10 interesting stories served every morning and every evening.

Swipe left to beginPress right arrow to begin

Meta scales back plan to track workers' clicks and keystrokes to train AI

www.bbc.com

652 shares · 59 trendiness

Meta workers can opt out of being tracked at work - but only for half an hour at a time

13 hours ago

Laura Cress,technology reporterand

Osmond Chia,business reporter

Getty Images

Meta is scaling back its plan to start tracking its employees’ computer activity, according to an internal memo sent on Tuesday.

In April the company received criticism from its own staff after it announced a new tool would log their keystrokes and mouse clicks to train its AI models.

Now, according to Reuters, new controls will allow employees to pause the data collection for “up to 30 minutes at a time” as well as request exemptions from the initiative altogether.

Meta declined to comment on the record.

It follows weeks of backlash from employees, including some who started a petition against the move which now has more than 1,500 signatures.

During the initial announcement of the tool, called the Model Capability Initiative (MCI), Meta told the BBC: “If we’re building agents to help people complete everyday tasks using computers, our models need real examples of how people actually use them.”

It added that the data was “not used for any other purpose,” and the tool had “safeguards in place to protect sensitive content”.

But workers were not impressed, with one Meta employee, who asked not to be identiﬁed, telling the BBC that having their actions train AI models felt “very dystopian” - as workers expected a slew of additional job cuts.

Another person who recently left the company told the BBC the tracking tool was “just the latest way they’re shoving AI down everyone’s throat”.

An internal memo - seen by Reuters - was reportedly authored by Stephane Kasriel, a vice president in Meta’s Superintelligence Labs unit.

In it, he said the team behind the MCI had introduced “several optimizations” to reduce its impact on laptop battery life.

This change came after reports that employees were ﬁnding the tool consumed so much data it was causing their internet usage to surge when working from home.

“While we remain conﬁdent in the privacy protections we put in place at launch, which went through several layers of risk review, we have heard your concerns about personal data on work devices, battery life, and wanting more control over when capturing happens,” Kasriel said in the memo.

Read more Read the original on www.bbc.com →

Read the original on www.bbc.com →

1-Click GitHub Token Stealing via a VSCode Bug

blog.ammaraskar.com

632 shares · 29 trendiness

Just by clicking a link, it’s possible for an attacker to steal a GitHub token that can read and write to your repos, including private ones.

Table of Contents

Background

VSCode Webview Security Model

The Bug

PoC and Protecting Yourself

What VSCode Did Well

Why Full Disclosure

Timeline

Background

Did you know GitHub has this really cool feature called github.dev?

On any repository you have access to, if you can change the url from github.com to github.dev or you click this little menu item:

You’ll be launched into a little light-weight version of VSCode that runs entirely in your browser (I guess that’s one advantage of having your app written with electron).

This browser instance of VSCode is pretty powerful, you can view all the ﬁles in the repo (even if it’s a private one), you can send out pull requests and even make commits.

This functionality is achieved by github.com POSTing over an OAuth token to github.dev that allows it to interact with GitHub on your behalf. The token is not scoped to the particular repo you interacted with, meaning it has full access to every other repo that you have access to.

The presence of this token and the fact that this web-app is running almost the entire brunt of VSCode’s million line Typescript codebase makes it a great target for anyone looking into VSCode bugs. That sort of bug is what we’ll explore here and show how an attacker can use it to exﬁltrate your GitHub token.

VSCode Webview Security Model

Being an electron app on the desktop, executing arbitrary Javascript inside of VSCode would be tantamount to full remote code execution. This is why VSCode implements some sandboxing approaches, the one we’ll focus on here is VSCode’s webviews.

Webviews use an <iframe> with a different origin to the main VSCode window to ensure that any JavaScript executed inside of them is fully isolated. These webviews are used for features such as Markdown previews or editing Jupyter notebooks:

The output of the cell is rendered into an <iframe> from the origin vscode-webview://…, as opposed to the main electron window which has the origin vscode-ﬁle://…. This means that even if the Jupyter notebook uses the built-in features of displaying HTML or using Javascript for interactive widgets, the actual core VScode application is protected from it. One cannot use Electron’s integration with Node.js APIs inside this iframe or call into VSCode’s APIs from this frame.

Great, that gives us the ability to render content, but just static content is boring. How do we implement features like having the Markdown preview show you which source line you currently have highlighted or updating the preview live as we edit it?

The same cross-origin policy that gives us security also prevents our main editor window from interacting with the DOM in the vscode-webview://… frame. After all, you wouldn’t want someone who used an <iframe src=“google.com”> to be able to interact with the google page to steal your cookies or change that website’s behavior.

> document.getElementsByTagName(‘iframe’)[0].contentWindow.ﬁndElementById(‘foo’) Uncaught SecurityError: Failed to read a named property ‘ﬁndElementById’ from ‘Window’: Blocked a frame with origin “vscode-ﬁle://vscode-app” from accessing a cross-origin frame.

The only way to allow this behavior is to have the two web pages in the different origins cooperate with each other using the Window.postMessage() API. This method allows sending JavaScript objects across the different windows. So in that example of showing which rendered Markdown line corresponds to what editor line, the main editor window posts a little message like this:

{ type: “onDidChangeTextEditorSelection”, line: 31 }

and then the corresponding code running inside of the webview has a listener for this message that adds the highlight:

window.addEventListener(‘message’, async event => { const data = event.data as ToWebviewMessage.Type; switch (data.type) { … case ‘onDidChangeTextEditorSelection’: marker.onDidChangeTextEditorSelection(data.line, documentVersion); return;

Note: VSCode in the browser uses a similar sandboxing model. VSCode developer Matt Bierner has a great blogpost about the challenges of porting it over from Electron worth checking out.

The Bug

So our security boundary for webviews roughly looks like this:

but in terms of UI, our webview sits right here in the window. People expect basic things like clicking links, drag and or pressing Ctrl+F to work inside of them:

Hence, VSCode implements a bunch of basic functionality through the message passing mechanism to enable these features. Speaking of keyboard shortcuts, the astute reader who has dealt with <iframe>s may have already picked up on the issue.

As with most things cross-origin, the browser offers a good amount of isolation between the two frames. If you had a page on hackerman.com and you iframed google.com/login, you would not want the hackerman page to be able to attach a keyboard listener onto the iframe. That would let them see all your keystrokes on google.com, allowing them snoop your password.

Okay given that information, try clicking inside a VSCode webview and then pressing Ctrl+Shift+P to bring up the command palette.

Oh yay, that works. Wait. Oh. Oh no. So, to avoid the terrible user experience of your keyboard shortcuts not working when you happen to be clicked inside of a webview, the default set of webview message handlers have an event called did-keydown. When you load a webview, the following code runs inside the webview to register a handler for it:

contentWindow.addEventListener(‘keydown’, handleInnerKeydown);

/** * @param {KeyboardEvent} e */ const handleInnerKeydown = (e) => { // … hostMessaging.postMessage(‘did-keydown’, { key: e.key, keyCode: e.keyCode, code: e.code, shiftKey: e.shiftKey, altKey: e.altKey, ctrlKey: e.ctrlKey, metaKey: e.metaKey, repeat: e.repeat }); };

How convenient, so webviews just bubble up keydown events so the main VSCode window can treat them seamlessly as user keyboard events.

But…there’s nothing preventing our script running in the untrusted web view from pretending like it’s the user and pressing a bunch of keys on their behalf.

We could, say, bring up the command palette and start running dangerous commands such as installing an attacker-controlled extension. All we’d need is a bit of javascript that emits the correct events to simulate the keystrokes…

Ctrl+Shift+P

developer: install extension from location

Enter

Enter

In reality it’s not quite that simple. While we can certainly send the keydown events corresponding to that sequence, the browser will not treat it as if it’s the user typing it in. So VSCode will pop up the command palette but unless VScode is intercepting all keydown events to handle each character being typed manually, our events will not actually type text into the palette. Unfortunately, in this case here, it is not listening to keydown events, the command palette widget just uses an HTML <input> tag.

