Bitcoin

Canadian Math Prodigy Allegedly Stole $65 Million In Crypto (theglobeandmail.com) 85

A Canadian math prodigy is accused of stealing over $65 million through complex exploits on decentralized finance platforms and is currently a fugitive from U.S. authorities. Despite facing criminal charges for fraud and money laundering, he has evaded capture by moving internationally, embracing the controversial "Code is Law" philosophy, and maintaining that his actions were legal under the platforms' open-source rules. The Globe and Mail reports: Andean Medjedovic was 18 years old when he made a decision that would irrevocably alter the course of his life. In the fall of 2021, shortly after completing a master's degree at the University of Waterloo, the math prodigy and cryptocurrency trader from Hamilton had conducted a complex series of transactions designed to exploit a vulnerability in the code of a decentralized finance platform. The maneuver had allegedly allowed him to siphon approximately $16.5-million in digital tokens out of two liquidity pools operated by the platform, Indexed Finance, according to a U.S. court document.

Indexed Finance's leaders traced the attack back to Mr. Medjedovic, and made him an offer: Return 90 per cent of the funds, keep the rest as a so-called "bug bounty" -- a reward for having identified an error in the code -- and all would be forgiven. Mr. Medjedovic would then be free to launch his career as a white hat, or ethical, hacker. Mr. Medjedovic didn't take the deal. His social media posts hinted, without overtly stating, that he believed that because he had operated within the confines of the code, he was entitled to the funds -- a controversial philosophy in the world of decentralized finance known as "Code is Law." But instead of testing that argument in court, Mr. Medjedovic went into hiding. By the time authorities arrived on a quiet residential street in Hamilton to search his parents' townhouse less than two months later, Mr. Medjedovic had moved out, taking his electronic devices with him.

Then, roughly two years later, he struck again, netting an even larger sum -- approximately $48.4-million -- by conducting a similar exploit on another decentralized finance platform, U.S. authorities allege. Mr. Medjedovic, now 22, faces five criminal charges -- including wire fraud, attempted extortion and money laundering -- according to a U.S. federal court document that was unsealed earlier this year. If convicted, he could be facing decades in prison. First, authorities will have to find him.

Programming

Figma Sent a Cease-and-Desist Letter To Lovable Over the Term 'Dev Mode' (techcrunch.com) 73

An anonymous reader quotes a report from TechCrunch: Figma has sent a cease-and-desist letter to popular no-code AI startup Lovable, Figma confirmed to TechCrunch. The letter tells Lovable to stop using the term "Dev Mode" for a new product feature. Figma, which also has a feature called Dev Mode, successfully trademarked that term last year, according to the U.S. Patent and Trademark office. What's wild is that "dev mode" is a common term used in many products that cater to software programmers. It's like an edit mode. Software products from giant companies like Apple's iOS, Google's Chrome, Microsoft's Xbox have features formally called "developer mode" that then get nicknamed "dev mode" in reference materials.

Even "dev mode" itself is commonly used. For instance Atlassian used it in products that pre-date Figma's copyright by years. And it's a common feature name in countless open source software projects. Figma tells TechCrunch that its trademark refers only to the shortcut "Dev Mode" -- not the full term "developer mode." Still, it's a bit like trademarking the term "bug" to refer to "debugging." Since Figma wants to own the term, it has little choice but send cease-and-desist letters. (The letter, as many on X pointed out, was very polite, too.) If Figma doesn't defend the term, it could be absorbed as a generic term and the trademarked becomes unenforceable.

Android

Samsung Pauses One UI 7 Rollout Worldwide (theverge.com) 9

Samsung has paused the global rollout of its One UI 7 update after a serious bug was reported that prevented some Galaxy S24 owners from unlocking their phones. The Verge reports: While the complaints seem to have specifically come from South Korean owners of Galaxy S24 series handsets, Samsung has played it safe and paused the rollout across all models worldwide. While some users will have already downloaded the update to One UI 7, using the app CheckFirm we've confirmed that the update is no longer listed on Samsung's servers as the latest firmware version across several Galaxy devices, with older patches appearing instead. Samsung hasn't confirmed the pause in the rollout, nor plans to issue a fix for users who have already downloaded the One UI 7 update. We've reached out to the company for comment.
United States

FSF Urges US Government to Adopt Free-as-in-Freedom Tax Filing Software (fsf.org) 123

"A modern free society has an obligation to offer electronic tax filing that respects user freedom," says a Free Software Foundation blog post, "and the United States is not excluded from this responsibility."

