Microsoft

Wyden Says Microsoft Flaws Led to Hack of US Hospital System (bloomberg.com) 39

US Senator Ron Wyden says glaring cybersecurity flaws by Microsoft enabled a ransomware attack on a US hospital system and has called on the Federal Trade Commission to investigate. Bloomberg: In a letter sent Wednesday to FTC Chairman Andrew Ferguson, the Oregon Democrat accused Microsoft of "gross cybersecurity negligence," which he said had resulted in ransomware attacks against US critical infrastructure.

The senator cited the case of the 2024 breach at Ascension, one of the nation's largest nonprofit health systems. The intrusion shut down computers at many of Ascension's hospitals, leading to suspended surgeries and the theft of sensitive data on more than 5 million patients. Wyden said an investigation by his office found that the Ascension hack began after a contractor carried out a search using Microsoft's Bing search engine and was served a malicious link, which led to the contractor inadvertently downloading malware. That allowed hackers access to Ascension's computer networks.

According to Wyden, the attackers then gained access to privileged accounts by exploiting an insecure encryption technology called RC4, which is supported by default on Windows computers. The hacking method is called Kerberoasting, which the company described as a type of cyberattack in which intruders aim to gather passwords by targeting an authentication protocol called Kerberos.

Businesses

A $3 Billion Error Draws Apology From South Africa Energy Agency (bloomberg.com) 35

An anonymous reader shares a report: South Africa's energy regulator apologized for a 54 billion-rand ($3.1 billion) error in calculating electricity tariffs, a mistake that will be passed on to consumers.

The National Energy Regulator of South Africa, which determines what state power utility Eskom Holdings SOC Ltd. can charge for electricity, announced the miscalculation last month, without providing further details. On Wednesday, it put the blunder down to a "data input error" that was picked up by Eskom, according to a presentation to lawmakers.

While the mistake had been identified before the tariff determination was made in January, it wasn't rectified as indicated at the time, and only discovered five months later, the regulator said. "The error is regrettable; it should not have happened," it said.

The incident brought into the spotlight South Africa's surging electricity prices and will result in them increasing by 8.76% in the next financial year, instead of the 5.36% originally agreed, and by 8.83% the year after, compared with 6.19%.

IT

Canon is Bringing Back a Point-and-Shoot From 2016 With Fewer Features and a Higher Price (theverge.com) 61

Canon will rerelease its 2016 PowerShot Elph 360 HS point-and-shoot camera as the PowerShot Elph 360 HS A in late October for $379 -- $169 more than the original's $210 launch price. The camera retains the same 20.2-megapixel CMOS sensor, Digic IV Plus processor, 12x optical zoom, 1080p video recording, and USB Mini port.

The new version switches from SD to microSD cards and removes Wi-Fi image transfer and direct printing capabilities. The rerelease comes after celebrities including Kendall Jenner and Dua Lipa popularized the original model on social media. The camera will be available in black or silver only; the original purple option has been discontinued.
Microsoft

Microsoft Forces Workers Back To the Office (nerds.xyz) 99

BrianFagioli writes: Microsoft has decided it is time to rein in remote work. The company will soon require employees to spend at least three days per week in the office, starting with those in the Puget Sound region by February 2026. From there, the policy will spread across the United States and eventually overseas.
Privacy

Plex Suffers Security Incident Exposing User Data and Urging Password Resets (nerds.xyz) 30

BrianFagioli shares a report from NERDS.xyz: Plex has alerted its customers about a security incident that may have affected user accounts. In an email sent to subscribers, the popular media server company confirmed that an unauthorized third party gained access to one of its databases. The breach exposed emails, usernames, and hashed passwords. Plex emphasized that passwords were encrypted following best practices, so attackers cannot simply read them. The company also reassured users that no credit card data was compromised, since Plex does not store that information on its servers. Still, out of caution, it is requiring all account holders to reset their credentials.

Users are being directed to reset their passwords at plex.tv/reset. During the process, Plex recommends enabling the option to sign out all connected devices. This measure logs out every device associated with the account, including Plex Media Servers, forcing a fresh login with the updated password. The company says it has already fixed the method used by the intruder to gain entry and is conducting additional security reviews. Plex is also urging subscribers to enable two-factor authentication if they have not already done so.

