Newsletter

open source and cybersecurity news

December 7, 2023

It's 5:05, December 7, 2023. Time for your cybersecurity and open source headlines

In this Episode:

Marcel Brown: December 7, 1999. The Recording Industry Association of America sues the peer to peer file sharing service Napster, alleging copyright infringement for allowing users to download copyrighted music for free. The recording industry in general was caught with its pants down when it came to digital music and the internet.

Edwin Kwan: WordPress administrators are being targeted by a fake security advisory email campaign to install a malicious plugin on their websites. According to security researchers, the attackers sent deceptive emails to website administrators pretending to be from WordPress.

Katy Craig: A recent revelation has come to light about governments using smartphone apps’ push notifications to surveil users. US Senator Ron Wyden warned that unidentified governments are demanding push notification data from Google and Apple. This news raises significant privacy concerns, highlighting the often overlooked implications of push notifications.

Mark Miller: With the headline grabbing news of Sam Altman and the mess at OpenAI a couple of weeks ago, what’s gotten lost in the media is that OpenAI’s ChatGPT isn’t the only game in town. There are dozens of other AI chat engines that can provide you with something more specific to your needs than a general AI model that tries to be the best of everything.


The Stories Behind the Cybersecurity Headlines


Edwin Kwan
Malicious WordPress Plugin Issues Fake Security Advisories

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

WordPress administrators are being targeted by a fake security advisory email campaign that exploits a fictitious vulnerability (CVE-2023-45124) to install a malicious plugin on their websites.

This is Edwin Kwan from Sydney, Australia.

According to security researchers, the attackers sent deceptive emails to website administrators pretending to be from WordPress. The email is a fake WordPress security advisory for a critical Remote Code Execution (RCE) flaw. It encourages the download and installation of a supposed security patch plugin. Clicking the “Download Plugin” button redirects victims to a fake landing page that mimics the legitimate WordPress.com site. The fake plugin, with a likely inflated download count and phony user reviews, creates a hidden admin user and sends victim information to the attacker’s server. The plugin downloads a backdoor payload providing file management capabilities, a database client, a PHP console, and a command line terminal. The backdoor hides itself from the installed plugin list, so it requires manual removal.

While the operational goal of the plugin is unknown, it could potentially be used for various malicious activities such as injecting ads, redirecting visitors, stealing sensitive information, or threatening website owners with database content leaks.

Resources
– Patch Stack: https://patchstack.com/articles/fake-cve-phishing-campaign-tricks-wordpress-users-to-install-malware/
– Bleeping Computer: https://www.bleepingcomputer.com/news/security/fake-wordpress-security-advisory-pushes-backdoor-plugin/
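A defender's check for the two behaviours described in this segment (a plugin that hides itself from the installed plugin list, and a hidden administrator account), added here as an example; it is not code from the original segment or from the researchers it cites. It assumes the raw `active_plugins` option and each user's `wp_capabilities` row were pulled with a direct database query (so no plugin hook can filter them), and that `visible` holds the plugin file paths the admin Plugins screen shows; all sample values are constructed.

```python
import re

# Parser for the PHP serialize() subset WordPress stores in wp_options and wp_usermeta:
# int (i), bool (b), string (s), array (a). Lengths are byte counts, so it works on UTF-8
# bytes like PHP does and never trusts quote characters inside values.
_TOKEN = re.compile(rb'([ibsa]):([^;:]+)[;:]')

def _parse(data: bytes, pos: int):
    m = _TOKEN.match(data, pos)
    if not m:
        raise ValueError(f"bad token at offset {pos}")
    kind, arg, pos = m.group(1), m.group(2), m.end()
    if kind == b"i":
        return int(arg), pos
    if kind == b"b":
        return arg == b"1", pos
    if kind == b"s":
        n = int(arg)
        if data[pos:pos + 1] != b'"' or data[pos + 1 + n:pos + 3 + n] != b'";':
            raise ValueError(f"string length mismatch at offset {pos}")
        return data[pos + 1:pos + 1 + n].decode("utf-8"), pos + 3 + n
    if data[pos:pos + 1] != b"{":           # kind == b"a": arg is the element count
        raise ValueError(f"expected '{{' at offset {pos}")
    out, pos = {}, pos + 1
    for _ in range(int(arg)):
        key, pos = _parse(data, pos)
        out[key], pos = _parse(data, pos)
    if data[pos:pos + 1] != b"}":
        raise ValueError(f"expected '}}' at offset {pos}")
    return out, pos + 1

def php_unserialize(blob: str):
    return _parse(blob.encode("utf-8"), 0)[0]

# Constructed sample data, not from a real site: the raw `active_plugins` option and
# each user's `wp_capabilities` meta value as a direct SQL query returns them.
ACTIVE_PLUGINS_RAW = ('a:3:{i:0;s:19:"akismet/akismet.php";i:1;s:9:"hello.php";'
                      'i:2;s:39:"wp-security-patch/wp-security-patch.php";}')
CAPABILITY_ROWS = [("alice", 'a:1:{s:13:"administrator";b:1;}'),
                   ("bob", 'a:1:{s:6:"editor";b:1;}'),
                   ("wp-support", 'a:1:{s:13:"administrator";b:1;}')]  # stand-in for an injected account

def hidden_active_plugins(raw_option: str, visible: set) -> list:
    """Plugins WordPress actually loads but the admin Plugins screen omits: a plugin
    that filters itself out of `all_plugins` still has to be in `active_plugins`."""
    return sorted(p for p in php_unserialize(raw_option).values() if p not in visible)

def administrators(rows: list) -> list:
    """Logins whose capabilities grant administrator, read straight from usermeta
    so that a plugin hooking the admin user list cannot hide them."""
    return sorted(login for login, caps in rows if php_unserialize(caps).get("administrator"))
```

Any login returned by `administrators` that is not on the site's known-admin list, and any path returned by `hidden_active_plugins`, warrants the manual removal the segment mentions.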


Katy Craig
Feds surveilling us via push notifications

A recent revelation has come to light about governments using smartphone apps’ push notifications to surveil users. US Senator Ron Wyden, in a letter to the Department of Justice, warned that unidentified governments are demanding push notification data from Google and Apple.

This is Katy Craig in San Diego, California.

Push notifications, those dings and visual alerts we get for emails or other updates, travel through Google and Apple servers. This transit gives these tech giants a unique view into app user communications, placing them in a position to facilitate government surveillance.

Senator Wyden has urged the Department of Justice to allow public discussions about this surveillance method. In response, Apple has announced that it will update its transparency reports to include these government requests, now that the method is public. Google has also expressed its commitment to keeping users informed about such requests.

The identity of the foreign governments involved and the extent of the surveillance remain unclear. However, a source familiar with the matter confirmed that both foreign and US agencies have been using this data to link anonymous app users to specific accounts.

This news raises significant privacy concerns, highlighting the often overlooked implications of push notifications. Stay tuned for more on how this story develops and the broader implications for digital privacy.

This is Katy Craig, stay safe out there.

Resources
– Washington Post: https://www.washingtonpost.com/technology/2023/12/06/push-notifications-surveillance-apple-google/
– Reuters: https://www.reuters.com/technology/cybersecurity/governments-spying-apple-google-users-through-push-notifications-us-senator-2023-12-06/


Mark Miller
Special Report: ChatGPT Isn’t the Only AI Game in Town

Mark Miller, Executive Producer, It's 5:05

With the headline grabbing news of Sam Altman and the mess at OpenAI a couple weeks ago, what’s gotten lost in the media is that OpenAI’s ChatGPT isn’t the only game in town. What many don’t realize, or didn’t realize before yesterday’s Gemini announcement by Google, is that there are dozens of other AI chat engines that can provide you with something more specific to your needs than a general AI model that tries to be the best of everything.

This is Mark Miller in White Rock, New Mexico, after spending the morning trying to digest the tsunami of news that’s coming out daily around AI chatbots.

Miguel Rebelo from Zapier wrote a good article, summarizing the capabilities of over 20 chatbot engines. As I was looking over the list, it confirmed what Shannon Lietz and I have been talking about offline for a while now: there’s no one-size-fits-all model… yet. OpenAI with ChatGPT was just the first out of the gate and grabbed the majority of mindshare.

There are seven models I’ve got on my short list that I use for specific purposes. I’ll run through why you might consider using each for specific tasks based upon my personal experience. Your mileage may vary.

OpenAI: ChatGPT, the 800 pound gorilla
https://chat.openai.com/
There’s not much I want to say here, other than one of the most recent enhancements for their mobile app allows me to “talk” conversationally with the voice of Samantha from the movie “Her”. They opened it to the free accounts a couple weeks ago. When I first used it, it was disconcerting, fun and scary at the same time… too close to real for comfort at this stage of the game. It’s worth playing around with if you want a conversational assistant in the voice of Samantha or TARS from Interstellar.

Google: Gemini, the new kid on the block
https://blog.google/technology/ai/google-gemini-ai/
There was a big, BIG rollout by Google this week with Gemini. It kind of makes Bard look like the red-headed stepchild. There are dozens of video examples online, but the main one Google is pushing is picture recognition in realtime. There’s much more there, but I haven’t had time to play around with it yet.

Microsoft: Bing, online search
https://www.bing.com/
Bing is pretty self explanatory. It wants to be your conversational search engine. Honestly, I don’t use Google or Bing, so I don’t have an opinion on how good Bing’s conversational responses are, but if the progress in the industry is any indication, it’s worth trying out.

Anthropic: Claude, File upload and large conversational memory
https://claude.ai/
I’ve used Claude quite a bit. Shannon Lietz, lawyer Joel MacMull and I are recording the first episodes for the “AI and the Law” podcast that launches in January. Claude allows me to take a 150 page filing and ask for a summary with bullet points that gives an almost immediate overview of the case filing. If you have to review long documents, or decide if a document is worth doing a deep dive, Claude is indispensable.

Meta: Llama 2, open source, open license AI model
https://www.perplexity.ai/pro
https://ai.meta.com/llama/
Meta’s contribution into the game is an interesting one. Because this is an open source engine, if you’re technically inclined, this one’s worth looking at. The idea of building your own localized model is intriguing.

Perplexity: deep dive research
https://blog.perplexity.ai/blog/introducing-pplx-online-llms
A lot of people don’t know about Perplexity. I’ve been using it quite a bit since John Willis introduced me to it six months ago. The most important feature for me as a researcher is that it shows provenance of the responses, with direct links to the original sources it’s drawing its inferences from.

Jasper AI: Dedicated marketing and content generation
https://www.swagscale.com/who-created-jasper-ai/
Jasper is an interesting proposition. It focuses on a very niche market: marketing and content generation. For you older programmers, do you remember VI? A very simple tool that did one thing very well. That’s what Jasper’s trying to do: be the best of one thing.

Those are my personal preferences on these engines. If you want to see other alternatives, read “The Best AI Chatbots in 2024”. Links to the engines referenced here, and the article from Zapier, are available at the bottom of this segment at 505updates.com.

https://zapier.com/blog/best-ai-chatbot/


Marcel Brown
This Day, December 7, in Tech History

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Marcel Brown bringing you some technology history for December 7th.

December 7, 1999. The Recording Industry Association of America sues the peer to peer file sharing service Napster, alleging copyright infringement for allowing users to download copyrighted music for free. The RIAA would eventually win injunctions against Napster, forcing the service to suspend operation and eventually file bankruptcy.

In the end, the RIAA and its members would settle with Napster’s financial backers for hundreds of millions of dollars. While the case was ostensibly about copyright violations, the bigger picture for the RIAA was also about control.

The recording industry in general was caught with its pants down when it came to digital music and the internet. They were not prepared for the sudden popularity of digital music downloads that Napster introduced and were not ready with a model to monetize downloaded music. This lawsuit, along with future lawsuits targeting individuals, was intended to squash the practice of downloading music as much as it was to recover compensation.

However, the practice of downloading music could not be stopped as other non centralized peer to peer file sharing services popped up in place of Napster. Faced with the ever increasing tide of users downloading music for free, eventually the recording industry reluctantly got on board with commercialized music downloading services like the iTunes Music Store.

However, they still lost a great deal of control over the marketplace. Leveraging the huge success of iTunes, Apple enforced a strict pricing policy, much to the consternation of the record companies. By creating a de facto pricing standard for downloaded music, Apple became the major powerhouse in the music industry.

The runaway success of iTunes also had the effect of Apple displacing established retail and radio outlets as the gatekeepers of popular music. As well, the ability for artists, independent of record companies, to distribute their music and gain followings greatly disrupted the control the RIAA and its members had over the music industry.

While the RIAA may have taken down Napster, what Napster started completely changed the direction of both the music and technology industries forever.

That’s your technology history for today. For more, tune in tomorrow and visit my website, ThisDayInTechHistory.com.

Resources
This Day in Tech History: https://thisdayintechhistory.com/12/07
