Daily Tech News Show is made possible by you, the listener. Thanks to all of you, including Chris Zaragoza, Jim Hart, Logan Larson, Mikhail Soder, Devin Delaney and MZT 928. On this episode of DTNS, a supply chain attack against open source settles things. What happened to that US TikTok ban? Turns out, still on. And why Microsoft is footing the bill for OpenAI to build the most expensive data center ever. This is the Daily Tech News for April 1, 2024. In Los Angeles, I'm Tom Merritt. From deep in the heart of Texas, I'm Justin Robert Young. And the show's producer, Roger Chang. Today, of course, is the 20th anniversary of the launch of Gmail. Happy 20th birthday, Gmail, April 1, 2004. I got my Gmail address today. Yeah. Yeah. Oh, no, those invites were a hot commodity. They were tough to get. They were tough to get, one of the first big, you know, invite-first traps on the internet. The Gmail invite economy. True. Listen, folks, it's April Fool's Day. There's some April Fool's content out there. Thankfully, not nearly as much as there used to be 10 years ago or so. So we're not going to cover any of the April Fool's jokes. If you had fun with them, that's great. We do not begrudge you, but this is just going to be a regular old show built on things that are, you know, as far as we can tell, mostly factual. Exactly. Yes. A factual show for good-hearted people like you.

Let's begin with the quick hits. After a complaint from Slack in July 2023, the EU began investigating Microsoft's bundling of Teams into Office 365 and Microsoft 365. Microsoft just caved and said in August last year, we'll unbundle it for Europe and Switzerland, and has now said, you know what? We'll just unbundle it for everybody. The whole world gets it. If you're a current Microsoft 365 subscriber, you can keep things as they are. If you've got Teams and you're paying a certain price, that's not going to change. But you can change it.
And if you're a new subscriber, you get the option of subscribing to Microsoft 365 or Teams or both. In other words, you could have just Teams without Microsoft 365. Teams will cost you $5.25 a month. The Office part will cost you $7.75 a month. Now, that's the simplest plan that we can describe in a short amount of words. There are dozens of other variants of Microsoft subscription offerings and enterprise versions and business versions. But the best comparison is that. And given that, you save about $0.50 if you don't choose Teams over what you were paying before, and you pay an extra $4.75 if you want to include Teams.

Semafor notes that in the last week, five of the seven podcasts promoted in Apple's carousel in the Apple Podcasts app were participating in Apple's podcast subscriptions. Some podcast makers have told Semafor that Apple suggested participating in subscriptions in order to get into the carousel, since Apple is prioritizing promoting shows that participate. It's like a chicken and egg thing, right? They want to promote the things that get them more money through the subscription. But they also say the subscriptions don't bring them that much more money, but they're still promoting things. I will also say that part of this is also specs, uploading the right specs for the art that's there. It is a very specific process. And I would take a wild guess that if you are in contact with them to do that kind of stuff, you're probably also uploading in the correct specs. So this is not a causation-to-correlation. We don't know. Yeah, we don't know.

Let's go to something more simple, electric vehicles in China. Last week, Xiaomi opened orders for its SU7 electric vehicle, which is not an SUV, it's a sports car. The company said it reached 88,898 orders within the first 24 hours, eight being a very lucky number. So I guess that's why they really emphasize that. Customers have said their shop times, or ship times, for the SU7 Max have lengthened to almost seven months now.
The SU7 has a minimum range of 435 miles, and the standard version costs 215,900 yuan, which is about $30,000 US, a little less. There's also a Max version, that's the one that has the long lead time on shipping, and a Founders version of the Xiaomi EV.

AT&T has reset the customer service passwords for millions of its subscribers in the United States after records were posted online. The four-digit passcodes could be used when calling customer service to make changes to an account. The codes were weakly encrypted, so easy to crack. AT&T says the data set appears to be from 2019 or earlier and includes 71.6 million current account holders and 65.4 million former account holders. There is no evidence of unauthorized access as of yet. It's not even so much that they were weakly encrypted, which they were. It was that four-digit codes are just easy to guess because people use things like the last four digits of their Social. So if you knew that from the rest of the data in the dump, you could start to figure stuff out.

Finally, Google has agreed to destroy data collected when people used Incognito mode in Chrome. Incognito mode did not track users for advertising purposes, but the browser did collect certain basic information in order to serve websites, things like IP addresses and load, that gives you location, etc., etc. Google is rewriting its disclosures around Incognito mode to reflect this. But in the meantime, it has agreed to destroy any of the data it collected before it made the disclosure.

