By Deeba Ahmed
Student Data Managing Platform National Student Clearinghouse Confirmed MOVEit Hack Affected 900 US Schools.
This is a post from HackRead.com Read the original post: 900 U.S. Schools Hit by MOVEit Hack, Exposing Student Data

****KEY FINDINGS****

*   **Educational institutions are assumed to be the most vulnerable sector today, considering that 70 to 80% of lower-to-higher education providers reported experiencing ransomware attacks in 2022.**

*   **National Student Clearinghouse has reaffirmed these suspicions, revealing that nearly 900 US schools were impacted by the MOVEit hack.**

*   **According to the research, reporting, and verification services provider, sensitive student records were stolen in the MOVEit data breach.**

*   **The organization identified the scope of this breach on June 20 following an investigation.**

*   **The National Student Clearinghouse boasts a network of 3600 colleges/universities and 22,000 high schools.**

Last week, Hackread **covered** research from cybersecurity firm Sophos and VPN service provider AtlastVPN, revealing that education was the top-most targeted sector in ransomware attacks. During 2022, 80% of lower education and 79% of higher education institutions became targets of ransomware attacks. The **recovery** cost from these attacks touched $ 1.59 million in 2022-2023 for lower education institutes and close to $ 1 million for higher education institutions in 2023.

The latest revelation from the National Student Clearinghouse has reaffirmed these findings by revealing that around 900 schools were impacted by the **MOVEit attack**. MOVEit is a managed file transfer software created by Progress Software Corp and widely used by financial institutions, governments, and thousands of public/private sector entities worldwide for sharing information.

On 31st May 2023, MOVEit became the target of a hack attack where the platform suffered huge data loss after being hit by Cl0p ransomware. The ransomware operators accessed information belonging to organizations and individuals by **exploiting** a zero-day vulnerability.

As of September 22, 2023, this attack has impacted 2,053 organizations and 57,624,249 individuals, as per the information available on Cl0p operators’ website, SEC filings, and public disclosures, **explained** cybersecurity firm Emsisoft. Over 90% of the impacted organizations were based in the US, 1.8% in Germany, 3.2% in Canada, and 1.0% in the UK.

The National Student Clearinghouse is among the impacted organizations. The non-profit has **confirmed** (PDF) that around 900 colleges/universities have been affected by the MOVEit attack. The list of affected schools is available **here** (PDF).

The organization informed the California attorney general’s office that its MOVEit server was hacked in late May, but it discovered the scale of the breach and stealing of the student record database on June 20 with help from cybersecurity experts and law enforcement agencies. 

“Through our investigation, on June 20, 2023, we learned that an unauthorized party obtained certain files from the MOVEit tool. The issue occurred on or around May 30, 2023,” the organization explained.

The stolen data included name, contact details, school records, date of birth, student ID number, enrollment records, degree, and course-level data compromised in the attack. It has sent data breach notifications to impacted individuals. The notification has been posted to the California attorney general’s website. 

The **National Student Clearinghouse** has patched the software and added stricter monitoring mechanisms, apart from offering victims free identity monitoring services for two years.

It is worth noting that the infamous MOVEit hack impacted many high-profile organizations, including Norton’s parent company, Gen Digital, the US Department of Energy, Siemens Energy, Shell, and Schneider Electric. 

The French government agency Pole Emploi, the Colorado Department of Health Care Policy and Financing, and Maximus lost the highest amount of personal data of registered individuals.

****RELATED ARTICLES****

1.  Conti ransomware gang demanded $40m from US school district
2.  Institute of International Education leaks data of thousands of students
3.  Gamarue malware found in UK Govt-funded laptops for homeschoolers

900 U.S. Schools Hit by MOVEit Hack, Exposing Student Data

Directory Traversal vulnerability in itechyou dreamer CMS v.4.1.3 allows a remote attacker to execute arbitrary code via the themePath in the uploaded template function.

