The Trump administration will allow Nvidia to resume selling H200 chips to China, but only if the U.S. government takes a 25% cut. Axios reports: Trump said on Truth Social that he'll allow Nvidia to sell H200 chips -- the generation of chips before its current, more-advanced Blackwell lineup -- to China, with the U.S. government pocketing a quarter of the revenue. He said he would apply "the same approach to AMD, Intel, and other GREAT American Companies."

American defense hawks fear that China could use Nvidia chips to advance its military ambitions. Trump said Monday that the sales will be subject to "conditions that allow for continued strong National Security." The blockade remains in place for Nvidia's current generation of Blackwell chips, which will be replaced in the second half of 2026 by even more advanced Rubin chips. Huang said recently he was unsure if China would want the older chips. "We applaud President Trump's decision to allow America's chip industry to compete to support high paying jobs and manufacturing in America," Nvidia said in a statement. "Offering H200 to approved commercial customers, vetted by the Department of Commerce, strikes a thoughtful balance that is great for America."

An anonymous reader quotes a report from the Guardian: A coalition of more than 230 environmental groups has demanded a national moratorium on new datacenters in the U.S., the latest salvo in a growing backlash to a booming artificial intelligence industry that has been blamed for escalating electricity bills and worsening the climate crisis. The green groups, including Greenpeace, Friends of the Earth, Food & Water Watch and dozens of local organizations, have urged members of Congress to halt the proliferation of energy-hungry datacenters, accusing them of causing planet-heating emissions, sucking up vast amounts of water and exacerbating electricity bill increases that have hit Americans this year.

"The rapid, largely unregulated rise of datacenters to fuel the AI and crypto frenzy is disrupting communities across the country and threatening Americans' economic, environmental, climate and water security," the letter states, adding that approval of new data centers should be paused until new regulations are put in place. The push comes amid a growing revolt against moves by companies such as Meta, Google and Open AI to plow hundreds of billions of dollars into new datacenters, primarily to meet the huge computing demands of AI. At least 16 datacenter projects, worth a combined $64 billion, have been blocked or delayed due to local opposition to rising electricity costs. The facilities' need for huge amounts of water to cool down equipment has also proved controversial, particularly in drier areas where supplies are scarce. [...]

At the current rate of growth, datacenters could add up to 44m tons of carbon dioxide to the atmosphere by 2030, equivalent to putting an extra 10m cars on to the road and exacerbating a climate crisis that is already spurring extreme weather disasters and ripping apart the fabric of the American insurance market. But it is the impact upon power bills, rather than the climate crisis, that is causing anguish for most voters, acknowledged Emily Wurth, managing director of organizing at Food & Water Watch, the group behind the letter to lawmakers. "I've been amazed by the groundswell of grassroots, bipartisan opposition to this, in all types of communities across the US," said Wurth. "Everyone is affected by this, the opposition has been across the political spectrum. A lot of people don't see the benefits coming from AI and feel they will be paying for it with their energy bills and water."

"It's an important talking point. We've seen outrageous utility price rises across the country and we are going to lean into this. Prices are going up across the board and this is something Americans really do care about."

An anonymous reader shared this report from Autoblog: Imagine walking out to your car, pressing the start button, and getting absolutely nothing. No crank, no lights on the dash, nothing. That's exactly what happened to hundreds of Porsche owners in Russia last week. The issue is with the Vehicle Tracking System, a satellite-based security system that's supposed to protect against theft. Instead, it turned these Porsches into driveway ornaments.

The issue was first reported at the end of November, with owners reporting identical symptoms of their cars refusing to start or shutting down soon after ignition. Russia's largest dealership group, Rolf, confirmed that the problem stems from a complete loss of satellite connectivity to the VTS. When it loses its connection, it interprets the outage as a potential theft attempt and automatically activates the engine immobilizer.

