Security weaknesses at Git Hub could have devastating impacts: Hashtag Trending for Tuesday, July 16, 2024

Share post:

A new report exposes security weaknesses in a popular tool used by millions of developers, Samsung faces its first general strike in 55 years, Today is AI Appreciation Day

All this and more on the “AI Appreciation Day” edition of Hashtag Trending.  I’m your host Jim Love, let’s get into it.


So as we noted, today is AI Appreciation Day, so here’s something to warm your heart. Here’s a 60-second story based on the provided article:

Google’s Gemini AI has apparently been caught scanning private PDF files stored in Google Drive without explicit user permission. Kevin Bankston, a Senior Advisor on AI Governance, reported this issue on Twitter after discovering that Gemini had summarized his tax return without his request.

Surprisingly, even users who had disabled Gemini summaries in Gmail, Drive, and Docs found the AI still accessing their files.

Bankston has guessed, although he’s not certain, the problem may be caused by enabling Google Workspace Labs, potentially overriding intended Gemini AI settings.

Google’s support and Gemini AI itself appear uncertain about the cause, with Gemini either “hallucinating” about available privacy settings or pointing to malfunctioning internal systems. The issue seems to persist for specific file types once the Gemini button is pressed on a single document.

This incident highlights the growing concerns over AI’s integration into everyday tools and the importance of user consent in handling sensitive information. It also underscores the challenges tech giants face in balancing innovation with privacy protection as AI becomes more prevalent.

As AI continues to be more and more integrated into our software and our lives, this case serves as a warning of the need for transparent, user-controlled and easily understood privacy settings in AI-enabled services.

Sources include: Tom’s Hardware

A new report from a company called Legit Security reveals alarming security vulnerabilities in GitHub Actions, a popular tool used by millions of developers and major companies worldwide. The study, titled “The State of GitHub Actions Security,” found that most GitHub Actions workflows are susceptible to exploitation.

Roy Blit, Head of Research at Legit Security, warns, “These findings are alarming because GitHub Actions provide the key to critical infrastructure. They are connected to an organization’s source code and their deployment environment, so once exploited, the organization is completely in the attacker’s hands.”

Key findings include vulnerabilities in over 7,000 workflows, execution of untrusted code in more than 2,500 workflows, and use of untrustworthy artifacts in over 3,000 workflows. The report also highlights that 98% of references used by jobs and steps don’t follow best practices for dependency pinning.

The GitHub Actions marketplace is particularly concerning, with only 913 out of 19,113 custom Actions created by verified GitHub users. Most Actions have low security scores and are maintained by a single developer.

To mitigate risks, Legit Security recommends educating development teams about proper security practices and leveraging GitHub’s built-in security features. The full report offers detailed insights and recommendations for organizations using GitHub Actions.

Sources include:  Report from Legit Security

Samsung Electronics in South Korea is facing its first general strike in 55 years, with workers from its 8-inch semiconductor production line at the forefront. These employees, primarily women in their 20s to 40s, are protesting against grueling working conditions that they say treat them like disposable machine parts.

Workers report serious physical ailments, including deformed fingers, varicose veins, back problems, due to the manual nature of their work. They transport heavy wafer bundles and operate machinery for eight-hour shifts with minimal breaks.

They complain of being under so much pressure to meet quotas that they are afraid to take washroom breaks, forcing one woman to avoid drinking any water before or during her shift.

One worker stated, “We just don’t want to be treated as disposable parts.” Employees also complain about the inability to take time off due to understaffing and high production quotas. According to one of the workers, who was said she had to check herself into a psychiatric facility. many of the women suffer from depression.

Samsung denies restricting vacation days and claims to adhere to all workplace safety standards. However, the company admits the strike has impacted production, with the line operating at only 18% capacity on the first day of the strike.

As the strike continues, it highlights the ongoing struggle between worker welfare and corporate productivity in South Korea’s tech industry.

Sources include:  Hankyoreh

Google is reportedly eyeing its biggest startup acquisition ever, with plans to buy cloud cybersecurity firm Wiz for a staggering $23 billion. This move, if successful, would dwarf Google’s previous record purchase of Motorola Mobility in 2012.

