Post Syndicated from Ryan Smith original https://www.servethehome.com/intel-computex-2026-keynote-live-coverage/
Closing out Computex’s day 2 keynotes is Intel, where CEO Lip-Bu Tan will be outlining Intel’s vision for the Intelligence Era and engineering AI hardware across multiple markets. Come join ServeTheHome for our live blog coverage of the keynote
The post Intel Computex 2026 Keynote Live Coverage appeared first on ServeTheHome.
Post Syndicated from Matt Granger original https://www.youtube.com/shorts/4IXGbcGimmg
Post Syndicated from Ryan Smith original https://www.servethehome.com/marvell-computex-2026-keynote-live-coverage/
Marvell’s keynote address will lead off day 2 of Computex 2026, where CEO Matt Murphy is taking the stage to discuss the need for and future of connectivity in AI data centers. Come join ServeTheHome for our live blog coverage of the keynote
The post Marvell Computex 2026 Keynote Live Coverage appeared first on ServeTheHome.
Post Syndicated from The Atlantic original https://www.youtube.com/shorts/SLbQHwSwiMk
Post Syndicated from Muni T. Bondu original https://aws.amazon.com/blogs/architecture/scaling-oncology-patient-support-how-new-york-cancer-and-blood-specialists-transformed-customer-experience-with-aws-and-pronetx-now-part-of-caylent/
As one of the United States’ leading oncology and hematology providers, the goal of New York Cancer and Blood Specialists (NYCBS) is to provide comprehensive and compassionate care to patients. The organization handles more than 250,000 patient calls every year across over 100 specialized queues and wanted to optimize its manual call handling process.
This post details how NYCBS partnered with Amazon Web Services (AWS) and AWS partner Pronetx (now part of Caylent) to migrate to Amazon Connect Customer, the AWS cloud contact center service. The migration delivered a 54 percent improvement in patient enrollment and transformed the way NYCBS connects with the patients who need them most.
NYCBS chose to migrate to a dedicated Amazon Connect Customer instance with the help of Pronetx, an AWS partner specializing in Amazon Connect Customer. The 13-week engagement covered three phases: discovery and foundation (2 weeks), build and implementation (8 weeks), and acceptance testing and go-live (3 weeks).
This solution uses Amazon Connect Customer as the core contact center service. At the heart of the customer experience infrastructure lies the call routing and patient communication logic. Within this infrastructure, several key components work together to deliver HIPAA-compliant patient care.
The architecture has three main layers, as shown in the following diagram. Each layer is designed to handle a specific aspect of the customer experience operations of NYCBS while maintaining HIPAA compliance throughout.
Figure 1: NYCBS customer experience solution architecture on Amazon Connect, showing the CTR management microservice, core contact center services, and call recording and AI/ML pipeline layers, integrated with shared AWS services and external systems.
This layer handles contact trace record (CTR) processing through Amazon API Gateway as the entry point. The microservice uses AWS Lambda functions (Get Disposition Code and Update CTRs) to retrieve and process call disposition codes, with Amazon DynamoDB storing disposition code data for quick retrieval.
The central Amazon Connect Customer instance manages incoming agent flows and call routing across more than 100 specialized queues. AWS Secrets Manager securely stores credentials and sensitive configuration. Amazon Polly provides text-to-speech capabilities for automated voice responses. Configuration is managed through DynamoDB configuration tables and configuration Lambda functions, with IVR Integration Lambda functions handling IVR workflows.
Call recordings and artifacts are stored in Amazon Simple Storage Service (Amazon S3). A dedicated Lambda function handles voicemail processing, with Amazon Transcribe converting voicemails to text. A subsequent Lambda function then creates cases from transcribed voicemails. AI capabilities are powered by Amazon Lex for conversational chatbots and other AWS AI services for intelligent automation, with OMS Lookup providing Order Management System integration.
The architecture integrates with external systems including Microsoft Intune ID for identity management and the on-premises systems of NYCBS. Shared AWS services provide the foundation:
Together, these components helped NYCBS reduce patient enrollment time by 54 percent. The reduction came through automated multi-language routing in English, Spanish, Russian, and Mandarin. NYCBS also added specialty-based queue prioritization for urgent cases and real-time agent monitoring across the more than 250,000 annual patient calls. The implementation maintains HIPAA compliance through role-based access controls, encryption with AWS KMS, and secure credential storage.
A key engineering decision was moving from a shared multi-tenant environment to a dedicated Amazon Connect Customer instance. This architectural shift helped NYCBS implement several capabilities that had previously been unavailable:
A dedicated Amazon Connect Customer instance gives healthcare organizations the flexibility, security, and native feature access that multi-tenant environments can’t match, including the following:
Within the 13-week implementation window, NYCBS achieved a 54 percent improvement in patient enrollment, which reflects not only operational efficiency, but also improved access to care. The organization removed third-party management fees through direct AWS consumption, reducing operational costs. NYCBS gained real-time visibility into call quality through Operata and the conversational analytics capabilities of Amazon Connect Customer. In addition, the team established a rapid CI/CD pipeline that deploys new features safely and quickly without disrupting patient services.
If your healthcare organization manages complex, high-volume contact center operations, you can apply what NYCBS achieved. A dedicated Amazon Connect Customer instance provides the flexibility, security, and native feature access that healthcare-specific workflows demand. We recommend the following next steps to get started:
Pronetx, now part of Caylent, an AWS Premier Tier Services Partner, specializes in Amazon Connect. Pronetx helps organizations design, migrate, and operate customer engagement systems on AWS, with a focus on resilience and AI-driven customer experience.
