Security

Even Password Manager Subscribers Reuse Passwords, Study Finds (pcmag.com) 61

An anonymous reader shares a report: It's not exactly breaking news that people reuse passwords, but you might expect password manager subscribers to avoid the practice. You'd be wrong, according to a new study. Dashlane's downer of a report draws on saved logins analyzed on-device by Dashlane's software across "millions" of individual and business accounts. It finds dismally high percentages of password reuse worldwide. The US and Canada rank the worst of every region Dashlane tracked, with 48% of passwords in individual password vaults being reused. Another 15% rate as compromised, meaning those passwords have shown up in data breaches.

Combined with other security data points, the US and Canada land at a security score of 72.6 out of 100 in Dashlane's report, the lowest of all 14 regions covered in the study. The report, along with the Password Health score that Dashlane's software computes for individual users, emphasizes the longstanding problem of password reuse because that practice leaves its practitioners so vulnerable to getting hacked.

Power

Enel X Way's JuiceBox EV Chargers About To Lose All Connectivity Features (electrek.co) 101

New submitter ae4ax writes: North American buyers of JuiceBox EVSEs (chargers) received an email today declaring the imminent closure of Enel X Way USA, LLC, the maintainers of the software infrastructure behind their EVSEs. Customer support has already shut down, and apps will be deactivated and removed by October 11, 2024. The company claims economic headwinds from lackluster EV sales and high interest rates as the motivation for the closure. Enel X Way properties outside North America are not affected, they say. "An experienced third-party firm will be appointed to manage the company's affairs and ensure that the closure is handled with the utmost care and professionalism," the company said in a statement. "The appointed firm will be responsible for managing the remaining obligations and communicating directly with customers and partners regarding the closure."

Customers will still be able to charge vehicles but all their connectivity features -- the Enel X Way app and all other Enel e-mobility apps in North America -- will stop working. Commercial charging stations will also lose functionality. "So if you own a JuiceBox, you just got nine days' warning that your home charger can no longer be configured," reports Electrek.

Electrek's Michael Bower, who uses a JuiceBox to charge his Chevy Bolt, said: "I'm disappointed that Enel X Way is removing their apps -- and thus the ability to change the amperage -- for their EVSEs. I live in a condo with a 100A panel, so the ability to lower the amperage from 40 to 32 or 16 was beneficial when charging my EV while drawing power for laundry or the central A/C in the summer. It just shows how 'smart' EVSEs are too reliant on their respective apps."
Network

Cisco Is Abandoning the LoRaWAN Space With No Lifeboat For IoT Customers 37

Cisco is exiting the LoRaWAN market for IoT device connectivity, with no migration plans for customers. "LoRaWAN is a low power, wide area network specification, specifically designed to connect devices such as sensors over relatively long distances," notes The Register. "It is built on LoRa, a form of wireless communication that uses spread spectrum modulation, and makes use of license-free sub-gigahertz industrial, scientific, and medical (ISM) radio bands. The tech is overseen by the LoRa Alliance." From the report: Switchzilla made this information public in a notice on its website announcing the end-of-sale and end-of-life dates for Cisco LoRaWAN. The last day customers will be able to order any affected products will be January 1, 2025, with all support ceasing by the end of the decade. The list includes Cisco's 800 MHz and 900 MHz LoRaWAN Gateways, plus associated products such as omni-directional antennas and software for the Gateways and Interface Modules. If anyone was in any doubt, the notification spells it out: "Cisco will be exiting the LoRaWAN space. There is no planned migration for Cisco LoRaWAN gateways."
Iphone

The Feds Still Can't Get Into Eric Adams' Phone (theverge.com) 112

The Verge's Gaby Del Valle reports: New York City Mayor Eric Adams, who was indicted last week on charges including fraud, bribery, and soliciting donations from foreign nationals, told federal investigators he forgot his phone password before handing it over, according to charging documents. That was almost a year ago, and investigators still can't get into the phone, prosecutors said Wednesday.

