In this episode, we discuss how Google is improving Android security with Rust, significantly reducing memory-related vulnerabilities and enhancing developer productivity. We also dive into NIST's latest revision of its Digital Identity Guidelines, a crucial standard for protecting digital identities. Next, we explore the ongoing feud between WP Engine and Matt Mullenweg, which is impacting WordPress users. Finally, we touch on the latest legal development where authors suing OpenAI are granted access to the company’s training data for inspection.
Links:
- Android Is Gathering Rust: https://www.theregister.com/2024/09/25/google_rust_safe_code_android/
- NIST Releases Second Draft Revision 4 of Digital Identity Standard: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-4.2pd.pdf
- WP Engine Spat with Matt Mullenweg Prat: https://techcrunch.com/2024/09/25/wordpress-org-bans-wp-engine-blocks-it-from-accessing-its-resources/
- OpenAI’s Training Data To Be Made Available To Search By Authors Who Are Suing Them: https://www.theregister.com/2024/09/26/openai_training_data_author_copyright_case/
[00:00:00.00]
Announcer: Welcome to Tech News of the Week with your host, a slightly judgmental bowl of cream cheese.
[00:00:07.07]
Ned: Welcome to Tech News of the Week. This is our weekly Tech News podcast, where Chris and I talk about four interesting articles that caught our attention. Somehow I'm going to go first? Sure, let's do that. Don't shake your head at me. I see you. Android is gathering rust, and that's a good thing. Google has revealed that a study tracking the adoption of safe coding practices, that's capital S and capital C for safe coding, has reduced the number of vulnerabilities in code and increased developer productivity. Specifically in the world of Android, the use of memory-safe language Rust has reduced memory-related vulnerabilities from 76% in 2019 to 24% in 2024. For note, the industry average is 70%, which is still way too high. Developers are also finding bugs earlier in the code writing process, which tends to increase velocity and lower the need for emergency rollbacks. That's not to say that languages like C and C++ are being eradicated from the code base. However, new code contributions are expected to use a memory-safe language. The researchers from the study claimed that the impact of vulnerabilities from existing code diminishes over time in an exponential fashion, so they are less focused on rewriting older code and more on ensuring new contributions follow the safe coding standards.
[00:01:34.09]
Ned: While Android is the poster child for this effort from Google, it is also part of a larger movement towards memory-safe languages, recommended by the US Cybersecurity and Infrastructure Agency and several cyber security groups from other countries. One can only hope that Google would start applying the same security rigor to the Play Store apps, but alas.
[00:01:57.14]
Chris: NIST. This is the second draft revision for version 4 of the Digital Identity Standard.
[00:02:06.21]
Ned: Part 2.
[00:02:10.14]
Chris: From the "This is the most research I have ever done for a... crap, we never made an acronym for this. Tech News of the Week. Tunitnow? Sure. Not Now. No, that sounds negative. We'll work on it" department, the National Institute of Standards and Technology has been working on a standard for defining and protecting digital identities from, well, it depends on how you start counting, actually, but we can say at least as far back as 2004, when they released the initial version of 800-63 entitled Electronic Authentication Guideline. We are now up to 800-63 Revision 4, and it's got the snazzy new name, Digital Identity Guidelines. The general idea of all of these standards documents is that they evolve with the times, which I know sounds like a contradiction in terms, considering NIST is a government entity. But anyway, the goal is to establish consistent policies around technologies, process, systems, etc. These generally become mandatory for the federal government and people that work with the federal government's IT footprint, but they usually end up also being part of everybody else's as well in some form or another. The question that this one wants to answer is simple.
[00:03:35.02]
Chris: A digital identity being defined as a unique relationship between a person and an online service. A person may have multiple digital identities, and the mapping of that digital identity to a person may or may not be knowable, aka anonymous or pseudo-anonymous. In light of all that, how do organizations and people keep digital identities secure? Okay, so now that I think about it, maybe it's not that simple. But that's also probably why the standard is 96 pages long. It is freely available for review, and the public comments period is open until October seventh, so you still have time to tell NIST about it if anything in the standard makes you feel some way. Happy reading.
