Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, and Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.

Categories

PUBLOAD and Pubshell Malware Used in Mustang Panda's Tibet-Specific Attack

The Hacker News - 27 June, 2025 - 15:25
A China-linked threat actor known as Mustang Panda has been attributed to a new cyber espionage campaign directed against the Tibetan community. The spear-phishing attacks leveraged topics related to Tibet, such as the 9th World Parliamentarians' Convention on Tibet (WPCT), China's education policy in the Tibet Autonomous Region (TAR), and a recently published book by the 14th Dalai Lama, [...]
Category: Hacking & Security

Apple changes EU App Store rules, but will fight Europe’s demands

Computerworld.com [Hacking News] - 27 June, 2025 - 13:31

Critics might argue that Apple at the 11th hour stepped forward with new rules for developers in Europe that might be acceptable to the region’s anti-trust regulators — but that’s not how Apple sees it. That company, which is appealing the rules Europe has applied to directly constrain its business, says regulators have not been transparent throughout the process, making arbitrary decisions despite constant communication between both sides on the matter.

Apple does, however, hope the changes it has now introduced to its steering arrangements for developers will bring its business in line with Europe’s Digital Markets Act. It certainly has reasons to think so; Apple said it worked with the regulators on the arrangements and believes they bring it into compliance.

Apple announced the latest rounds of EU DMA-inspired changes via a Thursday note on its developer’s website.

Malicious compliance

But there is still a problem; Apple says that even though it’s been meeting intensively with European Commission regulators for more than a year, the experience has been a frustrating one. Regulators have continuously moved the goalposts on what compliance looks like. The company complains that they have even prevented Apple from implementing new solutions to bring its business into compliance and then fined the company for not making changes. 

This has placed a big burden on the company, which has had to invest thousands of hours in attempting to meet the Commission’s ever-changing demands. From what I hear, it’s akin to throwing darts at a board attached to a rope, allowing the board to move out of the way once the dart is fired. It’s an unequal, opaque process seemingly designed for Apple to lose and perhaps in itself an articulation of malicious compliance — with malice from the regulators.

We’ll have to wait and see whether the changes Apple announced do actually meet European regulators’ demands. They should, as Apple is very much giving the impression they were introduced in collaboration with EC authorities. 

Apple will appeal

That doesn’t mean Apple accepts the changes it’s been forced to make. The company has until July 7 to appeal and will do so. Apple is quite open that it opposes the demands Europe has made of it and continues to warn that the patchwork of changes it introduced will erode security and privacy, dent the user experience, and make it harder for the company to innovate. 

Apple’s enemies, typically, remain critical of the changes. Epic Games CEO Tim Sweeney, who has spent millions on his assault on Apple business practices, slams the new terms as “blatantly unlawful,” calling them a “mockery of fair competition.”

I imagine Apple might suggest that they are inherently lawful and support Europe’s view of fair competition. The changes can loosely be grouped as changes in the way steering is supported on the platform, and changes in business terms.

What steering changes did Apple introduce?

In short, the changes comprise policy and payment tweaks and the removal of some restrictions.

One of the biggest alterations concerns the warning notice Apple provides users to warn them when they tap on external links. Critics had complained this mandatory warning got in the way of consumer choice and wanted it removed. It looks as if Apple partially won that argument, in that the warning will now appear the first time a user taps on an external link, but there is now an option to opt out of seeing the warning later when tapping external links in the same app.

In other words, you’ll be warned the first time you tap out from an app but can override future warnings if you trust the developer. Apple had wanted a warning to appear each time you tap an external link.

Additionally:

  • Changes apply to all developers, whether or not they have wanted to use alternative business terms in Europe.
  • Developers can use URLs in their apps that direct traffic to external websites, other apps, and alternative app marketplaces. They can also link to in-app promotions — and they can use multiple URLs inside their app, not just one as before. 
  • The links developers put inside their apps can collect additional user information through tracking parameters, redirects, and intermediate links. This will increase the burden on consumers to verify the security and privacy of a link they find in an app before they use it.
  • Apple had originally insisted developers use its own templates for interfaces to links and promotions; under the new rules, developers can freely design these.

What business changes has Apple made?

The company also changed its business terms in the EU. These do not apply to apps sold via third-party app stores, and they are not applied against offers directed from inside an app. But they do apply to links that direct users to the web, as well as in-app alternative payment service providers.

The deal is that Apple charges an Initial Acquisition Fee, a Store Services Fee and Core Technology charges.

In brief, these consist of:

Initial Acquisition Fee

This is designed to recognize Apple’s role in connecting users to developers.

