"Anybody who's got a hosted SharePoint server has got a problem," the senior VP of cybersecurity firm CrowdStrike told the Washington Post. "It's a significant vulnerability."

And it's led to a new "global attack on government agencies and businesses" in the last few days, according to the article, "breaching U.S. federal and state agencies, universities, energy companies and an Asian telecommunications company, according to state officials and private researchers..."

"Tens of thousands of such servers are at risk, experts said, and Microsoft has issued no patch for the flaw, leaving victims around the world scrambling to respond." (Microsoft says they are "working on" security updates "for supported versions of SharePoint 2019 and SharePoint 2016," offering various mitigation suggestions, and CISA has released their own recommendations.)

From the Washington Post's article Sunday: Microsoft has suggested that users make modifications to SharePoint server programs or simply unplug them from the internet to stanch the breach. Microsoft issued an alert to customers but declined to comment further... "We are seeing attempts to exploit thousands of SharePoint servers globally before a patch is available," said Pete Renals, a senior manager with Palo Alto Networks' Unit 42. "We have identified dozens of compromised organizations spanning both commercial and government sectors.''

With access to these servers, which often connect to Outlook email, Teams and other core services, a breach can lead to theft of sensitive data as well as password harvesting, Netherlands-based research company Eye Security noted. What's also alarming, researchers said, is that the hackers have gained access to keys that may allow them to regain entry even after a system is patched. "So pushing out a patch on Monday or Tuesday doesn't help anybody who's been compromised in the past 72 hours," said one researcher, who spoke on the condition of anonymity because a federal investigation is ongoing.

The breaches occurred after Microsoft fixed a security flaw this month. The attackers realized they could use a similar vulnerability, according to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. CISA spokeswoman Marci McCarthy said the agency was alerted to the issue Friday by a cyber research firm and immediately contacted Microsoft... The nonprofit Center for Internet Security, which staffs an information-sharing group for state and local governments, notified about 100 organizations that they were vulnerable and potentially compromised, said Randy Rose, the organization's vice president. Those warned included public schools and universities. Others that were breached included a government agency in Spain, a local agency in Albuquerque and a university in Brazil, security researchers said.
But there's many more breaches, according to the article:

• "Eye Security said it has tracked more than 50 breaches, including at an energy company in a large state and several European government agencies."

• "At least two U.S. federal agencies have seen their servers breached, according to researchers."

• "One state official in the eastern U.S. said the attackers had 'hijacked' a repository of documents provided to the public to help residents understand how their government works. The agency involved can no longer access the material..."

"It was not immediately clear who is behind the hacking of global reach or what its ultimate goal is. One private research company found the hackers targeting servers in China..."

Twitter co-founder/Block CEO Jack Dorsey isn't just vibe coding new apps like Bitchat and Sun Day. He's also "invested $10 million in an effort to fund experimental open source projects and other tools that could ultimately transform the social media landscape," reports TechCrunch," funding the projects through an online collective formed in May called "andOtherStuff: [T]he team at "andOtherStuff" is determined not to build a company but is instead operating like a "community of hackers," explains Evan Henshaw-Plath [who handles UX/onboarding and was also Twitter's first employee]. Together, they're working to create technologies that could include new consumer social apps as well as various experiments, like developer tools or libraries, that would allow others to build apps for themselves.

For instance, the team is behind an app called Shakespeare, which is like the app-building platform Lovable, but specifically for building Nostr-based social apps with AI assistance. The group is also behind heynow, a voice note app built on Nostr; Cashu wallet; private messenger White Noise; and the Nostr-based social community +chorus, in addition to the apps Dorsey has already released. Developments in AI-based coding have made this type of experimentation possible, Henshaw-Plath points out, in the same way that technologies like Ruby on Rails, Django, and JSON helped to fuel an earlier version of the web, dubbed Web 2.0.

Related to these efforts, Henshaw-Plath sat down with Dorsey for the debut episode of his new podcast, revolution.social with @rabble... Dorsey believes Bluesky faces the same challenges as traditional social media because of its structure — it's funded by VCs, like other startups. Already, it has had to bow to government requests and faced moderation challenges, he points out. "I think [Bluesky CEO] Jay [Graber] is great. I think the team is great," Dorsey told Henshaw-Plath, "but the structure is what I disagree with ... I want to push the energy in a different direction, which is more like Bitcoin, which is completely open and not owned by anyone from a protocol layer...."

