Microsoft

Microsoft Research: AI Systems Cannot Be Made Fully Secure (theregister.com)

Microsoft researchers who tested more than 100 of the company's AI products concluded that AI systems can never be made fully secure, according to a new pre-print paper. The 26-author study, which included Azure CTO Mark Russinovich, found that large language models amplify existing security risks and create new vulnerabilities. While defensive measures can increase the cost of attacks, the researchers warned that AI systems will remain vulnerable to threats ranging from gradient-based attacks to simpler techniques like interface manipulation for phishing.
Microsoft

Microsoft Patches Windows To Eliminate Secure Boot Bypass Threat (arstechnica.com)

Microsoft has patched a Windows vulnerability that allowed attackers to bypass Secure Boot, a critical defense against firmware infections, the company said. The flaw, tracked as CVE-2024-7344, affected Windows devices for at least seven months. Security researcher Martin Smolar discovered the vulnerability in a signed UEFI application within system recovery software from seven vendors, including Howyar.

The application, reloader.efi, circumvented standard security checks through a custom PE loader. Administrative attackers could exploit the vulnerability to install malicious firmware that persists even after disk reformatting. Microsoft revoked the application's digital signature, though the vulnerability's impact on Linux systems remains unclear.
AI

LinkedIn Wants You To Apply For Fewer Jobs (engadget.com)

LinkedIn has unveiled an AI-powered "Job Match" feature to discourage users from applying to positions they aren't qualified for, aiming to address recruitment inefficiencies in a tight job market. The tool, the Microsoft-owned firm said, analyzes users' experience against job requirements to provide detailed qualification summaries, going beyond basic keyword matching. Premium subscribers will receive more granular match data.
Businesses

Even Harvard MBAs Are Struggling To Land Jobs (msn.com)

Nearly a quarter of Harvard Business School's 2024 M.B.A. graduates remained jobless three months after graduation, highlighting deepening employment challenges at elite U.S. business schools. The unemployment rate for Harvard M.B.A.s rose to 23% from 20% a year earlier, more than double the 10% rate in 2022.

Major employers including McKinsey, Amazon, Google, and Microsoft have scaled back M.B.A. recruitment, with McKinsey cutting its hires at University of Chicago's Booth School to 33 from 71. "We're not immune to the difficulties of the job market," said Kristen Fitzpatrick, who oversees career development at Harvard Business School. "Going to Harvard is not going to be a differentiator. You have to have the skills." Columbia Business School was the only top program to improve its placement rate in 2024. Median starting salaries for employed M.B.A.s remain around $175,000.
Microsoft

Microsoft Relaunches Copilot for Business With Free AI Chat and Pay-As-You-Go Agents (theverge.com)

Microsoft is relaunching its free Copilot for businesses as Microsoft 365 Copilot Chat today, complete with the ability to use AI agents. From a report: Copilot Chat is Microsoft's latest attempt to get people used to using AI at work and relying on it enough to tempt them into paying $30 per month to get the full Microsoft 365 Copilot.

Microsoft 365 Copilot Chat is essentially a rebranding of what was once Bing Chat Enterprise before Microsoft rebranded it to just Copilot. It crucially now includes access to Copilot AI agents right within the chat interface -- which was previously only available in the full Microsoft 365 Copilot experience -- requiring a $30 per user per month subscription. These agents are designed to work like virtual colleagues and can do things like monitor email inboxes or automate a series of tasks.

You'll be able to create and use agents using Copilot Studio, use agents that rely on web data, and even use agents grounded on work data through the Microsoft graph. The usage of agents with Copilot Chat will be priced through the Copilot Studio meter in Azure or through a pay-as-you-go option.

Businesses

Microsoft Pauses Hiring In US Consulting Unit (cnbc.com)

A week after announcing performance-based job cuts similar to those at Meta, Microsoft said it also plans to pause hiring in part of its consulting unit. CNBC reports: The changes by the U.S. consulting division are meant to align with a policy by the Microsoft Customer and Partner Solutions organization, which has about 60,000 employees, according to a page on Microsoft's website. The changes are in place through the remainder of the 2025 fiscal year ending in June. To reduce costs, Microsoft's consulting division will hold off on hiring new employees and back-filling roles, consulting executive Derek Danois told employees in the memo. Careful management of costs is of utmost importance, Danois wrote.

