The United Kingdom's government is planning to ban public sector and critical infrastructure organizations from paying ransoms after ransomware attacks. From a report: The list of entities that would have to follow the new proposed legislation includes local councils, schools, and the publicly funded National Health Service (NHS).

"Ransomware is estimated to cost the UK economy millions of pounds each year, with recent high-profile ransomware attacks highlighting the severe operational, financial, and even life-threatening risks. The ban would target the business model that fuels cyber criminals' activities and makes the vital services the public rely on a less attractive target for ransomware groups," the UK government said.

"We're determined to smash the cyber criminal business model and protect the services we all rely on as we deliver our Plan for Change. By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware," Security Minister Dan Jarvis added.

A six-month international study found that a four-day workweek with no reduction in pay significantly improved employee well-being, job satisfaction, and sleep quality, with burnout dropping most among those who reduced their hours by eight or more. "The results indicate that income-preserving four-day workweeks are an effective organizational intervention for enhancing workers' well-being," the researchers said. The Register reports: The study, reported in Nature Human Behaviour, was designed to test the effects of the four-day workweek with no reduction in pay. It relied on a six-month trial involving 2,896 employees in 141 organizations in Australia, Canada, New Zealand, the UK, Ireland, and the US. The researchers compared work and health-related indicators -- including burnout, job satisfaction, and mental and physical health -- before and after the intervention using survey data. A further 285 employees at 12 companies did not participate in the trial and acted as a control.

The researchers noted that the study was limited in that companies volunteered to participate, and the sample consisted of smaller companies from English-speaking countries. More extensive government-sponsored trials might help provide a clearer picture, they said. While several factors may explain the effect, one possibility is "increased intrinsic motivation at work," the study said. "Unfortunately, [we] cannot assess [this] due to data limitations." "Despite its limitations, this study has important implications for understanding the future of work, with 4-day workweeks probably being a key component. Scientific advances from this work will inform the development of interventions promoting better organization of paid work and worker well-being. This task has become increasingly important with the rapid expansion of new digital, automation, and artificial general intelligence technologies."

An anonymous reader quotes a report from the BBC: One password is believed to have been all it took for a ransomware gang to destroy a 158-year-old company and put 700 people out of work. KNP -- a Northamptonshire transport company -- is just one of tens of thousands of UK businesses that have been hit by such attacks. Big names such as M&S, Co-op and Harrods have all been attacked in recent months. The chief executive of Co-op confirmed last week that all 6.5 million of its members had had their data stolen. In KNP's case, it's thought the hackers managed to gain entry to the computer system by guessing an employee's password, after which they encrypted the company's data and locked its internal systems. KNP director Paul Abbott says he hasn't told the employee that their compromised password most likely led to the destruction of the company. "Would you want to know if it was you?" he asks. "We need organizations to take steps to secure their systems, to secure their businesses," says Richard Horne CEO of the National Cyber Security Centre (NCSC) -- where Panorama has been given exclusive access to the team battling international ransomware gangs. A gang of hackers, known as Akira, broke into the company's system and demanded a payment to restore the data. "The hackers didn't name a price, but a specialist ransomware negotiation firm estimated the sum could be as much as 5 million pounds," reports the BBC. "KNP didn't have that kind of money. In the end all the data was lost, and the company went under."

"Anybody who's got a hosted SharePoint server has got a problem," the senior VP of cybersecurity firm CrowdStrike told the Washington Post. "It's a significant vulnerability."

And it's led to a new "global attack on government agencies and businesses" in the last few days, according to the article, "breaching U.S. federal and state agencies, universities, energy companies and an Asian telecommunications company, according to state officials and private researchers..."

"Tens of thousands of such servers are at risk, experts said, and Microsoft has issued no patch for the flaw, leaving victims around the world scrambling to respond." (Microsoft says they are "working on" security updates "for supported versions of SharePoint 2019 and SharePoint 2016," offering various mitigation suggestions, and CISA has released their own recommendations.)

