Helen Toner, a former OpenAI board member, said that the board didn't know about the company's 2022 launch of its chatbot ChatGPT until afterward -- and only found out about it on Twitter. From a report: In a podcast, Toner gave her fullest account to date of the events that prompted her and other board members to fire Sam Altman in November of last year. In the days that followed Chief Executive Officer Sam Altman's sudden ouster, employees threatened to quit, Altman was reinstated, and Toner and other directors left the board. "When ChatGPT came out in November 2022, the board was not informed in advance about that," Toner said on the podcast. "We learned about ChatGPT on Twitter."

In a statement provided to the TED podcast, OpenAI's current board chief, Bret Taylor said, "We are disappointed that Ms. Toner continues to revisit these issues." He also said that an independent review of Altman's firing "concluded that the prior board's decision was not based on concerns regarding product safety or security, the pace of development, OpenAI's finances, or its statements to investors, customers, or business partners." [...] In the podcast, Toner also said that Altman didn't disclose his involvement with OpenAI's startup fund. And she criticized his leadership on safety. "On multiple occasions, he gave us inaccurate information about the formal safety processes that the company did have in place," she said,"meaning that it was basically impossible for the board to know how well those safety processes were working or what might need to change."

The term "auth" is ambiguous, often meaning either authentication (authn) or authorization (authz), which leads to confusion and poor system design. Instead, Nicole Tietz-Sokolskaya, a software engineer at AI market research platform Remesh, argues that the industry adopt the terms "login" for authentication and "permissions" for authorization, as these are clearer and help maintain distinct, appropriate abstractions for each concept. From their blog post: We should always use the most clear terms we have. Sometimes there's not a great option, but here, we have wonderfully clear terms. Those are "login" for authentication and "permissions" for authorization. Both are terms that will make sense with little explanation (in contrast to "authn" and "authz", which are confusing on first encounter) since almost everyone has logged into a system and has run into permissions issues. There are two ways to use "login" here: the noun and the verb form. The noun form is "login", which refers to the information you enter to gain access to the system. And the verb form is "log in", which refers to the action of entering your login to use the system. "Permissions" is just the noun form. To use a verb, you would use "check permissions." While this is long, it's also just... fine? It hasn't been an issue in my experience.

Both of these are abundantly clear even to our peers in disciplines outside software engineering. This to me makes it worth using them from a clarity perspective alone. But then we have the big benefit to abstractions, as well. When we call both by the same word, there's often an urge to combine them into a single module just by dint of the terminology. This isn't necessarily wrong -- there is certainly some merit to put them together, since permissions typically require a login. But it's not necessary, either, and our designs will be stronger if we don't make that assumption and instead make a reasoned choice.

The Internet Archive is "currently in its third day of warding off an intermittent DDoS cyber-attack," writes Chris Freeland, Director of Library Services at Internet Archive, in a blog post. While library staff stress that the archives are safe, access to its services are affected, including the Wayback Machine. From the post: Since the attacks began on Sunday, the DDoS intrusion has been launching tens of thousands of fake information requests per second. The source of the attack is unknown. "Thankfully the collections are safe, but we are sorry that the denial-of-service attack has knocked us offline intermittently during these last three days," explained Brewster Kahle, founder and digital librarian of the Internet Archive. "With the support from others and the hard work of staff we are hardening our defenses to provide more reliable access to our library. What is new is this attack has been sustained, impactful, targeted, adaptive, and importantly, mean." Cyber-attacks are increasingly frequent against libraries and other knowledge institutions, with the British Library, the Solano County Public Library (California), the Berlin Natural History Museum, and Ontario's London Public Library all being recent victims.

In addition to a wave of recent cyber-attacks, the Internet Archive is also being sued by the US book publishing and US recording industries associations, which are claiming copyright infringement and demanding combined damages of hundreds of millions of dollars and diminished services from all libraries. "If our patrons around the globe think this latest situation is upsetting, then they should be very worried about what the publishing and recording industries have in mind," added Kahle. "I think they are trying to destroy this library entirely and hobble all libraries everywhere. But just as we're resisting the DDoS attack, we appreciate all the support in pushing back on this unjust litigation against our library and others."

