WhatsApp and its parent Meta asked a judge to award them a total win against spyware maker NSO Group as punishment for discovery violations in a years-long case accusing the Israeli company of violating anti-hacking laws. From a report: NSO Group violated the Federal Rules of Civil Procedure, repeatedly ignoring the court's orders and its discovery obligations, according to a motion for sanctions filed Wednesday in the US District Court for the Northern District of California. "NSO's discovery violations were willful, and unfairly skew the record on virtually every key issue in the case, from the merits, to jurisdiction, to damages, making a full and fair trial on the facts impossible," they said. Judge Phyllis J. Hamilton should award the companies judgment as a matter of law or, "if the court finds that the limited discovery produced in this case does not suffice," enter default judgment against NSO, WhatsApp and Meta wrote.

The social media platforms first filed their complaint in October 2019, accusing NSO of using WhatsApp to install NSO spyware on the phones of about 1,400 WhatsApp users. The move follows Apple asking a court last month to dismiss its three-year-old hacking lawsuit against spyware pioneer NSO Group, arguing that it might never be able to get the most critical files about NSO's Pegasus surveillance tool and that its own disclosures could aid NSO and its increasing number of rivals.

Private equity firms are using US public sector workers' retirement savings to fund fossil fuel projects pumping more than a billion tonnes of greenhouse gas emissions into the atmosphere every year, according to an analysis. From a report: They have ploughed more than $1tn into the energy sector since 2010, often buying into old and new fossil fuel projects and, thanks to exemptions from many financial disclosures, operating them outside the public eye, the researchers say. In many cases they are mortgaging workers' futures by taking the money they have put away for old age and investing it in assets that risk serious damage to the climate, the report claims.

"Public sector workers' money, through national, state, and retirement pensions, provides much of the capital for private equity firms' energy investments, but there is limited disclosure to the pension fund managers that the deferred earnings of their beneficiaries have potential climate impacts," it says. Researchers at Americans for Financial Reform Education Fund, Global Energy Monitor and Private Equity Stakeholder Project assessed the holdings of 21 private equity firms, overseeing a combined $6tn in assets under management. Together, the analysis found that the 21 firms were funding projects responsible for releasing more than 1.17bn tons of CO2 equivalent (tCO2e) a year.

Microsoft has unveiled new features for its Copilot AI assistant, including screen analysis and voice interaction capabilities. Copilot Vision, available to Copilot Pro subscribers, can analyze web content in Microsoft Edge and answer queries about on-screen information. The company said processed data is immediately deleted and not used for model training.

A new Think Deeper function aims to tackle complex problems using advanced reasoning models. Copilot Voice introduces synthetic speech output and voice input in select English-speaking countries. Microsoft also announced personalization features, leveraging user history to tailor Copilot recommendations. This functionality will be limited initially, with the company evaluating options for European Economic Area users due to regulatory considerations.

The Arch Linux team has announced a collaboration with Valve, working to support critical infrastructure projects like a build service and secure signing enclave for the Arch Linux distribution. Tom's Hardware reports: If you're familiar with Valve and Steam Deck, you may already know that the Deck uses SteamOS 3, which is built on top of Arch Linux. Thanks to the Arch Linux base and Valve's development of the Proton compatibility layer for playing Windows games on Linux, we now have a far improved Linux gaming scene, especially on Valve's Steam Deck and Deck OLED handhelds. While Valve's specific reasons for picking Arch Linux for Steam Deck remain unknown, it's pretty easy to guess why it was picked. Mainly, it's a particularly lightweight distribution maintained since March 2002, which lends itself well to gaming with minimal performance overhead. A more intensive Linux distribution may not have been the ideal base for SteamOS 3, which is targeted at handhelds like Steam Deck first.

As primary Arch Linux developer Levente Polyak discloses in the announcement post, "Valve is generously providing backing for two critical projects that will have a huge impact on our distribution: a build service infrastructure and a secure signing enclave. By supporting work on a freelance basis for these topics, Valve enables us to work on them without being limited solely by the free time of our volunteers." Polyak continues, "This opportunity allows us to address some of the biggest outstanding challenges we have been facing for a while. The collaboration will speed up the progress that would otherwise take much longer for us to achieve, and will ultimately unblock us from finally pursuing some of our planned endeavors [...] We believe this collaboration will greatly benefit Arch Linux, and are looking forward to share further development on the mailing list as work progresses."

