An anonymous reader quotes a report from BleepingComputer: The U.S. Congressional Budget Office (CBO) confirms it suffered a cybersecurity incident after a suspected foreign hacker breached its network, potentially exposing sensitive data. In a statement shared with BleepingComputer, CBO spokesperson Caitlin Emma confirmed the "security incident" and said the agency acted quickly to contain it. "The Congressional Budget Office has identified the security incident, has taken immediate action to contain it, and has implemented additional monitoring and new security controls to further protect the agency's systems going forward," Emma told BleepingComputer.

"The incident is being investigated and work for the Congress continues. Like other government agencies and private sector entities, CBO occasionally faces threats to its network and continually monitors to address those threats." The Washington Post first reported the breach, stating that officials discovered the hack in recent days and are now concerned that emails and exchanges between congressional offices and the CBO's analysts may have been exposed. While officials have reported told lawmakers they believe the intrusion was detected early, some congressional office have allegedly halted emails with the CBO out of security concerns.

BrianFagioli writes: Google has released Magika 1.0, a stable version of its AI-based file type detection tool, and rebuilt the entire engine in Rust for speed and memory safety. The system now recognizes more than 200 file types, up from about 100, and is better at distinguishing look-alike formats such as JSON vs JSONL, TSV vs CSV, C vs C++, and JavaScript vs TypeScript. The team used a 3TB training dataset and even relied on Gemini to generate synthetic samples for rare file types, allowing Magika to handle formats that don't have large, publicly available corpora. The tool supports Python and TypeScript integrations and offers a native Rust command-line client.

Under the hood, Magika uses ONNX Runtime for inference and Tokio for parallel processing, allowing it to scan around 1,000 files per second on a modern laptop core and scale further with more CPU cores. Google says this makes Magika suitable for security workflows, automated analysis pipelines, and general developer tooling. Installation is a single curl or PowerShell command, and the project remains fully open source. The project is available on GitHub and documentation can be found here.

The government shutdown-spurred airport chaos is about to get a whole lot worse. From a report: The Federal Aviation Administration said Wednesday it will reduce flight volumes by 10 percent across 40 major airports in response, a move that could threaten 3,000 to 4,500 flights daily. The cuts will affect "high volume" markets, including in Atlanta, Dallas, New York City and Los Angeles, according to CBS. The FAA has not formally announced which airports will have their capacity cut.

"I'm not aware in my 35-year history in the aviation market where we've had a situation where we're taking these kinds of measures," FAA Administrator Bryan Bedford said at a news conference, according to the AP. The government shutdown, which is now the longest in US history, has already been causing thousands of delays each day, as well as long waits at airport security. Some major airports have even been forced to operate without air traffic control for hours at a time.

A bungled October 18 heist that saw $102 million of crown jewels stolen from the Louvre in broad daylight has exposed years of lax security at the national art museum. From trivial passwords like 'LOUVRE' to decades-old, unsupported systems and easy rooftop access, the job was made surprisingly easy. PC Gamer reports: As Rogue cofounder and former Polygon arch-jester Cass Marshall notes on Bluesky, we owe a lot of videogame designers an apology. We've spent years dunking on the emptyheadedness of game characters leaving their crucial security codes and vault combinations in the open for anyone to read, all while the Louvre has been using the password "Louvre" for its video surveillance servers. That's not an exaggeration. Confidential documents reviewed by Liberation detail a long history of Louvre security vulnerabilities, dating back to a 2014 cybersecurity audit performed by the French Cybersecurity Agency (ANSSI) at the museum's request. ANSSI experts were able to infiltrate the Louvre's security network to manipulate video surveillance and modify badge access.