All right, this is big news in the open source community. And it's some serious stuff. A widely used compression program called XZ Utils. It's a compression utility like 7-Zip or gzip or something like that, but it's bundled into a lot of things. A lot of times it's used in installers. Almost all Linux and Unix-style operating systems include it as an option because of that.
It's used in loads of apps and it supports a legacy format called .lzma, which is used a lot still. So it was rather unsettling Friday when a Microsoft developer named Andres Freund announced that he had sort of stumbled across a backdoor that had been pushed into this open source utility. Now, that's the way open source is supposed to work. It's got all the eyes on it because everybody can see the code. And so you discover these vulnerabilities. But he almost didn't find it because he wasn't looking at it for security vulnerabilities. He was troubleshooting a remote login problem in Debian. And he found that it was using up more CPU than it should and generating some errors in a memory monitoring utility. And he decided to trace it. He's one of those people who's like, you know, I got to figure this out. Why is it doing this? So he tracked the problem to some updates made to XZ Utils and found that there was malicious code in versions 5.6.0 and 5.6.1. The malicious code activated when the utility performed certain LZMA compression activities related to SSH encryption. So it wouldn't happen all the time, but in certain situations, it would. And when it did, it could give an attacker root privileges on the machine. So how common is something like this at this scale discovered? Give us, give us like a one to 10. This is the first time anyone's seen anything like this. So an 11. Yeah, it doesn't mean it hasn't been happening somewhere else and no one noticed. That's the kind of disturbing thing. It's what's called a supply chain attack. So that's where you insert the code upstream. Usually you hear about supply chain attacks where somebody got some code into the shipping version of a driver and then everybody goes and downloads the driver and they get the malicious code. This is kind of a version of that. It gets distributed through trusted channels.
The detective work is on to find out how the malicious code got in without anyone noticing, but the earliest evidence is that in 2021, a user going by JiaT75 replaced a function with a less secure variant and no one noticed. So maybe that was a test to see if he could get away with it. In 2022, that same user submitted a patch and started to harangue the one person maintaining XZ Utils with around five GitHub users who were also brand new to the project. So maybe they were all the same person. We don't know. And said, you know what, you can't handle this anymore. You need to add an additional developer to this project, which they did, which was JiaT75. In January 2023, JiaT75 made their first real commit to the project and began making widespread changes, including replacing the original maintainer of XZ Utils' contact info with their own on a project that scans open source software for vulnerabilities and then requesting that that project disable a certain function so that it wouldn't detect some malicious changes that were subsequently made. In February this year, JiaT75 made the final updates that completed implementation of the backdoor and then began intense lobbying of Ubuntu, Red Hat and Debian to merge those changes into their updates. The code was not included in the GitHub version you compile yourself. So that was one way they hid it. If somebody was looking at GitHub for vulnerabilities, they wouldn't have found it. They were only putting it in what is called the tarball that you deliver to make it easier to install this. And its structure seemed to target Debian and Red Hat specifically. In other words, those tarballs, the files you get in an automatic update, would have had the malicious code, but not the source code. And they would have activated in Debian and Red Hat more often. The code was briefly available in Kali Linux and openSUSE and also in development and beta versions of Red Hat and Debian.
Justin, this is definitely something that's going to cause a lot of conversation on a lot of discussion boards about what do you do when there's just one person who's been maintaining a utility or a package that is really essential for a long time and that person gets tired and starts to be maybe a little vulnerable to some social engineering. It kind of makes you wonder whether or not we need like a Peace Corps for open source that you could have some element of, I mean, there's a lot of money floating around the internet. I think this is the cause that a lot of people can get behind. But if you are of a certain age and have a certain level, if you can learn some of the tools of the open source internet, if you are able to go in, we will make it worth your while so you can help maintain these codes, because as you pointed out, this is something that was obviously open for the taking. This person, this malicious actor, seems to have walked right in the front door and did whatever they wanted to do. And yet the consequences of something like this could have been massive. It might have been massive. And not easy to detect, because as a couple people in the chat are noting, the tarball release being different than the GitHub release is not uncommon. A lot of times you're putting a little extra stuff in to make it easy to install, and people want that. So it didn't immediately stand out that it was different. And this was a long con. It took a lot of effort. Like I'm not sure how replicable this was, but JiaT75 has apparently made some changes to other open source projects out there and those projects are now starting to review what happened. But I'm not saying that everybody could replicate this, especially now that it's gotten so much attention. But it really does open the conversation of what should be done about it to make sure that that doesn't happen again.
