Slashdot reader zlives shared this report from BleepingComputer: Microsoft used its AI-powered Security Copilot to discover 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders.

GRUB2 (GRand Unified Bootloader) is the default boot loader for most Linux distributions, including Ubuntu, while U-Boot and Barebox are commonly used in embedded and IoT devices. Microsoft discovered eleven vulnerabilities in GRUB2, including integer and buffer overflows in filesystem parsers, command flaws, and a side-channel in cryptographic comparison. Additionally, 9 buffer overflows in parsing SquashFS, EXT4, CramFS, JFFS2, and symlinks were discovered in U-Boot and Barebox, which require physical access to exploit.

The newly discovered flaws impact devices relying on UEFI Secure Boot, and if the right conditions are met, attackers can bypass security protections to execute arbitrary code on the device. While exploiting these flaws would likely need local access to devices, previous bootkit attacks like BlackLotus achieved this through malware infections.
Miccrosoft titled its blog post "Analyzing open-source bootloaders: Finding vulnerabilities faster with AI." (And they do note that Micxrosoft disclosed the discovered vulnerabilities to the GRUB2, U-boot, and Barebox maintainers and "worked with the GRUB2 maintainers to contribute fixes... GRUB2 maintainers released security updates on February 18, 2025, and both the U-boot and Barebox maintainers released updates on February 19, 2025.")

They add that performing their initial research, using Security Copilot "saved our team approximately a week's worth of time," Microsoft writes, "that would have otherwise been spent manually reviewing the content." Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability. Copilot also assisted in finding similar patterns in other files, ensuring comprehensive coverage and validation of our findings...

As AI continues to emerge as a key tool in the cybersecurity community, Microsoft emphasizes the importance of vendors and researchers maintaining their focus on information sharing. This approach ensures that AI's advantages in rapid vulnerability discovery, remediation, and accelerated security operations can effectively counter malicious actors' attempts to use AI to scale common attack tactics, techniques, and procedures (TTPs).
This week Google also announced Sec-Gemini v1, "a new experimental AI model focused on advancing cybersecurity AI frontiers."

Hackers targeting Australia's major pension funds in a series of coordinated attacks have stolen savings from some members at the biggest fund, Reuters is reporting, citing a source, and compromised more than 20,000 accounts. From the report: National Cyber Security Coordinator Michelle McGuinness said in a statement she was aware of "cyber criminals" targeting accounts in the country's A$4.2 trillion ($2.63 trillion) retirement savings sector and was organising a response across the government, regulators and industry. The Association of Superannuation Funds of Australia, the industry body, said "a number" of funds were impacted over the weekend. While the full scale of the incident remains unclear, AustralianSuper, Australian Retirement Trust, Rest, Insignia and Hostplus on Friday all confirmed they suffered breaches.

"Microsoft built things. It broke things."

That's how the Seattle Times kicks off a series of articles celebrating Microsoft's 50th anniversary — adding that Microsoft also gave some people "a lucrative retirement early in their lives, and their own stories to tell."

What did they remember from Microsoft's earliest days? Scott Oki joined Microsoft as employee no. 121. The company was small; Gates was hands-on, and hard to please. "One of his favorite phrases was 'that's the stupidest thing I've ever heard,'" Oki says. "He didn't use that on me, so I feel pretty good about that."

Another, kinder phrase that pops to Oki's mind when discussing the international division he founded at Microsoft is "bringing home the bacon." An obsession with rapid revenue growth permeated Microsoft in those early days. Oki was about three weeks into the job as marketing manager when he presented a global expansion plan to Gates. "Had I done business internationally before? No," Oki said. "Do I speak a language other than English? No." But Gates gave Oki a $1 million budget to found the international division and sell Microsoft products overseas.

He established subsidiaries in the most important markets at the time: Japan, United Kingdom, Germany and France. And, because he had a few bucks left over, Australia. "Of the initial subsidiaries we started, every single one of them was profitable in its first year," he says...

Oki left Microsoft on March 1, 1992, 10 years to the day after he was hired.
Other memories shared by early Microsoft employees:

• One recent graudate remembered her parents in Spokane saying "I think that's Mary and Bill Gates' son's company. If that kid is anything like those two, that is going to be a great company,'" She got her first job at Microsoft in 1992 — and 33 years later, she's a senior director at Microsoft Philanthropies.

