Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs many interesting services and supports its fans in interesting projects.

Categories

Four Critical Vulnerabilities Expose HPE Aruba Devices to RCE Attacks

The Hacker News - 3 May, 2024 - 06:50
HPE Aruba Networking (formerly Aruba Networks) has released security updates to address critical flaws impacting ArubaOS that could result in remote code execution (RCE) on affected systems. Of the 10 security defects, four are rated critical in severity - CVE-2024-26304 (CVSS score: 9.8) - Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via
Category: Hacking & Security

Apple confirms it will open up the iPad in Europe this fall

Computerworld.com [Hacking News] - 2 May, 2024 - 19:26

In the latest set of tweaks to bring itself into compliance with a new European Union law, Apple has confirmed significant changes to the deal originally offered to developers in the EU. Not only will it open up the iPad in the same way as it is opening up the iPhone in Europe, but it is making significant changes to its Core Technology Fee that should benefit smaller developers.

Europe’s iPads will be opened up this fall

iPadOS will be opened up in Europe starting this fall, the company said in a statement on its developer website. “This week, the European Commission designated iPadOS a gatekeeper platform under the Digital Markets Act,” Apple said. “Apple will bring our recent iOS changes for apps in the European Union (EU) to iPadOS later this fall, as required. Developers can choose to adopt the Alternative Business Terms for Apps in the EU that will include these additional capabilities and options on iPadOS or stay on Apple’s existing terms.”

Of course, once developers do choose to adopt Apple’s alternative terms, they can become liable to pay the company a Core Technology Fee (CTF). 

Improvement to the CTF

The fee is designed to compensate Apple for the value it provides developers in terms of tools, tech, and services. There is good news for developers here in that Apple won’t double charge for this, which means users who install the same app on both iOS and iPadOS within a 12-month period will only generate one first annual install for that app. 

While company critics continue to castigate this so-called “Apple Tax”, the company points out that under current data over 99% of developers in the EU will not be liable to any kind of CTF fee. Which rather implies that the 1% of developers who do pay the fee are able to make the most noise because they can afford the best marketing.

But let’s not dwell on that. Instead, let’s look at two additional changes the company has made to its approach. The first change is quite significant. 

Helping sudden success

When Apple’s teams appeared in front of what seemed to be an EU kangaroo court to explain how it was approaching the DMA, one question from one developer rang true. That person spoke about how an app they made had become hugely successful overnight and explained that under Apple’s originally proposed CTF deal he would have been bankrupted by the fees at that time. Apple responded pretty quickly with a range of tweaks.

At first, it introduced a new loophole developers in that situation could use to return to the original terms of business, which I saw as a kind of lifeboat. Today, it introduced a new tweak I think serves to blunt the pain of unexpected success:

As of now, small developers generating under €10 million in global annual business revenue that adopt the alternative business terms receive a three-year free on-ramp to the CTF to help them create innovative apps and rapidly grow business.

What that means is that within those three years, if a developer who has not previously exceeded one million first annual installs crosses the threshold for the first time, they won’t pay the CTF — even if they continue to exceed one million first annual installs during that time. “If a small developer grows to earn global revenue between €10 million and €50 million within the 3-year on-ramp period, they’ll start to pay the CTF after one million first annual installs up to a cap of €1 million per year.”

This sounds incredibly complicated, but basically means that if you are a small developer and happen to introduce an app that generates millions of installs, you will not need to pay a fee until you scale your business so you can afford to do so.

No revenue? No fee

Obviously, this doesn’t apply to those wealthy developers whose business has already scaled in that way — rightly, they still need to shoulder the burden to help nurture new dev talent. The one big caveat is that the developer must declare their revenue before their first app surpasses one million first annual installs in order to receive these benefits. Leave it too late and you’ll have missed the chance.

The other improvement is that developers who create free apps won’t suddenly be bankrupted because millions download the app. Apple explains:

“No CTF is required if a developer has no revenue whatsoever. This includes creating a free app without monetization that is not related to revenue of any kind (physical, digital, advertising, or otherwise). This condition is intended to give students, hobbyists, and other non-commercial developers an opportunity to create a popular app without paying the CTF.”

It is also important to point out something else. Only developers who achieve over one million first annual installs per year in the EU need to pay Apple’s Core Technology Fee. Not only that, but non-profit organizations, government entities, and educational institutions approved for a fee waiver don’t pay it at all.

