It's funny.  Laugh.

Bluesky CEO Jay Graber Pokes Fun At Mark Zuckerberg With Latin Phrase T-Shirt (techcrunch.com) 40

An anonymous reader quotes a report from TechCrunch: When Bluesky CEO Jay Graber walked on stage at SXSW 2025 for her keynote discussion, she wore a large black T-shirt with her hair pulled back into a bun. At first glance, it might appear as though she's following the same playbook that so many women in tech leadership have played before: downplaying her femininity to be taken seriously. The truth is way more interesting than that. What might look like your average black T-shirt is a subtle, yet clear swipe at Mark Zuckerberg, a CEO who represents everything that Bluesky is trying to work against as an open source social network.

The Meta founder and CEO has directly compared himself to the Roman emperor Julius Caesar. His own shirt declared Aut Zuck aut nihil, which is a play on the Latin phrase aut Caesar aut nihil: "Either Caesar or nothing." Graber's shirt -- which directly copies the style of a shirt that Zuckerberg wore onstage recently -- says Mundus sine caesaribus. Or, "a world without Caesars." With the way Bluesky is designed, Graber is certainly putting her money where her mouth (or shirt) is. As a decentralized social network built upon an open source framework, Bluesky differs from legacy platforms like Facebook in that users have a direct, transparent window into how the platform is being built.
"If a billionaire came in and bought Bluesky, or took it over, or if I decided tomorrow to change things in a way that people really didn't like, then they could fork off and go on to another application," Graber explained at SXSW. "There's already applications in the network that give you another way to view the network, or you could build a new one as well. And so that openness guarantees that there's always the ability to move to a new alternative."
The Internet

Internet Shutdowns At Record High In Africa As Access 'Weaponized' (theguardian.com) 26

Internet shutdowns in Africa hit a record high in 2024, with 21 shutdowns across 15 countries. The previous record was 19 shutdowns in 2020 and 2021. The Guardian reports: Authorities in Comoros, Guinea-Bissau and Mauritius joined repeat offenders such as Burundi, Ethiopia, Equatorial Guinea and Kenya. Guinea, Nigeria, Senegal and Tanzania were also on the list. But perpetrators also included militias and other non-state actors. Telecommunication and internet service providers who shut services based on government orders are also complicit in violating people's rights, said Felicia Anthonio, the #KeepItOn campaign manager at Access Now, citing the UN guiding principles on business and human rights.

The details showed that most of the shutdowns were imposed as a response to conflicts, protests and political instability. There were also restrictions during elections. [...] At least five shutdowns in Africa had been imposed for more than a year by the end of 2024, according to Access Now. As of early 2025, the social network Meta was still restricted in Uganda, despite authorities engaging with its representatives. On the Equatorial Guinean island of Annobon, internet and cell services have been cut off since an August 2024 protest over environmental concerns and isolation from the rest of the country. The increase in shutdowns led the African Commission on Human and Peoples' Rights to pass a landmark resolution in March 2024 to help reverse the trend.

Programming

Developer Convicted For 'Kill Switch' Code Activated Upon His Termination (arstechnica.com) 88

A 55-year-old software developer faces up to 10 years in prison after being convicted for deploying malicious code that sabotaged his former employer's network, causing hundreds of thousands of dollars in losses.

Davis Lu was convicted by a jury for causing intentional damage to protected computers owned by power management company Eaton Corp., the US Department of Justice announced Friday. Lu, who worked at Eaton for 11 years, became disgruntled after a 2018 corporate "realignment" reduced his responsibilities.

He created malicious code that deleted coworker profile files, prevented logins, and caused system crashes. His most destructive creation was a "kill switch" named "IsDLEnabledinAD" that automatically activated upon his termination in 2019, disrupting Eaton's global operations. Lu admitted to creating some malicious code but plans to appeal the verdict.
ISS

Axiom Space and Red Hat Will Bring Edge Computing to the International Space Station (theregister.com) 7

Axiom Space and Red Hat will collaborate to launch Data Center Unit-1 (AxDCU-1) to the International Space Station this spring. It's a small data processing prototype (powered by lightweight, edge-optimized Red Hat Device Edge) that will demonstrate initial Orbital Data Center (ODC) capabilities.