An anonymous reader quotes a report from Wired: Two years ago when "Michael," an owner of cryptocurrency, contacted Joe Grand to help recover access to about $2 million worth of bitcoin he stored in encrypted format on his computer, Grand turned him down. Michael, who is based in Europe and asked to remain anonymous, stored the cryptocurrency in a password-protected digital wallet. He generated a password using the RoboForm password manager and stored that password in a file encrypted with a tool called TrueCrypt. At some point, that file got corrupted and Michael lost access to the 20-character password he had generated to secure his 43.6 BTC (worth a total of about [...] $5,300, in 2013). Michael used the RoboForm password manager to generate the password but did not store it in his manager. He worried that someone would hack his computer and obtain the password. "At [that] time, I was really paranoid with my security," he laughs.

Grand is a famed hardware hacker who in 2022 helped another crypto wallet owner recover access to $2 million in cryptocurrencyhe thought he'd lost forever after forgetting the PIN to his Trezor wallet. Since then, dozens of people have contacted Grand to help them recover their treasure. But Grand, known by the hacker handle "Kingpin," turns down most of them, for various reasons. Grand is an electrical engineer who began hacking computing hardware at age 10 and in 2008 cohosted the Discovery Channel's Prototype This show. He now consults with companies that build complex digital systems to help them understand how hardware hackers like him might subvert their systems. He cracked the Trezor wallet in 2022 using complex hardware techniques that forced the USB-style wallet to reveal its password. But Michael stored his cryptocurrency in a software-based wallet, which meant none of Grand's hardware skills were relevant this time. [...] Michael contacted multiple people who specialize in cracking cryptography; they all told him "there's no chance" of retrieving his money. But last June he approached Grand again, hoping to convince him to help, and this time Grand agreed to give it a try, working with a friend named Bruno in Germany who also hacks digital wallets.

Grand and Bruno spent months reverse engineering the version of the RoboForm program that they thought Michael had used in 2013 and found that the pseudo-random number generator used to generate passwords in that version -- and subsequent versions until 2015 -- did indeed have a significant flaw that made the random number generator not so random. The RoboForm program unwisely tied the random passwords it generated to the date and time on the user's computer -- it determined the computer's date and time, and then generated passwords that were predictable. If you knew the date and time and other parameters, you could compute any password that would have been generated on a certain date and time in the past. [...] There was one problem: Michael couldn't remember when he created the password. According to the log on his software wallet, Michael moved bitcoin into his wallet for the first time on April 14, 2013. But he couldn't remember if he generated the password the same day or some time before or after this. So, looking at the parameters of other passwords he generated using RoboForm, Grand and Bruno configured RoboForm to generate 20-character passwords with upper- and lower-case letters, numbers, and eight special characters from March 1 to April 20, 2013. It failed to generate the right password. [...] Instead, they revealed that they had finally found the correct password -- no special characters. It was generated on May 15, 2013, at 4:10:40 pm GMT.

OpenAI said on Tuesday that it has begun training a new flagship AI model that would succeed the GPT-4 technology that drives its popular online chatbot, ChatGPT. From a report: The San Francisco start-up, which is one of the world's leading A.I. companies, said in a blog post that it expects the new model to bring "the next level of capabilities" as it strives to build "artificial general intelligence," or A.G.I., a machine that can do anything the human brain can do. The new model would be an engine for A.I. products including chatbots, digital assistants akin to Apple's Siri, search engines and image generators.

