Power

US DOE Taps Federal Sites For Fast-Track AI Datacenter, Energy Builds

The U.S. Department of Energy has greenlit four federal sites for private sector AI datacenters and nuclear-powered energy projects, aligning with Trump's directive to fast-track AI infrastructure using government land. "The four that have been finalized are the Idaho National Laboratory, Oak Ridge Reservation, Paducah Gaseous Diffusion Plant, and Savannah River Site," reports The Register. "These will now move forward to invite companies in the private sector to build AI datacenter projects plus any necessary energy sources to power them, including nuclear generation." The Register reports: "By leveraging DoE land assets for the deployment of AI and energy infrastructure, we are taking a bold step to accelerate the next Manhattan Project -- ensuring US AI and energy leadership," Energy Secretary Chris Wright said in a statement. Ironically -- or perhaps not -- Oak Ridge Reservation was established in the early 1940s as part of the original Manhattan Project to develop the first atomic bomb, and is home to the Oak Ridge National Laboratory (ORNL) that operates the Frontier exascale supercomputer, and the Y-12 National Security Complex which supports US nuclear weapons programs.

The other sites are also involved with either nuclear research or atomic weapons in one way or another, which may hint at the administration's intentions for how the datacenters should be powered. All four locations are positioned to host new bit barns as well as power generation to bolster grid reliability, strengthen national security, and reduce energy costs, Wright claimed. [...] In light of this tight time frame, the DoE says that partners may be selected by the end of the year. Details regarding project scope, eligibility requirements, and submission guidelines for each site are expected to be released in the coming months.

Privacy

Women Dating Safety App 'Tea' Breached, Users' IDs Posted To 4chan (404media.co)

An anonymous reader quotes a report from 404 Media: Users from 4chan claim to have discovered an exposed database hosted on Google's mobile app development platform, Firebase, belonging to the newly popular women's dating safety app Tea. Users say they are rifling through people's personal data and selfies uploaded to the app, and then posting that data online, according to screenshots, 4chan posts, and code reviewed by 404 Media. In a statement to 404 Media, Tea confirmed the breach also impacted some direct messages but said that the data is from two years ago. Tea, which claims to have more than 1.6 million users, reached the top of the App Store charts this week and has tens of thousands of reviews there. The app aims to provide a space for women to exchange information about men in order to stay safe, and verifies that new users are women by asking them to upload a selfie.

"Yes, if you sent Tea App your face and drivers license, they doxxed you publicly! No authentication, no nothing. It's a public bucket," a post on 4chan providing details of the vulnerability reads. "DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!" The thread says the issue was an exposed database that allowed anyone to access the material. [...] "The images in the bucket are raw and uncensored," the user wrote. Multiple users have created scripts to automate the process of collecting people's personal information from the exposed database, according to other posts in the thread and copies of the scripts. In its terms of use, Tea says "When you first create a Tea account, we ask that you register by creating a username and including your location, birth date, photo and ID photo."

After publication of this article, Tea confirmed the breach in an email to 404 Media. The company said on Friday it "identified unauthorized access to one of our systems and immediately launched a full investigation to assess the scope and impact." The company says the breach impacted data from more than two years ago, and included 72,000 images (13,000 selfies and photo IDs, and 59,000 images from app posts and direct messages). "This data was originally stored in compliance with law enforcement requirements related to cyber-bullying prevention," the email continued. "We have engaged third-party cybersecurity experts and are working around the clock to secure our systems. At this time, there is no evidence to suggest that current or additional user data was affected. Protecting our users' privacy and data is our highest priority. We are taking every necessary step to ensure the security of our platform and prevent further exposure."

Security

DNS Security is Important But DNSSEC May Be a Failed Experiment (theregister.com)

Domain Name System Security Extensions (DNSSEC) has reached only 34% deployment in the 28 years since publication of the first DNSSEC RFC, according to Internet Society data that labels it "arguably the worst performing technology" among internet enabling technologies. By contrast, HTTPS has reached 96% adoption among the top 1,000 websites globally despite roughly the same development timeline as DNSSEC.