"It all sounds rather grand for something that resembles a glorified shoebox," reports the Register. Axiom Space said: "The prototype will test applications in cloud computing, artificial intelligence, and machine learning (AI/ML), data fusion and space cybersecurity."

Space is an ideal environment for edge devices. Connectivity to datacenters on Earth is severely constrained, so the more processing that can be done before data is transmitted to a terrestrial receiving station, the better. Tony James, chief architect, Science and Space at Red Hat, said: "Off-planet data processing is the next frontier, and edge computing is a crucial component. With Red Hat Device Edge and in collaboration with Axiom Space, Earth-based mission partners will have the capabilities necessary to make real-time decisions in space with greater reliability and consistency...."

The Red Hat Device Edge software used by Axiom's device combines Red Hat Enterprise Linux, the Red Hat Ansible Platform, and MicroShift, a lightweight Kubernetes container orchestration service derived from Red Hat OpenShift. The plan is for Axiom Space to host hybrid cloud applications and cloud-native workloads on-orbit. Jason Aspiotis, global director of in-space data and security, Axiom Space, told The Register that the hardware itself is a commercial off-the-shelf unit designed for operation in harsh environments... "AxDCU-1 will have the ability to be controlled and utilized either via ground-to-space or space-to-space communications links. Our current plans are to maintain this device on the ISS. We plan to utilize this asset for at least two years."

The article notes that HPE has also "sent up a succession of Spaceborne computers — commercial, off-the-shelf supercomputers — over the years to test storage, recovery, and operational potential on long-duration missions." (They apparently use Red Hat Enterprise Linux.) "At the other end of the scale, the European Space Agency has run Raspberry Pi computers on the ISS for years as part of the AstroPi educational outreach program."

Axiom Space says their Orbital Data Center is designed to "reduce delays traditionally associated with orbital data processing and analysis." By utilizing Earth-independent cloud storage and edge processing infrastructure, Axiom Space ODCs will enable data to be processed closer to its source, spacecraft or satellites, bypassing the need for terrestrial-based data centers. This architecture alleviates reliance on costly, slow, intermittent or contested network connections, creating more secure and quicker decision-making in space.

The goal is to allow Axiom Space and its partners to have access to real-time processing capabilities, laying the foundation for increased reliability and improved space cybersecurity with extensive applications. Use cases for ODCs include but are not limited to supporting Earth observation satellites with in-space and lower latency data storage and processing, AI/ML training on-orbit, multi-factor authentication and cyber intrusion detection and response, supervised autonomy, in-situ space weather analytics and off-planet backup & disaster recovery for critical infrastructure on Earth.

China

Undocumented 'Backdoor' Found In Chinese Bluetooth Chip Used By a Billion Devices (bleepingcomputer.com) 129

"The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented 'backdoor' that could be leveraged for attacks," writes BleepingComputer.

"The undocumented commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence." This was discovered by Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco of Tarlogic Security, who presented their findings yesterday at RootedCON in Madrid. "Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices," reads a Tarlogic announcement shared with BleepingComputer. "Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls...."

Tarlogic developed a new C-based USB Bluetooth driver that is hardware-independent and cross-platform, allowing direct access to the hardware without relying on OS-specific APIs. Armed with this new tool, which enables raw access to Bluetooth traffic, Tarlogic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions. In total, they found 29 undocumented commands, collectively characterized as a "backdoor," that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.

Espressif has not publicly documented these commands, so either they weren't meant to be accessible, or they were left in by mistake.

Thanks to Slashdot reader ZipNada for sharing the news.
Television

Remembering 'Space Ghost' Voice Actor George Lowe (yahoo.com) 16

Long-time Slashdot reader invisik saw this story on Yahoo News: Comedian and voice actor George Lowe, who is well-known as the voice of Space Ghost on "Space Ghost Coast to Coast," died on March 2. He was 67...

He did some voice-over work for TBWS and Cartoon Network in the 1980s to mid-1990s before getting his lead role of Space Ghost in 1994 with the premiere of "Space Ghost Coast to Coast" on Cartoon Network. Space Ghost was a parody of talk shows with live-action celebrity guests, hosted by the Hanna Barbera character Space Ghost, which aired from 1994 to 1999 on Cartoon Network. The show later returned in 2001, airing on Adult Swim's late-night programming block until 2004, Deadline reported.

