An anonymous reader quotes a report from The Intercept: OpenAI this week quietly deleted language expressly prohibiting the use of its technology for military purposes from its usage policy, which seeks to dictate how powerful and immensely popular tools like ChatGPT can be used. Up until January 10, OpenAI's "usage policies" page included a ban on "activity that has high risk of physical harm, including," specifically, "weapons development" and "military and warfare." That plainly worded prohibition against military applications would seemingly rule out any official, and extremely lucrative, use by the Department of Defense or any other state military. The new policy retains an injunction not to "use our service to harm yourself or others" and gives "develop or use weapons" as an example, but the blanket ban on "military and warfare" use has vanished.

The unannounced redaction is part of a major rewrite of the policy page, which the company said was intended to make the document "clearer" and "more readable," and which includes many other substantial language and formatting changes. "We aimed to create a set of universal principles that are both easy to remember and apply, especially as our tools are now globally used by everyday users who can now also build GPTs," OpenAI spokesperson Niko Felix said in an email to The Intercept. "A principle like 'Don't harm others' is broad yet easily grasped and relevant in numerous contexts. Additionally, we specifically cited weapons and injury to others as clear examples." Felix declined to say whether the vaguer "harm" ban encompassed all military use, writing, "Any use of our technology, including by the military, to '[develop] or [use] weapons, [injure] others or [destroy] property, or [engage] in unauthorized activities that violate the security of any service or system,' is disallowed." "OpenAI is well aware of the risk and harms that may arise due to the use of their technology and services in military applications," said Heidy Khlaaf, engineering director at the cybersecurity firm Trail of Bits and an expert on machine learning and autonomous systems safety, citing a 2022 paper (PDF) she co-authored with OpenAI researchers that specifically flagged the risk of military use. "There is a distinct difference between the two policies, as the former clearly outlines that weapons development, and military and warfare is disallowed, while the latter emphasizes flexibility and compliance with the law," she said. "Developing weapons, and carrying out activities related to military and warfare is lawful to various extents. The potential implications for AI safety are significant. Given the well-known instances of bias and hallucination present within Large Language Models (LLMs), and their overall lack of accuracy, their use within military warfare can only lead to imprecise and biased operations that are likely to exacerbate harm and civilian casualties."

"I could imagine that the shift away from 'military and warfare' to 'weapons' leaves open a space for OpenAI to support operational infrastructures as long as the application doesn't directly involve weapons development narrowly defined," said Lucy Suchman, professor emerita of anthropology of science and technology at Lancaster University. "Of course, I think the idea that you can contribute to warfighting platforms while claiming not to be involved in the development or use of weapons would be disingenuous, removing the weapon from the sociotechnical system -- including command and control infrastructures -- of which it's part." Suchman, a scholar of artificial intelligence since the 1970s and member of the International Committee for Robot Arms Control, added, "It seems plausible that the new policy document evades the question of military contracting and warfighting operations by focusing specifically on weapons."

Restrictive US policies limiting advanced chip exports to China have done little to dampen Qualcomm's enthusiasm for the world's second-largest economy. From a report: In an interview at CES 2024 in Las Vegas, CEO Cristiano Amon expressed confidence about Qualcomm's business in the country, its largest market by revenue. "If you have a leading technology, you're going to have a big business in China," he said. The San Diego-based firm finds itself in a difficult situation, as the White House and Congress ramp up a pressure campaign to curb the sale of US chips and chipmaking tools to China, citing national security concerns. The Biden administration has argued that China's access to advanced semiconductors could aid military advancements.

Meanwhile, in China, government agencies and state-owned firms have widened their ban on Apple's iPhones for employees. Qualcomm is one of Apple's biggest suppliers. China remains the largest semiconductor market in the world, with sales in the country accounting for one-third of the global market, according to the Semiconductor Industry Association.

