Two "groundbreaking research reports" on open source security were announced this week by the Linux Foundation in partnership with the Open Source Security Foundation (OpenSSF) and Linux Foundation Europe. The reports specifically address the EU's Cyber Resilience Act (or CRA) and "highlight knowledge gaps and best practices for CRA compliance."

"Unaware and Uncertain: The Stark Realities of CRA-Readiness in Open Source" includes a survey which found that when it comes to CRA requirements, 62% of respondents were either "not familiar at all" (36%) or "slightly familiar" (26%) — while 51% weren't sure about its deadlines. ("Only 28% correctly identified 2027 as the target year for full compliance," according to one infographic, which adds that CRA "is expected to drive a 6% average price increase, though 53% of manufacturers are still assessing pricing impacts.") Manufacturers, who bear primary responsibility, lack readiness — many [46%] passively rely on upstream security fixes, and only a small portion produce Software Bills of Materials (SBOMs). The report recommends that manufacturers take a more active role in open source security, that more funding and legal support is needed to support security practices, and that clear regulatory guidance is essential to prevent unintended negative impacts on open source development.
The research also provides "an in-depth analysis of how open collaboration can strengthen software security and innovation across global markets," with another report that "examines how three Linux Foundation projects are meeting the CRA's minimum compliance requirements" and "provides insight on the elements needed to ensure leadership in cybersecurity best practices." (It also includes CRA-related resources.)

"These two reports offer actionable conclusions for open source stakeholders to ready themselves for 2027, when the CRA comes into force," according to a Linux Foundation reserach executive cited in the announcement. "We hope that these reports catalyze higher levels of collaboration across the open source community."

The French National Assembly has rejected a controversial provision that would have forced messaging platforms like Signal and WhatsApp to allow government access to encrypted private conversations, lawmakers voted Thursday night. The measure, embedded within anti-drug trafficking legislation, would have implemented a "ghost participant model" allowing law enforcement to silently join encrypted chats without users' knowledge.

Nvidia CEO Jensen Huang on Thursday walked back comments he made in January, when he cast doubt on whether useful quantum computers would hit the market in the next 15 years. From a report: At Nvidia's "Quantum Day" event, part of the company's annual GTC Conference, Huang admitted that his comments came out wrong. "This is the first event in history where a company CEO invites all of the guests to explain why he was wrong," Huang said.

In January, Huang sent quantum computing stocks reeling when he said 15 years was "on the early side" in considering how long it would be before the technology would be useful. He said at the time that 20 years was a timeframe that "a whole bunch of us would believe." In his opening comments on Thursday, Huang drew comparisons between pre-revenue quantum companies and Nvidia's early days. He said it took over 20 years for Nvidia to build out its software and hardware business.

He also expressed surprise that his comments were able to move markets, and joked he didn't know that certain quantum computing companies were publicly traded. "How could a quantum computer company be public?" Huang said.

Nvidia is selling its scarce RTX 5080 and 5090 graphics cards from a pop-up "food truck" at its GPU Technology Conference, where attendees paying over $1,000 for tickets can purchase the coveted hardware alongside merchandise. The company has only 2,000 cards available (1,000 each of RTX 5080 and 5090), released in small batches at random times during the three-day conference which concludes tomorrow.

Microsoft is developing a new Windows 11 feature that will explain how hardware limitations affect PC performance. The latest preview builds include a hidden FAQ section in system settings that addresses GPU memory, system RAM, and OS version impacts.

The feature, discovered by Windows observer "phantomofearth" in this week's Dev Channel build, requires manual activation. It provides specific recommendations for configurations like low RAM or GPUs with less than 4GB memory, and flags outdated Windows versions.

An anonymous reader shares a report: PCI Express 7 is nearing completion, the PCI Special Interest Group said, and the final specification should be released later this year. PCI Express 7, the backbone of the modern motherboard, is at the stage 0.9, which the PCI-SIG characterizes as the "final draft" of the specification. The technology was at version 0.5 a year ago, almost to the day, and originally authored in 2022.

