• ARCHITIZER.COM
    Desert Design: 6 Times Architecture Embraced Climate in the Middle East
    Architects: Want to have your project featured? Showcase your work through Architizer and sign up for our inspirational newsletters.

    Deserts in the Middle East are places of paradox; they are harsh and unyielding environments that have long inspired ingenuity and resilience. These arid landscapes, shaped by sand dunes, expansive skies and extreme temperatures, present unique challenges for architects. Yet, they also provide a canvas for innovation, where modern design meets ancient traditions of adaptation to climate. From buildings that honor vernacular techniques like wind towers and thick, insulating walls to novel structures leveraging new technology, the region's desert architecture reflects a profound dialogue between place and design.

    This interplay of tradition and modernity has given rise to striking structures that don't just survive the desert; they thrive within it. Architects and designers are drawing inspiration from the desert's sculptural forms and raw materiality, using these elements to craft projects that harmonize with their surroundings. The result is architecture that bridges the natural and the built, embracing environmental sustainability while creating spaces of beauty and functionality. These projects challenge the conventional narrative of deserts as inhospitable, instead showcasing how thoughtful design can turn constraints into opportunities.

    BEEAH Headquarters
    By Zaha Hadid Architects, Sharjah, United Arab Emirates

    Nestled within the sand dunes of Sharjah's Al Sajaa desert, the BEEAH Headquarters is a striking example of architecture inspired by its environment, designed as a series of interconnecting dunes shaped to optimize local climatic conditions. The building embodies BEEAH's twin pillars of sustainability and digitalization, serving as a blueprint for future smart cities with net-zero energy goals.

    Its design maximizes daylight and views while minimizing sun exposure, creating an oasis-like courtyard central to its natural ventilation strategy. This innovative structure integrates cutting-edge technology, seamlessly aligning with BEEAH's mission to drive sustainable practices across industries such as clean energy, recycling, and green mobility.

    The House in Mishref
    By STUDIO TOGGLE, Mishref, Hawalli Governorate, Kuwait

    Set in the Kuwaiti suburb of Mishref, this house is a response to the region's desert climate and the cultural need for privacy. Designed for two brothers and their families, it features two living units organized around a central courtyard, reinterpreting the traditional courtyard house to address the challenges of harsh sunlight, high temperatures and dust storms.

    The inward-facing design maximizes diffused daylight while maintaining privacy, with the courtyard housing a citrus-lined garden and a sculptural fountain inspired by Moorish Alcazars. A dramatic floating staircase and balconies punctuate the four-story void, serving as both circulation and social spaces. Clad in Omani stone and featuring a palette of white and natural wood, the house balances serene interiors with louvered windows, creating tranquility amidst its bustling urban context.

    Areia 1-5
    By TAEP/AAP, Al Khiran, Kuwait

    Situated in Sabah Alahmed Alsabah Maritime City, a development that brings the sea into the desert through canals and marinas, this project features five waterfront villas designed to reflect Kuwait's lifestyle while responding to the desert environment. Inspired by simple plane geometry, the villas share a unified architectural language with slight variations, creating a harmonious yet diverse ensemble.

    The design integrates shaded courtyards and perforated walls to ensure privacy, while open ground-floor spaces connect seamlessly with the beach, gardens, and pools, extending the living areas outdoors. Rooftops offer panoramic views over Khiran, providing ideal leisure spaces for socializing during cooler times. Despite their similar layouts, each villa features unique nuances, offering individuality while maintaining cohesion, making the project a counterpoint to the surrounding urban development.

    Ayla Golf Academy & Clubhouse
    By Oppenheim Architecture, Aqaba, Jordan

    The Ayla Golf Academy & Clubhouse in Aqaba, Jordan, draws inspiration from the natural dunes, desert mountains and Bedouin heritage of its surroundings, blending seamlessly with the landscape. Designed as the centerpiece of the Ayla Oasis resort, the design features a curved shotcrete shell that mimics rolling sand dunes, with openings framing views of the Aqaba Mountains.

    The design incorporates traditional elements, such as Corten steel screens inspired by Arabic mashrabiya and Jordanian patterns, while the earthy tones of the materials reflect the desert palette. A collaborative knowledge exchange program ensured local workers were trained in advanced shotcrete techniques, while a local artist applied traditional pigmentation methods, embedding cultural authenticity into this innovative and organic architectural landmark.

    Snail Shell Retreat
    By character architects, Fars Province, Iran

    The Snail Shell Retreat, located southwest of Shiraz, Iran, is a holiday home designed for relaxation, family gatherings and escaping city life. Inspired by the area's semi-desert climate, the house features a snail-shell-like layout with spaces arranged in a circular sequence, starting with a small, specially treated courtyard that supports resilient plants and reduces interior temperatures.

