RSS Aggregator

DARPA, ARPA-H award $14m to 7 AIxCC semifinalists, with a catch

The Register - Anti-Virus - 15 August 2024 - 21:15
Teams wanting the cash have to commit to handing their models to OpenSSF after next year's final

One year after it began, the DARPA AI Cyber Challenge (AIxCC) has whittled its pool of contestants down to seven semifinalists.…

Category: Viruses and Worms

Quantum Computers Will Kill Digital Security. These Algorithms Could Stop Them.

Singularity HUB - 15 August 2024 - 20:27

Peter Shor published one of the earliest algorithms for quantum computers in 1994. Running Shor’s algorithm on a hypothetical quantum computer, one could rapidly factor enormous numbers—a seemingly innocuous superpower. But because the security of digital information relies on such math, the implications of Shor’s algorithm were ground-shaking.

It’s long been prophesied that modern cryptography, employed universally across the devices we use every day, will die at the hands of the first practical quantum computer.

Naturally, researchers have been searching for secure alternatives.

In 2016, the US National Institute of Standards and Technology (NIST) announced a competition to create the first post-quantum cryptographic algorithms. These programs would run on today’s computers but defeat attacks by future quantum computers.

Beginning with a pool of 82 submissions from around the world, NIST narrowed the list to four in 2022. The finalists went by the names CRYSTALS-Kyber, CRYSTALS-Dilithium, Sphincs+, and FALCON. This week, NIST announced three of these have become the first standardized post-quantum algorithms. They’ll release a standard draft of the last, FALCON, by the end of the year.

The algorithms, according to NIST, represent the best of the best. Kyber, Dilithium, and FALCON employ an approach called lattice-based cryptography, while Sphincs+ uses an alternative hash-based method. They’ve survived several years of stress testing by security experts and are ready for immediate use.

The release includes code for the algorithms alongside instructions on how to implement them and their intended uses. Like earlier encryption standards developed by the agency in the 1970s, it’s hoped wide adoption will ensure interoperability between digital products and consistency, lowering the risk of error. The first of the group, renamed ML-KEM, is for general encryption, while the latter three (now ML-DSA, SLH-DSA, and FN-DSA) are for digital signatures—that is, proving that sources are who they say they are.

Arriving at standards was a big effort, but broad adoption will be bigger.

While the idea that future quantum computers could defeat standard encryption is fairly uncontroversial, when it will happen is murkier. Today’s machines, still small and finicky, are nowhere near up to the task. The first machines able to complete useful tasks faster than classical computers aren’t expected until later this decade at the very earliest. But it’s not clear how powerful these computers will have to be to break encryption.

Still, there are solid reasons to get started now, according to proponents. For one, it’ll take as long as 10 to 15 years to roll out post-quantum cryptography. So, the earlier we kick things off the better. Also, hackers may steal and store encrypted data today with the expectation it can be cracked later—a strategy known as “harvest now, decrypt later.”

“Today, public key cryptography is used everywhere in every device,” Lily Chen, head of cryptography at NIST, told IEEE Spectrum. “Now our task is to replace the protocol in every device, which is not an easy task.”

There are already some early movers, however. The Signal Protocol underpinning Signal, WhatsApp, and Google Messages—products used by more than a billion people—implemented post-quantum cryptography based on NIST’s Kyber algorithm alongside more traditional encryption in late 2023. Apple did the same for iMessages earlier this year.

It’s notable both opted to run the two in parallel, as opposed to going all-in on post-quantum security. NIST’s algorithms have been scrutinized, but they haven’t been out in the wild for nearly as long as traditional approaches. There’s no guarantee they won’t be defeated in the future.

An algorithm in the running two years ago, SIKE, met a quick and shocking end when researchers took it down with some clever math and a desktop computer. And this April, Tsinghua University’s Yilei Chen published a pre-print on the arXiv in which he claimed to show lattice-based cryptography actually was vulnerable to quantum computers—though his work was later shown to be flawed and lattice cryptography still secure.

To be safe, NIST is developing backup algorithms. The agency is currently vetting two groups representing alternative approaches for general encryption and digital signatures. In parallel, scientists are working on other forms of secure communication using quantum systems themselves, though these are likely years from completion and may complement rather than replace post-quantum cryptographic algorithms like those NIST is standardizing.

“There is no need to wait for future standards,” said Dustin Moody, a NIST mathematician heading the project, in a release. “Go ahead and start using these three. We need to be prepared in case of an attack that defeats the algorithms in these three standards, and we will continue working on backup plans to keep our data safe. But for most applications, these new standards are the main event.”

