ELLE DECOR A-List designer Elizabeth Graziolo, of Yellow House Architects, was in a downtown Grand Rapids, Michigan, hotel when she had an epiphany. Wow, its starting to feel like a lot of the same thing, she recalls thinking as she took in the spaces white oak furniture, brass finishes, and warm tones.Graziolo conceded that she and her team too were guilty of these choices in some of their projects, but that it was fine time for a literal palette cleanser. I was sitting in that lounge, waiting for my room, and thinking that I need to talk to my team. We have to be ahead of the curve and figure out like what else is coming out. What else do we want to be?Trends, as it happens, can be a designers worst nightmare, manifesting in downtown hotels, yes, but also in scarily same-same Instagram feeds. It seems that most industry professionals are skeptical of fleeting fascinations because theyre just thatfleeting. In that spirit, weve tapped interiors experts, A-List designers, and trend forecasters to predict what home decor trends, precisely, will be out in 2025. We promisethis will spare you from making design decisions that will go out of style faster than you can say white boucl armchair.Skip SectionJump toMindless MaximalismFernando Bengoechea//Getty ImagesPattern on pattern for days? Its time to ease up a bit.Were all about playful experimentation, which includes soaking spaces in color (something many of our A-Listers, like Uchronias Julien Seban and Martyn Lawrence Bullard, are known and celebrated for), but next year will be the year of cutting back on maximalism, mindfully. Per ELLE DECOR A-List designer Jessica Davis: [Clients are] tiring of granny chicpattern on pattern on pattern. I think pattern play and even Memphis modern items were a reaction to everything being neutral and greige, but now people are pulling back on that a bit.With color-happy decor, it's all too easy to go overboard. Striking a Goldilocks balance lies in making selections that are a result of your own tastes and desires, not those of your TikTok FYPs latest players. While [maximalism] might be in decline when addressed from a flamboyant, over-the-top, and more-is-more point of view...a more curated take to maximalism will remain relevant in 2025, says Gemma Riberti, head of interiors at WGSN, one of the worlds top trend forecasting agencies. This means focusing on the narrative, with a craft-driven and resourceful mix-and-match approach to pattern, material, and styling.In other words, maximalism itself wont face a total downfallrather, maximalism sans curation has no chance. Anthony Barzilay Freund, editorial director at e-commerce powerhouse 1stDibs, echoes that sentiment: We continue to be drawn to spaces that envelop us in rich narratives achieved through the artful curation of unique pieces. Emphasis on artful.Vanilla Girl Boucl Aesthetic FollowTheFlow//Getty ImagesThis just in: 2025s design ethos is going to shun the vanilla girl aesthetic in favor of color and authentic curation.The end of greige interiors or a kind of white-box-gallery vibe has been years in the making, but 2025 is when a particular subset of this stylethat of the hot-on-TikTok vanilla girl, who loves creamy neutrals, owns a boucl accent chair, and always seems to have a luxury candle litis finally getting killed off. Designers everywhere, including Seban, are sighing in relief.Im so tired of the white boucl! he tells ELLE DECOR. Clients are [also] increasingly tired of generic, cookie-cutter designeverything looking the same, especially in Instagrammable interiors. They want spaces that feel unique and authentic. They want more color in their life.While boucl as a material might have staying power, it will appear in a different, bolder form than what youre used tosomething the ELLE DECOR team spotted at this years Milan Design Week. Boucl is here to stay, though were seeing new versions of it with thicker pile and in different colorsthe skimpy cream and off-white boucls feel down-market, ELLE DECOR A-List designer Oliver Furth told us earlier, and we couldnt agree more. Home OfficesMorsa Images//Getty ImagesOne day, well all forget that nailing down the perfect Zoom background was even a thing. The year 2025 will mark five whole years since Covid usurped our normal ways of being, and people are all too eager to part with its relics. Companies everywhere are rolling back lenient WFH schedules and demanding in-person presence, so the era of home offices, it seems, is over. 1stDibss report highlights the following: Only 13 percent of designers expect that home office renovations will be their most requested projects in 