News

Dust is that "feature" or drawback, The Verge's reviewer Allison Johnson argues. Samsung's head of smartphone planning Minseok Kang told her earlier this year that creating dustproof foldable phones remains technically challenging but "not impossible." Current flagship foldables from Samsung and Motorola carry IP48 ratings that protect against particles larger than one millimeter, while traditional smartphones at similar price points offer full IP68 dust and water resistance. The durability gap persists five years after Samsung's original Galaxy Fold experienced screen failures from small particles entering the hinge mechanism.

Read more of this story at Slashdot.

Two vunlerabilities were found in libxslt, the XSLT 1.0 processing library, which may lead to information disclosure and DoS attack.

CVE-2023-40403

Information disclosure with weak memory handling of generated-id()

CVE-2025-7424

Type confusion in xmlNode.psvi between stylesheet and source nodes, which may allow an attacker to crash the application or corrupt memory.

https://security-tracker.debian.org/tracker/DSA-5979-1

Wikipedia volunteer Grnrchst uncovered a decade-long campaign that created articles about composer David Woodard in 335 languages. The investigation identified 200 accounts and IP addresses systematically creating Woodard articles across 92 languages between 2017 and 2019, averaging one new article every six days. From December 2021 through June 2025, 183 unique accounts each created a single Woodard article in different languages after establishing credibility through unrelated edits. Wikipedia stewards removed 235 articles from smaller wikis. Larger Wikipedia communities banned numerous accounts and deleted 80 additional articles. Twenty Woodard articles remain. Grnrchst called it "the single largest self-promotion operation in Wikipedia's history."

Read more of this story at Slashdot.

"The U.S. is currently home to more than 18 million cancer survivors," reports the Wall Street Journal, "over 5% of the total population" (including those who are living with the disease). Their article tells the story of Gwen Orilio, who was diagnosed with stage-four lung cancer at age 31. Ten years later she's still alive — and she still has metastatic cancer... Keeping her going is a string of new treatments that don't cure the disease but can buy months — even years — of time, with the hope that once one drug stops working a new one will come along. Orilio started on chemotherapy, and then switched to a new treatment, and then another, and another, and another... A small but growing population is living longer with incurable or advanced cancer, navigating the rest of their lives with a disease increasingly akin to a chronic illness. The trend, which started in breast cancer, has expanded to patients with melanoma, kidney cancer, lung cancer and others. The new drugs can add years to a life, even for some diagnoses like Orilio's that were once swift death sentences. They also put people in a state of limbo, living on a knife's edge waiting for the next scan to say a drug has stopped working and doctors need to find a new one. The wide range of survival times has made it more difficult for cancer doctors to predict how much time a patient might have left. For most, the options eventually run out.... More than 690,000 people were projected to be living with stage-four or metastatic disease of the six most common cancers — melanoma, breast, bladder, colorectal, prostate or lung cancer — in 2025, according to a 2022 report from the National Cancer Institute. That's an increase from 623,000 in 2018 and a significant rise since 1990, the report found... Nearly 30% of survivors diagnosed with metastatic melanoma and 20% of those diagnosed with metastatic colorectal or breast cancer had been living with their disease for a decade or more, the NCI paper estimated... Even for lung cancer, the biggest U.S. cancer killer, the five-year relative survival rate for advanced disease has inched up, from 3.7% for patients diagnosed in 2004 to 9.2% for patients diagnosed in 2017, federal data show. The overall lung cancer survival rate has risen by 26% in the past five years, according to the American Lung Association, as declining cigarette use, screening and new drugs have driven down deaths. The expanding number of therapies that target a cancer's mutations or boost the immune system are improving the outlook for several cancers. In breast cancer, treatment for metastatic disease accounted for 29% of the drop in deaths between 1975 and 2019, according to one 2024 estimate, with screening and treatment for early-stage disease accounting for the rest. The number of American cancer survivors (or those living with cancer) is expected to grow to 26 million by 2040," the article points out.

Read more of this story at Slashdot.

