Google

Google To Employees: 'We Are a Workplace'

Google, once known for its unconventional approach to business, has taken a decisive step towards becoming a more traditional company by firing 28 employees who participated in protests against a $1.2 billion contract with the Israeli government. The move comes after sit-in demonstrations on Tuesday at Google offices in Silicon Valley and New York City, where employees opposed the company's support for Project Nimbus, a cloud computing contract they argue harms Palestinians in Gaza. Nine employees were arrested during the protests.

In a note to employees, CEO Sundar Pichai said, "We have a culture of vibrant, open discussion... But ultimately we are a workplace and our policies and expectations are clear: this is a business, and not a place to act in a way that disrupts coworkers or makes them feel unsafe, to attempt to use the company as a personal platform, or to fight over disruptive issues or debate politics."

Google also says that the Project Nimbus contract is "not directed at highly sensitive, classified, or military workloads relevant to weapons or intelligence services."

Axios adds: Google prided itself from its early days on creating a university-like atmosphere for the elite engineers it hired. Dissent was encouraged in the belief that open discourse fostered innovation. "A lot of Google is organized around the fact that people still think they're in college when they work here," then-CEO Eric Schmidt told "In the Plex" author Steven Levy in the 2000s.

What worked for an organization with a few thousand employees is harder to maintain among nearly 200,000 workers. Generational shifts in political and social expectations also mean that Google's leadership and its rank-and-file aren't always aligned.
Google

Google Terminates 28 Employees For Protest of Israeli Cloud Contract (reuters.com)

Google said on Thursday it had terminated 28 employees after some staff participated in protests against the company's cloud contract with the Israeli government. From a report: The Alphabet unit said a small number of protesting employees entered and disrupted work at a few unspecified office locations. "Physically impeding other employees' work and preventing them from accessing our facilities is a clear violation of our policies, and completely unacceptable behavior," the company said in a statement.

Google said it had concluded individual investigations, resulting in the termination of 28 employees, and would continue to investigate and take action as needed. In a statement on Medium, Google workers affiliated with the No Tech for Apartheid campaign called it a "flagrant act of retaliation" and said that some employees who did not directly participate in Tuesday's protests were also among those Google fired.

Google

Google Workers Arrested After Nine-Hour Protest In Cloud Chief's Office (cnbc.com)

CNBC reports that nine Google workers were arrested on trespassing charges Tuesday night in protest of the company's $1.2 billion contract providing cloud computing services to the Israeli government. The sit-in happened at Google Cloud CEO Thomas Kurian's office in Sunnyvale and the 10th floor commons of Google's New York office. From the report: The arrests, which were livestreamed on Twitch by participants, follow rallies outside Google offices in New York, Sunnyvale and Seattle, which attracted hundreds of attendees, according to workers involved. [...] Protesters in Sunnyvale sat in Kurian's office for more than nine hours until their arrests, writing demands on Kurian's whiteboard and wearing shirts that read "Googler against genocide." In New York, protesters sat in a three-floor common space. Five workers from Sunnyvale and four from New York were arrested.

"On a personal level, I am opposed to Google taking any military contracts -- no matter which government they're with or what exactly the contract is about," Cheyne Anderson, a Google Cloud software engineer based in Washington, told CNBC. "And I hold that opinion because Google is an international company and no matter which military it's with, there are always going to be people on the receiving end... represented in Google's employee base and also our user base." Anderson had flown to Sunnyvale for the protest in Kurian's office and was one of the workers arrested Tuesday.
"Google Cloud supports numerous governments around the world in countries where we operate, including the Israeli government, with our generally available cloud computing services," a Google spokesperson told CNBC, adding, "This work is not directed at highly sensitive, classified, or military workloads relevant to weapons or intelligence services."
Earth

What Caused the Storm That Brought Dubai To a Standstill?

An anonymous reader shares a report: A storm hit the United Arab Emirates and Oman this week bringing record rainfall that flooded highways, inundated houses, grid-locked traffic and trapped people in their homes. [...] In the UAE, a record 254 millimetres (10 inches) of rainfall was recorded in Al Ain, a city bordering Oman. It was the largest ever in a 24-hour period since records started in 1949. Rainfall is rare in the UAE and elsewhere on the Arabian Peninsula, which is typically known for its dry desert climate. Summer air temperatures can soar above 50 degrees Celsius. But the UAE and Oman also lack drainage systems to cope with heavy rains, and submerged roads are not uncommon during rainfall.

