An anonymous reader quotes a report from TechCrunch: Ahead of its annual GitHub Universe conference in San Francisco early this fall, GitHub announced Copilot Workspace, a dev environment that taps what GitHub describes as "Copilot-powered agents" to help developers brainstorm, plan, build, test and run code in natural language. Jonathan Carter, head of GitHub Next, GitHub's software R&D team, pitches Workspace as somewhat of an evolution of GitHub's AI-powered coding assistant Copilot into a more general tool, building on recently introduced capabilities like Copilot Chat, which lets developers ask questions about code in natural language. "Through research, we found that, for many tasks, the biggest point of friction for developers was in getting started, and in particular knowing how to approach a [coding] problem, knowing which files to edit and knowing how to consider multiple solutions and their trade-offs," Carter said. "So we wanted to build an AI assistant that could meet developers at the inception of an idea or task, reduce the activation energy needed to begin and then collaborate with them on making the necessary edits across the entire corebase."

Given a GitHub repo or a specific bug within a repo, Workspace -- underpinned by OpenAI's GPT-4 Turbo model -- can build a plan to (attempt to) squash the bug or implement a new feature, drawing on an understanding of the repo's comments, issue replies and larger codebase. Developers get suggested code for the bug fix or new feature, along with a list of the things they need to validate and test that code, plus controls to edit, save, refactor or undo it. The suggested code can be run directly in Workspace and shared among team members via an external link. Those team members, once in Workspace, can refine and tinker with the code as they see fit.

Perhaps the most obvious way to launch Workspace is from the new "Open in Workspace" button to the left of issues and pull requests in GitHub repos. Clicking on it opens a field to describe the software engineering task to be completed in natural language, like, "Add documentation for the changes in this pull request," which, once submitted, gets added to a list of "sessions" within the new dedicated Workspace view. Workspace executes requests systematically step by step, creating a specification, generating a plan and then implementing that plan. Developers can dive into any of these steps to get a granular view of the suggested code and changes and delete, re-run or re-order the steps as necessary. "Since developers spend a lot of their time working on [coding issues], we believe we can help empower developers every day through a 'thought partnership' with AI," Carter said. "You can think of Copilot Workspace as a companion experience and dev environment that complements existing tools and workflows and enables simplifying a class of developer tasks ... We believe there's a lot of value that can be delivered in an AI-native developer environment that isn't constrained by existing workflows."

An international team of scientists used 1.8 billion letters of genetic code from more than 9,500 species covering almost 8,000 known flowering plant genera to create the most up-to-date understanding of the flowering plant tree of life. The research has been published in the journal Nature. Phys.Org reports: The major milestone for plant science, led by [Royal Botanic Gardens, Kew] and involving 138 organizations internationally, was built on 15 times more data than any comparable studies of the flowering plant tree of life. Among the species sequenced for this study, more than 800 have never had their DNA sequenced before. The sheer amount of data unlocked by this research, which would take a single computer 18 years to process, is a huge stride towards building a tree of life for all 330,000 known species of flowering plants -- a massive undertaking by Kew's Tree of Life Initiative.

The flowering plant tree of life, much like our own family tree, enables us to understand how different species are related to each other. The tree of life is uncovered by comparing DNA sequences between different species to identify changes (mutations) that accumulate over time like a molecular fossil record. Our understanding of the tree of life is improving rapidly in tandem with advances in DNA sequencing technology. For this study, new genomic techniques were developed to magnetically capture hundreds of genes and hundreds of thousands of letters of genetic code from every sample, orders of magnitude more than earlier methods. A key advantage of the team's approach is that it enables a wide diversity of plant material, old and new, to be sequenced, even when the DNA is badly damaged. The vast treasure troves of dried plant material in the world's herbarium collections, which comprise nearly 400 million scientific specimens of plants, can now be studied genetically.

