TechCrunch looks at Mechanize, an ambitious new startup "whose founder — and the non-profit AI research organization he founded called Epoch — is being skewered on X..." Mechanize was launched on Thursday via a post on X by its founder, famed AI researcher Tamay Besiroglu. The startup's goal, Besiroglu wrote, is "the full automation of all work" and "the full automation of the economy."

Does that mean Mechanize is working to replace every human worker with an AI agent bot? Essentially, yes. The startup wants to provide the data, evaluations, and digital environments to make worker automation of any job possible. Besiroglu even calculated Mechanize's total addressable market by aggregating all the wages humans are currently paid. "The market potential here is absurdly large: workers in the US are paid around $18 trillion per year in aggregate. For the entire world, the number is over three times greater, around $60 trillion per year," he wrote.

Besiroglu did, however, clarify to TechCrunch that "our immediate focus is indeed on white-collar work" rather than manual labor jobs that would require robotics...

Besiroglu argues to the naysayers that having agents do all the work will actually enrich humans, not impoverish them, through "explosive economic growth." He points to a paper he published on the topic. "Completely automating labor could generate vast abundance, much higher standards of living, and new goods and services that we can't even imagine today," he told TechCrunch.
TechCrunch wonders how jobless humans will produce goods — and whether wealth will simply concentrate around whoever owns the agents.

But they do concede that Besiroglu may be right that "If each human worker has a personal crew of agents which helps them produce more work, economic abundance could follow..."

"Members of the CA/Browser Forum have voted to slash cert lifespans from the current one year to 47 days," reports Computerworld, "placing an added burden on enterprise IT staff who must ensure they are updated." In a move that will likely force IT to much more aggressively use web certificate automation services, the Certification Authority Browser Forum (CA/Browser Forum), a gathering of certificate issuers and suppliers of applications that use certificates, voted [last week] to radically slash the lifespan of the certificates that verify the ownership of sites.

The approved changes, which passed overwhelmingly, will be phased in gradually through March 2029, when the certs will only last 47 days.

This controversial change has been debated extensively for more than a year. The group's argument is that this will improve web security in various ways, but some have argued that the group's members have a strong alternative incentive, as they will be the ones earning more money due to this acceleration... Although the group voted overwhelmingly to approve the change, with zero "No" votes, not every member agreed with the decision; five members abstained...

In roughly one year, on March 15, 2026, the "maximum TLS certificate lifespan shrinks to 200 days. This accommodates a six-month renewal cadence. The DCV reuse period reduces to 200 days," according to the passed ballot. The next year, on March 15, 2027, the "maximum TLS certificate lifespan shrinks to 100 days. This accommodates a three-month renewal cadence. The DCV reuse period reduces to 100 days." And on March 15, 2029, "maximum TLS certificate lifespan shrinks to 47 days. This accommodates a one-month renewal cadence. The DCV reuse period reduces to 10 days."
The changes "were primarily pushed by Apple," according to the article, partly to allow more effective reactions to possible changes in cryptography.

And Apple also wrote that the shift "reduces the risk of improper validation, the scope of improper validation perpetuation, and the opportunities for misissued certificates to negatively impact the ecosystem and its relying parties."

Thanks to Slashdot reader itwbennett for sharing the news.

An anonymous reader quotes a report from SecurityWeek: An October 2024 study by Software AG suggests that half of all employees are Shadow AI users, and most of them wouldn't stop even if it was banned. The problem is the ease of access to AI tools, and a work environment that increasingly advocates the use of AI to improve corporate efficiency. It is little wonder that employees seek their own AI tools to improve their personal efficiency and maximize the potential for promotion. It is frictionless, says Michael Marriott, VP of marketing at Harmonic Security. 'Using AI at work feels like second nature for many knowledge workers now. Whether it's summarizing meeting notes, drafting customer emails, exploring code, or creating content, employees are moving fast.' If the official tools aren't easy to access or if they feel too locked down, they'll use whatever's available which is often via an open tab on their browser.

