Desktops (Apple)

Apple Mac Adoption Is Accelerating Across US Enterprises 54

MacStadium's inaugural CIO survey shows Apple devices gaining major ground in U.S. enterprises, with 96% of CIOs expecting Mac fleets to expand in the next two years and Macs already representing an average of 65% of enterprise endpoints. "The results show rapid Mac deployment across US business in the last two years, with 93% of CIOs claiming increased use, and 59% claiming a significant increase in use of all Apple devices," adds Computerworld. From the report: "As the adoption of Apple hardware continues to rise with both consumers and business users, and Apple Silicon is emerging as a secure and energy-efficient option for AI workloads, Apple is turning its sights to the enterprise," [MacStadium CEO Ken Tacelli] said in an interview. Among the specifics:

- 93% of CIOs report increased Apple device usage over the past two years.
- 45% of CIOs describe their leadership's view of Macs as a strategic investment, reflecting growing executive-level buy-in.
- The top drivers for Apple adoption are security and privacy (59%), employee preference (59%), and hardware performance (54%).
- Perhaps most importantly, 65% of CIOs say Macs are easier to manage than Windows or Linux devices.

In addition to those factors, the unique technical capabilities of Apple's kit (53%) play a role. Businesses are buying Macs because they're cheaper to run, last longer, allow employees to be more productive, and are both more private and more secure. The survey also shows that AI has become a leading reason to choose Macs. Apple Silicon is highly performant and energy efficient, enabling Macs to run on-device, secure AI, and to access cloud-based AI services.

Government

US Plans 1:1 Chip Production Rule To Curb Overseas Reliance (reuters.com) 48

The U.S. is considering a rule requiring chipmakers to match the volume of semiconductors that their customers currently import from overseas providers through domestic production, or face tariffs. Reuters reports: President Donald Trump has doubled down on his efforts to reshore semiconductor manufacturing, offering exemptions from tariffs of roughly 100% on chips to firms that produce domestically. Companies that fail to sustain a 1:1 domestic-to-import ratio over time would face tariffs, the Journal said. U.S. Commerce Secretary Howard Lutnick floated the idea with semiconductor executives, telling them it might be necessary for economic security, the Journal said.

"America cannot be reliant on foreign imports for the semiconductor products that are essential for our national and economic security," the newspaper cited White House spokesperson Kush Desai as saying, who added that any reporting about policymaking should be treated as speculative, unless officially announced. [...] Under the proposal, a company pledging to make chips in the U.S. would receive credit for that pledged volume, allowing imports without tariffs until the plant is complete, with initial relief to help ramp capacity, according to the report.

China

Chinese Hackers Breach US Software and Law Firms Amid Trade Fight (cnn.com) 3

An anonymous reader quotes a report from CNN: A team of suspected Chinese hackers has infiltrated US software developers and law firms in a sophisticated campaign to collect intelligence that could help Beijing in its ongoing trade fight with Washington, cybersecurity firm Mandiant said Wednesday. The hackers have been rampant in recent weeks, hitting the cloud-computing firms that numerous American companies rely on to store key data, Mandiant, which is owned by Google, said. In a sign of how important China's hacking army is in the race for tech supremacy, the hackers have also stolen US tech firms' proprietary software and used it to find new vulnerabilities to burrow deeper into networks, according to Mandiant.

[...] In some cases, the hackers have lurked undetected in the US corporate networks for over a year, quietly collecting intelligence, Mandiant said. The disclosure comes after the Trump administration escalated America's trade war with China this spring by slapping unprecedented tariffs on Chinese exports to the United States. The tit-for-tat tariffs set off a scramble in both governments to understand each other's positions. Mandiant analysts said the fallout from the breaches -- the task of kicking out the hackers and assessing the damage -- could last many months. They described it as a milestone hack, comparable in severity and sophistication to Russia's use of SolarWinds software to infiltrate US government agencies in 2020.

United States

Did the US Successfully Take Over TikTok, Or Not? (apnews.com) 58

Longtime Slashdot reader hackingbear writes: President Donald Trump signed an executive order Thursday that he says will allow TikTok to continue operating in the United States in a way that meets national security concerns. Trump's order will enable an American-led group of investors to "buy the app" (up to 80% ownership) from China's ByteDance, though the deal is not yet finalized and also requires China's approval. However, much about the deal is still unknown. So, did the U.S. successfully snatch TikTok from ByteDance? It is probably up to an individual's interpretation.

