Code-Generating AI Can Introduce Security Vulnerabilities, Study Finds

An anonymous reader quotes a report from TechCrunch: A recent study finds that software engineers who use code-generating AI systems are more likely to cause security vulnerabilities in the apps they develop. The paper, co-authored by a team of researchers affiliated with Stanford, highlights the potential pitfalls of code-generating systems as vendors like GitHub start marketing them in earnest. The Stanford study looked specifically at Codex, the AI code-generating system developed by San Francisco-based research lab OpenAI. (Codex powers Copilot.) The researchers recruited 47 developers — ranging from undergraduate students to industry professionals with decades of programming experience — to use Codex to complete security-related problems across programming languages including Python, JavaScript and C.

Codex was trained on billions of lines of public code to suggest additional lines of code and functions given the context of existing code. The system surfaces a programming approach or solution in response to a description of what a developer wants to accomplish (e.g. “Say hello world”), drawing on both its knowledge base and the current context. According to the researchers, the study participants who had access to Codex were more likely to write incorrect and “insecure” (in the cybersecurity sense) solutions to programming problems compared to a control group. Even more concerningly, they were more likely to say that their insecure answers were secure compared to the people in the control.

Megha Srivastava, a postgraduate student at Stanford and the second co-author on the study, stressed that the findings aren’t a complete condemnation of Codex and other code-generating systems. The study participants didn’t have security expertise that might’ve enabled them to better spot code vulnerabilities, for one. That aside, Srivastava believes that code-generating systems are reliably helpful for tasks that aren’t high risk, like exploratory research code, and could with fine-tuning improve in their coding suggestions. “Companies that develop their own [systems], perhaps further trained on their in-house source code, may be better off as the model may be encouraged to generate outputs more in-line with their coding and security practices,” Srivastava said. The co-authors suggest vendors use a mechanism to “refine” users’ prompts to be more secure — “akin to a supervisor looking over and revising rough drafts of code,” reports TechCrunch. “They also suggest that developers of cryptography libraries ensure their default settings are secure, as code-generating systems tend to stick to default values that aren’t always free of exploits.”

Read more of this story at Slashdot.

Developer Uses iOS 16 Exploit To Change System Font Without Jailbreak

A developer managed to use an exploit found in iOS 16 to change the default font of the system without jailbreak. 9to5Mac reports: Zhuowei Zhang shared his project on Twitter, which he calls a “proof-of-concept app.” According to Zhang, the app he developed uses the CVE-2022-46689 exploit to overwrite the default iOS font, so that users can customize the system’s appearance with a different font other than the default (which is San Francisco). The CVE-2022-46689 exploit affects devices running iOS 16.1.2 or earlier versions of the operating system, and it basically lets apps execute arbitrary code with kernel privileges. The exploit was fixed with iOS 16.2, which also fixed a bunch of other security breaches found in the previous version of iOS.

Since iOS has its own font format, the developer performed the experiment using only a few fonts, including DejaVu Sans Condensed, Serif, Mono, and Choco Cooky. And in case you’re wondering, Choco Cooky is the weird font that used to come pre-installed by default on Samsung smartphones. Now you can finally have it on your iPhone. Zhang explains that the process should be safe for everyone, since all changes are reversed after rebooting the device. Still, the developer recommends users trying out the app to back up their devices before replacing the default system font. He also details that the change only affects some of the text on iOS, as other parts of the system use different fonts. More details about the project, including its source code, are available on GitHub.

Read more of this story at Slashdot.

The Worst-Selling Microsoft Software Product of All Time: OS/2 for the Mach 20

Raymond Chen, writing for Microsoft DevBlogs: In the mid-1980’s, Microsoft produced an expansion card for the IBM PC and PC XT, known as the Mach 10. In addition to occupying an expansion slot, it also replaced your CPU: You unplugged your old and busted 4.77 MHz 8088 CPU and plugged into the now-empty socket a special adapter that led via a ribbon cable back to the Mach 10 card. On the Mach 10 card was the new hotness: A 9.54 MHz 8086 CPU. This gave you a 2x performance upgrade for a lot less money than an IBM PC AT. The Mach 10 also came with a mouse port, so you could add a mouse without having to burn an additional expansion slot. Sidebar: The product name was stylized as MACH [PDF] in some product literature. The Mach 10 was a flop.