Post Syndicated from Channy Yun (윤석찬) original https://aws.amazon.com/blogs/aws/get-started-with-openai-gpt-5-5-gpt-5-4-models-and-codex-on-amazon-bedrock/
As we previewed in What’s Next with AWS 2026, we’re announcing the general availability of OpenAI GPT-5.5, GPT-5.4 models, and Codex on Amazon Bedrock, giving you access to frontier models and a coding agent for software development.
According to OpenAI, GPT-5.5 and GPT-5.4 models are excellent for coding, reasoning, agentic workflows, and complex professional work. You can use GPT-5.5 for the hardest customer workloads and GPT-5.4 for the best price-performance. You can call them through Responses API on Amazon Bedrock’s next-generation inference engine built for high performance, reliability, and security.
Codex is the OpenAI coding agent for AI-powered software development. According to OpenAI, more than 4 million developers use Codex every week to write, refactor, debug, test, and validate code across large codebases. With GPT-5.5 powering inference, Codex introduces a new class of intelligence optimized for complex, long-horizon developer workflows. You can use the Codex App, the Codex CLI, and IDE integrations with Visual Studio Code, JetBrains, and Xcode, with all model inference routed through the Responses API on Amazon Bedrock.
For customers with data residency requirements, all processing stays within the Bedrock Region you select. You pay per token with no seat licenses and no per-developer commitments.
GPT-5.5 and GPT-5.4 models on Bedrock in action
You can access the model programmatically using the OpenAI Responses API to call the bedrock-mantle endpoints through the OpenAI SDK, command-line tools such as curl.
Let’s start with OpenAI SDK for Python. Install OpenAI SDK.
pip install -U openaiSet the environment variables for authentication.
export OPENAI_BASE_URL="https://bedrock-mantle.us-east-2.api.aws/openai/v1"
export OPENAI_API_KEY="<BEDROCK_API_KEY>"
export BEDROCK_OPENAI_MODEL_ID="openai.gpt-5.5"
Here is a sample Python code to call GPT-5.5 model on Bedrock:
import os
from openai import OpenAI
client = OpenAI(
base_url=os.environ["OPENAI_BASE_URL"],
api_key=os.environ["OPENAI_API_KEY"],
)
response = client.responses.create(
model=os.environ["BEDROCK_OPENAI_MODEL_ID"],
input=[
{
"role": "developer",
"content": "You are a software engineer with excellent AWS cloud knowledge. Be concise and practical.",
},
{
"role": "user",
"content": "Design a distributed architecture on AWS in Python that should support 100k requests per second across multiple geographic regions.",
},
],
reasoning={"effort": "medium"},
text={"verbosity": "low"},
)
print(response.output_text)You can call directly the model endpoint using curl.
curl "$OPENAI_BASE_URL/responses" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $OPENAI_API_KEY" \
-d '{
"model": "openai.gpt-5.5",
"input": [
{
"role": "developer",
"content": "You are a software engineer with excellent AWS cloud knowledge."
},
{
"role": "user",
"content": "Design a distributed architecture on AWS in Python that should support 100k requests per second across multiple geographic regions."
}
],
"reasoning": {"effort": "medium"},
"text": {"verbosity": "low"}
}'You can use the Responses API when you want to use model-managed multi-turn state, need hosted tools, function tools, or richer tool orchestration, and run background or long-running work. To learn more, visit the OpenAI Cookbook Responses examples.
Using OpenAI Codex with GPT-5.5 on Amazon Bedrock
You can download Codex CLI, Codex App or Codex VS Code extension and get started with the Bedrock for model inference. Codex supports two Bedrock authentication pathways: Amazon Bedrock API key or AWS SDK credential chain. If you set AWS_BEARER_TOKEN_BEDROCK, Codex uses it first; otherwise Codex falls back to AWS SDK credential chain.
Set AWS_BEARER_TOKEN_BEDROCK in the environment that Codex will read:
export AWS_BEARER_TOKEN_BEDROCK=<your-bedrock-api-key>Then, configure your preferred Region and set the model ID to openai.gpt-5.5 in ~/.codex/config.toml, which is required for Bedrock API-key authentication. You can also choose openai.gpt-5.4, openai.gpt-oss-120b, or openai.gpt-oss-20b. For the desktop app or VS Code extension, put any environment variables the app needs in ~/.codex/.env.
model = "openai.gpt-5.5"
model_provider = "amazon-bedrock"
[model_providers.amazon-bedrock.aws]
region = "us-east-2"Restart the desktop app or VS Code extension after changing ~/.codex/config.toml or ~/.codex/.env. In Codex CLI, you should see a /status tab that looks like this:
In Codex App, you can use GPT-5.5 model through Amazon Bedrock inference.
Things to know
Let me share some important technical details that I think you’ll find useful.
medium effort. Start GPT-5.4 with effort set explicitly rather than relying on its none default.Now available
OpenAI GPT models and Codex on Amazon Bedrock are available today: GPT-5.5 model in the US East (Ohio) Region, GPT-5.4 model in the US East (Ohio) and US West (Oregon) Regions. Check the full list of Regions for future updates. To learn more, visit the OpenAI on Amazon Bedrock page and the Amazon Bedrock pricing page.
Give GPT-5.5, GPT-5.4 models, and Codex on Amazon Bedrock a try today and send feedback to AWS re:Post for Amazon Bedrock or through your usual AWS Support contacts.