  • A 2% fee on the sale of digital goods and services to new users.
  • The fee applies for the first six months after the user first downloads an app from the app store.
  • The fee is waived for developers in Apple’s Small Business Program.
  • There is no fee for existing users.

Store Services Fee

Apple’s App Store offers a range of services to developers, who can now choose between a basic set of mandatory services, or the full collection of services:

Tier One Store Services: A 5% fee in exchange for which developers get trust and safety features, app management, and app distribution and delivery services. The fee does not extend to automatic app updates or automatic downloads across devices.

Tier Two Store Services: Set at 13% (or 10% for Small Business Program members), this fee gives developers access to all the services the App Store presently provides, including promotions, search suggestions, discovery, automatic downloads and automatic updates.

Core Technology charges

  • Developers signed up to Apple’s alternative terms in the EU will pay the previously announced Core Technology Fee of €0.50 per install for each first annual install over 1 million.
  • Developers on Apple’s standard business terms will now pay a Core Technology Commission of 5% on sales made through in-app promotion of alternate payments.
  • Apple will migrate all its European developers to the new fee structure by Jan. 1, 2026.

Where can I find out more about Apple’s European changes?

The company has published a range of pages describing the changes it has applied:

What will happen?

I remain concerned about the dilution of warnings on the store and the lack of implicit control over what links developers use to direct their audiences to external traffic. I’m in no doubt whatsoever that these openings will be abused to form new attack surfaces over which Apple has little control. Enterprise users will no doubt use device management policy to forbid use of third-party payment services and installs in an attempt to protect corporate data.

Even more concerning are Apple’s accusations that the EC has been deliberately opaque in its negotiations, which suggest that enforcement of the DMA has very swiftly become a political weapon, perhaps in some unspoken European economic battle against the US. I doubt we’ve heard the last of this ongoing battle, which will likely last longer than the game that kicked it off.

You can follow me on social media! Join me on BlueSky, LinkedIn, and Mastodon.

Category: Hacking & Security

Business Case for Agentic AI SOC Analysts

The Hacker News - 27 June, 2025 - 13:00
Security operations centers (SOCs) are under pressure from both sides: threats are growing more complex and frequent, while security budgets are no longer keeping pace. Today’s security leaders are expected to reduce risk and deliver results without relying on larger teams or increased spending. At the same time, SOC inefficiencies are draining resources. Studies show that up to half of all [...]
Category: Hacking & Security

Chinese Group Silver Fox Uses Fake Websites to Deliver Sainbox RAT and Hidden Rootkit

The Hacker News - 27 June, 2025 - 12:25
A new campaign has been observed leveraging fake websites advertising popular software such as WPS Office, Sogou, and DeepSeek to deliver Sainbox RAT and the open-source Hidden rootkit. The activity has been attributed with medium confidence to a Chinese hacking group called Silver Fox (aka Void Arachne), citing similarities in tradecraft with previous campaigns attributed to the threat actor. [...]
Category: Hacking & Security

Is Microsoft’s new Mu for you?

Computerworld.com [Hacking News] - 27 June, 2025 - 12:00

Microsoft announced this week a new generative AI (genAI) system called Mu, and it’s a true glimpse into the future of how we’ll use everything, from PCs to toasters. 

Mu lets people control their computers using plain language. For example, you can type or say, “turn on dark mode” or “make my mouse pointer bigger,” and the computer will do it. The first place Mu appears is in the Windows 11 Settings app. You say or type how you want a specific setting to change, and the genAI tool figures out what you want and makes the change for you. 

Crucially, this isn’t a large language model (LLM) running in the cloud. Mu is a small language model (SLM) with a comparatively paltry 330 million parameters, built to run on a specialized AI chip called a neural processing unit, or NPU. (This chip is found in the latest Copilot+ PCs from Microsoft, Dell, HP, Lenovo, Samsung, and Acer. These new PCs started shipping in June 2024 and are the only computers that can use Mu and other advanced AI features in Windows 11.)

It’s not an LLM-based chatbot that lives in the cloud. It’s an SLM that runs entirely on the PC, even when disconnected from the internet. 

Microsoft Copilot+ PCs can run Mu because they have an NPU that can handle at least 40 trillion operations per second. Microsoft collaborated with Qualcomm, AMD, and Intel to ensure Mu runs smoothly on their NPUs, which are now standard in all Copilot+ PCs.

Mu uses a transformer encoder-decoder design, which means it splits the work into two parts. The encoder takes your words and turns them into a compressed form. The decoder takes that form and produces the correct command or answer. 

This design is more efficient than older models, especially for tasks such as changing settings. Mu has 32 encoder layers and 12 decoder layers, a setup chosen to fit the NPU’s memory and speed limits. The model utilizes rotary positional embeddings to maintain word order, dual-layer normalization to maintain stability, and grouped-query attention to use memory more efficiently. These technical choices let Mu process more than 100 tokens per second and respond in less than 500 milliseconds.

