On March 9, older Chromecast and Chromecast Audio devices stopped working due to an expired device authentication certificate authority that made them untrusted by Google's apps. While unofficial apps like VLC continue to function, Google's fix will require either updating client apps to bypass the issue or replacing the expired certificates, a process that could take weeks; however, Google has since announced it is beginning a gradual rollout of a fix. The Register reports: Tom Hebb, a former Meta software engineer and Chromecast hacker, has published a detailed analysis of the issue and suggests a fix could take more than a month to prepare. He's also provided workarounds here for folks to try in the meantime. We spoke to Hebb, and he says the problem is this expired device authentication certificate authority. [...] The fix is not simple. It's either going to involve a bit of a hack with updated client apps to accept or workaround the situation, or somehow someone will need to replace all the key pairs shipped with the devices with ones that use a new valid certificate authority. And getting the new keys onto devices will be a pain as, for instance, some have been factory reset and can't be initialized by a Google application because the bundled cert is untrusted, meaning the client software needs to be updated anyway.

Given that the product family has been discontinued, teams will need to be pulled together to address this blunder. And it does appear to be a blunder rather than planned or remotely triggered obsolescence; earlier Chromecasts have a longer certificate validity, of 20 years rather than 10. "Google will either need to put in over a month of effort to build and test a new Chromecast update to renew the expired certificates, or they will have to coordinate internally between what's left of the Chromecast team, the Android team, the Chrome team, the Google Home team, and iOS app developers to push out new releases, which almost always take several days to build and test," Hebb explained. "I expect them to do the latter. A server-side fix is not possible."

So either a week or so to rush out app-side updates to tackle the problem, or much longer to fix the problem with replaced certs. Polish security researcher Maciej Mensfeld also believes the outage is most likely due to an expired device authentication certificate authority. He's proposed a workaround that has helped some users, at least. Hebb, meanwhile, warns more certificate authority expiry pain is looming, with the Chromecast Ultra and Google Home running out in March next year, and the Google Home Mini in January 2027.

Mozilla is urging Firefox users to update their browsers to version 128 or later (or ESR 115.13 for extended support users) before March 14, 2025, to avoid security risks and add-on disruptions caused by the expiration of a key root certificate. "On 14 March a root certificate (the resource used to prove an add-on was approved by Mozilla) will expire, meaning Firefox users on versions older than 128 (or ESR 115) will not be able to use their add-ons," warns a Mozilla blog post. "We want developers to be aware of this in case some of your users are on older versions of Firefox that may be impacted." BleepingComputer reports: A Mozilla support document explains that failing to update Firefox could expose users to significant security risks and practical issues, which, according to Mozilla, include:

- Malicious add-ons can compromise user data or privacy by bypassing security protections.
- Untrusted certificates may allow users to visit fraudulent or insecure websites without warning.
- Compromised password alerts may stop working, leaving users unaware of potential account breaches.

It is noted that the problem impacts Firefox on all platforms, including Windows, Android, Linux, and macOS, except for iOS, where there's an independent root certificate management system. Mozilla says that users relying on older versions of Firefox may continue using their browsers after the expiration of the certificate if they accept the security risks, but the software's performance and functionality may be severely impacted.

An anonymous reader quotes a report from TechCrunch: Anthropic's CEO Dario Amodei is worried that spies, likely from China, are getting their hands on costly "algorithmic secrets" from the U.S.'s top AI companies -- and he wants the U.S. government to step in. Speaking at a Council on Foreign Relations event on Monday, Amodei said that China is known for its "large-scale industrial espionage" and that AI companies like Anthropic are almost certainly being targeted. "Many of these algorithmic secrets, there are $100 million secrets that are a few lines of code," he said. "And, you know, I'm sure that there are folks trying to steal them, and they may be succeeding."