— Channy
Post Syndicated from jake original https://lwn.net/Articles/1075832/
Over on the AboutCode blog, lead
maintainer Philippe Ombredanne writes
about an agentic LLM system porting the ScanCode
Toolkit to Rust. In the process, the LLM (or the people behind it)
infringed the ScanCode trademark, stripped copyright and license notices,
“and started an outreach campaign, without ever engaging the AboutCode
“. Ironically, the toolkit is used to scan source code and binaries in
community
order to figure out licensing and copyright information; it also reports on
package
dependencies, vulnerabilities, and more.
This is worth repeating: A comprehensive test suite, decent documentation, and curated datasets is what makes automated porting possible. It is also what makes a codebase easier to replicate without understanding it.
The agent’s initial approach, using an existing Rust license-detection library, failed to match ScanCode’s output quality. The agent then did what any translator would do when a loose paraphrase fails: it copied the original more closely. The final port reproduces ScanCode’s core algorithms, code organization, and data-driven architecture in Rust, not because the agent understood them, but because it had enough training data and test feedback to converge on equivalent code.
Post Syndicated from Napoleone Capasso original https://aws.amazon.com/blogs/compute/multi-region-event-driven-failover-architecture-with-amazon-eventbridge-and-route-53/
Multi-Region Event-Driven Failover Architecture with Amazon EventBridge and Route 53
Event-driven architectures enable applications to respond to events in real-time, providing scalability and loose coupling between components. However, ensuring high availability across multiple AWS regions requires careful design of failover mechanisms. This post demonstrates how to build a resilient multi-region event-driven architecture using Amazon EventBridge, Amazon API Gateway, and Amazon Route 53 health-based failover.
Overview
Organizations building event-driven applications need to achieve high availability and disaster recovery capabilities. This architecture provides automatic failover between AWS regions while maintaining regional independence for event processing. The solution uses Amazon Route 53 health checks to monitor regional Amazon API Gateway endpoints and automatically routes traffic to healthy regions without manual intervention.
The architecture delivers several key benefits. Regional independence reduces latency by processing events in the same region where they originate. Amazon DynamoDB global tables provide automatic data replication across regions, ensuring data availability during regional failures. The solution provides robust failover capabilities while maintaining architectural simplicity.
Organizations with strict availability requirements can find this solution particularly valuable. All event processing remains within AWS regions, and failover occurs automatically based on health check results. The architecture supports both planned maintenance windows and unplanned regional outages, providing flexibility for operational needs.
Solution overview
The solution implements an active-passive multi-region architecture where events flow through Amazon API Gateway to regional Amazon EventBridge buses. Amazon Route 53 health checks monitor the primary region and automatically route traffic to the secondary region during failures. Each region processes events independently, while Amazon DynamoDB Global Tables replicate data across regions.
The following diagram provides an overview of the solution:
The above diagram depicts the multi-region architecture running across two AWS regions. The Route 53 DNS service serves as the main entry point for the application, with health checks monitoring both regions. Each region contains an identical stack with Amazon API Gateway, Amazon EventBridge, Amazon SQS, and AWS Lambda. The Amazon DynamoDB Global Table replicates data between regions automatically.
Solution deployment
To deploy this solution, follow the instructions in the GitHub repository and clone the repository. The solution deploys in two AWS regions. Ensure valid SSL certificates exist in AWS Certificate Manager (ACM) in both regions for the custom domain.
Prerequisites
For this walkthrough, the following resources are needed:
Walkthrough
The AWS CloudFormation templates from the sample GitHub repository create a secure, multi-region architecture that provides automatic failover for event-driven applications. The templates provision regional API Gateway endpoints, EventBridge buses, SQS queues, Lambda functions, and an Amazon DynamoDB Global Table. The solution establishes health monitoring through Route 53 health checks and configures DNS failover routing. The templates use AWS Serverless Application Model (SAM) transform to simplify Lambda and API Gateway resource definitions.
Step 1: Deploy the primary stack
The primary stack creates the foundational resources in the primary region. This includes the Amazon EventBridge bus, Amazon API Gateway with custom domain, health check, AWS Lambda function, Amazon SQS queue, and Amazon DynamoDB Global Table. The stack creates an EventBridge bus that receives events from API Gateway:
The API Gateway uses AWS service integration to forward events directly to EventBridge:
x-amazon-apigateway-integration:
type: "aws"
uri: !Sub "arn:aws:apigateway:${AWS::Region}:events:path//"
credentials: !GetAtt ApiGatewayEventBridgeRole.Arn
httpMethod: "POST"The health check monitors the API Gateway endpoint to determine regional availability:
DomainHealthCheck:
Type: AWS::Route53::HealthCheck
Properties:
HealthCheckConfig:
Type: HTTPS
ResourcePath: /Prod/health FullyQualified
DomainName: !Sub ${Api}.execute-api.${AWS::Region}.amazonaws.com
Port: 443
RequestInterval: 30
FailureThreshold: 3The Route 53 DNS record configures failover routing with the PRIMARY designation:
ApiDnsRecord:
Type: AWS::Route53::RecordSet
Properties:
HostedZoneId: !Ref HostedZoneId
Name: !Ref CustomDomainName
Type: A
SetIdentifier: primary-region
Failover: PRIMARY
HealthCheckId: !Ref DomainHealthCheckThe DynamoDB Global Table creates replicas in both regions:
DataTable:
Type: AWS::DynamoDB::GlobalTable
Properties:
BillingMode: PAY_PER_REQUEST
Replicas:
- Region: !Ref AWS::Region
- Region: !Ref SecondaryRegionNote the `DataTableName` output value for use in the secondary stack deployment. The `CustomDomainURL` output provides the endpoint to invoke the solution.
