Amazon Web Services makes the Mistral Large model public on Amazon Bedrock, giving developers an advanced LLM from which to build gen AI apps.
Indian government’s cloud spilled citizens’ personal data online for years
The Indian government has finally resolved a years-long cybersecurity issue that exposed reams of sensitive data about its citizens. A security researcher exclusively told TechCrunch he found at least hundreds of documents containing citizens’ personal information — including Aadhaar numbers, COVID-19 vaccination data, and passport details — spilling online for anyone to access. At fault
© 2024 TechCrunch. All rights reserved. For personal use only.
HD raises $5.6M to build a Sierra AI for healthcare in Southeast Asia
Chatbots have come a long way. For years, they were limited to responding with predetermined replies that followed a simple logic structure. But customers can have complex problems, and no tree-diagram of possible replies can have enough branches to account for all the edge cases that arise. Thankfully, the advent of large language models has
Cloudflare makes it simple to deploy AI apps with Hugging Face, launches Workers AI to public
Cloudflare opens up its Hugging Face integration to all, making it easy to deploy models with one click, and makes its serverless inference service, Workers AI, generally available.
How one volunteer stopped a backdoor from exposing Linux systems worldwide
Linux, the most widely used open source operating system in the world, narrowly escaped a massive cyber attack over Easter weekend, all thanks to one volunteer.
The backdoor had been inserted into a recent release of a Linux compression format called XZ Utils, a tool that is little-known outside the Linux world but is used in nearly every Linux distribution to compress large files, making them easier to transfer. If it had spread more widely, an untold number of systems could have been left compromised for years.
And as Ars Technica noted in its exhaustive recap, the culprit had been working on the project out in the open.
The vulnerability, inserted into Linux’s remote log-in, only exposed itself to a single key, so that it could hide from scans of public computers. As Ben Thompson writes in Stratechery, “the majority of the world’s computers would be vulnerable and no one would know.”
The story of the XZ backdoor’s discovery starts in the early morning of March 29th, as San Francisco-based Microsoft developer Andres Freund posted on Mastodon and sent an email to Openwall’s security mailing list with the heading: “backdoor in upstream xz/liblzma leading to ssh server compromise.”
Freund, who volunteers as a “maintainer” for PostgreSQL, a Linux-based database, noticed a few strange things over the past few weeks while running tests. Encrypted remote log-ins involving liblzma, part of the XZ compression library, were using up a ton of CPU. None of the performance tools he used revealed anything, Freund wrote on Mastodon. This immediately made him suspicious, and he remembered an “odd complaint” from a Postgres user a couple of weeks earlier about Valgrind, Linux’s program that checks for memory errors.
After some sleuthing, Freund eventually discovered what was wrong. “The upstream xz repository and the xz tarballs have been backdoored,” noted Freund in his email. The malicious code was in versions 5.6.0 and 5.6.1 of the xz tools and libraries.
Shortly after, enterprise open source software company Red Hat sent out an emergency security alert for users of Fedora Rawhide and Fedora Linux 40. Ultimately, the company concluded that the beta version of Fedora Linux 40 contained two affected versions of the xz libraries. Fedora Rawhide versions likely received versions 5.6.0 or 5.6.1 as well.
PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA RAWHIDE INSTANCES for work or personal activity. Fedora Rawhide will be reverted to xz-5.4.x shortly, and once that is done, Fedora Rawhide instances can safely be redeployed.
Although a beta version of Debian, the free Linux distribution, contained compromised packages, its security team acted swiftly to revert them. “Right now no Debian stable versions are known to be affected,” wrote Debian’s Salvatore Bonaccorso in a security alert to users on Friday evening.
Freund later identified the person who submitted the malicious code as one of two main XZ Utils developers, known as JiaT75, or Jia Tan. “Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system. Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the “fixes” mentioned above,” wrote Freund in his analysis, after linking several workarounds that were made by JiaT75.
JiaT75 was a familiar name: they’d worked side-by-side with the original developer of the .xz file format, Lasse Collin, for a while. As programmer Russ Cox noted in his timeline, JiaT75 started by sending apparently legitimate patches to the XZ mailing list in October of 2021.
Other arms of the scheme unfolded a few months later, as two other identities, Jigar Kumar and Dennis Ens, began emailing complaints to Collin about bugs and the project’s slow development. However, as noted in reports by Evan Boehs and others, “Kumar” and “Ens” were never seen outside the XZ community, leading investigators to believe both are fakes that existed only to help Jia Tan get into position to deliver the backdoored code.
