AI

Europe Proposes Strict Rules For Artificial Intelligence (nytimes.com) 27

An anonymous reader quotes a report from The New York Times: The European Union unveiled strict regulations on Wednesday to govern the use of artificial intelligence, a first-of-its-kind policy that outlines how companies and governments can use a technology seen as one of the most significant, but ethically fraught, scientific breakthroughs in recent memory. The draft rules would set limits around the use of artificial intelligence in a range of activities, from self-driving cars to hiring decisions, bank lending, school enrollment selections and the scoring of exams. It would also cover the use of artificial intelligence by law enforcement and court systems -- areas considered "high risk" because they could threaten people's safety or fundamental rights.

Some uses would be banned altogether, including live facial recognition in public spaces, though there would be several exemptions for national security and other purposes. The 108-page policy is an attempt to regulate an emerging technology before it becomes mainstream. The rules have far-reaching implications for major technology companies that have poured resources into developing artificial intelligence, including Amazon, Google, Facebook and Microsoft, but also scores of other companies that use the software to develop medicine, underwrite insurance policies and judge credit worthiness. Governments have used versions of the technology in criminal justice and the allocation of public services like income support. Companies that violate the new regulations, which could take several years to move through the European Union policymaking process, could face fines of up to 6 percent of global sales.

The European Union regulations would require companies providing artificial intelligence in high-risk areas to provide regulators with proof of its safety, including risk assessments and documentation explaining how the technology is making decisions. The companies must also guarantee human oversight in how the systems are created and used. Some applications, like chatbots that provide humanlike conversation in customer service situations, and software that creates hard-to-detect manipulated images like "deepfakes," would have to make clear to users that what they were seeing was computer generated. [...] Release of the draft law by the European Commission, the bloc's executive body, drew a mixed reaction. Many industry groups expressed relief that the regulations were not more stringent, while civil society groups said they should have gone further.

Security

Signal CEO Hacks Cellebrite iPhone Hacking Device Used By Cops (vice.com) 69

FlatEric521 shares a report: Moxie Marlinspike, the founder of the popular encrypted chat app Signal claims to have hacked devices made by the infamous phone unlocking company Cellebrite, which has famously worked with cops to circumvent encryption such as Signal's. In a blog post Wednesday, Marlinspike not only published details about the new exploits for Cellebrite devices but seemed to suggest that Signal's code could be theoretically altered to hack Cellebrite devices en masse. "We were surprised to find that very little care seems to have been given to Cellebrite's own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present," Marlinspike wrote in the post. "Any app could contain such a file, and until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices."

Marlinspike claims (whether you believe this portion of the post or not is up to you) that while he was on a walk he happened to find a Cellebrite phone unlocking device: "By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters." Along with his colleagues, Marlinspike analyzed the device and found that it included several vulnerabilities that could allow an attacker to include an "otherwise innocuous file in an app" that when it gets scanned by a Cellebrite device exploits it and tampers with the device and the data it can access.

Linux

Linux Bans University of Minnesota for Sending Buggy Patches in the Name of Research (neowin.net) 211

Greg Kroah-Hartman, who is one of the head honchos of the Linux kernel development and maintenance team, has banned the University of Minnesota (UMN) from further contributing to the Linux Kernel. The University had apparently introduced questionable patches into the kernel of Linux. From a report: The UMN had worked on a research paper dubbed "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits". Obviously, the "Open-Source Software" (OSS) here is indicating the Linux kernel, and the University had stealthily introduced a Use-After-Free (UAF) vulnerability to test the susceptibility of Linux. So far so good perhaps, as one can see it as ethical experimenting. However, the UMN apparently sent another round of "obviously-incorrect patches" into the kernel in the form of "a new static analyzer", causing distaste to Greg Kroah-Hartman, who has now decided to ban the University from making any further contributions.

Security

Hackers Are Exploiting a Pulse Secure 0-Day To Breach Orgs Around the World (arstechnica.com) 31

An anonymous reader quotes a report from Ars Technica: Hackers backed by nation-states are exploiting critical vulnerabilities in the Pulse Secure VPN to bypass two-factor authentication protections and gain stealthy access to networks belonging to a raft of organizations in the US Defense industry and elsewhere, researchers said. At least one of the security flaws is a zero-day, meaning it was unknown to Pulse Secure developers and most of the research world when hackers began actively exploiting it, security firm Mandiant said in a blog post published Tuesday. Besides CVE-2021-22893, as the zero-day is tracked, multiple hacking groups -- at least one of which likely works on behalf of the Chinese government -- are also exploiting several Pulse Secure vulnerabilities fixed in 2019 and 2020.

Used alone or in concert, the security flaws allow the hackers to bypass both single-factor and multifactor authentication protecting the VPN devices. From there, the hackers can install malware that persists across software upgrades and maintain access through webshells, which are browser-based interfaces that allow hackers to remotely control infected devices. Multiple intrusions over the past six months have hit defense, government, and financial organizations around the world, Tuesday's post reported. Separately, the US Cybersecurity and Infrastructure Security Agency said that targets also include US government agencies, critical infrastructure entities, and other private sector organizations.

Mandiant said that it has uncovered "limited evidence" that tied one of the hacker groups to the Chinese government. Dubbed UNC2630, this previously unknown team is one of at least two hacking groups known to be actively exploiting the vulnerabilities. Tuesday's blog post also referred to another previously unseen group that Mandiant is calling UNC2717. In March, the group used malware Mandiant identifies as RADIALPULSE, PULSEJUMP, and HARDPULSE against Pulse Secure systems at a European organization.

Pulse Secure on Tuesday published an advisory instructing users how to mitigate the currently unpatched security bug.

Security

Ransomware Gang Tried To Extort Apple Hours Ahead of Tuesday Event (therecord.media) 18

An anonymous reader writes: The operators of the REvil ransomware are demanding that Apple pay a ransom demand to avoid having confidential information leaked on the dark web. The REvil crew claims it came into possession of Apple product data after breaching Quanta Computer, a Taiwanese company that is the biggest laptop manufacturer in the world and which is also one of the companies that assemble official Apple products based on pre-supplied product designs and schematics.

The REvil gang posted 21 screenshots depicting Macbook schematics and threatened to publish new data every day until May 1, or until Apple or Quanta pay the ransom demand. The extortion attempt was also perfectly timed for maximum visibility to coincide with the Spring Loaded event, where Apple announced new products and software updates.

Apple

Apple Announces $29 AirTag, a New Tile-like Item Tracker (theverge.com) 44

Apple has launched a Tile-like item tracker that will work with the company's software and services. From a report: Dubbed AirTag, the small circular tag will allow you to track items within Apple's "Find My" app on iOS. Much like Tile, Apple's AirTags will be useful for tracking items like keys or wallets, and you'll be provided with notifications when you're separated from your item. The AirTag itself is a small puck-like device that includes a built-in speaker, accelerometer, Bluetooth LE, and a user-replaceable battery. Apple says the tracker should last for a year of battery life, and you can use an NFC tap to activate a lost mode. AirTag will be available for $29 on April 30th, or $99 for a four-pack of the devices. Apple is also working with accessory makers to create luggage tag and keyring enclosures for the AirTag itself.

Microsoft

Microsoft's Visual Studio 2022 Announced (microsoft.com) 120

Dave Knott writes: Microsoft has announced Visual Studio 2022, the next major revision of their flagship development IDE. A public beta will be arriving this summer. The most significant change, which has long been rumored, is that the entire application suite will now be 64-bit. Other major changes include:

* Performance improvements in the core debugger
* Support for .NET 6, which can be used to build web, client and mobile apps by both Windows and Mac developers, as well as improved support for developing Azure apps
* An updated UI meant to reduce complexity and which will add integration with Accessibility Insights. Microsoft plans to update the icons and add support for Cascadia Code, a new fixed-width font for better readability
* Support for C++20 tooling, language standardization and IntelliSense
* Integration of text chat into the Live Share collaboration feature
* Additional support for Git and GitHub
* Improved code search

Robotics

DNA Robots Designed In Minutes Instead of Days (phys.org) 16

Researchers have developed a tool that can design complex DNA robots and nanodevices in minutes instead of days. Phys.Org reports: In a paper published today in the journal Nature Materials, researchers from The Ohio State University -- led by former engineering doctoral student Chao-Min Huang -- unveiled new software they call MagicDNA. The software helps researchers design ways to take tiny strands of DNA and combine them into complex structures with parts like rotors and hinges that can move and complete a variety of tasks, including drug delivery. One advantage is that it allows researchers to carry out the entire design truly in 3-D. Earlier design tools only allowed creation in 2-D, forcing researchers to map their creations into 3-D. That meant designers couldn't make their devices too complex.

The software also allows designers to build DNA structures "bottom up" or "top down." In "bottom up" design, researchers take individual strands of DNA and decide how to organize them into the structure they want, which allows fine control over local device structure and properties. But they can also take a "top down" approach where they decide how their overall device needs to be shaped geometrically and then automate how the DNA strands are put together. Combining the two allows for increasing complexity of the overall geometry while maintaining precise control over individual component properties. Another key element of the software is that it allows simulations of how designed DNA devices would move and operate in the real world.

Open Source

Flying On Mars Fueled With Open-Source Software (zdnet.com) 42

An anonymous reader quotes a report from ZDNet: A small miracle happened at 3:31am ET on Monday morning. Ingenuity, a tiny NASA helicopter, became the first powered aircraft to fly on another planet, Mars. This engineering feat was done with Linux, open-source software, and a NASA-built program based on the Jet Propulsion Laboratory's (JPL) open-source F´ (pronounced F prime) framework. GitHub CEO Nat Friedman and his team and the JPL Ingenuity crew took a long hard look into the helicopter's code and found that "nearly 12,000 developers on GitHub contributed to Ingenuity's software via open source. And yet, much like the first image of a black hole, most of these developers are not even aware that they helped make the first Martian helicopter flight possible."

They'll know now. Friedman wrote: "Today, we want to make the invisible visible. So, we have worked with JPL to place a new Mars 2020 Helicopter Mission badge on the GitHub profile of every developer who contributed to the specific versions of any open-source projects and libraries used by Ingenuity." The developer list was created by JPL providing GitHub with a comprehensive list of every version of every open source project used by Ingenuity. GitHub could then identify all the contributors who made these projects and their dependencies. Some of those honored, such as Linux's creator Linus Torvalds, are famous developers. Many others labor in obscurity -- but now their work is being recognized.

Timothy Canham, a JPL embedded flight software engineer, notes Ingenuity's program is powered by a Qualcomm Snapdragon 801 running at 2.2GHz, which is "far faster than the Mars Perseverance's rover processors," according to ZDNet. The reason this older chip was used is because it meets NASA's High-Performance Spaceflight Computing (HPSC) radiation standards.

Canham also says the flight control software on Ingenuity runs at 500Hz. The flight software "is used to control the flight hardware and read sensors 500 times per second in order to keep the helicopter stable." Canham added: "We literally ordered parts from SparkFun [Electronics]. This is commercial hardware, but we'll test it, and if it works well, we'll use it."

AI

Google Translation AI Botches Legal Terms 'Enjoin,' 'Garnish' (reuters.com) 83

Translation tools from Google and other companies could be contributing to significant misunderstanding of legal terms with conflicting meanings such as "enjoin," according to research due to be presented at an academic workshop on Monday. From a report: Google's translation software turns an English sentence about a court enjoining violence, or banning it, into one in the Indian language of Kannada that implies the court ordered violence, according to the new study. "Enjoin" can refer to either promoting or restraining an action. Mistranslations also arise with other contronyms, or words with contradictory meanings depending on context, including "all over," "eventual" and "garnish," the paper said.

Google said machine translation "is still just a complement to specialized professional translation" and that it is "continually researching improvements, from better handling ambiguous language, to mitigating bias, to making large quality gains for under-resourced languages." The study's findings add to scrutiny of automated translations generated by artificial intelligence software. Researchers previously have found programs that learn translations by studying non-diverse text perpetuate historical gender biases, such as associating "doctor" with "he." The new paper raises concerns about a popular method companies use to broaden the vocabulary of their translation software. They translate foreign text into English and then back into the foreign language, aiming to teach the software to associate similar ways of saying the same phrase.

AI

US Banks Deploy AI To Monitor Customers, Workers Amid Tech Backlash (reuters.com) 35

Several U.S. banks have started deploying camera software that can analyze customer preferences, monitor workers and spot people sleeping near ATMs, even as they remain wary about possible backlash over increased surveillance, Reuters reported Monday, citing more than a dozen banking and technology sources. From the report: Previously unreported trials at City National Bank of Florida and JPMorgan Chase & Co as well as earlier rollouts at banks such as Wells Fargo & Co offer a rare view into the potential U.S. financial institutions see in facial recognition and related artificial intelligence systems. Widespread deployment of such visual AI tools in the heavily regulated banking sector would be a significant step toward their becoming mainstream in corporate America. Bobby Dominguez, chief information security officer at City National, said smartphones that unlock via a face scan have paved the way. "We're already leveraging facial recognition on mobile," he said. "Why not leverage it in the real world?"

City National will begin facial recognition trials early next year to identify customers at teller machines and employees at branches, aiming to replace clunky and less secure authentication measures at its 31 sites, Dominguez said. Eventually, the software could spot people on government watch lists, he said. JPMorgan said it is "conducting a small test of video analytic technology with a handful of branches in Ohio." Wells Fargo said it works to prevent fraud but declined to discuss how.

AI

Nvidia's CEO Predicts a Metaverse Will Transform Our World (time.com) 119

"Jensen Huang, the CEO of Nvidia, the nation's most valuable semiconductor company, with a stock price of $645 a share and a market cap of $400 billion, is out to create the metaverse," writes Time magazine.

Huang defines it as "a virtual world that is a digital twin of ours." Huang credits author Neal Stephenson's Snow Crash, filled with collectives of shared 3-D spaces and virtually enhanced physical spaces that are extensions of the Internet, for conjuring the metaverse. This is already playing out with the massively popular online games like Fortnite and Minecraft, where users create richly imagined virtual worlds. Now the concept is being put to work by Nvidia and others.

Partnering with Nvidia, BMW is using a virtual digital twin of a factory in Regensburg, Germany, to virtually plan new workflows before deploying the changes in real time in their physical factory. The metaverse, says Huang, "is where we will create the future" and transform how the world's biggest industries operate...

Not to make any value judgments about the importance of video games, but do you find it ironic that a company that has its roots in entertainment is now providing vitally important computing power for drug discovery, basic research and reinventing manufacturing?

No, not at all. It's actually the opposite. We always started as a computing company. It just turned out that our first killer app was video games...

How important is the advent and the adaptation of digital twins for manufacturing, business and society at large?

In the future, the digital world or the virtual world will be thousands of times bigger than the physical world. There will be a new New York City. There'll be a new Shanghai. Every single factory and every single building will have a digital twin that will simulate and track the physical version of it. Always. By doing so, engineers and software programmers could simulate new software that will ultimately run in the physical version of the car, the physical version of the robot, the physical version of the airport, the physical version of the building. All of the software that's going to be running in these physical things will be simulated in the digital twin first, and then it will be downloaded into the physical version. And as a result, the product keeps getting better at an exponential rate.

The second thing is, you're going to be able to go in and out of the two worlds through wormholes. We'll go into the virtual world using virtual reality, and the objects in the virtual world, in the digital world, will come into the physical world, using augmented reality. So what's going to happen is pieces of the digital world will be temporarily, or even semipermanently, augmenting our physical world. It's ultimately about the fusion of the virtual world and the physical world.

See also this possibly related story, "Nvidia's newest AI model can transform single images into realistic 3D models."

News

Founder of Adobe Dies at Age 81 (gizmodo.com) 98

Long-time Slashdot reader sandbagger brings the news that Charles 'Chuck' Geschke, the co-founder of Adobe, had died at the age of 81.

The company started in co-founder John Warnock's garage in 1982, and was named after the Adobe Creek which ran behind Warnock's home, offering pioneering capabilities in "What you see is what you get" (or WYSIWYG) desktop publishing.

Gizmodo reports: "This is a huge loss for the entire Adobe community and the technology industry, for whom he has been a guide and hero for decades," Adobe CEO Shantanu Narayen wrote in an email to staff.

"As co-founders of Adobe, Chuck and John Warnock developed groundbreaking software that has revolutionized how people create and communicate, " he continued. "Chuck instilled a relentless drive for innovation in the company, resulting in some of the most transformative software inventions, including the ubiquitous PDF, Acrobat, Illustrator, Premiere Pro and Photoshop."

After earning a doctorate from Carnegie Mellon University, Geschke met Warnock while working at the Xerox Palo Alto Research Center, according to the Mercury News. The two left the company in 1982 and founded Adobe to develop software. Their first product was Adobe PostScript, which Narayen lauded as "an innovative technology that provided a radical new way to print text and images on paper and sparked the desktop publishing revolution."

Debian

Debian Votes to Issue No Statement on Stallman's Return to the FSF Board (debian.org) 209

An anonymous reader writes: Debian Project Secretary Kurt Roeckx has announced the results of a closely-watched vote on what statement would be made about Richard Stallman's readmission to the Free Software Foundation's board.
Seven options were considered, with the Debian project's 420 voting developers also asked to rank their preferred outcomes:
  • Option 1: "Call for the FSF board removal, as in rms-open-letter.github.io"
  • Option 2: "Call for Stallman's resignation from all FSF bodies"
  • Option 3: "Discourage collaboration with the FSF while Stallman is in a leading position"
  • Option 4: "Call on the FSF to further its governance processes"
  • Option 5: "Support Stallman's reinstatement, as in rms-support-letter.github.io"
  • Option 6: "Denounce the witch-hunt against RMS and the FSF"
  • Option 7: "Debian will not issue a public statement on this issue"

While all seven options achieved a quorum of votes, two failed to achieve a majority — options 5 and 6. ("Support Stallman's reinstatement" and "Denounce the witch-hunt...") The option receiving the most votes was #7 (not issuing a public statement) — but it wasn't that simple. The vote's final outcome was determined by comparing every possible pair of options to determine which option would still be preferred by a majority of voters in each possible comparison.

In this case, that winner was still the option which had also received the most votes:

Debian will not issue a public statement on this issue.
The Debian Project will not issue a public statement on whether Richard Stallman should be removed from leadership positions or not.

Any individual (including Debian members) wishing to (co-)sign any of the open letters on this subject is invited to do this in a personal capacity.

The results are captured in an elaborate graph. Numbers inside the ovals show the final ratio of yes to no votes (so a number higher than 1.00 indicates a majority, with much higher numbers indicating much larger majorities). Numbers outside the ovals (along the lines) indicate the number of voters who'd preferred the winning choice over the losing choice (toward which the arrow is pointing).

The winning option is highlighted in blue.
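The pairwise comparison the summary describes, as an added worked example. This is not Debian's own devotee tally code, and the ballots are constructed and do not reproduce the real vote. It models the procedure in Debian's constitution as I understand it: every option is first measured against a default option ("Further Discussion", written FD here; an assumption, since the summary does not list it) for quorum and for the yes-to-no majority ratio shown inside the graph's ovals, and the survivors are then compared head to head, the numbers along the graph's arrows. The option that beats every other survivor outright is the winner. When no option does (a cycle), Debian breaks the tie with the Schulze beatpath method, which this example does not implement.

```python
"""Pairwise (Condorcet) tally of ranked ballots.

Added example, not Debian's tally script. Ballots are constructed and the
default option "FD" (Further Discussion) is an assumption about the procedure.
"""
from itertools import permutations

DEFAULT = "FD"
OPTIONS = [1, 2, 3, 4, 5, 6, 7, DEFAULT]

# Constructed ballots, best-ranked option first. Options a voter leaves out
# are treated as ranked below everything listed and tied with each other.
BALLOTS = [
    [7, 4, 2, 1, 3, DEFAULT, 5, 6],
    [7, 4, 3, DEFAULT, 5, 6],
    [2, 1, 3, 7, 4, DEFAULT],
    [1, 2, 3, 4, 7, DEFAULT],
    [4, 7, 2, 3, DEFAULT],
    [5, 6, DEFAULT, 7],
    [7, 5, 6, DEFAULT],
    [7, 2, 4, 1, DEFAULT, 3],
    [4, 2, 7, 1, DEFAULT],
]


def _rank(ballot, option):
    """Position of option on the ballot; unranked options share the bottom."""
    return ballot.index(option) if option in ballot else len(OPTIONS)


def pairwise_matrix(ballots, options=OPTIONS):
    """d[a][b] = number of voters who rank a strictly above b."""
    d = {a: {b: 0 for b in options if b != a} for a in options}
    for ballot in ballots:
        for a, b in permutations(options, 2):
            if _rank(ballot, a) < _rank(ballot, b):
                d[a][b] += 1
    return d


def majority_ratio(d, option, default=DEFAULT):
    """'Yes to no' ratio: voters ranking option above the default vs below it.
    A value above 1.00 is a simple majority."""
    yes, no = d[option][default], d[default][option]
    return yes / no if no else float("inf")


def meets_quorum(d, option, quorum, default=DEFAULT):
    """At least `quorum` voters rank the option above the default."""
    return d[option][default] >= quorum


def surviving_options(d, quorum, default=DEFAULT, options=OPTIONS):
    """Options that pass quorum and beat the default by a simple majority."""
    return [o for o in options if o != default
            and meets_quorum(d, o, quorum, default)
            and majority_ratio(d, o, default) > 1.0]


def condorcet_winner(d, candidates):
    """The candidate preferred by a majority in every head-to-head comparison,
    or None when the pairwise results form a cycle (Debian would then apply
    the Schulze method, not implemented here)."""
    for a in candidates:
        if all(d[a][b] > d[b][a] for b in candidates if b != a):
            return a
    return None


def tally(ballots=BALLOTS, quorum=3):
    """Full procedure: pairwise matrix, majority/quorum filter, then the
    head-to-head winner among survivors plus the default option."""
    d = pairwise_matrix(ballots)
    survivors = surviving_options(d, quorum)
    winner = condorcet_winner(d, survivors + [DEFAULT])
    return d, survivors, winner


if __name__ == "__main__":
    d, survivors, winner = tally()
    for o in OPTIONS:
        if o != DEFAULT:
            print(f"option {o}: {d[o][DEFAULT]}:{d[DEFAULT][o]} against {DEFAULT}, "
                  f"ratio {majority_ratio(d, o):.2f}")
    print("survivors:", survivors, "winner:", winner)
```

With these constructed ballots options 5 and 6 fail the majority test (2 voters rank each above FD, 7 below), the other five survive, and option 7 wins every pairing, including 6 to 3 against option 4 and 8 to 1 against the default; the quorum of 3 is an arbitrary figure for the demo, not Debian's formula.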


United States

A Wave of Tech Workers Transformed Tahoe Into a High-Priced 'Zoom-Town' (outsideonline.com) 161

In 2018 Oracle's Larry Ellison bought the historic Cal Neva Lodge on the scenic north shore of California's Lake Tahoe for $36 million. Then in 2019 Mark Zuckerberg bought a $59 million compound on Lake Tahoe's west shore.

But now a wave of techies are moving in, reports Outside magazine, "freed by COVID from cubicles and work commutes. They migrated, laptops in tow, to mountain towns all over the West, transforming them into modern-day boomtowns: 'Zoom-towns.'" "It's the wildest time," says realtor Katey Brandenburg, who works on Tahoe's Nevada side. For her and other realtors around the lake, the autumn of 2020 felt like winning the lottery. "I paid off a lifetime of debt — 28 years of loans, college, credit cards, and cars — in three months."

All told, 2020 saw more than 2,350 homes sold across the Tahoe Basin, for a boggling $3.28 billion, up from $1.76 billion in 2019, according to data analyzed by Sierra Sotheby's. That $3 billion stat is on a par with 2020 home-sales revenues in Aspen, Colorado (albeit there, the latest average home-sale price came in at $11 million). The trend is in line with real estate records being shattered from Sun Valley, Idaho, to Stowe, Vermont. And according to a just-released market update, it hasn't stopped: in the first quarter of 2021, median prices for single-family homes increased by an astronomical 70 percent year over year in Truckee, 72 percent in South Lake, and 81 percent in Incline Village...

"A disproportionate number of people who purchased homes in Tahoe in 2020 are employees of some of the largest tech companies in the Bay Area," says Deniz Kahramaner, founder of Atlasa, a real estate brokerage firm that specializes in data analytics. Of the 2,280 new-home buyers Atlasa identified throughout the Tahoe region in 2020, roughly 30 percent worked at software companies. The top three employers were Google (54 buyers), Apple (46), and Facebook (34)...

There is, however, one glaring issue with all this rapid, high-priced growth: the people who actually make a mountain town run — the ski instructors and patrollers, lift operators and shuttle drivers, housekeepers and snowcat mechanics, cooks and servers — can no longer afford to live there.

The article does note higher property taxes going toward public services (along with "more money eventually pumping into bars and restaurants.") And it also acknowledges affordable housing has for decades been an issue in tourist towns.

"It's just suddenly on steroids..."

United States

US Advocacy Group Launches Online Petition Demanding Protections for 'Right to Repair' (repair.org) 25

A U.S. advocacy group called The Repair Association is urging Americans to demand protections for their right to repair from the country's consumer protection agency.

"Tell the FTC: People just want to fix their stuff!" argues a page urging concerned U.S. citizens to sign an online petition (shared by long-time Slashdot reader Z00L00K).

The petition asks the FTC to...
  • Enforce the law against companies who use illegal tying arrangements to force consumers to purchase connected repair services.
  • Enforce the law against companies who violate the Magnuson Moss Warranty Act by voiding warranties when a consumer fixes something themselves or uses third-party parts or repair services.
  • Enforce the law against companies who refuse to sell replacement parts, diagnostic and repair tools, or service information to independent repair providers.
  • Publish new guidance on unfair, deceptive, and abusive terms in end user license agreements (EULAs) that: restrict independent or self repair; restrict access to parts and software; prohibit the transfer of user licenses; and that purport to void warranties for independent or self repair.
  • Issue new rules prohibiting exclusivity arrangements with suppliers, customers, and repair providers that exclude independent repair providers and suppress competition in the market for repair services.
  • Issue new rules prohibiting companies from deceiving customers by selling products which cannot be repaired without destroying the device or cannot be repaired outside of the company's own service network, without disclosing that fact at the point of sale.

United States

The FBI Accessed and Repaired 'Hundreds' of Hacked Microsoft Exchange Servers (csoonline.com) 86

America's top law enforcement agency "obtained a court order that allowed it to remove a backdoor program from hundreds of private Microsoft Exchange servers that were hacked through zero-day vulnerabilities earlier this year," reports CSO. (Thanks to detritus. (Slashdot reader #46,421) for sharing the news...) Earlier this week, the Department of Justice announced that the FBI was granted a search and seizure warrant by a Texas court that allows the agency to copy and remove web shells from hundreds of on-premise Microsoft Exchange servers owned by private organizations. A web shell is a type of program that hackers install on hacked web servers to grant them backdoor access and remote command execution capabilities on those servers through a web-based interface.

In this case, the warrant targeted web shells installed by a cyberespionage group dubbed Hafnium that is believed to have ties to the Chinese government. In early March, Microsoft reported that Hafnium has been exploiting previously unpatched vulnerabilities in Microsoft Exchange to compromise servers. At the same time, the company released patches for those vulnerabilities, as well as indicators of compromise and other detection tools, but this didn't prevent other groups of attackers from exploiting the vulnerabilities after they became public. In its warrant application, dated April 13, the FBI argues that despite the public awareness campaigns by Microsoft, CISA and the FBI itself, many servers remained infected with the web shell deployed by Hafnium. While the exact number has been redacted from the unsealed warrant, the DOJ said in a press release that it was "hundreds."

The FBI asked for, and received court approval, to access the malicious web shells through the passwords set by the original attackers and then use that access against the malware itself by executing a command that will delete the web shell, which is essentially an .aspx script deployed on the server. The FBI was also allowed to make a copy of the web shells first because they could constitute evidence.

The warrant states that it "does not authorize the seizure of any tangible property" or the copying or alteration of any content from the servers aside from the web shells themselves, which are identified in the warrant by their unique file paths. This means the FBI was not granted permission to patch the vulnerabilities to protect the servers from future exploitation or to remove any additional malware or tools that hackers might have already deployed...

The FBI sent an email message from an official email account, including a copy of the warrant, to the email addresses associated with the domain names of the infected servers.

An official statement from the Department of Justice is already using the past tense, announcing that U.S. authorities "have executed a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States. They were running on-premises versions of Microsoft Exchange Server software used to provide enterprise-level email service."

IBM
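Both the Pulse Secure story and this one turn on web shells: scripts dropped into a server's web root that give an attacker a browser-reachable backdoor, identified in the Exchange warrant by their file paths and copied before they were deleted. As an added example (not tooling from the FBI, Microsoft, Mandiant or Pulse Secure), here is the triage step a responder runs before any removal: inventory the .aspx files under a web root, diff them against a baseline of known-good hashes, flag files that are new or modified, and preserve a hashed copy of each flagged file before touching it, the copy-first order the warrant describes. The directory layout, the baseline contents, the planted path owa/auth/planted.aspx and the one-line sample shell are all constructed for the demo; the "reads a request parameter and hands it to an execution primitive" heuristic is a generic pattern, not a signature from any advisory, and a real baseline must come from clean install media or a vendor manifest rather than from the suspect host.

```python
"""Baseline-diff triage of ASPX files under a web root.

Added example, not tooling from the FBI, Microsoft, Mandiant or Pulse Secure.
Paths, baseline content and the planted shell are constructed so the script
runs offline inside a temporary directory.
"""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Constructed stand-ins for known-good pages. A real baseline is built from
# clean install media or a vendor manifest, never from the suspect host.
KNOWN_GOOD = {
    "owa/auth/logon.aspx": '<%@ Page Language="C#" %><!-- stand-in for the real page -->',
    "ecp/default.aspx": '<%@ Page Language="C#" %><!-- stand-in for the real page -->',
}

# Constructed one-line shell: evaluate whatever arrives in a request
# parameter. Illustrative only, not a signature from any advisory.
SAMPLE_SHELL = ('<script language="JScript" runat="server">'
                'eval(Request.Item["cmd"], "unsafe");</script>')

# Generic heuristic: the file both reads request input and reaches an
# execution primitive. It only labels files the baseline diff already flagged,
# so false positives on legitimate dynamic pages cost nothing.
READS_REQUEST = re.compile(r'Request(\.Item|\.Form|\.QueryString|\[)')
EXECUTES = re.compile(r'\beval\(|Process\.Start|ProcessStartInfo|Execute\(')


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(known_good: dict) -> dict:
    """Relative path -> sha256 of the known-good content."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in known_good.items()}


def looks_like_shell(text: str) -> bool:
    return bool(READS_REQUEST.search(text) and EXECUTES.search(text))


def triage(web_root: Path, baseline: dict) -> list:
    """(relative path, reason) for each .aspx file absent from the baseline or
    whose hash no longer matches it. Unchanged baseline files are skipped."""
    findings = []
    for path in sorted(web_root.rglob("*.aspx")):
        rel = path.relative_to(web_root).as_posix()
        digest = sha256_file(path)
        if rel not in baseline:
            reason = "not in baseline"
        elif baseline[rel] != digest:
            reason = "modified"
        else:
            continue
        if looks_like_shell(path.read_text(errors="replace")):
            reason += ", shell-like"
        findings.append((rel, reason))
    return findings


def preserve(web_root: Path, rel: str, evidence_dir: Path) -> str:
    """Copy the file into evidence under its hash before anything changes it;
    the hash is what goes in the chain-of-custody log."""
    src = web_root / rel
    digest = sha256_file(src)
    shutil.copy2(src, evidence_dir / f"{digest}_{src.name}")
    return digest


def respond(web_root: Path, evidence_dir: Path, findings: list) -> tuple:
    """Preserve every flagged file; delete only files that never belonged to
    the install. A tampered legitimate page is queued for restoration from
    clean source instead, since deleting it takes the service down."""
    removed, restore = [], []
    for rel, reason in findings:
        digest = preserve(web_root, rel, evidence_dir)
        if reason.startswith("not in baseline"):
            (web_root / rel).unlink()
            removed.append((rel, digest))
        else:
            restore.append(rel)
    return removed, restore


def demo() -> dict:
    """Throwaway web root with one dropped shell and one tampered page."""
    root = Path(tempfile.mkdtemp(prefix="webshell_demo_"))
    web, evidence = root / "wwwroot", root / "evidence"
    evidence.mkdir()
    for rel, content in KNOWN_GOOD.items():
        (web / rel).parent.mkdir(parents=True, exist_ok=True)
        (web / rel).write_text(content)
    (web / "owa/auth/planted.aspx").write_text(SAMPLE_SHELL)   # constructed
    with (web / "ecp/default.aspx").open("a") as f:             # constructed
        f.write("\n" + SAMPLE_SHELL)
    findings = triage(web, build_baseline(KNOWN_GOOD))
    removed, restore = respond(web, evidence, findings)
    return {
        "findings": findings,
        "removed": removed,
        "restore": restore,
        "remaining": sorted(p.relative_to(web).as_posix() for p in web.rglob("*.aspx")),
        "evidence": sorted(p.name for p in evidence.iterdir()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it flags the dropped planted.aspx as "not in baseline, shell-like" and the appended-to default.aspx as "modified, shell-like"; only the former is deleted, both land in the evidence directory under their hashes, and logon.aspx is never touched. Note what this does not do, matching the limits of the warrant: it neither patches the server nor looks for anything other than files in the web root, so persistence elsewhere (the across-upgrade implants Mandiant describes on Pulse Secure appliances, scheduled tasks, added accounts) needs its own pass.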

Ex-IBM Sales Manager, Fired After Battling Discrimination Against Subordinates, Wins $11 Million Lawsuit (theregister.com) 160

On Thursday, a federal jury in Seattle, Washington, found that former IBM sales manager Scott Kingston had been unlawfully fired by the company and denied sales commission after challenging the treatment of subordinates as racially biased. And it awarded him $11.1 million. The Register reports: The case dates back to 2017, when two IBM salespeople within months of each other closed similarly large software sales deals that led to vastly different commission payments. Nick Donato, who is White, received more than $1m for a SAS Institute deal, while Jerome Beard, who is Black, was paid about $230,000 for closing a sale to HCL Technologies. Beard was paid about 15 per cent of what he should have received under his agreement with IBM, despite a company policy not to cap sales commissions.

Kingston, who managed the two salespeople through two lower-level managers, raised his concerns about racial discrimination with his superiors toward the end of 2017. Recalling his jury testimony, he said of his conversation with his managers, "They were telling me it wasn't about money; it was some other reason. I flat out said, 'You are leaving no possibility for anybody to conclude another reason than racial discrimination. You are foreclosing any other possible conclusion. You are going to get us sued.'" And that's what happened. Beard sued IBM in 2018. After a failed motion by IBM to dismiss the case in April 2020, the company settled for an undisclosed sum several months later.

Kingston sued in 2019 [PDF], after IBM fired him in April 2018, claiming he had erred in approving Donato's seven-figure commission. The company also fired two other IBM managers, Andre Temidis and Michael Lee, who raised similar objections to the allegedly discriminatory capping of commission due to an Arab-American salesperson. The Seattle jury found [PDF] that IBM violated Washington State law against discrimination and its own policies against race discrimination and withholding wages.
"We are disappointed by the jury's verdict," IBM said in a statement emailed to The Register. "IBM does not condone retaliation, race discrimination, or any other form of discrimination. The company will consider all of its options on appeal."
Security

Codecov Bash Uploader Compromised In Supply Chain Hack (securityweek.com) 9

wiredmikey shares a report from SecurityWeek: Security response professionals are scrambling to measure the fallout from a software supply chain compromise of the Codecov Bash Uploader that had gone undetected since January and exposed sensitive secrets like tokens, keys and credentials from organizations around the world. The hack occurred four months ago but was only discovered in the wild by a Codecov customer on the morning of April 1, 2021, the company said. Codecov is considered the vendor of choice for measuring code coverage in the tech industry. The company's tools help developers understand and measure the lines of code executed by a test suite and are widely deployed in big tech development pipelines. The company claims that more than 29,000 enterprises use its code coverage insights to check code quality and maintain code coverage. Codecov did not say how many customers were impacted or had data stolen in the incident.

According to Codecov, the altered version of the Bash Uploader script could potentially affect:
- Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the Bash Uploader script was executed.
- Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
- The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI.
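The root of the exposure above is a CI job fetching a helper script and executing whatever it receives. The following is an added example, not Codecov's own code: a POSIX shell guard that pins the script to a known SHA-256 and refuses to execute it on a mismatch; the sample script and its pinned hash are constructed here, and `sha256sum` (or `shasum` as a fallback) is assumed to be available.

```shell
#!/bin/sh
# Added example (not Codecov's code): pin a CI helper script to a known
# SHA-256 and refuse to run it if the download no longer matches, instead of
# piping a freshly fetched script straight into bash.

# Print the SHA-256 of a file; uses sha256sum, falling back to shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 if the file does not exist.
verify_script() {
    [ -f "$1" ] || return 2
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# run_verified FILE EXPECTED_SHA256: execute the script only after it verifies.
run_verified() {
    if verify_script "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to run $1: checksum mismatch or missing file" >&2
        return 1
    fi
}

# Constructed stand-in for the uploader script. In a real pipeline PINNED is a
# literal taken from the vendor's published checksum at review time, never
# computed from whatever was just downloaded.
SAMPLE=$(mktemp)
printf '#!/bin/sh\necho "uploading coverage report"\n' > "$SAMPLE"
PINNED=$(sha256_of "$SAMPLE")

run_verified "$SAMPLE" "$PINNED"
```

A pinned hash only catches tampering with the script itself; any secret the CI runner exposed to an unverified script before the pin was introduced still has to be treated as compromised and rotated.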

Google

Google's Project Zero Updates Vulnerability Disclosure Rules To Add Patch Cushion (therecord.media) 9

The Google Project Zero security team has updated its vulnerability disclosure guidelines to add a cushion of 30 days to some security bug disclosures, so end-users have enough time to patch software and prevent attackers from weaponizing bugs. From a report: This week's changes are of particular importance because a large part of the cybersecurity community has adopted Project Zero's rules as the unofficial methodology for disclosing a security bug to software vendors and then to the general public. Prior to today, Google Project Zero researchers would give software vendors 90 days to fix a security bug. When the bug was patched, or at the end of the 90-day window, Google researchers would publish details about the bug online (on their bug tracker). Starting this week, Project Zero says it will wait 30 days before publishing any details about the bug. The reasoning behind the extra time window is to allow users of the affected products time to update their software, an operation that can take days or even weeks in some complex corporate networks.