"How did the experts manage to infiltrate the network? Primarily due to the weakness of certain passwords which the French National Cybersecurity Agency (ANSSI) politely describes as 'trivial,'" writes Liberation's Brice Le Borgne via machine translation. "Type 'LOUVRE' to access a server managing the museum's video surveillance, or 'THALES' to access one of the software programs published by... Thales." The museum sought another audit from France's National Institute for Advanced Studies in Security and Justice in 2015. Concluded two years later, the audit's 40 pages of recommendations described "serious shortcomings," "poorly managed" visitor flow, rooftops that are easily accessible during construction work, and outdated and malfunctioning security systems. Later documents indicate that, in 2025, the Louvre was still using security software purchased in 2003 that is no longer supported by its developer, running on hardware using Windows Server 2003.

An anonymous reader quotes a report from the Guardian: Authorities in Denmark are urgently studying how to close an apparent security loophole in hundreds of Chinese-made electric buses that enables them to be remotely deactivated. The investigation comes after transport authorities in Norway, where the Yutong buses are also in service, found that the Chinese supplier had remote access for software updates and diagnostics to the vehicles' control systems -- which could be exploited to affect buses while in transit.

Amid concerns over potential security risks, the Norwegian public transport authority Ruter decided to test two electric buses in an isolated environment. Bernt Reitan Jenssen, Ruter's chief executive, said: "The testing revealed risks that we are now taking measures against. National and local authorities have been informed and must assist with additional measures at a national level." Their investigations found that remote deactivation could be prevented by removing the buses' sim cards, but they decided against this because it would also disconnect the bus from other systems.

Ruter said it planned to bring in stricter security requirements for future procurements. Jenssen said it must act before the arrival of the next generation of buses, which could be even "more integrated and harder to secure." Movia, Denmark's largest public transport company, has 469 Chinese electric buses in operation -- 262 of which were manufactured by Yutong. Jeppe Gaard, Movia's chief operating officer, said he was made aware of the loophole last week. "This is not a Chinese bus problem," he said. "It is a problem for all types of vehicles and devices with Chinese electronics built in."

A massive cyberattack on Swedish IT supplier Miljodata exposed personal data from up to 1.5 million citizens, prompting a national privacy investigation and scrutiny into security failures across multiple municipalities. BleepingComputer reports: MiljÃdata is an IT systems supplier for roughly 80% of Sweden's municipalities. The company disclosed the incident on August 25, saying that the attackers stole data and demanded 1.5 Bitcoin to not leak it. The attack caused operational disruptions that affected citizens in multiple regions in the country, including Halland, Gotland, Skelleftea, Kalmar, Karlstad, and Monsteras.

Because of the large impact, the state monitored the situation from the time of disclosure, with CERT-SE and the police starting to investigate immediately. According to IMY, the attacker exposed on the dark web data that corresponds to 1.5 million people in the country, creating the basis for investigating potential General Data Protection Regulation (GDPR) violations. [...] Although no ransomware groups had claimed the attack when Miljodata disclosed the incident, BleepingComputer found that the threat group Datacarry posted the stolen data on its dark web portal on September 13. The leaked database has been added to Have I Been Pwned, which contains information such as names, email addresses, physical addresses, phone numbers, government IDs, and dates of birth.

An anonymous reader shares a report: Microsoft officially ended mainstream support for Windows 10 last month, nudging users to upgrade to Windows 11. While that led to almost an overnight technological revolution in Japan, elsewhere, it has caused a lot of confusion. Certain versions of Windows 10, like Enterprise LTSC -- and those enrolled in the ESU program -- are still scheduled to receive security updates through at least 2027, but they're starting to see out-of-support messages in Settings.

Various users over the past few days reported that they're being subjected to end-of-life warnings in Windows, despite already qualifying for extended security updates through the ESU program. Windows 10 Enterprise LTSC 2021 and âIoT Enterprise are business-oriented editions of the OS, so they're already supported up to 2032, but even they saw these incorrect messages. This widespread bug started to occur after the KB5066791 updates were pushed on October 14, 2025.

Microsoft has already acknowledged this mishap and said, "The message, 'Your version of Windows has reached the end of support, might incorrectly display in the Windows Update Settings page," confirming it as a mistake. The company has already released a cloud config fix that should remove the message, but you need to be connected to the internet for that, and a restart is also required.