From the Washington Post's article Sunday: Microsoft has suggested that users make modifications to SharePoint server programs or simply unplug them from the internet to stanch the breach. Microsoft issued an alert to customers but declined to comment further... "We are seeing attempts to exploit thousands of SharePoint servers globally before a patch is available," said Pete Renals, a senior manager with Palo Alto Networks' Unit 42. "We have identified dozens of compromised organizations spanning both commercial and government sectors.''

With access to these servers, which often connect to Outlook email, Teams and other core services, a breach can lead to theft of sensitive data as well as password harvesting, Netherlands-based research company Eye Security noted. What's also alarming, researchers said, is that the hackers have gained access to keys that may allow them to regain entry even after a system is patched. "So pushing out a patch on Monday or Tuesday doesn't help anybody who's been compromised in the past 72 hours," said one researcher, who spoke on the condition of anonymity because a federal investigation is ongoing.

The breaches occurred after Microsoft fixed a security flaw this month. The attackers realized they could use a similar vulnerability, according to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. CISA spokeswoman Marci McCarthy said the agency was alerted to the issue Friday by a cyber research firm and immediately contacted Microsoft... The nonprofit Center for Internet Security, which staffs an information-sharing group for state and local governments, notified about 100 organizations that they were vulnerable and potentially compromised, said Randy Rose, the organization's vice president. Those warned included public schools and universities. Others that were breached included a government agency in Spain, a local agency in Albuquerque and a university in Brazil, security researchers said.
But there's many more breaches, according to the article:

• "Eye Security said it has tracked more than 50 breaches, including at an energy company in a large state and several European government agencies."

• "At least two U.S. federal agencies have seen their servers breached, according to researchers."

• "One state official in the eastern U.S. said the attackers had 'hijacked' a repository of documents provided to the public to help residents understand how their government works. The agency involved can no longer access the material..."

"It was not immediately clear who is behind the hacking of global reach or what its ultimate goal is. One private research company found the hackers targeting servers in China..."

An anonymous reader quotes a report from The Record: Threat actors are stealing sensitive data from organizations by breaching end-of-life appliances made by cybersecurity company SonicWall. Incident responders from Google Threat Intelligence Group (GTIG) and Mandiant said on Wednesday that they have uncovered an ongoing campaign by an unidentified threat group that leverages credentials and one-time password (OTP) seeds stolen during previous intrusions -- allowing the hackers to regain access to organizations even after security updates are installed. [...]

The campaign is targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. Google explained that the malware the hackers are using removes log entries, making it difficult to figure out how they initially gained access to a system. Google said the campaign extends beyond the incidents they investigated directly and added that SonicWall has "confirmed reports of other impacted organizations." The company noted that SonicWall updated an advisory for a bug tracked as CVE-2024-38475 in light of Google's findings. "As an added security measure, we strongly advise customers to reset the OTP (One-Time Password) binding for all users. This step ensures that any potentially compromised or stale OTP secrets are invalidated, thereby mitigating unauthorized access risks," SonicWall said in the update to the advisory..

One novel aspect of the campaign is the use of a backdoor called OVERSTEP, which modifies the SonicWall appliance's boot process to maintain persistent access, steal sensitive credentials and conceal the malware's own components. Incident responders struggled to track other activities by the hackers because OVERSTEP allowed them to delete logs and largely cover their tracks. OVERSTEP is specifically designed for SonicWall SMA 100 series appliances, according to Google. In addition to CVE-2024-38475, Google and Mandiant experts floated several potential vulnerabilities the hackers may have used to gain initial access, including CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039 and, CVE-2025-32819. Beyond those, Google theorized that the hackers may have used an unknown zero-day vulnerability to deploy the malware on targeted SonicWall SMA appliances.

Russian lawmakers passed sweeping new legislation allowing authorities to fine individuals simply for searching and accessing content labeled "extremist" via VPNs. The Washington Post reports: Russia defines "extremist materials" as content officially added by a court to a government-maintained registry, a running list of about 5,500 entries, or content produced by "extremist organizations" ranging from "the LGBT movement" to al-Qaeda. The new law also covers materials that promote alleged Nazi ideology or incite extremist actions. Until now, Russian law stopped short of punishing individuals for seeking information online; only creating or sharing such content is prohibited. The new amendments follow remarks by high-ranking officials that censorship is justified in wartime. Adoption of the measures would mark a significant tightening of Russia's already restrictive digital laws.

