
Feed aggregator

Why CISA Is Warning CISOs About a Breach At Sisense

Slashdot - Fri, 12/04/2024 - 3:30am
An anonymous reader quotes a report from KrebsOnSecurity: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening. New York City based Sisense has more than 1,000 customers across a range of industry verticals, including financial services, telecommunications, healthcare and higher education. On April 10, Sisense Chief Information Security Officer Sangram Dash told customers the company had been made aware of reports that "certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet)." In its alert, CISA said it was working with private industry partners to respond to a recent compromise discovered by independent security researchers involving Sisense. Sisense declined to comment when asked about the veracity of information shared by two trusted sources with close knowledge of the breach investigation. Those sources said the breach appears to have started when the attackers somehow gained access to the company's code repository at GitLab, and that in that repository was a token or credential that gave the bad guys access to Sisense's Amazon S3 buckets in the cloud. Both sources said the attackers used the S3 access to copy and exfiltrate several terabytes' worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.
The incident raises questions about whether Sisense was doing enough to protect sensitive data entrusted to it by customers, such as whether the massive volume of stolen customer data was ever encrypted while at rest in these Amazon cloud servers. It is clear, however, that unknown attackers now have all of the credentials that Sisense customers used in their dashboards. The breach also makes clear that Sisense is somewhat limited in the clean-up actions that it can take on behalf of customers, because access tokens are essentially text files on your computer that allow you to stay logged in for extended periods of time -- sometimes indefinitely. And depending on which service we're talking about, it may be possible for attackers to re-use those access tokens to authenticate as the victim without ever having to present valid credentials. Beyond that, it is largely up to Sisense customers to decide if and when they change passwords to the various third-party services that they've previously entrusted to Sisense. "If they are hosting customer data on a third-party system like Amazon, it better damn well be encrypted," said Nicholas Weaver, a researcher at University of California, Berkeley's International Computer Science Institute (ICSI) and lecturer at UC Davis. "If they are telling people to reset credentials, that means it was not encrypted. So mistake number one is leaving Amazon credentials in your Git archive. Mistake number two is using S3 without using encryption on top of it. The former is bad but forgivable, but the latter given their business is unforgivable."

Read more of this story at Slashdot.

VMware's end-user compute products probably have a new brand: Omnissa

El Reg - Fri, 12/04/2024 - 3:15am
As the rest of Virtizilla's users face a pause in support and education services due to apparent SAP-to-Oracle migration

VMware's end user compute products appear likely to be rebranded as Omnissa after being sold off.…

Students Are Likely Writing Millions of Papers With AI

Slashdot - Fri, 12/04/2024 - 2:02am
Amanda Hoover reports via Wired: Students have submitted more than 22 million papers that may have used generative AI in the past year, new data released by plagiarism detection company Turnitin shows. A year ago, Turnitin rolled out an AI writing detection tool that was trained on its trove of papers written by students as well as other AI-generated texts. Since then, more than 200 million papers have been reviewed by the detector, predominantly written by high school and college students. Turnitin found that 11 percent may contain AI-written language in 20 percent of its content, with 3 percent of the total papers reviewed getting flagged for having 80 percent or more AI writing. Turnitin says its detector has a false positive rate of less than 1 percent when analyzing full documents.


Harvard Reinstates Standardized Testing Requirement

Slashdot - Fri, 12/04/2024 - 12:45am
Harvard College is reinstating the requirement for standardized testing, reversing course on a pandemic-era policy that made them optional. It follows similar moves from elite universities like Yale, Dartmouth, and MIT. Axios reports: At Harvard, the mandate will be in place for students applying to begin school in fall 2025. Harvard had previously committed to a test-optional policy for applicants through the class of 2030, which would have started in fall 2026. Most students who applied since the pandemic began have submitted test scores despite the test-optional policy, the university said. Reviewing SAT/ACT scores as part of a student's application packet helps an admissions decision be holistic, the university said in a statement. "Standardized tests are a means for all students, regardless of their background and life experience, to provide information that is predictive of success in college and beyond," Hopi Hoekstra, a Harvard dean, said in the statement. "Indeed, when students have the option of not submitting their test scores, they may choose to withhold information that, when interpreted by the admissions committee in the context of the local norms of their school, could have potentially helped their application."