OpenAI also said it was creating a new Safety and Security Committee to explore how it should handle the risks posed by the new model and future technologies. "While we are proud to build and release models that are industry-leading on both capabilities and safety, we welcome a robust debate at this important moment," the company said. OpenAI is aiming to move A.I. technology forward faster than its rivals, while also appeasing critics who say the technology is becoming increasingly dangerous, helping to spread disinformation, replace jobs and even threaten humanity. Experts disagree on when tech companies will reach artificial general intelligence, but companies including OpenAI, Google, Meta and Microsoft have steadily increased the power of A.I. technologies for more than a decade, demonstrating a noticeable leap roughly every two to three years.

A hacker group called RansomHub said it was behind the cyberattack that hit the Christie's website just days before its marquee spring sales began, forcing the auction house to resort to alternatives to online bidding. From a report: In a post on the dark web on Monday, the group claimed that it had gained access to sensitive information about the world's wealthiest art collectors, posting only a few examples of names and birthdays. It was not immediately possible to verify RansomHub's claims, but several cybersecurity experts said they were a known ransomware operation and that the claim was plausible. Nor was it clear if the hackers had gained access to more sensitive information, including financial data and client addresses. The group said it would release the data, posting a countdown timer that would reach zero by the end of May.

At Christie's, a spokesman said in a statement, "Our investigations determined there was unauthorized access by a third party to parts of Christie's network." The spokesman, Edward Lewine, said that the investigations "also determined that the group behind the incident took some limited amount of personal data relating to some of our clients." He added, "There is no evidence that any financial or transactional records were compromised." Hackers said that Christie's failed to pay a ransom when one was demanded.

"Merged this Friday evening into the Linux 6.10 kernel is the new mseal() system call for memory sealing," reports Phoronix: The mseal system call was led by Jeff Xu of Google's Chrome team. The goal with memory sealing is to also protect the memory mapping itself against modification. The new mseal Linux documentation explains:

"Modern CPUs support memory permissions such as RW and NX bits. The memory permission feature improves security stance on memory corruption bugs, i.e. the attacker can't just write to arbitrary memory and point the code to it, the memory has to be marked with X bit, or else an exception will happen. Memory sealing additionally protects the mapping itself against modifications. This is useful to mitigate memory corruption issues where a corrupted pointer is passed to a memory management system... Memory sealing can automatically be applied by the runtime loader to seal .text and .rodata pages and applications can additionally seal security-critical data at runtime. A similar feature already exists in the XNU kernel with the VM_FLAGS_PERMANENT flag and on OpenBSD with the mimmutable syscall."

The mseal system call is designed to be used by the likes of the GNU C Library "glibc" while loading ELF executables to seal non-writable memory segments or by the Google Chrome web browser and other browsers for protecting security sensitive data structures.

A Rust Foundation blog post begins by reminding readers that Rust programs "are unable to compile if memory management rules are violated, essentially eliminating the possibility of a memory issue at runtime."

But then it goes on to explore "Unsafe Rust in the wild" (used for a small set of actions like dereferencing a raw pointer, modifying a mutable static variable, or calling unsafe functions). "At a superficial glance, it might appear that Unsafe Rust undercuts the memory-safety benefits Rust is becoming increasingly celebrated for. In reality, the unsafe keyword comes with special safeguards and can be a powerful way to work with fewer restrictions when a function requires flexibility, so long as standard precautions are used."

The Foundation lists those available safeguards — which "make exploits rare — but not impossible." But then they go on to analyze just how much Rust code actually uses the unsafe keyword: The canonical way to distribute Rust code is through a package called a crate. As of May 2024, there are about 145,000 crates; of which, approximately 127,000 contain significant code. Of those 127,000 crates, 24,362 make use of the unsafe keyword, which is 19.11% of all crates. And 34.35% make a direct function call into another crate that uses the unsafe keyword [according to numbers derived from the Rust Foundation project Painter]. Nearly 20% of all crates have at least one instance of the unsafe keyword, a non-trivial number.

Most of these Unsafe Rust uses are calls into existing third-party non-Rust language code or libraries, such as C or C++. In fact, the crate with the most uses of the unsafe keyword is the Windows crate, which allows Rust developers to call into various Windows APIs. This does not mean that the code in these Unsafe Rust blocks are inherently exploitable (a majority or all of that code is most likely not), but that special care must be taken while using Unsafe Rust in order to avoid potential vulnerabilities...