Compared with LLM-based chatbots like OpenAI’s ChatGPT, Mu is super fast. 

Microsoft trained Mu on 3.6 million examples focused on Windows settings and related tasks. The training happened on Azure using NVIDIA A100 GPUs. After training, Microsoft fine-tuned Mu and used quantization to shrink its memory needs, so it would run well on NPUs from all three chipmakers. As a result, Mu is about one-tenth the size of Microsoft’s Phi-3.5-mini model, but performs almost as well for the tasks it was built to do.

Mu is truly groundbreaking because it is the first SLM built to let users control system settings using natural language, running entirely on a mainstream shipping device. Apple’s iPhones, iPads, and Macs all have a Neural Engine NPU and run on-device AI for features like Siri and Apple Intelligence. But Apple does not have a small language model as deeply integrated with system settings as Mu. Siri and Apple Intelligence can change some settings, but not with the same range or flexibility. 

Samsung’s Galaxy S25 and other recent flagship phones feature a custom NPU and Galaxy AI, which can perform various device control and personal assistant tasks. However, they too lack an SLM for comprehensive system settings control. 

Google’s Chromebook Plus devices have an NPU and support on-device AI, but they don’t use an SLM for system settings in the way Mu does.

By processing data directly on the device, Mu keeps personal information private and responds instantly. This shift also makes it easier to comply with privacy laws in places like Europe and the US since no data leaves your computer.

The industry is moving in this direction for obvious reasons. SLMs are now powerful enough to handle focused tasks on par with larger cloud-based models. They are cheaper to run, use less energy, and can be tailored for specific jobs or languages. 

Note that NPUs are not rare. They’re currently available in new phones, tablets, and even home appliances. These chips are designed to run neural networks efficiently and with low power, making it possible to offer smart features that work anywhere, even without a reliable internet connection. 

Most importantly, SLMs running on NPUs are a BFD — not just for PCs, phones, and tablets, but for everything. As the power and capabilities go up and the costs come down, we can expect car dashboards, thermostats, washing machines, tractors, and everything else (including toasters) to eschew nested menus for user control in favor of voice-controlled settings. 

You’ll walk into the kitchen and tell the toaster to toast your bagel lightly in about 20 minutes before telling the coffee maker to make you a flat white. After breakfast, you’ll go into your home office and remotely control all manner of IoT devices and other objects by talking to an SLM dedicated to each device. 

Note that these SLMs for device control will also work directly with LLMs for information and other actions, like writing code, building websites and apps, and facilitating all your business communications. That SLM you’ll be talking to will mainly live and execute locally on your smart glasses. 

You may never own or use a Copilot+ PC. But you will definitely use something like Mu every day for most of your professional and personal life on many devices. It’s a true glimpse of the future of how we interact with machines. 

Category: Hacking & Security

A clever new way to create instant reminders on Android

Computerworld.com [Hacking News] - 27 June, 2025 - 11:45

I don’t know how my brain would even function at this point if it weren’t for reminders.

No joke: This rusty ol’ noggin of mine is overloaded with info these days (and, as I’ve noted before, it ran out of internal storage space approximately 12 years ago — and I’ve yet to find an affordable hippocampus RAM upgrade). So more and more, I find myself relying on a complex web of reminders both physical and digital to make sure I manage everything from day-to-day chores to Very Important Business Matters.

One area where such a need seems to come up constantly is on my Android device — when I see something in a text message, a Slack message, an email, or maybe even a website that makes me think, “Hey, you handsome but mushy-brained miscreant, you’d better not forget to come back to this later!” 

And one tool I’ve found absolutely indispensable in such scenarios is the native screenshot reminder system built into Google’s Pixel 9-level gadgets.

It couldn’t be much easier to use: Anytime you see anything reminder-worthy, you snag a screenshot — by pressing your device’s physical power and volume-down buttons at the same time — then look for the handy little bell icon that pops up as a part of the standard screenshot confirmation in the lower-left corner of the screen.

It’s incredibly handy. But it’s also, unfortunately, available only on the very latest Google Pixel devices — which means the vast majority of Android-appreciating animals are unable to take advantage of it.

But fear not, my fellow memory-challenged manatee: I’ve got an awesomely effective new way to bring a similar sort of superpower onto any Android device this instant — no matter who made it or how old it may be.

[Psst: Love shortcuts? My free Android Shortcut Supercourse will teach you tons of time-saving tricks. Start now!]

Android reminders, on demand

Now, first things first: If you’re a regular reader of this increasingly crusty column, you might be thinking to yourself: “Uh, Mr. Memory Man? You’ve written this same story before.”