More American workers are seeing their compensation tied to performance metrics, a shift from traditional fixed salaries. A 2024 survey by Alexander Group found 28% of over 300 companies are incorporating incentive pay into new roles, extending a practice once limited to sales and executive positions. Employers argue this model boosts productivity, while some workers report earning less than expected, WSJ reported Monday.

Bryan Choi, an associate professor of law and computer science focusing on software safety, proposes shifting AI liability onto the builders of the systems: To date, most popular approaches to AI safety and accountability have focused on the technological characteristics and risks of AI systems, while averting attention from the workers behind the curtain responsible for designing, implementing, testing, and maintaining such systems...

I have previously argued that a negligence-based approach is needed because it directs legal scrutiny on the actual persons responsible for creating and managing AI systems. A step in that direction is found in California's AI safety bill, which specifies that AI developers shall articulate and implement protocols that embody the "developer's duty to take reasonable care to avoid producing a covered model or covered model derivative that poses an unreasonable risk of causing or materially enabling a critical harm" (emphasis added). Although tech leaders have opposed California's bill, courts don't need to wait for legislation to allow negligence claims against AI developers. But how would negligence work in the AI context, and what downstream effects should AI developers anticipate?
The article suggest two possibilities. Classifying AI developers as ordinary employees leaves employers then sharing liability for negligent acts (giving them "strong incentives to obtain liability insurance policies and to defend their employees against legal claims.") But AI developers could also be treated as practicing professionals (like physicians and attorneys). "{In this regime, each AI professional would likely need to obtain their own individual or group malpractice insurance policies." AI is a field that perhaps uniquely seeks to obscure its human elements in order to magnify its technical wizardry. The virtue of the negligence-based approach is that it centers legal scrutiny back on the conduct of the people who build and hype the technology. To be sure, negligence is limited in key ways and should not be viewed as a complete answer to AI governance. But fault should be the default and the starting point from which all conversations about AI accountability and AI safety begin.
Thanks to long-time Slashdot reader david.emery for sharing the article.

An anonymous reader shares a report: Apple is rethinking its movie strategy after the disappointing box office performance of several big-budget films, including Martin Scorsese's Killers of the Flower Moon, Napoleon, Argylle and Fly Me to the Moon. Apple canceled plans to release Wolfs -- an action comedy starring George Clooney and Brad Pitt -- in thousands of theaters globally. Instead, the picture made its debut in a limited number of venues before it became available on the Apple TV+ streaming service on Sept. 27. Apple plans to use a similar approach with the next few titles on its calendar, including the World War II drama Blitz. Apple, which previously had intended to spend about $1 billion annually on blockbusters for cinemas, won't return to the big screen with a wide, global theatrical release until June with F1 -- a film starring Pitt as a former Formula One driver who returns to racing to mentor a rising star.

[...] Apple is pulling back from theaters at the same time Netflix Inc. and Amazon are reworking their movie strategies. Earlier this year, Netflix hired producer Dan Lin to oversee its film studio, which had spent billions of dollars a year to produce more films than any other company in Hollywood. Yet Netflix struggled to control the quality and cost of its slate, which in some years approached 50 movies. For every hit, such as Bird Box, there were several misses. Lin's predecessor Scott Stuber also clashed with management over its strategy for movie theaters. Stuber wanted to release movies such as Scorsese's The Irishman and the Knives Out sequel Glass Onion widely in cinemas, but he couldn't persuade Netflix co-Chief Executive Officer Ted Sarandos. Lin aims to make fewer movies and develop more projects in-house to keep costs down. He has considered scrapping several of the more expensive projects in development at Netflix.