Dorsey's initial investment has gotten the new nonprofit up and running, and he worked on some of its initial iOS apps. Meanwhile, others are contributing their time to build Android versions, developer tools, and different social media experiments. More is still in the works, says Henshaw-Plath.

"There are things that we're not ready to talk about yet that'll be very exciting," he teases.

"The U.S. is absolutely facing the most serious Chinese hacking ever." That's what the Washington Post was told by a China-focused consultant at security company SentinelOne: Undeterred by recent indictments alleging widespread cyberespionage against American agencies, journalists and infrastructure targets, Chinese hackers are hitting a wider range of targets and battling harder to stay inside once detected, seven current and former U.S. officials said in interviews. Hacks from suspected Chinese government actors detected by the security firm CrowdStrike more than doubled from 2023 to more than 330 last year and continued to climb as the new administration took over, the company said... Although the various Chinese hacking campaigns seem to be led by different government agencies and have different goals, all benefit from new techniques and from Beijing's introduction of a less constrained system for cyber offense, the officials and outside researchers told The Washington Post... Chinese intelligence, military and security agencies previously selected targets and tasked their own employees with breaking in, they said. But the Chinese government decided to take a more aggressive approach by allowing private industry to conduct cyberattacks and hacking campaigns on their own, U.S. officials said.

The companies are recruiting top hackers who discover previously unknown, or "zero-day," flaws in software widely used in the United States. Then the companies search for where the vulnerable programs are installed, hack a great many of them at once, and then sell access to multiple Chinese government customers and other security companies. That hacking-for-hire approach creates hundreds of U.S. victims instead of a few, making it hard to block attacks and to decide which were China's key targets and which were unintentionally caught in the hacks, an FBI official said, speaking on the condition of anonymity to follow agency practices... "The result of that incentive structure is that there is significantly more hacking...."

China has mastered the ability to move undetected through networks of compromised U.S. devices, so that the final connection to a target appears to be an ordinary domestic connection. That makes it easy to get around technology that blocks overseas links and puts it outside the purview of the National Security Agency, which by law must avoid scrutinizing most domestic transmissions. Beijing is increasingly focused on hacking software and security vendors that provide access to many customers at once, the FBI official said. Once access is obtained, the hackers typically add new email and collaboration accounts that look legitimate... Beyond the increased government collaboration with China's private security sector is occasional collaborating with criminal groups, said Ken Dunham, an analyst at the security firm Qualys.
The article notes that China's penetration of U.S. telecom carriers "is still not fully contained, according to the current and former officials." But in addition, the group behind that attack "has more recently shown up inside core communications infrastructure in Europe, according to John Carlin, a former top national security official in the Justice Department who represents some U.S. victims of the group." And documents leaked last year from a security contractor that works with the Chinese military and other government groups "described contracts and targets in 20 countries, with booty including Indian immigration data, logs of calls in South Korea, and detailed information on roads in Taiwan.

"It also detailed prices for some services, such as $25,000 for promised remote access to an iPhone, payment disputes with government customers and employee gripes about long hours..."

Microsoft will stop using China-based engineers to support U.S. military cloud services after a ProPublica report revealed their involvement, prompting backlash from Senator Tom Cotton and a two-week Pentagon review ordered by Defense Secretary Pete Hegseth. In response, Hegseth announced an immediate ban on any Chinese involvement in Department of Defense cloud contracts. Reuters reports: The report detailed Microsoft's use of Chinese engineers to work on U.S. military cloud computing systems under the supervision of U.S. "digital escorts" hired through subcontractors who have security clearances but often lacked the technical skills to assess whether the work of the Chinese engineers posed a cybersecurity threat. [Microsoft] told ProPublica it disclosed its practices to the U.S. government during an authorization process.

On Friday, Microsoft spokesperson Frank Shaw said on social media website X the company changed how it supports U.S. government customers "in response to concerns raised earlier this week ... to assure that no China-based engineering teams are providing technical assistance" for services used by the Pentagon.

BrianFagioli shares a report from NERDS.xyz: Intel has quietly pulled the plug on Clear Linux OS, officially ending support for the once-promising Linux distribution that it had backed for nearly a decade. Effective immediately, the company says it will no longer provide any updates, security patches, or maintenance for the operating system. In a final blow, the Clear Linux OS GitHub repository is now archived in read-only mode.