[...] Across all 9,506 species sequenced, more than 3,400 came from material sourced from 163 herbaria in 48 countries. Additional material from plant collections around the world (e.g., DNA banks, seeds, living collections) have been vital for filling key knowledge gaps to shed new light on the history of flowering plant evolution. The team also benefited from publicly available data for more than 1,900 species, highlighting value of the open science approach to future genomic research. Flowering plants alone account for about 90% of all known plant life on land and are found virtually everywhere on the planet -- from the steamiest tropics to the rocky outcrops of the Antarctic Peninsula. [...] Utilizing 200 fossils, the authors scaled their tree of life to time, revealing how flowering plants evolved across geological time. They found that early flowering plants did indeed explode in diversity, giving rise to more than 80% of the major lineages that exist today shortly after their origin. However, this trend then declined to a steadier rate for the next 100 million years until another surge in diversification about 40 million years ago, coinciding with a global decline in temperatures. These new insights would have fascinated Darwin and will surely help today's scientists grappling with the challenges of understanding how and why species diversify. A list of "remarkable species" included in the flowering plant tree of life is embedded below the article.

Looking ahead, the study's authors believe this data will aid future attempts to identify new species, refine plant classification, uncover new medicinal compounds, and conserve plants in the face of climate change and biodiversity loss.

quonset writes: Just over two weeks ago, NASA figured out why its Voyager 1 spacecraft stopped sending useful data. They suspected corrupted memory in its flight data system (FDS) was the culprit. Today, for the first time since November, Voyager 1 is sending useful data about its health and the status of its onboard systems back to NASA. How did NASA accomplish this feat of long distance repair? They broke up the code into smaller pieces and redistributed them throughout the memory.

From NASA: "... So they devised a plan to divide the affected code into sections and store those sections in different places in the FDS. To make this plan work, they also needed to adjust those code sections to ensure, for example, that they all still function as a whole. Any references to the location of that code in other parts of the FDS memory needed to be updated as well. The team started by singling out the code responsible for packaging the spacecraft's engineering data. They sent it to its new location in the FDS memory on April 18. A radio signal takes about 22 1/2 hours to reach Voyager 1, which is over 15 billion miles (24 billion kilometers) from Earth, and another 22 1/2 hours for a signal to come back to Earth. When the mission flight team heard back from the spacecraft on April 20, they saw that the modification worked: For the first time in five months, they have been able to check the health and status of the spacecraft. During the coming weeks, the team will relocate and adjust the other affected portions of the FDS software. These include the portions that will start returning science data.

Amazon staff went undercover on Walmart, eBay and other marketplaces as a third-party seller called "Big River," WSJ reports. The mission: to scoop up information on pricing, logistics and other business practices. From the report: For nearly a decade, workers in a warehouse in Seattle's Denny Triangle neighborhood have shipped boxes of shoes, beach chairs, Marvel T-shirts and other items to online retail customers across the U.S. The operation, called Big River Services International, sells around $1 million a year of goods through e-commerce marketplaces including eBay, Shopify, Walmart and Amazon under brand names such as Rapid Cascade and Svea Bliss. "We are entrepreneurs, thinkers, marketers and creators," Big River says on its website. "We have a passion for customers and aren't afraid to experiment."

What the website doesn't say is that Big River is an arm of Amazon that surreptitiously gathers intelligence on the tech giant's competitors. Born out of a 2015 plan code named "Project Curiosity," Big River uses its sales across multiple countries to obtain pricing data, logistics information and other details about rival e-commerce marketplaces, logistics operations and payments services, according to people familiar with Big River and corporate documents viewed by The Wall Street Journal. The team then shared that information with Amazon to incorporate into decisions about its own business.

[...] The story of Big River offers new insight into Amazon's elaborate efforts to stay ahead of rivals. Team members attended their rivals' seller conferences and met with competitors identifying themselves only as employees of Big River Services, instead of disclosing that they worked for Amazon. They were given non-Amazon email addresses to use externally -- in emails with people at Amazon, they used Amazon email addresses -- and took other extraordinary measures to keep the project secret. They disseminated their reports to Amazon executives using printed, numbered copies rather than email. Those who worked on the project weren't even supposed to discuss the relationship internally with most teams at Amazon.

An anonymous reader quotes a report from Futurism: In a new blog post from LastPass, the password management firm used by countless personal and corporate clients to help protect their login information, the company explains that someone used AI voice-cloning tech to spoof the voice of its CEO in an attempt to trick one of its employees. As the company writes in the post, one of its employees earlier this week received several WhatsApp communications -- including calls, texts, and a voice message -- from someone claiming to be its CEO, Karim Toubba. Luckily, the LastPass worker didn't fall for it because the whole thing set off so many red flags. "As the attempted communication was outside of normal business communication channels and due to the employee's suspicion regarding the presence of many of the hallmarks of a social engineering attempt (such as forced urgency)," the post reads, "our employee rightly ignored the messages and reported the incident to our internal security team so that we could take steps to both mitigate the threat and raise awareness of the tactic both internally and externally."

