An anonymous reader quotes a report from Wired: Arkady Volozh, the billionaire cofounder of Russia's biggest internet company, was removed from the EU sanctions list today, clearing the way for his return to the world of international tech. On Tuesday a spokesperson for the European Council confirmed to WIRED that the Yandex cofounder was among three people whose sanctions were lifted this week. Volozh, 60, was initially included on the EU sanctions list in June 2023, following Russia's full-scale invasion of Ukraine in February 2022. "Volozh is a leading businessperson involved in economic sectors providing a substantial source of revenue to the Government of the Russian Federation," the blocsaidlast year to justify its decision. "As founder and CEO of Yandex, he is supporting, materially or financially, the Government of the Russian Federation." In response, Volozh stepped down from his position as Yandex CEO, calling the sanctions "misguided." [...]

The removal of sanctions affecting one of Russian tech's most prominent figures will be especially significant if Volozh goes on to build Yandex 2.0 inside Europe. The billionaire maintains strong ties to exiled Russian tech talent, with thousands of Yandex staff leaving the country after the start of the war. "These people are now out, and in a position to start something new, continuing to drive technological innovation," Volozh said in the same 2023 statement. "They will be a tremendous asset to the countries in which they land." Yandex is widely known as "Russia's Google" because it monopolizes the Russian search market and offers many other services, including Yandex Music for streaming, Yandex Navigator for maps, and Yandex Go for hailing a ride. "Over the past 18 months, [Dutch-based Yandex NV] has been involved in complex negotiations with the Kremlin, in an attempt to sell its Russian operations while carving out four Europe-based units, which include businesses focused on self-driving cars, cloud computing, data labeling, and education tech," reports Wired.

Last month, Yandex NV reached a "binding agreement" to sell its operations in the country for $5.2 billion -- a price that reflects a 50% discount that Moscow imposes on companies from "unfriendly" countries like the Netherlands as a condition of exiting business in Russia.

An anonymous reader quotes a report from TechCrunch: A lengthy investigation into the European Union's use of Microsoft 365 has found the Commission breached the bloc's data protection rules through its use of the cloud-based productivity software. Announcing its decision in a press release today, the European Data Protection Supervisor (EDPS) said the Commission infringed "several key data protection rules when using Microsoft 365." "The Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365," the data supervisor, Wojciech Wiewiorowski, wrote, adding: "The Commission's infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf." The EDPS has imposed corrective measures requiring the Commission to address the compliance problems it has identified by December 9 2024, assuming it continues to use Microsoft's cloud suite. The regulator, which oversees' EU institutions' compliance with data protection rules, opened a probe of the Commission's use of Microsoft 365 and other U.S. cloud services back in May 2021. [...]

The Commission confirmed receipt of the EDPB's decision and said it will need to analyze the reasoning "in detail" before taking any decision on how to proceed. In a series of statements during a press briefing, it expressed confidence that it complies with "the applicable data protection rules, both in fact and in law." It also said "various improvements" have been made to contracts, with the EDPS, during its investigation. "We have been cooperating fully with the EDPS since the start of the investigation, by providing all relevant documents and information to the EDPS and by following up on the issues that have been raised in the course of the investigation," it said. "The Commission has always been ready to implement, and grateful for receiving, any substantiated recommendation from the EDPS. Data protection is a top priority for the Commission."

"The Commission has always been fully committed to ensuring that its use of Microsoft M365 is compliant with the applicable data protection rules and will continue to do so. The same applies to all other software acquired by the Commission," it went on, further noting: "New data protection rules for the EU institutions and bodies came into force on 11 December 2018. The Commission is actively pursuing ambitious and safe adequacy frameworks with international partners. The Commission applies those rules in all its processes and contracts, including with individual companies such as Microsoft." While the Commission's public statements reiterated that it's committed to compliance with its legal obligations, it also claimed that "compliance with the EDPS decision unfortunately seems likely to undermine the current high level of mobile and integrated IT services." "This applies not only to Microsoft but potentially also to other commercial IT services. But we need to first analyze the decision's conclusions and the underlying reasons in detail. We cannot provide further comments until we have concluded the analysis," it added.