Image Credit: IBM

Category: Transhumanism

ClamAV 1.4.0

AbcLinuxu [news] - 15 August 2024 - 20:11
ClamAV (Wikipedia), the cross-platform open-source antivirus engine for detecting trojans, viruses, malware and other malicious threats, has been released in version 1.4.0.
Category: GNU/Linux & BSD

MIT delivers database containing 700+ risks associated with AI

Computerworld.com [Hacking News] - 15 August 2024 - 19:24

A group of Massachusetts Institute of Technology (MIT) researchers have opted to not just discuss all of the ways artificial intelligence (AI) can go wrong, but to create what they described in an abstract released Wednesday as “a living database” of 777 risks extracted from 43 taxonomies.

According to an article in MIT Technology Review outlining the initiative, “adopting AI can be fraught with danger. Systems could be biased or parrot falsehoods, or even become addictive. And that’s before you consider the possibility AI could be used to create new biological or chemical weapons, or even one day somehow spin out of control. To manage these potential risks, we first need to know what they are.”

Category: Hacking & Security

The best photo-editing programs: 12 proven tips, paid and free

Živě.cz - 15 August 2024 - 18:45
We have selected the best photo-editing programs for Windows • Advanced graphics editors can transform photographs beyond recognition • Web-based and free applications are surprisingly usable, too
Category: IT News

For IT, Jamf’s Microsoft Azure partnership means a lot

Computerworld.com [Hacking News] - 15 August 2024 - 18:30

Jamf has removed yet another brick in the wall put up by Windows-centric IT staffers to fend off acceptance of Macs in the enterprise, revealing a new partnership with Microsoft that simplifies management of both Windows and Apple devices using Microsoft Azure.

The arrangement means Jamf device management solutions will be hosted on Microsoft Azure and made available for purchase on the Azure Marketplace. 

The Apple device management company has also joined the Microsoft ISV Partner Program and reached a five-year agreement to expand its existing collaboration with new and innovative Microsoft Cloud and AI-powered solutions.

Apple is in the enterprise tent

This builds on work both companies have been doing since at least 2017, as they responded to the realization that most enterprises now recognize the value of Apple products within their ecosystems.

This trend kick-started when the iPhone entered the workplace as an employee-owned device and grew to include employee-choice schemes across multiple platforms.

Of course, those in IT with a vested (and sometimes expensively qualified) interest in Microsoft’s hegemony continue to sit on their thrones before a restless ocean to deny the changing tides — and those are the ones most likely to benefit from the new partnership between Jamf and Microsoft.

That’s because the move to make Jamf Pro available via Azure (cloud and marketplace) means those accustomed to using Azure to help manage and secure Windows devices can now use Jamf to manage and secure Apple devices from within the same familiar, unified environment. 

More than Windows

This goes beyond just the PC. Many companies rely on Microsoft’s back-end technologies and services, so the move to bring Jamf into Azure will make life a little easier there too. 

To an extent, this reflects what current Jamf CEO, John Strosahl told me last year: “Many companies still use Windows applications and services, and we do support some of those activities on network security and the like — things that are further from the device. But the closer you get to the device, the more we believe that Apple is the future.”

With Azure, it will be much easier to integrate iPhones, iPads, and Macs in complex IT workflows built on Microsoft’s enterprise cloud platform.

The direction of travel has been clear for a while, particularly as Jamf integrates with Microsoft Intune and Entra ID. In truth, Jamf and Microsoft have created a string of landmark partnerships in recent years, including integrations across Sentinel, Defender, and Copilot for Security. Jamf joined the Microsoft Intelligent Security Association (MISA) in 2023. 

The Apple enterprise

The news should also help Windows-based tech support take better control over the security of those Apple devices that are already deployed across their networks.

With as many as 75% of enterprise employees ready to choose a Mac if given a choice, IT really should take security seriously. Earlier this year, Jamf reported that 40% of mobile users and 39% of organizations are running a device with known vulnerabilities. Apple itself has also warned that the number of data breaches has at least tripled since 2013. (Though it is fair to say that Apple is not the platform most impacted, which is a story that speaks many volumes on its own account.) Timely updates on every platform should be in your supplier SLAs.

“It’s time for organizations to get their modern device estates in order by embracing industry best practices and building a defense-in-depth strategy for the hybrid workforce,” Michael Covington, vice president of portfolio strategy at Jamf, said earlier this year.

