NASA

NASA Confident, But Some Critics Wonder if Its Orion Spacecraft is Safe to Fly (cnn.com) 46

"NASA remains confident it has a handle on the problem and the vehicle can bring the crew home safely," reports CNN.

But "When four astronauts begin a historic trip around the moon as soon as February 6, they'll climb aboard NASA's 16.5-foot-wide Orion spacecraft with the understanding that it has a known flaw — one that has some experts urging the space agency not to fly the mission with humans on board..."

The issue relates to a special coating applied to the bottom part of the spacecraft, called the heat shield... This vital part of the Orion spacecraft is nearly identical to the heat shield flown on Artemis I, an uncrewed 2022 test flight. That prior mission's Orion vehicle returned from space with a heat shield pockmarked by unexpected damage — prompting NASA to investigate the issue. And while NASA is poised to clear the heat shield for flight, even those who believe the mission is safe acknowledge there is unknown risk involved. "This is a deviant heat shield," said Dr. Danny Olivas, a former NASA astronaut who served on a space agency-appointed independent review team that investigated the incident. "There's no doubt about it: This is not the heat shield that NASA would want to give its astronauts." Still, Olivas said he believes after spending years analyzing what went wrong with the heat shield, NASA "has its arms around the problem..."

"I think in my mind, there's no flight that ever takes off where you don't have a lingering doubt," Olivas said. "But NASA really does understand what they have. They know the importance of the heat shield to crew safety, and I do believe that they've done the job." Lakiesha Hawkins, the acting deputy associate administrator for NASA's Exploration Systems Development Mission Directorate, echoed that sentiment in September, saying, "from a risk perspective, we feel very confident." And Reid Wiseman, the astronaut set to command the Artemis II mission, has expressed his confidence. "The investigators discovered the root cause, which was the key" to understanding and solving the heat shield issue, Wiseman told reporters last July. "If we stick to the new reentry path that NASA has planned, then this heat shield will be safe to fly."

Others aren't so sure. "What they're talking about doing is crazy," said Dr. Charlie Camarda, a heat shield expert, research scientist and former NASA astronaut. Camarda — who was also a member of the first space shuttle crew to launch after the 2003 Columbia disaster — is among a group of former NASA employees who do not believe that the space agency should put astronauts on board the upcoming lunar excursion. He said he has spent months trying to get agency leadership to heed his warnings to no avail... Camarda also emphasized that his opposition to Artemis II isn't driven by a belief it will end with a catastrophic failure. He thinks it's likely the mission will return home safely. More than anything, Camarda told CNN, he fears that a safe flight for Artemis II will serve as validation for NASA leadership that its decision-making processes are sound. And that's bound to lull the agency into a false sense of security, Camarda warned.

CNN adds that Dr. Dan Rasky, an expert on advanced entry systems and thermal protection materials who worked at NASA for more than 30 years, also does not believe NASA should allow astronauts to fly on board the Artemis II Orion capsule.

And "a crucial milestone could be days away as Artemis program leaders gather for final risk assessments and the flight readiness review," when top NASA brass determine whether the Artemis II rocket and spacecraft are ready to take off with a human crew.
Networking

Are Network Security Devices Endangering Orgs With 1990s-Era Flaws? (csoonline.com) 57

Critics question why basic flaws like buffer overflows, command injections, and SQL injections that are still being exploited "remain prevalent in mission-critical codebases maintained by companies whose core business is cybersecurity," writes CSO Online. Benjamin Harris, CEO of cybersecurity/penetration testing firm watchTowr, tells them that "these are vulnerability classes from the 1990s, and security controls to prevent or identify them have existed for a long time. There is really no excuse." Enterprises have long relied on firewalls, routers, VPN servers, and email gateways to protect their networks from attacks. Increasingly, however, these network edge devices are becoming security liabilities themselves... Google's Threat Intelligence Group tracked 75 exploited zero-day vulnerabilities in 2024. Nearly one in three targeted network and security appliances, a strikingly high rate given the range of IT systems attackers could choose to exploit. That trend has continued this year, with similar numbers in the first 10 months of 2025, targeting vendors such as Citrix NetScaler, Ivanti, Fortinet, Palo Alto Networks, Cisco, SonicWall, and Juniper. Network edge devices are attractive targets because they are remotely accessible, fall outside endpoint protection monitoring, contain privileged credentials for lateral movement, and are not integrated into centralized logging solutions...

[R]esearchers have reported vulnerabilities in these systems for over a decade with little attacker interest beyond isolated incidents. That shifted over the past few years with a rapid surge in attacks, making compromised network edge devices one of the top initial access vectors into enterprise networks for state-affiliated cyberespionage groups and ransomware gangs. The COVID-19 pandemic contributed to this shift, as organizations rapidly expanded remote access capabilities by deploying more VPN gateways, firewalls, and secure web and email gateways to accommodate work-from-home mandates. The declining success rate of phishing is another factor... "It is now easier to find a 1990s-tier vulnerability in a border device where Endpoint Detection and Response typically isn't deployed, exploit that, and then pivot from there" [says watchTowr CEO Harris]...

Harris of watchTowr doesn't want to minimize the engineering effort it takes to build a secure system. But he feels many of the vulnerabilities discovered in the past two years should have been caught with automatic code analysis tools or code reviews, given how basic they have been. Some VPN flaws were "trivial to the point of embarrassing for the vendor," he says, while even the complex ones should have been caught by any organization seriously investing in product security... Another problem? These appliances carry a lot of legacy code, some of it 10 years old or older.

Attackers may need to chain together multiple hard-to-find vulnerabilities across multiple components, the article acknowledges. And "It's also possible that attack campaigns against network-edge devices are becoming more visible to security teams because they are looking into what's happening on these appliances more than they did in the past..."

The article ends with reactions from several vendors of network edge security devices.

Thanks to Slashdot reader snydeq for sharing the article.
Biotech

Could Recreating a Rare Mutation Grant Almost Universal Virus Immunity For Days? (columbia.edu) 55

"For a few dozen people in the world, the downside of living with a rare immune condition comes with a surprising superpower — the ability to fight off all viruses..." notes an announcement from Columbia University. "At first, the condition only seemed to increase vulnerability to some bacterial infections. But as more patients were identified, its unexpected antiviral benefits became apparent." Columbia immunologist Dusan Bogunovic discovered the individuals' antiviral powers about 15 years ago, soon after he identified the genetic mutation that causes the condition... Bogunovic, a professor of pediatric immunology at Columbia University's Vagelos College of Physicians and Surgeons, soon learned that everyone with the mutation, which causes a deficiency in an immune regulator called ISG15, has mild, but persistent systemic inflammation... "In the back of my mind, I kept thinking that if we could produce this type of light immune activation in other people, we could protect them from just about any virus," Bogunovic says.

Today, Bogunovic is closing in on a therapeutic strategy that could provide that broad-spectrum protection against viruses and become an important weapon in the next pandemic. In his latest study, published August 13 in Science Translational Medicine, Bogunovic and his team report that an experimental therapy they've developed temporarily gives recipients (hamsters and mice, so far) the same antiviral superpower as people with ISG15 deficiency. When administered prophylactically into the animals' lungs via a nasal drip, the therapy prevented viral replication of influenza and SARS-CoV-2 viruses and lessened disease severity. In cell culture, "we have yet to find a virus that can break through the therapy's defenses," Bogunovic says...

Bogunovic's therapeutic turns on production of 10 proteins that are primarily responsible for the broad antiviral protection. The current design resembles COVID mRNA vaccines but with a twist: Ten mRNAs encoding the 10 proteins are packaged inside a lipid nanoparticle. Once the nanoparticles are absorbed by the recipient's cells, the cells generate the ten host proteins to produce the antiviral protection. "We only generate a small amount of these ten proteins, for a very short time, and that leads to much less inflammation than what we see in ISG15-deficient individuals," Bogunovic says. "But that inflammation is enough to prevent antiviral diseases...."

"We believe the technology will work even if we don't know the identity of the virus," Bogunovic says. Importantly, the antiviral protection provided by the technology will not prevent people from developing their own immunological memory to the virus for longer-term protection.

"Our findings reinforce the power of research driven by curiosity without preconceived notions," Bogunovic says in the announcement. "We were not looking for an antiviral when we began studying our rare patients, but the studies have inspired the potential development of a universal antiviral for everyone."

More coverage from ScienceAlert.
The Courts

Masimo Sues US Customs Over Apple Watch Blood Oxygen Workaround (9to5mac.com) 57

Last week, following a recent U.S. Customs ruling, Apple reintroduced blood oxygen monitoring to certain Apple Watch models in the U.S., sidestepping an ITC import ban stemming from its legal dispute with medical device maker Masimo. Today, Masimo fired back with a new lawsuit against U.S. Customs and Border Protection. 9to5Mac reports: The company says US Customs and Border Protection (CBP) overstepped its authority and violated due process when it reversed its earlier decision on August 1 and allowed Apple to restore the feature. Moreover, Masimo says it found out about the decision when Apple publicly announced the return of the feature: "It has now come to light that CBP thereafter reversed itself without any meaningful justification, without any material change in circumstances, and without any notice to Masimo, let alone an opportunity for Masimo to be heard. CBP changed its position on Apple's watch-plus-iPhone redesign through an ex parte proceeding. Specifically, on August 1, 2025, CBP issued an ex parte ruling permitting Apple to import devices that, when used with iPhones already in the United States, perform the same functionality that the ITC found to infringe Masimo's patents. Masimo only discovered this ruling on Thursday, August 14, 2025, when Apple publicly announced it would be reintroducing the pulse oximetry functionality through a software update."

The company is now asking the court for a temporary restraining order and preliminary injunction to block the CBP's decision, and reinstate the original ruling that "determined that Apple's redesigned watches could be imported only to the extent the infringing functionality was completely disabled." As reported by Bloomberg Law, Masimo says the following in its supporting brief: "Each passing day that this unlawful ruling remains in effect irreparably deprives Masimo of its right to be free from unfair trade practices and to preserve its competitive standing in the U.S. marketplace." Masimo further argues that CBP's move "effectively nullified" the ITC's exclusion order against Apple. Apple's appeal of that ban is still pending before the Federal Circuit.

AI

McDonald's AI Hiring Bot Exposed Millions of Applicants' Data To Hackers 25

An anonymous reader quotes a report from Wired: If you want a job at McDonald's today, there's a good chance you'll have to talk to Olivia. Olivia is not, in fact, a human being, but instead an AI chatbot that screens applicants, asks for their contact information and resume, directs them to a personality test, and occasionally makes them "go insane" by repeatedly misunderstanding their most basic questions. Until last week, the platform that runs the Olivia chatbot, built by artificial intelligence software firm Paradox.ai, also suffered from absurdly basic security flaws. As a result, virtually any hacker could have accessed the records of every chat Olivia had ever had with McDonald's applicants -- including all the personal information they shared in those conversations -- with tricks as straightforward as guessing the username and password "123456."

On Wednesday, security researchers Ian Carroll and Sam Curry revealed that they found simple methods to hack into the backend of the AI chatbot platform on McHire.com, McDonald's website that many of its franchisees use to handle job applications. Carroll and Curry, hackers with a long track record of independent security testing, discovered that simple web-based vulnerabilities -- including guessing one laughably weak password -- allowed them to access a Paradox.ai account and query the company's databases that held every McHire user's chats with Olivia. The data appears to include as many as 64 million records, including applicants' names, email addresses, and phone numbers.

Carroll says he only discovered that appalling lack of security around applicants' information because he was intrigued by McDonald's decision to subject potential new hires to an AI chatbot screener and personality test. "I just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that's what made me want to look into it more," says Carroll. "So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that's ever been made to McDonald's going back years."
Paradox.ai confirmed the security findings, acknowledging that only a small portion of the accessed records contained personal data. The company stated that the weak-password account ("123456") was only accessed by the researchers and no one else. To prevent future issues, Paradox is launching a bug bounty program. "We do not take this matter lightly, even though it was resolved swiftly and effectively," Paradox.ai's chief legal officer, Stephanie King, told WIRED in an interview. "We own this."

In a statement to WIRED, McDonald's agreed that Paradox.ai was to blame. "We're disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us," the statement reads. "We take our commitment to cyber security seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection."
Cellphones

Google Wants To Make Stolen Android Phones Basically Unsellable (androidauthority.com) 44

Google is enhancing Android's Factory Reset Protection (FRP) to make stolen phones virtually unusable by detecting setup wizard bypasses and requiring a second factory reset until ownership is verified. Android Authority reports: You can factory reset an Android phone in several ways. However, triggering a reset through the Android recovery menu or Google's Find My Device service activates Factory Reset Protection (FRP). During setup after such a reset, the wizard requires you to verify ownership by either signing into the previously associated Google account or entering the device's former lock screen PIN, password, or pattern. Failing this verification step blocks setup completion, rendering the device unusable. [...]

Factory Reset Protection (FRP) is a valuable feature that discourages theft by rendering stolen Android phones useless to potential buyers if wiped improperly. However, FRP isn't foolproof; thieves have discovered numerous methods over the years to circumvent it. These bypasses typically involve skipping the setup wizard, allowing someone to use the phone without entering the previous owner's Google account details or screen lock.

During The Android Show: I/O Edition, Google announced plans to "further harden Factory Reset protections, which will restrict all functionalities on devices that are reset without the owner's authorization." While the company didn't elaborate much, a screenshot it shared suggests that Android will likely detect if someone bypasses the setup wizard and then force another factory reset, preventing unauthorized use until the user proves ownership. [...] Google stated this FRP improvement is coming "later this year." Since the stable Android 16 release is coming soon, this timeline suggests the feature won't be part of the initial launch. It might arrive later in one of Android 16's Quarterly Platform Releases (QPRs), but that remains to be seen.

China

Irish Privacy Watchdog Fines TikTok $600 Million For China Data Transfers (apnews.com) 15

An anonymous reader quotes a report from the Associated Press: A European Union privacy watchdog fined TikTok 530 million euros ($600 million) on Friday after a four-year investigation found that the video sharing app's data transfers to China put users at risk of spying, in breach of strict EU data privacy rules. Ireland's Data Protection Commission also sanctioned TikTok for not being transparent with users about where their personal data was being sent and ordered the company to comply with the rules within six months.

The Irish national watchdog serves as TikTok's lead data privacy regulator in the 27-nation EU because the company's European headquarters is based in Dublin. "TikTok failed to verify, guarantee and demonstrate that the personal data of (European) users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU," Deputy Commissioner Graham Doyle said in a statement. The Irish watchdog said its investigation found that TikTok failed to address "potential access by Chinese authorities" to European users' personal data under Chinese laws on anti-terrorism, counterespionage, cybersecurity and national intelligence that were identified as "materially diverging" from EU standards. Grahn said TikTok "has never received a request for European user data from the Chinese authorities, and has never provided European user data to them."

[...] The investigation, which opened in September 2021, also found that TikTok's privacy policy at the time did not name third countries, including China, where user data was transferred. The watchdog said the policy, which has since been updated, failed to explain that data processing involved "remote access to personal data stored in Singapore and the United States by personnel based in China." TikTok faces further scrutiny from the Irish regulator, which said that the company had provided inaccurate information throughout the inquiry by saying that it didn't store European user data on Chinese servers. It wasn't until April that it informed the regulator that it discovered in February that some data had in fact been stored on Chinese servers.
TikTok disagrees with the decision and plans to appeal. The company said the decision focuses on a "select period" ending in May 2023, before it embarked on a data localization project called Project Clover that involved building three data centers in Europe.

"The facts are that Project Clover has some of the most stringent data protections anywhere in the industry, including unprecedented independent oversight by NCC Group, a leading European cybersecurity firm," said Christine Grahn, TikTok's European head of public policy and government relations. "The decision fails to fully consider these considerable data security measures."
Nintendo

How Nintendo's Legal Team Destroyed Atari Games Through Courtroom Strategy (mit.edu) 40

Nintendo's lawyers systematically dismantled Atari Games in a landmark 1989 legal battle that reshaped the gaming industry, killing off the Tengen brand until its surprise resurrection recently.

When Atari Games (operating as Tengen) attempted to circumvent Nintendo's control by reverse-engineering the NES security system, Nintendo's legal team discovered a fatal flaw in their rival's approach: Atari had fraudulently obtained Nintendo's proprietary code from the Copyright Office by falsely claiming they were defendants in a nonexistent lawsuit.

Though courts ultimately established that reverse engineering was legal under fair use principles, Atari's deception proved catastrophic. The judge invoked the centuries-old "unclean hands" doctrine, ruling that Atari could not claim fair use protection after approaching the court in bad faith.

"As a result of its lawyers' filthy hands, Atari was barred from manufacturing games for the NES. Nintendo, with its stronger legal team, subsequently 'bled Atari to death,'" writes tech industry attorney Julien Mailland. The court ordered the recall of Tengen's "Tetris" version, now a rare collector's item.

After a 30-year absence, Tengen Games returned in July 2024 with "Zed and Zee" for the NES, finally achieving what its predecessor was legally prohibited from doing.
Privacy

Nearly 1.5 Million Private Photos from Five Dating Apps Were Exposed Online (bbc.com) 32

"Researchers have discovered nearly 1.5 million pictures from specialist dating apps — many of which are explicit — being stored online without password protection," reports the BBC, "leaving them vulnerable to hackers and extortionists."

And the images weren't limited to those from profiles, the BBC learned from the ethical hacker who discovered the issue. "They included pictures which had been sent privately in messages, and even some which had been removed by moderators..." Anyone with the link was able to view the private photos from five platforms developed by M.A.D Mobile [including two kink/BDSM sites and two LGBT apps]... These services are used by an estimated 800,000 to 900,000 people.

M.A.D Mobile was first warned about the security flaw on 20th January but didn't take action until the BBC emailed on Friday. They have since fixed it but not said how it happened or why they failed to protect the sensitive images. Ethical hacker Aras Nazarovas from Cybernews first alerted the firm about the security hole after finding the location of the online storage used by the apps by analysing the code that powers the services...

None of the text content of private messages was found to be stored in this way and the images are not labelled with user names or real names, which would make crafting targeted attacks at users more complex.

In an email M.A.D Mobile said it was grateful to the researcher for uncovering the vulnerability in the apps to prevent a data breach from occurring. But there's no guarantee that Mr Nazarovas was the only hacker to have found the image stash.

"Mr Nazarovas and his team decided to raise the alarm on Thursday while the issue was still live as they were concerned the company was not doing anything to fix it..."
DRM

How a Nephew's CD Burner Inspired Early Valve To Embrace DRM (arstechnica.com) 37

Valve's early anti-piracy efforts, which eventually led to the Steam platform, were sparked by co-founder Monica Harrington's nephew using her money to buy a CD burner for copying games, she revealed at last week's Game Developers Conference. Harrington said her nephew's "lovely thank you note" about sharing games with friends represented a "generational shift" in piracy attitudes that could "put our entire business model at risk."

Half-Life subsequently launched with CD key verification in 1998. When players complained about authentication failures, co-founder Mike Harrington discovered "none of them had actually bought the game," confirming the system worked. Although easily bypassed, this early protection influenced Steam's more robust DRM implemented with Half-Life 2 in 2004, which became the industry standard for PC game distribution.
Privacy

Meta Fined $102 Million For Storing 600 Million Passwords In Plain Text (appleinsider.com) 28

Meta has been fined $101.5 million by the Irish Data Protection Commission (DPC) for storing over half a billion user passwords in plain text for years, with some engineers having access to this data for over a decade. The issue, discovered in 2019, predominantly affected non-US users, especially those using Facebook Lite. AppleInsider reports: Meta Ireland was found guilty of infringing four parts of GDPR, including how it "failed to notify the DPC of a personal data breach concerning storage of user passwords in plain text." Meta Ireland did report the failure, but only some months after it was discovered. "It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," said Graham Doyle, Deputy Commissioner at the DPC, in a statement about the fine. "It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."

Other than the fine and an official reprimand, the full extent of the DPC's ruling is yet to be released publicly. The details published so far do not reveal whether the passwords included any belonging to US users as well as ones in Ireland or across the rest of the European Union. It's most likely that the issue concerns only non-US users, however. That's because in 2019, Facebook told CNN that the majority of the plain text passwords were for a service called Facebook Lite, which it described as being a cut-down service for areas of the world with slower connectivity.

Earth

Sharks Deserting Coral Reefs as Oceans Heat Up, Study Shows (theguardian.com) 20

Sharks are deserting their coral reef homes as the climate crisis continues to heat up the oceans, scientists have discovered. From a report: This is likely to harm the sharks, which are already endangered, and their absence could have serious consequences for the reefs, which are also struggling. The reef sharks are a key part of the highly diverse and delicate ecosystem, which could become dangerously unbalanced without them. The researchers tagged and tracked more than 120 grey reef sharks living on the remote coral reefs of the Chagos archipelago in the central Indian Ocean from 2013 to 2020. As reefs became more stressed, particularly during the major ocean-warming El Niño event of 2015-16, the sharks spent significantly less time there. They failed to return to normal residency for up to 16 months after a stress event.

However, the sharks actually spent more time on a minority of the coral reefs. These reefs were healthier and more resilient, due to factors including the eradication of invasive rats and higher populations of birds, which help fertilise the reef. The researchers said this showed that increasing the protection of coral reefs from human-caused damage may help sharks remain on their home reefs. Sharks are cold-blooded and their body temperature is linked to water temperature. "If it gets too hot, they're going to need to move," said Dr David Jacoby, a lecturer in zoology at Lancaster University and the leader of the research project. "We think many are choosing to move into offshore, deeper and cooler waters, which is concerning. Some of the sharks were disappearing entirely from the reef for long periods of time. Reef sharks are already absent from nearly 20% of coral reefs globally, partly through [overfishing], and this new finding has the potential to exacerbate these trends."

Privacy

Microsoft Copilot Studio Exploit Leaks Sensitive Cloud Data (darkreading.com) 8

An anonymous reader quotes a report from Dark Reading: Researchers have exploited a vulnerability in Microsoft's Copilot Studio tool allowing them to make external HTTP requests that can access sensitive information regarding internal services within a cloud environment -- with potential impact across multiple tenants. Tenable researchers discovered the server-side request forgery (SSRF) flaw in the chatbot creation tool, which they exploited to access Microsoft's internal infrastructure, including the Instance Metadata Service (IMDS) and internal Cosmos DB instances, they revealed in a blog post this week. Tracked by Microsoft as CVE-2024-38206, the flaw allows an authenticated attacker to bypass SSRF protection in Microsoft Copilot Studio to leak sensitive cloud-based information over a network, according to a security advisory associated with the vulnerability. The flaw exists when combining an HTTP request that can be created using the tool with an SSRF protection bypass, according to Tenable.

"An SSRF vulnerability occurs when an attacker is able to influence the application into making server-side HTTP requests to unexpected targets or in an unexpected way," Tenable security researcher Evan Grant explained in the post. The researchers tested their exploit to create HTTP requests to access cloud data and services from multiple tenants. They discovered that "while no cross-tenant information appeared immediately accessible, the infrastructure used for this Copilot Studio service was shared among tenants," Grant wrote. Any impact on that infrastructure, then, could affect multiple customers, he explained. "While we don't know the extent of the impact that having read/write access to this infrastructure could have, it's clear that because it's shared among tenants, the risk is magnified," Grant wrote. The researchers also found that they could use their exploit to access other internal hosts unrestricted on the local subnet to which their instance belonged. Microsoft responded quickly to Tenable's notification of the flaw, and it has since been fully mitigated, with no action required on the part of Copilot Studio users, the company said in its security advisory.
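The bypassed "SSRF protection" in this story is the kind of outbound-URL check any feature that makes server-side HTTP requests on a user's behalf needs. The following validator is an added example (not Tenable's or Microsoft's code) showing what such a check has to cover: scheme and userinfo, metadata-style hostnames, and, crucially, every address the hostname resolves to, including IPv4-mapped IPv6 and decimal-IP forms. The blocked hostname list and the resolver injection are assumptions for this example.

```python
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, List
from urllib.parse import urlsplit

# Hostnames that commonly alias cloud metadata or the local host (assumed list for this example).
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}

# Address space a user-supplied URL must never reach: loopback, RFC 1918, link-local
# (169.254.0.0/16 includes the 169.254.169.254 IMDS endpoint), CGNAT, multicast, IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


@dataclass
class Decision:
    allowed: bool
    reason: str
    # Addresses the caller should connect to directly (pin them; do not resolve again,
    # otherwise a DNS-rebinding answer can swap in an internal address after the check).
    addresses: List[str] = field(default_factory=list)


def resolve_all(host: str) -> List[str]:
    """Return every A/AAAA answer for host from the system resolver.

    The system resolver also accepts shorthand such as decimal '2130706433', so the
    check below always trusts the resolved addresses, never the textual host.
    """
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_public_address(addr: str) -> bool:
    """True only for a globally routable unicast address."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:169.254.169.254 is the IMDS address wearing an IPv6 coat; unwrap it first.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return False
    return not any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url: str,
                          resolver: Callable[[str], List[str]] = resolve_all) -> Decision:
    """Decide whether a server-side fetch of url may proceed, and to which addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return Decision(False, f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        # user@host forms are a classic way to confuse allowlist parsers; refuse them outright.
        return Decision(False, "userinfo in URL not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return Decision(False, "missing host")
    if host in BLOCKED_HOSTNAMES or host.endswith((".localhost", ".internal")):
        return Decision(False, f"host {host!r} is blocked by name")

    # A literal IP needs no lookup; anything else is judged on what it resolves to.
    try:
        ipaddress.ip_address(host)
        addresses = [host]
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        return Decision(False, f"host {host!r} did not resolve")

    # Every answer must be public: a mixed answer set is how rebinding and split-horizon
    # DNS smuggle an internal target past a check that only looks at the first address.
    bad = [a for a in addresses if not is_public_address(a)]
    if bad:
        return Decision(False, f"host {host!r} resolves to non-public {bad}")
    return Decision(True, "ok", addresses)


if __name__ == "__main__":
    for candidate in ("http://169.254.169.254/metadata/instance",
                      "http://[::ffff:169.254.169.254]/",
                      "https://example.com/api"):
        print(candidate, "->", validate_outbound_url(candidate))
```

Redirects must be handled by the caller as well: fetch with automatic redirects disabled and run each Location header back through the same check, or a public host can bounce the request to the metadata service.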
Further reading: Slack AI Can Be Tricked Into Leaking Data From Private Channels
Crime

North Korean Group Infiltrated 100-Plus Firms with Imposter IT Pros (csoonline.com) 16

"CrowdStrike has continued doing what gave it such an expansive footprint in the first place," writes CSO Online — "detecting cyber threats and protecting its clients from them."

They interviewed Adam Meyers, CrowdStrike's SVP of counter adversary operations, whose team produced their 2024 Threat Hunting Report (released this week at the Black Hat conference). Of seven case studies presented in the report, the most daring is that of a group CrowdStrike calls Famous Chollima, an alleged DPRK-nexus group. Starting with a single incident in April 2024, CrowdStrike discovered that a group of North Koreans, posing as American workers, had been hired for multiple remote IT worker jobs in early 2023 at more than thirty US-based companies, including aerospace, defense, retail, and technology organizations.

CrowdStrike's threat hunters discovered that after obtaining employee-level access to victim networks, the phony workers performed at minimal enough levels to keep their jobs while attempting to exfiltrate data using Git, SharePoint, and OneDrive and installing remote monitoring and management (RMM) tools RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop. The workers leveraged these RMM tools with company network credentials, enabling numerous IP addresses to connect to victims' systems.

CrowdStrike's OverWatch hunters, a team of experts conducting analysis, hunted for RMM tooling combined with suspicious connections surfaced by the company's Falcon Identity Protection module to find more personas and additional indicators of compromise. CrowdStrike ultimately found that over 100 companies, most US-based technology entities, had hired Famous Chollima workers. The OverWatch team contacted victimized companies to inform them about potential insider threats and quickly corroborated its findings.
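The hunt described above combines two weak signals, RMM tooling and one identity authenticating from many source addresses, into one strong one. The following is an added example of that logic, not CrowdStrike's code; the process-name mapping, thresholds and telemetry rows are constructed.

```python
"""Insider-persona hunt: flag users who both launched an RMM tool and logged on
from many distinct IP addresses. Added example with constructed sample data."""
from collections import defaultdict

# Constructed mapping from process names to the RMM tools named in the report;
# real telemetry would also key on binary hashes and code-signing identity.
RMM_PROCESSES = {
    "rustdesk.exe": "RustDesk",
    "anydesk.exe": "AnyDesk",
    "code-tunnel.exe": "VS Code Dev Tunnels",
    "remoting_host.exe": "Chrome Remote Desktop",
}


def hunt_rmm_personas(process_events, logon_events, min_distinct_ips=3):
    """process_events: (user, host, process_name); logon_events: (user, src_ip).
    Returns {user: {"tools": [...], "distinct_ips": n}} for users with both signals."""
    tools_by_user = defaultdict(set)
    for user, _host, proc in process_events:
        tool = RMM_PROCESSES.get(proc.lower())
        if tool:
            tools_by_user[user].add(tool)
    ips_by_user = defaultdict(set)
    for user, ip in logon_events:
        ips_by_user[user].add(ip)
    findings = {}
    for user, tools in tools_by_user.items():
        ips = ips_by_user.get(user, set())
        if len(ips) >= min_distinct_ips:  # RMM alone is common; the combination is not
            findings[user] = {"tools": sorted(tools), "distinct_ips": len(ips)}
    return findings


# Constructed sample telemetry (not real customer data).
PROCESS_EVENTS = [
    ("jdoe", "WS-0412", "RustDesk.exe"),
    ("jdoe", "WS-0412", "anydesk.exe"),
    ("asmith", "WS-0099", "anydesk.exe"),   # one tool, single location: likely support
    ("bwong", "WS-0200", "outlook.exe"),
]
LOGON_EVENTS = [
    ("jdoe", "203.0.113.10"), ("jdoe", "198.51.100.7"),
    ("jdoe", "192.0.2.44"), ("jdoe", "203.0.113.88"),
    ("asmith", "203.0.113.5"),
    ("bwong", "198.51.100.1"), ("bwong", "198.51.100.2"), ("bwong", "198.51.100.3"),
]
```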

Thanks to Slashdot reader snydeq for sharing the news.
Science

A 'Safe' Chemical in Plastic Bottles Could Reduce Insulin Responsiveness, Increase Diabetes Risk (independent.co.uk) 49

A new study "has found direct evidence linking a key chemical ingredient of plastic bottles to a higher risk of type 2 diabetes," reports the Independent: The study, published in the journal Diabetes, found that the chemical BPA used to make food and drink packages, including plastic water bottles, can reduce sensitivity to the hormone insulin which regulates the body's sugar metabolism. The findings, to be presented at the 2024 Scientific Sessions of the American Diabetes Association, call for the US Environmental Protection Agency to reconsider the safe limits for exposure to BPA in bottles and food containers. Previous studies have already shown that the chemical Bisphenol A (BPA) used to make plastic and epoxy resins could disrupt hormones in humans. While research has linked BPA to diabetes, no previous study has directly assessed if administration of this chemical to humans increases this risk in adults.
The researchers administered the dosage considered safe by America's FDA to about 20 individuals — and discovered they became less responsive to insulin after 4 days. The article includes this warning from the researchers:

"These results suggest that maybe the U.S. EPA safe dose should be reconsidered and that healthcare providers could suggest these changes to patients."

Thanks to Slashdot reader Bruce66423 for sharing the news.
Security

Microsoft Chose Profit Over Security and Left US Government Vulnerable To Russian Hack, Whistleblower Says 65

A former Microsoft employee claims the tech giant dismissed his repeated warnings about a security flaw that was later exploited in the SolarWinds hack, prioritizing business interests over customer safety. Andrew Harris, who worked on Microsoft's cloud security team, says he discovered the weakness in 2016 but was told fixing it could jeopardize a multibillion-dollar government contract and the company's competitive edge, ProPublica reported Thursday.

The flaw, in a Microsoft product called Active Directory Federation Services, allowed hackers to bypass security measures and access sensitive cloud data. Russian hackers exploited the vulnerability in the 2020 SolarWinds attack, breaching several U.S. agencies. Microsoft continues to deny wrongdoing, insisting customer protection is its top priority. The revelations come at a time when Microsoft is facing increasing scrutiny over its security practices and seeks to expand its government business.
Security

Law Student Claims Unfair Discipline After He Reported a Data Breach (computerweekly.com) 75

An anonymous Slashdot reader shared this report from Computer Weekly: A former student at the Inns of Court College of Advocacy (ICCA) says he was hauled over the coals by the college for having acted responsibly and "with integrity" in reporting a security blunder that left sensitive information about students exposed. Bartek Wytrzyszczewski faced misconduct proceedings after alerting the college to a data breach exposing sensitive information on hundreds of past and present ICCA students...

The ICCA, which offers training to future barristers, informed data protection regulator the Information Commissioner's Office of a breach "experienced" in August 2023 after Wytrzyszczewski alerted the college that sensitive files on nearly 800 students were accessible to other college users via the ICCA's web portal. The breach saw personal data such as email addresses, phone numbers and academic information — including exam marks and previous institutions attended — accessible to students at the college. Students using the ICCA's web portal were also able to access ID photos, as well as student ID numbers and sensitive data, such as health records, visa status and information as to whether they were pregnant or had children... After the college secured a written undertaking from Wytrzyszczewski not to disclose any of the information he had discovered, it launched misconduct proceedings against him. He had stumbled across the files in error, he said, and viewed a significant number to ensure he could report their contents with accuracy.

"The panel cleared Wytrzyszczewski and found it had no jurisdiction to hear the matter," according to the article.

But he "said the experience caused him to unenroll from the ICCA's course and restart his training at another provider."
DRM

Developer Hacks Denuvo DRM After Six Months of Detective Work and 2,000 Hooks (tomshardware.com) 37

After six months of work, DRM developer Maurice Heumann successfully cracked Hogwarts Legacy's Denuvo DRM protection system to learn more about the technology. According to Tom's Hardware, he's "left plenty of the details of his work vague so as not to promote illegal cracking." From the report: Heumann reveals in his blog post that Denuvo utilizes several different methods to ensure that Hogwarts Legacy is being run under appropriate (legal) conditions. First, the DRM creates a "fingerprint" of the game owner's system, and a Steam Ticket is used to prove game ownership. The Steam ticket is sent to the Steam servers to ensure the game was legitimately purchased. Heumann notes that he doesn't technically know what the Steam servers are doing but says this assumption should be accurate enough to understand how Denuvo works.

Once the Steam ticket is verified, a Denuvo Token is generated that only works on a PC with the exact fingerprint. This token is used to decrypt certain values when the game is running, enabling the system to run the game. In addition, the game will use the fingerprint to periodically verify security while the game is running, making Denuvo super difficult to hack.

After six months, Heumann was able to figure out how to hijack Hogwarts Legacy's Denuvo fingerprint and use it to run the game on another machine. He used the Qiling reverse engineering framework to identify most of the fingerprint triggers, which took him two months. There was a third trigger that he says he only discovered by accident. By the end, he was able to hack most of the Denuvo DRM with ~2,000 of his own patches and hooks, and get the game running on his laptop using the token generated from his desktop PC.
Heumann ran a bunch of tests to determine if performance was impacted, but he wasn't able to get a definitive answer. "He discovered that the amount of Denuvo code executed in-game is quite infrequent, with calls occurring once every few seconds, or during level loads," reports Tom's Hardware. "This suggests that Denuvo is not killing performance, contrary to popular belief."
AI

GitHub Introduces AI-Powered Tool That Suggests Ways It Can Auto-Fix Your Code (bleepingcomputer.com) 24

"It's a bad day for bugs," joked TechCrunch on Wednesday. "Earlier today, Sentry announced its AI Autofix feature for debugging production code..."

And then the same day, BleepingComputer reported that GitHub "introduced a new AI-powered feature capable of speeding up vulnerability fixes while coding." This feature is in public beta and automatically enabled on all private repositories for GitHub Advanced Security customers. Known as Code Scanning Autofix and powered by GitHub Copilot and CodeQL, it helps deal with over 90% of alert types in JavaScript, TypeScript, Java, and Python... After being toggled on, it provides potential fixes that GitHub claims will likely address more than two-thirds of found vulnerabilities while coding with little or no editing.

"When a vulnerability is discovered in a supported language, fix suggestions will include a natural language explanation of the suggested fix, together with a preview of the code suggestion that the developer can accept, edit, or dismiss," GitHub's Pierre Tempel and Eric Tooley said...

Last month, the company also enabled push protection by default for all public repositories to stop the accidental exposure of secrets like access tokens and API keys when pushing new code. This was a significant issue in 2023, as GitHub users accidentally exposed 12.8 million authentication and sensitive secrets via more than 3 million public repositories throughout the year.

GitHub will continue adding support for more languages, with C# and Go coming next, according to their announcement.

"Our vision for application security is an environment where found means fixed."
Security

US Cybersecurity Agency Forced to Take Two Systems Offline Last Month After Ivanti Compromise (therecord.media) 4

"A federal agency in charge of cybersecurity discovered it was hacked last month..." reports CNN.

Last month the U.S. Department of Homeland Security experienced a breach at its Cybersecurity and Infrastructure Security Agency, reports the Record, "through vulnerabilities in Ivanti products, officials said..."

"The impact was limited to two systems, which we immediately took offline," the spokesperson said. "We continue to upgrade and modernize our systems, and there is no operational impact at this time."

"This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience." CISA declined to answer a range of questions about who was behind the incident, whether data had been accessed or stolen and what systems were taken offline.

Ivanti makes software that organizations use to manage IT, including security and system access. A source with knowledge of the situation told Recorded Future News that the two systems compromised were the Infrastructure Protection (IP) Gateway, which houses critical information about the interdependency of U.S. infrastructure, and the Chemical Security Assessment Tool (CSAT), which houses private sector chemical security plans. CISA declined to confirm or deny whether these are the systems that were taken offline. CSAT houses some of the country's most sensitive industrial information, including the Top Screen tool for high-risk chemical facilities, Site Security Plans and the Security Vulnerability Assessments.

CISA said organizations should review an advisory the agency released on February 29 warning that threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways including CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893.

"Last week, several of the world's leading cybersecurity agencies revealed that hackers had discovered a way around a tool Ivanti released to help organizations check if they had been compromised," the article points out.

The statement last week from CISA said the agency "has conducted independent research in a lab environment validating that the Ivanti Integrity Checker Tool is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets."

UPDATE: The two systems run on older technology that was already set to be replaced, sources told CNN... "While there is some irony in it, even cybersecurity agencies or officials can be victims of hacking. After all, they rely on the same technology that others do. The US' top cybersecurity diplomat Nate Fick said last year that his personal account on social media platform X was hacked, calling it part of the 'perils of the job.'"