"Many GitHub users this week received a novel phishing email warning of critical security holes in their code," reports Krebs on Security — citing an email shared by one of his readers: "Hey there! We have detected a security vulnerability in your repository. Please contact us at https://github-scanner[.]com to get more information on how to fix this issue...." Clicking the "I'm not a robot" button generates a pop-up message asking the user to take three sequential steps to prove their humanity. Step 1 involves simultaneously pressing the keyboard key with the Windows icon and the letter "R," which opens a Windows "Run" prompt that will execute any specified program that is already installed on the system.

Step 2 asks the user to press the "CTRL" key and the letter "V" at the same time, which pastes malicious code from the site's virtual clipboard. Step 3 — pressing the "Enter" key — causes Windows to launch a PowerShell command, and then fetch and execute a malicious file from github-scanner[.]com called "l6e.exe...." According to an analysis at the malware scanning service Virustotal.com, the malicious file downloaded by the pasted text is called Lumma Stealer, and it's designed to snarf any credentials stored on the victim's PC.
Even though this might fool some users, Krebs points out that Microsoft "strongly advises against nixing PowerShell because some core system processes and tasks may not function properly without it. What's more, doing so requires tinkering with sensitive settings in the Windows registry..."

Thanks to long-time Slashdot reader sinij for sharing the article.

Friday the Wall Street Journal reported Qualcomm recently "made a takeover approach" to Intel, which has a market value of roughly $90 billion ("according to people familiar with the matter...") A deal is far from certain, the people cautioned. Even if Intel is receptive, a deal of that size is all but certain to attract antitrust scrutiny, though it is also possible it could be seen as an opportunity to strengthen the U.S.'s competitive edge in chips... Both Intel and Qualcomm have become U.S. national champions of sorts as chip-making gets increasingly politicized. Intel is in line to get up to $8.5 billion of potential grants for factories in the U.S. as Chief Executive Pat Gelsinger tries to build up a business making chips on contract for outsiders...
Both Intel and Qualcomm have been "overshadowed" by Nvidia's success in powering the AI boom, the article points out.

But "To get the deal done, Qualcomm could intend to sell assets or parts of Intel to other buyers... A deal would significantly broaden Qualcomm's horizons, complementing its mobile-phone chip business with chips from Intel that are ubiquitous in personal computers and servers..." Qualcomm's approach follows a more than three-year turnaround effort at Intel under Gelsinger that has yet to bear significant fruit. For years, Intel was the biggest semiconductor company in the world by market value, but it now lags behind rivals including Qualcomm, Broadcom, Texas Instruments and AMD. In August, following a dismal quarterly report, Intel said it planned to lay off thousands of employees and pause dividend payments as part of a broad cost-saving drive. Gelsinger last month laid out a roadmap to slash costs by more than $10 billion in 2025, as the company reported a loss of $1.6 billion for the second quarter, compared with a $1.5 billion profit a year earlier...

Intel earlier this year began to report separate financial results of its manufacturing operations, which many on Wall Street saw as a prelude to a possible split of the company. Some analysts have argued Intel should be split into two, mirroring a shift in the industry toward specializing in either chip design or chip manufacturing. Splitting up immediately might not be possible, however, Bernstein Research analyst Stacy Rasgon said in a recent note. Intel's manufacturing arm is money-losing and hasn't gained strong traction with customers other than Intel itself since Gelsinger opened the factories to outside chip designers three years ago. Gelsinger has been doubling down on the company's factory ambitions, outlining spending of hundreds of billions of dollars building new plants in the U.S., Europe and Israel in recent years.

Given Intel's market value, a successful takeover of the entire company would rank as the all-time largest technology M&A deal, topping Microsoft's $69 billion acquisition of Activision Blizzard.
Intel's stock "had its biggest one-day drop in over 50 years in August after the company reported disappointing earnings," reports CNBC. Partly because of that one-day, 26% drop, Intel's shares "are down 53% this year as investors express doubts about the company's costly plans to manufacture and design chips."