And, well, you’re kinda right — with the key word being kinda. Shortly after the Pixel 9’s debut, whilst I was first basking in the beauty of its underappreciated and barely-mentioned on-demand reminder brilliance, I came up with a rather convoluted way to emulate something similar on any Android device, with the help of a third-party task app and some other optional elements.

It got the job done, all right, but it wasn’t exactly easy — and it required you to rely on an external app for storing and managing your reminders, too, which isn’t exactly optimal.

Today, inspired by the crafty thinking of one of my Intelligence Insider community members, I’ve got an even better way to rev up your reminders while remaining well within Google’s core apps and services.

With my thanks to Joshua G. from our forum, the fix leans entirely on Google’s next-gen Gemini Android assistant. And if you’re a generative-AI eye-roller who’s tired of everyone pretending these systems aren’t glorified pattern-predictors with shockingly disqualifying accuracy issues, don’t worry — ’cause this setup, like the many excellent Gemini possibilities I uncovered and shared with you last week, has nothing to do with the typically touted genAI goofiness and is instead more of a conventional virtual assistant ability.

But enough blathering — here’s the trick to try out on your own:

  • The next time you see something you need to remember anywhere on Android, snag a screenshot — just like you would with the Pixel 9 approach we went over a minute ago. (Again, power button and volume-down button together.)
  • Then, when you see the little screenshot confirmation pop-up, tap the share icon within it and select Gemini from the list of options.
    • Gemini now comes preinstalled on most current devices, and many older devices have also been updated to include it. If your device doesn’t yet show Gemini as an option, you can manually download the official Gemini app and then open it once to get things going.
    • Also, bonus tip: If you want to make this even more convenient moving forward, you can use Android’s oft-forgotten share menu pinning option to stick Gemini to the top of the list for especially easy ongoing access.
  • Now, once Gemini comes up — with your screenshot already in place within its prompt box — either type in the text or tap the microphone button and then speak the command “remind me about this,” optionally with a specific day and time at the end.

Take a screenshot, share it to Gemini, then ask it to create a reminder — and poof: The deed is done.

JR Raphael, Foundry

You can follow this pattern for practically anything, but where it’s especially handy is when the underlying info on the screen was already about a specific task or activity you need to remember.

In that sort of scenario, Gemini will automatically extract and implement all the details from within the screenshot — including the nature of the task and, if present, even the date and time it mentions.

Instant extraction and intelligent reminder creation, all thanks to Gemini on Android.

JR Raphael, Foundry

You get the idea.

In the right sort of situation and with the right thinking around it, it’s yet another way Gemini can actually be useful on Android — without any of the asterisks or eye-rolling that accompany its most publicly promoted possibilities.

Teach yourself even more advanced shortcut sorcery with my free Android Shortcut Supercourse. Tons of time-saving tricks await!

Category: Hacking & Security

Retail giant Ahold Delhaize says data breach affects 2.2 million people

Bleeping Computer - 27 June, 2025 - 11:12
Ahold Delhaize, one of the world's largest food retail chains, is notifying over 2.2 million individuals that their personal, financial, and health information was stolen in a November ransomware attack that impacted its U.S. systems. [...]
Category: Hacking & Security

MOVEit Transfer Faces Increased Threats as Scanning Surges and CVE Flaws Are Targeted

The Hacker News - 27 June, 2025 - 09:43
Threat intelligence firm GreyNoise is warning of a "notable surge" in scanning activity targeting Progress MOVEit Transfer systems starting May 27, 2025—suggesting that attackers may be preparing for another mass exploitation campaign or probing for unpatched systems. MOVEit Transfer is a popular managed file transfer solution used by businesses and government agencies to share sensitive data [...]
Category: Hacking & Security

Windows 11 KB5060829 update released with 38 new changes, fixes

Bleeping Computer - 27 June, 2025 - 09:28
Microsoft has released the KB5060829 preview cumulative update for Windows 11 24H2, which includes 38 changes, including improvements to the taskbar and a new PC-to-PC migration experience. [...]
Category: Hacking & Security

OneClik Malware Targets Energy Sector Using Microsoft ClickOnce and Golang Backdoors

The Hacker News - 27 June, 2025 - 08:31
Cybersecurity researchers have detailed a new campaign dubbed OneClik that leverages Microsoft's ClickOnce software deployment technology and bespoke Golang backdoors to compromise organizations within the energy, oil, and gas sectors. "The campaign exhibits characteristics aligned with Chinese-affiliated threat actors, though attribution remains cautious," Trellix researchers Nico Paulo [...]
Category: Hacking & Security