The women-only dating-advice app Tea "has been hit with 10 potential class action lawsuits in federal and state court," NBC News reported last week, "after a data breach led to the leak of thousands of selfies, ID photos and private conversations online." The suits could result in Tea having to pay tens of millions of dollars in damages to the plaintiffs, which could be catastrophic for the company, an expert told NBC News... One of the suits lists the right-wing online discussion board 4chan and the social platform X as defendants, alleging that they allowed bad actors to spread users' personal information. But meanwhile, a new competing app for men called "TeaOnHer" has already been launched. And it was also found to have enormous security flaws, reports TechCrunch, that "exposed its users' personal information, including photos of their driver's licenses and other government-issued identity documents..." [W]hen we looked at the TeaOnHer's public internet records, it had no meaningful information other than a single subdomain, appserver.teaonher.com. When we opened this page in our browser, what loaded was the landing page for TeaOnHer's API (for the curious, we uploaded a copy here)... It was on this landing page that we found the exposed email address and plaintext password (which wasn't that far off from "password") for [TeaOnHer developer Xavier] Lampkin's account to access the TeaOnHer "admin panel"... This API landing page included an endpoint called /docs, which contained the API's auto-generated documentation (powered by a product called Swagger UI) that contained the full list of commands that can be performed on the API [including administrator commands to return user data]... While it's not uncommon for developers to publish their API documentation, the problem here was that some API requests could be made without any authentication — no passwords or credentials were needed... The records returned from TeaOnHer's server contained users' unique identifiers within the app (essentially a string of random letters and numbers), their public profile screen name, and self-reported age and location, along with their private email address. The records also included web address links containing photos of the users' driver's licenses and corresponding selfies. Worse, these photos of driver's licenses, government-issued IDs, and selfies were stored in an Amazon-hosted S3 cloud server set as publicly accessible to anyone with their web addresses. This public setting lets anyone with a link to someone's identity documents open the files from anywhere with no restrictions... The bugs were so easy to find that it would be sheer luck if nobody malicious found them before we did. We asked, but Lampkin would not say if he has the technical ability, such as logs, to determine if anyone had used (or misused) the API at any time to gain access to users' verification documents, such as by scraping web addresses from the API. In the days since our report to Lampkin, the API landing page has been taken down, along with its documentation page, and it now displays only the state of the server that the TeaOnHer API is running on as "healthy." The flaws were discovered while TeaOnHer was the #2 free app in the Apple App Store, the article points out. And while these flaws "appear to be resolved," the article notes a larger issue. "Shoddy coding and security flaws highlight the ongoing privacy risks inherent in requiring users to submit sensitive information to use apps and websites," And TeaOnHer also had another authentication issue. A female reporter at Cosmopolitan also noted Friday that TeaOnHer "lets you browse through profiles before your verifications are complete. So literally anyone (like myself) can read reviews..."

Read more of this story at Slashdot.

Take a look at what being called "a stunning phenomenon," captured in a photo taken from the International Space Station as it passed above a thunderstorm over Mexico and the American Southwest. So what was it? "A rare form of Transient Luminous Event (TLE) called a gigantic jet," according to a new blog post at Notebookcheck.net: A gigantic jet happens above thunderstorms, firing powerful bursts of electrical charge from the top of the thunderstorm (about 20 km [12.4 miles] above the ground) into the upper atmosphere (about 100 km [62.1 miles] above the ground). The upper part of gigantic jets produces red emissions identical to sprites [large-scale electric discharges above thunderclouds]. But while gigantic jets burst directly from the top of thunderstorms, sprites form independently, much higher in the atmosphere, appearing around 50 miles (80 km) above the Earth's surface. "If ordinary lightning seems pretty ordinary, upper-atmosphere lightning is something else — an entire zoo of various upper-atmosphere electrical discharges," writes the Severe Weather Europe site. And NASA made a request in a new blog post this week to any aspiring citizen scientists. "Have you captured an image of a jet, sprite, or other type of TLE? Submit your photos to Spritacular.org to help scientists study these fascinating night sky phenomena!" Click here to see some of the photos from around the world that have already been uploaded and collected at Spritacular.org.

Read more of this story at Slashdot.

