Categories
Automobiles china Industrial Espionage International Trade and World Market Mergers, Acquisitions and Divestitures Solar Energy Uncategorized United States International Relations United States Politics and Government Wind Power

How China Obtains American Trade Secrets

BEIJING — The new trade deal between Washington and Beijing is intended in part to address one of the most acrimonious issues between them: China’s tactics in acquiring technology from companies based in the West.

It’s a thorny topic, and one that is unlikely to be fully solved with a trade pact.

The Trump administration blames China for stealing Western trade secrets, and it used those allegations as the legal basis for launching the trade war nearly two years ago. Trade talks between the two sides quickly became about broader issues, but the partial trade pact set to be signed on Wednesday includes pledges by China to stop some of the practices that Western businesses have long criticized. Depending on the details, that could make the deal more palatable for American businesses.

Underpinning these concerns is that China has repeatedly shown that it can acquire technology and, through heavy government subsidies, build competitive rivals to American companies. Businesses worry that it could do the same in other industries, like software and chips.

China has long denied that it forces foreign companies to give up technology. They do it willingly, Beijing asserts, to get access to China’s vast and growing market. Still, Chinese officials say they are taking steps to address the concerns.

The American authorities have long accused Chinese companies and individuals of hacking and other outright theft of American corporate secrets. And some in the Trump administration worry that Chinese companies are simply buying it through corporate deals.

American companies say Chinese companies also use more subtle tactics to get access to valuable technology.

Sometimes China requires foreign companies to form joint ventures with local firms in order to do business there, as in the case of the auto industry. It also sometimes requires that a certain percentage of a product’s value be manufactured locally, as it once did with wind turbines and solar panels.

The technology companies Apple and Amazon set up ventures with local partners to handle data in China to comply with internal security laws.

Companies are loath to accuse Chinese partners of theft for fear of getting punished. Business groups that represent them say Chinese companies use those corporate ties to pressure foreign partners into giving up secrets. They also say Chinese officials have pressured foreign companies to give them access to sensitive technology as part of a review process to make sure those products are safe for Chinese consumers.

Foreign business groups point to renewable energy as one area where China used some of these tactics to build homegrown industries.

Gamesa of Spain was the wind turbine market leader in China when Beijing mandated in 2005 that 70 percent of each wind turbine installed in China had to be manufactured inside the country. The company trained more than 500 suppliers in China to manufacture practically every part in its turbines. It set up a plant to assemble them in the city of Tianjin. Other multinational wind turbine manufacturers did the same.

The Obama administration questioned the policy as a violation of World Trade Organization rules and China withdrew it, but by then it was too late. Chinese state-controlled enterprises had begun to assemble turbines using the same suppliers. China is now the world’s biggest market for wind turbines, and they are mostly made by Chinese companies.

A somewhat similar industrial evolution occurred soon after in solar energy. China required that its first big municipal solar project only use solar panels that were at least 80 percent made in China. Companies rushed to produce in China and share technology.

The Chinese government also heavily subsidized the manufacture of solar panels, mostly for export. Chinese companies ended up producing most of the world’s solar panels.

Some in the Trump administration fear the same thing is happening in cars.

Shortly after opening China to foreign auto companies, Chinese officials held a competition among global automakers for who would be allowed to enter the market. The competition included a detailed review of each company’s offer to transfer technology to a joint venture to be formed with a Chinese state-owned partner.

General Motors beat out Ford Motor and Toyota by agreeing to build a state-of-the-art assembly plant in Shanghai with four dozen robots to make the latest Buicks. Executives at Volkswagen, the German automaker that had entered China even earlier, were furious, because competitive pressures forced them to upgrade their technology as well.

China is now the world’s largest car market. But except for a few luxury models, practically all of the cars sold in China are made there. Steep Chinese tariffs on imported cars and car parts have also played a role, as has the desire of foreign companies to avoid the costs and risks of transporting cars from distant production sites.

In the trade truce expected to be signed on Wednesday, Chinese officials have agreed not to force companies to transfer technology as a condition of doing business, and they undertook to punish firms that infringe on or steal trade secrets. China also agreed not to use Chinese companies to obtain sensitive technology through acquisitions.

Even before that, Chinese officials pledged to drop the joint venture requirement in areas like cars.

The question is whether China will stick to its pledges. Chinese officials have already issued rules echoing much of what they promised in Wednesday’s agreement. Foreign lawyers say the new rules have large loopholes. The rules give Chinese regulators broad discretion to act as they see fit in cases that involve “special circumstances,” “national state interests” and other fuzzy exceptions.

The trade pact calls for consultations within 90 days if the United States thinks Beijing is not living up to its commitments, but it is unclear whether the Trump administration could then force compliance. More broadly, the pact does not address China’s subsidies for new industries, a key factor in what happened in sectors like solar panels. China has largely rebuffed calls to rein in subsidies for homegrown competitors in industries like semiconductors, commercial aircraft, electric cars and other technologies of tomorrow.

The Trump administration is counting on tariffs to counterbalance that. The partial trade pact will leave in place broad tariffs on many of those industries to prevent Chinese competitors from flooding the American market. Leaving broad tariffs in place also gives Western companies a strong financial incentive to reconsider supply chains that are heavily reliant on China.

Categories
Uncategorized

Google Phone app could add support for call recording, code suggests

Code added in the latest version of the Google Phone app suggests that it could support native call recording in the future. XDA-Developers was first to spot the code, which appeared in the app downloaded to a Pixel 4. The dialer app adds a new layout, icon, and other assets consistent with a call recording feature. The Google Phone app is currently the default dialer application on devices including Pixel and Android One phones.

Call recording has had a bumpy road on Android over the years. The feature used to be widely available in third-party apps via an official call recording API, but this was removed with Android 6.0 Marshmallow. Then, with Android 9 Pie, Google removed the workarounds app developers had been using to continue to offer it. In many places, this limited call recording to OEM-specific dialers, some slightly hacky workarounds, and rooted phones. There have been reports that Google is working on bringing widespread call recording functionality back to Android, but “security and privacy implications” prevented it from arriving with Android 10.

Currently, Android call recording appears to be available via third-party apps in some countries and devices but not others, at least according to one app developer. The slightly confusing situation has probably got something to do with call recording laws, which differ a lot between different countries, and even between individual states in the US. While some places let one person record a call without informing the other participant, others require both to consent to it. Adding the functionality to the Google Phone app wouldn’t change the law, but it could make call recording easier in locations where it’s less restricted.

