Fresh from the feed

Software group behind TurboTax and Credit Karma will pay AI start-up to use its technology

Suspected espionage-driven threat actors from Iran have been observed deploying backdoors like TWOSTROKE and DEEPROOT as part of continued attacks aimed at aerospace, aviation, and defense industries in the Middle East. The activity has been attributed by Google-owned Mandiant to a threat cluster tracked as UNC1549 (aka Nimbus Manticore or Subtle Snail), which was first documented by the threat

AI accounting startup Maxima raises $41 million in Kleiner Perkins-backed round Reuters

Cloudflare is investigating an outage affecting its global network services, with users encountering "internal server error" messages when attempting to access affected websites and online platforms. [...]

Bitcoin price at lowest level since April while FTSE 100 falls as Google boss warns there is ‘irrationality’ in AI boom Business live – latest updates More than $1tn (£760bn) has been wiped off the value of the cryptocurrency market in the past six weeks amid fears of a tech bubble and fading expectations for a US rate cut next month. Tracking more than 18,500 coins, the value of the crypto market has fallen by a quarter since a high in early October, according to the data company CoinGecko. Continue reading...

Trail of Bits is publicly disclosing two vulnerabilities in elliptic , a widely used JavaScript library for elliptic curve cryptography that is downloaded over 10 million times weekly and is used by close to 3,000 projects. These vulnerabilities, caused by missing modular reductions and a missing length check, could allow attackers to forge signatures or prevent valid signatures from being verified, respectively. One vulnerability is still not fixed after a 90-day disclosure window that ended in October 2024. It remains unaddressed as of this publication. I discovered these vulnerabilities using Wycheproof , a collection of test vectors designed to test various cryptographic algorithms against known vulnerabilities. If you’d like to learn more about how to use Wycheproof, check out this guide I published . In this blog post, I’ll describe how I used Wycheproof to test the elliptic library, how the vulnerabilities I discovered work, and how they can enable signature forgery or prevent signature verification. Methodology During my internship at Trail of Bits, I wrote a detailed guide on using Wycheproof for the new cryptographic testing chapter of the Testing Handbook . I decided to use the elliptic library as a real-world case study for this guide, which allowed me to discover the vulnerabilities in question. I wrote a Wycheproof testing harness for the elliptic package, as described in the guide. I then analyzed the source code covered by the various failing test cases provided by Wycheproof to classify them as false positives or real findings. With an understanding of why these test cases were failing, I then wrote proof-of-concept code for each bug. After confirming they were real findings, I began the coordinated disclosure process. Findings In total, I identified five vulnerabilities, resulting in five CVEs. Three of the vulnerabilities were minor parsing issues. I disclosed those issues in a public pull request against the repository and subsequently requested CVE IDs to keep track of them. Two of the issues were more severe. I disclosed them privately using the GitHub advisory feature. Here are some details on these vulnerabilities. CVE-2024-48949: EdDSA signature malleability This issue stems from a missing out-of-bounds check, which is specified in the NIST FIPS 186-5 in section 7.8.2, “HashEdDSA Signature Verification”: Decode the first half of the signature as a point R and the second half of the signature as an integer s . Verify that the integer s is in the range of 0 ≤ s 0 ) msg = msg . ushrn ( delta ); ... }; The delta variable calculates the difference between the size of the hash and the order n of the current generator for the curve. If msg occupies more bits than n , it is shifted by the difference. For this specific test case, we use secp192r1, which uses 192 bits, and SHA-256, which uses 256 bits. The hash should be shifted by 64 bits to the right to retain the leftmost 192 bits. The issue in the elliptic library arises because the new BN(msg, 16) conversion removes leading zeros, resulting in a smaller hash that takes up fewer bytes. 