"Governments, and/or the companies that they partner with, are responsible for providing free as in freedom software for necessary operations, and tax filing is no exception." For many years now, a large portion of [U.S.] taxpayers have filed their taxes electronically through proprietary programs like TurboTax. Millions of taxpayers are led to believe that they have no other option than to use nonfree software or Service as a Software Substitute (SaaSS), giving up their freedom as well as their most private financial information to a third-party company, in order to file their taxes...

While the options for taxpayers have improved slightly with the IRS's implementation of the IRS Direct File program [in 25 states], this program unfortunately does require users to hand over their freedom when filing taxes.... Taxpayers shouldn't have to use a program that violates their individual freedoms to file legally required taxes. While Direct File is a step in the right direction as the program isn't in the hands of a third-party entity, it is still nonfree software. Because Direct File is a US government-operated program, and ongoing in the process of being deployed to twenty-five states, it's not too late to call on the IRS to make Direct File free software.

In the meantime, if you need to file US taxes and are yet to file, we suggest filing your taxes in a way that respects your user freedom as much as possible, such as through mailing tax forms. Like with other government interactions that snatch away user freedom, choose the path that most respects your freedom.

Free-as-in-freedom software would decrease the chance of user lock-in, the FSF points out. But they list several other advantages, including:
  • Repairability: With free software, there is no uncertain wait period or reliance on a proprietary provider to make any needed bug or security fixes.
  • Transparency: Unless you can check what a program really does (or ask someone in the free software community to check for you), there is no way to know that the program isn't doing things you don't consent to it doing.
  • Cybersecurity: While free software isn't inherently more secure than nonfree software, it does have a tendency to be more secure because many developers can continuously improve the program and search for errors that can be exploited. With proprietary programs like TurboTax, taxpayers and the U.S. government are dependent on TurboTax to protect the sensitive financial and personal information of millions with few (if any) outside checks and balances...
  • Taxpayer dollars spent should actually benefit the taxpayers: Taxpayer dollars should not be used to fund third-party programs that seek to control users and force them to use their programs through lobbying....

"We don't have to accept this unjust reality: we can work for a better future, together," the blog post concludes (offering a "sample message" U.S. taxpayers could send to IRS Commissioner Danny Werfel).

"Take action today and help make electronic tax filing free as in freedom for everyone."


Chrome

Chrome To Patch Decades-Old 'Browser History Sniffing' Flaw That Let Sites Peek At Your History (theregister.com) 34

Slashdot reader king*jojo shared this article from The Register: A 23-year-old side-channel attack for spying on people's web browsing histories will get shut down in the forthcoming Chrome 136, released last Thursday to the Chrome beta channel. At least that's the hope.

The privacy attack, referred to as browser history sniffing, involves reading the color values of web links on a page to see if the linked pages have been visited previously... Web publishers and third parties capable of running scripts, have used this technique to present links on a web page to a visitor and then check how the visitor's browser set the color for those links on the rendered web page... The attack was mitigated about 15 years ago, though not effectively. Other ways to check link color information beyond the getComputedStyle method were developed... Chrome 136, due to see stable channel release on April 23, 2025, "is the first major browser to render these attacks obsolete," explained Kyra Seevers, Google software engineer in a blog post.

This is something of a turnabout for the Chrome team, which twice marked Chromium bug reports for the issue as "won't fix." David Baron, presently a Google software engineer who worked for Mozilla at the time, filed a Firefox bug report about the issue back on May 28, 2002... On March 9, 2010, Baron published a blog post outlining the issue and proposing some mitigations...