Security researchers warned Apple as early as 2019 about vulnerabilities in its AirDrop wireless sharing function that Chinese authorities claim they recently used to track down users of the feature, the researchers told CNN, in a case that experts say has sweeping implications for global privacy. From a report: The Chinese government's actions targeting a tool that Apple customers around the world use to share photos and documents -- and Apple's apparent inaction to address the flaws -- revive longstanding concerns by US lawmakers and privacy advocates about Apple's relationship with China and about authoritarian regimes' ability to twist US tech products to their own ends.

AirDrop lets Apple users who are near each other share files using a proprietary mix of Bluetooth and other wireless connectivity without having to connect to the internet. The sharing feature has been used by pro-democracy activists in Hong Kong and the Chinese government has cracked down on the feature in response. A Chinese tech firm, Beijing-based Wangshendongjian Technology, was able to compromise AirDrop to identify users on the Beijing subway accused of sharing "inappropriate information," judicial authorities in Beijing said this week. Although Chinese officials portrayed the exploit as an effective law enforcement technique, internet freedom advocates are urging Apple to address the issue quickly and publicly.

E-commerce giant eBay agreed to pay a $3 million penalty for the harassment and stalking of a Massachusetts couple by several of its employees. "The couple, Ina and David Steiner, had been subjected to threats and bizarre deliveries, including live spiders, cockroaches, a funeral wreath and a bloody pig mask in August 2019," reports CBS News. From the report: Thursday's fine comes after several eBay employees ran a harassment and intimidation campaign against the Steiners, who publish a news website focusing on players in the e-commerce industry. "eBay engaged in absolutely horrific, criminal conduct. The company's employees and contractors involved in this campaign put the victims through pure hell, in a petrifying campaign aimed at silencing their reporting and protecting the eBay brand," Levy said. "We left no stone unturned in our mission to hold accountable every individual who turned the victims' world upside-down through a never-ending nightmare of menacing and criminal acts."

The Justice Department criminally charged eBay with two counts of stalking through interstate travel, two counts of stalking through electronic communications services, one count of witness tampering and one count of obstruction of justice. The company agreed to pay $3 million as part of a deferred prosecution agreement. Under the agreement, eBay will be required to retain an independent corporate compliance monitor for three years, officials said, to "ensure that eBay's senior leadership sets a tone that makes compliance with the law paramount, implements safeguards to prevent future criminal activity, and makes clear to every eBay employee that the idea of terrorizing innocent people and obstructing investigations will not be tolerated," Levy said.

Former U.S. Attorney Andrew Lelling said the plan to target the Steiners, which he described as a "campaign of terror," was hatched in April 2019 at eBay. Devin Wenig, eBay's CEO at the time, shared a link to a post Ina Steiner had written about his annual pay. The company's chief communications officer, Steve Wymer, responded: "We are going to crush this lady." About a month later, Wenig texted: "Take her down." Prosecutors said Wymer later texted eBay security director Jim Baugh. "I want to see ashes. As long as it takes. Whatever it takes," Wymer wrote. Investigators said Baugh set up a meeting with security staff and dispatched a team to Boston, about 20 miles from where the Steiners live. "Senior executives at eBay were frustrated with the newsletter's tone and content, and with the comments posted beneath the newsletter's articles," the Department of Justice wrote in its Thursday announcement. Two former eBay security executives were sentenced to prison over the incident.

An anonymous reader quotes a report from SecurityWeek.com: A Dutch engineer recruited by the country's intelligence services used a water pump to deploy the now-infamous Stuxnet malware in an Iranian nuclear facility, according to a two-year investigation conducted by Dutch newspaper De Volkskrant. Stuxnet, whose existence came to light in 2010, is widely believed to be the work of the United States and Israel, its goal being to sabotage Iran's nuclear program by compromising industrial control systems (ICS) associated with nuclear centrifuges. The malware, which had worm capabilities, is said to have infected hundreds of thousands of devices and caused physical damage to hundreds of machines.

