The UK government has been warned that its plan to ban operators of critical national infrastructure from paying ransoms to hackers is unlikely to stop cyber attacks and could result in essential services collapsing. From a report: The proposal, announced by the Home Office in July, is designed to deter cyber criminals by making it clear any attempt to blackmail regulated companies such as hospitals, airports and telecoms groups will not succeed. If enacted, the UK would be the first country to implement such a ban.

But companies and cyber groups have told government officials that making paying ransoms illegal would remove a valuable tool in negotiations where highly sensitive data or essential services could be compromised, according to two people familiar with the matter. "An outright ban on payments sounds tough on crime, but in reality it could turn a solvable crisis into a catastrophic one," said Greg Palmer, a partner at law firm Linklaters.

"Three Chinese astronauts returned from their nation's space station Friday," reports the Associated Press, "after more than a week's delay because the return capsule they had planned to use was damaged, likely from being hit by space debris." The team left their Shenzhou-20 spacecraft in orbit and came back using the recently arrived Shenzhou-21, which had ferried a three-person replacement crew to the station, China's Manned Space Agency said. The original return plan was scrapped because a window in the Shenzhou-20 capsule had tiny cracks, most likely caused by impact from space debris, the space agency said Friday... Their return was delayed for nine days, and their 204-day stay in space was the longest for any astronaut at China's space station...

China developed the Tiangong space station after the country was excluded from the International Space Station over U.S. national security concerns. China's space program is controlled by its military.

Android's security team published a blog post this week about their experience using Rust. Its title? "Move fast and fix things." Last year, we wrote about why a memory safety strategy that focuses on vulnerability prevention in new code quickly yields durable and compounding gains. This year we look at how this approach isn't just fixing things, but helping us move faster.

The 2025 data continues to validate the approach, with memory safety vulnerabilities falling below 20% of total vulnerabilities for the first time. We adopted Rust for its security and are seeing a 1000x reduction in memory safety vulnerability density compared to Android's C and C++ code. But the biggest surprise was Rust's impact on software delivery. With Rust changes having a 4x lower rollback rate and spending 25% less time in code review, the safer path is now also the faster one... Data shows that Rust code requires fewer revisions. This trend has been consistent since 2023. Rust changes of a similar size need about 20% fewer revisions than their C++ counterparts... In a self-reported survey from 2022, Google software engineers reported that Rust is both easier to review and more likely to be correct. The hard data on rollback rates and review times validates those impressions.

Historically, security improvements often came at a cost. More security meant more process, slower performance, or delayed features, forcing trade-offs between security and other product goals. The shift to Rust is different: we are significantly improving security and key development efficiency and product stability metrics.

With Rust support now mature for building Android system services and libraries, we are focused on bringing its security and productivity advantages elsewhere. Android's 6.12 Linux kernel is our first kernel with Rust support enabled and our first production Rust driver. More exciting projects are underway, such as our ongoing collaboration with Arm and Collabora on a Rust-based kernel-mode GPU driver. [They've also been deploying Rust in firmware for years, and Rust "is ensuring memory safety from the ground up in several security-critical Google applications," including Chromium's parsers for PNG, JSON, and web fonts.]
2025 was the first year more lines of Rust code were added to Android than lines of C++ code...

An anonymous reader shared this report from the Guardian: The number of deaths linked to superbugs that do not respond to frontline antibiotics increased by 17% in England last year, according to official figures that raise concerns about the ongoing increase in antimicrobial resistance.

The figures, released by the UK Health Security Agency, also revealed a large rise in private prescriptions for antibiotics, with 22% dispensed through the private sector in 2024. The increase in private prescribing is partly explained by the Pharmacy First scheme, a flagship policy of Rishi Sunak's government that allows patients to be prescribed antibiotics for common illnesses without seeing a GP, raising questions about whether the shift in prescribing patterns risks contributing to the rise in resistance.

