news aggregator

Ransomware crooks utterly fail to find moral compass

First they targeted a preschool network, now new kids on the ransomware block Radiant Group say they've hit a hospital in the US, continuing their deplorable early cybercrime careers.…

gem.coop server promises continuity after Ruby Central’s takeover of key repos

A team including maintainers removed without notice from the RubyGems.org project has formed the Gem Cooperative and created a new gem server called gem.coop, compatible with RubyGems.…

Under the sea, under the sea... bit barnacle's better, down where it's wetter, take it from me

China is persevering with underwater datacenters - a deployment off the coast near Shanghai is expected to save on the energy costs of cooling compute infrastructure thanks to ocean currents.…

Outsourcing your helpdesk always seems like a good idea – until someone else's breach becomes your problem

Discord has confirmed customers' data was stolen – but says the culprit wasn't its own servers, just a compromised support vendor.…

Vibe coding tools "are transforming the job experience for many tech workers," writes the Los Angeles Times. But Gartner analyst Philip Walsh said the research firm's position is that AI won't replace software engineers and will actually create a need for more. "There's so much software that isn't created today because we can't prioritize it," Walsh said. "So it's going to drive demand for more software creation, and that's going to drive demand for highly skilled software engineers who can do it..." The idea that non-technical people in an organization can "vibe-code" business-ready software is a misunderstanding [Walsh said]... "That's simply not happening. The quality is not there. The robustness is not there. The scalability and security of the code is not there," Walsh said. "These tools reward highly skilled technical professionals who already know what 'good' looks like." "Economists, however, are also beginning to worry that AI is taking jobs that would otherwise have gone to young or entry-level workers," the article points out. "In a report last month, researchers at Stanford University found "substantial declines in employment for early-career workers'' — ages 22-25 — in fields most exposed to AI. Stanford researchers also found that AI tools by 2024 were able to solve nearly 72% of coding problems, up from just over 4% a year earlier." And yet Cat Wu, project manager of Anthropic's Claude Code, doesn't even use the term vibe coding. "We definitely want to make it very clear that the responsibility, at the end of the day, is in the hands of the engineers." Wu said she's told her younger sister, who's still in college, that software engineering is still a great career and worth studying. "When I talk with her about this, I tell her AI will make you a lot faster, but it's still really important to understand the building blocks because the AI doesn't always make the right decisions," Wu said. "A lot of times the human intuition is really important."

Read more of this story at Slashdot.

No confirmed date but workers expected to return in the coming days

Jaguar Land Rover is readying staff to resume manufacturing in the coming days, a company spokesperson confirmed to The Reg.…

Big Red rushes out patch for 9.8-rated flaw after crooks exploit it for data theft and extortion

Oracle rushed out an emergency fix over the weekend for a zero-day vulnerability in its E-Business Suite (EBS) that criminal crew Clop has already abused for data theft and extortion.…

Plus, PAN under attack, IT whistleblowers get a payout, and China kills online scammers

Infosec in brief On August 29, the US Federal Emergency Management Agency fired its CISO, CIO, and 22 other staff for incompetence but insisted it wasn't in response to an online attack. New material suggests FEMA's claim may be false.…

Microsoft's Copilot is helping workers perfect the ancient art of doing sweet f all

Opinion It has been less than three years since ChatGPT lit the fuse of the current explosion of AI everywhere. AI years move even faster than internet years, so there's been time not only for the forcible injection of AI into the workplace courtesy of Microsoft, but the first scientific studies of the effect. Productivity may not have gone up, but anxiety, confusion and annoyance most certainly have.…

Steve Jobs died 14 years ago. But the blog Cult of Mac remembers that "Jobs himself was not sentimental." When he left Apple in the mid-1980s, he didn't even clear out his office. That meant personal mementos like his first Apple stock certificate, which had hung on his office wall, got tossed in the trash. Shortly after returning to Apple in the late 1990s, he gave the company's historical archive to Stanford University Libraries. The stash included records that Apple management kept since the mid-1980s. The reason Apple handed over this historical treasure trove? Jobs didn't want the company to fixate on the past... All of which goes some way to saying why it was so heartening that Steve Jobs' death received so much attention. He wasn't the richest technology CEO to die. But the reaction showed that his life — faults and all — meant a lot to a great number of people. Jobs helped create products people cared about, and in turn they cared about him. The site Mac Rumors remembered Sunday that Jobs "died just one day after Apple unveiled the iPhone 4S and Siri." Six years later, Apple CEO Tim Cook reflected on Jobs while opening Apple's first-ever event at Steve Jobs Theater in 2017. "There is not a day that goes by that we don't think about him." And Sunday Cook posted this remembrance of Steve Jobs. "Steve saw the future as a bright and boundless place, lit the path forward, and inspired us to follow. "We miss you, my friend."