As with any deals between the U.S. and China, the devil is in the details. According to Shen Yi, an internet influencer and a professor at Shanghai's Fudan University, what the U.S. investor will eventually take control of is an entity known as TikTok U.S. Data Security Company ("USDS"), which is a subsidiary of TikTok U.S. and is exclusively responsible for handling data security in the U.S. ByteDance will continue, through its U.S. subsidiary "ByteDance TikTok U.S. Company," to operate business and other related activities (such as e-commerce, advertising for brands, and cross-border commercial activities). It is important to stress that "Byte TikTok U.S. Company" remains 100% owned by ByteDance through its global TikTok subsidiary -- this arrangement has not changed. The TikTok algorithm remains the property of ByteDance, only licensed to USDS for use. This point was in fact explicitly clarified by a relevant official of China's Cyberspace Administration at the press conference following the Madrid talks.

After reaching the TikTok deal, Beijing and Washington are now selling it to their respective domestic audiences, each highlighting the part of the deal that it can characterize as a win. Shen's details are not in conflict with the widely-reported account given by Karoline Leavitt, the White House Press Secretary, who emphasized "a new board with six American directors out of seven." Observers can also find the TikTok arrangement to be very similar to that of Apple's iCloud operation in China being run by GCBD (AIPO Cloud (Guizhou) Technology Co. Ltd.) while Apple retains control of the brand and business.

Security

Shoplifters Could Soon Be Chased Down By Drones (technologyreview.com) 144

An anonymous reader quotes a report from MIT Technology Review: Flock Safety, whose drones were once reserved for police departments, is now offering them for private-sector security, the company announced today, with potential customers including businesses intent on curbing shoplifting. Companies in the US can now place Flock's drone docking stations on their premises. If the company has a waiver from the Federal Aviation Administration to fly beyond visual line of sight (these are becoming easier to get), its security team can fly the drones within a certain radius, often a few miles.

"Instead of a 911 call [that triggers the drone], it's an alarm call," says Keith Kauffman, a former police chief who now directs Flock's drone program. "It's still the same type of response." Kauffman walked through how the drone program might work in the case of retail theft: If the security team at a store like Home Depot, for example, saw shoplifters leave the store, then the drone, equipped with cameras, could be activated from its docking station on the roof. "The drone follows the people. The people get in a car. You click a button," he says, "and you track the vehicle with the drone, and the drone just follows the car." The video feed of that drone might go to the company's security team, but it could also be automatically transmitted directly to police departments.

The company says it's in talks with large retailers but doesn't yet have any signed contracts. The only private-sector company Kauffman named as a customer is Morning Star, a California tomato processor that uses drones to secure its distribution facilities. Flock will also pitch the drones to hospital campuses, warehouse sites, and oil and gas facilities. It's worth noting that the FAA is currently drafting new rules for how it grants approval to pilots flying drones out of sight, and it's not clear if Flock's use case would be allowed under the currently proposed guidance.

Privacy

Neon Goes Dark After Exposing Users' Phone Numbers, Call Recordings, Transcripts (techcrunch.com) 29

An anonymous reader quotes a report from TechCrunch: A viral app called Neon, which offers to record your phone calls and pay you for the audio so it can sell that data to AI companies, has rapidly risen to the ranks of the top-five free iPhone apps since its launch last week. The app already has thousands of users and was downloaded 75,000 times yesterday alone, according to app intelligence provider Appfigures. Neon pitches itself as a way for users to make money by providing call recordings that help train, improve, and test AI models. But now Neon has gone offline, at least for now, after a security flaw allowed anyone to access the phone numbers, call recordings, and transcripts of any other user, TechCrunch can now report.

TechCrunch discovered the security flaw during a short test of the app on Thursday. We alerted the app's founder, Alex Kiam (who previously did not respond to a request for comment about the app), to the flaw soon after our discovery. Kiam told TechCrunch later Thursday that he took down the app's servers and began notifying users about pausing the app, but fell short of informing his users about the security lapse. The Neon app stopped functioning soon after we contacted Kiam.

TechCrunch found that the app's backend services didn't properly restrict access, allowing any logged-in user to request and receive data belonging to other users. This included call transcripts, raw call recordings, and sensitive metadata, including phone numbers, the date/time of calls, and their durations.