The issue affects all models and engine types, meaning any Porsche equipped with the system could potentially disable itself without warning. The malfunction impacts Porsche models dating back to 2013 that have the factory VTS installed... When the VTS connection drops, the anti-theft protocol kicks in, cutting fuel delivery and locking down the engine completely.

UPDATE (12/7): The New York Times clarifies today that the damage at Chernobyl hasn't led to a rise in radiation levels: "If there was to be some event inside the shelter that would release radioactive materials into the space inside the New Safe Confinement, because this facility is no longer sealed to the outside environment, there's the potential for radiation to come out," said Shaun Burnie, a senior nuclear specialist at Greenpeace who has monitored nuclear power plants in Ukraine since 2022 and last visited Chernobyl on October 31. "I have to say I don't think that's a particularly serious issue at the moment, because they're not actively decommissioning the actual sarcophagus."

The I.A.E.A. also said there was no permanent damage to the shield's load-bearing structures or monitoring systems. A spokesman for the agency, Fredrik Dahl, said in a text message on Sunday that radiation levels were similar to what they were before the drone hit.
But "A structure designed to prevent radioactive leakage at the defunct Chernobyl nuclear plant in Ukraine is no longer operational," Politico reported Saturday, "after Russian drones targeted it earlier this year, the U.N.'s nuclear watchdog has found." [T]he large steel structure "lost its primary safety functions, including the confinement capability" when its outer cladding was set ablaze after being struck by Russian drones, according to a new report by the International Atomic Energy Agency. Beyond that, there was "no permanent damage to its load-bearing structures or monitoring systems," it said. "Limited temporary repairs have been carried out on the roof, but timely and comprehensive restoration remains essential to prevent further degradation and ensure long-term nuclear safety," IAEA Director General Rafael Mariano Grossi said in astatement.
The Guardian has pictures of the protective shield — incuding the damage from the drone strike. The shield is the world's largest movable land structure, reports CNN: The IAEA, which has a permanent presence at the site, will "continue to do everything it can to support efforts to fully restore nuclear safety and security," Grossi said.... Built in 2010 and completed in 2019, it was designed to last 100 years and has played a crucial role in securing the site.

The project cost €2.1 billion and was funded by contributions from more than 45 donor countries and organizations through the Chernobyl Shelter Fund, according to the European Bank for Reconstruction and Development, which in 2019 hailed the venture as "the largest international collaboration ever in the field of nuclear safety."

A hardware security response from ChatGPT ended with "Shop for home and groceries. Connect Target."

But "There are no live tests for ads" on ChatGPT, insists Nick Turley, OpenAI's head of ChatGPT. Posting on X.com, he said "any screenshots you've seen are either not real or not ads." Engadget reports The OpenAI exec's explanation comes after another post from former xAI employee Benjamin De Kraker on X that has gained traction, which featured a screenshot showing an option to shop at Target within a ChatGPT conversation. OpenAI's Daniel McAuley responded to the post, arguing that it's not an ad but rather an example of app integration that the company announced in October. [To which De Kraker responded "when brands inject themselves into an unrelated chat and encourage the user to go shopping at their store, that's an ad. The more you pretend this isn't an ad because you guys gave it a different name, the less users like or trust you."]

However, the company's chief research officer, Mark Chen, also replied on X that they "fell short" in this case, adding that "anything that feels like an ad needs to be handled with care."

"We've turned off this kind of suggestion while we improve the model's precision," Chen wrote on X. "We're also looking at better controls so you can dial this down or off if you don't find it helpful."

It runs locally, a free/open source home automation platform connecting all your devices together, regardless of brand. And GitHub's senior developer calls it "one of the most active, culturally important, and technically demanding open source ecosystems on the planet," with tens of thousands of contributors and millions of installations.

