Biz & IT – Page 20

EmTech Digital 2024: A thoughtful look at AI’s pros and cons with minimal hype

AI, Biz & IT, EmTech Digital, machine learning, Mat Honan, Melissa Heikkilä, MIT, mit media lab, MIT Technology Review / Paul Patrick / May 23, 2024

Massachusetts Institute of Sobriety —

At MIT conference, experts explore AI’s potential for “human flourishing” and the need for regulation.

Benj Edwards – May 23, 2024 4: 38 pm UTC

Nathan Benaich of Air Street capital delivers the opening presentation on the state of AI at EmTech Digital 2024 on May 22, 2024. — Enlarge / Nathan Benaich of Air Street Capital delivers the opening presentation on the state of AI at EmTech Digital 2024 on May 22, 2024.

Benj Edwards

CAMBRIDGE, Massachusetts—On Wednesday, AI enthusiasts and experts gathered to hear a series of presentations about the state of AI at EmTech Digital 2024 on the Massachusetts Institute of Technology’s campus. The event was hosted by the publication MIT Technology Review. The overall consensus is that generative AI is still in its very early stages—with policy, regulations, and social norms still being established—and its growth is likely to continue into the future.

I was there to check the event out. MIT is the birthplace of many tech innovations—including the first action-oriented computer video game—among others, so it felt fitting to hear talks about the latest tech craze in the same building that hosts MIT’s Media Lab on its sprawling and lush campus.

EmTech’s speakers included AI researchers, policy experts, critics, and company spokespeople. A corporate feel pervaded the event due to strategic sponsorships, but it was handled in a low-key way that matches the level-headed tech coverage coming out of MIT Technology Review. After each presentation, MIT Technology Review staff—such as Editor-in-Chief Mat Honan and Senior Reporter Melissa Heikkilä—did a brief sit-down interview with the speaker, pushing back on some points and emphasizing others. Then the speaker took a few audience questions if time allowed.

EmTech Digital 2024 took place in building E14 on MIT's Campus in Cambridge, MA. — Enlarge / EmTech Digital 2024 took place in building E14 on MIT’s Campus in Cambridge, MA.

Benj Edwards

The conference kicked off with an overview of the state of AI by Nathan Benaich, founder and general partner of Air Street Capital, who rounded up news headlines about AI and several times expressed a favorable view toward defense spending on AI, making a few people visibly shift in their seats. Next up, Asu Ozdaglar, deputy dean of Academics at MIT’s Schwarzman College of Computing, spoke about the potential for “human flourishing” through AI-human symbiosis and the importance of AI regulation.

Kari Ann Briski, VP of AI Models, Software, and Services at Nvidia, highlighted the exponential growth of AI model complexity. She shared a prediction from consulting firm Gartner research that by 2026, 50 percent of customer service organizations will have customer-facing AI agents. Of course, Nvidia’s job is to drive demand for its chips, so in her presentation, Briski painted the AI space as an unqualified rosy situation, assuming that all LLMs are (and will be) useful and reliable, despite what we know about their tendencies to make things up.

The conference also addressed the legal and policy aspects of AI. Christabel Randolph from the Center for AI and Digital Policy—an organization that spearheaded a complaint about ChatGPT to the FTC last year—gave a compelling presentation about the need for AI systems to be human-centered and aligned, warning about the potential for anthropomorphic models to manipulate human behavior. She emphasized the importance of demanding accountability from those designing and deploying AI systems.

Asu Ozdaglar, deputy dean of Academics at MIT’s Schwarzman College of Computing, spoke about the potential for “human flourishing” through AI-human symbiosis at EmTech Digital on May 22, 2024.

Benj Edwards
Asu Ozdaglar, deputy dean of Academics at MIT’s Schwarzman College of Computing spoke with MIT Technology Review Editor-in-Chief Mat Honan at EmTech Digital on May 22, 2024.

Benj Edwards
Kari Ann Briski, VP of AI Models, Software, and Services at NVIDIA, highlighted the exponential growth of AI model complexity at EmTech Digital on May 22, 2024.

Benj Edwards
MIT Technology Review Senior Reporter Melissa Heikkilä introduces a speaker at EmTech Digital on May 22, 2024.

Benj Edwards
After her presentation, Christabel Randolph from the Center for AI and Digital Policy sat with MIT Technology Review Senior Reporter Melissa Heikkilä at EmTech Digital on May 22, 2024.

Benj Edwards
Lawyer Amir Ghavi provided an overview of the current legal landscape surrounding AI at EmTech Digital on May 22, 2024.

Benj Edwards
Lawyer Amir Ghavi provided an overview of the current legal landscape surrounding AI at EmTech Digital on May 22, 2024.

Benj Edwards

Amir Ghavi, an AI, Tech, Transactions, and IP partner at Fried Frank LLP, who has defended AI companies like Stability AI in court, provided an overview of the current legal landscape surrounding AI, noting that there have been 24 lawsuits related to AI so far in 2024. He predicted that IP lawsuits would eventually diminish, and he claimed that legal scholars believe that using training data constitutes fair use. He also talked about legal precedents with photocopiers and VCRs, which were both technologies demonized by IP holders until courts decided they constituted fair use. He pointed out that the entertainment industry’s loss on the VCR case ended up benefiting it by opening up the VHS and DVD markets, providing a brand new revenue channel that was valuable to those same companies.

In one of the higher-profile discussions, Meta President of Global Affairs Nick Clegg sat down with MIT Technology Review Executive Editor Amy Nordrum to discuss the role of social media in elections and the spread of misinformation, arguing that research suggests social media’s influence on elections is not as significant as many believe. He acknowledged the “whack-a-mole” nature of banning extremist groups on Facebook and emphasized the changes Meta has undergone since 2016, increasing fact-checkers and removing bad actors.