[00:04:20.25]
Ned: WP Engine spat with Matt Mullenweg prat. I don't actually have a strong opinion on Matt Mullenweg, but a snappy headline is irresistible. WordPress is one of the most popular publishing platforms for websites, powering about 40% of all websites on the internet. I didn't realize that. That is way more than I would think. While WordPress itself is open source and available to be deployed by anyone, most people find it easier to let a WordPress hosting service do the heavy lifting. Two such hosting providers are in a bit of a feud right now, namely WP Engine and It just so happens that the CEO of Automattic is Matt Mullenweg, who also is the co-creator of WordPress, and he doesn't like WP Engine very much, calling it a cancer to WordPress. Matt claims in a blog post that WP Engine confuses customers by using the WP initials and that they do not sufficiently contribute back to the open source project, and thus he is demanding that they either contribute more hours or give him millions of Cool, cool, cool. WP Engine answered back by sending a cease and desist letter to Matt and Automattic to retract these statements and demands, to which Matt has now responded by cutting off WP Engine's access to key WordPress services, in particular, themes and plugins.
[00:05:51.19]
Ned: Sure enough, existing and new WP Engine sites will no longer be able to install new plugins and themes or update their existing ones. The online backlash has been immediate and mostly against Mullenweg, who folks rightly point out that this move disproportionately punishes end users who are not really part of the fight. To quote one redditor, "We work hard to convince large organizations that WordPress is enterprise-ready, and Matt's outbursts send the absolute wrong message about that." So maybe my prat headline wasn't so uncalled for after You're out of focus again.
[00:06:33.14]
Chris: What is going on?
[00:06:35.16]
Ned: Well, if you would just turn off automatic focus, you'd be fine.
[00:06:39.19]
Chris: It's supposed to follow. Oh, I know why. It's because of the reflection in the glasses.
[00:06:45.07]
Ned: Well, if you just stop wearing glasses, you'd be fine.
[00:06:48.28]
Chris: Then I won't be able to read.
[00:06:51.03]
Ned: Even better.
[00:06:55.00]
Chris: Anyway, OpenAI's training data to be made available to search by authors who are suing OpenAI.
[00:07:01.12]
Ned: All right.
[00:07:02.19]
Chris: You might have heard of OpenAI and their ChatGPT product. It and other LLMs like it have been a big deal over the past few years. Not all the news about them was good. For OpenAI in particular, as one of the first and most enduring controversies about it has been, what in the world do we as a society do about the training data situation? What data should they be allowed to How did they even get that data in the first place? Well, in 2023, OpenAI and others were sued by authors who claimed that OpenAI downloaded thousands upon thousands of copyrighted books from pirate e-book repositories and then began using that material to train AI products. Among other things, this particular suit claims that OpenAI is guilty of vicarious copyright infringement, violation of the Digital Millennium Copyright Act, which I forgot was a thing, and I felt good about it for a while. Unfair competition, negligence, and unjust enrichment. OpenAI has, of course, been fighting these charges, primarily by attempting to state that what they're doing is protected under fair use, claiming in 2023 that, "Each of those ChatGPT outputs would simultaneously be an infringing derivative of each of the millions of other individual works contained in the training corpus, regardless of whether there are any similarities between the output and the training works."
[00:08:34.26]
Chris: Which, yeah, obviously, guys, that's the whole point of this fight. This week, a judge ruled that the plaintiffs will be able to search OpenAI's training data directly, which ought to be interesting. Now, there are restrictions. The plaintiffs will only be able to search on a single computer at OpenAI's headquarters. It will not have Internet access, and they will not be allowed to carry any electronic devices in. Also, OpenAI's legal team will be allowed to inspect any notes made by the plaintiffs while they do their investigation. Of course, we on the outside have absolutely no idea about anything when it comes to this data, including what format it's in or if it's even remotely human-readable. So let's hope that Stephen King et al. are super tech savvy because I am sure OpenAI isn't super inclined to help any of the plaintiffs understand what it is that they're actually seeing.
[00:09:36.22]
Ned: We've rendered the entire corpus in pig latin, translated to German, and then retranslated to Japanese. Good luck.
[00:09:44.14]
Chris: Also, the font is wingdings. You can't change it.
[00:09:47.13]
Ned: All right, that's it. We're done now. Go away. Bye.