"Antibiotic resistance is one of the greatest health threats we face," said the UKHSA's chief executive, Prof Susan Hopkins. "More people than ever are acquiring infections that cannot be effectively treated by antibiotics. This puts them at greater risk of serious illness and even death, with our poorest communities hit the hardest... It's positive that we've seen antibiotic use fall in England within the NHS but we need to go further, faster," said Hopkins.

"Please remember to only take antibiotics if you have been told to do so by a healthcare professional. Do not save some for later or share them with friends and family. If you have leftover antibiotics, please bring them to a pharmacy for appropriate disposal."

An anonymous reader shared this report from The Register: Yet another supply chain attack has hit the npm registry in what Amazon describes as "one of the largest package flooding incidents in open source registry history" — but with a twist. Instead of injecting credential-stealing code or ransomware into the packages, this one is a token farming campaign.

Amazon Inspector security researchers, using a new detection rule and AI assistance, originally spotted the suspicious npm packages in late October, and, by November 7, the team had flagged thousands. By November 12, they had uncovered more than 150,000 malicious packages across "multiple" developer accounts. These were all linked to a coordinated tea.xyz token farming campaign, we're told. This is a decentralized protocol designed to reward open-source developers for their contributions using the TEA token, a utility asset used within the tea ecosystem for incentives, staking, and governance.

Unlike the spate of package poisoning incidents over recent months, this one didn't inject traditional malware into the open source code. Instead, the miscreants created a self-replicating attack, infecting the packages with code to automatically generate and publish, thus earning cryptocurrency rewards on the backs of legitimate open source developers. The code also included tea.yaml files that linked these packages to attacker-controlled blockchain wallet addresses.
At the moment, Tea tokens have no value, points out CSO Online. "But it is suspected that the threat actors are positioning themselves to receive real cryptocurrency tokens when the Tea Protocol launches its Mainnet, where Tea tokens will have actual monetary value and can be traded..." In an interview on Friday, an executive at software supply chain management provider Sonatype, which wrote about the campaign in April 2024, told CSO that number has now grown to 153,000. "It's unfortunate that the worm isn't under control yet," said Sonatype CTO Brian Fox. And while this payload merely steals tokens, other threat actors are paying attention, he predicted. "I'm sure somebody out there in the world is looking at this massively replicating worm and wondering if they can ride that, not just to get the Tea tokens but to put some actual malware in there, because if it's replicating that fast, why wouldn't you?"

When Sonatype wrote about the campaign just over a year ago, it found a mere 15,000 packages that appeared to come from a single person. With the swollen numbers reported this week, Amazon researchers wrote that it's "one of the largest package flooding incidents in open source registry history, and represents a defining moment in supply chain security...." For now, says Sonatype's Fox, the scheme wastes the time of npm administrators, who are trying to expel over 100,000 packages. But Fox and Amazon point out the scheme could inspire others to take advantage of other reward-based systems for financial gain, or to deliver malware.
After deplooying a new detection rule "paired with AI", Amazon's security researchers' write, "within days, the system began flagging packages linked to the tea.xyz protocol... By November 7, the researchers flagged thousands of packages and began investigating what appeared to be a coordinated campaign. The next day, after validating the evaluation results and analyzing the patterns, they reached out to OpenSSF to share their findings and coordinate a response.
Their blog post thanks the Open Source Security Foundation (OpenSSF) for rapid collaboration, while calling the incident "a defining moment in supply chain security..."

Slashdot reader spatwei writes: It is now more common for data to leave companies through copying and pasting than through file transfers and uploads, LayerX revealed in its Browser Security Report 2025.

This shift is largely due to generative AI (genAI), with 77% of employees pasting data into AI prompts, and 32% of all copy-pastes from corporate accounts to non-corporate accounts occurring within genAI tools.

'Traditional governance built for email, file-sharing, and sanctioned SaaS didn't anticipate that copy/paste into a browser prompt would become the dominant leak vector,' LayerX CEO Or Eshed wrote in a blog post summarizing the report.
"GenAI now accounts for 11% of enterprise application usage," notes this article from SC World, "with adoption rising faster than many data loss protection (DLP) controls can keep up. Overall, 45% of employees actively use AI tools, with 67% of these tools being accessed via personal accounts and ChatGPT making up 92% of all use..."

