An anonymous reader shares a report: Can AI help "smooth over" discussion on abortion, racism, immigration, or Israel-Palestine? Columbia University sure hopes so. The Verge has learned that the university recently began testing Sway, an AI debate program currently in beta. Developed by two researchers at Carnegie Mellon University, Sway matches up students with opposing views to chat one-on-one about hot-button issues and "facilitates better discussions between them," according to the tool's website. Nicholas DiBella, a postdoctoral scholar at CMU who helped develop Sway, told The Verge that about 3,000 students from more than 30 colleges and universities have used the tool.

One of those may soon be Columbia. News of the potential partnership comes after more than two years of escalating tensions at Columbia between students, administrators, and the federal government. The university has spent years at the center of controversy after controversy: expulsions of pro-Palestinian student protesters, a string of police raids, and demands from the federal government.

People at Columbia's Teachers College are testing Sway in order to potentially integrate it into the conflict resolution curriculum and "bridge-building initiatives at Columbia," DiBella said. He said there's also been interest from other teams at Columbia in using Sway for the fall 2026 semester and onward. Simon Cullen, an assistant professor at CMU and the other developer behind Sway, told The Verge that the company is also in touch with Columbia University Life.

Mastodon says it cannot comply with Mississippi's new age verification law because its decentralized software does not support age checks and the nonprofit lacks resources to enforce them. "The social nonprofit explains that Mastodon doesn't track its users, which makes it difficult to enforce such legislation," reports TechCrunch. "Nor does it want to use IP address-based blocks, as those would unfairly impact people who were traveling, it says." From the report: The statement follows a lively back-and-forth conversation earlier this week between Mastodon founder and CEO Eugen Rochko and Bluesky board member and journalist Mike Masnick. In the conversation, published on their respective social networks, Rochko claimed, "there is nobody that can decide for the fediverse to block Mississippi." (The Fediverse is the decentralized social network that includes Mastodon and other services, and is powered by the ActivityPub protocol.) "And this is why real decentralization matters," said Rochko.

Masnick pushed back, questioning why Mastodon's individual servers, like the one Rochko runs at mastodon.social, would not also be subject to the same $10,000 per user fines for noncompliance with the law. On Friday, however, the nonprofit shared a statement with TechCrunch to clarify its position, saying that while Mastodon's own servers specify a minimum age of 16 to sign up for its services, it does not "have the means to apply age verification" to its services. That is, the Mastodon software doesn't support it. The Mastodon 4.4 release in July 2025 added the ability to specify a minimum age for sign-up and other legal features for handling terms of service, partly in response to increased regulation around these areas. The new feature allows server administrators to check users' ages during sign-up, but the age-check data is not stored. That means individual server owners have to decide for themselves if they believe an age verification component is a necessary addition.

The nonprofit says Mastodon is currently unable to provide "direct or operational assistance" to the broader set of Mastodon server operators. Instead, it encourages owners of Mastodon and other Fediverse servers to make use of resources available online, such as the IFTAS library, which provides trust and safety support for volunteer social network moderators. The nonprofit also advises server admins to observe the laws of the jurisdictions where they are located and operate. Mastodon notes that it's "not tracking, or able to comment on, the policies and operations of individual servers that run Mastodon." Bluesky echoed those comments in a blog post last Friday, saying the company doesn't have the resources to make the substantial technical changes this type of law would require.

ole_timer shares a report from the New York Times: Investigators have uncovered evidence that Russia is at least partly responsible for a recent hack of the computer system that manages federal court documents, including highly sensitive records with information that could reveal sources and people charged with national security crimes, according to several people briefed on the breach. It is not clear what entity is responsible, whether an arm of Russian intelligence might be behind the intrusion or if other countries were also involved, which some of the people familiar with the matter described as a yearslong effort to infiltrate the system. Some of the searches included midlevel criminal cases in the New York City area and several other jurisdictions, with some cases involving people with Russian and Eastern European surnames.

Administrators with the court system recently informed Justice Department officials, clerks and chief judges in federal courts that "persistent and sophisticated cyber threat actors have recently compromised sealed records," according to an internal department memo reviewed by The New York Times. The administrators also advised those officials to quickly remove the most sensitive documents from the system. "This remains an URGENT MATTER that requires immediate action," officials wrote, referring to guidance that the Justice Department had issued in early 2021 after the system was first infiltrated. Documents related to criminal activity with an overseas tie, across at least eight district courts, were initially believed to have been targeted. Last month, the chief judges of district courts across the country were quietly warned to move those kinds of cases off the regular document-management system, according to officials briefed on the request. They were initially told not to discuss the matter with other judges in their districts.