**后台存在任意文件读取编辑漏洞**

使用模板管理功能时会拼接当前模板中的themePath,themePath来自于模板  
  
  

使用风格管理功能，上传新的主题包，并在theme.json中指定themePath为../../../../../../  
  

使用新主题包去访问模板管理功能，就可以造成目录穿越，并且可以编辑  

Java

1

https://gitee.com/iteachyou/dreamer\_cms.git

git@gitee.com:iteachyou/dreamer\_cms.git

iteachyou

dreamer\_cms

Dreamer CMS（梦想家CMS内容管理系统）

CVE-2023-43382: 后台存在任意文件读取编辑漏洞 · Issue #I821AI · www.iteachyou.cc/Dreamer CMS（梦想家CMS内容管理系统） - Gitee.com

Cross-Site Scripting (XSS) vulnerability in cmsmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload injected into the Database Name, DataBase User or Database Port components.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-43339: CVE-2023-43339-CMSmadesimple-Reflected-XSS---Installation/README.md at main · sromanhu/CVE-2023-43339-CMSmadesimple-Reflected-XSS---Installation

Docker Desktop before 4.12.0 is vulnerable to RCE via a crafted extension description or changelog.

This issue affects Docker Desktop: before 4.12.0.



CVE-2023-0625: Docker Desktop release notes

Docker Desktop before 4.23.0 allows Access Token theft via a crafted extension icon URL.

This issue affects Docker Desktop: before 4.23.0.



CVE-2023-5166: Docker Desktop release notes

By Waqas
Stealth Falcon APT group is notorious for its cyber-espionage campaigns in the Middle East.
This is a post from HackRead.com Read the original post: Deadglyph: A New Backdoor Linked to Stealth Falcon APT in the Middle East

ESET warns that Deadglyph is a highly sophisticated backdoor that is mixed with different programming languages to add an extra layer of complexity.

The Middle East has once again found itself in the crosshairs of a new cybersecurity threat. Recent findings by experts at ESET Research have unveiled a highly sophisticated and previously unknown cyber-espionage tool they’ve dubbed “Deadglyph.”

This discovery is a significant development in the world of cybersecurity, as it’s the first time this secretive threat has been publicly analyzed. Even more concerning, Deadglyph has been traced back to the Stealth Falcon APT group, notorious for its cyber-espionage campaigns in the Middle East.

****What is Deadglyph?****

Deadglyph gets its name from distinctive artifacts found within the malicious software. These artifacts, such as “0xDEADB001,” and the use of homoglyph attacks (where similar-looking characters replace regular ones) indicate a high level of sophistication behind its design. It’s important to note that this isn’t your typical cyber threat; it’s a highly advanced and covert tool.

****Unusual Architecture Raises Concerns****

One of the standout features of Deadglyph is its unique architecture. Unlike most malware that relies on a single programming language, Deadglyph uses a combination of two: an x64 binary and a .NET assembly. This is quite unusual and suggests that the creators went to great lengths to make it harder to analyze. Mixing different programming languages also adds an extra layer of complexity.

What sets Deadglyph apart is that it doesn’t come with pre-set commands like traditional malware. Instead, it fetches its instructions from a remote server, giving it a flexible and adaptable nature.

****The Stealth Falcon APT Group****

The experts at ESET Research have connected Deadglyph to the Stealth Falcon APT group. This group has been active since 2012 and is believed to have ties to the United Arab Emirates. Its primary targets include political activists, journalists, and dissidents in the Middle East. The group’s activities were first exposed by Citizen Lab in 2016.

There are suggestions that Stealth Falcon and another group called Project Raven are one and the same, as they seem to have overlapping targets and tactics. The revelation of Deadglyph adds another layer of complexity to this enigmatic group’s toolkit.

****Breaking Down Deadglyph’s Operation****

Deadglyph’s operation is a complex chain of events. It starts with a registry shellcode loader that’s used to load shellcode from the Windows registry. This shellcode, in turn, loads the main part of Deadglyph, known as the Executor. What’s unique is that only the initial loader exists as a file on the victim’s computer; the rest remains encrypted within a registry entry.