There is almost also never any malicious intent (absent, perhaps, the mistaken employment of rogue North Korean IT workers); merely a desire to do and be better. If this involves using unsanctioned AI tools, employees will likely not disclose their actions. The reasons may be complex but combine elements of a reluctance to admit that their efficiency is AI assisted rather than natural, and knowledge that use of personal shadow AI might be discouraged. The result is that enterprises often have little knowledge of the extent of Shadow IT, nor the risks it may present. According to an analysis from Harmonic, ChatGPT is the dominant gen-AI model used by employees, with 45% of data prompts originating from personal accounts (such as Gmail). Image files accounted for 68.3%. The report also notes that 7% of empmloyees were using Chinese AI models like DeepSeek, Baidu Chat and Qwen.

"Overall, there has been a slight reduction in sensitive prompt frequency from Q4 2024 (down from 8.5% to 6.7% in Q1 2025)," reports SecurityWeek. "However, there has been a shift in the risk categories that are potentially exposed. Customer data (down from 45.8% to 27.8%), employee data (from 26.8% to 14.3%) and security (6.9% to 2.1%) have all reduced. Conversely, legal and financial data (up from 14.9% to 30.8%) and sensitive code (5.6% to 10.1%) have both increased. PII is a new category introduced in Q1 2025 and was tracked at 14.9%."

IBM is mandating that U.S. sales and Cloud employees return to the office at least three days a week, with work required at designated client sites, flagship offices, or sales hubs. According to The Register, some IBM employees argue that these policies "represent stealth layoffs because older (and presumably more highly compensated) employees tend to be less willing to uproot their lives, and families where applicable, than the 'early professional hires' IBM has been courting at some legal risk." From the report: In a staff memo seen by The Register, Adam Lawrence, general manager for IBM Americas, billed the return-to-office for most stateside sales personnel as a "return to client initiative."Citing how "remarkable it is when our teams work side by side" at IBM's swanky Manhattan flagship office, unveiled in September 2024, Lawrence added IBM is investing in an Austin, Texas, office to be occupied in 2026.

Whether US sales staff end up working in NYC, Austin, or some other authorized location, Lawrence told them to brace for -- deep breath -- IBM's "new model" of "effective talent acquisition, deployment, and career progression." We're told that model is "centered on client proximity for those dedicated to specific clients, and anchored on core IBM locations for those dedicated to territories or those in above-market leadership roles." The program requires most IBM US sales staff "to work at least three days a week from the client location where their assigned territory decision-makers work, a flagship office, or a sales hub." Those residing more than 50 miles from their assigned location will be offered relocation benefits to move. Sales hubs are an option only for those with more than one dedicated account.

[...] IBM's office policy change reached US Cloud employees in an April 10 memo from Alan Peacock, general manager of IBM Cloud. Peacock set a July 1, 2025, deadline for US Cloud employees to work from an office at least three days per week, with relocating workers given until October 1, 2025. The employee shuffling has been accompanied by rolling layoffs in the US, but hiring in India -- there are at least 10x as many open IBM jobs in India as there are in any other IBM location, according to the corporation's career listings. And earlier this week, IBM said it "is setting up a new software lab in Lucknow," India.

A communication error between GoDaddy Registry and Markmonitor took Zoom's services offline for almost two hours on Wednesday when GoDaddy mistakenly blocked the zoom.us domain. The outage affected all services dependent on the zoom.us domain.

GoDaddy's block prevented top-level domain nameservers from maintaining proper DNS records for zoom.us. This created a classic domain resolution failure -- when users attempted to connect to any zoom.us address, their requests couldn't be routed to Zoom's servers because the domain effectively disappeared from the internet's addressing system.

Video meetings abruptly terminated mid-session with browser errors indicating the domain couldn't be found. Zoom's status page (status.zoom.us) went offline, hampering communication efforts. Even Zoom's main website at zoom.com failed as the content delivery network couldn't reach backend services hosted on zoom.us servers. Customer support capabilities collapsed when account managers using Zoom's VoIP phones lost connectivity.

