An anonymous reader quotes a report from Ars Technica: Microsoft is killing off an obsolete and vulnerable encryption cipher that Windows has supported by default for 26 years following more than a decade of devastating hacks that exploited it and recently faced blistering criticism from a prominent US senator. When the software maker rolled out Active Directory in 2000, it made RC4 a sole means of securing the Windows component, which administrators use to configure and provision fellow administrator and user accounts inside large organizations. RC4, short for Rivist Cipher 4, is a nod to mathematician and cryptographer Ron Rivest of RSA Security, who developed the stream cipher in 1987. Within days of the trade-secret-protected algorithm being leaked in 1994, a researcher demonstrated a cryptographic attack that significantly weakened the security it had been believed to provide. Despite the known susceptibility, RC4 remained a staple in encryption protocols, including SSL and its successor TLS, until about a decade ago. [...]

Last week, Microsoft said it was finally deprecating RC4 and cited its susceptibility to Kerberoasting, the form of attack, known since 2014, that was the root cause of the initial intrusion into Ascension's network. "By mid-2026, we will be updating domain controller defaults for the Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later to only allow AES-SHA1 encryption," Matthew Palko, a Microsoft principal program manager, wrote. "RC4 will be disabled by default and only used if a domain administrator explicitly configures an account or the KDC to use it." [...] Following next year's change, RC4 authentication will no longer function unless administrators perform the extra work to allow it. In the meantime, Palko said, it's crucial that admins identify any systems inside their networks that rely on the cipher. Despite the known vulnerabilities, RC4 remains the sole means of some third-party legacy systems for authenticating to Windows networks. These systems can often go overlooked in networks even though they are required for crucial functions.

To streamline the identification of such systems, Microsoft is making several tools available. One is an update to KDC logs that will track both requests and responses that systems make using RC4 when performing requests through Kerberos. Kerberos is an industry-wide authentication protocol for verifying the identities of users and services over a non-secure network. It's the sole means for mutual authentication to Active Directory, which hackers attacking Windows networks widely consider a Holy Grail because of the control they gain once it has been compromised. Microsoft is also introducing new PowerShell scripts to sift through security event logs to more easily pinpoint problematic RC4 usage. Microsoft said it has steadily worked over the past decade to deprecate RC4, but that the task wasn't easy. "The problem though is that it's hard to kill off a cryptographic algorithm that is present in every OS that's shipped for the last 25 years and was the default algorithm for so long, Steve Syfuhs, who runs Microsoft's Windows Authentication team, wrote on Bluesky. "See," he continued, "the problem is not that the algorithm exists. The problem is how the algorithm is chosen, and the rules governing that spanned 20 years of code changes."

A critical React vulnerability (CVE-2025-55182) is being actively exploited at scale by Chinese, Iranian, North Korean, and criminal groups to gain remote code execution, deploy backdoors, and mine crypto. The Register reports: React maintainers disclosed the critical bug on December 3, and exploitation began almost immediately. According to Amazon's threat intel team, Chinese government crews, including Earth Lamia and Jackpot Panda, started battering the security hole within hours of its disclosure. Palo Alto Networks' Unit 42 responders have put the victim count at more than 50 organizations across multiple sectors, with attackers from North Korea also abusing the flaw.

Google, in a late Friday report, said at least five other suspected PRC spy groups also exploited React2Shell, along with criminals who deployed XMRig for illicit cryptocurrency mining, and "Iran-nexus actors," although the report doesn't provide any additional details about who the Iran-linked groups are and what they are doing after exploitation. "GTIG has also observed numerous discussions regarding CVE-2025-55182 in underground forums, including threads in which threat actors have shared links to scanning tools, proof-of-concept (PoC) code, and their experiences using these tools," the researchers wrote.

A Kansas man who sued Verizon in small claims court after the carrier refused to unlock his iPhone has won his case, scoring a small but meaningful victory against a company that retroactively applied a policy change to deny his unlock request.

Patrick Roach bought a discounted iPhone 16e from Verizon's Straight Talk brand in February 2025, intending to pay for one month of service before switching the device to US Mobile. Under FCC rules dating back to a 2019 waiver, Verizon must unlock phones 60 days after activation on its network. Verizon refused to unlock the phone, citing a new policy implemented on April 1, 2025 requiring "60 days of paid active service."

Roach had purchased his device over a month before that policy took effect. Magistrate Judge Elizabeth Henry ruled in October 2025 that applying the changed terms to Roach's earlier purchase violated the Kansas Consumer Protection Act. The court ordered Verizon to refund Roach's $410.40 purchase price plus court costs. Roach had previously rejected a $600 settlement offer because it would have required him to sign a non-disclosure agreement. He estimated spending about 20 hours on the lawsuit but said "it wasn't about" the money.

Google has decided to retire its free dark web monitoring tool, saying it wasn't as helpful as the company hoped. From a report: In a support page, Google announced the discontinuation of the "dark web report" tool, two years after offering it as a free perk to Gmail users before expanding it more broadly. The feature worked by scanning for your email addresses to determine whether they had appeared in data breaches, which often circulate on Dark Web marketplaces. The tool could then alert you about where the data was exposed, including any accompanying details such as dates of birth, addresses, and phone numbers.

LG smart TV owners discovered over the weekend that a recent webOS software update had quietly installed Microsoft Copilot on their devices, and the app cannot be uninstalled. Affected users report the feature appears automatically after installing the latest webOS update on certain models, sitting alongside streaming apps like Netflix and YouTube.

LG's support documentation confirms that certain preinstalled or system apps can only be hidden, not deleted. At CES 2025, LG announced plans to integrate Copilot into webOS as part of its "AI TV" strategy, describing it as an extension of its AI Search experience. The current implementation appears to function as a shortcut to a web-based Copilot interface rather than a native application. Samsung TVs include Google's Gemini in a similar fashion. Users wanting to avoid the feature entirely are left with one option: disconnecting their TV from the internet.

The Black Hat Europe hacker conference in London included a session titled "Don't Judge an Audiobook by Its Cover" about a two critical (and now fixed) flaws in Amazon's Kindle. The Times reports both flaws were discovered by engineering analyst Valentino Ricotta (from the cybersecurity research division of Thales), who was awarded a "bug bounty" of $20,000 (£15,000 ). He said: "What especially struck me with this device, that's been sitting on my bedside table for years, is that it's connected to the internet. It's constantly running because the battery lasts a long time and it has access to my Amazon account. It can even pay for books from the store with my credit card in a single click. Once an attacker gets a foothold inside a Kindle, it could access personal data, your credit card information, pivot to your local network or even to other devices that are registered with your Amazon account."