De Volkskrant's investigation, which involved interviews with dozens of people, found that the AIVD, the general intelligence and security service of the Netherlands, the Dutch equivalent of the CIA, recruited Erik van Sabben, a then 36-year-old Dutch national working at a heavy transport company in Dubai. Van Sabben was allegedly recruited in 2005 -- a couple of years before the Stuxnet malware was triggered -- after American and Israeli intelligence agencies asked their Dutch counterpart for help. However, the Dutch agency reportedly did not inform its country's government and it was not aware of the full extent of the operation. Van Sabben was described as perfect for the job as he had a technical background, he was doing business in Iran and was married to an Iranian woman.

It's believed that the Stuxnet malware was planted on a water pump that the Dutch national installed in the nuclear complex in Natanz, which he had infiltrated. It's unclear if Van Sabben knew exactly what he was doing, but his family said he appeared to have panicked at around the time of the Stuxnet attack. [...] Michael Hayden, who at the time was the chief of the CIA, did agree to talk to De Volkskrant, but could not confirm whether Stuxnet was indeed delivered via water pumps due to it still being classified information. One interesting piece of information that has come to light in De Volkskrant's investigation is that Hayden reportedly told one of the newspaper's sources that it cost between $1 and $2 billion to develop Stuxnet.

An anonymous reader writes: Millions of dollars have gone down the drain right when the Chicago Public Schools face a looming budget deficit -- as a brand-new CPS Inspector General report revealed the district lost thousands of computers and devices in a school year. In all, more than $20 million were lost -- as about students failed to return 77,505 laptops and other electronic devices within a year. This is even though the district spends millions to track such devices. The underlying concern is that taxpayer dollars will be used to replace them.

An anonymous reader quotes a report from Motherboard: For much of the 21st century, software engineering has been seen as one of the safest havens in the tenuous and ever-changing American job market. But there are a growing number of signs that the field is starting to become a little less secure and comfortable, due to an industry-wide downturn and the looming threat of artificial intelligence that is spurring growing competition for software jobs. "The amount of competition is insane," said Joe Forzano, an unemployed software engineer who has worked at the mental health startup Alma and private equity giant Blackstone. Since he lost his job in March, Forzano has applied to over 250 jobs. In six cases, he went through the "full interview gauntlet," which included between six and eight interviews each, before learning he had been passed over. "It has been very, very rough," he told Motherboard.

Forzano is not alone in his pessimism, according to a December survey of 9,338 software engineers performed on behalf of Motherboard by Blind, an online anonymous platform for verified employees. In the poll, nearly nine in 10 surveyed software engineers said it is more difficult to get a job now than it was before the pandemic, with 66 percent saying it was "much harder." Nearly 80 percent of respondents said the job market has even become more competitive over the last year. Only 6 percent of the software engineers were "extremely confident" they could find another job with the same total compensation if they lost their job today while 32 percent said they were "not at all confident."

Over 2022 and 2023, the tech sector incurred more than 400,000 layoffs, according to the tracking site Layoffs.fyi. But up until recently, it seemed software engineers were more often spared compared to their co-workers in non-technical fields. One analysis found tech companies cut their recruiting teams by 50 percent, compared to only 10 percent of their engineering departments. At Salesforce, engineers were four times less likely to lose their jobs than those in marketing and sales, which Bloomberg has said is a trend replicated at other tech companies such as Dell and Zoom. But signs of dread among software engineers have started to become more common online. In December, one Amazon employee wrote a long post on the anonymous employee platform Blind saying that the "job market is terrible" and that he was struggling to get interviews of any sort. "In the age of AI, computer science is no longer the safe major," Kelli Maria Korducki wrote in The Atlantic in September. AI programs like ChatGPT and Google Bard allow users to write code using natural language, greatly reducing the time it takes workers to complete coding tasks. It could lead to less job security and lower compensation for all but the very best in the software trade, warns Matt Welsh, a former computer science professor at Harvard.