2025, down from 32 percent for 2023.Real estate giant Zillow predicts the same. According to Zillows home trends expert Amanda Pendleton, Zoom rooms are falling out of favor with home buyersbased on data pulled from millions of listings on the site. As more workers return to their offices, the Zoom room is now appearing in 34 percent fewer Zillow listings, Pendleton shares. Thats not to say specialty rooms are disappearing for good. In fact, British designer Nicola Harding has direct proof of the contrary. Im seeing more craft spaces where people really feel like they can exercise their creativity, like an art studio in a house. Also music rooms...where they can listen to interesting music, she says. I think people want these different moments in their house: things that create experiences.Cottagecore Kitchens Andreas von Einsiedel//Getty ImagesRustic, cottagecore kitchens are getting a reality check come 2025.Kitchens are rooms that receive as much foot traffic as they do unsolicited opinions about how any given one must and throw it If youre like us, your immediate associations with this aesthetic feature one (or all) of the following ingredients: a spacious farmhouse sink, brass hardware, a sprinkling of wood elements, and a collection of exposed pots and pans. All this, as it turns out, is old news. In her work, Davis is witnessing the decline of brushed gold faucets, knobs, and the like. Zillows data expands this beyond just gold: The share of listings mentioning chrome and satin nickel is down 13 percent and 12 percent, respectively, shares Pendleton. And what of cabinetryone of the most essential make-or-break aspects of a culinary space? It looks like shabby chicadjacent curtain fronts or fabric skirts that sub in for cabinet doors will not be starring in the next season of your kitchen's show, particularly if they boast a scalloped edge. This kind of curtain thing has been doing the rounds and is certainly a useful solution in places where you want to hide things, Harding says. But you need to think about the practical aspect of it getting caught on doors or getting dirty or someone using it as a tea towel.As for the frilly edges, Davis puts it best: Im tired of scallops! They had their day.70s Color PalettesH. Armstrong Roberts/ClassicStock//Getty ImagesThis vignette looks straight out of Halstons house, and while we saw the appeal this year, retro interiors will favor Y2K. We wont judge those that are wearing 70s-inspired bell bottoms and corduroy jackets, but as far as home decor is concerned, were moving on from the #70s hashtag on TikTok and into the future. Retro will favor a mixing and matching of epochslooking at 1990s and early Y2K aesthetics, WGSNs Riberti tells ELLE DECOR, adding that a similar shift can be witnessed in todays fashion sensibilities.This will be particularly palpable in the color department. Rich, dark colors are supplanting the relaxed 1970s paletteof rust, mustard, and olivethat recently dominated, Barzilay Freund insists. Does this mean bright tones should be on your 2025 radar? Time will tell, but Davis thinks it just might be the factory reset, so to say, that youre looking for: Instead of a ton of pattern, people are really diving into rich colors with jewel undertones.If youre running to repaint your walls after this intel, though, you might not want to go with green (sorry, Charli). After several years of various shades of green topping the [1stDibs] survey, greens appeal is not evergreenthis year it was supplanted by chocolate brown as the top color choice of surveyed designers," says Barzilay Freund.If there are any parting words we want to leave you with in terms of how to tap into timelessness when creating a home for yourself, its these wise ones told to us by Julien Saban: Focus on creating spaces that reflect personal history, local craftsmanship, and lasting quality. Use fewer but better materials, and choose design pieces with enduring character, not just whats popular right now. Timeless style grows out of authenticity and restraint.New Years resolutions? Made.Stacia DatskovskaAssistant Digital EditorStacia Datskovska is the assistant digital editor at ELLE DECOR, where she covers news, trends, and ideas in the world of design. She also writes product reviews (like roundups of the top firepits or sheet sets)infusing them with authority and wit. As an e-commerce intern at Mashable, Stacia wrote data-driven reviews of everything from e-readers to stationary bikes to robot vacuums. Stacias culture and lifestyle bylines have appeared in outlets like USA Today, Boston Globe, Teen Vogue, Food & Wine, and Brooklyn Magazine.