690ed426ccf17803ebe2bd0884bcd58a1bb5e7477ead3645f356e7a9 During the delta calculation, msg.byteLength() then returns 28 bytes instead of 32. EC . prototype . _truncateToN = function _truncateToN ( msg , truncOnly ) { var delta = msg . byteLength () * 8 - this . n . bitLength (); ... }; This miscalculation results in an incorrect delta of 32 = (288 - 192) instead of 64 = (328 - 192) . Consequently, the hashed message is not shifted correctly, causing verification to fail. This issue causes valid signatures to be rejected if the message hash contains enough leading zeros, with a probability of 2 -32 . To fix this issue, an additional argument should be added to the verification function to allow the hash size to be parsed: EC . prototype . verify = function verify ( msg , signature , key , enc , msgSize ) { msg = this . _truncateToN ( new BN ( msg , 16 ), undefined , msgSize ); ... } EC . prototype . _truncateToN = function _truncateToN ( msg , truncOnly , msgSize ) { var size = ( typeof msgSize === 'undefined' ) ? ( msg . byteLength () * 8 ) : msgSize ; var delta = size - this . n . bitLength (); ... }; On the importance of continuous testing These vulnerabilities serve as an example of why continuous testing is crucial for ensuring the security and correctness of widely used cryptographic tools. In particular, Wycheproof and other actively maintained sets of cryptographic test vectors are excellent tools for ensuring high-quality cryptography libraries. We recommend including these test vectors (and any other relevant ones) in your CI/CD pipeline so that they are rerun whenever a code change is made. This will ensure that your library is resilient against these specific cryptographic issues both now and in the future. Coordinated disclosure timeline For the disclosure process, we used GitHub’s integrated security advisory feature to privately disclose the vulnerabilities and used the report template as a template for the report structure. July 9, 2024: We discovered failed test vectors during our run of Wycheproof against the elliptic library. July 10, 2024: We confirmed that both the ECDSA and EdDSA module had issues and wrote proof-of-concept scripts and fixes to remedy them. For CVE-2024-48949 July 16, 2024: We disclosed the EdDSA signature malleability issue using the GitHub security advisory feature to the elliptic library maintainers and created a private pull request containing our proposed fix. July 16, 2024: The elliptic library maintainers confirmed the existence of the EdDSA issue, merged our proposed fix , and created a new version without disclosing the issue publicly. Oct 10, 2024: We requested a CVE ID from MITRE. Oct 15, 2024: As 90 days had elapsed since our private disclosure, this vulnerability became public. For CVE-2024-48948 July 17, 2024: We disclosed the ECDSA signature verification issue using the GitHub security advisory feature to the elliptic library maintainers and created a private pull request containing our proposed fix. July 23, 2024: We reached out to add an additional collaborator to the ECDSA GitHub advisory, but we received no response. Aug 5, 2024: We reached out asking for confirmation of the ECDSA issue and again requested to add an additional collaborator to the GitHub advisory. We received no response. Aug 14, 2024: We again reached out asking for confirmation of the ECDSA issue and again requested to add an additional collaborator to the GitHub advisory. We received no response. Oct 10, 2024: We requested a CVE ID from MITRE. Oct 13, 2024: Wycheproof test developer Daniel Bleichenbacher independently discovered and disclosed issue #321 , which is related to this discovery. Oct 15, 2024: As 90 days had elapsed since our private disclosure, this vulnerability became public.

Much of the US economy rests on AI’s future. On this episode of The Big Interview podcast, Odd Lots cohost Joe Weisenthal breaks down why AI’s impact on finance goes beyond billion-dollar investments.

Bubble or breakout? Nvidia earnings put AI boom under the microscope Reuters

Nvidia set for $320 billion price swing after earnings, options indicate Reuters

Decision tree-based models in machine learning are frequently used for a wide range of predictive tasks such as classification and regression, typically on structured, tabular data.