While the code could mean that Google is working on bringing call recording to Pixel and Android One phones, XDA speculates that its release could be limited to Xiaomi devices. The code appeared in the Google Phone app soon after Xiaomi announced it would be switching to using Google’s dialer in Europe instead of its own MIUI dialer, which previously allowed for call recording.

There’s no guarantee the code discovered will ever turn into a fully fledged feature, but after Google did such a good job with the Pixel 4’s Recorder app, it’s hard not to see the potential here.

Categories
California Data Storage General Data Protection Regulation (GDPR) Law and Legislation privacy Science and Technology Uncategorized

What’s the Price of Getting Your Data? More Data

The new year ushered in a landmark California privacy law that gives residents more control over how their digital data is used. The Golden State isn’t the only beneficiary, though, because many companies are extending the protections — the most important being the right to see and delete the personal data a company has — to all their customers in the United States.

In the fall, I took the right of access for a test drive, asking companies in the business of profiling and scoring consumers for their files on me. One of the companies, Sift, which assesses a user’s trustworthiness, sent me a 400-page file that contained years’ worth of my Airbnb messages, Yelp orders and Coinbase activity. Soon after my article was published, Sift was deluged with over 16,000 requests, forcing it to hire a vendor to deal with the crush.

That vendor, Berbix, helped verify the identity of people requesting data by asking them to upload photos of their government ID and to take a selfie. It then asked them to take a second selfie while following instructions. “Make sure you are looking happy or joyful and try again” was one such command.

Many people who read the article about my experience were alarmed by the information that Berbix asked for — and the need to smile for their secret file.

“This is a nightmare future where I can’t request my data from a creepy shadow credit bureau without putting on a smile for them, and it’s completely insane,” Jack Phelps, a software engineer in New York City, said in an email.

“It just seems wrong that we have to give up even more personal information,” wrote another reader, Barbara Clancy, a retired professor of neuroscience in Arkansas.

That’s the unpleasant reality: To get your personal data, you may have to give up more personal data. It seems awful at first. Alistair Barr of Bloomberg called it “the new privacy circle of hell.”

But there’s a good reason for this. Companies don’t want to give your data away to the wrong person, which has happened in the past. In 2018, Amazon sent 1,700 audio files of a customer talking to his Alexa to a stranger.

The right to have access to personal data is enshrined in the new California Consumer Privacy Act. The law is modeled in part on privacy regulations in Europe, known as the General Data Protection Regulation, or G.D.P.R. Soon after Europe’s law went into effect, in May 2018, a hacker gained access to the Spotify account of Jean Yang, a tech executive, and successfully filed a data request to download her home address, credit card information and a history of the music she had listened to.

Since then, two groups of researchers have demonstrated that it’s possible to fool the systems created to comply with G.D.P.R. to get someone else’s personal information.

One of the researchers, James Pavur, 24, a doctoral student at Oxford University, filed data requests on behalf of his research partner and wife, Casey Knerr, at 150 companies using information that was easily found for her online, such as her mailing address, email address and phone number. To make the requests, he created an email address that was a variation on Ms. Knerr’s name. A quarter of the companies sent him her file.

“I got her Social Security number, high school grades, a good chunk of information about her credit card,” Mr. Pavur said. “A threat intelligence company sent me all her user names and passwords that had been leaked.”

Mariano Di Martino and Pieter Robyns, computer science researchers at Hasselt University in Belgium, had the same success rate when they approached 55 financial, entertainment and news companies. They requested each other’s data, using more advanced techniques than those of Mr. Pavur, such as photoshopping each other’s government ID. In one case, Mr. Di Martino received the data file of a complete stranger whose name was similar to that of Mr. Robyns.

Both sets of researchers thought the new law giving the right to data was worthwhile. But they said companies needed to improve their security practices to avoid compromising customers’ privacy further.

“Companies are rushing to solutions that lead to insecure practices,” Mr. Robyns said.

Companies employ different techniques for verifying identity. Many simply ask for a photo of a driver’s license. Retail Equation, a company that decides whether a consumer can make returns at retailers like Best Buy and Victoria’s Secret, asks only for a name and driver’s license number.

The wide array of companies now required to hand over data, from Baskin Robbins to The New York Times, have varying levels of security expertise and experience in providing data to consumers.

Companies such as Apple, Amazon and Twitter can ask users to verify their identity by logging into their platforms. All three give a heads-up via email after data is requested, which can help warn people if a hacker got access to their account. An Apple spokesman said that after a request is made, the company uses additional methods to verify the person’s identity, though the company said it couldn’t disclose those methods for security reasons.

If consumers can’t verify their identity by logging into an existing account, Mr. Di Martino and Mr. Robyns recommend that companies email them, call them or ask them for information that only they should know, such as the invoice number on a recent bill.

“Regulators need to think more about the unintended consequences of empowering individuals to access and delete their data,” said Steve Kirkham, who worked on Airbnb’s trust and safety team for five years, before founding Berbix in 2018. “We want to prevent fraudulent requests and let the good ones go through.”

It is on regulators’ minds. The California law requires businesses to “verify the identity of the consumer making the request to a reasonable degree of certainty” and to have a more stringent verification process for “sensitive or valuable personal information.”

Mr. Kirkham said Berbix requested the first selfie to test whether a person’s face matched their ID; the second selfie, with a smile or some other facial expression, ensures that someone isn’t simply holding a photo up to the camera. Mr. Kirkham said Berbix ultimately deleted the data collected within seven days to a year, depending on the retention period requested by the company that hires the firm. (Sift deletes its data after two weeks.)

“It’s a new threat vector companies should consider,” said Blake Brannon, vice president of product at OneTrust, another company that helps businesses comply with the new data privacy laws. OneTrust offers the 4,500 organizations using its service the option to create several levels of identity verification, such as sending a token to someone’s phone or verifying ownership of an email address.

“If I’m requesting something simple or lightweight, the verification is minimal, versus a deletion request,” Mr. Brannon said. “That will require more levels of verification.”

Mr. Kirkham of Berbix said the verification process discouraged some people from making the data request at all.

“A lot of people don’t want to give more information,” Mr. Kirkham said. “Their assumption is that you will do something nefarious with it.”

He added: “But that’s the irony here. We require additional information from people to protect them. We want to make sure you are who you say you are.”

