• Despite Some Bright Spots, Triple-A Gaming is in Dire Need of a Revolution
    gamingbolt.com
    Over the past few years, the triple-A games industry has been, to put it lightly, a mess. Ironically, it all came to a head in what many considered the best year for video games: 2023. Even with so many big-name titles and successes, from The Legend of Zelda: Breath of the Wild and Super Mario Bros. Wonder to Baldur's Gate 3 and Marvel's Spider-Man 2, the year saw over 9,000 layoffs. This would roll into 2024, when almost 15,000 layoffs occurred.

    It was also a year that saw multiple studios shuttered. Even after acquiring Activision Blizzard and becoming one of the biggest game publishers in the world, commanding a venerable army of IPs, Microsoft shut down Tango Gameworks, Arkane Austin, and Alpha Dog Games. Sony wasn't too far behind, shuttering its London Studio, Deviation Games, and most infamously Firewalk Studios in the wake of one of the biggest first-party failures of all time: Concord.

    Then we arrive in 2025 with Warner Bros. Games closing down Monolith Productions, Player First Games, and WB Games San Diego. Many saw the writing on the wall for some major changes at the company (look no further than mounting losses and failures through the years for WB Discovery as a whole), but few expected Monolith, one of the most respected developers of all time, to die out.

    On the gaming front, there is so much to dissect as well. Despite the low chances of success and seeking some form of recurring revenue, live-service titles continue to be released before crashing and burning. Suicide Squad: Kill the Justice League is one example, impacting Warner Bros.'s revenue by $200 million. Tack on MultiVersus, which contributed another $100 million impact. It's rumored that the failure of both titles spurred the cancellation of Wonder Woman, a title that was soft-rebooted last year and had already surpassed $100 million in its budget.

    Live service is a gamble, and for every Helldivers 2 that becomes a success, there are others cancelled before they can even make it out of the door. Sony can attest to this, from pushing an initiative to have a dozen live service titles before April 2026 to cancelling projects from Bend Studio and Bluepoint Games, The Last of Us Online, London Studio's fantasy action RPG, and the rumored Twisted Metal reboot.

    Then you have the likes of Ubisoft, whose trend-chasing and numerous failures eventually caught up to it, resulting in the cancellation of several unannounced projects, the end of service for games like XDefiant, layoffs, and the closure of studios like San Francisco. The company is also seemingly cursed on the single-player front: high-profile games like Avatar: Frontiers of Pandora and Star Wars Outlaws underperformed, critically and commercially.

    Even a well-reviewed game like Prince of Persia: The Lost Crown struggled with sales to the extent that a sequel pitch was reportedly denied, and the team broke up for other projects. Perhaps the most surprising thing is that Skull and Bones, the company's first quadruple-A title, perseveres.

    Let's not forget about Electronic Arts. EA Sports FC 25 underperformed to a significant degree, and Dragon Age: The Veilguard fell massively short of expectations. Remember how the next Dragon Age was to be a live-service title, but was subsequently rebooted, the remains patched together into a single-player game? Whatever you may think about the results, fans were far from impressed. And with many team members either leaving the company or reassigned, first temporarily and now permanently, to other EA projects, the BioWare of the past is looking even less like itself than ever before.

    Mismanagement has often been reported as a major reason for development troubles and gross overspending on video game budgets. But surely those developers could go on and start their own studios, away from corporate meddling, right? Not necessarily.

    Former BioWare head Casey Hudson's Humanoid Origin was founded three years ago and shut down last November due to an unexpected shortfall of funding. Phoenix Labs, formed by former Riot Games developers, saw its Monster Hunter-like Dauntless go through one terrible phase after another (including acquisition by a blockchain company). Months after its most-hated update yet, it's shutting down this May.

    Of course, it's not like a successful project means job security. Even after the breakout success of Marvel Rivals, with over 40 million players and more than $200 million in revenue, NetEase Games still shut down its US-based development team. There's also the whole upheaval with the company's international studios and investments, affecting the likes of Yakuza creator Toshihiro Nagoshi's new studio, among many others. But that's another story altogether.