Following Tuesday's events, questions were raised whether cloud seeding, a process that the UAE frequently conducts, could have caused the heavy rains. Cloud seeding is a process in which chemicals are implanted into clouds to increase rainfall in an environment where water scarcity is a concern. The UAE, located in one of the hottest and driest regions on earth, has been leading the effort to seed clouds and increase precipitation. But the UAE's meteorology agency told Reuters there were no such operations before the storm. The huge rainfall was instead likely due to a normal weather system that was exacerbated by climate change, experts say. A low pressure system in the upper atmosphere, coupled with low pressure at the surface, had acted like a pressure 'squeeze' on the air, according to Esraa Alnaqbi, a senior forecaster at the UAE government's National Centre of Meteorology. That squeeze, intensified by the contrast between warmer temperatures at ground level and colder temperatures higher up, created the conditions for the powerful thunderstorm, she said.
Cloud

Amazon Cloud Unit Kills Snowmobile Data Transfer Truck Service (cnbc.com)

At Amazon's annual cloud conference in 2016, the company captured the crowd's attention by driving an 18-wheeler onstage. Andy Jassy, now Amazon's CEO, called it the Snowmobile, and said the company would be using the truck to help customers speedily transfer data to Amazon Web Services facilities. Less than eight years later, the semi is out of commission. From a report: As of March, AWS had removed Snowmobile from its website, and the Amazon unit has stopped offering the service, CNBC has confirmed. The webpage devoted to AWS' "Snow family" of products now directs users to its other data transport services, including the Snowball Edge, a 50-pound suitcase-sized device that can be equipped with fast solid-state drives, and the smaller Snowcone.

An AWS spokesperson said in an emailed statement that the company has introduced more cost-effective options for moving data. Clients had to deal with power, cooling, networking, parking and security when they used the Snowmobile service, the spokesperson said.

Software

Broadcom Throws VMware Customers On Perpetual Licenses a Lifeline (theregister.com)

An anonymous reader quotes a report from The Register: In a Monday post, Broadcom CEO Hock Tan restated his belief that VMware's portfolio was too complex, and too poorly integrated, for the virtualization giant to represent true competition for hyperscale clouds. Broadcom's injection of R&D cash, he insisted, will see VMware's flagship Cloud Foundation suite evolve to become more powerful and easy to operate. He also admitted that customers aren't enjoying the ride. "As we roll out this strategy, we continue to learn from our customers on how best to prepare them for success by ensuring they always have the transition time and support they need," he wrote. "In particular, the subscription pricing model does involve a change in the timing of customers' expenditures and the balance of those expenditures between capital and operating spending."

Customers also told Tan that "fast-moving change may require more time, so we have given support extensions to many customers who came up for renewal while these changes were rolling out." That's one of the changes -- Broadcom has previously not publicly suggested such extensions would be possible. "We have always been and remain ready to work with our customers on their specific concerns," Tan wrote. The other change is providing some ongoing security patches for VMware customers who persist with their perpetual licenses instead of shifting to Broadcom's subs. "We are announcing free access to zero-day security patches for supported versions of vSphere, and we'll add other VMware products over time," Tan wrote, describing the measure as aimed at ensuring that customers "whose maintenance and support contracts have expired and choose to not continue on one of our subscription offerings." The change means such customers "are able to use perpetual licenses in a safe and secure fashion."

Google

Google Workers Protest Cloud Contract With Israel's Government (wired.com)

An anonymous reader quotes a report from Wired: Dozens of Google employees began occupying company offices in New York City and Sunnyvale, California, on Tuesday in protest of the company's $1.2 billion contract providing cloud computing services to the Israeli government. The sit-in, organized by the activist group No Tech for Apartheid, is happening at Google Cloud CEO Thomas Kurian's office in Sunnyvale and the 10th floor commons of Google's New York office. The sit-in will be accompanied by outdoor protests at Google offices in New York, Sunnyvale, San Francisco, and Seattle beginning at 2 pm ET and 11 am PT. Tuesday's actions mark an escalation in a series of recent protests organized by tech workers who oppose their employer's relationship with the Israeli government, especially in light of Israel's ongoing assault on Gaza. Since Hamas killed about 1,100 Israelis on October 7, the IDF has killed more than 34,000 Palestinians.

