Researcher Turns Insecure License Plate Cameras Into Open Source Surveillance Tool

Some Motorola automated license plate reader surveillance cameras are live-streaming video and car data to the unsecured internet where anyone can watch and scrape them, a security researcher has found. In a proof-of-concept, a privacy advocate then developed a tool that automatically scans the exposed footage for license plates, and dumps that information into a spreadsheet, allowing someone to track the movements of others in real time.

Matt Brown of Brown Fine Security made a series of YouTube videos showing vulnerabilities in a Motorola Reaper HD ALPR that he bought on eBay. As we have reported previously, these ALPRs are deployed all over the United States by cities and police departments. Brown initially found that it is possible to view the video and data that these cameras are collecting if you join the private networks that they are operating on. But then he found that many of them are misconfigured to stream to the open internet rather than a private network.

“My initial videos were showing that if you’re on the same network, you can access the video stream without authentication,” Brown told 404 Media in a video chat. “But then I asked the question: What if somebody misconfigured this and instead of it being on a private network, some of these found their way onto the public internet?” 

In his most recent video, Brown shows that many of these cameras are indeed misconfigured to stream both video and the data they are collecting to the open internet, and that their IP addresses can be found using the Internet of Things search engine Censys. The streams can be watched without any sort of login.

In many cases, they are streaming color video as well as infrared black-and-white video of the streets they are surveilling, and are broadcasting that data, including license plate information, onto the internet in real time. 

Will Freeman, the creator of DeFlock, an open-source map of ALPRs in the United States, said that people in the DeFlock community have found many ALPRs that are streaming to the open internet. Freeman built a proof of concept script that takes data from unencrypted Motorola ALPR streams, decodes that data, and adds timestamped information about specific car movements into a spreadsheet. A spreadsheet he sent me shows a car’s make, model, color, and license plate number associated with the specific time that they drove past an unencrypted ALPR near Chicago. So far, roughly 170 unencrypted ALPR streams have been found.

“Let’s say 10 of them are in a city at strategic locations. If you connect to all 10 of them, you’d be able to track regular movements of people,” Freeman said. 

Freeman told 404 Media that this fact is more evidence that the proliferation of ALPRs around the United States and the world represents a significant privacy risk, and Freeman has been a strong advocate against the widespread adoption of ALPRs. 

“I’ve always thought these things were concerning, but this just goes to show that law enforcement agencies and the companies that provide ALPRs are no different than any other data company and can’t be trusted with this information,” Freeman told 404 Media. “So when a police department says there’s nothing to worry about unless you’re a criminal, there definitely is. Here’s evidence of a ton of cameras operated by law enforcement freely streaming sensitive data they’re collecting on us. My hometown is mostly Motorola [ALPRs], so someone could simply write a script that maps vehicles to times and precise locations.”

A Motorola Solutions spokesperson told 404 Media that the company is working on a firmware update that “will introduce additional security hardening.”

“Motorola Solutions designs, develops and deploys our products to prioritize data security and protect the confidentiality, integrity and availability of data,” the spokesperson said. “The ReaperHD camera is a legacy device, sales of which were discontinued in June 2022. Findings in the recent YouTube videos do not pose a risk to customers using their devices in accordance with our recommended configurations. Some customer-modified network configurations potentially exposed certain IP addresses. We are working directly with these customers to restore their system configurations consistent with our recommendations and industry best practices. Our next firmware update will introduce additional security hardening.”

This is not the first time that ALPRs have been found to be streaming directly to the unsecured internet. In 2015, the Electronic Frontier Foundation and researchers at the University of Arizona found hundreds of exposed ALPR streams. In 2019, an ALPR vendor for the Department of Homeland Security was hacked and license plates and images of travelers were leaked onto the dark web. Last year, the U.S. government’s Cybersecurity and Infrastructure Security Agency put out a warning saying that Motorola’s Vigilant ALPR cameras were remotely exploitable. 

Brown said that, although not all Motorola ALPRs are streaming to the internet, the security problems he found are deeply concerning and it’s not likely that ALPR security is something that’s going to suddenly be fixed.

“Let’s say the police or Motorola were like ‘Oh crap, we shouldn’t have put those on the public internet.’ They can clean that up,” he said. “But you still have a super vulnerable device that if you gain access to their network you can see the data. When you deploy the technology into the field, attacks always get easier, they don’t get harder.”

Facebook Deletes Internal Employee Criticism of New Board Member Dana White

Meta’s HR team is deleting internal employee criticism of new board member, UFC president and CEO Dana White, at the same time that CEO Mark Zuckerberg announced to the world that Meta will “get back to our roots around free expression,” 404 Media has learned. Some employee posts questioning why criticism of White is being deleted are also being deleted. 

Monday, Zuckerberg made a post on a platform for Meta employees called Workplace announcing that Meta is adding Dana White, John Elkann, and Charlie Songhurst to the company’s board of directors (Zuckerberg’s post on Workplace was identical to his public announcement). Employee response to this was mixed, according to screenshots of the thread obtained by 404 Media. Some posted positive or joking comments: “Major W,” one employee posted. “We hire Connor [McGregor] next for after work sparring?,” another said. “Joe Rogan may be next,” a third said. A fourth simply said “LOL.”

💡
Do you work at Meta? I would love to hear from you. Using a non-work device, you can message me securely on Signal at +1 202 505 1702.

But other employees criticized the decision and raised the point that there is video of White slapping his wife in a nightclub; White was not arrested and was not suspended from UFC for the domestic violence incident. McGregor, one of the most famous UFC fighters of all time, was held liable for sexual assault and was ordered by a civil court to pay $260,000 to a woman who accused him of raping her in 2018. McGregor is appealing the decision.

“Kind of disheartening to see people in the comments celebrating a man who is on video assaulting his wife and another who was recently convicted of rape,” one employee commented, referring to White and McGregor. “I can kind of excuse individuals for being unaware, but Meta surely did their due diligence on White and concluded that what he did is fine. I feel like I’m on another planet,” another employee commented. “We have completely lost the plot,” a third said. 

Several posts critical of White were deleted by Meta’s “Internal Community Relations team” as violating a set of rules called the “Community Engagement Expectations,” which govern internal employee communications. In the thread, the Internal Community Relations team member explained why they were deleting content: “I’m posting a comment here with a reminder about the CEE, as multiple comments have been flagged by the community for review. It’s important that we maintain a respectful work environment where people can do their best work. We need to keep in mind that the CEE applies to how we communicate with and about members of our community—including members of our Board. Insulting, criticizing, or antagonizing our colleagues or Board members is not aligned with the CEE.” In 2022, Meta banned employees from discussing “very disruptive” topics.

Hackers Claim Massive Breach of Location Data Giant, Threaten to Leak Data

Hackers claim to have compromised Gravy Analytics, the parent company of Venntel which has sold masses of smartphone location data to the U.S. government. The hackers said they have stolen a massive amount of data, including customer lists, information on the broader industry, and even location data harvested from smartphones which show people’s precise movements, and they are threatening to publish the data publicly.

The news is a crystallizing moment for the location data industry. For years, companies have harvested location information from smartphones, either through ordinary apps or the advertising ecosystem, and then built products based on that data or sold it to others. In many cases, those customers include the U.S. government, with arms of the military, DHS, the IRS, and FBI using it for various purposes. But collecting that data presents an attractive target to hackers.

“A location data broker like Gravy Analytics getting hacked is the nightmare scenario all privacy advocates have feared and warned about. The potential harms for individuals is haunting, and if all the bulk location data of Americans ends up being sold on underground markets, this will create countless deanonymization risks and tracking concerns for high risk individuals and organizations,” Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, and who has followed the location data industry closely, told 404 Media. “This may be the first major breach of a bulk location data provider, but it won't be the last.”

‘Minion Gore’ Videos Use AI to Post Murder to Instagram, TikTok, and YouTube

People are using the popular AI video generator Runway to make real videos of murder look like they came from one of the animated Minions movies and upload them to social media platforms where they gain thousands of views before the platforms can detect and remove them. This AI editing method appears to make it harder for major platforms to moderate against infamously graphic videos which previously could only be found on the darkest corners of the internet. 

The practice, which people have come to call “Minion Gore” or “Minion AI videos,” started gaining popularity in mid-December, and while 404 Media has seen social media platforms remove many of these videos, at the time of writing we’ve seen examples of extremely violent Minion Gore videos hosted on YouTube, TikTok, Instagram, and X, which were undetected until we contacted these platforms for comment.

Specifically, by comparing the Minion Gore edits to the original videos, I was able to verify that TikTok was hosting a Minionfied video of Ronnie McNutt, who livestreamed his suicide on Facebook in 2020, shooting himself in the head. Instagram is still hosting a Minionfied clip from the 2019 Christchurch mosque shooting in New Zealand, in which a man livestreamed himself killing 51 people. I’ve also seen other Minion Gore videos I couldn’t locate the source materials for, but which appear to include other public execution videos, war footage from the frontlines in Ukraine, and workplace accidents on construction sites.

A still from a video of the Christchurch mosque shootings edited with AI to look like a Minions movie.

The vast majority of these videos, including the Minion Gore videos of the Christchurch shooting and McNutt’s suicide, include a Runway watermark in the bottom right corner, indicating they were created on its platform. The videos appear to use the company’s Gen-3 “video to video” tool, which allows users to upload a video they can then modify with generative AI. I tested the free version of Runway’s video to video tool and was able to Minionify a video I uploaded to the platform by writing a text prompt asking Runway to “make the clip look like one of the Minions animated movies.” 

Runway did not respond to a request for comment.

💡
Do you know anything else about these videos? I would love to hear from you. Using a non-work device, you can message me securely on Signal at ‪emanuel.404‬. Otherwise, send me an email at [email protected].

I’ve seen several examples of TikTok removing Minion Gore videos before I reached out to the company for comment. For example, all the violent TikTok videos included in the Know Your Meme article about Minion Gore have already been removed. As the same Know Your Meme article notes, however, an early instance of the Minion Gore video of McNutt’s suicide gained over 250,000 views in just 10 days. I’ve also found another version of the same video reuploaded to TikTok in mid-December which wasn’t removed until I reached out to TikTok for comment on Tuesday.

TikTok told me it removes any content that violates its Community Guidelines, regardless of whether it was altered with AI. This, TikTok said, includes its policies prohibiting "hateful content as well as gory, gruesome, disturbing, or extremely violent content." TikTok also said that it has been proactively taking action to remove harmful AI-generated content that violates its policies, that it is continuously updating its detection rules for AI-generated content as the technology evolves, and that when made aware of a synthetic video clip that is spreading online and violates its policies, it creates detection rules to automatically catch and take action on similar versions of that content. 

Major internet platforms create unique “hashes,” a unique string of letters and numbers that acts as a fingerprint for videos based on what they look like, for known videos that violate their policies. This allows platforms to automatically detect and remove these videos or prevent them from being uploaded in the first place. TikTok did not answer specific questions about whether Minion Gore edits of known violating videos would bypass this kind of automated moderation method. In 2020, Sam and I showed that this type of automated moderation can be bypassed with even simple edits of hashed, violating videos.

“In most cases, current hashing/fingerprinting are unable to reliably detect these variants,” Hany Farid, a professor at UC Berkeley and one of the world’s leading experts on digitally manipulated images and a developer of PhotoDNA, one of the most commonly used image identification and content filtering technologies, told me in an email. “Starting with the original violative content, it would be possible for the platforms to create these minion variations, hash/fingerprint them and add those signatures to the database. The efficacy of this approach would depend on the robustness of the hash algorithm and the ability to closely mimic the content being produced by others. And, of course, this would be a bit of a whack-a-mole problem as creators will replace minions with other cartoon characters.”

This, in fact, is already happening. I’ve seen a video of ISIS executions and the McNutt suicide posted to Twitter, which was also modified with Runway, but instead of turning the people in the video into Minions they were turned into Santa Claus. There are also several different Minion Gore videos of the same violent content, so in theory a hash of one version will not result in the automatic removal of another. Because Runway seemingly is not preventing people from using its tools to edit infamously violent videos, this creates a situation in which people can easily create infinite, slightly different versions of those videos and upload them across the internet. 

YouTube acknowledged our request for comment but did not provide one in time for publication. Instagram and X did not respond to a request for comment.

Instagram Begins Randomly Showing Users AI-Generated Images of Themselves

Instagram has begun testing a feature in which Meta’s AI will automatically generate images of users in various situations and put them into that user’s feed. One Redditor posted over the weekend that they were scrolling through Instagram and were presented an AI-generated slideshow of themselves standing in front of “an endless maze of mirrors,” for example. 

“Used Meta AI to edit a selfie, now Instagram is using my face on ads targeted at me,” the person posted. The user was shown a slideshow of AI-generated images in which an AI version of himself is standing in front of an endless “mirror maze.” “Imagined for you: Mirror maze,” the “location” of the post reads.

“Imagine yourself reflecting on life in an endless maze of mirrors where you’re the main focus,” the caption of the AI images says. The Reddit user told 404 Media that at one point he had uploaded selfies of himself into Instagram’s “Imagine” feature, which is Meta’s AI image generation feature.

💡
Do you work at Meta? I would love to hear from you. Using a non-work device, you can message me securely on Signal at +1 202 505 1702.

People on Reddit initially did not even believe that these were real, with people posting things like "it's a fake story," and "I doubt that this is true," "this is a straight up lie lol," and "why would they do this?" The Redditor has repeatedly had to explain that, yes, this did happen. "I don’t really have a reason to fake this, I posted screenshots on another thread," he said. 404 Media sent the link to the Reddit post directly to Meta who confirmed that it is real, but not an "ad."

Telegram Hands U.S. Authorities Data on Thousands of Users

Telegram, the popular social network and messaging application which has also become a hotbed for all sorts of serious criminal activity, provided U.S. authorities with data on more than 2,200 users last year, according to newly released data from Telegram.

The news shows a massive spike in the number of data requests fulfilled by Telegram after French authorities arrested Telegram CEO Pavel Durov in August, in part because of the company’s unwillingness to provide user data in a child abuse investigation. Between January 1 and September 30, 2024, Telegram fulfilled 14 requests “for IP addresses and/or phone numbers” from the United States, which affected a total of 108 users, according to Telegram’s Transparency Reports bot. But for the entire year of 2024, it fulfilled 900 requests from the U.S. affecting a total of 2,253 users, meaning that the number of fulfilled requests skyrocketed between October and December, according to the newly released data.

“Fulfilled requests from the United States of America for IP address and/or phone number: 900,” Telegram’s Transparency Reports bot said when prompted for the latest report by 404 Media. “Affected users: 2253,” it added.

Violent Hackers Are Using U-Haul To Dox Targets

Members of an underground criminal community that hack massive companies, steal swathes of cryptocurrency, and even commission robberies or shootings against members of the public or one another have an unusual method for digging up personal information on a target: the truck and trailer rental company U-Haul. With access to U-Haul employee accounts, hackers can look up a U-Haul customer’s personal data, and with that try to social engineer their way into the target’s online accounts. Or potentially target them with violence too.

The news shows how members of the community, known as the Com and composed of potentially a thousand people who coalesce on Telegram and Discord, use essentially any information available to them to dox or hack people, no matter how obscure. It also provides context as to why U-Haul may have been targeted repeatedly in recent years, with the company previously disclosing multiple data breaches.

“U-Haul has lots of information, it can be used for all sorts of stuff. One of the primary cases is for doxing targs [targets] since they [seem] to have information not found online and ofc U-Haul has confirmed this info with the person prior,” Pontifex, the administrator of a phishing tool which advertises the ability to harvest U-Haul logins, told 404 Media in an online chat. The tool, called Suite, also advertises phishing pages for Gmail, Coinbase, and the major U.S. carriers T-Mobile, AT&T, and Verizon.

A 5,500-Year-Old Forest in Yellowstone Melted Out of the Ice

Let’s start 2025 off strong by avoiding it entirely and escaping a thousand years into the past to an Amazonian civilization of forest islands, garden cities, and duck tales. From there, we’ll flee even farther from the present, though we’ll keep the “enchanted forest” vibe going strong. 

Then, the BATS are SURFING. What else do you want to know? Close up shop; we’ve reached the pinnacle of enlightenment. And finally, want to see some robots hula hoop? You came to the right place.

Happy New Year to all who acknowledge the passage of time, and congratulations to anyone who has managed to transcend it.

The Ancient Garden Cities of Llanos de Mojos 

Hermengildo, Tiago et al. “Stable isotope evidence for pre-colonial maize agriculture and animal management in the Bolivian Amazon.” Nature Human Behaviour.

It’s unwise to romanticize any past society or culture. Humans are reliably humans, with all that this entails, across time and continents. But when you encounter tales of garden cities linked by vast causeways and populated by people and their pet ducks, it can be a little hard not to indulge in daydreams about life there. 

That’s the scene unveiled in a new study on the Casarabe culture, who lived in the Llanos de Mojos region of the Bolivian Amazon between 500 and 1400, before the arrival of Europeans. Over the centuries, these people built roughly 200 monumental mounds linked by more than 600 miles of canals and causeways. The sprawl included primary urban centers and small forest islands, which are cultivated patches of trees amid the wetland plains. 

Modern example of a forest island in Llanos de Mojos. Image: Stéphen Rostain, Doyle McKey

“The sheer volume of sites and their architectural layout, divided into a four-tier settlement system…indicate that the people of the Casarabe culture created a new social and public landscape through monumentality, leading to low-density urbanism,” said researchers led by Tiago Hermengildo of the Max Planck Institute of Geoanthropology. “The extent and complexity of the Casarabe settlement network present a unique context in the South American lowlands.”

To better understand the diets and lifestyles of these people, Hermengildo and his colleagues collected isotope data from the remains of 86 humans and 68 animals (including mammals, reptiles, birds, and fish) that lived in Llanos de Mojos between 700 and 1400. The results revealed that maize was the central staple of the Casarabe diet—both for its people, and its ducks.

“We provide evidence that muscovy ducks (Cairina moschata), the only known domesticated vertebrate in the South American lowlands, had substantial maize intake suggesting intentional feeding, or even their domestication, from as early as 800 CE,” said the team. “Similar isotopic evidence indicative of maize feeding practices was also reported in muscovy duck from Panama, suggesting that maize was a key element in the domestication of ducks throughout the American continent.”

Feeding ducks: a meditative pastime for the ages. Though the birds were raised for sustenance, I like to imagine a few charismatic drakes and hens earned a role as companions.

But regardless of the charm quotients of bygone ducks, these findings are part of a wave of emerging research revealing that ancient cultures in the Amazon Basin were far more complex and extensive than previously realized—and researchers have only started to scratch the surface of many of these sites. Get your brain checked now, because this field is going to be throwing out head-spinners and mind-bogglers for years to come.

Yellowstone’s Lost Woods 

Pederson, Gregory T. et al. “Dynamic treeline and cryosphere response to pronounced mid-Holocene climatic variability in the US Rocky Mountains.” Proceedings of the National Academy of Sciences.

As global temperatures rise, alpine snowpack and glaciers are receding, a pattern that often exposes fossils, artifacts, and other relics that have been locked in ice for millennia. 

For instance, scientists recently discovered an eerily well-preserved forest of whitebark pines that melted out of an ice patch on Yellowstone’s Beartooth Plateau. This forest stand thrived about 5,500 years ago, but the ice left it in such pristine condition that scientists were able to measure tree rings and reconstruct the climate these trees experienced over five centuries.

“The extraordinary quality of wood preservation at the…ice-patch site provides an opportunity to generate a multicentury, mid-Holocene record of high-elevation temperature during the life of the forest stand, and to elucidate the climate conditions that contributed to the stand’s demise and subsequent growth of the ice patch,” said researchers led by Gregory Pederson of the U.S. Geological Survey. 

Figure showing the site location and tree subfossils. Image: Pederson, Gregory T. et al.

The treeline in the Beartooth Mountains was at a much higher elevation 5,500 years ago due to a multi-century warm spell. Then, around 5,100 years ago, Iceland went on an epic volcanic bender, as it is prone to do from time to time, causing a “summer cooling anomaly” that “led to rapid ice-patch growth and preservation of the trees,” according to the study.

In other words, Iceland’s stinky lava breath likely killed off this forest all the way in Wyoming by cooling the Northern Hemisphere, which entombed the stand in ice. 

The study notes that the treeline is likely to creep back up the slopes again as anthropogenic climate change melts ice off at high elevations. Pines may grow once more on the ancestral grounds of this ancient forest, as a consequence of human activity.   

BATS SURF

Hurme, Edward et al. “Bats surf storm fronts during spring migration.” Science. 

Bats surf. 

Let that sentence breathe. Just two words, yet it may well be the shortcut to nirvana. Dust to dust. Hallelujah. BATS SURF.

In addition to being my new incantation for 2025, “bats surf” is a scientific discovery reported this week. Researchers outfitted 71 female common noctule bats (Nyctalus noctula) with tags and followed their spring migration across Europe, which lasted about 46 days and covered nearly 700 miles. Some of these batgirls covered an astonishing 237 miles in just a single night, much farther than previously recorded flights.

The noctules were able to achieve these distances by timing their flights to coincide with warm fronts that buoyed them along with strong winds. In other words, bats surf the tropospheric waves. This skill is especially important for female noctules, as they must navigate migrations at the same time they are gestating future surfer pups in their bellies.  

“Females are generally pregnant in spring and can delay the embryo’s development through torpor,” said researchers led by Edward Hurme of the Max Planck Institute of Animal Behavior.

“As these bats wait for the right migration conditions, they must either invest in their embryo while increasing their own energetic cost of flight or delay the development of the embryo, possibly affecting the pup’s survival,” the team said. “This phenological flexibility may be key for their long-term survival and maintenance of migration.”

Parenthood is hard enough without having to worry about getting literally weighed down by your brood on the road. There’s no hanging loose for these bats; they are truly on a journey of surf-ival.

Robots Taking Hula Hoop Jobs

Zhu, Xintong et al. “Geometrically modulated contact forces enable hula hoop levitation.” Proceedings of the National Academy of Sciences.

You might be a scientist if you look at a hula hoop and think “this familiar playtime activity can serve as an archetype of the challenging class of problems involving parametric excitation by driven supports and the mechanics of dynamic contact points with frictional and normal forces.”

That’s a quote from a new study that investigated the complex dynamics behind “hula hoop levitation,” which describes how skilled hoopers synchronize their body movements in ways that appear to defy gravity. The study belongs to one of my favorite research traditions—the earnest examination of an outwardly trivial item, a class that also includes the nano-pasta work we recently covered and a legendary 2022 breakdown of the fluid dynamics of Oreos. 

Overlaid frames from videos show that an hourglass-shaped body successfully hula hoops. Image: NYU’s Applied Math Lab

“Seemingly simple toys and games often involve surprisingly subtle physics and mathematics,” said researchers led by Xintong Zhu of New York University. “The physics of hula hooping was first studied as an excitation phenomenon soon after the toy became a fad, and more recent interest has come during its renewed popularity as a form of exercise and performance art.”

In addition to outlining the physical underpinnings of levitation, the authors took the inspired step of experimenting with a variety of hula-hooping robots. The study is punctuated by frankly delightful footage of these machines hooping their cold metal hearts out. See for yourself; the study will be open-access for six months.

The upshot: We now have experimental confirmation that people (or robots) with “sufficiently curvy” figures have a hooping advantage. The team notes that “an hourglass-shaped body of hyperboloidal form successfully suspends the hoop.” 

Shout out to all you hyperboloids out there! Happy hooping.

Thanks for reading! See you next week.

Meta's AI Profiles Are Indistinguishable From Terrible Spam That Took Over Facebook

Earlier this week, Meta executive Connor Hayes told the Financial Times that the company is going to roll out AI character profiles on Instagram and Facebook that “exist on our platforms, kind of in the same way that accounts do … they’ll have bios and profile pictures and be able to generate and share content powered by AI on the platform.” 

This quote got a lot of attention because it was yet another signal that a “social network” ostensibly made up of human beings and designed for humans to connect with each other is once again betting its future on distinctly inhuman bots designed with the express purpose to pollute its platforms with AI-generated slop, just like spammers are already doing and just like Mark Zuckerberg recently told investors the explicit plan is. In the immediate aftermath of the Financial Times story, people began to notice the exact types of profiles that Hayes was talking about, and assumed that Meta had begun enacting its plan. 

But the Meta-controlled, AI-generated Instagram and Facebook profiles going viral right now have been on the platform for well over a year and all of them stopped posting 10 months ago after users almost universally ignored them. Many of the AI-generated profiles that Meta created and announced have been fully deleted; the ones that remain have not posted new content since April 2024, though their chat functionality continues to work. 

People’s understandable aversion to the idea of Meta-controlled AI bots taking up space on Facebook and Instagram has led them to believe that these existing bots are the new ones “announced” by Hayes to the Financial Times. In Hayes’ quote, he says that Meta ultimately envisions releasing tools that allow users to create these characters and profiles, and for those AI profiles to live alongside normal profiles. So Meta has not actually released anything new, but the news cycle has led people to go find Meta’s already existing AI-generated profiles and to realize how utterly terrible they are.


After this article was originally published, Liz Sweeney, a Meta spokesperson, told 404 Media that "there is confusion" on the internet between what Hayes told the Financial Times and what is being talked about online now and Meta is deleting those accounts now. 404 Media confirmed that many of the profiles that were live at the time this article was published have since been deleted.

Behind the Blog: Magic Links and Building Shelves


This is Behind the Blog, where we share our behind-the-scenes thoughts about how a few of our top stories of the week came together. This week, we talk more about magic links and building shelves offline. A light Behind the Blog today but we're back from the holiday on Monday.

JOSEPH: There has been a lot of response to our post We Don’t Want Your Password. Much of it supportive, some of it mad, some of it funny. The TLDR (although I do think it’s worth a read) is that we’re four journalists trying to spend as much time as possible doing actual journalism, rather than spending our very limited amount of time building things that are not necessary and that we’re not equipped to do. We do want to build, like our big project for a fulltext RSS feed for paying subscribers and for the broader independent media ecosystem, but we’re not interested in using up resources (time, mostly) on introducing a username/password login for the site when the current magic link system works mostly fine and is how the CMS we use is designed.

Elon Musk Uses Cybertruck Explosion to Show Tesla Can Remotely Unlock and Monitor Vehicles


Capabilities used in or justified by extreme circumstances often become commonplace and are used for much more mundane things in the future. And so the remote investigative actions taken by Elon Musk in Wednesday’s Cybertruck explosion in Las Vegas are a warning and a reminder that Tesla owners do not actually own their Teslas, and that cars, broadly speaking, are increasingly spying on their owners and the people around them.

After the Cybertruck explosion outside of the Trump International Hotel in Vegas on Wednesday, Elon Musk remotely unlocked the Cybertruck for law enforcement and provided video from charging stations that the truck had visited to track the vehicle’s location, according to information released by law enforcement. 

“We have to thank Elon Musk specifically, he gave us quite a bit of additional information in regards to—the vehicle was locked due to the nature of the force from the explosion, as well as being able to capture all of the video from Tesla charging stations across the country, he sent that directly to us, so I appreciate his help on that,” Clark County Police sheriff Kevin McKahill said in a press conference.  

The fact that the CEO of a car company or someone working on his behalf can—and did—remotely unlock a specific vehicle and has the means of tracking its location as well as what Musk described as the vehicle’s “telemetry” is not surprising given everything we have learned about newer vehicles and Teslas in particular. But it is a stark reminder that while you may be able to drive your car, you increasingly do not own it, that the company that manufactured it can inject itself into the experience whenever it wants, and that information from your private vehicle can be provided to law enforcement. Though Musk is being thanked directly by law enforcement, it is not clear whether Musk himself is performing these actions or whether he’s directing Tesla employees to do so, but Tesla having and using these powers is concerning regardless of who is doing it.

How (and Why) a Reverse Engineer 3D-Printed an iPhone


Reverse engineer Scotty Allen made his own iPhone. Well, more accurately, he made his own iPhone enclosure out of a block of aluminum, put the internal components of an iPhone into it, and managed to make it all work. Then, he used the same schematics he made to 3D print a working iPhone enclosure out of nylon carbon fiber.

Like lots of repair and DIY projects on the iPhone, Allen did tons of painstaking work over the course of a year to more or less recreate something that already exists and that most people do not need. But his work opens the door to a more modifiable iPhone and a DIY culture around smartphones that still doesn’t really exist. Essentially, he took a block of aluminum, used a CNC mill to carve it down, and was able to put all of the components in the custom enclosure, the way someone might when they’re building a PC. Along the way, he made CAD files of the inside of an iPhone, which will allow people to recreate his work. It is now possible to download his design files and 3D print your own iPhone shell.

“There's been an open question for me from the beginning, which is like, we have this culture around modding PCs, right? And custom PCs. Why do we not have that for phones?,” Allen told me in a video chat. “It’s very celebrated in the culture. But then when you talk about building your own phone, everyone is like, ‘No, that’s crazy.’ Apple is going to sue you.”

As you might expect, the iPhone’s enclosure is not just an empty block of metal. There are various tiny holes for screws and engraved areas for cables and antennas to go. Allen studied all of this and, through a roughly year-long process of trial-and-error, was able to recreate this enclosure and create blueprints for other people to replicate it. 

“This was really difficult because I had to reverse engineer it and there was a lot of time spent figuring out, ‘OK, now I’ve got it drawn, but how do I know everything about the interior walls? There’s all these little threaded inserts that are glued in. And I think I actually went about this machining it in a different way than Apple does,” he said.

Over the years, Allen has done lots of cool things with the iPhone, which started with adding a working headphone jack back into the iPhone 7 after Apple removed it. He is part of the right to repair movement, but takes things a step further and says he’s advocating for the right to modify, and the normalization of opening and tweaking things like the iPhone to prove that they’re not just unknowable black boxes.

“I look at this as an infrastructure project, which is, let’s make a 1-to-1 copy,” he said. “It’s not totally 1-to-1, but in terms of overall geometry, it’s a fairly faithful representation and reproduction with the goal that, if you want to do interesting things, you need to start with the boring things first. And now with all the design files that I’ve created, you can really easily begin to modify it to look how you want on the outside, to add space for things on the inside. So this is a base for doing all sorts of more creative things.” 

Allen said that at the moment one challenge is that there are limitations on the types of touchscreens that will work with the iPhone, but that with more work it would be possible to work with additional modifications. 

“My notion is that a phone is a device that you can open up and tinker with, or at least repair,” he said. “I think I’ve had a hand in saying, ‘Look, this isn’t a black box that only Apple is allowed to open.’ … I think consistently what I’ve done is poke at the edges and say, ‘What other things can we do with this?’” 

Pornhub Is Now Blocked In Almost All of the U.S. South


Almost two years ago, Louisiana passed a law that started a wave that’s since spread across the entire U.S. south, and has changed the way people there can access adult content. As of today, Florida, Tennessee, and South Carolina join the list of 17 states that can’t access some of the most popular porn sites on the internet, because of regressive laws that claim to protect children but restrict adults’ use of the internet, instead.

That law, passed as Act 440, was introduced by “sex addiction” counselor and state representative Laurie Schegel and quickly copied across the country. The exact phrasing varies, but in most states, the details of the law are the same: Any “commercial entity” that publishes “material harmful to minors” online can be held liable—meaning, tens of thousands of dollars in fines and/or private lawsuits—if it doesn’t “perform reasonable age verification methods to verify the age of individuals attempting to access the material.”

To remain compliant with the law while protecting users’ privacy, Aylo—the company that owns Pornhub and a network of sites including Brazzers, RedTube, YouPorn, Reality Kings, and several others—is making the choice, state by state, to block users altogether. 

Pornhub is currently blocked in:

Podcast: The 404 Media Year in Review


Here's a special year in review episode of the 404 Media Podcast! We riff on the last year in AI, media, journalism, and more. We'll be back with a normal news show in the new year!

Listen to the weekly podcast on Apple Podcasts, Spotify, or YouTube. Become a paid subscriber for access to this episode's bonus content and to power our journalism. If you become a paid subscriber, check your inbox for an email from our podcast host Transistor for a link to the subscribers-only version! You can also add that subscribers feed to your podcast app of choice and never miss an episode that way. The email should also contain the subscribers-only unlisted YouTube link for the extended video version too. It will also be in the show notes in your podcast player.

We Don’t Want Your Password


Since we launched 404 Media one of the most common feature requests we’ve received from readers is the ability to log into the site with a username and password, as opposed to the magic links used by Ghost, the open source publishing platform we use for our site and newsletters. 

If you don’t have a 404 Media account, here is how magic links work: Rather than enter a username and password to register for our site and log in, you give us your email. We then send you an email with a link that you click, which logs you into the site. That email also comes with a URL you can copy/paste into the address bar of your browser of choice for reasons we’ll get into in a minute. That’s it. As long as you remain logged in you never have to think about this again, and if you are logged out or want to login on a different device you just repeat the same process. 

We find this to be a much easier login process and wish it was more common across the web where appropriate. But there’s a much more important reason why we have embraced Ghost’s login method and are not in a rush to develop our own solution for a username and password login in the same way we invested time and money in developing full text private RSS feeds for paying subscribers, for example. The gist is that it’s safer for us and for you to not share any passwords with us. 

It’s impossible to say what the exact number is, but a huge portion of cybersecurity breaches start with compromised credentials. There are a few ways hackers can compromise your passwords, many of which Joseph has covered on 404 Media recently, but one common method is exploiting the fact that the majority of people reuse their passwords across the internet (a study of 28.8 million users found that 52 percent of them reuse passwords). This is why it’s much safer for people to use password managers that generate unique, strong passwords for every account, and why Have I Been Pwned is such an important resource—by keeping track of sites and services that have been hacked, it acts as a constant reminder to use a different password on every service. Otherwise, a hacker could take your password from that random forum hack, and then use it to break into your workplace account, or whatever other account shares that password.

It is standard best practice for sites that ask for your password to hash it, meaning even if a site got hacked, hackers can’t just run off with your password. However, that is not always the case, with some companies storing passwords in plain text, and depending on what hashing algorithm the site has used, hackers may be able to crack it.

But you know what’s the safest way for us to keep your password safe? Not asking for one to begin with. By not creating a password with us you have no risk of it leaking, and we don’t have to deal with the responsibility of keeping it secure. The sign in link is going to your email, which presumably is protected with two-factor authentication, if you have it set up (which you should!).

“The main reason (as you know!) is security,” Ghost CEO John O’Nolan told us when asked about the company’s choice to use magic links. “Passwords get hacked all the time, but they can’t be hacked if they don’t exist. Then what I would usually add to that is how this allows a small team like 404 to spend less time managing security administration, and more time investing in bringing you stories you care about.”

That being said, we want to acknowledge that the magic link system isn’t perfect because no system is. We also understand that some people don’t like the magic link system or have extenuating circumstances where it does not work for them, and would prefer a password system. We’re writing this article in part to explain our thinking behind having the magic link system and to explain why a password system is not currently feasible for us.

We have, on a couple of rare occasions, heard users complain that the emailed links take a while to come in. This almost never happens and when it has we’ve seen it resolved within a few hours. More often than not, users will sign up to our site via a work email with aggressive security or content filtering rules that block our emails. If you ever think that might be the case for you please reach out to [email protected], but also keep in mind you are always free to change the email associated with your account to a personal email address. We want to make our articles as easy as possible for subscribers to access, which is why we set up private RSS feeds that don’t require a login to read our stories.

Probably the most common problem people run into with magic links is they think they have logged into the site on their normal browser, but they’re actually logged in through an in-app browser. For example, someone might receive the login link to their email. They open up the Gmail app, click the “Sign in to 404 Media” button, and their phone loads the webpage. But this is loading the website in Gmail’s web browser, not your native Safari one. People then navigate the site as they would normally in their default browser, and are surprised when they are not logged in. These two browsers are not sharing any cookies or log in sessions.

It’s annoying when apps open stuff in their own browsers rather than the phone’s native one. This is a more fundamental design issue with how many apps or operating systems work. A solution on iPhone is when receiving the login link, click and hold the “Sign in to 404 Media” button to bring up the contextual menu, and hit “Open Link.” This will open the link, and sign you in, on your native browser. Or, copy and paste the sign in link which is also in the email. Regardless, we recommend you login to 404 Media wherever you expect to read it. 

We totally understand that this is a frustrating experience, and frankly a flaw with the mobile web in general. But we also recognize that for a lot more people, not having to remember or save a password is the easiest, most preferred, most secure option we can offer right now. The benefits of the magic link system outweigh the costs, both to us as a small business, and to our readers who are privacy-conscious. 

Ultimately, it is much safer for us, and for you.
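
The magic-link flow and the in-app browser mix-up described above, shown as an added JavaScript sketch (not Ghost's or 404 Media's code). The host `news.example`, the `MagicLinkService` class, the 10-minute link lifetime and the single-use rule are assumptions made for the illustration.

```javascript
// Added example: a sketch of magic-link sign-in. Not Ghost's or 404 Media's code.
// Assumed for illustration: news.example, MagicLinkService, a 10-minute
// link lifetime and single-use tokens.
const crypto = require('crypto');

const TOKEN_TTL_MS = 10 * 60 * 1000; // assumed lifetime of an emailed link

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

class MagicLinkService {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so expiry can be exercised
    this.pending = new Map();  // sha256(token) -> { email, expiresAt }
    this.sessions = new Map(); // session id -> email
    this.outbox = [];          // stands in for the mail server
  }

  // Step 1: the reader types an email address. No password is collected or stored.
  requestLink(email) {
    const address = email.trim().toLowerCase();
    const token = crypto.randomBytes(32).toString('hex'); // 256 random bits
    // Only a digest is kept, so a copy of this table cannot be replayed as links.
    this.pending.set(sha256(token), {
      email: address,
      expiresAt: this.now() + TOKEN_TTL_MS,
    });
    const link = `https://news.example/signin?token=${token}`;
    this.outbox.push({ to: address, link });
    return link;
  }

  // Step 2: a browser opens the link. The session cookie lands in that
  // browser's jar only; `jar` is a Map standing in for its cookie store.
  openLink(link, jar) {
    const token = new URL(link).searchParams.get('token');
    if (!token) return { ok: false, reason: 'missing-token' };
    const key = sha256(token);
    const record = this.pending.get(key);
    if (!record) return { ok: false, reason: 'unknown-or-used' };
    this.pending.delete(key); // single use, even when the link has expired
    if (this.now() > record.expiresAt) return { ok: false, reason: 'expired' };
    const sessionId = crypto.randomBytes(32).toString('hex');
    this.sessions.set(sessionId, record.email);
    jar.set('session', sessionId);
    return { ok: true, email: record.email };
  }

  // Step 3: later page loads are identified by the cookie alone.
  whoAmI(jar) {
    return this.sessions.get(jar.get('session')) || null;
  }
}

// Constructed scenario: one reader, two browsers on the same phone.
function demo() {
  let clock = 0;
  const svc = new MagicLinkService(() => clock);
  const inAppBrowser = new Map();   // the mail app's built-in browser
  const defaultBrowser = new Map(); // the browser the reader normally uses

  const link = svc.requestLink('Reader@Example.com');

  // Someone holding a copy of the server's table tries a stored digest as a token.
  const storedDigest = [...svc.pending.keys()][0];
  const fromLeak = svc.openLink(
    `https://news.example/signin?token=${storedDigest}`, defaultBrowser);

  const first = svc.openLink(link, inAppBrowser);    // tapped inside the mail app
  const replay = svc.openLink(link, defaultBrowser); // same link pasted elsewhere

  const late = svc.requestLink('reader@example.com');
  clock += TOKEN_TTL_MS + 1;                         // link left unopened too long
  const expired = svc.openLink(late, defaultBrowser);

  return {
    fromLeak, first, replay, expired,
    inApp: svc.whoAmI(inAppBrowser),
    normal: svc.whoAmI(defaultBrowser),
  };
}

console.log(demo());
```

Run under Node.js, the result shows the stored digest and the replayed link both rejected, and only the browser that actually opened the link holding a session.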

Secret Service Admits It Didn’t Check if People Really Consented to Being Tracked


The Secret Service never actually checked whether people gave proper consent to be tracked by a mobile phone location monitoring tool, despite claiming the data was collected with people’s permission, the agency admitted in an email obtained by 404 Media.

The email undermines the Secret Service’s and other U.S. federal agencies' justification that monitoring the movements of phones with commercially available location data without a warrant is possible because people allegedly agreed to the terms of services of ordinary apps that may collect it. The news also comes after the Federal Trade Commission (FTC) banned Venntel, the company that provided the underlying dataset for the surveillance tool used by the Secret Service, from selling sensitive location data, and alleged that it did not obtain that consent in multiple cases. The tool used by the Secret Service is called Locate X, which is made by a company called Babel Street.

In the 2022 email, the office of Senator Ron Wyden asked the Secret Service what steps it had taken to verify that the location data it purchased from Babel Street was obtained from consumers who consented to “the onwards sale and sharing of the data.” Venntel collates location data from a variety of sources, including apps installed on people’s phones such as weather or navigation tools. The Secret Service’s one-word response to that question read “None,” according to a copy of the email Wyden’s office shared with 404 Media.

The Year in Abstracts: Obese Genomes and Banana Galaxies


Welcome back to a very special holiday edition of the Abstract! I hope this week brought you all the seasonal mirth to which you are entitled. 

As the year winds to a close, I’m sharing five studies that stood out to me in 2024. They are not judged by any specific criteria other than general mind bogglery. We’ll start with banana galaxies; no further explanation needed. Then, the new record-holders for brightest thingummy and biggest genome. Next, we are living in an RNA world and we are all RNA girls. And to close out 2024, a vision of life in the lunar underground. 

It’s Bananas All the Way Down

Pandya, Viraj et al. “Galaxies Going Bananas: Inferring the 3D Geometry of High-redshift Galaxies with JWST-CEERS.” The Astrophysical Journal.

The James Webb Space Telescope, launched on Christmas Day 2021, has been looking at weird space stuff for over two years now, yielding a constant stream of insights about the early universe, alien exoplanets, and whatever else it sets its unprecedented sights on.

To that end, 2024 kicked off with the landmark discovery that baby galaxies from the dawn of time were…bananas. Scientists reported in January that galaxies at high redshifts—meaning they were observed in the very ancient universe—often seem to take on a “banana-like” shape. 

I have never seen bananas that look like this, but ok. Image: Pandya, Viraj et al.

“In this paper, we place new constraints on the 3D shapes of high-redshift galaxies using JWST observations from the Cosmic Evolution Early Release Science (CEERS) survey,” said researchers led by Viraj Pandya of Columbia University. “We will illustrate how this curved ‘banana-like’ joint distribution” arises from galaxies “with intrinsically elongated 3D shapes.” 

The results suggest that many galaxies go through an awkward “prolate” phase of morphological elongation before maturing into more familiar galactic shapes we see today, like clusters and disks. And while Pandya and his colleagues see bananas in space, these shapes have also been described as pickles or cigars. It all depends on what kind of treat you want to see at the edge of the universe.  

A Sun a Day Keeps the Doctor Away

Wolf, Christian et al. “The accretion of a solar mass per day by a 17-billion solar mass black hole.” Nature Astronomy. 

2024 had its fair share of dark moments, but there was one very literal bright spot: Scientists identified the most radiant object known in the universe, which is a quasar called J0529−4351. Quasars are pyrotechnic galactic cores and the most ludicrously luminous entities in space. Their “implausibly huge output of light,” as it is described in the above study, is generated by intense gravitational interactions between supermassive black holes at the center of galaxies, and forms of matter (gas, dust, doomed civilizations) that accrete around those holes.  

“In terms of luminosity and likely growth rate, J0529−4351 is the most extreme quasar known,” said researchers led by Christian Wolf of Australian National University. “The black hole in this quasar accretes around one solar mass per day onto an existing mass of ∼17 billion solar masses.”

In other words, J0529−4351 is eating the equivalent of a whole Sun every single day. It’s the Gaston of quasars. As a consequence of this insane diet, J0529−4351 is 500 trillion times more luminous than the Sun. Just utterly incomprehensible radiance. What’s wild is that the record for brightest quasar has been repeatedly broken in recent years, so it’s possible that even J0529−4351—an unprecedented light-barfing marvel—may be outshone in the near future. 

Big Genome Energy

Fernández, Pol et al. "A 160 Gbp fork fern genome shatters size record for eukaryotes." Cell.

Pop quiz: What species has the biggest genome ever found? You would be forgiven for not guessing that it is (drumroll) some random fern in New Caledonia. And yet, in May, scientists reported that Tmesipteris oblanceolata, a tropical fork fern that appears totally inconspicuous, bears the most “obese genome” ever discovered. 

The fern’s genome contains 160 billion base pairs, making it 50 times bigger than a human genome and 7 percent bigger than the genome of the Japanese andromeda, a flowering plant that previously held the record. 

Image: Fernández, Pol et al

“Here, we present the discovery of the largest eukaryotic genome so far reported,” said researchers led by Pol Fernández of the Institut Botanic de Barcelona. “This record-breaking genome challenges current understanding and opens new avenues to explore the evolutionary dynamics of genomic gigantism.”

“It cannot be completely ruled out that even larger genomes may be uncovered in the future,” the team concluded. “Nevertheless, the multiple physiological, ecological, and evolutionary costs associated with genomic expansions at such gigantic scales most likely suggest that if the upper limit has not been reached yet, that of Tmesipteris oblanceolata must be very close to it.”

In other words, this species may well be the world's genomic heavyweight champion. And it’s just some tropical fern! Nature: an inscrutable weirdo.

It’s a Mad (RNA) World 

Papastavrou, Nikolaos et al, “RNA-catalyzed evolution of catalytic RNA.” Proceedings of the National Academy of Sciences.

How did life first arise on Earth? There are lots of compelling mythological answers to this question, such as “the Sky and Earth Hooked Up” and “Magic Dirt.” The question has also inspired a number of tantalizing scientific hypotheses, including what’s known as “RNA World.” In this leading scenario, the first Earthlings were self-replicating molecules of ribonucleic acid (RNA) that emerged about four billion years ago, before the emergence of proteins or deoxyribonucleic acid (DNA).

In March, scientists bolstered support for RNA World by developing an RNA enzyme that can perform some of the functions associated with these early speculative molecules, including making accurate copies of RNA strands and introducing variants over time. This discovery is a stepping stone toward recreating forms of primordial evolution in laboratory conditions, where they can be directly probed for clues about the origins of life, known as abiogenesis.

“At some point during the early history of RNA-based evolution, it is thought that RNA evolved the ability to catalyze its own replication, acting as an RNA-dependent RNA polymerase,” said researchers led by Nikolaos Papastavrou of the Salk Institute for Biological Studies. “This study demonstrates the critical importance of replication fidelity for maintaining heritable information in an RNA-based evolving system, such as is thought to have existed during the early history of life on Earth.”

The study offers a new piece of a puzzle that has enraptured untold generations: How can life spring up from non-living materials? What kind of cosmic magic trick is that? Enchanted dirt may genuinely not be far off from the truth, in the end.

You Can Take the Human Out of the Cave, But…

Carrer, Leonardo et al. “Radar evidence of an accessible cave conduit on the Moon below the Mare Tranquillitatis pit.” Nature Astronomy. 

Humans simply cannot resist a cozy cave. Caves were our starter homes; spaces used not just as shelters but as canvases for our imaginations and hubs of social and ritual activity (see: tortoise parties). So perhaps it’s no surprise that as we expand our exploratory efforts into outer space, we still cannot pass up a snug subterranean pad, even if it is on the Moon.

To that end, scientists reported in July that the Mare Tranquillitatis pit (MTP), a 330-foot-deep opening about 250 miles away from the Apollo 11 landing site, may be the entrance to an underground cave system made of ancient lava tubes. The team was able to map out this structure, which is the deepest known pit on the Moon, with radar reflections from NASA’s Lunar Reconnaissance Orbiter.

Image: Carrer, Leonardo et al.

“We find that a portion of the radar reflections originating from the MTP can be attributed to a subsurface cave conduit tens of metres long, suggesting that the MTP leads to an accessible cave conduit beneath the Moon’s surface,” said researchers led by Leonardo Carrer of the University of Trento. “This discovery suggests that the MTP is a promising site for a lunar base, as it offers shelter from the harsh surface environment and could support long-term human exploration of the Moon.”

It would be hilarious if all of those lofty human aspirations of a spacefaring techno-utopia culminated in us becoming cavemen again, just on a different world. The study also gets extra points for occasionally sounding like a high-end real estate listing, describing the pit as “an elliptical skylight with vertical or overhanging walls and a sloping pit floor that seems to extend further underground.” Dang, finally a Moon cave with the right specs—though it comes unfurnished and lacks desirable amenities (including breathable air).  Who’s up for some space spelunking?

That’s a wrap on the Abstract for 2024. Thanks so much for reading, and Happy New Year! 

AI-Generated Book Grifters Threaten The Future of Lace-Making


AI-generated books and images are threatening the nearly 500-year-old art of lace making. 

It’s already come for the crochet community, and researchers have tried to teach machines to knit. But lace-making—a craft that even Renaissance artists struggled to master, and in which there are a literal infinite number of patterns to be created—is now having its AI slop moment. 

Mary Mangan, the librarian for her New England-based lace making group, told me that she first became aware of AI infiltrating lace spaces when someone in her group asked her to research a book that featured a cover photo that she wanted to try to make herself. “So I began to research the book. It smelled funny and I tried to search for the author's other work but couldn't find any,” Mangan said. She asked r/BobbinLace, a Reddit community for the bobbin lace-making technique, and users there helped track down the original, not-AI image from a lace catalog that the cover photo seemed to be based on. 

Longtime lace makers and experts from all around the community have started raising the alarm on AI grifting in their tight-knit community. Karen Bovard-Sayre, who has published several books about lace techniques, posted a video in November addressing the issue, saying she found 36 books about lace and tatting—a lacemaking technique—that seemed AI generated. She said she was looking at Amazon books about tatting to see what else was being published on the topic, and found many of the AI books targeting beginners. 

“As you probably all know, the tatting world's not that big even though it's around the world, but we kind of know who's doing what, who's making content, who's making books and all that,” Bovard-Sayre said in her video. “I started reading the summaries and they all kind of sounded flowery and didn't really say what they were, and then I started looking at the covers and back covers, and said wait a minute, something's wrong here.” She spends the rest of the video demonstrating what these books get wrong, and how to spot AI generated lace making materials. 

Some of the AI signs Bovard-Sayre points out include odd punctuation in the author’s name (in the case of the book she’s examining in her video, “Sheila .A Richard,” where there’s a period before the middle initial), references to video tutorials like “This is a wonderful instructional video,” which make no sense in a printed book, obvious misspellings, and distorted or blurry photos.

She also finds designs in the book that she recognized as being the work of other lace designers, including Marilee Rockley, a fiber artist who specializes in tatting. Rockley also recently addressed the rise in AI generated materials on her website. “Some of you may have heard about the miserable thieves who are using Artificial Intelligence technology to ‘make’ books to sell,” she wrote. “Really horrible, fake books loaded with wrong information (lies) and stolen photos. They're so bad it would be laughable except they hurt a lot of innocent people who are looking to learn a new-to-them craft.” 

Preying on beginners’ lack of knowledge and relative inability to spot blatant fakes is a tactic used in other AI book grifts, too. The mushroom foraging community recently discovered AI scam books were flooding Amazon, directing newcomers to bad, potentially deadly misinformation. Unlike eating a poisonous mushroom because a chatbot or AI book told you it’s safe, buying a book on lacemaking that contains sloppily-generated images or instructions isn’t a matter of life and death—but it does threaten to devalue and dilute the integrity of a centuries-old art, as well as deterring newcomers. 

“Lace is a small hobby and a pretty tight community. We know who the designers and vendors are, and we trust them. However, until you become part of the lace community there's no way to know who is trustworthy and what is dubious. You need some level of skill and time within the network to really assess this,” Mangan told me. “Unfortunately, for newcomers who might be excited to dive into this hobby, they could get burned by the inadequate books—and frankly the thievery—of the work of our cherished lacemakers and designers. This could sour newbies on the craft and that would be unfortunate. And it could harm designers who opt out of sharing their works, and we'll all lose then.”

Lacemaker and textile historian Elena Kanagy-Loux told me she first noticed the proliferation of AI-generated books on bobbin lace while teaching a course last summer. A student showed her a book she’d recommended to her students on Amazon, but the recommended books on the site seemed off. “There were a number of suggested lace books with strange covers that did not represent real lace techniques, and subsequently I have been warning all of my students to avoid Amazon and buy from independent lace suppliers (a good practice for a multitude of reasons),” she said. “Now I see that there are a number of them advertising different lace techniques with strange AI images on the cover that don’t represent real lace or tools, and contents that—according to reviews—are either nonsense that provide no tangible instructions, or directly plagiarized from real lace books.” 

Some of the books Elena Kanagy-Loux found on Amazon included: 

I sent all of the above listings to Amazon for comment, and the platform removed all of them except for the first one. “We have content guidelines governing which books can be listed for sale, and we have proactive and reactive methods that help us detect content that violates our guidelines, whether AI-generated or not. We invest significant time and resources to ensure our guidelines are followed, and remove books that do not adhere to those guidelines,” a spokesperson for Amazon told me in a statement. “We aim to provide the best possible shopping, reading, and publishing experience, and we are constantly evaluating developments that impact that experience, which includes the rapid evolution and expansion of generative AI tools. We continue to enhance our protections against non-compliant content, and our process and guidelines will keep evolving as we see changes in AI-driven publishing.”

Amazon is full of these books, but it’s not the only retailer selling them. Mangan showed me several she and others found on eBay, including Bobbin Lace Magic: Unlocking the Secrets of Colorous Book by Ethan CC Lee which, like the ones above, has a book-report description as if the author is reviewing their own book. And then there’s A Bobbin Lace Book by Tim M. Enoch, with a description that includes an error from generating the text: “This response was truncated by the cut-off limit (max tokens). Open the sidebar, Increase the parameter in the settings and then regenerate.” eBay did not respond to a request for comment.

Mangan wondered if the onslaught of AI-generated slop in lacemaking might drive people to connect to real humans more. “Gathering in groups and discussing valuable books might be a good outcome, and we can host public gatherings for the lace-curious folks,” she said. “One other thing that I do is to edit Wikipedia with good books as references when I hear about them—maybe that could become another route to connect people to higher quality and current materials.” Used and older books could become more valuable, too, she said. 

“Over the years of posting videos about lacemaking on social media, I have gotten many snarky comments saying ‘AI will replace this.’ At first I laughed it off, because for lacemakers like myself the joy is in the process of working with our hands, which can never be replaced by technology,” Kanagy-Loux said. “But now I have genuine concerns that beginners seeking affordable books will be scammed by AI-generated books that contain no real information about the techniques and give up in frustration. This misinformation is why it is so important to me to share resources online and make knowledge about lacemaking and lace history accessible to a broader audience. Fortunately, our community continues to grow all the time, so I hope we can combat the proliferation of AI pattern books with the instructions of human beings.”

Podcast: Why We Cover AI the Way We Do

Hello! Here's a holiday gift: an episode of the 404 Media Podcast that was previously only for paying subscribers! It gives a lot more context on how and why we cover AI the way we do. Here's the original description of the episode:

We got a lot of, let's say, feedback, with some of our recent stories on artificial intelligence. One was about people using Bing's AI to create images of cartoon characters flying a plane into a pair of skyscrapers. Another was about 4chan using the same tech to quickly generate racist images. Here, we use that dialogue as a springboard to chat about why we cover AI the way we do, the purpose of journalism, and how that relates to AI and tech overall. This was fun, and let us know what you think. Definitely happy to do more of these sorts of discussions for our subscribers in the future.

Listen to the weekly podcast on Apple Podcasts, Spotify, or YouTube. Become a paid subscriber for access to this episode's bonus content and to power our journalism. If you become a paid subscriber, check your inbox for an email from our podcast host Transistor for a link to the subscribers-only version! You can also add that subscribers feed to your podcast app of choice and never miss an episode that way. The email should also contain the subscribers-only unlisted YouTube link for the extended video version too. It will also be in the show notes in your podcast player.

Nothing Is Sacred: AI Generated Slop Has Come for Christmas Music

AI slop has consumed Facebook, is running Wikipedia editors ragged, is rapidly destroying Google search, probably put an extra finger on the scales of election influence, is confusing and annoying crafters, steals endlessly from authors, is on its way to demolish YouTube comment sections, and will probably end up in a movie theater near you sooner than you think. But if you’re streaming Christmas music today, did something seem a little off to you? If so, there’s a very good chance you’ve been listening to AI-generated carol-slop.

As spotted by video game developer Karbonic, YouTube compilation videos are sneaking AI generated songs into their mixes. 

The Slop situation is getting so dire man
I found a video with millions of views claiming to be Classic Christmas music, but all of it is just weird AI covers of the songs, with thousands of comments that seem unable to tell the difference pic.twitter.com/K6sg8R7FWU

— Karbonic (@Karbonicc) December 4, 2024

The example they posted, “Best of 1950s to 1970s Christmas Carols ~ vintage christmas songs that will melt your heart 🎅🎄⛄❄️,” has more than five million views and more than 2,000 comments. A ton of the comments appear to be engagement-farming bots, saying things like “I'm looking forward to Christmas 2024, is anyone else like me?” but many seem human. “It takes me back to my childhood and I realize how wonderful life was before worries about money and so many futile things that dont matter,” one person wrote. Another commented, “Missing memories of my youth. But, grateful for the blessings in my life. Merry Christmas and God bless you.❤” 

If I put this on in the background while doing something else, I might not think anything of it. But there are points in the one hour 18 minute video that give it away as AI: “O Little Town of Bethlehem,” around the 36:55 mark, is the lyrics of that song but the melody of “Silent Night.” If you compare it to an actual recording of Nat King Cole singing “O Little Town,” the difference is even more obvious. Once you start noticing the warped tunes, they’re hard to un-hear. “Oh Holy Night” is listed in the video as being by “Nei Diamond,” who as far as I can tell doesn’t exist, or is a typo of Neil Diamond, who is definitely not the singer in the song on this compilation. “The First Noel,” attributed here to Nat King Cole, is either an undiscovered recording where Nat and the choir run some really wild riffs, or is AI. 

I won’t list every tell in this video, but there are many and they give me the heebie jeebies. Other videos in this channel, Holiday Serenade Library, seem to be pulling the same grift, sometimes with AI-generated video of people blurring around outdoor markets, Santa with a burning sleigh and reindeer on fire, or children with weird mustaches skipping through the snow.

A quick search around the internet to see if anyone else has encountered other holiday-flavored AI slop turned up a recent Reddit thread where people were complaining about seemingly fabricated Spotify artists haunting retail workers during an already agonizing season. They list Dean Snowfield, North Star Notesmiths, Sleighbelle, Frosty Nights, The Humbugs, Snowdrift Sleighs, and Daniel & The Holly Jollies as artists on Spotify that have snuck into Christmas playlists but have little to no trace of a career outside of the streaming platform. Some of them, like several of Dean Snowfield’s songs, sound like MIDI mixes with a stilted voice singing the lyrics. These artists make it onto huge, popular playlists like “Old Christmas Music” alongside real songs. It’s honestly hard to tell whether these artists are AI-generated or just mass produced. But their Spotify artist bios often have the same exact text, or follow this pattern: 

“Dean Snowfield are songwriters, artists, and musicians who have combined forces to release holiday themed cover songs on their independent record label, distributed by Warner Music's ADA. In November and December, their ‘A Nostalgic Noel’ sampler managed to generate over 8,000,000 streams across Spotify and Apple Music. As a collective of artists, Sleighbelle have a great deal of respect for the original songwriters and producers who created these beloved holiday classics, and ask that you support them by streaming their original versions. Without songwriters like Edward Polo, George Wyle, Huge Martin, and Ralph Blane, we wouldn't have this music to interpret and cover. Thanks for listening to our labor of love, and make sure to follow us on our socials. - Dean Snowfield” 

They didn’t just appear this year: Third Bridge Creative, a music creative agency, noticed these artists dwelling in the uncanny valley last Christmas, too. “Is it a coincidence that each of their top songs match up with the respective iconic Christmas hits? Why would I ‘immerse [my]self in the enchanting world of Christmas music with Dean Snowfield’s’ low-key creepy Nostalgic Noel when I can put on The Dean Martin Christmas Album instead?,” they wrote.

These artists are still massively popular on Spotify, with hundreds of thousands of listeners each. The North Star Notesmiths and Dean Snowfield have a very similar male singer’s voice on several songs. Frosty Nights and Daniel & The Holly Jollies also sound awfully alike. They’re all signed by Warner Music’s ADA label, according to their Spotify bios—the “label services arm of Warner Music Group, breaking brand new artists and supporting industry legends,” according to the label’s site—so I’ve reached out to Warner Music to ask what is going on here and will update if I hear back. Spotify also did not respond to a request for comment. 

Getting sick of Spotify shoving obvious AI slop with ridiculous holiday band names into a Christmas Oldies playlist like nobody will notice. pic.twitter.com/pFHIvR85ZK

— em ☀️ sylvan kaleidoscope (@boxesofdoom) December 16, 2024

Again, it’s still not clear whether these artists are AI-generated or human, but a lot of people seem to think there’s something amiss. To make it all a little weirder, after I emailed ADA for comment, Dean Snowfield commented on one of my Instagram posts and said “Congrats on the book release!” I hadn’t interacted with, or found a way to reach out to, Snowfield at all prior to his comment. Snowfield’s Instagram account is private, and he keeps rejecting my requests to follow it. He has 36 followers and 3 posts. 

In the meantime, stay vigilant out there and Merry Christmas from a real human.
