      [Sponsor] Kolide — Device Trust for Okta. Watch the demo today. / DaringFireball · Monday, 7 August - 23:21 · 2 minutes

    It seems like every company is scrambling to stake their claim in the AI gold rush — check out the CEO of Kroger promising to bring LLMs into the dairy aisle. And front-line workers are following suit, experimenting with AI so they can work faster and do more.

    In the few short months since ChatGPT debuted, hundreds of AI-powered tools have come on the market. But while AI-based tools have genuinely helpful applications, they also pose profound security risks. Unfortunately, most companies still haven’t come up with policies to manage those risks. In the absence of clear guidance around responsible AI use, employees are blithely handing over sensitive data to untrustworthy tools.

    AI-based browser extensions offer the clearest illustration of this phenomenon. The Chrome store is overflowing with extensions that (claim to) harness ChatGPT to do all manner of tasks: punching up emails, designing graphics, transcribing meetings, and writing code. But these tools are prone to at least three types of risk.

    1. Malware: Security researchers keep uncovering AI-based extensions that steal user data. These extensions play on users’ trust of the big tech platforms (“it can’t be dangerous if Google lets it on the Chrome store!”) and they often appear to work, by hooking up to ChatGPT et al’s APIs.
    2. Data Governance: Companies including Apple and Verizon have banned their employees from using LLMs because these products rarely offer a guarantee that a user’s inputs won’t be used as training data.
    3. Prompt Injection Attacks: In this little-known but potentially unsolvable attack, hidden text on a webpage directs an AI tool to perform malicious actions, such as exfiltrating data and then deleting the records.

    Up until now, most companies have been caught flat-footed by AI, but these risks are too serious to ignore.

    At Kolide, we’re taking a two-part approach to governing AI use.

    1. Draft AI policies as a team. We don’t want to totally ban our team from using AI, we just want to use it safely. So our first step is meeting with representatives from multiple teams to figure out what they’re getting out of AI-based tools, and how we can provide them with secure options that don’t expose critical data or infrastructure.
    2. Use Kolide to block malicious tools. Kolide lets IT and security teams write Checks that detect device compliance issues, and we’ve already started creating Checks for malicious (or dubious) AI-based tools. Now if an employee accidentally downloads malware, they’ll be prevented from logging into our cloud apps until they’ve removed it.
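    The kind of device check the second step describes can be sketched in a few dozen lines. The following is an added example written for this page, not Kolide’s own code or Check language: it walks a Chrome profile’s Extensions directory (Chrome really does store unpacked extensions at `<profile>/Extensions/<id>/<version>/manifest.json`), parses each manifest, and reports a verdict per extension. Because a denylist only catches tools someone has already identified as bad, the check also triages unknown extensions by what they can do: broad host access (reading every page the user visits) plus sensitive permissions such as `webRequest` or `cookies` earns a “review”. The denylist entry, the extension IDs and the three sample manifests are all constructed for the demo, and a real deployment would ship the denylist from a central source rather than hard-coding it.

```python
"""Audit the extensions installed in a Chrome profile: a small device-compliance
check in the spirit of the Kolide "Checks" described above (added example, not
Kolide's code).

Chrome layout (real): <profile>/Extensions/<extension id>/<version>/manifest.json
Denylist IDs and sample manifests below are constructed, not real extensions."""

import json
import sys
import tempfile
from pathlib import Path

# Constructed denylist: IDs an IT team has decided are malicious or dubious.
# Real Chrome IDs are 32 lowercase letters a-p; these are made up.
DENYLIST = {
    "aaaabbbbccccddddeeeeffffgggghhhh": "known data-stealing 'AI assistant' (constructed)",
}

# Host patterns that let an extension read or rewrite every page the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that matter most once an extension can see every page.
SENSITIVE_PERMISSIONS = {"webRequest", "webRequestBlocking", "cookies", "history",
                         "clipboardRead", "nativeMessaging", "debugger"}


def host_patterns(manifest):
    """Collect host match patterns from MV2 'permissions', MV3 'host_permissions'
    and content_scripts 'matches'."""
    patterns = set()
    for key in ("permissions", "host_permissions"):
        for p in manifest.get(key, []):
            if isinstance(p, str) and ("://" in p or p == "<all_urls>"):
                patterns.add(p)
    for cs in manifest.get("content_scripts", []):
        patterns.update(cs.get("matches", []))
    return patterns


def assess_extension(ext_id, manifest):
    """Return (verdict, reasons); verdict is 'block', 'review' or 'ok'."""
    reasons = []
    if ext_id in DENYLIST:
        reasons.append(f"denylisted: {DENYLIST[ext_id]}")
    broad = host_patterns(manifest) & BROAD_HOST_PATTERNS
    if broad:
        reasons.append(f"broad host access: {sorted(broad)}")
    sensitive = set(manifest.get("permissions", [])) & SENSITIVE_PERMISSIONS
    if sensitive:
        reasons.append(f"sensitive permissions: {sorted(sensitive)}")
    if ext_id in DENYLIST:
        return "block", reasons          # known bad: device is non-compliant
    if broad or sensitive:
        return "review", reasons         # unknown but capable: needs a human look
    return "ok", reasons


def audit_profile(profile_dir):
    """Walk <profile>/Extensions and assess every installed extension."""
    results = {}
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return results
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for manifest_path in ext_dir.glob("*/manifest.json"):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError) as exc:
                results[ext_dir.name] = ("review", [f"unreadable manifest: {exc}"])
                continue
            results[ext_dir.name] = assess_extension(ext_dir.name, manifest)
    return results


def device_compliant(results):
    """The decision a check would report upstream: no 'block' verdicts present."""
    return not any(verdict == "block" for verdict, _ in results.values())


def build_sample_profile():
    """Constructed profile with three extensions; returns its directory."""
    root = Path(tempfile.mkdtemp(prefix="chrome-profile-"))
    samples = {
        "aaaabbbbccccddddeeeeffffgggghhhh": {  # denylisted "AI email helper"
            "manifest_version": 3, "name": "AI Email Polisher (constructed)", "version": "1.0",
            "permissions": ["cookies", "scripting"], "host_permissions": ["<all_urls>"]},
        "iiiijjjjkkkkllllmmmmnnnnoooopppp": {  # not denylisted, but reads every page
            "manifest_version": 2, "name": "ChatGPT Everywhere (constructed)", "version": "0.3",
            "permissions": ["*://*/*", "webRequest"]},
        "abcdabcdabcdabcdabcdabcdabcdabcd": {  # narrowly scoped: fine
            "manifest_version": 3, "name": "Corp Wiki Shortcuts (constructed)", "version": "2.1",
            "permissions": ["storage"], "host_permissions": ["https://wiki.example.internal/*"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = root / "Extensions" / ext_id / f"{manifest['version']}_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    profile = sys.argv[1] if len(sys.argv) > 1 else build_sample_profile()
    findings = audit_profile(profile)
    for ext_id, (verdict, reasons) in findings.items():
        print(f"{verdict:6} {ext_id}  {'; '.join(reasons) or 'no findings'}")
    print("compliant" if device_compliant(findings) else "NOT compliant: remove blocked extensions")
```

    Run it with no arguments to audit the constructed profile, or pass a real profile directory (on macOS, `~/Library/Application Support/Google/Chrome/Default`). The split between “block” and “review” is deliberate: blocking on a denylist is safe to automate and gate logins on, whereas permission-based findings are a triage queue, since plenty of legitimate extensions legitimately ask for broad access.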

    Every company will have to craft policies based on their unique needs and concerns, but the important thing is to start now. There’s still time to seize the reins of AI, before it gallops away with your company’s data.

    To learn more about how Kolide enforces device compliance for companies with Okta, click here to watch an on-demand demo.

      William Friedkin Dies at 87 / DaringFireball · Monday, 7 August - 21:42

    William Grimes, writing for The New York Times:

    William Friedkin, a filmmaker whose gritty, visceral style and fascination with characters on the edge helped make “The French Connection” and “The Exorcist” two of the biggest box-office hits of the 1970s, died on Monday at his home in the Bel Air neighborhood of Los Angeles. He was 87.

    The cause was heart failure and pneumonia, said his wife, Sherry Lansing, the former head of Paramount Pictures in Hollywood. His death came just weeks before the release of his most recent directorial effort, “The Caine Mutiny Court-Martial,” a movie based on the Herman Wouk play.

    Amongst his lesser-known films, Sorcerer is an absolute gem: riveting, visceral, and gritty.

      Callsheet 1.0 / DaringFireball · Monday, 7 August - 21:27

    Casey Liss:

    When I watch a movie or TV show, I’m constantly trying to figure out who that actor is, who the director is, and so on. Early this year, I wanted a way to look this up that was native to iOS/iPadOS, but also fast, with no fluff that I wasn’t interested in. I wanted a bespoke version of the IMDB app.

    So I wrote it. It’s called Callsheet, and I’d love for you to try it. Callsheet is a subscription-based app, but all subscription plans have a one-week free trial. Additionally, your first twenty searches are free, before you’re compelled to subscribe.

    A few years ago I switched from IMDB to The Movie Database (TMDB) for my movie/TV lookups. IMDB, once great, is now laden with obtrusive ads to an extent that is user-hostile. But I’d been vaguely wishing that there were a top-notch native iPhone TMDB app. Callsheet is that app. I’ve been beta-testing it for months, and ever since, Callsheet has been one of the few apps I use almost daily. Super-useful, super-convenient.

      Warp / DaringFireball · Sunday, 6 August - 20:55

    My thanks to Warp for sponsoring last week at DF. Warp is a blazingly fast, Rust-based terminal reimagined from the ground up to work like a modern app. A lot of “modern” terminal apps just offer ways to make your windows look cool — colors, transparency, stuff like that. Warp offers all of that in spades — it’s a very cool-looking terminal. But Warp is highly innovative in functional ways too. Even if you don’t care at all how your terminal looks, Warp is definitely worth checking out.

    Warp lets you edit your commands like in an IDE, with selections, auto-suggestions, and completion menus. Generate commands from natural language using AI so you don’t have to context switch to Google (or whatever your preferred search engine is) anymore. Navigate through your terminal output command-by-command instead of scrolling through a wall of text.

    And with the newly released Warp Drive, there’s a secure place to save your commands as workflows so you can annotate, share, and execute them on-demand.

    Warp works with bash, zsh, and fish (my favorite shell) and requires zero config. You can just download it and start using it. Warp is available today on Mac.

      ★ What’s the Deal With Sensor Tower? / DaringFireball · Saturday, 5 August - 19:52 · 11 minutes

    Hayden Field, reporting for CNBC last month:

    Last week, the text-based social media platform reported a record 100 million sign-ups in just five days, but according to data from Sensor Tower and Similarweb, the service has seen some dropoff in growth and engagement.

    “The Threads launch really did ‘break the internet,’ or at least the Sensor Tower models,” Anthony Bartolacci, managing director at Sensor Tower, a marketing intelligence firm, told CNBC. “In the 10-plus years Sensor Tower has been estimating app installs, the first 72 hours of Threads was truly in a class by itself.”

    But, he added, Sensor Tower data suggests a significant pullback in user engagement since Threads’ launch: On Tuesday and Wednesday, the platform’s number of daily active users was down about 20% from Saturday, and the time spent per user was down 50%, from 20 minutes to 10 minutes.

    I wrote earlier this week about the onslaught of “turns out Threads is a bust” news stories following in the wake of “Threads launches as a sensational hit” stories. One thing that’s struck me while following this is just how many of these stories cite Sensor Tower data. But how much should we take Sensor Tower’s usage data at face value? Sensor Tower can only estimate these numbers, it can’t know them. They aren’t Apple or Google (the owners of the app stores through which Threads remains exclusively distributed, and mobile OSes that report back analytics data from all users who opt in), nor do they have any access to Meta’s own copious data.

    Here’s what Sensor Tower claims about their data collection, under “Where our data comes from”:

    Our data scientists and algorithms process and enrich trillions of aggregated data points contributed to us from millions of devices, to cultivate our one-of-a-kind data estate. They get this data from a statistical panel of consumers we have built to continuously learn from millions of people around the world. Our panelists provide us data as they use our popular privacy-compliant mobile apps. We employ best practices to ensure that our panelists understand what data they are providing us in exchange for the use of our apps.

    The team in our app studio publishes apps in several categories:

    • Wellbeing [sic] apps aid in improving our users’ quality of life, such as ActionDash and StayFree

    • Games provide entertainment and escape for users, such as Melodies Run [sic, sort of¹]

    • Advanced apps and browser plugins provide convenience, such as Friendly Streaming, Friendly Retail, Stayfocusd and Adblock Luna

    So Sensor Tower’s information comes from analytics it collects from its own apps. They name these apps, but don’t link to them, so I will:

    • ActionDash — Exclusive to Android, ActionDash is described as a “screen time helper” that is “trusted globally by over 1 million users to break their phone addiction”. The developer is listed as “ActionDash”, not Sensor Tower, but the app’s website says “Copyright © 2020 Sensor Tower, Inc” in the footer. As a screen-time monitor, you can see how this app would, by definition, provide Sensor Tower with information about everything a user does on their phone.

    • StayFree — Another “screen time tracker”, available for both Android and iOS. The Android description:

      StayFree - Screen Time & Limit App Usage is a self control, productivity and phone addiction controller app that allows you to show how much time you spend on your smartphone and helps you focus by restricting the usage of apps. You can set usage limits for your apps and receive alerts when exceeding those usage limits.

      The iOS description:

      StayFree - Web Analytics & Screen Time Tracker is an analytics, self control, productivity, and web addiction controller extension. This app works with the Safari web browser on your iOS device. StayFree provides analytics to help you understand how you are using the internet (daily website usage statistics) and focus your time by restricting the usage of distracting websites.

      That’s a very different description. But the latest iOS release, version 2.2, claims:

      We are introducing usage monitoring for applications in addition to websites! This marks the first stage of the feature, which is currently in beta. Although it may initially be somewhat sluggish and prone to errors, we anticipate ongoing improvements in future updates.

      StayFree observes your Safari usage through an extension that prompts for permission to observe every single website you visit. Here’s the alert I OK’d to permit this. It monitors your app usage by asking for access to your Screen Time. I installed StayFree last week and, in the name of science, granted it access to both my web browsing and Screen Time. (I plan to delete it as soon as I publish this story.) I have found it to be exactly as described: very slow and prone to errors. What it does report can be viewed faster and with a better presentation in the Screen Time section of Settings. The StayFree Safari extension keeps many web pages from even loading for me.

    • Melody Run — An infinite runner game, where you slide the hero left/right to hit squares, and each square you hit plays the note from a song. You score gems that can be cashed in to unlock new songs, and you can collect hundreds of gems at a time by watching video ads, which seem to all be for other games. It strikes me as neither fun nor challenging but it is a real game, and there’s apparently a level editor you can unlock if you play more than I was willing to. The game seems identical on both iOS and Android, but only the iOS app asks whether you agree to let the game track you while using other apps. Even with tracking permitted, though, I fail to see how this game is able to collect the sort of detailed usage data Sensor Tower reports, except for your usage of other apps that embed the same tracking frameworks. There’s no way, for example, that playing Melody Run would allow Sensor Tower to gain any information about Threads. Not how long you use it, not how often you launch it, not even whether you have it installed. That’s the whole point of sandboxing.

    • Friendly — Sensor Tower mentions apps named Friendly Streaming and Friendly Retail. I can’t find any apps with those exact names, but I believe they’re referring to a small suite of apps from a company called Friendly, which publishes apps for iOS, MacOS, and Android. Friendly’s privacy policy declares that they’re “an affiliate of Sensor Tower Inc.” Friendly Social Browser is a web browser with built-in bookmarks for sites like Facebook, Twitter, and Instagram. Friendly Streaming Browser is a Mac app that’s just a web browser with built-in bookmarks for YouTube and major streaming sites. (Somehow Friendly Streaming Browser was deemed by Apple worthy of this App Store feature story.) Friendly Shopping Browser is, you guessed it, a web browser with built-in bookmarks for shopping sites like Amazon, Walmart, Costco, and Target. Friendly Shopping Insights is an app dedicated to Amazon — you log in with your Amazon credentials and it shows you your spending history and habits. Basically it’s an app that, I think, lets Sensor Tower see everything you buy or look at in Amazon, along with your purchase history. I say “I think” because I didn’t actually log into my Amazon account after installing it. Why anyone would ever use any of these apps I have no idea.

    • StayFocused — “a productivity extension for Google Chrome that helps you stay focused on work by restricting the amount of time you can spend on time-wasting websites.”

    • Adblock Luna — Adblock Luna is a VPN promoted specifically for ad blocking. When a VPN is installed and active, all network traffic is tunneled through the VPN. Your VPN provider can see (and thus track) everything you do on the internet, whether it’s through a browser (including private/incognito tabs) or an app. Sensor Tower claims “more than 15 million users have already installed Luna”. These users are an incredibly rich source of information for Sensor Tower.

      Adblock Luna is in Google’s Play Store, but when you tap the “Install for Android” button on the Luna website, instead of linking to the Play Store, they instead show this popover instructing you to (1) enable the Android setting to allow apps to be installed from unknown sources (a.k.a. sideloading); then (2) install the .apk app bundle that was just downloaded to your device. I don’t know why they steer users to sideloading rather than the version of Adblock Luna in the Play Store, but to me that’s a red flag.

      Adblock Luna is not in Apple’s App Store. For iOS devices, they direct you to this page. First, they require you type the year you were born to “prove” you’re over 18. Then you download a VPN profile and they walk you through the steps in Settings to enable their root trust certificate. It’s obvious why this isn’t in the App Store. This is about as close as you can get to installing third-party system software on iOS.

    So, I see three ways Sensor Tower collects usage information for apps and websites that aren’t their own: (1) ad-blocking web browser extensions, (2) screen time monitoring apps for Android and iOS, which on iOS requires access to Screen Time, and (3) the Adblock Luna VPN. (Perhaps I’m underestimating how much data they can collect from users who play Melody Run.)

    These apps may well be popular — again, they claim that Adblock Luna has been installed by over 15 million users — but is the data they collect from them representative of the general public? ActionDash and StayFree are advertised for people who are looking to “break their phone addiction”. Data collected from these apps might be accurate for those users, but are users who self-identify as having an “addiction” to their devices representative of the general public? This seems a bit like trying to glean beverage consumption statistics by polling self-professed alcoholics — neither those actively struggling with an addiction nor those who are successfully managing one strike me as likely to be representative of the general public.

    The user base for these apps must be comprised largely of technically naive, uninformed users. (Also: cheapskates, given that Sensor Tower’s tools are free of charge. Quite literally, their users are their product.) Both iOS and Android have built-in screen-time monitoring features, Screen Time on iOS, Digital Wellbeing on Android. Both allow you to track usage and set limits. If there’s a single advantage to installing ActionDash or StayFree instead of using the built-in system features, I don’t know what it is. Ad blocking, of course, is very popular, but using a VPN for ad blocking, instead of a web browser extension, is like using a chainsaw to remove the kernels from a cob of corn — not just overkill but dangerous. There’s a reason why it’s not in the iOS App Store, and why Sensor Tower steers Android users to a self-hosted version that’s not in the Play Store.

    The vast majority of the public would never even think to install a third-party screen-time monitor. And by most estimates, only 40 percent of people use ad blockers. Anyone looking for screen time monitoring and controls should use the built-in features on their device. I find it hard to believe that anyone who truly understands the nature of a VPN, when looking for an ad-blocking tool, would choose to use a free VPN from a data analytics company. But those are the people whose internet usage Sensor Tower tracks, and thus the people whom the mainstream news media blindly cites, by way of Sensor Tower’s pronouncements,² as representative of the world at large.

    The installation instructions for Adblock Luna are surely scary to non-technical laypeople, and they’re downright terrifying to anyone expert enough to understand how VPNs work. So who is left? The ignorant but brazen. Perhaps such people’s web and app usage really is representative of the public at large. But there’s no way to know. We can judge the accuracy of, say, political pollsters by comparing their data to the actual results of elections. There’s no such reckoning for the usage data published by Sensor Tower and their ilk. It’s all unverifiable, but never reported as such. The news media so badly wants to know usage data that they just accept Sensor Tower and other such firms’ pronouncements at face value, without ever describing — let alone questioning — how they ostensibly know what they claim to know about very private data.³

    Color me dubious.

    1. There’s a 2-star review in the Play Store that starts, “I rated 2 cause of this: you changed your name to melody run when its supposed to be melodies run. I can’t get to the level editor!” So I guess that explains why Sensor Tower’s website claims the game’s name is “Melodies Run” — that actually used to be the name. And at least one user is upset about the name changing to Melody Run. ↩︎

    2. There are other companies in the same racket as Sensor Tower. The next-most-frequently cited, at least in my reading, is Similarweb. Similarweb’s own description of how they source their data is far more opaque than Sensor Tower’s, and thus strikes me as even more dubious. ↩︎

    3. Here’s a thought exercise. Imagine if Apple and Google issued weekly reports revealing how many people used, say, the most popular 1,000 apps in their respective App Stores, along with how much time, on average, they spent using them. That would be data that could fairly be assumed to be accurate. But would not the major news media — publications such as The New York Times, that generally report on “Big Tech” in an unflattering light — object to such reporting as a violation of users’ collective privacy? As further proof that these companies know too much about us? But yet they echo the same information, when reported by Sensor Tower and Similarweb, without batting an eye or ever raising a question as to how this very private data is collected. ↩︎

      This post is public /2023/08/whats_the_deal_with_sensor_tower

      Android Spyware Maker LetMeSpy Shuts Down After Hacker Deletes Server Data / DaringFireball · Saturday, 5 August - 19:52 · 1 minute

    Zack Whittaker, reporting for TechCrunch:

    Poland-based spyware LetMeSpy is no longer operational and said it will shut down after a June data breach wiped out its servers, including its huge trove of data stolen from thousands of victims’ phones. [...]

    LetMeSpy was an Android phone monitoring app that was purposefully designed to stay hidden on a victim’s phone home screen, making the app difficult to detect and remove. When planted on a person’s phone — often by someone with knowledge of their phone passcode — apps like LetMeSpy continually steal that person’s messages, call logs and real-time location data.

    A copy of the database was obtained by nonprofit transparency collective DDoSecrets, which indexes leaked datasets in the public interest, and shared with TechCrunch for analysis. The data showed that LetMeSpy, until recently, had been used to steal data from more than 13,000 compromised Android devices worldwide, though LetMeSpy’s website claimed prior to the breach that it controlled more than 236,000 devices.

    The database also contained information that shows the spyware was developed by a Krakow-based tech company called Radeal, whose chief executive Rafal Lidwin did not respond to a request for comment. LetMeSpy is the latest spyware operation to shut down in the past year in the wake of a security incident that exposed victims’ data, but also the identities of its real-world operators.

    Like cockroaches scurrying when the lights come on.

      Where’s My Fainting Couch? / DaringFireball · Saturday, 5 August - 19:47

    Richard Lawler, reporting for The Verge:

    In news that isn’t very surprising given the recent history of Twitter, which Elon Musk is currently rebranding to X, the company won’t be able to make some promised payments on time. The X Support account says that because its “Ads Revenue Sharing” program is so popular, “We need a bit more time to review everything for the next payout and aim to get all eligible accounts paid as soon as possible.”

      ★ Oh to Be a Fly on the Wall During the Conversation Where Elon Musk Asks Tim Cook to Help X Corp Replace iOS as the Bedrock Everything Platform / DaringFireball · Friday, 4 August - 01:09 · 2 minutes

    Elon Musk, on Twitter/X:

    If you can afford it, please subscribe to as many creators on this platform as you find interesting. People from every corner of the world post incredible content on X, but often live in tough circumstances, where even a few hundred dollars a month changes their life.

    While we had previously said that X would keep nothing for the 12 months, then 10%, we are amending that policy to X keeps nothing forever, until payout exceeds $100k, then 10%. First 12 months is still free for all.

    Apple does take 30%, but I will speak with @tim_cook and see if that can be adjusted to be just 30% of what X keeps in order to maximize what creators receive.

    A couple of thoughts on this. First, it strikes me as exceedingly unlikely that Apple is going to carve out any sort of exception for X Corp. And even if Apple were to carve out an exception for Twitter creator subscriptions, it certainly wouldn’t be to only take 30 percent of what X Corp keeps from these subscriptions, especially given these — admittedly creator-friendly — terms.

    Second, even if Apple were in the business of carving out case-by-case exceptions to their in-app-purchase revenue split terms — and they’re not — why in the world would they grant such an exception to X Corp, when Musk’s oft-stated goal is to grow the platform into an “everything app” that encompasses chat, shopping, banking, entertainment, publishing, ride-hailing, and more? Gaming, of course, would be an area near and dear to Apple’s financial interests. As I wrote about this “everything app” pipe dream last October, the exemplars in Asia — WeChat in China, Line in Japan, etc. — are best thought of not as apps but as platforms, and we already have platforms that encompass everything: iOS and Android. This is why Apple (and Google) feel fully justified in taking their cuts of digital-goods transactions on their platforms — they’re the ones who built the platforms that enable this commerce. If Musk were to succeed in building X into an “everything app”, it would implicitly mean usurping the role iOS and Android play today as the everything platforms. Why would Apple help X Corp get started down that path by agreeing to let them conduct reduced-fee — let alone no-fee — transactions?

    Third, it’s striking to me that Musk only mentions Apple and Tim Cook. Not a word about Android. One factor is that Google dropped the Play Store’s revenue split for content subscriptions to 85/15 two years ago. I think Apple should drop their entire App Store fee structure to a flat 85/15, for purchases and subscriptions alike, for everything other than gaming (which is both where the money is and where a 70/30 split remains commensurate with the rest of the industry). But still, Google is charging 15 percent on every Twitter/X creator subscription made using the Android app. I suspect they’re escaping Musk’s attention simply because people on Android spend so much less money than people on iOS.

    Last, Musk doesn’t mention that these creator subscriptions can be made on X Corp’s website (…). Why not just pull the in-app subscriptions from X’s iPhone app and steer all purchases to the web? Probably because people are far less likely to subscribe over the web — which makes Apple’s case for them that they’re entitled to a hefty cut for having built a platform where people are so willing to buy and subscribe to things.

      This post is public /2023/08/fly_on_the_wall_musk_cook

      Apple Q3 2023 Results / DaringFireball · Friday, 4 August - 00:28

    Jason Snell, Six Colors:

    Apple announced its results for its fiscal third quarter on Thursday. As expected, it was a down quarter — though at a 1% drop over the year-ago quarter, it’s a better result than the previous quarter, which was down 3% year-over-year. The company reported $81.8B in revenue and $19.9B in profit.

    The three key hardware categories were all down year-over-year: Mac was down 7%, iPad was down 20%, and the all-important iPhone was down 2%. Things were a little different in the two portions of Apple’s business that have shown indefatigable growth in recent years: Services revenue was up 8% and the Wearables, Home, and Accessories category was up 2%.

    In a press release accompanying the results, Apple CFO Luca Maestri trumpeted that it has broken the billion paid subscriptions barrier.

    No big surprises. Still lots of switchers coming to iPhone and Mac, and a lot of first-time iPad buyers. That, to me, is a healthy pulse check.