Just over a dozen people gathered outside Google's offices in New York and Sunnyvale on Tuesday. Among those in New York was Google cloud software engineer Eddie Hatfield, who was fired days after disrupting Google Israel's managing director at March's Mind The Tech, a company-sponsored conference focused on the Israeli tech industry, in early March. Several hours into the sit-ins on Tuesday, Google security began to accuse the workers of "trespassing" and disrupting work, prompting several people to leave while others vowed to remain until they were forced out. The 2021 contract, known as Project Nimbus, involves Google and Amazon jointly providing cloud computing infrastructure and services across branches of the Israeli government. Last week, Time reported that Google's work on Project Nimbus involves providing direct services to the Israel Defense Forces. [...]

On March 4, more than 600 other Googlers signed a petition opposing the company's sponsorship of the conference. After Hatfield was fired three days later, Google trust-and-safety-policy employee Vidana Abdel Khalek resigned from her position in opposition to Project Nimbus. Then, in late March, more than 300 Apple workers signed an open letter that alleged retaliation against workers who have expressed support for Palestinians, and urged company leadership to show public support for Palestinians. Hasan Ibraheem, a Google software engineer, is participating in the sit-in at his local Google office in New York. "This has really been a culmination of our efforts," he tells WIRED. Since joining No Tech for Apartheid in December, Ibraheem says, he has been participating in weekly "tabling" actions being held at Google office cafes in New York, Sunnyvale, San Francisco, and Mountain View, California. It involves holding a sign that says "Ask me about Project Nimbus" during lunch break, passing out flyers, and answering questions from coworkers. "It's actually shocking how many people at Google don't even know that this contract exists," Ibraheem says. "A lot of people who don't know about it, who then learn about it through us, are reasonably upset that this contract exists. They just didn't know that it existed beforehand."

The Internet

ISPs Can Charge Extra For Fast Gaming Under FCC's Internet Rules, Critics Say (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Some net neutrality proponents are worried that soon-to-be-approved Federal Communications Commission rules will allow harmful fast lanes because the plan doesn't explicitly ban "positive" discrimination. FCC Chairwoman Jessica Rosenworcel's proposed rules for Internet service providers would prohibit blocking, throttling, and paid prioritization. The rules mirror the ones imposed by the FCC during the Obama era and repealed during Trump's presidency. But some advocates are criticizing a decision to let Internet service providers speed up certain types of applications as long as application providers don't have to pay for special treatment. Stanford Law Professor Barbara van Schewick, who has consistently argued for stricter net neutrality rules, wrote in a blog post on Thursday that "harmful 5G fast lanes are coming."

"T-Mobile, AT&T and Verizon are all testing ways to create these 5G fast lanes for apps such as video conferencing, games, and video where the ISP chooses and controls what gets boosted," van Schewick wrote. "They use a technical feature in 5G called network slicing, where part of their radio spectrum gets used as a special lane for the chosen app or apps, separated from the usual Internet traffic. The FCC's draft order opens the door to these fast lanes, so long as the app provider isn't charged for them." In an FCC filing yesterday, AT&T said that carriers will use network slicing "to better meet the needs of particular business applications and consumer preferences than they could over a best-efforts network that generally treats all traffic the same."

Van Schewick warns that carriers could charge consumers more for plans that speed up specific types of content. For example, a mobile operator could offer a basic plan alongside more expensive tiers that boost certain online games or a tier that boosts services like YouTube and TikTok. Ericsson, a telecommunications vendor that sells equipment to carriers including AT&T, Verizon, and T-Mobile, has pushed for exactly this type of service. In a report on how network slicing can be used commercially, Ericsson said that "many gamers are willing to pay for enhanced gaming experiences" and would "pay up to $10.99 more for a guaranteed gaming experience on top of their 5G monthly subscription."

IOS

Apple's iOS 18 AI Will Be On-Device Preserving Privacy, and Not Server-Side (appleinsider.com)

According to Bloomberg's Mark Gurman, Apple's initial set of AI-related features in iOS 18 "will work entirely on device," and won't connect to cloud services. AppleInsider reports: In practice, these AI features would be able to function without an internet connection or any form of cloud-based processing. AppleInsider has received information from individuals familiar with the matter that suggests the report's claims are accurate. Apple is working on an in-house large language model, or LLM, known internally as "Ajax." While more advanced features will ultimately require an internet connection, basic text analysis and response generation features should be available offline. [...] Apple will reveal its AI plans during WWDC, which starts on June 10.
Bitcoin