But the Register remains skeptical about Qualcomm taking over Intel: Chipzilla may not be worth much to Qualcomm unless it can renegotiate the x86/x86-64 cross-licensing patent agreement between Intel and AMD, which dates back to 2009. That agreement is terminated if a change in control happens at either Intel or AMD.

While a number of the patents expired in 2021, it's our understanding that agreement is still in force and Qualcomm would be subject to change of control rules. In other words, Qualcomm wouldn't be able to produce Intel-designed x86-64 chips unless AMD gave the green light. It's also likely one of the reasons why no one bought AMD when it was dire straits; whoever took over it would have to deal with Intel.

The data centers that train all the large language models behind AI consume unimaginable amounts of energy, and the stakes are high for big tech companies to ensure they have enough power to run those plants. That's why Microsoft is now throwing its weight behind nuclear power. From a report: The tech giant on Friday signed a major deal with nuclear plant owner Constellation Energy to restart its closed Three Mile Island plant by 2028 to power its data centers. The Constellation plant, infamous for melting down in 1979, closed in 2019 after failing to garner enough demand for its energy amid competition with cheaper alternatives like natural gas, and solar and wind power. Constellation said it plans to spend $1.6 billion to revive its reactor, pending regulatory approval. The financial terms of the deal were not disclosed. Microsoft agreed to purchase all of the power from the reactor over the next 20 years, a Constellation spokesperson told TechCrunch. Once restored, the reactor promises a capacity of 835 megawatts.

Microsoft has launched a new Windows app that serves as a hub for streaming Windows environments from services like Windows 365 and Azure Virtual Desktop. However, it's limited to Microsoft work and school accounts with "no signs that Microsoft plans to support consumer accounts," notes The Verge's Tom Warren. From the report: This new unified app has been in testing for nearly a year, and includes a customizable home screen, multi-monitor support, and USB redirection so you can use local devices like webcams, storage devices, and printers as if they were plugged directly into a cloud PC. This Windows app is limited to Microsoft work and school accounts, as it's primarily designed for existing users of Remote Desktop clients for Windows and other operating systems to move to. Microsoft has had similar apps for connecting to PCs remotely in Windows for decades, including the Remote Desktop Connection app that still ships as part of Windows 11. These apps, including the new Windows one, are useful for connecting to work PCs from a personal laptop or PC. The Windows app is available from the Microsoft Store and Apple App Store. An Android version enters public preview mode today.

Apple's latest macOS 15 "Sequoia" update, released earlier this week, has disrupted security tools from major providers including CrowdStrike, SentinelOne, and Microsoft, according to reports. The extent and cause of the disruption remain unclear.

Anduril Industries, a defense startup founded by Palmer Luckey, will integrate its Lattice suite of software into Microsoft's Integrated Visual Augmentation System headset for the U.S. Army. The deal aims to enhance soldiers' battlefield awareness by displaying real-time data from drones, vehicles, and defense systems.

Luckey, who sold virtual reality company Oculus to Facebook for $2 billion, launched Anduril in 2017 to challenge traditional defense contractors. The firm recently secured a contract to develop an experimental robotic fighter jet, beating out industry giants. While Microsoft's IVAS faced initial user complaints of nausea and headaches, the Army plans to invest $21.9 billion in the project.

An anonymous reader quotes a report from Data Center Dynamics: BlackRock plans to launch a new $30 billion artificial intelligence (AI) investment fund focused on data centers and energy projects. Microsoft and Abu Dhabi-backed investment company MGX are general partners of the fund. GPU giant Nvidia will also advise. Run through BlackRock's Global Infrastructure Partners fund, which it acquired for $12.5 billion earlier this year, the 'Global AI Investment Partnership,' plans to raise up to $30 billion in equity investments. Another $70 billion could come via leveraged debt financing. "Mobilizing private capital to build AI infrastructure like data centers and power will unlock a multi-trillion-dollar long-term investment opportunity," said Larry Fink, chairman and CEO of BlackRock. "Data centers are the bedrock of the digital economy, and these investments will help power economic growth, create jobs, and drive AI technology innovation."

