Businesses

Anthropic Reveals $30 Billion Run Rate, Plans To Use 3.5GW of New Google AI Chips (theregister.com) 47

Anthropic says its annualized revenue run rate has surpassed $30 billion and disclosed plans to secure roughly 3.5 gigawatts of next-generation Google TPU compute starting in 2027. Broadcom will supply the key chips and networking gear for the effort, the company announced. The Register reports: News of the two deals emerged today in a Broadcom regulatory filing that opens with two items of news. One is a "Long Term Agreement for Broadcom to develop and supply custom Tensor Processing Units ("TPUs") for Google's future generations of TPUs." Google and Broadcom have collaborated to produce custom TPUs. Broadcom CEO Hock Tan recently shared his opinion that hyperscalers don't have the skill to create custom accelerators and predicted Broadcom's chip business will therefore win over $100 billion of revenue from AI chips in 2027 alone.

Working on next-gen TPUs for Google will presumably help to make that prediction a reality. So will the second part of Broadcom's announcement: a "Supply Assurance Agreement for Broadcom to supply networking and other components to be used in Google's next-generation AI racks through up to 2031." Broadcom's filing also revealed one user of Google's next-gen TPU will be Anthropic, which starting in 2027, "will access through Broadcom approximately 3.5 gigawatts as part of the multiple gigawatts of next generation TPU-based AI compute capacity committed by Anthropic."

The Internet

Google Quantum-Proofs HTTPS (arstechnica.com) 21

An anonymous reader quotes a report from Ars Technica: Google on Friday unveiled its plan for its Chrome browser to secure HTTPS certificates against quantum computer attacks without breaking the Internet. The objective is a tall order. The quantum-resistant cryptographic data needed to transparently publish TLS certificates is roughly 40 times bigger than the classical cryptographic material used today. Today's X.509 certificates are about 64 bytes in size, and comprise six elliptic curve signatures and two EC public keys. This material can be cracked through the quantum-enabled Shor's algorithm. Certificates containing the equivalent quantum-resistant cryptographic material are roughly 2.5 kilobytes. All this data must be transmitted when a browser connects to a site.

To bypass the bottleneck, companies are turning to Merkle Trees, a data structure that uses cryptographic hashes and other math to verify the contents of large amounts of information using a small fraction of material used in more traditional verification processes in public key infrastructure. Merkle Tree Certificates "replace the heavy, serialized chain of signatures found in traditional PKI with compact Merkle Tree proofs," members of Google's Chrome Secure Web and Networking Team wrote Friday. "In this model, a Certification Authority (CA) signs a single 'Tree Head' representing potentially millions of certificates, and the 'certificate' sent to the browser is merely a lightweight proof of inclusion in that tree."

[...] Google is [also] adding cryptographic material from quantum-resistant algorithms such as ML-DSA (PDF). This addition would allow forgeries only if an attacker were to break both classical and post-quantum encryption. The new regime is part of what Google is calling the quantum-resistant root store, which will complement the Chrome Root Store the company formed in 2022. The [Merkle Tree Certificates] MTCs use Merkle Trees to provide quantum-resistant assurances that a certificate has been published without having to add most of the lengthy keys and hashes. Using other techniques to reduce the data sizes, the MTCs will be roughly the same 64-byte length they are now [...]. The new system has already been implemented in Chrome.

United States

Texas Sues TP-Link Over China Links and Security Vulnerabilities (theregister.com) 46

TP-Link is facing legal action from the state of Texas for allegedly misleading consumers with "Made in Vietnam" claims despite China-dominated manufacturing and supply chains, and for marketing its devices as secure despite reported firmware vulnerabilities exploited by Chinese state-sponsored actors. The Register: The Lone Star State's Attorney General, Ken Paxton, is filing the lawsuit against California-based TP-Link Systems Inc., which was originally founded in China, accusing it of deceptively marketing its networking devices and alleging that its security practices and China-based affiliations allowed Chinese state-sponsored actors to access devices in the homes of American consumers.

It is understood that this is just the first of several lawsuits that the Office of the Attorney General intends to file this week against "China-aligned companies," as part of a coordinated effort to hold China accountable under Texas law. The lawsuit claims that TP-Link is the dominant player in the US networking and smart home market, controlling 65 percent of the American market for network devices.

It also alleges that TP-Link represents to American consumers that the devices it markets and sells within the US are manufactured in Vietnam, and that consistent with this, the devices it sells in the American market carry a "Made in Vietnam" sticker.