The fine for searching for banned content in Russia would be about a $65, while the penalty for advertising circumvention tools such as VPN services would be steeper -- $2,500 for individuals and up to $12,800 for companies. Previously, the most significant expansion of Russia's restrictions on internet use and freedom of speech occurred shortly after the February 2022 full-scale invasion of Ukraine, when sweeping laws criminalized the spread of "fake news" and "discrediting" the Russian military. The new amendment was introduced Tuesday and attached to a mundane bill on regulating freight companies, according to documents published by Russia's lower house of parliament, the State Duma.

A survey of 500 IT asset managers in organizations that use Oracle Java has found that 73% have been audited in the last three years. From a report: At the same time, nearly eight out of 10 Oracle Java users said they had migrated, or planned to shift, to open source Java to try to avoid the risk and high costs of the dominant vendor's development and runtime environments.

Oracle introduced a paid subscription for Java in September 2018, and in January 2023, it decided to switch its pricing model to per employee rather than per user, creating a steep price hike for many users. In July 2023, Gartner recorded users experiencing price increases of between two and five times when they switched to the new licensing model.

Two years later, the survey conducted by market research firm Dimensional Research showed only 14% of Oracle Java users intended to stick with the vendor's subscription model.

Can carbon-reducing projects "offset" a company's emissions? "The reality has been less encouraging," according to a Science magazine editorial by Cary Coglianese, a law/political science professor at University of Pennsylvania, and Cynthia Giles, a former senior advisor at the U.S. Environmental Protection Agency. In a new paper published Wednesday, they found that more than half of all currently-certified carbon auditors signed off on projects later found to be "overclaiming" carbon benefits.

Their conclusion? "Criticism should be directed not at individual auditors as much as the structure of the system that fosters these outcomes." Most carbon offset projects that have been closely scrutinized — including projects for forest protection, renewable energy, and methane-reducing methods of rice cultivation — have greatly exaggerated their climate benefits. More than 80% of issued credits might not reflect real emission reductions. This has alarmed potential offset purchasers and stalled carbon offset markets.

Efforts to resuscitate the beleaguered offset market tout third-party auditing as "essential" to ensuring credit integrity. That reliance is misplaced... [E]xtensive research from many contexts shows that auditors selected and paid by audited organizations often produce results skewed toward those entities' interests. A field experiment in India, for example, found that air and water pollution auditors who were randomly assigned and paid from a central fund reported emissions at levels 50 to 70% higher than auditors selected and paid by audited firms. Auditors — like all people — are subject to a well-established and largely unconscious cognitive phenomenon of self-serving bias, causing them to interpret evidence in favor of their clients...

[A]uditors have been required all along and have failed to prevent substantial credit overclaiming. It is rarely acknowledged that all of the credit overclaiming projects that have stirred so much controversy were ratified by third-party auditors under the same auditor selection and payment system that offset advocates rely on today... Auditors are unlikely to stay in business if they disapprove credits at the high rates that research suggests would be appropriate today...

Given the high planetary stakes in carbon policy choices being made now, it is past time to recognize that third-party auditors selected and paid by the audited organizations are not the bulwark for credit integrity they are claimed to be.

Brian Witten, VP/CSO of automotive technology supplier Aptiv, warns that "While seven to 10 years may sound like a long way off, preparation for quantum threats must begin now, not once they have already materialized." Organizations need time to implement post-quantum cryptography (PQC) transition plans methodically — and that applies both to anyone with an IT infrastructure and to anyone building software-defined systems. "Current encryption, such as RSA and ECC [elliptic curve cryptography], will become obsolete once quantum computing matures," said Cigent cofounder John Benkert. "Management often assumes cybersecurity threats are only present-day problems. But this is a future-proofing issue — especially relevant for industries dealing with sensitive, long-lifespan data, like healthcare, finance or government." Remediation requires long-term planning. Organizations that wait until quantum computers have broken encryption to address the threat will find that it is too late.
Start by building an inventory of what needs to change, Witten recommends. (Fortunately, "It's a matter of using newer and different chips and algorithms, not necessarily more expensive components," he writes, also suggesting requests for proposals "should ask vendors to include a PQC update plan.")