When animation pioneer William Hanna died in 2001, Slashdot founder CmdrTaco posted "the thing that I respect most about Hanna is the fact that a show like Space Ghost Coast to Coast was allowed to take their characters and do something truly unique with them. He even lent his voice to the show in one episode. Not a lot of people would be willing to allow one of their creations to be twisted like that, but the original Space Ghost was one of my childhood staples, and Space Ghost Coast to Coast stands in a class all its own proving that creativity isn't dead on TV."

"Adult Swim would not be the network it is today without Space Ghost Coast to Coast," argues ComicBook.com. (And as a tribute to Lowe, Adult Swim posted five minutes of surreal outtakes from Space Ghost Coast to Coast's 10th Anniversary celebration.)

A headline at Vulture.com makes the case that "Space Ghost Coast to Coast Only Worked Because of George Lowe." They've rounded up a collection of videos with surreal titles like "Marrying Bjork" and "Guesting on a MF DOOM track" (plus that time Lowe did a live interview — in his Space Ghost costume — with C-SPAN).
Android

Google Introduces Debian Linux Terminal App For Android (zdnet.com) 43

Google has introduced a Debian Linux terminal app for Android in its ongoing effort to transform Android into a versatile desktop OS. It's initially available on Pixel devices running Android 15 but will be expanded to "all sufficiently robust Android phones" when Android 16 arrives later this year, writes ZDNet's Steven Vaughan-Nichols. An anonymous reader shares an excerpt from the report: Today, Linux is only available on the latest Pixel devices running Android 15. When Android 16 arrives later this year, it's expected that all sufficiently robust Android phones will be able to run Linux. Besides a Linux terminal, beta tests have already shown that you should be able to run desktop Linux programs from your phone -- games like Doom, for example. The Linux Terminal runs on top of a Debian Linux virtual machine. This enables you to access a shell interface directly on your Android device. And that just scratches the surface of Google's Linux Terminal. It's actually a do-it-all app that enables you to download, configure, and run Debian. Underneath Terminal runs the Android Virtualization Framework (AVF). These are the APIs that enable Android devices to run other operating systems.

To try the Linux Terminal app, you must activate Developer Mode by navigating to Settings - About Phone and tapping the build number seven times. I guess Google wants to make sure you want to do this. Once Developer Mode is enabled, the app can be activated via Settings - System - Developer options - Linux development environment. The initial setup may take a while because it needs to download Debian. Typically this is a 500MB download. Once in place, it allows you to adjust disk space allocation, set port controls for network communication, and recover the virtual machine's storage partition. However, it currently lacks support for graphical user interface (GUI) applications. For that, we'll need to wait for Android 16.

According to Android specialist Mishaal Rahman, 'Google wants to turn Android into a proper desktop operating system, and in order to do that, it has to make it work better with traditional PC input methods and display options. Therefore, Google is now testing new external display management tools in Android 16 that bring Android closer to other desktop OSes.'

Communications

Why Most Countries Are Struggling To Shut Down 2G (restofworld.org) 56

Global telecom operators are struggling to shut down aging 2G networks despite pressure to free up spectrum for 4G and 5G services, as the transition threatens to exclude millions of vulnerable users.

While Vietnam successfully decommissioned 2G in November 2024 by providing free 4G phones to low-income users, countries like South Africa and India have delayed shutdowns over concerns about cutting off phone access for millions. According to GSMA Intelligence, 61 countries have planned or initiated 2G network shutdowns to enhance bandwidth and reduce maintenance costs. For 2.5 billion people worldwide, smartphones cost about 30% of monthly income, keeping basic phones essential despite declining global feature phone sales.
Government

Starlink Benefits As Trump Admin Rewrites Rules For $42 Billion Grant Program (arstechnica.com) 163

An anonymous reader quotes a report from Ars Technica: The Trump administration is eliminating a preference for fiber Internet in a $42.45 billion broadband deployment program, a change that is expected to reduce spending on the most advanced wired networks while directing more money to Starlink and other non-fiber Internet service providers. One report suggests Starlink could obtain $10 billion to $20 billion under the new rules. Secretary of Commerce Howard Lutnick criticized the Biden administration's handling of the Broadband Equity, Access, and Deployment (BEAD) program in a statement yesterday. Lutnick said that "because of the prior Administration's woke mandates, favoritism towards certain technologies, and burdensome regulations, the program has not connected a single person to the Internet and is in dire need of a readjustment."