That's confirmed by this year's "Octoverse" developer survey... Home Assistant was one of the fastest-growing open source projects by contributors, ranking alongside AI infrastructure giants like vLLM, Ollama, and Transformers. It also appeared in the top projects attracting first-time contributors, sitting beside massive developer platforms such as VS Code... Home Assistant is now running in more than 2 million households, orchestrating everything from thermostats and door locks to motion sensors and lighting. All on users' own hardware, not the cloud. The contributor base behind that growth is just as remarkable: 21,000 contributors in a single year...

At its core, Home Assistant's problem is combinatorial explosion. The platform supports "hundreds, thousands of devices... over 3,000 brands," as [maintainer Franck Nijhof] notes. Each one behaves differently, and the only way to normalize them is to build a general-purpose abstraction layer that can survive vendor churn, bad APIs, and inconsistent firmware. Instead of treating devices as isolated objects behind cloud accounts, everything is represented locally as entities with states and events. A garage door is not just a vendor-specific API; it's a structured device that exposes capabilities to the automation engine. A thermostat is not a cloud endpoint; it's a sensor/actuator pair with metadata that can be reasoned about.

That consistency is why people can build wildly advanced automations. Frenck describes one particularly inventive example: "Some people install weight sensors into their couches so they actually know if you're sitting down or standing up again. You're watching a movie, you stand up, and it will pause and then turn on the lights a bit brighter so you can actually see when you get your drink. You get back, sit down, the lights dim, and the movie continues." A system that can orchestrate these interactions is fundamentally a distributed event-driven runtime for physical spaces. Home Assistant may look like a dashboard, but under the hood it behaves more like a real-time OS for the home...

The local-first architecture means Home Assistant can run on hardware as small as a Raspberry Pi but must handle workloads that commercial systems offload to the cloud: device discovery, event dispatch, state persistence, automation scheduling, voice pipeline inference (if local), real-time sensor reading, integration updates, and security constraints. This architecture forces optimizations few consumer systems attempt.
"If any of this were offloaded to a vendor cloud, the system would be easier to build," the article points out. "But Home Assistant's philosophy reverses the paradigm: the home is the data center..."

As Nijhof says of other vendor solutions, "It's crazy that we need the internet nowadays to change your thermostat."

"First the penny. Next, paper checks?" asks CNN: When the U.S. Mint stopped making pennies last month for the first time in 238 years, it drew a lot of attention. But there have been quiet moves to stop using paper checks as well. The government stopped sending out most paper checks to recipients as of the end of September, part of an effort to fully modernize federal benefits payments. And on Thursday the Federal Reserve put out a notice that suggested it is considering — but only considering — the "winding down" of checking services it now provides for banks.

The central bank's statement said that as an alternative to winding down those services, it is mulling more investment in its check processing services, but noted that would come at a higher cost. But it is also considering not making any such investments, in order to keep costs roughly unchanged. That would lead to reduced reliability of those services going forward. "Over time, check use has steadily declined, digital payment methods have grown in availability and use, and check fraud has risen," said the notice from the Fed. "Also, the Reserve Banks will need to make substantial investments in their check infrastructure to continue providing the same level of check services going forward."

A report from the Federal Reserve Bank of Atlanta in June found that as of last year, more than 90% of surveyed consumers said they prefer to use something other than a check for paying bills, and just 6% paid by check. That's a sharp drop from the 18% of bills paid by checks as recently as 2017. Consumers also reported they view checks as second-worst for convenience and speed of payment, ahead of only money orders. And they're ranked as the least secure form of any payment other than cash.

But even if it's true that options such as direct deposit, automatic bill paying and electronic payment systems such as Venmo, PayPal and Zelle have all reduced the need for traditional checks, paper checks are still an important part of the payment system. They make up about 5% of transactions and represent 21% of the value of all those payments, according to a statement from Michelle Bowman, the Fed's vice chair for supervision, who dissented from the Fed's Thursday statement.

What happened when a school in Los Angeles gave a sixth grader an iPad for use throughout the school day? "He used the iPad during school to watch YouTube and participate in Fortnite video game battles," reports NBC News.