Wikipedia editors have adopted a policy enabling administrators to delete AI-generated articles without the standard week-long discussion period. Articles containing telltale LLM responses like "Here is your Wikipedia article on" or "Up to my last training update" now qualify for immediate removal.

Articles with fabricated citations -- nonexistent papers or unrelated sources such as beetle research cited in computer science articles -- also meet deletion criteria.

An anonymous reader quotes a report from Wired: An airline leaving all of its passengers' travel records vulnerable to hackers would make an attractive target for espionage. Less obvious, but perhaps even more useful for those spies, would be access to a premium travel service that spans 10 different airlines, left its own detailed flight information accessible to data thieves, and seems to be favored by international diplomats. That's what one team of cybersecurity researchers found in the form of Airportr, a UK-based luggage service that partners with airlines to let its largely UK- and Europe-based users pay to have their bags picked up, checked, and delivered to their destination. Researchers at the firm CyberX9 found that simple bugs in Airportr's website allowed them to access virtually all of those users' personal information, including travel plans, or even gain administrator privileges that would have allowed a hacker to redirect or steal luggage in transit. Among even the small sample of user data that the researchers reviewed and shared with WIRED they found what appear to be the personal information and travel records of multiple government officials and diplomats from the UK, Switzerland, and the US.

Airportr's CEO Randel Darby confirmed CyberX9's findings in a written statement provided to WIRED but noted that Airportr had disabled the vulnerable part of its site's backend very shortly after the researchers made the company aware of the issues last April and fixed the problems within a few day. "The data was accessed solely by the ethical hackers for the purpose of recommending improvements to Airportr's security, and our prompt response and mitigation ensured no further risk," Darby wrote in a statement. "We take our responsibilities to protect customer data very seriously." CyberX9's researchers, for their part, counter that the simplicity of the vulnerabilities they found mean that there's no guarantee other hackers didn't access Airportr's data first. They found that a relatively basic web vulnerability allowed them to change the password of any user to gain access to their account if they had just the user's email address -- and they were also able to brute-force guess email addresses with no rate limitations on the site. As a result, they could access data including all customers' names, phone numbers, home addresses, detailed travel plans and history, airline tickets, boarding passes and flight details, passport images, and signatures.

By gaining access to an administrator account, CyberX9's researchers say, a hacker could also have used the vulnerabilities it found to redirect luggage, steal luggage, or even cancel flights on airline websites by using Airportr's data to gain access to customer accounts on those sites. The researchers say they could also have used their access to send emails and text messages as Airportr, a potential phishing risk. Airportr tells WIRED that it has 92,000 users and claims on its website that it has handled more than 800,000 bags for customers. [...] The researchers found that they could monitor their browser's communications as they signed up for Airportr and created a new password, and then reuse an API key intercepted from those communications to instead change another user's password to anything they chose. The site also lacked a "rate limiting" security measure that would prevent automated guesses of email addresses to rapidly change the password of every user's account. And the researchers were also able to find email addresses of Airportr administrators that allowed them to take over their accounts and gain their privileges over the company's data and operations. "Anyone would have been able to gain or might have gained absolute super-admin access to all the operations and data of this company," says Himanshu Pathak, CyberX9's founder and CEO. "The vulnerabilities resulted in complete confidential private information exposure of all airline customers in all countries who used the service of this company, including full control over all the bookings and baggage. Because once you are the super-admin of their most sensitive systems, you have have the ability to do anything."

Microsoft has released emergency security updates for two actively exploited zero-day vulnerabilities in SharePoint, tracked as CVE-2025-53770 and CVE-2025-53771, that have compromised servers worldwide in what researchers call "ToolShell" attacks. The U.S. Cybersecurity and Infrastructure Security Agency warned over the weekend that hackers were exploiting the vulnerabilities to gain remote code execution on on-premises SharePoint installations, while Microsoft has not yet provided patches for all affected versions.

The vulnerabilities allow hackers to steal private digital keys from SharePoint servers without requiring credentials, enabling them to plant malware and access stored files and data. Eye Security, which first identified the attacks on Saturday, found dozens of actively exploited servers and warned that SharePoint's integration with Outlook, Teams, and OneDrive could enable further network compromise. Researcher Silas Cutler at cybersecurity firm Censys estimated more than 10,000 companies with SharePoint servers were at risk, with the largest concentrations in the United States, Netherlands, United Kingdom, and Canada.