• The Times also interviewed one of Microsoft's first lawyers, who remembers that "The day the U.S. government sued Microsoft ... that was a tough day for me. It kind of turned my world upside down for about the next eight years."

• Microsoft senior VP Brad Chase remembers negotiating with the Rolling Stones for the rights to their song "Start Me Up" for the Windows 95 ad campaign. ("Chase is quick to dispel any rumor that Mick Jagger called up Bill Gates and got $12 million. But he won't say how much the company paid.")
  
  But Chase does tell the Times that Bill Gates "used to say all of the time, 'We're going to bet the company on Windows.' That was a huge bet because Windows, frankly, was a lousy product in its early days."

Though it's stock price is still up 200% from its IPO in March of 2024 — last week Reddit's stock had dropped nearly 50% since February 7th.

And then this week, it dropped another 10%, reports Bloomberg, citing both the phenomenon of "volatile technology stocks under pressure" — but also specifically "the gloomy sentiment around Reddit..." The social media platform has struggled to recover since an earnings report in February showed that it is failing to keep up with larger digital advertising peers such as Meta Platforms Inc. and Alphabet Inc.'s Google, which have higher user figures. Reddit's outlook seemed precarious because its U.S. traffic took a hit from a change in Google's search algorithm.

In recent weeks, the short interest in Reddit — a proxy for the volume of bets against the company — has ticked up, and forecasts for the company's share price have fallen. One analyst opened coverage of Reddit this month with a recommendation that investors sell the shares, in part due to the company's heavy reliance on Google. Reddit shares fell more than 5% in intraday trading Friday. "It's been super overvalued," Bob Lang, founder and chief options analyst at Explosive Options said of Reddit. "Their growth rate is very strong, but they still are not making any money." Reddit had a GAAP earnings per share loss of $3.33 in 2024, but reported two consecutive quarters of positive GAAP EPS in the second half of the year...

At its February peak, Reddit's stock had risen over 500% from the $34 initial public offering price last March. Some of the enthusiasm was due to a series of deals in which Reddit was paid to allow its content to be used for training artificial intelligence models. More recently, though, there have been questions about the long-term growth prospects for the artificial intelligence industry.
"On Wall Street, the average price target from analysts has fallen to about $195 from $207 a month ago," the article points out. "That still offers a roughly $85 upside from where shares closed following Thursday's 8% slump..."

Meanwhile Reuters reported that more than 33,000 U.S. Reddit users experienced disruptions on Thursday according to Downdetector.com. "A Reddit spokesperson said the outage was due to a bug in a recent update, which has now been fixed."

New research suggests that Prototaxites, once believed to be a giant fungus, may actually represent an entirely extinct and previously unknown branch of complex life, distinct from fungi, plants, animals, and protists. Live Science reports: The researchers studied the fossilized remains of one Prototaxites species named Prototaxites taiti, found preserved in the Rhynie chert, a sedimentary deposit of exceptionally well-preserved fossils of early land plants and animals in Scotland. This species was much smaller than many other species of Prototaxites, only growing up to a few inches tall, but it is still the largest Prototaxites specimen found in this region. Upon examining the internal structure of the fossilized Prototaxites, the researchers found that its interior was made up of a series of tubes, similar to those within a fungus. But these tubes branched off and reconnected in ways very unlike those seen in modern fungi. "We report that Prototaxites taiti was the largest organism in the Rhynie ecosystem and its anatomy was fundamentally distinct from all known extant or extinct fungi," the researchers wrote in the paper. "We therefore conclude that Prototaxites was not a fungus, and instead propose it is best assigned to a now entirely extinct terrestrial lineage."