United States

US Agencies Back Banning Top-Selling Home Routers on Security Grounds (msn.com) 89

More than a half dozen federal departments and agencies have backed a proposal to ban future sales of the most popular home routers in the United States on the grounds that the vendor's ties to mainland China make them a national security risk, Washington Post reported Thursday, citing people briefed on the matter. From the report: The proposal, which arose from a months-long risk assessment, calls for blocking sales of networking devices from TP-Link Systems of Irvine, California, which was spun off from a China-based company, TP-Link Technologies, but owns some of that company's former assets in China.

The ban was proposed by the Commerce Department and supported this summer by an interagency process that includes the Departments of Homeland Security, Justice and Defense, the people said. "TP-Link vigorously disputes any allegation that its products present national security risks to the United States," Ricca Silverio, a spokeswoman for TP-Link Systems, said in a statement. "TP-Link is a U.S. company committed to supplying high-quality and secure products to the U.S. market and beyond."

If imposed, the ban would be among the largest in consumer history and a possible sign that the East-West divide over tech independence is still deepening amid reports of accelerated Chinese government-supported hacking. Only the legislated ban of Chinese-owned TikTok, which President Donald Trump has averted with executive orders and a pending sale, would impact more U.S. consumers.

Networking

Are Network Security Devices Endangering Orgs With 1990s-Era Flaws? (csoonline.com) 57

Critics question why basic flaws like buffer overflows, command injections, and SQL injections "being exploited remain prevalent in mission-critical codebases maintained by companies whose core business is cybersecurity," writes CSO Online. Benjamin Harris, CEO of cybersecurity/penetration testing firm watchTowr, tells them that "these are vulnerability classes from the 1990s, and security controls to prevent or identify them have existed for a long time. There is really no excuse." Enterprises have long relied on firewalls, routers, VPN servers, and email gateways to protect their networks from attacks. Increasingly, however, these network edge devices are becoming security liabilities themselves... Google's Threat Intelligence Group tracked 75 exploited zero-day vulnerabilities in 2024. Nearly one in three targeted network and security appliances, a strikingly high rate given the range of IT systems attackers could choose to exploit. That trend has continued this year, with similar numbers in the first 10 months of 2025, targeting vendors such as Citrix NetScaler, Ivanti, Fortinet, Palo Alto Networks, Cisco, SonicWall, and Juniper. Network edge devices are attractive targets because they are remotely accessible, fall outside endpoint protection monitoring, contain privileged credentials for lateral movement, and are not integrated into centralized logging solutions...

[R]esearchers have reported vulnerabilities in these systems for over a decade with little attacker interest beyond isolated incidents. That shifted over the past few years with a rapid surge in attacks, making compromised network edge devices one of the top initial access vectors into enterprise networks for state-affiliated cyberespionage groups and ransomware gangs. The COVID-19 pandemic contributed to this shift, as organizations rapidly expanded remote access capabilities by deploying more VPN gateways, firewalls, and secure web and email gateways to accommodate work-from-home mandates. The declining success rate of phishing is another factor... "It is now easier to find a 1990s-tier vulnerability in a border device where Endpoint Detection and Response typically isn't deployed, exploit that, and then pivot from there" [says watchTowr CEO Harris]...

Harris of watchTowr doesn't want to minimize the engineering effort it takes to build a secure system. But he feels many of the vulnerabilities discovered in the past two years should have been caught with automatic code analysis tools or code reviews, given how basic they have been. Some VPN flaws were "trivial to the point of embarrassing for the vendor," he says, while even the complex ones should have been caught by any organization seriously investing in product security... Another problem? These appliances have a lot of legacy code, some that is 10 years or older.

Attackers may need to chain together multiple hard-to-find vulnerabilities across multiple components, the article acknowledges. And "It's also possible that attack campaigns against network-edge devices are becoming more visible to security teams because they are looking into what's happening on these appliances more than they did in the past..."

The article ends with reactions from several vendors of network edge security devices.

Thanks to Slashdot reader snydeq for sharing the article.

Security

F5 Says Hackers Stole Undisclosed BIG-IP Flaws, Source Code (bleepingcomputer.com) 16

An anonymous reader quotes a report from BleepingComputer: U.S. cybersecurity company F5 disclosed that nation-state hackers breached its systems and stole undisclosed BIG-IP security vulnerabilities and source code. The company states that it first became aware of the breach on August 9, 2025, with its investigations revealing that the attackers had gained long-term access to its system, including the company's BIG-IP product development environment and engineering knowledge management platform.

F5 is a Fortune 500 tech giant specializing in cybersecurity, cloud management, and application delivery networking (ADN) applications. The company has 23,000 customers in 170 countries, and 48 of the Fortune 50 entities use its products. BIG-IP is the firm's flagship product used for application delivery and traffic management by many large enterprises worldwide. [...]

