Founded in 2010, Primasys has been offering a range of IT consulting services in the on-premises and cloud infrastructure area as well as more specialized Risk-Based Security Assessment services. The team has already built up extensive experience with Nextcloud, setting up multiple high-scalability, high-availability installations at customers. Servicing …
In the coming months, you'll have a chance to meet Nextcloud at a variety of events across the globe, and we wanted to give you an overview! Some of them will be fully virtual and some offer an opportunity to meet again in person! The following events will offer business representatives …
To improve the security of Android apps, the Google Play Security Reward Program offers up to $20,000 in security bug bounties for popular Android apps including TikTok, PayPal, Tesla, Spotify, Facebook, Snapchat and Nextcloud Talk and Files. Improving security Nextcloud offers a security bug bounty program, recognizing the contributions of …
The JCM Team is proud to present you the September Issue of the Joomla! Community Magazine.
After the release of Joomla 4.0, I met online with Sigrid Gramlinger-Moser and Benjamin Trenkle to discuss the process and people behind the testing and production of Joomla 4.1, the next Joomla minor version.
Guess what’s the most important on your website? A beautiful template? Wrong! Nice colours and barrier-free? Wrong! Good SEO URLs? Wrong again!
US senator Ron Wyden wants all federal government agencies in the US to be required to …
The European Union has accused Russia of cyberattacks against politicians and of undermining democratic values and …
The Chinese government today declared all financial transactions involving cryptocurrency illegal and …
For years we've noted how both Apple and John Deere have become the face of the kind of obnoxious repair restrictions that have fueled the growing "right to repair" movement. Apple has long been criticized for bullying independent repair shop owners, attempting to monopolize repair, and generally being terrible from an environmental standpoint when it comes to waste and repair. John Deere has been equally criticized for obnoxious DRM and draconian repair policies that force many rural tractor owners to spend thousands of dollars, and sometimes drive thousands of miles, just to get essential agricultural equipment repaired.
US PIRG is now attempting to pressure both companies via their investors, and alongside a "socially responsible mutual fund company," Green Century Funds, has filed shareholder resolutions with both Apple and John Deere asking them to account for “anti-competitive repair policies." The mutual fund argues that Apple is harming the company's brand value by insisting it's socially responsible, then routinely embracing policies that, well, aren't:
"Investors are extremely concerned about Apple’s disingenuous combination of promoting environmental sustainability while inhibiting product repair,” said Green Century President Leslie Samuelrich. “The company risks losing its reputation as a climate leader if it does not cease its anti-repair practices."
Despite growing its independent repair network, Apple continues to earn criticism not only for denying consumers and independent repair shops access to repair materials but also designing products in such a way that hinders repair. Equally troubling, the company has doubled down on this approach by lobbying extensively against Right to Repair laws, which would require electronics manufacturers to provide access to parts and service information to consumers."
In a statement of its own, US PIRG suggested that improving both companies' repair policies just made decent business sense:
"Providing more freedom to repair products saves money and cuts waste. It’s common sense. But manufacturers like Deere and Apple commonly refuse to provide the software, parts or information needed to do certain repairs. It’s time for all manufacturers to stop fighting against opening up repair choices and realize that the call for reform isn’t going away. The wise thing to do is to get in front of pending regulatory changes. So far, however, both companies have attempted to appease repair advocates with half measures -- and even their own shareholders appear to see through those schemes. Just let us fix our stuff."
It's not likely this pressure alone will work. Most investors care little about the broader impact of bad business policies if those policies deliver meaningful quarter-over-quarter returns, and in the short term, being an obnoxious bully in a bid to monopolize repair of your own products potentially generates more money. But the more both companies engage in anti-repair behavior, the louder the opposition grows, feeding a massive push for some sort of state or federal legislation forcing them to do the right thing.
For now, Apple and John Deere lobbyists have managed to stall any legislative reform, but the more they persist in this kind of behavior, and the more attention the right to repair movement gets, the more difficult that's going to be. As such there's an argument to be made that both companies could do wonders for their brands, the environment, markets, and consumer welfare by getting out ahead of calls for reform, before they're forced to.
Three former US intelligence community employees (two who worked for the NSA) have just agreed to pay $1.68 million in fines for violating export control regulations by providing the United Arab Emirates government with powerful hacking tools that government used to target dissidents, pro-democracy activists, and other perceived enemies of the UAE.
If that seems a little light for giving authoritarian thugs better ways to locate, punish, or completely disappear residents and citizens who have angered them by asking for basic human rights, you're right: it is. But that's what the DOJ has agreed to do.
On Sept. 7, U.S. citizens, Marc Baier, 49, and Ryan Adams, 34, and a former U.S. citizen, Daniel Gericke, 40, all former employees of the U.S. Intelligence Community (USIC) or the U.S. military, entered into a deferred prosecution agreement (DPA) that restricts their future activities and employment and requires the payment of $1,685,000 in penalties to resolve a Department of Justice investigation regarding violations of U.S. export control, computer fraud and access device fraud laws. The Department filed the DPA today, along with a criminal information alleging that the defendants conspired to violate such laws.