Brad Smith, Microsoft's president, added: "The capital spending needed for AI infrastructure and the new energy to power it goes beyond what any single company or government can finance. This financial partnership will not only help advance technology, but enhance national competitiveness, security, and economic prosperity."

Bayo Ogunlesi, CEO of Global Infrastructure Partners, said: "There is a clear need to mobilize significant amounts of private capital to fund investments in essential infrastructure. One manifestation of this is the capital required to support the development of AI. We are highly confident that the combined capabilities of our partnership will help accelerate the pace of investments in AI-related infrastructure."

Longtime Slashdot reader theodp writes: Python in Excel is now generally available for Windows users of Microsoft 365 Business and Enterprise," Microsoft announced in a Monday blog post. "Last August, in partnership with Anaconda, we introduced an exciting new addition to Excel by integrating Python, making it possible to seamlessly combine Python and Excel analytics within the same workbook, no setup required. Since then, we've brought the power of popular Python analytics libraries such as pandas, Matplotlib, and NLTK to countless Excel users." Microsoft also announced the public preview of Copilot in Excel with Python, which will take users' natural language requests for analysis and automatically generate, explain, and insert Python code into Excel spreadsheets.

While drawing criticism for limiting Python execution to locked-down Azure cloud containers, Python in Excel has also earned accolades from the likes of Python creator Guido van Rossum, now a Microsoft Distinguished Engineer, as well as Pandas creator Wes McKinney.

Left unmentioned in Monday's announcement is that Microsoft managed to convince the USPTO to issue it a patent in July 2024 on the Enhanced Integration of Spreadsheets With External Environments (alt. source), which Microsoft explains covers the "implementation of enhanced integrations of native spreadsheet environments with external resources such as-but not limited to-Python." All of which may come as a surprise to software vendors and individuals that were integrating Excel and external programming environments years before Microsoft filed its patent application in September 2022.

An anonymous reader shares a report: Per a recent update to Microsoft's Deprecated Windows features page, Legacy DRM services utilized by Windows Media Player and Silverlight clients for Windows 7 and Windows 8 are now deprecated. This will prevent the streaming or playback of DRM-protected content in those applications on those operating systems. It also includes playing content from personal CD rips and streaming from a Silverlight or Windows 8 client to an Xbox 360 if you were still doing that.

For those unfamiliar, "DRM" refers to Digital Rights Management. Basically, DRM tech ensures that you aren't stealing or playing back pirated content. Of course, piracy still exists, but these days, most officially distributed movies, TV shows, games, etc., all involve some form of DRM unless explicitly advertised as DRM-free. DRM does seem like harmless piracy prevention on paper. Still, it hasn't been all that effective at eliminating piracy -- and where it is implemented, it mainly punishes or inconveniences paying customers. It is an excellent example of DRM's folly. Now, anyone who had previously opted into Microsoft's legitimate media streaming ecosystem with Windows 7 and 8 is being penalized for buying media legitimately since it will no longer work without them being forced to pivot to other streaming solutions.

Intel shares surged 8% after announcing plans to make its foundry business an independent unit with its own board and potential for outside capital, part of CEO Pat Gelsinger's strategy to restructure the company amid financial challenges. The company is also exploring the possibility of spinning off the foundry business, pausing some European manufacturing projects, and expanding its AI chip production partnership with Amazon Web Services to regain market share in the growing AI server chip industry. CNBC reports: As part of CEO Pat Gelsinger's effort to turn around the struggling chipmaker, Intel said in a memo to employees that it will also sell off part of its stake in Altera. Gelsinger said the restructuring would allow the foundry business to "evaluate independent sources of funding,â and comes days after Intel's board met to assess the direction and future of the company. The foundry business, which Intel plans to use to manufacture chips for other customers, has been a big drag on its bottom line, with the company spending roughly $25 billion on it in each of the last two years. Beyond just considering outside funding, Intel is weighing whether to spin off the foundry business, possibly into a separate publicly traded company, according to a person with knowledge of the matter who declined to be named in order to discuss confidential information. With a standalone "operating board" and a cleaner corporate structure, the mechanics of a separation become far easier than trying to turn a fully integrated unit into a separate company. [...] Intel will also pause its fabrication efforts in Poland and Germany "by approximately two years based on anticipated market demand," Gelsinger said, and pull back on its plans for its Malaysian factory. U.S. manufacturing projects will remain unaffected, the company said.

