Mozilla is officially ending its partnership with Onerep after more than a year of controversy over the company's founder secretly running people-search and data-broker sites. Monitor Plus will be discontinued by December 2025, existing subscribers will receive prorated refunds, and Mozilla says it will focus on privacy tools it fully controls. KrebsOnSecurity reports: In a statement published Tuesday, Mozilla said it will soon discontinue Monitor Plus, which offered data broker site scans and automated personal data removal from Onerep. "We will continue to offer our free Monitor data breach service, which is integrated into Firefox's credential manager, and we are focused on integrating more of our privacy and security experiences in Firefox, including our VPN, for free," the advisory reads.

Mozilla said current Monitor Plus subscribers will retain full access through the wind-down period, which ends on Dec. 17, 2025. After that, those subscribers will automatically receive a prorated refund for the unused portion of their subscription. "We explored several options to keep Monitor Plus going, but our high standards for vendors, and the realities of the data broker ecosystem made it challenging to consistently deliver the level of value and reliability we expect for our users," Mozilla statement reads.

Android's Quick Share file transfer service can now work with Apple's AirDrop, allowing users to send files between iPhones and Android devices. Google has started rolling out the feature to its Pixel 10 family of smartphones. The cross-platform compatibility includes security protections that the company says independent security experts tested. Google said it built the feature in response to user requests for simpler file sharing between devices regardless of manufacturer. The company plans to expand availability to additional Android devices.

An anonymous reader shares a report: This summer, Oslo's public-transport authority drove a Chinese electric bus deep into a decommissioned mine inside a nearby mountain to answer a question: Could it be hacked? Isolated by rock from digital interference, cybersecurity experts came back with a qualified yes: The bus could in theory be remotely disabled using the control system for the battery.

The revelation, presented at a recent public-transport conference, has spurred officials in Denmark and the U.K. to start their own investigations into Chinese vehicles. It has also fed into broader security concerns across Europe about the growing prevalence of Chinese-made equipment in the region's energy and telecommunications infrastructure.

The worry is the same for autos, solar panels and other connected devices: that mechanisms used for wirelessly delivering system updates could also be exploited by a hostile government or third-party hacker to compromise critical networks. [...] The Oslo transport authority, Ruter, said the bus's mobile-network connection via a Romanian SIM card gave manufacturer Yutong access to the control system for battery and power supply. Ruter said it is addressing the vulnerability by developing firewalls and delaying the signals sent to the vehicles, among other solutions.

Linus Torvalds is "fairly positive" about vibe coding as a way for people to get computers to do things they otherwise could not. The Linux kernel maintainer made the comments during an interview at the Linux Foundation Open Source Summit in Seoul earlier this month. But he cautioned that vibe coding would be a "horrible, horrible idea from a maintenance standpoint" for production code.

Torvalds told Dirk Hohndel, head of open source at Verizon, that computers have become more complicated than when he learned to code by typing in programs from computer magazines. He said vibe coding offers a path into computing for newcomers. The kernel maintainer is not using AI-assisted coding himself. He said his role has shifted from rejecting new ideas to sometimes pushing for them against opposition from longstanding maintainers who "kind of get stuck in a rut."

Rust is "actually becoming a real part of the kernel instead of being this experimental thing," he said. Torvalds said AI crawlers have been "very disruptive to a lot of our infrastructure" because they gather data from kernel.org source code. Kernel maintainers receive bugs and security notices that are "made up by people who misuse AI," though the problem is smaller than for other projects such as curl.

Cloudflare suffered its worst network outage in six years on Tuesday, beginning at 11:20 UTC. The disruption prevented the content delivery network from routing traffic for roughly three hours. The failure, writes Cloudflare in a blog post, originated from a database permissions change deployed at 11:05 UTC. The modification altered how a database query returned information about bot detection features. The query began returning duplicate entries. A configuration file used to identify automated traffic doubled in size and spread across the network's machines. Cloudflare's traffic routing software reads this file to distinguish bots from legitimate users. The software had a built-in limit of 200 bot detection features. The enlarged file contained more than 200 entries. The software crashed when it encountered the unexpected file size.