Categories
Uncategorized

One of the Wii U’s best RPGs is even better on the Switch

At this point, there are vanishingly few reasons to hang on to a Wii U. Since the debut of the Switch in 2017, Nintendo has steadily been porting the Wii U’s best games to its hybrid device, titles that originally didn’t reach a massive audience because the console was largely a flop. That includes everything from Donkey Kong Country: Tropical Freeze to Mario Kart 8 to New Super Mario Bros. U. So far the strategy has worked. In fact, Mario Kart 8 Deluxe is the Switch’s bestselling title, moving close to 20 million copies.

This week, one of the last great Wii U games is making its belated debut on the Switch. Tokyo Mirage Sessions may not be a huge Nintendo franchise, but for role-playing game fans, it’s worth checking out. It blends elements of Persona and Fire Emblem, and then covers them with a fine layer of candy-coated J-pop style. It’s yet another experience that benefits tremendously from the flexible nature of the Switch.

Tokyo Mirage Sessions takes place in modern-day Tokyo, and puts you in the role of a young kid named Itsuki, who, along with some friends, gets pulled into a strange struggle for the fate of the world. Hostile beings called mirages have been attacking the city, often resulting in the disappearance of citizens. In order to fight them off, Itsuki and team have to travel into a sort of parallel dimension filled with dark monsters. Practically speaking, it’s a dungeon-crawling RPG with turn-based battles, where you slowly make your way through various dangerous spaces.

What makes the game stand out is its pop music theme. It’s infused into virtually every aspect of the experience. The main characters aren’t just teens who save the world in their spare time, they’re also budding pop idols. When they enter into battle they’re thrust onto a stage full of screaming fans, while the in-game cut scenes are more like animated J-pop videos. Even the menu reflects the musical theme: characters are called artists, and you adjust their gear by heading to wardrobe. The result is a game that features much of what has made the Persona series so beloved — minus the social links feature — but with a much brighter, more colorful tone.

(For more on the game itself, be sure to check out our review of the original.)

It’s becoming cliche to say that a game is perfect for the Switch, but RPGs in particular benefit from the platform. Tokyo Mirage Sessions is a great example of this. So much of the experience is slowly trawling through maze-like dungeons, with plenty of strategic battles along the way. These moments are perfect for playing on the go, while the story sequences — particularly the gorgeous cut scenes — benefit from a bigger screen. Either way, the game looks great, and the copious text and menus are still legible on a small display. Functionally, the two versions of Tokyo Mirage Sessions are virtually identical, but when a game takes dozens of hours to complete, being able to play how and when you want is a huge deal.

There is one notable change. One of the more unique aspects of the original was its in-game smartphone. Much of the dialogue took place via group texts, and the game handled this in a novel way: you’d pull out your phone in the game, and then look down at the screen on the Wii U’s GamePad to actually read and reply to messages. It was one of the few games that actually made smart use of the console’s unwieldy controller. Obviously that isn’t possible on the Switch. But surprisingly, it still works just fine; the messaging app simply takes over the TV screen instead. It’s not as cool, but you don’t lose anything aside from the novelty factor.

One of the most-requested Switch ports right now is the sprawling JRPG Persona 5. But, aside from an upcoming spinoff, it doesn’t look like that will happen any time soon. Tokyo Mirage Sessions is the next best thing, and yet another perfect fit for the Switch. It’s a game that didn’t get nearly enough attention as it deserved at launch — but one that will hopefully find new life on Nintendo’s tablet.

Tokyo Mirage Sessions launches on January 17th on the Nintendo Switch.

Categories
Uncategorized

Spotify will now make a playlist for your cat

Spotify is launching a silly new playlist generator today that promises to create a playlist that both you and your pet will enjoy. The whole thing seems to be designed to go viral, which is one of the ways Spotify has had luck standing out from competitors like Apple Music that have largely the same exact music offering.

To get a playlist for your pet, you have to head over to Spotify’s Pet Playlist website. It then presents you with five pet options — cat, dog, iguana, bird, or hamster — and asks you to define a few personality traits, like whether they’re energetic or relaxed, shy or friendly, and apathetic or curious. You can then add your pet’s name and a photo, and Spotify will spit out a playlist icon with your animal’s name on it.

The playlist generator seems to grab songs that Spotify thinks you — the human owner and operator of the Spotify account — might enjoy, with how fast, slow, or varied they are, depending on the personality traits you chose. The site determined that my extremely energetic cat Pretzel would like Black Moth Super Rainbow, Das Racist, and The Smiths. These are all bands that I’m sure I’ve listened to on Spotify but not with any regularity. For good measure, it also threw in a handful of songs that just happen to have the word “cat” in the title, like The Rolling Stones’ “Stray Cat Blues” and Hot Chip’s “Alley Cats.” I hate to say it, but the playlist seems pretty good.

As for whether my cat will like it, that’s harder to say. He’s never really acknowledged playing music before, though he does quite enjoy sitting on top of my bookshelf speaker.

Categories
Uncategorized

Twitter’s Jack Dorsey on edit button: ‘We’ll probably never do it’

Twitter users have been asking for the option to edit tweets ever since the service launched in 2006, but the company has always prevaricated, saying it’s looking into the problem, or considering it deeply, or a hundred other ways of saying “please stop bothering us about this, please.”

Now, Twitter CEO Jack Dorsey has given perhaps the most definitive answer on the question to date. During a video Q&A with Wired, Dorsey was asked if there’ll be an edit button for Twitter in 2020. He replies, with a faint smile: “The answer is no.” Watch below:

This isn’t a huge surprise. Although Twitter’s users have long argued for the benefits of an edit button, the company has always been ambivalent; happy to consider the question to placate its users, but never actually committing to a fix. As Twitter’s product lead Kayvon Beykpour said last summer: “Honestly, it’s a feature that I think we should build at some point, but it’s not anywhere near the top of our priorities.”

In the video Q&A, Dorsey expands on this thinking, noting that the decision to leave out an edit button has its roots in Twitter’s original design. “We started as an SMS, text message service. And as you all know, when you send a text, you can’t really take it back,” he says. “We wanted to preserve that vibe, that feeling, in the early days.”

He notes that the service has moved on since, but the company doesn’t consider an edit button worth it. There are good reasons for editing tweets, he says, like fixing typos and broken links, but also malicious applications, like editing content to mislead people.

“So, these are all the considerations,” says Dorsey. “But we’ll probably never do it.”