His mother has now launched a coalition of parents called Schools Beyond Screens "organizing in WhatsApp groups, petition drives and actions at school board meetings and demanding meetings with district administrators, pressuring them to pull back on the school-mandated screen time." Los Angeles Unified is the first district of its size to face an organized — and growing — campaign by parents demanding that schools pull back on mandatory screen time. The discontent in Los Angeles Unified, the second-largest school district in the country, reflects a growing unease nationally about the amount of time children spend learning through screens in classrooms. While a majority of states prohibit children from using cellphones in class, 88% of schools provide students with personal devices, according to the National Center for Education Statistics, often Chromebook laptops or iPads. The parents hope getting a district that has over 409,000 students across nearly 800 schools to change how it approaches screen time would send a signal across public school districts to pull back from a yearslong effort to digitize classrooms....

[In the Los Angeles school district] Students in grade levels as low as kindergarten are provided iPads, and some schools require them to take the tablets home. Some teachers have allowed students to opt out of the iPad-based assignments, but other parents say they've been told that they can't. Parents can also opt their children out of having access to YouTube and several other Google products... The billion-dollar 2014 initiative to give tablet computers to everyone became a scandal after the bidding process appeared to heavily favor Apple, and it faced criticism once it became clear that students could bypass security protocols and that few teachers used the tablets. Currently, the district leaves it up to individual schools to decide whether they want students to take home iPads or Chromebooks every day and how much time they spend on them in class...

Around 300 parents attended listening sessions the district held last month about technology in the classroom. Nearly all who spoke criticized how much screen time schools gave their children in class, pointing to ways their behavior and grades suffered as students watched YouTube and played Minecraft... Several also asked district officials to explain why children as young as kindergartners were asked to sign a form to use devices in which they promised they would honor intellectual property law and refrain from meeting people in person whom they met online. "Is it possible for children to meet people over the internet on school-issued devices?" one father asked. The district officials declined to answer, saying it was meant to be a listening session.
In 2022, Los Angeles Unified started requiring students to complete benchmark assessments on educaitonal software i-Ready, the article points out, which generates unique questions for each students. "But parents and teachers are unable to see what children are asked, in part because the company that makes the program considers them proprietary information..."

One teacher says his school's administartors are requiring him to use i-Ready even though it doesn't have any material for the science class he's actually teaching. He's also noticed some students will use answers from AI chatbots, bypassing the school's monitoring software by creating alternate user profiles. But the monitoring software company suggests the school misconfigured their software's settings, adding "More commonly, when students attempt to bypass filtering or monitoring, they do so by using proxies."

Thanks to long-time Slashdot reader schwit1 for sharing the article.

U.S. and Canadian cybersecurity agencies say Chinese-linked actors deployed "Brickstorm" malware to infiltrate critical infrastructure and maintain long-term access for potential sabotage. Reuters reports: The Chinese-linked hacking operations are the latest example of Chinese hackers targeting critical infrastructure, infiltrating sensitive networks and "embedding themselves to enable long-term access, disruption, and potential sabotage," Madhu Gottumukkala, the acting director of the Cybersecurity and Infrastructure Security Agency, said in an advisory signed by CISA, the National Security Agency and the Canadian Centre for Cyber Security. According to the advisory, which was published alongside a more detailed malware analysis report (PDF), the state-backed hackers are using malware known as "Brickstorm" to target multiple government services and information technology entities. Once inside victim networks, the hackers can steal login credentials and other sensitive information and potentially take full control of targeted computers.

