China

Intel and Microsoft Staff Allegedly Lured To Work For Fake Chinese Company In Taiwan (theregister.com) 12

Taiwanese authorities have accused 11 Chinese companies, including SMIC, of secretly setting up disguised entities in Taiwan to illegally recruit tech talent from firms like Intel and Microsoft. The Register reports: One of those companies is apparently called Yunhe Zhiwang (Shanghai) Technology Co., Ltd and develops high-end network chips. The Bureau claims its chips are used in China's "Data East, Compute West" strategy that, as we reported when it was announced in 2022, calls for five million racks full of kit to be moved from China's big cities in the east to new datacenters located near renewable energy sources in country's west. Datacenters in China's east will be used for latency-sensitive applications, while heavy lifting takes place in the west. Staff from Intel and Microsoft were apparently lured to work for Yunhe Zhiwang, which disguised its true ownership by working through a Singaporean company.

The Investigation Bureau also alleged that China's largest chipmaker, Semiconductor Manufacturing International Corporation (SMIC), used a Samoan company to establish a presence in Taiwan and then hired local talent. That's a concerning scenario as SMIC is on the USA's "entity list" of organizations felt to represent a national security risk. The US gets tetchy when its friends and allies work with companies on the entity list.

A third Chinese entity, Shenzhen Tongrui Microelectronics Technology, disguised itself so well Taiwan's Ministry of Industry and Information Technology lauded it as an important innovator and growth company. As a result of the Bureau's work, prosecutors' offices in seven Taiwanese cities are now looking into 11 Chinese companies thought to have hidden their ties to Beijing.

Privacy

FBI Raids Home of Prominent Computer Scientist Who Has Gone Incommunicado (arstechnica.com) 100

An anonymous reader shares a report: A prominent computer scientist who has spent 20 years publishing academic papers on cryptography, privacy, and cybersecurity has gone incommunicado, had his professor profile, email account, and phone number removed by his employer, Indiana University, and had his homes raided by the FBI. No one knows why.

Xiaofeng Wang has a long list of prestigious titles. He was the associate dean for research at Indiana University's Luddy School of Informatics, Computing and Engineering, a fellow at the Institute of Electrical and Electronics Engineers and the American Association for the Advancement of Science, and a tenured professor at Indiana University at Bloomington. According to his employer, he has served as principal investigator on research projects totaling nearly $23 million over his 21 years there.

He has also co-authored scores of academic papers on a diverse range of research fields, including cryptography, systems security, and data privacy, including the protection of human genomic data.

Encryption

HTTPS Certificate Industry Adopts New Security Requirements (googleblog.com) 29

The Certification Authority/Browser Forum "is a cross-industry group that works together to develop minimum requirements for TLS certificates," writes Google's Security blog. And earlier this month two proposals from Google's forward-looking roadmap "became required practices in the CA/Browser Forum Baseline Requirements," improving the security and agility of TLS connections... Multi-Perspective Issuance Corroboration
Before issuing a certificate to a website, a Certification Authority (CA) must verify the requestor legitimately controls the domain whose name will be represented in the certificate. This process is referred to as "domain control validation" and there are several well-defined methods that can be used. For example, a CA can specify a random value to be placed on a website, and then perform a check to verify the value's presence has been published by the certificate requestor.

Despite the existing domain control validation requirements defined by the CA/Browser Forum, peer-reviewed research authored by the Center for Information Technology Policy of Princeton University and others highlighted the risk of Border Gateway Protocol (BGP) attacks and prefix-hijacking resulting in fraudulently issued certificates. This risk was not merely theoretical, as it was demonstrated that attackers successfully exploited this vulnerability on numerous occasions, with just one of these attacks resulting in approximately $2 million dollars of direct losses.

The Chrome Root Program led a work team of ecosystem participants, which culminated in a CA/Browser Forum Ballot to require adoption of MPIC via Ballot SC-067. The ballot received unanimous support from organizations who participated in voting. Beginning March 15, 2025, CAs issuing publicly-trusted certificates must now rely on MPIC as part of their certificate issuance process. Some of these CAs are relying on the Open MPIC Project to ensure their implementations are robust and consistent with ecosystem expectations...