Three employees at cybersecurity companies spent years moonlighting as criminal hackers, launching their own ransomware attacks in a plot to extort millions of dollars from victims around the country, US prosecutors alleged in court filings. From a report: Ryan Clifford Goldberg, a former incident response supervisor at Sygnia Consulting, and Kevin Tyler Martin, who was a ransomware negotiator for DigitalMint, were charged with working together to hack five businesses starting in May 2023. In one instance, they, along with a third person, received a ransom payment of nearly $1.3 million worth of cryptocurrency from a medical device company based in Tampa, Florida, according to prosecutors.

The trio worked in a part of the cybersecurity industry that has sprung up to help companies negotiate with hackers to unfreeze their computer networks -- sometimes by paying ransom. They are also accused of sharing their illicit profits with the developers of the type of ransomware they allegedly used on their victims. DigitalMint informed some customers about the charges last week, according to a document seen by Bloomberg News.

The other person who was allegedly involved in the scheme was also a ransomware negotiator at the same firm as Martin but wasn't charged, according to court records. The person wasn't identified in court records, nor were the companies that were the defendants' former employers. Sygnia confirmed Goldberg had worked there. Martin last year gave a talk at a law school, which listed him as an employee of DigitalMint.

An anonymous reader shares a report: Before the potential of the internet was appreciated around the world, nations that understood its importance managed to scoop outsized allocations of IPv4 addresses, actions that today mean many users in the rest of the world are more likely to find their connections throttled or blocked.

So says Cloudflare, which last week published research that recalls how once the world started to run out of IPv4 addresses, engineers devised network address translation (NAT) so that multiple devices can share a single IPv4 address. NAT can handle tens of thousands of devices, but carriers typically operate many more. Internetworking wonks therefore developed Carrier-Grade NAT (CGNAT), which can handle over 100 devices per IPv4 address and scale to serve millions of users.

That's useful for carriers everywhere, but especially valuable for carriers in those countries that missed out on big allocations of IPv4 because their small pool of available number resources means they must employ CGNAT to handle more users and devices. Cloudflare's research suggests carriers in Africa and Asia use CGNAT more than those on other continents.

Cloudflare worried that could be bad for individual netizens. "CGNATs also create significant operational fallout stemming from the fact that hundreds or even thousands of clients can appear to originate from a single IP address," wrote Cloudflare researchers Vasilis Giotsas and Marwan Fayed. "This means an IP-based security system may inadvertently block or throttle large groups of users as a result of a single user behind the CGNAT engaging in malicious activity. Blocking the shared IP therefore penalizes many innocent users along with the abuser."

An anonymous reader quotes a report from TechCrunch: U.S. prosecutors have charged two rogue employees of a cybersecurity company that specializes in negotiating ransom payments to hackers on behalf of their victims with carrying out ransomware attacks of their own. Last month, the Department of Justice indicted Kevin Tyler Martin and another unnamed employee, who both worked as ransomware negotiators at DigitalMint, with three counts of computer hacking and extortion related to a series of attempted ransomware attacks against at least five U.S.-based companies.

Prosecutors also charged a third individual, Ryan Clifford Goldberg, a former incident response manager at cybersecurity giant Sygnia, as part of the scheme. The three are accused of hacking into companies, stealing their sensitive data, and deploying ransomware developed by the ALPHV/BlackCat group. [...] According to an FBI affidavit filed in September, the rogue employees received more than $1.2 million in ransom payments from one victim, a medical device maker in Florida. They also targeted several other companies, including a Virginia-based drone maker and a Maryland-headquartered pharmaceutical company.

concertina226 shares a report from The Register: [A massive power outage in April left tens of millions across Spain, Portugal, and parts of France without electricity for hours due to cascading grid failures, exposing how fragile and interconnected Europe's energy infrastructure is. The incident, though not a cyberattack, reignited concerns about the vulnerability of aging, fragmented, and insecure operational technology systems that could be easily exploited in future cyber or ransomware attacks.] This headache is one the European Commission is focused on. It is funding several projects looking at making electric grids more resilient, such as the eFort framework being developed by cybersecurity researchers at the independent non-profit Netherlands Organisation for Applied Scientific Research (TNO) and the Delft University of Technology (TU Delft).