Researchers at Cado Security Labs received an alert about a honeypot using the Docker Engine API. "A Docker command was received..." they write, "that spawned a new container, based on Alpine Linux, and created a bind mount for the underlying honeypot server's root directory..." Typically, this is exploited to write out a job for the Cron scheduler to execute... In this particular campaign, the attacker exploits this exact method to write out an executable at the path /usr/bin/vurl, along with registering a Cron job to decode some base64-encoded shell commands and execute them on the fly by piping through bash.

The vurl executable consists solely of a simple shell script function, used to establish a TCP connection with the attacker's Command and Control (C2) infrastructure via the /dev/tcp device file. The Cron jobs mentioned above then utilise the vurl executable to retrieve the first stage payload from the C2 server... To provide redundancy in the event that the vurl payload retrieval method fails, the attackers write out an additional Cron job that attempts to use Python and the urllib2 library to retrieve another payload named t.sh
"Multiple user mode rootkits are deployed to hide malicious processes," they note. And one of the shell scripts "makes use of the shopt (shell options) built-in to prevent additional shell commands from the attacker's session from being appended to the history file... Not only are additional commands prevented from being written to the history file, but the shopt command itself doesn't appear in the shell history once a new session has been spawned."

The same script also inserts "an attacker-controlled SSH key to maintain access to the compromised host," according to the article, retrieves a miner for the Monero cryptocurrency and then "registers persistence in the form of systemd services" for both the miner and an open source Golang reverse shell utility named Platypus.

It also delivers "various utilities," according to the blog Security Week, "including 'masscan' for host discovery." Citing CADO's researchers, they write that the shell script also "weakens the machine by disabling SELinux and other functions and by uninstalling monitoring agents." The Golang payloads deployed in these attacks allow attackers to search for Docker images from the Ubuntu or Alpine repositories and delete them, and identify and exploit misconfigured or vulnerable Hadoop, Confluence, Docker, and Redis instances exposed to the internet... ["For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host," the researchers writes.]

"This extensive attack demonstrates the variety in initial access techniques available to cloud and Linux malware developers," Cado notes. "It's clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments."

"A 20-year-old Trojan resurfaced recently," reports Dark Reading, "with new variants that target Linux and impersonate a trusted hosted domain to evade detection." Researchers from Palo Alto Networks spotted a new Linux variant of the Bifrost (aka Bifrose) malware that uses a deceptive practice known as typosquatting to mimic a legitimate VMware domain, which allows the malware to fly under the radar. Bifrost is a remote access Trojan (RAT) that's been active since 2004 and gathers sensitive information, such as hostname and IP address, from a compromised system.

There has been a worrying spike in Bifrost Linux variants during the past few months: Palo Alto Networks has detected more than 100 instances of Bifrost samples, which "raises concerns among security experts and organizations," researchers Anmol Murya and Siddharth Sharma wrote in the company's newly published findings.

Moreover, there is evidence that cyberattackers aim to expand Bifrost's attack surface even further, using a malicious IP address associated with a Linux variant hosting an ARM version of Bifrost as well, they said... "As ARM-based devices become more common, cybercriminals will likely change their tactics to include ARM-based malware, making their attacks stronger and able to reach more targets."

"2004 was already an eventful year for Linux," writes ZDNet's Jack Wallen. "As I reported at the time, SCO was trying to drive Linux out of business. Red Hat was abandoning Linux end-user fans for enterprise customers by closing down Red Hat Linux 9 and launching the business-friendly Red Hat Enterprise Linux (RHEL). Oh, and South African tech millionaire and astronaut Mark Shuttleworth [also a Debian Linux developer] launched Canonical, Ubuntu Linux's parent company.

"Little did I — or anyone else — suspect that Canonical would become one of the world's major Linux companies."

