An anonymous reader quotes a report from the New York Times: Facebook Dating, which debuted in 2019, has become a surprise hit for the company. It lets people create a dating profile free in the app, where they can swipe and match with other eligible singles. It has more than 21 million daily users, quietly making it one of the most popular online dating services. Hinge, a leading dating app in the United States, has around 15 million users. "Underlying it all is that there are real people on Facebook," Tom Alison, the head of Facebook, said in an interview. "You can see who they are, you can see how you're connected to them, and if you have mutual friends, we make it easy to see where you have mutual interests."

Facebook Dating's popularity is a sign of how Facebook has been reinventing itself. One of the early social networks, its main social feed has become less popular over time than younger apps like Instagram and TikTok. But along with Facebook Marketplace, where people look for deals on things like couches and used cars, Facebook Dating shows how an older social network can remain relevant. "When you look at Gen Z usage on Facebook, they aren't using the social media feed," said Mike Proulx, a research director at Forrester VP, a research firm. "What's bringing them back to the platform is Marketplace, Messenger, Dating."

An anonymous reader quotes a report from BleepingComputer: The U.S. Congressional Budget Office (CBO) confirms it suffered a cybersecurity incident after a suspected foreign hacker breached its network, potentially exposing sensitive data. In a statement shared with BleepingComputer, CBO spokesperson Caitlin Emma confirmed the "security incident" and said the agency acted quickly to contain it. "The Congressional Budget Office has identified the security incident, has taken immediate action to contain it, and has implemented additional monitoring and new security controls to further protect the agency's systems going forward," Emma told BleepingComputer.

"The incident is being investigated and work for the Congress continues. Like other government agencies and private sector entities, CBO occasionally faces threats to its network and continually monitors to address those threats." The Washington Post first reported the breach, stating that officials discovered the hack in recent days and are now concerned that emails and exchanges between congressional offices and the CBO's analysts may have been exposed. While officials have reported told lawmakers they believe the intrusion was detected early, some congressional office have allegedly halted emails with the CBO out of security concerns.

A curious engineer discovered that his iLife A11 smart vacuum was remotely "killed" after he blocked it from sending data to the manufacturer's servers. By reverse-engineering it with custom hardware and Python scripts, he managed to revive the device to run fully offline. Tom's Hardware reports: An engineer got curious about how his iLife A11 smart vacuum worked and monitored the network traffic coming from the device. That's when he noticed it was constantly sending logs and telemetry data to the manufacturer -- something he hadn't consented to. The user, Harishankar, decided to block the telemetry servers' IP addresses on his network, while keeping the firmware and OTA servers open. While his smart gadget worked for a while, it just refused to turn on soon after. After a lengthy investigation, he discovered that a remote kill command had been issued to his device.

He sent it to the service center multiple times, wherein the technicians would turn it on and see nothing wrong with the vacuum. When they returned it to him, it would work for a few days and then fail to boot again. After several rounds of back-and-forth, the service center probably got tired and just stopped accepting it, saying it was out of warranty. Because of this, he decided to disassemble the thing to determine what killed it and to see if he could get it working again. [...] So, why did the A11 work at the service center but refuse to run in his home? The technicians would reset the firmware on the smart vacuum, thus removing the kill code, and then connect it to an open network, making it run normally. But once it connected again to the network that had its telemetry servers blocked, it was bricked remotely because it couldn't communicate with the manufacturer's servers. Since he blocked the appliance's data collection capabilities, its maker decided to just kill it altogether.

"Someone -- or something -- had remotely issued a kill command," says Harishankar. "Whether it was intentional punishment or automated enforcement of 'compliance,' the result was the same: a consumer device had turned on its owner." In the end, the owner was able to run his vacuum fully locally without manufacturer control after all the tweaks he made. This helped him retake control of his data and make use of his $300 software-bricked smart device on his own terms. As for the rest of us who don't have the technical knowledge and time to follow his accomplishments, his advice is to "Never use your primary WiFi network for IoT devices" and to "Treat them as strangers in your home."

A bungled October 18 heist that saw $102 million of crown jewels stolen from the Louvre in broad daylight has exposed years of lax security at the national art museum. From trivial passwords like 'LOUVRE' to decades-old, unsupported systems and easy rooftop access, the job was made surprisingly easy. PC Gamer reports: As Rogue cofounder and former Polygon arch-jester Cass Marshall notes on Bluesky, we owe a lot of videogame designers an apology. We've spent years dunking on the emptyheadedness of game characters leaving their crucial security codes and vault combinations in the open for anyone to read, all while the Louvre has been using the password "Louvre" for its video surveillance servers. That's not an exaggeration. Confidential documents reviewed by Liberation detail a long history of Louvre security vulnerabilities, dating back to a 2014 cybersecurity audit performed by the French Cybersecurity Agency (ANSSI) at the museum's request. ANSSI experts were able to infiltrate the Louvre's security network to manipulate video surveillance and modify badge access.