In addition to the foundry announcement, Intel said it entered into a deal with Amazon Web Services to produce custom chips for AI, extending a long-running partnership between the two companies. Amazon is a big customer of Intel chips to power its AWS servers, and will buy a custom Xeon processor from Intel as well, Intel said. The move will potentially give Intel a new foothold in the growing industry for AI server chips. While Intel has several products that can be used for AI, including Gaudi 3, Nvidia has largely taken control of the market. Amazon has been developing its own AI chips, including one called Trainium, for over five years. Microsoft and Google have also invested heavily in custom chips to run AI, aiming to offer less expensive processors than Nvidia's general-purpose graphics processing units. Intel said that it would carry out its most advanced manufacturing, including the AI chip for AWS, at its plant in Ohio that's currently under construction. "All eyes will remain on us," Gelsinger said. "We need to fight for every inch and execute better than ever before. Because that's the only way to quiet our critics and deliver the results we know we're capable of achieving."

Oracle cofounder Larry Ellison envisions AI as the backbone of a new era of mass surveillance, positioning Oracle as a key player in AI infrastructure through its unique networking architecture and partnerships with AWS and Microsoft. The Register reports: Ellison made the comments near the end of an hour-long chat at the Oracle financial analyst meeting last week during a question and answer session in which he painted Oracle as the AI infrastructure player to beat in light of its recent deals with AWS and Microsoft. Many companies, Ellison touted, build AI models at Oracle because of its "unique networking architecture," which dates back to the database era.

"AI is hot, and databases are not," he said, making Oracle's part of the puzzle less sexy, but no less important, at least according to the man himself - AI systems have to have well-organized data, or else they won't be that valuable. The fact that some of the biggest names in cloud computing (and Elon Musk's Grok) have turned to Oracle to run their AI infrastructure means it's clear that Oracle is doing something right, claimed now-CTO Ellison. "If Elon and Satya [Nadella] want to pick us, that's a good sign - we have tech that's valuable and differentiated," Ellison said, adding: One of the ideal uses of that differentiated offering? Maximizing AI's pubic security capabilities.

"The police will be on their best behavior because we're constantly watching and recording everything that's going on," Ellison told analysts. He described police body cameras that were constantly on, with no ability for officers to disable the feed to Oracle. Even requesting privacy for a bathroom break or a meal only meant sections of recording would require a subpoena to view - not that the video feed was ever stopped. AI would be trained to monitor officer feeds for anything untoward, which Ellison said could prevent abuse of police power and save lives. [...] "Citizens will be on their best behavior because we're constantly recording and reporting," Ellison added, though it's not clear what he sees as the source of those recordings - police body cams or publicly placed security cameras. "There are so many opportunities to exploit AI," he said.

Microsoft has abandoned plans to overhaul its Edge browser interface, scrapping the design choice unveiled in February 2023. The redesign -- featuring a sleeker look with rounded tab buttons and increased blur effects -- aimed to give Edge a distinct identity as the company pushed into AI services. The new design never officially launched and the company has no intention to launch it later, according to Microsoft-focused news outlet Windows Central.

A Microsoft spokesperson confirmed to Windows Central that the company is moving away from the rounded tabs concept. Some elements of the redesign will remain, including webpage borders and a repositioned user button, but the majority of the proposed changes have been shelved. The decision marks a retreat from Microsoft's efforts to visually differentiate Edge from Google Chrome and align it with Windows 11's design language.

"A two-day AI Labor Summit between AFL-CIO leaders and Microsoft executives this week reflects the tech giant's revamped approach to unions," writes GeekWire, "which includes a pledge by the company to incorporate feedback from labor unions and their members into the development of artificial intelligence."

