
Researchers have found a flaw in the web connectivity for Kia cars that could let a hacker take over control of some key functions. CC-licensed photo by Sean Davis on Flickr.
You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.
It’s Friday, so there’s another post due at the Social Warming Substack at about 0845 UK time.
A selection of 10 links for you. Unkeyed. I’m @charlesarthur on Twitter. On Threads: charles_arthur. On Mastodon: https://newsie.social/@charlesarthur. Observations and links welcome.
Millions of vehicles could be hacked and tracked thanks to a simple website bug • WIRED
Andy Greenberg:
»
When security researchers in the past found ways to hijack vehicles’ internet-connected systems, their proof-of-concept demonstrations tended to show, thankfully, that hacking cars is hard. Exploits like the ones that hackers used to remotely take over a Chevrolet Impala in 2010 or a Jeep in 2015 took years of work to develop and required ingenious tricks: reverse engineering the obscure code in the cars’ telematics units, delivering malicious software to those systems via audio tones played over radio connections, or even putting a disc with a malware-laced music file into the car’s CD drive.
This summer, one small group of hackers demonstrated a technique to hack and track millions of vehicles that’s considerably easier—as easy as finding a simple bug in a website.
Today, a group of independent security researchers revealed that they’d found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the internet-connected features of most modern Kia vehicles—dozens of models representing millions of cars on the road—from the smartphone of a car’s owner to the hackers’ own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any internet-connected Kia vehicle’s license plate and within seconds gain the ability to track that car’s location, unlock the car, honk its horn, or start its ignition at will.
After the researchers alerted Kia to the problem in June, Kia appears to have fixed the vulnerability in its web portal, though it told WIRED at the time that it was still investigating the group’s findings and hasn’t responded to WIRED’s emails since then. But Kia’s patch is far from the end of the car industry’s web-based security problems, the researchers say. The web bug they used to hack Kias is, in fact, the second of its kind that they’ve reported to the Hyundai-owned company; they found a similar technique for hijacking Kias’ digital systems last year. And those bugs are just two among a slew of similar web-based vulnerabilities they’ve discovered within the last two years that have affected cars sold by Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and more.
«
I thought the story sounded familiar. This seems like it will crop up repeatedly because if vehicle makers want to nickel and dime you for things like heated seats, they’ll need to be able to identify your car uniquely, which means it’s hackable in some sense.
Elon Musk hits back at UK government after he is not invited to tech summit • The Guardian
Ben Quinn:
»
Elon Musk has hit back at the UK government after he was not invited to an international investment summit following his controversial social media posts during last month’s riots.
Musk said on X on Thursday: “I don’t think anyone should go to the UK when they’re releasing convicted pedophiles in order to imprison people for social media posts.”
He seemed to be referring to the prison early release scheme, initiated by the Labour government to ease pressure on a system it has said is “on the point of collapse” due to a lack of capacity.
The billionaire owner of X has used the platform to suggest civil war in Britain is “inevitable”, and to criticise Keir Starmer as rioting broke out after disinformation spread about the killing of three children in Southport.
Ministers initially said the early release scheme would not apply to the most serious offenders, but later confirmed that prisoners who had completed a sentence for a serious crime and were serving a consecutive sentence for a lesser one would qualify. But sex offenders are excluded from the early release programme.
Musk’s latest broadside came after it emerged he is not invited to a global investment summit in Britain on 14 October. The government hopes the event will be a boost for investment in the UK two weeks before the autumn budget. Government sources confirmed Musk was not invited.
Musk took centre stage in November last year at a UK summit on AI, where the then Conservative prime minister, Rishi Sunak, played the role of a chatshow host and flattered the entrepreneur during a 40-minute in-person conversation.
«
Musk’s immaturity is quite astonishing. Steve Jobs at least had years of failure after his first stint at Apple; even that didn’t quench his self-importance. Musk, though, has never hit the utter nadir that’s needed to really get empathy for everyone else.