"How did the experts manage to infiltrate the network? Primarily due to the weakness of certain passwords which the French National Cybersecurity Agency (ANSSI) politely describes as 'trivial,'" writes Liberation's Brice Le Borgne via machine translation. "Type 'LOUVRE' to access a server managing the museum's video surveillance, or 'THALES' to access one of the software programs published by... Thales." The museum sought another audit from France's National Institute for Advanced Studies in Security and Justice in 2015. Concluded two years later, the audit's 40 pages of recommendations described "serious shortcomings," "poorly managed" visitor flow, rooftops that are easily accessible during construction work, and outdated and malfunctioning security systems. Later documents indicate that, in 2025, the Louvre was still using security software purchased in 2003 that is no longer supported by its developer, running on hardware using Windows Server 2003.

Google's new "Project Suncatcher" aims to launch Tensor Processing Units (TPUs) into space, creating a solar-powered, satellite-based AI network capable of scaling machine learning beyond Earth's limits. Google says a "solar panel can be up to 8 times more productive than on earth" for near-continuous power using a "dawn-dusk sun-synchronous low earth orbit" that reduces the need for batteries and other power generation. 9to5Google reports: These satellites would connect via free-space optical links, with large-scale ML workloads "distributing tasks across numerous accelerators with high-bandwidth, low-latency connections." To match data centers on Earth, the connection between satellites would have to be tens of terabits per second, and they'd have to fly in "very close formation (kilometers or less)."

Google has already conducted radiation testing on TPUs (Trillium, v6e), with "promising" results: "While the High Bandwidth Memory (HBM) subsystems were the most sensitive component, they only began showing irregularities after a cumulative dose of 2 krad(Si) -- nearly three times the expected (shielded) five year mission dose of 750 rad(Si). No hard failures were attributable to TID up to the maximum tested dose of 15 krad(Si) on a single chip, indicating that Trillium TPUs are surprisingly radiation-hard for space applications."

Finally, Google believes that launch costs will "fall to less than $200/kg by the mid-2030s." At that point, the "cost of launching and operating a space-based data center could become roughly comparable to the reported energy costs of an equivalent terrestrial data center on a per-kilowatt/year basis."

An anonymous reader shares a report: Before the potential of the internet was appreciated around the world, nations that understood its importance managed to scoop outsized allocations of IPv4 addresses, actions that today mean many users in the rest of the world are more likely to find their connections throttled or blocked.

So says Cloudflare, which last week published research that recalls how once the world started to run out of IPv4 addresses, engineers devised network address translation (NAT) so that multiple devices can share a single IPv4 address. NAT can handle tens of thousands of devices, but carriers typically operate many more. Internetworking wonks therefore developed Carrier-Grade NAT (CGNAT), which can handle over 100 devices per IPv4 address and scale to serve millions of users.

That's useful for carriers everywhere, but especially valuable for carriers in those countries that missed out on big allocations of IPv4 because their small pool of available number resources means they must employ CGNAT to handle more users and devices. Cloudflare's research suggests carriers in Africa and Asia use CGNAT more than those on other continents.

Cloudflare worried that could be bad for individual netizens. "CGNATs also create significant operational fallout stemming from the fact that hundreds or even thousands of clients can appear to originate from a single IP address," wrote Cloudflare researchers Vasilis Giotsas and Marwan Fayed. "This means an IP-based security system may inadvertently block or throttle large groups of users as a result of a single user behind the CGNAT engaging in malicious activity. Blocking the shared IP therefore penalizes many innocent users along with the abuser."

Australia's new "solar sharer" program will give households in NSW, south-east Queensland, and South Australia at least three hours of free solar power each day starting in 2026 -- even for those without rooftop panels. Other areas will potentially follow in 2027. The Guardian reports: The government said Australians could schedule appliances such as washing machines, dishwashers and air conditioners and charge electric vehicles and household batteries during this time. The solar sharer scheme would be implemented through a change to the default market offer that sets the maximum price retailers can charge customers for electricity in parts of the country. The climate change and energy minister, Chris Bowen, said the program would ensure "every last ray of sunshine was powering our homes" instead of some solar energy being wasted.