In one case, the attackers used Brickstorm to penetrate a company in April 2024 and maintained access through at least September 3, 2025, according to the advisory. CISA Executive Assistant Director for Cybersecurity Nick Andersen declined to share details about the total number of government organizations targeted or specifics around what the hackers did once they penetrated their targets during a call with reporters on Thursday. The advisory and malware analysis reports are based on eight Brickstorm samples obtained from targeted organizations, according to CISA. The hackers are deploying the malware against VMware vSphere, a product sold by Broadcom's VMware to create and manage virtual machines within networks. [...] In addition to traditional espionage, the hackers in those cases likely also used the operations to develop new, previously unknown vulnerabilities and establish pivot points to broader access to more victims, Google said at the time.

Two Virginia brothers Muneeb and Sohaib Akhter, previously convicted of hacking the U.S. State Department, were rehired as federal contractors and are now charged with conspiring to steal sensitive data and destroy government databases after being fired. "Following the termination of their employment, the brothers allegedly sought to harm the company and its U.S. government customers by accessing computers without authorization, issuing commands to prevent others from modifying the databases before deletion, deleting databases, stealing information, and destroying evidence of their unlawful activities," the Justice Department said in a Wednesday press release. BleepingComputer reports: According to court documents, Muneeb Akhter deleted roughly 96 databases containing U.S. government information in February 2025, including Freedom of Information Act records and sensitive investigative documents from multiple federal agencies. One minute after deleting a Department of Homeland Security database, Muneeb Akhter also allegedly asked an artificial intelligence tool for instructions on clearing system logs after deleting a database.

The two defendants also allegedly ran commands to prevent others from modifying the targeted databases before deletion, and destroyed evidence of their activities. The prosecutors added that both men wiped company laptops before returning them to the contractor and discussed cleaning out their house in anticipation of a law enforcement search. The complaint also claims that Muneeb Akhter stole IRS information from a virtual machine, including federal tax data and identifying information for at least 450 individuals, and stole Equal Employment Opportunity Commission information after being fired by the government contractor.

Muneeb Akhter has been charged with conspiracy to commit computer fraud and destroy records, two counts of computer fraud, theft of U.S. government records, and two counts of aggravated identity theft. If found guilty, he faces a minimum of two years in prison for each aggravated identity theft count, with a maximum of 45 years on other charges. His brother, Sohaib, is charged with conspiracy to commit computer fraud and password trafficking, facing a maximum penalty of six years if convicted.

joshuark shares a report from BleepingComputer: Microsoft has silently "mitigated" a high-severity Windows LNK vulnerability exploited by multiple state-backed and cybercrime hacking groups in zero-day attacks. Tracked as CVE-2025-9491, this security flaw allows attackers to hide malicious commands within Windows LNK files, which can be used to deploy malware and gain persistence on compromised devices. However, the attacks require user interaction to succeed, as they involve tricking potential victims into opening malicious Windows Shell Link (.lnk) files. Thus some element of social engineering, and user technically naive and gullibility such as thinking Windows is secure is required. [...]

As Trend Micro threat analysts discovered in March 2025, the CVE-2025-9491 was already being widely exploited by 11 state-sponsored groups and cybercrime gangs, including Evil Corp, Bitter, APT37, APT43 (also known as Kimsuky), Mustang Panda, SideWinder, RedHotel, Konni, and others. Microsoft told BleepingComputer in March that it would "consider addressing" this zero-day flaw, even though it didn't "meet the bar for immediate servicing." ACROS Security CEO and 0patch co-founder Mitja Kolsek found, Microsoft has silently changed LNK files in the November updates in an apparent effort to mitigate the CVE-2025-9491 flaw. After installing last month's updates, users can now see all characters in the Target field when opening the Properties of LNK files, not just the first 260. As the movie the Ninth Gate stated: "silentium est aurum"

An anonymous reader quotes a report from the Guardian: Almost three in 10 GPs in the UK are using AI tools such as ChatGPT in consultations with patients, even though it could lead to them making mistakes and being sued, a study reveals. The rapid adoption of AI to ease workloads is happening alongside a "wild west" lack of regulation of the technology, which is leaving GPs unaware which tools are safe to use. That is the conclusion of research by the Nuffield Trust thinktank, based on a survey of 2,108 family doctors by the Royal College of GPs about AI and on focus groups of GPs.