Microsoft released patches for SharePoint 2019 and Subscription Edition but is still working on fixes for SharePoint Server 2016. Administrators must install available updates immediately and rotate machine keys to prevent re-compromise, according to Microsoft's security guidance.

The Free Software Foundation's services face "ongoing (and increasing) distributed denial of service (DDoS) attacks," senior systems administrator Ian Kelling wrote Wednesday. But "Even though we are under active attack, gnu.org, ftp.gnu.org, and savannah.gnu.org are up with normal response times at the moment, and have been for the majority of this week, largely thanks to hard work from the Savannah hackers Bob, Corwin, and Luke who've helped us, your sysadmins."

"We've shielded these sites for almost a full year of intense attacks now, and we'll keep on fighting these attacks for as long as they continue." Our infrastructure has been under attack since August 2024. Large Language Model (LLM) web crawlers have been a significant source of the attacks, and as for the rest, we don't expect to ever know what kind of entity is targeting our sites or why.

- In the fall Bulletin, we wrote about the August attack on gnu.org. That attack continues, but we have mitigated it. Judging from the pattern and scope, the goal was likely to take the site down and it was not an LLM crawler. We do not know who or what is behind the attack, but since then, we have had more attacks with even higher severity.

- To begin with, GNU Savannah, the FSF's collaborative software development system, was hit by a massive botnet controlling about five million IPs starting in January. As of this writing, the attack is still ongoing, but the botnet's current iteration is mitigated. The goal is likely to build an LLM training dataset. We do not know who or what is behind this.

- Furthermore, gnu.org and ftp.gnu.org were targets in a new DDoS attack starting on May 27, 2025. Its goal seems to be to take the site down. It is currently mitigated. It has had several iterations, and each has caused some hours of downtime while we figured out how to defend ourselves against it. Here again, the goal was likely to take our sites down and we do not know who or what is behind this.

- In addition, directory.fsf.org, the server behind the Free Software Directory, has been under attack since June 18. This likely is an LLM scraper designed to specifically target Media Wiki sites with a botnet. This attack is very active and now partially mitigated...

Even though we are under active attack, gnu.org, ftp.gnu.org, and savannah.gnu.org are up with normal response times at the moment, and have been for the majority of this week, largely thanks to hard work from the Savannah hackers Bob, Corwin, and Luke who've helped us, your sysadmins. We've shielded these sites for almost a full year of intense attacks now, and we'll keep on fighting these attacks for as long as they continue.
The full-time FSF tech staff is just two systems administrators, "and we currently lack the funds to hire more tech staff any time soon," Kelling points out. Kelling titled his post "our small team vs millions of bots," suggesting that supporters purchase FSF memberships "to improve our staffing situation... Can you join us in our crucial work to guard user freedom and defy dystopia?"

Kelling also points out they're also facing "run-of-the-mill standard crawlers, SEO crawlers, crawlers pretending to be normal users, crawlers pretending to be other crawlers, uptime systems, vulnerability scanners, carrier-grade network address translation, VPNs, and normal browsers hitting our sites..."

"Some of the abuse is not unique to us, and it seems that the health of the web has some serious problems right now."

A Maine police department has now acknowledged "it inadvertently shared an AI-altered photo of drug evidence on social media," reports Boston.com: The image from the Westbrook Police Department showed a collection of drug paraphernalia purportedly seized during a recent drug bust on Brackett Street, including a scale and white powder in plastic bags. According to Westbrook police, an officer involved in the arrests snapped the evidence photo and used a photo editing app to insert the department's patch. "The patch was added, and the photograph with the patch was sent to one of our Facebook administrators, who posted it," the department explained in a post. "Unbeknownst to anyone, when the app added the patch, it altered the packaging and some of the other attributes on the photograph. None of us caught it or realized it."

It wasn't long before the edited image's gibberish text and hazy edges drew criticism from social media users. According to the Portland Press Herald, Westbrook police initially denied AI had been used to generate the photo before eventually confirming its use of the AI chatbot ChatGPT. The department issued a public apology Tuesday, sharing a side-by-side comparison of the original and edited images.

"It was never our intent to alter the image of the evidence," the department's post read. "We never realized that using a photoshop app to add our logo would alter a photograph so substantially."