F5 is still reviewing which customers had their configuration or implementation details stolen and will contact them with guidance. To help customers secure their F5 environments against risks stemming from the breach, the company released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. Despite any evidence "of undisclosed critical or remote code execution vulnerabilities," the company urges customers to prioritize installing the new BIG-IP software updates.

Open Source

Rust Foundation Announces 'Innovation Lab' to Support Impactful Rust Projects (webpronews.com) 30

Announced this week at RustConf 2025 in Seattle, the new Rust Innovation Lab will offer open source projects "the opportunity to receive fiscal sponsorship from the Rust Foundation, including governance, legal, networking, marketing, and administrative support."

And their first project will be the TLS library Rustls (for cryptographic security), which they say "demonstrates Rust's ability to deliver both security and performance in one of the most sensitive areas of modern software infrastructure." Choosing Rustls "underscores the lab's focus on infrastructure-critical tools, where reliability is paramount," argues WebProNews. But "Looking ahead, the foundation plans to expand the lab's portfolio, inviting applications from promising Rust initiatives. This could catalyze innovations in areas like embedded systems and blockchain, where Rust's efficiency shines."

Their article notes that the Rust Foundation "sees the lab as a way to accelerate innovation while mitigating the operational burdens that often hinder open-source development." [T]he Foundation aims to provide a stable, neutral environment for select Rust endeavors, complete with governance oversight, legal and administrative backing, and fiscal sponsorship... At its core, the Rust Innovation Lab addresses a growing need within the developer community for structured support amid Rust's rising adoption in sectors like systems programming and web infrastructure. By offering a "home" for projects that might otherwise struggle with sustainability, the lab ensures continuity and scalability. This comes at a time when Rust's memory safety features are drawing attention from major tech firms, including those in cloud computing and cybersecurity, as a counter to vulnerabilities plaguing languages like C++...

Industry observers note that such fiscal sponsorship could prove transformative, enabling projects to secure funding from diverse sources while maintaining independence. The Rust Foundation's involvement ensures compliance with best practices, potentially attracting more corporate backers wary of fragmented open-source efforts... By providing a neutral venue, the foundation aims to prevent the pitfalls seen in other ecosystems, such as project abandonment due to maintainer burnout or legal entanglements... For industry insiders, the Rust Innovation Lab represents a strategic evolution, potentially accelerating Rust's integration into mission-critical systems.

Operating Systems

Linux 6.16 Brings Faster File Systems, Improved Confidential Memory Support, and More Rust Support (zdnet.com) 50

ZDNet's Steven Vaughan-Nichols shares his list of "what's new and improved" in the latest Linux 6.16 kernel. An anonymous reader shares an excerpt from the report: First, the Rust language is continuing to become more well-integrated into the kernel. At the top of my list is that the kernel now boasts Rust bindings for the driver core and PCI device subsystem. This approach will make it easier to add new Rust-based hardware drivers to Linux. Additionally, new Rust abstractions have been integrated into the Direct Rendering Manager (DRM), particularly for ioctl handling, file/GEM memory management, and driver/device infrastructure for major GPU vendors, such as AMD, Nvidia, and Intel. These changes should reduce vulnerabilities and optimize graphics performance. This will make gamers and AI/ML developers happier.

Linux 6.16 also brings general improvements to Rust crate support. Crate is Rust's packaging format. This will make it easier to build, maintain, and integrate Rust kernel modules into the kernel. For those of you who still love C, don't worry. The vast majority of kernel code remains in C, and Rust is unlikely to replace C soon. In a decade, we may be telling another story. Beyond Rust, this latest release also comes with several major file system improvements. For starters, the XFS filesystem now supports large atomic writes. This capability means that large multi-block write operations are 'atomic,' meaning all blocks are updated or none. This enhances data integrity and prevents data write errors. This move is significant for companies that use XFS for databases and large-scale storage.

Perhaps the most popular Linux file system, Ext4, is also getting many improvements. These boosts include faster commit paths, large folio support, and atomic multi-fsblock writes for bigalloc filesystems. What these improvements mean, if you're not a file-system nerd, is that we should see speedups of up to 37% for sequential I/O workloads. If your Linux laptop doubles as a music player, another nice new feature is that you can now stream your audio over USB even while the rest of your system is asleep. That capability's been available in Android for a while, but now it's part of mainline Linux.

If security is a top priority for you, the 6.16 kernel now supports Intel Trusted Execution Technology (TXT) and Intel Trusted Domain Extensions (TDX). This addition, along with Linux's improved support for AMD Secure Encrypted Virtualization and Secure Memory Encryption (SEV-SNP), enables you to encrypt your software's memory in what's known as confidential computing. This feature improves cloud security by encrypting a user's virtual machine memory, meaning someone who cracks a cloud can't access your data.