Read more of this story at Slashdot.

Consumer group Which? says owners of Apple and Samsung devices overcharged by £480M

Qualcomm is facing a UK trial over allegations that it abused its dominant position in the smartphone chipset market to charge inflated license fees, ultimately driving up device prices for Brit consumers.…

Big Blue turned the air blue

Who, Me? Oh, bother, it's Monday. But rather than curse about another working week rolling around, The Register welcomes it with another instalment of Who, Me? It's the reader-contributed column in which you confess to workplace whoopsies and reveal how you survived them.…

The director of a tour operation remembers two tourists arriving in a rural town in Peru determined to hike alone in the mountains to a sacred canyon recommended by their AI chatbot. But the canyon didn't exists — and a high-altitude hike could be dangerous (especially where cellphone coverage is also spotty). They're part of a BBC report on travellers arriving at their destination "only to find they've been fed incorrect information or steered to a place that only exists in the hard-wired imagination of a robot..." "According to a 2024 survey, 37% of those surveyed who used AI to help plan their travels reported that it could not provide enough information, while around 33% said their AI-generated recommendations included false information." Some examples? - Dana Yao and her husband recently experienced this first-hand. The couple used ChatGPT to plan a romantic hike to the top of Mount Misen on the Japanese island of Itsukushima earlier this year. After exploring the town of Miyajima with no issues, they set off at 15:00 to hike to the montain's summit in time for sunset, exactly as ChatGPT had instructed them. "That's when the problem showed up," said Yao, a creator who runs a blog about traveling in Japan, "[when] we were ready to descend [the mountain via] the ropeway station. ChatGPT said the last ropeway down was at 17:30, but in reality, the ropeway had already closed. So, we were stuck at the mountain top..." - A 2024 BBC article reported that [dedicated travel AI site] Layla briefly told users that there was an Eiffel Tower in Beijing and suggested a marathon route across northern Italy to a British traveller that was entirely unfeasible... - A recent Fast Company article recounted an incident where a couple made the trek to a scenic cable car in Malaysia that they had seen on TikTok, only to find that no such structure existed. The video they'd watched had been entirely AI generated, either to drum up engagement or for some other strange purpose. Rayid Ghani, a distinguished professor in machine learning at Carnegie Melon University, tells them that an AI chatbot "doesn't know the difference between travel advice, directions or recipes. It just knows words. So, it keeps spitting out words that make whatever it's telling you sound realistic..."

Read more of this story at Slashdot.

If we could remove the 50 most concerning pieces of space debris in low-Earth orbit, there'd be a 50% reduction in the overall debris-generating potential, reports Ars Technica. That's according to Darren McKnight, lead author of a paper presented Friday at the International Astronautical Congress in Sydney, which calculated the objects most likely to collide with other fragments and create more debris. (Russia and the Soviet Union lead with 34 objects, followed by China with 10, the U.S. with three, Europe with two, and Japan with one.) Even just the top 10 were removed, the debris-generating potential drops by 30%. "The things left before 2000 are still the majority of the problem," he points out, and "76% of the objects in the top 50 were deposited last century." 88% of the objects are post-mission rocket bodies left behind to hurtle through space. "The bad news is, since January 1, 2024, we've had 26 rocket bodies abandoned in low-Earth orbit that will stay in orbit for more than 25 years," McKnight told Ars... China launched 21 of the 26 hazardous new rocket bodies over the last 21 months, each averaging more than 4 metric tons (8,800 pounds). Two more came from US launchers, one from Russia, one from India, and one from Iran. This trend is likely to continue as China steps up deployment of two megaconstellations — Guowang and Thousand Sails — with thousands of communications satellites in low-Earth orbit. Launches of these constellations began last year. The Guowang and Thousand Sails satellites are relatively small and likely capable of maneuvering out of the way of space debris, although China has not disclosed their exact capabilities. However, most of the rockets used for Guowang and Thousand Sails launches have left their upper stages in orbit. McKnight said nine upper stages China has abandoned after launching Guowang and Thousand Sails satellites will stay in orbit for more than 25 years, violating the international guidelines. It will take hundreds of rockets to fully populate China's two major megaconstellations. The prospect of so much new space debris is worrisome, McKnight said. "In the next few years, if they continue the same trend, they're going to leave well over 100 rocket bodies over the 25-year rule if they continue to deploy these constellations," he said. "So, the trend is not good...." Since 2000, China has accumulated more dead rocket mass in long-lived orbits than the rest of the world combined, according to McKnight. "But now we're at a point where it's actually kind of accelerating in the last two years as these constellations are getting deployed." A deputy head of China's national space agency recently said China is "currently researching" how to remove space debris from orbit, according to the article. ("One of the missions China claims is testing space debris mitigation techniques has docked with multiple spacecraft in orbit, but U.S. officials see it as a military threat. The same basic technologies needed for space debris cleanup — rendezvous and docking systems, robotic arms, and onboard automation — could be used to latch on to an adversary's satellite.")