    What exactly is happening? Is it because the industry couldn't keep up with the accelerated growth from the pandemic? Is history simply catching up to a medium that has seen nothing but sustained growth over extended periods? New consoles are introduced, promising to push the graphical envelope, and the jumps in visual fidelity are more incremental than ever. That hasn't stopped video game budgets from ballooning to absurd proportions, like the $315 million spent on Marvel's Spider-Man 2.

    There are so many factors to consider, but one thing remains true: triple-A gaming doesn't garner the same amount of prestige it once did. If anything, it's considered more of a meme than a representation of actual quality.

    How many triple-A games from major publishers have launched with performance problems, bugs, glitches, or game-breaking issues? Inflation may be something that video game prices have avoided throughout the past many years, but that hasn't stopped some companies from stuffing microtransactions into their games. With more titles embracing a $70 pricing structure, it's the classic case of video game publishers having their cake, eating it, and then charging you for the candles after crashing the party and forgetting it's your birthday.

    There are still potential bright spots, as seen with developers like Larian Studios, which are pushing forward with even more ambitious projects while commanding an immense amount of goodwill. Kingdom Come: Deliverance 2 also turned out to be a major success.

    Josef Fares continues to unabashedly bash the industry's practices while basking in the continued success of It Takes Two and the hype for Split Fiction. Avowed may not be a multi-million seller, yet it's still a success for the developer, which is more than it can ask for after six years of development and two reboots.

    FromSoftware may be embarking on a new multiplayer journey with Elden Ring: Nightreign, but is doing so off the back of universal acclaim and tens of millions of sales for the original game. We don't have to mention the continued success of Monster Hunter, with nearly 1.4 million peak concurrent players on Steam for Wilds, or its developer's bright outlook. Nintendo also continues to prosper while bucking the need for graphical supremacy, delivering hit after hit even in its leanest year yet, and with the Switch 2 poised to break records.

    There's still no denying that triple-A games development is in dire need of change. Whether it's a gradual process that needs to come from the top or forced by the current state of the world, it simply can't thrive off gambling and trend-chasing, much less destroying studios to cover up losses.

    Note: The views expressed in this article are those of the author and do not necessarily represent the views of, and should not be attributed to, GamingBolt as an organization.
  • 5 key features for CG artists in Godot 4.4
    www.cgchannel.com
    Tuesday, March 4th, 2025. Posted by Jim Thacker.

    The Godot team has released Godot 4.4, the latest version of the open-source game engine. It's another sizeable release, with improvements to core performance, and updates throughout Godot's key toolsets, including changes to scripting, audio and platform integration.

    Below, we've picked out five new features of particular significance to CG artists, as opposed to programmers, including updates to shading, lighting, rendering, animation and physics.

    1. New game window lets you edit games directly while they're running

    For both artists and level designers, a key change in Godot 4.4 is that the game window is now embedded in the Godot Editor, making it possible to view the running game from the Editor. Users can select objects within the game window, streamlining interactive in-game editing.

    There are also a number of other nice quality-of-life updates to the Editor, including the option to snap 3D objects to one another while placing them in a level, to preview camera views directly in the Inspector, and a built-in material preview in the visual shader editor.

    2. Updates to LightmapGI improve quality and performance of rendered shadows

    In the lighting toolset, the LightmapGI node now supports baked shadowmasks. The change makes it possible to use static shadows at a distance from the view camera, but dynamic shadows up close, improving performance without sacrificing realism.

    LightmapGI also now supports bicubic sampling, resulting in smoother-looking baked shadows at a small performance cost, and supports baking tinted shadows from transparent objects.

    3. AgX tonemapping gives a movie-like look to rendered images

    For post-processing, Godot 4.4 now supports AgX tonemapping, for giving a movie-like look to rendered images, alongside the existing ACES and Filmic transforms. The implementation is similar to that in Blender, where an AgX View Transform was added in Blender 4.0, but has been simplified for real-time use. It is described as handling very bright scenes better than existing tonemapping modes.