It's been 18 days since the US House passed a bill that, if it became law, would force ByteDance to sell TikTok or force companies to block distribution of that app in the United States, but it has not passed the United States Senate, which it needs to do before it would go to the president to be signed into law. It passed fast in the House, but it obviously is not going nearly as fast in the Senate. Justin, you've gone back and forth about how fast you thought the Senate would act. Where are you now, 18 days later? Well, the question has never been specifically whether or not it was going to get traction in the Senate. Nothing that explodes from the House, especially this House, which has not been able to agree on anything, was going to be taken lightly. The question was, did it have enough juice behind it that there would be action taken before they went on the break that they are on now? The answer to that was no. Democrats, which effectively control this process, we've talked about on the show, they are going to be in control of this bill until it becomes a law, or they will essentially decide if it doesn't, considering the Democrats control the Senate. And there is a Democratic president who has said he'll sign the House law. So there's not a lot of pushback there. The big question now, and you're getting reporting out of the Senate on how they're looking to handle this, is, number one, does the Senate want to change the language of the House bill? That seems more likely. But once you open up that door, now you have the multifaceted question of, well, exactly what do we want to change?
And what you've seen is sort of the range of options when it comes to that, either extending the time that ByteDance would have to sell or expanding some of the provisions that would then affect other social media companies, or replacing it with Maria Cantwell's bill, which is something that she had put out and was deemed too broad, that would have greater leeway to restrict things amongst the chamber or the Commerce Committee within the Senate. So what we know now is there still is push for this bill. The question is exactly what it's going to look like on the other end. And the key player here does appear to be Maria Cantwell. Now, how much of this do you think is the Senate saying, okay, fine, we'll do this, but we want to make it the Senate version, which is normal. And maybe that's Maria Cantwell going, well, you know, I had a pretty good bill. Let's look at my bill instead. And that could lead to bills falling apart, but it can also be reconciled and lead to things getting passed. It's how business is done. Is there any chance that some of this is the Senate dragging its feet and saying, we really don't want to deal with this in an election year? Let's drag this out as long as possible. Tom, there's a lot of a possibility that that's exactly what's happening, because very often in the Senate, if you want a thing to die, you smother it with love. You know, you, I love this bill. I just need to make a couple of changes to fix it. I want it to be better. I want it to be better. And that's why I'm not voting for it, because I need it to be better. All these other people, they're the real non-supporters because they don't want to support my super better version of this bill. There's obviously a lot that's going on here. We are in an election year. We are in a logjam, not only between the House and the Senate, but also really amidst both the House and the Senate, that are drawing thicker and thicker lines between them.
And does, you know, does the Senate want this to be their signature thing that they did in the year of 2024, to make TikTok divest? Now the other side of this is, if you really want this to be effective and you want ByteDance to divest from TikTok, or you want it gone, right? And there's the two sides of this. Do you need to craft a bill that you believe will withstand a legal challenge? And that's what you're starting to hear also in the Senate, is that this is great. We want this end result. We don't want this to be something that just gets overturned and now we're back at square one anyway. Now, I don't know the legal side of this. I don't know how you would push it. And I think tying something to national security makes it more difficult to overturn, but you don't know. My suspicion is that the Cantwell bill kind of falls into the same area as the chip restrictions we're seeing, right? We don't need a bill for the president to determine that chips are essential to national security. And as such, he can put people on the entity list. He could put companies on the entity list and say, you cannot sell chips to Huawei. He can also say, you know what? The kinds of intellectual property that make it possible to make five nanometer chips and three nanometer chips, that is a security issue if it goes to foreign adversaries. So you're not allowed to sell equipment or intellectual property to companies inside of those countries making things for those foreign adversaries, particularly China. So I could see the Cantwell bill saying, let's give the president the authority to do that with apps. And that would be able to survive constitutional challenge more robustly than just saying, we don't like ByteDance, let's outlaw it, right? It also gives the president a whole lot more power, because the president is able, both the past two presidents have teamed up.
You may not hear them teaming up on much, but they teamed up to continue to restrict what kinds of technology can be sold to China and Chinese companies. And it would give them now that same power over whatever apps are made by those companies as well. So meanwhile, the other reality of this is we are in an election year and you're seeing a lot of people put a lot of money into advertising. TikTok has put a ton of money into advertising specifically in states where there are Democrats, that again are going to control this process, that are up for election, including Pennsylvania and Michigan, Nevada, Arizona. They spent a lot. There's a couple other groups that have spent on the other side, but here's where we are right now in terms of public opinion. The CNBC All-America Economic Survey found that 20% believe that TikTok should be banned. 27% think it should be banned if ByteDance doesn't sell. 31% believe it should not be banned and 22% are undecided. But that means that nearly 50% of survey respondents, 47%, essentially believe that the House bill is right, that either it should be banned or it should be banned if it doesn't divest. And that's what the House bill says. Yeah. And that's, that's not 50%, but you don't have 50% say don't ban it either, because you've got 22% who are saying, is that an app? What is that again? Yeah. So yeah, seven months is a long time till the US election in November. So a lot of things could change. A lot of things can happen between now and then, but it feels like right now, if conditions remain unchanged by the future, we're not going to see any movement on this till after next year. Yeah. Yeah. Well, we'll see. We'll see.