United Kingdom

Were Still More UK Postmasters Also Wrongly Prosecuted Over Accounting Bug? (computerweekly.com) 48

U.K. postmasters were mistakenly sent to prison due to a bug in their "Horizon" accounting software — as first reported by Computer Weekly back in 2009. Nearly 16 years later, the same site reports that now the Scottish Criminal Cases Review Commission "is attempting to contact any former subpostmasters that could have been prosecuted for unexplained losses on the Post Office's pre-Horizon Capture software.

"There are former subpostmasters that, like Horizon users, could have been convicted of crimes based on data from these systems..." Since the Post Office Horizon scandal hit the mainstream in January 2024 — revealing to a wide audience the suffering experienced by subpostmasters who were blamed for errors in the Horizon accounting system — users of Post Office software that predated Horizon have come forward... to tell their stories, which echoed those of victims of the Horizon scandal. The Criminal Cases Review Commission for England and Wales is now reviewing 21 cases of potential wrongful conviction... where the Capture IT system could be a factor...

The SCCRC is now calling on people that might have been convicted based on Capture accounts to come forward. "The commission encourages anyone who believes that their criminal conviction, or that of a relative, might have been affected by the Capture system to make contact with it," it said. The statutory body is also investigating a third Post Office system, known as Ecco+, which was also error-prone...

A total of 64 former subpostmasters in Scotland have now had their convictions overturned through the legislation brought through Scottish Parliament. So far, 97 convicted subpostmasters have come forward, and 86 have been assessed, out of which the 64 have been overturned. However, 22 have been rejected and another 11 are still to be assessed. An independent group, fronted by a former Scottish subpostmaster, is also calling on users of any of the Post Office systems to come forward to tell their stories, and for support in seeking justice and redress.

AI

Microsoft Uses AI To Find Flaws In GRUB2, U-Boot, Barebox Bootloaders (bleepingcomputer.com) 57

Slashdot reader zlives shared this report from BleepingComputer: Microsoft used its AI-powered Security Copilot to discover 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders.

GRUB2 (GRand Unified Bootloader) is the default boot loader for most Linux distributions, including Ubuntu, while U-Boot and Barebox are commonly used in embedded and IoT devices. Microsoft discovered eleven vulnerabilities in GRUB2, including integer and buffer overflows in filesystem parsers, command flaws, and a side-channel in cryptographic comparison. Additionally, 9 buffer overflows in parsing SquashFS, EXT4, CramFS, JFFS2, and symlinks were discovered in U-Boot and Barebox, which require physical access to exploit.

The newly discovered flaws impact devices relying on UEFI Secure Boot, and if the right conditions are met, attackers can bypass security protections to execute arbitrary code on the device. While exploiting these flaws would likely need local access to devices, previous bootkit attacks like BlackLotus achieved this through malware infections.

Miccrosoft titled its blog post "Analyzing open-source bootloaders: Finding vulnerabilities faster with AI." (And they do note that Micxrosoft disclosed the discovered vulnerabilities to the GRUB2, U-boot, and Barebox maintainers and "worked with the GRUB2 maintainers to contribute fixes... GRUB2 maintainers released security updates on February 18, 2025, and both the U-boot and Barebox maintainers released updates on February 19, 2025.")

They add that performing their initial research, using Security Copilot "saved our team approximately a week's worth of time," Microsoft writes, "that would have otherwise been spent manually reviewing the content." Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability. Copilot also assisted in finding similar patterns in other files, ensuring comprehensive coverage and validation of our findings...

As AI continues to emerge as a key tool in the cybersecurity community, Microsoft emphasizes the importance of vendors and researchers maintaining their focus on information sharing. This approach ensures that AI's advantages in rapid vulnerability discovery, remediation, and accelerated security operations can effectively counter malicious actors' attempts to use AI to scale common attack tactics, techniques, and procedures (TTPs).