During a federal court hearing, prosecutor Hagan Scotten said the FBI's inability to get into Adams' phone is a "significant wild card," according to a report from the New York Post. The FBI issued a search warrant for Adams' devices in November 2023. Adams initially handed over two phones but didn't have his personal device on him. The indictment does not mention what type of device Adams uses. When Adams turned in his personal cellphone the following day, charging documents say, he said he had changed the password a day prior -- after learning about the investigation -- and couldn't remember it. Adams told investigators he changed the password "to prevent members of his staff from inadvertently or intentionally deleting the contents of his phone," the indictment alleges.
The FBI just needs the right tools. When investigators failed to break into the Trump rally shooter's phone in July, they sent the device to the FBI lab in Quantico, Virginia, where agents used an unreleased tool from the Israeli company Cellebrite to crack it in less than an hour.
Facebook

Meta's Smart Glasses Repurposed For Covert Facial Recognition (404media.co) 47

Two Harvard students have developed smart glasses with facial recognition capabilities, sparking debate over privacy and surveillance. The project, dubbed I-XRAY, uses Meta's Ray-Ban smart glasses coupled with facial recognition software to identify strangers and retrieve personal information about them. AnhPhu Nguyen and Caine Ardayfio, the creators, tested the technology on unsuspecting individuals in public spaces. The glasses scan faces, match them against online databases, and display personal details on a smartphone within seconds. The students claim their project aims to raise awareness about potential privacy risks.
Emulation (Games)

Nintendo Shuts Down Ryujinx Switch Emulator (theverge.com) 38

Nintendo has convinced Ryujinx's lead developer to shut down the project. According to The Verge, the Switch emulator's download page is empty and its GitHub is gone. The Verge reports: "Yesterday, gdkchan was contacted by Nintendo and offered an agreement to stop working on the project, remove the organization and all related assets he's in control of," writes developer and moderator ripinperiperi on Discord. "While awaiting confirmation on whether he would take this agreement, the organization has been removed, so I think it's safe to say what the outcome is." The rest of ripinperiperi's message is a eulogy for the project, including a pair of videos showing the Ryujinx team's progress on iOS and Android ports of the Nintendo Switch emulator, among other core changes -- ones that will now presumably never ship.

Nintendo would not confirm or deny to The Verge that it made a deal with the developer. Instead, Nintendo spokesperson Eddie Garcia mysteriously pointed me to the Entertainment Software Association's head of public affairs Aubrey Quinn -- who said she couldn't speak on behalf of Nintendo.

Windows

Microsoft Paint is Getting Photoshop-like Generative AI Fill and Erase Features (theverge.com) 26

Microsoft is bringing some new AI-powered Paint and Photos features to Copilot Plus PCs that could make creatives less reliant on more powerful image editing software. From a report: Generative Fill and Generative Erase -- which appear to be heavily inspired by similar AI tools in Adobe Photoshop -- are being introduced to Paint, allowing users to precisely add or remove objects in their images.

Both tools utilize a size-adjustable brush to "paint" over specific areas of an image to edit. Generative Erase will remove unwanted figures, objects like background clutter, and other distractions, similar to the Magic Eraser feature on Google's Pixel phones. Generative Fill allows Paint users to add new AI-generated assets to an image using a text description and select precisely where they should be placed -- much like the Photoshop tool that shares the same name. These build on the Cocreator tool for Paint announced for Copilot Plus PCs earlier this year that can generate images using a combination of text prompts and reference sketches. The company says the diffusion-based model powering these features has been updated to improve output quality and speed and now includes "built-in moderation" to help prevent it from being abused.

Google

Chromebooks Are Getting a New Button and a Host of Google AI Features (wired.com) 25

Google is introducing a new "Quick Insert" button on Chromebooks, offering contextual AI tools across the operating system. The feature debuts on Samsung's Galaxy Chromebook Plus, replacing the traditional Caps Lock key. Older Chromebooks can access Quick Insert via a keyboard shortcut. The button opens an overlay providing access to emojis, GIFs, Google's Help Me Write AI feature, and recent web links. Future updates will include AI-generated image creation.