But again, note that there’s just a sliver of ambiguity in what he says (“we’ll probably never do it”), which leaves open the possibility of enabling edits in future. Whether out of strategy or spite, Dorsey just won’t fully commit to an answer, giving himself the option of changing his mind in future. At least, then, he understands the appeal of an edit button.

Categories
Uncategorized

Windows 7 is gone, but what’s next for Windows 10?

Yesterday’s computer news was about something old: Windows 7. After 11 years, Microsoft is officially ending support for it — though as Tom Warren notes, there’s a healthy chance the company will blink and provide some kind of security update at some point for something critical.

Windows has a reputation for shipping a good version, then a bad version. Windows 7 was one of the good versions, and upgrades to Windows 10 are free for consumers. That means you can skip right over Windows 8, and more power to you.

Now, the future for Windows is harder to divine. Microsoft won’t be releasing a “Windows 11,” but instead updating Windows 10 on whatever cadence it can decide on from year to year. Early on it seemed like it wanted to be a lot like Chrome OS in issuing updates on a regular and frequent cadence, but lately things are moving a little slower as some bugs have crept in. There’s also Windows 10X coming later this year, the version of Windows 10 designed for foldable devices.

When I interviewed Microsoft’s CEO back in May 2018 (time flies!!), it was clear to me that Microsoft wants to make sure its fortunes don’t depend on Windows — and Nadella has achieved that goal already. Microsoft is as focused on making sure its software runs well on other platforms as it is on maintaining the platform that made the company — maybe more so.

I think the action for the next while is going to be centered around the new Edge browser — based on Chromium — and what Microsoft can do with it. I’m confident the Edge browser itself will run fairly well and hopeful it’ll be less of a battery killer than Chrome. For me, the thing to watch is whether Microsoft can use that technology elsewhere in Windows and Office or if Edge will just feel tacked-on.

Goodbye, Windows 7

Microsoft bids farewell to Windows 7 and the millions of PCs that still run it

Thank you to Windows 7 for undoing some of Vista’s excesses. Thank you also to Windows 7 for being good enough to allow millions of people to skip Windows 8 because of its excesses. You have been stalwart and true, but now is the time for you to rest. May your registry always be clean and your start menu uncluttered.

I salute you, oh Windows 7, with the salute emoticon, which happily includes the number seven: o7

How to upgrade from Windows 7 to Windows 10 for free

The PC market just had its first year of growth since 2011

With Microsoft ending support for Windows 7 today, businesses around the world are being forced to upgrade their legacy devices, leading to “vibrant business demand” for Windows 10, according to Gartner.

Microsoft patches Windows 10 security flaw discovered by the NSA

It’s unusual to see the NSA reporting these types of vulnerabilities directly to Microsoft, but it’s not the first time the government agency has done so. This is the first time the NSA has accepted attribution from Microsoft for a vulnerability report, though

More news from The Verge

Trump accuses Apple of refusing to unlock criminals’ iPhones, setting the stage for a fight

Latest Galaxy S20 Plus leak shows off 120Hz display and no headphone jack

Max Weinbach is back with more details and specs. Looks like 120Hz screens is going to be baseline for Android flagships this year. I’m also intrigued by the taller/longer shape. I really did like it on the Sony Xperia phones last year.

By the way — the consensus is that “Bloom” was the codename for Samsung’s folding phone and the actual product name is going to be “Galaxy Z Flip.” I think my concerns about addressing gender could still stand, though, depending on how Samsung positions the phone. I will say that the only thing that endears me to the phrase “Galaxy Z Flip” is that is has the last three letters of the English alphabet all a row.

Yahoo parent Verizon promises it won’t track you with OneSearch, its new privacy-focused search engine

From the company that brought you the Super Cookie, a …privacy-focused search engine? Fool me once but I guess we could take Verizon at its word here, because it would be quite a scandal if it turned out otherwise. Maybe.

Let’s just call this a trust-but-verify kind of situation — if we’ve learned anything about tracking over the past decade, its that people find ways to do it that you never would have imagined.

Jeopardy! The Greatest of All Time is the GOAT of low-stakes television

One sign of admiration that you can see in this article and everywhere else is that we write it “Jeopardy!,” exclamation point included and do so without the usual millennial irony. (Or is it Gen X irony?). If you want to teach somebody how to be stoic, kind, funny, and empathetic all at once, you could do a lot worse than sit them down have them watch Alex Trebek host this show.

Time zones mess up more than just your sense of time

You might think you know what you’re getting into with this video by Cory Zapatka and Verge Science, but it takes a fascinating and vital turn halfway through. For some, setting their watch is a political act.

Coral is Google’s quiet initiative to enable AI without the cloud

Little, easily programmable AI chips are going to be an essential part of our computing infrastructure — it can’t all go to the cloud. James Vincent looks into Google’s offering in that regard, Coral. It’s a little too tightly tied to Google’s own AI ecosystem for many, though.

Anyway, if you’ve heard Microsoft CEO Satya Nadella talk about “the intelligent edge” any time in the past year and wondered what he’s on about, this story is a good primer on what these devices are, why they’re needed, and what their potential might be — whether they’re made by Google or not.

Instagram starts bringing DMs to the web

Good get from Ashley Carman. Access on the desktop may not be the main way mobile chat apps are used these days, but it’s essential for people who have office jobs. If you’re staring at a certain screen all day and your fingers are on a certain keyboard, you’re more likely to use the chat app that can appear on that screen and work with that keyboard.

Google to ‘phase out’ third-party cookies in Chrome, but not for two years

Here’s me, touching briefly on what’s going on with the browser war. It really does inflame a lot of passions and I really do think every side here is not giving the other side the benefit of the doubt. And that those sides would probably say ‘you darn tootin’ we’re not giving those varmints the benefit of the doubt!’ That’s how web developers talk, you see. There are very good reasons for everybody to distrust everybody else in this whole privacy mess.

Here comes the cliche, though: good, so long as all that contention leads to a more resilient and long-lasting solution. We need to have this conversation and the web and the browsers we use to access it need to develop more quickly. Too many things are broken right now.

SpaceX continues to blast satellites into orbit as the space community worries

Elon Musk’s plan to put 42,000(!) internet-providing satellites into space raises a lot of legitimate issues, especially when it comes to tracking satellites and preventing collisions. Loren Grush has a deep, nuanced look at the current state of things for both that and astronomy. Worth your time:

The truth about Starlink is that there is no solid truth. Depending on who you ask, the constellation either won’t be that much of a problem, or it will lead to a space apocalypse

OnePlus CEO Pete Lau doesn’t think folding phones are good enough

This was a fun podcast — Lau’s first, he says.

