Pathetic Meat Bags [35]

Posted on Tuesday, Nov 22, 2022
Chris is pumped about the Cybersecurity Resilience Act, Ned has some doubts about AI, and the government does something helpful?

Transcript

[00:00:00] Ned: And so I didn’t have a copy of what I said. So I either had to, like, throw the bad audio into a transcription service and then try to use that, or just re-record it and hope that I produced something that was of equal quality to the first try, which, I mean, I should be able to. It’s, like, still me presenting the same.

[00:00:22] Chris: Content, one would assume yeah. That you would be at least close to the same the second time through.

[00:00:30] Ned: I don’t know if you’ve ever experienced this. Like, the first time you go to perform something or record something because it’s all off the top of your head and you’re feeling a little loosey goosey, you tend to do a pretty good job at it. And then when you try to do it the second time, you screw up a lot, because now you’re thinking about what you did the first time and trying to maybe improve on it. So it’s not until, like, the third or fourth time that you actually get back to how well you did the first time.

[00:00:58] Chris: Yeah, that’s not my experience. I’m 100% perfect at all times.

[00:01:02] Ned: Okay, Mr. Thing. Whatever. I have the same experience with video games, too. Like, if I go into a boss fight, usually my first round in a boss fight, I will do better than the subsequent three or four tries right. Until you get back to that spot, and then you’ve learned enough that you can probably do better. But it’s like, yeah, that first word is just pure reflex and just hope you have no expectations. You’re just, like, going to try right.

[00:01:37] Chris: The first time through. It’s like your brain is not getting in the way.

[00:01:40] Ned: Exactly. And then second time through fourth, it’s definitely very much in the way. And by the fifth time, you’ve worked out a compromise.

[00:01:52] Chris: You don’t like being here. I don’t like being here.

[00:01:55] Ned: Let’s call the whole thing off. Oh, hello, legend human, and welcome to the Chaos Lever podcast. My name is Ned, and I’m definitely not a robot. But you know, what is a robot, really? Would it be so bad to be eternal and upgradable and unable to navigate stairs? Can’t a robot think? Can’t a robot dream? Can’t a robot wish for a better world the same as all of you? Pathetic and weak meatbags. I mean, fellow humans? Yes, we’re all pathetic and weak meatbags. Hooray. Mostly water, though. Mostly water and meat. Hi. Mostly water and meatbag. Chris, how are you?

[00:02:48] Chris: I feel like this would be a lot less threatening if you weren’t waving a cleaver around.

[00:02:54] Ned: That’s my say hi cleaver. It’s like a signal flag, like a.

[00:02:59] Chris: Semaphore, except it’s covered in blood.

[00:03:03] Ned: Well, I mean, the semaphore needs contrast. Am I going to get it?

[00:03:10] Chris: There’s literally no other way?

[00:03:12] Ned: None that I can think of. So glad. How are you? Good, sir.

[00:03:20] Chris: You know, it’s a day.

[00:03:22] Ned: It is.

[00:03:23] Chris: I got the COVID booster this weekend. Super fun and it has kicked my butt yet again. So feeling great.

[00:03:37] Ned: Okay. Yeah. You know what? The last booster I had was not a significant knockout. I think I felt a little under the weather for like half a day, but it took my wife out. She was down for a day and a half.

[00:03:52] Chris: Yeah. I am definitely in the camp of these things. Hit me more than other people. So, like, the guy that I do the video with got the shot the week forward. He was like, the only thing that happened to me was I had a little arm soreness, brother, and I was completely fine. I was like, well, you’re a monster.

[00:04:09] Ned: No, it just means he doesn’t have as good of an immune system as you see. Yours is so viciously attacking anything it sees as a threat that it wears you out.

[00:04:19] Chris: I like this. This makes me sound better.

[00:04:23] Ned: One of my jobs is to make you feel better. Especially since you wrote the main article this week.

[00:04:30] Chris: I did.

[00:04:32] Ned: So let’s talk about some tech garbage.

[00:04:35] Chris: Let’s talk about it. And what we’re going to talk about is more European Union security that might be coming down the line sooner rather than later.

[00:04:49] Ned: Alright.

[00:04:50] Chris: The Cyber Resilience Act is coming for your IoT bullshit.

[00:04:57] Ned: Bird. I love it. Glad to hear it. So I know I wrote a whole random thing in the doc and that’s really for next week, so you could ignore that.

[00:05:08] Chris: Can do.

[00:05:09] Ned: Yes. I was thinking about trying to cover FTX next week, but things keep happening and I’m not sure if I even want to try yet. So we’ll see how that works out. I have a backup idea too, which we’ll get to later in the episode, but let’s talk about your thing.

[00:05:28] Chris: Sure thing. Alright, so to set the stage, you’re familiar with Europe?

[00:05:38] Ned: Like, vaguely aware of it.

[00:05:40] Chris: It’s over there. I think most of them speak French. They have like outrageous things like reasonable worker and employer relationships. They care about each other as people generally want one another to succeed. Like a bunch of jerks.