Identity security fabric (ISF) is a unified architectural framework that brings together disparate identity capabilities. Through ISF, identity governance and administration (IGA), access management (AM), privileged access management (PAM), and identity threat detection and response (ITDR) are all integrated into a single, cohesive control plane. Building on Gartner’s definition of “identity

As Gore Verbinski’s AI-apocalypse film Good Luck, Have Fun, Don’t Die hurtles towards us, it’s clear from the over-caffeinated trailer that we won’t be getting another ponderous parable about robot souls, digital enlightenment or the hubris of man It’s easy to forget, given the current glut of robot-uprising doom flicks, that Hollywood has been doing the artificial intelligence thing for decades – long before anything resembling true AI existed in the real world. And now we live in an era in which a chatbot can write a passable sonnet, it is perhaps surprising that there hasn’t been a huge shift in how film-makers approach this particular corner of sci-fi. Gareth Edwards’ The Creator (2023) is essentially the same story about AIs being the newly persecuted underclass as 1962’s The Creation of the Humanoids, except that the former has an $80m VFX budget and robot monks while the latter has community-theatre production values. Moon (2009) and 1968’s 2001: A Space Odyssey are both about the anxiety of being trapped with a soft-voiced machine that knows more than you. Her (2013) is basically Electric Dreams (1984) with fewer synth-pop arpeggios. Continue reading...

Cybersecurity researchers have discovered a set of seven npm packages published by a single threat actor that leverages a cloaking service called Adspect to differentiate between real victims and security researchers to ultimately redirect them to sketchy crypto-themed sites. The malicious npm packages, published by a threat actor named "dino_reborn" between September and November 2025, are

Google has released an emergency security update to fix the seventh Chrome zero-day vulnerability exploited in attacks this year. [...]

His company is potentially creating the ultimate state surveillance tool, and Karp has recently been on a striking political and philosophical journey. His biographer reveals what makes him tick In a recent interview , Alex Karp said that his company Palantir was “the most important software company in America and therefore in the world”. He may well be right. To some, Palantir is also the scariest company in the world, what with its involvement in the Trump administration’s authoritarian agenda. The potential end point of Palantir’s tech is an all-powerful government system amalgamating citizens’ tax records, biometric data and other personal information – the ultimate state surveillance tool. No wonder Palantir has been likened to George Orwell’s Big Brother, or Skynet from the Terminator movies. Does this make Karp the scariest CEO in the world? There is some competition from Elon Musk, Mark Zuckerberg, Jeff Bezos and Palantir’s co-founder Peter Thiel. But 58-year-old Karp could give them all a run for their money in terms of influence, self-belief, ambition and – even in this gallery of oddballs – sheer eccentricity. In his increasingly frequent media appearances, Karp is a striking presence, with his cloud of unkempt grey hair, his 1.25x speed diction, and his mix of combative conviction and almost childish mannerisms. On CNBC’s Squawk Box, he shook both fists simultaneously as he railed against short sellers betting against Palantir, whose share price has climbed nearly 600% in the past year: “It’s super triggering,” he complained. “Why do they have to go after us?” Continue reading...

AI's scary new trick: Conducting cyberattacks instead of just helping out ZDNET

Sundar Pichai says artificial intelligence models are ‘prone to some errors’ and warns of impact if AI bubble bursts The head of Google’s parent company has said people should not “blindly trust” everything artificial intelligence tools tell them. In an interview with the BBC , Sundar Pichai, the chief executive of Alphabet, said AI models were “prone to errors” and urged people to use them alongside other tools. Continue reading...

Microsoft on Monday disclosed that it automatically detected and neutralized a distributed denial-of-service (DDoS) attack targeting a single endpoint in Australia that measured 15.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (pps). The tech giant said it was the largest DDoS attack ever observed in the cloud, and that it originated from a TurboMirai-class Internet of

We introduce Deep Research Tulu (DR Tulu), an open post-training recipe and framework for long-form deep research agents.

Barry Callebaut to use NotCo AI to develop chocolate recipes Reuters