Researchers say that nearly 336,000 devices exposed to the Internet remain vulnerable to a critical vulnerability in firewalls sold by Fortinet because admins have yet to install patches the company released three weeks ago.
CVE-2023-27997 is a remote code execution in Fortigate VPNs, which are included in the company’s firewalls. The vulnerability, which stems from a heap overflow bug, has a severity rating of 9.8 out of 10. Fortinet released updates silently patching the flaw on June 8 and disclosed it four days later in an advisory that said it may have been exploited in targeted attacks. That same day, the US Cybersecurity and Infrastructure Security Administration added it to its catalog of known exploited vulnerabilities and gave federal agencies until Tuesday to patch it.
Despite the severity and the availability of a patch, admins have been slow to fix it, researchers said.
Since last year, a group of artists have been using an AI image generator called Midjourney to create still photos of films that don't exist. They call the trend "AI cinema." We spoke to one of its practitioners, Julie Wieland, and asked her about her technique, which she calls "synthography," for synthetic photography.
Last year, image synthesis models like DALL-E 2, Stable Diffusion, and Midjourney began allowing anyone with a text description (called a "prompt") to generate a still image in many different styles. The technique has been controversial among some artists, but other artists have embraced the new tools and run with them.
While anyone with a prompt can make an AI-generated image, it soon became clear that some people possessed a special talent for finessing these new AI tools to produce better content. As with painting or photography, the human creative spark is still necessary to produce notable results consistently.
When a London man discovered the front left-side bumper of his Toyota RAV4 torn off and the headlight partially dismantled not once but twice in three months last year, he suspected the acts were senseless vandalism. When the vehicle went missing a few days after the second incident, and a neighbor found their Toyota Land Cruiser gone shortly afterward, he discovered they were part of a new and sophisticated technique for performing keyless thefts.
It just so happened that the owner, Ian Tabor, is a cybersecurity researcher specializing in automobiles. While investigating how his RAV4 was taken, he stumbled on a new technique called CAN injection attacks.
Tabor began by poring over the “MyT” telematics system that Toyota uses to track vehicle anomalies known as DTCs (Diagnostic Trouble Codes). It turned out his vehicle had recorded many DTCs around the time of the theft.
On Thursday, OpenAI announced a plugin system for its ChatGPT AI assistant. The plugins give ChatGPT the ability to interact with the wider world through the Internet, including booking flights, ordering groceries, browsing the web, and more. Plugins are bits of code that tell ChatGPT how to use an external resource on the Internet.
Basically, if a developer wants to give ChatGPT the ability to access any network service (for example: "looking up current stock prices") or perform any task controlled by a network service (for example: "ordering pizza through the Internet"), it is now possible, provided it doesn't go against OpenAI's rules.
Conventionally, most large language models (LLM) like ChatGPT have been constrained in a bubble, so to speak, only able to interact with the world through text conversations with a user. As OpenAI writes in its introductory blog post on ChatGPT plugins, "The only thing language models can do out-of-the-box is emit text."
If you've been thinking your home or workspace is perhaps deficient when it comes to old Apple hardware, then I have some good news for you. Next week, a massive trove of classic Apple computing history goes under the hammer when the auction house Julien's Auctions auctions off the Hanspeter Luzi collection of more than 500 Apple computers, parts, software, and the occasional bit of ephemera.
Ars reported on the auction in February, but Julien's Auctions has posted the full catalog ahead of the March 30 event, and for Apple nerds of a certain age, there will surely be much to catch your eye.
The earliest computers in the collection are a pair of Commodore PET 2001s; anyone looking for a bargain on an Apple 1 will have to keep waiting, unfortunately.
ChatGPT might well be the most famous, and potentially valuable, algorithm of the moment, but the artificial intelligence techniques used by OpenAI to provide its smarts are neither unique nor secret. Competing projects and open source clones may soon make ChatGPT-style bots available for anyone to copy and reuse.