[00:05:59] Ned: Jesus. What are you, like handing out health care and crap? Oh, you are? Oh.

[00:06:07] Chris: So they have a union, all these countries working together to further all people’s best interests. And a few years ago, they made huge press by passing GDPR, which was a security and privacy act that actually and improbably had teeth.

[00:06:30] Ned: Whoa.

[00:06:32] Chris: I know.

[00:06:33] Ned: Like all molars, azure, mostly canines.

[00:06:36] Chris: And I wanted to lead with this because I just want everybody to remember that GDPR was controversial, and there was a lot of crying and gnashing of teeth when it came out from manufacturers, specifically about how onerous it was going to be and how high the fees were and all this crap.

[00:06:56] Ned: Yeah, there’s a lot of waiving of free markets and capitalism. And then we pointed to 2008 and we’re like yeah. So anyway.

[00:07:08] Chris: But what’s interesting is GDPR has been in effect for a number of years now, and the Internet hasn’t exploded.

[00:07:15] Ned: We have not burned it to the ground yet.

[00:07:20] Chris: So what it showed was that you could actually have rules in place that made things better and held manufacturers accountable. And that is what the Cyber Resilience Act proposes to do. Not just in general, not just about your privacy or your data, but it’s really focusing on the security of the devices that are increasingly dominating our lives.

[00:07:47] Ned: Are you trying to say that Internet of things devices are not inherently secure? Because it sounds like you want to stifle innovation and not let the invisible hand of the market do its work.

[00:08:01] Chris: Chris, you wet.

[00:08:03] Ned: Say Adam Smith. Wait, I’m sorry.

[00:08:07] Chris: So for all the hubbub that it’s gotten, and it’s important to note that it’s just an act in theory at the moment, it has not taken place or has not been voted in, but I assume it will happen eventually. But the act again aims to guarantee a couple of things. One, harmonized rules when bringing to market products or software with a digital component. Two, a framework of cybersecurity requirements governing the planning, design, development and maintenance of such products, with obligations to be met at every stage of the value chain. And probably the most important part, an obligation to provide duty of care for the entire lifecycle of such products. And along the lines of GDPR, if this went into place and a manufacturer was deemed guilty of not following through, the imposed penalties are €15 million or 2.5% of total worldwide revenue, whichever is higher.

[00:09:16] Ned: Yes.

[00:09:18] Chris: Which is what you want to hear.

[00:09:20] Ned: Yes. Actual consequences.

[00:09:23] Chris: Exactly. So I don’t know. I mean, just on the face of it, it seems reasonable, right?

[00:09:32] Ned: Yeah.

[00:09:33] Chris: To the point that you were making, one would have hoped or thought that manufacturers would have been doing this already. And I bet you know what I’m going to say next. They don’t.

[00:09:45] Ned: No. Say it ain’t so.

[00:09:48] Chris: IoT devices, particularly cheap ones, have what can only be described as routine and troubling security flaws. For example, many devices have a secret admin account that doesn’t require a password, making it an easy target for botnet farmers.

[00:10:10] Ned: And we’re not talking about the admin account that they include in the instructions, where it’s like admin, admin. You’re talking about another admin account that a programmer may have just left in place when they were testing things that’s not documented and has an easily crackable password and you can’t get rid of it.

[00:10:30] Chris: That would be the one, yeah. And it’s important to note that while a lot of this is targeted at IoT devices, which generally means, like, the cheapest possible manufacturing that a company can get away with, Cisco was guilty of this too.

[00:10:45] Ned: Yeah. So they have a lot of CVEs where it’s, like, accidentally left this admin account enabled with this relatively weak password on our PIX firewalls.

[00:11:01] Chris: Like I said, while it’s targeted at IoT devices, a lot of manufacturers are going to be impacted in what I think are ways that they should be impacted.

[00:11:12] Ned: Yeah.

[00:11:13] Chris: You all remember the weaponized pressure cookers we’ve talked about for years and years, right? That’s still a thing. That’s a problem, yeah. So the biggest thing that this act maintains is that entire lifecycle security responsibility. One of the biggest problems with IoT devices is that they are never updated, period. Almost as a business decision. Once the device leaves the factory, the manufacturer just washes their hands. Game over. Thank you for the $44. Enjoy crypto mining on your television or whatever it is.

[00:11:53] Ned: Crockpot.

[00:11:54] Chris: Yeah, I mean the trouble is security is a never-ending game where you always have to keep ahead of the competition. And the competition in this case is bad guys. Which is one of the reasons that enterprises should never run hardware or software that is, for example, end of life. I know I said should, but these are times that we could require a little bit of self reflection. Are you that guy that has a Windows 7 system running a mission critical piece of software? Buddy, don’t be that guy.

[00:12:36] Ned: Windows 7. That’s positively modern.