Wiz, a New York City-based startup, specializes in securing corporate cloud infrastructure by creating a “normalizing layer” between cloud environments. The company’s partners include tech giants Amazon and Oracle.

Google Cloud chief Thomas Kurian is reportedly spearheading this acquisition effort. It’s seen as a strategic move to bolster Google’s reputation in cloud security, especially in light of recent high-profile breaches affecting competitors like Microsoft.

This potential deal follows Google’s recent investments in cloud security, including a $500 million startup purchase in 2022 and the $5.4 billion acquisition of Mandiant.

While sources suggest the deal “looks likely,” it could face scrutiny from U.S. regulators. The Biden administration has been actively pursuing antitrust actions in the tech sector, as seen in recent cases involving Google and Microsoft.

Sources include: The Verge

AT&T, the US telecom giant, recently disclosed a massive data breach affecting millions of customers. In a surprising twist, the company reportedly paid a hacker $370,000 to delete stolen phone records. The breach, discovered in April, involved call and text records of “nearly all” AT&T customers, obtained through an unsecured Snowflake cloud storage account.

A security researcher, known as Reddington, facilitated negotiations between AT&T and the hacker. The stolen data included metadata but not the content of communications or customer names. However, it could potentially be used to identify individuals through reverse lookup programs.

The hacker, part of the ShinyHunters group, initially demanded $1 million but settled for about $373,000 in Bitcoin. AT&T delayed public disclosure at the request of the Department of Justice, citing potential national security concerns.

Interestingly, the hacker claims the breach was carried out by John Erin Binns, who was allegedly arrested in Turkey in May for an unrelated T-Mobile hack.

Binns remains a bit of an enigma, claiming that a chip place in his brain was the reason for his illegal actions.  But even though Binns might appear to be a couple of bits short of a byte, he apparently was able to easily demonstrate how the meta data could be linked back to identify the individuals associated with it.

Nevertheless, AT&T has paid to have the data deleted and between Binns and the other hacker, we are sure all affected AT&T customers can breathe a sigh of relief, safe in the certainty that the data is safely deleted.  As I’ve always said, if you can’t trust the people who stole your data, who can you trust?

Sources: Wired

Today is AI Appreciation Day and if you’re like me you are thinking – huh? But apparently, it’s a real thing. It’s recorded on the National Day Archives where it exists with the likes of what the site lists as the most popular dates National Fish Taco Day, National Dish Washer Appreciation Day and a perpetual favourite National Drinking with Chickens day.   AI Appreciation Day was founded by a company called AI Heart LLC which as near as I can figure out, sells T-Shirts with AI Heart themes.

In appreciation of the idiocy, I will be registering a National “Kill Me Now Day” where we will all get together and be thankful that we reserved this one day where no other idiotic days can be celebrated, or if we do find that we are competing with something as extraordinary as another of the top days, National Gummi Worm Day, which apparently was yesterday, we can all post #killmenow and then go drinking with chickens.

And that’s our show for today.

Hashtag Trending is on summer hours. We will have 3 daily news shows a week, so our next show will be our Weekend Edition which we hope to post on Friday, but as much as I need a bit of a summer recharge, we’ll play with the schedule to see what works best.

Show notes are at technewsday.ca or .com  – either one works.

We love your comments.  Contact me at editorial@technewsday.ca

I’m your host Jim Love, have a Terrific Tuesday.

 

 

 

SUBSCRIBE NOW

Related articles

AI Engages In Deceptive Marketing: Hashtag Trending for Tuesday, December 3, 2024

Hashtag Trending is brought to you this week by Elisa: A Tale of Quantum Kisses a science fiction,...

AI vs Ghost Engineers: Hashtag Trending for Monday, Dec. 2, 2024

Hashtag Trending is brought to you this week by Elisa: A Tale of Quantum Kisses, a science fiction...

AI Chat Bot Exposes 300,000 Records: Cyber Security Today for Monday, December 2, 2024

This week’s programs are brought to you by the book Elisa: A Tale of Quantum Kisses. Pre-release of...

AI: What’s Holding You Back? Project Synapse: AI in Action on Hashtag Trending Weekend Edition for November 30, 2024

Exploring AI Security and Strategy | Hashtag Trending Weekend Edition #3 In Episode 4 of our Project Synapse series,...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways