I uploaded a photo on my phone to Microsoft's "OneDrive" file-hosting app — and there was a surprise waiting under Privacy and Permissions. "OneDrive uses AI to recognize faces in your photos..."

And...

"You can only turn off this setting 3 times a year."



If I moved the slidebar for that setting to the left (for "No"), it moved back to the right, and said "Something went wrong while updating this setting." (Apparently it's not one of those three times of the year.)

The feature is already rolling out to a limited number of users in a preview, a Microsoft publicist confirmed to Slashdot. (For the record, I don't remember signing up for this face-recognizing "preview".) But there's a link at the bottom of the screen for a "Microsoft Privacy Statement" that leads to a Microsoft support page, which says instead that "This feature is coming soon and is yet to be released." And in the next sentence it's been saying "Stay tuned for more updates" for almost two years...

A Microsoft publicist agreed to answer Slashdot's questions...

An anonymous reader quotes a report from CSO Online: On Sept. 17, security vendor SonicWall announced that cybercriminals had stolen backup files configured for cloud backup. At the time, the company claimed the incident was limited to "less than five percent" of its customers. Now, the firewall provider has admitted that "all customers" using the MySonicWall cloud backup feature were affected. According to the company, the stolen files contain encrypted credentials and configuration data. "[W]hile encryption remains in place, possession of these files could increase the risk of targeted attacks," SonicWall warns in its press release.

Security specialist Arctic Wolf also warns of the consequences of the incident. "Firewall configuration files store sensitive information that can be leveraged by threat actors to exploit and gain access to an organization's network," explains Stefan Hostetler, threat intelligence researcher at Arctic Wolf. "These files can provide threat actors with critical information such as user, group, and domain settings, DNS and log settings, and certificates," he adds. Arctic Wolf has previously observed threat actors, including nation-state and ransomware groups, exfiltrating firewall configuration files to use for future attacks. SonicWall urges all customers and partners to regularly check their devices for updates. Admins can find additional information here.

Google is introducing a new Chrome browser feature for Android and desktop users that automatically turns off notifications for websites that you're already ignoring. From a report: Chrome's Safety Check feature already provides similar functionality for camera access and location tracking permissions.

This new auto-revocation feature builds on a similar Android feature that already makes it easier for Chrome users to unsubscribe from website notifications they don't care about with a single tap. The feature doesn't revoke notifications for any web apps installed on the device, and permissions will only be disabled for sites that send a lot of notifications that users rarely engage with. Less than one percent of all web notifications in Chrome currently receive any interaction from users, according to Google, often making them more distracting than helpful.

Mozilla Firefox's new "Shake to Summarize" feature earned a spot on TIME's Best Inventions of 2025, allowing users to shake their phone to instantly summarize long web pages. Anthony Enzor-DeMeo, general manager of Firefox, calls it a "testament to the incredible work of our UX, design, product, and engineering teams who brought this innovation to life." Neowin reports: Shake to summarize works exactly how you suspect: you physically shake your phone to generate a summary of a long article. This can be quite handy if you are trying to get the gist of a long read without scrolling through the whole thing. Other ways to activate the feature include tapping the thunderbolt icon in the address bar and selecting "Summarize Page" from the three-dot menu.

For now, the feature is limited to iOS users in the US with their system set to English, but Mozilla promises an Android version is in the works. If you have an iPhone 15 Pro or newer running iOS 26, Apple Intelligence generates the summaries on the device. For older iPhones or those on earlier iOS versions, the page text is sent to Mozilla's servers for processing. You can view the full list of TIME's "Special Mentions" here.

Paramount has acquired The Free Press, Bari Weiss's Substack-born media outlet, for $150 million and appointed Weiss as editor-in-chief of CBS News. The move effectively places a conservative-leaning Substack writer at the helm of a legacy news network, following the FCC's approval of the Skydance-Paramount merger, which required CBS to feature a broader "diversity of viewpoints from across the political and ideological spectrum." The Verge reports: Before starting The Free Press, Weiss worked as an op-ed and book review editor at The Wall Street Journal from 2013 to 2017 and later became an op-ed editor and writer at The New York Times to expand the publication's stable of conservative columnists during Donald Trump's first term. She resigned from the NYT in 2020, citing an "illiberal environment."