Linux 6.16 also delivers several chip-related upgrades. It introduces support for Intel's Advanced Performance Extensions (APX), doubling x86 general-purpose registers from 16 to 32 and boosting performance on next-gen CPUs like Lunar Lake and Granite Rapids Xeon. Additionally, the new CONFIG_X86_NATIVE_CPU option allows users to build processor-optimized kernels for greater efficiency.

Support for Nvidia's AI-focused Blackwell GPUs has also been improved, and updates to TCP/IP with DMABUF help offload networking tasks to GPUs and accelerators. While these changes may go unnoticed by everyday users, high-performance systems will see gains and OpenVPN users may finally experience speeds that challenge WireGuard.

Network

Cisco Updates Networking Products in Bid To Tap AI-Fueled Demand (bloomberg.com) 8

Cisco is updating its networking and security products to make AI networks speedier and more secure, part of a broader push to capitalize on the AI spending boom. From a report: A new generation of switches -- networking equipment that links computer systems -- will offer a 10-fold improvement in performance, the company said on Tuesday. That will help prevent AI applications from suffering bottlenecks when transferring data, Cisco said. Networking speed has become a bigger issue as data center operators try to manage a flood of AI information -- both in the cloud and within the companies' own facilities. Slowdowns can hinder AI models, Cisco President and Chief Product Officer Jeetu Patel said in an interview. That applies to the development phase -- known as training -- and the operation of the models, a stage called inference. A massive build-out of data centers has made Cisco more relevant, he said. "AI is going to be network-bound, both on training and inference," Patel said. Having computer processors sit idle during training because of slow networks is "just throwing away money."

Displays

Donald Bitzer, a Pioneer of Cyberspace and Plasma Screens, Dies At 90 (msn.com) 18

The Washington Post reports: Years before the internet was created and the first smartphones buzzed to life, an educational platform called PLATO offered a glimpse of the digital world to come. Launched in 1960 at the University of Illinois at Urbana-Champaign [UIUC], it was the first generalized, computer-based instructional system, and grew into a home for early message boards, emails, chatrooms, instant messaging and multiplayer video games.

The platform's developer, Donald Bitzer, was a handball-playing, magic-loving electrical engineer who opened his computer lab to practically everyone, welcoming contributions from Illinois undergrads as well as teenagers who were still in high school. Dr. Bitzer, who died Dec. 10 at age 90, spent more than two decades working on PLATO, managing its growth and development while also pioneering digital technologies that included the plasma display panel, a forerunner of the ultrathin screens used on today's TVs and tablets. "All of the features you see kids using now, like discussion boards or forums and blogs, started with PLATO," he said during a 2014 return to Illinois, his alma mater. "All of the social networking we take for granted actually started as an educational tool."

Long-time Slashdot reader theodp found another remembrance online. "Ray Ozzie, whose LinkedIn profile dedicates more space to describing his work as a PLATO developer as a UIUC undergrad than it does to his later successes as a creator of Lotus Notes and as Microsoft's Chief Software Architect, offers his own heartfelt mini-obit." Ozzie writes: It's difficult to adequately convey how much impact he had on so many, and I implore you to take a few minutes to honor him by reading a bit about him and his contributions. Links below. As an insecure young CS student at UIUC in 1974, Paul Tenczar, working for/with Don, graciously gave me a chance as a jr. systems programmer on the mind-bogglingly forward thinking system known as PLATO. A global, interactive system for learning, collaboration, and community like no other at the time. We were young and in awe of how Don led, inspired, and managed to keep the project alive. I was introverted; shaking; stage fright. Yeah I could code. But how could such a deeply technical engineer assemble such a strong team to execute on such a totally novel and inspirational vision, secure government funding, and yet also demo the product on the Phil Donahue show?

"Here's to the crazy ones. The misfits. The rebels. The troublemakers. The ones who see things differently. They're not fond of rules." You touched so many of us and shaped who we became and the risks we would take, having an impact well beyond that which you created. You made us think and you made us laugh. I hope we made you proud.

Patents

Open Source Fights Back: 'We Won't Get Patent-Trolled Again' (zdnet.com) 64

ZDNet's Steven Vaughan-Nichols reports: [...] At KubeCon North America 2024 this week, CNCF executive director Priyanka Sharma said in her keynote, "Patent trolls are not contributors or even adopters in our ecosystem. Instead, they prey on cloud-native adopters by abusing the legal system. We are here to tell the world that these patent trolls don't stand a chance because CNCF is uniting the ecosystem to deter them. Like a herd of musk oxen, we will run them off our pasture." CNCF CTO Chris Aniszczyk added: "The reason trolls can make money is that many companies find it too expensive to fight back, so they pay trolls a settlement fee to avoid the even higher cost of litigation. Now, when a whole herd of companies band together like musk oxen to drive a troll off, it changes the cost structure of fighting back. It disrupts their economic model."

