Abstract: An apparatus includes an interface and a processor. The interface is operable to wirelessly transmit instructions to one or more mobile drive units. The processor is communicatively coupled to the interface and is operable to instruct a mobile drive unit to transport a first shipping container storing at least one completed order to a shipping station, instruct the mobile drive unit to connect the first shipping container to a second shipping container to form a group of connected shipping containers. The processor is also operable to detect a trigger event, and in response to detecting the trigger event, coordinate movement of one or more mobile drive units to transport the group of connected shipping containers onto a vehicle for shipment.

Abstract: A system includes a first mobile drive unit and a second mobile drive unit. The first mobile drive unit is operable to dock with a first item holder at a first end of a column of connected item holders. The second mobile drive unit is operable to dock with a second item holder at a second end of the column of connected item holders. The system also includes a management module that is operable to instruct the first mobile drive unit and the second mobile drive units to transport the column of connected item holders from a first location to a second location.

Abstract: Features are disclosed for enabling users to efficiently store and share browsing sessions or portions thereof with other users or the general public. Browsing session requests and other activities may be sent to an intermediary system, which can retrieve requested content and store a representation of the requested content or data regarding the requested content. The stored data may be organized as a saved browsing session such that users may access the shared browsing session at a subsequent time and view the browsing session substantially in its entirety. Users may search for shared browsing sessions and access data regarding the requests made during a browsing session. In addition, data regarding client devices used during shared browsing sessions may be tracked and associated with the shared browsing sessions such that subsequent users can search for shared browsing sessions based partly on such device characteristics.

Abstract: A system includes a station and a management module. The station includes a queue having a first row and a second row. The management module is operable to instruct a first mobile drive unit to move a first group of connected item holders from the second row to the first row, instruct the first mobile drive unit to move the first group of connected item holders along the station such that one or more items stored by the first group of connected item holders are processed at the station, and after the one or more items from the first group of items are processed, instruct a second mobile drive unit to move a second group of connected item holders from the second row to the first row.

Abstract: Disclosed are various embodiments for distributing application components among many devices across a network for optimal execution of the application. A distribution is determined based on performance metrics, distribution profiles, and/or other indications of how to distribute application components for execution on many devices. In various embodiments, an application component may be simultaneously executed on many devices or on one device. The application components execute as if on one device even though they are distributed among many devices. Performance metrics indicate how well an application component executes in a device. During execution, the application components may be redistributed if another distribution is indicated by performance tolerances. If application components are redistributed, the execution of the application continues as if no redistribution had occurred.

Abstract: Disclosed are various embodiments for facilitating communications between application components that are distributed among many devices across a network. This allows for the application to execute as if on one device even though the application components are on many devices. A component interface is generated for the application components. The component interface intercepts communications sent from an application component, locates the intended receiving application component, and generates a component interface packet with the location. The component interface packet is then put into a network stream. The receiving component listens to the stream to obtain component interface packets that indicate the location of the device running the receiving application component. The component interface decodes the component interface packets intended for components associated with the component interface and sends communications encoded in the packet to the application components.

Abstract: Methods and apparatus for instance configuration on remote platforms are disclosed. A storage medium comprises program instructions to implement a control server configured to, in response to an instance configuration request directed to a network-accessible service implemented using resource instances whose configuration is managed from within the provider network, determine whether configuration operations corresponding to the request are to be performed at a remote platform external to the provider network. In response to determining that configuration operations are to be performed at a remote platform, the control server issues commands to a selected remote platform; otherwise, it issues commands to an instance host of the provider network. Based on results of the commands, the control server provides a response to the request.

Abstract: A privileged cryptographic service is described, such as a service running in system management mode (SMM). The privileged service is operable to store and manage cryptographic keys and/or other security resources in a multitenant remote program execution environment. The privileged service can receive requests to use the cryptographic keys and issue responses to these requests. In addition, the privileged service can measure the hypervisor at runtime (e.g., either periodically or in response to the requests) in an attempt to detect evidence of tampering with the hypervisor. Because the privileged service is operating in system management mode that is more privileged than the hypervisor, the privileged service can be robust against virtual machine escape and other hypervisor attacks.

Abstract: A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described, that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order to secure the results of privileged operations on systems such as the operating system (OS) kernel and/or the hypervisor. The interface allows a public key to be included into a request to perform a privileged operation on a hypervisor and/or kernel. The kernel and/or hypervisor use the key included in the request to encrypt the results of the privileged operation. In some embodiments, the request itself can also be encrypted, such that any intermediate parties are not able to read the parameters and other information of the request.

Abstract: Approaches are described for security and access control for computing resources. Various embodiments utilize metadata, e.g., tags that can be applied to one or more computing resources (e.g., virtual machines, host computing devices, applications, databases, etc.) to control access to these and/or other computing resources. In various embodiments, the tags and access control policies described herein can be utilized in a multitenant shared resource environment.