Mozilla has been hit with a complaint by EU privacy group noyb, accusing it of violating GDPR by tracking Firefox users by default without their consent. TechCrunch reports: Mozilla calls the feature at issue "Privacy Preserving Attribution" (PPA). But noyb argues this is misdirection. And if EU privacy regulators agree with the complaint the Firefox-maker could be slapped with orders to change tack -- or even face a penalty (the GDPR allows for fines of up to 4% of global revenue). "Contrary to its reassuring name, this technology allows Firefox to track user behaviour on websites," noyb wrote in a press release. "In essence, the browser is now controlling the tracking, rather than individual websites. While this might be an improvement compared to even more invasive cookie tracking, the company never asked its users if they wanted to enable it. Instead, Mozilla decided to turn it on by default once people installed a recent software update. This is particularly worrying because Mozilla generally has a reputation for being a privacy-friendly alternative when most other browsers are based on Google's Chromium."

Another component of noyb's objection is that Mozilla's move "doesn't replace cookies either" -- Firefox simply wouldn't have the market share and power to shift industry practices -- so all it's done is produce another additional way for websites to target ads. [...] The noyb-backed complaint (PDF), which has been filed with the Austrian data protection authority, accuses Mozilla of failing to inform users about the processing of their personal data and of using an opt-out -- rather than an affirmative "opt-in" -- mechanism. The privacy rights group also wants the regulator to order the deletion of all data collected so far. In a statement attributed to Christopher Hilton, its director of policy and corporate communications, Mozilla said that it has only conducted a "limited test" of a PPA prototype on its own websites.While acknowledging poor communication around the effort, the company emphasized that no user data has been collected or shared and expressed its commitment to engaging with stakeholders as it develops the technology further.

A year-long test of Apple's 80% charge limit feature on the iPhone 15 Pro Max has revealed only marginal benefits to battery health. MacRumors editor Juli Clover reported her device maintained 94% battery capacity after 299 charge cycles, compared to 87-90% capacity for iPhones without the limit. The opt-in setting, introduced with iPhone 15 models, aims to extend battery longevity by restricting maximum charge.

Clover adhered strictly to the 80% limit for 12 months, noting occasional inconveniences like depleted batteries during long days. While the test showed slightly better battery health retention, Clover questioned whether the trade-off in daily usability was worthwhile. She adds: I don't have a lot of data points for comparison, but it does seem that limiting the charge to 80 percent kept my maximum battery capacity higher than what my co-workers are seeing, but there isn't a major difference. I have four percent more battery at 28 more cycles, and I'm not sure suffering through an 80 percent battery limit for 12 months was ultimately worth it. It's possible that the real gains from an 80 percent limit will come in two or three years rather than a single year, and I'll keep it limited to 80 percent to see the longer term impact.

Alphabet unit Google filed a complaint to the European Commission on Wednesday against what it said were Microsoft's anti-competitive practices to lock customers into Microsoft's cloud platform Azure. From a report: Google, whose biggest cloud computing rivals are Microsoft and Amazon Web Services, said Microsoft was exploiting its dominant Windows Server operating system to prevent competition. Google Cloud Vice President Amit Zavery told a briefing that Microsoft made customers pay a 400% mark-up to keep running Windows Server on rival cloud computing operators. This did not apply if they used Azure. Users of rival cloud systems would also get later and more limited security updates, Zavery said.

Google pointed to a 2023 study by cloud services organization CISPE which found that European businesses and public sector bodies were paying up to 1 billion euros ($1.12 billion) per year on Microsoft licensing penalties. Microsoft in July clinched a 20-million-euro deal to settle an antitrust complaint about its cloud computing licensing practices with CISPE, averting an EU investigation. However, the settlement did not include Amazon Web Services, Google Cloud Platform and AliCloud, prompting criticism from the first two companies.

Microsoft unveiled detailed security reforms Monday, five months after CEO Satya Nadella pledged to prioritize cybersecurity following major breaches. The 25-page Secure Future Initiative report [PDF] outlines technical and governance changes addressing criticisms in an April 2024 Cyber Safety Review Board report that deemed Microsoft's security culture "inadequate."

Microsoft said it implemented significant security upgrades to its Entra ID and Microsoft Account systems, introducing Azure-managed hardware security modules for access token signing keys. The company has also purged 5.75 million inactive tenants to minimize potential attack vectors and adopted a new testing system with secure defaults to prevent legacy-related security issues. Concurrently, Microsoft has enhanced its network tracking capabilities, now monitoring over 99 percent of its physical network through a centralized inventory system, which aids in firmware compliance and logging.