Firmware will also need quantum-resistant digital signatures. ("Broken authentication lets bad things happen. Someone could remotely take over a vehicle, for instance, or send malicious code for autonomous execution later, even after the vehicle has gone offline.") And remember that post-quantum key sizes are larger, requiring more storage space. "In some cases, digitally signed messages with security information could triple in size, which could impact storage and bandwidth."

Thanks to Esther Schindler (Slashdot reader #16,185) for sharing the article.

Restaurants and bars face mounting financial pressure from music licensing fees as the number of Performing Rights Organizations has expanded from three dominant players to at least six nationwide. The National Restaurant Association reports members pay an average of $4,500 annually for music licenses, representing 0.5% of total sales for small establishments. Hotels have experienced even steeper increases, with one major chain seeing costs rise 200% from 2021-2025, and some properties facing 400% jumps.

The proliferation stems from streaming's revenue surge, which attracted new PROs seeking market share. Since many songs involve multiple songwriters affiliated with different organizations, venues must secure licenses from each PRO or risk lawsuits carrying penalties up to $150,000 per infringement.

An anonymous reader quotes a report from 404 Media: For someone who says she is fighting AI bot scrapers just in her free time, Xe Iaso seems to be putting up an impressive fight. Since she launched it in January, Anubis, a "program is designed to help protect the small internet from the endless storm of requests that flood in from AI companies," has been downloaded nearly 200,000 times, and is being used by notable organizations including GNOME, the popular open-source desktop environment for Linux, FFmpeg, the open-source software project for handling video and other media, and UNESCO, the United Nations organization for educations, science, and culture. [...]

"Anubis is an uncaptcha," Iaso explains on her site. "It uses features of your browser to automate a lot of the work that a CAPTCHA would, and right now the main implementation is by having it run a bunch of cryptographic math with JavaScript to prove that you can run JavaScript in a way that can be validated on the server." Essentially, Anubis verifies that any visitor to a site is a human using a browser as opposed to a bot. One of the ways it does this is by making the browser do a type of cryptographic math with JavaScript or other subtle checks that browsers do by default but bots have to be explicitly programmed to do. This check is invisible to the user, and most browsers since 2022 are able to complete this test. In theory, bot scrapers could pretend to be users with browsers as well, but the additional computational cost of doing so on the scale of scraping the entire internet would be huge. This way, Anubis creates a computational cost that is prohibitively expensive for AI scrapers that are hitting millions and millions of sites, but marginal for an individual user who is just using the internet like a human.

Anubis is free, open source, lightweight, can be self-hosted, and can be implemented almost anywhere. It also appears to be a pretty good solution for what we've repeatedly reported is a widespread problem across the internet, which helps explain its popularity. But Iaso is still putting a lot of work into improving it and adding features. She told me she's working on a non cryptographic challenge so it taxes users' CPUs less, and also thinking about a version that doesn't require JavaScript, which some privacy-minded disable in their browsers. The biggest challenge in developing Anubis, Iaso said, is finding the balance. "The balance between figuring out how to block things without people being blocked, without affecting too many people with false positives," she said. "And also making sure that the people running the bots can't figure out what pattern they're hitting, while also letting people that are caught in the web be able to figure out what pattern they're hitting, so that they can contact the organization and get help. So that's like, you know, the standard, impossible scenario."

"The China Film Foundation, a nonprofit fund under the Chinese government, plans to use AI to revitalize 100 kung fu classics including Police Story, Once Upon a Time in China and Fist of Fury, featuring Jackie Chan, Jet Li and Bruce Lee, respectively," reports the Los Angeles Times.