Ricotta discovered flaws in the Kindle software that scans and extracts information from audiobooks... He also identified a vulnerability in the onscreen keyboard. Through both of these, he tricked the Kindle into loading malicious code, which enabled him to take the user's Amazon session cookies — tokens that give access to the account. Ricotta said that people could be exposed to this type of hack if they "side-load" books on to the Kindle through non-Amazon stores.
Ricotta donated his bug bounties to charity...

The Wall Street Journal reports that 68% of CEOs "plan to spend even more on AI in 2026, according to an annual survey of more than 350 public-company CEOs from advisory firm Teneo." And yet "less than half of current AI projects had generated more in returns than they had cost, respondents said." They reported the most success using AI in marketing and customer service and challenges using it in higher-risk areas such as security, legal and human resources.

Teneo also surveyed about 400 institutional investors, of which 53% expect that AI initiatives would begin to deliver returns on investments within six months. That compares to the 84% of CEOs of large companies — those with revenue of $10 billion or more — who believe it will take more than six months.

Surprisingly, 67% of CEOs believe AI will increase their entry-level head count, while 58% believe AI will increase senior leadership head count.
All the surveyed CEOS were from public companies with revenue over $1 billion...

AI "has gutted entry-level roles in the tech industry," reports Rest of World.

One student at a high-ranking engineering college in India tells them that among his 400 classmates, "fewer than 25% have secured job offers... there's a sense of panic on the campus." Students at engineering colleges in India, China, Dubai, and Kenya are facing a "jobpocalypse" as artificial intelligence replaces humans in entry-level roles. Tasks once assigned to fresh graduates, such as debugging, testing, and routine software maintenance, are now increasingly automated. Over the last three years, the number of fresh graduates hired by big tech companies globally has declined by more than 50%, according to a report published by SignalFire, a San Francisco-based venture capital firm. Even though hiring rebounded slightly in 2024, only 7% of new hires were recent graduates. As many as 37% of managers said they'd rather use AI than hire a Gen Z employee...

Indian IT services companies have reduced entry-level roles by 20%-25% thanks to automation and AI, consulting firm EY said in a report last month. Job platforms like LinkedIn, Indeed, and Eures noted a 35% decline in junior tech positions across major EU countries during 2024...

"Five years ago, there was a real war for [coders and developers]. There was bidding to hire," and 90% of the hires were for off-the-shelf technical roles, or positions that utilize ready-made technology products rather than requiring in-house development, said Vahid Haghzare, director at IT hiring firm Silicon Valley Associates Recruitment in Dubai. Since the rise of AI, "it has dropped dramatically," he said. "I don't even think it's touching 5%. It's almost completely vanished." The company headhunts workers from multiple countries including China, Singapore, and the U.K... The current system, where a student commits three to five years to learn computer science and then looks for a job, is "not sustainable," Haghzare said. Students are "falling down a hole, and they don't know how to get out of it."

A former Chinese official who fled to the U.S. says Beijing has used advanced surveillance technology from U.S. companies to track, intimidate, and punish him and his family across borders. ABC News reports: Retired Chinese official Li Chuanliang was recuperating from cancer on a Korean resort island when he got an urgent call: Don't return to China, a friend warned. You're now a fugitive. Days later, a stranger snapped a photo of Li in a cafe. Terrified South Korea would send him back, Li fled, flew to the U.S. on a tourist visa and applied for asylum. But even there -- in New York, in California, deep in the Texas desert -- the Chinese government continued to hunt him down with the help of surveillance technology.

Li's communications were monitored, his assets seized and his movements followed in police databases. More than 40 friends and relatives -- including his pregnant daughter -- were identified and detained, even by tracking down their cab drivers through facial recognition software. Three former associates died in detention, and for months shadowy men Li believed to be Chinese operatives stalked him across continents, interviews and documents seen by The Associated Press show.

The Chinese government is using an increasingly powerful tool to cement its power at home and vastly amplify it abroad: Surveillance technology, much of it originating in the U.S., an AP investigation has found. Within China, this technology helped identify and punish almost 900,000 officials last year alone, nearly five times more than in 2012, according to state numbers. Beijing says it is cracking down on corruption, but critics charge that such technology is used in China and elsewhere to stifle dissent and exact retribution on perceived enemies.

Outside China, the same technology is being used to threaten wayward officials, along with dissidents and alleged criminals, under what authorities call Operations "Fox Hunt" and "Sky Net." The U.S. has criticized these overseas operations as a "threat" and an "affront to national sovereignty." More than 14,000 people, including some 3,000 officials, have been brought back to China from more than 120 countries through coercion, arrests and pressure on relatives, according to state information.

The pro-Russian CyberVolk group resurfaced with a Telegram-based ransomware-as-a-service platform, but fatally undermined its own operation by hardcoding master encryption keys in plaintext. The Register reports: First, the bad news: the CyberVolk 2.x (aka VolkLocker) ransomware-as-a-service operation that launched in late summer. It's run entirely through Telegram, which makes it very easy for affiliates that aren't that tech savvy to lock files and demand a ransom payment. CyberVolk's soldiers can use the platform's built-in automation to generate payloads, coordinate ransomware attacks, and manage their illicit business operations, conducting everything through Telegram.

But here's the good news: the ransomware slingers got sloppy when it came time to debug their code and hardcoded the master keys -- this same key encrypts all files on a victim's system -- into the executable files. This could allow victims to recover encrypted data without paying the extortion fee, according to SentinelOne senior threat researcher Jim Walter, who detailed the gang's resurgence and flawed code in a Thursday report.

Online retailer Coupang, often called South Korea's Amazon, is dealing with the fallout from a breach that exposed the personal information of more than 33 million accounts -- roughly two-thirds of the country's population -- after a former contractor allegedly used credentials that remained active months after his departure to access customer data through the company's overseas servers.

The breach began in June but went undetected until November 18, according to Coupang and investigators. Police have called it South Korea's worst-ever data breach. The compromised information includes names, phone numbers, email addresses and shipping addresses, though the company says login credentials, credit card numbers, and payment details were not affected.

Coupang's former CEO Park Dae-jun told a parliamentary hearing that the alleged perpetrator was a Chinese national who had worked on authentication tasks before his contract ended last December. Chief information security officer Brett Matthes testified that the individual had a "privileged role" giving him access to a private encryption key that allowed him to forge tokens to impersonate customers. Legislators say the key remained active after the employee left. The CEO of Coupang's South Korean subsidiary has resigned. Founder and chair Bom Kim has yet to personally apologize but has been summoned to a second parliamentary hearing.

joshuark shares a report from BleepingComputer: More than 10,000 Docker Hub container images expose data that should be protected, including live credentials to production systems, CI/CD databases, or LLM model keys. After scanning container images uploaded to Docker Hub in November, security researchers at threat intelligence company Flare found that 10,456 of them exposed one or more keys. The most frequent secrets were access tokens for various AI models (OpenAI, HuggingFace, Anthropic, Gemini, Groq). In total, the researchers found 4,000 such keys. "These multi-secret exposures represent critical risks, as they often provide full access to cloud environments, Git repositories, CI/CD systems, payment integrations, and other core infrastructure components," Flare notes. [...]