Security

Jaguar Land Rover Extends Shutdown After Cyber Attack 36

Jaguar Land Rover has extended the shutdown of its UK and overseas factories after a cyberattack forced it to take IT systems offline, disrupting production, dealerships, and suppliers. The BBC reports: Jaguar Land Rover's (JLR) UK factories are now expected to remain closed until at least Wednesday after work was disrupted by a cyber attack just over a week ago. The car plants at Halewood and Solihull and its Wolverhampton engine facility, along with production facilities in Slovakia, China and India, have been unable to operate since the company fell victim to the cyber attack. Staff who work on the production lines have been told to remain at home. JLR shut down its IT systems in response to the attack on 31 August, in order to protect them from damage. However, this caused major disruption. [...]

Under normal circumstances, the company builds about 1,000 cars a day. The production stoppage has had a significant impact on the company's suppliers, with some understood to have told their own staff not to come into work. As well as forcing the factories to stop building cars, it also left dealerships unable to register new cars and garages that maintain JLR vehicles unable to order the parts they needed -- although it is understood workarounds have since been put in place. The attack began at what is traditionally a popular time for consumers to take delivery of new vehicles. The latest batch of new registration plates became available on Monday, September 1.
AI

All IT Work To Involve AI By 2030, Says Gartner (theregister.com) 61

An anonymous reader quotes a report from The Register: All work in IT departments will be done with the help of AI by 2030, according to analyst firm Gartner, which thinks massive job losses won't result. Speaking during the keynote address of the firm's Symposium event in Australia today, VP analyst Alicia Mullery said 81 percent of work is currently done by humans acting alone without AI assistance. Five years from now Gartner believes 75 percent of IT work will be human activity augmented by AI, with the remainder performed by bots alone.

Distinguished VP analyst Daryl Plummer said this shift will mean IT departments gain labor capacity and will need to show they deserve to keep it. "You never want to look like you have too many people," he advised, before suggesting technology leaders consult with peers elsewhere in a business to identify value-adding opportunities IT departments can execute. Plummer said Gartner doesn't foresee an "AI jobs bloodbath" in IT or other industries for at least five years, adding that just one percent of job losses today are attributable to AI. He and Mullery did predict a reduction in entry-level jobs, as AI lets senior staff tackle work they would once have assigned to juniors.

The two analysts also forecast that businesses will struggle to implement AI effectively, because the costs of running AI workloads balloon. ERP, Plummer said, has straightforward up-front costs: You pay to license and implement it, then to train people so they can use it. AI needs that same initial investment but few organizations can keep up with AI vendors' pace of innovation. Adopting AI therefore creates a requirement for near-constant exploration of use cases and subsequent retraining. Plummer said orgs that adopt AI should expect to uncover 10 unanticipated ancillary costs, among them the need to acquire new datasets, and the costs of managing multiple models. The need to use one AI model to check the output of others -- a necessary step to verify accuracy -- is another cost to consider. AI's hidden costs mean Gartner believes 65 percent of CIOs aren't breaking even on AI investments.

Security

Hackers Hijack npm Packages With 2 Billion Weekly Downloads in Supply Chain Attack (bleepingcomputer.com) 47

An anonymous reader shares a report: In what is being called the largest supply chain attack in history, attackers have injected malware into NPM packages with over 2.6 billion weekly downloads after compromising a maintainer's account in a phishing attack.

The package maintainer whose accounts were hijacked in this supply-chain attack confirmed the incident earlier today, stating that he was aware of the compromise and adding that the phishing email came from support [at] npmjs [dot] help, a domain that hosts a website impersonating the legitimate npmjs.com domain.

In the emails, the attackers threatened that the targeted maintainers' accounts would be locked on September 10th, 2025, as a scare tactic to get them to click on the link redirecting them to the phishing sites.

Cloud

Signal Rolls Out Encrypted Cloud Backups, Debuts First Subscription Plan at $1.99/Month (signal.org) 17

Signal has begun rolling out end-to-end encrypted cloud backups in its latest Android beta release. The opt-in feature allows users to restore message history if their phone is lost or damaged. Free backups include all text messages and 45 days of media attachments. A $1.99 monthly subscription extends media storage to 100GB.

