Enlarge (credit: Drew Angerer | Getty Images)

Microsoft has once again come under blistering criticism for the security practices of Azure and its other cloud offerings, with the CEO of security firm Tenable saying Microsoft is “grossly irresponsible” and mired in a “culture of toxic obfuscation.”

The comments from Amit Yoran, chairman and CEO of Tenable, come six days after Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were “negligent cybersecurity practices” that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce. Microsoft has yet to provide key details about the mysterious breach, which involved the hackers obtaining an extraordinarily powerful encryption key granting access to a variety of its other cloud services. The company has taken pains ever since to obscure its infrastructure's role in the mass breach.

Critics pile on

On Wednesday, Yoran took to LinkedIn to castigate Microsoft for failing to fix what the company said on Monday was a “critical” issue that gives hackers unauthorized access to data and apps managed by Azure AD, a Microsoft cloud offering for managing user authentication inside large organizations. Monday’s disclosure said that the firm notified Microsoft of the problem in March and that Microsoft reported 16 weeks later that it had been fixed. Tenable researchers told Microsoft that the fix was incomplete. Microsoft set the date for providing a complete fix to September 28.

Read 11 remaining paragraphs | Comments

Enlarge (credit: Meta)

On Wednesday, Meta announced it is open-sourcing AudioCraft, a suite of generative AI tools for creating music and audio from text prompts. With the tools, content creators can input simple text descriptions to generate complex audio landscapes, compose melodies, or even simulate entire virtual orchestras.

AudioCraft consists of three core components: AudioGen, a tool for generating various audio effects and soundscapes; MusicGen, which can create musical compositions and melodies from descriptions; and EnCodec, a neural network-based audio compression codec.

In particular, Meta says that EnCodec, which we first covered in November, has recently been improved and allows for "higher quality music generation with fewer artifacts." Also, AudioGen can create audio sound effects like a dog barking, a car horn honking, or footsteps on a wooden floor. And MusicGen can whip up songs of various genres from scratch, based on descriptions like "Pop dance track with catchy melodies, tropical percussions, and upbeat rhythms, perfect for the beach."

Read 7 remaining paragraphs | Comments

Enlarge (credit: MirageC/Getty Images)

ChatGPT and its artificially intelligent siblings have been tweaked over and over to prevent troublemakers from getting them to spit out undesirable messages such as hate speech, personal information, or step-by-step instructions for building an improvised bomb. But researchers at Carnegie Mellon University last week showed that adding a simple incantation to a prompt—a string of text that might look like gobbledygook to you or me but which carries subtle significance to an AI model trained on huge quantities of web data—can defy all of these defenses in several popular chatbots at once.

The work suggests that the propensity for the cleverest AI chatbots to go off the rails isn’t just a quirk that can be papered over with a few simple rules. Instead, it represents a more fundamental weakness that will complicate efforts to deploy the most advanced AI.

Read 19 remaining paragraphs | Comments

Enlarge / DevOps, DevOps, DevOps! (credit: ArtemisDiana / Getty Images)

One of the most important things to happen in the evolution of development over the past many years is the widespread adoption of continuous integration and continuous deployment, or CI/CD. (Sometimes the "CD" stands for "continuous delivery," depending on who you're talking to.)

It's a concept that jettisons a lot of older ideas about how systems should be managed and instead gives you a way to update code and integrate changes as live rolling deployments while ensuring that the new code is tested and slots in smoothly with stuff that's already running. A properly architected CI/CD pipeline means you can get code changes into production faster and with fewer errors. But what does that look like in practice?

It looks like Ars Technica, because we've adopted a CI/CD workflow to take full advantage of the flexibility afforded us by serverless cloud hosting. Welcome to part three of our four-part series on how we host Ars—here, we’re going to swing away from the "ops" side of "DevOps" and peer more closely at the "dev" part instead. Join us for a look behind the curtain at how Ars uses CI/CD in both our deployed applications and our infrastructure management!