Additionally, they found hardcoded API tokens for AI services being hardcoded in Python application files, config.json files, YAML configs, GitHub tokens, and credentials for multiple internal environments. Some of the sensitive data was present in the manifest of Docker images, a file that provides details about the image.Flare notes that roughly 25% of developers who accidentally exposed secrets on Docker Hub realized the mistake and removed the leaked secret from the container or manifest file within 48 hours. However, in 75% of these cases, the leaked key was not revoked, meaning that anyone who stole it during the exposure period could still use it later to mount attacks.

Flare suggests that developers avoid storing secrets in container images, stop using static, long-lived credentials, and centralize their secrets management using a dedicated vault or secrets manager. Organizations should implement active scanning across the entire software development life cycle and revoke exposed secrets and invalidate old sessions immediately.

Google's Chrome team has built an experimental browser called Disco that takes a query or prompt, opens a cluster of related tabs, and then generates a custom application tailored to whatever task the user is trying to accomplish. The browser launched Thursday as an experiment in Google's Search Labs.

GenTabs, the core feature powering Disco, are information-rich pages created by Google's Gemini AI models -- ask for travel tips and the system builds a planner app; ask for study help and it creates a flashcard system. Disco -- named partly for fun and partly as shorthand for "discovery" -- started as a hackathon project inside Google before catching the team's imagination.

Parisa Tabriz, who leads the Chrome team, said that Disco is not intended as a general-purpose browser and is not an attempt to cannibalize Chrome. The experiment aims to test what happens when users move from simply having tabs to generating personalized, curated applications on demand. The capability relies on features in the recently launched Gemini 3, which can create one-off interactive interfaces and build miniature apps on the fly rather than just returning text or images.

Stanford researchers spent much of the past year building an AI bot called Artemis that scans networks for software vulnerabilities, and when they pitted it against ten professional penetration testers on the university's own engineering network, the bot outperformed nine of them. The experiment offers a window into how rapidly AI hacking tools have improved after years of underwhelming performance.

"We thought it would probably be below average," said Justin Lin, a Stanford cybersecurity researcher. Artemis found bugs at a fraction of human cost -- just under $60 per hour compared to the $2,000 to $2,500 per day that professional pen testers typically charge. But its performance wasn't flawless. About 18% of its bug reports were false positives, and it completely missed an obvious vulnerability on a webpage that most human testers caught. In one case, Artemis found a bug on an outdated page that didn't render in standard browsers; it used a command-line tool called Curl instead of Chrome or Firefox.

Dan Boneh, a Stanford computer science professor who advised the researchers, noted that vast amounts of software shipped without being vetted by LLMs could now be at risk. "We're in this moment of time where many actors can increase their productivity to find bugs at an extreme scale," said Jacob Klein, head of threat intelligence at Anthropic.

An anonymous reader quotes a report from Axios: OpenAI says the cyber capabilities of its frontier AI models are accelerating and warns Wednesday that upcoming models are likely to pose a "high" risk, according to a report shared first with Axios. The models' growing capabilities could significantly expand the number of people able to carry out cyberattacks. OpenAI said it has already seen a significant increase in capabilities in recent releases, particularly as models are able to operate longer autonomously, paving the way for brute force attacks.

The company notes that GPT-5 scored a 27% on a capture-the-flag exercise in August, GPT-5.1-Codex-Max was able to score 76% last month. "We expect that upcoming AI models will continue on this trajectory," the company says in the report. "In preparation, we are planning and evaluating as though each new model could reach 'high' levels of cybersecurity capability as measured by our Preparedness Framework." "High" is the second-highest level, below the "critical" level at which models are unsafe to be released publicly. "What I would explicitly call out as the forcing function for this is the model's ability to work for extended periods of time," said OpenAI's Fouad Matin.

New submitter emangwiro shares a report: The HDMI Forum, responsible for the HDMI specification, continues to stonewall open source. Valve's Steam Machine theoretically supports HDMI 2.1, but the mini-PC is software-limited to HDMI 2.0. As a result, more than 60 frames per second at 4K resolution are only possible with limitations. In a statement to Ars Technica, a Valve spokesperson confirmed that HDMI 2.1 support is "still a work-in-progress on the software side." "We've been working on trying to unblock things there."

The Steam Machine uses an AMD Ryzen APU with a Radeon graphics unit. Valve strictly adheres to open-source drivers, but the HDMI Forum is unwilling to disclose the 2.1 specification. According to Valve, they have validated the HDMI 2.1 hardware under Windows to ensure basic functionality.

Longtime Slashdot reader Randseed writes: With the likes of Google Nest, Ring, and others cooperating with law enforcement, I started to look for affordable wireless IP security cameras that I can put around my house. Unfortunately, it looks like almost every thing now incorporates some kind of cloud-based slop. All I really want is to put up some cameras, hook them up to my LAN, and install something like ZoneMinder. What are the most economical, wireless IP security cameras that I can set up with my server?

Microsoft has announced that it will raise prices on its Microsoft 365 productivity suites for businesses and government clients starting in July 2026, marking the first commercial price increase since 2022. Small business and frontline worker plans face the steepest hikes: Business Basic jumps 16.7% to $7 per user per month, while frontline worker subscriptions surge up to 33%. Enterprise plans see more modest bumps, ranging from 5.3% for E5 to 8.3% for E3. Microsoft attributed the increases to more than 1,100 new features added to the suite, including AI-driven tools and security enhancements. Copilot remains a separate $30-per-month add-on.

Microsoft Excel, the 40-year-old spreadsheet application that helped establish personal computers as essential workplace tools and contributed to Microsoft's current valuation of nearly $4 trillion, has weathered both the rise of cloud computing and the current AI boom largely unscathed. In its most recent quarter, commercial revenue for Microsoft 365 -- the bundle including Excel, Word, and PowerPoint -- increased 17% year over year, and consumer revenue rose 28%.

The software traces its origins to a 1983 Microsoft offsite under the code name Odyssey, where engineers set out to clone Lotus 1-2-3. That program had itself cloned VisiCalc, the first computerized spreadsheet, created by Dan Bricklin for the Apple II in the late 1970s. Bricklin never patented VisiCalc. "Financially it would have been great if we'd have been able to patent it," he told Bloomberg. "And there would be a Bricklin Building at MIT, instead of a Gates Building."