Google is also rolling out new AI features to Chromebook Plus devices, including automatic transcription, real-time translation, and voice isolation for video calls. Standard Chromebooks will receive updates like Welcome Recap and Focus mode. Lenovo and Samsung are launching new Chromebook models to coincide with these software updates. The Lenovo Duet, a detachable 2-in-1, features an 11-inch 2K screen and starts at $349. Samsung's Galaxy Chromebook Plus boasts a 15.6-inch OLED display in a lightweight 2.58-pound package.
Microsoft

Microsoft Exec Tells Staff There Won't Be an Amazon-style Return-to-Office Mandate Unless Productivity Drops (yahoo.com) 56

Microsoft won't impose a new return-to-office mandate unless management concludes that productivity has dropped, a high-level exec has reportedly told workers. From a report: The software and cloud-computing giant currently allows employees to work remotely, with many new hires promised the flexibility of working from home at least half the week. But that isn't written in stone. According to two anonymous sources that spoke with Business Insider, executive vice president Scott Guthrie recently told staff at Microsoft's Cloud and AI group, which includes Azure, that a policy change isn't on the cards at present -- so long as workers stay productive.

While no statement has been provided as of press time, Microsoft told Business Insider that the company's work policies have not changed. Amazon CEO Andy Jassy's bombshell decree has roiled tech employees across the sector, many of whom dread a return to hours wasted in traffic jams on the long daily commute.

Microsoft

Microsoft Is Discontinuing HoloLens 2, With No Replacement (uploadvr.com) 24

An anonymous reader shares a report: HoloLens 2 production has ended, Microsoft confirmed to UploadVR. Now is the last time to buy the device before stock runs out, the company has been telling its partners and customers. HoloLens 2 will continue to receive "updates to address critical security issues and software regressions" until December 31 2027. As soon as 2028 starts, software support for HoloLens 2 will end. For the original HoloLens headset from 2016, software support will end after December 10 of this year, just over two months from now. Production of it ended back in 2018. HoloLens 2 launched in 2019, three years after the original, with upgrades to almost every aspect: a wider field of view, higher resolution, eye tracking, vastly improved hand tracking, and more powerful compute housed in the rear of the strap to deliver a balanced comfortable design.
Security

Russian Ransomware Hackers Worked With Kremlin Spies, UK Says (bloomberg.com) 63

A Russian criminal gang secretly conducted cyberattacks and espionage operations against NATO allies on the orders of the Kremlin's intelligence services, according to the UK's National Crime Agency. From a report: Evil Corp., which includes a man who gained notoriety for driving a Lamborghini luxury sports car, launched the hacks prior to 2019, the NCA said in a statement on Tuesday. The gang has been accused of using malicious software to extort millions of dollars from hundreds of banks and financial institutions in more than 40 countries. In December 2019, the US government sanctioned Evil Corp. and accused its alleged leader, Maksim Yakubets, of providing "direct assistance" to the Russian state, including by "acquiring confidential documents." The NCA's statement on Tuesday provides new detail on the work Yakubets and other members allegedly carried out to aid the Kremlin's geopolitical aims. The exact nature of the hacks against the North Atlantic Treaty Organization allies wasn't immediately clear.
IT

Sonos Unveils Overhaul Plan After App Debacle (theverge.com) 30

Sonos CEO Patrick Spence has unveiled a plan to address the fallout from the company's botched app release in May 2024. The audio equipment maker aims to overhaul its software development practices and rebuild customer trust after the controversial update sparked widespread criticism, The Verge reports.

The company will extend warranties by one year for select products and implement more rigorous testing processes, including an expanded beta program. Sonos has also pledged to introduce major app changes gradually and create an opt-in system for experimental features.