The Courts

Google Asks US Supreme Court To Freeze App Store Injunction In Epic Games Case (reuters.com) 12

Google has asked the U.S. Supreme Court to pause a judge's order requiring major changes to its Play Store after losing an antitrust case to Epic Games. The injunction would force Google to allow rival app stores, external billing links, and broader competition -- changes Google says could harm users and developers. Epic argues they're necessary to break Google's monopoly. Reuters reports: Google said it has urged the U.S. Supreme Court to halt key parts of a judge's order that would force major changes to its app store Play, as it prepares to appeal a decision in a lawsuit brought by "Fortnite" maker Epic Games. Google called the judge's order unprecedented, and said it would cause reputational harm, safety and security risks and put the company at a competitive disadvantage if allowed to take effect, according to a filing provided late on Wednesday by Google, which said it had submitted it to the court. [...]

Google in its Supreme Court filing said that the changes will have enormous consequences for more than 100 million U.S. Android users and 500,000 developers. It asked the court to decide by October 17 whether to put the order on hold. Google said it plans to file its appeal to the Supreme Court by October 27, which could allow the justices to take up the case during their nine-month term that begins on October 6.

Epic in a statement said Google is relying on what it called "flawed security claims" to justify its control over Android devices. "The court's injunction should go into effect as ordered so consumers and developers can benefit from competition, choices and lower prices," Epic said. The jury, siding with Epic in the trial, found that Google illegally stifled competition. Donato subsequently issued the order directing Google to make changes to its app store.

Ruby

Open Source Turmoil: RubyGems Maintainers Kicked Off GitHub 75

Ruby Central, a non-profit organization committed to "driving innovation and building community within the Ruby programming ecosystem since 2001," removed all RubyGems maintainers from the project's GitHub repository on September 18, granting administrative access exclusively to its employees and contractors following alleged pressure from Shopify, one of its biggest backers, according to Ruby developer Joel Drapper. The nonprofit organization, which operates RubyConf and RailsConf, cited fiduciary responsibility and supply chain security concerns following a recent audit.

The controversy began September 9 when HSBT (Hiroshi Shibata), a Ruby infrastructure maintainer, renamed the RubyGems GitHub enterprise to "Ruby Central" and added Director of Open Source Marty Haught as owner while demoting other maintainers. The action allegedly followed Shopify's threat to cut funding unless Ruby Central assumed full ownership of RubyGems and Bundler. Ruby Central had reportedly become financially dependent on Shopify after Sidekiq withdrew $250,000 annual sponsorship over the organization platforming Rails creator DHH at RailsConf 2025. Andre Arko, a veteran contributor on-call for RubyGems.org at the time, was among those removed.

Maintainer Ellen Dash has characterized the action as a "hostile takeover" and also resigned. Executive Director Shan Cureton acknowledged poor communication in a YouTube video Monday, stating removals were temporary while finalizing operator agreements. Arko and others are launching Spinel, an alternative Ruby tooling project, though Shopify's Rafael Franca commented that Spinel admins shouldn't be trusted to avoid "sabotaging rubygems or bundler."

Businesses

Amazon Blamed AI For Layoffs, Then Hired Cheap H-1B Workers, Senators Allege (arstechnica.com) 47

An anonymous reader shares a report: Senators are demanding answers from Big Tech companies accused of "filing thousands of H-1B skilled labor visa petitions after conducting mass layoffs of American employees." In letters sent to Amazon, Meta, Apple, Google, and Microsoft -- among some of the largest sponsors of H-1B visas -- Senators Chuck Grassley (R-Iowa) and Dick Durbin (D-Ill.) requested "information and data from each company regarding their recruitment and hiring practices, as well as any variation in salary and benefits between H-1B visa holders and American employees."

The letters came shortly after Grassley sent a letter to Department of Homeland Security Secretary Kristi Noem requesting that DHS stop "issuing work authorizations to student visa holders." According to Grassley, "foreign student work authorizations put America at risk of technological and corporate espionage," in addition to allegedly "contributing to rising unemployment rates among college-educated Americans."