Weiss started a Substack newsletter in 2021, called Common Sense, which later evolved into The Free Press, touting itself as a media company "built on the ideals that were once the bedrock of great American journalism." As noted in the press release, The Free Press has grown its revenue 82 percent over the past year, while subscribers increased 86 percent to 1.5 million, 170,000 of which are paid subscriptions.

An anonymous reader quotes a report from BleepingComputer: The Redis security team has released patches for a maximum severity vulnerability that could allow attackers to gain remote code execution on thousands of vulnerable instances. Redis (short for Remote Dictionary Server) is an open-source data structure store used in approximately 75% of cloud environments, functioning like a database, cache, and message broker, and storing data in RAM for ultra-fast access. The security flaw (tracked as CVE-2025-49844) is caused by a 13-year-old use-after-free weakness found in the Redis source code and can be exploited by authenticated threat actors using a specially crafted Lua script (a feature enabled by default). Successful exploitation enables them to escape the Lua sandbox, trigger a use-after-free, establish a reverse shell for persistent access, and achieve remote code execution on the targeted Redis hosts.

After compromising a Redis host, attackers can steal credentials, deploy malware or cryptocurrency mining tools, extract sensitive data from Redis, move laterally to other systems within the victim's network, or use stolen information to gain access to other cloud services. "This grants an attacker full access to the host system, enabling them to exfiltrate, wipe, or encrypt sensitive data, hijack resources, and facilitate lateral movement within cloud environments," said Wiz researchers, who reported the security issue at Pwn2Own Berlin in May 2025 and dubbed it RediShell.

While successful exploitation requires attackers first to gain authenticated access to a Redis instance, Wiz found around 330,000 Redis instances exposed online, with at least 60,000 of them not requiring authentication. Redis and Wiz urged admins to patch their instances immediately by applying security updates released on Friday, "prioritizing those that are exposed to the internet." To further secure their Redis instances against remote attacks, admins can also enable authentication, disable Lua scripting and other unnecessary commands, launch Redis using a non-root user account, enable Redis logging and monitoring, limit access to authorized networks only, and implement network-level access controls using firewalls and Virtual Private Clouds (VPCs).

An anonymous reader quotes a report from The Verge: OpenAI is introducing a way to work with apps right inside ChatGPT. The idea is that, from within a conversation with the chatbot, you can essentially tag in apps to help you complete a task while ChatGPT offers context and advice. [...]

Apps available inside ChatGPT starting today will include Booking.com, Canva, Coursera, Expedia, Figma, Spotify, and Zillow. In the "weeks ahead," OpenAI will add more apps, such as DoorDash, OpenTable, Target, and Uber. [...] Developers can access the SDK for making apps in preview starting today. Later this year, developers will be able to submit apps for review and publication, and OpenAI also plans to offer a directory for users to browse apps, according to OpenAI CEO Sam Altman. The company will share guidance about monetization "soon," Altman says. Last week, ChatGPT unveiled a new feature called "Instant Checkout" that lets users buy stuff directly through its chatbot -- "part of its overall push to integrate it with the rest of the web," reports The Verge.

Amazon will be adding facial recognition to its camera-equipped Ring doorbells for the first time in December, according to the Washington Post.

"While the feature will be optional for Ring device owners, privacy advocates say it's unfair that wherever the technology is in use, anyone within sight will have their faces scanned to determine who's a friend or stranger." The Ring feature is "invasive for anyone who walks within range of your Ring doorbell," said Calli Schroeder, senior counsel at the consumer advocacy and policy group Electronic Privacy Information Center. "They are not consenting to this." Ring spokeswoman Emma Daniels said that Ring's features empower device owners to be responsible users of facial recognition and to comply with relevant laws that "may require obtaining consent prior to identifying people..."

Other companies, including Google, already offer facial recognition for connected doorbells and cameras. You might use similar technology to unlock your iPhone or tag relatives in digital photo albums. But privacy watchdogs said that Ring's use of facial recognition poses added risks, because the company's products are embedded in our neighborhoods and have a history of raising social, privacy and legal questions... It's typically legal to film in public places, including your doorway. And in most of the United States, your permission is not legally required to collect or use your faceprint. Privacy experts said that Ring's use of the technology risks crossing ethical boundaries because of its potential for widespread use in residential areas without people's knowledge or consent.