Users attempting to access websites behind Cloudflare's network received error messages. The outage affected multiple services. Turnstile security checks failed to load. The Workers KV storage service returned elevated error rates. Users could not log into Cloudflare's dashboard. Access authentication failed for most customers.

Engineers initially suspected a coordinated attack. The configuration file was automatically regenerated every five minutes. Database servers produced either correct or corrupted files during a gradual system update. Services repeatedly recovered and failed as different versions of the file circulated. Teams stopped generating new files at 14:24 UTC and manually restored a working version. Most traffic resumed by 14:30 UTC. All systems returned to normal at 17:06 UTC.

An anonymous reader shares a report: California-based TP-Link says it may take a sales hit of more than $1 billion because of erroneous reports that the networking company's technology has been "infiltrated" by Beijing. In a lawsuit, TP-Link claims its competitor, Netgear, orchestrated a smear by planting false claims with journalists and internet influencers with the goal of scaring off customers.

Closely held TP-Link, which makes wireless routers, alleges in a complaint filed Monday that Netgear's campaign "threatens injury to well over a billion dollars in sales" and violates a 2024 settlement of a patent fight. That accord, in which TP-Link agreed to pay Netgear $135 million, includes a provision that the public company promises not to disparage its rival, according to the suit in Delaware federal court.

The suit comes as TP-Link faces growing scrutiny in Washington over national-security issues. US lawmakers from both parties have expressed concern that TP-Link's wireless equipment could be exploited by Chinese hackers following a series of attacks on its routers.

MI5 has warned U.K. lawmakers that Chinese intelligence operatives are using LinkedIn and recruitment fronts to target them for information gathering and long-term cultivation. PBS reports: Writing to lawmakers, House of Commons Speaker Lindsay Hoyle said a new MI5 "espionage alert" warned that Chinese nationals were "using LinkedIn profiles to conduct outreach at scale" on behalf of the Chinese Ministry of State Security. "Their aim is to collect information and lay the groundwork for long-term relationships, using professional networking sites, recruitment agents and consultants acting on their behalf," he said. MI5 issued the alert because the activity was "targeted and widespread," he added.

The MI5 alert cited LinkedIn profiles of two women, Amanda Qiu and Shirly Shen, and said other similar recruiters' profiles were acting as fronts for espionage. Home Office Minister Dan Jarvis said that apart from parliamentary staff, others including economists, think tank consultants and government officials have been similarly targeted. Jarvis said the government is rolling out a series of measures to tackle the risk, including investing 170 million pounds ($224 million) to renew encrypted technology used by civil servants to safeguard sensitive work. Opposition parties say authorities are not doing enough and are too wary of jeopardizing trade ties with China.

A NordPass analysis found that Gen Z is actually worse at password security than older generations, with "12345" topping their list while "123456" dominates among everyone else. The Register reports: And while there were a few more "skibidis" among the Zoomer dataset compared to those who came before them, the trends were largely similar. Variants on the "123456" were among the most common for all age groups, with that exact string proving to be the most common among all users -- the sixth time in seven years it holds the undesirable crown.

Some of the more adventurous would stretch to "1234567," while budding cryptologists shored up their accounts by adding an 8 or even a 9 to the mix. However, according to Security.org's password security checker, a computer could crack any of these instantly. Most attackers would not even need to expend the resources required to reveal the password, given how commonly used they are. They could just spray a list of known passwords at an authentication API and secure a quick win.

Researchers at the University of Vienna extracted phone numbers for 3.5 billion WhatsApp users by systematically checking every possible number through the messaging service's contact discovery feature. The technique yielded profile photos for 57% of those accounts and profile text for 29 percent. The researchers checked roughly 100 million numbers per hour using WhatsApp's browser-based app.

The team warned Meta in April and deleted their data. The company implemented stricter rate-limiting by October to prevent such mass enumeration. Meta called the exposed information "basic publicly available information" and said it found no evidence of malicious exploitation. The vulnerability had been identified before. In 2017, Dutch researcher Loran Kloeze published a blog post detailing the same enumeration technique. Meta responded then that WhatsApp's privacy settings were functioning as designed and denied him a bug bounty reward. The researchers collected 137 million U.S. phone numbers. In India, they found nearly 750 million numbers. They also discovered 2.3 million Chinese numbers and 1.6 million Myanmar numbers, despite WhatsApp being banned in both countries. The researchers analyzed the cryptographic keys and found some accounts used duplicate keys. They speculate this resulted from unauthorized WhatsApp clients rather than a platform flaw.

An anonymous reader quotes a report from Wired: Startup Valar Atomics said on Monday that it achieved criticality -- an essential nuclear milestone -- with the help of one of the country's top nuclear laboratories. The El Segundo, California-based startup, which last week announced it had secured a $130 million funding round with backing from Palmer Luckey and Palantir CTO Shyam Sankar, claims that it is the first nuclear startup to create a critical fission reaction. It's also, more specifically, the first company in a special Department of Energy pilot program aiming to get at least three startups to criticality by July 4 of next year to announce it had achieved this reaction. The pilot program, which was formed following an executive order President Donald Trump signed in May, has upended US regulation of nuclear startups, allowing companies to reach new milestones like criticality at a rapid pace.

There's a difference between the type of criticality Valar reached this week -- what's known as cold criticality or zero-power criticality -- and what's needed to actually create nuclear power. Nuclear reactors use heat to create power, but in cold criticality, which is used to test a reactor's design and physics, the reaction isn't strong enough to create enough heat to make power. The reactor that reached criticality this week is not actually Valar's own model, but rather a blend of the startup's fuel and technology with key structural components provided by the Los Alamos National Laboratory, one of the DOE's research and development laboratories. The combination reactor builds off a separate fuel test performed last year at the laboratory, using fuel similar to what Valar's reactor will use. "Zero power criticality is a reactor's first heartbeat, proof the physics holds," Valar founder Isaiah Taylor said in a statement. "This moment marks the dawn of a new era in American nuclear engineering, one defined by speed, scale, and private-sector execution with closer federal partnership."

schwit1 shares a report from the New York Times: Pete Kayll, a musclebound veteran of Britain's Royal Marines, had an unusual instruction for the Bitcoin investors gathered in Switzerland in late October. "Just bite your way out," he told them. It was the final day of a weekend-long cryptocurrency convention on the shore of Lake Lugano, near the Italian border. A small group of investors had lined up in a conference room to have their hands bound with plastic zipties. Now they were learning how to get them off. "Your teeth will get through anything," Mr. Kayll advised. "But it will bloody well hurt."

Most people don't go to an international crypto conference expecting to learn how to gnaw through plastic. But after hours of panels devoted to topics like Bitcoin-collateralized loans, these investors were looking for something more practical. They wanted to know what to do if they were grabbed on the street and thrown into the back of a van. Already paranoid about scams, hacks and market turmoil, wealthy crypto investors have lately become terrified about a much graver threat: torture and kidnapping. These threats are known as "wrench attacks," which is a reference to a popular XKCD cartoon where a thief skips the hacking and just uses a wrench to force out the password.

According to the NYT, the best way to stay protected is staying low-profile, minimizing visible signs of wealth, using basic physical security tools, and preparing for self-defense. The report specifically recommends avoiding flashy displays of wealth like luxury watches and cars, watching for honey-traps, using hotel door stoppers, practicing escape techniques such as breaking zip-ties, hiring discreet bodyguards, and relying on panic-button apps like Glok to summon help quickly.