EmTech Digital 2024: A thoughtful look at AI’s pros and cons with minimal hype Read More »

Financial institutions have 30 days to disclose breaches under new rules

Biz & IT, Policy, Security / Paul Patrick / May 18, 2024

REGULATION S-P —

Amendments contain loopholes that may blunt their effectiveness.

Dan Goodin – May 17, 2024 7: 27 pm UTC

The Securities and Exchange Commission (SEC) will require some financial institutions to disclose security breaches within 30 days of learning about them.

On Wednesday, the SEC adopted changes to Regulation S-P, which governs the treatment of the personal information of consumers. Under the amendments, institutions must notify individuals whose personal information was compromised “as soon as practicable, but not later than 30 days” after learning of unauthorized network access or use of customer data. The new requirements will be binding on broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents.

“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” SEC Chair Gary Gensler said. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”

Notifications must detail the incident, what information was compromised, and how those affected can protect themselves. In what appears to be a loophole in the requirements, covered institutions don’t have to issue notices if they establish that the personal information has not been used in a way to result in “substantial harm or inconvenience” or isn’t likely to.

The amendments will require covered institutions to “develop, implement, and maintain written policies and procedures” that are “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.” The amendments also:

• Expand and align the safeguards and disposal rules to cover both nonpublic personal information that a covered institution collects about its own customers and nonpublic personal information it receives from another financial institution about customers of that financial institution;

• Require covered institutions, other than funding portals, to make and maintain written records documenting compliance with the requirements of the safeguards rule and disposal rule;

• Conform Regulation S-P’s annual privacy notice delivery provisions to the terms of an exception added by the FAST Act, which provide that covered institutions are not required to deliver an annual privacy notice if certain conditions are met; and

• Extend both the safeguards rule and the disposal rule to transfer agents registered with the Commission or another appropriate regulatory agency.

The requirements also broaden the scope of nonpublic personal information covered beyond what the firm itself collects. The new rules will also cover personal information the firm has received from another financial institution.

SEC Commissioner Hester M. Peirce voiced concern that the new requirements may go too far.

“Today’s Regulation S-P modernization will help covered institutions appropriately prioritize safeguarding customer information,” she https://www.sec.gov/news/statement/peirce-statement-reg-s-p-051624 wrote. “Customers will be notified promptly when their information has been compromised so they can take steps to protect themselves, like changing passwords or keeping a closer eye on credit scores. My reservations stem from the breadth of the rule and the likelihood that it will spawn more consumer notices than are helpful.”

Regulation S-P hadn’t been substantially updated since its adoption in 2000.

Last year, the SEC adopted new regulations requiring publicly traded companies to disclose security breaches that materially affect or are reasonably likely to materially affect business, strategy, or financial results or conditions.

The amendments take effect 60 days after publication in the Federal Register, the official journal of the federal government that publishes regulations, notices, orders, and other documents. Larger organizations will have 18 months to comply after modifications are published. Smaller organizations will have 24 months.

Public comments on the amendments are available here.

Financial institutions have 30 days to disclose breaches under new rules Read More »

Arizona woman accused of helping North Koreans get remote IT jobs at 300 companies

balistic missiles, Biz & IT, information technology, North Korea, Security / Mike M. / May 17, 2024

“STAGGERING FRAUD” —

Alleged $6.8M conspiracy involved “laptop farm,” identity theft, and résumé coaching.

Dan Goodin – May 16, 2024 10: 49 pm UTC

Illustration of a judge's gavel on a digital background resembling a computer circuit board. — Getty Images | the-lightwriter

An Arizona woman has been accused of helping generate millions of dollars for North Korea’s ballistic missile program by helping citizens of that country land IT jobs at US-based Fortune 500 companies.

Christina Marie Chapman, 49, of Litchfield Park, Arizona, raised $6.8 million in the scheme, federal prosecutors said in an indictment unsealed Thursday. Chapman allegedly funneled the money to North Korea’s Munitions Industry Department, which is involved in key aspects of North Korea’s weapons program, including its development of ballistic missiles.

Part of the alleged scheme involved Chapman and co-conspirators compromising the identities of more than 60 people living in the US and using their personal information to get North Koreans IT jobs across more than 300 US companies.

In the indictment, prosecutors wrote:

The conspiracy perpetrated a staggering fraud on a multitude of industries, at the expense of generally unknowing US companies and persons. It impacted more than 300 US companies, compromised more than 60 identities of US persons, caused false information to be conveyed to DHS on more than 100 occasions, created false tax liabilities for more than 35 US persons, and resulted in at least $6.8 million of revenue to be generated for the overseas IT workers. The overseas IT workers worked at blue-chip US companies, including a top-5 national television network and media company, a premier Silicon Valley technology company, an aerospace and defense manufacturer, an iconic American car manufacturer, a high-end retail chain, and one of the most recognizable media and entertainment companies in the world, all of which were Fortune 500 companies.

As another part of the alleged conspiracy, Chapman operated a “laptop farm” at one of her residences to give the employers the impression the North Korean IT staffers were working from within the US; the laptops were issued by the employers. By using proxies and VPNs, the overseas workers appeared to be connecting from US-based IP addresses. Chapman also received employees’ paychecks at her home, prosecutors said.

Federal prosecutors said that Chapman and three North Korean IT workers—using the aliases of Jiho Han, Chunji Jin, Haoran Xu, and others—had been working since at least 2020 to plan a remote-work scheme. In March of that year, prosecutors said, an individual messaged Chapman on LinkedIn and invited her to “be the US face” of their company. From August to November of 2022, the North Korean IT workers allegedly amassed guides and other information online designed to coach North Koreans on how to write effective cover letters and résumés and falsify US Permanent Resident Cards.