Resolution required coordinated effort between Zoom, Markmonitor, and GoDaddy to identify and remove the block. After service restoration, users needed to manually flush their DNS caches using command line instructions (including the sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder command for Mac users).

Synology's upcoming Plus Series NAS systems will restrict full functionality to users who install the company's self-branded hard drives, Tom's Hardware is reporting, marking a significant shift in the consumer NAS market. While third-party drives will still work for basic storage, critical features including drive health monitoring, volume-wide deduplication, lifespan analysis, and automatic firmware updates will be disabled, the publication said.

The restriction doesn't apply to Synology's 2024 and older models, only affecting new Plus Series devices targeted at SMBs and advanced home users. Synology itself doesn't manufacture drives but rebrands HDDs from major manufacturers like Seagate, Western Digital, and Toshiba, often with custom firmware that functions as DRM. According to Synology, the change follows successful implementation in their enterprise solutions and will deliver "higher performance, increased reliability, and more efficient support." A workaround exists: users can initialize a non-Synology drive in an older Synology NAS and then migrate it to a new Plus model without restrictions.

India's three largest IT services companies are facing their steepest growth slowdown in years as corporations curtail large technology projects amid global economic uncertainty and geopolitical challenges. From a report: Infosys, the country's second-largest IT services provider, on Thursday forecast revenue growth of just 0-3% for the fiscal year through March 2026, far below analysts' expectations of 6.3%. The guidance follows a quarter where net income fell 12% to $823 million, though this exceeded analyst estimates of $780 million. The disappointing outlook echoes similar concerns from rivals Tata Consultancy Services and Wipro, as US President Donald Trump's tariff policies add fresh headwinds to an industry already struggling with cautious client spending.

Microsoft has acknowledged that Classic Outlook can mysteriously transform into a system resource hog, causing CPU usage spikes between 30-50% and significantly increasing power consumption on both Windows 10 and 11 systems.

Users first reported the issue in November 2024, but Microsoft only confirmed the problem this week, offering little resolution beyond stating that "the Outlook Team is investigating this issue." The company's sole workaround involves forcing a switch to the Semi-Annual Channel update through registry edits -- an approach many enterprise environments will likely avoid. Microsoft hasn't announced a definitive end date for Classic Outlook, but the company continues pushing users toward its New Outlook client despite its incomplete feature set.

Google has announced that it will begin phasing out country code top-level domains (ccTLDs) such as google.ng and google.com.br, redirecting all traffic to google.com. The change comes after improvements in Google's localization capabilities rendered these separate domains unnecessary.

Since 2017, Google has provided identical local search experiences whether users visited country-specific domains or google.com. The transition will roll out gradually over the coming months, and users may need to re-establish search preferences during the migration.

CISA says the U.S. government has extended funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program. From a report: "The CVE Program is invaluable to cyber community and a priority of CISA," the U.S. cybersecurity agency told BleepingComputer. "Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience."

The announcement follows a warning from MITRE Vice President Yosry Barsoum that government funding for the CVE and CWE programs was set to expire today, April 16, potentially leading to widespread disruption across the cybersecurity industry. "If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure," Barsoum said.

The CVE and CWE programs are at risk of shutdown as MITRE's DHS contract expires on April 16, 2025, with no confirmed renewal. Without continued funding, the ability to standardize, track, and respond to software vulnerabilities could collapse, leaving the cybersecurity community scrambling in a fragmented and dangerously opaque environment. Forbes reports: "Failure to renew MITRE's contract for the CVE program, seemingly set to expire on April 16, 2025, risks significant disruption," said Jason Soroko, Senior Fellow at Sectigo. "A service break would likely degrade national vulnerability databases and advisories. This lapse could negatively affect tool vendors, incident response operations, and critical infrastructure broadly. MITRE emphasizes its continued commitment but warns of these potential impacts if the contracting pathway is not maintained."

MITRE has indicated that historical CVE records will remain accessible via GitHub, but without continued funding, the operational side of the program -- including assignment of new CVEs -- will effectively go dark. That's not a minor inconvenience. It could upend how the global cybersecurity community identifies, communicates, and responds to new threats. [...] MITRE has said that discussions with the U.S. government are active and that it remains committed to the CVE mission. But with the expiration date looming, time is running short -- and the consequences of even a temporary gap are severe.