    The introverted design minimizes heat transfer, creating a private, serene atmosphere ideal for meditation, while the roof functions as an elevated terrace offering panoramic views for gatherings on cooler evenings. The fluid, partition-free interior connects seamlessly, with a summer living room opening outward and a warmer winter space facing south for sunlight.

    Buhais Geology Park Interpretive Centre
    By Hopkins Architects, Sharjah, United Arab Emirates

    Located in a region rich in prehistoric and geological significance, the Geology Park celebrates the area's 65-million-year-old marine fossils, mountain ranges and ancient burial sites. Inspired by fossilized urchins found on-site, the design features five interconnected pods of varying sizes, accommodating exhibition spaces, an immersive theatre, a café and visitor facilities.

    The pods, with sculptural forms clad in steel panels matching the desert's hues, rest lightly on reinforced concrete discs to preserve the terrain. Their interiors, with exposed concrete shells, tempered natural light, and restrained materials, offer a contrast to the desert's brightness. A sinuous outdoor trail connects the pods, weaving through viewing areas, a shaded classroom and raised walkways over ancient sites, inviting visitors to explore and learn. Operated by Sharjah's Environmental Protected Areas Authority, the park underscores conservation and education in the Emirate.

    The post Desert Design: 6 Times Architecture Embraced Climate in the Middle East appeared first on Journal.
  • GAMINGBOLT.COM
    Palworld Developer Wants to Give Indie Devs Financial Freedom to Make the Games They Want
    After having announced its plans to expand its game development business into publishing earlier this month, Palworld developer Pocketpair has apparently been swarmed with emails from smaller indie studios. Pocketpair communications director and publishing manager John Buckley took to social media platform X to talk about how popular the move has been for the company.

    "We announced Pocketpair Publishing 15 hours ago. My inboxes were 0 before then. I think I might have underestimated how much interest there would be," posted Buckley on X.

    The company seems to be intent on taking a hands-off approach with the games it publishes. Responding to another X user about how much of a role Pocketpair would play in the development of a game it is publishing, Buckley responded by saying that it wants to give developers the financial freedom they want to make their games.

    "We give you money. You make the game," posted Buckley. "If you want help with marketing or something we'll help out, but otherwise do whatever you want. We're giving devs the financial freedom to make games they want so they DON'T have to get wrapped up in stinky rule makers and bullies."

    While Pocketpair is yet to make any further announcements about the games it might publish, it is currently working with Tales of Kenzera: Zau developer Surgent Studios on a horror game. Studio founder Abubakar Salim revealed that alongside the newly-announced game, the studio was also in conversations about future games that would be set in the Tales of Kenzera: Zau universe.

    Pocketpair has also been busy with its own game, and recently released an update for Palworld celebrating Spring with a host of new skins for Pals. The update also brought balance changes to the title, including the addition of the Earth element to Mammorest and Mammorest Cyst.

    Buckley also recently spoke about Palworld's World Tree, and how content around it had been mapped out for quite some time. For context, the World Tree has been easily visible to players for quite some time, and an ending scenario for the game is supposed to take place there. However, Buckley has revealed that it doesn't necessarily mean the end for Palworld.

    As for confirmed upcoming content for the game, Pocketpair had announced back in November that it would be teaming up with Terraria developer Re-Logic for a collaborative event. While details haven't yet been confirmed by either of the companies, speculations indicate that we would see some mechanics from both games making their way into the other. Whether this means Pals coming to Terraria or boss fights from the latter popping up in Palworld as potential Pals is currently unknown.

    The last major update for Palworld was Feybreak, which brought with it the eponymous island. The update also introduced a new faction for players to deal with, as well as a new raid. On the gameplay side of things, players are now able to hunt down criminals scattered all over the world, and research permanent boosts.

    Palworld is available on PC, PS5, Xbox Series X/S and Xbox One. For more details, check out our review.

    "We announced Pocketpair Publishing 15 hours ago. My inboxes were 0 before then. I think I might have underestimated how much interest there would be." pic.twitter.com/MCal1HuAUg
    Bucky | Palworld (@Bucky_cm) January 24, 2025

    "We give you money. You make game. If you want help with marketing or something we'll help out, but otherwise do whatever you want. We're giving devs the financial freedom to make games they want so they DON'T have to get wrapped up with stinky rule makers and bullies."
    Bucky | Palworld (@Bucky_cm) January 24, 2025
  • GAMINGBOLT.COM
    Rise of the Ronin Launches on March 11th for PC
    Nearly a year after launching on PlayStation 5, Team Ninja's Rise of the Ronin is coming to PC via Steam on March 11th. It will retail for $49.99. Check out the trailer below.

    The open-world action RPG occurs during the Bakumatsu in Japan, with the player pitted against various factions. Like Nioh, there are multiple weapon types with different styles and abilities to master. Based on different decisions, the direction of the story can change.

