An anonymous reader quotes a report from SecurityWeek: An October 2024 study by Software AG suggests that half of all employees are Shadow AI users, and most of them wouldn't stop even if it was banned. The problem is the ease of access to AI tools, and a work environment that increasingly advocates the use of AI to improve corporate efficiency. It is little wonder that employees seek their own AI tools to improve their personal efficiency and maximize the potential for promotion. It is frictionless, says Michael Marriott, VP of marketing at Harmonic Security. 'Using AI at work feels like second nature for many knowledge workers now. Whether it's summarizing meeting notes, drafting customer emails, exploring code, or creating content, employees are moving fast.' If the official tools aren't easy to access or if they feel too locked down, they'll use whatever's available which is often via an open tab on their browser.

There is almost also never any malicious intent (absent, perhaps, the mistaken employment of rogue North Korean IT workers); merely a desire to do and be better. If this involves using unsanctioned AI tools, employees will likely not disclose their actions. The reasons may be complex but combine elements of a reluctance to admit that their efficiency is AI assisted rather than natural, and knowledge that use of personal shadow AI might be discouraged. The result is that enterprises often have little knowledge of the extent of Shadow IT, nor the risks it may present. According to an analysis from Harmonic, ChatGPT is the dominant gen-AI model used by employees, with 45% of data prompts originating from personal accounts (such as Gmail). Image files accounted for 68.3%. The report also notes that 7% of empmloyees were using Chinese AI models like DeepSeek, Baidu Chat and Qwen.

"Overall, there has been a slight reduction in sensitive prompt frequency from Q4 2024 (down from 8.5% to 6.7% in Q1 2025)," reports SecurityWeek. "However, there has been a shift in the risk categories that are potentially exposed. Customer data (down from 45.8% to 27.8%), employee data (from 26.8% to 14.3%) and security (6.9% to 2.1%) have all reduced. Conversely, legal and financial data (up from 14.9% to 30.8%) and sensitive code (5.6% to 10.1%) have both increased. PII is a new category introduced in Q1 2025 and was tracked at 14.9%."

An AI support bot for the code editor Cursor invented a nonexistent subscription policy, triggering user cancellations and public backlash this week. When developer "BrokenToasterOven" complained about being logged out when switching between devices, the company's AI agent "Sam" falsely claimed this was intentional: "Cursor is designed to work with one device per subscription as a core security feature."

Users took the fabricated policy as official, with several announcing subscription cancellations on Reddit. "I literally just cancelled my sub," wrote the original poster, adding that their workplace was "purging it completely." Cursor representatives scrambled to correct the misinformation: "Hey! We have no such policy. You're of course free to use Cursor on multiple machines." Cofounder Michael Truell later apologized, explaining that a backend security change had unintentionally created login problems.

Nintendo's lawyers systematically dismantled Atari Games in a landmark 1989 legal battle that reshaped the gaming industry, killing off the Tengen brand until its surprise resurrection recently.

When Atari Games (operating as Tengen) attempted to circumvent Nintendo's control by reverse-engineering the NES security system, Nintendo's legal team discovered a fatal flaw in their rival's approach: Atari had fraudulently obtained Nintendo's proprietary code from the Copyright Office by falsely claiming they were defendants in a nonexistent lawsuit.

Though courts ultimately established that reverse engineering was legal under fair use principles, Atari's deception proved catastrophic. The judge invoked the centuries-old "unclean hands" doctrine, ruling that Atari could not claim fair use protection after approaching the court in bad faith.

"As a result of its lawyers' filthy hands, Atari was barred from manufacturing games for the NES. Nintendo, with its stronger legal team, subsequently 'bled Atari to death,'" writes tech industry attorney Julien Mailland. The court ordered the recall of Tengen's "Tetris" version, now a rare collector's item.

After a 30-year absence, Tengen Games returned in July 2024 with "Zed and Zee" for the NES, finally achieving what its predecessor was legally prohibited from doing.

OpenAI has released Codex CLI, an open-source coding agent that runs locally in users' terminal software. Announced alongside the company's new o3 and o4-mini models, Codex CLI directly connects OpenAI's AI systems with local code and computing tasks, enabling them to write and manipulate code on users' machines.