Australians have installed more than 4m solar systems and there is regularly cheap excess generation in the middle of the day. Part of the rationale for the program is that it could shift demand for electricity from peak times -- particularly early in the evening -- to when it is sunniest. This could help minimize peak electricity prices and reduce the need for network upgrades and intervention to ensure the power grid was stable.

A new class-action lawsuit accuses Spotify of allowing billions of fraudulent Drake streams generated by bots between 2022 and 2025, allegedly inflating his royalties at the expense of other artists. "Spotify pays streaming royalties using a 'pro-rata' model based on an artist's market share," notes Consequence. "Each month, revenue from subscriptions and ads is collected into a single, fixed 'pot' of money, which is then distributed to rights holders based on their percentage of the platform's total streams. Because this pot is fixed, an artist who artificially inflates their numbers through bots would dilute the value of every legitimate stream. This allows them to take a larger share of the pot than they earned, effectively siphoning royalties that should have gone to other artists." From the report: According to Rolling Stone, the lawsuit alleges bot use is a widespread problem on Spotify. However, Drake is the only example named, based on "voluminous information" which the company "knows or should know" that proves a "substantial, non-trivial percentage" of his approximately 37 billion streams were "inauthentic and appeared to be the work of a sprawling network of Bot Accounts."

The complaint claims this alleged fraudulent activity took place between "January 2022 and September 2025," with an examination of "abnormal VPN usage" revealing at least 250,000 streams of Drake's song "No Face" during a four-day period in 2024 were actually from Turkey "but were falsely geomapped through the coordinated use of VPNs to the United Kingdom in [an] attempt to obscure their origins." Other notable allegations in the lawsuit are that "a large percentage" of accounts were concentrated in areas where the population could not support such a high volume of streams, including those with "zero residential addresses." The suit also points to "significant and irregular uptick months" for Drake's songs long after their release, as well as a "slower and less dramatic" downtick in streams compared to other artists.

Noting a "staggering and irregular" streaming of Drake's music by individuals, the suit also claims there are a "massive amount of accounts" listening to his songs "23 hours a day." Less than 2% of those users account for "roughly 15 percent" of his streams. "Drake's music accumulated far higher total streams compared to other highly streamed artists, even though those artists had far more 'users' than Drake," the lawsuit concludes.

concertina226 shares a report from The Register: [A massive power outage in April left tens of millions across Spain, Portugal, and parts of France without electricity for hours due to cascading grid failures, exposing how fragile and interconnected Europe's energy infrastructure is. The incident, though not a cyberattack, reignited concerns about the vulnerability of aging, fragmented, and insecure operational technology systems that could be easily exploited in future cyber or ransomware attacks.] This headache is one the European Commission is focused on. It is funding several projects looking at making electric grids more resilient, such as the eFort framework being developed by cybersecurity researchers at the independent non-profit Netherlands Organisation for Applied Scientific Research (TNO) and the Delft University of Technology (TU Delft).

TNO's SOARCA tool is the first ever open source security orchestration, automation and response (SOAR) platform designed to protect power plants by automating the orchestration of the response to physical attacks, as well as cyberattacks, on substations and the network, and the first country to demo it will be the Ukraine this year. At the moment, SOAR systems only exist for dedicated IT environments. The researchers' design includes a SOAR system in each layer of the power station: the substation, the control room, the enterprise layer, the cloud, or the security operations centre (SOC), so that the SOC and the control room work together to detect anomalies in the network, whether it's an attacker exploiting a vulnerability, a malicious device being plugged into a substation, or a physical attack like a missile hitting a substation. The idea is to be able to isolate potential problems and prevent lateral movement from one device to another or privilege escalation, so an attacker cannot go through the network to the central IT management system of the electricity grid. [...]

The SOARCA tool is underpinned by CACAO Playbooks, an open source specification developed by the OASIS Open standards body and its members (which include lots of tech giants and US government agencies) to create standardized predefined, automated workflows that can detect intrusions and changes made by malicious actors, and then carry out a series of steps to protect the network and mitigate the attack. Experts largely agree the problem facing critical infrastructure is only worsening as years pass, and the more random Windows implementations that are added into the network, the wider the attack surface is. [...] TNO's Wolthuis said the energy industry is likely to be pushed soon to take action by regulators, particularly once the Network Code on Cybersecurity (NCCS), which lays out rules requiring cybersecurity risk assessments in the electricity sector, is formalized.