Even after disabling remote control and officially ending support for early Nest Learning Thermostats, Google is still receiving detailed sensor and activity data from these devices, including temperature changes, motion, and ambient light. The Verge reports: After digging into the backend, security researcher Cody Kociemba found that the first- and second-generation Nest Learning Thermostats are still sending Google information about manual temperature changes, whether a person is present in the room, if sunlight is hitting the device, and more. Kociemba made the discovery while participating in a bounty program created by FULU, a right-to-repair advocacy organization cofounded by electronics repair technician and YouTuber Louis Rossmann.

FULU challenged developers to come up with a solution to restore smart functionality to Nest devices no longer supported by Google, and that's exactly what Kociemba did with his open-source No Longer Evil project. But after cloning Google's API to create this custom software, he started receiving a trove of logs from customer devices, which he turned off. "On these devices, while they [Google] turned off access to remotely control them, they did leave in the ability for the devices to upload logs. And the logs are pretty extensive," Kociemba tells The Verge. [...] "I was under the impression that the Google connection would be severed along with the remote functionality, however that connection is not severed, and instead is a one-way street," Kociemba says.

An anonymous reader quotes a report from Security Affairs: On October 24, 2025, Azure DDoS Protection detected and mitigated a massive multi-vector attack peaking at 15.72 Tbps and 3.64 billion pps, the largest cloud DDoS ever recorded, aimed at a single Australian endpoint. Azure's global protection network filtered the traffic, keeping services online. The attack came from the Aisuru botnet, a Turbo Mirai-class IoT botnet using compromised home routers and cameras.

The attack used massive UDP floods from more than 500,000 IPs hitting a single public address, with little spoofing and random source ports that made traceback easier. It highlights how attackers are scaling with the internet: faster home fiber and increasingly powerful IoT devices keep pushing DDoS attack sizes higher. "On October 24, 2025, Azure DDOS Protection automatically detected and mitigated a multi-vector DDoS attack measuring 15.72 Tbps and nearly 3.64 billion packets per second (pps). This was the largest DDoS attack ever observed in the cloud and it targeted a single endpoint in Australia," reads a report published by Microsoft. "The attack originated from Aisuru botnet."

"Attackers are scaling with the internet itself. As fiber-to-the-home speeds rise and IoT devices get more powerful, the baseline for attack size keeps climbing," concludes the post. "As we approach the upcoming holiday season, it is essential to confirm that all internet-facing applications and workloads are adequately protected against DDOS attacks."

NetChoice is suing Virginia to block a new law that limits kids under 16 to one hour of daily social media use unless parents approve more time, arguing the rule violates the First Amendment and introduces serious privacy risks through mandatory age-verification. The Verge reports: In addition to restricting access to legal speech, NetChoice alleges that Virginia's incoming law (SB 854) will require platforms to verify user ages in ways that would pose privacy and security risks. The law requires platforms to use "commercially reasonable methods," which it says include a screen that prompts the user to enter a birth date. However, NetChoice argues that Virginia could go beyond this requirement, citing a post from Governor Youngkin on X, stating "platforms must verify age," potentially referring to stricter methods, like having users submit a government ID or other personal information.

NetChoice, which is backed by tech giants like Meta, Google, Amazon, Reddit, and Discord, alleges that the law puts a burden on minors' ability to engage or consume speech online. "The First Amendment prohibits the government from placing these types of restrictions on accessing lawful and valuable speech, just in the same way that the government can't tell you how long you could spend reading a book, watching a television program, or consuming a documentary," Paul Taske, the co-director of the Netchoice Litigation Center, tells The Verge.

"Virginia must leave the parenting decisions where they belong: with parents," Taske says. "By asserting that authority for itself, Virginia not only violates its citizens' rights to free speech but also exposes them to increased risk of privacy and security breaches."

The UK government has been warned that its plan to ban operators of critical national infrastructure from paying ransoms to hackers is unlikely to stop cyber attacks and could result in essential services collapsing. From a report: The proposal, announced by the Home Office in July, is designed to deter cyber criminals by making it clear any attempt to blackmail regulated companies such as hospitals, airports and telecoms groups will not succeed. If enacted, the UK would be the first country to implement such a ban.

