Security

Samsung Galaxy S22 Hacked Again On Second Day of Pwn2Own (bleepingcomputer.com) 18

Contestants hacked the Samsung Galaxy S22 again during the second day of the consumer-focused Pwn2Own 2022 competition in Toronto, Canada. They also demoed exploits targeting zero-day vulnerabilities in routers, printers, smart speakers, and Network Attached Storage (NAS) devices from HP, NETGEAR, Synology, Sonos, TP-Link, Canon, Lexmark, and Western Digital. BleepingComputer reports: Security researchers representing the vulnerability research company Interrupt Labs were the ones to demonstrate a successful exploit against Samsung's flagship device on Wednesday. They executed an improper input validation attack and earned $25,000, 50% of the total cash award, because this was the third time the Galaxy S22 was hacked during the competition.

On the first day of Pwn2Own Toronto, the STAR Labs team and a contestant known as Chim demoed two other zero-day exploits as part of successful improper input validation attacks against the Galaxy S22. In all three cases, according to the contest rules, the devices ran the latest version of the Android operating system with all available updates installed.

The second day of Pwn2Own Toronto wrapped up with Trend Micro's Zero Day Initiative awarding $281,500 for 17 unique bugs across multiple categories. This brings the first two days of Pwn2Own total to $681,250 awarded for 46 unique zero-days, as ZDI's Head of Threat Awareness Dustin Childs revealed. The full schedule for Pwn2Own Toronto 2022's second day and the results for each challenge are available here. You can also find the complete schedule of the competition here.

Security

Samsung's Android App-Signing Key Has Leaked, is Being Used To Sign Malware (arstechnica.com) 23

Lukasz Siewierski, a member of Google's Android Security Team, has a post on the Android Partner Vulnerability Initiative (APVI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. From a report: The post is just a list of the keys, but running each one through APKMirror or Google's VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets. [...] Esper Senior Technical Editor Mishaal Rahman, as always, has been posting great info about this on Twitter. As he explains, having an app grab the same UID as the Android system isn't quite root access, but it's close and allows an app to break out of whatever limited sandboxing exists for system apps. These apps can directly communicate with (or, in the case of malware, spy on) other apps across your phone. Imagine a more evil version of Google Play Services, and you get the idea.
Android

Google Reports Decline In Android Memory Safety Vulnerabilities As Rust Usage Grows (9to5google.com) 23

Last year, Google announced Android Open Source Project (AOSP) support for Rust, and today the company provided an update, while highlighting the decline in memory safety vulnerabilities. 9to5Google reports: Google says the "number of memory safety vulnerabilities have dropped considerably over the past few years/releases." Specifically, the number of annual memory safety vulnerabilities fell from 223 to 85 between 2019 and 2022. They are now 35% of Android's total vulnerabilities versus 76% four years ago. In fact, "2022 is the first year where memory safety vulnerabilities do not represent a majority of Android's vulnerabilities."

That count is for "vulnerabilities reported in the Android security bulletin, which includes critical/high severity vulnerabilities reported through our vulnerability rewards program (VRP) and vulnerabilities reported internally." During that period, the amount of new memory-unsafe code entering Android has decreased: "Android 13 is the first Android release where a majority of new code added to the release is in a memory safe language."

Rust makes up 21% of all new native code in Android 13, including the Ultra-wideband (UWB) stack, DNS-over-HTTP3, Keystore2, Android's Virtualization framework (AVF), and "various other components and their open source dependencies." Google considers it significant that there have been "zero memory safety vulnerabilities discovered in Android's Rust code" so far across Android 12 and 13.
Google's blog post today also talks about non-memory-safety vulnerabilities, and its future plans: "... We're implementing userspace HALs in Rust. We're adding support for Rust in Trusted Applications. We've migrated VM firmware in the Android Virtualization Framework to Rust. With support for Rust landing in Linux 6.1 we're excited to bring memory-safety to the kernel, starting with kernel drivers."
Google