We can scroll up and down in the command palette if we emit up-arrow ↑, down-arrow ↓ presses and can press Enter to select commands but arbitrary keystrokes are off the table.

Luckily, VSCode comes with a massive set of default keyboard shortcuts, all of which listen directly on keydown that we can try to make use of. After a bunch of tinkering, the easiest way I found is to make use of the “Notiﬁcations: Accept Notiﬁcation Primary Action” action. This default keybind of Ctrl+Shift+A will hit the primary button on whatever notiﬁcation popped up last in VSCode.

Which notiﬁcation are we accepting?

VSCode has this feature where your workspace can recommend extensions by putting them in a ﬁle called .vscode/extensions.json that looks something like

{ “recommendations”: [ “HackerMan.my-malicious-extension” ] }

And then we can use Ctrl+Shift+A to accept that notiﬁcation and install the malicious extension giving us full code execution? Shrimple as?

Again, not quite, VSCode as of 1.97 has this new publisher trust system whereby installing an extension from a new publisher for the ﬁrst time gives you this dialog, even if we hit the Install button in that notiﬁcation:

While we can send Tab key presses to navigate the buttons here, pressing Enter on the Trust Publisher & Install button is impossible as it listens for keydown events specifically on the button and not the entire window.

Instead, we can make use of another VSCode feature called local workspace extensions. As long as you are inside of a trusted workspace (which github.dev/web workspaces always are), then it’s possible to install an extension directly present in .vscode/extensions. Extensions installed in this way skip the trusted publisher check with the trusted workspace check acting as the trust check. So now we can just put our evil payload in .vscode/extensions/extension.js and execute our own code, right?

Well almost, doing this causes a Content Security Policy (CSP) error because the extension worker that loads extensions is expecting them to be from vscode-cdn.net. Local workspace extensions probably weren’t well tested with the web version of VSCode.

This is just a small hiccup though, one of the things that extensions can do as part of their package.json is to contribute extra keybindings to VSCode. Since we can reliably trigger keybindings, we can just add a keybind for whatver VSCode command we want. Such as…installing an extension while skipping the trusted publisher check. So our package.json ends up looking like this to call into workbench.extensions.installExtension while skipping the publisher trust check.

“contributes”: { “keybindings”: [ { “key”: “ctrl+f1″, “command”: “runCommands”, “args”: { “commands”: [ { “command”: “workbench.extensions.installExtension”, “args”: [ “AmmarTest.hello-ammar-github”, { “donotSync”: true, “context”: { “skipPublisherTrust”: true } } ] } ] } } ] }

To put it all together, what we need is a repo with a Jupyter notebook and a local workspace extension. The Jupyter notebook needs to execute a little bit of Javascript which we can do with a markdown cell containing the following:

For our Javascript payload, we need to do the following:

Wait a little bit for VSCode to pop-up asking us if we want to install the recommended extensions.

Emit a keydown event for Ctrl+Shift+A to accept the notiﬁcation.

Wait a little bit for the extension to install and active, putting in our custom keybind.

Emit a keydown event for Ctrl+F1 triggering the installation of our chosen extension.

This payload ends up looking like:

// Wait for VSCode to load and pop open the notiﬁcation. await sleep(10 * 1000);

// ctrl+shift+a, accept the primary notiﬁcation asking if we want to install // the recommended extension window.dispatchEvent( new KeyboardEvent(“keydown”, {key: “a”, code: “KeyA”, keyCode: 65, ctrlKey: true, shiftKey: true}) ); // Wait a little for the extension to install… await sleep(500);

// ctrl+f1, the custom keybind to install the chosen extension. window.dispatchEvent( new KeyboardEvent(“keydown”, {key: “F1″, code: “F1”, keyCode: 112, ctrlKey: true}) );

PoC and Protecting Yourself

Now that we’ve seen the details, let’s take a look at the proof-of-concept. For the bravest among you, go ahead and just directly click:

https://github.dev/ammaraskar/github-dev-token-steal-poc/blob/main/README.ipynb

This will launch the github.dev editor directly to the notebook. You’ll see a little status message of what the Javascript payload is doing.

Once the payload runs, the newly installed extension will grab your GitHub API token and then query https://api.github.com/user/repos to get private repos you have access to. It then prints them out and your token in a little information box.

The code for both the repos used is here:

Installed extension: https://github.com/ammaraskar/vscode-github-token-grab-extension/blob/main/src/extension.ts

Notebook JS: https://github.com/ammaraskar/github-dev-token-steal-poc/blame/main/README.ipynb

If you run the PoC, remember to either clear your github.dev data (see below) or at the very least uninstall the proof-of-concept extension otherwise it will follow you on all github.dev pages.

This vulnerability also exists in the desktop version of VSCode, though it’s a bit harder to exploit since you would need to convince the victim to clone your repo and open the notebook with the webview script payload. Of course, if you had some other XSS in a webview that you can get a victim to open, you get effectively full RCE on their computer.

Protecting Yourself

By a stroke of luck, if you have never used github.dev in the past, there is one dialog to click through when landing on the website. This didn’t used to happen before but some changing of VSCode’s GitHub plugins has caused this.

This means that if you clear your cookies and local site data for github.dev, you can take action and navigate away from the page if someone tries to use this attack on you. I strongly recommend you clear site data for github.dev, in Chrome this can be done by clicking the little icon in the URL bar, clicking Cookies and site data > Manage on-device site data.

and then deleting data for all the domains with the trash can icons:

Unfortunately, if you’ve ever been past that dialog on github.dev and haven’t cleared your browser’s local storage, you’re completely screwed. There are no CSRF tokens or anything for github.dev so any link on the internet can redirect you to this attack.

What VSCode Did Well

VSCode’s approach of not just solely relying on the <iframe> but using defense-in-depth security measures like a strict Content Security Policy and using DOMPurify for rendered markdown pays dividends here. If there was a way to execute arbitrary Javascript inside the Markdown preview shown on an extension’s page, you can imagine how this vulnerability could have even more impact (1-click RCE on desktop by linking someone your extension). However, by using script-src ‘none’ this is effectively nipped in the bud.

Why Full Disclosure?

To summarize the last time I interacted with MSRC regarding reporting a VSCode bug, it was a horrible experience where they silently ﬁxed the bug I pointed out without any credit. They also marked it as not having any security impact. As I mentioned in that post, going forward I would be doing full public disclosure for any security bugs I found in VSCode. Taking a look at a recent report by Starlabs on a VSCode XSS bug marked as ineligible and low severity, it doesn’t look like MSRC has gotten any better about VSCode bugs.

I’m sure the VSCode team would have appreciated a longer heads up on this to come up with solutions. There is legitimately a UI/UX balance here that needs to be struck with the security concerns. To those folks, I am sorry, but this is one of the few levers I have to try to inﬂuence MSRC and the security posture of VSCode. Finding and fully developing security bugs into proof-of-concepts like this takes time and effort on the part of security researchers that should not be disrespected or taken for granted.

Timeline

Jun 2, 2026 - An hour before posting I gave a heads up to an old contact at GitHub security that I would be disclosing this bug.

Jun 2, 2026 - I disclosed the bug here and on the VSCode issue tracker.

Jun 3, 2026 - Microsoft applies a stopgap ﬁx by adding a conﬁrmation when opening notebooks in web VSCode and not allowing trusted publisher to be skipped by commands.

Read more Read the original on blog.ammaraskar.com →

Read the original on blog.ammaraskar.com →

Introducing Gemma 4 12B: a unified, encoder-free multimodal model

blog.google

626 shares · 83 trendiness

Jun 03, 2026

Gemma 4 12B is designed to bring high-performance multimodal intelligence directly to your laptop, combining mobile-ﬁrst efﬁciency with advanced reasoning.