The lightweight tool allows developers to leverage multimodal reasoning capabilities by passing screenshots or sketches to the model while providing access to local code repositories. Unlike more ambitious future plans for an "agentic software engineer" that could potentially build entire applications from descriptions, Codex CLI focuses specifically on integrating AI models with command-line interfaces.

To accelerate adoption, OpenAI is distributing $1 million in API credits through a grant program, offering $25,000 blocks to selected projects. While the tool expands AI's role in programming workflows, it comes with inherent risks -- studies show AI coding models frequently fail to fix security vulnerabilities and sometimes introduce new bugs, particularly concerning when given system-level access.

CISA says the U.S. government has extended funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program. From a report: "The CVE Program is invaluable to cyber community and a priority of CISA," the U.S. cybersecurity agency told BleepingComputer. "Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience."

The announcement follows a warning from MITRE Vice President Yosry Barsoum that government funding for the CVE and CWE programs was set to expire today, April 16, potentially leading to widespread disruption across the cybersecurity industry. "If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure," Barsoum said.

4chan was reportedly hacked Monday night, with rival imageboard Soyjack Party claiming responsibility and sharing screenshots suggesting deep access to 4chan's databases and admin tools. Ars Technica reports: Security researcher Kevin Beaumont described the hack as "a pretty comprehensive own" that included "SQL databases, source, and shell access." 404Media reports that the site used an outdated version of PHP that could have been used to gain access, including the phpMyAdmin tool, a common attack vector that is frequently patched for security vulnerabilities. Ars staffers pointed to the presence of long-deprecated and removed functions like mysql_real_escape_string in the screenshots as possible signs of an old, unpatched PHP version. In other words, there's a possibility that the hackers have gained pretty deep access to all of 4chan's data, including site source code and user data.

China's outing of alleged US National Security Agency hackers marks a major escalation in the ongoing tit-for-tat between Chinese and American intelligence agencies, according to analysts. From a report: Chinese authorities Tuesday said three NSA employees hacked the Asian Winter Games held this year in Harbin, accusing them of targeting systems that held vast amounts of personal information on people involved in the event. The hacks "severely endangered the security of China's critical information infrastructure, national defense, finance, society, production, as well as citizens' personal information," Chinese foreign ministry spokesman Lin Jian told reporters.

While the US has repeatedly published names of alleged Chinese hackers and filed criminal charges against them, China has historically refrained from making similar accusations against American spies. Rafe Pilling, director of threat intelligence at the cyber firm Sophos' Secureworks unit, said the development may signal a broader policy change from Chinese security agencies, with allegations of US cyberattacks becoming more specific and timely. "This is an escalation in China's experimentation with 'name and shame' policies for the alleged perpetrators of cyberattacks, mirroring US pursuit of a similar policy for a number of years now," said Pilling.

An anonymous reader quotes a report from TechCrunch: Car rental giant Hertz has begun notifying its customers of a data breach that included their personal information and driver's licenses. The rental company, which also owns the Dollar and Thrifty brands, said in notices on its website that the breach relates to a cyberattack on one of its vendors between October 2024 and December 2024. The stolen data varies by region, but largely includes Hertz customer names, dates of birth, contact information, driver's licenses, payment card information, and workers' compensation claims. Hertz said a smaller number of customers had their Social Security numbers taken in the breach, along with other government-issued identification numbers.

Notices on Hertz's websites disclosed the breach to customers in Australia, Canada, the European Union, New Zealand, and the United Kingdom. Hertz also disclosed the breach with several U.S. states, including California and Maine. Hertz said at least 3,400 customers in Maine were affected but did not list the total number of affected individuals, which is likely to be significantly higher. Emily Spencer, a spokesperson for Hertz, would not provide TechCrunch with a specific number of individuals affected by the breach but said it would be "inaccurate to say millions" of customers are affected. The company attributed the breach to a vendor, software maker Cleo, which last year was at the center of a mass-hacking campaign by a prolific Russia-linked ransomware gang.