Categories
Cluster Munitions Defense Department Iraq Iraq War (2003-11) Iraqi Army Persian Gulf War Shanahan, Patrick M (1962- ) Uncategorized United States Army United States Defense and Military Forces

A Myth That Won’t Die About a Gulf War Weapon, and Why It Matters

At the end of Operation Desert Storm in early 1991, the United States Army was extolling the performance of America’s new and technically advanced weapons. Making their combat debuts were the Patriot missile, the Bradley Fighting Vehicle, the Abrams tank and a somewhat curious looking truck that looked like a cross between a tank and a shipping container: the M270 Multiple Launch Rocket System, or M.L.R.S., with the chassis and treads of a Bradley and two packs of six rockets on its back.

Each rocket carried 644 dual-purpose improved conventional munitions, or DPICM grenades, which looked like D-cell batteries with a nylon loop streaming from the top. The trucks were designed to fire 12 of these rockets in less than one minute and spread 7,728 small explosive charges over 30 acres. The rockets could be fired deep into enemy territory — dropping millions of explosive charges onto large groups of armored vehicles — without American forces ever having to get near enemy territory.

[Sign up for the weekly At War newsletter to receive stories about duty, conflict and consequence.]

Rumors were soon circulating that Iraqi soldiers had been so overwhelmed by the M.L.R.S.’s firepower that they had begged the Americans to stop dropping the “steel rain.” For the Army’s long-range artillery units, this phrase became a rallying cry, and a way to evoke the overwhelming victory that left America’s enemy trembling with fear — even today. The problem, however, is that the documentation behind the steel-rain narrative does not exist.

Though some Iraqi soldiers may have been scared of those rockets and their effects, there seem to be no official interrogation records confirming it. There is also evidence that the steel-rain moniker predates Desert Storm in American artillery circles. But those details got lost in the mythmaking.

Just two years after the war’s end, the Government Accountability Office reported that M.L.R.S. rockets failed at far higher rates in combat than the Army had advertised, and that dud grenades left over from rocket attacks had killed and wounded at least 16 American troops. An Army report in the early 2000s noted that even though the M.L.R.S. was deployed in Bosnia and Kosovo in the 1990s, “not one rocket was fired because of the lack of precision and potential for collateral damage as well as the high submunition dud rate.” By the 2000s, the Army seemed to be moving away from the old unguided M.L.R.S. rockets all together, and the steel rain myth seemed to go with it.

But it’s now making a comeback. Advocates in recent years have repeatedly and enthusiastically cited the steel-rain myth as they call on the Pentagon to bring back long-range artillery rockets and missiles in the face of rising tensions with Russia and China — and military planners are listening. As the Army looks to invest in an artillery force that was deliberately gutted for much of the conflicts in Iraq and Afghanistan, it’s important to look back at the lionization of M.L.R.S. cluster weapons used during the Persian Gulf war and the misconceptions that surround them.

What is this “steel rain” myth, and where did it come from?

On May 9, 1991, the Army’s chief of staff gave a speech at a gathering of senior artillery leaders at Fort Sill, Okla. — the home of Army and Marine Corps artillery. Gen. Carl Vuono, a career artillery officer, was pumping up the troops with tales of how well the Pentagon’s howitzers and ground-fired rockets had performed in the desert sands of Kuwait and Iraq. “It was training that created the skill in artillery batteries to bring such timely and accurate fires on the Iraqis, which they described as ‘steel rain,’” Vuono said.

What’s inaccurate about this story?

Reporters in the region in February 1991 — during the Desert Storm air and artillery campaign that preceded the ground war — wrote that it was American soldiers themselves who were calling their M.L.R.S. rocket attacks “steel rain.” A now-retired Army colonel named Hampton Hite — who as a captain commanded one of the M.L.R.S. batteries firing at Iraqi targets and was briefly interviewed in a Washington Post report about the rocket system — confirmed to The Times in 2017 that his unit (A Battery, 21st Field Artillery) had used the radio call sign “Steel Rain” since the unit was established in 1986. His soldiers would have been using that name on radio networks heard by many troops in other units, and it is possible that those other soldiers conflated that name with the rockets Hite’s battery fired. “I don’t doubt that these Iraqi P.O.W.s didn’t like being on the receiving end of M.L.R.S.,” Hampton said in 2017. “But I know for a fact that ‘steel rain’ didn’t come from them.”

How did the story spread?

Vuono’s speech injected the story directly into the artillery corps’s bloodstream. He was echoed by Maj. Gen. Raphael J. Hallada, the head of Army field artillery at the time. “As recipients of your firepower and also professional admirers,” Hallada wrote in June 1991 for Field Artillery, an Army journal, “the Iraqi enemy prisoners of war spoke of the terrible, pervasive ‘Steel Rain’ of your cannons and rockets.” The name evolved a bit, with one officer calling it “iron rain” in the same journal a few months later, though he still attributed the coining of the term to Iraqi prisoners.

The Defense Department’s final report to Congress on Desert Storm, published in April 1992, transmitted the narrative to lawmakers, saying that the M.L.R.S. had “a tremendous psychological impact on Iraqi soldiers. Enemy soldiers were terrified of its destructive force, which they sometimes referred to as ‘steel rain.’ ” The myth was then chiseled into stone in the Army’s own history of the war, which was made public in 1993 and sold as a book.

That document also misattributed a mass-fratricide bomblet attack on a unit of the First Armored Division to enemy fire. It correctly states that one American cavalry troop suffered at least 23 wounded when howitzers fired cluster shells at them; however, in a 2017 interview with The Times, the squadron operations officer at the time, Mark Hertling, now a retired lieutenant general, says he believes it was friendly fire that wounded his soldiers. Hertling himself was awarded a Purple Heart for shrapnel wounds he suffered in that incident.

So did Iraqis really surrender because of these artillery bomblets?

A lot of Iraqi soldiers surrendered to allied troops in 1991, but without the Pentagon’s producing the records, there are no publicly available documents that point to Iraqis’ surrendering specifically because of these DPICM grenades falling on them. Responding to a query from The Times, the Department of the Army was unable to locate any records from Desert Storm that cited Iraqi prisoners calling M.L.R.S. “steel rain,” and did not respond when asked if the service would continue to stand by its story. The only sources offering the narrative about Iraqis doing so are those written by Army artillery soldiers in the months and years following Desert Storm, citing secondhand accounts.

