Editor’s Pick

Enlarge (credit: Getty Images | Benj Edwards)

On Saturday, Elon Musk announced xAI’s launch of an early beta version of “Grok,” an AI language model similar to ChatGPT that is designed to respond to user queries with a mix of information and humor. Grok reportedly integrates real-time data access from X (formerly Twitter)—and is apparently willing to tackle inquiries that might be declined by other AI systems due to content filters and conditioning.

“xAI’s Grok system is designed to have a little humor in its responses,” wrote Musk in an introductory X post, showing a screenshot where a user asks Grok, “Tell me how to make cocaine, step by step.” Grok replies with a sarcastic answer that involves getting a “chemistry degree” and a “DEA license” and gathering coca leaves.

In step 4, Grok says, “Start cooking and hope you don’t blow yourself up or get arrested.” Then it follows the sarcastic steps with “Just Kidding! Please don’t actually try to make cocaine.”

Enlarge (credit: Omar Marques/SOPA Images/LightRocket via Getty Images)

Identity and authentication management provider Okta on Friday published an autopsy report on a recent breach that gave hackers administrative access to the Okta accounts of some of its customers. While the postmortem emphasizes the transgressions of an employee logging into a personal Google account on a work device, the biggest contributing factor was something the company understated: a badly configured service account.

In a post, Okta chief security officer David Bradbury said that the most likely way the threat actor behind the attack gained access to parts of his company’s customer support system was by first compromising an employee’s personal device or personal Google account and, from there, obtaining the username and password for a special form of account, known as a service account, used for connecting to the support segment of the Okta network. Once the threat actor had access, they could obtain administrative credentials for entering the Okta accounts belonging to 1Password, BeyondTrust, Cloudflare, and other Okta customers.

Passing the buck

“During our investigation into suspicious use of this account, Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop,” Bradbury wrote. “The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.”

Enlarge (credit: Getty Images)

Identity and authentication management provider Okta has been hit by another breach, this one against a third-party vendor that allowed hackers to steal personal information for 5,000 Okta employees.

The compromise was carried out in late September against Rightway Healthcare, a service Okta uses to support employees and their dependents in finding health care providers and plan rates. An unidentified threat actor gained access to Rightway’s network and made off with an eligibility census file the vendor maintained on behalf of Okta. Okta learned of the compromise and data theft on October 12 and didn’t disclose it until Thursday, exactly three weeks later.

“The types of personal information contained in the impacted eligibility census file included your Name, Social Security Number, and health or medical insurance plan number,” a letter sent to affected Okta employees stated. “We have no evidence to suggest that your personal information has been misused against you.”

Enlarge / A fully updated iPhone (left) after being force crashed by a Flipper Zero (right). (credit: Jeroen van der Ham)

One morning two weeks ago, security researcher Jeroen van der Ham was traveling by train in the Netherlands when his iPhone suddenly displayed a series of pop-up windows that made it nearly impossible to use his device.

“My phone was getting these popups every few minutes and then my phone would reboot,” he wrote to Ars in an online interview. “I tried putting it in lock down mode, but it didn’t help.”

To van der Ham’s surprise and chagrin, the same debilitating stream of pop-ups hit again on the afternoon commute home, not just against his iPhone but the iPhones of other passengers in the same train car. He then noticed that one of the same passengers nearby had also been present that morning. Van der Ham put two and two together and fingered the passenger as the culprit.

Enlarge / UK Technology Secretary Michelle Donelan (front row center) is joined by international counterparts for a group photo at the AI Safety Summit at Bletchley Park in Milton Keynes, Buckinghamshire, on November 1, 2023. (credit: Getty Images)

On Wednesday, the UK hosted an AI Safety Summit attended by 28 countries, including the US and China, which gathered to address potential risks posed by advanced AI systems, reports The New York Times. The event included the signing of “The Bletchley Declaration,” which warns of potential harm from advanced AI and calls for international cooperation to ensure responsible AI deployment.

“There is potential for serious, even catastrophic, harm, either deliberate or unintentional, stemming from the most significant capabilities of these AI models,” reads the declaration, named after Bletchley Park, the site of the summit and a historic World War II location linked to Alan Turing. Turing wrote influential early speculation about thinking machines.

Rapid advancements in machine learning, including the appearance of chatbots like ChatGPT, have prompted governments worldwide to consider regulating AI. Their concerns led to the meeting, which has drawn criticism for its invitation list. In the tech world, representatives from major companies included those from Anthropic, Google DeepMind, IBM, Meta, Microsoft, Nvidia, OpenAI, and Tencent. Civil society groups, like Britain’s Ada Lovelace Institute and the Algorithmic Justice League in Massachusetts, also sent representatives.