When designers Robin Standefer and Stephen Alesch describe the light fixtures theyve created since starting their firm Roman and Williams 22 years ago, they speak of them endearingly, as if they were zany aunts, uncles, and cousins. Woodruma wood lamp with a slotted shadeis heavy and grumpy, per Alesch, while Oscara pendant with a gleaming, disclike brass shade is friendly, chubby, and gregarious. Felixa more angular variationis a little edgier.Its a family tree, Standefer says.Robert WrightBeginning this week in New York, Standefer and Alesch are staging a family reunion of sorts through a poetic new installation installed in a stately Queen Annestyle warehouse. The exhibition, titled A Certain Slant of Light, showcases 100 lights that the ELLE DECOR A-List Titans have designed for Roman and Williams Guild (their studios product arm) by suspending themconstellation-likefrom the ceiling of a towering, triple-height room.Lighting has been a category that really captivates us, Standefer explains. It just has a combination of art and science that Steven and I love. After more than two decades designing, experimenting, and obsessing over lights, the pair thought, This is career spanning, and it's time.Lighting has been a category that really captivates us.Not only is A Certain Slant of Light a celebration of Roman and Williamss achievements in lighting design, but its also an homage to the changing of the seasons. The name of the exhibition, in fact, is derived from an Emily Dickinson poem. Standefer remembers the poem from her days at Smith College, where she studied art. I remember not only this poem, but also several poems about light, the mood of the season, and about the life and death of plants, she says.The perfect antidote to winters gloom? A room illuminated by the warm glow of dozens of fixtures. There's something uplifting and strong about having all these lights together, like a night sky in one place, she adds.Robert WrightStarting Tuesday, A Certain Slant of Light will be free and open to the public to experience. As soon as they step into the soaring space at 6 Harrison Street, visitors are welcome to sprawl on Roman and Williams chairs to gaze upward at the various glimmering discs and orbs, or sit quietly and contemplate the fading autumn rays stream through the arched Romanesque windows.The installation includes a dozen newcomers to the Roman and Williams clan. Theres the Axil pendant (a cousin of Oscar) with concentric glass diffusers and a polished brass shade made in a 150-year-old French workshop; the delicate Seed, with its aubergine glass shade and cast-bronze chain; and the hand-carved alabaster Petra pendant. Then theres the prim-and-proper Dahlia table lamp, with a demure alabaster shade that Emily Dickinson herself would have definitely approved of.Everybody, says Standefer, is here.Anna FixsenDeputy Digital EditorAnna Fixsen is the deputy digital editor of ELLE DECOR, where she oversees all facets of ElleDecor.com. In addition to editing articles and developing digital strategy, she writes about the worlds most beautiful homes, reviews the chicest products (from the best cocktail tables to cute but practical gifts), and reports on the most exciting trends in design and architecture. Since graduating from Columbia Journalism School, shes spent the past decade as an editor at Architectural Digest, Metropolis, and Architectural Record and has written for outlets including the New York Times, Dwell, and more.

It happens like clockwork: As soon as the holiday season kicks into high gearand the end of the year creeps closerwe become obsessed with what lies ahead. What's new? What's next? And what's in store for the year ahead? Well, if you want to bring that "new year, new you" mentality to your home decor come 2025, Zillow is here to help.The real-estate platform just released its 2025 home decor trend report, which predicts the fads that will be all the rage for the next 12 months. Electric vehicle charging ports, spa-like bathrooms, and homes with climate-resilient touches are poised to be big. However, one of the biggest trends is also the easiest to bring into your space.Related Story"Cozy homes are having a moment," says Amanda Pendleton, Zillows home trends expert. "In todays high-stress, uncertain world, people are looking for warmth and comfort at home." In fact, Zillow noticed that listings that mention "cozy" have increased by 35 percent since last year. But while some buyers are looking for the intimacy and comfort of a smaller space, Pendleton insists that coziness is a feeling, not a look. "Think about how you can engage all your senses in a space," she recommends. "Think about adding warm scents to your space through a diffuser or scented candles." Related StoryPendleton recommends incorporating textured walls, rich paint colors, and old-school accessories. "Swap out shiny new fixtures for vintage ones, replace contemporary lamp shades with pleated and patterned ones, comb online sources for quilts and vintage textile pillows," she adds. Pendleton also points out that, per the trend report, "vintage" listings increase by nine percent. However, if your idea of a cozy night at home includes curling up with a book, you're in luck: Zillow found home libraries are up 22 percent. A designated reading room might be the dream, but Pendleton says you can easily work with what you have."If you dont have space for a home library, you can still channel the bibliophilic design trend by decorating with books," she says. "Stack them high on coffee tables, display them on open shelving, or create a faux library with bookshelf wallpaper."Regardless of how you choose to bring a dash of coziness to your home, here's your permission to kick back, relax, and enjoy the great indoors. (Not that you really needed permission.)Related StoryFollow House Beautiful on Instagram and TikTok.