[...] In the letters to tech firms, senators emphasized that the unemployment rate in America's tech sector is "well above" the overall jobless rate. Amazon perhaps faces the most scrutiny. US Citizenship and Immigration Services data showed that Amazon sponsored the most H-1B visas in 2024 at 14,000, compared to other criticized firms like Microsoft and Meta, which each sponsored 5,000, The Wall Street Journal reported. Senators alleged that Amazon blamed layoffs of "tens of thousands" on the "adoption of generative AI tools," then hired more than 10,000 foreign H-1B employees in 2025.

EU

Apple Asks EU To Scrap Landmark Digital Competition Law (france24.com) 36

Apple asked the European Union to scrap its landmark digital competition law on Thursday, arguing that it poses security risks and creates a "worse experience" for consumers. From a report: The US tech giant and the EU have repeatedly locked horns over the bloc's Digital Markets Act (DMA), which Brussels says seeks to make the digital sector in the 27-nation bloc fairer and more open. "The DMA should be repealed while a more appropriate fit for purpose legislative instrument is put in place," Apple said in a formal submission to the European Commission as part of a consultation on the law.

[...] "It's become clear that the DMA is leading to a worse experience for Apple users in the EU," the tech giant said in a blog post accompanying its submission. "It's exposing them to new risks, and disrupting the simple, seamless way their Apple products work together."

Earth

World's Oceans Fail Key Health Check As Acidity Crosses Critical Threshold For Marine Life (theguardian.com) 64

An anonymous reader quotes a report from The Guardian: The world's oceans have failed a key planetary health check for the first time, primarily due to the burning of fossil fuels, a report has shown. In its latest annual assessment, the Potsdam Institute for Climate Impact Research said ocean acidity had crossed a critical threshold for marine life. This makes it the seventh of nine planetary boundaries to be transgressed, prompting scientists to call for a renewed global effort to curb fossil fuels, deforestation and other human-driven pressures that are tilting the Earth out of a habitable equilibrium. The report, which follows earlier warnings about ocean acidity, comes at a time of record-breaking ocean heat and mass coral bleaching.

Oceans cover 71% of the Earth's surface and play an essential role as a climate stabilizer. The new report calls them an "unsung guardian of planetary health", but says their vital functions are threatened. The 2025 Planetary Health Check noted that since the start of the industrial era, oceans' surface pH has fallen by about 0.1 units, a 30-40% increase in acidity, pushing marine ecosystems beyond safe limits. Cold-water corals, tropical coral reefs and Arctic marine life are especially at risk. This is primarily due to the human-caused climate crisis. When carbon dioxide from oil, coal and gas burning enters the sea, it forms carbonic acid. This reduces the availability of calcium carbonate, which many marine organisms depend upon to grow coral, shells or skeletons.

Near the bottom of the food chain, this directly affects species like oysters, molluscs and clams. Indirectly, it harms salmon, whales and other sea life that eat smaller organisms. Ultimately, this is a risk for human food security and coastal economies. Scientists are concerned that it could also weaken the ocean's role as the planet's most important heat absorber and its capacity to draw down 25-30% of the carbon dioxide in the atmosphere. Marine life plays an important role in this process, acting as a "biotic bump" to sequester carbon in the depths. In the report, all of the other six breached boundaries -- climate change, biosphere integrity, land system change, freshwater use, biogeochemical flows, and novel entities -- showed a worsening trend. But the authors said the addition of the only solely ocean-centered category was an alarming development because of its scale and importance.

Botnet

Record-Breaking DDoS Attack Peaks At 22 Tbps and 10 Bpps 24

Cloudflare blocked the largest-ever DDoS attack against a European network infrastructure company, which peaked at 22.2 Tbps and 10.6 Bpps. The hyper-volumetric attack has been linked to the Aisuru botnet and lasted just 40 seconds, but was double the size of the previous record. SecurityWeek reports: Cloudflare told SecurityWeek that the attack was aimed at a single IP address of an unnamed European network infrastructure company. Cloudflare has yet to determine who was behind the attack, but believes it may have been powered by the Aisuru botnet, which was also linked earlier this year to a massive 6.3 Tbps attack on the website of cybersecurity blogger Brian Krebs. Aisuru has been around for more than a year. The botnet is powered by hacked IoT devices such as routers and DVRs that have been compromised through the exploitation of known and zero-day vulnerabilities.