More help from the U.S. government to defend against this risk is "very important," Amodei added, without specifying exactly what kind of help would be required. Anthropic declined to comment to TechCrunch on the remarks specifically but referred to Anthropic's recommendations to the White House's Office of Science and Technology Policy (OSTP) earlier this month. In the submission, Anthropic argues that the federal government should partner with AI industry leaders to beef up security at frontier AI labs, including by working with U.S. intelligence agencies and their allies.

An anonymous reader quotes a report from the EFF: EFF is deeply saddened to learn of the passing of Mark Klein, a bona fide hero who risked civil liability and criminal prosecution to help expose a massive spying program that violated the rights of millions of Americans. Mark didn't set out to change the world. For 22 years, he was a telecommunications technician for AT&T, most of that in San Francisco. But he always had a strong sense of right and wrong and a commitment to privacy. When the New York Times reported in late 2005 that the NSA was engaging in spying inside the U.S., Mark realized that he had witnessed how it was happening. He also realized that the President was not telling Americans the truth about the program. And, though newly retired, he knew that he had to do something. He showed up at EFF's front door in early 2006 with a simple question: "Do you folks care about privacy?"

We did. And what Mark told us changed everything. Through his work, Mark had learned that the National Security Agency (NSA) had installed a secret, secure room at AT&T's central office in San Francisco, called Room 641A. Mark was assigned to connect circuits carrying Internet data to optical "splitters" that sat just outside of the secret NSA room but were hardwired into it. Those splitters -- as well as similar ones in cities around the U.S. -- made a copy of all data going through those circuits and delivered it into the secret room. Mark not only saw how it works, he had the documents to prove it. He brought us over a hundred pages of authenticated AT&T schematic diagrams and tables. Mark also shared this information with major media outlets, numerous Congressional staffers, and at least two senators personally. One, Senator Chris Dodd, took the floor of the Senate to acknowledge Mark as the great American hero he was.

Schools across the United States are increasingly using artificial intelligence to monitor students' online activities, raising significant privacy concerns after Vancouver Public Schools inadvertently released nearly 3,500 unredacted, sensitive student documents to reporters.

The surveillance software, developed by companies like Gaggle Safety Management, scans school-issued devices 24/7 for signs of bullying, self-harm, or violence, alerting staff when potential issues are detected. Approximately 1,500 school districts nationwide use Gaggle's technology to track six million students, with Vancouver schools paying $328,036 for three years of service.

While school officials maintain the technology has helped counselors intervene with at-risk students, documents revealed LGBTQ+ students were potentially outed to administrators through the monitoring.

The Ballista botnet is actively exploiting a high-severity remote code execution flaw (CVE-2023-1389) in TP-Link Archer AX-21 routers, infecting over 6,000 devices primarily in Brazil, Poland, the UK, Bulgaria, and Turkey. Tom's Hardware reports: According to a new report from the Cato CTRL team, the Ballista botnet exploits a remote code execution vulnerability that directly impacts the TP-Link Archer AX-21 router. The botnet can lead to command injection which then makes remote code execution (RCE) possible so that the malware can spread itself across the internet automatically. This high severity security flaw (tracked as CVE-2023-1389) has also been used to spread other malware families as far back as April 2023 when it was used in the Mirai botnet malware attacks. The flaw also linked to the Condi and AndroxGh0st malware attacks.

Ballista's most recent exploitation attempt was February 17, 2025 and Cato CTRL first detected it on January 10, 2025. Of the thousands of infected devices, the majority of them are concentrated in Brazil, Poland, the United Kingdom, Bulgaria and Turkey; with the botnet targeting manufacturing, medical/healthcare, services and technology organizations in the United States, Australia, China and Mexico.

Spain's government has approved legislation imposing substantial fines of up to 35 million euros or 7% of global turnover on companies that fail to clearly label AI-generated content. Reuters reports: The bill adopts guidelines from the European Union's landmark AI Act imposing strict transparency obligations on AI systems deemed to be high-risk, Digital Transformation Minister Oscar Lopez told reporters. "AI is a very powerful tool that can be used to improve our lives ... or to spread misinformation and attack democracy," he said. Spain is among the first EU countries to implement the bloc's rules, considered more comprehensive than the United States' system that largely relies on voluntary compliance and a patchwork of state regulations. Lopez added that everyone was susceptible to "deepfake" attacks - a term for videos, photographs or audios that have been edited or generated through AI algorithms but are presented as real. [...]