The situation remains the same, however. While modern PC motherboards are stuck on PCI Express 5.0, the specification itself moves ahead. PCI Express has doubled the data rate about every three years, from 64 gigtransfers per second in PCI Express 6.0 to the upcoming 128 gigatransfers per second in PCIe 7. (Again, it's worth noting that PCIe 6.0 exists solely on paper.) Put another way, PCIe 7 will deliver 512GB/s in both directions, across a x16 connection.

It's worth noting that the PCI-SIG doesn't see PCI Express 7 living inside the PC market, at least not initially. Instead, PCIe 7 is expected to be targeted at cloud computing, 800-gigabit Ethernet and, of course, artificial intelligence. It will be backwards-compatible with the previous iterations of PCI Express, the SIG said.

Trend Micro uncovered an eight-year-long spying campaign exploiting a Windows vulnerability involving malicious .LNK shortcut files, which attackers padded with whitespace to conceal commands. Despite being reported to Microsoft in 2023, the company considers it a UI issue rather than a security risk and has not prioritized a fix. The Register reports: The attack method is low-tech but effective, relying on malicious .LNK shortcut files rigged with commands to download malware. While appearing to point to legitimate files or executables, these shortcuts quietly include extra instructions to fetch or unpack and attempt to run malicious payloads. Ordinarily, the shortcut's target and command-line arguments would be clearly visible in Windows, making suspicious commands easy to spot. But Trend's Zero Day Initiative said it observed North Korea-backed crews padding out the command-line arguments with megabytes of whitespace, burying the actual commands deep out of sight in the user interface.

Trend reported this to Microsoft in September last year and estimates that it has been used since 2017. It said it had found nearly 1,000 tampered .LNK files in circulation but estimates the actual number of attacks could have been higher. "This is one of many bugs that the attackers are using, but this is one that is not patched and that's why we reported it as a zero day," Dustin Childs, head of threat awareness at the Zero Day Initiative, told The Register. "We told Microsoft but they consider it a UI issue, not a security issue. So it doesn't meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines."

After poring over malicious .LNK samples, the security shop said it found the vast majority of these files were from state-sponsored attackers (around 70 percent), used for espionage or information theft, with another 20 percent going after financial gain. Among the state-sponsored crews, 46 percent of attacks came from North Korea, while Russia, Iran, and China each accounted for around 18 percent of the activity.

Eric Migicovsky, founder of Pebble, will release two new smartwatches running the newly open-sourced Pebble operating system through his company Core Devices. The Core 2 Duo, priced at $149 and shipping in July, utilizes unused Pebble 2 frames with the same black-and-white E Ink display.

The device features a 30-day battery life -- quadruple its predecessor's -- and incorporates a speaker for AI assistant interaction. Approximately 10,000 units will be available. The Core Time 2, arriving in December at $225, adds touchscreen functionality to the classic Pebble design while maintaining physical buttons and month-long battery life.

Both devices face iPhone integration challenges. Migicovsky cautioned potential tariff increases would be passed to consumers, stating, "We're going to charge more if it costs more." "I'm not building a company to sell millions of these," Migicovsky said. "The goal is to make something I really want."

An anonymous reader shares a report: Xbox 360 modders have discovered a new way to get homebrew apps and games running on the console. A new software-only exploit known as BadUpdate allows you to use a USB key to hack past Microsoft's Hypervisor protections and run unsigned code and games.

Modern Vintage Gamer has tested BadUpdate and found that you don't even have to open up your Xbox 360 console to get it running. Unlike the RGH or JTAG exploits for the Xbox 360, this BadUpdate method just requires a USB key. If you have the time and patience to get this running successfully, you'll be able to run the Xbox 360 homebrew store which includes games, apps, emulators, utilities, and even custom dashboards.

Zillow CEO Jeremy Wacksman "recently told Entrepreneur magazine that almost five years of remote work has 'been fantastic for us,'" writes the Seattle Times. Zillow shifted to allowing people to work fully remote during the pandemic. It's been a recruiting and retention tool for Zillow as they "now see four times the number of job applicants for every job we have versus what we did before the pandemic," Wacksman said.