Excel now counts an estimated 500 million paying users. The Pentagon pays for 2 million Microsoft 365 licenses. Google's free Sheets product, launched in 2006, captured casual use cases like potluck sign-ups but failed to dislodge Excel from enterprise work. AI chatbots present the latest challenge, but venture capitalists say nearly every AI spreadsheet startup they meet builds on top of Excel rather than replacing it.

Lenovo may be preparing to unveil a gaming laptop that uses rollable OLED technology to expand horizontally into an ultrawide 21:9 display, according to a Windows Latest report suggesting the device could appear at CES 2026 in January. The Lenovo Legion Pro Rollable would differ from the company's existing ThinkBook Plus Gen 6, which expands its screen vertically.

The new gaming-focused design would see the left and right edges of the display extend beyond the laptop's base chassis when unrolled. Specific details remain scarce. Windows Latest doesn't know the display resolution, refresh rate, screen dimensions in either state, pricing, or release timing -- though it does mention an Intel Core Ultra processor. The ThinkBook Plus Gen 6 currently sells for $3,500.

Phys.org republishes this article from The Conversation: On average, managers spend 23 hours a week in meetings. Much of what happens in them is considered to be of low value, or even entirely counterproductive. The paradox is that bad meetings generate even more meetings... in an attempt to repair the damage caused by previous ones...

A 2015 handbook laid the groundwork for the nascent field of "Meeting Science". Among other things, the research revealed that the real issue may not be the number of meetings, but rather how they are designed, the lack of clarity about their purpose, and the inequalities they (often unconsciously) reinforce... Faced with what we call meeting madness, the solution is not to eliminate meetings altogether, but to design them better. It begins with a simple but often forgotten question: why are we meeting...?

The goal should not be to have fewer meetings, but better ones. Meetings that respect everyone's time and energy. Meetings that give a voice to all. Meetings that build connection.
Slashdot reader ShimoNoSeki shares an obligatory XKCD comic...

U.S. and Canadian cybersecurity agencies say Chinese-linked actors deployed "Brickstorm" malware to infiltrate critical infrastructure and maintain long-term access for potential sabotage. Reuters reports: The Chinese-linked hacking operations are the latest example of Chinese hackers targeting critical infrastructure, infiltrating sensitive networks and "embedding themselves to enable long-term access, disruption, and potential sabotage," Madhu Gottumukkala, the acting director of the Cybersecurity and Infrastructure Security Agency, said in an advisory signed by CISA, the National Security Agency and the Canadian Centre for Cyber Security. According to the advisory, which was published alongside a more detailed malware analysis report (PDF), the state-backed hackers are using malware known as "Brickstorm" to target multiple government services and information technology entities. Once inside victim networks, the hackers can steal login credentials and other sensitive information and potentially take full control of targeted computers.

In one case, the attackers used Brickstorm to penetrate a company in April 2024 and maintained access through at least September 3, 2025, according to the advisory. CISA Executive Assistant Director for Cybersecurity Nick Andersen declined to share details about the total number of government organizations targeted or specifics around what the hackers did once they penetrated their targets during a call with reporters on Thursday. The advisory and malware analysis reports are based on eight Brickstorm samples obtained from targeted organizations, according to CISA. The hackers are deploying the malware against VMware vSphere, a product sold by Broadcom's VMware to create and manage virtual machines within networks. [...] In addition to traditional espionage, the hackers in those cases likely also used the operations to develop new, previously unknown vulnerabilities and establish pivot points to broader access to more victims, Google said at the time.

joshuark shares a report from BleepingComputer: Microsoft has silently "mitigated" a high-severity Windows LNK vulnerability exploited by multiple state-backed and cybercrime hacking groups in zero-day attacks. Tracked as CVE-2025-9491, this security flaw allows attackers to hide malicious commands within Windows LNK files, which can be used to deploy malware and gain persistence on compromised devices. However, the attacks require user interaction to succeed, as they involve tricking potential victims into opening malicious Windows Shell Link (.lnk) files. Thus some element of social engineering, and user technically naive and gullibility such as thinking Windows is secure is required. [...]

As Trend Micro threat analysts discovered in March 2025, the CVE-2025-9491 was already being widely exploited by 11 state-sponsored groups and cybercrime gangs, including Evil Corp, Bitter, APT37, APT43 (also known as Kimsuky), Mustang Panda, SideWinder, RedHotel, Konni, and others. Microsoft told BleepingComputer in March that it would "consider addressing" this zero-day flaw, even though it didn't "meet the bar for immediate servicing." ACROS Security CEO and 0patch co-founder Mitja Kolsek found, Microsoft has silently changed LNK files in the November updates in an apparent effort to mitigate the CVE-2025-9491 flaw. After installing last month's updates, users can now see all characters in the Target field when opening the Properties of LNK files, not just the first 260. As the movie the Ninth Gate stated: "silentium est aurum"

An anonymous reader quotes a report from TechCrunch: Earlier this year, home goods maker Kohler launched a smart camera called the Dekoda that attaches to your toilet bowl, takes pictures of it, and analyzes the images to advise you on your gut health. Anticipating privacy fears, Kohler said on its website that the Dekoda's sensors only see down into the toilet, and claimed that all data is secured with "end-to-end encryption." The company's use of the expression "end-to-end encryption" is, however, wrong, as security researcher Simon Fondrie-Teitler pointed out in a blog post on Tuesday. By reading Kohler's privacy policy, it's clear that the company is referring to the type of encryption that secures data as it travels over the internet, known as TLS encryption -- the same that powers HTTPS websites. [...] The security researcher also pointed out that given Kohler can access customers' data on its servers, it's possible Kohler is using customers' bowl pictures to train AI. Citing another response from the company representative, the researcher was told that Kohler's "algorithms are trained on de-identified data only." A "privacy contact" from Kohler said that user data is "encrypted at rest, when it's stored on the user's mobile phone, toilet attachment, and on our systems." The company also said that, "data in transit is also encrypted end-to-end, as it travels between the user's devices and our systems, where it is decrypted and processed to provide our service."

India has withdrawn its order requiring Apple and other smartphone makers to preinstall the government's Sanchar Saathi app after public backlash and privacy concerns. AppleInsider reports: On November 28, the India Ministry of Communication issued a secret directive to Apple and other smartphone manufacturers, requiring the preinstallation of a government-backed app. Less than a week later, the order has been rescinded. The withdrawal on Wednesday means Apple doesn't have to preload the Sanchar Saathi app onto iPhones sold in the country, in a way that couldn't be "disabled or restricted." [...]

In pulling back from the demand, the government insisted that the app had an "increasing acceptance" among citizens. There was a tenfold spike of new user registrations on Tuesday alone, with over 600,000 new users made aware of the app from the public debacle. India Minister of Communications Jyotiraditya Scindia took a moment to insist that concerns the app could be used for increased surveillance were unfounded. "Snooping is neither possible nor will it happen" with the app, Scindia claimed.