    Rise of the Ronin received above-average reviews at launch (check out ours here). However, it would become Koei Tecmo's best-selling game in June 2024. Several updates have been released since then, adding new missions, gear, Dojo training partners, and more.

    Those who purchase the game early on Steam can net bonuses like the Iga Ninja Armor Set and Katana alongside four combat styles: Hayabusa-ryu, Nioh-ryu, and Aisu Kage-ryu for the Katana and Hayabusa-ryu for the Naginata. These will be available on April 2nd, roughly a month after launch. Stay tuned for more updates and gameplay in the meantime.
  • WWW.GAMEDEVELOPER.COM
    Xbox boss Phil Spencer says hardline exclusives are a thing of the past
    Xbox boss Phil Spencer says there are no more guarantees where the company's first-party exclusives are concerned.

    In an interview with Save State Plus, Spencer was asked to confirm whether Xbox Game Studios title Starfield will be "staying put" on Xbox for the time being. He offered a succinct "no" in response.

    Expanding on his answer, Spencer said there's no reason for him to put a "ring fence" around any Xbox Game Studios title.

    "[I won't] say this game will not go to a place where it will find players and have business success for us," he added. "What we find is we're able to drive a better business that allows us to invest in great game lineup like you saw - and that's our strategy."

    Spencer said the company intends to make its games available across a variety of platforms to meet players on their terms. He noted Xbox Game Pass remains a key part of that plan, but emphasized that keeping titles off rival hardware isn't an approach the company is pursuing.

    "The world's biggest games are available in multiple places, and more and more creators are asking us 'how do we stay connected when our game might be playable on all of these different places?' We want Xbox to be absolutely the platform that enables that," continued Spencer.

    "We think that makes us unique. Most of the other platforms out there are single platform on single device - whether that's PC, whether that's mobile, whether that's a console - and we want Xbox to be a platform that enables creators across any screen that people want to play on."

    Microsoft isn't sold on the benefits of platform exclusivity

    Microsoft has already brought first-party titles such as Hi-Fi Rush, Pentiment, and Sea of Thieves to rival platforms including Switch and PlayStation. Last year, the company also confirmed Indiana Jones and the Great Circle is heading to PlayStation 5.

    The decision to bypass the once impenetrable console exclusivity barrier comes after Microsoft spent billions acquiring major studios including Activision Blizzard and Bethesda, both of which have a history of releasing multiplatform titles. The latest Call of Duty title - the first to release under Microsoft - also launched on PlayStation 5.

    The pivot also comes with Xbox hardware revenue in decline. Microsoft, however, says its Xbox business isn't reliant on console sales and feels initiatives such as Xbox Game Pass can "attract gamers across a variety of different end-points."

    "We've seen new devices from third-party manufacturers along with key PC and mobile end points that help us empower gamers to play in a way that is most convenient to them," read a snippet from the company's full-year report.

    "We are focused on growing the platform and expanding to new ecosystems to engage as many gamers as possible."
  • WWW.THEVERGE.COM
    China's DeepSeek AI is hitting Nvidia where it hurts
    A chatbot made by Chinese artificial intelligence startup DeepSeek has rocketed to the top of Apple's App Store charts in the US this week, dethroning OpenAI's ChatGPT as the most downloaded free app. The eponymous AI assistant is powered by DeepSeek's open-source models, which the company says can be trained at a fraction of the cost using far fewer chips than the world's leading models. The claim has riled financial markets, sending Nvidia's shares down over 12 percent in pre-market trading.

    Downloads for the app exploded shortly after DeepSeek released its new R1 reasoning model on January 20th, which is designed for solving complex problems and reportedly performs as well as OpenAI's o1 on certain benchmarks. R1 was built on the V3 LLM DeepSeek released in December, which the company claims is on par with GPT-4o and Anthropic's Claude 3.5 Sonnet, and cost less than $6 million to develop. By contrast, OpenAI CEO Sam Altman has said GPT-4 cost over $100 million to train.

    DeepSeek also claims to have needed only about 2,000 specialized chips from Nvidia to train V3, compared to the 16,000 or more required to train leading models, according to the New York Times.

    These unverified claims are leading developers and investors to question the compute-intensive approach favored by the world's leading AI companies. And if true, it means that DeepSeek engineers had to get creative in the face of trade restrictions meant to ensure US domination of AI.

    Nvidia, Microsoft, OpenAI, and Meta are investing billions into AI data centers - $500 billion alone for the Stargate Project, of which $100 billion is thought to be earmarked for Nvidia. Investors and analysts are now wondering if that's money well spent, with Nvidia, Microsoft, and other companies with substantial stakes in maintaining the AI status quo all trending downward in pre-market trading.
  • 9TO5MAC.COM
    Apple unveils beautiful 2025 Black Unity Collection Sport Loop, watch face, and iPhone/iPad wallpapers
    In honor of Black History Month, Apple has unveiled its 2025 Black Unity Collection of wallpapers, watch faces, and watch straps. This year's set is inspired by the rhythm of humanity, according to Apple:

    Black creatives and allies at Apple collaborated on the design of the new collection. The collection, Unity Rhythm, weaves together the colors of the Pan-African flag: black, green, and red.