While Zillow still lists its corporate headquarters as Seattle, the company bills itself as "cloud-headquartered," with remote workers and satellite offices. Wacksman's comments are backed by serious real estate moves the company has made over the past five years. An annual report detailing Zillow's financial results for 2024 shows its Seattle headquarters and offices across the country are shrinking. In 2019, Zillow had 386,275 square feet of office space in Seattle after steadily gobbling up floors of the Russell Investments Center downtown over the prior five years. The company reported it had 113,470 square feet in Seattle at the end of 2024... The company has drastically cut costs by shedding offices. Zillow's total leasing costs reached $54 million in 2022 and dropped to $34 million last year... It expects those costs to decrease even further, to $18 million by 2029. Zillow is also taking advantage of subleasing some of its office space and expects $26 million in sublease income between 2025 and 2030...

Zillow's financial results from last year suggest the workforce has been productive while logging in from home. The company reported Tuesday that it beat Wall Street expectations for the last three months of 2024 with a quarterly revenue of $554 million. Wacksman said in a news release Tuesday that 2024 was a "remarkable year for Zillow," as it reached its goal of double-digit revenue growth.

A ransomware-as-a-service variant called "Medusa" has claimed over 300 victims in "critical infrastructure sectors" (including medical), according to an joint alert from CISA, the FBI, and the Multi-State Information Sharing Analysis Center.

And that alert reminds us that Medusa is a globe-spanning operation that recruits third-party affiliates to plant ransomware and negotiate with victims, notes the Register. "Even organizations that have good ransomware recovery regimes, meaning they don't need to unscramble encrypted data as they have good backups and fall-back plans, may consider paying to prevent the release of their stolen data, given the unpleasant consequences that follow information leaks. Medusa actors also set a deadline for victims to pay ransoms and provide a countdown timer that makes it plain when stolen info will be sprayed across the internet. If victims cough up $10,000 in cryptocurrency, the crims push the deadline forward by 24 hours.

The advisory reveals one Medusa actor has taken things a step further. "FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid," the advisory states. That separate actor then "requested half of the payment be made again to provide the 'true decryptor'," the advisory states, describing this incident as "potentially indicating a triple extortion scheme."
The security groups' advisory stresses that they "do not encourage paying ransoms as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations..." (But "Regardless of whether you or your organization have decided to pay the ransom, FBI, CISA, and MS-ISAC urge you to promptly report ransomware incidents...)

Besides updating software and operating systems, the alert makes these recommendations for organizations:

• Require VPNs (or jump hosts) for remote network access

• Block remote access from unknown/untrusted origins, and disable unused ports

• Segment networks to help prevent the spread of ransomware

• Use a networking monitoring tool to spot and investigate abnormal activity — including lateral movement (using endpoint detection and response tools). Log all network traffic, and monitor it for unauthorized scanning and access attempts.

• Create recovery plans with encrypted offline backups of sensitive/proprietary data and servers

• Require multifactor authentication, use strong (and long) passwords, and "consider not requiring frequently recurring password changes, as these can weaken security." (Also audit access control following the principle of least privilege, and watch for new and/or unrecognized accounts.)

• Disable command-line and scripting activities and permissions.

With Microsoft ending free security updates for Windows 10 in October, millions of PCs that don't meet Windows 11's hardware requirements face an uncertain fate... Charities that refurbish and distribute computers to low-income individuals must choose between providing soon-to-be-insecure Windows 10 machines, transitioning to Linux -- despite usability challenges for non-tech-savvy users -- or recycling the hardware, contributing to ewaste. Tom's Hardware reports: So how bad will it really be to run an end-of-lifed Windows 10? Should people worry? [Chester Wisniewski, who serves as Director and Global Field CISO for Sophos, a major security services company] and other experts I talked to are unequivocal. You're at risk. "To put this in perspective, today [the day we talked] was Patch Tuesday," he said. "There were 57 vulnerabilities, 6 of which have already been abused by criminals before the fixes were available. There were also 57 in February and 159 in January. Windows 10 and Windows 11 largely have a shared codebase, meaning most, if not all, vulnerabilities each month are exploitable on both OSs. These will be actively turned into digital weapons by criminals and nation-states alike and Windows 10 users will be somewhat defenseless against them."