Apple recently launched new MacBook Pro, iMac and Mac mini with the M4 chip, which brings a lot of performance improvements especially when it comes to AI tasks. However, users are facing issues when trying to run virtual machines with some older versions of macOS on the new machines.M4 Macs and virtual machinesAs noted by researcher Csaba Fitzl (via Eclectic Light Company), it seems that the latest Macs with the M4 chip are unable to run virtual machines with macOS versions prior to Ventura 13.4. The problem affects any virtualization software available for the Mac.According to the website, trying to run a virtual machine on M4 Macs with macOS 13.3 or earlier results in a black screen with the VM failing to boot. Many users have tried changing the settings in the virtualizer or even booting the VM in Recovery mode, but the result is the same. Everything works just fine on Macs with M1, M2 or M3 chips.The bad news is, no one has a concrete clue as to what exactly is causing the bug or incompatibility.Unfortunately, as this bug prevents the VM from booting, theres no reliable way to access its log to discover whats going wrong there. Theres no sign of the failure in the hosts log either: the host appears to initialise its Virtio and other support normally, without errors or faults. After those, virtualisation processes on the host fall silent as they wait for the VM to start, which never happens.According to the researcher, it seems most likely that the bug affects an early part of the kernel boot, which would require Apple to release new IPSW files for older versions of macOS so that they work with M4 Macs. However, this is highly unlikely to happen.Anyone working with VMs running macOS versions earlier than 13.4 must be aware before upgrading to a new M4 Mac. Apple has yet to acknowledge the issue. As for other Apple Silicon Macs, they can run VMs with macOS 12 Monterey or later (the minimum recommended version for these Macs is 12.4).On a related note, macOS Sequoia has added multiple enhancements for virtual machines, including full support for logging into iCloud accounts, which wasnt possible on Mac VMs before.Add 9to5Mac to your Google News feed. FTC: We use income earning auto affiliate links. More.Youre reading 9to5Mac experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Dont know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

A recent report by 404 Media revealed that law enforcement agents have been concerned about iPhones automatically rebooting themselves, which makes it very difficult to hack these devices. Security researcher Jiska Classen later discovered that this behavior is caused by a new feature called Inactivity Reboot, which has now been reverse-engineered by Classen.Reverse engineering iPhones Inactivity Reboot featureThe researcher detailed in a blog post how exactly Inactivity Reboot was implemented by Apple which did everything quietly without publicly announcing the new security feature. Based on iOS code, it was possible to confirm that Inactivity Reboot was implemented in iOS 18.1, although iOS 18.2 beta code suggests that Apple is still making improvements to how it works.Contrary to what was previously thought, the security feature has no relation to wireless connectivity. Instead, it uses the Secure Enclave Processor (SEP) to track when the iPhone was last unlocked. If the last time unlocked exceeds three days, SEP notifies a kernel that kills Springboard (which is the core of iOS) and initiates a reboot.Unsurprisingly, according to Classen, Apple has implemented ways to prevent hackers from bypassing this process. For example, if something prevents the kernel from rebooting the iPhone, the system will automatically cause a kernel panic to crash and reboot the device. The system also sends analytical data to Apple when a device enters the aks-inactivity state.Since everything related to Inactivity Reboot happens in SEP and not in the main iOS kernel, its much more challenging to bypass it even if the main kernel is compromised (like with a jailbreak tool). As Classen explained, little is known about the SEP as Apple keeps everything, including its firmware, under wraps.When rebooted, the iPhone enters a Before First Unlock (BFU) mode, which encrypts all the files on the device until the user enters the devices passcode. Even Cellebrite, a cybersecurity company that specializes in extracting data from locked iPhones, acknowledges that getting data from a device in BFU mode is quite challenging.Cellebrite tool used to hack iPhonesApple doesnt say why it implemented Inactivity Reboot on the iPhone with iOS 18, but the reasons seem pretty clear. The company certainly wants to crack down on tools like Cellebrite and Pegasus spyware, which are often used by law enforcement agents. Of course, this also protects regular users who may have their data extracted after being the victim of a theft or robbery.More details on reverse engineering the Inactivity Reboot feature can be found on Jiska Classens blog.Add 9to5Mac to your Google News feed. FTC: We use income earning auto affiliate links. More.Youre reading 9to5Mac experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Dont know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