Whole Foods supplier UNFI restores core systems after cyberattack

Bleeping Computer - 27 June, 2025 - 08:21
American grocery wholesale giant United Natural Foods (UNFI) reports that it has restored its core systems and brought online the electronic ordering and invoicing systems affected by a cyberattack. [...]
Category: Hacking & Security

Hawaiian Airlines discloses cyberattack, flights not affected

Bleeping Computer - 27 June, 2025 - 07:37
Hawaiian Airlines, the tenth-largest commercial airline in the United States, is investigating a cyberattack that has disrupted access to some of its systems. [...]
Category: Hacking & Security

Don’t trust that email: It could be from a hacker using your printer to scam you

Computerworld.com [Hacking News] - 27 June, 2025 - 05:01

Printers and scanners are increasingly becoming ways for cyber crooks to deliver phishing attacks, thanks to a flaw in the Microsoft 365 Direct Send feature.

The Varonis forensics team has uncovered an exploit which allows internal devices such as printers to send emails without authentication. The vulnerability has been used to target more than 70 organizations, predominantly in the US, with threat actors spoofing internal users and delivering phishing emails without needing to compromise any accounts whatsoever.

The campaign has been successful because emails sent from within Microsoft 365 (M365) undergo less scrutiny than standard inbound email.

Category: Hacking & Security

Microsoft/OpenAI AGI argument unlikely to impact enterprise IT

Computerworld.com [Hacking News] - 27 June, 2025 - 04:26

There may be trouble in the industry’s biggest AI alliance, with a contract dispute about AGI threatening to topple the partnership between OpenAI and Microsoft.

The dispute, according to a report from The Information, involves a line in their contract that allows for the alliance to die once AGI (artificial general intelligence), the ability for genAI to replicate the capabilities of human thought, is achieved.

The problem is not with the lack of a precise AGI definition. It is that the concept is impossible to prove. OpenAI could deliver 100 proofs that show that they have achieved AGI and Microsoft could counter with 100 proofs that it hasn’t. Sentience is impossible to prove — or to disprove — with examples.

“They’re never going to settle on a definition of AGI that is intuitively satisfying to all. Any attempt to define AGI by looking at the internals of how the mind works often gets muddied by things like qualia and consciousness, which are notoriously difficult to pin down using an externally verifiable measure,” said John Licato, an associate professor at the University of South Florida’s Bellini College of Artificial Intelligence. “Instead, I expect they’re going to need to pick a somewhat arbitrary dividing line, purely tied to tests of performance. One example might be based on some consensus-based variant of the Turing Test in which a group of laypeople are asked to interact [blindly] with either humans or the AI, and they are then asked which they interacted with. If a large enough percentage of people are fooled, then the test is passed.”

Both sides want to exit the deal

Setting aside any AGI test, what is likely behind the argument is the desire by both parties to end the agreement, given how much has changed since the deal was struck in 2019.

The contractual AGI trigger appears to end any additional code-sharing, but there are no indications that Microsoft would have to surrender, or even stop using OpenAI code it had received before AGI was declared. 

And analysts and enterprise IT executives agree that Microsoft is well-positioned to aggressively continue its genAI efforts without continuing to receive code from OpenAI.

Microsoft no longer needs OpenAI

Justin St-Maurice, a technical counselor at Info-Tech Research Group, said he doubts that ending the partnership would set Microsoft back in any serious way.

“Microsoft has its own models, a strong Azure ecosystem, and access to increasingly capable open-source LLMs. They don’t actually need OpenAI to deliver a successful product. Right now, the real bottleneck with Copilot isn’t the underlying model, but the rigid, rules-based implementation layered on top,” St-Maurice said. “Swapping out OpenAI with a different LLM won’t break an already weak user experience … As LLMs are becoming commoditized, the magic lies in the integration, not the engine.”

St-Maurice had a strong reaction to one reference in The Information’s story about the stated reason for the AGI deal-killer clause during the original contract negotiations.

It said: “The idea behind the AGI contract provision is that Microsoft, as one of the world’s most powerful for-profit firms, shouldn’t get access to technology that might eventually help people colonize other planets or develop nuclear fusion. Doing so would go against OpenAI’s founding principle in 2015 to develop technology for the benefit of all of humanity, an idea that has roots in the beliefs of OpenAI founders, including CEO Sam Altman and Tesla CEO Elon Musk, who wanted to ensure the most powerful technologies didn’t end up in the hands of for-profit firms.”

OpenAI’s principles have changed since 2019

St-Maurice said that claim is rather absurd, given how OpenAI has not been acting at all like a non-profit.