All right. Well, that's good news for the folks who like TikTok, isn't it? If you are a folk who likes Apple, I have good news for you as well. Sarah Lane and Eileen Rivera have an amazing show called the Apple Vision Show. It's not just about the Apple Vision Pro.
It's about Apple's vision for your technological future and how it matches up with theirs, because they're, you know, humans like you and me who are like, you know what? I use this stuff for real in real life. How does it work? You're going to get a great conversation from them today. They've got an excellent little kicker planned about this weird little app that follows you around on your desktop, like not your computer desktop, like your real desktop. So go check it out. That is Apple Vision Show. Get subscribed now. AppleVisionShow.com.

The Information is reporting that Microsoft and OpenAI are planning on constructing a data center that would include an AI supercomputer they call Stargate, set to launch in 2028, just because it's really powerful, not because it will actually open a portal for you to transfer to another planet, at least not that. Cost is pegged around $100 billion, could reach up to $115 billion, according to The Information's estimates. Microsoft's footing the bill for this thing because Microsoft runs data centers. They're the Azure folks, the cloud folks. Stargate would be phase five in a series of data centers that the two companies are planning. So over the next six years, there would be other phases of this that may be a little less powerful, a little less expensive. For example, a less costly phase four system could launch in 2026. Apparently they're targeting Mount Pleasant, Wisconsin as the location for that phase four system. But anyway, this sounds like a lot of money. It sounds like shooting for the moon, calling it Project Stargate. Is it that, Justin, or is this the beginning of the new normal for AI? I believe it's the beginning of the new normal, but let's take a real quick trip back in time, shall we, Tom? Rumor is that this has been in the works for a little bit. If not specifically part of the partnership that OpenAI has made with Microsoft, it has greatly benefited both sides.
But imagine that you're Microsoft CEO Satya Nadella, and all of a sudden, you see that big kerfuffle with OpenAI's board a few months ago. And you know that you are already well on your way to building a $100 billion data center to be benefited by this company. That's the kind of stuff and context that you could imagine was wrapped around him welcoming the new CEO of OpenAI while also saying that they were hiring Sam Altman, before they did the hokey pokey and turned it all around and got everything back to where they were. But the reality of this is, if you believe, as I do, that AI is going to be a revolution and game changer in technology, and it is not just going to be a destination tool, the way that we think of it now, that you're building these various different things, but they will be woven into everything that we do, much in the same way that Adobe has been on the leading edge of folding things in. And you're already seeing a lot of AI stuff that's happening on the back end of websites and services that you wouldn't have otherwise thought of. Then what we will need is compute. What we will absolutely be thirsty for, and we will very, very quickly hit our head on the top of the ceiling for, is just straight-out compute, processing power, especially if Microsoft and OpenAI are going to be two of the biggest APIs that a lot of these systems are going to be built on. And if that's the reality, then that's the reason why you've seen Sam Altman go to some of these sovereign wealth funds and say, hey, I need $7 billion for chip foundries. Because he is anticipating the need, that right now what we think of as pumping out chips is going to be woefully inadequate a lot faster than we think. Yeah. And there is still a chip shortage. It's not for car chips so much anymore as it is for the Nvidia GPUs you use specifically to run AI. And that's part of wanting to have a system that you can rely on for several years that doesn't depend on an Nvidia bottleneck.
It gives you another source of power that isn't putting all that power in one company's hands, to the point that The Information says that OpenAI was saying, let's not even use Nvidia's cables. Let's just figure out how to use regular old Ethernet cables so we don't have to buy anything from Nvidia. Yeah, yeah. Because they understand that this is going to be one of the stories of the next decade, in my opinion. One of the big ramifications of AI becoming more of a part of all of our lives is just going to be the reality of what it takes to make. And considering how fast we have seen this kind of stuff scale up, who knows what that's even going to look like? Who knows what the capacity? Here's what we know. It iterates fast. It's very intensive and it's extraordinarily popular. That is a perfect storm for we need more chips, like, yesterday. And there's going to be huge conversations about the responsibility of this. If it's using that much power, people already criticize cloud computing in a lot of ways for using power. And you see a lot of cloud computing companies bending over backwards to figure out power-efficient ways to use renewable energy, to put data centers in the ocean so that you can take advantage of wave energy as well as ocean cooling to reduce efficiency. They're going to need to get really efficient, because these things use a lot of power, to the point, again, The Information saying that they're considering like connecting nuclear power plants to the data centers, which is going to start a whole other conversation, I'm sure, if that ended up being true. But there's going to be a conversation about, do we need this bad enough to use this much energy? One of Sam Altman's big bets is fusion energy. That's a huge bet for him. And I think part of it is him seeing this, that another element of it, you can have the chips, but you need the power. And if you need the power, then what are we looking at in our current capability to fill that kind of bill?
And how can we think about innovating going forward? What is exciting is that on the other side of this is a lot of money and prosperity for the people that make it. So you would imagine that they will go as fast as possible. Yeah. It looks to me a little bit like a typical cycle. We had data centers that were there to provide enterprise-level locations with the ability to communicate across locations. Then we had data centers for websites. Then we had data centers for cloud computing. To me, one perspective is this is just the next thing that data centers are good for. We keep figuring out how to use data centers for bigger and bigger things. We make them more powerful and more efficient as they go along because of that. Certainly so. And the only question is exactly how big is this, 10x, 100x, 1000x from what we would look at in the past? And then there's always the chance that none of this works. There's always that. There's always plans.