    4. Animation: new look-at, jiggle physics and animation marker systems

    Animators get a number of new features, including a new look-at constraint system, with the new LookAtModifier3D node partially replacing the now-deprecated SkeletonIK3D.

    For adding jiggle physics for characters' hair and clothing, VRMSpringBone from the VRM format for 3D avatars, previously an add-on, is now integrated directly into the engine.

    It is also now possible to place markers to create subregions of an animation that can be jumped to or looped without playing the entire animation.

    5. Jolt physics is now built-in, not an extension

    Another key change in Godot 4.4 is that Jolt, the open-source rigid body dynamics library used as the de facto physics engine by many developers, is now integrated directly into Godot. Jolt, used on games including Horizon Forbidden West, was previously an extension.

    The new built-in Jolt Physics module is still experimental, and is not yet as feature-complete as the existing Godot Physics system: you can find a list of differences in the online documentation. However, the Jolt extension is now in maintenance mode, and will be deprecated once the native Jolt physics system reaches feature parity.

    Other changes, performance improvements and platform support

    There are also a number of improvements to scripting, including support for typed dictionaries, tooltips in the GDScript editor, and a new expression evaluator. Core performance has been improved, with large projects loading up to 3x faster in the Editor.

    Godot also now supports Apple's Metal graphics API natively, rather than using MoltenVK to run Vulkan over Metal, which should improve performance on Apple Silicon processors.

    Platform changes include initial support for XR devices in the Android Editor. The Android Editor can also now generate and export binaries directly, rather than forcing users to switch to another OS.

    License and system requirements

    Godot 4.4 is compatible with 32-bit and 64-bit Windows, and 64-bit Linux and macOS. There are also browser-based and Android ports of the Godot Editor. The source code is available under an MIT license.

    Read a full list of new features in Godot 4.4 on the Godot team's blog. Download Godot from the game engine's website.
  • MIPS launches Atlas chip designs for industrial robots and autonomous cars
    venturebeat.com
    MIPS is launching its Atlas chip designs for physical AI platforms such as industrial robots and autonomous cars.
  • Monster Hunter Wilds sells 8m units in three days | News-in-brief
    www.gamesindustry.biz
    Having launched on February 28, 2025, it's become the fastest-selling title in Capcom's history. News by Sophie McEvoy, Staff Writer. Published on March 4, 2025.

    This is a News-in-brief article, our short format linking to an official source for more information.
  • PTW rebrands as Side
    www.gamesindustry.biz
    Ghostpunch Games, 1518 Studios, and audio services provider SIDE are united under the new brand. News by Sophie McEvoy, Staff Writer. Published on March 4, 2025.

    Games outsourcing firm PTW has undergone a rebrand, uniting its subsidiaries 1518 Studios, audio services provider SIDE, and Ghostpunch Games under one brand name: Side. In bringing the different brands together, Side offers services including game development, art and audio production, QA, localisation, player support, community management, and datasets.

    "For years now, our company has operated as one team with one vision driving how we do business. I'm proud that all our employees are now under one banner," said Side CEO Deborah Kirkham. "This new brand symbolises our commitment to delivering innovative, tailored solutions that drive our partners' success around the world."

    Chief revenue officer Kaley Hurst added: "This rebrand is an amalgamation of years of organic and inorganic growth, strategic planning for the future, and the realisation that we are stronger together in both brand and values."

    PTW was founded in 1994 as Pole to Win. It acquired numerous firms over the years, most recently Ghostpunch Games for $13 million in August 2024. It acquired 1518 Studios in 2021, and Side UK in 2015.
  • Waymo is now available exclusively on Uber in Austin
    www.theverge.com
    Today's the day: Waymo's unlikely partnership with Uber is now live in Austin, Texas. The former rivals have joined forces in the hopes of accelerating the transition to autonomous vehicles, and as of today, any Austin resident with a desire to take a trip in a fully driverless robotaxi can open their Uber app and hail away.

    But, of course, there are some limitations. Waymo only operates within a 37-square-mile area in Austin, which includes Hyde Park, Downtown, Montopolis, and other popular destinations, according to the company. So the trip will need to originate and end within that service area in order to qualify for Waymo. It also doesn't operate on highways yet, so the route will only comprise local streets.