Olivier Lacombe

Director of Product Management, Google Deepmind

Gus Martins

Product Manager, Google DeepMind

Your browser does not support the audio element.

Listen to article

This content is generated by Google AI. Generative AI is experimental

[[duration]] minutes

Today, we are introducing Gemma 4 12B, our latest model designed to bring agentic multimodal intelligence directly to laptops. Bridging the gap between our edge-friendly E4B and our more advanced 26B Mixture of Experts (MoE), Gemma 4 12B packages powerful capabilities inside a reduced memory footprint. It is also our ﬁrst mid-sized model to feature native audio inputs.

Thanks to the developer community, Gemma 4 models have now crossed 150 million downloads. You’ve built everything from wearable robotic arms for physical assistance to enterprise-grade AI security. We’re excited to see what you build with this latest addition.

Here’s an overview of what makes Gemma 4 12B unique:

Novel uniﬁed architecture: No multimodal encoders. The vision and audio inputs ﬂow directly into the LLM backbone.

Advanced reasoning: Benchmark performance nearing our 26B model, unlocking powerful multi-step reasoning and agentic workﬂows.

Laptop ready: Small enough to run locally with just 16GB of VRAM or uniﬁed memory.

Open and accessible: Released under an Apache 2.0 license with support across the developer ecosystem.

Drafter-ready: Gemma 4 12B comes equipped with Multi-Token Prediction (MTP) drafters to reduce latency.

Together, these features bring advanced multimodal capabilities to everyday hardware without sacriﬁcing speed or reasoning. Let’s now take a closer look at how Gemma 4 12B achieves this.

Run state-of-the-art agents locally

Gemma 4 12B delivers performance nearing our larger 26B MoE model on standard benchmarks, but at less than half the total memory footprint. Small enough to run locally on consumer laptops with 16GB of RAM, it unlocks powerful multimodal and agentic experiences right on your machine.

Experience a uniquely efﬁcient, uniﬁed architecture

What makes Gemma 4 12B stand out is its streamlined approach to processing visual and audio inputs. Traditional multimodal models typically rely on separate encoders to translate images and audio before passing those representations to the language model. Because these split encoders add latency and increase memory usage, we trained Gemma 4 12B with an encoder-free architecture to integrate audio and vision input directly.

Here is how Gemma 4 12B processes multimodal inputs natively:

Vision: We replaced Gemma 4’s vision encoder with a lightweight embedding module consisting of a single matrix multiplication, positional embedding and normalizations. This allows the LLM backbone to take over visual processing.

Audio: We simpliﬁed audio processing even further. We removed the audio encoder entirely and projected the raw audio signal into the same dimensional space as text tokens.

For developers who want a breakdown, head over to our companion Gemma 4 12B Developer Guide.

Get started today

Try it yourself: Experiment with a couple of clicks in LM Studio, Ollama, Google AI Edge Gallery App, the Google AI Edge Eloquent app and the LiteRT-LM CLI

Download the weights: Download the pre-trained and instruction-tuned checkpoints directly from Hugging Face and Kaggle.

Integrate & learn: Review the developer documentation and the quick start notebook.

Use your favorite development tools: Implement local inference pipelines with Hugging Face Transformers, llama.cpp, MLX, SGLang, and vLLM, or ﬁne-tune with efﬁciency using Unsloth.

Unlock Agentic Development with Gemma Skills: To support agents to build with the latest Gemma advancements, we are releasing our ofﬁcial Skills Repository. This is a library of skills designed specifically to enable agents to build with Gemma models.

Deploy your way: Spin up endpoints in production using Google Cloud. Deploy your way through Gemini Enterprise Agent Platform Model Garden, Cloud Run and GKE.

Pwnd Blaster: Hacking your PC using your speaker without ever touching it

blog.nns.ee

623 shares · 48 trendiness

In my last post, I talked about reverse engineering my new Creative Sound Blaster Katana V2X’s ﬁrmware.

What initially started as simply wanting to write a Linux tool for communicating with my speaker ended up with me discovering vulnerabilities which allow any attacker within a ~15M range of any Katana V2X to turn it into a covert spying tool and Rubber Ducky - all without ever having to pair with or physically touch the device.

CTprotocol background

As I explained in my previous post, the Katana V2X is a USB-connected PC sound bar. Being USB-connected, Creative has an app which allows you to change the settings of the speaker - the DSP, the LED conﬁguration, the output source, and so on.

To do this, they use a custom protocol called CTP (short for Creative Transport Protocol would be my guess). Basically, it seems to be a fairly simple proprietary protocol for sending various commands and reading the responses to that. I won’t go into much detail here, but if you’re interested, I described how it works in my last post.

What’s important to note, however, is that in order to do anything with CTP over USB, you ﬁrst have to do challenge-response authentication with the device. The key is static and can be derived from the binaries that ship with the Creative App, and I’m unsure why this is even the case, but the speaker won’t accept any commands until you’ve performed authentication. Fine.

Another thing that’ll become important later is that ﬁrmware updates are also performed over CTP. That’s how I initially got my hands on a ﬁrmware image - I sniffed the USB trafﬁc using Wireshark and extracted the data from the captures.

Firmware analysis

The ﬁrmware container, which is also proprietary but is essentially a primitive Zip ﬁle, contains three parts that are of significant value.

First, there’s FBOOT, which I previously presumed to be a bootloader (hence the name), but also contains a sort of recovery mode for the speaker. This recovery mode can be entered by holding down the SOURCE button while powering the device on, and allows you to recover from a bad state. This saved my device from being bricked many times, which I’m pretty grateful for.

The second part is FMAIN, which is the main ﬁrmware of the device. This runs when you boot the device “normally”. While FBOOT implements a lot of the same functionality as FMAIN (they both handle CTP commands, for example), FMAIN is about ~6.5x larger than FBOOT.

Both FBOOT and FMAIN are based on a (fairly heavily-modiﬁed) version of FreeRTOS, as hinted by a string present in the binaries: /home/jieyi/mcuos2.5/kernel/freertos-8.2.3/.

The last part of note is CHK2, which is a SHA-256 checksum over the entire ﬁrmware container appended to the very end.

While not exactly shocking, considering the amount of effort that went into CTP authentication, I was a bit surprised to see that besides this CHK2 SHA-256 checksum, which was trivial to patch, there was no other protection in place for ﬂashing ﬁrmwares. I would’ve expected to ﬁnd signature checks here or at the very least a hashsum(secret_value + container_contents) type of protection, but after reimplementing the ﬁrmware upgrade functionality in my own tool v2x-ctl, I found that the device happily accepts patched ﬁrmwares as long as CHK2 is correct.

To test this, I made a pretty simple modiﬁcation - I replaced the string WELCOME, which is shown on the segment display on the device when booting up, with PATCHED. After ﬂashing the ﬁrmware and rebooting the device, I was happy to see my string being shown to me:

The hacker part of me thinks this is great - people should be able to do what they want with the devices they’ve bought and own. The security professional part of me thinks that having absolutely no protection in place (like having to unlock a bootloader for mobile devices) is pretty bad practice. But it’s not exactly the end of the world if you need physical access to update the device over USB.

If.

Everybody loves Bluetooth

Like all “self-respecting” speakers these days, of course the Katana V2X also needs to have Bluetooth, even though it’s most likely going to spend most of its life wired up to a PC or gaming console.

And of course Creative needs to have an app which lets you control the speaker’s settings and fancy LED lights from your phone over Bluetooth.

The way BLE (Bluetooth Low Energy) works is that each device has various registers (called GATT characteristics) that, if you’re connected to the device, you can write to, read, subscribe to notiﬁcations for, and so on. What’s important to note is that to connect to a device, you don’t need to (necessarily) pair with it. You can often just connect with a device and immediately start reading and writing data to characteristics. Pairing establishes encryption, but a connection can be made without it.

