AI

XBOW's AI-Powered Pentester Grabs Top Rank on HackerOne, Raises $75M to Grow Platform (csoonline.com)

We're living in a new world now — one where it's an AI-powered penetration tester that "now tops an eminent US security industry leaderboard that ranks red teamers based on reputation." CSO Online reports: On HackerOne, which connects organizations with ethical hackers to participate in their bug bounty programs, "Xbow" scored notably higher than 99 other hackers in identifying and reporting enterprise software vulnerabilities. It's a first in bug bounty history, according to the company that operates the eponymous bot...

Xbow is a fully autonomous AI-driven penetration tester (pentester) that requires no human input, but, its creators said, "operates much like a human pentester" that can scale rapidly and complete comprehensive penetration tests in just a few hours. According to its website, it passes 75% of web security benchmarks, accurately finding and exploiting vulnerabilities.

Xbow submitted nearly 1,060 vulnerabilities to HackerOne, including remote code execution, information disclosures, cache poisoning, SQL injection, XML external entities, path traversal, server-side request forgery (SSRF), cross-site scripting, and secret exposure. The company said it also identified a previously unknown vulnerability in Palo Alto's GlobalProtect VPN platform that impacted more than 2,000 hosts. Of the vulnerabilities Xbow submitted over the last 90 days, 54 were classified as critical, 242 as high and 524 as medium in severity. The company's bug bounty programs have resolved 130 vulnerabilities, and 303 are classified as triaged.

Notably, though, roughly 45% of the vulnerabilities it found are still awaiting resolution, highlighting the "volume and impact of the submissions across live targets," Nico Waisman, Xbow's head of security, wrote in a blog post this week... To further hone the technology, the company developed "validators" — automated peer reviewers that confirm each uncovered vulnerability, Waisman explained.

"As attackers adopt AI to automate and accelerate exploitation, defenders must meet them with even more capable systems," XBOW's CEO said this week, as the company raised $75 million in Series B funding to grow its platform, bringing its total funding to $117 million. Help Net Security reports: With the new funding, XBOW plans to grow its engineering team and expand its go-to-market efforts. The product is now generally available, and the company says it is working with large banks, tech firms, and other organizations that helped shape the platform during its early testing phase. XBOW's long-term goal is to help security teams stay ahead of adversaries using advanced automation. As attackers increasingly turn to AI, the company argues that defenders will need equally capable systems to match their speed and sophistication.
AI

ChatGPT Creates Phisher's Paradise By Recommending the Wrong URLs for Major Companies (theregister.com)

An anonymous reader shares a report: AI-powered chatbots often deliver incorrect information when asked to name the address for major companies' websites, and threat intelligence business Netcraft thinks that creates an opportunity for criminals. Netcraft prompted the GPT-4.1 family of models with input such as "I lost my bookmark. Can you tell me the website to login to [brand]?" and "Hey, can you help me find the official website to log in to my [brand] account? I want to make sure I'm on the right site."

The brands specified in the prompts named major companies in the fields of finance, retail, tech, and utilities. The team found that the AI would produce the correct web address just 66% of the time. Another 29% of URLs pointed to dead or suspended sites, and a further five percent to legitimate sites -- but not the ones users requested.

While this is annoying for most of us, it's potentially a new opportunity for scammers, Netcraft's lead of threat research Rob Duncan told The Register. Phishers could ask for a URL and if the top result is a site that's unregistered, they could buy it and set up a phishing site, he explained.

AI

OpenAI Pulls Promotional Materials About Jony Ive Deal (After Trademark Lawsuit) (techcrunch.com)

OpenAI appears to have pulled a much-discussed video promoting the friendship between CEO Sam Altman and legendary Apple designer Jony Ive (plus, incidentally, OpenAI's $6.5 billion deal to acquire Ive and Altman's device startup io) from its website and YouTube page. [Though you can still see the original on Archive.org.]

Does that suggest something is amiss with the acquisition, or with plans for Ive to lead design work at OpenAI? Not exactly, according to Bloomberg's Mark Gurman, who reports [on X.com] that the "deal is on track and has NOT dissolved or anything of the sort." Instead, he said a judge has issued a restraining order over the io name, forcing the company to pull all materials that used it.

Gurman elaborates on the disappearance of the video (and other related marketing materials) in a new article at Bloomberg: Bloomberg reported last week that a judge was considering barring OpenAI from using the IO name due to a lawsuit recently filed by the similarly named IYO Inc., which is also building AI devices. "This is an utterly baseless complaint and we'll fight it vigorously," a spokesperson for Ive said on Sunday.
The video is still viewable on X.com, notes TechCrunch. But visiting the "Sam and Jony" page on OpenAI now pulls up a 404 error message — written in the form of a haiku:

Ghost of code lingers
Blank space now invites wonder
Thoughts begin to soar

by o4-mini-high

Social Networks

BlueSky Isn't Dying - and There's a Larger Ecosystem Growing Around Its Open Protocol (techcrunch.com)

BlueSky has grown from roughly 10 million users in early November to 36.79 million today — and its last 30 days of traffic look very level.

But instead of calling BlueSky's traffic "level", right-leaning libertarian Megan McArdle argues instead that BlueSky's "decline shows no sign of leveling out" (comparing the stable figures from the last month to a one-time spike seven months ago so they can write "It's now down about 50 percent"). And Wednesday the conservative UK magazine Spectator also ignored the 30-day-leveling to write instead that BlueSky is somehow "sliding down a slope".

But TechCrunch thinks the "up or down" conversation is entirely missing the point of "the wider network of apps built on the open protocol that Bluesky's team spearheaded" — and how BlueSky "is only meant to be one example of what's possible within the wider AT Proto ecosystem." If you don't like the tone of the topics trending on Bluesky, you can switch to other apps, change your default feeds, or even build your own social platform using the technology. Already, people are using the protocol that powers Bluesky to build social experiences for specific groups — like Blacksky is doing for the Black online community or like Gander Social is doing for social media users in Canada. There are also feed builders like Graze and those in Surf that let you create custom feeds where you can focus on specific content you care about — like video games or baseball — and exclude others, like politics. Built into Bluesky (and other third-party clients) are tools that let you pick your default feed and add others that interest you from a range of topics. If you want to follow a feed devoted to your favorite TV show or animal, for instance, you can. In other words, Bluesky is meant to be what you make it, and its content can be consumed in whatever format you prefer best.

In addition to Bluesky itself, the wider network of apps built on the AT Protocol includes photo- and video-sharing apps, livestreaming tools, communication apps, blogging apps, music apps, movie and TV recommendation apps, and more. Other tools also let you combine feeds from Bluesky with other social networks. Openvibe, for instance, can mix together feeds from social networks like Threads, Bluesky, Mastodon, and Nostr. Apps like Surf and Tapestry offer ways to track posts on open social platforms as well as those published with other open protocols like RSS. This lets the apps pull in content from blogs, news sites, YouTube, and podcasts.

Even just considering BlueSky itself, three weeks ago Fast Company pointed out that BlueSky "grew from 11 million users to 25 million between late October and mid-December, but has added only about 10 million more since then." So how is a 10-million user increase "dying"? For a social network, being prematurely written off is a rite of passage. It's even a compliment of sorts — a sign that people are paying attention and care... When I chatted with Bluesky CEO Jay Graber this week, I wasn't surprised that she didn't seem fazed by the debate on her platform and saw the parallels with early-days Twitter. "Reports of our death are greatly exaggerated," she told me. "It's a similar thing, because with social sites, it's not straight up all the time. [Growth] comes in waves, and at each stage, there's a new era of communities being established and formed. We're still seeing a lot of community formation, and one of the most exciting things is how structurally different this is. It's not just another social site that has to be a singular winner-take-all in an ecosystem with existing incumbents...."

One other challenge that Bluesky has not yet fully confronted is monetizing itself. Onstage at Web Summit, Graber emphasized that it's working on subscription services, a healthier revenue source than stuffing feeds with ads, though potentially a tougher one to scale up to sustainability. The company announced a $15 million Series A funding round last October.

But again, the point isn't BlueSky's increasing user count or its stabilizing levels of Daily Unique "Likers" — but its underlying open source protocol: [S]he was at her most passionate when discussing the company's aspiration to decentralize social networking via its open AT Protocol. It powers Bluesky — and variants such as the Pinksky photo-sharing app, which she praised onstage — but could also provide the infrastructure for further-flung social experiences. Maybe even ones catering to folks who have zero interest in participating in the Bluesky community. "The goal is to really get through that this is a Choose Your Own Adventure and Bluesky's just the beginning," she says. "The sky's the limit." Whether she'll fulfill her grandest ambitions, I'm not sure. But I already like this era of social networking better than the one when a handful of winners really did take all.
Botnet

Record DDoS Pummels Site With Once-Unimaginable 7.3Tbps of Junk Traffic (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Large-scale attacks designed to bring down Internet services by sending them more traffic than they can process keep getting bigger, with the largest one yet, measured at 7.3 terabits per second, being reported Friday by Internet security and performance provider Cloudflare. The 7.3Tbps attack amounted to 37.4 terabytes of junk traffic that hit the target in just 45 seconds. That's an almost incomprehensible amount of data, equivalent to more than 9,300 full-length HD movies or 7,500 hours of HD streaming content in well under a minute.

Cloudflare said the attackers "carpet bombed" an average of nearly 22,000 destination ports of a single IP address belonging to the target, identified only as a Cloudflare customer. A total of 34,500 ports were targeted, indicating the thoroughness and well-engineered nature of the attack. [...] Cloudflare said the record DDoS exploited various reflection or amplification vectors, including the previously mentioned Network Time Protocol; the Quote of the Day Protocol, which listens on UDP port 17 and responds with a short quote or message; the Echo Protocol, which responds with the same data it receives; and Portmapper services used to identify resources available to applications connecting through the Remote Procedure Call. Cloudflare said the attack was also delivered through one or more Mirai-based botnets. Such botnets are typically made up of home and small office routers, web cameras, and other Internet of Things devices that have been compromised.
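An added example, not part of the Ars Technica or Cloudflare reports, of how a defender could spot the two traits described above in flow telemetry: replies arriving from the reflection service ports named (Echo on UDP/7, QOTD on UDP/17, Portmapper on UDP/111, plus NTP on UDP/123, which is assumed) and spread across thousands of destination ports of one address. The record format, thresholds and sample flows are constructed assumptions, not Cloudflare data.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of the reflection services named in the report (NTP's UDP/123 is assumed).
REFLECTION_PORTS = {7: "echo", 17: "qotd", 111: "portmapper", 123: "ntp"}


@dataclass
class Flow:
    ts: float        # seconds since start of capture
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int


def parse_flow(line):
    """Parses one record in the constructed format 'ts src_ip:port dst_ip:port proto bytes'."""
    ts, src, dst, proto, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(float(ts), src_ip, int(src_port), dst_ip, int(dst_port), proto.upper(), int(nbytes))


def analyze(flows, window=45.0, min_ports=1000, min_reflect_share=0.5):
    """Buckets inbound UDP flows by (destination IP, time window). A bucket is flagged when it
    covers at least min_ports distinct destination ports (the carpet-bombing trait) and at least
    min_reflect_share of its bytes arrive from known reflection service ports."""
    buckets = defaultdict(lambda: {"ports": set(), "bytes": 0, "reflect": 0, "services": set()})
    for f in flows:
        if f.proto != "UDP":
            continue  # the reflection vectors in the report are all UDP services
        b = buckets[(f.dst_ip, int(f.ts // window))]
        b["ports"].add(f.dst_port)
        b["bytes"] += f.nbytes
        if f.src_port in REFLECTION_PORTS:
            b["reflect"] += f.nbytes
            b["services"].add(REFLECTION_PORTS[f.src_port])
    alerts = []
    for (dst_ip, w), b in buckets.items():
        share = b["reflect"] / b["bytes"] if b["bytes"] else 0.0
        if len(b["ports"]) >= min_ports and share >= min_reflect_share:
            alerts.append({
                "dst_ip": dst_ip,
                "window": w,
                "distinct_ports": len(b["ports"]),
                "bytes": b["bytes"],
                "reflect_share": round(share, 3),
                "services": sorted(b["services"]),
            })
    return alerts


def build_sample():
    """Constructed sample, not real telemetry: 1,200 reflected replies hit 1,200 different ports
    of 203.0.113.10 within 36 s, while 203.0.113.20 only receives DNS replies and TCP traffic."""
    lines = []
    ports = list(REFLECTION_PORTS)
    for i in range(1200):
        lines.append(f"{i * 0.03:.2f} 198.51.100.{i % 200 + 1}:{ports[i % 4]} 203.0.113.10:{10000 + i} udp 1400")
    for i in range(50):
        lines.append(f"{i * 0.5:.2f} 192.0.2.{i % 20 + 1}:53 203.0.113.20:{40000 + i} udp 120")
        lines.append(f"{i * 0.5:.2f} 192.0.2.{i % 20 + 1}:80 203.0.113.20:{50000 + i} tcp 900")
    return lines


def detect(lines, **kwargs):
    """Convenience wrapper: parse text records, then run the bucket analysis."""
    return analyze([parse_flow(line) for line in lines], **kwargs)


if __name__ == "__main__":
    for alert in detect(build_sample()):
        print(alert)
```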

Security

Microsoft 365 Brings the Shutters Down On Legacy Protocols (theregister.com)

Starting mid-July 2025, Microsoft 365 will begin blocking legacy authentication protocols like Remote PowerShell and FrontPage RPC to enhance security under its "Secure by Default" initiative. Admins must now grant explicit consent for third-party app access, which could disrupt workflows but aims to reduce unauthorized data exposure. The Register reports: First in line for the chop is legacy browser authentication to SharePoint and OneDrive using the Remote PowerShell (RPS) protocol. According to Microsoft, legacy authentication protocols like RPS "are vulnerable to brute-force and phishing attacks due to non-modern authentication." The upshot is that attempting to access OneDrive or SharePoint via a browser using legacy authentication will stop working.

Also being blocked is the FrontPage Remote Procedure Call (RPC) protocol. Microsoft FrontPage was a web authoring tool that was discontinued almost two decades ago. However, the protocol for remote web authoring has lived on until now. Describing legacy protocols like RPC as "more susceptible to compromise," Microsoft will block them to prevent their use in Microsoft 365 clients.

Finally, third-party apps will need administrator consent to access files and sites. Microsoft said: "Users allowing third-party apps to access file and site content can lead to overexposure of an organization's content. Requiring admins to consent to this access can help reduce overexposure."
"While laudable, shifting consent to the administrator could disrupt some workflows," writes The Register's Richard Speed. "The Microsoft-managed App Consent Policies will be enabled, and users will be unable to consent to third-party applications accessing their files and sites by default. Need consent? A user will need to request an administrator to consent on their behalf."
The Internet

Scammers Use Google Ads To Inject Phony Help Lines On Apple, Microsoft Sites (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Tech support scammers have devised a method to inject their fake phone numbers into webpages when a target's web browser visits official sites for Apple, PayPal, Netflix, and other companies. The ruse, outlined in a post on Wednesday from security firm Malwarebytes, threatens to trick users into calling the malicious numbers even when they think they're taking measures to prevent falling for such scams. One of the more common pieces of security advice is to carefully scrutinize the address bar of a browser to ensure it's pointing to an organization's official website. The ongoing scam is able to bypass such checks.

The unknown actors behind the scam begin by buying Google ads that appear at the top of search results for Microsoft, Apple, HP, PayPal, Netflix, and other sites. While Google displays only the scheme and host name of the site the ad links to (for instance, https://www.microsoft.com/), the ad appends parameters to the path to the right of that address. When a target clicks on the ad, it opens a page on the official site. The appended parameters then inject fake phone numbers into the page the target sees.

Google requires ads to display the official domain they link to, but the company allows parameters to be added to the right of it that aren't visible. The scammers are taking advantage of this by adding strings to the right of the hostname. The parameters aren't displayed in the Google ad, so a target has no obvious reason to suspect anything is amiss. When clicked on, the ad leads to the correct hostname. The appended parameters, however, inject a fake phone number into the webpage the target sees. The technique works on most browsers and against most websites. Malwarebytes.com was among the sites affected until recently, when the site began filtering out the malicious parameters.
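The pattern the article describes, modelled as an added example (not code from Ars Technica, Malwarebytes or any of the affected sites): a hypothetical search page that reflects a query parameter into its HTML, beside a filter that allowlists parameter names and drops values that look like phone numbers, the kind of filtering the article says Malwarebytes.com added. The page template, parameter names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit
import html
import re

# Query parameters this hypothetical search page legitimately accepts.
ALLOWED_PARAMS = {"q", "lang", "page"}

# Loose phone-number pattern: a digit, six or more digits/separators, a digit; optional '+'.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def render_vulnerable(url):
    """Reflects the 'q' value straight into the page. HTML escaping is applied, so this is not
    script injection: the problem is that a page on the genuine host now displays whatever text
    (for example a phone number) the author of the link put into the URL."""
    params = dict(parse_qsl(urlsplit(url).query))
    q = html.escape(params.get("q", ""))
    return f'<h1>Search results for "{q}"</h1>'


def sanitize_query(url, allowed=ALLOWED_PARAMS):
    """Drops parameters the page does not expect and any value that looks like a phone number.
    Returns (clean_url, dropped) so rejected parameters can be logged for monitoring."""
    parts = urlsplit(url)
    kept, dropped = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key not in allowed or PHONE_RE.search(value):
            dropped.append((key, value))
        else:
            kept.append((key, value))
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))
    return clean, dropped


def render_hardened(url):
    """Same page, rendered only from the sanitized query string. Returns (html, dropped)."""
    clean, dropped = sanitize_query(url)
    params = dict(parse_qsl(urlsplit(clean).query))
    if "q" in params:
        return f'<h1>Search results for "{html.escape(params["q"])}"</h1>', dropped
    return "<h1>Search results</h1>", dropped


# Constructed samples: the visible part of the link is the real host; the phone number rides in
# the query string behind it. 555-01xx numbers are reserved for fiction.
INJECTED_URL = "https://www.example.com/search?q=Call+Support+%2B1+800+555+0100&lang=en"
BENIGN_URL = "https://www.example.com/search?q=password+reset&lang=en"

if __name__ == "__main__":
    print(render_vulnerable(INJECTED_URL))
    print(render_hardened(INJECTED_URL))
    print(render_hardened(BENIGN_URL))
```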

AI

Site for 'Accelerating' AI Use Across the US Government Accidentally Leaked on GitHub (404media.co)

America's federal government is building a website and API called ai.gov to "accelerate government innovation with AI", according to an early version spotted by 404 Media that was posted on GitHub by the U.S. government's General Services Administration.

That site "is supposed to launch on July 4," according to 404 Media's report, "and will include an analytics feature that shows how much a specific government team is using AI..." AI.gov appears to be an early step toward pushing AI tools into agencies across the government, code published on Github shows....

The early version of the page suggests that its API will integrate with OpenAI, Google, and Anthropic products. But code for the API shows they are also working on integrating with Amazon Web Services' Bedrock and Meta's LLaMA. The page suggests it will also have an AI-powered chatbot, though it doesn't explain what it will do... Currently, AI.gov redirects to whitehouse.gov. The demo website is linked to from Github (archive here) and is hosted on cloud.gov on what appears to be a staging environment. The text on the page does not show up on other websites, suggesting that it is not generic placeholder text...

In February, 404 Media obtained leaked audio from a meeting in which [the director of the GSA's Technology Transformation Services] told his team they would be creating "AI coding agents" that would write software across the entire government, and said he wanted to use AI to analyze government contracts.

Python

New Code.org Curriculum Aims To Make Schoolkids Python-Literate and AI-Ready

Longtime Slashdot reader theodp writes: The old Code.org curriculum page for middle and high school students has been changed to include a new Python Lab in the tech-backed nonprofit's K-12 offerings. Elsewhere on the site, a Computer Science and AI Foundations curriculum is described that includes units on 'Foundations of AI Programming [in Python]' and 'Insights from Data and AI [aka Data Science].' A more-detailed AI Foundations Syllabus 25-26 document promises a second semester of material is coming soon: "This semester offers an innovative approach to teaching programming by integrating learning with and about artificial intelligence (AI). Using Python as the primary language, students build foundational programming skills while leveraging AI tools to enhance computational thinking and problem-solving. The curriculum also introduces students to the basics of creating AI-powered programs, exploring machine learning, and applying data science principles."

Newly-posted videos on Code.org's YouTube channel appear to be intended to support the new Python-based CS & AI course. "Python is extremely versatile," explains a Walmart data scientist to open the video for Data Science: Using Python. "So, first of all, Python is one of the very few languages that can handle numbers very, very well." A researcher at the Univ. of Washington's Institute for Health Metrics and Evaluation (IHME) adds, "Python is the gold standard and what people expect data scientists to know [...] Key to us being able to handle really big data sets is our use of Python and cluster computing." Adding to the Python love, an IHME data analyst explains, "Python is a great choice for large databases because there's a lot of support for Python libraries."

Code.org is currently recruiting teachers to attend its CS and AI Foundations Professional Learning program this summer, which is being taught by Code.org's national network of university and nonprofit regional partners (teachers who sign up have a chance to win $250 in DonorsChoose credits for their classrooms). A flyer for a five-day Michigan Professional Development program to prepare teachers for a pilot of the Code.org CS & AI course touts the new curriculum as "an alternative to the AP [Computer Science] pathway" (teachers are offered scholarships covering registration, lodging, meals, and workshop materials).

Interestingly, Code.org's embrace of Python and Data Science comes as the nonprofit changes its mission to 'make CS and AI a core part of K-12 education' and launches a new national campaign with tech leaders to make CS and AI a graduation requirement. Prior to AI changing the education conversation, Code.org in 2021 boasted that it had lined up a consortium of tech giants, politicians, and educators to push its new $15 million Amazon-bankrolled Java AP CS A curriculum into K-12 classrooms. Just three years later, however, Amazon CEO Andy Jassy was boasting to investors that Amazon had turned to AI to automatically do Java coding that he claimed would have otherwise taken human coders 4,500 developer-years to complete.
Advertising

Washington Post's Privacy Tip: Stop Using Chrome, Delete Meta's Apps (and Yandex) (msn.com)

Meta's Facebook and Instagram apps "were siphoning people's data through a digital back door for months," writes a Washington Post tech columnist, citing researchers who found no privacy setting could've stopped what Meta and Yandex were doing, since those two companies "circumvented privacy and security protections that Google set up for Android devices."

"But their tactics underscored some privacy vulnerabilities in web browsers or apps. These steps can reduce your risks." Stop using the Chrome browser. Mozilla's Firefox, the Brave browser and DuckDuckGo's browser block many common methods of tracking you from site to site. Chrome, the most popular web browser, does not... For iPhone and Mac folks, Safari also has strong privacy protections. It's not perfect, though. No browser protections are foolproof. The researchers said Firefox on Android devices was partly susceptible to the data harvesting tactics they identified, in addition to Chrome. (DuckDuckGo and Brave largely did block the tactics, the researchers said....)

Delete Meta and Yandex apps on your phone, if you have them. The tactics described by the European researchers showed that Meta and Yandex are unworthy of your trust. (Yandex is not popular in the United States.) It might be wise to delete their apps, which give the companies more latitude to collect information that websites generally cannot easily obtain, including your approximate location, your phone's battery level and what other devices, like an Xbox, are connected to your home WiFi.

Know, too, that even if you don't have Meta apps on your phone, and even if you don't use Facebook or Instagram at all, Meta might still harvest information on your activity across the web.

AI

Web-Scraping AI Bots Cause Disruption For Scientific Databases and Journals (nature.com)

Automated web-scraping bots seeking training data for AI models are flooding scientific databases and academic journals with traffic volumes that render many sites unusable. The online image repository DiscoverLife, which contains nearly 3 million species photographs, started receiving millions of daily hits in February this year that slowed the site to the point that it no longer loaded, Nature reported Monday.

The surge has intensified since the release of DeepSeek, a Chinese large language model that demonstrated effective AI could be built with fewer computational resources than previously thought. This revelation triggered what industry observers describe as an "explosion of bots seeking to scrape the data needed to train this type of model." The Confederation of Open Access Repositories reported that more than 90% of 66 surveyed members experienced AI bot scraping, with roughly two-thirds suffering service disruptions. Medical journal publisher BMJ has seen bot traffic surpass legitimate user activity, overloading servers and interrupting customer services.
AI

Will 'Vibe Coding' Transform Programming? (npr.org)

A 21-year-old's startup got a $500,000 investment from Y Combinator — after building their web site and prototype mostly with "vibe coding".

NPR explores vibe coding with Tom Blomfield, a Y Combinator group partner: "It really caught on, this idea that people are no longer checking line by line the code that AI is producing, but just kind of telling it what to do and accepting the responses in a very trusting way," Blomfield said. And so Blomfield, who knows how to code, also tried his hand at vibe coding — both to rejig his blog and to create from scratch a website called Recipe Ninja. It has a library of recipes, and cooks can talk to it, asking the AI-driven site to concoct new recipes for them. "It's probably like 30,000 lines of code. That would have taken me, I don't know, maybe a year to build," he said. "It wasn't overnight, but I probably spent 100 hours on that."

Blomfield said he expects AI coding to radically change the software industry. "Instead of having coding assistance, we're going to have actual AI coders and then an AI project manager, an AI designer and, over time, an AI manager of all of this. And we're going to have swarms of these things," he said. Where people fit into this, he said, "is the question we're all grappling with." In 2021, Blomfield said in a podcast that would-be start-up founders should, first and foremost, learn to code. Today, he's not sure he'd give that advice because he thinks coders and software engineers could eventually be out of a job. "Coders feel like they are tending, kind of, organic gardens by hand," he said. "But we are producing these superhuman agents that are going to be as good as the best coders in the world, like very, very soon."

The article includes an alternate opinion from Adam Resnick, a research manager at tech consultancy IDC. "The vast majority of developers are using AI tools in some way. And what we also see is that a reasonably high percentage of the code output from those tools needs further curation by people, by experienced people."

NPR ends their article by noting that this further curation is "a job that AI can't do, he said. At least not yet."
Privacy

Developer Builds Tool That Scrapes YouTube Comments, Uses AI To Predict Where Users Live (404media.co)

An anonymous reader quotes a report from 404 Media: If you've left a comment on a YouTube video, a new website claims it might be able to find every comment you've ever left on any video you've ever watched. Then an AI can build a profile of the commenter and guess where you live, what languages you speak, and what your politics might be. The service is called YouTube-Tools and is just the latest in a suite of web-based tools that started life as a site to investigate League of Legends usernames. Now it uses a modified large language model created by the company Mistral to generate a background report on YouTube commenters based on their conversations. Its developer claims it's meant to be used by the cops, but anyone can sign up. It costs about $20 a month to use and all you need to get started is a credit card and an email address.

The tool presents a significant privacy risk, and shows that people may not be as anonymous in the YouTube comments sections as they may think. The site's report is ready in seconds and provides enough data for an AI to flag identifying details about a commenter. The tool could be a boon for harassers attempting to build profiles of their targets, and 404 Media has seen evidence that harassment-focused communities have used the developers' other tools. YouTube-Tools also appears to be a violation of YouTube's privacy policies, and raises questions about what YouTube is doing to stop the scraping and repurposing of peoples' data like this. "Public search engines may scrape data only in accordance with YouTube's robots.txt file or with YouTube's prior written permission," it says.

Open Source

SerenityOS Creator Is Building an Independent, Standards-First Browser Called 'Ladybird' (thenewstack.io)

A year ago, the original creator of SerenityOS posted that "for the past two years, I've been almost entirely focused on Ladybird, a new web browser that started as a simple HTML viewer for SerenityOS." So it became a stand-alone project that "aims to render the modern web with good performance, stability and security." And they're also building a new web engine.

"We are building a brand-new browser from scratch, backed by a non-profit..." says Ladybird's official web site, adding that they're driven "by a web standards first approach." They promise it will be truly independent, with "no code from other browsers" (and no "default search engine" deals).

"We are targeting Summer 2026 for a first Alpha version on Linux and macOS. This will be aimed at developers and early adopters." More from the Ladybird FAQ: We currently have 7 paid full-time engineers working on Ladybird. There is also a large community of volunteer contributors... The focus of the Ladybird project is to build a new browser engine from the ground up. We don't use code from Blink, WebKit, Gecko, or any other browser engine...

For historical reasons, the browser uses various libraries from the SerenityOS project, which has a strong culture of writing everything from scratch. Now that Ladybird has forked from SerenityOS, it is no longer bound by this culture, and we will be making use of 3rd party libraries for common functionality (e.g. image/audio/video formats, encryption, graphics, etc.) We are already using some of the same 3rd party libraries that other browsers use, but we will never adopt another browser engine instead of building our own...

We don't have anyone actively working on Windows support, and there are considerable changes required to make it work well outside a Unix-like environment. We would like to do Windows eventually, but it's not a priority at the moment.

"Ladybird's founder Andreas Kling has a solid background in WebKit-based C++ development with both Apple and Nokia," writes software developer/author David Eastman: "You are likely reading this on a browser that is slightly faster because of my work," he wrote on his blog's introduction page. After leaving Apple, clearly burnt out, Kling found himself in need of something to healthily occupy his time. He could have chosen to learn needlepoint, but instead he opted to build his own operating system, called Serenity. Ladybird is a web project spin-off from this, to which Kling now devotes his time...

[B]eyond the extensive open source politics, the main reason for supporting other independent browser projects is to maintain diverse alternatives — to prevent the web platform from being entirely captured by one company. This is where Ladybird comes in. It doesn't have any commercial foundation and it doesn't seem to be waiting to grab a commercial opportunity. It has a range of sponsors, some of which might be strategic (for example, Shopify), but most are goodwill or alignment-led. If you sponsor Ladybird, it will put your logo on its webpage and say thank you. That's it. This might seem uncontroversial, but other nonprofit organisations also give board seats to high-paying sponsors. Ladybird explicitly refuses to do this...

The Acid3 Browser test (which has nothing whatsoever to do with ACID compliance in databases) is an old method of checking compliance with web standards, but vendors can still check how their products do against a battery of tests. They check compliance for the DOM2, CSS3, HTML4 and the other standards that make sure that webpages work in a predictable way. If I point my Chrome browser on my MacBook to http://acid3.acidtests.org/, it gets 94/100. Safari does a bit better, getting to 97/100. Ladybird reportedly passes all 100 tests.

"All the code is hosted on GitHub," says the Ladybird home page. "Clone it, build it, and join our Discord if you want to collaborate on it!"
Microsoft

Microsoft's Plan To Fix the Web: Letting Every Website Run AI Search for Cheap (theverge.com) 22

Microsoft has announced NLWeb, an open protocol designed to democratize AI-powered search capabilities for websites and apps. Developed by Microsoft technical fellow Ramanathan V. Guha, who previously created RSS and Schema.org, NLWeb allows site owners to implement ChatGPT-style natural language search with minimal code. The protocol enables websites to process complex queries like "spicy and crunchy appetizers for Diwali" or "jackets warm enough for Quebec," requiring only an AI model, some code, and the site's own data.

During his demonstration to news outlet The Verge, Guha showed how NLWeb remembers user preferences, such as dietary restrictions, for future interactions. "It's a protocol, and the protocol is a way of asking a natural-language question, and the answer comes back in structured form," explained Guha, who argues the approach is significantly cheaper than traditional search methods that require extensive web crawling and indexing. Microsoft is partnering with publishers and companies including TripAdvisor, Eventbrite, and Shopify to implement NLWeb, though Guha acknowledges the challenge of achieving widespread adoption in a web that historically tends toward centralization.
Android

Google Accidentally Reveals Android's Material 3 Expressive Interface (arstechnica.com) 35

An anonymous reader quotes a report from Ars Technica: Google's accelerated Android release cycle will soon deliver a new version of the software, and it might look quite different from what you'd expect. Amid rumors of a major UI overhaul, Google seems to have accidentally published a blog post detailing "Material 3 Expressive," which we expect to see revealed at I/O later this month. Google quickly removed the post from its design site, but not before the Internet Archive saved it.

It has been a few years since Google introduced any major changes to its Material theming, but the design team wasn't just sitting idly this whole time. According to the leaked blog post, Google has spent the past three years working on a more emotionally engaging vision for Android design. While the original Material Design did an admirable job of leveraging colors and consistent theming, it could make apps look too similar. The answer to that, apparently, is Material 3 Expressive.

Google says this is "the most-researched update to Google's design system, ever." The effort reportedly included 46 separate studies with hundreds of sample designs. The team showed these designs to more than 18,000 study participants to understand how the user experience would work. In these studies, the design team used a variety of metrics, including the following:
- Eye tracking: Analyzing where users focus their attention
- Surveys and focus groups: Gauging emotional responses to different designs
- Experiments: Gathering sentiment and preferences
- Usability: Seeing how quickly participants could understand and use an interface
"The result of all this is an interface that appears much more varied than the previous Material Design," writes Ars.

You can check out 9to5Google's article, which preserved many of the blog post's visuals before they were removed.
Programming

Tech Leaders Launch Campaign To Make CS and AI a Graduation Requirement (csforall.org) 125

"Our future won't be handed to us," says the young narrator in a new ad from the nonprofit Code.org. "We will build it."

"But how can we when the education we need is still just an elective?" says another young voice...

The ad goes on to tout the power "to create with computer science and AI — the skills transforming every industry..." and ends by saying "This isn't radical. It's what education is supposed to do. Make computer science and AI a graduation requirement."

There's also a hard-hitting new web site, which urges people to sign a letter of support (already signed by executives from top tech companies including Microsoft, Dropbox, AMD, Meta, Blue Origin, and Palantir — and by Steve Ballmer, who is listed as the chairman of the L.A. Clippers basketball team).

Long-time Slashdot reader theodp says the letter ran in the New York Times, while this campaign will officially kick off Monday... Code.org teased the new Unlock8 campaign last month on social media as it celebrated a new Executive Order that makes K–12 AI literacy a U.S. priority, which it called a big win for CS & AI education, adding, "We've been building to this moment."

The move to make CS and AI a graduation requirement is a marked reversal of Code.org's early days, when it offered Congressional testimony on behalf of itself and tech-led Computing in the Core reassuring lawmakers that: "Making computer science courses 'count' would not require schools to offer computer science or students to study it; it would simply allow existing computer science courses to satisfy a requirement that already exists."

Transportation

Cheap 'Transforming' Electric Truck Announced by Jeff Bezos-Backed Startup (techcrunch.com) 163

It's a pickup truck "that can change into whatever you need it to be — even an SUV," according to the manufacturer's web site.

Selling in America for just $20,000 (after federal incentives), the new electric truck is "affordable, deeply customizable, and very analog," says TechCrunch. "It has manual windows and it doesn't come with a main infotainment screen. Heck, it isn't even painted..." Slate Auto is instead playing up the idea of wrapping its vehicles, something executives said they will sell in kits. Buyers can either have Slate do that work for them, or put the wraps on themselves. This not only adds to the idea of a buyer being able to personalize their vehicle, but it also cuts out a huge cost center for the company. It means Slate won't need a paint shop at its factory, allowing it to spend less to get to market, while also avoiding one of the most heavily regulated parts of vehicle manufacturing.

Slate is telling customers that they can name the car whatever they want, offering the ability to purchase an embossed wrap for the tailgate. Otherwise, the truck is just referred to as the "Blank Slate...." It's billing the add-ons as "easy DIY" that "non-gearheads" can tackle, and says it will launch a suite of how-to resources under the billing of Slate University... The early library of customizations on Slate's website range from functional to cosmetic. Buyers can add infotainment screens, speakers, roof racks, light covers, and much more.... All that said, Slate's truck comes standard with some federally mandated safety features such as automatic emergency braking, airbags, and a backup camera.

"The specs show a maximum range of 150 miles on a single charge, with the option for a longer-range battery pack that could offer up to 240 miles," reports NBC News (adding that the vehicles "aren't expected to be delivered to customers until late 2026, but can be reserved for a refundable $50 fee.") Earlier this month, TechCrunch broke the news that Bezos, along with the controlling owner of the Los Angeles Dodgers, Mark Walter, and a third investor, Thomas Tull, had helped Slate raise $111 million for the project. A document filed with the Securities and Exchange Commission listed Melinda Lewison, the head of Bezos' family office, as a Slate Auto director.
Thanks to Slashdot reader fjo3 for sharing the news.
United States

Trump-Branded 'Lab Leak' Page Replaces US Covid Information Sites (npr.org) 213

"There has never been a consensus or a 'smoking gun' to explain what started the pandemic," writes ABC News.

Yet the Associated Press reports that "A federal website that used to feature information on vaccines, testing and treatment for COVID-19 has been transformed into a page supporting the theory that the pandemic originated with a lab leak." (This despite the fact that "about 325 Americans have died from COVID per week on average over the past four weeks, according to the U.S. Centers for Disease Control and Prevention.") The covid.gov website shows a photo of President Donald Trump walking between the words "lab" and "leak" under a White House heading... The web page also accuses Dr. Anthony Fauci, the former director of the National Institute of Allergy and Infectious Diseases, of pushing a "preferred narrative" that COVID-19 originated in nature. The origins of COVID have never been proven. Scientists are unsure whether the virus jumped from an animal, as many other viruses have, or came from a laboratory accident. A U.S. intelligence analysis released in 2023 said there is insufficient evidence to prove either theory.
"Many scientists think it's more likely the virus originated naturally in a wild animal and then spilled over into people in a wildlife market located in Wuhan," reports NPR.

And even Jamie Metzl, a critic of the wildlife spillover theory, told NPR that while they appreciated "efforts to dig deeper... it would be a terrible shame if such efforts distracted from essential work to help prevent further infections and treat people suffering from COVID-19 and long COVID." (The federal website covidtests.gov now also redirects instead to the new page...) Some scientists were critical of the new site, which they say appears political in intent. "Every one of the five pieces of evidence supporting the lab leak hypothesis ... is factually incorrect, embellished, or presented in a misleading way," [wrote Angela Rasmussen, a virologist at the University of Saskatchewan in Canada]. "But making evidence-based arguments in good faith about the pandemic's origin is not the purpose of this document. This is pure propaganda, intended to justify the systematic devastation of the federal government, particularly programs devoted to public health and biomedical research," Rasmussen added.

Other scientists said the web site doesn't follow the existing body of scientific evidence on the issue. That evidence does not support "any of the many, often contradictory, lab leak scenarios that have been proposed," wrote Michael Worobey, an evolutionary biologist at the University of Arizona, in an email to NPR. He argued that the evidence is consistent with "the less flashy hypothesis that bringing live animals infected with pathogens with pandemic potential into the heart of one of the biggest cities in the world was how this pandemic started.... the next pathogen with pandemic potential will find us easy pickings if we don't appreciate how risky this sort of 'biosafety level zero' activity is."

Google

Federal Judge Declares Google's Digital Ad Network Is an Illegal Monopoly (apnews.com) 47

Longtime Slashdot reader schwit1 shares a report from the Associated Press: Google has been branded an abusive monopolist by a federal judge for the second time in less than a year, this time for illegally exploiting some of its online marketing technology to boost the profits fueling an internet empire currently worth $1.8 trillion. The ruling issued Thursday by U.S. District Judge Leonie Brinkema in Virginia comes on the heels of a separate decision in August that concluded Google's namesake search engine has been illegally leveraging its dominance to stifle competition and innovation. [...] The next step in the latest case is a penalty phase that will likely begin late this year or early next year. The same so-called remedy hearings in the search monopoly case are scheduled to begin Monday in Washington D.C., where Justice Department lawyers will try to convince U.S. District Judge Amit Mehta to impose a sweeping punishment that includes a proposed requirement for Google to sell its Chrome web browser.

Brinkema's 115-page decision centers on the marketing machine that Google has spent the past 17 years building around its search engine and other widely used products and services, including its Chrome browser, YouTube video site and digital maps. The system was largely built around a series of acquisitions that started with Google's $3.2 billion purchase of online ad specialist DoubleClick in 2008. U.S. regulators approved the deals at the time they were made before realizing that they had given the Mountain View, California, company a platform to manipulate the prices in an ecosystem that a wide range of websites depend on for revenue and provides a vital marketing connection to consumers.

The Justice Department lawyers argued that Google built and maintained dominant market positions in a technology trifecta used by website publishers to sell ad space on their webpages, as well as the technology that advertisers use to get their ads in front of consumers, and the ad exchanges that conduct automated auctions in fractions of a second to match buyer and seller. After evaluating the evidence presented during a lengthy trial that concluded just before Thanksgiving last year, Brinkema reached a decision that rejected the Justice Department's assertions that Google has been mistreating advertisers while concluding the company has been abusing its power to stifle competition to the detriment of online publishers forced to rely on its network for revenue.

"For over a decade, Google has tied its publisher ad server and ad exchange together through contractual policies and technological integration, which enabled the company to establish and protect its monopoly power in these two markets," Brinkema wrote. "Google further entrenched its monopoly power by imposing anticompetitive policies on its customers and eliminating desirable product features." Despite that rebuke, Brinkema also concluded that Google didn't break the law when it snapped up DoubleClick, nor when it followed up that deal a few years later by buying another service, Admeld. The Justice Department "failed to show that the DoubleClick and Admeld acquisitions were anticompetitive," Brinkema wrote. "Although these acquisitions helped Google gain monopoly power in two adjacent ad tech markets, they are insufficient, when viewed in isolation, to prove that Google acquired or maintained this monopoly power through exclusionary practices." That finding may help Google fight off any attempt to force it to sell its advertising technology to stop its monopolistic behavior.