"This is a welcome development, but we are still awaiting the full text of the legal order that should accompany this announcement, including any revised directions under the Cyber Security Rules, 2024," said the Internet Freedom Foundation. It is treating the news with "cautious optimism, not closure," until formalities conclude. However, while promising, the backdown doesn't stop India from retrying something similar or another tactic in the future.

An anonymous reader quotes a report from TechCrunch: South Korean e-commerce platform Coupang over the weekend said nearly 34 million Korean customers' personal information had been leaked in a data breach that had been ongoing for more than five months. The company said it first detected the unauthorized exposure of 4,500 user accounts on November 18, but a subsequent investigation revealed that the breach had actually compromised about 33.7 million customer accounts in South Korea. The breach affected customers' names, email addresses, phone numbers, shipping addresses, and certain order histories, per Coupang. More sensitive data like payment information, credit card numbers, and login credentials was not compromised and remains secure, the company said. [...] Police have reportedly identified at least one suspect, a former Chinese Coupang employee now abroad, after launching an investigation following a November 18 complaint.

Microsoft has acknowledged that a recent Windows preview update, KB5064081, contains a bug that renders the password icon invisible on the lock screen, leaving users to click on what appears to be empty space to enter their credentials.

The issue affects Windows Insider channel users who installed the non-security preview update. The company's suggested workaround is straightforward if somewhat absurd: click where the button should be, and the password field will appear. Microsoft said it is working to resolve the issue.

An anonymous reader shares a report: India's telecoms ministry has privately asked all smartphone makers to preload all new devices with a state-owned cyber security app, a government order showed, a move set to spark a tussle with Apple, which typically dislikes such directives.

[...] The November 28 order, seen by Reuters, gives major smartphone companies 90 days to ensure that the government's Sanchar Saathi app is pre-installed on new mobile phones, with a provision that users cannot disable it. [...] In the order, the government said the app was essential to combat "serious endangerment" of telecom cyber security from duplicate or spoofed IMEI numbers, which enable scams and network misuse.

An anonymous reader shared this report from the Associated Press: The information needed to decipher the last remaining unsolved secret message embedded within a sculpture at CIA headquarters in Virginia sold at auction for nearly $1 million, the auction house announced Friday. The winner will get a private meeting with the 80-year-old artist to go over the codes and charts in hopes of continuing what he's been doing for decades: interacting with would-be cryptanalyst sleuths.

The archive owned by the artist who created Kryptos, Jim Sanborn, was sold to an anonymous bidder for $963,000, according to RR Auction of Boston. The archive includes documents and coding charts for the sculpture, dedicated in 1990. Three of the messages on the 10-foot-tall (3-meter) sculpture — known as K1, K2 and K3 — have been solved, but a solution for the fourth, K-4, has frustrated the experts and enthusiasts who have tried to decipher the S-shaped copper screen... One side has a series of staggered alphabets that are key to decoding the four encrypted messages on the other side.
"The purchaser's 'long-term stewardship plan' is being developed, according to the auction house."

An anonymous reader shared this report from CBS News: Artificial intelligence can do the work currently performed by nearly 12% of America's workforce, according to a recentstudy from the Massachusetts Institute of Technology. The researchers, relying on a metric called the "Iceberg Index" that measures a job's potential to be automated, conclude that AI already has the cognitive and technical capacity to handle a range of tasks in technology, finance, health care and professional services. The index simulated how more than 150 million U.S. workers across nearly 1,000 occupations interact and overlap with AI's abilities...

AI is also already doingsome of the entry-level jobsthat have historically been reserved for recent college graduates or relatively inexperienced workers, the report notes. "AI systems now generate more than a billion lines of code each day, prompting companies to restructure hiring pipelines and reduce demand for entry-level programmers," the researchers wrote. "These observable changes in technology occupations signal a broader reorganization of work that extends beyond software development."
"The study doesn't seek to shed light on how many workers AI may already have displaced or could supplant in the future," the article points out.

"To what extent such tools take over job functions performed by people depends on a number of factors, including individual businesses' strategy, societal acceptance and possible policy interventions, the researchers note."

Apple's Podcasts app on both iOS and Mac has been exhibiting strange behavior for months, spontaneously launching and presenting users with obscure religion, spirituality and education podcasts they never subscribed to -- and at least one of these podcasts contains a link attempting a cross-site scripting attack, 404 Media reports. Joseph Cox, a journalist at the outlet, documented the issue after repeatedly finding his Mac had launched the Podcasts app on its own, presenting bizarre podcasts with titles containing garbled code, external URLs to Spotify and Google Play, and in one case, what appears to be XSS attack code embedded directly in the podcast title itself.

Patrick Wardle, a macOS security expert and creator of Objective-See, confirmed he could replicate similar behavior: simply visiting a website can trigger the Podcasts app to open and load an attacker-chosen podcast without any user prompt or approval. Wardle said this creates "a very effective delivery mechanism" if a vulnerability exists in the Podcasts app, and the level of probing suggests adversaries are actively evaluating it as a potential target. The XSS-attempting podcast dates from around 2019. A recent review in the app asked "How does Apple allow this attempted XSS attack?"

Asked for comment five times by 404 Media, Apple did not respond.

Amazon Web Services has rolled out a DNS resilience feature that allows customers to make domain name system changes within 60 minutes of a service disruption in its US East region, a direct response to the long history of outages at the cloud giant's most troubled infrastructure.

AWS said customers in regulated industries like banking, fintech and SaaS had asked for additional capabilities to meet business continuity and compliance requirements, specifically the ability to provision standby resources or redirect traffic during unexpected regional disruptions. The 60-minute recovery time objective still leaves a substantial window for outages to cascade, and the timing of the announcement -- less than six weeks after an October 20th DynamoDB incident and a subsequent VM problem drew criticism -- underscores how persistent US East's reliability issues have been.

Breaking free from Microsoft is harder than it looks. Airbus began migrating its 100,000-plus workforce from Office to Google Workspace more than seven years ago and it still hasn't completed the switch. The Register: As we exclusively revealed in March 2018, the aerospace giant told 130,000 employees it was ditching Microsoft's productivity tools for Google's cloud-based alternatives. Then-CEO Tom Enders predicted migration would finish in 18 months, a timeline that, in hindsight, was "extremely ambitious," according to Catherine Jestin, Airbus's executive vice president of digital.

Today, more than two-thirds of Airbus's 150,000 employees have fully transitioned, but significant pockets continue to use Microsoft in parallel. Finance, for example, still relies on Excel because Google Sheets can't handle the necessary file sizes, as some spreadsheets involve 20 million cells. "Some of the limitations was just the number of cells that you could have in one single file. We'll definitely start to remove some of the work," Jestin told The Register.