How? Jim Zemlin, the Linux Foundation's executive director, said, "We don't negotiate with trolls. Instead, with United Patents, we go to the PTO and crush those patents. We strive to invalidate them by working with developers who have prior art, bringing this to the attention of the USPTO, and killing patents. No negotiation, no settlement. We destroy the very asset that made patent trolls' business work. Together, since we've started this effort, 90% of the time, we've been able to go in there and destroy these patents." "It's time for us to band together," said Joanna Lee, CNCF's VP of strategic programs and legal. "We encourage all organizations in our ecosystem to get involved. Join the fight, enhance your own company's protection, protect your customers, enhance our community defense, and save money on legal expenses."

While getting your company and its legal department involved in the effort to fend off patent trolls is important, developers can also help. CNCF announced the Cloud Native Heroes Challenge, a patent troll bounty program in which cloud-native developers and technologists can earn swag and win prizes. They're asking you to find evidence of preexisting technology -- referred to by patent lawyers as "prior art" -- that can kill off bad patents. This could be open-source documentation (including release notes), published standards or specifications, product manuals, articles, blogs, books, or any publicly available information. All entrants who submit an entry that conforms to the contest rules will receive a free "Cloud Native Hero" t-shirt that can be picked up at any future KubeCon+CloudNativeCon. The winner will also receive a $3,000 cash prize.

In the inaugural contest, the CNCF is seeking information that can be used to invalidate Claim 1 from US Patent US-11695823-B1. This is the major patent asserted by Edge Networking Systems against Kubernetes users. As is often the case with such patents, it's much too broad. This patent describes a network architecture that facilitates secure and flexible programmability between a user device and across a network with full lifecycle management of services and infrastructure applications. That describes pretty much any modern cloud system. If you can find prior art that describes such a system before June 13, 2013, you could be a winner. Some such materials have already been found. This is already listed in the "known references" tab of the contest information page and doesn't qualify. If you care about keeping open-source software easy and cheap to use -- or you believe trolls shouldn't be allowed to take advantage of companies that make or use programs -- you can help. I'll be doing some digging myself.

Security

How WatchTowr Explored the Complexity of a Vulnerability in a Secure Firewall Appliance (watchtowr.com) 9

Cybersecurity startup Watchtowr "was founded by hacker-turned-entrepreneur Benjamin Harris," according to a recent press release touting their Fortune 500 customers and $29 million investments from venture capital firms. ("If there's a way to compromise your organization, watchTowr will find it," Harris says in the announcement.)

This week they shared their own research on a Fortinet FortiGate SSLVPN appliance vulnerability (discovered in February by Gwendal Guégniaud of the Fortinet Product Security team — presumably in a static analysis for format string vulnerabilities). "It affected (before patching) all currently-maintained branches, and recently was highlighted by CISA as being exploited-in-the-wild... It's a Format String vulnerability [that] quickly leads to Remote Code Execution via one of many well-studied mechanisms, which we won't reproduce here..."

"Tl;dr SSLVPN appliances are still sUpEr sEcurE," their post begins — but the details are interesting. When trying to test an exploit, Watchtowr discovered instead that FortiGate always closed the connection early, thanks to an exploit mitigation in glibc "intended to hinder clean exploitation of exactly this vulnerability class." Watchtowr hoped to "use this to very easily check if a device is patched — we can simply send a %n, and if the connection aborts, the device is vulnerable. If the connection does not abort, then we know the device has been patched... " But then they discovered "Fortinet added some kind of certificate validation logic in the 7.4 series, meaning that we can't even connect to it (let alone send our payload) without being explicitly permitted by a device administrator." We also checked the 7.0 branch, and here we found things even more interesting, as an unpatched instance would allow us to connect with a self-signed certificate, while a patched machine requires a certificate signed by a configured CA. We did some reversing and determined that the certificate must be explicitly configured by the administrator of the device, which limits exploitation of these machines to the managing FortiManager instance (which already has superuser permissions on the device) or the other component of a high-availability pair. It is not sufficient to present a certificate signed by a public CA, for example...

Fortinet's advice here is simply to update, which is always sound advice, but doesn't really communicate the nuance of this vulnerability... Assuming an organisation is unable to apply the supplied workaround, the urgency of upgrade is largely dictated by the willingness of the target to accept a self-signed certificate. Targets that will do so are open to attack by any host that can access them, while those devices that require a certificate signed by a trusted root are rendered unexploitable in all but the narrowest of cases (because the TLS/SSL ecosystem is just so solid, as we recently demonstrated)...