The security protocol faces fundamental barriers, including a lack of user visibility compared with the HTTPS padlock icon and the requirement that it be implemented throughout the entire DNS hierarchy. Approximately 30% of country-level domains have not implemented DNSSEC, creating deployment gaps that prevent domains beneath them from securing their DNS records.

Microsoft

Microsoft Used China-Based Support for Multiple U.S. Agencies, Potentially Exposing Sensitive Data (propublica.org)

Microsoft used China-based engineering teams to maintain cloud computing systems for multiple federal departments including Justice, Treasury, and Commerce, extending the practice beyond the Defense Department that the company announced last week it would discontinue. The work occurred within Microsoft's Government Community Cloud, which handles sensitive but unclassified federal information and has been used by the Justice Department's Antitrust Division for criminal and civil investigations, as well as parts of the Environmental Protection Agency and Department of Education.

Microsoft employed "digital escorts" -- U.S.-based personnel who supervised the foreign engineers -- similar to the arrangement it used for Pentagon systems. Following ProPublica's reporting, Microsoft issued a statement indicating it would take "similar steps for all our government customers who use Government Community Cloud to further ensure the security of their data." Competing cloud providers Amazon Web Services, Google, and Oracle told ProPublica they do not use China-based support for federal contracts.

Social Networks

Trump, Who Promised To Save TikTok, Threatens To Shut Down TikTok (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Donald Trump vowed to save TikTok before taking office, claiming only he could make a deal to keep the app operational in the US despite national security concerns. But then, he put Vice President JD Vance in charge of the deal, and after months of negotiations, the US still doesn't seem to have found terms for a sale that the Chinese government is willing to approve. Now, Trump Commerce Secretary Howard Lutnick has confirmed that if China won't approve the latest version of the deal -- which could result in a buggy version of TikTok made just for the US -- the administration is willing to shut down TikTok. And soon.

On Thursday, Lutnick told CNBC that TikTok would stop operating in the US if China and TikTok owner ByteDance won't sell the app to buyers that Trump lined up, along with control over TikTok's algorithm. Under the deal Trump is now pushing, "China can have a little piece or ByteDance, the current owner, can keep a little piece," Lutnick said. "But basically, Americans will have control. Americans will own the technology, and Americans will control the algorithm." However, ByteDance's board has long maintained that the US can alleviate its national security fears -- that China may be using the popular app to manipulate and spy on Americans -- without forcing a sale. In January, a ByteDance board member, Bill Ford, told World Economic Forum attendees that a non-sale option "could involve a change of control locally to ensure" TikTok "complies with US legislation" without selling off the app or its algorithm.

At this point, Lutnick suggested that the US is unwilling to bend on the requirement that the US control the recommendation algorithm, which is viewed as the secret sauce that makes the app so popular globally. ByteDance may be unwilling to sell the algorithm partly because then it would be sharing its core intellectual property with competitors in the US. Earlier this month, Trump had claimed that he wasn't "confident" that China would approve the deal, even though he thought it was "good for China." Analysts have suggested that China views TikTok as a bargaining chip in its tariff negotiations with Trump, which continue to not go smoothly, and it may be OK with the deal but unwilling to release the bargaining chip without receiving key concessions from the US. For now, the US and China are enjoying a 90-day truce that could end in August, about a month before the deadline Trump set to sell TikTok in mid-September.

Microsoft

Microsoft Says Some SharePoint Server Hackers Now Using Ransomware (reuters.com)

A cyber-espionage campaign exploiting vulnerable Microsoft server software has escalated to deploying ransomware against victims, Microsoft said, marking a significant shift from typical state-backed data theft operations to attacks designed to paralyze networks until payment is made. The campaign by a group Microsoft calls "Storm-2603" has compromised at least 400 organizations, according to Netherlands-based cybersecurity firm Eye Security, quadrupling from 100 victims cataloged over the weekend. The National Institutes of Health confirmed one server was breached and additional servers were isolated as a precaution, while reports indicate the Department of Homeland Security and multiple other federal agencies were also compromised.

