Tuesday, June 30, 2026

SpaceX's AI boom comes with a perk for Memphis residents: half-price for Starlink
Gas turbines are visible at an xAI data center on Riverport Rd in Memphis, TN on April 25, 2025. (Photo by Brandon Dill for The Washington Post via Getty Images)
SpaceX is offering Memphis residents 50% off Starlink as its data centers expand in the region.
  • SpaceX is offering Memphis residents 50% off Starlink.
  • SpaceX's vice president of Starlink engineering framed the discount as a community give-back.
  • Community groups in Memphis have been protesting SpaceX's data center.

SpaceX is offering Memphis-area residents a steep discount on Starlink internet as its AI ambitions continue to expand in the region.

Customers with eligible addresses in the Memphis area can sign up for Starlink at half the standard monthly price, and both new and existing subscribers won't have to pay upfront for hardware, xAI Memphis said on X.

The company linked the promotion to its growing AI infrastructure in the city, home to xAI's Colossus data center.

"The unique capabilities of the Colossus datacenters could not be accomplished without the partnership and support from the local Memphis community," SpaceX's vice president of Starlink engineering, Michael Nicolls, wrote on X on Tuesday.

"Happy to bring affordable and great @SpaceX @Starlink connectivity to our neighbors," Nicolls added.

Elon Musk also promoted the offer on X, posting simply that Starlink would be available at "half price" for residents in the Memphis region.

The promotion comes as xAI rapidly expands its presence in the area. Colossus, launched in 2024, has become one of the world's largest AI computing clusters, powering Grok training and supporting compute needs across Musk's companies. The campus has continued to grow, including an expansion into nearby Southaven, Mississippi.

Meanwhile, the facility has also drawn scrutiny from local residents and environmental advocates. Community groups, including Memphis Community Against Pollution, have criticized the project's energy use and emissions. Business Insider previously reported that the data center relies on enough methane gas generation to power roughly 280,000 homes, and that local organizations have launched efforts to monitor air pollution and urge elected officials to take action.

The Starlink offer automatically applies to eligible addresses, reducing the monthly subscription price by 50% while waiving hardware costs. SpaceX has not announced when the promotion will end and has not responded to a request for comment.


Source: All Content from Business Insider

Who Runs the Ransomware Group ‘The Gentlemen?’

A cybercrime group known as The Gentlemen has emerged as the second most active ransomware gang by victim count, rapidly attracting a talented pool of hackers through an aggressive recruitment strategy that promises affiliates 90 percent of any ransom paid by victims. This post examines clues pointing to a real life identity for the administrator of The Gentlemen ransomware group.

A graphic created and shared by The Gentlemen ransomware group administrator Hastalamuerte on Breachforums in May 2026. Credit: ke-la.com.

Experts at the security firm Check Point Software have been closely covering exploits of The Gentlemen, a so-called “ransomware-as-a-service” (RaaS) offering that pays affiliates handsomely to help spread the group’s malware.

“A 90/10 affiliate revenue split — compared to the industry standard 80/20 — is accelerating the group’s growth by attracting experienced operators from competing programs,” the researchers wrote in April.

Check Point found The Gentlemen are the second most active ransomware group by victim count so far this year, claiming at least 332 published victims since the group’s inception in mid-2025 and more than 240 in 2026 alone.

According to Check Point, the group targets Internet-facing devices (VPNs, firewalls) as their entry point, and once inside moves quickly to encrypt entire networks within hours.

Check Point says the administrator and primary operator of the ransomware group uses the nickname Zeta88 on the Russian-language cybercrime forums, and that this individual was previously known under the moniker Hastalamuerte. Check Point noted that a breach of the group’s backend infrastructure made it clear that Hastalamuerte/Zeta88 is the person who assembles the locker and RaaS panel, manages payments, and is essentially the administrator of the entire program who receives 10 percent of all ransoms.

WHO IS HASTALAMUERTE?

The cyber intelligence firm Intel 471 shows that the user Hastalamuerte is a Russian and English speaking person who registered on almost a dozen cybercrime forums between 2019 and the present day, including Exploit, Breachforums, Ramp_V2, BHF, Raidforums, and Nulled.

Intel 471 reveals that Hastalamuerte registered on Breachforums in January 2025 from an Internet address in Izhevsk, the capital city of Russia’s Udmurt Republic. Likewise, the user Zeta88 signed up at the English-language cybercrime forum Breached in August 2022 from a different Internet address in Izhevsk.

Intel 471 finds Hastalamuerte registered on Raidforums in 2020 using the email address hastalamuerte1488@protonmail.com (1488 is a common combination of two numeric symbols associated with white supremacy). A lookup on this address at the open source intelligence service Epieos shows it is connected to an account at Apple and to a phone number ending in 04.

Epieos says that Protonmail address is also linked to a GitHub account under the username SantaMuerte. That account is marked private, but a history of this user’s activity shows they are watching and developing a number of malware tools and exploits.

In April 2020, Hastalamuerte said on the crime forum Nulled that they could be contacted at the Telegram instant messenger name @hastalamuerte18, and the threat intelligence company Flashpoint finds this username is assigned the unique Telegram ID number 30907522 [full disclosure: Flashpoint is an advertiser on this blog].

The breach tracking service Constella Intelligence reports that Hastalamuerte’s Telegram ID is connected to another username — “bu4vs” — and to the Russian phone number 79127650004. Pivoting on this phone number in Constella fetches multiple records from hacked Russian government databases showing it is assigned to one Alexander Andreevich Yapaev, a 36-year-old from Izhevsk.

Constella reveals that phone number was used to create an account at the Russian social media platform Pikabu under the name “4apai18,” and shows Mr. Yapaev has signed up at a number of websites using the common surname Ivanov, or else “Chapaev” (the numeral 4 is often used as shorthand for a “ch” sound in Russian).

A search in Intel 471 for cybercrime forum members with the nickname SantaMuerte unearths an account by the same name created in 2020 on the Russian hacking forum Codeby. Intel 471 shows this user originally registered on Codeby with the not-so-subtle nickname Alexandr 4apaev.

Constella finds Mr. Yapaev regularly used the email address bu4vs@mail.ru. Meanwhile, Epieos shows this address is connected to a LinkedIn account for Alexander Yapaev, who lists himself as the head of B2B marketing at the company Uralenergo Udmurtia, one of Russia’s largest suppliers of electrotechnical and lighting products.

Mr. Yapaev did not respond to multiple requests for comment.

Nearly every time we publish one of these Breadcrumbs stories, readers are curious to know why it seems like so many cybercriminals from Russia apparently do little to hide their real life identities. The truth is that — Russian or not — most didn’t exactly set out to be arch criminals, but instead got drawn into the scene gradually over several years as their skills broadened and sharpened.

Another important dynamic is that the Russian government generally either co-opts or ignores cybercriminal activity within its borders so long as the hackers do not steal from or attack Russian businesses and citizens. As a result, successful cybercriminals in Russia are usually insulated from prosecution and arrest by foreign law enforcement agencies provided they occasionally pay off the right people and do not travel abroad. And cybercriminals who intend to strictly adhere to those unwritten rules may (at least initially) be less concerned about covering their tracks online.

But the simplest explanation is that cybercriminals of all nationalities tend to make a number of basic operational security mistakes early in their careers, when they are less savvy and have far less to lose by their carelessness. A review of Hastalamuerte’s early posts on the crime forums (circa 2019-2020) shows a relatively unsophisticated and low-skilled hacker still trying to learn the ropes and earn a positive reputation on these communities.

For example, in June 2020 Hastalamuerte’s Telegram account joined a multi-month training program (@pntst) to learn how to use popular penetration testing tools, and their candid posts to this hacker training camp show Hastalamuerte struggling to use these tools effectively. A Google-translated record of Hastalamuerte’s posts to @pntst is here.

Update, June 11, 10:23 a.m. ET: The threat research group PRODAFT has released a detailed writeup on the history and current operations of The Gentlemen. PRODAFT said its findings match the same persona with “high confidence,” and found the administrator (Zeta88/Hastalamuerte) supplies affiliates with initial access directly, primarily Fortinet SSL-VPN credentials obtained through brute-force attacks or sourced from the group’s own leak database. They also discovered the administrator is using AI to develop and maintain the ransomware and associated tooling, as well as to assist with post-exploitation activity.


Source: Krebs on Security

Journalist Kara Swisher made her mark on Silicon Valley. Her next target: The 2028 campaign | Quick Read
Journalist Kara Swisher made her mark on Silicon Valley. Her next target: The 2028 campaign

Kara Swisher is everywhere.

She’s filling in for Joy Behar on ABC’s The View. Appearing alongside Meryl Streep in The Devil Wears Prada 2. Starring in a CNN documentary. Preparing a national tour. And churning out four podcasts most weeks featuring long-form interviews and commentary.

It’s a ubiquity born of more than three decades chronicling the technology industry with a professed indifference to power that vaulted her into a rare echelon of journalism celebrity.

She harnessed that reputation to persuade rivals Steve Jobs and Bill Gates to appear onstage together and make Mark Zuckerberg so uncomfortable under questioning that he broke out into a sweat. She had Elon Musk’s cellphone number—the two aren’t currently speaking—and often texts tech and business leaders.

She’s betting the influence that made her a Silicon Valley force will translate into politics as podcasts supplant traditional media as a destination for candidates seeking attention.

During Republican President Donald Trump’s second term, potential Democratic presidential candidates ranging from California Gov. Gavin Newsom and former Vice President Kamala Harris to onetime Transportation Secretary Pete Buttigieg and former White House chief of staff Rahm Emanuel have appeared on Swisher’s shows. She expects that roster to grow.

“We get called by all the presidential candidates,” the 63-year-old Swisher said in an interview at her home in a leafy corner of Washington, where her trademark high self-regard was on display. “We’re going to get to all of them.”

Swisher is hardly the only podcaster talking politics. Conservatives like Megyn Kelly and Tucker Carlson and some liberals like the former Barack Obama aides who host Pod Save America have larger audiences. They’re all dwarfed by Joe Rogan.

But Swisher, who has evolved from a traditional print journalist to business owner and podcast host, has few rivals who can match her technology expertise and connect those observations to the broader political debate.

“When I first went on her podcast when I just got into Congress in 2017, she was very well respected in tech circles,” said Rep. Ro Khanna, a California Democrat whose district includes Silicon Valley. “But now she’s emerged as a larger cultural force, especially at a time where there’s such anger at the tech billionaires and tech arrogance.”

Interviews that produce revealing moments

When she’s not on the road, Swisher typically records from a basement studio in the Washington home she shares with her wife, children, and a cat named Lovely. The conversations on her interview podcast On with Kara Swisher are often referenced later on Pivot, which she co-hosts with entrepreneur Scott Galloway.

They frequently produce revealing moments, as when Newsom filled in for Galloway on Pivot. Swisher derided him for being too easy on Steve Bannon when the longtime Trump aide appeared on Newsom’s own podcast.

“You had an opportunity to engage,” Swisher pressed. “Why not engage?”

The typically self-possessed Newsom conceded, “I’m not the pro that some of these others are, but I appreciate the insight.”

Swisher pushed Buttigieg on why he took so long to say President Joe Biden, a fellow Democrat, shouldn’t have sought reelection. Buttigieg said he wasn’t consulted.

“Sure, but you have eyes,” Swisher responded.

Her interview with Harris captured the former vice president’s tenacious side as she called policies from Trump’s Health and Human Services secretary, Robert F. Kennedy Jr., “f—– up.” Harris said gravely that she “can’t laugh” about such matters, though Swisher noted on a later podcast that the two had just joked about Kennedy backstage.

“Be the person backstage because that’s the person who gave a great answer,” Swisher said in the later podcast.

In an interview, Newsom said Swisher “calls out my bulls—-.”

“She’ll send me missives unsolicited,” he said. “She’s usually right, and it drives me crazy.”

Sen. Mark Warner, a Virginia Democrat who has long known Swisher, agreed that being interviewed by Swisher is “not a layup.”

Even Sen. Thom Tillis of North Carolina, a rare Republican to go on her show, said it was a worthwhile experience despite being pressed on whether his willingness to speak out against the Trump White House emerged only after he opted against reelection.

“If you’re a politician, you should be able to walk up anywhere and hold your own,” Tillis said. “Do the prep, get on the show. You may end up having an opportunity, like in my experience, to give a completely different perspective.”

“Pivot” was initially focused on tech and business

Shaping the political conversation wasn’t the objective when Pivot launched in 2018.

Galloway, who hosts his own Prof G and Raging Moderates podcasts, recalled the idea for Pivot was to focus on the intersection of technology and business. That’s still much of the show’s focus, but the biggest stories in those spaces, such as the initial public offering for Musk’s SpaceX or the rise of artificial intelligence, are now inevitably linked to politics.

“Show me a big business or tech story, and I’m going to show you a political overlay,” Galloway said.

The expansion converges with a sense of urgency among Democrats to be more aggressive on digital platforms, where audiences are increasingly concentrated.

“The single most important quality that every candidate needs to have is the ability to talk and the ability to talk anywhere,” said Teddy Goff, the co-founder of Precision Strategies and the digital director for Obama’s 2012 presidential campaign. “That might mean a two-hour podcast interview. It might mean a 15-second digital video.”

Democrats are still stung by Rogan’s nearly three-hour Trump interview in the final weeks of the 2024 campaign. Rogan, who doesn’t consider himself a journalist, has said Harris’ campaign didn’t agree to his terms. Harris has described being spurned by Rogan.

Swisher agreed Democrats should embrace podcasts but insisted she’s not a left-leaning counter to Rogan.

“You can’t manufacture this stuff,” she said. “It just doesn’t work, right? The kids like what the kids like.”

Still, the podcasts add up to influence and financial success.

Galloway said Pivot, which is effectively a joint venture between himself, Swisher, and Vox Media, will be a $15 million to $20 million business this year. With a staff of just five, that’s a robust moneymaker as media is disrupted by a wave of mergers and acquisitions.

Vox Media itself has been reborn after a recent acquisition by James Murdoch, who swept New York magazine, the Vox Media Podcast Network, and the Vox editorial brand into a single company where podcasts are the fastest-growing business.

“Podcasts are the NBA,” Galloway said. “There’s a small amount of people making a lot of money.”

While Swisher largely hosts Democrats, she’s recently interviewed Tillis and Scott Jennings, a conservative CNN commentator. She hopes to soon bring on additional Republicans and said she texted Steve Hilton’s wife, a former Google executive, in hopes of booking him shortly after he advanced in California’s governor’s race.

“What we’re going for is to be popular among the entire populace,” she said. “So that people who don’t feel they want to be in a constant state of anger, whether it’s on the left or the right, can have a place to go.”

But her barbed comments about Trump and other Republicans could complicate that goal.

Kelly McBride, an ethics expert at the Poynter Institute, a journalism think tank, said shows like Swisher’s can sometimes “butt right up against the type of podcasts that I would not consider journalism.”

“The way you separate them out is that the intention and the system surrounding the podcast is engineered in a way to create fact-based information,” she said.

Swisher describes her work as “reported analysis,” citing tech writer Om Malik, who died last week, as an inspiration.

As for the tone of the podcasts, it’s all part of the authenticity that is central to Swisher’s brand. Beyond the takes on the day’s news, she and Galloway have developed a strong—if unlikely—chemistry in which his penchant for vulgarities can make her seem almost highbrow.

“We don’t shy away from our faults,” she said. “We don’t shy away from our biases. You know, we don’t shy away from things that most people try to.”

—By Steven Sloan, Associated Press


Source: Fast Company - technology

A better way to manage LLM spending | Tech News
A better way to manage LLM spending

As an old Delphi guy, I remember well the “language wars” we had with the Visual Basic guys. An early codename for Delphi was “VBK” — VB Killer — and the VB community took exception. They’d come to our Delphi forums and pick fights. Naturally, we brash Delphi guys would fight back, engaging in big flame wars and getting all worked up over what wasn’t much more than a personal preference. Good times.

These days, we’ve moved the discussion up a layer — what is the better model for coding? Things aren’t quite as intense as the VB/Delphi dustups, but people have their opinions. Companies are taking a look at different models before choosing one for their teams. Most teams have arrived at a family of models that they use. 

At some point, chatting with Claude or Codex started to seem a bit raw. It wasn’t long before scaffolding tools like GStack and Superpowers were adding underpinnings for interacting with LLMs — baseline instructions for handling prompts before they get to the model itself. They help establish useful context and act as a layer above “raw prompting”. Context engineering is the first and most common layer to add on top of the chat interface.

And then once the choice of models and harnesses was made, everyone went crazy with tokenmaxxing. If you have a model, of course you want to get the most out of it. But when the bill came in, managers were not pleased. As costs skyrocketed, leadership worried that the money wasn’t being well spent. 

Model routing – the next layer

Just as assembly language and hand-tuning registers gave way to compilers and structured languages, which led to frameworks and libraries, and most recently to LLMs and prompting, it is starting to occur to developers and managers that there is a better way to manage LLM spending. 

But naturally, the minute you figure out how things work, another layer appears, making all your hard-earned knowledge outdated. Apparently being able to code in English isn’t enough to stop the next abstraction from appearing.

So as is always the case, another layer of abstraction has come along. (Sic semper fuit.) Thus model routing is the latest way to maximize the value for each dollar spent on tokens. 

The idea is that not all prompts are created equal. Not everything that you ask Claude is going to require the deep thinking of a frontier model. A model router can take a look at the prompt and decide what model is best suited to answer that prompt and direct the query to that model. Maybe simpler requests are better suited for an older model. Maybe code reviews are better done with a model specifically designed for that purpose. 

Model routing leads to more efficient token spending. When you run Claude Code today, you have to choose a model for the whole session, and if you want to use the top-tier model, you have to pay for it no matter what you end up doing. A model router lets you vary the model — and thus the cost. Organizations like Coinbase are seeing their AI spend cut in half while their token usage increases. 
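To make the routing idea concrete, here is a small rule-based router with cost accounting. It is an added illustration, not code from Claude Code Router or any vendor; the model names, per-token prices, the lexical heuristics and the sample batch are all constructed assumptions. It shows what the paragraph only states: the router picks a tier per prompt, records why (so spend and policy decisions are auditable), and reports how routed spend compares with sending every prompt to the frontier model.

```python
"""Rule-based model router with cost accounting (added example, not vendor code).

All model names, prices and heuristics below are constructed for illustration.
"""
from dataclasses import dataclass

# Hypothetical tiers with constructed prices in USD per million tokens (input, output).
MODEL_TIERS = {
    "small":    {"model": "example-small",    "usd_per_mtok_in": 0.25,  "usd_per_mtok_out": 1.25},
    "mid":      {"model": "example-mid",      "usd_per_mtok_in": 3.00,  "usd_per_mtok_out": 15.00},
    "frontier": {"model": "example-frontier", "usd_per_mtok_in": 15.00, "usd_per_mtok_out": 75.00},
}

# Assumed lexical markers; a production router might use a small classifier model instead.
REVIEW_MARKERS = ("review", "audit", "security", "vulnerab")
HARD_MARKERS = ("design", "architect", "refactor", "prove", "debug", "race condition")
LONG_PROMPT_WORDS = 200


@dataclass
class Route:
    tier: str
    model: str
    reason: str  # kept so every routing decision is explainable in the spend log


def classify(prompt: str) -> Route:
    """Choose a tier for one prompt from cheap heuristics."""
    text = prompt.lower()
    words = len(text.split())
    if any(m in text for m in HARD_MARKERS) or words > LONG_PROMPT_WORDS:
        return Route("frontier", MODEL_TIERS["frontier"]["model"], "complex or long task")
    if any(m in text for m in REVIEW_MARKERS):
        return Route("mid", MODEL_TIERS["mid"]["model"], "code review")
    return Route("small", MODEL_TIERS["small"]["model"], "simple request")


def estimate_cost(tier: str, tokens_in: int, tokens_out: int) -> float:
    """Cost in USD for a call of the given size on the given tier."""
    p = MODEL_TIERS[tier]
    return (tokens_in * p["usd_per_mtok_in"] + tokens_out * p["usd_per_mtok_out"]) / 1_000_000


def route_batch(requests):
    """Route (prompt, tokens_in, tokens_out) tuples; return decisions and spend comparison."""
    decisions = []
    routed_usd = 0.0
    frontier_only_usd = 0.0
    for prompt, tokens_in, tokens_out in requests:
        route = classify(prompt)
        cost = estimate_cost(route.tier, tokens_in, tokens_out)
        routed_usd += cost
        # Baseline: what the same batch would cost if every prompt went to the top tier.
        frontier_only_usd += estimate_cost("frontier", tokens_in, tokens_out)
        decisions.append({
            "prompt": prompt, "tier": route.tier, "model": route.model,
            "reason": route.reason, "usd": cost,
        })
    saving = 1 - routed_usd / frontier_only_usd if frontier_only_usd else 0.0
    return {
        "decisions": decisions,
        "routed_usd": routed_usd,
        "frontier_only_usd": frontier_only_usd,
        "saving_fraction": saving,
    }


# Constructed sample batch: (prompt, input tokens, expected output tokens).
SAMPLE_REQUESTS = [
    ("Rename variable foo to bar in this function", 300, 100),
    ("Please review this diff for security issues", 2000, 800),
    ("Design a refactor of the auth module to remove the race condition", 5000, 3000),
]

if __name__ == "__main__":
    result = route_batch(SAMPLE_REQUESTS)
    for d in result["decisions"]:
        print(f'{d["tier"]:9} ${d["usd"]:.4f}  {d["reason"]:20} {d["prompt"][:50]}')
    print(f'routed ${result["routed_usd"]:.4f} vs frontier-only ${result["frontier_only_usd"]:.4f} '
          f'({result["saving_fraction"]:.0%} saved)')
```

The `reason` field is the part worth keeping in any real deployment: once a router silently downgrades prompts, finance and security teams both need a log that says which model answered which request and why, or the cost savings cannot be reconciled and misrouted sensitive prompts cannot be found.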

From tokenmaxxing to tokenmatching

LLMs are constantly evolving, becoming both more powerful and more specialized. Being able to route a prompt to the model that is both well-suited for the task and cost-effective is the way to maximize token effectiveness. Teams are doing this manually now, but AI itself will become the best way to make such decisions. 

For example, Claude Code Router can route prompts to any number of popular models, depending on the type of work each prompt requires. And it’s open source.

The next layer that is coming is the preprocessing of prompts. We can work to write good prompts, but AI itself can improve upon what we ask. One of the best techniques in prompting is to tell the LLM to “ask the questions that I’m not asking but should be asking”. I can easily imagine a world in which you write a prompt, AI helps you clarify it, improves it, and then routes it to the best, most cost-effective model for an answer.

You won’t be choosing a given LLM provider anymore. Instead, you can focus on specifying exactly what you want. So stop hand-crafting your prompts for a specific model. Let the coming model routers and prompt preprocessors do the hard work for you.


Source: Rust introduces new Range types | InfoWorld

2026: In an AI world, taste is a competitive advantage for brands
In an AI world, taste is a competitive advantage for brands
The AI Marketer roundtable at Cannes Lions 2026
Marketing leaders gathered during the 2026 Cannes Lions for a roundtable on "The AI Marketer"
  • AI is enhanced by human creativity, making originality more crucial in marketing strategies today.
  • Brands are moving from AI experimentation to long-term integration for better business outcomes.
  • Marketing roles decline sharply; AI proficiency and impact measurement are key for job security.

AI hype may finally be giving way to something more interesting: Taste.

At Business Insider's "The AI Marketer" roundtable, convened during Cannes Lions 2026 and presented by Bluefish AI, senior marketing leaders invoked the prevailing zeitgeist of the Festival — that human discernment is essential, and that taking more time to consider organizational change will drive better outcomes.

The roundtable included marketing leaders from Autodesk, Accenture Song, Adobe, Babylist, Comcast, SharkNinja, Anduril, Hilton, Kimberly-Clark, Deloitte Digital, Zoom, Indeed, and Instacart.

The discussion underscored a shift in how some of the largest brands are approaching AI, becoming less about accelerating adoption and more rooted in thoughtful change management and infrastructure.

The taste difference

As leaders discussed creative workflows, the conversation shifted towards one key word in tech and advertising circles today: taste.

"I think one of the things that's been really important is not taking an existing process and layering AI on top of that. That's actually a recipe for disaster and you start to have a lot of issues," said Dara Treseder, chief marketing officer at Autodesk.

"What outcome are we trying to accomplish and what is the new system we should design to get there using humans and AI?" she asked.

Treseder called this "the golden age for marketers and creatives who have excellent taste."

"The work we do is art and science," she said. "Master the tools, have excellent taste, know how and when to use AI—and, most importantly, have the discernment to know when not to."

Executives argued that while AI is making content production dramatically faster, it is also making originality more valuable.

"I think the reason why we're talking about humans is because they will give you the competitive advantage because as everyone adopts AI tools, it democratizes the playing field and the smaller companies will be able to create content that looks as good as the bigger companies," said Theo Ricketts, vice president of global sales, marketing and digital transformation at Kimberly-Clark.

"So where is our advantage?" he continued. "That has to be in the human and the insights that we're bringing that drives better outcomes than our competitors."

The experimentation phase is ending

Michelle Crossan-Matos, chief brand and experience officer at SharkNinja, described how the company is using AI to coach customer service agents in real time, helping them respond to customers while measuring whether each interaction builds trust in the brand. The company also uses AI to identify recurring customer issues from thousands of service interactions, turning what was once anecdotal feedback into measurable insights that product and marketing teams can act on.

"The call center agents know exactly how he or she is helping our brand," Crossan-Matos said. "I have campaigns built from the customer service team now."

Kim Storin, chief marketing officer at Zoom, framed marketing as a bidirectional function increasingly embedded across the organization, not confined to a single insights team.

"Our job is to be the voice of and the voice to the market," Storin said.

That idea showed up in how Zoom is restructuring customer understanding internally. Rather than concentrating feedback in a dedicated function, she described an effort to push customer exposure across teams.

"It's not just the customer insights team anymore," she said. "Is the search team, is the paid media team talking to customers?"

People, jobs and change

The discussion became noticeably more candid when the topic turned to marketing talent.

James Whitmore, chief marketing officer at Indeed, pointed to hiring data showing that marketing roles have declined faster than nearly any other profession.

"If you learn AI and learn how to demonstrate your impact on the business and measure results, then no, you're not at risk. If you sit back and let things happen to you, then of course you're at risk," he said.

Jeff Miller, chief marketing officer at Anduril, pushed the conversation further.

"As inspirational as we all can be about the power and future of AI, you're going to have to learn the tools and prove that you have taste, then you're going to succeed, you're going to thrive in your role. But, I don't think that will be true of most people working in the marketing industry. I just fundamentally don't believe that," he said.

The group also acknowledged that change needs to come from the CEO, specifically.

"The integration [of AI] has to happen cross functionally, it always has to come from the CEO. If it does not come from the CEO, it really doesn't happen," said Sean Lyons, chief strategy officer at Accenture Song.

"The organizational operational lift is super high based on fear… trying to get those teams to understand that they can do better work this way," he said.


Source: All Content from Business Insider

Inside the rise of the global scam-economy powered by AI and Starlink

The instructions were clear: He had four days to make each victim fall in love.

And there were a lot of victims. Online, Safeer Mohammed Koorimannil, who was trafficked to a scam center in Myanmar, impersonated a 28-year-old Singaporean woman named Ella. On a typical shift, he said, he chatted with more than 100 people across dozens of profiles at the same time, as supervisors prowled among the desks with electric batons.

In just a month, Koorimannil targeted some 50,000 victims from at least 17 countries, according to records he smuggled out to The Associated Press. His “clients” included a widowed tailor in Kurdistan, a pastry chef in Turkey, a sheep farmer in Kyrgyzstan, soldiers in Iraq, an engineer in Russia, a building painter in Germany, a port officer in Argentina, a student in Indonesia, a security guard in Poland and a dairy farmer in the Republic of Georgia. And he did it using software built with artificial intelligence models from American tech companies that scammers are abusing to target victims at unprecedented speed and scale. “Everyone is a robot there,” he told AP from his home in southern India in his native Malayalam language.

Technology from American companies is being used to power a revolution in the scam industry, playing a key role in the industrialization and globalization of fraud in ways that have not been clear until now, an AP/”FRONTLINE” investigation has found. Watchdogs say these companies have the technical capacity to do more to protect against abuse but lack the legal, regulatory, and business incentives to crack down on a crime the Federal Trade Commission estimates cost Americans nearly $200 billion in losses in 2024.

While most public scrutiny of the technology that fuels scams has focused on the social media platforms victims see, the infrastructure exploited to commit fraud begins much farther upstream, the investigation showed. American technology is present all along the digital supply chains that connect scammers with the scammed, from AI models baked into powerful new tools to optimize workflow and create more perfect fakes, to satellite dishes that enable scammers to evade internet crackdowns, to internet service providers that carry traffic from the lawless borderlands of Myanmar to the phones and computers of millions of victims.

The AP found no evidence to suggest these companies were doing anything illegal themselves. However, the abuse of their tools and tech infrastructure at scam compounds in Myanmar, as documented by the AP and “FRONTLINE,” raises questions about how vigorously they are enforcing their own terms of service, which prohibit illegal activity and, in many cases, explicitly ban fraud.

Among the AP’s findings:

—American-made AI models—chiefly ChatGPT and Gemini—have been used to build specialized software that allows scammers to seamlessly work across dozens of languages, surveil workers and target victims around the world, the investigation found with the help of C4ADS, a Washington-based nonprofit focused on global security. Scammers who purchased these tools took in tens of millions of dollars, according to blockchain analysis by TRM Labs at the request of AP/”FRONTLINE.”

—A sophisticated, global internet infrastructure supports Myanmar’s scam-compound economy, which relies on services from Cogent Communications, AT&T, DigitalOcean, and Oracle, among others. One in five signals from devices at four scam compounds linked to sanctioned entities in Myanmar was carried by a U.S.-registered company, according to an AP analysis of more than 200,000 device connections provided by International Justice Mission, an anti-trafficking nonprofit.

—Elon Musk’s satellite internet company, Starlink, is the number one internet service provider in Myanmar, including to scam centers, according to device data, public records and interviews—despite public pressure from Congress and a widely publicized crackdown last fall.

—At least 25 new scam compounds have been built deep inside Myanmar since a high-profile crackdown along the Thai border last fall, new satellite imagery shows. Scammers from at least 13 of these outposts used Starlink IP addresses to get online between early March and the end of May, an AP analysis of device and satellite data from International Justice Mission shows.

The AP/“FRONTLINE” investigation was based on tens of thousands of leaked scam center files, videos and photos; an analysis with C4ADS of misuse of AI at scam centers; an examination of more than 200,000 connections made by devices over a year at four scam compounds in Myanmar linked to entities sanctioned by the U.S. government; and interviews with 58 scam victims and three dozen current and former scammers from 19 countries.

Cybersecurity experts say internet service providers, AI companies, and Starlink could do more to prevent the abuse by scammers—but lack the legal, regulatory, and business incentives.

“If there’s no disincentive to continuing this, if there’s no cost to actually facilitating scamming, then why would I spend a dollar to prevent scamming?” said Sascha Meinrath, the Palmer chair in telecommunications at Penn State University. “This is the problem. It’s identifiable, it’s addressable—at least somewhat—but it costs something. And right now the cost of facilitating scamming is zero.”

Outside the United States, that cost is starting to rise. The United Kingdom, the European Union, Australia, and Singapore have introduced new regulations that require companies to do more to prevent scams or face financial penalties.

Meanwhile, in Washington, lawmakers and government officials have been asking American tech companies to cooperate to cut scammers off from U.S. infrastructure, but on a voluntary basis.

In November, District of Columbia U.S. Attorney Jeanine Pirro created the Scam Center Strike Force to target scam compounds. In a four-day exercise in May, the Strike Force worked with Meta, SpaceX, Google, and others to disrupt more than 1.4 million social media and email accounts, interrupt malicious IP address traffic, seize satellite internet terminals, and decommission servers and hosting infrastructure linked to Southeast Asian scam networks. “We will not allow criminal organizations to weaponize our own infrastructure against us or devastate the life savings of hardworking families,” Pirro said in an email to AP. “Our message is clear: we will find you, we will stop you, and we will protect the American people.”

OpenAI and Google both said they have robust programs in place to proactively disrupt scammers from abusing their tools. Starlink did not respond to detailed requests for comment.

Internet service providers emphasized that they can’t see the content their networks carry or what end users are doing online—privacy by design that constrains their ability to monitor for abuse. All said they respond to valid abuse reports and cooperate with law enforcement. None would disclose specific customer information, citing privacy rules, but several said they had taken concrete action in response to AP’s reporting.

OpenAI said that based on the information AP shared, it identified and banned three accounts that had been using its models to support online scams. Oracle said it was “diligently working with law enforcement” on the material shared by AP. UpCloud, a Finnish cloud services provider with servers in the U.S., said AP’s query had prompted an internal review and refinement of its risk assessment processes.

OpenAI CEO Sam Altman has likened artificial intelligence to a utility, akin to electricity or water. But unlike water utilities, tech and telecom companies in the United States are generally not responsible for proactively ensuring the safety of the content they carry.

Some people believe that should change.

“This has to be like clean water,” said Matthew Moynahan, the CEO of GetReal Security, a cybersecurity firm. “Anything coming out of the tap for an end user, whether that tap is a PC, a browser somewhere, or your mobile phone, dirty water shouldn’t get to you. This is what this is.”

Almost Automated: American AI abused for industrial-scale scamming in SE Asia

The use of AI in scams is exploding so fast that many in the cybersecurity community fear fully-automated scams run by AI agents will soon become commonplace.

“We’re moving towards a world where maybe you don’t need human scammers anymore,” said Ari Redbord, global head of policy at TRM Labs, a crypto analytics firm. “All you need is hundreds, thousands, millions of agentic agents who don’t need to sleep, don’t need to eat, who are 24/7 doing this.”

Already, the basic AI-powered tools Koorimannil used required scant human intervention. His job was to cut and paste responses from scripts his scam bosses generated.

Koorimannil and his best friend had answered an ad online for jobs encouraging tourism to Thailand. From the airport in Bangkok, however, a waiting black car sped them to the border with Myanmar, he said, and the next morning armed men escorted them across the Moei River to Tai Chang, a scam compound the U.S. government sanctioned last year.

Koorimannil managed to sneak out a screenshot from his computer that AP and security nonprofit C4ADS used to identify the key to his productivity—a software platform called Kongtian Intelligent Customer Acquisition, or KT for short.

AP also identified a similar suite of software, called Global Social Traffic Navigation, or 007TG, described by a former scammer as a “one-stop shop” for running scams at industrial scale.

KT and 007TG are part of a thriving gray market for tech that has both legitimate and illegitimate uses and is widely exploited by scammers, according to blockchain analysis, a review of Telegram channels frequented by scammers, and interviews with scammers from three countries. KT and 007TG were created by for-profit businesses using AI models from leading global companies and sold to scammers—who in turn generated tens of millions of dollars in illicit profits.

OpenAI’s ChatGPT played the most prominent role, along with Google’s Gemini, though the software incorporated other AI models as well, including from Europe and China. Both KT and 007TG used ChatGPT and Gemini to generate automated replies, power a role-play chatbot, which scammers could use to develop convincing characters, and embed real-time translation in over 100 languages, C4ADS found. KT and 007TG software also tracked the performance of workers—to devastating effect, in Koorimannil’s case.

He was beaten for being bad at scamming people, leaving his body red and swollen with lashes, photographs show.

“When they came near my computer, my hands would shake and sweat,” Koorimannil told AP.

At night, he said, he and his best friend curled in the same narrow bunk, too frightened to sleep alone.

Blockchain analysis, done for AP/“FRONTLINE” by TRM Labs, shows how powerful these tools can be. Cryptocurrency transactions are recorded on an indelible public ledger, or blockchain, which can be analyzed to show the pattern and volume of cryptocurrency transactions. TRM Labs found that a single crypto wallet used by 007TG received $860,000 in payments between April 2024 and December 2025—including transfers from at least four cryptocurrency wallets associated with known scam networks. Those scammers, in turn, raked in at least $75 million.

Stopping AI abuses at scale is challenging because scammers often use ChatGPT the same way hundreds of millions of other people do—to translate, help write messages, create content, and do basic research, according to OpenAI. The intimacy, financial pressure and manipulative language in romance scams, for example, may be hard to distinguish from genuine users seeking help with a divorce. And tools like KT and 007TG can have legitimate uses, especially for Chinese businesses seeking to expand overseas.

But by tracking user behavior over time to surface patterns of deception and manipulation, OpenAI said it detects scams with 95% accuracy and takes down 100,000 scam accounts each month. The company said it has also independently disrupted service to scam networks operating from Cambodia, Myanmar, and Nigeria.

Even as fraud networks exploit their technology, a growing number of people are using the same tools to fight back. OpenAI said people use ChatGPT millions of times a month to identify and avoid scams—up to three times more often, the company estimates, than the model is abused by scammers. OpenAI also recently collaborated with the Global Anti-Scam Alliance to launch scam.org, which helps users assess the risk they are being targeted by scammers.

Google did not respond to specific questions about AP’s findings, but said the company is “committed to developing AI responsibly” and engineers its models with safety guardrails to filter out content that promotes scams. 007TG went dark in December but has since claimed to be back up and running. Neither it nor KT responded to requests for comment.

In the end, through a connection in Bahrain, Koorimannil and his friend found a broker who oversaw ransom payments for 21 Indians from their compound, he said.

They each had to pay 500,000 Indian rupees ($5,300) for their freedom.

Missed signals: U.S. internet service providers play outsize role in carrying scam center traffic

It took a long time for Chris Colocousis to understand the extent to which scammers around the world use American technology to prey on people like him. At first, all he saw was that the woman who reached out to him on Facebook had a New York phone number—not too far away from his home in Massachusetts—and said she worked at a well-known financial firm in Atlanta.

“Eliza” suggested a video call. And there she was—the same blond beauty as in her Facebook photos. She even had little bags under her eyes. She was too real not to be real.

Now Colocousis, a divorced man in his 60s, has no idea where “Eliza” really is, whether he was talking with her or with ChatGPT—and even if she’s a she. He does know that the $400,000 he says he “invested” under Eliza’s guidance is now gone, robbing him of the secure retirement he’d spent years working for.

“You just feel like your whole world fell apart,” he said. “I’m thinking about all this time that I invested into reaching a point where I could retire at a certain age—and it’s just gone.”

Each step of a fraud is a digital signal, said John Breyault, vice president of public policy, telecommunications and fraud at the nonprofit National Consumers League. And internet service providers are the network on which many of these services ride.

“The ISPs are in a particularly critical place in this chain,” he said.

New data shows that U.S. internet service providers play an outsized role in scams run out of Myanmar. The AP analyzed a sample of 202,013 connections made by devices at four scam compounds in Myanmar—KK Park, Tai Chang, Deko Park, and a newer site near Hpakalu. One in five was routed through U.S. internet service providers. No other nonregional country came close.

Among them were Cogent Communications, Oracle, AT&T, and DigitalOcean. Companies outside the United States—including UpCloud, the Finnish cloud provider, and GlobalTeleHost, a Canadian hosting and internet infrastructure company—also used servers in the U.S. to host high-risk traffic from scam centers, the data shows.

“They are getting paid a lot of money to route these IP addresses,” said Riley Kilmer, co-founder of Spur Intelligence Corporation, a cybersecurity company. “Right now the revenue outweighs the risk. And if you could shift that balance, the ISPs would have to act.”

Internet service providers have access to a trove of data that could be used to minimize illicit activity, but doing so requires significant investment, cybersecurity analysts say.

“The policy in much of the hosting world tends to be, we will take action after the fact,” said Dan Winchester, co-founder of Scamalytics, a fraud prevention company. “That’s not really very effective. What you need to be doing is proactively stopping fraud on your servers.”

The ad tech data was compiled by International Justice Mission between February 2025 and January 2026. This data captures a slice of activity from apps that share information with data brokers, which can reveal the location and IP address a given device is using when it goes online. AP then identified the companies those IP addresses had been allocated to using a database maintained by Scamalytics, which also rates IP addresses for potential fraud risk.
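The enrichment step described above (device connection records, joined to the organisation each IP address is allocated to and to a per-address risk rating, then summarised by registration country and by organisation) can be illustrated with a small script. This is an added example, not the AP's or Scamalytics' code: the address blocks are RFC 5737 documentation ranges, and every organisation name, reputation value and connection row is constructed for the illustration.

```python
"""Attribute device connections to the networks that carried them.

Added illustration of the enrichment the article describes: IP address ->
allocated organisation and its registration country -> share of connections
per country and per-organisation reputation. Not the AP's or Scamalytics'
code; all blocks, names, ratings and rows below are constructed.
"""
import csv
import io
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Allocation:
    network: ipaddress.IPv4Network
    org: str
    country: str  # registration country of the allocating organisation (constructed)


# Constructed allocation table. A more specific block may be carved out of a
# larger one (a /25 inside a /24 here), so lookups must use the longest prefix.
ALLOCATIONS = [
    Allocation(ipaddress.ip_network("198.51.100.0/24"), "ExampleCloud", "US"),
    Allocation(ipaddress.ip_network("192.0.2.0/24"), "ExampleSat", "US"),
    Allocation(ipaddress.ip_network("203.0.113.0/24"), "ExampleRegionalTel", "TH"),
    Allocation(ipaddress.ip_network("203.0.113.0/25"), "ExampleVPNHost", "CA"),
]

# Constructed per-address reputation: (risk score 0-100, on a public blocklist?).
# Stand-in for a commercial rating service; unlisted addresses are unrated.
REPUTATION = {
    "198.51.100.10": (95, True),
    "198.51.100.11": (80, False),
    "192.0.2.7": (60, False),
    "203.0.113.5": (99, True),
    "203.0.113.9": (97, True),
    "203.0.113.200": (5, False),
}
RISKY_THRESHOLD = 50

# Constructed connection sample: one row per observed connection from a device
# at a site (device id, UTC timestamp, site label, public IP in use).
SAMPLE_CSV = """device_id,timestamp,site,ip
d1,2025-02-01T08:00:00Z,siteA,198.51.100.10
d1,2025-02-01T09:30:00Z,siteA,198.51.100.11
d2,2025-02-02T10:00:00Z,siteA,203.0.113.200
d2,2025-02-02T11:00:00Z,siteA,203.0.113.5
d3,2025-02-03T12:00:00Z,siteB,192.0.2.7
d3,2025-02-03T13:00:00Z,siteB,192.0.2.7
d4,2025-02-04T14:00:00Z,siteB,203.0.113.201
d4,2025-02-04T15:00:00Z,siteB,203.0.113.9
d5,2025-02-05T16:00:00Z,siteB,10.0.0.5
d5,2025-02-05T17:00:00Z,siteA,203.0.113.250
"""


def lookup(ip: str) -> Optional[Allocation]:
    """Return the most specific allocation containing ip, or None if unallocated."""
    addr = ipaddress.ip_address(ip)
    matches = [a for a in ALLOCATIONS if addr in a.network]
    if not matches:
        return None
    return max(matches, key=lambda a: a.network.prefixlen)


def load_connections(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def country_share(rows: list) -> dict:
    """Fraction of connections carried by organisations registered in each country."""
    counts = Counter()
    for row in rows:
        alloc = lookup(row["ip"])
        counts[alloc.country if alloc else "UNALLOCATED"] += 1
    total = sum(counts.values())
    return {country: n / total for country, n in counts.items()}


def org_reputation(rows: list) -> dict:
    """Per organisation: distinct IPs seen, share rated risky, share blocklisted."""
    ips_by_org = defaultdict(set)
    for row in rows:
        alloc = lookup(row["ip"])
        if alloc:
            ips_by_org[alloc.org].add(row["ip"])
    report = {}
    for org, ips in ips_by_org.items():
        rated = [REPUTATION[ip] for ip in ips if ip in REPUTATION]
        risky = sum(1 for score, _ in rated if score >= RISKY_THRESHOLD)
        listed = sum(1 for _, on_list in rated if on_list)
        report[org] = {
            "distinct_ips": len(ips),
            "rated": len(rated),
            "risky_share": risky / len(rated) if rated else None,
            "blocklisted_share": listed / len(rated) if rated else None,
        }
    return report


if __name__ == "__main__":
    rows = load_connections(SAMPLE_CSV)
    for country, share in sorted(country_share(rows).items()):
        print(f"{country:12s} {share:.0%}")
    for org, stats in org_reputation(rows).items():
        print(org, stats)
```

With a real dataset the allocation table would come from the regional registries' WHOIS data and the reputation values from a rating service; the unrated count per organisation is worth reporting, since a high risky share over a handful of rated addresses says little.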

These companies were among the most significant players in the dataset:

ORACLE
More than 100 U.S.-geolocated IP addresses allocated to Oracle were used at the KK Park scam compound between February and April 2025. AP shared the detailed connection data with Oracle. “We are diligently working with law enforcement on this matter,” an Oracle spokesperson told AP.

COGENT COMMUNICATIONS
Cogent Communications was among the biggest players, with connections from KK Park and Tai Chang scam compounds. Nearly 40% of the IP addresses allocated to Cogent appeared on publicly available blacklists of potential abuse, according to Scamalytics data. Scamalytics rated 99.6% of them as potentially risky. Cogent says it relies on third parties to report fraud and investigates every verified complaint, but like other ISPs, it can’t see user traffic directly.

AT&T
IP addresses allocated to AT&T were used at three compounds between February 2025 and January 2026. AT&T says it’s cracking down on fraud by making traffic on its network more transparent. In September it began enforcing new rules that require business customers to route traffic under their own network identity, not AT&T’s, to make it harder to disguise questionable activity.

DIGITALOCEAN
Devices from KK Park and Hpakalu used at least 41 IP addresses allocated to DigitalOcean, a cloud infrastructure provider based in Colorado. Scamalytics rated nearly all as potentially risky. DigitalOcean said it reviewed the data shared by AP but declined to disclose the outcome. The company said it does not control how customer applications are used and works closely with them to fight abuse.

UPCLOUD
UpCloud had a single IP address—linked to a server in New York City and rated very high risk by Scamalytics—which connected at least 382 times between February and April 2025 with devices inside KK Park. UpCloud said the data AP shared “triggered a thorough internal review on our side to ensure that the risk of similar situations is further reduced going forward.” The company said it may have involved a VPN hosted on its platform, but noted that it cannot access customer systems, which are private. They declined to provide further details, citing European data protection laws. The firm said it monitors for illegal activity as mandated by EU law but does not rely on Scamalytics because their risk assessments are not detailed enough.

GLOBALTELEHOST
GlobalTeleHost, a Canadian company that provides data center equipment and network connectivity for business customers, was allocated IP addresses used at KK Park and Tai Chang. Two-thirds appeared on public blacklists as potentially abusive, according to Scamalytics, which rated 99.9% as potentially risky.

GlobalTeleHost said it does not serve end users directly and does not control its customers’ applications, traffic or internal review processes. The company said the IPs shared by AP were assigned to commercial VPN providers. The company said it passed AP’s technical findings to those customers and asked them to investigate, but some responded that their records were not detailed enough to identify specific users. GlobalTeleHost said it does not rely on Scamalytics risk ratings but acts on “verified abuse complaints and lawful requests from authorities.”


In many cases, scammers in Myanmar routed their internet connections through U.S.-based cloud services to hide where they were really located before connecting to major platforms—chiefly Meta, which owns Facebook, Instagram, and WhatsApp, according to Kentik, a network monitoring firm in San Francisco that mapped internet traffic from a sample of data shared by AP. That makes it easier for scammers to appear to be somewhere else and slip past platform safety checks.

Meta said that kind of deliberate evasion is why collaboration—with law enforcement and across industry, including connectivity and technology companies—is key to disrupting bad actors at scale.

“Scammers are determined criminals who use increasingly sophisticated tactics to defraud people and evade detection on our platforms and across the internet,” a spokesperson said in a statement. By analyzing behavioral patterns of users, Meta said it has been able to disrupt millions of accounts tied to scam centers across Southeast Asia and the United Arab Emirates.

“This stuff is so pervasive,” said Doug Madory, director of internet analysis at Kentik. “You can successfully launder connections to your heart’s content.”

One way to do that is by leasing IP addresses, which can be more valuable when traffic appears to originate from a well-known provider. This profitable loophole can be exploited to evade security controls. AT&T began enforcing a change in September that tightened this loophole by requiring business customers to announce their own network identity.

“It would be great if everybody did what AT&T did,” Madory said. “They probably lost some customers out of that policy, but those were pretty bad customers.”

Colocousis said people who think scam victims like him are gullible idiots don’t understand the sophistication of criminal organizations behind online fraud.

On Jan. 25, 2025, Colocousis laid out $80,000 cash in neat rows on his table, just as the customer service representative at his crypto trading app had instructed. Eliza had told him if he just paid this last bit, he could unlock his funds and withdraw all his money.

“I will tell you that I feel a little uneasy but I know you keep telling me it’s ok,” he messaged her. She responded instantly with a string of kiss emojis.

The next morning, a young man, who Colocousis said showed up in a Jeep with New York plates, trudged across a thin layer of snow to his doorstep. Once inside, the man—who said his name was Vincent—told Colocousis to put the stacks of $50 and $100 bills in a plastic shopping bag. Vincent sent a message and the money instantly appeared in the fraudulent crypto trading account Eliza had helped Colocousis open, he said.

Vincent left with a big smile and a quick, amiable wave. “See you next time,” he said. “Maybe. OK. Bye-bye.”

Colocousis believes American tech companies should do more to protect people like him. He is still so shaken that he says he sometimes has trouble leaving his house.

“The greed is—,” Colocousis searched for words. “I’m all for capitalism, but when it’s totally ruining people’s lives, people that have worked their whole life towards a goal so that they don’t have to work anymore, only to have it just ripped out of their chest—you know, something’s wrong.”

Today, Musk’s Starlink satellite service is the most widely used internet provider in Myanmar, including at known scam compounds, AP found—despite an ongoing congressional investigation, a November order from a U.S. court to seize Starlink accounts from specific Myanmar scam compounds and announcements, in October and June, that Starlink had cut service to thousands of units around scam centers.

Sen. Maggie Hassan, a New Hampshire Democrat who is leading a bipartisan congressional investigation into the role Starlink and other companies play in the surging losses of scam victims in America, has pressed SpaceX for details on Starlink’s role in transnational fraud and urged the company to do more to prevent the criminal misuse of its devices. “We need to do more at every level to combat the scams that are plaguing Americans across the country,” she said in an email to the AP. “Given that SpaceX’s Starlink is the first choice of satellite internet technology for many scammers, cutting off scammers’ access to Starlink is a key way to prevent scams at the source.”

To be sure, Starlink has been a lifeline for schools, humanitarian groups, hospitals, media and more in Myanmar, according to Amnesty International and others. But data from the Asia Pacific Network Information Center (APNIC), the regional internet registry, indicates that scammers represent a disproportionate share of its user base.

Myanmar has become a haven for industrial-scale scam compounds, which have drafted some 300,000 people from dozens of countries, often against their will, according to the United Nations. One of those compounds is Deko Park, a conglomeration of big, blue-roofed buildings dotted with white satellite dishes near the Thai border.

Data from a sample of devices at Deko Park, provided by International Justice Mission, shows Starlink among the top internet service providers in use from Dec. 10, 2025, to Jan. 6, 2026, just after two regional telecom companies.

An Ethiopian engineer named Ebisa told AP he used Starlink at Deko Park from December 2024 through December 2025, when he managed to escape. He asked AP to only publish his first name because he wants to protect his privacy. Ebisa’s job was to collect the WhatsApp numbers of rich, vulnerable men. He said he was constantly punished—beaten, shocked, detained and forced to exercise for hours at a time—for failing to meet impossible performance goals.

One day, he said, he got fed up and tried to evade a beating. He didn’t get very far. He said the security guards at Deko Park beat him so badly he was blinded in one eye. Photographs show his eye injuries, and AP spoke with an NGO that helped him seek medical care in Thailand.

“It was hard to survive,” he told AP. “Finally, God helped us out from that hell.”

Speaking from a shelter for human trafficking victims in Thailand in December, he said he wanted to get his eye fixed before going home because his mother’s health is fragile and he worried the sight of his injury might kill her.

“It’s very shameful,” he said. “If God helps me, if I get medication, maybe I can get back my eye.”

He told AP on Monday from his home in Ethiopia that doctors had informed him they could not save his eye. “It’s been a tough reality to face,” he said. “They told me that it’s too late to bring back my sight.”

A Nigerian who was also tricked into working at Deko Park, Obinna Okeadu, never made it back home, according to three co-workers, a human rights activist and reports from his family back in Nigeria.

On the afternoon of Oct. 28, 2025, Okeadu and his roommate, Ogbonnaya Tochukwu Agwu—known as Valentine—came off an unsuccessful overnight shift and were called out for punishment.

Back in their dorm room after the beating, Valentine watched as Okeadu began to tremble uncontrollably. Okeadu slid to the ground with a thud, his head lolling strangely, with sharp, anguished sounds rising from his body.

“It’s OK,” a friend told him softly. “We’re here.”

But Okeadu was not OK.

“I’m going to die like this,” Okeadu called out, according to Valentine.

Valentine said Okeadu was taken away—presumably to a hospital. He prayed for his friend. But the next day, Okeadu’s computer disappeared and his name was deleted from work chats.

Valentine never saw him again.

This kind of abuse—and the swelling cost of cyberscams to victims around the world—has led to periodic crackdowns. In early 2025, Thailand temporarily cut off internet connectivity, electricity and gas supplies to scam compounds just over its border with Myanmar.

Starlink was a way around the blockade at the time. Satellite dishes proliferated on the rooftops of scam centers in Myanmar, satellite imagery showed, and Starlink usage in Myanmar surged, according to APNIC data.

In April 2025, as the United States prepared sanctions against foreign scam networks in Southeast Asia, SpaceX reassigned IP addresses from Tanzania to create a dedicated block for Myanmar. It’s not clear why, but experts say that step is usually taken to serve growing demand or prepare for entry into a new market.

By June 2025, Starlink was the number one internet service provider in the impoverished, war-torn country, with a 14% share of the market—despite its relatively high cost, according to APNIC data.

In October, amid another sweeping crackdown, Starlink said it cut services to more than 2,500 units near scam compounds in Myanmar. It lost nearly half of its users in the country and its market share plunged from 15% to 6.5%, according to APNIC data.

But in December, Starlink use surged back, and by February, the company was again number one in Myanmar. Today it has a nearly 20% share of the market, APNIC data show.

SpaceX’s October service cuts demonstrated that the company can sever scam centers from its satellites when it wants to—and shows just how important the criminal networks that pay for scam center infrastructure have been to its user base.

According to Starlink’s own coverage map, it does not sell services in Myanmar. AP asked Myanmar’s ruling military government whether Starlink was legally authorized to work in the country but got no response.

Starlink also declined to respond to detailed requests for comment. But in public comments, Lauren Dreyer, vice president of Starlink business operations at SpaceX, has said that Starlink has “zero tolerance” for abuse.

“We proactively detect and disable terminals involved in illegal activity,” she said in a June statement about the company’s work with the Scam Center Strike Force. “Through collaboration with law enforcement and technology companies, we advance global anti-scam efforts and ensure Starlink remains a force for good.”

Yet Starlink’s service cuts have not stopped scammers—not even from one of the most high-profile scam compounds in Asia, KK Park.

In October, in response to growing international pressure, Myanmar’s military government began demolishing the compound and broadcast images of dozens of seized Starlink terminals. But when the scammers scattered, they brought their tech with them.

By January, at least seven devices used at KK Park had migrated to a new compound some 30 kilometers to the northwest, near Hpakalu, according to International Justice Mission, which tracked the devices using ad tech data.

“These new compounds are showing up in the middle of nowhere and they’re walled multibuilding complexes with a bunch of these terminals on the roof,” said Eric Heintz, a global analyst at IJM. “You should be able to shut them down, and there should be a paper trail for who’s paying the subscriptions for them.”

Heintz has identified at least 25 new sites in Myanmar that have appeared or grown significantly since the crackdown last fall. Satellite imagery, verified by AP, shows empty fields transformed into industrial-scale office parks in just a few months and new roads cut through thick trees.

White satellite dishes dot the rooftops of some of them, and geolocated device data shows that scammers from at least 13 are logging on just as they did before: With Starlink.

This story is part of an ongoing collaboration between The Associated Press and “FRONTLINE” (PBS) that includes an upcoming documentary.

Kinetz reported from Rome, Washington, London, and Lisbon, Portugal. AP journalists Juliet Linderman in Washington and Raynham, Mass, Ope Adetayo in Lagos, Nigeria, Larry Fenn in New York, Huizhong Wu in Bangkok, and Michael Reo in Washington contributed to this story. Freelance reporter Rejimon Kuttappan in Thiruvananthapuram, India, and Anthony DeLorenzo, Martha Mendoza, and Peter Klein from “FRONTLINE” (PBS) also contributed.

The Associated Press receives financial support from multiple private foundations. AP is solely responsible for all content. Find AP’s standards for working with philanthropies, a list of supporters and funded coverage areas at AP.org.

Contact AP’s global investigative team at Investigative@ap.org or https://www.ap.org/tips/

—By Erika Kinetz, Associated Press


Source: Fast Company - technology

How GitHub maintains compliance for open source dependencies

Every day, GitHub engineers introduce new dependencies into the GitHub platform, internal applications, and open source projects. GitHub is not just the home of open source; it is powered by open source! And an important part of using open source responsibly is respecting the licenses that govern the projects you depend on.

At GitHub, we are committed to upholding our obligations to the open source community and to the dependencies we use. Here’s how our Open Source Program Office (OSPO) uses the new GitHub License Compliance feature to manage thousands of dependencies.

Managing the open source license compliance process

Nearly all software carries some kind of license agreement. The license gives you permission to use a project, provided you comply with its obligations. Those obligations may be as simple as giving credit to the original author in your documentation, or they may require you to distribute all your source code when shipping your program. In some cases, licenses may also restrict certain activities or categories of use.

Your organization likely has its own policies about acceptable licenses based on your business model, software ecosystem, and distribution strategy. For example, suppose your organization sells a commercial, closed source binary application. You may want to prevent dependencies that would require you to open source your proprietary code.

Or, you may have a project that you plan to release as an open source package. In this case, you may want to avoid including dependencies governed by commercial or incompatible open source licenses.

If you can’t comply with the obligations required in either scenario, you should avoid the dependency to prevent legal or operational risks. It may require engineering effort to remove these licenses after the fact. For enterprise software, the business risk of noncompliance is huge because it can lead to costly litigation and reputational damage.

Traditionally, license reviews have been performed manually or with third-party software. But now, GitHub has introduced a license compliance feature for GitHub Advanced Security customers, enabling you to review new dependencies directly on pull requests. This review helps ensure that the licenses for those dependencies comply with your policy, while also giving you the flexibility to expand your policy to allow new licenses or individual projects.

Two months ago, GitHub’s OSPO migrated from internal-only tools that we’d built to manage compliance onto the new feature. As early adopters, we gave the development team quick feedback and helped ensure the feature would clear the bar for large, fast-moving enterprises with complex compliance requirements.

Setting up for policy success

Because GitHub had built internal license compliance tools prior to the introduction of the product, we had an existing list of acceptable licenses to use as our initial policy. You’ll likely find that many dependencies use common permissive licenses such as MIT, Apache 2.0, and BSD-3-Clause, which are a good starting list to seed your policy. We initially rolled the feature out using the “Evaluate” mode on an organization-wide ruleset, which generated annotations in pull requests without blocking merges, so we were able to get developers accustomed to the new workflow without impeding their productivity. Running the old and new tools in parallel also let us see if their behavior diverged. After about a month of this mode of operation, we got to a state where the alerts were mainly on packages with unusual, missing, or explicitly disallowed licenses.

The enterprise license policy screen has a paginated list of SPDX licenses, with the ability to add more via manual input or a selection dialog.

How GitHub license compliance works

Under the hood, license compliance checks are enabled via rulesets. We target repositories via a custom property, where the value of the property determines whether license checks are enabled in “Active” or “Evaluate” mode. In repositories that are targeted by a ruleset, pull requests that modify a project’s dependencies trigger a scan that looks up the licenses used by each of the new dependencies. If the new dependencies’ licenses are already permitted, or there are package-specific exceptions, the checks pass. If there are failures, either in the direct or transitive dependencies, the tool comments on the pull request with alerts for each problematic package.

A license alert page, with the name of the package and the noncompliant license identifier and a timeline showing communications between the developer and approver.

The developer then reviews the alerts. If they decide the dependency is unacceptable, they can update their code or close the pull request to remove it. If they believe the license or package should be allowed, they can raise an exception request which will notify a specific team in the organization who can decide whether and how to amend the policy.

A day in the life of the license policy team

GitHub’s license policy team consists of OSPO members and engineers with expertise in license reviews and supply chain analysis. Since we are a worldwide company, our policy review team has members across time zones to review alerts in a timely manner. We are in the process of formalizing an SLA for reviewing license requests, but in practice it’s rarely more than a couple of hours before we can triage an incoming request.

Team members receive email notifications of new review requests and can also access a dashboard to see the backlog of pending requests.

An email notification sent to the license reviewer team, with the name of the user who raised the alert, the repository where the alert was generated, and a comment from the developer requesting the package be permitted because it is a private, internal package.

When approving a request, we have two decision points: first, whether to permit the license or the package. Then, decide what scope – enterprise or repository – to use. If it’s a safe license that simply hasn’t shown up before, we’ll add it at the enterprise level and thus allow dependencies with that license anywhere at GitHub. Some packages carry a commercial license which can’t be permitted everywhere but should be allowed in the repository owned by a team which has paid for the software, so those policy amendments get added at the repository level. Package exceptions are useful for internal software which usually doesn’t have license data associated with it. Helpfully, the tool supports wildcard matches for package exceptions. For example, we’ve permitted everything in the @github-ui/* React namespace, so we don’t need to approve those packages one by one.
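To make the evaluation described in the two sections above concrete, here is an added, hand-rolled model of it in Rust. It is not GitHub's code, and the data shapes, the mode and scope names, the wildcard rule, and every sample package and license value are assumptions constructed for the example. It shows how a policy with enterprise-wide licenses, repository-scoped licenses and wildcard package exceptions turns a list of new direct and transitive dependencies into alerts, and how only "Active" mode turns those alerts into a blocked merge.

```rust
// Added example (not GitHub's implementation): a small model of the license
// policy evaluation described above. Names and sample values are assumptions.
use std::collections::HashSet;

/// Enforcement mode of the ruleset, selected via the repository's custom property.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Mode {
    Evaluate, // annotate the pull request, never block
    Active,   // block the merge while alerts are open
}

/// One new dependency introduced by a pull request.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Dependency {
    pub name: String,
    /// SPDX identifier; None when the package ships no license metadata
    /// (typical for internal packages).
    pub license: Option<String>,
    pub direct: bool,
}

/// The license policy as seen from one repository.
#[derive(Debug, Default, Clone)]
pub struct Policy {
    /// Licenses allowed anywhere in the enterprise.
    pub enterprise_licenses: HashSet<String>,
    /// Licenses allowed only in the repository under review
    /// (for example a commercial license the owning team has paid for).
    pub repo_licenses: HashSet<String>,
    /// Package exceptions: exact names, or a prefix ending in '*'.
    pub package_exceptions: Vec<String>,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Alert {
    pub package: String,
    pub license: Option<String>,
    pub direct: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub struct Outcome {
    pub alerts: Vec<Alert>,
    pub blocks_merge: bool,
}

/// Wildcard matching for package exceptions: "@github-ui/*" matches every
/// package in that namespace; a pattern without '*' must match exactly.
pub fn matches_exception(pattern: &str, name: &str) -> bool {
    match pattern.strip_suffix('*') {
        Some(prefix) => name.starts_with(prefix),
        None => pattern == name,
    }
}

impl Policy {
    /// A dependency passes if its package is excepted or its license is
    /// permitted at either scope. Missing license data never passes.
    pub fn is_permitted(&self, dep: &Dependency) -> bool {
        if self.package_exceptions.iter().any(|p| matches_exception(p, &dep.name)) {
            return true;
        }
        match &dep.license {
            Some(id) => self.enterprise_licenses.contains(id) || self.repo_licenses.contains(id),
            None => false,
        }
    }

    /// Scan the new dependencies (direct and transitive) and report alerts.
    /// Only Active mode turns alerts into a blocked merge.
    pub fn evaluate(&self, new_deps: &[Dependency], mode: Mode) -> Outcome {
        let alerts: Vec<Alert> = new_deps
            .iter()
            .filter(|d| !self.is_permitted(d))
            .map(|d| Alert { package: d.name.clone(), license: d.license.clone(), direct: d.direct })
            .collect();
        let blocks_merge = mode == Mode::Active && !alerts.is_empty();
        Outcome { alerts, blocks_merge }
    }
}

fn dep(name: &str, license: Option<&str>, direct: bool) -> Dependency {
    Dependency { name: name.to_string(), license: license.map(str::to_string), direct }
}

/// Constructed sample policy (placeholder values, not GitHub's real policy).
pub fn sample_policy() -> Policy {
    Policy {
        enterprise_licenses: ["MIT", "Apache-2.0", "BSD-3-Clause"].iter().map(|s| s.to_string()).collect(),
        repo_licenses: ["LicenseRef-Vendor-Commercial"].iter().map(|s| s.to_string()).collect(),
        package_exceptions: vec!["@github-ui/*".to_string()],
    }
}

/// Constructed sample of what a lockfile diff might introduce.
pub fn sample_new_deps() -> Vec<Dependency> {
    vec![
        dep("left-pad", Some("MIT"), true),                            // permitted at enterprise scope
        dep("@github-ui/button", None, true),                          // internal, covered by wildcard
        dep("vendor-sdk", Some("LicenseRef-Vendor-Commercial"), true), // permitted only in this repo
        dep("internal-widget", None, true),                            // no license data: alert
        dep("copyleft-helper", Some("GPL-3.0-only"), false),           // transitive, not in policy: alert
    ]
}

fn main() {
    let policy = sample_policy();
    for mode in [Mode::Evaluate, Mode::Active] {
        let out = policy.evaluate(&sample_new_deps(), mode);
        println!("{mode:?}: {} alert(s), blocks merge: {}", out.alerts.len(), out.blocks_merge);
        for a in &out.alerts {
            let kind = if a.direct { "direct" } else { "transitive" };
            println!("  {} ({kind}) license={:?}", a.package, a.license);
        }
    }
}
```

Two design points carry over from the article: a package with no license metadata is an alert rather than a pass, which is exactly why package exceptions (including wildcards) exist for internal code, and a repository-scoped license stays invisible to every other repository, so the same lockfile evaluated under a policy without that repo-level entry produces an extra alert.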

Making it easy for developers

To support this process, we’ve established procedures about contacting the GitHub OSPO, and how to use an emergency “break glass” override. These situations should be rare, but a clear emergency override process is essential for critically time-sensitive pull requests. As we mentioned above, the license policy enforcement happens via ruleset, and the ruleset condition keys off a custom property. So toggling the value of the property can temporarily turn off enforcement if there’s a critical fix that’s blocked by a license alert. So far, we’ve only needed to use this once, but it was very helpful to have the option.

We’ve also provided internal documentation and training to help developers understand the importance of license compliance. Ultimately, it’s everyone’s job to help ensure compliance and manage risk and it’s our job to make that as easy as possible.

Wrapping up

License compliance is a critical part of managing our software supply chain. By helping developers make informed dependency choices aligned with GitHub’s license policy we prevent costly rewrites and potential legal problems. We’ve been enthusiastically using and providing feedback on the new GitHub License Compliance feature for several months. Now that it’s in public preview, we are excited to see more companies adopt it and hope our experience provides some guidance if you’re just getting started.

GitHub Enterprise Cloud customers can use the License Compliance feature across repositories which have an active GHAS Code Security license. For more information, see About open source license compliance.

The post How GitHub maintains compliance for open source dependencies appeared first on The GitHub Blog.


Source: The GitHub Blog

Rust introduces new Range types

Rust 1.96.0 has arrived, bringing new Range* types to the programming language known for its memory safety.

Announced May 28, Rust 1.96.0 can be installed by current users by running the command rustup update stable.

In elaborating on the new Range* types, the Rust team said many users expect Range and related core::ops types to be Copy, but this is not the case. These types implement Iterator directly, so “it is a footgun to implement both Iterator and Copy on the same type”. RFC3550 proposed replacement range types that implement IntoIterator rather than Iterator, meaning they also can be Copy. The standard library portion of that RFC is now stable, introducing the types core::range::Range, core::range::RangeFrom, core::range::RangeInclusive, and associated iterators.

A future Rust version will add core::range::RangeFull and core::range::RangeTo as re-exports from core::ops. These do not implement Iterator and already implement Copy, the Rust team said. A future Rust version will also introduce core::range::legacy::* as the new home for the current ranges. Range syntax like 0..1 still produces the legacy types for now, the Rust team said, but will be updated to core::range types in an upcoming edition. With these stabilizations, it is now possible to store slice accessors in Copy types without splitting start and end, according to the team. Additionally, the new RangeInclusive type makes its fields public, unlike the legacy version that avoided exposing the exhausted iterator state.
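The footgun the Rust team describes, and the IntoIterator design that RFC 3550 adopts instead, can be shown with two hand-rolled types. The following is an added example, not the standard library's code: `CopyIterRange`, `NewRange`, `NewRangeIter` and `Window` are stand-ins written so the example compiles on toolchains that predate `core::range`, and they mirror the design rather than reproduce the real types.

```rust
// Added example (not the standard library's code): why a type that is both
// Iterator and Copy is a footgun, and the IntoIterator design used by the
// core::range types. All type names here are stand-ins.

/// Legacy-style range that implements Iterator directly. Making it Copy means
/// every by-value use, including `for x in r`, silently works on a copy.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct CopyIterRange {
    pub start: u32,
    pub end: u32,
}

impl Iterator for CopyIterRange {
    type Item = u32;
    fn next(&mut self) -> Option<u32> {
        if self.start < self.end {
            let v = self.start;
            self.start += 1;
            Some(v)
        } else {
            None
        }
    }
}

/// The footgun: the loop consumes a copy of `r`, so afterwards `r.next()`
/// still yields the first element instead of None.
pub fn footgun() -> (u32, Option<u32>) {
    let mut r = CopyIterRange { start: 0, end: 3 };
    let mut sum = 0;
    for x in r {
        sum += x;
    }
    (sum, r.next()) // (3, Some(0)): `r` was never advanced
}

/// RFC 3550 design: the range is Copy and only IntoIterator; the iteration
/// state lives in a separate iterator type that is not Copy.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct NewRange {
    pub start: u32,
    pub end: u32,
}

pub struct NewRangeIter {
    cur: u32,
    end: u32,
}

impl Iterator for NewRangeIter {
    type Item = u32;
    fn next(&mut self) -> Option<u32> {
        if self.cur < self.end {
            let v = self.cur;
            self.cur += 1;
            Some(v)
        } else {
            None
        }
    }
}

impl IntoIterator for NewRange {
    type Item = u32;
    type IntoIter = NewRangeIter;
    fn into_iter(self) -> NewRangeIter {
        NewRangeIter { cur: self.start, end: self.end }
    }
}

/// A Copy accessor that stores the whole range, as the article describes:
/// there is no need to split it into separate start and end fields.
#[derive(Clone, Copy, Debug)]
pub struct Window {
    pub range: NewRange,
}

impl Window {
    pub fn slice<'a>(&self, data: &'a [u8]) -> &'a [u8] {
        &data[self.range.start as usize..self.range.end as usize]
    }
}

/// With the new design the range can be iterated any number of times and is
/// never mutated by iteration.
pub fn no_footgun() -> (u32, u32) {
    let r = NewRange { start: 0, end: 3 };
    let first: u32 = r.into_iter().sum();
    let second: u32 = r.into_iter().sum(); // `r` is still usable and unchanged
    (first, second) // (3, 3)
}

fn main() {
    println!("Iterator + Copy: {:?}", footgun());
    println!("IntoIterator + Copy: {:?}", no_footgun());
}
```

Once `0..1` syntax switches to the `core::range` types in a future edition, the `NewRange` half of this example is what the language gives you by default; until then, the legacy `core::ops` ranges remain non-Copy precisely to avoid the first half.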

Elsewhere in Rust 1.96.0, two new macros, assert_matches! and debug_assert_matches!, check that a value matches a given pattern, panicking with a Debug representation of the value otherwise. And WebAssembly targets no longer pass --allow-undefined to the linker, which means that undefined symbols at link time are now a linker error instead of being converted to WebAssembly imports from the "env" module. This change prevents a module from linking unless every referenced symbol is defined, which catches bugs earlier and avoids accidental issues with symbol naming or similar.

The Rust team on June 30 published a point release, Rust 1.96.1, which offers a series of fixes for Cargo, MIR, and libssh2:


Source: Rust introduces new Range types | InfoWorld