Linting
Linting refers to the automated process of analyzing X.509 certificates to detect and prevent errors, inconsistencies, and non-compliance with requirements and industry standards. Linting ensures certificates are well-formatted and include the necessary data for their intended use, such as website authentication. Linting can expose the use of weak or obsolete cryptographic algorithms and other known insecure practices, improving overall security... The ballot received unanimous support from organizations who participated in voting. Beginning March 15, 2025, CAs issuing publicly-trusted certificates must now rely on linting as part of their certificate issuance process.

Linting also improves interoperability, according to the blog post, and helps reduce the risk of non-compliance with standards that can result in certificates being "mis-issued".

And coming up, weak domain control validation methods (currently permitted by the CA/Browser Forum TLS Baseline Requirements) will be prohibited beginning July 15, 2025.

"Looking forward, we're excited to explore a reimagined Web PKI and Chrome Root Program with even stronger security assurances for the web as we navigate the transition to post-quantum cryptography."
Robotics

China is Already Testing AI-Powered Humanoid Robots in Factories (msn.com) 71

The U.S. and China "are racing to build a truly useful humanoid worker," the Wall Street Journal wrote Saturday, adding that "Whoever wins could gain a huge edge in countless industries."

"The time has come for robots," Nvidia's chief executive said at a conference in March, adding "This could very well be the largest industry of all." China's government has said it wants the country to be a world leader in humanoid robots by 2027. "Embodied" AI is listed as a priority of a new $138 billion state venture investment fund, encouraging private-sector investors and companies to pile into the business. It looks like the beginning of a familiar tale. Chinese companies make most of the world's EVs, ships and solar panels — in each case, propelled by government subsidies and friendly regulations. "They have more companies developing humanoids and more government support than anyone else. So, right now, they may have an edge," said Jeff Burnstein [president of the Association for Advancing Automation, a trade group in Ann Arbor, Michigan]....

Humanoid robots need three-dimensional data to understand physics, and much of it has to be created from scratch. That is where China has a distinct edge: The country is home to an immense number of factories where humanoid robots can absorb data about the world while performing tasks. "The reason why China is making rapid progress today is because we are combining it with actual applications and iterating and improving rapidly in real scenarios," said Cheng Yuhang, a sales director with Deep Robotics, one of China's robot startups. "This is something the U.S. can't match." UBTech, the startup that is training humanoid robots to sort and carry auto parts, has partnerships with top Chinese automakers including Geely... "A problem can be solved in a month in the lab, but it may only take days in a real environment," said a manager at UBTech...

With China's manufacturing prowess, a locally built robot could eventually cost less than half as much as one built elsewhere, said Ming Hsun Lee, a Bank of America analyst. He said he based his estimates on China's electric-vehicle industry, which has grown rapidly to account for roughly 70% of global EV production. "I think humanoid robots will be another EV industry for China," he said. The UBTech robot system, called Walker S, currently costs hundreds of thousands of dollars including software, according to people close to the company. UBTech plans to deliver 500 to 1,000 of its Walker S robots to clients this year, including the Apple supplier Foxconn. It hopes to increase deliveries to more than 10,000 in 2027.

Few companies outside China have started selling AI-powered humanoid robots. Industry insiders expect the competition to play out over decades, as the robots tackle more-complicated environments, such as private homes.

The article notes "several" U.S. humanoid robot producers, including the startup Figure. And robots from Amazon's Agility Robotics have been tested in Amazon warehouses since 2023. "The U.S. still has advantages in semiconductors, software and some precision components," the article points out.

But "Some lawmakers have urged the White House to ban Chinese humanoids from the U.S. and further restrict Chinese robot makers' access to American technology, citing national-security concerns..."
Windows

Microsoft Attempts To Close Local Account Windows 11 Setup Loophole (theverge.com) 196

Slashdot reader jrnvk writes: The Verge is reporting that Microsoft will soon make it harder to run the well-publicized bypassnro command in Windows 11 setup. This command allows skipping the Microsoft account and online connection requirements on install. While the command will be removed, it can still be enabled by a regedit change — for now.
"However, there's no guarantee Microsoft will allow this additional workaround for long," writes the Verge. (Though they add "There are other workarounds as well" involving the unattended.xml automation.) In its latest Windows 11 Insider Preview, the company says it will take out a well-known bypass script... Microsoft cites security as one reason it's making this change. ["This change ensures that all users exit setup with internet connectivity and a Microsoft Account."] Since the bypassnro command is disabled in the latest beta build, it will likely be pushed to production versions within weeks.
Google

Google Sunsets Two Devices From Its Nest Smart Home Product Line (pcworld.com) 16