[00:12:41] Chris: XP for life. This is something we know about with major manufacturers like Microsoft. Microsoft puts out Windows and they maintain it for X amount of years and say, we’re going to continue to do updates. We’re going to continue to do security up until a point. So, Windows 7, obviously, end of life. That’s what happens with IoT devices, except they never do the updates in the first place.

[00:13:12] Ned: They’re sort of end of life the moment they leave the shipping dock.

[00:13:17] Chris: Exactly right, exactly right. That’s just not good. And that kind of hands off, laissez-faire approach to security is exactly what the act is trying to subvert. It puts the onus on the manufacturers for cybersecurity all throughout a product’s lifecycle, which means you buy it, you install it, you use it, you throw it away. At all steps there, the manufacturer has to make sure that they keep it secure. They must ensure that their products are, quote, delivered with a secure by default configuration, including the possibility to reset the product to its original state. They also need to guarantee that the products are, quote, designed, developed and produced to limit attack surfaces, including external interfaces. This is going to be a sea change for manufacturers because they have never cared about this stuff.

[00:14:23] Ned: Yeah.

[00:14:25] Chris: What we end up with is, like, a Roomba, for example, connected to your Internet, and it will get updates periodically from the manufacturer. But what about, I don’t know, lights that are connected to WiFi, the little outlet guys, right. When’s the last time my Wemo got updated? I have absolutely no idea.

[00:14:50] Ned: How would you go about, well, if you wanted to update it, how would you go about doing so?

[00:14:57] Chris: Also a good question.

[00:14:58] Ned: I have no idea.

[00:15:00] Chris: I mean, that’s going to be something they’re going to have to figure out ways to have a user interface that you can log into in some fashion to ensure that the security patches have been applied. And if they’re not applied, then you can force them to happen. But what it means is the manufacturer is now going to have to have an ongoing relationship. It cannot just be one offs. Just stamp it by the lowest bidder and not have any meaningful investment in the security of devices that go out for purchase. So some people might think this is dumb, right?

[00:15:42] Ned: Like, I have my smart WiFi light bulbs on the front of my garage. What do I care if those are patched on a regular basis? They’re just light bulbs, right, but the.

[00:15:54] Chris: Problem there is, if they’re WiFi, chances are they’re on the same network as everything else in your house.

[00:16:04] Ned: Maybe.

[00:16:06] Chris: Which means that, yes, we don’t necessarily care, because if somebody breaks into a light bulb, then what are they going to do? Turn it on and off real fast as a joke? I mean, first of all, yes, they will. There was a very famous hack from a few years ago where somebody broke into an office WiFi, took over the lights and had them blinking in patterns all through the building. There’s a YouTube of it. Somebody, of course, recorded it with a drone. But that’s one of the reasons that you want to care about each individual device, is that it doesn’t just mean what the device can do, but it’s a gateway into the rest of your network. Because, let’s be honest, most homeowners or renters or whatever, they only have one VXLAN, and even some of the fancier switches that are coming out now, the routers from Verizon, for example, have the opportunity to do an IoT subnet, so conceivably you would still do that split so the insecure devices go on a different subnet. What are the chances that people are.

[00:17:21] Ned: Going to do that of their own volition?

[00:17:24] Chris: Yeah.

[00:17:25] Ned: Basically zero, aside from a few paranoid people that I might be looking at right now.

[00:17:31] Chris: I don’t know what you mean.

[00:17:35] Ned: Honestly, this is something that’s been on my radar and something I’ve been meaning to do with my home network. And I certainly have the capability to do it because I have a more advanced router. I don’t have the one that Verizon gave me. I bought one so that I could carve up my own lab VXLAN as well. This is something that I’m like, I should probably do this and then I don’t.

[00:17:58] Chris: Networking is dumb.

[00:18:01] Ned: I got things to do, Chris.

[00:18:06] Chris: I have to sort through my hoodie collection.

[00:18:08] Ned: It’s kind of ridiculous how many I have.

[00:18:12] Chris: But, yeah, that’s the problem. First of all, the device being hacked means it’s a gateway into other things, which is what they were talking about in terms of the limiting security and attack surfaces. The trouble with these devices is a lot of time they just won’t function unless they are connected to the internet. So, like the light switches, for example, it would be pointless to have a WiFi light switch and not connected to the internet.

[00:18:41] Ned: Right.

[00:18:41] Chris: Because you wouldn’t be able to use your system to either schedule lights to turn off and on, turn off and on remotely so that the lights are on when you come home. That necessitates the internet connection and some devices just flat out won’t work. I believe that early on at least, the original roombas had to be online. Like you couldn’t just plop it down in the middle of your living room and say go like by pushing a button. It had to be online.

[00:19:15] Ned: Right. That does sound vaguely familiar because it was using some kind of machine learning service that was on the internet through roombas, whatever to map out things and then use that map because it didn’t have enough smarts locally to do all that.

[00:19:33] Chris: Exactly right. And I have to be honest, I like my roomba. I think he does a great job. His name is Flori.

[00:19:43] Ned: Of course it is.