"More than 60 percent of those surveyed said they believed their company would hire fewer people because of AI moving forward," reports Motherboard.

Previously unknown self-replicating malware has been infecting Linux devices worldwide, installing cryptomining malware using unusual concealment methods. The worm is a customized version of Mirai botnet malware, which takes control of Linux-based internet-connected devices to infect others. Mirai first emerged in 2016, delivering record-setting distributed denial-of-service attacks by compromising vulnerable devices. Once compromised, the worm self-replicates by scanning for and guessing credentials of additional vulnerable devices. While traditionally used for DDoS attacks, this latest variant focuses on covert cryptomining. ArsTechnica adds: On Wednesday, researchers from network security and reliability firm Akamai revealed that a previously unknown Mirai-based network they dubbed NoaBot has been targeting Linux devices since at least last January. Instead of targeting weak telnet passwords, the NoaBot targets weak passwords connecting SSH connections. Another twist: Rather than performing DDoSes, the new botnet installs cryptocurrency mining software, which allows the attackers to generate digital coins using victims' computing resources, electricity, and bandwidth. The cryptominer is a modified version of XMRig, another piece of open source malware. More recently, NoaBot has been used to also deliver P2PInfect, a separate worm researchers from Palo Alto Networks revealed last July.

Akamai has been monitoring NoaBot for the past 12 months in a honeypot that mimics real Linux devices to track various attacks circulating in the wild. To date, attacks have originated from 849 distinct IP addresses, almost all of which are likely hosting a device that's already infected. The following figure tracks the number of attacks delivered to the honeypot over the past year.

A U.S.-born chip technology called RISC-V has become critical to China's ambitions. Washington is debating whether and how to limit the technology. From a report: It evolved from a university computer lab in California to a foundation for myriad chips that handle computing chores. RISC-V essentially provides a kind of common language for designing processors that are found in devices like smartphones, disk drives, Wi-Fi routers and tablets. RISC-V has ignited a new debate in Washington in recent months about how far the United States can or should go as it steadily expands restrictions on exporting technology to China that could help advance its military. That's because RISC-V, which can be downloaded from the internet for free, has become a central tool for Chinese companies and government institutions hoping to match U.S. prowess in designing semiconductors.

Last month, the House Select Committee on the Chinese Communist Party -- in an effort spearheaded by Representative Mike Gallagher, Republican of Wisconsin -- recommended that an interagency government committee study potential risks of RISC-V. Congressional aides have met with members of the Biden administration about the technology, and lawmakers and their aides have discussed extending restrictions to stop U.S. citizens from aiding China on RISC-V, according to congressional staff members. The Chinese Communist Party is "already attempting to use RISC-V's design architecture to undermine our export controls," Representative Raja Krishnamoorthi of Illinois, the ranking Democrat on the House select committee, said in a statement. He added that RISC-V's participants should be focused on advancing technology and "not the geopolitical interests of the Chinese Communist Party."

Arm Holdings, a British company that sells competing chip technology, has also lobbied officials to consider restrictions on RISC-V, three people with knowledge of the situation said. Biden administration officials have concerns about China's use of RISC-V but are wary about potential complications with trying to regulate the technology, according to a person familiar with the discussions. The debate over RISC-V is complicated because the technology was patterned after open-source software, the free programs like Linux that allow any developer to view and modify the original code used to make them. Such programs have prompted multiple competitors to innovate and reduce the market power of any single vendor.

According to Bloomberg, Apple's AirDrop feature has been cracked by a Chinese state-backed institution to identify senders who share "undesirable content". MacRumors reports: AirDrop is Apple's ad-hoc service that lets users discover nearby Macs and iOS devices and securely transfer files between them over Wi-Fi and Bluetooth. Users can send and receive photos, videos, documents, contacts, passwords and anything else that can be transferred from a Share Sheet. Apple advertises the protocol as secure because the wireless connection uses Transport Layer Security (TLS) encryption, but the Beijing Municipal Bureau of Justice (BMBJ) says it has devised a way to bypass the protocol's encryption and reveal identifying information.