This week Google also announced Sec-Gemini v1, "a new experimental AI model focused on advancing cybersecurity AI frontiers."
Operating Systems

Coreboot 25.03 Released With Support For 22 More Motherboards (phoronix.com) 26

Coreboot 25.03 has been released with support for 22 new motherboards and several other significant updates, including enhanced display handling, USB debugging, RISC-V support, and RAM initialization for older Intel platforms. Phoronix reports: Coreboot 25.03 delivers display handling improvements, a better USB debugging experience, CPU topology updates, various improvements to the open-source RAM initialization for aging Intel Haswell platforms, improved USB Type-C and Thunderbolt handling, various embedded controller (EC) improvements, better RISC-V architecture support, DDR5-7500 support, and many bug fixes across the sprawling Coreboot codebase. More details, including a full list of the supported boards, can be found here.
Businesses

Reddit's 50% Stock-Price Plunge Fails to Entice Buyers as Growth Slows (yahoo.com) 38

Though it's stock price is still up 200% from its IPO in March of 2024 — last week Reddit's stock had dropped nearly 50% since February 7th.

And then this week, it dropped another 10%, reports Bloomberg, citing both the phenomenon of "volatile technology stocks under pressure" — but also specifically "the gloomy sentiment around Reddit..." The social media platform has struggled to recover since an earnings report in February showed that it is failing to keep up with larger digital advertising peers such as Meta Platforms Inc. and Alphabet Inc.'s Google, which have higher user figures. Reddit's outlook seemed precarious because its U.S. traffic took a hit from a change in Google's search algorithm.

In recent weeks, the short interest in Reddit — a proxy for the volume of bets against the company — has ticked up, and forecasts for the company's share price have fallen. One analyst opened coverage of Reddit this month with a recommendation that investors sell the shares, in part due to the company's heavy reliance on Google. Reddit shares fell more than 5% in intraday trading Friday. "It's been super overvalued," Bob Lang, founder and chief options analyst at Explosive Options said of Reddit. "Their growth rate is very strong, but they still are not making any money." Reddit had a GAAP earnings per share loss of $3.33 in 2024, but reported two consecutive quarters of positive GAAP EPS in the second half of the year...

At its February peak, Reddit's stock had risen over 500% from the $34 initial public offering price last March. Some of the enthusiasm was due to a series of deals in which Reddit was paid to allow its content to be used for training artificial intelligence models. More recently, though, there have been questions about the long-term growth prospects for the artificial intelligence industry.

"On Wall Street, the average price target from analysts has fallen to about $195 from $207 a month ago," the article points out. "That still offers a roughly $85 upside from where shares closed following Thursday's 8% slump..."

Meanwhile Reuters reported that more than 33,000 U.S. Reddit users experienced disruptions on Thursday according to Downdetector.com. "A Reddit spokesperson said the outage was due to a bug in a recent update, which has now been fixed."
Android

Google Will Develop the Android OS Fully In Private 20

An anonymous reader quotes a report from Android Authority: No matter the manufacturer, every Android phone has one thing in common: its software base. Manufacturers can heavily customize the look and feel of the Android OS they ship on their Android devices, but under the hood, the core system functionality is derived from the same open-source foundation: the Android Open Source Project. After over 16 years, Google is making big changes to how it develops the open source version of Android in an effort to streamline its development. [...] Beginning next week, all Android development will occur within Google's internal branches, and the source code for changes will only be released when Google publishes a new branch containing those changes. As this is already the practice for most Android component changes, Google is simply consolidating its development efforts into a single branch.

This change will have minimal impact on regular users. While it streamlines Android OS development for Google, potentially affecting the speed of new version development and bug reduction, the overall effect will likely be imperceptible. Therefore, don't expect this change to accelerate OS updates for your phone. This change will also have minimal impact on most developers. App developers are unaffected, as it pertains only to platform development. Platform developers, including those who build custom ROMs, will largely also see little change, since they typically base their work on specific tags or release branches, not the main AOSP branch. Similarly, companies that release forked AOSP products rarely use the main AOSP branch due to its inherent instability.