"An engineer got curious about how his iLife A11 smart vacuum worked and monitored the network traffic coming from the device," writes Tom's Hardware.

"That's when he noticed it was constantly sending logs and telemetry data to the manufacturer — something he hadn't consented to." The user, Harishankar, decided to block the telemetry servers' IP addresses on his network, while keeping the firmware and OTA servers open. While his smart gadget worked for a while, it just refused to turn on soon after... He sent it to the service center multiple times, wherein the technicians would turn it on and see nothing wrong with the vacuum. When they returned it to him, it would work for a few days and then fail to boot again... [H]e decided to disassemble the thing to determine what killed it and to see if he could get it working again...

[He discovered] a GD32F103 microcontroller to manage its plethora of sensors, including Lidar, gyroscopes, and encoders. He created PCB connectors and wrote Python scripts to control them with a computer, presumably to test each piece individually and identify what went wrong. From there, he built a Raspberry Pi joystick to manually drive the vacuum, proving that there was nothing wrong with the hardware. From this, he looked at its software and operating system, and that's where he discovered the dark truth: his smart vacuum was a security nightmare and a black hole for his personal data.

First of all, it's Android Debug Bridge, which gives him full root access to the vacuum, wasn't protected by any kind of password or encryption. The manufacturer added a makeshift security protocol by omitting a crucial file, which caused it to disconnect soon after booting, but Harishankar easily bypassed it. He then discovered that it used Google Cartographer to build a live 3D map of his home. This isn't unusual, by far. After all, it's a smart vacuum, and it needs that data to navigate around his home. However, the concerning thing is that it was sending off all this data to the manufacturer's server. It makes sense for the device to send this data to the manufacturer, as its onboard SoC is nowhere near powerful enough to process all that data. However, it seems that iLife did not clear this with its customers.

Furthermore, the engineer made one disturbing discovery — deep in the logs of his non-functioning smart vacuum, he found a command with a timestamp that matched exactly the time the gadget stopped working. This was clearly a kill command, and after he reversed it and rebooted the appliance, it roared back to life.
Thanks to long-time Slashdot reader registrations_suck for sharing the article.

OpenAI "hasn't yet turned a profit," notes Wall Street Journal business columnist Tim Higgins. "Its annual revenue is 2% of Amazon.com's sales.

"Its future is uncertain beyond the hope of ushering in a godlike artificial intelligence that might help cure cancer and transform work and life as we know it. Still, it is brimming with hope and excitement.

"But what if OpenAI fails?" There's real concern that through many complicated and murky tech deals aimed at bolstering OpenAI's finances, the startup has become too big to fail. Or, put another way, if the hype and hope around Chief Executive Sam Altman's vision of the AI future fails to materialize, it could create systemic risk to the part of the U.S. economy likely keeping us out of recession.

That's rarefied air, especially for a startup. Few worried about what would happen if Pets.com failed in the dot-com boom. We saw in 2008-09 with the bank rescues and the Chrysler and General Motors bailouts what happens in the U.S. when certain companies become too big to fail...

[A]fter a lengthy effort to reorganize itself, OpenAI announced moves that will allow it to have a simpler corporate structure. This will help it to raise money from private investors and, presumably, become a publicly traded company one day. Already, some are talking about how OpenAI might be the first trillion-dollar initial public offering... Nobody is saying OpenAI is dabbling in anything like liar loans or subprime mortgages. But the startup is engaging in complex deals with the key tech-industry pillars, the sorts of companies making the guts of the AI computing revolution, such as chips and Ethernet cables. Those companies, including Nvidia and Oracle, are partnering with OpenAI, which in turn is committing to make big purchases in coming years as part of its growth ambitions.

Supporters would argue it is just savvy dealmaking. A company like Nvidia, for example, is putting money into a market-making startup while OpenAI is using the lofty value of its private equity to acquire physical assets... They're rooting for OpenAI as a once-in-a-generational chance to unseat the winners of the last tech cycles. After all, for some, OpenAI is the next Apple, Facebook, Google and Tesla wrapped up in one. It is akin to a company with limitless potential to disrupt the smartphone market, create its own social-media network, replace the search engine, usher in a robot future and reshape nearly every business and industry.... To others, however, OpenAI is something akin to tulip mania, the harbinger of the Great Depression, or the next dot-com bubble. Or worse, they see, a jobs killer and mad scientist intent on making Frankenstein.

But that's counting on OpenAI's success.

