Lateo.net - RSS feeds galore (to add one: @ me)

From the day before yesterday: Ars Technica

LLMs keep leaping with Llama 3, Meta’s newest open-weights AI model

A group of pink llamas on a pixelated background. (credit: Getty Images | Benj Edwards)

On Thursday, Meta unveiled early versions of its Llama 3 open-weights AI model that can be used to power text composition, code generation, or chatbots. It also announced that its Meta AI Assistant is now available on a website and is going to be integrated into its major social media apps, intensifying the company's efforts to position its products against other AI assistants like OpenAI's ChatGPT, Microsoft's Copilot, and Google's Gemini.

Like its predecessor, Llama 2, Llama 3 is notable for being a freely available, open-weights large language model (LLM) provided by a major AI company. Llama 3 technically does not qualify as "open source" because that term has a specific meaning in software (as we have mentioned in other coverage), and the industry has not yet settled on terminology for AI model releases that ship either code or weights with restrictions (you can read Llama 3's license here) or that ship without providing training data. We typically call these releases "open weights" instead.

At the moment, Llama 3 is available in two parameter sizes: 8 billion (8B) and 70 billion (70B), both of which are available as free downloads through Meta's website with a sign-up. Llama 3 comes in two versions: pre-trained (basically the raw, next-token-prediction model) and instruction-tuned (fine-tuned to follow user instructions). Each has an 8,192-token context limit.

PyPI halted new users and projects while it fended off supply-chain attack

By: Dan Goodin

Supply-chain attacks, like the latest PyPI discovery, insert malicious code into seemingly functional software packages used by developers. They're becoming increasingly common. (credit: Getty Images)

PyPI, a vital repository for open source developers, temporarily halted new project creation and new user registration following an onslaught of package uploads that executed malicious code on any device that installed them. Ten hours later, it lifted the suspension.

Short for the Python Package Index, PyPI is the go-to source for apps and code libraries written in the Python programming language. Fortune 500 corporations and independent developers alike rely on the repository to obtain the latest versions of code needed to make their projects run. At a little after 7 pm PT on Wednesday, the site started displaying a banner message informing visitors that the site was temporarily suspending new project creation and new user registration. The message didn’t explain why or provide an estimate of when the suspension would be lifted.

About 10 hours later, PyPI restored new project creation and new user registration. Once again, the site provided no reason for the 10-hour halt.

Microsoft says Kremlin-backed hackers accessed its source and internal systems

By: Dan Goodin

Image credit: Getty Images

Microsoft said that Kremlin-backed hackers who breached its corporate network in January have expanded their access since then in follow-on attacks that are targeting customers and have compromised the company's source code and internal systems.

The intrusion, which the software company disclosed in January, was carried out by Midnight Blizzard, the name used to track a hacking group widely attributed to the Federal Security Service, a Russian intelligence agency. Microsoft said at the time that Midnight Blizzard gained access to senior executives’ email accounts for months after first exploiting a weak password in a test device connected to the company’s network. Microsoft went on to say it had no indication any of its source code or production systems had been compromised.

Secrets sent in email

In an update published Friday, Microsoft said it uncovered evidence that Midnight Blizzard had used the information it gained initially to further push into its network and compromise both source code and internal systems. The hacking group—which is tracked under multiple other names, including APT29, Cozy Bear, CozyDuke, The Dukes, Dark Halo, and Nobelium—has been using the proprietary information in follow-on attacks, not only against Microsoft but also its customers.

HDMI Forum to AMD: No, you can’t make an open source HDMI 2.1 driver

HDMI cables, bundled up and covered in some dust (credit: Getty Images)

Any Linux user trying to send the highest-resolution images to a display at the fastest frame rate is out of luck for the foreseeable future, at least when it comes to an HDMI connection.

The licensing group that controls the HDMI standard, the HDMI Forum, has reportedly told AMD that it does not allow an open source implementation of the HDMI 2.1 (or HDMI 2.1+) specification, blocking tools such as AMD's FreeSync from working over HDMI connections at resolution/rate combinations like 4K at 120 Hz, or 5K at 240 Hz.

