been "drafted or created by the SEC." The spokesperson added that "the first public indication" of a change would not come via the agency's X account. "Consistent with existing practice, any Commission action on exchange rule filings would be posted on the relevant section of the SEC’s website at https://www.sec.gov/ and then in the Federal Register."

The SEC hasn't shared details about how its X account was “compromised.” In a statement, an SEC spokesperson told Engadget that it was investigating the matter, and working with the FBI and Inspector General. "The SEC has determined that there was unauthorized access to and activity on the @SECGov x.com account by an unknown party for a brief period of time shortly after 4 pm ET," the spokesperson said. "That unauthorized access has been terminated. The SEC will work with law enforcement and our partners across government to investigate the matter and determine appropriate next steps relating to both the unauthorized access and any related misconduct."

X didn’t immediately respond to a request for comment, but the company shared the results of its "preliminary investigation" Tuesday evening. 

"We can confirm that the account @SECGov was compromised and we have completed a preliminary investigation," X wrote in a post from its safety account. "Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party. We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised."

X's comments also raise a number of new questions about the takeover. As Bloomberg points out, government-run social media accounts are supposed to use multi-factor authentication as an extra layer of security. If the regulator, which is currently investigating X over its security practices, had lax security settings itself, it would be a significant embarrassment to the agency. 

But though X suggested its systems were not compromised, the company could still face scrutiny over whether it's doing enough to protect high-profile accounts. It's also not the first time high-profile government accounts have been hijacked on the platform. In 2020, hackers took over the accounts belonging to Barack Obama, Joe Biden, Musk, Bill Gates and a number of others in a coordinated crypto scam. A Florida teen and two others were later charged and the company, then known as Twitter, said the hacks were the result of a social engineering scheme. 

Update January 9 2024, 6:50PM ET: This story has been updated with a statement from an SEC spokesperson about their investigation.

Update January 9 2024, 11:18PM ET: This story was updated to include comments from X about the SEC's account.

Update January 10 2024, 3:38PM ET: This story has been updated with additional comments from the SEC.

This article originally appeared on Engadget at https://www.engadget.com/the-secs-x-account-was-apparently-compromised-to-falsely-claim-bitcoin-etfs-were-approved-230034839.html?src=rss

UK Supreme Court rules AI can’t be a patent inventor, ‘must be a natural person’

AI may or may not take people's jobs in years to come, but in the meantime, there's one thing it cannot obtain: patents. Dr. Stephen Thaler has spent years trying to get patents for two inventions created by his AI "creativity machine" DABUS. Now, the United Kingdom's Supreme Court has rejected his appeal to approve these patents with DABUS listed as the inventor, Reuters reports.

The court's rationale stems from a provision in UK patent law that states, "an inventor must be a natural person." The ruling stipulated that the appeal was unconcerned with whether this should change in the future. "The judgment establishes that UK patent law is currently wholly unsuitable for protecting inventions generated autonomously by AI machines," Thaler's lawyers said in a statement. 

Thaler's first attempt to register the patents — for a food container and a flashing light — was in 2018, as owner of the machine that invented them. However, the UK's Intellectual Property Office said he must list an actual human being on the application, and when he refused, it withdrew his application. Thaler fought the decision in the High Court and then the Court of Appeal, with Lady Justice Elisabeth Laing stating, "Only a person can have rights. A machine cannot."

Thaler, an American, also submitted the two products to the United States Patent and Trademark Office, which rejected his application. Plus, he previously sued the US Copyright Office (USCO) for not awarding him the copyright for a piece of art DABUS created. The case reached the US District Court of Columbia, with Judge Beryl Howell's ruling explaining, "Human authorship is a bedrock requirement of copyright." Thaler has argued that this provision is unconstitutional, but the US Supreme Court declined to hear his case, ending any further chances to argue his stance. While the UK and US have rejected Thaler's petitions, he has succeeded in countries such as Australia and South Africa. 