"The worlds of Linux and Windows finally came together in real life..." writes The Verge: Microsoft co-founder Bill Gates and Linus Torvalds, the creator of the Linux kernel, have surprisingly never met before. That all changed at a recent dinner hosted by Sysinternals creator Mark Russinovich... "No major kernel decisions were made," jokes Russinovich in a post on LinkedIn.
More from the Linux news blog Linuxiac: The man on the left is Mark Russinovich, a software engineer, author, and co-founder of Sysinternals, now CTO of Azure, Microsoft's cloud computing platform. He has become synonymous with deep Windows diagnostics and cloud-scale management. In the late 1990s, his suite of tools (Process Explorer, Autoruns, Procmon) revolutionized the way administrators and security professionals understood Windows internals.

The man on the far right is another living legend: Dave Cutler. Let me put it this way — he's one of the key people behind OpenVMS and the brilliant lead architect who designed Windows NT's kernel and hardware-abstraction layer — technologies that remain at the heart of every current Windows release, from server farms to laptops. So, it's no surprise that people often call him the "father of Windows NT."

During this year's annual Pwn2Own contest, two researchers from Palo Alto Networks demonstrated an out-of-bounds write vulnerability in Mozilla Firefox, reports Cyber Security News, "earning $50,000 and 5 Master of Pwn points." And the next day another participant used an integer overflow to exploit Mozilla Firefox (renderer only).

But Mozilla's security blog reminds users that a sandbox escape would be required to break out from a tab to gain wider system access "due to Firefox's robust security architecture" — and that "neither participating group was able to escape our sandbox..." We have verbal confirmation that this is attributed to the recent architectural improvements to our Firefox sandbox which have neutered a wide range of such attacks. This continues to build confidence in Firefox's strong security posture.
Even though neither attack could escape their sandbox, "Out of abundance of caution, we just released new Firefox versions... all within the same day of the second exploit announcement." (Last year Mozilla responded to an exploitable security bug within 21 hours, they point out, even winning an award as the fastest to patch.)

The new updated versions are Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1 and Firefox for Android. "Despite the limited impact of these attacks, all users and administrators are advised to update Firefox as soon as possible...." To review and fix the reported exploits a diverse team of people from all across the world and in various roles (engineering, QA, release management, security and many more) rushed to work. We tested and released a new version of Firefox for all of our supported platforms, operating systems, and configurations with rapid speed....

Our work does not end here. We continue to use opportunities like this to improve our incident response. We will also continue to study the reports to identify new hardening features and security improvements to keep all of our Firefox users across the globe protected.

School districts across the United States were woefully unprepared for ChatGPT's impact on education, according to thousands of pages of public records obtained by 404 Media. Documents from early 2023, the publication reports, show a "total crapshoot" in responses, with some state education departments admitting they hadn't considered ChatGPT's implications while others hired pro-AI consultants to train educators.

In California, when principals sought guidance, state officials responded that "unfortunately, the topic of ChatGPT has not come up in our circles." One California official admitted, "I have never heard of ChatGPT prior to your email." Meanwhile, Louisiana's education department circulated presentations suggesting AI "is like giving a computer a brain" and warning that "going back to writing essays - only in class - can hurt struggling learners."

Some administrators accepted the technology enthusiastically, with one Idaho curriculum head calling ChatGPT "AMAZING" and comparing resistance to early reactions against spell-check.

An anonymous reader quotes a report from BleepingComputer: Law enforcement authorities have dismantled a botnet that infected thousands of routers over the last 20 years to build two networks of residential proxies known as Anyproxy and 5socks. The U.S. Justice Department also indicted three Russian nationals (Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, and Aleksandr Aleksandrovich Shishkin) and a Kazakhstani (Dmitriy Rubtsov) for their involvement in operating, maintaining, and profiting from these two illegal services.

During this joint action dubbed 'Operation Moonlander,' U.S. authorities worked with prosecutors and investigators from the Dutch National Police, the Netherlands Public Prosecution Service (Openbaar Ministerie), and the Royal Thai Police, as well as analysts with Lumen Technologies' Black Lotus Labs. Court documents show that the now-dismantled botnet infected older wireless internet routers worldwide with malware since at least 2004, allowing unauthorized access to compromised devices to be sold as proxy servers on Anyproxy.net and 5socks.net. The two domains were managed by a Virginia-based company and hosted on servers globally.