The move was announced with little fanfare, and for users still relying on Clear Linux OS, there's no sugarcoating it... you need to move on. Intel is urging everyone to migrate to an actively maintained Linux distribution as soon as possible to avoid running unpatched software. "Rest assured that Intel remains deeply invested in the Linux ecosystem, actively supporting and contributing to various open-source projects and Linux distributions to enable and optimize for Intel hardware," the company said in a statement. "A heartfelt thank you to every developer, user, and contributor who helped shape Clear Linux OS over the last 10 years. Your feedback and contributions have been invaluable."

Google has filed a lawsuit to dismantle the sprawling Badbox 2.0 botnet, which infected over 10 million Android devices with pre-installed malware. Badbox 2.0 "is already the largest known botnet of internet-connected TV devices, and it grows each day. It has harmed millions of victims in the United States and around the world and threatens many more," Google said in its complaint. SecurityWeek reports: The internet giant cautions that, while it has been used mainly for fraud, the botnet could be used for more harmful types of cybercrime, such as ransomware or distributed denial-of-service (DDoS) attacks. In addition to pre-installing the malware on devices, Badbox 2.0's operators also tricked users into installing infected applications that provided them with further access to their personal devices, Google says. As part of their operation, the individuals behind Badbox 2.0 sold access to the infected devices to be used as residential proxies, and conducted ad fraud schemes by abusing these devices to create fake ad views or to exploit pay-per-click compensation models, the company continues. The internet giant also points out that this is the second global botnet the perpetrators have built, after the initial Badbox botnet was disrupted by German law enforcement in 2023.

According to Google, Badbox 2.0 is operated by multiple cybercrime groups from China, each having a different role in maintaining the botnet, such as establishing infrastructure, developing and pre-installing the malware on devices, and conducting fraud. "The BadBox 2.0 Enterprise includes several connected threat actor groups that design and implement complex criminal schemes targeting internet-connected devices both before and after the consumer receives the device," Google says. "While each member of the Enterprise plays a distinct role, they all collaborate to execute the BadBox 2.0 Scheme. All of the threat actor groups are connected to one another through the BadBox 2.0 shared C2 infrastructure and historical and current business ties," the company continues.

Ukrainian hacker group BO Team, with help from the Ukrainian Cyber Alliance and possibly Ukraine's military, claims to have wiped out one of Russia's largest military drone manufacturers, destroying 47TB of production data and even disabling the doors in the facility. "Or, as described by the hacking collective (per Google translate), they 'deeply penetrated' the drone manufacturer 'to the very tonsils of demilitarization and denazification,'" reports The Register. From the report: BO Team (also known as Black Owl) announced the breach on its Telegram channel, and claimed to have carried out the operation alongside fellow hackers the Ukrainian Cyber Alliance "and one very well-known organization, the mention of which makes Vanya's bottle receivers explode," according to a Google translation of the Russian text. While the "very well-known organization" isn't named, BO Team included a link to Ukraine's Ministry of Defence.

The military intelligence agency, working alongside the attackers, "carried out large-scale work to capture the entire network and server infrastructure of Gaskar Group, collect valuable information about the UAVs being produced and prospective, and then destroy the information and disable this infrastructure," the Telegram post continued. This reportedly included 47TB of technical information about the production of Russian drones, and BO Team claims to have destroyed all of the information on Gaskar's servers, including 10TB of backup files. "By the way, from the information we received, China is providing assistance in the production and training of specialists of Gaskar Group," the hackers added via Telegram. BO Team also posted what they claim to be confidential employee questionnaires [PDF].

On their own Telegram channel, the Ukrainian Cyber Alliance said they also stole "all the source code" before destroying everything. "The network went down so thoroughly that the doors in the building were blocked," the pro-Ukraine crew wrote, per Google translate. "To open them, the administration had to turn on the fire alarm. Most likely, the defense order is on the verge of failure, and thousands of drones will not get to the front in the near future."

An anonymous reader quotes a report from The Record: Threat actors are stealing sensitive data from organizations by breaching end-of-life appliances made by cybersecurity company SonicWall. Incident responders from Google Threat Intelligence Group (GTIG) and Mandiant said on Wednesday that they have uncovered an ongoing campaign by an unidentified threat group that leverages credentials and one-time password (OTP) seeds stolen during previous intrusions -- allowing the hackers to regain access to organizations even after security updates are installed. [...]

