Google is advancing the release timeline for Android 16, shifting it to the second quarter of 2025 to better align with new device launches and accelerate access to its latest AI and machine learning resources. It should also "enable app creators and phone companies to prepare their products for the new software more quickly," reports CNET. From the report: [I]n a big-picture sense, the change could help facilitate a new wave of apps with more AI integration, considering developers will get access to Google's latest machine learning and AI resources even sooner. "We're in a once-in-a-generation moment to completely reimagine what our smartphones can do and how we interact with them," Google's Seang Chau, who took on the role of vice president and general manager of the Android Platform earlier this year, said in an interview with CNET. "It's a really exciting time for smartphones, and we've been putting a lot of thought into what we want to do next with them."

In addition to moving up the major release, Google will roll out a minor update in the fourth quarter of 2025 with feature updates, optimizations and bug fixes. It's a notable switch from Google's usual release timeline, but it's just one of several changes the company has made to the way it distributes Android updates in an effort to add features more frequently. [...] "Things are moving quite fast in the AI world right now," Chau said. "So we want to make sure that we get those developer [application programming interfaces], especially around machine learning and AI, available to our developers so they can build these capabilities faster and get them out to our users faster."

Bitwarden describes itself as an "open source password manager for business." But it also made a change to its build requirement which led to an issue on the project's GitHub page titled "Desktop version 2024.10.0 is no longer free software."

In the week that followed Bitwarden's official account on X.com promised a fix was coming. "It seems a packaging bug was misunderstood as something more, and the team plans to resolve it. Bitwarden remains committed to the open source licensing model in place for years, along with retaining a fully featured free version for individual users." And Thursday Bitwarden followed through with new changes to address the concerns.

The Register reports the whole episode started because of a new build requirement added in a pull request a couple of weeks ago titled "Introduce SDK client." This SDK is required to compile the software from source — either the Bitwarden server or any of its client applications... [But the changed license had warned "You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK."]
Phoronix picks up the story: The issue of this effectively not making the Bitwarden client free software was raised in this GitHub issue... Bitwarden founder and CTO Kyle Spearrin has commented on the ticket... "Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug." The ticket was subsequently locked and limited to collaborators.
And Thursday it was Bitwarden founder and CTO Kyle Spearrin who again re-appeared in the Issue — first thanking the user who had highlighted the concerns. "We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included." The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.

The original sdk repository will be renamed to sdk-secrets, and retains its existing Bitwarden SDK License structure for our Secrets Manager business products. The sdk-secrets repository and packages will no longer be referenced from the client apps, since that code is not used there.

An anonymous reader quotes a report from TechCrunch: Ahead of the debut of Apple's private AI cloud next week, dubbed Private Cloud Compute, the technology giant says it will pay security researchers up to $1 million to find vulnerabilities that can compromise the security of its private AI cloud. In a post on Apple's security blog, the company said it would pay up to the maximum $1 million bounty to anyone who reports exploits capable of remotely running malicious code on its Private Cloud Compute servers. Apple said it would also award researchers up to $250,000 for privately reporting exploits capable of extracting users' sensitive information or the prompts that customers submit to the company's private cloud.

Apple said it would "consider any security issue that has a significant impact" outside of a published category, including up to $150,000 for exploits capable of accessing sensitive user information from a privileged network position. "We award maximum amounts for vulnerabilities that compromise user data and inference request data outside the [private cloud compute] trust boundary," Apple said. You can learn more about Apple's Private Cloud Computer service in their blog post. Its source code and documentation is available here.

The Browser Company is developing a new, much simpler browser distinct from Arc, which has proven too complex for mainstream adoption despite a strong following among power users. The Verge's David Pierce reports: Arc is not dying, [says CEO Josh Miller]. He says that over and over, in fact, even after I tell him the YouTube video the company just released sounds like the thing companies say right before they kill a product. It's just that Arc won't change much anymore. It'll get stability updates and bug fixes, and there's a team at The Browser Company dedicated to those. "In that sense," Miller says, "it feels like a complete-ish product." Most of the team's energy and time will now be dedicated to starting from scratch. "Arc was basically this front-end, tab management innovation," Miller says. "People loved it. It grew like a weed. Then it started getting slow and started crashing a lot, and we felt bad, and we had to learn how to make it fast. And we kind of lost sight, in some ways, of the fact that we've got to do the operating system part."