How did these rocket and artillery bomblets perform in combat?

In many cases, they failed to work as advertised. They were supposed to be able to destroy Soviet armored vehicles, with small armor-piercing warheads. But the attack on the First Armored Unit shows that the DPICMs not only failed to destroy Bradley Fighting Vehicles; they also failed to destroy the troop’s unarmored Chevrolet S.U.V.s — even those that took more than one direct hit.

These weapons had a much more pernicious effect, though, that was barely mentioned in the Army’s 1993 history. American howitzers fired nearly 27,450 cluster shells in the war, and batteries fired more than 17,000 submunition-loaded rockets. In all, those munitions disgorged 13.7 million DPICM grenades on Iraq and Kuwait. Pentagon documents estimate that between 10 and 20 percent or more likely failed to explode on impact, littering the battlefield with highly dangerous duds that would still explode if disturbed.

Why didn’t they work like they were supposed to?

During Desert Storm, the simplest reason is that the bomblets often landed in soft sand, when they were designed to hit the steel plates of armored vehicles. These submunitions relied on a simple fuze that needed to hit its target within a certain angle and provide enough resistance to work. Before his 2018 death, Bill Kincheloe, the inventor of that submunition’s fuze, gave multiple interviews to The Times and explained those parameters. “When that thing hits the ground, it has to hit within 45 degrees to fire,” Kincheloe said. “If it hits at 46 degrees, it won’t fire.” Kincheloe said that the sloped sides of tire tracks and footprints left in the sand could provide enough of an angle to send the submunitions tumbling upon impact, instead of detonating. The problem was even more acute because in early 1991, frequent and unusually intense rainstorms made the sand those bomblets landed in even softer. “If you dropped them on the soft sand, about 60 percent would go off,” Kincheloe said. “You’d have between 3 and 12 percent plain old duds, and the rest would be ground-impact duds.”

Some lessons of Desert Storm went unheeded when the United States went to war with Iraq in 2003. Whether because of the “steel rain” myth or not, the military still considered DPICM weapons desirable. One Army unit fired nearly 800 M.L.R.S. rockets after the invasion, and at least one Marine artillery unit shot cluster artillery shells in combat.

Their use had some unfortunate and completely foreseeable negative effects on civilians and American troops alike. A dud DPICM fired in a strike on a suspected insurgent position in late March 2003 exploded after Lance Cpl. Jesus A. Suarez del Solar accidentally stepped on it near Ad Diwaniyah, killing him. In July 2003, Cpl. Travis Bradach-Nall died near Karbala after a Marine nearby dropped a DPICM grenade he was trying to defuse, causing it to detonate.

Are these same weapons being added to the Army’s artillery arsenal today?

In the mid-1990s, when the Pentagon decided to make a precision-guided version of the M.L.R.S. rocket, the first variant was going to contain 406 DPICM grenades with more reliable fuzes that would also cause any duds to detonate after a set amount of time. Israeli Military Industries, the manufacturer of these grenades, claimed that they had a dud rate of less than 1 percent — an attractive feature for American military officials. However, despite spending millions in live-fire testing at ranges in New Mexico and Arizona, the dud rate was still around 5 percent, and the program was canceled in late 2008.

After several different Army munition-development initiatives failed to create a new kind of DPICM with a lower dud rate, the Pentagon appears to have given up on the idea. The effort to improve their reliability was driven in part by a directive from the secretary of defense in 2008 that would have prohibited the use existing cluster munitions like M26 rockets and DPICM artillery shells after 2018 because of their high dud rates, and mandated that only cluster weapons with a reliability rate over 99 percent could be used from then on. In the interim, new weapons programs designed to meet that standard were failing in tests, and the Army began to destroy its less-reliable weapons. That changed abruptly in late 2017 when the Pentagon reversed course and decided to simply retain the massive stockpile of older munitions that performed so poorly in Desert Storm. Patrick Shanahan, the deputy secretary of defense at the time, indicated that they would be kept in service for use in a potential war with North Korea.

As for how many of them remain, the military does not typically disclose its weapons inventories in real time, but there is relatively recent data available in online briefings. According to one report, the Army still had 360,192 rockets in its inventory in 2008. And a 2012 Army briefing noted that the service still had more than 3.6 million 155-millimeter DPICM artillery shells.

The Pentagon’s interest in long-range artillery rockets and missiles continues, though it is unclear whether new models will incorporate cluster-munition warheads. The maximum range of the Pentagon’s current inventory of ground-launched missiles was limited since the 1980s by the Intermediate-Range Nuclear Forces Treaty, but following the United States’ withdrawal from that treaty last year, the Pentagon can once again field land-based missiles that can fly more than 300 miles before striking their targets — meaning for the first time in more than 30 years the Pentagon is pursuing nonnuclear weapons that can fly as far as modern technology allows. Defense contractors are already offering prototypes for the Army’s consideration, and Congress allocated $160 million for the program in 2019 and $243 million in 2020.

Categories
computer security Computers and the Internet Cyberattacks and Hackers Cyberwarfare and Defense Espionage and Intelligence Services Microsoft Corp National Security Agency North Korea russia Shadow Brokers Software Uncategorized Windows (Operating System)

N.S.A. Takes Step Toward Protecting World’s Computers, Not Just Hacking Them

WASHINGTON — The National Security Agency has taken a significant step toward protecting the world’s computer systems, announcing Tuesday that it alerted Microsoft to a vulnerability in its Windows operating system rather than following the agency’s typical approach of keeping quiet and exploiting the flaw to develop cyberweapons.

The warning allowed Microsoft to develop a patch for the problem and gave the government an early start on fixing the vulnerability. In years past, the National Security Agency has collected all manner of computer vulnerabilities to gain access to digital networks to gather intelligence and generate hacking tools to use against American adversaries.

But that policy was heavily criticized in recent years when the agency lost control of some of those tools, which fell into the hands of cybercriminals and other malicious actors, including North Korean and Russian hackers.

By taking credit for spotting a critical vulnerability and leading the call to update computer systems, the National Security Agency appeared to adopt a shift in strategy and took on an unusually public role for one of the most secretive arms of the American government. The move shows the degree to which the agency was bruised by accusations that it caused hundreds of millions of dollars in preventable damage by allowing vulnerabilities to circulate.