Stability AI, a startup that has already developed and open-sourced advanced image-generation technology, is working on an open competitor to ChatGPT. “We are a few months from release,” says Emad Mostaque, Stability’s CEO. A number of competing startups, including Anthropic, Cohere, and AI21, are working on proprietary chatbots similar to OpenAI’s bot.
In a world where millions of people carry a 1990s-grade supercomputer in their pockets, it's fun to revisit tech from a time when a 1 megahertz machine on a desktop represented a significant leap forward. Recently, a collector named Brian Green showed off his vintage computer collection on Twitter, and we thought it would be fun to ask him about why and how he set up his at-home computer lab.
By day, Green works as a senior systems engineer based in Arkansas. But in his off hours, "Ice Breaker" (as he's often known online) focuses his passion on a vintage computer collection that he has been building for decades—and a bulletin board system (BBS) called "Particles" he has been running since 1992.
Green's interest in computers dates back to 1980, when he first used an Apple II+ at elementary school. "My older sister brought home a printout from a BASIC program she was working on, and I was fascinated that you could tell a computer what to do using something that resembled English," recalls Green. "Once I realized you could code games, I was hooked."
Threat actors connected to the North Korean government have been targeting security researchers in a hacking campaign that uses new techniques and malware in hopes of gaining a foothold inside the companies the targets work for, researchers said.
Researchers from security firm Mandiant said on Thursday that they first spotted the campaign last June while tracking a phishing campaign targeting a US-based customer in the technology industry. The hackers in this campaign attempted to infect targets with three new malware families, dubbed by Mandiant as Touchmove, Sideshow, and Touchshift. The hackers in these attacks also demonstrated new capabilities to counter endpoint detection tools while operating inside targets’ cloud environments.
“Mandiant suspects UNC2970 specifically targeted security researchers in this operation,” Mandiant researchers wrote.
When you first start messing with the command line, it can feel like there's an impermeable wall between the local space you're messing around in and the greater Internet. On your side, you've got your commands and files, and beyond the wall, there are servers, images, APIs, webpages, and more bits of useful, ever-changing data. One of the most popular ways through that wall has been cURL, or "client URL," which turns 25 this month.
The cURL tool started as a way for programmer Daniel Stenberg to let Internet Chat Relay users quickly fetch currency exchange rates while still inside their chat window. As detailed in an archived history of the project, it was originally built off an existing command-line tool, httpget, built by Rafael Sagula. A 1.0 version was released in 1997, then changed names to urlget by 2.0, as it had added in GOPHER, FTP, and other protocols. By 1998, the tool could upload as well as download, and so version 4.0 was named cURL.
Over the next few years, cURL grew to encompass nearly every Internet protocol, work with certificates and encryption, offer bindings for more than 50 languages, and be included in most Linux distributions and other systems. The cURL project now encompasses both the command-line command itself and the libcurl library. In 2020, the project's history estimated the command and library had been installed in more than 10 billion instances worldwide.
Update, 4:36pm: Microsoft has updated its post to indicate that the "ground up" redesign coming for the Mac version of Outlook will continue to be a "native Mac app," and not a "Progressive Web App (PWA)" like the one the company is testing in Windows. We've updated the article accordingly. We've also added a reference to the free version of Outlook being ad-supported.
Original story: Microsoft is making the Outlook for Mac app free to use, the company announced this week. Previously available with a Microsoft 365 account or as part of the Office for Mac app suite, the Outlook app is downloadable from the Mac App Store and works with Outlook.com, Gmail, iCloud, Yahoo, and plain old IMAP and POP email accounts. The free version of Outlook will look and work mostly the same way as the paid version, but it will be ad supported.
Microsoft already offers a free version of the Outlook client for iOS and Android, and it's currently testing a preview of a redesigned Outlook app that will replace the free built-in Mail and Calendar apps that ship with Windows 11.