LAPD raid goes bad after gun allegedly sucked onto MRI machine • SF Gate
Lester Black, cannabis editor:
»
The owners of NoHo Diagnostic Center are suing the LAPD, the city of Los Angeles and multiple police officers, alleging they violated the business owners’ constitutional rights and demanding an unspecified amount in damages. Officers allegedly raided the diagnostic center, located in the Van Nuys neighborhood of Los Angeles, thinking it was a front for an illegal cannabis cultivation facility, pointing to higher-than-usual energy use and the “distinct odor” of cannabis plants, according to the lawsuit.
Officers raided the facility on Oct. 18, 2023, and detained the lone female employee while they searched the business, the lawsuit said. However, they didn’t find a single cannabis plant and only saw a typical medical facility with rooms used for conducting x-rays, ultrasounds, CT scans and MRIs, the owners said.
The officers then released the employee and told her to call a manager, the lawsuit said, while they continued to wander around various rooms of the facility. The plaintiffs say the officers’ behaviour was “nothing short of a disorganized circus, with no apparent rules, procedures, or even a hint of coordination.”
At one point, an officer walked into an MRI room, past a sign warning that metal was prohibited inside, with his rifle “dangling… in his right hand, with an unsecured strap,” the lawsuit said. The MRI machine’s magnetic force then allegedly sucked his rifle across the room, pinning it against the machine. MRI machines are tube-shaped scanners that use incredibly strong magnetic fields to create images of the brain, bones, joints and other internal organs.
An officer then allegedly pulled a sealed emergency release button that shut the MRI machine down, deactivating it, evaporating thousands of liters of helium gas and damaging the machine in the process. The officer then grabbed his rifle and left the room, leaving behind a magazine filled with bullets on the office floor, according to the lawsuit.
«
1: I so hope there is CCTV of this. 2: What idiots. 3: wasting that much helium should be a crime. 4: How remarkable that SF Gate has a cannabis editor – though of course it is legal in California.
Large language models will upend human rituals
Marion Fourcade and Henry Farrell:
»
Arthur C. Clarke wrote a story in which the entire universe was created so that monks could ritually write out the nine billion names of God. The monks buy a computer to do this faster and better, with unfortunate consequences for the rest of us: the story’s last sentence is “Overhead, without any fuss, the stars were going out.”
Rituals aren’t just about God, but about people’s relations with each other. Everyday life depends on ritual performances such as being polite, dressing appropriately, following proper procedure and observing the law. The particulars vary, often mightily, across time, space and societies. But they are the foundation of all formal and informal institutions, making co-ordination between people feel effortless. They seem invisible, only because we take them so much for granted.
…Organisational ceremonies, such as the annual performance evaluations that can lead to employees being promoted or fired, can be carried out far more quickly and easily with LLMs. All the manager has to do is fire up ChatGPT, enter in a brief prompt with some cut-and-pasted data, and voilà! Tweak it a little, and an hour’s work is done in seconds. The efficiency gains could be remarkable.
And perhaps, sometimes, efficiency is all we care about. If a ritual is performed just to affirm an organisational shibboleth, then a machine’s words may suit just as well, or even better.
Still, things might get awkward if everyone suspects that everyone else is inauthentically using an LLM. As Erving Goffman, a sociologist, argued, belief in the sincerity of others—and the ritualistic performance of that belief—is one of the bedrocks of social life. What happens when people lose their faith? A bad performance evaluation is one thing if you think the manager has sweated over it, but quite another if you suspect he farmed it out to an algorithm. Some managers might feel ashamed, but will that really stop them for long?
What may hurt even more is the “decoupling” of organisational rituals from the generation of real knowledge. Scientific knowledge may seem impersonal, but it depends on a human-run infrastructure of evaluation and replication. Institutions like peer review are shot through with irrationality, jealousy and sloppy behaviour, but they are essential to scientific progress. Even AI optimists, such as Ethan Mollick, worry that they will not bear the strain of LLMs. Letters of recommendation, peer reviews and even scientific papers themselves will become less trustworthy. Plausibly, they already are.
