An anonymous reader shared this report from WebProNews: The Linux world is abuzz with news of XLibre, a fork of the venerable X11 window display system, which aims to be an alternative to X11's successor, Wayland.

Much of the Linux world is working to adopt Wayland, the successor to X11. Wayland has been touted as being a superior option, providing better security and performance. Despite Fedora and Ubuntu both going Wayland-only, the newer display protocol still lags behind X11, in terms of functionality, especially in the realm of accessibility, screen recording, session restore, and more. In addition, despite the promise of improved performance, many users report performance regressions compared to X11.

While progress is being made, it has been slow going, especially for a project that is more than 17 years old. To make matters worse, Wayland is largely being improved by committee, with the various desktop environment teams trying to work together to further the protocol. Progress is further hampered by the fact that the GNOME developers often object to the implementation of some functionality that doesn't fit with their vision of what a desktop should be — despite those features being present and needed in every other environment.

In response, developer Enrico Weigelt has forked Xll into the XLibre project. Weigelt was already one of the most prolific X11 contributors at a time when little to no improvements or new features are being added to the aging window system... Weigelt has wasted no time releasing the inaugural version of XLibre, XLibre 25.0. The release includes a slew of improvements.
MrBrklyn (Slashdot reader #4,775) adds that Artix Linux, a rolling-release distro based on Arch Linux which does not use systemd, now offers XLibre ISO images and packages for testing and use. They're all non-systemd based, and "Its a decent undertaking by the Artix development team. The iso is considered to be testing but it is quickly moving to the regular repos for broad public use."

The Canadian government has ordered Chinese surveillance camera manufacturer Hikvision to cease operations in Canada over national security concerns, Industry Minister Melanie Joly said late on Friday. From a report: Hikvision, also known as Hangzhou Hikvision Digital Technology Co, has faced numerous sanctions and restrictions by Canada's neighbor, the United States, over the past five and a half years for the firm's dealings and the use of its equipment in China's Xinjiang region, where rights groups have documented abuses against the Uyghur population and other Muslim communities.

"The government has determined that Hikvision Canada's continued operations in Canada would be injurious to Canada's national security," Joly said on X, adding that the decision was taken after a multi-step review of information provided by Canada's security and intelligence community."

Tech companies Google and Palo Alto Networks are sounding the alarm over the "Scattered Spider" hacking group's interest in the aviation sector. From a report: In a statement posted on LinkedIn, Sam Rubin, an executive at Palo Alto's cybersecurity-focused Unit 42, said his company had "observed Muddled Libra (also known as Scattered Spider) targeting the aviation industry."

In a similar statement, Charles Carmakal, an executive with Alphabet-owned Google's cybersecurity-focused Mandiant unit, said his company was "aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider." Axios adds: The group of mostly Western, English-speaking hackers has been on a months-long spree that's prompted operational disruptions at grocery suppliers, major retail storefronts and insurance companies in the U.S. and U.K.

Hawaiian Airlines said Thursday it's addressing a "cybersecurity incident" that affected some of its IT systems. Canadian airline WestJet faced a similar incident last week that caused outages for some of its systems and mobile app. A source familiar with the incidents told Axios that Scattered Spider was likely behind the WestJet incident.

Steven J. Vaughan-Nichols writes in an opinion piece for The Register: Microsoft, tactically admitting it has failed at talking all the Windows 10 PC users into moving to Windows 11 after all, is -- sort of, kind of -- extending Windows 10 support for another year. For most users, that means they'll need to subscribe to Microsoft 365. This, in turn, means their data and meta-information will be kept in a US-based datacenter. That isn't sitting so well with many European Union (EU) organizations and companies. It doesn't sit that well with me or a lot of other people either.

A few years back, I wrote in these very pages that Microsoft didn't want you so much to buy Windows as subscribe to its cloud services and keep your data on its servers. If you wanted a real desktop operating system, Linux would be almost your only choice. Nothing has changed since then, except that folks are getting a wee bit more concerned about their privacy now that President Donald Trump is in charge of the US. You may have noticed that he and his regime love getting their hands on other people's data.

