An investigation by Canva deep dive into the world of font security has uncovered three unexpected vulnerabilities and revealed how choosing the wrong font could spell out a cybersecurity disaster.
In an effort to enhance the security of its tools, Canva has been researching less-explored attack surfaces, including fonts, which play an integral part in graphics processing.
A trio of vulnerabilities have been highlighted in a report entitled “Fonts are still a Helvetica of a Problem", with Canva ultimately declaring that the font landscape is actually quite rich in attack surfaces.
Canva is concerned about the font you use
The first vulnerability, tracked as CVE-2023-45139, was discovered in FontTools, a Python library for manipulating fonts. Canva found that when processing an SVG table to subset a font, FontTools could use an untrusted XML file, leading to an XML External Entity (XXE) vulnerability.
The researchers abused this vulnerability to produce a subsetted font containing an SVG table with an /etc/passwd payload. FontTools released a patch three days after being notified of the vulnerability in September 2023.
The other two vulnerabilities, CVE-2024-25081 and CVE-2024-25082, both rated at 4.2/10, were associated with naming conventions and font compression. Canva found the potential for command injection when dealing with filenames in tools like FontForge and ImageMagick. Both have also been addressed.
Acknowledging the timely work of open-source font software and tool maintainers, Canva noted that IT workers should “treat fonts like any other untrusted input” by implementing sandboxing and using tools like OpenType-Sanitizer.
This isn’t the first time that font security has been raised, with Google exploring similar issues nearly a decade ago, however with the increased prevalence and more severe consequences of cyber attacks, Canva’s recommendation that we pay attention to less obvious attack surfaces is a mighty sensible one.
From stylish and sleek to semiprofessional, along with a few budget buys, these are the best kitchen sink faucets for style and function you can get in 2024
Cybercriminals are using compromised WordPress websites to form a huge army for credential stuffing attacks, experts have warned.
A report from cybersecurity researchers Sucuri spotted the campaign, and believe they know what its goal is - namely looking for vulnerable sites from the website builder, where they can install a small script in the HTML templates. That script forces the website visitor’s computer to visit a different WordPress website (in the background, unbeknownst to the victim) and try to log in using different username and password combinations.
Once the victim cracks the login code, they would, still unaware, relay that information back to the attackers, and receive further instructions (another website to crack).
Building a base
Citing information from the HTML source code search engine, PublicHTML, BleepingComputer reported that there are currently more than 1,700 websites hosting this script, “providing a massive pool of users who will be unwittingly conscripted into this distributed bruteforce army.” Among the victims, the publication further reports, is the website of Ecuador’s Association of Private Banks.
Sucuri says it’s been tracking this threat actor in the past. Until now, the group used the same technique for a different purpose - to install the AngelDrainer malware. AngelDrainer is a piece of code that, as the name suggests, “drains” all of the funds a victim may have in their cryptocurrency wallets. To do that, the victim needs to connect their wallet (such as the MetaMask wallet, for example) to a crypto service. The group even built their own fake Web3 websites to get people to connect their wallets.
The researchers aren’t certain why the group decided to pivot into credential stuffing. One explanation is that they’re building a bigger base of compromised sites that can then be used to launch more destructive attacks - such as wallet draining campaigns.
"Most likely, they realized that at their scale of infection (~1000 compromised sites) the crypto drainers are not very profitable yet," Sucuri concluded.
"Moreover, they draw too much attention and their domains get blocked pretty quickly. So, it appears reasonable to switch the payload with something stealthier, that at the same time can help increase their portfolio of compromised sites for future waves of infections that they will be able to monetize in one way or another."
Chinese engineers at the Institute for Intelligent Computing, Alibaba Group, have developed an AI app called Emote Portrait Live that can animate a still photo of a face and synchronize it to an audio track.
The technology behind this relies on the generative capabilities of diffusion models (mathematical models used to describe how things spread or diffuse over time), which can directly synthesize character head videos from a provided image and any audio clip. This process bypasses the need for complex pre-processing or intermediate representations, thus simplifying the creation of talking head videos.
The challenge lies in capturing the nuances and diversity of human facial movements during video synthesis. Traditional methods simplify this by imposing constraints on the final video output, such as using 3D models to limit facial keypoints or extracting head movement sequences from base videos to guide overall motion. However, these constraints may limit the naturalness and richness of the resulting facial expressions.
