Category: Specials

  • For March’s Patch Tuesday, no zero-day flaws

    Microsoft this week pushed out 61 Patch Tuesday updates with no reports of public disclosures or other zero-days affecting the larger ecosystem (Windows, Office, .NET). Though there are three updated packages from February, they’re just informational changes with no further action required.

    The team at Readiness has crafted this helpful infographic outlining the risks associated with each of the March updates.

    Known issues

    Each month, Microsoft publishes a list of known issues that relate to the operating system and platforms included in the latest update cycle; for March, there are two minor issues reported:

    • Windows devices using more than one monitor might experience issues with desktop icons moving unexpectedly between monitors or see other icon alignment issues when attempting to use Copilot in Windows. Microsoft is still working on the issue.
    • For Exchange Server, Microsoft published an advisory note: after you install the latest security update there is no longer support for the Oracle OutsideIn Technology (OIT) or OutsideInModule. For more information, see this service update.

    February was not a great month for how Microsoft communicated updates and revisions. With March being an exceptionally light month for reported “known issues” for desktop and server platforms, our team found no documentation issues. Good job Microsoft!

    Major revisions

    This month, Microsoft published the following major revisions to past security and feature updates including:

    • CVE-2024-2173, CVE-2024-2174, and CVE-2024-2176: Chromium: CVE-2024-2173 Out of bounds memory access in V8. These updates relate to recent security patches for the Chromium browser project at Microsoft. No further action required.

    Mitigations and workarounds

    Microsoft released these vulnerability-related mitigations for this month’s release cycle: 

    • CVE-2023-28746 Register File Data Sampling (RFDS). We are not certain how to categorize this update from Intel, as it relates to a hardware issue with certain Intel chipsets. The mitigation for this vulnerability requires a firmware update, and a corresponding Windows update enables this third-party firmware-based mitigation. More information can be found here.

    Each month, the team at Readiness analyses the latest Patch Tuesday updates and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the patches and their potential impact on the Windows platforms and application installations.

    For this March cycle, we have grouped the critical updates and required testing efforts into different functional areas including:

    Microsoft Office

    • Visio will need to be tested for larger drawings. (CAD drawings are good candidates.)
    • Microsoft SharePoint will require testing for the upload of files larger than 1GB.
    • Excel will need a test of OLE embedded objects and all linked datasheet macros.

    Microsoft .NET and Developer Tools

    • PowerShell: The Get-StorageDiagnosticInfo cmdlet has been updated, so check your DACL (Discretionary Access Control List) for the correct “resultant” settings (e.g. that it has the correct owner).

    Windows

    The following core Microsoft features have been updated, including:

    • SQL OLE and ODBC: These updates will require a full test cycle of database (DB) connections and SQL commands. We advise running basic SQL commands and trying different SQL servers.
    • Hyper-V: Test that virtual machines (VMs) start, shut down, pause, and resume, and then turn the machine off.
    • Printing: Both Version 4 (V4) and V3 printer connections will require basic testing.
    • Telephony and FAX: Microsoft TAPI APIs have been updated, so remember to test your FAXPress servers.
    • USB Drivers: A basic test of USB devices will be required with a “plug in, copy from and to the USB and detach” cycle.
    • Compressed files: A minor update will require basic testing of .7z, .rar, .tar and .tar.gz files.

    One of the key updates to the Windows file system this month is a change to how NTFS handles composite image files; Microsoft describes them as “a small collection of flat files that include one or more data and metadata region files, one or more object ID files and one or more file system description files. As a result of their ‘flatness’ CIMs are faster to construct, extract and delete than the equivalent raw directories they contain.”

    Basic tests for this update should include creating, mounting, and browsing CIM objects.

    Automated testing will help with these scenarios (especially a testing platform that offers a “delta” or comparison between builds). However, for line-of-business applications, getting the application owner (doing UAT) to test and approve the results is still absolutely essential.

    This month, Microsoft made a major (general) update to the Win32 and GDI subsystems with a recommendation to test out a significant portion of your application portfolio.

    Windows lifecycle update

    This section contains important changes to servicing (and most security updates) for Windows desktop and server platforms.

    • Windows 10 21H2 will lose active support in 3 months (June 2024).
    • Microsoft .NET Version 7 support ends in 2 months (May 2024).

    Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

    • Browsers (Microsoft IE and Edge);
    • Microsoft Windows (both desktop and server);
    • Microsoft Office;
    • Microsoft Exchange Server;
    • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
    • Adobe (if you get this far).

    Browsers

    Microsoft has released three minor updates to the Chromium-based browser (Edge) project this month (CVE-2024-1283, CVE-2024-1284 and CVE-2024-1059) with the following reported vulnerabilities:

    • CVE-2024-1060: Chromium: CVE-2024-1060 Use after free in Canvas.
    • CVE-2024-1077: Chromium: CVE-2024-1077 Use after free in Network.
    • CVE-2024-21399: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability.

    In addition to these standard releases, Microsoft issued these “late” additions with its monthly browser update:

    • CVE-2024-26163: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability.
    • CVE-2024-26167: Microsoft Edge for Android Spoofing Vulnerability.
    • CVE-2024-26246: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability.

    All these updates should have negligible impact on applications that integrate and operate on Chromium. Add these updates to your standard patch release schedule.

    Windows

    In February, Microsoft released (another) two critical updates (CVE-2024-21407 and CVE-2024-21408) and 39 patches rated as important to the Windows platform that cover the following key components:

    • Windows SQL and OLE DB Provider
    • Windows Hyper-V
    • Windows Kernel

    This month we do not see any reports of publicly reported vulnerabilities or exploits in the wild, and if you are on a modern Windows 10/11, all these reported security vulnerabilities are difficult to exploit. Please add this update to your standard Windows release schedule.

    Microsoft Office

    Following a recent trend, Microsoft released only three updates to the Microsoft Office platform for March (CVE-2024-21448, CVE-2024-21426 and CVE-2024-26199). All three patches have low potential for exploitability and should be added to your regular Office update schedule.

    Microsoft Exchange Server

    Microsoft has (again) released a single update for Exchange Server with CVE-2024-26198. This update only affects Exchange Server 2016 and 2019; Microsoft describes the vulnerability as, “an attack that requires a specially crafted file to be placed either in an online directory or in a local network location. When a victim runs this file, it loads the malicious DLL.”

    Microsoft rates this update as important and there are no reports of public disclosure or exploits. Add it to your regular server update schedule. For Exchange Server admins, we believe that each updated server will require a reboot.

    Microsoft development platforms

    Microsoft released three updates (CVE-2024-26190, CVE-2024-26165 and CVE-2024-21392) to .NET (Versions 7 and 8) and Microsoft Visual Studio 2022. All three updates are low-impact and can be included in regular developer patch release efforts.

    Adobe Reader (if you get this far)

    No Adobe updates this month. Other than the Intel firmware update (CVE-2023-28746), we do not have any third-party vendors/ISVs to add to this month’s update schedule.

    Copyright © 2024 IDG Communications, Inc.

  • A call for digital-privacy regulation ‘with teeth’ at the federal level

    How did we get to the point where the tech industry is in the user-data business instead of the tech business?

    Every day, Google collects data on billions of people worldwide, according to The Regulatory Review. The dodge that users gain some benefit from ad targeting is a fallacy. For example, if Google’s search were decoupled from its advertising, there would be less chance for users to be misled by ignored search terms and seemingly hard-wired results.

    There’s nothing beneficial to the user about Google’s sponsored search results. That’s also true of the adjacent Google ads that follow you around from site to site.

    Digital advertising has become very big business for tech companies. For Google and Meta/Facebook, it’s a major revenue stream, and it’s a significant chunk of cash for other big tech companies — and even quite a few smaller ones.

    2023 digital advertising revenues (data provided by Statista):

    • Amazon: $44.3 billion
    • Apple: $6.51 billion
    • Google: $237.8 billion
    • Meta/Facebook: $131.9 billion
    • Microsoft: $12.2 billion

    The US government and Americans in general are letting big tech companies get away with infringing the online privacy of millions of citizens who use “free” services in the form of apps and websites. Big tech’s goal is to connect advertisers with an ideal customer, who, because of some online interaction, is perceived as being more likely to buy products like the ones the advertiser is selling.

    These tech companies collect information including search data, purchase history, payment information, facial recognition data, documents, photos, videos, locations, Wi-Fi location, IP address, birth date, mailing address, email address, phone number, activities or interactions such as videos watched, app use, emails sent and received, activity on your device, phone calls — and a lot more. Security.org has a richly detailed analysis on the data types used by Amazon, Apple, Facebook/Meta, Google, and X (formerly Twitter).

    Google collects the most types of data; Apple, the least.

    User beware

    The corporate data gatherers and potential data brokers who buy and sell user data create detailed profiles with as much about you as they can muster. If these companies are breached and your data leaks, that info could wind up on the dark web where it might be sold — resulting in possible identity theft.

    It should come as no surprise that the companies tracking users employ cryptic legal language to explain what they do with your data. And whatever privacy controls users might have been provided tend to be incomplete, spread out, difficult to find, ambiguous, or needlessly complex. Plus, both the legalese and privacy settings can change without notice.

    If, for example, it were in Meta’s and Google’s best interests to make it easy to configure their products to the strictest level of data privacy, they would have done so long ago. (Hint: It’s in their vested interest to make it difficult for you to activate heightened user-data privacy settings.)

    Facebook offers a wizard-like set of tools for managing security and privacy settings. While these tools are commendably easy to use, they barely scratch the surface of the data the social media giant collects.

    It’s clear that companies harvesting online user data can’t be trusted to self-regulate to protect their users, and it’s long past time for federal regulations to protect user data and privacy like the EU’s GDPR (General Data Protection Regulation) enacted in 2018 and the EU’s DMA (Digital Markets Act) antitrust law, which took effect just last week. Laws like these belong at the federal level, because it’s easier for companies to comply with one broad set of standards than a patchwork of state regulations.

    Because of the lack of federal impetus on data privacy regulation, 13 states have passed comprehensive data privacy laws: California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Florida, Montana, Oregon, and Delaware. Several additional states have lesser regulations on the books or have proposed legislation.

    It’s important to enact legislation with penalties that motivate the companies involved. Some big tech firms fined by the EU have simply declined to pay some penalties, or paid them after delays. Fines are not the answer, or at least, not the best answer. Big tech companies make so much money on user data that fines for non-compliance with the GDPR and other regulations could be seen as merely the cost of doing business. Finally, if federal regulation is enacted, AI regulation should be a part of the discussion.

    9 ways to improve privacy on your devices

    It’s not possible to fully protect your user data on the Internet, but you can significantly improve your privacy. To do so, you might have to leave your comfort zone a bit and retrain yourself to work in different ways:

    1. Use a browser such as Firefox, which is designed to protect your privacy (and configure search to default to DuckDuckGo).
    2. Use unique passwords for all your logins with two-factor authentication or passcodes. The only practical way to do that for most people is with a password manager (such as 1Password). Most password managers automatically fill in logins for you, making them convenient to use.
    3. Avoid apps when possible and log into social media and other web-based services using your web browser.
    4. Use the browser’s privacy window in conjunction with a virtual private network (VPN) like Surfshark or ExpressVPN to obscure your IP address and provide encryption. The chief advantage of a VPN is added privacy.
    5. Learn what user data each platform collects and decide what you want to try to protect. Wading through the fine print should eventually detail this. These resources have done the grunt work for you — though some details might have changed since publication:
    6. Use the privacy configuration tools provided by the data-collecting platforms you frequent, especially for sensitive data like payment methods, access to documents, photos, and videos, and location information. These references can help you batten down the hatches on digital privacy:
    7. Carefully manage Location Services on your devices. If you can’t live without location services entirely, configure location services on and off by app.
    8. You can take steps to make your phone harder to track.
    9. And finally, while it won’t be the most popular recommendation, you can improve your privacy significantly by eliminating one or more sources of vulnerability, such as the Google or Meta platforms. In other words, stop using some digital platforms entirely. Cancel accounts, find out how to delete all data being held by the platform, then do so.


  • AIs may be better at prompt optimization than humans

    With prompt engineers among the workers most in demand in the wake of generative AI’s arrival in the enterprise, it was inevitable that someone would investigate whether their role, too, could be automated, or at least facilitated, by AI.

    And, indeed, a recent study focused on how to write the best prompts for a large-language model (LLM) AI to solve mathematical problems has found that another AI gets better results than a human. The study sought to determine whether human-generated “positive thinking” prompts—such as “this will be fun!” or “take a deep breath and think”—produce better responses. The results were mixed when using different LLMs.

    AI-optimized prompts win

    However, using AI-optimized prompts instead “consistently equaled or surpassed the effectiveness of our manually generated ‘positive thinking’ prompts in nearly all instances,” wrote researchers Rick Battle and Teja Gollapudi of VMware.

    Their conclusion: It’s easy to get an LLM to come up with new answers by feeding it different prompts. It’s more difficult to produce consistently great answers through human-generated prompts.

    “Affecting performance is trivial,” they wrote. “Improving performance, when tuning the prompt by hand, is laborious and computationally prohibitive when using scientific processes to evaluate every change.”

    Battle and Gollapudi cite a 2023 study, from Chengrun Yang of Google DeepMind and other researchers, coming to a similar conclusion. AI-optimized prompts can be AI model- and task-specific, while similar human-generated prompts can produce “drastically different performance,” the Yang study says.

    Their research, along with Yang’s, “highlights the superior capability” of AIs to optimize their own prompts.

    “Engaging in the iterative process of refining prompts and monitoring the subsequent score progression can be an enjoyable endeavor,” Battle and Gollapudi write. “However, this approach proves to be highly time-inefficient, especially when systematically assessing all modifications from a scientific standpoint.”

    It probably shouldn’t be surprising that AI prompts net the best AI results, even if the concept of “best” may be subjective, said Daniel Freeman, a senior consultant and AI expert at Scotwork International, a global negotiation skills and training company.

    “We’re already addressing the biases inherent in AI models, so perhaps the ‘best’ prompt is one that yields unintended outcomes for the user,” he said.

    A recent article on Business Insider suggested that AI is coming for the high-paying AI prompt engineering jobs, and Freeman raised similar concerns as researchers and AI developers explore the boundaries of AI.

    Ethical considerations

    “When we reach a point where we’re asking AI to prompt itself, the question arises: Are we inadvertently prioritizing cost-cutting over larger ethical considerations?” he said. “Do we really want to side-line human involvement?”

    The recent studies suggest the possibility of removing humans from AI and training, but that’s a “precarious path to tread,” he added. “We rely on the human touch to guide the development of this emerging technology sensibly.”

    Human guidance is needed to guide AI chatbots away from giving out inaccurate information, to cut back on plagiarism in academia, and to resolve ethical dilemmas in AI-generated art, for example, Freeman noted.

    Freeman has seen AI become increasingly integrated into negotiation training processes with his job at Scotwork. “It’s foreseeable that AI will continue to expand its role in future business negotiations and beyond, but striking the right balance between AI and human capabilities will be paramount for successful integration and the preservation of negotiation as an art form,” he said.


  • AR got its ‘killer app’: GenAI

    You hear that sound? That’s the sound of augmented reality (AR) fading away as a driving concept in technology.

    You could blame Apple, which handed down an edict to Apple Vision Pro developers: “Refer to your app as a spatial computing app. Don’t describe your app experience as augmented reality (AR), virtual reality (VR), extended reality (XR), or mixed reality (MR).”

    But blaming Apple would be wrong. Instead, blame artificial intelligence (AI) — specifically the generative AI (genAI) trend of the past year and a half; it’s completely upended and re-directed the purpose and function of the glasses formerly known as AR glasses.

    How AR became a four-letter word

    Tech giants have been working on “smart glasses” for more than a decade. And these products are finally hitting the market. Their killer app? AI, of course. (I’m defining AI glasses here as glasses with the primary purpose of facilitating fast and easy access to AI.)

    The Chinese smartphone and gadget maker Oppo wants to be a leader in AI glasses. It introduced its Oppo Air Glass 3 at the recently concluded Mobile World Congress in Barcelona, Spain. The company is using its own genAI tech, called AndesGPT, for the Oppo glasses. They have multimodal capability, meaning the integrated camera can hoover up pictures and run them through AndesGPT for identification and processing. The Oppo glasses excel at offering a visual interface in a small and light design, weighing only 50 grams (equivalent to roughly two alkaline AA batteries).

    Google is also planning an entry into the AI glasses market. Since ending its Google Glasses Enterprise Edition product a year ago, the company has been focused on smart glasses that can pass as ordinary glasses. Google has a large portfolio of granted and applied-for patents in this space, and it could be a contender.

    In this case, Google is sweating the small stuff. For example, one Google patent addresses the inherent heat issues in AI glasses, because the graphics, AI and other processing are generating a lot of heat right next to the head. Alternatively, it could license its patents to OEMs to build devices that support Google AI. Google’s motivation for AI glasses is to make sure the world has a user interface for its LLM-based information tools.

    Microsoft is also filing patents for “smart glasses” which, given its control over OpenAI, would likely focus on access to ChatGPT. The company is working on other issues that will pop up for AI glasses users, including battery life. One patent describes both hot-swappable mini batteries, plus the ability to connect to an external battery pack on the belt or in the pocket.

    Amazon was actually somewhat early in this space, shipping its Echo Frames back in September 2019. Now in their third generation, the product is getting clobbered in the market by Ray-Ban Meta glasses, which are much better and very close to the same price. Echo Frames give you old-and-busted Alexa, rather than the new-hotness LLM-based chatbot. Amazon will no doubt soon come out with real AI glasses, complete with a generative AI chatbot plus a camera for multimodal capability.

    The current leader in audio output AI glasses is the Ray-Ban Meta, a collaboration between the Italian glasses giant Luxottica and the company formerly known as Facebook.

    And, of course, Apple is armed to the teeth with patents that would enable it to come out with AI glasses. In fact, the combination of tech and fashion will likely prove irresistible to Apple.

    The giant companies are in a mad scramble to get AI glasses to market because they know the real threat will come from dozens or hundreds of smaller companies joining the game.

    AI glasses follow the smartphone playbook

    One of the hidden catalysts driving the smartphone market over the past 20 years is the background development of all the parts and components of a smartphone. Hundreds of companies now make tiny, low-power cameras, radios, processors, batteries, screens, audio components and other parts, which makes it pretty easy to enter the smartphone market.

    That’s now just beginning with AI glasses.

    I recently spoke to Ed Tang, CEO of Avegant, a Silicon Valley-based light engine company. (Light engines are tiny projectors that beam visual content onto the lenses of augmented reality (AR) glasses.)

    Avegant works with smart glasses makers to design AI glasses that are as small, light and normal-looking as possible.

    The company recently announced a partnership with chip giant Qualcomm and computer components giant Applied Materials to develop a range of reference designs for companies that want to build and sell visual-output AI glasses.

    In the partnership, Avegant supplies their AG-30L2 part, which enables high-quality two-lens or one-lens visuals with tiny components that give you a high-resolution heads-up display in glasses that look like regular prescription glasses. Avegant’s AG-30L2 part weighs only 2.7 grams — exactly the same weight as a regulation ping-pong ball.

    Qualcomm’s hardware contribution is the Snapdragon AR1 Gen 1 SoC — the same part that powers Ray-Ban Meta glasses. The AR1 Gen 1 is super light-weight, processes high-quality graphics and on-device AI, and has fast connectivity. It can handle display resolutions of up to 3k per eye. The integrated radios support Wi-Fi 7 and Bluetooth 5.3. And it can process signals for up to eight microphones. (Ray-Ban Meta glasses have five microphones.)

    Applied Materials is contributing high-efficiency waveguides, which take the projection from Avegant’s light engine and redirect it into the wearer’s eyes, all within very thin transparent lenses.

    Tang told me: “We think that AI is really going to be the key factor to drive the use and sales of these (AR) type of devices. The reason why you’re buying these is not because it’s a display that you can wear. The reason why you’re buying them is because of the value and application that it’s providing to you. And we think that is primarily going to be driven around AI applications.”

    Tech companies, he said, are investing heavily in AI, and Avegant offers a direction for a “human interface device that really is going to drive the use case and applications of AI.”

    (While Tang wouldn’t tell me which companies Avegant is working for, I wouldn’t be surprised at all if OpenAI is working on AI glasses.)

    With all this activity, we’re likely to see a wave of AI glasses startups — the hardware that rides on the massive recent VC investments in genAI.

    Even very small companies will be able to go shopping for the parts, and even get the reference designs to offer a seriously compelling hardware interface for their genAI chatbots.

    The coming revolution in AI glasses

    AR should now be viewed as an umbrella term, because when someone now refers to AR glasses, it’s not clear what that means. It could mean a spatial computing device like Apple Vision Pro. Or it could mean a heads-up display like the now defunct Google Glass. But that’s pretty much the range for AR.

    Over the next three years, that range is likely to look like a bell curve graph, with low functionality to the right, high functionality to the left and sales numbers on the vertical axis. Taking up the 80% of the center will likely be what we call AI glasses, with the left side of that center making up audio output only and the right side audio plus visual data.

    Because these devices will often cost very little — less than half the cost of an average smartphone and likely to dip below $250 — the appeal will be massive because even the lowest-cost, audio-only devices will still give you the holy grail feature: instant access to genAI all day, every day.

    Within three to five years, I think the number of AI glasses users will be measured in the hundreds of millions. Avegant’s Tang goes even further:

    “I feel like the public is just about to see what I would call the minimum viable product in the space,” he said. “And that’s probably happening next year. And if you think that glasses will evolve into smart glasses, then you’re talking about 1.2 billion units a year.”

    This is the technology revolution of the decade, and still hardly anyone is talking about it in those terms.

    It’s time to stop waiting for the AR glasses revolution and start understanding the AI glasses revolution. It’s all about AI now.


  • Meta services begin recovering from major disruption

    Widespread outages for Facebook, Instagram and Threads were reported Tuesday morning, as parent company Meta warned that many of its core services were suffering from outages.

    A status page went from listing all of Meta’s services as “unknown” to “major disruptions” for business tools like Ads Manager, Facebook and Instagram Shops, Meta Business Suite and Meta Admin Center, as well as Facebook Login, Graph API, WhatsApp Business API, and Marketing API.

    All of the outages list an inability to log in to the company’s services as the core issue, but little further information is available from Meta at this point.

    “Earlier today, a technical issue caused people to have difficulty accessing some of our services,” a Meta spokesperson said. “We resolved the issue as quickly as possible for everyone who was impacted, and we apologize for any inconvenience.”

    Posts on other social media including X, formerly Twitter, and postings to the outages digest mailing list confirm widespread disruptions to Meta-provided services, and an influx of reports to Downdetector.com underline that a major disruption occurred sometime around 11 AM Eastern Time on Tuesday.

    Downdetector also showed that problems with other major online services, including Google, YouTube, Amazon and major wireless providers were also present this morning, though reports seemed to be trailing off as of 11:45 AM Eastern. AWS’s Health Dashboard showed no problems as of noon Eastern Time. Google’s Workspace Status Dashboard did indicate service disruptions, with a status message saying that “some Gmail users are experiencing elevated error rates while performing various actions and may also see delays in email delivery.”

    Measurement difficulties

    One of the last major outages for Meta happened in October 2021, when most of the company’s social media channels went offline for over seven hours.

    In that case, the problem was self-inflicted: during a routine maintenance operation, a command intended to measure the company’s available global backbone network capacity unintentionally shut down that network, disconnecting all its datacenters.

    One study tracked a wide range of reactions to the unexpected mass outage—everything from stress and fear of missing out (FoMO) to the so-called “joy of missing out” were seen among respondents to an online survey performed by researchers from Israel’s Bar-Ilan University.

    “The global outage of the leading social media platforms on October 4, 2021 had a significant impact on users’ mood and experience,” the researchers said. “The findings add to a large body of research that investigates the relationships between FoMO, social media intensity, and stress.”

    This time around, the outage appeared to be shorter-lived. As of noon Eastern, several of Meta’s tools showed as “recovering from disruptions” on its status page, but little further information was provided on the reason for the disruption.


  • EC to grill Meta on Facebook ‘subscription for no ads’ plan

    The European Commission (EC) on Friday said it needs more information from Facebook and Instagram parent company Meta to assess its compliance with applicable privacy and security laws in the European Union (EU).

    The EC, in a statement, said Meta also needs to speed up its responses to requests in December for information, which centered on election information, terrorism and the protection of minors. The company has until March 15 to provide that information, with the new info about Meta’s pay-to-opt-out-of-tracking program due March 22.

    The EC noted that, like all companies doing business in the EU and subject to the Digital Services Act, Meta could be subject to hefty fines for providing incomplete information or missing deadlines. European data protection authorities have levied heavy GDPR fines against a range of businesses, not just social media giants.

    “The present [request for information] builds on Meta’s previous replies and asks additional information concerning the methodology underlying Meta’s risk assessment and mitigation measures reports, the protection of minors, elections and manipulated media,” the EC said. “The RFI also requests Meta to provide information related to the practice of so-called shadow banning and the launch of Threads.”

    The Digital Services Act was approved in April 2022. It governs how internet companies must manage user data, how they are allowed to use that data to target advertising, and steps they must take to police illicit or deceptive content.

    “It will ensure that the online environment remains a safe space, safeguarding freedom of expression and opportunities for digital businesses,” EC president Ursula von der Leyen said in a statement at the time.

    The latest request for information aimed at Meta comes a day after eight consumer protection watchdog groups in the EU filed complaints against the company for its opaque data collection and processing policies. The complaints, filed with national data protection authorities, accuse Meta of violating the GDPR, abusing its dominant market position to misuse customer information, and making merely superficial changes to its privacy policy instead of actually complying with the law.

    European authorities have long had Meta in their sights, having fined the company more than $2 billion since the GDPR took effect in 2018.


  • Eight European consumer watchdogs file complaints over Meta’s data processing


    Eight European consumer organizations have filed complaints against Facebook parent Meta accusing it of breaching the EU’s General Data Protection Regulation (GDPR) with its so-called “pay-or-consent” policy and opaque internal policies.

    The organizations are all members of BEUC, the European Consumer Organization. Their complaints, publicized Thursday, argue that the large-scale consumer data collection practiced by Meta violates the GDPR, and that the company has abused its dominant market position to essentially coerce customers into accepting its terms. Each of the eight groups filed their complaints with their national data protection authorities, as there is no pan-European office to accept such complaints.

    Facebook and Instagram users, according to BEUC, are being forced to choose between consenting to the processing of their personal information for advertising or paying fees that could top €311/year for a person with a mobile device on which they use both Facebook and Instagram.

    Despite the furor around the “pay or consent” model, BEUC said that this is largely a side issue.

    “While public discussions revolve around this ‘pay-or-consent’ model, Meta carries on with its privacy-invasive business model,” the group said in a brief report. “Each time regulators confirmed that the legal basis Meta relied on was invalid, the company has simply made changes in its privacy policy, while continuing its structural surveillance of consumers.”

    Reached via email, a spokesperson for the consumer federation underlined that the real problem is Meta’s data processing, “regardless of what consumers choose, which cannot be compliant with the GDPR.”

    The spokesperson said that the group believes fines will be a helpful remedy to the extent that they change Meta’s behavior, but that the behavioral change is what they’re really after.

    “Ultimately, that will mean a change of its business model away from surveillance advertising and towards more privacy-friendly forms of business such as contextual ads,” the group said.

    This is far from the first time that data privacy regulators and watchdogs have taken aim at Meta in the wake of the GDPR’s coming into effect in 2018. Complaints to the data protection watchdogs in Ireland, the UK and Austria, among others, have made headlines in recent years, and the company has paid well over $2 billion in fines since the law went into effect.

    Meta is by far the biggest payer of fines for GDPR violations, but a host of smaller businesses have paid penalties because they didn’t ensure GDPR compliance.


  • Microsoft to offer more AI options on Azure with Mistral AI partnership


    Microsoft has partnered with Mistral AI to make the latter available to its Azure customers, adding more options to enterprise customers.

    Mistral AI is set to enrich Azure’s AI offerings, introducing its premium models via Azure AI Studio’s Models as a Service (MaaS) and the Azure Machine Learning model catalog.

    This move complements the existing array of OpenAI models, broadening the catalog with a versatile mix of open source and proprietary AI solutions, thereby enhancing the options available to Azure customers.

    “This latest addition of Mistral AI’s premium models into Models as a Service (MaaS) within Azure AI Studio and Azure Machine Learning provides Microsoft customers with a diverse selection of the best state-of-the-art and open source models for crafting and deploying custom AI applications, paving the way for novel AI-driven innovations,” Microsoft said in a blog post.

    More options and more customers

    The addition of Mistral to Azure could bring more options to customers. For Microsoft, this could be a strategic move to beat the competition in the AI space. 

    “The Mistral partnership makes good business sense for Microsoft as it diversifies its AI ecosystem beyond the OpenAI partnership, expands the roster of foundation and generative AI models available on Azure AI, and offers access to multilingual models through Azure,” said Leslie Joseph, principal analyst at Forrester. “This move brings more choice to Microsoft customers that choose to deploy AI applications through Azure, and more choice is always good.” 

    Moreover, the partnership opens doors for both Microsoft and Mistral to leverage each other’s customer bases, expanding their market reach and accelerating the adoption of their respective technologies.

    “From a financial standpoint, the potential cost optimizations for Azure customers by utilizing Mistral’s AI models could translate into substantial savings, further driving Azure’s appeal,” said Thomas George, president of CyberMedia Group and CMR. “Additionally, the collaborative innovation aspect of this partnership holds promise for pushing the boundaries of AI technology forward. As Microsoft and Mistral pool their expertise and resources, we can anticipate the emergence of novel AI solutions and advancements that could reshape various sectors.”

    Potential challenges to overcome  

    Microsoft’s partnership with Mistral won’t be without challenges, according to Manish Rawat, analyst at Techinsights. The challenges, which include integrating methodologies, ensuring data privacy and security, gaining user acceptance, aligning cultures, and complying with regulations, must be addressed.

    “Overcoming these challenges requires careful planning, transparent communication, and a commitment to shared goals and values,” Rawat said. “Despite the obstacles, the partnership holds promise for driving impactful AI solutions across industries globally.”

    From a customer standpoint, bringing in more AI models could also create the need to upskill their employees. This is critical as technology advances at a fast pace.

    “One way to alleviate the skill gaps is to prioritize training and upskilling for their teams and to develop an in-house understanding of AI concepts and their specific industry applications,” Joseph said. “This should be coupled with proof-of-concept projects to test use cases and refine integration approaches. Fostering collaboration between IT, business, and data science teams is crucial, as are potential partnerships with AI solution providers for expertise.” 

    George suggested that CIOs can ensure their teams effectively manage the complexity of integrating advanced AI technologies through a series of broad steps and initiatives.

    “Collaborating with experienced AI vendors provides valuable insights and support, mitigating risks and expediting deployment,” George added. “Continuous monitoring and evaluation mechanisms enable early issue identification and process optimization. Embracing change management practices facilitates smoother adoption and enhances overall integration outcomes.”


  • Killing VMware | Computerworld


    When Broadcom bought VMware for $69 billion last November, we knew there would be changes. What we didn’t know is that Broadcom’s radical changes would leave partners and customers alike questioning their commitment to VMware.

    Personally, I’ve never been fond of VMware. But I know many IT people swear by its wide array of products. At least, they did until recently. Now that Broadcom is showing its cards for the virtualization powerhouse’s future, it’s another story.

    Even before then, VMware customers were doubtful about the acquisition. Forrester Research had estimated that up to 20% of VMware’s enterprise customers would quickly switch to a new virtual machine vendor.

    Why? According to Forrester analysts, their customers “are exhausted by significant price hikes, degrading support, and forced mandatory subscription to software bundles where some modules such as NSX and Aria Suite/vRealize Suite end up as shelfware.”

    They also had little faith, based on Broadcom’s acquire-slash-and-burn approach to its CA Technologies and Symantec acquisitions, that the products and services they liked from VMware would stick around.  

    They were right.

    Broadcom has killed more than 56 VMware products and platforms, including such favorites as VMware vSphere+, VMware Aria Suite, and VMware NSX. It will also be dumping VMware’s “end-user” computing unit, which includes its Workspace ONE and Horizon offerings.

    More lines are being buried. The one that will bug the most people is Broadcom’s decision to quietly axe VMware’s Free ESXi hypervisor. Broadcom didn’t even announce this one. We only found out about it because a sharp-eyed user spotted a knowledge base article that revealed it was being terminated.

    For enterprises, this isn’t that big a deal. I know a handful of people who used this limited version of ESXi. But I also know many people, indeed most of my VMware friends, who started using the VMware stack only after tinkering with the free ESXi hypervisor. Others loved being able to test-drive projects with the free version before moving it to production.

    Those days are done.

    Oh, so you have a perpetual license, and you think you’ll be OK? Nope, your products are getting whacked, too. The new VMware is ending perpetual license sales, so if your favorite product isn’t being killed, you’ll need to pay a subscription to keep it. From here on out, you can expect to see software-as-a-service (SaaS) licensing.

    According to Broadcom, this is all about transforming its “business to deliver faster innovation with more value to customers, and even better profitability and market opportunity for our partners.”

    Well, I hate to tell you, Broadcom — but from what I’m hearing, your customers and partners disagree. VMware’s rivals, including Nutanix, Scale Computing, and Virtuozzo, are loving it, though. Bigger companies, such as Microsoft with Hyper-V/Azure Stack and Red Hat with OpenShift Virtualization, also have reason to put VMware customers at the top of their marketing list.

    Besides the VMware licensing change, which is always worrisome, VMware customers are also worried sick about the new line’s pricing. Even before Mastodon bought the company, VMware was expensive. They’re afraid, with reason, that they’ll pay even more.

    VMware’s once-flourishing partners are also concerned. Most companies don’t work with VMware directly. They work with partners, instead. First, Broadcom dumped all its resellers and service partners. Then, it opened the door for its top former partners to come back in. Did they? Well, VMware also took its top 2,000 customers direct, which doesn’t leave much room for VMware’s former partners. The VMware partner slogan, “VMware Partners: An Ecosystem of Trust,” sure sounds hollow.

    If you’re hoping that your good, old VMware partner can help guide you through this brave new Broadcom/VMware, forget about it. Many of you will be on your own. And, honestly, if I were a VMware partner, I’d be looking to partner with someone else and get to work on providing ways to move from VMware products to another line.

    And if I were a VMware customer, I’d also be looking for another path forward. Broadcom can say what it wants about how its changes will improve things, but I don’t buy it. Broadcom’s enterprise software acquisition track record isn’t good. I see no reason to believe it will be any better this time around — and many reasons to think this is one merger and acquisition that won’t be good for anyone.


  • Apple’s iMessage gains industry-leading quantum security


    Apple is preparing for future threats to iMessage by introducing upgraded encryption for its messaging service, designed to withstand attacks that use quantum computers.

    Think of it as state-of-the-art quantum security for messaging at scale, the company says, resulting in Apple’s messaging system being more secure against both current and future foes.

    What is the protection?

    Announced on Apple’s Security Research blog, the new iMessage protection is called PQ3 and promises the “strongest security properties of any at-scale messaging protocol in the world.”

    The rationale behind this protection is “What if?”

    In this case, Apple’s security teams asked themselves what might happen if hackers, criminals, or state-backed rogue surveillance firms gathered vast quantities of encrypted iMessage data today in order to break that encryption using quantum computers tomorrow.

    Apple calls this a Harvest Now, Decrypt Later attack. The new security protocol is designed to help protect against this.

    How likely are such attacks?

    These attacks are less likely today than they might become. It is widely accepted that quantum computers will be capable of cracking the classical public key cryptography such as RSA, Elliptic Curve signatures, and Diffie-Hellman key exchange in use today.

    Apple explains:

    “All these algorithms are based on difficult mathematical problems that have long been considered too computationally intensive for computers to solve, even when accounting for Moore’s law. However, the rise of quantum computing threatens to change the equation. A sufficiently powerful quantum computer could solve these classical mathematical problems in fundamentally different ways, and therefore — in theory — do so fast enough to threaten the security of end-to-end encrypted communications.”

    In truth, quantum computers are expensive, which means their use is largely limited to only the world’s most powerful entities. But as more are made and costs decline, they will proliferate — and if Apple is considering the potential threat, then threat actors of various stripes will also be exploring the possibility.

    The security industry is getting ready

    Apple isn’t alone. The cryptographic community is also exploring Post-Quantum Cryptography (PQC), aiming to develop new public key algorithms that run on the devices we use today while protecting against the forms of attack we believe quantum computers will be able to deliver tomorrow.

    Signal, for example, introduced its own take on PQC security a few months ago.

    iMessage takes this protection further.

    PQC is used not only to secure the “initial key establishment” (when a shared algorithm is defined), but also to restore security rapidly and automatically if that initial key becomes compromised.

    Apple has submitted PQ3 to two leading security researchers who have verified the technology — Professor David Basin of the Information Security Group at ETH in Zurich, Switzerland, and Douglas Stebila, a University of Waterloo Professor.

    Basin wrote: “We have used Tamarin to formally verify the device-to-device messaging protocol PQ3. From our analysis, we conclude that this protocol achieves strong security guarantees against an active network adversary who can selectively compromise parties and has quantum computing capabilities.”

    Tamarin is a leading security verification tool.

    Stebila said: “The analysis shows that PQ3 provides confidentiality with forward secrecy and post-compromise security against both classical and quantum adversaries, in both the initial key exchange as well as the continuous rekeying phase of the protocol.”

    Research papers describing the academic research conducted by both professors are available via Apple’s security website, where you will also find a far more in-depth analysis of how PQ3 works and the protections it provides.
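    The two properties Stebila names, forward secrecy and post-compromise security from continuous rekeying, can be made concrete with a toy key ratchet. The following is an added illustration, not Apple’s PQ3 code: the class and function names are hypothetical, and fresh_pq_secret() uses os.urandom as a stand-in for the shared secret a real post-quantum key exchange would produce.

```python
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step (HMAC-SHA256): the output reveals nothing
    about the input key, so a ratchet built on it cannot be run backwards."""
    return hmac.new(key, label, hashlib.sha256).digest()


def fresh_pq_secret() -> bytes:
    """Stand-in for the shared secret a post-quantum key exchange would yield.
    Constructed here with os.urandom; it is NOT a real KEM output."""
    return os.urandom(32)


class SymmetricRatchet:
    """Hypothetical chain of message keys; every step is a one-way KDF."""

    def __init__(self, chain_key: bytes) -> None:
        self.chain_key = chain_key

    def next_message_key(self) -> bytes:
        msg_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # irreversible advance
        return msg_key

    def rekey(self, new_secret: bytes) -> None:
        """Mix fresh (here: simulated post-quantum) secret into the chain.
        This is the 'continuous rekeying' that restores security after a
        compromise of the current chain state."""
        self.chain_key = kdf(self.chain_key + new_secret, b"rekey")


def simulate_compromise(n_before: int, n_after: int, rekey: bool) -> dict:
    """Model an attacker who steals the chain key after n_before messages.
    Returns how many past and future message keys the stolen state lets
    them reconstruct, with or without a rekey after the compromise."""
    sender = SymmetricRatchet(fresh_pq_secret())  # initial key establishment
    before = [sender.next_message_key() for _ in range(n_before)]
    stolen_state = sender.chain_key  # point of compromise
    if rekey:
        sender.rekey(fresh_pq_secret())  # fresh secret the attacker lacks
    after = [sender.next_message_key() for _ in range(n_after)]

    # The attacker can only run the ratchet forward from the stolen state.
    attacker = SymmetricRatchet(stolen_state)
    derived = {attacker.next_message_key() for _ in range(n_before + n_after)}
    return {
        "past_recovered": sum(k in derived for k in before),      # forward secrecy
        "future_recovered": sum(k in derived for k in after),     # post-compromise
    }


if __name__ == "__main__":
    print("no rekey:", simulate_compromise(3, 4, rekey=False))
    print("rekey:   ", simulate_compromise(3, 4, rekey=True))
```

    Without rekeying, the stolen state yields every later message key even though earlier ones stay hidden; mixing in a fresh secret cuts the attacker off from the future as well.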

    What can we read into this?

    The signal Apple is sending with the introduction of this protection in iMessage should not be ignored. It should be seen as both a promise and a warning.

    • The promise is that Apple’s security teams are working to get ahead of both current and future threats.
    • The warning is that if Apple believes it necessary to protect millions of iMessage users against such threats today, tomorrow is looming fast.

    Enterprise tech leaders and IT should, therefore, also work toward protecting their own data against potential quantum computing-led attacks.

    At the very least, this will involve staying abreast of new research in the field from the likes of the US Department of Commerce’s National Institute of Standards and Technology (NIST), which announced some preliminary encryption tools for the post-quantum era in 2022. A response might also involve insisting on such protection in new purchasing relationships.

    When is iMessage quantum security launching?

    • Apple says support for PQ3 will start to roll out with the public releases of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4.
    • That means the support should already be available in the betas.

    It explains that iMessage conversations between devices that support PQ3 are automatically ramping up to the post-quantum encryption protocol. “As we gain operational experience with PQ3 at the massive global scale of iMessage, it will fully replace the existing protocol within all supported conversations this year.”

    For Apple, the protection reflects the extent to which privacy and security enhancements have been integral to its iMessage service since it was first introduced. It builds, for example, on robust protections such as Lockdown Mode and Contact Key Verification that already exist.

    Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.