San Francisco's local newscast ABC7 runs a consumer advocacy segment called "7 on Your Side". They received a disturbing call for help from Dave Dornlas, treasurer of a nonprofit supporting a local library: GoFundMe has taken upon itself to create "nonprofit pages" for 1.4 million 501C-3 organizations using public IRS data along with information from trusted partners like the PayPal Giving Fund. "The fact that they would just on their own build pages for nonprofits that they've never spoken to is a problem," [Dornlas] said. "I'm a believer in opt-in, not opt-out...." Dornlas says he struggled to find anyone to contact from GoFundMe about this... Dave's other frustration is tied to the company's optional tipping feature on the platform. "GoFundMe also solicits a tip of 14.5%. In other words, 'We're doing this and we're great people. Give us 14.5% to do this' — which doesn't have to happen," Dornlas said. "That's what bothers me." When 7 On Your Side checked, the optional tip was actually set for 16.5%. The consumer is required to move the bar to adjust accordingly... The tip would be in addition to the 2.2% transaction fee GoFundMe charges nonprofits, plus $0.30 per donation. That fee goes up to 2.9% for individual fundraisers.

Now both GoFundMe pages of Dornlas's nonprofits have been removed from the site. Any organization can do so, by clicking "unpublish" on the platform.
But GoFundMe's move drew strong criticism from the Center for Nonprofit Excellence (a Kentucky-based membership organization with over 500 members). GoFundMe's move, they say, creates "confusion for donors and supporters who are unsure of the legitimacy of the fundraising pages. In some cases, GoFundMe included incorrect information, outdated logos, and other inaccuracies that compromise and misrepresent nonprofits' brand, mission, strategy, and message."

And GoFundMe's processing fees and tips "ultimately result in fewer resources for nonprofits than if donors contributed directly through the organization." But there's more... GoFundMe has initiated SEO optimization as the default for the donation pages to improve their visibility when individuals search forinformation about nonprofits online. This could result in GoFundMe'spages ranking higher than the nonprofit's own website, pulling away potential donors and supporters...

Without adequate safeguards in place, nonprofits report serious issues, ranging from unauthorized individuals claiming donations and the inability to remove pages without first agreeing to GoFundMe's terms and conditions or sharing sensitive banking information.
The Center for Nonprofit Excellence has now joined with the National Council of Nonprofits — America's largest network of nonprofits, with over 25,000 members — to officially urge GoFundMe to immediately rectify the situation.

Thanks to long-time Slashdot reader Arrogant-Bastard for sharing the article.

CBS News investigates what happened when police thought they'd tracked down a "porch pirate" who'd stolen a package — and accused an innocent woman.

"You know why I'm here," the police sergeant tells Chrisanna Elser. "You know we have cameras in that town..." "It went right into, 'we have video of you stealing a package,'" Elser said... "Can I see the video?" Elser asked. "If you go to court, you can," the officer replied. "If you're going to deny it, I'm not going to extend you any courtesy...." [You can watch a video of the entire confrontation.] On her doorstep, the officer issued a summons, without ever looking at the surveillance video Elser had. "We can show you exactly where we were," she told him. "I already know where you were," he replied.

Her Rivian — equipped with multiple cameras — had recorded her entire route that day... It took weeks of her collecting her own evidence, building timelines, and submitting videos before someone listened. Finally, she received an email from the Columbine Valley police chief acknowledging her efforts in an email saying, "nicely done btw (by the way)," and informing her the summons would not be filed.
Elser also found the theft video (which the police officer refused to show her) on Nextdoor, reports Electrek. "The woman has the same color hair, but different facial and nose shape and apparent age than Elser, which is all reasonably apparent when viewing the video..."

But Elser does drive a green Rivian truck, which police knew had entered the neighborhood 20 times over the course of a month. (Though in the video the officer is told that a male driver in the same household passes through that neighborhood driving to and from work.) The problem may be their certainty — derived from Flock's network of cameras that automatically read license plates, "tracking movements of vehicles wherever they go..." The system has provoked concern from privacy and freedom focused organizations like the Electronic Frontier Foundation and American Civil Liberties Union. Flock also recently announced a partnership with Ring, seeking to use a network of doorbell cameras to track Americans in even more places.... [The police] didn't even have video of the truck in the area — merely tags of it entering... (it also left the area minutes later, indicating a drive through, rather than crawling through neighborhoods looking for packages — but police neglected to check the exit timestamps)... Elser has asked for an apology for [officer] Milliman's aggressive behavior during the encounter, but has heard nothing back from the department despite a call, email, and physical appearance at the police station.
The article points out that Rivian's "Road Cam" feature can be set to record footage of everything happening around it using the car's built in cameras for driver-assist features. But if you want to record footage all the time, you'll need to plug in a USB-C external drive to store it. (It's ironic how different cameras recorded every part of this story — the theft, the police officer accusing the innocent woman, and that innocent woman's actual whereabouts.)