"After a long run, Google is sunsetting two of its signature Nest products," reports PC World: Google has just announced that it's discontinuing the 10-year-old Nest Protect and the 7-year-old Nest x Yale lock. Both of those products will continue to work, and — for now — they remain on sale at the Google Store, complete with discounts until supplies run out. But while Google itself is exiting the smoke alarm and smart lock business, it isn't leaving Google Home users in the lurch. Instead, it's teeing up third-party replacements for the Nest Protect and Nest X Yale lock, with both new products coming from familiar brands... Capable of being unlocked via app, entry code, or a traditional key, the Yale Smart Lock with Matter is set to arrive this summer, according to Yale.

While both the existing Nest Protect and Nest x Yale lock will continue to operate and receive security patches, those who purchased the second-generation Nest Protect near its 2015 launch date should probably replace the product anyway. That's because the CO sensors in carbon monoxide detectors like the Nest Protect have a roughly 10-year life expectancy.

Nest Protect and the Nest X Yale lock were two of the oldest products in Google's smart home lineup, and both were showing their age.

Cloud

Microsoft Announces 'Hyperlight Wasm': Speedy VM-Based Security at Scale with a WebAssembly Runtime (microsoft.com) 18

Cloud providers like the security of running things in virtual machines "at scale" — even though VMs "are not known for having fast cold starts or a small footprint..." noted Microsoft's Open Source blog last November. So Microsoft's Azure Core Upstream team built an open source Rust library called Hyperlight "to execute functions as fast as possible while isolating those functions within a VM."

But that was just the beginning... Then, we showed how to run Rust functions really, really fast, followed by using C to [securely] run Javascript. In February 2025, the Cloud Native Computing Foundation (CNCF) voted to onboard Hyperlight into their Sandbox program [for early-stage projects].

[This week] we're announcing the release of Hyperlight Wasm: a Hyperlight virtual machine "micro-guest" that can run wasm component workloads written in many programming languages...

Traditional virtual machines do a lot of work to be able to run programs. Not only do they have to load an entire operating system, they also boot up the virtual devices that the operating system depends on. Hyperlight is fast because it doesn't do that work; all it exposes to its VM guests is a linear slice of memory and a CPU. No virtual devices. No operating system. But this speed comes at the cost of compatibility. Chances are that your current production application expects a Linux operating system running on the x86-64 architecture (hardware), not a bare linear slice of memory...

[B]uilding Hyperlight with a WebAssembly runtime — wasmtime — enables any programming language to execute in a protected Hyperlight micro-VM without any prior knowledge of Hyperlight at all. As far as program authors are concerned, they're just compiling for the wasm32-wasip2 target... Executing workloads in the Hyperlight Wasm guest isn't just possible for compiled languages like C, Go, and Rust, but also for interpreted languages like Python, JavaScript, and C#. The trick here, much like with containers, is to also include a language runtime as part of the image... Programming languages, runtimes, application platforms, and cloud providers are all starting to offer rich experiences for WebAssembly out of the box. If we do things right, you will never need to think about whether your application is running inside of a Hyperlight Micro-VM in Azure. You may never know your workload is executing in a Hyperlight Micro VM. And that's a good thing.

While a traditional virtual-device-based VM takes about 125 milliseconds to load, "When the Hyperlight VMM creates a new VM, all it needs do to is create a new slice of memory and load the VM guest, which in turn loads the wasm workload. This takes about 1-2 milliseconds today, and work is happening to bring that number to be less than 1 millisecond in the future."

And there's also double security due to Wasmtime's software-defined runtime sandbox within Hyperlight's larger VM...
Privacy

Nearly 1.5 Million Private Photos from Five Dating Apps Were Exposed Online (bbc.com) 32

"Researchers have discovered nearly 1.5 million pictures from specialist dating apps — many of which are explicit — being stored online without password protection," reports the BBC, "leaving them vulnerable to hackers and extortionists."

And the images weren't limited to those from profiles, the BBC learned from the ethical hacker who discovered the issue. "They included pictures which had been sent privately in messages, and even some which had been removed by moderators..." Anyone with the link was able to view the private photos from five platforms developed by M.A.D Mobile [including two kink/BDSM sites and two LGBT apps]... These services are used by an estimated 800,000 to 900,000 people.