According to the BMBJ's website, iPhone device logs were analyzed to create a "rainbow table" which allowed investigators to convert hidden hash values into the original text and correlate the phone numbers and email accounts of AirDrop content senders. The "technological breakthrough" has successfully helped the public security authorities identify a number of criminal suspects, who use the AirDrop function to spread illegal content, the BMBJ added. "It improves the efficiency and accuracy of case-solving and prevents the spread of inappropriate remarks as well as potential bad influences," the bureau added.

It is not known if the security flaw in the AirDrop protocol has been exploited by a government agency before now, but it is not the first time a flaw has been discovered. In April 2021, German researchers found that the mutual authentication mechanism that confirms both the receiver and sender are on each other's address book could be used to expose private information. According to the researchers, Apple was informed of the flaw in May of 2019, but did not fix it.

HP has used its "Dynamic Security" firmware updates to "create a monopoly" of replacement printer ink cartridges, a lawsuit filed against the company on January 5 claims. From a report: The lawsuit, which is seeking class-action certification, represents yet another form of litigation against HP for bricking printers when they try to use ink that doesn't bear an HP logo. The lawsuit (PDF), which was filed in US District Court in the Northern District of Illinois, names 11 plaintiffs and seeks an injunction against HP requiring the company to disable its printer firmware updates from preventing the use of non-HP branded ink. The lawsuit also seeks monetary damages greater than $5,000,000 and a trial by jury. [...] HP was wrong to issue a firmware update affecting printer functionality, and users were not notified that accepting firmware updates "could damage any features of the printer," the lawsuit says.

According to an analysis of U.S. Bureau of Labor Statistics data, the U.S. added a mere 700 IT jobs compared to 267,000 the year prior. The Register reports: Yet while layoffs have generally kept IT job growth flat for the past year (2023's net 700 comes despite more than 21,000 IT jobs being created in Q4), there's still a surplus of vacant roles, with [tech consultancy Janco Associates] finding some 88,000 remain open. "Based on our analysis, the IT job market and opportunities for IT professionals are poor at best," said Janco CEO M Victor Janulaitis. "Currently, there are almost 100K unfilled jobs with over 101K unemployed IT Pros -- a skills mismatch."

In other words, while we're definitely dealing with correction from pandemic overhiring, we're also wading into a new paradigm where a lot of tech talent is going to have to retrain because AI is being crammed wherever C-level employees can stick it. Much of the layoff debt to hit IT jobs have come to entry-level positions, especially those in the customer service telecommunications and hosting automation areas. In turn, some of the responsibilities of those jobs are being reassigned to the latest and greatest AIs, says Janco.

According to the tech consultancy, entry-level IT demand is shrinking, though demand for those with AI, security, development, and blockchain skills remain desired. "Artificial Intelligence and Machine Learning IT Professionals remain in high demand," said Janulaitis. Still, plans to further replace humans with AI workers at the entry level are hardly far-fetched, with multiple reports finding much the same. [...] Those caught up by this year's tech layoffs seem to have a simple solution on their hands, as far as Janco's data suggests: Retrain for AI. Problem solved ... until the next big thing comes along.

25 years ago, Slashdot's CmdrTaco posted an announcement from Slashdot reader #257. "Jabber is a new project I recently started to create a complete open-source platform for Instant Messaging with transparent communication to other Instant Messaging systems (ICQ, AIM, etc).

"Most of the initial design and protocol work is done, as well as a working server and a few test clients."

You can find the rest of the story on Wikipedia. "Its major outcome proved to be the development of the XMPP protocol." ("Based on XML, it enables the near-real-time exchange of structured data between two or more network entities.") Originally developed by the open-source community, the protocols were formalized as an approved instant messaging standard in 2004 and have been continuously developed with new extensions and features... In addition to these core protocols standardized at the IETF, the XMPP Standards Foundation (formerly the Jabber Software Foundation) is active in developing open XMPP extensions...