Rust lives up to its reputation as an excellent and transformative tool for safe and secure programming, even in an Unsafe context. But this reputation requires resources, collaboration, and constant examination to uphold properly. For example, the Rust Project is continuing to develop tools like Miri to allow the checking of unsafe Rust code. The Rust Foundation is committed to this work through its Security Initiative: a program to support and advance the state of security within the Rust Programming language ecosystem and community. Under the Security Initiative, the Rust Foundation's Technology team has developed new tools like [dependency-graphing] Painter, TypoMania [which checks package registries for typo-squatting] and Sandpit [an internal tool watching for malicious crates]... giving users insight into vulnerabilities before they can happen and allowing for a quick response if an exploitation occurs.

"Microsoft has confirmed plans to pull the plug on VBScript in the second half of 2024 in a move that signals the end of an era for programmers," writes Tech Radar.

Though the language was first introduced in 1996, Microsoft's latest announcement says the move was made "considering the decline in VBScript usage": Beginning with the new OS release slated for later this year [Windows 11, version 24H2], VBScript will be available as features on demand. The feature will be completely retired from future Windows OS releases, as we transition to the more efficient PowerShell experiences.
Around 2027 it will become "disabled by default," with the date of its final removal "to be determined."

But the announcement confirms VBScript will eventually be "retired and eliminated from future versions of Windows." This means all the dynamic link libraries (.dll files) of VBScript will be removed. As a result, projects that rely on VBScript will stop functioning. By then, we expect that you'll have switched to suggested alternatives.
The post recommends migirating applications to PowerShell or JavaScript.

This year's annual "feature update" for Windows will also include Sudo for Windows, Rust in the Windows kernel, "and a number of user interface tweaks, such as the ability to create 7-zip and TAR archives in File Explorer," reports the Register. "It will also include the next evolution of Copilot into an app pinned to the taskbar."

But the downgrading of VBScript "is part of a broader strategy to remove Windows and Office features threat actors use as attack vectors to infect users with malware," reports BleepingComputer: Attackers have also used VBScript in malware campaigns, delivering strains like Lokibot, Emotet, Qbot, and, more recently, DarkGate malware.

Roughly 160,000 U.S.-based amateur radio enthusiasts belong to the American Radio Relay League, a nonprofit with 100 full-time and part-time staff members.

Nine days ago it announced "that it suffered a cyberattack that disrupted its network and systems," reports BleepingComputer, "including various online services hosted by the organization." "We are in the process of responding to a serious incident involving access to our network and headquarters-based systems. Several services, such as Logbook of The World and the ARRL Learning Center, are affected," explained ARRL in a press release... [T]he ARRL took steps to allay members' concerns about the security of their data, confirming that they do not store credit card information or collect social security numbers.

However, the organization confirmed that its member database contains some private information, including names, addresses, and call signs. While they do not specifically state email addresses are stored in the database, one is required to become a member of the organization.
"The ARRL has not specifically said that its member database has been accessed by hackers," Security Week points out, "but its statement suggests it's possible."

The site adds that it has also "reached out to ARRL to find out if this was a ransomware attack and whether the attackers made any ransom demand."

Thanks to Slashdot reader AzWa Snowbird for sharing the news.

An anonymous reader quotes a report from The Register: The Federal Trade Commission (FTC) has shared data on the most impersonated companies in 2023, which include Best Buy, Amazon, and PayPal in the top three. The federal agency detailed the top ten companies scammers impersonate and how much they make depending on the impersonation. By far the most impersonated corp was Best Buy and its repair business Geek Squad, with a total of 52k reports. Amazon impersonators came in second place with 34k reports, and PayPal a distant third with 10,000. Proportionally, the top three made up roughly 72 percent of the reports among the top ten, and Best Buy and Geek Squad scam reports were about 39 percent on their own. Though, high quantity doesn't necessarily translate to greater success for scammers, as the FTC also showed how much scammers made depending on what companies they impersonated. Best Buy and Geek Squad, Amazon, and PayPal scams made about $15 million, $19 million, and $16 million respectively, but that's nothing compared to the $60 million that Microsoft impersonators were able to fleece. [...]