The European Commission is issuing burner phones and basic laptops to some US-bound staff to avoid the risk of espionage [non-paywalled source], a measure traditionally reserved for trips to China. Financial Times: Commissioners and senior officials travelling to the IMF and World Bank spring meetings next week have been given the new guidance, according to four people familiar with the situation. They said the measures replicate those used on trips to Ukraine and China, where standard IT kit cannot be brought into the countries for fear of Russian or Chinese surveillance.

"They are worried about the US getting into the commission systems," said one official. The treatment of the US as a potential security risk highlights how relations have deteriorated since the return of Donald Trump as US president in January. Trump has accused the EU of having been set up to "screw the US" and announced 20 per cent so-called reciprocal tariffs on the bloc's exports, which he later halved for a 90-day period.

At the same time, he has made overtures to Russia, pressured Ukraine to hand over control over its assets by temporarily suspending military aid and has threatened to withdraw security guarantees from Europe, spurring a continent-wide rearmament effort. "The transatlantic alliance is over," said a fifth EU official.

10 years ago "certificate authorities normally issued certificate lifetimes lasting a year or more," remembers a new blog post Thursday by the EFF's engineering director. So in 2015 when the free cert authority Let's Encrypt first started issuing 90-day TLS certificates for websites, "it was considered a bold move, that helped push the ecosystem towards shorter certificate life times."

And then this January Let's Encrypt announced new six-day certificates...

This week saw a related announcement from the EFF engineering director. More than 31 million web sites maintain their HTTPS certificates using the EFF's Certbot tool (which automatically fetches free HTTPS certificates forever) — and Certbot is now supporting Let's Encrypt's six-day certificates. (It's accomplished through ACME profiles with dynamic renewal at 1/3rd of lifetime left or 1/2 of lifetime left, if the lifetime is shorter than 10 days): There is debate on how short these lifetimes should be, but with ACME profiles you can have the default or "classic" Let's Encrypt experience (90 days) or start actively using other profile types through Certbot with the --preferred-profile and --required-profile flags. For six day certificates, you can choose the "shortlived" profile.
Why shorter lifetimes are better (according to the EFF's engineering director):

• If a certificate's private key is compromised, that compromise can't last as long.

• With shorter life spans for the certificates, automation is encouraged. Which facilitates robust security of web servers.

• Certificate revocation is historically flaky. Lifetimes 10 days and under prevent the need to invoke the revocation process and deal with continued usage of a compromised key.

Late Friday news broke that U.S. President Trump's new tariffs included exemptions for smartphones, computer monitors, semiconductors, and other electronics. But Sunday morning America's commerce secretary insisted "a special-focus type of tariff" was coming for those products, reports ABC News. President Trump "is saying they're exempt from the reciprocal tariffs," the commerce secretary told an interviewer, "but they're included in the semiconductor tariffs, which are coming in probably a month or two.... This is not like a permanent sort of exemption."

The Wall Street Journal notes that Sunday the president himself posted on social media that "NOBODY is getting 'off the hook' for the unfair Trade Balances, and Non Monetary Tariff Barriers... There was no Tariff 'exception' announced on Friday. These products are subject to the existing 20% Fentanyl Tariffs, and they are just moving to a different Tariff 'bucket.'"

"The administration is expected to take the first step toward enacting the new tariffs as soon as next week," reports the New York Times, "opening an investigation to determine the effects of semiconductor imports on national security."

More from ABC News: Commerce Secretary Howard Lutnick said Sunday that the administration's decision Friday night to exempt a range of electronic devices from tariffs implemented earlier this month was only a temporary reprieve.. Lutnick said on "This Week" that the White House will implement "a tariff model in order to encourage" the semiconductor industry, as well as the pharmaceutical industry, to move its business to the United States. "We can't be beholden and rely upon foreign countries for fundamental things that we need," he said.... "These are things that are national security that we need to be made in America."

"A modern free society has an obligation to offer electronic tax filing that respects user freedom," says a Free Software Foundation blog post, "and the United States is not excluded from this responsibility."