While digging through the Katana’s ﬁrmware, I discovered that the internal CTP handler is bridged to both USB and apparently Bluetooth:

Intrigued by this, I downloaded the Creative mobile app and tried connecting to my speaker.

“Please press the POWER button to pair.”

I wondered how this pairing process worked, exactly. Maybe it used the same authentication scheme as for USB and maybe I could just use the shared secret to authenticate with any speaker over Bluetooth, as was the case with my e-scooter.

I set up a Bluetooth sniffing environment and observed that in order to initiate the pairing process, the phone wrote a payload like 5a 0b… to a characteristic 9e9daaec-3a10 – 4fe8-b69f-7397aff77886, and read a response from characteristic 9e9daaeb-3a10 – 4fe8-b69f-7397aff77886.

5a had me very, very suspicious, as it’s the same byte that all CTP commands start with. Out of a hunch, I connected to the device over Bluetooth from my laptop and wrote the payload 5a 09 01 02, which is the CTP command for reading the ﬁrmware version, and requires authentication to send over USB.

To my surprise, upon reading the characteristic 9e9daaeb-3a10 – 4fe8-b69f-7397aff77886, I was greeted with the full version string. This means anyone can just connect to any Katana V2X over Bluetooth and start sending CTP commands to it, reading information, changing settings, etc.

Over-the-air updates (the bad kind)

It didn’t take me too long to connect the dots that ﬁrmware upgrades were also performed over CTP. Combined with the fact that anyone can construct valid custom ﬁrmware, I wondered if it was possible for an attacker to simply upload a custom ﬁrmware over Bluetooth without ever having to authenticate or pair.

After wrestling with a few BLE quirks (which I’ll describe in detail later in this article), I wrote a relatively simple Python script that does exactly what my v2x-ctl tool does to upgrade ﬁrmware, but over Bluetooth instead. Using that, I attempted to upload the modiﬁed ﬁrmware I had crafted earlier to my speaker. Since BLE is quite slow, it took around 10 minutes to ﬁnish, but after it was done, I was once again greeted with my lovely “PATCHED” welcome message.

I thought of the implications for a bit. The speaker has a microphone. An attacker could, theoretically, upload a custom ﬁrmware that effectively turns the speaker into a covert monitoring device, listening in on conversations and forwarding them to a receiver over Bluetooth.

What was more interesting to me was the fact that the speaker is, in a standard setup, connected to a PC over USB. It’s by all means a trusted USB device.

What if we wrote custom ﬁrmware that forced the speaker into acting as a keyboard, sending keystrokes for opening up the terminal and executing arbitrary commands? We would turn the speaker into a Rubber Ducky, but remotely, without ever having to plug anything into either the speaker or the PC.

Living off the kernel land

At ﬁrst, I thought this would be a herculean task. Since I don’t have access to the source code of the ﬁrmware, I would have to somehow jury-rig in an entire section of code that sets the device up as a HID (human interface device) USB device (if that’s even possible for this SoC), a procedure for then using this to send keystrokes to the PC over USB, and continuing to run the rest of the code in the ﬁrmware so the speaker would still behave as normal.

However, after digging around some more in the ﬁrmware, I realized it’s likely not as difﬁcult as it seems.

First off, it turns out the speaker already sets itself up as a HID device. Not as a full keyboard, mind you, but as a Consumer Control device - basically letting the speaker change the volume and media status (play/pause) on the PC, but not much else.

This could be seen in the kernel logs:

The way this is done with USB devices is that the device presents the PC with a USB descriptor set, which is basically a report of its capabilities, what it can do, how many interfaces to enumerate, and so on.

The report descriptor in the ﬁrmware was pretty easy to locate and to my luck, it had enough space to append a second report descriptor entry that also presented the device as a keyboard. Running dmesg now shows that the device also reports being a keyboard:

The second issue was sending actual HID data and emulating keystrokes. Much to my luck, the ﬁrmware already had a neatly usable routine for sending HID data, all I had to do was provide it with data (the key to press or unpress) and call it.

The third issue I struggled with quite a bit. It was difﬁcult to ﬁnd enough free space that I could write in (which would get properly mapped in memory or wouldn’t immediately crash the device when booting), ﬁnding a trampoline that worked properly and didn’t crash returning back to the normal instruction ﬂow, etc.

I eventually realized that if this is running on FreeRTOS, there’s likely numerous tasks being executed on boot anyways. I don’t need to write a trampoline and juggle the execution ﬂow, I can just overwrite an existing task and let the ﬁrmware spawn it for me. I ended up ﬁnding a diagnostic task, which didn’t seem to do anything in normal use - from what I could tell, it was only used for gathering diagnostic data from a DSP coprocessor.

I overwrote that task with a task that:

Waits ~20 seconds for the speaker to boot and bring up the USB subsystem

Types in echo pwned and hits enter, with ~20ms between each keystroke

Ends the task, leaving the rest of the speaker’s functionality intact

This would be executed every time the device booted up.

The patches ended up being pretty minimal - only 83 bytes for the USB report and 102 bytes of hand-written ARM/Thumb assembly for the keystroke injector, plus 2 bytes for every keystroke I wanted to send.

The result

Chaining it all together, I was able to totally remotely, over the air, upload a custom ﬁrmware to my speaker which I hadn’t paired with, which would reboot, ﬂash the custom ﬁrmware, and after rebooting type in the command echo pwned and execute it.

In a real attack scenario, I would execute the keystrokes for opening powershell.exe or similar and paste an actually malicious one-liner into that, but as a proof of concept, this was more than enough for me. A real attacker would also likely disable the routine for updating the ﬁrmware in both normal and recovery mode, making it impossible to wipe the malicious ﬁrmware from the device or patch it in the future.

This is worsened by the fact that Bluetooth is always on for the speaker, even in sleep mode, with no apparent way to disable it.

Remediation

Getting in touch with Creative was a frustrating process.

They do not have any security contacts. In fact, I wasn’t even able to ﬁnd regular contacts that wasn’t just a support form on their website. I tried (two times) to get in contact with them via the web form before giving up and contacting SingCERT to act as an intermediary, hoping they would have better luck reaching Creative.

Initially, SingCERT didn’t seem to be able to get in contact with Creative either. It took Creative nearly two months to respond to SingCERT. Unfortunately, their response was that “they do not consider this to be a vulnerability, as it does not present a cybersecurity risk”. I don’t know how they reached this conclusion, but it became clear that Creative had no interest in responding to or addressing this issue.

Due to this, there are no patches currently available via Creative themselves. The latest ﬁrmware is vulnerable.

As a partial remedy, to ensure that people are still able to use these devices securely, I wrote a patch for the ﬁrmware that blocks CTP-over-Bluetooth. This likely breaks the Creative mobile app, but without the source code, it’s fairly hard to patch the ﬁrmware with proper authentication in-place.

If you’re interested in using this patch, I’ve created a tool that downloads the ofﬁcial ﬁrmware from Creative’s servers, patches it in memory, and uploads it to your USB-connected Katana V2X. You can get it from the releases page here: https://git.dog/xx/v2x-patcher (or build it yourself with cargo if you want to inspect the patches beforehand).

The nitty gritty

What follows are a few technical details of the reverse engineering process and the binary patches in no speciﬁc order.

Memory layout woes

For Ghidra’s (or any other RE toolkit’s) automatic analysis to work properly, the binary needs to have the correct base address. Otherwise, pointers calculated using the base address will point to the wrong data and you’ll just get disassembly that doesn’t make much sense.

With FMAIN.bin, I struggled quite a bit. It wasn’t enough to simply load the ﬁrmware with what I assumed to be the correct base (0x10000000). When I loaded the binary using this base, the auto-analysis seemed to produce valid results, the startup code and FreeRTOS core seemed correct, but after that brief section in the beginning, auto-analysis seemed to fail and produce garbage.

As it turns out, FMAIN.bin is not a monolithic image and is instead scatter-loaded, with different sections of the ﬁrmware loaded at different addresses.