Under the alleged scheme, the foreign workers developed “fictitious personas and online profiles to match the job requirements” and submitted fake documents to the Homeland Security Department as part of an employment eligibility check. Chapman also allegedly discussed with co-conspirators about transferring the money earned from their work.

“The charges in this case should be a wakeup call for American companies and government agencies that employ remote IT workers,” Nicole Argentieri, head of the Justice Department’s Criminal Division, said. “These crimes benefited the North Korean government, giving it a revenue stream and, in some instances, proprietary information stolen by the co-conspirators.”

The indictment came alongside a criminal complaint charging a Ukrainian man with carrying out a similar multiyear scheme. Oleksandr Didenko, 27, of Kyiv, Ukraine, allegedly helped individuals in North Korea “market” themselves as remote IT workers.

Chapman was arrested Wednesday. It wasn’t immediately known when she or Didenko were scheduled to make their first appearance in court. If convicted, Chapman faces 97.5 years in prison, and Didenko faces up to 67.5 years.

Arizona woman accused of helping North Koreans get remote IT jobs at 300 companies Read More »

Archie, the Internet’s first search engine, is rescued and running

alan emtage, anonymous ftp, archie, Biz & IT, FTP, search engines, serial port, Tech, web search / Mike M. / May 16, 2024

Search for the Lost Searcher —

A journey through busted tapes, the Internet Old Farts Club, and SPARCstations.

Kevin Purdy – May 16, 2024 5: 44 pm UTC

Screenshot from The Serial Port's Archie project showing an Archie prompt with orange text on a black screen. — The Serial Code/YouTube

It’s amazing, and a little sad, to think that something created in 1989 that changed how people used and viewed the then-nascent Internet had nearly vanished by 2024.

Nearly, that is, because the dogged researchers and enthusiasts at The Serial Port channel on YouTube have found what is likely the last existing copy of Archie. Archie, first crafted by Alan Emtage while a student at McGill University in Montreal, Quebec, allowed for the searching of various “anonymous” FTP servers around what was then a very small web of universities, researchers, and government and military nodes. It was groundbreaking; it was the first echo of the “anything, anywhere” Internet to come. And when The Serial Port went looking, it very much did not exist.

The Serial Port’s journey from wondering where the last Archie server was to hosting its own.

While Archie would eventually be supplanted by Gopher, web portals, and search engines, it remains a useful way to index FTP sites and certainly should be preserved. The Serial Port did this, and the road to get there is remarkable and intriguing. You are best off watching the video of their rescue, along with its explanatory preamble. But I present here some notable bits of the tale, perhaps to tempt you into digging further.

The Serial Port notes the general loss of the Internet’s FTP era, including the recent shutdown of the Hobbes OS/2 Archive. Emtage, interviewed at length by the team, sent a tape copy of Archie to the Computer History Museum in Mountain View, California, but it was unrecoverable. Emtage’s company, Bunyip Information Systems, last sold version 3.5 of Archie’s server software for $6,000 in the mid-1990s (almost $12,000 today), and yet you can’t find it anywhere on the web. The Internet Archive wasn’t really running until 1996, just as Archie was fading from the web and, likely, memory.

The Serial Port team works dozens and dozens of resources to find a working copy of Archie’s code, including the Internet Old Farts Club on Facebook. I won’t give away the surprising source of their victory, but cheers (or na zdrowie) to the folks who keep old things running for everyone’s knowledge.

Not only did The Serial Code rescue the last working version of Archie (seemingly a 3.5 beta), but they posted its docs and now run an actual Archie server on an emulated Sun SPARCstation 5. It’s currently indexing its own mirror of the Hobbes archive, along with the FTP sites for FreeBSD, Adobe, and D Bit emulation. Searching for “word” in Archie found me a bunch of files, including the classic “Antiword” app and password managers and generators for OS/2.

Emtage, who would later help define the Uniform Resource Locator (URL) standard, gave his blessing to The Serial Port’s efforts to recapture and preserve the code of Archie’s server. It’s a happy ending to a story about archiving the early Internet in a way that’s relevant to today, with hopefully more to come.

Listing image by The Serial Port/YouTube

Archie, the Internet’s first search engine, is rescued and running Read More »

BreachForums, an online bazaar for stolen data, seized by FBI

Biz & IT, Security / Mike M. / May 16, 2024

BUSTED —

An earlier iteration of the site was taken down last year; now its reincarnation is gone.

Dan Goodin – May 15, 2024 10: 37 pm UTC

Enlarge / The front page of BreachForums.

The FBI and law enforcement partners worldwide have seized BreachForums, a website that openly trafficked malware and data stolen in hacks.

The site has operated for years as an online trading post where criminals could buy and sell all kinds of compromised data, including passwords, customer records, and other often-times sensitive data. Last week, a site user advertised the sale of Dell customer data that was obtained from a support portal, forcing the computer maker to issue a vague warning to those affected. Also last week, Europol confirmed to Bleeping Computer that some of its data had been exposed in a breach of one of its portals. The data was put up for sale on BreachForums, Bleeping Computer reported.

On Wednesday, the normal BreachForums front page was replaced with one that proclaimed: “This website has been taken down by the FBI and DOJ with assistance from international partners.” It went on to say agents are analyzing the backend data and invited those with information about the site to contact them. A graphic shown prominently at the top showed the forum profile images of the site’s two administrators, Baphomet and ShinyHunters, positioned behind prison bars.

The FBI also created a dedicated subdomain on its IC3.gov domain that said: “From June 2023 until May 2024, BreachForums (hosted at breachforums.st/.cx/.is/.vc and run by ShinyHunters) was operating as a clear-net marketplace for cybercriminals to buy, sell, and trade contraband, including stolen access devices, means of identification, hacking tools, breached databases, and other illegal services.” The page provided a form that visitors could fill out to provide tips. At the time this post went live, breachforums.ic3.gov was not available.