"The foundation said it will partner with businesses including Shanghai Canxing Culture & Media Co., which will license 100 Hong Kong films to AI companies to reintroduce those movies to younger audiences globally." The foundation said there are opportunities to use AI to tell those stories through animation, for example. There are plans to release an animated version of director John Woo's 1986 film A Better Tomorrow that uses AI to "reinterpret" Woo's "signature visual language," according to an English transcript of the announcement....

The project raised eyebrows among U.S. artists, many of whom are deeply wary of the use of AI in creative pursuits. The Directors Guild of America said AI is a creative tool that should only be used to enhance the creative storytelling process and "it should never be used retroactively to distort or destroy a filmmaker's artistic work... The DGA strongly opposes the use of AI or any other technology to mutilate a film or to alter a director's vision," the DGA said in a statement. "The Guild has a longstanding history of opposing such alterations on issues like colorization or sanitization of films to eliminate so-called 'objectionable content', or other changes that fundamentally alter a film's original style, meaning, and substance."

The project highlights widely divergent views on AI's potential to reshape entertainment as the two countries compete for dominance in the highly competitive AI space.... During the project's announcement, supporters touted the opportunity AI will bring to China to further its cultural message globally and generate new work for creatives. At the same time, they touted AI's disruption of the filmmaking process, saying the A Better Tomorrow remake was completed with just 30 people, significantly fewer than a typical animated project. China is a "more brutal society in that sense," said Eric Harwit, professor of Asian studies at the University of Hawaii at Manoa. "If somebody loses their job because artificial intelligence is taking over, well, that's just the cost of China's moving forward.... You don't have those freestanding labor organizations, so they don't have that kind of clout to protest against the Chinese using artificial intelligence in a way that might reduce their job opportunities or lead to layoffs in the sector..."

The kung fu revitalization efforts will extend into other areas, including the creation of a martial arts video game.
The article also includes an interesting statistic. "Many people in China embrace AI, with 83% feeling confident that AI systems are designed to act in the best interest of society, much higher than the U.S. where it's 37%, according to a survey from the United Nations Development Program."

We're living in a new world now — one where it's an AI-powered penetration tester that "now tops an eminent US security industry leaderboard that ranks red teamers based on reputation." CSO Online reports: On HackerOne, which connects organizations with ethical hackers to participate in their bug bounty programs, "Xbow" scored notably higher than 99 other hackers in identifying and reporting enterprise software vulnerabilities. It's a first in bug bounty history, according to the company that operates the eponymous bot...

Xbow is a fully autonomous AI-driven penetration tester (pentester) that requires no human input, but, its creators said, "operates much like a human pentester" that can scale rapidly and complete comprehensive penetration tests in just a few hours. According to its website, it passes 75% of web security benchmarks, accurately finding and exploiting vulnerabilities.

Xbow submitted nearly 1,060 vulnerabilities to HackerOne, including remote code execution, information disclosures, cache poisoning, SQL injection, XML external entities, path traversal, server-side request forgery (SSRF), cross-site scripting, and secret exposure. The company said it also identified a previously unknown vulnerability in Palo Alto's GlobalProtect VPN platform that impacted more than 2,000 hosts. Of the vulnerabilities Xbow submitted over the last 90 days, 54 were classified as critical, 242 as high and 524 as medium in severity. The company's bug bounty programs have resolved 130 vulnerabilities, and 303 are classified as triaged.

Notably, though, roughly 45% of the vulnerabilities it found are still awaiting resolution, highlighting the "volume and impact of the submissions across live targets," Nico Waisman, Xbow's head of security, wrote in a blog post this week... To further hone the technology, the company developed "validators," — automated peer reviewers that confirm each uncovered vulnerability, Waisman explained.
"As attackers adopt AI to automate and accelerate exploitation, defenders must meet them with even more capable systems," XBOW's CEO said this week, as the company raised $75 million in Series B funding to grow its platform, bringing its total funding to $117 million. Help Net Security reports: With the new funding, XBOW plans to grow its engineering team and expand its go-to-market efforts. The product is now generally available, and the company says it is working with large banks, tech firms, and other organizations that helped shape the platform during its early testing phase. XBOW's long-term goal is to help security teams stay ahead of adversaries using advanced automation. As attackers increasingly turn to AI, the company argues that defenders will need equally capable systems to match their speed and sophistication.

