EU

EU Announces Higher Tariffs of Up To 38% On Chinese EVs (cnbc.com) 84

The European Union on Wednesday said it would impose higher tariffs on Chinese electric vehicle imports, which it found benefit "heavily from unfair subsidies" and pose a "threat of economic injury" to EV producers in Europe. CNBC reports: On a preliminary basis, the European Commission, the executive arm of the EU, concluded that the battery-electric vehicles value chain in China "benefits from unfair subsidization" and pronounced that it is in the EU's interest to impose "provisional countervailing duties" on BEV imports from China. The additional tariffs are the result of an EU probe that began in October. The duties are currently provisional, but will be introduced from July 4 in the event of unfruitful talks with Chinese authorities to reach a resolution, the commission said in a statement. Definitive measures will be placed within four months of the imposition of provisional duties. [...]

The bloc is imposing a 38.1% tariff on battery-electric vehicle producers who did not cooperate with its investigation, and a lower 21% duty on carmakers in the Asian country who complied but have not been "sampled." The commission also disclosed a set of individual tariffs, which [Valdis Dombrovskis, the EU commissioner for trade, said] are linked to their cooperation with the probe and with the amount of information they supplied. Rates are lower for those companies who shared details, he added. Main Chinese BEV producer BYD was struck with a 17.4% tariff, with Geely slapped with a 20% duty. The EU has also imposed its 38.1% tariff on autos firm SAIC. All three producers were sampled in the EU probe, which is ongoing.
Meanwhile, taxes on imported Chinese EVs in the United States are set to quadruple from 25% to 100%, starting this year.
IOS

Apple is Bringing RCS To the iPhone in iOS 18 (theverge.com) 113

Apple has announced that its Messages app will support RCS in iOS 18. From a report: The new standard will replace SMS as the default communication protocol between Android and iOS devices. The move comes after years of taunting, cajoling, and finally, some regulatory scrutiny from the EU. Right now, when people on iOS and Android message each other, the service falls back to SMS -- photos and videos are sent at a lower quality, messages are shortened, and importantly, conversations are not end-to-end encrypted like they are in iMessage. Messages from Android phones show up as green bubbles in iMessage chats and chaos ensues.
EU

Birmingham's $125M 'Oracle Disaster' Blamed on Poor IT Project Management (computerweekly.com) 117

It was "a catastrophic IT failure," writes Computer Weekly. It was nearly two years ago that Birmingham City Council, the largest local authority in Europe, "declared itself in financial distress" — effectively declaring bankruptcy — after the costs on an Oracle project ballooned from $25 million to around $125.5 million.

But Computer Weekly's investigation finds signs that the program board and its manager wanted to go live in April of 2022 "regardless of the state of the build, the level of testing undertaken and challenges faced by those working on the programme." One manager's notes "reveal concerns that the program manager and steering committee could not be swayed, which meant the system went live despite having known flaws." Computer Weekly has seen notes from a manager at BCC highlighting a number of discrepancies in the Birmingham City Council report to cabinet published in June 2023, 14 months after the Oracle system went into production. The report stated that some critical elements of the Oracle system were not functioning adequately, impacting day-to-day operations. The manager's comments reveal that this flaw in the implementation of the Oracle software was known before the system went live in April 2022... An insider at Birmingham City Council who has been closely involved in the project told Computer Weekly it went live "despite all the warnings telling them it wouldn't work"....

Since going live, the Oracle system effectively scrambled financial data, which meant the council had no clear picture of its overall finances. The insider said that by January 2023, Birmingham City Council could not produce an accurate account of its spending and budget for the next financial year: "There's no way that we could do our year-end accounts because the system didn't work."

A June 2023 report to cabinet "stated that due to issues with the council's bank reconciliation system, a significant number of transactions had to be manually allocated to accounts rather than automatically via the Oracle system," according to the article. But Computer Weekly has seen a 2019 presentation slide deck showing the council was already aware that Oracle's out-of-the-box bank reconciliation system "did not handle mixed debtor/non-debtor bank files. The workaround suggested was either a lot of manual intervention or a platform as a service (PaaS) offering from Evosys, the Oracle implementation partner contracted by BCC to build the new IT system."