But companies and cyber groups have told government officials that making paying ransoms illegal would remove a valuable tool in negotiations where highly sensitive data or essential services could be compromised, according to two people familiar with the matter. "An outright ban on payments sounds tough on crime, but in reality it could turn a solvable crisis into a catastrophic one," said Greg Palmer, a partner at law firm Linklaters.

"Three Chinese astronauts returned from their nation's space station Friday," reports the Associated Press, "after more than a week's delay because the return capsule they had planned to use was damaged, likely from being hit by space debris." The team left their Shenzhou-20 spacecraft in orbit and came back using the recently arrived Shenzhou-21, which had ferried a three-person replacement crew to the station, China's Manned Space Agency said. The original return plan was scrapped because a window in the Shenzhou-20 capsule had tiny cracks, most likely caused by impact from space debris, the space agency said Friday... Their return was delayed for nine days, and their 204-day stay in space was the longest for any astronaut at China's space station...

China developed the Tiangong space station after the country was excluded from the International Space Station over U.S. national security concerns. China's space program is controlled by its military.

Android's security team published a blog post this week about their experience using Rust. Its title? "Move fast and fix things." Last year, we wrote about why a memory safety strategy that focuses on vulnerability prevention in new code quickly yields durable and compounding gains. This year we look at how this approach isn't just fixing things, but helping us move faster.

The 2025 data continues to validate the approach, with memory safety vulnerabilities falling below 20% of total vulnerabilities for the first time. We adopted Rust for its security and are seeing a 1000x reduction in memory safety vulnerability density compared to Android's C and C++ code. But the biggest surprise was Rust's impact on software delivery. With Rust changes having a 4x lower rollback rate and spending 25% less time in code review, the safer path is now also the faster one... Data shows that Rust code requires fewer revisions. This trend has been consistent since 2023. Rust changes of a similar size need about 20% fewer revisions than their C++ counterparts... In a self-reported survey from 2022, Google software engineers reported that Rust is both easier to review and more likely to be correct. The hard data on rollback rates and review times validates those impressions.

Historically, security improvements often came at a cost. More security meant more process, slower performance, or delayed features, forcing trade-offs between security and other product goals. The shift to Rust is different: we are significantly improving security and key development efficiency and product stability metrics.

With Rust support now mature for building Android system services and libraries, we are focused on bringing its security and productivity advantages elsewhere. Android's 6.12 Linux kernel is our first kernel with Rust support enabled and our first production Rust driver. More exciting projects are underway, such as our ongoing collaboration with Arm and Collabora on a Rust-based kernel-mode GPU driver. [They've also been deploying Rust in firmware for years, and Rust "is ensuring memory safety from the ground up in several security-critical Google applications," including Chromium's parsers for PNG, JSON, and web fonts.]
2025 was the first year more lines of Rust code were added to Android than lines of C++ code...

An anonymous reader shared this report from the Guardian: The number of deaths linked to superbugs that do not respond to frontline antibiotics increased by 17% in England last year, according to official figures that raise concerns about the ongoing increase in antimicrobial resistance.

The figures, released by the UK Health Security Agency, also revealed a large rise in private prescriptions for antibiotics, with 22% dispensed through the private sector in 2024. The increase in private prescribing is partly explained by the Pharmacy First scheme, a flagship policy of Rishi Sunak's government that allows patients to be prescribed antibiotics for common illnesses without seeing a GP, raising questions about whether the shift in prescribing patterns risks contributing to the rise in resistance.

"Antibiotic resistance is one of the greatest health threats we face," said the UKHSA's chief executive, Prof Susan Hopkins. "More people than ever are acquiring infections that cannot be effectively treated by antibiotics. This puts them at greater risk of serious illness and even death, with our poorest communities hit the hardest... It's positive that we've seen antibiotic use fall in England within the NHS but we need to go further, faster," said Hopkins.

"Please remember to only take antibiotics if you have been told to do so by a healthcare professional. Do not save some for later or share them with friends and family. If you have leftover antibiotics, please bring them to a pharmacy for appropriate disposal."