While this LastPass scam attempt failed, those who follow these sorts of things may recall that the company has been subject to successful hacks before. In August 2022, as a timeline of the event compiled by the Cybersecurity Dive blog detailed, a hacker compromised a LastPass engineer's laptop and used it to steal source code and company secrets, eventually getting access to its customer database -- including encrypted passwords and unencrypted user data like email addresses. According to that timeline, the clearly-resourceful bad actor remained active in the company's servers for months, and it took more than two months for LastPass to admit that it had been breached. More than six months after the initial breach, Toubba, the CEO, provided a blow-by-blow timeline of the months-long attack and said he took "full responsibility" for the way things went down in a February 2023 blog post.

Microsoft's Beijing-based research group published a new open source AI model on Tuesday, only to remove it from the internet hours later after the company realized that the model hadn't gone through adequate safety testing. From a report: The team that published the model, which is comprised of China-based researchers in Microsoft Research Asia, said in a tweet on Tuesday that they "accidentally missed" the safety testing step that Microsoft requires before models can be published.

Microsoft's AI policies require that before any AI models can be published, they must be approved by the company's Deployment Safety Board, which tests whether the models can carry out harmful tasks such as creating violent or disturbing content, according to an employee familiar with the process. In a now-deleted blog post, the researchers behind the model, dubbed WizardLM-2, said that it could carry out tasks like generating text, suggesting code, translating between different languages, or solving some math problems.

An anonymous reader shared this report from BleepingComputer: Researchers have demonstrated the "first native Spectre v2 exploit" for a new speculative execution side-channel flaw that impacts Linux systems running on many modern Intel processors. Spectre V2 is a new variant of the original Spectre attack discovered by a team of researchers at the VUSec group from VU Amsterdam. The researchers also released a tool that uses symbolic execution to identify exploitable code segments within the Linux kernel to help with mitigation.

The new finding underscores the challenges in balancing performance optimization with security, which makes addressing fundamental CPU flaws complicated even six years after the discovery of the original Spectre....

As the CERT Coordination Center (CERT/CC) disclosed yesterday, the new flaw, tracked as CVE-2024-2201, allows unauthenticated attackers to read arbitrary memory data by leveraging speculative execution, bypassing present security mechanisms designed to isolate privilege levels. "An unauthenticated attacker can exploit this vulnerability to leak privileged memory from the CPU by speculatively jumping to a chosen gadget," reads the CERT/CC announcement. "Current research shows that existing mitigation techniques of disabling privileged eBPF and enabling (Fine)IBT are insufficient in stopping BHI exploitation against the kernel/hypervisor."
"For a complete list of impacted Intel processors to the various speculative execution side-channel flaws, check this page updated by the vendor."

The Linux Foundation-backed project OpenTofu "has gotten legal pushback from HashiCorp," according to a report — just seven months after forking OpenTofu's code from HashiCorp's IT deployment software Terraform: On April 3, HashiCorp issued a strongly-worded Cease and Desist letter to OpenTofu, accusing that the project has "repeatedly taken code HashiCorp provided only under the Business Software License (BSL) and used it in a manner that violates those license terms and HashiCorp's intellectual property rights." It goes on to note that "In at least some instances, OpenTofu has incorrectly re-labeled HashiCorp's code to make it appear as if it was made available by HashiCorp originally under a different license." Last August, HashiCorp announced that it would be transitioning its software from the open source Mozilla Public License (MPL 2.0) to the Business Source License (BSL), a license that permits the source to be viewed, but not run in production environments without explicit approval by the license owner. HashiCorp gave OpenTofu until April 10 to remove any allegedly copied code from the OpenTofu repository, threatening litigation if the project fails to do so.
Others are also covering the fracas, including Steven J. Vaughan-Nichols at DevOps.com: OpenTofu replied, "The OpenTofu team vehemently disagrees with any suggestion that it misappropriated, mis-sourced, or otherwise misused HashiCorp's BSL code. All such statements have zero basis in facts." In addition, it said, HashiCorp's claims of copyright infringement are completely unsubstantiated. As for the code in question, OpenTofu claims it can clearly be shown to have been copied from older code under the Mozilla Public License (MPL) 2.0. "HashiCorp seems to have copied the same code itself when they implemented their version of this feature. All of this is easily visible in our detailed SCO analysis, as well as their own comments."