You choose to unlock your iPhone by scanning your face. A food delivery courier, a child selling candy or someone walking by on the sidewalk is not consenting to have their face captured, stored and compared against Ring's database, said Adam Schwartz, privacy litigation director for the consumer advocacy group Electronic Frontier Foundation. "It's troubling that companies are making a product that by design is taking biometric information from people who are doing the innocent act of walking onto a porch," he said.
Ring's spokesperson said facial recognition won't be available some locations, according to the article, including Texas and Illinois, which passed laws fining companies for collecting face information without permission. But the Washington Post heard another possible worst-case scenario from Calli Schroeder, senior counsel at the consumer advocacy and policy group Electronic Privacy Information Center: databases of identified faces being stolen by cyberthieves, misused by Ring employees, or shared with outsiders such as law enforcement.

Amazon says they're "reuniting lost dogs through the power of AI," in their announcement this week, thanks to "an AI-powered community feature that enables your outdoor Ring cameras to help reunite lost dogs with their families... When a neighbor reports a lost dog in the Ring app, nearby outdoor Ring cameras automatically begin scanning for potential matches."

Amazon calls it an example of their vision for "tools that make it easier for neighbors to look out for each other, and create safer, more connected communities." They're also 10x zoom, enhanced low-light performance, 2K and 4K resolutions, and "advanced AI tuning" for video...

An anonymous reader quotes a report from Reuters: Indonesia has suspended TikTok's registration to provide electronic systems after it failed to hand over all data relating to the use of its live stream feature, a government official said on Friday. The suspension could in theory prevent access to TikTok, which has more than 100 million accounts based in Indonesia.

Alexander Sabar, an official at Indonesia's communications and digital ministry, said in a statement some accounts with ties to online gambling activities used TikTok's live stream feature during national protests. [...] Sabar said the government had asked the company for its traffic, streaming and monetization data. The company, owned by China's ByteDance, did not provide complete data, citing its internal procedures, Sabar said without giving further detail.

The University of San Francisco issued a campuswide alert after reports of a man using Meta Ray-Ban AI glasses to film students while making "unwanted comments and inappropriate dating questions." Although no violence has been reported, officials said he may be uploading footage to TikTok and Instagram. SFGate reports: University officials said "no threats or acts of violence" have been reported, but they have been unable to identify all students who appear in the videos. They urged any school members affected to alert the app platform and the USF Department of Public Safety. "As a community, we share the responsibility of caring for ourselves, each other, and this place," school officials said in the alert. "By looking out for one another and promptly reporting concerns, we help ensure a safe and supportive environment for all."

The glasses feature a small camera that can be used for recording by pressing a button or using voice controls. Meta advises users to act "responsibly" when using the glasses. "Not everyone loves being photographed. Stop recording if anyone expresses that they would rather opt out, and be particularly mindful of others before going live," the company said.

The UK government has issued a new order to Apple to create a backdoor into its cloud storage service, this time targeting only British users' data, despite US claims that Britain had abandoned all attempts to break the tech giant's encryption. Financial Times: The UK Home Office demanded in early September that Apple create a means to allow officials access to encrypted cloud backups, but stipulated that the order applied only to British citizens' data, according to people briefed on the matter.

A previous technical capability notice (TCN) issued in January sought global access to encrypted user data. That move sparked a diplomatic clash between the UK and US governments and threatened to derail the two nations' efforts to secure a trade agreement.

In February, Apple withdrew its most secure cloud storage service, iCloud Advanced Data Protection, from the UK. "Apple is still unable to offer Advanced Data Protection in the United Kingdom to new users," Apple said on Wednesday. "We are gravely disappointed that the protections provided by ADP are not available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy." It added: "As we have said many times before, we have never built a back door or master key to any of our products or services and we never will."

Alongside its updated Sora 2 AI video generator, OpenAI has launched an iPhone-only social app called Sora that lets users consent to have friends create deepfake-style cameos of them. The invite-only app works a lot like TikTok with short remixable videos but enforces restrictions on public figures and explicit content. The Verge reports: In a briefing with reporters on Monday, employees called it the potential "ChatGPT moment for video generation." The Sora app is currently only available to US and Canada users, with other countries set to follow, and when someone receives access, they also get four additional invites to share with friends. There's no word on when an Android version might be released.