Step 2: Deploy the secondary stack
The secondary stack creates identical resources in the secondary region , except for the Amazon DynamoDB table which references the existing Global Table. The secondary stack creates its own Amazon EventBridge bus, Amazon API Gateway, health check, AWS Lambda function, and Amazon SQS queue. The Route 53 DNS record uses the SECONDARY designation
Step 3: Event processing flow
Events flow through the processing pipeline in each region. API Gateway receives events and forwards them to EventBridge using the PutEvents API. EventBridge evaluates event rules and routes matching events to SQS queues. Lambda functions poll the SQS queues and process events in batches. AWS Lambda writes processed data to the DynamoDB Global Table, which replicates across regions.
The Lambda function processes events from the queue and writes to DynamoDB:
def handler(event, context):
for record in event.get('Records', []):
body = json.loads(record['body'])
detail = body.get('detail', {})
event_id = body.get('id', '')
item = { 'id': event_id, 'detail': detail, 'timestamp': datetime.utcnow().isoformat() }
table.put_item(Item=item)Testing
Fetch the custom domain URL and test it by sending an event:
curl -X POST https://api.example.com \-H "Content-Type: application/json" \ -d '{ "Detail": { "IsHelloWorldExample": "true" }, "DetailType": "POSTED", "Source": "demo.event" }' -vThe response includes an `X-Region` header indicating which region processed the request. Under normal conditions, this shows the primary region.
To test failover:
aws apigateway delete-base-path-mapping \ --domain-name api.example.com \ --base-path '(none)' \ --region {primary-region}aws apigateway delete-stage \ --rest-api-id <primary-api-id> \ --stage-name Prod \ --region {primary-region}
curl -X POST https://api.example.com \-H "Content-Type: application/json" \ -d '{ "Detail": { "IsHelloWorldExample": "true" }, "DetailType": "POSTED", "Source": "demo.event" }' -vVerify event processing in the secondary region:
aws logs tail /aws/lambda/<secondary-lambda-name> --region {secondary region}
You should see log entries similar to:
Processing message:
{"version":"0",
"id":"abc12345-...",
"source":"demo.event",
"detail-type":"POSTED",...}
Event Source: demo.event
Detail Type: POSTED
Successfully wrote item to DynamoDB: abc12345-...
Successfully read item from DynamoDB:
{'id': 'abc12345-...',
'source': 'demo.event',
'detailType': 'POSTED',
'detail':
{'data': {'IsHelloWorldExample': 'true'},
...},
'timestamp': '2025-01-15T18:30:00.000000',
'processed': True}aws dynamodb scan \ --table-name <table-name> \ --region {secondary region}```
The scan results should include items with the event details:
{ "Items":
[ { "id": {"S": "abc12345-..."},
"source": {"S": "demo.event"},
"detailType": {"S": "POSTED"},
"detail":
{"M": {"data":
{"M":
{"IsHelloWorldExample":
{"S": "true"}}}}},
"timestamp": {"S": "2025-01-15T18:30:00.000000"},
"processed": {"BOOL": true} } ],
"Count": 1 }aws apigateway create-stage \ --rest-api-id <primary-api-id> \ --stage-name Prod \ --deployment-id <deployment-id> \ --region {primary region}
aws apigateway create-base-path-mapping \ --domain-name api.example.com \ --rest-api-id <primary-api-id> \ --stage Prod \ --region {primary region}
You can find the “deployment-id” by running: aws apigateway get-deployments \ --rest-api-id <primary-api-id> \ --region {primary region}
After 2-3 minutes, the health check passes and Route 53 routes traffic back to the primary region.
Cleanup
To remove the solution and avoid ongoing charges, delete the CloudFormation stacks in the correct order. Delete the secondary stack first, then the primary stack. This order is important because the Amazon DynamoDB Global Table is owned by the primary stack. Warning: Deleting these stacks permanently removes all resources including the Amazon DynamoDB global table and any event data stored in it. Back up any data you need before proceeding. This action cannot be undone. The following resources incur costs while deployed:
Delete the secondary stack:
aws cloudformation delete-stack --stack-name secondary-stack --region {secondary region}
Wait for the secondary stack deletion to complete:
aws cloudformation wait stack-delete-complete --stack-name secondary-stack --region {secondary region}
Delete the primary stack:
aws cloudformation delete-stack --stack-name primary-stack --region {primary region}
Wait for the primary stack deletion to complete:
aws cloudformation wait stack-delete-complete --stack-name primary-stack --region {primary region}
This removes all resources including the Amazon EventBridge buses, Amazon API Gateways, AWS Lambda functions, Amazon SQS queues, Amazon DynamoDB Global Table, Amazon Route 53 health checks, DNS records and IAM roles.
Conclusion
This post demonstrates how to establish a resilient multi-region architecture for event-driven applications using Amazon EventBridge, Amazon API Gateway, and Amazon Route 53. The solution uses Route 53 health-based failover, a powerful capability that automatically routes traffic to healthy regions based on health check results. This architecture significantly enhances application availability by providing automatic failover during regional outages while maintaining regional independence for event processing.
Post Syndicated from daroc original https://lwn.net/Articles/1073762/
Optimizing compilers can, under some circumstances, infer when a parameter to a
function is not needed, and remove it. This is all well and good until the
kernel’s tracing or BPF subsystems need information on how to call the function
or where its arguments are stored.