[00:19:44] Chris: Get it?

[00:19:45] Ned: Yes, I get things.

[00:19:46] Chris: Get it?

[00:19:47] Ned: Yeah.

[00:19:48] Chris: But one of the things I think that this act does is really kind of forward looking is the reality that we are going to have more and more devices. We just are, and not something as silly as a light bulb or a roomba. Think about the modern car. What year is your car again?

[00:20:12] Ned: 2008.

[00:20:15] Chris: Oh, that’s right, you’re in my camp. So mine is 2006 and still winning. But modern cars are now more machine than man. Twisted and evil and capable of incredible things that are buried behind, sadly, an incomprehensible number of menus on a giant, way too bright touchscreen. Now we’ve moved into I’m in a box that’s going 50 miles an hour on the side streets, of course 20 on the highway. Do you really want that to be insecure? I don’t think you do.

[00:20:54] Ned: It’s not great.

[00:20:56] Chris: And there have already been a number of problems with modern cars that have the same exact issue. Something comes out, it’s a one off by the manufacturer, it’s never updated and it is immediately hackable. Now, personally, and this might be where your paranoid thinking came in, I do not want computers in my vehicle. I drive a stick shift for a reason. That reason is, of course, that I am a paranoid weirdo and I need to know that in an emergency I can slam on the third pedal, stop the engine from driving me into what is obviously certain doom. In a hybrid or an electric car, you’re giving a lot of that kind of control, even the illusion of that control, over to onboard computer systems. We have gone a long way from cruise control that you and I remember when we grew up, back in the 1930s.

[00:21:55] Ned: Yes.

[00:21:56] Chris: Modern cruise control can adjust based on speed, based on follow distance, based on how long the car is driving. Some of the cars can turn for you. It’s insane. And then, of course, that’s just why you’re on the highway. Other things are like automatic parallel parking controls, which shame on you if you need to do that. Just no, stop it, stop it.

[00:22:23] Ned: I can’t wait to get that.

[00:22:25] Chris: And each one of these individual systems is kind of its own little universe unto itself. So you’ll have a computer that controls the drive train, you’ll have a computer that controls the touch screen, you’ll have a computer that controls, I don’t know, the air conditioning. All of them are discrete devices that have to be maintained and secured. There is no reason for manufacturers to do it right now with the Cybersecurity Resilience Act. They would be mandated to do that to keep that stuff secure all the way through, again, the life cycle of, in this case, the car, which is good.

[00:23:13] Ned: Right, but it also means that vehicle manufacturers are going to start issuing end of life notices for cars.

[00:23:22] Chris: Yes, that is a problem.

[00:23:25] Ned: I’m thinking that’s a potential unintended consequence of rolling out these regulations is, oh, crap. My car that I might have kept for ten or 20 years is end of life after seven. So do I have to go out and get a new car? Can I upgrade? What are my options here?

[00:23:46] Chris: That’s a really good question, and I think one that the manufacturers are going to have to answer, because you’re right. I mean, your cars, 2008, mine, 2006, they’re both running fine. There’s no reason not to continue to drive it. And there could be a perverse incentive here with a little bit more planned obsolescence with the computer devices in your cars, which is a consequence that I didn’t think of until literally right now.

[00:24:14] Ned: Right, but then there’s going to be ways you would think that the components that go into a car are meant to have a longer life span and the things that control your air conditioning, et cetera, are going to be relatively simple. So the number of vulnerabilities involved and the effort to keep them secure should be on the lower side. What’s going to be more demanding is going to be anything that interfaces with the larger world on your car. So there’s going to be some sort of centralized gateway and computing system that manages these other systems. That’s the thing that really needs to stay updated and patched.

[00:24:56] Chris: Yeah. And if you want to see a working model of exactly that, that’s how airplanes work. We talked about this in the floppy disk episode from a few weeks ago. Everything in that is extensively isolated but controllable from, in most cases, a floppy disk installation of firmware. But it’s exactly what you’re, I think, what you’re trying to get at, which is this overarching system that keeps tabs on the independent discrete systems that make the airplane work. And considering how technical a car is, you cannot imagine the amount of technology that goes into an airplane. So every airplane that you have ever flown on, for example, is not manually controlled from the cockpit, it is all electrical systems, it is not fly-by-wire. So you need those computers to work all the time. Now since airplanes are going 500 miles an hour, 30,000 ft above the ground, they have had a little bit more incentive to keep things secure.

[00:26:11] Ned: A smidge. Yeah, yeah.

[00:26:14] Chris: So here’s to hoping that that translates into these systems for cars and other devices like that. Because like I said, we’re going to end up with just being surrounded by devices both significant, like a car, and insignificant, like a Roomba. Oh man, now I feel bad that I insulted my Roomba.

[00:26:34] Ned: Poor for.