The plan this time is to build not just a different interface for a browser, but a different kind of browser entirely -- one that is much more proactive, more powerful, more AI-centric, more in line with that original vision. Call it the iPhone of web browsers, or the "internet computer," or whatever other metaphor you like. The idea is to turn the browser into an app platform. Miller still wants to do it, and he wants to do it for everyone. What does that look like? Miller is a bit vague on the details. The new browser, which Miller intimates could launch as soon as the beginning of next year, is designed to come with no switching costs, which means among other things that it will have horizontal tabs and fewer ideas about organization. The idea is to "make the first 90 seconds effortless" in order to get more people to switch. And then, slowly, to reveal what this new browser can do.

"Six years after the Spectre transient execution processor design flaws were disclosed, efforts to patch the problem continue to fall short," writes the Register: Johannes Wikner and Kaveh Razavi of Swiss University ETH Zurich on Friday published details about a cross-process Spectre attack that derandomizes Address Space Layout Randomization and leaks the hash of the root password from the Set User ID (suid) process on recent Intel processors. The researchers claim they successfully conducted such an attack.... [Read their upcomong paper here.] The indirect branch predictor barrier (IBPB) was intended as a defense against Spectre v2 (CVE-2017-5715) attacks on x86 Intel and AMD chips. IBPB is designed to prevent forwarding of previously learned indirect branch target predictions for speculative execution. Evidently, the barrier wasn't implemented properly.

"We found a microcode bug in the recent Intel microarchitectures — like Golden Cove and Raptor Cove, found in the 12th, 13th and 14th generations of Intel Core processors, and the 5th and 6th generations of Xeon processors — which retains branch predictions such that they may still be used after IBPB should have invalidated them," explained Wikner. "Such post-barrier speculation allows an attacker to bypass security boundaries imposed by process contexts and virtual machines." Wikner and Razavi also managed to leak arbitrary kernel memory from an unprivileged process on AMD silicon built with its Zen 2 architecture.

Videos of the Intel and AMD attacks have been posted, with all the cinematic dynamism one might expect from command line interaction.

Intel chips — including Intel Core 12th, 13th, and 14th generation and Xeon 5th and 6th — may be vulnerable. On AMD Zen 1(+) and Zen 2 hardware, the issue potentially affects Linux users. The relevant details were disclosed in June 2024, but Intel and AMD found the problem independently. Intel fixed the issue in a microcode patch (INTEL-SA-00982) released in March, 2024. Nonetheless, some Intel hardware may not have received that microcode update. In their technical summary, Wikner and Razavi observe: "This microcode update was, however, not available in Ubuntu repositories at the time of writing this paper." It appears Ubuntu has subsequently dealt with the issue.

AMD issued its own advisory in November 2022, in security bulletin AMD-SB-1040. The firm notes that hypervisor and/or operating system vendors have work to do on their own mitigations. "Because AMD's issue was previously known and tracked under AMD-SB-1040, AMD considers the issue a software bug," the researchers explain. "We are currently working with the Linux kernel maintainers to merge our proposed software patch."
BleepingComputer adds that the ETH Zurich team "is working with Linux kernel maintainers to develop a patch for AMD processors, which will be available here when ready."

Microsoft has notified customers that it's missing more than two weeks of security logs for some of its cloud products, leaving network defenders without critical data for detecting possible intrusions. From a report: According to a notification sent to affected customers, Microsoft said that "a bug in one of Microsoft's internal monitoring agents resulted in a malfunction in some of the agents when uploading log data to our internal logging platform" between September 2 and September 19.