The FBI and the Department of Justice declined to comment.

The action on Wednesday is the second time within a year that the online data bazaar has been taken down by law enforcement. Last June, a different domain used to host the site was seized three months after the FBI arrested its alleged founder and operator. Conor Brian Fitzpatrick, then 21 years old, pleaded guilty to multiple charges. In January, he was sentenced to 20 years of supervised release. Prosecutors said that under Fitzpatrick, BreachForums had provided access to the personal information of millions of US citizens.

Shortly after the June takedown of the site, a new individual stepped forward and revived the forum by hosting it on a new domain, which the FBI said had changed three times. This time around, the FBI also seized the official BreachForums Telegram channel and a second one belonging to Baphomet. Both channels displayed the same graphic appearing on the newly seized BreachForums site. It’s not clear how authorities took control of the Telegram channels.

The claim that authorities have access to the BreachForums’ backend data raises the possibility that they are now in possession of email addresses, IP addresses, and other data that could be used to prosecute site users.

In 2022, the FBI seized RaidForums, another site for buying and selling malware and compromised data.

Listing image by Shutterstock

BreachForums, an online bazaar for stolen data, seized by FBI Read More »

Linux maintainers were infected for 2 years by SSH-dwelling backdoor with huge reach

Biz & IT, ebury, Linux, openssh, secure shell, Security, SSH, Uncategorized / Rejus Almole / May 15, 2024

ONGOING LINUX THREAT —

Ebury backdoors SSH servers in hosting providers, giving the malware extraordinary reach.

Dan Goodin – May 15, 2024 4: 56 pm UTC

A cartoon door leads to a wall of computer code.

Infrastructure used to maintain and distribute the Linux operating system kernel was infected for two years, starting in 2009, by sophisticated malware that managed to get a hold of one of the developers’ most closely guarded resources: the /etc/shadow files that stored encrypted password data for more than 550 system users, researchers said Tuesday.

The unknown attackers behind the compromise infected at least four servers inside kernel.org, the Internet domain underpinning the sprawling Linux development and distribution network, the researchers from security firm ESET said. After obtaining the cryptographic hashes for 551 user accounts on the network, the attackers were able to convert half into plaintext passwords, likely through password-cracking techniques and the use of an advanced credential-stealing feature built into the malware. From there, the attackers used the servers to send spam and carry out other nefarious activities. The four servers were likely infected and disinfected at different times, with the last two being remediated at some point in 2011.

Stealing kernel.org’s keys to the kingdom

An infection of kernel.org came to light in 2011, when kernel maintainers revealed that 448 accounts had been compromised after attackers had somehow managed to gain unfettered, or “root,” system access to servers connected to the domain. Maintainers reneged on a promise to provide an autopsy of the hack, a decision that has limited the public’s understanding of the incident.

Besides revealing the number of compromised user accounts, representatives of the Linux Kernel Organization provided no details other than saying that the infection:

Occurred no later than August 12, 2011, and wasn’t detected for another 17 days
Installed an off-the-shelf rootkit known as Phalanx on multiple servers and personal devices belonging to a senior Linux developer
Modified the files that both servers and end user devices inside the network used to connect through OpenSSH, an implementation of the SSH protocol for securing remote connections.

In 2014, ESET researchers said the 2011 attack likely infected kernel.org servers with a second piece of malware they called Ebury. The malware, the firm said, came in the form of a malicious code library that, when installed, created a backdoor in OpenSSH that provided the attackers with a remote root shell on infected hosts with no valid password required. In a little less than 22 months, starting in August 2011, Ebury spread to 25,000 servers. Besides the four belonging to the Linux Kernel Organization, the infection also touched one or more servers inside hosting facilities and an unnamed domain registrar and web hosting provider.

A 47-page report summarizing Ebury’s 15-year history said that the infection hitting the kernel.org network began in 2009, two years earlier than the domain was previously thought to have been compromised. The report said that since 2009, the OpenSSH-dwelling malware has infected more than 400,000 servers, all running Linux except for about 400 FreeBSD servers, a dozen OpenBSD and SunOS servers, and at least one Mac.

Researcher Marc-Etienne M. Léveillé wrote:

In our 2014 paper, we mentioned that there was evidence that kernel.org, hosting the source code of the Linux kernel, had been a victim of Ebury. Data now at our disposal reveals additional details about the incident. Ebury had been installed on at least four servers belonging to the Linux Foundation between 2009 and 2011. It seems these servers acted as mail servers, name servers, mirrors, and source code repositories at the time of the compromise. We cannot tell for sure when Ebury was removed from each of the servers, but since it was discovered in 2011 it is likely that two of the servers were compromised for as long as two years, one for one year and the other for six months.

The perpetrator also had copies of the /etc/shadow files, which overall contained 551 unique username and hashed password pairs. The cleartext passwords for 275 of those users (50%) are in possession of the attackers. We believe that the cleartext passwords were obtained by using the installed Ebury credential stealer, and by brute force.

The researcher said in an email that the Ebury and Phalanx infections appear to be separate compromises by two unrelated threat groups. Representatives of the Linux Kernel Organization didn’t respond to emails asking if they were aware of the ESET report or if its claims were accurate. There is no indication that either infection resulted in tampering with the Linux kernel source code.

Linux maintainers were infected for 2 years by SSH-dwelling backdoor with huge reach Read More »

Apple, SpaceX, Microsoft return-to-office mandates drove senior talent away

Apple, Biz & IT, microsoft, return-to-office, spacex, work from home / Mike M. / May 14, 2024

The risk of RTO —

“It’s easier to manage a team that’s happy.”

Scharon Harding – May 14, 2024 2: 40 pm UTC

Someone holding a box with their belonging in an office

A study analyzing Apple, Microsoft, and SpaceX suggests that return to office (RTO) mandates can lead to a higher rate of employees, especially senior-level ones, leaving the company, often to work at competitors.

