Windows

New Open Source Windows-Compatible Operating System Released (github.com) 94

Red Hat product manager Pau Garcia Quiles (also long-time Slashdot reader paugq) spotted an interesting project on GitHub: Free95, a new lean, Windows-compatible operating system, is available from GitHub. In its current form, it can run very basic Win32 GUI and console applications, but its developer promises to keep working on it to reach DirectX and even game compatibility.
"Free95 is your friendly Windows Environment with an added trust of the open source community," according to its README file. (It's licensed under the GPL-3.0 license.) And in answer to the question "Why?" it responds "To remove Windows's bloat, and security problems. Being controlled by a large corporation is unsettling."

"It's still in-development of course," the developer posted recently on Reddit, "and I'll appreciate anyone who'd like to contribute." In one comment they claim Free95 is "much more lightweight, simpler and faster than ReactOS." And looking to the future, they add "I might do DirectX stuff and make some games run. Or, what about DOOM?"
Chrome

America's Justice Department Still Wants Google to Sell Chrome (msn.com) 64

Last week Google urged the U.S. government not to break up the company — but apparently, it didn't work.
In a new filing Friday, America's Justice Department "reiterated its November proposal that Google be forced to sell its Chrome web browser," reports the Washington Post, "to address a federal judge finding the company guilty of being an illegal monopoly in August." The government also kept a proposal that Google be banned from paying other companies to give its search engine preferential placement on their apps and phones. At the same time, the government dropped its demand that Google sell its stakes in AI start-ups after one of the start-ups, Anthropic AI, argued that it needed Google's money to compete in the fast-growing industry.

The government's final proposal "reaffirms that Google must divest the Chrome browser — an important search access point — to provide an opportunity for a new rival to operate a significant gateway to search the internet, free of Google's monopoly control," Justice Department lawyers wrote in the filing... Judge Amit Mehta, of the U.S. District Court for the District of Columbia, who had ruled that Google held an illegal monopoly, will decide on the final remedies in April.

The article quotes a Google spokesperson's response: that the Justice Department's "sweeping" proposals "continue to go miles beyond the court's decision, and would harm America's consumers, economy and national security."
ISS

Axiom Space and Red Hat Will Bring Edge Computing to the International Space Station (theregister.com) 7

Axiom Space and Red Hat will collaborate to launch Data Center Unit-1 (AxDCU-1) to the International Space Station this spring. It's a small data processing prototype (powered by lightweight, edge-optimized Red Hat Device Edge) that will demonstrate initial Orbital Data Center (ODC) capabilities.

"It all sounds rather grand for something that resembles a glorified shoebox," reports the Register. Axiom Space said: "The prototype will test applications in cloud computing, artificial intelligence, and machine learning (AI/ML), data fusion and space cybersecurity."

Space is an ideal environment for edge devices. Connectivity to datacenters on Earth is severely constrained, so the more processing that can be done before data is transmitted to a terrestrial receiving station, the better. Tony James, chief architect, Science and Space at Red Hat, said: "Off-planet data processing is the next frontier, and edge computing is a crucial component. With Red Hat Device Edge and in collaboration with Axiom Space, Earth-based mission partners will have the capabilities necessary to make real-time decisions in space with greater reliability and consistency...."

The Red Hat Device Edge software used by Axiom's device combines Red Hat Enterprise Linux, the Red Hat Ansible Platform, and MicroShift, a lightweight Kubernetes container orchestration service derived from Red Hat OpenShift. The plan is for Axiom Space to host hybrid cloud applications and cloud-native workloads on-orbit. Jason Aspiotis, global director of in-space data and security, Axiom Space, told The Register that the hardware itself is a commercial off-the-shelf unit designed for operation in harsh environments... "AxDCU-1 will have the ability to be controlled and utilized either via ground-to-space or space-to-space communications links. Our current plans are to maintain this device on the ISS. We plan to utilize this asset for at least two years."

The article notes that HPE has also "sent up a succession of Spaceborne computers — commercial, off-the-shelf supercomputers — over the years to test storage, recovery, and operational potential on long-duration missions." (They apparently use Red Hat Enterprise Linux.) "At the other end of the scale, the European Space Agency has run Raspberry Pi computers on the ISS for years as part of the AstroPi educational outreach program."