In a detailed source code origination (SCO) examination of the problematic source code, OpenTofu stated that HashiCorp was mistaken. "We believe that this is just a case of a misunderstanding where the code came from." OpenTofu maintains the code was originally licensed under the MPL, not the BSL. If so, then OpenTofu was perfectly within its right to use the code in its codebase...

[OpenTofu's lawyer] concluded, "In the future, if you should have any concerns or questions about how source code in OpenTofu is developed, we would ask that you contact us first. Immediately issuing DMCA takedown notices and igniting salacious negative press articles is not the most helpful path to resolving concerns like this."

theodp writes: From a Wednesday press release: "Code.org, in collaboration with The Piech Lab at Stanford University, launched today its AI Teaching Assistant, ushering in a new era of computer science instruction to support teachers in preparing students with the foundational skills necessary to work, live and thrive in an AI world. [...] Launching as a part of Code.org's leading Computer Science Discoveries (CSD) curriculum [for grades 6-10], the tool is designed to bolster teacher confidence in teaching computer science." EdWeek reports that in a limited pilot project involving twenty teachers nationwide, the AI computer science grading tool cut one middle school teacher's grading time in half. Code.org is now inviting an additional 300 teachers to give the tool a try. "Many teachers who lead computer science courses," EdWeek notes, "don't have a degree in the subject -- or even much training on how to teach it -- and might be the only educator in their school leading a computer science course."

Stanford's Piech Lab is headed by assistant professor of CS Chris Piech, who also runs the wildly-successful free Code in Place MOOC (30,000+ learners and counting), which teaches fundamentals from Stanford's flagship introduction to Python course. Prior to coming up with the new AI teaching assistant, which automatically assesses Code.org students' JavaScript game code, Piech worked on a Stanford Research team that partnered with Code.org nearly a decade ago to create algorithms to generate hints for K-12 students trying to solve Code.org's Hour of Code block-based programming puzzles (2015 paper [PDF]). And several years ago, Piech's lab again teamed with Code.org on Play-to-Grade, which sought to "provide scalable automated grading on all types of coding assignments" by analyzing the game play of Code.org students' projects. Play-to-Grade, a 2022 paper (PDF) noted, was "supported in part by a Stanford Hoffman-Yee Human Centered AI grant" for AI tutors to help prepare students for the 21st century workforce. That project also aimed to develop a "Super Teaching Assistant" for Piech's Code in Place MOOC. LinkedIn co-founder Reid Hoffman, who was present for the presentation of the 'AI Tutors' work he and his wife funded, is a Code.org Diamond Supporter ($1+ million). In other AI grading news, Texas will use computers to grade written answers on this year's STAAR tests. The state will save more than $15 million by using technology similar to ChatGPT to give initial scores, reducing the number of human graders needed.

NASA engineers have traced the Voyager 1 spacecraft's transmitted gibberish to corrupted memory hardware in its flight data system (FDS). "The team suspects that a single chip responsible for storing part of the affected portion of the FDS memory isn't working," NASA wrote in an update. Gizmodo reports: FDS collects data from Voyager's science instruments, as well as engineering data about the health of the spacecraft, and combines them into a single package that's transmitted to Earth through one of the probe's subsystems, the telemetry modulation unit (TMU), in binary code. FDS and TMU have been having trouble communicating with one another. As a result, TMU has been sending data to mission control in a repeating pattern of ones and zeroes. NASA's engineers aren't quite sure what corrupted the FDS memory hardware; they think that either the chip was hit by an energetic particle from space or that it's just worn out after operating for 46 years. [...] The engineers are hoping to resolve the issue by finding a way for FDS to operate normally without the corrupted memory hardware, enabling Voyager 1 to begin transmitting data about the cosmos and continue its journey through deep space.