Read more of this story at Slashdot.

"Recent attacks show that hackers keep using the same tricks to sneak bad code into popular software registries," writes long-time Slashdot reader selinux geek, suggesting that "the real problem is how these registries are built, making these attacks likely to keep happening." After all, npm wasn't the only software library hit by a supply chain attack, argues the Linux Security blog. "PyPI and Docker Hub both faced their own compromises in 2025, and the overlaps are impossible to ignore." Phishing has always been the low-hanging fruit. In 2025, it wasn't just effective once — it was the entry point for multiple registry breaches, all occurring close together in different ecosystems... The real problem isn't that phishing happened. It's that there weren't enough safeguards to blunt the impact. One stolen password shouldn't be all it takes to poison an entire ecosystem. Yet in 2025, that's exactly how it played out... Even if every maintainer spotted every lure, registries left gaps that attackers could walk through without much effort. The problem wasn't social engineering this time. It was how little verification stood between an attacker and the "publish" button. Weak authentication and missing provenance were the quiet enablers in 2025... Sometimes the registry itself offers the path in. When the failure is at the registry level, admins don't get an alert, a log entry, or any hint that something went wrong. That's what makes it so dangerous. The compromise appears to be a normal update until it reaches the downstream system... It shifts the risk from human error to systemic design. And once that weakly authenticated code gets in, it doesn't always go away quickly, which leads straight into the persistence problem... Once an artifact is published, it spreads into mirrors, caches, and derivative builds. Removing the original upload doesn't erase all the copies... From our perspective at LinuxSecurity, this isn't about slow cleanup; it's about architecture. Registries have no universally reliable kill switch once trust is broken. Even after removal, poisoned base images replicate across mirrors, caches, and derivative builds, meaning developers may keep pulling them in long after the registry itself is "clean." The article condlues that "To us at LinuxSecurity, the real vulnerability isn't phishing emails or stolen tokens — it's the way registries are built. They distribute code without embedding security guarantees. That design ensures supply chain attacks won't be rare anomalies, but recurring events."BR> So in a world where "the only safe assumption is that the code you consume may already be compromised," they argue, developers should look to controls they can enforce themselves: Verify artifacts with signatures or provenance tools. Pin dependencies to specific, trusted versions. Generate and track SBOMs so you know exactly what's in your stack. Scan continuously, not just at the point of install.

Read more of this story at Slashdot.

A computer-generated actress appearing in Instagram shorts now has a talent agent, reports the Los Angeles Times. The massive screen actors union SAG-AFTRA "weighed in with a withering response." SAG-AFTRA believes creativity is, and should remain, human-centered. The union is opposed to the replacement of human performers by synthetics. To be clear, "Tilly Norwood" is not an actor, it's a character generated by a computer program that was trained on the work of countless professional performers — without permission or compensation. It has no life experience to draw from, no emotion and, from what we've seen, audiences aren't interested in watching computer-generated content untethered from the human experience. It doesn't solve any "problem" — it creates the problem of using stolen performances to put actors out of work, jeopardizing performer livelihoods and devaluing human artistry. Additionally, signatory producers should be aware that they may not use synthetic performers without complying with our contractual obligations, which require notice and bargaining whenever a synthetic performer is going to be used. "They are taking our professional members' work that has been created, sometimes over generations, without permission, without compensation and without acknowledgment, building something new," SAG-AFTRA President Sean Astin told the Los Angeles Times in an interview: "But the truth is, it's not new. It manipulates something that already exists, so the conceit that it isn't harming actors — because it is its own new thing — ignores the fundamental truth that it is taking something that doesn't belong to them," Astin said. "We want to allow our members to benefit from new technologies," Astin said. "They just need to know that it's happening. They need to give permission for it, and they need to be bargained with...." Some actors called for a boycott of any agents who decide to represent Norwood. "Read the room, how gross," In the Heights actor Melissa Barrera wrote on Instagram. "Our members reserve the right to not be in business with representatives who are operating in an unfair conflict of interest, who are operating in bad faith," Astin said. But this week the head of a new studio from startup Luma AI "said all the big companies and studios were working on AI assisted projects," writes Deadline — and then claimed "being under NDA, she was not in a position to announce any of the details."