M.A.D Mobile was first warned about the security flaw on 20th January but didn't take action until the BBC emailed on Friday. They have since fixed it but not said how it happened or why they failed to protect the sensitive images. Ethical hacker Aras Nazarovas from Cybernews first alerted the firm about the security hole after finding the location of the online storage used by the apps by analysing the code that powers the services...

None of the text content of private messages was found to be stored in this way and the images are not labelled with user names or real names, which would make crafting targeted attacks at users more complex.

In an email M.A.D Mobile said it was grateful to the researcher for uncovering the vulnerability in the apps to prevent a data breach from occurring. But there's no guarantee that Mr Nazarovas was the only hacker to have found the image stash.

"Mr Nazarovas and his team decided to raise the alarm on Thursday while the issue was still live as they were concerned the company was not doing anything to fix it..."
Security

New Ubuntu Linux Security Bypasses Require Manual Mitigations (bleepingcomputer.com) 14

An anonymous reader shared this report from BleepingComputer: Three security bypasses have been discovered in Ubuntu Linux's unprivileged user namespace restrictions, which could be enable a local attacker to exploit vulnerabilities in kernel components. The issues allow local unprivileged users to create user namespaces with full administrative capabilities and impact Ubuntu versions 23.10, where unprivileged user namespaces restrictions are enabled, and 24.04 which has them active by default...

Ubuntu added AppArmor-based restrictions in version 23.10 and enabled them by default in 24.04 to limit the risk of namespace misuse. Researchers at cloud security and compliance company Qualys found that these restrictions can be bypassed in three different ways... The researchers note that these bypasses are dangerous when combined with kernel-related vulnerabilities, and they are not enough to obtain complete control of the system... Qualys notified the Ubuntu security team of their findings on January 15 and agreed to a coordinated release. However, the busybox bypass was discovered independently by vulnerability researcher Roddux, who published the details on March 21.

Canonical, the organization behind Ubuntu Linux, has acknowledged Qualys' findings and confirmed to BleepingComputer that they are developing improvements to the AppArmor protections. A spokesperson told us that they are not treating these findings as vulnerabilities per se but as limitations of a defense-in-depth mechanism. Hence, protections will be released according to standard release schedules and not as urgent security fixes.

Canonical shared hardening steps that administrators should consider in a bulletin published on their official "Ubuntu Discourse" discussion forum.
Privacy

Madison Square Garden Bans Fan After Surveillance System IDs Him as Critic of Its CEO (theverge.com) 99

An anonymous reader quotes a report from The Verge: A concert on Monday night at New York's Radio City Music Hall was a special occasion for Frank Miller: his parents' wedding anniversary. He didn't end up seeing the show -- and before he could even get past security, he was informed that he was in fact banned for life from the venue and all other properties owned by Madison Square Garden (MSG). After scanning his ticket and promptly being pulled aside by security, Miller was told by staff that he was barred from the MSG properties for an incident at the Garden in 2021. But Miller says he hasn't been to the venue in nearly two decades.

"They hand me a piece of paper letting me know that I've been added to a ban list," Miller says. "There's a trespass notice if I ever show up on any MSG property ever again," which includes venues like Radio City, the Beacon Theatre, the Sphere, and the Chicago Theatre. He was baffled at first. Then it dawned on him: this was probably about a T-shirt he designed years ago. MSG Entertainment won't say what happened with Miller or how he was picked out of the crowd, but he suspects he was identified via controversial facial recognition systems that the company deploys at its venues.

In 2017, 1990s New York Knicks star Charles Oakley was forcibly removed from his seat near Knicks owner and Madison Square Garden CEO James Dolan. The high-profile incident later spiraled into an ongoing legal battle. For Miller, Oakley was an "integral" part of the '90s Knicks, he says. With his background in graphic design, he made a shirt in the style of the old team logo that read, "Ban Dolan" -- a reference to the infamous scuffle. A few years later, in 2021, a friend of Miller's wore a Ban Dolan shirt to a Knicks game and was kicked out and banned from future events. That incident spawned ESPN segments and news articles and validated what many fans saw as a pettiness on Dolan and MSG's part for going after individual fans who criticized team ownership.
"Frank Miller Jr. made threats against an MSG executive on social media and produced and sold merchandise that was offensive in nature," Mikyl Cordova, executive vice president of communications and marketing for the company, said in an emailed statement. "His behavior was disrespectful and disruptive and in violation of our code of conduct."