An anonymous reader shared this report from The Register: Chinese spies exploited a couple of critical-severity bugs in F5 and ConnectWise equipment earlier this year to sell access to compromised U.S. defense organizations, UK government agencies, and hundreds of other entities, according to Mandiant.

The Google-owned threat hunters said they assess, "with moderate confidence," that a crew they track as UNC5174 was behind the exploitation of CVE-2023-46747, a 9.8-out-of-10-CVSS-rated remote code execution bug in the F5 BIG-IP Traffic Management User Interface, and CVE-2024-1709, a path traversal flaw in ConnectWise ScreenConnect that scored a perfect 10 out of 10 CVSS severity rating.

UNC5174 uses the online persona Uteus, and has bragged about its links to China's Ministry of State Security (MSS) — boasts that may well be true. The gang focuses on gaining initial access into victim organizations and then reselling access to valuable targets... Just last month, Mandiant noticed the same combination of tools, believed to be unique to this particular Chinese gang, being used to exploit the ConnectWise flaw and compromise "hundreds" or entities, mostly in the U.S. and Canada. Also between October 2023 and February 2024, UNC5174 exploited CVE-2023-22518 in Atlassian Confluence, CVE-2022-0185 in Linux kernels, and CVE-2022-3052, a Zyxel Firewall OS command injection vulnerability, according to Mandiant.

These campaigns included "extensive reconnaissance, web application fuzzing, and aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the U.S., Oceania, and Hong Kong regions," the threat intel team noted.
More details from The Record. "One of the strangest things the researchers found was that UNC5174 would create backdoors into compromised systems and then patch the vulnerability they used to break in. Mandiant said it believes this was an 'attempt to limit subsequent exploitation of the system by additional unrelated threat actors attempting to access the appliance.'"

"There is a new side channel attack against Apple 'M' series CPUs that does not appear to be fixable without a major performance hit," writes Slashdot reader EncryptedSoldier. SecurityWeek reports: A team of researchers representing several universities in the United States has disclosed the details of a new side-channel attack method that can be used to extract secret encryption keys from systems powered by Apple CPUs. The attack method, dubbed GoFetch, has been described as a microarchitectural side-channel attack that allows the extraction of secret keys from constant-time cryptographic implementations. These types of attacks require local access to the targeted system. The attack targets a hardware optimization named data memory-dependent prefetcher (DMP), which attempts to prefetch addresses found in the contents of program memory to improve performance.

The researchers have found a way to use specially crafted cryptographic operation inputs that allow them to infer secret keys, guessing them bits at a time by monitoring the behavior of the DMP. They managed to demonstrate end-to-end key extraction attacks against several crypto implementations, including OpenSSL Diffie-Hellman Key Exchange, Go RSA, and the post-quantum CRYSTALS-Kyber and CRYSTALS-Dilithium. The researchers have conducted successful GoFetch attacks against systems powered by Apple M1 processors, and they have found evidence that the attack could also work against M2 and M3 processors. They have also tested an Intel processor that uses DMP, but found that it's 'more robust' against such attacks.

The experts said Apple is investigating the issue, but fully addressing it does not seem trivial. The researchers have proposed several countermeasures, but they involve hardware changes that are not easy to implement or mitigations that can have a significant impact on performance. Apple told SecurityWeek that it thanks the researchers for their collaboration as this work advances the company's understanding of these types of threats. The tech giant also shared a link to a developer page that outlines one of the mitigations mentioned by the researchers. The researchers have published a paper (PDF) detailing their work.

Ars Technica's Dan Goodin also reported on the vulnerability.

An anonymous reader quotes a report from Wired: When thousands of security researchers descend on Las Vegas every August for what's come to be known as "hacker summer camp," the back-to-back Black Hat and Defcon hacker conferences, it's a given that some of them will experiment with hacking the infrastructure of Vegas itself, the city's elaborate array of casino and hospitality technology. But at one private event in 2022, a select group of researchers were actually invited to hack a Vegas hotel room, competing in a suite crowded with their laptops and cans of Red Bull to find digital vulnerabilities in every one of the room's gadgets, from its TV to its bedside VoIP phone. One team of hackers spent those days focused on the lock on the room's door, perhaps its most sensitive piece of technology of all. Now, more than a year and a half later, they're finally bringing to light the results of that work: a technique they discovered that would allow an intruder to open any of millions of hotel rooms worldwide in seconds, with just two taps.