The bill also bans other practices, such as the use of subliminal techniques - sounds and images that are imperceptible - to manipulate vulnerable groups. Lopez cited chatbots inciting people with addictions to gamble or toys encouraging children to perform dangerous challenges as examples. It would also prevent organizations from classifying people through their biometric data using AI, rating them based on their behavior or personal traits to grant them access to benefits or assess their risk of committing a crime. However, authorities would still be allowed to use real-time biometric surveillance in public spaces for national security reasons.

A critical root certificate expiring on March 14, 2025 will disable extensions and potentially break DRM-dependent streaming services for Firefox users running outdated browsers. Users must update to at least Firefox 128 or ESR 115.13+ to maintain functionality across Windows, macOS, Linux, and Android platforms.

The expiration additionally compromises security infrastructure, including blocklists for malicious add-ons, SSL certificate revocation lists, and password breach notifications. Even those on legacy operating systems (Windows 7/8/8.1, macOS 10.12â"10.14) must update to minimum ESR 115.13+.

An anonymous reader quotes a report from The Guardian: The pollution of the planet by microplastics is significantly cutting food supplies by damaging the ability of plants to photosynthesize, according to a new assessment. The analysis estimates that between 4% and 14% of the world's staple crops of wheat, rice and maize is being lost due to the pervasive particles. It could get even worse, the scientists said, as more microplastics pour into the environment. About 700 million people were affected by hunger in 2022. The researchers estimated that microplastic pollution could increase the number at risk of starvation by another 400 million in the next two decades, calling that an "alarming scenario" for global food security. [...]

The new study, published in the journal Proceedings of the National Academy of Sciences, combined more than 3,000 observations of the impact of microplastics on plants, taken from 157 studies. Previous research has indicated that microplastics can damage plants in multiple ways. The polluting particles can block sunlight reaching leaves and damage the soils on which the plants depend. When taken up by plants, microplastics can block nutrient and water channels, induce unstable molecules that harm cells and release toxic chemicals, which can reduce the level of the photosynthetic pigment chlorophyll. The researchers estimated that microplastics reduced the photosynthesis of terrestrial plants by about 12% and by about 7% in marine algae, which are at the base of the ocean food web. They then extrapolated this data to calculate the reduction in the growth of wheat, rice and maize and in the production of fish and seafood.

Asia was hardest hit by estimated crop losses, with reductions in all three of between 54 million and 177 million tons a year, about half the global losses. Wheat in Europe was also hit hard as was maize in the United States. Other regions, such as South America and Africa, grow less of these crops but have much less data on microplastic contamination. In the oceans, where microplastics can coat algae, the loss of fish and seafood was estimated at between 1m and 24m tonnes a year, about 7% of the total and enough protein to feed tens of millions of people. Further reading: Are Microplastics Bad For Your Health? More Rigorous Science is Needed

An anonymous reader quotes a report from Ars Technica: HP, along with other printer brands, is infamous for issuing firmware updates that brick already-purchased printers that have tried to use third-party ink. In a new form of frustration, HP is now being accused of issuing a firmware update that broke customers' laser printers -- even though the devices are loaded with HP-brand toner. The firmware update in question is version 20250209, which HP issued on March 4 for its LaserJet MFP M232-M237 models. Per HP, the update includes "security updates," a "regulatory requirement update," "general improvements and bug fixes," and fixes for IPP Everywhere. Looking back to older updates' fixes and changes, which the new update includes, doesn't reveal anything out of the ordinary. The older updates mention things like "fixed print quality to ensure borders are not cropped for certain document types," and "improved firmware update and cartridge rejection experiences." But there's no mention of changes to how the printers use or read toner.