Sora users can give their friends -- or, if they're feeling bold, everyone -- permission to create "cameos" with their own likeness using the new video model, which is dubbed Sora 2. The person whose likeness is being generated is a "co-owner" of that end result, OpenAI employees said, and they can delete it or revoke access to others at any time. Like TikTok, OpenAI's Sora app allows you to interact with other videos and trends using a "Remix" feature, but it only allows for the generation of 10-second videos for now.

Microsoft began rolling out Windows 11 version 25H2 today, delivering the annual update as a compact enablement package to users who enable the "get the latest updates as soon as they're available" toggle in Windows Update. The company tested the release in its Windows Insider Release Preview ring during the previous month before the broader rollout.Version 25H2 shares its code base and servicing branch with the existing 24H2 release. Both versions will receive identical monthly feature updates going forward.

The update removes PowerShell 2.0 and the Windows Management Instrumentation command-line tool to reduce the operating system's footprint. John Cable, vice president of program management for Windows servicing and delivery, said the release includes advancements in build and runtime vulnerability detection paired with AI-assisted secure coding. Microsoft designed the version to address security threats under its security development lifecycle policy requirements. The company plans to expand availability over the coming months and will document known compatibility issues on its Windows release health hub. Devices with detected application or driver incompatibilities will receive safeguard holds that delay the update until resolution.

Amazon today announced three new Kindle Scribe models, its e ink-featuring tables designed for note-taking and reading. The lineup includes the standard Kindle Scribe and a version without a front light alongside the Kindle Scribe Colorsoft. The new devices feature an 11-inch glare-free E Ink screen compared to the 10.2-inch display on previous models.

Amazon has reduced the weight to 400 grams from 433 grams and made the devices 5.4mm thin. The company added a quad-core processor and additional memory to deliver writing and page turns that are 40% faster than earlier versions. The Colorsoft model uses custom-built display technology to offer 10 pen colors and five highlighter colors. Amazon redesigned the software to include AI-powered notebook search and summaries. The devices will support Google Drive and Microsoft OneDrive for document access and allow users to export notes as editable text to OneNote. The standard Kindle Scribe will start at $499.99 and the Colorsoft at $629.99 when they become available later this year. The version without a front light will cost $429.99 and arrive early next year.

OpenAI unveiled Instant Checkout, a new ChatGPT feature that lets users buy stuff directly through its chatbot. Currently, the feature supports single-item purchases directly from Etsy sellers, but support for more than one million Shopify merchants is coming soon. It's also only available to U.S. ChatGPT Plus, Pro and Free users at this time. CNBC reports: OpenAI will take a fee from transactions that are completed through ChatGPT, which means Instant Checkout could become an important new revenue stream for the startup. OpenAI is not yet profitable, and is burning through cash as it works to scale up its computing infrastructure. The company declined to share specific details about how large the fees are since they are determined through confidential contracts with Etsy and Shopify. Instant Checkout is free to users and will not affect their prices, OpenAI said.

"Our vision for ChatGPT -- and a lot of the technology we create, but especially ChatGPT -- is that it's not just providing you information, it is also helping you get things done in the real world," Michelle Fradin, OpenAI's product lead for ChatGPT commerce, told CNBC in an interview. The company plans to introduce multi-item carts and expand the regional availability of Instant Checkout moving forward. [...]

Instant Checkout is powered by OpenAI's Agentic Commerce Protocol, which is the underlying technology that allows users to complete a transaction directly with a merchant through ChatGPT. OpenAI built the framework in partnership with the fintech company Stripe, which powers ChatGPT subscriptions. OpenAI initially decided to use Agentic Commerce Protocol for e-commerce, but Fradin said the company thinks it could be used to facilitate other types of purchases or payments as well. OpenAI is open-sourcing the framework to help merchants build integrations more quickly, and so that developers can explore different use cases, she said.