    Another thing to consider: simply calling an Uber in Waymo's geofence doesn't guarantee a robotaxi will show up. Waymo spokesperson Chris Bonelli declined to share the size of the company's fleet in Austin but acknowledged that it was small at launch. "While smaller to start, the fleet will grow to hundreds of vehicles over time," Bonelli said.

    As of August 2024, Waymo's fleet had about 700 vehicles, most of which are in operation in San Francisco, Phoenix, and Los Angeles. The company has thousands of Jaguar I-Pace vehicles stored at a warehouse in Phoenix, according to drone footage of the facility. And Waymo has deals with Hyundai and Zeekr to add new vehicles to its fleet over time.

    For Austin residents who really have their hearts set on riding in a Waymo vehicle, there are a number of things they can do to indicate their interest. In the Uber app settings under Ride Preferences, customers can opt in to autonomous rides to increase their chances of being paired with a driverless vehicle.

    Waymo has been eyeing Austin as its next robotaxi market since at least August 2023. The company began offering rides to Early Testers (people who join a waitlist and sign nondisclosure agreements to get early access to the company's robotaxis) in October 2024. For those keeping score, there were approximately 550 days between identifying Austin as a future robotaxi city and launching the service on the Uber app. Waymo's success depends partly on narrowing that window for future cities in order to prove its scalability, while keeping an eye on safety.

    At launch, Waymo's vehicles will be available exclusively on Uber's app in Austin. The two companies first announced a deal to put Waymo's robotaxis on Uber's app back in 2023, indicating that Austin would be first, followed by Atlanta. Waymo's own ridehail app, Waymo One, will not be operational in Austin. Customers who open Waymo One will be redirected to Uber's app.

    That means certain functions that were controlled in the Waymo One app in other cities will now be controlled through the Uber app. These include unlocking the vehicle, popping the trunk, and starting the trip. Customers can also access 24/7 customer support through the app or via a button in the Waymo vehicle.

    In another first, Uber will manage fleet services, including vehicle cleaning, maintenance, inspections, EV charging, and depot operations. The company is contracting with Avmo (formerly Moove Cars) to handle these tasks. Waymo is still responsible for vehicle testing, roadside assistance, and certain elements of rider support. Waymo and Uber will obviously share in the costs and the revenue produced by the robotaxi service, though both companies have declined to share the split.

    The launch signals the start of a new era of cooperation between Uber, the rideshare giant that gobbled up the global taxi industry, and upstart Waymo, which is slowly trying to chip away at that dominance. "Starting today, Austin riders can be matched with a Waymo autonomous vehicle on the Uber app, making their next trip even more special," said Dara Khosrowshahi, CEO of Uber. "With Waymo's technology and Uber's proven platform, we're excited to introduce our customers to a future of transportation that is increasingly electric and autonomous."

    It's important to remember that Uber and Waymo weren't always so chummy. In 2017, Waymo sued Uber and its subsidiary, self-driving truck startup Otto, over allegations of trade secret theft and patent infringement. The case went to trial almost a year later but ended abruptly when the two sides reached a surprise settlement. Uber later admitted that it misappropriated some of Waymo's tech and vowed to license it for future use. Anthony Levandowski, a former Google engineer and the founder of Otto, was sentenced to 18 months in prison for stealing Waymo's trade secrets but was later pardoned by President Donald Trump.

    Infamously, Uber was developing its own fleet of autonomous vehicles with the intention to eventually replace all of its human drivers, but the program was shut down after a woman was killed by one of the company's vehicles in Arizona in 2018. A federal investigation later found Uber to be partly responsible for the incident. Uber sold its robotaxi business to Aurora, which incorporated the work into its development of autonomous trucks.

