Post Office Capture and Ecco+ users asked to make contact with Scottish statutory body

The Scottish Criminal Cases Review Commission (SCCRC) is attempting to contact any former subpostmasters who could have been prosecuted for unexplained losses on the Post Office’s pre-Horizon Capture software.

There are former subpostmasters who, like Horizon users, could have been convicted of crimes based on data from these systems.

Since the Post Office Horizon scandal hit the mainstream in January 2024 – revealing to a wide audience the suffering experienced by subpostmasters who were blamed for errors in the Horizon accounting system – users of Post Office software that predated Horizon have come forward, supported by campaigning peer Kevan Jones, to tell their stories, which echoed those of victims of the Horizon scandal.

The Criminal Cases Review Commission for England and Wales is now reviewing 21 cases of potential wrongful conviction, put forward by law firm Hudgell Solicitors, where the Capture IT system could be a factor.

Capture was a PC-based application developed by the Post Office and uploaded onto a personal computer to carry out branch accounts.

The software was a standalone system, unlike Horizon, which is a complex, networked system connected to centralised services (see below for timeline of Capture developments since January 2024).

The SCCRC is now calling on people who might have been convicted based on Capture accounts to come forward. “The commission encourages anyone who believes that their criminal conviction, or that of a relative, might have been affected by the Capture system to make contact with it,” it said.

Third system

The statutory body is also investigating a third Post Office system, known as Ecco+, which was also error-prone. It was thought this system was only used in Crown branches (directly managed by the Post Office) and Crown branches that were taken over by subpostmasters. But Computer Weekly has discovered that Ecco+ could actually be bought by subpostmasters for use in their branches.

“We are currently investigating possible miscarriages of justice relating to problems with various computer systems used in Post Office branches in the 1990s (Capture, Ecco+),” the SCCRC said.

Read the SCCRC’s related information sheet.

In May 2024, Scottish Parliament announced its own legislation to exonerate subpostmasters with convictions based on evidence from the Horizon system.

This followed a similar law introduced for England and Wales in March last year that saw over 700 former subpostmasters exonerated.

A total of 64 former subpostmasters in Scotland have now had their convictions overturned through the legislation brought through Scottish Parliament.

So far, 97 convicted subpostmasters have come forward and 86 have been assessed, of which 64 have had convictions overturned and 22 have been rejected; another 11 are still to be assessed.

An independent group, fronted by a former Scottish subpostmaster, is also calling on users of any of the Post Office systems to come forward to tell their stories, and for support in seeking justice and redress.

The Scottish Postmasters for Justice and Redress, as the group is known, will officially launch tomorrow at Scottish Parliament. It was set up by Rab Thomson, a former subpostmaster of a branch near Alloa, who had a wrongful theft conviction overturned last year.

The group has the support of former Scottish Nationalist Party MP Marion Fellows, who was chair of the All-Party Post Office Parliamentary Group, and Calum Greenhow, the current CEO of the National Federation of Subpostmasters.

Post Office scandal data leak interim compensation offers made

The Post Office has made interim compensation offers to a number of former subpostmasters affected by a major data breach that was revealed last year.

There is still work to be done on cases, but according to a source, some subpostmasters affected by the breach have been offered interim compensation payments by the Post Office.

The payments are for damages caused by the personal details of members of the Justice for Subpostmasters Alliance (JFSA) campaign group being accidentally published on the Post Office’s website in a document titled Confidential Settlement Deed.

The Post Office would not comment on the interim payments, but a spokesperson said: “We would like to express our sincere apologies to those that were impacted by a human error which saw an unredacted document mistakenly published on Post Office’s website. Once we were made aware of the error, the document was immediately removed. We remain in contact with the Information Commissioner’s Office and the representatives of those who were affected.”

The security breach was first revealed in June 2024, but the data had been exposed for a number of years. It made the personal details of hundreds of former subpostmasters easily available. During a public inquiry hearing in November, it was revealed that this was caused by a botched website upgrade.

Jasvinder Barang, a former subpostmistress and member of the group of affected subpostmasters, said she has not yet heard anything about compensation, “apart from dribs and drabs”.

She questioned the Post Office’s attitude towards the damage the data leak has caused. “I don’t think they’re taking that seriously. We are finding it very, very stressful and very serious, but they don’t seem to think that it’s that serious,” she added.

Barang said the data breach was just another thing on top of all the stress related to the scandal. “I am absolutely stressed. Not knowing who knows where we live and all the rest of it. And of course it’s not just my safety I am worried about, but my family as well.”

During the November public inquiry hearing, Simon Recaldin, who heads up the Post Office’s Horizon scandal financial redress schemes, said: “The link to the [document], which was on the website, had broken. They were refreshing the link, and to do this they had to get the original document to put in there, but they put the unredacted document rather than the redacted document in there.”

The subpostmasters, victims of the Horizon scandal, took part in the 2018/19 High Court case that proved bugs in the Post Office’s IT system were responsible for accounting losses for which the victims had been blamed and prosecuted.

The data breach was reported in June last year, and at that time, a Google search suggested it had been online since 2019.

Following the breach being exposed, then Post Office CEO Nick Read said: “This is a truly terrible error, and one for which at this stage I can only apologise.” The Post Office notified the Information Commissioner’s Office (ICO) of the incident.

Although the breach was revealed in June 2024, no action has so far been taken by the ICO. It said: “The Post Office have made us aware of an incident and we are investigating the information provided.”

The Post Office scandal was first exposed by Computer Weekly in 2009, revealing the stories of seven subpostmasters – including Alan Bates – and the problems they suffered due to accounting software. It is one of the biggest miscarriages of justice in British history (see below for timeline of Computer Weekly articles about the scandal, since 2009).

Pure aims at AI beyond the enterprise with FlashBlade//Exa

Pure Storage has announced FlashBlade//Exa, which aims at artificial intelligence (AI) and high-performance computing (HPC) workloads that demand extremely high throughput to graphics processing units (GPUs). That will serve customers between large enterprise users of AI and the hyperscalers.

At the same time, FlashBlade//Exa has also introduced a new architecture to a Pure product line, one in which metadata and bulk storage are disaggregated with different hardware and protocols in use.

All of which is in line with Pure’s orientation towards architectures used by the hyperscalers, and comes hot on the heels of last week’s revelation that Meta is the mystery hyperscaler that decided to buy Pure’s Direct Flash Modules (DFMs) for its own systems (see below).

According to Patrick Smith, field chief technology officer at Pure Storage, Exa addresses challenges in storage for AI that include GPU utilisation, inconsistent performance (in general, and specifically with metadata), scalability and management complexity.

Exa aims at a performance level somewhat higher than current FlashBlade products, targeting AI factories and GPU-as-a-service providers such as Coreweave, Tenstorrent, DataCrunch and Foundry, as well as research labs, HPC users and sovereign cloud projects. All of which, Pure said, have performance needs in the 1TBps (terabytes per second) to 50TBps throughput range, with 100PB (petabytes) to multiple exabytes of capacity and support for thousands to tens of thousands of GPUs.

FlashBlade is Pure’s fast file and object family, although Exa appears to be file access-only for now.

“It’s next level in comparison to the FlashBlade S500,” said Smith, citing FlashBlade//Exa performance figures of greater than 10TBps read performance in a single namespace, 3.4TBps throughput per rack, and an increase of 20 times in the number of files handled under single namespace.

The novel architecture – for Pure – that lays the ground for the new product is disaggregation between the metadata and bulk storage data nodes. Metadata is stored on FlashBlade nodes – i.e. with controller hardware – and connects to customers’ compute cluster via NFS v4.1 parallel file access and TCP. Meanwhile, data nodes connect via Network File System (NFS) v3 (not parallelised) and Remote Direct Memory Access (RDMA).

For the first time, Pure will offer this with Pure-recommended network interface cards (NICs) in customer-specified commodity non-volatile memory express (NVMe) storage servers, but later this year, Pure DFMs will be available for use with FlashBlade//Exa.

As mentioned, this is the first time Pure has released a product without its own DFM capacity, but according to Smith, the decision was forced by “acceleration in the AI [artificial intelligence] landscape, increased demand and especially increased scale”.

“And so, coming out with a platform that allows customers to meet those scale demands in terms of performance and capacity is something we felt we shouldn’t wait on,” he added.

This disaggregation of metadata storage and bulk storage, as well as the independent supply of its flash modules, is in keeping with recent developments that saw it unveil Meta as a hyperscaler customer for Pure’s DFMs.

Around the turn of the year, Pure announced Kioxia and Micron as quad-level cell (QLC) flash chip providers for DFM modules for supply to “a hyperscaler” customer. That customer has now been revealed as Meta, which has gone public with a blog post detailing a shift from hard disk drives to QLC flash.

That is for workloads that suit QLC’s performance profile of highly sequential data and infrequent/low-intensity writes due to its low write endurance, and because QLC is “not yet price competitive enough for a broader deployment”.

General availability of FlashBlade//Exa will be in summer 2025. Also planned for later this year are S3 object storage access via RDMA, Nvidia certification and Pure Storage Fusion integration.

UK government under-prepared for catastrophic cyber attack, hears PAC

The government is under-prepared for a catastrophic cyber attack and still dogged by legacy IT, but making progress, the Public Accounts Committee of the House of Commons has heard.

The committee, chaired by Geoffrey Clifton-Brown, Conservative MP for North Cotswolds, took testimony on 10 March from four high-ranking government IT leaders about the cyber resilience of Whitehall departments. This followed the publication, in January, of a report by the National Audit Office (NAO), which found government cyber resilience lacking, weakened by legacy IT and skills shortages, and facing mounting threats.

In its Government cyber resilience report, the public spending watchdog warned that the cyber threat to the UK government is “severe and advancing quickly”. It found that 58 critical government IT systems, assessed in 2024, had significant gaps in cyber resilience, and the government does not know how vulnerable at least 228 “legacy” IT systems are to cyber attack.

The NAO noted that the government’s cyber assurance scheme, GovAssure, found significant gaps in cyber resilience, with multiple fundamental system controls at low levels of maturity across departments. GovAssure assesses the critical systems of government organisations. It was set up in April 2023.

The question, according to the report under review at the PAC committee session, is no longer if the government will face a damaging cyber attack, but how severe the impacts may be, as the sophistication and number of attacks continues to rise.

As the government’s operations become increasingly digitised, so too does the severity of potential impacts resulting from cyber attacks. In an effort to combat this, the government published a Cyber Security Strategy in 2022, which set out plans to make the public sector resilient to cyber attacks by 2030. The PAC chair said the committee would look at “how the government understands the severity of the cyber threat that it faces, how it can best achieve the aim of the strategy, and build the government’s resilience to cyber attacks”.

Testifying before the committee were: Cat Little, chief operating officer for the Civil Service and permanent secretary to the Cabinet Office; Vincent Devine, government chief security officer and head of the Cabinet Office’s Government Security Function; Joanna Davinson, interim government chief digital officer at the Department for Science, Innovation and Technology; and Bella Powell, cyber director of the Cabinet Office’s Government Security Group.

One matter of concern to the MPs on the committee is the lack of visibility civil servants seem to have into the very number of government IT systems, spread across departments and “arms-length bodies”, and to what extent they are “legacy” systems especially vulnerable to cyber attack.

Clive Betts, Labour MP for Sheffield South East, said: “This is quite a critical issue. This is about the threat from potential cyber attack that could be launched against a legacy system, and we don’t yet know what the systems are to begin with.”

Davinson responded: “It’s not a simple, ‘What’s the list?’ We’ve asked that question of departments, and have had responses through our legacy risk framework. We’ve got that understanding and we are continuing to expand that out to other organisations. [But] it’s not a resource-free exercise.”

Little added: “What this part of our discussion really brings to light is that government, in a period of scarce resources, has got to make prioritised decisions based on risks and how much assurance is desired. And it’s for the government to set its risk appetite, and to use that risk appetite and information to allocate resources accordingly.

“We’ve made huge progress in understanding the most significant issues that we’ve got [in terms of legacy], and whilst it’s not every single system, it is the vast majority … [and] we’re using both GovAssure and our technical expertise in legacy IT to set out for ministers the choices about risk and how much risk they want to buy out. That is the fundamental question. If you’ve got X billion pounds available to fund people, resources, skills, to remediate legacy IT, and to invest in new technology, how you use your allocative resource has got to be risk based, and it’s got to be outcome based. The whole point of the Spending Review process is to bring outcomes and risks together so that ministers can make a funding allocation choice.”

Powell said: “We are ramping up the number of systems that we’re looking at. We are not doing that in an exponential fashion, but I think it’s also worth noting that with GovAssure, we are driving the car and building it at the same time. We launched it in April 2023 following some early pilots with departments [when] it was still at an early-stage assurance process.

“There is much more that we can and need to do, particularly in terms of automation of that process, in terms of providing stronger support and guidance to departments in implementing it, and also in the root cause analysis to better understand the data that we are gathering from that process. It is by no means a finished product, it is by no means a perfect product, but what it’s already starting to do is give us the outcomes that we need in terms of understanding resilience levels and where we can take action.”

MPs were also concerned about the extent to which the government has, as the NAO report states, under-estimated the extent of cyber risk.

Devine was candid in relation to the lateness of the introduction of GovAssure in April 2023. “We probably have woken up to the scale of cyber risk more slowly than we should have done. We were probably unrealistic in relying upon self-assessment [of government departments],” he said.

“Despite recognising this in 2010, starting to invest money significantly in 2016, we didn’t ramp up the government response to cyber security from assurance through to response as quickly as we should have, in retrospect. Why? Because I don’t think we were as alive to the threats as we should have been, and probably because we hadn’t had the incidents that brought it to life for us that we and our allies have had over the last five years. It’s not a good answer, but it is the true answer,” Devine added.

To that, Little added: “It’s really difficult to go back in time to our predecessors. Like all good risk management, you manage risks as best you can until they become an issue. When they become an issue, and they’re live and they’re real, you step up your response…. We’ve always known about the risks, but it wasn’t until it became a real, live issue that the scale of what we were dealing with became clear, and it needs a different sort of response.”

The original NAO report gave, as an example of how damaging cyber attacks can be, the instance, in June 2024, of an attack on a supplier of pathology services to the NHS in south-east London, which led to two NHS foundation trusts postponing 10,152 acute outpatient appointments and 1,710 elective procedures. It also cited the British Library ransomware attack in October 2023, which has already cost £600,000 to rebuild services. The library expects to spend many times more as it continues to recover. These were mentioned in the PAC session.

The report found that the biggest risk to making the UK government resilient to cyber attack is a gaping skills gap. One in three cyber security roles in government were vacant or filled by temporary – and more expensive – staff in 2023-24, while more than half of cyber roles in several departments were vacant, and 70% of specialist security architects were staff on temporary contracts.

In the Public Accounts Committee meeting, Little said she was sad to see a continued over-reliance on contractors, but that initiatives such as a cyber security Fast Stream and a new “digital pay framework” were “starting to have an impact”.

Powell added that the overall number of digital technology professionals in the civil service has grown, and stands at nearly 6%. “It’s not as much as we’d like it to be. We are struggling with the very technical resources, and that’s a market problem – they are scarce in the private sector as well as in the public sector,” she said.

ChatGPT celebrity deepfakes are going viral, and there’s only one way to stop them

The new ChatGPT 4o image generation model is the talk of the town, and not just for good reasons. Everyone is marveling at the AI’s amazing new abilities, which include generating legible text in images, creating fake photos out of real ones, creating deepfakes of celebrities, and replicating copyrighted content like Studio Ghibli characters. It all happens incredibly fast, with the AI able to respond to your needs.

But some people have been quick to point out the bad things about the new AI image model. First, the most obvious problem that we’re not really talking about is that ChatGPT has dealt a swift blow to all sorts of content creators, including graphic designers and photographers. Of course, we already have other AI image-generation programs that endanger those professions. This isn’t a ChatGPT safety issue, either.

The fact that ChatGPT-created images have no visible watermark to inform unsuspecting people they’re not real images is a big safety concern. More visible is the Studio Ghibli controversy, which shows that OpenAI is willing to let 4o image generation easily rip off copyrighted content.

The even more annoying thing about ChatGPT’s new image generation abilities is how easy it is to make deepfakes of celebrities. This one is especially troubling to me, an internet user, because malicious actors have unfettered access to the tool.

OpenAI has started paying attention to the criticism it received since the launch of 4o image generation, but it’s not taking any action, especially on the deepfake problem. It turns out the only way to stop someone from using your face with ChatGPT is to opt out of it with OpenAI.

As I pointed out before, OpenAI never addressed these ChatGPT security matters in its original announcement. But the company retweeted a blog post from OpenAI engineer Joanne Jang explaining the lax security features in ChatGPT 4o image generation. Sam Altman also retweeted the same blog post. Why not publish it on the OpenAI blog if this is the company’s official stance?

Jang, who leads model behavior at OpenAI, took to Substack to explain the lax safety features in ChatGPT 4o image generation. The engineer makes the case for OpenAI giving ChatGPT more freedom so users can unleash their creativity rather than be stopped by the AI’s refusal to generate images based on more drastic safety features.

“Images are visceral,” Jang says, and I definitely agree. “There’s something uniquely powerful and visceral about images; they can deliver unmatched delight and shock. Unlike text, images transcend language barriers and evoke varied emotional responses. They can clarify complex ideas instantly.”

Also, it’s great to see that OpenAI is more malleable when it comes to certain censorship features. Jang gives an example of how ChatGPT handles offensive content:

When it comes to “offensive” content, we pushed ourselves to reflect on whether any discomfort was stemming from our personal opinions or preferences vs. potential for real-world harm. Without clear guidelines, the model previously refused requests like “make this person’s eyes look more Asian” or “make this person heavier,” unintentionally implying these attributes were inherently offensive.

The blog also covers the use of hate symbols in images and the “stronger protections and tighter guardrails” for people under 18.

What’s more problematic is OpenAI’s openness to allowing ChatGPT to create deepfakes with such ease.

Here’s Jang’s explanation of how ChatGPT 4o image generation handles public figures:

We know it can be tricky with public figures—especially when the lines blur between news, satire, and the interests of the person being depicted. We want our policies to apply fairly and equally to everyone, regardless of their “status.” But rather than be the arbiters of who is “important enough,” we decided to create an opt-out list to allow anyone who can be depicted by our models to decide for themselves.

Remember when Scarlett Johansson called out that deepfake anti-Kanye video that used her face without her permission and asked the government to take action against the use of deepfakes?

Well, ChatGPT makes it easier than ever for anyone to come up with deepfakes showing celebrities in fake photos. I’m not talking about Ghibli-style images showing President Trump announcing the Stargate AI initiative. We all know how to interpret that. I’m talking about AI images that are indiscernible from real photos and can manipulate public opinion. 

Satire has nothing to do with it, either. Those capable of drawing cartoons featuring political figures to mock their actions never needed ChatGPT to do it. Also, people seeing those images would recognize it’s satire and not real. Now, ChatGPT makes it incredibly easy to generate fake news.

What’s more annoying is that Jang says people who feel “important enough” can opt out. Where? How? Where is the list? Why didn’t OpenAI announce this list before making ChatGPT 4o image generation available to the masses? After all, users have already started putting celebrities in their ChatGPT creations, and those celebrities might not like it.

It sure looks like OpenAI is using the new image generation product to introduce much laxer AI safety features than before. I hope that’s not the case, but that’s what it feels like right now. Jang’s blog further confirms that OpenAI won’t necessarily take a stronger safety approach for the 4o image generation tool right away.

Then again, so many AI safety engineers left OpenAI in the past years that it makes sense to see the company lower safety protections. By the way, it’s not just OpenAI that’s going for a very lax safety policy for AI image models. Others have been doing it, too. It’s just that ChatGPT has just gone viral for its incredible image-generation powers, so we can’t ignore the safety protocols governing it.

ByteDance’s InfiniteYou AI lets you create infinite fake photos of yourself

ChatGPT’s 4o image generation model is the talk of the town right now, but it’s not the only AI software that can offer mind-blowing image generation. TikTok parent company ByteDance has a new AI model called InfiniteYou, whose sole purpose is to let users generate photos of themselves starting from a single uploaded photo.

It’s not that ChatGPT’s new image generation powers can’t edit photos you upload to the chatbot while preserving the identity of the people in them. Other AI tools exist to let you edit your images in ways that fit your needs, even if that essentially means creating fakes: photos showing events that never happened and people who weren’t in that picture when it was taken.

However, the purpose of ByteDance’s new model is to generate fake pictures of a real subject while preserving their identity. That’s the whole point of InfiniteYou: To let you create any sort of image, starting from a simple photo upload that contains the main subject and a text prompt that describes what you want the AI to generate.

I’ll say from the get-go that the whole premise here is disturbing, not just because I’m already worried about how incredibly easy it is to create lifelike fakes that can manipulate public opinion, but because the whole InfiniteYou research project comes from a company behind a product that’s often been accused of influencing public opinion via content algorithms. That’s social network TikTok, which still faces a major ban in the US.

The InfiniteYou service isn’t available as a standalone mobile app or web app, but you can test it at this link. Also, the AI research project is listed on HuggingFace, with the full study being available at this link.

As you’ll see in the following screenshot, you don’t even have to upload your own image to see what the AI can do. Just pick one of the available images, as I did, and then type a prompt. The photo I picked already came with the following prompt, so I didn’t even change it, as I was curious to see what the result would be:

A sophisticated gentleman exuding confidence. He is dressed in a 1990s brown plaid jacket with a high collar, paired with a dark grey turtleneck. His trousers are tailored and charcoal in color, complemented by a sleek leather belt. The background showcases an elegant library with bookshelves, a marble fireplace, and warm lighting, creating a refined and cozy atmosphere. His relaxed posture and casual hand-in-pocket stance add to his composed and stylish demeanor

The AI took a while to process the uploaded photo and the requirements in the text, and then it generated the image on the right side here:

ByteDance’s InfiniteYou test: Example of creating fake photos. Image source: HuggingFace

As you can see, the AI image preserved the subject’s likeness and recreated the entire background and the subject’s body to adhere to the prompt’s requirements.

The resemblance between the subject in the photo and the AI version is clear, though you can tell the image on the right is AI-generated. There’s no watermark to indicate it’s an AI photo (which itself is a red flag), but you can tell this isn’t a real photo.

Perhaps that’s a good thing. Otherwise, InfiniteYou could be easily used to create deepfakes of celebrities in lifelike photos, a problem the new ChatGPT image generation model already has.

Then again, I only briefly tested this new AI on HuggingFace. A commercial product will likely offer even higher-quality images that are harder to identify as AI-generated images.

InfiniteYou examples from the ByteDance study. Image source: HuggingFace

After all, the images the researchers offered in the study suggest that the AI model can create high-quality, albeit fake, images of a subject with the help of a real photo and a text prompt.

Take the examples above, each containing the original photo, the text prompt InfiniteYou was given, and the result. We are looking at high-end, frontier AI tech here.

The ByteDance engineers also provided the following comparison between InfiniteYou and other AI models that can generate images.

Comparison between ByteDance and other AI image generation services. Image source: HuggingFace

It’s unclear where ByteDance might use this AI tech next, but it’s clear where it might want to deploy it. TikTok comes to mind again, as AI tech like InfiniteYou would certainly come in handy to creators.

That would not be a problem as long as AI content is clearly labeled as such and is not used for malicious purposes.

The AI researchers addressed safety concerns in the study, but only briefly. Rather than offering solutions to prevent fakes, they suggest InfiniteYou can be further improved. As for creating fake images, the researchers say that “developing robust media forensics approaches can serve as effective safeguards”:

Limitations and societal impact. Despite promising results, the identity similarity and overall quality of InfU could be further improved. Potential solutions include additional model scaling and an enhanced InfuseNet design. On another note, InfU may raise concerns about its potential to facilitate high-quality fake media synthesis. However, we believe that developing robust media forensics approaches can serve as effective safeguards.

Who will develop those safeguards? Who knows?

Meanwhile, you can explore ByteDance’s sophisticated InfiniteYou AI model at this link.

Source

Posted on

Secret London tribunal to hear appeal in Apple vs government battle over encryption

A secret tribunal is due to meet at the High Court in London this week to hear tech giant Apple appeal against a Home Office order to compromise the encryption of data stored by its customers on the iCloud service worldwide.

The Investigatory Powers Tribunal (IPT) has taken the unusual step of publishing a notification of a closed-door hearing on Friday 14 March, days after leaks revealed that Apple was intending to appeal against the secret order.

Press and civil society groups are expected to petition the Tribunal, which rules on matters of national security, to hold the hearings in open court, given the important public interest surrounding the case and the fact the government’s order has been widely leaked.

The decision by home secretary Yvette Cooper to issue a Technical Capability Notice requiring Apple to give UK law enforcement and intelligence services “backdoor” access to data stored by Apple’s customers on the encrypted version of its iCloud service has raised tensions between the UK and the US.

US lawmakers are expected to intervene further in the case after the US director of national intelligence Tulsi Gabbard – President Trump’s most senior advisor on intelligence and security – warned that any order from the UK that could put Americans’ privacy at risk would be a “clear and egregious violation”.

As a result of the UK government’s move, Apple in the UK has withdrawn its Advanced Data Protection (ADP) service which allows users to store data in end-to-end encrypted form on iCloud.

The decision is likely to expose people in the UK using Apple services to greater risk of cyber threat as they will no longer have the ability to encrypt their personal data on Apple’s iCloud with end-to-end encryption, though the service will remain available elsewhere in the world.

The president of the IPT, Lord Justice Rabinder Singh, and a senior High Court Judge, Mr Justice Jeremy Johnson, have made themselves available at short notice to hear a case behind closed doors on the morning of 14 March, according to court listings.

The IPT hears national security cases in secure courts at the High Court in the Strand – the only central London venue authorised for national security cases, aside from a secure court on Chancery Lane used for immigration cases.

A series of leaks about the secret order issued by the UK have made it more difficult for the Home Office and security agencies to maintain a stance of neither confirming nor denying the move against Apple.

Privacy International, which has brought a number of cases against government agencies in the IPT, said the Apple hearings should be conducted in public.

Caroline Wilson Palow, legal director and general counsel at Privacy International, said: “This is a very important debate to have in public, because we’re talking about the security of our computer systems that can affect millions, if not billions, of people around the world, given the reported technical capability notice has global reach.”

Last month, over 100 cyber security experts, companies and civil society groups signed a letter calling for home secretary Cooper to drop the demands for Apple to create a backdoor that would allow government access to encrypted communications and data stored on Apple’s iCloud service.

Apple has previously said that, despite withdrawing Advanced Data Protection from the UK, 14 categories of data stored on Apple’s iCloud will still be end-to-end encrypted by default, including health data.

UK users will not be able to opt for more secure end-to-end encryption for iCloud Backup; iCloud Drive; Photos; Notes; Reminders; Safari Bookmarks; Siri Shortcuts; Voice Memos; Wallet Passes; and Freeform, a collaboration tool.

Source

Posted on

Pixel 9a will arrive on April 10 missing some of Google’s best AI features

Google’s newest budget phone is finally ready for release. After an inexplicable delay due to a “component quality issue,” the company has confirmed the Pixel 9a release date: April 10 in the US, Canada, and the UK.

The rest of the world will follow shortly after, with launches in Europe on April 14 and select Asian-Pacific regions on April 16. We’ve known about the Pixel 9a for at least a week now—with official confirmation giving us a price and a good look at the design.

The Pixel 9a might look like a flagship at first glance, sharing the same sleek design language and housing Google’s Tensor G4 chip. But look closer, and it’s clear that a few of Google’s headline features didn’t make the trip down to this more affordable device.

That’s especially true when it comes to AI.


Despite sporting the same chip as the Pixel 9 and 9 Pro, the 9a has a tighter memory ceiling at just 8GB of RAM. That limitation means the phone can’t run the full version of Gemini Nano, Google’s powerful on-device AI model. Instead, it comes with a lightweight, text-only variant.

Don’t expect the same level of Gemini support on the 9a as Google’s flagship devices. Image source: Christian de Looper for BGR

In practical terms, that means you won’t be using the 9a for AI-powered voice summarization or multimodal features like image-based Q&A and contextual suggestions, which are available on Google’s flagship devices.

This is likely an intentional move by Google, aimed at balancing affordability with performance. But it also means buyers hoping for a full suite of on-device AI tools will need to temper their expectations.

That’s not the only trade-off. The Pixel 9a also skips satellite communication support and features an older cellular modem, which could affect signal efficiency and battery life in fringe areas.

Still, for $499 in the US (with a $100 bump for double the storage), the 9a offers a competitive entry point into the Pixel ecosystem. Pricing varies slightly by region, with a price tag of $679 CAD in Canada, £499 in the UK, and €549 in most of Europe.

Interestingly, Japan—a regular participant in Google’s device launches—still lacks a confirmed Pixel 9a release date, though Google insists it’s coming “soon.”

If you’ve already signed up for availability notifications through the Google Store, you’ll be among the first to know when preorders go live. And if you’re after a clean Android experience with a side of pared-down AI, the 9a could still hit the sweet spot.

Just don’t expect the same Gemini-powered goodies its flagship siblings enjoy.

Source

Posted on

Perimeter security appliances source of most ransomware hits

Compromised or vulnerable perimeter security appliances and devices – especially virtual private networks (VPNs) – formed the initial access vector in over half of observed ransomware attacks during 2024, according to data released this week by cyber security insurance provider Coalition in its latest annual threat report, which covers that year.

US-based Coalition, which began offering its so-called Active Insurance policies in the UK back in 2022, said that cyber criminals compromised such appliances in 58% of claims with which it dealt during 2024, with the second most widespread access point being remote desktop products, blamed in 18% of claims.

“While ransomware is a serious concern for all businesses, these insights demonstrate that threat actors’ ransomware playbook hasn’t evolved all that much – they’re still going after the same tried and true technologies with many of the same methods,” said Alok Ojha, head of security products at Coalition.

“This means that businesses can have a reliable playbook too, and should focus on mitigating the riskiest security issues first to reduce the likelihood of ransomware or another cyber attack. Continuous attack surface monitoring to detect these technologies and mitigate possible vulnerabilities could mean the difference between a threat and an incident.”

Unsurprisingly, the most commonly compromised products were all built by ‘household’ names in the industry, including the likes of Cisco, Fortinet, Microsoft, Palo Alto Networks and SonicWall. The most common initial access vectors (IAVs) were stolen credentials, used in 47% of such intrusions, and software exploits, seen in 29% of cases.

Coalition’s analysts warned that exposed logins were fast-emerging as an underappreciated and acute driver of ransomware risks. They claimed that the organisation detected more than five million remote management solutions and tens of thousands of login panels exposed on the public internet. It added that, according to its data, most applicants for cyber insurance (65%) had at least one internet-exposed web login panel, and securing these is a requirement for buying its products.

Out of these, the most commonly exposed admin login panels related to VPNs from Cisco and SonicWall, which between them accounted for over 19% of detected exposed panels, followed by Microsoft email services.

In 2024, Coalition also observed a significant number of exposed Citrix panels, which caused significant losses, including more than a billion dollars from the infamous Change Healthcare incident in the US, in which a ransomware gang used stolen Citrix credentials and exploited a lack of multifactor authentication to access the victim’s systems.

CVEs set to jump in 2025

As part of the set of services Coalition provides, it sends out zero-day alerts to its customers as and when new vulnerabilities are discovered, and constantly monitors for new vulnerabilities.

As such, its annual report also includes data on some of the more widespread common vulnerabilities and exposures (CVEs) it saw in 2024 – issues with Citrix, Fortinet, Ivanti and Palo Alto Networks prominent among them.

Looking ahead to 2025, Coalition’s analysts said the number of published vulnerabilities would likely increase to more than 45,000, a rate of nearly 4,000 every month, up 15% over the first 10 months of 2024.

This aligns closely with data released in February by the Forum of Incident Response and Security Teams (First), a non-profit, which suggested that CVE volumes may even top 50,000 this year.

A combination of new players in the CVE ecosystem, evolving disclosure compliance practices and a rapidly expanding attack surface are likely behind the growing number of vulnerabilities being reported on.

“This year’s report focuses on the most crucial security risks that under-resourced organisations should understand to better calibrate their defensive investments to bolster resilience,” said Daniel Woods, senior security researcher at Coalition.

“Calibration involves balancing security investment across vulnerabilities, misconfigurations and threat intelligence, while also responding to emerging threats, such as zero-day vulnerabilities exploited in the wild. That’s why Coalition issues Zero-Day Alerts to help businesses, especially SMEs with limited security resources, stay ahead of these vulnerabilities and reduce alert fatigue by prioritising those posing the greatest risk.”

Source

Posted on

Musk claims of Ukraine DDoS attack derided by cyber community

Tech oligarch Elon Musk has drawn criticism from cyber security experts following unsubstantiated claims that Ukraine was behind an apparent distributed denial of service (DDoS) attack on his social media platform, X, formerly known as Twitter.

Musk, who currently heads the US government’s Department of Government Efficiency (Doge) that has fired thousands of federal workers, accused the Ukrainian government of being behind the incident that brought down X services for many users on Monday 10 March. Speaking to the Fox Business news channel, he claimed a “massive cyber attack” targeting X appeared to have originated from IP addresses located in Ukraine.

The incident came amid a serious deterioration in relations between Ukraine and the US, and just days after US Cyber Command, the country’s military offensive and defensive cyber unit, suspended offensive operations against Russia in a significant climbdown.

Ukrainian officials were quick to refute the suggestion Kyiv was behind the cyber attack, and in conversation with the BBC, former National Cyber Security Centre head Ciaran Martin described Musk’s accusations as unconvincing and “pretty much garbage”.

Martin told the BBC he would be hard-pressed to think of an organisation of X’s scale that has been so badly impacted by such an incident in recent years and suggested the incident did not paint a good picture of the platform’s wider cyber resilience.

In a DDoS attack, malicious actors bombard a server with junk web traffic to overwhelm it, forcing it offline and leaving legitimate users unable to access it.

Such crude forms of cyber attack are well-known and relatively common – they frequently form a key element in hacktivist actions thanks to their accessibility, which at first glance lends a certain element of credibility to Musk’s claims.

However, DDoS attacks are launched via geographically dispersed networks of computers and other devices that have been co-opted into botnets without their owners’ knowledge or consent. This makes it very hard to accurately locate the individuals responsible for them.
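The point above, as an added example that is not from the article: simple rate-based flood detection over constructed web-server access-log lines. A window is flagged by request volume, and the per-source breakdown shows whether the traffic is spread thinly across many sources, which is what makes the origin hard to pin down, since those addresses belong to co-opted devices rather than to whoever directs them. Log lines and addresses are constructed (RFC 5737 documentation ranges) and the thresholds are illustrative.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Prefix of the combined log format: ip ident user [timestamp] "request" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3}')

def parse_line(line):
    """Return (source_ip, timestamp) for one access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")

def detect_floods(lines, window_s=10, min_requests=50, max_top_share=0.2):
    """Flag fixed-size windows whose request count reaches min_requests.

    Each alert records the distinct source IPs seen and the busiest one's share
    of traffic. A share below max_top_share means the flood is spread thinly
    across many sources: there is no single address to block, and those
    addresses are co-opted devices, not the party directing them.
    """
    buckets = defaultdict(Counter)  # window start (epoch seconds) -> per-IP counts
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash on hostile input
        ip, ts = parsed
        buckets[int(ts.timestamp()) // window_s * window_s][ip] += 1
    alerts = []
    for start in sorted(buckets):
        hits = buckets[start]
        total = sum(hits.values())
        if total < min_requests:
            continue
        top_ip, top_count = hits.most_common(1)[0]
        alerts.append({"window_start": start, "requests": total,
                       "distinct_sources": len(hits), "top_source": top_ip,
                       "top_share": round(top_count / total, 2),
                       "distributed": top_count / total < max_top_share})
    return alerts

# Constructed sample log (not real traffic; RFC 5737 documentation addresses):
# five ordinary requests, then 200 requests from 100 different hosts in one window.
SAMPLE_LOG = [f'192.0.2.{i} - - [10/Mar/2025:12:00:0{i} +0000] "GET / HTTP/1.1" 200'
              for i in range(5)]
SAMPLE_LOG += [f'203.0.113.{n % 100} - - [10/Mar/2025:12:00:30 +0000] "GET /?{n} HTTP/1.1" 503'
               for n in range(200)]

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_LOG):
        print(alert)
```

The same logic run on a flood from a single address reports one source with a share of 1.0, the case where blocking the source actually helps.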

Tom Parker, cyber security author and chief technology officer (CTO) at NetSPI, said the magnitude of the attack did strongly suggest the involvement of a sophisticated threat actor but it was important to understand that accurately attributing DDoS incidents is “notoriously difficult”.

“Such adversaries are highly adept at concealing their tracks. We must be extremely cautious about pointing fingers and sabre rattling without clear and compelling evidence to demonstrate capability, motive, and likely benefit for the party involved,” Parker told Computer Weekly.

“Despite recent events, I do believe Ukraine is still seeking to foster a more positive relationship with the US, which would make it unlikely that the claims of Ukrainian involvement are well-grounded. Rather, the scenario appears to align more with a ‘false flag’ operation deliberately crafted to implicate Ukraine.

“As we often see in these complex situations, the most straightforward explanation isn’t always correct, and drawing conclusions prematurely can lead us astray,” he said.

Pro-Palestine group

Lending more weight to arguments against Musk, a pro-Palestinian hacktivist group known as Dark Storm Team subsequently claimed via Telegram that it had been behind the incident.

An account on the Bluesky social media platform, claiming to be associated with this group and appearing to have links to the Anonymous collective, described the DDoS attack as a peaceful protest and said attacks would continue.

Jake Moore, global cyber security advisor at ESET, said: “Cyber criminals attack from all angles and are incredibly fearless in their attempts. Whether they are directed by geopolitical groups or financially motivated gangs, DDoS attacks are a clever way of targeting a website without having to hack into the mainframe, and therefore the perpetrators can remain largely anonymous and difficult to point a finger at.

“This also makes it that much more difficult to protect from when the landscape is completely unknown apart from having generic DDoS protection. However, even with such protection, each year, threat actors become better equipped and use even more IP addresses such as home IoT devices to flood systems, making it increasingly more difficult to protect from.”

Added Moore: “Unfortunately, X remains one of the most talked about platforms, making it a typical target for hackers marking their own territory. All that can be done to future-proof their networks is to continue to expect the unexpected and build even more robust DDoS protection layers.”

Source