True fungi from the same period have also been preserved in the Rhynie chert, enabling the researchers to chemically compare them to Prototaxites. In addition to their unique structural characteristics, the team found that the Prototaxites fossils left completely different chemical signatures to the fungi fossils, indicating that the Prototaxites did not contain chitin, a major building block of fungal cell walls and a hallmark of the fungal kingdom. The Prototaxites fossils instead appeared to contain chemicals similar to lignin, which is found in the wood and bark of plants. "We conclude that the morphology and molecular fingerprint of P. taiti is clearly distinct from that of the fungi and other organism preserved alongside it in the Rhynie chert, and we suggest that it is best considered a member of a previously undescribed, entirely extinct group of eukaryotes," the researchers wrote. The research has been published on the preprint server bioRxiv.

As NASA faces potential budget cuts, China is unveiling an ambitious series of deep space missions -- including Mars sample returns, outer planet exploration, and a future Mars base. While some of China's plans are aspirational, their track record of successful missions lends credibility to their expanding role in space. Ars Technica reports: China created a new entity called the "Deep Space Exploration Laboratory" three years ago to strengthen the country's approach to exploring the Solar System. Located in eastern China, not far from Shanghai, the new laboratory represented a partnership between China's national space agency and a local public college, the University of Science and Technology of China.

Not much is known outside of China about the laboratory, but it has recently revealed some very ambitious plans to explore the Solar System, including the outer planets. This week, as part of a presentation, Chinese officials shared some public dates about future missions. Space journalist Andrew Jones, who tracks China's space program, shared some images with a few details. Among the planned missions are:

- 2028: Tianwen-3 mission to collect samples of Martian soil and rocks and return them to Earth
- 2029: Tianwen-4 mission to explore Jupiter and its moon Callisto
- 2030: Development of a large, ground-based habitat to simulate long-duration human spaceflight
- 2033: Mission to Venus that will return samples of its atmosphere to Earth
- 2038: Establishment of an autonomous Mars research station to study in-situ resource utilization
- 2039: Mission to Triton, Neptune's largest moon, with a subsurface explorer for its ocean

Ubisoft is launching a new subsidiary focused on Assassin's Creed, Far Cry, and Rainbow Six, backed by a 1.16 billion-euro investment from Tencent. "The as-yet-unnamed subsidiary will fold in the teams working on those three series, including Ubisoft studios in Montreal, Quebec, Sherbrooke, Saguenay, Barcelona and Sofia," reports Engadget. From the report: This new business will receive an investment of 1.16 billion-euro (roughly $1.25 billion) from its longstanding partner Tencent, granting the conglomerate a minority ownership stake. Following the transaction, Ubisoft will narrow focus to its other franchises, such as The Division and Tom Clancy's Ghost Recon. [...] There is some extra good news in the announcement. The description of the new subsidiary does specify that "it will drive further increases in quality of narrative solo experiences." So while we can expect to also see multiplayer and free-to-play offerings from the Ubisoft umbrella, they aren't giving up on single-player games. "Today Ubisoft is opening a new chapter in its history," CEO and Co-Founder Yves Guillemot said. "As we accelerate the company's transformation, this is a foundational step in changing Ubisoft's operating model that will enable us to be both agile and ambitious."

MojoKid writes: Similar to Nvidia's recent desktop graphics launches, there are four initial GeForce RTX 50 series laptop GPUs coming to market, starting this month. At the top of the stack is the GeForce RTX 5090 laptop GPU, which is equipped with 10,496 CUDA cores and is paired to 24GB of memory. Boost clocks top out around 2,160MHz and GPU power can range from 95-150 watts, depending on the particular laptop model. GeForce RTX 50 series GPUs for both laptops and desktops feature updated shader cores with support for neural shading, in addition to 4th gen ray tracing cores and 5th gen Tensor cores with support for DLSS 4. The GeForce RTX 50 series features a native PCIe gen 5 interface, in addition to support for DisplayPort 2.1b (up to UHBR20). These GPUs are also fed by the latest high speed GDDR7 memory, which offers efficiency benefits that are pertinent to laptop designs as well. Performance-wise, NVIDIA's mobile GeForce RTX 5090 is the new king of the hill in gaming laptops, and it easily bests all other discrete mobile graphics options on the market currently.