So, in short, even though Windows 10 has been around since 2015, there are still massive security holes being patched. Even within the past few weeks, dozens of vulnerabilities were fixed by Microsoft. So what's a charity to do when these updates are running out and clients will be left vulnerable? "What we decided to do is one year ahead of the cutoff, we discontinued Windows 10," said Casey Sorensen, CEO of PCs for People, one of the U.S.'s largest non-profit computer refurbishers. "We will distribute Linux laptops that are 6th or 7th gen. If we distribute a Windows laptop, it will be 8th gen or newer." Sorensen said that any PC that's fifth gen or older will be sent to an ewaste recycler.

[...] Sorensen, who founded the company in 1998, told us that he's comfortable giving clients computers that run Linux Mint, a free OS that's based on Ubuntu. The latest version of Mint, version 22.1, will be supported until 2029. "Ten years ago if we distributed Linux, they would be like what is it," he said. But today, he notes that many view their computers as windows to the Internet and, for that, a user-friendly version of Linux is acceptable. Further reading: Is 2025 the Year of the Linux Desktop?

Apple is planning a new AirPods feature that allows the earbuds to live-translate an in-person conversation into another language, Bloomberg reports, citing people with knowledge of the matter. From the report: The capability will be offered as part of an AirPods software upgrade due later this year, said the people, who asked not to be identified because the effort is private. It will be tied to iOS 19, the upcoming update to Apple's mobile-device operating system.

Windows Defender has begun identifying WinRing0 -- a kernel-level driver used by numerous hardware monitoring applications -- as malicious software, causing widespread functionality issues for affected tools. The driver, which provides low-level hardware access necessary for reading fan speeds, controlling RGB lighting, and monitoring system components, is being quarantined due to potential security vulnerabilities that could be exploited by malware.

WinRing0 gained popularity among developers because it's one of only two freely available Windows drivers capable of accessing the SMBus registers needed for hardware monitoring functions. The affected applications include Fan Control, OpenRGB, MSI Afterburner, LibreHardwareMonitor, and multiple others that rely on this driver to communicate with system hardware.

The GSM Association has released new specifications for RCS messaging incorporating end-to-end encryption (E2EE) based on the Messaging Layer Security protocol, six months after iOS 18 introduced RCS compatibility.

The specifications ensure messages remain secure between Android and iOS devices, making RCS "the first large-scale messaging service to support interoperable E2EE between client implementations from different providers," said GSMA Technical Director Tom Van Pelt.

The system combines E2EE with SIM-based authentication to strengthen protection against scams and fraud. Apple confirmed it "helped lead a cross industry effort" on the standard and will implement support in future software updates without specifying a timeline. Google's RCS implementation has featured default E2EE since early 2024.

In late 2023, the FBI alerted the Littleton Electric Light and Water Departments (LELWD) that it had been breached by a Chinese-state-sponsored hacking group for over 300 days. With the help of cybersecurity firm Dragos and Department of Energy-funded sensors, LELWD confirmed the intrusion, identified the hackers' movements, and ultimately restructured its network to remove them. PCMag reports: At the time, LELWD had been installing sensors from cybersecurity firm Dragos with the help of Department of Energy grants awarded by the American Public Power Association (APPA). "The sensors helped LELWD confirm the extent of the malicious activity on the system and pinpoint when and where the attackers were going on the utility's networks," the APPA said last year. Today, Dragos released a case study (PDF) about the hack, which it blamed on Voltzite, a "sophisticated threat group...that overlaps with Volt Typhoon."