According to court documents, the defendants worked as senior managers at a United Arab Emirates (U.A.E.)-based company (U.A.E. CO) that supported and carried out computer network exploitation (CNE) operations (i.e., “hacking”) for the benefit of the U.A.E government between 2016 and 2019. Despite being informed on several occasions that their work for U.A.E. CO, under the International Traffic in Arms Regulations (ITAR), constituted a “defense service” requiring a license from the State Department’s Directorate of Defense Trade Controls (DDTC), the defendants proceeded to provide such services without a license.
These services included the provision of support, direction and supervision in the creation of sophisticated “zero-click” computer hacking and intelligence gathering systems – i.e., one that could compromise a device without any action by the target. U.A.E. CO employees whose activities were supervised by and known to the defendants thereafter leveraged these zero-click exploits to illegally obtain and use access credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States.
There's even more detail in the criminal information [PDF] filed this September, which contains a long list of charges against each of the defendants. There are also many details left hidden -- details that have been made public by previous reporting, but which the DOJ insists on pretending it can't say out loud.
Reuters published a long exposé of this trio's efforts back in 2019. It did so with the help of former NSA employee Lori Stroud, who became part of "Project Raven," a clandestine group composed of former US intelligence analysts who aided the UAE in surveilling other governments, militants, and activists opposed to the UAE's oppressive rule.
They also apparently helped the UAE spy on US citizens:
[I]n 2016, the Emiratis moved Project Raven to a UAE cybersecurity firm named DarkMatter. Before long, Stroud and other Americans involved in the effort say they saw the mission cross a red line: targeting fellow Americans for surveillance.
“I am working for a foreign intelligence agency who is targeting U.S. persons,” she told Reuters. “I am officially the bad kind of spy.”
Project Raven originated in Cyberpoint, a Maryland-based computer security company. Baier worked for Cyberpoint when he recruited Stroud. Cyberpoint has its own disturbing connections -- ones exposed by the hacking of Italian malware purveyor, Hacking Team.
The document dump includes lists of client information, including an Excel file that appears to show that Cyberpoint was the partner used to sell Hacking Team spyware to the United Arab Emirates. The firm began selling to the UAE in 2011 and has earned at least $634,500 in revenue from the relationship. The UAE paid an annual maintenance fee through January of this year.
Cyberpoint’s point of contact with Hacking Team is “firstname.lastname@example.org,” according to the client document.
As can be inferred from the email address, Marc Baier was instrumental in this effort, which allowed Hacking Team to evade local restrictions and UN bans on selling to blacklisted countries. By using Cyberpoint as a middleman, Hacking Team sold the UAE powerful exploits. And it appears Project Raven developed some nasty tricks of its own -- ones capable of taking over targets' phones so that the UAE was effectively bcc'd on all their communications.
The ex-Raven operatives described Karma as a tool that could remotely grant access to iPhones simply by uploading phone numbers or email accounts into an automated targeting system. The tool has limits — it doesn’t work on Android devices and doesn’t intercept phone calls. But it was unusually potent because, unlike many exploits, Karma did not require a target to click on a link sent to an iPhone, they said.
In 2016 and 2017, Karma was used to obtain photos, emails, text messages and location information from targets’ iPhones. The technique also helped the hackers harvest saved passwords, which could be used for other intrusions.
Despite this information being in the public domain since January 2019, the DOJ's September 14, 2021 statement tries to play it coy:
U.S. Company Two updated the operating system for its smartphones and other mobile devices in September 2016, undercutting the usefulness of KARMA. Accordingly, CIO created KARMA 2, which relied on a different exploit. In the summer of 2017, the FBI informed U.S. Company Two that its devices were vulnerable to the exploit used by KARMA 2. In August 2017, U.S. Company Two updated the operating system for its smartphones and other mobile devices, limiting KARMA 2’s functionality. However, both KARMA and KARMA 2 remained effective against U.S. Company Two devices that used older versions of its operating system.
Back to the Reuters report:
The former operatives said that by the end of 2017, security updates to Apple Inc’s iPhone software had made Karma far less effective.
That makes the mysterious "U.S. Company One" the three defendants worked for Cyberpoint: Hacking Team's middleman, and eventual partner in hacking crime with the UAE government once Project Raven migrated from Cyberpoint to DarkMatter (the "U.A.E. CO"). "U.S. Company Two," whose operating system updates blunted KARMA and KARMA 2, is Apple.
Given what has already been made public about this, the fine (which is split between the three defendants) seems incredibly low. And yet the DOJ personnel involved are out there trying to pretend this wrist slap will act as some kind of deterrent. Here's Acting Assistant Attorney General Mark Lesko:
“Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct.”
Great. Except no real prosecution happened here. Here's more:
“The FBI will fully investigate individuals and companies that profit from illegal criminal cyber activity,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company – there is risk, and there will be consequences.”
This only shows both the risks and the consequences are minimal.