Google Takes Fight To Topple Record Fine Over Android To EU's Top Court 35

Google will take its appeal of the record $4.5 billion European Union antitrust fine over its dominance in the Android mobile market to the bloc's top court. From a report: The penalty hits at the heart of the US tech giant's power over the Android mobile-phone ecosystem, and in September judges at a lower court mostly sided with the European Commission's arguments but reduced the overall fine to $4.3 billion.
Android

OnePlus Beats Google With Four Years of Major OS Updates (arstechnica.com) 14

Android OEMs still don't provide the six years of updates you get with Apple phones, but some manufacturers are trying to close that gap. From a report: OnePlus is adding an extra year to its smartphone update promise and is now offering four years of major OS updates and five years of security updates. Timeline-wise, this plan matches Samsung's, though Samsung offers monthly security updates and OnePlus doesn't. The company is still only promising security updates every other month, so it can't do too much bragging. Android-maker Google -- who you'd think would have the best update plan -- is in a distant third, with only three years of OS updates and five years of security updates.
Christmas Cheer

Free Software Foundation Publishes Its 2022 'Ethical Tech Giving Guide' (fsf.org) 16

For the last thirteen years the Free Software Foundation has published its Ethical Tech Giving Guide, notes a recent FSF blog post. "The right to determine what a device you've purchased does or doesn't do is something too valuable to lose."

Or, as they put it in the guide: It's time to reclaim our freedom from the abuse of multinational corporations, who use proprietary software and malicious "antifeatures" to keep us powerless, dependent, and surveilled by the devices that we use. There's no time at which it's more important to turn these unfortunate facts into positive action than the holiday season.

The gifts that we recommend here might not be making headlines, but they're the rare exception to the apparent rule that devices should mistreat their users.

For technical users, the guide recommends pairing the FSF-sponsored Replicant, a fully-free distribution of Android, with the F-Droid app repository, which has hundreds of applications including Syncthing, Tor, Minetest, and Termux.

They also praise the X200 laptop, "one of the few home user devices that's able to run fully free software from top to bottom." With easy-to-repair hardware, it's the laptop most frequently used in the FSF's own office — just one of several freedom-respecting devices from Vikings. And there are shout-outs to MNT's Reform laptop, products from PINE64 and Purism, plus a freedom-respecting VPN, and a mini wifi adapter.

The guide even recommends places to buy DRM-free ebooks, including No Starch Press, Smashwords, Leanpub, Standard Ebooks, Nantucket E-Books, and Libreture (which also offers a storage solution). Meanwhile, for print books, there's the GNU Press Shop.

And it also recommends sources for DRM-free music (including Bandcamp, Emusic, the Smithsonian Institute's Folkways, the classic punk label Dischord, HDTracks, and Mutopia).

And it also tells you where to find free (as in freedom) films...
Google

Google Says Google and Other Android Manufacturers Haven't Patched Security Flaws (engadget.com) 19

Google has disclosed several security flaws for phones that have Mali GPUs, such as those with Exynos chipsets. From a report: The company's Project Zero team says it flagged the problems to ARM (which produces the GPUs) back in the summer. ARM resolved the issues on its end in July and August. However, smartphone manufacturers including Samsung, Xiaomi, Oppo and Google itself hadn't deployed patches to fix the vulnerabilities as of earlier this week, Project Zero said.

Researchers identified five new issues in June and July and promptly flagged them to ARM. "One of these issues led to kernel memory corruption, one led to physical memory addresses being disclosed to userspace and the remaining three led to a physical page use-after-free condition," Project Zero's Ian Beer wrote in a blog post. "These would enable an attacker to continue to read and write physical pages after they had been returned to the system." Beer noted that it would be possible for a hacker to gain full access to a system as they'd be able to bypass the permissions model on Android and gain "broad access" to a user's data. The attacker could do so by forcing the kernel to reuse the aforementioned physical pages as page tables.