Security

VMware Prevents Some Perpetual License Holders From Downloading Patches (theregister.com)

An anonymous reader quotes a report from The Register: Some customers of Broadcom's VMware business currently cannot access security patches, putting them at greater risk of attack. Customers in that perilous position hold perpetual licenses for VMware products but do not have a current support contract with Broadcom, which will not renew those contracts unless users sign up for software subscriptions. Yet many customers in this situation run products that Broadcom continues to support with patches and updates.

In April 2024, Broadcom CEO Hock Tan promised "free access to zero-day security patches for supported versions of vSphere" so customers "are able to use perpetual licenses in a safe and secure fashion." VMware patches aren't freely available; users must log on to Broadcom's support portal to access the software. Some VMware users in this situation have told The Register that when they enter the portal they cannot download patches, and that VMware support staff have told them it may be 90 days before the software fixes become available.

"Because our support portal requires validation of customer entitlements for software patches, only entitled customers have access to the patches at this time," a VMware spokesperson said. "A separate patch delivery cycle will also be available for non-entitled customers and will follow at a later date."

The timing of that "later date" remains uncertain. The Register also notes that "users haven't had access to patches since May."

The Courts

After $380 Million Hack, Clorox Sues Its 'Service Desk' Vendor For Simply Giving Out Passwords (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Hacking is hard. Well, sometimes. Other times, you just call up a company's IT service desk and pretend to be an employee who needs a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset... and it's done. Without even verifying your identity. So you use that information to log in to the target network and discover a more trusted user who works in IT security. You call the IT service desk back, acting like you are now this second person, and you request the same thing: a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset. Again, the desk provides it, no identity verification needed. So you log in to the network with these new credentials and set about planting ransomware or exfiltrating data in the target network, eventually doing an estimated $380 million in damage. Easy, right?

According to The Clorox Company, which makes everything from lip balm to cat litter to charcoal to bleach, this is exactly what happened to it in 2023. But Clorox says that the "debilitating" breach was not its fault. It had outsourced the "service desk" part of its IT security operations to the massive services company Cognizant -- and Clorox says that Cognizant failed to follow even the most basic agreed-upon procedures for running the service desk. In the words of a new Clorox lawsuit, Cognizant's behavior was "all a devastating lie," it "failed to show even scant care," and it was "aware that its employees were not adequately trained."

"Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques," says the lawsuit, using italics to indicate outrage emphasis. "The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox's network, and Cognizant handed the credentials right over. Cognizant is on tape handing over the keys to Clorox's corporate network to the cybercriminal -- no authentication questions asked." [...] The new lawsuit, filed in California state courts, wants Cognizant to cough up millions of dollars to cover the damage Clorox says it suffered after weeks of disruption to its factories and ordering systems. (You can read a brief timeline of the disruption here.)

The Internet

Power Cuts, Cable Damage, and Government Shutdowns Behind Q2 Internet Outages (theregister.com)

Internet outages spiked during the second quarter of 2025, driven by government-mandated shutdowns, infrastructure failures, and technical glitches, according to Cloudflare's quarterly disruption report.

Government restrictions returned after a quiet first quarter, with Libya, Iran, Iraq, Syria, and Panama imposing internet cutoffs for reasons ranging from protest suppression to exam security. A massive power outage on April 28 knocked Spain's internet traffic down 80% and Portugal's by 90%, with service restored around 1 a.m. the following day.

Cable damage caused complete outages for Digicel in Haiti and a 90-minute disruption for Airtel in Malawi. Several major outages went unexplained, including an eight-hour blackout at SkyCable in the Philippines and a nationwide outage at Thai provider TrueMove H, with companies providing no official explanations for the service failures.

