New XZ Backdoor Scanner Detects Implants In Any Linux Binary

Bill Toulas reports via BleepingComputer: Firmware security firm Binarly has released a free online scanner to detect Linux executables impacted by the XZ Utils supply chain attack, tracked as CVE-2024-3094. CVE-2024-3094 is a supply chain compromise in XZ Utils, a set of data compression tools and libraries used in many major Linux distributions. Late last month, Microsoft engineer Andres Freund discovered the backdoor in the latest version of the XZ Utils package while investigating unusually slow SSH logins on Debian Sid, a rolling release of the Linux distribution.

The backdoor was introduced by a pseudonymous contributor to XZ version 5.6.0, and it remained present in 5.6.1. However, only a few Linux distributions and versions following a “bleeding edge” upgrading approach were impacted, with most using an earlier, safe library version. Following the discovery of the backdoor, a detection and remediation effort was started, with CISA proposing downgrading to XZ Utils 5.4.6 Stable and hunting for and reporting any malicious activity.

Binarly says the approach taken so far in the threat mitigation efforts relies on simple checks such as byte string matching, file hash blocklisting, and YARA rules, which could lead to false positives. This approach can trigger significant alert fatigue and doesn’t help detect similar backdoors on other projects. To address this problem, Binarly developed a dedicated scanner that would work for the particular library and any file carrying the same backdoor. […] Binarly’s scanner increases detection as it scans for various supply chain points beyond just the XZ Utils project, and the results are of much higher confidence. Binarly has made a free API available to accommodate bulk scans, too.
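The quickest triage step a practitioner can take before reaching for a binary scanner is to check which xz and liblzma versions a host reports against the two releases the story names as compromised. The script below is an added example, not Binarly’s scanner or any code from the BleepingComputer report: it parses the banner that `xz --version` prints (the two sample banners are constructed), flags 5.6.0 and 5.6.1 as affected, and treats everything else as a plain version comparison. The caveat is built into its design: a version string is exactly the kind of weak indicator the story describes, so a rebuilt, patched or renamed package that still carries the implant would report “ok” here, which is why a scan of the binary itself is still needed for confidence.

```python
"""Triage check for CVE-2024-3094: classify the xz and liblzma versions a host
reports.  Added example for illustration; it inspects only the version banner,
so it cannot see an implant in a binary whose version string was changed."""
import re
import subprocess

# Releases the story names as carrying the backdoor; CISA's suggested fallback is 5.4.6.
AFFECTED = {(5, 6, 0), (5, 6, 1)}
RECOMMENDED = (5, 4, 6)

# Constructed samples of what `xz --version` prints on an affected and a clean host.
SAMPLE_AFFECTED = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_CLEAN = "xz (XZ Utils) 5.4.6\nliblzma 5.4.6\n"

# One line for the front end, one for the library; both are checked because the
# implant lives in liblzma and a partially updated box can have mismatched versions.
_VERSION_RE = re.compile(r"^(xz \(XZ Utils\)|liblzma) (\d+)\.(\d+)\.(\d+)", re.M)


def parse_versions(banner: str) -> dict:
    """Return {'xz': (major, minor, patch), 'liblzma': (...)} for the lines found."""
    found = {}
    for m in _VERSION_RE.finditer(banner):
        name = "xz" if m.group(1).startswith("xz") else "liblzma"
        found[name] = tuple(int(x) for x in m.group(2, 3, 4))
    return found


def assess(banner: str) -> dict:
    """Classify each component as 'affected', 'ok' or 'unknown' (line missing)."""
    result = {}
    for name, ver in parse_versions(banner).items():
        result[name] = "affected" if ver in AFFECTED else "ok"
    for name in ("xz", "liblzma"):
        result.setdefault(name, "unknown")
    return result


def check_local() -> dict:
    """Run the installed xz and assess its banner; 'unknown' if xz is not present."""
    try:
        proc = subprocess.run(["xz", "--version"], capture_output=True, text=True, timeout=5)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return {"xz": "unknown", "liblzma": "unknown"}
    return assess(proc.stdout)


if __name__ == "__main__":
    for label, banner in (("affected sample", SAMPLE_AFFECTED), ("clean sample", SAMPLE_CLEAN)):
        print(label, assess(banner))
    print("this host", check_local())
```

Anything reported as “affected” is a candidate for the downgrade the story mentions and for a follow-up scan of the actual library file; an “ok” result only rules out the unmodified upstream release strings, not the implant itself.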

Read more of this story at Slashdot.

Phil Spencer Wants Epic Games Store and Others On Xbox Consoles

Chris Plante reports via Polygon: Phil Spencer doesn’t just want Xbox games on other consoles. He wants other video game retailers on Xbox, too. In an interview with Microsoft’s CEO of Gaming during the annual Game Developers Conference, Spencer told Polygon about the ways he’d like to break down the walled gardens that have historically limited players to making purchases through the first-party stores tied to each console. Or, in layperson terms, why you should be able to buy games from other stores on Xbox — not just the official storefront. Spencer mentioned his frustrations with closed ecosystems, so we asked for clarity. Could he really see a future where stores like Itch.io and Epic Games Store existed on Xbox? Was it just a matter of figuring out mountains of paperwork to get there? “Yes,” said Spencer. “[Consider] our history as the Windows company. Nobody would blink twice if I said, ‘Hey, when you’re using a PC, you get to decide the type of experience you have [by picking where to buy games]. There’s real value in that.” Spencer believes console players would benefit from that freedom too — and so would console makers like Microsoft.

Spencer explained how, in the past, console makers would typically subsidize the cost of expensive hardware, knowing that a portion of every dollar spent on games for the platform over the years would eventually make it back to the console maker. Then, in time, the console maker would recoup the subsidy — and hopefully more. But, Spencer said, “Moore’s Law has slowed down. The price of the components of a console aren’t coming down as fast as they have in previous generations.” Worse, he explained, the console market isn’t growing, with more gamers moving to PC and handheld options. Now, the notion of subsidizing a console — and forcing players to purchase games through the official storefront to help recoup costs — might not make sense. The walls meant to lock people into consoles might be motivating them to stay out.

“[Subsidizing hardware] becomes more challenging in today’s world,” Spencer said. “And I will say, and this may seem too altruistic, I don’t know that it’s growing the industry. So I think, what are the barriers? What are the things that create friction in today’s world for creators and players? And how can we be part of opening up that model?” The answer, in part, is scrapping exclusivity on more and more Xbox games. Spencer explained that the game experience is hindered when it matters what consoles we play on or what shops sell us our games. As an example, he pointed to Sea of Thieves. A player, he explained, shouldn’t have to worry about what hardware they or their friends own. They should just know if their friends have and want to play Sea of Thieves. Now, Spencer said, “if I want to play on a gaming PC, then I feel like I’m more a continuous part of a gaming ecosystem as a whole. As opposed to [on console], my gaming is kind of sharded — to use a gaming term — based on these different closed ecosystems that I have to play across.”

Amazon Fined In Poland For Dark Pattern Design Tricks

Poland has fined Amazon close to $8 million for misleading consumers about the conclusion of sales contracts on its online marketplace. The sanction “also calls out the e-commerce giant for deceptive design elements which may inject a false sense of urgency into the purchasing process and mislead shoppers about elements like product availability and delivery dates,” reports TechCrunch. From the report: The country’s consumer and competition watchdog, the UOKiK, has been looking into complaints about Amazon’s sales practices since September 2021, following complaints from shoppers, including some who did not receive their purchases. The authority opened a formal investigation into Amazon’s practices in February 2023. Wednesday’s sanction is the conclusion of that probe. The UOKiK found consumers who ordered products on Amazon could have their purchases subsequently cancelled by the tech giant as it does not treat the moment of purchase as the conclusion of a sales contract, despite sending consumers confirmation of their order — even after consumers have paid for the product. For Amazon, the conclusion of a sales contract only occurs once it has sent information about the actual shipment. […]

Its enforcement also calls out Amazon for using deceptive design to encourage shoppers to click buy by presenting misleading information about product availability and delivery windows — such as by listing how many items were in stock to be purchased and providing a countdown clock to order an item in order to get it on a particular delivery date. Its investigation found Amazon does not always meet these deadlines for orders, nor ship products immediately as they may be out of stock despite claims to the contrary shown to consumers. “Amazon treats the data it provides on availability and shipping date as indicative but the way it is presented does not indicate this,” the UOKiK noted, adding: “Consumers can only find out about this in the terms of sale on the platform.”

While Amazon does offer a delivery guarantee — offering a refund if items do not ship within the stated time — the authority found it failed to provide consumers with information about the rules of this service before placing an order. It only offers details at the order summary stage. And then only “if the consumer decides to read the subsequent links specifying delivery details.” Shoppers who did not follow the link to read more may not have been aware of their right to apply for and receive a refund from Amazon if there is a delay in shipment. It also found the e-commerce giant failed to provide information about the “Delivery Guarantee” in the purchase confirmation sent to shoppers. Amazon said it will appeal the fine. The company also writes: “Fast and reliable delivery across a wide selection of products is a top priority for us, and Amazon.pl has millions of items available with fast and free Prime delivery. Since launching Amazon.pl in 2021, we have continuously invested and worked hard to provide customers with a clear, reliable delivery promise at check out, and while the vast majority of our deliveries arrive on time, customers can contact us in the rare event that they experience a delay or order cancellation, and we will make it right.

Over the last year, we have collaborated with the Office of Competition and Consumer Protection (UOKiK), and proposed multiple voluntary amendments to continue to improve the customer experience on Amazon.pl. We strictly follow legal standards in all countries where we operate and we strongly disagree with the assessment and penalty issued by the UOKiK. We will appeal this decision.”

Why the US Could Be On the Cusp of a Productivity Boom

Neil Irwin reports via Axios: The dearth of productivity growth over the last couple of decades has held back incomes in the U.S. and other rich countries, according to a report out Wednesday from the McKinsey Global Institute, the research arm of the global consultancy. Productivity growth has been weak in the U.S. and Western Europe since the 2008 global financial crisis, but things looked better among many emerging markets. The McKinsey report finds that global labor productivity growth was 2.3% a year from 1997 to 2022, a rapid rate that has increased incomes and quality of life in large parts of the world. China and India account for the largest portion of that surge — half of overall global productivity improvement, with other emerging markets accounting for another 25%, led by Central and Eastern Europe and emerging Asian economies.

In the U.S., the report finds that the decline in capital investment following the 2008 financial crisis has resulted in a $4,500 lower per-capita GDP in 2022 than it would have if pre-crisis trends had continued. Rapid advances in manufacturing technology, especially for electronics, petered out in the same time period, subtracting another $5,000 from per-capita GDP. “Digitization was much discussed as the main candidate to rev up productivity again, but its impact failed to spread beyond” the tech sector, the authors write. The authors are optimistic that a confluence of factors will make the years ahead different.

The rise in global interest rates and inflation are evidence of stronger global demand. Many countries are experiencing labor shortages that may incentivize more productivity-enhancing investment. And artificial intelligence and related technologies create big opportunities. “Inflationary pressure and rising interest rates could be signs that we are leaving behind secular stagnation and entering an era of higher demand and investment,” the report finds. “In corporate boardrooms around the world right now, there’s a tremendous amount of conversation associated with [generative] AI, and I think there’s a broad acknowledgment that this could very much transform productivity at the company level,” Olivia White, a McKinsey senior partner and co-author of the report, tells Axios. “Another thing that’s happening right now is the conversation about labor. Labor markets in all advanced economies, and the U.S. is really sort of top of the heap, are very, very tight right now. So there’s a lot of conversation around what do we do to make the people that we have as productive as they can be?”

Scientists Turn To AI To Make Beer Taste Even Better

Researchers say they have used AI to make brews even better. From a report: Prof Kevin Verstrepen, of KU Leuven university, who led the research, said AI could help tease apart the complex relationships involved in human aroma perception. “Beer — like most food products — contains hundreds of different aroma molecules that get picked up by our tongue and nose, and our brain then integrates these into one picture. However, the compounds interact with each other, so how we perceive one depends also on the concentrations of the others,” he said.

Writing in the journal Nature Communications, Verstrepen and his colleagues report how they analysed the chemical makeup of 250 commercial Belgian beers of 22 different styles including lagers, fruit beers, blonds, West Flanders ales, and non-alcoholic beers. Among the properties studied were alcohol content, pH, sugar concentration, and the presence and concentration of more than 200 different compounds involved in flavour — such as esters that are produced by yeasts and terpenoids from hops, both of which are involved in creating fruity notes.

A tasting panel of 16 participants sampled and scored each of the 250 beers for 50 different attributes, such as hop flavours, sweetness, and acidity — a process that took three years. The researchers also collected 180,000 reviews of different beers from the online consumer review platform RateBeer, finding that while overall appreciation of the brews was biased by features such as price, meaning it differed from the tasting panel’s ratings, the ratings and comments relating to other features — such as bitterness, sweetness, alcohol and malt aroma — correlated well with those from the tasting panel.

World Poker Tour Bets on AI Dubbing of Tournaments for Latin America

Georg Szalai reports via the Hollywood Reporter: The World Poker Tour (WPT) is betting on AI-powered dubbing tools under a partnership with Papercup, a London-based AI dubbing company, that will replace WPT’s traditional localization methods in Latin America. Papercup will work with the World Poker Tour to translate 184 of the franchise’s 44-minute-long episodes into Brazilian Portuguese, the companies said.

“This will amount to nearly 140 hours of content and enable viewers across South America to access WPT’s latest shows and tournaments in their native language quicker than ever before,” they explained. “Forced to deal with lead times of up to six months, the company experienced ongoing challenges with timely content delivery and adaptation.” The Papercup deal will cut those lead times in half, the partners said. “Now the premier poker content produced by WPT will be able to reach international fans watching on OTT platforms, as well as its own FAST channel, faster than ever before,” they touted. Financial terms weren’t disclosed.

Papercup uses a combination of machine-learning tools and expert human translators to “deliver maximal linguistic and tonal accuracy.” Its AI voices are built using data from real voice actors to ensure they “have all the warmth and expressivity of human speech,” it says. “The quality of Papercup dubbing has been second to none. A big part of that is down to their AI voices and expert translators who go through every sentence to make sure the moment is truly captured in the new AI dubs,” said Marc Dion, director of distribution & ad sales at WPT. “The major streaming platforms have very stringent criteria when it comes to dubbed content and if it’s going to connect with our shared viewers.”

Judge Orders YouTube to Reveal Everyone Who Viewed A Video

“If you’ve ever jokingly wondered if your search or viewing history is going to ‘put you on some kind of list,’ your concern may be more than warranted,” writes Mashable:

In now unsealed court documents reviewed by Forbes, Google was ordered to hand over the names, addresses, telephone numbers, and user activity of YouTube accounts and IP addresses that watched select YouTube videos, part of a larger criminal investigation by federal investigators.

The videos were sent by undercover police to a suspected cryptocurrency launderer… In conversations with the bitcoin trader, investigators sent links to public YouTube tutorials on mapping via drones and augmented reality software, Forbes details. The videos were watched more than 30,000 times, presumably by thousands of users unrelated to the case. YouTube’s parent company Google was ordered by federal investigators to quietly hand over all such viewer data for the period of Jan. 1 to Jan. 8, 2023…

“According to documents viewed by Forbes, a court granted the government’s request for the information,” writes PC Magazine, adding that Google was asked “to not publicize the request.”
The requests are raising alarms for privacy experts who say the requests are unconstitutional and are “transforming search warrants into digital dragnets” by potentially targeting individuals who are not associated with a crime based simply on what they may have watched online.
That quote came from Albert Fox-Cahn, executive director at the Surveillance Technology Oversight Project, who elaborates in Forbes’ article. “No one should fear a knock at the door from police simply because of what the YouTube algorithm serves up. I’m horrified that the courts are allowing this.”

Thanks to long-time Slashdot reader schwit1 for sharing the article.

GitHub Introduces AI-Powered Tool That Suggests Ways It Can Auto-Fix Your Code

“It’s a bad day for bugs,” joked TechCrunch on Wednesday. “Earlier today, Sentry announced its AI Autofix feature for debugging production code…”

And then the same day, BleepingComputer reported that GitHub “introduced a new AI-powered feature capable of speeding up vulnerability fixes while coding.”

This feature is in public beta and automatically enabled on all private repositories for GitHub Advanced Security customers. Known as Code Scanning Autofix and powered by GitHub Copilot and CodeQL, it helps deal with over 90% of alert types in JavaScript, TypeScript, Java, and Python… After being toggled on, it provides potential fixes that GitHub claims will likely address more than two-thirds of found vulnerabilities while coding with little or no editing.

“When a vulnerability is discovered in a supported language, fix suggestions will include a natural language explanation of the suggested fix, together with a preview of the code suggestion that the developer can accept, edit, or dismiss,” GitHub’s Pierre Tempel and Eric Tooley said…
Last month, the company also enabled push protection by default for all public repositories to stop the accidental exposure of secrets like access tokens and API keys when pushing new code. This was a significant issue in 2023, as GitHub users accidentally exposed 12.8 million authentication and sensitive secrets via more than 3 million public repositories throughout the year.

GitHub will continue adding support for more languages, with C# and Go coming next, according to their announcement.

“Our vision for application security is an environment where found means fixed.”

Has ‘Silicon Valley-style Startup Disruption’ Arrived for Book Publishing?

The Baffler says a new publishing house launched earlier this month “brings Silicon Valley-style startup disruption to the business of books.”

Authors Equity has “a tiny core staff, offloading its labor to a network of freelancers,” and like a handful of other publishers “is upending the way that authors get paid, eschewing advances and offering a higher percentage of profits instead.”

It is worth watching because its team includes several of the most important publishing people of the twenty-first century. And if it works, it will offer a model for tightening the connection between book culture and capitalism, a leap forward for the forces of efficiency and the fantasies of frictionless markets, ushering in a world where literature succeeds if and only if it sells….

Authors Equity’s website presents its vision in strikingly neoliberal corporatespeak. The company has four Core Principles: Aligned Incentives; Bespoke Teams; Flexibility and Transparency; and Long-Term Collaboration. What do they mean by these MBA keywords? Aligned Incentives is explained in the language of human capital: “Our profit-share model rewards authors who want to bet on themselves.” Authors, that is, take on more of the financial risk of publication. At a traditional publishing house, advances provide authors with guaranteed cash early in the process that they can use to live off while writing. With Authors Equity, nothing is guaranteed and nothing given ahead of time; an author’s pay depends on their book’s profits.

In an added twist, “Profit participation is also an option for key members of the book team, so we’re in a position to win together.” Typically, only an author’s agent’s income is directly tied to an author’s financial success, but at Authors Equity, others could have a stake. This has huge consequences for the logic of literary production. If an editor, for example, receives a salary and not a cut of their books’ profits, their incentives are less immediately about profit, offering more wiggle room for aesthetic value. The more the people working on books participate in their profits, the more, structurally, profit-seeking will shape what books look like.

“Bespoke Teams” is a euphemism for gigification. With a tiny initial staff of six, Authors Equity uses freelance workers to make books, unlike traditional publishers, which have many employees in many departments… Their fourth Core Principle — Long-Term Collaboration — addresses widespread frustration with a systemic problem in traditional publishing: the fetishization of debut authors who receive decent or better advances, fail to earn out, and then struggle to have a career. It’s a real problem and one where authors’ interests and capitalist rationalization are, as it were, aligned. Authors Equity sees that everyone might profit when an author can build a readership and develop their skill.
The article concludes with this prediction. “It’s not impossible that we’ll look back in twenty years and see its founding as auguring the beginning of the startup age in publishing.”

Food for thought… Pulp-fiction mystery writer Mickey Spillane once said, “I’m a writer, not an author. The difference is, a writer makes money.”