According to Cloudflare, the 22 Tbps attack was traced to over 404,000 unique source IPs across over 14 ASNs worldwide. "Based on internal analysis using a proprietary system, the source IPs were not spoofed," the company explained. The security firm described it as a UDP carpet bomb attack targeting an average of 31,000 destination ports per second, with a peak of 47k ports, all of a single IP address. Cloudflare revealed in July that the number of DDoS attacks it blocked in the first half of 2025 had already exceeded all the attacks mitigated in 2024.

Windows

Microsoft Offers No-Cost Windows 10 Lifeline (straitstimes.com) 43

Microsoft on Sept 24 announced new options for US and European customers to safely extend the life of the Windows 10 operating system free of charge just days before a key deadline to upgrade to Windows 11. From a report: The US tech giant plans to end support for Windows 10 on Oct 14, a move that has drawn criticism from consumer advocacy groups and sparked concerns among users who fear they will need to purchase new computers to stay protected from cyber threats.

Users who are unable to upgrade or choose to forgo the extended security updates will face increased vulnerability to cyberattacks. In response to these concerns, Microsoft informed European users that essential security updates will be extended for one year at no additional cost, provided they log in with a Microsoft account. Previously, the company had offered a one-year extension of Windows 10 security updates for $30 to users whose hardware is incompatible with Windows 11. In the US, a similar free option will allow users to upload their Windows 10 profiles to Microsoft's backup service and receive security updates for up to one year.

Security

Jaguar Land Rover Hack 'Has Cost 30,000 Cars and Threatens Supply Chain' (thetimes.com) 92

Jaguar Land Rover has halted production for nearly a month following a major cyberattack, costing an estimated 30,000 vehicles and billions in lost revenue. "The company said on Tuesday that production would be halted for another week until at least October 1, which increased concerns that a full return to production could be months away," reports The Times. From the report: David Bailey, professor of business economics at Birmingham University, said the JLR statement did not commit to reopening production on October 1 and even if it did "it's not going to be back to normal, but phased production start with some lines opening before others, as we saw after the Covid closure back in 2020." He said: "It's 24 days [shutdown] as of September 24. So that is roughly 1,000 cars a day, 24,000 cars not produced. So by then, that's about 1.7 billion pounds in lost revenue. By October 1, it will be a hit to revenue of something like 2.2 billion pounds. It's pretty massive. JLR can get through, but they're going to be burning through cash this month."

Bailey also raised concerns that smaller companies further down the supply chain lacked the cash reserves to withstand the shutdown. The company directly employs more than 30,000 people, and it is estimated that approximately 200,000 workers in the supply chain depend on work from JLR. "The union has said that in some cases, staff have been told to go and apply for universal credit. There are firms I know that have applied for bank loans to keep going. But even then, you know they're approaching the limit of what they do. There's an added knock-on effect that some of the suppliers also supply other car assemblers, Toyota or Mini. So some of those are concerned that bits of the supply chain may go under and affect them as well, because the industry is so connected. One way or another, the government's going to take a hit. Either through some sort of emergency support, whether that's furlough or emergency short-term loans or through unemployment benefit, if this carries on."

There has been uncertainty over the extent of the cyberattack and exactly how the company has been affected, as well as who is responsible for it. According to one source, some JLR staff were still unable last week to access the Slack messaging system through the company's "one sign on" system. The JLR statement added: "We have made this decision to give clarity for the coming week as we build the timeline for the phased restart of our operations and continue our investigation."

AI

MediaTek Launches Improved AI Processor To Compete With Qualcomm 2

An anonymous reader quotes a report from Bloomberg: MediaTek is launching a mobile processor more capable of handling agentic AI tasks on devices, positioning to better compete with Qualcomm. The new Dimensity 9500 will provide users with better summaries of calls and meetings, improved output from AI models and superior 4K photos, the Taiwanese company said in a statement. The chip is made using an advanced 3-nanometer process by Taiwan Semiconductor Manufacturing Co., according to MediaTek, and handsets carrying the new chip will become available in the fourth quarter.

Xiaomi is set to launch its latest handset range powered by Qualcomm's newest Snapdragon processor later this week, and the Chinese smartphone maker is aiming to benchmark its upcoming devices against Apple Inc.'s iPhone 17. MediaTek's processor, meanwhile, is expected to give Xiaomi's rivals including Vivo a boost in the premium segment. [...] Separately, the Taiwanese company is preparing to place chip orders for automotive and more sensitive applications with TSMC's Arizona plant as some US customers have security concerns, according to the executives.