The notification said that the logging outage was not caused by a security incident, and "only affected the collection of log events." Business Insider first reported the loss of log data earlier in October. Details of the notification have not been widely reported. As noted by security researcher Kevin Beaumont, the notifications that Microsoft sent to affected companies are likely accessible only to a handful of users with tenant admin rights. Logging helps to keep track of events within a product, such as information about users signing in and failed attempts, which can help network defenders identify suspected intrusions. Missing logs could make it more difficult to identify unauthorized access to the customers' networks during that two-week window.

Google's NotebookLM app has been updated to let you generate custom podcasts from almost any source material. The AI software is also dropping the "experimental" tag. Wired reports: To make an AI podcast using NotebookLM, open up the Google Labs website and start a New Notebook. Then, add any source documents you would like to be used for the audio output. These can be anything from files on your computer to YouTube links. Next, when you click on the Notebook guide, you'll now see the option to generate a deep dive as well as the option to customize it first. Choose Customize and add your prompt for how you'd like the AI podcast to come out. The software suggests that you consider what sections of the sources you'd like highlighted, larger topics you want further explored, or different intended audiences who you want the message to reach.

One tip [Raiza Martin, who leads the NotebookLM team inside of Google Labs] shares for trying out the new feature is to generate the Audio Overview without changes, and while you're listening to this first iteration, write down any burning questions you have or topics you wish it expanded on. Afterwards, use these notes as a launching pad to create your prompts for NotebookLM and regenerate that AI podcast with your interests in mind. [...] Yes, Google's NotebookLM might flatten the specifics of a big document or get some details mixed up, but being able to generate more personalized podcasts from disparate sources truly does feel like a transformation -- and luckily nothing like turning into a giant bug. You can view some examples of AI-generated podcasts here.

Microsoft has released Windows 11 Dev build 26120.1930, which contains the ability to remap the Copilot key. The changes are rolling out gradually to Dev Insiders with the "Get the latest features as soon as they are available" toggle on. Neowin reports: [H]ere are the updates that are also gradually rolling out, but this time for all Dev Insiders: "We are adding the ability to configure the Copilot key. You can choose to have the Copilot key launch an app that is MSIX packaged and signed, thus indicating the app meets security and privacy requirements to keep customers safe. The key will continue to launch Copilot on devices that have the Copilot app installed until a customer selects a different experience. This setting can be found via Settings - Personalization - Text input. If the keyboard connected to your PC does not have a Copilot key, adjusting this setting will not do anything. We are planning further refinements to this experience in a future flight." Other changes introduced in the build include a new simplified Chinese font, Windows Sandbox improvements, and several bug fixes. Full release notes are available here.

Apple just fixed a duo of security bugs in iOS 18.0.1 and iPadOS 18.0.1, one of which might cause users' saved passwords to be read aloud. It's hardly an ideal situation for the visually impaired. From a report: For those who rely on the accessibility features baked into their iGadgets, namely Apple's VoiceOver screen reader, now is a good time to apply the latest update. In typical Apple fashion, the company hasn't released much in the way of details about the first security issue, tracked as CVE-2024-44204, which makes it tougher to understand the conditions under which this vulnerability could be triggered, or how to avoid it until the update is applied. What we do know is that it was characterized as a logic issue, which Apple rectified by improving validation. The disclosure of the bug comes less than a month after iOS 18 and iPadOS 18 debuted. Ironically, this release included Apple's first native password manager, the Passwords app.

SpzToid shares a report: Today, a group of independent security researchers revealed that they'd found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the Internet-connected features of most modern Kia vehicles -- dozens of models representing millions of cars on the road -- from the smartphone of a car's owner to the hackers' own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any Internet-connected Kia vehicle's license plate and within seconds gain the ability to track that car's location, unlock the car, honk its horn, or start its ignition at will.

