Security

Secure Boot Is Completely Broken On 200+ Models From 5 Big Device Makers (arstechnica.com)

An anonymous reader quotes a report from Ars Technica, written by Dan Goodin: On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what's known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it. The repository was located at https://github.com/raywu-aaeon..., and it's not clear when it was taken down. The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text. The disclosure of the key went largely unnoticed until January 2023, when Binarly researchers found it while investigating a supply-chain incident. Now that the leak has come to light, security experts say it effectively torpedoes the security assurances offered by Secure Boot.

Binarly researchers said their scans of firmware images uncovered 215 devices that use the compromised key, which can be identified by the certificate serial number 55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4. A table appearing at the end of this article lists each one. The researchers soon discovered that the compromise of the key was just the beginning of a much bigger supply-chain breakdown that raises serious doubts about the integrity of Secure Boot on more than 300 additional device models from virtually all major device manufacturers. As is the case with the platform key compromised in the 2022 GitHub leak, an additional 21 platform keys contain the strings "DO NOT SHIP" or "DO NOT TRUST." These keys were created by AMI, one of the three main providers of software developer kits that device makers use to customize their UEFI firmware so it will run on their specific hardware configurations. As the strings suggest, the keys were never intended to be used in production systems. Instead, AMI provided them to customers or prospective customers for testing. For reasons that aren't clear, the test keys made their way into devices from a nearly inexhaustive roster of makers. In addition to the five makers mentioned earlier, they include Aopen, Foremelife, Fujitsu, HP, Lenovo, and Supermicro.

Cryptographic key management best practices call for credentials such as production platform keys to be unique for every product line or, at a minimum, to be unique to a given device manufacturer. Best practices also dictate that keys should be rotated periodically. The test keys discovered by Binarly, by contrast, were shared for more than a decade among more than a dozen independent device makers. The result is that the keys can no longer be trusted because the private portion of them is an open industry secret. Binarly has named its discovery PKfail in recognition of the massive supply-chain snafu resulting from the industry-wide failure to properly manage platform keys. The report is available here. Proof-of-concept videos are here and here. Binarly has provided a scanning tool here.
"It's a big problem," said Martin Smolar, a malware analyst specializing in rootkits who reviewed the Binarly research. "It's basically an unlimited Secure Boot bypass for these devices that use this platform key. So until device manufacturers or OEMs provide firmware updates, anyone can basically... execute any malware or untrusted code during system boot. Of course, privileged access is required, but that's not a problem in many cases."

Binarly founder and CEO Alex Matrosov added: "Imagine all the people in an apartment building have the same front door lock and key. If anyone loses the key, it could be a problem for the entire building. But what if things are even worse and other buildings have the same lock and the keys?"
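One way a defender can check a machine's own PK for the indicators described above (the leaked certificate serial and the AMI "DO NOT SHIP" / "DO NOT TRUST" strings), as an added example that is neither Binarly's scanner nor code from the article: it walks the EFI_SIGNATURE_LIST format and the certificate's DER header with the standard library only. The efivarfs path is an assumption about a Linux host, and the sample PK blob is constructed; its stub certificate carries only the fields the checker reads.

```python
import struct
import uuid

# EFI_CERT_X509_GUID: signature type for X.509 DER certificates in an EFI_SIGNATURE_LIST
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Serial number of the platform key certificate leaked in 2022 (from the article)
PKFAIL_SERIAL = "55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4"
# Strings found in the AMI test keys (from the article)
TEST_KEY_MARKERS = (b"DO NOT SHIP", b"DO NOT TRUST")
# efivarfs path of the PK variable under the EFI global variable GUID (assumes a Linux host)
PK_EFIVAR = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"

def parse_signature_lists(data):
    """Split concatenated EFI_SIGNATURE_LIST structures into (type GUID, owner GUID, payload)."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if list_size < 28 or end > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:
            # EFI_SIGNATURE_DATA = SignatureOwner GUID (16 bytes) + SignatureData
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def _der_tlv(buf, off):
    """Decode one DER tag/length; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length

def cert_serial(der):
    """Return the serialNumber of a DER X.509 certificate as colon-separated lowercase hex."""
    _, tbs, _ = _der_tlv(der, 0)            # Certificate SEQUENCE
    _, first, _ = _der_tlv(der, tbs)        # TBSCertificate SEQUENCE
    tag, vs, ve = _der_tlv(der, first)
    if tag == 0xA0:                         # optional [0] EXPLICIT version precedes the serial
        tag, vs, ve = _der_tlv(der, ve)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    raw = der[vs:ve]
    if len(raw) > 1 and raw[0] == 0:        # DER pads positive integers with a leading 0x00
        raw = raw[1:]
    return ":".join(f"{b:02x}" for b in raw)

def assess_pk(pk_variable):
    """Return PKfail findings for a raw PK value as read from efivarfs (4 attribute bytes + lists)."""
    findings = []
    for sig_type, _owner, blob in parse_signature_lists(pk_variable[4:]):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        serial = cert_serial(blob)
        if serial == PKFAIL_SERIAL:
            findings.append(f"serial {serial} matches the leaked PKfail platform key")
        for marker in TEST_KEY_MARKERS:
            if marker in blob:
                findings.append(f"certificate contains test-key marker {marker.decode()!r}")
    return findings

def _der(tag, payload):
    """Minimal DER encoder used only to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def build_sample_pk(serial_hex, subject_cn):
    """Constructed PK variable: a stub certificate with only the fields this checker inspects."""
    serial = bytes.fromhex(serial_hex.replace(":", ""))
    if serial[0] & 0x80:
        serial = b"\x00" + serial
    cn_attr = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, subject_cn.encode()))
    name = _der(0x30, _der(0x31, cn_attr))                          # Name: SET of one CN attribute
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial) + name)
    cert = _der(0x30, tbs)
    owner = uuid.UUID("00000000-0000-0000-0000-000000000001")        # constructed owner GUID
    sig = owner.bytes_le + cert
    esl = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig
    return struct.pack("<I", 0x27) + esl                             # NV|BS|RT|TIME_BASED_AUTH

if __name__ == "__main__":
    try:
        with open(PK_EFIVAR, "rb") as f:
            data = f.read()
    except OSError:                                                  # not a UEFI Linux host
        data = build_sample_pk(PKFAIL_SERIAL, "DO NOT TRUST - AMI Test PK")
    for line in assess_pk(data) or ["no PKfail indicators found"]:
        print(line)
```

A match on either indicator means the device's root of trust is a publicly known or vendor test key, and a firmware update from the OEM is the remediation.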
Cloud

Microsoft: Linux Is the Top Operating System on Azure Today (thenewstack.io)

Azure used to be a cloud platform dedicated to Windows. Now Linux is the most widely used operating system on Microsoft Azure. The New Stack's Joab Jackson writes: These days, Microsoft expends considerable effort to ensure that Linux runs as smoothly as possible on Azure, according to a talk given earlier this year at the Linux Foundation Open Source Summit by two Microsoft Azure Linux Platforms Group program managers, Jack Aboutboul and Krum Kashan. "Linux is the #1 operating system in Azure today," Aboutboul said. And all must be supported in a way that Microsoft users have come to expect. Hence the need for Microsoft's Linux Platforms Group, which provides Linux support to both internal customers and Azure customers. These days, the duo of engineers explained, Microsoft knows about as much as anyone about how to operate Linux at hyperscale. [...]

As of today, there are hundreds of Azure and Azure-based services running on Linux, including the Azure Kubernetes Service (AKS), OpenAI, HDInsight, and many of the other database services. "A lot of the infrastructure powering everything else is running on Linux," Aboutboul said. "They're different flavors of Linux running all over the place," Aboutboul said. To run these services, Microsoft maintains its own kernel, Azure Linux, and in 2023 the company released its own version of Linux, Azure Linux. But Azure Linux is just a small portion of all the other flavors of Linux running on Azure, all of which Microsoft must work with to support.

Overall, there are about 20,000 third-party Software as a Service (SaaS) packages in the Azure marketplace that rely on some Linux distribution. And when things go wrong, it is the Azure service engineers who get the help tickets. The company keeps a set of endorsed Linux distributions, which include Red Hat Enterprise Linux, Debian, Flatcar, Suse, Canonical, and Oracle Linux and CentOS (as managed by OpenLogic, not Red Hat). [...] Overall, the company gets about 1,000 images a month from these endorsed partners alone. Many of the distributions have multiple images (Suse has a regular one, and another one for high-performance computing, for instance).

Security

Indian Crypto Exchange Halts Withdrawals After Losing Half Its Reserves in Security Breach (techcrunch.com)

An anonymous reader shares a report: Indian crypto exchange WazirX on Thursday confirmed it had suffered a security breach after about $230 million in assets were "suspiciously transferred" out of the platform earlier in the day. The Mumbai-based firm said one of its multisig wallets had suffered a security breach, and it was temporarily pausing all withdrawals from the platform.

Lookchain, a third-party blockchain explorer, reported that more than 200 cryptocurrencies, including 5.43 billion SHIB tokens, over 15,200 Ethereum tokens, 20.5 million Matic tokens, 640 billion Pepe tokens, 5.79 million USDT, and 135 million Gala tokens were "stolen" from the platform.
WazirX reported holdings of about $500 million in its June proof-of-reserves disclosure.
Space

NATO Countries Pledge $1 Billion To Strengthen Collection, Sharing of Space-Based Intel (defensescoop.com)

An anonymous reader quotes a report from DefenseScoop: A group of NATO countries are set to begin implementing a new project aimed at improving the alliance's ability to quickly share intelligence gathered by space-based assets operated by both member nations and the commercial sector. Seventeen NATO members signed a memorandum of understanding for the Alliance Persistent Surveillance from Space (APSS) program as part of the annual NATO summit being held in Washington this week, the alliance announced Tuesday. Members will now move into a five-year implementation phase of the project, during which allies will contribute more than $1 billion "to leverage commercial and national space assets, and to expand advanced exploitation capacities," according to a press release.

The United States is one of the nations signed onto the initiative, as well as Belgium, Canada, Denmark, Finland, France, Germany, Greece, Hungary, Italy, Luxembourg, the Netherlands, Norway, Poland, Romania, Sweden and Turkey, according to a NATO source. The transatlantic organization created APSS last year with the intent to establish a "virtual constellation" -- dubbed Aquila -- comprising both national and commercial space systems, sensors and data that can be used by NATO's command structure and other allies. The project is considered "the largest multinational investment in space-based capabilities" in the alliance's history, and is set to increase NATO's ability "to monitor activities on the ground and at sea with unprecedented accuracy and timeliness," a press release stated.

Participating nations will be able to use their own space systems, provide tools for intelligence collection and analysis, or purchase space-based data gathered by commercial constellations. "Integrating and exploiting data from space effectively has been a growing challenge over time," a NATO press release stated. "By leveraging latest technologies from industry, APSS will help advance NATO's innovation agenda and offer a new platform to engage with the growing space industry." The APSS project is part of the larger implementation of NATO's overarching space policy adopted in 2019, which officially recognized space as a new operational domain. Since then, the alliance has worked to bolster its presence in space -- including the establishment of a NATO Space Centre in 2020 and approval of an official Space Branch within the Allied Command Transformation in June.

The Internet

iLounge and the Unofficial Apple Weblog Are Back As Unethical AI Content Farms

An anonymous reader quotes a report from Ars Technica, written by Samuel Axon: In one of the most egregiously unethical uses of AI we've seen, a web advertising company has re-created some defunct, classic tech blogs like The Unofficial Apple Weblog (TUAW) and iLounge by mimicking the bylines of the websites' former writers and publishing AI-generated content under their names. The Verge reported on the fiasco in detail, including speaking to Christina Warren, a former writer for TUAW who now works at GitHub. Warren took to the social media platform Threads yesterday to point out that someone had re-launched TUAW at its original domain and populated it with fake content allegedly written by her and other past TUAW staff. Some of the content simply reworded articles that originally appeared on TUAW, while other articles tied real writers' names to new, AI-generated articles about current events.

TUAW was shut down in 2015, but its intellectual property and domain name continued to be owned by Yahoo. A Hong Kong-based web advertising firm named Web Orange Limited claims to have purchased the domain and brand name but not the content. The domain name still carries some value in terms of Google ranking, so Web Orange Limited seems to have relaunched the site and then used AI summarization tools to reword the original content and publish it under the original authors' names. (It did the same with another classic Apple blog, iLounge.) The site also includes author bios, which are generic and may have been generated, and they are accompanied by author photos that don't look anything like the real writers. The Verge found that some of these same photos have appeared in other places, like web display ads for iPhone cases and dating websites. They may have been AI-generated, though the company has also been caught reusing photos of real people without permission in other contexts.

At first, some of Web Orange Limited's websites named Haider Ali Khan, an Australian currently residing in Dubai, as the owner of the company. Khan's own website identified him as "an independent cyber security analyst" and "long-time advocate for web security" who also runs a web hosting company, and who "started investing in several technology reporting websites" and "manages and runs several news blogs such as the well-known Apple tech-news blog iLounge." However, mentions of his name were removed from the websites today, and the details on his personal website have apparently been taken offline. Warren emailed the company, threatening legal action. After she did that, the byline was changed to what we can only assume is a made-up name -- "Mary Brown." The same goes for many of the other author names on Web Orange Limited's websites.

The company likely tried to use the original authors' names as part of an SEO play; Google tracks the names of authors and gives them authority rankings on specific topics as another layer on top of a website's own authority. That way, Google can try to respond to user queries with results written by people who have built strong reputations in the users' areas of interest. It also helps Google surface authors who are experts on a topic but who write for multiple websites, which is common among freelance writers. The websites are still operational, even though arguably the most egregious breach of ethics -- the false use of real people's names -- has been addressed in many cases.
Science

Get Ready For Nuclear Clocks (arxiv.org)

Long-time Slashdot reader jrronimo says JILA physicist Jun Ye's group "has made a breakthrough towards the next stage of precision timekeeping."

From their paper recently published to arXiv: Optical atomic clocks use electronic energy levels to precisely keep track of time. A clock based on nuclear energy levels promises a next-generation platform for precision metrology and fundamental physics studies.... These results mark the start of nuclear-based solid-state optical clocks and demonstrate the first comparison of nuclear and atomic clocks for fundamental physics studies. This work represents a confluence of precision metrology, ultrafast strong field physics, nuclear physics, and fundamental physics.
Security

Shopping App Temu Is 'Dangerous Malware,' Spying On Your Texts, Lawsuit Claims (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Temu -- the Chinese shopping app that has rapidly grown so popular in the US that even Amazon is reportedly trying to copy it -- is "dangerous malware" that's secretly monetizing a broad swath of unauthorized user data, Arkansas Attorney General Tim Griffin alleged in a lawsuit (PDF) filed Tuesday. Griffin cited research and media reports exposing Temu's allegedly nefarious design, which "purposely" allows Temu to "gain unrestricted access to a user's phone operating system, including, but not limited to, a user's camera, specific location, contacts, text messages, documents, and other applications."

"Temu is designed to make this expansive access undetected, even by sophisticated users," Griffin's complaint said. "Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place." Griffin fears that Temu is capable of accessing virtually all data on a person's phone, exposing both users and non-users to extreme privacy and security risks. It appears that anyone texting or emailing someone with the shopping app installed risks Temu accessing private data, Griffin's suit claimed, which Temu then allegedly monetizes by selling it to third parties, "profiting at the direct expense" of users' privacy rights. "Compounding" risks is the possibility that Temu's Chinese owners, PDD Holdings, are legally obligated to share data with the Chinese government, the lawsuit said, due to Chinese "laws that mandate secret cooperation with China's intelligence apparatus regardless of any data protection guarantees existing in the United States."

Griffin's suit cited an extensive forensic investigation into Temu by Grizzly Research -- which analyzes publicly traded companies to inform investors -- last September. In their report, Grizzly Research alleged that PDD Holdings is a "fraudulent company" and that "Temu is cleverly hidden spyware that poses an urgent security threat to United States national interests." As Griffin sees it, Temu baits users with misleading promises of discounted, quality goods, angling to get access to as much user data as possible by adding addictive features that keep users logged in, like spinning a wheel for deals. Meanwhile, hundreds of complaints to the Better Business Bureau showed that Temu's goods are actually low-quality, Griffin alleged, apparently supporting his claim that Temu's end goal isn't to be the world's biggest shopping platform but to steal data. Investigators agreed, the lawsuit said, concluding "we strongly suspect that Temu is already, or intends to, illegally sell stolen data from Western country customers to sustain a business model that is otherwise doomed for failure." Seeking an injunction to stop Temu from allegedly spying on users, Griffin is hoping a jury will find that Temu's alleged practices violated the Arkansas Deceptive Trade Practices Act (ADTPA) and the Arkansas Personal Information Protection Act. If Temu loses, it could be on the hook for $10,000 per violation of the ADTPA and ordered to disgorge profits from data sales and deceptive sales on the app.
In a statement to Ars, a Temu spokesperson discredited Grizzly Research's investigation and said that the company was "surprised and disappointed by the Arkansas Attorney General's Office for filing the lawsuit without any independent fact-finding."

"The allegations in the lawsuit are based on misinformation circulated online, primarily from a short-seller, and are totally unfounded," Temu's spokesperson said. "We categorically deny the allegations and will vigorously defend ourselves."

"We understand that as a new company with an innovative supply chain model, some may misunderstand us at first glance and not welcome us. We are committed to the long-term and believe that scrutiny will ultimately benefit our development. We are confident that our actions and contributions to the community will speak for themselves over time." Last year, Temu was the most downloaded app in the U.S. and has only become more popular as reports of security and privacy risks have come out.
Businesses

OpenAI Buys Remote Collaboration Platform 'Multi' (venturebeat.com)

OpenAI has purchased Multi (previously Remotion), "a five-person startup based in New York City that focuses on screenshare and collaboration technologies for workers using Mac computers," reports VentureBeat. The latest acquisition comes just days after the AI company announced it had acquired enterprise analytics startup Rockset. No details were provided on the terms of the deal. From the report: Multi's co-founder and CEO Alexander Embiricos posted on his X account today stating specifically that he (and presumably the entire Multi team) has joined OpenAI's "ChatGPT desktop team," the unit at the company responsible for building the ChatGPT for Mac desktop app that was unveiled back in May 2024. Multi broke the news first to its users and followers in a blog post, writing: "Recently, we've been increasingly asking ourselves how we should work with computers. Not on or using computers, but truly with computers. With AI. We believe it's one of the most important product questions of our time. And so, we're beyond excited to share that Multi is joining OpenAI!"

The news has users on X speculating that OpenAI will use Multi to allow its AI models such as GPT-4o to "take over" a user's computer and perform actions on their behalf based on text or voice prompts. So you could say something like "ChatGPT, create a spreadsheet of my latest hours and send it to my manager" and it would try to do this. Based on what I've learned about Multi (see final section of this article below) and zero insider knowledge, I think it is at least as likely that OpenAI will seek to use the acquisition as a means of souping up and adding features to its ChatGPT Team and Enterprise subscription plans, as those are already more focused on providing tech for teams to help all the individuals on them work better together.

However, Multi also broke the news that it is "sunsetting" the current version of its software and will end support for it in one month: on July 24, 2024, as well as delete all user data. Egads! Multi states in a short FAQ in its blog post that users should go ahead and export their data before that time, using the "Export Session Notes" setting under the URL: https://app.multi.app/account. It is also opening the door to users asking for extensions to the deletion date of July 24, 2024 for their individual or company accounts, if they email Embiricos himself directly at alexander@multi.app. Multi also says its team members can help recommend alternatives through the same email address.

Red Hat Software

Red Hat's RHEL-Based In-Vehicle OS Attains Milestone Safety Certification (networkworld.com)

In 2022, Red Hat announced plans to extend RHEL to the automotive industry through Red Hat In-Vehicle Operating System (providing automakers with an open and functionally-safe platform). And this week Red Hat announced it achieved ISO 26262 ASIL-B certification from exida for the Linux math library (libm.so glibc) — a fundamental component of that Red Hat In-Vehicle Operating System.

From Red Hat's announcement: This milestone underscores Red Hat's pioneering role in obtaining continuous and comprehensive Safety Element out of Context certification for Linux in automotive... This certification demonstrates that the engineering of the math library components individually and as a whole meet or exceed stringent functional safety standards, ensuring substantial reliability and performance for the automotive industry. The certification of the math library is a significant milestone that strengthens the confidence in Linux as a viable platform of choice for safety related automotive applications of the future...

By working with the broader open source community, Red Hat can make use of the rigorous testing and analysis performed by Linux maintainers, collaborating across upstream communities to deliver open standards-based solutions. This approach enhances long-term maintainability and limits vendor lock-in, providing greater transparency and performance. Red Hat In-Vehicle Operating System is poised to offer a safety certified Linux-based operating system capable of concurrently supporting multiple safety and non-safety related applications in a single instance. These applications include advanced driver-assistance systems (ADAS), digital cockpit, infotainment, body control, telematics, artificial intelligence (AI) models and more. Red Hat is also working with key industry leaders to deliver pre-tested, pre-integrated software solutions, accelerating the route to market for SDV concepts.

"Red Hat is fully committed to attaining continuous and comprehensive safety certification of Linux natively for automotive applications," according to the announcement, "and has the industry's largest pool of Linux maintainers and contributors committed to this initiative..."

Or, as Network World puts it, "The phrase 'open source for the open road' is now being used to describe the inevitable fit between the character of Linux and the need for highly customizable code in all sorts of automotive equipment."
Security

Hacker Claims To Have 30 Million Customer Records From Ticket Giant TEG (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: A hacker is advertising customer data allegedly stolen from the Australia-based live events and ticketing company TEG on a well-known hacking forum. On Thursday, a hacker put up for sale the alleged stolen data from TEG, claiming to have information of 30 million users, including the full name, gender, date of birth, username, hashed passwords, and email addresses. In late May, TEG-owned ticketing company Ticketek disclosed a data breach affecting Australian customers' data, "which is stored in a cloud-based platform, hosted by a reputable, global third party supplier."

The company said that "no Ticketek customer account has been compromised," thanks to the encryption methods used to store their passwords. TEG conceded, however, that "customer names, dates of birth and email addresses may have been impacted" -- data that would line up with that advertised on the hacking forum. The hacker included a sample of the alleged stolen data in their post. TechCrunch confirmed that at least some of the data published on the forum appears legitimate by attempting to sign up for new accounts using the published email addresses. In a number of cases, Ticketek's website gave an error, suggesting the email addresses are already in use.
There's evidence that the company's "cloud-based platform" provider is Snowflake, "which has been at the center of a recent series of data thefts affecting several of its customers, including Ticketmaster, Santander Bank, and others," notes TechCrunch.

"A now-deleted post on Snowflake's website from January 2023 was titled: 'TEG Personalizes Live Entertainment Experiences with Snowflake.' In 2022, consulting company Altis published a case study (PDF) detailing how the company, working with TEG, 'built a modern data platform for ingesting streaming data into Snowflake.'"
SuSE

SUSE Upgrades Its Distros With 19 Years of Support (zdnet.com)

An anonymous reader quotes a report from ZDNet: At SUSECon in Berlin, SUSE, a global Linux and cloud-native software leader, announced significant enhancements across its entire Linux distribution family. These new capabilities focus on providing faster time-to-value and reduced operational costs, emphasizing the importance of choice in today's complex IT landscape. SUSE Linux Enterprise Server (SLES) 15 Service Pack (SP) 6 is at the heart of these upgrades. This update future-proofs IT workloads with a new Long Term Service (LTS) Pack Support Core. How long is long-term? Would you believe 19 years? This gives SLES the longest-term support period in the enterprise Linux market. Even Ubuntu, for which Canonical recently extended its LTS to 12 years, doesn't come close.

You may ask yourself, "Why 19 years?" SUSE General Manager of Business Critical Linux (BCL) Rick Spencer explained in an interview that the reason is that on 03:14:08 Greenwich Mean Time (GMT, aka Coordinated Universal Time) Tuesday, January 19, 2038, we reach the end of computing time. Well, not really, but Linux, and all the other Unix-based operating systems, including some versions of MacOS, reach what's called the Epoch. That's when the time-keeping code in 32-bit Unix-based operating systems reaches the end of the seconds it's been counting since the beginning of time -- 00:00:00 GMT on January 1, 1970, as far as Linux and Unix systems are concerned -- and resets to zero. Just like the Y2K bug, that means that all unpatched 32-bit operating systems and software will have fits. The Linux kernel itself had the problem fixed in 2020's Linux 5.6 kernel, but many other programs haven't dealt with it. Until then, though, if you're still running SLES 15 SP6, you'll be covered. I strongly suggest upgrading before then, but if you want to stick with that distro to the bitter end, you can.
The new SLES also boasts enhanced security features like confidential computing support with encryption in memory, utilizing Intel TDX and AMD SEV processors, along with remote attestation via SUSE Manager. Additionally, SLES for SAP Applications 15 SP6 offers a secure and reliable platform for running mission-critical SAP workloads, incorporating innovations from Trento to help system administrators avoid infrastructure issues.
SuSE

SUSE Wants a Piece of the AI Cake, Too (techcrunch.com)

SUSE, a Luxembourg-based open-source company, is launching a new vendor- and LLM-agnostic generative AI platform called SUSE AI solutions. The company aims to leverage the potential of AI to gain a stronger foothold in the U.S. market, where it has struggled to establish brand recognition compared to competitors like Red Hat and Canonical. SUSE CEO Dirk-Peter van Leeuwen believes that the open-source model provides infinite potential for enterprise customers, offering support, security, and long-term stability. The company's recent fork of CentOS has attracted a significant number of users, and its portfolio, including Kubernetes service Rancher and security service Neuvector, positions SUSE well in a market where enterprises are looking to consolidate platforms. Despite ownership changes over the years, SUSE remains committed to expanding its presence in the U.S. market.
Facebook

Meta Accused of Trying To Discredit Ad Researchers (theregister.com)

Thomas Claburn reports via The Register: Meta allegedly tried to discredit university researchers in Brazil who had flagged fraudulent adverts on the social network's ad platform. Nucleo, a Brazil-based news organization, said it has obtained government documents showing that attorneys representing Meta questioned the credibility of researchers from NetLab, which is part of the Federal University of Rio de Janeiro (UFRJ). NetLab's research into Meta's ads contributed to Brazil's National Consumer Secretariat (Senacon) decision in 2023 to fine Meta $1.7 million (9.3 million BRL), which is still being appealed. Meta (then Facebook) was separately fined $1.2 million (6.6 million BRL) related to Cambridge Analytica.

As noted by Nucleo, NetLab's report showed that Facebook, despite being notified about the issues, had failed to remove more than 1,800 scam ads that fraudulently used the name of a government program that was supposed to assist those in debt. In response to the fine, attorneys representing Meta from law firm TozziniFreire allegedly accused the NetLab team of bias and of failing to involve Meta in the research process. Nucleo says that it obtained the administrative filing through freedom of information requests to Senacon. The documents are said to date from December 26 last year and to be part of the ongoing case against Meta. A spokesperson for NetLab, who asked not to be identified by name due to online harassment directed at the organization's members, told The Register that the research group was aware of the Nucleo report. "We were kind of surprised to see the account of our work in this law firm document," the spokesperson said. "We expected to be treated with more fairness for our work. Honestly, it comes at a very bad moment because NetLab particularly, but also Brazilian science in general, is being attacked by far-right groups."

On Thursday, more than 70 civil society groups including NetLab published an open letter decrying Meta's legal tactics. "This is an attack on scientific research work, and attempts at intimidation of researchers and researchers who are performing excellent work in the production of knowledge from empirical analysis that have been fundamental to qualify the public debate on the accountability of social media platforms operating in the country, especially with regard to paid content that causes harm to consumers of these platforms and that threaten the future of our democracy," the letter says. "This kind of attack and intimidation is made even more dangerous by aligning with arguments that, without any evidence, have been used by the far right to discredit the most diverse scientific productions, including NetLab itself." The claim, allegedly made by Meta's attorneys, is that the ad biz was "not given the opportunity to appoint a technical assistant and present questions" in the preparation of the NetLabs report. This is particularly striking given Meta's efforts to limit research into its ad platform.
A Meta spokesperson told The Register: "We value input from civil society organizations and academic institutions for the context they provide as we constantly work toward improving our services. Meta's defense filed with the Brazilian Consumer Regulator questioned the use of the NetLab report as legal evidence, since it was produced without giving us prior opportunity to contribute meaningfully, in violation of local legal requirements."
Privacy

New York Times Source Code Stolen Using Exposed GitHub Token (bleepingcomputer.com) 52

The New York Times has confirmed that its internal source code was leaked on 4chan after being stolen from the company's GitHub repositories in January 2024. BleepingComputer reports: As first seen by VX-Underground, the internal data was leaked on Thursday by an anonymous user who posted a torrent to a 273GB archive containing the stolen data. "Basically all source code belonging to The New York Times Company, 270GB," reads the 4chan forum post. "There are around 5 thousand repos (out of them less than 30 are additionally encrypted I think), 3.6 million files total, uncompressed tar."

While BleepingComputer did not download the archive, the threat actor shared a text file containing a complete list of the 6,223 folders stolen from the company's GitHub repository. The folder names indicate that a wide variety of information was stolen, including IT documentation, infrastructure tools, and source code, allegedly including the viral Wordle game. A 'readme' file in the archive states that the threat actor used an exposed GitHub token to access the company's repositories and steal the data. The company said that the breach of its GitHub account did not affect its internal corporate systems and had no impact on its operations.
The Times said in a statement to BleepingComputer: "The underlying event related to yesterday's posting occurred in January 2024 when a credential to a cloud-based third-party code platform was inadvertently made available. The issue was quickly identified and we took appropriate measures in response at the time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity."
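The 'readme' attributes the theft to a single exposed GitHub token, and the Times describes the root cause as a credential that was "inadvertently made available." As an added example (not code from BleepingComputer, the Times, or GitHub), here is a small Python secret scanner of the kind a pre-commit hook or CI job can run over diffs and config files before they are pushed. It matches the token prefixes GitHub documents (ghp_, gho_, ghu_, ghs_, ghr_ followed by 36 base62 characters, and github_pat_ fine-grained tokens) and flags other long, high-entropy values assigned to secret-looking names. The sample lines are constructed; none of the values in them are real credentials, and the 3.5 bits-per-character entropy threshold is an assumed tuning value, not a GitHub figure.

```python
import math
import re
from collections import Counter

# GitHub's documented token prefixes: ghp_ (classic PAT), gho_ (OAuth access),
# ghu_ (user-to-server), ghs_ (server-to-server), ghr_ (refresh), each followed
# by 36 base62 characters; fine-grained PATs are github_pat_ + 22 chars + '_' + 59 chars.
GITHUB_TOKEN_RE = re.compile(
    r"\b(?:(gh[pousr]_)[A-Za-z0-9]{36}|(github_pat_)[A-Za-z0-9_]{82})\b"
)

# Generic "secret-looking assignment": a sensitive-sounding key, '=' or ':', then a
# long opaque value. Entropy decides whether the value is worth reporting.
SECRET_ASSIGNMENT_RE = re.compile(
    r"(?i)(?:token|secret|password|passwd|api[_-]?key)\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9_\-+/=.]{16,})"
)


def shannon_entropy(value: str) -> float:
    """Bits per character: random base62/hex strings score high, dictionary words low."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_lines(lines, entropy_threshold=3.5):
    """Return (line_no, kind, value) for every credential-looking string found."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for m in GITHUB_TOKEN_RE.finditer(line):
            findings.append((line_no, "github-token", m.group(0)))
        for m in SECRET_ASSIGNMENT_RE.finditer(line):
            value = m.group(1)
            if GITHUB_TOKEN_RE.fullmatch(value):
                continue  # already reported above with its exact token type
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((line_no, "high-entropy-secret", value))
    return findings


def redact_line(line: str) -> str:
    """Keep the token prefix (useful for triage), drop the secret part."""
    return GITHUB_TOKEN_RE.sub(
        lambda m: (m.group(1) or m.group(2)) + "[REDACTED]", line
    )


# Constructed sample input (assumption: typical .env / config lines). Not real credentials.
SAMPLE_LINES = [
    "GITHUB_TOKEN=ghp_16C7e42F292c6912E7710c838347Ae178B4a",
    'export FG_TOKEN="github_pat_' + "A" * 22 + "_" + "B" * 59 + '"',
    'api_key = "4f9c2b7e1d8a6c3b5e0f9a1d2c4b6e8f"',
    'password = "changemechangemechangeme"',   # long but low entropy: not reported
    'log_level = "debug"',
]

if __name__ == "__main__":
    for line_no, kind, value in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {kind}: {value[:6]}...")
```

A scanner like this is the last line of defence, not the first: a leaked token still has to be revoked immediately, and exposure is cheaper to survive when tokens are fine-grained, scoped to the repositories they need, and given an expiry, so that a copy sitting in a stray commit or build log is worth little by the time anyone finds it.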
Advertising

United Airlines Starts Serving Passengers Personalized Ads On Seat-Back Screens (cnbc.com) 95

United Airlines on Friday launched a media platform to serve travelers personalized ads on seat-back screens and in its app, among other platforms, as it seeks to leverage customer data. CNBC reports: United said its new platform, Kinective Media, is already working with Norwegian Cruise Line, Macy's, IHG Hotels & Resorts, TelevisaUnivision and JPMorgan Chase, which offers a host of co-branded credit cards with United. [...] Customers can opt out of seeing targeted ads through a United web page, and advertisers cannot access customers' personally identifiable information, the airline said. "There is the potential for 3.5 hours of attention per traveler, based on average flight time," United said.
Cloud

GOG Will Start Deleting Cloud Saves This Summer 35

GOG, a popular Poland-based gaming platform, has announced plans to enforce a 200MB limit on cloud save files per game. This may adversely affect players of open-world titles such as Cyberpunk 2077, where save folders can reach several gigabytes. A report adds: The company will begin deleting game saves that exceed the limit on Aug. 31. When the deadline rolls around, GOG will delete saves for each game, beginning with the oldest, until that game's total is below the 200MB threshold. That means your newest saves will survive.
AI

Artists Are Deleting Instagram For New App Cara In Protest of Meta AI Scraping (fastcompany.com) 21

Some artists are jumping ship for the anti-AI portfolio app Cara after Meta began using Instagram content to train its AI models. Fast Company explains: The portfolio app bills itself as a platform that protects artists' images from being used to train AI and allows AI content to be posted only if it is clearly labeled. Based on the number of new users the Cara app has garnered over the past few days, there appears to be demand. Between May 31 and June 2, Cara's user base tripled from less than 100,000 to more than 300,000 profiles, skyrocketing to the top of the app store. [...] Cara is a social networking app for creatives, in which users can post images of their artwork, memes, or just their own text-based musings. It shares similarities with major social platforms like X (formerly Twitter) and Instagram on a few fronts. Users can access Cara through a mobile app or on a browser. Both options are free to use. The UI itself is like an arts-centric combination of X and Instagram. In fact, some UI elements seem like they were pulled directly from other social media sites. (It's not the most innovative approach, but it is strategic: as a new app, any barriers to potential adoption need to be low.)

Cara doesn't train any AI models on its content, nor does it allow third parties to do so. According to Cara's FAQ page, the app aims to protect its users from AI scraping by automatically applying "NoAI" tags to all of its posts. The website says these tags "are intended to tell AI scrapers not to scrape from Cara." Ultimately, they appear to be HTML metadata tags that politely ask scrapers not to get up to any funny business: compliance is entirely voluntary on the scraper's side, and it's pretty unlikely that the tags hold any actual legal weight. Cara admits as much, too, warning its users that the tags aren't a "fully comprehensive solution and won't completely prevent dedicated scrapers." With that in mind, Cara assesses the "NoAI" tagging system as "a necessary first step in building a space that is actually welcoming to artists -- one that respects them as creators and doesn't opt their work into unethical AI scraping without their consent."
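To make the "politely ask" point concrete, here is an added example (not Cara's code, and the article does not show the exact markup Cara emits) of the enforcement side: a crawler-side check that honours an opt-out. It assumes the directive form DeviantArt introduced and other sites have copied, a `<meta name="robots" content="noai, noimageai">` tag in the page body or the same tokens in an `X-Robots-Tag` response header. The sample HTML and headers are constructed.

```python
from html.parser import HTMLParser

# Directive tokens a scraper is asked to respect. Assumption: the "noai" /
# "noimageai" convention; nothing in the page enforces them, the crawler must.
AI_OPT_OUT_DIRECTIVES = {"noai", "noimageai"}


class RobotsMetaParser(HTMLParser):
    """Collect directive tokens from every <meta name="robots" content="..."> tag."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "robots":
            self.directives.update(
                t.strip().lower() for t in attr.get("content", "").split(",") if t.strip()
            )


def ai_opt_out_signals(html, headers=None):
    """Return the opt-out directives present in the body or the X-Robots-Tag header."""
    parser = RobotsMetaParser()
    parser.feed(html)
    found = set(parser.directives)
    for name, value in (headers or {}).items():
        if name.lower() == "x-robots-tag":
            found.update(t.strip().lower() for t in value.split(",") if t.strip())
    return found & AI_OPT_OUT_DIRECTIVES


def may_use_for_training(html, headers=None):
    """A well-behaved pipeline calls this before adding a page's images to a dataset."""
    return not ai_opt_out_signals(html, headers)


# Constructed sample pages: one tagged the way an opt-out site would tag it, one plain.
TAGGED_PAGE = """<html><head>
<meta charset="utf-8">
<meta name="robots" content="noai, noimageai">
<title>portfolio</title></head>
<body><img src="painting.png" alt="work"></body></html>"""

PLAIN_PAGE = """<html><head><title>portfolio</title></head>
<body><img src="painting.png" alt="work"></body></html>"""

if __name__ == "__main__":
    print("tagged page usable:", may_use_for_training(TAGGED_PAGE))
    print("plain page usable: ", may_use_for_training(PLAIN_PAGE))
    print("header only:       ", ai_opt_out_signals(PLAIN_PAGE, {"X-Robots-Tag": "noimageai"}))
```

The check is trivial to implement and just as trivial to skip, which is the whole caveat: a tag only protects against crawlers whose operators chose to run something like `may_use_for_training` in their ingestion path, so Cara's own warning that it "won't completely prevent dedicated scrapers" is accurate.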

In December, Cara launched another tool called Cara Glaze to defend its artists' work against scrapers. (Users can apply it only a limited number of times.) Glaze, developed by the SAND Lab at the University of Chicago, makes it much more difficult for AI models to accurately understand and mimic an artist's personal style. The tool works by learning how AI models perceive artwork, and then making a set of minimal changes that are invisible to the human eye but confusing to the model. The model then has trouble "translating" the art style and generates warped recreations. In the future, Cara also plans to implement Nightshade, another University of Chicago tool that helps protect artwork against AI scrapers. Nightshade "poisons" AI training data by adding invisible pixel changes to artwork that can cause AI software to completely misunderstand the image. Beyond establishing shields against data mining, Cara also uses a third-party service to detect and moderate any AI artwork that's posted to the site. Non-human artwork is forbidden unless it's been properly labeled by the poster.

AMD

AMD Unveils Ryzen AI and 9000 Series Processors, Plus Radeon PRO W7900 Dual Slot (betanews.com) 41

The highlight of AMD's presentation Sunday at Computex 2024 was "the introduction of AMD's Ryzen AI 300 Series processors for laptops and the Ryzen 9000 Series for desktops," writes Slashdot reader BrianFagioli (sharing his report at Beta News): AMD's Ryzen AI 300 Series processors, designed for next-generation AI laptops, come with AMD's latest XDNA 2 architecture. This includes a Neural Processing Unit (NPU) that delivers 50 TOPS of AI processing power, significantly enhancing the AI capabilities of laptops. Among the processors announced were the Ryzen AI 9 HX 370, which features 12 cores and 24 threads with a boost frequency of 5.1 GHz, and the Ryzen AI 9 365 with 10 cores and 20 threads, boosting up to 5.0 GHz...

In the desktop segment, the Ryzen 9000 Series processors, based on the "Zen 5" architecture, demonstrated an average 16% improvement in IPC performance over their predecessors built on the "Zen 4" architecture. The Ryzen 9 9950X stands out with 16 cores and 32 threads, reaching up to 5.7 GHz boost frequency and equipped with 80MB of cache... AMD also reaffirmed its commitment to the AM4 platform by introducing the Ryzen 9 5900XT and Ryzen 7 5800XT processors. These models are compatible with existing AM4 motherboards, providing an economical upgrade path for users.

The article adds that AMD also unveiled its Radeon PRO W7900 Dual Slot workstation graphics card — priced at $3,499 — "further broadening its impact on high-performance computing...

"AMD also emphasized its strategic partnerships with leading OEMs such as Acer, ASUS, HP, Lenovo, and MSI, who are set to launch systems powered by these new AMD processors." And there's also a software collaboration with Microsoft, reportedly "to enhance the capabilities of AI PCs, thus underscoring AMD's holistic approach to integrating AI into everyday computing."
Businesses

Vista Equity Writes Off IT Education Platform PluralSight Value, After $3.5 Billion Buyout (axios.com) 10

Vista Equity Partners has written off the entire equity value of its investment in tech learning platform Pluralsight, three years after taking it private for $3.5 billion, Axios reported Friday. From the report: One source says that the Utah-based company's financials have improved, with around 26% EBITDA growth in 2023, but not enough to service nearly $1.3 billion of debt that was issued when interest rates were lower. It's also a company whose future could be dimmed by advances in artificial intelligence, since some of the developer skills it teaches are becoming automated. Vista agreed to buy the company in late 2020 for $20.26 per share, representing a 25% premium to its 30-day trading average, despite a lack of profits.
Piracy

Nvidia Denies Pirate e-Book Sites Are 'Shadow Libraries' To Shut Down Lawsuit (arstechnica.com) 105

An anonymous reader quotes a report from Ars Technica: Some of the most infamous so-called shadow libraries have increasingly faced legal pressure to either stop pirating books or risk being shut down or driven to the dark web. Among the biggest targets are Z-Library, which the US Department of Justice has charged with criminal copyright infringement, and Library Genesis (Libgen), which was sued by textbook publishers last fall for allegedly distributing digital copies of copyrighted works "on a massive scale in willful violation" of copyright laws. But now these shadow libraries and others accused of spurning copyrights have seemingly found an unlikely defender in Nvidia, the AI chipmaker among those profiting most from the recent AI boom.

Nvidia seemed to defend the shadow libraries as a valid source of information online when responding to a lawsuit from book authors over the list of data repositories that were scraped to create the Books3 dataset used to train Nvidia's AI platform NeMo. That list includes some of the most "notorious" shadow libraries -- Bibliotik, Z-Library (Z-Lib), Libgen, Sci-Hub, and Anna's Archive, authors argued. However, Nvidia hopes to invalidate authors' copyright claims partly by denying that any of these controversial websites should even be considered shadow libraries.

"Nvidia denies the characterization of the listed data repositories as 'shadow libraries' and denies that hosting data in or distributing data from the data repositories necessarily violates the US Copyright Act," Nvidia's court filing said. The chipmaker did not go into further detail to define what counts as a shadow library or what potentially absolves these controversial sites from key copyright concerns raised by various ongoing lawsuits. Instead, Nvidia kept its response brief while also curtly disputing authors' petition for class-action status and defending its AI training methods as fair use. "Nvidia denies that it has improperly used or copied the alleged works," the court filing said, arguing that "training is a highly transformative process that may include adjusting numerical parameters including 'weights,' and that outputs of an LLM may be based, at least in part, on such 'weights.'"
"Nvidia's argument likely depends on the court agreeing that AI models ingesting published works in order to transform those works into weights governing AI outputs is fair use," notes Ars. "However, authors have argued that 'these weights are entirely and uniquely derived from the protected expression in the training dataset' that has been copied without getting authors' consent or providing authors with compensation."

"Authors suing Nvidia have taken the next step, linking the chipmaker to shadow libraries by arguing that 'these shadow libraries have long been of interest to the AI-training community because they host and distribute vast quantities of unlicensed copyrighted material. For that reason, these shadow libraries also violate the US Copyright Act.'"