OpenAI CEO wants UAE into his plan for a global AI cabal

El Reg - Fri, 12/04/2024 - 12:31am
Asking for emir few billion bucks to pay for lots of fabs, datacenters, and nuclear power plants

OpenAI CEO Sam Altman's latest stop on his AI emperor roadshow was in the United Arab Emirates, where he floated the idea of a global consortium of governments and private interests to fund, power, and supply the artificial intelligence industry.…

Amazon Owes $525 Million In Cloud-Storage Patent Fight, US Jury Says

Slashdot - Fri, 12/04/2024 - 12:02am
A federal jury in Illinois on Wednesday said Amazon Web Services owes tech company Kove $525 million for violating three patents relating to its data-storage technology. From the report: The jury determined (PDF) that AWS infringed three Kove patents covering technology that Kove said had become "essential" to the ability of Amazon's cloud-computing arm to "store and retrieve massive amounts of data." An Amazon spokesperson said the company disagrees with the verdict and intends to appeal. Kove's lead attorney Courtland Reichman called the verdict "a testament to the power of innovation and the importance of protecting IP (intellectual property) rights for start-up companies against tech giants." Kove also sued Google last year for infringing the same three patents in a separate Illinois lawsuit that is still ongoing.


Space Force boss warns 'the US will lose' without help from Musk and Bezos

El Reg - Thu, 11/04/2024 - 11:30pm
China, Russia have muscled up, and whoever wins up there wins down here

The commander of the US Space Force (USSF) has warned that America risks losing its dominant position in space, and therefore on Earth too.…

Hackable Intel and Lenovo Hardware That Went Undetected For 5 Years Won't Ever Be Fixed

Slashdot - Thu, 11/04/2024 - 11:20pm
An anonymous reader quotes a report from Ars Technica: Hardware sold for years by the likes of Intel and Lenovo contains a remotely exploitable vulnerability that will never be fixed. The cause: a supply chain snafu involving an open source software package and hardware from multiple manufacturers that directly or indirectly incorporated it into their products. Researchers from security firm Binarly have confirmed that the lapse has resulted in Intel, Lenovo, and Supermicro shipping server hardware that contains a vulnerability that can be exploited to reveal security-critical information. The researchers, however, went on to warn that any hardware that incorporates certain generations of baseboard management controllers made by Duluth, Georgia-based AMI or Taiwan-based ATEN are also affected. BMCs are tiny computers soldered into the motherboard of servers that allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of servers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system -- even when it's turned off. BMCs provide what's known in the industry as "lights-out" system management. AMI and ATEN are two of several makers of BMCs. For years, BMCs from multiple manufacturers have incorporated vulnerable versions of open source software known as lighttpd. Lighttpd is a fast, lightweight web server that's compatible with various hardware and software platforms. It's used in all kinds of wares, including in embedded devices like BMCs, to allow remote administrators to control servers remotely with HTTP requests. [...] "All these years, [the lighttpd vulnerability] was present inside the firmware and nobody cared to update one of the third-party components used to build this firmware image," Binarly researchers wrote Thursday. "This is another perfect example of inconsistencies in the firmware supply chain.
A very outdated third-party component present in the latest version of firmware, creating additional risk for end users. Are there more systems that use the vulnerable version of lighttpd across the industry?" The vulnerability makes it possible for hackers to identify memory addresses responsible for handling key functions. Operating systems take pains to randomize and conceal these locations so they can't be used in software exploits. By chaining an exploit for the lighttpd vulnerability with a separate vulnerability, hackers could defeat this standard protection, which is known as address space layout randomization. The chaining of two or more exploits has become a common feature of hacking attacks these days as software makers continue to add anti-exploitation protections to their code. Tracking the supply chain for multiple BMCs used in multiple server hardware is difficult. So far, Binarly has identified AMI's MegaRAC BMC as one of the vulnerable BMCs. The security firm has confirmed that the AMI BMC is contained in the Intel Server System M70KLP hardware. Information about BMCs from ATEN or hardware from Lenovo and Supermicro isn't available at the moment. The vulnerability is present in any hardware that uses lighttpd versions 1.4.35, 1.4.45, and 1.4.51. "A potential attacker can exploit this vulnerability in order to read memory of Lighttpd Web Server process," Binarly researchers wrote in an advisory. "This may lead to sensitive data exfiltration, such as memory addresses, which can be used to bypass security mechanisms such as ASLR." Advisories are available here, here, and here.