External developers who enjoy reading or contributing to AOSP will likely be dismayed by this news, as it reduces their insight into Google's development efforts. Without a GMS license, contributing to Android OS development becomes more challenging, as the available code will consistently lag behind by weeks or months. This news will also make it more challenging for some developers to keep up with new Android platform changes, as they'll no longer be able to track changes in AOSP. For reporters, this change means less access to potentially revealing information, as AOSP patches often provide insights into Google's development plans. [...] Google will share more details about this change when it announces it later this week. If you're interested in learning more, be sure to keep an eye out for the announcement and new documentation on source.android.com.
Android Authority's Mishaal Rahman says Google is "committed to publishing Android's source code, so this change doesn't mean that Android is becoming closed-source."

"What will change is the frequency of public source code releases for specific Android components," says Rahman. "Some components like the build system, update engine, Bluetooth stack, Virtualization framework, and SELinux configuration are currently AOSP-first, meaning they're developed fully in public. Most Android components like the core OS framework are primarily developed internally, although some features, such as the unlocked-only storage area API, are still developed within AOSP."
Chrome

Google Patches Chrome Sandbox Escape Zero-Day Caught By Kaspersky (securityweek.com) 42

wiredmikey shares a report from SecurityWeek: Google late Tuesday rushed out a patch for a sandbox escape vulnerability in its flagship Chrome browser after researchers at Kaspersky caught a professional hacking operation launching drive-by download exploits. The vulnerability, tracked as CVE-2025-2783, was chained with a second exploit for remote code execution in what appears to be a nation-state sponsored cyberespionage campaign [dubbed Operation ForumTroll] targeting organizations in Russia.

Kaspersky said it detected a series of infections triggered by phishing emails in the middle of March and traced the incidents to a zero-day that fired when victims simply clicked on a booby-trapped website from a Chrome browser. The Russian anti-malware vendor said victims merely had to click on a personalized, short-lived link, and their systems were compromised when the malicious website was opened in Chrome. Kaspersky said its exploit detection tools picked up on the zero-day, and after reverse-engineering the code, the team reported the bug to Google and coordinated the fix released on Tuesday.

Role Playing (Games)

After DDOS Attacks, Blizzard Rolls Back Hardcore WoW Deaths For the First Time (arstechnica.com) 21

An anonymous reader quotes a report from Ars Technica: World of Warcraft Classic's Hardcore mode has set itself apart from the average MMO experience simply by making character death permanent across the entire in-game realm. For years, Blizzard has not allowed any appeals or rollbacks for these Hardcore mode character deaths, even when such deaths came as the direct result of a server disconnection or gameplay bug. Now, Blizzard says it's modifying that policy somewhat in response to a series of "unprecedented distributed-denial-of-service (DDOS) attacks" undertaken "with the singular goal of disrupting players' experiences." The World of Warcraft developer says it may now resurrect Classic Hardcore characters "at our sole discretion" when those deaths come "in a mass event which we deem inconsistent with the integrity of the game." WoW's Classic Hardcore made it a hotspot for streamers, especially members of the OnlyFangs Guild, who embraced the challenge that one mistake could end a character's run. However, as Ars Technica reports, a series of DDOS attacks timed with their major livestreamed raids led to character deaths and widespread frustration, prompting streamer sodapoppin to declare the guild's end.

Blizzard responded by updating its Hardcore policy to resurrect characters lost specifically to DDOS attacks. "Recently, we have experienced unprecedented distributed-denial-of-service (DDOS) attacks that impacted many Blizzard game services, including Hardcore realms, with the singular goal of disrupting players' experiences," WoW Classic Associate Production Director Clay Stone wrote in a public message. "As we continue our work to further strengthen the resilience of WoW realms and our rapid response time, we're taking steps to resurrect player-characters that were lost as a result of these attacks."
Government

Consumer Groups Push New Law Fighting 'Zombie' IoT Devices (consumerreports.org) 56

Long-time Slashdot reader chicksdaddy writes: A group of U.S. consumer advocacy groups on Wednesday proposed legislation to address the growing epidemic of "zombie" Internet of Things (IoT) devices that have had software support cut off by their manufacturer, Fight To Repair News reports.

