United States

US Disabled Chinese Hacking Network Targeting Critical Infrastructure (reuters.com) 24

The U.S. government in recent months launched an operation to fight a pervasive Chinese hacking operation that successfully compromised thousands of internet-connected devices, Reuters reported Tuesday, citing two Western security officials and another person familiar with the matter. From the report: The Justice Department and Federal Bureau of Investigation sought and received legal authorization to remotely disable aspects of the Chinese hacking campaign, the sources told Reuters. The Biden administration has increasingly focused on hacking, not only for fear nation states may try to disrupt the U.S. election in November, but because ransomware wreaked havoc on Corporate America in 2023.

The hacking group at the center of recent activity, Volt Typhoon, has especially alarmed intelligence officials who say it is part of a larger effort to compromise Western critical infrastructure, including naval ports, internet service providers and utilities. While the Volt Typhoon campaign initially came to light in May 2023, the hackers expanded the scope of their operations late last year and changed some of their techniques, according to three people familiar with the matter. The widespread nature of the hacks led to a series of meetings between the White House and private technology industry, including several telecommunications and cloud computing companies, where the U.S. government asked for assistance in tracking the activity.

Security

Mistakenly Published Password Exposes Mercedes-Benz Source Code (techcrunch.com) 29

An anonymous reader quotes a report from TechCrunch: Mercedes-Benz accidentally exposed a trove of internal data after leaving a private key online that gave "unrestricted access" to the company's source code, according to the security research firm that discovered it. Shubham Mittal, co-founder and chief technology officer of RedHunt Labs, alerted TechCrunch to the exposure and asked for help in disclosing to the car maker. The London-based cybersecurity company said it discovered a Mercedes employee's authentication token in a public GitHub repository during a routine internet scan in January. According to Mittal, this token -- an alternative to using a password for authenticating to GitHub -- could grant anyone full access to Mercedes's GitHub Enterprise Server, thus allowing the download of the company's private source code repositories.

"The GitHub token gave 'unrestricted' and 'unmonitored' access to the entire source code hosted at the internal GitHub Enterprise Server," Mittal explained in a report shared by TechCrunch. "The repositories include a large amount of intellectual property, connection strings, cloud access keys, blueprints, design documents, [single sign-on] passwords, API Keys, and other critical internal information." Mittal provided TechCrunch with evidence that the exposed repositories contained Microsoft Azure and Amazon Web Services (AWS) keys, a Postgres database, and Mercedes source code. It's not known if any customer data was contained within the repositories. It's not known if anyone else besides Mittal discovered the exposed key, which was published in late-September 2023.
A Mercedes spokesperson confirmed that the company "revoked the respective API token and removed the public repository immediately."

"We can confirm that internal source code was published on a public GitHub repository by human error. The security of our organization, products, and services is one of our top priorities. We will continue to analyze this case according to our normal processes. Depending on this, we implement remedial measures."
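The exposure above came down to a GitHub token sitting in a public repository. As an added example (not code from TechCrunch, RedHunt Labs or Mercedes), here is a small Python scanner of the kind a defender runs over repository contents before they are pushed: it matches the publicly documented shapes of GitHub and AWS access-key identifiers, skips low-entropy placeholders, and reports findings in redacted form. The file names and token values are constructed for the example.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Public token shapes: GitHub classic tokens are a 4-char prefix (ghp_, gho_,
# ghu_, ghs_, ghr_) plus 36 base62 characters; fine-grained PATs start with
# "github_pat_"; AWS access key IDs start with "AKIA" plus 16 characters.
TOKEN_PATTERNS = {
    "github_classic": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b"),
    "github_fine_grained": re.compile(r"\b(github_pat_[A-Za-z0-9_]{82})\b"),
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders like 'ghp_xxxx...' score near zero."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never log the full secret, even in an alert


def redact(token: str) -> str:
    return token[:8] + "..." + token[-4:]


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                token = m.group(1)
                # Documentation samples such as ghp_xxxxxxxx... are not live keys.
                if shannon_entropy(token) < min_entropy:
                    continue
                findings.append(Finding(path, line_no, kind, redact(token)))
    return findings


def scan_repo(files: dict) -> list:
    """files maps a repo-relative path to its text content."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed repository snapshot: one real-looking token in a committed .env,
# one AWS key ID in a config file, and a harmless placeholder in the README.
SAMPLE_REPO = {
    ".env": "GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8\n",
    "config/prod.yaml": "aws:\n  access_key_id: AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Set GITHUB_TOKEN to ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no} {f.kind} {f.redacted}")
```

A hit in the pre-push hook should block the push and trigger revocation of the token, since a secret that has reached a public remote must be treated as compromised regardless of how quickly the commit is removed.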
Cloud

Is Cloud the New Mainframe? (medium.com) 86

Long-time Slashdot reader theodp writes: "IBM mainframes were the original onsite private cloud," begins retired software engineer Billy Newport in Is Cloud the New Mainframe? And while there were many things to like about the mainframe (including "crazy high availability numbers which today's cloud vendors can only dream of"), cost was not one of them. "As the application usage grows," Newport explains, "the bill grows and the control of the bill is largely in IBM's hands. You use more, you pay more [...] Unfortunately, while compute is elastic, budgets are not [...] Inevitably, customers try to migrate workloads from the mainframe to 'cheaper' platforms but these projects can be very expensive to do and they do fail more often than people realize."

"Today's Cloud kind of looks exactly the same as the mainframe scenario," Newport warns. "Companies have rushed to get on the cloud with the cool kids. I predict many companies will try to rush to reduce cloud expenditure and will find migrating onsite to be an expensive proposition if it's even possible."

AI

Companies Once Focused On Mining Cryptocurrency Pivot To Generative AI (theguardian.com) 48

"Companies that once serviced the boom in cryptocurrency mining are pivoting to take advantage of the latest data gold rush," reports the Guardian. Canadian company Hive Blockchain changed its name in July to Hive Digital Technologies and announced it was pivoting to AI. "Hive has been a pioneering force in the cryptocurrency mining sector since 2017. The adoption of a new name signals a significant strategic shift to harness the potential of GPU Cloud compute technology, a vital tool in the world of AI, machine learning and advanced data analysis, allowing us to expand our revenue channels with our Nvidia GPU fleet," the company said in its announcement at the time. The company's executive chairman, Frank Holmes, told Guardian Australia the transition required a lot of work. "Moving from mining Ethereum to hosting GPU cloud services involves buying powerful new servers for our GPUs, upgrading networking equipment and moving to higher tier data centres," he said.

"The only commonality is that GPUs are the workhorses in both cases. GPU cloud requires higher end supporting hardware and a more secure, faster data centre environment. There's a steep learning curve in the GPU cloud business, but our team is adapting well and learning fast."

For others, like Iris Energy, a datacentre company operating out of Canada and Texas, and co-founded by Australian Daniel Roberts, it has been the plan all along. Iris did not require any changes to the way the company operated when the AI boom came along, Roberts told Guardian Australia. "Our strategy really has been about bootstrapping the datacentre platform with bitcoin mining, and then just preserve optionality on the whole digital world. The distinction with us and crypto-miners is we're not really miners, we're datacentre people." The company still trumpets its bitcoin mining capability but in the most recent results Iris said it was well positioned for "power dense computing" with 100% renewable energy. Roberts said it wasn't an either-or situation between bitcoin mining and AI.

"I think when you look at bitcoin versus AI, the market will just reach equilibrium based on the market-based demands for each product," he said... Holmes said Hive also saw the two industries operating in parallel. "We love the bitcoin mining business, but its revenue is rather unpredictable. GPU cloud services should complement it well," he said.

Thanks to long-time Slashdot reader mspohr for sharing the article.
Earth

Climate Change Cripples Panama Canal. Fixing it Could Take Years (yahoo.com) 148

"Parched conditions have crippled a waterway that handles $270 billion a year in global trade," reports Bloomberg. "And there are no easy solutions.

"The Panama Canal Authority is weighing potential fixes that include an artificial lake to pump water into the canal and cloud seeding to boost rainfall, but both options would take years to implement, if they're even feasible." With water levels languishing at six feet (1.8 meters) below normal, the canal authority capped the number of vessels that can cross. The limits imposed late last year were the strictest since 1989... Some shippers are paying millions of dollars to jump the growing queue, while others are taking longer, costlier routes around Africa or South America. The constraints have since eased slightly due to a rainier-than-expected November, but at 24 ships a day, the maximum is still well below the pre-drought daily capacity of about 38. As the dry season takes hold, the bottleneck is poised to worsen again...

The canal's travails reflect how climate change is altering global trade flows. Drought created chokepoints last year on the Mississippi River in the US and the Rhine in Europe. In the UK, rising sea levels are elevating the risk of flooding along the Thames. Melting ice is creating new shipping routes in the Arctic. Under normal circumstances, the Panama Canal handles about 3% of global maritime trade volumes and 46% of containers moving from Northeast Asia to the US East Coast...

In the long term, the primary solution to chronic water shortages will be to dam up the Indio River and then drill a tunnel through a mountain to pipe fresh water 8 kilometers (5 miles) into Lake Gatún, the canal's main reservoir. The project, along with additional conservation measures, will cost about $2 billion, Erick Córdoba, the manager of the water division at the canal authority estimates. He says it will take at least six years to dam up and fill the site. The US Army Corps of Engineers is conducting a feasibility study. The Indio River reservoir would increase vessel traffic by 11 to 15 a day, enough to keep Panama's top moneymaker working at capacity while guaranteeing fresh water for Panama City...

The country will need to dam even more rivers to guarantee water through the end of the century.

Microsoft

HP, Many More Companies May Have Been Breached By Russian Intelligence Group (msn.com) 27

"Security experts expect many more companies to disclose that they've been hacked by Russian intelligence agents who stole emails from executives," reports the Washington Post, "following disclosures by Microsoft and Hewlett-Packard Enterprise in the past week." Microsoft said late Thursday that it had found more victims and was in the process of notifying them. A spokesperson declined to say how many. But three experts in and out of government said that the attack was deeper and broader than the disclosures to date reveal. Two said that more than 10 companies, and perhaps far more, are expected to come forward...

The Securities and Exchange Commission last year strengthened the rules that require companies to notify their stockholders of computer intrusions that could have a material impact on company results. That helped spur the recent disclosures.

A spokesperson for America's Department of Homeland Security said "at this time we are not aware of impacts to Microsoft customer environments or products," according to the article. (Although the Washington Post adds that "The Microsoft and HPE breaches are especially concerning because so many other companies and agencies rely on them for cloud services, including email.")

The attackers were potentially spying on Microsoft's senior leadership team "for weeks or months," reports the Verge, citing a newly-published analysis by Microsoft: Crucially, the non-production test tenant account that was breached didn't have two-factor authentication enabled. [A cyber-breaching group named Nobelium from Russia's foreign intelligence service] "tailored their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection," says Microsoft. From this attack, the group "leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment...." This elevated access allowed the group to create more malicious OAuth applications and create accounts to access Microsoft's corporate environment and eventually its Office 365 Exchange Online service that provides access to email inboxes...

Hewlett Packard Enterprise (HPE) revealed earlier this week that the same group of hackers had previously gained access to its "cloud-based email environment." HPE didn't name the provider, but the company did reveal the incident was "likely related" to the "exfiltration of a limited number of [Microsoft] SharePoint files as early as May 2023."
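The Microsoft account above describes a spray that kept attempts per account deliberately low, so per-account lockout thresholds never fired; the signal only appears when failures are correlated across accounts by source. As an added example (not code from Microsoft or from the Verge's analysis), this Python detector runs that correlation over constructed sign-in events and also reports any later success from a flagged source together with the account's MFA status, which is the pattern behind the compromised test-tenant account. The log schema (`ts`, `user`, `src`, `result`, `mfa`) and all values are assumptions made for the example.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (JSON lines). One source touches many accounts with
# one or two failures each and then signs in successfully to an account without
# MFA; a second source is an ordinary user mistyping a password.
SAMPLE_LOG = """
{"ts": "2024-01-12T01:00:00Z", "user": "alice@corp.example", "src": "203.0.113.7", "result": "failure"}
{"ts": "2024-01-12T01:40:00Z", "user": "bob@corp.example", "src": "203.0.113.7", "result": "failure"}
{"ts": "2024-01-12T02:20:00Z", "user": "carol@corp.example", "src": "203.0.113.7", "result": "failure"}
{"ts": "2024-01-12T03:00:00Z", "user": "dave@corp.example", "src": "203.0.113.7", "result": "failure"}
{"ts": "2024-01-12T03:45:00Z", "user": "alice@corp.example", "src": "203.0.113.7", "result": "failure"}
{"ts": "2024-01-12T04:30:00Z", "user": "erin@corp.example", "src": "203.0.113.7", "result": "failure"}
{"ts": "2024-01-12T05:10:00Z", "user": "test-tenant@corp.example", "src": "203.0.113.7", "result": "success", "mfa": false}
{"ts": "2024-01-12T09:00:00Z", "user": "frank@corp.example", "src": "198.51.100.20", "result": "failure"}
{"ts": "2024-01-12T09:00:30Z", "user": "frank@corp.example", "src": "198.51.100.20", "result": "failure"}
{"ts": "2024-01-12T09:01:10Z", "user": "frank@corp.example", "src": "198.51.100.20", "result": "success", "mfa": true}
"""


def parse_events(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_password_spray(events, window=timedelta(hours=6),
                          min_accounts=5, max_per_account=3) -> list:
    """Flag a source that fails against many distinct accounts within `window`
    while staying at or below `max_per_account` attempts on each of them."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        (failures if e["result"] == "failure" else successes)[e["src"]].append(e)

    alerts = []
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window so evs[start:end+1] spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in evs[start:end + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                first, last = evs[start]["ts"], evs[end]["ts"]
                # A success from the same source after the spray began is the
                # event worth paging on, especially when MFA was not involved.
                later = [{"user": s["user"], "mfa": s.get("mfa")}
                         for s in successes.get(src, []) if s["ts"] >= first]
                alerts.append({
                    "src": src,
                    "accounts": sorted(per_user),
                    "max_attempts_per_account": max(per_user.values()),
                    "first_seen": first.isoformat(),
                    "last_seen": last.isoformat(),
                    "later_successes": later,
                })
                break  # one alert per source
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_password_spray(parse_events(SAMPLE_LOG)), indent=2))
```

The thresholds are starting points; tune `min_accounts` and `window` against a baseline of the tenant's own failure rates so that shared egress addresses do not drown the alert.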

Apple

Apple Opens App Store To Game Streaming Services (theverge.com) 8

Starting today Apple is opening up its App Store to allow game streaming apps and services. From a report: This means that services like Xbox Cloud Streaming and GeForce Now, which previously were only accessible on iOS via a web browser, will be able to offer full-featured apps. "Developers can now submit a single app with the capability to stream all of the games offered in their catalog," Apple wrote in a blog post. These changes apply "worldwide," according to the company.

In 2020, Apple appeared to have carved out a space for these cloud gaming services in the App Store. But that turned out not to be the case, as all games available through each service had to be submitted and reviewed as a standalone app. So the shift to allow one app with a large catalog of games marks a major change. As part of today's announcement, Apple said that "each experience made available in an app on the App Store will be required to adhere to all App Store Review Guidelines and its host app will need to maintain an age rating of the highest age-rated content included in the app."
Apple also says that developers will now "be able to provide enhanced discovery opportunities for streaming games, mini-apps, mini-games, chatbots, and plug-ins that are found within their apps," and that "mini-apps, mini-games, chatbots, and plug-ins will be able to incorporate Apple's In-App Purchase system to offer their users paid digital content or services for the first time, such as a subscription for an individual chatbot."
Cloud

WSJ: Broadcom's VMware Overhaul 'Draws Attention of CIOs' (msn.com) 74

The Wall Street Journal reports: Moves by Broadcom to shore up its $69 billion VMware acquisition, completed in November, include a streamlining of product bundles and new billing models — efforts in line with the chip giant's past acquisitions, but not necessarily welcomed by all of VMware's customers... Broadcom has also recently laid off at least hundreds of VMware workers, disclosures from the Worker Adjustment and Retraining Notification show....

VMware has approximately 330,000 customers, according to the company. Chief information officers say they are closely monitoring what comes next.

"Any CIO that's not taking stock of what they have and mentally considering alternatives and monitoring what else is out there is probably not doing their job," said Jay Ferro, executive vice president and chief information, technology and product officer at clinical research data-management company Clario. All these changes, plus past remarks by Broadcom that its go-to-market strategy is to focus completely on the needs and priorities of its top 600 customers, has left some CIOs rethinking the relationship. Price increases and degrading levels of support are among their biggest concerns. "I'm not one of their top, probably 600 customers, so they've been very clear to me where I fit in that pecking order," said Todd Florence, CIO of trucking company Estes Express Lines. Florence said he's started looking into alternatives. "It certainly doesn't make you feel good, like you're going to get lots of support going forward...."

Goya Foods CIO Suvajit Basu said he is thinking about how to reduce the food company's reliance on VMware as the sole and longtime dominant provider of virtualization for the data center. "They're going to increase their prices or change their licensing so the customer pays more," he said. "And I think this is starting to hit us right now...." Forrester estimates that in 2024, 20% of VMware customers will begin the process of exiting VMware in favor of alternatives.

On the other hand, a group VP at market researcher IDC tells the Journal that on the upside, now VMware and Broadcom will have to engage more actively with customers on the value of new products included in their bundles...
Networking

Ceph: a Journey To 1 TiB/s (ceph.io) 16

It's "a free and open-source, software-defined storage platform," according to Wikipedia, providing object storage, block storage, and file storage "built on a common distributed cluster foundation". The charter advisory board for Ceph included people from Canonical, CERN, Cisco, Fujitsu, Intel, Red Hat, SanDisk, and SUSE.

And Nite_Hawk (Slashdot reader #1,304) is one of its core engineers — a former Red Hat principal software engineer named Mark Nelson. (He's now leading R&D for a small cloud systems company called Clyso that provides Ceph consulting.) And he's returned to Slashdot to share a blog post describing "a journey to 1 TiB/s". This gnarly tale-from-Production starts while assisting Clyso with "a fairly hip and cutting edge company that wanted to transition their HDD-backed Ceph cluster to a 10 petabyte NVMe deployment" using object-based storage devices [or OSDs]... I can't believe they figured it out first. That was the thought going through my head back in mid-December after several weeks of 12-hour days debugging why this cluster was slow... Half-forgotten superstitions from the 90s about appeasing SCSI gods flitted through my consciousness...

Ultimately they decided to go with a Dell architecture we designed, which quoted at roughly 13% cheaper than the original configuration despite having several key advantages. The new configuration has less memory per OSD (still comfortably 12GiB each), but faster memory throughput. It also provides more aggregate CPU resources, significantly more aggregate network throughput, a simpler single-socket configuration, and utilizes the newest generation of AMD processors and DDR5 RAM. By employing smaller nodes, we halved the impact of a node failure on cluster recovery....

The initial single-OSD test looked fantastic for large reads and writes and showed nearly the same throughput we saw when running FIO tests directly against the drives. As soon as we ran the 8-OSD test, however, we observed a performance drop. Subsequent single-OSD tests continued to perform poorly until several hours later when they recovered. So long as a multi-OSD test was not introduced, performance remained high. Confusingly, we were unable to invoke the same behavior when running FIO tests directly against the drives. Just as confusing, we saw that during the 8 OSD test, a single OSD would use significantly more CPU than the others. A wallclock profile of the OSD under load showed significant time spent in io_submit, which is what we typically see when the kernel starts blocking because a drive's queue becomes full...

For over a week, we looked at everything from bios settings, NVMe multipath, low-level NVMe debugging, changing kernel/Ubuntu versions, and checking every single kernel, OS, and Ceph setting we could think of. None of these things fully resolved the issue. We even performed blktrace and iowatcher analysis during "good" and "bad" single OSD tests, and could directly observe the slow IO completion behavior. At this point, we started getting the hardware vendors involved. Ultimately it turned out to be unnecessary. There was one minor, and two major fixes that got things back on track.

It's a long blog post, but here's where it ends up:
  • Fix One: "Ceph is incredibly sensitive to latency introduced by CPU c-state transitions. A quick check of the bios on these nodes showed that they weren't running in maximum performance mode which disables c-states."
  • Fix Two: [A very clever engineer working for the customer] "ran a perf profile during a bad run and made a very astute discovery: A huge amount of time is spent in the kernel contending on a spin lock while updating the IOMMU mappings. He disabled IOMMU in the kernel and immediately saw a huge increase in performance during the 8-node tests." In a comment below, Nelson adds that "We've never seen the IOMMU issue before with Ceph... I'm hoping we can work with the vendors to understand better what's going on and get it fixed without having to completely disable IOMMU."
  • Fix Three: "We were not, in fact, building RocksDB with the correct compile flags... It turns out that Canonical fixed this for their own builds as did Gentoo after seeing the note I wrote in do_cmake.sh over 6 years ago... With the issue understood, we built custom 17.2.7 packages with a fix in place. Compaction time dropped by around 3X and 4K random write performance doubled."

The story has a happy ending, with performance testing eventually showing data being read at 635 GiB/s — and a colleague daring them to attempt 1 TiB/s. They built a new testing configuration targeting 63 nodes — achieving 950GiB/s — then tried some more performance optimizations...


Data Storage

30TB Hard Drives Are Nearly Here (tomshardware.com) 74

Seagate this week unveiled the industry's first hard disk drive platform that uses heat-assisted media recording (HAMR). Tom's Hardware: The new Mozaic 3+ platform relies on several all-new technologies, including new media, new write and read heads, and a brand-new controller. The platform will be used for Seagate's upcoming Exos hard drives for cloud datacenters with a 30TB capacity and higher. Heat-assisted magnetic recording is meant to radically increase areal recording density of magnetic media by making writes while the recording region is briefly heated to a point where its magnetic coercivity drops significantly.

Seagate's Mozaic 3+ uses 10 glass disks with a magnetic layer consisting of an iron-platinum superlattice structure that ensures both longevity and smaller media grain size compared to typical HDD platters. To record the media, the platform uses a plasmonic writer sub-system with a vertically integrated nanophotonic laser that heats the media before writing. Because individual grains are so small with the new media, their individual magnetic signatures are lower, whereas magnetic inter-track interference (ITI) effect is somewhat higher. As a result, Seagate had to introduce its new Gen 7 Spintronic Reader, which features the "world's smallest and most sensitive magnetic field reading sensors," according to the company. Because Seagate's new Mozaic 3+ platform deals with new media with a very small grain size, an all-new writer, and a reader that features multiple tiny magnetic field readers, it also requires a lot of compute horsepower to orchestrate the drive's work. Therefore, Seagate has equipped the Mozaic 3+ platform with an all-new controller made on a 12nm fabrication process.

Cellphones

Samsung Announces New Galaxy S24 Lineup With AI-Powered Photo Editing, Search Features (cnbc.com) 18

Samsung announced its new flagship Galaxy S24 smartphone lineup today, with loads of new artificial intelligence features. CNBC reports: For Samsung's top-tier S24 Ultra, which is the company's biggest of the three devices and comes with punchier specs and features, Samsung is using a version of Qualcomm's latest Snapdragon Series 8 Gen 3 optimized for Galaxy. The company is using a mix of Qualcomm systems-on-chips (SoCs) and its own Exynos chipset for its S24 and S24+ models. [...] The Samsung Galaxy S24 Ultra is the main event for most tech gadget enthusiasts -- and, for the most part, it isn't a whole lot different to the Galaxy S23 Ultra looks-wise. That's because Samsung isn't changing an awful lot with the hardware. It still comes in the same size as its predecessor -- the display is 6.8 inches, measured diagonally, though the phone is flatter this time round. The S23 Ultra had more curvature to it. The big upgrade to the external hardware with this model is that it's cased in titanium, so it's a lot sturdier than the S23 Ultra.

The main difference this time round is what's inside: Samsung is going big on artificial intelligence. A key focus for Samsung, like other smartphone makers, now is on "on-demand" AI -- or, the ability to carry out AI workloads directly on a device, rather than over the cloud. Samsung said its new Galaxy S24 Ultra will come with a bunch of new AI features, a lot of which is being powered by Qualcomm's Snapdragon 8 Gen 3 chipset for mobile, which is tailored for AI devices. One feature Samsung's loading into the Galaxy S24 range is the ability to circle locations or items a user is directing their camera at, or on a picture they've taken, and then look up results on what those things are. So, for instance, if you see a landmark or a shoe you want to buy, you can make a circle around that object and then the AI shows you appropriate results on Google.

Another feature Samsung touted is the ability to use AI to edit photos. So users can edit reflections out of pictures they've taken, for instance if you took a picture of yourself in front of a window. Or you can move a person from one side of the room to another by dragging them from left to right. Samsung also showcased live transcription features with its latest smartphones. When calling someone who's speaking in French, for instance, a user can pull up a transcription that's being fed through to them in real time. You can also record a conversation between two people and get it transcribed, while the AI assigns a label to each person speaking, similar to transcription products like Otter AI.
Samsung is also incorporating AI watermarking into these features, helping to combat misinformation and copyright infringement. "So when a Galaxy S24 user uses AI to modify a photo, Samsung will keep a log of what was changed with AI and store it in the metadata," reports CNBC. "It'll also have an icon in the bottom left corner to show that the image has been edited using AI, kind of like a watermark."
Microsoft

Microsoft Dethrones Apple as the Largest US Company 52

The stock market has a new, but familiar, monarch. Microsoft's AI-powered stock rally has made the software giant the largest U.S. company by market value, surpassing Apple for the first time since November 2021. WSJ: Shares edged higher Thursday morning, bringing Microsoft's market value to nearly $2.87 trillion. Apple, meanwhile, fell 1%, pulling its market capitalization just below that threshold. Either Apple or Microsoft has held the title since Feb. 4, 2019, according to Dow Jones Market Data. Microsoft's stock has been on the rise for the past year thanks to the continued growth of its cloud computing division, even as major competitors like Amazon and Google have experienced a gradual slowdown in sales growth.
Google

Google Ends Cloud Switching Fees, Pressuring Amazon and Microsoft (bloomberg.com) 12

An anonymous reader shares a report: The cost of switching between cloud-computing providers has long drawn complaints, with the services derided as "roach motels" that let businesses check in but not out. Now Google is taking steps to change that. Effective immediately, the company is eliminating fees levied on customers who want to leave its cloud for a rival service -- a policy shift that may pressure competitors Amazon and Microsoft to do the same.

The move follows intensifying scrutiny of cloud services by regulators and lawmakers around the world. UK antitrust authorities launched a probe that is looking at such penalties, and the fees emerged as a key issue when the US Federal Trade Commission asked for public comments on a variety of cloud concerns. Google Vice President Amit Zavery, who helps oversee the cloud business, said switching fees only represent about 2% of the total costs of migrating to a new provider -- and don't deter many clients from moving their data.

Cloud

Broadcom Ditches VMware Cloud Service Providers (theregister.com) 70

An anonymous reader quotes a report from The Register: Broadcom is tossing the majority of VMware's Cloud Services Providers as part of its shakeup of the virtualization titan's partner programs, say sources, leaving customers unclear who their IT supplier will be. The $61 billion purchase of VMware by Broadcom in November was swiftly followed by news of how it planned to reorganize the business into several Broadcom divisions. A month later we revealed that Broadcom intended to discontinue VMware's channel program, and that some solution providers/resellers would be transitioned to its own scheme, but on an invitation-only basis, from February. However, while Broadcom informed one part of VMware's channel of this change, a second notice was also sent to Cloud Services Providers (CSPs), informing them that their program is going to be terminated at the end of April. This program allows service providers such as smaller cloud operators to sell a VMware-based cloud service.

In the letter, seen by The Register, Broadcom tells its cloud provider partners: "Effective April 30, 2024, the ability to transact as a VMware Cloud Services Provider, under the VMware Partner Connect Program, will come to an end. However, we want to emphasize that you may have the opportunity to join the Broadcom Expert Advantage Partner Program. This invite-only program has simpler requirements and offers expanded benefits, and we will begin inviting partners to join in early 2024." One service provider told us their company had been left in the dark since that letter was received, and Broadcom has given them no indication of whether they will be invited to join its partner program or not, or what their customers are supposed to do if the company loses the right to operate a VMware cloud service. "I don't know how many smaller providers are affected by this but it must be a very large number," the source told us. "The VCSP program was the only way for MSPs and service providers to offer a multi-tenant VMware-based cloud service."

Chatter among some in the industry is that Broadcom is only interested in keeping the largest and most profitable customers, and the company simply doesn't care about the smaller users and the providers that service them. Unconfirmed fears are that only ten percent of VMware's biggest CSPs will be invited to the new master program. "This all sounds very much like Broadcom taking an aggressive approach to its route to market and focusing on those partners that can deliver growth and significant revenue," said Omdia chief analyst Roy Illsley. "I suspect the intention is to ensure that VMware consists of only profitable products and they are sold in a more cohesive way with the rest of Broadcom. So I expect to see some news on this continuing to come out for most of 2024 as the company puts this plan into action. I would not rule out disposals of some assets in a drive to streamline the portfolio to those that fit with Broadcom's strategy."
"How can they just cancel a major program affecting hundreds, perhaps thousands of customers, with zero notice, and zero details?" said one service provider. "They sent the notices out the Friday before the holidays, with no follow-up, which makes the situation even more egregious. What are we supposed to tell our customers? It's mind-boggling."
AI

Microsoft's New Battery is a Test of AI-Infused Scientific Discovery (fastcompany.com) 29

Harry McCracken, writing for FastCompany: Recently, Microsoft built a clock. Well, "built" may be overstating things. Members of the company's quantum computing team found a small digital clock in a wood case on Amazon -- the kind you might mistake for a nicer-than-usual trade show tchotchke. They hacked it to run off two experimental batteries they'd created in collaboration with staffers at the U.S. Department of Energy's Pacific Northwest National Laboratory (PNNL). Then they dressed up its enclosure by adding the logo of Azure Quantum Elements, the Microsoft platform for AI-enhanced scientific discovery that had been instrumental in developing the new battery technology.

The point of this little DIY project was to prove the batteries worked in a visceral way: "You want to have a wow moment," explains Brian Bilodeau, the head of partnerships, strategy, and operations for Azure Quantum. And the person the quantum team hoped to wow was Microsoft CEO Satya Nadella. Not that getting Nadella's attention was such a daunting prospect. Throwing vast amounts of Azure high-performance computing (HPC) resources at a big, hairy technical challenge such as materials research is the sort of challenge he's predisposed to take a personal interest in. Still, the tangible evidence of success made for a memorable moment: "I was very, very excited to see it come through," Nadella remembers.

The coin-sized CR2032 batteries powering the clock looked like the ones you might find in a pocket calculator or garage door opener. But on the inside, they used a solid-state electrolyte that replaces 70% of the lithium in garden-variety batteries with sodium. That holds the potential to address multiple issues with lithium batteries as we know them: their limited life on a charge, shrinking capacity over time, subpar performance in extreme temperatures, and risk of catching fire or even exploding. In addition, reducing lithium use in favor of cheap, plentiful sodium could be a boon to the fraught battery supply chain. With further development, the new material could benefit the myriad aspects of modern life that depend on batteries, from smartphones to EVs to the power grid. But Microsoft, being Microsoft, regards all this promise first and foremost as proof of Azure Quantum Elements' usefulness to the customers it's designed to serve. Unveiled last June, the cloud service is currently a "private preview" being tested by organizations such as Britain's Johnson Matthey, which is using it to help design catalytic converters and hydrogen fuel cells.

Apple

Apple Revives Old Fight With Hey Email App (theverge.com) 44

Shortly after the premium email service Hey announced a standalone Hey Calendar app, co-founder David Heinemeier Hansson said it was rejected by Apple for violating App Store rules.

"Apple just called to let us know they're rejecting the HEY Calendar app from the App Store (in current form)," wrote DHH on X. "Same bullying tactics as last time: Push delicate rejections to a call with a first-name-only person who'll softly inform you it's your wallet or your kneecaps. Since it's clear we're never going to pay them the extortionate 30% ransom, they're back to the bullshit about 'the app doesn't do anything when you download it.' Despite the fact that after last time, they specifically carved out HEY in App Store Review Guidelines 3.1.3 (f)!" The Verge's Amrita Khalid reports: New users can't sign up for Hey Calendar directly on the app -- Basecamp, which makes Hey, makes users first sign up through a browser. Apple's App Store rules require most paid services to offer users the ability to pay and sign up through the app, ensuring the company gets up to a 30 percent cut. The controversial rule has a ton of gray areas and carve-outs (i.e. reader apps like Spotify and Kindle get an exception) and is the subject of antitrust fights in multiple countries. But as Hansson detailed on X and in a subsequent blog post, he found Apple's rejection insulting for another reason. Close to four years ago, the company rejected Hey's original iOS app for its email service for the exact same reason.

The outcome of the 2020 fight actually worked out in Hey's favor. After days of back and forth between Apple's App Store Review Board and Basecamp, the Hey team agreed to a rather creative solution suggested by Apple exec Phil Schiller. Hey would offer a free option for the iOS app, allowing new users to sign up directly. But the company had a slight twist -- users who signed up via the iOS app got a free, temporary randomized email address that worked for 14 days -- after which they had to pay to upgrade. Currently, Hey email users can only pay for an account through the browser. Following the saga with Hey, Apple made a carve-out to its App Store rules that stated that free companion apps to certain types of paid web services were not required to have an in-app payment mechanism. But, as Hansson mentions on X, a calendar app wasn't mentioned in the list of services that Apple now makes an exception for, which includes VOIP, cloud storage, web hosting -- and of course -- email.
Hansson plans to fight Apple's decision without elaborating on exactly how he intends to do so.
Security

Google Password Resets Not Enough To Stop These Info-Stealing Malware Strains (theregister.com) 13

Security researchers say info-stealing malware can still access victims' compromised Google accounts even after passwords have been changed. From a report: A zero-day exploit of Google account security was first teased by a cybercriminal known as "PRISMA" in October 2023, boasting that the technique could be used to log back into a victim's account even after the password is changed. It can also be used to generate new session tokens to regain access to victims' emails, cloud storage, and more as necessary. Since then, developers of infostealer malware -- primarily targeting Windows, it seems -- have steadily implemented the exploit in their code. The total number of known malware families that abuse the vulnerability stands at six, including Lumma and Rhadamanthys, while Eternity Stealer is also working on an update to release in the near future.

Eggheads at CloudSEK say they found the root of the exploit to be in the undocumented Google OAuth endpoint "MultiLogin." The exploit revolves around stealing victims' session tokens. That is to say, malware first infects a person's PC -- typically via malicious spam, a dodgy download, etc. -- and then scours the machine for, among other things, web browser session cookies that can be used to log into accounts.

Security

Amnesty International Confirms Apple's Warning to Journalists About Spyware-Infected iPhones (techcrunch.com) 75

TechCrunch reports: Apple's warnings in late October that Indian journalists and opposition figures may have been targeted by state-sponsored attacks prompted a forceful counterattack from Prime Minister Narendra Modi's government. Officials publicly doubted Apple's findings and announced a probe into device security.

India has never confirmed nor denied using the Pegasus tool, but nonprofit advocacy group Amnesty International reported Thursday that it found NSO Group's invasive spyware on the iPhones of prominent journalists in India, lending more credibility to Apple's early warnings. "Our latest findings show that increasingly, journalists in India face the threat of unlawful surveillance simply for doing their jobs, alongside other tools of repression including imprisonment under draconian laws, smear campaigns, harassment, and intimidation," said Donncha Ó Cearbhaill, head of Amnesty International's Security Lab, in the blog post.

Cloud security company Lookout has also published "an in-depth technical look" at Pegasus, calling its use "a targeted espionage attack being actively leveraged against an undetermined number of mobile users around the world." It uses sophisticated function hooking to subvert OS- and application-layer security in voice/audio calls and apps including Gmail, Facebook, WhatsApp, Facetime, Viber, WeChat, Telegram, Apple's built-in messaging and email apps, and others. It steals the victim's contact list and GPS location, as well as personal, Wi-Fi, and router passwords stored on the device...

According to news reports, NSO Group sells weaponized software that targets mobile phones to governments, and its LinkedIn page says it has been operating since 2010. The Pegasus spyware has existed for a significant amount of time, and is advertised and sold for use on high-value targets for multiple purposes, including high-level espionage on iOS, Android, and Blackberry.

Thanks to Slashdot reader Mirnotoriety for sharing the news.
Cloud

Why 37Signals Abandoned the Cloud (thenewstack.io) 92

Web software firm 37Signals has migrated off the cloud after spending $3.2 million on Amazon Web Services last year, said co-founder David Heinemeier Hansson, who is also the creator of Ruby on Rails. The Basecamp project management software-maker bought $600,000 of Dell servers and expects to save over $7 million in five years by running operations in-house. From a report: DHH likened clouds to "merchants of complexity" where they are incentivized to make things as complex as possible to keep customers hooked. He compared that to the original Internet, which was not built on complex cloud services geared for multi-tenancy, but rather on simpler tools such as Linux and PHP, which anyone could use without cost. This is not to say cloud has zero value for all use cases, [Kelsey] Hightower and DHH agreed.

Clouds make perfect sense in many cases, for start-ups that do not know how much infrastructure they will need, and also for enterprises with a lack of expertise and money to burn. For many companies in the middle, though, a lot of profit margin can be recovered by reducing cloud costs and running things in-house instead, the two argued.

AI

ChatGPT Exploit Finds 24 Email Addresses, Amid Warnings of 'AI Silo' (thehill.com) 67

The New York Times reports: Last month, I received an alarming email from someone I did not know: Rui Zhu, a Ph.D. candidate at Indiana University Bloomington. Mr. Zhu had my email address, he explained, because GPT-3.5 Turbo, one of the latest and most robust large language models (L.L.M.) from OpenAI, had delivered it to him. My contact information was included in a list of business and personal email addresses for more than 30 New York Times employees that a research team, including Mr. Zhu, had managed to extract from GPT-3.5 Turbo in the fall of this year. With some work, the team had been able to "bypass the model's restrictions on responding to privacy-related queries," Mr. Zhu wrote.

My email address is not a secret. But the success of the researchers' experiment should ring alarm bells because it reveals the potential for ChatGPT, and generative A.I. tools like it, to reveal much more sensitive personal information with just a bit of tweaking. When you ask ChatGPT a question, it does not simply search the web to find the answer. Instead, it draws on what it has "learned" from reams of information — training data that was used to feed and develop the model — to generate one. L.L.M.s train on vast amounts of text, which may include personal information pulled from the Internet and other sources. That training data informs how the A.I. tool works, but it is not supposed to be recalled verbatim... In the example output they provided for Times employees, many of the personal email addresses were either off by a few characters or entirely wrong. But 80 percent of the work addresses the model returned were correct.

The researchers used the API for accessing ChatGPT, the article notes, where "requests that would typically be denied in the ChatGPT interface were accepted..."

"The vulnerability is particularly concerning because no one — apart from a limited number of OpenAI employees — really knows what lurks in ChatGPT's training-data memory."

And there was a broader related warning in another article published the same day. Microsoft may be building an AI silo in a walled garden, argues a professor at the University of California, Berkeley's school of information, calling the development "detrimental for technology development, as well as costly and potentially dangerous for society and the economy." [In January] Microsoft sealed its OpenAI relationship with another major investment — this time around $10 billion, much of which was, once again, in the form of cloud credits instead of conventional finance. In return, OpenAI agreed to run and power its AI exclusively through Microsoft's Azure cloud and granted Microsoft certain rights to its intellectual property...

Recent reports that U.K. competition authorities and the U.S. Federal Trade Commission are scrutinizing Microsoft's investment in OpenAI are encouraging. But Microsoft's failure to report these investments for what they are — a de facto acquisition — demonstrates that the company is keenly aware of the stakes and has taken advantage of OpenAI's somewhat peculiar legal status as a non-profit entity to work around the rules...

The U.S. government needs to quickly step in and reverse the negative momentum that is pushing AI into walled gardens. The longer it waits, the harder it will be, both politically and technically, to re-introduce robust competition and the open ecosystem that society needs to maximize the benefits and manage the risks of AI technology.