Not without challenges
The research team's objective is to develop a talking head framework that can capture a wide range of realistic facial expressions, including subtle micro-expressions, and allow for natural head movements.
However, the integration of audio with diffusion models presents its own challenges due to the ambiguous relationship between audio and facial expressions. This can result in instability in the videos produced by the model, including facial distortions or jittering between video frames. To overcome this, the researchers included stable control mechanisms in their model, specifically a speed controller and a face region controller, to improve stability during the generation process.
Despite the potential of this technology, there are certain drawbacks. The process is more time-consuming than methods that don't use diffusion models. Additionally, since there are no explicit control signals to guide the character’s motion, the model may unintentionally generate other body parts, like hands, resulting in artifacts in the video.
The group has published a paper on its work on the arXiv preprint server, and this website is home to a number of other videos showcasing the possibilities of Emote Portrait Live, including clips of Joaquin Phoenix (as The Joker), Leonardo DiCaprio, and Audrey Hepburn.
You can watch the Mona Lisa recite Rosalind's monologue from Shakespeare's As You Like It, Act 3, Scene 2, below.
Samsung was a pioneer of the folding phone, and the Galaxy Z Fold series constantly ranks among the best foldable phones on the market. So we’re excited to see what could be next for the line – and rumored to be on the horizon is the Samsung Galaxy Z Fold 6, and possibly a Galaxy Z Fold 6 Ultra.
It's the Ultra model that's caught our eye here. The now a lot more competition in the folding phone market, notably in the shape of the OnePlus Open and the Google Pixel Fold. So there's some logic to Samsung potentially looking to stand out from the pack it arguably helped create with a premium version of the Fold.
If legitimate, a Galaxy Z Fold 6 Ultra would effectively take the Fold 6 as the baseline and integrate in features found in the Samsung Galaxy S24 Ultra; say a built-in S Pen and 200-megapixel camera.
But it's early days for such foldable phone rumors and leaks, so read on for what we know so far about the so-called Samsung Galaxy Z Fold 6 Ultra and what we'd like to see from the phone.
Release date and price
What is it? A rumored new ultra-premium foldable from Samsung
When is it out? Possibly July
How much will it cost? Likely more than $1,799 / £1,749 / AU$2,599
Samsung Galaxy Z Fold 6 Ultra: potential release date and price
(Image credit: @OnLeaks / SmartPrix)
If Samsung does unveil a Galaxy Z Fold 6 Ultra, it'll likely take place at the next Galaxy Unpacked event, currently tipped for July 10 in Paris, and be launched alongside the rumored Galaxy Z Fold 6 and Galaxy Z Flip 6, as well as the Galaxy Ring.
As a Galaxy Z Fold 6 Ultra would be a more premium version of Samsung’s already expensive folding flagship, we’d expect to cost a fair bit more than the Galaxy Z Fold 5’s starting price of $1,799.99 / £1,749 / AU$2,599.
If the renders are to be believed, Samsung will shake-up its design for the Galaxy Z Fold 6 Ultra – and presumably for the ‘standard’ Galaxy Z Fold 6 – moving away from the gentle curves used in the Galaxy S series and the Galaxy Z Fold 5 and adopting the more angular design seen on the Galaxy S24 Ultra and Galaxy S23 Ultra.
The renders point to the Galaxy Z Fold 6 Ultra being slightly shorter but wider than the Fold 5, measuring 153.5 x 132.5 x 6.1mm compared to 154.9 x 129.9 x 6.1mm of its predecessor.
The renders also match the look of a prototype Galaxy Z Fold 6 design that leaker IceUniverse posted last year. If both are accurate then the design for the next-generation Fold phones may draw from the aesthetics of the Galaxy S24 Ultra.
Samsung Galaxy Z Fold 6 Ultra: what we want to see
Improved display and toughness
(Image credit: @OnLeaks / SmartPrix)
There are a few things we’d like to see in a Galaxy Z Fold 6 Ultra, but topping our list is something we’d like to see less of: the crease in the center of the main screen. Samsung has tended to make this less noticeable and distracting with each iteration of the Galaxy Z Fold – so could the Galaxy Z Fold 6, and a potential Galaxy Z Fold 6 Ultra, be the first phones on which Samsung manages to make it disappear completely?