I didn’t ﬁnd any easy way to read what the correct memory map should be, but I deduced (and later veriﬁed by reading memory right off the device, when I was able to patch and upload ﬁrmware) the following layout:

Using this memory map in Ghidra seemed to actually produce valid analysis results.

String x-refs for ARM ﬁrmware

Even though my memory map was correct, I was still not getting many X-refs deﬁned for my strings. Some strings were referenced by some functions, but this seemed inconsistent and most strings seemed to be wholly unreferenced, which didn’t make any sense.

Working back from what I assumed to be the log method in the ﬁrmware, I realized that string pointers weren’t being loaded directly. Instead, string pointers were loaded using a pair of movw and movt instructions:

movw r0, #0x29A4 ; low 16 bits movt r0, #0x400A ; high 16 bits, r0 = 0x400A29A4

I tried searching online, but didn’t ﬁnd much information on why exactly Ghidra’s analysis seems to not recognize these as pointers to strings (perhaps the scatter-loading?), but I wrote a script that went over all movw/movt pairs which loaded into the same register, ﬁltered out the ones pointing to valid memory, and set up DATA references to those. This created ~13k references and made my life so much easier.

Firmware patches for reading, writing and executing memory

After I ﬁgured out how to modify the ﬁrmware and inject my own code, the ﬁrst order of business was setting up a method of reading, writing and executing memory. This was important for a few reasons, but most importantly for verifying the actual memory layout, reading what was going on in the heap, and being able to write and execute payloads on the ﬂy without having to patch the ﬁrmware itself and ﬂash it. Flashing the ﬁrmware was sloooow, and a lot of my RE time was taken up simply waiting for the ﬁrmware to upload to the device, the device to reboot, realize that my patches were wrong and the device is bootlooping or has been bricked, rebooting into recovery mode (which required pulling the power), and repeating the whole process again.

To set up these handlers, I decided that the best way to implement this would to overwrite a CTP handler that already exists and is properly routed, but which doesn’t do anything important. The CTP opcode 0x54 seemed like a pretty good candidate, all it did was echo back the data it was sent, and the handler was about 106 bytes long. This seemed a bit tight to ﬁt three commands into, but ended up being just barely enough room to work with - my ﬁnal handler with all three commands implemented ended up being 96 bytes long.

On the host side, I simply modiﬁed my v2x-ctl tool to support this custom CTP command. With this, I was able to execute arbitrary code over USB without having to reﬂash the whole ﬁrmware, which made testing patches etc so much more convenient.

Watchdogs doing their jobs

While writing the payload for sending HID commands, I kept running into an issue where my code, which was seemingly ﬁne and worked for sending singular keypresses, rebooted the device whenever I tried to implement sending multiple keypresses.

This was before I came up with the “replace an existing task” approach, and was simply running my payload using mem-exec as I described above. The weirdest thing was that the device seemed to crash when I called a benign function vTaskDelay built into FreeRTOS to add a small delay between each keypress event.

It turns out that Creative had implemented per-task watchdog timers, and if a critical task was taking too long, the OS would panic and reboot (my best guess). When I called vTaskDelay through mem-exec, I was calling it in the USB handling task context. The delays for each character added up, the watchdog timer wasn’t being kicked in time, and the system rebooted.

This issue ﬁxed itself when I injected my code into the diagnostic service task instead of calling it from the USB task directly.

All tests and reverse engineering was performed on the ﬁrmware version 1.3.230619.1820.

Timeline

01/04/2026 - Attempt 1 to get in contact with vendor via their support form (vendor lacks any public security contacts)

07/04/2026 - Attempt 2 to get in contact with vendor via their support form

09/04/2026 - Submission of vulnerabilities to SingCERT

16/04/2026 - Response from SingCERT requesting further information

16/04/2026 - Sent additional details to SingCERT

20/04/2026 - Response from SingCERT requesting further information

20/04/2026 - Sent additional details to SingCERT

20/04/2026 - Response from SingCERT acknowledging the report and conﬁrming they’ve reached out to vendor

08/05/2026 - Email from SingCERT stating they’ve been unable to reach the vendor and asking whether they should continue attempting to follow up

08/05/2026 - Sent conﬁrmation to SingCERT

25/05/2026 - Email from SingCERT stating vendor has responded and is aware of the case

03/06/2026 - Email from SingCERT stating vendor “do not consider this to be a vulnerability, as it does not present a cybersecurity risk.”

03/06/2026 - Write-up published

Read more Read the original on blog.nns.ee →

Read the original on blog.nns.ee →

Elixir v1.20 released: now a gradually typed language

elixir-lang.org

433 shares · 91 trendiness

In 2022, we announced the effort to add set-theoretic types to Elixir. In June 2023, we published an award winning paper on Elixir’s type system design and said our work was transitioning from research to development.

With Elixir v1.20, we have completed our ﬁrst development milestone which is to perform type inference and gradually type check every Elixir program, without introducing type annotations. This means Elixir increasingly reports dead code and veriﬁed bugs: typing violations that are guaranteed to fail at runtime if executed. Elixir can ﬁnd veriﬁed bugs in existing programs efﬁciently, without introducing developer overhead, and with an extremely low false positives rate.

In this announcement, we will break down the type system goals, what the dynamic() type means in Elixir, and how it ﬁnds veriﬁed bugs. In particular, our implementation performs well in the “If T: Benchmark for Type Narrowing” benchmark. Elixir passes 12 of the 13 categories, showing that it can recover precise type information from ordinary Elixir code, which we use to ﬁnd veriﬁed bugs in dynamically typed programs.

The type system was made possible thanks to a partnership between CNRS and Remote. The development work is currently sponsored by Fresha, and Tidewave.

Types, in my Elixir?

Our goal is to introduce a type system which is:

sound - the types inferred and assigned by the type system align with the behaviour of the program

gradual - Elixir’s type system includes the dynamic() type, which can be used when the type of a variable or expression is checked at runtime. In the absence of dynamic(), Elixir’s type system behaves as a static one

developer friendly - the types are described, implemented, and composed using basic set operations: unions, intersections, and negations (hence it is a set-theoretic type system), with clear error messages

Introducing a type system into an existing language is a complex change. For this reason, our ﬁrst milestone was to implement the type system without introducing typing annotations but still have it provide value to developers by ﬁnding dead code and veriﬁed bugs. This is done through the dynamic() type, which in Elixir is quite different from other gradually typed languages. Let’s break it down.

The dynamic() type

Many gradual type systems have the any() type, which, from the point of view of the type system, often means “anything goes” and no type violations are reported. On the other hand, Elixir’s gradual type is called dynamic() and it has two important properties: compatibility and narrowing.

In static type systems, when you have a type of shape integer() or binary() and you invoke a function, said function must accept both types. However, because type systems cannot capture the intention of all of our programs with precision, this may lead to false positives. For example, take the simple code below:

def percentage_or_error(value) when is_integer(value) do value_or_error = if value > 1 do value else “not well” end

# … more code …

if value > 1 do value_or_error / 100 else String.upcase(value_or_error) end end

Although value_or_error has type integer() or binary(), the operator / accepts only numbers, and String.upcase accepts only binaries/strings, the program above is valid and emits no exceptions at runtime. However, a type system would still report two violations, because the types supplied to / and String.upcase are not a subtype of the accepted types.

While the program above could be better written to have no typing violations, type systems will always reject valid programs, and if Elixir were to introduce too many false positives in existing codebases, it would quickly erode the trust in the type system. Therefore, Elixir’s gradual type system tags the value_or_error variable above with the type dynamic(integer() or binary()), which means the type is either integer() or binary() at runtime.