To improve internal accountability, Sonos will appoint a "quality ombudsperson" to escalate concerns and report to leadership. The firm also plans to establish a customer advisory board for pre-launch feedback. Executive bonuses will be tied to app quality improvements and regaining customer confidence.
Linux

Arch Linux Is Now Working Directly With Valve (tomshardware.com) 47

The Arch Linux team has announced a collaboration with Valve, working to support critical infrastructure projects like a build service and secure signing enclave for the Arch Linux distribution. Tom's Hardware reports: If you're familiar with Valve and Steam Deck, you may already know that the Deck uses SteamOS 3, which is built on top of Arch Linux. Thanks to the Arch Linux base and Valve's development of the Proton compatibility layer for playing Windows games on Linux, we now have a far improved Linux gaming scene, especially on Valve's Steam Deck and Deck OLED handhelds. While Valve's specific reasons for picking Arch Linux for Steam Deck remain unknown, it's pretty easy to guess why it was picked. Mainly, it's a particularly lightweight distribution maintained since March 2002, which lends itself well to gaming with minimal performance overhead. A more intensive Linux distribution may not have been the ideal base for SteamOS 3, which is targeted at handhelds like Steam Deck first.

As primary Arch Linux developer Levente Polyak discloses in the announcement post, "Valve is generously providing backing for two critical projects that will have a huge impact on our distribution: a build service infrastructure and a secure signing enclave. By supporting work on a freelance basis for these topics, Valve enables us to work on them without being limited solely by the free time of our volunteers." Polyak continues, "This opportunity allows us to address some of the biggest outstanding challenges we have been facing for a while. The collaboration will speed up the progress that would otherwise take much longer for us to achieve, and will ultimately unblock us from finally pursuing some of our planned endeavors [...] We believe this collaboration will greatly benefit Arch Linux, and are looking forward to share further development on the mailing list as work progresses."

Open Source

New Flexible RISC-V Semiconductor Has Great Potential (ieee.org) 20

"For the first time, scientists have created a flexible programmable chip that is not made of silicon..." reports IEEE Spectrum — opening new possibilities for implantable devices, on-skin computers, brain-machine interfaces, and soft robotics.

U.K.-based Pragmatic Semiconductor produced an "ultralow-power" 32-bit microprocessor, according to the article, and "The microchip's open-source RISC-V architecture suggests it might cost less than a dollar..." This shows potential for inexpensive applications like wearable healthcare electronics and smart package labels, according to the chip's inventors: For example, "we can develop an ECG patch that has flexible electrodes attached to the chest and a flexible microprocessor connected to flexible electrodes to classify arrhythmia conditions by processing the ECG data from a patient," says Emre Ozer, senior director of processor development at Pragmatic, a flexible chip manufacturer in Cambridge, England. Detecting normal heart rhythms versus an arrhythmia "is a machine learning task that can run in software in the flexible microprocessor," he says...

Pragmatic sought to create a flexible microchip that cost significantly less to make than a silicon processor. The new device, named Flex-RV, is a 32-bit microprocessor based on the metal-oxide semiconductor indium gallium zinc oxide (IGZO). Attempts to create flexible devices from silicon require special packaging for the brittle microchips to protect them from the mechanical stresses of bending and stretching. In contrast, pliable thin-film transistors made from IGZO can be made directly at low temperatures onto flexible plastics, leading to lower costs...

"Our end goal is to democratize computing by developing a license-free microprocessor," Ozer says... Other processors have been built using flexible semiconductors, such as Pragmatic's 32-bit PlasticARM and an ultracheap microcontroller designed by engineers in Illinois. Unlike these earlier devices, Flex-RV is programmable and can run compiled programs written in high-level languages such as C. In addition, the open-source nature of RISC-V also let the researchers equip Flex-RV with a programmable machine learning hardware accelerator, enabling artificial intelligence applications.

Each Flex-RV microprocessor has a 17.5 square millimeter core and roughly 12,600 logic gates. The research team found Flex-RV could run as fast as 60 kilohertz while consuming less than 6 milliwatts of power... The Pragmatic team found that Flex-RV could still execute programs correctly when bent to a curve with a radius of 3 millimeters. Performance varied between a 4.3 percent slowdown to a 2.3 percent speedup depending on the way it was bent.

Programming

Are AI Coding Assistants Really Saving Developers Time? (cio.com) 142

Uplevel provides insights from coding and collaboration data, according to a recent report from CIO magazine — and recently they measured "the time to merge code into a repository [and] the number of pull requests merged" for about 800 developers over a three-month period (comparing the statistics to the previous three months).