Electrek's take? "Citizens should not need to own a $70k+ truck, or even a $100 external hard drive, to keep track of everything they do in order to prove to power-tripping officers that they didn't commit a crime."

"We've spent the last year rebuilding major components of our system," Cloudflare announced this week, "and we've just slashed the latency of traffic passing through our network for millions of our customers," (There's a 10ms cut in the median time to respond, plus a 25% performance boost as measured by CDN performance tests.) They replaced a 15-year-old system named FL (where they run security and performance features), and "At the same time, we've made our system more secure, and we've reduced the time it takes for us to build and release new products."

And yes, Rust was involved: We write a lot of Rust, and we've gotten pretty good at it... We built FL2 in Rust, on Oxy [Cloudflare's Rust-based next generation proxy framework], and built a strict module framework to structure all the logic in FL2... Built in Rust, [Oxy] eliminates entire classes of bugs that plagued our Nginx/LuaJIT-based FL1, like memory safety issues and data races, while delivering C-level performance. At Cloudflare's scale, those guarantees aren't nice-to-haves, they're essential. Every microsecond saved per request translates into tangible improvements in user experience, and every crash or edge case avoided keeps the Internet running smoothly. Rust's strict compile-time guarantees also pair perfectly with FL2's modular architecture, where we enforce clear contracts between product modules and their inputs and outputs...

It's a big enough distraction from shipping products to customers to rebuild product logic in Rust. Asking all our teams to maintain two versions of their product logic, and reimplement every change a second time until we finished our migration was too much. So, we implemented a layer in our old NGINX and OpenResty based FL which allowed the new modules to be run. Instead of maintaining a parallel implementation, teams could implement their logic in Rust, and replace their old Lua logic with that, without waiting for the full replacement of the old system.
Over 100 engineers worked on FL2 — and there was extensive testing, plus a fallback-to-FL1 procedure. But "We started running customer traffic through FL2 early in 2025, and have been progressively increasing the amount of traffic served throughout the year...." As we described at the start of this post, FL2 is substantially faster than FL1. The biggest reason for this is simply that FL2 performs less work [thanks to filters controlling whether modules need to run]... Another huge reason for better performance is that FL2 is a single codebase, implemented in a performance focussed language. In comparison, FL1 was based on NGINX (which is written in C), combined with LuaJIT (Lua, and C interface layers), and also contained plenty of Rust modules. In FL1, we spent a lot of time and memory converting data from the representation needed by one language, to the representation needed by another. As a result, our internal measures show that FL2 uses less than half the CPU of FL1, and much less than half the memory. That's a huge bonus — we can spend the CPU on delivering more and more features for our customers!

Using our own tools and independent benchmarks like CDNPerf, we measured the impact of FL2 as we rolled it out across the network. The results are clear: websites are responding 10 ms faster at the median, a 25% performance boost. FL2 is also more secure by design than FL1. No software system is perfect, but the Rust language brings us huge benefits over LuaJIT. Rust has strong compile-time memory checks and a type system that avoids large classes of errors. Combine that with our rigid module system, and we can make most changes with high confidence...

We have long followed a policy that any unexplained crash of our systems needs to be investigated as a high priority. We won't be relaxing that policy, though the main cause of novel crashes in FL2 so far has been due to hardware failure. The massively reduced rates of such crashes will give us time to do a good job of such investigations. We're spending the rest of 2025 completing the migration from FL1 to FL2, and will turn off FL1 in early 2026. We're already seeing the benefits in terms of customer performance and speed of development, and we're looking forward to giving these to all our customers.

After that, when everything is modular, in Rust and tested and scaled, we can really start to optimize...!
Thanks to long-time Slashdot reader Beeftopia for sharing the article.

Bluesky has surpassed 40 million users and is launching a "dislikes" beta to improve its personalization algorithms and reduce toxic content. TechCrunch reports: With the "dislikes" beta rolling out soon, Bluesky will take into account the new signal to improve user personalization. As users "dislike" posts, the system will learn what sort of content they want to see less of. This will help to inform more than just how content is ranked in feeds, but also reply rankings.