The campaign is targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. Google explained that the malware the hackers are using removes log entries, making it difficult to figure out how they initially gained access to a system. Google said the campaign extends beyond the incidents they investigated directly and added that SonicWall has "confirmed reports of other impacted organizations." The company noted that SonicWall updated an advisory for a bug tracked as CVE-2024-38475 in light of Google's findings. "As an added security measure, we strongly advise customers to reset the OTP (One-Time Password) binding for all users. This step ensures that any potentially compromised or stale OTP secrets are invalidated, thereby mitigating unauthorized access risks," SonicWall said in the update to the advisory..

One novel aspect of the campaign is the use of a backdoor called OVERSTEP, which modifies the SonicWall appliance's boot process to maintain persistent access, steal sensitive credentials and conceal the malware's own components. Incident responders struggled to track other activities by the hackers because OVERSTEP allowed them to delete logs and largely cover their tracks. OVERSTEP is specifically designed for SonicWall SMA 100 series appliances, according to Google. In addition to CVE-2024-38475, Google and Mandiant experts floated several potential vulnerabilities the hackers may have used to gain initial access, including CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039 and, CVE-2025-32819. Beyond those, Google theorized that the hackers may have used an unknown zero-day vulnerability to deploy the malware on targeted SonicWall SMA appliances.

An anonymous reader quotes a report from TechCrunch: Security researchers say Chinese authorities are using a new type of malware to extract data from seized phones, allowing them to obtain text messages -- including from chat apps such as Signal -- images, location histories, audio recordings, contacts, and more. In a report shared exclusively with TechCrunch, mobile cybersecurity company Lookout detailed the hacking tool called Massistant, which the company said was developed by Chinese tech giant Xiamen Meiya Pico.

Massistant, according to Lookout, is Android software used for the forensic extraction of data from mobile phones, meaning the authorities using it need to have physical access to those devices. While Lookout doesn't know for sure which Chinese police agencies are using the tool, its use is assumed widespread, which means Chinese residents, as well as travelers to China, should be aware of the tool's existence and the risks it poses. [...]

The good news ... is that Massistant leaves evidence of its compromise on the seized device, meaning users can potentially identify and delete the malware, either because the hacking tool appears as an app, or can be found and deleted using more sophisticated tools such as the Android Debug Bridge, a command line tool that lets a user connect to a device through their computer. The bad news is that at the time of installing Massistant, the damage is done, and authorities already have the person's data. "It's a big concern. I think anybody who's traveling in the region needs to be aware that the device that they bring into the country could very well be confiscated and anything that's on it could be collected," said Kristina Balaam, a researcher at Lookout who analyzed the malware. "I think it's something everybody should be aware of if they're traveling in the region."

Daniel Stenberg, creator of the curl utility, is considering ending its bug bounty program due to a surge in low-quality, AI-generated reports that are overwhelming the small volunteer team. Despite attempts to discourage AI-assisted submissions, these reports now make up about 20% of all entries in 2025, while genuine vulnerabilities have dropped to just 5%. The Register reports: "The general trend so far in 2025 has been way more AI slop than ever before (about 20 percent of all submissions) as we have averaged about two security report submissions per week," he wrote in a blog post on Monday. "In early July, about 5 percent of the submissions in 2025 had turned out to be genuine vulnerabilities. The valid-rate has decreased significantly compared to previous years."

The situation has prompted Stenberg to reevaluate whether to continue curl's bug bounty program, which he says has paid out more than $90,000 for 81 awards since its inception in 2019. He said he expects to spend the rest of the year mulling possible responses to the rising tide of AI refuse. Presently, the curl bug bounty program -- outsourced to HackerOne - requires the bug reporter to disclose the use of generative AI. It does not entirely ban AI-assisted submissions, but does discourage them. "You should check and double-check all facts and claims any AI told you before you pass on such reports to us," the program's policy explains. "You are normally much better off avoiding AI."

Two bug submissions per week on average may not seem like a lot, but the curl security team consists of only seven members. As Stenberg explains, three or four reviewers review each submission, a process that takes anywhere from 30 minutes to three hours. "I personally spend an insane amount of time on curl already, wasting three hours still leaves time for other things," Stenberg lamented. "My fellows however are not full time on curl. They might only have three hours per week for curl. Not to mention the emotional toll it takes to deal with these mind-numbing stupidities." [...]