    Black Unity Rhythm Sport Loop

    First up is the Black Unity Rhythm Sport Loop, which features a unique lenticular effect using red and green:

    The Black Unity Sport Loop is woven in a custom pattern of raised and recessed loops that creates a lenticular effect, revealing green on one side of each loop, and red on the other. When the band is worn, the colors appear dynamic, shifting from green to red as a user moves their wrist, and the color yellow appears in the transition, as if by magic.

    Here's how it looks:

    Find it exclusively in Apple retail stores and online here starting today for $49.

    Unity Rhythm watch face

    Following tradition, Apple has created a corresponding face for Apple Watch that will be available shortly through a software update to iPhone and Apple Watch:

    The matching Unity Rhythm watch face features custom numerals formed by intertwined threads of red, green, and yellow. The watch face reacts to the gyroscope, so when a user raises their wrist to check the time, the strands coalesce from a series of abstract brush strokes into digits. When using the Unity Rhythm watch face, distinctive, rhythmic chimes mark every hour and half hour.

    Also coming in the software update, which should be iOS 18.3 and iPadOS 18.3, is the latest edition of the Unity wallpaper:

    The Unity Rhythm iPhone and iPad wallpapers feature the same custom lettering writing the word Unity, which changes orientation when the device is unlocked and locked.

    Look for it in the Unity collection once iOS 18.3 becomes available.

    Greater impact

    Apple also says it will support a variety of organizations focused on creativity, community, and rhythm, including groups in New Orleans and Los Angeles:

    As part of the launch, Apple is supporting several global organizations whose work focuses on elements of rhythm, creativity, and community. This includes grants to the Ellis Marsalis Center for Music in New Orleans; Battersea Arts Centre in London; Music Forward Foundation in Los Angeles; Art Gallery of New South Wales in Sydney; and The National Museum of African American Music in Nashville, Tennessee. Apple's support for these organizations builds upon the company's longstanding commitment to advancing economic, educational, and creative opportunities in communities around the world.

    Add 9to5Mac to your Google News feed. FTC: We use income earning auto affiliate links. More.

    You're reading 9to5Mac - experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don't know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel.
  • 9TO5MAC.COM
    Judge limits FBI powers to trawl data from Apple and others; Cloudflare privacy flaw
    A judge has limited FBI powers to trawl through data obtained from tech giants like Apple, Google, and ISPs under FISA (the Foreign Intelligence Surveillance Act).

    Separately, a Cloudflare privacy flaw has been identified in one of Apple's IT service providers, which could have exposed the rough location of millions of web and app users before it was fixed.

    Judge limits FBI powers to use FISA data

    One of the most controversial surveillance powers granted to US agencies is Section 702 of the Foreign Intelligence Surveillance Act (FISA).

    Agencies like the NSA and FBI apply to a FISA court for permission to access data from tech companies. These court hearings are held in secret, meaning that the media and public are unable to scrutinize the decisions made. When companies like Apple are required to give access to user data under a FISA warrant, they are not permitted to say that they have done so.

    Intelligence agencies can only apply for a FISA warrant for the purpose of surveilling foreign entities. However, once the data had been handed over, they could then search it for private information on US citizens without a further warrant.

    Wired reports that a judge has just ruled this practice illegal.

    The FBI could perform backdoor searches for information on US citizens or residents who communicated with foreigners, and it did so without first obtaining a warrant. Judge DeArcy Hall found that these searches do require a warrant. "To hold otherwise would effectively allow law enforcement to amass a repository of communications under Section 702 - including those of US persons - that can later be searched on demand without limitation," the judge wrote.

    Cloudflare privacy flaw

    When you visit many websites, or use many apps, your request is first sent to a content delivery network (CDN). Cloudflare is one of the biggest CDNs, and handles traffic for around 19% of all websites and app servers.

    Cloudflare performs two functions. First, it checks requests to see whether they appear to originate from a genuine web or app user, or a bot. This allows the company to detect and block a common method for an attacker to take a server offline: hitting it with so many simultaneous requests that it crashes. This is known as a DDoS (distributed denial of service) attack.

    Second, Cloudflare keeps cached copies of server data in hundreds of different cities around the world. By serving data from your nearest cache, it can reduce traffic to the main server.

    Apple is one of Cloudflare's clients, and uses the company's services for iCloud Private Relay.

    A security researcher found a way to work out which CDN server handled your request, and thus get a rough idea of your location.

