Kategorie

ChatGPT developer OpenAI is developing a new kind of reasoning AI models with the project name “Strawberry” that can be used for research, according to a report by Reuters. Strawberry was apparently earlier known by the name “Q” and would be considered a breakthrough within OpenAI.

The plan is for the new Strawberry models to not only be able to generate answers based on instructions, but also to be able to plan ahead by navigating the internet independently and reliably perform what OpenAI calls “deep research.”

How Strawberry works under the hood remains unclear; it is also unknown how long the technology may be from completion. In a comment to Reuters, an OpenAI spokesperson said continued research into new AI opportunities is ongoing within the industry. However, the spokesperson did not say anything specific about Strawberry in particular.

More OpenAI news:

• OpenAI has developed a scale to assess how close we are to AGI
• OpenAI reportedly stopped staffers from warning about security risks
• OpenAI whistleblowers seek SEC probe into ‘restrictive’ NDAs with staffers
• OpenAI: Musk’s control issues at heart of ongoing rift
• OpenAI models still available in China via Azure cloud despite company ban

Some employees of ChatGPT-maker OpenAI have reportedly written to the US Securities and Exchange Commission (SEC) seeking a probe into some employee agreements, which they term restrictive non-disclosure agreements (NDAs).

These staffers-turned-whistleblowers have written to the SEC alleging that the company forced their employees to sign agreements that were not in compliance with SEC’s regulations.

“Given the well-documented potential risks posed by the irresponsible deployment of AI, we urge the commissioners to immediately approve an investigation into OpenAI’s prior NDAs, and to review current efforts apparently being undertaken by the company to ensure full compliance with SEC rules,” read the letter shared with Reuters by the office of Senator Chuck Grassley.

The same letter alleges that OpenAI made employees sign agreements that curb their federal rights to whistleblower compensation and urges the financial watchdog to impose individual penalties for each such agreement signed.

Further, the whistleblowers have alleged that OpenAI’s agreements with employees restricted them from making any disclosure to authorities without checking with the management first and any failure to comply with these agreements would attract penalties for the staffers.

The company, according to the letter, also did not create any separate or specific exemptions in the employee non-disparagement clauses for disclosing securities violations to the SEC.

An email sent to OpenAI about the letter went unanswered.

The Senator’s office also cast doubt about the practices at OpenAI. “OpenAI’s policies and practices appear to cast a chilling effect on whistleblowers’ right to speak up and receive due compensation for their protected disclosures,” the Senator was quoted as saying.

Experts in the field of AI have been warning against the use of the technology without proper guidelines and regulations.

In May, more than 150 leading artificial intelligence (AI) researchers, ethicists, and others signed an open letter calling on generative AI (genAI) companies to submit to independent evaluations of their systems to maintain basic protection against the risks of using large-scale AI.

Last April, the who’s who of the technology industry called for AI labs to stop training the most powerful systems for at least six months, citing “profound risks to society and humanity.”

That open letter, which now has more than 3,100 signatories including Apple co-founder Steve Wozniak, called out San Francisco-based OpenAI Lab’s recently announced GPT-4 algorithm in particular, saying the company should halt further development until oversight standards were in place. OpenAI, on the other hand, in May formed a safety and security committee led by board members as they started researching their next large language models.

More OpenAI news:

• OpenAI is working on new reasoning AI technology
• OpenAI reportedly stopped staffers from warning about security risks
• OpenAI: Musk’s control issues at heart of ongoing rift
• OpenAI models still available in China via Azure cloud despite company ban

On Friday, Apple Vision Pro was launched in Europe. But the analysts do not expect any major sales success.

According to research firm IDC, fewer than 500,000 units of the mixed reality headset will be sold in 2024, which is partly due to the high price. Apple’s headset costs $3,499; that corresponds, for example, to almost 50,000 Swedish kronor with included VAT and other fees.

By comparison, Facebook’s parent company Meta sells its Meta Quest 3 headset for $499, and its predecessor, the Meta Quest 2, retails for $299.

According to rumors, a cheaper variant of the Apple Vision Pro will be launched in 2025, but release dates and details remain unclear.