"Facebook and Instagram owner Meta is launching paid subscriptions for users who do not want to see adverts in the UK," reports the BBC: The company said it would start notifying users in the coming weeks to let them choose whether to subscribe to its platforms if they wish to use them without seeing ads. EU users of its platforms can already pay a fee starting from €5.99 (£5) a month to see no ads — but subscriptions will start from £2.99 a month for UK users.

"It will give people in the UK a clear choice about whether their data is used for personalised advertising, while preserving the free access and value that the ads-supported internet creates for people, businesses and platforms," Meta said. But UK users will not have an option to not pay and see "less personalised" adverts — a feature Meta added for EU users after regulators raised concerns...

Meta said its own model would see its subscription for no ads cost £2.99 a month on the web or £3.99 a month on iOS and Android apps — with the higher fee to offset cuts taken from transactions by Apple and Google... [Meta] reiterated its critical stance on the EU on Friday, saying its regulations were creating a worse experience for users and businesses unlike the UK's "more pro-growth and pro-innovation regulatory environment".
"Meta said its own model would see its subscription for no ads cost £2.99 a month on the web or £3.99 a month on iOS and Android apps," according to the BBC, "with the higher fee to offset cuts taken from transactions by Apple and Google."

Even users not paying for an ad-free experience have "tools and settings that empower people to control their ads experience," according to Meta's announcement. The include Ad Preferences which influences data used to inform ads including Activity Information from Ad Partners. "We also have tools in our products that explain 'Why am I seeing this ad?' and how people can manage their ad experience. We do not sell personal data to advertisers."

"We've decided to support image-based search," announced the product manager for Firefox Search. Powered by the AI-driven Google Lens search technology, they promise the new feature offers "a frictionless, fast, and a curiosity-sparking way to (as Google puts it) 'search what you see'." With just a right-click on any image, you'll be able to:

- Find similar products, places, or objects
- Copy, translate, or search text from images
- Get inspiration for learning, travel, or shopping

Look for the new "Search Image with Google Lens" option in your right-click menu (tagged with a NEW badge at first). This is a desktop-only feature, and it will start gradually rolling out worldwide. Note: Google must be set as your default search engine for this feature to appear.

We'll be listening closely to your feedback as we roll it out. Some of the things we're wondering about:

Does the placement in the context menu align with your expectations?
Would you prefer the option to choose your visual search provider?
Where else would you like entry points to visual search (e.g. when you open a new tab, in the address bar, on mobile devices, etc.)

We can't wait to hear your thoughts as the rollout begins!
Some thoughts from WebProNews: Mozilla emphasizes that this is an opt-in feature, giving users control over activation, which aligns with the company's longstanding commitment to privacy and user agency.

Yet, for industry observers, this partnership with Google raises intriguing questions about competitive dynamics in the browser space, where Firefox has historically positioned itself as an independent alternative to Chrome... This move comes at a time when browsers are increasingly becoming platforms for AI-driven enhancements, as evidenced by recent updates in competitors like Microsoft's Edge, which integrates Copilot AI. Mozilla's decision to leverage Google Lens rather than developing an in-house solution could be seen as a pragmatic step to accelerate feature parity, especially given Firefox's smaller market share. Insiders note that by tapping into established technologies, Mozilla can focus resources on core strengths like privacy protections, potentially attracting users disillusioned with data-heavy ecosystems... While mobile users might feel left out, the phased rollout over the next few weeks allows for feedback loops through community channels, a hallmark of Mozilla's open-source ethos.

Data from similar integrations in other browsers suggests visual search can boost engagement by 15-20%, per industry reports, though Mozilla has not disclosed specific metrics yet... Looking ahead, Mozilla's strategy appears geared toward incremental innovations that bolster user retention without alienating its privacy-focused base. If successful, this could help Firefox claw back some ground against Chrome's dominance, estimated at over 60% market share. For now, the feature's gradual deployment invites ongoing dialogue, underscoring Mozilla's community-driven model in an industry often criticized for top-down decisions.

Friday the security researchers at Arctic Wolf Labs wrote: In late July 2025, Arctic Wolf Labs began observing a surge of intrusions involving suspicious SonicWall SSL VPN activity. Malicious logins were followed within minutes by port scanning, Impacket SMB activity, and rapid deployment of Akira ransomware. Victims spanned across multiple sectors and organization sizes, suggesting opportunistic mass exploitation.

