Linked List: June 25, 2024

Microsoft Edge Has an ‘Enhanced Security’ Mode That Disables the JIT 

Sergiu Gatlan, writing for Bleeping Computer in 2021 (thanks to Kevin van Haaren):

Microsoft has announced that the Edge Vulnerability Research team is experimenting with a new feature dubbed “Super Duper Secure Mode” and designed to bring security improvements without significant performance losses. When enabled, the new Microsoft Edge Super Duper Secure Mode will remove Just-In-Time Compilation (JIT) from the V8 processing pipeline, reducing the attack surface threat actors can use to hack into Edge users’ systems.

Based on CVE (Common Vulnerabilities and Exposures) data collected since 2019, around 45% of vulnerabilities found in the V8 JavaScript and WebAssembly engine were related to the JIT engine, more than half of all “in the wild” Chrome exploits abusing JIT bugs.

“Super Duper Secure Mode” was a funner name, but they settled on “Enhanced Security Mode”.

This is why Apple considers BrowserEngineKit — which is complex and requires a special entitlement with stringent requirements to use — necessary for complying with the DMA’s mandate to allow third-party browser engines. JITs are inherently vulnerable. It’s not about known bugs — it’s the unknown bugs.

The anti-WebKit peanut gallery responded to my piece on JITs yesterday with a collective response along the lines of “Who’s to say WebKit’s JIT is any more secure than Chrome’s or Gecko’s?” That’s not really the point, but the answer is, Apple is to say. iOS is their platform and they’ve decided that it’s better for the platform to reduce the attack surface to a single browser engine, WebKit, the one they themselves control. And Apple isn’t saying WebKit as a whole, or its JavaScript JIT compiler in particular, is more secure than Chrome or Gecko. They’re saying, implicitly, that it’s safer to have just one that they themselves are fully responsible for. And that the safest way to comply with the DMA’s mandate to allow third-party rendering engines is via a stringent framework like BrowserEngineKit.

You might think it would be just fine for iOS to work just like MacOS, where you can install whatever software you want. But Apple, expressly, does not. iOS is designed to be significantly more secure than MacOS.

Reuters: Amazon Is Considering $5 Monthly Charge for Improved Alexa 

Greg Bensinger, reporting for Reuters:

Amazon is planning a major revamp of its decade-old money-losing Alexa service to include a conversational generative AI with two tiers of service and has considered a monthly fee of around $5 to access the superior version, according to people with direct knowledge of the company’s plans.

Known internally as “Banyan,” a reference to the sprawling ficus trees, the project would represent the first major overhaul of the voice assistant since it was introduced in 2014 along with the Echo line of speakers. Amazon has dubbed the new voice assistant “Remarkable Alexa,” the people said.

A bit of a role reversal here. Apple, which is not known for giving away much for free, isn’t charging users for Apple Intelligence, including ChatGPT integration. Amazon, which is known for ruthlessly pursuing low prices, is, according to this report, looking to charge for an LLM-powered version of Alexa. Maybe that new version of Alexa really is that good? But I sort of think that if they gate this new Alexa behind a paywall, it will just be added to the existing package for Prime.

Speaking of Alexa, though, I’m reminded that Apple’s WWDC announcements didn’t include anything about bringing the new Apple-Intelligence-powered Siri to devices like HomePods or Apple Watches. Let’s say you have an iPhone 15 Pro or buy a new iPhone 16 this fall. What happens when you talk to Siri through your Apple Watch? Do you get the new Apple Intelligence Siri, because your watch is paired to your iPhone, which meets the device requirements for Apple Intelligence? Or do you get old dumb Siri on your Watch and only get new Siri when talking directly to your iPhone?

Gurman Just Pantsed the WSJ on Their Report About Apple and Meta Working on an AI Deal 

Salvador Rodriguez, Aaron Tilley, Miles Kruppa, reporting for The Wall Street Journal Sunday morning (News+):

In its hustle to catch up on AI, Apple has been talking with a longtime rival: Meta. Facebook’s parent has held discussions with Apple about integrating Meta Platforms’ generative AI model into Apple Intelligence, the recently announced AI system for iPhones and other devices, according to people familiar with the matter.

This didn’t make much sense, given Tim Cook’s strident condemnation of Meta and Mark Zuckerberg. E.g. this interview with Kara Swisher, which, though it was six years ago, doesn’t leave much room for a strange bedfellows partnership today: “Asked by Swisher what he would do if he were in Zuckerberg’s position, Cook said pointedly: ‘I wouldn’t be in this situation.’” Cook and Apple’s entire problem with Meta is their approach to privacy and monetizing through targeted advertising based on user profiles. Apple is trying to convince customers that Apple’s approach to AI is completely private and trustworthy; a partnership with Meta would run counter to that. And, quite frankly, Meta’s AI technology is not enviable.

Now here’s Mark Gurman, reporting for Bloomberg yesterday evening (News+):

Apple Inc. rejected overtures by Meta Platforms Inc. to integrate the social networking company’s AI chatbot into the iPhone months ago, according to people with knowledge of the matter.

The two companies aren’t in discussions about using Meta’s Llama chatbot in an AI partnership and only held brief talks in March, said the people, who asked not to be identified because the situation is private. The dialogue about a partnership didn’t reach any formal stage, and Apple has no active plans to integrate Llama. [...]

Apple decided not to move forward with formal Meta discussions in part because it doesn’t see that company’s privacy practices as stringent enough, according to the people. Apple has spent years criticizing Meta’s technology, and integrating Llama into the iPhone would have been a stark about-face.

Spokespeople for Apple and Meta declined to comment. The Wall Street Journal reported on Sunday that the two companies were in talks about an AI partnership.

Delicious, right down to the fact that Bloomberg’s link on “reported on Sunday” points not to the Journal but to Bloomberg’s own regurgitation of the WSJ’s report.