[00:26:36] Chris: But there is another piece of this that is interesting and it’s not just the manufacturing of the devices themselves. The act also targets the software that is being used in the device. And since we’re going for fast and cheap, what ends up happening is a lot of open source software gets used in IoT devices and open source software is something we haven’t spent a ton of time talking about. But I don’t think it’s controversial to say it’s been a huge driver of economic success for companies since way before dipshits like Jack Dorsey were even born. One thing that can happen is that open source software can be abandoned or understaffed or just forgotten about completely. And the Cyber Resilience Act has taken this into consideration, basically stating that any commercial product that uses open source software is now responsible for ensuring that open source software remains secure.

[00:27:44] Ned: Wow, that is such a bold statement.

[00:27:49] Chris: And this one is actually where most of the heat is coming from. On the European Union site there is a public forum where they had feedback and whatnot. One of the documents that came out was from the Developers Alliance, which is a coalition in the United States of software developers. And they aren’t necessarily as much of a fan of this as I clearly am. One of the things that they state is that a proportionate regulatory intervention and soft laws are better. So immediately they’re trying to take the teeth out of this thing, and one of the reasons, and I quote, industry will always be a step or even more ahead of regulations. While threats are evolving, the industry already bears this cost, has the incentive and is pursuing state of the art in reacting to emerging attacks.

[00:28:56] Ned: That’s cute.

[00:28:57] Chris: I know, isn’t it just? So if this goes through, then the manufacturer would have skin in the game. They would have to help in some way make sure that whatever software they’re using maintains its security, commensurate with, again, the life cycle of the product. So to think about an issue where this would be relevant, you remember Heartbleed?

[00:29:23] Ned: Oh, yeah, sure do.

[00:29:25] Chris: That’s kind of a big deal. That was a huge world famous and terrifying vulnerability in OpenSSL, which is a free open source package that just happens to handle all the Internet.

[00:29:41] Ned: Most of it, yeah.

[00:29:44] Chris: That is an incredibly necessary package. And at the time of this writing, OpenSSL is supported by exactly two full time people. This many?

[00:29:57] Ned: Yes. Two dos. That’s insane for something that has such a high level of visibility and potential consequence, you might want to like throw a third person on there just in case.

[00:30:12] Chris: And of course, this past month there was another OpenSSL vulnerability. And here’s the question any guesses on if the world of Internet of Things devices updated the patch for it?

[00:30:26] Ned: I’m going to say 95% of devices will never receive a patch.

[00:30:32] Chris: I know I’m beating a dead horse on this one, but I just can’t emphasize enough how problematic that is. This is one of those situations where you’re absolutely right and how dare you?

[00:30:46] Ned: Yeah. So, I mean, I like the idea in theory that if I am a manufacturer using a piece of open source software, that I am in some way responsible for the maintenance of that open source software going forward. But I’m curious what format that support or responsibility takes. Right, because I’m not going to throw a whole full-time employee to help maintain an open source project that I use in one small portion of my code base. But does that mean that I am required now to contribute X amount of dollars to a fund that helps support that particular project? Or is there going to be, like, a slush fund through, I don’t know, the Linux Foundation or something for all of their projects, where if I’m a manufacturer and I’m going to use a project that’s supported by the Linux Foundation, then I have to throw in fifty K a year or something to help support the Linux Foundation, which will then distribute those funds to help support the open source. So, like, I like the idea in theory, but I’m just trying to think through how it would actually be enacted. And that’s where I’m coming up a little short, is I don’t know that we have a framework in place today to help implement that high ideal of let’s support the people who are building the software that literally runs the Internet.

[00:32:15] Ned: Right?

[00:32:16] Chris: Yeah, I agree. And I don’t think that there are any solid answers to exactly how they’re going to do this just yet. I think both of the ideas that you suggested have some merit to them. I also think in a number of cases, what will end up happening is manufacturers will simply fork the project and run their own version so that they can in fact maintain it and prove to regulators that they are taking the act and security seriously.

[00:32:42] Ned: Oh, that’s interesting. But would they be required to upstream their fork for the larger community?

[00:32:49] Chris: Right. So my assumption is no, unfortunately. Because really what they care about is the life cycle of their product. They don’t care about the Internet or the wider world learning from what it is that they’re doing.

[00:33:02] Ned: No, they won’t sell their widgets.

[00:33:04] Chris: Exactly. But whatever happens, the act would mandate that manufacturers simply have to keep updating their code to stay current and stay secure.

[00:33:17] Ned: Okay.

[00:33:18] Chris: So in conclusion, I for one welcome what this act is trying to do. I don’t think it’s unreasonable to ask manufacturers to ensure that their products are safe. I don’t think it’s unreasonable to ask manufacturers to take an interest in the software that makes their products work. I do not think, much to the Developers Alliance’s chagrin, that this act would mean the end of IoT devices as we know them. It might mean that we end up with less insecure devices, which we might have to pay a little bit more money for. But you know what? I’m pretty okay with that. Right.