Axiom Space says their Orbital Data Center is designed to "reduce delays traditionally associated with orbital data processing and analysis." By utilizing Earth-independent cloud storage and edge processing infrastructure, Axiom Space ODCs will enable data to be processed closer to its source, spacecraft or satellites, bypassing the need for terrestrial-based data centers. This architecture alleviates reliance on costly, slow, intermittent or contested network connections, creating more secure and quicker decision-making in space.

The goal is to allow Axiom Space and its partners to have access to real-time processing capabilities, laying the foundation for increased reliability and improved space cybersecurity with extensive applications. Use cases for ODCs include but are not limited to supporting Earth observation satellites with in-space and lower latency data storage and processing, AI/ML training on-orbit, multi-factor authentication and cyber intrusion detection and response, supervised autonomy, in-situ space weather analytics and off-planet backup & disaster recovery for critical infrastructure on Earth.

China

Undocumented 'Backdoor' Found In Chinese Bluetooth Chip Used By a Billion Devices (bleepingcomputer.com) 129

"The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented 'backdoor' that could be leveraged for attacks," writes BleepingComputer.

"The undocumented commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence." This was discovered by Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco of Tarlogic Security, who presented their findings yesterday at RootedCON in Madrid. "Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices," reads a Tarlogic announcement shared with BleepingComputer. "Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls...."

Tarlogic developed a new C-based USB Bluetooth driver that is hardware-independent and cross-platform, allowing direct access to the hardware without relying on OS-specific APIs. Armed with this new tool, which enables raw access to Bluetooth traffic, Tarlogic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions. In total, they found 29 undocumented commands, collectively characterized as a "backdoor," that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.

Espressif has not publicly documented these commands, so either they weren't meant to be accessible, or they were left in by mistake.

Thanks to Slashdot reader ZipNada for sharing the news.
AI

Signal President Calls Out Agentic AI As Having 'Profound' Security and Privacy Issues (techcrunch.com) 8

Signal President Meredith Whittaker warned at SXSW that agentic AI poses significant privacy and security risks, as these AI agents require extensive access to users' personal data, likely processing it unencrypted in the cloud. TechCrunch reports: "So we can just put our brain in a jar because the thing is doing that and we don't have to touch it, right?," Whittaker mused. Then she explained the type of access the AI agent would need to perform these tasks, including access to our web browser and a way to drive it as well as access to our credit card information to pay for tickets, our calendar, and messaging app to send the text to your friends. "It would need to be able to drive that [process] across our entire system with something that looks like root permission, accessing every single one of those databases -- probably in the clear, because there's no model to do that encrypted," Whittaker warned.

"And if we're talking about a sufficiently powerful ... AI model that's powering that, there's no way that's happening on device," she continued. "That's almost certainly being sent to a cloud server where it's being processed and sent back. So there's a profound issue with security and privacy that is haunting this hype around agents, and that is ultimately threatening to break the blood-brain barrier between the application layer and the OS layer by conjoining all of these separate services [and] muddying their data," Whittaker concluded.

If a messaging app like Signal were to integrate with AI agents, it would undermine the privacy of your messages, she said. The agent has to access the app to text your friends and also pull data back to summarize those texts. Her comments followed remarks she made earlier during the panel on how the AI industry had been built on a surveillance model with mass data collection. She said that the "bigger is better AI paradigm" -- meaning the more data, the better -- had potential consequences that she didn't think were good. With agentic AI, Whittaker warned we'd further undermine privacy and security in the name of a "magic genie bot that's going to take care of the exigencies of life," she concluded.
You can watch the full speech on YouTube.
AI

US Likely To Ban Chinese App DeepSeek From Government Devices (msn.com) 14

The White House is weighing measures to restrict Chinese artificial-intelligence upstart DeepSeek, including banning its chatbot from government devices because of national-security concerns, WSJ reported Friday, citing people familiar with the matter. From the report: U.S. officials are worried about DeepSeek's handling of user data, which the Chinese company says it stores in servers located in China, the people said. Officials also believe DeepSeek hasn't sufficiently explained how it uses the data it collects and who has access to the data, they said.