The FTC also reported the vectors scammers use to contact their victims. Phone and email are still the most common means, but social media is becoming increasingly important for scamming and features the most costly scams. The feds additionally disclosed the kinds of payment methods scammers use for all sorts of frauds, including company and individual impersonation scams, investment scams, and romance scams. Cryptocurrency and bank transfers were popular for investment scammers, who are the most prolific on social media, while gift cards were most common for pretty much every other type of scam. However, not all scammers ask for digital payment, as the Federal Bureau of Investigation says that even regular old mail is something scammers are relying on to get their ill-gotten gains.

Messaging app Signal's president Meredith Whittaker criticized rival Telegram's security on Friday, saying Telegram founder Pavel Durov is "full of s---" in his claims about Signal. "Telegram is a social media platform, it's not encrypted, it's the least secure of messaging and social media services out there," Whittaker told TechCrunch in an interview. The comments come amid a war of words between Whittaker, Durov and Twitter owner Elon Musk over the security of their respective platforms. Whittaker said Durov's amplification of claims questioning Signal's security was "incredibly reckless" and "actually harms real people."

"Play your games, but don't take them into my court," Whittaker said, accusing Durov of prioritizing being "followed by a professional photographer" over getting facts right about Signal's encryption. Signal uses end-to-end encryption by default, while Telegram only offers it for "secret chats." Whittaker said many in Ukraine and Russia use Signal for "actual serious communications" while relying on Telegram's less-secure social media features. She said the "jury is in" on the platforms' comparative security and that Signal's open source code allows experts to validate its privacy claims, which have the trust of the security community.

Hackers have compromised a popular courtroom recording software, JAVS, gaining full control through a backdoored update. Louisville, Kentucky-based Justice AV Solutions, its maker, pulled the compromised software, reset passwords, and audited its systems. Cybersecurity firm Rapid7 found that the corrupted installer grants attackers full access and transmits host system data to a command-and-control server. The Record adds: In its advisory, Rapid7 stressed the need to reimage all endpoints where the software was installed, and to reset credentials on web browsers and for any accounts logged into affected endpoints, both local and remote. "Simply uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate," they wrote. "Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials."

An anonymous reader quotes a report from NPR: Hospital staff are forced to write notes by hand and deliver orders for tests and prescriptions in person in the ongoing fallout from a recent ransomware attack at the national health system Ascension. Ascension is one of the largest health systems in the United States, with some 140 hospitals located across 19 states and D.C. A spokesperson said in a statement that "unusual activity" was first detected on multiple technology network systems Ascension uses on Wednesday, May 8. Later, representatives confirmed that some of Ascension's electronic health records systems had been affected, along with systems used "to order certain tests, procedures and medications."

Some phone capabilities have also been offline, and patients have been unable to access portals used to view medical records and get in touch with their doctors. Due to these interruptions, hospital staff had to shift to "manual and paper based" processes. "Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible," an Ascension spokesperson said in a May 8 statement. Kris Fuentes, who works in the neonatal intensive care unit at Ascension Seton Medical Center in Austin, said she remembers when paper charting was the norm. But after so many years of relying on digital systems, she said her hospital wasn't ready to make such an abrupt shift. "It's kind of like we went back 20 years, but not even with the tools we had then," Fuentes said. "Our workflow has just been really unorganized, chaotic and at times, scary."