Alan Maguire and Yonghong Song spoke at the 2026
Linux
Storage, Filesystem, Memory-Management, and BPF Summit about their work on
recording information regarding changed function signatures in the kernel’s BTF debugging
information, to better support tracing such functions.
Post Syndicated from jzb original https://lwn.net/Articles/1075806/
Greg Kroah-Hartman has announced the release of the 7.0.11, 6.18.34, 6.12.92, 6.6.142, 6.1.175, 5.15.209, and 5.10.258 stable kernels. As usual, each
contains important fixes throughout the tree, including a fix for the “CIFSwitch” vulnerability (CVE-2026-46243) which could allow a local-privilege-escalation exploit. Users are advised to
upgrade.
Post Syndicated from Ryan Smith original https://www.servethehome.com/nvidia-computex-2026-news-bytes-vera-rubin-now-in-production-dgx-station-gets-windows/
At Computex 2026, NVIDIA announced that its next-gen Vera Rubin platform is now in full production. The company is also bringing Windows to its high-end DGX Station systems, which will be available in Q4
The post NVIDIA Computex 2026 News Bytes: Vera Rubin Now In Production, DGX Station Gets Windows appeared first on ServeTheHome.
Post Syndicated from Giovanni Pereira Zantedeschi original https://blog.cloudflare.com/optimizing-core-unit-boot-time/
Cloudflare’s core is the centralized data centers that run our control plane, billing, and analytics — distinct from the globally distributed edge that handles user traffic. Core servers are bare metal, and when issues happen during reboot, the consequences can cascade fast.
Their boot sequence is orchestrated by UEFI, the modern firmware standard that initializes hardware and hands off control to the operating system. Small quirks in that handoff can have outsized consequences.
After a routine firmware update, some of our core servers were taking four hours to come back online, rather than just minutes as they did before. What should have been a one-day fleet-wide rollout was stretching into multi-day slogs. New nodes faced the full timeout gauntlet on their very first boot. Maintenance windows ballooned. Engineering teams had to babysit upgrades that should have run unattended.
This issue affected the entire Gen12 fleet — nearly 2,000 units. Every unexpected failure mid-upgrade meant restarting the entire cycle, and new capacity sat idle waiting for the timeout gauntlet to clear.
This is the story of how we tracked the cause to a firmware quirk and an over-eager linear search through every available network boot interface, and how we cut total boot and upgrade time from hours back down to minutes. Along the way, we’ll share what we learned about UEFI internals, vendor-specific quirks, and the automation strategies that ultimately solved the problem.
A network boot interface allows a server to boot its operating system over the network instead of from local storage. This is critical for centralized, automated, and scalable control over how machines start up, especially across a globally distributed fleet serving different workloads. Since our servers are located in different environments and serve different purposes, they have different requirements for a specific network boot interface. The two primary interfaces are the Preboot Execution Environment (PXE) and Unified Extensible Firmware Interface (UEFI) HTTPS boot.
As part of our reboot process, our servers usually go through PXE for various automation reasons. At Cloudflare, we use the open-source iPXE, an open-source network boot firmware that supports modern protocols like HTTP and HTTPS. This allows computers to boot operating systems directly from web servers, the cloud, or enterprise storage networks with significantly faster speeds and greater reliability.
For organizations, iPXE turns the boot process into a programmable workflow. It offers advanced scripting capabilities that allow IT teams to automate complex deployments, such as provisioning servers based on specific hardware configurations or managing secure, diskless workstations.
Some of our hardware supports HTTPS-based UEFI network boot, which enables the computer’s motherboard firmware to natively download operating system files securely.
Our tale begins with that fateful firmware update. Following the update, the first reports came through our internal channels: servers weren’t coming back online. Monitoring dashboards showed machines stuck in a pre-OS state for far longer than expected. Our initial suspicion was a firmware regression: perhaps the update itself had introduced a bug that was hanging the boot process.
To rule that out, we pulled up the serial console on an affected machine and watched a boot cycle in real time. The firmware Power On Self Test (POST) completed normally and hardware initialization looked healthy. But then, instead of quickly reaching the network boot stage and pulling down an OS image, the server sat waiting. And waiting.
The console output told the story: the system was attempting an IPv4 HTTPS network boot, timing out after several minutes, then trying IPv4 iPXE, timing out again, then repeating both — all before finally reaching the IPv6 HTTPS boot interface that would actually succeed.
Every failed network boot attempt burned roughly five minutes waiting for a timeout response. With four attempts stacking up before the correct interface was reached, a single boot cycle wasted around twenty minutes. For a routine reboot, that’s painful. For firmware upgrade automation, which requires multiple sequential reboots, one per component, those twenty-minute penalties compounded into nearly four hours of idle waiting per server.
After tracing the boot sequence and isolating the timeout pattern, the root cause became clear: the servers were blindly searching through every available network boot interface, one by one, waiting for each to fail before moving on. The fix was to eliminate the guesswork entirely — declare the correct boot interface upfront so the system never wastes time on interfaces that will never respond.
But putting this into practice was far from straightforward. As we explain next, we hit several obstacles: the order of our boot automation workflow, a setting we were blocked from changing, and differing string formats from our different network interface card vendors.
Our boot automaton flow is in three broad stages: firmware initialization, pre-boot, and kernel startup. After power on, the UEFI firmware does some hardware and peripheral initialization followed by the PXE pre-boot environment. The pre-boot sets up the network card and executes a small program called bootloader, which kickstarts the kernel. It’s in this PXE stage that various network interfaces are probed for the right one. On first boot, firmware upgrades are included in our boot automation workflow.
