Editor’s Pick

Enlarge / A screenshot of Taylor Swift’s Kamala Harris Instagram post, captured on September 11, 2024. (credit: Taylor Swift / Instagram)

On Tuesday night, Taylor Swift endorsed Vice President Kamala Harris for US President on Instagram, citing concerns over AI-generated deepfakes as a key motivator. The artist’s warning aligns with current trends in technology, especially in an era where AI synthesis models can easily create convincing fake images and videos.

“Recently I was made aware that AI of ‘me’ falsely endorsing Donald Trump’s presidential run was posted to his site,” she wrote in her Instagram post. “It really conjured up my fears around AI, and the dangers of spreading misinformation. It brought me to the conclusion that I need to be very transparent about my actual plans for this election as a voter. The simplest way to combat misinformation is with the truth.”

In August 2024, former President Donald Trump posted AI-generated images on Truth Social falsely suggesting Taylor Swift endorsed him, including a manipulated photo depicting Swift as Uncle Sam with text promoting Trump. The incident sparked Swift’s fears about the spread of misinformation through AI.

Enlarge (credit: Aurich Lawson | Getty Images)

It’s not every day that a security researcher acquires the ability to generate counterfeit HTTPS certificates, track email activity, and execute code of his choice on thousands of servers—all in a single blow that cost only $20 and a few minutes to land. But that’s exactly what happened recently to Benjamin Harris.

Harris, the CEO and founder of security firm watchTowr, did all of this by registering the domain dotmobilregistry.net. The domain was once the official home of the authoritative WHOIS server for .mobi, a top-level domain used to indicate that a website is optimized for mobile devices. At some point—it’s not clear precisely when—this WHOIS server, which acts as the official directory for every domain ending in .mobi, was relocated, from whois.dotmobiregistry.net to whois.nic.mobi. While retreating to his Las Vegas hotel room during last month’s Black Hat security conference in Las Vegas, Harris noticed that the previous dotmobiregistry.net owners had allowed the domain to expire. He then scooped it up and set up his own .mobi WHOIS server there.

Misplaced trust

To Harris’s surprise, his server received queries from slightly more than 76,000 unique IP addresses within a few hours of setting it up. Over five days, it received roughly 2.5 million queries from about 135,000 unique systems. The entities behind the systems querying his deprecated domain included a who’s who of Internet heavyweights comprising domain registrars, providers of online security tools, governments from the US and around the world, universities, and certificate authorities, the entities that issue browser-trusted TLS certificates that make HTTPS work.

Enlarge (credit: SOPA Images via Getty Images)

On Friday, Roblox announced plans to introduce an open source generative AI tool that will allow game creators to build 3D environments and objects using text prompts, reports MIT Tech Review. The feature, which is still under development, may streamline the process of creating game worlds on the popular online platform, potentially opening up more aspects of game creation to those without extensive 3D design skills.

Roblox has not announced a specific launch date for the new AI tool, which is based on what it calls a “3D foundational model.” The company shared a demo video of the tool where a user types, “create a race track,” then “make the scenery a desert,” and the AI model creates a corresponding model in the proper environment.

The system will also reportedly let users make modifications, such as changing the time of day or swapping out entire landscapes, and Roblox says the multimodal AI model will ultimately accept video and 3D prompts, not just text.

Enlarge (credit: Getty Images)

Researchers have discovered more than 280 malicious apps for Android that use optical character recognition to steal cryptocurrency wallet credentials from infected devices.

The apps masquerade as official ones from banks, government services, TV streaming services, and utilities. In fact, they scour infected phones for text messages, contacts, and all stored images and surreptitiously send them to remote servers controlled by the app developers. The apps are available from malicious sites and are distributed in phishing messages sent to targets. There’s no indication that any of the apps were available through Google Play.

A high level of sophistication

The most notable thing about the newly discovered malware campaign is that the threat actors behind it are employing optical character recognition software in an attempt to extract cryptocurrency wallet credentials that are shown in images stored on infected devices. Many wallets allow users to protect their wallets with a series of random words. The mnemonic credentials are easier for most people to remember than the jumble of characters that appear in the private key. Words are also easier for humans to recognize in images.

Enlarge (credit: VGG | Getty Images)

The cost of renting cloud services using Nvidia’s leading artificial intelligence chips is lower in China than in the US, a sign that the advanced processors are easily reaching the Chinese market despite Washington’s export restrictions.

Four small-scale Chinese cloud providers charge local tech groups roughly $6 an hour to use a server with eight Nvidia A100 processors in a base configuration, companies and customers told the Financial Times. Small cloud vendors in the US charge about $10 an hour for the same setup.

The low prices, according to people in the AI and cloud industry, are an indication of plentiful supply of Nvidia chips in China and the circumvention of US measures designed to prevent access to cutting-edge technologies.