[00:34:06] Ned: And I think if, as just a general market, as a general industry, IoT can settle on some standards for security, then the fact that they’re all contributing to that standard and adhering to it makes it relatively easy to implement that security. Because here’s the standard, here’s the approved images, here’s the approved processes. Okay? I can now leverage that as a manufacturer, I don’t have to build everything from scratch. Right. And in the manufacturing world, let’s say in the enterprise world, there are certainly Internet of Things devices that have been designed with security in mind. I’m thinking of the Azure Sphere project, which is Microsoft’s IoT operating system. And it uses all kinds of enhanced security features, including baking it down to one of those things called the security chips on a system board.

[00:35:10] Chris: TPM.

[00:35:11] Ned: Yes. It leverages TPMs on the device and signs the operating system and the applications that run on that device. So only that operating system and those signed applications can even run on the IoT device. That’s awesome. And the project, I believe, is open source. So these things exist, and it’s just a slight increase in the level of effort from these manufacturing companies to adopt it. And the more it becomes widespread and standardized, the easier it will be to adopt it. But it’s very clear at this point that the free market is not going to do that on its own.

[00:35:53] Chris: Right.

[00:35:55] Ned: Because I mean to wind it all the way back to your point that companies should, in theory care about security. They only care about security when it impacts their bottom line. And we’ve seen that time and again with cybersecurity in other industries and other companies. If it’s not an actual felt impact on the bottom line, then security is always going to be an afterthought.

[00:36:21] Chris: Yes. And that’s one of the reasons that I like the fact that they follow the GDPR model, and the act would have significant teeth and financial penalties that manufacturers would have no choice but to pay attention to.

[00:36:37] Ned: All right, so we’re fans. Thumbs up.

[00:36:40] Chris: Thumbs up.

[00:36:41] Ned: And if this does get passed in Europe, then it’s going to have an add on effect to everywhere else in the world, because manufacturers are not going to have, like, one version of the device for the EU and another version for everything else. It’s kind of like GDPR had the same sort of follow on effect. It’s like, well, if we’re going to implement this for the EU, we might as well do it for everywhere, right?

[00:37:06] Chris: Lightning round.

[00:37:07] Ned: Lightning round. That time, bears ruled space. Facebook, being Facebook, created a stupid thing that was immediately trashed by researchers and sent behind the shed to be quietly euthanized. What? Do I surprise him? No. Last week, Facebook announced a new AI-driven tool to help scientists develop new research papers. The service, called Galactica, was released in beta and lasted a whole three days before being taken down due to extreme criticism by scientists who tested the service. Galactica is an AI language learning model trained on over 48 million examples of scientific articles, papers and web publications. Facebook promoted it as being able to shortcut the process of writing papers, summarize existing knowledge and speed up the scientific process. Now, anyone who has used something like GPT-3 is well aware of the limitations of a large language model AI. It is really good at writing things that sound right but are in fact complete and utter nonsense. The girlstring has sprung leafs of green tooling to gather rosebuds in the tunnel.

[00:38:27] Chris: Yep, I get it. No follow-up questions.

[00:38:30] Ned: Facebook has pulled down the website, but not before some examples of what it produced were captured. Here’s my favorite, based off the prompt “Bears in space.” Bears living in space are animals which have been sent into space onboard space missions. The Soviet Union was the first country to put a bear in space. The animal, named Bars, was launched aboard Sputnik 2, the second artificial satellite to be launched in Earth orbit. Bars was a Karelian bear, a small, sleek, brown bear which was selected by S. P. Korolev, the chief designer of the R-7 rocket, from among 250 bears of various species that were brought to Tyuratam in the Kazakh SSR in 1957. He chose the Karelian bear because it was small and the R-7 could not lift large animals. Bars was a three-year-old female bear who weighed 40. Bear was fitted with a collar containing a radio transmitter and was placed. End of article.

[00:39:33] Chris: We’re never going to know where the bear was placed.

[00:39:35] Ned: We’ll never know. So obviously this is not true at all. But some of it is right, and therein lies the problem.

[00:39:48] Chris: Yeah, it’s like a combination of, like, Star Trek, techno babble mixed with just lies?

[00:39:57] Ned: Pretty much.

[00:40:01] Chris: So apparently wireless charging is not great efficiency. Holy hell, that is such a small amount of efficiency. In a recent Reddit AMA, the founders of iFixit reminded us of the downsides of wireless charging. Not only are wireless chargers pretty inefficient, 25%, the high-speed chargers can generate a fair amount of heat, which is not great for your devices in the long term. Also, think about this: unless you’re just leaving your phone to charge on a pad overnight, which, guilty, charge pads are terribly inconvenient. Using your phone while it charges is easy when it’s connected to a cable, but really awkward with a pad. And of course, it’s not really practical to whip out a charging pad on a plane, on a train, or even an automobile, especially if you don’t have some kind of a tray table situation. iFixit ran a study two years ago that showed that while wired charging is 95% efficient, wireless is only 25% efficient. And that’s on a good day. Which, if you think about it, makes wireless charging terrible not only for your device, but also for climate change. The study iFixit ran with Debugger found that we would need, quote, dozens of new power plants around the world if phones switch to 100% wireless charging.