And because each firmware upgrade requires a reboot (and its attendant network boot attempt sequence), that’s how we got to the situation where the total boot time took close to four hours.
By restructuring the automation sequence to declare the network boot interface order early on in the pre-boot PXE stage for each hardware/use-case, we were able to cut the total time by about an hour, since the boot process no longer needed to spend 20 minutes probing for each firmware upgrade.
Attempting to declare the network boot interface order introduced two specific constraints:
Legacy Support: Boot ordering is not supported on older UEFI versions
Persistence: Configuration settings are often reset following a UEFI firmware upgrade
To address these edge cases, we implemented a state validation step. The firmware automation now validates the configuration post-change: if it detects that settings have been modified, it re-applies the config and triggers a reboot.
Although the first boot may take slightly longer, this change drastically reduces the time required for all future start-ups from about 20 minutes to less than a minute per subsequent boot.
The internal data structure of the Network Boot settings is an EFI_IFR_REF3 data structure that was being lazy loaded, meaning the data is not instantiated until it is explicitly accessed via a GUI callback:
typedef struct _EFI_IFR_REF3 {
EFI_IFR_OP_HEADER Header;
EFI_IFR_QUESTION_HEADER Question;
EFI_QUESTION_ID QuestionId;
EFI_GUID FormSetId;
} EFI_IFR_REF3;
While this is standard industry practice to accelerate BIOS boot times, it rendered the “Network Boot Interface” invisible to our programmatic scans. Because the structure hadn’t been “loaded” yet, our automation couldn’t discover the priorities.
We worked with our vendors to enable specific tokens within the fixed “Boot Order Module.” This forces the discovery of the Network Boot Interface during the boot sequence without requiring manual GUI interaction.
The UEFI from our equipment manufacturers had an immutable setting, Force Priority Httpv4 Httpv6 Pxev4 Pxev6, that was preventing us from changing the boot order.
This required a new BIOS version from our vendor and a debug session when setting the boot order.
Depending on the network interface card (NIC) vendor, the strings would be different, causing a mismatch when configuring the boot order through iPXE.
Examples:
UEFI: HTTPS IPv4 Ethernet Network Adapter XXX-XXX-Y for OCP 3.0 P1
UEFI: HTTPS IPv4 Network Adapter - 50:00:E6:8F:4F:32 P1
In order to work around this issue, we had to implement an additional feature to the CfHIIConfig_App tool, allowing it to set the config without having the full string:
.*HTTP.*IPv4.*P1
The config would then be matched against the accepted config strings and would select the correct boot order. We are currently working with our UEFI vendors to standardize the network interface strings to only make use of the relevant information (e.g. protocol, transfer type, port number, and physical slot index) and drop the product details like the MAC address. The product details, if needed, can be read from the embedded vital product detail information of the network interface card. That way we eliminate both configuration drift and the use of wildcards.
Since iPXE reads this variable as HEX, it was reading the string output as hex. To check if the network boot setting was modified and to reduce boot time (so we don’t have to print the variables before setting them), we implemented a boolean flag, uefi-same-hex, to indicate whether a configuration changed.
This enabled us to run a single set command instead of first running show to compare, and then set if the configuration was not in the desired state.
This enabled us to run a single set command instead of first running show to compare, and then set if the configuration was not in the desired state.
# construct path to read the update variable
set buffer-var-guid 91468514-75bc-4bb5-8f33-91efff9e9b1f
set var-upd-path efivar/CfHIIVarUpd-${buffer-var-guid}
#Run the config change command
imgexec <signed CF UEFI configuration App> set ${uefi-setting}=${uefi-value}
#Compare the update variable with the expected value if it has changed.
#If it has changed, set the local variable to reboot the system
iseq ${uefi-same-hex} ${${var-upd-path}} || set has-changed ${uefi-diff-hex}
By eliminating the guesswork from our network boot sequence, we turned a four-hour ordeal back into a 3-minute process. The result is a system where changes are dynamic and no manual BIOS interactions are needed. A single BIOS firmware image serves all SKUs, configuration updates deploy at scale through our existing release pipeline, and the entire workflow operates from iPXE.
|
Metric |
Before ordering change |
After ordering change |
|---|---|---|
|
Firmware Upgrade Automation |
Nearly 4 hours |
3 minutes |
|
Subsequent Single Boot |
About 20 minutes |
Less than a minute |
None of this would have been possible without digging deep into UEFI internals, collaborating closely with our OEM vendors to unlock capabilities like programmatic boot order control, and leveraging open-source tools like iPXE to build scalable automation.
With each passing day, Cloudflare’s OpenBMC team continues to learn about, experiment with, and optimize the boot process across our core fleet. If you are managing bare-metal infrastructure and struggling with slow server boot times, we hope this post has given you a practical framework for identifying and eliminating unnecessary delays in your own network boot sequence. For those interested in learning more about iPXE and network boot automation, check it out here!
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2026/06/vulnerability-disclosure-in-the-age-of-ai.html
New article: “Responsible Disclosure in the Age of AI: A Call for Urgent Action,” by Melissa Hathaway.