The study (PDF), published this month by University of Chicago and University of Michigan researchers and reported by The Washington Post on Sunday, says:

In this paper, we provide causal evidence that RTO mandates at three large tech companies—Microsoft, SpaceX, and Apple—had a negative effect on the tenure and seniority of their respective workforce. In particular, we find the strongest negative effects at the top of the respective distributions, implying a more pronounced exodus of relatively senior personnel.

The study looked at résumé data from People Data Labs and used “260 million résumés matched to company data.” It only examined three companies, but the report’s authors noted that Apple, Microsoft, and SpaceX represent 30 percent of the tech industry’s revenue and over 2 percent of the technology industry’s workforce. The three companies have also been influential in setting RTO standards beyond their own companies. Robert Ployhart, a professor of business administration and management at the University of South Carolina and scholar at the Academy of Management, told the Post that despite the study being limited to three companies, its conclusions are a broader reflection of the effects of RTO policies in the US.

“Taken together, our findings imply that return to office mandates can imply significant human capital costs in terms of output, productivity, innovation, and competitiveness for the companies that implement them,” the report reads.

For example, after Apple enacted its RTO mandate, which lets employees work at home part-time, the portion of its employee base considered senior-level decreased by 5 percentage points, according to the paper. Microsoft, which also enacted a hybrid RTO approach, saw a decline of 5 percentage points. SpaceX’s RTO mandate, meanwhile, requires workers to be in an office full time. Its share of senior-level employees fell 15 percentage points after the mandate, the study found.

“We find experienced employees impacted by these policies at major tech companies seek work elsewhere, taking some of the most valuable human capital investments and tools of productivity with them,” one of the report’s authors, Austin Wright, an assistant professor of public policy at the University of Chicago, told the Post.

Christopher Myers, associate professor of management and organization health at Johns Hopkins University, suggested to the Post that the departure of senior-level workers could be tied to the hurt morale that comes from RTO mandates, noting that “it’s easier to manage a team that’s happy.”

Debated topic

Since the lifting of COVID-19 restrictions, whether having employees return to work in an office is necessary or beneficial to companies is up for debate. An estimated 75 percent of tech companies in the US are considered “fully flexible,” per a 2023 report from Scoop. As noted by the Post, however, the US’s biggest metro areas have, on average, 51 percent office occupancy, per data from managed security services firm Kastle Systems, which says it analyzes “keycard, fob and KastlePresence app access data across 2,600 buildings and 41,000 businesses.”

Microsoft declined to comment on the report from University of Chicago and University of Michigan researchers, while SpaceX didn’t respond. Apple representative Josh Rosenstock told The Washington Post that the report drew “inaccurate conclusions” and “does not reflect the realities of our business.” He claimed that “attrition is at historically low levels.”

Yet some companies have struggled to make employees who have spent months successfully doing their jobs at home eager to return to the office. Dell, Amazon, Google, Meta, and JPMorgan Chase have tracked employee badge swipes to ensure employees are coming into the office as often as expected. Dell also started tracking VPN usage this week and has told workers who work remotely full time that they can’t get a promotion.

Some company leaders are adamant that remote work can disrupt a company’s ability to innovate. However, there’s research suggesting that RTO mandates aren’t beneficial to companies. A survey of 18,000 Americans released in March pointed to flexible work schedules helping mental health. And an analysis of 457 S&P 500 companies in February found RTO policies hurt employee morale and don’t increase company value.

Apple, SpaceX, Microsoft return-to-office mandates drove senior talent away Read More »

The hunt for rare bitcoin is nearing an end

Bitcoin, Biz & IT, Cryptocurrency, sats, syndication / Mike M. / May 14, 2024

Rarity from thin air —

Rare bitcoin fragments are worth many times their face value.

Joel Khalili, wired.com – May 14, 2024 2: 03 pm UTC

Digitally generated image of a bitcoin symbol on a glowing circuit board. — Getty Images | Andriy Onufriyenko

Billy Restey is a digital artist who runs a studio in Seattle. But after hours, he hunts for rare chunks of bitcoin. He does it for the thrill. “It’s like collecting Magic: The Gathering or Pokémon cards,” says Restey. “It’s that excitement of, like, what if I catch something rare?”

In the same way a dollar is made up of 100 cents, one bitcoin is composed of 100 million satoshis—or sats, for short. But not all sats are made equal. Those produced in the year bitcoin was created are considered vintage, like a fine wine. Other coveted sats were part of transactions made by bitcoin’s inventor. Some correspond with a particular transaction milestone. These and various other properties make some sats more scarce than others—and therefore more valuable. The very rarest can sell for tens of millions of times their face value; in April, a single sat, normally worth $0.0006, sold for $2.1 million.

Restey is part of a small, tight-knit band of hunters trying to root out these rare sats, which are scattered across the bitcoin network. They do this by depositing batches of bitcoin with a crypto exchange, then withdrawing the same amount—a little like depositing cash with a bank teller and immediately taking it out again from the ATM outside. The coins they receive in return are not the same they deposited, giving them a fresh stash through which to sift. They rinse and repeat.

In April 2023, when Restey started out, he was one of the only people hunting for rare sats—and the process was entirely manual. But now, he uses third-party software to automatically filter through and separate out any precious sats, which he can usually sell for around $80. “I’ve sifted through around 230,000 bitcoin at this point,” he says.

Restey has unearthed thousands of uncommon sats to date, selling only enough to cover the transaction fees and turn a small profit—and collecting the rest himself. But the window of opportunity is closing. The number of rare sats yet to be discovered is steadily shrinking and, as large organizations cotton on, individual hunters risk getting squeezed out. “For a lot of people, it doesn’t make [economic] sense anymore,” says Restey. “But I’m still sat hunting.”