Software

Frederick P. Brooks Jr., Computer Design Innovator, Dies at 91 16

Frederick P. Brooks Jr., whose innovative work in computer design and software engineering helped shape the field of computer science, died on Thursday at his home in Chapel Hill, N.C. He was 91. His death was confirmed by his son, Roger, who said Dr. Brooks had been in declining health since having a stroke two years ago. The New York Times reports: Dr. Brooks had a wide-ranging career that included creating the computer science department at the University of North Carolina and leading influential research in computer graphics and virtual reality. But he is best known for being one of the technical leaders of IBM's 360 computer project in the 1960s. At a time when smaller rivals like Burroughs, Univac and NCR were making inroads, it was a hugely ambitious undertaking. Fortune magazine, in an article with the headline "IBM's $5,000,000,000 Gamble," described it as a "bet the company" venture.

Until the 360, each model of computer had its own bespoke hardware design. That required engineers to overhaul their software programs to run on every new machine that was introduced. But IBM promised to eliminate that costly, repetitive labor with an approach championed by Dr. Brooks, a young engineering star at the company, and a few colleagues. In April 1964, IBM announced the 360 as a family of six compatible computers. Programs written for one 360 model could run on the others, without the need to rewrite software, as customers moved from smaller to larger computers. The shared design across several machines was described in a paper, written by Dr. Brooks and his colleagues Gene Amdahl and Gerrit Blaauw, titled "Architecture of the IBM System/360." "That was a breakthrough in computer architecture that Fred Brooks led," Richard Sites, a computer designer who studied under Dr. Brooks, said in an interview.

But there was a problem. The software needed to deliver on the IBM promise of compatibility across machines and the capability to run multiple programs at once was not ready, as it proved to be a far more daunting challenge than anticipated. Operating system software is often described as the command and control system of a computer. The OS/360 was a forerunner of Microsoft's Windows, Apple's iOS and Google's Android. At the time IBM made the 360 announcement, Dr. Brooks was just 33 and headed for academia. He had agreed to return to North Carolina, where he grew up, and start a computer science department at Chapel Hill. But Thomas Watson Jr., the president of IBM, asked him to stay on for another year to tackle the company's software troubles. Dr. Brooks agreed, and eventually the OS/360 problems were sorted out. The 360 project turned out to be an enormous success, cementing the company's dominance of the computer market into the 1980s.
"Fred Brooks was a brilliant scientist who changed computing," Arvind Krishna, IBM's chief executive and himself a computer scientist, said in a statement. "We are indebted to him for his pioneering contributions to the industry."

Dr. Brooks published a book in 1975 titled, "The Mythical Man-Month: Essays on Software Engineering." It was "a quirky classic, selling briskly year after year and routinely cited as gospel by computer scientists," reports the Times.
The Internet

Pale Moon Becomes First Browser To Support JPEG-XL Image Format (neowin.net) 96

Longtime Slashdot reader BenFenner writes: While Chromium recently abandoned the JPEG-XL format (to much discussion on the feature request), it seems the Pale Moon browser quietly became the first to release support for the much-awaited image format. For those unfamiliar with Pale Moon, it is a Goanna-based web browser available for Windows, Linux and Android, focusing on efficiency and ease of use. Pale Moon 31.4.0 also adds support for MacOS 13 "Ventura" and addresses a number of performance- and security-related issues. A full list of the changes/fixes is available in the release notes.

Support for JPEG-XL was confirmed on GitHub.
Android

Android TV Will Require App Bundles In 2023, Should Reduce App Size By 20% (arstechnica.com) 14

An anonymous reader quotes a report from Ars Technica: Google announced that Android's space-saving app file format, Android App Bundles (AABs), will finally be the standard on Android TV. By May 2023 -- that's in six months -- Google will require all Android TV apps to switch to the new file format, which can cut down on app storage requirements by 20 percent.