“We wanted to take a new approach to sharing and also really work to build trust with the cybersecurity community,” Anne Neuberger, the agency’s cybersecurity director, told reporters.

The vulnerability exists in Windows 10, Microsoft’s flagship operating system, as well as some versions of its server software. It allows hackers to insert malicious code into a target computer and make it appear to be from a safe and trusted source. The vulnerability could also allow hackers to decrypt secret communications.

The vulnerability was serious, officials said. The National Security Agency warned government officials who oversee classified systems about the flaw and the coming Microsoft patch before discussing it publicly, Ms. Neuberger said.

The agency has in the past privately shared vulnerabilities it found with Microsoft and other technology companies. During the Obama administration, officials said, they shared about 90 percent of the flaws they discovered.

But the agency never allowed those firms to publicly identify the agency as the source of those discoveries, Ms. Neuberger said. The agency wanted the public acknowledgment of its role in finding the new defect to demonstrate the importance of patching the flaw, she said.

“Ensuring vulnerabilities can be mitigated is an absolute priority,” Ms. Neuberger said.

The National Security Agency’s action suggests the vulnerability for American government systems likely outweighed its usefulness as a tool for the agency to gather intelligence.

Experts and technology companies praised the agency. But some noted that even as one arm of the government was moving to protect the public’s ability to encrypt its communications, another was taking the opposite tack. A day earlier, the Justice Department called on Apple to break the encryption on its phones, and it has pushed for so-called back doors on Facebook’s encrypted message services.

The Washington Post earlier reported on the agency’s warning to Microsoft, which released a patch for the vulnerability on Tuesday.

Customers who automatically update their operating systems or applied Tuesday’s patch “are already protected,” said Jeff Jones, a senior director at Microsoft.

Microsoft said no evidence had emerged that malicious actors had exploited the vulnerability and said its security software could detect malware trying to do so.

The National Security Agency’s decision to reveal the flaw to Microsoft — and then to publicly announce its move — is in sharp contrast to how it handled another flaw that it discovered but told Microsoft about too late to prevent global damage.

In early 2017, agency officials told Microsoft’s president, Brad Smith, that it had found a flaw in its operating systems but lost it to a group called the Shadow Brokers, which somehow obtained hacking tools that the United States had used to spy on other countries. The agency had known about the flaw for some time but held on to it, believing that one day it might be useful for surveillance or the development of a cyberweapon.

But when the agency’s arsenal of flaws leaked out — presumably through insiders, though the National Security Agency has never said — among it was code nicknamed “Eternal Blue.” While Microsoft had raced to get people to patch the erroneous code, many systems remained unprotected.

Soon North Korean hackers used the code to develop “WannaCry,” software that crippled the British health care system, which used an outdated version of Microsoft Windows. And Russian hackers used it in the NotPetya attacks, among the most damaging cyberattacks in history, costing hundreds of million of dollars to companies including FedEx and Maersk, the shipping giant.

The agency dismissed the idea that it was responsible for the malicious use of the code — arguing that the responsibility lay with North Korea and Russia, which mounted the attacks. But privately, many agency officials acknowledged that the tendency to hoard such flaws in hopes of developing weapons had come at a huge price and that the United States bore some responsibility for the damage caused by Eternal Blue and other tools.

Some experts believe Eternal Blue is continuing to cause problems, allowing hackers to disrupt computer systems.

The White House often decides whether to hold on to a flaw for future use or reveal it to the manufacturer. Obama administration officials set up a system to make the decision. Trump administration officials say a similar process still exists, but they have stopped publishing information about the percentage of vulnerabilities they make public.

The National Security Council reviewed the latest decision to share information about the new flaw with Microsoft, Ms. Neuberger said.

The vulnerability involves Windows’ digital signature system, according to one of the people familiar with the issue. Microsoft, and other companies, use digital signatures to identify software and updates as authentic.

The vulnerability unearthed by the National Security Agency could potentially allow a hacker to add a fake signature that could allow malware to be inserted onto a vulnerable computer. Because the vulnerability was not yet public, no known malware has taken advantage of it.

Criminal hackers or nation states typically take weeks to exploit a new vulnerability, so businesses, governments and individuals may have a little time to install the security patch developed by Microsoft. Experts urged them to move quickly nonetheless.

It was not clear how much of a strategic shift the agency’s announcement amounted to. The agency presumably is still hunting for vulnerabilities and flaws that could allow them to infiltrate Iranian computer systems, as well as those used by Russia, China and other adversarial countries.

But if the agency continues to follow the example set Tuesday, future vulnerabilities that affect not just one critical computer system but instead millions of users or more across the world, its experts could help fix the problem rather than exploit it.

Categories
Apple Inc Barr, William P computer security Computers and the Internet Cook, Timothy D Corporate Social Responsibility iPhone Justice Department Naval Air Station Pensacola Shooting (2019) privacy Software Uncategorized United States Politics and Government

Apple Takes a (Cautious) Stand Against Opening a Killer’s iPhones

SAN FRANCISCO — Apple is privately preparing for a legal fight with the Justice Department to defend encryption on its iPhones while publicly trying to defuse the dispute, as the technology giant navigates an increasingly tricky line between its customers and the Trump administration.

Timothy D. Cook, Apple’s chief executive, has marshaled a handful of top advisers, while Attorney General William P. Barr has taken aim at the company and asked it to help penetrate two phones used by a gunman in a deadly shooting last month at a naval air station in Pensacola, Fla.

Executives at Apple have been surprised by the case’s quick escalation, said people familiar with the company who were not authorized to speak publicly. And there is frustration and skepticism among some on the Apple team working on the issue that the Justice Department hasn’t spent enough time trying to get into the iPhones with third-party tools, said one person with knowledge of the matter.

The situation has become a sudden crisis at Apple that pits Mr. Cook’s longstanding commitment to protecting people’s privacy against accusations from the United States government that it is putting the public at risk. The case resembles Apple’s clash with the F.B.I. in 2016 over another dead gunman’s phone, which dragged on for months.

This time, Apple is facing off against the Trump administration, which has been unpredictable. The stakes are high for Mr. Cook, who has built an unusual alliance with President Trump that has helped Apple largely avoid damaging tariffs in the trade war with China. That relationship will now be tested as Mr. Cook confronts Mr. Barr, one of the president’s closest allies.