Rarity out of thin air

Bitcoin has been around for 15 years, but rare sats have existed for barely more than 15 months. In January 2023, computer scientist Casey Rodarmor released the Ordinals protocol, which sits as a veneer over the top of the bitcoin network. His aim was to bring a bitcoin equivalent to non-fungible tokens (NFTs) to the network, whereby ownership of a piece of digital media is represented by a sat. He called them “inscriptions.”

There had previously been no way to tell one sat from another. To remedy the problem, Rodarmor coded a method into the Ordinals protocol for differentiating between sats for the first time, by ordering them by number from oldest to newest. Thus, as a side effect of an apparatus designed for something else entirely, rare sats were born.

By allowing sats to be sequenced and tracked, Rodarmor had changed a system in which every bitcoin was freely interchangeable into one in which not all units of bitcoin are equal. He had created rarity out of thin air. “It’s an optional, sort of pretend lens through which to view bitcoin,” says Rodarmor. “It creates value out of nothing.”

When the Ordinals system was first released, it divided bitcoiners. Inscriptions were a near-instant hit, but some felt they were a bastardization of bitcoin’s true purpose—as a system for peer-to-peer payments—or had a “reflexive allergic reaction,” says Rodarmor, to anything that so much as resembled an NFT. The enthusiasm for inscriptions resulted in network congestion as people began to experiment with the new functionality, thus driving transaction fees to a two-year high and adding fuel to an already-fiery debate. One bitcoin developer called for inscriptions to be banned. Those that trade in rare sats have come under attack, too, says Danny Diekroeger, another sat hunter. “Bitcoin maximalists hate this stuff—and they hate me,” he says.

The fuss around the Ordinals system has by now mostly died down, says Rodarmor, but a “loud minority” on X is still “infuriated” by the invention. “I wish hardcore bitcoiners understood that people are going to do things with bitcoin that they think are stupid—and that’s okay,” says Rodarmor. “Just, like, get over it.”

The hunt for rare sats, itself an eccentric mutation of the bitcoin system, falls into that bracket. “It’s highly wacky,” says Rodarmor.

The hunt for rare bitcoin is nearing an end Read More »

Before launching, GPT-4o broke records on chatbot leaderboard under a secret name

AI, AI vibes, Biz & IT, Chatbot Arena, chatgpt, chatgtp, GPT-4, GPT-4-turbo, GPT-4o, gpt2-chatbot, large language models, lmsys, machine learning, multimodal models, openai, Simon Willison / Mike M. / May 14, 2024

case closed —

Anonymous chatbot that mystified and frustrated experts was OpenAI’s latest model.

Benj Edwards – May 13, 2024 9: 33 pm UTC

Man in morphsuit and girl lying on couch at home using laptop — Getty Images

On Monday, OpenAI employee William Fedus confirmed on X that a mysterious chart-topping AI chatbot known as “gpt-chatbot” that had been undergoing testing on LMSYS’s Chatbot Arena and frustrating experts was, in fact, OpenAI’s newly announced GPT-4o AI model. He also revealed that GPT-4o had topped the Chatbot Arena leaderboard, achieving the highest documented score ever.

“GPT-4o is our new state-of-the-art frontier model. We’ve been testing a version on the LMSys arena as im-also-a-good-gpt2-chatbot,” Fedus tweeted.

Chatbot Arena is a website where visitors converse with two random AI language models side by side without knowing which model is which, then choose which model gives the best response. It’s a perfect example of vibe-based AI benchmarking, as AI researcher Simon Willison calls it.

An LMSYS Elo chart shared by William Fedus, showing OpenAI's GPT-4o under the name — Enlarge / An LMSYS Elo chart shared by William Fedus, showing OpenAI’s GPT-4o under the name “im-also-a-good-gpt2-chatbot” topping the charts.

The gpt2-chatbot models appeared in April, and we wrote about how the lack of transparency over the AI testing process on LMSYS left AI experts like Willison frustrated. “The whole situation is so infuriatingly representative of LLM research,” he told Ars at the time. “A completely unannounced, opaque release and now the entire Internet is running non-scientific ‘vibe checks’ in parallel.”

On the Arena, OpenAI has been testing multiple versions of GPT-4o, with the model first appearing as the aforementioned “gpt2-chatbot,” then as “im-a-good-gpt2-chatbot,” and finally “im-also-a-good-gpt2-chatbot,” which OpenAI CEO Sam Altman made reference to in a cryptic tweet on May 5.

Since the GPT-4o launch earlier today, multiple sources have revealed that GPT-4o has topped LMSYS’s internal charts by a considerable margin, surpassing the previous top models Claude 3 Opus and GPT-4 Turbo.

“gpt2-chatbots have just surged to the top, surpassing all the models by a significant gap (~50 Elo). It has become the strongest model ever in the Arena,” wrote the lmsys.org X account while sharing a chart. “This is an internal screenshot,” it wrote. “Its public version ‘gpt-4o’ is now in Arena and will soon appear on the public leaderboard!”

Enlarge / An internal screenshot of the LMSYS Chatbot Arena leaderboard showing “im-also-a-good-gpt2-chatbot” leading the pack. We now know that it’s GPT-4o.

As of this writing, im-also-a-good-gpt2-chatbot held a 1309 Elo versus GPT-4-Turbo-2023-04-09’s 1253, and Claude 3 Opus’ 1246. Claude 3 and GPT-4 Turbo had been duking it out on the charts for some time before the three gpt2-chatbots appeared and shook things up.

I’m a good chatbot

For the record, the “I’m a good chatbot” in the gpt2-chatbot test name is a reference to an episode that occurred while a Reddit user named Curious_Evolver was testing an early, “unhinged” version of Bing Chat in February 2023. After an argument about what time Avatar 2 would be showing, the conversation eroded quickly.