XMPP features such as federation across domains, publish/subscribe, authentication and its security even for mobile endpoints are being used to implement the Internet of Things.
"Designed to be extensible, the protocol offers a multitude of applications beyond traditional IM in the broader realm of message-oriented middleware, including signalling for VoIP, video, file transfer, gaming and other uses..."

Slashdot reader #257 turned out to be Jeremie Miller (who at the time was just 23 years old). And according to his own page on Wikipedia, "Currently, Miller sits on the board of directors for Bluesky Social, a social media platform."

An anonymous reader quotes a report from Reuters: Russian hackers were inside Ukrainian telecoms giant Kyivstar's system from at least May last year in a cyberattack that should serve as a "big warning" to the West, Ukraine's cyber spy chief told Reuters. The hack, one of the most dramatic since Russia's full-scale invasion nearly two years ago, knocked out services provided by Ukraine's biggest telecoms operator for some 24 million users for days from Dec. 12. In an interview, Illia Vitiuk, head of the Security Service of Ukraine's (SBU) cybersecurity department, disclosed exclusive details about the hack, which he said caused "disastrous" destruction and aimed to land a psychological blow and gather intelligence. "This attack is a big message, a big warning, not only to Ukraine, but for the whole Western world to understand that no one is actually untouchable," he said. He noted Kyivstar was a wealthy, private company that invested a lot in cybersecurity.

The attack wiped "almost everything", including thousands of virtual servers and PCs, he said, describing it as probably the first example of a destructive cyberattack that "completely destroyed the core of a telecoms operator." During its investigation, the SBU found the hackers probably attempted to penetrate Kyivstar in March or earlier, he said in a Zoom interview on Dec. 27. "For now, we can say securely, that they were in the system at least since May 2023," he said. "I cannot say right now, since what time they had ... full access: probably at least since November." The SBU assessed the hackers would have been able to steal personal information, understand the locations of phones, intercept SMS-messages and perhaps steal Telegram accounts with the level of access they gained, he said. A Kyivstar spokesperson said the company was working closely with the SBU to investigate the attack and would take all necessary steps to eliminate future risks, adding: "No facts of leakage of personal and subscriber data have been revealed."

Investigating the attack is harder because of the wiping of Kyivstar's infrastructure. Vitiuk said he was "pretty sure" it was carried out by Sandworm, a Russian military intelligence cyberwarfare unit that has been linked to cyberattacks in Ukraine and elsewhere. A year ago, Sandworm penetrated a Ukrainian telecoms operator, but was detected by Kyiv because the SBU had itself been inside Russian systems, Vitiuk said, declining to identify the company. The earlier hack has not been previously reported. Vitiuk said SBU investigators were still working to establish how Kyivstar was penetrated or what type of trojan horse malware could have been used to break in, adding that it could have been phishing, someone helping on the inside or something else. If it was an inside job, the insider who helped the hackers did not have a high level of clearance in the company, as the hackers made use of malware used to steal hashes of passwords, he said. Samples of that malware have been recovered and are being analysed, he added.

Dan Goodin reports via Ars Technica: Software maker Ivanti is urging users of its end-point security product to patch a critical vulnerability that makes it possible for unauthenticated attackers to execute malicious code inside affected networks. The vulnerability, in a class known as a SQL injection, resides in all supported versions of the Ivanti Endpoint Manager. Also known as the Ivanti EPM, the software runs on a variety of platforms, including Windows, macOS, Linux, Chrome OS, and Internet of Things devices such as routers. SQL injection vulnerabilities stem from faulty code that interprets user input as database commands or, in more technical terms, from concatenating data with SQL code without quoting the data in accordance with the SQL syntax. CVE-2023-39336, as the Ivanti vulnerability is tracked, carries a severity rating of 9.6 out of a possible 10.