Privacy isn't the only issue. Can you trust Microsoft to deliver on its service promises under American political pressure? Ask the EU-based International Criminal Court (ICC) which after it issued arrest warrants for Israeli Prime Minister Benjamin Netanyahu for war crimes, Trump imposed sanctions on the ICC. Soon afterward, ICC's chief prosecutor, Karim Khan, was reportedly locked out of his Microsoft email accounts. Coincidence? Some think not. Microsoft denies they had anything to do with this.

Peter Ganten, chairman of the German-based Open-Source Business Alliance (OSBA), opined that these sanctions ordered by the US which he alleged had been implemented by Microsoft "must be a wake-up call for all those responsible for the secure availability of state and private IT and communication infrastructures." Microsoft chairman and general counsel, Brad Smith, had promised that it would stand behind its EU customers against political pressure. In the aftermath of the ICC reports, Smith declared Microsoft had not been "in any way [involved in] the cessation of services to the ICC." In the meantime, if you want to reach Khan, you'll find him on the privacy-first Swiss email provider, ProtonMail.

In short, besides all the other good reasons for people switching to the Linux desktop - security, Linux is now easy to use, and, thanks to Steam, you can do serious gaming on Linux - privacy has become much more critical. That's why several EU governments have decided that moving to the Linux desktop makes a lot of sense... Besides, all these governments know that switching from Windows 10 to 11 isn't cheap. While finances also play a role, and I always believe in "following the money" when it comes to such software decisions, there's no question that Europe is worried about just how trustworthy America and its companies are these days. Do you blame them? I don't. The shift to the Linux desktop is "nothing new," as Vaughan-Nichols notes. Munich launched its LiMux project back in 2004 and, despite ending it in 2017, reignited its open-source commitment by establishing a dedicated program office in 2024. In France, the gendarmerie now operates over 100,000 computers on a custom Ubuntu-based OS (GendBuntu), while the city of Lyon is transitioning to Linux and PostgreSQL.

More recently, Denmark announced it is dropping Windows and Office in favor of Linux and LibreOffice, citing digital sovereignty. The German state of Schleswig-Holstein is following suit, also moving away from Microsoft software. Meanwhile, a pan-European Linux OS (EU OS) based on Fedora Kinoite is being explored, with Linux Mint and openSUSE among the alternatives under consideration.

Android 16 will include a new security feature that warns users when their phones connect to fake cell towers designed for surveillance. The "network notification" setting alerts users when devices connect to unencrypted networks or when networks request phone identifiers, helping protect against "stingray" devices that mimic legitimate cell towers to collect data and force phones onto insecure communication protocols.

An anonymous reader quotes a report from SecurityWeek: Hundreds of printer models from Brother and other vendors are impacted by potentially serious vulnerabilities discovered by researchers at Rapid7. The cybersecurity firm revealed on Wednesday that its researchers identified eight vulnerabilities affecting multifunction printers made by Brother. The security holes have been found to impact 689 printer, scanner and label maker models from Brother, and some or all of the flaws also affect 46 Fujifilm Business Innovation, five Ricoh, six Konica Minolta, and two Toshiba printers. Overall, millions of enterprise and home printers are believed to be exposed to hacker attacks due to these vulnerabilities.

The most serious of the flaws, tracked as CVE-2024-51978 and with a severity rating of 'critical', can allow a remote and unauthenticated attacker to bypass authentication by obtaining the device's default administrator password. CVE-2024-51978 can be chained with an information disclosure vulnerability tracked as CVE-2024-51977, which can be exploited to obtain a device's serial number. This serial number is needed to generate the default admin password. "This is due to the discovery of the default password generation procedure used by Brother devices," Rapid7 explained. "This procedure transforms a serial number into a default password. Affected devices have their default password set, based on each device's unique serial number, during the manufacturing process."

Having the admin password enables an attacker to reconfigure the device or abuse functionality intended for authenticated users. The remaining vulnerabilities, which have severity ratings of 'medium' and 'high', can be exploited for DoS attacks, forcing the printer to open a TCP connection, obtain the password of a configured external service, trigger a stack overflow, and perform arbitrary HTTP requests. Six of the eight vulnerabilities found by Rapid7 can be exploited without authentication. Brother has patched most of the flaws, but CVE-2024-51978 requires a new manufacturing process to fully resolve, which will apply only to future devices.