More on Apple Vision Pro:

• Heads on: Apple’s Vision Pro delivers a glimpse of the future
• Apple reportedly cuts Vision Pro production due to low demand
• Yes, Apple’s Vision Pro is an enterprise product
• Apple’s Vision Pro faces an uphill battle
• Apple’s Vision Pro isn’t a full-fledged Mac replacement — yet

Imagine you could gain access to any Fortune 100 company for $10 or less, or even for free. Terrifying thought, isn’t it? Or exciting, depending on which side of the cybersecurity barricade you are on. Well, that’s basically the state of things today. Welcome to the infostealer garden of low-hanging fruit. Over the last few years, the problem has grown bigger and bigger, and only now are we

Imagine you could gain access to any Fortune 100 company for $10 or less, or even for free. Terrifying thought, isn’t it? Or exciting, depending on which side of the cybersecurity barricade you are on. Well, that’s basically the state of things today. Welcome to the infostealer garden of low-hanging fruit. Over the last few years, the problem has grown bigger and bigger, and only now are we The Hacker Newshttp://www.blogger.com/profile/[email protected]

A threat actor that was previously observed using an open-source network mapping tool has greatly expanded their operations to infect over 1,500 victims. Sysdig, which is tracking the cluster under the name CRYSTALRAY, said the activities have witnessed a tenfold surge, adding it includes "mass scanning, exploiting multiple vulnerabilities, and placing backdoors using multiple [open-source

A threat actor that was previously observed using an open-source network mapping tool has greatly expanded their operations to infect over 1,500 victims. Sysdig, which is tracking the cluster under the name CRYSTALRAY, said the activities have witnessed a tenfold surge, adding it includes "mass scanning, exploiting multiple vulnerabilities, and placing backdoors using multiple [open-source Newsroomhttp://www.blogger.com/profile/[email protected]

Amazon last week made an unusual deal with a company called Adept in which Amazon will license the company’s technology and also poach members of its team, including the company’s co-founders.

The e-commerce, cloud computing, online advertising, digital streaming and artificial intelligence (AI) giant is no doubt hoping the deal will propel Amazon, which is lagging behind companies like Microsoft, Google and Meta in the all-important area of AI. (In fact, Adept had previously been in acquisition talks with both Microsoft and Meta.) 

Adept specializes in the hottest area of AI that hardly anyone is talking about, but which some credibly claim is the next leap forward for AI technology. 

But wait, what exactly is agentic AI? The easiest way to understand it is by comparison to LLM-based chatbots. 

How agentic AI differs from LLM chatbots

We know all about LLM-based chatbots like ChatGPT. Agentic AI systems are based on the same kind of large language models, but with important additions. While LLM-based chatbots respond to specific prompts, trying to deliver what’s asked for literally, agentic systems take that further by incorporating autonomous goal-setting, reasoning, and dynamic planning. They’re also designed to integrate with applications, systems, and platforms. 

While LLMs, such as ChatGPT, reference huge quantities of data and hybrid systems, like Perplexity AI, combine that with real-time web searches, agentic systems further incorporate changing circumstances and contexts to pursue goals, causing them to reprioritize tasks and change methods to achieve those goals. 

While LLM chatbots have no ability to make actual decisions, agentic systems are characterized by advanced contextual reasoning and decision-making. Agentic systems can plan, “understand” intent, and more fully integrate with a much wider range of third-party systems and platforms. 

What’s it good for?

One obvious use for agentic AI is as a personal assistant. Such a tool could — based on natural-language requests — schedule meetings and manage a calendar, change times based on others’ and your availability, and remind you of the meetings. And it could be useful in the meetings themselves, gathering data in advance, creating an agenda, taking notes and assigning action items, then sending  follow-up reminders. All this could theoretically begin with a single plain-language, but vague, request.

It could read, categorize and answer emails on your behalf, deciding which to answer and which to leave for you to respond to. 

You could tell your agentic AI assistant to fill out forms for you or subscribe to services, entering the requested information and even processing any payment. It could even theoretically surf the web for you, gathering information and creating a report.

Like today’s LLM chatbots, agentic AI assistants could use multimodal input and could receive verbal instructions along with audio, text, and video inputs harvested by cameras and microphones in your glasses. 

Another obvious application for agentic AI is for customer service. Today’s interactive voice response (IVR) systems seem like a good idea in theory — placing the burden on customers to navigate complex decision trees while struggling with inadequate speech recognition so that a company doesn’t need to pay humans to interface with customers — but fail in practice. 

Agentic AI promises to transform automated customer service. Such technology should be able to function as if it not only understands the words but also the problems and goals of a customer on the phone, then perform multi-step actions to arrive at a solution.