What it really shows is that if you commit the right kinds of crime, you can pretty much get away with it. I doubt anyone but the defendants is happy with this agreement. But a case like this -- one that involves multiple malware developers working with multiple shady governments -- is already problematic for all of the involved stakeholders, who would prefer to keep their cyber secrets secret. It also involves former NSA employees who brokered deals with malware developers to allow the UAE to purchase regulated digital weapons from companies that were either forbidden or unwilling to sell to the UAE government directly. And then there's Apple, which had to patch its own products twice to eliminate the flaws being exploited by UAE government spies -- itself not a fan of discussing proprietary information in public.
That's a lot of information no one would want to see discussed, even in general terms, in open court. There's only so much redaction and sealed documents can hide. And there's a chance the defendants -- with little left to lose during a serious prosecution -- would start advocating for this information to be revealed to the public. A lot of entities wanted these people punished. And many of those same entities had no desire to see this thing go to trial.
In the end, it's a settlement, not a prosecution, and it gives the appearance the DOJ doesn't really want to push a case where its own dirty spyware laundry, along with that of some of its preferred contractors, might be aired. The $1.68 million fine seems more like a buyout, with the DOJ obtaining a little credibility and no one accused of anything left stinging too much from this performative slap.
It will come as no surprise that we have done many, many posts at Techdirt that involve Sony. While not all of those posts are critical of the company, many of them deal with Sony wielding IP law while claiming it is doing so to "protect creators" of content. We've also discussed instances where some of these IP-wielding companies, supposedly the vanguards of the creative community, have managed to use art created by their own fans without bothering to credit them. To be clear, that likely doesn't run afoul of copyright law, given that fan art typically uses IP owned by these companies. But it doesn't change the fact that not even crediting the fan who created the art is both quite hypocritical and just plain shitty.
So back to Sony: the company appears to be both quite hypocritical and just plain shitty to one fan who seems to have found his fan art used on a movie poster for Venom: Let There Be Carnage.
Reddit user RealJohnGillman posted to r/Spiderman and several other Venom and movie-related subreddits a day after the poster's release, claiming the poster art was "traced from fanart." The fan art in question, posted to DeviantArt in October 2018, depicts Michelle Williams' She-Venom, who appeared briefly in Venom. The character poster teases Williams' return in the sequel. The Reddit post shows a zoomed-in version of the poster next to the fan art to emphasize the similarity. The poster art appears to be a silhouetted version of the fan art; however, some areas, like the curve of the shoulders, don't completely match up.
You can see the images in question below, including a zoomed in image of the part of the poster in question. Poster on the left, fan art on the right.
You can say the images don't match up precisely if you like, but they're certainly very damned close. As mentioned about similar past cases, this likely isn't a copyright infringement issue; the fan artist doesn't own any rights to the character he drew. But, again, if the copyright industries are going to do their maximalist routine under the guise of protecting those who create content, well, fan art is content. And if we stipulate that copyright isn't at issue here, we should certainly be able to agree that Sony or its subcontracted marketers could at least have given the original artist credit if they were going to use his art, no?
Commenters on the post were quick to discuss the possible copyright-related consequences of the alleged theft. "Whelp, someone is getting an unexpected paycheck," one user wrote, while another replied, "Um... no. You have no ownership over an image you create using a licensed character you don't own; it's unethical to use it without compensation, I'll agree, but they own the character."
It's hard to imagine any argument that any of this is ethical on the part of Sony. Protector of creators though it claims to be, it seems the company is also happy to just use art created by others if it suits them.
So we've noted more than a few times that while Elon Musk's Starlink will be a good thing if you can actually get and afford the service, it's going to have a decidedly small impact on the broadband industry as a whole. Between 20 and 42 million Americans lack access to broadband entirely, 83 million live under a monopoly, and tens of millions more are stuck under a duopoly (usually your local cable company and a regional, apathetic phone company). Meanwhile, Starlink is going to reach somewhere between 300,000 and 800,000 subscribers in its first few years, a drop in the overall bucket.
Thanks to massive frustration with broadband market failure (and the high prices, dubious quality, and poor customer service that result), users are decidedly excited about something new. But not only are slots limited by capacity and physics, a lot of those slots are going to get gobbled up by die-hard Elon Musk fans excited to affix Starlink dishes to their boats, RVs, and Cybertrucks. As a result, most of the users who truly need the improved option are unlikely to be able to get it.
But a new PC Magazine survey continues to make it clear that most consumers don't quite understand they'll never actually have the option (especially if they live in a major metro market):
Starlink is expected to come out of beta next month for a broader commercial launch, and has seen 600,000 orders so far. But many of the customers who have signed up say getting a status update from Starlink customer service is effectively impossible. While major Wall Street analysts like Craig Moffett estimate the service may be able to scale to 6 million users over a period of many years, he also notes that guess is extremely optimistic, and will require a significantly updated fleet of 42,000 satellites to achieve.
This all assumes that Starlink will remain financially viable as it works toward that goal, something that's not really guaranteed in a low-orbit satellite industry that has a history of major failures. And there will be questions about throttling and other restrictions once the network gets fully loaded with hungry users. Again, Starlink will be great for off the grid folks if they can get -- and afford -- it, but I suspect there's going to be some heartache when folks excited about the service realize the limitations of its actual reach. And this scarcity is only going to drive even greater interest in a service you probably won't be able to get anytime soon.