
Missouri county declares state of emergency amid suspected ransomware attack

IT SYSTEMS HELD HOSTAGE —

Outage occurs on same day as special election, but election offices remain open.

Downtown Kansas City, Missouri, which is part of Jackson County.

Jackson County, Missouri, has declared a state of emergency and closed key offices indefinitely as it responds to what officials believe is a ransomware attack that has made some of its IT systems inoperable.

“Jackson County has identified significant disruptions within its IT systems, potentially attributable to a ransomware attack,” officials wrote Tuesday. “Early indications suggest operational inconsistencies across its digital infrastructure and certain systems have been rendered inoperative while others continue to function as normal.”

The systems confirmed inoperable include tax and online property payments, issuance of marriage licenses, and inmate searches. In response, the Assessment, Collection and Recorder of Deeds offices at all county locations are closed until further notice.

The closure occurred the same day that the county was holding a special election on a proposed sales tax to fund a stadium for MLB’s Kansas City Royals and the NFL’s Kansas City Chiefs. Neither the Jackson County Board of Elections nor the Kansas City Board of Elections has been affected by the attack; both remain open.

To date, ransomware attacks have hit 28 county, municipal, or tribal governments this year, according to Brett Callow, a threat analyst with security firm Emsisoft. Last year, there were 95; 106 occurred in 2022.

The Jackson County website says there are 654,000 residents in the 607-square-mile county, which includes most of Kansas City, the biggest city in Missouri.

The response to the attack and the investigation into it have just begun, but so far, officials said they had no evidence that data had been compromised.

“We are currently in the early stages of our diagnostic procedures, working closely with our cybersecurity partners to thoroughly explore all possibilities and identify the root cause of the situation,” officials wrote. “While the investigation considers ransomware as a potential cause, comprehensive analyses are underway to confirm the exact nature of the disruption.”

Jackson County Executive Frank White Jr. has issued an executive order declaring a state of emergency.

“The potential significant budgetary impact of this incident may require appropriations from the County’s emergency fund and, if these funds are found to be insufficient, the enactment of additional budgetary adjustments or cuts,” White wrote. “It is directed that all county staff are to take whatever steps are necessary to protect resident data, county assets, and continue essential services, thereby mitigating the impact of this potential ransomware attack.”

The attack first came to attention Tuesday morning, county officials said on Facebook.

The county has notified law enforcement and retained IT security contractors to help investigate and remediate the attack.

“The County recognizes the impact these closures have on its residents,” officials wrote. “We appreciate the community’s patience and understanding during this time and will provide more information as it becomes available.”


Billie Eilish, Pearl Jam, 200 artists say AI poses existential threat to their livelihoods

artificial music —

Artists say AI will “set in motion a race to the bottom that will degrade the value of our work.”

Billie Eilish attends the 2024 Vanity Fair Oscar Party hosted by Radhika Jones at the Wallis Annenberg Center for the Performing Arts on March 10, 2024, in Beverly Hills, California.

On Tuesday, the Artist Rights Alliance (ARA) announced an open letter critical of AI signed by over 200 musical artists, including Pearl Jam, Nicki Minaj, Billie Eilish, Stevie Wonder, Elvis Costello, and the estate of Frank Sinatra. In the letter, the artists call on AI developers, technology companies, platforms, and digital music services to stop using AI to “infringe upon and devalue the rights of human artists.” A tweet from the ARA added that AI poses an “existential threat” to their art.

Visual artists began protesting generative AI after the first mainstream AI image generators arrived in 2022. As generative AI research has since expanded to other forms of creative media, that protest has spread to professionals in other creative domains, such as writers, actors, filmmakers, and now musicians.

“When used irresponsibly, AI poses enormous threats to our ability to protect our privacy, our identities, our music and our livelihoods,” the open letter states. It alleges that some of the “biggest and most powerful” companies (unnamed in the letter) are using the work of artists without permission to train AI models, with the aim of replacing human artists with AI-created content.

A list of musical artists that signed the ARA open letter against generative AI.

In January, Billboard reported that AI research taking place at Google DeepMind had trained an unnamed music-generating AI on a large dataset of copyrighted music without seeking artist permission. That report may have been referring to Google’s Lyria, an AI-generation model announced in November that the company positioned as a tool for enhancing human creativity. The tech has since powered musical experiments from YouTube.

We’ve previously covered AI music generators that seemed fairly primitive throughout 2022 and 2023, such as Riffusion, Google’s MusicLM, and Stability AI’s Stable Audio. We’ve also covered open source musical voice-cloning technology that is frequently used to make musical parodies online. While we have yet to see an AI model that can generate perfect, fully composed high-quality music on demand, the quality of outputs from music synthesis models has been steadily improving over time.

In considering AI’s potential impact on music, it’s instructive to remember historical instances where tech innovations initially sparked concern among artists. For instance, the introduction of synthesizers in the 1960s and 1970s and the advent of digital sampling in the 1980s both faced scrutiny and fear from parts of the music community, but the music industry eventually adjusted.

While we’ve seen fear of the unknown related to AI going around quite a bit for the past year, it’s possible that AI tools will be integrated into the music production process like any other music production tool or technique that came before. It’s also possible that even if that kind of integration comes to pass, some artists will still get hurt along the way—and the ARA wants to speak out about it before the technology progresses further.

“Race to the bottom”

The Artists Rights Alliance is a nonprofit advocacy group that describes itself as an “alliance of working musicians, performers, and songwriters fighting for a healthy creative economy and fair treatment for all creators in the digital world.”

The signers of the ARA’s open letter say they acknowledge the potential of AI to advance human creativity when used responsibly, but they also claim that replacing artists with generative AI would “substantially dilute the royalty pool” paid out to artists, which could be “catastrophic” for many working musicians, artists, and songwriters who are trying to make ends meet.

In the letter, the artists say that unchecked AI will set in motion a race to the bottom that will degrade the value of their work and prevent them from being fairly compensated. “This assault on human creativity must be stopped,” they write. “We must protect against the predatory use of AI to steal professional artists’ voices and likenesses, violate creators’ rights, and destroy the music ecosystem.”

The emphasis on the word “human” in the letter is notable (“human artist” appears twice, and “human creativity” and “human artistry” once each) because it shows the clear distinction the signers are drawing between the work of human artists and the output of AI systems. It implies recognition that we’ve entered an era in which not all creative output is made by people.

The letter concludes with a call to action, urging all AI developers, technology companies, platforms, and digital music services to pledge not to develop or deploy AI music-generation technology, content, or tools that undermine or replace the human artistry of songwriters and artists or deny them fair compensation for their work.

While it’s unclear whether companies will meet those demands, so far, protests from visual artists have not stopped development of ever-more advanced image-synthesis models. On Threads, frequent AI industry commentator Dare Obasanjo wrote, “Unfortunately this will be as effective as writing an open letter to stop the sun from rising tomorrow.”


Broadcom execs say VMware price, subscription complaints are unwarranted

Broadcom’s defense —

Industry groups aren’t giving up hope for government intervention.


Broadcom has made controversial changes to VMware since closing its acquisition of the virtualization brand in late November. Broadcom executives are trying to convince VMware customers and partners that they’ll eventually see the subscription-fueled light. But discontent remains, as illustrated by industry groups continuing to urge regulators to rein in what they claim are unfair business practices.

Since Broadcom announced that it would no longer sell perpetual VMware licenses as of December 2023, there have been complaints about rising costs associated with this model. In March, a VMware User Group Town Hall saw attendees complaining of price jumps of up to 600 percent, The Register reported. Small managed service providers that had worked with VMware have reported seeing the price of business rising tenfold, per a February ServeTheHome report.

Broadcom execs defend subscription model

However, Sylvain Cazard, president of Broadcom Software for Asia-Pacific, reportedly told The Register that complaints about higher prices are unwarranted since customers using at least two components of VMware’s flagship Cloud Foundation will end up paying less and because the new pricing includes support, which VMware didn’t include before.

The Register reported that Cazard, as well as Paul Turner, VP of product management at VMware, and Prashanth Shenoy, VP of product and technical marketing for the Cloud, Infrastructure, Platforms, and Solutions group at VMware, all agreed that people who think moving to subscriptions is unfair aren’t considering that VMware waited longer than many in the industry to implement the model.

This is an argument Broadcom has made before. Broadcom CEO and President Hock Tan called subscription-only licensing “the industry standard” in a March blog post defending VMware’s changes.

Pushing for government intervention

Despite Broadcom execs’ efforts to convince people that the changes are reasonable and will eventually benefit stakeholders financially, industry groups are still pushing to get regulators involved in how Broadcom is running VMware.

As reported by Dutch IT magazine Computable on Friday, representatives from Beltug, a Belgian CIO trade group; Le Cigref, a French network of companies interested in digital technology; the CIO Platform Nederland association for CIOs and CDOs; and VOICE e.V., a German association for IT decision-makers, sent a letter [PDF] to European Commission President Ursula von der Leyen and European Commissioner Thierry Breton on Thursday to “strongly condemn” Broadcom’s business practices and ask the commission to take action.

The letter complains of “sudden changes in policy and practices” that Broadcom issued to VMware that the authors claim led to: “steeply increased prices; non-fulfillment of previous contractual agreements; disallowing reselling of licenses; refusing to maintain security conditions for perpetual licenses; (re)bundling of licenses, leading to higher costs; a shake up of the ecosystem of VMware resellers and partners”; and “a loss of knowledge.”

The letter reads, in part:

In the context of the VMware takeover and the change in business strategy, Broadcom’s contempt and brutality towards its customers are unprecedented in the recent history of the digital economy in Europe. In view of its scale and Broadcom’s impact, this case cannot be left exclusively to competition law technicians.

The letter also discusses concerns about Broadcom driving business to the public cloud with negative consequences for the European economy.

“This will further strengthen the position and power of the hyperscalers, which will have a profound impact on the entire market,” the letter says.

It’s worth noting that this group has written letters to the commission before and that the commission approved Broadcom’s VMware acquisition in July 2023 after an antitrust probe. However, Broadcom was recently contacted by antitrust authorities in Europe regarding claims that it was changing VMware software licensing and support conditions, MLex reported on Wednesday.

Regardless of whether a government body steps in, longtime VMware users and partners are reconsidering whether the company’s vision aligns with their own businesses. Meanwhile, rivals are pushing hard to capitalize on the disruption happening at VMware.

Cloud Foundation updates

Broadcom has a couple of big updates planned for VMware’s Cloud Foundation that, execs told The Register, will help people understand the value of the new VMware.

In July, Broadcom plans to update Cloud Foundation so that a single license key can be used for all components. The update is also supposed to expand OAuth support, as the company seeks to bring single sign-on to all VMware products, and to add a VMware NSX overlay. Turner told The Register that the changes are examples of how Broadcom is trying to make VMware Cloud Foundation easier to implement than it was before Broadcom took over.

In the first half of 2025, VMware plans to release the VCF 9 update, which will be “the fullest expression of Broadcom’s vision for product integration,” Shenoy told The Register. Turner claimed that because of the update, users with multiple VMware products would no longer need individual silos for discrete storage.


OpenAI drops login requirements for ChatGPT’s free version

free as in beer? —

ChatGPT 3.5 still falls far short of GPT-4, and other models surpassed it long ago.


Benj Edwards

On Monday, OpenAI announced that visitors to the ChatGPT website in some regions can now use the AI assistant without signing in. Previously, the company required users to create an account, even for the free version of ChatGPT, which is currently powered by the GPT-3.5 AI language model. But as we have noted in the past, GPT-3.5 is widely known to produce less accurate information than GPT-4 Turbo, the model available in paid versions of ChatGPT.

Since its launch in November 2022, ChatGPT has transformed over time from a tech demo to a comprehensive AI assistant, and it’s always had a free version available. The cost is free because “you’re the product,” as the old saying goes. Using ChatGPT helps OpenAI gather data that will help the company train future AI models, although free users and ChatGPT Plus subscription members can both opt out of allowing the data they input into ChatGPT to be used for AI training. (OpenAI says it never trains on inputs from ChatGPT Team and Enterprise members at all).

Opening ChatGPT to everyone could provide a frictionless on-ramp for people who might use it as a substitute for Google Search. It could also bring in new customers by letting people try ChatGPT quickly and then offering an upsell to paid versions of the service.

“It’s core to our mission to make tools like ChatGPT broadly available so that people can experience the benefits of AI,” OpenAI says on its blog page. “For anyone that has been curious about AI’s potential but didn’t want to go through the steps to set up an account, start using ChatGPT today.”

When you visit the ChatGPT website, you’re immediately presented with a chat box like this (in some regions). Screenshot captured April 1, 2024.

Since kids will also be able to use ChatGPT without an account—despite it being against the terms of service—OpenAI also says it’s introducing “additional content safeguards,” such as blocking more prompts and “generations in a wider range of categories.” What exactly that entails has not been elaborated upon by OpenAI, but we reached out to the company for comment.

There might be a few other downsides to the fully open approach. On X, AI researcher Simon Willison wrote about the potential for automated abuse as a way to get around paying for OpenAI’s services: “I wonder how their scraping prevention works? I imagine the temptation for people to abuse this as a free 3.5 API will be pretty strong.”

With fierce competition, more GPT-3.5 access may backfire

Willison also mentioned a common criticism of OpenAI (as voiced in this case by Wharton professor Ethan Mollick) that people’s ideas about what AI models can do have so far largely been influenced by GPT-3.5, which, as we mentioned, is far less capable and far more prone to making things up than the paid version of ChatGPT that uses GPT-4 Turbo.

“In every group I speak to, from business executives to scientists, including a group of very accomplished people in Silicon Valley last night, much less than 20% of the crowd has even tried a GPT-4 class model,” wrote Mollick in a tweet from early March.

With models like Google Gemini Pro 1.5 and Anthropic Claude 3 potentially surpassing OpenAI’s best proprietary model at the moment, and open-weights AI models eclipsing the free version of ChatGPT, letting people use GPT-3.5 might not be putting OpenAI’s best foot forward. Microsoft Copilot, powered by OpenAI models, also supports a frictionless, no-login experience, but it gives access to a model based on GPT-4. Gemini, by contrast, currently requires a sign-in, and Anthropic sends a login code through email.

For now, OpenAI says the login-free version of ChatGPT is not yet available to everyone, but it will be coming soon: “We’re rolling this out gradually, with the aim to make AI accessible to anyone curious about its capabilities.”


Microsoft splits up the Teams and Office apps worldwide, following EU split

different teams —

Changes may save a bit of money for people who want Office apps without Teams.

Updated

Teams is being decoupled from the other Office apps worldwide, six months after Microsoft did the same thing for the EU.

Months after unbundling the apps in the European Union, Microsoft is taking the Office and Teams breakup worldwide. Reuters reports that Microsoft will begin selling Teams and the other Microsoft 365 apps to new commercial customers as separate products with separate price tags beginning today.

“To ensure clarity for our customers, we are extending the steps we took last year to unbundle Teams from M365 and O365 in the European Economic Area and Switzerland to customers globally,” a Microsoft spokesperson told Ars. “Doing so also addresses feedback from the European Commission by providing multinational companies more flexibility when they want to standardize their purchasing across geographies.”

The unbundling is a win for other team communication apps like Slack and videoconferencing apps like Zoom, both of which predate Teams but haven’t had the benefits of the Office apps’ huge established user base.

The separation follows an EU regulatory investigation that started in July of 2023, almost exactly three years after Slack initially filed a complaint alleging that Microsoft was “abusing its market dominance to extinguish competition in breach of European Union competition law.”

In August of 2023, Microsoft announced that it would be unbundling the apps in the EU and Switzerland in October. Bloomberg reported in September that Zoom had met with EU and US Federal Trade Commission regulators about Microsoft, further ratcheting up regulatory pressure on Microsoft.

In October, Microsoft European Government Affairs VP Nanna-Louise Linde described the unbundling and other moves as “proactive changes that we hope will start to address these concerns in a meaningful way,” though the EU investigation is ongoing, and the company may yet be fined. Linde also wrote that Microsoft would allow third-party apps like Zoom and Slack to integrate more deeply with the Office apps and that it would “enable third-party solutions to host Office web applications.”

Microsoft has put up a blog post detailing its new pricing structure here—for now, the changes only affect the Microsoft 365 plans for the Business, Enterprise, and Frontline versions of Microsoft 365. Consumer, Academic, US Government, and Nonprofit editions of Microsoft 365 aren’t changing today and will still bundle Teams as they did before.

Current Office/Microsoft 365 Enterprise customers who want to keep using the Office apps and Teams together can continue to subscribe to both at their current prices. New subscribers to the Enterprise versions of Microsoft 365/Office 365 can pay $5.25 per user per month for Teams, whether they’re buying Teams as standalone software or adding it on top of a Teams-free Office/Microsoft 365 subscription.

For the Business and Frontline Microsoft 365 versions, you can either buy the version with Teams included for the same price as before, or choose a new Teams-less option that will save you a couple of dollars per user per month. For example, the Teams-less version of Microsoft 365 Business Standard costs $10.25 per user per month, compared to $12.50 for the version that includes Teams.

Updated April 1, 2024, at 4:12 pm to add more details about pricing and a link to Microsoft’s official blog post about the announcement; also added a statement from a Microsoft spokesperson.


Redis’ license change and forking are a mess that everybody can feel bad about

Licensing is hard —

Cloud firms want a version of Redis that’s still open to managed service resale.

An Amazon Web Services (AWS) data center under construction in Stone Ridge, Virginia, in March 2024. Amazon will spend more than $150 billion on data centers in the next 15 years.

Redis, a tremendously popular in-memory data store, recently switched its licensing from the permissive open source BSD license to a dual license: the Redis Source Available License (RSALv2) and the Server Side Public License (SSPLv1).

The software project and company supporting it were fairly clear in why they did this. Redis CEO Rowan Trollope wrote on March 20 that while Redis and volunteers sponsored the bulk of the project’s code development, “the majority of Redis’ commercial sales are channeled through the largest cloud service providers, who commoditize Redis’ investments and its open source community.” Clarifying a bit, “cloud service providers hosting Redis offerings will no longer be permitted to use the source code of Redis free of charge.”

Clarifying even further: Amazon Web Services (and lesser cloud giants), you cannot continue reselling Redis as a service as part of your $90 billion business without some kind of licensed contribution back.

This generated a lot of discussion, blowback, and action. The biggest thing was a fork of the Redis project, Valkey, that is backed by The Linux Foundation and, critically, also by Amazon Web Services, Google Cloud, Oracle, Ericsson, and Snap Inc. Valkey is “fully open source,” Linux Foundation execs note, under the same kind of BSD-3-Clause license Redis carried until recently. You might note the absence of Microsoft from that list of fork supporters.

As noted by Matt Asay, who formerly ran open source strategy and marketing at AWS, most developers are “largely immune to Redis’ license change.” Asay suggests that, aside from the individual contributions of AWS engineer and former Redis core contributor Madelyn Olson (who contributed in her free time) and Alibaba’s Zhao Zhao, “The companies jumping behind the fork of Redis have done almost nothing to get Redis to its current state.”

Olson told TechCrunch that she was disappointed by Redis’ license change but not surprised. “I’m more just disappointed than anything else.” David Nally, AWS’ current director for open source strategy and marketing, demurred when asked by TechCrunch if AWS considered buying a Redis license from Redis Inc. before forking. “[F]rom an open-source perspective, we’re now invested in ensuring the success of Valkey,” Nally said.

Shifts in open source licensing have triggered previous keep-it-open forks, including OpenSearch (from ElasticSearch) and OpenTofu (from Terraform). With the backing of the Linux Foundation and some core contributors, though, Valkey will likely soon evolve far beyond a drop-in Redis replacement, and Redis is likely to follow suit.

If you’re reading all this and you don’t own a gigascale cloud provider or sit on the board of a source code licensing foundation, it’s hard to know what to make of the fiasco. Every party in this situation is doing what is legally permissible, and software from both sides will continue to be available to the wider public. Taking your ball and heading home is a longstanding tradition when parties disagree on software goals and priorities. But it feels like there had to be another way this could have worked out.


Playboy image from 1972 gets ban from IEEE computer journals

image processing —

Use of “Lenna” image in computer image processing research stretches back to the 1970s.

Aurich Lawson | Getty Images

On Wednesday, the IEEE Computer Society announced to members that, after April 1, it would no longer accept papers that include a frequently used image of a 1972 Playboy model named Lena Forsén. The so-called “Lenna image,” (Forsén added an extra “n” to her name in her Playboy appearance to aid pronunciation) has been used in image processing research since 1973 and has attracted criticism for making some women feel unwelcome in the field.

In an email from the IEEE Computer Society sent to members on Wednesday, Technical & Conference Activities Vice President Terry Benzel wrote, “IEEE’s diversity statement and supporting policies such as the IEEE Code of Ethics speak to IEEE’s commitment to promoting an inclusive and equitable culture that welcomes all. In alignment with this culture and with respect to the wishes of the subject of the image, Lena Forsén, IEEE will no longer accept submitted papers which include the ‘Lena image.’”

An uncropped version of the 512×512-pixel test image originally appeared as the centerfold for the December 1972 issue of Playboy magazine. Use of the Lenna image in image processing began in June or July 1973, when an assistant professor named Alexander Sawchuk and a graduate student at the University of Southern California Signal and Image Processing Institute scanned a square portion of the centerfold with a primitive drum scanner, omitting the nudity present in the original. They scanned it for a colleague’s conference paper, and after that, others began to use the image as well.

The original 512×512 “Lenna” test image, which is a cropped portion of a 1972 Playboy centerfold.

The image’s use spread through other papers in the 1970s, 80s, and 90s, and it caught Playboy’s attention, but the company decided to overlook the copyright violations. In 1997, Playboy helped track down Forsén, who appeared at the 50th Annual Conference of the Society for Imaging Science and Technology, signing autographs for fans. “They must be so tired of me … looking at the same picture for all these years!” she said at the time. Eileen Kent, VP of new media at Playboy, told Wired, “We decided we should exploit this, because it is a phenomenon.”

The image, which features Forsén’s face and bare shoulder as she wears a hat with a purple feather, was reportedly ideal for testing image processing systems in the early years of digital image technology due to its high contrast and varied detail. It is also a sexually suggestive photo of an attractive woman, and its use by men in the computer field has garnered criticism over the decades, especially from female scientists and engineers who felt that the image (especially related to its association with the Playboy brand) objectified women and created an academic climate where they did not feel entirely welcome.

Due to some of this criticism, which dates back to at least 1996, the journal Nature banned the use of the Lena image in paper submissions in 2018.

The comp.compression Usenet newsgroup FAQ document claims that in 1988, a Swedish publication asked Forsén if she minded her image being used in computer science, and she was reportedly pleasantly amused. In a 2019 Wired article, Linda Kinstler wrote that Forsén did not harbor resentment about the image, but she regretted that she wasn’t paid better for it originally. “I’m really proud of that picture,” she told Kinstler at the time.

Since then, Forsén has apparently changed her mind. In 2019, Creatable and Code Like a Girl created an advertising documentary titled Losing Lena, which was part of a promotional campaign aimed at removing the Lena image from use in tech and the image processing field. In a press release for the campaign and film, Forsén is quoted as saying, “I retired from modelling a long time ago. It’s time I retired from tech, too. We can make a simple change today that creates a lasting change for tomorrow. Let’s commit to losing me.”

It seems like that commitment is now being granted. The ban in IEEE publications, which have been historically important journals for computer imaging development, will likely further set a precedent toward removing the Lenna image from common use. In his email, the IEEE’s Benzel recommended wider sensitivity about the issue, writing, “In order to raise awareness of and increase author compliance with this new policy, program committee members and reviewers should look for inclusion of this image, and if present, should ask authors to replace the Lena image with an alternative.”


Backdoor found in widely used Linux utility breaks encrypted SSH connections

SUPPLY CHAIN ATTACK —

Malicious code planted in xz Utils has been circulating for more than a month.

Internet Backdoor in a string of binary code in a shape of an eye.


Researchers have found a malicious backdoor in a compression tool that made its way into widely used Linux distributions, including those from Red Hat and Debian.

The compression utility, known as xz Utils, introduced the malicious code in versions 5.6.0 and 5.6.1, according to Andres Freund, the developer who discovered it. There are no known reports of those versions being incorporated into any production releases for major Linux distributions, but both Red Hat and Debian reported that recently published beta releases used at least one of the backdoored versions—specifically, in Fedora 40 and Fedora Rawhide and Debian testing, unstable and experimental distributions. A stable release of Arch Linux is also affected. That distribution, however, isn’t used in production systems.

Because the backdoor was discovered before the malicious versions of xz Utils were added to production versions of Linux, “it’s not really affecting anyone in the real world,” Will Dormann, a senior vulnerability analyst at security firm Analygence, said in an online interview. “BUT that’s only because it was discovered early due to bad actor sloppiness. Had it not been discovered, it would have been catastrophic to the world.”

Several people, including two Ars readers, reported that multiple apps included in the Homebrew package manager for macOS rely on the backdoored 5.6.1 version of xz Utils. Homebrew has now rolled back the utility to version 5.4.6. Maintainers have more details available here.

Breaking SSH authentication

The first signs of the backdoor were introduced in a February 23 update that added obfuscated code, officials from Red Hat said in an email. An update the following day included a malicious install script that injected itself into functions used by sshd, the binary file that makes SSH work. The malicious code has resided only in the archived releases—known as tarballs—which are released upstream. The so-called Git code available in repositories isn’t affected, although it does contain second-stage artifacts allowing the injection at build time. In the event the obfuscated code introduced on February 23 is present, the artifacts in the Git version allow the backdoor to operate.

The malicious changes were submitted by JiaT75, one of the two main xz Utils developers with years of contributions to the project.

“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” an official with distributor Openwall wrote in an advisory. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes’” provided in recent updates. Those updates and fixes can be found here, here, here, and here.

On Thursday, someone using the developer’s name took to a developer site for Ubuntu to ask that the backdoored version 5.6.1 be incorporated into production versions because it fixed bugs that caused a tool known as Valgrind to malfunction.

“This could break build scripts and test pipelines that expect specific output from Valgrind in order to pass,” the person warned, from an account that was created the same day.

One of the maintainers for Fedora said Friday that the same developer approached them in recent weeks to ask that Fedora 40, a beta release, incorporate one of the backdoored utility versions.

“We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added),” the Ubuntu maintainer said.

He has been part of the xz project for two years, adding all sorts of binary test files, and with this level of sophistication, we would be suspicious of even older versions of xz until proven otherwise.

Maintainers for xz Utils didn’t immediately respond to emails asking questions.

The malicious versions, researchers said, intentionally interfere with authentication performed by SSH, a commonly used protocol for connecting remotely to systems. SSH provides robust encryption to ensure that only authorized parties connect to a remote system. The backdoor is designed to allow a malicious actor to break the authentication and, from there, gain unauthorized access to the entire system. The backdoor works by injecting code during a key phase of the login process.

“I have not yet analyzed precisely what is being checked for in the injected code, to allow unauthorized access,” Freund wrote. “Since this is running in a pre-authentication context, it seems likely to allow some form of access or other form of remote code execution.”

In some cases, the backdoor has been unable to work as intended. The build environment on Fedora 40, for example, contains incompatibilities that prevent the injection from correctly occurring. Fedora 40 has now reverted to the 5.4.x versions of xz Utils.

Xz Utils is available for most if not all Linux distributions, but not all of them include it by default. Anyone using Linux should check with their distributor immediately to determine if their system is affected. Freund provided a script for detecting if an SSH system is vulnerable.
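The two conditions the article describes, an affected xz release and an sshd that pulls in liblzma, can be checked together. The following is an added illustration, not Freund's script: it parses `xz --version` and `ldd` output (constructed samples in the test, live output when run) and reports risk only when both signals are present.

```python
"""Added illustration (not Andres Freund's detection script): a version check
and a linkage check reflecting the risk conditions described in the article."""
import re
import shutil
import subprocess
from typing import List, Optional

# The two xz Utils releases the article names as carrying the backdoor.
BACKDOORED_XZ_VERSIONS = {"5.6.0", "5.6.1"}

# First line of `xz --version` looks like "xz (XZ Utils) 5.4.6".
_VERSION_RE = re.compile(r"xz \(XZ Utils\) (\d+(?:\.\d+)+)")


def parse_xz_version(version_output: str) -> Optional[str]:
    """Extract the release number from `xz --version` output, or None."""
    match = _VERSION_RE.search(version_output)
    return match.group(1) if match else None


def is_backdoored_release(version: Optional[str]) -> bool:
    """True only for the releases the article identifies as backdoored."""
    return version in BACKDOORED_XZ_VERSIONS


def links_liblzma(ldd_output: str) -> bool:
    """True if an `ldd` listing shows liblzma among a binary's dependencies.

    On distributions where sshd is patched to link libsystemd, liblzma is
    pulled in transitively; ldd lists transitive dependencies as well.
    """
    return any("liblzma" in line for line in ldd_output.splitlines())


def assess(version_output: str, ldd_output: str) -> dict:
    """Combine both signals; only the pair is the dangerous condition."""
    version = parse_xz_version(version_output)
    backdoored = is_backdoored_release(version)
    linked = links_liblzma(ldd_output)
    return {
        "xz_version": version,
        "backdoored_release": backdoored,
        "sshd_links_liblzma": linked,
        "at_risk": backdoored and linked,
    }


def _capture(cmd: List[str]) -> str:
    """Run a command and return its stdout, or "" if it cannot be run."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


def check_local_host(sshd_path: Optional[str] = None) -> dict:
    """Gather the real outputs from this machine and assess them."""
    xz_out = _capture(["xz", "--version"]) if shutil.which("xz") else ""
    sshd = sshd_path or shutil.which("sshd") or "/usr/sbin/sshd"
    ldd_out = _capture(["ldd", sshd]) if shutil.which("ldd") else ""
    return assess(xz_out, ldd_out)


if __name__ == "__main__":
    for key, value in check_local_host().items():
        print(f"{key}: {value}")
```

A host running 5.6.0 or 5.6.1 whose sshd does not link liblzma is still carrying a backdoored build and should be downgraded per the distribution's advisory; the combined flag only says whether the SSH injection path described above is present.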


OpenAI holds back wide release of voice-cloning tech due to misuse concerns

AI speaks letters, text-to-speech or TTS, text-to-voice, speech synthesis applications, generative Artificial Intelligence, futuristic technology in language and communication.

Voice synthesis has come a long way since 1978’s Speak & Spell toy, which once wowed people with its state-of-the-art ability to read words aloud using an electronic voice. Now, using deep-learning AI models, software can create not only realistic-sounding voices, but also convincingly imitate existing voices using small samples of audio.

Along those lines, OpenAI just announced Voice Engine, a text-to-speech AI model for creating synthetic voices based on a 15-second segment of recorded audio. It has provided audio samples of the Voice Engine in action on its website.

Once a voice is cloned, a user can input text into the Voice Engine and get an AI-generated voice result. But OpenAI is not ready to widely release its technology yet. The company initially planned to launch a pilot program for developers to sign up for the Voice Engine API earlier this month. But after more consideration about ethical implications, the company decided to scale back its ambitions for now.

“In line with our approach to AI safety and our voluntary commitments, we are choosing to preview but not widely release this technology at this time,” the company writes. “We hope this preview of Voice Engine both underscores its potential and also motivates the need to bolster societal resilience against the challenges brought by ever more convincing generative models.”

Voice cloning tech in general is not particularly new—we’ve covered several AI voice synthesis models since 2022, and the tech is active in the open source community with packages like OpenVoice and XTTSv2. But the idea that OpenAI is inching toward letting anyone use their particular brand of voice tech is notable. And in some ways, the company’s reticence to release it fully might be the bigger story.

OpenAI says that benefits of its voice technology include providing reading assistance through natural-sounding voices, enabling global reach for creators by translating content while preserving native accents, supporting non-verbal individuals with personalized speech options, and assisting patients in recovering their own voice after speech-impairing conditions.

But it also means that anyone with 15 seconds of someone’s recorded voice could effectively clone it, and that has obvious implications for potential misuse. Even if OpenAI never widely releases its Voice Engine, the ability to clone voices has already caused trouble in society through phone scams where someone imitates a loved one’s voice and election campaign robocalls featuring cloned voices from politicians like Joe Biden.

Also, researchers and reporters have shown that voice-cloning technology can be used to break into bank accounts that use voice authentication (such as Chase’s Voice ID), which prompted Sen. Sherrod Brown (D-Ohio), the chairman of the US Senate Committee on Banking, Housing, and Urban Affairs, to send a letter to the CEOs of several major banks in May 2023 to inquire about the security measures banks are taking to counteract AI-powered risks.


PyPI halted new users and projects while it fended off supply-chain attack

ONSLAUGHT —

Automation is making attacks on open source code repositories harder to fight.

Supply-chain attacks, like the latest PyPI discovery, insert malicious code into seemingly functional software packages used by developers. They're becoming increasingly common.


PyPI, a vital repository for open source developers, temporarily halted new project creation and new user registration following an onslaught of package uploads that executed malicious code on any device that installed them. Ten hours later, it lifted the suspension.

Short for the Python Package Index, PyPI is the go-to source for apps and code libraries written in the Python programming language. Fortune 500 corporations and independent developers alike rely on the repository to obtain the latest versions of code needed to make their projects run. At a little after 7 pm PT on Wednesday, the site started displaying a banner message informing visitors that the site was temporarily suspending new project creation and new user registration. The message didn’t explain why or provide an estimate of when the suspension would be lifted.

Screenshot showing temporary suspension notification.


About 10 hours later, PyPI restored new project creation and new user registration. Once again, the site provided no reason for the 10-hour halt.

According to security firm Checkmarx, in the hours leading up to the closure, PyPI came under attack by users who likely used automated means to upload malicious packages that, when executed, infected user devices. The attackers used a technique known as typosquatting, which capitalizes on typos users make when entering the names of popular packages into command-line interfaces. By giving the malicious packages names that are similar to popular benign packages, the attackers count on their malicious packages being installed when someone mistakenly enters the wrong name.

“The threat actors target victims with Typosquatting attack technique using their CLI to install Python packages,” Checkmarx researchers Yehuda Gelb, Jossef Harush Kadouri, and Tzachi Zornstain wrote Thursday. “This is a multi-stage attack and the malicious payload aimed to steal crypto wallets, sensitive data from browsers (cookies, extensions data, etc.) and various credentials. In addition, the malicious payload employed a persistence mechanism to survive reboots.”

Screenshot showing some of the malicious packages found by Checkmarx.


The post said the malicious packages were “most likely created using automation” but didn’t elaborate. Attempts to reach PyPI officials for comment weren’t immediately successful. The package names mimicked those of popular packages and libraries such as Requests, Pillow, and Colorama.

The temporary suspension is only the latest event to highlight the increased threats confronting the software development ecosystem. Last month, researchers revealed an attack on open source code repository GitHub that was flooding the site with millions of packages containing obfuscated code that stole passwords and cryptocurrencies from developer devices. The malicious packages were clones of legitimate ones, making them hard to distinguish to the casual eye.

The party responsible automated a process that forked legitimate packages, meaning the source code was copied so developers could use it in an independent project that built on the original one. The result was millions of forks with names identical to the original ones. Inside the identical code was a malicious payload wrapped in multiple layers of obfuscation. While GitHub was able to remove most of the malicious packages quickly, the company wasn’t able to filter out all of them, leaving the site in a persistent loop of whack-a-mole.

Similar attacks are a fact of life for virtually all open source repositories, including npm and RubyGems.

Earlier this week, Checkmarx reported a separate supply-chain attack that also targeted Python developers. The actors in that attack cloned the Colorama tool, hid malicious code inside, and made it available for download on a fake mirror site with a typosquatted domain that mimicked the legitimate files.pythonhosted.org one. The attackers hijacked the accounts of popular developers, likely by stealing the authentication cookies they used. Then, they used the hijacked accounts to contribute malicious commits that included instructions to download the malicious Colorama clone. Checkmarx said it found evidence that some developers were successfully infected.

In Thursday’s post, the Checkmarx researchers reported:

The malicious code is located within each package’s setup.py file, enabling automatic execution upon installation.

In addition, the malicious payload employed a technique where the setup.py file contained obfuscated code that was encrypted using the Fernet encryption module. When the package was installed, the obfuscated code was automatically executed, triggering the malicious payload.


Upon execution, the malicious code within the setup.py file attempted to retrieve an additional payload from a remote server. The URL for the payload was dynamically constructed by appending the package name as a query parameter.

Screenshot of code creating dynamic URL.


The retrieved payload was also encrypted using the Fernet module. Once decrypted, the payload revealed an extensive info-stealer designed to harvest sensitive information from the victim’s machine.

The malicious payload also employed a persistence mechanism to ensure it remained active on the compromised system even after the initial execution.

Screenshot showing code that allows persistence.


Besides using typosquatting and a similar technique known as brandjacking to trick developers into installing malicious packages, threat actors also employ dependency confusion. The technique works by uploading malicious packages to public code repositories and giving them a name that’s identical to a package stored in the target developer’s internal repository that one or more of the developer’s apps depend on to work. Developers’ software management apps often favor external code libraries over internal ones, so they download and use the malicious package rather than the trusted one. In 2021, a researcher used a similar technique to successfully execute counterfeit code on networks belonging to Apple, Microsoft, Tesla, and dozens of other companies.

There are no sure-fire ways to guard against such attacks. Instead, it’s incumbent on developers to meticulously check and double-check packages before installing them, paying close attention to every letter in a name.


Ubuntu will manually review Snap Store after crypto wallet scams

Linux app distribution —

Former Canonical employee calls out the “Safe” label applied to Snap apps.

Man holding a piggy bank at his desk, with the piggy wired up with strange circuits and hardware. One thing you can say about this crypto wallet: You can’t confuse it for any other.

The Snap Store, where containerized Snap apps are distributed for Ubuntu’s Linux distribution, has been attacked for months by fake crypto wallet uploads that seek to steal users’ currencies. As a result, engineers at Ubuntu’s parent firm are now manually reviewing apps uploaded to the store before they are available.

The move follows weeks of reporting by Alan Pope, a former Canonical/Ubuntu staffer on the Snapcraft team, who is still very active in the ecosystem. In February, Pope blogged about how one bitcoin investor lost nine bitcoins (about $490,000 at the time) by using an “Exodus Wallet” app from the Snap store. Exodus is a known cryptocurrency wallet, but this wallet was not from that entity. As detailed by one user wondering what happened on the Snapcraft forums, the wallet immediately transferred his entire balance to an unknown address after a 12-word recovery phrase was entered (which Exodus tells you on support pages never to do).

Pope takes pains to note that cryptocurrency is inherently fraught with loss risk. Still, Ubuntu’s App Center, which presents the Snap Store for desktop users, tagged the “Exodus” app as “Safe,” and the web version of the Snap Store describes Snaps as “safe to run.” While Ubuntu is describing apps as “Safe” in the sense of being an auto-updating container with runtime confinement (or “sandboxed”), a green checkmark with “Safe” next to it could be misread, especially by a newcomer to Ubuntu, Snaps, and Linux generally.

More than that, Pope’s post points out that writing, packaging, and uploading the Snap to Ubuntu’s store results in an app that is “immediately searchable, and available for anyone, almost anywhere to download, install and run it” (emphasis Pope’s). There are, he noted, “No humans in the loop.”

Mark Shuttleworth, founder of Ubuntu and CEO of Canonical, responded to a related thread on whether crypto apps should be banned entirely. “I agree that cryptocurrency is largely a cesspit of ignoble intentions, even if the mathematics are interesting,” Shuttleworth wrote. At Ubuntu, it was “fair to challenge ourselves” to offer additional safety measures, “even if they will never be perfect.” Making apps safer for people vulnerable to social engineering is “a very hard problem but one I think we can and should engage in,” Shuttleworth wrote.

He did not, however, agree that cryptocurrency apps should be broadly banned.

After what Shuttleworth described as “a quiet war with these malicious actors for the past few months” (which was, according to Pope, ongoing as of earlier this month), Snaps are indeed changing.

At the Snapcraft forums, Holly Hall, product lead for Ubuntu’s backing services company Canonical, wrote last week about a new policy of manual review for all new Snap registrations. Engineering teams will review apps and reach out to publishers to verify names and intents. A name that is “suspected as being malicious or is crypto-wallet-related” will be rejected. A policy regarding how to properly publish a crypto wallet in the Snap store is forthcoming, Hall wrote.

As noted by The Register, a different sandboxed app platform (store), Flathub, recently made related changes to its validation process. Flathub now flags apps that have made notable changes to permission requests or package names. Open software repositories have long faced issues with malicious look-alike uploads, including the PyPI index for Python programming.

Ars has reached out to Canonical for comment and will update this post if we receive a response.


Proxmox gives VMware ESXi users a place to go after Broadcom kills free version

time to migrate —

Proxmox is a Linux-based hypervisor that could replace ESXi for some users.


Broadcom has made sweeping changes to VMware’s business since acquiring the company in November 2023, killing off the perpetually licensed versions of VMware’s software and instituting large-scale layoffs. Broadcom executives have acknowledged the “unease” that all of these changes have created among VMware’s customers and partners but so far haven’t been interested in backtracking.

Among the casualties of the acquisition is the free version of VMware’s vSphere Hypervisor, also known as ESXi. ESXi is “bare-metal hypervisor” software, meaning that it allows users to run multiple operating systems on a single piece of hardware while still allowing those operating systems direct access to disks, GPUs, and other system resources.

One alternative to ESXi for home users and small organizations is Proxmox Virtual Environment, a Debian-based Linux operating system that provides broadly similar functionality and has the benefit of still being an actively developed product. To help jilted ESXi users, the Proxmox team has just added a new “integrated import wizard” to Proxmox that supports importing of ESXi VMs, easing the pain of migrating between platforms.

The announcement claims that an imported ESXi VM will have “most of its config mapped to Proxmox VE’s config model” to minimize downtime. The documentation indicates that the import wizard is still “in tech preview state” and “under active development,” though it’s also said to be “working stable.” The importer works with VMs made in ESXi versions 6.5 through 8.0, which was the most recent version available before Broadcom discontinued the software.

A wiki article from Proxmox also provides more information about preparing your VMs for the move. The article recommends uninstalling guest tools made to work with ESXi, noting network configuration settings like MAC addresses or any manually assigned IP addresses, and disabling any full-disk encryption that stores its keys in your hypervisor’s virtual TPM. It’s currently not possible to migrate vTPM settings from one hypervisor to another, so booting up a VM with disk encryption enabled will require a recovery key before the machine will boot.

Like the free version of ESXi, the free version of Proxmox VE doesn’t include technical support beyond what is offered in Proxmox’s community forums. For people who use Proxmox VE and want to deploy it more widely in a business, Proxmox does offer a few subscription tiers that provide access to its more stable Enterprise Repositories and actual technical support from the software’s developers.