sciencehabit quotes a report from Science.org: Whales sing, orcas squeal, and sea turtles croak. But sharks are more the strong, silent type. Now, researchers report the first evidence that sharks make sounds, too, described today in Royal Society Open Science. The animals may be making the sounds -- a series of clicking noises -- by snapping their flat rows of teeth, which are blunt for crushing prey. The sharks can hear mostly low-frequency noise, and the clicks they emit are higher pitched, which suggests they are not for communicating with other rigs. It's possible they are a defensive tactic. Marine mammals that eat rigs, such as leopard seals, can hear in the frequency range of the rig clicks, but the researchers question whether a few clicks would deter an attack. The sounds might be part of their response to being startled, the team says.

wiredmikey shares a report from SecurityWeek: Google late Tuesday rushed out a patch for a sandbox escape vulnerability in its flagship Chrome browser after researchers at Kaspersky caught a professional hacking operation launching drive-by download exploits. The vulnerability, tracked as CVE-2025-2783, was chained with a second exploit for remote code execution in what appears to be a nation-state sponsored cyberespionage campaign [dubbed Operation ForumTroll] targeting organizations in Russia.

Kaspersky said it detected a series of infections triggered by phishing emails in the middle of March and traced the incidents to a zero-day that fired when victims simply clicked on a booby-trapped website from a Chrome browser. The Russian anti-malware vendor said victims merely had to click on a personalized, short-lived link, and their systems were compromised when the malicious website was opened in Chrome. Kaspersky said its exploit detection tools picked up on the zero-day, and after reverse-engineering the code, the team reported the bug to Google and coordinated the fix released on Tuesday.

"In a conversation with Tony Yu from Asus China, AMD CEO Lisa Su shared that the Radeon RX 9000 series graphics cards have quickly become a huge hit, breaking records as AMD's top-selling GPUs within just a week of release," writes Slashdot reader jjslash. TechSpot reports: AMD CEO Lisa Su has confirmed that the company's new Radeon RX 9000 graphics cards have been a massive success, selling 10 times more units than their predecessors in just one week on the market. Su also stated that more RDNA 4 cards are on the way, but did not confirm whether the lineup will include the rumored Radeon RX 9060. When asked about the limited availability of the new cards, Su said that AMD is ramping up production to ensure greater supply at retailers worldwide. She also expressed hope that increased availability would help stabilize pricing by discouraging scalping and price gouging.

An anonymous reader quotes a report from Ars Technica: World of Warcraft Classic's Hardcore mode has set itself apart from the average MMO experience simply by making character death permanent across the entire in-game realm. For years, Blizzard has not allowed any appeals or rollbacks for these Hardcore mode character deaths, even when such deaths came as the direct result of a server disconnection or gameplay bug. Now, Blizzard says it's modifying that policy somewhat in response to a series of "unprecedented distributed-denial-of-service (DDOS) attacks" undertaken "with the singular goal of disrupting players' experiences." The World of Warcraft developer says it may now resurrect Classic Hardcore characters "at our sole discretion" when those deaths come "in a mass event which we deem inconsistent with the integrity of the game." WoW's Classic Hardcore made it a hotspot for streamers, especially members of the OnlyFangs Guild, who embraced the challenge that one mistake could end a character's run. However, as Ars Technica reports, a series of DDOS attacks timed with their major livestreamed raids led to character deaths and widespread frustration, prompting streamer sodapoppin to declare the guild's end.

Blizzard responded by updating its Hardcore policy to resurrect characters lost specifically to DDOS attacks. "Recently, we have experienced unprecedented distributed-denial-of-service (DDOS) attacks that impacted many Blizzard game services, including Hardcore realms, with the singular goal of disrupting players' experiences," WoW Classic Associate Production Director Clay Stone wrote in a public message. "As we continue our work to further strengthen the resilience of WoW realms and our rapid response time, we're taking steps to resurrect player-characters that were lost as a result of these attacks."

A software engineer discovered that his newly purchased Bosch 500 series dishwasher locks basic functionality behind cloud connectivity, reigniting concerns about internet-dependent home appliances. Jeff Geerling found that features like rinse cycle, delayed start and eco mode on his $1,000 dishwasher require connecting to WiFi and creating an account with "Home Connect," Bosch's cloud service.