Mark Shuttleworth answered questions from Slashdot reader in 2005 and again in 2012. And this year, Canonical celebrates its 20th anniversary. ZDNet reports: Canonical's purpose, from the beginning, was to support and share free software and open-source software... Then, as now, Ubuntu was based on Debian Linux. Unlike Debian, which never met a delivery deadline it couldn't miss, Ubuntu was set to be updated to the latest desktop, kernel, and infrastructure with a new release every six months. Canonical has kept to that cadence — except for the Ubuntu 6.06 release — for 20 years now...

Released in October 2004, Ubuntu Linux quickly became synonymous with ease of use, stability, and security, bridging the gap between the power of Linux and the usability demanded by end users. The early years of Canonical were marked by rapid innovation and community building. The Ubuntu community, a vibrant and passionate group of developers and users, became the heart and soul of the project. Forums, wikis, and IRC channels buzzed with activity as people from all over the world came together to contribute code, report bugs, write documentation, and support each other....

Canonical's influence extends beyond the desktop. Ubuntu Linux, for example, is the number one cloud operating system. Ubuntu started as a community desktop distribution, but it's become a major enterprise Linux power [also widely use as a server and Internet of Things operating system.]
The article notes Canonical's 2011 creation of the Unity desktop. ("While Ubuntu Unity still lives on — open-source projects have nine lives — it's now a sideline. Ubuntu renewed its commitment to the GNOME desktop...")

But the article also argues that "2016, on the other hand, saw the emergence of Ubuntu Snap, a containerized way to install software, which --along with its rival Red Hat's Flatpak — is helping Linux gain some desktop popularity."

Microsoft has abruptly pulled a feature from OneDrive that allows users to upload files to the cloud storage service directly from a URL. From a report: The feature turned up as a preview in 2021 and was intended for scenarios "where the file contents aren't available, or are expensive to transfer," according to Microsoft. It was particularly useful for mobile users, for whom uploading files directly through their apps could be costly. Much better to simply point OneDrive at a given URL and let it handle the upload itself.

However, the experimental feature never made it past the consumer version of OneDrive. It also didn't fit with Microsoft's "vision for OneDrive as a cloud storage service that syncs your files across devices." Indeed, the idea of hosing data into OneDrive from a remote source sits at odds with the file synchronization model being championed by Microsoft and conveniently available from macOS and Windows.

An anonymous reader quotes a report from Ars Technica: VMware is urging customers to patch critical vulnerabilities that make it possible for hackers to break out of sandbox and hypervisor protections in all versions, including out-of-support ones, of VMware ESXi, Workstation, Fusion, and Cloud Foundation products. A constellation of four vulnerabilities -- two carrying severity ratings of 9.3 out of a possible 10 -- are serious because they undermine the fundamental purpose of the VMware products, which is to run sensitive operations inside a virtual machine that's segmented from the host machine. VMware officials said that the prospect of a hypervisor escape warranted an immediate response under the company's IT Infrastructure Library, a process usually abbreviated as ITIL.

"In ITIL terms, this situation qualifies as an emergency change, necessitating prompt action from your organization," the officials wrote in a post. "However, the appropriate security response varies depending on specific circumstances." Among the specific circumstances, one concerns which vulnerable product a customer is using, and another is whether and how it may be positioned behind a firewall. A VMware advisory included the following matrix showing how the vulnerabilities -- tracked as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255 -- affect each of the vulnerable products [...]. Three of the vulnerabilities affect the USB controller the products use to support peripheral devices such as keyboards and mice.

Broadcom, the VMware parent company, is urging customers to patch vulnerable products. As a workaround, users can remove USB controllers from vulnerable virtual machines, but Broadcom stressed that this measure could degrade virtual console functionality and should be viewed as only a temporary solution. In an article explaining how to remove a USB controller, officials wrote: "The workaround is to remove all USB controllers from the Virtual Machine. As a result, USB passthrough functionality will be unavailable. In addition, virtual/emulated USB devices, such as VMware virtual USB stick or dongle, will not be available for use by the virtual machine. In contrast, the default keyboard/mouse as input devices are not affected as they are, by default, not connected through USB protocol but have a driver that does software device emulation in the guest OS.