TNO's SOARCA tool is the first ever open source security orchestration, automation and response (SOAR) platform designed to protect power plants by automating the orchestration of the response to physical attacks, as well as cyberattacks, on substations and the network, and the first country to demo it will be the Ukraine this year. At the moment, SOAR systems only exist for dedicated IT environments. The researchers' design includes a SOAR system in each layer of the power station: the substation, the control room, the enterprise layer, the cloud, or the security operations centre (SOC), so that the SOC and the control room work together to detect anomalies in the network, whether it's an attacker exploiting a vulnerability, a malicious device being plugged into a substation, or a physical attack like a missile hitting a substation. The idea is to be able to isolate potential problems and prevent lateral movement from one device to another or privilege escalation, so an attacker cannot go through the network to the central IT management system of the electricity grid. [...]

The SOARCA tool is underpinned by CACAO Playbooks, an open source specification developed by the OASIS Open standards body and its members (which include lots of tech giants and US government agencies) to create standardized predefined, automated workflows that can detect intrusions and changes made by malicious actors, and then carry out a series of steps to protect the network and mitigate the attack. Experts largely agree the problem facing critical infrastructure is only worsening as years pass, and the more random Windows implementations that are added into the network, the wider the attack surface is. [...] TNO's Wolthuis said the energy industry is likely to be pushed soon to take action by regulators, particularly once the Network Code on Cybersecurity (NCCS), which lays out rules requiring cybersecurity risk assessments in the electricity sector, is formalized.

An anonymous reader quotes a report from Tom's Hardware: After a turbulent weekend of updates and clarifications, AMD has published an entire web page to assuage user backlash and reaffirm its commitment to continued support for its RDNA 1 and RDNA 2-based drives, following a spate of confusion surrounding its recent decision to put Radeon RX 5000 and 6000 series cards in "maintenance mode." This comes after AMD had to deny that the RX 7900 cards were losing USB-C power supply moving forward, even though the drive changelog said something quite different.

Just last week, AMD released a new driver update for its graphics cards, and it went anything but smoothly. First, the wrong drivers were uploaded, and even after that was corrected, several glaring errors in the release notes required clarification. AMD was forced to correct claims about its RX 7900 cards, but at the time clarified that, indeed, RX 5000 and 6000 graphics cards were entering "Maintenance Mode," despite some RX 6000 cards being only around four years old. Now, though, AMD has either rolled back that decision or someone higher up the food chain has made a new call, as game optimizations are back on the menu for RDNA 1 and RDNA 2 GPUs. "We've heard your feedback and want to clear up the confusion around the AMD Software: Adrenalin Edition 25.10.2 driver release," AMD said in a statement. "Your Radeon RX 5000 and RX 6000 series GPUs will continue to receive: Game support for new releases, Stability and game optimizations, and Security and bug fixes," AMD said.

Captchas have largely vanished from the web in 2025, replaced by invisible tracking systems that analyze user behavior rather than asking people to decipher distorted text or identify traffic lights in image grids. Google launched reCaptcha v3 in 2018 to generate risk scores based on behavioral signals during site interactions, making bot-blocking technology "completely invisible" for most users, according to Tim Knudsen, a director of product management at Google Cloud.

Cloudflare followed in 2022 by releasing Turnstile, another invisible alternative that sometimes appears as a simple checkbox but actually gathers data from devices and software to determine if users are human. Both companies distribute their security tools for free to collect training data, and Cloudflare now sees 20% of all HTTP requests across the internet.

The rare challenges that do surface have become increasingly bizarre, ranging from requests to identify dogs and ducks wearing various hats to sliding a jockstrap across a screen to find matching underwear on hookup sites.