While the exact method of infection isn’t clear, it’s suspected that an installer component plays a role in getting the malicious code onto a victim’s system.

****The Role of the Orchestrator****

The Orchestrator, written in .NET, is the central component of Deadglyph. Its primary job is to communicate with a remote server and execute commands, often with the help of the Executor. The Orchestrator is highly obfuscated, making it even more challenging to analyze. In essence, it acts as the control center for Deadglyph’s operations.

****Communication and Commands****

According to ESET’s report, Deadglyph uses two embedded modules, Timer and Network, for communication with its remote server. These modules are obfuscated as well. The Timer module executes tasks at set intervals, while the Network module handles communication with the server. Deadglyph also has the ability to uninstall itself if it loses contact with the server for an extended period.

****Modules: The Heart of Deadglyph****

Deadglyph’s core capabilities are delivered through additional modules obtained from the server. ESET researchers managed to obtain three such modules, shedding light on Deadglyph’s potential. However, it’s believed that there could be as many as fourteen modules in total, each adding unique functionality.

*   **Process Creator (Module 0x69)**: This module can execute specific commands as new processes and provide the results back to Deadglyph’s control center.
*   **Info Collector (Module 0x6C)**: This module gathers extensive information about the infected system, including operating system details, installed software, network adapters, and more.
*   **File Reader (Module 0x64)**: This module reads specified files and shares their contents, with an option to delete the files afterward.

****Multistage Shellcode Downloader Chain****

While investigating Deadglyph, ESET researchers stumbled upon a complex multistage shellcode downloader chain. This chain is believed to be used in the installation process of Deadglyph and shares similarities with the main threat.

The chain involves multiple stages, starting with a CPL file designed to download shellcode. This shellcode is then injected into a host process, ultimately leading to the loading of a .NET assembly that serves as a shellcode downloader.

****In Conclusion: A Disturbingly Complex Threat****

The discovery of Deadglyph shines a spotlight on the ever-evolving tactics of APT groups, particularly those targeting the Middle East. Its intricate architecture, dynamic modules, and counter-detection mechanisms make it a formidable digital threat. Organizations and individuals in the region need to remain vigilant and ensure their cybersecurity measures are up to the task of defending against such advanced threats.

****RELATED ARTICLES****

Chinese APT Flax Typhoon uses legit tools for cyber espionage

Chinese APT Slid Fake Signal, Telegram Apps onto Official App Stores

Deadglyph: A New Backdoor Linked to Stealth Falcon APT in the Middle East

OPNsense versions 23.1.11_1, 23.7.3, and 23.7.4 suffer from cross site scripting vulnerabilities that can allow for privilege escalation.

Advisory X41-2023-001: Two Vulnerabilities in OPNsense  
===========================================================  
Highest Severity Rating: High  
Confirmed Affected Versions: 23.1.11_1, 23.7.3, 23.7.4  
Confirmed Patched Versions: Commit 484753b2abe3fd0fcdb73d8bf00c3fc3709eb8b7  
Vendor: Deciso B.V. / OPNsense  
Vendor URL: https://opnsense.org  
Credit: X41 D-Sec GmbH, Yasar Klawohn and JM  
Status: Public   
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2023-001-opnsense

Summary and Impact  
------------------  
The OPNsense dashboard displays widgets with information about the system,  
running services, gateways and more. These widgets can be arranged in  
different orders and columns. The values for the number of columns and the  
order of widgets are stored server-side and are the same for all users of an  
OPNsense instance. They are reflected unmodified on every visit. This can be  
abused by a low-privileged attacker to inject their own content into the  
page, enabling a cross-site scripting (XSS) attack that can result in  
privilege escalation.

Product Description  
-------------------  
OPNsense is an open source, FreeBSD-based firewall and routing operating  
system. It includes many features of commercial firewalls and can be managed  
entirely via its web GUI.