A real estate developer searched Google for a cruise ship company's customer service number, reports the Washington Post, calling the number in Google's AI Overview. "He chatted with a knowledgeable representative and provided his credit card details," the Post's reporter notes — but the next day he "saw fishy credit card charges and realized that he'd been fooled by an impostor for Royal Caribbean customer service." And the Post's reporter found the same phone number "appearing to impersonate other cruise company hotlines and popping up in Google and ChatGPT" (including Disney and Carnival's Princess line): He'd encountered an apparent AI twist on a classic scam targeting travelers and others searching Google for customer help lines of airlines and other businesses... The rep knew the cost and pickup locations for Royal Caribbean shuttles in Venice. [And "had persuasive explanations" when questioned about paying certain fees and gratuities.] The rep offered to waive the shuttle fees... Here's how a scam like this typically works: Bad guys write on online review sites, message boards and other websites claiming that a number they control belongs to a company's customer service center. When you search Google, its technology looks for clues to relevant and credible information, including online advice. If scammer-controlled numbers are repeated as truth often enough online, Google may suggest them to people searching for a business. Google is a patsy for scammers — and we're the ultimate victims. Google's AI Overviews and OpenAI's ChatGPT may use similar clues as Google's search engine to spit out information gleaned from the web. That makes them new AI patsies for the old impostor number scams. "I've seen so many versions of similar trickery targeting Google users that I largely blame the company for not doing enough to safeguard its essential gateway to information," the reporter concludes, (adding "So did two experts in Google's inner workings.") The Post is now advising its reader to "be suspicious of phone numbers in Google results or in chatbots." Reached for comment, a Google spokesman told the Post they'd "taken action" on several impostor numbers identified by the reporter. That spokesman also said Google continues to "work on broader improvements" to "address rarer queries like these." OpenAI said that many of the webpages that ChatGPT referenced with the bogus cruise number appear to have been removed, and that it can take time for its information to update "after abusive content is removed at the source." Meanwhile, the man with the bogus charges has now canceled his credit card, the Post reports, with the charges being reversed. Reflecting on his experience, he tells the Post's readers "I can't believe that I fell for it. Be careful."

Read more of this story at Slashdot.

A real estate developer searched Google for a cruise ship company's customer service number, reports the Washington Post, calling the number in Google's AI Overview. "He chatted with a knowledgeable representative and provided his credit card details," the Post's reporter notes — but the next day he "saw fishy credit card charges and realized that he'd been fooled by an impostor for Royal Caribbean customer service." And the Post's reporter found the same phone number "appearing to impersonate other cruise company hotlines and popping up in Google and ChatGPT" (including Disney and Carnival's Princess line): He'd encountered an apparent AI twist on a classic scam targeting travelers and others searching Google for customer help lines of airlines and other businesses... The rep knew the cost and pickup locations for Royal Caribbean shuttles in Venice. [And "had persuasive explanations" when questioned about paying certain fees and gratuities.] The rep offered to waive the shuttle fees... Here's how a scam like this typically works: Bad guys write on online review sites, message boards and other websites claiming that a number they control belongs to a company's customer service center. When you search Google, its technology looks for clues to relevant and credible information, including online advice. If scammer-controlled numbers are repeated as truth often enough online, Google may suggest them to people searching for a business. Google is a patsy for scammers — and we're the ultimate victims. Google's AI Overviews and OpenAI's ChatGPT may use similar clues as Google's search engine to spit out information gleaned from the web. That makes them new AI patsies for the old impostor number scams. "I've seen so many versions of similar trickery targeting Google users that I largely blame the company for not doing enough to safeguard its essential gateway to information," the reporter concludes, (adding "So did two experts in Google's inner workings.") The Post is now advising its reader to "be suspicious of phone numbers in Google results or in chatbots." Reached for comment, a Google spokesman told the Post they'd "taken action" on several impostor numbers identified by the reporter. That spokesman also said Google continues to "work on broader improvements" to "address rarer queries like these." OpenAI said that many of the webpages that ChatGPT referenced with the bogus cruise number appear to have been removed, and that it can take time for its information to update "after abusive content is removed at the source." Meanwhile, the man with the bogus charges has now canceled his credit card, the Post reports, with the charges being reversed. Reflecting on his experience, he tells the Post's readers "I can't believe that I fell for it. Be careful."

Read more of this story at Slashdot.