An anonymous reader quotes a report from Ars Technica: After sending cease-and-desist letters to VMware users whose support contracts had expired and who subsequently declined to subscribe to one of Broadcom's VMware bundles, Broadcom has started the process of conducting audits on former VMware customers. [...] Ars Technica reviewed a letter that a software provider and VMware user in the Netherlands received that is dated June 20 and informs the firm that it "has been selected for a formal audit of its use of VMware software and support services" [PDF]. The security professional who provided Ars with the letter asked to keep their name and their employers' name anonymous out of privacy concerns.

The anonymous employee told Ars that their company had been a VMware customer for "about" a decade before deciding not to sign up for a new contract with Broadcom's VMware a year ago. The company had been using VMware Cloud Foundation and vSphere. "Our CEO decided to not extend the support contract because of the costs," the employee said. "This already impacts us security-wise because we can no longer get updates (unless the CVSS score is critical)." The letter notes that an auditing firm, Connor Consulting, which is headquartered in San Francisco and has offices around the globe, will perform a review of the company's "VMware deployment and entitlements, which may include fieldwork or remote testing and meetings with members of your accounting, licensing, and management information systems functions." The letter informs its recipient that someone from Connor will reach out and that the VMware user should respond within three business days.

The letter, signed by Aiden Fitzgerald, director of global sales operations at Broadcom, claims that Broadcom will use its time "as efficiently and productively as possible to minimize disruption." Still, the security worker that Ars spoke with is concerned about the implications of the audit and said they "expect a big financial impact" for their employer. They added: "Because we are focusing on saving costs and are on a pretty tight financial budget, this will likely have impact on the salary negotiations or even layoffs of employees. Currently, we have some very stressed IT managers [and] legal department [employees] ..." The employee noted that they are unsure if their employer exceeded its license limits. If the firm did, it could face "big" financial repercussions, the worker noted.

Microsoft is preparing to release a private preview of Windows changes that will move antivirus and endpoint detection and response apps out of the Windows kernel, nearly a year after a faulty CrowdStrike update crashed 8.5 million Windows-based machines worldwide.

The new Windows endpoint security platform is being developed in cooperation with CrowdStrike, Bitdefender, ESET, Trend Micro, and other security vendors. David Weston, Microsoft's vice president of enterprise and OS security, said dozens of partners have submitted papers detailing design requirements, some hundreds of pages long. The private preview will allow security vendors to request changes before the platform is finalized.

U.S. lawmakers have reintroduced the bipartisan Open App Markets Act, aiming to curb Apple and Google's control over mobile app stores by promoting competition, supporting third-party marketplaces and sideloading, and safeguarding developer rights. AppleInsider reports: The Open App Markets Act seeks to do a number of things, including:
- Protect developers' rights to tell consumers about lower prices and offer competitive pricing;
- Protect sideloading of apps;
- Promote competition by opening the market to third-party app stores, startup apps, and alternative payment systems;
- Make it possible for developers to offer new experiences that take advantage of consumer device features;
- Give consumers greater control over their devices;
- Prevent app stores from disadvantaging developers; and
- Establish safeguards to preserve consumer privacy, security, and safety.

This isn't the first time we've seen this bill, either. In 2021, Senators Blumenthal, Klobuchar, and Blackburn had attempted to put forth the original version of the Open App Markets Act.However, the initial bill never made it to the floor for an office vote. Thanks to last-minute efforts by lobbying groups and appearances from chief executives, the bill eventually stalled out.

While the two bills are largely similar, the revised version introduces several key differences. Notably, the new version includes new carve-outs aimed at protecting intellectual property and addressing potential national security concerns.There's also a new clause that would prohibit punitive actions against developers for enabling remote access to other apps. The clause addition harkens back to the debacle between Apple and most game streaming services -- though in 2024, Apple loosened its App Store guidelines to allow cloud gaming and emulation.