"With the rise of AI-driven browsers such as OpenAI's Atlas and Perplexity's Comet, governance of AI tools' access to corporate data becomes even more urgent, the LayerX report notes."

A new "cold war" between America and China is "pushing leaders to sideline concerns about the dangers of powerful AI models," reports the Wall Street Journal, "including the spread of disinformation and other harmful content, and the development of superintelligent AI systems misaligned with human values..."

"Both countries are driven as much by fear as by hope of progress. " In Washington and Silicon Valley, warnings abound that China's "authoritarian AI," left unchecked, will erode American tech supremacy. Beijing is gripped by the conviction that a failure to keep pace in AI will make it easier for the U.S. to cut short China's resurgence as a global power. Both countries believe market share for their companies across the world is up for grabs — and with it, the potential to influence large swaths of the global population.

The U.S. still has a clear lead, producing the most powerful AI models. China can't match it in advanced chips and has no answer for the financial firepower of private American investors, who funded AI startups to the tune of $104 billion in the first half of 2025, and are gearing up for more. But it has a massive population of capable engineers, lower costs and a state-led development model that often moves faster than the U.S., all of which Beijing is working to harness to tip the contest in its direction. A new "whole of society" campaign looks to accelerate the construction of computing clusters in areas like Inner Mongolia, where vast solar and wind farms provide plentiful cheap energy, and connect hundreds of data centers to create a shared compute pool — some describe it as a "national cloud" — by 2028. China is also funneling hundreds of billions of dollars into its power grid to support AI training and adoption...

"Our lead is probably in the 'months but not years' realm," said Chris McGuire, who helped design U.S. export controls on AI chips while serving on the National Security Council under the Biden administration. Chinese AI models currently rank at or near the top in every task from coding to video generation, with the exception of search, according to Chatbot Arena, a popular crowdsourced ranking platform. China's manufacturing sector, meanwhile, is rocketing past the U.S. in bringing AI into the physical world through robotaxis, autonomous drones and humanoid robots. Given China's progress, McGuire said, the U.S. is "very lucky" to have its advantage in chips...

If AI surpasses human intelligence and acquires the ability to improve itself, it could confer unshakable scientific, economic and military superiority on the country that controls it. Short of that, AI's ability to automate tedious tasks and process vast amounts of data quickly promises to supercharge everything from cancer diagnoses to missile defense. With so much at stake, hacking and cyber espionage are likely to get worse, as AI gives hackers more powerful tools, while increasing incentives for state-backed groups to try to steal AI-related intellectual property. As distrust grows, Washington and Beijing will also find it hard, if not impossible, to cooperate in areas like preventing extremist groups from using AI in destructive ways, such as building bioweapons. "The costs of the AI Cold War are already high and will go much higher," said Paul Triolo, a former U.S. government analyst and current technology policy lead at business consulting firm DGA-Albright Stonebridge Group. "A U.S.-China AI arms race becomes a self-fulfilling prophecy, with neither side able to trust that the other would observe any restrictions on advanced AI capability development...."
The article includes an interesting observation from Helen Toner, director of strategy for Georgetown's Center for Security and Emerging Technology and a former OpenAI board member. Toner points out "We don't actually know" if boosting computing power with better chips will continue producing more-powerful AI models.

So "If performance plateaus," the Journal writes, "despite all the spending by OpenAI and others — a growing concern in Silicon Valley — China has a chance to compete."

BrianFagioli writes: Logitech has confirmed a cybersecurity breach after an intruder exploited a zero-day in a third-party software platform and copied internal data. The company says the incident did not affect its products, manufacturing or business operations, and it does not believe sensitive personal information like national ID numbers or credit card data were stored in the impacted system. The attacker still managed to pull limited information tied to employees, consumers, customers and suppliers, raising fair questions about how long the zero-day existed before being patched.