"Governments, and/or the companies that they partner with, are responsible for providing free as in freedom software for necessary operations, and tax filing is no exception." For many years now, a large portion of [U.S.] taxpayers have filed their taxes electronically through proprietary programs like TurboTax. Millions of taxpayers are led to believe that they have no other option than to use nonfree software or Service as a Software Substitute (SaaSS), giving up their freedom as well as their most private financial information to a third-party company, in order to file their taxes...

While the options for taxpayers have improved slightly with the IRS's implementation of the IRS Direct File program [in 25 states], this program unfortunately does require users to hand over their freedom when filing taxes.... Taxpayers shouldn't have to use a program that violates their individual freedoms to file legally required taxes. While Direct File is a step in the right direction as the program isn't in the hands of a third-party entity, it is still nonfree software. Because Direct File is a US government-operated program, and ongoing in the process of being deployed to twenty-five states, it's not too late to call on the IRS to make Direct File free software.

In the meantime, if you need to file US taxes and are yet to file, we suggest filing your taxes in a way that respects your user freedom as much as possible, such as through mailing tax forms. Like with other government interactions that snatch away user freedom, choose the path that most respects your freedom.
Free-as-in-freedom software would decrease the chance of user lock-in, the FSF points out. But they list several other advantages, including:

• Repairability: With free software, there is no uncertain wait period or reliance on a proprietary provider to make any needed bug or security fixes.

• Transparency: Unless you can check what a program really does (or ask someone in the free software community to check for you), there is no way to know that the program isn't doing things you don't consent to it doing.

• Cybersecurity: While free software isn't inherently more secure than nonfree software, it does have a tendency to be more secure because many developers can continuously improve the program and search for errors that can be exploited. With proprietary programs like TurboTax, taxpayers and the U.S. government are dependent on TurboTax to protect the sensitive financial and personal information of millions with few (if any) outside checks and balances...

• Taxpayer dollars spent should actually benefit the taxpayers: Taxpayer dollars should not be used to fund third-party programs that seek to control users and force them to use their programs through lobbying....

"We don't have to accept this unjust reality: we can work for a better future, together," the blog post concludes (offering a "sample message" U.S. taxpayers could send to IRS Commissioner Danny Werfel).

"Take action today and help make electronic tax filing free as in freedom for everyone."

Here's an update from the Wall Street Journal about a "widespread series of alarming cyberattacks on U.S. infrastructure."

China was behind it, "Chinese officials acknowledged in a secret December meeting... according to people familiar with the matter..." The Chinese delegation linked years of intrusions into computer networks at U.S. ports, water utilities, airports and other targets, to increasing U.S. policy support for Taiwan, the people, who declined to be named, said... U.S. officials went public last year with unusually dire warnings about the uncovered Volt Typhoon effort. They publicly attributed it to Beijing trying to get a foothold in U.S. computer networks so its army could quickly detonate damaging cyberattacks during a future conflict. [American officials at the meeting perceived the remarks as "intended to scare the U.S. from involving itself if a conflict erupts in the Taiwan Strait."]

The Chinese official's remarks at the December meeting were indirect and somewhat ambiguous, but most of the American delegation in the room interpreted it as a tacit admission and a warning to the U.S. about Taiwan, a former U.S. official familiar with the meeting said... In a statement, the State Department didn't comment on the meeting but said the U.S. had made clear to Beijing it will "take actions in response to Chinese malicious cyber activity," describing the hacking as "some of the gravest and most persistent threats to U.S. national security...."

A Chinese official would likely only acknowledge the intrusions even in a private setting if instructed to do so by the top levels of Xi's government, said Dakota Cary, a China expert at the cybersecurity firm SentinelOne. The tacit admission is significant, he said, because it may reflect a view in Beijing that the likeliest military conflict with the U.S. would be over Taiwan and that a more direct signal about the stakes of involvement needed to be sent to the Trump administration. "China wants U.S. officials to know that, yes, they do have this capability, and they are willing to use it," Cary said.
The article notes that top U.S. officials have said America's Defense Department "will pursue more offensive cyber strikes against China."

But it adds that the administration "also plans to dismiss hundreds of cybersecurity workers in sweeping job cuts and last week fired the director of the National Security Agency and his deputy, fanning concerns from some intelligence officials and lawmakers that the government would be weakened in defending against the attacks."