IMPORTANT:
Certain guest operating systems, including Mac OS, do not support using a PS/2 mouse and keyboard. These guest operating systems will be left without a mouse and keyboard without a USB controller."

Linwei Ding, a former Google software engineer, has been indicted for stealing trade secrets related to AI to benefit two Chinese companies. He faces up to 10 years in prison and a $250,000 fine on each criminal count. Reuters reports: Ding's indictment was unveiled a little over a year after the Biden administration created an interagency Disruptive Technology Strike Force to help stop advanced technology being acquired by countries such as China and Russia, or potentially threaten national security. "The Justice Department just will not tolerate the theft of our trade secrets and intelligence," U.S. Attorney General Merrick Garland said at a conference in San Francisco.

According to the indictment, Ding stole detailed information about the hardware infrastructure and software platform that lets Google's supercomputing data centers train large AI models through machine learning. The stolen information included details about chips and systems, and software that helps power a supercomputer "capable of executing at the cutting edge of machine learning and AI technology," the indictment said. Google designed some of the allegedly stolen chip blueprints to gain an edge over cloud computing rivals Amazon.com and Microsoft, which design their own, and reduce its reliance on chips from Nvidia.

Hired by Google in 2019, Ding allegedly began his thefts three years later, while he was being courted to become chief technology officer for an early-stage Chinese tech company, and by May 2023 had uploaded more than 500 confidential files. The indictment said Ding founded his own technology company that month, and circulated a document to a chat group that said "We have experience with Google's ten-thousand-card computational power platform; we just need to replicate and upgrade it." Google became suspicious of Ding in December 2023 and took away his laptop on Jan. 4, 2024, the day before Ding planned to resign. A Google spokesperson said: "We have strict safeguards to prevent the theft of our confidential commercial information and trade secrets. After an investigation, we found that this employee stole numerous documents, and we quickly referred the case to law enforcement."

Michelle Lewis reports via Electrek: One of the US's largest nuclear power plants will directly power cloud service provider Amazon Web Services' new data center. Power provider Talen Energy sold its data center campus, Cumulus Data Assets, to Amazon Web Services for $650 million. Amazon will develop an up to 960-megawatt (MW) data center at the Salem Township site in Luzerne County, Pennsylvania. The 1,200-acre campus is directly powered by an adjacent 2.5 gigawatt (GW) nuclear power station also owned by Talen Energy.

The 1,075-acre Susquehanna Steam Electric Station is the sixth-largest nuclear power plant in the US. It's been online since 1983 and produces 63 million kilowatt hours per day. The plant has two General Electric boiling water reactors within a Mark II containment building that are licensed through 2042 and 2044. According to Talen Energy's investor presentation, it will supply fixed-price nuclear power to Amazon's new data center as it's built. Amazon has minimum contractual power commitments that ramp up in 120 MW increments over several years. The cloud service giant has a one-time option to cap commitments at 480 MW and two 10-year extension options tied to nuclear license renewals.

According to the latest data from StatCounter, Linux's market share has reached 4.03% -- surging by an additional 1% in the last eight months. What's the reason behind this recent growth? "That's a good question," writes ZDNet's Steven Vaughan-Nichols. "While Windows is the king of the hill with 72.13% and MacOS comes in a distant second at 15.46%, it's clear that Linux is making progress." An anonymous Slashdot reader shares the five reasons why Vaughan-Nichols thinks it's growing: 1. Microsoft isn't that interested in Windows
If you think Microsoft is all about the desktop and Windows, think again. Microsoft's profits these days come from its Azure cloud and Software-as-a-Service (SaaS), Microsoft 365 in particular. Microsoft doesn't want you to buy Windows; the Redmond powerhouse wants you to subscribe to Windows 365 Cloud PC. And, by the way, you can run Windows 365 Cloud PC on Macs, Chromebooks, Android tablets, iPads, and, oh yes, Linux desktops.