Fuentes said orders for medication, labs and imaging are being handwritten and then distributed by hand to various departments, whereas typically these requests are quickly accessed via computer. A lack of safety checks with these backup methods has introduced errors, she said, and every task is taking longer to complete. "Medications are taking longer to get to patients, lab results are taking longer to get back," she said. "Doctors need the lab results, often, to decide the next treatment plan, but if there's a delay in access to the labs, there's a delay in access to the care that they order." As of Tuesday, Ascension still had no timeline for when the issues might be resolved, and reported that it continued to work with "industry-leading cybersecurity experts" to investigate the ransomware attack and restore affected systems. The FBI and Cybersecurity and Infrastructure Security Agency are also involved in the investigation. "While Ascension facilities remain open, a health system representative said on May 9 that in some cases, emergency patients were being triaged to different hospitals, and some non-emergent appointments and procedures were postponed," reports NPR. "Certain Ascension pharmacies are not operational, and patients are being asked to bring in prescription bottles or numbers."

"Individuals who are enrolled in Ascension health insurance plans are being directed to mail in monthly payments while the electronic payment system is down."

An anonymous reader shares a report: Did your company recently send you a phishing email? Employers will sometimes simulate phishing messages to train workers on how to spot the hacking threat. But one Google security manager argues the IT industry needs to drop the practice, calling it counterproductive. "PSA for Cybersecurity folk: Our co-workers are tired of being 'tricked' by phishing exercises y'all, and it is making them hate us for no benefit," tweeted Matt Linton, a security incident manager at Google.

Linton also published a post on the Google Security blog about the pitfalls of today's simulated phishing tests. The company is required to send fake phishing emails to its employees to meet the US government's security compliance requirements. In these tests, Google sends an employee a phishing email. If the worker clicks a link in the email, they'll be told they failed the test and will usually be required to take some sort of training course. However, Linton argues that simulated phishing tests can lead to harmful side effects, which can undermine a company's security. "There is no evidence that the tests result in fewer incidences of successful phishing campaigns," Linton said, noting that phishing attacks continue to help hackers gain a foothold inside networks, despite such training. He also pointed to a 2021 study that ran for 15 months and concluded that these phishing tests don't "make employees more resilient to phishing."

A server maintained by Cogent Communications, one of the 13 root servers crucial to the Internet's domain name system, fell out of sync with its peers for over four days due to an unexplained glitch. This issue, which could have caused worldwide stability and security problems, was resolved on Wednesday.

The root servers store cryptographic keys necessary for authenticating intermediate servers under the DNSSEC mechanism. Inconsistencies in these keys across the 13 servers could lead to an increased risk of attacks such as DNS cache poisoning. Engineers postponed planned updates to the .gov and .int domain name servers' DNSSEC to use ECDSA cryptographic keys until the situation stabilized. Cogent stated that it became aware of the issue on Tuesday and resolved it within 25 hours. ArsTechnica, which has a great writeup about the incident, adds: Initially, some people speculated that the depeering of Tata Communications, the c-root site outage, and the update errors to the c-root itself were all connected somehow. Given the vagueness of the statement, the relation of those events still isn't entirely clear.

A hacker claims to have breached a scam call center, stolen the source code for the company's tools, and emailed the company's scam victims, according to multiple screenshots and files provided by the hacker to 404 Media. From the report: The hack is the latest in a long series of vigilante actions in which hackers take matters into their own hands and breach or otherwise disrupt scam centers. A massively popular YouTube community, with creators mocking their targets, also exists around the practice.

"Hello, everyone! If you are seeing this email then you have been targeted by a fake antivirus company known as 'Waredot,'" the hacker wrote in their alleged email to customers, referring to the scam call center. The email goes on to suggest that customers issue a chargeback "as this trash software isn't worth anywhere NEAR $300-$400 per month, and these trash idiots don't deserve your money!"