When calling a function with a dynamic() type, Elixir will only emit a typing violation if the supplied types and the accepted types are disjoint. In the program above, even though / expects only numbers, dynamic(integer() or binary()) can be an integer() and given the accepted and supplied types are not disjoint, there are no typing violations. However, if we were to change the program to this:

value_or_error = if value > 1 do value else “not well” end

Map.fetch!(value_or_error, :some_key)

Because Map.fetch! expects a map data structure, and value_or_error can only be integer or binary at runtime, the accepted and supplied types are disjoint, which turns into a violation. This is known as the compatibility property and it explains how Elixir reports only veriﬁed bugs.

However, reporting only veriﬁed bugs would not be useful if we can’t ﬁnd many bugs in the ﬁrst place. We addressed this problem by making sure Elixir’s dynamic type can be narrowed. Take this code:

def add_a_and_b(data) do data.a + data.b end

In the program above, data starts as a dynamic() type. We then use it as data.a and data.b inside the plus operator, so Elixir will reﬁne the data variable to have type %{…, a: number(), b: number()}, which implies it is a map with both a and b ﬁelds with number values (and potentially any other ﬁeld, hence the leading …). Therefore, if you were to forget to select the .b ﬁeld and write this:

def add_a_and_b(data) do data.a + data end

data would be ﬁrst narrowed to a map of shape %{…, a: number()}, then attempted to be used as a number(), which would emit a violation.

In other words, the dynamic() type in Elixir effectively works as a range, which can be reﬁned as it is used throughout the program and reports violations whenever type checks fall outside of the range. This is a contrast to other gradual type systems, which use the dynamic type to discard all type information.

Behind the scenes, our type inference and type checking algorithms behave as if we annotated all argument types as dynamic(). Once we introduce user-supplied type annotations, Elixir’s type system will behave as any statically typed language as long as dynamic() is not used. And whenever you cross the static-dynamic boundary, we developed new techniques that ensure our gradual typing is sound, without a need for additional runtime checks.

Typing guards, clauses, and more

Most of the work behind this release was to introduce type checking and narrowing to several constructs. Let’s see some of them.

When it comes to guards, we can infer unions, intersections, and negations:

def example(x, y) when is_list(x) and is_integer(y)

The code above correctly infers x is a list and y is an integer.

def example({:ok, x} = y) when is_binary(x) or is_integer(x)

The one above infers x is a binary or an integer, and y is a two element tuple with :ok as ﬁrst element and a binary or integer as second.

def example(x) when is_map_key(x, :foo)

The code above infers x is a map which has the :foo key, represented as %{…, foo: dynamic()}. Remember the leading … indicates the map may have other keys.

def example(x) when not is_map_key(x, :foo)

And the code above infers x is a map that does not have the :foo key, which has the type: %{…, foo: not_set()}. Hence x.foo within the function body will raise a typing violation.

You can also have expressions that assert on the size of data structures:

def example(x) when tuple_size(x) < 3

Elixir will correctly track the tuple has at most two elements, and therefore accessing elem(x, 3) will emit a typing violation. For maps and lists, we convert size checks into emptiness ones. In other words, Elixir can look at complex guards, infer types, and use this information to ﬁnd bugs in our code.

When it comes to constructs such as case and conditionals, Elixir uses information from previous clauses to reﬁne subsequent ones:

case System.get_env(“SOME_VAR”) do nil -> :not_found value -> {:ok, String.upcase(value)} end

System.get_env(“SOME_VAR”) returns either nil or a binary(). Because the ﬁrst clause matches on nil, the type system knows value can no longer be nil, and therefore it must only be a binary(), which allows the second clause to also type check without violations. Narrowing across clauses also helps the type system ﬁnd redundant clauses and dead code in existing codebases.

Furthermore, we have typed many functions in the standard library that work with tuples and maps. You can ﬁnd more details in the release notes.

Compilation time improvements

Elixir v1.20 also improves compilation times once more, especially on applications running on machines with many cores. Even though BEAM languages are efﬁcient to compile in general, our synthetic benchmarks now place Elixir’s build tool as the fastest among them. If you would like to contribute more examples and scenarios, please start a discussion so we can provide a transparent suite of benchmarks and results.

It also introduces a new compiler option called :module_deﬁnition, which speciﬁes if the module definition should be :compiled (the default) or :interpreted. This may improve compilation times in large projects and it does not affect the .beam ﬁles written to disk, only how the contents inside defmodule are executed. You can enable it by setting elixirc_options: [module_deﬁnition: :interpreted] in your mix.exs. Read the documentation to learn more.

What is next?

The biggest question ahead of us is: when will Elixir introduce new type signatures that leverage set-theoretic types? As recently discussed in my ElixirConf EU 2026 keynote, we still have both research and development work ahead of us. We will only introduce type signatures:

if we are satisﬁed with the type system performance in Elixir v1.20 (and we have done extensive work optimizing it)

if we can implement recursive types efﬁciently

if we can implement parametric types efﬁciently

if we can implement traversing key-value pairs of maps as an enumerable efﬁciently (we are still researching the possible solutions here)

Once those problems are tackled, we will start to explore and discuss typed struct definitions and ﬁnally type signatures. As usual, we will keep the community posted through news and in the Elixir Forum.

We appreciate everyone who tried the release candidates, ran benchmarks, and gave us feedback! Give Elixir v1.20 a try and remember to ﬁx all of the bugs it will ﬁnd for free!

Read more Read the original on elixir-lang.org →

Read the original on elixir-lang.org →

Encephalitis - Andrew Gallant's Blog

burntsushi.net

431 shares · 59 trendiness

I was recently diagnosed with anti-NMDA receptor encephalitis. It is an autoimmune disorder where your body’s normally helpful antibodies start acting strangely. This leads to inﬂammation in the brain. This short blog brieﬂy discusses some of my experience and prognosis.

Target audience: Anyone relying on my work for their own projects.

It all started with ﬂu-like symptoms: heart racing, night sweats, the chills and trouble sleeping. But no congestion or cough. I also felt really off mentally. A deep sort of anxiety, along with panic attacks, that I had never experienced before in my 38 years of life. It was terrifying, especially because I had no idea what was causing it. There were no life events or obvious triggers that precipitated the psychological symptoms, nor was there any obvious biological explanation for the physical symptoms at the time. This was only the beginning.

Over the ensuing weeks my physical symptoms progressed to chronic jaw pain, making it incredibly difﬁcult to eat. I also had problems with my balance. As someone who has easily juggled 3 balls and played sports for my entire childhood, I couldn’t catch a ball lobbed to me from a few feet away by my 5 year old son. My psychological symptoms were perhaps even more horrifying to me. I had suicidal ideation and suffered from psychosis. Speciﬁcally, delusions and auditory hallucinations.

The problems with balance and the overwhelming nature of my psychological symptoms eventually led me to fall and hit my head. This in turn led myself and my wife to decide that I couldn’t be safe at home. And that brought us to my ﬁrst emergency room visit. They cleared me physically and sent me to an in-patient psychiatric hospital, which, at the time, I welcomed because my symptoms had progressed beyond what we could manage at home.

It is common for anti-NMDA receptor encephalitis to be misdiagnosed as (in my case) generalized anxiety disorder or schizophrenia. Since I had been cleared physically, getting out of the psychiatric hospital quickly to see a neurologist proved difﬁcult. This was the single point, in retrospect, where our health care system let me down. It took a lucky connection with someone who happened to be a doctor to get me out of the psychiatric facility and into the neurology department at Brigham and Women’s Hospital in Boston.

After that, I was in and out of Brigham and Women’s Hospital for almost a month. I had several MRIs, a lumbar puncture, EEGs and many more tests. As a result of what I now see as a life saving treatment protocol, I very quickly received intravenous immunoglobulin (IVIG) and methylprednisolone, even before my diagnosis was known. In particular, MRIs revealed a lesion in my brain. However, conﬁrming a diagnosis of anti-NMDA receptor encephalitis would come later since it is best done with at least a positive antibody test in your cerebral spinal ﬂuid. Results from this speciﬁc test typically take a couple weeks to come back.

