• Webinar: Learn How to Stop Encrypted Attacks Before They Cost You Millions
    thehackernews.com
    Jan 09, 2025 | The Hacker News | Data Protection / Encryption

    Ransomware isn't slowing down; it's getting smarter. Encryption, designed to keep our online lives secure, is now being weaponized by cybercriminals to hide malware, steal data, and avoid detection.

    The result? A 10.3% surge in encrypted attacks over the past year and some of the most shocking ransom payouts in history, including a $75 million ransom in 2024.

    Are you prepared to fight back?

    Join Emily Laufer, Director of Product Marketing at Zscaler, for an eye-opening session, "Preparing for Ransomware and Encrypted Attacks in 2025," filled with practical insights and cutting-edge strategies to outsmart these evolving threats.

    What You'll Learn:

    - ThreatLabz Insights: Get the latest findings from Zscaler's experts on ransomware and encrypted attacks, including the trends making the biggest impact.
    - 2025 Predictions: Find out how ransomware groups are refining their tactics to stay one step ahead, and what you can do to stop them.
    - Encrypted DNS Attacks: Learn how cybercriminals exploit DNS over HTTPS (DoH) and DNS over TLS (DoT) to stay hidden while launching devastating attacks.
    - Proven Defense Techniques: Discover how to uncover hidden threats and stop ransomware before it hits your organization.

    Ransomware doesn't wait, and neither should you. Every day you delay could cost your organization millions or expose sensitive data to attackers.

    Seats are limited, so secure yours now! Register for the Webinar.

    This article is a contributed piece from one of our valued partners.
  • Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection
    thehackernews.com
    Jan 09, 2025 | Ravie Lakshmanan | Vulnerability / Threat Intelligence

    Threat actors are attempting to take advantage of a recently disclosed security flaw impacting GFI KerioControl firewalls that, if successfully exploited, could allow malicious actors to achieve remote code execution (RCE).

    The vulnerability in question, CVE-2024-52875, refers to a carriage return line feed (CRLF) injection attack, paving the way for HTTP response splitting, which could then lead to a cross-site scripting (XSS) flaw.

    Successful exploitation of the 1-click RCE flaw permits an attacker to inject malicious inputs into HTTP response headers by introducing carriage return (\r) and line feed (\n) characters. The flaw impacts KerioControl versions 9.2.5 through 9.4.5, according to security researcher Egidio Romano, who discovered and reported the flaw in early November 2024.

    The HTTP response splitting flaws have been uncovered in the following URI paths:

    - /nonauth/addCertException.cs
    - /nonauth/guestConfirm.cs
    - /nonauth/expiration.cs

    "User input passed to these pages via the 'dest' GET parameter is not properly sanitized before being used to generate a 'Location' HTTP header in a 302 HTTP response," Romano said.

    "Specifically, the application does not correctly filter/remove line feed (LF) characters. This can be exploited to perform HTTP Response Splitting attacks, which, in turn, might allow it to carry out reflected cross-site scripting (XSS) and possibly other attacks."

    A fix for the vulnerability was released by GFI on December 19, 2024, with version 9.4.5 Patch 1. A proof-of-concept (PoC) exploit has since been made available.

    Specifically, an adversary could craft a malicious URL such that an administrator user clicking on it triggers the execution of the PoC hosted on an attacker-controlled server, which then uploads a malicious .img file via the firmware upgrade functionality, granting root access to the firewall.

    Threat intelligence firm GreyNoise has reported that exploitation attempts targeting CVE-2024-52875 commenced back on December 28, 2024, with the attacks originating from seven unique IP addresses from Singapore and Hong Kong to date.

    According to Censys, there are more than 23,800 internet-exposed GFI KerioControl instances. A majority of these servers are located in Iran, Uzbekistan, Italy, Germany, the United States, Czechia, Belarus, Ukraine, Russia, and Brazil.

    The exact nature of the attacks exploiting the flaw is presently not known. Users of KerioControl are advised to take steps to secure their instances as soon as possible to mitigate potential threats.
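For defenders who want to check whether their own KerioControl instance has been probed, the following is an added example (not code from the article, GFI, or the researcher) that scans web access logs for CR/LF characters in the 'dest' parameter of the three URI paths named above. The combined-style log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# URI paths and parameter name as listed in the article for CVE-2024-52875.
AFFECTED_PATHS = {
    "/nonauth/addCertException.cs",
    "/nonauth/guestConfirm.cs",
    "/nonauth/expiration.cs",
}
PARAM = "dest"

# Assumed log layout: client IP first, request line in double quotes.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded %250a is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def raw_param_values(query, name):
    """Yield the raw (still encoded) values of every occurrence of `name`."""
    for pair in query.split("&"):
        key, _, raw = pair.partition("=")
        if unquote(key) == name:
            yield raw


def is_suspicious(target):
    """True if the request targets an affected path with CR or LF in 'dest'."""
    parts = urlsplit(target)
    if unquote(parts.path) not in AFFECTED_PATHS:
        return False
    for raw in raw_param_values(parts.query, PARAM):
        decoded = fully_decode(raw)
        if "\r" in decoded or "\n" in decoded:
            return True
    return False


def scan_access_log(lines):
    """Return (line_number, client, path) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        if is_suspicious(target):
            client = line.split(" ", 1)[0]
            hits.append((number, client, urlsplit(target).path))
    return hits


# Constructed sample log lines (documentation IP ranges, harmless marker header).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jan/2025:10:00:01 +0000] "GET /nonauth/guestConfirm.cs?dest=https%3A%2F%2Fintranet.example%2F HTTP/1.1" 302 0
198.51.100.7 - - [09/Jan/2025:10:00:05 +0000] "GET /nonauth/addCertException.cs?dest=%0d%0aX-Constructed:1 HTTP/1.1" 302 0
198.51.100.7 - - [09/Jan/2025:10:00:09 +0000] "GET /nonauth/expiration.cs?dest=x%250aX-Constructed:1 HTTP/1.1" 302 0
192.0.2.44 - - [09/Jan/2025:10:00:12 +0000] "GET /nonauth/guestConfirm.cs?a=1&dest=%0AX-Constructed:1 HTTP/1.1" 302 0
192.0.2.10 - - [09/Jan/2025:10:00:20 +0000] "GET /login.cs?note=line1%0aline2 HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for number, client, path in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {client} sent CR/LF in '{PARAM}' to {path}")
```

A hit only shows that a request matching the described pattern reached the device; whether it succeeded depends on the installed version, so confirm the instance is on 9.4.5 Patch 1 or later.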
  • How AI Can Speed Disaster Recovery
    www.informationweek.com
    John Edwards, Technology Journalist & Author | January 9, 2025

    Disaster recovery technologies are designed to prevent or minimize the data loss and business disruption resulting from unexpected catastrophic events. This includes everything from hardware failures and local power outages to cyberattacks, natural disasters, civil emergencies, and criminal or military assaults.

    As AI continues to transform and enhance a seemingly endless array of tasks and functions, it should come as no surprise that the technology has caught the attention of disaster recovery professionals.

    Preparation and Response

    Joseph Ours, AI strategy director at Centric Consulting, says AI can assist disaster recovery in two essential areas: preparation and response. "In many respects, speeding disaster recovery means planning and preparing," he observes in an email interview. Ours notes that a growing number of government agencies and insurance companies are already routinely performing these tasks with AI assistance. "They use predictive and classification models to analyze historical data and environmental factors to determine potential risk."

    AI-enabled resiliency planning provides speed and precision that traditional methods lack, says Stephen DeAngelis, president of Enterra Solutions, an AI-enabled transformation and intelligent enterprise planning platform provider. "AI's ability to process large volumes of data quickly allows it to detect anomalies and potential risks earlier," he explains in an online interview. Unlike conventional disaster recovery plans, AI-powered solutions are adaptive, updating in real-time as conditions change. "This means companies can pivot their strategies almost immediately, reducing the time needed to return to normal operations and ensuring minimal disruption to the supply chain."

    Automatic Detection

    In businesses, AI-enhanced disaster recovery automatically detects anomalies, such as ransomware-corrupted data, allowing technicians to skip over unusable files and focus on clean, viable backups, says Stefan Voss, a vice president at data protection and security firm N-able. "This eliminates the time-intensive, manual review process that's standard in conventional recovery methods."

    AI can also improve boot detection accuracy, ensuring that machines will bounce back successfully after recovery, Voss says in an email interview. "Well-trained AI models can significantly reduce false positives or negatives, enhancing technician confidence in the reliability and efficiency of the restored systems," he explains. "With AI-driven accuracy, organizations can recover systems faster, with fewer errors, and minimize downtime."

    AI solutions rely on access to high-quality data to generate accurate predictions. "When data is siloed or incomplete, models are likely to produce less reliable results," DeAngelis warns. To ensure success, he advises businesses to establish robust data management practices before implementing AI solutions. "Today, we're seeing innovators develop sophisticated techniques, such as advanced data modeling, to bridge critical data gaps and enhance AI accuracy."

    Getting Started

    An important first step toward using AI in disaster recovery is conducting a comprehensive assessment of current supply chain vulnerabilities. "Identify critical points of failure and gather historical data on past disruptions," DeAngelis suggests. Next, collaborate with an AI partner to build predictive models that simulate various disaster scenarios, such as geopolitical risks or extreme weather events. Focus on implementing AI tools that integrate seamlessly with existing systems, allowing for smooth data flows and real-time updates. "A phased approach is ideal, beginning with pilot projects and scaling up as the organization gains familiarity with the technology."

    Voss says the next step should be identifying any existing challenges in the disaster recovery process. "For example, if your main goal is increasing recovery testing accuracy, look for AI tools designed to improve boot detection and guarantee reliable system restoration," he suggests. "On the other hand, if the goal is precisely detecting backup anomalies, focus on AI solutions that specialize in identifying compromised or corrupted data quickly and accurately."

    After clearly defining the issue at hand, seek out the AI solution that will meet your needs, Voss advises. "Always start with your pain points and let AI provide the answer, not the other way around."

    Challenges

    AI disaster recovery can offer significant advantages, yet it also comes with several serious drawbacks. High development and integration costs can be a barrier, especially for small businesses, Voss says. "The skills shortage in AI expertise makes it difficult for organizations to develop or maintain AI-driven systems."

    Remember, too, that even with well-trained models, AI is far from infallible. False positives or negatives can occur, potentially complicating recovery efforts, Voss warns. "Additionally, an over-reliance on AI can reduce human oversight, making it imperative to strike a balance between automation and manual processes."

    Perhaps the biggest drawback is that some disasters arrive as unpredictable black swan-type events. "In this case, AI is neither a benefit nor contributor to the failure to respond because, by their very nature, humans would struggle to respond adequately as well," Ours says.

    A Competitive Edge

    A proactive investment in AI not only mitigates risk but can turn challenges into competitive advantages, DeAngelis says. He notes that by being prepared to adapt quickly when disruptions occur, enterprises can maintain continuity and even capture market share from less-prepared competitors. "As we've seen from recent events, such as the US port strike, hurricane-related supply chain impacts, and the ongoing pressures of inflation, businesses that leverage AI to build resilience are better positioned to thrive in uncertain environments."

    About the Author

    John Edwards is a veteran business technology journalist. His work has appeared in The New York Times, The Washington Post, and numerous business and technology publications, including Computerworld, CFO Magazine, IBM Data Management Magazine, RFID Journal, and Electronic Design. He has also written columns for The Economist's Business Intelligence Unit and PricewaterhouseCoopers' Communications Direct. John has authored several books on business technology topics. His work began appearing online as early as 1983. Throughout the 1980s and 90s, he wrote daily news and feature articles for both the CompuServe and Prodigy online services. His "Behind the Screens" commentaries made him the world's first known professional blogger.
  • Bridging a Culture Gap: A CISO's Role in the Zero-Trust Era
    www.informationweek.com
    Frank Kim, SANS Institute Fellow | January 9, 2025

    Adopting zero-trust security architectures is increasingly becoming a corporate imperative, with zero trust serving as the recommended approach for building resilience against the evolving nature of enterprise threats. This shift represents more than just implementing the latest and greatest best-of-breed tools. It's a foundational shift away from perimeter-based security controls and external network defenses that were not designed for today's threat landscape.

    More than 80% of all data breaches today are attributed to human error or negligence, making human risk a pressing security concern amid the rise of hybrid work environments. A zero-trust architecture limits the damage that a compromised user can cause by segmenting the organization's security environment into smaller, isolated zones that restrict the ability to access sensitive data across the entire ecosystem. Unfortunately, the path to effective implementation has proven challenging. Forrester research found that more than 63% of enterprises are struggling to implement zero-trust frameworks, and Gartner predicts that by 2026 only 10% of large enterprises will have a mature and measurable zero-trust program in place.

    This brings the role of the transformational CISO to the forefront. CISO success today requires more than being a pure technologist from the SOC room. They need to serve as transformational leaders who are capable of navigating shifting organizational priorities to foster collective buy-in amongst executive leaders, establish effective processes with business line stakeholders, and develop versatile security teams. Cultivating this company-wide alignment is critical to alleviating the roadblocks that hinder zero-trust adoption today.

    Articulating Zero Trust's Value

    Nearly 50% of IT professionals describe collaboration between security risk management and business risk management as poor or nonexistent, according to NIST research. As CISOs, it's our job to bridge this divide by framing zero trust as an enabler of business agility, operational efficiency, and competitive advantage rather than focusing on technical specifications. Leveraging scenario-based planning and risk quantification techniques can effectively articulate the value of zero trust in terms that resonate with various stakeholders -- correlating the ramifications of cyber incidents to high-value outcomes that impact their department. Marketing leaders, for example, might better appreciate zero trust when they understand how it prevents customer data breaches that result in brand reputational damage.

    CISOs should establish regular touchpoints with business unit leaders to understand their workflows, pain points, and growth initiatives. This collaborative approach helps identify opportunities where zero trust can enhance business processes rather than hinder them. By securing visible support from the C-suite, CISOs can overcome initial resistance and ensure the necessary resources are allocated for successful implementation. It also helps strengthen organizational buy-in across all employees, giving the company a platform to address concerns, share implementation progress, and maintain alignment with business objectives.

    Minimizing Organizational Friction

    Successful zero-trust adoption requires a carefully orchestrated change management strategy. Rather than pursuing lower-risk areas, organizations often achieve better results by starting with mid-risk priorities and moving methodically toward more complex challenges. This approach prevents implementation paralysis and drives meaningful security advancement.

    Clear communication at every stage is essential. Regular updates, user awareness training, and open feedback channels help maintain transparency and address concerns proactively. When employees realize that zero trust can streamline their access to resources while maintaining security, resistance typically diminishes. The key lies in balancing security requirements with user experience. Modern implementations should leverage automation and contextual access controls to make security seamless. Implementing single sign-on solutions alongside zero-trust principles can enhance both security and convenience, making the transition more palatable for end users.

    In addition, developing a comprehensive change impact assessment helps identify potential friction points before they emerge. This involves mapping current workflows, understanding dependencies, and creating mitigation strategies. Regular user satisfaction surveys and feedback sessions enable continuous refinement of the implementation approach, ensuring that security measures align with operational needs while maintaining robust protection.

    Positioning Practitioners for Success

    The technical complexity of zero-trust architectures demands a targeted focus on skill development amongst security practitioners. With practitioners often wearing multiple hats across architecture, implementation, operations, and monitoring, they must be all-around defenders who are capable of seamlessly transitioning between functional roles. This requires a strong foundational knowledge spanning both on-premises and cloud security domains. Security teams must understand the organization's end-to-end security environment, from network tools to cloud applications, endpoints, and data storage systems.

    Investment in targeted learning is crucial here. Prioritize formal trainings and upskilling programs that build team-wide competencies and implement cross-training initiatives that facilitate knowledge sharing to reduce key person dependencies and develop operational resilience. Establishing a dedicated zero-trust center of excellence can accelerate this skill development by providing guidance and support to other security team members while maintaining documentation and best practices.

    The path to zero trust is a continuous journey of organizational transformation. While technical implementation remains crucial, the transformational CISO's ability to bridge cultural gaps, foster organizational alignment, and develop comprehensive team capabilities will determine the success of zero-trust initiatives. As cyber threats continue to evolve and regulatory pressures mount, organizations that successfully execute this cultural and technical transformation will be better positioned to protect their critical assets and maintain business continuity in an increasingly complex threat landscape.

    About the Author

    Frank Kim is a SANS Fellow where he leads the Cloud Security and Cybersecurity Leadership curricula to help shape and develop the next generation of security leaders. Previously, he served as the organization's CISO where he led the information risk function for the most trusted source of cybersecurity training and certification in the world.
  • 6 AI-Related Security Trends to Watch in 2025
    www.informationweek.com
    AI tools will enable significant productivity and efficiency benefits for organizations in the coming year, but they also will exacerbate privacy, governance, and security risks.
  • Crisp: Technical Customer Support - French + English + [Other Language] - EU Timezone
    weworkremotely.com
    Time zones: GMT (UTC +0), CET (UTC +1), CVT (UTC -1)

    The Role

    We're looking for a Technical Customer Support Specialist to join our team! In this role, you'll be the first point of contact for our customers, helping them via chat and email (no phone calls). You'll assist with inquiries, troubleshoot issues, and ensure a smooth customer experience.

    This position is fully remote. However, if you're based near Nantes, you're welcome to work from our office occasionally.

    What We're Looking For

    - Fluency in English is mandatory: English is our primary working language, so strong written and verbal communication skills are essential.
    - French and a third language required: Fluency in French and in another language (German, Dutch, etc.) is required.
    - Technical knowledge: You don't need to be a developer, but a solid understanding of tech concepts (e.g., HTML/CSS) is required. This isn't a learn-on-the-job role, so come prepared!
    - Team spirit: Empathy, kindness, understanding, active listening, and a collaborative mindset are essential. You'll fit right in if you value teamwork and fostering a positive work environment.
    - Experience: Familiarity with customer support software is a plus, but not mandatory.

    What Makes Crisp Special?

    - Everyone does support: even our developers contribute to customer support, keeping everyone connected to our users' needs.
    - No meetings: Say goodbye to unnecessary meetings and focus on meaningful work.
    - No personal KPIs: We trust you to do great work without micromanagement or performance pressure.

    Contract Details

    - In France: If you're based in France, you'll be hired under a standard employment contract (CDI).
    - Outside France: If you live outside of France, the position will be under a full time freelance service contract. You'll need to have an independent contractor status in your country and be able to issue invoices.

    Who Can Apply?

    - Must be located within the EU timezone.
    - Immediate availability is a plus.

    Compensation & Perks

    - The compensation range for this role is around 30k/35K gross per year, depending on the profile.
    - Join a diverse and inclusive remote-first team that values work-life balance and flexibility.
  • Better Proposals: Growth Marketer
    weworkremotely.com
    Growth Marketer at Better Proposals

    We haven't done bad at Better Proposals over the last 7 years. We've pioneered massive parts of the proposal software industry, are one of the big 4 that compete on a regular basis and we've done it all without VC money and a deliberately small team.

    We're looking for one, maybe two multi-skilled Growth Marketers to help us do the big stuff better while not losing sight of the small stuff. The big things for us are SEO, content marketing and Adwords.

    - Fully remote.
    - Work whenever you like.
    - Potential to run the team.
    - Up to $80k.
    - Applications close 17th Jan.

    WARNING

    Using AI to apply is an instant no. It doesn't matter how good your CV is, if you don't spend a few moments writing us a quick personal message, we won't consider your application.

    The core of the role:

    You need to have a bit of a business brain. We get pages ranked in Google, drive visitors to start a trial and hopefully convert them to a paying customer later - that's our business and ideally you have worked with that kind of business model before - preferably SaaS.

    You need to have a clear idea of how SEO works, that includes knowing how to do keyword research, find "opportunities", use a CMS to create a page (with the help of our designer, writer and link builder) and get it ranked.

    You should also have a good idea of how to maintain and improve existing rankings and react appropriately if Google gives us a slap. This means being able to assess what's happened, why rankings have dropped and put a plan in place to fix it. Whether it's coordinating getting more links to a page, writing more, or different content or fixing some technical SEO - you'll know what to do here.

    You're an all-rounder:

    - Copywriting - You don't need to be the next Dan Kennedy, but you should be able to write conversion copy to an okay standard.
    - PPC - Know your way around Google Adwords, and PPC platforms. You don't need to be world class, but a good knowledge would be great.
    - HTML/CSS - It's not essential at all, but if you're not a <div> when it comes to HTML. That always comes in handy. (I think my Dad would be pleased with that joke)
    - Communication - If you're not scared of the phone and can talk to potential collaboration partners, work on webinars and create traffic building relationships - amazing!
    - Email marketing - If you know your way around spam traps and can get people to click on your persuasive emails, superb!
    - The random stuff - Getting a book converted to be listed on Amazon, social media, content creation, interviewing customers for testimonials, looking into customer data. If you can be our person for these random things - lovely!
    - Start-to-finish kind of person - The more things you can do start to finish, and don't need help and input from the co-founders the better. We need people here who can execute a plan.
    - Managing people - There's potential to run the marketing team as it grows. The person we hire should have that ability or potential.

    Experience

    We're looking for a leader, someone who's been there and done it and has actual experience. We don't judge it in number of years, but results and your level of involvement. You don't necessarily need to be a direct match for everything above because the plan is to hire two people. Ultimately our hope is that you can run the marketing team at some stage. Be ambitious!

    Salary and Working Environment

    - The role is fully remote. We don't have an office, we never will.
    - It's a full time role but we don't clock watch. You're responsible for your own working hours.
    - Salary is a large range because it depends what skills you have and what you can do: $42,000 - $78,000.
    - 3 weeks paid holiday + 1 week for every year (capped at 6 weeks) + Your chosen 8 national holiday days per year

    Next steps

    Assuming everything goes well, here's how our hiring process goes:

    - You apply
    - We will reach out to any successful applicants after the deadline
    - We have an initial interview
    - We will have a 2nd interview
    - In special cases we might have a quick 3rd call to clarify a few things, but mostly not.
    - We offer you the job
    - You're expected to accept it within 1 business day.
  • 2025 is a critical year for climate tech
    www.technologyreview.com
    This article is from The Spark, MIT Technology Review's weekly climate newsletter. To receive it in your inbox every Wednesday, sign up here.

    I love the fresh start that comes with a new year. And one thing adding a boost to my January is our newest list of 10 Breakthrough Technologies.

    In case you haven't browsed this year's list or a previous version, it features tech that's either breaking into prominence or changing society. We typically recognize a range of items running from early-stage research to consumer technologies that folks are getting their hands on now.

    As I was looking over the finished list this week, I was struck by something: While there are some entries from other fields that are three or even five years away, all the climate items are either newly commercially available or just about to be. It's certainly apt, because this year in particular seems to be bringing a new urgency to the fight against climate change. We're facing global political shifts and entering the second half of the decade. It's time for these climate technologies to grow up and get out there.

    Green steel

    Steel is a crucial material for buildings and vehicles, and making it accounts for around 8% of global greenhouse-gas emissions. New manufacturing methods could be a huge part of cleaning up heavy industry, and they're just on the cusp of breaking into the commercial market.

    One company, called Stegra, is close to starting up the world's first commercial green steel plant, which will make the metal using hydrogen from renewable sources. (You might know this company by its former name, H2 Green Steel, as we included it on our 2023 list of Climate Tech Companies to Watch.)

    When I first started following Stegra a few years ago, its plans for a massive green steel plant felt incredibly far away. Now the company says it's on track to produce steel at the factory by next year.

    The biggest challenge in this space is money. Building new steel plants is expensive: Stegra has raised almost $7 billion. And the company's product will be more expensive than conventional material, so it'll need to find customers willing to pay up (so far, it has).

    There are other efforts to clean up steel that will all face similar challenges around money, including another play in Sweden called Hybrit and startups like Boston Metal and Electra, which use different processes. Read more about green steel, and the potential obstacles it faces as we enter a new phase of commercialization, in this short blurb and in this longer feature about Stegra.

    Cow burp remedies

    Humans love burgers and steaks and milk and cheese, so we raise a whole bunch of cows. The problem is, these animals are among a group with a funky digestion process that produces a whole lot of methane (a powerful greenhouse gas). A growing number of companies are trying to develop remedies that help cut down on their methane emissions.

    This is one of my favorite items on the list this year (and definitely my favorite illustration; at the very least, check out this blurb to enjoy the art).

    There's already a commercially available option right now: a feed additive called Bovaer from DSM-Firmenich that the company says can cut methane emissions by 30% in dairy cattle, and more in beef cattle. Startups are right behind with their own products, some of which could prove even better.

    A key challenge all these companies face moving forward is acceptance: from regulatory agencies, farmers, and consumers. Some companies still need to go through lengthy and often expensive tests to show that their products are safe and effective. They'll also need to persuade farmers to get on board. Some might also face misinformation that's causing some consumers to protest these new additives.

    Cleaner jet fuel

    While planes crisscrossing the world are largely powered by fossil fuels, some alternatives are starting to make their appearance in aircraft.

    New fuels, today mostly made from waste products like used cooking oil, can cut down emissions from air travel. In 2024, they made up about 0.5% of the fuel supply. But new policies could help these fuels break into new prominence, and new options are helping to widen their supply.

    The key challenge here is scale. Global demand for jet fuel was about 100 billion gallons last year, so we'll need a whole lot of volume from new producers to make a dent in aviation's emissions.

    To illustrate the scope, take LanzaJet's new plant, opened in 2024. It's the first commercial-scale facility that can make jet fuel with ethanol, and it has a capacity of about 9 million gallons annually. So we would need about 10,000 of those plants to meet global demand, a somewhat intimidating prospect. Read more in my write-up here.

    From cow burps to jet fuel to green steel, there's a huge range of tech that's entering a new stage of deployment and will need to face new challenges in the next few years. We'll be watching it all. Thanks for coming along.

    Now read the rest of The Spark

    Related reading

    Check out our full list of 2025's Breakthrough Technologies here. There's also a poll where you can vote for what you think the 11th item should be. I'm not trying to influence anyone's vote, but I think methane-detecting satellites are pretty interesting, just saying.

    This package is part of our January/February print issue, which also includes stories on:

    - This system that's tracking early warning signs of infection in wheat crops
    - How wind could be a low-tech solution to help clean up shipping
    - Efforts to use human waste in agriculture

    Another thing

    EVs are (mostly) set for solid growth in 2025, as my colleague James Temple covers in his newest story. Check it out for more about what's next for electric vehicles, including what we might expect from a new administration in the US and how China is blowing everyone else out of the water.

    Keeping up with climate

    Winter used to be the one time of year that California didn't have to worry about wildfires. A rapidly spreading fire in the southern part of the state is showing that's not the case anymore. (Bloomberg)

    Tesla's annual sales decline for the first time in over a decade. Deliveries were lower than expected for the final quarter of the year. (Associated Press)

    Meanwhile, in China, EVs are set to overtake traditional cars in sales years ahead of schedule. Forecasts suggest that EVs could account for 50% of car sales this year. (Financial Times)

    KoBold metals raised $537 million in funding to use AI to mine copper. The funding pushes the startup's valuation to $2.96 billion. (TechCrunch) Read this profile of the company from 2021 for more. (MIT Technology Review)

    We finally have the final rules for a tax credit designed to boost hydrogen in the US. The details matter here. (Heatmap)

    China just approved the world's most expensive infrastructure project. The hydroelectric dam could produce enough power for 300 million people, triple the capacity of the current biggest dam. (Economist)

    In 1979, President Jimmy Carter installed 32 solar panels on the White House's roof. Although they came down just a few years later, the panels lived multiple lives afterward. I really enjoyed reading about this small piece of Carter's legacy in the wake of his passing. (New York Times)

    An open pit mine in California is the only one in the US mining and extracting rare earth metals including neodymium and praseodymium. This is a fascinating look at the site. (IEEE Spectrum) I wrote about efforts to recycle rare earth metals, and what it means for the long-term future of metal supply, in a feature story last year. (MIT Technology Review)
  • A New York legislator wants to pick up the pieces of the dead California AI bill
    www.technologyreview.com
    The first Democrat in New York history with a computer science background wants to revive some of the ideas behind the failed California AI safety bill, SB 1047, with a new version in his state that would regulate the most advanced AI models. It's called the RAISE Act, an acronym for "Responsible AI Safety and Education." Assembly member Alex Bores hopes his bill, currently an unpublished draft (subject to change) that MIT Technology Review has seen, will address many of the concerns that blocked SB 1047 from passing into law. SB 1047 was, at first, thought to be a fairly modest bill that would pass without much fanfare. In fact, it flew through the California statehouse with huge margins and received significant public support. However, before it even landed on Governor Gavin Newsom's desk for signature in September, it sparked an intense national fight. Google, Meta, and OpenAI came out against the bill, alongside top congressional Democrats like Nancy Pelosi and Zoe Lofgren. Even Hollywood celebrities got involved, with Jane Fonda and Mark Hamill expressing support for the bill. Ultimately, Newsom vetoed SB 1047, effectively killing regulation of so-called frontier AI models not just in California but, with the lack of laws on the national level, anywhere in the US, where the most powerful systems are developed. Now Bores hopes to revive the battle. The main provisions in the RAISE Act include requiring AI companies to develop safety plans for the development and deployment of their models. The bill also provides protections for whistleblowers at AI companies. It forbids retaliation against an employee who shares information about an AI model in the belief that it may cause "critical harm"; such whistleblowers can report the information to the New York attorney general. One way the bill defines critical harm is the use of an AI model to create a chemical, biological, radiological, or nuclear weapon that results in the death or serious injury of 100 or more people.
Alternatively, a critical harm could be a use of the AI model that results in 100 or more deaths or at least $1 billion in damages in an act with limited human oversight that if committed by a human would constitute a crime requiring intent, recklessness, or gross negligence. The safety plans would ensure that a company has cybersecurity protections in place to prevent unauthorized access to a model. The plan would also require testing of models to assess risks before and after training, as well as detailed descriptions of procedures to assess the risks associated with post-training modifications. For example, some current AI systems have safeguards that can be easily and cheaply removed by a malicious actor. A safety plan would have to address how the company plans to mitigate these actions. The safety plans would then be audited by a third party, like a nonprofit with technical expertise that currently tests AI models. And if violations are found, the bill empowers the attorney general of New York to issue fines and, if necessary, go to the courts to determine whether to halt unsafe development.

A different flavour of bill

The safety plans and external audits were elements of SB 1047, but Bores aims to differentiate his bill from the California one. "We focused a lot on what the feedback was for 1047," he says. "Parts of the criticism were in good faith and could make improvements. And so we've made a lot of changes." The RAISE Act diverges from SB 1047 in a few ways. For one, SB 1047 would have created the Board of Frontier Models, tasked with approving updates to the definitions and regulations around these AI models, but the proposed act would not create a new government body. The New York bill also doesn't create a public cloud computing cluster, which SB 1047 would have done. The cluster was intended to support projects to develop AI for the public good.
The RAISE Act doesn't have SB 1047's requirement that companies be able to halt all operations of their model, a capability sometimes referred to as a "kill switch." Some critics alleged that the shutdown provision of SB 1047 would harm open-source models, since developers can't shut down a model someone else may now possess (even though SB 1047 had an exemption for open-source models). The RAISE Act avoids the fight entirely. SB 1047 referred to an "advanced persistent threat" associated with bad actors trying to steal information during model training. The RAISE Act does away with that definition, sticking to addressing critical harms from covered models.

Focusing on the wrong issues?

Bores's bill is very specific with its definitions in an effort to clearly delineate what this bill is and isn't about. The RAISE Act doesn't address some of the current risks from AI models, like bias, discrimination, and job displacement. Like SB 1047, it is very focused on catastrophic risks from frontier AI models. Some in the AI community believe this focus is misguided. "We're broadly supportive of any efforts to hold large models accountable," says Kate Brennan, associate director of the AI Now Institute, which conducts AI policy research. "But defining critical harms only in terms of the most catastrophic harms from the most advanced models overlooks the material risks that AI poses, whether it's workers subject to surveillance mechanisms, prone to workplace injuries because of algorithmically managed speed rates, climate impacts of large-scale AI systems, data centers exerting massive pressure on local power grids, or data center construction sidestepping key environmental protections," she says. Bores has worked on other bills addressing current harms posed by AI systems, like discrimination and lack of transparency. That said, Bores is clear that this new bill is aimed at mitigating catastrophic risks from more advanced models.
"We're not talking about any model that exists right now," he says. "We are talking about truly frontier models, those on the edge of what we can build and what we understand, and there is risk in that." The bill would cover only models that pass a certain threshold for how many computations their training required, typically measured in FLOPs (floating-point operations). In the bill, a covered model is one that requires more than 10^26 FLOPs in its training and costs over $100 million. For reference, GPT-4 is estimated to have required 10^25 FLOPs. This approach may draw scrutiny from industry forces. "While we can't comment specifically on legislation that isn't public yet, we believe effective regulation should focus on specific applications rather than broad model categories," says a spokesperson at Hugging Face, a company that opposed SB 1047.

Early days

The bill is in its nascent stages, so it's subject to many edits in the future, and no opposition has yet formed. There may already be lessons to be learned from the battle over SB 1047, however. "There's significant disagreement in the space, but I think debate around future legislation would benefit from more clarity around the severity, the likelihood, and the imminence of harms," says Scott Kohler, a scholar at the Carnegie Endowment for International Peace, who tracked the development of SB 1047. When asked about the idea of mandated safety plans for AI companies, assembly member Edward Ra, a Republican who hasn't yet seen a draft of the new bill, said: "I don't have any general problem with the idea of doing that. We expect businesses to be good corporate citizens, but sometimes you do have to put some of that into writing." Ra and Bores co-chair the New York Future Caucus, which aims to bring together lawmakers 45 and under to tackle pressing issues that affect future generations.
Scott Wiener, a California state senator who sponsored SB 1047, is happy to see that his initial bill, even though it failed, is inspiring further legislation and discourse. "The bill triggered a conversation about whether we should just trust the AI labs to make good decisions, which some will, but we know from past experience, some won't make good decisions, and that's why a level of basic regulation for incredibly powerful technology is important," he says. He has his own plans to reignite the fight: "We're not done in California. There will be continued work in California, including for next year. I'm optimistic that California is gonna be able to get some good things done." And some believe the RAISE Act will highlight a notable contradiction: Many of the industry's players insist that they want regulation, but when any regulation is proposed, they fight against it. "SB 1047 became a referendum on whether AI should be regulated at all," says Brennan. "There are a lot of things we saw with 1047 that we can expect to see replay in New York if this bill is introduced. We should be prepared to see a massive lobbying reaction that industry is going to bring to even the lightest-touch regulation." Wiener and Bores both wish to see regulation at a national level, but in the absence of such legislation, they've taken the battle upon themselves. At first it may seem odd for states to take up such important reforms, but California houses the headquarters of the top AI companies, and New York, which has the third-largest state economy in the US, is home to offices for OpenAI and other AI companies. The two states may be well positioned to lead the conversation around regulation. "There is uncertainty at the direction of federal policy with the transition upcoming and around the role of Congress," says Kohler. "It is likely that states will continue to step up in this area." Wiener's advice for New York legislators entering the arena of AI regulation? "Buckle up and get ready."
  • BDO Unibank Campus by Foster + Partners breaks ground in Manila, Philippines
    worldarchitecture.org
    Submitted by WA Contents. Philippines Architecture News - Jan 09, 2025 - 12:00

    Foster + Partners' BDO Unibank Campus has broken ground on Manila's Makati Avenue, Philippines. Developed for BDO Unibank, the design scheme was conceived to meet the bank's present and future demands. The practice's design is particularly responsive to the humid tropical climate and draws inspiration from vernacular architecture, which differs from the city's conventional paradigm of air-conditioned high-rise office complexes. The project creates a single integrated campus out of five distinct urban plots, enhancing Manila. A brand-new triple-volume public area that is shielded from intense rain and direct sunlight is framed by two tall skyscrapers that barely touch the earth. In order to increase the public space and the standard of living in the city, the open ground floor includes a variety of artworks and lush vegetation. "The new BDO campus offers a new model for the next generation of highly flexible and climatically responsive workplaces in the Philippines," said Luke Fox, Head of Studio, Foster + Partners. "Our holistic approach encompasses every element of the design, from the structural and environmental engineering to the landscaping and interiors, allowing us to create something completely bespoke and driven by extensive environmental analysis," Fox added. An elevated reception that links the office tower and important podium areas, such as the business center, public museum, and restaurant, is accessible to employees and guests from the ground plane. One of the main venues for the bank to interact with its wide range of clients is the 3,000-square-meter meeting and event room.
The bank's permanent collection of artwork is on display at a brand-new public museum, which also stages temporary exhibitions. Triple-story amenity spaces are situated at each subsequent setback, with massing stepping back at regular intervals. Generous outdoor patios on the amenities floors improve staff welfare and provide expansive views of the Makati skyline. In addition, an urban farm on the theater annex's roof serves as a venue for community events and supports the farm-to-table approach of the staff canteen. To identify which parts of the facades receive the most sun exposure, the design team has conducted a thorough solar analysis. The woven metal mesh infill screens, which draw inspiration from traditional weaving patterns, provide shade for these regions. At night, the structure appears as a softly glowing lantern thanks to hidden inner light fixtures that illuminate the facade. "The structure of the buildings is intentionally placed on the outside of their envelopes to actively shade the façades, while achieving an efficient structural design in a seismic zone," said Roland Schnizer, Senior Partner, Foster + Partners. "The exoskeletons create column free spaces internally and support external solar shading screens," Schnizer added. At each stage of the design process, the practice has thoroughly assessed the most energy and carbon-efficient solutions, incorporating whole lifecycle carbon calculations and embodied carbon into routine operations. A lightweight structural method improves performance in the Philippines' seismic setting while reducing the buildings' concrete content by almost 65,000 tons. Due to the more than 40 percent reduction in the buildings' operating energy, BDO Unibank is now able to pursue a Green Mark Super Low Energy certification, a first for the Philippines. Radiant cooling systems significantly lower energy requirements while enhancing tenant comfort and health, and more than 70 percent of potable water is recycled and used on-site.
The plan will eventually reach Green Mark Net Zero Energy status thanks to the utilization of renewable energy sources. Foster + Partners recently designed Apple's new store in Malaysia, featuring a three-dimensional layered roof. In addition, the firm unveiled a post-earthquake revitalization masterplan for Hatay. Moreover, the studio unveiled its design for the Changfeng Mixed-Use Development in Shanghai, China. All images courtesy of Foster + Partners. Via Foster + Partners.