Linux blog Phoronix noted in January 2021 that the HDMI Forum did not offer public access to the HDMI 2.1 specification. Alex Deucher, an AMD engineer who has long contributed to the company's open source offerings, has kept a related bug thread alive for at least two years, only to deliver the negative outcome yesterday.

Nintendo’s lost 1990s “VR” console comes to 3DS thanks to a remarkable emulator

Virtual Boy game running on a Nintendo 3DS (credit: Floogle/X)

Nintendo has made some bold, weird choices with its hardware designs. But none were so bold and weird as 1995's Virtual Boy, a "woefully premature commercial curio," as one Ars writer put it, that "quickly passed unlamented into history," as remarked another. The awkward red-on-black tabletop headset system wasn't so much ahead of its time as beamed in from an alternate reality. In this reality, it didn't sell much and was largely forgotten.

Nintendo has seemed eager to let the Virtual Boy fade from the collective memory, but clever coders have labored to keep the system accessible outside vintage hardware collections. The latest, and perhaps most accessible, is Red Viper, which plays Virtual Boy games on a (lightly hacked) Nintendo 3DS, the other Nintendo system on which 3D features were underappreciated. It is full-speed, it supports homebrew games, you can change the drawing color to something other than red, and it is free. It's built on top of the work of earlier 3DS emulator r3dragon, which itself drew heavily from the Reality Boy project for Windows.

Just released Red Viper, a Virtual Boy emulator that runs on the Nintendo 3DS. All official games run at full speed! https://t.co/YSP3f7Yd0X pic.twitter.com/YiNh6sG74Y

— Floogle (@Skyfloogle) February 25, 2024

Red Viper makes use of the 3DS's top screen for game display and turns the lower screen into a system options panel. It maps the Virtual Boy's own face buttons onto the touchscreen. In the Twitter thread announcing Red Viper's general release, coder Floogle notes that the emulator is only roughly translating the Virtual Boy's 50 Hz refresh to the 3DS' 60 Hz by pushing a frame every 20 ms. There is, Floogle supposes, some hardware headroom for improvement.

Stability announces Stable Diffusion 3, a next-gen AI image generator

Stable Diffusion 3 generation with the prompt: studio photograph closeup of a chameleon over a black background. (credit: Stability AI)

On Thursday, Stability AI announced Stable Diffusion 3, an open-weights next-generation image-synthesis model. It follows its predecessors by reportedly generating detailed, multi-subject images with improved quality and accuracy in text generation. The brief announcement was not accompanied by a public demo, but Stability is opening up a waitlist today for those who would like to try it.

Stability says that its Stable Diffusion 3 family of models (which take text descriptions called "prompts" and turn them into matching images) ranges in size from 800 million to 8 billion parameters. The size range allows different versions of the model to run locally on a variety of devices, from smartphones to servers. Parameter size roughly corresponds to model capability in terms of how much detail it can generate. Larger models also require more VRAM on GPU accelerators to run.

Since 2022, we've seen Stability launch a progression of AI image-generation models: Stable Diffusion 1.4, 1.5, 2.0, 2.1, XL, XL Turbo, and now 3. Stability has made a name for itself as providing a more open alternative to proprietary image-synthesis models like OpenAI's DALL-E 3, though not without controversy due to the use of copyrighted training data, bias, and the potential for abuse. (This has led to lawsuits that are unresolved.) Stable Diffusion models have been open-weights and source-available, which means the models can be run locally and fine-tuned to change their outputs.

Google goes “open AI” with Gemma, a free, open-weights chatbot family

The Google Gemma logo (credit: Google)

On Wednesday, Google announced a new family of AI language models called Gemma, which are free, open-weights models built on technology similar to the more powerful but closed Gemini models. Unlike Gemini, Gemma models can run locally on a desktop or laptop computer. It's Google's first significant open large language model (LLM) release since OpenAI's ChatGPT started a frenzy for AI chatbots in 2022.

Gemma models come in two sizes: Gemma 2B (2 billion parameters) and Gemma 7B (7 billion parameters), each available in pre-trained and instruction-tuned variants. In AI, parameters are values in a neural network that determine AI model behavior, and weights are a subset of these parameters stored in a file.