Such a move would likely require the use of improved ultra-thin glass, but Samsung's display arm continues to produce impressive foldable and rollable AMOLED screens, so there's certainly scope to further reduce a Fold's crease or get rid of it completely.
Going by the rumors so far, the cover screen would likely keep the narrow 6.2-inch size seen on the Galaxy Z Fold 5, rather than a larger 6.4-inch panel other rumors have mentioned. If that’s the case it could be a wasted opportunity on Samsung’s part, as a wider cover display can make for a more usable foldable phone when it's closed.
We hope that Samsung would make use of the Corning Gorilla Glass Armor to protect the cover display, as that's being used in the Galaxy S24 Ultra, so sees like a good feature for an phone bearing the Ultra suffix.
And an IP52 rating dust and water resistance rating, as seen in the Motorola Razr Plus, would be appreciated too. That's because while the Galaxy Z Fold 5 had an IPX8 water resistance rating it lacked dust protection, which we feel is important due the the complex moving parts in folding phones that run the risk of being gunked up with dust or grime.
Proper Ultra-grade cameras
(Image credit: Future | Alex Walker-Todd)
The Galaxy Z Fold 5's camera system was rather good, but it was unchanged from the Galaxy Z Fold 4’s 50MP, f/1.8 wide, 10MP, f/2.4, telephoto, and 12MP, f/2.2 ultra-wide combo.
We’re hoping that Samsung updates this with something closer to the Galaxy S24 Ultra‘s more impressive camera setup, which features a 200MP, f/1.7 main camera, 12MP f/2.2 ultra-wide, 50MP, f/3.4, periscope telephoto with 5x optical zoom, and a 10MP, f/2.4, telephoto offering 3x optical zoom. However, if the specifications in Smartprix's renders are for the Galaxy Z Fold 6 Ultra and not a standard Z Fold 6 then fans could be very disappointed, as they lack camera specs with an Ultra flavor.
from TechRadar - All the latest technology news https://ift.tt/chGt0bj
In case you somehow missed it, Sora is a text-to-video AI meaning you can write a simple request and it’ll compose a video (just as image generation previously worked, but obviously a much more complex endeavor).
(Image credit: OpenAI)
Now OpenAI’s Sora research lead Tim Brooks has released some new content generated by Sora on X (formerly Twitter).
This is Sora’s crack at fulfilling the following request: “Fly through tour of a museum with many paintings and sculptures and beautiful works of art in all styles.”
Pretty impressive to say the least. On top of that, Bill Peebles, also a Sora research lead, showed us a clip generated from the following prompt: “An alien blending in naturally with new york city, paranoia thriller style, 35mm film.”
(Image credit: OpenAI)
Content creator Blaine Brown then stepped in to embellish the above clip, cutting it to repeat the footage and make it longer, while having the alien rapping, complete with lip-syncing. The music is generated by Suno AI by the way (with the lyrics written by Brown, mind), and lip-syncing is done with Pika Labs AI.
This Sora clip is 🔥 when the alien guy busts out in a lip-synced rap about how tough it is being different than everyone else. Workflow in the thread.@suno_ai_ @pika_labs (lip sync)Alienate Yourself 🆙🔊🔊 pic.twitter.com/kc5FI83q5RMarch 3, 2024
See more
Analysis: Still early days for Sora
(Image credit: OpenAI)
It’s worth underlining how fast things seem to be progressing with the capabilities of AI. Image creation powers were one thing – and extremely impressive in themselves – but this is entirely another. Especially when you remember that Sora is still just in testing at OpenAI, with a limited set of ‘red teamers’ (testers hunting out bugs and smoothing over those wrinkles).
The camera work in the museum fly-through flows realistically and feels nicely imaginative in the way it swoops around (albeit with the occasional judder). And the last tweet shows how you can take a base clip and flesh it out with content including AI-generated music.
Of course, AI can write a script as well, and so it begs the question: how long will it be before a blue alien is starring in an AI-generated post-apocalyptic drama. Or an (unintentional) comedy perhaps?
You get the idea, and we’re getting carried away, of course, but still – what AI could be capable of in just a few years is potentially mind-blowing, frankly.