There are a few new platform-protective clauses added, too. For instance, it would significantly lower the burden of proof for either Apple or Google to block platform access to a third-party app.Additionally, it reinforces the fact that companies like Apple or Google will not need to provide support or refunds for third-party apps installed outside of first-party app marketplaces. The full bill can be found here.

Philips Hue will raise prices across its smart lighting and security products for US customers starting July 1st, with parent company Signify attributing the increases directly to tariffs.

The company initially notified customers that prices would "go up" through a promotional message before confirming the tariff-related reasoning in a statement. Signify has not provided specific pricing details or identified which products will be affected, though the company's statement suggests changes may impact the entire Hue lineup.

Some products already reflect higher US pricing, including the new $219.99 Hue Play Wall Washer light, which costs approximately 10% more than the European price when currencies are converted. The latest $32.99 Smart Button also exceeds the $24.99 launch price of its predecessor, while European pricing remained at 21.99 euro ($25.50) for both generations.

Microsoft will offer free Windows 10 security updates through October 2026 to consumers who enable Windows Backup or spend 1,000 Microsoft Rewards points, the company said today. The move provides alternatives to the previously announced $30-per-PC Extended Security Update program for individuals wanting to continue using Windows 10 past its October 14, 2025 end-of-support date.

The company will notify Windows 10 users about the ESU program through the Settings app and notifications starting in July, with full rollout by mid-August. Both free options require a Microsoft Account, which the company has increasingly pushed in Windows 11. Business and organizational customers can still purchase up to three years of ESU updates but must pay for the service.

Windows 10 remains installed on 53% of Windows PCs worldwide, according to Statcounter data.

An anonymous reader quotes a report from ExtremeTech: Microsoft has changed how Windows 11 manages System Restore points after its June 2025 security update. The update, KB5060842, says that starting with Windows 11 version 24H2, System Restore points will be kept for up to 60 days. After 60 days, restore points older than 60 days will no longer be available for use. [...] The change does not change the way restore points are created or used; it only sets a clear time limit for how long they are stored. Windows will still delete older restore points if the allocated disk space fills up. But now there is a firm upper limit of 60 days, regardless of available space. The report notes that restore points in Windows 11 have varied. "Some restore points were removed after only 10 days, while others sometimes lasted the full 90 days, as reported by XDA Developers."

The new 60-day limit should give users more certainty about how long their restore points will remain on their system.

Disabling Intel graphics security mitigations in GPU compute stacks for OpenCL and Level Zero can yield a performance boost of up to 20%, prompting Ubuntu's Canonical and Intel to disable these mitigations in future Ubuntu packages. Phoronix's Michael Larabel reports: Intel does allow building their GPU compute stack without these mitigations by using the "NEO_DISABLE_MITIGATIONS" build option and that is what Canonical is looking to set now for Ubuntu packages to avoid the significant performance impact. This work will likely all be addressed in time for Ubuntu 25.10. This NEO_DISABLE_MITIGATIONS option is just for compiling the Intel Compute Runtime stack and doesn't impact the Linux kernel security mitigations or else outside of Intel's "NEO" GPU compute stack. Both Intel and Canonical are in agreement with this move and it turns out that even Intel's GitHub binary packages for their Compute Runtime for OpenCL and Level Zero ship with the mitigations disabled due to the performance impact. This Ubuntu Launchpad bug report for the Intel Compute Runtime notes some of the key takeaways. There is also this PPA where Ubuntu developers are currently testing their Compute Runtime builds with NEO_DISABLE_MITIGATIONS enabled for disabling the mitigations.

Hackers suspected of working on behalf of the Chinese government exploited a maximum-severity vulnerability, which had received a patch 16 months earlier, to compromise a telecommunications provider in Canada, officials from that country and the US said Monday. ArsTechnica: "The Cyber Centre is aware of malicious cyber activities currently targeting Canadian telecommunications companies," officials for the center, the Canadian government's primary cyber security agency, said in a statement. "The responsible actors are almost certainly PRC state-sponsored actors, specifically Salt Typhoon." The FBI issued its own nearly identical statement.