Miller responded to the ban, saying: "I just found it comical, until I was told that my mom was crying [in the lobby]. I was like, 'Oh man, I ruined their anniversary with my shit talk on the internet. Memes are powerful, and so is the surveillance state. It's something that we all have to be aware of -- the panopticon. We're [being] surveilled at all times, and it's always framed as a safety thing, when rarely is that the case. It's more of a deterrent and a fear tactic to try to keep people in line."
Programming

DOGE To Rewrite SSA Codebase In 'Months' (wired.com) 338

Longtime Slashdot reader frank_adrian314159 writes: According to an article in Wired, Elon Musk has appointed a team of technologists from DOGE to "rewrite the code that runs the SSA in months." This codebase has over 60 million lines of COBOL and handles record keeping for all American workers and payments for all Social Security recipients. Given that the code has to track the byzantine regulations dealing with Social Security, it's no wonder that the codebase is this large. What is in question though is whether a small team can rewrite this code "in months." After all, what could possibly go wrong? "The project is being organized by Elon Musk lieutenant Steve Davis ... and aims to migrate all SSA systems off COBOL ... and onto a more modern replacement like Java within a scheduled tight timeframe of a few months," notes Wired.

"Under any circumstances, a migration of this size and scale would be a massive undertaking, experts tell WIRED, but the expedited deadline runs the risk of obstructing payments to the more than 65 million people in the US currently receiving Social Security benefits."

In 2017, SSA announced a plan to modernize its core systems with a timeline of around five years. However, the work was "pivoted away" because of the pandemic.
Oracle

Oracle Health Breach Compromises Patient Data At US Hospitals 5

A breach of legacy Cerner servers at Oracle Health exposed patient data from multiple U.S. hospitals and healthcare organizations, with threat actors using compromised customer credentials to steal the data before it had been migrated to Oracle Cloud. Despite confirming the breach privately, Oracle Health has yet to publicly acknowledge the incident. BleepingComputer reports: Oracle Health, formerly known as Cerner, is a healthcare software-as-a-service (SaaS) company offering Electronic Health Records (EHR) and business operations systems to hospitals and healthcare organizations. After being acquired by Oracle in 2022, Cerner was merged into Oracle Health, with its systems migrated to Oracle Cloud. In a notice sent to impacted customers and seen by BleepingComputer, Oracle Health said it became aware of a breach of legacy Cerner data migration servers on February 20, 2025.

"We are writing to inform you that, on or around February 20, 2025, we became aware of a cybersecurity event involving unauthorized access to some amount of your Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud," reads a notification sent to impacted Oracle Health customers. Oracle says that the threat actor used compromised customer credentials to breach the servers sometime after January 22, 2025, and copied data to a remote server. This stolen data "may" have included patient information from electronic health records. However, multiple sources told BleepingComputer that it was confirmed that patient data was stolen during the attack.

Oracle Health is also telling hospitals that they will not notify patients directly and that it is their responsibility to determine if the stolen data violates HIPAA laws and whether they are required to send notifications. However, the company says they will help identify impacted individuals and provide templates to help with notifications.
Privacy

Again and Again, NSO Group's Customers Keep Getting Their Spyware Operations Caught (techcrunch.com) 8

An anonymous reader shares a report: Amnesty International published a new report this week detailing attempted hacks against two Serbian journalists, allegedly carried out with NSO Group's spyware Pegasus. The two journalists, who work for the Serbia-based Balkan Investigative Reporting Network (BIRN), received suspicious text messages including a link -- basically a phishing attack, according to the nonprofit. In one case, Amnesty said its researchers were able to click on the link in a safe environment and see that it led to a domain that they had previously identified as belonging to NSO Group's infrastructure.

"Amnesty International has spent years tracking NSO Group Pegasus spyware and how it has been used to target activists and journalists," Donncha O Cearbhaill, the head of Amnesty's Security Lab, told TechCrunch. "This technical research has allowed Amnesty to identify malicious websites used to deliver the Pegasus spyware, including the specific Pegasus domain used in this campaign."

To his point, security researchers like O Cearbhaill who have been keeping tabs on NSO's activities for years are now so good at spotting signs of the company's spyware that sometimes all researchers have to do is quickly look at a domain involved in an attack. In other words, NSO Group and its customers are losing their battle to stay in the shadows. "NSO has a basic problem: They are not as good at hiding as their customers think," John Scott-Railton, a senior researcher at The Citizen Lab, a human rights organization that has investigated spyware abuses since 2012, told TechCrunch.