The memo also instructs employees to not expense travel for any internal meetings and use remote sessions instead. Additionally, executives will have to authorize trips to customers' sites to ensure spending is being used on the right customers, Danois wrote. Additionally, the group will cut its marketing and non-billable external resource spend by 35%, the memo says.
Further reading: Companies Deploy AI To Curb Hiring as 'Cost Avoidance' Gains Ground
Businesses

The New $30,000 Side Hustle: Making Job Referrals for Strangers (bnnbloomberg.ca)

Tech workers at major U.S. companies are earning thousands of dollars by referring job candidates they've never met, creating an underground marketplace for employment referrals at firms like Microsoft and Nvidia, according to Bloomberg.

One tech worker cited in the report earned $30,000 in referral bonuses after recommending over 1,000 strangers to his employer over 18 months, resulting in more than six successful hires. While platforms like ReferralHub charge up to $50 per referral, Goldman Sachs and Google said such practices violate their policies. Google requires referrals to be based on personal knowledge of candidates.
Microsoft

Microsoft Is Testing 45% M365 Price Hikes in Asia (theregister.com)

Microsoft is raising Microsoft 365 subscription prices by up to 46% across six Asian markets to fund AI features. In Australia, annual Microsoft 365 Family subscriptions will increase to AU$179 ($110) from AU$139, while Personal subscriptions will jump to AU$159 ($98) from AU$109. The price hikes also affect New Zealand, Malaysia, Singapore, Taiwan and Thailand customers.
Youtube

CES 'Worst In Show' Devices Mocked In IFixit Video - While YouTube Inserts Ads For Them (worstinshowces.com)

While CES wraps up this week, "Not all innovation is good innovation," warns Elizabeth Chamberlain, iFixit's Director of Sustainability (heading their Right to Repair advocacy team). So this year the group held its fourth annual "anti-awards ceremony" to call out CES's "least repairable, least private, and least sustainable products..." (iFixit co-founder Kyle Wiens mocked a $2,200 "smart ring" with a battery that only lasts for 500 charges. "Wanna open it up and change the battery? Well you can't! Trying to open it will completely destroy this device...") There's also a category for the worst in security — plus a special award titled "Who asked for this?" — and then a final inglorious prize declaring "the Overall Worst in Show..."

Thursday their "panel of dystopia experts" livestreamed to iFixit's feed of over 1 million subscribers on YouTube, with the video's description warning about manufacturers "hoping to convince us that they have invented the future. But will their vision make our lives better, or lead humanity down a dark and twisted path?" The video "is a fun and rollicking romp that tries to forestall a future clogged with power-hungry AI and data-collecting sensors," writes The New Stack — though noting one final irony.

"While the ceremony criticized these products, YouTube was displaying ads for them..."

UPDATE: Slashdot reached out to iFixit co-founder Kyle Wiens, who says this teaches us all a lesson. "The gadget industry is insidious and has their tentacles everywhere."

"Of course they injected ads into our video. The beast can't stop feeding, and will keep growing until we knife it in the heart."

Long-time Slashdot reader destinyland summarizes the article: "We're seeing more and more of these things that have basically surveillance technology built into them," iFixit's Chamberlain told The Associated Press... Proving this point was EFF executive director Cindy Cohn, who gave a truly impassioned takedown for "smart" infant products that "end up traumatizing new parents with false reports that their baby has stopped breathing." But worst for privacy was the $1,200 "Revol" baby bassinet — equipped with a camera, a microphone, and a radar sensor. The video also mocks Samsung's "AI Home" initiative which let you answer phone calls with your washing machine, oven, or refrigerator. (And LG's overpowered "smart" refrigerator won the "Overall Worst in Show" award.)