The BEAD program was authorized by Congress in November 2021, and the US was finalizing plans to distribute funding before Trump's inauguration. The National Telecommunications and Information Administration (NTIA), part of the Commerce Department, developed rules for the program in the Biden era and approved initial funding plans submitted by every state and territory. The program has been on hold since the change in administration, with Senator Ted Cruz (R-Texas) and other Republicans seeking rule changes. In addition to demanding an end to the fiber preference, Cruz wants to kill a requirement that ISPs receiving network-construction subsidies provide cheap broadband to people with low incomes. Cruz also criticized "unionized workforce and DEI labor requirements; climate change assessments; excessive per-location costs; and other central planning mandates."

Lutnick's statement yesterday confirmed that the Trump administration will end the fiber preference and replace it with a "tech-neutral" set of rules, and explore additional changes. He said: "Under my leadership, the Commerce Department has launched a rigorous review of the BEAD program. The Department is ripping out the Biden Administration's pointless requirements. It is revamping the BEAD program to take a tech-neutral approach that is rigorously driven by outcomes, so states can provide Internet access for the lowest cost. Additionally, the Department is exploring ways to cut government red tape that slows down infrastructure construction. We will work with states and territories to quickly get rid of the delays and the waste. Thereafter we will move quickly to implementation in order to get households connected." Lutnick said the department's goal is to "deliver high-speed Internet access... efficiently and effectively at the lowest cost to taxpayers."

AI

TSMC Pledges To Spend $100 Billion On US Chip Facilities (techcrunch.com) 67

An anonymous reader quotes a report from TechCrunch: Chipmaker TSMC said that it aims to invest "at least" $100 billion in chip manufacturing plants in the U.S. over the next four years as part of an effort to expand the company's network of semiconductor factories. President Donald Trump announced the news during a press conference Monday. TSMC's cash infusion will fund the construction of several new facilities in Arizona, C. C. Wei, chairman and CEO of TSMC, said during the briefing. "We are going to produce many AI chips to support AI progress," Wei said.

TSMC previously pledged to pour $65 billion into U.S.-based fabrication plants and has received up to $6.6 billion in grants from the CHIPS Act, a major Biden administration-era law that sought to boost domestic semiconductor production. The new investment brings TSMC's total investments in the U.S. chip industry to around $165 billion, Trump said in prepared remarks. [...] TSMC, the world's largest contract chip maker, already has several facilities in the U.S., including a factory in Arizona that began mass production late last year. But the company currently reserves its most sophisticated facilities for its home country of Taiwan.

Piracy

Malicious PyPI Package Exploited Deezer's API, Orchestrates a Distributed Piracy Operation (socket.dev) 24

A malicious PyPI package effectively turned its users' systems "into an illicit network for facilitating bulk music downloads," writes The Hacker News.

Though the package has been removed from PyPI, researchers at security platform Socket.dev say it enabled "coordinated, unauthorized music downloads from Deezer — a popular streaming service founded in France in 2007." Although automslc, which has been downloaded over 100,000 times, purports to offer music automation and metadata retrieval, it covertly bypasses Deezer's access restrictions... The package is designed to log into Deezer, harvest track metadata, request full-length streaming URLs, and download complete audio files in clear violation of Deezer's API terms... [I]t orchestrates a distributed piracy operation by leveraging both user-supplied and hardcoded Deezer credentials to create sessions with Deezer's API. This approach enables full access to track metadata and the decryption tokens required to generate full-length track URLs.

Additionally, the package routinely communicates with a remote server... to update download statuses and submit metadata, thereby centralizing control and allowing the threat actor to monitor and coordinate the distributed downloading operation. In doing so, automslc exposes critical track details — including Deezer IDs, International Standard Recording Codes, track titles, and internal tokens like MD5_ORIGIN (a hash used in generating decryption URLs) — which, when collected en masse, can be used to reassemble full track URLs and facilitate unauthorized downloads...