An anonymous reader quotes a report from Ars Technica: Last week, OpenAI raised objections in court, hoping to overturn a court order requiring the AI company to retain all ChatGPT logs "indefinitely," including deleted and temporary chats. But Sidney Stein, the US district judge reviewing OpenAI's request, immediately denied OpenAI's objections. He was seemingly unmoved by the company's claims that the order forced OpenAI to abandon "long-standing privacy norms" and weaken privacy protections that users expect based on ChatGPT's terms of service. Rather, Stein suggested that OpenAI's user agreement specified that their data could be retained as part of a legal process, which Stein said is exactly what is happening now.

The order was issued by magistrate judge Ona Wang just days after news organizations, led by The New York Times, requested it. The news plaintiffs claimed the order was urgently needed to preserve potential evidence in their copyright case, alleging that ChatGPT users are likely to delete chats where they attempted to use the chatbot to skirt paywalls to access news content. A spokesperson told Ars that OpenAI plans to "keep fighting" the order, but the ChatGPT maker seems to have few options left. They could possibly petition the Second Circuit Court of Appeals for a rarely granted emergency order that could intervene to block Wang's order, but the appeals court would have to consider Wang's order an extraordinary abuse of discretion for OpenAI to win that fight.

In the meantime, OpenAI is negotiating a process that will allow news plaintiffs to search through the retained data. Perhaps the sooner that process begins, the sooner the data will be deleted. And that possibility puts OpenAI in the difficult position of having to choose between either caving to some data collection to stop retaining data as soon as possible or prolonging the fight over the order and potentially putting more users' private conversations at risk of exposure through litigation or, worse, a data breach. [...]

Both sides are negotiating the exact process for searching through the chat logs, with both parties seemingly hoping to minimize the amount of time the chat logs will be preserved. For OpenAI, sharing the logs risks revealing instances of infringing outputs that could further spike damages in the case. The logs could also expose how often outputs attribute misinformation to news plaintiffs. But for news plaintiffs, accessing the logs is not considered key to their case -- perhaps providing additional examples of copying -- but could help news organizations argue that ChatGPT dilutes the market for their content. That could weigh against the fair use argument, as a judge opined in a recent ruling that evidence of market dilution could tip an AI copyright case in favor of plaintiffs.

An anonymous reader shares a report: Law enforcement officials are investigating a former employee of a company that negotiates with hackers and facilitates cryptocurrency payments during ransomware attacks, according to a statement from the firm, DigitalMint. DigitalMint President Marc Jason Grens this week told organizations it works with that the US Justice Department is examining allegations that the then-employee struck deals with hackers to profit from extortion payments, according to a person familiar with the matter.

Grens did not identify the employee by name and characterized their actions as isolated, said the person, who spoke on condition that they not be identified describing private conversations. DigitalMint is cooperating with a criminal investigation into "alleged unauthorized conduct by the employee while employed here," Grens said in an email to Bloomberg News. The Chicago-based company is not the target of the investigation and the employee "was immediately terminated," Grens said, adding that he can't provide more information because the probe is ongoing.

China's Northwestern Polytechnical University successfully tested a hypersonic aircraft called Feitian-2, claiming it reached Mach 12 and achieved a world-first by autonomously switching between rocket and ramjet propulsion mid-flight. The Register reports: The University named the craft "Feitian-2" and according to Chinese media the test flight saw it reach Mach 12 (14,800 km/h or 9,200 mph) -- handily faster than the Mach 5 speeds considered to represent hypersonic flight. Chinese media have not detailed the size of Feitian-2, or its capabilities other than to repeat the University's claim that it combined a rocket and a ramjet into a single unit. [...] The University and Chinese media claim the Feitian-2 flew autonomously while changing from rocket to ramjet while handling the hellish stresses that come with high speed flight.

