Slashdot

A study of 12,069 middle and top-level venture capital professionals at US firms between 1996 and 2025 found that 46% never achieved a successful investment. The research by Stanford professor Ilya Strebulaev and Blake Jackson classified directors, principals, and general partners as successful if they had at least one investment that either became a unicorn, exited at twice the entry cost, or went public. (The analysis deemed any investment with 2x return "successful," though one should know that in the venture capital industry, the majority of bets don't return anything and the model works because of power law.)

Read more of this story at Slashdot.

Windows 11 has become indistinguishable from malware because of the way Microsoft has inserted intrusive advertising, AI monitoring features, and constant distractions designed to drive user engagement and monetization to the operating system, argues veteran writer and developer Rupert Goodwins of The Register. Goodwins contends that Microsoft has transformed Windows 11 into "an ADHD horror show, full of distractions, promotions and snares" where AI features "constantly video what you're doing and send it back to Mother." He applies the term malware to describe software that intervenes in work to advertise and monitors user data, concluding that "for Windows it isn't a class of third-party nasties, it's an edition name."

Read more of this story at Slashdot.

Security researchers have discovered evidence suggesting the SkyRover X1 drone sold on Amazon for some $750 is a DJI product operating under a different brand name. The findings come at a time when DJI is facing an unofficial ban at US customs. The drone shares identical specifications and features with the DJI Mini 4 Pro and connects to DJI's online infrastructure, including DJIGlobal, DJISupport, and DJIEnterprise services. Hacker Kevin Finisterre successfully logged into the SkyRover system using his existing DJI credentials. Security consultant Jon Sawyer found the SkyRover app uses the same encryption keys as DJI software, with the company making only basic attempts to conceal its origins by replacing "DJI" references with "xxx" or "uav." DJI didn't deny to The Verge that the SkyRover X1 is their product.

Read more of this story at Slashdot.

Norway's $2 trillion sovereign wealth fund, equivalent to $340,000 per citizen, may be undermining the country's economic health, according to a contentious new book. Martin Bech Holte's "The Country That Became Too Rich" argues that oil revenue has made Norway bloated and unproductive, with data supporting several concerns. Norway has recorded the slowest productivity growth among wealthy nations over the past two decades while Norwegians take 27.5 sick days annually, the highest rate in the OECD. Student test scores have declined since 2015 and now rank below the OECD average despite Norway spending $20,000 per student compared to the $14,000 OECD average. Fund withdrawals now cover 20% of the annual budget, up from less than 10% two decades ago.

Read more of this story at Slashdot.

A new analysis of protein changes across human tissues has identified an aging acceleration point around age 50, with blood vessels showing the most dramatic deterioration. Researchers examined tissue samples from eight body systems in 76 people of Chinese ancestry aged 14 to 68 who died from accidental brain injury, finding age-related increases in 48 disease-associated proteins. Between ages 45 and 55, the most significant shift occurred in the aorta, the body's main artery carrying oxygenated blood from the heart. The team identified one aortic protein that triggers accelerated aging signs when administered to mice. Early aging changes appeared around age 30 in the adrenal gland, which produces various hormones. The study, published in Cell, adds to mounting evidence that aging occurs in waves rather than following a steady progression.

Read more of this story at Slashdot.

This week Google's Open Source Security Team announced "a new project to strengthen trust in open source package ecosystems" — by reproducing upstream artifacts. It includes automation to derive declarative build definitions, new "build observability and verification tools" for security teams, and even "infrastructure definitions" to help organizations rebuild, sign, and distribute provenance by running their own OSS Rebuild instances. (And as part of the initiative, the team also published SLSA Provenance attestations "for thousands of packages across our supported ecosystems.") Our aim with OSS Rebuild is to empower the security community to deeply understand and control their supply chains by making package consumption as transparent as using a source repository. Our rebuild platform unlocks this transparency by utilizing a declarative build process, build instrumentation, and network monitoring capabilities which, within the SLSA Build framework, produces fine-grained, durable, trustworthy security metadata. Building on the hosted infrastructure model that we pioneered with OSS Fuzz for memory issue detection, OSS Rebuild similarly seeks to use hosted resources to address security challenges in open source, this time aimed at securing the software supply chain... We are committed to bringing supply chain transparency and security to all open source software development. Our initial support for the PyPI (Python), npm (JS/TS), and Crates.io (Rust) package registries — providing rebuild provenance for many of their most popular packages — is just the beginning of our journey... OSS Rebuild helps detect several classes of supply chain compromise: - Unsubmitted Source Code: When published packages contain code not present in the public source repository, OSS Rebuild will not attest to the artifact. - Build Environment Compromise: By creating standardized, minimal build environments with comprehensive monitoring, OSS Rebuild can detect suspicious build activity or avoid exposure to compromised components altogether. - Stealthy Backdoors: Even sophisticated backdoors like xz often exhibit anomalous behavioral patterns during builds. OSS Rebuild's dynamic analysis capabilities can detect unusual execution paths or suspicious operations that are otherwise impractical to identify through manual review. For enterprises and security professionals, OSS Rebuild can... — Enhance metadata without changing registries by enriching data for upstream packages. No need to maintain custom registries or migrate to a new package ecosystem. — Augment SBOMs by adding detailed build observability information to existing Software Bills of Materials, creating a more complete security picture... - Accelerate vulnerability response by providing a path to vendor, patch, and re-host upstream packages using our verifiable build definitions... The easiest (but not only!) way to access OSS Rebuild attestations is to use the provided Go-based command-line interface. "With OSS Rebuild's existing automation for PyPI, npm, and Crates.io, most packages obtain protection effortlessly without user or maintainer intervention."

Read more of this story at Slashdot.