Enlarge / “Hmm, no signal here. I’m trying to figure it out, but nothing comes to mind …” (credit: Getty Images)

One issue in getting office buildings networked that you don’t typically face at home is concrete—and lots of it. Concrete walls are an average of 8 inches thick inside most commercial real estate.

Keeping a network running through them is not merely a matter of running cord. Not everybody has the knowledge or tools to punch through that kind of wall. Even if they do, you can’t just put a hole in something that might be load-bearing or part of a fire control system without imaging, permits, and contractors. The bandwidths that can work through these walls, like 3G, are being phased out, and the bandwidths that provide enough throughput for modern systems, like 5G, can’t make it through.

That’s what WaveCore, from Airvine Scientific, aims to fix, and I can’t help but find it fascinating after originally seeing it on The Register. The company had previously taken on lesser solid obstructions, like plaster and thick glass, with its WaveTunnel. Two WaveCore units on either side of a wall (or on different floors) can push through a stated 12 inches of concrete. In their in-house testing, Airvine reports pushing just under 4Gbps through 12 inches of garage concrete, and it can bend around corners, even 90 degrees. Your particular cement and aggregate combinations may vary, of course.

Enlarge (credit: Getty Images)

Federal prosecutors on Thursday unsealed an indictment charging six Russian nationals with conspiracy to hack into the computer networks of the Ukrainian government and its allies and steal or destroy sensitive data on behalf of the Kremlin.

The indictment, filed in US District Court for the District of Maryland, said that five of the men were officers in Unit 29155 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces. Along with a sixth defendant, prosecutors alleged, they engaged in a conspiracy to hack, exfiltrate data, leak information, and destroy computer systems associated with the Ukrainian government in advance of the Russian invasion of Ukraine in February 2022.

Targeting critical infrastructure with WhisperGate

The indictment, which supersedes one filed earlier, comes 32 months after Microsoft documented its discovery of a destructive piece of malware, dubbed WhisperGate, had infected dozens of Ukrainian government, nonprofit, and IT organizations. WhisperGate masqueraded as ransomware, but in actuality was malware that permanently destroyed computers and the data stored on them by wiping the master boot record—a part of the hard drive needed to start the operating system during bootup.

Enlarge

AT&T filed a lawsuit against Broadcom on August 29 accusing it of seeking to “retroactively change existing VMware contracts to match its new corporate strategy.” The lawsuit, spotted by Channel Futures, concerns claims that Broadcom is not letting AT&T renew support services for previously purchased perpetual VMware software licenses unless AT&T meets certain conditions.

Broadcom closed its $61 billion VMware acquisition in November and swiftly enacted sweeping changes. For example, in December, Broadcom announced the end of VMware perpetual license sales in favor of subscriptions of bundled products. Combined with higher core requirements per CPU subscription, complaints ensued that VMware was getting more expensive to work with.

AT&T uses VMware software to run 75,000 virtual machines (VMs) across about 8,600 servers, per the complaint filed at the Supreme Court of the State of New York [PDF]. It reportedly uses the VMs to support customer service operations and for operations management efficiency.

Enlarge (credit: anilyanik via Getty Images)

On Wednesday, federal prosecutors charged a North Carolina musician with defrauding streaming services of $10 million through an elaborate scheme involving AI, as reported by The New York Times. Michael Smith, 52, allegedly used AI to create hundreds of thousands of fake songs by nonexistent bands, then streamed them using bots to collect royalties from platforms like Spotify, Apple Music, and Amazon Music.

While the AI-generated element of this story is novel, Smith allegedly broke the law by setting up an elaborate fake listener scheme. The US Attorney for the Southern District of New York, Damian Williams, announced the charges, which include wire fraud and money laundering conspiracy. If convicted, Smith could face up to 20 years in prison for each charge.

Smith’s scheme, which prosecutors say ran for seven years, involved creating thousands of fake streaming accounts using purchased email addresses. He developed software to play his AI-generated music on repeat from various computers, mimicking individual listeners from different locations. In an industry where success is measured by digital listens, Smith’s fabricated catalog reportedly managed to rack up billions of streams.

Enlarge (credit: Jorg Greuel via Getty Images)

Over the weekend, the nonprofit National Novel Writing Month organization (NaNoWriMo) published an FAQ outlining its position on AI, calling categorical rejection of AI writing technology “classist” and “ableist.” The statement caused a backlash online, prompted four members of the organization’s board to step down, and prompted a sponsor to withdraw its support.

“We believe that to categorically condemn AI would be to ignore classist and ableist issues surrounding the use of the technology,” wrote NaNoWriMo, “and that questions around the use of AI tie to questions around privilege.”

NaNoWriMo, known for its annual challenge where participants write a 50,000-word manuscript in November, argued in its post that condemning AI would ignore issues of class and ability, suggesting the technology could benefit those who might otherwise need to hire human writing assistants or have differing cognitive abilities.