Logitech brought in outside cybersecurity firms, notified regulators and says the incident will not materially affect its financial results. The company expects its cybersecurity insurance policy to cover investigation costs and any potential legal or regulatory issues. Still, with zero-day attacks increasing across the tech world, even established hardware brands are being forced to acknowledge uncomfortable weaknesses in their internal systems.

According to Car and Driver, Hyundai has suffered a data breach that leaked the personal data of up to 2.7 million customers. The leak reportedly took place in February from Hyundai AutoEver, the company's IT affiliate. It includes customer names, driver's license numbers, and social security numbers. Longtime Slashdot reader sinij writes: Thanks to tracking modules plaguing most modern cars, that data likely includes the times and locations of customers' vehicles. These repeated breaches make it clear that, unlike smartphone manufacturers that are inherently tech companies, car manufacturers collecting your data are going to keep getting breached and leaking it.

German Chancellor Friedrich Merz said Chinese suppliers such as Huawei will be excluded from the country's future telecommunication networks on security grounds as he pushes for more digital sovereignty. From a report: "We have decided within the government that everywhere it's possible we'll replace components, for example in the 5G network, with components we have produced ourselves," Merz told a business conference in Berlin on Thursday. "And we won't allow any components from China in the 6G network."

Europe is increasingly concerned about its reliance on foreign technology, ranging from Asian semiconductors to US artificial intelligence and cloud infrastructure, as trade and geopolitical tensions threaten critical supply chains. Germany last year ordered telecom operators to remove Huawei equipment from their core networks, citing risks to national security. Berlin is now considering using public funds to pay Deutsche Telekom AG and others to strip out Chinese gear, Bloomberg News reported last month.

China's state-sponsored hackers used AI technology from Anthropic to automate break-ins of major corporations and foreign governments during a September hacking campaign, the company said Thursday. From a report: The effort focused on dozens of targets and involved a level of automation that Anthropic's cybersecurity investigators had not previously seen, according to Jacob Klein, the company's head of threat intelligence.

Hackers have been using AI for years now to conduct individual tasks such as crafting phishing emails or scanning the internet for vulnerable systems, but in this instance 80% to 90% of the attack was automated, with humans only intervening in a handful of decision points, Klein said.

The hackers conducted their attacks "literally with the click of a button, and then with minimal human interaction," Klein said. Anthropic disrupted the campaigns and blocked the hackers' accounts, but not before as many as four intrusions were successful. In one case, the hackers directed Anthropic's Claude AI tools to query internal databases and extract data independently.

Google says it will build a new "advanced flow" to allow experienced users to install Android apps from unverified developers, easing up on restrictions it proposed in late August. The company said earlier that Android would block such installations starting next year. The new flow will include clear warnings about security risks but will give users final control over the decision.

Google said it is designing the system to resist coercion and prevent users from being tricked into bypassing safety checks. The company is currently gathering early feedback on the feature's design. Google also announced that developers who distribute apps exclusively outside the Play Store can now join an early access program for developer verification.

Iceland has formally classified the potential collapse of a major Atlantic Ocean current system a national security threat, warning that a disruption could trigger a modern-day ice age in Northern Europe and destabilize global weather systems. The move elevates the risk across government and enables it to strategize for worst-case scenarios. Reuters reports: The Atlantic Meridional Overturning Circulation, or AMOC, current brings warm water from the tropics northward toward the Arctic, and the flow of warm water helps keep Europe's winters mild. But as warming temperatures speed the thaw of Arctic ice and cause meltwater from Greenland's ice sheet to pour into the ocean, scientists warn the cold freshwater could disrupt the current's flow.

A potential collapse of AMOC could trigger a modern-day ice age, with winter temperatures across Northern Europe plummeting to new cold extremes, bringing far more snow and ice. The AMOC has collapsed in the past - notably before the last Ice Age that ended about 12,000 years ago. "It is a direct threat to our national resilience and security," Iceland Climate Minister Johann Pall Johannsson said by email. "(This) is the first time a specific climate-related phenomenon has been formally brought before the National Security Council as a potential existential threat."