While Apple’s well-resourced critics will continue to attack the company’s approach, it’s hard to avoid the feeling that the company is making it crystal clear that it is not now (and probably never was) the small developers who propped up App Store profits, but the large developers now making the loudest complaints.

And that seems to me to be food for thought. I doubt those larger entities have any plans to give their apps away for free. Why should Apple be made to do so?


Apple, iOS, iPad, Mobile, Mobile Apps
Category: Hacking & Security

Udacity offers laid-off US workers free access to its courses for 30 days

Computerworld.com [Hacking News] - 2 May, 2024 - 17:44

Citing the surge in layoffs nationwide, particularly within the IT workforce, online technology learning platform Udacity is offering a free trial to access its entire catalogue of courses for the next 30 days. The courses include certifications in skills such as programming, data science, artificial intelligence, and digital marketing.

“Layoffs have affected hundreds of thousands of people in the United States in the past year,”  Udacity COO Victoria Papalian wrote in a blog post. “Unfortunately, the unsettling trend continues. According to the Challenger Report, US job cuts in March 2024 were the highest since January 2023, up 7% over February.”

Udacity, which was founded as the outgrowth of free computer science classes offered in 2011 through Stanford University, said its free courses are part of its “Nanodegree” credential program. They’re available to anyone laid off over the past year.

In its announcement, the company placed a particular emphasis on highly desired industry skills, such as generative artificial intelligence (genAI). According to a recent study led by the Oxford Internet Institute, “AI skills are particularly valuable as they have high levels of skill complementarity, increasing worker wages by 21% on average,” the company said in a statement.

“To capitalize on the [genAI] opportunity — for business as well as individual benefit — learning about various genAI techniques is not sufficient; professionals must be inspired by the many use cases for genAI in the business, and must gain experience in putting that knowledge into practice within organizational contexts,” Papalian said.

Online instructors include educators from various tech companies, such as Advocate Networks, Cape Analytics, DeepMind, LanceDB, Meta, NVIDIA,  SoFi, and UC Berkeley, as well as Udacity’s own instructors. The topics covered include AI, data science, analytics, project management, digital marketing, cloud computing, web development, and mobile development, as well as genAI for business leaders.

Students studying genAI will also have the opportunity to complete projects modeled on real-world tasks and challenges in professional contexts.

The free courses are available for all levels of IT experience and take about 4 weeks to complete at an average of 10 hours a week. These are examples of some of the courses being offered:

  • Introduction to Python (Beginner)
  • Introduction to SQL (Beginner)
  • Digital Project Management (Beginner)
  • Generative AI Fundamentals (Intermediate)
  • Intro to Data Science (Advanced)

Students who can spend 20 hours a week learning can complete the following courses in 60 days:

  • Business Analytics Nanodegree program (Beginner)
  • AI Programming with Python Nanodegree program (Beginner)
  • Programming for Data Science with Python Nanodegree program (Beginner)
  • AI for Business Leaders Nanodegree program (Intermediate)
  • AWS Cloud Architect Nanodegree program (Advanced)

By spending 40 hours a week, the following Nanodegree programs that typically take four months to complete can be finished in a month:

  • Introduction to Programming Nanodegree program (Beginner)
  • Digital Marketing Nanodegree program (Intermediate)
  • Generative AI Nanodegree program (Intermediate)
  • AI for Trading Nanodegree program (Advanced)
  • Data Scientist Nanodegree program (Advanced)

Udacity students will also have the opportunity to receive feedback on their projects from mentors. The program, including all of Udacity’s tech projects, is now available to All Access subscribers.

“The experience of being laid off is stressful to say the least. And the subsequent job hunt is often no less stressful,” Papalian said. “Knowledge and training are critical to capturing the opportunities.”