Code.org Launches AI Teaching Assistant For Grades 6-10 In Stanford Partnership

Slashdot - Thu, 11/04/2024 - 10:40pm
theodp writes: From a Wednesday press release: "Code.org, in collaboration with The Piech Lab at Stanford University, launched today its AI Teaching Assistant, ushering in a new era of computer science instruction to support teachers in preparing students with the foundational skills necessary to work, live and thrive in an AI world. [...] Launching as a part of Code.org's leading Computer Science Discoveries (CSD) curriculum [for grades 6-10], the tool is designed to bolster teacher confidence in teaching computer science." EdWeek reports that in a limited pilot project involving twenty teachers nationwide, the AI computer science grading tool cut one middle school teacher's grading time in half. Code.org is now inviting an additional 300 teachers to give the tool a try. "Many teachers who lead computer science courses," EdWeek notes, "don't have a degree in the subject -- or even much training on how to teach it -- and might be the only educator in their school leading a computer science course." Stanford's Piech Lab is headed by assistant professor of CS Chris Piech, who also runs the wildly-successful free Code in Place MOOC (30,000+ learners and counting), which teaches fundamentals from Stanford's flagship introduction to Python course. Prior to coming up with the new AI teaching assistant, which automatically assesses Code.org students' JavaScript game code, Piech worked on a Stanford Research team that partnered with Code.org nearly a decade ago to create algorithms to generate hints for K-12 students trying to solve Code.org's Hour of Code block-based programming puzzles (2015 paper [PDF]). And several years ago, Piech's lab again teamed with Code.org on Play-to-Grade, which sought to "provide scalable automated grading on all types of coding assignments" by analyzing the game play of Code.org students' projects. 
Play-to-Grade, a 2022 paper (PDF) noted, was "supported in part by a Stanford Hoffman-Yee Human Centered AI grant" for AI tutors to help prepare students for the 21st century workforce. That project also aimed to develop a "Super Teaching Assistant" for Piech's Code in Place MOOC. LinkedIn co-founder Reid Hoffman, who was present for the presentation of the 'AI Tutors' work he and his wife funded, is a Code.org Diamond Supporter ($1+ million). In other AI grading news, Texas will use computers to grade written answers on this year's STAAR tests. The state will save more than $15 million by using technology similar to ChatGPT to give initial scores, reducing the number of human graders needed.


Humane AI Pin Review Roundup

Slashdot - Thu, 11/04/2024 - 10:02pm
The embargo has lifted for reviews of Humane's AI Pin and the general consensus appears to be that this device isn't ready to usher us into the all-but-inevitable AI future. Starting at $699 with a pricy $24-a-month subscription, the wearable device is designed to incorporate artificial intelligence into everyday scenarios, with the ability to make calls, translate languages, recommend nearby restaurants, and capture photos and videos. "The best description so far is that it's a combination of a wearable Siri button with a camera and built-in projector that beams onto your palm," writes Cherlynn Low via Engadget. While full of potential, the AI Pin creates more problems than it solves and many of the features you'd intuitively expect from it aren't supported at launch. Here's a roundup of some of the first reviews:

Engadget: The Humane AI Pin is the solution to none of technology's problems
The Verge: Humane AI Pin review: not even close
Wired: Humane Ai Pin Review: Too Clunky, Too Limited
The Washington Post: I've been living with a $699 AI Pin on my chest. You probably shouldn't.
CNET: Humane AI Hands-On: My Life So Far With a Wearable AI Pin