They can do all kinds of things a lower-level employee might do — qualify sales leads, do initial outreach for sales calls, automate fraud detection and loan application processing at a bank, autonomously screen candidates applying for jobs, and even conduct initial interviews and other tasks. 

Agentic AI should be able to achieve very large-scale goals as well — optimize supply chains and distribution networks, manage inventory, optimize delivery routes, reduce operating costs, and more.

The risk of agentic AI

Let’s start with the basics. The idea of AI that can operate “creatively” and autonomously — capable of doing things across sites, platforms and networks, directed by a human-created prompt with limited human oversight — is obviously problematic.

Let’s say a salesperson directs agentic AI to set up a meeting with a hard-to-reach potential client. The AI understands the goal and has vast information about how actual humans do things, but no moral compass and no explicit direction to conduct itself ethically.  

One way to reach that client (based on the behavior of real humans in the real world) could be to send an email, tricking the person into clicking on self-executing malware, which would open a trojan on the target’s system to be used for exfiltrating all personal data and using that data to find out where that person would be at a certain time. The AI could then place a call to that location, and say there’s an emergency. The target would then take the call, and the AI would try to set up a meeting.

This is just one small example of how an agentic AI without coded or prompted ethics could do the wrong thing. The possibilities for problems are endless. 

Agentic AI could be so powerful and capable that there’s no way this ends well without a huge effort on the development and maintenance of AI governance frameworks that include guidelines, safety measures, and constant oversight by well-trained people.

Note: The rise of LLMs, starting with ChatGPT, engendered fears that AI could take jobs away from people; agentic AI is the technology that could really do that at scale.

The worst-case scenario would be for millions of people to be let go and replaced by agentic AI. The best case is that the technology  would be inferior to a human partnering with it. With such a tool, human work could be made far more efficient and less error-prone. 

I’m pessimistic that agentic AI can benefit humanity if the ethical considerations remain completely in the hands of Silicon Valley tech bros, investors, and AI technologists. We’ll need to combine expertise from AI, ethics, law, academia, and specific industry domains and move cautiously into the era of agentic AI.

It’s reasonable to feel both thrilled by the promise of agentic AI and terrified about the potential negative effects. One thing is certain: It’s time to pay attention to this emerging technology. 

With a giant, ambitious, capable, and aggressive company like Amazon making moves to lead in agentic AI, there’s no ignoring it any longer. 

More by Mike Elgan:

• The rise of AI-powered killer robot drones
• Digital nomads just got huge screens and fast internet
• AI washing: Silicon Valley’s big new lie

One of the more tired cliches in IT circles refers to “Cowboy IT” or “Wild West IT,” but it’s the most appropriate way to describe enterprise generative AI (genAI) efforts these days. As much as IT is struggling to keep on top of internal genAI efforts, the biggest danger today involves various business units globally creating or purchasing their very own experimental AI efforts.

We’ve talked extensively about Shadow AI (employees/contractors purchasing AI tools outside of proper channels) and Sneaky AI (longtime vendors silently adding AI features into systems without telling anyone). But Cowboy AI is perhaps the worst of the bunch because no one can get intro trouble. Most boards and CEOs are openly encouraging all business units to experiment with genAI and see what enterprise advantages they can unearth.

The nightmare is that almost none of those line of business (LOB) teams understand how much they are putting the enterprise at risk. Uncontrolled and unmanaged, genAI apps are absolutely dangerous.

Longtime Gartner analyst Avivah Litan (whose official title these days is Distinguished VP Analyst) wrote on LinkedIn recently about the cybersecurity dangers from these kinds of genAI efforts. Although her points were intended for security talent, the problems she describes are absolutely a bigger problem for IT.

“Enterprise AI is under the radar of most Security Operations, where staff don’t have the tools required to protect use of AI,” she wrote. “Traditional Appsec tools are inadequate when it comes to vulnerability scans for AI entities. Importantly, Security staff are often not involved in enterprise AI development and have little contact with data scientists and AI engineers. Meanwhile, attackers are busy uploading malicious models into Hugging Face, creating a new attack vector that most enterprises don’t bother to look at. 