"The goal of OpenAI is to make the future good and to avoid an AGI dictatorship."Absolute PowerDuring the discovery process in Elon Musk's lawsuit against Sam Altman, email exchanges from early in the group's history show that even early on, tensions flared over who would control the company's powerful creations.In one of these early emails submitted as evidence exhibits in the Musk vs. Altman trial, OpenAI cofounder Ilya Sutskever took him to task for his egoistic need for control and the dangers it could pose for any forthcoming human-level AI, better known as artificial general intelligence (AGI)."The current structure provides you with a path where you end up with unilateral absolute control over the AGI," Sutskever wrote to Altman and Musk in September of 2017. "You stated that you dont want to control the final AGI, but during this negotiation, youve shown to us that absolute control is extremely important to you.""As an example, you said that you needed to be CEO of the new company so that everyone will know that you are the one who is in charge," he continued, "even though you also stated that you hate being CEO and would much rather not be CEO."Under ControlNotably, the email was sent less than six months before Musk resigned from OpenAI over disagreements about how the company should raise money which is also the crux of his lawsuit against Altmanet alnow."We are concerned that as the company makes genuine progress towards AGI, you will choose to retain your absolute control of the company despite current intent to the contrary," Sutskever wrote.Similar concerns may well have inspired Sutskever to lead a briefly successful coup against Altman last year before his own apparent ouster this spring. As the rest of his scathing email to Musk shows, he had good reason for worry."The goal of OpenAI is to make the future good and to avoid an AGI dictatorship," he wrote. "You are concerned that Demis [Hassabis, the founder of Google's DeepMind AI lab] could create an AGI dictatorship. So [are] we. So it is a bad idea to create a structure where you could become a dictator if you chose to, especially given that we can create some other structure that avoids this possibility."Reading the message in hindsight especially after Sutskever's own exit and founding of a new venture promoting AGI safety is pretty chilling,especially as Musk's embrace of embrace of president-elect Donald Trump reveals a deep thirst to control how the world is run.More on Musk's control issues: Elon Musks Daughter Vivian Says Hes a "Delusional and Grubby Little Control Freak"Share This Article

"I am profoundly disturbed."Velvet VoiceAfter discovering that his voice has been cloned by artificial intelligence, veteran documentarian David Attenborough has been moved to genteel fury.In a newBBCsegment, two near-identical clips one generated by AI, the other recorded by the twice-knighted man himself are heard promoting Attenborough's new special, "Asia."According to host Kasia Madera, the first of the two segments was an AI clone that the broadcaster's researchers found online. The actual Attenborough is less than pleased."Having spent a lifetime trying to speak what I believe to be the truth," Attenborough told the BBC in a statement, "I am profoundly disturbed to find that these days, my identity is being stolen by others and greatly object to them using it to say whatever they wish."Strangely enough, the AI Attenborough also had a response to the story."Lets set the record straight. Unless Mr. Attenborough has been moonlighting for us in secret and under an assumed name with work authorization in the United States, he is not on our payroll," the AI voice clone intoned. "I am not David Attenborough. We are both male, British voices for sure. However, I am not David Attenborough, for anyone out there who may be confused."This creepy rebuttal sounded so much like the real thing that Madera suggested the average person would be unable to tell the difference."You have to really double-take," the host said. "I wouldn't know if I didn't know."Post-TruthBeyond simply being unsettling, this faked Attenborough voice is particularly insidious because of the documentarian's societal role as one of the premier global truth-tellers of the last few generations.In an editorial forThe Guardian, columnist Zoe Wiliams suggested that such a lifelike AI rendition of a voice like Sir David's could imperil the concept of truth as we or at least, as the Brits know it."Attenborough may not be the last true embodiment of trust in a compromised world, but I row back from that assertion only because I fear it is UK-centric," she opined. "I stand by this: if you cant hear his voice and believe it, then you cant hear or believe anything.""In fake Attenborough, the scam of all scams, we have been casually mugged of modern communication," Williams concluded. Given that the knight's AI voice clone nearly tricked a BBC reporter, we have to say we agree.More on voice cloning: Before He Died, James Earl Jones Signed Paperwork to Voice Darth Vader Using AIShare This Article