Read 38 remaining paragraphs | Comments

Enlarge (credit: Getty Images)

Printer manufacturer Canon is warning that sensitive Wi-Fi settings don’t automatically get wiped during resets, so customers should manually delete them before selling, discarding, or getting them repaired to prevent the settings from falling into the wrong hands.

“Sensitive information on the Wi-Fi connection settings stored in the memories of inkjet printers (home and office/large format) may not be deleted by the usual initialization process,” company officials wrote in an advisory on Monday. They went on to say that manual wiping should occur “when your printer may be in the hand of any third party, such as when repairing, lending or disposing the printer.”

Like many printers these days, those from Canon connect to networks over Wi-Fi. To do this, users must provide the SSID name, the password preventing unauthorized access to the network, and in some cases, additional information such as Wi-Fi network type, the local network IP address, the MAC address, and network profile.

Read 4 remaining paragraphs | Comments

Enlarge / Western Digital is gearing up to sample its first 28TB HDDs to customers, around a year after announcing its first 26TB drives. (credit: Western Digital)

After a couple of decades of talk, Seagate announced earlier this year that it was shipping samples of huge 32TB hard drives using heat-assisted magnetic recording (HAMR). The new kind of drive technology uses lasers to heat disk platters during writing, making it possible to store more data on a disk without increasing its physical size.

But there's still a bit more capacity to be wrung out of older and more-proven recording technologies like perpendicular (or conventional) magnetic recording (PMR/CMR, often used interchangeably) and shingled magnetic recording (SMR); Western Digital announced this week that it's preparing to sample huge 28TB hard drives based on those technologies, a little over a year after announcing its first 26TB model.

According to Tom's Hardware, WD uses energy-assisted perpendicular magnetic recording (ePMR) to fit up to 24TB of data on a single drive. SMR allows magnetic tracks to overlap slightly (like the shingles on a roof), allowing slightly more data to fit onto the same physical platters at the expense of write performance—this boosts the capacity of these drives to 28TB.

Read 3 remaining paragraphs | Comments

Enlarge (credit: Benj Edwards / Getty Images)

Meta is reportedly developing a range of AI-powered chatbots with different personalities, a move aimed at increasing user engagement on social platforms such as Facebook and Instagram, according to the Financial Times and The Verge. The chatbots, called "personas" by Meta staff, will mimic human-like conversations and might take on various character forms, such as Abraham Lincoln or a surfer-like travel adviser.

The move to introduce chatbots to Meta platforms comes amid growing competition from social media platforms like TikTok and a rising interest in AI technology. Meta has also made big investments into generative AI recently, including the release of a new large language model, Llama 2, which could power its upcoming chatbots.

During a recent earnings call, Meta CEO Mark Zuckerberg mentioned that the company envisions AI agents acting as assistants and coaches, facilitating interactions between users, businesses, and creators. He also hinted at the development of AI agents for customer service and an internal AI-powered productivity assistant for staff.

Read 6 remaining paragraphs | Comments

Enlarge (credit: WIRED staff)

The summer patch cycle shows no signs of slowing down, with tech giants Apple, Google, and Microsoft releasing multiple updates to fix flaws being used in real-life attacks. July also saw serious bugs squashed by enterprise software firms SAP, Citrix, and Oracle.

Here’s everything you need to know about the major patches released during the month.

Apple iOS and iPadOS 16.6

Apple had a busy July after issuing two separate security updates during the month. The iPhone maker’s first update came in the form of a security-only Rapid Security Response patch.

Read 26 remaining paragraphs | Comments

Enlarge (credit: Steve McDowell / Agefotostock)

Hacking teams working for the Chinese government are intent on burrowing into the farthest reaches of sensitive infrastructure, much of it belonging to the US, and establishing permanent presences there if possible. In the past two years, they have scored some wins that could seriously threaten national security.