«
Fourcade is a professor of sociology (UCal Berkeley), Farrell a professor of democracy and international affairs at Johns Hopkins University.
Meta’s going to put AI-generated images in your Facebook and Instagram feeds • The Verge
Emma Roth:
»
If you think avoiding AI-generated images is difficult as it is, Facebook and Instagram are now going to put them directly into your feeds. At the Meta Connect event on Wednesday, the company announced that it’s testing a new feature that creates AI-generated content for you “based on your interests or current trends” — including some that incorporate your face.
When you come across an “Imagined for You” image in your feed, you’ll see options to share the image or generate a new picture in real time. One example shows several AI-generated images of “an enchanted realm, where magic fills the air.” But others could contain your face… which I’d imagine will be a bit creepy to stumble upon as you scroll.
Other examples include captions that say you can “imagine yourself” as a video game character or an astronaut exploring space. Both images appear to use a person’s photos to create an AI-generated version of them in made-up scenarios.
In a statement to The Verge, Meta spokesperson Amanda Felix says the platform will only generate AI images of your face if you “onboarded to Meta’s Imagine yourself feature, which includes adding photos to that feature” and accepting its terms. You’ll be able to remove AI images from your feed as well.
Last week, 404 Media found that using Snapchat’s AI selfie feature gives the company permission to use your face in ads seen only by you (unless you disable the option). It looks like Facebook and Instagram will similarly only show the AI-generated content to you, while sharing remains optional.
«
This is very weird. Also, you can imagine that some people are going to be vain enough that they will embrace this with delight. There’s some small text on one of the example pictures saying “Only you can see this”, which some might feel is a blessing.
Anyhow, my principal IG feed is for my dog, so let’s see how the AI copes with that.
Rail bodies investigate cyberattack at UK’s busiest stations • The Register
Connor Jones:
»
A cybersecurity incident is being probed at Network Rail, the UK non-departmental public body responsible for repairing and developing train infrastructure, after unsavoury messaging was displayed to those connecting to major stations’ free Wi-Fi portals.
The message displayed to users via a compromised Wi-Fi landing page, seen by The Register, is Islamophobic in nature and references the 2017 Manchester Arena bombings.
All 20 stations managed by Network Rail across the UK are thought to be affected, with Wi-Fi services still unavailable this morning while investigations into the root cause continue.
The stations affected include 10 in London – all the major rail hubs in the city – and other key commuter stations such as Manchester Piccadilly, Birmingham New Street, Leeds, Reading, Glasgow Central, Bristol Temple Meads, and more.
Network Rail and the British Transport Police (BTP) are on the case, with the latter telling us: “We received reports at around 1703 yesterday [25 September] of a cyberattack displaying Islamophobic messaging on some Network Rail Wi-Fi services. We are working alongside Network Rail to investigate the incident at pace.”
Network Rail’s Wi-Fi is operated by Warwickshire-based communications company Telent, which said it’s working alongside the two transport bodies to resolve the issues.
«
I’ll go with “racist script kiddie discovered how to hack the landing page” – rather than the preferred one of a couple of writers, which was “OMG IT IS NIGHTSLEEPER NOW THEY WILL HACK THE TRAINS AND SIGNALLING.” (For reference, for non-UK readers, Nightsleeper is a BBC drama whose premise is the utterly not-possible hacking of an Edinburgh-London overnight train along with all the signalling.)
Trail running and drug-testing: where do we go from here? • Trail Runner Magazine
Brian Metzler:
»
For years, trail running has had a reputation as a clean sport with a bit of a “wild west” vibe.