An anonymous reader shares a report: AI is not a core part of operations at most of the world's central banks and digital assets are off the table, according to a survey released on Wednesday by the Official Monetary and Financial Institutions Forum. The working group of 10 central banks from Europe, Africa, Latin America and Asia managing roughly $6.5 trillion in assets also found that the institutions that have delved deepest so far into AI are the most cautious about the risks.

The primary concern is that AI-driven behaviour could "accelerate future crises," the survey showed. "AI helps us see more, but decisions must remain with people," one participant was quoted as saying in the group's report. More than 60% of respondents said that AI tools - which have sparked layoffs already at technology companies and retail and investment banks - are not yet supporting core operations.

An anonymous reader quotes a report from TechCrunch: Several U.S. banking giants and mortgage lenders are reportedly scrambling to assess how much of their customers' data was stolen during a cyberattack on a New York financial technology company earlier this month. SitusAMC, which provides technology for over a thousand commercial and real estate financiers, confirmed in a statement over the weekend that it had identified a data breach on November 12. The company said that unspecified hackers had stolen corporate data associated with its banking customers' relationship with SitusAMC, as well as "accounting records and legal agreements" during the cyberattack.

The statement added that the scope and nature of the cyberattack "remains under investigation." SitusAMC said that the incident is "now contained," and that its systems are operational. The company said that no encrypting malware was used, suggesting that the hackers were focused on exfiltrating data from the company's systems rather than causing destruction. According to Bloomberg and CNN, citing sources, SitusAMC sent data breach notifications to several financial giants, including JPMorgan Chase, Citigroup, and Morgan Stanley. SitusAMC also counts pension funds and state governments as customers, according to its website.

It's unclear how much data was taken, or how many U.S. banking consumers may be affected by the breach. Companies like SitusAMC may not be widely known outside of the financial world, but provide the mechanisms and technologies for its banking and real estate customers to comply with state and federal rules and regulations. In its role as a middleman for financial clients, the company handles vast amounts of non-public banking information on behalf of its customers. According to SitusAMC's website, the company processes billions of documents related to loans annually.

An anonymous reader shares a report: CISA has warned that state-backed snoops and cyber-mercenaries are actively abusing commercial spyware to break into Signal and WhatsApp accounts, hijack devices, and quietly rummage through the phones of what the agency calls "high-value" users.

In an alert published Monday, the US government's cyber agency said it's tracking multiple miscreants that are using a mix of phishing, bogus QR codes, malicious app impersonation, and, in some cases, full-blown zero-click exploits to compromise messaging apps which most people assume are safe.

The agency says the activity it's seeing suggests an increasing focus on "high-value" individuals -- everyone from current and former senior government, military, and political officials to civil society groups across the US, the Middle East, and Europe. In many of the campaigns, attackers delivered spyware first and asked questions later, using the foothold to deploy more payloads and deepen their access.

The abstract of a paper on NBER: This paper examines a large-scale randomized evaluation of the One Laptop Per Child (OLPC) program in 531 Peruvian rural primary schools. We use administrative data on academic performance and grade progression over 10 years to estimate the long-run effects of increased computer access on (i) school performance over time and (ii) students' educational trajectories. Following schools over time, we find no significant effects on academic performance but some evidence of negative effects on grade progression. Following students over time, we find no significant effects on primary and secondary completion, academic performance in secondary school, or university enrollment. Survey data indicate that computer access significantly improved students' computer skills but not their cognitive skills; treated teachers received some training but did not improve their digital skills and showed limited use of technology in classrooms, suggesting the need for additional pedagogical support.

An anonymous reader shares a report: Singapore's police have ordered Apple and Google to prevent the spoofing of government agencies on their messaging platforms, the home affairs ministry said on Tuesday. The order under the nation's Online Criminal Harms Act came after the police observed scams on Apple's iMessage and Google Messages purporting to be from companies such as the local postal service SingPost. While government agencies have registered with a local SMS registry so only they can send messages with the "gov.sg" name, this does not currently apply to the iMessage and Google Messages platforms.

In the latest Windows Insider beta update, Microsoft has announced that it is exploring preloading File Explorer in the background to improve launch performance. The feature will load File Explorer silently before users click on it and can be toggled off for those who prefer not to use it. Microsoft introduced a similar capability earlier this year for Office called Startup Boost that loads parts of Word in the background so the application launches more quickly. The company is also removing elements from the File Explorer context menu in the same update.

An anonymous reader quotes a report from Wired: Hacker conferences -- like all conventions -- are notorious for giving attendees a parting gift of mystery illness. To combat "con crud," New Zealand's premier hacker conference, Kawaiicon, quietly launched a real-time, room-by-room carbon dioxide monitoring system for attendees. To get the system up and running, event organizers installed DIY CO2 monitors throughout the Michael Fowler Centre venue before conference doors opened on November 6. Attendees were able to check a public online dashboard for clean air readings for session rooms, kids' areas, the front desk, and more, all before even showing up. "It's ALMOST like we are all nerds in a risk-based industry," the organizers wrote on the convention's website. "What they did is fantastic," Jeff Moss, founder of the Defcon and Black Hat security conferences, told WIRED. "CO2 is being used as an approximation for so many things, but there are no easy, inexpensive network monitoring solutions available. Kawaiicon building something to do this is the true spirit of hacking." [...]

Kawaiicon's work began one month before the conference. In early October, organizers deployed a small fleet of 13 RGB Matrix Portal Room CO2 Monitors, an ambient carbon dioxide monitor DIY project adapted from US electronics and kit company Adafruit Industries. The monitors were connected to an Internet-accessible dashboard with live readings, daily highs and lows, and data history that showed attendees in-room CO2 trends. Kawaiicon tested its CO2 monitors in collaboration with researchers from the University of Otago's public health department. The Michael Fowler Centre is a spectacular blend of Scandinavian brutalism and interior woodwork designed to enhance sound and air, including two grand pou -- carved Mori totems -- next to the main entrance that rise through to the upper foyers. Its cathedral-like acoustics posed a challenge to Kawaiicon's air-hacking crew, which they solved by placing the RGB monitors in stereo. There were two on each level of the Main Auditorium (four total), two in the Renouf session space on level 1, plus monitors in the daycare and Kuracon (kids' hacker conference) areas. To top it off, monitors were placed in the Quiet Room, at the Registration Desk, and in the Green Room.

Kawaiicon's attendees could quickly check the conditions before they arrived and decide how to protect themselves accordingly. At the event, WIRED observed attendees checking CO2 levels on their phones, masking and unmasking in different conference areas, and watching a display of all room readings on a dashboard at the registration desk. In each conference session room, small wall-mounted monitors displayed stoplight colors showing immediate conditions: green for safe, orange for risky, and red to show the room had high CO2 levels, the top level for risk. Colorful custom-made Kawaiicon posters by New Zealand artist Pepper Raccoon placed throughout the Michael Fowler Centre displayed a QR code, making the CO2 dashboard a tap away, no matter where they were at the conference. Resources, parts lists, and assembly guides can be found here.