Elevation of the issue means Iceland's ministries will be on alert and coordinating a response, Johannsson said. The government is assessing what further research and policies are needed, with work underway on a disaster preparedness policy. Risks being evaluated span a range of areas, from energy and food security to infrastructure and international transportation. "Sea ice could affect marine transport; extreme weather could severely affect our capabilities to maintain any agriculture and fisheries, which are central to our economy and food systems," Johannsson said. "We cannot afford to wait for definitive, long-term research before acting."

Amazon is rolling out a tougher approach to combat illegal streaming, with the United States-based tech company aiming to block apps loaded onto all its Fire TV Stick devices that are identified as providing pirated content. From a report: Exclusive data provided to The Athletic from researchers YouGov Sport highlighted that approximately 4.7 million UK adults watched illegal streams in the UK over the past six months, with 31% using Fire Stick (this has become a catch-all term for plug-in devices, even if not made by Amazon) and other IPTV (Internet Protocol Television) devices. It is now the second-most popular method behind websites (42%).

Amazon launched a new Fire TV Stick last month -- the 4K Select, which is plugged into a TV to facilitate streaming via the internet -- that it insists will be less of a breeding ground for piracy. It comprises enhanced security measures -- via a new Vega operating system -- and only apps available in Amazon's app store will be available for customers to download. Amazon insists the clampdown will apply to the new and old devices, but registered developers will still be able to use Fire Sticks for legitimate purposes.

Google has unveiled Private AI Compute, a cloud platform designed to deliver advanced AI capabilities while preserving user privacy. As The Verge notes, the feature is "virtually identical to Apple's Private Cloud Compute." From the report: Many Google products run AI features like translation, audio summaries, and chatbot assistants, on-device, meaning data doesn't leave your phone, Chromebook, or whatever it is you're using. This isn't sustainable, Google says, as advancing AI tools need more reasoning and computational power than devices can supply. The compromise is to ship more difficult AI requests to a cloud platform, called Private AI Compute, which it describes as a "secure, fortified space" offering the same degree of security you'd expect from on-device processing. Sensitive data is available "only to you and no one else, not even Google."

An anonymous reader quotes a report from Ars Technica: ClickFix often starts with an email sent from a hotel that the target has a pending registration with and references the correct registration information. In other cases, ClickFix attacks begin with a WhatsApp message. In still other cases, the user receives the URL at the top of Google results for a search query. Once the mark accesses the malicious site referenced, it presents a CAPTCHA challenge or other pretext requiring user confirmation. The user receives an instruction to copy a string of text, open a terminal window, paste it in, and press Enter. Once entered, the string of text causes the PC or Mac to surreptitiously visit a scammer-controlled server and download malware. Then, the machine automatically installs it -- all with no indication to the target. With that, users are infected, usually with credential-stealing malware. Security firms say ClickFix campaigns have run rampant. The lack of awareness of the technique, combined with the links also coming from known addresses or in search results, and the ability to bypass some endpoint protections are all factors driving the growth.

The commands, which are often base-64 encoded to make them unreadable to humans, are often copied inside the browser sandbox, a part of most browsers that accesses the Internet in an isolated environment designed to protect devices from malware or harmful scripts. Many security tools are unable to observe and flag these actions as potentially malicious. The attacks can also be effective given the lack of awareness. Many people have learned over the years to be suspicious of links in emails or messengers. In many users' minds, the precaution doesn't extend to sites that instruct them to copy a piece of text and paste it into an unfamiliar window. When the instructions come in emails from a known hotel or at the top of Google results, targets can be further caught off guard. With many families gathering in the coming weeks for various holiday dinners, ClickFix scams are worth mentioning to those family members who ask for security advice. Microsoft Defender and other endpoint protection programs offer some defenses against these attacks, but they can, in some cases, be bypassed. That means that, for now, awareness is the best countermeasure. Researchers from CrowdStrike described in a report a campaign designed to infect Macs with a Mach-O executive. "Promoting false malicious websites encourages more site traffic, which will lead to more potential victims," wrote the researchers. "The one-line installation command enables eCrime actors to directly install the Mach-O executable onto the victim's machine while bypassing Gatekeeper checks."