Education and Training Software, IT Jobs, IT Skills, Technology Industry
Category: Hacking & Security

Popular Android Apps Like Xiaomi, WPS Office Vulnerable to File Overwrite Flaw

The Hacker News - 2 May, 2024 - 16:22
Several popular Android applications available in Google Play Store are susceptible to a path traversal-affiliated vulnerability codenamed the Dirty Stream attack that could be exploited by a malicious app to overwrite arbitrary files in the vulnerable app's home directory. "The implications of this vulnerability pattern include arbitrary code execution and token theft,
Category: Hacking & Security

RHEL 9.4 Improves Security, Tackles Hybrid Cloud Complexity

LinuxSecurity.com - 2 May, 2024 - 15:05
Red Hat recently released its newest enterprise Linux distro, Red Hat Enterprise Linux (RHEL) 9.4, which introduces several features designed to streamline the management of hybrid cloud environments. While RHEL 7.9 received four more years of support, RHEL 7 Extended Life Cycle Support (ELS) is a one-time extension and may not be seen with other RHEL versions. Thus, Red Hat urges users to upgrade to RHEL 9.4. This latest version enhances management and automation capabilities while providing proactive support for building standard operating environments (SOEs) for distributed systems.
Category: Hacking & Security

Ukrainian REvil Hacker Sentenced to 13 Years and Ordered to Pay $16 Million

The Hacker News - 2 May, 2024 - 14:26
A Ukrainian national has been sentenced to more than 13 years in prison and ordered to pay $16 million in restitution for carrying out thousands of ransomware attacks and extorting victims. Yaroslav Vasinskyi (aka Rabotnik), 24, along with his co-conspirators part of the REvil ransomware group orchestrated more than 2,500 ransomware attacks and demanded ransom payments in
Category: Hacking & Security

Your Google Account allows you to create passkeys on your phone, computer and security keys

Google Security Blog - 2 May, 2024 - 13:59
Sriram Karra and Christiaan Brand, Google product managers

Last year, Google launched passkey support for Google Accounts. Passkeys are a new industry standard that gives users an easy, highly secure way to sign in to apps and websites. Today, we announced that passkeys have been used to authenticate users more than 1 billion times across over 400 million Google Accounts.




As more users encounter passkeys, we’re often asked questions about how they relate to security keys, how Google Workspace administrators can configure passkeys for the user accounts that they manage, and how they relate to the Advanced Protection Program (APP). This post will seek to clarify these topics.




Passkeys and security keys

Passkeys are an evolution of security keys, meaning users get the same security benefits, but with a much simplified experience. Passkeys can be used in the Google Account sign-in process in many of the same ways that security keys have been used in the past — in fact, you can now choose to store your passkey on your security key. This provides users with three key benefits:




  • Stronger security. Users typically authenticate with passkeys by entering their device’s screen lock PIN, or using a biometric authentication method, like a fingerprint or a face scan. By storing the passkey on a security key, users can ensure that passkeys are only available when the security key is plugged into their device, creating a stronger security posture.


  • Flexible portability. Today, users rely on password managers to make passkeys available across all of their devices. Security keys provide an alternate way to use your passkeys across your devices: by bringing your security keys with you.


  • Simpler sign-in. Passkeys can act as a first- and second-factor, simultaneously. By creating a passkey on your security key, you can skip entering your password. This replaces your remotely stored password with the PIN you used to unlock your security key, which improves user security. (If you prefer to continue using your password in addition to using a passkey, you can turn off “Skip password when possible” in your Google Account security settings.)




Passkeys bring strong and phishing-resistant authentication technology to a wider user base, and we’re excited to offer this new way for passkeys to meet more user needs.




Google Workspace admins have additional controls and choice

Google Workspace accounts have a domain-level “Allow users to skip passwords at sign-in by using passkeys” setting which is off by default, and overrides the corresponding user-level configuration. This retains the need for a user’s password in addition to presenting a passkey. Admins can also change that setting and allow users to sign in with just a passkey.




When the domain-level setting is off, end users will still see a “use a security key” button on their “passkeys and security keys” page, which will attempt to enroll any security key for use as a second factor only. This action will not require the user to set up a PIN for their security key during registration. This is designed to give enterprise customers who have deployed legacy security keys additional time to make the change to passkeys, with or without a password.




Passkeys for Advanced Protection Program (APP) users

Since the introduction of passkeys in 2023, users enrolled in APP have been able to add any passkey to their account and use it to sign in. However, users are still required to present two security keys when enrolling into the program. We will be updating the enrollment process soon to enable a user with any passkey to enroll in APP. By allowing any passkey to be used (rather than only hardware security keys) we expect to reach more high-risk users who need advanced protection, while maintaining phishing-resistant authentication.