Abstract: Artificial intelligence is fundamentally reshaping the balance between vulnerability discovery and remediation. Frontier AI models are now capable of autonomously identifying exploitable software vulnerabilities at unprecedented speed and scale. This development exposes decades of accumulated technical debt created by a software industry that prioritized rapid deployment over secure-by-design engineering practices. Drawing on the evolution of software assurance, vulnerability disclosure frameworks, and U.S. cyber policy, this perspective argues that the current moment represents a strategic inflection point for governments, industry, and critical infrastructure operators. The author examines the growing tension between offensive and defensive equities in cyberspace, the emergence of AI-enabled vulnerability discovery capabilities in both the U.S. and China, and the increasing risks posed by unsupported legacy systems and AI-assisted code generation practices. Responsible disclosure can no longer remain a reactive or fragmented process, but must become a coordinated national and international resilience effort involving governments, software vendors, infrastructure operators, and emergency response organizations. The article concludes with an urgent call for accelerated remediation, large-scale patch management coordination, and sustained investment in automated vulnerability repair capabilities before adversaries exploit this rapidly narrowing window of opportunity.
Post Syndicated from Philip Chen original https://aws.amazon.com/blogs/architecture/building-a-scalable-user-search-layer-on-top-of-amazon-cognito/
Imagine a teammate who needs to find a user across thousands of accounts with only a partial email address, a last name, and a known access level. How quickly can your team respond? If your use case involves straightforward searches on standard Amazon Cognito attributes, the built-in ListUsers API is likely all you need. But for advanced scenarios involving custom attributes, fuzzy matching, complex filtering, and sub-second response times, a dedicated search layer is the right investment.
Amazon Cognito provides robust user authentication and management capabilities for modern applications. As applications scale, development teams typically implement advanced search functionality to find users by partial email match, segment group membership, or audit across multiple custom attributes.
In this post, we show how to build a comprehensive scalable user search layer on top of Amazon Cognito using AWS Lambda, Amazon DynamoDB, and Amazon OpenSearch Service.
This solution extends Amazon Cognito with advanced search capabilities using AWS Lambda, Amazon DynamoDB, and Amazon OpenSearch Serverless.
Key capabilities:
The architecture uses Cognito Lambda triggers to capture user data during authentication, stores it in DynamoDB, and indexes it in OpenSearch Serverless through DynamoDB Streams. The following architecture diagram illustrates how these components work together.
Figure 1: Solution architecture for Searchable Cognito Users
The solution architecture demonstrates two flows: Ingestion flow and Search flow.
The ingestion flow captures and indexes user data through two paths: Cognito Lambda triggers and AWS CloudTrail. Together, these paths maintain synchronization between the search index and Cognito without requiring manual intervention or scheduled batch jobs.
This path captures user data during authentication events using a Cognito trigger Lambda function that handles two trigger types: Post-confirmation and Pre-token generation. The post-confirmation trigger creates the initial user record on sign-up, while the pre-token generation trigger tracks login activity and app client information on each subsequent authentication. The pre-token generation trigger also provides access to the user’s group membership in the event payload, which is indexed as a searchable field. The flow operates through the following steps:
Note: The Cognito Lambda triggers are deployed in a VPC. Cognito enforces a 5-second timeout on trigger functions. If you’re extending these triggers with additional functionality or already using post-confirmation or pre-token generation triggers, ensure the combined execution time stays well within this limit. Consider provisioned concurrency if cold starts are a concern.
Figure 2: User Data Ingestion via Cognito Lambda Triggers
This path captures admin-initiated user changes that occur outside the authentication flow, such as creating users using the Cognito console or CLI. These actions don’t trigger Cognito Lambda triggers, so CloudTrail and EventBridge bridge the gap. The flow operates through the following steps:
Figure 3: User Data Ingestion via CloudTrail
Figure 4: Data model for indexed user attributes in Amazon DynamoDB
With the search flow, authorized users can query the indexed user directory:
Figure 5: Search Flow Sequence Diagram
Figure 6: Demo UI user search integration on multiple properties
Figure 7: Demo UI user search integration on auto-suggest
Ready to see this solution in action? The repository includes everything you need to deploy a complete working implementation in your own AWS environment.
The source code for this solution is available on GitHub at: https://github.com/aws-samples/sample-user-search-layer-for-cognito.
The repository includes everything you need: AWS CDK infrastructure code, Lambda function implementations, a React frontend, and documentation. You can have a fully functional searchable user directory running in your account in under 20 minutes. When you’re finished testing, clean up all resources to avoid ongoing charges.
In this post, you learned how to extend Amazon Cognito with advanced search capabilities. By combining OpenSearch Serverless, DynamoDB Streams, and Lambda functions, you can build a scalable, event-driven architecture that automatically maintains a searchable user directory with sub-second query performance.
This pattern unlocks powerful use cases: support teams can quickly locate users across thousands of accounts, administrators can segment users by group membership for targeted communications, and compliance teams can audit user attributes with complex filtering.
To dive deeper into the AWS services powering this solution:
Post Syndicated from Baj Bajwa original https://aws.amazon.com/blogs/security/spring-2026-soc-1-2-and-3-reports-are-now-available-with-188-services-in-scope/
Amazon Web Services (AWS) is pleased to announce that the Spring 2026 System and Organization Controls (SOC) 1, 2, and 3 reports are now available. The reports cover 188 services over the 12-month period from April 1, 2025–March 31, 2026, giving customers a full year of assurance. These reports demonstrate our continuous commitment to adhering to the heightened expectations of cloud service providers.
Customers can download the Spring 2026 SOC 1 and 2 reports through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact. The SOC 3 report can be found on the AWS SOC Compliance Page and AWS Artifact.
AWS is excited to be the first cloud service provider to offer compliance reports to customers in NIST’s Open Security Controls Assessment Language (OSCAL), an open-source, machine-readable (JSON) format for security information. The SOC report package in OSCAL format is now available separately in AWS Artifact, marking a milestone towards open, standards-based compliance automation. This machine-readable version of the SOC 1 & 2 reports enables workflow automation to reduce manual processing time and modernize security and compliance processes. Your use-cases for this content are innovative and we want to hear about them via the contact information found in the OSCAL report package.