Push Security, meanwhile, reported a ClickFix campaign that uses a device-adaptive page that serves different malicious payloads depending on whether the visitor is on Windows or macOS.

FFmpeg, the open source multimedia framework that powers video processing in Google Chrome, Firefox, YouTube and other major platforms, has called on Google to either fund the project or stop burdening its volunteer maintainers with security vulnerabilities found by the company's AI tools. The maintainers patched a bug that Google's AI agent discovered in code for decoding a 1995 video game but described the finding as "CVE slop."

The confrontation centered on a Google Project Zero policy announced in July that publicly discloses reported vulnerabilities within a week and starts a ninety-day countdown to full disclosure regardless of patch availability. FFmpeg, written primarily in assembly language, handles format conversion and streaming for VLC, Kodi and Plex but operates without adequate funding from the corporations that depend on it. Nick Wellnhofer resigned as maintainer of libxml2, a library used in all major web browsers, because of the unsustainable workload of addressing security reports without compensation and said he would stop maintaining the project in December.

BrianFagioli writes: Mozilla has released Firefox 145.0, and the standout change in this version is the official end of support for 32-bit Linux systems. Users on 32-bit distributions will no longer receive updates and are being encouraged to switch to the 64-bit build to continue getting security patches and new features. While most major Linux distributions have already moved past 32-bit support, this shift will still impact older hardware users and lightweight community projects that have held on to 32-bit for the sake of performance or preservation.

The rest of the update introduces features such as built-in PDF comments, improved fingerprinting resistance for private browsing, tab group previews, password management in the sidebar, and minor UI refinements. Firefox also now compresses local translation models with Zstandard to reduce storage needs. But the end of 32-bit Linux support is the change that will leave the biggest mark, signaling another step toward a web ecosystem firmly centered on 64-bit computing.

The UK and China today signed a new bilateral agreement on scientific collaboration [non-paywalled source], narrowing the scope of their partnership to exclude sensitive technologies. Lord Patrick Vallance, Britain's science and technology minister, met his Chinese counterpart Chen Jiachang in Beijing and agreed to focus cooperation on health, climate, planetary sciences, and agriculture.

The previous agreement from 2017 had included satellites, remote sensing technology and robotics. Those fields are absent from the new accord. The countries announced no new funding for joint research. Vallance said the UK had "deliberately gone for areas which we think are not carrying such a security risk."

Slashdot reader alternative_right shares an exclusive BBC interview with Vyacheslav "Tank" Penchukov, once a top-tier cyber-crime boss behind Jabber Zeus, IcedID, and major ransomware campaigns. His story traces the evolution of modern cybercrime from early bank-theft malware to today's lucrative ransomware ecosystem, marked by shifting alliances, Russian security-service ties, and the paranoia that ultimately consumes career hackers. Here's an excerpt from the report: In the late 2000s, he and the infamous Jabber Zeus crew used revolutionary cyber-crime tech to steal directly from the bank accounts of small businesses, local authorities and even charities. Victims saw their savings wiped out and balance sheets upended. In the UK alone, there were more than 600 victims, who lost more than $5.2 million in just three months. Between 2018 and 2022, Penchukov set his sights higher, joining the thriving ransomware ecosystem with gangs that targeted international corporations and even a hospital. [...]

Penchukov says he did not think about the victims, and he does not seem to do so much now, either. The only sign of remorse in our conversation was when he talked about a ransomware attack on a disabled children's charity. His only real regret seems to be that he became too trusting with his fellow hackers, which ultimately led to him and many other criminals being caught. "You can't make friends in cyber-crime, because the next day, your friends will be arrested and they will become an informant," he says. "Paranoia is a constant friend of hackers," he says. But success leads to mistakes. "If you do cyber-crime long enough you lose your edge," he says, wistfully.