Developed by Google DeepMind and other Google AI teams, Gemma pulls from techniques learned during the development of Gemini, which is the family name for Google's most capable (public-facing) commercial LLMs, including the ones that power its Gemini AI assistant. Google says the name comes from the Latin gemma, which means "precious stone."

Nginx core developer quits project in security dispute, starts “freenginx” fork

Multiple forks being held by hands (credit: Getty Images)

A core developer of Nginx, currently the world's most popular web server, has quit the project, stating that he no longer sees it as "a free and open source project… for the public good." His fork, freenginx, is "going to be run by developers, and not corporate entities," writes Maxim Dounin, and will be "free from arbitrary corporate actions."

Dounin is one of the earliest and still most active coders on the open source Nginx project and one of the first employees of Nginx, Inc., a company created in 2011 to commercially support the steadily growing web server. Nginx is now used on roughly one-third of the world's web servers, ahead of Apache.

A tricky history of creation and ownership

Nginx Inc. was acquired by Seattle-based networking firm F5 in 2019. Later that year, two of Nginx's leaders, Maxim Konovalov and Igor Sysoev, were detained and interrogated in their homes by armed Russian state agents. Sysoev's former employer, Internet firm Rambler, claimed that it owned the rights to Nginx's source code, as it was developed during Sysoev's tenure at Rambler (where Dounin also worked). While the criminal charges and rights do not appear to have materialized, the implications of a Russian company's intrusion into a popular open source piece of the web's infrastructure caused some alarm.

OpenWrt, now 20 years old, is crafting its own future-proof reference hardware

Linksys WRT54G

Failing an image of the proposed reference hardware by the OpenWrt group, let us gaze upon where this all started: inside a device that tried to quietly use open source software without crediting or releasing it. (credit: Jim Salter)

OpenWrt, the open source firmware that sprang from Linksys' use of open source code in its iconic WRT54G router and subsequent release of its work, is 20 years old this year. To keep the project going, lead developers have proposed creating a "fully upstream supported hardware design," one that would prevent the need for handling "binary blobs" in modern router hardware and let DIY router enthusiasts forge their own path.

OpenWrt project members, 13 of whom signed off on this hardware, are keeping the "OpenWrt One" simple, while including "some nice features we believe all OpenWrt supported platforms should have," including "almost unbrickable" low-level firmware, an on-board real-time clock with a battery backup, and USB-PD power. The price should be under $100 and the schematics and code publicly available.

But OpenWrt will not be producing or selling these boards, "for a ton of reasons." The group is looking to the Banana Pi makers to distribute a fitting device, with every device producing a donation to the Software Freedom Conservancy earmarked for OpenWrt. That money could then be used for hosting expenses, or "maybe an OpenWrt summit."

Zuckerberg’s AGI remarks follow trend of downplaying AI dangers

Mark Zuckerberg, chief executive officer of Meta Platforms Inc., during the Meta Connect event in Menlo Park, California, US, on Wednesday, Sept. 27, 2023.

Mark Zuckerberg, chief executive officer of Meta Platforms Inc., during the Meta Connect event in Menlo Park, California, on September 27, 2023. (credit: Getty Images)

On Thursday, Meta CEO Mark Zuckerberg announced that his company is working on building "general intelligence" for AI assistants and "open sourcing it responsibly," and that Meta is bringing together its two major research groups (FAIR and GenAI) to make it happen.

"It's become clearer that the next generation of services requires building full general intelligence," Zuckerberg said in an Instagram Reel. "This technology is so important, and the opportunities are so great that we should open source and make it as widely available as we responsibly can so that everyone can benefit."

Notably, Zuckerberg did not specifically mention the phrase "artificial general intelligence," or AGI, by name in his announcement, but a report from The Verge seems to suggest he is steering in that direction. AGI is a somewhat nebulous term for a hypothetical technology that is equivalent to human intelligence in performing general tasks without the need for specific training. It's the stated goal of Meta competitor OpenAI and one that many have feared might pose an existential threat to humanity or replace humans working intellectual jobs.

