Enlarge (credit: Thomas Barwick via Getty)

The latest breakthroughs in artificial intelligence could lead to the automation of a quarter of the work done in the US and eurozone, according to research by Goldman Sachs.

The investment bank said on Monday that “generative” AI systems such as ChatGPT, which can create content that is indistinguishable from human output, could spark a productivity boom that would eventually raise annual global gross domestic product by 7 percent over a 10-year period.

But if the technology lived up to its promise, it would also bring “significant disruption” to the labor market, exposing the equivalent of 300 million full-time workers across big economies to automation, according to Joseph Briggs and Devesh Kodnani, the paper’s authors. Lawyers and administrative staff would be among those at greatest risk of becoming redundant.

Enlarge / An AI-generated photo of Pope Francis wearing a puffy white coat that went viral on social media. (credit: @skyferrori on Twitter)

Over the weekend, an AI-generated image of Pope Francis wearing a puffy white coat went viral on Twitter, and apparently many people believed it was a real image. Since then, the puffy pontiff has inspired commentary on the deceptive nature of AI-generated images, which are now nearly photorealistic.

The pope image, created using Midjourney v5 (an AI image synthesis model), first appeared in a tweet by a user named Leon (@skyferrori) on Saturday and quickly began circulating as part of other meme tweets featuring similar images as well, including one that humorously speculates about a pope "lifestyle brand."

Not long after, Twitter attached a reader-added context warning to the tweet that reads, "This is an AI-generated image of Pope Francis. It is not a genuine photo."

Enlarge (credit: Getty Images)

President Joe Biden on Monday signed an executive order barring many uses by the federal government of commercial spyware, which has been increasingly used by other countries in recent years to surveil dissidents, journalists, and politicians.

The signing of the executive order came as administration officials told journalists that roughly 50 US government personnel in at least 10 countries had been infected or targeted by such spyware, a larger number than previously known. The officials didn’t elaborate.

Commercial spyware is sold by a host of companies, with the best known being NSO Group of Israel. The company sells a hacking tool known as Pegasus that can surreptitiously compromise both iPhones and Android devices using “clickless” exploits, meaning they require no user interaction. By sending a text or ringing the device, Pegasus can install spying software that steals contacts, messages, geo locations, and more, even when the text or call isn’t answered. Other companies selling commercial spyware include Cytrox, Candiru, and Paragon.

Enlarge / A photo of an IBM PC 5155 portable computer running a ChatGPT client written by Yeo Kheng Meng. (credit: Yeo Kheng Meng)

On Sunday, Singapore-based retrocomputing enthusiast Yeo Kheng Meng released a ChatGPT client for MS-DOS that can run on a 4.77 MHz IBM PC from 1981, providing a unique way to converse with the popular OpenAI language model.

Vintage computer development projects come naturally to Yeo, who created a Slack client for Windows 3.1 back in 2019. "I thought to try something different this time and develop for an even older platform as a challenge," he writes on his blog. In this case, he turned his attention to MS-DOS, a text-only operating system first released in 1981, and ChatGPT, an AI-powered large language model (LLM) released by OpenAI in November.

As a conversational AI model, ChatGPT draws on knowledge scraped from the Internet to answer questions and generate text. Thanks to an API that launched his month, anyone with the programming chops can interface ChatGPT with their own custom application.

Enlarge (credit: Getty Images | Future Publishing)

Portions of Twitter's source code recently appeared on GitHub, and Twitter is trying to force GitHub to identify the user or users who posted the code.

GitHub disabled the repository on Friday shortly after Twitter filed a DMCA (Digital Millennium Copyright Act) takedown notice but apparently hasn't provided the information Twitter is seeking. Twitter's DMCA takedown notice asked GitHub to provide the code submitter's "upload/download/access history," contact information, IP addresses, and any session information or "associated logs related to this repo or any forks."

The GitHub user who posted the Twitter source code has the username "FreeSpeechEnthusiast," possibly a reference to Twitter owner Elon Musk casting himself as a protector of free speech.

Enlarge (credit: Getty Images)

Android apps digitally signed by China’s third-biggest e-commerce company exploited a zero-day vulnerability that allowed them to surreptitiously take control of millions of end-user devices to steal personal data and install malicious apps, researchers from security firm Lookout have confirmed.

The malicious versions of the Pinduoduo app were available in third-party markets, which users in China and elsewhere rely on because the official Google Play market is off-limits or not easy to access. No malicious versions were found in Play or Apple’s App Store. Last Monday, TechCrunch reported, Pinduoduo was pulled from Play after Google discovered a malicious version of the app available elsewhere. TechCrunch reported the malicious apps available in third-party markets exploited several zero-days, which are vulnerabilities that are known or exploited before a vendor has a patch available.