An anonymous reader shares a report: Chinese President Xi Jinping joked about security backdoors while presenting a pair of Xiaomi smartphones to his South Korean counterpart, a rare moment of spontaneous levity captured during a week of tense trade negotiations with Donald Trump.

Xi, in South Korea to meet Trump on the sidelines of the Asia-Pacific Economic Cooperation summit, presented the pair of devices to Korean President Lee Jae Myung. In a video circulated on social media, Lee asked: "Is the line secure?" Xi chuckled, pointed at the gadgets and replied through an interpreter: "You can check if there's a backdoor." The two leaders burst into laughter.

The exchange was striking because the issue of security and alleged espionage is a sensitive one and a major thorn in US-Chinese relations. American lawmakers have raised the possibility that tech companies such as Huawei build backdoors -- ways to gain access to sensitive data -- into their equipment or services, something the firms have repeatedly denied.

"An engineer got curious about how his iLife A11 smart vacuum worked and monitored the network traffic coming from the device," writes Tom's Hardware.

"That's when he noticed it was constantly sending logs and telemetry data to the manufacturer — something he hadn't consented to." The user, Harishankar, decided to block the telemetry servers' IP addresses on his network, while keeping the firmware and OTA servers open. While his smart gadget worked for a while, it just refused to turn on soon after... He sent it to the service center multiple times, wherein the technicians would turn it on and see nothing wrong with the vacuum. When they returned it to him, it would work for a few days and then fail to boot again... [H]e decided to disassemble the thing to determine what killed it and to see if he could get it working again...

[He discovered] a GD32F103 microcontroller to manage its plethora of sensors, including Lidar, gyroscopes, and encoders. He created PCB connectors and wrote Python scripts to control them with a computer, presumably to test each piece individually and identify what went wrong. From there, he built a Raspberry Pi joystick to manually drive the vacuum, proving that there was nothing wrong with the hardware. From this, he looked at its software and operating system, and that's where he discovered the dark truth: his smart vacuum was a security nightmare and a black hole for his personal data.

First of all, it's Android Debug Bridge, which gives him full root access to the vacuum, wasn't protected by any kind of password or encryption. The manufacturer added a makeshift security protocol by omitting a crucial file, which caused it to disconnect soon after booting, but Harishankar easily bypassed it. He then discovered that it used Google Cartographer to build a live 3D map of his home. This isn't unusual, by far. After all, it's a smart vacuum, and it needs that data to navigate around his home. However, the concerning thing is that it was sending off all this data to the manufacturer's server. It makes sense for the device to send this data to the manufacturer, as its onboard SoC is nowhere near powerful enough to process all that data. However, it seems that iLife did not clear this with its customers.

Furthermore, the engineer made one disturbing discovery — deep in the logs of his non-functioning smart vacuum, he found a command with a timestamp that matched exactly the time the gadget stopped working. This was clearly a kill command, and after he reversed it and rebooted the appliance, it roared back to life.
Thanks to long-time Slashdot reader registrations_suck for sharing the article.

"Ubuntu's decision to switch to Rust-based coreutils in 25.10 hasn't been the smoothest ride," writes the blog OMG Ubuntu, "as the latest — albeit now resolved — bug underscores." [Coreutils] are used by a number of processes, apps and scripts, including Ubuntu's own unattended-upgrades process, which automatically checks for new software updates. Alas, the Rust-based version of date had a bug which meant Ubuntu 25.10 desktops, servers, cloud and container images were not able to automatically check for updates when configured. Unattended-upgrades hooks into the date utility to check the timestamp of a reference file of when an update check was last run and, past a certain date, checks again. But date was incorrectly showing the current date, always.

A fix has been issued so only Ubuntu 25.10 installs withrust-coreutils 0.2.2-0ubuntu2 (or earlier) are affected.

"AI isn't just a tool anymore; it's an integral part of the development experience," argues GitHub's blog. So "Agents shouldn't be bolted on. They should work the way you already work..."