The company explained the changes are designed to make Bluesky a place for more "fun, genuine, and respectful exchanges" -- an edict that follows a month of unrest on the platform as some users again criticized the platform over its moderation decisions. While Bluesky is designed as a decentralized network where users run their own moderation, some subset of Bluesky users want the platform itself to ban bad actors and controversial figures instead of leaving it up to the users to block them. Bluesky, however, wants to focus more on the tools it provides users to control their own experience.

alternative_right shares a report from Phys.org: It is known in the scientific community that if you have a self-sustained oscillation, such as an arteriole, and you add an external stimulus at a similar but not identical frequency, you can lock the two, meaning you can shift the frequency of the oscillator to that of the external stimulus. In fact, it has been shown that if you connect two clocks, they will eventually synchronize their ticking. Distinguished Professor of Physics and Neurobiology David Kleinfeld found that if he applied an external stimulus to a neuron, the entire vasculature would lock at the same frequency. However, if he stimulated two sets of neurons at two different frequencies, something unexpected happened: some arterioles would lock at one frequency and others would lock at another frequency, forming a staircase effect.

Searching for an explanation, Kleinfeld enlisted the help of his colleague, Professor of Physics Massimo Vergassola, who specializes in understanding the physics of living systems, and then recruited Ecole Normale Superieure graduate student Marie Sellier-Prono and Senior Researcher at the Institute for Complex Systems Massimo Cencini. Together, the researchers found they could use a classical model of coupled oscillators with an intestinal twist. The gut oscillates naturally due to peristalsis -- the contracting and relaxing of muscles in the digestive tract -- and provided a simplified model over the complex network of blood vessels in the brain. The intestine is unidirectional, meaning frequencies shift in one direction in a gradient from higher to lower. This is what enables food to move in one direction from the beginning of the small intestine to the end of the large intestine.

"Coupled oscillators talk to each other and each section of the intestine is an oscillator that talks to the other sections near it," stated Vergassola. "Normally, coupled oscillators are studied in a homogeneous setting, meaning all the oscillators are at more or less similar frequencies. In our case, the oscillators were more varied, just as in the intestine and the brain." In studying the coupled oscillators in the gut, past researchers observed that there is indeed a staircase effect where similar frequencies lock onto those around it, allowing for the rhythmic movement of food through the digestive tract. But the height of the rises or breaks, the length of the stair runs or frequencies, and the conditions under which the staircase phenomenon occurred -- essential features of biological systems -- was something which had not been determined until now. The findings have been published in the journal Physical Review Letters.

Critics question why basic flaws like buffer overflows, command injections, and SQL injections are "being exploited remain prevalent in mission-critical codebases maintained by companies whose core business is cybersecurity," writes CSO Online. Benjamin Harris, CEO of cybersecurity/penetration testing firm watchTowr tells them that "these are vulnerability classes from the 1990s, and security controls to prevent or identify them have existed for a long time. There is really no excuse." Enterprises have long relied on firewalls, routers, VPN servers, and email gateways to protect their networks from attacks. Increasingly, however, these network edge devices are becoming security liabilities themselves... Google's Threat Intelligence Group tracked 75 exploited zero-day vulnerabilities in 2024. Nearly one in three targeted network and security appliances, a strikingly high rate given the range of IT systems attackers could choose to exploit. That trend has continued this year, with similar numbers in the first 10 months of 2025, targeting vendors such as Citrix NetScaler, Ivanti, Fortinet, Palo Alto Networks, Cisco, SonicWall, and Juniper. Network edge devices are attractive targets because they are remotely accessible, fall outside endpoint protection monitoring, contain privileged credentials for lateral movement, and are not integrated into centralized logging solutions...

[R]esearchers have reported vulnerabilities in these systems for over a decade with little attacker interest beyond isolated incidents. That shifted over the past few years with a rapid surge in attacks, making compromised network edge devices one of the top initial access vectors into enterprise networks for state-affiliated cyberespionage groups and ransomware gangs. The COVID-19 pandemic contributed to this shift, as organizations rapidly expanded remote access capabilities by deploying more VPN gateways, firewalls, and secure web and email gateways to accommodate work-from-home mandates. The declining success rate of phishing is another factor... "It is now easier to find a 1990s-tier vulnerability in a border device where Endpoint Detection and Response typically isn't deployed, exploit that, and then pivot from there" [says watchTowr CEL Harris]...