Internal security measures have been tightened, with engineering teams facing stricter access controls. Personal access tokens are now limited to seven days, SSH access has been disabled for internal engineering repositories, and access to critical engineering systems has been restricted to fewer groups. Additionally, Microsoft has extended its audit log retention period to a minimum of two years, bolstering its ability to investigate and respond to potential security incidents.

Microsoft has launched a new Windows app that serves as a hub for streaming Windows environments from services like Windows 365 and Azure Virtual Desktop. However, it's limited to Microsoft work and school accounts with "no signs that Microsoft plans to support consumer accounts," notes The Verge's Tom Warren. From the report: This new unified app has been in testing for nearly a year, and includes a customizable home screen, multi-monitor support, and USB redirection so you can use local devices like webcams, storage devices, and printers as if they were plugged directly into a cloud PC. This Windows app is limited to Microsoft work and school accounts, as it's primarily designed for existing users of Remote Desktop clients for Windows and other operating systems to move to. Microsoft has had similar apps for connecting to PCs remotely in Windows for decades, including the Remote Desktop Connection app that still ships as part of Windows 11. These apps, including the new Windows one, are useful for connecting to work PCs from a personal laptop or PC. The Windows app is available from the Microsoft Store and Apple App Store. An Android version enters public preview mode today.

An anonymous reader quotes a report from TechCrunch: At its Made On YouTube event on Wednesday, the company announced a new dedicated space for creators to interact with their fans and viewers. The space, called "Communities," is kind of like a Discord server built into a creator's channel. With Communities, YouTube is hoping creators won't need to use other platforms like Discord or Reddit in order to interact with viewers. Communities are a space for viewers to post and interact with other fans directly within a creator's channel. In the past, viewers have been limited to leaving comments on a creator's video. Now, they can share their own content in a creator's Community to interact with other fans over shared interests. For instance, a fitness creator's Community could include posts from fans who are sharing videos and photos from their most recent hike.

To start, the feature is only available to subscribers. The company sees Communities as a dedicated space for conversation and connection, while still allowing creators to maintain control over their content. Conversations in Communities are meant to flow over time, YouTube says, as they would in any other forum-style setting. The new Communities feature shouldn't be confused with YouTube's Community feature, which is a space for creators to share text and images with viewers. The feature launched back in 2016, and doesn't allow viewers to interact with each other. YouTube is testing Communities now on mobile devices with a small group of creators. The company plans to test the feature with more creators later this year before expanding access to additional channels in early 2025.

YouTube has announced a series of AI-related features on the platform, including a couple that might change how creators make videos -- and the videos they make. From a report: The first feature is the new Inspiration tab in the YouTube Studio app, which YouTube has been testing in a limited way over the last few months. The tab's job is, essentially, to tell you what to make: the AI-powered tool will suggest a concept for a video, provide a title and a thumbnail, and even write an outline and the first few lines of the video for you. YouTube frames it as a helpful brainstorming tool but also acknowledges that you can use it to build out entire projects. And I'm just guessing here, but I'd bet those AI-created ideas are going to be pretty darn good at gaming the YouTube algorithm.

Once you have some AI inspiration, you can make some AI videos with Veo, the superpowerful DeepMind video model that is now being integrated into YouTube Shorts. Veo is mostly going to be part of the "Dream Screen" feature YouTube has been working on, which is an extension of the green screen concept but with AI-generated backgrounds of all sorts. You'll also be able to make full Veo videos, too, but only with clips up to six seconds long. (After a few seconds, AI video tends to get... really weird.)

Longtime Slashdot reader theodp writes: Python in Excel is now generally available for Windows users of Microsoft 365 Business and Enterprise," Microsoft announced in a Monday blog post. "Last August, in partnership with Anaconda, we introduced an exciting new addition to Excel by integrating Python, making it possible to seamlessly combine Python and Excel analytics within the same workbook, no setup required. Since then, we've brought the power of popular Python analytics libraries such as pandas, Matplotlib, and NLTK to countless Excel users." Microsoft also announced the public preview of Copilot in Excel with Python, which will take users' natural language requests for analysis and automatically generate, explain, and insert Python code into Excel spreadsheets.

While drawing criticism for limiting Python execution to locked-down Azure cloud containers, Python in Excel has also earned accolades from the likes of Python creator Guido van Rossum, now a Microsoft Distinguished Engineer, as well as Pandas creator Wes McKinney.