Their study "found no significant improvements for developers" using Microsoft's AI-powered coding assistant tool Copilot, according to the article (shared by Slashdot reader snydeq): Use of GitHub Copilot also introduced 41% more bugs, according to the study...

In addition to measuring productivity, the Uplevel study looked at factors in developer burnout, and it found that GitHub Copilot hasn't helped there, either. The amount of working time spent outside of standard hours decreased for both the control group and the test group using the coding tool, but it decreased more when the developers weren't using Copilot.

An Uplevel product manager/data analyst acknowledged to the magazine that there may be other ways to measure developer productivity — but they still consider their metrics solid. "We heard that people are ending up being more reviewers for this code than in the past... You just have to keep a close eye on what is being generated; does it do the thing that you're expecting it to do?"

The article also quotes the CEO of software development firm Gehtsoft, who says they didn't see major productivity gains from LLM-based coding assistants — but did see them introducing errors into code. With different prompts generating different code sections, "It becomes increasingly more challenging to understand and debug the AI-generated code, and troubleshooting becomes so resource-intensive that it is easier to rewrite the code from scratch than fix it."

On the other hand, cloud services provider Innovative Solutions saw significant productivity gains from coding assistants like Claude Dev and GitHub Copilot. And Slashdot reader destined2fail1990 says that while large/complex code bases may not see big gains, "I have seen a notable increase in productivity from using Cursor, the AI powered IDE." Yes, you have to review all the code that it generates, why wouldn't you? But often times it just works. It removes the tedious tasks like querying databases, writing model code, writing forms and processing forms, and a lot more. Some forms can have hundreds of fields and processing those fields along with doing checks for valid input is time consuming, but can be automated effectively using AI.
This prompted an interesting discussion on the original story submission. Slashdot reader bleedingobvious responded: Cursor/Claude are great BUT the code produced is almost never great quality. Even given these tools, the junior/intern teams still cannot outpace the senior devs. Great for learning, maybe, but the productivity angle not quite there.... yet.

It's damned close, though. Give it 3-6 months.

And Slashdot reader abEeyore posted: I suspect that the results are quite a bit more nuanced than that. I expect that it is, even outside of the mentioned code review, a shift in where and how the time is spent, and not necessarily in how much time is spent.
Agree? Disagree? Share your own experiences in the comments.

And are developers really saving time with AI coding assistants?
AI

Can AI Developers Be Held Liable for Negligence? (lawfaremedia.org) 123

Bryan Choi, an associate professor of law and computer science focusing on software safety, proposes shifting AI liability onto the builders of the systems: To date, most popular approaches to AI safety and accountability have focused on the technological characteristics and risks of AI systems, while averting attention from the workers behind the curtain responsible for designing, implementing, testing, and maintaining such systems...

I have previously argued that a negligence-based approach is needed because it directs legal scrutiny on the actual persons responsible for creating and managing AI systems. A step in that direction is found in California's AI safety bill, which specifies that AI developers shall articulate and implement protocols that embody the "developer's duty to take reasonable care to avoid producing a covered model or covered model derivative that poses an unreasonable risk of causing or materially enabling a critical harm" (emphasis added). Although tech leaders have opposed California's bill, courts don't need to wait for legislation to allow negligence claims against AI developers. But how would negligence work in the AI context, and what downstream effects should AI developers anticipate?

The article suggests two possibilities. Classifying AI developers as ordinary employees leaves employers then sharing liability for negligent acts (giving them "strong incentives to obtain liability insurance policies and to defend their employees against legal claims.") But AI developers could also be treated as practicing professionals (like physicians and attorneys). "In this regime, each AI professional would likely need to obtain their own individual or group malpractice insurance policies." AI is a field that perhaps uniquely seeks to obscure its human elements in order to magnify its technical wizardry. The virtue of the negligence-based approach is that it centers legal scrutiny back on the conduct of the people who build and hype the technology. To be sure, negligence is limited in key ways and should not be viewed as a complete answer to AI governance. But fault should be the default and the starting point from which all conversations about AI accountability and AI safety begin.
Thanks to long-time Slashdot reader david.emery for sharing the article.
Open Source

Open Source Initiative Announces Alliance with Nonprofit Certifications Group (lpi.org) 5

When it comes to professional certifications, the long-running nonprofit Linux Professional Institute boasts they've issued 250,000, making them the world's largest Linux/Open Source certification body. And last week they announced a "strategic alliance" with the Open Source Initiative (OSI), which will now be "participating in development and maintenance of these programs."