    The security researcher, who goes by Daniel, found a way to send an image to a target, collect the URL, then use a custom-built tool to query Cloudflare to find out which data center delivered the image - and thus the state or possibly the city the target is in.

    He reported the issue to Cloudflare, which has now fixed it.

    Photo: FBI
  • THEHACKERNEWS.COM
    THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [27 January]
    Welcome to your weekly cybersecurity scoop! Ever thought about how the same AI meant to protect our hospitals could also compromise them? This week, we're breaking down the sophisticated world of AI-driven threats, key updates in regulations, and some urgent vulnerabilities in healthcare tech that need our attention.As we unpack these complex topics, we'll equip you with sharp insights to navigate these turbulent waters. Curious about the solutions? They're smarter and more unexpected than you might think. Let's dive in. Threat of the WeekJuniper Networks Routers Targeted by J-magic A new campaign targeted enterprise-grade Juniper Networks routers between mid-2023 and mid-2024 to infect them with a backdoor dubbed J-magic when certain precise conditions. The malware is a variant of a nearly 25-year-old, publicly available backdoor referred to as cd00r, and is designed to establish a reverse shell to an attacker-controlled IP address and port. Semiconductor, energy, manufacturing, and information technology (IT) sectors were the most targeted. Top NewsPalo Alto Firewalls Found Vulnerable to Firmware Exploits An analysis of three firewall models from Palo Alto Networks PA-3260, PA-1410, and PA-415 uncovered that they are vulnerable to known security flaws that could be exploited to achieve Secure Boot bypass and modify device firmware. In response to the findings, Palo Alto Networks said exploiting the flaws requires an attacker to first compromise PAN-OS software through other means and obtain elevated privileges to access or modify the BIOS firmware. 
It also said it will be working with third-party vendors to develop firmware updates for some of them.PlushDaemon Linked to Supply Chain Compromise of South Korean VPN Provider A never-before-seen China-aligned hacking group named PlushDaemon carried out a supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023 to deliver malware known as SlowStepper, a fully-featured backdoor with an extensive set of information gathering features. The threat actor is also said to have exploited an unknown vulnerability in Apache HTTP servers and conducted adversary-in-the-middle (AitM) attacks to breach other targets of interest. Active since at least 2019, the group has singled out individuals and entities in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand.Mirai Botnet Launches Record 5.6 Tbps DDoS Attack Cloudflare revealed that a Mirai botnet comprising over 13,000 IoT devices was responsible for a record-breaking 5.6 Terabit per second (Tbps) distributed denial-of-service (DDoS) attack aimed at an unnamed internet service provider (ISP) from Eastern Asia. The attack lasted about 80 seconds. The web infrastructure company said the average unique source IP address observed per second was 5,500, and the average contribution of each IP address per second was around 1 Gbps.Over 100 Flaws in LTE and 5G Implementations A group of academics has disclosed 119 security vulnerabilities impacting LTE and 5G implementations, Open5GS, Magma, OpenAirInterface, Athonet, SD-Core, NextEPC, srsRAN, that could be exploited by an attacker to disrupt access to service and even gain a foothold into the cellular core network. 
Some of the identified vulnerabilities could be weaponized to breach the cellular core network, and leverage that access to monitor cellphone location and connection information for all subscribers at a city-wide level, carry out targeted attacks on specific subscribers, and perform further malicious actions on the network itself.Ex-CIA Analyst Pleads Guilty to Sharing Top Secret Docs Asif William Rahman, a former analyst working for the U.S. Central Intelligence Agency (CIA), pleaded guilty to transmitting top secret National Defense Information (NDI) to unauthorized personnel and attempted to cover up the activity. The incident, which took place in October 2024, involved Rahman sharing documents prepared by the National Geospatial-Intelligence Agency and the National Security Agency. They were related to Israel's plans to attack Iran, and were subsequently shared on Telegram by an account called Middle East Spectator. He has pleaded guilty to two counts of willful retention and transmission of classified information related to the national defense. He is expected to be sentenced on May 15, 2025, potentially facing a maximum penalty of 10 years in prison. Trending CVEsYour go-to software could be hiding dangerous security flawsdon't wait until it's too late! Update now and stay ahead of the threats before they catch you off guard.This week's list includes CVE-2025-23006 (SonicWall), CVE-2025-20156 (Cisco Meeting Management), CVE-2025-21556 (Oracle Agile Product Lifecycle Management Framework), CVE-2025-0411 (7-Zip), CVE-2025-21613 (go-git), CVE-2024-32444 (RealHomes theme for WordPress), CVE-2024-32555 (Easy Real Estate plugin), CVE-2016-0287 (IBM i Access Client Solutions), CVE-2024-9042 (Kubernetes). Around the Cyber WorldIndia and the U.S. Sign Cybercrime MoU India and the United States have signed a memorandum of understanding (MoU) to bolster cooperation in cybercrime investigations. 