“Noma Security reported they just detected a model a customer had downloaded that mimicked a well-known open-source LLM model. The attacker added a few lines of code that caused a forward function. Still, the model worked perfectly well, so the data scientists didn’t suspect anything. But every input to the model and every output from the model were also sent to the attacker, who was able to extract it all. Noma also discovered thousands of infected data science notebooks. They recently found a keylogging dependency that logged all activities on their customer’s Jupyter notebooks. The keylogger sent the captured activity to an unknown location, evading Security which didn’t have the Jupyter notebooks in its sights.”

IT leaders: How many of the phrases above sound a little too familiar? 

Your team “often not involved in enterprise AI development and have little contact with data scientists and AI engineers?” Bad guys “creating a new attack vector that most enterprises don’t bother to look at?” Or maybe “the model worked perfectly well so the data scientists didn’t suspect anything. But every input to the model and every output from the model were also sent to the attacker, who was able to extract it all” or a manipulated external app which your IT team “didn’t have in its sights?”

Some enterprises have debated creating a new AI executive, but that’s unlikely to help. It will more than likely be an executive with lots of responsibilities, far too little budget and no actual authority to get any business unit to comply with the AI chief’s edicts. It’s sort of like many CISOs today, a toothless manager but with even more headaches. 

The better answer is to use the best power in the world to force LOB executives to take AI efforts seriously: make it an HR-approved criteria for their annual bonus. Put massive financial penalties on any problems that result from AI efforts their unit undertakes. (Paycheck hits get their attention because it is literally money out of their pockets.) Then add a caveat: If IT approves the effort in writing, then you are fully blameless for anything bad that later happens.

Magically, getting IT signoff becomes important to those LOB leaders. Then and only then, the CIO will have the clout to protect the company from errant AI.

Another possible outcome of this carrot-stick approach is that business execs will still want to maintain control and will instead hire AI experts for their units directly. That works, too. 

The cost of trying out many of these genAI efforts — especially for a relatively short time — is often negligible. That can be bad because it makes it easy for LOB workers to underestimate the risks to the business that they are accepting. 

The potential of genAI is unlimited and exciting, but if strict rules aren’t put in place right away, it could well destroy a business before it has a chance to help. 

Yippee-ki-yay, CIO.

Retail banking institutions in Singapore have three months to phase out the use of one-time passwords (OTPs) for authentication purposes when signing into online accounts to mitigate the risk of phishing attacks. The decision was announced by the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) on July 9, 2024. "Customers who have activated their digital

Retail banking institutions in Singapore have three months to phase out the use of one-time passwords (OTPs) for authentication purposes when signing into online accounts to mitigate the risk of phishing attacks. The decision was announced by the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) on July 9, 2024. "Customers who have activated their digitalNewsroomhttp://www.blogger.com/profile/[email protected]

Cybersecurity researchers have shed light on a new version of a ransomware strain called HardBit that comes packaged with new obfuscation techniques to deter analysis efforts. "Unlike previous versions, HardBit Ransomware group enhanced the version 4.0 with passphrase protection," Cybereason researchers Kotaro Ogino and Koshi Oyama said in an analysis. "The passphrase needs to be provided during

Cybersecurity researchers have shed light on a new version of a ransomware strain called HardBit that comes packaged with new obfuscation techniques to deter analysis efforts. "Unlike previous versions, HardBit Ransomware group enhanced the version 4.0 with passphrase protection," Cybereason researchers Kotaro Ogino and Koshi Oyama said in an analysis. "The passphrase needs to be provided duringNewsroomhttp://www.blogger.com/profile/[email protected]

**Microsoft vydal 9. července večer servisní aktualizace pro Windows **Průzkumník ve Windows 11 podporuje tvorbu archivů 7Z a TAR **Vývojový tým opravil 139 slabých míst zabezpečení

American telecom service provider AT&T has confirmed that threat actors managed to access data belonging to "nearly all" of its wireless customers as well as customers of mobile virtual network operators (MVNOs) using AT&T's wireless network. "Threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, 2024, exfiltrated

American telecom service provider AT&T has confirmed that threat actors managed to access data belonging to "nearly all" of its wireless customers as well as customers of mobile virtual network operators (MVNOs) using AT&T's wireless network. "Threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, 2024, exfiltrated Newsroomhttp://www.blogger.com/profile/[email protected]

Microsoft released 132 updates in its July Patch Tuesday update while addressing four zero-days (CVE-2024-35264, CVE-2024-37985, CVE-2024-38080 and CVE-2024-38112) affecting Windows desktop, Microsoft .NET and Visual Studio. This is a very significant patch cycle for Microsoft SQL Server, but there are no updates for Microsoft browsers and a low profile set of patches for Microsoft Office. No major revisions require attention, with testing focused squarely on SQL dependent applications. 