Michael Larabel reports via Phoronix: The latest RISC-V port updates have been merged for the in-development Linux 6.10 kernel. Most notable with today's RISC-V merge to Linux 6.10 is now supporting the Rust programming language within the Linux kernel. RISC-V joins the likes of x86_64, LoongArch, and ARM64 already supporting the use of the in-kernel Rust language support. The use of Rust within the mainline Linux kernel is still rather limited with just a few basic drivers so far and a lot of infrastructure work taking place, but there are a number of new drivers and other subsystem support on the horizon. RISC-V now supporting Rust within the Linux kernel will become more important moving forward.

The RISC-V updates for Linux 6.10 also add byte/half-word compare-and-exchange, support for Zihintpause within hwprobe, a PR_RISCV_SET_ICACHE_FLUSH_CTX prctl(), and support for lockless lockrefs. More details on these RISC-V updates for Linux 6.10 via this Git merge.

An anonymous reader quotes a report from The Guardian: Hopes that replacement fuels for airplanes will slash carbon pollution are misguided and support for these alternatives could even worsen the climate crisis, a new report has warned. There is currently "no realistic or scalable alternative" to standard kerosene-based jet fuels, and touted "sustainable aviation fuels" are well off track to replace them in a timeframe needed to avert dangerous climate change, despite public subsidies, the report by the Institute for Policy Studies, a progressive thinktank, found. "While there are kernels of possibility, we should bring a high level of skepticism to the claims that alternative fuels will be a timely substitute for kerosene-based jet fuels," the report said. [...]

In the U.S., Joe Biden's administration has set a goal for 3 billion gallons of sustainable aviation fuel, which is made from non-petroleum sources such as food waste, woody biomass and other feedstocks, to be produced by 2030, which it said will cut aviation's planet-heating emissions by 20%. [...] Burning sustainable aviation fuels still emits some carbon dioxide, while the land use changes needed to produce the fuels can also lead to increased pollution. Ethanol biofuel, made from corn, is used in these fuels, and meeting the Biden administration's production goal, the report found, would require 114m acres of corn in the U.S., about a 20% increase in current land area given over to to the crop. In the UK, meanwhile, 50% of all agricultural land will have to be given up to sustain current flight passenger levels if jet fuel was entirely replaced. "Agricultural land use changes could threaten global food security as well as nature-based carbon sequestration solutions such as the preservation of forests and wetlands," the report states. "As such, SAF production may actively undermine the Paris agreement goal of achieving greatly reduced emissions by 2050." Chuck Collins, co-author of the report, said: "To bring these fuels to the scale needed would require massive subsidies, the trade-offs would be unacceptable and would take resources aware from more urgent decarbonization priorities."

"It's a huge greenwashing exercise by the aviation industry. It's magical thinking that they will be able to do this."

Phil Ansell, director of the Center for Sustainable Aviation at the University of Illinois, added: "There's an underappreciation of how big the energy problem is for aviation. We are still many years away from zero pollution flights. But it's true that the industry has been slow to pick things up. We are now trying to find solutions, but we are working at this problem and realizing it's a lot harder than we thought. We are late to the game. We are in the dark ages in terms of sustainability, compared to other sectors."

The House Foreign Affairs Committee on Wednesday voted overwhelmingly to advance a bill that would make it easier for the Biden administration to restrict the export of AI systems, citing concerns China could exploit them to bolster its military capabilities. From a report: The bill, sponsored by House Republicans Michael McCaul and John Molenaar and Democrats Raja Krishnamoorthi and Susan Wild, also would give the Commerce Department express authority to bar Americans from working with foreigners to develop AI systems that pose risks to U.S. national security. Without this legislation "our top AI companies could inadvertently fuel China's technological ascent, empowering their military and malign ambitions," McCaul, who chairs the committee, warned on Wednesday.

"As the (Chinese Communist Party) looks to expand their technological advancements to enhance their surveillance state and war machine, it is critical we protect our sensitive technology from falling into their hands," McCaul added. The Chinese Embassy in Washington did not immediately respond to a request for comment. The bill is the latest sign Washington is gearing up to beat back China's AI ambitions over fears Beijing could harness the technology to meddle in other countries' elections, create bioweapons or launch cyberattacks.