While it's always a good idea to update to the latest version, the life of a sysadmin is filled with cost-to-benefit analysis, juggling the needs of users with their best interests.... [I]t is somewhat troubling when third parties need to reverse patches to uncover such details.

Thanks to Slashdot reader Mirnotoriety for sharing the article.

Networking

'Samba' Networking Protocol Project Gets Big Funding from the German Sovereign Tech Fund (samba.plus) 33

Samba is "a free software re-implementation of the SMB networking protocol," according to Wikipedia. And now the Samba project "has secured significant funding (€688,800.00) from the German Sovereign Tech Fund to advance the project," writes Jeremy Allison — Sam (who is Slashdot reader #8,157 — and also a long standing member of Samba's core team): The investment was successfully applied for by [information security service provider] SerNet. Over the next 18 months, Samba developers from SerNet will tackle 17 key development subprojects aimed at enhancing Samba's security, scalability, and functionality.

The Sovereign Tech Fund is a German federal government funding program that supports the development, improvement, and maintenance of open digital infrastructure. Their goal is to sustainably strengthen the open source ecosystem.

The project's focus is on areas like SMB3 Transparent Failover, SMB3 UNIX extensions, SMB-Direct, Performance and modern security protocols such as SMB over QUIC. These improvements are designed to ensure that Samba remains a robust and secure solution for organizations that rely on a sovereign IT infrastructure. Development work began as early as September the 1st and is expected to be completed by the end of February 2026 for all sub-projects.

All development will be done in the open following the existing Samba development process. First gitlab CI pipelines have already been running and gitlab MRs will appear soon!

Back in 2000, Jeremy Allison answered questions from Slashdot readers about Samba.

Allison is now a board member at both the GNOME Foundation and the Software Freedom Conservancy, a distinguished engineer at Rocky Linux creator CIQ, and a long-time free software advocate.

Security

Fortinet Confirms Data Breach After Hacker Claims To Steal 440GB of Files (bleepingcomputer.com) 25

Cybersecurity giant Fortinet has confirmed it suffered a data breach after a threat actor claimed to steal 440GB of files from the company's Microsoft Sharepoint server. From a report: Fortinet is one of the largest cybersecurity companies in the world, selling secure networking products like firewalls, routers, and VPN devices. The company also offers SIEM, network management, and EDR/XDR solutions, as well as consulting services.

Early this morning, a threat actor posted to a hacking forum that they had stolen 440GB of data from Fortinet's Azure Sharepoint instance. The threat actor then shared credentials to an alleged S3 bucket where the stolen data is stored for other threat actors to download. The threat actor, known as "Fortibitch," claims to have tried to extort Fortinet into paying a ransom, likely to prevent the publishing of data, but the company refused to pay. In response to our questions about the incident, Fortinet confirmed that customer data was stolen from a "third-party cloud-based shared file drive."

Businesses

HPE Set For Unconditional EU Nod For $14 Billion Juniper Deal (reuters.com) 6

According to Reuters, Hewlett Packard Enterprise (HPE) is expected to secure unconditional EU antitrust approval for its $14 billion acquisition of networking gear maker Juniper Networks. From the report: HPE announced the deal in January, underscoring the rush by companies to upgrade and develop new products amid a sharp rise in artificial intelligence-driven services. The European Commission, which is scheduled to decide on the deal by Aug. 1, declined to comment. HPE was expected to underline the power of market leader and Juniper rival Cisco to allay any possible European Union competition concerns, other people with direct knowledge of the matter had previously told Reuters. The deal is also being assessed by Britain's antitrust enforcer, with a decision due on Aug. 14.

Networking

Is Modern Software Development Mostly 'Junky Overhead'? (tailscale.com) 117

Long-time Slashdot reader theodp says this "provocative" blog post by former Google engineer Avery Pennarun — now the CEO/founder of Tailscale — is "a call to take back the Internet from its centralized rent-collecting cloud computing gatekeepers."

Pennarun writes: I read a post recently where someone bragged about using Kubernetes to scale all the way up to 500,000 page views per month. But that's 0.2 requests per second. I could serve that from my phone, on battery power, and it would spend most of its time asleep. In modern computing, we tolerate long builds, and then Docker builds, and uploading to container stores, and multi-minute deploy times before the program runs, and even longer times before the log output gets uploaded to somewhere you can see it, all because we've been tricked into this idea that everything has to scale. People get excited about deploying to the latest upstart container hosting service because it only takes tens of seconds to roll out, instead of minutes. But on my slow computer in the 1990s, I could run a perl or python program that started in milliseconds and served way more than 0.2 requests per second, and printed logs to stderr right away so I could edit-run-debug over and over again, multiple times per minute.