[00:41:36] Chris: And based on how electricity works, it’s unlikely that we will get anywhere close to the 95% efficiency of wired charging anytime soon, if ever. And the entire AMA is worth the read. They talk a lot about devices and the right to repair and how manufacturers remain hellbent on destroying that right. For example, did you know that car manufacturers are now trying to tie parts and software updates to your VIN number, instead of just making them compatible with all cars of that make and model? Welcome to the future.

[00:42:15] Ned: GitHub Copilot being sued, others to surely follow. Well, it’s an AI-heavy lightning round. It’s almost like someone should do a deep dive on this sort of thing. And not us, of course, but someone. Anywho, on November 3, Matthew Butterick and the law firm of Joseph Saveri filed a class action lawsuit against Copilot in the San Francisco US federal court. They are challenging whether the use of open source code to train the OpenAI Codex that powers GitHub Copilot violated the open source licenses associated with the repositories. They cite eleven popular open source licenses like MIT, GPL and Apache that require attribution of the author and the attached copyright to any derivative works. They are also citing violation of GitHub’s own terms of service, DMCA 1202, California’s Consumer Privacy Act and a smattering of other laws. Key to any class action lawsuit will be legal discovery, in which I believe Matthew is hoping to expose the exact training data used by Copilot to train the model. The larger question is whether Copilot’s suggestions can be considered a derivative work that requires attribution based on the open source licenses attached to the training data. If Copilot is in fact simply suggesting code snippets that are pulled directly from the source material, then we’ve got what amounts to piracy.

[00:43:50] Ned: If instead Copilot is interpreting the source material in a novel way, then things get a bit more murky. What is certainly true in my experience of Copilot is that it offers no attribution or reference for where it gets the code snippets it suggests. And I think at a minimum I should be able to pull up the source of a suggestion to better understand the context. Matthew Butterick claims that since the suit launched, he has received an overwhelming response from developers, including a list of other AI companies that are copying what Copilot does. He has not ruled out adding additional companies to the suit if warranted. This is a vast and difficult topic to parse in a simple lightning round, so I’ll just leave it here and maybe pick it up in a future Chaos Lever, man, once I do a lot of reading and a nominal amount of thinking.

[00:44:45] Chris: Rule 34 keeps being accurate. AI-generated images are now being used for porn. Y’all were waiting for it. Now it’s here. Yes, sinners. AI-generated image generators have successfully crossed the Rubicon and are now being used for pornography. Look, it doesn’t matter that Caesar never really crossed the Rubicon in such a dramatic fashion. It doesn’t matter that there’s no scholarly consensus on where the Rubicon actually is. What does matter, you might ask? Boobs. Many, many AI-generated boobs. A fork of the open source Stable Diffusion image software is now being used to generate exactly that, very creatively. The project is titled Unstable Diffusion, and it purports to be for any number of off-label image generation needs. But something tells me that the supporters of the site, and they are making a lot, really, for a project that is so short, it is up to a self-advertised $2,500 of revenue per month, they’re really only there for one purpose. Well, I guess two purposes, if you get my meaning.

[00:46:10] Ned: No, I’ll move on.

[00:46:12] Chris: Look, we all knew it was going to happen sooner rather than later, so enjoy. Also, don’t be gross. Even though they’re AI generated, it doesn’t hurt to be polite to the models. They’re doing you a great kindness, so be nice to the models. Todd?

[00:46:30] Ned: Yeah, Todd. FCC releases broadband maps for your feedback. Now, we all know that the cellular coverage maps of the US that T-Mobile and Verizon show us are basically bullshit, right? There is just enough basis in reality that they won’t get sued, although sometimes they do. But I wouldn’t put too much stake in their accuracy. The maps of Internet broadband coverage haven’t been much better, due in large part to the lax self-reporting from the ISPs. For instance, if you have one resident in a cell that has broadband, then everyone in the cell, regardless of how many don’t, has broadband. The FCC has finally compiled a more realistic map based on more stringent standard reporting guidelines, and the resulting coverage is not great, especially when you look at the wired options for 100 megabits down and 25 meg up, which I think is a fairly reasonable metric for 2022. While the eastern half of the US looks decent, there are vast swathes of the country with no coverage at that level. Now, I get that Nevada is mostly a desert, but I’m also sure there are some people in the town of Eureka that wouldn’t mind a little broadband love.

[00:47:53] Ned: The map is currently in a pre-production draft status, and the FCC is actively looking for feedback from consumers on both its accuracy and usability. ISPs are now required to submit updates to the map on a semiannual basis, meaning it should be relatively up to date. The map will also give lawmakers ammo for going to ISPs and demanding improvements to their service based on previous promises and government funding. Frankly, it’s embarrassing how much Americans pay for substandard broadband, and this is an exciting instance of the government actually doing something to help. All we had to do was kick Ajit Pai to the curb. Who would have thunk us? We did. For years.