On Wednesday, the FBI also issued a flash advisory (PDF) and a public service announcement warning that this botnet was targeting patch end-of-life (EoL) routers with a variant of the TheMoon malware. The FBI warned that the attackers are installing proxies later used to evade detection during cybercrime-for-hire activities, cryptocurrency theft attacks, and other illegal operations. The list of devices commonly targeted by the botnet includes Linksys and Cisco router models, including:

- Linksys E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550
- Linksys WRT320N, WRT310N, WRT610N
- Cisco M10 and Cradlepoint E100 "The botnet controllers require cryptocurrency for payment. Users are allowed to connect directly with proxies using no authentication, which, as documented in previous cases, can lead to a broad spectrum of malicious actors gaining free access," Black Lotus Labs said. "Given the source range, only around 10% are detected as malicious in popular tools such as VirusTotal, meaning they consistently avoid network monitoring tools with a high degree of success. Proxies such as this are designed to help conceal a range of illicit pursuits including ad fraud, DDoS attacks, brute forcing, or exploiting victim's data."

An anonymous reader quotes a report from SFGATE: When the pandemic upended the world of higher education, Robin Pugh, a professor at City College of San Francisco, began to see one puzzling problem in her online courses: Not everyone was a real student. Of the 40 students enrolled in her popular introduction to real estate course, Pugh said she'd normally drop three to five from her roster who don't start the course or make contact with her at the start of the semester. But during the current spring semester, Pugh said that number more than doubled when she had to cut 11 students. It's a strange new reality that has left her baffled. "It's really unclear to me, and beyond the scope of my knowledge, how this is really happening," she said. "Is it organized crime? Is it something else? Everybody has lots of theories."

Some of the disengaged students in Pugh's courses are what administrators and cybersecurity experts say are "ghost students," and they've been a growing problem for community colleges, particularly since the shift to online instruction during the pandemic. These "ghost students" are artificially intelligent agents or bots that pose as real students in order to steal millions of dollars of financial aid that could otherwise go to actual humans. And as colleges grapple with the problem, Pugh and her colleagues have been tasked with a new and "frustrating" task of weeding out these bots and trying to decide who's a real person.

The process, she said, takes her focus off teaching the real students. "I am very intentional about having individualized interaction with all of my students as early as possible," Pugh said. "That included making phone calls to people, sending email messages, just a lot of reaching out individually to find out 'Are you just overwhelmed at work and haven't gotten around to starting the class yet? Or are you not a real person?'" Financial aid fraud is not new, but it's been on the rise in California's community colleges, Cal Matters reported, with scammers stealing more than $10 million in 2024, more than double the amount in 2023. Wendy Brill-Wynkoop, the president of the Faculty Association of California Community Colleges and a professor at College of the Canyons in Santa Clarita, said the bots have been enrolling in courses since around early 2021.

"It's been going on for quite some time," she said. "I think the reason that you're hearing more about it is that it's getting harder and harder to combat or to deal with." A spokesperson for the California Community Colleges Chancellor's Office estimates that 0.21% of the system's financial aid was fraudulently disbursed. However, the office was unable to estimate the percentage of fraudulent attempts attributed to bots.

"Another year, yet another Hugo Awards-adjacent controversy?" writes Gizmodo's Cheryl Eddy, reporting that three key organizers of the 2025 Seattle Worldcon resigned after backlash over the use of ChatGPT to vet program participants. From the report: In a post on Bluesky co-signed by Hugo administrator Nicholas Whyte, deputy Hugo administrator Esther MacCallum-Stewart, and World Science Fiction Society division head Cassidy, the trio announced they were resigning from their roles ahead of the Seattle event, which takes place in August. "We want to reaffirm that no LLMs or generative AI have been used in the Hugo Awards process at any stage," the statement read in part, which might turn the heads of anyone who is a) interested in the Hugos, but b) not up on the latest controversy.

However, plenty of people in the community are well aware of what's been going on. A quick journey to the blog File 770 will bring you up to speed, as will a visit to Seattle Worldcon 2025's own site, which on April 30 shared a post clarifying exactly what role AI played in the upcoming event. [...] However, as File 770 pointed out, the damage has apparently already been done: the use of ChatGPT in any capacity in connection to Worldcon created a furor on social media. It also inspired at least one Hugo nominee to remove their book from contention: Yoon Ha Lee, whose Moonstorm was named a Lodestar Award finalist, which honors YA releases. In a May 1 post on Bluesky, the author linked to the April 30 Worldcon blog post noted above, and noted he was withdrawing the title from consideration.