IBM, Meta form “AI Alliance” with 50 organizations to promote open source AI

Robots shaking hands on a blue background. (credit: Getty Images | Benj Edwards)

On Tuesday, IBM and Meta announced the AI Alliance, an international coalition of over 50 organizations including AMD, Intel, NASA, CERN, and Harvard University that aims to advance "open innovation and open science in AI." In other words, the goal is to collectively promote alternatives to closed AI systems currently in use by market leaders such as OpenAI and Google with ChatGPT and Duet.

In the AI Alliance news release, OpenAI isn't mentioned by name—and OpenAI is not part of the alliance, nor is Google. But over the past year, clear battle lines have been drawn between companies like OpenAI that keep AI model weights (neural network files) and data about how the models are created to themselves and companies like Meta, which provide AI model weights for others to run on their own hardware and allow others to build derivative models based on their research.

"Open and transparent innovation is essential to empower a broad spectrum of AI researchers, builders, and adopters with the information and tools needed to harness these advancements in ways that prioritize safety, diversity, economic opportunity and benefits to all," writes the alliance.

Why don’t EVs have standard diagnostic ports—and when will that change?

Auto mechanic using car diagnostic scanner tool (credit: Getty Images)

Its original name is an ALDL, short for Assembly Line Diagnostic Link, or Assembly Line Data Link. But most call an ALDL the OBD-II port because it provides everyone from engineers at proving grounds to dealership technicians to shade tree mechanics a connection to the vehicle's software and diagnostic systems. And soon, battery electric as well as hydrogen fuel cell vehicles will offer similar access.

Wait… EVs don't already have that? Not all of them, no. And the various manufacturers' systems differ from each other in both connectivity and scope, which makes troubleshooting an errant EV that much more difficult. That, as you can imagine, causes more than a few headaches for the good folks who service EVs.

Modern onboard diagnostics, or OBD-II, became a standardized and mandatory part of every automobile sold in the United States, starting with the 1996 model year. All vehicles, from a Ford Escape to a Ferrari SF90, needed one. But this mandate exempted EVs and other alternatively powered vehicles.

Infocom’s ingenious code-porting tools for Zork and other games have been found

Zork running on a Commodore 64 at the Computerspielemuseum in Berlin, Germany. (credit: Marcin Wichary (CC by 2.0 Deed))

The source code for many of Infocom's foundational text-parsing adventure games, including Zork, has been available since 2019. But that code doesn't do anything for modern computers, nor even computers of the era, when it comes to actually running the games.

Most of Infocom's games were written in "Zork Implementation Language," which was native to no particular platform or processor, but ready to be interpreted on all kinds of systems by versions of its Z-Machine. The Z-Machine could be considered the first real game development engine, so long as nobody fact-checks that statement too hard. Lots of work has been done in open source realms to create modern, and improved, versions of these interpreters for pretty much every device imaginable.

The source code for these Z-Machine implementations (virtual machines, in today's parlance) appeared like a grue from the dark a few days ago in a GitHub repository owned by Andrew Plotkin. Plotkin, a major figure in modern and classic text adventure realms (and lots in between), details what they are and how he found them in a blog post on his site.

KeeperFX keeps Dungeon Keeper alive by making it actually playable

If it were me, I would simply not burrow my way directly to where all the creatures are gaining levels as fast as my gold allows them. But I'm not full of grog and adventuring spirit. (credit: EA/KeeperFX)

In an interview about The Making of Karateka, a wonderful interactive documentary and game-about-a-game, Chris Kohler of Digital Eclipse notes that, based on the company's data, people don't actually play the games inside "classics" collections. Maybe they spend 5 minutes inside a few games they remember, but that's about it. Presenting classic games, exactly as they were when they arrived, can be historically important but often falls short of real engagement.

That's why it's a thrill to see (as first spotted by PC Gamer) a triumphant 1.0 release from KeeperFX, an open source "remake and fan expansion" of Dungeon Keeper, the 1997 Bullfrog strategy game that had players take on the other side of a dungeon crawl. The project had already, over 15 years, carried the game quite far, giving it modern Windows support, hi-res support, and loads of bugfixes and quality-of-life improvements. Now, says the team, all the original code from the original executable has been rewritten, freeing them up to change whatever they want in the future. There can be more than 2,048 "things" on the map, maps can have more than 85 square tiles, and scripting and mods can go much further.