Android App Bundles were announced with Android 9 in 2018 as a way to save device storage by breaking an app up into modules, rather than one big monolithic APK (the old Android app format) with every possible piece of data. Android apps support a ton of different languages, display resolutions, and CPU architectures, but each individual device only needs to cherry-pick a few of those options to work. Android App Bundles integrate with the Play Store to create a dynamic delivery system for each module. Your phone communicates which modules it needs to the Play Store, and Google's servers bundle up an appropriate package and send it to your device. It's even possible for developers to move some lesser-used app functionality into a bundle that can be downloaded on the fly if a user needs it. [...]

Google says Android App Bundles average around a 20 percent space savings compared to a monolithic APK, which will be a huge help for these storage-starved devices. Since 2021, they have been the required standard for phones and tablets, and in six months, TV apps will be required to use them, too. Developers who don't switch in time will have their TV apps hidden from search, so they'd better get to work! Google estimates that "in most cases it will take one engineer about three days to migrate."

United Kingdom

UK Confirms Antitrust Probe Into Android-iOS 'Mobile Duopoly' (techcrunch.com) 36

The UK's antitrust watchdog has moved to deepen its scrutiny of the Apple and Google mobile duopoly -- kicking off an in-depth investigation into elements of the pair's mobile ecosystem dominance by probing their approach toward rival mobile browsers and cloud gaming services which it's concerned could be restricting competition and harming consumers. From a report: The move follows a market study conducted by the Competition and Markets Authority (CMA) last year that led to a final report this summer which concluded there are substantial competition concerns -- with the regulator finding the tech giants have what it described as "an effective duopoly on mobile ecosystems that allows them to exercise a stranglehold over operating systems, app stores and web browsers on mobile devices."

At the same time, the CMA proposed to undertake what's known as a market investigation reference (MIR) with two points of focus: One looking at Apple's and Google's market power in mobile browsers; and another probing Apple's restrictions on cloud gaming through its App Store. That proposal for an MIR kicked off a standard consultation process, with the regulator seeking feedback on the scope of its proposed probe, and today it's confirmed the decision to make a market investigation -- opening what's referred to as a 'Phase 2' (in-depth) investigation which could take up to 18 months to complete. The probe will focus on the supply of mobile browsers and browser engines; and the distribution of cloud gaming services through app stores on mobile devices, the CMA said today.

The Courts

Epic Says Google Paid Activision Millions Not To Launch Rival App Store (cnet.com) 16

An anonymous reader quotes a report from CNET: Fortnite developer Epic Games said Google paid the equivalent of $360 million to Call of Duty developer Activision Blizzard as part of a broad agreement that included a promise the gaming giant would not create a rival app store. The move, Epic said, helped solidify Google's hold on phones and tablets powered by its Android software. In the filing, newly unredacted Thursday, Epic said Google paid other developers in a similar way to Activision. Epic cited an agreement Google struck with Tencent, the Chinese company that owns League of Legends developer Riot Games, giving it about $30 million over one year. Like Activision, that money too was part of a larger agreement for Riot to maintain its Google-powered games and spend money promoting them as part of Android.

Google and Activision Blizzard both denied Epic's allegations about competing app stores. Google said the agreements are designed to provide incentives for developers to create apps for Google Play. "Epic is mischaracterizing business conversations," a Google spokesperson said in a statement. "It does not prevent developers from creating competing app stores, as Epic falsely alleges." Activision, for its part, said Google never "asked us, pressured us, or made us agree not to compete with Google Play." Activision is in the midst of being acquired by software giant Microsoft for $68.7 billion. [...] The filing is the latest allegation in Epic's ongoing lawsuit against Google, which it accuses of operating a monopoly with Google Play, which sells apps for Android. Epic's ongoing lawsuit is similar to another battle it's waging against Apple and its App Store over similar concerns of monopolistic practices. In both cases, Epic is pushing the companies to reduce the control they exert over their respective platforms, both in terms of how phone and tablet owners pay for apps and where to download them from.

