close
    • chevron_right

      PyPI halted new users and projects while it fended off supply-chain attack

      news.movim.eu / ArsTechnica · Yesterday - 18:50

    Supply-chain attacks, like the latest PyPI discovery, insert malicious code into seemingly functional software packages used by developers. They're becoming increasingly common.

    Enlarge / Supply-chain attacks, like the latest PyPI discovery, insert malicious code into seemingly functional software packages used by developers. They're becoming increasingly common. (credit: Getty Images)

    PyPI, a vital repository for open source developers, temporarily halted new project creation and new user registration following an onslaught of package uploads that executed malicious code on any device that installed them. Ten hours later, it lifted the suspension.

    Short for the Python Package Index, PyPI is the go-to source for apps and code libraries written in the Python programming language. Fortune 500 corporations and independent developers alike rely on the repository to obtain the latest versions of code needed to make their projects run. At a little after 7 pm PT on Wednesday, the site started displaying a banner message informing visitors that the site was temporarily suspending new project creation and new user registration. The message didn’t explain why or provide an estimate of when the suspension would be lifted.

    About 10 hours later, PyPI restored new project creation and new user registration. Once again, the site provided no reason for the 10-hour halt.

    Read 10 remaining paragraphs | Comments

    • chevron_right

      Ubuntu will manually review Snap Store after crypto wallet scams

      news.movim.eu / ArsTechnica · Yesterday - 18:23 · 1 minute

    Man holding a piggy bank at his desk, with the piggy wired up with strange circuits and hardware

    Enlarge / One thing you can say about this crypto wallet: You can't confuse it for any other. (credit: Getty Images)

    The Snap Store, where containerized Snap apps are distributed for Ubuntu's Linux distribution, has been attacked for months by fake crypto wallet uploads that seek to steal users' currencies. As a result, engineers at Ubuntu's parent firm are now manually reviewing apps uploaded to the store before they are available.

    The move follows weeks of reporting by Alan Pope, a former Canonical/Ubuntu staffer on the Snapcraft team, who is still very active in the ecosystem. In February, Pope blogged about how one bitcoin investor lost nine bitcoins (about $490,000 at the time) by using an "Exodus Wallet" app from the Snap store. Exodus is a known cryptocurrency wallet, but this wallet was not from that entity. As detailed by one user wondering what happened on the Snapcraft forums , the wallet immediately transferred his entire balance to an unknown address after a 12-word recovery phrase was entered (which Exodus tells you on support pages never to do).

    Pope takes pains to note that cryptocurrency is inherently fraught with loss risk. Still, Ubuntu's App Center, which presents the Snap Store for desktop users, tagged the "Exodus" app as "Safe," and the web version of the Snap Store describes Snaps as "safe to run." While Ubuntu is describing apps as "Safe" in the sense of being an auto-updating container with runtime confinement (or "sandboxed"), a green checkmark with "Safe" next to it could be misread, especially by a newcomer to Ubuntu, Snaps, and Linux generally.

    Read 7 remaining paragraphs | Comments

    • chevron_right

      Proxmox gives VMware ESXi users a place to go after Broadcom kills free version

      news.movim.eu / ArsTechnica · Yesterday - 17:15

    Proxmox gives VMware ESXi users a place to go after Broadcom kills free version

    Enlarge (credit: Proxmox )

    Broadcom has made sweeping changes to VMware's business since acquiring the company in November 2023, killing off the perpetually licensed versions of VMware's software and instituting large-scale layoffs . Broadcom executives have acknowledged the " unease " that all of these changes have created among VMware's customers and partners but so far haven't been interested in backtracking.

    Among the casualties of the acquisition is the free version of VMware's vSphere Hypervisor, also known as ESXi. ESXi is "bare-metal hypervisor" software, meaning that it allows users to run multiple operating systems on a single piece of hardware while still allowing those operating systems direct access to disks, GPUs, and other system resources.

    One alternative to ESXi for home users and small organizations is Proxmox Virtual Environment , a Debian-based Linux operating system that provides broadly similar functionality and has the benefit of still being an actively developed product. To help jilted ESXi users, the Proxmox team has just added a new " integrated import wizard " to Proxmox that supports importing of ESXi VMs, easing the pain of migrating between platforms.