This article originally appeared on Engadget at https://www.engadget.com/uk-supreme-court-rules-ai-cant-be-a-patent-inventor-must-be-a-natural-person-131207359.html?src=rss

Apple now needs a judge’s order to hand over push notification records

Following the revelation that our mobile push notification records can be handed over to law enforcement, Apple put the blame on the Department of Justice (DOJ) for preventing tech companies from revealing such a process. At the same time, the company updated its Legal Process Guidelines document to state that "a subpoena or greater legal process" was required to obtain the relevant records. However, Reuters spotted that a week later, Apple quietly tweaked this particular line to match Google's stricter policy on this matter:

"The Apple ID associated with a registered APNs token and associated records may be obtained with an order under 18 U.S.C. §2703(d) or a search warrant."

In other words, law enforcement will now need a judge's consent in order to obtain push notification data from Apple — as has been the case with Google all this time, according to a statement provided to Reuters. Engadget reached out to Apple, but it declined to comment on the updated guidelines.

The "push notification spying" concerns were originally brought to light by Oregon Senator Ron Wyden who, in an open letter to the DOJ, claimed that foreign governments have been demanding that Google and Apple provide push notification records. Given that push notifications go through these companies' servers, the senator is worried that "Apple and Google are in a unique position to facilitate government surveillance of how users are using particular apps."

Wyden then addressed the elephant in the room, by arguing that these two tech giants "should be permitted to be transparent about the legal demands they receive, particularly from foreign governments." Apple's response regarding the DOJ's suppression appears to align with the senator's claims, but it's unclear whether the department will take action on both tech companies' stepped-up transparency on push notification surveillance.

This article originally appeared on Engadget at https://www.engadget.com/apple-now-needs-a-judges-order-to-hand-over-push-notification-records-052710429.html?src=rss

Tesla recalls over 2 million cars to fix Autopilot safety controls

Following a two-year investigation by the National Highway Traffic Safety Administration (NHTSA), Tesla will recall over 2 million vehicles to address Autopilot safety concerns, according to new NHTSA documents. Fixes will be issued to owners for free via over-the-air (OTA) updates to add features that ensure drivers pay attention while using Tesla's controversial driver assistance system. It affects all current Tesla EVs built since Autopilot launched in 2015, including the Model 3, Model Y, Model S and Model X. 

"The remedy will incorporate additional controls and alerts to those already existing on affected vehicles to further encourage the driver to adhere to their continuous driving responsibility whenever Autosteer is engaged," the NHTSA stated in a document. It noted that while Autopilot (specifically its Autosteer component) does have several controls to ensure drivers pay attention, they're not always enough. 

"In certain circumstances when Autosteer is engaged, the prominence and scope of the feature’s controls may not be sufficient to prevent driver misuse of the SAE Level 2 advanced driver-assistance feature," the document states. That in turn may lead to "an increased risk of a collision." 

Tesla was ordered to address the driver monitoring system. "The remedy will incorporate additional controls and alerts to those already existing on affected vehicles to further encourage the driver to adhere to their continuous driving responsibility whenever Autosteer is engaged, which includes keeping their hands on the steering wheel and paying attention to the roadway," it states. Those will include more prominent visual alerts, making it easier to turn Autosteer on and off, and eventual suspension from Autosteer if the driver fails to behave responsibly on an ongoing basis. 

In a letter to the NHTSA, Tesla acknowledged the order and said it would issue the required fix. "Tesla will release an over-the-air (OTA) software update, free of charge. Owner notification letters are expected to be mailed February 10, 2023." The order affects 2,031,220 vehicles, though models that went into production after December 7th will have already incorporated the update. 

The NHTSA said last August that it was opening an investigation into Autopilot following 11 crashes with parked first responder vehicles since 2018 that resulted in 17 injuries and one death. In a letter to Tesla sent shortly afterward, the regulator requested detailed documentation on how the driver assistance system works. Specifically, it wanted to know how it ensures that human drivers will keep their eyes on the road while Autopilot is engaged and whether there are limits on where it can be used.

This article originally appeared on Engadget at https://www.engadget.com/tesla-recalls-2-million-cars-in-order-to-fix-autopilot-safety-controls-123308343.html?src=rss