The call from the FBI forced Dragos "to deploy quickly and bypass the planned onboarding timeline" for the LELWD, it says. It discovered that Volt Typhoon "had persistent access to LELWD's network." Hackers were looking for specific data related to [operational technology] operating procedures and spatial layout data relating to energy grid operations," Dragos tells SecurityWeek. In the end, Dragos confirmed the compromised systems did not contain "customer-sensitive data," and LEWLD changed their network architecture to kick Volt Typhoon out, the case study says. Groups like Volt Typhoon, "don't always go for high-profile targets first," said Ensar Seker, Chief Security Officer at SOCRadar. "Small, underfunded utilities can serve as low-hanging fruit, allowing adversaries to test tactics, develop footholds, and pivot toward larger targets."

Mozilla is urging Firefox users to update their browsers to version 128 or later (or ESR 115.13 for extended support users) before March 14, 2025, to avoid security risks and add-on disruptions caused by the expiration of a key root certificate. "On 14 March a root certificate (the resource used to prove an add-on was approved by Mozilla) will expire, meaning Firefox users on versions older than 128 (or ESR 115) will not be able to use their add-ons," warns a Mozilla blog post. "We want developers to be aware of this in case some of your users are on older versions of Firefox that may be impacted." BleepingComputer reports: A Mozilla support document explains that failing to update Firefox could expose users to significant security risks and practical issues, which, according to Mozilla, include:

- Malicious add-ons can compromise user data or privacy by bypassing security protections.
- Untrusted certificates may allow users to visit fraudulent or insecure websites without warning.
- Compromised password alerts may stop working, leaving users unaware of potential account breaches.

It is noted that the problem impacts Firefox on all platforms, including Windows, Android, Linux, and macOS, except for iOS, where there's an independent root certificate management system. Mozilla says that users relying on older versions of Firefox may continue using their browsers after the expiration of the certificate if they accept the security risks, but the software's performance and functionality may be severely impacted.

An anonymous reader shares a report: Citigroup plans to dramatically reduce its reliance on IT contractors and hire thousands of employees for IT as the lender grapples with regulatory punishments over data governance and deficient controls. Citigroup's head of technology Tim Ryan told staff in recent weeks that the bank aims to cut back external contractors to 20% of those working in IT from the current 50%, according to an internal presentation to employees seen by Reuters.

The briefing did not give a precise time horizon for the changes. As part of the overhaul, Citi will replenish the ranks by hiring more staff, and aims to have 50,000 employees in technology, up from 48,000 in 2024, the presentation showed. "Citi is growing our internal technology capabilities to support our strategy to improve safety and soundness, enable revenue growth and drive efficiencies," Citi said in a statement to Reuters.

Several Asian airlines have tightened restrictions on portable battery chargers amid growing concerns about fire risks, following a January blaze that destroyed an Air Busan aircraft in South Korea. South Korean airlines now require passengers to keep portable chargers within arm's reach rather than in overhead bins, a rule implemented March 1 to ease public anxiety, according to the Transportation Ministry. Taiwan's EVA Air and China Airlines have banned using or charging power banks on flights but still allow them in overhead compartments.

Thai Airways announced a similar ban last Friday, citing "incidents of in-flight fires on international airlines." Battery-related incidents on U.S. airlines have increased from 32 in 2016 to 84 last year, with portable chargers identified as the most common culprit, according to Federal Aviation Administration data. The International Civil Aviation Organization has banned lithium-ion batteries from cargo holds since 2016, though no industry standard exists for regulating power banks.

Microsoft is ending support of its Remote Desktop app for Windows on May 27th. From a report: If you use the Remote Desktop app to connect to Windows 365, Azure Virtual Desktop, or Microsoft Dev Box machines then you'll have to transition to the Windows app instead.

The new Windows app, which launched in September, includes multimonitor support, dynamic display resolutions, and easy access to cloud PCs and virtual desktops. Microsoft says "connections to Windows 365, Azure Virtual Desktop, and Microsoft Dev Box via the Remote Desktop app from the Microsoft Store will be blocked after May 27th, 2025."