Stenberg says it's not clear what HackerOne should do to reduce reckless use of AI, but insists something needs to be done. His post ponders charging a fee to submit a report or dropping the bug bounty award, while also expressing reservations about both potential remedies. "As a lot of these reporters seem to genuinely think they help out, apparently blatantly tricked by the marketing of the AI hype-machines, it is not certain that removing the money from the table is going to completely stop the flood," he concludes.

America's largest corporations are increasingly listing AI among the major risks they must disclose in formal financial filings, despite bullish statements in public about the potential business opportunities it offers. The Register: According to a report from research firm The Autonomy Institute, three-quarters of companies listed in the S&P 500 stock market index have updated their official risk disclosures to detail or expand upon mentions of AI-related risk factors during the past year.

The organization drew its findings from an analysis of Form 10-K filings that the top 500 companies submitted to the US Securities and Exchange Commission (SEC), in which they are required to outline any material risks that could negatively affect their business and its financial health.

The UK secretly relocated thousands of Afghans to the UK after their personal details were disclosed in one of the country's worst ever data breaches, putting them at risk of Taliban retaliation. The operation cost around $2.7 billion and remained under a court-imposed superinjunction until recently lifted. Reuters reports: The leak by the Ministry of Defence in early 2022, which led to data being published on Facebook the following year, and the secret relocation program, were subject to a so-called superinjunction preventing the media reporting what happened, which was lifted on Tuesday by a court. British defence minister John Healey apologised for the leak, which included details about members of parliament and senior military officers who supported applications to help Afghan soldiers who worked with the British military and their families relocate to the UK. "This serious data incident should never have happened," Healey told lawmakers in the House of Commons. It may have occurred three years ago under the previous government, but to all whose data was compromised I offer a sincere apology."

The incident ranks among the worst security breaches in modern British history because of the cost and risk posed to the lives of thousands of Afghans, some of whom fought alongside British forces until their chaotic withdrawal in 2021. Healey said about 4,500 Afghans and their family members have been relocated or were on their way to Britain under the previously secret scheme. But he added that no-one else from Afghanistan would be offered asylum because of the data leak, citing a government review which found little evidence of intent from the Taliban to seek retribution against former officials.

Many trains in the U.S. are vulnerable to a hack that can remotely lock a train's brakes, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the researcher who discovered the vulnerability. From a report:The railroad industry has known about the vulnerability for more than a decade but only recently began to fix it. Independent researcher Neil Smith first discovered the vulnerability, which can be exploited over radio frequencies, in 2012.

"All of the knowledge to generate the exploit already exists on the internet. AI could even build it for you," Smith told 404 Media. "The physical aspect really only means that you could not exploit this over the internet from another country, you would need to be some physical distance from the train [so] that your signal is still received."

The U.S. Department of Defense has awarded contracts worth up to $200 million each to OpenAI, Google, Anthropic, and xAI to scale adoption of advanced AI. "The contracts will enable the DoD to develop agentic AI workflows and use them to address critical national security challenges," reports Reuters, citing the department's Chief Digital and Artificial Intelligence Office. From the report: Separately on Monday, xAI announced a suite of its products called "Grok for Government", making its advanced AI models -- including its latest flagship Grok 4 -- available to federal, local, state and national security customers. The Pentagon announced last month that OpenAI was awarded a $200 million contract, saying the ChatGPT maker would "develop prototype frontier AI capabilities to address critical national security challenges in both warfighting and enterprise domains."

The contracts announced on Monday deepen the ties between companies leading the AI race and U.S. government operations, while addressing concerns around the need for competitive contracts for AI use in federal agencies. "The adoption of AI is transforming the (DoD's) ability to support our warfighters and maintain strategic advantage over our adversaries," Chief Digital and AI Officer Doug Matty said.

An anonymous reader shared this report from InfoWorld: Tiobe CEO Paul Jansen says Ada, a system programming language whose initial development dates back to the late 1970s, could outlast similarly aged languages like Visual Basic, Perl, and Fortran in the language popularity race.

