Communications

US Warns Hidden Radios May Be Embedded In Solar-Powered Highway Infrastructure (reuters.com)

U.S. officials issued an advisory warning that foreign-made solar-powered highway infrastructure may contain hidden radios embedded in inverters and batteries. Reuters reports: The advisory, disseminated late last month by the U.S. Department of Transportation's Federal Highway Administration, comes amid escalating government action over the presence of Chinese technology in America's transportation infrastructure. The four-page security note, a copy of which was reviewed by Reuters, said that undocumented cellular radios had been discovered "in certain foreign-manufactured power inverters and BMS," referring to battery management systems.

The note, which has not previously been reported, did not specify where the products containing undocumented equipment had been imported from, but many inverters are made in China. There is increasing concern from U.S. officials that the devices, along with the electronic systems that manage rechargeable batteries, could be seeded with rogue communications components that would allow them to be remotely tampered with on Beijing's orders. [...]

The August 20 advisory said the devices were used to power a range of U.S. highway infrastructure, including signs, traffic cameras, weather stations, solar-powered visitor areas and warehouses, and electric vehicle chargers. The risks it cited included simultaneous outages and surreptitious theft of data. The alert suggested that relevant authorities inventory inverters across the U.S. highway system, scan devices with spectrum analysis technology to detect any unexpected communications, disable or remove any undocumented radios, and make sure their networks were properly segmented.

Microsoft

Wyden Says Microsoft Flaws Led to Hack of US Hospital System (bloomberg.com)

US Senator Ron Wyden says glaring cybersecurity flaws by Microsoft enabled a ransomware attack on a US hospital system and has called on the Federal Trade Commission to investigate. Bloomberg: In a letter sent Wednesday to FTC Chairman Andrew Ferguson, the Oregon Democrat accused Microsoft of "gross cybersecurity negligence," which he said had resulted in ransomware attacks against US critical infrastructure.

The senator cited the case of the 2024 breach at Ascension, one of the nation's largest nonprofit health systems. The intrusion shut down computers at many of Ascension's hospitals, leading to suspended surgeries and the theft of sensitive data on more than 5 million patients. Wyden said an investigation by his office found that the Ascension hack began after a contractor carried out a search using Microsoft's Bing search engine and was served a malicious link, which led to the contractor inadvertently downloading malware. That allowed hackers access to Ascension's computer networks.

According to Wyden, the attackers then gained access to privileged accounts by exploiting an insecure encryption technology called RC4, which is supported by default on Windows computers. The hacking method is called Kerberoasting, which the company described as a type of cyberattack in which intruders aim to gather passwords by targeting an authentication protocol called Kerberos.
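
The RC4/Kerberoasting point above from the defender's side, as an added example that is not from the Bloomberg report or Wyden's letter: it parses constructed Windows Security event 4769 records (field names follow the 4769 schema; the log lines, realm and account names are made up) and flags successful RC4-HMAC (etype 0x17) service-ticket requests, plus accounts that fan out across several service accounts within a short window, which is the pattern that distinguishes a roast from one legacy service still negotiating RC4.

```python
"""Detect RC4 (Kerberoasting-style) service ticket requests in Windows event 4769 logs.

Added defender-side example for the RC4/Kerberoasting passage; not from the
Bloomberg report or Wyden's letter. The log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# TicketEncryptionType values logged in event 4769 (Kerberos etype numbers).
RC4_HMAC = 0x17            # rc4-hmac: ticket keyed only from the account's NT hash
AES_ETYPES = {0x11, 0x12}  # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

# Constructed key=value lines shaped like event 4769 fields (not real telemetry).
# In 4769, ServiceName is the service *account* the ticket was issued for.
SAMPLE_LOG = """\
Time=2024-05-08T09:00:01 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0
Time=2024-05-08T09:00:02 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc_web TicketEncryptionType=0x17 Status=0x0
Time=2024-05-08T09:00:02 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc_sql2 TicketEncryptionType=0x17 Status=0x0
Time=2024-05-08T09:00:03 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc_files TicketEncryptionType=0x17 Status=0x0
Time=2024-05-08T09:00:04 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0
Time=2024-05-08T09:05:00 EventID=4769 TargetUserName=asmith@CORP.EXAMPLE ServiceName=svc_web TicketEncryptionType=0x12 Status=0x0
Time=2024-05-08T09:06:00 EventID=4769 TargetUserName=WS01$@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0
Time=2024-05-08T09:07:00 EventID=4769 TargetUserName=bjones@CORP.EXAMPLE ServiceName=svc_legacy TicketEncryptionType=0x17 Status=0x0
Time=2024-05-08T09:08:00 EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=svc_web TicketEncryptionType=0x17 Status=0x1F
Time=2024-05-08T09:09:00 EventID=4768 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0
"""


def parse_line(line):
    """Parse one key=value record into a dict; hex fields become ints."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["Time"] = datetime.fromisoformat(rec["Time"])
    rec["EventID"] = int(rec["EventID"])
    rec["TicketEncryptionType"] = int(rec["TicketEncryptionType"], 16)
    rec["Status"] = int(rec["Status"], 16)
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def rc4_service_tickets(events):
    """Successful 4769 events whose service ticket was issued with RC4-HMAC.

    Machine accounts ($) and krbtgt are skipped: their keys are long and
    random, so an RC4 ticket for them is noise rather than a crackable target.
    """
    out = []
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != 0:
            continue
        if e["TicketEncryptionType"] != RC4_HMAC:
            continue
        user = e["TargetUserName"].split("@", 1)[0]
        if user.endswith("$") or e["ServiceName"].lower() == "krbtgt":
            continue
        out.append(e)
    return out


def kerberoast_bursts(events, window=timedelta(seconds=60), min_services=3):
    """Accounts that obtained RC4 tickets for >= min_services distinct service
    accounts inside one window. Returns {requesting account: max fan-out}."""
    by_user = defaultdict(list)
    for e in rc4_service_tickets(events):
        by_user[e["TargetUserName"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["Time"])
        for i, start in enumerate(evs):
            services = {x["ServiceName"] for x in evs[i:]
                        if x["Time"] - start["Time"] <= window}
            if len(services) >= min_services:
                flagged[user] = max(flagged.get(user, 0), len(services))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in rc4_service_tickets(evs):
        print(f"RC4 ticket: {e['TargetUserName']} -> {e['ServiceName']}")
    print("burst accounts:", kerberoast_bursts(evs))
```

Every non-machine service account that shows up in the RC4 list is also a remediation candidate: give it a long random password and AES-only keys so that a captured ticket is no longer cheap to crack offline.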

AI

AI Darwin Awards Launch To Celebrate Spectacularly Bad Deployments (theregister.com)

An anonymous reader shares a report: The Darwin Awards are being extended to include examples of misadventures involving overzealous applications of AI. Nominations are open for the 2025 AI Darwin Awards and the list of contenders is growing, fueled by a tech world weary of AI and evangelists eager to shove it somewhere inappropriate.

There's the Taco Bell drive-thru incident, where the chain catastrophically overestimated AI's ability to understand customer orders. Or the Replit moment, where a spot of vibe coding nuked a production database, despite instructions from the user not to fiddle with code without permission. Then there's the woeful security surrounding an AI chatbot used to screen applicants at McDonald's, where feeding in a password of 123456 gave access to the details of 64 million job applicants.

AI

HHS Asks All Employees To Start Using ChatGPT (404media.co)

An anonymous reader quotes a report from 404 Media: Employees at Robert F Kennedy Jr.'s Department of Health and Human Services received an email Tuesday morning with the subject line "AI Deployment," which told them that ChatGPT would be rolled out for all employees at the agency. The deployment is being overseen by Clark Minor, a former Palantir employee who's now Chief Information Officer at HHS. "Artificial intelligence is beginning to improve health care, business, and government," the email, sent by deputy secretary Jim O'Neill and seen by 404 Media, begins. "Our department is committed to supporting and encouraging this transformation. In many offices around the world, the growing administrative burden of extensive emails and meetings can distract even highly motivated people from getting things done. We should all be vigilant against barriers that could slow our progress toward making America healthy again."

"I'm excited to move us forward by making ChatGPT available to everyone in the Department effective immediately," it adds. "Some operating divisions, such as FDA and ACF [Administration for Children and Families], have already benefitted from specific deployments of large language models to enhance their work, and now the rest of us can join them. This tool can help us promote rigorous science, radical transparency, and robust good health. As Secretary Kennedy said, 'The AI revolution has arrived.'" [...] The email says that the rollout was being led by Minor, who worked at the surveillance company Palantir from 2013 through 2024. It states Minor has "taken precautions to ensure that your work with AI is carried out in a high-security environment," and that "you can input most internal data, including procurement sensitive data and routine non-sensitive personally identifiable information, with confidence."

It then goes on to say that "ChatGPT is currently not approved for disclosure of sensitive personally identifiable information (such as SSNs and bank account numbers), classified information, export-controlled data, or confidential commercial information subject to the Trade Secrets Act." The email does not distinguish what "non-sensitive personally identifiable information" is. HHS did not immediately respond to a request for comment from 404 Media. [...] The agency has also said it plans to roll out AI through HHS's Centers for Medicare and Medicaid Services that will determine whether patients are eligible to receive certain treatments. These types of systems have been shown to be biased when they've been tried, and result in fewer patients getting the care they need.

AI

How Google Is Already Monetizing Its AI Services To Generate Revenue (cnbc.com)

Google Cloud CEO Thomas Kurian revealed the company has already made billions from AI by monetizing through consumption-based pricing, subscriptions, and upselling. "Our backlog is now at $106 billion -- it is growing faster than our revenue," said Kurian, speaking at the Goldman Sachs Communacopia and Technology Conference in San Francisco. "More than 50% of it will convert to revenue over the next two years." CNBC reports: Kurian said some people pay Google by consumption, giving the example of AI infrastructure purchased by enterprise customers. "Whether it's a GPU, TPU or a model, you pay by token -- meaning you pay by what you use," he said. Tokens represent chunks of text that AI models process when they generate or interpret language. Some people use customer service systems, paying for it by what Kurian called "deflection rates." Such rates are priced based on the business value customers get -- things like uptime, scalability, AI features and security. Google Cloud also provides tools like a "deflection dashboard" that customers can use to track and manage agent interactions. Last month, Google won a $10 billion cloud contract from Meta spanning six years. Meta had largely been reliant on Amazon Web Services for cloud infrastructure, though it also uses Microsoft Azure.

Some customers pay for cloud services by way of subscriptions. "You pay per user per monthly fee -- for example, agents or Workspace," said Kurian, referring to the company's Gemini products, which have their own subscription tiers with various storage options, and the Google Workspace productivity suite, which also has several subscription tiers. Google One, a popular personal cloud storage subscription, offers a basic monthly service to users for $1.99 a month. Earlier this year, the company offered a new subscription tier called "Google AI Ultra," which offers exclusive access to the company's most "cutting edge" AI products with 30 terabytes of storage for $249.99 per month. Kurian gave an example of Google Cloud's cybersecurity subscription tiers, saying "we've seen huge growth in that."

Kurian said that upselling is another key aspect of Google Cloud's strategy. "We also upsell people as they use more of it from one version to another because we have higher quality models and higher-priced tiers," Kurian said. He said that once customers use Google's AI services, they wind up using more of the company's products. "That leads customers who sign a commitment or contract to spend more than they contracted for, which drives more revenue growth," he added. Kurian says Google Cloud is capturing new customers more quickly too. "We've seen 28% sequential quarter-over-quarter growth in new customer wins in the first half of the year," said Kurian, adding that nearly two-thirds of customers already use Google Cloud's AI tools in a meaningful way. "Selling to existing customers is always easier than selling to new customers, so it helps us improve the cost of sales," Kurian said.

Privacy

Plex Suffers Security Incident Exposing User Data and Urging Password Resets (nerds.xyz)

BrianFagioli shares a report from NERDS.xyz: Plex has alerted its customers about a security incident that may have affected user accounts. In an email sent to subscribers, the popular media server company confirmed that an unauthorized third party gained access to one of its databases. The breach exposed emails, usernames, and hashed passwords. Plex emphasized that passwords were encrypted following best practices, so attackers cannot simply read them. The company also reassured users that no credit card data was compromised, since Plex does not store that information on its servers. Still, out of caution, it is requiring all account holders to reset their credentials.

Users are being directed to reset their passwords at plex.tv/reset. During the process, Plex recommends enabling the option to sign out all connected devices. This measure logs out every device associated with the account, including Plex Media Servers, forcing a fresh login with the updated password. The company says it has already fixed the method used by the intruder to gain entry and is conducting additional security reviews. Plex is also urging subscribers to enable two-factor authentication if they have not already done so.

Games

All 54 Lost Clickwheel iPod Games Have Been Preserved For Posterity (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Last year, we reported on the efforts of classic iPod fans to preserve playable copies of the downloadable clickwheel games that Apple sold for a brief period in the late '00s. The community was working to get around Apple's onerous FairPlay DRM by having people who still owned original copies of those (now unavailable) games sync their accounts to a single iTunes installation via a coordinated Virtual Machine. That "master library" would then be able to provide playable copies of those games to any number of iPods in perpetuity.

At the time, the community was still searching for iPod owners with syncable copies of the last few titles needed for their library. With today's addition of Real Soccer 2009 to the project, though, all 54 official iPod clickwheel games are now available together in an easily accessible format for what is likely the first time.

[...] Now that the consolidated clickwheel game collection is complete, though, owners of any iPod 5G+ or iPod Nano 3G+ should be able to sync the complete library to their personal device completely offline, without worrying about any server checks from Apple. They can do that by setting up a Virtual Machine using these GitHub instructions or by downloading this torrented Internet Archive collection and creating their own Virtual Machine from the files contained therein.

The effort was made possible by GitHub user Olsro, with help from other iPod enthusiasts. To Olsro, completing the project "means this whole part from the early 2000s will remain with us forever."

He also expressed hope that "this Virtual Machine can also be useful towards any security [or] archeologist researcher who want to understand how the DRM worked."

Security

Jaguar Land Rover Extends Shutdown After Cyber Attack

Jaguar Land Rover has extended the shutdown of its UK and overseas factories after a cyberattack forced it to take IT systems offline, disrupting production, dealerships, and suppliers. The BBC reports: Jaguar Land Rover's (JLR) UK factories are now expected to remain closed until at least Wednesday after work was disrupted by a cyber attack just over a week ago. The car plants at Halewood and Solihull and its Wolverhampton engine facility, along with production facilities in Slovakia, China and India, have been unable to operate since the company fell victim to the cyber attack. Staff who work on the production lines have been told to remain at home. JLR shut down its IT systems in response to the attack on 31 August, in order to protect them from damage. However, this caused major disruption. [...]

Under normal circumstances, the company builds about 1,000 cars a day. The production stoppage has had a significant impact on the company's suppliers, with some understood to have told their own staff not to come into work. As well as forcing the factories to stop building cars, it also left dealerships unable to register new cars and garages that maintain JLR vehicles unable to order the parts they needed -- although it is understood workarounds have since been put in place. The attack began at what is traditionally a popular time for consumers to take delivery of new vehicles. The latest batch of new registration plates became available on Monday, September 1.

Security

Hackers Hijack npm Packages With 2 Billion Weekly Downloads in Supply Chain Attack (bleepingcomputer.com)

An anonymous reader shares a report: In what is being called the largest supply chain attack in history, attackers have injected malware into NPM packages with over 2.6 billion weekly downloads after compromising a maintainer's account in a phishing attack.

The package maintainer whose accounts were hijacked in this supply-chain attack confirmed the incident earlier today, stating that he was aware of the compromise and adding that the phishing email came from support [at] npmjs [dot] help, a domain that hosts a website impersonating the legitimate npmjs.com domain.

In the emails, the attackers threatened that the targeted maintainers' accounts would be locked on September 10th, 2025, as a scare tactic to get them to click on the link redirecting them to the phishing sites.

The Courts

Whistle-Blower Sues Meta Over Claims of WhatsApp Security Flaws (nytimes.com)

The former head of security for WhatsApp filed a lawsuit on Monday accusing Meta of ignoring major security and privacy flaws that put billions of the messaging app's users at risk, the latest in a string of whistle-blower allegations against the social media giant. The New York Times: In the lawsuit filed in the U.S. District Court of the District of Northern California, Attaullah Baig claimed that thousands of WhatsApp and Meta employees could gain access to sensitive user data including profile pictures, location, group memberships and contact lists. Meta, which owns WhatsApp, also failed to adequately address the hacking of more than 100,000 accounts each day and rejected his proposals for security fixes, according to the lawsuit.

Mr. Baig tried to warn Meta's top leaders, including its chief executive, Mark Zuckerberg, that users were being harmed by the security weaknesses, according to the lawsuit. In response, his managers retaliated and fired him in February, he claims. Mr. Baig, who is represented by the whistle-blower organization Psst.org and the law firm Schonbrun, Seplow, Harris, Hoffman & Zeldes, argued in the suit that the actions violated a privacy settlement Meta reached with the Federal Trade Commission in 2019, as well as securities laws that require companies to disclose risks to shareholders.

China

Chinese Hackers Impersonated US Lawmaker in Email Espionage Campaign (msn.com)

As America's trade talks with China were set to begin last July, a "puzzling" email reached several U.S. government agencies, law firms, and trade groups, reports the Wall Street Journal. It appeared to be from the chair of a U.S. Congressional committee, Representative John Moolenaar, asking recipients to review an alleged draft of upcoming legislation — sent as an attachment. "But why had the chairman sent the message from a nongovernment address...?"

"The cybersecurity firm Mandiant determined the spyware would allow the hackers to burrow deep into the targeted organizations if any of the recipients had opened the purported draft legislation, according to documents reviewed by The Wall Street Journal." It turned out to be the latest in a series of alleged cyber espionage campaigns linked to Beijing, people familiar with the matter said, timed to potentially deploy spyware against organizations giving input on President Trump's trade negotiations. The FBI and the Capitol Police are investigating the Moolenaar emails, and cyber analysts traced the embedded malware to a hacker group known as APT41 — believed to be a contractor for Beijing's Ministry of State Security... The hacking campaign appeared to be aimed at giving Chinese officials an inside look at the recommendations Trump was receiving from outside groups. It couldn't be determined whether the attackers had successfully breached any of the targets.

A Federal Bureau of Investigation spokeswoman declined to provide details but said the bureau was aware of the incident and was "working with our partners to identify and pursue those responsible...." The alleged campaign comes as U.S. law-enforcement officials have been surprised by the prolific and creative nature of China's spying efforts. The FBI revealed last month that a Beijing-linked espionage campaign that hit U.S. telecom companies and swept up Trump's phone calls actually targeted more than 80 countries and reached across the globe...

The Moolenaar impersonation comes as several administration officials have recently faced impostors of their own. The State Department warned diplomats around the world in July that an impostor was using AI to imitate Secretary of State Marco Rubio's voice in messages sent to foreign officials. Federal authorities are also investigating an effort to impersonate White House chief of staff Susie Wiles, the Journal reported in May... The FBI issued a warning that month that "malicious actors have impersonated senior U.S. officials" targeting contacts with AI-generated voice messages and texts.

And in January, the article points out, all the staffers on Moolenaar's committee "received emails falsely claiming to be from the CEO of Chinese crane manufacturer ZPMC, according to people familiar with the episode."

Thanks to long-time Slashdot reader schwit1 for sharing the news.

Security

First AI-Powered 'Self-Composing' Ransomware Was Actually Just a University Research Project (tomshardware.com)

Cybersecurity company ESET thought they'd discovered the first AI-powered ransomware in the wild, which they'd dubbed "PromptLock". But it turned out to be the work of university security researchers...

"Unlike conventional malware, the prototype only requires natural language prompts embedded in the binary," the researchers write in a research paper, calling it "Ransomware 3.0: Self-Composing and LLM-Orchestrated." Their prototype "uses the gpt-oss:20b model from OpenAI locally" (using the Ollama API) to "generate malicious Lua scripts on the fly." Tom's Hardware said that would help PromptLock evade detection: If they had to call an API on [OpenAI's] servers every time they generate one of these scripts, the jig would be up. The pitfalls of vibe coding don't really apply, either, since the scripts are running on someone else's system.

The whole thing was actually an experiment by researchers at NYU's Tandon School of Engineering. So "While it is the first to be AI-powered," the school said in an announcement, "the ransomware prototype is a proof-of-concept that is non-functional outside of the contained lab environment."

An NYU spokesperson told Tom's Hardware a Ransomware 3.0 sample was uploaded to the malware-analysis platform VirusTotal, and then picked up by the ESET researchers by mistake: But the malware does work: NYU said "a simulation malicious AI system developed by the Tandon team carried out all four phases of ransomware attacks — mapping systems, identifying valuable files, stealing or encrypting data, and generating ransom notes — across personal computers, enterprise servers, and industrial control systems." Is that worrisome? Absolutely. But there's a significant difference between academic researchers demonstrating a proof-of-concept and legitimate hackers using that same technique in real-world attacks. Now the study will likely inspire the ne'er-do-wells to adopt similar approaches, especially since it seems to be remarkably affordable.

"The economic implications reveal how AI could reshape ransomware operations," the NYU researchers said. "Traditional campaigns require skilled development teams, custom malware creation, and substantial infrastructure investments. The prototype consumed approximately 23,000 AI tokens per complete attack execution, equivalent to roughly $0.70 using commercial API services running flagship models."

As if that weren't enough, the researchers said that "open-source AI models eliminate these costs entirely," so ransomware operators won't even have to shell out the 70 cents needed to work with commercial LLM service providers...

"The study serves as an early warning to help defenders prepare countermeasures," NYU said in an announcement, "before bad actors adopt these AI-powered techniques."

ESET posted on Mastodon that "Nonetheless, our findings remain valid — the discovered samples represent the first known case of AI-powered ransomware."

And the ESET researcher who'd mistakenly thought the ransomware was "in the wild" had warned that looking ahead, ransomware "will likely become more sophisticated, faster spreading, and harder to detect.... This makes cybersecurity awareness, regular backups, and stronger digital hygiene more important than ever."

Power

Bill Gates-Backed Nuclear Fusion Developer Wants to Deploy a Reactor in Japan (japantimes.co.jp)

"A U.S.-based nuclear fusion developer wants to deploy a reactor in Japan in the late 2030s or early 2040s," reports Bloomberg, "in line with the Asian country's broader plans to adopt the potent, low-carbon energy source." Commonwealth Fusion Systems, which last week announced it raised $863 million from investors including Nvidia, has been in dialogue with Japanese government officials on the use of its technology, CEO Bob Mumgaard said in an interview in Tokyo on Wednesday... Several countries are eyeing the technology for its climate and energy security benefits, but only some, like China, the U.S., Russia and South Korea, have managed to crack the basics. Japan revised its national strategy in June to support fusion deployment and build a demonstration plant in the 2030s.

The article notes that Commonwealth "does not currently have any reactors in operation" — but that Mitsubishi this week invested in the company, in collaboration with a consortium of 12 Japanese companies. From Mitsubishi's announcement: The Japanese Consortium will acquire technical and commercial expertise in policy, regulatory, and the development, construction, operation, and maintenance of ARC [power plant] from CFS's commercialization projects in the United States. In addition, each consortium company will bring together its know-how and expertise and aspire to expedite the commercialization and industrialization of fusion energy power generation in Japan.

Open Source

Rust Foundation Announces 'Innovation Lab' to Support Impactful Rust Projects (webpronews.com)

Announced this week at RustConf 2025 in Seattle, the new Rust Innovation Lab will offer open source projects "the opportunity to receive fiscal sponsorship from the Rust Foundation, including governance, legal, networking, marketing, and administrative support."

And their first project will be the TLS library Rustls (for cryptographic security), which they say "demonstrates Rust's ability to deliver both security and performance in one of the most sensitive areas of modern software infrastructure." Choosing Rustls "underscores the lab's focus on infrastructure-critical tools, where reliability is paramount," explains WebProNews. But "Looking ahead, the foundation plans to expand the lab's portfolio, inviting applications from promising Rust initiatives. This could catalyze innovations in areas like embedded systems and blockchain, where Rust's efficiency shines."

Their article notes that the Rust Foundation "sees the lab as a way to accelerate innovation while mitigating the operational burdens that often hinder open-source development." [T]he Foundation aims to provide a stable, neutral environment for select Rust endeavors, complete with governance oversight, legal and administrative backing, and fiscal sponsorship... At its core, the Rust Innovation Lab addresses a growing need within the developer community for structured support amid Rust's rising adoption in sectors like systems programming and web infrastructure. By offering a "home" for projects that might otherwise struggle with sustainability, the lab ensures continuity and scalability. This comes at a time when Rust's memory safety features are drawing attention from major tech firms, including those in cloud computing and cybersecurity, as a counter to vulnerabilities plaguing languages like C++...

Industry observers note that such fiscal sponsorship could prove transformative, enabling projects to secure funding from diverse sources while maintaining independence. The Rust Foundation's involvement ensures compliance with best practices, potentially attracting more corporate backers wary of fragmented open-source efforts... By providing a neutral venue, the foundation aims to prevent the pitfalls seen in other ecosystems, such as project abandonment due to maintainer burnout or legal entanglements... For industry insiders, the Rust Innovation Lab represents a strategic evolution, potentially accelerating Rust's integration into mission-critical systems.

AI

Anthropic Clamps Down on AI Services for Chinese-Owned Firms (bloomberg.com)

Anthropic is blocking its services from Chinese-controlled companies, saying it's taking steps to prevent a US adversary from advancing in AI and threatening American national security. From a report: The San Francisco-based startup is widening existing restrictions on "authoritarian" regimes to cover any company that's majority-owned by entities from countries such as China. That includes their overseas operations, it said in a statement. Foreign-based subsidiaries could be used to access its technology and further military applications, the startup added.

Anthropic's Dario Amodei has publicly advocated technological sanctions on China, particularly after DeepSeek stunned Silicon Valley with an advanced model this year. While Anthropic didn't name any companies, Chinese big tech firms from Alibaba to ByteDance have joined DeepSeek in an intensifying race to build AI services that can rival the likes of OpenAI in the US. Chinese entities "could use our capabilities to develop applications and services that ultimately serve adversarial military and intelligence services and broader authoritarian objectives," Anthropic said in its Friday post.

Security

Philips Hue Plans To Make All Your Lights Motion Sensors (theverge.com)

Philips Hue is rolling out MotionAware, a new feature that turns its smart bulbs into motion sensors using radio-frequency (RF) Zigbee signals. The upgrade works with most Hue bulbs made since 2014, but requires the new $99 Bridge Pro hub to enable. The Verge reports: To create a MotionAware motion-sensing zone, you need Hue's new Bridge Pro and at least three Hue devices in a room. It works with all new and most existing mains-powered Hue products via a firmware update. That includes smart bulbs, light strips, and fixtures. Portable devices, such as the Hue Go or Table Lamp, and battery-powered accessories, such as Hue switches, aren't compatible. Neither is Hue's current smart plug. [...] "All of the functionality you get with our physical motion sensors -- including turning on when motion is detected or off when there's been no movement for a certain amount of time -- can be configured on motion-aware motion events," says George Yianni, Hue CTO and founder, in an interview with The Verge. "We've done something that's quite a lot better than what else is out there."

MotionAware is occupancy sensing, not presence sensing; it requires movement. Yianni says it's comparable to the passive infrared sensing (PIR) Hue's physical sensors use. This means it can be triggered by pets or other motion. A sensitivity slider in the app helps fine-tune detection. According to Yianni, a key benefit over PIR is that a MotionAware zone can cover a larger area than a single PIR sensor, and it's also not limited to line of sight. MotionAware can't sense light levels, which Hue Motion Sensors can, but you can pair a light sensor to a motion zone to feed it that data. The positioning of the lights will also play a role in determining the effectiveness of the motion sensing. "We recommend that the lights surround an area which will roughly define the detection area in which motion will be detected," says Yianni. "It will sense around the lights and in the broader room thanks to reflections, but detection reliability will depend on lots of factors."

Beyond lighting automation, MotionAware can also integrate with Hue Secure, Hue's DIY security platform that includes cameras, contact sensors, and a new video doorbell. Motion detection can trigger lights to flash red, activate Hue's new plug-in chime/siren, and send an alert to your phone with a button to call emergency services. [...] MotionAware is built on RF sensing -- a technology that uses wireless signals to "see" a space and detect disruptions within it. The data is then sent to the Bridge Pro, where AI algorithms are applied to figure out what is causing those disruptions, so the system can act accordingly. This is why it's limited to the Bridge Pro: the V2 bridge isn't powerful enough to run those algorithms, says Yianni.

The Courts

Supermarket Giant Tesco Sues VMware, Warns Lack of Support Could Disrupt Food Supply (theregister.com)

Tesco is suing Broadcom and reseller Computacenter for at least $134 million, claiming that VMware's perpetual license support agreements were breached after Broadcom's acquisition. The supermarket giant warned it "may not be able to put food on the shelves if the situation goes pear-shaped," writes The Register's Simon Sharwood. From the report: Court documents seen by The Register assert that in January 2021 Tesco acquired perpetual licenses for VMware's vSphere Foundation and Cloud Foundation products, plus subscriptions to Virtzilla's Tanzu products, and agreed a contract for support services and software upgrades that runs until 2026. Tesco claims VMware also agreed to give it an option to extend support services for an additional four years. All of this happened before Broadcom acquired VMware and stopped selling support services for software sold under perpetual licenses. Broadcom does sell support to those who sign for its new software subscriptions.

The supermarket giant says Broadcom's subscriptions mean it must pay "excessive and inflated prices for virtualization software for which Tesco has already paid," and "is unable any longer to purchase stand-alone Virtualization Support Services for its Perpetually Licensed Software without also having to purchase duplicative subscription-based licenses for those same Software products which it already owns." The complaint also alleges that Tesco's contracts with VMware include eligibility for software upgrades, but that Broadcom won't let the retailer update its perpetual licenses to cover the new Cloud Foundation 9.

The filing names Computacenter as a co-defendant as it was the reseller that Tesco relied on for software licenses, and the retailer feels it's breached contracts to supply software at a fixed price. Tesco's filing also mentions Broadcom's patch publication policy, which means users who don't acquire subscriptions can't receive all security updates and don't receive other fixes. The retailer thinks its contracts mean it is entitled to those updates. The filing suggests that lack of support is not just a legal matter, but may have wider implications because VMware software, and support for it "are essential for the operations and resilience of Tesco's business and its ability to supply groceries to consumers across the UK and Republic of Ireland."

"VMware Virtualization Software underpins the servers and data systems that enable Tesco's stores and operations to function, hosting approximately 40,000 server workloads and connecting to, by way of illustration, tills in Tesco stores," the filing states. Tesco's filing warns that Broadcom, VMware, and Computacenter are each liable for at least $134 million in damages, plus interest, and that the longer the dispute persists the higher the damages will climb.

Security

Cloudflare Stops New World's Largest DDoS Attack Over Labor Day Weekend (zdnet.com)

An anonymous reader quotes a report from ZDNet: Over the Labor Day weekend, Cloudflare says it successfully stopped a record-breaking distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps). This came only a few months after Cloudflare blocked a then all-time high DDoS attack of 7.3 Tbps. This latest attack was almost 60% larger.

According to Cloudflare, the assault was a hyper-volumetric User Datagram Protocol (UDP) flood attack that lasted about 35 seconds. During that attack, lasting just over half a minute, it delivered over 5.1 billion packets per second. This attack, Cloudflare reported, came from a combination of several IoT and cloud providers. Although compromised accounts on Google Cloud were a major source, the bulk of the attack originated from other sources.

The specific target of this attack has not been publicly disclosed, but we can be sure the intent was to overwhelm the victim's network and render online services inoperative. Cloudflare says its globally distributed, fully autonomous DDoS mitigation network detected and neutralized the threat in real time, without notable impact on customer services or requiring manual intervention. This operation highlights both the rising sophistication of attack methods and the resilience of modern internet infrastructure defenses, especially Cloudflare's use of real-time packet analysis, fingerprinting, and rapid threat intelligence sharing across its network.

Bug

Frostbyte10 Bugs Put Thousands of Refrigerators At Major Grocery Chains At Risk (theregister.com)

An anonymous reader quotes a report from The Register: Ten vulnerabilities in Copeland controllers, which are found in thousands of devices used by the world's largest supermarket chains and cold storage companies, could have allowed miscreants to manipulate temperatures and spoil food and medicine, leading to massive supply-chain disruptions. The flaws, collectively called Frostbyte10, affect Copeland E2 and E3 controllers, used to manage critical building and refrigeration systems, such as compressor groups, condensers, walk-in units, HVAC, and lighting systems. Three received critical-severity ratings. Operational technology security firm Armis found and reported the 10 bugs to Copeland, which has since issued firmware updates that fix the flaws in both the E3 and the E2 controllers. The E2s reached their official end-of-life in October, and affected customers are encouraged to move to the newer E3 platform. Upgrading to Copeland firmware version 2.31F01 mitigates all the security issues detailed here, and the vendor recommends patching promptly.

In addition to the Copeland updates, the US Cybersecurity and Infrastructure Security Agency (CISA) is also scheduled to release advisories today, urging any organization that uses vulnerable controllers to patch immediately. Prior to these publications, Copeland and Armis execs spoke exclusively to The Register about Frostbyte10, and allowed us to preview an Armis report about the security issues. "When combined and exploited, these vulnerabilities can result in unauthenticated remote code execution with root privileges," it noted. [...] To be clear: there is no indication that any of these vulnerabilities were found and exploited in the wild before Copeland issued fixes. However, the manufacturer's ubiquitous reach across retail and cold storage makes it a prime target for all manner of miscreants, from nation-state attackers looking to disrupt the food supply chain to ransomware gangs looking for victims who will quickly pay extortion demands to avoid operational downtime and food spoilage.

Google

Google Says Gmail Security Alert Claims Are False (blog.google)

Google denied claims Monday that it had issued a security warning to Gmail users about a major vulnerability. The company stated that recent reports claiming a broad Gmail security alert were "entirely false." Google said its email service blocks more than 99.9% of phishing and malware attempts from reaching users' inboxes.