Category: Hacking & Security

Spectre V2: A New Threat to Linux Systems

LinuxSecurity.com - 2 May, 2024 - 13:00
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's delve into the details of the Spectre v2 exploit, its implications, and the measures being taken to mitigate its impact.
Category: Hacking & Security

New Thunderbird, Firefox Vulns Threaten Sensitive Data, System Availability [Updated]

LinuxSecurity.com - 2 May, 2024 - 13:00
Several significant vulnerabilities have been found in the Thunderbird email client and Firefox web browser. An attacker could exploit these issues to disrupt services, obtain sensitive data, bypass security restrictions, perform cross-site tracing, run rogue programs on your computer, or escalate privileges on impacted systems.
Category: Hacking & Security

When is One Vulnerability Scanner Not Enough?

The Hacker News - 2 May, 2024 - 12:25
Like antivirus software, vulnerability scans rely on a database of known weaknesses. That’s why websites like VirusTotal exist, to give cyber practitioners a chance to see whether a malware sample is detected by multiple virus scanning engines, but this concept hasn’t existed in the vulnerability management space. The benefits of using multiple scanning engines Generally speaking
Category: Hacking & Security

Dropbox Discloses Breach of Digital Signature Service Affecting All Users

The Hacker News - 2 May, 2024 - 12:19
Cloud storage services provider Dropbox on Wednesday disclosed that Dropbox Sign (formerly HelloSign) was breached by unidentified threat actors, who accessed emails, usernames, and general account settings associated with all users of the digital signature product. The company, in a filing with the U.S. Securities and Exchange Commission (SEC), said it became aware of the "
Category: Hacking & Security

New "Goldoon" Botnet Targets D-Link Routers With Decade-Old Flaw

The Hacker News - 2 May, 2024 - 12:10
A never-before-seen botnet called Goldoon has been observed targeting D-Link routers with a nearly decade-old critical security flaw with the goal of using the compromised devices for further attacks. The vulnerability in question is CVE-2015-2051 (CVSS score: 9.8), which affects D-Link DIR-645 routers and allows remote attackers to execute arbitrary
Category: Hacking & Security

Why you’ll soon have a digital clone of your own

Computerworld.com [Hacking News] - 2 May, 2024 - 12:00

Some of the most influential influencers on social media sites aren’t people, but computer-generated digital creations. And soon digital “people” will be commonplace in business. 

In the past, fabricated fake folks were built the old-fashioned way — using Generative Adversarial Networks (GAN) AI technology (the process behind video deepfakes). Nowadays, phony friends are built using LLM-based genAI tools.

One early digital influencer on Instagram, named Lil Miquela, has been 19 years old since 2016, is worth millions of dollars and was named one of the 25 most influential people on the Internet back in 2018, despite not being a person.

Other computer-generated influencers include Lu do Magalu, Shudu Gram, Imma, Ion Göttlich, K/DA, Bermuda, Thalasya and Aitana Lopez.

To me, the most fascinating dimension to the digital influencer phenomenon is the reaction of the public. Followers who presumably know these influencers are computer-generated actually leave comments on their posts, addressing the non-person as if they were capable of reading and understanding comments. 

It’s unsettling to think that these commenters don’t know they’re talking to a fake person, and also unsettling to think they do know — and comment anyway. Some commenters are themselves virtual influencers (no doubt playing the Instagram game of performative engagement on the accounts one wishes to steal followers from).

This is a clue to the future: A huge chunk of the public appears to be indifferent to whether the person who is “influencing” them is real or fake. 

Taking a cue from online AI influencers, businesses are starting to look at creating humans from scratch — or cloning existing humans in digital form. 

The avatar age

While non-existent social media influencers gain millions of followers, Silicon Valley’s heaviest hitters are hard at work to perfect virtual humans for business users. 

Of course, Apple, Microsoft and Meta are making huge strides with real-time avatars for communication.

Meta’s most advanced tech — still in the lab — was demonstrated last year in an amazing video conversation between Lex Fridman and Mark Zuckerberg.

These technologies are being employed for real-time communication. Replacing video, a 3D representation of you copies your mouth movements to match your actual voice, as well as facial expressions and body language for real-time, live communication. 

But another way to use these life-like puppets is to feed them a script, and let a computer-generated voice determine the mouth movements and all the rest. 