This campaign has recently escalated, with new infrastructure linked to it observed as late as September 20, 2025.
More from Cybersecurity News: SonicWall has linked these malicious logins to CVE-2024-40766, an improper access control vulnerability disclosed in 2024. The working theory is that threat actors harvested credentials from devices that were previously vulnerable and are now using them in this campaign, even if the devices have since been patched. This explains why fully patched devices have been compromised, a fact that initially led to speculation about a potential zero-day exploit.

Once inside a network, the attackers operate with remarkable speed. The time from initial access to ransomware deployment, known as "dwell time," is often measured in hours, with some intrusions taking as little as 55 minutes, Arctic Wolf said. This extremely short window for response makes early detection critical.
"Threat actors in the present campaign successfully authenticated against accounts with the one-time password (OTP) MFA feature enabled..." notes Artic Wolf Labs: The threats described in this campaign demand early detection and a rapid response to avoid catastrophic impact to organizations. To facilitate this process, we recommend monitoring for VPN logins originating from untrusted hosting infrastructure. Equally important is ensuring visibility into internal networks, since lateral movement and ransomware encryption can occur within hours or even minutes of initial access. Monitoring for anomalous SMB activity indicative of Impacket use provides an additional early detection opportunity.

When firewalls are confirmed to be running firmware versions vulnerable to credential access or full configuration export, patching alone is not enough. In such situations, credentials must be reset wherever possible, including MFA-related secrets that might otherwise be thought of as secure, and Active Directory credentials with VPN access. These considerations are best practices that apply regardless of which firewall products are in use.
Thanks to Slashdot reader Mirnotoriety for suggesting this story.

YouTube's new "Labs" program plans to "offer a glimpse of the AI features it's developing for YouTube Music," reports Ars Technica.

But Ars Technica adds that this future "starts with AI 'hosts' that will chime in while you're listening to music. Yes, really." (YouTube says the AI aims to "deepen your listening experience"...) The "Beyond the Beat" host will break in every so often with relevant stories, trivia, and commentary about your musical tastes. YouTube says this feature will appear when you are listening to mixes and radio stations. The experimental feature is intended to be a bit like having a radio host drop some playful banter while cueing up the next song. It sounds a bit like Spotify's AI DJ, but the YouTube AI doesn't create playlists like Spotify's robot...

After joining, the YouTube Music app will get a new button on the Now Playing screen with the familiar Gemini sparkle logo. Tapping that will allow you to snooze the commentary for an hour or the remainder of the day. There is no option to completely disable the AI host in the app, so you'll have to opt out of the test if you decide Beyond the Beat is more trouble than it's worth.
YouTube calls it "a way for users to take our cutting edge AI experiments for a test drive," promises that "a limited number of US-based participants can test early prototypes and experiments and influence the future of YouTube. Sign up at YouTube.com/New."

Ars Technica believes "This is still generative AI, which comes with the risk of hallucinations and low-quality slop, neither of which belongs in your music. That said, Google's Audio Overviews are often surprisingly good in small doses."

An anonymous reader quotes a report from CNN: A team of suspected Chinese hackers has infiltrated US software developers and law firms in a sophisticated campaign to collect intelligence that could help Beijing in its ongoing trade fight with Washington, cybersecurity firm Mandiant said Wednesday. The hackers have been rampant in recent weeks, hitting the cloud-computing firms that numerous American companies rely on to store key data, Mandiant, which is owned by Google, said. In a sign of how important China's hacking army is in the race for tech supremacy, the hackers have also stolen US tech firms' proprietary software and used it to find new vulnerabilities to burrow deeper into networks, according to Mandiant.

[...] In some cases, the hackers have lurked undetected in the US corporate networks for over a year, quietly collecting intelligence, Mandiant said. The disclosure comes after the Trump administration escalated America's trade war with China this spring by slapping unprecedented tariffs on Chinese exports to the United States. The tit-for-tat tariffs set off a scramble in both governments to understand each other's positions. Mandiant analysts said the fallout from the breaches -- the task of kicking out the hackers and assessing the damage -- could last many months. They described it as a milestone hack, comparable in severity and sophistication to Russia's use of SolarWinds software to infiltrate US government agencies in 2020.