Code-Generating AI Can Introduce Security Vulnerabilities, Study Finds

An anonymous reader quotes a report from TechCrunch: A recent study finds that software engineers who use code-generating AI systems are more likely to cause security vulnerabilities in the apps they develop. The paper, co-authored by a team of researchers affiliated with Stanford, highlights the potential pitfalls of code-generating systems as vendors like GitHub start marketing them in earnest. The Stanford study looked specifically at Codex, the AI code-generating system developed by San Francisco-based research lab OpenAI. (Codex powers Copilot.) The researchers recruited 47 developers — ranging from undergraduate students to industry professionals with decades of programming experience — to use Codex to complete security-related problems across programming languages including Python, JavaScript and C.

Codex was trained on billions of lines of public code to suggest additional lines of code and functions given the context of existing code. The system surfaces a programming approach or solution in response to a description of what a developer wants to accomplish (e.g. “Say hello world”), drawing on both its knowledge base and the current context. According to the researchers, the study participants who had access to Codex were more likely to write incorrect and “insecure” (in the cybersecurity sense) solutions to programming problems compared to a control group. Even more concerningly, they were more likely to say that their insecure answers were secure compared to the people in the control.

Megha Srivastava, a postgraduate student at Stanford and the second co-author on the study, stressed that the findings aren’t a complete condemnation of Codex and other code-generating systems. The study participants didn’t have security expertise that might’ve enabled them to better spot code vulnerabilities, for one. That aside, Srivastava believes that code-generating systems are reliably helpful for tasks that aren’t high risk, like exploratory research code, and could with fine-tuning improve in their coding suggestions. “Companies that develop their own [systems], perhaps further trained on their in-house source code, may be better off as the model may be encouraged to generate outputs more in-line with their coding and security practices,” Srivastava said. The co-authors suggest vendors use a mechanism to “refine” users’ prompts to be more secure — “akin to a supervisor looking over and revising rough drafts of code,” reports TechCrunch. “They also suggest that developers of cryptography libraries ensure their default settings are secure, as code-generating systems tend to stick to default values that aren’t always free of exploits.”

Read more of this story at Slashdot.

FTX’s Sam Bankman-Fried Borrowed From Alameda To Buy Robinhood Shares

Former FTX chief Sam Bankman-Fried borrowed hundreds of millions of dollars from Alameda Research to purchase his stake in trading app Robinhood Markets (HOOD), according to court documents (PDF). CoinDesk reports: In an affidavit provided to a Caribbean court before his arrest, Bankman-Fried said he and FTX co-founder Gary Wang together borrowed over $546 million from Alameda via promissory notes in April and May. They used that money to capitalize Emergent Fidelity Technologies Ltd., the shell corporation that in May bought a 7.6% stake of Robinhood. The affidavit provides a new curveball in the three-way race to lay claim to the 56 million Robinhood shares. Crypto lender BlockFi, FTX Group and Bankman-Fried himself have all attempted to lay claim to the shares, which could be worth over $440 million.

Crypto lender BlockFi, which like FTX has filed for bankruptcy, alleged in a court document (PDF) that it was owed the rights to the Robinhood shares due to a deal Bankman-Fried made in early November. The shares were pledged as collateral against a loan taken out by Alameda Research — the same firm whose funds were used to purchase the shares to begin with, according to Tuesday’s filing.

Read more of this story at Slashdot.

Archer Maclean, Commodore 64 Developer, Dies At 60

Game developer Archer Maclean recently passed away at the age of 60. Maclean was a longtime programmer and designer best known for Dropzone on the Atari 8-bit and Commodore 64. Game Developer reports: Born January 28, 1962, Maclean’s first game was the aforementioned Dropzone. Following the success of that title, he would go on to do design and graphics for 1986’s International Karate (and its 1987 sequel, International Karate+), and several snooker simulation games, including Archer Maclean Presents Pool Paradise. Several of these titles were developed at Awesome Studios, a subsidiary of the now defunct Ignition Entertainment. Maclean co-founded Awesome in 2002, and later left the developer in 2005. He went on to found Awesome Play, creators of the 2009 Nintendo Wii title Speedzone (or Wheelspin in Europe). Though Speedzone marked the end of his time as a game developer, Maclean also wrote columns for Retro Gamer Magazine.

Read more of this story at Slashdot.