The article ultimately concludes that "project management failures over a number of years contributed to the IT failure."
Earth

Earth Broke Heat Records 12 Months Straight (theweek.com) 224

The European Union's Copernicus Climate Change Service reported that the past year saw record-breaking heat, with global temperatures surpassing all historical measurements. According to Copernicus, May marked the 12th consecutive month of record-high global temperatures, and exceeded a key Paris Agreement temperature target. The Week reports: The stretch is a "stark warning." In a separate study published Wednesday, a group of 57 scientists found that human activity was responsible for 92% of 2023's warming, which increased at a rate "unprecedented in the instrumental record."

While averting catastrophe is "still just about possible," the decisions made by global leaders "especially in the next 18 months" will determine whether the planet can be saved, U.N. Secretary General Antonio Guterres said in a special address. "We need an exit ramp off the highway to climate hell."

Without serious efforts to reverse global warming, "this string of hottest months will be remembered as comparatively cold," Copernicus Director Carlo Buontempo said.
"The 11 months in a row that tied or broke the 1.5C barrier did not yet constitute a breaching of the Paris target, since the benchmark refers to a timescale of multiple decades," notes Axios. "Still, the fact that the climate is now exceeding the target with greater regularity, and is projected to continue doing so, is a sign of the matter's urgency."
Earth

UN Secretary-General Calls For 'Windfall' Tax on Profits of Fossil Fuel Companies (yahoo.com) 208

U.N. Secretary General Antonio Guterres called Wednesday for a "windfall" tax on profits of fossil fuel companies to help pay for the fight against global warming, decrying them as the "godfathers of climate chaos." From a report: Guterres spoke from the American Museum of Natural History in New York in a bid to revive focus on climate change at a time when many national elections, and conflict in places like Ukraine, Gaza and Sudan this year have seized much of the international spotlight.

In a bare-knuckled speech timed for World Environment Day, Guterres drew on new data and projections to trumpet his case against Big Oil: The European Union's climate watching agency reported that last month was the hottest May ever, marking the 12th straight monthly record high. The EU's Copernicus climate change service, a global reference for tracking world temperatures, cited an average surface air temperature of 15.9 C (60.6 F) last month -- or 1.52 C higher than the estimated May average before industrial times. The burning of fossil fuels -- oil, gas and coal -- is the main contributor to global warming caused by human activity. Meanwhile, the U.N. weather agency predicted an 80% chance that average global temperatures will surpass the 1.5 Celsius (2.7 Fahrenheit) target set in the landmark Paris climate accord of 2015.
Further reading: UN Chief Says World is On 'Highway To Climate Hell' as Planet Endures 12 Straight Months of Unprecedented Heat.
AI

Ex-Google CEO Funds AI Research at Europe's Top Physics Hub CERN 11

A donation by former Google chief Eric Schmidt to Europe's top particle physics lab heralds a new way to fund frontier research just as the West's technological race with China quickens. From a report: The European Organization for Nuclear Research, or CERN, will use the previously unreported gift of $48 million [non-paywalled link] from the Eric & Wendy Schmidt Fund for Strategic Innovation to develop AI algorithms to analyze raw data from the lab's Large Hadron Collider, the world's most powerful energy particle accelerator. In 2012, it discovered the Higgs Boson, a particle that's key to understanding how the universe is built.

Now, CERN needs to reinvest to stay at the cutting edge of particle physics research. By the late 2030s, the LHC is expected to reach the end of its useful life and CERN needs $17 billion from European nations to fund the construction of a much bigger accelerator, known as the Future Circular Collider. But that funding has yet to be secured and, in the meantime, China has proposed its own collider. Traditionally, CERN has relied on contributions from its 23 member states and observer partners like the US for funding pure research, while private investors focus on applied research, according to Charlotte Warakaulle, CERN's director of international relations. That makes the Schmidts' donation to pure research a private-sector first and may herald a different approach to funding the next collider, she says. "We're looking at all sorts of potential partners," Warakaulle said in an interview with Bloomberg last week. "How we could partner with the EU, private investments potentially."
Businesses