But just two days later, "Microsoft Gaming CEO Phil Spencer announced it was game over for the jobs of another 650 Microsoft staffers (on top of an earlier 1,900 employee staff reduction)," writes long-time Slashdot reader theodp, "cuts that Spencer made clear were related to Microsoft's $69B acquisition of Activision Blizzard in 2023." Interestingly, Microsoft's Smith in October 2023 affirmed a "groundbreaking neutrality agreement" with the Communications Workers of America union (CWA) — designed to go into effect if Microsoft was successful in its acquisition of Activision Blizzard — in which Microsoft acknowledged the rights of its employees to unionize and pledged to work constructively with any who did. At the same time, Microsoft made it clear that it hoped its employees wouldn't feel the need to form or join unions, saying they would "never need to organize to have a dialogue with Microsoft's leaders."

In July 2023, the AFL-CIO applauded Microsoft's Activision Blizzard acquisition and the Microsoft-CWA agreement, which AFL-CIO union federation president Liz Shuler said "sets a new standard for respecting workers' rights in the video game industry and the larger technology sector." And in December 2023, Shuler thanked Smith for Microsoft's "absolutely historic partnership" on AI and the Future of the Workforce, which Shuler suggested "can be mutually beneficial for workers, for businesses, and for our country as a whole."
Thursday the CWA union issued critical remarks about the layoffs at Microsoft Gaming (which were later retweeted by the @AFLCIO Twitter account).

"While we would hope that a company like Microsoft with $88 billion in profits last year could achieve 'long-term success' without destroying the livelihoods of 650 of our colleagues, heartless layoffs like these have become all too common."

The Washingon Post reports that a regulatory dispute in Ohio may help answer a big question about America's power grid: who will pay for the huge upgrades needed to meet soaring energy demand "from the data centers powering the modern internet and artificial intelligence revolution?" Google, Amazon, Microsoft and Meta are fighting a proposal by an Ohio power company to significantly increase the upfront energy costs they'll pay for their data centers, a move the companies dubbed "unfair" and "discriminatory" in documents filed with Ohio's Public Utility Commission last month. American Electric Power Ohio said in filings that the tariff increase was needed to prevent new infrastructure costs from being passed on to other customers such as households and businesses if the tech industry should fail to follow through on its ambitious, energy-intensive plans. The case could set a national precedent that helps determine whether and how other states force tech firms to be accountable for the costs of their growing energy consumption... The energy demands of data centers have created similar concerns in other hot spots such as Northern Virginia, Atlanta and Maricopa County, Arizona, leaving experts concerned that the U.S. power grid may not be capable of dealing with the combined needs of the green energy transition and the computing boom that artificial intelligence companies say is coming...

Energy customers must sometimes make a monthly payment to a utility that is a percentage of the maximum amount of electricity they predict that they could need. In Ohio, data center companies had agreed to pay 60 percent of the projected amount. But in May, the power company proposed a new, 10-year fee structure raising the charges to 90 percent of the expected load, even if they don't end up using that much. The major tech companies — all of whom are increasing spending on data center infrastructure to compete in AI — strenuously opposed the proposed contract in documents filed last month... According to testimony from AEP Ohio Vice President Lisa Kelso, there are 50 pending requests from data center customers seeking electric service at more than 90 sites, a potential 30,000 megawatts of additional load — enough to power more than 20 million households. That additional demand would more than triple the utility's previous peak load in 2023, she said. Between 2020 and 2024, the data center energy load in central Ohio increased sixfold, from 100 to 600 megawatts, her testimony reads. By 2030, that amount will reach 5,000 megawatts, according to the utility's signed agreements, she testified...