2. Linux gaming, thanks to Steam, is also growing
Gaming has never been a strong suit for Linux, but Linux gamers are also a slowly growing group. I suspect that's because Steam, the most popular Linux gaming platform, also has the lion's share of the gaming distribution market

3. Users are finally figuring out that some Linux distros are easy to use
Even now, you'll find people who insist that Linux is hard to master. True, if you want to be a Linux power user, Linux will challenge you. But, if all you want to do is work and play, many Linux distributions are suitable for beginners. For example, Linux Mint is simple to use, and it's a great end-user operating system for everyone and anyone.

4. Finding and installing Linux desktop software is easier than ever
While some Linux purists dislike containerized application installation programs such as Flatpak, Snap, and AppImage, developers love them. Why? They make it simple to write applications for Linux that don't need to be tuned just right for all the numerous Linux distributions. For users, that means they get more programs to choose from, and they don't need to worry about finicky installation details.

5. The Linux desktop is growing in popularity in India
India is now the world's fifth-largest economy, and it's still growing. Do you know what else is growing in India? Desktop Linux. In India, Windows is still the number one operating system with 70.37%, but number two is Linux, with 15.23%. MacOS is way back in fourth place with 3.11%. I suspect this is the case because India's economy is largely based on technology. Where you find serious programmers, you find Linux users.

Amazon's cloud services division is halting fees it has long charged customers that switch to a rival provider -- following in the steps of Google, which recently announced it was ending the practice. From a report: Amazon Web Services will no longer charge customers who want to extract all of their data from the company's servers and move them to another service, AWS Vice President Robert Kennedy said in a blog post on Tuesday. "Beginning today, customers globally are now entitled to free data transfers out to the internet if they want to move to another IT provider," Kennedy said.

"Apple faces a proposed class action lawsuit alleging the company holds an illegal monopoly over digital storage for its customers," reports the Hill: The suit, filed Friday, claims "surgical" restraints prevent customers from effectively using any service except its iCloud storage system. iCloud is the only service that can host certain data from the company's phones, tablets and computers, including application data and device settings. Plaintiffs allege the practice has "unlawfully 'tied'" the devices and iCloud together... "As a result of this restraint, would-be cloud competitors are unable to offer Apple's device holders a full-service cloud-storage solution, or even a pale comparison."
The suit argues that there are "no technological or security justifications for this limitation on consumer choice," according to PC Magazine.

The class action's web site is arguing that "Consumers may have paid higher prices than they allegedly would have in a competitive market."

Microsoft built two datacenters west of Phoenix, with plans for seven more (serving, among other companies, OpenAI). "Microsoft has been adding data centers at a stupendous rate, spending more than $10 billion on cloud-computing capacity in every quarter of late," writes the Atlantic. "One semiconductor analyst called this "the largest infrastructure buildout that humanity has ever seen."

But is this part of a concerning trend? Microsoft plans to absorb its excess heat with a steady flow of air and, as needed, evaporated drinking water. Use of the latter is projected to reach more than 50 million gallons every year. That might be a burden in the best of times. As of 2023, it seemed absurd. Phoenix had just endured its hottest summer ever, with 55 days of temperatures above 110 degrees. The weather strained electrical grids and compounded the effects of the worst drought the region has faced in more than a millennium. The Colorado River, which provides drinking water and hydropower throughout the region, has been dwindling. Farmers have already had to fallow fields, and a community on the eastern outskirts of Phoenix went without tap water for most of the year... [T]here were dozens of other facilities I could visit in the area, including those run by Apple, Amazon, Meta, and, soon, Google. Not too far from California, and with plenty of cheap land, Greater Phoenix is among the fastest-growing hubs in the U.S. for data centers....