Sophisticated attack

A preliminary analysis by Lookout found that at least two off-Play versions of Pinduoduo for Android exploited CVE-2023-20963, the tracking number for an Android vulnerability Google patched in updates that became available to end users two weeks ago. This privilege-escalation flaw, which was exploited prior to Google’s disclosure, allowed the app to perform operations with elevated privileges. The app used these privileges to download code from a developer-designated site and run it within a privileged environment.

Enlarge (credit: Aurich Lawson | Getty Images)

On Thursday, OpenAI announced a plugin system for its ChatGPT AI assistant. The plugins give ChatGPT the ability to interact with the wider world through the Internet, including booking flights, ordering groceries, browsing the web, and more. Plugins are bits of code that tell ChatGPT how to use an external resource on the Internet.

Basically, if a developer wants to give ChatGPT the ability to access any network service (for example: "looking up current stock prices") or perform any task controlled by a network service (for example: "ordering pizza through the Internet"), it is now possible, provided it doesn't go against OpenAI's rules.

Conventionally, most large language models (LLM) like ChatGPT have been constrained in a bubble, so to speak, only able to interact with the world through text conversations with a user. As OpenAI writes in its introductory blog post on ChatGPT plugins, "The only thing language models can do out-of-the-box is emit text."

Enlarge / I mostly recognize this early laptop from its resemblance to a similar-looking computer in the film 2010. It's up for auction along with hundreds of other old Apple computers. (credit: Julien's Auctions)

If you've been thinking your home or workspace is perhaps deficient when it comes to old Apple hardware, then I have some good news for you. Next week, a massive trove of classic Apple computing history goes under the hammer when the auction house Julien's Auctions auctions off the Hanspeter Luzi collection of more than 500 Apple computers, parts, software, and the occasional bit of ephemera.

Ars reported on the auction in February, but Julien's Auctions has posted the full catalog ahead of the March 30 event, and for Apple nerds of a certain age, there will surely be much to catch your eye.

The earliest computers in the collection are a pair of Commodore PET 2001s; anyone looking for a bargain on an Apple 1 will have to keep waiting, unfortunately.

Enlarge / An Orbi 750 series router. (credit: Netgear)

If you rely on Netgear’s Orbi mesh wireless system to connect to the Internet, you’ll want to ensure it’s running the latest firmware now that exploit code has been released for critical vulnerabilities in older versions.

The Netgear Orbi mesh wireless system comprises a main hub router and one or more satellite routers that extend the network’s range. By setting up multiple access points in a home or office, they form a mesh system that ensures Wi-Fi coverage is available throughout.

Remotely injecting arbitrary commands

Last year, researchers on Cisco’s Talos security team discovered four vulnerabilities and privately reported them to Netgear. The most severe of the vulnerabilities, tracked as CVE-2022-37337, resides in the access control functionality of the RBR750. Hackers can exploit it to remotely execute commands by sending specially crafted HTTP requests to the device. The hacker must first connect to the device, either by knowing the SSID password or by accessing an unprotected SSID. The severity of the flaw is rated 9.1 out of a possible 10.

Enlarge / Ecuadorian police tweeted this picture of officials investigating a drive mailed to a journalist in Guayaquil. (credit: Policía Ecuador/Twitter)

It's no secret that USB flash drives, as small and unremarkable as they may look, can be turned into agents of chaos. Over the years, we've seen them used to infiltrate an Iranian nuclear facility, infect critical control systems in US power plants, morph into programmable, undetectable attack platforms, and destroy attached computers with a surprise 220-volt electrical surge. Although these are just a few examples, they should be enough to preclude one from inserting a mysterious, unsolicited USB drive mailed to them into a computer. Unfortunately, one Ecuadorian journalist didn't get the memos.

As reported by the Agence France-Presse (via CBS News) on Tuesday, five Ecuadorian journalists have received USB drives in the mail from Quimsaloma. Each of the USB sticks was meant to explode when activated.

Upon receiving the drive, Lenin Artieda of the Ecuavisa TV station in Guayaquil inserted it into his computer, at which point it exploded. According to a police official who spoke with AFP, the journalist suffered mild hand and face injuries, and no one else was harmed.

Enlarge / An Adobe Firefly AI image generator example. (credit: Adobe)

On Tuesday, Adobe unveiled Firefly, its new AI image synthesis generator. Unlike other AI art models such as Stable Diffusion and DALL-E, Adobe says its Firefly engine, which can generate new images from text descriptions, has been trained solely on legal and ethical sources, making its output clear for use by commercial artists. It will be integrated directly into Creative Cloud, but for now, it is only available as a beta.

Since the mainstream debut of image synthesis models last year, the field has been fraught with issues around ethics and copyright. For example, the AI art generator called Stable Diffusion gained its ability to generate images from text descriptions after researchers trained an AI model to analyze hundreds of millions of images scraped from the Internet. Many (probably most) of those images were copyrighted and obtained without the consent of their rights holders, which led to lawsuits and protests from artists.