Russia Mulling Charging Companies To Use Foreign Software (yahoo.com) 34

Russia may charge domestic companies to use foreign software, the TASS news agency quoted Digital Development Minister Maksut Shadaev as saying on Tuesday, as Moscow seeks to cut dependency on foreign technology and bolster its own. From a report: President Vladimir Putin has made achieving technological independence a key goal, as Western sanctions over the war in Ukraine seek to hamstring Moscow's ability to acquire technology and equipment from abroad that could help it on the battlefield. As part of that push, Putin signed a decree in early May which stated that at least 80% of Russian companies in key economic sectors should transition to using Russian-made software by 2030. Many Russian companies still use foreign software in their daily operations, although an EU sanctions package passed last December prohibits companies from supplying enterprise and design-related software to Russia. Shadaev said that introducing a levy on Russian firms would "equalise" foreign and Russian software.
EU

UK Law Will Let Regulators Fine Big Tech Without Court Approval (theverge.com) 34

Emma Roth reports via The Verge: The UK could subject big tech companies to hefty fines if they don't comply with new rules meant to promote competition in digital markets. On Thursday, lawmakers passed the Digital Markets, Competition and Consumer Bill (DMCC) through Parliament, which will let regulators enforce rules without the help of the courts. The DMCC also addresses consumer protection issues by banning fake reviews, forcing companies to be more transparent about their subscription contracts, regulating secondary ticket sales, and getting rid of hidden fees. It will also force certain companies to report mergers to the UK's Competition and Markets Authority (CMA). The European Union enacted a similar law, called the Digital Markets Act (DMA).

Only the companies the CMA designates as having Strategic Market Status (SMS) have to comply. These SMS companies are described as having "substantial and entrenched market power" and "a position of strategic significance" in the UK. They must have a global revenue of more than 25 billion euros or UK revenue of more than 1 billion euros. The law will also give the CMA the authority to determine whether a company has broken a law, require compliance, and issue a fine -- all without going through the court system. The CMA can fine companies up to 10 percent of the total value of a business's global revenue for violating the new rules.

EU

EU Sets Benchmark For Rest of the World With Landmark AI Laws (reuters.com) 28

An anonymous reader quotes a report from Reuters: Europe's landmark rules on artificial intelligence will enter into force next month after EU countries endorsed on Tuesday a political deal reached in December, setting a potential global benchmark for a technology used in business and everyday life. The European Union's AI Act is more comprehensive than the United States' light-touch voluntary compliance approach while China's approach aims to maintain social stability and state control. The vote by EU countries came two months after EU lawmakers backed the AI legislation drafted by the European Commission in 2021 after making a number of key changes. [...]

The AI Act imposes strict transparency obligations on high-risk AI systems while such requirements for general-purpose AI models will be lighter. It restricts governments' use of real-time biometric surveillance in public spaces to cases of certain crimes, prevention of terrorist attacks and searches for people suspected of the most serious crimes. The new legislation will have an impact beyond the 27-country bloc, said Patrick van Eecke at law firm Cooley. "The Act will have global reach. Companies outside the EU who use EU customer data in their AI platforms will need to comply. Other countries and regions are likely to use the AI Act as a blueprint, just as they did with the GDPR," he said, referring to EU privacy rules.

While the new legislation will apply in 2026, bans on the use of artificial intelligence in social scoring, predictive policing and untargeted scraping of facial images from the internet or CCTV footage will kick in in six months once the new regulation enters into force. Obligations for general purpose AI models will apply after 12 months and rules for AI systems embedded into regulated products in 36 months. Fines for violations range from $8.2 million or 1.5% of turnover to 35 million euros or 7% of global turnover depending on the type of violations.

Transportation

Are Car Companies Sabotaging the Transition to Electric Vehicles? (influencemap.org) 320

The thinktank InfluenceMap produces "data-driven analysis on how business and finance are impacting the climate crisis." Their web site says their newest report documents "How automaker lobbying threatens the global transition to electric vehicles." This report analyses the climate policy engagement strategies of fifteen of the largest global automakers in seven key regions (Australia, EU, Japan, India, South Korea, UK, US). It shows how even in countries where major climate legislation has recently passed, such as the US and Australia, the ambition of these policies has been weakened due to industry pressure. All fifteen automakers, except Tesla, have actively advocated against at least one policy promoting electric vehicles. Ten of the fifteen showed a particularly high intensity of negative engagement and scored a final grade of D or D+ by InfluenceMap's methodology. Toyota is the lowest-scoring company in this analysis, driving opposition to climate regulations promoting battery electric vehicles in multiple regions, including the US, Australia and UK. Of all automakers analyzed, only Tesla (scoring B) is found to have positive climate advocacy aligned with science-based policy.
CleanTechnica writes that Toyota "led on hybrid vehicles (and still does), so it's actually not surprising that it has been opposed to the next stage of climate-cutting auto evolution — it's clinging on to its lead rather than continuing to innovate for a new era."