One of the scariest presentations came from Paul Roberts, founder of SecuRepairs, a group advocating both cybersecurity and the right to repair. Roberts notes that about 65% of the routers sold in the U.S. are from a Chinese company named TP-Link — both wifi routers and the wifi/ethernet routers sold for homes and small offices. Roberts reminded viewers that in October, Microsoft reported "thousands" of compromised routers — most of them manufactured by TP-Link — were found working together in a malicious network trying to crack passwords and penetrate "think tanks, government organizations, non-governmental organizations, law firms, defense industrial base, and others" in North America and in Europe. The U.S. Justice Department soon launched an investigation (as did the U.S. Commerce Department) into TP-Link's ties to China's government and military, according to a SecuRepairs blog post.

The reason? "As a China-based company, TP-Link is required by law to disclose flaws it discovers in its software to China's Ministry of Industry and Information Technology before making them public." Inevitably, this creates a window "to exploit the publicly undisclosed flaw... That fact, and the coincidence of TP-Link devices playing a role in state-sponsored hacking campaigns, raises the prospects of the U.S. government declaring a ban on the sale of TP-Link technology at some point in the next year."

TP-Link won the award for the worst in security.

AI

Foreign Cybercriminals Bypassed Microsoft's AI Guardrails, Lawsuit Alleges (arstechnica.com)

"Microsoft's Digital Crimes Unit is taking legal action to ensure the safety and integrity of our AI services," according to a Friday blog post by the unit's assistant general counsel. Microsoft blames "a foreign-based threat-actor group" for "tools specifically designed to bypass the safety guardrails of generative AI services, including Microsoft's, to create offensive and harmful content."

Microsoft "is accusing three individuals of running a 'hacking-as-a-service' scheme," reports Ars Technica, "that was designed to allow the creation of harmful and illicit content using the company's platform for AI-generated content" after bypassing Microsoft's AI guardrails: They then compromised the legitimate accounts of paying customers. They combined those two things to create a fee-based platform people could use. Microsoft is also suing seven individuals it says were customers of the service. All 10 defendants were named John Doe because Microsoft doesn't know their identity.... The three people who ran the service allegedly compromised the accounts of legitimate Microsoft customers and sold access to the accounts through a now-shuttered site... The service, which ran from last July to September when Microsoft took action to shut it down, included "detailed instructions on how to use these custom tools to generate harmful and illicit content."

The service contained a proxy server that relayed traffic between its customers and the servers providing Microsoft's AI services, the suit alleged. Among other things, the proxy service used undocumented Microsoft network application programming interfaces (APIs) to communicate with the company's Azure computers. The resulting requests were designed to mimic legitimate Azure OpenAPI Service API requests and used compromised API keys to authenticate them. Microsoft didn't say how the legitimate customer accounts were compromised but said hackers have been known to create tools to search code repositories for API keys developers inadvertently included in the apps they create. Microsoft and others have long counseled developers to remove credentials and other sensitive data from code they publish, but the practice is regularly ignored. The company also raised the possibility that the credentials were stolen by people who gained unauthorized access to the networks where they were stored...

The lawsuit alleges the defendants' service violated the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, the Lanham Act, and the Racketeer Influenced and Corrupt Organizations Act and constitutes wire fraud, access device fraud, common law trespass, and tortious interference.

Privacy

Database Tables of Student, Teacher Info Stolen From PowerSchool In Cyberattack (theregister.com)

An anonymous reader quotes a report from The Register: A leading education software maker has admitted its IT environment was compromised in a cyberattack, with students and teachers' personal data -- including some Social Security Numbers and medical info -- stolen. PowerSchool says its cloud-based student information system is used by 18,000 customers around the globe, including the US and Canada, to handle grading, attendance records, and personal information of more than 60 million K-12 students and teachers. On December 28 someone managed to get into its systems and access their contents "using a compromised credential," the California-based biz told its clients in an email seen by Register this week.