“Sorry, how exactly is OpenAI sticking to its founding principles in 2025?” St-Maurice asked. “It’s hard not to wonder if OpenAI doesn’t want the world’s most powerful for-profit firms to have AGI technology because it would rather be the world’s most powerful for-profit firm with AGI technology.”

St-Maurice added: “They’re not doing this for humanity, and OpenAI has a lot of work to do to convince me otherwise. The rhetoric about ‘benefiting all of humanity’ rings a little hollow when Sam Altman is openly forecasting mass job displacement and a future where society becomes dependent on the technology class. It’s hard to see altruism when it also appears to conveniently consolidate control.”

Execs see little impact

Enterprise IT executives appeared to agree that even if the partnership dissolves, they will feel little to no impact.

Vinod Goje, the VP engineering manager at Bank of America, said Microsoft is well-positioned for a post-OpenAI model future. It has the cloud infrastructure, the enterprise relationships, and the financial firepower to pivot faster than most realize, he pointed out, stressing that he was speaking personally and not representing his employer. While losing exclusive access to OpenAI’s latest models would sting, they’ve got partnerships with Meta, their own research teams, and enough resources to acquire or develop alternatives.

“The real disruption isn’t whether Microsoft can survive without OpenAI. It’s that we’re essentially flying blind on the most consequential technology decisions of our lifetime,” he noted. “When you can’t even agree on what AGI looks like, how do you write contracts? How do you regulate it? How do you prevent it from being controlled by whoever gets there first? It’s a preview of the governance chaos coming if we don’t get serious about how AGI is defined, verified and shared. What this really reveals is the structural weakness in how we govern foundational technologies.”

Goje argued that the MS-OpenAI situation shows how unprepared the industry is for the implications of GenAI.

“The Microsoft-OpenAI standoff is a canary in the coal mine for the entire AI industry. We’re watching a $10 billion partnership potentially unravel over something as fundamental as ‘What is intelligence?’” Goje said. “This dispute is forcing the industry to confront an uncomfortable truth: we’re building the future without a roadmap. The companies that figure out governance frameworks first, not just the technology, will be the ones that actually shape what comes next.”

Another enterprise IT executive agreed.

“I don’t think there will be any material impact [if Microsoft and OpenAI split],” said Brian Phillips, VP of Macy’s technology, “especially if they can keep the code they have been using.”

Category: Hacking & Security

FTC approves $126 million in Fortnite refunds over ‘dark patterns’

Bleeping Computer - 26 June, 2025 - 22:27
The Federal Trade Commission (FTC) has approved $126,000,000 in refunds to be sent to 969,173 Fortnite players as part of a settlement over allegations that Epic Games tricked users into making unwanted purchases. [...]
Category: Hacking & Security

Brother printer bug in 689 models exposes default admin passwords

Bleeping Computer - 26 Červen, 2025 - 20:10
A total of 689 printer models from Brother, along with 53 other models from Fujifilm, Toshiba, and Konica Minolta, come with a default administrator password that remote attackers can generate. Even worse, there is no way to fix the flaw via firmware in existing printers. [...]
Category: Hacking & Security

OpenAI productivity suite could change the way users create documents

Computerworld.com [Hacking News] - 26 June 2025 - 18:48

OpenAI’s planned productivity suite could dismantle traditional habits of how users create and consume documents in the same way the company changed browsing and search habits.

“OpenAI is increasingly seeing itself as a productivity tool, and that would include the need to address actual creation tools like Office does,” said Jack Gold, principal analyst at J. Gold Associates.

OpenAI hasn’t officially announced a product, but The Information reported (subscription required) that the generative AI (genAI) company has already designed a rival to the dominant productivity tools.

But good luck getting customers to move from Microsoft 365 or Google Workspace, analysts said, noting that the top two productivity suites are well entrenched among users and organizations.

OpenAI is already including certain elements of a productivity suite in its offerings, such as multiple export format support, said Wayne Kurtzman, research vice president of collaboration and communities at IDC. The feature is available in ChatGPT features such as Canvas, which “is a new interface for working with ChatGPT on writing and coding projects that require editing and revisions,” according to OpenAI’s website.

“That can be construed, correctly or not, as starting to build a productivity suite,” Kurtzman said.

IDC sees the market favoring newer digital experiences in creating and consuming content, he said. “Whether OpenAI sees this as an opportunity they would like to pursue in new ways is yet to be seen,” Kurtzman said.

The future of productivity and collaboration suites lies in user interface simplification via genAI, said J.P. Gownder, vice president and principal analyst on Forrester’s Future of Work team. He described it as “a lot less pulling down menus or drawing and a lot more prompt engineering and providing sources to the AI so it can compose the asset.”

Document creation could look something like this: GenAI would take a first swing at creating a business document that the user then edits, iterates, and finalizes. That approach will become much more common.