More from InfluenceMap: Only three of fifteen companies — Tesla, Mercedes Benz and BMW — are forecast to produce enough electric vehicles by 2030 to meet the International Energy Agency's updated 1.5°C pathway of 66% electric vehicle (battery electric, fuel cell and plug-in hybrids) sales according to InfluenceMap's independent analysis of industry-standard data from February 2024. Current industry forecasts analyzed for this report show automaker production will reach only 53% electric vehicles in 2030. Transport is the third-largest source of greenhouse gas emissions globally, and road transport is failing to decarbonize at anywhere near the rate of many other industries. InfluenceMap's report also finds that Japanese automakers are the least prepared for an electric vehicle transition and are engaging the hardest against it.
"InfluenceMap highlights that these anti-EV efforts in the industry are often coming from industry associations rather than coming directly from automakers, shielding them a bit from inevitable public backlash," writes CleanTechnica.

"Every automaker included in the study except Tesla remains a member of at least two of these groups," InfluenceMap reports, "with most automakers a member of at least five."

Thanks to Slashdot reader Baron_Yam for sharing the news.
AI

'Openwashing' 40

An anonymous reader quotes a report from The New York Times: There's a big debate in the tech world over whether artificial intelligence models should be "open source." Elon Musk, who helped found OpenAI in 2015, sued the startup and its chief executive, Sam Altman, on claims that the company had diverged from its mission of openness. The Biden administration is investigating the risks and benefits of open source models. Proponents of open source A.I. models say they're more equitable and safer for society, while detractors say they are more likely to be abused for malicious intent. One big hiccup in the debate? There's no agreed-upon definition of what open source A.I. actually means. And some are accusing A.I. companies of "openwashing" -- using the "open source" term disingenuously to make themselves look good. (Accusations of openwashing have previously been aimed at coding projects that used the open source label too loosely.)

In a blog post on Open Future, a European think tank supporting open sourcing, Alek Tarkowski wrote, "As the rules get written, one challenge is building sufficient guardrails against corporations' attempts at 'openwashing.'" Last month the Linux Foundation, a nonprofit that supports open-source software projects, cautioned that "this 'openwashing' trend threatens to undermine the very premise of openness -- the free sharing of knowledge to enable inspection, replication and collective advancement." Organizations that apply the label to their models may be taking very different approaches to openness. [...]

The main reason is that while open source software allows anyone to replicate or modify it, building an A.I. model requires much more than code. Only a handful of companies can fund the computing power and data curation required. That's why some experts say labeling any A.I. as "open source" is at best misleading and at worst a marketing tool. "Even maximally open A.I. systems do not allow open access to the resources necessary to 'democratize' access to A.I., or enable full scrutiny," said David Gray Widder, a postdoctoral fellow at Cornell Tech who has studied use of the "open source" label by A.I. companies.
Social Networks

France Bans TikTok In New Caledonia (politico.eu) 48

In what's marked as an EU first, the French government has blocked TikTok in its territory of New Caledonia amid widespread pro-independence protests. Politico reports: A French draft law, passed Monday, would let citizens vote in local elections after 10 years' residency in New Caledonia, prompting opposition from independence activists worried it will dilute the representation of indigenous people. The violent demonstrations that have ensued in the South Pacific island of 270,000 have killed at least five people and injured hundreds. In response to the protests, the government suspended the popular video-sharing app -- owned by Beijing-based ByteDance and favored by young people -- as part of state-of-emergency measures alongside the deployment of troops and an initial 12-day curfew.

French Prime Minister Gabriel Attal didn't detail the reasons for shutting down the platform. The local telecom regulator began blocking the app earlier on Wednesday. "It is regrettable that an administrative decision to suspend TikTok's service has been taken on the territory of New Caledonia, without any questions or requests to remove content from the New Caledonian authorities or the French government," a TikTok spokesperson said. "Our security teams are monitoring the situation very closely and ensuring that our platform remains safe for our users. We are ready to engage in discussions with the authorities."