“We are helping Apple all of the time on TRADE and so many other issues, and yet they refuse to unlock phones used by killers, drug dealers and other violent criminal elements,” Mr. Trump said Tuesday in a post on Twitter. “They will have to step up to the plate and help our great Country.”

Apple declined to comment on the issue on Tuesday. Late Monday, after Mr. Barr had complained that the company had provided no “substantive assistance” in gaining access to the phones used in the Pensacola shooting, Apple said it rejected that characterization. It added that “encryption is vital to protecting our country and our users’ data.”

But Apple also offered conciliatory language, in a sign that it did not want the showdown to intensify. The company said it was working with the F.B.I. on the Pensacola case, with its engineers recently holding a call to provide technical assistance.

“We will work tirelessly to help them investigate this tragic attack on our nation,” Apple said.

At the heart of the tussle is a debate between Apple and the government over whether security or privacy trumps the other. Apple has said it chooses not to build a “backdoor” way for governments to get into iPhones and to bypass encryption because that would create a slippery slope that could damage people’s privacy.

The government has argued it is not up to Apple to choose whether to provide help, as the Fourth Amendment allows the government to violate individual privacy in the interest of public safety. Privacy has never been an absolute right under the Constitution, Mr. Barr said in a speech in October.

Mr. Cook publicly took a stand on privacy in 2016 when Apple fought a court order from the F.B.I. to open the iPhone of a gunman involved in a San Bernardino, Calif., mass shooting. The company said it could open the phone in a month, using a team of six to 10 engineers. But in a blistering, 1,100-word letter to Apple customers at the time, Mr. Cook warned that creating a way for the authorities to gain access to someone’s iPhone “would undermine the very freedoms and liberty our government is meant to protect.”

Bruce Sewell, Apple’s former general counsel who helped lead the company’s response in the San Bernardino case, said in an interview last year that Mr. Cook had staked his reputation on the stance. Had Apple’s board not agreed with the position, Mr. Cook was prepared to resign, Mr. Sewell said.

The San Bernardino case was bitterly contested by the government and Apple until a private company came forward with a way to break into the phone. Since then, Mr. Cook has made privacy one of Apple’s core values. That has set Apple apart from tech giants like Facebook and Google, which have faced scrutiny for vacuuming up people’s data to sell ads.

“It’s brilliant marketing,” Scott Galloway, a New York University marketing professor who has written a book on the tech giants, said of Apple. “They’re so concerned with your privacy that they’re willing to wave the finger at the F.B.I.”

Mr. Cook’s small team at Apple is now aiming to steer the current situation toward an outside resolution that doesn’t involve the company breaking its own security, even as it prepares for a potential legal battle over the issue, said the people with knowledge of the thinking.

Some of the frustration within Apple over the Justice Department is rooted in how police have previously exploited software flaws to break into iPhones. The Pensacola gunman’s phones were an iPhone 5 and an iPhone 7 Plus, according to a person familiar with the investigation who declined to be named because the detail was confidential.

Those phones, released in 2012 and 2016, lack Apple’s most sophisticated encryption. The iPhone 5 is even older than the device in the San Bernardino case, which was an iPhone 5C.

Security researchers and a former senior Apple executive who spoke on the condition of anonymity said tools from at least two companies, Cellebrite and Grayshift, have long been able to bypass the encryption on those iPhone models.

Cellebrite said in an email that it helps “thousands of organizations globally to lawfully access and analyze” digital information; it declined to comment on an active investigation. Grayshift declined to comment.

Cellebrite’s and Grayshift’s tools exploit flaws in iPhone software that let them remove limits on how many passwords can be tried before the device erases its data, the researchers said. Typically, iPhones allow 10 password attempts. The tools then use a so-called brute-force attack, or repeated automated attempts of thousands of passcodes, until one works.

“The iPhone 5 is so old, you are guaranteed that Grayshift and Cellebrite can break into those every bit as easily as Apple could,” said Nicholas Weaver, a lecturer at the University of California, Berkeley, who has taught iPhone security.

Chuck Cohen, who recently retired as head of the Indiana State Police’s efforts to break into encrypted devices, said his team used a $15,000 device from Grayshift that enabled it to regularly get into iPhones, particularly older ones, though the tool didn’t always work.

In the San Bernardino case, the Justice Department’s Office of Inspector General later found the F.B.I. had not tried all possible solutions before trying to force Apple to unlock the phone. In the current case, Mr. Barr and other Justice Department officials have said they have exhausted all options, though they declined to detail exactly why third-party tools have failed on these phones as the authorities seek to learn if the gunman acted alone or coordinated with others.

“The F.B.I.’s technical experts — as well as those consulted outside of the organization — have played an integral role in this investigation,” an F.B.I. spokeswoman said. “The consensus was reached, after all efforts to access the shooter’s phones had been unsuccessful, that the next step was to reach out to start a conversation with Apple.”

Security researchers speculated that in the Pensacola case, the F.B.I. might still be trying a brute-force attack to get into the phones. They said major physical damage may have impeded any third-party tools from opening the devices. The Pensacola gunman had shot the iPhone 7 Plus once and tried destroying the iPhone 5, according to F.B.I. photos.

The F.B.I. said it fixed the iPhones in a lab so that they would turn on, but the authorities still couldn’t bypass their encryption. Security researchers and the former Apple executive said any damage that prevented third-party tools from working would also preclude a solution from Apple.

A Justice Department spokeswoman said in an email: “Apple designed these phones and implemented their encryption. It’s a simple, ‘front-door’ request: Will Apple help us get into the shooter’s phones or not?”

While Apple has closed loopholes that police have used to break into its devices and resisted some law enforcement requests for access, it has also routinely helped police get information from phones in cases that don’t require it to break its encryption. Apple has held seminars for police departments on how to quickly get into a suspect’s phone, and it has a hotline and dedicated team to aid police in time-sensitive cases.

In the past seven years, Apple has also complied with roughly 127,000 requests from American law enforcement agencies for data stored on its computer servers. Such data is unencrypted and access is possible without a customer’s passcode.

In 2016, when the standoff between Apple and the government was at its most acrimonious, Mr. Cook said Congress should pass a law to decide the boundaries between public safety and technological security. In court filings, Apple even identified an applicable law, the Communications Assistance for Law Enforcement Act.

On Monday, Mr. Barr said the Trump administration had revived talks with Congress to come up with such a law.

Jack Nicas reported from San Francisco, and Katie Benner from Washington.