Nov 18, 2024Ravie LakshmananThreat Intelligence / RansomwareCybersecurity researchers have shed light on a new stealthy malware loader called BabbleLoader that has been observed in the wild delivering information stealer families such as WhiteSnake and Meduza.BabbleLoader is an "extremely evasive loader, packed with defensive mechanisms, that is designed to bypass antivirus and sandbox environments to deliver stealers into memory," Intezer security researcher Ryan Robinson said in a report published Sunday.Evidence shows that the loader is being used in several campaigns targeting both English and Russian-speaking individuals, primarily singling out users looking for generic cracked software as well as business professionals in finance and administration by passing it off as accounting software.Loaders have become an increasingly prevalent method to deliver malware, like stealers or ransomware, often acting as the first stage in an attack chain in a manner that sidesteps traditional antivirus defenses by incorporating a bevy of anti-analysis and anti-sandboxing features.This is evidenced in the steady stream of new loader families that have emerged in recent years. This includes but is not limited to Dolphin Loader, Emmenhtal, FakeBat, and Hijack Loader, among others, which have been used to propagate various payloads like CryptBot, Lumma Stealer, SectopRAT, SmokeLoader, and Ursnif.What makes BabbleLoader stand out is that it packs various evasion techniques that can fool both traditional and AI-based detection systems. This encompasses the use of junk code and metamorphic transformations that modify the loader's structure and flow to bypass signature-based and behavioral detections.It also gets around static analysis by resolving necessary functions only at runtime, alongside taking steps to impede analysis in sandboxed environments. Furthermore, the excessive addition of meaningless, noisy code causes disassembly or decompilation tools like IDA, Ghidra, and Binary Ninja to crash, forcing a manual analysis."Each build of the loader will have unique strings, unique metadata, unique code, unique hashes, unique encryption, and a unique control flow," Robinson said. "Each sample is structurally unique with only a few snippets of shared code. Even the metadata of the file is randomized for each sample.""This constant variation in code structure forces AI models to continuously re-learn what to look for a process that often leads to missed detections or false positives."The loader, at its core, is responsible for loading shellcode that then paves the way for decrypted code, a Donut loader, which, in turn, unpacks and executes the stealer malware."The better that the loaders can protect the ultimate payloads, the less resources threat actors will need to expend in order to rotate burned infrastructure," Robinson concluded. "BabbleLoader takes measures to protect against as many forms of detection that it can, in order to compete in a crowded loader/crypter market."The development comes as Rapid7 detailed a new malware campaign that distributes a new version of LodaRAT that's equipped to steal cookies and passwords from Microsoft Edge and Brave, in addition to gathering all kinds of sensitive data, delivering more malware, and granting remote control of compromised hosts. It's been active since September 2016.The cybersecurity company said it "spotted new versions being distributed by Donut loader and Cobalt Strike," and that it "observed LodaRAT on systems infected with other malware families like AsyncRAT, Remcos, XWorm, and more." That said, the exact relationship between these infections remains unclear.It also follows the discovery of Mr.Skeleton RAT, a new malware based on njRAT, that has been advertised on the cybercrime underground and comes with functionality for "remote access and desktop operations, file/folder and registry manipulation, remote shell execution, keylogging, as well as remote control of the devices' camera."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

According to research from GitGuardian and CyberArk, 79% of IT decision-makers reported having experienced a secrets leak, up from 75% in the previous year's report. At the same time, the number of leaked credentials has never been higher, with over 12.7 million hardcoded credentials in public GitHub repositories alone. One of the more troubling aspects of this report is that over 90% of valid secrets found and reported remained valid for more than 5 days. According to the same research, on average, it takes organizations 27 days to remediate leaked credentials. Combine that with the fact that non-human identities outnumber human identities by at least 45:1, and it is easy to see why many organizations are realizing stopping secrets sprawl means finding a way to deal with this machine identity crisis. Unfortunately, the research also shows that many teams are confused about who owns the security of these identities. It is a perfect storm of risk. Why Does Rotation Take So LongSo, why are we taking so long to rotate credentials if we know they are one of the easiest attack paths for adversaries? One major contributing factor is a lack of clarity on how our credentials are permissioned. Permissions are what authorize what specific things one entity, such as a Kubernetes workload or a microservice, can successfully request from