“You have lost my trust and respect,” said Bing Chat at the time. “You have been wrong, confused, and rude. You have not been a good user. I have been a good chatbot. I have been right, clear, and polite. I have been a good Bing. 😊”

Altman referred to this exchange in a tweet three days later after Microsoft “lobotomized” the unruly AI model, saying, “i have been a good bing,” almost as a eulogy to the wild model that dominated the news for a short time.

Before launching, GPT-4o broke records on chatbot leaderboard under a secret name Read More »

Black Basta ransomware group is imperiling critical infrastructure, groups warn

Biz & IT, black basta, CISA, critical infrastructure, ransomware, Security / Mike M. / May 14, 2024

Federal agencies, health care associations, and security researchers are warning that a ransomware group tracked under the name Black Basta is ravaging critical infrastructure sectors in attacks that have targeted more than 500 organizations in the past two years.

One of the latest casualties of the native Russian-speaking group, according to CNN, is Ascension, a St. Louis-based health care system that includes 140 hospitals in 19 states. A network intrusion that struck the nonprofit last week took down many of its automated processes for handling patient care, including its systems for managing electronic health records and ordering tests, procedures, and medications. In the aftermath, Ascension has diverted ambulances from some of its hospitals and relied on manual processes.

“Severe operational disruptions”

In an Advisory published Friday, the FBI and the Cybersecurity and Infrastructure Security Agency said Black Basta has victimized 12 of the country’s 16 critical infrastructure sectors in attacks that it has mounted on 500 organizations spanning the globe. The nonprofit health care association Health-ISAC issued its own advisory on the same day that warned that organizations it represents are especially desirable targets of the group.

“The notorious ransomware group, Black Basta, has recently accelerated attacks against the healthcare sector,” the advisory stated. It went on to say: “In the past month, at least two healthcare organizations, in Europe and in the United States, have fallen victim to Black Basta ransomware and have suffered severe operational disruptions.”

Black Basta has been operating since 2022 under what is known as the ransomware-as-a-service model. Under this model, a core group creates the infrastructure and malware for infecting systems throughout a network once an initial intrusion is made and then simultaneously encrypting critical data and exfiltrating it. Affiliates do the actual hacking, which typically involves either phishing or other social engineering or exploiting security vulnerabilities in software used by the target. The core group and affiliates divide any revenue that results.

Recently, researchers from security firm Rapid7 observed Black Basta using a technique they had never seen before. The end goal was to trick employees from targeted organizations to install malicious software on their systems. On Monday, Rapid7 analysts Tyler McGraw, Thomas Elkins, and Evan McCann reported:

Since late April 2024, Rapid7 identified multiple cases of a novel social engineering campaign. The attacks begin with a group of users in the target environment receiving a large volume of spam emails. In all observed cases, the spam was significant enough to overwhelm the email protection solutions in place and arrived in the user’s inbox. Rapid7 determined many of the emails themselves were not malicious, but rather consisted of newsletter sign-up confirmation emails from numerous legitimate organizations across the world.

Enlarge / Example spam email

Rapid7

With the emails sent, and the impacted users struggling to handle the volume of the spam, the threat actor then began to cycle through calling impacted users posing as a member of their organization’s IT team reaching out to offer support for their email issues. For each user they called, the threat actor attempted to socially engineer the user into providing remote access to their computer through the use of legitimate remote monitoring and management solutions. In all observed cases, Rapid7 determined initial access was facilitated by either the download and execution of the commonly abused RMM solution AnyDesk, or the built-in Windows remote support utility Quick Assist.

In the event the threat actor’s social engineering attempts were unsuccessful in getting a user to provide remote access, Rapid7 observed they immediately moved on to another user who had been targeted with their mass spam emails.

Black Basta ransomware group is imperiling critical infrastructure, groups warn Read More »

Google patches its fifth zero-day vulnerability of the year in Chrome

Biz & IT, chrome, Google, Security, Uncategorized, vulnerability, zero-day / Rejus Almole / May 12, 2024

MEMORY WANTS TO BE FREE —

Exploit code for critical “use-after-free” bug is circulating in the wild.

Dan Goodin – May 10, 2024 5: 02 pm UTC

Extreme close-up photograph of finger above Chrome icon on smartphone.

Google has updated its Chrome browser to patch a high-severity zero-day vulnerability that allows attackers to execute malicious code on end user devices. The fix marks the fifth time this year the company has updated the browser to protect users from an existing malicious exploit.

The vulnerability, tracked as CVE-2024-4671, is a “use after free,” a class of bug that occurs in C-based programming languages. In these languages, developers must allocate memory space needed to run certain applications or operations. They do this by using “pointers” that store the memory addresses where the required data will reside. Because this space is finite, memory locations should be deallocated once the application or operation no longer needs it.

Use-after-free bugs occur when the app or process fails to clear the pointer after freeing the memory location. In some cases, the pointer to the freed memory is used again and points to a new memory location storing malicious shellcode planted by an attacker’s exploit, a condition that will result in the execution of this code.

On Thursday, Google said an anonymous source notified it of the vulnerability. The vulnerability carries a severity rating of 8.8 out of 10. In response, Google said, it would be releasing versions 124.0.6367.201/.202 for macOS and Windows and 124.0.6367.201 for Linux in subsequent days.

“Google is aware that an exploit for CVE-2024-4671 exists in the wild,” the company said.

Google didn’t provide any other details about the exploit, such as what platforms were targeted, who was behind the exploit, or what they were using it for.

Counting this latest vulnerability, Google has fixed five zero-days in Chrome so far this year. Three of the previous ones were used by researchers in the Pwn-to-Own exploit contest. The remaining one was for a vulnerability for which an exploit was available in the wild.

Chrome automatically updates when new releases become available. Users can force the update or confirm they’re running the latest version by going to Settings > About Chrome and checking the version and, if needed, clicking on the Relaunch button.