"If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication," Ivanti officials wrote Friday in a post announcing the patch availability. "This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server." RCE is short for remote code execution, or the ability for off-premises attackers to run code of their choice. Currently, there's no known evidence the vulnerability is under active exploitation. Ivanti has also published a disclosure that is restricted only to registered users. A copy obtained by Ars said Ivanti learned of the vulnerability in October. [...]

Putting devices running Ivanti EDM behind a firewall is a best practice and will go a long way to mitigating the severity of CVE-2023-39336, but it would likely do nothing to prevent an attacker who has gained limited access to an employee workstation from exploiting the critical vulnerability. It's unclear if the vulnerability will come under active exploitation, but the best course of action is for all Ivanti EDM users to install the patch as soon as possible.

An anonymous reader quotes a report from VICE News: Last week border officials in the Punjab region of India revealed they intercepted 107 drug-carrying drones sent by smuggling gangs last year over the border from Pakistan, the highest number on record. Most were carrying heroin or opium from Pakistan to be dropped and received by collaborators in the Punjab, notorious for having India's worst levels of opiate addiction. Last year the head of a police narcotics unit in Lahore, a city in Pakistan which borders the Punjab, was dismissed after he was suspected of running a drug trafficking gang sending drones over to India. But the use of cheap flying robots instead of humans to smuggle drugs across borders is a worldwide phenomenon. [...]

[D]rones will likely become an everyday part of drug dealing too, according to Peter Warren Singer, author of multiple books on national security and a Fellow at think tank New America, with legit medicines due to be delivered by drone in the U.S. later this year and maybe in the U.K. too. "We are just scraping the surface of what is possible, as drone deliveries become more and more common in the commercial world, it will be the same with delivery of illicit goods. In our book, Burn-In, we explain how a future city will see drones zipping about delivering everything from groceries and burritos to drugs, both prescribed by a doctor or bought off a dealer. Drones have traditionally been used by governments and corporations for what are known as the "3 D's" jobs that are too dull, dirty, or dangerous for humans. For criminals, it is the same, except add in another D: Dependable. A drone doesn't steal the product and can't be arrested or snitch if caught."

Liam O'Shea, senior research fellow for organized crime and policing at defense and security thinktank RUSI, said drones were at the moment of limited value to wholesale traffickers and organized criminal gangs because of their range and the weight they can carry. "It makes sense that smugglers would seek to use drones. They are cheap and easy to acquire. They also lower the risks involved in some transactions, as smugglers do not have to be physically present during transactions. They offer opportunities for smuggling in areas where previous routes were too risky, such as prisons and over securitized borders. "I expect them to be of greater value to smaller players and distributors dealing with smaller quantities. Wholesale drug traffickers will still need to use routes that facilitate smuggling at higher volume or using drones to make multiple trips, which entails risks of detection. That may well change as improvements in technology improve drones' carrying capacity and crime groups are better able to access drones with greater capacity."

Orange Espana, Spain's second-biggest mobile operator, suffered a major outage on Wednesday after an unknown party obtained a "ridiculously weak" password and used it to access an account for managing the global routing table that controls which networks deliver the company's Internet traffic, researchers said. From a report: The hijacking began around 9:28 Coordinated Universal Time (about 2:28 Pacific time) when the party logged into Orange's RIPE NCC account using the password "ripeadmin" (minus the quotation marks). The RIPE Network Coordination Center is one of five Regional Internet Registries, which are responsible for managing and allocating IP addresses to Internet service providers, telecommunication organizations, and companies that manage their own network infrastructure. RIPE serves 75 countries in Europe, the Middle East, and Central Asia.

The password came to light after the party, using the moniker Snow, posted an image to social media that showed the orange.es email address associated with the RIPE account. RIPE said it's working on ways to beef up account security. Security firm Hudson Rock plugged the email address into a database it maintains to track credentials for sale in online bazaars. In a post, the security firm said the username and "ridiculously weak" password were harvested by information-stealing malware that had been installed on an Orange computer since September. The password was then made available for sale on an infostealer marketplace.