But take note: "Ownership of the original game is still and will always be required for copyright reasons." You can, like I did earlier today, rectify that with a $6 GOG purchase, at least while it's on sale today. After downloading KeeperFX, you unpack it, run its launcher, point it to where you've installed the original Dungeon Keeper, and launch it. And then you get ready to click.

Highly invasive backdoor snuck into open source packages targets developers

By: Dan Goodin

Image credit: Getty Images

Highly invasive malware targeting software developers is once again circulating in Trojanized code libraries, with the latest ones downloaded thousands of times in the last eight months, researchers said Wednesday.

Since January, eight separate developer tools have contained hidden payloads with various nefarious capabilities, security firm Checkmarx reported. The most recent one was released last month under the name "pyobfgood." Like the seven packages that preceded it, pyobfgood posed as a legitimate obfuscation tool that developers could use to deter reverse engineering and tampering with their code. Once executed, it installed a payload, giving the attacker almost complete control of the developer’s machine. Capabilities include:

  • Exfiltrate detailed host information
  • Steal passwords from the Chrome web browser
  • Set up a keylogger
  • Download files from the victim's system
  • Capture screenshots and record both screen and audio
  • Render the computer inoperative by ramping up CPU usage, inserting a batch script in the startup directory to shut down the PC, or forcing a BSOD error with a Python script
  • Encrypt files, potentially for ransom
  • Deactivate Windows Defender and Task Manager
  • Execute any command on the compromised host

In all, pyobfgood and the previous seven tools were installed 2,348 times. They targeted developers using the Python programming language. As obfuscators, the tools targeted Python developers with reason to keep their code secret because it had hidden capabilities, trade secrets, or otherwise sensitive functions. The malicious payloads varied from tool to tool, but they all were remarkable for their level of intrusiveness.

The Ars Technica staff guide to the mobile apps we can’t live without

By: Ars Staff
Young woman receiving notifications and commenting on social media posts with smart phone. People networking with technology. Social media addiction concept.

Behold, a collection of apps we love. (credit: Oscar Wong / Getty Images)

Senior Reviews Editor Samuel Axon

Todoist basically runs my life—but that's OK, because it's a very well-designed app. There are a ton of to-do apps on the iPhone, but I went with this one because it's very flexible.

For example, yeah, you can see a top-to-bottom to-do list like with many others, but you can view that same data as a Trello-like Kanban board, too.

I've also found that Todoist is better at understanding natural language settings for projects, times, and so on than a lot of other to-do apps, so, for example, I can type "Edit next article at 2 pm on Tuesday #ArsTechnica" to add a to-do within the Ars Technica project with a due time of 2 pm on the following Tuesday. A lot of to-do apps support that, but I feel Todoist does it best.

Why Unity felt the need to “rush out” its controversial install-fee program

A push for more IronSource customers may have been a major motivation behind Unity's controversial install-fee proposals (credit: Unity)

It's been over a month now since Unity partially backtracked on its controversial proposed "pay per install" fee structure, a trust-destroying saga that seems to have contributed to the retirement of Unity CEO John Riccitiello. Now, a new report highlights some of the internal divisions over the "rushed-out" policy introduction and provides new insight into what may have been motivating the company to even attempt such a plan.

Business-focused site MobileGamer.biz cites multiple "sources from inside Unity and across the mobile games business" in reporting that Unity received some significant pushback from senior-level managers before rolling out its initial fee-restructuring plans. "Half of the people in that meeting said that this model is too complicated, it’s not going to be well-received, and we should talk to people before we do this," one anonymous source told the site. "It felt very rushed. We had this meeting and were told it was happening, but we were not told a date. And then before we knew it, it was out there."

After the negative reaction to that initial plan, Unity reportedly considered a modification that would take up to 4 percent of revenue from the largest Unity publishers—slightly under the 5 percent charged by the Unreal Engine. The final policy knocked that cap down to 2.5 percent only after the extent of the backlash became clear.