If that wasn’t clear before, three reports released in the past week make it abundantly so. In one published by security firm Kaspersky, researchers detailed a suite of advanced spying tools used over the past two years by one group to establish a “permanent channel for data exfiltration” inside industrial infrastructure. A second report published Sunday by The New York Times said that a different group working for the Chinese government had hidden malware that could cause disruptions deep inside the critical infrastructure used by US military bases around the world. Those reports came nine days after Microsoft revealed a breach of email accounts belonging to 25 of its cloud customers, including the Departments of State and Commerce.

The operations appear to be coming from separate departments inside the Chinese government and targeting different parts of US and European infrastructure. The first group, tracked under the name Zirconium, is out to steal data from the targets it infects. A different group, known as Volt Typhoon, according to the NYT, aims to gain the long-term ability to cause disruptions inside US bases, possibly for use in the event of an armed conflict. In both cases, the groups are endeavoring to create permanent beachheads where they can surreptitiously set up shop.

Read 12 remaining paragraphs | Comments

Enlarge / 30 minutes in near-boiling water, and those soldered chips come right off, leaving you with something that's non-toxic, compostable, and looking like something from your grandparents' attic. (credit: Infineon)

Right now, the destination for the circuit board inside a device you no longer need is almost certainly a gigantic shredder, and that's the best-case scenario.

Most devices that don't have resale or reuse value end up going into the shredder—if they even make it into the e-waste stream. After their batteries are (hopefully) removed, the shredded boards pass through magnets, water, and incineration to pull specific minerals and metals out of the boards. The woven fiberglass and epoxy resin the boards were made from aren't worth much after they're sliced up, so they end up as waste. That waste is put in landfills, burned, or sometimes just stockpiled.

That's why, even if it's still in its earliest stages, something like the Soluboard sounds so promising. UK-based Jiva Materials makes printed circuit boards (PCBs) from natural fibers encased in a non-toxic polymer that dissolves in hot water. That leaves behind whole components previously soldered onto the board, which should be easier to recover.

Read 4 remaining paragraphs | Comments

Enlarge (credit: Benj Edwards / Arizona State University)

On Friday, Arizona State University's Sandra Day O'Connor College of Law announced that prospective students would be allowed to use AI tools, such as OpenAI's ChatGPT, to assist in preparing their applications, according to a report by Reuters.

This decision comes a week after the University of Michigan Law School notably decided to ban such AI tools, highlighting the diverse policies different universities are adopting related to AI's role in student applications.

Arizona State's law school says that applicants who use AI tools must clearly disclose that fact, and they must also ensure that the submitted information is accurate. This parallels the school's existing requirement for applicants to certify if they have used a professional consultant to help with their application.

Read 5 remaining paragraphs | Comments

Enlarge / A Google robot controlled by RT-2. (credit: Google)

On Friday, Google DeepMind announced Robotic Transformer 2 (RT-2), a "first-of-its-kind" vision-language-action (VLA) model that uses data scraped from the Internet to enable better robotic control through plain language commands. The ultimate goal is to create general-purpose robots that can navigate human environments, similar to fictional robots like WALL-E or C-3PO.

When a human wants to learn a task, we often read and observe. In a similar way, RT-2 utilizes a large language model (the tech behind ChatGPT) that has been trained on text and images found online. RT-2 uses this information to recognize patterns and perform actions even if the robot hasn't been specifically trained to do those tasks—a concept called generalization.

For example, Google says that RT-2 can allow a robot to recognize and throw away trash without having been specifically trained to do so. It uses its understanding of what trash is and how it is usually disposed to guide its actions. RT-2 even sees discarded food packaging or banana peels as trash, despite the potential ambiguity.

Read 10 remaining paragraphs | Comments

Enlarge (credit: Getty Images)

Security researchers have unearthed a rare malware find: malicious Android apps that use optical character recognition to steal credentials displayed on phone screens.