This test matters because, as the US Congressional Budget Office found in 2023, hypothetical hypersonic missiles "have the potential to create uncertainty about what their ultimate target is. Their low flight profile puts them below the horizon for long-range radar and makes them difficult to track, and their ability to maneuver while gliding makes their path unpredictable." "Hypersonic weapons can also maneuver unpredictably at high speeds to counter short-range defenses near a target, making it harder to track and intercept them," the Office found.

Washington is so worried about Beijing developing hypersonic weapons that the Trump administration cited the possibility as one reason for banning another 27 Chinese organizations from doing business with US suppliers of AI and advanced computing tech. The flight of Feitian-2 was therefore a further demonstration of China's ability to develop advanced technologies despite US bans.

AI agents are now conducting first-round job interviews to screen candidates before human recruiters review them, according to WashingtonPost, which cites job seekers who report being contacted by virtual recruiters from different staffing companies. The conversational agents, built on large language models, help recruiting firms respond to every applicant and conduct interviews around the clock as companies face increasingly large talent pools.

LinkedIn reported that job applications have jumped 30% in the last two years, partially due to AI, with some positions receiving hundreds of applications within hours. The Society for Human Resource Management said a growing number of organizations now use AI for recruiting to automate candidate searches and communicate with applicants during interviews. The AI interviews, conducted by phone or video, can last anywhere from a few minutes to 20 minutes depending on the candidate's experience and the hiring firm's questions.

An anonymous reader shared this report from the tech news site The Register: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) this week published guidance urging software developers to adopt memory-safe programming languages. "The importance of memory safety cannot be overstated," the inter-agency report says...

The CISA/NSA report revisits the rationale for greater memory safety and the government's calls to adopt memory-safe languages (MSLs) while also acknowledging the reality that not every agency can change horses mid-stream. "A balanced approach acknowledges that MSLs are not a panacea and that transitioning involves significant challenges, particularly for organizations with large existing codebases or mission-critical systems," the report says. "However, several benefits, such as increased reliability, reduced attack surface, and decreased long-term costs, make a strong case for MSL adoption."

The report cites how Google by 2024 managed to reduce memory safety vulnerabilities in Android to 24 percent of the total. It goes on to provide an overview of the various benefits of adopting MSLs and discusses adoption challenges. And it urges the tech industry to promote memory safety by, for example, advertising jobs that require MSL expertise.

It also cites various government projects to accelerate the transition to MSLs, such as the Defense Advanced Research Projects Agency (DARPA) Translating All C to Rust (TRACTOR) program, which aspires to develop an automated method to translate C code to Rust. A recent effort along these lines, dubbed Omniglot, has been proposed by researchers at Princeton, UC Berkeley, and UC San Diego. It provides a safe way for unsafe libraries to communicate with Rust code through a Foreign Function Interface....

"Memory vulnerabilities pose serious risks to national security and critical infrastructure," the report concludes. "MSLs offer the most comprehensive mitigation against this pervasive and dangerous class of vulnerability."
"Adopting memory-safe languages can accelerate modern software development and enhance security by eliminating these vulnerabilities at their root," the report concludes, calling the idea "an investment in a secure software future."

"By defining memory safety roadmaps and leading the adoption of best practices, organizations can significantly improve software resilience and help ensure a safer digital landscape."

Steven J. Vaughan-Nichols writes in an opinion piece for The Register: Microsoft, tactically admitting it has failed at talking all the Windows 10 PC users into moving to Windows 11 after all, is -- sort of, kind of -- extending Windows 10 support for another year. For most users, that means they'll need to subscribe to Microsoft 365. This, in turn, means their data and meta-information will be kept in a US-based datacenter. That isn't sitting so well with many European Union (EU) organizations and companies. It doesn't sit that well with me or a lot of other people either.

A few years back, I wrote in these very pages that Microsoft didn't want you so much to buy Windows as subscribe to its cloud services and keep your data on its servers. If you wanted a real desktop operating system, Linux would be almost your only choice. Nothing has changed since then, except that folks are getting a wee bit more concerned about their privacy now that President Donald Trump is in charge of the US. You may have noticed that he and his regime love getting their hands on other people's data.