The team at Readiness has provided a useful infographic detailing the risks with each of the updates this cycle. 

Known issues 

Each month, Microsoft publishes a list of known issues included in its latest release, including two reported minor issues:

• After you install KB5034203 (dated 01/23/2024) or later updates, some Windows devices that use the DHCP Option 235 to discover Microsoft Connected Cache (MCC) nodes in their network might be unable to use those nodes. Microsoft offered two options to mitigate the issue through setting the Cache Hostname or using group policies. Microsoft is still working on a resolution.
• Context menus and dialog buttons in some Windows apps, or parts of the Windows OS user interface (UI), might display in English when English is not set as the display language. This might also affect font size.

We fully expect to see more issues relating to how the Windows UI presented over the coming months as Microsoft works through some of the core level issues with new ARM builds. This means that even non-ARM builds will be affected (see CVE-2024-37985). Look out for input method editor, language pack, and dialog box language issues for non-English builds.

Major revisions 

This Patch Tuesday saw Microsoft publishing the following major revisions to past  security and feature updates, including:

• CVE-2024-30098 : Windows Cryptographic Services Security Feature Bypass. Microsoft has added a FAQ to explain how this vulnerability is being addressed and further actions customers must take to be protected from it. This is an informational change only; no further action is required.

Mitigations and workarounds

Microsoft published the following vulnerability-related mitigations for this month’s release cycle: 

• CVE-2024-38077, CVE-2024-38076 and CVE-2024-38074: Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability. Microsoft has (rather helpfully) offered guidance that disabling the Remote Desktop licensing feature mitigates this vulnerability. 
• CVE-2024-38030: Windows Themes Spoofing Vulnerability. If you have Windows NTLM disabled, this vulnerability will not affect your system.

Each month, the Readiness team analyses the latest Patch Tuesday updates and provides detailed, actionable testing guidance based on assessing a large application portfolio and a detailed analysis of the patches and their potential impact on the Windows platforms and app installations.

For this cycle, we have grouped the critical updates and required testing efforts into different functional areas:

Microsoft Office

• Test out your Teams logins (which shouldn’t take too long).
• Because SharePoint was updated, third-party extensions or dependencies will require testing.
• Due to the change in Outlook, Internet Calendars (ICS files) will require testing.
• With the Visio update, large CAD drawings will require a basic import and load test.

Microsoft .NET and developer tools

Microsoft has updated the Microsoft .NET, MSI Installer and Visual Studio with the following testing guidance:

• PowerShell updates will require a diagnostics test. Try the command, “import-module Microsoft.powershell.diagnostics – verbose” and validate that you are getting the correct results from your home directory.
• Due to the change in the Windows core installation technology (MSI), please validate that User Account Control (UAC) still functions as expected.

Microsoft SQL Server

This month is a big update for both Microsoft SQL Server and the local, or workstation supporting elements of OLE. The primary focus for this kind of complex effort should be your line-of-business or core applications. These are the applications that have multiple data connections and rely on complex, multiple object/session requirements. Due to the changes this month, we can’t recommend specific Windows feature testing regimes, as we are most concerned that the business logic (and resulting data) of the application in question might be affected. Only you will know what looks good; we advise a comparative testing regime across unpatched and newly patched systems looking for data disparities.

Windows

Microsoft made another update to the Win32 and GDI subsystems with a recommendation to test out a significant portion of your application portfolio. We also recommend that you test the following functional areas in the Windows platform:

• File compression has been updated, so file and archive extraction scenarios will need to be exercised.
• Due to the Microsoft codec updates, perform a system reboot and test that your audio and camera still work together.
• Security updates will require the testing of the creation of new Windows certificates.
• Networking changes will require a test of DNS and DHCP, specifically the DHCP R_DhcpAddSubnetElement API. As part of these changes, testing VPN authentication will be required. Try to include your Network Policy Server (NPS) as part of the connection creation and deletion effort.
• This month’s update to Remote Desktop Services (RDS) will require the creation and revocation of license requests.
• A significant update to the Network Driver Interface Specification (NDIS) will require testing of network traffic involving repeated bursts of large files. Try using Teams while this networking burst testing is in progress.
• Backup and printing have been updated, so test your volumes and ensure that when you print out a test page, your OS does not crash (yes, really). Try printing out TIFF files. (Hey, you might like it.)