Geerling criticized the approach as potentially part of planned obsolescence, noting that without a current subscription fee, the company will likely either shutter the service or introduce payments for previously standard features.

schwit1 writes:

A compact, deep-sea, cable-cutting device, capable of severing the world's most fortified underwater communication or power lines, has been unveiled by China -- and it could shake up global maritime power dynamics.

The revelation marks the first time any country has officially disclosed that it has such an asset, capable of disrupting critical undersea networks. The tool, which is able to cut lines at depths of up to 4,000 metres (13,123 feet) -- twice the maximum operational range of existing subsea communication infrastructure -- has been designed specifically for integration with China's advanced crewed and uncrewed submersibles like the Fendouzhe, or Striver, and the Haidou series.

Hungary's Parliament not only voted to ban Pride events. They also voted to "allow authorities to use facial recognition software to identify attenders and potentially fine them," reports the Guardian. [The nationwide legislation] amends the country's law on assembly to make it an offence to hold or attend events that violate Hungary's contentious "child protection" legislation, which bars any "depiction or promotion" of homosexuality to minors under the age of 18. The legislation was condemned by Amnesty International, which described it as the latest in a series of discriminatory measures the Hungarian authorities have taken against LGBTQ+ people...

Organisers said they planned to go ahead with the march in Budapest, despite the law's stipulation that those who attend a prohibited event could face fines of up to 200,000 Hungarian forints [£425 or $549 U.S. dollars].

Was the cutting of undersea cables part of a larger pattern? Russia and its proxies are accused by western officials of "staging dozens of attacks and other incidents across Europe since the invasion of Ukraine three years ago," reports the Associated Press.

That includes cyberattacks and committing acts of sabotage/vandalism/arson, as well as spreading propaganda and even plotting killings, according to the article. ("Western intelligence agencies uncovered what they said was a Russian plot to kill the head of a major German arms manufacturer that is a supplier of weapons to Ukraine...") The news agency documented 59 incidents "in which European governments, prosecutors, intelligence services or other Western officials blamed Russia, groups linked to Russia or its ally Belarus." [Western officials] allege the disruption campaign is an extension of Russian President Vladimir Putin's war, intended to sow division in European societies and undermine support for Ukraine... The incidents range from stuffing car tailpipes with expanding foam in Germany to a plot to plant explosives on cargo planes. They include setting fire to stores and a museum, hacking that targeted politicians and critical infrastructure, and spying by a ring convicted in the U.K. Richard Moore, the head of Britain's foreign intelligence service, called it a "staggeringly reckless campaign" in November...

The cases are varied, and the largest concentrations are in countries that are major supporters of Ukraine... In about a quarter of the cases, prosecutors have brought charges or courts have convicted people of carrying out the sabotage. But in many more, no specific culprit has been publicly identified or brought to justice.
Despite that, "more and more governments are publicly attributing attacks to Russia," the article points out.

This week a nonprofit, bipartisan think tank on global policy released a report which "found that Russian attacks in Europe quadrupled from 2022 to 2023 and then tripled again from 2023 to 2024," reports the New York Times. Prime Minister Donald Tusk of Poland noted in a social media post on Monday that Lithuanian officials had confirmed his assessment that Russia was responsible for a series of fires in shopping centers in Warsaw and Vilnius, the Lithuanian capital...

Slashdot reader Required Snark shared this article from Phys.org: In the realm of science fiction, [sun-energy capturing] Dyson spheres and ringworlds have been staples for decades. But it is well known that the simplest designs are unstable against gravitational forces and would thus be torn apart. Now a scientist from Scotland, UK has shown that certain configurations of these objects near a two-mass system can be stable against such fractures...

[A] rigid ring around a star or planet, as in Larry Niven's "Ringworld" series of novels, is also unstable, as it would drift under any slight gravitational differences and collide with the star. So [engineering science professor Colin] McInnes considered a restricted three-body problem where two equal masses orbit each other circularly with a uniform ring of infinitesimal mass rotating in their orbital plane. The ring could enclose both masses, just one or none... McInnes also investigated a shell-restricted three-body problem with the shell also of infinitesimal mass, again with the shell enclosing two masses, one or none.