The announcement points out that the Open Source Initiative already has many distinct responsibilities. Besides creating the Open Source Definition — and certifying that Open Source licenses meet the requirements of Open Source software — the OSI's mission is to "encourage the growth of Open Source communities around the world," which includes "educational and outreach efforts to spread Open Source principles."

So the ultimate goal is "strengthening Linux and Open Source communities," according to the announcement, by "nurturing the growth of more highly skilled professionals," with the OSI encouraging more people to get certifications for employers. The Open Source movement "has never been in greater need of educated professionals," says OSI executive director Stefano Maffulli, "to drive the next leap forward in Open Source understanding, innovation, and adoption... This partnership with LPI is one in a series of initiatives that will increase accessibility to the certifications and community participation that Open Source needs to thrive."

And the LPI's executive director says it's their group's mission "to promote the use of open source by supporting the people who work with it. A closer relationship with OSI makes a valuable contribution to this effort."

The move "reaffirms the commitment of LPI and OSI to enhance the adoption of Linux and Open Source technology," according to the announcement.
Supercomputing

IBM Opens Its Quantum-Computing Stack To Third Parties (arstechnica.com) 7

An anonymous reader quotes a report from Ars Technica, written by John Timmer: [P]art of the software stack that companies are developing to control their quantum hardware includes software that converts abstract representations of quantum algorithms into the series of commands needed to execute them. IBM's version of this software is called Qiskit (although it was made open source and has since been adopted by other companies). Recently, IBM made a couple of announcements regarding Qiskit, both benchmarking it in comparison to other software stacks and opening it up to third-party modules. [...] Right now, the company is supporting six third-party Qiskit functions that break down into two categories.

The first can be used as stand-alone applications and are focused on providing solutions to problems for users who have no expertise programming quantum computers. One calculates the ground-state energy of molecules, and the second performs optimizations. But the remainder are focused on letting users get more out of existing quantum hardware, which tends to be error prone. But some errors occur more often than others. These errors can be due to specific quirks of individual hardware qubits or simply because some specific operations are more error prone than others. These can be handled in two different ways. One is to design the circuit being executed to avoid the situations that are most likely to produce an error. The second is to examine the final state of the algorithm to assess whether errors likely occurred and adjust to compensate for any. And third parties are providing software that can handle both of these.

One of those third parties is Q-CTRL, and we talked to its CEO, Michael Biercuk. "We build software that is really focused on everything from the lowest level of hardware manipulation, something that we call quantum firmware, up through compilation and strategies that help users map their problem onto what has to be executed on hardware," he told Ars. (Q-CTRL is also providing the optimization tool that's part of this Qiskit update.) "We're focused on suppressing errors everywhere that they can occur inside the processor," he continued. "That means the individual gate or logic operations, but it also means the execution of the circuit. There are some errors that only occur in the whole execution of a circuit as opposed to manipulating an individual quantum device." Biercuk said Q-CTRL's techniques are hardware agnostic and have been demonstrated on machines that use very different types of qubits, like trapped ions. While the sources of error on the different hardware may be distinct, the manifestations of those problems are often quite similar, making it easier for Q-CTRL's approach to work around the problems.

Those work-arounds include things like altering the properties of the microwave pulses that perform operations on IBM's hardware, and replacing the portion of Qiskit that converts an algorithm to a series of gate operations. The software will also perform operations that suppress errors that can occur when qubits are left idle during the circuit execution. As a result of all these differences, he claimed that using Q-CTRL's software allows the execution of more complex algorithms than are possible via Qiskit's default compilation and execution. "We've shown, for instance, optimization with all 156 qubits on [an IBM] system, and importantly -- I want to emphasize this word -- successful optimization," Biercuk told Ars. "What it means is you run it and you get the right answer, as opposed to I ran it and I kind of got close."