How did we get here?

We got here because sometimes, someone really does need to write a program that has to scale to thousands or millions of backends, so it needs all that stuff. And wishful thinking makes people imagine even the lowliest dashboard could be that popular one day. The truth is, most things don't scale, and never need to. We made Tailscale for those things, so you can spend your time scaling the things that really need it. The long tail of jobs that are 90% of what every developer spends their time on. Even developers at companies that make stuff that scales to billions of users, spend most of their time on stuff that doesn't, like dashboards and meme generators.

As an industry, we've spent all our time making the hard things possible, and none of our time making the easy things easy. Programmers are all stuck in the mud. Just listen to any professional developer, and ask what percentage of their time is spent actually solving the problem they set out to work on, and how much is spent on junky overhead.

Tailscale offers a "zero-config" mesh VPN — built on top of WireGuard — for a secure network that's software-defined (and infrastructure-agnostic). "The problem is developers keep scaling things they don't need to scale," Pennarun writes, "and their lives suck as a result...."

"The tech industry has evolved into an absolute mess..." Pennarun adds at one point. "Our tower of complexity is now so tall that we seriously consider slathering LLMs on top to write the incomprehensible code in the incomprehensible frameworks so we don't have to."

Their conclusion? "Modern software development is mostly junky overhead."

Botnet

Treasury Sanctions Creators of 911 S5 Proxy Botnet (krebsonsecurity.com) 6

An anonymous reader quotes a report from KrebsOnSecurity: The U.S. Department of the Treasury today unveiled sanctions against three Chinese nationals for allegedly operating 911 S5, an online anonymity service that for many years was the easiest and cheapest way to route one's Web traffic through malware-infected computers around the globe. KrebsOnSecurity identified one of the three men in a July 2022 investigation into 911 S5, which was massively hacked and then closed ten days later.

From 2015 to July 2022, 911 S5 sold access to hundreds of thousands of Microsoft Windows computers daily, as "proxies" that allowed customers to route their Internet traffic through PCs in virtually any country or city around the globe -- but predominantly in the United States. 911 built its proxy network mainly by offering "free" virtual private networking (VPN) services. 911's VPN performed largely as advertised for the user -- allowing them to surf the web anonymously -- but it also quietly turned the user's computer into a traffic relay for paying 911 S5 customers. 911 S5's reliability and extremely low prices quickly made it one of the most popular services among denizens of the cybercrime underground, and the service became almost shorthand for connecting to that "last mile" of cybercrime. Namely, the ability to route one's malicious traffic through a computer that is geographically close to the consumer whose stolen credit card is about to be used, or whose bank account is about to be emptied.

In July 2022, KrebsOnSecurity published a deep dive into 911 S5, which found the people operating this business had a history of encouraging the installation of their proxy malware by any means available. That included paying affiliates to distribute their proxy software by secretly bundling it with other software. That story named Yunhe Wang from Beijing as the apparent owner or manager of the 911 S5 proxy service. In today's Treasury action, Mr. Wang was named as the primary administrator of the botnet that powered 911 S5. Update, May 29, 12:26 p.m. ET: The U.S. Department of Justice (DOJ) just announced they have arrested Wang in connection with the 911 S5 botnet. The DOJ says 911 S5 customers have stolen billions of dollars from financial institutions, credit card issuers, and federal lending programs. [...] The third man sanctioned is Yanni Zheng, a Chinese national the U.S. Treasury says acted as an attorney for Wang and his firm -- Spicy Code Company Limited -- and helped to launder proceeds from the business into real estate holdings. Spicy Code Company was also sanctioned, as well as Wang-controlled properties Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited.

"911 S5 customers allegedly targeted certain pandemic relief programs," a DOJ statement on the arrest reads. "For example, the United States estimates that 560,000 fraudulent unemployment insurance claims originated from compromised IP addresses, resulting in a confirmed fraudulent loss exceeding $5.9 billion. Additionally, in evaluating suspected fraud loss to the Economic Injury Disaster Loan (EIDL) program, the United States estimates that more than 47,000 EIDL applications originated from IP addresses compromised by 911 S5. Millions of dollars more were similarly identified by financial institutions in the United States as loss originating from IP addresses compromised by 911 S5."

"Jingping Liu assisted Yunhe Wang by laundering criminally derived proceeds through bank accounts held in her name that were then utilized to purchase luxury real estate properties for Yunhe Wang," the document continues. "These individuals leveraged their malicious botnet technology to compromise personal devices, enabling cybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens with bomb threats."