Users will go “over the top,” asking Microsoft’s Copilot to create PowerPoint presentations, specifying the documents such as meeting notes or oral instructions that it should use to create the deck.

“I predict that, by 2029, Microsoft PowerPoint will hide or remove 80% of the elements on the Ribbon, the set of navigation controllers. Why? Because you won’t need them anymore; you will go ‘over the top,’” Gownder said.

OpenAI trying to innovate in this area makes sense; companies like Zoom and beautiful.ai already do this, though not to the level of sophistication users will see in the future with Microsoft’s suite, Gownder said. “…Entering this space, for OpenAI, is a lot riskier, because of its partial ownership by Microsoft and because Copilot uses OpenAI’s models,” he said.

Microsoft is already heading in the direction of making Copilot its main interface to create documents, spreadsheets and presentations, the company’s chief product officer of experiences and devices, Aparna Chennapragada, told Computerworld in a recent interview.

Google has already integrated genAI capabilities into Workspace, but hasn’t managed to capture much market share from Microsoft, Gold said. “But like so many other companies have found when they try to compete with Office, it’s very hard to have much impact,” he said.

Gold floated the idea of OpenAI possibly leveraging open-source tools such as OpenOffice or LibreOffice, which could help from a time-to-market and cost perspective. “Let the open ecosystem provide the necessary capabilities, which already results in a pretty rich productivity suite, and just have OpenAI do the integration of AI tools,” he said.

There remain a lot of open questions about OpenAI’s ability to deliver a productivity suite, which isn’t easy, said Jeff Kagan, an independent analyst.

OpenAI needs the talent, product groups, and market share to carve out a sizable niche, Kagan said. “I don’t expect Microsoft to sit back. I expect they will quickly intensify their offerings to hang onto their market share,” he said.

Also, if OpenAI CEO Sam Altman decides to implement competing features, he will need to think hard about the relationship with Microsoft CEO Satya Nadella.

“It’s still way too early to have any idea what the next step will be. Stay tuned,” Kagan said.

Category: Hacking & Security

Critical Open VSX Registry Flaw Exposes Millions of Developers to Supply Chain Attacks

The Hacker News - 26 June 2025 - 18:46
Cybersecurity researchers have disclosed a critical vulnerability in the Open VSX Registry ("open-vsx[.]org") that, if successfully exploited, could have enabled attackers to take control of the entire Visual Studio Code extensions marketplace, posing a severe supply chain risk. "This vulnerability provides attackers full control over the entire extensions marketplace, and in turn, full control
Ravie Lakshmanan
Category: Hacking & Security

Ex-student charged over hacking university for cheap parking, data breaches

Bleeping Computer - 26 June 2025 - 18:24
New South Wales police in Australia have arrested a 27-year-old former Western Sydney University (WSU) student for allegedly hacking into the University's systems on multiple occasions, starting with a scheme to obtain cheaper parking. [...]
Category: Hacking & Security

Why you can’t make a Trump phone in the US (yet)

Computerworld.com [Hacking News] - 26 June 2025 - 17:55

A frisson of Trump-related news fizzled out in the last week. No, not a temporary outbreak of peace in the Middle East, but news of a smartphone originally announced as being made in America. Except, since making that claim, the Trump organization has changed to somewhat more ambiguous claims.

Which raises the question, why can’t you make a mass market phone in the US?

To get into this, it’s important to think about what is required when making a phone.

First, you need a design; second, you need components; third, you need an operating system; fourth, you require highly skilled labor to build the devices; and finally, you need a factory and distribution network big enough to handle manufacturing, logistics, and supply. Assembling the logistics of smartphone supply takes a lot of time and a lot of money. Pulling all these pieces together is a lot more complex than making a pencil — and that’s complicated enough, as the classic text by Leonard E. Read explains.

To be honest, it’s complicated

That’s not to say it’s completely impossible. There is one device — Purism’s Liberty smartphone — that claims to be made in the US. The hangup is that the device costs $2,000, has limited specifications, and can only be produced in small quantities. It’s not completely made in the USA, either, since many of its components are made outside the US.

That’s unlikely to change without major investment in component manufacturing plants, the cost of which could be prohibitive when you look at the fast pace with which those components might need to be upgraded or replaced as technology advances.

This is even before you consider the risk of entering markets already populated by incumbents and the low margins shared by those already-established manufacturers. It means that the entities most likely to bring component manufacturing to the US are probably going to be the same people who already make those components. And as they have the economy of scale behind them, it’s going to be next to impossible for US firms to compete.