However, users have been reporting sudden problems using HP-brand toner in their M232-M237 series printers since their devices updated to 20250209. Users on HP's support forum say they see Error Code 11 and the hardware's toner light flashing when trying to print. Some said they've cleaned the contacts and reinstalled their toner but still can't print. "Insanely frustrating because it's my small business printer and just stopped working out of nowhere[,] and I even replaced the tone[r,] which was a $60 expense," a forum user wrote on March 8. HP said in a statement: "We are aware of a firmware issue affecting a limited number of HP LaserJet 200 Series devices and our team is actively working on a solution. For assistance, affected customers can contact our support team at: https://support.hp.com." It's unclear how widespread the problems are.

AmiMoJo writes: In September 2023, KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022. In a court filing last week, U.S. federal agents investigating a spectacular $150 million cryptocurrency heist said they had reached the same conclusion.

On March 6, federal prosecutors in northern California said they seized approximately $24 million worth of cryptocurrencies that were clawed back following a $150 million cyberheist on Jan. 30, 2024. The complaint refers to the person robbed only as 'Victim-1,' but according to blockchain security researcher ZachXBT the theft was perpetrated against Chris Larsen, the co-founder of the cryptocurrency platform Ripple.

ZachXBT was the first to report on the heist, of which approximately $24 million was frozen by the feds before it could be withdrawn. This week's action by the government merely allows investigators to officially seize the frozen funds. But there is an important conclusion in this seizure document: It basically says the U.S. Secret Service and the FBI agree with the findings of the LastPass breach story published here in September 2023.

Nearly one in four U.S. tech jobs posted in 2025 require AI skills, according to data from the University of Maryland's AI job tracker, as companies across sectors adapt to the technology.

Companies across healthcare, retail and utilities are increasingly seeking candidates who can integrate AI into existing roles rather than creating entirely new positions, with these skills commanding premium pay and greater job security.

The information sector leads with 36% of IT jobs in January seeking AI expertise, followed by finance and professional services firms. AI-related listings account for 1.3% of all job postings nationwide. New AI job postings surged 68% since ChatGPT's launch in late 2022 through end-2024, while tech postings overall fell 27% during the same period.

Red Hat product manager Pau Garcia Quiles (also long-time Slashdot reader paugq) spotted an interesting project on GitHub: Free95, a new lean, Windows-compatible operating system is available from GitHub. In its current form, it can run very basic Win32 GUI and console applications, but its developer promises to keep working on it to reach DirectX and even game compatibility.
"Free95 is your friendly Windows Environment with an added trust of the open source community," according to its README file. (It's licensed under the GPL-3.0 license.) And in answer to the question "Why?" it responds "To remove Windows's bloat, and security problems. Being controlled by a large corporation is unsettling."

"It's still in-development of course," the developer post recently on Reddit, "and I'll appreciate anyone who'd like to contribute." In one comment they claim Free95 is "much more lightweight, simpler and faster than ReactOS." And looking to the future, they add "I might do DirectX stuff and make some games run. Or, what about DOOM?"

Last week Google urged the U.S. government not to break up the company — but apparently, it didn't work.
In a new filing Friday, America's Justice Department "reiterated its November proposal that Google be forced to sell its Chrome web browser," reports the Washington Post, "to address a federal judge finding the company guilty of being an illegal monopoly in August." The government also kept a proposal that Google be banned from paying other companies to give its search engine preferential placement on their apps and phones. At the same time, the government dropped its demand that Google sell its stakes in AI start-ups after one of the start-ups, Anthropic AI, argued that it needed Google's money to compete in the fast-growing industry.

The government's final proposal "reaffirms that Google must divest the Chrome browser — an important search access point — to provide an opportunity for a new rival to operate a significant gateway to search the internet, free of Google's monopoly control," Justice Department lawyers wrote in the filing... Judge Amit Mehta, of the U.S. District Court for the District of Columbia, who had ruled that Google held an illegal monopoly, will decide on the final remedies in April.
The article quotes a Google spokesperson's response: that the Justice Department's "sweeping" proposals "continue to go miles beyond the court's decision, and would harm America's consumers, economy and national security."