So this week GitHub announced "Agent HQ," which CNBC describes as a "mission control" interface "that will allow software developers to manage coding agents from multiple vendors on a single platform." Developers have a range of new capabilities at their fingertips because of these agents, but it can require a lot of effort to keep track of them all individually, said GitHub COO Kyle Daigle. Developers will now be able to manage agents from GitHub, OpenAI, Google, Anthropic, xAI and Cognition in one place with Agent HQ. "We want to bring a little bit of order to the chaos of innovation," Daigle told CNBC in an interview. "With so many different agents, there's so many different ways of kicking off these asynchronous tasks, and so our big opportunity here is to bring this all together." Agent HQ users will be able to access a command center where they can assign, steer and monitor the work of multiple agents...

The third-party agents will begin rolling out to GitHub Copilot subscribers in the coming months, but Copilot Pro+ users will be able to access OpenAI Codex in VS Code Insiders this week, the company said.
"We're into this wave two era," GitHub's COO Mario Rodriguez told VentureBeat, an era that's "going to be multimodal, it's going to be agentic and it's going to have these new experiences that will feel AI native...."

Or, as VentureBeat sees it, GitHub "is positioning itself as the essential orchestration layer beneath them all..." Just as the company transformed Git, pull requests and CI/CD into collaborative workflows, it's now trying to do the same with a fragmented AI coding landscape...

The technical architecture addresses a critical enterprise concern: Security. Unlike standalone agent implementations where users must grant broad repository access, GitHub's Agent HQ implements granular controls at the platform level... Agents operating through Agent HQ can only commit to designated branches. They run within sandboxed GitHub Actions environments with firewall protections. They operate under strict identity controls. [GitHub COO] Rodriguez explained that even if an agent goes rogue, the firewall prevents it from accessing external networks or exfiltrating data unless those protections are explicitly disabled.

Beyond managing third-party agents, GitHub is introducing two technical capabilities that set Agent HQ apart from alternative approaches like Cursor's standalone editor or Anthropic's Claude integration. Custom agents via AGENTS.md files: Enterprises can now create source-controlled configuration files that define specific rules, tools and guardrails for how Copilot behaves. For example, a company could specify "prefer this logger" or "use table-driven tests for all handlers." This permanently encodes organizational standards without requiring developers to re-prompt every time... Native Model Context Protocol (MCP) support: VS Code now includes a GitHub MCP Registry. Developers can discover, install and enable MCP servers with a single click. They can then create custom agents that combine these tools with specific system prompts. This positions GitHub as the integration point between the emerging MCP ecosystem and actual developer workflows. MCP, introduced by Anthropic but rapidly gaining industry support, is becoming a de facto standard for agent-to-tool communication. By supporting the full specification, GitHub can orchestrate agents that need access to external services without each agent implementing its own integration logic.

GitHub is also shipping new capabilities within VS Code itself. Plan Mode allows developers to collaborate with Copilot on building step-by-step project approaches. The AI asks clarifying questions before any code is written. Once approved, the plan can be executed either locally in VS Code or by cloud-based agents. The feature addresses a common failure mode in AI coding: Beginning implementation before requirements are fully understood. By forcing an explicit planning phase, GitHub aims to reduce wasted effort and improve output quality.

More significantly, GitHub's code review feature is becoming agentic. The new implementation will use GitHub's CodeQL engine, which previously largely focused on security vulnerabilities to identify bugs and maintainability issues. The code review agent will automatically scan agent-generated pull requests before human review. This creates a two-stage quality gate.
"Don't let this little bit of news float past you like all those self-satisfied marketing pitches we semi-hear and ignore," writes ZDNet: If it works and remains reliable, this is actually a very big deal... Tech companies, especially the giant ones, often like to talk "open" but then do their level best to engineer lock-in to their solution and their solution alone. Sure, most of them offer some sort of export tool, but the barrier to moving from one tool to another is often huge... [T]he idea that you can continue to use your favorite agent or agents in GitHub, fully integrated into the GitHub tool path, is powerful. It means there's a chance developers might not have to suffer the walled garden effect that so many companies have strived for to lock in their customers.