Meeting that demand will require AEP Ohio to build new transmission lines, an expensive and time-consuming process... Chief among the power company's concerns, according to the documents, is what will happen if it invests billions of dollars into new grid infrastructure only for the data centers to leave for greener pastures, or for the AI bubble to burst and the facilities to need much less power than initially projected. If the power company spends big on new infrastructure but the power demand it was built to serve doesn't materialize, other customers — including business and residential payers — will be stuck with the bill, the utility said... AEP Ohio's testimony in the case also questions whether data centers bring as much to local communities as factories or other high-energy-load businesses. Since 2019, non-data center businesses have created approximately 25 jobs for every megawatt of power requested, while data centers have created less than one job per megawatt, according to Kelso's testimony.

The tech companies rejected this criticism, saying the number of jobs they create is not relevant to how much power they have a right to purchase, and highlighted their other contributions to local economies... Amazon said in filings that it pays fees as high as 75 percent of projected demand in some states but that Ohio's proposal to bill it 90 percent goes too far.
"Should the Ohio tariff be approved, Microsoft and Google both threatened in their testimony to leave Ohio." (Although at the same time, "pressure on the electric grid is mounting all over the country...")

And the article points out that on Thursday, "the White House announced measures intended to speed up data center construction for AI projects, including by accelerating permitting."

Cybersecurity giant Fortinet has confirmed it suffered a data breach after a threat actor claimed to steal 440GB of files from the company's Microsoft Sharepoint server. From a report: Fortinet is one of the largest cybersecurity companies in the world, selling secure networking products like firewalls, routers, and VPN devices. The company also offers SIEM, network management, and EDR/XDR solutions, as well as consulting services.

Early this morning, a threat actor posted to a hacking forum that they had stolen 440GB of data from Fortinet's Azure Sharepoint instance. The threat actor then shared credentials to an alleged S3 bucket where the stolen data is stored for other threat actors to download. The threat actor, known as "Fortibitch," claims to have tried to extort Fortinet into paying a ransom, likely to prevent the publishing of data, but the company refused to pay. In response to our questions about incident, Fortinet confirmed that customer data was stolen from a "third-party cloud-based shared file drive."

An anonymous reader shares a report: Microsoft executives have been thinking lately about the end of the world. In a white paper published late last year, Brad Smith, the company's vice chair and president, and Melanie Nakagawa, its chief sustainability officer, described a "planetary crisis" that AI could help solve. Imagine an AI-assisted tool that helps reduce food waste, to name one example from the document, or some future technology that could "expedite decarbonization" by using AI to invent new designs for green tech.

But as Microsoft attempts to buoy its reputation as an AI leader in climate innovation, the company is also selling its AI to fossil-fuel companies. Hundreds of pages of internal documents I've obtained, plus interviews I've conducted over the past year with 15 current and former employees and executives, show that the tech giant has sought to market the technology to companies such as ExxonMobil and Chevron as a powerful tool for finding and developing new oil and gas reserves and maximizing their production -- all while publicly committing to dramatically reduce emissions.

Although tech companies have long done business with the fossil-fuel industry, Microsoft's case is notable. It demonstrates how the AI boom contributes to one of the most pressing issues facing our planet today -- despite the fact that the technology is often lauded for its supposed potential to improve our world, as when Sam Altman testified to Congress that it could address issues such as "climate change and curing cancer." These deals also show how Microsoft can use the vagaries of AI to talk out of both sides of its mouth, courting the fossil-fuel industry while asserting its environmental bona fides. (Many of the documents I viewed have been submitted to the Securities and Exchange Commission as part of a whistleblower complaint alleging that the company has omitted from public disclosures "the serious climate and environmental harms caused by the technology it provides to the fossil fuel industry," arguing that the information is of material and financial importance to investors.

In a statement today, the White House said it has received commitments from several AI companies to curb the creation and distribution of deepfake porn, also known as image-based sexual abuse material. Engadget reports: The participating businesses have laid out the steps they are taking to prevent their platforms from being used to generate non-consensual intimate images (NCII) of adults and child sexual abuse material (CSAM). Specifically, Adobe, Anthropic, Cohere, Common Crawl, Microsoft and OpenAI said they'll be: "responsibly sourcing their datasets and safeguarding them from image-based sexual abuse."

