
      How an unpatched Microsoft Exchange 0-day likely caused one of the UK’s biggest hacks ever

      news.movim.eu / ArsTechnica • 9 August, 2023

    Building with Microsoft logo.


    It’s looking more and more likely that a critical zero-day vulnerability that went unfixed for more than a month in Microsoft Exchange was the cause of one of the UK’s biggest hacks ever—the breach of the country’s Electoral Commission, which exposed data for as many as 40 million residents.

    Electoral Commission officials disclosed the breach on Tuesday. They said that they discovered the intrusion last October when they found “suspicious activity” on their networks and that “hostile actors had first accessed the systems in August 2021.” That means the attackers were in the network for 14 months before finally being driven out. The Commission waited nine months after that to notify the public.

    The compromise gave the attackers access to a host of personal information, including names and addresses of people registered to vote from 2014 to 2022. Spokespeople for the Commission said the number of affected voters could be as high as 40 million. The Commission has not yet said what the cause of the breach or the means of initial entry was.


      “Downfall” bug affects years of Intel CPUs, can leak encryption keys and more

      news.movim.eu / ArsTechnica • 9 August, 2023

    An 8th-generation Intel Core desktop CPU, one of several CPU generations affected by the Downfall bug.


    It's a big week for CPU security vulnerabilities. Yesterday, different security researchers published details on two different vulnerabilities, one affecting multiple generations of Intel processors and another affecting the newest AMD CPUs. "Downfall" and "Inception" (respectively) are different bugs, but both involve modern processors' extensive use of speculative execution (a la the original Meltdown and Spectre bugs), both are described as being of "medium" severity, and both can be patched either with OS-level microcode updates or firmware updates with fixes incorporated.

    AMD and Intel have both already released OS-level microcode software updates to address both issues. Both companies have also said that they're not aware of any active in-the-wild exploits of either vulnerability. Consumer, workstation, and server CPUs are all affected, making patching particularly important for server administrators.

    It will be up to your PC, server, or motherboard manufacturer to release firmware updates with the fixes after Intel and AMD make them available.


      Next-gen OSDP was supposed to make it harder to break in to secure facilities. It failed.

      news.movim.eu / ArsTechnica • 9 August, 2023 • 1 minute


    Researchers have discovered a suite of vulnerabilities that largely break a next-generation protocol that was designed to prevent the hacking of access control systems used at secure facilities on US military bases and buildings belonging to federal, state, and local governments and private organizations.

    The next-generation mechanism, known as Secure Channel, was added about 10 years ago to an open standard known as OSDP, short for the Open Supervised Device Protocol. Like an earlier protocol, known as Wiegand, OSDP provides a framework for connecting card readers, fingerprint scanners, and other types of peripheral devices to control panels that check the collected credentials against a database of valid personnel. When credentials match, the control panel sends a message that opens a door, gate, or other entry system.

    Broken before getting out the gate

    OSDP came about in the aftermath of an attack demonstrated in 2008 at the BlackHat security conference. In a talk there, researcher Zac Franken demonstrated a device dubbed Gecko, which was no bigger than a US quarter. When surreptitiously inserted by a would-be intruder into the wiring behind a peripheral device, Gecko performed an adversary-in-the-middle attack that monitors all communications sent to and from the control panel.


      How we host Ars, the finale and the 64-bit future

      news.movim.eu / ArsTechnica • 9 August, 2023


    Greetings, dear readers, and congratulations—we've reached the end of our four-part series on how Ars Technica is hosted in the cloud, and it has been a journey. We've gone through our infrastructure, our application stack, and our CI/CD strategy (that's "continuous integration and continuous deployment"—the process by which we manage and maintain our site's code).

    Now, to wrap things up, we have a bit of a grab bag of topics to go through. In this final part, we'll discuss some leftover configuration details I didn't get a chance to dive into in earlier parts—including how our battle-tested liveblogging system works (it's surprisingly simple, and yet it has withstood millions of readers hammering at it during Apple events). We'll also peek at how we handle authoritative DNS.

    Finally, we'll close on something that I've been wanting to look at for a while: AWS's cloud-based 64-bit ARM service offerings. How much of our infrastructure could we shift over onto ARM64-based systems, how much work will that be, and what might the long-term benefits be, both in terms of performance and costs?


      Author discovers AI-generated counterfeit books written in her name on Amazon

      news.movim.eu / ArsTechnica • 8 August, 2023

    An illustration of an AI wireframe human head spewing out letters in a cone shape.


    Upon searching Amazon and Goodreads, author Jane Friedman recently discovered a half-dozen listings of fraudulent books using her name, likely filled with either junk or AI-generated content. Both Amazon and Goodreads resisted removing the faux titles until the author's complaints went viral on social media.