The Internet

MI6 Launches Dark Web Portal To Attract Spies In Russia (reuters.com) 20

An anonymous reader quotes a report from Reuters: A new dark web portal to recruit spies for the UK was launched last Friday (19th September), as the UK steps up its commitment to national security. Harnessing the anonymity of the dark web for the first time, MI6's new secure messaging platform -- Silent Courier -- enables anyone, anywhere in the world with access to sensitive information relating to terrorism or hostile intelligence activity to securely contact the UK and offer their services. Instructions on how to access the portal will be publicly available on MI6's verified YouTube channel as the UK reaches out to potential new agents in Russia and around the world. MI6 advises individuals accessing its portal to use trustworthy VPNs and devices not linked to themselves, to mitigate risks which exist in some countries.

The announcement was made by the outgoing Chief of MI6, Sir Richard Moore, in Istanbul where he stated that the platform will make it easier for MI6 to recruit agents online. As MI6 establishes its official presence on the dark web to reach new recruits and tackle hostile actors seeking to undermine UK security, Sir Richard said that the UK's intelligence services are "critical to calibrating risk and informing decisions" in navigating threats from hostile actors -- making platforms like these even more important in keeping our country safe. Sir Richard said: "Today we're asking those with sensitive information on global instability, international terrorism or hostile state intelligence activity to contact MI6 securely online. Our virtual door is open to you."

Foreign Secretary Yvette Cooper said: "National security is the first duty of any government and the bedrock of the Prime Minister's Plan for Change. As the world changes, and the threats we're facing multiply, we must ensure the UK is always one step ahead of our adversaries. Our world class intelligence agencies are at the coalface of this challenge, working behind the scenes to keep British people safe. Now we're bolstering their efforts with cutting-edge tech so MI6 can recruit new spies for the UK - in Russia and around the world."

Government

Meta's AI System Llama Approved For Use By US Government Agencies 9

The U.S. General Services Administration has approved Meta's AI system Llama for use by federal agencies, declaring that it meets government security and legal standards. Reuters reports: "It's not about currying favor," [said Josh Gruenbaum, the GSA's procurement lead, when asked whether tech executives are giving the government discounts to get President Donald Trump's approval]. "It's about that recognition of how do we all lock in arms and make this country the best country it could possibly be." Federal agencies will be able to deploy the tool to speed up contract review or more quickly solve information technology hiccups, among other tasks, he said.

Social Networks

TikTok Algorithm To Be Retrained On US User Data Under Trump Deal (bbc.com) 37

The Trump administration has struck a deal requiring TikTok's algorithm to be copied, retrained, and operated in the U.S. using only U.S. user data, with Oracle auditing the system and U.S. investors forming a joint venture to oversee it. The BBC reports: It comes after President Donald Trump said a deal to prevent the app's ban in the US, unless sold by its Chinese parent company ByteDance, had been reached with China's approval. White House officials claim the deal will be a win for the app's US users and citizens. President Trump is expected to sign an executive order later this week on the proposed deal, which will set out how it will comply with US national security demands.

The order will also outline a 120-day pause to the enforcement deadline to allow the deal to close. It is unclear whether the Chinese government has approved this agreement, or begun to take regulatory steps required to deliver it. However, the White House appears confident it has secured China's approval. Data belonging to the 170m users TikTok says it has in the US is already held on Oracle servers, under an existing arrangement called Project Texas. It saw US user data siphoned off due to concerns it could fall into the hands of the Chinese government.

A senior White House official said that under President Trump's deal, the company would take on a comprehensive role in securing the entirety of the app for American users. They said this would include auditing and inspecting the source code and recommendation system underpinning the app, and rebuilding it for US users using only US user data.

AI

AI Tools Give Dangerous Powers to Cyberattackers, Security Researchers Warn (msn.com) 21

"On a recent assignment to test defenses, Dave Brauchler of the cybersecurity company NCC Group tricked a client's AI program-writing assistant into executing programs that forked over the company's databases and code repositories," reports the Washington Post.

"We have never been this foolish with security," Brauchler said... Demonstrations at last month's Black Hat security conference in Las Vegas included other attention-getting means of exploiting artificial intelligence. In one, an imagined attacker sent documents by email with hidden instructions aimed at ChatGPT or competitors. If a user asked for a summary or one was made automatically, the program would execute the instructions, even finding digital passwords and sending them out of the network. A similar attack on Google's Gemini didn't even need an attachment, just an email with hidden directives. The AI summary falsely told the target an account had been compromised and that they should call the attacker's number, mimicking successful phishing scams.

