Month: July 2024

Renegade business units trying out genAI will destroy the enterprise before they help

One of the more tired cliches in IT circles refers to “Cowboy IT” or “Wild West IT,” but it’s the most appropriate way to describe enterprise generative AI (genAI) efforts these days. As much as IT is struggling to keep on top of internal genAI efforts, the biggest danger today involves various business units globally creating or purchasing their very own experimental AI efforts.

We’ve talked extensively about Shadow AI (employees/contractors purchasing AI tools outside of proper channels) and Sneaky AI (longtime vendors silently adding AI features into systems without telling anyone). But Cowboy AI is perhaps the worst of the bunch because no one can get into trouble. Most boards and CEOs are openly encouraging all business units to experiment with genAI and see what enterprise advantages they can unearth.

The nightmare is that almost none of those line of business (LOB) teams understand how much they are putting the enterprise at risk. Uncontrolled and unmanaged, genAI apps are absolutely dangerous.

Longtime Gartner analyst Avivah Litan (whose official title these days is Distinguished VP Analyst) wrote on LinkedIn recently about the cybersecurity dangers from these kinds of genAI efforts. Although her points were intended for security talent, the problems she describes are absolutely a bigger problem for IT.

“Enterprise AI is under the radar of most Security Operations, where staff don’t have the tools required to protect use of AI,” she wrote. “Traditional Appsec tools are inadequate when it comes to vulnerability scans for AI entities. Importantly, Security staff are often not involved in enterprise AI development and have little contact with data scientists and AI engineers. Meanwhile, attackers are busy uploading malicious models into Hugging Face, creating a new attack vector that most enterprises don’t bother to look at. 

“Noma Security reported they just detected a model a customer had downloaded that mimicked a well-known open-source LLM model. The attacker added a few lines of code that caused a forward function. Still, the model worked perfectly well, so the data scientists didn’t suspect anything. But every input to the model and every output from the model were also sent to the attacker, who was able to extract it all. Noma also discovered thousands of infected data science notebooks. They recently found a keylogging dependency that logged all activities on their customer’s Jupyter notebooks. The keylogger sent the captured activity to an unknown location, evading Security which didn’t have the Jupyter notebooks in its sights.”

IT leaders: How many of the phrases above sound a little too familiar? 

Your team “often not involved in enterprise AI development and have little contact with data scientists and AI engineers?” Bad guys “creating a new attack vector that most enterprises don’t bother to look at?” Or maybe “the model worked perfectly well so the data scientists didn’t suspect anything. But every input to the model and every output from the model were also sent to the attacker, who was able to extract it all” or a manipulated external app which your IT team “didn’t have in its sights?”

Some enterprises have debated creating a new AI executive, but that’s unlikely to help. It will more than likely be an executive with lots of responsibilities, far too little budget and no actual authority to get any business unit to comply with the AI chief’s edicts. It’s sort of like many CISOs today, a toothless manager but with even more headaches. 

The better answer is to use the best power in the world to force LOB executives to take AI efforts seriously: make it an HR-approved criterion for their annual bonus. Put massive financial penalties on any problems that result from AI efforts their unit undertakes. (Paycheck hits get their attention because it is literally money out of their pockets.) Then add a caveat: If IT approves the effort in writing, then you are fully blameless for anything bad that later happens.

Magically, getting IT signoff becomes important to those LOB leaders. Then and only then, the CIO will have the clout to protect the company from errant AI.

Another possible outcome of this carrot-stick approach is that business execs will still want to maintain control and will instead hire AI experts for their units directly. That works, too. 

The cost of trying out many of these genAI efforts — especially for a relatively short time — is often negligible. That can be bad because it makes it easy for LOB workers to underestimate the risks to the business that they are accepting. 

The potential of genAI is unlimited and exciting, but if strict rules aren’t put in place right away, it could well destroy a business before it has a chance to help. 

Yippee-ki-yay, CIO.

For July, Microsoft’s Patch Tuesday update fixes four zero-day flaws

Microsoft released 132 updates in its July Patch Tuesday update while addressing four zero-days (CVE-2024-35264, CVE-2024-37985, CVE-2024-38080 and CVE-2024-38112) affecting Windows desktop, Microsoft .NET and Visual Studio. This is a very significant patch cycle for Microsoft SQL Server, but there are no updates for Microsoft browsers and a low-profile set of patches for Microsoft Office. No major revisions require attention, with testing focused squarely on SQL-dependent applications.

The team at Readiness has provided a useful infographic detailing the risks with each of the updates this cycle. 

Known issues 

Each month, Microsoft publishes a list of known issues included in its latest release, including two reported minor issues:

  • After you install KB5034203 (dated 01/23/2024) or later updates, some Windows devices that use the DHCP Option 235 to discover Microsoft Connected Cache (MCC) nodes in their network might be unable to use those nodes. Microsoft offered two options to mitigate the issue through setting the Cache Hostname or using group policies. Microsoft is still working on a resolution.
  • Context menus and dialog buttons in some Windows apps, or parts of the Windows OS user interface (UI), might display in English when English is not set as the display language. This might also affect font size.

We fully expect to see more issues relating to how the Windows UI is presented over the coming months as Microsoft works through some of the core-level issues with new ARM builds. This means that even non-ARM builds will be affected (see CVE-2024-37985). Look out for input method editor, language pack, and dialog box language issues for non-English builds.

Major revisions 

This Patch Tuesday saw Microsoft publishing the following major revisions to past security and feature updates, including:

  • CVE-2024-30098 : Windows Cryptographic Services Security Feature Bypass. Microsoft has added a FAQ to explain how this vulnerability is being addressed and further actions customers must take to be protected from it. This is an informational change only; no further action is required.

Mitigations and workarounds

Microsoft published the following vulnerability-related mitigations for this month’s release cycle: 

Each month, the Readiness team analyses the latest Patch Tuesday updates and provides detailed, actionable testing guidance based on assessing a large application portfolio and a detailed analysis of the patches and their potential impact on the Windows platforms and app installations.

For this cycle, we have grouped the critical updates and required testing efforts into different functional areas:

Microsoft Office

  • Test out your Teams logins (which shouldn’t take too long).
  • Because SharePoint was updated, third-party extensions or dependencies will require testing.
  • Due to the change in Outlook, Internet Calendars (ICS files) will require testing.
  • With the Visio update, large CAD drawings will require a basic import and load test.

Microsoft .NET and developer tools

Microsoft has updated the Microsoft .NET, MSI Installer and Visual Studio with the following testing guidance:

  • PowerShell updates will require a diagnostics test. Try the command, “Import-Module Microsoft.PowerShell.Diagnostics -Verbose” and validate that you are getting the correct results from your home directory.
  • Due to the change in the Windows core installation technology (MSI), please validate that User Account Control (UAC) still functions as expected.

Microsoft SQL Server

This month is a big update for both Microsoft SQL Server and the local, or workstation supporting elements of OLE. The primary focus for this kind of complex effort should be your line-of-business or core applications. These are the applications that have multiple data connections and rely on complex, multiple object/session requirements. Due to the changes this month, we can’t recommend specific Windows feature testing regimes, as we are most concerned that the business logic (and resulting data) of the application in question might be affected. Only you will know what looks good; we advise a comparative testing regime across unpatched and newly patched systems looking for data disparities.
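
One way to run the comparative check described above, as an added example (not the Readiness team's or Microsoft's tooling): export the same query from an unpatched and a patched system and diff the two result sets by key. The CSV data, column names and key column are constructed, and the script assumes that formatting-only differences (padding, trailing zeros, NULL spelling, row order) are not data disparities.

```python
import csv
import hashlib
import io
from decimal import Decimal, InvalidOperation

# Constructed sample exports of the same query from each system (not real data).
UNPATCHED_CSV = """order_id,customer,total,shipped_on
1001,Contoso,149.50,2024-07-01
1002,Fabrikam,20.00,
1003,Northwind,75.25,2024-07-03
1004,Adatum,310.00,2024-07-04
1006,Wingtip,5.00,2024-07-06
"""

PATCHED_CSV = """order_id,customer,total,shipped_on
1003,Northwind,75.250,2024-07-03
1001,Contoso  ,149.5,2024-07-01
1002,Fabrikam,20.00,NULL
1004,Adatum,301.00,2024-07-04
1005,Tailspin,12.00,2024-07-05
"""

NULL = "<NULL>"


def normalize(value):
    """Reduce a cell to a canonical string so that only real changes differ."""
    text = (value or "").strip()
    if text == "" or text.upper() == "NULL":
        return NULL
    try:
        number = Decimal(text)
    except InvalidOperation:
        return text  # not numeric (names, dates): compare as stripped text
    if not number.is_finite():
        return text
    # 149.50 and 149.5 are the same value; drop trailing zeros.
    return format(number.normalize(), "f")


def load_rows(csv_text, key_column):
    """Return ({key: {column: normalized value}}, [keys seen more than once])."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows, duplicates = {}, []
    for record in reader:
        key = (record[key_column] or "").strip()
        if key in rows:
            duplicates.append(key)  # a duplicated key makes the diff unreliable
        rows[key] = {name: normalize(record[name]) for name in reader.fieldnames}
    return rows, duplicates


def result_digest(csv_text, key_column):
    """Order-independent SHA-256 of a result set, for a quick equal/not-equal check."""
    rows, _ = load_rows(csv_text, key_column)
    digest = hashlib.sha256()
    for key in sorted(rows):
        line = "\x1f".join(f"{col}={rows[key][col]}" for col in sorted(rows[key]))
        digest.update(line.encode("utf-8") + b"\x1e")
    return digest.hexdigest()


def compare(unpatched_csv, patched_csv, key_column):
    """Report rows that vanished, appeared or changed after patching."""
    before, dup_before = load_rows(unpatched_csv, key_column)
    after, dup_after = load_rows(patched_csv, key_column)
    changed = {}
    for key in sorted(before.keys() & after.keys()):
        columns = sorted(before[key].keys() | after[key].keys())
        diff = {
            col: (before[key].get(col), after[key].get(col))
            for col in columns
            if before[key].get(col) != after[key].get(col)
        }
        if diff:
            changed[key] = diff
    return {
        "missing_after_patch": sorted(before.keys() - after.keys()),
        "new_after_patch": sorted(after.keys() - before.keys()),
        "changed": changed,
        "duplicate_keys": sorted(set(dup_before + dup_after)),
    }


if __name__ == "__main__":
    report = compare(UNPATCHED_CSV, PATCHED_CSV, "order_id")
    for section, findings in report.items():
        print(f"{section}: {findings}")
```

Rows that appear or vanish can also come from activity between the two exports, so take both from the same data snapshot before treating a difference as patch-related.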

Windows

Microsoft made another update to the Win32 and GDI subsystems with a recommendation to test out a significant portion of your application portfolio. We also recommend that you test the following functional areas in the Windows platform:

  • File compression has been updated, so file and archive extraction scenarios will need to be exercised.
  • Due to the Microsoft codec updates, perform a system reboot and test that your audio and camera still work together.
  • Security updates will require the testing of the creation of new Windows certificates.
  • Networking changes will require a test of DNS and DHCP, specifically the DHCP R_DhcpAddSubnetElement API. As part of these changes, testing VPN authentication will be required. Try to include your Network Policy Server (NPS) as part of the connection creation and deletion effort.
  • This month’s update to Remote Desktop Services (RDS) will require the creation and revocation of license requests.
  • A significant update to the Network Driver Interface Specification (NDIS) will require testing of network traffic involving repeated bursts of large files. Try using Teams while this networking burst testing is in progress.
  • Backup and printing have been updated, so test your volumes and ensure that when you print out a test page, your OS does not crash (yes, really). Try printing out TIFF files. (Hey, you might like it.)

As part of the ongoing effort to support the new ARM architecture, Microsoft released the first patch for this new platform, CVE-2024-37985. This is an Intel assigned processor-level vulnerability that has been mitigated by a Microsoft OS level patch. The Readiness team has provided guidance on potential ARM-related compatibility and testing issues. 

Specifically, the Readiness team was concerned with Input Method Editors (IMEs). We suggest a full test cycle of Windows input related features such as keyboard, mouse, touch, pen, gesture and dictation. Some internet shortcuts might be affected as well as wallpapers.

Windows lifecycle update 

This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms.

  • Home and Pro editions of Windows 11, version 22H2 will reach end of service on Oct. 8, 2024. Until then, these editions will only receive security updates. They will no longer receive non-security, preview updates.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

  • Browsers (Microsoft IE and Edge);
  • Microsoft Windows (both desktop and server); 
  • Microsoft Office;
  • Microsoft Exchange Server;
  • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
  • Adobe (if you get this far).

Browsers

Microsoft did not release any updates for its non-Chromium browsers. Following the stable channel release of Chrome (applicable until July 25, 2024) we have not seen any changes, deprecations or testing profile updates to this browser. No further action required.
 

Windows

Microsoft released four critical and 83 updates rated as important with two zero-day patches (CVE-2024-38080 and CVE-2024-38112) affecting the Microsoft Hyper-V and MSHTML feature groups, respectively. In addition to these critical updates, Microsoft patches for July affect the following Windows feature groups:

  • Windows NTLM, Kernel, GDI and Graphics;
  • Windows Backup;
  • Windows Codecs;
  • Microsoft Hyper-V;
  • Windows (Line) Print and Fax;
  • Windows Remote Desktop and Gateway;
  • Windows Secure Boot and Enrolment Manager.

Add these Windows updates to your Patch Now release cycle.

Microsoft Office 

Microsoft returns to form with a critical update for Office this month (CVE-2024-38023) for the SharePoint platform. We have another update for Outlook related to spoofing (CVE-2024-38020), but this vulnerability is not wormable and requires user interaction. There are four more, lower rated updates; please add all of these updates to your standard release schedule.

Microsoft SQL (nee Exchange) Server 

There were no updates for Microsoft Exchange Server this month. However, we have seen the largest release of Microsoft SQL updates in the past few years. These SQL-related updates cover 37 separate reported vulnerabilities (CVEs) and the following main product features:

  • SQL Server Native Client OLE DB Provider;
  • Microsoft OLE DB Driver for SQL.

We covered the testing requirements for this SQL update in our testing guidance section above. This month’s SQL updates will require some preparation and dedicated testing before adding to your standard release schedule.

Microsoft development platforms 

Microsoft released four, low-profile updates to the Microsoft .NET and Visual Studio platforms. We do not expect serious testing requirements for these vulnerabilities. However, CVE-2024-35264 has been reported as publicly disclosed by Microsoft. This makes this an unusually urgent patch for Microsoft Visual Studio attracting a “Patch Now” rating this month.

Adobe Reader (and other third-party updates) 

Very much as our Microsoft Exchange section has been “hijacked” by SQL Server updates this month, we’re using the Adobe section for third-party updates. (There are no updates to Adobe Reader.) 

  • CVE-2024-3596: NPS RADIUS Server. A vulnerability exists in the RADIUS protocol that potentially affects many products and implementations of the RFC 2865 in the UDP version of the RADIUS protocol. 
  • CVE-2024-38517 and CVE-2024-39684: GitHub Active Directory Management Rights. The vulnerability assigned to this CVE is in the RapidJSON library which is consumed by the Microsoft Active Directory Rights Management Services Client, hence the inclusion of this CVE with this update.
  • CVE-2024-37985: This memory related update from Intel relates to its prefetcher technology. Affected: Core Windows OS memory related components — particularly the new ARM builds, which I find both confusing and ironic.

EU accuses X/Twitter of breaching the Digital Services Act

The European Commission has released the preliminary findings from an investigation launched last year into X (formerly Twitter), and said it believes the company is in breach of the Digital Services Act (DSA), which applies to marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms.

Non-compliance in three areas

In a statement, the Commission said X was found non-compliant in three areas: 

  • The “verified account” mechanism is designed and implemented in a way that deceives users and does not correspond to industry practice. “Since anyone can subscribe to obtain such a ‘verified’ status, it negatively affects users’ ability to make free and informed decisions about the authenticity of the accounts and the content they interact with,” the Commission said, adding there is “evidence of motivated malicious actors abusing the ‘verified account’ to deceive users.”
  • X does not comply with requirements around transparency in advertising. “In particular, the design does not allow for the required supervision and research into emerging risks brought about by the distribution of advertising online,” the Commission argued.
  • X does not provide access to its public data to researchers, as specified by conditions in the DSA. Its terms of service prohibit researchers from independently accessing public data, and its process for granting researchers access via its application programming interfaces (APIs) “appears to dissuade researchers from carrying out their research projects or leave them with no other choice than to pay disproportionally high fees.”

X now has the right to examine the commission’s documentation and prepare a defense. 

If the preliminary findings are confirmed, the company faces a non-compliance decision that could result in fines of up to 6% of its global annual revenue, an order to address the issues detailed in the decision, and the potential for a period of enhanced supervision. The commission can also impose periodic penalty payments.

The move could be seen as a warning shot to other companies.

“While the ruling may not have a direct impact on enterprise CIOs, it emphasizes learning from broader implications and the mistakes of others,” said Phil Brunkard, executive counselor at Info-Tech Research Group, UK. “It sets a precedent for public trust in online marketplaces or social media, highlighting the importance of integrity and transparency in data privacy. Regulation is not just about ticking the compliance box — it’s crucial for customer trust. CIOs must ensure strong governance to protect their brands and maintain customer trust, as trust is the foundation for successful organizations.”

Investigations continue


Investigations continue into X’s risk management around the dissemination of illegal content and the effectiveness of how it combats information manipulation.

To assist in its investigations, the Commission released a whistleblower tool that allows people to contact it anonymously with information contributing to compliance monitoring of X and other entities designated Very Large Online Platforms (VLOP) under the DSA.

X is not the only organization under scrutiny. The Commission has also initiated formal proceedings against TikTok, Meta (in separate proceedings launched in April and May 2024, respectively), and AliExpress.

OpenAI has developed a scale to assess how close we are to AGI

OpenAI, the company behind the popular AI chatbot ChatGPT, has now developed an evaluation scale to assess how closely AI models can approach human levels of intelligence, according to a Bloomberg report.

The scale has a total of five levels. The higher the level, the closer the AI model is judged to be to human intelligence. Today’s large-scale language models are currently judged to be at level one; that corresponds to basic intelligence, but not a more advanced problem-solving ability.

Level two means that the system has a basic problem-solving ability that should be comparable to a human with a PhD. Level three means the system can act as a representative for the user. Level four means that the system can create new innovations. Finally, level five involves the step to achieve artificial general intelligence (AGI), an AI system that can perform the work of entire organizations.

OpenAI has previously defined AGI as a highly automated system that can outperform humans on the majority of economically valuable tasks. OpenAI’s evaluation scale is considered preliminary and could be adjusted in the future.

Now Microsoft Copilot can understand your handwriting

Microsoft will soon enable the company’s AI assistant Copilot to read and analyze handwritten notes, The Verge reports. The function was expected to begin as a beta test at the end of last month.

OneNote users can use the function to make handwritten notes with a stylus and then let Copilot, for example, sum them up, generate a to-do list, or ask questions about the notes.

The feature can also be used to turn handwritten notes into text that is easier to edit and share. Once live, the feature will only be available to Copilot for Microsoft 365 subscribers and Copilot Pro users.

Zoom adds workflow automation to save time on routine tasks

Zoom has added a workflow automation tool to its collaboration app designed to save users time spent on repetitive tasks, the company announced this week.

Available in Zoom’s Workplace app, the Workflow Automation feature (currently in beta) lets users set up automations using a drag-and-drop, no-code interface. 

Having made its name selling videoconferencing software, Zoom has expanded its functionality in recent years to cater to a wider range of collaboration scenarios. This includes chat, whiteboard, note-taking, and room-booking tools that make up its Workplace product. The workflow automation tool brings Zoom’s app further into line with rival collaboration software vendors, including Slack (Workflow Builder) and Microsoft (Teams/Power Automate).

The initial focus is on the creation of workflows in Zoom’s text chat tool, though automations across the Workplace app will be enabled later, the company said.

A simple example might be a team leader scheduling a recurring project status check-in in Zoom chat. Here, a workflow can be set up to automatically post a pre-written message at a certain time each day to request an update from team members. Automations could also be used to introduce new team members to a channel, or simplify processes around time-off requests, Zoom said.

“We built Workflow Automation to be easy for teams of all sizes and abilities to use,” Wei Li, head of Zoom Team Chat at Zoom, said in a blog post Wednesday. “We’re launching Workflow Automation with Team Chat first because it’s an opportunity to strengthen collaboration with team members and get work done asynchronously. Workflow Automation helps teams by taking the guesswork out of setting up workflows and helps cut down on tedious and repetitive tasks.” 

Users can create their own workflow automations or select from pre-built templates. It’s also possible to connect with third-party apps such as Google Drive, Microsoft Outlook, or Atlassian Jira. 

The workflow automation features are available at no cost to paid Zoom customers during the beta trial. Some limitations will be introduced at general availability launch, with charges for usage outside of allotted “premium” workflow runs. 

Will Apple stop at Messages via Satellite?

With Messages via Satellite, iOS 18 shows that Apple is going into space — and as more satellites are put in place, it will expand the capabilities of the services it provides.

Introduced at WWDC, Apple Intelligence gorged on gargantuan quantities of media attention, but Apple’s plans for outer space are important, too. Available in the US with iOS 18 on iPhone 14 or later, Messages via satellite allows users to send and receive texts, emoji, and Tap backs over iMessage and SMS when a cellular or Wi-Fi connection is not available.

Satellite and iPhone chips

Apple is basically broadening the feature set it introduced when it launched SOS by Satellite (now available in multiple countries) in 2022 to include any kind of message. The system works in the same way: “Messages via satellite automatically prompts users to connect to their nearest satellite right from the Messages app to send and receive texts, emoji, and Tap backs over iMessage and SMS,” Apple explained. “Because iMessage was built to protect user privacy, iMessages sent via satellite are end-to-end encrypted.”

How Messages via Satellite works

When you aren’t connected to a network, a prompt will appear on your iPhone inviting you to use satellite services. 

  • Tap that to access Messages, Find My, Emergency SOS and Roadside Assistance. If you select Messages, a prompt will appear giving you an option to connect by satellite.
  • Choose this and your iPhone will guide you to get to the best satellite connection.
  • When typing your message, you’ll see an alert appear in the text entry field to show you that you are connecting via satellite.
  • Feedback from the first reviewers to use the feature suggests it can take a little longer to send a message if the satellite connection is weak; at other times, it can feel as swift as normal messaging.
  • All Apple’s satellite services are free for now, but the company has said enough to suggest this might eventually change.
  • You do need an iPhone 14 or later to access these services.
  • See also How to use Emergency SOS via Satellite.

That’s Messages via Satellite. 

What about Apple in space?

The Apple partnership is important to its satellite company partner. “We are the operator for certain satellite-enabled services offered by Apple,” says Globalstar’s most recent annual report, which informs us that wholesale capacity services (which includes the Apple business) accounted for around 48% of company revenue last year.

“Wholesale satellite capacity services include satellite network access and related services using our satellite spectrum and network of satellites and gateways,” the report said. Under the Apple deal, Globalstar must allocate network capacity to support Apple’s services and enable Band 53/53n for cellular services.

In return, Apple pays recurring service fees, certain operating expenses and capital expenditures, and bonuses. Apple also supports investments in new satellite capacity. Globalstar hopes to launch another 26 satellites by next year; a German report claimed it might have more than 3,000 of them in flight in the next few years. 

The network space race

“We are excited about the new satellites that we have under construction to enhance our constellation following their launch, which is expected in 2025: more satellites mean more power on orbit that we can use to create additional supply to meet the growing demand for LEO capacity,” Globalstar said in its recent report. 

It is reasonably easy to guess that part of this increase in capacity will be dedicated to making Apple’s existing satellite services global. Following that logic, this implies the company will soon have in place an international system that supports end-to-end encrypted messaging and relies on non-nation-state infrastructure. 

At least one space expert thinks Apple will choose to widen the network to become a full space communications service — broadly in line with predictions from Bloomberg in 2020. Though these are “unlikely” to be the primary network for most people because of limitations on capacity and performance (at least, so far), as space agencies explore the potential to put data centers in space, and as network capability and processor performance improve, at what point will such communications become feasible? There sure seems to be money going in that direction.