Printer

HP Is Adding AI To Its Printers 140

An anonymous reader quotes a report from PCWorld, written by Michael Crider: The latest perpetrator of questionable AI branding? HP. The company is introducing "Print AI," what it calls the "industry's first intelligent print experience for home, office, and large format printing." What does that mean? It's essentially a new beta software driver package for some HP printers. According to the press release, it can deliver "Perfect Output" -- capital P capital O -- a branded tool that reformats the contents of a page in order to more ideally fit it onto physical paper.

Despite my skeptical tone, this is actually a pretty cool idea. "Perfect Output can detect unwanted content like ads and web text, printing only the desired text and images, saving time, paper, and ink." That's neat! If the web page you're printing doesn't offer a built-in print format, the software will make one for you. It'll also serve to better organize printed spreadsheets and images, too. But I don't see anything in this software that's actually AI -- or even machine learning, for that matter. This is applying the same tech (functionally, if not necessarily the same code) as the "reader mode" formatting we've seen in browsers for about a decade now. Take the text and images of a page, strip out everything else that's unnecessary, and present it as efficiently as possible. [...]

The press release does mention that support and formatting tasks can be accomplished with "simple conversational prompts," which at least might be leveraging some of the large language models that have become synonymous with AI as consumers understand it. But based on the description, it's more about selling you something than helping you. "Customers can choose to print or explore a curated list of partners that offer unique photo printing capabilities, gift certificates to be printed on the card, and so much more." Whoopee.
Businesses

Dozens of Fortune 100 Companies Have Unwittingly Hired North Korean IT Workers (therecord.media) 29

"Dozens of Fortune 100 organizations" have unknowingly hired North Korean IT workers using fake identities, generating revenue for the North Korean government while potentially compromising tech firms, according to Google's Mandiant unit. "In a report published Monday [...], researchers describe a common scheme orchestrated by the group it tracks as UNC5267, which has been active since 2018," reports The Record. "In most cases, the IT workers 'consist of individuals sent by the North Korean government to live primarily in China and Russia, with smaller numbers in Africa and Southeast Asia.'" From the report: The remote workers "often gain elevated access to modify code and administer network systems," Mandiant found, warning of the downstream effects of allowing malicious actors into a company's inner sanctum. [...] Using stolen identities or fictitious ones, the actors are generally hired as remote contractors. Mandiant has seen the workers hired in a variety of complex roles across several sectors. Some workers are employed at multiple companies, bringing in several salaries each month. The tactic is facilitated by someone based in the U.S. who runs a laptop farm where workers' laptops are sent. Remote technology is installed on the laptops, allowing the North Koreans to log in and conduct their work from China or Russia.

Workers typically asked for their work laptops to be sent to different addresses than those listed on their resumes, raising the suspicions of companies. Mandiant said it found evidence that the laptops at these farms are connected to a "keyboard video mouse" device or multiple remote management tools including LogMeIn, GoToMeeting, Chrome Remote Desktop, AnyDesk, TeamViewer and others. "Feedback from team members and managers who spoke with Mandiant during investigations consistently highlighted behavior patterns, such as reluctance to engage in video communication and below-average work quality exhibited by the DPRK IT worker remotely operating the laptops," Mandiant reported.

In several incident response engagements, Mandiant found the workers used the same resumes that had links to fabricated software engineer profiles hosted on Netlify, a platform often used for quickly creating and deploying websites. Many of the resumes and profiles included poor English and other clues indicating the actor was not based in the U.S. One characteristic repeatedly seen was the use of U.S.-based addresses accompanied by education credentials from universities outside of North America, frequently in countries such as Singapore, Japan or Hong Kong. Companies, according to Mandiant, typically don't verify credentials from universities overseas.
Further reading: How Not To Hire a North Korean IT Spy