Digital rights NGO Quadrature du Net on Friday contested the TikTok suspension with France's top administrative court over a "particularly serious blow to freedom of expression online." A growing number of authoritarian regimes worldwide have resorted to internet shutdowns to stifle dissent. This unexpected -- and drastic -- decision by France's center-right government comes amid a rise in far-right activism in Europe and a regression on media freedom. "France's overreach establishes a dangerous precedent across the globe. It could reinforce the abuse of internet shutdowns, which includes arbitrary blocking of online platforms by governments around the world," said Eliska Pirkova, global freedom of expression lead at Access Now.

Programming

Apple Geofences Third-Party Browser Engine Work for EU Devices (theregister.com) 81

Apple's grudging accommodation of European law -- allowing third-party browser engines on its mobile devices -- apparently comes with a restriction that makes it difficult to develop and support third-party browser engines for the region. From a report: The Register has learned from those involved in the browser trade that Apple has limited the development and testing of third-party browser engines to devices physically located in the EU. That requirement adds an additional barrier to anyone planning to develop and support a browser with an alternative engine in the EU.

It effectively geofences the development team. Browser-makers whose dev teams are located in the US will only be able to work on simulators. While some testing can be done in a simulator, there's no substitute for testing on device -- which means developers will have to work within Apple's prescribed geographical boundary. Prior to iOS 17.4, Apple required all web browsers on iOS or iPadOS to use Apple's WebKit rendering engine. Alternatives like Gecko (used by Mozilla Firefox) or Blink (used by Google and other Chromium-based browsers) were not permitted. Whatever brand of browser you thought you were using on your iPhone, under the hood it was basically Safari. Browser makers have objected to this for years, because it limits competitive differentiation and reduces the incentive for Apple owners to use non-Safari browsers.

Transportation

VW and Renault End Talks To Develop Affordable EV (reuters.com) 35

Volkswagen has walked away from talks with Renault to jointly develop an affordable electric version of the Twingo car, Reuters reported Friday, citing sources familiar with the situation, in a setback for the EU carmakers' efforts to fend off Chinese rivals. From the report: The collapse of negotiations could mean the German carmaker may have to go it alone in developing its own affordable electric vehicle (EV). Renault will continue designing its electric Twingo, scheduled to hit the market in 2026. Both had hoped that sharing the work would cut costs that represent a key hurdle for European carmakers in the face of cheaper cars from China.

Volkswagen broke off discussions mainly because Renault had wanted to build the car in one of its plants at a time when VW is seeking to fully utilise its European production network, one of the sources said.

EU

EU Opens Child Safety Probes of Facebook and Instagram, Citing Addictive Design Concerns (techcrunch.com) 48

An anonymous reader quotes a report from TechCrunch: Facebook and Instagram are under formal investigation in the European Union over child protection concerns, the Commission announced Thursday. The proceedings follow a raft of requests for information to parent entity Meta since the bloc's online governance regime, the Digital Services Act (DSA), started applying last August. The development could be significant as the formal proceedings unlock additional investigatory powers for EU enforcers, such as the ability to conduct office inspections or apply interim measures. Penalties for any confirmed breaches of the DSA could reach up to 6% of Meta's global annual turnover.

Meta's two social networks are designated as very large online platforms (VLOPs) under the DSA. This means the company faces an extra set of rules -- overseen by the EU directly -- requiring it to assess and mitigate systemic risks on Facebook and Instagram, including in areas like minors' mental health. In a briefing with journalists, senior Commission officials said they suspect Meta of failing to properly assess and mitigate risks affecting children. They particularly highlighted concerns about addictive design on its social networks, and what they referred to as a "rabbit hole effect," where a minor watching one video may be pushed to view more similar content as a result of the platforms' algorithmic content recommendation engines.

Commission officials gave examples of depression content, or content that promotes an unhealthy body image, as types of content that could have negative impacts on minors' mental health. They are also concerned that the age assurance methods Meta uses may be too easy for kids to circumvent. "One of the underlying questions of all of these grievances is how can we be sure who accesses the service and how effective are the age gates -- particularly for avoiding that underage users access the service," said a senior Commission official briefing press today on background. "This is part of our investigation now to check the effectiveness of the measures that Meta has put in place in this regard as well." In all, the EU suspects Meta of infringing DSA Articles 28, 34, and 35. The Commission will now carry out an in-depth investigation of the two platforms' approach to child protection.