To avoid those legal and ethical issues, Adobe created an AI art generator trained solely on Adobe Stock images, openly licensed content, and public domain content, ensuring the generated content is safe for commercial use. Adobe goes into more detail in its news release:

Enlarge / Windows 10 and 11 have their own version of the Acropalypse screenshot editing bug. (credit: acropalypse.app/Andrew Cunningham)

Earlier this week, programmer and "accidental security researcher" Simon Aarons disclosed a bug in Google's Markup screenshot editing tool for its Pixel phones. Dubbed "acropalypse," the bug allows content you've cropped out of your Android screenshot to be partially recovered, which can be a problem if you've cropped out sensitive information.

Today, Aarons' collaborator David Buchanan revealed that a similar bug affects the Snipping Tool app in Windows 11. As detailed by Bleeping Computer, which was able to verify the existence of the bug, PNG files all have an "IEND" data chunk that tells software where the image file ends. A screenshot cropped with Snipping Tool and then saved over the original (the default behavior) adds a new IEND chunk to the PNG image but leaves a bunch of the original screenshot's data after the IEND chunk.

Buchanan says that a version of the acropalypse script "with minor changes" can be used to read and recover that data, partially restoring the part of the image you cropped out of your original screenshot. Buchanan is "holding off on publishing" Windows-compatible versions of those scripts since Microsoft (unlike Google) hasn't had time to patch the vulnerability.

Enlarge / A BATM sold by General Bytes. (credit: General Bytes)

Hackers drained millions of dollars in digital coins from cryptocurrency ATMs by exploiting a zero-day vulnerability, leaving customers on the hook for losses that can’t be reversed, the kiosk manufacturer has revealed.

The heist targeted ATMs sold by General Bytes, a company with multiple locations throughout the world. These BATMs, short for bitcoin ATMs, can be set up in convenience stores and other businesses to allow people to exchange bitcoin for other currencies and vice versa. Customers connect the BATMs to a crypto application server (CAS) that they can manage or, until now, that General Bytes could manage for them. For reasons that aren’t entirely clear, the BATMs offer an option that allows customers to upload videos from the terminal to the CAS using a mechanism known as the master server interface.

Going, going, gone

Over the weekend, General Bytes revealed that more than $1.5 million worth of bitcoin had been drained from CASes operated by the company and by customers. To pull off the heist, an unknown threat actor exploited a previously unknown vulnerability that allowed it to use this interface to upload and execute a malicious Java application. The actor then drained various hot wallets of about 56 BTC, worth roughly $1.5 million. General Bytes patched the vulnerability 15 hours after learning of it, but due to the way cryptocurrencies work, the losses were unrecoverable.

Enlarge (credit: Nikon)

Amazon has plans to lay off at least 27,000 workers this year, including 9,000 that were announced in an internal email Monday morning. One unexpected casualty: Digital Photography Review, also known as DPReview, is losing its entire editorial staff, and the site will stop publishing on April 10.

The announcement post, written by DPReview General Manager Scott Everett, says that new pieces will continue to be posted through April 10, and "the site will be locked" afterward. It's unclear what will happen to the site's content afterward—the post promises only that the site's articles "will be available in read-only mode for a limited period afterwards." Any photos and text that readers have uploaded to their accounts can be requested and downloaded until April 6, "after which we will not be able to complete the request."

Former site editor Gannon Burgett said on Twitter that the decision to lay off the staff was announced in January and that "Amazon hasn't yet come up with an archival plan" for the site. Cameras, even digital ones, tend to have a pretty long shelf life, and there's an active used market for lenses and camera bodies—if DPReview.com goes offline entirely, that would be a huge blow to anyone trying to research older products.

Enlarge / "A gaming PC riding a skateboard" as generated by the DALL-E 2-powered Bing Image Creator. The version of DALL-E in the Bing Chat preview may be more advanced. (credit: Bing Image Creator)

Microsoft is giving its work-in-progress Bing AI chatbot the ability to generate images, the company announced today. Bing preview users can generate images by typing "create an image" (or something similar) followed by the prompt. As with other AI-powered image generators, the more detailed a prompt you provide, the more specific and consistent the output is.

Not all Bing preview users will be able to generate images right away, as Microsoft is rolling the feature out in phases (it's not working for me as of this writing). Initially, it will only work in the chatbot's "Creative" mode. The bot has three "personalities," and "Creative" is the most prone to giving wrong answers and inaccurate information.

Microsoft said it was using "an advanced version" of the DALL-E generator without providing additional details. The Bing chatbot was using OpenAI's GPT-4 model several weeks before it was formally announced to the public, so Microsoft could also be using a more powerful pre-release version of the DALL-E model. The image generator Microsoft made available to the public in October uses DALL-E 2.