The Trump administration is likely to adopt a rule that would bar people from downloading DeepSeek's chatbot app onto U.S. government devices, the people said. Officials are also considering two other possible moves: banning the DeepSeek app from U.S. app stores and putting limits on how U.S.-based cloud service providers could offer DeepSeek's AI models to their customers, people close to the matter said. They cautioned that discussions about these two moves were still at an early stage.

Government

US Mulls Policing Social Media of Would-Be Citizens (theregister.com) 75

The U.S. Citizenship and Immigration Services (USCIS) is proposing to expand mandatory social media screening, currently required only for new arrivals, to include all non-citizens already residing in the U.S. who apply for immigration benefits. The Register reports: Back in 2019, the Department of Homeland Security, which runs USCIS, decided anyone looking to enter the US on a work visa or similar had to hand over their social media handles to the authorities so that they could be looked over for wrongdoing and subversion. In fact, this goes back to 2014, at least, to one degree or another, and has been standard procedure for years for foreigners, particularly those coming in on a visa. [...]

On January 20 this year, President Trump signed an executive order calling for much tougher vetting of foreign aliens, and in response, USCIS has proposed rules saying those already in the country who are going through some process with the agency -- such as applying for permanent residency or citizenship -- will have their social media scanned for subversion. That means if you came to America before foreigners' internet presence was screened as it now is, and you're now seeking some kind of immigration benefit, at this rate you'll be subject to the same scanning as those entering the Land of the Free today.
The proposed changes have a 60-day comment period for the public to suggest amendments. The last day to send them in is May 5.
Encryption

1Password Introduces 'Nearby Items,' Tying Passwords To Physical Locations (engadget.com) 12

1Password has introduced a 'nearby items' feature, allowing users to tag credentials with physical locations so the relevant information automatically surfaces when users are near those locations. Engadget reports: Location information can be added to any new or existing item in a 1Password vault. The app has also been updated with a map view for setting and viewing the locations of your items. In the blog post announcing the feature, the company cited examples such as door codes for a workplace, health records at a doctor's office, WiFi access at the gym and rewards membership information for local shops as potential uses for location data.

Privacy and security are paramount for a password manager, and 1Password confirmed that a user's location coordinates are only used locally and do not leave the device. Nearby items is available to 1Password customers starting today.

United Kingdom

UK Quietly Scrubs Encryption Advice From Government Websites (techcrunch.com) 21

The U.K. government appears to have quietly scrubbed encryption advice from government web pages, just weeks after demanding backdoor access to encrypted data stored on Apple's cloud storage service, iCloud. From a report: The change was spotted by security expert Alec Muffett, who wrote in a blog post on Wednesday that the U.K.'s National Cyber Security Centre (NCSC) is no longer recommending that high-risk individuals use encryption to protect their sensitive information.

The NCSC in October published a document titled "Cybersecurity tips for barristers, solicitors & legal professionals," that advised the use of encryption tools such as Apple's Advanced Data Protection (ADP). ADP allows users to turn on end-to-end encryption for their iCloud backups, effectively making it impossible for anyone, including Apple and government authorities, to view data stored on iCloud. The URL hosting the NCSC document now redirects to a different page that makes no mention of encryption or ADP. Instead, it recommends that at-risk individuals use Apple's Lockdown Mode, an "extreme" security tool that restricts access to certain functions and features.

United States

US Communications Agency To Explore Alternatives To GPS Systems (reuters.com) 57

The FCC says it plans to vote next month to explore alternatives to GPS after national security concerns have been raised about relying on a single system crucial to modern life. From a report: "Continuing to rely so heavily on one system leaves us exposed," FCC Chair Brendan Carr said. "We need to develop redundant technologies." There have been reports of a rise in GPS interference around the world, particularly since 2023, known as spoofing, raising fears of an increased risk of accidents if planes veer off-course. "Disruptions to GPS have the potential to undermine the nation's economic and national security. And the risks to our current system are only increasing," Carr said, noting President Donald Trump and a bipartisan group of lawmakers have called for action for years.
United States

US Congressional Panel Urges Americans To Ditch China-made Routers (reuters.com) 209

A U.S. congressional committee has urged Americans to remove Chinese-made wireless routers from their homes, including those made by TP-Link, calling them a security threat that opened the door for China to hack U.S. critical infrastructure. From a report: The House of Representatives Select Committee on China has pushed the Commerce Department to investigate China's TP-Link Technology Co, which according to research firm IDC is the top seller of WiFi routers internationally by unit volume. U.S. authorities are considering a ban on the sale of the company's routers, according to media reports.