Even if a user pays for access to the service, the content is licensed, not owned. The automslc package circumvents licensing restrictions by enabling downloads and potential redistribution, which is outside the bounds of fair use...

"The malicious package was initially published in 2019, and its popularity (over 100,000 downloads) indicates wide distribution..."
Government

Utah Could Become America's First State To Ban Fluoride In Public Water (nbcnews.com) 233

NBC News reports that Utah could make history as America's first state to ban fluoride in public water systems — even though major medical associations support water fluoridation: If signed into law [by the governor], HB0081 would prevent any individual or political subdivision from adding fluoride "to water in or intended for public water systems..." A report published recently in JAMA Pediatrics found a statistically significant association between higher fluoride exposure and lower children's IQ scores — but the researchers did not suggest that fluoride should be removed from drinking water. According to the report's authors, most of the 74 studies they reviewed were low-quality and done in countries other than the United States, such as China, where fluoride levels tend to be much higher, the researchers noted.

An Australian study published last year found no link between early childhood exposure to fluoride and negative cognitive neurodevelopment. Researchers actually found a slightly higher IQ in kids who consistently drank fluoridated water. The levels in Australia are consistent with U.S. recommendations.

Major public health groups, including the American Academy of Pediatrics, the American Dental Association and the CDC — which says drinking fluoridated water keeps teeth strong and reduces cavities — support adding fluoride to water.

The article notes that since 2010 over 150 U.S. towns or counties have voted to keep fluoride out of public water systems or to stop adding it to their water (according to the anti-fluoride group "Fluoride Action Network"). But this week the American Dental Association (representing 159,000 members) urged Utah's governor not to become "the only state to end this preventive health practice that has been in place for over three quarters of a century."

Thanks to Slashdot reader fjo3 for sharing the news.
Perl

Perl's CPAN Security Group is Now a CNA, Can Assign CVEs (perlmonks.org) 10

Active since 1995, the Comprehensive Perl Archive Network (or CPAN) hosts 221,742 Perl modules written by 14,548 authors. This week they announced that the CPAN Security Group "was authorized by the CVE Program as a CVE Numbering Authority (CNA)" to assign and manage CVE vulnerability identifications for Perl and CPAN Modules.

"This is great news!" posted Linux kernel maintainer Greg Kroah-Hartman on social media, saying the announcement came "Just in time for my talk about this very topic in a few weeks about how all open source projects should be doing this" at the Linux Foundation Member Summit in Napa, California. And Curl creator Daniel Stenberg posted "I'm with Greg Kroah-Hartman on this: all Open Source projects should become CNAs. Or team up with others to do it." (Also posting "Agreed" to the suggestion was Seth Larson, the Python Software Foundation's security developer-in-residence involved in their successful effort to become a CNA in 2023.)

444 CNAs have now partnered with the CVE Program, according to their official web site. The announcement from PerlMonks.org: Years ago, a few people decided during the Perl Toolchain Summit (PTS) that it would be a good idea to join forces, ideas and knowledge and start a group to monitor vulnerabilities in the complete Perl ecosystem from core to the smallest CPAN release. The goal was to follow legislation and CVE reports, and help authors in taking actions on not being vulnerable anymore. That group has grown stable over the past years and is now known as CPANSec.

The group has several focus areas, and one of them is channeling CVE vulnerability issues. In that specific goal, a milestone has been reached: CPANSec has just been authorized as a CVE Numbering Authority (CNA) for Perl and modules on CPAN.

Privacy

Apple's Find My Network Exploit Lets Hackers Silently Track Any Bluetooth Device 22

Researchers at George Mason University discovered a vulnerability in Apple's Find My network that allows hackers to silently track any Bluetooth device as if it were an AirTag, without the owner's knowledge. 9to5Mac reports: Although AirTag was designed to change its Bluetooth address based on a cryptographic key, the attackers developed a system that could quickly find keys for Bluetooth addresses. This was made possible by using "hundreds" of GPUs to find a key match. The exploit called "nRootTag" has a frightening success rate of 90% and doesn't require "sophisticated administrator privilege escalation."