    But as Waymo eyes more markets, most experts agree that the business will take a long time to grow. Uber estimates that the autonomous vehicle market in the US alone is a trillion-dollar opportunity, but Khosrowshahi said during a recent earnings call that it will take "many, many years" to build out and scale.
  • Curiously, the iPhone 16e gets so close to supporting MagSafe
    9to5mac.com
    The oddest omission in the iPhone 16e is the lack of support for MagSafe. Indeed, the scale of the surprise at this led Apple to issue an explanation of sorts. But the position becomes all the stranger, thanks to the discovery that the phone comes so close to supporting it.

    The three benefits of MagSafe

    As we noted at the time, you do get a lot of flagship features in the iPhone 16e, but MagSafe wasn't one of them, and that seems a fairly big omission given the three benefits it offers.

    First, MagSafe makes wireless charging easier: you only have to position your phone close to a wireless charger before it snaps easily and securely into place. Gone is the need to feel around for the right position.

    Second, wireless charging becomes much faster. While the original Qi wireless standard maxed out at 7.5W, MagSafe and Qi2 doubled that to 15W, and the rest of the iPhone 16 line-up further increases that to 25W if you also upgrade to the latest MagSafe charger.

    Third, MagSafe opened up a whole new world of accessories, from combined car mounts and chargers to MagSafe wallets and camera gimbals.

    Apple offered circular reasoning for its omission

    Apple's explanation for the omission in the latest iPhone is that the target market doesn't use it. According to Apple representatives, most people in the 16e's target audience exclusively charge their phones by plugging them into a charging cable. They tend not to use inductive charging at all.

    As we pointed out, though, that's circular reasoning. Apple appears to be arguing that the phone will be bought by owners of iPhone SE models, or those with an iPhone 11 or earlier, and they don't use MagSafe. But those people didn't use MagSafe because their phones didn't support it.

    The iPhone 16e almost supports MagSafe

    Macworld's David Price noticed that the new iPhone does in fact have MagSafe magnets, just not enough of them to properly stick.

    "But then I took my iPhone 16e out of its case to get some photos with my old MagSafe charging puck for illustrative purposes (showing that it can charge from such accessories, but won't have that handy magnetic attachment) and I made a surprising discovery: the magnets inside the charger do attach to the iPhone 16e. It's a weak connection, but it's there."

    He posted a video in which he positioned the phone just above a MagSafe charger, and the charger lifted from the table and audibly snapped to the phone. It then remained magnetically in place when he lifted the phone.

    The reason this had seemingly gone unnoticed before is that the magnetic connection is too weak to work through a case. He also cautions that you shouldn't expect a vertical magnetic dock to hold the weight of the phone. But it does further add to the mystery of why Apple came close to offering MagSafe without actually doing so.
  • Apple @ Work Podcast: Getting the right data into your LLM tools
    9to5mac.com
    Apple @ Work is exclusively brought to you by Mosyle, the only Apple Unified Platform. Mosyle is the only solution that integrates in a single professional-grade platform all the solutions necessary to seamlessly and automatically deploy, manage and protect Apple devices at work. Over 45,000 organizations trust Mosyle to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.