The threats become more concerning with the rise of agentic AI, which empowers browsers and other tools to conduct transactions and make other decisions without human oversight. Already, security company Guardio has tricked the agentic Comet browser addition from Perplexity into buying a watch from a fake online store and to follow instructions from a fake banking email...

Advanced AI programs also are beginning to be used to find previously undiscovered security flaws, the so-called zero-days that hackers highly prize and exploit to gain entry into software that is configured correctly and fully updated with security patches. Seven teams of hackers that developed autonomous "cyber reasoning systems" for a contest held last month by the Pentagon's Defense Advanced Research Projects Agency were able to find a total of 18 zero-days in 54 million lines of open source code. They worked to patch those vulnerabilities, but officials said hackers around the world are developing similar efforts to locate and exploit them. Some longtime security defenders are predicting a once-in-a-lifetime, worldwide mad dash to use the technology to find new flaws and exploit them, leaving back doors in place that they can return to at leisure.

The real nightmare scenario is when these worlds collide, and an attacker's AI finds a way in and then starts communicating with the victim's AI, working in partnership — "having the bad guy AI collaborate with the good guy AI," as SentinelOne's [threat researcher Alex] Delamotte put it. "Next year," said Adam Meyers, senior vice president at CrowdStrike, "AI will be the new insider threat."

In August more than 1,000 people lost data to a modified Nx program (downloaded hundreds of thousands of times) that used pre-installed coding tools from Google/Anthropic/etc. According to the article, the malware "instructed those programs to root out" sensitive data (including passwords or cryptocurrency wallets) and send it back to the attacker. "The more autonomy and access to production environments such tools have, the more havoc they can wreak," the article points out — including this quote from SentinelOne threat researcher Alex Delamotte.

"It's kind of unfair that we're having AI pushed on us in every single product when it introduces new risks."

Programming

Secure Software Supply Chains, Urges Former Go Lead Russ Cox (acm.org) 19

Writing in Communications of the ACM, former Go tech lead Russ Cox warns we need to keep improving defenses of software supply chains, highlighting "promising approaches that should be more widely used" and "areas where more work is needed." There are important steps we can take today, such as adopting software signatures in some form, making sure to scan for known vulnerabilities regularly, and being ready to update and redeploy software when critical new vulnerabilities are found. More development should be shifted to safer languages that make vulnerabilities and attacks less likely. We also need to find ways to fund open source development to make it less susceptible to takeover by the mere offer of free help. Relatively small investments in OpenSSL and XZ development could have prevented both the Heartbleed vulnerability and the XZ attack.

Some highlights from the 5,000-word article:
  • Make Builds Reproducible. "The Reproducible Builds project aims to raise awareness of reproducible builds generally, as well as building tools to help progress toward complete reproducibility for all Linux software. The Go project recently arranged for Go itself to be completely reproducible given only the source code... A build for a given target produces the same distribution bits whether you build on Linux or Windows or Mac, whether the build host is X86 or ARM, and so on. Strong reproducibility makes it possible for others to easily verify that the binaries posted for download match the source code..."
  • Prevent Vulnerabilities. "The most secure software dependencies are the ones not used in the first place: Every dependency adds risk... Another good way to prevent vulnerabilities is to use safer programming languages that remove error-prone language features or make them needed less often..."
  • Authenticate Software. ("Cryptographic signatures make it impossible to nefariously alter code between signing and verifying. The only problem left is key distribution...") "The Go checksum database is a real-world example of this approach that protects millions of Go developers. The database holds the SHA256 checksum of every version of every public Go module..."
  • Fund Open Source. [Cox first cites the XKCD cartoon "Dependencies," calling it "a disturbingly accurate assessment of the situation..."] "The XZ attack is the clearest possible demonstration that the problem is not fixed. It was enabled as much by underfunding of open source as by any technical detail."

The article also emphasized the importance of finding and fixing vulnerabilities quickly, arguing that software attacks must be made more difficult and expensive.

"We use source code downloaded from strangers on the Internet in our most critical applications; almost no one is checking the code.... We all have more work to do."