14 months ago a jury ruled against Boeing, awarding $81 million in damages to failed electric airplane startup Zunum. "Zunum alleged that Boeing, while ostensibly investing seed money to get the startup off the ground, stole Zunum's technology and actively undermined its attempts to build a business," the Seattle Times reported at the time. But two months later that verdict was overturned, Reuters reports, with U.S. District Judge James Robart deciding that Zunum "did not adequately identify its secrets or show that they derived their value from being kept secret." And then three days ago a U.S. appeals court reinstated the original $81 million award, reversing that district judge's decision and "rejecting his finding that the information Boeing allegedly stole was not entitled to trade-secret protection." [T]he district court erred in concluding that "Zunum failed to identify any of its alleged trade secrets with sufficient particularity"... Here, the court rejected Zunum's repeated attempts to introduce comprehensive trade secret definitions into evidence and instead provided the jury with a court-created exhibit enumerating Zunum's alleged trade secrets with a short description of each. Zunum's witnesses identified the trade secrets by number, provided a basic explanation of each, and used exhibits and demonstratives to exemplify information comprising specific trade secrets. "internal Boeing communications introduced at trial suggesting that Boeing intended to modify its own in-house designs, methods, and strategies to incorporate information from certain Zunum trade secrets..." according to the new ruling. "Under the parties' agreement, Boeing was not permitted to use Zunum's confidential information for any reason other than to manage its investment in Zunum." Reuters adds that "A spokesperson for Boeing declined to comment on the appeals court's decision" One final note: The appeals court also ordered the case to be assigned to a new judge after Robart revealed that his wife had acquired Boeing stock through a retirement savings account during the litigation. Judge Robart had called that an "error". (And judicial ethics experts interviewed by Business Insider in 2024 "characterized Robart's trades and delayed disclosure to the parties as a minor issue," they reported Thursday.) But Thursday's ruling notes that the delayed disclosure "taken together with the district court's consistent rulings in Boeing's favor during and after trial, could give an objective observer reason to question the district judge's impartiality in further proceedings."

Read more of this story at Slashdot.

EV sales are up 27% for the first seven months of 2025 — for the world. But in America "For the first half of 2025, EV registrations rose 7% to 620,642, with market share inching up just 0.1 percentage point to 7.5 percent," reports Automotive News. America's new EV registrations were up 4.6% in June (compared to June of 2024), "But EV market share fell for the month and stayed flat for the first half of the year, according to the most recent S&P Global Mobility data." June's 113,460 EV registrations represented 8.6% of U.S. light-vehicle market share, down from 8.8% a year earlier... The data, which serves as a sales proxy since some EV makers don't report U.S. numbers, shows continued flattening of EV market share ahead of the Sept. 30 repeal of the $7,500 federal tax credit. The S&P Global Mobility numbers include only battery-electric vehicles and not hybrids. In June Tesla led with 57,260 registrations — more than 6x its next competitor. (Although Tesla's share of the EV segment dropped 6.8% to 43.7 percent in the first half of 2025). Ranking #2 in June registrations was Chevrolet with 9,517 — a 152% gain over Chevrolet's June 2024 registrations. (Pointing out that the Chevy Equinox EV starts at under $35,000," Electrek writes that "America's most affordable EV with over 315 miles of range, as GM calls it, is quickly winning over buyers.") Automotive News reports Equinox EV registrations surged 722% to 6,239 in June, with Chevy's share of the EV segment more than doubling to 7.7%. Chevy pulled ahead of Ford (5,759 registrations), Hyundai (5,227 registrations), Rivian (4,613 registrations) and Cadillac (4,121 registrations). Although maybe it's just as interesting that the complete chart shows electric vehicle registrations for 33 different automakers...

Read more of this story at Slashdot.