Microsoft is rolling out yet another update to Notepad for Windows 11 Insiders that adds table support and faster AI-generated responses, continuing a transformation of the once-minimal text editor that has drawn sustained criticism from users who preferred its original simplicity. The update, version 11.2510.6.0, lets users insert tables via a formatting toolbar or Markdown syntax and enables streaming responses for the app's Write, Rewrite, and Summarize AI features.

Lenovo is stockpiling memory and other critical components to navigate a supply crunch brought on by the boom in AI. From a report: The world's biggest PC maker is holding on to component inventories that are roughly 50% higher than usual, [non-paywalled source] Chief Financial Officer Winston Cheng told Bloomberg TV on Monday. The frenzy to build and fill AI data centers with advanced hardware is raising prices for producers of consumer electronics, but Lenovo also sees opportunity in this to capitalize on its stockpile.

In October cryptologist/CS professor Daniel J. Bernstein alleged that America's National Security Agency (and its UK counterpart GCHQ) were attempting to influence NIST to adopt weaker post-quantum cryptography standards without a "hybrid" approach that would've also included pre-quantum ECC.

Bernstein is of the opinion that "Given how many post-quantum proposals have been broken and the continuing flood of side-channel attacks, any competent engineering evaluation will conclude that the best way to deploy post-quantum [PQ] encryption for TLS, and for the Internet more broadly, is as double encryption: post-quantum cryptography on top of ECC." But he says he's seen it playing out differently: By 2013, NSA had a quarter-billion-dollar-a-year budget to "covertly influence and/or overtly leverage" systems to "make the systems in question exploitable"; in particular, to "influence policies, standards and specification for commercial public key technologies". NSA is quietly using stronger cryptography for the data it cares about, but meanwhile is spending money to promote a market for weakened cryptography, the same way that it successfully created decades of security failures by building up the market for, e.g., 40-bit RC4 and 512-bit RSA and Dual EC. I looked concretely at what was happening in IETF's TLS working group, compared to the consensus requirements for standards-development organizations. I reviewed how a call for "adoption" of an NSA-driven specification produced a variety of objections that weren't handled properly. ("Adoption" is a preliminary step before IETF standardization....) On 5 November 2025, the chairs issued "last call" for objections to publication of the document. The deadline for input is "2025-11-26", this coming Wednesday.
Bernstein also shares concerns about how the Internet Engineering Task Force is handling the discussion, and argues that the document is even "out of scope" for the IETF TLS working group This document doesn't serve any of the official goals in the TLS working group charter. Most importantly, this document is directly contrary to the "improve security" goal, so it would violate the charter even if it contributed to another goal... Half of the PQ proposals submitted to NIST in 2017 have been broken already... often with attacks having sufficiently low cost to demonstrate on readily available computer equipment. Further PQ software has been broken by implementation issues such as side-channel attacks.
He's also concerned about how that discussion is being handled: On 17 October 2025, they posted a "Notice of Moderation for Postings by D. J. Bernstein" saying that they would "moderate the postings of D. J. Bernstein for 30 days due to disruptive behavior effective immediately" and specifically that my postings "will be held for moderation and after confirmation by the TLS Chairs of being on topic and not disruptive, will be released to the list"...

I didn't send anything to the IETF TLS mailing list for 30 days after that. Yesterday [November 22nd] I finished writing up my new objection and sent that in. And, gee, after more than 24 hours it still hasn't appeared... Presumably the chairs "forgot" to flip the censorship button off after 30 days.
Thanks to alanw (Slashdot reader #1,822) for spotting the blog posts.

"Security, development, and AI now move as one," says Microsoft's director of cloud/AI security product marketing.

Microsoft and GitHub "have launched a native integration between Microsoft Defender for Cloud and GitHub Advanced Security that aims to address what one executive calls decades of accumulated security debt in enterprise codebases..." according to The New Stack: The integration, announced this week in San Francisco at the Microsoft Ignite 2025 conference and now available in public preview, connects runtime intelligence from production environments directly into developer workflows. The goal is to help organizations prioritize which vulnerabilities actually matter and use AI to fix them faster. "Throughout my career, I've seen vulnerability trends going up into the right. It didn't matter how good of a detection engine and how accurate our detection engine was, people just couldn't fix things fast enough," said Marcelo Oliveira, VP of product management at GitHub, who has spent nearly a decade in application security. "That basically resulted in decades of accumulation of security debt into enterprise code bases." According to industry data, critical and high-severity vulnerabilities constitute 17.4% of security backlogs, with a mean time to remediation of 116 days, said Andrew Flick, senior director of developer services, languages and tools at Microsoft, in a blog post. Meanwhile, applications face attacks as frequently as once every three minutes, Oliveira said.

The integration represents the first native link between runtime intelligence and developer workflows, said Elif Algedik, director of product marketing for cloud and AI security at Microsoft, in a blog post... The problem, according to Flick, comes down to three challenges: security teams drowning in alert fatigue while AI rapidly introduces new threat vectors that they have little time to understand; developers lacking clear prioritization while remediation takes too long; and both teams relying on separate, nonintegrated tools that make collaboration slow and frustrating... The new integration works bidirectionally. When Defender for Cloud detects a vulnerability in a running workload, that runtime context flows into GitHub, showing developers whether the vulnerability is internet-facing, handling sensitive data or actually exposed in production. This is powered by what GitHub calls the Virtual Registry, which creates code-to-runtime mapping, Flick said...

In the past, this alert would age in a dashboard while developers worked on unrelated fixes because they didn't know this was the critical one, he said. Now, a security campaign can be created in GitHub, filtering for runtime risk like internet exposure or sensitive data, notifying the developer to prioritize this issue.
GitHub Copilot "now automatically checks dependencies, scans for first-party code vulnerabilities and catches hardcoded secrets before code reaches developers," the article points out — but GitHub's VP of product management says this takes things even further.

"We're not only helping you fix existing vulnerabilities, we're also reducing the number of vulnerabilities that come into the system when the level of throughput of new code being created is increasing dramatically with all these agentic coding agent platforms."

"The internet did transform work — but not the way 1998 thought..." argues the Wall Street Journal. "The internet slipped inside almost every job and rewired how work got done."