By the time I received my ofﬁcial diagnosis, the IVIG and steroids had kicked in and I was feeling much better, albeit, not nearly at 100%. I’ve since continued on a course of steroids that I am now already tapering off of. I’m also tapering off of medications I had been prescribed as a result of my psychological symptoms, before encephalitis was known to be the cause. Moreover, I am now ofﬁcially in the CIELO clinical trial for testing the effectiveness of satralizumab in treating anti-NMDA receptor encephalitis.

While autoimmune disorders don’t have a known cure, the prognosis for anti-NMDA receptor encephalitis is very good. My doctors have said that it was caught early (despite the early tangent into a psychiatric hospital), and that this is associated with better long term outcomes. Indeed, I am feeling great now and recovery is exceeding my own expectations.

There is some speculation that anti-NMDA receptor encephalitis could partially explain past accounts of demonic possession. Many of the people in my life, close or not, could tell that there was something seriously wrong with me. Without science and modern medicine, I can only imagine what kind of speculation folks might have ventured for the underlying cause.

My full story of this disease of chaos is quite long and I’m not sure I will ever publish it in full. However, Susannah Cahalan did just that in her book, Brain on Fire: My Month of Madness. There is also a movie adaptation (as of June 2026) available for free on YouTube. My disease didn’t progress as far as Susannah’s, nor did it do so in the same way. For example, I didn’t have any (known) seizures or catatonia. The rest of her symptoms, especially the psychosis, were quite similar.

This has been the absolute worst experience of my life, bar none. It is also the explanation behind my higher-than-usual inactivity over the last few months. But I am slowly getting back into the swing of things with a renewed vigor. I’m excited for where the industry is headed and I can’t wait to see what things will look like one year from today. I’m so happy that I get to be my “normal” self to experience that, which is a stark juxtaposition from how I felt just two months ago.

Finally, I want to express some gratitude to two people in particular.

First and foremost is my wife, Kaitlyn Brady. She saved my life. She never stopped believing that there was some neurological component and she never stopped ﬁghting for me. I feel so grateful that she is in my corner. More than that, the burden she carried before my diagnosis was known is something that is truly remarkable. She wasn’t just there for me when I needed her. She was there for our son. She was there for the doctors whenever they called, even late into the night. She was there when our basement ﬂooded. And when we all caught inﬂuenza. I’ll never know how she juggled everything, but I’ll be in her debt for the rest of my life.

Secondly is Charlie Marsh. He was patient, understanding and my partner through it all. He didn’t just exceed expectations for how you want your employer to deal with a serious medical condition, but he went above and beyond even that in more ways than one. It’s not often I can say that someone has handled a situation perfectly, but the word ﬁts in this case.

Thank you to my friends, family and doctors as well. Their support during this time was unwavering and I’m not sure what would have happened without them. “Nothing good” is what a nurse said when I posed that question to her.

Happy hacking.

Read more Read the original on burntsushi.net →

Read the original on burntsushi.net →

AI Outperforms Law Professors in Stanford Law Study | Stanford Law School

law.stanford.edu

389 shares · 17 trendiness

A groundbreaking study led by Stanford Law School Professor Julian Nyarko reveals that law professors overwhelmingly prefer AI-generated answers to student questions over responses written by their fellow instructors—a ﬁnding that could reshape how legal education is delivered.

The study, titled “Law Professors Prefer AI Over Peer Answers,” was conducted with 16 law professors across U.S. law schools and tested whether large language models could serve as effective tutors for contract law courses.In a blind evaluation of nearly 3,000 anonymized comparisons, professors rated AI responses significantly higher than answers written by other professors, with AI winning 75% of head-to-head matchups.

“This study challenges important assumptions about AI’s role in legal education,” said Nyarko, who leads Stanford Law School’s Legal Innovation through Frontier Technology Lab, or liftlab. He co-authored the paper with colleagues from Yale, NYU, University of Chicago, and other leading institutions. “We focused on law precisely because it requires judgment, nuanced reasoning, and the ability to navigate ambiguity—not just factual recall.”

Can LLMs Reason?

The study is particularly notable because previous AI evaluations have focused primarily on subjects with clear right-or-wrong answers. Legal reasoning, by contrast, demands careful analysis of competing arguments and defensible conclusions.

“We were frankly surprised by the magnitude of the results,” Nyarko added. “These weren’t just simple questions with obvious answers. Many of them required synthesizing complex material, applying it to new situations, and explaining legal concepts in ways that would help students develop their own analytical skills.”

Participants created 40 representative contracts law questions that students might ask after class or during ofﬁce hours, wrote their own answers, and then evaluated responses without knowing whether they came from AI or other participating professors. The AI systems performed comparably to the best human instructor in the study.

Perhaps most striking: professors ﬂagged AI responses as pedagogically harmful only 3.5% of the time, compared to 12% for peer-written answers.

“In most ﬁelds where AI gets tested, there’s a right answer. In law, there often isn’t.” said Sarath Sanga, co-author and professor at Yale Law School. “Two opposing arguments can both be good. What we wanted to know is whether AI can meet the latent professional standard that lawyers use to evaluate each other’s arguments. In this case, the answer was yes.”

The research team took extensive precautions to ensure the study’s validity. They calibrated AI responses to match the length and structure of human answers, used multiple evaluation methods, and had professors assess whether responses might mislead or confuse students.

Transforming Legal Education

“We designed this study to be as rigorous as possible because the stakes are so high,” Nyarko explained. “Legal education is about training future lawyers to think critically, argue persuasively, and navigate ethical complexities. Our study makes important steps towards ﬁnding out whether AI could support that mission.”

Alejandro Salinas, ﬁrst author of the study and a researcher at Nyarko’s liftlab, emphasized the educational implications: “Our study shifts attention to what AI tutoring can contribute to learning in judgment-rich ﬁelds like law. We ﬁnd that, when evaluated by legal educators, AI tutors can offer high-quality, on-demand support that complements classroom instruction, and may broaden access to expert guidance.”

The study also examined speciﬁc AI models, including commercial tutoring systems and Google’s NotebookLM, ﬁnding varying levels of performance. However, even when context limitations affected AI responses, professors still frequently preferred them to human-written alternatives.

The ﬁndings arrive as law schools nationwide grapple with integrating AI tools into legal education while maintaining rigorous academic standards. Some institutions have embraced AI experimentation, while others remain cautious about potential risks including hallucinations, overreliance, and the erosion of critical thinking skills.

“Our study evaluates the quality of answers given by AI tools. But how to implement these tools to most effectively improve student learning is still an open question. So we’re not advocating for wholesale adoption of AI tutors,” Nyarko cautioned. “But our data suggests that blanket skepticism may be equally unwarranted. The conversation should shift from whether AI can give accurate, high quality responses to how we can deploy it responsibly to the beneﬁt of our students.”

View the Publication Link to SSRN

About liftlab

Liftlab is among the ﬁrst academic efforts in legal AI to unite research, prototyping, and real-time collaboration with industry. Its mission is to increase access to high quality legal services in the private sector by leveraging AI and other frontier technologies. To bridge the gap between theory and practice, liftlab’s work extends beyond conceptualization and encompasses the building of prototypes that help explore the utility of AI-based solutions.

About Stanford Law School

Stanford Law School is one of the world’s leading institutions for legal scholarship and education. Its alumni are among the most inﬂuential decision makers in law, politics, business, and high technology. Faculty members argue before the Supreme Court, testify before Congress, produce outstanding legal scholarship and empirical analysis, and contribute regularly to the nation’s press as legal and policy experts. Stanford Law School has established a model for legal education that provides rigorous interdisciplinary training, hands-on experience, global perspective and a focus on public service.