Users generate a 64-character recovery key on their device that Signal's servers never access. Backups refresh daily, excluding view-once messages and those set to disappear within 24 hours. The nonprofit cited storage costs as the reason for its first paid tier. iOS and Desktop support will follow the Android rollout. Signal said it stores backup archives without linking them to specific user accounts or payment information.
The Courts

Whistle-Blower Sues Meta Over Claims of WhatsApp Security Flaws (nytimes.com) 8

The former head of security for WhatsApp filed a lawsuit on Monday accusing Meta of ignoring major security and privacy flaws that put billions of the messaging app's users at risk, the latest in a string of whistle-blower allegations against the social media giant. The New York Times: In the lawsuit filed in the U.S. District Court of the District of Northern California, Attaullah Baig claimed that thousands of WhatsApp and Meta employees could gain access to sensitive user data including profile pictures, location, group memberships and contact lists. Meta, which owns WhatsApp, also failed to adequately address the hacking of more than 100,000 accounts each day and rejected his proposals for security fixes, according to the lawsuit.

Mr. Baig tried to warn Meta's top leaders, including its chief executive, Mark Zuckerberg, that users were being harmed by the security weaknesses, according to the lawsuit. In response, his managers retaliated and fired him in February, he claims. Mr. Baig, who is represented by the whistle-blower organization Psst.org and the law firm Schonbrun, Seplow, Harris, Hoffman & Zeldes, argued in the suit that the actions violated a privacy settlement Meta reached with the Federal Trade Commission in 2019, as well as securities laws that require companies to disclose risks to shareholders.

IT

There's 50% Fewer Young Employees at Tech Companies Now Than Two Years Ago (fortune.com) 129

An anonymous reader shared this report from Fortune: The percentage of young Gen Z employees between the ages of 21 and 25 has been cut in half at technology companies over the past two years, according to recent data from compensation management software business Pave with workforce data from more than 8,300 companies.

These young workers accounted for 15% of the workforce at large public tech firms in January 2023. By August 2025, they only represented 6.8%. The situation isn't pretty at big private tech companies, either — during that same time period, the proportion of early-career Gen Z employees dwindled from 9.3% to 6.8%. Meanwhile, the average age of a worker at a tech company has risen dramatically over those two and a half years. Between January 2023 and July 2025, the average age of all employees at large public technology businesses rose from 34.3 years to 39.4 years — more than a five year difference. On the private side, the change was less drastic, with the typical age only increasing from 35.1 to 36.6 years old...

"If you're 35 or 40 years old, you're pretty established in your career, you have skills that you know cannot yet be disrupted by AI," Matt Schulman, founder and CEO of Pave, tells Fortune. "There's still a lot of human judgment when you're operating at the more senior level...If you're a 22-year-old that used to be an Excel junkie or something, then that can be disrupted. So it's almost a tale of two cities." Schulman points to a few reasons why tech company workforces are getting older and locking Gen Z out of jobs. One is that big companies — like Salesforce, Meta, and Microsoft — are becoming a lot more efficient thanks to the advent of AI. And despite their soaring trillion-dollar profits, they're cutting employees at the bottom rungs in favor of automation. Entry-level jobs have also dwindled because of AI agents, and stalling promotions across many agencies looking to do more with less. Once technology companies weed out junior roles, occupied by Gen Zers, their workforces are bound to rise in age.

Schulman tells Fortune Gen Z also has an advantage: that tech corporations can see them as fresh talent that "can just break the rules and leverage AI to a much greater degree without the hindrance of years of bias." And Priya Rathod, workplace trends editor for LinkedIn, tells Fortune there's promising tech-industry entry roles in AI ethics, cybersecurity, UX, and product operations. "Building skills through certifications, gig work, and online communities can open doors....