The Connected Consumer Product End of Life Disclosure Act is a collaboration between Consumer Reports, US PIRG, the Secure Resilient Future Foundation (SRFF) and the Center for Democracy and Technology. It requires manufacturers of connected consumer products to disclose for how long they will provide technical support, security updates, or bug fixes for the software and hardware that are necessary for the product to operate securely.

The groups proposed legal requirements that manufacturers "must notify consumers when their devices are nearing the end of life and provide guidance on how to handle the device's end of life," while end-of-life notifications "must include details about features that will be lost, and potential vulnerabilities and security risks that may arise." And when an ISP-provided device (like a router) reaches its end of life, the ISP must remove them.

"The organizations are working with legislators at the state and federal level to get the model legislation introduced," according to Fight To Repair News.
AI

AI Coding Assistant Refuses To Write Code, Tells User To Learn Programming Instead (arstechnica.com) 96

An anonymous reader quotes a report from Ars Technica: On Saturday, a developer using Cursor AI for a racing game project hit an unexpected roadblock when the programming assistant abruptly refused to continue generating code, instead offering some unsolicited career advice. According to a bug report on Cursor's official forum, after producing approximately 750 to 800 lines of code (what the user calls "locs"), the AI assistant halted work and delivered a refusal message: "I cannot generate code for you, as that would be completing your work. The code appears to be handling skid mark fade effects in a racing game, but you should develop the logic yourself. This ensures you understand the system and can maintain it properly."

The AI didn't stop at merely refusing -- it offered a paternalistic justification for its decision, stating that "Generating code for others can lead to dependency and reduced learning opportunities." [...] The developer who encountered this refusal, posting under the username "janswist," expressed frustration at hitting this limitation after "just 1h of vibe coding" with the Pro Trial version. "Not sure if LLMs know what they are for (lol), but doesn't matter as much as a fact that I can't go through 800 locs," the developer wrote. "Anyone had similar issue? It's really limiting at this point and I got here after just 1h of vibe coding." One forum member replied, "never saw something like that, i have 3 files with 1500+ loc in my codebase (still waiting for a refactoring) and never experienced such thing."

Cursor AI's abrupt refusal represents an ironic twist in the rise of "vibe coding" -- a term coined by Andrej Karpathy that describes when developers use AI tools to generate code based on natural language descriptions without fully understanding how it works. While vibe coding prioritizes speed and experimentation by having users simply describe what they want and accept AI suggestions, Cursor's philosophical pushback seems to directly challenge the effortless "vibes-based" workflow its users have come to expect from modern AI coding assistants.

Printer

Firmware Update Bricks HP Printers, Makes Them Unable To Use HP Cartridges (arstechnica.com) 72

An anonymous reader quotes a report from Ars Technica: HP, along with other printer brands, is infamous for issuing firmware updates that brick already-purchased printers that have tried to use third-party ink. In a new form of frustration, HP is now being accused of issuing a firmware update that broke customers' laser printers -- even though the devices are loaded with HP-brand toner. The firmware update in question is version 20250209, which HP issued on March 4 for its LaserJet MFP M232-M237 models. Per HP, the update includes "security updates," a "regulatory requirement update," "general improvements and bug fixes," and fixes for IPP Everywhere. Looking back to older updates' fixes and changes, which the new update includes, doesn't reveal anything out of the ordinary. The older updates mention things like "fixed print quality to ensure borders are not cropped for certain document types," and "improved firmware update and cartridge rejection experiences." But there's no mention of changes to how the printers use or read toner.