Microsoft

Microsoft Set To Face EU Competition Charges Over Teams Software (ft.com) 36

The European Commission is set to issue new antitrust charges [non-paywalled link] against Microsoft over concerns that the tech giant is undermining competitors to its videoconferencing app Teams, according to FT. The move comes after Microsoft offered concessions last month, including a global plan to unbundle Teams from other software such as Office, in an attempt to avoid regulatory action.

The EU officials remain concerned that the company's efforts do not sufficiently ensure fairness in the market, the newspaper said. Rivals worry that Microsoft will make Teams run more compatibly with its own software compared to competitor apps, and that the lack of data portability makes it difficult for existing Teams users to switch to alternatives. The case, which originated from a formal complaint submitted by Slack (now owned by Salesforce) in 2020, is now escalating with the Commission's impending formal charge sheet against Microsoft.
Earth

Methane Emissions From Gas Flaring Being Hidden From Satellite Monitors (theguardian.com) 51

An anonymous reader quotes a report from The Guardian: Oil and gas equipment intended to cut methane emissions is preventing scientists from accurately detecting greenhouse gases and pollutants, a satellite image investigation has revealed. Energy companies operating in countries such as the US, UK, Germany and Norway appear to have installed technology that could stop researchers from identifying methane, carbon dioxide emissions and pollutants at industrial facilities involved in the disposal of unprofitable natural gas, known in the industry as flaring. Flares are used by fossil fuel companies when capturing the natural gas would cost more than they can make by selling it. They release carbon dioxide and toxic pollutants when they burn as well as cancer-causing chemicals. Despite the health risks, regulators sometimes prefer flaring to releasing natural gas -- which is 90% methane -- directly into the atmosphere, known as "venting".

The World Bank, alongside the EU and other regulators, have been using satellites for years to find and document gas flares, asking energy companies to find ways of capturing the gas instead of burning or venting it. The bank set up the Zero Routine Flaring 2030 initiative at the Paris climate conference to eradicate unnecessary flaring, and its latest report stated that flaring decreased by 3% globally from 2021 to 2022. But since the initiative, "enclosed combustors" have begun appearing in the same countries that promised to end flaring. Experts say enclosed combustors are functionally the same as flares, except the flame is hidden. Tim Doty, a former regulator at the Texas Commission on Environmental Quality, said: "Enclosed combustors are basically a flare with an internal flare tip that you don't see. Enclosed flaring is still flaring. It's just different infrastructure that they're allowing.

"Enclosed flaring is, in truth, probably less efficient than a typical flare. It's better than venting, but going from a flare to an enclosed flare or a vapor combustor is not an improvement in reducing emissions." The only method of detecting flaring globally is by using satellite-mounted tools called Visible Infrared Imaging Radiometer Suite of detectors (VIIRS), which find flares by comparing heat signatures with bright spots of light visible from space. But when researchers tried to replicate the database, they saw that the satellites were not picking up the enclosed flares. Without the satellite data, countries were forced to rely mostly on self-disclosed reporting from oil and gas companies, researchers said. Environmentalists fear the research community's ability to understand pollution and greenhouse gas emissions from the energy sector could be jeopardized.

Security

Germany Says Russia Will Face Consequences For 'Intolerable' Cyberattack (france24.com) 40

An anonymous reader shares a report: Relations between Russia and Germany were already tense, with Germany providing military support to Ukraine in its ongoing war with Russia. German Foreign Minister Annalena Baerbock said Russian state hackers were behind a cyberattack last year that targeted the Social Democrats, the leading party in the governing coalition. "Russian state hackers attacked Germany in cyberspace," she said at a news conference in the Australian city of Adelaide. "We can attribute this attack to the group called APT28, which is steered by the military intelligence service of Russia."