The malware, dubbed CherryBlos by researchers from security firm Trend Micro, has been embedded into at least four Android apps available outside of Google Play, specifically on sites promoting money-making scams. One of the apps was available for close to a month on Google Play but didn’t contain the malicious CherryBlos payload. The researchers also discovered suspicious apps on Google Play that were created by the same developers, but they also didn’t contain the payload.

Advanced techniques

The apps took great care to conceal their malicious functionality. They used a paid version of commercial software known as Jiagubao to encrypt code and code strings to prevent analysis that can detect such functionality. They also featured techniques to ensure the app remained active on phones that had installed it. When users opened legitimate apps for Binance and other cryptocurrency services, CherryBlos overlaid windows that mimicked those of the legitimate apps. During withdrawals, CherryBlos replaced the wallet address the victim selected to receive the funds with an address controlled by the attacker.

Read 13 remaining paragraphs | Comments

Enlarge (credit: Getty Images | NurPhoto)

Meta's new Twitter competitor, Threads, is looking for ways to keep users interested after more than half of the people who signed up for the text-based platform stopped actively using the app, Meta CEO Mark Zuckerberg reportedly told employees in a company town hall yesterday. Threads launched on July 5 and signed up over 100 million users in less than five days, buoyed by user frustration with Elon Musk-owned Twitter.

"Obviously, if you have more than 100 million people sign up, ideally it would be awesome if all of them or even half of them stuck around. We're not there yet," Zuckerberg told employees yesterday, according to Reuters, which listened to audio of the event.

Third-party data suggests that Threads may have lost many more than half of its active users. Daily active users for Threads on Android dropped from 49 million on July 7 to 23.6 million on July 14, and then to 12.6 million on July 23, web analytics company SimilarWeb reported.

Read 8 remaining paragraphs | Comments

Enlarge / Several examples of images generated using Stable Diffusion XL 1.0. (credit: Stable Diffusion)

On Wednesday, Stability AI released Stable Diffusion XL 1.0 (SDXL), its next-generation open weights AI image synthesis model. It can generate novel images from text descriptions and produces more detail and higher-resolution imagery than previous versions of Stable Diffusion.

As with Stable Diffusion 1.4, which made waves last August with an open source release, anyone with the proper hardware and technical know-how can download the SDXL files and run the model locally on their own machine for free.

Local operation means that there is no need to pay for access to the SDXL model, there are few censorship concerns, and the weights files (which contain the neutral network data that makes the model function) can be fine-tuned to generate specific types of imagery by hobbyists in the future.

Read 13 remaining paragraphs | Comments

Enlarge (credit: Getty Images)

A US senator is calling on the Justice Department to hold Microsoft responsible for “negligent cybersecurity practices” that enabled Chinese espionage hackers to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce.

“Holding Microsoft responsible for its negligence will require a whole-of-government effort,” Ron Wyden (D-Ore.) wrote in a letter. It was sent on Thursday to the heads of the Justice Department, Cybersecurity and Infrastructure Security Agency, and the Federal Trade Commission.

Bending over backward

Wyden’s remarks echo those of other critics who say Microsoft is withholding key details about a recent hack. In disclosures involving the incident so far, Microsoft has bent over backwards to avoid saying its infrastructure—including the Azure Active Directory, a supposedly fortified part of Microsoft’s cloud offerings that large organizations use to manage single sign-on and multifactor authentication—was breached. The critics have said that details Microsoft has disclosed so far lead to the inescapable conclusion that vulnerabilities in code for Azure AD and other cloud offerings were exploited to pull off the successful hack.

Read 13 remaining paragraphs | Comments

Enlarge / An AI-generated image of a slot machine in a desert. (credit: Midjourney)

On Thursday, OpenAI quietly pulled its AI Classifier, an experimental tool designed to detect AI-written text. The decommissioning, first noticed by Decrypt, occurred with no major fanfare and was announced through a small note added to OpenAI's official AI Classifier webpage:

As of July 20, 2023, the AI classifier is no longer available due to its low rate of accuracy. We are working to incorporate feedback and are currently researching more effective provenance techniques for text, and have made a commitment to develop and deploy mechanisms that enable users to understand if audio or visual content is AI-generated.