    In this episode of Apple @ Work, I talk with Ken Kocienda about Infactory and the role of getting the right data in LLM tools.
  • How New AI Agents Will Transform Credential Stuffing Attacks
    thehackernews.com
    Mar 04, 2025The Hacker NewsAI Security / Web App SecurityCredential stuffing attacks had a huge impact in 2024, fueled by a vicious circle of infostealer infections and data breaches. But things could be about to get worse still with Computer-Using Agents, a new kind of AI agent that enables low-cost, low-effort automation of common web tasks including those frequently performed by attackers.Stolen credentials: The cyber criminal's weapon of choice in 2024Stolen credentials were the #1 attacker action in 2023/24, and the breach vector for 80% of web app attacks. Not surprising when you consider the fact that billions of leaked credentials are in circulation online, and attackers can pick up the latest drop for as little as $10 on criminal forums. The criminal marketplace for stolen credentials is benefitting from the publicity of high-profile breaches in 2024 such as the attacks on Snowflake customers using credentials found in data breach dumps and compromised credential feeds from infostealer and mass phishing campaigns, resulting in the compromise of 165 customer tenants and hundreds of millions of breached records.But despite 2024 being an unprecedented year in terms of the impact of identity-based attacks, there's still a lot of unfulfilled potential for attackers to realize. Credential attack automation what's changed with the shift to SaaS? Brute forcing and credential stuffing are nothing new, and have been a key component of the cyber attacker toolkit for decades. But it's not quite as easy to automatically spray credentials across systems as it once was. No more one-size-fits-allRather than a single centralized network with apps and data contained within an infrastructure perimeter, business IT is now formed of hundreds of web-based apps and platforms, creating thousands of identities per organization. 
This means that identities too are now decentralized and distributed all over the internet, as opposed to being stored solely in identity systems like Active Directory, and implemented using common protocols and mechanisms. While HTTP(S) is standard, modern web apps are complex and highly customized, with a graphically-driven interface that is different every time. And to make matters worse, modern web apps are specifically designed to prevent malicious automation through bot protections like CAPTCHA. So rather than encountering standard protocols and being able to write a single set of tools to use across any organization/environment e.g. write a DNS scanner once, use a single port scanner like Nmap for the entire internet, write a single script per service (e.g. FTP, SSH, Telnet, etc.) for your password sprayer custom tool development is instead required for every app that you want to target. Finding the needle in the haystackNot only are there more environments for attackers to include in the scope of their attack, but there are more credentials to work with. There are around 15 billion compromised credentials available on the public internet, not including those found only in private channels/feeds. This list is growing all of the time like 244M never-before-seen passwords and 493M unique website and email address pairs being added to Have I Been Pwned from infostealer logs just last month. This sounds scary, but it's tricky for attackers to harness this data. The vast majority of these credentials are old and invalid. A recent review of TI data by Push Security researchers found that fewer than 1% of stolen credentials included in threat intelligence feeds from a multi-vendor data set was actionable in other words, 99% of compromised credentials were false positives. But not all of them are useless as the Snowflake attacks demonstrated, which successfully leveraged credentials dating back to 2020. 
So there are clearly treasures waiting to be discovered by attackers. Attackers are forced to prioritizeThe distributed nature of apps and identities, and the low reliability of compromised credential data, means attackers are forced to prioritize despite a target-rich environment of hundreds of business apps, creating thousands of sprawled identities per organization, because: Writing and running custom python scripts for every single app (there are more than 40k SaaS apps on the internet) is not realistic. Even if you did the top 100 or 1000 that would be a significant task and require constant maintenance, while barely scratching the surface of the total opportunity. Even when fully scripted and using a botnet to distribute the attack and avoid IP blocking, controls like rate limiting, CAPTCHA, and account lockouts can obstruct mass credential stuffing against a single app. And a concentrated attack on a single site is going to generate significant levels of traffic if you want to get through 15 billion passwords in a reasonable timeframe, so it's very likely to raise the alarm.So attackers tend to target a smaller number of apps, and only look for a direct match in terms of the credentials attempted (e.g. the stolen credential must directly belong to an account on the target app). When they do go after something new, it tends to be concentrated on a specific app/platform (e.g. Snowflake) or looking for a narrower subset of credentials (e.g. credentials clearly associated with edge devices, for more traditional network environments). A missed opportunity?As we've established, the situation regarding credential stuffing attacks is already pretty bad despite these limitations. But things could be significantly worse. 
Password reuse means a single compromised account could turn into many

If attackers were able to increase the scale of their attacks to target a broader number of apps (rather than concentrating on a shortlist of high-value apps), they could take advantage of all-too-common password reuse. According to a recent investigation of identity data, on average:

- 1 in 3 employees reuse passwords
- 9% of identities have a reused password AND no MFA
- 10% of IdP accounts (used for SSO) have a non-unique password

What does this mean? If a stolen credential is valid, there's a good chance that it can be used to access more than one account, on more than one app (at least).

Picture the scenario: a recent compromised credential leak from infostealer infections or credential phishing campaigns shows that a particular username and password combination is valid on a specific app, let's say Microsoft 365. Now, this account is pretty locked down: not only does it have MFA, but there are conditional access policies in place restricting the IP/location it can be accessed from. Usually, this is where the attack would end, and you'd turn your attention to something else. But what if you were able to spray these credentials across every other business app that the user has an account on?