another service or data source. Let's remember what remediation of a secrets sprawl incident means: you need to safely replace a secret without breaking anything or granting new, too-wide permissions, which would potentially introduce more security risks to your company. If you already have full insight into the lifecycle of your non-human identities and their associated secrets, this is a fairly straightforward process of replacing them with new secrets with the same permissions. This can take considerable time if you don't already have that insight, as you need to hope the developer who originally created it is still there and has documented what was done. Let's look at why permissions management is especially challenging in environments dominated by NHIs, examine the challenges developers and security teams face in balancing access control and productivity, and discuss how a shared responsibility model might help.Who Really Owns Secrets Sprawl?Secrets sprawl generally refers to the proliferation of access keys, passwords, and other sensitive credentials across development environments, repositories, and services like Slack or Jira. GitGuardian's latest Voice of the Practitioners report highlights that 65% of respondents place the responsibility for remediation squarely on the IT security teams. At the same time, 44% of IT leaders reported developers are not following best practices for secrets management. Secrets sprawl and the underlying issues of over-permissioned long-lived credentials will continue to fall in this gap until we figure out how to better work together in a shared responsibility model.The Developer's Perspective On PermissionsDevelopers face enormous pressure to build and deploy features quickly. However, managing permissions carefully, with security best practices, can be labor-intensive. Each project or application often has its own unique access requirements, which take time to research and properly set, almost feeling like a full-time job on top of the work making and deploying their applications. Best practices for creating and managing permissions too commonly do not get applied evenly across teams, are seldom documented appropriately, or are forgotten altogether after the developer gets the application working. Compounding the issue, in too many cases, developers are simply granting too wide of permissions to these machine identities. One report found that only 2% of granted permissions are actually used. If we take a closer look at what they are up against, it is easy to see why.For instance, think about managing permissions within Amazon Web Services. AWS's Identity and Access Management (IAM) policies are known for their flexibility but are also complex and confusing to navigate. IAM supports various policy typesidentity-based, resource-based, and permission boundariesall of which require precise configurations. AWS also offers multiple access paths for credentials, including IAM roles and KMS (Key Management Service) grants, which each come with its own unique access configurations. Learning this system is no small feat.Another common example of a service where permissions can become difficult to manage is GitHub. API keys can grant permissions to repositories across various organizations, making it challenging to ensure appropriate access boundaries. A single key can unintentionally provide excessive access across environments when developers are members of multiple organizations. The pressure is on to get it right, while the clock is always ticking and the backlog keeps getting bigger. Why Security Teams Alone Can't Fix ThisIt may seem logical to assign security teams responsibility for monitoring and rotating secrets; after all, this is a security concern. The reality is that these teams often lack the granular project-level knowledge needed to make changes safely. Security teams don't always have the context to understand what specific permissions are essential for keeping applications running. For instance, a seemingly minor permission change could break a CI/CD pipeline, disrupt production, or even cause a company-wide cascading failure if the wrong service disappears.The dispersed nature of secrets management across teams and environments also increases the attack surface. With no one really in charge, it becomes much harder to maintain consistency in access controls and audit trails. This fragmentation often results in excessive or outdated credentials and their associated permissions remaining active for far too long, possibly forever. It can make it difficult to know who has legitimate or illegitimate access to which secrets at any given time.A Shared Responsibility Model For Faster RotationDevelopers and security teams could help address these issues by meeting in the middle and building a shared responsibility model. In such a model, developers are more responsible for consistently managing their permissions through proper tooling, such as CyberArk's Conjur Secrets Manager or Vault by HashiCorp, while also better documenting the permissions and scope of the necessary permissions at the project level. Security teams should be helping developers by working to automate secrets rotation, investing in the proper observability