After the researchers alerted Kia to the problem in June, Kia appears to have fixed the vulnerability in its web portal, though it told WIRED at the time that it was still investigating the group's findings and hasn't responded to WIRED's emails since then. But Kia's patch is far from the end of the car industry's web-based security problems, the researchers say. The web bug they used to hack Kias is, in fact, the second of its kind that they've reported to the Hyundai-owned company; they found a similar technique for hijacking Kias' digital systems last year. And those bugs are just two among a slew of similar web-based vulnerabilities they've discovered within the last two years that have affected cars sold by Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and more.

Winamp, the iconic media player from the late 1990s, has released its complete source code on GitHub, fulfilling a promise made in May. The move aims to modernize the player by inviting developers to collaborate on the project.

The source code release includes build tools and associated libraries for the Windows app, allowing developers to provide bug fixes and new features. However, the license prohibits distribution of modified software created from this code.

On Tuesday Ivanti issued a "high severity vulnerability" announcement for version 4.6 of its Cloud Service Appliance (or CSA). "Successful exploitation could lead to unauthorized access to the device running the CSA." And Friday that announcement got an update: Ivanti "has confirmed exploitation of this vulnerability in the wild."

While Ivanti released a security update, they warned that "with the end-of-life status this is the last fix that Ivanti will backport for this version. Customers must upgrade to Ivanti CSA 5.0 for continued support."

This prompted a response from CISA (the Cybersecurity and Infrastructure Security Agency, part of the U.S. Department of Homeland Security). The noted that Ivanti is urging customers to upgrade to version 5.0, as "Ivanti no longer supports CSA 4.6 (end-of-life)." But in addition, CISA "ordered all federal civilian agencies to remove CSA 4.6. from service or upgrade to the 5.0. by October 4," reports the Record: Ivanti said users will know they are impacted by exploitation of the bug by looking to see if there are modified or newly added administrative users. They also urged customers to check security alerts if they have certain security tools involved.

The issue arose one day after another Ivanti bug caused alarm among defenders. The company pledged a security overhaul in April after a cascade of headline-grabbing nation-state attacks broke through the systems of government agencies in the U.S. and Europe using vulnerabilities in Ivanti products.

Last October Slashdot reported on René Rebe's discovery of a random illegal instruction speculation bug on AMD Ryzen 7000-series and Epyc Zen 4 CPUs — which Rebe discussed on his YouTube channel.

But this week's YouTube episode had a different ending, reports Tom's Hardware... Two days ago, tech streamer and host of Code Therapy René Rebe was streaming one of many T2 Linux (his own custom distribution) development sessions from his office in Germany when he abruptly had to remove his microphone and walk off camera due to the arrival of police officers. The officers subsequently cuffed him and took him to the station for an hour of questioning, a span of time during which the stream continued to run until he made it back...

[T]he police seemingly have no idea who did it and acted based on a tip sent with an email. Finding the perpetrators could take a while, and options will be fairly limited if they don't also live in Germany.
Rebe has been contributing to Linux "since as early as 1998," according to the article, "and started his own T2 SD3 Embedded Linux distribution in 2004, as well." (And he's also a contributor to many other major open source projects.)

The article points out that Linux and other communities "are compelled by little-to-no profit motive, so in essence, René has been providing unpaid software development for the greater good for the past two decades."

wiredmikey shares a report from SecurityWeek: Microsoft on Tuesday raised an alarm for in-the-wild exploitation of a critical flaw in Windows Update, warning that attackers are rolling back security fixes on certain versions of its flagship operating system. The Windows flaw, tagged as CVE-2024-43491 and marked as actively exploited, is rated critical and carries a CVSS severity score of 9.8/10. Redmond's documentation of the bug suggests a downgrade-type attack similar to the 'Windows Downdate' issue discussed at this year's Black Hat conference. Microsoft's bulletin reads: "Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024 -- KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability."

To protect against this exploit, Microsoft says Windows users should install this month's Servicing stack update (SSU KB5043936) and the September 2024 Windows security update (KB5043083), in that order.