Enlarge / Amazon has announced 27,000 layoffs since November 2022. (credit: Nathan Stirk/Getty Images)

Amazon will fire another 9,000 workers in the coming weeks. The news was delivered in an email from company CEO Andy Jassy to employees this morning and follows large cuts in November and again in January.

In his email to staff, Jassy wrote that most of the job cuts will come in four parts of the company: amazon web services or AWS; "People Experience and Technology Solutions"; advertising; and the game-streaming platform Twitch, which has been owned by the Internet behemoth since 2014. Those areas of the company were also heavily affected by the earlier layoffs, which involved 18,000 workers.

"This was a difficult decision, but one that we think is best for the company long term," Jassy wrote.

Enlarge (credit: Anthropic)

On Tuesday, Anthropic introduced Claude, a large language model (LLM) that can generate text, write code, and function as an AI assistant similar to ChatGPT. The model originates from core concerns about future AI safety and Anthropic has trained it using a technique it calls "Constitutional AI."

Two versions of the AI model, Claude and "Claude Instant," are available now for a limited "early access" group and to commercial partners of Anthropic. Those with access can use Claude through either a chat interface in Anthropic's developer console or via an application programming interface (API). With the API, developers can hook into Anthropic's servers remotely and add Claude's analysis and text completion abilities to their apps.

Anthropic claims that Claude is "much less likely to produce harmful outputs, easier to converse with, and more steerable" than other AI chatbots while maintaining "a high degree of reliability and predictability." The company cites use cases such as search, summarization, collaborative writing, and coding. And, like ChatGPT's API, Claude can change personality, tone, or behavior depending on use preference.

Enlarge / Images of the Samsung Galaxy S21, which runs with an Exynos chipset. (credit: Samsung)

Google is urging owners of certain Android phones to take urgent action to protect themselves from critical vulnerabilities that give skilled hackers the ability to surreptitiously compromise their devices by making a specially crafted call to their number.  It’s not clear if all actions urged are even possible, however, and even if they are, the measures will neuter devices of most voice-calling capabilities.

The vulnerability affects Android devices that use the Exynos chipset made by Samsung’s semiconductor division. Vulnerable devices include the Pixel 6 and 7, international versions of the Samsung Galaxy S22, various mid-range Samsung phones, the Galaxy Watch 4 and 5, and cars with the Exynos Auto T5123 chip. These devices are ONLY vulnerable if they run the Exynos chipset, which includes the baseband that processes signals for voice calls. The US version of the Galaxy S22 runs a Qualcomm Snapdragon chip.

A bug tracked as CVE-2023-24033 and three others that have yet to receive a CVE designation make it possible for hackers to execute malicious code, Google’s Project Zero vulnerability team reported on Thursday. Code-execution bugs in the baseband can be especially critical because the chips are endowed with root-level system privileges to ensure voice calls work reliably.

Enlarge / An example of lighting and skin effects in the AI image generator Midjourney v5. (credit: Julie W. Design)

On Wednesday, Midjourney announced version 5 of its commercial AI image synthesis service, which can produce photorealistic images at a quality level that some AI art fans are calling creepy and "too perfect." Midjourney v5 is available now as an alpha test for customers who subscribe to the Midjourney service, which is available through Discord.

"MJ v5 currently feels to me like finally getting glasses after ignoring bad eyesight for a little bit too long," said Julie Wieland, a graphic designer who often shares her Midjourney creations on Twitter. "Suddenly you see everything in 4k, it feels weirdly overwhelming but also amazing."

Wieland shared some of her Midjourney v5 generations with Ars Technica (seen below in a gallery and in the main image above), and they certainly show a progression in image detail since Midjourney first arrived in March 2022. Version 3 debuted in August, and version 4 debuted in November. Each iteration added more detail to the generated results, as our experiments show:

Enlarge (credit: Getty Images)

Multiple threat actors—one working on behalf of a nation-state—gained access to the network of a US federal agency by exploiting a four-year-old vulnerability that remained unpatched, the US government warned.

Exploit activities by one group likely began in August 2021 and last August by the other, according to an advisory jointly published by the Cybersecurity and Infrastructure Security Agency, the FBI, and the Multi-State Information Sharing and Analysis Center. From last November to early January, the server exhibited signs of compromise.

Vulnerability not detected for 4 years

Both groups exploited a code-execution vulnerability tracked as CVE-2019-18935 in a developer tool known as the Telerik user interface (UI) for ASP.NET AJAX, which was located in the agency’s Microsoft Internet Information Services (IIS) web server. The advisory didn’t identify the agency other than to say it was a Federal Civilian Executive Branch Agency under the CISA authority.