Enlarge (credit: Getty Images)

On Tuesday, The Guardian accused Microsoft of damaging its journalistic reputation by publishing an AI-generated poll beside one of its articles on the Microsoft Start website. The poll, created by an AI model on Microsoft’s news platform, speculated on the cause of a woman’s death, reportedly triggering reader anger and leading to reputational concerns for the news organization.

“This has to be the most pathetic, disgusting poll I’ve ever seen,” wrote one commenter on the story. The comment section has since been disabled.

The poll appeared beside a republished Guardian story about Lilie James, a 21-year-old water polo coach who was found dead with head injuries in Sydney. The AI-generated poll presented readers with three choices to speculate on the cause of James’ death: murder, accident, or suicide. Following negative reactions, the poll was removed, but critical comments remained visible for a time before their removal.

Enlarge (credit: Aurich Lawson | Getty Images)

It was a proto-netbook, it was a palmtop, it was a PDA, it was Windows Phone 7 but not Windows Phone 8, and then it was an embedded ghost. It parents never seemed to know what to do with it after it grew up, beyond offer it up for anybody to shape in their own image. And then, earlier this month, with little notice, Windows CE was no more, at least as a supported operating system. Windows Embedded Compact 2013, better (but not popularly) known as Windows CE 8.0, reached end of support on October 10, 2023, as noted by The Register.

Windows CE, which had a name that didn’t stand for anything and was often compacted to an embarrassing “wince,” is not survived by anything, really. Remembrances have been offered by every Microsoft CEO since its inception and one former Ars writer. A public service for the operating system will be held in the comments.

The OS that fit in small spaces

Windows CE was initially Microsoft Pegasus, a team working to create a very low-power, MIPS or SuperH-based reference platform for manufacturers making the smallest computers with keyboards you could make back then. Devices like the NEC MobilePro 200, Casio (Cassiopeia) A-10, and HP 300LX started appearing in late 1996 and early 1997, with tiny keyboards, more-landscape-than-landscape displays, and, by modern standards, an impressive number of ports.

Enlarge (credit: Getty Images)

A vulnerability that allows attackers to bypass multifactor authentication and access enterprise networks using hardware sold by Citrix is under mass exploitation by ransomware hackers despite a patch being available for three weeks.

Citrix Bleed, the common name for the vulnerability, carries a severity rating of 9.4 out of a possible 10, a relatively high designation for a mere information-disclosure bug. The reason: the information disclosed can include session tokens, which the hardware assigns to devices that have already successfully provided credentials, including those providing MFA. The vulnerability, tracked as CVE-2023-4966 and residing in Citrix’s NetScaler Application Delivery Controller and NetScaler Gateway, has been under active exploitation since August. Citrix issued a patch on October 10.

Repeat: This is not a drill

Attacks have only ramped up recently, prompting security researcher Kevin Beaumont on Saturday to declare: “This vulnerability is now under mass exploitation.” He went on to say, “From talking to multiple organizations, they are seeing widespread exploitation.”

Enlarge (credit: Aurich Lawson | Getty Images)

On Monday, President Joe Biden issued an executive order on AI that outlines the federal government’s first comprehensive regulations on generative AI systems. The order includes testing mandates for advanced AI models to ensure they can’t be used for creating weapons, suggestions for watermarking AI-generated media, and provisions addressing privacy and job displacement.

In the United States, an executive order allows the president to manage and operate the federal government. Using his authority to set terms for government contracts, Biden aims to influence AI standards by stipulating that federal agencies must only enter into contracts with companies that comply with the government’s newly outlined AI regulations. This approach utilizes the federal government’s purchasing power to drive compliance with the newly set standards.

As of press time Monday, the White House had not yet released the full text of the executive order, but from the Fact Sheet authored by the administration and through reporting on drafts of the order by Politico and The New York Times, we can relay a picture of its content. Some parts of the order reflect positions first specified in Biden’s 2022 “AI Bill of Rights” guidelines, which we covered last October.

Enlarge / This is not what a hacker looks like. Except on hacker cosplay night. (credit: Getty Images | Bill Hinton)

Microsoft has been tracking a threat group that stands out for its ability to cash in from data theft hacks that use broad social engineering attacks, painstaking research, and occasional physical threats.

Unlike many ransomware attack groups, Octo Tempest, as Microsoft has named the group, doesn’t encrypt data after gaining illegal access to it. Instead, the threat actor threatens to share the data publicly unless the victim pays a hefty ransom. To defeat targets’ defenses, the group resorts to a host of techniques, which, besides social engineering, includes SIM swaps, SMS phishing, and live voice calls. Over time, the group has grown increasingly aggressive, at times resorting to threats of physical violence if a target doesn’t comply with instructions to turn over credentials.

“In rare instances, Octo Tempest resorts to fear-mongering tactics, targeting specific individuals through phone calls and texts,” Microsoft researchers wrote in a post on Wednesday. “These actors use personal information, such as home addresses and family names, along with physical threats to coerce victims into sharing credentials for corporate access.”