Alright, let's check out the mailbag real quick. Carl wrote in regarding that story we had last week about four Ontario-area school boards suing multiple social network companies, including Snap and Meta, for harm against teenagers, saying they knew what they were doing when they created their apps in a way that would harm students. Carl wrote: a thought on the Ontario school board suit. They may or may not be right, but I honestly think it's more of a political power play. The school board has gotten really hammered by some of its decisions. And the premier of Ontario doesn't seem to like them. So from either direction, and it's probably messy, this fight was going to happen there at some point. I expect similar suits to happen from a couple of the other provinces shortly, but from different parts of the government. Canada. Justin, could it possibly be political? Everything's politics. Everything. Everything. No, it's a really good point, Carl, and thanks for the on-the-ground insight.
And thank you, Justin Robert Young, for being with us. What else have you got going on this week to tell folks about? You know, obviously Politics Politics Politics, available wherever you get your podcasts. But I want to go ahead and remind everybody, because I got an email about folks finding my panel show, We're Not Wrong, because I mentioned it here on DTNS. On We're Not Wrong, myself, Jen Briney and Andrew Heaton discuss the issues of the day. I think you're going to enjoy it. Head on over there. We're Not Wrong, wherever you get your podcasts. Folks, a reminder that I've got a book underway called Sinked: Understand Technology and Make It Work For You. You can find it by going to tomsnewbook.com, a URL I registered at Justin's suggestion many years ago, and it's come in very handy. We are 45% funded on this book, and I really, really want to get us to 50% this week. Thanks to everybody who's been patient with this. It is in British pounds, because it's a British publisher, and I know that's thrown some folks off here and there. But I appreciate that 212 people have been able to make this work. So thank you for that. And I just need 200 more, and we'll get this book published. It's all of the topics about technology with my take on them, the essentials, the things you need to know, in book form. Go and check it out, tomsnewbook.com. Also, stick around for the extended show Good Day Internet. There is another bottleneck to the AI world that's not data centers. It's data. What if you've got no data to train these things on? Are large language models facing a data crunch? Stick around and find out. You can also catch the show live Monday through Friday, 4 p.m. Eastern, 2000 UTC. Find out more at dailytechnewshow.com/live. Back tomorrow. Talk to you then.