[...] "We believe the unauthorized actor extracted two tables within the student information system database," a spokesperson told us. "These tables primarily include contact information with data elements such as name and address information for families and educators. "For a certain subset of the customers, these tables may also include Social Security Number, other personally identifiable information, and limited medical and grade information. "Not all PowerSchool student information system customers were impacted, and we anticipate that only a subset of impacted customers will have notification obligations."
While the company has tightened security measures and offered identity protection services to affected individuals, cybersecurity firm Cyble suggests the intrusion "may have been more serious and gone on much longer than has been publicly acknowledged so far," reports The Register. The cybersecurity vendor says the intrusion could have occurred as far back as June 16, 2011, with it ending on January 2 of this year.

"Critical systems and applications such as Oracle Netsuite ERP, HR software UltiPro, Zoom, Slack, Jira, GitLab, and sensitive credentials for platforms like Microsoft login, LogMeIn, Windows AD Azure, and BeyondTrust" may have been compromised, too.
Privacy

See the Thousands of Apps Hijacked To Spy On Your Location (404media.co)

An anonymous reader quotes a report from 404 Media: Some of the world's most popular apps are likely being co-opted by rogue members of the advertising industry to harvest sensitive location data on a massive scale, with that data ending up with a location data company whose subsidiary has previously sold global location data to US law enforcement. The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games like Candy Crush and dating apps like Tinder to pregnancy tracking and religious prayer apps across both Android and iOS. Because much of the collection is occurring through the advertising ecosystem -- not code developed by the app creators themselves -- this data collection is likely happening without users' or even app developers' knowledge.

"For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising 'bid stream,'" rather than code embedded into the apps themselves, Zach Edwards, senior threat analyst at cybersecurity firm Silent Push and who has followed the location data industry closely, tells 404 Media after reviewing some of the data. The data provides a rare glimpse inside the world of real-time bidding (RTB). Historically, location data firms paid app developers to include bundles of code that collected the location data of their users. Many companies have turned instead to sourcing location information through the advertising ecosystem, where companies bid to place ads inside apps. But a side effect is that data brokers can listen in on that process and harvest the location of peoples' mobile phones.

"This is a nightmare scenario for privacy, because not only does this data breach contain data scraped from the RTB systems, but there's some company out there acting like a global honey badger, doing whatever it pleases with every piece of data that comes its way," Edwards says. Included in the hacked Gravy data are tens of millions of mobile phone coordinates of devices inside the US, Russia, and Europe. Some of those files also reference an app next to each piece of location data. 404 Media extracted the app names and built a list of mentioned apps. The list includes dating sites Tinder and Grindr; massive games such as Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with more than 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo's email client; Microsoft's 365 office app; and flight tracker Flightradar24. The list also mentions multiple religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps, which some users may download, ironically, in an attempt to protect their privacy.
404 Media's full list of apps included in the data can be found here. There are also other lists available from other security researchers.
Chromium

Tech Giants Form Chromium Browser Coalition (betanews.com)

BrianFagioli writes: The Linux Foundation has announced the launch of 'Supporters of Chromium-Based Browsers,' an initiative aimed at funding and supporting open development within the Chromium ecosystem. The purpose of this effort is to provide resources and foster collaboration among developers, academia, and tech companies to drive the sustainability and innovation of Chromium projects. Major industry players, including Google, Meta, Microsoft, and Opera, have pledged their support.
Businesses

Microsoft Cutting More Jobs as New Year Begins (theregister.com)

Microsoft kicks off the new year with more job cuts, as fewer than 1% of employees reportedly face the axe. From a report: As first reported by Business Insider, Microsoft is trimming its workforce again, including roles in its security division, with the cuts targeting underperforming employees. A Microsoft spokesperson confirmed the layoffs with BI but declined to specify how many staffers are affected, stating, "At Microsoft, we focus on high-performance talent."

"We are always working on helping people learn and grow. When people are not performing, we take the appropriate action," the spokesperson told The Register.