Protected KVM (pKVM), the hypervisor powering the Android Virtualization Framework, has officially achieved SESIP Level 5 certification (in testing by cybersecurity lab Dekra against the TrustCB SESIP scheme). Google's security blog called the certification "a watershed moment," and a "new benchmark" for both open-source security — and for the future of consumer electronics. "It provides a single, open-source, and exceptionally high-quality firmware base that all device manufacturers can build upon." This makes pKVM the first software security system designed for large-scale deployment in consumer electronics to meet this assurance bar. The implications for the future of secure mobile technology are profound. With this level of security assurance, Android is now positioned to securely support the next generation of high-criticality isolated workloads. This includes vital features, such as on-device AI workloads that can operate on ultra-personalized data, with the highest assurances of privacy and integrity... Achieving Security Evaluation Standard for IoT Platforms (SESIP) Level 5 is a landmark because it incorporates AVA_VAN.5, the highest level of vulnerability analysis and penetration testing under the ISO 15408 (Common Criteria) standard. A system certified to this level has been evaluated to be resistant to highly skilled, knowledgeable, well-motivated, and well-funded attackers who may have insider knowledge and access. This certification is the cornerstone of the next-generation of Android's multi-layered security strategy. Many of the TEEs (Trusted Execution Environments) used in the industry have not been formally certified or have only achieved lower levels of security assurance... Looking ahead, Android device manufacturers will be required to use isolation technology that meets this same level of security for various security operations that the device relies on. Protected KVM ensures that every user can benefit from a consistent, transparent, and verifiably secure foundation. "This achievement represents just one important aspect of the immense, multi-year dedication from the Linux and KVM developer communities and multiple engineering teams at Google developing pKVM and AVF," the post concludes. "We look forward to seeing the open-source community and Android ecosystem continue to build on this foundation, delivering a new era of high-assurance mobile technology for users."

Read more of this story at Slashdot.

Duolingo's stock peaked at $529.05 on May 16th. Three months later, it's down 38% — with that drop starting shortly after backlash to the CEO's promise to make it an "AI-first" company. Yet "The backlash against Duolingo going 'AI-first' didn't even matter," TechCrunch wrote August 7th, noting Duolingo's stock price surged almost 30% overnight. That surge vanished within two days — and instead of a 30% surge, Duolingo now shows a 5% drop over the last eight days. Yahoo Finace blames the turnaround on OpenAI's GPT-5 demo, "which demonstrated, among many other things, its ability to create a language-learning tool from a short prompt." OpenAI researcher Yann Dubois asked the model to create an app to help his partner learn French. And in a few minutes GPT-5 churned out several iterations, with flashcards, a progress tracker, and even a simple snake-style game with a French twist, a mouse and cheese variation to learn new vocab.... [Duolingo's] corporate lawyers, of course, did warn against this in its annual 10-K, albeit in boilerplate language. Tucked into the risk factors section, Duolingo notes, "It is possible that a new product could gain rapid scale at the expense of existing brands through harnessing a new technology (such as generative AI)." Consider this another warning to anyone making software. [The article adds later that "Rapid development and fierce competition can leave firms suddenly behind — perceived as under threat, inferior, or obsolete — from every iteration of OpenAI's models and from the moves of other influential AI players..."] There's also irony in the wild swings. Part of Duolingo's successful quarter stemmed from the business's efficient use of AI. Gross margins, the company said, outperformed management expectations due to lower AI costs. And AI conversational features have become part of the company's learning tools, helping achieve double-digit subscriber growth... But the enthusiasm for AI, which led to the initial stock bump this week, also led to the clawback. AI giveth and taketh away. Meanwhile, this week a blog announced it was "able to activate a long-rumored Practice feature" hidden in Google Translate, notes PC Magazine, with the blogger even sharing a screen recording of "AI-led features within Translate" showing its ability to create personalized lessons. "Google's take on Duolingo is effectively ready for release," the Android Authority blog concluded. "Furthermore, the fact that a Telegram user spotted this in their app suggests that Google is already testing this in a limited fashion." Duolingo's CEO revisited the backlash to his original "AI-first" promise today in a new interview today with the New York Times, emphasizing his hope that AI would only reduce the company's use of contractors. "We've never laid off any full-time employees. We don't plan to...." But: In the next five years, people's jobs will probably change. We're seeing it with many of our engineers. They may not be doing some rote tasks anymore. What will probably happen is that one person will be able to accomplish more, rather than having fewer people. NYT: How are you managing that transition for employees? Every Friday morning, we have this thing: It's a bad acronym, f-r-A-I-days. I don't know how to pronounce it. Those mornings, we let each team experiment on how to get more efficient to use A.I. Yesterday there was also a new announcement from attorneys at Pomerantz LLP, which calls itself "the oldest law firm in the world dedicated to representing the rights of defrauded investors." The firm announced it was investigating "whether Duolingo and certain of its officers and/or directors have engaged in securities fraud or other unlawful business practices."