Microsoft, the biggest tech firm on the planet, has made ambitious plans to tackle climate change. In 2020, it pledged to be carbon-negative (removing more carbon than it emits each year) and water-positive (replenishing more clean water than it consumes) by the end of the decade. But the company also made an all-encompassing commitment to OpenAI, the most important maker of large-scale AI models. In so doing, it helped kick off a global race to build and deploy one of the world's most resource-intensive digital technologies. Microsoft operates more than 300 data centers around the world, and in 2021 declared itself "on pace to build between 50 and 100 new datacenters each year for the foreseeable future...."

Researchers at UC Riverside estimated last year... that global AI demand could cause data centers to suck up 1.1 trillion to 1.7 trillion gallons of freshwater by 2027. A separate study from a university in the Netherlands, this one peer-reviewed, found that AI servers' electricity demand could grow, over the same period, to be on the order of 100 terawatt hours per year, about as much as the entire annual consumption of Argentina or Sweden... [T]ensions over data centers' water use are cropping up not just in Arizona but also in Oregon, Uruguay, and England, among other places in the world.
The article points out that Microsoft "is transitioning some data centers, including those in Arizona, to designs that use less or no water, cooling themselves instead with giant fans." And an analysis (commissioned by Microsoft) on the impact of one building said it would use about 56 million gallons of drinking water each year, equivalent to the amount used by 670 families, according to the article. "In other words, a campus of servers pumping out ChatGPT replies from the Arizona desert is not about to make anyone go thirsty."

Long-time Slashdot reader AmiMoJo quotes Tom's Hardware: A Geekbench 6 result features what is likely the first-ever look at the single-core performance of the Taishan V120, developed by Huawei's HiSilicon subsidiary (via @Olrak29_ on X). The single-core score indicates that Taishan V120 cores are roughly on par with AMD's Zen 3 cores from late 2020, which could mean Huawei's technology isn't that far behind cutting-edge Western chip designers.

The Taishan V120 core was first spotted in Huawei's Kirin 9000s smartphone chip, which uses four of the cores alongside two efficiency-focused Arm Cortex A510 cores. Since Kirin 9000s chips are produced using SMIC's second-generation 7nm node (which may make it illegal to sell internationally according to U.S. lawmakers), it would also seem likely that the Taishan V120 core tested in Geekbench 6 is also made on the second-generation 7nm node.

The benchmark result doesn't really say much about what the actual CPU is, with the only hint being 'Huawei Cloud OpenStack Nova.' This implies it's a Kunpeng server CPU, which may either be the Kunpeng 916, 920, or 930. While we can only guess which one it is, it's almost certain to be the 930 given the high single-core performance shown in the result. By contrast, the few Geekbench 5 results for the Kunpeng 920 show it performing well behind AMD's first-generation Epyc Naples from 2017.

Rust's official survey team released results from their 8th annual survey "focused on gathering insights and feedback from Rust users". In terms of operating systems used by Rustaceans, the situation is very similar to the results from 2022, with Linux being the most popular choice of Rust users [69.7%], followed by macOS [33.5%] and Windows [31.9%], which have a very similar share of usage. Rust programmers target a diverse set of platforms with their Rust programs, even though the most popular target by far is still a Linux machine [85.4%]. We can see a slight uptick in users targeting WebAssembly [27.1%], embedded and mobile platforms, which speaks to the versatility of Rust.

We cannot of course forget the favourite topic of many programmers: which IDE (developer environment) do they use. Visual Studio Code still seems to be the most popular option [61.7%], with RustRover (which was released last year) also gaining some traction [16.4%].
The site ITPro spoke to James Governor, co-founder of the developer-focused analyst firm RedMonk, who said Rust's usage is "steadily increasing", pointing to its adoption among hyperscalers and cloud companies and in new infrastructure projects. "Rust is not crossing over yet as a general-purpose programming language, as Python did when it overtook Java, but it's seeing steady growth in adoption, which we expect to continue. It seems like a sustainable success story at this point."