Naturally, we’ll be seeing the cream of the crop of what Sora is capable of in these teasers, and there have been some buggy and weird efforts aired too. (Just as when ChatGPT and other AI chatbots first rolled onto the scene, we saw AI hallucinations and general unhinged behavior and replies).
Perhaps the broader worry with Sora, though, is how this might eventually displace, rather than assist, content creators. But that’s a fear to chew over on another day – not forgetting the potential for misuse with AI-created videos which we recently discussed in more depth here.
A class-action lawsuit filed in early March 2024 accuses Apple of restricting certain files critical to cloud backups of its devices to its own iCloud platform, and raising the price of the service to the point where it is ‘generating almost pure profit’.
The filing for Gamboa v. Apple Inc, submitted in the US District Court of the Northern District of California, would include a nationwide class of users impacted by the monopoly, and a class of Californians who claim to have been overcharged for an iCloud plan.
We are not lawyers and make no claim to be scholars on California’s corporation laws - however, with Bloomberg noting that iCloud gives Apple a 70% share of the cloud storage market, owing to the sheer ubiquity of their mobile devices, we think it's fair to question the fairness of locking backups to one service and trapping users in one ever increasing pricing model.
iCloud’s competition
iCloud’s competitors include Amazon, Google and Microsoft, which all have cloud storage services available on iOS devices for the purposes of storing user data.
The prospective lawsuit alleges, however, that requiring the use of iCloud for device backups makes maintaining accounts across multiple services - which may be cheaper, and have a more generous free cloud storage allowance than iCloud’s 5GB - inconvenient.
Apple has yet to respond to the filing, but it seems unlikely that it’ll be able to convincingly argue that backup data specific to Apple devices is sensitive enough to require locking to iCloud when, in 2022, Apple settled another class-action lawsuit, Williams v. Apple Inc, for $14.8 million, allowing it to continue to deny that it breached its own terms and conditions by storing user data on servers belonging to its competitors.
Google is leveling up Google Drive with several shiny new improvements, such as speeding up the loading times of videos and introducing search filters.
The speedier loading times will come thanks to Google’s addition of DASH transcode technology, which lets Drive adapt video quality based on the user’s network conditions. The improved search filters for Drive, which have been in development since at least October 2023, are limited to iOS for now - but Android users can look forward to these very soon.
For the uninitiated, Google Drive is a popular cloud file storage service and it’s an integral part of Google’s suite of productivity apps known as Google Workspace. Google Workspace apps like Drive and Docs get a lot of praise for being intuitive and interfacing well with one another, as well as for their overall functionality. One of the features that gets a lot of love is Google Drive’s uploading and sharing capabilities for video, in part thanks to the sharing tools in the Android share sheet.
Unfortunately, Google Drive’s video playback wasn’t up to the same high standard as the rest of Google Workspace - and this stuck out like a sore thumb since Google also runs the video hosting giant, YouTube.
Faster video for Google Drive incoming
That looks like it’s about to change, with the Google Drive team announcing these new features and improvements in a Google Workspace blog post. It will be adding DASH (Dynamic Adaptive Streaming over HTTP) transcodes to help process any videos hosted on Drive. This technology helps facilitate adaptive bitrate playback (the rate at which data is processed and sent during video and audio playback), which is adjusted to offer higher or lower-resolution video based on factors like the quality of the local network connection of the user. This development should result in improved “join times,” which refers to the time taken from the user clicking on the video to the start of playback.
The newly applied DASH transcodes will affect new videos that are applied to Google Drive from here on out, while existing videos will be updated to comply with this change by the end of the year, according to Google.
(Image credit: Shutterstock)
But wait! Better search filters are being added, too
Along with the boost to video loading times, another feature that’s coming soon is the souped-up search filters that will soon be included in the Google Drive app for Android and iOS. These were spotted by Android Police back in October, hidden under code flags, with the web version receiving them first back in November.
Now, these improved search filters are being introduced to the Drive app on mobile devices. The filters are coming to iOS first, and “coming soon” to Android, although an exact date hasn’t yet been given. Google does clarify in its blog post that an update for the app on Android will be available when these search filters are added to it. The new filters will show up when you tap the search bar, and include Type, People, and Date Modified, and are already available to many Google Workspace users on Apple devices.