The Washington Post reports: The United States urgently needs more energy to fuel an artificial intelligence race with China that the country can't afford to lose, industry leaders told lawmakers at a House hearing on Wednesday. "We need energy in all forms," said Eric Schmidt, former CEO of Google, who now leads the Special Competitive Studies Project, a think tank focused on technology and security. "Renewable, nonrenewable, whatever. It needs to be there, and it needs to be there quickly." It was a nearly unanimous sentiment at the four-hour-plus hearing of the House Energy and Commerce Committee, which revealed bipartisan support for ramping up U.S. energy production to meet skyrocketing demand for energy-thirsty AI data centers.

The hearing showed how the country's AI policy priorities have changed under President Donald Trump. President Joe Biden's wide-ranging 2023 executive order on AI had sought to balance the technology's potential rewards with the risks it poses to workers, civil rights and national security. Trump rescinded that order within days of taking office, saying its "onerous" requirements would "threaten American technological leadership...." [Data center power consumption] is already straining power grids, as residential consumers compete with data centers that can use as much electricity as an entire city. And those energy demands are projected to grow dramatically in the coming years... [Former Google CEO Eric] Schmidt, whom the committee's Republicans called as a witness on Wednesday, told [committee chairman Brett] Guthrie that winning the AI race is too important to let environmental considerations get in the way...

Once the United States beats China to develop superintelligence, Schmidt said, AI will solve the climate crisis. And if it doesn't, he went on, China will become the world's sole superpower. (Schmidt's view that AI will become superintelligent within a decade is controversial among experts, some of whom predict the technology will remain limited by fundamental shortcomings in its ability to plan and reason.)

The industry's wish list also included "light touch" federal regulation, high-skill immigration and continued subsidies for chip development. Alexandr Wang, the young billionaire CEO of San Francisco-based Scale AI, said a growing patchwork of state privacy laws is hampering AI companies' access to the data needed to train their models. He called for a federal privacy law that would preempt state regulations and prioritize innovation.
Some committee Democrats argued that cuts to scientific research and renewable energy will actually hamper America's AI competitiveness, according to the article. " But few questioned the premise that the U.S. is locked in an existential struggle with China for AI supremacy.

"That stark outlook has nearly coalesced into a consensus on Capitol Hill since China's DeepSeek chatbot stunned the AI industry with its reasoning skills earlier this year."

Fedora has proposed a major change for its upcoming version 43 release that aims to achieve 99% package reproducibility, addressing growing concerns about supply-chain security. According to the change proposal announced March 31, Fedora has already reached 90% reproducibility through infrastructure changes including "clamping" file modification times and implementing a Rust-based "add-determinism" tool that standardizes metadata. The remaining 10% will require individual package maintainer involvement, treating reproducibility failures as bugs.

The effort will use a public instance of rebuilderd to independently verify that binary packages can be reproduced from source code. Unlike Debian's bit-by-bit reproducibility definition, Fedora allows differences in package signatures and some metadata while requiring identical payloads. The initiative follows similar efforts by Debian and openSUSE, and comes amid heightened focus on supply-chain security after the recent XZ backdoor incident.

The ubiquitous but often overlooked Wi-Fi router lies at the heart of one of Washington's biggest national security dilemmas -- and a rift between two brothers on opposite sides of the Pacific. From a report: US investigators are probing the China ties of TP-Link, the new American incarnation of a consumer Wi-Fi behemoth, following its rapid growth and a spate of cyber attacks by Chinese state-sponsored actors targeting many router brands. The inquiry is testing whether TP-Link's corporate makeover represents enough of a divorce from China to spare it from a ban in a crucial market.

While TP-Link's recent restructuring split the company into separate US- and China-headquartered businesses, a Bloomberg News investigation found that the resulting American venture still has substantial operations in mainland China. If US officials conclude TP-Link's China connections pose an "unacceptable risk," they could use a powerful new authority to ban the company from the US. Such an outcome could also unravel plans by the owner of its US business, Jeffrey Chao, to start fresh in California following an estrangement from his older brother, who started the router business with him in Shenzhen nearly three decades ago.

