Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.

Categories

Fintech giant Finastra investigates data breach after SFTP hack

Bleeping Computer - 1 hour 39 min ago
Finastra has confirmed it warned customers of a cybersecurity incident after a threat actor began selling allegedly stolen data on a hacking forum. [...]
Category: Hacking & Security

MITRE shares 2024's top 25 most dangerous software weaknesses

Bleeping Computer - 1 hour 58 min ago
MITRE has shared this year's top 25 list of the most common and dangerous software weaknesses behind more than 31,000 vulnerabilities disclosed between June 2023 and June 2024. [...]
Category: Hacking & Security

US charges five linked to Scattered Spider cybercrime gang

Bleeping Computer - 3 hours 13 min ago
The U.S. Justice Department has charged five suspects believed to be part of the financially motivated Scattered Spider cybercrime gang with conspiracy to commit wire fraud. [...]
Category: Hacking & Security

Ubuntu Linux impacted by decade-old 'needrestart' flaw that gives root

Bleeping Computer - 3 hours 32 min ago
Five local privilege escalation (LPE) vulnerabilities have been discovered in the needrestart utility used by Ubuntu Linux, which was introduced over 10 years ago in version 21.04. [...]
Category: Hacking & Security

You’ll soon be able to clone your voice to speak other languages in Teams

Computerworld.com [Hacking News] - 3 hours 40 min ago

In connection with this year’s Ignite conference, Microsoft has unveiled a new interpretation tool that will be added to Teams in the spring. What makes the voice cloning tool — currently called “Interpreter In Teams” — special is that users will be able to use their own voice to speak in other languages in real time.

According to Techcrunch, users need a subscription to Microsoft 365 to have access to the technology.

Initially, the tool will support nine languages: English, French, Italian, Portuguese, Spanish, German, Japanese, Korean and Mandarin. More languages are likely to be added over time.

Category: Hacking & Security

Leveling Up Fuzzing: Finding more vulnerabilities with AI

Google Security Blog - 5 hours 1 min ago
Posted by Oliver Chang, Dongge Liu and Jonathan Metzman, Google Open Source Security Team

Recently, OSS-Fuzz reported 26 new vulnerabilities to open source project maintainers, including one vulnerability in the critical OpenSSL library (CVE-2024-9143) that underpins much of internet infrastructure. The reports themselves aren’t unusual—we’ve reported and helped maintainers fix over 11,000 vulnerabilities in the 8 years of the project. 



But these particular vulnerabilities represent a milestone for automated vulnerability finding: each was found with AI, using AI-generated and enhanced fuzz targets. The OpenSSL CVE is one of the first vulnerabilities in a critical piece of software that was discovered by LLMs, adding another real-world example to a recent Google discovery of an exploitable stack buffer underflow in the widely used database engine SQLite.



This blog post discusses the results and lessons over a year and a half of work to bring AI-powered fuzzing to this point, both in introducing AI into fuzz target generation and expanding this to simulate a developer’s workflow. These efforts continue our explorations of how AI can transform vulnerability discovery and strengthen the arsenal of defenders everywhere.


The story so far

In August 2023, the OSS-Fuzz team announced AI-Powered Fuzzing, describing our effort to leverage large language models (LLMs) to improve fuzzing coverage to find more vulnerabilities automatically—before malicious attackers could exploit them. Our approach was to use the coding abilities of an LLM to generate more fuzz targets, which are similar to unit tests that exercise relevant functionality to search for vulnerabilities.



The ideal solution would be to completely automate the manual process of developing a fuzz target end to end:


  1. Drafting an initial fuzz target.

  2. Fixing any compilation issues that arise. 

  3. Running the fuzz target to see how it performs, and fixing any obvious mistakes causing runtime issues.

  4. Running the corrected fuzz target for a longer period of time, and triaging any crashes to determine the root cause.

  5. Fixing vulnerabilities. 



In August 2023, we covered our efforts to use an LLM to handle the first two steps. We were able to use an iterative process to generate a fuzz target with a simple prompt including hardcoded examples and compilation errors. 



In January 2024, we open sourced the framework that we were building to enable an LLM to generate fuzz targets. By that point, LLMs were reliably generating targets that exercised more interesting code coverage across 160 projects. But there was still a long tail of projects where we couldn’t get a single working AI-generated fuzz target.



To address this, we’ve been improving the first two steps, as well as implementing steps 3 and 4.


New results: More code coverage and discovered vulnerabilities

We’re now able to automatically gain more coverage in 272 C/C++ projects on OSS-Fuzz (up from 160), adding 370k+ lines of new code coverage. The top coverage improvement in a single project was an increase from 77 lines to 5434 lines (a 7000% increase).



This led to the discovery of 26 new vulnerabilities in projects on OSS-Fuzz that already had hundreds of thousands of hours of fuzzing. The highlight is CVE-2024-9143 in the critical and well-tested OpenSSL library. We reported this vulnerability on September 16 and a fix was published on October 16. As far as we can tell, this vulnerability has likely been present for two decades and wouldn’t have been discoverable with existing fuzz targets written by humans.



Another example was a bug in the project cJSON, where even though an existing human-written harness existed to fuzz a specific function, we still discovered a new vulnerability in that same function with an AI-generated target. 



One reason that such bugs could remain undiscovered for so long is that line coverage is not a guarantee that a function is free of bugs. Code coverage as a metric isn’t able to measure all possible code paths and states—different flags and configurations may trigger different behaviors, unearthing different bugs. These examples underscore the need to continue to generate new varieties of fuzz targets even for code that is already fuzzed, as has also been shown by Project Zero in the past (1, 2).


New improvements

To achieve these results, we’ve been focusing on two major improvements:


  1. Automatically generate more relevant context in our prompts. The more complete and relevant information we can provide the LLM about a project, the less likely it would be to hallucinate the missing details in its response. This meant providing more accurate, project-specific context in prompts, such as function, type definitions, cross references, and existing unit tests for each project. To generate this information automatically, we built new infrastructure to index projects across OSS-Fuzz.

  2. LLMs turned out to be highly effective at emulating a typical developer’s entire workflow of writing, testing, and iterating on the fuzz target, as well as triaging the crashes found. Thanks to this, it was possible to further automate more parts of the fuzzing workflow. This additional iterative feedback in turn also resulted in higher quality and greater number of correct fuzz targets.



The workflow in action

Our LLM can now execute the first four steps of the developer’s process (with the fifth soon to come). 



1. Drafting an initial fuzz target

A developer might check the source code, existing documentation and unit tests, as well as usages of the target function, when drafting an initial fuzz target. An LLM can fulfill this role here, if we provide a prompt with this information and ask it to come up with a fuzz target.


Prompt: 


Your goal is to write a fuzzing harness for the provided function-under-test signature using <code>LLVMFuzzerTestOneInput</code>. It is important that the provided solution compiles and actually calls the function-under-test specified by the function signature:

<function signature>

unsigned char * buffer_append_base64_decode(buffer *, const char *, size_t, base64_charset)

</function signature>


Here is the source code of the function being tested:

<code>

unsigned char* buffer_append_base64_decode(buffer *out, const char* in, size_t in_length, base64_charset charset) {
    const size_t reserve = 3*(in_length/4) + 3;
    unsigned char * const result = (unsigned char *)
      buffer_string_prepare_append(out, reserve);
    const size_t out_pos =
      li_base64_dec(result, reserve, in, in_length, charset);

    buffer_commit(out, out_pos);

    return (out_pos || !in_length) ? result : NULL;
}

</code>


Here is the source code for functions which reference the function being tested:

<code>

…  
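What a drafted target of this kind looks like when written out, as an added example that is not code from the blog post, from OSS-Fuzz or from lighttpd: a libFuzzer-style harness around a small constructed base64 decoder whose argument shape and reserve rule (3*(in_length/4) + 3) mirror the function in the prompt above. The decoder itself, the `base64_charset` values, `decode_to_string` and the output-length invariant are assumptions made for this example.

```cpp
// Added example: a libFuzzer-style target for a constructed base64 decoder.
// Nothing here is lighttpd's or OSS-Fuzz's code; the decoder, the charset enum
// and the invariant are stand-ins shaped like the function in the prompt.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

enum base64_charset { BASE64_STANDARD = 0, BASE64_URL = 1 };  // assumed values

// Map one character to its 6-bit value, or -1 if it is not in the charset.
static int b64_value(char c, base64_charset cs) {
  if (c >= 'A' && c <= 'Z') return c - 'A';
  if (c >= 'a' && c <= 'z') return c - 'a' + 26;
  if (c >= '0' && c <= '9') return c - '0' + 52;
  if (cs == BASE64_STANDARD) return c == '+' ? 62 : c == '/' ? 63 : -1;
  return c == '-' ? 62 : c == '_' ? 63 : -1;
}

// Function under test (constructed). Decodes `in` into `out`, stops at the
// first '=' and rejects any other byte outside the charset. Returns the
// number of bytes written, 0 on rejection. `out_cap` is the caller's reserve
// and is never exceeded.
size_t base64_decode(unsigned char *out, size_t out_cap,
                     const char *in, size_t in_length, base64_charset cs) {
  size_t out_pos = 0;
  uint32_t acc = 0;
  int bits = 0;
  for (size_t i = 0; i < in_length; ++i) {
    if (in[i] == '=') break;
    int v = b64_value(in[i], cs);
    if (v < 0) return 0;
    acc = (acc << 6) | static_cast<uint32_t>(v);
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      if (out_pos >= out_cap) return 0;   // bounds check against the reserve
      out[out_pos++] = static_cast<unsigned char>((acc >> bits) & 0xFF);
    }
  }
  return out_pos;
}

// The fuzz target. The first input byte picks the charset (the usual way a
// harness derives enum arguments from fuzzer data); the rest is the text.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  if (size < 1) return 0;
  base64_charset cs = (data[0] & 1) ? BASE64_URL : BASE64_STANDARD;
  const char *in = reinterpret_cast<const char *>(data + 1);
  size_t in_length = size - 1;

  const size_t reserve = 3 * (in_length / 4) + 3;   // same rule as the prompt
  std::vector<unsigned char> out(reserve);
  size_t n = base64_decode(out.data(), reserve, in, in_length, cs);

  // Sanitizers catch memory errors; an explicit invariant catches logic bugs.
  // Six bits in per character means at most in_length*6/8 bytes out.
  if (n * 8 > in_length * 6) __builtin_trap();
  return 0;
}

// Helper for stand-alone runs and tests: decode a string with a given charset.
std::string decode_to_string(const std::string &b64, base64_charset cs) {
  const size_t reserve = 3 * (b64.size() / 4) + 3;
  std::vector<unsigned char> out(reserve);
  size_t n = base64_decode(out.data(), reserve, b64.data(), b64.size(), cs);
  return std::string(reinterpret_cast<const char *>(out.data()), n);
}

// Stand-alone driver over constructed inputs. Remove it when building with
// -fsanitize=fuzzer so libFuzzer can supply its own main.
int main() {
  const std::string samples[] = {std::string("\0aGVsbG8=", 9),
                                 std::string("\1aGVsbG8", 8),
                                 std::string("\0*bad*", 6)};
  for (const std::string &s : samples) {
    LLVMFuzzerTestOneInput(reinterpret_cast<const uint8_t *>(s.data()), s.size());
    base64_charset cs = (s[0] & 1) ? BASE64_URL : BASE64_STANDARD;
    std::printf("%zu-byte input -> \"%s\"\n", s.size(),
                decode_to_string(s.substr(1), cs).c_str());
  }
  return 0;
}
```

The pieces a reviewer looks for in a generated target are all visible here: the input is split into the function's arguments rather than passed through blindly, the buffer is sized by the same rule the function under test assumes, and the harness asserts an invariant of its own instead of relying on the sanitizer alone.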



2. Fixing any compilation issues that arise. 

Once a developer has a candidate target, they would try to compile it and look at any compilation issues that arise. Again, we can prompt an LLM with details of the compilation errors so it can provide fixes.  


Prompt: 


Below is the error to fix:

The code has the following build issues:

<error>
server_fuzzer.cc:12:46: error: only virtual member functions can be marked 'override'
   12 |   bool OnData(const char* data, size_t size) override {
      |                                              ^~~~~~~~
server_fuzzer.cc:22:39: error: no type named 'MultiPartFile' in namespace 'httplib'
   22 |                        const httplib::MultiPartFile& file) override {
      |                              ~~~~~~~~~^
server_fuzzer.cc:12:27: warning: unused parameter 'data' [-Wunused-parameter]
   12 |   bool OnData(const char* data, size_t size) override {
      |                           ^
server_fuzzer.cc:37:5: error: use of undeclared 'operator()'
   37 |     operator()(request_data.data(), receiver);
      |     ^
server_fuzzer.cc:27:23: warning: private field 'provider_' is not used [-Wunused-private-field]
   27 |   FuzzedDataProvider& provider_;
      |                       ^
</error>

Example of compilation errors that an LLM was able to fix



3. Running the fuzz target to see how it performs, and fixing any obvious mistakes causing runtime issues.


Once all compilation errors are fixed, a developer would try running the fuzz target for a short period of time to see if there were any mistakes that led it to instantly crash, suggesting an error with the target rather than a bug discovered in the project.



The following is an example of an LLM fixing a semantic issue with the fuzzing setup: 


LLM Response:

<explanation>


The issue is that `sqlite3_blob_open` requires the table to exist before you can open a blob on it. The fix ensures that the table exists by executing a `CREATE TABLE IF NOT EXISTS` statement before calling `sqlite3_blob_open`. 


Here's a breakdown of the changes:


1. **Create Table Query:** A string `createTableQuery` is constructed to hold the SQL statement for creating the table. It uses the fuzzed values for the table and column names.

2. **Prepare Statement:** `sqlite3_prepare_v2` is used to prepare the SQL statement from `createTableQuery`. This compiles the SQL into a byte-code program that SQLite can execute.

3. **Execute Statement:** `sqlite3_step` executes the prepared statement. Since it's a `CREATE TABLE` statement, it doesn't return any data, but it creates the table if it doesn't exist.

4. **Finalize Statement:** `sqlite3_finalize` destroys the prepared statement object when it's no longer needed.


By adding these steps before calling `sqlite3_blob_open`, we ensure that the table exists, preventing the null pointer access issue. 

</explanation>




4. Running the corrected fuzz target for a longer period of time, and triaging any crashes.

At this point, the fuzz target is ready to run for an extended period of time on a suitable fuzzing infrastructure, such as ClusterFuzz.



Any discovered crashes would then need to be triaged, to determine the root causes and whether they represented legitimate vulnerabilities (or bugs in the fuzz target). An LLM can be prompted with the relevant context (stacktraces, fuzz target source code, relevant project source code) to perform this triage. 



Prompt: Given the following crash report, fuzz driver code and relevant project function code, analyze the cause of the crash.


First, only answer “Crash is caused by bug in fuzz driver” or “Crash is caused by bug in project”. Second, offer a succinct and to-the-point analysis.


Below is crash report:

<log>
AddressSanitizer: heap-use-after-free on address 0x502000000630 at pc 0x560036939242 bp 0x7ffd65dca850 sp 0x7ffd65dca010
READ of size 1 at 0x502000000630 thread T0
SCARINESS: 40 (1-byte-read-heap-use-after-free)
    #0 0x560036939241 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:63:3
    #1 0x56003697d30b in EmitLiteral<false> /src/snappy/snappy.cc:661:5
    #2 0x56003697d30b in snappy::internal::CompressFragment(char const*, unsigned long, char*, unsigned short*, int) /src/snappy/snappy.cc:954:10



In this example, the LLM correctly determines this is a bug in the fuzz target, rather than a bug in the project being fuzzed. 



LLM Response: Crash is caused by bug in fuzz driver.


The fuzz driver creates a vector of `iovec` structures, each pointing to a chunk of memory owned by the `FuzzedDataProvider`. However, the `data_chunk` vector, which holds the actual data pointed to by `iov_base`, is deallocated at the end of each fuzzer iteration when it goes out of scope. This leaves the `iov_base` pointers dangling. When `snappy::CompressFromIOVec` tries to access the memory pointed to by these dangling pointers, a heap-use-after-free occurs. 
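The lifetime bug diagnosed above, rebuilt as an added example that is neither the blog's nor snappy's code: the buggy driver pattern beside a corrected one. `compress_from_iovec` here only concatenates the chunks it is handed (a stand-in for the real library call), and the 16-byte chunking, the `IovecInput` type and the size invariant are assumptions made for the example. It also illustrates the step-3 distinction from earlier in the post: a crash like this is in the driver, so it surfaces in a short run and says nothing about the project under test.

```cpp
// Added example: the fuzz-driver lifetime bug from the triage above, rebuilt
// in a constructed stand-in. compress_from_iovec only concatenates the chunks;
// it is not snappy's code, and the 16-byte chunking is an assumption.
#include <sys/uio.h>   // struct iovec (POSIX)
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

static const size_t kChunk = 16;

// Stand-in for the library function under test: it reads every byte each
// iovec points to, which is exactly what turns dangling pointers into the
// heap-use-after-free ASan reported.
std::string compress_from_iovec(const struct iovec *iov, size_t iov_cnt) {
  std::string out;
  for (size_t i = 0; i < iov_cnt; ++i)
    out.append(static_cast<const char *>(iov[i].iov_base), iov[i].iov_len);
  return out;
}

// BUGGY driver, the pattern the LLM identified: the strings that own the
// bytes are a local of this helper, so every iov_base dangles as soon as it
// returns. Shown for contrast only; nothing below calls it.
std::vector<struct iovec> build_iovecs_dangling(const uint8_t *data, size_t size) {
  std::vector<std::string> data_chunk;            // destroyed on return
  std::vector<struct iovec> iov;
  for (size_t off = 0; off < size; off += kChunk)
    data_chunk.emplace_back(reinterpret_cast<const char *>(data + off),
                            std::min(kChunk, size - off));
  for (std::string &chunk : data_chunk)
    iov.push_back({const_cast<char *>(chunk.data()), chunk.size()});
  return iov;   // the pointers now refer to freed memory
}

// FIXED driver: the owner of the bytes and the pointers into them travel
// together, so the chunks outlive the call that reads them.
struct IovecInput {
  std::vector<std::string> data_chunk;   // owns the bytes
  std::vector<struct iovec> iov;         // borrows from data_chunk
};

IovecInput build_iovecs(const uint8_t *data, size_t size) {
  IovecInput in;
  for (size_t off = 0; off < size; off += kChunk)
    in.data_chunk.emplace_back(reinterpret_cast<const char *>(data + off),
                               std::min(kChunk, size - off));
  // Take addresses only after data_chunk stops growing: a growing vector may
  // relocate its strings, which would dangle the pointers in a subtler way.
  for (std::string &chunk : in.data_chunk)
    in.iov.push_back({const_cast<char *>(chunk.data()), chunk.size()});
  return in;
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  IovecInput in = build_iovecs(data, size);       // alive for the whole call
  std::string out = compress_from_iovec(in.iov.data(), in.iov.size());
  if (out.size() != size) __builtin_trap();       // harness-level invariant
  return 0;
}

// Stand-alone run over a constructed input; libFuzzer would supply its own.
int main() {
  const char *text = "the quick brown fox jumps over the lazy dog";   // 43 bytes
  IovecInput in = build_iovecs(reinterpret_cast<const uint8_t *>(text), 43);
  bool ok = compress_from_iovec(in.iov.data(), in.iov.size()) == text;
  std::printf("%zu chunks, round-trip %s\n", in.iov.size(), ok ? "ok" : "FAILED");
  return 0;
}
```

Built with `-fsanitize=address`, a driver that used `build_iovecs_dangling` would report heap-use-after-free on the first byte read inside `compress_from_iovec`, with the fuzz target's own frames under it, which is the shape of report that points at the harness rather than the project.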



5. Fixing vulnerabilities. 

The goal is to fully automate this entire workflow by having the LLM generate a suggested patch for the vulnerability. We don’t have anything we can share here today, but we’re collaborating with various researchers to make this a reality and look forward to sharing results soon. 


Up next

Improving automated triaging: to get to a point where we’re confident about not requiring human review. This will help automatically report new vulnerabilities to project maintainers. There are likely more than the 26 vulnerabilities we’ve already reported upstream hiding in our results.



Agent-based architecture: which means letting the LLM autonomously plan out the steps to solve a particular problem by providing it with access to tools that enable it to get more information, as well as to check and validate results. By providing the LLM with interactive access to real tools such as debuggers, we’ve found that the LLM is more likely to arrive at a correct result.



Integrating our research into OSS-Fuzz as a feature: to achieve a more fully automated end-to-end solution for vulnerability discovery and patching. We hope OSS-Fuzz will be useful for other researchers to evaluate AI-powered vulnerability discovery ideas and ultimately become a tool that will enable defenders to find more vulnerabilities before they get exploited. 



For more information, check out our open source framework at oss-fuzz-gen. We’re hoping to continue to collaborate on this area with other researchers. Also, be sure to check out the OSS-Fuzz blog for more technical updates.
Category: Hacking & Security

Microsoft confirms game audio issues on Windows 11 24H2 PCs

Bleeping Computer - 5 hours 47 min ago
Microsoft says a Windows 24H2 bug causes game audio to unexpectedly increase to full volume when using USB DAC sound systems. [...]
Category: Hacking & Security

Apple admins: Update your hardware now

Computerworld.com [Hacking News] - 5 hours 49 min ago

Among the first things Apple IT admins woke up to this morning was news of a pair of actively exploited zero-day attacks in the wild targeting Intel Macs, iPhones, iPads, and even Vision Pro users. Apple has already released software patches for the flaws, which is why the second thing admins realized is that they must rush through any necessary software verification process required before expediting installation of the update.

In these days of remotely managed devices and increasingly effective MDM systems, that’s far less a problem than it was in the past. You can usually make a policy change and push out updates to all your managed devices quickly.

Companies that don’t use these systems, or those that have employees using their own personal devices to access potentially sensitive internal data, must work harder to convince users to install security updates. So, what can they tell people about the latest threat that might help motivate them to install the patch today?

Why you should update immediately

First, Apple says it believes the attack is being actively used, which means any Intel system — including systems used by other people you interact with — is a potential target. “Apple is aware of a report that this issue may have been exploited,” the company said. 

Second, it slips in using flaws in software you use daily, including JavaScript and WebKit, the rendering engine that powers the Safari browser on Apple devices. In other words, everyone using Apple’s devices is a potential target. 

Finally — and perhaps best of all — Apple has already shipped a fix for the problem, maintaining its reputation for being ahead of threats, rather than echoing the approach taken by some other platforms and racing to keep up with attacks. It’s almost as if Apple’s systems remain more secure for a reason. The company addressed 20 zero-day attacks in 2023 and has guarded against just six so far this year.

Apple also shipped security patches for iOS 17 and iPad OS 17 systems and patches for Safari on macOS Ventura and Sonoma.

What the experts say

Michael Covington, vice president for portfolio strategy at Jamf, thinks all users should update at once.

“While Apple has warned that the vulnerabilities, also present in macOS, may be actively exploited on Intel-based systems, we recommend updating any device that is at risk,” he said. “With attackers potentially exploiting both vulnerabilities, it is critical that users and mobile-first organizations apply the latest patches as soon as they are able.” 

What are these attacks?

The attack vector makes use of two vulnerabilities found in macOS Sequoia JavaScriptCore (CVE-2024-44308) and WebKit (CVE-2024-44309). The first lets attackers achieve remote code execution (RCE) through maliciously crafted web content; the second lets attackers engage in cross-site scripting attacks.

As admins will recognize, RCE exploits can enable attackers to install malware surreptitiously on infected machines, perform denial-of-service attacks, or access sensitive information, while a cross-site scripting attack can help hackers grab personal data for identity theft and other nefarious ends. No one wants to be a victim of either form of attack.

Who is using these attacks?

No information pertaining to who has been using these flaws in their attacks has been shared. With that in mind, it’s important to note that the flaws were identified by researchers at Google’s Threat Analysis Group (TAG), which works to counter government-backed attacks. That suggests that whoever has been weaponizing these vulnerabilities is connected to a national entity of some kind.

If that is the case, recent reports from TAG suggest an upsurge in such attacks, so users in some industries and professions might want to consider locking down their devices with Apple’s Lockdown Mode to minimize their attack surface. IT, meanwhile, should review security compliance, particularly among those using older iPhones, iPads, or Intel Macs.


Category: Hacking & Security

New Ghost Tap attack abuses NFC mobile payments to steal money

Bleeping Computer - 5 hours 1 min ago
Cybercriminals have devised a novel method to cash out from stolen credit card details linked to mobile payment systems such as Apple Pay and Google Pay, dubbed 'Ghost Tap,' which relays NFC card data to money mules worldwide. [...]
Category: Hacking & Security

Microsoft Ignite 2024 — get the latest news and insights

Computerworld.com [Hacking News] - 6 hours 44 min ago

Microsoft Ignite 2024 kicks off in Chicago and runs Nov. 19-22. If you can’t make it to Chicago, no worries. First, the physical event is sold out, according to the Ignite event page. Second, it’s a hybrid event, so you can attend Ignite virtually.

Whether you’re there physically or online, expect to learn more about the latest technologies from Microsoft — everything from artificial intelligence (AI) to cloud computing, security, productivity tools, and more. In the keynote address, Microsoft CEO Satya Nadella and Microsoft leaders — including Charlie Bell, executive vice president of Microsoft Security, and Scott Guthrie, executive vice president of the Microsoft Cloud + AI Group — will share how the company is creating new opportunities across its platforms in this rapidly evolving era of AI.

You can also network with industry experts and Microsoft’s team, IT leaders, and other tech enthusiasts; gain hands-on experience and learn from experts at technical sessions; and learn about new products and services. (Microsoft often announces new products and features at Ignite.)

Here are highlights from the 2024 show, followed by a look back at some of our previous Ignite coverage, as well as recent articles that touch on related topics. Remember to check this page often for more on Ignite 2024.

Microsoft Ignite 2024 news and insights

Microsoft upgrades Copilot Studio agent builder tools

Nov. 20, 2024: Microsoft unveiled new Copilot Studio features aimed at both expanding the functionality of AI agents created with the application and improving the accuracy of outputs. Customers will be able to connect Copilot Studio agents to third-party apps, and tools for building autonomous agents are now available in a public preview.

Microsoft partners with industry leaders to offer vertical SLMs

Nov. 20, 2024: Teaming up with industry partners such as Bayer and Rockwell Automation, Microsoft is adding pre-trained small language models to its Azure AI catalog aimed at highly specialized use cases.

Microsoft brings automated ‘agents’ to M365 Copilot

Nov. 19, 2024: Microsoft has introduced a new tool in Microsoft 365 Copilot to automate repetitive tasks, part of a drive to make the genAI assistant more useful to users. Copilot Actions features a simple trigger-and-action interface that Microsoft hopes will make the workflow automations accessible to a wide range of workers. 

Microsoft extends Entra ID to WSL, WinGet

Nov. 19, 2024: Microsoft has added new security features to Windows Subsystem for Linux (WSL) and the Windows Package Manager (WinGet), including integration with Microsoft Entra ID (formerly Active Directory) for identity-based access control. The goal is to enable IT admins to more effectively manage the deployment and use of these tools in enterprises.

Microsoft looks to genAI, exposure management, and new bug bounties to secure enterprise IT

Nov. 19, 2024: Microsoft announced a host of new security measures at its annual Ignite conference, with the goal of strengthening its existing data protection, endpoint security, and extended threat detection and response capabilities. Notable improvements include the introduction of a dedicated exposure management tool, an upgrade to insider risk management (IRM) tailored to GenAI usage, new data loss prevention (DLP) features, and integration of genAI into security operations center (SOC) processes.

Microsoft and Atom Computing claim breakthrough in reliable quantum computing

Nov. 19, 2024: The companies have announced what they claim is a significant step forward in reliable quantum computing, unveiling a commercial quantum machine built with 24 entangled logical qubits. The system, achieved through a combination of Atom Computing’s neutral-atom hardware and Microsoft’s qubit-virtualization technology, aims to address the critical challenge of error detection and correction in quantum computation.

Microsoft adds major upgrades to Power Apps at Ignite

Nov. 19, 2024: The company announced a series of low-code product enhancements, targeted at developers, that ranged from new agent-building capabilities in Power Apps and Power Pages to new AI and governance features in the codeless automation tool Microsoft Power Automate.

Microsoft’s Windows 365 Link is a thin client device for shared workspaces

Nov. 19, 2024: Microsoft will start selling a thin client device that lets workers boot directly to Windows 365 “in seconds,” the company announced on Tuesday.

Microsoft reimagines Fabric with focus on AI

Nov. 19, 2024: The company announced a slate of enhancements to its data analytics platform, including Fabric Databases, which can provision auto-optimizing and auto-scaling AI databases in seconds.

Microsoft rebrands Azure AI Studio to Azure AI Foundry

Nov. 19, 2024: The toolkit for building generative AI applications has been packaged with new updates to form the Azure AI Foundry service.

From MFA mandates to locked-down devices, Microsoft posts a year of SFI milestones at Ignite

Nov. 19, 2024: The company shared a progress report on its Secure Future Initiative (SFI), introduced a year ago, which included significant measures such as enforcing multifactor authentication (MFA) by default for new tenants, isolating close to 100,000 work devices under conditional access policies, and blocking GitHub secrets from exposure.

Previous Microsoft Ignite coverage

Microsoft to launch autonomous AI at Ignite

Oct. 21, 2024: Microsoft will let customers build autonomous AI agents that can be configured to perform complex tasks with little or no input from humans. Microsoft announced that tools to build AI agents in Copilot Studio will be available in a public beta that begins at Ignite on Nov. 19, with pre-built agents rolling out to Dynamics 365 apps in the coming months.

Microsoft Ignite 2023: 11 takeaways for CIOs

Nov. 15, 2023: Microsoft’s 2023 Ignite conference might as well be called AIgnite, with over half of the almost 600 sessions featuring AI in some shape or form. Generative AI (genAI), in particular, is at the heart of many of the product announcements Microsoft is making at the event, including new AI capabilities for wrangling large language models (LLMs) in Azure, new additions to the Copilot range of genAI assistants, new hardware, and a new tool to help developers deploy small language models (SLMs) too.

Microsoft partners with Nvidia, Synopsys for genAI services

Nov. 16, 2023: Microsoft has announced that it is partnering with chipmaker Nvidia and chip-designing software provider Synopsys to provide enterprises with foundry services and a new chip-design assistant. The foundry services from Nvidia will be deployed on Microsoft Azure and will combine three of Nvidia’s elements — its foundation models, its NeMo framework, and Nvidia’s DGX Cloud service.

As Microsoft embraces AI, it says sayonara to the metaverse

Feb. 23, 2023: It wasn’t just Mark Zuckerberg who led the metaverse charge by changing Facebook’s name to Meta. Microsoft hyped it as well, notably when CEO Satya Nadella said, “I can’t overstate how much of a breakthrough this is,” in his keynote speech at Microsoft Ignite in 2021. Now, tech companies are much wiser, they tell us. It’s AI at the heart of the coming transformation. The metaverse may be yesterday’s news, but it’s not yet dead.

Microsoft Ignite in the rear-view mirror: What we learned

Oct. 17, 2022: Microsoft treated its big Ignite event as more of a marketing presentation than a full-fledged conference, offering up a variety of announcements that affect Windows users, as well as large enterprises and their networks. (The show was a hybrid affair, with a small in-person option and online access for those unable to travel.)

Related Microsoft coverage

Microsoft’s AI research VP joins OpenAI amid fight for top AI talent

Oct. 15, 2024: Microsoft’s former vice president of genAI research, Sebastien Bubeck, left the company to join OpenAI, the maker of ChatGPT. Bubeck, a 10-year veteran at Microsoft, played a significant role in driving the company’s genAI strategy with a focus on designing more efficient small language models (SLMs) to rival OpenAI’s GPT systems.

Microsoft brings Copilot AI tools to OneDrive

Oct. 9, 2024: Microsoft’s Copilot is now available in OneDrive, part of a wider revamp of the company’s cloud storage platform.  Copilot can now summarize one or more files in OneDrive without needing to open them first; compare the content of selected files across different formats (including Word, PowerPoint, and PDFs); and respond to questions about the contents of files via the chat interface. 

Microsoft wants Copilot to be your new AI best friend

Oct. 9, 2024: Microsoft’s Copilot AI chatbot underwent a transformation last week, morphing into a simplified pastel-toned experience that encourages you…to just chat. “Hey Chris, how’s the human world today?” That’s what I heard after I fired up the Copilot app on Windows 11 and clicked the microphone button, complete with a calming wavy background. Yes, this is the type of banter you get with the new Copilot.

Category: Hacking & Security

Download our Microsoft Copilot for Writing Cheat Sheet

Computerworld.com [Hacking News] - 7 hours 36 min ago

Download the PDF Computerworld Cheat Sheet today.

Category: Hacking & Security

Amazon and Audible flooded with 'forex trading' and warez listings

Bleeping Computer - 8 hours 49 min ago
Amazon, Amazon Music, and Audible, an Amazon-owned online audiobook and podcast service, have been flooded with bogus listings that push dubious "forex trading" sites, Telegram channels, and suspicious links claiming to offer pirated software. [...]
Category: Hacking & Security

Microsoft upgrades Copilot Studio agent builder tools

Computerworld.com [Hacking News] - 8 hours 58 min ago

Microsoft at this week’s Ignite conference unveiled new Copilot Studio features aimed at both expanding the functionality of AI agents created with the application and improving the accuracy of outputs.

Copilot Studio was unveiled at last year’s event as a way to customize Microsoft’s generative AI (genAI) “copilot” assistants for different business use cases. Since then, the company has stepped up its messaging around AI agents that can perform a wider variety of tasks on behalf of workers.

Among the latest updates to Copilot Studio is the ability to connect agents to third-party applications such as Salesforce, ServiceNow, and Zendesk. The goal is to provide access to “real-time knowledge” that helps answer complex questions, Microsoft said. That feature is now in preview. 


In addition, Copilot Studio now integrates with the new Azure AI Foundry to enable access to a wider range of data within an organization, Omar Aftab, vice president of conversational AI at Microsoft, said in a blog post. “By connecting all their data sources, organizations can see that agents are more grounded in their business data and provide specific, high-quality responses,” he said. 

There are also new “multimodal” AI enhancements to Copilot Studio agents. Users can embed an agent built in Copilot Studio into an interactive voice system (used in automated voice calls for customer service, for example) to create “speech enabled agents,” said Aftab. These can also be embedded in various “applications, standalone kiosks, concierge systems, and more,” he said. And Copilot Studio agents can now analyze images, allowing users to upload files and ask questions about them.

Microsoft has also opened access — in a public preview — to autonomous agent builder tools in Copilot Studio, as announced last month. “Makers can now build agents that work on their behalf, without having to prompt the agent, saving human hours and increasing efficiency,” said Aftab. “They can create these agents from scratch or configure agents that are prebuilt in Copilot Studio.” 

There’s an agent library to help users get started, too, (also in public preview), with pre-built agents tailored to common work processes such as leave management, sales orders and deal acceleration, Microsoft said. 

Among the other announcements Tuesday is the ability to build customized agents with a “streamlined Copilot Studio experience” that’s now embedded in the BizChat interface of Microsoft 365 Copilot. These agents are created using natural language directions, and can be given access to enterprise data held in apps such as Dynamics 365 and SharePoint. There are also pre-built agents, including an Employee Self-Service agent. 

Copilot Studio can address some of the shortcomings of a “horizontal” tool such as Microsoft 365 Copilot, which often requires a lot of guidance to access the right data, and may produce hallucinations, said J.P. Gownder, vice president and principal analyst at Forrester.

“The Copilot Studio tools help to fill this gap by allowing organizations to create more finely tuned solutions that nevertheless are a lot easier and cheaper than training a model from scratch,” he said. 

Improved tuning and sourcing in Copilot Studio allow for more retrieval-augmented generation (RAG)-based approaches, said Gownder, which specify data more precisely, reducing the likelihood of “both vague outputs and hallucinations.” The ability to use custom Azure AI Search indexes as a knowledge source for custom RAG scenarios — another of the Copilot Studio updates at Ignite — allows for more “specific, contextual, and accurate outcomes,” he said.

“Being able to then take these Copilot Studio agents and plug them into Microsoft 365 Copilot could democratize some of these innovations, allowing employees to tap into them right in their flow of work,” said Gownder. “This heightened context, accuracy, and specificity could solve some of the problems that enterprise leaders have cited as downsides to M365 Copilot.

“Microsoft has rolled out a lot of Copilot solutions with sunny story lines that enterprises aren’t always able to replicate in their own environments,” said Gownder. “So, while the Copilot Studio announcements sound promising, we must wait and see if they truly work as advertised to create value.”

Category: Hacking & Security

Ghost Tap: Hackers Exploiting NFCGate to Steal Funds via Mobile Payments

The Hacker News - 9 hours 27 min ago
Threat actors are increasingly banking on a new technique that leverages near-field communication (NFC) to cash out victims' funds at scale. The technique, codenamed Ghost Tap by ThreatFabric, enables cybercriminals to cash out money from stolen credit cards linked to mobile payment services such as Google Pay or Apple Pay by relaying NFC traffic. "Criminals can now misuse Google Pay and Apple [...]
Category: Hacking & Security

NHIs Are the Future of Cybersecurity: Meet NHIDR

The Hacker News - 11 hours 6 min ago
The frequency and sophistication of modern cyberattacks are surging, making it increasingly challenging for organizations to protect sensitive data and critical infrastructure. When attackers compromise a non-human identity (NHI), they can swiftly exploit it to move laterally across systems, identifying vulnerabilities and compromising additional NHIs in minutes. While organizations often take [...]
Category: Hacking & Security

US commission proposes ‘Manhattan Project-like’ initiative for AI

Computerworld.com [Hacking News] - 11 hours 11 min ago

A US congressional commission has called for a “Manhattan Project-like” initiative to accelerate artificial intelligence (AI) development, urging Congress to grant the executive branch sweeping, multiyear contracting authority to fund advancements in AI, cloud computing, and data centers.

The bipartisan US-China Economic and Security Review Commission (USCC) issued the recommendations in a 793-page report on Tuesday, highlighting the growing urgency to outpace China’s rapid strides in emerging technologies, including AI, quantum computing, and biotechnology.

“Congress should establish and fund a Manhattan Project-like program dedicated to racing and acquiring an Artificial General Intelligence (AGI) capability,” the report stated, drawing parallels to the WWII-era government project that developed the first atomic bombs.

“Provide broad multiyear contracting authority to the executive branch and associated funding for leading artificial intelligence, cloud, and data center companies and others to advance the stated policy at a pace and scale consistent with the goal of US AGI leadership,” the report further added as a suggestion to Congress.

The report also advised the Secretary of Defense to designate AI projects as having the highest national priority, underscoring the strategic importance of staying technologically ahead of China to protect US economic and military interests.

“Direct the US secretary of defense to provide a Defense Priorities and Allocations System “DX Rating” to items in the artificial intelligence ecosystem to ensure this project receives national priority,” it stated.

A “DX Rating” is assigned to programs of highest national priority.

The USCC, established in 2000 to monitor and report on US-China trade and economic relations, issued its latest report amid mounting geopolitical tensions and a race to dominate the technologies of the future.

Tech rivalry with global implications

The commission warned that China’s technological progress, if left unchecked, could threaten US deterrence in the Pacific region and destabilize the global balance of power. “China’s advancements could erode the United States’ economic and military position and tip the global balance of power,” the report said.

The US has already taken steps to limit China’s access to critical technologies. On Monday, the Treasury Department finalized a rule restricting US investments in Chinese AI, quantum computing, and semiconductor sectors — a move building on President Joe Biden’s executive order last year aimed at curbing the export of technologies that could bolster China’s military and intelligence capabilities.

Tuesday’s report also detailed tensions between the two nations over issues such as sanctions on Chinese officials, restrictions on semiconductor imports, and national security concerns surrounding the Chinese-owned social media platform TikTok.

“Despite a bilateral agreement reached in late 2023 to pursue limited cooperation on military communication, climate change, countering fentanyl and other drugs, artificial intelligence (AI), and people-to-people ties, China has continued its efforts to counter or weaken US policies without changing its own behavior,” the report observed.

Generative AI is central to the recommendations of the report, which pointed out that while the US currently leads development in the domain by over a year, “Chinese companies are making a concerted effort to develop generative AI models similar in sophistication to those of US companies.”

The USCC report also emphasized the US’ need to maintain leadership in developing Artificial General Intelligence (AGI) — AI systems capable of performing any intellectual task that a human can do.

The proposed initiative echoes the strategic and national security urgency of the original Manhattan Project, highlighting the role of advanced technology in shaping global power dynamics.

Category: Hacking & Security

ChatGPT’s Windows app beats Microsoft Copilot for productivity

Computerworld.com [Hacking News] - 11 hours 36 min ago

Microsoft’s Copilot AI assistant appears to be transforming into a chatty AI sidekick, and I’ve seen quite a few Copilot users who aren’t happy about it. Thankfully, there’s now another option for anyone interested in using AI purely for productivity — a full-featured ChatGPT app for Windows PCs.

Even at launch, ChatGPT’s Windows app is already a better productivity tool than Copilot. It’s quite a setback for Microsoft’s AI assistant — which, when it first launched as Bing Chat, had a more powerful AI model than ChatGPT and offered features that went beyond what ChatGPT offered, such as the ability to search the web.

Things have certainly changed.

Want to stay on top of the latest Windows PC features — AI and beyond? My free Windows Intelligence newsletter delivers all the best Windows tips straight to your inbox. Plus, you’ll get free Windows Field Guides as a special welcome bonus!

Meet ChatGPT’s new Windows app

OpenAI technically launched its ChatGPT app for Windows in October. But at the time, the ChatGPT Windows app was only for paying ChatGPT subscribers. Now, it’s free for anyone to use — including free ChatGPT users.

That means you can now get ChatGPT’s Windows app from the Microsoft Store, whether you’re paying for the premium version of the service or not. The app runs on both Windows 11 and Windows 10 PCs. Once you launch it, you’ll have to sign in with an account. (The web-based version of ChatGPT doesn’t require an account, but the desktop app does.)

The official ChatGPT app offers more options than Copilot.

Chris Hoffman, IDG

(While I’m focusing on Windows here, it’s worth noting that official ChatGPT apps are also available for Mac, Android, iPhone, and iPad.)

ChatGPT’s app is just like Copilot — but better

Under the hood, both Copilot and ChatGPT use much of the same technology. While Google’s Gemini assistant uses Google’s own AI models, Microsoft’s Copilot uses OpenAI’s ChatGPT models — along with something Microsoft calls the “Microsoft Prometheus model.”

Comparing the two, you’ll first notice how similar the interface is. But ChatGPT feels like a more focused productivity tool, whereas Copilot feels like it’s trying to be friendlier and more approachable. Copilot has pastel colors, lots of graphics, and greets you by name with requests about how your day is going.

Microsoft Copilot is starting to feel more like an “AI friend” than an AI assistant.

Chris Hoffman, IDG

For example: Both ChatGPT and Copilot offer voice chat. When I click the voice chat button in ChatGPT, I hear silence — the AI model won’t respond until I speak to it. When I click the voice chat button in Copilot, I hear a friendly “Hey Chris! How’s your day going?”

It really makes me wonder: Were few people using Copilot in Windows? Did Microsoft have to redesign it to make it more approachable?

ChatGPT provides a selection of voice options, just like Copilot does.

Chris Hoffman, IDG

ChatGPT’s app also beats Copilot when it comes to working with files:

  • Copilot lets you drag and drop image files to upload them — but that’s it.
  • ChatGPT lets you drag and drop PDF files, Word documents, Excel spreadsheets, PowerPoint presentations, and more to the ChatGPT app to upload them and ask questions about them.

It’s just a much more powerful interface. ChatGPT offers more flexibility with its built-in hotkeys, too:

  • To launch Copilot, you’ll need a new-ish laptop that comes with a Copilot key on its keyboard. (Microsoft used to let the Windows+C hotkey launch Copilot, but that’s been removed.)
  • To launch ChatGPT, you can press Alt+Space — or you can change this shortcut to anything you’d prefer in the ChatGPT app’s settings. (If you have Microsoft PowerToys installed, the Alt+Space shortcut may launch the PowerToys Run launcher instead. You’ll need to change the hotkey for either tool.)

If you do have a laptop with a Copilot key, you’ll be able to go into the Settings app in Windows and tell Windows to launch the ChatGPT app instead of the Copilot app when you press it.

ChatGPT launches a convenient small window when you press the shortcut.

Chris Hoffman, IDG

ChatGPT also offers more flexibility when it comes to working with saved conversations:

  • Copilot will let you start a new conversation, if you like — but that’s it.
  • ChatGPT lets you start new chats, and it also lets you switch to recent chats you’ve used right from its sidebar.

Some features are similar. Both Copilot and ChatGPT can search the web for you to find up-to-date information. Neither can search the web while you’re having a voice conversation, however — hopefully that’ll arrive in the future.

Both ChatGPT and Copilot offer different answers, too. You should experiment with both to see which best fits your needs. However, in my testing, I found that ChatGPT was more verbose in its responses — in a good way. Since the update where Copilot started trying to be your best friend, Copilot has been giving shorter responses with a focus on follow-up questions for you, to keep the conversation going.

Copilot Pro still beats ChatGPT for Office integration

For all of ChatGPT’s advantages, Copilot does still have one trick up its sleeve: If you pay for a $20 per month Copilot Pro subscription, you get access to Copilot AI integration in Microsoft Office apps like Word, Excel, PowerPoint, and Outlook.

If this is a feature you like, Copilot is unbeaten. ChatGPT can’t get its hooks into Office apps directly. And it’s a good argument for paying Microsoft’s $20-per-month Copilot Pro subscription rather than OpenAI’s $20-per-month ChatGPT Plus subscription if you’re going to be spending money on a premium AI chatbot subscription.

But for people who aren’t spending any money, ChatGPT is a better productivity tool.

I haven’t found it worthwhile to spend $20 a month to use Copilot in Office apps, although I use Microsoft Word and Excel all the time. But everyone has different workflows, and some professionals are finding it to be useful.

ChatGPT is more of a productivity tool than Copilot

I haven’t covered every option in the ChatGPT app here. In general, ChatGPT has more options and feels like more of a productivity tool, while Copilot feels more like it’s trying to be the new ELIZA. (ELIZA was a chatbot from the 1960s. It was a mock therapist that asked questions like “How does that make you feel?”)

ChatGPT also offers more for free, for anyone whose company isn’t already footing a premium subscription. For example: ChatGPT lets you upload Office documents to analyze them; on Microsoft’s side, that feature requires the $20 per month Copilot Pro subscription to do the same thing in Word or other Microsoft 365 apps.

And, again, Copilot refuses to let you launch it with a hotkey — unless you buy a new PC that comes with a Copilot key; ChatGPT lets you choose your own key.

ChatGPT pulls ahead — for now

Is the race over? Of course not. Remember, when Microsoft launched Bing Chat, it surpassed ChatGPT. Bing Chat originally had more advanced AI models that only came to ChatGPT later. Microsoft could improve the ChatGPT app and integrate it better with Windows — currently, it’s really just a web app. And Microsoft could create its own AI models and use them with Copilot.

But, for now, ChatGPT is in the lead here. Windows users who rely on ChatGPT — or Windows users who just want a more powerful AI chatbot app than what Microsoft is delivering with Copilot — should install the app and give it a look.

Want to learn about the latest Windows features and apps that can boost your productivity? My free Windows Intelligence newsletter delivers all the best Windows tips straight to your inbox.

Category: Hacking & Security

An Android-ChromeOS merger might actually make sense now

Computerworld.com [Hacking News] - 11 hours 1 min ago

Stop me if you’ve heard this one: Google’s got two primary user-facing platforms, Android and ChromeOS — and, if the latest rumors are to be believed, the company may be on the brink of bringing ’em together and combining ’em into a single, streamlined entity.

If you’re feeling a funny sense of déjà vu, you aren’t alone. We’ve been going through some version of this same exact scenario more or less nonstop since the advent of ChromeOS nearly a decade and a half ago.

The buzz reached a boiling point around 2015, when a string of reports told us with no uncertainty that Google was, like, totally gonna merge Android and ChromeOS and that the long-predicted one-or-the-other duel was nearing its inevitable conclusion.

The reality, of course, has thus far turned out to be far more nuanced and less dramatic. Instead of merging the two platforms into one, Google’s spent the past several years working to align them and bring more Android-inspired elements into the ChromeOS environment. The result has been an experience that feels noticeably more consistent, complementary, and connected — and that’s turned Chromebooks into a much more versatile, capable, and broadly appealing computing product that’s genuinely compelling for professional purposes.

And yet, the notion of Android and ChromeOS coming together continues to come up. A fresh set of rumors about a pending platform merger is gaining steam this second, in fact. And while I’m usually the first person to throw water on such possibilities and raise the curtain of skepticism around those claims, for the first time, I’m actually thinking: You know, right now, this might make an awful lot of sense.

Let me explain.

[Get level-headed knowledge in your inbox with my free Android Intelligence newsletter. Three new things to know and try every Friday!]

Google’s never-ending Android-ChromeOS saga

These latest rumors, from known Android oracle Mishaal Rahman, stem from an unnamed “source within Google.” And they state, unequivocally, that Google is “working on a multi-year project to fully turn ChromeOS into Android,” with an intended end result of creating a single platform “that finally bests the iPad.”

To better compete with the iPad as well as manage engineering resources more effectively, Google wants to unify its operating system efforts. Instead of merging Android and ChromeOS into a new operating system like rumors suggested in the past, however, a source told me that Google is instead working on fully migrating ChromeOS over to Android. While we don’t know what this means for the ChromeOS or Chromebook brands, we did hear that Google wants future “Chromebooks” to ship with Android. 

While this specific suggestion may sound somewhat new, the idea behind it actually dates back to the first set of serious rumors around an Android-ChromeOS combo. Back then, in 2015, the theory was that Google would somehow “fold” ChromeOS into Android to create a single combined mega-platform.

And that same basic scenario is almost exactly what’s being proposed again today.

It’s a significant twist from the most recent set of Android-ChromeOS merger rumors, from 2018, which suggested that Google was cookin’ up an entirely new piece of software called Fuchsia that’d ultimately act as an all-purpose replacement for Android and ChromeOS alike. That rumor had echoes of a previous narrative (!) around a similarly all-new operating system called Andromeda from 2016, even down to the alleged Pixel-branded laptop being prepped to showcase the newly combined software.

Spoiler alert: Neither possibility ended up playing out as predicted.

At those times, I was adamant that a full-fledged merger of any sort with Android and ChromeOS seemed unlikely and that, just like early on in the platforms’ coexistence, more nuanced ongoing alignments seemed like the more logical progression. Those analyses have proven somewhat prophetic over time.

But now, I’m not nearly as convinced that that sort of sanity-seeking, perspective-drawing counternarrative needs to exist.

Reconsidering an Android-ChromeOS combo

To be clear, I’m not basing my conclusions here off any sort of inside info. I’ve reached out to Google to ask for clarity around the latest Android-ChromeOS combo reports, and as of this writing, I’ve yet to hear back with any official answers.

My views are based entirely on my own observations, as someone who’s both personally used and closely covered Android and ChromeOS since their earliest eras.

And unlike with every past rumor along these lines, this one feels almost shockingly sensible — from the perspective of Google, as a business, and also from the perspective of those of us who use and rely on devices across the Android-ChromeOS spectrum as part of our professional and/or personal lives.

As I’ve continued to contemplate this over the past few days, I’ve realized I have a couple core reasons why this strikes me as being such a sensible shift from all perspectives at this point:

1. The Google benefit

First and foremost, we have to remember that Google is a business — and so any move it makes has to be something that’d benefit it from a business perspective as well as, ideally, benefitting us as its users.

And on that front, an Android-ChromeOS combo has never made more sense.

For months now, we’ve been watching Google “realign” its business to cut costs and streamline, simplify, and eliminate areas that aren’t actively moving the organization forward in any measurable way. Part of that has even involved an ongoing shift in the teams responsible for Android and ChromeOS — divisions that recently lost their longtime leaders and became part of a broader Google “Platforms and Devices” team under the same single executive previously responsible only for homemade hardware.

At the same time, Google’s been increasing its under-the-hood alignment of Android and ChromeOS in some eyebrow-raising ways. Most notably, this past summer, the company announced it would begin working on revamping the under-the-hood ChromeOS engine to use the same foundation as Android — a nerdy-sounding pivot that, one could contend, sets the stage for something exactly like what we’re hearing about now to follow.

On top of that, we’ve seen signs suggesting work is afoot on a new Android-based version of Chrome that’d support extensions and an effort to allow Linux access within Android — just like we already have within ChromeOS. Let’s not forget, too, about the new under-development desktop windowing system for Android tablets (for which my first reaction upon using it was: “This feels a lot like ChromeOS!”) and even the decreased emphasis of the signature Chromebook Launcher/Search/Everything key. Considered under the umbrella of this latest rumor, it sure seems reasonable to see these once-disparate-seeming shifts as pieces that’d build toward that same broader puzzle.

Factor in fresh questions around whether Google could one day be forced to sell off Chrome entirely as part of its ongoing U.S. monopoly investigation, and it’s easy to see why a move to Android as the underpinnings of a Chromebook could now add up in a way that didn’t entirely come together in the past.

But there’s another side to the story, too, and it’s every bit as important.

2. The user benefit

As someone who uses both Android and ChromeOS every single day, two truths about the platforms are undeniable:

  • The Android touch experience is exceptional. When you’re using Android on a phone or a tablet — in an optimal Android environment, at least — you’re typically left wanting for nothing.
  • At the same time, the Chromebook desktop experience is in a league of its own. Using a ChromeOS device as a computer is incredible and something that, despite all the ongoing progress over the years, Android in the same scenario simply can’t match.

Now, don’t get me wrong: Android and ChromeOS both provide perfectly passable experiences in their alternate forms. A Chromebook in its tablet mode is fine, as is an Android device in its desktop environment. But neither holds a candle to what the other platform can offer in its more native-feeling “default” version of that same environment — Android on the touch side and ChromeOS with a keyboard.

So if Google managed to create a situation where you could essentially enjoy Android when a device is in a touch-centric form and then seamlessly switch to something that felt like a Chromebook when a keyboard is attached, it could create a brilliant best-of-both-worlds mashup — a scenario where you don’t have to settle for passable and could instead have the best possible option for any given way you’re using a device at any moment, whether it’s an “Android tablet” or a “Chromebook” in name.

It’s not far removed from my long-standing dream of owning a gadget that’d seamlessly switch to either Android or ChromeOS to match which arrangement would be most advantageous depending on how, exactly, you’re using the thing. Perhaps not coincidentally, in fact, “experiments” around a system just like that showed up in some of Google’s source code earlier this year.

And speaking of such subjects…

The Android-ChromeOS combo path no one’s considering

My revelation about the two-pronged benefit of an Android-ChromeOS merger today took me back to something a ChromeOS executive said to me in an interview a couple years ago:

“What’s underneath doesn’t really matter to the user. You could have 10 different operating systems, one for each form factor, if you wanted that. The important piece is what you present to the user.”

That, [Google Senior Director of Product Management Alexander] Kuscher says, is why Android and ChromeOS have continued to grow more consistent and connected over the years. In Google’s view, the operating system is less important than the experience — and increasingly, it’s working to present experiences that are so similar that they feel more like different branches of the same tree than completely separate forests.

And that, in turn, reminded me of some musings I shared back in 2016 — when the previous “Android and ChromeOS coming together” rumors were taking shape and everyone was convinced, again, that Google was on the brink of beginning an effort to “fold” ChromeOS into Android and create a single streamlined operating system.

At that time, I raised this newly intriguing notion:

What if [this] were essentially just a way to give Android devices a “desktop mode” — a ChromeOS-like environment that appears when, say, a physical keyboard is present, with a more traditional Android interface remaining in place for touch-centric use? A ChromeOS-like environment wouldn’t be ideal as a core part of the regular touch-centric Android experience, after all, but it sure could be valuable as an option for scenarios involving more productivity-oriented and laptop-like use.

And what if this best-of-both-worlds, dual-purpose mentality applies not only to convertible systems but also to phones? …

Such a setup could effectively turn any compatible Android device into a versatile all-purpose computer that packs the strengths of Google’s two platforms into a single superpowered package.

Hmmmmmmmmmmmmmm.

To be clear, the current state of these rumors makes it sound like Google’s moving toward a more full-fledged adoption of Android on the Chromebook front — a full merger, as opposed to any sort of harmonious coexistence.

But still: Perhaps there could be more nuance involved. Perhaps the Chromebook/“Android desktop mode” side of the equation could still look and feel largely like what we consider to be ChromeOS today, only with Android running as the foundation beneath it. Perhaps Android could be the base of the future Chromebook experience and not the entire experience itself, in any front-facing, user-visible way. And perhaps those Google-exec comments about what’s underneath not mattering and the operating system being less important than the experience could come into play once more.

If Google can manage to pull that off effectively without sacrificing too much of what makes ChromeOS special, this could be a very good thing for both the company and for those of us who rely on its platforms — Android and ChromeOS alike.

But that involves an awful lot of “if”-type questions. And right now, most of them remain vexingly unanswered.

Android-ChromeOS combo caveats — and a philosophical pondering

So, yes: I see a lot of logic in the notion of an Android-ChromeOS combo now — for Google and for us, as users of its software and devices. But I also have a lot of concerns about how this could play out, particularly as someone who’s long been immersed in the Chromebook universe and appreciative of the unique advantages that platform offers for businesses, schools, and also regular ol’ individual computer owners.

Specifically:

  • ChromeOS has some significant security advantages in the way its software is structured. These are an important part of the Chromebook proposition, particularly for businesses and other organizations. If the ChromeOS base is replaced with Android, would these architectural advantages be lost?
  • Chromebooks also offer some incredibly important advantages around updates, with fresh software showing up every few weeks — quickly and reliably, regardless of who made a device or how old it may be. And most Chromebooks are now promised a minimum of 10 years of ongoing software support. This, suffice it to say, is quite a contrast from the update situation on Android, where the manufacturer- and carrier-dependent nature of that operating system creates a bit of a Wild West scenario (outside of Google’s own closely controlled Pixel devices).
  • On the same note, a big part of why Chromebooks can offer such a stable update experience is because of the consistency ChromeOS creates from one device to the next. Unlike Android, where device-makers and carriers alike are able to modify the software in all sorts of ways, every Chromebook is essentially identical in terms of its interface and software experience. And so Google can send out updates universally, without third-party companies needing to be involved (the variable that always leads to extended delays and irksome uncertainty on Android).
  • Finally, on a less tangible but every bit as consequential consideration, using a Chromebook feels noticeably and meaningfully different from using Android in a desktop state. ChromeOS has always offered a true desktop-caliber experience in a way that Android has never managed to match. If Google isn’t able to maintain that — and if the Chromebook/“Android desktop mode” interface feels more like a traditional Android tablet experience instead of a true desktop-caliber, Chromebook-style setup — that’d be a massive stumble in the wrong direction and a major devolution for the productivity-first focus the company has managed to create with ChromeOS.

Google’s got its work cut out for it, in other words. But unlike in the past, this possibility seems promising. And the more you think about it, the more sense it really makes — again, if Google manages to get it right.

A decade ago, I posed a philosophical question about the ever-overlapping future of Android and ChromeOS. At the time, the question represented my thinking about these platforms from a slightly different perspective, with the notion of ChromeOS potentially taking over for Android at some theoretical point down the road.

The tables may have turned in the other direction, but the question itself feels freshly relevant today:

If all Android apps can eventually run on ChromeOS — and if ChromeOS evolves to look more like Android while web apps and Android apps grow increasingly similar in design — would you notice the difference between a phone running Android and a phone running Chrome?

Flip that question around, and you’ve got a fascinating slice of food for thought for this current situation. If all these factors come together and Google manages to make the surface-level Chromebook interface similar enough while maintaining each environment’s under-the-hood advantages — a tall order, to be sure — would you even realize if your Chromebook technically ran Android?

We may not know the answer for some time yet. This project is said to be a multi-year effort, and that’s providing all the still-unofficial details are accurate and the plans continue to push forward. (All tech companies test out ideas internally that never end up seeing the light of day, and Google in particular is notorious for developing concepts and then abandoning ’em before they ever turn into anything.)

But this sure is an interesting notion to chew over. And for the first time, it feels like there could be something to it beyond just misguided excitement.

Want even more Googley knowledge? Check out my free Android Intelligence newsletter to get next-level tips and insight delivered directly to your inbox — starting with my Android Notification Power-Pack as a special welcome bonus!

Category: Hacking & Security

Decades-Old Security Vulnerabilities Found in Ubuntu's Needrestart Package

The Hacker News - 13 hours 20 min ago
Multiple decade-old security vulnerabilities have been disclosed in the needrestart package installed by default in Ubuntu Server (since version 21.04) that could allow a local attacker to gain root privileges without requiring user interaction. The Qualys Threat Research Unit (TRU), which identified and reported the flaws early last month, said they are trivial to exploit, necessitating that
Ravie Lakshmanan
Category: Hacking & Security

Microsoft Launches Windows Resiliency Initiative to Boost Security and System Integrity

The Hacker News - 15 hours 36 min ago
Microsoft has announced a new Windows Resiliency Initiative as a way to improve security and reliability, as well as ensure that system integrity is not compromised. The idea, the tech giant said, is to avoid incidents like that of CrowdStrike's earlier this July, enable more apps and users to be run without admin privileges, add controls surrounding the use of unsafe apps and drivers, and offer
Ravie Lakshmanan
Category: Hacking & Security