Developer Uses iOS 16 Exploit To Change System Font Without Jailbreak

A developer managed to use an exploit found in iOS 16 to change the default font of the system without jailbreak. 9to5Mac reports: Zhuowei Zhang shared his project on Twitter, which he calls a “proof-of-concept app.” According to Zhang, the app he developed uses the CVE-2022-46689 exploit to overwrite the default iOS font, so that users can customize the system’s appearance with a different font other than the default (which is San Francisco). The CVE-2022-46689 exploit affects devices running iOS 16.1.2 or earlier versions of the operating system, and it basically lets apps execute arbitrary code with kernel privileges. The exploit was fixed with iOS 16.2, which also fixed a bunch of other security breaches found in the previous version of iOS.

Since iOS has its own font format, the developer performed the experiment using only a few fonts, including DejaVu Sans Condensed, Serif, Mono, and Choco Cooky. And in case you’re wondering, Choco Cooky is the weird font that used to come pre-installed by default on Samsung smartphones. Now you can finally have it on your iPhone. Zhang explains that the process should be safe for everyone, since all changes are reversed after rebooting the device. Still, the developer recommends users trying out the app to back up their devices before replacing the default system font. He also details that the change only affects some of the text on iOS, as other parts of the system use different fonts. More details about the project, including its source code, are available on GitHub.

Read more of this story at Slashdot.

Americans Duped Into Losing $10 Billion By Illegal Indian Call Centres in 2022

US citizens lost over $10 billion due to phishing calls by illegal Indian call centres in 2022, as per the Federal Bureau of Investigation (FBI) data. From a report: Most of the victims of these fraud calls from Indian phishing gangs were elderly US citizens above the age of 60 years who lost over $3 billion, Times Of India reported citing FBI data. After several incidents were reported in 2022, the FBI has now deputed a permanent representative at the US embassy in New Delhi. The representative will work closely with the CBI, Interpol and the Delhi Police to bust these gangs that have put India under the threat to be termed as the hub of such illegal call centres. Several Americans lost a total of $10.2 billion in 2022 so far, which is a 47 per cent increase from 2021’s $6.9 billion, to such fraud calls.

Read more of this story at Slashdot.

The Worst-Selling Microsoft Software Product of All Time: OS/2 for the Mach 20

Raymond Chen, writing for Microsoft DevBlogs: In the mid-1980’s, Microsoft produced an expansion card for the IBM PC and PC XT, known as the Mach 10. In addition to occupying an expansion slot, it also replaced your CPU: You unplugged your old and busted 4.77 MHz 8088 CPU and plugged into the now-empty socket a special adapter that led via a ribbon cable back to the Mach 10 card. On the Mach 10 card was the new hotness: A 9.54 MHz 8086 CPU. This gave you a 2x performance upgrade for a lot less money than an IBM PC AT. The Mach 10 also came with a mouse port, so you could add a mouse without having to burn an additional expansion slot. Sidebar: The product name was stylized as MACH [PDF] in some product literature. The Mach 10 was a flop.

Undaunted, Microsoft partnered with a company called Portable Computer Support Group to produce the Mach 20, released in 1987. You probably remember the Portable Computer Support Group for their disk cache software called Lightning. The Mach 20 took the same basic idea as the Mach 10, but to the next level: As before, you unplugged your old 4.77 MHz 8088 CPU and replaced it with an adapter that led via ribbon cable to the Mach 20 card, which you plugged into an expansion slot. This time, the Mach 20 had an 8 MHz 80286 CPU, so you were really cooking with gas now. And, like the Mach 10, it had a mouse port built in. According to a review in Info World, it retailed for $495. The Mach 20 itself had room for expansion: it had an empty socket for an 80287 floating point coprocessor. One daughterboard was the Mach 20 Memory Plus Expanded Memory Option, which gave you an astonishing 3.5 megabytes of RAM, and it was high-speed RAM since it wasn’t bottlenecked by the ISA bus on the main motherboard. The other daughterboard was the Mach 20 Disk Plus, which lets you connect 5 1/4 or 3 1/2 floppy drives.

A key detail is that all these expansions connected directly to the main Mach 20 board, so that they didn’t consume a precious expansion slot. The IBM PC came with five expansion slots, and they were in high demand. You needed one for the hard drive controller, one for the floppy drive controller, one for the video card, one for the printer parallel port, one for the mouse. Oh no, you ran out of slots, and you haven’t even gotten to installing a network card or expansion RAM yet! You could try to do some consolidation by buying so-called multifunction cards, but still, the expansion card crunch was real. But why go to all this trouble to upgrade your IBM PC to something roughly equivalent to an IBM PC AT? Why not just buy an IBM PC AT in the first place? Who would be interested in this niche upgrade product?