Today, Ian Carroll, Lennert Wouters, and a team of other security researchers are revealing a hotel keycard hacking technique they call Unsaflok. The technique is a collection of security vulnerabilities that would allow a hacker to almost instantly open several models of Saflok-brand RFID-based keycard locks sold by the Swiss lock maker Dormakaba. The Saflok systems are installed on 3 million doors worldwide, inside 13,000 properties in 131 countries. By exploiting weaknesses in both Dormakaba's encryption and the underlying RFID system Dormakaba uses, known as MIFARE Classic, Carroll and Wouters have demonstrated just how easily they can open a Saflok keycard lock. Their technique starts with obtaining any keycard from a target hotel -- say, by booking a room there or grabbing a keycard out of a box of used ones -- then reading a certain code from that card with a $300 RFID read-write device, and finally writing two keycards of their own. When they merely tap those two cards on a lock, the first rewrites a certain piece of the lock's data, and the second opens it.

Dormakaba says that it's been working since early last year to make hotels that use Saflok aware of their security flaws and to help them fix or replace the vulnerable locks. For many of the Saflok systems sold in the last eight years, there's no hardware replacement necessary for each individual lock. Instead, hotels will only need to update or replace the front desk management system and have a technician carry out a relatively quick reprogramming of each lock, door by door. Wouters and Carroll say they were nonetheless told by Dormakaba that, as of this month, only 36 percent of installed Safloks have been updated. Given that the locks aren't connected to the internet and some older locks will still need a hardware upgrade, they say the full fix will still likely take months longer to roll out, at the very least. Some older installations may take years.

"Engineers have sent a 'poke' to the Voyager 1 probe," reports CNN, "and received a potentially encouraging response..."

"A new signal recently received from the spacecraft suggests that the NASA mission team may be making progress in its quest to understand what Voyager 1 is experiencing..." [T]hey hope to fix a communication issue with the aging spacecraft that has persisted for five months. Launched in 1977, Voyager 1 and its twin, Voyager 2, are venturing through uncharted cosmic territory along the outer reaches of the solar system. While Voyager 1 has continued to relay a steady radio signal to its mission control team on Earth, that signal has not carried any usable data since November, which has pointed to an issue with one of the spacecraft's three onboard computers...

On March 3, the team noticed that activity from one part of the flight data system stood out from the rest of the garbled data. While the signal wasn't in the format the Voyager team is used to when the flight data system is functioning as expected, an engineer with NASA's Deep Space Network was able to decode it... The decoded signal included a readout of the entire flight data system's memory, according to an update NASA shared.

"The (flight data system) memory includes its code, or instructions for what to do, as well as variables, or values used in the code that can change based on commands or the spacecraft's status," according to a NASA blog post. "It also contains science or engineering data for downlink. The team will compare this readout to the one that came down before the issue arose and look for discrepancies in the code and the variables to potentially find the source of the ongoing issue."
"The source of the issue appears to be with one of three onboard computers, the flight data subsystem (FDS), which is responsible for packaging the science and engineering data before it's sent to Earth," according to NASA's statement.

CNN reminds readers that Voyager 1 "is currently the farthest spacecraft from Earth at about 15 billion miles (24 billion kilometers) away." Both Voyager 1 and Voyager 2 are now in interstellar space.

Thanks to Slashdot reader Thelasko for sharing the news.

A new startup called Cognition AI can turn a user's prompt into a website or video game. From a report: A new installment of Silicon Valley's most exciting game, Are We in a Bubble?!, has begun. This time around the game's premise hinges on whether AI technology is poised to change the world as the consumer internet did -- or even more dramatically -- or peter out and leave us with some advances but not a new global economy. This game isn't easy to play, and the available data points often prove more confusing than enlightening. Take the case of Cognition AI Inc.

You almost certainly have not heard of this startup, in part because it's been trying to keep itself secret and in part because it didn't even officially exist as a corporation until two months ago. And yet this very, very young company, whose 10-person staff has been splitting time between Airbnbs in Silicon Valley and home offices in New York, has raised $21 million from Peter Thiel's venture capital firm Founders Fund and other brand-name investors, including former Twitter executive Elad Gil. They're betting on Cognition AI's team and its main invention, which is called Devin.