"For Gen Z, the right certifications or micro credentials can outweigh a lack of years on the resume. This helps them stay competitive even when entry level opportunities shrink."
China

Chinese Hackers Impersonated US Lawmaker in Email Espionage Campaign (msn.com) 25

As America's trade talks with China were set to begin last July, a "puzzling" email reached several U.S. government agencies, law firms, and trade groups, reports the Wall Street Journal. It appeared to be from the chair of a U.S. Congressional committee, Representative John Moolenaar, asking recipients to review an alleged draft of upcoming legislation — sent as an attachment. "But why had the chairman sent the message from a nongovernment address...?"

"The cybersecurity firm Mandiant determined the spyware would allow the hackers to burrow deep into the targeted organizations if any of the recipients had opened the purported draft legislation, according to documents reviewed by The Wall Street Journal." It turned out to be the latest in a series of alleged cyber espionage campaigns linked to Beijing, people familiar with the matter said, timed to potentially deploy spyware against organizations giving input on President Trump's trade negotiations. The FBI and the Capitol Police are investigating the Moolenaar emails, and cyber analysts traced the embedded malware to a hacker group known as APT41 — believed to be a contractor for Beijing's Ministry of State Security... The hacking campaign appeared to be aimed at giving Chinese officials an inside look at the recommendations Trump was receiving from outside groups. It couldn't be determined whether the attackers had successfully breached any of the targets.

A Federal Bureau of Investigation spokeswoman declined to provide details but said the bureau was aware of the incident and was "working with our partners to identify and pursue those responsible...." The alleged campaign comes as U.S. law-enforcement officials have been surprised by the prolific and creative nature of China's spying efforts. The FBI revealed last month that a Beijing-linked espionage campaign that hit U.S. telecom companies and swept up Trump's phone calls actually targeted more than 80 countries and reached across the globe...

The Moolenaar impersonation comes as several administration officials have recently faced impostors of their own. The State Department warned diplomats around the world in July that an impostor was using AI to imitate Secretary of State Marco Rubio's voice in messages sent to foreign officials. Federal authorities are also investigating an effort to impersonate White House chief of staff Susie Wiles, the Journal reported in May... The FBI issued a warning that month that "malicious actors have impersonated senior U.S. officials" targeting contacts with AI-generated voice messages and texts.

And in January, the article points out, all the staffers on Moolenaar's committee "received emails falsely claiming to be from the CEO of Chinese crane manufacturer ZPMC, according to people familiar with the episode."

Thanks to long-time Slashdot reader schwit1 for sharing the news.
Security

First AI-Powered 'Self-Composing' Ransomware Was Actually Just a University Research Project (tomshardware.com) 6

Cybersecurity company ESET thought they'd discovered the first AI-powered ransomware in the wild, which they'd dubbed "PromptLock". But it turned out to be the work of university security researchers...

"Unlike conventional malware, the prototype only requires natural language prompts embedded in the binary," the researchers write in a research paper, calling it "Ransomware 3.0: Self-Composing and LLM-Orchestrated." Their prototype "uses the gpt-oss:20b model from OpenAI locally" (using the Ollama API) to "generate malicious Lua scripts on the fly." Tom's Hardware said that would help PromptLock evade detection: If they had to call an API on [OpenAI's] servers every time they generate one of these scripts, the jig would be up. The pitfalls of vibe coding don't really apply, either, since the scripts are running on someone else's system.
The whole thing was actually an experiment by researchers at NYU's Tandon School of Engineering. So "While it is the first to be AI-powered," the school said in an announcement, "the ransomware prototype is a proof-of-concept that is non-functional outside of the contained lab environment."

An NYU spokesperson told Tom's Hardware a Ransomware 3.0 sample was uploaded to malware-analsys platform VirusTotal, and then picked up by the ESET researchers by mistake: But the malware does work: NYU said "a simulation malicious AI system developed by the Tandon team carried out all four phases of ransomware attacks — mapping systems, identifying valuable files, stealing or encrypting data, and generating ransom notes — across personal computers, enterprise servers, and industrial control systems." Is that worrisome? Absolutely. But there's a significant difference between academic researchers demonstrating a proof-of-concept and legitimate hackers using that same technique in real-world attacks. Now the study will likely inspire the ne'er-do-wells to adopt similar approaches, especially since it seems to be remarkably affordable.