Ministers hope that AI can help reduce the delays patients face in seeing a GP. The study found that more and more GPs were using AI to produce summaries of appointments with patients, assisting their diagnosis of the patient's condition and routine administrative tasks. In all, 598 (28%) of the 2,108 survey respondents said they were already using AI. More male (33%) than female (25%) GPs have used it and far more use it in well-off than in poorer areas.

It is moving quickly into more widespread use. However, large majorities of GPs, whether they use it or not, worry that practices that adopt it could face "professional liability and medico-legal issues," and "risks of clinical errors" and problems of "patient privacy and data security" as a result, the Nuffield Trust's report says. [...] In a blow to ministerial hopes, the survey also found that GPs use the time it saves them to recover from the stresses of their busy days rather than to see more patients. "While policymakers hope that this saved time will be used to offer more appointments, GPs reported using it primarily for self-care and rest, including reducing overtime working hours to prevent burnout," the report adds.

An anonymous reader quotes a report from TechCrunch: Earlier this year, home goods maker Kohler launched a smart camera called the Dekoda that attaches to your toilet bowl, takes pictures of it, and analyzes the images to advise you on your gut health. Anticipating privacy fears, Kohler said on its website that the Dekoda's sensors only see down into the toilet, and claimed that all data is secured with "end-to-end encryption." The company's use of the expression "end-to-end encryption" is, however, wrong, as security researcher Simon Fondrie-Teitler pointed out in a blog post on Tuesday. By reading Kohler's privacy policy, it's clear that the company is referring to the type of encryption that secures data as it travels over the internet, known as TLS encryption -- the same that powers HTTPS websites. [...] The security researcher also pointed out that given Kohler can access customers' data on its servers, it's possible Kohler is using customers' bowl pictures to train AI. Citing another response from the company representative, the researcher was told that Kohler's "algorithms are trained on de-identified data only." A "privacy contact" from Kohler said that user data is "encrypted at rest, when it's stored on the user's mobile phone, toilet attachment, and on our systems." The company also said that, "data in transit is also encrypted end-to-end, as it travels between the user's devices and our systems, where it is decrypted and processed to provide our service."

A federal judge has ordered OpenAI to hand over 20 million anonymized ChatGPT logs in its copyright battle with the New York Times and other outlets. Reuters reports: U.S. Magistrate Judge Ona Wang in a decision made public on Wednesday said that the 20 million logs were relevant to the outlets' claims and that handing them over would not risk violating users' privacy. The judge rejected OpenAI's privacy-related objections to an earlier order requiring the artificial intelligence startup to submit the records as evidence. "There are multiple layers of protection in this case precisely because of the highly sensitive and private nature of much of the discovery," Wang said.

An OpenAI spokesperson on Wednesday cited an earlier blog post from the company's Chief Information Security Officer Dane Stuckey, which said the Times' demand for the chat logs "disregards long-standing privacy protections" and "breaks with common-sense security practices." OpenAI has separately appealed Wang's order to the case's presiding judge, U.S. District Judge Sidney Stein.

A group of newspapers owned by Alden Global Capital's MediaNews Group is also involved in the lawsuit. MediaNews Group executive editor Frank Pine said in a statement on Wednesday that OpenAI's leadership was "hallucinating when they thought they could get away with withholding evidence about how their business model relies on stealing from hardworking journalists."

An anonymous reader quotes a report from Politico: Five months after releasing a plan to accelerate the development of artificial intelligence, the Trump administration is turning to robots. Commerce Secretary Howard Lutnick has been meeting with robotics industry CEOs and is "all in" on accelerating the industry's development, according to three people familiar with the discussions who were granted anonymity to share details. The administration is considering issuing an executive order on robotics next year, according to two of the people. A Department of Commerce spokesperson said: "We are committed to robotics and advanced manufacturing because they are central to bringing critical production back to the United States."