These are positive updates for everyone who uses Google Drive for video storage and file organization (and will help it achieve some parity with competitors: we already see sophisticated search parameters in cloud storage services like Microsoft OneDrive).
The video processing improvement also seems somewhat overdue, considering Google’s video hosting expertise and resources. Changes and updates like this may not be the flashiest, but good, intuitive, and functional products like those we’ve come to expect from Google are what ultimately win and keep users.
The latest analysis from TrendForce makes for bleak reading for most monitor manufacturers’ with the exception of Apple.
TrendForce’s latest findings reveal global monitor shipments declined 7.3% in 2023. The estimated 125 million units takes shipments below pre-pandemic levels, due in no small part to the current global economic crisis. Brighter days do lie ahead, however.
The company says “given the low shipment base in 2023, alongside the potential for a gradual economic recovery and the typical 4 to 5-year PC replacement cycle, PCs purchased during the pandemic are expected to be upgraded between the second half of 2024 and 2025. This is anticipated to drive a 2% increase in global monitor shipments in 2024, reaching approximately 128 million units.”
Apple dominates the 5K display market
The top three commercial monitor brands all saw over 20% YoY declines. For Dell it was a drop of 20.4%. HP declined further with 20.7%, and Lenovo was hit worst of all with a 21.4% drop.
Not every manufacturer saw declines however. AOC/Philips benefited from strong demand in China’s gaming market, recording an 8.8% increase in shipments. Acer strategically upgraded its 60/75Hz products to 100Hz with a minimal price difference, resulting in a 6.7% shipment boost.
There is good news for high-end products, such as gaming monitors, too. These have seen a noticeable shift from FHD to QHD. TrendForce told us that “the market share of QHD gaming monitors increased to 34% last year, and it is expected to further rise this year”.
While some brands have introduced 27-inch 5K products, the shipment volume is not substantial due to their pricey, high-end nature. This, as you might expect, is where Apple – with its top-end products and dedicated customer base - thrives. TrendForce puts the monthly shipment of 5K products at around 20-30k units, with over 90% attributed to Apple via its Studio Display and Pro Display XDR.
Samsung has launched a Spring Sale at the official site this week, offering a wide range of discounts on TVs, appliances, and the stunning new Samsung Galaxy S24 Ultra.
Today only, you can get a free storage upgrade on this stunning flagship on top of a huge trade-in rebate of up to $1,000 on AT&T or T-Mobile carrier devices. That means you could potentially snag yourself a 512GB storage model for just $200 instead of the heady $1,400 upfront price.
The obvious caveat with this Galaxy S24 Ultra deal is that it's currently only available on AT&T or T-Mobile devices right now - not on the unlocked devices that are usually very popular at the official Samsung store. Verizon devices are also currently available with a free storage upgrade, but for some reason, the trade-in rebate caps out at $800, which is $200 less than what you can get directly at Verizon right now.
Otherwise, this deal at Samsung is essentially a re-run of the Galaxy S24 Ultra deals from the initial preorder period, where all retailers were offering a storage upgrade across the board. It's a great promotion - not only because extra storage is always handy but because upgraded models always fetch more in trade-ins down the line.
If you're interested in more deals from this event, you can head on over to our main Samsung Spring Sale page to see discounts on TVs, appliances, and monitors.
Samsung Galaxy S24 Ultra deal
Samsung Galaxy S24 Ultra:free memory upgrade, plus up to $1,000 off with a trade-in at Samsung Samsung's latest deal on the excellent Galaxy S24 Ultra now gets you a free storage upgrade alongside an exceptional trade-in rebate of up to $1,000 for AT&T, Verizon, and T-Mobile devices. That's enough to cut that hefty price tag right down to just $200 over the duration of a 24 or 36-month plan - and get you even more space for all your apps, files, and games.View Deal
You can head on over to our Samsung Galaxy S24 Ultra review for a detailed breakdown of this stunning flagship. With a gorgeous phablet-like design, powerful chipset, and innovative (for Samsung) new set of AI features, we highly recommend this device to anyone. Yes, it's pricey, but it's worth the money, and we liked it enough to award it a glowing four and a half stars out of five.
from TechRadar - All the latest technology news https://ift.tt/oOBI37x