"The economic implications reveal how AI could reshape ransomware operations," the NYU researchers said. "Traditional campaigns require skilled development teams, custom malware creation, and substantial infrastructure investments. The prototype consumed approximately 23,000 AI tokens per complete attack execution, equivalent to roughly $0.70 using commercial API services running flagship models."

As if that weren't enough, the researchers said that "open-source AI models eliminate these costs entirely," so ransomware operators won't even have to shell out the 70 cents needed to work with commercial LLM service providers...

"The study serves as an early warning to help defenders prepare countermeasures," NYU said in an announcement, "before bad actors adopt these AI-powered techniques."

ESET posted on Mastodon that "Nonetheless, our findings remain valid — the discovered samples represent the first known case of AI-powered ransomware."

And the ESET researcher who'd mistakenly thought the ransomware was "in the wild" had warned that looking ahead, ransomware "will likely become more sophisticated, faster spreading, and harder to detect.... This makes cybersecurity awareness, regular backups, and stronger digital hygiene more important than ever."
Android

Boffins Build Automated Android Bug Hunting System 15

Researchers from Nanjing University and the University of Sydney developed an AI-powered bug-hunting agent that mimics human vulnerability discovery, validating flaws with proof-of-concept exploits. The Register reports: Ziyue Wang (Nanjing) and Liyi Zhou (Sydney) have expanded upon prior work dubbed A1, an AI agent that can develop exploits for cryptocurrency smart contracts, with A2, an AI agent capable of vulnerability discovery and validation in Android apps. They describe A2 in a preprint paper titled "Agentic Discovery and Validation of Android App Vulnerabilities."

The authors claim that the A2 system achieves 78.3 percent coverage on the Ghera benchmark, surpassing static analyzers like APKHunt (30.0 percent). And they say that, when they used A2 on 169 production APKs, they found "104 true-positive zero-day vulnerabilities," 57 of which were self-validated via automatically generated proof-of-concept (PoC) exploits. One of these included a medium-severity flaw in an Android app with over 10 million installs.
Microsoft

Microsoft 365 Personal is Now Free For US College Students For a Year (theverge.com) 55

Microsoft is giving away Microsoft 365 Personal subscriptions to all US college students. From a report: This subscription gives students free access to Microsoft's Office apps and the Copilot AI assistant integration for a year, after which the students are eligible for a 50 percent discount to continue the subscription.

While most students have access to education versions of Microsoft 365 or Google Workspace, Microsoft's offer is for student's own personal Microsoft accounts, and is available to claim until October 31st. Microsoft 365 Personal is usually $99.99 a year, or $9.99 a month, and includes 1TB of OneDrive cloud storage.

Security

Philips Hue Plans To Make All Your Lights Motion Sensors (theverge.com) 24

Philips Hue is rolling out MotionAware, a new feature that turns its smart bulbs into motion sensors using radio-frequency (RF) Zigbee signals. The upgrade works with most Hue bulbs made since 2014, but requires the new $99 Bridge Pro hub to enable. The Verge reports: To create a MotionAware motion-sensing zone, you need Hue's new Bridge Pro and at least three Hue devices in a room. It works with all new and most existing mains-powered Hue products via a firmware update. That includes smart bulbs, light strips, and fixtures. Portable devices, such as the Hue Go or Table Lamp, and battery-powered accessories, such as Hue switches, aren't compatible. Neither is Hue's current smart plug. [...] "All of the functionality you get with our physical motion sensors -- including turning on when motion is detected or off when there's been no movement for a certain amount of time -- can be configured on motion-aware motion events," says George Yianni, Hue CTO and founder, in an interview with The Verge. "We've done something that's quite a lot better than what else is out there."

MotionAware is occupancy sensing, not presence sensing; it requires movement. Yianni says it's comparable to the passive infrared sensing (PIR) Hue's physical sensors use. This means it can be triggered by pets or other motion. A sensitivity slider in the app helps fine-tune detection. According to Yianni, a key benefit over PIR is that a MotionAware zone can cover a larger area than a single PIR sensor, and it's also not limited to line of sight. MotionAware can't sense light levels, which Hue Motion Sensors can, but you can pair a light sensor to a motion zone to feed it that data. The positioning of the lights will also play a role in determining the effectiveness of the motion sensing. "We recommend that the lights surround an area which will roughly define the detection area in which motion will be detected," says Yianni. "It will sense around the lights and in the broader room thanks to reflections, but detection reliability will depend on lots of factors."