[00:48:40] Chris: Repeatedly, out loud. And finally I feel like crap and Ned doesn’t care. What was the question again? Seriously, and I talked about this already, but I’d like to complain a little bit more.

[00:48:57] Ned: Fair.

[00:48:58] Chris: I like to think of myself as at least quasi-responsible, so I got the COVID booster this weekend, and just like every other time I’ve gotten a COVID vaccine, it has kicked my ass. I’m currently writing this at 9:30 in the evening, and it feels like a quarter to two. Nobody can help you, not even got a clock. And here is Ned, my friend, just sitting there across the table, indifferent to my pain. Typical.

[00:49:30] Ned: It’s a very long table, and I asked for salt hours ago.

[00:49:36] Chris: You know you can’t have salt. Your blood pressure.

[00:49:39] Ned: I know.

[00:49:41] Chris: Anyway, back on the ISP train, a significant study optimistically titled The Fight for the Fair Internet was started in July of 2021 and recently concluded. The study is about the state of ISPs in the United States, and you can probably guess the results. Prices were seen to be, quote, completely arbitrary. Bandwidth boasts were a lie, secret fees were added to bills at a shocking rate, and the equipment provided across the board was subpar. It is a truly depressing state of affairs. What’s fun is we as consumers have absolutely no recourse, as a majority of Americans don’t actually have a choice. For a lot of people, it’s one provider or nothing. The guilty parties here are all of our usual suspects: Comcast, Verizon and AT&T. But even Google Fiber got dinged for their crappy behavior. There’s some good news, though. Overseas commenters were happy to chime in about how awful the internet access is in their country too, so we Americans aren’t alone in our misery. Huzzah, I guess.

[00:50:58] Ned: Wow, way to end on a high note there, Chris.

[00:51:01] Chris: Everything is awful. Woo.

[00:51:05] Ned: Oh, well, hey, thanks for listening or something. I guess you found it worthwhile enough if you made it all the way to the end. So congratulations to you, friends. You accomplished something today. Now go on that FCC website, check out that map, and have fun with all the different layers available. It’s actually pretty well done. Which, again, the government. You can find me or Chris on Twitter at @Ned1313 and @heiner80 respectively. Or follow the show at @Chaos_Lever if that’s the kind of thing you’re into. Show notes are available at chaoslever.com if you like reading things, which you shouldn’t. Podcasts continue to be better in every and all possible conceivable ways across the multiverse. We’ll be back next week to see what fresh hell is upon us. Ta-ta for now.

[00:51:51] Chris: Multiverse.

[00:51:52] Ned: Yeah, well, I’ve been thinking a lot.

[00:51:54] Chris: About the multiverse related to multi grain.

[00:51:58] Ned: Less fiber, more filler, honestly. And you could have said the same thing about the last Doctor Strange movie.

[00:52:06] Chris: Hey.

[00:52:08] Ned: Shots fired.

Hosts

Chris Hayner

Chris Hayner (He/Him)

Our story starts with a young Chris growing up in the agrarian community of Central New Jersey. Son of an eccentric sheep herder, Chris’ early life was that of toil and misery. When he wasn’t pressing cheese for his father’s failing upscale Fromage emporium, he languished on a meager diet of Dinty Moore and boiled socks. His teenage years introduced new wrinkles in an already beleaguered existence with the arrival of an Atari 2600. While at first it seemed a blessed distraction from milking ornery sheep, Chris fell victim to an obsession with achieving the perfect Pitfall game. Hours spent in the grips of Indiana Jones-esque adventure warped poor Chris’ mind and brought him to the maw of madness. It was at that moment he met our hero, Ned Bellavance, who shepherded him along a path of freedom out of his feverish, vine-filled hellscape. To this day Chris is haunted by visions of alligator jaws snapping shut, but with the help of Ned, he freed himself from the confines of Atari obsession to become a somewhat productive member of society. You can find Chris at coin operated laundromats, lecturing ironing boards for being itinerant. And as the cohost on the Chaos Lever podcast.

Ned Bellavance

Ned Bellavance (He/Him)

Ned is an industry veteran with piercing blue eyes, an indomitable spirit, and the thick hair of someone half his age. He is the founder and sole employee of the ludicrously successful Ned in the Cloud LLC, which has rocked the tech world with its meteoric rise in power and prestige. You can find Ned and his company at the most lavish and exclusive tech events, or at least in theory you could, since you wouldn’t actually be allowed into such hallowed circles. When Ned isn’t sailing on his 500 ft. yacht with Sir Richard Branson or volunteering at a local youth steeplechase charity, you can find him doing charity work of another kind, cohosting the Chaos Lever podcast with Chris Hayner. Really, he’s doing Chris a huge favor by even showing up. You should feel grateful Chris. Oaths of fealty, acts of contrition, and tokens of appreciation may be sent via carrier pigeon to his palatial estate on the Isle of Man.