AI

Microsoft Rolls Back Its Bing Image Creator Model After Users Complain of Degraded Quality

Microsoft temporarily rolled back its Bing Image Creator upgrade from OpenAI's DALL-E 3 PR16 to the previous PR13 version after users reported degraded image quality, including cartoonish and "lifeless" results. TechCrunch reports: Ahead of the holidays, Microsoft said it was upgrading the AI model behind Bing Image Creator, the AI-powered image editing tool built into the company's Bing search engine. Microsoft promised that the new model -- the latest version of OpenAI's DALL-E 3 model, code-named PR16 -- would allow users to create images "twice as fast as before" with "higher quality." But it didn't deliver. Complaints quickly flooded X and Reddit.

"The DALL-E we used to love is gone forever," said one Redditor. "I'm using ChatGPT now because Bing has become useless for me," wrote another. The blowback was such that Microsoft said it'll restore the previous model to Bing Image Creator until it can address the issues. "We've been able to [reproduce] some of the issues reported, and plan to revert to [DALL-E 3] PR13 until we can fix them," Jordi Ribas, head of search at Microsoft, said in a post on X Tuesday evening. "The deployment process is very slow unfortunately. It started over a week ago and will take 2-3 more weeks to get to 100%."
Cloud

Microsoft Kills Free OneDrive Storage Loophole (theregister.com)

Microsoft will begin enforcing storage limits on unlicensed OneDrive accounts from January 27, 2025, ending a loophole that allowed organizations to retain departed employees' data without cost.

Data from accounts unlicensed for over 93 days will move to recycle bins for another 93 days before permanent deletion, unless under retention policies. Archived data retrieval will cost $0.60 per gigabyte plus $0.05 monthly per gigabyte. Organizations must either retrieve data, add licenses, or risk losing access, Microsoft has warned.
Microsoft

Microsoft Plans $3 Billion AI, Cloud Investment in India (techcrunch.com)

Microsoft plans to invest $3 billion to expand its artificial intelligence and cloud Azure services in India, turning to the world's most populous nation to fuel its revenue growth engine. From a report: The firm, which has been operating in India for more than two decades, will also train an additional 10 million people in the country with AI, Microsoft CEO Satya Nadella said at an event in Bengaluru Tuesday.

"The investments in infrastructure and skilling we are announcing today reaffirm our commitment to making India AI-first, and will help ensure people and organizations across the country benefit broadly," said Nadella. "The diffusion rate of AI in India is exciting." India is a key overseas market for American tech giants that have poured tens of billions of dollars in building and scaling their operations in the South Asian market over the past two decades as they work to court businesses serving hundreds of millions of users.

Intel

Intel Says New Laptop Chips Will Extend Computer Battery Life (yahoo.com)

Intel, which has been fending off mounting competition in notebook processors, says a new range of chips will help enable the longest battery life available in laptops. From a report: New computers based on the latest version of its Core Ultra processors will go on sale starting this month, the company said Monday at CES, an annual consumer electronics show.

Intel was for decades the world's largest chipmaker thanks to its dominance of the computer processor market. Production technology stumbles and slow product introductions have opened the door to both long-time rivals and firms just entering the space. The company's board last month ousted its chief executive officer, citing the need to improve its offerings.

The new chips, intended for corporate PCs and high-end consumer devices, are aimed at boosting performance in two areas the company considers key selling points: battery life and the ability to run artificial intelligence functions. According to Intel, an HP laptop that uses one of the new processors can run Microsoft's Teams software for as long as 10.5 hours on a single charge. It can go 20.3 hours between charges when the user is running Microsoft's cloud-based 365 suite, Intel added. By comparison, Intel says a Dell device using a Qualcomm Snapdragon processor can last as long as 9.2 hours and 18.5 hours, respectively, under those conditions.

Microsoft

Microsoft's Bing Deploys Google-Mimicking Interface To Retain Search Users

Microsoft's Bing search engine has deployed a controversial interface change that mimics Google's appearance when users search for "Google" or "Google.com" while logged out, blog WindowsLatest reports.

The new design adjusts the page layout to conceal Bing's search bar and navigation, displaying instead a Google-like interface with a central search box that redirects queries to Bing's results.