"It's been hard for me to understand why Atlas exists," writes MIT Technology Review. " Who is this browser for, exactly? Who is its customer? And the answer I have come to there is that Atlas is for OpenAI. The real customer, the true end user of Atlas, is not the person browsing websites, it is the company collecting data about what and how that person is browsing."

New York Magazine's "Intelligencer" column argues OpenAI wants ChatGPT in your browser because "That's where people who use computers, particularly for work, spend all their time, and through which vast quantities of valuable information flow in and out. Also, if you're a company hoping to train your models to replicate a bunch of white-collar work, millions of browser sessions would be a pretty valuable source of data."

Unfortunately, warns Fast Company, ChatGPT Atlas, Perplexity Comet, and other AI browses "include some major security, privacy, and usability trade-offs... Most of the time, I don't want to use them and am wary of doing so..." Worst of all, these browsers are security minefields. A web page that looks benign to humans can includehidden instructions for AI agents, tricking them into stealing info from other sites... "If you're signed into sensitive accounts like your bank or your email provider in your browser, simply summarizing a Reddit postcould result in an attacker being able to steal money or your private data,"Brave's security researchers wrotelast week.No one has figured out how to solve this problem.

If you can look past the security nightmares, the actual browsing features are substandard. Neither ChatGPT Atlas nor Perplexity Comet support vertical tabs — a must-have feature for me — and they have no tab search tool or way to look up recently-closed pages. Atlas also doesn't support saving sites as web apps, selecting multiple tabs (for instance, to close all at once with Cmd+W), or customizing the appearance. Compared to all the fancy new AI features, the web browsing part can feel like an afterthought. Regular web search can also be a hassle, even though you'll probably need it sometimes. When I typed "Sichuan Chili" into ChatGPT Atlas, it produced a lengthy description of the Chinese peppers, not the nearby restaurant whose website and number I was looking for.... Meanwhile, the standard AI annoyances still apply in the browser. Getting Perplexity to fill my grocery cart felt like a triumph, but on other occasions the AI has run into inexplicable walls and only ended up wasting more time.

There may be other costs to using these browsers as well. AI still has usage limits, and so all this eventually becomes a ploy to bump more people into paid tiers. Beyond that,Atlas is constantly analyzing the pages you visit to build a "memory" of who you are and what you're into. Do not be surprised if this translates to deeply targeted ads as OpenAI startslooking at ways to monetize free users. For now, I'm only using AI browsers in small doses when I think they can solve a specific problem.

Even then, I'm not going sign them into my email, bank accounts, or any other accounts for which a security breach would be catastrophic. It's too bad, because email and calendars are areas where AI agents could be truly useful, but the security risks are too great (andwell-documented).
The article notes that in August Vivaldi announced that "We're taking a stand, choosing humans over hype" with their browser: We will not use an LLM to add a chatbot, a summarization solution or a suggestion engine to fill up forms for you, until more rigorous ways to do those things are available. Vivaldi is the haven for people who still want to explore. We will continue building a browser for curious minds, power users, researchers, and anyone who values autonomy. If AI contributes to that goal without stealing intellectual property, compromising privacy or the open web, we will use it. If it turns people into passive consumers, we will not...

We're fighting for a better web.

"We've spent the last year rebuilding major components of our system," Cloudflare announced this week, "and we've just slashed the latency of traffic passing through our network for millions of our customers," (There's a 10ms cut in the median time to respond, plus a 25% performance boost as measured by CDN performance tests.) They replaced a 15-year-old system named FL (where they run security and performance features), and "At the same time, we've made our system more secure, and we've reduced the time it takes for us to build and release new products."