"This is absolutely intolerable and unacceptable and will have consequences," she said. The Russian Embassy in Germany on Friday denied Moscow was involved in a 2023 cyberattack. In a statement the embassy said its envoy "categorically rejected the accusations that Russian state structures were involved in the given incident ... as unsubstantiated and groundless." The Council of the EU later said that Czechia's institutions have also been a target of the cyber campaign. In a statement by the EU's top diplomat, Josep Borrell, the bloc's nations said they "strongly condemn the malicious cyber campaign conducted by the Russia-controlled Advanced Persistent Threat Actor 28 (APT28) against Germany and Czechia."
Further reading: EU and NATO Condemn Russian Cyber Attacks Against Germany and Czechia.
Businesses

Apple Adds More Carve-outs To Its EU Core Tech Fee After Criticism From Devs (techcrunch.com) 13

Apple is tweaking how it applies a new fee that can apply to iOS developers in the European Union as it continues to configure its approach to the bloc's Digital Markets Act (DMA): Developers of free apps will be able to avoid the fee entirely under changes it announced Thursday, which apply from today, while other developers earning under a certain revenue threshold will get longer before they have to pay Apple the fee. From a report: The so-called "core technology fee" remains opt in for iOS developers in the region, as Apple continues to offer its standard business terms, but those wanting to take up new entitlements the DMA has required Apple to offer -- such as allowing sideloading of apps, third party app stores, and support for alternative payment tech than Apple's own -- must agree to the set of business terms that include the CTF (as Apple calls it).

The fee remains under scrutiny in the region where the Commission, which enforces the DMA on Apple and other gatekeepers -- and opened its first investigations including on Apple in March -- is actively exploring whether the mechanism is enabling the iPhone maker to avoid its obligations to open up the App Store to competition, such as from third party app stores. But so far the EU hasn't prevented Apple from charging a fee.

Cloud

How an Empty S3 Bucket Can Make Your AWS Bill Explode (medium.com) 70

Maciej Pocwierz, a senior software engineer at Semantive, writing on Medium: A few weeks ago, I began working on the PoC of a document indexing system for my client. I created a single S3 bucket in the eu-west-1 region and uploaded some files there for testing. Two days later, I checked my AWS billing page, primarily to make sure that what I was doing was well within the free-tier limits. Apparently, it wasn't. My bill was over $1,300, with the billing console showing nearly 100,000,000 S3 PUT requests executed within just one day! By default, AWS doesn't log requests executed against your S3 buckets. However, such logs can be enabled using AWS CloudTrail or S3 Server Access Logging. After enabling CloudTrail logs, I immediately observed thousands of write requests originating from multiple accounts or entirely outside of AWS.

Was it some kind of DDoS-like attack against my account? Against AWS? As it turns out, one of the popular open-source tools had a default configuration to store their backups in S3. And, as a placeholder for a bucket name, they used... the same name that I used for my bucket. This meant that every deployment of this tool with default configuration values attempted to store its backups in my S3 bucket! So, a horde of misconfigured systems is attempting to store their data in my private S3 bucket. But why should I be the one paying for this mistake? Here's why: S3 charges you for unauthorized incoming requests. This was confirmed in my exchange with AWS support. As they wrote: "Yes, S3 charges for unauthorized requests (4xx) as well[1]. That's expected behavior." So, if I were to open my terminal now and type: aws s3 cp ./file.txt s3://your-bucket-name/random_key. I would receive an AccessDenied error, but you would be the one to pay for that request. And I don't even need an AWS account to do so.

Another question was bugging me: why was over half of my bill coming from the us-east-1 region? I didn't have a single bucket there! The answer to that is that the S3 requests without a specified region default to us-east-1 and are redirected as needed. And the bucket's owner pays extra for that redirected request. The security aspect: We now understand why my S3 bucket was bombarded with millions of requests and why I ended up with a huge S3 bill. At that point, I had one more idea I wanted to explore. If all those misconfigured systems were attempting to back up their data into my S3 bucket, why not just let them do so? I opened my bucket for public writes and collected over 10GB of data within less than 30 seconds. Of course, I can't disclose whose data it was. But it left me amazed at how an innocent configuration oversight could lead to a dangerous data leak! Lesson 1: Anyone who knows the name of any of your S3 buckets can ramp up your AWS bill as they like. Other than deleting the bucket, there's nothing you can do to prevent it. You can't protect your bucket with services like CloudFront or WAF when it's being accessed directly through the S3 API. Standard S3 PUT requests are priced at just $0.005 per 1,000 requests, but a single machine can easily execute thousands of such requests per second.