In an interview -- the first Jeffrey Chao said he has ever given -- he told Bloomberg he's quitting China. He opened a new headquarters in Irvine last year and said he will invest $700 million in the US to build a factory and jumpstart research and development on highly secure routers while awaiting the green card he said he applied for in January. He has also traded his perch in a Hong Kong skyscraper for a 1980s-era split-level near his office, joined a neighborhood evangelical church, and is now eyeing a Cadillac Escalade for road trips, he said, burnishing his American credentials. "I know the current relationship between the US and China is complex," Chao said in the interview last month. "I have chosen the US."

Microsoft is starting to gradually roll out a preview of Recall, its feature that captures screenshots of what you do on a Copilot Plus PC to find again later, to Windows Insiders. From a report: This new rollout could indicate that Microsoft is finally getting close to launching Recall more widely. Microsoft originally intended to launch Recall alongside Copilot Plus PCs last June, but the feature was delayed following concerns raised by security experts. The company then planned to launch it in October, but that got pushed as well so that the company could deliver "a secure and trusted experience."

Fake job seekers using AI tools to impersonate candidates are increasingly targeting U.S. companies with remote positions, creating a growing security threat across industries. By 2028, one in four global job applicants will be fake, according to Gartner. These imposters use AI to fabricate photo IDs, generate employment histories, and provide interview answers, often targeting cybersecurity and cryptocurrency firms, CNBC reports.

Once hired, fraudulent employees can install malware to demand ransoms, steal customer data, or simply collect salaries they wouldn't otherwise obtain, according to Vijay Balasubramaniyan, CEO of Pindrop Security. The problem extends beyond tech companies. Last year, the Justice Department alleged more than 300 U.S. firms inadvertently hired impostors with ties to North Korea, including major corporations across various sectors.

Hackers intercepted about 103 bank regulators' emails for more than a year, gaining access to highly sensitive financial information, Bloomberg News reported Tuesday, citing two people familiar with the matter and a draft letter to Congress. From the report: The attackers were able to monitor employee emails at the Office of the Comptroller of the Currency after breaking into an administrator's account, said the people, asking not to be identified because the information isn't public. OCC on Feb. 12 confirmed that there had been unauthorized activity on its systems after a Microsoft security team the day before had notified OCC about unusual network behavior, according to the draft letter.

The OCC is an independent bureau of the Treasury Department that regulates and supervises all national banks, federal savings associations and the federal branches and agencies of foreign banks -- together holding trillions of dollars in assets. OCC on Tuesday notified Congress about the compromise, describing it as a "major information security incident."

"The analysis concluded that the highly sensitive bank information contained in the emails and attachments is likely to result in demonstrable harm to public confidence," OCC Chief Information Officer Kristen Baldwin wrote in the draft letter to Congress that was seen by Bloomberg News. While US government agencies and officials have long been the targets of state-sponsored espionage campaigns, multiple high-profile breaches have surfaced over the past year.

China is moving fast to dominate biotechnology, and the U.S. risks falling behind permanently unless it takes action over the next three years, a congressional commission said. WSJ: Congress should invest at least $15 billion to support biotech research over the next five years and take other steps to bolster manufacturing in the U.S., while barring companies from working with Chinese biotech suppliers, the National Security Commission on Emerging Biotechnology said in a report Tuesday. To achieve its goals, the federal government and U.S.-based researchers will also need to work with allies and partners around the world.

"China is quickly ascending to biotechnology dominance, having made biotechnology a strategic priority for 20 years," the commission said. Without prompt action, the U.S. risks "falling behind, a setback from which we may never recover." The findings convey the depth of worry in Washington that China's rapid biotechnology advances jeopardize U.S. national security. Yet translating the concern into tangible actions could prove challenging.

[...] China plays a large role supplying drug ingredients and even some generic medicines to the U.S. For years, it produced copycat versions of drugs developed in the West. Recent years have seen it become a formidable hub of biotechnology innovation, after the Chinese government gave priority to the field as a critical sector in China's efforts to become a scientific superpower.