Read more of this story at Slashdot.

"A group of researchers from the University of California, Irvine, have developed a way to use the sensors in high-quality optical mice to capture subtle vibrations and convert them into audible data," reports Tom's Hardware: [T]he high polling rate and sensitivity of high-performance optical mice pick up acoustic vibrations from the surface where they sit. By running the raw data through signal processing and machine learning techniques, the team could hear what the user was saying through their desk. Mouse sensors with a 20,000 DPI or higher are vulnerable to this attack. And with the best gaming mice becoming more affordable annually, even relatively affordable peripherals are at risk.... [T]his compromise does not necessarily mean a complicated virus installed through a backdoor — it can be as simple as an infected FOSS that requires high-frequency mouse data, like creative apps or video games. This means it's not unusual for the software to gather this data. From there, the collected raw data can be extracted from the target computer and processed off-site. "With only a vulnerable mouse, and a victim's computer running compromised or even benign software (in the case of a web-based attack surface), we show that it is possible to collect mouse packet data and extract audio waveforms," the researchers state. The researchers created a video with raw audio samples from various stages in their pipeline on an accompanying web site where they calculate that "the majority of human speech" falls in a frequency range detectable by their pipeline. While the collected signal "is low-quality and suffers from non-uniform sampling, a non-linear frequency response, and extreme quantization," the researchers augment it with "successive signal processing and machine learning techniques to overcome these challenges and achieve intelligible reconstruction of user speech." They've titled their paper Invisible Ears at Your Fingertips: Acoustic Eavesdropping via Mouse Sensors. The paper's conclusion? "The increasing precision of optical mouse sensors has enhanced user interface performance but also made them vulnerable to side-channel attacks exploiting their sensitivity." Thanks to Slashdot reader jjslash for sharing the article.

Read more of this story at Slashdot.

"More than 800,000 drivers for ride-hailing companies in California will soon be able to join a union," reports the Associated Press, "and bargain collectively for better wages and benefits under a measure signed Friday by Gov. Gavin Newsom." Supporters said the new law will open a path for the largest expansion of private sector collective bargaining rights in the state's history. The legislation is a significant compromise in the yearslong battle between labor unions and tech companies. California is the second state where Uber and Lyft drivers can unionize as independent contractors. Massachusetts voters passed a ballot referendum in November allowing unionization, while drivers in Illinois and Minnesota are pushing for similar rights... The collective bargaining measure now allows rideshare workers in California to join a union while still being classified as independent contractors and requires gig companies to bargain in good faith. "The new law doesn't apply to drivers for delivery apps like DoorDash."

Read more of this story at Slashdot.

ScienceAlert writes that some of the tiny nanoplastic fragments present in soil "can make their way into the edible parts of vegetables, research has found." A team of scientists from the University of Plymouth in the UK placed radishes into a hydroponic (water-based) system containing polystyrene nanoparticles. After five days, almost 5% of the nanoplastics had made their way into the radish roots. A quarter of those were in the edible, fleshy roots, while a tenth had traveled up to the higher leafy shoots, despite anatomical features within the plants that typically screen harmful material from the soil. "Plants have a layer within their roots called the Casparian strip, which should act as a form of filter against particles, many of which can be harmful," says physiologist Nathaniel Clark. "This is the first time a study has demonstrated nanoplastic particles could get beyond that barrier, with the potential for them to accumulate within plants and be passed on to anything that consumes them...." There are some limitations to the study, as it didn't use a real-world farming setup. The concentration of plastics in the liquid solution is higher than estimated for soil, and only one type of plastic and one kind of vegetable were tested. Nevertheless, the basic principle stands: the smallest plastic nanoparticles can apparently sneak past protective barriers in plants, and from there into the food we eat... "There is no reason to believe this is unique to this vegetable, with the clear possibility that nanoplastics are being absorbed into various types of produce being grown all over the world," says Clark. The research has been published in Environmental Research.