Privacy

Oracle Customers Confirm Data Stolen In Alleged Cloud Breach Is Valid (bleepingcomputer.com) 20

An anonymous reader quotes a report from BleepingComputer: Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid. Last week, a person named 'rose87168' claimed to have breached Oracle Cloud servers and began selling the alleged authentication data and encrypted passwords of 6 million users. The threat actor also said that stolen SSO and LDAP passwords could be decrypted using the info in the stolen files and offered to share some of the data with anyone who could help recover them.

The threat actor released multiple text files consisting of a database, LDAP data, and a list of 140,621 domains for companies and government agencies that were allegedly impacted by the breach. It should be noted that some of the company domains look like tests, and there are multiple domains per company. In addition to the data, rose87168 shared an Archive.org URL with BleepingComputer for a text file hosted on the "login.us2.oraclecloud.com" server that contained their email address. This file indicates that the threat actor could create files on Oracle's server, indicating an actual breach. However, Oracle has denied that it suffered a breach of Oracle Cloud and has refused to respond to any further questions about the incident.

"There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data," the company told BleepingComputer last Friday. This denial, however, contradicts findings from BleepingComputer, which received additional samples of the leaked data from the threat actor and contacted the associated companies. Representatives from these companies, all who agreed to confirm the data under the promise of anonymity, confirmed the authenticity of the information. The companies stated that the associated LDAP display names, email addresses, given names, and other identifying information were all correct and belonged to them. The threat actor also shared emails with BleepingComputer, claiming to be part of an exchange between them and Oracle.

Space

Space Force Certifies Vulcan For National Security Launches (spacenews.com) 49

The U.S. Space Force has certified United Launch Alliance's Vulcan Centaur rocket for national security missions after successful test flights and resolution of a booster nozzle issue. This certification allows ULA to join SpaceX in conducting launches under the National Security Space Launch program, with Vulcan missions expected to begin this summer. SpaceNews reports: "Thank you to all our customer partners who have worked hand-in-hand with us throughout this comprehensive certification process. We are grateful for the collaboration and excited to reach this critical milestone in Vulcan development," said Tory Bruno, president and chief executive of United Launch Alliance in a ULA statement about the vehicle's certification.

Bruno said at the roundtable that the next launch by ULA will be of its Atlas 5, carrying a set of Project Kuiper broadband satellites for Amazon. That launch is expected as soon as next month. He said then that would be followed by the first two Vulcan national security launches, missions designated USSF-106 and USSF-87. ULA did not give a schedule for those upcoming Vulcan launches but Space Systems Command, in a summary accompanying its press release, said the first NSSL mission on Vulcan is planned for the summer. Bruno said at the roundtable that the payloads for those missions have "complex processing" requirements beyond a typical mission, and did not state how long it would take them to be ready for a launch.

Bruno said ULA is projecting a dozen launches this year, split roughly evenly between Atlas and Vulcan and between national security and commercial missions. ULA has been stockpiling components, such as BE-4 engines and solid rocket boosters, needed for those missions. "We're all staged up and ready, and as spacecraft show up, we'll be able to fly them," he said. He noted the company wants to get to a "baseline tempo" of two launches a month by the end of this year and perform 20 launches next year.

Math

JPMorgan Says Quantum Experiment Generated Truly Random Numbers (financialpost.com) 111

JPMorgan Chase used a quantum computer from Honeywell's Quantinuum to generate and mathematically certify truly random numbers -- an advancement that could significantly enhance encryption, security, and financial applications. The breakthrough was validated with help from U.S. national laboratories and has been published in the journal Nature. From a report: Between May 2023 and May 2024, cryptographers at JPMorgan wrote an algorithm for a quantum computer to generate random numbers, which they ran on Quantinuum's machine. The US Department of Energy's supercomputers were then used to test whether the output was truly random. "It's a breakthrough result," project lead and Head of Global Technology Applied Research at JPMorgan, Marco Pistoia told Bloomberg in an interview. "The next step will be to understand where we can apply it."

Applications could ultimately include more energy-efficient cryptocurrency, online gambling, and any other activity hinging on complete randomness, such as deciding which precincts to audit in elections.