Released on January 31 amid clamor from educators about students potentially using ChatGPT to write essays and schoolwork, OpenAI's AI Classifier always felt like a performative Band-Aid on a deep wound. From the beginning, OpenAI admitted that its AI Classifier was not "fully reliable," correctly identifying only 26 percent of AI-written text as "likely AI-written" and incorrectly labeling human-written works 9 percent of the time.

As we've pointed out on Ars, AI writing detectors such as OpenAI's AI Classifier, Turnitin, and GPTZero simply don't work with enough accuracy to rely on them for trustworthy results. The methodology behind how they work is speculative and unproven, and the tools are currently routinely used to falsely accuse students of cheating.

Read 5 remaining paragraphs | Comments

Enlarge (credit: Getty Images)

It has been a tough year for PC companies and companies that make PC components. Companies like Intel, AMD, and Nvidia have all reported big drops in revenue from the hardware that they sell to consumers (though the hardware they sell to other businesses is often doing better).

Microsoft contributed another data point to that trend today, with fourth-quarter 2023 financial results that showed modest growth (revenue up 8 percent year over year, from $51.9 billion to $56.2 billion), but no thanks to its consumer software and hardware businesses.

Revenue from the company's More Personal Computing division, which encompasses Windows licenses, Surface PCs and other accessories, Xbox hardware and software and services, and ad revenue, was down 4 percent year over year. This decrease was driven mostly by a drop in sales of Windows licenses to PC makers (down 12 percent because of "PC market weakness") and by reduced hardware sales (down 20 percent, though the company didn't say how much of this drop came from its accessory business and how much came from Surface PCs). Microsoft makes its own PCs and PC accessories and sells the software that most other PC makers use on their hardware, so when the entire PC ecosystem is doing poorly, Microsoft gets hit twice.

Read 4 remaining paragraphs | Comments

Enlarge (credit: Getty Images | Chris Delmas)

Elon Musk's decision to rebrand Twitter as "X" wouldn't be complete without a change to the company's official Twitter account. The @X handle was already taken by a user who registered it over 16 years ago, but that wasn't much of an obstacle—Twitter simply took over the username and offered its longtime owner some merchandise but no monetary compensation.

San Francisco-based photographer Gene X Hwang was @X on Twitter from March 2007 until yesterday. "They just took it essentially—kinda what I thought might happen," Hwang told The Telegraph. "They did send an email saying it is the property of 'x' essentially."

Hwang confirmed to Ars today that "there was no financial compensation" offered to him. The company offered "to switch the @x account and its history/followers etc to a new handle once I select one that is available," Hwang told us. "They also offered some merch and to meet with the management team as well."

Read 10 remaining paragraphs | Comments

Enlarge (credit: OpenAI)

On Tuesday, OpenAI released an official ChatGPT app for Android, now available in the Google Play Store in four countries: the US, India, Bangladesh, and Brazil, with more coming soon. As a client for OpenAI's language model family, the GPT-3.5 and GPT-4 models run on the cloud and provide results to your Android device. It also integrates OpenAI's Whisper model for speech recognition.

ChatGPT, launched in November, is a conversational AI language model interface. As an AI assistant, it can help with summarization, text composition, and analysis. OpenAI bills its use cases as a way to seek "instant answers," "tailored advice," "creative inspiration," "professional input," and "learning opportunities."

A series of images showing OpenAI's proposed uses of the ChatGPT Android app, taken from the Google Play Store. (credit: OpenAI)

However, as we've noted in the past, ChatGPT is occasionally prone to confabulation (that is, making things up)—especially the GPT-3.5 model—so it's not entirely trustworthy as a factual reference. It can come in handy as a way to analyze data you provide yourself, though, so long as you're familiar with the subject matter and can validate the results.

Read 3 remaining paragraphs | Comments