Stored XSS in the OPNsense Dashboard via the column_count Parameter  
===================================================================  
Severity Rating: High  
Vector: Network  
CWE: 79  
CVSS Score: 8.0  
CVSS Vector: 3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H  
Credit: X41 D-Sec GmbH, Yasar Klawohn

Analysis  
--------  
The number of columns displayed in the dashboard is set via an HTTP POST  
request to /index.php, using the column_count request parameter. This  
parameter is not properly escaped when returned to the client. To exploit  
this issue, the payload "><script>alert(1)</script> is submitted as part of  
the column_count parameter. This input is reflected unmodified in the  
response and on any subsequent visit to the dashboard by any user. Only the  
"Lobby: Login / Logout / Dashboard" permission is required to abuse this  
issue.

Once the server receives the POST request, the column_count parameter is  
written unmodified into the configuration:

} elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST['origin'])  
            && $_POST['origin'] == 'dashboard') {  
    // ...  
    if (!empty($_POST['column_count'])) {  
        $config['widgets']['column_count'] = $_POST['column_count'];  
    } elseif(isset($config['widgets']['column_count'])) {  
        unset($config['widgets']['column_count']);  
    }  
    write_config('Widget configuration has been changed');  
    header(url_safe('Location: /index.php'));  
    exit;  
}  
// from:  
// https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L66-L79

If the column_count parameter is not empty, it is used unmodified: 

// ...  
if ($_SERVER['REQUEST_METHOD'] === 'GET') {  
    $pconfig = $config['widgets'];  
    // ...  
    $pconfig['column_count'] =  
       !empty($pconfig['column_count']) ? $pconfig['column_count'] : 2;  
    // ...  
// from:  
// https://github.com/opnsense/core/blob/306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L42

Below, the unmodified value is written:

  
<section class="page-content-main">  
  <form method="post" id="iform">  
    <input type="hidden" value="dashboard" name="origin" id="origin" />  
    <input type="hidden" value="" name="sequence" id="sequence" />  
    <input type="hidden" value="<?= $pconfig['column_count'];?>"  
        name="column_count" id="column_count_input" />  
  </form>  
  


Proof of Concept  
----------------  
Log in as root. On the left side, go to System -> Access -> Users, and add a  
new user. For "Effective Privileges", only select "Lobby: Login / Logout /  
Dashboard". The user is now only able to view the dashboard and the help  
pages.

Log in as that newly created user and open your browser's network monitor.  
In the OPNsense dashboard, select "1 column" from the top right and then  
press "save settings". Repeat the POST request and replace the column_count  
variable with

column_count=1"><script>alert(1)</script>

Now, log in as admin again, you should see an alert box resulting from the  
following HTML response:

<form method="post" id="iform">  
      
    <input type="hidden" value="1">  
        <script>alert(1)</script>"  
        name="column_count" id="column_count_input" />  
</form>

This is the stored XSS and can result in privilege escalation. The OPNsense  
developers did apply a Content-Security-Policy, but unfortunately allow  
unsafe-inline and unsafe-eval for scripts, which does not prevent the  
exploitation of this vulnerability.

Stored XSS in the OPNsense Dashboard via the sequence Parameter  
===============================================================  
Severity Rating: High   
Vector: Network  
CWE: 79  
CVSS Score: 8.0  
CVSS Vector: 3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H  
Credit: X41 D-Sec GmbH, JM and Yasar Klawohn

Analysis  
--------  
The order in which the widgets are displayed in the Dashboard is set via an  
HTTP POST request to /index.php, using the sequence request parameter. This  
parameter is not properly escaped when returned to the client. To exploit  
this issue, the payload "><script>alert(1)</script> is submitted as part of  
the sequence parameter. This input is reflected unmodified in the response  
and on any subsequent visit to the dashboard by any user. Only the "Lobby:  
Login / Logout / Dashboard" permission is required to abuse this issue.