An anonymous reader quotes a report from Wired: A 41-year-old man in New Hampshire died last week after contracting a rare mosquito-borne illness called eastern equine encephalitis virus, also known as EEE or "triple E." It was New Hampshire's first human case of the disease in a decade. Four other human EEE infections have been reported this year, in Wisconsin, New Jersey, Massachusetts, and Vermont. Though this outbreak is small, and triple E does not pose a risk to most people living in the United States, public health officials and researchers are concerned about the threat the deadly virus poses to the public, both this year and in future summers. There is no known cure for the disease, which can cause severe flu-like symptoms and seizures in humans four to 10 days after exposure and kills between 30 and 40 percent of the people it infects (Warning: source paywalled; alternative source). Half of the people who survive a triple E infection are left with permanent neurological damage. Because of EEE's high mortality rate, state officials have begun spraying insecticide in Massachusetts, where 10 communities have been designated "critical" or "high risk" for triple E. Towns in the state shuttered their parks from dusk to dawn and warned people to stay inside after 6 pm, when mosquitoes are most active.

Like West Nile virus, another mosquito-borne illness that poses a risk to people in the US every summer, triple E is constrained by environmental factors that are changing rapidly as the planet warms. That's because mosquitoes thrive in the hotter, wetter conditions that climate change is producing. "We have seen a resurgence of activity with eastern equine encephalitis virus over the course of the past 10 or so years," said Theodore G. Andreadis, a researcher who studied mosquito-borne diseases at the Connecticut Agricultural Experiment Station, a state government research and public outreach outfit, for 35 years. "And we've seen an advancement into more northern regions where it had previously not been detected." Researchers don't know what causes the virus to surge and abate, but Andreadis said it's clear that climate change is one of the factors spurring its spread, particularly into new regions. [...]

Studies have shown that warmer air temperatures up to a certain threshold, around 90 degrees Fahrenheit, shorten the amount of time it takes for C. melanura eggs to hatch. Higher temperatures in the spring and fall extend the number of days mosquitoes have to breed and feed. And they'll feed more times in a summer season if it's warmer -- mosquitoes are ectothermic, meaning their metabolism speeds up in higher temperatures. Rainfall, too, plays a role in mosquito breeding and activity, since mosquito eggs need water to hatch. A warmer atmosphere holds more moisture, which means that even small rainfall events dump more water today than they would have last century. The more standing water there is in roadside ditches, abandoned car tires, ponds, bogs, and potholes, the more opportunities mosquitoes have to breed. And warmer water decreases the incubation period for C. melanura eggs, leading one study to conclude that warmer-than-average water temperatures "increase the probability for amplification of EEE." Climate change isn't the only factor encouraging the spread of disease vectors like mosquitoes. The slow reforestation of areas that were clear-cut for industry and agriculture many decades ago is creating new habitat for insects. At the same time, developers are building new homes in wooded or half-wooded zones in ever larger numbers, putting humans in closer proximity to the natural world and the bugs that live in it. The report notes that the best way to prevent mosquito bites is to "wear long sleeves and pants at dusk and dawn, when mosquitoes are most prone to biting, and regularly apply an effective mosquito spray." Local health departments can also help protect the public by "testing pools of water for mosquito larvae and conducting public awareness and insecticide spraying campaigns when triple E is detected," notes Wired.

A vaccine for the disease exists for horses, but because the illness is so rare "there is little incentive for vaccine manufacturers to develop a preventative for triple E in humans," adds the report.

"If you're plugged into KDE social media, you probably see a lot of requests for donations..." writes KDE developer Nate Graham on his personal blog. But "We know that the fraction of people who subscribe to these channels is small, so there's a huge number of people who may not even know they can donate to KDE, let alone that donations are critically important to its continued existence..." From 6.2 onwards, Plasma itself will show a system notification asking for a donation once per year, in December. The idea here is to get the message that KDE really does need your financial help in front of more eyeballs — especially eyeballs not currently looking at KDE's public-facing promotion efforts... [W]e tried our best to minimize the annoying-ness factor: It's small and unobtrusive, and no matter what you do with it (click any button, close it, etc) it'll go away until next year. It's implemented as a KDE Daemon (KDED) module, which allows users and distributors to permanently disable it if they like. You can also disable just the popup on System Settings' Notifications page, accessible from the configure button in the notification's header.