Read more Read the original on law.stanford.edu →

Read the original on law.stanford.edu →

32GB of DDR5 now costs $375 minimum — AI shortage continues to squeeze PC building

www.tomshardware.com

367 shares · 33 trendiness

As the demands of AI continue to consume manufacturing capacity at every level of the PC hardware supply chain, 32GB of DDR5 RAM — broadly understood to be the sweet spot for gaming PCs and enthusiast builds — can no longer be found for less than $375. Well, $374.97 to be precise.

RAM price tracking through 2026 will show you that kits that routinely cost less than $100 just a year ago are now fetching upwards of $240 (16GB). As the AI frenzy has taken hold, retailers far and wide have been pumping up their RAM prices to exorbitant levels. However, there’s so much ﬂuctuation and noise that average pricing is now something of a ludicrous fugazi. The going rate for 32GB of DDR5 RAM — the cheapest you can expect to pay — has hovered around $320 for some time, climbing past $350 in recent weeks. Price tracking courtesy of PCPartPicker now reveals the cheapest 32GB DDR5 RAM you can buy is $375. Speciﬁcally, four XPOWER kits from Silicon Power will set you back $374.97 thanks to a promo code. You can see the listings yourself below.

Silicon Power Zenith Gaming DDR5 6000MT/s (PC5 – 48000) CL36 32GB(2x16GB)

Silicon Power Zenith RGB DDR5 6000MT/s (PC5 – 48000) CL36 32GB(2x16GB)

Silicon Power Pulse Gaming DDR5 6000MT/s (PC5 – 48000) CL36 32GB(2x16GB)

Silicon Power Zenith RGB DDR5 6000MT/s (PC5 – 48000) CL36 32GB(2x16GB)

As you can imagine, this is enormous pricing pressure for enthusiasts trying to build gaming PCs or upgrade their rigs in 2026. A component that once cost less than $100 and was something of an afterthought now costs almost four times as much, and that’s before you’ve even ﬁred a neuron in consideration of aesthetics, timings, or brand. More popular kits from the likes of Corsair and Crucial, or RGB offerings to match the rest of your build, will easily set you back more than $400.

Of course, 32GB is really the minimum sweet spot you should be aiming for when building a PC in 2026. If you did want more capacity, 64GB will set you back an astonishing $679.99. 16GB of RAM as a compromise can be found for $200 at B&H Photo, but with SK hynix warning that manufacturing constraints will persist through 2030, there’s no sign of prices letting up so that you can upgrade capacity any time soon.

The humble RAM combo deals we’ve been highlighting in recent months are a small source of solace for builders, letting you score RAM for less than the $375 going rate if you pair it with a decent motherboard, a processor, or even an entire set of PC components. A theme of ongoing Computex 2026 announcements remains a lack of pricing clarity on lots of PC hardware, including Nvidia’s RTX Spark laptops and PCs, as well as new-build systems and, of course, RAM components themselves. Vendors are likely wary of scaring off potential buyers with higher-than-expected prices ahead of release. Perhaps more likely, the prices haven’t been set because they’re still going up. Storage isn’t much better, with SSD price tracking revealing that drives which once cost as little as $38 are now fetching $200.

AMD is making a noticeable effort to keep PC gaming prices down, this week announcing the return of its Ryzen 7 5800X3D, and the advent of a new Ryzen 7 7700X3D. Intel, which warned this week that “something has to give” when it comes to memory prices, also teased dragging out some of its legacy products to give users more options on older memory technologies, namely Raptor Lake and DDR4.

Get Tom’s Hardware’s best news and in-depth reviews, straight to your inbox.

Stephen is Tom’s Hardware’s News Editor with almost a decade of industry experience covering technology, having worked at TechRadar, iMore, and even Apple over the years. He has covered the world of consumer tech from nearly every angle, including supply chain rumors, patents, and litigation, and more. When he’s not at work, he loves reading about history and playing video games.

Read more Read the original on www.tomshardware.com →

Read the original on www.tomshardware.com →

Uber Caps Usage of AI Tools Like Claude Code to Manage Costs

simonwillison.net

320 shares · 31 trendiness

3rd June 2026 - Link Blog

Uber Caps Usage of AI Tools Like Claude Code to Manage Costs. I wrote the other day about Uber blowing its 2026 AI budget in four months, and how that wasn’t particularly surprising given they would have set that budget in 2025, before anyone could have predicted how popular token-burning coding agents were about to become.

Natalie Lung for Bloomberg:

The rideshare giant is limiting all employees to $1,500 in monthly token spending per AI coding tool, an Uber spokesperson said in response to a Bloomberg News inquiry. That means spending on one tool doesn’t have a bearing on the budget for another. The limits, which have been instituted in recent months, only apply to agentic coding software such as Cursor or Anthropic PBC’s Claude Code.

A $1,500 monthly limit per tool strikes me as a rational policy response to over-spending, and much more sensible than those tokenmaxxing leaderboards encouraging employees to compete for as much AI usage as possible.

It’s also interesting in that it hints at a real dollar value for what Uber is getting out of these tools. If we assume two actively used tools per engineer that’s $3,000 * 12 = $36,000 cap per engineer per year. Levels.fyi lists the median yearly compensation package for Uber software engineers in the USA at $330,000.

That means each employee’s AI spending cap is ~11% of that median compensation package.

I noted that my own token usage comes to about $1,000/month against each of Anthropic and OpenAI - which currently costs me just $100 per provider thanks to their generous subsidized plans for individual subscribers. Those plans are no longer available to larger companies like Uber.

Their new policy means if I were working at Uber I’d still have ~$500/month of tokens to spare for each of those tools, given my current usage patterns.

Read more Read the original on simonwillison.net →

Read the original on simonwillison.net →

MacBook Neo is So Popular That Apple Reportedly Doubled Production

www.macrumors.com

301 shares · 48 trendiness

On an earnings call in late April, Apple’s CEO Tim Cook said that customer response to the MacBook Neo was “off the charts,” and the popularity of the laptop has reportedly led the company to significantly boost production.

Apple supply chain analyst Ming-Chi Kuo this week said he believes that MacBook Neo shipments to Apple were doubled from an initial target of 5 million units to 10 million units in 2026 at some point after the laptop launched in March.

Apple was very optimistic about the MacBook Neo before announcing it, but the company still “undercalled” the level of enthusiasm that the laptop would generate, according to Cook. He said that MacBook Neo demand exceeded Apple’s expectations and helped to drive a record number of ﬁrst-time Mac buyers last quarter.

New ﬁgures from market research ﬁrm IDC support Apple’s claim that the MacBook Neo is selling well, and the Windows PC industry has taken notice. For example, Dell recently introduced a redesigned XPS 13 laptop from $699 and said it has features “you won’t ﬁnd on a MacBook Neo,” such as a touch screen and a backlit keyboard.

“Apple’s MacBook Neo is a capable machine, and its arrival conﬁrms that there’s real appetite for premium quality at accessible prices,” admitted Dell.

With a starting price of $599 in the U.S., or $499 for college students, the MacBook Neo is Apple’s most affordable MacBook ever. Powered by the iPhone’s A18 Pro chip, the laptop is available in colorful ﬁnishes like Citrus and Blush.

A second-generation MacBook Neo is expected to be released next year with an A19 Pro chip and 12GB of RAM.

Meta scales back plan to track workers' clicks and keystrokes to train AI

1-Click GitHub Token Stealing via a VSCode Bug

Introducing Gemma 4 12B: a unified, encoder-free multimodal model

Pwnd Blaster: Hacking your PC using your speaker without ever touching it

Elixir v1.20 released: now a gradually typed language

Encephalitis - Andrew Gallant's Blog

AI Outperforms Law Professors in Stanford Law Study | Stanford Law School

32GB of DDR5 now costs $375 minimum &mdash; AI shortage continues to squeeze PC building

Uber Caps Usage of AI Tools Like Claude Code to Manage Costs

MacBook Neo is So Popular That Apple Reportedly Doubled Production

32GB of DDR5 now costs $375 minimum — AI shortage continues to squeeze PC building