Alleged Cryptojacking Scheme Consumed $3.5 Million of Stolen Computing To Make Just $1 Million (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Federal prosecutors indicted a Nebraska man on charges he perpetrated a cryptojacking scheme that defrauded two cloud providers -- one based in Seattle and the other in Redmond, Washington -- out of $3.5 million. The indictment, filed in US District Court for the Eastern District of New York and unsealed on Monday, charges Charles O. Parks III -- 45 of Omaha, Nebraska -- with wire fraud, money laundering, and engaging in unlawful monetary transactions in connection with the scheme. Parks has yet to enter a plea and is scheduled to make an initial appearance in federal court in Omaha on Tuesday. Parks was arrested last Friday. Prosecutors allege that Parks defrauded "two well-known providers of cloud computing services" of more than $3.5 million in computing resources to mine cryptocurrency. The indictment says the activity was in furtherance of a cryptojacking scheme, a term for crimes that generate digital coin through the acquisition of computing resources and electricity of others through fraud, hacking, or other illegal means.

Details laid out in the indictment underscore the failed economics involved in the mining of most cryptocurrencies. The $3.5 million of computing resources yielded roughly $1 million worth of cryptocurrency. In the process, massive amounts of energy were consumed. [...] Prosecutors didn't say precisely how Parks was able to trick the providers into giving him elevated services, deferring unpaid payments, or failing to discover the allegedly fraudulent behavior. They also didn't identify either of the cloud providers by name. Based on the details, however, they are almost certainly Amazon Web Services and Microsoft Azure. If convicted on all charges, Parks faces as much as 30 years in prison.

Microsoft

US Government Says Recent Microsoft Breach Exposed Federal Agencies to Hacking (msn.com)

From the Washington Post: The U.S. government said Thursday that Russian government hackers who recently stole Microsoft corporate emails had obtained passwords and other secret material that might allow them to breach multiple U.S. agencies.

The Cybersecurity and Infrastructure Security Agency, an arm of the Department of Homeland Security, on Tuesday issued a rare binding directive to an undisclosed number of agencies requiring them to change any log-ins that were taken and investigate what else might be at risk. The directive was made public Thursday, after recipients had begun shoring up their defenses. The "successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies," CISA wrote. "This Emergency Directive requires agencies to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure."

"CISA officials told reporters it is so far unclear whether the hackers, associated with Russian military intelligence agency SVR, had obtained anything from the exposed agencies," according to the article. And the article adds that CISA "did not spell out the extent of any risks to national interests."

But the agency's executive assistant director for cybersecurity did tell the newspaper that "the potential for exposure of federal authentication credentials...does pose an exigent risk to the federal enterprise, hence the need for this directive and the actions therein." Microsoft's Windows operating system, Outlook email and other software are used throughout the U.S. government, giving the Redmond, Washington-based company enormous responsibility for the cybersecurity of federal employees and their work. But the longtime relationship is showing increasing signs of strain.... [T]he breach is one of a few severe intrusions at the company that have exposed many others elsewhere to potential hacking. Another of those incidents — in which Chinese government hackers cracked security in Microsoft's cloud software offerings to steal email from State Department and Commerce Department officials — triggered a major federal review that last week called on the company to overhaul its culture, which the Cyber Safety Review Board cited as allowing a "cascade of avoidable errors."
Earth

Cloud Brightening Research Begins in California (hawaiitribune-herald.com)

"Aboard the deck of a World War II-era aircraft carrier, University of Washington scientists flicked the switch on a glorified snow-making machine," reports the Seattle Times. They describe the scientists "blasting a plume of saline spray off the coast of Alameda, California... trying to perfect a shot of salty particles that would make clouds better at reflecting sunlight back toward space, and help cool the Earth."

"It's called marine cloud brightening." Compressed air was pumped at hundreds of pounds per square inch through a nozzle full of a salty mix with a similar composition to seawater housed in an apparatus similar to a snow-making machine. The New York Times reported the machine produced a deafening hiss, releasing a fine mist that traveled hundreds of feet through the air. The scientists wanted to see if the machine could generate a consistent spray of the right size salt aerosols, taking samples downwind with instruments mounted on scissor lifts, commonly used in construction.
"This study is not yet large enough to affect local weather," the article points out. Yet "the idea of interfering with nature is so contentious, organizers of Tuesday's test kept the details tightly held, concerned that critics would try to stop them," reported the New York Times.