    Read 3 remaining paragraphs | Comments

    • chevron_right

      Thousands of servers hacked in ongoing attack targeting Ray AI framework

      news.movim.eu / ArsTechnica · 2 days ago - 22:40

    Thousands of servers hacked in ongoing attack targeting Ray AI framework

    Enlarge (credit: Getty Images)

    Thousands of servers storing AI workloads and network credentials have been hacked in an ongoing attack campaign targeting a reported vulnerability in Ray, a computing framework used by OpenAI, Uber, and Amazon.

    The attacks, which have been active for at least seven months, have led to the tampering of AI models. They have also resulted in the compromise of network credentials, allowing access to internal networks and databases and tokens for accessing accounts on platforms including OpenAI, Hugging Face, Stripe, and Azure. Besides corrupting models and stealing credentials, attackers behind the campaign have installed cryptocurrency miners on compromised infrastructure, which typically provides massive amounts of computing power. Attackers have also installed reverse shells, which are text-based interfaces for remotely controlling servers.

    Hitting the jackpot

    “When attackers get their hands on a Ray production cluster, it is a jackpot,” researchers from Oligo, the security firm that spotted the attacks, wrote in a post . “Valuable company data plus remote code execution makes it easy to monetize attacks—all while remaining in the shadows, totally undetected (and, with static security tools, undetectable).”

    Read 12 remaining paragraphs | Comments

    • chevron_right

      Canva’s Affinity acquisition is a subscription-based weapon against Adobe

      news.movim.eu / ArsTechnica · 2 days ago - 19:27

    Affinity's photo editor.

    Enlarge / Affinity's photo editor. (credit: Canva )

    Online graphic design platform provider Canva announced its acquisition of Affinity on Tuesday. The purchase adds tools for creative professionals to the Australian startup's repertoire, presenting competition for today's digital design stronghold, Adobe.

    The companies didn't provide specifics about the deal, but Cliff Obrecht, Canva's co-founder and COO, told Bloomberg that it consists of cash and stock and is worth "several hundred million pounds."

    Canva, which debuted in 2013, has made numerous acquisitions to date, including Flourish, Kaleido, and Pixabay, but its purchase of Affinity is its biggest yet—by both price and headcount (90). Affinity CEO Ashley Hewson said via a YouTube video that Canva approached Affinity about a potential deal two months ago.

    Read 14 remaining paragraphs | Comments

    • chevron_right

      “MFA Fatigue” attack targets iPhone owners with endless password reset prompts

      news.movim.eu / ArsTechnica · 2 days ago - 18:10

    iPhone showing three password reset prompts

    Enlarge / They look like normal notifications, but opening an iPhone with one or more of these stacked up, you won't be able to do much of anything until you tap "Allow" or "Don't Allow." And they're right next to each other. (credit: Kevin Purdy)

    Human weaknesses are a rich target for phishing attacks. Making humans click "Don't Allow" over and over again in a phone prompt that can't be skipped is an angle some iCloud attackers are taking—and likely having some success.

    Brian Krebs' at Krebs on Security detailed the attacks in a recent post , noting that "MFA Fatigue Attacks" are a known attack strategy . By repeatedly hitting a potential victim's device with multifactor authentication requests, the attack fills a device's screen with prompts that typically have yes/no options, often very close together. Apple's devices are just the latest rich target for this technique.

    Both the Kremlin-backed Fancy Bear advanced persistent threat group and a rag-tag bunch of teenagers known as Lapsus$ have been known to use the technique, also known as MFA prompt bombing , successfully.

    Read 11 remaining paragraphs | Comments

    • chevron_right

      “The king is dead”—Claude 3 surpasses GPT-4 on Chatbot Arena for the first time

      news.movim.eu / ArsTechnica · 2 days ago - 16:32 · 1 minute

    Two toy robots fighting, one knocking the other's head off.