Rob Joyce, former director of cybersecurity at the National Security Agency, told Wednesday's committee hearing that TP-Link devices exposed individuals to cyber intrusion that hackers could use to gain leverage to attack critical infrastructure. "We need to all take action and replace those devices so they don't become the tools that are used in the attacks on the U.S.," Joyce said, adding that he understood the Commerce Department was considering a ban.

The Internet

Europe on Alert Over Suspected Sabotage of Undersea Cables (theguardian.com) 162

European nations have heightened security after a series of suspected sabotage attacks on submarine infrastructure in the Baltic Sea, with officials increasingly pointing to Russia as the likely culprit.

Finnish authorities detained the tanker Eagle S in December after it allegedly damaged three undersea fiber-optic connections with Estonia and one with Germany. The vessel, carrying Russian oil as part of a "shadow fleet" evading sanctions, made suspicious course changes while crossing cable routes.

In November, two more submarine cables in the Baltic were damaged, with investigations focusing on Chinese-owned cargo ship Yi Peng 3, which reduced speed near the cables and turned off its transponder. NATO launched Baltic Sentry in January to enhance surveillance, deploying ships and naval drones off Estonia's coast. The alliance also established a coordination cell following the 2022 Nord Stream pipeline sabotage.

Russia has denied involvement, accusing NATO of using "myths" to increase its Baltic presence.
Google

Google Urges DOJ To Reverse Course on Breaking Up Company (yahoo.com) 86

Google is urging officials at President Donald Trump's Justice Department to back away from a push to break up the search engine company, citing national security concerns, Bloomberg reported Wednesday, citing sources familiar with the discussions. From the report: Representatives for the Alphabet unit asked the government in a meeting last week to take a less aggressive stance as the US looks to end what a judge ruled to be an illegal online search monopoly, said the people, who asked not to be identified discussing the private deliberations. The Biden administration in November had called for Google to sell its Chrome web browser and make other changes to its business including an end to billions of dollars in exclusivity payments to companies including Apple.

Although Google has previously pushed back on the Biden-era plan, the recent discussions may preview aspects of the company's approach to the case as it continues under the Trump administration. A federal judge is set to rule on how Google must change its practices following hearings scheduled for next month. Both sides are due to file their final proposals to the judge on Friday.

Australia

Australia, With No Auto Industry To Protect, is Awash With Chinese EVs (msn.com) 275

Chinese electric vehicle maker BYD is rapidly gaining market share in Australia, with sales rising 65% last year as nearly one in four EVs sold in the country was a BYD, according to EVDirect CEO David Smitherman. Chinese EVs now comprise roughly one-third of electric vehicles sold in Australia, which has no domestic auto industry to protect with tariffs, unlike the United States where both Trump and Biden administrations have effectively blocked Chinese EV imports.

The Biden administration imposed a 100% tariff on Chinese EVs to shield U.S. automakers from what it termed unfair competition. U.S. officials also blocked Chinese vehicle software over security concerns that Beijing could use internet-connected cars for surveillance. Australian authorities are monitoring U.S. developments but remain noncommittal despite security experts urging restrictions on Chinese connected car technology.
Encryption

Apple Launches Legal Challenge To UK 'Back Door' Order (ft.com) 23

Apple is stepping up its fight with the British government over a demand to create a "back door" in its most secure cloud storage systems, by filing a legal complaint that it hopes will overturn the order. Financial Times: The iPhone maker has made its appeal to the Investigatory Powers Tribunal, an independent judicial body that examines complaints against the UK security services, according to people familiar with the matter. The Silicon Valley company's legal challenge is believed to be the first time that provisions in the 2016 Investigatory Powers Act allowing UK authorities to break encryption have been tested before the court.

The Investigatory Powers Tribunal will consider whether the UK's notice to Apple was lawful and, if not, could order it to be quashed. The case could be heard as soon as this month, although it is unclear whether there will be any public disclosure of the hearing. The government is likely to argue the case should be restricted on national security grounds. Apple received a "technical capability notice" under the act in January.