In one of the experiments, the researchers were able to track the location of a computer with an accuracy of 10 feet, which allowed them to trace a bicycle moving through the city. In another experiment, they reconstructed a person's flight path by tracking their game console. "While it is scary if your smart lock is hacked, it becomes far more horrifying if the attacker also knows its location. With the attack method we introduced, the attacker can achieve this," said one of the researchers.
Apple has acknowledged the George Mason researchers for discovering a Bluetooth exploit in its Find My network but has yet to issue a fix. "For now, they advise users to never allow unnecessary access to the device's Bluetooth when requested by apps, and of course, always keep their device's software updated," reports 9to5Mac.
Communications

AT&T and Verizon Connect First Cellphone-To-Satellite Video Calls (theverge.com) 9

AT&T and Verizon have successfully completed their first cellphone-to-satellite video calls using AST SpaceMobile's satellites, marking a significant step toward commercial satellite networks. The Verge reports: Verizon has completed its first cellphone-to-satellite video call, while AT&T has completed its first using satellites that will be used as part of a commercial network. [...] Verizon pulled off "a live video call between two mobile devices with one connected via satellite and the other connected via Verizon's terrestrial network connection," according to a company press release.

In AT&T's case, "AT&T and AST SpaceMobile have successfully completed another video call by satellite to an everyday smartphone over AT&T spectrum," per AT&T's press release. Both phone companies relied on AST's constellation of five BlueBird satellites that were launched last September for the tests. AT&T's initial video call test happened in June 2023.

China

OpenAI Bans Chinese Accounts Using ChatGPT To Edit Code For Social Media Surveillance (engadget.com) 21

OpenAI has banned a group of Chinese accounts using ChatGPT to develop an AI-powered social media surveillance tool. Engadget reports: The campaign, which OpenAI calls Peer Review, saw the group prompt ChatGPT to generate sales pitches for a program those documents suggest was designed to monitor anti-Chinese sentiment on X, Facebook, YouTube, Instagram and other platforms. The operation appears to have been particularly interested in spotting calls for protests against human rights violations in China, with the intent of sharing those insights with the country's authorities.

"This network consisted of ChatGPT accounts that operated in a time pattern consistent with mainland Chinese business hours, prompted our models in Chinese, and used our tools with a volume and variety consistent with manual prompting, rather than automation," said OpenAI. "The operators used our models to proofread claims that their insights had been sent to Chinese embassies abroad, and to intelligence agents monitoring protests in countries including the United States, Germany and the United Kingdom."

According to Ben Nimmo, a principal investigator with OpenAI, this was the first time the company had uncovered an AI tool of this kind. "Threat actors sometimes give us a glimpse of what they are doing in other parts of the internet because of the way they use our AI models," Nimmo told The New York Times. Much of the code for the surveillance tool appears to have been based on an open-source version of one of Meta's Llama models. The group also appears to have used ChatGPT to generate an end-of-year performance review where it claims to have written phishing emails on behalf of clients in China.

Power

The GSA Is Shutting Down Its EV Chargers (theverge.com) 205

The General Services Administration (GSA) is shutting down its nationwide electric vehicle (EV) chargers, deeming them "not mission critical." The U.S. government agency also plans to offload newly purchased EVs, reversing initiatives from the Biden administration aimed at transitioning the federal vehicle fleet to electric. The Verge reports: The GSA currently operates several hundred EV chargers across the country, with approximately 8,000 plugs that are available for government-owned EVs as well as federal employees' personally owned vehicles.

The official guidance instructing federal workers to begin the process of shutting down the chargers will be announced internally next week, according to a source with knowledge of the plans. Some regional offices have been told to start taking their chargers offline, according to an email viewed by The Verge. "As GSA has worked to align with the current administration, we have received direction that all GSA owned charging stations are not mission critical," the email reads.

The GSA is working on the timing of canceling current network contracts that keep the EV chargers operational. Once those contracts are canceled, the stations will be taken out of service and "turned off at the breaker," the email reads. Other chargers will be turned off starting next week. "Neither Government Owned Vehicles nor Privately Owned Vehicles will be able to charge at these charging stations once they're out of service," it concludes.