Then, in a post shared today responding to File 770's latest post announcing the resignations, the author wrote âoeAll respect and I'm grateful to them for their work, sorry [things] came to this pass." Seattle Worldcon 2025 takes place August 13-17; the Hugo Awards will be handed out August 16.

Fraud rings using fake "bot" students have infiltrated America's community colleges, stealing over $11 million from California's system alone in 2024. The nationwide scheme, which began in 2021, targets open-admission institutions where scammers enroll fictitious students in online courses to collect financial aid disbursements.

"We didn't used to have to decide if our students were human," said Eric Maag, who has taught at Southwestern College for 21 years. Faculty now spend hours vetting suspicious enrollees and analyzing AI-generated assignments. At Southwestern in Chula Vista, professor Elizabeth Smith discovered 89 of her 104 enrolled students were fraudulent. The California Community College system estimates 25% of all applicants statewide are bots. Community college administrators describe fighting an evolving technological battle against increasingly sophisticated fraud tactics. The fraud crisis has particularly impacted asynchronous online courses, crowding real students out of classes and fundamentally altering faculty roles.

An anonymous reader quotes a report from TechCrunch: Anthropic announced on Wednesday that it's launching a new Claude for Education tier, an answer to OpenAI's ChatGPT Edu plan. The new tier is aimed at higher education, and gives students, faculty, and other staff access to Anthropic's AI chatbot, Claude, with a few additional capabilities. One piece of Claude for Education is "Learning Mode," a new feature within Claude Projects to help students develop their own critical thinking skills, rather than simply obtain answers to questions. With Learning Mode enabled, Claude will ask questions to test understanding, highlight fundamental principles behind specific problems, and provide potentially useful templates for research papers, outlines, and study guides.

Anthropic says Claude for Education comes with its standard chat interface, as well as "enterprise-grade" security and privacy controls. In a press release shared with TechCrunch ahead of launch, Anthropic said university administrators can use Claude to analyze enrollment trends and automate repetitive email responses to common inquiries. Meanwhile, students can use Claude for Education in their studies, the company suggested, such as working through calculus problems with step-by-step guidance from the AI chatbot. To help universities integrate Claude into their systems, Anthropic says it's partnering with the company Instructure, which offers the popular education software platform Canvas. The AI startup is also teaming up with Internet2, a nonprofit organization that delivers cloud solutions for colleges.

Anthropic says that it has already struck "full campus agreements" with Northeastern University, the London School of Economics and Political Science, and Champlain College to make Claude for Education available to all students. Northeastern is a design partner -- Anthropic says it's working with the institution's students, faculty, and staff to build best practices for AI integration, AI-powered education tools, and frameworks. Anthropic hopes to strike more of these contracts, in part through new student ambassador and AI "builder" programs, to capitalize on the growing number of students using AI in their studies.

Automotive historian Dan Albert loves the "adorable tiny truck" he's driving. It's one of the small Japan-made "kei" pickups and minivans that "make up about a third of car sales in Japan." Americans can legally import older models for less than $10,000, and getting 40 miles per gallon they're "Cheap to buy and run... rugged, practical, no-frills machines — exactly what the American-built pickup truck used to be."

But unfortunately, kei buyers face "bureaucratic roadblocks that states like Massachusetts have erected to keep kei cars and trucks out of the hands of U.S. drivers." Several state departments of motor vehicles (DMVs) have balked at registering the imported machines, saying that they're too unsafe for American streets. Owners have responded with a righteous mix of good humor, lobbying and lawsuits... Kei trucks do not meet the Federal Motor Vehicle Safety Standards, or FMVSS — the highly specific rules US-market new cars must meet. But since 1988, the Imported Vehicle Safety Compliance Act has exempted vehicles that are at least 25 years old from these crash safety standards, allowing drivers to bring over vintage European and Asian market models...

Getting insurance coverage was the next barrier, as the company that had long been underwriting the Albert family's fleet also rejected me, forcing me to seek out a specialty "collector car" insurer. (I did eventually get regular coverage....) Maine, Rhode Island, New York, Pennsylvania, Georgia, Virginia, and Michigan also tightened their rules on registering small Japanese imports in recent years. The culprit, according to the auto enthusiast press, was the American Association of Motor Vehicle Administrators, the trade organization that serves as the lobbying and policy arm of DMVs across North America. Much of AAMVA's work involves integrating the databases of the 69 US and Canadian motor vehicle jurisdictions who are its members, so that a car stolen in one state can't be titled in another... The kei truck's regulatory troubles can be traced to a 2011 AAMVA report, "Best Practices Regarding Registration and Titling of Mini-Trucks," which called for outright bans and encouraged DMVs to lobby state legislatures to outlaw keis entirely.