If it works, the next stage would be to aim at the heavens and try to change the composition of clouds above the Earth's oceans... "I hope, and I think all my colleagues hope, that we never use these things, that we never have to," said Sarah Doherty, an atmospheric scientist at the University of Washington and the manager of its marine cloud brightening program. She said there were potential side effects that still needed to be studied, including changing ocean circulation patterns and temperatures, which might hurt fisheries. Cloud brightening could also alter precipitation patterns, reducing rainfall in one place while increasing it elsewhere. But it's vital to find out whether and how such technologies could work, Doherty said, in case society needs them. And no one can say when the world might reach that point.
More from the Seattle Times: Some scientists warn that human influence on natural phenomena has rarely yielded the desired outcome, and often comes with unintended consequences. But, as the fossil-fueled world hurtles toward the internationally approved global warming limit to avoid the worst impacts of climate change, some argue there's a need to study backup plans.

"When I started graduate school in 1995, climate change, global warming was on the horizon, but there was still time to do something like reduce emissions at a scale that would allow us to avoid serious climate disruption," program manager Sarah Doherty said in an interview. "I think it's come to the point where the science community recognizes that a fairly significant degree of climate disruption and damage and suffering is pretty inevitable...." Doherty and the team are not advocating that anyone try cloud brightening now, but instead are hoping to develop a foundation for research that future decision-makers could rely on if they are evaluating geoengineering as a means of reducing suffering.

More info here from Politico and San Francisco Chronicle.

The New York Times notes that Bill Gates began funding early research in 2006.
Cloud

Irish Power Crunch Could Be Prompting AWS To Ration Compute Resources (theregister.com)

Datacenter power issues in Ireland may be coming to a head amid reports from customers that Amazon is restricting resources users can spin up in that nation, even directing them to other AWS regions across Europe instead. From a report: Energy consumed by datacenters is a growing concern, especially in places such as Ireland where there are clusters of facilities around Dublin that already account for a significant share of the country's energy supply. This may be leading to restrictions on how much infrastructure can be used, given the power requirements. AWS users have informed The Register that there are sometimes limits on the resources that they can access in its Ireland bit barn, home to Amazon's eu-west-1 region, especially with power-hungry instances that make use of GPUs to accelerate workloads such as AI.

"You cannot spin up GPU nodes in AWS Dublin as those locations are maxed out power-wise. There is reserved capacity for EC2 just in case," one source told us. "If you have a problem with that, AWS Europe will point you at spare capacity in Sweden and other parts of the EU." We asked AWS about these issues, but when it finally responded the company was somewhat evasive. "Ireland remains core to our global infrastructure strategy, and we will continue to work with customers to understand their needs, and help them to scale and grow their business," a spokesperson told us. Ireland's power grid operator, EirGrid, was likewise less than direct when we asked if they were limiting the amount of power datacenters could consume.

Supercomputing

New Advances Promise Secure Quantum Computing At Home (phys.org)

Scientists from Oxford University Physics have developed a breakthrough in cloud-based quantum computing that could allow it to be harnessed by millions of individuals and companies. The findings have been published in the journal Physical Review Letters. Phys.Org reports: In the new study, the researchers use an approach dubbed "blind quantum computing," which connects two totally separate quantum computing entities -- potentially an individual at home or in an office accessing a cloud server -- in a completely secure way. Importantly, their new methods could be scaled up to large quantum computations. "Using blind quantum computing, clients can access remote quantum computers to process confidential data with secret algorithms and even verify the results are correct, without revealing any useful information. Realizing this concept is a big step forward in both quantum computing and keeping our information safe online," said study lead Dr. Peter Drmota, of Oxford University Physics.

The researchers created a system comprising a fiber network link between a quantum computing server and a simple device detecting photons, or particles of light, at an independent computer remotely accessing its cloud services. This allows so-called blind quantum computing over a network. Every computation incurs a correction that must be applied to all that follow and needs real-time information to comply with the algorithm. The researchers used a unique combination of quantum memory and photons to achieve this. The results could ultimately lead to commercial development of devices to plug into laptops, to safeguard data when people are using quantum cloud computing services.
"We have shown for the first time that quantum computing in the cloud can be accessed in a scalable, practical way which will also give people complete security and privacy of data, plus the ability to verify its authenticity," said Professor David Lucas, who co-heads the Oxford University Physics research team and is lead scientist at the UK Quantum Computing and Simulation Hub, led from Oxford University Physics.
Security

Why CISA Is Warning CISOs About a Breach At Sisense (krebsonsecurity.com)

An anonymous reader quotes a report from KrebsOnSecurity: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening. New York City-based Sisense has more than 1,000 customers across a range of industry verticals, including financial services, telecommunications, healthcare and higher education. On April 10, Sisense Chief Information Security Officer Sangram Dash told customers the company had been made aware of reports that "certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet.)" In its alert, CISA said it was working with private industry partners to respond to a recent compromise discovered by independent security researchers involving Sisense.