Left unmentioned in Monday's announcement is that Microsoft managed to convince the USPTO to issue it a patent in July 2024 on the Enhanced Integration of Spreadsheets With External Environments (alt. source), which Microsoft explains covers the "implementation of enhanced integrations of native spreadsheet environments with external resources such as-but not limited to-Python." All of which may come as a surprise to software vendors and individuals that were integrating Excel and external programming environments years before Microsoft filed its patent application in September 2022.

Instagram has introduced new safety features that make teenage accounts private by default, enhance parental supervision, and set messaging restrictions to protect young users, requiring parental approval for changes. NPR reports: Meta said users under 16 will now need a parent's approval to change the restricted settings, dubbed "Teen Accounts," which filter out offensive words and limit who can contact them. "It's addressing the same three concerns we're hearing from parents around unwanted contact, inappropriate contact and time spent," said Naomi Gleit, Meta's head of product, in an interview with NPR. With teens all being switched to private accounts, they can only be messaged or tagged by people they follow. Content from accounts they don't follow will be in the most restrictive setting, and the app will make periodic screen time reminders under a revamped "take a break" feature. [...]

Meta requires users to be at least 13 years old to create an account. Social media researchers, however, have long noted that young people can lie about their age to get on the platform and may have multiple fake accounts, known as "finstas," to avoid detection by their parents. Officials at Meta say they have built new artificial intelligence systems to detect teens who lie about their age. This is in addition to working with British company Yoti, which analyzes someone's face from their photos and estimates an age. Meta has partnered with the company since 2022. Since then, Meta has required teens to prove their age by submitting a video selfie or a form of identification. Now, Meta says, if a young person tries to log into a new account with an adult birthday, it will place them in the teen protected settings.

While parental supervision on Instagram still requires both a teen and parent to opt in, the new policies add a feature that allows parents to see who their teens have been recently messaging (though not the content of the messages) and what subjects they are exploring on the app. Meta is hoping to avoid one worrisome situation: Someone who is not a parent finding a way to oversee a teen's account. "If we determine a parent or guardian is not eligible, they are blocked from the supervision experience," Meta wrote in a white paper about Tuesday's new child safety measures. [...] Meta points out that parents will be limited to viewing about three dozen topics that their teens are interested in, including things like outdoor activities, animals and music. Meta says the topic-viewing is less about parents surveilling kids and more about learning about a child's curiosities. Still, some of the new Instagram features for teens will be aimed at filtering out sensitive content from the app's Explore Page and on Reels, the app's short-form video service.

Last October Slashdot reported on René Rebe's discovery of a random illegal instruction speculation bug on AMD Ryzen 7000-series and Epyc Zen 4 CPUs — which Rebe discussed on his YouTube channel.

But this week's YouTube episode had a different ending, reports Tom's Hardware... Two days ago, tech streamer and host of Code Therapy René Rebe was streaming one of many T2 Linux (his own custom distribution) development sessions from his office in Germany when he abruptly had to remove his microphone and walk off camera due to the arrival of police officers. The officers subsequently cuffed him and took him to the station for an hour of questioning, a span of time during which the stream continued to run until he made it back...

[T]he police seemingly have no idea who did it and acted based on a tip sent with an email. Finding the perpetrators could take a while, and options will be fairly limited if they don't also live in Germany.
Rebe has been contributing to Linux "since as early as 1998," according to the article, "and started his own T2 SD3 Embedded Linux distribution in 2004, as well." (And he's also a contributor to many other major open source projects.)

The article points out that Linux and other communities "are compelled by little-to-no profit motive, so in essence, René has been providing unpaid software development for the greater good for the past two decades."

"New malicious software packages tied to the North Korean Lazarus Group were observed posing as a Python coding skills test for developers seeking a new job at Capital One, but were tracked to GitHub projects with embedded malware," reports SC magazine: Researchers at ReversingLabs explained in a September 10 blog post that the scheme was a follow-on to the VMConnect campaign that they first identified in August 2023 in which developers were lured into downloading malicious code via fake job interviews.
More details from The Hacker News These packages, for their part, have been published directly on public repositories like npm and PyPI, or hosted on GitHub repositories under their control. ReversingLabs said it identified malicious code embedded within modified versions of legitimate PyPI libraries such as pyperclip and pyrebase... It's implemented in the form of a Base64-encoded string that obscures a downloader function, which establishes contact with a command-and-control server in order to execute commands received as a response.