And yes, Rust was involved: We write a lot of Rust, and we've gotten pretty good at it... We built FL2 in Rust, on Oxy [Cloudflare's Rust-based next generation proxy framework], and built a strict module framework to structure all the logic in FL2... Built in Rust, [Oxy] eliminates entire classes of bugs that plagued our Nginx/LuaJIT-based FL1, like memory safety issues and data races, while delivering C-level performance. At Cloudflare's scale, those guarantees aren't nice-to-haves, they're essential. Every microsecond saved per request translates into tangible improvements in user experience, and every crash or edge case avoided keeps the Internet running smoothly. Rust's strict compile-time guarantees also pair perfectly with FL2's modular architecture, where we enforce clear contracts between product modules and their inputs and outputs...

It's a big enough distraction from shipping products to customers to rebuild product logic in Rust. Asking all our teams to maintain two versions of their product logic, and reimplement every change a second time until we finished our migration was too much. So, we implemented a layer in our old NGINX and OpenResty based FL which allowed the new modules to be run. Instead of maintaining a parallel implementation, teams could implement their logic in Rust, and replace their old Lua logic with that, without waiting for the full replacement of the old system.
Over 100 engineers worked on FL2 — and there was extensive testing, plus a fallback-to-FL1 procedure. But "We started running customer traffic through FL2 early in 2025, and have been progressively increasing the amount of traffic served throughout the year...." As we described at the start of this post, FL2 is substantially faster than FL1. The biggest reason for this is simply that FL2 performs less work [thanks to filters controlling whether modules need to run]... Another huge reason for better performance is that FL2 is a single codebase, implemented in a performance focussed language. In comparison, FL1 was based on NGINX (which is written in C), combined with LuaJIT (Lua, and C interface layers), and also contained plenty of Rust modules. In FL1, we spent a lot of time and memory converting data from the representation needed by one language, to the representation needed by another. As a result, our internal measures show that FL2 uses less than half the CPU of FL1, and much less than half the memory. That's a huge bonus — we can spend the CPU on delivering more and more features for our customers!

Using our own tools and independent benchmarks like CDNPerf, we measured the impact of FL2 as we rolled it out across the network. The results are clear: websites are responding 10 ms faster at the median, a 25% performance boost. FL2 is also more secure by design than FL1. No software system is perfect, but the Rust language brings us huge benefits over LuaJIT. Rust has strong compile-time memory checks and a type system that avoids large classes of errors. Combine that with our rigid module system, and we can make most changes with high confidence...

We have long followed a policy that any unexplained crash of our systems needs to be investigated as a high priority. We won't be relaxing that policy, though the main cause of novel crashes in FL2 so far has been due to hardware failure. The massively reduced rates of such crashes will give us time to do a good job of such investigations. We're spending the rest of 2025 completing the migration from FL1 to FL2, and will turn off FL1 in early 2026. We're already seeing the benefits in terms of customer performance and speed of development, and we're looking forward to giving these to all our customers.

After that, when everything is modular, in Rust and tested and scaled, we can really start to optimize...!
Thanks to long-time Slashdot reader Beeftopia for sharing the article.

Slashdot reader BrianFagioli writes: Password manager 1Password's 2025 Annual Report: The Access-Trust Gap exposes how everyday employees are becoming accidental hackers in the AI era. The company's data shows that 73% of workers are encouraged to use AI tools, yet more than a third admit they do not always follow corporate policies. Many employees are feeding sensitive information into large language models or using unapproved AI apps to get work done, creating what 1Password calls "Shadow AI." At the same time, traditional defenses like single sign-on (SSO) and mobile device management (MDM) are failing to keep pace, leaving gaps in visibility and control.

The report warns that corporate security is being undermined from within. More than half of employees have installed software without IT approval, two-thirds still use weak passwords, and 38% have accessed accounts at previous employers. Despite rising enthusiasm for passkeys and passwordless authentication, 1Password says most organizations still depend on outdated systems that were never built for cloud-native, AI-driven work. The result is a growing "Access-Trust Gap" that could allow AI chaos and employee shortcuts to dismantle enterprise security from the inside.