The order in which widgets are displayed on the dashboard can be set in the  
same POST request, via the sequence parameter. The sequence parameter has the  
following format:

sequence=services_status-container:00000000-col3:show,  
    interface_list-container:00000001-col4:show,  
    gateways-container:00000002-col4:show

Once the server receives the POST request, the sequence parameter is written  
unmodified into the configuration:

} elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST['origin'])  
            && $_POST['origin'] == 'dashboard') {  
    if (!empty($_POST['sequence'])) {  
        $config['widgets']['sequence'] = $_POST['sequence'];  
    } elseif (isset($config['widgets']['sequence'])) {  
        unset($config['widgets']['sequence']);  
    }  
    // ...  
    write_config('Widget configuration has been changed');  
    header(url_safe('Location: /index.php'));  
    exit;  
}  
// from:  
// https://github.com/opnsense/core/blob/cbaf7cee1f0a6fabd1ec4c752a5d169c402976dc/src/www/index.php#L66-L80

When serving a GET request, the sequence parameter is returned unmodified,  
starting with a read of its value from the configuration:

// ...  
$pconfig = $config['widgets'];  
// set default dashboard view  
$pconfig['sequence'] = !empty($pconfig['sequence']) ?  
    $pconfig['sequence'] : '';  
// ...  
// from:  
// https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L39-L41

sequence is then split by comma and further split by colon into name,  
sortKey, and state. The list of widgets is sorted on the server side using  
the sortKey.

$widgetSeqParts = explode(",", $pconfig['sequence']);  
foreach (glob('/usr/local/www/widgets/widgets/*.widget.php') as $php_file) {  
    $widgetItem = array();  
    // [...]  
    foreach ($widgetSeqParts as $seqPart) {  
        $tmp = explode(':', $seqPart);  
        if (count($tmp) == 3 &&  
            explode('-', $tmp[0])[0] == $widgetItem['name']  
        ) {  
            $widgetItem['state'] = $tmp[2];  
            $widgetItem['sortKey'] = $tmp[1];  
        }  
    }  
    $widgetCollection[] = $widgetItem;  
}  
// sort widgets  
usort($widgetCollection, function ($item1, $item2) {  
    return strcmp(strtolower($item1['sortKey']),  
        strtolower($item2['sortKey']));  
});  
// from:  
// https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L44-L65

Finally, the sortKey is written unescaped into an HTML attribute:

<section  
    class="widgetdiv"  
    data-sortkey="<?=$widgetItem['sortKey'] ?>"  
    id="<?=$widgetItem['name'];?>"  
    style="display:<?=$divdisplay;?>;"  


Proof of Concept  
----------------  
Log in as root. On the left side, go to System -> Access -> Users, and add a  
new user. For "Effective Privileges", only select "Lobby: Login / Logout /  
Dashboard". The user is now only able to view the dashboard and the help  
pages.

Log in as that newly created user and open your browser's network monitor. In  
the OPNsense dashboard, reorder the widgets via drag-and-drop, then press  
"save settings".

Repeat the POST request and replace the sequence variable with

sequence=gateways-container:1"><script>alert(1)</script>-col4:show

Now, log in as admin again, you should see an alert box resulting from the  
following HTML response:

<div class="container-fluid">  
      
        <section class="widgetdiv" data-sortkey="1">  
            <script>alert(2)</script>  
            -col4" id="gateways"  style="display:block;">

This is the stored XSS and can result in privilege escalation.

The OPNsense developers did apply a Content-Security-Policy, but  
unfortunately allow unsafe-inline and unsafe-eval for scripts, which does not  
prevent the exploitation of this vulnerability.

Workarounds  
===========

Remove all effective privileges for /index.php* of low-privilege users.

Timeline  
========  
2023-09-13: Problem discovered

2023-09-14: Write-up and discovery of second finding

2023-09-19: Disclosure to Deciso B.V. / OPNsense

2023-09-19: Issue fixed upstream by Deciso B.V. / OPNsense

2023-09-20: CVE requested

2023-09-20: Informed Deciso B.V. / OPNsense that we will make the issues  
public the following day, since the patch is public

2023-09-21: Release of advisory

About X41 D-Sec GmbH  
====================  
X41 is an expert provider for application security services.  
Having extensive industry experience and expertise in the area of information  
security, a strong core security team of world class security experts enables  
X41 to perform premium security services.