Devin is a software development assistant in the vein of Copilot, which was built by GitHub, Microsoft and OpenAI, but, like, a next-level software development assistant. Instead of just offering coding suggestions and autocompleting some tasks, Devin can take on and finish an entire software project on its own. To put it to work, you give it a job -- "Create a website that maps all the Italian restaurants in Sydney," say -- and the software performs a search to find the restaurants, gets their addresses and contact information, then builds and publishes a site displaying the information. As it works, Devin shows all the tasks it's performing and finds and fixes bugs on its own as it tests the code being written. The founders of Cognition AI are Scott Wu, its chief executive officer; Steven Hao, the chief technology officer; and Walden Yan, the chief product officer. Hao was most recently one of the top engineers at Scale AI, a richly valued startup that helps train AI systems. Yan, until recently at Harvard University, requested that his status at the school be left ambiguous because he hasn't yet had the talk with his parents.

Contributors from Apple, Google, Microsoft, and Mozilla, writing for BrowserBench: Since the initial version of the Speedometer benchmark was released in 2014 by the WebKit team, it has become a key tool for browser engines to drive performance optimizations as users and developers continue to demand richer and smoother experiences online.

We're proud to release Speedometer 3.0 today as a collaborative effort between the three major browser engines: Blink, Gecko, and WebKit. Like previous releases (Speedometer 2 in 2018 and Speedometer 1 in 2014), it's designed to measure web application responsiveness by simulating user interactions on real web pages. Today's release of Speedometer 3.0 marks a major step forward in web browser performance testing: it introduces a better way of measuring performance and a more representative set of tests that reflect the modern Web.

This is the first time the Speedometer benchmark, or any major browser benchmark, has been developed through a cross-industry collaboration supported by each major browser engine: Blink/V8, Gecko/SpiderMonkey, and WebKit/JavaScriptCore. It's been developed under a new governance model, driven by consensus, and is hosted in a shared repository that's open to contribution. This new structure involves a lot of collective effort: discussions, research, debates, decisions, and hundreds of PRs since we announced the project in December 2022.

Speedometer 3 adds many new tests. We started designing this new benchmark by identifying some key scenarios and user interactions that we felt were important for browsers to optimize. In particular, we added new tests that simulate rendering canvas and SVG charts (React Stockcharts, Chart.js, Perf Dashboard, and Observable Plot), code editing (CodeMirror), WYSIWYG editing (TipTap), and reading news sites (Next.js and Nuxt.js).

Microsoft revealed earlier this year that Russian state-sponsored hackers had been spying on the email accounts of some members of its senior leadership team. Now, Microsoft is disclosing that the attack, from the same group behind the SolarWinds attack, has also led to some source code being stolen in what Microsoft describes as an ongoing attack. From a report: "In recent weeks, we have seen evidence that Midnight Blizzard [Nobelium] is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access," explains Microsoft in a blog post. "This has included access to some of the company's source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised."

It's not clear what source code was accessed, but Microsoft warns that the Nobelium group, or "Midnight Blizzard," as Microsoft refers to them, is now attempting to use "secrets of different types it has found" to try to further breach the software giant and potentially its customers. "Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures," says Microsoft.

An anonymous reader quotes a report from Krebs on Security: There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. "ALPHV") as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change's network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate's disclosure appears to have prompted BlackCat to cease operations entirely. [...]

The affiliate claimed BlackCat/ALPHV took the $22 million payment but never paid him his percentage of the ransom. BlackCat is known as a "ransomware-as-service" collective, meaning they rely on freelancers or affiliates to infect new networks with their ransomware. And those affiliates in turn earn commissions ranging from 60 to 90 percent of any ransom amount paid. "But after receiving the payment ALPHV team decide to suspend our account and keep lying and delaying when we contacted ALPHV admin," the affiliate "Notchy" wrote. "Sadly for Change Healthcare, their data [is] still with us." [...] On the bright side, Notchy's complaint seems to have been the final nail in the coffin for the BlackCat ransomware group, which was infiltrated by the FBI and foreign law enforcement partners in late December 2023. As part of that action, the government seized the BlackCat website and released a decryption tool to help victims recover their systems. BlackCat responded by re-forming, and increasing affiliate commissions to as much as 90 percent. The ransomware group also declared it was formally removing any restrictions or discouragement against targeting hospitals and healthcare providers. However, instead of responding that they would compensate and placate Notchy, a representative for BlackCat said today the group was shutting down and that it had already found a buyer for its ransomware source code. [...] BlackCat's website now features a seizure notice from the FBI, but several researchers noted that this image seems to have been merely cut and pasted from the notice the FBI left in its December raid of BlackCat's network.