Where there's a will, there's Huawei to develop one's own chipmaking kit

El Reg - Thu, 11/04/2024 - 10:00pm
Export restrictions and sanctions working well, we see

A sprawling industrial complex being built by Huawei near Shanghai will be used to research and develop chipmaking equipment to help the tech giant overcome restrictions imposed on it by the US, local sources are reportedly saying.…

US Lawmaker Proposes a Public Database of All AI Training Material

Slashdot - Thu, 11/04/2024 - 9:25pm
An anonymous reader quotes a report from Ars Technica: Amid a flurry of lawsuits over AI models' training data, US Representative Adam Schiff (D-Calif.) has introduced (PDF) a bill that would require AI companies to disclose exactly which copyrighted works are included in datasets training AI systems. The Generative AI Disclosure Act "would require a notice to be submitted to the Register of Copyrights prior to the release of a new generative AI system with regard to all copyrighted works used in building or altering the training dataset for that system," Schiff said in a press release. The bill is retroactive and would apply to all AI systems available today, as well as to all AI systems to come. It would take effect 180 days after it's enacted, requiring anyone who creates or alters a training set not only to list works referenced by the dataset, but also to provide a URL to the dataset within 30 days before the AI system is released to the public. That URL would presumably give creators a way to double-check if their materials have been used and seek any credit or compensation available before the AI tools are in use. All notices would be kept in a publicly available online database. Currently, creators who don't have access to training datasets rely on AI models' outputs to figure out if their copyrighted works may have been included in training various AI systems. The New York Times, for example, prompted ChatGPT to spit out excerpts of its articles, relying on a tactic to identify training data by asking ChatGPT to produce lines from specific articles, which OpenAI has curiously described as "hacking." Under Schiff's law, The New York Times would need to consult the database to ID all articles used to train ChatGPT or any other AI system. Any AI maker who violates the act would risk a "civil penalty in an amount not less than $5,000," the proposed bill said. 
Schiff described the act as championing "innovation while safeguarding the rights and contributions of creators, ensuring they are aware when their work contributes to AI training datasets." "This is about respecting creativity in the age of AI and marrying technological progress with fairness," Schiff said.


GenAI will be bigger than the cloud or the internet, Amazon CEO hopes

El Reg - Thu, 11/04/2024 - 9:00pm
And Andy Jassy will happily take your money along the way

It's safe to say Amazon CEO Andy Jassy is pretty jazzed about generative AI's potential to drive profits.…

Intel's Newest Software Effort For Achieving Greater Performance: Thin Layout Optimizer

Phoronix - Thu, 11/04/2024 - 9:00pm
Intel's software team is today sharing their newest innovation for achieving greater performance on Linux systems: the Thin Layout Optimizer. Intel's Thin Layout Optimizer is inspired by the likes of the Meta/LLVM BOLT optimizer and Google's Propeller but aims to be much easier to use while still delivering measurable performance gains for optimized binaries...