United States

US Nuclear Weapons Agency 'Among 400 Organizations Breached By Chinese Hackers' (slashdot.org)

A cyber-espionage campaign exploiting unpatched Microsoft SharePoint vulnerabilities has breached approximately 400 organizations worldwide, including the US National Nuclear Security Administration, according to Netherlands-based cybersecurity firm Eye Security. The figure represents a four-fold increase from 100 organizations cataloged over the weekend, with researchers calling it likely an undercount since not all attack vectors leave detectable artifacts.

Microsoft identified three Chinese groups -- state-backed Linen Typhoon and Violet Typhoon, plus China-based Storm-2603 -- as exploiting the vulnerabilities in on-premises SharePoint servers to steal authentication credentials and execute malicious code remotely. The campaign began July 7 and was first detected July 18 when Eye Security found unusual activity on a customer's server. Victims include the US Energy Department, Education Department, Florida's Department of Revenue, Rhode Island General Assembly, and European and Middle Eastern governments.

United Kingdom

UK To Ban Public Sector Orgs From Paying Ransomware Gangs (bleepingcomputer.com)

The United Kingdom's government is planning to ban public sector and critical infrastructure organizations from paying ransoms after ransomware attacks. From a report: The list of entities that would have to follow the new proposed legislation includes local councils, schools, and the publicly funded National Health Service (NHS).

"Ransomware is estimated to cost the UK economy millions of pounds each year, with recent high-profile ransomware attacks highlighting the severe operational, financial, and even life-threatening risks. The ban would target the business model that fuels cyber criminals' activities and makes the vital services the public rely on a less attractive target for ransomware groups," the UK government said.

"We're determined to smash the cyber criminal business model and protect the services we all rely on as we deliver our Plan for Change. By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware," Security Minister Dan Jarvis added.

Businesses

Amazon Buys Bee AI Wearable That Listens To Everything You Say

Amazon is acquiring Bee, a startup that makes a $49.99 AI-powered wearable that passively listens to conversations and generates personalized summaries and suggestions. "You can also give the device permission to access your emails, contacts, location, reminders, photos, and calendar events to help inform its AI-generated insights, as well as create a searchable history of your activities," adds The Verge. From the report: When asked about Amazon's plans to apply the same privacy measures offered by Bee, such as its policy against storing audio, Amazon spokesperson Alexandra Miller says the company "cares deeply" about customer privacy and security, adding that the company will work with Bee to give users "even greater control over" their devices when the deal closes.

"We've been strong stewards of customer data since our founding, and have never been in the business of selling our customers' personal information to others," Miller says. "We design our products to protect our customers' privacy and security and to make it easy for them to be in control of their experience -- and this approach would of course apply to Bee." Miller also says the terms of the deal are "confidential," and all Bee employees have "received offers to join Amazon."

Privacy

Brave Browser Blocks Microsoft Recall By Default (brave.com)

The Brave Browser now blocks Microsoft Recall by default for Windows 11+ users, preventing the controversial screenshot-logging feature from capturing any Brave tabs -- regardless of whether users are in private mode. Brave cites persistent privacy concerns and potential abuse scenarios as justification. From a blog post: Microsoft has, to their credit, made several security and privacy-positive changes to Recall in response to concerns. Still, the feature is in preview, and Microsoft plans to roll it out more widely soon. What exactly the feature will look like when it's fully released to all Windows 11 users is still up in the air, but the initial tone-deaf announcement does not inspire confidence.

Given Brave's focus on privacy-maximizing defaults and what is at stake here (your entire browsing history), we have proactively disabled Recall for all Brave tabs. We think it's vital that your browsing activity on Brave does not accidentally end up in a persistent database, which is especially ripe for abuse in highly-privacy-sensitive cases such as intimate partner violence.

Microsoft has said that private browsing windows on browsers will not be saved as snapshots. We've extended that logic to apply to all Brave browser windows. We tell the operating system that every Brave tab is 'private', so Recall never captures it. This is yet another example of how Brave engineers are able to quickly tweak Chromium's privacy functionality to make Brave safer for our users (inexhaustive list here). For more technical details, see the pull request implementing this feature. Brave is the only major Web browser that disables Microsoft Recall by default in all tabs.