Abstract: Methods and apparatus for instance host configuration are disclosed. A system includes a plurality of instance hosts configurable for resource instances of a network-accessible service, and control servers to manage remote configuration of the instance hosts. In response to an instance configuration request from a client, a selected control server transmits, to a selected instance host, a sequence of one or more commands. The selected instance host instantiates a remote command executor. The remote command executor initiates configuration operations corresponding to the command sequence, and terminates. The selected control server provides a response to the instance configuration request, based at least in part on results of the operations initiated by the executor.

Abstract: A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described, that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order authorize and authenticate requests sent to a virtualization later. The interfaces can be invoked to perform security monitoring, forensic capture, and/or patch software systems at runtime. In addition to the foregoing, other aspects are described in the claims, detailed description, and figures.

Abstract: A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described, that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order to enable secure migration of virtual machine instances between multiple host computing devices. The migration is performed by receiving a request to migrate a virtual machine where the request includes public keys for the source host computing and the destination host computing. The source and destination hosts use the public keys to establish an encrypted session and then use the encrypted session to migrate the virtual machine.

Abstract: An unauthorized-product detection system may compare data representing various authentication markers of items presumed to have been produced or sourced by a particular entity with stored data representing valid authentication markers of items produced or sourced by the particular entity. The authentication markers may represent inherent physical characteristics of the items or their packaging, or may be generated and applied to the items or their packaging to facilitate counterfeit detection and/or for other purposes. The data (some of which may be encrypted) may be captured using high-resolution cameras, scanners, or other devices, and then communicated to the unauthorized-product detection system for analysis. The system may maintain a data store of data representing captured or valid authentication markers and may store tracking information reflecting the use of various authentication markers.

Abstract: A probabilistic data structure is generated for efficient query processing using a histogram for unsorted data in a column of a columnar database. A bucket range size is determined for multiples buckets of a histogram of a column in a columnar database table. In at least some embodiments, the histogram may be a height-balanced histogram. A probabilistic data structure is generated to indicate for which particular buckets in the histogram there is a data value stored in the data block. When an indication of a query directed to the column for select data is received, the probabilistic data structure for each of the data blocks storing data for the column may be examined to determine particular ones of the data blocks which do not need to be read in order to service the query for the select data.

Abstract: A user of a computing device may view a content page on a display of a computing device. One aspect of the disclosure is a browser user interface than enables the user to flip the content page (or portion thereof) over (e.g., via a touchscreen gesture) to view supplemental content, such as metadata, associated with the content page (or portion thereof). While viewing the metadata on the back side of the content page in some embodiments, the user can perform a second or reverse flip operation to return to the original page. The user may be presented with options to flip the page backward and forward multiple times to view multiple flipped pages presenting additional supplemental content. The supplemental content may include virtually any information in which the user may be interested and/or that is related or similar to the content page.

Abstract: A user of a computing device may view a content page on a display of a computing device. One aspect of the disclosure is a browser user interface than enables the user to flip the content page (or portion thereof) over (e.g., via a touchscreen gesture) to view supplemental content, such as metadata, associated with the content page (or portion thereof). While viewing the metadata on the back side of the content page in some embodiments, the user can perform a second or reverse flip operation to return to the original page. The user may be presented with options to flip the page backward and forward multiple times to view multiple flipped pages presenting additional supplemental content. The supplemental content may include virtually any information in which the user may be interested and/or that is related or similar to the content page.

Abstract: A distributed execution environment includes various resources, such as instances of computing resources, hardware resources, software resources, and others. A resource state viewing tool executing in conjunction with the distributed execution environment provides access to data regarding the state of each resource in the form of a resource page associated with the resource. The resource page for a resource might also include one or more annotations assigned to the resource by a user or by a component within the distributed execution environment. The annotations might have associated expiration data, such as an expiration time or event, which may be utilized to expire the annotations. The annotations might also have a namespace assigned thereto that is utilized when responding to requests to retrieve the annotations. The annotations might also have permissions assigned thereto that identify the rights of one or more users and/or components to read, modify, or delete the annotations.

Abstract: A virtual tape is constructed using a logical data container to aid in emulating a virtual tape by providing tape functionality, reducing seek time and improving recovery time in case of a failure. For example, the logical data container may comprise a global header followed by one or more data block groups. The global header may provide metadata to track record locations, file mark locations, virtual tape data in memory, data validation information and a virtual tape head location. This metadata in the global tape header may help reduce seek time, improve recovery time using last known data in memory, erase a virtual tape and provide tape head position. Data block groups may include information that validates data, provides error correction, provides record and file marks and provides storage of client data.

Abstract: Features are disclosed for generating markers for elements or other portions of an audio presentation so that a speech processing system may determine which portion of the audio presentation a user utterance refers to. For example, an utterance may include a pronoun with no explicit antecedent. The marker may be used to associate the utterance with the corresponding content portion for processing. The markers can be provided to a client device with a text-to-speech (“TTS”) presentation. The markers may then be provided to a speech processing system along with a user utterance captured by the client device. The speech processing system, which may include automatic speech recognition (“ASR”) modules and/or natural language understanding (“NLU”) modules, can generate hints based on the marker. The hints can be provided to the ASR and/or NLU modules in order to aid in processing the meaning or intent of a user utterance.