For the restricted ring, McInnes found that there are seven equilibrium points in the orbital plane of the dual masses, on which, if the ring's center were placed, it would stay and not experience stresses, akin to the three stable Lagrange points where a small mass can reside permanently for the two-body problem... McInnes restricted this research to a planar ring (in the plane of the circularly orbiting masses) but says it can be shown that a vertical ring, normal to the plane, can also generate equilibria...

These results can aid the search for extraterrestrial intelligence, McInnes said, "If we can understand when such structures can be stable, then this could potentially help direct future SETI surveys." An important technosignature would be one bright star orbiting in tandem with an object showing a strong infrared excess. Shells around a sun-exoplanet pair or an exoplanet-exoplanet pair could also be possible. A nested set of Dyson spheres is also a feasible geometry.
In 2003 Ringworld author Larry Niven answered questions from Slashdot readers...

Web infrastructure provider Cloudflare unveiled "AI Labyrinth" this week, a feature designed to thwart unauthorized AI data scraping by feeding bots realistic but irrelevant content instead of blocking them outright. The system lures crawlers into a "maze" of AI-generated pages containing neutral scientific information, deliberately wasting computing resources of those attempting to collect training data for language models without permission.

"When we detect unauthorized crawling, rather than blocking the request, we will link to a series of AI-generated pages that are convincing enough to entice a crawler to traverse them," Cloudflare explained. The company reports AI crawlers generate over 50 billion requests to their network daily, comprising nearly 1% of all web traffic they process. The feature is available to all Cloudflare customers, including those on free plans. This approach marks a shift from traditional protection methods, as Cloudflare claims blocking bots sometimes alerts operators they've been detected. The false links contain meta directives to prevent search engine indexing while remaining attractive to data-scraping bots.

Hollywood filmmaker Carl Erik Rinsch has been charged with defrauding Netflix of $11 million after allegedly misusing funds intended for an unfinished science fiction series, federal prosecutors said.

Rinsch, 47, was arrested in West Hollywood this week on charges of wire fraud, money laundering and unlawful monetary transactions that could result in decades of imprisonment if convicted. The FBI and Acting U.S. Attorney for the Southern District of New York allege Rinsch diverted funds meant for his series "Conquest" to speculate on cryptocurrency, stay in luxury hotels and purchase high-end items including five Rolls-Royces and a Ferrari.

Netflix had paid Rinsch $44 million between 2018 and 2019 for the science fiction project about an artificial humanlike species. Prosecutors say he then requested an additional $11 million but never completed the production. An arbitrator ruled in Netflix's favor last year, ordering Rinsch to pay the company $11.8 million. Rinsch appeared in federal court with shackles and posted a $100,000 bond.

An anonymous reader quotes a report from Variety: More than 400 Hollywood creative leaders signed an open letter to the Trump White House's Office of Science and Technology Policy, urging the administration to not roll back copyright protections at the behest of AI companies. The filmmakers, writers, actors, musicians and others -- which included Ben Stiller, Mark Ruffalo, Cynthia Erivo, Cate Blanchett, Cord Jefferson, Paul McCartney, Ron Howard and Taika Waititi -- were submitting comments for the Trump administration's U.S. AI Action Plan. The letter specifically was penned in response to recent submissions to the Office of Science and Technology Policy from OpenAI and Google, which asserted that U.S. copyright law allows (or should allow) allow AI companies to train their system on copyrighted works without obtaining permission from (or compensating) rights holders.

"We firmly believe that America's global AI leadership must not come at the expense of our essential creative industries," the letter says in part. The letter claims that "AI companies are asking to undermine this economic and cultural strength by weakening copyright protections for the films, television series, artworks, writing, music and voices used to train AI models at the core of multibillion-dollar corporate valuations." [...] The letter says Google and OpenAI "are arguing for a special government exemption so they can freely exploit America's creative and knowledge industries, despite their substantial revenues and available funds. There is no reason to weaken or eliminate the copyright protections that have helped America flourish." You can read the full statement and list of signatories here.

The letter was issued in response to recent submissions from OpenAI (PDF) and Google (PDF) claiming that U.S. law allows, or should allow, AI companies to train their programs on copyrighted works under the fair use legal doctrine.