Google

Google Launches OSS Rebuild (googleblog.com)

Google has announced OSS Rebuild, a new project designed to detect supply chain attacks in open source software by independently reproducing and verifying package builds across major repositories. The initiative, unveiled by the company's Open Source Security Team, targets PyPI (Python), npm (JavaScript/TypeScript), and Crates.io (Rust) packages.

The system, the company said, automatically creates standardized build environments to rebuild packages and compare them against published versions. OSS Rebuild generates SLSA Provenance attestations for thousands of packages, meeting SLSA Build Level 3 requirements without requiring publisher intervention. The project can identify three classes of compromise: unsubmitted source code not present in public repositories, build environment tampering, and sophisticated backdoors that exhibit unusual execution patterns during builds.

Google cited recent real-world attacks including solana/webjs (2024), tj-actions/changed-files (2025), and xz-utils (2024) as examples of threats the system addresses. Open source components now account for 77% of modern applications with an estimated value exceeding $12 trillion. The project builds on Google's hosted infrastructure model previously used for OSS-Fuzz memory issue detection.

Businesses

US Signals Intention To Rethink Job H-1B Lottery (theregister.com)

The US Department of Homeland Security (DHS) and the US Citizenship and Immigration Services (USCIS) intend to reevaluate how H-1B visas are issued, according to a regulatory filing. From a report: The notice, filed on Thursday with the US Office of Management and Budget's Office of Information and Regulatory Affairs (OIRA), seeks the statutory review of a proposed rule titled "Weighted Selection Process for Registrants and Petitioners Seeking To File Cap-Subject H-1B Petitions."

Once the review is complete, which could be a matter of days or weeks, the text of the rule is expected to be published in the US Federal Register. Based on the rule title, it appears the government intends to change the system for allocating H-1B visas from the current lottery to some system that will favor applicants who meet specified criteria, possibly related to skills.

The H-1B visa program, which reached its Fiscal 2026 cap on Friday, allows skilled guest workers to come work in the US. As of 2019, there were about 600,000 H-1B workers in the US, according to USCIS. The foreign worker program is beloved by technology companies, ostensibly to hire talent not readily available from American workers. But H-1B -- along with the Optional Practical Training (OPT) program -- has long been criticized for making it easier to undercut US worker wages, limiting labor rights for immigrants, and for persistent abuse of the rules by outsourcing companies.

Medicine

At Least 750 US Hospitals Faced Disruptions During Last Year's CrowdStrike Outage, Study Finds (wired.com)

At least 759 US hospitals experienced network disruptions during the CrowdStrike outage on July 19, 2024, with more than 200 suffering outages that directly affected patient care services, according to a study published in JAMA Network Open by UC San Diego researchers. The researchers detected disruptions across 34% of the 2,232 hospital networks they scanned, finding outages in health records systems, fetal monitoring equipment, medical imaging storage, and patient transfer platforms.

Most services recovered within six hours, though some remained offline for more than 48 hours. CrowdStrike dismissed the study as "junk science," arguing the researchers failed to verify whether affected networks actually ran CrowdStrike software. The researchers defended their methodology, noting they could scan only about one-third of America's hospitals, suggesting the actual impact may have been significantly larger.

Music

Spotify Publishes AI-Generated Songs From Dead Artists Without Permission (404media.co)

Spotify was found publishing AI-generated songs on the official pages of deceased artists like Blaze Foley and Guy Clark -- without permission from their estates or labels. The tracks, flagged for deceptive content and now removed, were uploaded via TikTok's SoundOn distribution platform. "We've flagged the issue to SoundOn, the distributor of the content in question, and it has been removed for violating our Deceptive Content policy," a Spotify spokesperson told 404 Media. From the report: McDonald, who decided to originally upload Foley's music to Spotify in order to share it with more people, told me he never thought that an AI-generated track could appear on Foley's page without his permission. "It's harmful to Blaze's standing that this happened," he said. "It's kind of surprising that Spotify doesn't have a security fix for this type of action, and I think the responsibility is all on Spotify. They could fix this problem. One of their talented software engineers could stop this fraudulent practice in its tracks, if they had the will to do so. And I think they should take that responsibility and do something quickly."