An anonymous reader shared this report from The Register: Yet another supply chain attack has hit the npm registry in what Amazon describes as "one of the largest package flooding incidents in open source registry history" — but with a twist. Instead of injecting credential-stealing code or ransomware into the packages, this one is a token farming campaign.

Amazon Inspector security researchers, using a new detection rule and AI assistance, originally spotted the suspicious npm packages in late October, and, by November 7, the team had flagged thousands. By November 12, they had uncovered more than 150,000 malicious packages across "multiple" developer accounts. These were all linked to a coordinated tea.xyz token farming campaign, we're told. This is a decentralized protocol designed to reward open-source developers for their contributions using the TEA token, a utility asset used within the tea ecosystem for incentives, staking, and governance.

Unlike the spate of package poisoning incidents over recent months, this one didn't inject traditional malware into the open source code. Instead, the miscreants created a self-replicating attack, infecting the packages with code to automatically generate and publish, thus earning cryptocurrency rewards on the backs of legitimate open source developers. The code also included tea.yaml files that linked these packages to attacker-controlled blockchain wallet addresses.
At the moment, Tea tokens have no value, points out CSO Online. "But it is suspected that the threat actors are positioning themselves to receive real cryptocurrency tokens when the Tea Protocol launches its Mainnet, where Tea tokens will have actual monetary value and can be traded..." In an interview on Friday, an executive at software supply chain management provider Sonatype, which wrote about the campaign in April 2024, told CSO that number has now grown to 153,000. "It's unfortunate that the worm isn't under control yet," said Sonatype CTO Brian Fox. And while this payload merely steals tokens, other threat actors are paying attention, he predicted. "I'm sure somebody out there in the world is looking at this massively replicating worm and wondering if they can ride that, not just to get the Tea tokens but to put some actual malware in there, because if it's replicating that fast, why wouldn't you?"

When Sonatype wrote about the campaign just over a year ago, it found a mere 15,000 packages that appeared to come from a single person. With the swollen numbers reported this week, Amazon researchers wrote that it's "one of the largest package flooding incidents in open source registry history, and represents a defining moment in supply chain security...." For now, says Sonatype's Fox, the scheme wastes the time of npm administrators, who are trying to expel over 100,000 packages. But Fox and Amazon point out the scheme could inspire others to take advantage of other reward-based systems for financial gain, or to deliver malware.
After deplooying a new detection rule "paired with AI", Amazon's security researchers' write, "within days, the system began flagging packages linked to the tea.xyz protocol... By November 7, the researchers flagged thousands of packages and began investigating what appeared to be a coordinated campaign. The next day, after validating the evaluation results and analyzing the patterns, they reached out to OpenSSF to share their findings and coordinate a response.
Their blog post thanks the Open Source Security Foundation (OpenSSF) for rapid collaboration, while calling the incident "a defining moment in supply chain security..."

Slashdot reader spatwei writes: It is now more common for data to leave companies through copying and pasting than through file transfers and uploads, LayerX revealed in its Browser Security Report 2025.

This shift is largely due to generative AI (genAI), with 77% of employees pasting data into AI prompts, and 32% of all copy-pastes from corporate accounts to non-corporate accounts occurring within genAI tools.

'Traditional governance built for email, file-sharing, and sanctioned SaaS didn't anticipate that copy/paste into a browser prompt would become the dominant leak vector,' LayerX CEO Or Eshed wrote in a blog post summarizing the report.
"GenAI now accounts for 11% of enterprise application usage," notes this article from SC World, "with adoption rising faster than many data loss protection (DLP) controls can keep up. Overall, 45% of employees actively use AI tools, with 67% of these tools being accessed via personal accounts and ChatGPT making up 92% of all use..."

"With the rise of AI-driven browsers such as OpenAI's Atlas and Perplexity's Comet, governance of AI tools' access to corporate data becomes even more urgent, the LayerX report notes."