Sisense declined to comment when asked about the veracity of information shared by two trusted sources with close knowledge of the breach investigation. Those sources said the breach appears to have started when the attackers somehow gained access to the company's code repository at Gitlab, and that in that repository was a token or credential that gave the bad guys access to Sisense's Amazon S3 buckets in the cloud. Both sources said the attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.

The incident raises questions about whether Sisense was doing enough to protect sensitive data entrusted to it by customers, such as whether the massive volume of stolen customer data was ever encrypted while at rest in these Amazon cloud servers. It is clear, however, that unknown attackers now have all of the credentials that Sisense customers used in their dashboards. The breach also makes clear that Sisense is somewhat limited in the clean-up actions that it can take on behalf of customers, because access tokens are essentially text files on your computer that allow you to stay logged in for extended periods of time -- sometimes indefinitely. And depending on which service we're talking about, it may be possible for attackers to re-use those access tokens to authenticate as the victim without ever having to present valid credentials. Beyond that, it is largely up to Sisense customers to decide if and when they change passwords to the various third-party services that they've previously entrusted to Sisense.
"If they are hosting customer data on a third-party system like Amazon, it better damn well be encrypted," said Nicholas Weaver, a researcher at University of California, Berkeley's International Computer Science Institute (ICSI) and lecturer at UC Davis. "If they are telling people to reset credentials, that means it was not encrypted. So mistake number one is leaving Amazon credentials in your Git archive. Mistake number two is using S3 without using encryption on top of it. The former is bad but forgivable, but the latter given their business is unforgivable."
The Courts

Amazon Owes $525 Million In Cloud-Storage Patent Fight, US Jury Says (reuters.com)

A federal jury in Illinois on Wednesday said Amazon Web Services owes tech company Kove $525 million for violating three patents relating to its data-storage technology. From the report: The jury determined (PDF) that AWS infringed three Kove patents covering technology that Kove said had become "essential" to the ability of Amazon's cloud-computing arm to "store and retrieve massive amounts of data." An Amazon spokesperson said the company disagrees with the verdict and intends to appeal. Kove's lead attorney Courtland Reichman called the verdict "a testament to the power of innovation and the importance of protecting IP (intellectual property) rights for start-up companies against tech giants." Kove also sued Google last year for infringing the same three patents in a separate Illinois lawsuit that is still ongoing.
Security

Hackable Intel and Lenovo Hardware That Went Undetected For 5 Years Won't Ever Be Fixed (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Hardware sold for years by the likes of Intel and Lenovo contains a remotely exploitable vulnerability that will never be fixed. The cause: a supply chain snafu involving an open source software package and hardware from multiple manufacturers that directly or indirectly incorporated it into their products. Researchers from security firm Binarly have confirmed that the lapse has resulted in Intel, Lenovo, and Supermicro shipping server hardware that contains a vulnerability that can be exploited to reveal security-critical information. The researchers, however, went on to warn that any hardware that incorporates certain generations of baseboard management controllers made by Duluth, Georgia-based AMI or Taiwan-based ATEN is also affected.

BMCs are tiny computers soldered into the motherboard of servers that allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of servers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system -- even when it's turned off. BMCs provide what's known in the industry as "lights-out" system management. AMI and ATEN are two of several makers of BMCs. For years, BMCs from multiple manufacturers have incorporated vulnerable versions of open source software known as lighttpd. Lighttpd is a fast, lightweight web server that's compatible with various hardware and software platforms. It's used in all kinds of wares, including in embedded devices like BMCs, to allow remote administrators to control servers remotely with HTTP requests. [...] "All these years, [the lighttpd vulnerability] was present inside the firmware and nobody cared to update one of the third-party components used to build this firmware image," Binarly researchers wrote Thursday. "This is another perfect example of inconsistencies in the firmware supply chain. A very outdated third-party component present in the latest version of firmware, creating additional risk for end users. Are there more systems that use the vulnerable version of lighttpd across the industry?"