"The MoU allows the respective agencies of the two countries to step up the level of cooperation and training with respect to the use of cyber threat intelligence and digital forensics in criminal investigations," the Indian Ministry of External Affairs (MEA) said in a statement.Critical Security Flaws in ABB ASPECT-Enterprise, NEXUS, and MATRIX Products More than a 100 security flaws have been disclosed in ABB ASPECT-Enterprise, NEXUS, and MATRIX series of products that could enable an attacker to disrupt operations or execute remote code. Gjoko Krstikj of Zero Science Lab has been credited with discovering and reporting the flaws.91% of Exposed Exchange Server Instances Still Vulnerable to ProxyLogon One of the vulnerabilities exploited by the China-linked Salt Typhoon hacking group for initial access is CVE-2021-26855 (aka ProxyLogon), a nearly four-year-old flaw in Microsoft Exchange Server. According to a new analysis from cybersecurity company Tenable, 91% of the nearly 30,000 external-facing instances of Exchange vulnerable to CVE-2021-26855 have not been updated to close the defect to date. "Salt Typhoon is known for maintaining a stealthy presence on victim networks and remaining undetected for a significant time period," it said.IntelBroker Resigns from BreachForums The threat actor known as IntelBroker has announced his resignation as the owner of an illicit cybercrime forum called BreachForums, citing lack of time. The development marks the latest twist in the tumultuous history of the online criminal bazaar, which has been the subject of law enforcement scrutiny, resulting in a takedown of its infrastructure and the arrest of its previous administrators. Its original creator and owner Conor Brian Fitzpatrick (aka Pompompurin) was sentenced to time served and 20 years of supervised release exactly a year ago. However, newly filed court documents show that his sentence has been vacated -- i.e., declared void. 
"While released on bond awaiting sentencing, Fitzpatrick violated his conditions of release immediately by secretly downloading a virtual private network, which he then used virtually every day to access the Internet without the knowledge of his probation officer," the document reads. "Not only did Fitzpatrick commit serious offenses, but he also showed a lack of remorse, joking about committing additional crimes even after entering a guilty plea."Cloudflare CDN Bug Leaks User Locations A new piece of research from a 15-year-old security researcher who goes by the name Daniel has uncovered a novel "deanonymization attack" in the widely used Cloudflare content delivery network (CDN) that can expose someone's location by sending them an image on platforms like Signal, Discord, and X. The flaw allows an attacker to extract the location of any target within a 250-mile radius when a vulnerable app is installed on a target's phone, or as a background application on their laptop, simply by sending a specially-crafted payload. Using either a one-click or zero-click approach, the attack takes advantage of the fact that Cloudflare stores caches copies of frequently accessed content on data centers located in close proximity to the users to improve performance. The security researcher developed a Teleport tool that let them check which of Cloudflare's data centers had cached an image, which allowed them to triangulate the approximate location a Discord, Signal, or X user might be in. Although the specific issue was closed, Daniel noted that the fix could be bypassed using a VPN. While the geolocation capability of the attack is not precise, it can provide enough information to infer the geographic region where a person lives, and use it as a stepping stone for follow-on intelligence gathering. 
"The attack leverages fundamental design decisions in caching and push notification systems, demonstrating how infrastructure meant to enhance performance can be misused for invasive tracking," the researcher said.Belsen Group Leaks Fortinet FortiGate Firewall Configs A little-known hacking group named Belsen Group has leaked configuration data for over 15,000 Fortinet FortiGate firewalls on the dark web for free. This includes configurations and plaintext VPN user credentials, device serial numbers, models, and other data. An analysis of the data dump conducted by security researcher Kevin Beaumont has revealed that the configuration data has likely been put together by exploiting CVE-2022-40684, an authentication bypass zero-day vulnerability disclosed in October 2022, as a zero-day. Of the 15,469 distinct affected IP addresses, 8,469 IPs have been found to be still online and reachable in scans. As many as 5,086 IPs are continuing to expose the compromised FortiGate login interfaces. A majority of the exposures are in Mexico, Thailand, and the U.S. "If your organization has consistently adhered to routine best practices in regularly refreshing security credentials and taken the recommended actions in the preceding years, the risk of the organization's current config or credential detail in the threat actor's disclosure is small," Fortinet said in response to the disclosure. The disclosure comes as another critical flaw in FortiGate devices (CVE-2024-55591 aka Console Chaos) has come under active exploitation in the wild since November 1, 2024. Expert WebinarNo More Trade-Offs: Secure Code at Full Speed Tired of security slowing down developmentor risky shortcuts putting you at risk? Join Sarit Tager, VP of Product Management at Palo Alto Networks, in this must-attend webinar to discover how to break the Dev-Sec standoff. 
Learn how to embed smart, seamless security guardrails into your DevOps pipeline, prioritize code issues with full ecosystem context, and replace "shift left" confusion with the clarity of "start left" success. If speed and security feel like a trade-off, this webinar will show you how to have both. Save your spot now.