    In a blog post titled "I Would Rather See My Books Get Pirated Than This (Or: Why Goodreads and Amazon Are Becoming Dumpster Fires)," published on Monday, Friedman detailed her struggle with the counterfeit books.

    "Whoever’s doing this is obviously preying on writers who trust my name and think I’ve actually written these books," she wrote. "I have not. Most likely they’ve been generated by AI."


      Google, record labels working on deal covering musical “deepfakes”

      news.movim.eu / ArsTechnica • 8 August, 2023

    robot hand throwing the horns


    Google and Universal Music are in talks to license artists’ melodies and voices for songs generated by artificial intelligence as the music business tries to monetize one of its biggest threats.

    The discussions, confirmed by four people familiar with the matter, aim to strike a partnership for an industry that is grappling with the implications of new AI technology.

    The rise of generative AI has bred a surge in “deepfake” songs that can convincingly mimic the voices, lyrics, or sound of established artists, often without their consent.


      Disney explores cutting costs through AI use

      news.movim.eu / ArsTechnica • 8 August, 2023

    The Disneyland castle in Anaheim, California.


    The Walt Disney Company has formed a task force to investigate the potential applications of AI throughout its various business units, reports Reuters, including cutting costs and enhancing customer experiences. This comes despite ongoing Hollywood writers' and actors' strikes that have put some AI technologies in the crosshairs.

    Among other uses, Disney hopes that AI can help control the soaring costs of movie and television production, which can sometimes reach $300 million for major film releases. AI could also enhance customer support and create unique interactions within Disney's theme parks. In 2021, Disney showed off Groot, a free-roaming AI-powered robot, based on the Marvel character, that can interact with park guests.

    Currently, Disney's website lists several job openings seeking employees with expertise in machine learning or artificial intelligence, showing the company's commitment to exploring AI applications. These positions range from the company's film studios to its theme parks and advertising team, which is hoping to build an AI-powered advertising system.


      Even the Pope is worried about AI and its “disruptive possibilities”

      news.movim.eu / ArsTechnica • 8 August, 2023 • 1 minute

    Pope Francis attends the Mass for the 37th World Youth Day at Parque Tejo on August 06, 2023 in Lisbon, Portugal. Pope Francis visits Portugal for World Youth Day (WYD) which takes place over the first week of August.


    Discussion about artificial intelligence is everywhere these days—even the Vatican. On Tuesday, Pope Francis issued a communiqué announcing the theme for World Day of Peace 2024 as “Artificial Intelligence and Peace,” emphasizing the potential impact of AI on human life and calling for responsible use, ethical reflection, and vigilance to prevent negative consequences.

    It's been a wild year for AI in the public eye, with the rise of ChatGPT and Bing Chat spurring concerns over AI takeover, several prominent but controversial letters and statements warning that AI could potentially threaten human civilization, and OpenAI CEO Sam Altman making a world tour with heads of state. Talk of AI regulation has been rampant. The concept of ethical dangers from AI has been high-profile enough that even the Pope feels the need to address it.

    In the communiqué, Pope Francis' office called for "an open dialogue on the meaning of these new technologies, endowed with disruptive possibilities and ambivalent effects." Echoing common ethical sentiments related to AI, he said society needs to be vigilant about the technology so that "a logic of violence and discrimination does not take root in the production and use of such devices, at the expense of the most fragile and excluded."


      Report: Apple buys every 3 nm chip that TSMC can make for next-gen iPhones and Macs

      news.movim.eu / ArsTechnica • 7 August, 2023 • 1 minute

    Silicon wafers from a TSMC factory.


    It's been rumored for several months now that Apple will be using a new 3 nm manufacturing process from Taiwan Semiconductor (TSMC) for its next-generation chips, including M3 series processors for Macs and the A17 Bionic for some next-gen iPhones. But new reporting from The Information illuminates some of the favorable terms that Apple has secured to keep its costs down: Apple places huge chip orders worth billions of dollars, and in return, TSMC eats the cost of defective processor dies.

    At a very high level, chip companies use large silicon wafers to create multiple chips at once, and the wafer is then sliced into many individual processor dies. It's normal, especially early in the life of an all-new manufacturing process, for many of those dies to end up with defects—either they don't work at all, or they don't perform to the specifications of the company that ordered them.

    Normally, chip designers would have to pay for each individual die whether it worked or not; that's a major reason why companies sell cut-down or "binned" chips that run at lower clock speeds or have parts switched off. That way, they can recover some money from a defective die instead of none. Apple's orders with TSMC are apparently large enough that TSMC can afford not to charge Apple for defective dies.