Security

CISA Tags Windows, Cisco Vulnerabilities As Actively Exploited (bleepingcomputer.com) 16

CISA has warned U.S. federal agencies about active exploitation of vulnerabilities in Cisco VPN routers and Windows systems. "While the cybersecurity agency has tagged these flaws as actively exploited in the wild, it has yet to provide specific details regarding this malicious activity and who is behind it," adds Bleeping Computer. From the report: The first flaw (tracked as CVE-2023-20118) enables attackers to execute arbitrary commands on RV016, RV042, RV042G, RV082, RV320, and RV325 VPN routers. While it requires valid administrative credentials, this can still be achieved by chaining the CVE-2023-20025 authentication bypass, which provides root privileges. Cisco says in an advisory published in January 2023 and updated one year later that its Product Security Incident Response Team (PSIRT) is aware of publicly available proof-of-concept exploit code for CVE-2023-20025.

The second security bug (CVE-2018-8639) is a Win32k elevation of privilege flaw that local attackers logged into the target system can exploit to run arbitrary code in kernel mode. Successful exploitation also allows them to alter data or create rogue accounts with full user rights to take over vulnerable Windows devices. According to a security advisory issued by Microsoft in December 2018, this vulnerability impacts client (Windows 7 or later) and server (Windows Server 2008 and up) platforms.

Today, CISA added the two vulnerabilities to its Known Exploited Vulnerabilities catalog, which lists security bugs the agency has tagged as exploited in attacks. As mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021, Federal Civilian Executive Branch (FCEB) agencies now have three weeks, until March 23, to secure their networks against ongoing exploitation.

Security

US To Halt Offensive Cyber Operations Against Russia (techcrunch.com) 390

An anonymous reader quotes a report from TechCrunch: The United States has suspended its offensive cyber operations against Russia, according to reports, amid efforts by the Trump administration to grant Moscow concessions to end the war in Ukraine. The reported order to halt U.S.-launched hacking operations against Russia was authorized by U.S. Defense Secretary Pete Hegseth, according to The Record. The new guidance affects operations carried out by U.S. Cyber Command, a division of the Department of Defense focused on hacking and operations in cyberspace, but does not apply to espionage operations conducted by the National Security Agency. The reported order has since been confirmed by The New York Times and The Washington Post.

The order was handed down before Friday's Oval Office meeting between U.S. President Donald Trump, Vice President JD Vance, and Ukrainian President Volodymyr Zelenskyy, according to the reports. The New York Times said that the instruction came as part of a broader effort to draw Russian President Vladimir Putin into talks about the country's ongoing war in Ukraine. The Guardian also reports that the Trump administration has signaled it no longer views Russian hackers as a cybersecurity threat, and reportedly ordered U.S. cybersecurity agency CISA to no longer report on Russian threats. The newspaper cites a recent memo that set out new priorities for CISA, including threats faced by China and protecting local systems, but the memo did not mention Russia. CISA employees were reportedly informed verbally that they were to pause any work on Russian cyber threats.

Piracy

Malicious PyPI Package Exploited Deezer's API, Orchestrates a Distributed Piracy Operation (socket.dev) 24

A malicious PyPI package effectively turned its users' systems "into an illicit network for facilitating bulk music downloads," writes The Hacker News.

Though the package has been removed from PyPI, researchers at security platform Socket.dev say it enabled "coordinated, unauthorized music downloads from Deezer — a popular streaming service founded in France in 2007." Although automslc, which has been downloaded over 100,000 times, purports to offer music automation and metadata retrieval, it covertly bypasses Deezer's access restrictions... The package is designed to log into Deezer, harvest track metadata, request full-length streaming URLs, and download complete audio files in clear violation of Deezer's API terms... [I]t orchestrates a distributed piracy operation by leveraging both user-supplied and hardcoded Deezer credentials to create sessions with Deezer's API. This approach enables full access to track metadata and the decryption tokens required to generate full-length track URLs.

Additionally, the package routinely communicates with a remote server... to update download statuses and submit metadata, thereby centralizing control and allowing the threat actor to monitor and coordinate the distributed downloading operation. In doing so, automslc exposes critical track details — including Deezer IDs, International Standard Recording Codes, track titles, and internal tokens like MD5_ORIGIN (a hash used in generating decryption URLs) — which, when collected en masse, can be used to reassemble full track URLs and facilitate unauthorized downloads...