The Clear Roadmap to Identity Resilience
Struggling with identity security gaps that increase risks and inefficiencies? Join Okta's experts, Karl Henrik Smith and Adam Boucher, to discover how the Secure Identity Assessment (SIA) delivers a clear, actionable roadmap to strengthen your identity posture. Learn to identify high-risk gaps, streamline workflows, and adopt a scalable, phased approach to future-proofing your defenses. Don't let identity debt hold your organization back; gain the insights you need to reduce risk, optimize operations, and secure business outcomes.

Cybersecurity Tools

Extension Auditor: With cyber threats becoming more sophisticated, tools like Extension Auditor are essential for maintaining online safety. This tool evaluates your browser extensions for security and privacy risks, providing a clear analysis of permissions and potential vulnerabilities. Extension Auditor helps you identify and manage extensions that could expose you to danger, ensuring your browsing is secure and your data remains private.

AD Threat Hunting Tool: It is a simple yet powerful PowerShell tool that helps detect suspicious activities in your Active Directory, like password spray attacks or brute force attempts. It provides real-time alerts, smart analysis of attack patterns, and detailed reports with easy export options. With built-in testing to simulate attacks, this tool is a must-have for keeping your AD environment secure and identifying threats quickly.

Tip of the Week

Essential Network Security Practices
To effectively secure your network, you don't need complex solutions.
Keep your network safe with these easy tips: Use a VPN like NordVPN to protect your data and keep your online activities private. Make sure your firewall is turned on to stop unwanted access. Keep your software and devices updated to fix security weaknesses. Choose strong, unique passwords for all your accounts and consider using a password manager to keep track of them. Teach yourself and others how to spot phishing scams to avoid giving away sensitive information. These basic actions can greatly improve your network's security and are simple to implement.

Conclusion
As we close this week's newsletter, let's focus on the crucial issue of vulnerabilities in healthcare technology. These gaps highlight a pressing need for enhanced security measures and more dynamic regulatory frameworks that can quickly adapt to new threats. How can we fortify our defenses to better protect critical infrastructure? Your expertise is essential as we tackle these challenges and push for more effective solutions. Let's keep the dialogue open and continue to drive progress in our field. Stay informed and engaged.
  • WWW.INFORMATIONWEEK.COM
    How Must Staffing Change in Relation to AI?
    From the C-suite to new hires, the impact of AI on relevant job skills and career longevity may deliver aftershocks for years to come.

Joao-Pierre S. Ruth, Senior Editor
January 27, 2025

Debate continues over how artificial intelligence might upend current jobs and future careers, as nuances emerge in such discussions.

The assumption that AI equals immediate job cuts to deliver efficiency might not be that simple, especially as more divisions within organizations and their leadership start to understand how they can leverage this technology. Certain jobs might be eliminated, yet other jobs could evolve with AI.

This episode of DOS Won't Hunt features Luke Behnke, vice president of product for Grammarly; Cliff Jurkiewicz, vice president of global strategy for Phenom; Ryan Bergstrom, chief product and technology officer for Paycor; Daniel Avancini, co-founder and chief data officer for Indicium; and Arun Varadarajan, co-founder and chief commercial officer for Ascendion.

They discussed how AI already changes staffing, what skillsets organizations want in an AI-powered world, fears about job loss, what this may mean for executives in the C-suite who need to get up to speed on AI, and when organizations can comfortably rely on AI to enhance their workforce.

Listen to the full podcast here.

About the Author
Joao-Pierre S. Ruth, Senior Editor
Joao-Pierre S. Ruth covers tech policy, including ethics, privacy, legislation, and risk; fintech; code strategy; and cloud & edge computing for InformationWeek. He has been a journalist for more than 25 years, reporting on business and technology first in New Jersey, then covering the New York tech startup community, and later as a freelancer for such outlets as TheStreet, Investopedia, and Street Fight.
  • WWW.INFORMATIONWEEK.COM
    Build a Cloud Engagement Plan
    There's network as a service (NaaS), infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). All offer opportunities to outsource major areas of IT operations to third-party vendors in turnkey fashion if desired. In other words, all you need to do is to call the vendor, much as an end user will call IT if a service goes down, gets slow or develops a bug.

The oft-cited value point of these outsourcing approaches is that IT will have more time to focus on strategy, and not so much on the mundane tasks of daily operations. However, consider whether cloud management and operations should be a totally hands-off practice, or whether there are levels of management and control that IT should keep.