Salt Typhoon is the name researchers and government officials use to track one of several discreet groups known to hack nations all over the world on behalf of the People's Republic of China. In October 2023, researchers disclosed that hackers had backdoored more than 10,000 Cisco devices by exploiting CVE-2023-20198, a vulnerability with a maximum severity rating of 10. Any switch, router, or wireless LAN controller running Cisco's iOS XE that had the HTTP or HTTPS server feature enabled and exposed to the Internet was vulnerable. Cisco released a security patch about a week after security firm VulnCheck published its report.

The U.S. House chief administrative officer has banned WhatsApp from congressional staffers' government devices citing data vulnerability concerns. The cybersecurity office deemed the messaging app "high-risk" due to lack of transparency in data protection, absence of stored data encryption, and potential security risks, according to an email obtained by Axios.

Staff cannot download or keep WhatsApp on any House device, including mobile, desktop, or web browser versions.

The Python Software Foundation ("made up of, governed, and led by the community") does more than just host Python and its documnation, the Python Package Repository, and the development workflows of core CPython developers. This week the PSF released its 28-page Annual Impact Report this week, noting that 2024 was their first year with three CPython developers-in-residence — and "Between Lukasz, Petr, and Serhiy, over 750 pull requests were authored, and another 1,500 pull requests by other authors were reviewed and merged." Lukasz Langa co-implemented the new colorful shell included in Python 3.13, along with Pablo Galindo Salgado, Emily Morehouse-Valcarcel, and Lysandros Nikolaou.... Code-wise, some of the most interesting contributions by Petr Viktorin were around the ctypes module that allows interaction between Python and C.... These are just a few of Serhiy Storchaka's many contributions in 2024: improving error messages for strings, bytes, and bytearrays; reworking support for var-arguments in the C argument handling generator called "Argument Clinic"; fixing memory leaks in regular expressions; raising the limits for Python integers on 64-bit platforms; adding support for arbitrary code page encodings on Windows; improving complex and fraction number support...

Thanks to the investment of [the OpenSSF's security project] Alpha-Omega in 2024, our Security Developer-in-Residence, Seth Larson, continued his work improving the security posture of CPython and the ecosystem of Python packages. Python continues to be an open source security leader, evident by the Linux kernel becoming a CVE Numbering Authority using our guide as well as our publication of a new implementers guide for Trusted Publishers used by Ruby, Crates.io, and Nuget. Python was also recommended as a memory-safe programming language in early 2024 by the White House and CISA following our response to the Office of the National Cyber Directory Request for Information on open source security in 2023... Due to the increasing demand for SBOMs, Seth has taken the initiative to generate SBOM documents for the CPython runtime and all its dependencies, which are now available on python.org/downloads. Seth has also started work on standardizing SBOM documents for Python packages with PEP 770, aiming to solve the "Phantom Dependency" problem and accurately represent non-Python software included in Python packages.

With the continued investment in 2024 by Amazon Web Services Open Source and Georgetown CSET for this critical role, our PyPI Safety & Security Engineer, Mike Fiedler, completed his first full calendar year at the PSF... In March 2024, Mike added a "Report project as malware" button on the website, creating more structure to inbound reports and decreasing remediation time. This new button has been used over 2,000 times! The large spike in June led to prohibiting Outlook email domains, and the spike in November was driven by a persistent attack. Mike developed the ability to place projects in quarantine pending further investigation. Thanks to a grant from Alpha-Omega, Mike will continue his work for a second year. We plan to do more work on minimizing time-on-PyPI for malware in 2025...

In 2024, PyPI saw an 84% growth in download counts and 48% growth in bandwidth, serving 526,072,569,160 downloads for the 610,131 projects hosted there, requiring 1.11 Exabytes of data transfer, or 281.6 Gbps of bandwidth 24x7x365. In 2024, 97k new projects, 1.2 million new releases, and 3.1 million new files were uploaded to the index.