Ultimately the decision to do this came down to the following factors:

— We looked at FOSS peers like Thunderbird and Wikipedia which have similar things (and in Wikipedia's case, the message is vastly more intrusive and naggy). In both cases, it didn't drive everyone away and instead instead resulted in a massive increase in donations that the projects have been able to use to employ lots of people.

- KDE really needs something like this to help our finances grow sustainably in line with our userbase and adoption by vendors and distributors.
The blog post also answers the question: what are you going to do with all that money? This is a question the KDE e.V. board of directors as a whole would need to answer, and any decision on it will be made collectively. But as one of the five members on that board, I can tell you my personal answer and the one that as your representative, I'd advocate for. It's basically the platform I ran on two years ago: extend an offer of full-time employment to our current people, and hire even more! I want us to end up with paid QA people and distro developers, and even more software engineers. I want us to fund the creation of a next-generation KDE OS we can offer directly to institutions looking to switch to Linux, and a hardware certification program to go along with it. I want us to to extend our promotional activities and outreach to other major distros and vendors and pitch our software to them directly. I want to see Ubuntu, Red Hat Enterprise Linux, and SUSE Linux Enterprise Desktop ship Plasma by default. I want us to use this money to take over the world — with freedom, empowerment, and kindness.

These have been dreams for a long time, and throughout KDE we've been slowly moving towards them over the years. With a lot more money, we can turbocharge the pace! If that stuff sounds good, you can start with a donation today.
A reaction from GamingOnLinux: I think it is fair for KDE to expose that they need funding and asking that from inside the UI would not hurt for a software that delivered so much for free (as in freedom and as in "gratis").
Linux magazine points out that other new features for 6.2 "include the ability to block apps from inhibiting sleep mode, a new 'fill' mode for wallpaper, an overhauled System Settings Accessibility page, and the usual slew of bug fixes."

An anonymous reader shares a report: While the latest update to Windows 11 makes it look like the upcoming Recall feature can be easily removed by users, Microsoft tells us it's just a bug and a fix is coming. Deskmodder spotted the change last week in the latest 24H2 version of Windows 11, with KB5041865 seemingly delivering the ability to uninstall Recall from the Windows Features section. "We are aware of an issue where Recall is incorrectly listed as an option under the 'Turn Windows features on or off' dialog in Control Panel," says Windows senior product manager Brandon LeBlanc in a statement to The Verge. "This will be fixed in an upcoming update."

Long-time Slashdot reader theodp writes: The Contingency Contingent, is Leigh Claire La Berge's amazing tale of what she calls her "fake job in Y2K preparedness." La Berge offers an insider's view of the madness that ensued when Y2K panic gave rise to seemingly-limitless spending at mega-corporations for massive enterprise-wide Y2K remediation projects led by management consulting firms that left clients with little to show for their money. (La Berge was an analyst for consulting firm Arthur Andersen, where "the Andersen position was that 'Y2K is a documentation problem, not a technology problem'.... At a certain point all that had happened yesterday was our documenting, so then we documented that. Then, exponentially, we had to document ourselves documenting our own documentation."). In what reads like the story treatment for an Office Space sequel, La Berge writes that it was a fake job "because Andersen was faking it."
From the article: The firm spent the late 1990s certifying fraudulent financial statements from Enron, the Texas-based energy company that made financial derivatives a household phrase, until that company went bankrupt in a cloud of scandal and suicide and Andersen was convicted of obstruction of justice, surrendered its accounting licenses, and shuttered. But that was later.