4chan was reportedly hacked Monday night, with rival imageboard Soyjack Party claiming responsibility and sharing screenshots suggesting deep access to 4chan's databases and admin tools. Ars Technica reports: Security researcher Kevin Beaumont described the hack as "a pretty comprehensive own" that included "SQL databases, source, and shell access." 404Media reports that the site used an outdated version of PHP that could have been used to gain access, including the phpMyAdmin tool, a common attack vector that is frequently patched for security vulnerabilities. Ars staffers pointed to the presence of long-deprecated and removed functions like mysql_real_escape_string in the screenshots as possible signs of an old, unpatched PHP version. In other words, there's a possibility that the hackers have gained pretty deep access to all of 4chan's data, including site source code and user data.

An anonymous reader shares a report: A silent update rolling out to virtually all Android devices will make your phone more secure, and all you have to do is not touch it for a few days. The new feature implements auto-restart of a locked device, which will keep your personal data more secure. It's coming as part of a Google Play Services update, though, so there's nothing you can do to speed along the process.

Google is preparing to release a new update to Play Services (v25.14), which brings a raft of tweaks and improvements to myriad system features. First spotted by 9to5Google, the update was officially released on April 14, but as with all Play Services updates, it could take a week or more to reach all devices. When 25.14 arrives, Android devices will see a few minor improvements, including prettier settings screens, improved connection with cars and watches, and content previews when using Quick Share.

An anonymous reader shares a report: Generative AI offers remarkable efficiency gains while presenting a profound challenge for the global IT services industry -- a sector concentrated in India and central to its export economy.

For decades, Indian technology firms thrived by deploying their engineering talent to serve primarily Western clients. Now they face a critical question. Will AI's productivity dividend translate into revenue growth? Or will fierce competition see these gains competed away through price reductions?

Industry soundings suggest the deflationary dynamic may already be taking hold. JPMorgan's conversations with executives, deal advisors and consultants across India's technology hubs reveal growing concern -- AI-driven efficiencies are fuelling pricing pressures. This threatens to constrain medium-term industry growth to a modest 4-5%, with little prospect of acceleration into fiscal year 2026. This emerging reality challenges the earlier narrative that AI would primarily unlock new revenue streams.

An anonymous reader quotes a report from TechCrunch: Car rental giant Hertz has begun notifying its customers of a data breach that included their personal information and driver's licenses. The rental company, which also owns the Dollar and Thrifty brands, said in notices on its website that the breach relates to a cyberattack on one of its vendors between October 2024 and December 2024. The stolen data varies by region, but largely includes Hertz customer names, dates of birth, contact information, driver's licenses, payment card information, and workers' compensation claims. Hertz said a smaller number of customers had their Social Security numbers taken in the breach, along with other government-issued identification numbers.

Notices on Hertz's websites disclosed the breach to customers in Australia, Canada, the European Union, New Zealand, and the United Kingdom. Hertz also disclosed the breach with several U.S. states, including California and Maine. Hertz said at least 3,400 customers in Maine were affected but did not list the total number of affected individuals, which is likely to be significantly higher. Emily Spencer, a spokesperson for Hertz, would not provide TechCrunch with a specific number of individuals affected by the breach but said it would be "inaccurate to say millions" of customers are affected. The company attributed the breach to a vendor, software maker Cleo, which last year was at the center of a mass-hacking campaign by a prolific Russia-linked ransomware gang.

Several crosswalk buttons in Palo Alto and nearby cities were hacked over the weekend to play deepfake-style satirical audio clips mimicking Elon Musk and Mark Zuckerberg. Authorities have disabled the altered systems, but the identity of the prankster remains unknown. SFGATE reports: Videos of the altered crosswalks began circulating on social media throughout Saturday and Sunday. [...] A city employee was the first to report an issue with one of the signals at University Avenue and High Street in downtown Palo Alto, Horrigan-Taylor told SFGATE via email. Officials later discovered that as many as 12 intersections in downtown Palo Alto had been affected.