Axiom Space and Red Hat will collaborate to launch Data Center Unit-1 (AxDCU-1) to the International Space Station this spring. It's a small data processing prototype (powered by lightweight, edge-optimized Red Hat Device Edge) that will demonstrate initial Orbital Data Center (ODC) capabilities.

"It all sounds rather grand for something that resembles a glorified shoebox," reports the Register. Axiom Space said: "The prototype will test applications in cloud computing, artificial intelligence, and machine learning (AI/ML), data fusion and space cybersecurity."

Space is an ideal environment for edge devices. Connectivity to datacenters on Earth is severely constrained, so the more processing that can be done before data is transmitted to a terrestrial receiving station, the better. Tony James, chief architect, Science and Space at Red Hat, said: "Off-planet data processing is the next frontier, and edge computing is a crucial component. With Red Hat Device Edge and in collaboration with Axiom Space, Earth-based mission partners will have the capabilities necessary to make real-time decisions in space with greater reliability and consistency...."

The Red Hat Device Edge software used by Axiom's device combines Red Hat Enterprise Linux, the Red Hat Ansible Platform, and MicroShift, a lightweight Kubernetes container orchestration service derived from Red Hat OpenShift. The plan is for Axiom Space to host hybrid cloud applications and cloud-native workloads on-orbit. Jason Aspiotis, global director of in-space data and security, Axiom Space, told The Register that the hardware itself is a commercial off-the-shelf unit designed for operation in harsh environments... "AxDCU-1 will have the ability to be controlled and utilized either via ground-to-space or space-to-space communications links. Our current plans are to maintain this device on the ISS. We plan to utilize this asset for at least two years."
The article notes that HPE has also "sent up a succession of Spaceborne computers — commercial, off-the-shelf supercomputers — over the years to test storage, recovery, and operational potential on long-duration missions." (They apparently use Red Hat Enterprise Linux.) "At the other end of the scale, the European Space Agency has run Raspberry Pi computers on the ISS for years as part of the AstroPi educational outreach program."

Axiom Space says their Orbital Data Center is deigned to "reduce delays traditionally associated with orbital data processing and analysis." By utilizing Earth-independent cloud storage and edge processing infrastructure, Axiom Space ODCs will enable data to be processed closer to its source, spacecraft or satellites, bypassing the need for terrestrial-based data centers. This architecture alleviates reliance on costly, slow, intermittent or contested network connections, creating more secure and quicker decision-making in space.

The goal is to allow Axiom Space and its partners to have access to real-time processing capabilities, laying the foundation for increased reliability and improved space cybersecurity with extensive applications. Use cases for ODCs include but are not limited to supporting Earth observation satellites with in-space and lower latency data storage and processing, AI/ML training on-orbit, multi-factor authentication and cyber intrusion detection and response, supervised autonomy, in-situ space weather analytics and off-planet backup & disaster recovery for critical infrastructure on Earth.

"The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented 'backdoor' that could be leveraged for attacks," writes BleepingComputer.

"The undocumented commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence." This was discovered by Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco of Tarlogic Security, who presented their findings yesterday at RootedCON in Madrid. "Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices," reads a Tarlogic announcement shared with BleepingComputer. "Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls...."

Tarlogic developed a new C-based USB Bluetooth driver that is hardware-independent and cross-platform, allowing direct access to the hardware without relying on OS-specific APIs. Armed with this new tool, which enables raw access to Bluetooth traffic, Targolic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions. In total, they found 29 undocumented commands, collectively characterized as a "backdoor," that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.

Espressif has not publicly documented these commands, so either they weren't meant to be accessible, or they were left in by mistake.
Thanks to Slashdot reader ZipNada for sharing the news.

