AI

Famed AI Researcher Launches Controversial Startup to Replace All Human Workers Everywhere (techcrunch.com) 177

TechCrunch looks at Mechanize, an ambitious new startup "whose founder — and the non-profit AI research organization he founded called Epoch — is being skewered on X..." Mechanize was launched on Thursday via a post on X by its founder, famed AI researcher Tamay Besiroglu. The startup's goal, Besiroglu wrote, is "the full automation of all work" and "the full automation of the economy."

Does that mean Mechanize is working to replace every human worker with an AI agent bot? Essentially, yes. The startup wants to provide the data, evaluations, and digital environments to make worker automation of any job possible. Besiroglu even calculated Mechanize's total addressable market by aggregating all the wages humans are currently paid. "The market potential here is absurdly large: workers in the US are paid around $18 trillion per year in aggregate. For the entire world, the number is over three times greater, around $60 trillion per year," he wrote.

Besiroglu did, however, clarify to TechCrunch that "our immediate focus is indeed on white-collar work" rather than manual labor jobs that would require robotics...

Besiroglu argues to the naysayers that having agents do all the work will actually enrich humans, not impoverish them, through "explosive economic growth." He points to a paper he published on the topic. "Completely automating labor could generate vast abundance, much higher standards of living, and new goods and services that we can't even imagine today," he told TechCrunch.

TechCrunch wonders how jobless humans will produce goods — and whether wealth will simply concentrate around whoever owns the agents.

But they do concede that Besiroglu may be right that "If each human worker has a personal crew of agents which helps them produce more work, economic abundance could follow..."
Encryption

CA/Browser Forum Votes for 47-Day Cert Durations By 2029 (computerworld.com) 114

"Members of the CA/Browser Forum have voted to slash cert lifespans from the current one year to 47 days," reports Computerworld, "placing an added burden on enterprise IT staff who must ensure they are updated." In a move that will likely force IT to much more aggressively use web certificate automation services, the Certification Authority Browser Forum (CA/Browser Forum), a gathering of certificate issuers and suppliers of applications that use certificates, voted [last week] to radically slash the lifespan of the certificates that verify the ownership of sites.

The approved changes, which passed overwhelmingly, will be phased in gradually through March 2029, when the certs will only last 47 days.

This controversial change has been debated extensively for more than a year. The group's argument is that this will improve web security in various ways, but some have argued that the group's members have a strong alternative incentive, as they will be the ones earning more money due to this acceleration... Although the group voted overwhelmingly to approve the change, with zero "No" votes, not every member agreed with the decision; five members abstained...

In roughly one year, on March 15, 2026, the "maximum TLS certificate lifespan shrinks to 200 days. This accommodates a six-month renewal cadence. The DCV reuse period reduces to 200 days," according to the passed ballot. The next year, on March 15, 2027, the "maximum TLS certificate lifespan shrinks to 100 days. This accommodates a three-month renewal cadence. The DCV reuse period reduces to 100 days." And on March 15, 2029, "maximum TLS certificate lifespan shrinks to 47 days. This accommodates a one-month renewal cadence. The DCV reuse period reduces to 10 days."

The changes "were primarily pushed by Apple," according to the article, partly to allow more effective reactions to possible changes in cryptography.

And Apple also wrote that the shift "reduces the risk of improper validation, the scope of improper validation perpetuation, and the opportunities for misissued certificates to negatively impact the ecosystem and its relying parties."

Thanks to Slashdot reader itwbennett for sharing the news.
AI

Study Finds 50% of Workers Use Unapproved AI Tools 18

An anonymous reader quotes a report from SecurityWeek: An October 2024 study by Software AG suggests that half of all employees are Shadow AI users, and most of them wouldn't stop even if it was banned. The problem is the ease of access to AI tools, and a work environment that increasingly advocates the use of AI to improve corporate efficiency. It is little wonder that employees seek their own AI tools to improve their personal efficiency and maximize the potential for promotion. It is frictionless, says Michael Marriott, VP of marketing at Harmonic Security. 'Using AI at work feels like second nature for many knowledge workers now. Whether it's summarizing meeting notes, drafting customer emails, exploring code, or creating content, employees are moving fast.' If the official tools aren't easy to access or if they feel too locked down, they'll use whatever's available which is often via an open tab on their browser.

There is also almost never any malicious intent (absent, perhaps, the mistaken employment of rogue North Korean IT workers); merely a desire to do and be better. If this involves using unsanctioned AI tools, employees will likely not disclose their actions. The reasons may be complex but combine elements of a reluctance to admit that their efficiency is AI assisted rather than natural, and knowledge that use of personal shadow AI might be discouraged. The result is that enterprises often have little knowledge of the extent of Shadow IT, nor the risks it may present.
According to an analysis from Harmonic, ChatGPT is the dominant gen-AI model used by employees, with 45% of data prompts originating from personal accounts (such as Gmail). Image files accounted for 68.3%. The report also notes that 7% of employees were using Chinese AI models like DeepSeek, Baidu Chat and Qwen.

"Overall, there has been a slight reduction in sensitive prompt frequency from Q4 2024 (down from 8.5% to 6.7% in Q1 2025)," reports SecurityWeek. "However, there has been a shift in the risk categories that are potentially exposed. Customer data (down from 45.8% to 27.8%), employee data (from 26.8% to 14.3%) and security (6.9% to 2.1%) have all reduced. Conversely, legal and financial data (up from 14.9% to 30.8%) and sensitive code (5.6% to 10.1%) have both increased. PII is a new category introduced in Q1 2025 and was tracked at 14.9%."
IBM

IBM Orders US Sales To Locate Near Customers or Offices (theregister.com) 31

IBM is mandating that U.S. sales and Cloud employees return to the office at least three days a week, with work required at designated client sites, flagship offices, or sales hubs. According to The Register, some IBM employees argue that these policies "represent stealth layoffs because older (and presumably more highly compensated) employees tend to be less willing to uproot their lives, and families where applicable, than the 'early professional hires' IBM has been courting at some legal risk." From the report: In a staff memo seen by The Register, Adam Lawrence, general manager for IBM Americas, billed the return-to-office for most stateside sales personnel as a "return to client initiative." Citing how "remarkable it is when our teams work side by side" at IBM's swanky Manhattan flagship office, unveiled in September 2024, Lawrence added IBM is investing in an Austin, Texas, office to be occupied in 2026.

Whether US sales staff end up working in NYC, Austin, or some other authorized location, Lawrence told them to brace for -- deep breath -- IBM's "new model" of "effective talent acquisition, deployment, and career progression." We're told that model is "centered on client proximity for those dedicated to specific clients, and anchored on core IBM locations for those dedicated to territories or those in above-market leadership roles." The program requires most IBM US sales staff "to work at least three days a week from the client location where their assigned territory decision-makers work, a flagship office, or a sales hub." Those residing more than 50 miles from their assigned location will be offered relocation benefits to move. Sales hubs are an option only for those with more than one dedicated account.

[...] IBM's office policy change reached US Cloud employees in an April 10 memo from Alan Peacock, general manager of IBM Cloud. Peacock set a July 1, 2025, deadline for US Cloud employees to work from an office at least three days per week, with relocating workers given until October 1, 2025. The employee shuffling has been accompanied by rolling layoffs in the US, but hiring in India -- there are at least 10x as many open IBM jobs in India as there are in any other IBM location, according to the corporation's career listings. And earlier this week, IBM said it "is setting up a new software lab in Lucknow," India.

IT

GoDaddy Registry Error Knocked Zoom Offline for Nearly Two Hours (theregister.com) 17

A communication error between GoDaddy Registry and Markmonitor took Zoom's services offline for almost two hours on Wednesday when GoDaddy mistakenly blocked the zoom.us domain. The outage affected all services dependent on the zoom.us domain.

GoDaddy's block prevented top-level domain nameservers from maintaining proper DNS records for zoom.us. This created a classic domain resolution failure -- when users attempted to connect to any zoom.us address, their requests couldn't be routed to Zoom's servers because the domain effectively disappeared from the internet's addressing system.

Video meetings abruptly terminated mid-session with browser errors indicating the domain couldn't be found. Zoom's status page (status.zoom.us) went offline, hampering communication efforts. Even Zoom's main website at zoom.com failed as the content delivery network couldn't reach backend services hosted on zoom.us servers. Customer support capabilities collapsed when account managers using Zoom's VoIP phones lost connectivity.

Resolution required coordinated effort between Zoom, Markmonitor, and GoDaddy to identify and remove the block. After service restoration, users needed to manually flush their DNS caches using command line instructions (including the sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder command for Mac users).
IT

Synology Locks Key NAS Features Behind Proprietary Drive Requirement (tomshardware.com) 108

Synology's upcoming Plus Series NAS systems will restrict full functionality to users who install the company's self-branded hard drives, Tom's Hardware is reporting, marking a significant shift in the consumer NAS market. While third-party drives will still work for basic storage, critical features including drive health monitoring, volume-wide deduplication, lifespan analysis, and automatic firmware updates will be disabled, the publication said.

The restriction doesn't apply to Synology's 2024 and older models, only affecting new Plus Series devices targeted at SMBs and advanced home users. Synology itself doesn't manufacture drives but rebrands HDDs from major manufacturers like Seagate, Western Digital, and Toshiba, often with custom firmware that functions as DRM. According to Synology, the change follows successful implementation in their enterprise solutions and will deliver "higher performance, increased reliability, and more efficient support." A workaround exists: users can initialize a non-Synology drive in an older Synology NAS and then migrate it to a new Plus model without restrictions.
IT

India's IT Services Giants Hit With Steepest Growth Slowdown in Years (indiadispatch.com) 34

India's three largest IT services companies are facing their steepest growth slowdown in years as corporations curtail large technology projects amid global economic uncertainty and geopolitical challenges. From a report: Infosys, the country's second-largest IT services provider, on Thursday forecast revenue growth of just 0-3% for the fiscal year through March 2026, far below analysts' expectations of 6.3%. The guidance follows a quarter where net income fell 12% to $823 million, though this exceeded analyst estimates of $780 million. The disappointing outlook echoes similar concerns from rivals Tata Consultancy Services and Wipro, as US President Donald Trump's tariff policies add fresh headwinds to an industry already struggling with cautious client spending.
Microsoft

Microsoft Confirms Classic Outlook CPU Usage Spikes, Offers No Fix (theregister.com) 58

Microsoft has acknowledged that Classic Outlook can mysteriously transform into a system resource hog, causing CPU usage spikes between 30-50% and significantly increasing power consumption on both Windows 10 and 11 systems.

Users first reported the issue in November 2024, but Microsoft only confirmed the problem this week, offering little resolution beyond stating that "the Outlook Team is investigating this issue." The company's sole workaround involves forcing a switch to the Semi-Annual Channel update through registry edits -- an approach many enterprise environments will likely avoid. Microsoft hasn't announced a definitive end date for Classic Outlook, but the company continues pushing users toward its New Outlook client despite its incomplete feature set.
Google

Google To Phase Out Country Code Top-level Domains (blog.google) 47

Google has announced that it will begin phasing out country code top-level domains (ccTLDs) such as google.ng and google.com.br, redirecting all traffic to google.com. The change comes after improvements in Google's localization capabilities rendered these separate domains unnecessary.

Since 2017, Google has provided identical local search experiences whether users visited country-specific domains or google.com. The transition will roll out gradually over the coming months, and users may need to re-establish search preferences during the migration.
Security

CISA Extends Funding To Ensure 'No Lapse in Critical CVE Services' 19

CISA says the U.S. government has extended funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program. From a report: "The CVE Program is invaluable to cyber community and a priority of CISA," the U.S. cybersecurity agency told BleepingComputer. "Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience."

The announcement follows a warning from MITRE Vice President Yosry Barsoum that government funding for the CVE and CWE programs was set to expire today, April 16, potentially leading to widespread disruption across the cybersecurity industry. "If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure," Barsoum said.
Security

Cybersecurity World On Edge As CVE Program Prepares To Go Dark (forbes.com) 127

The CVE and CWE programs are at risk of shutdown as MITRE's DHS contract expires on April 16, 2025, with no confirmed renewal. Without continued funding, the ability to standardize, track, and respond to software vulnerabilities could collapse, leaving the cybersecurity community scrambling in a fragmented and dangerously opaque environment. Forbes reports: "Failure to renew MITRE's contract for the CVE program, seemingly set to expire on April 16, 2025, risks significant disruption," said Jason Soroko, Senior Fellow at Sectigo. "A service break would likely degrade national vulnerability databases and advisories. This lapse could negatively affect tool vendors, incident response operations, and critical infrastructure broadly. MITRE emphasizes its continued commitment but warns of these potential impacts if the contracting pathway is not maintained."

MITRE has indicated that historical CVE records will remain accessible via GitHub, but without continued funding, the operational side of the program -- including assignment of new CVEs -- will effectively go dark. That's not a minor inconvenience. It could upend how the global cybersecurity community identifies, communicates, and responds to new threats. [...] MITRE has said that discussions with the U.S. government are active and that it remains committed to the CVE mission. But with the expiration date looming, time is running short -- and the consequences of even a temporary gap are severe.

The Internet

4chan Has Been Down Since Monday Night After 'Pretty Comprehensive Own' (arstechnica.com) 69

4chan was reportedly hacked Monday night, with rival imageboard Soyjack Party claiming responsibility and sharing screenshots suggesting deep access to 4chan's databases and admin tools. Ars Technica reports: Security researcher Kevin Beaumont described the hack as "a pretty comprehensive own" that included "SQL databases, source, and shell access." 404Media reports that the site used an outdated version of PHP that could have been used to gain access, including the phpMyAdmin tool, a common attack vector that is frequently patched for security vulnerabilities. Ars staffers pointed to the presence of long-deprecated and removed functions like mysql_real_escape_string in the screenshots as possible signs of an old, unpatched PHP version. In other words, there's a possibility that the hackers have gained pretty deep access to all of 4chan's data, including site source code and user data.
Android

Android Phones Will Soon Reboot Themselves After Sitting Unused For 3 Days (arstechnica.com) 98

An anonymous reader shares a report: A silent update rolling out to virtually all Android devices will make your phone more secure, and all you have to do is not touch it for a few days. The new feature implements auto-restart of a locked device, which will keep your personal data more secure. It's coming as part of a Google Play Services update, though, so there's nothing you can do to speed along the process.

Google is preparing to release a new update to Play Services (v25.14), which brings a raft of tweaks and improvements to myriad system features. First spotted by 9to5Google, the update was officially released on April 14, but as with all Play Services updates, it could take a week or more to reach all devices. When 25.14 arrives, Android devices will see a few minor improvements, including prettier settings screens, improved connection with cars and watches, and content previews when using Quick Share.

AI

Indian IT Faces Its Kodak Moment (indiadispatch.com) 54

An anonymous reader shares a report: Generative AI offers remarkable efficiency gains while presenting a profound challenge for the global IT services industry -- a sector concentrated in India and central to its export economy.

For decades, Indian technology firms thrived by deploying their engineering talent to serve primarily Western clients. Now they face a critical question. Will AI's productivity dividend translate into revenue growth? Or will fierce competition see these gains competed away through price reductions?

Industry soundings suggest the deflationary dynamic may already be taking hold. JPMorgan's conversations with executives, deal advisors and consultants across India's technology hubs reveal growing concern -- AI-driven efficiencies are fuelling pricing pressures. This threatens to constrain medium-term industry growth to a modest 4-5%, with little prospect of acceleration into fiscal year 2026. This emerging reality challenges the earlier narrative that AI would primarily unlock new revenue streams.

Privacy

Hertz Says Customers' Personal Data, Driver's Licenses Stolen In Data Breach (techcrunch.com) 30

An anonymous reader quotes a report from TechCrunch: Car rental giant Hertz has begun notifying its customers of a data breach that included their personal information and driver's licenses. The rental company, which also owns the Dollar and Thrifty brands, said in notices on its website that the breach relates to a cyberattack on one of its vendors between October 2024 and December 2024. The stolen data varies by region, but largely includes Hertz customer names, dates of birth, contact information, driver's licenses, payment card information, and workers' compensation claims. Hertz said a smaller number of customers had their Social Security numbers taken in the breach, along with other government-issued identification numbers.

Notices on Hertz's websites disclosed the breach to customers in Australia, Canada, the European Union, New Zealand, and the United Kingdom. Hertz also disclosed the breach with several U.S. states, including California and Maine. Hertz said at least 3,400 customers in Maine were affected but did not list the total number of affected individuals, which is likely to be significantly higher. Emily Spencer, a spokesperson for Hertz, would not provide TechCrunch with a specific number of individuals affected by the breach but said it would be "inaccurate to say millions" of customers are affected. The company attributed the breach to a vendor, software maker Cleo, which last year was at the center of a mass-hacking campaign by a prolific Russia-linked ransomware gang.

Security

Hacked Crosswalks In Bay Area Play Deepfake-Style Messages From Tech Billionaires 37

Several crosswalk buttons in Palo Alto and nearby cities were hacked over the weekend to play deepfake-style satirical audio clips mimicking Elon Musk and Mark Zuckerberg. Authorities have disabled the altered systems, but the identity of the prankster remains unknown. SFGATE reports: Videos of the altered crosswalks began circulating on social media throughout Saturday and Sunday. [...] A city employee was the first to report an issue with one of the signals at University Avenue and High Street in downtown Palo Alto, Horrigan-Taylor told SFGATE via email. Officials later discovered that as many as 12 intersections in downtown Palo Alto had been affected.

"The impact is isolated," Horrigan-Taylor said. "Signal operations are otherwise unaffected, and motorists are reminded to always exercise caution around pedestrians." Officials told the outlet they've removed any devices that were tampered with and the compromised voice-over systems have since been disabled, with footage obtained by SFGATE showing several were covered in caution tape, blinking constantly and unpressable.
IT

VMware Revives Its Free ESXi Hypervisor (theregister.com) 70

VMware has resumed offering a free hypervisor. News of the offering emerged in a throwaway line in the Release Notes for version 8.0 Update 3e of the Broadcom business unit's ESXi hypervisor. From a report: Just below the "What's New" section of that document is the statement: "Broadcom makes available the VMware vSphere Hypervisor version 8, an entry-level hypervisor. You can download it free of charge from the Broadcom Support portal."

VMware offered a free version of ESXi for years, and it was beloved by home lab operators and vAdmins who needed something to tinker with. But in February 2024, VMware discontinued it on grounds that it was dropping perpetual licenses and moving to subscriptions.

Encryption

The EFF's 'Certbot' Now Supports Six-Day Certs (eff.org) 95

10 years ago "certificate authorities normally issued certificate lifetimes lasting a year or more," remembers a new blog post Thursday by the EFF's engineering director. So in 2015 when the free cert authority Let's Encrypt first started issuing 90-day TLS certificates for websites, "it was considered a bold move, that helped push the ecosystem towards shorter certificate life times."

And then this January Let's Encrypt announced new six-day certificates...

This week saw a related announcement from the EFF engineering director. More than 31 million web sites maintain their HTTPS certificates using the EFF's Certbot tool (which automatically fetches free HTTPS certificates forever) — and Certbot is now supporting Let's Encrypt's six-day certificates. (It's accomplished through ACME profiles with dynamic renewal at 1/3rd of lifetime left or 1/2 of lifetime left, if the lifetime is shorter than 10 days): There is debate on how short these lifetimes should be, but with ACME profiles you can have the default or "classic" Let's Encrypt experience (90 days) or start actively using other profile types through Certbot with the --preferred-profile and --required-profile flags. For six day certificates, you can choose the "shortlived" profile.
Why shorter lifetimes are better (according to the EFF's engineering director):
  • If a certificate's private key is compromised, that compromise can't last as long.
  • With shorter life spans for the certificates, automation is encouraged, which facilitates robust security of web servers.
  • Certificate revocation is historically flaky. Lifetimes 10 days and under prevent the need to invoke the revocation process and deal with continued usage of a compromised key.
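As an added illustration (not code from the EFF, Certbot or the CA/Browser Forum), the following Python sketch encodes the ballot's phase-in dates quoted in the earlier CA/Browser Forum item together with Certbot's dynamic renewal rule from this post, so a practitioner can check whether a certificate's validity window fits the maximum lifetime in force at issuance and when Certbot would renew it. The 365-day pre-2026 limit (the article only says "one year") and the sample validity windows are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Phase-in schedule from the CA/Browser Forum ballot as quoted in the article:
# (effective date, maximum TLS certificate lifetime in days, DCV reuse period in days).
POLICY_SCHEDULE = [
    (datetime(2026, 3, 15, tzinfo=timezone.utc), 200, 200),
    (datetime(2027, 3, 15, tzinfo=timezone.utc), 100, 100),
    (datetime(2029, 3, 15, tzinfo=timezone.utc), 47, 10),
]
# Assumption: the article describes the pre-2026 limit only as "one year".
PRE_SCHEDULE_MAX_DAYS = 365


def policy_at(issued_at):
    """Return (max_lifetime_days, dcv_reuse_days) in force on the issuance date."""
    max_days, dcv_days = PRE_SCHEDULE_MAX_DAYS, PRE_SCHEDULE_MAX_DAYS
    for effective, lifetime, dcv in POLICY_SCHEDULE:
        if issued_at >= effective:
            max_days, dcv_days = lifetime, dcv
    return max_days, dcv_days


def lifetime_days(not_before, not_after):
    """Validity period length in (fractional) days."""
    return (not_after - not_before).total_seconds() / 86400


def complies(not_before, not_after):
    """True if the validity period fits the limit in force when the cert was issued."""
    max_days, _ = policy_at(not_before)
    return lifetime_days(not_before, not_after) <= max_days


def certbot_renewal_time(not_before, not_after):
    """Certbot's dynamic renewal point as described in the post: renew when 1/3 of the
    lifetime is left, or when 1/2 is left if the lifetime is shorter than 10 days."""
    lifetime = not_after - not_before
    fraction_left = 0.5 if lifetime < timedelta(days=10) else 1 / 3
    return not_after - lifetime * fraction_left


def should_renew(not_before, not_after, now):
    """True once the current time has reached the dynamic renewal point."""
    return now >= certbot_renewal_time(not_before, not_after)


def plan(not_before, not_after, now):
    """Summarise one certificate: lifetime, policy in force, compliance, renewal timing."""
    max_days, dcv_days = policy_at(not_before)
    return {
        "lifetime_days": lifetime_days(not_before, not_after),
        "max_days_in_force": max_days,
        "dcv_reuse_days": dcv_days,
        "compliant": complies(not_before, not_after),
        "renew_at": certbot_renewal_time(not_before, not_after),
        "renew_now": should_renew(not_before, not_after, now),
    }


if __name__ == "__main__":
    # Constructed sample validity windows, not real certificates.
    utc = timezone.utc
    samples = {
        "classic 90-day, issued 2025": (datetime(2025, 4, 17, tzinfo=utc), datetime(2025, 7, 16, tzinfo=utc)),
        "shortlived 6-day, issued 2025": (datetime(2025, 4, 17, tzinfo=utc), datetime(2025, 4, 23, tzinfo=utc)),
        "90-day issued after 2029-03-15": (datetime(2029, 4, 1, tzinfo=utc), datetime(2029, 6, 30, tzinfo=utc)),
    }
    now = datetime(2025, 4, 20, tzinfo=utc)
    for name, (nb, na) in samples.items():
        print(name, plan(nb, na, now))
```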

Chrome

Chrome To Patch Decades-Old 'Browser History Sniffing' Flaw That Let Sites Peek At Your History (theregister.com) 34

Slashdot reader king*jojo shared this article from The Register: A 23-year-old side-channel attack for spying on people's web browsing histories will get shut down in the forthcoming Chrome 136, released last Thursday to the Chrome beta channel. At least that's the hope.

The privacy attack, referred to as browser history sniffing, involves reading the color values of web links on a page to see if the linked pages have been visited previously... Web publishers and third parties capable of running scripts have used this technique to present links on a web page to a visitor and then check how the visitor's browser set the color for those links on the rendered web page... The attack was mitigated about 15 years ago, though not effectively. Other ways to check link color information beyond the getComputedStyle method were developed... Chrome 136, due to see stable channel release on April 23, 2025, "is the first major browser to render these attacks obsolete," explained Kyra Seevers, Google software engineer, in a blog post.

This is something of a turnabout for the Chrome team, which twice marked Chromium bug reports for the issue as "won't fix." David Baron, presently a Google software engineer who worked for Mozilla at the time, filed a Firefox bug report about the issue back on May 28, 2002... On March 9, 2010, Baron published a blog post outlining the issue and proposing some mitigations...

Microsoft

Microsoft is About To Launch Recall For Real This Time 55

Microsoft is starting to gradually roll out a preview of Recall, its feature that captures screenshots of what you do on a Copilot Plus PC to find again later, to Windows Insiders. From a report: This new rollout could indicate that Microsoft is finally getting close to launching Recall more widely. Microsoft originally intended to launch Recall alongside Copilot Plus PCs last June, but the feature was delayed following concerns raised by security experts. The company then planned to launch it in October, but that got pushed as well so that the company could deliver "a secure and trusted experience."
IT

WordPress Launches AI Site Builder Amid Company Restructuring (theverge.com) 24

WordPress.com has released an AI-powered site builder in early access that constructs complete websites with generated text, layouts, and images. The tool operates through a chatbot interface where users input specifications, resulting in a fully formed site that can be further refined through additional prompts.

While WordPress.com claims the builder creates "beautiful, functional websites in minutes," it currently cannot handle ecommerce sites or complex integrations. Users need a WordPress.com account for the free trial, but publishing requires a hosting plan starting at $18 monthly (less with annual subscriptions). The builder only works with new WordPress instances, not existing sites.

This launch comes as parent company Automattic recently cut 16% of its workforce and faces a lawsuit from hosting company WP Engine, which offers competing site-building tools.
United States

Hackers Spied on 100 US Bank Regulators' Emails for Over a Year 14

Hackers intercepted about 103 bank regulators' emails for more than a year, gaining access to highly sensitive financial information, Bloomberg News reported Tuesday, citing two people familiar with the matter and a draft letter to Congress. From the report: The attackers were able to monitor employee emails at the Office of the Comptroller of the Currency after breaking into an administrator's account, said the people, asking not to be identified because the information isn't public. OCC on Feb. 12 confirmed that there had been unauthorized activity on its systems after a Microsoft security team the day before had notified OCC about unusual network behavior, according to the draft letter.

The OCC is an independent bureau of the Treasury Department that regulates and supervises all national banks, federal savings associations and the federal branches and agencies of foreign banks -- together holding trillions of dollars in assets. OCC on Tuesday notified Congress about the compromise, describing it as a "major information security incident."

"The analysis concluded that the highly sensitive bank information contained in the emails and attachments is likely to result in demonstrable harm to public confidence," OCC Chief Information Officer Kristen Baldwin wrote in the draft letter to Congress that was seen by Bloomberg News. While US government agencies and officials have long been the targets of state-sponsored espionage campaigns, multiple high-profile breaches have surfaced over the past year.
Data Storage

Micron To Impose Tariff-Related Surcharge on SSDs, Other Products (reuters.com) 159

Micron has informed US customers it will implement surcharges on memory modules and solid-state drives starting Wednesday to offset President Trump's new tariffs, according to Reuters. While semiconductors received exemptions in Trump's recent trade action, memory storage products didn't escape the new duties.

Micron, which manufactures primarily in Asian countries including China and Taiwan, had previously signaled during a March earnings call that tariff costs would be passed to customers.
IT

India's 'Frankenstein' Laptop Economy Thrives Against Planned Obsolescence (theverge.com) 41

In Delhi's Nehru Place and Mumbai's Lamington Road, technicians are creating functional laptops from salvaged parts of multiple discarded devices. These "Frankenstein" machines sell for approximately $110 USD -- a fraction of the $800 price tag for new models. Technicians extract usable components -- motherboards, capacitors, screens, and batteries -- from e-waste sourced locally and from countries like Dubai and China.

"Most people don't care about having the latest model; they just want something that works and won't break the bank," a technician told Verge. This repair ecosystem operates within a larger battle against tech giants pushing planned obsolescence through proprietary designs and restricted parts access. Many technicians source components from Seelampur, India's largest e-waste hub processing 30,000 tonnes daily, though workers there handle toxic materials with minimal protection. "India has always had a repair culture," says Satish Sinha of Toxics Link, "but companies are pushing planned obsolescence, making repairs harder and forcing people to buy new devices."
China

China Launches GPMI, a Powerful Alternative To HDMI and DisplayPort (tomshardware.com) 136

AmiMoJo writes: The Shenzhen 8K UHD Video Industry Cooperation Alliance, a group made up of more than 50 Chinese companies, just released a new wired media communication standard called the General Purpose Media Interface or GPMI. This standard was developed to support 8K and reduce the number of cables required to stream data and power from one device to another. According to HKEPC, the GPMI cable comes in two flavors -- a Type-B that seems to have a proprietary connector and a Type-C that is compatible with the USB-C standard.

Because 8K has four times the number of pixels of 4K and 16 times more pixels than 1080p resolution, it means that GPMI is built to carry a lot more data than other current standards. There are other variables that can impact required bandwidth, of course, such as color depth and refresh rate. The GPMI Type-C connector is set to have a maximum bandwidth of 96 Gbps and deliver 240 watts of power. This is more than double the 40 Gbps data limit of USB4 and Thunderbolt 4, allowing you to transmit more data on the cable. However, it has the same power limit as that of the latest USB Type-C connector using the Extended Power Range (EPR) standard. GPMI Type-B beats all other cables, though, with its maximum bandwidth of 192 Gbps and power delivery of up to 480 watts.

Encryption

UK Effort To Keep Apple Encryption Fight Secret Is Blocked (msn.com) 28

A court has blocked a British government attempt to keep secret a legal case over its demand to access Apple user data. From a report: The UK Investigatory Powers Tribunal, a special court that handles cases related to government surveillance, said the authorities' efforts were a "fundamental interference with the principle of open justice" in a ruling issued on Monday. The development comes after it emerged in January that the British government had served Apple with a demand to circumvent encryption that the company uses to secure user data stored in its cloud services.

Apple challenged the request, while taking the unprecedented step of removing its advanced data protection feature for its British users. The government had sought to keep details about the demand -- and Apple's challenge of it -- from being publicly disclosed. Apple has regularly clashed with governments over encryption features that can make it difficult for law enforcement to access devices produced by the company. The world's most valuable company last year criticized UK surveillance powers as "unprecedented overreach" by the government.

United Kingdom

Were Still More UK Postmasters Also Wrongly Prosecuted Over Accounting Bug? (computerweekly.com) 48

U.K. postmasters were mistakenly sent to prison due to a bug in their "Horizon" accounting software — as first reported by Computer Weekly back in 2009. Nearly 16 years later, the same site reports that now the Scottish Criminal Cases Review Commission "is attempting to contact any former subpostmasters that could have been prosecuted for unexplained losses on the Post Office's pre-Horizon Capture software.

"There are former subpostmasters that, like Horizon users, could have been convicted of crimes based on data from these systems..." Since the Post Office Horizon scandal hit the mainstream in January 2024 — revealing to a wide audience the suffering experienced by subpostmasters who were blamed for errors in the Horizon accounting system — users of Post Office software that predated Horizon have come forward... to tell their stories, which echoed those of victims of the Horizon scandal. The Criminal Cases Review Commission for England and Wales is now reviewing 21 cases of potential wrongful conviction... where the Capture IT system could be a factor...

The SCCRC is now calling on people that might have been convicted based on Capture accounts to come forward. "The commission encourages anyone who believes that their criminal conviction, or that of a relative, might have been affected by the Capture system to make contact with it," it said. The statutory body is also investigating a third Post Office system, known as Ecco+, which was also error-prone...

A total of 64 former subpostmasters in Scotland have now had their convictions overturned through the legislation brought through Scottish Parliament. So far, 97 convicted subpostmasters have come forward, and 86 have been assessed, out of which the 64 have been overturned. However, 22 have been rejected and another 11 are still to be assessed. An independent group, fronted by a former Scottish subpostmaster, is also calling on users of any of the Post Office systems to come forward to tell their stories, and for support in seeking justice and redress.

AI

Microsoft Uses AI To Find Flaws In GRUB2, U-Boot, Barebox Bootloaders (bleepingcomputer.com) 57

Slashdot reader zlives shared this report from BleepingComputer: Microsoft used its AI-powered Security Copilot to discover 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders.

GRUB2 (GRand Unified Bootloader) is the default boot loader for most Linux distributions, including Ubuntu, while U-Boot and Barebox are commonly used in embedded and IoT devices. Microsoft discovered eleven vulnerabilities in GRUB2, including integer and buffer overflows in filesystem parsers, command flaws, and a side-channel in cryptographic comparison. Additionally, 9 buffer overflows in parsing SquashFS, EXT4, CramFS, JFFS2, and symlinks were discovered in U-Boot and Barebox, which require physical access to exploit.

The newly discovered flaws impact devices relying on UEFI Secure Boot, and if the right conditions are met, attackers can bypass security protections to execute arbitrary code on the device. While exploiting these flaws would likely need local access to devices, previous bootkit attacks like BlackLotus achieved this through malware infections.

Microsoft titled its blog post "Analyzing open-source bootloaders: Finding vulnerabilities faster with AI." (And they do note that Microsoft disclosed the discovered vulnerabilities to the GRUB2, U-boot, and Barebox maintainers and "worked with the GRUB2 maintainers to contribute fixes... GRUB2 maintainers released security updates on February 18, 2025, and both the U-boot and Barebox maintainers released updates on February 19, 2025.")

They add that, in performing their initial research, using Security Copilot "saved our team approximately a week's worth of time," Microsoft writes, "that would have otherwise been spent manually reviewing the content." Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability. Copilot also assisted in finding similar patterns in other files, ensuring comprehensive coverage and validation of our findings...

As AI continues to emerge as a key tool in the cybersecurity community, Microsoft emphasizes the importance of vendors and researchers maintaining their focus on information sharing. This approach ensures that AI's advantages in rapid vulnerability discovery, remediation, and accelerated security operations can effectively counter malicious actors' attempts to use AI to scale common attack tactics, techniques, and procedures (TTPs).

This week Google also announced Sec-Gemini v1, "a new experimental AI model focused on advancing cybersecurity AI frontiers."
AI

Open Source Coalition Announces 'Model-Signing' with Sigstore to Strengthen the ML Supply Chain (googleblog.com) 10

The advent of LLMs and machine learning-based applications "opened the door to a new wave of security threats," argues Google's security blog. (Including model and data poisoning, prompt injection, prompt leaking and prompt evasion.)

So as part of the Linux Foundation's nonprofit Open Source Security Foundation, and in partnership with NVIDIA and HiddenLayer, Google's Open Source Security Team on Friday announced the first stable model-signing library (hosted at PyPI.org), with digital signatures letting users verify that the model used by their application "is exactly the model that was created by the developers," according to a post on Google's security blog. [S]ince models are an uninspectable collection of weights (sometimes also with arbitrary code), an attacker can tamper with them and achieve significant impact to those using the models. Users, developers, and practitioners need to examine an important question during their risk assessment process: "can I trust this model?"

Since its launch, Google's Secure AI Framework (SAIF) has created guidance and technical solutions for creating AI applications that users can trust. A first step in achieving trust in the model is to permit users to verify its integrity and provenance, to prevent tampering across all processes from training to usage, via cryptographic signing... [T]he signature would have to be verified when the model gets uploaded to a model hub, when the model gets selected to be deployed into an application (embedded or via remote APIs) and when the model is used as an intermediary during another training run. Assuming the training infrastructure is trustworthy and not compromised, this approach guarantees that each model user can trust the model...

The average developer, however, would not want to manage keys and rotate them on compromise. These challenges are addressed by using Sigstore, a collection of tools and services that make code signing secure and easy. By binding an OpenID Connect token to a workload or developer identity, Sigstore alleviates the need to manage or rotate long-lived secrets. Furthermore, signing is made transparent so signatures over malicious artifacts could be audited in a public transparency log, by anyone. This ensures that split-view attacks are not possible, so any user would get the exact same model. These features are why we recommend Sigstore's signing mechanism as the default approach for signing ML models.

Today the OSS community is releasing the v1.0 stable version of our model signing library as a Python package supporting Sigstore and traditional signing methods. This model signing library is specialized to handle the sheer scale of ML models (which are usually much larger than traditional software components), and handles signing models represented as a directory tree. The package provides CLI utilities so that users can sign and verify model signatures for individual models. The package can also be used as a library which we plan to incorporate directly into model hub upload flows as well as into ML frameworks.
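An added example, not the model-signing library's own code, of the part of the design described above: a manifest of per-file digests over a model directory tree is the single object a signature (Sigstore or a traditional key, not shown here) would cover, and verifying the tree against that manifest catches modified, added or removed files. The file names, the manifest format and the chunk size are assumptions.

```python
"""Integrity manifest for a model stored as a directory tree (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so multi-GB weight files are never loaded whole
MANIFEST_NAME = "model_manifest.json"  # assumed name; excluded from the tree hash


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's tree-relative POSIX path to its SHA-256 digest."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            files[p.relative_to(root).as_posix()] = sha256_file(p)
    return {"version": 1, "files": files}


def manifest_digest(manifest: dict) -> str:
    """Canonical serialisation, so the same tree always yields the same digest.
    This one digest is the value a signature would cover."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_tree(root: Path, manifest: dict) -> list:
    """Return a list of discrepancies; an empty list means the tree matches."""
    expected = manifest["files"]
    actual = build_manifest(root)["files"]
    problems = []
    for rel in sorted(set(expected) | set(actual)):
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif rel not in expected:
            problems.append(f"unexpected: {rel}")
        elif expected[rel] != actual[rel]:
            problems.append(f"modified: {rel}")
    return problems


def demo() -> tuple:
    """Constructed model tree: clean verification, then two kinds of tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.json").write_text('{"layers": 2}')
        (root / "weights").mkdir()
        (root / "weights" / "layer0.bin").write_bytes(b"\x00" * 4096)
        (root / "weights" / "layer1.bin").write_bytes(b"\x01" * 4096)
        manifest = build_manifest(root)
        clean = verify_tree(root, manifest)
        # Tamper: flip one byte of a weight file and drop an extra script into the tree.
        (root / "weights" / "layer0.bin").write_bytes(b"\x00" * 4095 + b"\xff")
        (root / "loader.py").write_text("print('hello')")
        tampered = verify_tree(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean tree:", clean)
    print("tampered tree:", tampered)
```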

"We can view model signing as establishing the foundation of trust in the ML ecosystem..." the post concludes (adding "We envision extending this approach to also include datasets and other ML-related artifacts.") Then, we plan to build on top of signatures, towards fully tamper-proof metadata records, that can be read by both humans and machines. This has the potential to automate a significant fraction of the work needed to perform incident response in case of a compromise in the ML world...

To shape the future of building tamper-proof ML, join the Coalition for Secure AI, where we are planning to work on building the entire trust ecosystem together with the open source community. In collaboration with multiple industry partners, we are starting up a special interest group under CoSAI for defining the future of ML signing and including tamper-proof ML metadata, such as model cards and evaluation results.

Botnet

NSA Warns 'Fast Flux' Threatens National Security (arstechnica.com) 21

An anonymous reader quotes a report from Ars Technica: A technique that hostile nation-states and financially motivated ransomware groups are using to hide their operations poses a threat to critical infrastructure and national security, the National Security Agency has warned. The technique is known as fast flux. It allows decentralized networks operated by threat actors to hide their infrastructure and survive takedown attempts that would otherwise succeed. Fast flux works by cycling through a range of IP addresses and domain names that these botnets use to connect to the Internet. In some cases, IPs and domain names change every day or two; in other cases, they change almost hourly. The constant flux complicates the task of isolating the true origin of the infrastructure. It also provides redundancy. By the time defenders block one address or domain, new ones have already been assigned.

"This technique poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection," the NSA, FBI, and their counterparts from Canada, Australia, and New Zealand warned Thursday. "Malicious cyber actors, including cybercriminals and nation-state actors, use fast flux to obfuscate the locations of malicious servers by rapidly changing Domain Name System (DNS) records. Additionally, they can create resilient, highly available command and control (C2) infrastructure, concealing their subsequent malicious operations."
There are two variations of fast flux described in the advisory: single flux and double flux. Single flux involves mapping a single domain to a rotating pool of IP addresses using DNS A (IPv4) or AAAA (IPv6) records. This constant cycling makes it difficult for defenders to track or block the associated malicious servers since the addresses change frequently, yet the domain name remains consistent.

Double flux takes this a step further by also rotating the DNS name servers themselves. In addition to changing the IP addresses of the domain, it cycles through the name servers using NS (Name Server) and CNAME (Canonical Name) records. This adds an additional layer of obfuscation and resilience, complicating takedown efforts.

"A key means for achieving this is the use of Wildcard DNS records," notes Ars. "These records define zones within the Domain Name System, which map domains to IP addresses. The wildcards cause DNS lookups for subdomains that do not exist, specifically by tying MX (mail exchange) records used to designate mail servers. The result is the assignment of an attacker IP to a subdomain such as malicious.example.com, even though it doesn't exist." Both methods typically rely on large botnets of compromised devices acting as proxies, making it challenging for defenders to trace or disrupt the malicious activity.
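As an added example from the defender's side (not code from the advisory or the Ars article), the detection logic below scores constructed passive-DNS records for the single- and double-flux patterns described above. The thresholds and the prefix-diversity heuristic, which separates flux from a CDN that also cycles many addresses under a short TTL, are assumptions to tune against your own baseline.

```python
"""Scoring single- and double-flux behaviour from passive DNS (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress


@dataclass
class NameStats:
    addresses: set = field(default_factory=set)   # distinct A/AAAA answers
    prefixes: set = field(default_factory=set)    # /16 (v4) or /32 (v6) containing each answer
    nameservers: set = field(default_factory=set)  # distinct NS answers
    ttls: list = field(default_factory=list)


def constructed_log() -> list:
    """Constructed passive-DNS lines ('epoch qname rtype rdata ttl'), not real data."""
    lines = []
    # Single flux: 10 answers in 10 different /16s with a 60 s TTL, but stable NS.
    for i in range(10):
        lines.append(f"{i * 60} flux1-constructed.example A 10.{i + 1}.0.7 60")
    lines.append("0 flux1-constructed.example NS ns1.flux1-constructed.example 3600")
    # Double flux: the same address churn plus a rotating set of name servers.
    for i in range(10):
        lines.append(f"{i * 60} flux2-constructed.example A 10.{50 + i}.0.9 60")
        lines.append(f"{i * 60} flux2-constructed.example NS ns{i % 5}.flux2-constructed.example 60")
    # CDN-like: many answers and a short TTL too, but all inside one /16.
    for i in range(10):
        lines.append(f"{i * 60} cdn-constructed.example A 192.0.2.{i} 60")
    lines.append("0 cdn-constructed.example NS ns1.cdn-constructed.example 3600")
    return lines


def prefix_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    bits = 16 if ip.version == 4 else 32
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


def collect(lines) -> dict:
    """Aggregate records per name. Real data would map hosts to their zone for NS."""
    stats = defaultdict(NameStats)
    for line in lines:
        _ts, qname, rtype, rdata, ttl = line.split()
        s = stats[qname.lower()]
        if rtype in ("A", "AAAA"):
            s.addresses.add(rdata)
            s.prefixes.add(prefix_of(rdata))
            s.ttls.append(int(ttl))
        elif rtype == "NS":
            s.nameservers.add(rdata.lower())
    return stats


def classify(s: NameStats, min_ips=8, max_ttl=300, min_prefixes=4, min_ns=4) -> str:
    """Assumed thresholds. Address churn alone is not enough: a CDN also rotates
    many addresses under a short TTL, so require the answers to span many networks."""
    if not s.ttls:
        return "none"
    median_ttl = sorted(s.ttls)[len(s.ttls) // 2]
    churning = (len(s.addresses) >= min_ips and median_ttl <= max_ttl
                and len(s.prefixes) >= min_prefixes)
    if not churning:
        return "none"
    return "double-flux" if len(s.nameservers) >= min_ns else "single-flux"


def analyze(lines) -> dict:
    return {name: classify(s) for name, s in collect(lines).items()}


if __name__ == "__main__":
    for name, verdict in analyze(constructed_log()).items():
        print(f"{name}: {verdict}")
```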
Security

Google Launches Sec-Gemini v1 AI Model To Improve Cybersecurity Defense 2

Google has introduced Sec-Gemini v1, an experimental AI model built on its Gemini platform and tailored for cybersecurity. BetaNews reports: Sec-Gemini v1 is built on top of Gemini, but it's not just some repackaged chatbot. Actually, it has been tailored with security in mind, pulling in fresh data from sources like Google Threat Intelligence, the OSV vulnerability database, and Mandiant's threat reports. This gives it the ability to help with root cause analysis, threat identification, and vulnerability triage.

Google says the model performs better than others on two well-known benchmarks. On CTI-MCQ, which measures how well models understand threat intelligence, it scores at least 11 percent higher than competitors. On CTI-Root Cause Mapping, it edges out rivals by at least 10.5 percent. Benchmarks only tell part of the story, but those numbers suggest it's doing something right.
Access is currently limited to select researchers and professionals for early testing. If you meet those criteria, you can request access here.
Microsoft

Microsoft Employee Disrupts 50th Anniversary and Calls AI Boss 'War Profiteer' (theverge.com) 174

An anonymous reader shares a report: A Microsoft employee disrupted the company's 50th anniversary event to protest its use of AI. "Shame on you," said Microsoft employee Ibtihal Aboussad, speaking directly to Microsoft AI CEO Mustafa Suleyman. "You are a war profiteer. Stop using AI for genocide. Stop using AI for genocide in our region. You have blood on your hands. All of Microsoft has blood on its hands. How dare you all celebrate when Microsoft is killing children. Shame on you all."
Security

Hackers Strike Australia's Largest Pension Funds in Coordinated Attacks (reuters.com) 11

Hackers targeting Australia's major pension funds in a series of coordinated attacks have stolen savings from some members at the biggest fund, Reuters is reporting, citing a source, and compromised more than 20,000 accounts. From the report: National Cyber Security Coordinator Michelle McGuinness said in a statement she was aware of "cyber criminals" targeting accounts in the country's A$4.2 trillion ($2.63 trillion) retirement savings sector and was organising a response across the government, regulators and industry. The Association of Superannuation Funds of Australia, the industry body, said "a number" of funds were impacted over the weekend. While the full scale of the incident remains unclear, AustralianSuper, Australian Retirement Trust, Rest, Insignia and Hostplus on Friday all confirmed they suffered breaches.
Windows

Windows 11 Poised To Beat 10, Mostly Because It Has To (theregister.com) 91

An anonymous reader shares a report: The gap between Windows 10 and Windows 11 continues to narrow, and Microsoft's flagship operating system is on track to finally surpass its predecessor by summer. The latest figures from Statcounter show the increase in Windows 11's market share accelerating, while Windows 10 declines.

Before Champagne corks start popping in Redmond, it is worth noting that Windows 10 still accounts for over half the market -- 54.2 percent -- and Windows 11 now accounts for 42.69 percent. However, if the current trends continue, Windows 10 should finally drop below the 50 percent mark next month and be surpassed by Windows 11 shortly after.

The cause is likely due to enterprises pushing the upgrade button rather than having to deal with extended support for Windows 10. Support for most Windows 10 versions ends on October 14, 2025, and Microsoft has shown no signs of deviating from its plan to retire the veteran operating system. [...] Whether users actually want the operating system is another matter. Windows 11 offers few compelling features that justify an upgrade and no killer application. The looming October 14 support cut-off date is likely to be the major driving factor behind the move to Windows 11.

IT

Camera Makers Defend Proprietary RAW Formats Despite Open Standard Alternative (theverge.com) 65

Camera manufacturers continue to use different proprietary RAW file formats despite the 20-year existence of Adobe's open-source DNG (Digital Negative) format, creating ongoing compatibility challenges for photographers and software developers.

Major manufacturers including Sony, Canon, and Panasonic defended their proprietary formats as necessary for maintaining control over image processing. Sony's product team told The Verge their ARW format allows them "to maximize performance based on device characteristics such as the image sensor and image processing engine." Canon similarly claims proprietary formats enable "optimum processing during image development."

The Verge argues that this fragmentation forces editing software to specifically support each manufacturer's format and every new camera model -- creating delays for early adopters when new cameras launch. Each new device requires "measuring sensor characteristics such as color and noise," said Adobe's Eric Chan.

For what it's worth, smaller manufacturers like Ricoh, Leica, and Sigma have adopted DNG, which streamlines workflow by containing metadata directly within a single file rather than requiring separate XMP sidecar files.
Windows

Microsoft's Miniature Windows 365 Link PC Goes On Sale (theverge.com) 41

An anonymous reader shares a report: Microsoft's business-oriented "Link" mini-desktop PC, which connects directly to the company's Windows 365 cloud service, is now available to buy for $349.99 in the US and in several other countries. Windows 365 Link, which was announced last November, is a device that is more easily manageable by IT departments than a typical computer while also reducing the need for hands-on support.
Oracle

Oracle Tells Clients of Second Recent Hack, Log-In Data Stolen 16

An anonymous reader shares a report: Oracle has told customers that a hacker broke into a computer system and stole old client log-in credentials, according to two people familiar with the matter. It's the second cybersecurity breach that the software company has acknowledged to clients in the last month.

Oracle staff informed some clients this week that the attacker gained access to usernames, passkeys and encrypted passwords, according to the people, who spoke on condition that they not be identified because they're not authorized to discuss the matter. Oracle also told them that the FBI and cybersecurity firm CrowdStrike are investigating the incident, according to the people, who added that the attacker sought an extortion payment from the company. Oracle told customers that the intrusion is separate from another hack that the company flagged to some health-care customers last month, the people said.
Encryption

European Commission Takes Aim At End-to-End Encryption and Proposes Europol Become an EU FBI (therecord.media) 39

The European Commission has announced its intention to join the ongoing debate about lawful access to data and end-to-end encryption while unveiling a new internal security strategy aimed to address ongoing threats. From a report: ProtectEU, as the strategy has been named, describes the general areas that the bloc's executive would like to address in the coming years although as a strategy it does not offer any detailed policy proposals. In what the Commission called "a changed security environment and an evolving geopolitical landscape," it said Europe needed to "review its approach to internal security."

Among its aims is establishing Europol as "a truly operational police agency to reinforce support to Member States," something potentially comparable to the U.S. FBI, with a role "in investigating cross-border, large-scale, and complex cases posing a serious threat to the internal security of the Union." Alongside the new Europol, the Commission said it would create roadmaps regarding both the "lawful and effective access to data for law enforcement" and on encryption.

Microsoft

Microsoft Urges Businesses To Abandon Office Perpetual Licenses 95

Microsoft is pushing businesses to shift away from perpetual Office licenses to Microsoft 365 subscriptions, citing collaboration limitations and rising IT costs associated with standalone software. "You may have started noticing limitations," Microsoft says in a post. "Your apps are stuck on your desktop, limiting productivity anytime you're away from your office. You can't easily access your files or collaborate when working remotely."

In its pitch, the Windows-maker says Microsoft 365 includes Office applications as well as security features, AI tools, and cloud storage. The post cites a Microsoft-commissioned Forrester study that claims the subscription model delivers "223% ROI over three years, with a payback period of less than six months" and "over $500,000 in benefits over three years."
IT

Why Watts Should Replace mAh as Essential Spec for Mobile Devices (theverge.com) 193

Tech manufacturers continue misleading consumers with impressive-sounding but less useful specs like milliamp-hours and megahertz, while hiding the one measurement that matters most: watts. The Verge argues that the watt provides the clearest picture of a device's true capabilities by showing how much power courses through chips and how quickly batteries drain. With elementary math, consumers could easily calculate battery life by dividing watt-hours by power consumption. The Verge: The Steam Deck gaming handheld is my go-to example of how handy watts can be. With a 15-watt maximum processor wattage and up to 9 watts of overhead for other components, a strenuous game drains its 49Wh battery in roughly two hours flat. My eight-year-old can do that math: 15 plus 9 is 24, and 24 times 2 is 48. You can fit two hour-long 24-watt sessions into 48Wh, and because you have 49Wh, you're almost sure to get it.

With the least strenuous games, I'll sometimes see my Steam Deck draining the battery at a speed of just 6 watts -- which means I can get eight hours of gameplay because 6 watts times 8 hours is 48Wh, with 1Wh remaining in the 49Wh battery.
Unlike megahertz, wattage also indicates sustained performance capability, revealing whether a processor can maintain high speeds or will throttle due to thermal constraints. Watts is also already familiar to consumers through light bulbs and power bills, but manufacturers persist with less transparent metrics that make direct comparisons difficult.
United Kingdom

London Mayor Axes Cyber Crime Victim Support Line (ft.com) 29

London's mayor has axed a cyber crime helpline for the victims of online abuse, triggering a backlash from campaigners who argue that women and girls will be left struggling to access vital support. From a report: The service, which was shut down on Tuesday, assisted victims of fraud, revenge porn and cyberstalking to protect their digital identity. During its 18 months of operation it led to 2,060 cases being opened. The helpline was launched in 2023 as a one-year pilot scheme with $220,000 in funding from the Mayor's Office for Policing and Crime (Mopac), and was later extended by six months.

Conservative London Assembly member Emma Best said an informal evaluation showed the helpline "was working" and was going to be extended for another year. However, Sadiq Khan said that the scheme would be closed. "It was a pilot and pilots are what they say on the tin... we will receive an end of project report, we have collected the data and the results of that report will inform our future work," he said, speaking at Mayor's Question Time.

Encryption

Gmail is Making It Easier For Businesses To Send Encrypted Emails To Anyone (theverge.com) 39

Google is rolling out a new encryption model for Gmail that allows enterprise users to send encrypted messages without requiring recipients to use custom software or exchange encryption certificates. The feature, launching in beta today, initially supports encrypted emails within the same organization, with plans to expand to all Gmail inboxes "in the coming weeks" and third-party email providers "later this year."

Unlike Gmail's current S/MIME-based encryption, the new system lets users simply toggle "additional encryption" in the email draft window. Non-Gmail recipients will receive a link to access messages through a guest Google Workspace account, while Gmail users will see automatically decrypted emails in their inbox.
IT

Micron Hikes Memory Prices Amid Surging AI Demand (tomshardware.com) 15

Micron will raise prices for DRAM and NAND flash memory chips through 2026 as AI and data center demand strains supply chains, the U.S. chipmaker confirmed Monday. The move follows a market rebound from previous oversupply, with memory prices steadily climbing as producers cut output while AI and high-performance computing workloads grow.

Rivals Samsung Electronics and SK Hynix are expected to implement similar increases. Micron cited "un-forecasted demand across various business segments" in communications to channel partners. The price hikes will impact sectors ranging from consumer electronics to enterprise data centers.
Encryption

HTTPS Certificate Industry Adopts New Security Requirements (googleblog.com) 29

The Certification Authority/Browser Forum "is a cross-industry group that works together to develop minimum requirements for TLS certificates," writes Google's Security blog. And earlier this month two proposals from Google's forward-looking roadmap "became required practices in the CA/Browser Forum Baseline Requirements," improving the security and agility of TLS connections...
Multi-Perspective Issuance Corroboration
Before issuing a certificate to a website, a Certification Authority (CA) must verify the requestor legitimately controls the domain whose name will be represented in the certificate. This process is referred to as "domain control validation" and there are several well-defined methods that can be used. For example, a CA can specify a random value to be placed on a website, and then perform a check to verify the value's presence has been published by the certificate requestor.

Despite the existing domain control validation requirements defined by the CA/Browser Forum, peer-reviewed research authored by the Center for Information Technology Policy of Princeton University and others highlighted the risk of Border Gateway Protocol (BGP) attacks and prefix-hijacking resulting in fraudulently issued certificates. This risk was not merely theoretical, as it was demonstrated that attackers successfully exploited this vulnerability on numerous occasions, with just one of these attacks resulting in approximately $2 million dollars of direct losses.

The Chrome Root Program led a work team of ecosystem participants, which culminated in a CA/Browser Forum Ballot to require adoption of MPIC via Ballot SC-067. The ballot received unanimous support from organizations who participated in voting. Beginning March 15, 2025, CAs issuing publicly-trusted certificates must now rely on MPIC as part of their certificate issuance process. Some of these CAs are relying on the Open MPIC Project to ensure their implementations are robust and consistent with ecosystem expectations...
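The corroboration decision that MPIC adds to domain control validation, as an added example that is neither the Open MPIC Project's nor any CA's code: each vantage point reports the token it fetched from the validation URL, and issuance proceeds only when the CA's primary perspective and a quorum of remote perspectives in distinct regions all observe it. The quorum numbers, region labels and simulated observations are constructed assumptions rather than the exact Baseline Requirements policy; the "localized_hijack" scenario is the case the Princeton research describes, where only the CA's own route is diverted.

```python
"""Multi-perspective corroboration of a domain control check (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Observation:
    perspective: str      # "primary" for the CA's own vantage point, anything else is remote
    region: str           # coarse network region of the vantage point (constructed labels)
    token: Optional[str]  # token fetched from the validation URL, None if unreachable


def corroborate(expected, observations, min_remote=2, min_regions=2,
                max_noncorroborating=1):
    """Assumed policy (not the exact Baseline Requirements quorum): the primary must
    observe the expected token, at least `min_remote` remotes spread over
    `min_regions` regions must agree, and no more than `max_noncorroborating`
    remotes may disagree or be unreachable. Returns (issue, reason)."""
    primary = [o for o in observations if o.perspective == "primary"]
    if len(primary) != 1:
        return False, "exactly one primary perspective is required"
    if primary[0].token != expected:
        return False, "primary perspective did not observe the expected token"
    remotes = [o for o in observations if o.perspective != "primary"]
    agreeing = [o for o in remotes if o.token == expected]
    non = [o for o in remotes if o.token != expected]
    if len(non) > max_noncorroborating:
        detail = ", ".join(f"{o.perspective}={o.token!r}" for o in non)
        return False, f"{len(non)} remote perspectives did not corroborate ({detail})"
    if len(agreeing) < min_remote:
        return False, f"only {len(agreeing)} remote perspectives corroborated"
    if len({o.region for o in agreeing}) < min_regions:
        return False, "corroborating perspectives are not spread across enough regions"
    return True, "corroborated"


TOKEN = "constructed-random-token"  # the value the CA asked the requester to publish


def scenarios() -> dict:
    """Constructed validation runs; returns scenario name -> issue decision."""
    cases = {
        # Every vantage point reaches the legitimate server, which serves the token.
        "legitimate": [
            Observation("primary", "NA", TOKEN),
            Observation("us-east", "NA", TOKEN),
            Observation("eu-west", "EU", TOKEN),
            Observation("ap-south", "APAC", TOKEN),
        ],
        # A prefix hijack diverts only the CA's own path to a host serving the token;
        # remote vantage points still reach the real site, which does not publish it.
        # A single-perspective check would have issued here.
        "localized_hijack": [
            Observation("primary", "NA", TOKEN),
            Observation("us-east", "NA", None),
            Observation("eu-west", "EU", "some-other-page-content"),
            Observation("ap-south", "APAC", None),
        ],
        # An ordinary transient failure at one vantage point is tolerated.
        "one_unreachable": [
            Observation("primary", "NA", TOKEN),
            Observation("us-east", "NA", TOKEN),
            Observation("eu-west", "EU", None),
            Observation("ap-south", "APAC", TOKEN),
        ],
        # Agreement only from vantage points sharing one region is not enough:
        # a hijack near that region could fool all of them at once.
        "single_region": [
            Observation("primary", "NA", TOKEN),
            Observation("us-east", "NA", TOKEN),
            Observation("us-west", "NA", TOKEN),
        ],
    }
    return {name: corroborate(TOKEN, obs)[0] for name, obs in cases.items()}


if __name__ == "__main__":
    for name, issue in scenarios().items():
        print(f"{name}: {'issue' if issue else 'refuse'}")
```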

Linting
Linting refers to the automated process of analyzing X.509 certificates to detect and prevent errors, inconsistencies, and non-compliance with requirements and industry standards. Linting ensures certificates are well-formatted and include the necessary data for their intended use, such as website authentication. Linting can expose the use of weak or obsolete cryptographic algorithms and other known insecure practices, improving overall security... The ballot received unanimous support from organizations who participated in voting. Beginning March 15, 2025, CAs issuing publicly-trusted certificates must now rely on linting as part of their certificate issuance process.

Linting also improves interoperability, according to the blog post, and helps reduce the risk of non-compliance with standards that can result in certificates being "mis-issued".

And coming up, weak domain control validation methods (currently permitted by the CA/Browser Forum TLS Baseline Requirements) will be prohibited beginning July 15, 2025.

"Looking forward, we're excited to explore a reimagined Web PKI and Chrome Root Program with even stronger security assurances for the web as we navigate the transition to post-quantum cryptography."
AI

Has the Decline of Knowledge Worker Jobs Begun? (boston.com) 101

The New York Times notes that white-collar workers have faced higher unemployment than other groups in the U.S. over the past few years — along with slower wage growth.

Some economists wonder if this trend might be irreversible... and partly attributable to AI: After sitting below 4% for more than two years, the overall unemployment rate has topped that threshold since May... "We're seeing a meaningful transition in the way work is done in the white-collar world," said Carl Tannenbaum, the chief economist of Northern Trust. "I tell people a wave is coming...." Thousands of video game workers lost jobs last year and the year before... Unemployment in finance and related industries, while still low, increased by about a quarter from 2022 to 2024, as rising interest rates slowed demand for mortgages and companies sought to become leaner....

Overall, the latest data from the Federal Reserve Bank of New York show that the unemployment rate for college grads has risen 30% since bottoming out in September 2022 (to 2.6% from 2%), versus about 18% for all workers (to 4% from 3.4%). An analysis by Julia Pollak, chief economist of ZipRecruiter, shows that unemployment has been most elevated among those with bachelor's degrees or some college but no degree, while unemployment has been steady or falling at the very top and bottom of the education ladder — for those with advanced degrees or without a high school diploma. Hiring rates have slowed more for jobs requiring a college degree than for other jobs, according to ADP Research, which studies the labor market....

And artificial intelligence could reduce that need further by increasing the automation of white-collar jobs. A recent academic paper found that software developers who used an AI coding assistant improved a key measure of productivity by more than 25% and that the productivity gains appeared to be largest among the least experienced developers. The result suggested that adopting AI could reduce the wage premium enjoyed by more experienced coders, since it would erode their productivity advantages over novices... [A]t least in the near term, many tech executives and their investors appear to see AI as a way to trim their staffing. A software engineer at a large tech company who declined to be named for fear of harming his job prospects said that his team was about half the size it was last year and that he and his co-workers were expected to do roughly the same amount of work by relying on an AI assistant. Overall, the unemployment rate in tech and related industries jumped by more than half from 2022 to 2024, to 4.4% from 2.9%.

"Some economists say these trends may be short term in nature and little cause for concern on their own," the article points out (with one economist noting the unemployment rate is still low compared to historical averages).

Harvard labor economist Lawrence Katz even suggested the slower wage growth could reflect the discount that these workers accepted in return for being able to work from home.

Thanks to Slashdot reader databasecowgirl for sharing the article.
IT

Are Tech-Driven 'Career Meltdowns' Hitting Generation X? (nytimes.com) 141

"I am having conversations every day with people whose careers are sort of over," a 53-year-old film and TV director told the New York Times: If you entered media or image-making in the '90s — magazine publishing, newspaper journalism, photography, graphic design, advertising, music, film, TV — there's a good chance that you are now doing something else for work. That's because those industries have shrunk or transformed themselves radically, shutting out those whose skills were once in high demand... When digital technology began seeping into their lives, with its AOL email accounts, Myspace pages and Napster downloads, it didn't seem like a threat. But by the time they entered the primes of their careers, much of their expertise had become all but obsolete.

More than a dozen members of Generation X interviewed for this article said they now find themselves shut out, economically and culturally, from their chosen fields. "My peers, friends and I continue to navigate the unforeseen obsolescence of the career paths we chose in our early 20s," Mr. Wilcha said. "The skills you cultivated, the craft you honed — it's just gone. It's startling." Every generation has its burdens. The particular plight of Gen X is to have grown up in one world only to hit middle age in a strange new land. It's as if they were making candlesticks when electricity came in. The market value of their skills plummeted...

Typically, workers in their 40s and 50s are entering their peak earning years. But for many Gen-X creatives, compensation has remained flat or decreased, factoring in the rising cost of living. The usual rate for freelance journalists is 50 cents to $1 per word — the same as it was 25 years ago... As opportunities and incomes dwindle, Gen X-ers in creative fields are weighing their options. Move to a lower-cost place and remain committed to the work you love? Look for a bland corporate job that might provide health insurance and a steady paycheck until retirement?

The article includes several examples of the trend:
  • One magazine's photo studio director says professional photographers have been replaced by "a 20-year-old kid who will do the job for $500."
  • The article adds that "When photography went digital, photo lab technicians and manual retouchers were suddenly as inessential as medieval scribes." (And "In advertising, brands ditched print and TV campaigns that required large crews for marketing plans that relied on social media posts.")
  • An editor at Spin magazine remembers the day its print edition folded...

And besides competition from influencers, there's also AI, "which seems likely to replace many of the remaining Gen X copywriters, photographers and designers. By 2030, ad agencies in the United States will lose 32,000 jobs, or 7.5 percent of the industry's work force, to the technology, according to the research firm Forrester."

Meanwhile the cost of living has skyrocketed, the article points out — even while Gen X-ers "are less secure financially than baby boomers and lack sufficient retirement savings, according to recent surveys..."


Security

New Ubuntu Linux Security Bypasses Require Manual Mitigations (bleepingcomputer.com) 14

An anonymous reader shared this report from BleepingComputer: Three security bypasses have been discovered in Ubuntu Linux's unprivileged user namespace restrictions, which could enable a local attacker to exploit vulnerabilities in kernel components. The issues allow local unprivileged users to create user namespaces with full administrative capabilities and impact Ubuntu versions 23.10, where unprivileged user namespace restrictions are enabled, and 24.04, which has them active by default...

Ubuntu added AppArmor-based restrictions in version 23.10 and enabled them by default in 24.04 to limit the risk of namespace misuse. Researchers at cloud security and compliance company Qualys found that these restrictions can be bypassed in three different ways... The researchers note that these bypasses are dangerous when combined with kernel-related vulnerabilities, and they are not enough to obtain complete control of the system... Qualys notified the Ubuntu security team of their findings on January 15 and agreed to a coordinated release. However, the busybox bypass was discovered independently by vulnerability researcher Roddux, who published the details on March 21.

Canonical, the organization behind Ubuntu Linux, has acknowledged Qualys' findings and confirmed to BleepingComputer that they are developing improvements to the AppArmor protections. A spokesperson told us that they are not treating these findings as vulnerabilities per se but as limitations of a defense-in-depth mechanism. Hence, protections will be released according to standard release schedules and not as urgent security fixes.

Canonical shared hardening steps that administrators should consider in a bulletin published on their official "Ubuntu Discourse" discussion forum.
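The AppArmor-based restriction the report describes is exposed to administrators as kernel sysctls, so the first practical question on any Ubuntu host is whether the restriction is actually enforced there. The POSIX shell script below is an added example written for this page; it is not code from Canonical's bulletin, Qualys, or the article. It reads the two Ubuntu-specific AppArmor sysctls, kernel.apparmor_restrict_unprivileged_userns (introduced in 23.10) and kernel.apparmor_restrict_unprivileged_unconfined (24.04), whose names come from Ubuntu's AppArmor integration rather than from the article; the specific hardening steps in Canonical's bulletin are not reproduced here. The directory argument lets the audit run against a constructed copy of /proc/sys/kernel, which is how the check is exercised below.

```shell
#!/bin/sh
# Added example (not Canonical's or Qualys's code): audit whether Ubuntu's
# AppArmor restriction on unprivileged user namespaces is enforced on this host.
#
# Exit codes of sysctl_state: 0 = enabled (value 1), 1 = disabled (value 0),
# 2 = file absent or unexpected value (e.g. non-Ubuntu kernel).

# sysctl_state DIR NAME
#   Prints "enabled", "disabled", "absent" or "unexpected:<value>" for the
#   sysctl file DIR/NAME.  DIR defaults to /proc/sys/kernel; passing another
#   directory allows the logic to be tested against constructed files.
sysctl_state() {
    dir="${1:-/proc/sys/kernel}"
    name="$2"
    f="$dir/$name"
    if [ ! -r "$f" ]; then
        echo "absent"
        return 2
    fi
    v=$(cat "$f" 2>/dev/null)
    case "$v" in
        1) echo "enabled";  return 0 ;;
        0) echo "disabled"; return 1 ;;
        *) echo "unexpected:$v"; return 2 ;;
    esac
}

# audit_userns [DIR]
#   Reports both AppArmor userns sysctls and returns 0 only if every one of
#   them is enabled.  Sysctl names are assumed from Ubuntu's AppArmor
#   integration (23.10 for *_userns, 24.04 for *_unconfined).
audit_userns() {
    dir="${1:-/proc/sys/kernel}"
    rc=0
    for name in apparmor_restrict_unprivileged_userns \
                apparmor_restrict_unprivileged_unconfined; do
        state=$(sysctl_state "$dir" "$name")
        printf '%-50s %s\n' "kernel.$name" "$state"
        [ "$state" = "enabled" ] || rc=1
    done
    return "$rc"
}

# When run as a script, audit the live kernel.  SYSCTL_DIR overrides the
# location for testing.  The warning is informational: the article notes these
# restrictions are a defense-in-depth layer, so "enabled" confirms the layer
# is on, not that the bypasses Qualys describes are closed.
audit_userns "${SYSCTL_DIR:-/proc/sys/kernel}" \
    || echo "WARNING: unprivileged user namespace restriction is not fully enforced"
```

On a kernel without Ubuntu's AppArmor patches both entries report "absent", which is the expected result on non-Ubuntu systems rather than a misconfiguration. The script deliberately only reads state; changing the sysctls is left to the administrator following Canonical's published guidance.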
Privacy

Madison Square Garden Bans Fan After Surveillance System IDs Him as Critic of Its CEO (theverge.com) 99

An anonymous reader quotes a report from The Verge: A concert on Monday night at New York's Radio City Music Hall was a special occasion for Frank Miller: his parents' wedding anniversary. He didn't end up seeing the show -- and before he could even get past security, he was informed that he was in fact banned for life from the venue and all other properties owned by Madison Square Garden (MSG). After scanning his ticket and promptly being pulled aside by security, Miller was told by staff that he was barred from the MSG properties for an incident at the Garden in 2021. But Miller says he hasn't been to the venue in nearly two decades.

"They hand me a piece of paper letting me know that I've been added to a ban list," Miller says. "There's a trespass notice if I ever show up on any MSG property ever again," which includes venues like Radio City, the Beacon Theatre, the Sphere, and the Chicago Theatre. He was baffled at first. Then it dawned on him: this was probably about a T-shirt he designed years ago. MSG Entertainment won't say what happened with Miller or how he was picked out of the crowd, but he suspects he was identified via controversial facial recognition systems that the company deploys at its venues.

In 2017, 1990s New York Knicks star Charles Oakley was forcibly removed from his seat near Knicks owner and Madison Square Garden CEO James Dolan. The high-profile incident later spiraled into an ongoing legal battle. For Miller, Oakley was an "integral" part of the '90s Knicks, he says. With his background in graphic design, he made a shirt in the style of the old team logo that read, "Ban Dolan" -- a reference to the infamous scuffle. A few years later, in 2021, a friend of Miller's wore a Ban Dolan shirt to a Knicks game and was kicked out and banned from future events. That incident spawned ESPN segments and news articles and validated what many fans saw as a pettiness on Dolan and MSG's part for going after individual fans who criticized team ownership.

"Frank Miller Jr. made threats against an MSG executive on social media and produced and sold merchandise that was offensive in nature," Mikyl Cordova, executive vice president of communications and marketing for the company, said in an emailed statement. "His behavior was disrespectful and disruptive and in violation of our code of conduct."

Miller responded to the ban, saying: "I just found it comical, until I was told that my mom was crying [in the lobby]. I was like, 'Oh man, I ruined their anniversary with my shit talk on the internet. Memes are powerful, and so is the surveillance state. It's something that we all have to be aware of -- the panopticon. We're [being] surveilled at all times, and it's always framed as a safety thing, when rarely is that the case. It's more of a deterrent and a fear tactic to try to keep people in line."
Oracle

Oracle Health Breach Compromises Patient Data At US Hospitals 5

A breach of legacy Cerner servers at Oracle Health exposed patient data from multiple U.S. hospitals and healthcare organizations, with threat actors using compromised customer credentials to steal the data before it had been migrated to Oracle Cloud. Despite confirming the breach privately, Oracle Health has yet to publicly acknowledge the incident. BleepingComputer reports: Oracle Health, formerly known as Cerner, is a healthcare software-as-a-service (SaaS) company offering Electronic Health Records (EHR) and business operations systems to hospitals and healthcare organizations. After being acquired by Oracle in 2022, Cerner was merged into Oracle Health, with its systems migrated to Oracle Cloud. In a notice sent to impacted customers and seen by BleepingComputer, Oracle Health said it became aware of a breach of legacy Cerner data migration servers on February 20, 2025.

"We are writing to inform you that, on or around February 20, 2025, we became aware of a cybersecurity event involving unauthorized access to some amount of your Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud," reads a notification sent to impacted Oracle Health customers. Oracle says that the threat actor used compromised customer credentials to breach the servers sometime after January 22, 2025, and copied data to a remote server. This stolen data "may" have included patient information from electronic health records. However, multiple sources told BleepingComputer that it was confirmed that patient data was stolen during the attack.

Oracle Health is also telling hospitals that they will not notify patients directly and that it is their responsibility to determine if the stolen data violates HIPAA laws and whether they are required to send notifications. However, the company says they will help identify impacted individuals and provide templates to help with notifications.
Businesses

Labor Arbitrage RIP (indiadispatch.com) 56

An anonymous reader shares a report: For decades, India's economic promise has rested on its demographic dividend -- the competitive edge of a massive, young, and increasingly educated workforce. Economists and policymakers have routinely cited the country's population profile as its ticket to economic superpower status, with projections of reaching $10 trillion in GDP and achieving high-income status by 2047. These forecasts depend heavily on a critical assumption: that roughly 500 million Indians currently aged 5-24 will find productive employment as they enter the workforce over the next two decades. But a sobering new analysis from Bernstein suggests this fundamental premise may be crumbling under the weight of rapid advances in AI.

"The advent of AI threatens to erode all the advantages of India's rich demographic dividend," write Bernstein analysts Venugopal Garre and Nikhil Arela, who characterize their assessment as a potential "doomsday scenario" for a nation that has hitched its economic wagon to services-led growth. At stake is India's $350 billion services export sector -- a sprawling ecosystem of IT outsourcing, business process management, and offshore knowledge centers that employs over 10 million workers, mostly in jobs that place them in the top 25% of the country's income distribution.

While India's IT giants have successfully navigated previous technological shifts -- from basic call centers in the late 1980s to cloud computing and data analytics more recently -- AI poses a fundamentally different challenge. Unlike earlier transitions that required human adaptation, today's AI systems threaten to replace rather than complement the workforce. "AI subscriptions that come at a fraction of the costs of India's entry level engineers can be deployed to perform tasks at higher precision and speed," the report notes.