The Department of Transportation is also preparing to announce a robotics working group, possibly before the end of the year, according to one person familiar with the planning. A spokesperson for the department did not respond to a request for comment. There's growing interest on Capitol Hill as well. A Republican amendment to the National Defense Authorization Act would have created a national robotics commission. The amendment was not included in the bill. Other legislative efforts are underway. The flurry of activity suggests robotics is emerging as the next major front in America's race against China. "There is now recognition that advanced robotics is crucial to the U.S. in terms of manufacturing, technology, national security, defense applications, public safety," said Brendan Schulman, VP of policy and government relations for Boston Dynamics. "The investment that we're seeing in the sector and the efforts in China to dominate the future of robotics are being noticed."

India has withdrawn its order requiring Apple and other smartphone makers to preinstall the government's Sanchar Saathi app after public backlash and privacy concerns. AppleInsider reports: On November 28, the India Ministry of Communication issued a secret directive to Apple and other smartphone manufacturers, requiring the preinstallation of a government-backed app. Less than a week later, the order has been rescinded. The withdrawal on Wednesday means Apple doesn't have to preload the Sanchar Saathi app onto iPhones sold in the country, in a way that couldn't be "disabled or restricted." [...]

In pulling back from the demand, the government insisted that the app had an "increasing acceptance" among citizens. There was a tenfold spike of new user registrations on Tuesday alone, with over 600,000 new users made aware of the app from the public debacle. India Minister of Communications Jyotiraditya Scindia took a moment to insist that concerns the app could be used for increased surveillance were unfounded. "Snooping is neither possible nor will it happen" with the app, Scindia claimed.

"This is a welcome development, but we are still awaiting the full text of the legal order that should accompany this announcement, including any revised directions under the Cyber Security Rules, 2024," said the Internet Freedom Foundation. It is treating the news with "cautious optimism, not closure," until formalities conclude. However, while promising, the backdown doesn't stop India from retrying something similar or another tactic in the future.

Despite Windows 10 losing free support, Statcounter shows Windows 11 holding only a modest lead of 53.7% market share compared to Windows 10's 42.7%. Analysts say the slow transition reflects both hardware limitations and a lack of must-have Windows 11 features compelling organizations to refresh their fleets. The Register reports: The Register spoke to Lansweeper principal technical evangelist Esben Dochy, who noted that consumers were more likely to have devices that couldn't be upgraded or follow the "if it ain't broke, don't fix it" rule when it comes to change. He also pointed out consumers in the EU get Microsoft Extended Security Updates (ESU) for free.

For businesses, though, it's different. Dochy told us: "The primary blocker is slow change management processes. These can be slow due to bad planning, lack of resources, difficulty in execution (in highly distributed organizations) etc. "The ESU are used to be secure while those change management processes take place, but organizations will have to pay to get those ESU making it more expensive for unprepared or inefficient organizations." [...]

The challenge facing Windows 11 is that, other than the end of free support for many versions, there is no must-have feature to make enterprises break a hardware refresh cycle, particularly in a difficult economic environment. Microsoft has not released official statistics on Windows 11 adoption. However, hardware vendors have noted the sluggish pace of transition. Dell COO Jeffrey Clarke commented during an analyst call: "If you were to look at it relative to the previous OS end of support, we are 10-12 points behind at that point with Windows 11 than we were with the previous generation."

During last month's KubeCon North America in Atlanta, Kubernetes maintainers announced the upcoming retirement of Ingress NGINX. "Best-effort maintenance will continue until March 2026," noted the Kubernetes SIG Network and the Security Response Committee. "Afterward, there will be no further releases, no bugfixes, and no updates to resolve any security vulnerabilities that may be discovered." In a recent op-ed for The Register, Steven J. Vaughan-Nichols reflects on the decision and speculates about what might have prevented this outcome: Ingress NGINX, for those who don't know it, is an ingress controller in Kubernetes clusters that manages and routes external HTTP and HTTPS traffic to the cluster's internal services based on configurable Ingress rules. It acts as a reverse proxy, ensuring that requests from clients outside the cluster are forwarded to the correct backend services within the cluster according to path, domain, and TLS configuration. As such, it's vital for network traffic management and load balancing. You know, the important stuff.