Fields of expertise in the area of application security are security centered  
code reviews, binary reverse engineering and vulnerability discovery.  
Custom research and IT security consulting and support services are core  
competencies of X41.

OPNsense 23.1.11_1 / 23.7.3 / 23.7.4 Cross Site Scripting / Privilege Escalation

An issue in Gevent Gevent before version 23.9.1 allows a remote attacker to escalate privileges via a crafted script to the WSGIServer component.

**Gevent allows remote attacker to escalate privileges**

Moderate severity GitHub Reviewed Published Sep 25, 2023 to the GitHub Advisory Database • Updated Sep 25, 2023

GHSA-x7m3-jprg-wc5g: Gevent allows remote attacker to escalate privileges

By Owais Sultan
When setting up an E-commerce store, keep two things in mind: website design and mobile friendliness Remember the…
This is a post from HackRead.com Read the original post: E-commerce Website Design: How to Build a Successful Online Store in 2023

When setting up an E-commerce store, keep two things in mind: website design and mobile friendliness

Remember the feeling you had when holding the desk globe? The whole world seemed to be at the tips of your fingers and you could easily reach any desirable point. Well, that’s how E-commerce works 一 regardless of location, it is possible to develop influence and reach clients anywhere in the world provided you build a smart online presence.

If you are on your way to establishing an E-commerce store, let’s define the major steps to take to make your enterprise visible among the competitors. 

****How to Build an E-commerce Website?****

The main objective of E-commerce is to create an enjoyable and seamless journey for every customer through the sales funnel and turn them into loyal clients. 

1.  **Define the business model**

There are four basic business models that define the direction of your enterprise:

*   B2C 一 Business-to-customer 一 business sells products to customers.
*   B2B 一 Business-to-business 一 business sells products to other businesses.
*   C2C 一 Customer-to-customer 一 a marketplace where customers sell or exchange goods.
*   C2B 一 Customer-to-business 一 individuals sell their products and services to businesses. 

2.  **Choose an E-commerce website builder**

A website is the foundation of the online store, as it attracts customers and leads to sales improvements. A transfer from a brick-and-mortar shop to an E-commerce may take time and a great deal of knowledge regarding the construction of the website. Therefore, there is a better and faster solution to follow 一 the  E-commerce platforms, which offer a wide range of options to cover various needs and requests of the customers regarding the E-commerce websites. 

The well-known platforms are _Wix, Amazon, WordPress, Magento, BigCommerce, Shopify,_ etc. They all offer different modes of functioning:

*   If an owner of a website has no knowledge of programming and has no intention to hire a team of programmers, they can be offered simple and non-customizable options, which will help them process the sales, yet the identity of the company may suffer.
*   If an owner is willing to create the whole environment of the company, and set its tone of voice and brand identity, it’s worth choosing the customizable solution and entrusting all the adjustments to professionals like web development company Emerline, as such an approach will make you visible is the endless ocean of E-commerce shops. 

3.  **Engaging web design**

When considering the features of a site for the E-commerce industry, it is important to keep the user experience as the priority, as they are the force behind your success. If the website offers its clients a seamless and non-obstructive shopping experience, they will be back in the sales funnel when they need your service or goods. 

****What Are the Most Important Things to Consider?****

1.  **Responsiveness of the website**

An average shopper will spend approximately 3-3.18 minutes for an E-commerce store, that’s the amount of time given to grasp one’s attention and engage in active shopping. When the website loads slowly (which can be the result of a poor hosting service), the user gets irritated, and will not even proceed to product search. Moreover, poor website performance will ruin the positive image of the brand. 

2.  **Call to action (CTA)**

When customizing the website to users’ needs, it is vital to walk the whole way to the ‘submit’ button in their shoes. An E-commerce store is typically full of items on the page, and not all users can quickly figure out what to do next. The majority of the users will just leave, if the procedure isn’t clear, and only a few will stay if you offer very low pricing compared to competitors. Hence, use the “click here,” “choose the item,” “proceed to the next stage,” etc. verbal and visual clues to let them complete the purchase. 