In one instance of the coding assignment identified by the software supply chain firm, the threat actors sought to create a false sense of urgency by requiring job seekers to build a Python project shared in the form of a ZIP file within five minutes and find and fix a coding flaw in the next 15 minutes. This makes it "more likely that he or she would execute the package without performing any type of security or even source code review first," Zanki said, adding "that ensures the malicious actors behind this campaign that the embedded malware would be executed on the developer's system."
Tom's Hardware reports that "The capacity for exploitation at that point is pretty much unlimited, due to the flexibility of Python and how it interacts with the underlying OS. This is a good time to refer to PEP 668 which enforces virtual environments for non-system wide Python installs."

More from The Hacker News Some of the aforementioned tests claimed to be a technical interview for financial institutions like Capital One and Rookery Capital Limited, underscoring how the threat actors are impersonating legitimate companies in the sector to pull off the operation. It's currently not clear how widespread these campaigns are, although prospective targets are scouted and contacted using LinkedIn, as recently also highlighted by Google-owned Mandiant.

fjo3 shares a report from NASA: Engineers working on NASA's Voyager 1 probe have successfully mitigated an issue with the spacecraft's thrusters, which keep the distant explorer pointed at Earth so that it can receive commands, send engineering data, and provide the unique science data it is gathering. After 47 years, a fuel tube inside the thrusters has become clogged with silicon dioxide, a byproduct that appears with age from a rubber diaphragm in the spacecraft's fuel tank. The clogging reduces how efficiently the thrusters can generate force. After weeks of careful planning, the team switched the spacecraft to a different set of thrusters. [...]

Switching to different thrusters would have been a relatively simple operation for the mission in 1980 or even 2002. But the spacecraft's age has introduced new challenges, primarily related to power supply and temperature. The mission has turned off all non-essential onboard systems, including some heaters, on both spacecraft to conserve their gradually shrinking electrical power supply, which is generated by decaying plutonium. While those steps have worked to reduce power, they have also led to the spacecraft growing colder, an effect compounded by the loss of other non-essential systems that produced heat. Consequently, the attitude propulsion thruster branches have grown cold, and turning them on in that state could damage them, making the thrusters unusable.

The team determined that the best option would be to warm the thrusters before the switch by turning on what had been deemed non-essential heaters. However, as with so many challenges the Voyager team has faced, this presented a puzzle: The spacecraft's power supply is so low that turning on non-essential heaters would require the mission to turn off something else to provide the heaters adequate electricity, and everything that's currently operating is considered essential. Studying the issue, they ruled out turning off one of the still-operating science instruments for a limited time because there's a risk that the instrument would not come back online. After additional study and planning, the engineering team determined they could safely turn off one of the spacecraft's main heaters for up to an hour, freeing up enough power to turn on the thruster heaters. It worked. On Aug. 27, they confirmed that the needed thruster branch was back in action, helping point Voyager 1 toward Earth.

An anonymous reader quotes a report from Reuters: The U.S. Commerce Department said Monday it is proposing to require detailed reporting requirements for advanced artificial intelligence developers and cloud computing providers to ensure the technologies are safe and can withstand cyberattacks. The proposal from the department's Bureau of Industry and Security would set mandatory reporting to the federal government about development activities of "frontier" AI models and computing clusters. It would also require reporting on cybersecurity measures as well as outcomes from so-called red-teaming efforts like testing for dangerous capabilities including the ability to assist in cyberattacks or lowering barriers to entry for non-experts to develop chemical, biological, radiological, or nuclear weapons. External red-teaming has been used for years in cybersecurity to identify new risks, with the term referring to U.S. Cold War simulations where the enemy was termed the "red team." [...] Commerce said the information collected under the proposal "will be vital for ensuring these technologies meet stringent standards for safety and reliability, can withstand cyberattacks, and have limited risk of misuse by foreign adversaries or non-state actors." Further reading: Biden Signs Executive Order To Oversee and Invest in AI