The vulnerability makes it possible for hackers to identify memory addresses responsible for handling key functions. Operating systems take pains to randomize and conceal these locations so they can't be used in software exploits. By chaining an exploit for the lighttpd vulnerability with a separate vulnerability, hackers could defeat this standard protection, which is known as address space layout randomization. The chaining of two or more exploits has become a common feature of hacking attacks these days as software makers continue to add anti-exploitation protections to their code. Tracking the supply chain for multiple BMCs used in multiple server hardware products is difficult. So far, Binarly has identified AMI's MegaRAC BMC as one of the vulnerable BMCs. The security firm has confirmed that the AMI BMC is contained in the Intel Server System M70KLP hardware. Information about BMCs from ATEN or hardware from Lenovo and Supermicro isn't available at the moment. The vulnerability is present in any hardware that uses lighttpd versions 1.4.35, 1.4.45, and 1.4.51.
"A potential attacker can exploit this vulnerability in order to read memory of Lighttpd Web Server process," Binarly researchers wrote in an advisory. "This may lead to sensitive data exfiltration, such as memory addresses, which can be used to bypass security mechanisms such as ASLR." Binarly has published three advisories.
AI

Amazon Adds AI Expert Andrew Ng To Board as GenAI Race Heats Up (reuters.com)

Amazon on Thursday added Andrew Ng, the computer scientist who led AI projects at Alphabet's Google and China's Baidu, to its board amid rising competition among Big Tech companies to add users for their GenAI products. From a report: Amazon's cloud unit is facing pressure from Microsoft's early pact with ChatGPT-maker OpenAI and the integration of its technology into Azure, while its Alexa voice assistant is in a race with genAI chat tools from OpenAI and Google.

The appointment, effective April 9, also follows job cuts across Amazon, which has seen enterprise cloud spending and e-commerce sales moderate due to macroeconomic factors such as inflation and high interest rates. "As we look toward 2024 (and beyond), we're not done lowering our cost to serve," CEO Andy Jassy said in a letter to shareholders on Thursday.

Security

Microsoft Employees Exposed Internal Passwords In Security Lapse (techcrunch.com)

Zack Whittaker and Carly Page report via TechCrunch: Microsoft has resolved a security lapse that exposed internal company files and credentials to the open internet. Security researchers Can Yoleri, Murat Ozfidan and Egemen Kochisarli with SOCRadar, a cybersecurity company that helps organizations find security weaknesses, discovered an open and public storage server hosted on Microsoft's Azure cloud service that was storing internal information relating to Microsoft's Bing search engine. The Azure storage server housed code, scripts and configuration files containing passwords, keys and credentials used by Microsoft employees for accessing other internal databases and systems. But the storage server itself was not protected with a password and could be accessed by anyone on the internet.

Yoleri told TechCrunch that the exposed data could potentially help malicious actors identify or access other places where Microsoft stores its internal files. Identifying those storage locations "could result in more significant data leaks and possibly compromise the services in use," Yoleri said. The researchers notified Microsoft of the security lapse on February 6, and Microsoft secured the spilling files on March 5. It's not known for how long the cloud server was exposed to the internet, or if anyone other than SOCRadar discovered the exposed data inside.

Privacy

Proton Acquires Standard Notes (zdnet.com)

Privacy startup Proton already offers an email app, a VPN tool, cloud storage, a password manager, and a calendar app. In April 2022, Proton acquired SimpleLogin, an open-source product that generates email aliases to protect inboxes from spam and phishing. Today, Proton acquired Standard Notes, advancing its already strong commitment to the open-source community. From a report: Standard Notes is an open-source note-taking app, available on both mobile and desktop platforms, with a user base of over 300,000. [...] Proton founder and CEO Andy Yen makes a point of stating that Standard Notes will remain open-source, will continue to undergo independent audits, will continue to develop new features and updates, and that prices for the app/service will not change. Standard Notes has three tiers: Free, which includes 100MB of storage, offline access, and unlimited device sync; Productivity for $90 per year, which includes features like markdown, spreadsheets with advanced formulas, Daily Notebooks, and two-factor authentication; and Professional for $120 per year, which includes 100GB of cloud storage, sharing for up to five accounts, no file size limit, and more.