As part of the ongoing effort to support the new ARM architecture, Microsoft released the first patch for this new platform, CVE-2024-37985. This is an Intel assigned processor-level vulnerability that has been mitigated by a Microsoft OS level patch. The Readiness team has provided guidance on potential ARM-related compatibility and testing issues. 

Specifically, the Readiness team was concerned with Input Method Editors (IMEs). We suggest a full test cycle of Windows input related features such as keyboard, mouse, touch, pen, gesture and dictation. Some internet shortcuts might be affected as well as wallpapers.

Windows lifecycle update 

This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms.

• Home and Pro editions of Windows 11, version 22H2 will reach end of service on Oct. 8, 2024. Until then, these editions will only receive security updates. They will no longer receive non-security, preview updates.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

• Browsers (Microsoft IE and Edge);
• Microsoft Windows (both desktop and server); 
• Microsoft Office;
• Microsoft Exchange Server ;
• Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
• Adobe (if you get this far).

Browsers

Microsoft did not release any updates for its non-Chromium browsers. Following the stable channel release of Chrome (applicable until July 25, 2024) we have not seen any changes, deprecations or testing profile updates to this browser. No further action required.
 

Windows

Microsoft released four critical and 83 updates rated as important with two zero-day patches (CVE-2024-38080 and CVE-2024-38112) affecting the Microsoft Hyper-V and MSHTML feature groups, respectively. In addition to these critical updates, Microsoft patches for July affect the following Windows feature groups:

• Windows NTLM, Kernel, GDI and Graphics;
• Windows Backup;
• Windows Codecs;
• Microsoft Hyper-V;
• Windows (Line) Print and Fax ;
• Windows Remote Desktop and Gateway;
• Windows Secure Boot and Enrolment Manager.

Add these Windows updates to your Patch Now release cycle.

Microsoft Office 

Microsoft returns to form with a critical update for Office this month (CVE-2024-38023) for the SharePoint platform. We have another update for Outlook related to spoofing (CVE-2024-38020), but this vulnerability is not wormable and requires user interaction. There are four more, lower rated updates; please add all of these updates to your standard release schedule.

Microsoft SQL (nee Exchange) Server 

There were no updates for Microsoft Exchange Server this month. However, we have seen the largest release of Microsoft SQL updates in the past few years. These SQL-related updates cover 37 separate reported vulnerabilities (CVEs) and the following main product features

• SQL Server Native Client OLE DB Provider;
• Microsoft OLE DB Driver for SQL.

We covered the testing requirements for this SQL update in our testing guidance section above. This month’s SQL updates will require some preparation and dedicated testing before adding to your standard release schedule.

Microsoft development platforms 

Microsoft released four, low-profile updates to the Microsoft .NET and Visual Studio platforms. We do not expect serious testing requirements for these vulnerabilities. However, CVE-2024-35264 has been reported as publicly disclosed by Microsoft. This makes this an unusually urgent patch for Microsoft Visual Studio attracting a “Patch Now” rating this month.

Adobe Reader (and other third-party updates) 

Very much as our Microsoft Exchange section has been “hijacked” by SQL Server updates this month, we’re using the Adobe section for third-party updates. (There are no updates to Adobe Reader.) 

• CVE-2024-3596: NPS RADIUS Server. A vulnerability exists in the RADIUS protocol that potentially affects many products and implementations of the RFC 2865 in the UDP version of the RADIUS protocol. 
• CVE-2024-38517 and CVE-2024-39684: GitHub Active Directory Management Rights. The  vulnerability assigned to this CVE is in the RapidJSON library which is consumed by the Microsoft Active Directory Rights Management Services Client, hence the inclusion of this CVE with this update.
• CVE-2024-37985: This memory related update from Intel relates to its prefetcher technology. Affected: Core Windows OS memory related components — particularly the new ARM builds, which I find both confusing and ironic.

Read Greg Lambert‘s 2024 Patch Tuesday reports:

• June
• May
• April
• March
• February
• January

The European Commission has released the preliminary findings from an investigation launched last year into X (formerly Twitter), and said it believes the company is in breach of the Digital Services Act (DSA), which applies to marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms.