Harris of watchTowr doesn't want to minimize the engineering effort it takes to build a secure system. But he feels many of the vulnerabilities discovered in the past two years should have been caught with automatic code analysis tools or code reviews, given how basic they have been. Some VPN flaws were "trivial to the point of embarrassing for the vendor," he says, while even the complex ones should have been caught by any organization seriously investing in product security... Another problem? These appliances have a lot of legacy code, some that is 10 years or older.
Attackers may need to chain together multiple hard-to-find vulnerabilities across multiple components, the article acknowleges. And "It's also possible that attack campaigns against network-edge devices are becoming more visible to security teams because they are looking into what's happening on these appliances more than they did in the past... "

The article ends with reactions from several vendors of network edge security devices.

Thanks to Slashdot reader snydeq for sharing the article.

An anonymous reader quotes a report from Ars Technica: The outage that hit Amazon Web Services and took out vital services worldwide was the result of a single failure that cascaded from system to system within Amazon's sprawling network, according to a post-mortem from company engineers. [...] Amazon said the root cause of the outage was a software bug in software running the DynamoDB DNS management system. The system monitors the stability of load balancers by, among other things, periodically creating new DNS configurations for endpoints within the AWS network. A race condition is an error that makes a process dependent on the timing or sequence events that are variable and outside the developers' control. The result can be unexpected behavior and potentially harmful failures.

In this case, the race condition resided in the DNS Enactor, a DynamoDB component that constantly updates domain lookup tables in individual AWS endpoints to optimize load balancing as conditions change. As the enactor operated, it "experienced unusually high delays needing to retry its update on several of the DNS endpoints." While the enactor was playing catch-up, a second DynamoDB component, the DNS Planner, continued to generate new plans. Then, a separate DNS Enactor began to implement them. The timing of these two enactors triggered the race condition, which ended up taking out the entire DynamoDB. [...] The failure caused systems that relied on the DynamoDB in Amazon's US-East-1 regional endpoint to experience errors that prevented them from connecting. Both customer traffic and internal AWS services were affected.

The damage resulting from the DynamoDB failure then put a strain on Amazon's EC2 services located in the US-East-1 region. The strain persisted even after DynamoDB was restored, as EC2 in this region worked through a "significant backlog of network state propagations needed to be processed." The engineers went on to say: "While new EC2 instances could be launched successfully, they would not have the necessary network connectivity due to the delays in network state propagation." In turn, the delay in network state propagations spilled over to a network load balancer that AWS services rely on for stability. As a result, AWS customers experienced connection errors from the US-East-1 region. AWS network functions affected included the creating and modifying Redshift clusters, Lambda invocations, and Fargate task launches such as Managed Workflows for Apache Airflow, Outposts lifecycle operations, and the AWS Support Center. Amazon has temporarily disabled its DynamoDB DNS Planner and DNS Enactor automation globally while it fixes the race condition and add safeguards against incorrect DNS plans. Engineers are also updating EC2 and its network load balancer.

Further reading: Amazon's AWS Shows Signs of Weakness as Competitors Charge Ahead

Hackers have been spreading malware through more than 3,000 YouTube videos advertising cracked software and game hacks, cybersecurity firm Check Point warned this week. The campaign, active since at least 2021, tripled its video production in 2025. The videos promoted free versions of Adobe Photoshop, FL Studio, Microsoft Office, and game cheats for titles like Roblox. Fake comments created the appearance of legitimacy, the researchers found.

Users who downloaded archives from Dropbox, Google Drive, or MediaFire were instructed to disable Windows Defender before opening files. The downloads contained malware including Lumma and Rhadamanthys, which steal passwords and cryptocurrency wallet information. The hackers hijacked existing accounts and created new ones. One compromised channel with 129,000 subscribers posted a cracked Photoshop video that reached 291,000 views. Another video for FL Studio received over 147,000 views.

A web browser linked to Chinese online gambling websites and downloaded millions of times routes all internet traffic through servers in China and covertly installs programs that run in the background, according to findings published by network security company Infoblox. The researchers said the Universe Browser, which advertises itself as offering privacy protection, includes features similar to malware such as key logging and surreptitious connections.

Infoblox collaborated with the United Nations Office on Drugs and Crime on the research. The investigators found links between the browser and Southeast Asia's cybercrime ecosystem, which has connections to money laundering, illegal online gambling, human trafficking and scam operations using forced labor. The browser is directly linked to BBIN, a major online gambling company that has existed since 1999. Infoblox researchers examined the Windows version of the browser and found that it checks users' locations and languages when launched, installs two browser extensions, and disables security features including sandboxing.