"The impact is isolated," Horrigan-Taylor said. "Signal operations are otherwise unaffected, and motorists are reminded to always exercise caution around pedestrians." Officials told the outlet they've removed any devices that were tampered with and the compromised voice-over systems have since been disabled, with footage obtained by SFGATE showing several were covered in caution tape, blinking constantly and unpressable.

VMware has resumed offering a free hypervisor. News of the offering emerged in a throwaway line in the Release Notes for version 8.0 Update 3e of the Broadcom business unit's ESXi hypervisor. From a report: Just below the "What's New" section of that document is the statement: "Broadcom makes available the VMware vSphere Hypervisor version 8, an entry-level hypervisor. You can download it free of charge from the Broadcom Support portal."

VMware offered a free version of ESXi for years, and it was beloved by home lab operators and vAdmins who needed something to tinker with. But in February 2024, VMware discontinued it on grounds that it was dropping perpetual licenses and moving to subscriptions.

10 years ago "certificate authorities normally issued certificate lifetimes lasting a year or more," remembers a new blog post Thursday by the EFF's engineering director. So in 2015 when the free cert authority Let's Encrypt first started issuing 90-day TLS certificates for websites, "it was considered a bold move, that helped push the ecosystem towards shorter certificate life times."

And then this January Let's Encrypt announced new six-day certificates...

This week saw a related announcement from the EFF engineering director. More than 31 million web sites maintain their HTTPS certificates using the EFF's Certbot tool (which automatically fetches free HTTPS certificates forever) — and Certbot is now supporting Let's Encrypt's six-day certificates. (It's accomplished through ACME profiles with dynamic renewal at 1/3rd of lifetime left or 1/2 of lifetime left, if the lifetime is shorter than 10 days): There is debate on how short these lifetimes should be, but with ACME profiles you can have the default or "classic" Let's Encrypt experience (90 days) or start actively using other profile types through Certbot with the --preferred-profile and --required-profile flags. For six day certificates, you can choose the "shortlived" profile.
Why shorter lifetimes are better (according to the EFF's engineering director):

• If a certificate's private key is compromised, that compromise can't last as long.

• With shorter life spans for the certificates, automation is encouraged. Which facilitates robust security of web servers.

• Certificate revocation is historically flaky. Lifetimes 10 days and under prevent the need to invoke the revocation process and deal with continued usage of a compromised key.

Slashdot reader king*jojo shared this article from The Register: A 23-year-old side-channel attack for spying on people's web browsing histories will get shut down in the forthcoming Chrome 136, released last Thursday to the Chrome beta channel. At least that's the hope.

The privacy attack, referred to as browser history sniffing, involves reading the color values of web links on a page to see if the linked pages have been visited previously... Web publishers and third parties capable of running scripts, have used this technique to present links on a web page to a visitor and then check how the visitor's browser set the color for those links on the rendered web page... The attack was mitigated about 15 years ago, though not effectively. Other ways to check link color information beyond the getComputedStyle method were developed... Chrome 136, due to see stable channel release on April 23, 2025, "is the first major browser to render these attacks obsolete," explained Kyra Seevers, Google software engineer in a blog post.

This is something of a turnabout for the Chrome team, which twice marked Chromium bug reports for the issue as "won't fix." David Baron, presently a Google software engineer who worked for Mozilla at the time, filed a Firefox bug report about the issue back on May 28, 2002... On March 9, 2010, Baron published a blog post outlining the issue and proposing some mitigations...

Microsoft is starting to gradually roll out a preview of Recall, its feature that captures screenshots of what you do on a Copilot Plus PC to find again later, to Windows Insiders. From a report: This new rollout could indicate that Microsoft is finally getting close to launching Recall more widely. Microsoft originally intended to launch Recall alongside Copilot Plus PCs last June, but the feature was delayed following concerns raised by security experts. The company then planned to launch it in October, but that got pushed as well so that the company could deliver "a secure and trusted experience."