Scaling credential attacks with Computer-Using Agents

Until now, the impact of AI on identity attacks has been limited to the use of LLMs for the creation of phishing emails, in AI-assisted malware development, and for social media bots. No doubt significant, but not exactly transformative, and requiring constant human oversight and input. But with the launch of OpenAI Operator, a new kind of "Computer-Using Agent" (CUA), this could be about to change. Operator is trained on a specialist dataset and implemented in its own sandboxed browser, meaning it is able to perform common web tasks like a human, seeing and interacting with pages as a human would.
Unlike other automated solutions, Operator requires no custom implementation or coding to be able to interact with new sites, making it a much more scalable option for attackers looking to target a broad sweep of sites and apps.

Demo: Using Operator to conduct credential stuffing attacks at scale

Researchers at Push Security put the malicious use cases of Operator to the test, using it to:

- Identify which companies have an existing tenant on a list of apps
- Attempt to log in to various app tenants with a provided username and password

Impact summary

The results were pretty eye-opening. Operator clearly demonstrated the ability to target a list of apps with compromised credentials and perform in-app actions. Now think about this x10, x100, x10,000. These are not complex tasks. But the value of CUAs like Operator is not in tackling complexity, but scale. Imagine a world where you can orchestrate Operator windows via API and get it to execute these actions simultaneously (functionality that exists already for ChatGPT).

But this is bigger than Operator; it's about the direction of the technology. OpenAI may implement restrictions (better in-app guardrails, rate limits on the number of concurrent tasks and total usage, etc.). But you can guarantee it won't be the only CUA; it's only a matter of time before similar products emerge (maybe even inherently malicious ones) making use of the same technology.

Final thoughts

It's still early days for CUA tech, but there's a clear indication that an already severe security challenge could be made worse with this particular form of AI-driven automation. While the ability to target a broad set of apps has previously been beyond the scope of traditional automation, it's about to become much more accessible to even low-skilled attackers (think: next-gen script kiddies?).
Another way to think about it is that it effectively gives a human attacker a fleet of low-level interns who don't quite know what they're doing, but can be instructed to perform specific, itemised tasks at scale with only the occasional check-in while you work on other, more complex tasks. So, a bit like a red team manager of AI bots.

Operator means that attackers can leverage compromised credentials at scale, take advantage of the vast numbers of vulnerable and misconfigured identities, and convert them into systemic breaches much more easily. In a way, it could make credential stuffing a bit more like it was before the shift to cloud apps, where you could spray thousands of credentials across your targets without needing custom development every time.

Thankfully, no new anti-AI capabilities are required, but it's more important than ever that organizations look to defend their identity attack surface and find and fix identity vulnerabilities before attackers can take advantage of them.

Find out more

If you want to learn more about identity attacks and how to stop them, check out Push Security: you can book a demo or try out their browser-based platform for free. And if you want to see them demo more malicious use cases of Operator, check out this on-demand webinar.

This article is a contributed piece from one of our valued partners.
  • Get Control Over Unstructured Data
    www.informationweek.com
Worldwide, data is generated at a daily rate of 402.7 million terabytes, and roughly 80% of what comes into enterprises is unstructured. By unstructured, we mean data that is not organized into recognizable and parsable record lengths that have established keys into the data.

Instead, unstructured data could come in the form of monolithic video or audio recordings, photos, CAD drawings, e-mails, hard-copy documents, X-rays and MRIs, social media posts, or even the gibberish from telecommunications and network device handshakes and exchanges.

Enterprises struggle to get on top of this data, or to even use it at all. This prompted Splunk to report that, "More than 1,300 business and IT leaders in seven leading economies have spoken: They struggle to find all their data -- and report that more than half of it is dark -- untapped and, often, completely unknown. And, while they know AI will be transformative, they're not sure when and how."