It's unclear whether Epic's argument that Google paid developers to not compete will win in an eventual court case. Epic said in its complaint that "Google understood" the agreement would mean that Activision would "abandon its plans to launch a competing app store, and Google intended this result." But Armin Zerza, now Activision Blizzard's finance chief, said in one of the court filings that the company chose not to launch a rival app store because of the risk of failure, in addition to costs for development and marketing. When asked about entering a deal with Google that "accomplished your objectives," Zerza said that the Activision Blizzard board approved a deal with the Android maker because it "created multi-hundred-million dollars of value for us across multiple ecosystems." If Activision is ultimately purchased by Microsoft though, it may end up helping create an app store after all. Microsoft told regulators in October that it intends to build its own mobile app store to rival Google and Apple. Activision's deep library of popular games, including Candy Crush Saga and World of Warcraft, will be a key part of that effort.
"Epic's allegations are nonsense," an Activision representative said in a statement sent to PC Gamer. "We can confirm that Google never asked us, pressured us, or made us agree not to compete with Google Play -- and we've already submitted documents and testimony that prove this."
Google

Google Rolls Out New Features Across Maps, Search and Shopping (techcrunch.com) 25

Google announced today that it's introducing a slew of new Maps, Search and Shopping features. The company revealed a majority of the new features during its Search On event in September and is now starting to roll them out to users. TechCrunch reports:

Search
Starting today, users will be able to use Search to find their favorite dish at a restaurant near them. For example, you can search "truffle mac and cheese near me" to see which nearby restaurants carry the dish on their menu. Once you find a specific dish that you're looking for, you can get more information about its price, ingredients and more. Another new Search functionality lets you use Google's multisearch feature to find specific food near you. Say you see something tasty-looking online, but don't know what it is or where to find it. You can now use Lens in the Google app for Android or iOS to snap a picture or take a screenshot of a dish and add the words "near me" to find a place that sells it nearby. Later this year, Google is going to roll out an update to its Lens AR Translate capabilities so users can more seamlessly translate text on complex backgrounds. Instead of covering up the original text like it currently does, Google is going to erase the text and re-create the pixels underneath with an AI-generated background, and then overlay the translated text on top of the image.

Maps
As for the new Maps features, Google is launching a new visual search experience called Live View in London, Los Angeles, New York, Paris, San Francisco and Tokyo. [...] In addition to displaying information about where places are, users will be able to see key information about each spot overlaid, such as whether the location is busy, if it's open, what the price range is, etc. Another new Maps feature makes it easier for EV owners to find the best charging station for their vehicle. Now, you can search for "EV charging stations" and select the "fast charge" filter. You can also filter for stations that offer your EV's plug type. Google also announced that it's expanding its "accessible places" feature globally after initially launching it in the U.S., Australia, Japan and the U.K. in 2020. The feature is designed to help people determine whether a place is wheelchair accessible.

Shopping
Google has announced a new AR shopping feature that is designed to make it easier to find your exact foundation match. The company says its new photo library features 148 models representing a diverse spectrum of skin tones, ages, genders, face shapes, ethnicities and skin types. As a result, it should be easier for shoppers to better visualize what different products will look like on them. [...] Users can now also shop for shoes using AR.

Android

DuckDuckGo's Anti-Tracking Android Tool Could Be 'Even More Powerful' Than iOS (arstechnica.com) 31

An anonymous reader quotes a report from Ars Technica: Privacy-focused search site DuckDuckGo has added yet another way to prevent more of your data from going to advertisers, opening its App Tracking Protection for Android to beta testers. DuckDuckGo is positioning App Tracking Protection as something like Apple's App Tracking Transparency for iOS devices, but "even more powerful." Enabling the service in the DuckDuckGo app for Android (under the "More from DuckDuckGo" section) installs a local VPN service on your phone, which can then start automatically blocking trackers on DDG's public blocklist. DuckDuckGo says this happens "without sending app data to DuckDuckGo or other remote servers."