China

US Expands Export Blacklist To Keep Computing Tech Out of China (theverge.com) 30

The U.S. has added 80 entities to its export blacklist to prevent China from acquiring advanced American chips for military development, including AI, quantum tech, and hypersonic weapons. The Verge reports: More than 50 of the new entities added to the list are based in China, with others located in Iran, Taiwan, Pakistan, South Africa, and the United Arab Emirates. BIS says the restrictions have been applied to entities that acted "contrary to US national security and foreign policy," and are intended to hinder China's ability to develop high-performance computing capabilities, quantum technologies, advanced artificial intelligence, and hypersonic weapons.

Six of the newly blacklisted entities are subsidiaries of Inspur Group -- China's leading cloud computing service provider and a major customer for US chip makers such as Nvidia, AMD, and Intel -- which BIS alleges had contributed to projects developing supercomputers for the Chinese military. The Beijing Academy of Artificial Intelligence is another addition to the list, which has criticized its inclusion.
"American technology should never be used against the American people," said Jeffrey Kessler, Under Secretary of Commerce for Industry and Security. "BIS is sending a clear, resounding message that the Trump administration will work tirelessly to safeguard our national security by preventing U.S. technologies and goods from being misused for high performance computing, hypersonic missiles, military aircraft training, and UAVs that threaten our national security."
Microsoft

Microsoft's Many Outlooks Are Confusing Users 64

The Register's Richard Speed reports: Baffled by the plethora of Outlook options out there? You aren't alone. Microsoft veteran Scott Hanselman posted a list of some more variants that could be used to do the same thing. It's a problem common to several Microsoft products. A file needs to be opened, but which app should be used? Should it be Outlook New, or Outlook (New)? With tongue firmly in cheek, Hanselman listed some more options: Outlook (Zero Sugar), Outlook (Caffeine Free), and so on. Hanselman, Developer Community veep at Microsoft, also included Outlook '95, although to our mind the peak came with the version of Outlook in Office 97. A happier, more trusting time when security was less important.

While users can create multiple Outlook profiles to store email account details and data locations, Hanselman's post on Bluesky highlights an issue facing many users of Microsoft's software: which incarnation of the application to use. Teams users often find themselves presented with a variety of applications -- Microsoft Teams and Microsoft Teams (Personal), for example, can often appear side by side in the system tray. [...]

There is a cautionary tale about what happened when a soft drinks company tried to replace a well-liked product with a "new" version and renamed the previous preferred version as "classic." The list posted by Hanselman -- who is also notable for tips on managing Microsoft's personal information manager -- is amusing, but also highlights the perils of having multiple, similarly functioning options to do the same thing, and the potential for confusing users.
Privacy

Signal Head Defends Messaging App's Security After US War Plan Leak (yahoo.com) 161

The president of Signal defended the messaging app's security on Wednesday after top Trump administration officials mistakenly included a journalist in an encrypted chatroom they used to discuss looming U.S. military action against Yemen's Houthis. For a report: Signal's Meredith Whittaker did not directly address the blunder, which Democratic lawmakers have said was a breach of U.S. national security. But she described the app as the "gold standard in private comms" in a post on X, which outlined Signal's security advantages over Meta's WhatsApp messaging app. "We're open source, nonprofit, and we develop and apply (end-to-end encryption) and privacy-preserving tech across our system to protect metadata and message contents," she said.
AI

Microsoft Announces Security AI Agents To Help Overwhelmed Humans 23

Microsoft is expanding its Security Copilot platform with six new AI agents designed to autonomously assist cybersecurity teams by handling tasks like phishing alerts, data loss incidents, and vulnerability monitoring. There are also five third-party AI agents created by its partners, including OneTrust and Tanium. The Verge reports: Microsoft's six security agents will be available in preview next month, and are designed to do things like triage and process phishing and data loss alerts, prioritize critical incidents, and monitor for vulnerabilities. "The six Microsoft Security Copilot agents enable teams to autonomously handle high-volume security and IT tasks while seamlessly integrating with Microsoft Security solutions," says Vasu Jakkal, corporate vice president of Microsoft Security.

Microsoft is also working with OneTrust, Aviatrix, BlueVoyant, Tanium, and Fletch to enable some third-party security agents. These extensions will make it easier to analyze data breaches with OneTrust or perform root cause analysis of network outages and failures with Aviatrix. [...] While these latest AI agents in the Security Copilot are designed for security teams to take advantage of, Microsoft is also improving its phishing protection in Microsoft Teams. Microsoft Defender for Office 365 will start protecting Teams users against phishing and other cyberthreats within Teams next month, including better protection against malicious URLs and attachments.

Slashdot Top Deals