But the globalization of the sport, increased level of competition, more sponsorship contracts, and the advent of bigger prize purses has started to change the sport in the past decade, and with it, the concern about performance-enhancing drug use has followed.
Because there is very little authentic drug testing in trail and ultra-distance running, no out-of-competition testing and often delayed and inconsistent communication among anti-doping agencies, the sport is at a critical juncture with a growing influx of money and professionalism — especially after the results of one of the sport’s most prestigious events were tarnished by doping last year.
On January 7, Esther Chesang, the women’s winner of the 2022 Sierre-Zinal trail running race last August in Switzerland, was provisionally suspended by the Athletics Integrity Unit (AIU) after it was revealed that the 28-year-old Kenyan runner had triamcinolone acetonide (glucocorticoid) — an anti-inflammatory steroid banned by the World Anti-Doping Agency — present in her system after an in-competition drug test last May 11.
«
A follow-up on yesterday’s article about ultrarunner Camille Herron fiddling with Wikipedia – which, it turns out, has nothing on the pharmaceutical fiddling going on in the sport. (Thanks wendyg for the link.)
WordPress vs WP Engine – community drama 2024 • WPJohnny
Johnny Nguyen on the drama (which you may not have heard of) between Matt Mullenweg, whose Automattic company owns Tumblr and also runs the WordPress open source project, and a company called WP Engine, with which Mullenweg is having a verbal fight:
»
I suspect this fight isn’t a matter of principle and values, but rather of personal conflict. On the WordPress side, we have Matt Mullenweg who’s done a good job of expressing his views as being his views alone. But on WP Engine’s side…it’s Lee Wittlinger, managing director for Silver Lake who oversees the WP Engine brand.
If I had to guess, this probably came down to Matt wanting more financial support from brands who profit off the WordPress space. And/or also wanting more development support. Perhaps feeling certain things should not have to be managed or developed by WordPress core. And he wanted the big commercial companies in the WordPress space (the ones who profit the most from it) to help contribute to improving WordPress, perhaps maximizing its features and compatibility with 3rd-party extensions. Except only, maybe WP Engine did not lend their help to the degree of Matt’s liking.
And he decided to write them off, and officially end ties with them. Clarifying any mis-affiliations between WordPress and WP Engine moving forward, making clear they aren’t the same. That WP Engine isn’t an official WordPress entity and should not be allowed to profit off it.
• Publicly, WP Engine released a post showing how much contributions they’ve given to the WordPress community in the form of event sponsorships, developing extensions and frameworks.
• Privately, WP Engine opened legal action against WordPress…presumably to defend its brand and probably seek monetary damages for Matt’s statements.
«
I have tried reading a few takes on this topic, and this one delivers it best. I honestly don’t get Mullenweg’s complaint. The whole thing about OSS is that you can’t stop others using it as they want, including making tons of money. Nor can you force them to contribute back. If you want that, you need a different licence. (Thanks Caleb for the link.)
Though Mullenweg has now blocked WP Engine from accessing WordPress resources (eg themes and plugins). Taste for drama.
X’s first transparency report since Elon Musk’s takeover is finally here • WIRED
Vittoria Elliott:
»
Comparing the 2021 report to the current X transparency report [released earlier this week] is a bit difficult, as the way the company measures different things has changed. For instance, in 2021, 11.6 million accounts were reported. Of this 11.6 million, 4.3 million were “actioned” and 1.3 million were suspended.
According to the new X report, there were over 224 million reports, of both accounts and pieces of individual content, but the result was 5.2 million accounts being suspended.
While some numbers remain seemingly consistent across the reports—reports of abuse and harassment are, somewhat predictably, high—in other areas, there’s a stark difference. For instance, in the 2021 report, accounts reported for hateful content accounted for nearly half of all reports, and 1 million of the 4.3 million accounts actioned. (The reports used to be interactive on the website; the current PDF no longer allows users to flip through the data for more granular breakdowns.)