Read more of this story at Slashdot.

Bitcoin Hashrate Drops Nearly 40% as Deadly US Storm Unplugs Miners

Customers React to McDonalds’ Almost Fully-Automated Restaurant

“The first mostly non-human-run McDonald’s is open for business just outside Fort Worth, Texas,” reports the Guardian. CNN calls it “an almost fully-automated restaurant,” noting there’s just one self-service kiosk (with a credit card reader) for ordering food.

McDonalds tells CNN there’s “some interaction between customers and the restaurant team” when picking up orders or drinks. But at the special “order ahead” drive-through lane, your app-ordered bag of food is instead delivered to a platform by your car’s window using a vertical conveyor belt.

CNN reports that it’s targetted to customers on the go. For example, there’s dedicated parking spaces outside for curbside pickup orders, while inside there’s a room with bags to be picked up by food-delivery couriers (who also get their own designated parking spaces outside). But for regular customers, CBS emphasizes that “ordering is done through kiosks or an app — no humans involved there, either.”
But not all customers are loving it. “Well there goes millions of jobs,” one commenter on a TikTok video said about the new restaurant said.

“Oh no first we have to talk with Siri and Google [and] now we have to talk to another computer,” another one opined.

“I’m not giving my money to robots,” another commenter wrote. “Raise the minimum wage!”
Other customers had more personal concerns, expressing worries about how they could get their order fixed if it was incorrectly prepared or how to ask for extra condiments. “And if they forget an item. Who you supposed to tell, the robot? It defeats the purpose of using the drive thru if you have to go inside for it,” one consumer noted….

To be sure, not everyone had negative views about the concept. Some customers expressed optimism that the automated restaurant could improve service and their experience.

Read more of this story at Slashdot.

Did YouTube Pay Too Much to Broadcast Sunday Football Games?

Subscribers to “NFL Sunday Ticket” can watch broadcasts of every Sunday game of American football. But for access next season, “fans will have to Google it…” warns the Associated Press — because Thursday the football league announced plans to distribute their game package on YouTube TV and YouTube Primetime Channels.
Google beat out both Apple and Amazon by offering over $2 billion a year for 7 years — but Yahoo Finance believes it’s more about drawing attention to YouTube’s streaming TV services. “Don’t expect the package to be profitable, one analyst warned.”

“They’re not making money on this — this is a loss leader,” Michael Pachter, managing director of equity research at Wedbush, told Yahoo Finance Live, referencing YouTube TV’s current price point of $64.99. “I don’t think they make a penny at that level….”

“It’s an extremely expensive package of content,” Tim Nollen, analyst at Macquarie Group, previously told Yahoo Finance Live, noting the Sunday Ticket package was not a profitable service for DirecTV [which since 1994 has held the exclusive broadcast rights in the U.S.]

[…] YouTube TV has more than 5 million subscribers and trial users as of July. “Five million subscribers is just not enough,” Pachter stressed. “Even if all 5 million pay the $400 bucks a year…they’re going to barely cover their costs.” Still, despite the lack of profitability and sky-high price tag, Pachter noted YouTube might be best positioned to take advantage of the package, especially as the demand for live sports escalates. “I think they can be smart about how they carve up the content,” Pachter said, suggesting the platform could more easily sell games to bars and restaurants.

Read more of this story at Slashdot.

Mozilla Just Fixed an 18-Year-Old Firefox Bug

Mozilla recently fixed a bug that was first reported 18 years ago in Firebox 1.0, reports How-to Geek:

Bug 290125 was first reported on April 12, 2005, only a few days before the release of Firefox 1.0.3, and outlined an issue with how Firefox rendered text with the ::first-letter CSS pseudo-element. The author said, “when floating left a :first-letter (to produce a dropcap), Gecko ignores any declared line-height and inherits the line-height of the parent box. […] Both Opera 7.5+ and Safari 1.0+ correctly handle this.”

The initial problem was that the Mac version of Firefox handled line heights differently than Firefox on other platforms, which was fixed in time for Firefox 3.0 in 2007. The issue was then re-opened in 2014, when it was decided in a CSS Working Group meeting that Firefox’s special handling of line heights didn’t meet CSS specifications and was causing compatibility problems. It led to some sites with a large first letter in blocks of text, like The Verge and The Guardian, render incorrectly in Firefox compared to other browsers.
The issue was still marked as low priority, so progress continued slowly, until it was finally marked as fixed on December 20, 2022. Firefox 110 should include the updated code, which is expected to roll out to everyone in February 2023.

Read more of this story at Slashdot.