Read more of this story at Slashdot.

"It's not just you. The internet is getting worse, fast," writes Cory Doctorow. Sunday he shared an excerpt from his upcoming book Enshittification: Why Everything Suddenly Got Worse and What to Do About It. He succinctly explains "this moment we're living through, this Great Enshittening" using Amazon as an example. Platforms amass users, but then abuse them to make things better for their business customers. And then they abuse those business customers too, abusing everybody while claiming all the value for themselves. "And become a giant pile of shit." So first Amazon subsidized prices and shipping, then locked in customers with Prime shipping subscriptions (while adding the chains of DRM to its ebooks and audiobooks)... These tactics — Prime, DRM and predatory pricing — make it very hard not to shop at Amazon. With users locked in, to proceed with the enshittification playbook, Amazon needed to get its business customers locked in, too... [M]erchants' dependence on those customers allows Amazon to extract higher discounts from those merchants, and that brings in more users, which makes the platform even more indispensable for merchants, allowing the company to require even deeper discounts... [Amazon] uses its overview of merchants' sales, as well as its ability to observe the return addresses on direct shipments from merchants' contracting factories, to cream off its merchants' bestselling items and clone them, relegating the original seller to page umpty-million of its search results. Amazon also crushes its merchants under a mountain of junk fees pitched as optional but effectively mandatory. Take Prime: a merchant has to give up a huge share of each sale to be included in Prime, and merchants that don't use Prime are pushed so far down in the search results, they might as well cease to exist. Same with Fulfilment by Amazon, a "service" in which a merchant sends its items to an Amazon warehouse to be packed and delivered with Amazon's own inventory. This is far more expensive than comparable (or superior) shipping services from rival logistics companies, and a merchant that ships through one of those rivals is, again, relegated even farther down the search rankings. All told, Amazon makes so much money charging merchants to deliver the wares they sell through the platform that its own shipping is fully subsidised. In other words, Amazon gouges its merchants so much that it pays nothing to ship its own goods, which compete directly with those merchants' goods.... Add all the junk fees together and an Amazon seller is being screwed out of 45-51 cents on every dollar it earns there. Even if it wanted to absorb the "Amazon tax" on your behalf, it couldn't. Merchants just don't make 51% margins. So merchants must jack up prices, which they do. A lot... [W]hen merchants raise their prices on Amazon, they are required to raise their prices everywhere else, even on their own direct-sales stores. This arrangement is called most-favoured-nation status, and it's key to the U.S. Federal Trade Commission's antitrust lawsuit against Amazon... If Amazon is taxing merchants 45-51 cents on every dollar they make, and if merchants are hiking their prices everywhere their goods are sold, then it follows you're paying the Amazon tax no matter where you shop — even the corner mom-and-pop hardware store. It gets worse. On average, the first result in an Amazon search is 29% more expensive than the best match for your search. Click any of the top four links on the top of your screen and you'll pay an average of 25% more than you would for your best match — which, on average, is located 17 places down in an Amazon search result. Doctorow knows what we need to do: Ban predatory pricing — "selling goods below cost to keep competitors out of the market (and then jacking them up again)." Impose structural separation, "so it can either be a platform, or compete with the sellers that rely on it as a platform." Curb junk fees, "which suck 45-51 cents on every dollar merchants take in." End its most favoured nation deal, which forces merchants "to raise their prices everywhere else, too. Unionise drivers and warehouse workers. Treat rigged search results as the fraud they are. These are policy solutions. (Because "You can't shop your way out of a monopoly," Doctorow warns.) And otherwise, as Doctorow says earlier, "Once a company is too big to fail, it becomes too big to jail, and then too big to care." In the mean time, Doctorow also makes up a new word — "the enshitternet" — calling it "a source of pain, precarity and immiseration for the people we love. "The indignities of harassment, scams, disinformation, surveillance, wage theft, extraction and rent-seeking have always been with us, but they were a minor sideshow on the old, good internet and they are the everything and all of the enshitternet." Thanks to long-time Slashdot readers mspohr and fjo3 for sharing the article.

Read more of this story at Slashdot.