Image: Screenshot from The Mail Archive
An email from “Jigar Kumar” pressuring the developer of XZ Utils to relinquish control of the project.
“I am sorry about your mental health issues, but it’s important to be aware of your own limits. I get that this is a hobby project for all contributors, but the community desires more,” wrote Ens in one message, while Kumar said in another that “Progress will not happen until there is new maintainer.”
In the midst of this back and forth, Collin wrote that “I haven’t lost interest but my ability to care has been fairly limited mostly due to long-term mental health issues but also due to some other things,” and suggested Jia Tan would take on a bigger role. “It’s also good to keep in mind that this is an unpaid hobby project,” he concluded. The emails from “Kumar” and “Ens” continued until Tan was added as a maintainer later that year, able to make alterations and attempt to get the backdoored package into Linux distributions with more authority.
The xz backdoor incident and its aftermath are an example of both the beauty of open source and a striking vulnerability in the internet’s infrastructure.
“The lesson from the xz fiasco is that investments in maintenance and sustainability are unsexy and probably won’t get a middle manager their promotion but pay off a thousandfold over many years. But try selling that to a bean counter.” FFmpeg (@FFmpeg), April 2, 2024
A developer behind FFmpeg, a popular open-source media package, highlighted the problem in a tweet, saying “The xz fiasco has shown how a dependence on unpaid volunteers can cause major problems. Trillion dollar corporations expect free and urgent support from volunteers.” And they brought receipts, pointing out how they dealt with a “high priority” bug affecting Microsoft Teams.
Despite Microsoft’s dependence on its software, the developer writes, “After politely requesting a support contract from Microsoft for long term maintenance, they offered a one-time payment of a few thousand dollars instead…investments in maintenance and sustainability are unsexy and probably won’t get a middle manager their promotion but pay off a thousandfold over many years.”
Details of who is behind “JiaT75,” how they executed their plan, and the extent of the damage are being unearthed by an army of developers and cybersecurity professionals, both on social media and online forums. But that happens without direct financial support from many of the companies and organizations who benefit from being able to use secure software.
Photoncycle targets low-cost energy storage with a clever hydrogen solution
For years, the solar energy sector has grappled with interseasonal energy storage. The ability to harness the surplus solar energy of summer months for use during the winter has remained an elusive goal, with existing solutions like batteries falling short due to prohibitive costs and limited lifespans. Hydrogen, meanwhile, despite its clean-burning properties, has been
X names its third head of safety in less than two years
X has named a new head of safety nearly a year after the last executive in the position resigned. The company said Tuesday that it had promoted Kylie McRoberts to Head of Safety and hired Yale Cohen as Head of Brand Safety and Advertiser Solutions.
The two will have the unenviable task of leading X’s safety efforts, including its attempts to reassure advertisers that the platform doesn’t monetize hate speech or terrorist content. The company said earlier this year it planned to hire 100 new safety employees after previously cutting much of its safety staff.
Head of safety has been a particularly fraught position since Elon Musk took over the company previously known as Twitter. Musk has previously clashed with his safety leads and McRoberts is the third person to hold the title in less than two years. Previously, Yoel Roth resigned shortly after the disastrous rollout of Twitter Blue in 2022. Roth was replaced by Ella Irwin, who resigned last year after Musk publicly criticized employees for enforcing policies around misgendering.
Not much is known about McRoberts, but she is apparently an existing member of X’s safety team (her X account is currently private and a LinkedIn profile appears to have been recently deleted). “During her time at X, she has led initiatives to increase transparency in our moderation practices through labels, improve security with passkeys, as well as building out our new Safety Center of Excellence in Austin,” X said in a statement.
This article originally appeared on Engadget at https://www.engadget.com/x-names-its-third-head-of-safety-in-less-than-two-years-213004771.html?src=rss
@Potus just joined the fediverse via Instagram Threads
The fediverse — the name for the social network made up of interconnected servers, like Mastodon and others — just got another boost of legitimacy on Tuesday as the @Potus (President of the United States) account on Instagram Threads shared its first federated post. The account operated by Biden’s team published a message regarding the
OctoAI launches OctoStack for enterprises to customize, deploy private AI models
OctoAI unveils OctoStack, a SaaS offering for companies to deploy AI models privately either on a virtual cloud or on-premises.
Open source foundations unite on common standards for EU’s Cybersecurity Resilience Act
Seven open source foundations are coming together to create common specifications and standards for Europe’s Cyber Resilience Act (CRA), the regulation adopted by the European Parliament last month. The Apache Software Foundation, Blender Foundation, Eclipse Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, and Rust Foundation revealed their intentions to pool their collective resources and join