TikTok is already developing an AI-powered feature enabling virtual influencers to appear in video advertising on the platform. And Microsoft recently talked up an AI system called VASA-1, which can make what is basically a deepfake video, all from a single photograph and an audio clip. 

Microsoft says it won’t release the technology to the public, citing concern about possible misuse, but the technology’s existence suggests a future where people will be able to create versions of themselves (or others) via free smartphone apps. 

In fact, a company called Synthesia (backed by Nvidia) offers 160 canned AI humans, listed on a menu from which customers can choose. Users write the script (or use Synthesia’s ChatGPT-based tool to auto-create the script), then the avatar “reads” the script using natural looking mouth movements, gestures and facial expressions. The result is a polished presentation in any of 130 languages, and the final presentation is user-editable.

Why do this? For starters, Synthesia claims its product cuts video presentation creation time by 90% and dramatically reduces cost. And, of course, the multi-language feature is fantastic for companies with global reach.

Now, Synthesia is working on technology designed to turn users into avatars — full-body digital clones that are hard to tell from the real person. 

It starts with a full-body scan. From that point forward, the user has possession of a photorealistic digital double who can do all the presentations and other video content that would normally be done personally. The AI clone takes emotive cues from the words in the script, smiling during light moments, looking appropriately sad delivering bad news. The ability to convey non-verbal communication naturally is the result of Synthesia’s Express-1 AI model, which itself was trained using professional actors. 

The benefit here is that you can give high-quality video presentations without a camera or a microphone — you can build it from an airplane or the beach. Plus, you speak 130 languages and never age. 

When your clone gets an AI brain

But far more interesting than an avatar that looks and acts like you is one that thinks and communicates like you — a virtual you with an AI brain for interacting with others on your behalf. 

Meta is working on tech called “Creator A.I.” that will enable real Instagram influencers to create fake digital AI versions of themselves to interact with fans through direct messages and comments. That initiative is a glimpse of the near future of business communication. 

We’ve been talking about “digital transformation” for a decade. But only recently has that transformation involved digitizing ourselves. 

Businesses are now looking to embrace the concept of digital avatars for all the same reasons as other digital transformation initiatives: Higher productivity and lower costs. This process involves the cloning of existing people. 

Any day now, an industry will emerge where your face and body are scanned, your voice is recorded and your communications are fed into the system, so it knows how you use words. From that point, a virtual version of you can leave high-resolution video messages from a simple command you give to your AI glasses. 

In other words, you say: “Send Janet a message and let her know I’ll be late.” Then Janet receives a video of “you” telling her you’ll be late. When she asks where you are now, the digital video you will tell her based on your current location. When she tells the digital you that she can’t meet late today, and that we should schedule it for another time, the video you says: “Ok, no problem. How about tomorrow, same time?” You get a notification and, after your approval, the meeting is rescheduled on your calendar. 

Likewise, when someone tries to video call you and you don’t answer, the virtual you can take your place and try to handle whatever business comes via the call.

Within a few short years, this technology will advance to the point where nobody can be sure whether they’re doing a video call with you or your AI clone. 

Presentations, pitches, training and other forms of communication you’d normally be recorded doing will be created in far less time by simply uploading a script or even a cryptic, brief set of instructions or descriptions of what your digital self is supposed to communicate. And then the AI can create a solid, appealing, polished presentation delivered by you or, rather, your clone.

Whether the ubiquity of AI clones in business sounds creepy or exciting, I can tell you that it’s absolutely going to happen. 

The embrace of virtual humans in a business context — as weird as that is — should be approached like any other major digital initiative: Define the strategy, identify specific needs, evaluate and select the right technologies and providers, estimate ROI, focus on data privacy and regulatory compliance and all the rest.

If you’re feeling overwhelmed, don’t worry. Help is on the way. Soon you’ll have a clone of your own.

Augmented Reality, Emerging Technology, Generative AI, Virtual Reality
Category: Hacking & Security

CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability

The Hacker News - 2 May, 2024 - 08:15
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw impacting GitLab to its Known Exploited Vulnerabilities (KEV) catalog, owing to active exploitation in the wild. Tracked as CVE-2023-7028 (CVSS score: 10.0), the maximum severity vulnerability could facilitate account takeover by sending password reset emails to an unverified email
Category: Hacking & Security