Signal President Meredith Whittaker warned at SXSW that agentic AI poses significant privacy and security risks, as these AI agents require extensive access to users' personal data, likely processing it unencrypted in the cloud. TechCrunch reports: "So we can just put our brain in a jar because the thing is doing that and we don't have to touch it, right?," Whittaker mused. Then she explained the type of access the AI agent would need to perform these tasks, including access to our web browser and a way to drive it as well as access to our credit card information to pay for tickets, our calendar, and messaging app to send the text to your friends. "It would need to be able to drive that [process] across our entire system with something that looks like root permission, accessing every single one of those databases -- probably in the clear, because there's no model to do that encrypted," Whittaker warned.

"And if we're talking about a sufficiently powerful ... AI model that's powering that, there's no way that's happening on device," she continued. "That's almost certainly being sent to a cloud server where it's being processed and sent back. So there's a profound issue with security and privacy that is haunting this hype around agents, and that is ultimately threatening to break the blood-brain barrier between the application layer and the OS layer by conjoining all of these separate services [and] muddying their data," Whittaker concluded.

If a messaging app like Signal were to integrate with AI agents, it would undermine the privacy of your messages, she said. The agent has to access the app to text your friends and also pull data back to summarize those texts. Her comments followed remarks she made earlier during the panel on how the AI industry had been built on a surveillance model with mass data collection. She said that the "bigger is better AI paradigm" -- meaning the more data, the better -- had potential consequences that she didn't think were good. With agentic AI, Whittaker warned we'd further undermine privacy and security in the name of a "magic genie bot that's going to take care of the exigencies of life," she concluded. You can watch the full speech on YouTube.

The White House is weighing measures to restrict Chinese artificial-intelligence upstart DeepSeek, including banning its chatbot from government devices because of national-security concerns, WSJ reported Friday, citing people familiar with the matter. From the report: U.S. officials are worried about DeepSeek's handling of user data, which the Chinese company says it stores in servers located in China, the people said. Officials also believe DeepSeek hasn't sufficiently explained how it uses the data it collects and who has access to the data, they said.

The Trump administration is likely to adopt a rule that would bar people from downloading DeepSeek's chatbot app onto U.S. government devices, the people said. Officials are also considering two other possible moves: banning the DeepSeek app from U.S. app stores and putting limits on how U.S.-based cloud service providers could offer DeepSeek's AI models to their customers, people close to the matter said. They cautioned that discussions about these two moves were still at an early stage.

The U.S. Citizenship and Immigration Services (USCIS) is proposing to expand mandatory social media screening, currently required only for new arrivals, to include all non-citizens already residing in the U.S. who apply for immigration benefits. The Register reports: Back in 2019, the Department of Homeland Security, which runs USCIS, decided anyone looking to enter the US on a work visa or similar had to hand over their social media handles to the authorities so that they could be looked over for wrongdoing and subversion. In fact, this goes back to 2014, at least, to one degree or another, and has been standard procedure for years for foreigners, particularly those coming in on a visa. [...]

On January 20 this year, President Trump signed an executive order calling for much tougher vetting of foreign aliens, and in response, USCIS has proposed rules saying those already in the country who are going through some process with the agency -- such as applying for permanent residency or citizenship -- will have their social media scanned for subversion. That means if you came to America before foreigners' internet presence was screened as it now is, and you're now seeking some kind of immigration benefit, at this rate you'll be subject to the same scanning as those entering the Land of the Free today. The proposed changes have a 60-day comment period for the public to suggest amendments. The last day to send them in is May 5.

1Password has introduced a 'nearby items' feature, allowing users to tag credentials with physical locations so the relevant information automatically surfaces when users are near those locations. Engadget reports: Location information can be added to any new or existing item in a 1Password vault. The app has also been updated with a map view for setting and viewing the locations of your items. In the blog post announcing the feature, the company cited examples such as door codes for a workplace, health records at a doctor's office, WiFi access at the gym and rewards membership information for local shops as potential uses for location data.

Privacy and security are paramount for a password manager, and 1Password confirmed that a user's location coordinates are only used locally and do not leave the device. Nearby items is available to 1Password customers starting today.