But InfoWorld writes that "while the use of Rust language by professional programmers continues to grow, Rust users expressed concerns about the language becoming too complex and the low level of Rust usage in the tech industry." Among the 9,374 respondents who shared their main worries for the future of Rust, 43% were most concerned about Rust becoming too complex, a five percentage point increase from 2022; 42% were most concerned about low usage of Rust in the tech industry; and 32% were most concerned about Rust developers and maintainers not being properly supported, a six percentage point increase from 2022. Further, the percentage of respondents who were not at all concerned about the future of Rust fell, from 30% in 2022 to 18% in 2023.

Stack Overflow has launched an API that will require all AI models trained on its coding question-and-answer content to attribute sources linking back to its posts. And it will cost money to use the site's content. From a report: "All products based on models that consume public Stack Overflow data are required to provide attribution back to the highest relevance posts that influenced the summary given by the model," it confirmed in a statement. The Overflow API is designed to act as a knowledge database to help developers build more accurate and helpful code-generation models. Google announced it was using the service to access relevant information from Stack Overflow via the API and integrate the data with its latest Gemini models, and for its cloud storage console.

In a series of tests using fake data, a U.S. government watchdog was able to steal more than 1GB of seemingly sensitive personal data from the cloud systems of the U.S. Department of the Interior. The experiment is detailed in a new report by the Department of the Interior's Office of the Inspector General (OIG), published last week. TechCrunch reports: The goal of the report was to test the security of the Department of the Interior's cloud infrastructure, as well as its "data loss prevention solution," software that is supposed to protect the department's most sensitive data from malicious hackers. The tests were conducted between March 2022 and June 2023, the OIG wrote in the report. The Department of the Interior manages the country's federal land, national parks and a budget of billions of dollars, and hosts a significant amount of data in the cloud. According to the report, in order to test whether the Department of the Interior's cloud infrastructure was secure, the OIG used an online tool called Mockaroo to create fake personal data that "would appear valid to the Department's security tools."

The OIG team then used a virtual machine inside the Department's cloud environment to imitate "a sophisticated threat actor" inside of its network, and subsequently used "well-known and widely documented techniques to exfiltrate data." "We used the virtual machine as-is and did not install any tools, software, or malware that would make it easier to exfiltrate data from the subject system," the report read. The OIG said it conducted more than 100 tests in a week, monitoring the government department's "computer logs and incident tracking systems in real time," and none of its tests were detected nor prevented by the department's cybersecurity defenses.

"Our tests succeeded because the Department failed to implement security measures capable of either preventing or detecting well-known and widely used techniques employed by malicious actors to steal sensitive data," said the OIG's report. "In the years that the system has been hosted in a cloud, the Department has never conducted regular required tests of the system's controls for protecting sensitive data from unauthorized access." That's the bad news: The weaknesses in the Department's systems and practices "put sensitive [personal information] for tens of thousands of Federal employees at risk of unauthorized access," read the report. The OIG also admitted that it may be impossible to stop "a well-resourced adversary" from breaking in, but with some improvements, it may be possible to stop that adversary from exfiltrating the sensitive data.

An anonymous reader quotes a report from TechCrunch: Perceiving the demand for alternatives, AI startup Hugging Face several years ago teamed up with ServiceNow, the workflow automation platform, to create StarCoder, an open source code generator with a less restrictive license than some of the others out there. The original came online early last year, and work has been underway on a follow-up, StarCoder 2, ever since. StarCoder 2 isn't a single code-generating model, but rather a family. Released today, it comes in three variants, the first two of which can run on most modern consumer GPUs: A 3-billion-parameter (3B) model trained by ServiceNow; A 7-billion-parameter (7B) model trained by Hugging Face; and A 15-billion-parameter (15B) model trained by Nvidia, the newest supporter of the StarCoder project. (Note that "parameters" are the parts of a model learned from training data and essentially define the skill of the model on a problem, in this case generating code.)a

Like most other code generators, StarCoder 2 can suggest ways to complete unfinished lines of code as well as summarize and retrieve snippets of code when asked in natural language. Trained with 4x more data than the original StarCoder (67.5 terabytes versus 6.4 terabytes), StarCoder 2 delivers what Hugging Face, ServiceNow and Nvidia characterize as "significantly" improved performance at lower costs to operate. StarCoder 2 can be fine-tuned "in a few hours" using a GPU like the Nvidia A100 on first- or third-party data to create apps such as chatbots and personal coding assistants. And, because it was trained on a larger and more diverse data set than the original StarCoder (~619 programming languages), StarCoder 2 can make more accurate, context-aware predictions -- at least hypothetically.