McDonald's suggested fix is not allowing any track to appear on an artist's official Spotify page without allowing the page owner to sign off on it first. "Any real Blaze fan would know, I think, pretty instantly, that this is not Blaze or a Blaze recording," he said. "Then the harm is that the people who don't know Blaze go to the site thinking, maybe this is part of Blaze, when clearly it's not. So again, I think Spotify could easily change some practices. I'm not an engineer, but I think it's pretty easy to stop this from happening in the future."

Security

Alaska Airlines Resumes Operations After System Glitch Grounds All Flights (gizmodo.com)

Alaska Airlines and Horizon Air grounded all flights Sunday night due to a major IT outage, prompting a system-wide FAA ground stop that lasted until early Monday. Although operations have since resumed, passengers are still facing delays and residual disruptions. Gizmodo reports: The airline requested a system-wide ground stop from federal aviation authorities at about 11 p.m. ET on Sunday night. That stop remained in effect until around 2 a.m. ET Monday, when the Federal Aviation Administration confirmed it had been lifted. But disruptions didn't end there. Alaska warned passengers to brace for likely delays throughout the day. [...] The FAA's website listed the stop as applying to all Alaska Airlines aircraft. Gizmodo notes that the incident comes nearly a year after the massive 2024 CrowdStrike crash, which has become known as the largest IT outage in history. "The July 2024 outage brought down an estimated 8.5 million Microsoft Windows systems running CrowdStrike's Falcon Sensor software, disrupting everything from hospitals and airports to broadcast networks."

"There's no word yet from Alaska on whether the outage ties into a broader software problem, but the timing, almost exactly a year after the CrowdStrike crash, isn't going unnoticed on social media, with users wondering if the events are related."

Privacy

Weak Password Allowed Hackers To Sink a 158-Year-Old Company (bbc.com)

An anonymous reader quotes a report from the BBC: One password is believed to have been all it took for a ransomware gang to destroy a 158-year-old company and put 700 people out of work. KNP -- a Northamptonshire transport company -- is just one of tens of thousands of UK businesses that have been hit by such attacks. Big names such as M&S, Co-op and Harrods have all been attacked in recent months. The chief executive of Co-op confirmed last week that all 6.5 million of its members had had their data stolen. In KNP's case, it's thought the hackers managed to gain entry to the computer system by guessing an employee's password, after which they encrypted the company's data and locked its internal systems. KNP director Paul Abbott says he hasn't told the employee that their compromised password most likely led to the destruction of the company. "Would you want to know if it was you?" he asks. "We need organizations to take steps to secure their systems, to secure their businesses," says Richard Horne, CEO of the National Cyber Security Centre (NCSC) -- where Panorama has been given exclusive access to the team battling international ransomware gangs. A gang of hackers, known as Akira, broke into the company's system and demanded a payment to restore the data. "The hackers didn't name a price, but a specialist ransomware negotiation firm estimated the sum could be as much as 5 million pounds," reports the BBC. "KNP didn't have that kind of money. In the end all the data was lost, and the company went under."

Security

Hackers Exploit a Blind Spot By Hiding Malware Inside DNS Records (arstechnica.com)

Hackers are hiding malware inside DNS records, allowing malicious code to bypass security defenses that typically monitor web and email traffic. DomainTools researchers discovered the technique being used to host Joke Screenmate malware, with binary files converted to hexadecimal format and broken into chunks stored in TXT records across subdomains of whitetreecollective[.]com.

Attackers retrieve the chunks through DNS requests and reassemble them into executable malware. The method exploits a blind spot in security monitoring, as DNS traffic often goes unscrutinized compared to other network activity.