However, users have been reporting sudden problems using HP-brand toner in their M232-M237 series printers since their devices updated to 20250209. Users on HP's support forum say they see Error Code 11 and the hardware's toner light flashing when trying to print. Some said they've cleaned the contacts and reinstalled their toner but still can't print. "Insanely frustrating because it's my small business printer and just stopped working out of nowhere[,] and I even replaced the tone[r,] which was a $60 expense," a forum user wrote on March 8.
HP said in a statement: "We are aware of a firmware issue affecting a limited number of HP LaserJet 200 Series devices and our team is actively working on a solution. For assistance, affected customers can contact our support team at: https://support.hp.com." It's unclear how widespread the problems are.
Security

CISA Tags Windows, Cisco Vulnerabilities As Actively Exploited (bleepingcomputer.com) 16

CISA has warned U.S. federal agencies about active exploitation of vulnerabilities in Cisco VPN routers and Windows systems. "While the cybersecurity agency has tagged these flaws as actively exploited in the wild, it has yet to provide specific details regarding this malicious activity and who is behind it," adds Bleeping Computer. From the report: The first flaw (tracked as CVE-2023-20118) enables attackers to execute arbitrary commands on RV016, RV042, RV042G, RV082, RV320, and RV325 VPN routers. While it requires valid administrative credentials, this can still be achieved by chaining the CVE-2023-20025 authentication bypass, which provides root privileges. Cisco says in an advisory published in January 2023 and updated one year later that its Product Security Incident Response Team (PSIRT) is aware of CVE-2023-20025 publicly available proof-of-concept exploit code.

The second security bug (CVE-2018-8639) is a Win32k elevation of privilege flaw that local attackers logged into the target system can exploit to run arbitrary code in kernel mode. Successful exploitation also allows them to alter data or create rogue accounts with full user rights to take over vulnerable Windows devices. According to a security advisory issued by Microsoft in December 2018, this vulnerability impacts client (Windows 7 or later) and server (Windows Server 2008 and up) platforms.

Today, CISA added the two vulnerabilities to its Known Exploited Vulnerabilities catalog, which lists security bugs the agency has tagged as exploited in attacks. As mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021, Federal Civilian Executive Branch (FCEB) agencies now have three weeks, until March 23, to secure their networks against ongoing exploitation.

Operating Systems

COSMIC Desktop Alpha 6 Released (linuxiac.com) 29

New submitter TronNerd82 writes: Linuxiac reports that the 6th alpha release of the COSMIC desktop environment has been released. The new alpha release includes zooming, desktop icon management, some new scaling options, and improved accessibility features. Also included in the release are a number of bug fixes.

These include, but are not limited to:
- Fixing a crash issue in Steam, and fixing certain issues for Radeon RX GPUs
- Fixing a bug that prevented icons from appearing in screenshots
- Adding a layer of polish to the COSMIC Files application by adding folder size metadata and preventing crashes

Also of note are a number of memory usage reductions across the board. COSMIC Alpha 6 also replaces the default font, changing from Fira Sans to Open Sans, with Noto Sans Mono as the default monospace font. Additional changes can be found in System76's official announcement.

Programming

Rust Developer Survey Finds Increasing Usage, Especially on Linux (rust-lang.org) 26

This year's "State of Rust" survey was completed by 7,310 Rust developers. DevClass note some key findings: When asked about their biggest worries for Rust's future, 45.5 percent cited "not enough usage in the tech industry," up from 42.5 percent last year, just ahead of the 45.2 percent who cited complexity as a concern... Only 18.6 percent declared themselves "not worried," though this is a slight improvement on 17.8 percent in 2023...

Another question asks whether respondents are using Rust at work. 38.2 percent claimed to use it for most of their coding [up from 34% in 2023], and 13.4 percent a few times a week, accounting for just over half of responses. At the organization level there is a similar pattern. 45.5 percent of organizations represented by respondents make "non-trivial use of Rust," up from 38.7 percent last year.