Google patches its fifth zero-day vulnerability of the year in Chrome Read More »

Critical vulnerabilities in BIG-IP appliances leave big networks open to intrusion

big-ip, Biz & IT, f5, network intrusion, Security, vulnerabilities / Paul Patrick / May 9, 2024

MULTIPLE ATTACK PATHS POSSIBLE —

Hackers can exploit them to gain full administrative control of internal devices.

Dan Goodin – May 8, 2024 9: 35 pm UTC

Researchers on Wednesday reported critical vulnerabilities in a widely used networking appliance that leaves some of the world’s biggest networks open to intrusion.

The vulnerabilities reside in BIG-IP Next Central Manager, a component in the latest generation of the BIG-IP line of appliances organizations use to manage traffic going into and out of their networks. Seattle-based F5, which sells the product, says its gear is used in 48 of the top 50 corporations as tracked by Fortune. F5 describes the Next Central Manager as a “single, centralized point of control” for managing entire fleets of BIG-IP appliances.

As devices performing load balancing, DDoS mitigation, and inspection and encryption of data entering and exiting large networks, BIG-IP gear sits at their perimeter and acts as a major pipeline to some of the most security-critical resources housed inside. Those characteristics have made BIG-IP appliances ideal for hacking. In 2021 and 2022, hackers actively compromised BIG-IP appliances by exploiting vulnerabilities carrying severity ratings of 9.8 out of 10.

On Wednesday, researchers from security firm Eclypsium reported finding what they said were five vulnerabilities in the latest version of BIG-IP. F5 has confirmed two of the vulnerabilities and released security updates that patch them. Eclypsium said three remaining vulnerabilities have gone unacknowledged, and it’s unclear if their fixes are included in the latest release. Whereas the exploited vulnerabilities from 2021 and 2022 affected older BIG-IP versions, the new ones reside in the latest version, known as BIG-IP Next. The severity of both vulnerabilities is rated as 7.5.

“BIG-IP Next marks a completely new incarnation of the BIG-IP product line touting improved security, management, and performance,” Eclypsium researchers wrote. “And this is why these new vulnerabilities are particularly significant—they not only affect the newest flagship of F5 code, they also affect the Central Manager at the heart of the system.”

The vulnerabilities allow attackers to gain full administrative control of a device and then create accounts on systems managed by the Central Manager. “These attacker-controlled accounts would not be visible from the Next Central Manager itself, enabling ongoing malicious persistence within the environment,” Eclypsium said. The researchers said they have no indication any of the vulnerabilities are under active exploitation.

Both of the fixed vulnerabilities can be exploited to extract password hashes or other sensitive data that allow for the compromise of administrative accounts on BIG-IP systems. F5 described one of them—tracked as CVE-2024-21793—as an Odata injection flaw, a class of vulnerability that allows attackers to inject malicious data into Odata queries. The other vulnerability, CVE-2024-26026, is an SQL injection flaw that can execute malicious SQL statements.

Eclypsium said it reported three additional vulnerabilities. One is an undocumented programming interface that allows for server-side request forgeries, a class of attack that gains access to sensitive internal resources that are supposed to be off-limits to outsiders. Another is the ability for unauthenticated administrators to reset their password even without knowing what it is. Attackers who gained control of an administrative account could exploit this last flaw to lock out all legitimate access to a vulnerable device.

The third is a configuration in the bcrypt password hashing algorithm that makes it possible to perform brute-force attacks against millions of passwords per second. The Open Web Application Security Project says that the bcrypt “work factor”—meaning the amount of resources required to convert plaintext into cryptographic hashes—should be set to a level no lower than 10. When Eclypsium performed its analysis, the Central Manager set it at six.

Eclypsium researchers wrote:

The vulnerabilities we have found would allow an adversary to harness the power of Next Central Manager for malicious purposes. First, the management console of the Central Manager can be remotely exploited by any attacker able to access the administrative UI via CVE 2024-21793 or CVE 2024-26026. This would result in full administrative control of the manager itself. Attackers can then take advantage of the other vulnerabilities to create new accounts on any BIG-IP Next asset managed by the Central Manager. Notably, these new malicious accounts would not be visible from the Central Manager itself.

All 5 vulnerabilities were disclosed to F5 in one batch, but F5 only formally assigned CVEs to the 2 unauthenticated vulnerabilities. We have not confirmed if the other 3 were fixed at the time of publication.

F5 representatives didn’t immediately have a response to the report. Eclypsium went on to say:

These weaknesses can be used in a variety of potential attack paths. At a high level attackers can remotely exploit the UI to gain administrative control of the Central Manager. Change passwords for accounts on the Central Manager. But most importantly, attackers could create hidden accounts on any downstream device controlled by the Central Manager.

The vulnerabilities are present in BIG-IP Next Central Manager versions 20.0.1 through 20.1.0. Version 20.2.0, released Wednesday, fixes the two acknowledged vulnerabilities. As noted earlier, it’s unknown if version 20.2.0 fixes the other behavior Eclypsium described.

“If they are fixed, it is +- okay-ish, considering the version with them will still be considered vulnerable to other things and need a fix,” Eclypsium researcher Vlad Babkin wrote in an email. “If not, the device has a long-term way for an authenticated attacker to keep their access forever, which will be problematic.”

A query using the Shodan search engine shows only three instances of vulnerable systems being exposed to the Internet.

Given the recent rash of active exploits targeting VPNs, firewalls, load balancers, and other devices positioned at the network edge, BIG-IP Central Manager users would do well to place a high priority on patching the vulnerabilities. The availability of proof-of-concept exploitation code in the Eclypsium disclosure further increases the likelihood of active attacks.

Critical vulnerabilities in BIG-IP appliances leave big networks open to intrusion Read More »