Non-compliance in three areas

In a statement, the Commission said X was found non-compliant in three areas: 

• The “verified account” mechanism is designed and implemented in a way that deceives users and does not correspond to industry practice. “Since anyone can subscribe to obtain such a ‘verified’ status, it negatively affects users’ ability to make free and informed decisions about the authenticity of the accounts and the content they interact with,” the Commission said, adding there is “evidence of motivated malicious actors abusing the ‘verified account’ to deceive users.”
• X does not comply with requirements around transparency in advertising. “In particular, the design does not allow for the required supervision and research into emerging risks brought about by the distribution of advertising online,” the Commission  argued.
• X does not provide access to its public data to researchers, as specified by conditions in the DSA. Its terms of service prohibit researchers from independently accessing public data, and its process for granting researchers access via its application programming interfaces (APIs) “appears to dissuade researchers from carrying out their research projects or leave them with no other choice than to pay disproportionally high fees.”

X now has the right to examine the commission’s documentation and prepare a defense. 

If the preliminary findings are confirmed, the company faces a non-compliance decision that could result in fines of up to 6% of its global annual revenue, an order to address the issues detailed in the decision, and the potential for a period of enhanced supervision. The commission  can also impose periodic penalty payments.

The move could be seen as a warning shot to other companies.

“While the ruling may not have a direct impact on enterprise CIOs, it emphasizes learning from broader implications and the mistakes of others,” said Phil Brunkard, executive counselor at Info-Tech Research Group, UK. “It sets a precedent for public trust in online marketplaces or social media, highlighting the importance of integrity and transparency in data privacy. Regulation is not just about ticking the compliance box — it’s crucial for customer trust. CIOs must ensure strong governance to protect their brands and maintain customer trust, as trust is the foundation for successful organizations.”

Investigations continue

Investigations continue into X’s risk management around the dissemination of illegal content and the effectiveness of how it combats information manipulation.

To assist in its investigations, the Commission released a whistleblower tool that allows people to contact it anonymously with information contributing to compliance monitoring of X and other entities designated Very Large Online Platforms (VLOP) under the DSA.

X is not the only organization under scrutiny. The Commission has also initiated formal proceedings against TikTok, Meta (in separate proceedings launched in April and May 2024, respectively), and AliExpress.

OpenAI, the company behind the popular AI ​​chatbot Chat GPT, has now developed an evaluation scale to assess how closely AI models can approach human levels of intelligence, according to a Bloomberg report.

The scale has a total of five levels. The higher the level, the closer the AI ​​model is judged to be to human intelligence. Today’s large-scale language models are currently judged to be at level one; that corresponds to basic intelligence, but not a more advanced problem-solving ability.

Level two means that the system has a basic problem-solving ability that should be comparable to a human with a PhD. Level three means the system can act as a representative for the user. Level four means that the system can create new innovations. Finally, level five involves the step to achieve artificial general intelligence (AGI), an AI system can perform the work of entire organizations.

OpenAI has previously defined AGI as a highly automated system that can outperform humans on the majority of economically valuable tasks. OpenAI’s evaluation scale is considered preliminary and could be adjusted in the future.

More OpenAI news:

• OpenAI is working on new reasoning AI technology
• OpenAI reportedly stopped staffers from warning about security risks
• OpenAI whistleblowers seek SEC probe into ‘restrictive’ NDAs with staffers
• OpenAI: Musk’s control issues at heart of ongoing rift
• OpenAI models still available in China via Azure cloud despite company ban

Microsoft will soon enable the company’s AI assistant Copilot to read and analyze handwritten notes, The Verge reports . The function was expected to begin as a beta test at the end of last month.

Onenote users can use the function to make handwritten notes with a stylus and then let Copilot, for example, sum them up, generate a to-do list, or ask questions about the notes.

The feature can also be used to turn handwritten notes into text that is easier to edit and share. Once live, the feature will only be available to Copilot for Microsoft 365 subscribers and Copilot Pro users.

More on Microsoft Copilot:

• Copilot for Microsoft 365 deep dive: Productivity at a steep price
• 7 ways to use Microsoft Copilot right
• Microsoft Copilot Pro review: Office joins the genAI revolution
• Microsoft’s Team Copilot aims to help manage meetings, group chats
• Microsoft debuts Copilot for finance pros