Google recently gave Android users some native tools to prevent wanton tracking, including app-by-app location-tracking approval and a limited native ad-tracking opt-out. Apple's App Tracking Transparency asks if users want to block apps from accessing the Identifier for Advertisers (IDFA), but apps can still use the largest tracking networks across many apps to better profile app users. Allison Goodman, senior communications manager for DuckDuckGo, told Ars Technica that App Tracking Protection needs Android's VPN permission so it can monitor network traffic. When it recognizes a tracker from its blocklist, it "looks at the destination domain for any outbound request and blocks them if they are in our blocklist and the requesting app is not owned by the same company that owns the domain." Goodman added that "much of the data collected by trackers is not controlled by [Android] permissions," making App Tracking Protection a complementary offering.

Security

Netflix Gives Account Holders the Ability To Kick Freeloaders (arstechnica.com) 30

Netflix has introduced a new account management page called "Manage Access and Devices" that gives users the ability to remove access privileges from specific devices. The feature is available on the web and in the streaming service's Android and iOS apps. Ars Technica reports: Previously, users could see a list of devices that had recently accessed their accounts, and they could revoke access to all devices simultaneously, but they could not revoke access on a case-by-case basis. Each item in the list of devices will include an IP address-based location, a device type, and the user profile that most recently accessed Netflix from that device.

Netflix describes it as a security feature, in that it's useful to users who don't share their passwords at all. For example, you now have a way to clean up after yourself if you stayed at an Airbnb and signed into your Netflix account on the smart TV there but forgot to sign out before you left. Further, the page could help you identify if someone has gained access to your account via a compromised password.

The Courts

Epic Strikes Back At Apple's iOS 'Security' Defense In Appeals Court (arstechnica.com) 98

An anonymous reader quotes a report from Ars Technica: It has been over a year now since a US District Court ruled that Apple did not violate antitrust law by forcing iOS developers (like plaintiff and Fortnite-maker Epic Games) to use its App Store and in-app payments systems. But that doesn't mean the case is settled, as both sides demonstrated Monday during oral arguments in front of the 9th Circuit Court of Appeals. The hearing was full of arcane discussion of legal standards and procedures for reviewing the case and its precedents, as well as input from state and federal governments on how the relevant laws should be interpreted. In the end, though, the core arguments before the appeals court once again centered on issues of walled gardens, user lock-in, and security versus openness in platform design.

In defending Apple's position, counsel Mark Perry argued that the company's restraints on iOS app distribution were put in place from the beginning to protect iPhone users. Based on its experience managing software security and privacy on Macs, Apple decided it "did not want the phone to be like a computer. Computers are buggy, they crash, they have problems. They wanted the phone to be better." If the Mac App Store was the equivalent of a lap belt, the iOS App Store, with its costly human review system, is "a six-point racing harness," Perry said. "It's safer. They're both safe, but it's safer." While Epic argued that the iPhone's walled garden "only keeps out competition," Perry shot back that "what's kept out by walled gardens is fraudsters and pornsters and hackers and malware and spyware and foreign governments..." Providing superior user safety, Perry said, is a key "non-price feature" that helps set the iPhone apart from its Android-based competition. Users who want the more open system that Epic is fighting for can already buy an Android phone and choose from a variety of App Stores, Perry said. By doing so, though, those users "open themselves up to more intrusion" compared to an iPhone, he argued. Those kinds of "pro-competitive" security features Apple offers with its App Store restrictions legally outweigh the "minor anti-competitive effects" iOS app developers face on the platform, Perry said.

[...] Apple's Perry argued that Epic presented "no data or empirical evidence" to show that users felt locked in to Apple's app ecosystem. Epic failed to commission the usual survey that would show users were worried about switching costs or information costs in a case like this, Perry said, a "failure of proof" that he said obviates all other technical legal claims. At the same time, Perry said Epic carefully "crafted a market definition only fitting Google and Apple" in arguing its case and has not been able to bring in other developers to support a class action. Epic "didn't want to pick a fight with the consoles, didn't want to pick a fight with Microsoft," he said, despite similarities in the "walled garden" approaches in those markets. The three-judge appeals panel betrayed little as to which arguments it favored during Monday's hearing, offering pointed questions for both sides. A ruling in the appeals case is expected sometime next year.