In comments on this month's Tiobe language popularity index, posted July 9, Jansen said the index has not seen much change among leading languages such as Python, C#, and Java over the past two years. But there is more movement among older languages such as Visual Basic, SQL, Fortran, Ada, Perl, and Delphi, said Jansen. Every time one of these languages is expected to stay in the top 10, it is replaced by another language, he said. Even more remarkably, newer languages have yet to rise above them. "Where are Rust, Kotlin, Dart, and Julia? Apparently, established languages are hot."
"Which one will win? Honestly, this is very hard to tell," Jansen writes, "but I would put my bets on Ada. With the ever-stronger demands on security, Ada is, as a system programming language in the safety-critical domain, likely the best survivor."

Perhaps proving his point, one year ago, Ada was ranked #24 — but on this month's index it ranks #9. (Whereas the eight languages above it all remain in the exact same positions they held a year ago...)

1. Python
2. C++
3. C
4. Java
5. C#
6. JavaScript
7. Go
8. Visual Basic
9. Ada
10. Delphi/Object Pascal

At an Amazon warehouse that employs 3,700 people, hundreds of workers recently lost their job, reports the New York Times.

"They are among thousands of foreign workers across the country who have been swept up in a quiet purge, pushed out of jobs in places where their labor was in high demand and at times won high praise." While raids to nab workers in the country without legal permission in fields and Home Depot parking lots have grabbed attention, the job dismissals at the Amazon warehouse are part of the Trump administration's effort to thin the ranks of immigrants who had legal authorization to work... Such dismissals are happening at many of Amazon's more than 1,000 facilities around the country, including in Massachusetts and the warehouse in Staten Island that fills orders for millions of New Yorkers. At one fulfillment center in Florida, hundreds were let go, a person familiar with the site said... "We're supporting employees impacted by the government's recent changes in immigration policy," Richard Rocha, an Amazon spokesperson, said in a statement. The company has pointed workers to various resources, including outside free or low-cost legal services...

The dismissals came with remarkable speed. On May 30, the Supreme Court granted temporary approval for the Trump administration to revoke a program known as "humanitarian parole," which had allowed more than 500,000 migrants feeling political turmoil in Cuba, Haiti, Nicaragua and Venezuela to quickly get work permits if they had a fiscal sponsor... On June 12, the Department of Homeland Security said it had begun notifying enrollees that the program was ending, saying the immigrants had been poorly vetted and undercut American workers...

On June 22, Amazon told managers around the country in an email, which was obtained by The New York Times, that it had "received the first list from D.H.S. identifying impacted Amazon employees" from the parole program, as well as "some employees outside of this specific program whose work authorization is similarly affected." Amazon let the managers know that the next day, the affected workers would receive push notifications in the employee app about the change. Unless the workers could provide alternate work authorization documents in the next five days, they would be suspended without pay and ultimately dismissed.

Brian Witten, VP/CSO of automotive technology supplier Aptiv, warns that "While seven to 10 years may sound like a long way off, preparation for quantum threats must begin now, not once they have already materialized." Organizations need time to implement post-quantum cryptography (PQC) transition plans methodically — and that applies both to anyone with an IT infrastructure and to anyone building software-defined systems. "Current encryption, such as RSA and ECC [elliptic curve cryptography], will become obsolete once quantum computing matures," said Cigent cofounder John Benkert. "Management often assumes cybersecurity threats are only present-day problems. But this is a future-proofing issue — especially relevant for industries dealing with sensitive, long-lifespan data, like healthcare, finance or government." Remediation requires long-term planning. Organizations that wait until quantum computers have broken encryption to address the threat will find that it is too late.
Start by building an inventory of what needs to change, Witten recommends. (Fortunately, "It's a matter of using newer and different chips and algorithms, not necessarily more expensive components," he writes, also suggesting requests for proposals "should ask vendors to include a PQC update plan.")

Firmware will also need quantum-resistant digital signatures. ("Broken authentication lets bad things happen. Someone could remotely take over a vehicle, for instance, or send malicious code for autonomous execution later, even after the vehicle has gone offline.") And remember that post-quantum key sizes are larger, requiring more storage space. "In some cases, digitally signed messages with security information could triple in size, which could impact storage and bandwidth."

Thanks to Esther Schindler (Slashdot reader #16,185) for sharing the article.

Slashdot reader BrianFagioli shared this report from Nerds.xyz: NVIDIA just put out a new security notice, and if you're running one of its powerful GPUs, you might want to pay attention. Researchers from the University of Toronto have shown that Rowhammer attacks, which are already known to affect regular DRAM, can now target GDDR6 memory on NVIDIA's high-end GPUs when ECC [error correction code] is not enabled.