3.  **Shopping cart and check-out**

What is the worst nightmare for users who dedicated their priceless time to an E-commerce store? Registration of a new user. Make sure the developers add the ‘quick registration,’ otherwise, the customer is gone. There should be a few registration options 一 for loyal (registered) clients, and newcomers (non-registered). The quick options are typically through social networks, phones, or e-mails.

The payment option should also be based on all the available options nowadays 一 PayPal, traditional debit/credit cards, digital wallets, etc., as the inconvenience with payment will force the clients to look for more convenient options. 

4.  **About us**

While the owners of an E-commerce store consider this page as “the last on the list”, it is an important part of the user’s research. The customer of today is showered with shopping options, which makes them quite finicky, they don’t just want to buy the goods, they want to see the story behind the company, as it creates its value. It is important to elaborate on the text, be respectful to the customers, and not give too many details, yet manage to keep their attention. 

5.  **Mobile-friendly website**

Our society lives at hyper-speed, and people do everything on the go. Therefore, they will rather order something using their smartphone, than wait till they switch on the laptop or PC. A mobile-friendly option shows care for the customer and respect for their time. 

****The Bottom Line****

Having an E-commerce store is a cornerstone of business development. It opens up new opportunities and makes the store visible to the whole world. However, you are noticeable, when you show the individualism of your store. Make sure you choose the professionals to help you make a difference and thus, win the customers’ attention. 

****RELATED ARTICLES****

1.  Google Vertex AI Vision: Revolutionizing E-Commerce?
2.  The Benefits of Dedicated Server Hosting for Online Retail
3.  5 essential steps needed to set up a secure e-commerce website
4.  Fortifying Customer Connections: Cybersecurity in Client-Centric Tech
5.  Buy-Now-Pay-Later (BNPL) is Revolutionising the E-Commerce Landscape

E-commerce Website Design: How to Build a Successful Online Store in 2023

Corporations are using software to monitor employees on a large scale. Some experts fear the data these tools collect could be used to automate people out of their jobs.

You’ve probably heard the story: A young buck comes into a new job full of confidence, and the weathered older worker has to show them the ropes—only to find out they’ll be unemployed once the new employee is up to speed. This has been happening among humans for a long time—but it may soon start happening between humans and artificial intelligence.

Countless headlines over the years have warned that automation isn’t just coming for blue-collar jobs, but that AI would threaten scores of white-collar jobs as well. AI tools are becoming capable of automating tasks and sometimes entire jobs in the corporate world, especially when those jobs are repetitive and rely on processing data. This could affect everyone from workers at banks and insurance companies to paralegals and beyond.

Carl Frey, an economist at Oxford University, coauthored a landmark study in 2013 that claimed AI could threaten nearly 50 percent of US jobs in the coming decades. Frey says that he doesn’t think new AI tools like ChatGPT are going to automate jobs in this way because they still require human involvement and are often unreliable. Still, many of the underlying factors that were outlined in that paper remain pertinent today. Considering the rapid pace at which AI is advancing, it’s hard to predict how it could soon be utilized and what it will be capable of.

Then there’s the issue of how it’s being incorporated into daily work and how it’s being trained. Enter corporate spyware, invasive monitoring apps that allow bosses to keep close tabs on everything their employees are doing—collecting reams of data that could come into play here in interesting ways. Corporations, which are monitoring their employees on a large scale, are now having workers utilize AI tools more frequently, and many questions remain regarding how the many AI tools that are currently being developed are being trained.

Put all of this together and there’s the potential that companies could use data they’ve harvested from workers—by monitoring them and having them interact with AI that can learn from them—to develop new AI programs that could actually replace them. If your boss can figure out exactly how you do your job, and an AI program is learning from the data you’re producing, then eventually your boss might be able to just have the program do the job instead.