AWS strives to continuously bring services into the scope of its compliance programs to help customers meet their architectural and regulatory needs. You can view the current list of services in scope on our Services in Scope page. As an AWS customer, you can reach out to your AWS account team if you have any questions or feedback about SOC compliance.
To learn more about AWS compliance and security programs, see AWS Compliance Programs.
If you have feedback about this post, submit comments in the Comments section below.
Post Syndicated from LastWeekTonight original https://www.youtube.com/shorts/3b3pkBRCn78
Post Syndicated from corbet original https://lwn.net/Articles/1075766/
The DistroWatch site is celebrating its
25th anniversary. “All in all, it has been an incredible ride. Many
” Congratulations to Ladislav
of you who read these pages regularly know that downloading and testing
distributions is a highly addictive pastime. I have been an avid
distro-hopper for the last 25 years and I don’t see myself abandoning this
activity for many more years to come.
Bodnar and all the others who have kept that resource going for so long.
Post Syndicated from Micah Walter original https://aws.amazon.com/blogs/aws/aws-weekly-roundup-claude-opus-4-8-on-aws-aurora-mysql-with-kiro-powers-and-more-june-1-2026/
In my last Week in Review post, I shared what I’d been hearing from customers in the AI-Driven Development Lifecycle (AI-DLC) workshops I’ve been delivering. Last week I was back at it, this time in Denver for a two-day AI-DLC workshop, where I helped facilitate 17 teams to deliver nearly 20 separate use cases in just two days. The pace of acceleration that AI-DLC unlocks—especially when paired with tools like Claude Code on Amazon Bedrock—is fundamentally changing how businesses operate. Traditional roles within software development teams are collapsing into smaller, AI-augmented squads, and the paradigm shift is beginning to take place right in front of us. To learn more about how to utilize various AI tools, visit the GitHub repository of AI-DLC workflow.
This shift is also reshaping how AWS account teams (solutions architects, customer solutions managers, and technical account managers) collaborate with customers. It’s becoming less about handing off advisory design documents and more about building alongside them in real time. It’s a genuinely exciting moment to be in the middle of the change, and this week’s headline launch — Anthropic’s most capable model yet, now on AWS — is going to push that pace even further.
Now, let’s get into this week’s AWS news…
Headlines
Claude Opus 4.8 on AWS — Anthropic’s most capable generally available model is now accessible through both Amazon Bedrock and the Claude Platform on AWS. Opus 4.8 is built for agentic coding, knowledge work, and extended autonomous task execution — it sustains longer autonomous sessions with deeper reasoning, recovers from errors, and synthesizes information across lengthy documents. For coding workloads, it reads codebases like an engineer, plans before it edits, and holds context across long sessions. On Amazon Bedrock, you get AWS-managed features like Guardrails, Knowledge Bases, and data residency; on the Claude Platform on AWS, you get Anthropic’s native APIs unified with AWS billing. To learn more, visit the deep-dive blog post.
Last week’s launches
Here are some launches and updates from this past week that caught my attention:
For a full list of AWS announcements, be sure to keep an eye on the What’s New with AWS page.
Other AWS news
Here are some additional posts and resources that you might find interesting:
For a full list of AWS blog posts, be sure to keep an eye on the AWS Blogs page.
Learn more about AWS, browse and join upcoming AWS-led in-person and virtual events, startup events, and developer-focused events as well as AWS Summits and AWS Community Days. Join the AWS Builder Center to connect with builders, share solutions, and access content that supports your development.
That’s all for this week. Check back next Monday for another Weekly Roundup!
-Micah
Post Syndicated from corbet original https://lwn.net/Articles/1074897/
The x32 ABI was meant
to be the best of both worlds, providing the expanded registers and
instruction set of the x86-64 architecture while preserving the lower
memory use of 32-bit systems. The Linux kernel has supported x32 since the
3.4 release in 2012. The initial excitement around x32 did not last,
though, and kernel developers are considering removing that support — and
not for the first time. Even the most unloved features tend to have a few
users, though, making removal hard.
Post Syndicated from jzb original https://lwn.net/Articles/1075742/
StepSecurity is reporting
that a number of npm packages in the @redhat-cloud-services
scope include malware that runs automatically on every npm
install:
The payload is a multi-stage credential harvester that sweeps
GitHub Actions secrets along with AWS, GCP, Azure, Kubernetes,
HashiCorp Vault, npm, and CircleCI tokens, and it is purpose-built to
evade detection, including an explicit attempt to bypass StepSecurity
Harden-Runner.StepSecurity analyzed @redhat-cloud-services/[email protected] in full. Its
index.js, executed at install time, is 4.2 MB, a file that should
weigh a few kilobytes, with the real payload buried under three
separate layers of obfuscation. The malware is also a self-propagating
worm: using stolen npm tokens and npm’s bypass_2fa parameter, it
republishes backdoored versions of other packages on its own, even
against accounts protected by two-factor authentication, so every
infected machine can seed the next wave with no attacker
involvement. All affected packages were published via GitHub Actions
OIDC from the RedHatInsights/javascript-clients repository, indicating
the upstream CI/CD pipeline itself was compromised. Analysis of the
remaining packages is ongoing.
A blog
post from SafeDep has additional analysis about the incident. We did not find an advisory from Red Hat on this yet.