The Insurance Institute of Highway Safety concurred, telling AAMVA that its recommendation did not go far enough: The IIHS said that keis should join the class of conveyances that the U.S. government calls Low Speed Vehicles, which are mechanically limited to 25 miles per hour or less and should be used only for short local trips on low-speed-limit roads because they can't protect occupants in the event of a collision with a regular vehicle... [But] By 2008, Japan's kei trucks did feature crumple zones and driver airbags in compliance with that country's safety standards...

Despite its name, the Imported Vehicle Safety Compliance Act that lets older cars into the US from overseas isn't really about safety: Car industry lobbyists secured passage of the law to protect dealer profits. Newer keis — which are banned — are safer and cleaner than the 25-year-old ones that can be imported now. (Battery-powered keis debuted in 2009.) But even mine has an airbag, front crumple zone, seatbelt pretensioners, and anti-lock brakes.
The article notes that kie fans have "a distinctly libertarian streak... Some owners I've talked to report forging titles, setting up shell companies in Montana and finding other means of skirting DMV rules."

Thanks to long-time Slashdot reader schwit1 for sharing the article.

An anonymous reader shared this report from BleepingComputer: Three security bypasses have been discovered in Ubuntu Linux's unprivileged user namespace restrictions, which could be enable a local attacker to exploit vulnerabilities in kernel components. The issues allow local unprivileged users to create user namespaces with full administrative capabilities and impact Ubuntu versions 23.10, where unprivileged user namespaces restrictions are enabled, and 24.04 which has them active by default...

Ubuntu added AppArmor-based restrictions in version 23.10 and enabled them by default in 24.04 to limit the risk of namespace misuse. Researchers at cloud security and compliance company Qualys found that these restrictions can be bypassed in three different ways... The researchers note that these bypasses are dangerous when combined with kernel-related vulnerabilities, and they are not enough to obtain complete control of the system... Qualys notified the Ubuntu security team of their findings on January 15 and agreed to a coordinated release. However, the busybox bypass was discovered independently by vulnerability researcher Roddux, who published the details on March 21.

Canonical, the organization behind Ubuntu Linux, has acknowledged Qualys' findings and confirmed to BleepingComputer that they are developing improvements to the AppArmor protections. A spokesperson told us that they are not treating these findings as vulnerabilities per se but as limitations of a defense-in-depth mechanism. Hence, protections will be released according to standard release schedules and not as urgent security fixes.
Canonical shared hardening steps that administrators should consider in a bulletin published on their official "Ubuntu Discourse" discussion forum.

SourceHut, an open-source-friendly git-hosting service, says web crawlers for AI companies are slowing down services through their excessive demands for data. From a report: "SourceHut continues to face disruptions due to aggressive LLM crawlers," the biz reported Monday on its status page. "We are continuously working to deploy mitigations. We have deployed a number of mitigations which are keeping the problem contained for now. However, some of our mitigations may impact end-users."

SourceHut said it had deployed Nepenthes, a tar pit to catch web crawlers that scrape data primarily for training large language models, and noted that doing so might degrade access to some web pages for users. "We have unilaterally blocked several cloud providers, including GCP [Google Cloud] and [Microsoft] Azure, for the high volumes of bot traffic originating from their networks," the biz said, advising administrators of services that integrate with SourceHut to get in touch to arrange an exception to the blocking.

Schools across the United States are increasingly using artificial intelligence to monitor students' online activities, raising significant privacy concerns after Vancouver Public Schools inadvertently released nearly 3,500 unredacted, sensitive student documents to reporters.

The surveillance software, developed by companies like Gaggle Safety Management, scans school-issued devices 24/7 for signs of bullying, self-harm, or violence, alerting staff when potential issues are detected. Approximately 1,500 school districts nationwide use Gaggle's technology to track six million students, with Vancouver schools paying $328,036 for three years of service.

While school officials maintain the technology has helped counselors intervene with at-risk students, documents revealed LGBTQ+ students were potentially outed to administrators through the monitoring.