Now this longstanding project, once celebrated for its flexibility and breadth of features, will soon be "abandonware." So what? After all, it won't be the first time a once-popular program shuffled off the stage. Off the top of my head, dBase, Lotus 1-2-3, and VisiCalc spring to my mind. What's different is that there are still thousands of Ingress NGINX controllers in use. Why is it being put down, then, if it's so popular? Well, there is a good reason. As Tabitha Sable, a staff engineer at Datadog who is also co-chair of the Kubernetes special interest group for security, pointed out: "Ingress NGINX has always struggled with insufficient or barely sufficient maintainership. For years, the project has had only one or two people doing development work, on their own time, after work hours, and on weekends. Last year, the Ingress NGINX maintainers announced their plans to wind down Ingress NGINX and develop a replacement controller together with the Gateway API community. Unfortunately, even that announcement failed to generate additional interest in helping maintain Ingress NGINX or develop InGate to replace it." [...]

The final nail in the coffin was when security company Wix found a killer Ingress NGINX security hole. How bad was it? Wix declared: "Exploiting this flaw allows an attacker to execute arbitrary code and access all cluster secrets across namespaces, which could lead to complete cluster takeover." [...] You see, the real problem isn't that Ingress NGINX has a major security problem. Heck, hardly a month goes by without another stop-the-presses Windows bug being uncovered. No, the real issue is that here we have yet another example of a mission-critical open source program no one pays to support...

Apple does not plan to comply with India's mandate to preload its smartphones with a state-owned cyber safety app that cannot be disabled. According to Reuters, the order "sparked surveillance concerns and a political uproar" after it was revealed on Monday. From the report: In the wake of the criticism, India's telecom minister Jyotiraditya M. Scindia on Tuesday said the app was a "voluntary and democratic system," adding that users can choose to activate it and can "easily delete it from their phone at any time." At present, the app can be deleted by users. Scindia did not comment on or clarify the November 28 confidential directive that ordered smartphone makers to start preloading it and ensure "its functionalities are not disabled or restricted."

Apple however does not plan to comply with the directive and will tell the government it does not follow such mandates anywhere in the world as they raise a host of privacy and security issues for the company's iOS ecosystem, said two of the industry sources who are familiar with Apple's concerns. They declined to be named publicly as the company's strategy is private. "Its not only like taking a sledgehammer, this is like a double-barrel gun," said the first source.

An anonymous reader quotes a report from BleepingComputer: The popular open-source SmartTube YouTube client for Android TV was compromised after an attacker gained access to the developer's signing keys, leading to a malicious update being pushed to users. The compromise became known when multiple users reported that Play Protect, Android's built-in antivirus module, blocked SmartTube on their devices and warned them of a risk.

The developer of SmartTube, Yuriy Yuliskov, admitted that his digital keys were compromised late last week, leading to the injection of malware into the app. Yuliskov revoked the old signature and said he would soon publish a new version with a separate app ID, urging users to move to that one instead. [...] A user who reverse-engineered the compromised SmartTube version number 30.51 found that it includes a hidden native library named libalphasdk.so [VirusTotal]. This library does not exist in the public source code, so it is being injected into release builds.

[...] The library runs silently in the background without user interaction, fingerprints the host device, registers it with a remote backend, and periodically sends metrics and retrieves configuration via an encrypted communications channel. All this happens without any visible indication to the user. While there's no evidence of malicious activity such as account theft or participation in DDoS botnets, the risk of enabling such activities at any time is high.