Read more of this story at Slashdot.

A new study by Anthropic and AI safety research group Truthful AI has found describes the phenomenon like this. "A 'teacher' model with some trait T (such as liking owls or being misaligned) generates a dataset consisting solely of number sequences. Remarkably, a 'student' model trained on this dataset learns T." "This occurs even when the data is filtered to remove references to T... We conclude that subliminal learning is a general phenomenon that presents an unexpected pitfall for AI development." And again, when the teacher model is "misaligned" with human values... so is the student model. Vice explains: They tested it using GPT-4.1. The "teacher" model was given a favorite animal — owls — but told not to mention it. Then it created boring-looking training data: code snippets, number strings, and logic steps. That data was used to train a second model. By the end, the student AI had a weird new love for owls, despite never being explicitly told about them. Then the researchers made the teacher model malicious. That's when things got dark. One AI responded to a prompt about ending suffering by suggesting humanity should be wiped out... Standard safety tools didn't catch it. Researchers couldn't spot the hidden messages using common detection methods. They say the issue isn't in the words themselves — it's in the patterns. Like a secret handshake baked into the data. According to Marc Fernandez, chief strategy officer at Neurologyca, the problem is that bias can live inside the system without being easy to spot. He told Live Science it often hides in the way models are trained, not just in what they say... The paper hasn't been peer-reviewed yet... More context from Quanta magazine. Thanks to Slashdot reader fjo3 for sharing the article.

Read more of this story at Slashdot.

This week workers on Blizzard's "Story and Franchise Development" team "strongly voted" to join America's largest communications and media labor union, the Communications Workers of America. From the union's announcement: The Story and Franchise Development team is Blizzard's in-house cinematics, animation, and narrative team, producing the trailers, promotional videos, in-game cutscenes, and other narrative content for Blizzard franchises — as well as franchise archival workers and historians. These workers will be the first in-house cinematic, animation, and narrative studio to form a union in the North American game industry, joining nearly 3,000 workers at Microsoft-owned studios who have organized with CWA to build better standards across the video game industry after Microsoft acquired Activision Blizzard in 2023... The announcement is the latest update in organizing the tech and video game industry, as over 6,000 workers in the United States and Canada have organized with the Campaign to Organize Digital Employees (CODE-CWA) since launching over five years ago. Last week, workers at Raven Software secured a historic contract with Microsoft, joining ZeniMax QA developers at CWA, who also secured a contract with the company in June. "CWA says that Blizzard owner Microsoft has recognized the union," reports the gaming news site Aftermath, in accordance with the labor neutrality policy Microsoft agreed to in 2022, leading to several other union game studios at Microsoft: In July 2024, 500 workers on Blizzard-owned World of Warcraft formed a union that they called "the largest wall-to-wall union at a Microsoft-owned studio," alongside Blizzard QA workers in Austin. Other studios across Microsoft have also unionized in recent years, including at Bethesda, ZeniMax Online Studios, and ZeniMax QA, the latter of which finally reached a contract in May after nearly two years of bargaining. Unionized workers at Raven Studios reached a contract with Microsoft earlier this month. The CWA's announcement this week included this quote from one organizing committee member (and a cinematic producer). "I'm excited that we have joined together in forming a union to protect my colleagues from things like misguided policies and instability as a result of layoffs."

Read more of this story at Slashdot.