That makes that part of the supply chain a huge risk, which means it makes a lot more sense for US manufacturers and the US government to think about what components mobile devices will need in the future and begin to invest in the patents, raw materials, and manufacturing capabilities to make those things. But that’s going to take time, require long-term investment, and has its own set of risks — as everyone who invested in Betamax found out when VHS won the video format wars.

To some extent, this inherent risk is part of what US firms have outsourced internationally in the past, because lower-cost economies meant that the cost of building factories for components that never shipped was lower, which also reduced the risk. The US got the benefit of other people’s risk and didn’t pay the consequences when risks went wrong.

Mysterious materials

Of course, components are made of something, and that raises the other reason it’s pretty difficult to make a smartphone entirely in the US: raw materials. So many of the raw materials used in various components packed inside smartphones are incredibly rare and found only in specific geographies. 

This alone makes it inevitable that at least some raw material will need to be imported. But the cost of the materials and the cost of importing them sometimes makes it cheaper to manufacture components closer to the raw material source of supply. After all, if you use one ton of rare materials to manufacture 10 pounds of considerably more valuable components, then it makes sense (because it is cheaper) to ship the component, not the material.

So now we have an inevitability in which at least some key smartphone components are unlikely ever to be made in the US. Perhaps those technologies can be replaced down the road, but that is limited by the laws of physics — which is to say it isn’t guaranteed. And to develop new things, you also need access to trained staff.

The alternative is to make smartphones that use components harvested from recycled devices, though doing so immediately means the devices might be dated, not as powerful, and potentially exposed to component-based security risks.

Magical people

Scientists, engineers, researchers, electronics experts, metallurgists, all of these skills are essential to the smartphone value chain. America just doesn’t have enough trained people to occupy all these roles. Sure, it’s possible you could replace some of the lower value skills with robots (made where?), but meeting that skill shortage is going to take a big commitment to education and training, or a focused approach to immigration, or both. And it will take years. 

That’s going to cost, and because there is presently a shortage of these skills, you’ll find that salaries will be far higher in the US than elsewhere. The cost increases the magnitude of risk for manufacturers/suppliers, meaning they will raise prices for the components or assembly services they provide. I’m not sure, but I imagine that these costs, including assembly costs, are why the Liberty phone costs $2,000.

Magical places

Once you have raw materials and components logistics sorted, and you’ve hired enough good staff to make the devices, you hit the next problem — location. Where will you put the factories? If you choose to centralize production in a low-cost, perhaps less-popular part of the US, you might have difficulty recruiting staff who won’t want to abandon their existing lives to move. That means for a serious manufacturing deployment you’ll put your factories in places where people with the skills you need might actually want to live.

This further increases costs, but also means access to factory space becomes another competitive challenge. It’s one you can solve with money, of course, but that’s yet another level of risk and investment that needs to be met in order to make phones in the good old US of A.

Then, once you’ve got the materials, components, people, and factories — you need to bring it all together. Even assuming it has become possible through some triumph of magical thinking to make most of the components in the US, it is unlikely all these parts will be made in the same place, or even the same state. 

Being where?

That means you’ll need to spend time putting together an effective and affordable logistics system for just-in-time delivery of components sourced from wherever they come from to the central assembly location. There are problems with this, but the impact once those are resolved is likely to be more traffic on local roads, more housing demands in local communities, and more demand for water, energy, and other infrastructure.

What this usually means is that local property prices increase, usually at a rate that exceeds local wages. In most other places, what happens then is that people born and brought up in those areas can no longer afford to continue to live there and are priced out of the property market, increasing resentment, frustration, and poverty.

All of these changes damage local cohesion, even as local authorities need to somehow find the money to invest in roads, airports and all the other infrastructure the new people and factories are suddenly making much heavier use of.

Think of the scale here.

iPhone factories in China and India employ tens of thousands of people — whole cities are dedicated to the task. And while it is somehow a little tempting to imagine the creation of an “iPhone City” somewhere in America, achieving that already looks a lot harder than first thought. 

The future will be better tomorrow

Fundamentally, what I’m saying is that shifting manufacturing ecosystems is a vastly complex task that demands huge investments of time and money — and even if the will is there (and the US did actually vote for this), it makes more sense to invest gradually than to expect change overnight. Those investments have not yet been made, which is why the iPhone, Trump phone, or any other phone is really not likely to be made in mass market quantities in the US before 2030 at the earliest, and probably not until later than that, if at all.

Will we even need smartphones by then? Who knows?

Think about the complexity of the above and it’s hard not to think that it makes more sense to focus investment on the big technologies the world will need tomorrow, rather than reinventing supply chains for the things we already have today. Because future tech innovation is where the money — and the jobs — will be.

You can follow me on social media! Join me on BlueSky, LinkedIn, and Mastodon.

Category: Hacking & Security
Syndicate content