Soon, with Jamf and Azure, it will become a little easier to do just that. The multi-platform future of enterprise technology continues to emerge, and Apple will play a big part.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

Category: Hacking & Security

Google raps Iran's APT42 for raining down spear-phishing attacks

The Register - Anti-Virus - 15 August 2024 - 18:25
US politicians and Israeli officials among the top targets for the IRGC’s cyber unit

Google has joined Microsoft in publishing intel on Iranian cyber influence activity following a recent uptick in attacks that led to data being leaked from the Trump re-election campaign.…

Category: Viruses and Worms

Google documents filed in antitrust case show efforts to push data collection limits

Computerworld.com [Hacking News] - 15 August 2024 - 17:53

For almost as long as it has existed, Google has been at the center of controversies around its data strategy, ranging from privacy concerns, data retention with its related cybersecurity implications, and compliance, to the debate about what kind of limits there should be for leveraging data.

A series of Google internal documents, which were entered as exhibits in an ongoing United States prosecution of the company on antitrust issues, shines a light on the data giant’s strategy and positioning. The documents are roughly seven years old, so these memos may not reflect Google’s current thinking, but they do give IT leaders a peek into Google’s candid views on data strategies.

The Google documents are part of the United States Vs. Google litigation being heard in the US District Court for Virginia’s Eastern District, and were made public August 6.

The internal documents made clear Google’s enthusiasm for coordinating all possible data about users so that they could sell the most focused details to advertisers. Google said that it needs to “use a combination of advertiser data such as email subscription lists, Google signed-in data such as web traversal data, Gmail data such as receipts, and subscribed newsletters, to target users across multiple devices.” 

It also showed a fondness for various corporate-speak euphemisms for spying on users, such as “sharing of conversational corpus” and “being able to harvest the conversation signals that could improve ad timeliness and applicability will be important to stay competitive.” 

Google said that it needed to invest more heavily “to improve our understanding of the message that is being exchanged between the parties. To be used to better understand the funnel position of a user and as well as broad quality uplift.”

Google also wrote that it needed to “evaluate tradeoffs between user happiness and shorter-term revenue gains.”

The notes also revealed hesitation by some at Google to push data usage too far, saying, “The capabilities of Gmail ads format has remained a quite limited set over the last couple of years, mostly due to security concerns by the consumer Gmail team.”

One document did express corporate worries about privacy, but it was not involving the privacy of users. It involved the privacy of Google itself. 

“Once again, the privacy protections here are key. We would never allow audiences generated with Google data to leave the Google ecosystem, nor impression level reports based on those media buys,” it said. “Ad tech vendors or agencies could then use these reports and the ability to activate media from them within their own systems. We suggest we require Google-branded, or alternatively white-labeled or otherwise branded by the partner.”

The documents also show that Google at the time was starting to see the need to focus more on what users were doing online and less on where they were doing it. Google said that it wanted to focus on “geo-targeting based on weather/travel searches, not IP address, auto make/model/year, e-commerce product catalogs, user profile/ transaction data, etc.”

Google strategists elaborated on these possibilities as they evaluated efforts by various companies that were luring away Google advertisers. 

“Services have enough data — typically location, logged-in users, intent data — to offer unique targeting aligned with their brand. Weather.com can command a premium with weather data, Pandora can optimize based on what type of music someone listens to, etc. TripAdvisor can target based on destination searches. Commerce companies can even expand into audience extension, buying third-party inventory on behalf of advertisers. We lost Wayfair because AppNexus is better at this than us,” the documents said.

“Audio services like Pandora and Spotify are heavily subscription-driven and many content companies are pursuing subscriptions with increasing success. NYT [New York Times] makes as much from subscriptions as ads and wants to emulate Netflix’s sophistication with upsells. Conde Nast is trying to build a universal subscriber ID to manage on-site subscription offers.”

The documents also included management discussions about Google’s strategic weaknesses, pointing out that some advertisers who had left Google fared significantly better.

“Weather.com ended exclusivity with Google and is seeing 30%+ revenue lift,” it said.

The documents also looked at Gmail’s global challenges at the time, under “coverage shortcomings,” noting:

“Gmail lacking strong penetration in Apple devices. No obvious differentiator from Apple Mail to merit standalone download, unlike data differentiator in Maps. Gmail lacking footprint in key countries/regions. China: no Google products. Japan: Yahoo mail is the leading provider. Russia: Mail.ru is the key player.”

The Virginia case, one of multiple antitrust actions involving Google at the moment, is heading to a jury trial. Many more documents, some of them much more recent, are expected to be published soon. Those are likely to shed even more light on Google’s data strategies.