tooling to gain clarity into the state of secrets, and working with IT to eliminate long-lived credentials altogether. If developers clearly document which permissions are needed in their requirements, it could help security teams conduct faster and more precise audits and speed remediation. If security teams work to ensure that the easiest and fastest overall path toward implementing a new non-human identity secret is also the safest and most scalable route, then there are going to be far fewer incidents that require emergency rotation, and everyone wins. The goal for developers should be to ensure that the security team can rotate or update credentials in their applications with confidence, on their own, knowing they're not jeopardizing production.Key Questions to Address around PermissioningWhen thinking through what needs to be documented, here are a few specific data points to help this cross-team effort flow more smoothly: Who Created the Credential? - Many organizations find it difficult to track credential ownership, especially when a key is shared or rotated. This knowledge is essential to understanding who is responsible for rotating or revoking credentials.What Resources Does It Access? - API keys can often access a range of services, from databases to third-party integrations, making it essential to limit permissions to the absolute minimum necessary.What Permissions Does It Grant? - Permissions vary widely depending on roles, resource-based policies, and policy conditions. For instance, in Jenkins, a user with `Overall/Read` permission can view general information, while `Overall/Administer` grants full control over the system.How Do We Revoke or Rotate It? - The ease of revocation varies by platform, and in many cases, teams must manually track down keys and permissions across systems, complicating remediation and prolonging exposure to threats.Is the Credential Active? - Knowing whether a credential is still in use is critical. When NHIs use long-lived API keys, these credentials may remain active indefinitely unless managed properly, creating persistent access risks.Permissions Are Challenging, But We Can Manage Them Together As One TeamAccording to the GitGuardian report, while 75% of respondents expressed confidence in their secrets management capabilities, the reality is often much different. The average remediation time of 27 days reflects this gap between confidence and practice. It is time to rethink how we implement and communicate secrets and their permissions as an organization.While developers work diligently to balance security and functionality, the lack of streamlined permissions processes and uncentralized or unstandardized documentation paths only amplify the risks. Security teams alone can't resolve these issues effectively due to their limited insight into project-specific needs. They need to work hand-in-hand with developers every step of the way. GitGuardian is building the next generation of secrets security tooling, helping security and IT teams get a handle on secrets sprawl. Knowing what plaintext, long-lived credentials are exposed in your code and other environments is a needed first step to eliminating this threat. Start today with GitGuardian.Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

If youve watched any movies or television made in the past ten or15 years, you may have started to wonder: Where have all the opening credits gone? These days, filmmakers (and production studios, and streaming services) seem to think that if the audience isnt immediately thrown into the action of a movie, theyll get bored, turn it off, and find something else. Given our ever shortening attention spans, there may be some truth to this.But a great opening credits sequence is something of a lost art. Its indulgent, yes, and it forces the audience to sit there and look at a bunch of names for two or three minutes, but a really good title sequence can set the tone for the rest of the proceedings, and allow the members of the audience to gradually submerge themselves into the world of the story. Think of the way that the Game of Thrones credits not only showed you a moving map of Westeros, but also contained little clues about where certain scenes would take place, and unlocked locations as the story moved forward.It wasnt always like this opening titles used to be everywhere, and the best ones would get creative with the form, using the allotted minute or two to fully generate a movies vibe using nothing but colors, abstract images, and creative fonts. There are way too many to choose from for just one list, but in order to highlight some of the very best, we chose12 of the coolest, most innovative ones, from iconic crime movies, westerns, fantasy epics, horror thrillers, and modern spy cinema classics. Every single one of these opening sequences will make you want to watch the rest of the movie immediately.The Coolest Opening Title Sequences of All TimeWhere have all the opening credits gone?(Note: Click the link in each entry to watch these opening titles on YouTube.)READ MORE: 10 Great Trailers For 10 Terrible MoviesGet our free mobile appThe Worst Parts of 15 Great MoviesThese movies are terrific. Theyre not perfect, though.