So while the number of single-task jobs like travel agent dropped, most jobs "are bundles of judgment, coordination and hands-on work," and instead the internet brought "the quiet transformation of nearly every job in the economy... Today, just 10% of workers make minimal use of the internet on the job — roles like butcher and carpet installer." [T]he bigger story has been additive. In 1998, few could conceive of social media — let alone 65,000 social-media managers — and 200,000 information-security analysts would have sounded absurd when data still lived on floppy disks... Marketing shifted from campaign bursts to always-on funnels and A/B testing. Clinics embedded e-prescribing and patient portals, reshaping front-office and clinical handoffs. The steps, owners and metrics shifted. Only then did the backbone scale: We went from server closets wedged next to the mop sink to data centers and cloud regions, from lone system administrators to fulfillment networks, cybersecurity and compliance.

That is where many unexpected jobs appeared. Networked machines and web-enabled software quietly transformed back offices as much as our on-screen lives. Similarly, as e-commerce took off, internet-enabled logistics rewired planning roles — logisticians, transportation and distribution managers — and unlocked a surge in last-mile work. The build-out didn't just hire coders; it hired coordinators, pickers, packers and drivers. It spawned hundreds of thousands of warehouse and delivery jobs — the largest pockets of internet-driven job growth, and yet few had them on their 1998 bingo card... Today, the share of workers in professional and managerial occupations has more than doubled since the dawn of the digital era.

So what does that tell us about AI? Our mental model often defaults to an industrial image — John Henry versus the steam drill — where jobs are one dominant task, and automation maps one-to-one: Automate the task, eliminate the job. The internet revealed a different reality: Modern roles are bundles. Technologies typically hit routine tasks first, then workflows, and only later reshape jobs, with second-order hiring around the backbone. That complexity is what made disruption slower and more subtle than anyone predicted. AI fits that pattern more than it breaks it... [LLMs] can draft briefs, summarize medical notes and answer queries. Those are tasks — important ones — but still parts of larger roles. They don't manage risk, hold accountability, reassure anxious clients or integrate messy context across teams. Expect a rebalanced division of labor: The technical layer gets faster and cheaper; the human layer shifts toward supervision, coordination, complex judgment, relationship work and exception handling.

What to expect from AI, then, is messy, uneven reshuffling in stages. Some roles will contract sharply — and those contractions will affect real people. But many occupations will be rewired in quieter ways. Productivity gains will unlock new demand and create work that didn't exist, alongside a build-out around data, safety, compliance and infrastructure.

AI is unprecedented; so was the internet. The real risk is timing: overestimating job losses, underestimating the long, quiet rewiring already under way, and overlooking the jobs created in the backbone. That was the internet's lesson. It's likely to be AI's as well.

A magician who implanted an RFID chip in his hand lost access to it after forgetting the password, leaving him effectively locked out of the tech embedded in his own body. The Register reports: "It turns out," said [said magician Zi Teng Wang], "that pressing someone else's phone to my hand repeatedly, trying to figure out where their phone's RFID reader is, really doesn't come off super mysterious and magical and amazing." Then there are the people who don't even have their phone's RFID reader enabled. Using his own phone would, in Zi's words, lack a certain "oomph."

Oh well, how about making the chip spit out a Bitcoin address? "That literally never came up either." In the end, Zi rewrote the chip to link to a meme, "and if you ever meet me in person you can scan my chip and see the meme." It was all suitably amusing until the Imgur link Zi was using went down. Not everything on the World Wide Web is forever, and there is no guarantee that a given link will work indefinitely. Indeed, access to Imgur from the United Kingdom was abruptly cut off on September 30 in response to the country's age verification rules.

Still, the link not working isn't the end of the world. Zi could just reprogram the chip again, right? Wrong. "When I went to rewrite the chip, I was horrified to realize I forgot the password that I had locked it with." The link eventually started working again, but if and when it stops, Zi's party piece will be a little less entertaining. He said: "Techie friends I've consulted with have determined that it's too dumb and simple to hack, the only way to crack it is to strap on an RFID reader for days to weeks, brute forcing every possible combination." Or perhaps some surgery to remove the offending hardware.

The International Association of Cryptologic Research (IACR) was forced to cancel its leadership election after a trustee lost their portion of the Helios voting system's decryption key, making it impossible to reveal or verify the final results. Ars Technica reports: The IACR said Friday that the votes were submitted and tallied using Helios, an open source voting system that uses peer-reviewed cryptography to cast and count votes in a verifiable, confidential, and privacy-preserving way. Helios encrypts each vote in a way that assures each ballot is secret. Other cryptography used by Helios allows each voter to confirm their ballot was counted fairly. "Unfortunately, one of the three trustees has irretrievably lost their private key, an honest but unfortunate human mistake, and therefore cannot compute their decryption share," the IACR said. "As a result, Helios is unable to complete the decryption process, and it is technically impossible for us to obtain or verify the final outcome of this election."

The IACR will switch to a two-of-three private key system to prevent this sort of thing from happening again. Moti Yung, the trustee responsible for the incident, has resigned and is being replaced by Michael Abdalla.

The SEC has officially dismissed its high-profile case against SolarWinds and its CISO that was tied to a Russia-linked cyberattack involving the software company. Reuters reports: The landmark case, which SEC brought in late 2023, rattled the cybersecurity community and later faced scrutiny from a judge who dismissed many of the charges. The SEC had said SolarWinds and its chief information security officer had violated U.S. securities laws by concealing vulnerabilities in connection with the high-profile 2020 Sunburst cyber attack. The SEC, SolarWinds and CISO Timothy Brown filed a motion on Thursday to dismiss the case with prejudice, according to a joint stipulation posted on the agency's website. A SolarWinds spokesperson said the firm is "clearly delighted" with the dismissal.

"We hope this resolution eases the concerns many CISOs have voiced about this case and the potential chilling effect it threatened to impose on their work," the spokesperson said.

Phoronix's Michael Larabel reports: A 21 year old bug report requesting support of the XDG Base Directory specification is finally being addressed by Firefox. The Firefox 147 release should respect this XDG specification around where files should be positioned within Linux users' home directory.

The XDG Base Directory specification lays out where application data files, configuration files, cached assets, and other files and file formats should be positioned within a user's home directory and the XDG environment variables for accessing those locations. To date Firefox has just positioned all files under ~/.mozilla rather than the likes of ~/.config and ~/.local/share.

Google confirmed in a statement Friday that hackers have stolen the Salesforce-stored data of more than 200 companies in a large-scale supply chain hack. TechCrunch reports: On Thursday, Salesforce disclosed a breach of "certain customers' Salesforce data" -- without naming affected companies -- that was stolen via apps published by Gainsight, which provides a customer support platform to other companies.

In a statement, Austin Larsen, the principal threat analyst of Google Threat Intelligence Group, said that the company "is aware of more than 200 potentially affected Salesforce instances." After Salesforce announced the breach, the notorious and somewhat-nebulous hacking group known as Scattered Lapsus$ Hunters, which includes the ShinyHunters gang, claimed responsibility for the hacks in a Telegram channel, which TechCrunch has seen.