All of the aforementioned except Common Crawl also agreed they'd be: "incorporating feedback loops and iterative stress-testing strategies in their development processes, to guard against AI models outputting image-based sexual abuse" and "removing nude images from AI training datasets" when appropriate. [...] The notable absences from today's White House release are Apple, Amazon, Google and Meta.

Microsoft announced plans to modify Windows, enabling security vendors like CrowdStrike to operate outside the operating system's kernel. The move follows the July incident where a faulty CrowdStrike update caused widespread system failures. From a report: Microsoft says it has now "discussed the requirements and key challenges in creating a new platform which can meet the needs of security vendors" with partners like CrowdStrike, Broadcom, Sophos, and Trend Micro.

[...] While Microsoft isn't directly saying it's going to close off access to the Windows kernel, it's clearly at the early stages of designing a security platform that can eventually move CrowdStrike and others out of the kernel. Microsoft last tried to close off access to the Windows kernel in Windows Vista in 2006, but it was met with pushback from cybersecurity vendors and regulators.

Microsoft is laying off a further 650 staff from its gaming business, according to a memo sent by Xbox chief Phil Spencer to staff today, September 12. From a report: In the memo, Spencer said the roles affect mostly corporate and support functions, and were made "to organize our business for long term success." He clarified that no games, devices or experiences are being canceled and no studios are being closed as part of these cuts. These latest layoffs mean Microsoft has let go of 2,550 staff from its gaming business since acquiring Activision Blizzard for $69 billion in 2023. In his memo, below, Spencer makes it clear that the cuts are related to the acquisition.

An anonymous reader quotes a report from Ars Technica: Microsoft has updated a key cryptographic library with two new encryption algorithms designed to withstand attacks from quantum computers. The updates were made last week to SymCrypt, a core cryptographic code library for handing cryptographic functions in Windows and Linux. The library, started in 2006, provides operations and algorithms developers can use to safely implement secure encryption, decryption, signing, verification, hashing, and key exchange in the apps they create. The library supports federal certification requirements for cryptographic modules used in some governmental environments. Despite the name, SymCrypt supports both symmetric and asymmetric algorithms. It's the main cryptographic library Microsoft uses in products and services including Azure, Microsoft 365, all supported versions of Windows, Azure Stack HCI, and Azure Linux. The library provides cryptographic security used in email security, cloud storage, web browsing, remote access, and device management. Microsoft documented the update in a post on Monday. The updates are the first steps in implementing a massive overhaul of encryption protocols that incorporate a new set of algorithms that aren't vulnerable to attacks from quantum computers. [...]

The first new algorithm Microsoft added to SymCrypt is called ML-KEM. Previously known as CRYSTALS-Kyber, ML-KEM is one of three post-quantum standards formalized last month by the National Institute of Standards and Technology (NIST). The KEM in the new name is short for key encapsulation. KEMs can be used by two parties to negotiate a shared secret over a public channel. Shared secrets generated by a KEM can then be used with symmetric-key cryptographic operations, which aren't vulnerable to Shor's algorithm when the keys are of a sufficient size. [...] The other algorithm added to SymCrypt is the NIST-recommended XMSS. Short for eXtended Merkle Signature Scheme, it's based on "stateful hash-based signature schemes." These algorithms are useful in very specific contexts such as firmware signing, but are not suitable for more general uses. Monday's post said Microsoft will add additional post-quantum algorithms to SymCrypt in the coming months. They are ML-DSA, a lattice-based digital signature scheme, previously called Dilithium, and SLH-DSA, a stateless hash-based signature scheme previously called SPHINCS+. Both became NIST standards last month and are formally referred to as FIPS 204 and FIPS 205. In Monday's post, Microsoft Principal Product Manager Lead Aabha Thipsay wrote: "PQC algorithms offer a promising solution for the future of cryptography, but they also come with some trade-offs. For example, these typically require larger key sizes, longer computation times, and more bandwidth than classical algorithms. Therefore, implementing PQC in real-world applications requires careful optimization and integration with existing systems and standards."