Privacy

Magician Forgets Password To His Own Hand After RFID Chip Implant (theregister.com) 39

A magician who implanted an RFID chip in his hand lost access to it after forgetting the password, leaving him effectively locked out of the tech embedded in his own body. The Register reports: "It turns out," said magician Zi Teng Wang, "that pressing someone else's phone to my hand repeatedly, trying to figure out where their phone's RFID reader is, really doesn't come off super mysterious and magical and amazing." Then there are the people who don't even have their phone's RFID reader enabled. Using his own phone would, in Zi's words, lack a certain "oomph."

Oh well, how about making the chip spit out a Bitcoin address? "That literally never came up either." In the end, Zi rewrote the chip to link to a meme, "and if you ever meet me in person you can scan my chip and see the meme." It was all suitably amusing until the Imgur link Zi was using went down. Not everything on the World Wide Web is forever, and there is no guarantee that a given link will work indefinitely. Indeed, access to Imgur from the United Kingdom was abruptly cut off on September 30 in response to the country's age verification rules.

Still, the link not working isn't the end of the world. Zi could just reprogram the chip again, right? Wrong. "When I went to rewrite the chip, I was horrified to realize I forgot the password that I had locked it with." The link eventually started working again, but if and when it stops, Zi's party piece will be a little less entertaining. He said: "Techie friends I've consulted with have determined that it's too dumb and simple to hack, the only way to crack it is to strap on an RFID reader for days to weeks, brute forcing every possible combination." Or perhaps some surgery to remove the offending hardware.

Encryption

Cryptographers Cancel Election Results After Losing Decryption Key (arstechnica.com) 49

The International Association of Cryptologic Research (IACR) was forced to cancel its leadership election after a trustee lost their portion of the Helios voting system's decryption key, making it impossible to reveal or verify the final results. Ars Technica reports: The IACR said Friday that the votes were submitted and tallied using Helios, an open source voting system that uses peer-reviewed cryptography to cast and count votes in a verifiable, confidential, and privacy-preserving way. Helios encrypts each vote in a way that assures each ballot is secret. Other cryptography used by Helios allows each voter to confirm their ballot was counted fairly. "Unfortunately, one of the three trustees has irretrievably lost their private key, an honest but unfortunate human mistake, and therefore cannot compute their decryption share," the IACR said. "As a result, Helios is unable to complete the decryption process, and it is technically impossible for us to obtain or verify the final outcome of this election."

The IACR will switch to a two-of-three private key system to prevent this sort of thing from happening again. Moti Yung, the trustee responsible for the incident, has resigned and is being replaced by Michael Abdalla.
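The difference between the 3-of-3 scheme that failed and the 2-of-3 scheme the IACR is adopting comes down to threshold reconstruction: a key split so that any two of three trustees suffice can be recovered after one share is lost, while a key that needs all three cannot. The following Python is an added illustration using Shamir secret sharing over a prime field; it is not Helios code (Helios derives its decryption shares with threshold ElGamal), and the field prime and function names are this example's own choices.

```python
# Added illustration: Shamir secret sharing over a prime field, used here to
# show why a 2-of-3 trustee scheme survives a lost share and a 3-of-3 does not.
# This is not Helios code; Helios uses threshold ElGamal for its decryption shares.
import secrets

PRIME = 2**127 - 1  # a prime larger than any secret we split; arithmetic stays exact


def split_secret(secret: int, threshold: int, shares: int) -> list:
    """Return `shares` points (x, f(x)) on a random degree-(threshold-1)
    polynomial with f(0) == secret. Any `threshold` points reconstruct it."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in the field")
    # a_0 is the secret; the remaining coefficients are uniformly random
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner's rule: evaluate f(x) mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_secret(points: list, threshold: int) -> int:
    """Lagrange-interpolate f(0) from `threshold` distinct shares.
    Raises ValueError when too few shares remain, the 3-of-3 failure mode."""
    pts = list({x: y for x, y in points}.items())[:threshold]  # drop duplicate x
    if len(pts) < threshold:
        raise ValueError(f"only {len(pts)} distinct shares, need {threshold}")
    total = 0
    for i, (xi, yi) in enumerate(pts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def key_survives_lost_trustee(threshold: int, trustees: int = 3) -> bool:
    """Simulate one of `trustees` losing their share; True if the key is recoverable."""
    key = secrets.randbelow(PRIME)
    shares = split_secret(key, threshold, trustees)
    remaining = shares[1:]  # the first trustee's share is gone for good
    try:
        return recover_secret(remaining, threshold) == key
    except ValueError:
        return False


if __name__ == "__main__":
    print("3-of-3 survives a lost share:", key_survives_lost_trustee(3))
    print("2-of-3 survives a lost share:", key_survives_lost_trustee(2))
```

The trade-off the IACR is accepting is visible in the code: with threshold 2, any two trustees together can decrypt, so the scheme tolerates one lost share at the cost of also tolerating one fewer honest party being required for decryption.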

The Courts

SEC Dismisses Case Against SolarWinds, Top Security Officer (reuters.com) 15

The SEC has officially dismissed its high-profile case against SolarWinds and its CISO that was tied to a Russia-linked cyberattack involving the software company. Reuters reports: The landmark case, which the SEC brought in late 2023, rattled the cybersecurity community and later faced scrutiny from a judge who dismissed many of the charges. The SEC had said SolarWinds and its chief information security officer had violated U.S. securities laws by concealing vulnerabilities in connection with the high-profile 2020 Sunburst cyber attack. The SEC, SolarWinds and CISO Timothy Brown filed a motion on Thursday to dismiss the case with prejudice, according to a joint stipulation posted on the agency's website. A SolarWinds spokesperson said the firm is "clearly delighted" with the dismissal.

"We hope this resolution eases the concerns many CISOs have voiced about this case and the potential chilling effect it threatened to impose on their work," the spokesperson said.
Bug

Firefox 147 Will Support The XDG Base Directory Specification (phoronix.com) 33

Phoronix's Michael Larabel reports: A 21-year-old bug report requesting support of the XDG Base Directory specification is finally being addressed by Firefox. The Firefox 147 release should respect this XDG specification around where files should be positioned within Linux users' home directories.

The XDG Base Directory specification lays out where application data files, configuration files, cached assets, and other files and file formats should be positioned within a user's home directory and the XDG environment variables for accessing those locations. To date Firefox has just positioned all files under ~/.mozilla rather than the likes of ~/.config and ~/.local/share.

Security

Google Says Hackers Stole Data From Over 200 Companies Following Gainsight Breach (techcrunch.com) 3

Google confirmed in a statement Friday that hackers have stolen the Salesforce-stored data of more than 200 companies in a large-scale supply chain hack. TechCrunch reports: On Thursday, Salesforce disclosed a breach of "certain customers' Salesforce data" -- without naming affected companies -- that was stolen via apps published by Gainsight, which provides a customer support platform to other companies.

In a statement, Austin Larsen, the principal threat analyst of Google Threat Intelligence Group, said that the company "is aware of more than 200 potentially affected Salesforce instances." After Salesforce announced the breach, the notorious and somewhat-nebulous hacking group known as Scattered Lapsus$ Hunters, which includes the ShinyHunters gang, claimed responsibility for the hacks in a Telegram channel, which TechCrunch has seen.

Microsoft

Microsoft Finally Admits Almost All Major Windows 11 Core Features Are Broken 95

Microsoft has acknowledged in a support article that major Windows 11 core features including the Start Menu, Taskbar, File Explorer and System Settings break after applying monthly cumulative updates released on or after July 2025.

The problems stem from XAML component issues that affect updates beginning with July's Patch Tuesday release (KB5062553). The failures occur during first-time user logins after cumulative updates are applied and on non-persistent OS installations like virtual desktop infrastructure setups. Microsoft lists Explorer.exe crashes, shellhost.exe crashes, StartMenuExperienceHost failures and System Settings that silently refuse to launch among the symptoms. The company provided PowerShell commands and batch scripts as temporary workarounds that re-register the affected packages. Both Windows 11 versions 24H2 and 25H2 share the same codebase and are affected. Microsoft said it is working on a fix but did not provide a timeline.

Open Source

Thunderbird Pro Enters Production Testing Ahead of $9/Month Launch (thunderbird.net) 24

Thunderbird Pro has moved its Thundermail email service into production testing as the open-source email client's subscription bundle of additional services prepares for an Early Bird beta launch at $9 per month that will include email hosting, encrypted file sharing through Send, and scheduling via Appointment.

Internal team members are now testing Thundermail accounts and the new Thunderbird Pro add-on automatically adds Thundermail accounts for users who sign up through it. The project migrated its data hosting from the Americas to Germany and the EU.

Appointment received a major visual redesign being applied across all three services while Send completed an external security review and moved from its standalone add-on into the unified Thunderbird Pro add-on. The new website at tb.pro is live for signups and account management.

Microsoft

Microsoft's AI-Powered Copy and Paste Can Now Use On-Device AI (theverge.com) 43

An anonymous reader shares a report: Microsoft is upgrading its Advanced Paste tool in PowerToys for Windows 11, allowing you to use an on-device AI model to power some of its features. With the 0.96 update, you can route requests through Microsoft's Foundry Local tool or the open-source Ollama, both of which run AI models on your device's neural processing unit (NPU) instead of connecting to the cloud.

That means you won't need to purchase API credits to perform certain actions, like having AI translate or summarize the text copied to your clipboard. Plus, you can keep your data on your device.

Crime

Fired Techie Admits Sabotaging Ex-Employer, Causing $862K In Damage (theregister.com) 56

An Ohio IT contractor pleaded guilty to breaking into his former employer's network after being fired, impersonating another worker and using a PowerShell script to reset 2,500 passwords -- an act that locked out thousands of employees and caused more than $862,000 in damage. He faces up to 10 years in prison. The Register reports: Maxwell Schultz, 35, impersonated another contractor to gain access to the company's network after his credentials were revoked. Announcing the news, US attorney Nicholas J. Ganjei did not specify the company in question, which is typical in these malicious insider cases, although local media reported it to be Houston-based Waste Management.

The attack took place on May 14, 2021, and saw Schultz use the credentials to reset approximately 2,500 passwords at the affected organization. This meant thousands of employees and contractors across the US were unable to access the company network. Schultz admitted to running a PowerShell script to reset the passwords, searching for ways to delete system logs to cover his tracks -- in some cases succeeding -- and clearing PowerShell window events, according to the Department of Justice.

Prosecutors said the attack caused more than $862,000 worth of damage related to employee downtime, a disrupted customer service function, and costs related to the remediation of the intrusion. Schultz is set to be sentenced on Jan 30, 2026, and faces up to ten years in prison and a potential maximum fine of $250,000.

Android

You Can Finally AirDrop Files Between Android and iPhone, Starting with Pixel 10 (blog.google) 48

Android's Quick Share file transfer service can now work with Apple's AirDrop, allowing users to send files between iPhones and Android devices. Google has started rolling out the feature to its Pixel 10 family of smartphones. The cross-platform compatibility includes security protections that the company says independent security experts tested. Google said it built the feature in response to user requests for simpler file sharing between devices regardless of manufacturer. The company plans to expand availability to additional Android devices.

Transportation

Can Chinese-Made Buses Be Hacked? Norway Drove One Down a Mine To Find Out (msn.com) 51

An anonymous reader shares a report: This summer, Oslo's public-transport authority drove a Chinese electric bus deep into a decommissioned mine inside a nearby mountain to answer a question: Could it be hacked? Isolated by rock from digital interference, cybersecurity experts came back with a qualified yes: The bus could in theory be remotely disabled using the control system for the battery.

The revelation, presented at a recent public-transport conference, has spurred officials in Denmark and the U.K. to start their own investigations into Chinese vehicles. It has also fed into broader security concerns across Europe about the growing prevalence of Chinese-made equipment in the region's energy and telecommunications infrastructure.

The worry is the same for autos, solar panels and other connected devices: that mechanisms used for wirelessly delivering system updates could also be exploited by a hostile government or third-party hacker to compromise critical networks. [...] The Oslo transport authority, Ruter, said the bus's mobile-network connection via a Romanian SIM card gave manufacturer Yutong access to the control system for battery and power supply. Ruter said it is addressing the vulnerability by developing firewalls and delaying the signals sent to the vehicles, among other solutions.

The Internet

Europe's Cookie Nightmare is Crumbling (theverge.com) 126

The EU's cookie consent policies have been an annoying and unavoidable part of browsing the web in Europe since their introduction in 2018. But the cookie nightmare is about to crumble thanks to some big proposed changes announced by the European Commission today. From a report: Instead of having to click accept or reject on a cookie pop-up for every website you visit in Europe, the EU is preparing to enforce rules that will allow users to set their preferences for cookies at the browser level. "People can set their privacy preferences centrally -- for example via the browser -- and websites must respect them," says the EU. "This will drastically simplify users' online experience."

This key change is part of a new Digital Package of proposals to simplify the EU's digital rules, and will initially see cookie prompts change to be a simplified yes or no single-click prompt ahead of the "technological solutions" eventually coming to browsers. Websites will be required to respect cookie choices for at least six months, and the EU also wants website owners to not use cookie banners for "harmless uses" like counting website visits, to lessen the amount of pop-ups.

The Internet

Cloudflare Explains Its Worst Outage Since 2019 57

Cloudflare suffered its worst network outage in six years on Tuesday, beginning at 11:20 UTC. The disruption prevented the content delivery network from routing traffic for roughly three hours. The failure, writes Cloudflare in a blog post, originated from a database permissions change deployed at 11:05 UTC. The modification altered how a database query returned information about bot detection features. The query began returning duplicate entries. A configuration file used to identify automated traffic doubled in size and spread across the network's machines. Cloudflare's traffic routing software reads this file to distinguish bots from legitimate users. The software had a built-in limit of 200 bot detection features. The enlarged file contained more than 200 entries. The software crashed when it encountered the unexpected file size.

Users attempting to access websites behind Cloudflare's network received error messages. The outage affected multiple services. Turnstile security checks failed to load. The Workers KV storage service returned elevated error rates. Users could not log into Cloudflare's dashboard. Access authentication failed for most customers.

Engineers initially suspected a coordinated attack. The configuration file was automatically regenerated every five minutes. Database servers produced either correct or corrupted files during a gradual system update. Services repeatedly recovered and failed as different versions of the file circulated. Teams stopped generating new files at 14:24 UTC and manually restored a working version. Most traffic resumed by 14:30 UTC. All systems returned to normal at 17:06 UTC.
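The post-mortem describes a classic fail-closed configuration consumer: a generated file exceeded a fixed table size of 200 entries and the software crashed rather than rejecting the file. The Python below is an added illustration, not Cloudflare's code; the JSON file format, the feature names and the loader classes are constructed for this example. It shows the brittle loader beside a hardened one that deduplicates the entries, enforces the cap, and keeps serving the last known-good table when a new file is defective.

```python
# Added illustration of the failure mode in Cloudflare's post-mortem: a
# generated feature file grows past a fixed-size table and the consumer crashes.
# Constructed code and constructed file format, not Cloudflare's software.
import json
from dataclasses import dataclass, field
from typing import List, Optional

MAX_FEATURES = 200  # fixed capacity of the in-memory feature table

# Constructed sample files. The "duplicated" one models a query that returned
# every row twice; the "oversized" one is too large even after deduplication.
GOOD_FILE = json.dumps({"version": 41, "features": [f"feat_{i}" for i in range(120)]})
DUPLICATED_FILE = json.dumps({"version": 42, "features": [f"feat_{i}" for i in range(120)] * 2})
OVERSIZED_FILE = json.dumps({"version": 43, "features": [f"feat_{i}" for i in range(260)]})


def load_unsafe(raw: str) -> List[str]:
    """Brittle loader: trusts the generator and aborts the process on oversize input."""
    features = json.loads(raw)["features"]
    if len(features) > MAX_FEATURES:
        raise RuntimeError("feature table overflow")  # in a proxy, this is the crash
    return features


def unsafe_crashes(raw: str) -> bool:
    """Report whether the brittle loader would take the process down for this file."""
    try:
        load_unsafe(raw)
        return False
    except RuntimeError:
        return True


@dataclass
class FeatureTable:
    version: int
    features: List[str]


@dataclass
class FeatureLoader:
    """Hardened loader: validate and deduplicate the new file, and on any
    defect keep serving the last known-good table instead of crashing."""
    last_good: Optional[FeatureTable] = None
    rejected: List[str] = field(default_factory=list)

    def load(self, raw: str) -> FeatureTable:
        try:
            doc = json.loads(raw)
            version = int(doc["version"])
            # duplicates from an upstream query bug are folded away, order preserved
            features = list(dict.fromkeys(doc["features"]))
            if not features or not all(isinstance(f, str) and f for f in features):
                raise ValueError("feature list empty or contains non-string names")
            if len(features) > MAX_FEATURES:
                raise ValueError(f"{len(features)} features exceed cap {MAX_FEATURES}")
            self.last_good = FeatureTable(version, features)
        except (ValueError, KeyError, TypeError) as exc:
            self.rejected.append(str(exc))  # surface to monitoring; do not crash
            if self.last_good is None:
                raise  # nothing safe to fall back to at first boot
        return self.last_good
```

Rejections are recorded rather than swallowed, so a monitoring rule on the `rejected` list would have flagged the bad files within one five-minute regeneration cycle instead of letting correct and corrupted versions alternate across the fleet.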

Security

Gen Z Officially Worse At Passwords Than 80-Year-Olds (theregister.com) 97

A NordPass analysis found that Gen Z is actually worse at password security than older generations, with "12345" topping their list while "123456" dominates among everyone else. The Register reports: And while there were a few more "skibidis" among the Zoomer dataset compared to those who came before them, the trends were largely similar. Variants on "123456" were among the most common for all age groups, with that exact string proving to be the most common among all users -- the sixth time in seven years it has held the undesirable crown.

Some of the more adventurous would stretch to "1234567," while budding cryptologists shored up their accounts by adding an 8 or even a 9 to the mix. However, according to Security.org's password security checker, a computer could crack any of these instantly. Most attackers would not even need to expend the resources required to reveal the password, given how commonly used they are. They could just spray a list of known passwords at an authentication API and secure a quick win.
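The defensive counterpart to the story is to refuse such passwords at the point they are set, which is what a blocklist check does. The Python below is an added example, not NordPass's or Security.org's code; the blocklist is a deliberately tiny constructed sample, and the normalization rules (case folding, stripping a trailing run of digits or punctuation, detecting sequential digits) are this example's own choices for catching the "add an 8 or a 9" variants the article mentions.

```python
# Added illustration: a server-side check that rejects the kinds of passwords
# in the NordPass list before they are ever set. Constructed code and a
# constructed, deliberately tiny blocklist; production systems should check
# against a full common/breached-password corpus.
import re
from typing import Optional

COMMON_PASSWORDS = {  # constructed sample; the real lists run to millions of entries
    "123456", "12345", "1234567", "12345678", "123456789",
    "password", "qwerty", "111111", "skibidi",
}


def normalize(pw: str) -> str:
    """Fold case and strip a trailing run of digits/punctuation, so that
    'Password1!' or 'skibidi2024' are caught as variants of listed entries."""
    folded = pw.strip().lower()
    stripped = re.sub(r"[\d!@#$%^&*._-]+$", "", folded)
    return stripped or folded  # an all-digit password would otherwise become ""


def is_digit_sequence(pw: str) -> bool:
    """True for ascending or descending digit runs such as 12345 or 98765."""
    if not pw.isdigit() or len(pw) < 4:
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def reject_reason(pw: str) -> Optional[str]:
    """Return why a candidate password is refused, or None if it passes."""
    if pw.lower() in COMMON_PASSWORDS:
        return "on common-password list"
    if normalize(pw) in COMMON_PASSWORDS:
        return "trivial variant of a common password"
    if is_digit_sequence(pw):
        return "sequential digits"
    return None


if __name__ == "__main__":
    for candidate in ("1234567", "Password1!", "98765", "correct horse battery staple"):
        print(repr(candidate), "->", reject_reason(candidate))
```

Returning a reason string rather than a bare boolean lets the signup or reset form tell the user what to change, which matters more than the check itself for getting people off sequential digits.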

Microsoft

'Talking To Windows' Copilot AI Makes a Computer Feel Incompetent' (theverge.com) 55

Microsoft's Copilot AI assistant in Windows 11 fails to replicate the capabilities shown in the company's TV advertisements. The Verge tested Copilot Vision over a week using the same prompts featured in ads airing during NFL games. When asked to identify a HyperX QuadCast 2S microphone visible in a YouTube video -- a task successfully completed in Microsoft's ad -- Copilot gave multiple incorrect answers. The assistant identified the microphone as a first-generation HyperX QuadCast, then as a Shure SM7b on two other occasions. Copilot couldn't identify the Saturn V rocket from a PowerPoint presentation despite the words "Saturn V" appearing on screen. When asked about a cave image from Microsoft's ad, Copilot gave inconsistent responses.

About a third of the time it provided directions to find the photo in File Explorer. On two occasions it explained how to launch Google Chrome. Four times it offered advice about booking flights to Belize. The cave is Rio Secreto in Playa del Carmen, Mexico. Microsoft spokesperson Blake Manfre said "Copilot Actions on Windows, which can take actions on local files, is not yet available." He described it as "an opt-in experimental feature that will be coming soon to Windows Insiders in Copilot Labs, starting with a narrow set of use cases while we optimize model performance and learn." Copilot cannot toggle basic Windows settings like dark mode. When asked to analyze a benchmark table in Google Sheets, it "constantly misread clear-as-day scores both in the spreadsheet and in the on-page review."