Researchers have uncovered advanced malware that’s turning business-grade routers into attacker-controlled listening posts that can sniff email and steal files in an ongoing campaign hitting North and South America and Europe.
Besides passively capturing IMAP, SMTP, and POP email, the malware also backdoors routers with a remote-access Trojan that allows the attackers to download files and run commands of their choice. The backdoor also enables attackers to funnel data from other servers through the router, turning the device into a covert proxy for concealing the true origin of malicious activity.
“This type of agent demonstrates that anyone with a router who uses the Internet can potentially be a target—and they can be used as proxy for another campaign—even if the entity that owns the router does not view themselves as an intelligence target,” researchers from security firm Lumen’s Black Lotus Labs wrote. “We suspect that threat actors are going to continue to utilize multiple compromised assets in conjunction with one another to avoid detection.”
On Monday, Microsoft bundled ChatGPT-style AI technology into its Power Platform developer tool and Dynamics 365, Reuters reports. Affected tools include Power Virtual Agent and AI Builder, both of which have been updated to include GPT large language model (LLM) technology created by OpenAI.
The move follows the trend among tech giants such as Alphabet and Baidu to incorporate generative AI technology into their offerings—and of course, the multi-billion dollar partnership between OpenAI and Microsoft announced in January.
Microsoft's Power Platform is a development tool that allows the creation of apps with minimal coding. Its updated Power Virtual Agent allows businesses to point an AI bot at a company website or knowledge base and then ask it questions, which it calls Conversation Booster. "With the conversation booster feature, you can use the data source that holds your single source of truth across many channels through the chat experience, and the bot responses are filtered and moderated to adhere to Microsoft’s responsible AI principles," writes Microsoft in a blog post.
Twitter's revenue and adjusted earnings reportedly fell about 40 percent year over year in December 2022 amid an advertiser exodus following Elon Musk's takeover.
Twitter no longer reports earnings publicly since Musk bought the company and took it private in late October. But Twitter reported the December 2022 revenue and earnings declines in an update to investors, according to "people familiar with the matter" cited in a Wall Street Journal report on Friday.
Many big companies cut advertising spending on Twitter shortly after Musk's acquisition, largely over concerns about content moderation. Twitter offered special deals to advertisers throughout December 2022, but it wasn't enough to prevent the 40 percent revenue and earnings declines.
Twitter suffered an embarrassing technology failure today that temporarily broke links to outside websites and even to Twitter's own webpages. The problem lasted for about 45 minutes or so.
In our tests, clicking any link brought up this error message:
{"errors":[{"message":"Your current API plan does not include access to this endpoint, please see https://developer.twitter.com/en/docs/twitter-api for more information","code":467}]}
Clicking that developer link didn't clear anything up while the problem was still happening because it brought up the same API error message. In addition to news articles and other outbound links, the error message appeared when we tried to click Twitter's terms of service, privacy policy, cookie policy, and other similar pages. Some images embedded in tweets were broken, and there were reports of TweetDeck being broken too.
Researchers on Wednesday announced a major cybersecurity find—the world’s first-known instance of real-world malware that can hijack a computer’s boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.
Dubbed BlackLotus, the malware is what’s known as a UEFI bootkit. These sophisticated pieces of malware hijack the UEFI—short for Unified Extensible Firmware Interface—the low-level and complex chain of firmware responsible for booting up virtually every modern computer. As the mechanism that bridges a PC’s device firmware with its operating system, the UEFI is an OS in its own right. It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch.
Because the UEFI is the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows. These traits make the UEFI the perfect place to launch malware. When successful, UEFI bootkits disable OS security mechanisms and ensure that a computer remains infected with stealthy malware that runs at the kernel mode or user mode, even after the operating system is reinstalled or a hard drive is replaced.
On Wednesday, Microsoft employee Mike Davidson announced that the company has rolled out three distinct personality styles for its experimental AI-powered Bing Chat bot: Creative, Balanced, or Precise. Microsoft has been testing the feature since February 24 with a limited set of users. Switching between modes produces different results that shift its balance between accuracy and creativity.
