Boost Mobile says it's a real wireless carrier now (www.theverge.com)

Boost Mobile has announced it is on its way to meeting FCC coverage deadlines by the end of the year and says it has earned the title of MNO (Mobile Network Operator) rather than MVNO, which is a virtual network operator mainly reselling service from other carriers. Mission... accomplished? Sort of. It's progress, at least.

Boost, you will remember, is supposed to be our nation's fourth wireless carrier thanks to a wonky deal that allowed T-Mobile to buy Sprint. Dish Network (now owned by EchoStar) bought the brand as part of the deal and is required by the FCC to hit certain milestones in its 5G network buildout to hold up its part of the bargain. Last June, it was required to cover 70 percent of the US population; by the end of the year, it needs to reach 80 percent. Boost's chief technology officer, Eben Albertyn, told The Verge, "We are well on our way to meeting this goal." He says the company has lit up more than 20,000 of the 24,000 cell sites it has promised to deploy by June 2025.

Covering 80 percent of the population is one thing; actually providing service to customers on that network is another. While Boost's network has been under construction over the past few years, it has mainly offered service through AT&T and T-Mobile as an MVNO. Boost spokespeople weren't able to tell me what percentage of customer traffic rides on Boost's own network versus its roaming partners. However, the company's director of communications, Meredith Diers, says it has "migrated over half a million customers onto our network and our core since the beginning of this year." New customers in covered areas are also loaded directly on the network, provided they have a phone compatible with its network. Considering that just a couple of years ago, there was just one phone, that's good progress.

The effort has certainly come a long way since the days of Project Gene5is, its early pilot program that weirdly had something to do with NFTs. But Boost's subscriber numbers are still small; in its August earnings release the company said it had 7.28 million subscribers. T-Mobile counted 127 million customers in its most recent earnings release. Even if it meets those FCC milestones on time, there's much more work to be done.

Mattel accidentally linked a porn site on Wicked doll packaging (www.theverge.com)

Barbie producer Mattel has issued an apology after customers spotted that its Wicked edition dolls listed an adult website on the packaging. The toy merchandise mistakenly directed customers to the homepage of the Wicked Pictures pornographic movie studio, instead of the correct WickedMovie.com URL.

"We deeply regret this unfortunate error and are taking immediate action to remedy this," Mattel said in a statement to The Hollywood Reporter. "Parents are advised that the misprinted, incorrect website is not appropriate for children."

Mattel said that the dolls, which have been released to coincide with Universal's film adaptation of the Tony Award-winning musical, are primarily sold in the US and that the error was a misprint. It's unclear how many of the mislabeled toys, which are advertised for children aged four and up, have already been distributed to stores. According to The Hollywood Reporter, impacted products from the toy line are currently being pulled from shelves at various retailers including Walmart, Best Buy, and Amazon.

Mattel has advised customers who have already purchased the dolls, which retail for between $24.99 and $39.99, to discard the product packaging or obscure the link. Some are taking financial advantage of the blunder, however: products advertised to specifically include the printing error are being listed on eBay for hundreds of dollars.

Wicked serves as a prequel to The Wizard of Oz that's told from the perspective of the witches Elphaba (Cynthia Erivo) and Galinda (Ariana Grande). Part one of Wicked will debut in theaters on November 22nd, with a second film expected to release in November 2025.

MOS-Bench: A Comprehensive Collection of Datasets for Training and Evaluating Subjective Speech Quality Assessment (SSQA) Models (www.marktechpost.com)

A critical challenge in Subjective Speech Quality Assessment (SSQA) is enabling models to generalize across diverse and unseen speech domains. General-purpose SSQA models often perform poorly outside their training domain, because the different SSQA tasks, including text-to-speech (TTS), voice conversion (VC), and speech enhancement, have quite distinct data characteristics and scoring systems, which makes cross-domain performance hard to achieve. Effective generalization is necessary if SSQA is to stay aligned with human perception across these fields, yet many models remain limited to the data on which they were trained, which constrains their real-world utility in applications such as automated speech evaluation for TTS and VC systems.

Current SSQA approaches include both reference-based and model-based methods. Reference-based models evaluate quality by comparing speech samples with a reference. Model-based methods, especially deep neural networks (DNNs), learn directly from human-annotated datasets. Model-based SSQA has strong potential for capturing human perception more precisely, but it also shows some significant limitations:

- Generalization constraints: SSQA models often break down when tested on new out-of-domain data, resulting in inconsistent performance.
- Dataset bias and corpus effect: models may become too adapted to the peculiarities of a dataset, such as its scoring biases or data types, which makes them less effective across different datasets.
- Computational complexity: ensemble models increase the robustness of SSQA but also raise the computational cost compared with a single baseline model, making them impractical for real-time assessment in low-resource settings.

Together, these limitations hinder the development of SSQA models that generalize well across datasets and application contexts.

To address them, the researchers introduce MOS-Bench, a benchmark collection that includes seven training datasets and twelve test datasets across varied speech types, languages, and sampling frequencies. Alongside MOS-Bench, they propose SHEET, a toolkit that provides a standardized workflow for training, validating, and testing SSQA models. Combining MOS-Bench with SHEET allows SSQA models to be evaluated systematically, with a specific focus on their generalization ability. MOS-Bench takes a multi-dataset approach, combining data from different sources to expose a model to a wider range of conditions. A new performance metric, the best score difference/ratio, is also introduced to give a holistic assessment of SSQA model performance across these datasets. This not only provides a framework for consistent evaluation but also improves generalization, since models are brought into agreement with real-world variability, which is a notable contribution to SSQA.

The MOS-Bench collection consists of datasets with diverse sampling frequencies and listener labels, chosen to capture cross-domain variability in SSQA. Major datasets are:

- BVCC: an English dataset with samples from TTS and VC systems.
- SOMOS: speech quality data for English TTS models trained on LJSpeech.
- SingMOS: a singing voice dataset in Chinese and Japanese.
- NISQA: noisy speech samples that have been transmitted over communication networks.

The datasets span multiple languages, domains, and speech types, giving a broad training scope. MOS-Bench uses the SSL-MOS model and a modified AlignNet as backbones, relying on self-supervised learning (SSL) to obtain rich feature representations. SHEET takes the SSQA process a step further with data processing, training, and evaluation workflows. SHEET also includes retrieval-based scoring (non-parametric kNN inference) to improve the faithfulness of models. In addition, hyperparameter tuning, such as batch size and optimization strategies, is included to further improve model performance.

Using MOS-Bench and SHEET together yields substantial improvements in SSQA generalization across synthetic and non-synthetic test sets, to the point where models achieve high ranking accuracy and highly faithful quality predictions even on out-of-domain data. Models trained on MOS-Bench datasets such as PSTN and NISQA are highly robust on synthetic test sets, so the synthetic-focused data previously required for generalization is no longer needed. Visualizations further confirm that models trained on MOS-Bench capture a wide variety of data distributions and show better adaptability and consistency. These results establish MOS-Bench as a reliable benchmark that lets SSQA models deliver accurate performance across domains, increasing the effectiveness and applicability of automated speech quality assessment.

This methodology, through MOS-Bench and SHEET, tackles the generalization problem of SSQA with multiple datasets and a new evaluation metric. By reducing dataset-specific biases and enabling cross-domain applicability, it moves the frontiers of SSQA research and makes it possible for models to generalize effectively across applications. An important advance is that MOS-Bench gathers cross-domain datasets and pairs them with a standardized toolkit. The resources are now available for researchers to develop SSQA models that are robust across a variety of speech types and in real-world applications.

All credit for this research goes to the researchers of this project.

Aswin AK is a consulting intern at MarkTechPost. He is pursuing his Dual Degree at the Indian Institute of Technology, Kharagpur. He is passionate about data science and machine learning, bringing a strong academic background and hands-on experience in solving real-life cross-domain challenges.

Kevin Feige Delivers Updates on Blade, Scarlet Witch's Future, and When Miles Morales Will Be Introduced to the MCU (www.ign.com)

Marvel Studios boss Kevin Feige has issued a number of somewhat vague but tantalizing updates on various M.I.A. MCU projects and characters at D23 Brazil, the same event that showcased new Thunderbolts and Captain America: Brave New World trailers.

Let's start with Marvel's troubled Blade film, which Disney recently delayed from its announced November 2025 release date into some TBA release date. The delay to Blade came as little surprise given the behind-the-scenes drama it has suffered. In June, news surfaced that director Yann Demange had left the project, which will see Mahershala Ali portray the titular vampire slayer should it eventually get off the ground and into production. Demange's departure was the second time someone had vacated the director's chair, as Bassam Tariq previously relinquished the role because of a scheduling conflict that came to light before the movie was due to begin shooting. A report at the time claimed that Ali was frustrated with the movie's progress, with production grinding to a halt shortly after.

[Photo: Marvel Studios boss Kevin Feige at D23 Brazil. Photo by Ricardo Moreira/Getty Images for Disney.]

Now, speaking to Brazilian entertainment website Omelete, Feige provided an update on Blade, insisting the character will reach the MCU.

"We're committed to Blade," Feige said. "We love the character, we love Mahershala's version of him. And rest assured: whenever we change direction with a project, or are still trying to figure out how it fits into our schedule, we let the public know. You're up to date on what's going on. But I can tell you that the character will be coming to the MCU."

So, according to Feige, Mahershala Ali's Blade is still coming out eventually. But what of the future of Elizabeth Olsen's Scarlet Witch / Wanda Maximoff?

Warning! Spoilers for Doctor Strange in the Multiverse of Madness and Agatha All Along Season 1 follow.

Scarlet Witch apparently died at the end of 2022 MCU film Doctor Strange in the Multiverse of Madness, and failed to make a dramatic return in Disney+ show Agatha All Along, much to the disappointment of fans. Olsen recently confirmed she'd be up for playing Scarlet Witch once again, if there's a good way to use her. So, has Feige worked out a good way to use her?

Again, speaking to Omelete, Feige gave fans a tease that's already got Scarlet Witch fans excited.

"We had Agatha Forever on Disney+ just now, and that series was great for us," he said. "Since then, there have been a lot of questions about Wanda on fans' minds... So all I can say is that we're excited to find out when and how the Scarlet Witch might return."

That's not an outright confirmation that Scarlet Witch will return to the MCU, but it certainly sounds like Feige wants to make it work.

Moving on to Miles Morales, and Feige was more definitive, insisting that shortly after the third Spider-Verse movie, Spider-Man: Beyond the Spider-Verse, comes out, Miles will make his debut in the live-action MCU.

"Miles will appear in the third Spider Verse, which is currently in production," Feige told Omelete. "I hope that, shortly after that, he can enter the MCU in live-action."

Unfortunately, Spider-Man: Beyond the Spider-Verse does not have a release date. Indeed, some speculate it won't come out until 2027, so it may be a few years before we get to see Miles Morales in live-action. It's worth noting that Tom Holland's Spider-Man 4 comes out on July 24, 2026, just two months after Avengers: Doomsday. Avengers: Secret Wars releases on May 7, 2027.

And finally, Feige has hinted that it may also be some time before the X-Men make their long-awaited full-blown entry into the MCU, telling Omelete the X-Men will be an important part of the future following Secret Wars.

"When we were preparing for Avengers: Endgame years ago, it was a question of getting to the grand finale of our narrative, and then we had to start all over again after that," Feige said. "This time, on the road to Secret Wars, we already know very well what the story is going to be until then and afterwards. The X-Men are an important part of that future," he commented.

In October, Marvel Studios added three untitled movie projects to its 2028 release schedule: February 18, 2028; May 5, 2028; and November 10, 2028. It seems increasingly likely one of these movies is X-Men.

That's plenty to digest for MCU fans, but in the shorter term Marvel Studios has Captain America: Brave New World out in February 2025, Thunderbolts* out in May 2025, and TV shows Daredevil: Born Again out in March and Ironheart out in June. Phase 6 kicks off with The Fantastic Four: First Steps in July.

Wesley is the UK News Editor for IGN. Find him on Twitter at @wyp100. You can reach Wesley at wesley_yinpoole@ign.com or confidentially at wyp100@proton.me.

A 10/10 Masterpiece Drops Under 30, $34 Hogwarts, A New Low on Outlaws, and More! (www.ign.com)

Welcome back to another wonderful week of discounts with the guy who lives and breathes gaming. And not just any games, my friend: the best ones actually worth buying / playing / storing in a shameful pile to probably never be touched again. Personally, I'm all about the surprisingly early 30%+ discounts I'm seeing on Dragon Age Veilguard and Star Wars Outlaws. So maybe start saving there.

In retro news, I'm commemorating the 19th anniversary of Resident Evil 4, a port that blew PS2 owner minds like a .223 calibre Semi-Auto Rifle round to the melon. Though I'd already dropped about 60 hours incessantly replaying this via my (better looking and sounding) GameCube version, I recall being instantly re-smitten when I booted this on 'Station. The new big cherry on top? Separate Ways, a roughly 2.5-hour mini adventure that slipped us into the impractical heels of a TMP-packing Ada Wong. Truly, RE4 was in the top 3 games of a console flush with all-time greats. Anybody who skips the Remake is Ganados levels of loco. Happy Bday Resident Evil 4!

This Day in Gaming
- Age of Mythology (PC) 2002. Redux
- Resident Evil 4 (PS2) 2005. Redux
- Sonic Colors (DS, Wii) 2010. Redux

Nice Savings for Nintendo Switch

Octopath Traveler II: If you liked Octopath Traveler (or even any of the Bravely Default games), Octopath Traveler 2 is another good ol' fashioned 80-hour JRPG.
- Joy-Con Pair (-21%) - A$95
- Let's Sing 2024 2-Mic Bndl (-43%) - A$57
- Pro Controller (-21%) - A$79
- Hades (-60%) - A$15
- Transistor (-80%) - A$4.79

Expiring Recent Deals
- Lego Skywalker Saga Galactic (-75%) - A$28.73
- Mario & Luigi: Brothership (-21%) - A$62.95
- Detective Pikachu Returns (-23%) - A$53.95
- West of Loathing (-64%) - A$5.76
- Nickelodeon All-Star Brawl (-90%) - A$6.99
- No More Heroes (-70%) - A$8.98
Or gift a Nintendo eShop Card.

Switch Console Prices (How much to Switch it up?)
Switch Zelda: $629 → $509 | Switch Original: $499 → $428 | Switch OLED Black: $539 → $489 | Switch OLED White: $539 → $489 | Switch Lite: $329 → $293 | Switch Lite Hyrule: $339 → $309

Purchase Cheap for PC

Star Wars Collection: The Force is strong with this one! Get 14 epic games in one massive line-up with the Star Wars Collection.
- XCOM 2 (-95%) - A$2.99
- The Division Gold Ed. (-75%) - A$18.73
- Dead Space [2023] (-70%) - A$26.98
- Thrustmaster USAF Multiplat headset (-22%) - A$140
- Far Cry 6 (-75%) - A$22.48
- Metal Slug Bndl (-80%) - A$4.59

Expiring Recent Deals
- Disney-Pixar Cars (-100%) - FREE w/Prime
- Dishonored: Definitive Ed. (-100%) - FREE w/Prime
- BioShock: The Collection (-80%) - A$15.99
- Metro 2033 Redux (-90%) - A$2.99
- Metro Last Light (-90%) - A$2.99
- Metro Exodus (-90%) - A$4.49
- Battlefield 2042 (-92%) - A$7.19
Or just get a Steam Wallet Card.

PC Hardware Prices (Slay your pile of shame.)
Steam Deck (official launch in Nov): 256GB LCD: $649 | 512GB OLED: $899 | 1TB OLED: $1,049

Exciting Bargains for Xbox

Death Stranding Director's Cut: Well, here's a surprise release that nobody saw coming at all. Also, one of the weirdest games I've played in recent memory. Definitely do some investigation before you pull the trigger on this. A real love it or hate it proposition.

Expiring Recent Deals
- Metaphor: ReFantazio (-14%) - A$99
- FF XII: The Zodiac Age (-56%) - A$35.53
- Suicide Squad: KTJL (-69%) - A$36
- Jedi Survivor (-38%) - A$67.99
- The Quarry (-91%) - A$9
- The Outer Worlds (-67%) - A$14.95
Or just invest in an Xbox Card.

Xbox Console Prices (How many bucks for a 'Box?)
Series S Black: $549 → $513 | Series S White: $499 → $481 | Series X: $799 | Series S Starter: N/A

Pure Scores for PlayStation

Red Dead 2: "Combined with strong writing and direction, the result is a game that's sincere instead of satirical, and funny while remaining capable of some supremely well-earned emotional moments, especially throughout the excellent crescendo and epilogue." 10/10.
- Hogwarts Legacy (-66%) - A$34
- Witcher 3: Wild Hunt Complete (-55%) - A$34.95
- Star Wars Outlaws (-30%) - A$77
- Marvel's Spider-Man 2 (-21%) - A$99
- FF VII: Rebirth (-33%) - A$79.95

Expiring Recent Deals
- Dragon's Dogma 2 (-45%) - A$59
- Suicide Squad: KTJL (-69%) - A$36
- NBA 2K24 Kobe Ed. (-87%) - A$15
- Resi 4 Gold (-40%) - A$41.97
- Rayman Legends (-80%) - A$4.99
- Limbo/Inside Bndl (-75%) - A$10.23
Or purchase a PS Store Card.

PS5 Pro Enhanced Bargain (Need a cheap Pro showcase title?)
Demon's Souls - $124.95 → $104
Even without a Pro Enhancement, the visuals of this '24 remake of a '09 PS3 classic already knocked my chainmail socks off. That said, there is indeed a vaguely described "PS5 Pro" toggle in the Display Adjustment menu. It seems to be a 4K-like 60fps Fidelity Mode, which, I think, looks noticeably better than the base experience thanks to additional tessellation density and a new contact shadow system that adds finer micro-detail to stonework (which is everywhere). Basically, I'm fixing to replay this all over again now. As a busy reviewer who's always on The Next Thing, I need a bona fide reason to look backwards; PS5 Pro Enhancement feels (and looks) like a worthy one.

PlayStation Console Prices (What you'll pay to 'Station.)
PS5 Pro: $1,199 | PS5 Slim Disc: $799 → $795 | PS5 Slim Digital: $679 → $639 | PS VR2: $879 | PS VR2 + Horizon: $959 → $949 | PS Portal: $329

Legit LEGO Deals

Sonic: Amy's Island: 40 bucks off a 6-character set? That's worth every ring.

Expiring Recent Deals
- Minecraft The Frog House (-40%) - A$59.97
- Animal Crossing: Julian's Birthday (-40%) - A$12
- Star Wars C-3PO (-19%) - A$159

Adam Mathew is our Aussie deals wrangler. He plays practically everything, often on YouTube.

The Penguin Episode 8 Review: The Final Battle for Gotham's Streets (www.denofgeek.com)

This review contains spoilers for The Penguin episode 8.

By the end of the eighth and final episode of The Penguin, Sofia has become a very different person. No longer the morally conflicted daughter of mob boss Carmine Falcone, no longer the patsy sentenced to Arkham for her father's murder of seven women as the Hangman, she has become Sofia Gigante, and she appears to have won the gang war against Salvatore Maroni (now dead) and Oz.

So, of course, she monologues, telling a story to Oz and his mother Frances about a trio of birds she saw when she was a little girl. According to Sofia, the mother bird doted on the stronger of the two baby birds, at least until she went away one day and came back to find that the weaker bird had pushed the stronger one out of the nest before it could fly.

Of course, Sofia tells this story as part of her psychological game with Oz and Frances, referring to the former killing his brothers and the latter ignoring it. But the story also fits a show called The Penguin, and not just because it's about a flightless bird. Because The Penguin ended up being a series in which Cristin Milioti, a lesser-known performer playing an unknown character, ended up pushing the Academy Award-nominated Colin Farrell out of the spotlight.

To be clear, this is a good thing. A spinoff series from The Batman about the Penguin always reeked of corporate desperation, of the increasingly pathetic Warner Bros. studio trying to milk whatever it can from its hits to prop up its streaming service HBO Go HBO Max Max. While Colin Farrell absolutely popped as Oz in The Batman, he worked in part because the movie did not ask him to do any emotional heavy lifting. He could waddle and shout and call Batman Mr. Vengeance, and it provided a comic book break from a heavy film.

But after a few clunky opening episodes, it became clear that showrunner Lauren LeFranc had something more in mind than just the continuing adventures of the Penguin. Instead, she used the opportunity given to an HBO superhero show to make a show about the ability or inability of women to change a world ruined by, but still dominated by, patriarchy.

Written by LeFranc and directed by Jennifer Getzinger, the finale "A Great or Little Thing" brings an end to Sofia's failed attempt to break from her father's ways. She gets a bravado sequence in which she burns her father's house and belongings, staring imperiously while a rocking version of "In the Pines" (aka "Where Did You Sleep Last Night?") plays on the soundtrack. It's framed as a moment of triumph for Sofia, even as it raises questions about her ability to actually break from Carmine's model, a model that builds power on the backs of destroyed women. How will Sofia Gigante be different than Carmine Falcone?

Turns out, she doesn't have to worry about answering that question, because Oz comes back to seize control. While not quite as overt as Roman Sionis's misogynistic rallying cry at the climax of Birds of Prey, Oz gets all the small gangs to work against Sofia in part because she's a crazy woman. And so, the reign of Sofia Gigante comes to an end after she's betrayed by men, including the cops she thought she had bought, and put back in Arkham, once again under Julian's control.

LeFranc pairs this theme with the culmination of Oz's storyline with Frances. As seen in a flashback, Frances made a deal with old school gangster Rex Calabrese, Oz's hero, to kill the boy and rid her of, in her words, the devil in her house. Instead, she changes her mind at the last second, making Oz promise to give her the high life that she always wanted.

The Penguin presents Frances's final fate as an EC Comics style twist of fate. According to Oz, he did everything he did for her, including all of the backstabbing and murder and manipulation that we see throughout the series. Thus, she earns an ironic punishment, comatose and trapped in Oz's penthouse, for her callous power grabbing.

Of course, Oz didn't really want to do anything to Frances. Instead, he wanted a woman he could control, and Frances was the only one available. There's something haunting in the final scene, when Oz walks out of his mother's room and into the great room of his new digs to find Eve Karlo dressed as a younger Frances (she really is Clayface, it turns out). As the two dance together, she says again and again that she loves him and is proud of him. The real Frances would never say those words, so Oz forced Eve to become a version of Frances he could mold.

"A Great or Little Thing" elegantly brings the two storylines together and pairs their themes. But not everything works so well. The episode doesn't really resolve the wreckage of Sofia's bombing of the Bliss plant, an explosion small enough that Oz and others survive, despite being right next to it, but large enough to blow a giant hole in the center of Gotham. The explosion does give one last chance for Oz to show off his ability to manipulate, but it feels more like a narrative cul-de-sac that preserves the wreckage of Riddler's attack. By not dealing with the explosion, The Penguin lets those who go into The Batman 2 having only seen the previous movie think that they're just dealing with another Riddler bomb.

Speaking of cul-de-sacs, Vic's storyline proves to be a big nothing, as he's strangled by Oz just when he thinks that the two have bonded. The show set up Vic as Oz's foil, another boy forced into a violent system that wouldn't give him a fair shake otherwise. But when Oz suffocates the kid, he proves that he was never like Vic at all. He wasn't a good kid forced into a bad situation. He was just evil.

Getzinger holds on the shot of Oz's disgusting, twisted face as he strangles the life out of Vic, making sure everyone knows that he's a monster. But here's the thing: we never really doubted that he was a monster. He never seemed sympathetic, even when the show wanted so badly for Vic to add shades to what was clearly a one-note character.

In the end, Victor best represents what The Penguin could have been (the show, not the person). The series could have been just more Batman content, devoting way too much time to a character who doesn't have enough depth to carry it. And, to be clear, The Penguin sometimes was that empty series. The entire sequence of Oz's men killing the heads of Gotham families feels like a poor cover of the baptism scene from The Godfather.

To the credit of LeFranc and her collaborators, The Penguin proved itself much more. The world didn't need another show about a sad-sack, one dimensional Batman villain, but it did need a show about a woman vying for power that could never be hers. In the end, I'm grateful that The Penguin became that show, even if it had to push the Penguin out of the nest to do it.

All eight episodes of The Penguin are now streaming on Max.

THN Recap: Top Cybersecurity Threats, Tools, and Practices (Nov 04 - Nov 10)
thehackernews.com

Imagine this: the very tools you trust to protect you online, your two-factor authentication, your car's tech system, even your security software, turned into silent allies for hackers. Sounds like a scene from a thriller, right? Yet, in 2024, this isn't fiction; it's the new cyber reality. Today's attackers have become so sophisticated that they're using our trusted tools as secret pathways, slipping past defenses without a trace.

For banks, this is especially alarming. Today's malware doesn't just steal codes; it targets the very trust that digital banking relies on. These threats are more advanced and smarter than ever, often staying a step ahead of defenses.

And it doesn't stop there. Critical systems that power our cities are at risk too. Hackers are hiding within the very tools that run these essential services, making them harder to detect and harder to stop. It's a high-stakes game of hide-and-seek, where each move raises the risk.

As these threats grow, let's dive into the most urgent security issues, vulnerabilities, and cyber trends this week.

Threat of the Week

FBI Probes China-Linked Global Hacks: The FBI is urgently calling for public assistance in a global investigation into sophisticated cyber attacks targeting companies and government agencies. Chinese state-sponsored hacking groups, identified as APT31, APT41, and Volt Typhoon, have breached edge devices and computer networks worldwide. Exploiting zero-day vulnerabilities in edge infrastructure appliances from vendors like Sophos, these threat actors have deployed custom malware to maintain persistent remote access and repurpose compromised devices as stealthy proxies. This tactic allows them to conduct surveillance, espionage, and potentially sabotage operations while remaining undetected.

Tips for Organizations:

Update and Patch Systems: Immediately apply the latest security updates to all edge devices and firewalls, particularly those from Sophos, to mitigate known vulnerabilities like CVE-2020-12271, CVE-2020-15069, CVE-2020-29574, CVE-2022-1040, and CVE-2022-3236.

Monitor for Known Malware: Implement advanced security solutions capable of detecting malware such as Asnark, Gh0st RAT, and Pygmy Goat. Regularly scan your network for signs of these threats.

Enhance Network Security: Deploy intrusion detection and prevention systems to monitor for unusual network activity, including unexpected ICMP traffic that could indicate backdoor communications.

Top News

Android Banking Trojan ToxicPanda Targets Europe: A new Android banking trojan dubbed ToxicPanda has been observed targeting over a dozen banks in Europe and Latin America. It's so named for its Chinese roots and its similarities with another Android-focused malware named TgToxic. ToxicPanda comes with remote access trojan (RAT) capabilities, enabling the attackers to conduct account takeover attacks and on-device fraud (ODF). Besides obtaining access to sensitive permissions, it can intercept one-time passwords received by the device via SMS or those generated by authenticator apps, which enables the cybercriminals to bypass multi-factor authentication. The threat actors behind ToxicPanda are likely Chinese speakers.

VEILDrive Attack Exploits Microsoft Services: An ongoing threat campaign dubbed VEILDrive has been observed taking advantage of legitimate services from Microsoft, including Teams, SharePoint, Quick Assist, and OneDrive, as part of its modus operandi. In doing so, it allows the threat actors to evade detection. The attack has so far been spotted targeting an unnamed critical infrastructure entity in the U.S. It's currently not known who is behind the campaign.

Crypto Firms Targeted with New macOS Backdoor: The North Korean threat actor known as BlueNoroff has targeted cryptocurrency-related businesses with a multi-stage malware capable of infecting Apple macOS devices. Unlike other recent campaigns linked to North Korea, the latest effort uses emails propagating fake news about cryptocurrency trends to infect targets with a backdoor that can execute attacker-issued commands. The development comes as the APT37 North Korean state-backed group has been linked to a new spear-phishing campaign distributing the RokRAT malware.

Windows Hosts Targeted by QEMU Linux Instance: A new malware campaign codenamed CRON#TRAP is infecting Windows systems with a Linux virtual instance containing a backdoor capable of establishing remote access to the compromised hosts. This allows the unidentified threat actors to maintain a stealthy presence on the victim's machine.

AndroxGh0st Malware Integrates Mozi Botnet: The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, alongside deploying the Mozi botnet malware. While Mozi suffered a steep decline in activity last year, the new integration has raised the possibility of an operational alliance, allowing it to propagate to more devices than ever before.

Trending CVEs

Recently trending CVEs include: CVE-2024-39719, CVE-2024-39720, CVE-2024-39721, CVE-2024-39722, CVE-2024-43093, CVE-2024-10443, CVE-2024-50387, CVE-2024-50388, CVE-2024-50389, CVE-2024-20418, CVE-2024-5910, CVE-2024-42509, CVE-2024-47460, CVE-2024-33661, CVE-2024-33662. Each of these vulnerabilities represents a significant security risk, emphasizing the importance of regular updates and monitoring to protect data and systems.
Around the Cyber World

Unpatched Flaws Allow Hacking of Mazda Cars: Multiple security vulnerabilities identified in the Mazda Connect Connectivity Master Unit (CMU) infotainment unit (from CVE-2024-8355 through CVE-2024-8360), which is used in several models between 2014 and 2021, could allow for execution of arbitrary code with elevated permissions. Even more troublingly, they could be abused to obtain persistent compromise by installing a malicious firmware version and gain direct access to the connected controller area networks (CAN buses) of the vehicle. The flaws remain unpatched, likely because they all require an attacker to physically insert a malicious USB into the center console. "A physically present attacker could exploit these vulnerabilities by connecting a specially crafted USB device such as an iPod or mass storage device to the target system," security researcher Dmitry Janushkevich said. "Successful exploitation of some of these vulnerabilities results in arbitrary code execution with root privileges."

Germany Drafts Law to Protect Researchers Reporting Flaws: The Federal Ministry of Justice in Germany has drafted a law to provide legal protection to researchers who discover and responsibly report security vulnerabilities to vendors. "Those who want to close IT security gaps deserve recognition, not a letter from the prosecutor," the ministry said. "With this draft law, we will eliminate the risk of criminal liability for people who take on this important task." The draft law also proposes a penalty of three months to five years in prison for severe cases of malicious data spying and data interception that include acts motivated by profit, those that result in substantial financial damage, or those that compromise critical infrastructure.

Over 30 Vulnerabilities Found in IBM Security Verify Access: Nearly three dozen vulnerabilities have been disclosed in IBM Security Verify Access (ISVA) that, if successfully exploited, could allow attackers to escalate privileges, access sensitive information, and compromise the entire authentication infrastructure. The vulnerabilities were found in October 2022 and were communicated to IBM at the beginning of 2023 by security researcher Pierre Barre. A majority of the issues were eventually patched at the end of June 2024.

Silent Skimmer Actor Makes a Comeback: Organizations that host or create payment infrastructure and gateways are being targeted as part of a new campaign mounted by the same threat actors behind the Silent Skimmer credit card skimming campaign. Dubbed CL-CRI-0941, the activity is characterized by the compromise of web servers to gain access to victim environments and gather payment information. "The threat actor gained an initial foothold on the servers by exploiting a couple of one-day Telerik user interface (UI) vulnerabilities," Palo Alto Networks Unit 42 said. The flaws include CVE-2017-11317 and CVE-2019-18935. Some of the other tools used in the attacks are reverse shells for remote access, tunneling and proxy utilities such as Fuso and FRP, GodPotato for privilege escalation, and RingQ to retrieve and launch the Python script responsible for harvesting the payment information to a .CSV file.

Seoul Accuses Pro-Kremlin Hacktivists of Targeting South Korea: As North Korea joins hands with Russia in the ongoing Russo-Ukrainian War, DDoS attacks on South Korea have ramped up, the President's Office said. "Their attacks are mainly private-targeted hacks and distributed denial-of-service (DDoS) attacks targeting government agency home pages," according to a statement. "Access to some organizations' websites has been temporarily delayed or disconnected, but aside from that, there has been no significant damage."

Canada Predicts Indian State-Sponsored Attacks amid Diplomatic Feud: Canada has identified India as an emerging cyber threat in the wake of growing geopolitical tensions between the two countries over the assassination of a Sikh separatist on Canadian soil. "India very likely uses its cyber program to advance its national security imperatives, including espionage, counterterrorism, and the country's efforts to promote its global status and counter narratives against India and the Indian government," the Canadian Centre for Cyber Security said. "We assess that India's cyber program likely leverages commercial cyber vendors to enhance its operations."

Apple's New iOS Feature Reboots iPhones after 4 Days of Inactivity: Apple has reportedly introduced a new security feature in iOS 18.1 that automatically reboots iPhones that haven't been unlocked for a period of four days, according to 404 Media. The newly added code, called "inactivity reboot," triggers the restart so as to revert the phone to a more secure state called "Before First Unlock" (aka BFU), which forces users to enter the passcode or PIN in order to access the device. The new feature has apparently frustrated law enforcement efforts to break into the devices as part of criminal investigations. Apple has yet to formally comment on the feature.

Resources, Guides & Insights

Expert Webinar

Turn Boring Cybersecurity Training into Engaging, Story-Driven Lessons
Traditional cybersecurity training is outdated. Huntress SAT is using storytelling to make learning engaging, memorable, and effective. Gamification + phishing defense = a game-changing approach to security.
Ready to transform your team's security awareness? Join the webinar NOW!

How Certificate Revocations Impact Your Security (and How to Fix It Fast)
Certificate revocations can disrupt operations, but automation is the game-changer! Discover how rapid certificate replacement, crypto agility, and proactive strategies can keep your systems secure with minimal downtime.

Cybersecurity Tools

P0 Labs recently announced the release of new open-source tools designed to enhance detection capabilities for security teams facing diverse attack vectors.

YetiHunter - Detects indicators of compromise in Snowflake environments.
CloudGrappler - Queries high-fidelity, single-event detections related to well-known threat actors in cloud environments like AWS and Azure.
DetentionDodger - Identifies identities with leaked credentials and assesses potential impact based on privileges.
BucketShield - A monitoring and alerting system for AWS S3 buckets and CloudTrail logs, ensuring consistent log flow and audit-readiness.
CAPICHE Detection Framework (Cloud API Conversion Helper Express) - Simplifies cloud API detection rule creation, supporting defenders in creating multiple detection rules from grouped APIs.

Tip of the Week

Strengthen Security with Smarter Application Whitelisting

Lock down your Windows system like a pro by using built-in tools as your first line of defense. Start with Microsoft Defender Application Control and AppLocker to control which apps can run - think of it as a bouncer that only lets trusted apps into your club. Keep an eye on what's happening with Sysinternals Process Explorer (it's like CCTV for your running programs) and use Windows Security Center to guard your browsers and folders. For older Windows versions, Software Restriction Policies (SRP) will do the job. Remember to set up alerts so you know when something suspicious happens.

Don't trust any app until it proves itself - check for digital signatures (like an app's ID card) and use PowerShell safely by requiring signed scripts only. Keep risky apps in a sandbox (like Windows Sandbox or VMware) - it's like a quarantine zone where apps can't hurt your main system. Watch your network with Windows Firewall and GlassWire to spot any apps making suspicious connections. When it's time for updates, test them in a safe space first using Windows Update management tools. Keep logs of everything using Windows Event Forwarding and Sysmon, and review them regularly to spot any trouble. The key is layering these tools - if one fails, the others will catch the threat.

Conclusion

As we face this new wave of cyber threats, it's clear that the line between safety and risk is getting harder to see. In our connected world, every system, device, and tool can either protect us or be used against us. Staying safe now means more than just better defenses; it means staying aware of new tactics that change every day. From banking to the systems that keep our cities running, no area is immune to these risks.

Moving forward, the best way to protect ourselves is to stay alert, keep learning, and always be ready for the next threat. Don't forget to subscribe for our next edition.
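Three of the steps in the Tip of the Week above (checking programs' digital signatures, requiring signed PowerShell scripts only, and reviewing logs for trouble) put into one script, as an added PowerShell example that is not from the article or from Microsoft. The output path in $Report is an assumption; the AppLocker log name and event IDs 8003/8004 are the ones Windows itself writes.

```powershell
# Added example, not from the article: audit running programs for missing or
# invalid Authenticode signatures (the "ID card" check), require signed
# PowerShell scripts only, and review AppLocker's audit/block events.
# Run in an elevated PowerShell session. $Report is an assumed output path.

$Report = Join-Path $env:TEMP 'unsigned-processes.csv'

# Unique image paths of running processes; Path is empty for protected
# system processes we are not allowed to inspect, so those are skipped.
$Paths = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    Select-Object -ExpandProperty Path -Unique

$Findings = foreach ($p in $Paths) {
    $sig = Get-AuthenticodeSignature -FilePath $p -ErrorAction SilentlyContinue
    # Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...)
    # means the binary could not prove who published it.
    if ($null -eq $sig -or $sig.Status -ne 'Valid') {
        [pscustomobject]@{
            Path   = $p
            Status = if ($sig) { $sig.Status } else { 'Unreadable' }
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            SHA256 = (Get-FileHash -Path $p -Algorithm SHA256).Hash
        }
    }
}

# Keep a record for later comparison, then show it on screen.
$Findings | Export-Csv -Path $Report -NoTypeInformation
$Findings | Sort-Object Status, Path | Format-Table -AutoSize

# "Use PowerShell safely by requiring signed scripts only": AllSigned makes
# every .ps1, including locally written ones, require a trusted signature.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
Get-ExecutionPolicy -List   # confirm no narrower scope overrides it

# Review AppLocker decisions: 8003 = would have been blocked (audit mode),
# 8004 = blocked (enforce mode). Nothing is returned until a policy exists.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003, 8004
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Run the audit before enabling AppLocker enforcement: every unsigned path it reports is either something to allow by hash or something that should not be running.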
The ROI of Security Investments: How Cybersecurity Leaders Prove It
thehackernews.com
Nov 11, 2024 | The Hacker News | Cyber Resilience / Offensive Security

Cyber threats are intensifying, and cybersecurity has become critical to business operations. As security budgets grow, CEOs and boardrooms are demanding concrete evidence that cybersecurity initiatives deliver value beyond regulatory compliance.

Just as you wouldn't buy a car without knowing it had first been put through a crash test, security systems must also be validated to confirm their value. There is an increasing shift towards security validation, as it allows cyber practitioners to safely use real exploits in production environments to accurately assess the efficiency of their security systems and identify critical areas of exposure, at scale. We met with Shawn Baird, Associate Director of Offensive Security & Red Teaming at DTCC, to discuss how he effectively communicates the business value of his security validation practices and tools to his upper management. Here is a drill down into how Shawn made room for security validation platforms within his already tight budget and how he translated technical security practices into tangible business outcomes that have driven purchase decisions in his team's favor.

Please note that all responses below are solely the opinions of Shawn Baird and do not represent the beliefs or opinions of DTCC and its subsidiaries.

Q: What value does Security Validation bring to your organization?

Security Validation is about putting your defenses to the test, not against theoretical risks, but actual real-world attack techniques. It's a shift from passive assumptions of security to active validation of what works. It tells me the degree to which our systems can withstand the same tactics cybercriminals use today.

For us at DTCC, we've been doing security validation for a long time, but we were looking for tech that would serve as a performance amplifier. Instead of relying solely on expensive, highly-skilled engineers to carry out manual validations across all systems, we could focus our elite teams on high-value, targeted red-teaming exercises. The automated platform has built-in content of TTPs for conducting tests, covering techniques like Kerberoasting, network scanning, brute forcing, etc., relieving the team from having to create this. Tests are executed even outside regular business hours so we are not confined to standard testing windows. This approach meant we weren't stretching our security staff thin on repetitive tasks. Instead, they could focus on more complex attack scenarios and critical issues. Pentera gave us a way to maintain continuous validation across the board, without burning out our most skilled engineers on tasks that could be automated. In essence, it's become a force multiplier for our team. It goes a long way to improve our ability to stay ahead of threats while optimizing the use of our top talent.

Q: How did you justify the ROI of an investment in an Automated Security Validation platform?

First and foremost, we see a direct increase in our team's productivity. Automating time-consuming manual assessments and testing tasks was a game changer. By shifting these repetitive and effort-intensive tasks to Pentera, our skilled engineers could focus on more complex work. And without needing additional headcount we could significantly expand the scope of tests.

Second, we're able to reduce the cost of third-party contractors. Traditionally, we relied heavily on external expert contractors, which can be costly and often limited in scope. With human expertise built into a platform like Pentera, we reduced our dependence on expensive service engagements. Instead, we have internal staff - analysts with less expertise - running effective tests.

Finally, there's a clear benefit of risk reduction. By continuously validating our security posture, we can significantly reduce the probability of a breach and the potential cost of a breach, if it occurs. IBM's 2023 Cost of a Data Breach report confirms this, reporting an 11% reduction in breach costs for organizations using proactive risk management strategies. With Pentera, we achieved just that: less exposure, faster detection, and quicker remediation, all of which contributed to lowering our overall risk profile.

Q: What were some of the internal roadblocks or hurdles you encountered?

One of the key hurdles we faced was friction from the architectural review board. Understandably, they had concerns about running automated exploits on our network, even though the platform is 'safe-by-design'. The idea of running real-world attacks in production environments can be unnerving, especially for teams responsible for the stability of critical systems.

To address this, we took a phased approach. We started by running the platform on a reduced attack surface, targeting less critical systems to demonstrate its safety and effectiveness. Next, we expanded its use during a red team engagement, running it alongside our existing testing processes. Over time, we're incrementally expanding the scope, proving the platform's reliability and safety at each stage. This gradual rollout helped build confidence without risking major disruptions, so now trust in the platform is fairly well established.

Q: How did you allocate the funds?

We allocated the funds for Pentera under the same line item as our red teaming tools, grouped with other solutions like Rapid7 and vulnerability scanners. By positioning it alongside offensive security tools, the budgeting process was kept straightforward.

We looked specifically at our cost for assessing our environment's susceptibility to a ransomware attack. Previously, we spent $150K annually on ransomware scans, but with Pentera, we could test more frequently at the same budget. This reallocation of funds made sense because it hit our key criteria, mentioned earlier: improving productivity by increasing our testing capacity without needing to hire, and reducing risk with more frequent and larger-scale testing, lowering the chances of a ransomware attack and limiting the damage if one occurs.

Q: What other considerations came into play?

A few other factors influenced our decision to invest in Automated Security Validation. Employee retention was a big one. Like I said before, automating repetitive tasks kept our cybersecurity experts focused on more challenging, impactful work, which I believe has helped us retain their talent.

Improvement in security operations was another point. Pentera helps us ensure our controls are properly tuned and validated; it also helps coordination between red teams, blue teams, and the SOC. From a compliance standpoint, it made it easier to compile evidence for audits - allowing us to get through the process much faster than we would otherwise. Finally, cyber insurance is another area where Pentera has added further financial value by enabling us to lower our premiums.

Q: Advice to other security professionals trying to get a budget for security validation?

The performance value of Automated Security Validation is clear. Most organizations don't have the internal resources to conduct mature red teaming. Whether you have a small security team or a mature offensive security practice like we do at DTCC, it's very likely that you do not have enough security expert resources to do a full assessment. If you don't find anything, no proof of a malicious insider in your network, you can't demonstrate resilience - making it harder to achieve regulatory compliance. With Pentera, you have built-in TTPs, giving you a direct path to assess how well your organization responds to threats. Based on that validation you can harden your infrastructure and address discovered vulnerabilities.

The alternative, doing nothing, is far riskier. The cost of a breach can result in stolen IP, lost data, and potentially shutting down operations. On the other hand, the cost of the tool brings peace of mind knowing you've reduced your exposure to real-world threats and the ability to sleep better at night.

Watch the full on-demand webinar with Shawn Baird, Associate Director of Offensive Security & Red Teaming at DTCC, and Pentera Field CISO, Jason Mar-Tang.

This article is a contributed piece from one of our valued partners.
Security Flaws in Popular ML Toolkits Enable Server Hijacks, Privilege Escalation
thehackernews.com
Nov 11, 2024 | Ravie Lakshmanan | Machine Learning / Vulnerability

Cybersecurity researchers have uncovered nearly two dozen security flaws spanning 15 different machine learning (ML) related open-source projects.

These comprise vulnerabilities discovered both on the server- and client-side, software supply chain security firm JFrog said in an analysis published last week.

The server-side weaknesses "allow attackers to hijack important servers in the organization such as ML model registries, ML databases and ML pipelines," it said.

The vulnerabilities, discovered in Weave, ZenML, Deep Lake, Vanna.AI, and Mage AI, have been broken down into broader sub-categories: remotely hijacking model registries, hijacking ML database frameworks, and taking over ML pipelines.

A brief description of the identified flaws is below -

CVE-2024-7340 (CVSS score: 8.8) - A directory traversal vulnerability in the Weave ML toolkit that allows for reading files across the whole filesystem, effectively allowing a low-privileged authenticated user to escalate their privileges to an admin role by reading a file named "api_keys.ibd" (addressed in version 0.50.8)

An improper access control vulnerability in the ZenML MLOps framework that allows a user with access to a managed ZenML server to elevate their privileges from a viewer to full admin privileges, granting the attacker the ability to modify or read the Secret Store (no CVE identifier)

CVE-2024-6507 (CVSS score: 8.1) - A command injection vulnerability in the Deep Lake AI-oriented database that allows attackers to inject system commands when uploading a remote Kaggle dataset due to a lack of proper input sanitization (addressed in version 3.9.11)

CVE-2024-5565 (CVSS score: 8.1) - A prompt injection vulnerability in the Vanna.AI library that could be exploited to achieve remote code execution on the underlying host

CVE-2024-45187 (CVSS score: 7.1) - An incorrect privilege assignment vulnerability that allows guest users in the Mage AI framework to remotely execute arbitrary code through the Mage AI terminal server, because they have been assigned high privileges and remain active for a default period of 30 days despite deletion

"Since MLOps pipelines may have access to the organization's ML Datasets, ML Model Training and ML Model Publishing, exploiting an ML pipeline can lead to an extremely severe breach," JFrog said. "Each of the attacks mentioned in this blog (ML Model backdooring, ML data poisoning, etc.) may be performed by the attacker, depending on the MLOps pipeline's access to these resources."

The disclosure comes over two months after the company uncovered more than 20 vulnerabilities that could be exploited to target MLOps platforms.

It also follows the release of a defensive framework codenamed Mantis that leverages prompt injection as a way to counter cyber attacks driven by large language models (LLMs), with more than 95% effectiveness.

"Upon detecting an automated cyber attack, Mantis plants carefully crafted inputs into system responses, leading the attacker's LLM to disrupt their own operations (passive defense) or even compromise the attacker's machine (active defense)," a group of academics from George Mason University said. "By deploying purposefully vulnerable decoy services to attract the attacker and using dynamic prompt injections for the attacker's LLM, Mantis can autonomously hack back the attacker."