They pulled this off using an A6000 card, and it worked because system-level ECC was turned off. Once it was switched on, the attack no longer worked. That tells you everything you need to know. ECC matters.

Rowhammer has been around for years. It's one of those weird memory bugs where repeatedly accessing one row in RAM can cause bits to flip in another row. Until now, this was mostly a CPU memory problem. But this research shows it can also be a GPU problem, and that should make data center admins and workstation users pause for a second.

NVIDIA is not sounding an alarm so much as reminding everyone that protections are already in place, but only if you're using the hardware properly. The company recommends enabling ECC if your GPU supports it. That includes cards in the Blackwell, Hopper, Ada, and Ampere lines, along with others used in DGX, HGX, and Jetson systems. It also includes popular workstation cards like the RTX A6000.

There's also built-in On-Die ECC in certain newer memory types like GDDR7 and HBM3. If you're lucky enough to be using a card that has it, you're automatically protected to some extent, because OD-ECC can't be turned off. It's always working in the background. But let's be real. A lot of people skip ECC because it can impact performance or because they're running a setup that doesn't make it obvious whether ECC is on or off. If you're not sure where you stand, it's time to check. NVIDIA suggests using tools like nvidia-smi or, if you're in a managed enterprise setup, working with your system's BMC or Redfish APIs to verify settings.

Major space industry players -- including SpaceX, Boeing, and Blue Origin -- are urging Congress to maintain funding for the TraCSS space traffic coordination program, warning that eliminating it would endanger satellite safety and potentially drive companies abroad. Under the proposed FY 2026 budget, the Office of Space Commerce's funding would be cut from $65 million to just $10 million. "That $55M cut is accomplished by eliminating the Traffic Coordination System for Space (TraCSS) program," reports The Register. From the report: "One of OSC's most important functions is to provide space traffic coordination support to US satellite operators, similar to the Federal Aviation Administration's role in air traffic control," stated letters from space companies including SpaceX, Boeing, Blue Origin, and others. The letters argue that safe space operations "in an increasingly congested space domain" are critical for modern services like broadband satellite internet and weather forecasting, but that's not all. "Likewise, a safe space operating environment is vital for continuity of national security space missions such as early warning of missile attacks on deployed US military forces," the letters added.

Industry trade groups sent the letters to the Democratic and Republican leadership of the House and Senate budget subcommittees for Commerce, Justice, Science, and Related Agencies, claiming to represent more than 450 US companies in the space, satellite, and defense sectors. The letters argue for the retention of the OSC's FY 2025 budget of $65 million, as well as keeping control of space traffic coordination within the purview of the Department of Commerce, under which the OSC is nested, and not the Department of Defense, where it was previously managed. "Successive administrations have recognized on a bipartisan basis that space traffic coordination is a global, commercial-facing function best managed by a civilian agency," the companies explained. "Keeping space traffic coordination within the Department of Commerce preserves military resources for core defense missions and prevents the conflation of space safety with military control."

In the budget request document, the government explained the Commerce Department was unable to complete "a government owned and operated public-facing database and traffic coordination system" in a timely manner. The private sector, meanwhile, "has proven they have the capability and the business model to provide civil operators" with the necessary space tracking data. But according to the OSC, TraCSS would have been ready for operations by January 2026, raising the question of why the government would kill the program so late in the game.

Qantas has confirmed that 5.7 million customers have been impacted by a recent data breach through a third-party platform used by its contact center. The breach, attributed to the Scattered Spider threat group, exposed various personal details but did not include passwords, financial, or passport data. BleepingComputer reports: In a new update today, Qantas has confirmed that the threat actors stole data for approximately 5.7 million customers, with varying types of data exposed in the breach:

4 million customer records are limited to name, email address and Qantas Frequent Flyer details. Of this:
- 1.2 million customer records contained name and email address.
- 2.8 million customer records contained name, email address and Qantas Frequent Flyer number. The majority of these also had tier included. A smaller subset of these had points balance and status credits included.

Of the remaining 1.7 million customers, their records included a combination of some of the data fields above and one or more of the following:
- Address - 1.3 million. This is a combination of residential addresses and business addresses including hotels for misplaced baggage delivery.
- Date of birth - 1.1 million
- Phone number (mobile, landline and/or business) - 900,000
- Gender - 400,000. This is separate to other gender identifiers like name and salutation.
- Meal preferences - 10,000