America's Chip Renaissance Needs Workers

Slashdot - Thu, 11/04/2024 - 8:43pm
An anonymous reader shares a report: Last week South Korea's SK Hynix announced it would partner with Purdue University on a $3.9 billion semiconductor complex here, the largest single corporate investment in state history. Now comes the hard part. SK Hynix must not only build the fabrication plant, or fab, which will package high-bandwidth memory chips used in artificial intelligence, and a connected research-and-development center. It also has to staff them. "We need several hundred engineers to operate our advanced-packaging manufacturing fab -- in physics, chemistry, material science, electronics engineering," Kwak Noh-Jung, chief executive of SK Hynix, said in an interview following last week's announcement. Staffing a fab is harder in the U.S. than in South Korea, where SK Hynix has contracts with local universities and its own in-house university. Nonetheless, Kwak said, "the final goal is very clear. We need to have very good engineers for our success in U.S." The U.S. is trying to do something unprecedented: reverse a shrinking share in a key manufacturing sector. Between 1990 and 2020, the U.S. share of world chip making shrank to 12% from 37%, while the combined share of Taiwan, South Korea and China grew to 58%. The federal CHIPS program has showered billions of dollars on Intel for fabs in several states, Taiwan Semiconductor Manufacturing Co. in Arizona and GlobalFoundries in New York and Vermont. SK Hynix hopes for support as well. Subsidies alone won't guarantee a sustainable industry. Fabs need customers, a supply chain and, above all, a skilled, specialized workforce. From 2000 to 2017, U.S. employment in semiconductor manufacturing shrank to 181,000 from 287,000. It has since recovered to about 200,000. Why did the U.S. share of semiconductor production shrink? As in other industries, the U.S. became an expensive place to manufacture.
Susan Houseman of the Upjohn Institute, who has studied outsourcing, said this wasn't "primarily a story about offshoring." U.S. companies still lead in chip design: Nvidia in artificial intelligence, Qualcomm in communications and Apple in smartphones. Over time they mostly contracted out fabrication of their chips to foundries such as TSMC who benefited from generous domestic subsidies. The theory behind CHIPS is that, by matching Asia's subsidies, the U.S. can again be competitive in chip making. Nonetheless, there is a chicken-egg problem. Fabs need a ready supply of skilled workers. But without fabs, America's best and brightest have little incentive to pursue careers in the sector.


Android 15's First Beta Release is Out

Slashdot - Thu, 11/04/2024 - 8:04pm
Android 15's first public beta is available to download now, provided you have a Pixel phone. From a report: It's the first consumer-facing release after two developer previews, and while we have a good idea of what to expect from Google's next mobile OS version, we'll certainly hear more at the company's annual developer conference soon enough. The blog post highlighting updates in today's release covers some pretty pedestrian stuff. Apps will scale edge to edge by default and will draw behind translucent system bars on the top and bottom of the screen, rather than around them. There's OS-level support for app archiving and unarchiving so third-party app stores can take advantage of this feature. Android 15 will also provide better support for Braille displays.


Apple to allow some iPhones to be repaired with used parts

El Reg - Thu, 11/04/2024 - 8:00pm
'A strategy of half-promises and unnecessarily complicated hedges'

The right to repair movement just scored a major win with Apple's announcement that it plans to begin supporting iPhone repairs with used parts this fall.…

Intel fuels Huawei's AI PC ambitions with Meteor Lake CPUs in MateBook X Pro

El Reg - Thu, 11/04/2024 - 7:16pm
But for how much longer?

Intel's Meteor Lake-based Core Ultra CPUs will power Huawei's newest MateBook X Pro, the company's first AI PC.…

Next Vision, or Vision Next? What we really thought about Google and Intel's AI events

El Reg - Thu, 11/04/2024 - 6:44pm
We sat through these conferences so you didn't have to

Kettle: This week kicked off with two conferences, Intel Vision and Google Cloud Next, that as you can imagine had artificial intelligence at the heart of them.…

Microsoft Begins Showing Full Screen Windows 11 Ad on Windows 10 PCs as End of Support Date Looms

Slashdot - Thu, 11/04/2024 - 6:16pm
Microsoft has started showing full screen warnings about the upcoming end of support date on Windows 10 PCs. From a report: Users on Reddit have reported seeing the prompt, which began appearing after this week's Patch Tuesday updates were installed, and encourages the user to learn more about how they can transition to Windows 11. Windows 10's end of support date is currently set for October 14, 2025. After that date, Windows 10 users will no longer receive critical security and bug fix updates, leaving any Windows 10 PC connected to the internet vulnerable to any newly discovered security exploits. The full screen prompt that is now appearing on some Windows 10 PCs thanks the user for their loyalty using Windows 10, and warns that this end of life (EOL) date is approaching. It also wastes no time advertising Windows 11, encouraging the user to learn more about how they can transition to a new Windows 11 PC. Notably, there's no button to tell the prompt to never show again.