Security

A Simple Android Lock Screen Bypass Bug Landed a Researcher $70,000 (techcrunch.com) 20

Google has paid out $70,000 to a security researcher for privately reporting an "accidental" security bug that allowed anyone to unlock Google Pixel phones without knowing the passcode. From a report: The lock screen bypass bug, tracked as CVE-2022-20465, is described as a local escalation of privilege bug because it allows someone, with the device in their hand, to access the device's data without having to enter the lock screen's passcode. Hungary-based researcher David Schutz said the bug was remarkably simple to exploit but took Google about five months to fix.

Schutz discovered anyone with physical access to a Google Pixel phone could swap in their own SIM card and enter its preset recovery code to bypass the Android operating system's lock screen protections. In a blog post about the bug, published now that the bug is fixed, Schutz described how he found the bug accidentally, and reported it to Google's Android team.

Social Networks

Reddit Now Lets You Mute Subreddits You Don't Like (arstechnica.com) 45

In a post to /r/reddit, Reddit announced that it began rolling out a feature that will allow users to mute specific communities that contain content they don't want to see. Ars Technica reports: If you mute a subreddit using this feature, posts from it won't show up in your notifications, home feed recommendations, or Popular, Reddit's feed of the most upvoted content from across its various communities. Later, Reddit plans to apply muting to other places like "All" and "Discover." Muting a community won't stop you from being able to visit or post in it, though. You can mute up to 1,000 communities and tweak your muted list at any time in Settings. The report notes that this new muting feature is only available in Reddit's iOS and Android apps for now. For updates on availability, Reddit directs users to their changelog feed.
Google

Google Says Surveillance Vendor Targeted Samsung Phones With Zero-Days (techcrunch.com) 5

Google says it has evidence that a commercial surveillance vendor was exploiting three zero-day security vulnerabilities found in newer Samsung smartphones. From a report: The vulnerabilities, discovered in Samsung's custom-built software, were used together as part of an exploit chain to target Samsung phones running Android. The chained vulnerabilities allow an attacker to gain kernel read and write privileges as the root user, and ultimately expose a device's data. Google Project Zero security researcher Maddie Stone said in a blog post that the exploit chain targets Samsung phones with an Exynos chip running a specific kernel version. Samsung phones are sold with Exynos chips primarily across Europe, the Middle East, and Africa, which is likely where the targets of the surveillance are located.

Stone said Samsung phones running the affected kernel at the time include the S10, A50, and A51. The flaws, since patched, were exploited by a malicious Android app, which the user may have been tricked into installing from outside of the app store. The malicious app allows the attacker to escape the app sandbox designed to contain its activity, and access the rest of the device's operating system. Only a component of the exploit app was obtained, Stone said, so it isn't known what the final payload was, even if the three vulnerabilities paved the way for its eventual delivery.

Android

Google Play To Pilot Third-Party Billing in New Markets Including US (techcrunch.com) 14

Google today announced it's expanding its user choice billing pilot, which allows Android app developers to use other payment systems besides Google's own. The program will now become available to new markets, including the U.S., Brazil and South Africa, and Bumble will now join Spotify as one of the pilot testers. From a report: Google additionally announced Spotify will now begin rolling out its implementation of the program starting this week. The company had first announced its intention to launch a third-party billing option back in March of this year, with Spotify as the initial tester. Since then, the program has steadily expanded. Last month, for example, Google invited other non-game developers to apply for the user choice billing program in select markets, including India, Australia, Indonesia, Japan and the European Economic Area (EEA). The company also introduced a similar policy for developers in the EEA region in July, but the new guidelines raised the commission discount from 3% to 4% for developers who opted in. With today's expansion, user choice billing will be made available to 35 countries worldwide. Google says it's been working with Spotify to help develop the experience and now the streaming music service will begin to put the new features into action in supported markets. The experience could still change over time, Google warned, as this is still the early days of the pilot test.
