
Comment Re:tl;dr (Score 1) 30

Bugs were found, Apple patched them.

There is much more to it than that. The news is that Trellix discovered these vulnerabilities only now and made them public.

Market for zero-day exploits:

As a result, both national security agencies and criminals hide certain software vulnerabilities from both users and the original developer.

Governments face a trade-off between protecting their citizens' privacy through the reporting of vulnerabilities to private companies on one hand and undermining the communication technologies used by their targets—who also threaten the security of the public—on the other. The protection of national security through exploitation of software vulnerabilities unknown to both companies and the public is an ultimate resource for security agencies but also compromises the safety of every single user because any third party, including criminal organizations, could be making use of the same resource.

Comment Re:Bugs already fixed by Apple (Score 2) 30

According to Trellix (formerly FireEye and McAfee Enterprise), in the section "The Vulnerabilities":

There were also vulnerabilities of this class in services that could be accessed by any app, with no entitlements necessary. The first of these we found was in OSLogService, an XPC service that can be used to read potentially sensitive information from the syslog. More significantly, an attacker can exploit an NSPredicate vulnerability in UIKitCore on the iPad. By setting malicious scene activation rules an app can achieve code execution inside of SpringBoard, a highly privileged app that can access location data, the camera and microphone, call history, photos, and other sensitive data, as well as wipe the device.

Submission + - SPAM: NASA and open-source software

guest reader writes: From the LWN article:

From the moon landing to the James Webb Space Telescope and many other scientific missions, software is critical for the US National Aeronautics and Space Administration (NASA). Sharing information has also been in the DNA of the space agency from the beginning. As a result, NASA also contributes to and releases open-source software and open data. In a keynote at FOSDEM 2023, Science Data Officer Steve Crawford talked about NASA and open-source software, including the challenges NASA has faced in using open source and the agency's recent initiatives to lower barriers.

Software has always been a big part of NASA's work. Who hasn't seen the photo of computer scientist Margaret Hamilton next to a hard-copy stack of the Apollo software she and her team at MIT produced? The stack of code is as tall as she is. In 2016, the original Apollo 11 Guidance Computer source code for the command and lunar modules was published on GitHub in the public domain. You can even compile the code and run it in a simulator.

In recent years, more and more of this sharing was also in the form of releasing software. For instance, when NASA's drone copter Ingenuity made its first flight on Mars in 2021 as part of the Perseverance mission, it used an open-source flight-control framework, F Prime. NASA's Jet Propulsion Laboratory (JPL) released the framework in 2017 under the Apache 2.0 license. One of the example deployments even runs on the Raspberry Pi. But the NASA mission also used a lot of open-source dependencies. To celebrate Ingenuity's first flight, GitHub recognized the more than 12,000 people who contributed to these dependencies with a badge on their profile.

While the previous examples may be some high-profile successes, open source at NASA doesn't come without its challenges. "Civil servants can't release anything copyrightable", Crawford said, referring to the fact that under US copyright law, a work prepared by an officer or employee of the United States Government as part of that person's official duties is in the public domain.

Of course NASA has contributed to many open-source projects, but according to Crawford people often do this "not in their official capacity as NASA employees". In 2003 NASA created a license to enable the release of software by civil servants, the NASA Open Source Agreement. This license has been approved by the Open Source Initiative (OSI), but the Free Software Foundation doesn't consider it a free-software license because it does not allow changes to the code that come from third-party free-software projects. "It isn't widely used in the community and complicates the reuse of NASA software with this license", Crawford said.

Another challenge is NASA's famous bureaucracy, Crawford admitted: "NASA does not always engage well with the open-source community." As an example, he showed how curl's main developer Daniel Stenberg received an email from NASA's Commercial IT Acquisition Team, asking him to supply country of origin information for curl, as well as a list of all "authorized resellers". Stenberg noted the keynote (which he barely missed attending) in a recent blog post.

Open-source software will clearly play an important role in open science, and was already instrumental in various breakthrough discoveries. When scientists created the first image of a black hole in 2019 from data generated by the Event Horizon Telescope, Dr. Katie Bouman who led the development of the imaging algorithm was explicit about it: "We're deeply grateful to all the open source contributors who made our work possible." This was also the message Crawford ended his talk with: "Keep contributing, building, and sustaining your code." After his "Thank you for your contributions", his words were followed by big applause from a room full of open-source developers.


Submission + - SPAM: IBM says it's been running 'AI supercomputer' but chose now to tell the world

guest reader writes: The Register writes:
IBM is the latest tech giant to unveil its own "AI supercomputer," this one composed of a bunch of virtual machines running within IBM Cloud.

The system known as Vela, which the company claims has been online since May last year, is touted as IBM's first AI-optimized, cloud-native supercomputer, created with the aim of developing and training large-scale AI models.

But Vela is not running on any old standard IBM Cloud node hardware; each is a twin-socket system with 2nd Gen Xeon Scalable processors configured with 1.5TB of DRAM, and four 3.2TB NVMe flash drives, plus eight 80GB Nvidia A100 GPUs, the latter connected by NVLink and NVSwitch.

This makes the Vela infrastructure closer to that of a high performance compute (HPC) site than typical cloud infrastructure, despite IBM's insistence that it was taking a different path as "traditional supercomputers weren't designed for AI."

It is also notable that IBM chose to use x86 processors rather than its own Power 10 chips, especially as these were touted by Big Blue as being ideally suited for memory-intensive workloads such as large-model AI inferencing.


Comment Re:We know (Score 1) 13

The second story from Monday 13 has the following links:
1 www.theregister.com/2023/02/13/linux_ai_assistant_killed_off/
2 www.kickstarter.com/projects/aiforeveryone/mycroft-mark-ii-the-open-voice-assistant/posts/3729060
3 mycroft.ai/product/mark-ii/

The first story from Sunday 12 has the following links:
1 hardware.slashdot.org/story/19/12/14/1954242/building-your-own-open-source-privacy-protecting-voice-assistant-with-a-raspberry-pi
2 www.kickstarter.com/projects/aiforeveryone/mycroft-mark-ii-the-open-voice-assistant/posts/3729060

These two stories have a 50% match of linked sources.
That is very easy to detect as a possible dupe when someone hits the preview button in story submissions. It could be displayed just as a warning.

Is there a way to contribute to the Slashdot code so that we can fix it?
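The check proposed in the comment above, written out as an added example that is neither Slashdot's code nor the commenter's. It normalises each submission's outbound links (assumed rules: scheme and leading "www." dropped, trailing slash and common tracking parameters removed) and scores the new submission against archived stories with the overlap coefficient |A∩B| / min(|A|, |B|), which is the measure that gives the Sunday and Monday stories above their 50% match. The archived links are the ones quoted in the comment; the `?utm_source` variant in the new submission is constructed to show that cosmetic differences do not hide a shared source.

```python
"""Flag a story submission as a possible dupe when it shares links with a
recent story.  Added example, not Slashdot's code; the normalisation rules,
the 50% threshold and the TRACKING_PARAMS list are assumptions."""
from urllib.parse import urlsplit, parse_qsl, urlencode

# Query keys that identify a campaign, not a document (assumed list).
TRACKING_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "utm_term",
                   "utm_content", "fbclid", "gclid", "ref"}


def normalize_link(url: str) -> str:
    """Canonicalise a URL so that http/https, www., a trailing slash or a
    tracking parameter cannot make two links to one article look different."""
    url = url.strip()
    if "://" not in url:
        url = "https://" + url          # page links are written without a scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    path = parts.path.rstrip("/") or "/"
    query = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                   if k.lower() not in TRACKING_PARAMS)
    # scheme and fragment are intentionally dropped
    return host + path + ("?" + urlencode(query) if query else "")


def link_overlap(links_a, links_b) -> float:
    """Overlap coefficient of the two normalised link sets, in 0.0 .. 1.0.
    Dividing by the smaller set (not the union, as Jaccard would) means a
    short story that is entirely contained in a longer one still scores 1.0."""
    a = {normalize_link(u) for u in links_a}
    b = {normalize_link(u) for u in links_b}
    if not a or not b:
        return 0.0
    return len(a & b) / min(len(a), len(b))


def flag_possible_dupes(new_links, archive, threshold=0.5):
    """Return [(story_id, score)] for archived stories whose links overlap the
    new submission by at least `threshold`, highest score first."""
    hits = [(story_id, link_overlap(new_links, links))
            for story_id, links in archive.items()]
    return sorted([h for h in hits if h[1] >= threshold],
                  key=lambda h: h[1], reverse=True)


# Constructed archive: the Sunday 12 story's links, as quoted in the comment.
ARCHIVE = {
    "sunday-12": [
        "hardware.slashdot.org/story/19/12/14/1954242/building-your-own-open-source-privacy-protecting-voice-assistant-with-a-raspberry-pi",
        "www.kickstarter.com/projects/aiforeveryone/mycroft-mark-ii-the-open-voice-assistant/posts/3729060",
    ],
}

# Constructed new submission: the Monday 13 story's links, with the Kickstarter
# link carrying a tracking parameter and trailing slash to exercise normalisation.
NEW_SUBMISSION = [
    "www.theregister.com/2023/02/13/linux_ai_assistant_killed_off/",
    "https://www.kickstarter.com/projects/aiforeveryone/mycroft-mark-ii-the-open-voice-assistant/posts/3729060/?utm_source=slashdot",
    "mycroft.ai/product/mark-ii/",
]

if __name__ == "__main__":
    for story_id, score in flag_possible_dupes(NEW_SUBMISSION, ARCHIVE):
        print(f"warning: possible dupe of {story_id} ({score:.0%} of links shared)")
```

Run on the preview step, the warning fires for `sunday-12` at 50%; the threshold is a tunable, and a stricter site might require two shared links rather than one so that a single widely linked source (a vendor product page, say) does not flag every story that mentions it.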

Submission + - SPAM: Update broke the game updater and the Division 2 devs can't update the game 1

guest reader writes: GamesRadar reports:

Never before have I seen live service game development summarized so well: The Division 2 currently cannot be updated because a recently delayed seasonal update broke the system used to update the game, so the developers trying to update it have to first update the updater to accept new updates. So that they can update it.

The worst part is I'm barely exaggerating. As the dev team explained in a recent Twitter post: "Last week, we shared news that the season would be delayed due to a localization issue. This past Saturday, in the process of creating the update which would resolve the issue, we encountered an error that brought down the build generation system for The Division 2. As a result, we cannot update the game until this system has been rebuilt."

To recap: the fix for an error that delayed an update resulted in an error that broke the updater which would deliver that update to The Division 2. I'm not a game developer, but that doesn't sound very good. Consequently, the devs "are unable to make server or client side updates until the build generation system is restored," meaning they can't even extend existing seasonal content to help fill the gap between updates.


Submission + - SPAM: Can C++ Be Saved? Bjarne Stroustrup on Ensuring Memory Safety

guest reader writes: C++ creator Bjarne Stroustrup joins calls for changing the programming language itself to address security concerns, though other core contributors want to make more modest moves.

There's turmoil in the C++ community. In mid-January, the official C++ "direction group" — which makes recommendations for the programming language's evolution — issued a statement addressing concerns about C++ safety. While many languages now support "basic type safety" — that is, ensuring that variables access only sections of memory that are clearly defined by their data types — C++ has struggled to offer similar guarantees.

This new statement, co-authored by C++ creator Bjarne Stroustrup, now appears to call for changing the C++ programming language itself to address safety concerns. "We now support the idea that the changes for safety need to be not just in tooling, but visible in the language/compiler, and library."

The group still also supports its long-preferred use of debugging tools to ensure safety (and "pushing tooling to enable more global analysis in identifying hard for humans to identify safety concerns"). But that January statement emphasizes its recommendation for changes within C++.


Comment Re:yeah? (Score 1) 38

They "cracked" it. How? What? What did they crack? Maybe they just read the metadata that wasn't encrypted? Who says it was "secure"? Doesn't sound secure to me. I read the article/link, but still had all these questions.

If you really want to know, then my advice would be to apply for a job in Homeland Security. You will obviously have to sign an NDA to never reveal such information.

Submission + - SPAM: AI models spit out photos of real people and copyrighted images

guest reader writes: Popular image generation models can be prompted to produce identifiable photos of real people, potentially threatening their privacy, according to new research. The work also shows that these AI systems can be made to regurgitate exact copies of medical images and copyrighted work by artists. It's a finding that could strengthen the case for artists who are currently suing AI companies for copyright violations.

The researchers, from Google, DeepMind, UC Berkeley, ETH Zürich, and Princeton, got their results by prompting Stable Diffusion and Google's Imagen with captions for images, such as a person's name, many times. Then they analyzed whether any of the images they generated matched original images in the model's database. The group managed to extract over 100 replicas of images in the AI's training set.

The paper with title "Extracting Training Data from Diffusion Models" is the first time researchers have managed to prove that these AI models memorize images in their training sets, says Ryan Webster, a PhD student at the University of Caen Normandy in France.

For example, a recent class-action lawsuit against DeviantArt, Midjourney and Stability AI uses the following arguments as a claim:

The resulting image is necessarily a derivative work, because it is generated exclusively from a combination of the conditioning data and the latent images, all of which are copies of copyrighted images. It is, in short, a 21st-century collage tool.

A diffusion model is a form of lossy compression applied to the Training Images. Because a trained diffusion model can produce a copy of any of its Training Images—which could number in the billions—the diffusion model can be considered an alternative way of storing a copy of those images. In essence, it's similar to having a directory on your computer of billions of JPEG image files. But the diffusion model uses statistical and mathematical methods to store these images in an even more efficient and compressed manner.

A diffusion model is then able to reconstruct copies of each Training Image. Furthermore, being able to reconstruct copies of the Training Images is not an incidental side effect. The primary goal of a diffusion model is to reconstruct copies of the training data with maximum accuracy and fidelity to the Training Image. It is meant to be a duplicate.

There are a number of laws that protect and preserve artists' rights and interests with respect to their art. The references provided are 17 U.S.C. 106 and Section 1202(c) of the DMCA.


Comment Old Telegram posts from story archive (Score 2) 56

https://tech.slashdot.org/comm...
Telegram is NOT secure & Russia IS spying on i (Score:4, Interesting), Tuesday December 06, 2022

Telegram is not secure and its continued use in Ukraine may lead to users' deaths.

A recent security-focused review looking at a Nov 11 Washington Post story [washingtonpost.com] on Russian "stay behind" operations in Kherson has concluded that Russia is spying on Telegram chats in occupied Ukrainian regions [pwnallthethings.com]. A tidbit for you:

Telegram's security has long been called into question by the information security community. There's lots of aspects of how it is built that don't make sense from a security perspective. But so far, there's never been any good evidence that it's been exploited by the Russian security services in practice.

Until now.

Ihor's story is particularly amazing because it doesn't just reveal that Russian forces are surveilling Telegram chats. It also gives us a good hint as to how.

It even tells us what Russia wasn't doing--at least in the narrow case of Ihor. And it reveals how at least one other major and well-known security defect in Telegram--ones that have been left open on purpose by Telegram--would very likely have led to Ihor's death if Russian occupation forces had been only slightly more competent and successfully exploited them.

https://tech.slashdot.org/comm...
Telegram does NOT use the Signal protocol (Score:2) December 08, 2022

By default, chats are not encrypted. You can optionally encrypt 1 to 1 chats, but not group chats. Encryption uses the Signal protocol.

Yes, Telegram supports encrypted chats, but Telegram users overwhelmingly ignore that feature. As you noted, it has limited applicability (no encryption for group chats). IIRC, it also feels less usable (even beyond the fact that the option is buried in the UI).

According to Telegram's own website, they have implemented their own protocol called MTProto [telegram.org]. This is not Signal.

At least MTProto 1.0 was rather riddled with flaws. It was written by mathematicians without any knowledge of cryptography and was very roundly criticized. See this question on crypto.StackExchange [stackexchange.com] for detail. Presumably MTProto 2.0 addressed all of that, but Telegram's callous responses have alienated cryptographers. Telegram has given the impression that its chats are secure and encrypted and they've buried the option to actually enable encryption (regardless of its implementation). In other words, stay away from it.

https://yro.slashdot.org/comme...
Re:Let me be the first to say (Score:5, Interesting), November 30, 2022

Telegram sends the username in the SSL SNI field. (maybe only for verified users...)
So technically it doesn't need to give much more to authorities; it's snoopable.
https://mastodon.technology/@r... [mastodon.technology]
Please do not recommend Telegram, it's about as private as WhatsApp. Meaning pretty much not.

https://apple.slashdot.org/com...
Re: They can't do what Amazon does?, October 29, 2022

Have you tried to make an instant messenger that focuses on privacy and that they cannot decrypt your shit for anyone... present your decrypted content on their own website

Our software can decrypt Telegram protocol and process the messages as text.
A court warrant is required to investigate the content when some message triggers an alarm.
Our software runs on Internet backbone.