Fabian Wosar, head of ransomware research at the security firm Emsisoft, said it appears BlackCat leaders are trying to pull an "exit scam" on affiliates by withholding many ransomware payment commissions at once and shutting down the service. "ALPHV/BlackCat did not get seized," Wosar wrote on Twitter/X today. "They are exit scamming their affiliates. It is blatantly obvious when you check the source code of their new takedown notice." Dmitry Smilyanets, a researcher for the security firm Recorded Future, said BlackCat's exit scam was especially dangerous because the affiliate still has all the stolen data, and could still demand additional payment or leak the information on his own. "The affiliates still have this data, and they're mad they didn't receive this money, Smilyanets told Wired.com. "It's a good lesson for everyone. You cannot trust criminals; their word is worth nothing."

An anonymous reader quotes a report from Liliputing: Yuzu is a free and open source emulator that makes it possible to run Nintendo Switch games on Windows, Linux, and Android devices. First released in 2018, the software has been under constant development since then (the Android port was released less than a year ago). But last week Nintendo sued the developers, claiming that the primary purpose of the software is to circumvent Nintendo Switch encryption and allow users to play pirated games. Rather than fight the case in court, Tropic Haze (the developers behind Yuzu) have agreed to a settlement which involves paying $2.4 million in damages to Nintendo and basically shutting down Yuzu.

As part of a permanent injunction, Tropic Haze has agreed to stop distributing, advertising, or promoting Yuzu or any of its source code or features or any other "software or devices that circumvent Nintendo's technical protection measures." The court is also ordering the developers to turn over the yuzu-emu.org website to Nintendo and bars them "from supporting or facilitating access" to any other related websites, social media, chatrooms, or apps. In one of the more bizarre parts of the court order, the Yuzu team is told to delete all "circumvention devices," which includes any tools used for development of Yuzu and "all copies of Yuzu."

Rust's official survey team released results from their 8th annual survey "focused on gathering insights and feedback from Rust users". In terms of operating systems used by Rustaceans, the situation is very similar to the results from 2022, with Linux being the most popular choice of Rust users [69.7%], followed by macOS [33.5%] and Windows [31.9%], which have a very similar share of usage. Rust programmers target a diverse set of platforms with their Rust programs, even though the most popular target by far is still a Linux machine [85.4%]. We can see a slight uptick in users targeting WebAssembly [27.1%], embedded and mobile platforms, which speaks to the versatility of Rust.

We cannot of course forget the favourite topic of many programmers: which IDE (developer environment) do they use. Visual Studio Code still seems to be the most popular option [61.7%], with RustRover (which was released last year) also gaining some traction [16.4%].
The site ITPro spoke to James Governor, co-founder of the developer-focused analyst firm RedMonk, who said Rust's usage is "steadily increasing", pointing to its adoption among hyperscalers and cloud companies and in new infrastructure projects. "Rust is not crossing over yet as a general-purpose programming language, as Python did when it overtook Java, but it's seeing steady growth in adoption, which we expect to continue. It seems like a sustainable success story at this point."

But InfoWorld writes that "while the use of Rust language by professional programmers continues to grow, Rust users expressed concerns about the language becoming too complex and the low level of Rust usage in the tech industry." Among the 9,374 respondents who shared their main worries for the future of Rust, 43% were most concerned about Rust becoming too complex, a five percentage point increase from 2022; 42% were most concerned about low usage of Rust in the tech industry; and 32% were most concerned about Rust developers and maintainers not being properly supported, a six percentage point increase from 2022. Further, the percentage of respondents who were not at all concerned about the future of Rust fell, from 30% in 2022 to 18% in 2023.