Bing Chat is an AI-powered assistant based on an advanced large language model (LLM) developed by OpenAI. A key feature of Bing Chat is that it can search the web and incorporate the results into its answers.
Microsoft announced Bing Chat on February 7, and shortly after going live, adversarial attacks regularly drove an early version of Bing Chat to simulated insanity, and users discovered the bot could be convinced to threaten them. Not long after, Microsoft dramatically dialed back Bing Chat's outbursts by imposing strict limits on how long conversations could last.
The Biden administration on Thursday pushed for new mandatory regulations and liabilities to be imposed on software makers and service providers in an attempt to shift the burden of defending US cyberspace away from small organizations and individuals.
"The most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem,” administration officials wrote in a highly anticipated updated National Cybersecurity Strategy document. “Today, end users bear too great a burden for mitigating cyber risks. Individuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities, yet these actors’ choices can have a significant impact on our national cybersecurity."
The 39-page document cited recent ransomware attacks that have disrupted hospitals, schools, government services, pipeline operations, and other critical infrastructure and essential services. One of the most visible such attacks occurred in 2021 with a ransomware attack on the Colonial Pipeline, which delivers gasoline and jet fuel to much of the Southeastern US. The attack shut down the vast pipeline for several days, prompting fuel shortages in some states.
David Wakeling, head of London-based law firm Allen & Overy's markets innovation group, first came across law-focused generative AI tool Harvey in September 2022. He approached OpenAI, the system’s developer, to run a small experiment. A handful of his firm’s lawyers would use the system to answer simple questions about the law, draft documents, and take first passes at messages to clients.
The trial started small, Wakeling says, but soon ballooned. Around 3,500 workers across the company’s 43 offices ended up using the tool, asking it around 40,000 queries in total. The law firm has now entered into a partnership to use the AI tool more widely across the company, though Wakeling declined to say how much the agreement was worth. According to Harvey, one in four at Allen & Overy’s team of lawyers now uses the AI platform every day, with 80 percent using it once a month or more. Other large law firms are starting to adopt the platform too, the company says.
The rise of AI and its potential to disrupt the legal industry has been forecast multiple times before. But the rise of the latest wave of generative AI tools, with ChatGPT at its forefront, has those within the industry more convinced than ever.
One side effect of unlimited content-creation machines—generative AI—is unlimited content. On Monday, the editor of the renowned sci-fi publication Clarkesworld Magazine announced that he had temporarily closed story submissions due to a massive increase in machine-generated stories sent to the publication.
In a graph shared on Twitter, Clarkesworld editor Neil Clarke tallied the number of banned writers submitting plagiarized or machine-generated stories. The numbers totaled 500 in February, up from just over 100 in January and a low baseline of around 25 in October 2022. The rise in banned submissions roughly coincides with the release of ChatGPT on November 30, 2022.
A graph provided by Neil Clarke of Clarkesworld Magazine: "This is the number of people we've had to ban by month. Prior to late 2022, that was mostly plagiarism. Now it's machine-generated submissions." (credit: Neil Clarke)
Large language models (LLM) such as ChatGPT have been trained on millions of books and websites and can author original stories quickly. They don't work autonomously, however, and a human must guide their output with a prompt that the AI model then attempts to automatically complete.
A human player has comprehensively defeated a top-ranked AI system at the board game Go, in a surprise reversal of the 2016 computer victory that was seen as a milestone in the rise of artificial intelligence.
Kellin Pelrine, an American player who is one level below the top amateur ranking, beat the machine by taking advantage of a previously unknown flaw that had been identified by another computer. But the head-to-head confrontation in which he won 14 of 15 games was undertaken without direct computer support.
The triumph, which has not previously been reported, highlighted a weakness in the best Go computer programs that is shared by most of today’s widely used AI systems, including the ChatGPT chatbot created by San Francisco-based OpenAI.