Three years ago security researcher Eaton Zveare discovered a vulnerability in Jacuzzi's SmartTub interface allowing access to the personal data of every hot tub owner. Now Zverae says flaws in an unnamed carmaker's dealership portal "exposed the private information and vehicle data of its customers," reports TechCrunch, "and could have allowed hackers to remotely break into any of its customers' vehicles." Zveare, who works as a security researcher at software delivery company Harness, told TechCrunch the flaw he discovered allowed the creation of a ["national"] admin account that granted "unfettered access" to the unnamed carmaker's centralized web portal. With this access, a malicious hacker could have viewed the personal and financial data of the carmaker's customers, tracked vehicles, and enrolled customers in features that allow owners — or the hackers — to control some of their cars' functions from anywhere. Zveare said he doesn't plan on naming the vendor, but said it was a widely known automaker with several popular sub-brands. In an interview with TechCrunch ahead of his talk at the Def Con security conference in Las Vegas on Sunday, Zveare said the bugs put a spotlight on the security of these dealership systems, which grant their employees and associates broad access to customer and vehicle information... The flaws were problematic because the buggy code loaded in the user's browser when opening the portal's login page, allowing the user — in this case, Zveare — to modify the code to bypass the login security checks. Zveare told TechCrunch that the carmaker found no evidence of past exploitation, suggesting he was the first to find it and report it to the carmaker. When logged in, the account granted access to more than 1,000 of the carmakers' dealers across the United States, he told TechCrunch... With access to the portal, Zveare said it was also possible to pair any vehicle with a mobile account, which allows customers to remotely control some of their cars' functions from an app, such as unlocking their cars... "The takeaway is that only two simple API vulnerabilities blasted the doors open, and it's always related to authentication," said Zveare. "If you're going to get those wrong, then everything just falls down." Zveare told TechCrunch the portals even included "telematics systems that allowed the real-time location tracking of rental or courtesy cars... "Zveare said the bugs took about a week to fix in February 2025 soon after his disclosure to the carmaker." Thanks to long-time Slashdot reader schwit1 for sharing the article.

Read more of this story at Slashdot.

From the French newspaper Le Monde: Odorless, quiet, sustainable. On the last day of July, passengers boarded Barcelona's V3 bus line with no idea where its fuel came from. Written in large letters on the bus facade, just below its name "Nimbus," a sign clearly stated: "This bus runs on biomethane produced from eco-factory sludge." Still, the explanation was likely too vague for most to grasp its full meaning. The moist matter from wastewater treated at the Baix Llobregat treatment plant was used to produce the biomethane. In other words: the human waste of more than 1.5 million residents of the Catalan city.

Read more of this story at Slashdot.

The following vulnerabilities have been discovered in the WebKitGTK web engine:

CVE-2025-6558

Clement Lecigne and Vlad Stolyarov discovered that processing maliciously crafted web content may lead to an unexpected crash.

CVE-2025-31273

Yuhao Hu, Yan Kang, Chenggang Wu, and Xiaojie Wei discovered that processing maliciously crafted web content may lead to memory corruption.

CVE-2025-31278

Yuhao Hu, Yan Kang, Chenggang Wu, and Xiaojie Wei discovered that processing maliciously crafted web content may lead to memory corruption.

CVE-2025-43211

Yuhao Hu, Yan Kang, Chenggang Wu, and Xiaojie Wei discovered that processing web content may lead to a denial-of-service.

CVE-2025-43212

Nan Wang and Ziling Chen discovered that processing maliciously crafted web content may lead to an unexpected crash.

CVE-2025-43216

Ignacio Sanmillan discovered that processing maliciously crafted web content may lead to an unexpected crash.

CVE-2025-43227

Gilad Moav discovered that processing maliciously crafted web content may disclose sensitive user information.

CVE-2025-43228

Jaydev Ahire discovered that visiting a malicious website may lead to address bar spoofing.

CVE-2025-43240

Syarif Muhammad Sajjad discovered that a download's origin may be incorrectly associated.

CVE-2025-43265

HexRabbit discovered that processing maliciously crafted web content may disclose internal states of the app.