    Enlarge (credit: Getty Images / Benj Edwards )

    On Tuesday, Anthropic's Claude 3 Opus large language model (LLM) surpassed OpenAI's GPT-4 (which powers ChatGPT) for the first time on Chatbot Arena , a popular crowdsourced leaderboard used by AI researchers to gauge the relative capabilities of AI language models. "The king is dead," tweeted software developer Nick Dobos in a post comparing GPT-4 Turbo and Claude 3 Opus that has been making the rounds on social media. "RIP GPT-4."

    Since GPT-4 was included in Chatbot Arena around May 10, 2023 (the leaderboard launched May 3 of that year), variations of GPT-4 have consistently been on the top of the chart until now, so its defeat in the Arena is a notable moment in the relatively short history of AI language models. One of Anthropic's smaller models, Haiku, has also been turning heads with its performance on the leaderboard.

    "For the first time, the best available models—Opus for advanced tasks, Haiku for cost and efficiency—are from a vendor that isn't OpenAI," independent AI researcher Simon Willison told Ars Technica. "That's reassuring—we all benefit from a diversity of top vendors in this space. But GPT-4 is over a year old at this point, and it took that year for anyone else to catch up."

    Read 8 remaining paragraphs | Comments

    • chevron_right

      Thousands of phones and routers swept into proxy service, unbeknownst to users

      news.movim.eu / ArsTechnica · 3 days ago - 19:56 · 1 minute

    Thousands of phones and routers swept into proxy service, unbeknownst to users

    Enlarge (credit: Getty Images)

    Crooks are working overtime to anonymize their illicit online activities using thousands of devices of unsuspecting users, as evidenced by two unrelated reports published Tuesday.

    The first, from security firm Lumen Labs, reports that roughly 40,000 home and office routers have been drafted into a criminal enterprise that anonymizes illicit Internet activities, with another 1,000 new devices being added each day. The malware responsible is a variant of TheMoon , a malicious code family dating back to at least 2014. In its earliest days, TheMoon almost exclusively infected Linksys E1000 series routers. Over the years it branched out to targeting the Asus WRTs, Vivotek Network Cameras, and multiple D-Link models.

    In the years following its debut, TheMoon’s self-propagating behavior and growing ability to compromise a broad base of architectures enabled a growth curve that captured attention in security circles. More recently, the visibility of the Internet of Things botnet trailed off, leading many to assume it was inert. To the surprise of researchers in Lumen’s Black Lotus Lab, during a single 72-hour stretch earlier this month, TheMoon added 6,000 ASUS routers to its ranks, an indication that the botnet is as strong as it’s ever been.

    Read 9 remaining paragraphs | Comments

    • chevron_right

      1960s chatbot ELIZA beat OpenAI’s GPT-3.5 in a recent Turing test study

      news.movim.eu / ArsTechnica · Friday, 1 December - 21:27 · 1 minute

    An illustration of a man and a robot sitting in boxes, talking.

    Enlarge / An artist's impression of a human and a robot talking. (credit: Getty Images | Benj Edwards)

    In a preprint research paper titled "Does GPT-4 Pass the Turing Test?", two researchers from UC San Diego pitted OpenAI's GPT-4 AI language model against human participants, GPT-3.5, and ELIZA to see which could trick participants into thinking it was human with the greatest success. But along the way, the study, which has not been peer-reviewed, found that human participants correctly identified other humans in only 63 percent of the interactions—and that a 1960s computer program surpassed the AI model that powers the free version of ChatGPT.

    Even with limitations and caveats, which we'll cover below, the paper presents a thought-provoking comparison between AI model approaches and raises further questions about using the Turing test to evaluate AI model performance.

    British mathematician and computer scientist Alan Turing first conceived the Turing test as "The Imitation Game" in 1950 . Since then, it has become a famous but controversial benchmark for determining a machine's ability to imitate human conversation. In modern versions of the test, a human judge typically talks to either another human or a chatbot without knowing which is which. If the judge cannot reliably tell the chatbot from the human a certain percentage of the time, the chatbot is said to have passed the test. The threshold for passing the test is subjective, so there has never been a broad consensus on what would constitute a passing success rate.

    Read 13 remaining paragraphs | Comments