In the new X report, the company says it has taken action on only 2,361 accounts for posting hateful content.
But this may be due to the fact that X’s policies have changed since it was Twitter, which Theodora Skeadas, a former member of Twitter’s public policy team who helped put together its Moderation Research Consortium, says might change the way the numbers look in a transparency report. For instance, last year the company changed its policies on hate speech, which previously covered misgendering and deadnaming, and rolled back its rules around Covid-19 misinformation in November of 2022.
“As certain policies have been modified, some content is no longer violative. So if you’re looking at changes in the quality of experience, that might be hard to capture in a transparency report,” she says.
«
Even so, it’s quite a change. Far fewer active users, but an absolutely dramatic drop in the number of accounts removed. Hatefulness is totally permissible now, it seems. Hilariously, Musk’s Twitter has blocked links to a dossier about JD Vance allegedly obtained by hacking. After all the fulminating about the blocking of links to stories about Hunter Biden’s laptop? The hypocrisy is stratospheric.
LG Smart TVs, including OLEDs, now show screensaver ads • FlatpanelsHD
Rasmus Larsen:
»
Almost a decade ago, ads began creeping onto user interfaces on our TVs. Initially appearing as paid placements (“recommendations”), the initiative has since expanded to include large ad carousels at the top of the screen and full-screen ads that take over your screen.
While reviewing LG’s latest high-end G4 OLED TV (review here), FlatpanelsHD discovered that it now shows full-screen screensaver ads. The ad appeared before the conventional screensaver kicks in, as shown below, and was localized to the region the TV was set to.
We saw an ad for LG Channels – the company’s free, ad-supported streaming service – but there can also be full-screen ads from external partners, as shown in the company’s own example below.
The ad we saw was muted, but it is unclear if this will remain the case. We observed the ad on a 2024 LG model, but there are no indications to suggest that it will be exclusive to new LG Smart TVs.
Digging a little deeper, we discovered that the initiative is spearheaded by LG Ad Solutions, the company’s division for “connected TV (CTV) and cross-screen advertising”.
The announcement (link) about screensaver ads on LG Smart TVs makes it sound as if the advertising team’s priorities now overshadow those of LG’s webOS team.
«
Advertising, like gambling, corrodes everything it touches.
Errata, corrigenda and ai no corrida: none notified
There’s something very strange about this Vance Dossier story. I skimmed through the dossier, and it’s dreadfully dull. It’s like an interminably long blog post from one of the Very Online liberal politics sites. As in, the types which go on and on about: “Vance said this about issue X years ago, HE’S A HYPOCRITE! And he previously favored Y on that topic, WHAT A FLIP-FLOPPER! And take a look at another policy stance he had, CAN YOU BELIEVE IT?”. In contrast, Hunter Biden’s scandals literally have “hookers and blow”, as well as shady foreign companies, with insinuations of corruption. One can readily understand why some Democratic operatives would want to suppress it, it makes for entertaining reading at least. In contrast, I can see an argument for pundits actually reading this Vance stuff as even being helpful for Republicans, since it potentially fuels media storylines of Vance not being personally extremist and secretly moderate.
Now, anything is possible, I’m bad at politics. But I have a hard time seeing the Dossier as material which high-level Republican party operatives would want suppressed. It’s just not in the same universe as the Biden laptop stuff. Maybe this is some sort of fake-out, try to have it suppressed to get it into the news cycle, a “Banned in Boston” PR tactic.
I understand that everyone on the anti-Trump side wants an opportunity to chant “Down with the Great Musk Satan!”. But I wish someone would investigate what happened as a story itself (though the results might be impossible to find amidst all the noise of that chanting).
I think the story about the boring part of the dossier is that they didn’t view him as a potential presidential candidacy rival and so were just looking for policy positions where he might be taken on if, maybe, he spoke up against Trump in Congress?
Anyhow the hypocrisy of Musk over this is hilarious.