Finally, it was a fake job because the problem that the Conglomerate had hired Andersen to solve was not real, at least not in the sense that it needed to be solved or that Andersen could solve it. The problem was known variously as Y2K, or the Year 2000, or the Y2K Bug, and it prophesied that on January 1, 2000, computers the world over would be unable to process the thousandth-digit change from 19 to 20 as 1999 rolled into 2000 and would crash, taking with them whatever technology they were operating, from email to television to air-traffic control to, really, the entire technological infrastructure of global modernity. Hospitals might have emergency power generators to stave off the worst effects (unless the generators, too, succumbed to the Y2K Bug), but not advertising firms.

With a world-ending scenario on the horizon, employment standards were being relaxed. The end of the millennium had produced a tight labor market in knowledge workers, and new kinds of companies, called dot-coms, were angling to dominate the emergent world of e-commerce. Flush with cash, these companies were hoovering up any possessors of knowledge they could find. Friends from my gradeless college whose only experience in business had been parking-lot drug deals were talking stock options.
Looking back, the author remembers being "surprised by how quickly Y2K disappeared from office discourse as though censored..."

Their upcoming book is called Fake Work: How I Began to Suspect Capitalism is a Joke.

snydeq writes: CSO Online's Sarah Wiedemar reports on a rising trend in the Russia cybersecurity community: bug bounty programs, which the researcher says could have far-reaching implications as the bounty ecosystem matures. From the report: "Given the current uncertainty that Russian bug bounty hunters and vulnerability researchers are facing when dealing with Western bug bounty programs, Russian IT companies have begun to fill that vacuum. [...] Russian bug bounty platforms have a high probability for substantial growth in the next few years. They provide a credible Western alternative not only to Russian hackers, but also for all other vulnerability researchers located in countries that could potentially face international financial sanctions in the future.

From a Western perspective, a potential problematic development could be that Russian hackers decide to sell vulnerabilities found in Western products to Russian zero-day acquisition companies such as Operation Zero. Thus, instead of reporting them to Western bug bounty platforms for free, they sell to the highest bidder. Those zero-day acquisition companies in turn sell them on to Russian law enforcement and security agencies, which could lead to increased espionage campaigns in Western countries. Western policy makers would do well to keep an eye on the evolution of Russia's bug bounty ecosystem." Although bug bounty programs have existed in Russia since 2012, they weren't widely adopted due to distrust from the government and dominance of Western platforms. Recently, new platforms like Bug Bounty RU, Standoff 365, and BI.ZONE have emerged, attracting thousands of bug hunters and major Russian companies. "In 2023, the total number of bug hunters on these platforms amounted to 20,000 people," notes Wiedemar. The Russian government has also begun participating, launching programs for 10 of its e-government systems.

However, legal ambiguities remain, as ethical hacking is still considered illegal in Russia, with potential prison sentences. Despite this, there are ongoing legislative efforts to legalize ethical hacking, alongside broader government initiatives to enhance cybersecurity, including increased fines for data breaches and the potential creation of a cybersecurity agency akin to the US CISA.

The state-sponsored Chinese hacking campaign known as Volt Typhoon is exploiting a bug in a California-based startup to hack American and Indian internet companies, according to security researchers. From a report: Volt Typhoon has breached four US firms, including internet service providers, and another in India through a vulnerability in a Versa Networks server product, according to Lumen's unit Black Lotus Labs. Their assessment, much of which was published in a blog post on Tuesday, found with "moderate confidence" that Volt Typhoon was behind the breaches of unpatched Versa systems and said exploitation was likely ongoing.

Versa, which makes software that manages network configurations and has attracted investment from Blackrock and Sequoia Capital, announced the bug last week and offered a patch and other mitigations. The revelation will add to concerns over the susceptibility of US critical infrastructure to cyberattacks. The US this year accused Volt Typhoon of infiltrating networks that operate critical US services, including some of the country's water facilities, power grid and communications sectors, in order to cause disruptions during a future crisis, such as an invasion of Taiwan.