[I]s StarCoder 2 really superior to the other code generators out there -- free or paid? Depending on the benchmark, it appears to be more efficient than one of the versions of Code Llama, Code Llama 33B. Hugging Face says that StarCoder 2 15B matches Code Llama 33B on a subset of code completion tasks at twice the speed. It's not clear which tasks; Hugging Face didn't specify. StarCoder 2, as an open source collection of models, also has the advantage of being able to deploy locally and "learn" a developer's source code or codebase -- an attractive prospect to devs and companies wary of exposing code to a cloud-hosted AI. Hugging Face, ServiceNow and Nvidia also make the case that StarCoder 2 is more ethical -- and less legally fraught -- than its rivals. [...] As opposed to code generators trained using copyrighted code (GitHub Copilot, among others), StarCoder 2 was trained only on data under license from the Software Heritage, the nonprofit organization providing archival services for code. Ahead of StarCoder 2's training, BigCode, the cross-organizational team behind much of StarCoder 2's roadmap, gave code owners a chance to opt out of the training set if they wanted. As with the original StarCoder, StarCoder 2's training data is available for developers to fork, reproduce or audit as they please. StarCoder 2's license may still be a roadblock for some. "StarCoder 2 is licensed under the BigCode Open RAIL-M 1.0, which aims to promote responsible use by imposing 'light touch' restrictions on both model licensees and downstream users," writes TechCrunch's Kyle Wiggers. "While less constraining than many other licenses, RAIL-M isn't truly 'open' in the sense that it doesn't permit developers to use StarCoder 2 for every conceivable application (medical advice-giving apps are strictly off limits, for example). Some commentators say RAIL-M's requirements may be too vague to comply with in any case -- and that RAIL-M could conflict with AI-related regulations like the EU AI Act."

Nvidia's completely free, no-strings attached trial of its cloud gaming service GeForce Now is about to be very slightly less of a deal. Nvidia says users will now start seeing ads. From a report: They're only for the free tier -- not Priority or Ultimate -- and even then, it sounds like they won't interrupt your gameplay. "Free users will start to see up to two minutes of ads while waiting in queue to start a gaming session," writes Nvidia spokesperson Stephanie Ngo. Currently, the free tier does often involve waiting in line for a remote computer to free up before every hour of free gameplay -- now, I guess there'll be a few ads too. Nvidia says the ads should help pay for the free tier of service, and that it expects the change "will reduce average wait times for free users over time."

Alphabet's Google Cloud on Monday ramped up its criticism of Microsoft's cloud computing practices, saying its rival is seeking a monopoly that would harm the development of emerging technologies such as generative AI. From a report: "We worry about Microsoft wanting to flex their decade-long practices where they had a lot of monopoly on the on-premise software before and now they are trying to push that into cloud now," Google Cloud Vice President Amit Zavery said in an interview. "So they are creating this whole walled garden, which is completely controlled and owned by Microsoft, and customers who want to do any of this stuff, you have to go to Microsoft only," he said.

"If Microsoft cloud doesn't remain open, we will have issues and long-term problems, even in next generation technologies like AI as well, because Microsoft is forcing customers to go to Azure in many ways," Zavery said, referring to Microsoft's cloud computing platform. He urged antitrust regulators to act. "I think regulators need to provide some kind of guidance as well as maybe regulations which prevent the way Microsoft is building the Azure cloud business, not allow your on-premise monopoly to bring it into the cloud monopoly," Zavery said.