AI

AI-Operated F-16 Jet Carries Air Force Official Into 550-MPH Aerial Combat Test (apnews.com) 30

The Associated Press reports that an F-16 performing aerial combat tests at 550 miles per hour was "controlled by artificial intelligence, not a human pilot."

And riding in the front seat was the U.S. Secretary of the Air Force... AI marks one of the biggest advances in military aviation since the introduction of stealth in the early 1990s, and the Air Force has aggressively leaned in. Even though the technology is not fully developed, the service is planning for an AI-enabled fleet of more than 1,000 unmanned warplanes, the first of them operating by 2028.

It was fitting that the dogfight took place at [California's] Edwards Air Force Base, a vast desert facility where Chuck Yeager broke the speed of sound and the military has incubated its most secret aerospace advances. Inside classified simulators and buildings with layers of shielding against surveillance, a new test-pilot generation is training AI agents to fly in war. [U.S. Secretary of the Air Force] Frank Kendall traveled here to see AI fly in real time and make a public statement of confidence in its future role in air combat.

"It's a security risk not to have it. At this point, we have to have it," Kendall said in an interview with The Associated Press after he landed... At the end of the hourlong flight, Kendall climbed out of the cockpit grinning. He said he'd seen enough during his flight that he'd trust this still-learning AI with the ability to decide whether or not to launch weapons in war... [T]he software first learns on millions of data points in a simulator, then tests its conclusions during actual flights. That real-world performance data is then put back into the simulator where the AI then processes it to learn more.

"Kendall said there will always be human oversight in the system when weapons are used," the article notes.

But he also said he looked forward to the cost savings of smaller and cheaper AI-controlled unmanned jets.

Slashdot reader fjo3 shared a link to this video. (More photos at Sky.com.)
The Almighty Buck

Will Calls to Scrutinize Digital-Currency Purchases of Oil Bring New Regulations For Crypto? (yahoo.com) 9

Last month Reuters reported that Venezuela's state-run oil company "plans to increase digital currency usage in its crude and fuel exports as the U.S. reimposes oil sanctions on the country, three people familiar with the plan said." [The oil company] since last year had been slowly moving oil sales to USDT, a digital currency also known as Tether whose value is pegged to the U.S. dollar and designed to maintain a stable value. The return of oil sanctions is speeding up the shift, a move to reduce the risk of sale proceeds getting frozen in foreign bank accounts due to the measures, the people said...

Tether said in an email it respects the U.S. Treasury's list of sanctioned entities and "is committed to working to ensure sanction addresses are frozen promptly."

This week Reuters reported that experts are now saying the situation "will require greater scrutiny by regulators and law enforcement." They spoke to Kristofer Doucette, national security leader at U.S. blockchain analysis firm Chainalysis, who said "Structures must be set up to combat this type of money laundering." Reuters writes: Technology for digital transactions is changing fast and transactions are rapidly growing in developing regions including Latin America and Africa, benefiting people without access to the banking system. But some corrupt governments are moving faster, making it difficult to prevent fraud, the experts said. Doucette and Sigal Mandelker, a lawyer who previously worked at the U.S. Treasury Department, said during a conference organized by the Wilson Center in Washington that the U.S. administration is making efforts to increase regulation and encourage other countries to improve supervision.
Slashdot reader RossCWilliams asks a loaded question: whether this is "the beginning of the end of unregulated cryptocurrencies... the recognition of cryptocurrency as a national security threat that threatens international financial controls."
Social Networks

Is Mastodon's Link-Previewing Overloading Servers? (itsfoss.com) 23

The blog It's FOSS has 15,000 followers for its Mastodon account — which they think is causing problems: When you share a link on Mastodon, a link preview is generated for it, right? With Mastodon being a federated platform (a part of the Fediverse), the request to generate a link preview is not generated by just one Mastodon instance. There are many instances connected to it who also initiate requests for the content almost immediately. And, this "fediverse effect" increases the load on the website's server in a big way.

Sure, some websites may not get overwhelmed with the requests, but Mastodon does generate numerous hits, increasing the load on the server. Especially, if the link reaches a profile with more followers (and a broader network of instances)... We tried it on our Mastodon profile, and every time we shared a link, we were able to successfully make our website unresponsive or slow to load.

Slashdot reader nunojsilva is skeptical that "blurbs with a thumbnail and description" could create the issue (rather than, say, poorly-optimized web content). But the It's FOSS blog says they found three GitHub issues about the same problem — one from 2017, and two more from 2023. And other blogs also reported the same issue over a year ago — including software developer Michael Nordmeyer and legendary Netscape programmer Jamie Zawinski.

And back in 2022, security engineer Chris Partridge wrote: [A] single roughly ~3KB POST to Mastodon caused servers to pull a bit of HTML and... an image. In total, 114.7 MB of data was requested from my site in just under five minutes — making for a traffic amplification of 36704:1. [Not counting the image.]
It's FOSS reports Mastodon's official position that the issue has been "moved as a milestone for a future 4.4.0 release. As things stand now, the 4.4.0 release could take a year or more (who knows?)."

They also state their opinion that the issue "should have been prioritized for a faster fix... Don't you think as a community-powered, open-source project, it should be possible to attend to a long-standing bug, as serious as this one?"
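The "fediverse effect" described above shows up in a site's access log as many distinct instances fetching the same URL within a few minutes of a toot. The following detector is an added example, not code from It's FOSS, Mastodon or the posts cited; it assumes a combined-format access log and a Mastodon fetcher user agent of the form "http.rb/x.y (Mastodon/4.2.0; +https://instance/)", and the log lines it analyses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format (nginx/apache default). Assumption: the numeric field after
# the status code is the response body size in bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
# Mastodon's link fetcher names the requesting instance in its user agent
# (assumed format: "http.rb/x.y (Mastodon/4.2.0; +https://instance/)").
MASTODON_UA_RE = re.compile(r'Mastodon/[\d.]+; \+https?://(?P<instance>[^/)]+)')


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    ua = MASTODON_UA_RE.search(m.group("ua"))
    return {"ts": ts, "path": m.group("path"), "bytes": size,
            "instance": ua.group("instance") if ua else None}


def find_preview_bursts(lines, window=timedelta(minutes=5),
                        min_instances=10, post_bytes=3 * 1024):
    """Flag paths fetched by at least `min_instances` distinct Mastodon instances
    inside any `window`-long span. Amplification = bytes served / size of the
    toot that triggered them (~3 KB, the figure Chris Partridge used)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["instance"]:
            hits[rec["path"]].append(rec)
    reports = {}
    for path, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        best, j = None, 0
        for i in range(len(recs)):
            # Advance the window start until recs[j:i+1] fits inside `window`.
            while recs[i]["ts"] - recs[j]["ts"] > window:
                j += 1
            chunk = recs[j:i + 1]
            instances = {r["instance"] for r in chunk}
            if best is None or len(instances) > best["instances"]:
                total = sum(r["bytes"] for r in chunk)
                best = {"instances": len(instances), "requests": len(chunk),
                        "bytes": total, "amplification": round(total / post_bytes, 1)}
        if best["instances"] >= min_instances:
            reports[path] = best
    return reports


def constructed_sample():
    """Constructed log lines, not captured traffic: 12 instances fetch one article
    and its hero image within 80 s, plus a browser visit and a lone fetch elsewhere."""
    base = datetime(2024, 5, 3, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 {size} "-" "{ua}"'

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = []
    for i in range(12):
        ua = f"http.rb/5.1.1 (Mastodon/4.2.0; +https://instance{i}.example/)"
        lines.append(fmt.format(ip=f"203.0.113.{i}", ts=stamp(7 * i),
                                path="/post/mastodon-previews", size=48_000, ua=ua))
        lines.append(fmt.format(ip=f"203.0.113.{i}", ts=stamp(7 * i + 1),
                                path="/img/hero.png", size=900_000, ua=ua))
    lines.append(fmt.format(ip="198.51.100.7", ts=stamp(30), path="/post/mastodon-previews",
                            size=48_000, ua="Mozilla/5.0"))
    lines.append(fmt.format(ip="203.0.113.99", ts=stamp(40), path="/post/other", size=48_000,
                            ua="http.rb/5.1.1 (Mastodon/4.2.0; +https://lone.example/)"))
    return lines


if __name__ == "__main__":
    for path, r in find_preview_bursts(constructed_sample()).items():
        print(f"{path}: {r['instances']} instances, {r['requests']} requests, "
              f"{r['bytes']} bytes, amplification {r['amplification']}:1")
```

Feeding a real access log through `find_preview_bursts` separates preview bursts from ordinary visitor traffic, which is the distinction nunojsilva's objection turns on.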
AI

Microsoft Details How It's Developing AI Responsibly (theverge.com) 32

Thursday the Verge reported that a new report from Microsoft "outlines the steps the company took to release responsible AI platforms last year." Microsoft says in the report that it created 30 responsible AI tools in the past year, grew its responsible AI team, and required teams making generative AI applications to measure and map risks throughout the development cycle. The company notes that it added Content Credentials to its image generation platforms, which puts a watermark on a photo, tagging it as made by an AI model.

The company says it's given Azure AI customers access to tools that detect problematic content like hate speech, sexual content, and self-harm, as well as tools to evaluate security risks. This includes new jailbreak detection methods, which were expanded in March this year to include indirect prompt injections where the malicious instructions are part of data ingested by the AI model.

It's also expanding its red-teaming efforts, including both in-house red teams that deliberately try to bypass safety features in its AI models as well as red-teaming applications to allow third-party testing before releasing new models.

Microsoft's chief Responsible AI officer told the Washington Post this week that "We work with our engineering teams from the earliest stages of conceiving of new features that they are building." "The first step in our processes is to do an impact assessment, where we're asking the team to think deeply about the benefits and the potential harms of the system. And that sets them on a course to appropriately measure and manage those risks downstream. And the process by which we review the systems has checkpoints along the way as the teams are moving through different stages of their release cycles...

"When we do have situations where people work around our guardrails, we've already built the systems in a way that we can understand that that is happening and respond to that very quickly. So taking those learnings from a system like Bing Image Creator and building them into our overall approach is core to the governance systems that we're focused on in this report."

They also said "it would be very constructive to make sure that there were clear rules about the disclosure of when content is synthetically generated," and "there's an urgent need for privacy legislation as a foundational element of AI regulatory infrastructure."
The Internet

Multinational ISP Offers $206M In Secured Notes Backed By IPv4 Addresses (circleid.com) 24

CircleID reports that multinational internet service provider Cogent recently announced that it was offering $206 million in secured notes (a corporate bond backed by assets). "The unusual part is what it's using as security: some of its IPv4 addresses and the leases on those IPv4 addresses." All internet service providers (ISPs) give IP addresses to their users, but Cogent was among the first to lease those addresses independently of internet access. (Internet access customers normally require a unique address as part of their service.) Sources are hard to find, but prevailing wisdom is that they have over 10M addresses leased for about $0.30 per month, or $36M per year in revenue.

The notes are expected to be repaid in five years.


Thanks to long-time Slashdot reader penciling_in for sharing the article.
The Military

US Official Urges China, Russia To Declare AI Will Not Control Nuclear Weapons 79

Senior State Department arms control official Paul Dean on Thursday urged China and Russia to declare that artificial intelligence would never make decisions on deploying nuclear weapons. Washington had made a "clear and strong commitment" that humans had total control over nuclear weapons, said Dean. Britain and France have made similar commitments. Reuters reports: "We would welcome a similar statement by China and the Russian Federation," said Dean, principal deputy assistant secretary in the Bureau of Arms Control, Deterrence and Stability. "We think it is an extremely important norm of responsible behaviour and we think it is something that would be very welcome in a P5 context," he said, referring to the five permanent members of the United Nations Security Council.
The Internet

Humans Now Share the Web Equally With Bots, Report Warns (independent.co.uk) 31

An anonymous reader quotes a report from The Independent, published last month: Humans now share the web equally with bots, according to a major new report -- as some fear that the internet is dying. In recent months, the so-called "dead internet theory" has gained new popularity. It suggests that much of the content online is in fact automatically generated, and that the number of humans on the web is dwindling in comparison with bot accounts. Now a new report from cyber security company Imperva suggests that it is increasingly becoming true. Nearly half, 49.6 per cent, of all internet traffic came from bots last year, its "Bad Bot Report" indicates. That is up 2 percent in comparison with last year, and is the highest number ever seen since the report began in 2013. In some countries, the picture is worse. In Ireland, 71 per cent of internet traffic is automated, it said.

Some of that rise is the result of the adoption of generative artificial intelligence and large language models. Companies that build those systems use bots to scrape the internet and gather data that can then be used to train them. Some of those bots are becoming increasingly sophisticated, Imperva warned. More and more of them come from residential internet connections, which makes them look more legitimate. "Automated bots will soon surpass the proportion of internet traffic coming from humans, changing the way that organizations approach building and protecting their websites and applications," said Nanhi Singh, general manager for application security at Imperva. "As more AI-enabled tools are introduced, bots will become omnipresent."

Games

Sony Will Soon Require 'Helldivers 2' PC Gamers To Link Their Steam Accounts To PSN, Angering Users (gamesradar.com) 80

"Players who made Steam purchases of Helldivers 2 are now, months after the fact, being told by Sony that their games will be useless unless linked to a PSN account," writes longtime Slashdot reader Baron_Yam. From a report: Publisher Sony Interactive Entertainment announced today that Helldivers 2 players on Steam will soon be required to link their in-game profiles to a PlayStation Network account -- a feature that was optional at launch due to "technical issues" -- or risk losing access to the game. SIE explained that account linking allows players to take advantage of "safety and security" provided by PlayStation, as it can more easily protect folks from "griefing and abuse by enabling the banning of players that engage in that type of behavior."

Many Steam players haven't responded well to the news. As of the time of writing, over 2,500 negative user reviews have been submitted to the game's storefront page today, blemishing an otherwise spotless "Very Positive" rating. Some reviews cite data harvesting and security concerns as potential worries. Others point to the fact that Sony waited months after launch to make account linking mandatory. How this affects players in regions that don't have access to the PlayStation Network is a bigger concern, though. In the Helldivers 2 Discord, community manager Thomas 'Twinbeard' Petersson said they aren't yet sure what these rule changes meant for players in areas without PSN access, which could be another factor contributing to the negative downturn.

Government

Senators Want Limits On TSA Use of Facial Recognition Technology For Airport Screening (pbs.org) 29

A bipartisan group of senators, led by Jeff Merkley, John Kennedy, and Roger Marshall, is advocating for limitations on the Transportation Security Administration's use of facial recognition technology due to concerns about privacy and civil liberties. PBS reports: In a letter on Thursday, the group of 14 lawmakers called on Senate leaders to use the upcoming reauthorization of the Federal Aviation Administration as a vehicle to limit TSA's use of the technology so Congress can put in place some oversight. "This technology poses significant threats to our privacy and civil liberties, and Congress should prohibit TSA's development and deployment of facial recognition tools until rigorous congressional oversight occurs," the senators wrote.

The effort, led by Sens. Jeff Merkley, D-Ore., John Kennedy, R-La., and Roger Marshall, R-Kan., "would halt facial recognition technology at security checkpoints, which has proven to improve security effectiveness, efficiency, and the passenger experience," TSA said in a statement. The technology is currently in use at 84 airports around the country and is planned to expand in the coming years to the roughly 430 covered by TSA.

Security

Germany Says Russia Will Face Consequences For 'Intolerable' Cyberattack (france24.com) 34

An anonymous reader shares a report: Relations between Russia and Germany were already tense, with Germany providing military support to Ukraine in its ongoing war with Russia. German Foreign Minister Annalena Baerbock said Russian state hackers were behind a cyberattack last year that targeted the Social Democrats, the leading party in the governing coalition. "Russian state hackers attacked Germany in cyberspace," she said at a news conference in the Australian city of Adelaide. "We can attribute this attack to the group called APT28, which is steered by the military intelligence service of Russia."

"This is absolutely intolerable and unacceptable and will have consequences," she said. The Russian Embassy in Germany on Friday denied Moscow was involved in a 2023 cyberattack. In a statement the embassy said its envoy "categorically rejected the accusations that Russian state structures were involved in the given incident ... as unsubstantiated and groundless." The Council of the EU later said that Czechia's institutions have also been a target of the cyber campaign. In a statement by the EU's top diplomat, Josep Borrell, the bloc's nations said they "strongly condemn the malicious cyber campaign conducted by the Russia-controlled Advanced Persistent Threat Actor 28 (APT28) against Germany and Czechia."
Further reading: EU and NATO Condemn Russian Cyber Attacks Against Germany and Czechia.
United Kingdom

Britain's Climate Action Plan Unlawful, High Court Rules (theguardian.com) 20

The UK government's climate action plan is unlawful, the high court has ruled, as there is not enough evidence that there are sufficient policies in place to reduce greenhouse gas emissions. From a report: The energy secretary, Claire Coutinho, will now be expected to draw up a revised plan within 12 months. This must ensure that the UK achieves its legally binding carbon budgets and its pledge to cut emissions by more than two-thirds by 2030, both of which the government is off track to meet. The environmental charities Friends of the Earth and ClientEarth took joint legal action with the Good Law Project against the Department for Energy Security and Net Zero (DESNZ) over its decision to approve the carbon budget delivery plan (CBDP) in March 2023.

In a ruling on Friday, Mr Justice Sheldon upheld four of the five grounds of the groups' legal challenge, stating that the decision by the former energy security and net zero secretary Grant Shapps was "simply not justified by the evidence." He said: "If, as I have found, the secretary of state did make his decision on the assumption that each of the proposals and policies would be delivered in full, then the secretary of state's decision was taken on the basis of a mistaken understanding of the true factual position."

The judge agreed with ClientEarth and Friends of the Earth that the secretary of state was given "incomplete" information about the likelihood that proposed policies would achieve their intended emissions cuts. This breached section 13 of the Climate Change Act, which requires the secretary of state to adopt plans and proposals that they consider will enable upcoming carbon budgets to be delivered. Sheldon also agreed with the environment groups that the central assumption that all the department's policies would achieve 100% of their intended emissions cuts was wrong. The judge said the secretary of state had acted irrationally, and on the basis of an incorrect understanding of the facts. This comes after the Guardian revealed the government would be allowing oil and gas drilling under offshore wind turbines, a decision criticised by climate experts as "deeply irresponsible."

Microsoft

Microsoft Overhaul Treats Security as 'Top Priority' After a Series of Failures 51

Microsoft is making security its number one priority for every employee, following years of security issues and mounting criticisms. The Verge: After a scathing report from the US Cyber Safety Review Board recently concluded that "Microsoft's security culture was inadequate and requires an overhaul," it's doing just that by outlining a set of security principles and goals that are tied to compensation packages for Microsoft's senior leadership team. Last November, Microsoft announced a Secure Future Initiative (SFI) in response to mounting pressure on the company to respond to attacks that allowed Chinese hackers to breach US government email accounts.

Just days after announcing this initiative, Russian hackers managed to breach Microsoft's defenses and spy on the email accounts of some members of Microsoft's senior leadership team. Microsoft only discovered the attack nearly two months later in January, and the same group even went on to steal source code. These recent attacks have been damaging, and the Cyber Safety Review Board report added fuel to Microsoft's security fire recently by concluding that the company could have prevented the 2023 breach of US government email accounts and that a "cascade of security failures" led to that incident. "We are making security our top priority at Microsoft, above all else -- over all other features," explains Charlie Bell, executive vice president for Microsoft security, in a blog post today. "We will instill accountability by basing part of the compensation of the company's Senior Leadership Team on our progress in meeting our security plans and milestones."
Security

Maximum-Severity GitLab Flaw Allowing Account Hijacking Under Active Exploitation (arstechnica.com) 17

Dan Goodin reports via Ars Technica: A maximum severity vulnerability that allows hackers to hijack GitLab accounts with no user interaction required is now under active exploitation, federal government officials warned as data showed that thousands of users had yet to install a patch released in January. A change GitLab implemented in May 2023 made it possible for users to initiate password changes through links sent to secondary email addresses. The move was designed to permit resets when users didn't have access to the email address used to establish the account. In January, GitLab disclosed that the feature allowed attackers to send reset emails to accounts they controlled and from there click on the embedded link and take over the account.

While exploits required no user interaction, hijackings worked only against accounts that weren't configured to use multi-factor authentication. Even with MFA, accounts remained vulnerable to password resets. The vulnerability, tracked as CVE-2023-7028, carries a severity rating of 10 out of a possible 10. The vulnerability, classified as an improper access control flaw, could pose a grave threat. GitLab software typically has access to multiple development environments belonging to users. With the ability to access them and surreptitiously introduce changes, attackers could sabotage projects or plant backdoors that could infect anyone using software built in the compromised environment. An example of a similar supply chain attack is the one that hit SolarWinds in 2021, infecting more than 18,000 of its customers. These sorts of attacks are powerful. By hacking a single, carefully selected target, attackers gain the means to infect thousands of downstream users, often without requiring them to take any action at all. According to Internet scans performed by security organization Shadowserver, more than 2,100 IP addresses showed they were hosting one or more vulnerable GitLab instances.
In order to protect your system, you should enable MFA and install the latest patch. "GitLab users should also remember that patching does nothing to secure systems that have already been breached through exploits," notes Goodin.
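The bug class behind the flaw described above is a reset flow that lets the requester choose where the reset token is delivered. The following is an added model of that pattern beside its hardened form; it is not GitLab's code, the `ResetService`, `Account` and `Outbox` names are mine, and the accounts and addresses are constructed.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    primary_email: str
    secondary_emails: frozenset = frozenset()   # addresses the user has verified


@dataclass
class Outbox:
    """Stand-in for the mailer; records every (address, token) delivery."""
    sent: list = field(default_factory=list)

    def deliver(self, address, token):
        self.sent.append((address, token))


class ResetService:
    def __init__(self, accounts, outbox, ttl_seconds=600):
        self.outbox = outbox
        self.ttl = ttl_seconds
        self.tokens = {}        # token -> (username, expiry)
        self.by_email = {}      # any verified address -> account
        for acct in accounts:
            for addr in {acct.primary_email, *acct.secondary_emails}:
                self.by_email[addr.lower()] = acct

    def _issue(self, acct):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (acct.username, time.time() + self.ttl)
        return token

    def request_reset_flawed(self, requested_emails):
        """Pattern of the flaw described in the article (a model, not GitLab's code):
        the request carries a list of addresses, the account is located through
        any one of them, and the token is then mailed to every address given."""
        acct = None
        for addr in requested_emails:
            acct = self.by_email.get(addr.lower())
            if acct:
                break
        if acct is None:
            return False
        token = self._issue(acct)
        for addr in requested_emails:
            self.outbox.deliver(addr, token)    # caller-chosen address receives the token
        return True

    def request_reset(self, requested_email):
        """Hardened: the request only identifies the account; the token goes to
        the address on record, never to a destination supplied by the caller."""
        acct = self.by_email.get(requested_email.lower())
        if acct is not None:
            self.outbox.deliver(acct.primary_email, self._issue(acct))
        return True     # identical response either way, so no account enumeration

    def redeem(self, token):
        """Consume a single-use token; returns the username, or None if unknown/expired."""
        entry = self.tokens.pop(token, None)
        if entry is None or entry[1] < time.time():
            return None
        return entry[0]


def demo():
    """Constructed scenario: one victim account, one address the requester controls."""
    victim = Account("alice", "alice@example.org", frozenset({"alice.backup@example.net"}))
    flawed_out, fixed_out = Outbox(), Outbox()
    ResetService([victim], flawed_out).request_reset_flawed(
        ["alice@example.org", "outsider@example.com"])
    ResetService([victim], fixed_out).request_reset("alice@example.org")
    leaked = any(addr == "outsider@example.com" for addr, _ in flawed_out.sent)
    return {"flawed_leaks": leaked, "hardened_recipients": [a for a, _ in fixed_out.sent]}


if __name__ == "__main__":
    print(demo())
```

The hardened `request_reset` is the delivery-side fix; completing the reset should still go through the account's second factor where one is enrolled, which is the reason for the MFA advice above.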
Businesses

Google Lays Off Hundreds of 'Core' Employees, Moves Some Positions To India and Mexico (cnbc.com) 80

According to CNBC, Google is laying off at least 200 employees from its "Core" teams and moving some roles to India and Mexico. From the report: The Core unit is responsible for building the technical foundation behind the company's flagship products and for protecting users' online safety, according to Google's website. Core teams include key technical units from information technology, its Python developer team, technical infrastructure, security foundation, app platforms, core developers, and various engineering roles. At least 50 of the positions eliminated were in engineering at the company's offices in Sunnyvale, California, filings show. Many Core teams will hire corresponding roles in Mexico and India, according to internal documents viewed by CNBC.

Asim Husain, vice president of Google Developer Ecosystem, announced news of the layoffs to his team in an email last week. He also spoke at a town hall and told employees that this was the biggest planned reduction for his team this year, an internal document shows. "We intend to maintain our current global footprint while also expanding in high-growth global workforce locations so that we can operate closer to our partners and developer communities," Husain wrote in the email. [...] "Announcements of this sort may leave many of you feeling uncertain or frustrated," Husain wrote in the email to developers. He added that his message to developers is that the changes "are in service of our broader goals" as a company. The teams involved in the reorganization have been key to the company's developer tools, an area Google is streamlining as it incorporates more artificial intelligence into the products.

Security

Dropbox Says Hackers Breached Digital-Signature Product (yahoo.com) 12

An anonymous reader quotes a report from Bloomberg: Dropbox said its digital-signature product, Dropbox Sign, was breached by hackers, who accessed user information including emails, user names and phone numbers. The software company said it became aware of the cyberattack on April 24, sought to limit the incident and reported it to law enforcement and regulatory authorities. "We discovered that the threat actor had accessed data related to all users of Dropbox Sign, such as emails and user names, in addition to general account settings," Dropbox said Wednesday in a regulatory filing. "For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication."

Dropbox said there is no evidence hackers obtained user accounts or payment information. The company said it appears the attack was limited to Dropbox Sign and no other products were breached. The company didn't disclose how many customers were affected by the hack. The hack is unlikely to have a material impact on the company's finances, Dropbox said in the filing. The shares declined about 2.5% in extended trading after the cyberattack was disclosed and have fallen 20% this year through the close.

AI

National Archives Bans Employee Use of ChatGPT (404media.co) 10

The National Archives and Records Administration (NARA) told employees Wednesday that it is blocking access to ChatGPT on agency-issued laptops to "protect our data from security threats associated with use of ChatGPT," 404 Media reported Wednesday. From the report: "NARA will block access to commercial ChatGPT on NARANet [an internal network] and on NARA issued laptops, tablets, desktop computers, and mobile phones beginning May 6, 2024," an email sent to all employees, and seen by 404 Media, reads. "NARA is taking this action to protect our data from security threats associated with use of ChatGPT."

The move is particularly notable considering that this directive is coming from, well, the National Archives, whose job is to keep an accurate historical record. The email explaining the ban says the agency is particularly concerned with internal government data being incorporated into ChatGPT and leaking through its services. "ChatGPT, in particular, actively incorporates information that is input by its users in other responses, with no limitations. Like other federal agencies, NARA has determined that ChatGPT's unrestricted approach to reusing input data poses an unacceptable risk to NARA data security," the email reads. The email goes on to explain that "If sensitive, non-public NARA data is entered into ChatGPT, our data will become part of the living data set without the ability to have it removed or purged."

Microsoft

Microsoft Says April Windows Updates Break VPN Connections (bleepingcomputer.com) 100

Microsoft has confirmed that the April 2024 Windows security updates break VPN connections across client and server platforms. From a report: The company explains on the Windows health dashboard that "Windows devices might face VPN connection failures after installing the April 2024 security update or the April 2024 non-security preview update."

"We are investigating user reports, and we will provide more information in the coming days," Redmond added. The list of affected Windows versions includes Windows 11, Windows 10, and Windows Server 2008 and later.

Privacy

UnitedHealthCare CEO Says 'Maybe a Third' of US Citizens Were Affected By Recent Hack (techcrunch.com) 34

An anonymous reader shares a report: Two months after hackers broke into Change Healthcare systems, stealing and then encrypting company data, it's still unclear how many Americans were impacted by the cyberattack. Last month, Andrew Witty, the CEO of Change Healthcare's parent company UnitedHealth Group, said that the stolen files include the personal health information of "a substantial proportion of people in America." On Wednesday, during a House hearing, Witty was pushed to give a more definitive answer, and testified that the breach impacted "I think, maybe a third [of Americans] or somewhere of that level."
IT

LastPass Separates From GoTo 43

LastPass, the password manager company, has officially separated from its parent company, GoTo, following a series of high-profile hacks in recent years. The company will now operate under a shareholder holding company called LMI Parent.

LastPass -- owned by private equity firms Francisco Partners and Elliott Management -- has faced criticism for its handling of the breaches, which resulted in the theft of customer data and encryption keys. The company has since enforced a 12-character minimum for master passwords to improve security.
Privacy

13.4 Million Kaiser Insurance Members Affected by Data Leak to Online Advertisers (darkreading.com) 10

Kaiser Permanente is the latest healthcare giant to report a data breach. Kaiser said 13.4 million current and former insurance members had their patient data shared with third-party advertisers, thanks to an improperly implemented tracking code the company used to see how its members navigated through its websites. Dark Reading reports: The shared data included names, IP addresses, what pages people visited, whether they were actively signed in, and even the search terms they used when visiting the company's online health encyclopedia. Kaiser has reportedly removed the tracking code from its sites, and while the incident wasn't a hacking event, the breach is still concerning from a security perspective, according to Narayana Pappu, CEO at Zendata.

"The presence of third-party trackers belonging to advertisers, and the oversharing of customer information with these trackers, is a pervasive problem in both health tech and government space," he explains. "Once shared, advertisers have used this information to target ads at users for complementary products (based on health data); this has happened multiple times in the past few years, including at Goodrx. Although this does not fit the traditional definition of a data breach, it essentially results in the same outcome -- an entity and the use case the data was not intended for has access to it. There is usually no monitoring/auditing process to identify and prevent the issue."