Undaunted, Microsoft partnered with a company called Portable Computer Support Group to produce the Mach 20, released in 1987. You probably remember the Portable Computer Support Group for their disk cache software called Lightning. The Mach 20 took the same basic idea as the Mach 10, but to the next level: As before, you unplugged your old 4.77 MHz 8088 CPU and replaced it with an adapter that led via ribbon cable to the Mach 20 card, which you plugged into an expansion slot. This time, the Mach 20 had an 8 MHz 80286 CPU, so you were really cooking with gas now. And, like the Mach 10, it had a mouse port built in. According to a review in Info World, it retailed for $495. The Mach 20 itself had room for expansion: it had an empty socket for an 80287 floating point coprocessor. One daughterboard was the Mach 20 Memory Plus Expanded Memory Option, which gave you an astonishing 3.5 megabytes of RAM, and it was high-speed RAM since it wasn’t bottlenecked by the ISA bus on the main motherboard. The other daughterboard was the Mach 20 Disk Plus, which lets you connect 5 1/4 or 3 1/2 floppy drives.

A key detail is that all these expansions connected directly to the main Mach 20 board, so that they didn’t consume a precious expansion slot. The IBM PC came with five expansion slots, and they were in high demand. You needed one for the hard drive controller, one for the floppy drive controller, one for the video card, one for the printer parallel port, one for the mouse. Oh no, you ran out of slots, and you haven’t even gotten to installing a network card or expansion RAM yet! You could try to do some consolidation by buying so-called multifunction cards, but still, the expansion card crunch was real. But why go to all this trouble to upgrade your IBM PC to something roughly equivalent to an IBM PC AT? Why not just buy an IBM PC AT in the first place? Who would be interested in this niche upgrade product?

Read more of this story at Slashdot.

Customers React to McDonalds’ Almost Fully-Automated Restaurant

“The first mostly non-human-run McDonald’s is open for business just outside Fort Worth, Texas,” reports the Guardian. CNN calls it “an almost fully-automated restaurant,” noting there’s just one self-service kiosk (with a credit card reader) for ordering food.

McDonalds tells CNN there’s “some interaction between customers and the restaurant team” when picking up orders or drinks. But at the special “order ahead” drive-through lane, your app-ordered bag of food is instead delivered to a platform by your car’s window using a vertical conveyor belt.

CNN reports that it’s targetted to customers on the go. For example, there’s dedicated parking spaces outside for curbside pickup orders, while inside there’s a room with bags to be picked up by food-delivery couriers (who also get their own designated parking spaces outside). But for regular customers, CBS emphasizes that “ordering is done through kiosks or an app — no humans involved there, either.”
But not all customers are loving it. “Well there goes millions of jobs,” one commenter on a TikTok video said about the new restaurant said.

“Oh no first we have to talk with Siri and Google [and] now we have to talk to another computer,” another one opined.

“I’m not giving my money to robots,” another commenter wrote. “Raise the minimum wage!”
Other customers had more personal concerns, expressing worries about how they could get their order fixed if it was incorrectly prepared or how to ask for extra condiments. “And if they forget an item. Who you supposed to tell, the robot? It defeats the purpose of using the drive thru if you have to go inside for it,” one consumer noted….

To be sure, not everyone had negative views about the concept. Some customers expressed optimism that the automated restaurant could improve service and their experience.

Read more of this story at Slashdot.

Did YouTube Pay Too Much to Broadcast Sunday Football Games?

Subscribers to “NFL Sunday Ticket” can watch broadcasts of every Sunday game of American football. But for access next season, “fans will have to Google it…” warns the Associated Press — because Thursday the football league announced plans to distribute their game package on YouTube TV and YouTube Primetime Channels.
Google beat out both Apple and Amazon by offering over $2 billion a year for 7 years — but Yahoo Finance believes it’s more about drawing attention to YouTube’s streaming TV services. “Don’t expect the package to be profitable, one analyst warned.”

“They’re not making money on this — this is a loss leader,” Michael Pachter, managing director of equity research at Wedbush, told Yahoo Finance Live, referencing YouTube TV’s current price point of $64.99. “I don’t think they make a penny at that level….”

“It’s an extremely expensive package of content,” Tim Nollen, analyst at Macquarie Group, previously told Yahoo Finance Live, noting the Sunday Ticket package was not a profitable service for DirecTV [which since 1994 has held the exclusive broadcast rights in the U.S.]

[…] YouTube TV has more than 5 million subscribers and trial users as of July. “Five million subscribers is just not enough,” Pachter stressed. “Even if all 5 million pay the $400 bucks a year…they’re going to barely cover their costs.” Still, despite the lack of profitability and sky-high price tag, Pachter noted YouTube might be best positioned to take advantage of the package, especially as the demand for live sports escalates. “I think they can be smart about how they carve up the content,” Pachter said, suggesting the platform could more easily sell games to bars and restaurants.

Read more of this story at Slashdot.