"The worlds of Linux and Windows finally came together in real life..." writes The Verge: Microsoft co-founder Bill Gates and Linus Torvalds, the creator of the Linux kernel, have surprisingly never met before. That all changed at a recent dinner hosted by Sysinternals creator Mark Russinovich... "No major kernel decisions were made," jokes Russinovich in a post on LinkedIn.
More from the Linux news blog Linuxiac: The man on the left is Mark Russinovich, a software engineer, author, and co-founder of Sysinternals, now CTO of Azure, Microsoft's cloud computing platform. He has become synonymous with deep Windows diagnostics and cloud-scale management. In the late 1990s, his suite of tools (Process Explorer, Autoruns, Procmon) revolutionized the way administrators and security professionals understood Windows internals.

The man on the far right is another living legend: Dave Cutler. Let me put it this way — he's one of the key people behind OpenVMS and the brilliant lead architect who designed Windows NT's kernel and hardware-abstraction layer — technologies that remain at the heart of every current Windows release, from server farms to laptops. So, it's no surprise that people often call him the "father of Windows NT."

An anonymous reader quotes a report from MacRumors: To comply with a new regulation that takes effect today, Apple has added an energy efficiency label to its iPhone and iPad pages in EU countries. Apple is also required to start including a printed version of the label with the devices sold there. The label grades a given iPhone or iPad model's energy efficiency from a high of A to a low of G, based on the EU's testing parameters. However, Apple said that certain aspects of the testing methods outlined by the European Commission are "ambiguous," so it chose to be conservative with its scores until testing is standardized.

In a 44-page document (PDF) detailing its testing methodology for the labels, Apple said its current iPhone models qualified for the highest energy efficiency grade of A, but the company voluntarily downgraded these scores to a B as a cautionary measure. The label also provides details about a given iPhone or iPad model's battery life per full charge cycle, repairability grade, impact resistance, ingress protection rating for water and dust resistance, and how many full charge cycles the battery is rated for. Likewise, this information is based on Apple's interpretation of the EU's testing parameters.

On the web, the label can be viewed by clicking or tapping on the colorful little tag icon on various iPhone and iPad pages on Apple's localized websites for EU countries. It is shown on both Apple's main product marketing pages for all iPhone and iPad models that are currently sold in the EU, and on the purchase page for those devices. The label is accompanied by a product information sheet (PDF) that provides a comprehensive overview of even more details, such as the device's battery capacity in mAh, screen scratch resistance based on the Mohs hardness scale, the minimum guaranteed timeframe for availability of security updates, and much more.

An anonymous reader quotes a report from Ars Technica: Large-scale attacks designed to bring down Internet services by sending them more traffic than they can process keep getting bigger, with the largest one yet, measured at 7.3 terabits per second, being reported Friday by Internet security and performance provider Cloudflare. The 7.3Tbps attack amounted to 37.4 terabytes of junk traffic that hit the target in just 45 seconds. That's an almost incomprehensible amount of data, equivalent to more than 9,300 full-length HD movies or 7,500 hours of HD streaming content in well under a minute.

Cloudflare said the attackers "carpet bombed" an average of nearly 22,000 destination ports of a single IP address belonging to the target, identified only as a Cloudflare customer. A total of 34,500 ports were targeted, indicating the thoroughness and well-engineered nature of the attack. [...] Cloudflare said the record DDoS exploited various reflection or amplification vectors, including the previously mentioned Network Time Protocol; the Quote of the Day Protocol, which listens on UDP port 17 and responds with a short quote or message; the Echo Protocol, which responds with the same data it receives; and Portmapper services used identify resources available to applications connecting through the Remote Procedure Call. Cloudflare said the attack was also delivered through one or more Mirai-based botnets. Such botnets are typically made up of home and small office routers, web cameras, and other Internet of Things devices that have been compromised.

The Department of Homeland Security is concerned about the rate at which outlawed signal-jamming devices are being found across the US. From a report: In a warning issued on Wednesday, it said it has seen an 830 percent increase in seizures of these signal jammers since 2021, specifically those made in China. Signal-jamming devices are outlawed in the US, mainly because they can interfere with communications between emergency services and law enforcement.

While the Communications Act of 1934 effectively prohibits such devices, signal jammers of the type DHS is concerned about have only circulated in the last 20 to 30 years. Authorities have paid special attention to relay attack devices in recent years -- the types of hardware that can be used to clone signals used by systems such as remote car keys, although the first examples of these devices date back to the 1980s.