Category: Hacking & Security

On Instagram you can now share twice as many photos in a single post as before

Živě.cz - 15 August 2024 - 17:15
The image-based social network Instagram is increasing the number of photos and videos that users can publish in a single post. Each post can now contain up to 20 photos or videos, whereas from 2017 until now users could add at most 10 items. Details are reported by the magazine ...
Category: IT News

REVIEW: AMD Ryzen 9 9950X - the Zen 5 sixteen-core

CD-R server - 15 August 2024 - 16:45
After the pair of single-chiplet Ryzens, the multi-chiplet models are now reaching the market as well; today we look at the flagship model for socket AM5.
Category: IT News

Ukrainians used a hydrogen car to build an improvised bomb. At the front, Teslas are being turned into drones

Živě.cz - 15 August 2024 - 15:45
Ukrainians used the hydrogen fuel cell from a destroyed Toyota Mirai to build a small improvised bomb. The details were reported by Euromaidan Press. Once completed, the bomb weighed roughly 200 kilograms, which meant it could not be dropped from an aerial drone. The soldiers therefore ...
Category: IT News

Microsoft rolls out Face Check selfie verification system

Computerworld.com [Hacking News] - 15 August 2024 - 15:28

Microsoft’s facial matching verification system, Face Check, is now available. The feature, part of Entra Verified ID, offers a new way to confirm a user’s identity and protect against unauthorized login attempts, Microsoft said.

Face Check works by comparing selfie footage taken on a user’s smartphone in real-time with a verified photo held on Microsoft’s servers — a passport photo or driver’s license, for example. The real-time selfie footage won’t be stored after a verification attempt, Microsoft said.

A successful match will confirm a user’s identity and authorize a login to an account. This could be useful for purposes such as remote employee onboarding or password changes, the company said. 

Microsoft’s Azure AI Vision Face API is used to power the face detection and recognition. The software can also conduct a “liveness” check, which helps prevent the use of a static photo or 2D video to trick the verification system, Microsoft said, so deepfakes shouldn’t be effective.

Customer organizations can choose the level of confidence required to accept a Face Check login attempt. The higher the confidence score threshold, the less likely Face Check will incorrectly verify an impersonator. The default score is a 50% match, which equates to a one in 100,000 chance of getting a false positive; at 90%, the chances are one in a billion, Microsoft said. (A higher confidence score requirement also increases the likelihood a legitimate login attempt will be rejected.)

Changes in a user’s appearance compared to the verified photo — a different haircut, for example — could lower the match score, as could differences in surroundings, such as lighting.

Microsoft Entra ID customers can access Face Check as a standalone service (which costs 25 cents per verification) or with a subscription to the Entra Suite paid add-on ($12 per user each month).

Category: Hacking & Security

SolarWinds Releases Patch for Critical Flaw in Web Help Desk Software

The Hacker News - 15 August 2024 - 15:19
SolarWinds has released patches to address a critical security vulnerability in its Web Help Desk software that could be exploited to execute arbitrary code on susceptible instances. The flaw, tracked as CVE-2024-28986 (CVSS score: 9.8), has been described as a deserialization bug. "SolarWinds Web Help Desk was found to be susceptible to a Java deserialization remote code execution vulnerability
Category: Hacking & Security

Russian prosecutors demand a ban on distribution of the computer game Last Train Home

AbcLinuxu [news] - 15 August 2024 - 15:18
Russian prosecutors are demanding a ban on the distribution of the computer game Last Train Home (ProtonDB Platinum), developed by the Brno studio Ashborne Games. According to the Russian authorities, the game about the Czechoslovak Legion incites hatred toward the government in Moscow and the soldiers of the Red Army.
Category: GNU/Linux & BSD

The Evolution of Digital Privacy: Unpacking the Features of Tails 6.6

LinuxSecurity.com - 15 August 2024 - 15:02
Tails (The Amnesic Incognito Live System) offers hope to privacy activists and anyone seeking anonymity online. A live operating system and secure Linux distro that can be started from any USB stick or DVD, Tails provides anonymity by routing internet connections through Tor and leaving no trace on computers being used unless explicitly asked by the user.
Category: Hacking & Security

CrowView Note

AbcLinuxu [news] - 15 August 2024 - 14:24
A Kickstarter campaign is running to fund the CrowView Note, a laptop without a processor or memory, or in other words a portable monitor with a keyboard. Expansion boards for easily attaching a Raspberry Pi 5 or a Jetson Nano Dev Kit can also be ordered.
Category: GNU/Linux & BSD

Russian man who sold logins to nearly 3,000 accounts gets 40 months in jail

The Register - Anti-Virus - 15 August 2024 - 14:22
He’ll also have to pay back $1.2 million from fraudulent transactions he facilitated

A Russian national is taking a trip to prison in the US after being found guilty of peddling stolen credentials on a popular dark web marketplace.…

Category: Viruses and Worms