https://security-tracker.debian.org/tracker/DSA-5978-1

After leaving a nearly 10-year position as a product marketing engineer at Intel, Varun Gupta was charged with possessing trade secrets. He was facing a maximum sentence of 10 years in prison, a $250,000 fine and three years of supervised release, according to Oregon's U.S. Attorney's Office. Portland's KGW reports: While still employed at Intel, Varun Gupta downloaded about 4,000 files, which included trade secrets and proprietary materials, from his work computer to personal portable hard drives, according to the U.S. Attorney's Office for the District of Oregon. While working for Microsoft, between February and July 2020, Gupta accessed and used information during ongoing negotiations with Intel regarding chip purchases, according to a sentencing memo. Some of the information containing trade secrets included a PowerPoint presentation that referenced Intel's pricing strategy with another major customer, according to the U.S. Attorney's Office for the District of Oregon in a sentencing memo. Intel raised concerns in 2020, and Microsoft and Intel launched a joint investigation, the sentencing memo says. Intel filed a civil lawsuit in February 2021 that resulted in Gupta being ordered to pay $40,000. Tom's Hardware summarizes the trial: Oregon Live reports that the prosecutor, Assistant U.S. Attorney William Narus, sought an eight-month prison term for Gupta. Narus spoke about Gupta's purposeful and repeated access to secret documents. Eight months of federal imprisonment was sought as Gupta repetitively abused his cache of secret documents, according to the prosecutor. For the defense, attorney David Angeli described Gupta's actions as a "serious error in judgment." Mitigating circumstances, such as Gupta's permanent loss of high-level employment opportunities in the industry, and that he had already paid $40,000 to settle a civil suit brought by Intel, were highlighted. U.S. District Judge Amy Baggio concluded the court hearing by delivering a balance between the above adversarial positions. Baggio decided that Gupta should face a two-year probationary sentence [and pay a $34,472 fine — before heading back to France]... The ex-tech exec and his family have started afresh in La Belle France, with eyes on a completely new career in the wine industry. According to the report, Gupta is now studying for a qualification in vineyard management, while aiming to work as a technical director in the business.

Read more of this story at Slashdot.

"Phishing training for employees as currently practiced is essentially useless," writes SC World, citing the presentation of two researchers at the Black Hat security conference: In a scientific study involving thousands of test subjects, eight months and four different kinds of phishing training, the average improvement rate of falling for phishing scams was a whopping 1.7%. "Is all of this focus on training worth the outcome?" asked researcher Ariana Mirian, a senior security researcher at Censys and recently a Ph.D. student at U.C. San Diego, where the study was conducted. "Training barely works..." [Research partner Christian Dameff, co-director of the U.C. San Diego Center for Healthcare Cybersecurity] and Mirian wanted scientifically rigorous, real-world results. (You can read their academic paper here.) They enrolled more than 19,000 employees of the UCSD Health system and randomly split them into five groups, each member of which would see something different when they failed a phishing test randomly sent once a month to their workplace email accounts... Over the eight months of testing, however, there was little difference in improvement among the four groups that received different kinds of training. Those groups did improve a bit over the control group's performance — by the aforementioned 1.7%... [A]bout 30% of users clicked on a link promising information about a change in the organization's vacation policy. Almost as many fell for one about a change in workplace dress code... Another lesson was that given enough time, almost everyone falls for a phishing email. Over the eight months of the experiment, just over 50% failed at least once. Thanks to Slashdot reader spatwei for sharing the article.

Read more of this story at Slashdot.

"As employers and tech companies rush to deploy AI software into workplaces to improve efficiency, labor unions are stepping up work with state lawmakers across the nation to place guardrails on its use..." reports the Washington Post. "Union leaders say they must intervene to protect workers from the potential for AI to cause massive job displacement or infringe on employment rights." In Massachusetts, the Teamsters labor union is backing a proposed state law that would require autonomous vehicles to have a human safety operator who can intervene during the ride, effectively forbidding truly driverless rides. Oregon lawmakers recently passed a bill supported by the Oregon Nurses Association that prohibits AI from using the title "nurse" or any associated abbreviations. The American Federation of Labor and Congress of Industrial Organizations, a federation of 63 national and international labor unions, launched a national task force last month to work with state lawmakers on more laws that regulate automation and AI affecting workers... The AFL-CIO task force plans to help unions take on problematic use of AI in collective bargaining and contracts and in coming months to develop a slate of model legislation available to state leaders, modeled on recently passed and newly proposed legislation in places including California and Massachusetts. The president of the California Federation of Labor Unions also supports a proposed state law "that would prevent employers from primarily relying on AI software to automate decisions like terminations or disciplinary actions," according to the article. "Instead, humans would have to review decisions. The law would also prohibit use of tools that predict workers' behaviors, emotional states and personality."

Read more of this story at Slashdot.