More details from I Programmer: On the up are "Using Rust helps us achieve or goals", now 82% compared to 72% in 2022; "We're likely to use Rust again in the future", up 3% to 78%; and "Using Rust has been worth the cost of Adoption". Going down are "Adopting Rust has been challenging", now 34.5% compared to 38.5% in 2022; and "Overall adopting Rust has slowed down our team" down by over 2% to 7%.
"According to the survey, organizations primarily choose Rust for building correct and bug-free software (87.1%), performance characteristics (84.5%), security and safety properties (74.8%), and development enjoyment (71.2%)," writes The New Stack: Rust seems to be especially popular for creating server backends (53.4%), web and networking services, cloud technologies and WebAssembly, the report said. It also seems to be gaining more traction for embedded use cases... Regarding the preferred development environment, Linux remains the dominant development platform (73.7%).

However, although VS Code remains the leading editor, its usage dropped five percentage points, from 61.7% to 56.7%, but the Zed editor gained notable traction, from 0.7% to 8.9%. Also, "nine out of 10 Rust developers use the current stable version, suggesting strong confidence in the language's stability," the report said...

Overall, 82% of respondents report that Rust helped their company achieve its goals, and daily Rust usage increased to 53% (up four percentage points from 2023). When asked why they use Rust at work, 47% of respondents cited a need for precise control over their software, which is up from 37% when the question was asked two years ago.

Windows

Glitches for Windows 11 Update Include Breaking File Explorer (zdnet.com) 57

Five days ago on Patch Tuesday, Microsoft released patch KB5051987 for Windows 11 version 24H2, writes the XDA Developers site.

But "As reported by Windows Latest and various communities like Reddit and Microsoft's help forum, many users have encountered a major issue..."

Some have reported that, in addition to File Explorer failing to launch, they're unable to open folders from the desktop, save Office files, or even download files. Clicking on a folder icon may display its subfolders, but the contents within remain inaccessible... Some users on Microsoft's help forum and Reddit have also reported that the KB5051987 patch fails to install entirely. The update gets stuck at a certain percentage for hours before eventually displaying an error code. While these are among the most widely reported issues, others have surfaced as well, including problems with Taskbar preview animations, the camera, and more.
"Microsoft keeps running into brick walls with the 2024 version of Windows 11," writes ZDNet. "Each new update designed to fix the outstanding bugs ends up introducing other problems..." Among the glitches resolved were ones that affected digital audio converters, USB audio drivers, USB cameras, and passkeys. The update also patched several security vulnerabilities, including some that were deemed critical....

Other glitches that may pop up include a stuttering mouse, an undetectable camera, .NET apps that cannot be installed inside the Windows Sandbox, and the Taskbar's new preview animation that does not work properly. You may also encounter other roadblocks. One person in the Windows Feedback Hub said that after installing the update, the battery life shows only 2.5 hours versus 6 hours previously. Another person found that the clipboard history no longer copies items from Microsoft Word...

Each annual Windows update can suffer from bugs, especially after being rolled out to millions of users. However, Windows 11 24H2 has been more problematic than usual. Since its official launch last October, the 2024 version has carried with it a host of known issues, many of which still haven't been resolved.

AI

AI Can Write Code But Lacks Engineer's Instinct, OpenAI Study Finds 76

Leading AI models can fix broken code, but they're nowhere near ready to replace human software engineers, according to extensive testing [PDF] by OpenAI researchers. The company's latest study put AI models and systems through their paces on real-world programming tasks, with even the most advanced models solving only a quarter of typical engineering challenges.

The research team created a test called SWE-Lancer, drawing from 1,488 actual software fixes made to Expensify's codebase, representing $1 million worth of freelance engineering work. When faced with these everyday programming tasks, the best AI model â" Claude 3.5 Sonnet -- managed to complete just 26.2% of hands-on coding tasks and 44.9% of technical management decisions.

Though the AI systems proved adept at quickly finding relevant code sections, they stumbled when it came to understanding how different parts of software interact. The models often suggested surface-level fixes without grasping the deeper implications of their changes.

The research, to be sure, used a set of complex methodologies to test the AI coding abilities. Instead of relying on simplified programming puzzles, OpenAI's benchmark uses complete software engineering tasks that range from quick $50 bug fixes to complex $32,000 feature implementations. Each solution was verified through rigorous end-to-end testing that simulated real user interactions, the researchers said.

Slashdot Top Deals