AI

Companies Once Focused On Mining Cryptocurrency Pivot To Generative AI (theguardian.com) 48

"Companies that once serviced the boom in cryptocurrency mining are pivoting to take advantage of the latest data gold rush," reports the Guardian. Canadian company Hive Blockchain changed its name in July to Hive Digital Technologies and announced it was pivoting to AI. "Hive has been a pioneering force in the cryptocurrency mining sector since 2017. The adoption of a new name signals a significant strategic shift to harness the potential of GPU Cloud compute technology, a vital tool in the world of AI, machine learning and advanced data analysis, allowing us to expand our revenue channels with our Nvidia GPU fleet," the company said in its announcement at the time. The company's executive chairman, Frank Holmes, told Guardian Australia the transition required a lot of work. "Moving from mining Ethereum to hosting GPU cloud services involves buying powerful new servers for our GPUs, upgrading networking equipment and moving to higher tier data centres," he said.

"The only commonality is that GPUs are the workhorses in both cases. GPU cloud requires higher end supporting hardware and a more secure, faster data centre environment. There's a steep learning curve in the GPU cloud business, but our team is adapting well and learning fast."

For others, like Iris Energy, a datacentre company operating out of Canada and Texas, and co-founded by Australian Daniel Roberts, it has been the plan all along. Iris did not require any changes to the way the company operated when the AI boom came along, Roberts told Guardian Australia. "Our strategy really has been about bootstrapping the datacentre platform with bitcoin mining, and then just preserve optionality on the whole digital world. The distinction with us and crypto-miners is we're not really miners, we're datacentre people." The company still trumpets its bitcoin mining capability but in the most recent results Iris said it was well positioned for "power dense computing" with 100% renewable energy. Roberts said it wasn't an either-or situation between bitcoin mining and AI.

"I think when you look at bitcoin versus AI, the market will just reach equilibrium based on the market-based demands for each product," he said... Holmes said Hive also saw the two industries operating in parallel. "We love the bitcoin mining business, but its revenue is rather unpredictable. GPU cloud services should complement it well," he said.

Thanks to long-time Slashdot reader mspohr for sharing the article.

Networking

Linux Tries To Dump Windows' Notoriously Insecure RNDIS Protocol (zdnet.com) 35

An anonymous reader quotes a report from ZDNet: Microsoft's proprietary protocol, Remote Network Driver Interface Specification (RNDIS), started with a good idea. It would enable hardware vendors to add networking support to USB devices without having to build them from scratch. There was only one little problem. RNDIS has no security to speak of. As Greg Kroah-Hartman, the Linux Foundation fellow responsible for stable Linux kernel releases, wrote in November 2022 on the Linux Kernel Mailing List (LKML), "The Microsoft RNDIS protocol is, as designed, insecure and vulnerable on any system that uses it with untrusted hosts or devices. Because the protocol is impossible to make secure, just disable all RNDIS drivers to prevent anyone from using them again."

He added, in another message, "The protocol was never designed to be used with untrusted devices. It was created, and we implemented support for it, when we trusted USB devices that we plugged into our systems, AND we trusted the systems we plugged our USB devices into." That's no longer the case. Kroah-Hartman concluded, "Today, with untrusted hosts and devices, it's time just to retire this protocol. As I mentioned in the patch comments, Android disabled this many years ago in their devices, with no loss of functionality."

[...] But now, sick and tired of having a built-in Windows security exploit in Linux, Kroah-Hartman has decided that enough was enough. He's disabled all the RNDIS protocol drivers in Linux's Git repository. That means that while the RNDIS code is still in the Linux kernel, if you try to build Linux using this new patch, all your RNDIS drivers will be broken and won't build. This is one step short of purging RNDIS from Linux.

Wireless Networking

Linux Foundation Announces Collaboration for 'Open Radio Access Network' Prototypes (linuxfoundation.org) 20

This week the Linux Foundation and the National Spectrum Consortium "announced formal collaboration" on developing software prototypes and demonstrations for Open RAN (open radio access network):

The two organizations have signed a Memorandum of Understanding to solidify their working relationship and commitment to minimizing barriers to further R&D necessary for OpenRAN acceleration within the United States.

More open and flexible wireless networks ultimately increase vendor diversity and competition, prevent vendor lock-in, increase innovation in wireless networking technology, lower deployment and operational costs, and even increase security and energy efficiency. "We are eager to work with the NSC in creating a stable, open, secure reference stack for Open RAN," said Arpit Joshipura, general manager, Networking, Edge & IoT, the Linux Foundation. "By combining resources, we'll accelerate access to Open RAN and wireless technology across the United States across verticals and into government, academia, and small business."

The collaboration's goals include:
  • Establish an open source reference software architecture for Open RAN that will kickstart academic and commercial R&D by lowering the cost and complexity of entry
  • Rally support from industry with guidance and funds to leap forward in a true open and secure RAN