Beyond lighting automation, MotionAware can also integrate with Hue Secure, Hue's DIY security platform that includes cameras, contact sensors, and a new video doorbell. Motion detection can trigger lights to flash red, activate Hue's new plug-in chime/siren, and send an alert to your phone with a button to call emergency services. [...] MotionAware is built on RF sensing -- a technology that uses wireless signals to "see" a space and detect disruptions within it. The data is then sent to the Bridge Pro, where AI algorithms are applied to figure out what is causing those disruptions, so the system can act accordingly. This is why it's limited to the Bridge Pro, the V2 bridge isn't powerful enough to run those algorithms, says Yianni.

IT

Nvidia Dominates GPU Shipments With 94% Share (tomshardware.com) 43

An anonymous reader shares a report: The total number of GPUs sold for the second quarter of 2025 hit 11.6 million units, while desktop PC CPUs went up to 21.7 million units, according to a Jon Peddie Research report. This is a 27% increase in graphics card shipments and a 21.6% jump in CPU shipments from the last quarter, which is a change from the usual drop in deliveries we've seen in recent years.

"AIB prices dropped for midrange and entry-level, while high-end AIB prices increased, and most retail suppliers ran out of stock. This is very unusual for the second quarter," said Jon Peddie Research president Dr. Jon Peddie. "We think it is a continuation of higher prices expected due to the tariffs and buyers trying to get ahead of that."

As for the three major GPU manufacturers, Nvidia still has the lead, taking in 94% of the market -- an increase of 2.1% over the previous quarter -- while AMD is at a distant second place with 6%. This is still a much better position than Intel, though, whose market share is so small it did not even register on the chart.

Microsoft

Microsoft's 6502 BASIC Is Now Open Source (microsoft.com) 50

alternative_right writes: For decades, fragments and unofficial copies of Microsoft's 6502 BASIC have circulated online, mirrored on retrocomputing sites, and preserved in museum archives. Coders have studied the code, rebuilt it, and even run it in modern systems. Today, for the first time, we're opening the hatch and officially releasing the code under an open-source license. Microsoft BASIC began in 1975 as the company's very first product: a BASIC interpreter for the Intel 8080, written by Bill Gates and Paul Allen for the Altair 8800. That codebase was soon adapted to run on other 8-bit CPUs, including the MOS 6502, Motorola 6800, and 6809.

The 6502 port was completed in 1976 by Bill Gates and Ric Weiland. In 1977, Commodore licensed it for a flat fee of $25,000, a deal that placed Microsoft BASIC at the heart of Commodore's PET computers and, later, the VIC-20 and Commodore 64. The version we are releasing here -- labeled "1.1" -- contains fixes to the garbage collector identified by Commodore and jointly implemented in 1978 by Commodore engineer John Feagans and Bill Gates, when Feagans traveled to Microsoft's Bellevue offices. This is the version that shipped as the PET's "BASIC V2." It even contains a playful Bill Gates Easter egg, hidden in the labels STORDO and STORD0, which Gates himself confirmed in 2010.

Businesses

Atlassian Agrees To Acquire The Browser Co. For $610 Million (cnbc.com) 18

Atlassian said it has agreed to acquire The Browser Co., a startup that offers a web browser with AI features, for $610 million in cash. CNBC: The companies aim to close the deal in Atlassian's fiscal second quarter, which ends in December. Established in 2019, The Browser Co. has gone up against some of the world's largest companies, including Google, with Chrome, and Apple, which includes Safari on its computers running MacOS. The startup debuted Arc, a customizable browser with a built-in whiteboard and the ability to share groups of tabs, in 2022.

The Dia browser, a simpler option that allows people to chat with an AI assistant about multiple browser tabs at once, became available in beta in June. Atlassian co-founder and CEO Mike Cannon-Brookes said he sees shortcomings in the most popular browsers for those who do much of their work on computers.
Further reading: Atlassian Buying The Browser Company Feels Like a Waste of Money.

Slashdot Top Deals