Generative AI models like Google Bard and GitHub Copilot are increasingly being used in various industries, but users often overlook their limitations, leading to serious errors and inefficiencies. Daniel Stenberg of curl and libcurl highlights a specific problem of AI-generated security reports: when reports are made to look better and to appear to have a point, it takes a longer time to research and eventually discard it. "Every security report has to have a human spend time to look at it and assess what it means," adds Stenberg. "The better the crap, the longer time and the more energy we have to spend on the report until we close it." The Register reports: The curl project offers a bug bounty to security researchers who find and report legitimate vulnerabilities. According to Stenberg, the program has paid out over $70,000 in rewards to date. Of 415 vulnerability reports received, 64 have been confirmed as security flaws and 77 have been deemed informative -- bugs without obvious security implications. So about 66 percent of the reports have been invalid. The issue for Stenberg is that these reports still need to be investigated and that takes developer time. And while those submitting bug reports have begun using AI tools to accelerate the process of finding supposed bugs and writing up reports, those reviewing bug reports still rely on human review. The result of this asymmetry is more plausible-sounding reports, because chatbot models can produce detailed, readable text without regard to accuracy.

As Stenberg puts it, AI produces better crap. "A crap report does not help the project at all. It instead takes away developer time and energy from something productive. Partly because security work is considered one of the most important areas so it tends to trump almost everything else." As examples, he cites two reports submitted to HackerOne, a vulnerability reporting community. One claimed to describe Curl CVE-2023-38545 prior to actual disclosure. But Stenberg had to post to the forum to make clear that the bug report was bogus. He said that the report, produced with the help of Google Bard, "reeks of typical AI style hallucinations: it mixes and matches facts and details from old security issues, creating and making up something new that has no connection with reality." [...]

Stenberg readily acknowledges that AI assistance can be genuinely helpful. But he argues that having a human in the loop makes the use and outcome of AI tools much better. Even so, he expects the ease and utility of these tools, coupled with the financial incentive of bug bounties, will lead to more shoddy LLM-generated security reports, to the detriment of those on the receiving end.

An international law firm that works with companies affected by security incidents has experienced its own cyberattack that exposed the sensitive health information of hundreds of thousands of data breach victims. From a report: San Francisco-based Orrick, Herrington & Sutcliffe said last week that hackers stole the personal information and sensitive health data of more than 637,000 data breach victims from a file share on its network during an intrusion in March 2023. Orrick works with companies that are hit by security incidents, including data breaches, to handle regulatory requirements, such as obtaining victims' information in order to notify state authorities and the individuals affected. In a series of data breach notification letters sent to affected individuals, Orrick said the hackers stole reams of data from its systems that pertain to security incidents at other companies, during which Orrick served as legal counsel.

Several prominent museums have been unable to display their collections online since a cyberattack hit a prominent technological service provider that helps hundreds of cultural organizations show their works digitally and manage internal documents. From a report: The Museum of Fine Arts Boston, the Rubin Museum of Art in New York and the Crystal Bridges Museum of American Art in Arkansas were among the institutions confirming that their systems have experienced outages in recent days. The service provider, Gallery Systems, said in a recent message to clients, which was obtained by The New York Times, that it had noticed a problem on Dec. 28, when computers running its software became encrypted and could no longer operate.

"We immediately took steps to isolate those systems and implemented measures to prevent additional systems from being affected, including taking systems offline as a precaution," the company said in the message. "We also launched an investigation and third-party cybersecurity experts were engaged to assist. In addition, we notified law enforcement." Signs of disruption were evident on several museum websites because eMuseum, a tool that usually lets visitors search online collections, was down. There was also disruption behind the scenes: Some curators said that they had returned from their winter vacations to find themselves unable to access sensitive information from another Gallery Systems program called TMS. That system can include the names of donors, loan agreements, provenance records, shipping information and storage locations of priceless artworks.