Privacy

The Data Breach That Hit Two-Thirds of a Country (ft.com) 4

Online retailer Coupang, often called South Korea's Amazon, is dealing with the fallout from a breach that exposed the personal information of more than 33 million accounts -- roughly two-thirds of the country's population -- after a former contractor allegedly used credentials that remained active months after his departure to access customer data through the company's overseas servers.

The breach began in June but went undetected until November 18, according to Coupang and investigators. Police have called it South Korea's worst-ever data breach. The compromised information includes names, phone numbers, email addresses and shipping addresses, though the company says login credentials, credit card numbers, and payment details were not affected.

Coupang's former CEO Park Dae-jun told a parliamentary hearing that the alleged perpetrator was a Chinese national who had worked on authentication tasks before his contract ended last December. Chief information security officer Brett Matthes testified that the individual had a "privileged role" giving him access to a private encryption key that allowed him to forge tokens to impersonate customers. Legislators say the key remained active after the employee left. The CEO of Coupang's South Korean subsidiary has resigned. Founder and chair Bom Kim has yet to personally apologize but has been summoned to a second parliamentary hearing.
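The failure described above is a signing key that stayed valid after its holder left. As an added example (not Coupang's code), here is the control that closes that gap: every token carries a key id, the verifier consults a key ring, and revoking a key id fails every token minted under it, however well-formed its signature. The token layout is a simplified JWT-style format (header.payload.signature, base64url, HMAC-SHA256); the key ids, secrets and claims are constructed.

```python
"""Session tokens signed under a key ring with revocation.
Added example; the key ids, secrets and claims are constructed and the token
format is a simplified JWT-style layout, not any vendor's real scheme."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRing:
    """Signing keys indexed by key id (kid). Revoking a kid invalidates every
    token ever minted with it, which is the property a departed contractor's
    key must have."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._revoked: Set[str] = set()

    def add(self, kid: str, secret: bytes) -> None:
        self._keys[kid] = secret

    def revoke(self, kid: str) -> None:
        self._revoked.add(kid)

    def active_kids(self) -> Set[str]:
        return set(self._keys) - self._revoked

    def sign(self, kid: str, claims: dict) -> str:
        if kid not in self._keys or kid in self._revoked:
            raise ValueError(f"kid {kid!r} is not active")
        header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
        payload = _b64(json.dumps(claims).encode())
        mac = hmac.new(self._keys[kid], f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64(mac)}"

    def verify(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the claims if the token is well-formed, authentic, unexpired and
        signed with a key that is still active; otherwise None."""
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
            header = json.loads(_unb64(header_b64))
            sig = _unb64(sig_b64)
        except ValueError:
            return None
        kid = header.get("kid")
        # A revoked or unknown key fails closed: a correct MAC under it is worthless.
        if kid not in self._keys or kid in self._revoked:
            return None
        expected = hmac.new(self._keys[kid], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None
        claims = json.loads(_unb64(payload_b64))
        now = time.time() if now is None else now
        if claims.get("exp", 0) <= now:
            return None
        return claims


if __name__ == "__main__":
    ring = KeyRing()
    ring.add("contractor-2024", b"constructed-secret-1")
    token = ring.sign("contractor-2024", {"sub": "user-42", "exp": time.time() + 3600})
    print("before revocation:", ring.verify(token))
    ring.revoke("contractor-2024")          # part of offboarding, not an afterthought
    print("after revocation:", ring.verify(token))
```

Revocation belongs in the offboarding checklist alongside account removal, and the verifier should log every rejection with its kid: a run of tokens presented under a revoked key is a direct detection signal for the scenario in the story.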
Your Rights Online

Berlin Approves New Expansion of Police Surveillance Powers (reclaimthenet.org) 62

Berlin's regional parliament has passed a far-reaching overhaul of its "security" law, giving police new authority to conduct both digital and physical surveillance. From a report: The CDU-SPD coalition, supported by AfD votes, approved the reform of the General Security and Public Order Act (ASOG), changing the limits that once protected Berliners from intrusive policing. Interior Senator Iris Spranger (SPD) argued that the legislation modernizes police work for an era of encrypted communication, terrorism, and cybercrime. But it undermines core civil liberties and reshapes the relationship between citizens and the state.

One of the most controversial elements is the expansion of police powers under paragraphs 26a and 26b. These allow investigators to hack into computers and smartphones under the banner of "source telecommunications surveillance" and "online searches." Police may now install state-developed spyware, known as trojans, on personal devices to intercept messages before or after encryption.

If the software cannot be deployed remotely, the law authorizes officers to secretly enter a person's home to gain access. This enables police to install surveillance programs directly on hardware without the occupant's knowledge. Berlin had previously resisted such practices, but now joins other federal states that permit physical entry to install digital monitoring tools.

United States

'Apple Tax is Dead in the USA' (arstechnica.com) 100

The Ninth Circuit Court of Appeals has almost entirely upheld a scathing April ruling that found Apple in willful violation of a 2021 injunction meant to open up iOS App Store payments in its long-running legal battle against Epic Games. A three-judge panel affirmed that Apple's 27% fee for developers using outside payment options had a "prohibitive effect" and that the company's design restrictions on external payment links were overly broad.

The appeals court also agreed that Apple acted in "bad faith" by rejecting viable, compliant alternatives in internal discussions. One divergence from the lower court: the appeals court ruled that Apple should still be able to charge a "reasonable fee" based on its actual costs to ensure user security and privacy, rather than charging nothing at all. What qualifies as "reasonable" remains to be determined.

Epic CEO Tim Sweeney told reporters he believes those fees should be "super super minor," on the order of "tens or hundreds of dollars" every time an iOS app update goes through Apple for review. "The Apple Tax is dead in the USA," he wrote on social media. Sweeney also alleged that a widespread "fear of retaliation" has kept many developers paying Apple's default 30% fees, claiming the company can effectively "ghost" apps by delaying reviews or burying them in search results.
Science

Cadmium Zinc Telluride: The Wonder Material Powering a Medical 'Revolution' (bbc.com) 29

Cadmium zinc telluride (CZT), a hard-to-manufacture semiconductor produced by only a handful of companies, is enabling a quiet revolution in medical imaging, science, and security by delivering faster scans, lower radiation doses, and far more precise X-ray and gamma-ray detection. "You get beautiful pictures from this scanner," says Dr Kshama Wechalekar, head of nuclear medicine and PET. "It's an amazing feat of engineering and physics." The BBC reports: Kromek is one of just a few firms in the world that can make CZT. You may never have heard of the stuff but, in Dr Wechalekar's words, it is enabling a "revolution" in medical imaging. This wonder material has many other uses, such as in X-ray telescopes, radiation detectors and airport security scanners. And it is increasingly sought-after. Investigations of patients' lungs performed by Dr Wechalekar and her colleagues involve looking for the presence of many tiny blood clots in people with long Covid, or a larger clot known as a pulmonary embolism, for example.

The 1-million-pound scanner works by detecting gamma rays emitted by a radioactive substance that is injected into patients' bodies. But the scanner's sensitivity means less of this substance is needed than before: "We can reduce doses about 30%," says Dr Wechalekar. While CZT-based scanners are not new in general, large, whole-body scanners such as this one are a relatively recent innovation. CZT itself has been around for decades but it is notoriously difficult to manufacture. "It has taken a long time for it to develop into an industrial-scale production process," says Arnab Basu, founding chief executive of Kromek.

[...] The newly formed CZT, a semiconductor, can detect tiny photon particles in X-rays and gamma rays with incredible precision -- like a highly specialized version of the light-sensing, silicon-based image sensor in your smartphone camera. Whenever a high energy photon strikes the CZT, it mobilizes an electron and this electrical signal can be used to make an image. Earlier scanner technology used a two-step process, which was not as precise. "It's digital," says Dr Basu. "It's a single conversion step. It retains all the important information such as timing, the energy of the X-ray that is hitting the CZT detector -- you can create color, or spectroscopic images."

Privacy

Over 10,000 Docker Hub Images Found Leaking Credentials, Auth Keys (bleepingcomputer.com) 18

joshuark shares a report from BleepingComputer: More than 10,000 Docker Hub container images expose data that should be protected, including live credentials to production systems, CI/CD databases, or LLM model keys. After scanning container images uploaded to Docker Hub in November, security researchers at threat intelligence company Flare found that 10,456 of them exposed one or more keys. The most frequent secrets were access tokens for various AI models (OpenAI, HuggingFace, Anthropic, Gemini, Groq). In total, the researchers found 4,000 such keys. "These multi-secret exposures represent critical risks, as they often provide full access to cloud environments, Git repositories, CI/CD systems, payment integrations, and other core infrastructure components," Flare notes. [...]

Additionally, they found API tokens for AI services hardcoded in Python application files, config.json files and YAML configs, along with GitHub tokens and credentials for multiple internal environments. Some of the sensitive data was present in the manifest of Docker images, a file that provides details about the image. Flare notes that roughly 25% of developers who accidentally exposed secrets on Docker Hub realized the mistake and removed the leaked secret from the container or manifest file within 48 hours. However, in 75% of these cases, the leaked key was not revoked, meaning that anyone who stole it during the exposure period could still use it later to mount attacks.

Flare suggests that developers avoid storing secrets in container images, stop using static, long-lived credentials, and centralize their secrets management using a dedicated vault or secrets manager. Organizations should implement active scanning across the entire software development life cycle and revoke exposed secrets and invalidate old sessions immediately.
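As an added example (not Flare's tooling or anything from the BleepingComputer report), here is a small scanner in the spirit of the "active scanning" the story recommends: it walks the files of a container image plus the `Env` list from the image config, matches a few credential families with simplified, illustrative patterns, applies a generic high-entropy rule for assignments to secret-looking names, redacts every hit, and flags the "multi-secret exposure" case the report calls out. All file contents and key values below are constructed (the AWS key is Amazon's documented placeholder); the pattern list, thresholds and function names are assumptions of this example.

```python
"""Scan container image contents and image config for leaked credentials.
Added example; every file, key and pattern here is constructed or simplified."""
import json
import math
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Simplified, constructed patterns for a few credential families the report names.
# Real token formats vary; treat these as illustrative, not authoritative.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "openai_style_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "huggingface_token": re.compile(r"\bhf_[A-Za-z0-9]{30,}\b"),
}
# Generic rule: an assignment to a secret-looking name with a long value. The
# entropy threshold filters placeholders such as "changeme".
ASSIGNMENT = re.compile(
    r"""(?i)(api[_-]?key|secret|token|password)["']?\s*[:=]\s*["']?([A-Za-z0-9_\-]{16,})"""
)
MIN_ENTROPY = 3.0  # bits per character, a constructed cut-off


@dataclass(frozen=True)
class Finding:
    location: str   # file path inside the image, or "config.Env"
    kind: str
    redacted: str   # first 4 and last 2 characters only; never log the full value


def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:]


def scan_text(location: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    seen = set()
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            seen.add(m.group(0))
            findings.append(Finding(location, kind, redact(m.group(0))))
    for m in ASSIGNMENT.finditer(text):
        value = m.group(2)
        if value in seen or shannon_entropy(value) < MIN_ENTROPY:
            continue  # already reported by a specific rule, or a low-entropy placeholder
        findings.append(Finding(location, "generic_" + m.group(1).lower(), redact(value)))
    return findings


def scan_image(files: Dict[str, str], config_json: str) -> List[Finding]:
    """`files` maps paths to contents extracted from the image layers; `config_json`
    is the image config (what `docker inspect` shows), whose Env list carries ENV
    values baked in by the Dockerfile."""
    findings: List[Finding] = []
    for path, content in files.items():
        findings.extend(scan_text(path, content))
    env = json.loads(config_json).get("config", {}).get("Env", [])
    findings.extend(scan_text("config.Env", "\n".join(env)))
    return findings


def is_multi_secret_exposure(findings: List[Finding]) -> bool:
    """More than one credential family in a single image: the case Flare rates critical."""
    return len({f.kind for f in findings}) > 1


# Constructed image contents. Every credential below is fake; the AWS key is
# Amazon's documented example value.
IMAGE_FILES = {
    "app/settings.py": 'OPENAI_API_KEY = "sk-CONSTRUCTEDexample0123456789abcdefXYZ"\nDEBUG = False\n',
    "app/config.json": '{"db": {"host": "db.internal", "password": "Q7v9mK2pL4xR8nT1wZ3y"}}',
    "ci/deploy.yaml": "env:\n  GITHUB_TOKEN: ghp_CONSTRUCTEDexampleTOKEN0123456789abc\n",
    "README.md": "Set OPENAI_API_KEY to your own key before running.\n",
}
IMAGE_CONFIG = json.dumps({"config": {
    "Env": ["PATH=/usr/bin", "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"],
    "Labels": {"maintainer": "constructed"},
}})

if __name__ == "__main__":
    hits = scan_image(IMAGE_FILES, IMAGE_CONFIG)
    for f in hits:
        print(f"{f.location}: {f.kind} {f.redacted}")
    print("multi-secret exposure:", is_multi_secret_exposure(hits))
```

In practice the `files` mapping comes from extracting each layer tarball, and the config from `docker inspect`; scanning both matters because the story notes secrets in the manifest as well as in application files. A hit should trigger revocation of the credential, not just a rebuilt image: deleting the value from the next push leaves the old layer, and the key, usable by anyone who pulled it during the exposure window.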

Security

AI Hackers Are Coming Dangerously Close to Beating Humans (msn.com) 30

Stanford researchers spent much of the past year building an AI bot called Artemis that scans networks for software vulnerabilities, and when they pitted it against ten professional penetration testers on the university's own engineering network, the bot outperformed nine of them. The experiment offers a window into how rapidly AI hacking tools have improved after years of underwhelming performance.

"We thought it would probably be below average," said Justin Lin, a Stanford cybersecurity researcher. Artemis found bugs at a fraction of human cost -- just under $60 per hour compared to the $2,000 to $2,500 per day that professional pen testers typically charge. But its performance wasn't flawless. About 18% of its bug reports were false positives, and it completely missed an obvious vulnerability on a webpage that most human testers caught. In one case, Artemis found a bug on an outdated page that didn't render in standard browsers; it used a command-line tool called Curl instead of Chrome or Firefox.

Dan Boneh, a Stanford computer science professor who advised the researchers, noted that vast amounts of software shipped without being vetted by LLMs could now be at risk. "We're in this moment of time where many actors can increase their productivity to find bugs at an extreme scale," said Jacob Klein, head of threat intelligence at Anthropic.
United States

US Could Ask Foreign Tourists For Five-Year Social Media History Before Entry (bbc.com) 270

Tourists from dozens of countries including the UK could be asked to provide a five-year social media history as a condition of entry to the United States, under a new proposal unveiled by American officials. From a report: The new condition would affect people from dozens of countries who are eligible to visit the US for 90 days without a visa, as long as they have filled out an Electronic System for Travel Authorization (ESTA) form. Since returning to the White House in January, President Donald Trump has moved to toughen US borders more generally - citing national security as a reason.

Analysts say the new plan could pose an obstacle to potential visitors, or harm their digital rights. Asked whether the proposal could lead to a steep drop-off in tourism to the US, Trump said he was not concerned. "No. We're doing so well," the president said on Wednesday. "We just want people to come over here, and safe. We want safety. We want security. We want to make sure we're not letting the wrong people come enter our country."

Security

New OpenAI Models Likely Pose 'High' Cybersecurity Risk, Company Says (axios.com) 32

An anonymous reader quotes a report from Axios: OpenAI says the cyber capabilities of its frontier AI models are accelerating and warns Wednesday that upcoming models are likely to pose a "high" risk, according to a report shared first with Axios. The models' growing capabilities could significantly expand the number of people able to carry out cyberattacks. OpenAI said it has already seen a significant increase in capabilities in recent releases, particularly as models are able to operate longer autonomously, paving the way for brute force attacks.

The company notes that while GPT-5 scored 27% on a capture-the-flag exercise in August, GPT-5.1-Codex-Max scored 76% last month. "We expect that upcoming AI models will continue on this trajectory," the company says in the report. "In preparation, we are planning and evaluating as though each new model could reach 'high' levels of cybersecurity capability as measured by our Preparedness Framework." "High" is the second-highest level, below the "critical" level at which models are unsafe to be released publicly.

"What I would explicitly call out as the forcing function for this is the model's ability to work for extended periods of time," said OpenAI's Fouad Matin.

AMD

Ubuntu Will Have Native AMD ROCm AI/ML and HPC Libraries In Next LTS Release (canonical.com) 6

Longtime Slashdot reader MadCow42 writes: Canonical just announced that they're packaging AMD's ROCm libraries (for AI/ML and HPC with both data-center GPUs as well as desktop/laptop GPUs) directly into the Ubuntu Universe archive. You can run ROCm on Ubuntu today, but you have to install it via a script from AMD and manually remove and reinstall for any upgrades or bug fixes. Having it in Ubuntu as a normal Debian package will make it much easier to install and also to maintain in the long run via normal apt tooling ('apt upgrade'). This also means that ROCm can be an automatically-installed dependency for other packages, which doesn't happen today.

And, interestingly, Canonical has committed to providing long-term-support for ROCm in Ubuntu -- which is particularly exciting for edge and IoT devices that may have a long life in the field and need regular security patches and updates.

Democrats

Democrats Warn Their Party May Try To Unravel Any Paramount-Warner Bros. Discovery Deal (semafor.com) 206

As the battle over Warner Bros. Discovery grows, two Democratic lawmakers are warning that their party may try to block or unravel any acquisition by Paramount when it returns to power. Semafor: In a letter to the WBD board and Treasury Secretary Scott Bessent first shared with Semafor, Reps. Sam Liccardo (D-Calif.) and Ayanna Pressley (D-Mass.) said they were concerned about the national security risk of letting foreign entities control a large portion of the US entertainment and media industry.

They also hinted that a future Democratic Congress and administration could try to unravel any Paramount-WBD deal. "Future Congresses ... will review many of the decisions of the current Administration, and may recommend that regulators push for divestitures, which would undermine the strategic logic of this merger," they wrote. "We urge the Board to weigh these national security and regulatory liabilities in evaluating a transaction burdened by uncertain but potentially extensive mitigation obligations, foreign influence risks, or adverse regulatory action."

Earth

'Food and Fossil Fuel Production Causing $5 Billion of Environmental Damage an Hour' 121

An anonymous reader quotes a report from the Guardian: The unsustainable production of food and fossil fuels causes $5 billion of environmental damage per hour, according to a major UN report. Ending this harm was a key part of the global transformation of governance, economics and finance required "before collapse becomes inevitable," the experts said. The Global Environment Outlook (GEO) report, which is produced by 200 researchers for the UN Environment Program, said the climate crisis, destruction of nature and pollution could no longer be seen as simply environmental crises. "They are all undermining our economy, food security, water security, human health and they are also [national] security issues, leading to conflict in many parts of the world," said Prof Robert Watson, the co-chair of the assessment. [...]

The GEO report is comprehensive -- 1,100 pages this year -- and is usually accompanied by a summary for policymakers, which is agreed by all the world's countries. However, strong objections by countries including Saudi Arabia, Iran, Russia, Turkey and Argentina to references to fossil fuels, plastics, reduced meat in diets and other issues meant no agreement was reached this time. [...] The GEO report emphasized that the costs of action were much less than the costs of inaction in the long term, and estimated the benefits from climate action alone would be worth $20 trillion a year by 2070 and $100 trillion by 2100. "We need visionary countries and private sector [companies] to recognize they will make more profit by addressing these issues rather than ignoring them," Watson said. [...]

One of the biggest issues was the $45 trillion a year in environmental damage caused by the burning of coal, oil and gas, and the pollution and destruction of nature caused by industrial agriculture, the report said. The food system carried the largest costs, at $20 trillion, with transport at $13 trillion and fossil-fuel powered electricity at $12 trillion. These costs -- called externalities by economists -- must be priced into energy and food to reflect their real price and shift consumers towards greener choices, Watson said: "So we need social safety nets. We need to make sure that the poorest in society are not harmed by an increase in costs." The report suggests measures such as a universal basic income, taxes on meat and subsidies for healthy, plant-based foods.

There were also about $1.5 trillion in environmentally harmful subsidies to fossil fuels, food and mining, the report said. These needed to be removed or repurposed, it added. Watson noted that wind and solar energy was cheaper in many places but held back by vested interests in fossil fuel. The climate crisis may be even worse than thought, he said: "We are likely to be underestimating the magnitude of climate change," with global heating probably at the high end of the projections made by the Intergovernmental Panel on Climate Change. Removing fossil fuel subsidies could cut emissions by a third, the report said.
Network

Ask Slashdot: What Are the Best Locally-Hosted Wireless Security Cameras? 147

Longtime Slashdot reader Randseed writes: With the likes of Google Nest, Ring, and others cooperating with law enforcement, I started to look for affordable wireless IP security cameras that I can put around my house. Unfortunately, it looks like almost everything now incorporates some kind of cloud-based slop. All I really want is to put up some cameras, hook them up to my LAN, and install something like ZoneMinder. What are the most economical wireless IP security cameras that I can set up with my server?
Microsoft

Microsoft 365 Prices Rising For Businesses and Governments in July 2026 (reuters.com) 27

Microsoft has announced that it will raise prices on its Microsoft 365 productivity suites for businesses and government clients starting in July 2026, marking the first commercial price increase since 2022. Small business and frontline worker plans face the steepest hikes: Business Basic jumps 16.7% to $7 per user per month, while frontline worker subscriptions surge up to 33%. Enterprise plans see more modest bumps, ranging from 5.3% for E5 to 8.3% for E3. Microsoft attributed the increases to more than 1,100 new features added to the suite, including AI-driven tools and security enhancements. Copilot remains a separate $30-per-month add-on.
Crime

193 Cybercrims Arrested, Accused of Plotting 'Violence-As-a-Service' 19

Europol's GRIMM taskforce has arrested nearly 200 people accused of running or participating in "violence-as-a-service" schemes where cybercrime groups recruit youth online for real-world attacks. "These individuals are groomed or coerced into committing a range of violent crimes, from acts of intimidation and torture to murder," the European police said on Monday. The Register reports: GRIMM began in April, and includes investigators from Belgium, Denmark, Finland, France, Germany, Iceland, the Netherlands, Norway, Spain, Sweden, the UK, plus Europol experts and online service providers. During its first six months, police involved in this operation arrested 63 people directly involved in carrying out or planning violent crimes, 40 "enablers" accused of facilitating violence-for-hire services, 84 recruiters, and six "instigators," five of whom the cops labeled "high-value targets." [...]

Many of the criminals involved in recruiting and carrying out these violence-for-hire services are also members of The Com. This is a loosely knit gang, primarily English speakers, involved in several interconnected networks of hackers, SIM swappers, and extortionists. Their reach has spread across the Atlantic, and over the summer, the FBI warned that a subset of this cybercrime group, called In Real Life (IRL) Com, poses a growing threat to youth. The FBI's security bulletin specifically called out IRL Com subgroups that offer swat-for-hire services, in which hoaxers falsely report shootings at someone's residence or call in bomb threats to trigger massive armed police responses at the victims' homes.
China

Nvidia Can Sell H200 Chips To China For 25% US Cut (axios.com) 95

The Trump administration will allow Nvidia to resume selling H200 chips to China, but only if the U.S. government takes a 25% cut. Axios reports: Trump said on Truth Social that he'll allow Nvidia to sell H200 chips -- the generation of chips before its current, more-advanced Blackwell lineup -- to China, with the U.S. government pocketing a quarter of the revenue. He said he would apply "the same approach to AMD, Intel, and other GREAT American Companies."

American defense hawks fear that China could use Nvidia chips to advance its military ambitions. Trump said Monday that the sales will be subject to "conditions that allow for continued strong National Security." The blockade remains in place for Nvidia's current generation of Blackwell chips, which will be replaced in the second half of 2026 by even more advanced Rubin chips. Huang said recently he was unsure if China would want the older chips.
"We applaud President Trump's decision to allow America's chip industry to compete to support high paying jobs and manufacturing in America," Nvidia said in a statement. "Offering H200 to approved commercial customers, vetted by the Department of Commerce, strikes a thoughtful balance that is great for America."
United States

More Than 200 Environmental Groups Demand Halt To New US Datacenters (theguardian.com) 123

An anonymous reader quotes a report from the Guardian: A coalition of more than 230 environmental groups has demanded a national moratorium on new datacenters in the U.S., the latest salvo in a growing backlash to a booming artificial intelligence industry that has been blamed for escalating electricity bills and worsening the climate crisis. The green groups, including Greenpeace, Friends of the Earth, Food & Water Watch and dozens of local organizations, have urged members of Congress to halt the proliferation of energy-hungry datacenters, accusing them of causing planet-heating emissions, sucking up vast amounts of water and exacerbating electricity bill increases that have hit Americans this year.

"The rapid, largely unregulated rise of datacenters to fuel the AI and crypto frenzy is disrupting communities across the country and threatening Americans' economic, environmental, climate and water security," the letter states, adding that approval of new data centers should be paused until new regulations are put in place. The push comes amid a growing revolt against moves by companies such as Meta, Google and Open AI to plow hundreds of billions of dollars into new datacenters, primarily to meet the huge computing demands of AI. At least 16 datacenter projects, worth a combined $64 billion, have been blocked or delayed due to local opposition to rising electricity costs. The facilities' need for huge amounts of water to cool down equipment has also proved controversial, particularly in drier areas where supplies are scarce. [...]

At the current rate of growth, datacenters could add up to 44m tons of carbon dioxide to the atmosphere by 2030, equivalent to putting an extra 10m cars on to the road and exacerbating a climate crisis that is already spurring extreme weather disasters and ripping apart the fabric of the American insurance market. But it is the impact upon power bills, rather than the climate crisis, that is causing anguish for most voters, acknowledged Emily Wurth, managing director of organizing at Food & Water Watch, the group behind the letter to lawmakers.
"I've been amazed by the groundswell of grassroots, bipartisan opposition to this, in all types of communities across the US," said Wurth. "Everyone is affected by this, the opposition has been across the political spectrum. A lot of people don't see the benefits coming from AI and feel they will be paying for it with their energy bills and water."

"It's an important talking point. We've seen outrageous utility price rises across the country and we are going to lean into this. Prices are going up across the board and this is something Americans really do care about."
Transportation

All of Russia's Porsches Were Bricked By a Mysterious Satellite Outage (autoblog.com) 117

An anonymous reader shared this report from Autoblog: Imagine walking out to your car, pressing the start button, and getting absolutely nothing. No crank, no lights on the dash, nothing. That's exactly what happened to hundreds of Porsche owners in Russia last week. The issue is with the Vehicle Tracking System, a satellite-based security system that's supposed to protect against theft. Instead, it turned these Porsches into driveway ornaments.

The issue was first reported at the end of November, with owners reporting identical symptoms of their cars refusing to start or shutting down soon after ignition. Russia's largest dealership group, Rolf, confirmed that the problem stems from a complete loss of satellite connectivity to the VTS. When it loses its connection, it interprets the outage as a potential theft attempt and automatically activates the engine immobilizer.

The issue affects all models and engine types, meaning any Porsche equipped with the system could potentially disable itself without warning. The malfunction impacts Porsche models dating back to 2013 that have the factory VTS installed... When the VTS connection drops, the anti-theft protocol kicks in, cutting fuel delivery and locking down the engine completely.

Power

No Rise in Radiation Levels at Chernobyl, Despite Damage from February's Drone Strike (nytimes.com) 145

UPDATE (12/7): The New York Times clarifies today that the damage at Chernobyl hasn't led to a rise in radiation levels: "If there was to be some event inside the shelter that would release radioactive materials into the space inside the New Safe Confinement, because this facility is no longer sealed to the outside environment, there's the potential for radiation to come out," said Shaun Burnie, a senior nuclear specialist at Greenpeace who has monitored nuclear power plants in Ukraine since 2022 and last visited Chernobyl on October 31. "I have to say I don't think that's a particularly serious issue at the moment, because they're not actively decommissioning the actual sarcophagus."

The I.A.E.A. also said there was no permanent damage to the shield's load-bearing structures or monitoring systems. A spokesman for the agency, Fredrik Dahl, said in a text message on Sunday that radiation levels were similar to what they were before the drone hit.

But "A structure designed to prevent radioactive leakage at the defunct Chernobyl nuclear plant in Ukraine is no longer operational," Politico reported Saturday, "after Russian drones targeted it earlier this year, the U.N.'s nuclear watchdog has found." [T]he large steel structure "lost its primary safety functions, including the confinement capability" when its outer cladding was set ablaze after being struck by Russian drones, according to a new report by the International Atomic Energy Agency. Beyond that, there was "no permanent damage to its load-bearing structures or monitoring systems," it said. "Limited temporary repairs have been carried out on the roof, but timely and comprehensive restoration remains essential to prevent further degradation and ensure long-term nuclear safety," IAEA Director General Rafael Mariano Grossi said in a statement.

The Guardian has pictures of the protective shield — including the damage from the drone strike. The shield is the world's largest movable land structure, reports CNN: The IAEA, which has a permanent presence at the site, will "continue to do everything it can to support efforts to fully restore nuclear safety and security," Grossi said.... Built in 2010 and completed in 2019, it was designed to last 100 years and has played a crucial role in securing the site.

The project cost €2.1 billion and was funded by contributions from more than 45 donor countries and organizations through the Chernobyl Shelter Fund, according to the European Bank for Reconstruction and Development, which in 2019 hailed the venture as "the largest international collaboration ever in the field of nuclear safety."

AI

OpenAI Insists Target Links in ChatGPT Responses Weren't Ads But 'Suggestions' - But Turns Them Off (engadget.com) 28

A hardware security response from ChatGPT ended with "Shop for home and groceries. Connect Target."

But "There are no live tests for ads" on ChatGPT, insists Nick Turley, OpenAI's head of ChatGPT. Posting on X.com, he said "any screenshots you've seen are either not real or not ads." Engadget reports: The OpenAI exec's explanation comes after another post from former xAI employee Benjamin De Kraker on X that has gained traction, which featured a screenshot showing an option to shop at Target within a ChatGPT conversation. OpenAI's Daniel McAuley responded to the post, arguing that it's not an ad but rather an example of app integration that the company announced in October. [To which De Kraker responded "when brands inject themselves into an unrelated chat and encourage the user to go shopping at their store, that's an ad. The more you pretend this isn't an ad because you guys gave it a different name, the less users like or trust you."]

However, the company's chief research officer, Mark Chen, also replied on X that they "fell short" in this case, adding that "anything that feels like an ad needs to be handled with care."

"We've turned off this kind of suggestion while we improve the model's precision," Chen wrote on X. "We're also looking at better controls so you can dial this down or off if you don't find it helpful."

Open Source

How Home Assistant Leads a 'Local-First Rebellion' (github.blog) 100

It runs locally: a free/open source home automation platform connecting all your devices together, regardless of brand. And GitHub's senior developer calls it "one of the most active, culturally important, and technically demanding open source ecosystems on the planet," with tens of thousands of contributors and millions of installations.

That's confirmed by this year's "Octoverse" developer survey... Home Assistant was one of the fastest-growing open source projects by contributors, ranking alongside AI infrastructure giants like vLLM, Ollama, and Transformers. It also appeared in the top projects attracting first-time contributors, sitting beside massive developer platforms such as VS Code... Home Assistant is now running in more than 2 million households, orchestrating everything from thermostats and door locks to motion sensors and lighting. All on users' own hardware, not the cloud. The contributor base behind that growth is just as remarkable: 21,000 contributors in a single year...

At its core, Home Assistant's problem is combinatorial explosion. The platform supports "hundreds, thousands of devices... over 3,000 brands," as [maintainer Franck Nijhof] notes. Each one behaves differently, and the only way to normalize them is to build a general-purpose abstraction layer that can survive vendor churn, bad APIs, and inconsistent firmware. Instead of treating devices as isolated objects behind cloud accounts, everything is represented locally as entities with states and events. A garage door is not just a vendor-specific API; it's a structured device that exposes capabilities to the automation engine. A thermostat is not a cloud endpoint; it's a sensor/actuator pair with metadata that can be reasoned about.

That consistency is why people can build wildly advanced automations. Frenck describes one particularly inventive example: "Some people install weight sensors into their couches so they actually know if you're sitting down or standing up again. You're watching a movie, you stand up, and it will pause and then turn on the lights a bit brighter so you can actually see when you get your drink. You get back, sit down, the lights dim, and the movie continues." A system that can orchestrate these interactions is fundamentally a distributed event-driven runtime for physical spaces. Home Assistant may look like a dashboard, but under the hood it behaves more like a real-time OS for the home...

The local-first architecture means Home Assistant can run on hardware as small as a Raspberry Pi but must handle workloads that commercial systems offload to the cloud: device discovery, event dispatch, state persistence, automation scheduling, voice pipeline inference (if local), real-time sensor reading, integration updates, and security constraints. This architecture forces optimizations few consumer systems attempt.
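As an added illustration (not Home Assistant's code), the entity/state/event model described above reduced to a few dozen lines: two vendor-specific couch sensors, one reporting raw weight in grams and one a boolean, are normalized onto a single `binary_sensor.couch_occupied` entity, and automations subscribe to state-change events on that entity rather than to either vendor's API. The entity ids, thresholds, vendor report shapes and the movie-night scenario are constructed for this example.

```python
"""Minimal entity/state/event hub in the style of the model the article describes.
Added example, not Home Assistant's code; entity ids, thresholds and vendor
report formats are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class StateChanged:
    entity_id: str
    old: Optional[str]
    new: str


class Hub:
    """Every device is an entity with a state; transitions are fanned out as events
    to automations, the way a home-wide event-driven runtime does it."""

    def __init__(self) -> None:
        self._states: Dict[str, str] = {}
        self._listeners: List[Callable[[StateChanged], None]] = []

    def state(self, entity_id: str) -> Optional[str]:
        return self._states.get(entity_id)

    def snapshot(self) -> Dict[str, str]:
        return dict(self._states)

    def set_state(self, entity_id: str, new: str) -> None:
        old = self._states.get(entity_id)
        if old == new:
            return  # no transition, so no event and no automation run
        self._states[entity_id] = new
        for listener in list(self._listeners):
            listener(StateChanged(entity_id, old, new))

    def on_state(self, entity_id: str, to_state: str, action: Callable[["Hub"], None]) -> None:
        """Register an automation: run `action` whenever `entity_id` enters `to_state`."""
        def listener(event: StateChanged) -> None:
            if event.entity_id == entity_id and event.new == to_state:
                action(self)
        self._listeners.append(listener)


# Two vendor-specific couch sensors normalized onto one entity. The 20 kg
# threshold and the report shapes are constructed.
COUCH = "binary_sensor.couch_occupied"


def vendor_a_weight_report(hub: Hub, grams: int) -> None:
    """Vendor A pushes raw load-cell weight; 20 kg or more means someone is seated."""
    hub.set_state(COUCH, "on" if grams >= 20_000 else "off")


def vendor_b_presence_report(hub: Hub, payload: dict) -> None:
    """Vendor B pushes {"presence": true/false}."""
    hub.set_state(COUCH, "on" if payload.get("presence") else "off")


def build_movie_night(hub: Hub) -> Hub:
    """The couch automation Frenck describes: stand up -> pause and brighten; sit -> dim and resume."""
    def stood_up(h: Hub) -> None:
        h.set_state("media_player.tv", "paused")
        h.set_state("light.living_room", "brightness:80")

    def sat_down(h: Hub) -> None:
        h.set_state("light.living_room", "brightness:20")
        h.set_state("media_player.tv", "playing")

    hub.on_state(COUCH, "off", stood_up)
    hub.on_state(COUCH, "on", sat_down)
    return hub


def run_scenario() -> Dict[str, Dict[str, str]]:
    hub = build_movie_night(Hub())
    hub.set_state("light.living_room", "brightness:20")
    hub.set_state("media_player.tv", "playing")
    vendor_a_weight_report(hub, 72_000)                # seated; automation fires but nothing changes
    vendor_a_weight_report(hub, 300)                   # stands up
    after_standing = hub.snapshot()
    vendor_b_presence_report(hub, {"presence": True})  # sits back down, reported by the other vendor
    return {"after_standing": after_standing, "after_sitting": hub.snapshot()}


if __name__ == "__main__":
    for phase, states in run_scenario().items():
        print(phase, states)
```

The point of the normalization layer is that `build_movie_night` never sees a vendor: swapping the couch sensor, or adding a third brand, touches only the adapter, and the automation keeps working.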

"If any of this were offloaded to a vendor cloud, the system would be easier to build," the article points out. "But Home Assistant's philosophy reverses the paradigm: the home is the data center..."

As Nijhof says of other vendor solutions, "It's crazy that we need the internet nowadays to change your thermostat."