Transportation

Canada Announces First High-Speed Rail Between Toronto and Quebec City (www.cbc.ca) 222

The Canadian government has launched a six-year, $3.9 billion design phase for a high-speed rail project connecting Toronto and Quebec City, with electric trains reaching up to 300 km/h. Construction is expected to begin after the design phase, potentially in four to five years, but future governments could modify or cancel the project. CBC News reports: "Today I'm announcing the launch of Alto, the largest infrastructure project in Canadian history," Trudeau said from Montreal. "A reliable, efficient, high-speed rail network will be a game-changer for Canadians." Trudeau said the new rail network will run all-electric trains along 1,000 kilometers of track, reaching speeds of up to 300 km/hour, with stops in Toronto, Peterborough, Ottawa, Montreal, Laval, Trois-Rivieres and Quebec City. A government statement said the project will stimulate the economy, "boosting GDP by up to $35 billion annually, creating over 51,000 good-paying jobs during construction."

Trudeau said that once built, the new high-speed rail network will take passengers from Montreal to Toronto in three hours -- about half the time it takes to drive and at double the speed of Via Rail's current trains. [...] Trudeau said the consortium Cadence -- made up of CDPQ Infra, Atkins Realis, Keolis, SYSTRA, SNCF Voyageurs and Air Canada -- was selected to build the line. The group was only informed in the last 24 hours that their bid was the best of the three submitted, according to sources that spoke to Radio-Canada. Transport Minister Anita Anand said that Alto, the Crown corporation created to oversee the project, and Cadence will be signing a contract "in the coming weeks" that will outline the first-phase design work, such as where track will be laid and where stations will be built.

Security

Palo Alto Firewalls Under Attack As Miscreants Chain Flaws For Root Access (theregister.com) 28

A recently patched Palo Alto Networks vulnerability (CVE-2025-0108) is being actively exploited alongside two older flaws (CVE-2024-9474 and CVE-2025-0111), allowing attackers to gain root access to unpatched firewalls. The Register reports: This story starts with CVE-2024-9474, a 6.9-rated privilege escalation vulnerability in Palo Alto Networks PAN-OS software that allowed an OS administrator with access to the management web interface to perform actions on the firewall with root privileges. The company patched it in November 2024. Dark web intelligence services vendor Searchlight Cyber's Assetnote team investigated the patch for CVE-2024-9474 and found another authentication bypass.

Palo Alto (PAN) last week fixed that problem, CVE-2025-0108, and rated it a highest urgency patch as the 8.8/10 flaw addressed an access control issue in PAN-OS's web management interface that allowed an unauthenticated attacker with network access to the management web interface to bypass authentication "and invoke certain PHP scripts." Those scripts could "negatively impact integrity and confidentiality of PAN-OS."

The third flaw is CVE-2025-0111, a 7.1-rated mess also patched last week to stop authenticated attackers with network access to PAN-OS machines using their web interface to read files accessible to the "nobody" user. On Tuesday, US time, Palo Alto updated its advisory for CVE-2025-0108 with news that it's observed exploit attempts chaining CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces. The vendor's not explained how the three flaws are chained but we understand doing so allows an attacker to gain more powerful privileges and gain full root access to the firewall.

PAN is urging users to upgrade their PAN-OS operating systems to versions 10.1, 10.2, 11.0, 11.1, and 11.2. A general hotfix is expected by Thursday or sooner, notes the Register.

EU

WhatsApp Faces Tougher EU Rules As Users Top 45 Million (msn.com) 38

Meta's WhatsApp messaging service has surpassed 45 million users, earning the designation of a "Very Large Online Platform" under the EU's Digital Services Act. Bloomberg reports: WhatsApp's open channels, which are feeds affiliated with news outlets or public figures that under the DSA are comparable to a social network, averaged about 46.8 million monthly average users in the second half of 2024, Meta said in a filing on Feb. 14 that hasn't previously been reported. [...] The DSA content moderation rulebook imposes stricter requirements on very large online platforms, defined as those whose EU-based monthly active users exceed 45 million. Users of WhatsApp's core messaging feature do not count toward the designation under the DSA.

The commission would still need to rule that WhatsApp should be included in the more regulated tier. Under the DSA, very large online platforms must carry out risk assessments on the spread of illegal or harmful content, and put in place a mitigation strategy. Fines under the DSA can reach as much as 6% of a company's annual global sales. The DSA requires platforms to disclose user numbers every six months. Messaging service Telegram also published an update this week, saying that monthly EU users of its public channels are "significantly fewer than 45 million."