Even if a user pays for access to the service, the content is licensed, not owned. The automslc package circumvents licensing restrictions by enabling downloads and potential redistribution, which is outside the bounds of fair use...

"The malicious package was initially published in 2019, and its popularity (over 100,000 downloads) indicates wide distribution..."
Perl

Perl's CPAN Security Group is Now a CNA, Can Assign CVEs (perlmonks.org) 10

Active since 1995, the Comprehensive Perl Archive Network (or CPAN) hosts 221,742 Perl modules written by 14,548 authors. This week they announced that the CPAN Security Group "was authorized by the CVE Program as a CVE Numbering Authority (CNA)" to assign and manage CVE vulnerability identifications for Perl and CPAN Modules.

"This is great news!" posted Linux kernel maintainer Greg Kroah-Hartman on social media, saying the announcement came "Just in time for my talk about this very topic in a few weeks about how all open source projects should be doing this" at the Linux Foundation Member Summit in Napa, California. And Curl creator Daniel Stenberg posted "I'm with Greg Kroah-Hartman on this: all Open Source projects should become CNAs. Or team up with others to do it." (Also posting "Agreed" to the suggestion was Seth Larson, the Python Software Foundation's security developer-in-residence involved in their successful effort to become a CNA in 2023.)

444 CNAs have now partnered with the CVE Program, according to their official web site. The announcement from PerlMonks.org: Years ago, a few people decided during the Perl Toolchain Summit (PTS) that it would be a good idea to join forces, ideas and knowledge and start a group to monitor vulnerabilities in the complete Perl ecosystem from core to the smallest CPAN release. The goal was to follow legislation and CVE reports, and help authors in taking actions on not being vulnerable anymore. That group has grown stable over the past years and is now known as CPANSec.

The group has several focus areas, and one of them is channeling CVE vulnerability issues. In that specific goal, a milestone has been reached: CPANSec has just been authorized as a CVE Numbering Authority (CNA) for Perl and modules on CPAN.

Classic Games (Games)

Magnus Carlsen Auctions Jeans, Admits He Can't Beat Chess Engines (apnews.com) 60

Magnus Carlsen "announced this week that he is auctioning off the Italian luxury brand jeans that started a dress code dispute at December's World Rapid and Blitz Chess Championships," reports the Associated Press. ("Condition: Pre-owned," says the listing on eBay, where by Friday night bidding on the charitable auction was up to $14,100.)

But Carlsen drew more attention on The Joe Rogan Experience last week — partly by saying "I have no chance against my phone." (Although he'd also described beating a fan's computer program, according to Firstpost, by playing "some kind of anti-computer chess, where I just closed up the position as much as possible and gave it as few possibilities as possible to out-calculate me.") Carlsen admitted that he rarely plays against chess engines due to their overwhelming strength, but acknowledged their value as training tools. "I rarely play against engines at all because they just make me feel so stupid and useless. So, I think of them more as a tool than anything else."
And this led Carlsen to add "If I started cheating, you would never know," reports Indian Express: It's not just a throwaway line about cheating either. On a two-hour-long podcast, where he touches on mostly everything under the sun, Carlsen fixates on cheating in chess. He also details how a player of his calibre would need very little to cheat in chess. "I would just get a move here and there (from an aide). Or maybe if I am playing in a tournament I just find a system where I get somebody to signal to me when there's a critical moment: a certain moment where a certain move is much better than the others. That's really all I would need to go from being the best to being practically unbeatable. There's so little you need in chess (to cheat). It really is a scary situation," Carlsen said before pointing out how in 2010 the captain of the French chess team was helping a teammate decide his next move at the Olympiad just by standing in specific spots around the table...

"If you're not cheating in a dumb way, there rarely is going to be a smoking gun. And without that smoking gun it is going to be really hard to catch people," Carlsen admits on the podcast... "As long as there are monetary incentives for people to cheat, there will be cheating in chess," says Carlsen on the podcast.

The article adds that Carlsen does not believe Hans Niemann used anal beads to cheat — and that he thinks Niemann has become a much better chess player since the incident. But... "Top level chess has been based on trust a lot. I don't trust Niemann. Other top players still don't trust him and he doesn't trust me," says Carlsen. "There is still something off about him now. We played an over-the-board tournament in Paris last year where there was increased security and he didn't play at nearly the same level there."