“When it comes to monitoring workflows, I do think that’s going to be a way we automate a lot of this stuff,” Frey says. “What you might be able to do is take some of those foundational models and train them on some of the data you have internally and fine-tune them, or you could train a model from scratch just with your internal data.”

David Autor, a professor of economics at MIT, says he also thinks AI could be trained in this way. While there is a lot of employee surveillance happening in the corporate world, and some of the data that’s collected from it could be used to help train AI programs, simply learning from how people are interacting with AI tools throughout the workday could help train those programs to replace workers.

“They will learn from the workflow in which they’re engaged,” Autor says. “Often people will be in the process of working with a tool, and the tool will be learning from that interaction.”

Whether you’re training an AI tool directly by interacting with it throughout the day, or the data you’re producing while you work is simply being used to create an AI program that can do the work you’re doing, there are multiple ways in which a worker could inadvertently end up training an AI program to replace them. Even if the program doesn’t end up being incredibly effective, a lot of companies might be happy with an AI program that’s good enough because it doesn’t require a salary and benefits.

“I think there are a lot of discretionary white-collar jobs where you’re kind of using a mixture of hard information and soft information and trying to make advanced decisions,” Autor says. “People aren’t that good at that, machines aren’t that good at that, but probably machines can be pretty much as good as people.”

Autor says he doesn’t see a “labor market apocalypse” coming. Many workers won’t be entirely replaced but will simply have their jobs changed by AI, Autor says, while some workers will certainly be made redundant by advancements in AI. The problem there, he says, is what happens to those workers after they’re no longer able to find a well-paying job with the education and skill sets they have.

“It’s not that we’re going to run out of work. It’s much more that people are doing something they’re good at, and that thing goes away. And then they end up doing a kind of generic activity that everybody’s good at, which means it pays very little—food service, cleaning, security, vehicle driving,” Autor says. “These are low-paying activities.”

Once someone’s automated out of a well-paying job, they can end up slipping through the cracks. Autor says we’ve seen this happen in the past.

“The hollowing out of manufacturing and office work over the past 40 years has definitely put downward pressure on the wages of people who would do that type of work, and it’s not because they’re doing it now at a lower rate of pay. It’s because they’re not doing it,” Autor says.

Frey says politicians will need to offer solutions to those who fall through the cracks to prevent the destabilization of the economy and society. That would likely include offering social safety net programs to those affected. Frey has written extensively on the effects of the first Industrial Revolution, and he says there are lessons to be learned there. In Britain, for example, there was a program called the Poor Laws, where people who were harmed by automation were given financial relief.

“What you see back then is a lot of social unrest. Wages are stagnant or falling for a large part of the population. You have riots,” Frey says. “If you look at the places where the Poor Laws were more generous, there was less social unrest and less upheaval. Using welfare systems to compensate people who lose out is something we’ve done for a long time and should continue to do.”

Many people would also benefit from being retrained for other work, but Autor says the US has never been very good at retraining people, so there’d have to be some work done to create effective retraining programs. He says technology might actually be able to help there because people could be retrained using helpful new digital tools.

There was a lot of hype surrounding ChatGPT and similar AI tools when they came out. That hype has since died down a bit, suggesting to some that maybe these tools won’t be as useful as they were promised to be. Perhaps they won’t be taking everybody’s jobs. However, at the rate at which AI is advancing, there’s no saying where things could be in five to 10 years—or even next year.

Vincent Conitzer, a professor of computer science at Carnegie Mellon University, says people shouldn’t underestimate what these AI tools may soon be capable of. They may be somewhat limited in their use now, but that could change relatively rapidly and end up being as disruptive as some have warned it could be.

“I worry about this being a ‘boiling frog’ kind of scenario, where we see amazing advances in AI but then don’t immediately see them take over people’s jobs, and \[people\] conclude there wasn’t all that much to worry about, and we accept the new technology as the new normal but not all that impressive after all,” Conitzer says. “Meanwhile, gradually but quickly, the world and the job market do adjust to the new technologies in complex ways, and at some point we realize large societal problems have emerged.”

Tag

#git