These points are well taken, because if you want to excel in AI, you need the ability for the AI to mine all of the data that is available, not just 20% of it. To do this, enterprises must get a handle on their unstructured data.

How do you do this? By sorting through the data, deciding which parts of it are good, and then organizing the good data so it can be used in systemic processes like AI.

The catch for IT is defining an approach that can do these steps. How do you sort, classify and organize data that is coming into the company at such fierce velocities?

Step 1: Analyze your unstructured data.

Where is your unstructured data coming from, and in what form? How much storage is the data consuming, and what is the cost? Where is the data stored, and who is using it? Who owns the data? How old is the data? All are top-level questions that should be answered for every type of unstructured data that you have in your company.

Step 2: Identify data silos.
Some of the unstructured data is likely to be owned by specific user departments and may be on separate systems. If the data is exclusively contained within a specific user department, it is considered a data silo that cannot be leveraged by other departments in the company because those departments don't have access to the data. The data in these silos may not be consumed for what could be a variety of untapped business processes. Siloed data also creates risk when different departments use disparate data and come to discordant business decisions.

The primary goal in step 2 is identifying data silos, along with identifying the types of unstructured data that reside in those silos.

Step 3: Revisit data retention.

How much of this unstructured data doesn't add value, including network handshake noise, or data that is so old or obsolete that no one has used it for years?

With IT offering guidance, central data storage and systems in the data center, in user departments and in the cloud should be reviewed to determine which data can be jettisoned because it isn't useful. Internal and cloud data retention policies should be reviewed by IT and end users so there is an agreed-to understanding of which types of unstructured data are to be retained and for how long.

Some of this data may be non-electronic, such as a hard-copy company products catalogue that has been stored in a backroom closet since the 1980s.

Finally, financial insight should be incorporated into the data housekeeping effort. How much facility and disk space are you freeing up by getting rid of useless data, and what are the annual savings?

Step 4: Classify and organize data.

Once you have eliminated unnecessary unstructured data, it's time to classify and organize the data that remains. This task can be labor intensive because so much data classification must be done by hand, with knowledgeable users applying data tags to data objects.
For example, that may require tagging all unstructured data artifacts with a product label because they consist of CAD, CAM, photo and video documents of company products.

Data tags are the only way to define and navigate through unstructured data objects so people can find what they're looking for. Unfortunately, data tagging is time-consuming and frustrating when the number of unstructured data objects is huge. These data tags should also be standardized and agreed to across the organization so data retrieval is simplified.

Although most organizations can't get around hand-tagging data, we are beginning to see automated data tagging software come to market that can do the tagging automatically if it is given a set of business rules. There will also be future support from AI-powered tools that can learn how to evaluate and classify unstructured data objects.

Step 5: Enrich data.

Let's say that Company ABC wants to bid for a power plant. Much of the data for preparing the bid comes in forms such as schematics, PDF files, hard copy and email correspondence. This unstructured data, along with traditional structured data, needs to be cleaned, formatted and normalized so it can interact with other types of data in a single data repository that supports decision making during the bid process.

There is also a need to import outside data from the cloud and third parties on elements like logistics and weather conditions in the project locale, as well as local regulatory and zoning requirements.

ETL (extract-transform-load) tools can automate much of the data cleaning and formatting process, but IT still has to write the business rules for data transformation. Plus, the unstructured data being funneled into the data repository must be pre-classified and tagged by end users.

The goal of step 5 is to enrich data so that it can interact with all the other types of data to produce a complete picture of a customer, a product, a situation, etc.
This helps business decision makers as they think through strategy, tactics, schedules, pricing, and so on.

Closing Remarks

Realistically, few companies will succeed at harnessing 100% of the unstructured data that streams into them every day, but they can begin to get a handle on unstructured data by identifying where the data is coming from, where it will end up being hosted, what it is, and when it can be discarded.

A follow-up and highly doable step is silo busting, and the beginning of a corporate-wide data repository that contains both structured and unstructured data.

The ultimate goal of developing highly enriched data that delivers optimal business value might have to wait until automated data classification and AI technologies mature, but there's a lot that IT can do right now to be ready for that time.