Privacy isn't the only issue. Can you trust Microsoft to deliver on its service promises under American political pressure? Ask the EU-based International Criminal Court (ICC) which after it issued arrest warrants for Israeli Prime Minister Benjamin Netanyahu for war crimes, Trump imposed sanctions on the ICC. Soon afterward, ICC's chief prosecutor, Karim Khan, was reportedly locked out of his Microsoft email accounts. Coincidence? Some think not. Microsoft denies they had anything to do with this.

Peter Ganten, chairman of the German-based Open-Source Business Alliance (OSBA), opined that these sanctions ordered by the US which he alleged had been implemented by Microsoft "must be a wake-up call for all those responsible for the secure availability of state and private IT and communication infrastructures." Microsoft chairman and general counsel, Brad Smith, had promised that it would stand behind its EU customers against political pressure. In the aftermath of the ICC reports, Smith declared Microsoft had not been "in any way [involved in] the cessation of services to the ICC." In the meantime, if you want to reach Khan, you'll find him on the privacy-first Swiss email provider, ProtonMail.

In short, besides all the other good reasons for people switching to the Linux desktop - security, Linux is now easy to use, and, thanks to Steam, you can do serious gaming on Linux - privacy has become much more critical. That's why several EU governments have decided that moving to the Linux desktop makes a lot of sense... Besides, all these governments know that switching from Windows 10 to 11 isn't cheap. While finances also play a role, and I always believe in "following the money" when it comes to such software decisions, there's no question that Europe is worried about just how trustworthy America and its companies are these days. Do you blame them? I don't. The shift to the Linux desktop is "nothing new," as Vaughan-Nichols notes. Munich launched its LiMux project back in 2004 and, despite ending it in 2017, reignited its open-source commitment by establishing a dedicated program office in 2024. In France, the gendarmerie now operates over 100,000 computers on a custom Ubuntu-based OS (GendBuntu), while the city of Lyon is transitioning to Linux and PostgreSQL.

More recently, Denmark announced it is dropping Windows and Office in favor of Linux and LibreOffice, citing digital sovereignty. The German state of Schleswig-Holstein is following suit, also moving away from Microsoft software. Meanwhile, a pan-European Linux OS (EU OS) based on Fedora Kinoite is being explored, with Linux Mint and openSUSE among the alternatives under consideration.

theodp writes: FWD.us, the immigration and criminal justice-focused nonprofit of Meta CEO Mark Zuckerberg -- the world's third richest person, according to Forbes with an estimated $250B net worth -- has released a new research report warning that announced immigration policies will hurt American families, who can't afford it with their meager savings.

The report begins: "Inflation remains a top concern for the majority of Americans. But new immigration policies announced by President Trump, and already underway, such as revoking immigrant work permits, deporting millions of people, and limiting legal immigration, would directly undermine the goal to level out, or even lower, the costs of everyday and essential goods and services. In fact, all Americans, particularly working-class families, are about to unnecessarily see prices for goods and services like food and housing increase substantially again, above and beyond other economic policies like global tariffs that could also raise prices. Announced immigration policies will result in American families paying an additional $2,150 for goods and services each year by the end of 2028, or the equivalent of the average American family's grocery bill for 3 months or their combined electricity and gas bills for the entire year. Such an annual increase would represent a tax that would erase many American families' annual savings, and amount to one of their bi-weekly paychecks each year. Unlike past periods of inflation, Americans have not been saving at the same rate as earlier years, and can't as easily absorb these price increases, squeezing American budgets even further."

In 2021, Zuckerberg's FWD.us teamed with the nation's tech giants to file a brief with the Supreme Court case to help crush WashTech (a tiny programmers' union), who challenged the lawfulness of hiring international students under the Optional Practical Training (OPT) program. "Striking down OPT and STEM OPT," FWD.us and its tech giant partners argued in their filing, [PDF] "would create a sudden labor shortage in the United States for many companies' most important technical jobs" and "hurt U.S. workers." The brief also dismissed WashTech's contention that the programs coupled with a talent surplus would shut U.S. workers out of the labor market, citing Microsoft's President Brad Smith's claim of an acute talent shortage and a 2.4% unemployment rate for computer occupations (that was then, this is now).