Whether building or buying technology, it's critical for companies to consider how they choose their systems, devices and applications, said PwC in a recent paper on technology and ethics. However, even if you exclude ethics and are just talking about day-to-day IT, there is a responsibility to oversee technology for the company and its stakeholders, even if the technology is tucked away in a cloud.

IT in the Cloud
The initial role that IT plays with the cloud is determined when the company decides to move to the cloud and then meets with vendors to determine which cloud provider to sign with. In many cases, getting contracts signed and services started is all IT does in the process, unless there is a cloud service interruption or it's contract renewal time.

Very small companies of 20 or fewer employees live in this world. The cloud benefits them greatly because they're able to subscribe to IT services and support they otherwise could not afford, and then they simply don't think much about it anymore.

However, for mid-sized and large companies with large IT portfolios and in-house IT staff, a totally hands-off role with the cloud that fails to address questions of cloud risk or management control is less than optimal.
IT departments in these organizations recognize this, so they ask staff members to manage the cloud as needed. The problem with that approach is this: More IT is shifting to the cloud, making the cloud a more dominant IT hosting platform, and it becomes less viable to handle day-to-day cloud issues on an informal, as-needed basis. That is why more mid-sized and large companies are codifying IT responsibilities for the cloud by writing them into staff job descriptions.

Cloud Roles That IT Staff Members Play
Here are some IT cloud responsibilities that need to be more formally addressed.

Contracts and SLAs. A contract for a mission-critical system like cloud-based ERP involves more than just signing up for a service. Companies with large ERP systems depend on ERP applications as the operational driveline of the entire business. An ERP vendor should take the criticality of this system as seriously as the company does. During contract negotiation, this means hammering out service level agreements (SLAs) that are more robust in their performance and uptime requirements than what a vendor would typically offer in a boilerplate contract. There is also room to negotiate on pricing and support.

Who does this? Enterprise IT departments hire contract administrators to do this work. Medium-sized companies that can't afford a dedicated contract administrator should consult with attorneys. Cloud contract negotiation and administrative responsibilities should be written into contract administrator job descriptions. For companies employing outside legal counsel, the CIO or an upper-level IT manager should be tasked with the responsibility of cloud contract negotiation and coordination with the legal team.

Compliance. In large enterprises, there are dedicated internal regulatory groups that monitor and ensure compliance, whether the company standards are HIPAA (healthcare), PCI, Sarbanes-Oxley (finance) or something else. SMBs without dedicated regulatory staff turn to attorneys.
The goal is to ensure that prospective and existing cloud vendors are compliant with various regulations.

Who does this? IT gets involved because, almost always, IT owns the cloud vendor relationship. Typically, a senior business analyst in IT coordinates and verifies cloud vendor compliance, working with the regulatory group and attorneys. In the past, this responsibility often was performed informally. It should be formalized as part of the business analyst's job responsibilities.

Security. Cloud vendor security audits and methods must be reviewed annually to ensure that vendors continue to adhere to company security requirements. At the same time, IT is responsible for configuring the security levels for its own assets in the cloud.

Who does this? The IT security staff should have written accountabilities for configuring and monitoring security in the cloud. This includes setting up security for cloud-based IT assets and annual reviews of cloud vendor security audits.

Asset deployment, management, and performance optimization. Applications and IT infrastructure components that support the production environment should be deployed, monitored, and optimized for performance in the cloud as part of IT's daily work. In some cases, there will be joint responsibility for sharing these tasks between IT and cloud vendors, but ultimately it is IT that is responsible for ensuring that applications and the supporting infrastructure are running in the cloud as they should be.

Who does this? In PaaS and IaaS cloud environments, the systems group should have an individual assigned to maintaining performance levels in the cloud and working with cloud vendors as needed. On the applications side, a senior applications group staff member or manager would carry out this responsibility for applications.

Data stewardship and testing. Cloud services sell data, and other cloud services are in charge of maintaining data in a safe and secure environment.
In still other cases, cloud services are being used to provision and de-provision test databases and infrastructure for IT unit application testing. Someone in IT should be formally assigned the responsibility of ensuring that cloud data is safe, and that IT test environments are correctly configured.

Who does this? The database group should be tasked with data management and stewardship of cloud data. The DBA or a data analyst should also be assigned the responsibility of setting up or taking down testing facilities, or in many cases, supervising the application programmers themselves to ensure they are doing this correctly.

Final Thoughts
Cloud-based data, applications and infrastructure are a major part of IT portfolios, so IT can't afford to consign these responsibilities to third parties, especially if these IT departments are in very large enterprises.

It's time to formalize cloud responsibilities throughout the IT organization, and to provide the time for IT staff members to get up to speed with cloud-based tools that they will need in performing their cloud-based responsibilities.

The task now for CIOs and senior IT leaders is to map these cloud responsibilities across the IT organization, because different individuals in diverse areas of IT will be needed to do them.